
Basic security precautions for non-profits and journalists (2017) - ColinWright
https://techsolidarity.org/resources/basic_security.htm
======
newscracker
Previous HN post of this article and discussion from February 2017 with a
wealth of advice and comments:

[https://news.ycombinator.com/item?id=13622684](https://news.ycombinator.com/item?id=13622684)

------
paulryanrogers
> Don't store sensitive information in cloud services like Evernote or
> Dropbox.

Good advice but distinguishing when the cloud is involved is getting harder,
even for technical people.

~~~
plg
They recommend (in another article on congressional campaigns) using Google
Drive over Evernote or Dropbox.

How about iCloud Drive? Trustworthy/secure as Google Drive?

------
dwighttk
Don’t use Android... do use Gmail?

~~~
tptacek
That's right.

It's not about avoiding Google. Google does excellent security work. It's
about using the most secure products in each category. An Android phone can be
made asymptotically as secure as an iPhone, but only by an expert.

~~~
plttn
Buy a Pixel, set a secure passcode. There you go.

~~~
tptacek
No, that's wishful. The Pixels are the most secure Android phones you can buy,
but they are not natively as secure as an iPhone.

But: if it helps put a dumb argument to rest, consider that in the populations
being trained, "Android phone" means "phone from an insane variety of vendors,
most of whom are not competent to sell or maintain a secure phone".

~~~
coretx
Pixels are the #1 pick for security, but not with its default ROM installed.
[https://copperhead.co/](https://copperhead.co/) is a seriously hardened ROM
without google play services and simply having security as a #1 priority.

~~~
tptacek
I don't even know where to start with this but let's just stipulate that when
I said "experts can get an Android phone asymptotically as secure as an
iPhone", I meant stuff like "people can pick very specific models and then
install an entire custom operating system on the phone". I don't _actually_
agree with what you're saying, but the argument will be unproductive, and I
think we're close enough that my point stands.

------
dtujmer
Why iPhone instead of Android?

------
lifeisstillgood
Couple of odd points

- Don't use your fingerprint to lock/unlock devices.

(presumably because you can be unconscious, and still unlock your phone?)

But the stand out one for me was

If you have a Windows laptop, uninstall any antivirus products except for
Windows Defender (from Microsoft).

I am assuming this means that they don't trust Symantec? Who might be
installing backdoors? How verified is this threat? And should we tell every
major bank / finance house / government who seem to have AV everywhere.

~~~
tptacek
This is an example of what makes it so hard to communicate security advice to
laypeople: nerds come out of the woodwork trying to reconstruct and critique
the advice from first principles, and going off on all sorts of weird
tangents.

So: no, _nobody_ serious trusts Symantec. But not because they're "installing
backdoors"; it's because their software is complicated, embedded deep into the
guts of the operating system, is historically full of bugs, and doesn't
actually solve the problem it purports to solve.

~~~
lifeisstillgood
OK. I should have been ... clearer - what I meant was if not using AV is good
advice, why is that and why do so many many corporates ignore that advice?

The why is AV untrustworthy you covered, but why do so many people keep using
it?

Edit: I could take a guess but not now :-)

~~~
qrbLPHiKpiux
If you really need to open an attachment, it’s best to open it on Google
Drive, in the cloud. Let them deal with any virus issues.

------
coretx
Lists like these are dangerous as they should be tailored per
situation/person.

On most occasions I have experience with it's usually best for the operative
to behave like the generic tech-moron he/she is in order to NOT stand out of
the crowd / raise attention. When something sensitive is about to commence,
stick the TAILS USB stick in the laptop & go. Microwave the USB stick when
done. But as in my first paragraph; advice like this should be tailored at all
times.

~~~
newscracker
Security has trade offs that need to be carefully weighed for each situation
before some appropriate decisions are taken (with the benefit of knowledge).

But a big hurdle here is that the target audience has a critical need to have
very good protective measures in place but is also at the same time very
likely not to know about the trade offs or how to weigh the trade offs or even
have a relatively good understanding of the basis of the trade offs. Hence the
need for generic advice that could be easier to follow for most people while
providing a better set of protections than the status quo (with the status quo
being not even considering the security part and making assumptions based
solely on habit and convenience).

Anyone who has taken some of this advice to heart and still is unsure would
usually find a way to ask people who know better for tailored advice.

~~~
coretx
For a general statement I agree with you. I find it even a good thing to teach
everyone, not just journalists, basic data hygiene. The target audience set
however is far from general. They are journalists and non-profits. Such
entities have adversaries such as
[https://en.wikipedia.org/wiki/Tailored_Access_Operations](https://en.wikipedia.org/wiki/Tailored_Access_Operations)
haunting them. Even most well trained security professionals are far from
qualified enough to deal with such actors. In other words, people should be
honest with the journalists and tell them they are not competent enough to
assess or commit trade offs. On most occasions, knowing you are not secure is
the best security you can get as it alters your behaviour accordingly.

------
philistine
The list says to use an iPhone instead of a laptop, I presume because the
iPhone has hardware encryption coming from the Secure Enclave. But newer
MacBook Pros from Apple, and even the iMac Pro, feature the T2 chip to achieve
the same result as the Secure Enclave with regards to encryption.

I guess my point is this list is deeply flawed because it explains none of its
decision-making process. Journalists aren’t idiots. Tell them why they should
not use a laptop.

~~~
tptacek
Trained a lot of journalists, have you? A lot of them asked you about the
chipsets in the machines they were using?

For what it's worth: no, the important difference between a Macbook and an
iPhone isn't the SEP.

~~~
philistine
What is so different from physical access to an unlocked iPhone than an
unlocked Mac? You’re screwed either way, no?

~~~
vladvasiliu
Yes, if someone has physical access to an unlocked iPhone or Mac you're
screwed. The author's idea might rather be about the OS, the main difference
between an iPhone and a Mac (or PC for that matter) is the OS. Hence the
recommendation for a Chromebook.

I suppose the author assumes that on iOS a random website is less likely to
have access to your files (articles).

So this might be more about protection from attackers who don't have physical
access to the device.

