
The Bare Minimum You Should Do to Protect Your Family's Data - octosphere
https://blog.mozilla.org/internetcitizen/2018/11/25/the-bare-minimum-you-should-do-to-protect-your-familys-data/
======
hannob
More than half of that I wouldn't advise or would have serious caveats about
the advice given...

This is really a strange document...

Just a few examples:

"Don’t open emails, texts, [...] from anyone you don’t know, don’t recognize,
or weren’t expecting" <- sorry, that's not how email works. I want to get
emails from strangers that care about what I do.

"Don’t use unsecure Wi-Fi networks" Largely outdated due to HTTPS and
completely impractical. Everyone uses the Wi-Fi at Starbucks.

"Even better, get a VPN (virtual private network) — but, just like with
antivirus software, don’t use a free VPN." How should an average user know if
the VPN is a scam? (More than half of VPN providers are scams and there's
little reason to believe that paid providers are always better.)

"Use tough passwords and change them frequently." Changing passwords
frequently is considered deprecated advice. The single most important rule
about passwords is to use unique passwords. Which they don't say at all...

I could go on...

Update: Mozilla deleted the post after criticism, see
[https://twitter.com/asadotzler/status/1068961020540899329](https://twitter.com/asadotzler/status/1068961020540899329)

~~~
perplamps
I ended up writing my own take on bare minimum security practices for less-
technical people as a sort of response to the Mozilla article:

[https://medium.com/@perplamps/super-basic-security-
advice-f9...](https://medium.com/@perplamps/super-basic-security-
advice-f9ba900c416b)

If anyone finds any problems or disagrees with any of my suggestions, let me
know and I'll update it!

~~~
mcny
I don't see any problem with the article but almost all the points you raised
show there are things hardware vendors, operating system vendors, application
developers, and essentially our world should fix on our end and not burden
users with it.

For example, some web browsers (Google Chrome and Apple Safari) offer to
create randomized passwords.

------
kgwxd
"Buy and download antivirus software from a reputable source such as McAfee,
Norton, or Symantec."

Installing more proprietary software with unrestricted access seems like a
huge step backwards.
[https://en.wikipedia.org/wiki/Magic_Lantern_%28software%29#A...](https://en.wikipedia.org/wiki/Magic_Lantern_%28software%29#Antivirus_vendor_cooperation)

~~~
ken
Previously, from a former Mozilla developer [1]:

> At best, there is negligible evidence that major non-MS AV products give a
> net improvement in security. More likely, they hurt security significantly;
> for example, see bugs in AV products listed in Google's Project Zero. These
> bugs indicate that not only do these products open many attack vectors, but
> in general their developers do not follow standard security practices.
> (Microsoft, on the other hand, is generally competent.)

In the linked Project Zero issue tracker, all 3 of these "reputable sources"
have exploits in their anti-virus software.

[1]: [https://robert.ocallahan.org/2017/01/disable-your-
antivirus-...](https://robert.ocallahan.org/2017/01/disable-your-antivirus-
software-except.html)

~~~
badrabbit
Vulnerability is not lack of security. You need a threat actor exploiting the
weakness for it to become actual insecurity.

~~~
astura
That's... not what vulnerability means.

vul·ner·a·bil·i·ty noun the quality or state of being exposed to the
possibility of being attacked or harmed, either physically or emotionally.

~~~
badrabbit
I did not define vulnerability, I only explained security.

This is security 101. Risk is measured by multiplying vulnerability by threat.

Maybe an analogy might help. You are vulnerable to bullets. But your security
with respect to your bullet vulnerability is measured by multiplying it
against active threats that might shoot you with bullets. So, your security
decreases when in a warzone as opposed to lying in bed at your suburban house
due to reduction of threat.

------
imbusy111
I expected better from Mozilla.

Connecting to unsecured WiFi is mostly not a problem. Most websites and
applications encrypt traffic and the security of the channel does not matter.

Plus, the recommendation to install shady antivirus software throws the
motivation of this article into doubt.

~~~
glitcher
I agree. The section on "Use tough passwords and change them frequently",
except for the final suggestion to use a password manager, felt like
antiquated password advice.

~~~
stretchwithme
As long as the password manager is trusted. Some are run by a single person
nobody's heard of. I met a woman in Vegas who ran one and who couldn't believe
that people trusted it so much.

~~~
tokyodude
And then there are ones like LastPass that people on HN seem to recommend even
though their TOS basically says they spy on all your browser behavior and sell
it to 3rd parties

------
ChrisSD
> _Use tough passwords and change them frequently._ The best practice for
> passwords is to use real words or phrases you can remember easily — but
> spell them incorrectly. They should be at least eight characters and have a
> combination of letters, numbers, and special characters, such as 5pEAzhawh$
> for “five pizzas.”

The result of encouraging frequent changes: 5pEAzhawh$, 5pEAzhawh$2,
5pEAzhawh$3, 5pEAzhawh$4, 5pEAzhawh$5, ...

> Even better, use a password manager like Lastpass.

They really should have led with this.

~~~
tokyodude
When will LastPass stop being recommended? It says right in their TOS they
collect all your browser behavior and sell it to 3rd parties. Why should I
trust them?

~~~
ydj
Can you highlight where in the TOS they say this? I’ve used LastPass for
several years and this would be concerning if true. I didn’t see any such
language in their ToS:
[https://www.logmeininc.com/legal/terms-and-conditions](https://www.logmeininc.com/legal/terms-and-conditions)

~~~
tokyodude
tos:

> You may use our Services only as permitted in these Terms, and you consent
> to our Privacy Policy at
> [https://www.logmeininc.com/legal/privacy](https://www.logmeininc.com/legal/privacy),
> which is incorporated by reference.

pp:

> When you use our Services, we receive information generated through the use
> of the Service, either entered by you or others who use the Services with
> you (for example, schedules, attendee info, etc.), or from the Service
> infrastructure itself, (for example, duration of session, use of webcams,
> connection information, etc.) We may also collect usage and log data about
> how the services are accessed and used, including information about the
> device you are using the Services on, IP addresses, location information,
> language settings, what operating system you are using, unique device
> identifiers and other diagnostic data to help us support the Services.

> Third Party Data: We may receive information about you from other sources,
> including publicly available databases or third parties from whom we have
> purchased data, and combine this data with information we already have about
> you. We may also receive information from other affiliated companies that
> are a part of our corporate group. This helps us to update, expand and
> analyze our records, identify new prospects for marketing, and provide
> products and services that may be of interest to you.

> Location Information: We collect your location-based information for the
> purpose of providing and supporting the service and for fraud prevention and
> security monitoring. If you wish to opt-out of the collection and use of
> your collection information, you may do so by turning it off on your device
> settings.

> Device Information: When you use our Services, we automatically collect
> information on the type of device you use, operating system version, and the
> device identifier (or "UDID").

and

> Some specific examples of how we use the information:

> * Conduct research and analysis

> * Display content based upon your interests

> * Market services of our third-party business partners

and

> 4. Information Sharing

> ... We may share your personal information with (a) third party service
> providers; (b) business partners; (c) affiliated companies within our
> corporate structure and (d) as needed for legal purposes.

and

> Examples of how we may share information with service providers include:

> * Sending marketing communications

there's more

------
gkoberger
It was removed:

[https://twitter.com/asadotzler/status/1068961020540899329?s=...](https://twitter.com/asadotzler/status/1068961020540899329?s=20)

But here's the original article:

[https://web.archive.org/web/20181130081659/https://blog.mozi...](https://web.archive.org/web/20181130081659/https://blog.mozilla.org/internetcitizen/2018/11/25/the-bare-minimum-you-should-do-to-protect-your-familys-data/)

~~~
octosphere
Also on Archive.today: [https://archive.is/7SYNe](https://archive.is/7SYNe)

------
Zhenya
"Use antivirus protection. Buy and download antivirus software from a
reputable source such as McAfee, Norton, or Symantec. Beware of free antivirus
software, as it can contain malware. The iOS operating system has antivirus
software built in..."

Do people still really install anti-virus? Isn't it just another vector for
attack since they themselves use exploits to manipulate the OS?

Linux for desktop, pixel or iOS for phone. Signal for communication, fastmail
or Gmail on g suite for email.

Minimize installed apps on phone. Run a JavaScript blocker on Firefox if you're
using an Android (and on your desktop).

~~~
cmurf
Not only do people install it, I see it _required_ in corporate IT all the
time. As in, they even set a VPN policy that checks your anti-virus
definitions for currency and will refuse to connect if the definitions aren't
current or if anti-virus is not installed. The same corporate IT forces
90-day password changes, and nonsense like 5pEAzhawh$ instead of
fivepizzassoundsgoodbutdontforgetthebeer, because no matter what, longer is
better.

~~~
pbhjpbhj
I was on a site the other day, which I won't share publicly, that required "NO
MORE than 6 characters, including precisely 1 number and 1 capital"
(paraphrase, my emphasis) ... I definitely WTF-ed at that.

My default is 20 characters of alphanum, or 16 of "graph" (though I drop look
alike characters; 32 chars if I'm entering payment details).

One has to hope they have a small limit on retries. They definitely carry
commercially sensitive data and do payment processing.

What worries me is they used js to catch my attempt to use 20 chars, so
they're not operating completely naively -- all I can think was it was a
misinterpretation and s/most/least.

------
epistasis
> Fine-tune your browser settings

This is not so great advice, especially as a "bare minimum." What setting
would a user really want to change here?

The only advice should perhaps be the last sentence "Consider using plug-ins
like Privacy Badger or HTTPS Everywhere to block tracking or keep your
activity safer from snoops." And then explain what they do.

------
cmurf
Author needs to read, or re-read NIST 800-63B.
[https://pages.nist.gov/800-63-3/sp800-63b.html](https://pages.nist.gov/800-63-3/sp800-63b.html)

Do not change passwords frequently. Do not use short passwords and try to
compensate by using special characters and nonsensical word obfuscation,
instead use long passphrases, the longer the better.

------
codegeek
Overall a good resource but please no to "antivirus" software like McAfee.
Absolutely horrible and makes it worse.

~~~
ozim
Ok so you have kids who play, say, Minecraft; they download all the mods they
can in zip files and install all the other game packs from weird internet
forums.

What is the bigger threat and attack vector: McAfee, Symantec, or modding
forums for a 10-year-old?

For me installing AV is silly; I don't download and run random crap from the
internet that a friend from school also installed. But if I had kids, having
AV installed and updated would be quite a good idea. I also wonder all the
time how my non-technical close ones break their computers; I don't know what
they are clicking, but I do not get an unusable Windows 10 every 3 months. My
gf is not technical but she almost never installs anything on her laptop and
it works fine, so for this one I am quite happy.

~~~
astura
Is McAfee really better than Windows Defender in this use case though?

------
e_d_e_v
Link to archive:
[http://web.archive.org/web/20181127021739/https://blog.mozil...](http://web.archive.org/web/20181127021739/https://blog.mozilla.org/internetcitizen/2018/11/25/the-bare-minimum-you-should-do-to-protect-your-familys-data/)

~~~
octosphere
Also, for posterity it can be found here too:
[https://archive.is/7SYNe](https://archive.is/7SYNe)

------
pasta
Mozilla should enable safe browser settings by default.

For example: third party cookies are never needed on 99% of the sites you
visit.

------
AnaniasAnanas
Ironically, another piece of advice to protect your privacy would be not to
use Firefox - considering all the new telemetry, newtabpage, beacons, and
calling-home that Firefox nowadays does.

------
qwerty456127
> Use tough passwords and change them frequently.

This is futile advice, no sane person is ever going to follow it. You can
memorize a tough password or two but change them and memorize the new ones
frequently... nope.

> Tweak your home assistants.

Don't use home assistants unless you are a kind of person who really doesn't
mind broadcasting their whole life as a reality show without even being
informed when you're on air. I can't imagine a reasonable privacy-caring
person who would.

------
lifeisstillgood
OK, ... so what _would_ the Hacker News Guide to Online Family Security look
like?

- ISPs - Routers - Ad Blockers - OS - Data storage / backups - Facebook
or not? - iOS v Android ...

~~~
jaxn
I have PiHole running on our home network blocking ads, phishing domains,
etc.

I also don't use the ISP router / wifi.

I feel like those two things are good steps towards protecting my family. They
give me some peace of mind at least.

~~~
intopieces
Have you run into any issues that required tweaking of the PiHole set-up? I'm
running PiHole + a hand-rolled VPN on Digital Ocean but I'm looking to put
together little PiHole boxes for my family who live across the country. It
needs to pretty much be perfect out of the box or they'll unplug it.

I've only had to disconnect once or twice to unsubscribe from spam lists, but
I doubt my family would even bother.

~~~
jaxn
The only thing that almost annoys me is that Google ads are blocked on the
redirect, but not display. So sometimes I click them and have to go back and
click the organic result. I could probably tweak it.

I am running it on an old Pi B (the old one with an RCA jack). No issues. If I
was sending to family across the country, I'd probably add remote access of
some sort for myself.

------
Sushi-san
I think that it's beneficial that Mozilla pushes this privacy-minded ideology.
People who aren't tech-savvy might not know these tips.

------
michaelwu
Hitting a 404 now. Maybe all the comments here made the blog editors
realize they posted some bizarre advice.

------
Budabellly
I've been wondering recently, (how) do identity protection or fraud protection
software services actually work?

I feel like someone actually doing that right would be a big deal but haven't
heard anything special about the market leaders.

------
z3t4
If you don't want web sites to track you, you better not use a browser with
JavaScript, e.g. you better not use Firefox :P Also, to avoid tracking you are
better off using other people's internet connection, e.g. not your own.

------
miguelmota
The advice was basic high level advice which at this point should be common
knowledge for anyone using the internet. I can see why they took down the blog
post because it was disappointing content

------
radovanb
Page not found 404 error.

~~~
astura
They pulled it, because it was garbage:
[https://twitter.com/asadotzler/status/1068961020540899329?s=...](https://twitter.com/asadotzler/status/1068961020540899329?s=20)

------
octosphere
There's a mirror here: [https://archive.is/7SYNe](https://archive.is/7SYNe)

------
afpx
Does anyone know how data taken in data breaches is used by attackers? I’ve
always been curious.

------
jobigoud
Also avoid DNA services. If one family member does it it can compromise the
entire family.

~~~
astura
"Compromise" in what sense?

I don't find any sort of value in DNA services, but I don't feel "compromised"
one bit that my brother uses them.

Anyway, the idea of "family" when we get into DNA is not useful, a skilled
person can track you down because a total stranger who you share great great
great grandparents with uploaded their DNA into an open source DNA database,
which is what happened with the Last Area Rapist.

~~~
diminoten
If you murder someone, they might be able to find you via 32andme.

Some people would say, "Don't murder people, then!" but folks sometimes
prefer, "How dare they catch you, what a violation of your privacy!"

~~~
astura
So don't use 23 and me to make sure if your relatives can get away with
murder?

~~~
pessimizer
Everyone who doesn't want their genetics searched has a murder to hide.

The punchline: the series of rapes and murders that was used to
institutionalize mass DNA collection turned out to have been done by a cop who
didn't have DNA taken.

------
minton
>Turn off location services.

Will this make it impossible to find your lost iPhone?

~~~
Sushi-san
Yes, but you can edit location settings for individual apps IIRC.

------
saagarjha
> They should be at least eight characters and have a combination of letters,
> numbers, and special characters, such as 5pEAzhawh$ for “five pizzas.”

Obligatory xkcd telling you to not do this:
[https://xkcd.com/936/](https://xkcd.com/936/)

~~~
ImprovedSilence
I'm by no means an expert in this field, but I thought at some point I had
heard that using words like the xkcd comic were actually less secure. I
thought what I heard was that there is a type of dictionary search that can be
more efficient in cracking those "all words" passwords (as in, you don't
really have 44 bits of entropy). Again, I've got no source, and am not very
knowledgeable in this space, so someone correct me.

~~~
heinrich5991
Assuming you pull these four words randomly (not-human-random, actually
random) out of a dictionary of at least 2048 words, and separate them by a
space, you have a password of (at least) 44 bits of entropy. There's no way a
"dictionary" attack can reduce the possible password space to less than 2^44
possibilities.

~~~
ImprovedSilence
Some quick googling gave me this:
[https://paul.reviews/passwords-why-using-3-random-words-is-a...](https://paul.reviews/passwords-why-using-3-random-words-is-a-really-bad-idea/)

(also good stuff here:
[https://security.stackexchange.com/questions/151165/is-rando...](https://security.stackexchange.com/questions/151165/is-randomly-generating-passwords-from-an-assortment-of-dictionary-words-cryptogr))

It seems the consensus is to use 5-6 words, and following the xkcd trick of 4
may not be enough.
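
The entropy arithmetic the two comments above rely on (44 bits for four words from 2048, and why five or six words are recommended) in runnable form. This is an added example, not code from any commenter or from the linked articles: the 16-word list is constructed for the demo, words are assumed to be drawn uniformly with replacement by a CSPRNG, and the attacker guess rate passed to expected_crack_years is a hypothetical parameter, not a measurement.

```python
import math
import secrets

# Constructed 16-word list for the demo; a real list such as the EFF long
# list has 7776 words. The list size only changes the bits-per-word figure.
SAMPLE_WORDS = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grape", "honey",
    "ivory", "jolly", "kayak", "lemon", "mango", "noble", "olive", "pearl",
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words drawn uniformly and independently (with
    replacement) from a dictionary of dictionary_size words.

    The figure only holds when a CSPRNG picks the words; words a person
    "thinks of" come from a far smaller, predictable set and get no such bound.
    """
    if word_count < 1 or dictionary_size < 2:
        raise ValueError("need at least one word and a dictionary of two or more words")
    return word_count * math.log2(dictionary_size)


def words_needed(target_bits: float, dictionary_size: int) -> int:
    """Smallest number of words from this dictionary that reaches target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDS, separator: str = " ") -> str:
    """Pick words with secrets.choice (OS CSPRNG), not random.choice or memory."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase when the attacker knows the exact
    generation method (dictionary and word count) and searches that space:
    on average half of 2**bits guesses are needed. guesses_per_second is an
    assumed attacker rate, not a measured one."""
    return (2 ** bits) / 2 / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Hypothetical offline rate against an unsalted fast hash: 1e10 guesses/s.
    rate = 1e10
    for dictionary_size in (2048, 7776):
        for n in (3, 4, 5, 6):
            bits = passphrase_bits(n, dictionary_size)
            years = expected_crack_years(bits, rate)
            print(f"{n} words from {dictionary_size:5d}: {bits:5.1f} bits, "
                  f"~{years:.2e} years at {rate:.0e}/s")
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
    print("sample passphrase from the constructed list:", generate_passphrase(6))
```

The point the table makes is that the disagreement is not about the formula but about the inputs: the 44-bit figure assumes an attacker who already knows the word list and word count, so the only lever left is the number of words, and each extra word from a 7776-word list adds about 12.9 bits.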

~~~
tashbarg
Your first link uses a few assumptions that are very good security practice
but may confuse the inexperienced reader:

It assumes that the attacker has complete knowledge of the password generation
method. This is good security practice and provides you with a worst case
boundary. In reality, though, an attacker seldom has that advantage. Before
an attacker spends x hours/days/weeks to crack pure word-based passwords, they
will spend time to crack "passw0rd". If you remove the advantage of password
generation method knowledge, all numbers in this article are very different.
The reader should know about that!

It assumes that whoever is storing the password may do so badly. It even
states "assume the site stores our credentials in the weakest possible way".
Which is a dangerous assumption since the weakest possible way would be
plaintext and then the whole article would be moot. So, obviously we exclude
plaintext. The article goes with simple, single md5 hashes instead. While some
kind of worst case, it's pretty unrealistic nowadays that someone makes an
effort not to store passwords in plaintext and then fails so miserably in
googling how to do so. This worst case is probably chosen to have easier and
more impressive cracking numbers. The reader should be aware of this.

It assumes that the attacker obtains the password database. Again, good
security practice and a worst case scenario. But still not exactly 100%
realistic. If you argue with this assumption, the reader should be aware of
that.

In essence, this article proves that the "3 word method" is not secure enough
when absolutely everyone uses this exact same method (with knowledge of the
exact same words) with a service who incompetently stores passwords and got
its password database stolen.

While that is true, the advice it gives "Don't use words in passwords. Ever."
is just another example of great oversimplification that is harmful in the
end.

Instead of bashing methods for being not secure enough (whatever that means),
we should provide users with practical methods to come up with usable
passwords that are reasonably secure for the service in question.
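
The storage assumption discussed above, "a simple, single md5 hash" as the weakest non-plaintext scheme, next to what a competent verifier does, as an added example that is not code from the commenter or the linked article. It uses the standard library's PBKDF2-HMAC-SHA256 (a memory-hard KDF such as scrypt or Argon2 would be the stronger modern choice); the user names, passwords and iteration counts are constructed for the demo.

```python
import hashlib
import hmac
import os


def store_md5_unsalted(password: str) -> str:
    """The 'weakest non-plaintext' scheme the linked article assumes: one fast,
    unsalted MD5. Two users with the same password get the same record, and a
    single precomputed table serves every breached database that uses it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000) -> dict:
    """Salted, iterated hash: a per-user random salt kills precomputation and
    cross-user comparison; the iteration count makes every guess cost that
    many HMAC calls instead of one MD5. Store salt and parameters with the hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def duplicate_password_visible(stored_hashes: list) -> bool:
    """True if two stored values are identical, i.e. someone holding the
    database can see that two accounts share a password without cracking either."""
    return len(set(stored_hashes)) < len(stored_hashes)


if __name__ == "__main__":
    # Constructed accounts; alice and bob deliberately share a password.
    users = {
        "alice": "five pizzas",
        "bob": "five pizzas",
        "carol": "correct horse battery staple",
    }
    md5_db = {u: store_md5_unsalted(p) for u, p in users.items()}
    kdf_db = {u: store_pbkdf2(p, iterations=10_000) for u, p in users.items()}

    print("unsalted md5 reveals shared password:",
          duplicate_password_visible(list(md5_db.values())))
    print("salted pbkdf2 reveals shared password:",
          duplicate_password_visible([r["hash"] for r in kdf_db.values()]))
    print("bob logs in:", verify_pbkdf2(kdf_db["bob"], "five pizzas"))
    print("bob with wrong password:", verify_pbkdf2(kdf_db["bob"], "five pizza"))
```

Run it and the two `duplicate_password_visible` lines show the concrete difference the comment is pointing at: with the article's MD5 assumption, alice and bob's records are byte-identical before any cracking happens, whereas the salted records differ and each guess against them costs the full iteration count.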

------
jimnotgym
404? Has it been taken down?

------
stevew20
As someone who has dropped almost all social media (mostly so I can get more
done, but also for privacy), I can point out some non obvious consequences.
This blog post mentions that stopping the use of Facebook will prevent you
from seeing your nephew's baby pictures... This is true.

My extended family and remote friends actually got upset when I dropped
Facebook. They asked why I didn't want to be part of their lives, asked why I
was choosing not to talk to them anymore... All while texting me on phones
that allow instantaneous communication of any type of electronic media
imaginable, more so than Facebook allows.

Moral of the story: Facebook and other social media make most people socially
lazy with continuous use. If you don't believe me, go try to meet someone
under the age of 30 "out in the wild", at a bar or venue. Bars used to be the
easiest places to meet anyone: just walk in, sit at the front, and start
chatting. I'm not talking about people who are on their phones ignoring the
outside world; even people just chilling and having a beer just don't know how
to talk to someone outside of their social media platforms.

