By comparison, the Tech Solidarity checklist is the result of a survey of a bunch of different security people and is both generally more sophisticated and sound than this checklist and also manages to be a little shorter (in word count):
> Do as much of your work as possible on an iPhone or iPad rather than on a laptop. Use a bluetooth keyboard for easier typing.
Is that serious? I mean sure, iPhones and iPads are generally less prone to viruses and such, but I feel like it is generally safe to use computers, and if you do the other things on this list you won't end up with an infected computer. In addition, if you are doing most of your work on these, it is almost guaranteed that all the information is going to be sent to iCloud / another app's 'cloud'.
* Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer, and a gigantic security team. Note too: this guide also suggests avoiding email as much as possible.
* If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), all the cloud drive services (not just Google Drive) are a bad idea.
* Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.
* iOS devices are, for most people, far more secure than computers, which aren't locked down at all and for which any kind of local code execution is almost invariably game-over all the way through the kernel, and at least game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.
> Google Mail is, for most people, the safest email service, with the most mature and comprehensive 2FA, direct connectivity to GDocs to make viewing attachments safer
> If you work with sensitive documents (this checklist was originally devised for journalists and the airport lawyers), all the cloud drive services (not just Google Drive) are a bad idea.
So is Google Drive a good idea or a bad idea? Maybe for normal people Gmail is good, but in the next point you say this list is for journalists and airport lawyers; wouldn't you advise them to use something more secure like Fastmail/ProtonMail, or if you are serious, your own mail server or something? Why does this list not talk about Tor / PGP, the most fundamental tools for security for journalists?
> Chrome is the safest browser with the most mature and reliable anti-exploitation hardening and the most responsive security team.
I don't think this is true at all. What is wrong with Chromium or Firefox open source alternatives? Why doesn't it mention things like no-script and ublock origin?
> iOS devices are, for most people, far more secure than computers, which aren't locked down at all and for which any kind of local code execution is almost invariably game-over all the way through the kernel, and at least game over for all of the user's data. Most computer users are never more than an errant couple of clicks away from losing their whole machine to an attacker, which is not the case for someone reading their mail on an iPad.
My fundamental problem with this is that if you are going to be doing things on an iPad you are almost certainly going to be using cloud services. Whether it is Google Docs or Pages or Word or anything, it is very difficult to keep things 'local' to your hard drive on an iPad, whereas on a computer with Dropbox it is much more clear that files in there are going to leave your computer.
For most people, including technically inclined people, running your own mail server will almost certainly lose you significant amounts of security.
If you deal with sensitive documents like legal artifacts in immigration cases, you want to have control over which of your documents wind up in the cloud and which you retain custody over. So while viewing attachments in the cloud is very good practice (viewing them locally is a good way to get owned), running a service that generally slurps your local drive (or big chunks of it) into the cloud is not a good idea.
If you want to run a Chromium build rather than Chrome, that's fine.
I provided the reasoning for preferring iOS devices to general purpose computers already. The additional concern you just added doesn't come close to offsetting.
I'll add, though this isn't in the Tech Solidarity checklist, that if the goal is commercially reasonable security and not security in the public interest, Chromebooks are another good option for end-user computing.
> If you deal with sensitive documents like legal artifacts in immigration cases, you want to have control over which of your documents wind up in the cloud and which you retain custody over.
This is incredibly easy with Dropbox or Google Drive. Everyone I know who uses these services has an intuitive knowledge of 'stuff in this folder goes in the cloud', and if they wanted to keep sensitive data off it they would know exactly how.
I am on an iPad, so no mature options for encrypting it myself with PGP or something really exist. I shouldn't upload it to a cloud service (although chances are that it already is, because pretty much every iOS app uses a cloud of some sort). I shouldn't email it. I can't plug in a physical USB device because iOS doesn't have file reading access. I guess I convince everyone to use Signal? That is pretty impractical for 'normal' people, converting everyone over to their own messaging app.
Also, on your phone, what browser do you use? Chrome? Well, not really, because it is all WebKit under the hood, so you are going to be using Safari no matter what.
Regarding sharing of sensitive documents: if you have to do it over the Internet, use a secure messenger to do it. Email attachments are probably the second most dangerous attack vector facing end-users (after phishing). That's why we tell people to use Google Mail; attachments open in their browser viewer and are rendered Google-serverside.
You don't need to convince everyone to use Signal; it's adequate to use WhatsApp, which, again, is already one of the most popular messaging applications in the world (this is one of the reasons getting Signal Protocol baked into WhatsApp was such a monumental achievement).
In the particular case you mentioned they aren't picking on Drive, they're saying that if there are copies of your messages that's less secure in the sense that now somebody could get those copies, not the originals you have. Doesn't matter how, write an NSL, break into a server, trick a customer services agent - the problem is you allowed copies to exist, so it's not that Drive is specifically bad but that you shouldn't use anything at all.
For the iOS reliance, I personally wouldn't do this but I can see the sense of the advice. Full blown personal computers are not easy to secure against unsolicited garbage, why take the risk?
That Tech Solidarity checklist does say who it's for, which is a start, but it doesn't tell them what it's aiming to achieve for them if they follow the advice.
For example, maybe WhatsApp makes the list because it uses the Signal protocol design and they assessed that this was especially resistant to attacks on the confidentiality of individual messages. Or, perhaps they felt WhatsApp would protect a journalist's sources especially well due to the large volume of other WhatsApp users acting as cover for any analysis. Maybe they felt the method users follow to confirm that there's no MITM was better (easier to use, better documented) in WhatsApp than competitors, or maybe they felt its owners were more likely to tell the FBI to fuck off if they turn up with a warrant.
> Use a bluetooth keyboard for easier typing.
Creator here - thanks for bringing this up. I was concerned about the message here as well. I'm not getting paid for that ad. I had a couple companies offer sponsorship of this list, but I decided to not pursue. In the end, 1Password simply offered this discount to visitors. For me this felt like the best thing I could do from a user experience point of view (switching to a password manager is hard for most people, and giving the extra nudge to do something really important for their online security might just do the trick) and from an ethical point of view (I'm not getting paid, and will continue adding competing password managers to the list).
You should of course not be using a compromised laptop. Covering the light that goes on when they activate the camera would be one of the few signals that something like that is up; that is of course assuming they did not manage to disable that.
Otherwise solid list.
I'd add a few items:
Plan for the worst and have a contingency plan for breaches. E.g. have a list of phone numbers handy that you can call to get cards blocked, critical accounts that you need to verify the integrity of, secure backups of essential documents, etc. Also consider what can happen to you when you travel. Phones, laptops, etc. get stolen all the time. Hardware tokens are easy to lose. Bags get stolen, etc.
Keep your 2FA recovery codes in a sane place where you can access them but no one else can. An encrypted file in a Dropbox folder with a sufficiently strong key might do the trick.
Be careful with paper copies of anything. Burglaries do happen and in case you are targeted, this may be the most valuable thing to steal in your building.
Require passwords to be entered whenever you access your password manager or 2FA app (e.g. Authy). It only takes a few seconds to access your password manager if somebody gets their hands on your unlocked device while you visit the restroom or grab a coffee.
Have an aggressive screen lock policy (it should be locked whenever you are separated from your laptop/phone). Many devices have all sorts of convenient features that boil down to them being unlocked when they shouldn't.
Not to mention they're probably recording everything you say, which is probably more valuable than pictures of your face.
Total side note and blatant plug, but if people are interested in open source checklists and lessons on digital and physical security (from how to send a secure email to how to detect physical surveillance), check out Umbrella Security, a free open source app we built. It's on Google Play and you can find out a bit more at https://www.secfirst.org. iOS and a totally new version due out in Feb!
Granted, if the attacker can access the webcam then most likely your system is compromised, 1Password is compromised (including the 2nd factor as advertised on the site), so you might have bigger problems already. It all depends on the intent of the attacker.
One thing I would like to figure out is how I can 'trust' JS for Google on Google Maps (required to work), but not anywhere else? It seems like NoScript is per domain but not based on what page you are on.
I understand why you used this language, but I think it's worth noting that, unlike blindly executing a program on the operating system itself (such as by running an .exe file you receive via email, torrent, download, etc.), you are executing a script inside a program that is, or should be, sandboxed. So, even though something can still go wrong, the potential impact is a lot smaller.
Covering your camera is supposed to protect you from this kind of thing, especially for younger ages or for people less technologically inclined.
Note that they may have gotten the password from a hacked website--not from your webcam/microphone.
Check out https://haveibeenpwned.com/
Take note that some of these tips are either not considered good practice or even harmful depending on your locale.
E.g., the data protection standards in the EU are so high that there's no need to worry about DNS or ISP snooping for advertisements/tracking. This makes using a VPN or a different DNS less useful. I might even go so far as to call it harmful, because you're introducing a party that you don't have such a strong contract with.
...or even impossible in some cases.
* 18.104.22.168 is blocked in Turkey.
* Most VPN providers are blocked in Turkey.
My personal opinions:
* I don't like the promotion of Brave over Firefox. Change my mind if you can.
* Stressing the importance of HTTPS (extensions like HTTPS Everywhere) should really be included in this list.
Furthermore I find it contradictory that the site uses Google Analytics while encouraging the use of DuckDuckGo.
Yeah, there is no "real" facebook button. Nevertheless one can find a Google Analytics Script inside the source code. IMO this is really sarcastic.
Bitwarden or KeePass for password management
FreeOTP for 2FA
A cut-off headphone jack plugged into your laptop's mic port, complementary to the webcam covering
It is reasonable to trust a VPN provider more than an ISP because you have a choice of VPN provider, you can vet them and choose the one that you feel provides the best safeguards to your privacy and security. Most Americans have between zero and one choices for high speed internet. Even in major metropolitan areas it is common to live in a cable monopoly, with a phone company providing sub-par "competition". You cannot vet your choice and choose the one that provides the best experience because you have no options. Even those that do have a choice may still connect to coffee shop or hotel WiFi on occasion, losing choice again.
In short, VPN providers are a) competitive and b) portable.
You're not wrong that you're putting the same amount of trust in them, but these properties mean you would not be wrong to do so.
I trust them a lot more than I trust some VPN provider.
often used by people in preference to other operating systems due to a variety of reasons
Linux being available free of cost is certainly one of the least relevant features for me.
Dell also sells Ubuntu desktops and laptops that cost more than their Windows equivalents. The cost difference is presumably because the Ubuntu machines do not include the crapware bloat that comes with Windows, such as antivirus trial subscriptions.
What's the concern here? That it's set to some DNS provider that does evil things? If they intercept DNS requests (not unusual, as even my home router can do that), this mitigation is useless and you're sending your DNS requests to a third party.
I work in embedded systems, mostly C code, and I find this area is often missing from general "security guidelines" type of resources.
Sorry, securitycheckli.st, I can't see your content because you fail this basic test.
I think they're suggesting we should default to no JS anywhere by default, other than sites one whitelists JS usage on.
IOW what NoScript (and maybe uMatrix?) does.
Perhaps the authors felt storing passwords in their own infrastructure is beyond many users, or the unavailability of an iOS app is a downer.
1: Pass - Password Store by Mingshen Sun https://itunes.apple.com/us/app/pass-password-store/id120582...
You can read more about it here: https://developers.cloudflare.com/22.214.171.124/dns-over-https/
All "normal" UK ISPs (I use a tiny boutique one that doesn't do this but anything advertising on TV is big enough to have agreed to participate) voluntarily filter DNS. Right now in theory they just try to filter out child pornography, "extreme" pornography, and whatever Hollywood told them was a copyright violation. In 2019, in the event they find time to do something other than bickering about their ludicrous "Brexit" the British government wants to upgrade this to let them filter out anything they want.
Their 2018 white paper about this supposes that DNS blocking will be effective against ordinary users, though it notes if you have Tor you aren't blocked. Coincidentally at the same time they were publishing that paper, there was an IETF in London discussing DPRIV which is a set of protocols like DNS over HTTPS designed to er... make such filtering impossible.
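The DNS-over-HTTPS mechanism mentioned above, as an added example that is not code from the thread or from any resolver operator: it encodes a DNS question in wire format, builds the RFC 8484 GET URL (base64url, no padding), and parses a constructed wire-format answer offline. The resolver endpoint and the response bytes are assumptions, not values from the thread.

```python
import base64
import struct

# Assumed resolver endpoint (not from the thread); RFC 8484 defines the URL form.
RESOLVER = "https://doh.example/dns-query"

def build_query(name, qtype=1, txid=0):
    """Encode a DNS question in RFC 1035 wire format. RFC 8484 recommends
    txid 0 so identical queries produce identical, cacheable URLs."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def doh_get_url(query, resolver=RESOLVER):
    """GET form of RFC 8484: base64url without '=' padding in the dns parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    parts, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it
            if end is None:
                end = off + 2  # the name ends after the 2-byte pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(parts), (off if end is None else end)
        parts.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

# Constructed response for example.com: one A record whose owner name is a
# compression pointer (0xC00C) back to the question name at offset 12.
RESPONSE = (struct.pack(">HHHHHH", 0, 0x8180, 1, 1, 0, 0)
            + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(doh_get_url(build_query("example.com")))
    print(parse_a_records(RESPONSE))  # ['192.0.2.1']
```

Because the query travels inside an ordinary HTTPS request, an ISP that only inspects port 53 traffic sees neither the name asked nor the answer returned.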
I strongly disagree with that statement, though I don't necessarily advocate use of a password manager for 2FA. When 2FA is in use, you have 2 points of failure, since the failure of either will lock you out of your account. Reducing that to 1 point of failure actually increases your overall resilience.
It's like a car: reducing the number of necessary parts decreases your car's overall likelihood of breaking down.
For the user it doesn’t really change much. Loss of password manager or 2FA client will lock them out of their account. This is easily hedged against because a lot of providers provide easy access to reset a password and provide backup 2FA tokens or fall over to SMS/Email tokens.
Yes... but if someone has access to your 1Password account, they most likely gained physical access to or otherwise pwned your computer. Sure, it's slightly easier for an attacker to do that than to get 2FA tokens off your phone, if that's where you keep them.
So the increased risk of using 1Password for 2FA (given you're already using 1Password for passwords) would be roughly quantified by taking the risk of computer pwnage and subtracting the risk of phone pwnage given they already pwned your computer -- not much in my opinion, if you're reasonably security-conscious on your computer. Note that I'm ignoring the risk of 1Password's encryption being broken or insider threat at AgileBits, which in my opinion is vanishingly small at present.
One thing I read somewhere and previously never thought about: if you are _really_ about security, you should use a password manager and should enable 2FA.
But: you should not use one program for both (1Password offers this), because you are creating a single point of failure.
* Keep your software updated.
* Restrict & remove online access as needed. After the 2nd time she gave out her password, Granny's web banking was turned off.
* Lock users down to just the access they need; if managing devices for kids or the elderly or less technically savvy, consider removing admin access.
* When using any tool, get the paid version. Free means your privacy is what it cost.
* Keep backups, and know how to restore in case you are compromised.
* Set up access alerts going to a separate email account for as many of your accounts and services as possible.
Things to question:
* Not sure we can safely promote Australian-based Fastmail thanks to their backwards new laws.
* Mobile browsers, like Firefox Focus, are great - not sure that I'd put Brave ahead of Firefox.
* Not sure VPNs are really all that helpful, feels more like a personal preference vs. a real security measure.
Disclaimer: not an Australian citizen, not a lawyer, etc.
All the coverage I've heard about this law has focused on the idea that companies and service providers are expected to "assist" with government access to encrypted communication. In that context, I'm not sure how this particular law really impacts Fastmail. For the basic use case, their service is built in such a way that it already has access to all your unencrypted data. So the Australian government didn't need this law specifically to get at your data, they just needed to issue a lawful order. If you're taking the additional steps to encrypt your data before it reaches their service (e.g. using a third-party email client with PGP), then there's not really anything Fastmail is going to be able to "assist" with beyond providing access to the data you've encrypted.
I'm not affiliated - not even using their product.
For the "Use a privacy-first email provider".
I currently use G Suite for business emails within my personal business.
Are there any alternatives that offer something similar to G Suite but with the expected privacy of the listed providers?
I'm aware that I won't be able to get all the features of G Suite, but I primarily only use the email part (Of course with multiple users so it has to have support for that.)
Is there even a difference between main Google PP and G-Suite PP? Is Office365 PP privacy first?
* Signal >> Blog >> Setback in the outback || https://signal.org/blog/setback-in-the-outback/
* Advocating for privacy in Australia || https://fastmail.blog/2018/12/21/advocating-for-privacy-aabi...
* Honest Government Ad | Ass Access (anti-encryption law) | The Juice Media || https://thejuicemedia.com/honest-government-ad-ass-access-an...
*Having worked for a large telecommunications provider
Cloudflare is suddenly better than Google? Not a fan of either company, but I suppose it's possibly the best public DNS provider.
Create a new login entry, then create a new field under the Section header. By default, it's a text field, but you can change it to a 2FA code. Then it will prompt you to scan a QR code.
Also the answer to your question is the first result when googling "1password 2fa".
If there's any risk of an attacker breaching your 1Password vault, I don't know if it's even worth talking about whether you have 2FA enabled for accounts -- at that point it's very likely they also have access to whatever you'd have used for 2FA also.
(One exception might be if an AgileBits insider were to install malicious code into the 1Password client. In that case, those who use 2FA outside 1Password would be significantly less vulnerable.)