[Plura-list] How to be safe(r) online

Cory Doctorow doctorow at craphound.com
Sat Nov 13 11:16:19 EST 2021

Read today's issue online at: https://pluralistic.net/2021/11/13/opsec-soup-to-nuts/


Today at 12PM PT, I'm presenting a talk called "Move Fast and Fix Things," for Aaron Swartz Day:



Today's links

* How to be safe(r) online: Ars Technica's excellent guide, by Sean Gallagher.

* This day in history: 2006, 2011, 2016, 2020

* Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading


⌨️ How to be safe(r) online

I flatter myself that I am pretty secure online. I've written a series of global bestsellers about information security, I've worked for EFF for nearly 20 years, I've given keynotes at some of the world's largest infosec conferences. And yet, I have been hacked. It wasn't even very sophisticated!

It was in 2010. My kid had made a fuss about going to day-care so my wife and I were late walking to work. The cafe we always stopped at for a coffee had longer lines at that hour, so I stood in line while she sat down and read a paper.


I had reinstalled my phone's OS the day before - the same day I'd had three different articles come out. I was hearing from a lot of people about those articles, *and* I was having to re-key my password in a lot of websites because I'd blown out my browser preferences with the reinstall.

Standing in line, I got a DM from an old friend: "Is this you?" followed by a URL. I clicked it, and my browser opened, then redirected to Twitter. I sighed, thinking that I needed to find the system setting to tell my phone to open tweets in the Twitter app. I typed my Twitter password into my browser, and ordered coffees.

As I was handing my wife her coffee, my phone buzzed three more times. It was three more DMs, from three more old friends: "Is this you?" and the same URL.

My guts twisted. I'd just been phished.

The Twitter worm that got me was simple: they took your Twitter password, logged in as you, and DMed all your friends with "Is this you?" and a phishing URL that looked like Twitter's login screen. The URL started with https://twitter.com, but continued with .scammysite.com (my mobile browser only showed me the first part).

I got fooled because of a perfect alignment of vulnerabilities - late, long line, new OS, new publications, bad browser design, inattentiveness. If the first phishing DM had come in 5 minutes later, in the flurry with the three others, I'd never have been caught. If we'd been on time and I'd received the DM while at my desk on my laptop, I wouldn't have been caught.

It's easy to sneer at people who get fooled by phishers, but imagine this: you are buying a house. You've just gone into escrow. You get an email or a phone call or a text from your bank about your mortgage, telling you that you have to complete another form. It's probably not even the first time that's happened - buying a house often requires going back several times to complete new forms! It's high-stakes, high-tension, and the market is so hot that if you miss a form, the house might go to someone else. Maybe you've already given your landlord notice or sold your own house.

Do you triple-check the URL your bank gives you? Does it even matter? Your bank is probably using half a dozen fintech services to close your mortgage and escrow. You're already routinely transmitting sensitive data to companies you've never heard of.

I get dozens of phishing emails like this every day, but I'm not actually buying a house, so I ignore them. But if I got one of these on the morning that I was closing on the deed? While juggling movers and finance and maybe a new job and a new school for the kid in another city? I'm not so sure. If you're honest, you won't be so sure, either.

That's the thing we miss about scams - they're scattered like dandelion seeds. The cost of adding another email address to an untargeted scam is close to zero, and the scammer doesn't care whether that email is deleted unread anymore than a dandelion cares whether one of its seeds falls on concrete.

The dandelion's reproductive strategy isn't to ensure that every seed takes root - it's to ensure that every crack in every sidewalk has a dandelion growing out of it.


11 years ago, I got phished. I immediately realized my mistake and changed my Twitter password, but, like many people then (and now!), I'd reused that password elsewhere.

I'd created my Twitter account while standing in line for a Game Developer's Conference press pass, after Ev Williams sent me an invite to the beta. I didn't think I needed a good password for it, because it was a toy that sent you updates about other people's lunches over SMS. Half a decade later, I had tens of thousands of followers and the account was key to my professional life.

The person who phished me hadn't targeted me. I was fooled by an embarrassingly blunt and transparent ploy. Is there any way I could have avoided this?

Perhaps. But not by maintaining perfect vigilance, or by never being harried or hasty. The blame-the-victim school of unattainable security locates the infosec pandemic's problem in human frailty, rather than bad systems.

Good security advice transcends this, and Ars Technica has just published an outstanding guide to securing your online life, in two parts, written by Sean Gallagher.

Part One ("The Basics") lays out both a way of thinking about security (particularly dispelling the notion that criminals won't target you because you're no one special), and a set of (mostly) simple steps you can take to defend yourself against opportunistic, untargeted attacks:


Part Two ("The Special Circumstances") offers advice for people who might be specifically targeted by attackers. That's not just one percenters and politicians - it can include people whose ex-spouses harass them with stalkerware, middle-schoolers targeted by bullies, and more.


I often get asked what people should do to be more secure, and I offer four basic pieces of advice:

I. Use a strong, unique password for every service. Get *any* reputable password manager (including the free one that probably came with your OS) and use it to generate *all* your passwords. Never use a password that you are capable of remembering - if you can remember it, a computer can guess it (the exception being the password that unlocks your password manager!).

II. Use two-factor authentication, preferably an authenticator app, like the one that comes with your mobile OS, or an indie like Authy. Turn it on for every account you use regularly, and seek it out when you create a new account. Avoid SMS-based 2FA.

III. Keep your OS and software up to date. When your OS or app asks you whether you want to update, *do it*.

IV. Turn on full-disk encryption. It's free, it came with your device, and it protects your data.

All of this is in Gallagher's advice, along with something I don't recommend enough, though I'm obsessive about it myself:

V. Back up your data, offsite, and keep multiple backups.

The easiest way to do this is with an encrypted cloud service. I do some of that, but my first line of defense are cheap, encrypted 1TB thumb drives that I back up to every day. Once a week, I take a disk to an offsite location and swap it with one that's already there.

Gallagher also offers solid privacy advice:

* get a tracker-blocker (like Privacy Badger) and an ad-blocker

* change the permission on all of your apps so they can only get your location while you're using them

* change your mobile device's Bluetooth name to something other than your own (e.g., not "Fred's phone")

He's also got some specific advice I hadn't really thought about:

* beware of a stranger who wants to move a conversation from one app to another (say, from Tinder to Whatsapp), as this is a "signature move" of fraudsters

* claim an IRS account for your Social Security Number (warning: this is complicated and I failed in my attempt because my information wasn't recognized)


One of the most common questions I get is "Which VPN should I use." Gallagher's answer? None of them: "for everyday Internetting, you just don’t need VPNs that much anymore. Transport Layer Security now encrypts a vast majority of Internet traffic, and it’s unlikely that someone is going to grab your credit card data or other personal information off a public Wi-Fi network."

But that's for "everyday internetting." If you're a whistleblower or someone else likely to be targeted, "use Tor." He also advises using Signal for encrypted chat, which is good advice for everyone, not just people in high-risk situations.

Another piece of advice offered in Part Two that everyone should follow is locking your credit report.

For people at risk of domestic violence and stalkerware (the two are highly correlated), he suggests Operation Safe Escape:


All in all, this is excellent advice. If I'd followed it when I was phished, my recovery would have been a lot simpler. 2FA would have defended me, and if it hadn't, I would only have needed to change a single password.

But some of the advice is less realistic, even if it's sound: telling people not to click on email links, or to turn off wifi and Bluetooth when they're out of the house (especially in an era in which the headphone jack is nearly extinct) may be good advice, but realistically, no one's going to follow it.

As with much in information security, a sound defense requires both technology and policy. You shouldn't have to turn off Bluetooth and wifi, because both the standards that define them and the implementations in your device should defend you from information leakage. Likewise, mobile OSes shouldn't default to naming your device after you, and app vendors shouldn't be able to get your location when you're not using their apps, period.

Of course, most of us aren't in a position to do anything about policy. We're not FCC commissioners, we don't work in an EU Information Commissioner's Office or for a state Attorney General.

But that doesn't mean that we should ignore policy, or give tech advice that no one will follow. A good deal of the threat to our privacy and security doesn't come from criminals, it comes from large corporations adhering with bad, or out of date, laws.

America trails the world in privacy law. It is long overdue for a federal privacy law, with a private right of action - something ferociously resisted by telcos, ad-tech, and Googbook:


Before the FDA was founded, people were routinely sickened and killed by "medicine" that was literally poisonous. I imagine that people got advice then that sounds a lot like our infosec advice today: "Only take medicine from doctors you trust," "read the labels carefully," etc.

Today, we have a better system: we make it a crime to poison people or lie to them about what's in medicine or what they can expect of it.

The advice in Gallagher's guide is essential, and much of it would apply even in a world where we had good tech policy. But even if you follow all that advice, it won't protect you from the choices made by governments and corporations that put their priorities ahead of your welfare.

Today is Aaron Swartz Day. One of Aaron's most memorable quotes is from the fight over SOPA, an idiotic, internet-destroying legal proposal that Aaron helped kill a decade ago: "This is the 21st century. It's not OK for politicians not to understand the internet anymore."


The awful state of tech policy is a scandal that puts us all at risk. Security is a team sport, after all. No matter how careful you are, you can still be compromised by someone else's badly configured technology - the emails you send to someone else may leak, a company may suffer a breach and put your home address on the internet forever, etc.

Aaron fought for better tech policy. A lot of orgs do that today: EFF, of course, but also Public Knowledge, Software Freedom Conservancy, FSF, Creative Commons, Internet Archive, Fight for the Future, SFLC, EDRI, Open Rights Group, and many, many others.

We should all take some measure of responsibility for our technological safety and security, sure - but until we get better tech policy, we'll just be sticking bandaids on tech's gaping wounds.


⌨️ This day in history

#15yrsago Canadian copyright minister caught lining pockets https://web.archive.org/web/20061115062027/https://www.michaelgeist.ca/content/view/1529/135/

#15yrsago Universal Music CEO: iPod owners are thieves https://web.archive.org/web/20061201014046/https://www.billboard.com/bbcom/news/article_display.jsp?vnu_content_id=1003380831

#10yrsago Berlusconi to neo-fascists: “I’ll be back.” https://www.theguardian.com/world/2011/nov/13/berlusconi-hints-return-italy-government

#10yrsago Occupy London members evicted from St Paul’s memorial services https://www.theguardian.com/uk/2011/nov/13/occupy-london-asked-leave-st-pauls-services

#5yrsago People who voted for Trump knew their shot at the elites was fired through the guts of their neighbors https://www.newstatesman.com/spotlight/2016/11/on-the-election-of-donald-j-trump-2

#1yrago Big Car wants to pump the brakes on Right to Repair https://pluralistic.net/2020/11/13/said-no-one-ever/#r2r


⌨️ Colophon

Today's top sources: Bruce Schneier (https://www.schneier.com/blog/).

Currently writing:

* Spill, a Little Brother short story about pipeline protests. Friday's progress: 251 words (30385 words total)

* Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. Yesterday's progress: 551 words (37782 words total).

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Breaking In https://craphound.com/news/2021/09/26/breaking-in-fixed/

Upcoming appearances:

* Move Fast and Fix Things (Aaron Swartz Day), Nov 13

* Policy, Profit, Privacy, and Privilege: The Post-Pandemic Future of Remote Testing Technology (ACM-USTPC), Nov 15

*  Alternative recommender systems in the DSA: How to protect free expression, create competition and empower users all at once (Article 19)

* Launch for Jeffrey Cranor and Janina Matthewson's "You Feel It Just Below the Ribs" (Kepler's), Nov 18

* The Kids Are (Kinda) All Right (San Diego Comic-Con), Nov 28

Recent appearances:

* Tales From the Bridge:

* Seize the Means of Computation (Internet Archive):

* Making Money (Desert Island Discworld)

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The *Washington Post* called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.


Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


⌨️ How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Medium (no ads, paywalled):


(Latest Medium column: "Bait and Switch: Capitalism’s Shell Game: From Robert Bork to John Deere" https://medium.com/@doctorow/bait-and-switch-7f61cff85aa3)
Twitter (mass-scale, unrestricted, third-party surveillance and advertising):


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion Guy" DeVilla

More information about the Plura-list mailing list