Securing your digital home - part 1: overviewD. Olsson
Your own digital privacy and security is incredibly important these days. So many aspects of our day-to-day life rely on digital services. I don’t think you would ever leave the door unlocked to your home while you’re away, leave you bedroom window blinds open while you’re sleeping or broadcast your private conversations over speakers on the street outside. Nevertheless, this is metaphorically what’s happening to most people’s digital homes when appropriate care is not taken. In this blog post series we will cover things you can do to better protect your digital home.
What’s the “digital home” you ask? I’m referring to (1) your mobile phone (2) your laptop and (3) your home WiFi. These are primarily the three types of devices through which you live your digital life. Being digitally secure or private has been considered very difficult in the past. Part of the problem is understanding the why, what and who. Finding easy to understand yet comprehensive guidelines is difficult. But this blog post series will try to tackle this in a holistic yet pragmatic way.
Before we talk further about security and privacy we need to define our threat model. Why protect something? What are we protecting? Who are we protecting from?
Why and what to protect
I don’t care, I don’t have anything valuable to protect or hide in my digital life
I’m frankly getting tiered of hearing this argument. Privacy is a human right that will be taken away if we don’t treasure it, no matter if we have something to hide or not. I usually counter the earlier argument by asking:
Please send me your email and Facebook passwords to email@example.com
No one ever sent me their passwords. I wonder why? Perhaps for the same reason you never hand out copies of your door key to strangers, even if you don’t have a million dollars under the mattress.
Who to trust
The best place to start when thinking about enhancing your digital security and privacy is to identify what (and what not) to trust. Ultimately your threat model will vary based your situation. Most people are not secret service agents or whistleblowers and therefore have no reason to live a paranoid life not trusting anyone. Instead we’ll define a pragmatic threat model that arguably should apply to most people, starting with what we need to trust:
- Operating system (OS): If you don’t trust who provides your OS you’ll have to compile it yourself from source code. But for most people this is not practical. So in this model we’ll trust the OS provider and their related services (e.g. Apple and iCloud, Windows and OneDrive).
- Virtual Private Network (VPN): Private and secure connection to the Internet does not come without a cost. Although VPN providers incentives are aligned with respecting customer privacy (e.g. not saving or analyzing logs) we have to trust them simply because they can spy on you.
Who to not trust
Given the aforementioned assumptions of who we trust in our threat model, below are the four parties one should not trust.
1. Snooping middle-men
When you connect to the Internet you always connect via some middle-man, e.g. your government’s Internet cables, your Internet service provider (ISP), your mobile data provider, public WiFi spots etc. You’re facing two issues with these middlemen (1) they are able to spy on you since you connect through their systems (2) it’s often possible for a malicious human or bot on the same network to attack your computer.
Other snooping men-in-the-middle are companies that give out email services for free in exchange for selling your private data, such as Google or Yahoo. There ain’t no such thing as a free lunch.
Middle-men are nasty, we’ll find a way to hide from them!
2. Evil bots on the Internet
It’s 2017. The Internet is not a pretty place anymore. It’s full of malicious bots trying to inject and attack anything and everyone. These bots constantly knock on your digital door by trying random passwords to your online accounts, look for open holes on your computer (network ports) in order to steal or hold your information hostage, to use your computers resources to attack others or in rare cases steal digital currency like Ether on your computer.
Bots are real and evil, we’ll find a way to defend ourselves!
3. Malware on your device
No matter how well you protect yourself, eventually something will happen. Malicious software (aka. malware, ransomware, trojan, virus) could be placed on your computer by a bot or by yourself unknowingly downloading malicious software. And when this happens (because it will) you need to have things in-place to limit the damage and let you know something’s wrong.
Computer malware is a real thing, we’ll find a way to stay digitally healthy!
4. Harmful people
So far we only talked about automated attacks and blanket spying methods. But there’s also people wanting to cause you direct harm, like people who disagree with your opinions or just the common thief who just want to steal your computer. Direct access to your computer is a risk because stealing documents, emails, keys or other sensitive information can be as easy as plugging-in a USB-key to your computer with an automatic malware.
Thieves do no good, so we’ll find a way to physically protect our devices!
The keys to your house
As we begin to be more conscious of how we communicate and how we protect our information online we must pay great attention to passwords and other secrets sometimes called “digital keys”. These digital keys will be what ultimately protect your digital home and used for (1) logging into services (2) sign messages to ensure it was really you who sent it (3) encrypt messages so that only the person you want can read them.
The next blog post in this series will be about how we establish our digital identity and the best way to store our digital keys so that we easily can recover them if they are lost. We don’t want to be locked out from our house, or worse, locked out from our digital identity!