from Hacker News

A Guide to Not Getting Hacked

by wnm on 11/19/17, 12:56 PM with 79 comments

  • by tptacek on 11/19/17, 8:32 PM

    Everything that's in this piece that's true is on the Tech Solidarity guide. What isn't, is false.

    https://techsolidarity.org/resources/basic_security.htm

    In particular:

    * Do NOT install antivirus on your computers. Antivirus software is absurdly dangerous. The closest you'll come to benign AV is Microsoft's, but that's an asymptotic kind of safety.

    * Do NOT go out of your way to funnel your traffic through a commercial VPN provider. If you need a VPN for your NGO or journalism outlet, let me or someone else trustworthy know, and we'll set up Algo for you. No commercial VPN provider is safe for at-risk users.

    * Do NOT EVER use Tor Browser. It's the least safe browser you can use: a lagged fork of Firefox for which whole classes of security bugs are potentially WONTFIX'd, and also the only browser that goes out of its way to collect high-value targets.

    * Do NOT install Adium or Pidgin to speak to people over OTR. It's difficult to find exploitable bugs in libotr, but it is not difficult to find them in libpurple. Use Signal, WhatsApp, or Wire.

    * You would have to be out of your fucking mind to install mobile AV.

  • by davidscolgan on 11/19/17, 4:51 PM

    I've lately only been using Linux on my laptop and desktop, but my grandparents recently asked me about advice on a new computer. Is the current best practice to avoid all antivirus software and assume Windows 10 is secure with whatever is built in?

    Grandpa thinks Avast makes his computer secure and is using their custom browser for his banking. Is my great distrust in all antivirus systems as worse than the viruses they theoretically find still valid?

  • by edraferi on 11/19/17, 2:12 PM

    This is a pretty thorough introduction to personal digital security. It starts by emphasizing Threat Modeling, which lay users often forget.

    Most of the recommendations are standard (password manager, two factor authentication, basic OPSEC, ad blocking plugins) but it also has a fairly detailed discussion about the TOR browser. The recommendation to use a VPN may be controversial, but it includes a discussion of the relevant threat model, which helps.

  • by ploggingdev on 11/19/17, 2:36 PM

    > Do use antivirus

    I think the standard advice from the security community is to not use any antivirus at all and maybe only Windows Defender if you're on Windows.

    The advice to use Tor browser is also terrible. The Tor browser is based on an older version of Firefox (currently version 52 vs 57 for upstream Firefox) and so might contain known bugs.

    On a side note what does the security community think about Qubes OS [0]? The approach of security by isolation is interesting.

    [0] https://www.qubes-os.org/

  • by JepZ on 11/19/17, 4:02 PM

    > Mac users can install Adium, PC (and Linux) users will have to install Pidgin and the OTR plugin.

    No word about OMEMO[1] or Conversations[2]. I think running your own XMPP Server with end-to-end encryption should be pretty safe (if needs to be safer run it within a VPN). After that the unsafest part is probably the device you use your app with (closed source firmwares nobody has ever seen).

    [1] https://xmpp.org/extensions/xep-0384.html

    [2] https://conversations.im

  • by ryanlol on 11/19/17, 2:26 PM

    This is overwhelmingly terrible advice.

    It even tells you to install a mobile antivirus!

  • by proee on 11/19/17, 8:39 PM

    Regarding web extensions like Adblock or others, this seems to be quite risky I'm using because the developers of the plug-in could get hacked and silently release a version that captures your password fields.

    Are we really ok giving full read/write access to our webpages from companies we know nothing about?

    I'm considering removal of all web extensions that have read/write access.

    Thoughts?

  • by suyash on 11/19/17, 7:33 PM

    "Camera access" - let's discuss this in more detail. So I am not convinced that I need to put that ugly piece of sticker onto my laptop camera. Is this really a big problem on Mac or no? Is there another alternative than putting some ugly sticker on a beautiful laptop?

  • by mar77i on 11/20/17, 4:16 PM

    ....With my 32 years and tech affinity I simply can't imagine owning a credit card. The missing security being one thing, but it may also have to do with relatives being perpetually short on money for debt they accumulated themselves.

  • by stoolpigeon on 11/19/17, 2:39 PM

    I don't understand why their first point for mobile was "Get an iPhone" but they didn't do something similar for desktop. Why didn't they say "Run OpenBSD"?

  • by qrbLPHiKpiux on 11/19/17, 2:30 PM

    But nobody really wants to understand anything. They want a turn key solution. An intro to threat modeling is good. But it’s lost on deaf ears. The weakest link in compsec will always be the person using the device.

  • by SomeStupidPoint on 11/19/17, 2:58 PM

    Everyone should appropriately consider the source (and their security concerns), but this also exists:

    https://github.com/iadgov

    It provides some advice and references a number of other government sources once you dig into it.

  • by gggvvh on 11/19/17, 7:13 PM

    Ban China, Russia and India IP space. Problem solved.

    Edit: what’s with the downvotes? Burned much? Hey, try looking at your failed ssh login attempts before and after doing this. You’re welcome.

  • by suyash on 11/19/17, 7:36 PM

    Pretty solid guide, considering sharing this with all your family and friends on Facebook, email etc as an average Joe can learn a lot from this.

  • by beamatronic on 11/19/17, 5:24 PM

    For the parents and grandparents:

    Do as much as you can with just a Chromebook

    Use 2 factor authentication

    Don't go anywhere near Windows