Tuesday, February 21, 2012

Accessible Encryption, Privacy & Security

Sometimes I talk to people about things like privacy, security, or data redundancy and they look at me like I'm a crazy person - why would anyone care about that? Do you have to be some sort of sick weirdo to care that much about those issues?

The reality is that my digital life is pretty boring, but it's important to me. I've had relatives have their emails "hacked" and I can only imagine how much it sucks to lose all of your correspondence and contacts. I've seen stories of people who bring their computers to a shop to have them repaired, and the creeps at Best Buy copy all sorts of personal files to snoop through later. I'm also extremely uncomfortable with the idea of people (internet service providers, governments) monitoring my web browsing habits, just like I'd be uncomfortable with someone reading my physical mail and packages, or looking at my library history, or reading through my medical files.

Here are a few pieces of software that I use to keep myself safe and secure.

KeePass - free - www.keepass.info

One of the worst things you can do online is use the same password EVERYWHERE. If someone breaks into your email account, they can search your history to find all the services you subscribe to (Facebook, your bank, Skype, etc) then try your password on those sites. Odds are in their favour that it will work.

KeePass is a vault where you can store all of your passwords. You set a "master" password on the vault, then save all of your other passwords inside. KeePass also has a password suggester/generator which helps change all of your dumb passwords into awesome passwords. The file is highly encrypted (you generate entropy for the encryption by waving your mouse around the screen) and, as long as your master password is complex, can't be opened by anyone who doesn't know it.

Generally I have a few unique passwords I remember, like my Gmail account. But everything else goes in the vault, and I randomly generate a 20+ character password for each account. If you asked me what my online banking password was, my honest answer would be "I don't know". I've been using KeePass for over four years and find it indispensable.
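The two points above (a reused password exposes every account that shares it, while a vault holds a different random 20+ character password per account), as an added Python example that is not KeePass code or part of the original post. The account names, sample password, alphabet, and function names are constructed for illustration.

```python
import math
import secrets
import string

# Assumed character set for illustration: letters, digits and 18 symbols (80 total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"


def generate_password(length=20, alphabet=ALPHABET):
    """Pick every character independently from the OS CSPRNG."""
    if length < 20:
        raise ValueError("the post's rule of thumb is 20+ characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def accounts_exposed(vault, breached_account):
    """Accounts that share the password of the one that was broken into."""
    leaked = vault[breached_account]
    return sorted(name for name, pw in vault.items() if pw == leaked)


def build_unique_vault(accounts):
    """One independently generated password per account, as in a password vault."""
    return {name: generate_password() for name in accounts}


# Constructed sample accounts, matching the services the post mentions.
ACCOUNTS = ["bank", "email", "facebook", "skype"]
REUSED = {name: "Summer2012" for name in ACCOUNTS}  # same password everywhere
UNIQUE = build_unique_vault(ACCOUNTS)

if __name__ == "__main__":
    print("reused:", accounts_exposed(REUSED, "email"))
    print("unique:", accounts_exposed(UNIQUE, "email"))
    print("bits  : %.1f" % entropy_bits(20, len(ALPHABET)))
```

With the reused password, a break-in at the email account exposes all four accounts; with per-account random passwords, only the email account is affected.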


TrueCrypt - free - http://www.truecrypt.org/

TrueCrypt is free and open source hard drive encryption software. You can choose to encrypt your whole hard drive, create an encrypted "container" (like a folder) that you can encrypt and decrypt on the fly, or create a secret, undetectable hidden partition. Like KeePass, it uses extremely robust encryption to secure whatever you need away from prying eyes.

What would you store there? Ask yourself this question: If someone stole your computer, do you have any files that you'd never want to be shared with the world? Those are the files you'd encrypt with TrueCrypt. Maybe it's your tax return, maybe it's some bad Grade 8 creative writing that you can't bring yourself to delete, maybe it's your digital diary, who knows.

Or maybe someday you're going to have to cross a border into another country. Border security agents are getting more and more power to do things like copy your entire hard drive onto their systems for analysis. Imagine landing in London only to be immediately deported for having some pirated movies on your laptop. Forget asking whether they might find anything incriminating - do you think your personal data is safe with them?

Just how good is this encryption? Right now, there's a mortgage fraud case in the States where a judge is ordering a defendant to decrypt the contents of her laptop because the Feds can't break it.


Prey - free (for basic version) - http://preyproject.com/

Prey is free (for the basic version) and open source software that helps you recover your computer, phone, or tablet if it's stolen. You install the software once, then write down your website username and password somewhere safe (how about your KeePass vault, backed up on your Dropbox account?).

If someone steals your computer and connects to the internet, Prey acts like a "good guy" Trojan horse - you can turn on the webcam, take a picture of the bad guy, and get information about where it's connecting to the internet from (without the thief knowing). You can take that info to your local police and they'll usually step in and get it back. Prey has a whole blog of success stories of people who recovered lost or stolen devices with Prey:
http://preyproject.com/blog/cat/recoveries


A VPN (I use WiTopia, which is $50-70 per year)

I just blogged about this the other day - go read this post: http://blog.brahm.ca/2012/02/virtual-private-networks-and-why-you.html


Tor Browser - free - http://www.torproject.org

In my blog post about VPNs I give an over-simplified explanation of how VPNs work. Tor is a network of VPNs that obfuscates your location by encrypting your web traffic and routing it through multiple "Tor nodes" all over the globe. A super-detailed explanation can be found here.

I first heard about the Tor project a few years ago, when it was significantly less user-friendly - it required a lot of end-user configuration. I just checked it out today, and wow, I'm impressed. It can be downloaded as a pre-configured instance of Firefox's portable edition that "just works". You start it up and wait a second as it builds an encrypted connection.



If you're trying to access the internet from a country with a crazy dictator or want to take the simplest step possible to protect your privacy when you're travelling, install Tor Browser. Here's a list of who uses it, and why.

--

Make yourself and your data safe, and protect yourself from digital snoops!

3 comments:

  1. Well written, Brahm. Do you use Dropbox (or a similar service)? What are your thoughts on using it from a security standpoint, given that I think it uses server-side encryption instead of client-side?

    1. Hey Shea, thanks.

      I think Dropbox does actually use an SSL connection for transferring files (see: https://www.dropbox.com/dmca#security), but that didn't stop them from having a big ugly security breach last year.

      I mostly use Dropbox for convenience - I store a few documents and guitar tab files there.

      One thing Dropbox is superbly useful for is a storage locker for your encrypted "containers". I keep my encrypted KeePass database in Dropbox so I can access it anywhere. I also created a 250MB TrueCrypt container that acts as an ultra-secure cloud storage locker for some files I might need access to remotely - like some personal accounting info, and a snapshot of the contents of my wallet in case my wallet gets stolen (again).

      In both cases, all Dropbox gets to see is a highly encrypted file. I start up KeePass or TrueCrypt and open the files locally on my computer, but Dropbox wouldn't ever "see" the password or the encrypted files inside, just a lump of garbled data.

  2. Thanks for the excellent contribution to the discussion.
