Tim Lavoie

Created: 2022-04-08 Fri 15:04

Defend Yourself on the Internet (few others will…)

  • Tim Lavoie
    • tim@fractaldragon.net
    • @tjlavoie on Twitter

Privacy, Secrecy, Security

  • Different, but related.
  • What you do in the bathroom may not be secret, but you close the door.
  • You might want something in there to be secret though, and that's OK.

Security Principles

Confidentiality

  • Sometimes you might need that "special" alone time in the bathroom. Really alone, not even the cat.
  • Finding out that pictures had been taken without your permission would feel most intrusive, even if you did nothing unusual.

Integrity

  • You want to be able to trust that the condoms in the drawer are intact.
  • Poking them with pins, and replacing toothpaste with "Preparation H" would both be attacks on the integrity of your bathroom.

Availability

  • You want the bathroom to be available when you need it.
  • Strangers barging in and hogging the john would be what is known as a "denial of service" attack.

The internet is not private

  • More like a postcard
  • Except that postcards have more legal protection

Slightly better

  • Use an envelope
  • Pay for a tracking code

Internet has many intermediaries

  • Feels like a flow of information
  • Really broken up into small pieces called "packets"
  • Reassembled later to look coherent

Packets have no protection

  • Can be:
    • altered
    • dropped
    • inspected

How it works

  • Look up address
  • Send a request
  • Get a response
  • Lather, rinse, repeat

Look up address

  • Computers, networks use numbers
  • Names are for our convenience
  • "cbc.ca" has multiple answers, e.g. "23.59.189.83"

How to reach an address

  • Series of hops
    • Your local network is one
    • Your ISP is the next
    • Multiple providers, often multiple country borders, in the middle

Make a request

  • GET /boobs.jpg HTTP/1.0
  • Web server responds, possibly with a picture

Data vs. Metadata

  • Data is typically full content
    • What's in your posted envelope
  • Metadata is high-level, but still revealing
    • Who you are, what you asked for
    • Addresses and postmark on the envelope
    • Rarely secret, even if contents are
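The exchange above, worked through as an added example (not the talk's own material): a constructed HTTP/1.0 request and response are parsed so you can see which fields are the data (the body) and which are metadata that every hop along the way can read. The host name example.invalid, the cookie values and the page body are all constructed placeholders. A second function shows what the same hops still learn once the exchange is wrapped in TLS, which is the point made later under HTTPS Everywhere.

```python
"""HTTP/1.0 exchange as seen by an intermediary (added example, not from the talk).

The request, the response and the host name are constructed for illustration.
"""
from typing import Dict, Tuple

# Constructed request: the raw text a browser puts on the wire.
# example.invalid is a reserved name (RFC 2606), used here as a placeholder.
REQUEST = (
    "GET /index.html HTTP/1.0\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: demo-browser/1.0\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

# Constructed response from the server.
RESPONSE = (
    "HTTP/1.0 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 38\r\n"
    "Set-Cookie: tracker=xyz; Path=/\r\n"
    "\r\n"
    "<html><body>hello, world</body></html>"
)


def parse_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP message into start line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def plaintext_view(request: str, response: str) -> Dict[str, object]:
    """Everything every hop (Wi-Fi, ISP, transit providers) can read when the
    exchange is plain HTTP: the metadata *and* the data."""
    req_line, req_headers, _ = parse_message(request)
    resp_line, resp_headers, body = parse_message(response)
    method, path, _version = req_line.split(" ")
    return {
        "server_name": req_headers.get("host", ""),
        "method": method,
        "path": path,                              # what you asked for
        "cookies": req_headers.get("cookie", ""),  # who you are
        "status": resp_line.split(" ", 1)[1],
        "content_type": resp_headers.get("content-type", ""),
        "body": body,                              # the full content
    }


def https_view(request: str, response: str) -> Dict[str, object]:
    """What the same hops learn once the exchange is wrapped in TLS: headers
    and body are encrypted, but the server name still travels in the clear in
    the handshake (SNI), and sizes and timing remain visible.  Sizes here are
    plaintext lengths; real TLS records add some overhead."""
    _, req_headers, _ = parse_message(request)
    return {
        "server_name": req_headers.get("host", ""),
        "request_bytes": len(request.encode()),
        "response_bytes": len(response.encode()),
    }


if __name__ == "__main__":
    for name, view in (("plain HTTP", plaintext_view), ("HTTPS", https_view)):
        print(f"--- {name} ---")
        for key, value in view(REQUEST, RESPONSE).items():
            print(f"{key:15} {value!r}")
```

Run it and compare the two listings: the HTTPS view has lost the path, the cookie and the body, but the server name and the sizes are still there, which is exactly the "metadata still out there" caveat.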

Requests lead to more requests

  • A page is text
  • Links fetch images, video
  • Links can be for other sites (not in address bar)

Privacy

  • A child born today will grow up with no conception of privacy at all. They’ll never know what it means to have a private moment to themselves, an unrecorded, unanalyzed thought. And that’s a problem because privacy matters; privacy is what allows us to determine who we are and who we want to be.
    Edward Snowden

The Internet Does Not Forget

  • Ever do anything embarrassing?
  • Before computers, memory was finite
  • Post now, it's forever

Be Careful

  • Most of us post without thinking
  • Social Media profits, and encourages over-sharing
  • Location data in your phone, apps, data

Facebook's CEO, on people giving him info

  • Zuck: I don't know why.
    Zuck: They "trust me"
    Zuck: Dumb fucks

Now consider

  • Facebook wants to be the middle man for your personal communications
  • "Likes" sell brands to your friends, in your name
  • Social Graph - more metadata
  • Default sharing becomes more public at every turn

Ad networks

  • It's not the site you're on
  • Per-page auction
  • Targeted ads pay more
  • Winner shows you ads

Ad Network Malware

  • Malware tricks your programs
  • Gives control to attacker
  • Do you trust (or know) the ad network?

Forbes.com

  • Started using nag screen
    • (Some) users disabled ad block
    • Received malware in the ad

ISP, Friend or Foe?

  • Comcast & US Congress
    • Wanted to pass a law permitting the internet service provider (ISP) to do all sorts of things with your data.
    • Not in Canada, but…

Pushed for legislation to allow ISPs to:

Sell your data to marketers

  • browsing history, geolocation

Hijack your searches

  • Several did this

Snoop your traffic, insert ads

  • AT&T, Charter, CMA

Pre-install software, record URLs

  • AT&T, Sprint, T-Mobile

Inject tracking cookies in all mobile traffic

  • AT&T, Verizon

Unpatched and Unsupported

  • Home networks now have many devices
  • Most little or no vendor support
  • IoT = Internet of (unsecured) Things

Light bulbs

Dolls

  • Recorded audio, sent to manufacturer, left exposed on internet

Ceiling fans

Dog houses

Fridges

Baby monitors

Juice Machines

(In)security cameras

Botnet of Things?

  • Cameras were part of a huge botnet, recently used to attack other systems
  • Related, @internetofshit on Twitter is great

Open Wi-Fi

  • Not just (usually) slow
  • Even encrypted, all traffic is shared locally
  • Surprise dick-pics on the printer

Spam, Scams & Phishing

Controls

  • These are things you can do to reduce risk

Passwords

  • Use long ones and a password manager
    • KeePassXC
      • Portable: Windows, Mac, Linux
      • Secure encryption
      • Easy to sync via Dropbox, Google, thumb drive
  • Generate random, copy/paste when needed
  • DO NOT RE-USE
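What "generate random" means in practice, as an added example (not code from the talk or from KeePassXC): passwords and passphrases are drawn with Python's `secrets` module, which uses the operating system's random source, and the entropy of each choice is computed so you can see why length matters more than cleverness. The word list is a constructed, deliberately tiny stand-in; a real passphrase list has thousands of words.

```python
"""Random password and passphrase generation (added example, not the talk's code).

`secrets` draws from the OS random source; the `random` module is not suitable
for this because its output is predictable.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed, deliberately tiny word list; a real one has thousands of words,
# and the entropy per word depends on that size.
WORDS = ["copper", "lantern", "orbit", "meadow", "violet", "tundra",
         "harbor", "quartz", "ember", "willow", "falcon", "summit"]


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Uniformly random password; each position is an independent draw."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Words are easier to type by hand when copy/paste is not an option."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years for an attacker at the given guess rate to try the whole space
    (the expected time to hit one particular password is half this)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    print("password:  ", pw, f"({entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    pp = generate_passphrase()
    print("passphrase:", pp, f"({entropy_bits(6, len(WORDS)):.0f} bits)")
    for bits in (40, 80, 128):
        print(f"{bits:3d} bits -> {years_to_exhaust(bits):.3g} years at 1e10 guesses/s")
```

The printed entropy figures make the point of the slide: a 24-character random password is around 157 bits, while six words from a twelve-word list is only about 21 bits, so a passphrase is only strong when the list behind it is large and the words are chosen by the machine, not by you.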

Two-factor Authentication

  • Not just something you know, but something you have
  • Google Authenticator app, others
  • SMS (text) is weak, but much better than none

Control your network

  • Log in to your router to list devices
  • Disable UPnP
  • Firewalls
    • On system
    • Network edge
    • Don't forget out-bound

Back Ups

  • Ransomware is huge; the threat is losing access to your information
  • Back up to separate device, ideally somewhere else
  • Keep multiple versions
  • One option: CrashPlan.com

Have I been pwned?
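An added example (not the talk's code) of how the Have I Been Pwned "Pwned Passwords" check can be done without handing over the password: only the first five hex characters of the password's SHA-1 hash are sent to the range endpoint, the service returns every hash suffix sharing that prefix, and the match is made locally (k-anonymity). The reply used here is a constructed stand-in for the service's response; the live fetch function is included for real use but is not needed to run the check offline.

```python
"""Checking a password against Have I Been Pwned's Pwned Passwords range API
without sending the password (added example, not the talk's code).

Only the first five hex characters of the SHA-1 hash are sent; the service
returns every suffix sharing that prefix and the match is made locally.
CONSTRUCTED_RANGE below is a constructed stand-in for such a reply."""
import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix sent to the service, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent."""
    for line in range_body.splitlines():
        if not line.strip():
            continue
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10) -> str:
    """Live query (needs network).  Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "defend-yourself-demo"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


# Constructed reply for prefix 5BAA6 (the SHA-1 of "password" starts 5BAA6...).
# The other suffixes and all of the counts are made up for this example.
CONSTRUCTED_RANGE = "\r\n".join([
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567",
    "F1D2C8A9B0E3456789ABCDEF0123456789A:12",
])

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_sha1(candidate)
        print(f"{candidate!r}: prefix sent = {prefix}, "
              f"seen {pwned_count(candidate, CONSTRUCTED_RANGE)} times (constructed data)")
```

Password managers such as KeePassXC can run this same check against their stored entries; the thing to take away is that a well-designed service can answer "has this leaked?" without ever learning what you typed.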

Patch everything

Encrypt everything

Browser Options

  • DELETE Adobe Flash
  • Use good browsers with Adblock and privacy add-ons
  • Watch what you put online, and assume that whatever protects it will eventually fail

HTTPS Everywhere

  • Use encryption by default
  • Metadata still out there though

uBlock Origin

  • Filter ads
  • Load Faster, Safer

Privacy Badger

  • Filter Tracking Data

Terms of Service - Didn't Read

Links

Links (2)