Nov. 17th, 2016

deborah: The management regrets that it was unable to find a Gnomic Utterance that was suitably irrelevant. (gnomic)
I'm seeing a lot of people post about how, in light of current political shifts, everyone should increase online security. A few points on this:

  • Yes.
  • This is always true.
  • Most of the advice going around is a mix of good, reasonable, difficult, and bad. (eg. One list going around says Gmail is totally safe because it won't get hacked. Google (and Facebook, and Apple, and others) explicitly cooperates with the CIA, the NSA, and other governments around the world.
  • There is a conflation of different concepts of online security: protecting your data from theft, protecting your data from government abuse, protecting your accounts from hacking. There's no point in getting paranoid about Internet security if you don't know which of these dangers is most important to you, how much you can assess risk, and what measures specifically apply to that danger.

Don't take the advice of activists about security. Take the advice of professional Internet security experts (I am not one). Start with Brian Krebs ([twitter.com profile] briankrebs) and Bruce Schneier ([twitter.com profile] schneierblog). A lot of what they have to say is aimed at security experts and you can ignore it; focus on the pieces that are obviously relevant to you, such as Brian Krebs' Tools for a safer PC. If you are the kind of person who likes to look for the work of women and people of color when you are looking for expert opinions, don't hold your breath when you are looking in research for computer security. That is not to say that there are not security experts who aren't white men, but infosec has notoriously always been so misogynist and such a cultural cesspool that it appalls even the rest of the tech industry.

When it comes to protecting your accounts and your own devices from hackers, the tips you get from experts are only somewhat inconvenient and a great place to start.

However, when it comes to protecting your information from the panopticon, whether corporate or government, I've got some bad news for you:

If the advice sounds easy or socially convenient, it's false.


  • Cloud services put you at risk. (Twitter, Gmail, Facebook, and technically Dreamwidth, though the scale of Dreamwidth allows many of us to have a relationship of trust with the site.)
  • Credit cards put you at risk, whether or not you have ever purchased something online in your life.
  • Using an email address in multiple places put you are risk.
  • Having ever given your telephone number, email address, or Social Security number to a business puts you at risk.
  • Having friends who know your email address or your phone number puts you at risk.
  • Not knowing the underlying tech infrastructure of the online services you use puts you at risk.
  • Browsing the web puts you at risk.

If you are going to be engaging in the kind of activism that will put you in a government's crosshairs, and you have a sincere, evidence-based belief that you are going to be targeted by a government because of your activities, and you want to protect yourself, you need to do some serious, hard-core curation of your available information online. You are not going to fix your problems by installing Tor and using two-factor authentication on your Gmail account. You are not going to fix your problems by any tip sheet that is currently being circulated around Twitter. And you are not going to fix your problems easily. It is difficult to address this kind of situation without a major life change. For most of us, resources would be better spent on lobbying the companies we do business with to mitigate the damage from these kind of practices writ large. That is to say, not necessarily helping ourselves, but trying to diminish the surveillance state as a whole.

Here's a very brief summation of the problem. Okay, not so brief. Be Afraid. )

tl;dr

If you are seriously worried and have good reason to be exceptionally careful:

  • Encrypt everything.
  • Only use cloud services where you explicitly trust the host and know their policy about government requests for information, third-party vendors, and their third-party vendors' similar policies.
  • Only use throwaway cell phone numbers, email addresses, and credit card numbers to do business.
  • Never, ever use social media.

For the rest of us, well. Here's what we can do.

  • Take a deep breath and acknowledge that any reasonably competent government and sufficiently well-off corporation already knows anything about us that it wants to.
  • Protect our devices and our accounts from explicit hacking.
  • Lobby for institutional change in the surveillance state and the industrial panopticon.
  • Stop panicking.

And seriously, folks. Install 1Password, KeePass, or some other locally hosted password manager, and switch to unique and difficult passwords for every account you have. And then install Ghostery on your browsers.

And don't panic about this. Be concerned, and be careful, but panicking is counterproductive; the cat is so far out of the bag for most of us that there is not even cat hair left. We have a lot more to panic about than whether the government can find us.
deborah: the Library of Congress cataloging numbers for children's literature, technology, and library science (Default)
Those of you who subscribe to the childlit mailing list will understand why this clip has been looping endlessly through my head for the last day.


(Transcript)

Those of you who don't can extrapolate.
Page generated May. 1st, 2017 12:37 am
Powered by Dreamwidth Studios