The Biggest Data Breach Yet: Part 2
(Hey look, we didn’t forget to follow up that first post… we just got really busy. On a good note, our security analyst was again a recognized member of the beta-testing group for the upcoming 2020 release of Bitdefender!)
So now that you know your life isn’t private, let’s take a look at how you can protect yourself.
First things first. Yes, this will get a little technical. And yes, some of this might be more work than you want to do. Truth be told, having privacy in today’s world is in large part a tradeoff. Do you want more privacy or more convenience? I’ll try to break this down as much as possible into low-effort vs. high-effort options.
Why does it matter?
This is a bit of a rehash from the last post, but it really comes down to this: we have a fundamental right to privacy. Over time, this right has been chipped away at so slowly that people didn’t know what was happening. Now, it’s hidden behind fine print and fancy algorithms so you don’t stand a chance to know what’s happening unless someone tells you.
Maybe this is better illustrated with a simple scenario (which is already happening today). Say someone in your house happens to have a smart insulin pump. Cool stuff, right? They can check out some of its info from their phone. This someone isn’t you. For you, you happen to go to fast food places more often than you’d like to say. Cool again, Cookout rocks. But now you need some health insurance. Your prospective insurance company spends a trivial amount of money and learns you love your fast food and might also have that insulin pump. Your quote is now 30% higher. And all you know is that this is your quote, not why you were quoted that amount. Or that it could be lower.
Do you think 3rd party companies should be able to buy information like that? Or that this information should be collected in the first place? I don’t. Let’s look at how to stop it.
The principle of how to avoid this is pretty simple. Basically, use encryption everywhere you can, don’t load the extra stuff on websites, and limit the permissions you give to things on your phone.
The technical requirements for this are a tad more advanced. But still not too bad. Hang with me on this one and I’ll break it down in (what I hope are) simple ways and then link offsite to more complicated areas for our power users out there.
It’s time to STOP BEING THE PRODUCT
I’m going to go the same route with this that I did in part 1. We’ll start off with emails and then head over to phones and finish off with computers.
Ultimately, there is only 1 way to provide privacy with emails: encryption. If your email isn’t encrypted, it’s being read while en route to its destination and when it has arrived and is waiting to be seen by your recipient. If your email is encrypted, it can only be read by you and the recipient. So how do you encrypt your email? Good question!
The simplistic route has two good options:
- Use an email provider who does this by default. Personally, I like Protonmail. They tick off all the security guidelines with good server policies, protection from nation-state snooping, and top-notch encryption. They also offer free and paid tiers. Plus, no personal information is needed to make an email with them. Not a fan of Protonmail? You can check out this link for all of the privacy-focused email options out there and how they stack up with each other. All that said, keep in mind that if you are sending an email to someone outside of your email provider (for example, sending from Protonmail to Gmail), the email is not sent encrypted unless you check off to encrypt it. Added bonus: we can even set up your own domain to use something like Protonmail if you want (so firstname.lastname@example.org can go through Protonmail’s servers to keep you secure)!
- Use an Outlook addon that will encrypt the email for you. This is pretty easy to set up as well and there are numerous options to pick from. I’ve not looked too far into it but I can say that Lockbin’s addon worked great with its free tier. Basically, you make an account with Lockbin and then install their addon to Outlook (very easy process). From there, if you email anyone who also has a Lockbin account/addon, the email shows up decrypted in Outlook. If you send an encrypted email to someone without Lockbin, you assign it a password and the recipient will get a link to Lockbin’s site where they enter the password to get the email.
The not so simple method of email encryption:
I’m not going to get too far into this one as it gets complicated fast. Basically, you create two keys known as a private/public key pair. The private key is kept by you and never shown to anyone. The public key is given to those who you want to be able to decrypt your message. Something encrypted by your private key can only be decrypted by your public key. Likewise, something encrypted with the public key can only be decrypted with your private key. What’s cool about this is it provides both privacy and certainty. Your emails are private and you know for sure (unless that private key was stolen) that the person sending the email is who they say they are. I’m not going to get into implementation here but I will say that my preferred route is using Thunderbird with the Enigmail addon. There are Outlook options too but Thunderbird handles this a tad better. Want to learn more? This link is a good place to start.
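To make the key-pair idea concrete, here is an added example (not from the original post, and not the OpenPGP format Enigmail produces) using Node.js's built-in `crypto` module. The names `alice`, `bob`, `sealMail`, `openMail` and `tryOpen` are hypothetical; the sketch signs with the sender's private key and encrypts a one-time AES key to the recipient's public key.

```javascript
const { generateKeyPairSync, publicEncrypt, privateDecrypt, randomBytes,
        createCipheriv, createDecipheriv, sign, verify, constants } = require('crypto');

// Constructed key pairs for two hypothetical correspondents.
const newPair = () => generateKeyPairSync('rsa', { modulusLength: 2048 });
const alice = newPair();
const bob = newPair();

const oaep = (key) => ({ key, padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' });

// Sender: sign with own PRIVATE key (certainty), then encrypt a random
// session key to the recipient's PUBLIC key (privacy).
function sealMail(plaintext, senderPrivate, recipientPublic) {
  const body = Buffer.from(plaintext, 'utf8');
  const signature = sign('sha256', body, senderPrivate);
  const sessionKey = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body), cipher.final()]);
  return {
    wrappedKey: publicEncrypt(oaep(recipientPublic), sessionKey),
    iv, ciphertext, tag: cipher.getAuthTag(), signature,
  };
}

// Recipient: unwrap the session key with own PRIVATE key, decrypt the body,
// then check the signature against the sender's PUBLIC key.
function openMail(mail, recipientPrivate, senderPublic) {
  const sessionKey = privateDecrypt(oaep(recipientPrivate), mail.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', sessionKey, mail.iv);
  decipher.setAuthTag(mail.tag);
  const body = Buffer.concat([decipher.update(mail.ciphertext), decipher.final()]);
  return {
    text: body.toString('utf8'),
    signedBySender: verify('sha256', body, senderPublic, mail.signature),
  };
}

// Anyone holding the wrong private key gets nothing back.
function tryOpen(mail, recipientPrivate, senderPublic) {
  try { return openMail(mail, recipientPrivate, senderPublic); } catch { return null; }
}

const demo = sealMail('Lunch at noon?', alice.privateKey, bob.publicKey);
console.log(openMail(demo, bob.privateKey, alice.publicKey));
console.log(tryOpen(demo, alice.privateKey, alice.publicKey)); // sender's own key cannot open it
```
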
Before anything else, remember that the smart phone in your pocket is basically a little spy. You can apply mitigations but you will never completely control it (although Purism has a really cool phone in the works which might say different). A few basic rules to follow with your phone:
- If you are ever looking to be truly private, don’t trust the phone. Need to have a conversation you know is private at a place you don’t want connected to you? Turn the phone completely off before you ever arrive. Otherwise, your location is logged and there’s a chance that conversation is being listened in on (though in this regard that’s more of a concern if you are of interest at government levels than if you are just some end user).
- Use good communication apps. The best apps secure your messages to ensure they are only readable by you and the person you send them to. For texting, Signal is hands-down the best option. It works great and does all the hard work automatically when sending a message to someone else with Signal. It even has a desktop app so you can use it from your computer. Many people have heard of Telegram too. It’s way more privacy focused than something like Facebook Messenger so if you’re picking between the two I’d say Telegram. The only word of caution, without getting into the technicalities of why, is that Telegram is great for basic privacy only… don’t trust it if you need to hide illegal activity (which we do not condone of course).
- Only install the apps you need. Keep in mind free apps get their money from somewhere… which is usually your data. For the apps you have, limit their permissions. On Android, you can view the permissions each app has under your Apps setting. Don’t think the app needs to have permission to access your microphone? Go ahead and deny it. If the app breaks, determine if you trust it enough to turn that permission back on or if you want to find a different app.
- Use tracking blockers. For your web browsing app, Brave does a fantastic job at blocking ads and trackers while still allowing almost all websites to keep working. The better route here is to actually create a DNS proxy on your phone and catch all ad and tracker traffic. I know this sounds hard but it isn’t. A slightly customized AdBlock can be used for the iPhone or the Blokada app (only obtained through F-Droid) for Android. I’ll cover this in a future blog post.
And your computer. Just switch to Linux… you know you want to. Joking aside, let’s dig in.
This is an interesting one. For the sake of not writing a book, I’m sticking with Windows as my example here. Sorry Mac/Linux users. Extra sorry to the Mac users… I’m not the hugest fan of Macs and skipped large sections of their security in my studies. Any of my Linux fans out there, I’m happy to lend a hand on securing your systems. Now then, the best approach here is to break this into three categories.
Do you know what kind of data is the hardest to find? The kind of data that either never existed in the first place or can’t be proven to exist. Want to ensure your data is nice and safe on your computer? Encrypt the disk. Not password-protecting your login or making a single encrypted folder. Encrypt the entire disk. Windows has a built-in tool called Bitlocker for their Professional and Enterprise levels. It encrypts the entire disk and works pretty well invisibly if your computer has what’s called a TPM chip or else asks you for a password before Windows will even boot. There is some controversy over whether the government has forced Microsoft to build a backdoor into Bitlocker so they can still get in but current evidence doesn’t support that. Another great option is the free program VeraCrypt. It does the same thing with more options (like even being able to hide encrypted volumes inside other encrypted space so they can’t be found unless you know they are there!). Bottom line though: unencrypted data can be grabbed and read with almost no effort by anyone who can physically access your device.
Just a quick note here… if you encrypt your data and lose the key/password, we are not responsible for that. If you aren’t sure what you’re doing, ask us. We’d be glad to help.
This is another one of those sections which could be an entire post by itself. And actually, I’ve touched on it in other posts. But here’s the thing: using this blog as an example… we know you’re reading it, your ISP knows you’re reading it, and the government knows you’re reading it. And probably a ton of advertisers but we’ll hit on that in just a second. How do all of us know you’re reading the blog? Simple. We see the connection coming from your house/office/phone and ending up on our site. Nothing is hiding who you are. The most popular anonymizing service you can get is a VPN service (please do not buy the first thing that says VPN after reading this… 98% of them are scams). In simple terms, all of your traffic gets funneled through an encrypted connection to a remote server and then out to its destination. Now no one has a clue what you are doing online and the end destinations cannot tell it’s coming from you. Unless you picked a bad VPN service. As these services change, I will only say that you should talk to us if you need one and we will be happy to help at that point. There are also other services such as Tor, JonDonym, various internet proxies, and the like which all have the same end goal. VPNs are the most common for their simplicity. One important thing to note however: if you only use these services when you need them, it’s pretty obvious to onlookers that you are attempting to hide something. If all you’re doing is downloading music illegally, you probably aren’t a big enough target for a nation-state to care about. If you are trying to overthrow the government… well, I’m not going to tell you how to stay hidden but I will say this won’t quite cut it.
Now, if anyone has a semi-legitimate reason to stay very hidden, I would love to discuss different means of doing so with them. I think security is very fun and take anonymity quite seriously.
This is arguably the most important thing here. All other tracking out there pales in comparison to the services which hound you across the internet. I’ve mentioned cookies before. To state it somewhat broadly, say Google gets a tracking cookie in your browser. Now every site you go to from there which has Google’s services sees that cookie and knows who you are (specifically who you are if you are logged into something like Gmail. Otherwise, they know it’s the same computer). Many people have adblockers which block some of the cookies. But there are also 3rd party scripts, invisible pictures, remote DNS queries… the list goes on. And yes, I did say invisible pictures. While perhaps the least known tracking method, they are quite useful. Basically, it’s a tiny, invisible picture which will be rendered slightly differently by every computer depending upon the exact hardware within the computer. How your computer renders it is then scored. While you might be blocking other tracking methods, every site you go to with this picture knows exactly who you are when they see your unique score. Interesting huh? This is called canvasing. So how do you beat all of this? Let’s break down a few of the options.
1. First off, and this would seem somewhat intuitive but people still often miss the connection… Google is basically the king of tracking. If you really want privacy, you should pick a browser which doesn’t send all of your browsing habits back to Google. To make matters worse, Google might stop letting you block ads on Chrome unless you’re a business-level user. My recommendation? I love Firefox. If you would rather a Chrome feel with minimal effort but decent results for privacy, Brave is for you. Even nicer, both of these exist for Linux and Mac (oh hey, I didn’t completely forget about you Mac users).
2. Plugins. Whoo. If you opted for Brave, ignore this section. There are quite a number of different plugins people float around but there are really only three I’ll mention: uBlock Origin, CanvasBlocker, HTTPS Everywhere, and uMatrix. I’ll come right out and say that last one isn’t for everyone. Let’s break this down a bit:
uBlock Origin. This is an ad blocker with a ton of potential. The first thing you’ll want to do after installing it is to right click the uBlock icon in the top right of your browser and go to manage extension (this is the Firefox route). On that next page, click those three dots on the right and hit preferences. Now tick off the “I’m an advanced user” box and the “Prevent WebRTC” box. You are now in full control. When you click the plugin in the upper right, it now shows you every place the website you’re on is pulling information from. Most of this is tracking services but a decent amount is still legitimate. You’ll see there are two columns of boxes. The left column is global and the right column is only for the site you are on. Don’t want a particular domain to load anywhere (hint hint… google analytics)? Turn that domain red on the global side. Don’t want it to load for just that site? Use the right column for local site only. Check out the picture to the right for an example (you can click it to enlarge). I globally block all 3rd party items and then allow them only as needed to each site I visit.
CanvasBlocker. Remember that canvas tracking method I mentioned with the invisible images? While Firefox has updated to theoretically block this, I like adding this plugin for some extra protection. What it does is randomize the score for your computer whenever there’s a canvas on the webpage. This way, your score changes for every site and can no longer be tracked. No special configurations needed. Just install and let it do its job.
HTTPS Everywhere. As the name suggests, this plugin forces an HTTPS connection if one is possible. Nowadays, it isn’t needed as much. But every now and then, you see a website which lets you access it over both HTTP and HTTPS and will not automatically send you to the safer (encrypted) HTTPS side. This plugin will always connect you via HTTPS if the option is available. Again, no configuration needed.
3. Even though Firefox is geared towards privacy, not all defaults create full privacy. You wouldn’t think it, but did you know opening Firefox full screen can compromise your privacy? It tells websites what size your monitor is. While not exactly saying who you are, it builds a piece of the profile to determine who is on the site. FFprofile is a site you can go to for a secure Firefox profile. It will walk you through how secure you want to make it (a very small subset of sites stop working if it’s the most secure settings). Once made, it walks you through how to start using it. The process isn’t too bad. You’ll type “about:support” without the quotes into your search bar in Firefox. This opens the support page where you’ll see an “open directory” button. Hit that button to open up a window showing the files in your profile, close Firefox, and then replace the existing profile files with the newly downloaded ones from FFprofile. You might want to simply copy the existing files to your desktop rather than delete them… if you don’t like the new profile, you can just remove the new files and drag the old back in. Much easier than having to start from scratch.
4. This is more of a general purpose, blanket area. Again, VPNs are good for helping to mask who you are. If you’re using uBlock Origin and uMatrix, however, you probably aren’t letting in the services which would track you (your ISP and government can still see what you are doing though). Further options you might look into are running virtual machines. VMware and VirtualBox both have free programs for this. If you are going to run a persistent virtual computer (in other words, you are actually installing an operating system and it will keep any changes you make), it’s best to encrypt the whole virtual machine. If you want a simple virtual machine which you turn on and off as needed but don’t need changes saved, Tails is built for privacy and comes ready to go as a virtual machine. You might also download the free program BleachBit and give it a run every now and then. It’s designed to clear out temporary files, junk, and cookies. Just be careful on which boxes you tick off so you don’t lose something important (for example, best not to wipe the entire computer with it…).
5. Another good idea is to use a different search engine than google.com. After all… it’s Google. Try DuckDuckGo or Startpage. They both serve good results without classifying you to a tiny bubble (Google only shows you information it thinks you should see in particular). In fact, Startpage serves you Google’s exact searches without that “bubble” through a deal they brokered with Google. In return for giving Google a piece of the ads profit for the first three search results, Google gives them access to Google’s search index. Though I think I still prefer DuckDuckGo. All that said, some searches are still best performed on Google to find what you are looking for. Just try to limit your use of it.
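Going back to the canvas "score" and the CanvasBlocker idea of randomizing it per site, the following added example (a Node.js simulation, not code from this post and not CanvasBlocker's actual algorithm) shows why per-site noise breaks cross-site matching. The device names, site names, pixel model and the functions `renderCanvas`, `score`, `addSiteNoise` and `scoresSeenBy` are all constructed for illustration.

```javascript
const { createHash, createHmac } = require('crypto');

// Simulated canvas readback: 64 RGBA pixels whose low bits depend on the
// device, standing in for real GPU/driver/font rendering differences.
function renderCanvas(deviceId) {
  const quirks = createHash('sha256').update(deviceId).digest();
  const pixels = Buffer.alloc(256);
  for (let i = 0; i < pixels.length; i++) {
    pixels[i] = ((i * 37) & 0xfc) | (quirks[i % 32] & 0x03);
  }
  return pixels;
}

// The "score": a hash of the pixel bytes, as seen by whoever reads the canvas.
const score = (pixels) =>
  createHash('sha256').update(pixels).digest('hex').slice(0, 16);

// Defensive randomization: flip low-order bits chosen by a per-browser secret
// and the site name, so each site sees a stable but unrelated score.
function addSiteNoise(pixels, browserSecret, site) {
  const mask = createHmac('sha256', browserSecret).update(site).digest();
  const out = Buffer.from(pixels);
  for (let i = 0; i < out.length; i++) {
    out[i] ^= mask[i % 32] & 0x01;
  }
  return out;
}

// Scores each site would record; pass null as browserSecret for "no protection".
function scoresSeenBy(sites, deviceId, browserSecret) {
  return sites.map((site) => {
    const raw = renderCanvas(deviceId);
    return score(browserSecret ? addSiteNoise(raw, browserSecret, site) : raw);
  });
}

const sampleSites = ['news.example', 'shop.example']; // constructed site names
console.log('unprotected:', scoresSeenBy(sampleSites, 'laptop-A', null));
console.log('with noise: ', scoresSeenBy(sampleSites, 'laptop-A', 'constructed-secret'));
```

Without noise, both sites record the same score for the same machine, which is what lets them link visits; with noise, the two scores no longer match each other.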
And with that, I’d say you’re well on your way to regaining your privacy. The web tracks everything. The fact that your life probably exists somewhere on a server as a list of information about you complete with geolocation data for every place you visit is a sad fact. It’s time to fight back. Hopefully this article helps in your pursuit of privacy and anonymity.