Youtube's ban on "hacking techniques" threatens to shut down all of infosec Youtube (Boing Boing)
Youtube banning security disclosures doesn't make products more secure, nor will it prevent attackers from exploiting defects -- but it will mean that users will be the last to know that they've been trusting the wrong companies, and that developers will keep on making the same stupid mistakes...forever.

Life Moves Fast, Smart-Apartment Style by an author
I had no idea when I got the initial email about my apartment going “smart” how much my life would change in the course of a month. At the time I was speaking in front of a room of cybersecurity journalists, and it was all I could do to keep my cool and quickly blast off an appalled (and probably less than tactful) tweet. Only a few weeks later, my situation has changed everything.

In 2017 I’m trying to be be a bit more privacy and security-minded when using the web (on all devices). I’ve been increasingly interested in these areas for a few years, and especially since the Snowden revelations, and recent events like the IP Bill, aka the “Snoopers Charter,” in the UK have pushed me further towards them. Over the next few weeks I’m going to look into (and try to document here) various things I can do to increase my security, decrease the amount of information applications and services can collect on me, and generally “take back control” of my online privacy.

I work in the tech industry, I’m fairly conscious about this stuff, and understand a few of the elements and technologies, but it’s really a very basic understanding. What I do know might be out of date. At this stage it might be too little too late… right now I don’t really know.

Upfront: I fully recognise that if the police/MI5/NSA/FSB/whoever really wanted my data, nothing I could do would be able to stop them.

security

Also upfront: even with that in mind, whatever I put in place won’t be considered “perfect.” What I’m looking to do is balance convenience, practicality, and security. If something is too difficult or fiddly to use, it will end up not being used.

Thinking specifically about the IP Bill, far too many agencies for my liking will have complete, unfettered access to what I get up to on the internet. Beyond that one example, the amount of web ad trackers we have to contend with nowadays is snowballing, as are the services amassing data to pay for those “free” apps we enjoy.

While it might be that none of these data collectors have nefarious purposes in mind (if you’re trusting), data security breaches are becoming bigger and more frequent. Data being stored is likely to leak or be stolen at some point, so the best you can hope for is to limit the amount of potentially harmful data1 being held.

On a lighter note, here’s a great spoof from Cassetteboy about the IP Bill

So all this is a bit of a long-winded preamble to saying look out for the future posts where I talk about what I have learned, how I’m applying it, any recommendations I have, and how you can do the same. The first post on some of the basics, and links to reading materials will be coming today/tomorrow. In the meantime, are there any tips or good sources you’ve come across? Feel free to share in the comments.


  1. Insert definition of what you would consider “harmful data if leaked” 

For someone who’s primarily a developer/support person, I spend a lot of time setting up and configuring – or fixing – servers. I guess this came from an eagerness to learn and I got tarred with the “Linux/Server” Guy brushes at some point!

My interest in Operations has had an uptick again recently, so I’ve been doing a bit of reading of late. This morning, while waiting on news about some work-related activities I’ve come across a couple of interesting articles:

My First 5 Minutes On A Server; Or, Essential Security for Linux Servers by Brian Kennedy is a fantastic little quick-start for securing a Linux server. It’s not everything you need to do, but as noted in the article, it sets the foundations for a secure server which is easy to keep secure. Do these steps first, then go about securing any additional services you need to run.

One thing I’ve been wondering about, is setting up my own email system, rather than run on Google Apps. As convenient as the Google platform is, I do sometimes think I’m trusting them with a bit too much of my information. Recent revelations about the NSA/GCHQ, PRISM, and whatever-comes-next, from Edward Snowden haven’t done much to allay those worries.

But Google Apps is convenient. It wraps my mail, calander, contacts, and many other things into a nice package that is available everywhere and syncs across platform, with Push notifications, search, and other modern conveniences… but never the less, I’ve been thinking about how I could move away from the “Do-No-Evil” Empire, which is why Drew Crawford’s excellent, in-depth article “NSA-proof your e-mail in 2 hours” was a great find. I might spin up an instance on my dormant Joyent account and give it a try on one of my spare domains, so I can evaluate the process and benefits before deciding on moving my primary mail domain.

Other topics which have crossed my path this weekend are system configuration, maintenance, and automation using tools such as Chef and Puppet. The idea of taking a known-good environment and replicating it with just a few commands is definitely appealing – particularly when it comes to tasks such as setting up development/test environments! I haven’t gone too far into these topics yet, but I’m hoping to find the time in the next few weeks to go through some of the articles I’ve found.