persec
21st of November, 2021
1560 words
Layer 0: Possession
Physical security/possession of your devices
This may come off as a bit obvious, but physically losing your devices, or having someone get their hands on them even briefly, is a huge risk. Some example scenarios: having your phone/computer stolen (in the worst case while it's unlocked), having someone install malicious software while you're briefly away from your computer at a coffee shop, or having someone do the same to your phone under the guise of, say, borrowing it to text or call a friend. Don't mean to scare you, but some exploits are reaaaally sophisticated these days. Thankfully, there are means of mitigating some of these scary cases: these days we have the ability to wipe devices remotely (see here). Two caveats, though. A remote wipe only works if the device can still reach the Internet (a doomsday scenario would be someone stealing your laptop while unlocked, immediately disabling your WiFi, and copying all contents to a hard drive). And full-disk encryption (FileVault, BitLocker, or whatever your phone turns on by default) protects a locked or powered-off device, but does nothing for one that is already unlocked. In any case, you just can't let this happen.
TLDR: whenever you’re away from your computer in public places, lock it, or better yet bring it physically with you. If you high key have trust issues, might be best to lock it in private places as well. Gotta watch your ish — be careful *with* your devices.
Virtual security/possession of your devices
In a video-conferencing-happy world, there's a whole lotta screensharing going on. While services like Zoom/Google/FaceTime are relatively trustworthy for transmitting the stream itself securely, it's still pretty easy to accidentally share the wrong screen (e.g. one with personal notes or, worse yet, credentials or an open password manager). Another way virtual ownership of a device gets compromised is remote access: do not let anyone ever (especially those claiming to offer any sort of tech support) gain remote access to your device. A remote-control session gives them everything sitting at your keyboard would, without them needing to be in the room, so this is on par with, or even worse than, having someone gain physical access to your device.
TLDR: be careful *on* your devices.
Layer 1: Authentication
Passwords
At the very least, use good passwords, and don't reuse them. Avoid the silly ones like "password" and "yologang123". With passwords, size matters: each additional character multiplies the number of possibilities by the size of the character set, so length buys you far more than swapping an "a" for an "@". If the password is relatively short, it ideally shouldn't contain full words, but rather a series of letters/numbers/symbols. Remember, there's a finite number of words/word combos to use (a number in the millions may seem like a huge figure to us as humans, but it isn't much to a computer that can test billions of guesses per second against a leaked password hash. Peep some pieces on dictionary attacks). One way of creating a secure password is based on a mnemonic: think of a phrase that makes sense to you, and use a scheme such as grabbing the first letter of each word in the phrase. The end result would likely look like a senseless collection of characters to others, but would have meaning for you. Sprinkle in some numbers and symbols for good measure, and make the phrase your own: famous quotes and song lyrics, and their first-letter versions, are already in the wordlists attackers use. As you could imagine, keeping track of hundreds of such mnemonic phrases, whether in your brain or in physical form, for all your favorite sites would be an absolute nightmare. Fortunately, we can offload this duty to password managers, which generate random passwords, safely store them, and also offer other utilities (filling them into sites, and only on the exact site they were saved for, etc). This means it's doubly important to ensure that your "master password" to your vault of passwords is secure AF. Use a mnemonic.
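To put numbers on "size matters", here is an added example (mine, not part of the original post) that computes the entropy of a few password styles from the text, shows the first-letter mnemonic scheme, and generates a password the way a manager does (uniform choice from a CSPRNG). The character-set sizes, the 7776-word Diceware list, the 10,000-word "attacker dictionary" and the guessing rate are assumptions for illustration.

```python
import math
import secrets
import string

# Character sets as a generator sees them (assumed sizes for the example).
ALNUM = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALNUM + string.punctuation         # 94 symbols

DICEWARE_WORDS = 7776     # standard Diceware list, 6^5 words
COMMON_WORDS = 10_000     # assumed size of a modest attacker wordlist
GUESSES_PER_SEC = 1e10    # assumed offline rate against a fast, unsalted hash


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`.
    Grows linearly with length, only logarithmically with alphabet size."""
    return length * math.log2(alphabet_size)


def worst_case_crack_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SEC) -> float:
    """Seconds to exhaust the whole space at the given guessing rate."""
    return 2 ** bits / guesses_per_second


def mnemonic_password(phrase: str) -> str:
    """First-letter scheme from the text: keep the first character of each
    word, so digits/symbols written as their own words survive."""
    return "".join(word[0] for word in phrase.split())


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: CSPRNG, uniform over the alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def strength_table() -> dict:
    """Entropy (bits) of the password styles discussed in the text."""
    return {
        "two dictionary words, 10k-word list": entropy_bits(2, COMMON_WORDS),
        "8 random printable chars":            entropy_bits(8, len(PRINTABLE)),
        "4 Diceware words":                    entropy_bits(4, DICEWARE_WORDS),
        "16 random printable chars":           entropy_bits(16, len(PRINTABLE)),
    }


if __name__ == "__main__":
    for label, bits in strength_table().items():
        secs = worst_case_crack_seconds(bits)
        print(f"{label:38s} {bits:6.1f} bits  ~{secs / 86400:.2e} days to exhaust")
    # Constructed phrase; the result is what you'd type, the phrase is what you remember.
    print("mnemonic:", mnemonic_password("my dog ate 3 tacos on a Tuesday!"))
    print("manager-style:", random_password(20))
```

The table is the whole argument: two dictionary words are under 27 bits no matter how clever the words feel, while four random Diceware words and eight random printable characters land in the same ~52-bit neighbourhood, and a 16-character manager-generated password is over 100 bits. Note that `entropy_bits` assumes uniform random choice; a mnemonic you chose yourself has less entropy than its length suggests, which is why the manager-generated option wins for everything except the master password.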
On the topic of password managers, while I won’t endorse any specific ones, some prominent pieces of software are 1Password, Dashlane, LastPass, and some others that I’m sure I’m leaving out. Note that these aren’t perfect either; passwords are fundamentally hard to manage, since
TLDR: use good passwords, and check if yours have been compromised via sites like https://haveibeenpwned.com. There are many differing opinions on the topic of secure password generation. At the end of the day, format isn’t paramount; security is.
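The "check if yours have been compromised" step is worth understanding before you paste a password into any website. Have I Been Pwned's Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<prefix>`) uses k-anonymity: you send only the first five hex characters of the password's SHA-1 and get back every suffix sharing that prefix, then match locally. This is an added example of that client logic (my code, not HIBP's or the post's); the range response embedded below is constructed, apart from the genuine suffix of SHA-1("password"), and the hit counts are made up.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_and_suffix(password: str):
    """HIBP keys its corpus by upper-case hex SHA-1. Only the 5-char prefix
    (20 bits) leaves your machine; the 35-char suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Response is one 'SUFFIX:COUNT' line per hash that shares the prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Times `password` appears in known breaches. `fetch_range(prefix)` returns
    the response body for that prefix, so the lookup is network-agnostic.
    0 means 'not in the corpus', which is not the same as 'strong'."""
    prefix, suffix = sha1_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def online_fetch(prefix: str) -> str:
    """Live lookup (needs network; not used in the offline demo below)."""
    req = urllib.request.Request(RANGE_API + prefix, headers={"User-Agent": "persec-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for GET /range/5BAA6 (the prefix of SHA-1("password")).
# The middle suffix is the real remainder of that hash; the others and all
# counts are made up for the example.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9001\n"
        "7A4B17F9A0B7B87F8C0B1D6D2E1B84C83D3:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple 42"]:
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times (constructed data)")
```

Swap `offline_fetch` for `online_fetch` to query the real service. The design point is that `breach_count` never needs the full hash to leave the machine; the server learns one of roughly a million prefixes and nothing else, which is why this check is safe to run on a password you intend to keep using if it comes back clean.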
Phishing
Once you have your password, now you have to safeguard it. By using a password manager per the previous section, you are effectively trusting that the maintainers of that software are 1) not malicious, and 2) good at what they do. However, they can't control what you do with your password. If you were to accidentally leak it, the onus would then be on you to quickly change it to something secure once more. One form of unintentional leakage (not my finest choice of words) is phishing, where someone socially engineers you (by creating a fake site or otherwise drawing the password out of you) into giving up the goods. For the sake of brevity, I would suggest bookmarking trusted sites and logging in only through those bookmarks (a password manager helps here too, since it only autofills on the exact domain it saved the login for), ensuring that these trusted sites use https (look for the 🔒 in your address bar), and considering using something like https-everywhere or your browser's built-in HTTPS-only mode. One caveat on the 🔒: it only means the connection to whatever site you're on is encrypted. Phishing sites get certificates too, so the lock is not proof that you're on the real site; the address is.
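The "bookmark trusted sites" advice boils down to comparing the exact hostname you landed on against a short allowlist, which is something you can script. The added example below (my code, not the post's) checks links against an assumed set of bookmarked hosts and flags the usual phishing tricks: plain http, a trusted name stuffed in front of an `@` (the browser goes to what comes after it), punycode labels, and lookalike hosts that merely contain a brand name. The trusted hosts, brand list and sample email are all constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Assumed "bookmarks": the exact hosts you would actually log in to.
TRUSTED_HOSTS = {"github.com", "accounts.google.com", "www.amazon.com"}
# Brand words attackers like to embed in lookalike hostnames (assumed list).
BRANDS = {"github", "google", "amazon"}
# Crude digit-for-letter normalisation so "amaz0n" reads as "amazon".
LEET = str.maketrans("013457", "oleasl")
URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def check_link(url: str, trusted=TRUSTED_HOSTS) -> list:
    """Return warnings; an empty list means an exact bookmarked host over https."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append(f"not https (scheme={parts.scheme!r})")
    if parts.username is not None:
        # https://github.com@evil.example/ -> browser connects to evil.example
        warnings.append(f"{parts.username!r} before '@' is userinfo, not the host; "
                        f"real host is {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode (xn--) label: possible homograph lookalike")
    if host not in trusted:
        msg = f"host {host!r} is not a bookmark"
        hits = sorted(b for b in BRANDS if b in host.translate(LEET))
        if hits:
            msg += f"; looks like {', '.join(hits)}"
        warnings.append(msg)
    return warnings


def scan_text(text: str) -> dict:
    """Map every URL found in `text` to its warnings."""
    return {url: check_link(url) for url in URL_RE.findall(text)}


# Constructed phishing-style email for the demo (not a real message).
SAMPLE_EMAIL = """\
Your account will be suspended. Verify now:
https://accounts.google.com.verify-login.example/session
Or sign in at https://github.com@evil.example/login
Legit link for comparison: https://github.com/login
"""

if __name__ == "__main__":
    for url, warns in scan_text(SAMPLE_EMAIL).items():
        print(url)
        for w in warns or ["ok: exact bookmarked host over https"]:
            print("   ", w)
```

Two details carry the lesson: `urlsplit().hostname` is the part of the URL the browser actually connects to, so anything before `@` or after the first `/` is noise an attacker controls; and membership is tested with `host not in trusted`, never with a substring check, because `accounts.google.com.verify-login.example` contains `accounts.google.com` and is still someone else's server.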
TLDR: whenever you see a sus email asking you to log into a site or share any sort of credentials/personal information, protect ya neck.
Two-factor authentication (2FA)
So, you’re too lazy to use a password manager or type in a keyboard barf every time you hop into Discord? Please please please use 2FA. Y’all have likely heard of it at this point, but please use it. Again, there are levels to it as well.
- SMS (very weak): this is anecdotally the most common form of 2FA, and it comes in the form of a 4-6 digit code that's sent via text (SMS). This is generally vulnerable to an attack called "SIM swapping", where an attacker talks (or bribes) your carrier into moving your number onto a SIM they control, so your codes go to them. A previous manager of mine from an internship was hit hard by one and ended up producing this excellent piece of literature on the subject (and another one, just for good measure). Sure, SMS might be better than absolutely nothing, but not by much. If you do use it, I highly recommend using a VOIP number, like a Google Voice number, as the recipient of your SMS codes: there's no carrier store or scam-susceptible customer service agent to sweet-talk into porting it. The flip side is that the number is then only as secure as the Google account it lives in, so lock that account down with the stronger options below. Reach out if you need help doing this.
- Authenticator apps (strong): mobile authenticator apps like Google Authenticator/Authy/Duo are a huge step up from the above. At setup the site hands the app a shared secret (that's what the QR code is), and from then on the app derives 6 digit codes from that secret and the current time, refreshing periodically (every ~30 seconds), to be used to log in. Pros: nothing travels over the phone network, and it's hard for an attacker to guess such codes. Cons: it's still technically possible for them to guess the codes (which is why sites should rate-limit attempts), a fake login page can relay a code you type within its 30-second window, and anyone who gets hold of the secret/QR code or an app backup can mint the same codes. Still, all of that is much harder than hijacking a phone number.
- Hardware keys/smart cards (very strong): these are physical security keys (e.g. Yubico's YubiKeys, Google's Titan keys) that must be physically connected to your device (or tapped against it over NFC) and touched to log into your favorite services. The entire value prop of these products is that the private key is generated inside the hardware and never leaves it, so it can't be copied off, and with FIDO/WebAuthn the key signs the site's actual origin, so a lookalike phishing site gets a signature the real site won't accept. Try not to lose these, and register a second key as a backup before you need it.
Note: the three options above are in order of sophistication — assume relatively few services will offer 2FA at all, that even fewer will offer it in the form of authenticator apps, and fewer still will support hardware keys. It's absolutely crucial that your first line of defense (password) is solid.
Layer 2: Trust issues
At the end of the day, exploits usually happen between people. Humans aren't perfect, and that's okay! On the flip side, there are super sophisticated savages out there that have no issue opportunistically preying on unsuspecting people. There's a surprising amount of valuable information that can be extracted from relatively benign questions, like where you usually shop online (see this Amazon exploit from years ago). Attackers could reach out under the guise of offering a helping hand (via email, phone, Twitter, Discord, you name it), galaxy brain the long game to gain your trust, and then run their attack. This likely won't stop anytime soon; it lowkey pains me to say this, but it's important to generally be skeptical of "Internet strangers." You never know their MOs.
TLDR: don’t trust, verify.
Note on $$$/cryptocurrency accounts, aka “honeypots”
All accounts these days are extremely valuable. This is particularly true of accounts that are linked to other accounts, like email addresses: if your primary email account is compromised, and it's linked to other important accounts (bank/social media/shopping apps containing your payment info/etc), someone with access to your email could reset the passwords to those other accounts and wreak havoc. We don't want that. For the most part, with centralized services, you can in the worst case rely on banks and credit card issuers to freeze funds or reverse fraudulent transactions. Unfortunately, this isn't quite the case with alternative forms of $ like cryptocurrencies. Cryptocurrency payments are generally irreversible, which means if someone gains access to your funds (via account takeover at an exchange, or by discovering the seed phrase to your crypto wallet), it might just be a wrap; there's no one to call. With that being said, any accounts that touch your $, along with the email account that can reset them, should be the most highly guarded. Use strong passwords. Use 2FA. Watch your own back.
TLDR: Security is often framed as an individual playing defense against an offending attacker. We gotta flip that script — we want to be playing defense offensively. LOL
If you’ve made it down here, thanks for reading. In an increasingly digital world where more of our lives are online, the kinds of losses we could have are also becoming increasingly scary. Please reach out with any questions, doubts, skepticisms — alllll of it. Always happy to chop it up.