Protecting your Device
Your communications cannot be secure if your device is not. Attacks from keyloggers, remote access tools, and other various data exfiltration threats make any in transit protections moot. Your device might be a phone or a PC or something else. For the purposes of this post, we will consider how to secure computers. Phones and tablets etc, will have to be a separate post.
The modern computer is next to useless without an always on internet connection. Tablets, e-readers and other devices have take over the disconnected computer use space. Our use case is specific to communications and therefore requires a connected PC. Therefore we have to be more advanced in our protection.
Full Disk Encryption
Full disk encryption protects your data from being read without your knowledge or consent. All three of the major operating systems offer this feature. The main benefit is that your data stays safe even if you are separated from your device. This protects your information if you laptop is stolen, or your computer is seized by governments. Full disk encryption does not protect you from malware running on your computer or people from looking at your data when your computer is on and logged in. In order to ensure your disk is protected, turn your computer all the way off, not just "sleep" mode. This is especially important for FDE desktops, It also is not compatible with dual booting PCs like Apple+Bootcamp or Linux and Windows on the same machine.
Be advised that the government can compel you to divulge your password, or hold you in contempt of court until you do. If your disk is imaged, they can try to attack it outside of of your grasp until they get it. This is a concern at borders especially. Full disk encryption is a place you really want to use a long, secure password that is easy to type and difficult to guess. See
this video for some more information.
Windows:
Windows markets it FDE as a "Professional" feature called Bitlocker. Be advised that if you log into your Windows PC with your Windows Live ID that
Microsoft can reset a "Lost" Bitlocker key. It is best to create a local (or domain) account to protect your data. there is a rumor that Bitlocker is backdoored for US police access, but I have not found any proof of this. Since there is no code review, there is no way to know for sure. All Windows 10 PCs also have
"Device Encryption" which is good enough to protect your data from thieves and other non-technical attacks, but can be reset the same way and cannot be configured without Microsoft recovery options.
Apple:
On Mac computers,
FileVault is the full disk encryption tool. Again there is an Apple recovery option that could be used to unlock your machine by the government. If you want to protect your data from the government, we recommend you do not use the iCloud or other Apple options. Also, while it has been attacked and tested, Apple has not released the code fro review as far as I can tell. However, based on Apple's actions during the San Bernardino case a backdoor is unlikely at the time of this writing.
Linux:
Most Linux distributions include a Full Disk Encryption option in the advanced installations. Unlike the other options this code is open for code review and has no outside recovery option to be cooped by the government.
With all of these options we recommend you encrypt the empty space if offered the option. Full disk encryption is strong protection, but it is often only useful if you are already being investigated or detained. It can certainly help, but it isn't a panacea.
Malware Protection:
Malware is the generic term for viruses, spyware and other programs that can exfiltrate your data without your knowledge. Luckily, this is a concern shared by nearly all computer users and there are lots of software solutions available.
Adblockers
At the time of this writing, ads serving malware is one of the most effective ways to infect wary websurfers. In addition on privacy concerns, may like how it prevents sites from monetizing your view without your consent.
Antivirus
An old standby of computer protection, Antivirus is now integrated into Windows, and widely available for free. Antivirus now stands more a a scanning tool and emergency protection rather then a front line defense.
Anti-Spyware
This is often integrated into Antivirus and also is partly built into Windows. for deep removal of persistent malware specific solutions exist and are useful.
General protection and computer hygiene:
These are more behaviors then they are software. Some behaviors can open you up for attacks more then others.
Installation
When installing software, double check the source of the software. Many search engines will preface your search result with ads that will repackage the software you want with ads and malware you don't be sure to download from the site of the company, not a third party.
Patches
In the always connected world in which we live often software will ship and bugs (especially security bugs) will be found later. Or exploits will overcome previously secure code. For these reasons, keeping your programs and operating system up to date is an important safety concern. Most good software will have a service builtin to check for and install updates and patches, often automatically.
Other Solutions:
The most paranoid thing you can do to protect your computer from being compromised is to run your operating system off of an ROM disc, such as a Linux Live CD. As long as the software was secure when you wrote it to disc, you can be sure that each session is not compromised. Unfortunately, modem software needs constant patching to stay secure and safe, requiring you to create new ROM discs on a fairly regular basis. ROM based operating systems are alos slow, don't have bookmarks, cookies or other labor saving devices. They are excellent in assuring a safe connection, but difficult to actually use.
Recommendations:
- Use Adblockers, anti-malware and software from the publisher's site.
- Keep software up to date.
- Use full disk encryption, especially on laptops.
