Some simple things to improve your online privacy

Reading about all the ways a user is identified, tracked, and sold  across the web can make it seem like the only way to avoid this fate is to turn off your computer. But why deprive yourself of the wonderful tools available online? You shouldn’t have to.  In this post I will describe a few simple things a computer user can do to guard their privacy online.  This list is by no means exhaustive, not is it meant to me.  But these are some easy things you can do today to begin making a difference.

Take a good hard look at what web browser you’re using and consider also installing  the Brave web browser.  It blocks (most) advertising, (all known) malvertisingtracking pixels and tracking cookies , and upgrades connections to https.  Brave is available for Windows, Mac, Linux (I’m writing this in Brave for Ubuntu right now), as well as iOS and Android.  Over time, you’ll block a LOT:  Brave also gives you information about the page you’re on. This can be done via extensions with other web browsers as well but it’s built in to Brave.  For example, here’s information about the Wall Street Journal web site:

Mind you, this is a site I pay a (hefty) subscription fee to.

Finally, the team behind brave is trying to fundamentally change how online advertising works via a block-chain-based Basic Attention Token, but that’s a subject for another post.

I say also installing the Brave web browser because there may be situations where you want to use Chrome or Safari for some feature they offer that Brave doesn’t (yet). For example, when I’m doing cryptocurrency stuff, I use Chrome with the MetaMask extension to let me access blockchain-requiring sites.

Think about which search engine you use, then take a look at DuckDuckGo. They don’t collect
or share any of your personal information.  They have a helpful page on how to install DuckDuckGo as your default search engine in a range of browser:  https://duck.co/help/desktop.  What does the Brave panel look like for DuckDuckGo? I’m glad you asked:

 

Pay attention to the your privacy settings with online services. For example, the Electonic Frontier Foundation (EFF) has a nice summary of why recent Twitter privacy policy changes are not necessarily in the users’ privacy interests. For any online service you use, it’s worth looking at the settings.  Canceling your account is the ultimate opt-out.

What’s in  your traffic? We no longer have an expectation of privacy from internet service providers (ISPs) due to repeal of the Broadband Privacy Rules. In other words, ISP’s can monitor, store, and sell our browsing history to a third party, hijack our searches, insert ads, and insert tracking cookies (see Five Creepy Things Your ISP Could Do……). Probably the best way to prevent this is to use a Virtual Private Network service. Most cost money, so that’s a privacy tax.  I use VyprVPN from Golden Frog and have been very happy with their product.

Finally, get serious about your passwords.  You need to be using strong, unique passwords across web sites.  Where available, two factor authentication should be enabled.  One of the interesting tidbits from the Edward Snowden movie Citizen Four is that the NSA can track you across the internet if you use the same passwords!  There are great password managers available. Brave has support for several baked right in (LastPass, DashLane, 1Password).  I’ve been using AgileBits’ One Password since it came out in 2006 but having been (slowly) moving over to LastPass since they have a Linux version.

A little time spent making these changes will go a long way toward regaining some of your online privacy.  Even just using the Brave browser and changing your search engine will help a great deal.

Hello, ProtonMail

After reading this blog post about how Google was able to influence traffic to the secure email provider Proton Mail, I’ve been pushed past the tipping point with regard to Google.  Here’s a short excerpt:

The short summary is that for nearly a year, Google was hiding ProtonMail from search results for queries such as ‘secure email’ and ‘encrypted email’. This was highly suspicious because ProtonMail has long been the world’s largest encrypted email provider.

My response? I canceled my paid Google email account and opened a ProtonMail account and am happily paying for it. Not hard, and costs roughly the same. Yes, there is a free version.

Qubes may be the perfect OS for the Linux newbie

Qubes OS is thought of as a unique OS which emphasizes security, in this case security by compartmentalization, and this is why people like Edward Snowden and Micah F Lee have said positive things about it (see the Qubes home page).  But could it also be a great OS for someone trying to learn Linux?  Let me explain why I think the answer is YES.

I’ve installed Ubuntu linux multiple times on older Macs (and Canonical has done a fantastic job of making it easy to install on a wide variety of hardware).  Just like when they were running OS X, these old Macs booted into Ubuntu on startup and I could practice using the GUI programs and even a little command line interface (CLI).  The file system was written to the physical disk.  This worked great…..until I broke something. I would either spend hours trying to figure out how to fix it or (more likely) just re-install Ubuntu Linux and start again. This became quite frustrating and time consuming.

In Qubes, each operating system installed is running in its’ own virtual machine (VM), something that’s made possible by the Xen hypervisor.  (This also means you can install a variety of operating systems, even Windows.)  Put another way, the bare metal of the computer, instead of just running one operating system for one user, can run multiple operating systems for multiple users with multiple roles and levels of trust.  The key here is that a virtual machine can be easily duplicated (and erased).  And that is why it’s great for beginners.  Install Qubes (my installation of Qubes OS 3.1 came with VMs for Fedora 23, Debian 8, and whonix), duplicate one of these VM’s, then tinker away on the copy. Screw it up? No problem! Shut down the VM, delete it, duplicate yourself a new one from the template and start from scratch…..in minutes.

The VM Manager in Qubes OS
The VM Manager in Qubes OS

QubesOS on a System 76 Lemur

lemurI’ve been fascinated by the security-by-compartmentalization model used in Qubes OS, a Linux-based operating system.  I even managed to get it running as a virtual machine in VMWare Fusion on OS X, but wanted  to get dedicated hardware to run it on.  Failing on several older macs I had around the house, I decided to ante up for a Linux laptop.  With some encouragement from Micah  F. Lee via Twitter, I decided to order a System76 Lemur  14″ laptop for my experiment.  The Lemur arrived today and it looks like I have successfully installed Qubes 3.1!  I’m happy to say the hardest part was figuring out how to get a boot menu (F7 after powering on in System76 computers).

My plan is to post about my experience as I go along.

That reminds me: dump Java.

I was just reading a post at MalwareBytes Labs titled Cross-platform Malware Adwind Infects Mac by Thomas Reed about the Adwind Remore Access Tool (RAT) which reminded me I had wanted to remove JAVA from my Mac as it represents a security risk.  A quick DuckDuckGo search led me to How to uninstall Java in Mac OS X at dotTech which offered concise instructions for how to remove both the runtime and the jdk.

Go ahead. Do it. You’ll feel smart after using the Terminal.

Authy two-factor authentication for WordPress

I just installed WordPress 4.5.2 via DreamHost’s One-Click installer.  I’ve been with DreamHost a loooong time now, but this is the first blog I’ve ever set up at this URL. I wanted a place I could post quasi-geek stuff without having to worry about if it was related to anesthesia or not (my day…and night….job).

The one-click install worked flawlessly, and Dreamhost even arranges for a free SSL certificate via Let’s Encrypt, so the site has the benefit of https without having to pay for a cert. Cool.

I’ve been using Authy in place of Google Authenticator on my Newton 2000 iPhone for my two-factor authentication tokens for quite a while now , and wondered if I could use it on my own personal site.  The short answer is a resounding YES. The longer answer is that it was easier than I thought.

Authy offers a WordPress plugin that can be installed on your own site:

Authy Plugin for WordPress
Here’s a screenshot of the Authy wordpress plugin description.

Even though this 2.5.5 version hasn’t been updated in about a year, it works fine with this WordPress 4.5.2 installation.  Once installed and activated, all I had to do was go to http://www.authy.com/signup to get a free API key.

I can see why Authy makes this free and easy to encourage users to try their technology. Once ‘inside’ you can get a glimpse of what is possible with 2-FA via Authy and how well thought out and smooth the whole service is.  My only concern is that I see most tokens have gone from 6 to 8 numbers.  It could be a real problem for me to type in 20 numbers in 30 seconds should it come to that. 😐