Aug 19 2008
Longtime readers of my weblog are no doubt familiar with my preoccuptation with security, which lead to my working in that field of endeavour, and also my interest in personal privacy. A couple of weeks ago, some of my readers asked me what they, as computer users who aren't experts but aren't starting from square zero either could do on a personal level. I thought and thought for a couple of days and put together a list of things, and then realized that making all of it make sense would take much more than a single post because it's not a simple topic at all. Using personal technology to secure one's privacy and anonymity, should they desire it, is a modular topic, however, which lends itself readily to a serialized format.
Like a bunch of blog posts.
The first question that you have to ask yourself is probably the hardest of all... how paranoid do you really need to be? What do you do that would make adding a couple of security measures a worthwhile activity? Let's look at some of the dirty tricks that we know They are up to because They slip up from time to time, and Their actions wind up in the news..
Stolen equipment. Breaking and entering to install keystroke loggers/image your hard drive/install malware. Country border searches (with or without confiscation of your equipment). Political speeches that involve the phrase "think of the children" or the word "terrorism". No matter how you look at it, your computer equipment is important to more than just you, mostly due to the kinds of data that accumulate through the course of normal use.
Sure, you might only e-mail your significant other and your mom once in a while, but that information's still useful to people who want to know who you're talking to more than why and how often. The latest technologies in our lives - the applications running on the Web like e-mail, blogs, and social networking sites - have the potential to harm our lives (even inadvertantly) just as much as they can enhance them by bringing people closer together. Companies are willing to pay millions of dollars to find out what web sites you visit and which links you follow so that they can generate a custom marketing campaign just for you. Maybe you do everything on your laptop, from checking your e-mail to updating your weblog, to maybe doing your taxes or managing your finances.
It's privacy you want - a little peace of mind from the fact that you control what information is out there about you, what information can be gotten from you, and how difficult it would be for someone gunning for you (for whatever reason) to get at that information and locate you.
First of all, ask yourself this: What are you up to?
No, seriously, what are you doing? What do you do that could be used against you somehow if the wrong information fell into the hands of an attacker (to use a generic term - substitute as appropriate)? What kind of damage could be done to your personal life or your career if someone cracked your workstation and went digging through your files? Do you do your taxes, handle your bank accounts, and manage your investments on a computer hooked up to the Net all the time? Do you do those same things on a portable computer? Do you do security research of some kind (wearing any color hat)? Does the company you work for require you to secure your equipment? Is there something in your life that isn't illegal but could damage your reputation in your community, at work, or with your family? Are you writing something for publication that you don't want leaked early or software that'll let you retire early when it hits the market? Are you concerned that your interests or what you do will cause you trouble while you're travelling (or worse, trying to get back home)? Are you possibly being stalked by someone who just won't leave you alone? Maybe they're making your life a living hell?
Or do you want privacy for the sake of privacy, as a basic part of your life?
Go ahead and think about those questions for a while. Be honest with yourself about the possibilities and consequences of your actions.
The possible hassles and consequences of What You Do should help you determine how secure you want your data and activities to be. If all you really do is browse the odd news site and e-mail your kids, then you probably don't need to set up military grade defenses and encrypt everything. You're probably more concerned with your laptop being stolen, in which case I'd advise a couple of basic security measures. First of all, buy yourself a good locking laptop cable. They don't cost a lot of money, generally $70us or less and are available pretty much anywhere you buy computer equipment. Get one with a combination lock that you can re-set periodically and keep it with your laptop. If you're going to be away from your workspace for any period of time - even if you're on site in a borrowed cube, lock your laptop up with the cable. If you have to leave your computer in the car, lock the doors, lock your field kit in the trunk, and leave it there. Most laptop computers (and other portable devices) are stolen out of unattended motor vehicles, so make it look like there's nothing in your car worth stealing. When going through airport security, let the person in front of you go through the metal detector before you let that tray containing your laptop (which, of course, you have to have in a bin all its own) travel down the conveyor belt. This is so that you'll have enough time to beat it through, assuming that you don't trust the screeners to stop anyone stealing your gear.
I also recommend installing software like LoJack on your laptop. LoJack integrates into Microsoft Windows in such a way that it phones home to LoJack periodically to register itself. If your laptop is ever stolen, the idea is that you contact LoJack after you call the police via their website and have them flag your laptop as missing, possibly stolen. Depending upon your yearly subscription with the company, they can track your laptop every time it's powered on and help the police recover it, or even erase sensitive data from the laptop so that it can't be abused. However, this is dependent upon your laptop connecting to the Net after it's been stolen.
There have also been problems reported with LoJack when used in conjunction with WDE (whole disk encryption) software like PGPdisk and Truecrypt because LoJack hooks the Windows bootloader. If you plan on encrypting your hard drive, I strongly recommend researching alternatives.
I'm a big fan of the service Stuffbak, which is a company that sells small metal labels that you stick to important pieces of technology (like laptops and cellphones) in unobtrusive places. You can often purchase packets of these labels from office supply or computer stores for a couple of dollars American. After the label is attached, go to their website and register the device with the unique ID code burned onto the label. If your hardware goes missing, go to the Stuffbak website and flag the device as missing, with a reward for safe return. Whomever finds the unit will see the label with the Stuffbak URL and the ID code, punch the code into the website or call the toll-free hotline, and the company arranges for your equipment to be returned to you; the finder receives a reward ($20us plus whatever you want to throw in to sweeten the deal - I put aside $100us per device just in case), and you've got your gear (and data) back. The whole process is anonymous, so if you're concerned about the owner of the iPod you found turning on you like a crazed weasel they won't be able to find you if you go through Stuffbak. More's the point, each label has this service associated with it for two calendar years from the time it's registered; you have to pay for additional years after that, but I think it's a worthwhile investment.
This work by The Doctor [412/724/301/703] is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.