Security Friends

Hey friends, let's talk about secure lifestyle. In my last post I discussed identifying yourself for access to things (authentication) and the three types of factors presented as identity. This post is going to cover how those factors differ and why it matters. For the purpose of this post, I'm only going to consider systems that require a single factor as identification: Logging into a forum with your password or getting into your house with your key, for instance. Combining factors will be covered in the next post.

First, consider something you know. This is usually a password of some kind, and these factors have many advantages. When used correctly (i.e. not written down), they're impossible to steal since they're only in your head. If for some reason your password becomes insecure (maybe you shared it with someone who doesn't like you anymore), it's easily changed as long as you control that account. The major disadvantage of something you know is that if it's discovered, it's very easy to spread, and anyone from anywhere can use it. For that reason, you want to make your passwords as secure as possible, though that's a topic for another time.

Second, consider something you have. This is usually a key or your phone, and it's a bit more difficult to see the utility of using this factor online. If you've had to log into a service that sent a code to your phone in order to log in, then you've used this factor: Unless someone has your phone, they're not getting into your account. That seems inherently less secure since your phone can be stolen or misplaced, but there's a major advantage -- Things you have are physical objects that can only be used where they are. Someone in Russia can't use your key to open a door since your key is safe in your pocket. Things you have can also be replaced if compromised (e.g. if someone copies your key), though not as easily as with something you know.

Third, consider something you are. This is usually your fingerprint, though sci-fi has entertained the idea of retinal scans for decades. This factor is deceptive: It seems like the ultimate form of security, since no-one else has your features. However, this simply isn't true. Most people have many pictures of themselves online, your fingerprints are likely in government databases, and lots of personal information is collected by your employer. Most importantly, if your personal data is compromised (e.g. someone swipes your fingerprint data), it can't be replaced -- That data is permanently insecure.

It's also important to consider the legal implications of these three types of factors. Legally, something you know is the most secure since the 5th Amendment protects you from self-incrimination. If someone is accusing you of a crime and is suing you to get access to your phone for evidence, they're out of luck if your phone is password protected since you don't have to divulge your password. Something you have can be seized with the right search warrant, so they may not give you much protection in that situation. Legally, anything you are is public, so you can be compelled to provide your fingerprint to unlock a phone. You might say this is paranoid since you trust the government and don't have anything to hide, but remember that companies and private citizens can bring lawsuits against you too, so there's no reason not to use the best security practices.

Hey friends, let's talk about secure lifestyle. When you want to access something private (like your e-mail or your house), you first need to identify yourself. This process (known as "authentication" online) secures your stuff so other people who aren't you can't get access to it. It involves presenting one or more items (known as "factors") that ensures you are who you say you are. Living a secure lifestyle involves understanding a little bit of how those factors work, but before we can get into that, we have to understand what factors are.

In general, all factors fall into one of three categories: Something you know, something you have, or something you are. If you're logging into a forum or e-mail online, you have to present a password -- Something you know. It identifies you because it's presumably something that only you know, so if somebody knows your password, they must be you. This type of factor is used in the real world as well. A challenge/sign/countersign is sometimes used in the military to identify friendly forces, presuming that only your allies know the responses.

If you've ever unlocked the door to your house or apartment, you've identified yourself with something you have (your key, in this case). This type of factor is very common in the real world. Aside from the key/lock example, you might have a library card, which identifies you as a member of that library. This type of factor is used online as well. If you've had a website such as a bank send you a login code via text message, that identifies you through something you have (your phone).

You identify people by something they are all the time. If you see someone you know on the street, you know them by their face, their body, how they carry themselves, their voice, etc. Police use fingerprints to help them make sense of forensic evidence. This type of factor is becoming more common online -- Some phones allow you to unlock your phone with a thumbprint, for instance.

Hey friends, let’s talk about secure communications. Actually, let's talk about insecure communications. If you’ve been following my Signal posts, you’re already using Signal to chat one-on-one with people. If you're using an Android phone, Signal can handle SMS and MMS messages (a.k.a. text messages) for you as well. This might be convenient for you, but it doesn't make those messages secure!

Hey friends, let’s talk about secure communications. If you’ve been following my Signal posts, you’re already using Signal to chat one-on-one with people. Signal’s secure end-to-end encryption means that the only places anyone will be able to read your messages are on your phone and the recipient’s phone. If the idea of your chat history coming back to haunt you worries you, then maybe Disappearing Messages is for you.

Disappearing Messages is an option you can choose from the menu while already in a conversation. Once you’ve selected it and chosen a duration (say, 5 minutes), then any messages you send afterwards will only be readable for that duration. You’ll see a message about setting the timer in your chat window and a clock with the duration you’ve chosen at the top of the chat window. It only affects messages sent after the setting is changed, and the clock doesn’t start until the recipient sees the message. To turn Disappearing Messages off, choose it from the menu again and choose “Off”.

Hey friends, let’s talk about secure communications. If you’ve been following my Signal posts, you’re already using Signal to chat one-on-one with people. Signal also gives you the ability to chat with entire groups of people at a time. To start a group, choose “New Group” from the menu, enter a name for the group, and invite people to the group (Signal groups are invite only). That’s all it takes!

There are some important things to remember when using Signal groups. First is that there’s no group administration: Anyone can change the group name, anyone can invite more people to the group, and once someone is in the group they can’t be kicked out, though group members can leave voluntarily. Be sure you trust the people you’re grouping with! Second is that chat history isn’t stored in any central location and isn’t shared, so new group members can’t see any messages sent before they joined.

Hey friends, let's talk about secure communications. If you saw my post yesterday, you'll have what it takes to install Signal on your phone and then also on your computer if you like. Today I'm going to share two quick tips about your contact list. When you first activate your account on Signal, it will search your phone contacts and put any Signal users there into your Signal contact list. That's the only time it will do that automatically, so if someone on your contact list later installs Signal, they won't automatically be on your Signal contact list.

Hey friends – Let’s talk about secure communications and secure lifestyle. After yesterday’s post, you might be thinking “Hey, this might be a useful tool if I ever need it.” Let’s change that mindset to “This is something I should use right now.” It’s important to know your tools before they become necessary, and if you’re already using them when you think they might be useful, then they’re already protecting you. Perhaps more importantly, you probably have friends that are more vulnerable than you and will need those tools before you do; they’ll be glad you both started early.

Let’s start with getting connected to Signal. Signal starts with your phone, so grab “Signal Instant Messenger” from the app store – Open Whisper Systems is the developer. When you start it for the first time, enter your phone number (it should be pre-filled for you) and it will go through the setup process automatically. You’ll get an SMS message during this process; you can ignore it because Signal handles it on its own. After a minute or two you the process should finish and you’re ready to chat!

If you’re like me, you do a lot of chatting from your computer, and prefer typing on a keyboard rather than a phone. As it turns out, Signal has a desktop chat program, they just don’t do a good job of advertising it. You need to have Signal installed and set up on your phone before it will work, so do that first. You’ll also need your phone handy for initial setup. Download the Signal desktop app from the Chrome Web Store:https://chrome.google.com/…/bikioccmkafdpakkkcpdbppfkghcmih…

Once it’s downloaded, start it up and click through screens until you see a QR code. You need to pair this with your phone, so open Signal on your phone, go to Settings in the menu, and choose Linked Devices. Touch the plus to add a device, then use your phone’s camera to scan the QR code on your computer screen. Once it’s done you’ll be asked to enter a name for your computer (this can be whatever you like), and you’re ready to chat!

Sitting here in the light of morning, I see a lot of people asking "what's next" and looking for ways to organize. That's not really my strong suit, so allow me to concentrate on what is. Let's talk about secure communications and secure computing. I want to know that I have a way to reach my loved ones without others listening in. I want to know that if things get bad for my more vulnerable friends, they have a safe way to contact me. I want to know that there's a network of people who all have the tools to protect each other. Let's all start introducing this infrastructure into our lives so it's there if we need it.