3 Things for InfoSec Amateurs To Do Post-Wikileaks “Vault 7” Revelation
tfw when it’s raining code and you remembered to bring a jacket
Post-November, many people who had never thought about digital security beyond Rami Malek’s beautiful face started taking steps to be more secure online.
Myriad digital security experts jumped at the chance to get vital security information out there — and, for once, have best practices actually be taken seriously.
Delving into the world of digital security can be overwhelming for the average security tech amateur. In many ways, the world of digital security reminds me of the nebulous social justice idea of “self care”: the real problem has never been knowing that you need to meditate, take breaks, or go outside — it’s just that it’s not actionable for most people trying to “self care”.
When it comes to digital security, there’s really no one “secure” app, practice, or tool, and protecting yourself online requires significant thought (and, god forbid, auditing) about what data is most at risk from which entities. Making digital security part of your practice is often tedious and inconvenient, and, if you’re doing it carelessly, could even leave you less secure than before.
And once you’ve taken a few basic steps, heard the repeated platitudes (‘nothing is 100% secure’, ‘digital security is like washing your hands’), and struggled through implementing harm reduction changes to your own digital lifestyle, there is always a point where someone who knows more than you, be it a giddy brogrammer or a relatively impassive entity like the EFF, imparts information that undermines the totality of your digital security understanding thus far.
Wikileaks’ Vault 7 revelation, a collection of 8,761 leaked documents, after which many outlets initially reported that the NSA/CIA can “hack” Signal and other encrypted apps, is one of those moments that test the nerves of people just starting to take digital security seriously.
“I literally just got my astrologer to use Signal,” you can almost hear the reluctant digital security hivemind thinking as they scroll through the news. “I guess I’ll change my Facebook password back to ‘password123’.”
Digital security is often discussed using a harm reduction framework — aimed at reducing negative consequences rather than believing harm can ever be eliminated entirely. So in understanding digital security, it’s vital to prioritize thinking about the potential harm and devastation caused by a breach in your security. What would happen if a rando got access to your PayPal? What if your
The answer is different for all of us, but it is truly rare that taking some steps to minimize your risk would be unnecessary.
Now we come to the three things. FYI, the headline is a trick — rather than eliminating Signal, moving all of your email correspondence to messenger pigeon, or getting a password manager for a day and then promptly changing all of your passwords back to your old passwords when you get locked out, there are three critical steps that you should take, regardless of what security tool is trending in the news cycle:
- Invite all of your organizing group members, friends, comrades, etc., over. Have snacks.
- Spend one hour thinking about “what data would fuck up my life, or the lives of people I care about, the most if it were compromised? Who would profit most from access to that information?” List it out — and list out where it is stored and how you share it.
- Make a plan with your friends, complete w/ calendar and accountability buddies, to slowly but surely:
  a. delete the information from that list that you don’t need.
  b. back up the information that you DEEPLY need (and make sure it doesn’t live anywhere that you don’t know about).
  c. take steps to secure your accounts — 2FA, password managers / your hardware — encrypting your hard drive / adding passcodes to your phone / your
  d. bug your friends to do the same. Really bug them. Set up times to help them install programs.
  e. make understanding the basics of digital security a priority (start by reading about: encryption, threat modeling, compartmentalization) — pick a topic to understand once a week.
H, you didn’t actually explain what this whole thing was about… the experts do it better.
Digital Security training resources for security trainers, Winter 2017 Edition
Authors: Rachel Weidinger ( https://twitter.com/rachelannyes ) Cooper Quintin ( https://twitter.com/cooperq ) Martin…