Now, first off, the ONLY source of information I trust on these matters without question is a bloke by the name of Bruce Schneier. His website is at https://www.schneier.com/ (note that his site is https). Some quick examples:
- https://www.schneier.com/blog/archives/2014/07/risks_of_keylog.html is about the risks of key logging on public computers, such as at hotels;
- https://www.schneier.com/blog/archives/2014/07/risks_of_keylog.html is about the insecurity of USBs; and
- https://www.schneier.com/blog/archives/2004/12/safe_personal_c.html, which is a summary of Bruce Schneier's recommendations around PC security.
Mr Schneier's site covers all the fundamentals of on-line security (although I have found that website hard to do searches on, so it can be hard to track stuff down):
- regularly changed passwords (mine are:
  - all long [unless the website has a character limit], and I change the length when I change the password,
  - can't be found through spell check, etc., and
  - NONE are written down anywhere.
  I won't go into how I do that, other than to say that I personally consider the use of password storage software a vulnerability - including to others in the locality, such as visitors who could potentially wander past and have a look [not to mention what can happen in public places] - so I refuse to use any such software, which is the only disagreement I can think of that I have with Mr Schneier, as he recommends using - good - password storage software);
- maintaining security updates and anti-viral software.
On that, NO anti-viral package is 100% effective in tests - the best percentage I've seen for stopping viruses during tests is around 96 - 98%.
Another issue here is that the time taken to infect a computer is incredibly short. I've been an absolute pain in the backside at times in the past when I've been switching to a new system, and have insisted that I get the new system on a disk or something, and install it BEFORE I connect to the Internet;
- NEVER using one's full birth date ANYWHERE on the Internet. Where I am asked for a date (other than something like the Tax Office, where I have no choice), I use a modified date. Wherever possible, I avoid giving a year (this is but one of the reasons I don't use Facebook: I could use a fake date, but then I would be uncomfortable about stating that all information is true and correct, which is where I abandoned the one and only attempt I ever - reluctantly - made to sign up); and
- using a secure browser with the capability of blocking automatic use of scripts (which is why I have stuck with Firefox predominantly, but note Schneier's recommendations are for other browsers), and being aware of the problem of cross-tab browsing.
Another fundamental as far as I am concerned is putting multiple email addresses in the BCC box, rather than having them visible (apart from the fact that forwarding email addresses without permission is potentially a breach of the Privacy Act). This cuts down on the possible use of the email address to receive spam, or as the spoofed source in sending spam (see http://en.wikipedia.org/wiki/Email_spoofing). And as annoying as receiving spam is, it is far worse to have someone you don't know suddenly start accusing you of sending spam. When I get an email with the email addresses all shown, it is interesting to watch for an increase in spam: when that happens, I know someone in that bunch doesn't have a properly protected computer - and that happens disturbingly often.
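As an added example (this is not the blog author's code, and it is not tied to any particular mail provider), here is how the BCC point plays out if you send mail from a script with Python's standard library. The trap is that `smtplib.SMTP.send_message()` strips the Bcc header for you, but `smtplib.SMTP.sendmail()` transmits whatever bytes you hand it, Bcc header and all, so every recipient would see the whole list. The sender and recipient addresses below are made up for the example.

```python
"""Keep blind-copied addresses out of the headers other recipients see.

Added example, not code from the original post. Addresses are constructed
placeholders. No mail is actually sent; the functions return the envelope
recipient list and the wire bytes you would pass to SMTP.sendmail().
"""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default


def build_message(sender, to, cc, bcc, subject, body):
    """Compose a message. If bcc is non-empty a Bcc header is added, which is
    fine for SMTP.send_message() (it removes Bcc before transmitting) but NOT
    for SMTP.sendmail(), which sends the header as-is."""
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_for_sendmail(sender, to, cc, bcc, subject, body):
    """Return (envelope_recipients, wire_bytes) that are safe for
    SMTP.sendmail(sender, envelope_recipients, wire_bytes).

    The envelope carries every address (To + Cc + Bcc, de-duplicated, order
    kept); the transmitted headers carry only To and Cc, so nobody can read
    who was blind-copied."""
    envelope = list(dict.fromkeys([*to, *cc, *bcc]))
    wire = build_message(sender, to, cc, [], subject, body).as_bytes()
    return envelope, wire


def leaks_bcc(wire_bytes):
    """Pre-send check: True if the bytes about to go on the wire still carry
    a Bcc header (header names are matched case-insensitively)."""
    parsed = message_from_bytes(wire_bytes, policy=default)
    return "Bcc" in parsed


if __name__ == "__main__":
    sender = "me@example.org"          # constructed placeholder addresses
    to, cc = ["alice@example.com"], []
    bcc = ["bob@example.com", "carol@example.com"]

    # The naive route: serialise the message yourself and call sendmail().
    naive_wire = build_message(sender, to, cc, bcc, "Hi", "hello").as_bytes()
    print("naive bytes leak Bcc:", leaks_bcc(naive_wire))        # True

    # The safe route: strip Bcc from the headers, keep it in the envelope.
    envelope, safe_wire = prepare_for_sendmail(sender, to, cc, bcc, "Hi", "hello")
    print("envelope recipients:", envelope)
    print("safe bytes leak Bcc:", leaks_bcc(safe_wire))           # False
    # Then, with an smtplib.SMTP connection `smtp`:
    #   smtp.sendmail(sender, envelope, safe_wire)
```

If you use `send_message(msg)` instead of `sendmail()`, pass the message built with the Bcc header present: `send_message` reads To, Cc and Bcc to work out the envelope and removes Bcc (and Resent-Bcc) from what it transmits. `leaks_bcc()` is the check worth running on anything you serialise by hand.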
Another fundamental is using password protection on key files, so even if a device is stolen and hacked, there is still a further layer of protection, even if it is perhaps just a further inconvenience to those criminals.
- in some parts of the world, you potentially don't need much to be able to, say, open an account - name, date of birth including year, and address will get you a long way there (I know we need more here to do that, but that isn't the point: there are places where it is still easy; I've read a few media articles about what criminals can do with information such as a credit card number, and it is quite staggering);
- many security problems are related to criminals who are often, basically, trying to use identity theft, and they
  (a) have pretty good computer skills, and
  (b) could be located anywhere, and work anywhere in the world (remember the so-called Nigerian spam? If not, see http://www.scamwatch.gov.au/content/index.phtml/tag/nigerian419scams. It only needed to work once in a while, and that would be enough for them to steal plenty of money);
- suppose someone hacked into or stole something, and was able to get that information for, say, one of your or a friend's kids, used that to open an account somewhere overseas and overdrew it;
- later, that particular kid travels to that country, and is arrested.
There are remedies against identity theft after it has happened, but using them is stressful, slow and expensive - and not guaranteed to give a good result. Having to do so while unsupported in another country would be enough, I imagine, to potentially drive one to suicide.
So, as a result, I:
- keep addresses in an old-fashioned address book without phone numbers, using part names or nicknames wherever possible;
- have one email address that I do not use for personal emails, but which is where I keep an unshared calendar with birthdays and anniversaries related to people I love - and I have avoided putting in years of birth. I enter the dates as recurring reminders. (The downside of that is that I can't keep track of key age birthdays, so I'll probably work out a code to enable me to do so.) (I also have one email which I have never sent an email from, which is for password recovery, and I use two-factor authentication on all key emails);
- keep phone numbers on my phone, with no addresses or birth dates.
On that, I don't have a smartphone. One reason is that, until Apple recently introduced a "wipe out" feature, anyone who stole the thing, or found it if it had been lost, had instant access to my emails and anything else I had logged into - most people didn't even use password or PIN protection to access the device when it was turned on, in my observations of how they were actually using them.
(Another reason is that the rare earth minerals used to build these and other advanced electronic devices are subject to problems similar to those of blood diamonds - see http://www.globalwitness.org/campaigns/conflict/conflict-minerals.)
There is no question that smartphones are convenient, and can be used for some good things, but I draw the line at using them for email or storing personal or sensitive information. (At work, I'm happy to have a "dumb phone" - and I don't use all this security for business contacts at work, but then, I suppose I don't keep track of any birthdays there, and the addresses are all of businesses, not individuals. I have also nagged them at work into educating everyone about the importance of locking their PCs when they are not at their desk.)
One thing about smartphones and ALL OTHER ELECTRONIC DEVICES is that they can potentially die. The first PC I ever had was a $200 thing created out of left-over bits and pieces. It ran on the notoriously flaky Windows 98, and died before I had learned to use off-PC backup. I kept and destroyed the hard drive, and recycled the rest. A few years ago my laptop died. I had backup, so didn't lose much in terms of being able to keep working, but I still destroyed it as best I could rather than recycle it, as I didn't want ANY risk that someone else's personal details could be accessed in any way. The only way I would recycle something like that would be if it was scrambled or wiped in my presence at handover (or if I could do so first).
Now, all of the above is mostly about online security. I also avoid keeping this sort of information in one place as a hard copy, and for exactly the same reason: if someone broke in and stole it, they could potentially create problems for people I love (I've actually had nuisance calls to me as a result of exactly that).
Is all this paranoid? Yes.
Is it necessary? When I consider what could potentially happen to someone I love or their kids, A THOUSAND TIMES YES!!!
[2] Please see here and my post "The Death of Wikipedia" for the reasons I now recommend caution when using Wikipedia. I'm also exploring use of h2g2, although that doesn't appear to be as extensive (h2g2 is intended - rather engagingly - to be the Earth edition of "The Hitchhiker's Guide to the Galaxy").
Love, light, hugs and blessings
Gnwmythr, Wéofodthegn
(pronounced "new-MYTH-ear"; ... aka Bellatrix Lux? … Morinehtar? … Would-be drýicgan ... )