Tuesday, January 26, 2016

PRIVACY: protecting yourself on the internet

I Ramped Up My Internet Security, and You Should Too

by Julia Angwin in ProPublica



Some people make dieting resolutions in the New Year. I make security and privacy resolutions, because those are the things that keep me up at night. 

After all, as a journalist, it's important for me to give my sources assurances that I will keep their communications confidential. And in today's world, that is an ever-more-difficult task.

Everyone — journalists or not — faces an increasing array of attacks on our security and privacy. Even if you're not the U.S.'s intelligence chief, whose email was recently hacked, it's smart to up your game. So this year, I thought I'd share my resolutions.

1. Software updates

It's not sexy, but at the top of my list is updating my software to the latest versions. Nothing else matters - not fancy encryption or strong passwords - if you're using software that contains gaping holes that any criminal or spy can penetrate.

And I hate to break it to you, but all your software is as holey as Swiss cheese. The software updates you receive are just patches for the holes that have been discovered so far. More holes will be discovered later. What's more, updates are basically red alerts to hackers, pointing them to the holes.

So I've just updated my phone and computer operating systems, as well as all my Web browsers, software and phone apps.

2. Ditching old, buggy software

Next up is ditching old, unused or poorly maintained software. Using software is a commitment. If you don't update it, you are wearing a "hack me" sign on your forehead. So if there are programs or apps that you don't use, delete them.

This year, I decided to ditch my instant messaging client Adium. I was using it to enable encrypted chats. But like many cash-strapped open source projects, it is rarely updated and has been linked to many security vulnerabilities.

Instead, I switched to Tor Messenger, an encrypted messaging program that is run by the Tor Project, a nonprofit that makes the anonymous Web browser that I already use. By the sad standards of underfunded open source security tools, Tor is relatively well-financed and so I have some hope that its tools will continue to be updated.

Tor Messenger links up with my existing Gmail and Jabber chat accounts, and is encrypted and anonymous by default.

For even more privacy, I also signed up for Ricochet, an encrypted chat program that runs on the so-called Dark Web. One downside: You can only chat with other Ricochet users. So far, I have all of two buddies on it. [INSERT SAD EMOJI HERE!]

3. Upgrading my passwords

Passwords are, of course, the definition of unsexy. But you gotta have ‘em, and they should be long and unique (no re-using between websites). I use a password manager, 1Password, to generate most of my passwords.

But for my most important accounts, such as email and my bank, I use a method called Diceware to generate passwords that are about 30 characters long and made up of dictionary words that I can remember. (Thank you Chase for allowing 30-character long passwords — not all banks do, strangely.)

If your passwords are long and unique, you don't need to change them every few months, as most companies incorrectly force employees to do. But I'd been using the same Diceware passwords for a few years now — and I figured it was time to create new ones.

4. Upgrading my encryption key

After getting all the basics out of the way, I finally got to the fun stuff: Secret coded messages! Who doesn't love encryption? Modern crypto scrambles your communications so well that FBI Director James Comey has spent the past year complaining that it's too hard to crack.

Most of my encrypted communications take place on Signal, an easy to use phone app. But for email, I use Gnu Privacy Guard, a much older and more complex program.

I've long been haunted by the fact that when I set up GPG four years ago, I didn't create my encryption key in the most secure way. This year, I decided to finally fix it. To set up my keys correctly, I had to find a computer that never touches the Internet and follow the instructions in this helpful guide: "Creating the Perfect GPG Key Pair."

My new key seemed all pristine and shiny. And my old key - which I am now revoking - was like an old sweater that I was tossing. It had served me well, but it was time to go.

In fact, closet cleaning is probably the best analogy for my New Year's security project. At the end, I felt cleaner and lighter — the same way I do when I toss out old clothes. And perhaps that feeling was its greatest benefit. I may not be able to foil all the hackers and spies across theInternet. But I can sleep better at night knowing I have tried my best.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.