{"@attributes":{"version":"2.0"},"channel":{"title":"DEV Community: Ondrej","description":"The latest articles on DEV Community by Ondrej (@ondrejs).","link":"https:\/\/dev.to\/ondrejs","image":{"url":"https:\/\/media2.dev.to\/dynamic\/image\/width=90,height=90,fit=cover,gravity=auto,format=auto\/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F110067%2F37e93d2b-8e27-4d27-97a1-e7eb0fc58ec3.jpg","title":"DEV Community: Ondrej","link":"https:\/\/dev.to\/ondrejs"},"language":"en","item":[{"title":"Question about topic","pubDate":"Thu, 03 Jan 2019 20:05:02 +0000","link":"https:\/\/dev.to\/ondrejs\/question-about-topic-kcb","guid":"https:\/\/dev.to\/ondrejs\/question-about-topic-kcb","description":"<h2>\n  \n  \n  Hello fellow devs!\n<\/h2>\n\n<p>I have a question for my future vector of posting on this site - would you like to read something about information security practices for \"normal\" (i.e. not in the security industry) people? I mean posts about communication security, best practices in the usage of major operating systems, security on the web and so on...<\/p>\n\n<p>I sincerely don't know if it belongs here, on a forum primarily oriented toward web development, but if you'd like to read something about these topics... I would be happy to share my knowledge\/experience :)<\/p>\n\n","category":["infosec","security","privacy"]},{"title":"Effective Communication Security \/ Beyond 'Use Signal Use Tor'","pubDate":"Sat, 15 Dec 2018 18:30:36 +0000","link":"https:\/\/dev.to\/ondrejs\/effective-communication-security--beyond-use-signal-use-tor-55hk","guid":"https:\/\/dev.to\/ondrejs\/effective-communication-security--beyond-use-signal-use-tor-55hk","description":"<p><a href=\"https:\/\/media.dev.to\/dynamic\/image\/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto\/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Ffdd6a79n0nzoxbsfatuz.jpg\" class=\"article-body-image-wrapper\"><img 
src=\"https:\/\/media.dev.to\/dynamic\/image\/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto\/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Ffdd6a79n0nzoxbsfatuz.jpg\" alt=\"alt text\"><\/a><\/p>\n\n<h3>\n  \n  \n  Effective Communication Security \/ Beyond 'Use Signal Use Tor'.\n<\/h3>\n\n<p>Devoted to people who live under oppressive regimes.<\/p>\n\n<p><em>\"The \u201ctools first\u201d brigade love to advance \u201cuse ${this}\u201d as if whatever ${this} is will implement all sequences of the process for you. Then any tool which fails to address a real threat, or provide the appropriate protection, can be blamed for not addressing arbitrary threat models. This entire approach is backwards.\"<\/em> Grugq<\/p>\n\n<p>Key points:<\/p>\n\n<p>The real problems associated with bad communication practices are usually on endpoints, not really in SW\/apps\/protocols. <strong>Keep in mind that a bad implementation of technology is a human problem.<\/strong><\/p>\n\n<p>Laptop - As often as possible, use ephemeral messaging apps that cannot be traced to your physical identity (e.g. <strong>Ricochet - <a href=\"https:\/\/ricochet.im\" rel=\"noopener noreferrer\">https:\/\/ricochet.im<\/a><\/strong>). Another choice with good UX could be <strong>CoyIM<\/strong> (<a href=\"https:\/\/coy.im\" rel=\"noopener noreferrer\">https:\/\/coy.im<\/a>).<\/p>\n\n<p>Mobile device - Use <strong>Signal\/Wire<\/strong>, prefer encrypted voice calls over messaging, or make sure you use self-destructing messages for all sensitive conversations. Do not use their Electron-based desktop versions (a possible XSS attack vector, with OS-level access as a sweet bonus). Also realize that these apps are bound to your physical identity (to your phone number, e-mail or simply IP address), so you're not really pseudonymous\/anonymous.<\/p>\n\n<p>Rule of thumb - no logs, no crime. <strong>Avoid logs<\/strong>, even on the client side. 
This is also one of the reasons to avoid IRC for sharing sensitive info \/ organizing events.<\/p>\n\n<p>Avoid proprietary messaging apps (e.g. Telegram, Messenger). Try to always use open-source software audited by professionals.<\/p>\n\n<p><strong>In general, a laptop is significantly less secure than an iOS device. Even a Pixel Android device (kept patched) is more secure than a laptop.<\/strong> If possible, use an iPhone, always updated to the newest iOS version. Do not jailbreak it. If you use Android, do not root your device &amp; do not enable developer mode. For both platforms - disable cloud backup. Require a password to unlock. If possible, register Signal\/Wire with a pre-paid SIM card.<\/p>\n\n<p><strong>Avoid private communication via e-mail at all costs, even via encrypted e-mail. Use the communication channels listed above instead.<\/strong> <\/p>\n\n<p><strong>Enable two-factor authentication (YubiKey, Google Auth., Duo, Authy) whenever possible.<\/strong><\/p>\n\n<p><strong>If you want to present your ideas &amp; future plans on any social media\/event-sharing platforms (e.g. a blog or Twitter feed), always use Tor (note: Tor does not mean the extremely insecure Tor Browser).<\/strong><\/p>\n\n<p>Enable full HDD encryption. Encrypting only the \/home\/ folder is often not enough if your machine is seized. Always turn off your PC\/Mac after usage. Never store decryption keys on non-encrypted drives.<\/p>\n\n<p>Consider using <strong>VeraCrypt<\/strong> containers for sensitive stuff (on top of full HDD encryption) because a court could force you to hand over your keys to the authorities <strong>(this is especially relevant for citizens of Australia, Canada, France, Norway, Russia and the United Kingdom)<\/strong>.<\/p>\n\n<p>Never ever contaminate your online activist identity with your real identity. 
<strong>Learn to compartmentalize.<\/strong><\/p>\n\n<p>What's wrong with Snowden's simple 'Use Signal Use Tor' statements?<\/p>\n\n<p>Well, you'd better use the endpoint of your endpoint (i.e. your brain, my friend) in the first place. Consider your threat model and behave appropriately. Do not rely solely on technology. <strong>The majority of serious communication security problems are generated on endpoints (i.e. by the user's bad OPSEC practices).<\/strong><\/p>\n\n<p>Security is a holistic and never-ending process, not a final product (to quote Bruce Schneier).<\/p>\n\n<p>Stay safe, my friend.<\/p>\n\n","category":["communication","security","privacy","infosec"]}]}}