Difference between revisions of "Security notes - security for the everyday person"

From Helpful
m (Is it important to use antivirus/malware protection?)
m (Laptop hard drive encryption)
Line 377: Line 377:
 
-->
 
-->
  
==Laptop hard drive encryption==
+
==More on laptop hard drive encryption==
 
===Practical side===
 
===Practical side===
 
<!--
 
<!--
  
'''What problem are we actually solving?'''
+
There are a few flavours of disk encryption, including
 +
* "enter password at boot to decrypt disk"
 +
: means the entire computer is unusable without a master password
  
 +
* "TPM does it for you"
  
'''tl;dr: it's great for peace of mind if it's stolen. And not much else.'''
+
* "protecting one account at a time"there's some regions of data being protected, e.g. just user account contents
 +
: meaning the OS can boot, but you can't use a specific account
 +
: can be tied to TPM, other hardware, or be purely software
  
  
Encrypted or not, while your PC is in use, you can access everything on disk.
 
  
So it does not protect against your programs, or malware, or anything else doing bad things while it's running.
+
====What problem are we actually solving?====
  
And it doesn't protect against other people sitting down, unless you remember to screen-lock.
+
'''The "enter password at boot to decrypt disk" solutions are great for peace of mind if it's stolen. And not much else.'''
  
  
Drive encryption is only about protecting data at rest.
+
That is, it '''makes the data unreadable at rest''', meaning that once the computer is it's powered off,
 +
it's unreadable and stays unreadable until you power on and have entered your passphrase.
  
With encryption, once it's powered off, it's unreadable.  
+
It solves the problem that without encryption,  
 +
you can slot your drive into another computer, and it can read all data on it,
 +
regardless of your 'log into your account' password.
  
The next time your laptop boots up it asks for a passphrase, once, before any (and typically all) data can become readable.
 
  
Whereas unencrypted drives are easy to read out from another PC (or other OS).
 
  
 +
But what some people forget is that '''disk encryption does almost nothing for you while your computer is running.'''
  
 +
Whether your disk is encrypted or not, while your computer is on and in use,
 +
the disk must appears decrypted to be usable, and programs can access everything on disk,
 +
so it doesn't protect you against your own programs,
 +
against malware,
 +
or or against someone else sitting down at your computer if you forget to screen-lock.
  
But the question is a little broader.  I see roughly four categories here:
 
  
  
* '''Disks or data where you don't care about encryption.'''
+
'''The "TPM does it for you" situation does even less.'''
  
Unencrypted disks make data recovery a lot easier.  You may prefer this for non-sensitive data.
+
Sure, it's convenient that there is no password for your to enter.
  
This is also an argument for partial disk encryption - basically, have one (mounted) drive where you put the sensitive stuff.  
+
And yes, if someone steals the disk from your laptop,
 +
it's completely useless to them.
 +
 
 +
The thing is that it's much more likely they steal the laptop
 +
 
 +
But if they steal the laptop, it'll give you thinks without question.
 +
 
 +
 
 +
 
 +
The "one account at a time"" ''can'' be a better case
 +
 
 +
 
 +
 
 +
 
 +
 
 +
The real question should perhaps be a little broader.
 +
 
 +
I see roughly four categories here:
 +
 
 +
 
 +
* '''Computers with data where you don't care about encryption.'''
 +
 
 +
Unencrypted disks make data recovery a lot easier, encryption ''sometimes'' makes recovery  impossible.
 +
 
 +
You may prefer recoverability for computers that you know will only ever contain non-sensitive data.
 +
 
 +
 
 +
''Never'' containing sensitive data is hard to ensure, so this is sometimes an argument for ''partial'' disk encryption - basically, have one (mounted) drive where you put the sensitive stuff.
 +
 
 +
Or only your account data, possibly on a per-case basis.  
  
  
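Review bot: Two of the three flavours introduced at the top of this hunk never get a usable conclusion. The "TPM does it for you" paragraph ends on the garbled "But if they steal the laptop, it'll give you thinks without question.", and the paragraph starting 'The "one account at a time"" ''can'' be a better case' has a doubled quote and stops without saying when or why it is better. Finish both, and for the TPM case state what a thief holding the whole laptop actually gets once the disk unlocks itself at boot, since the earlier text already distinguishes the disk passphrase from the 'log into your account' password. The "TPM does it for you" bullet is also the only list item without a ":" explanation line, and the third bullet runs straight into its explanation ("at a time"there's some regions") and is later referred to by a different label. Wording slips to fix while there: "once the computer is it's powered off", "the disk must appears decrypted", "or or against someone else", "for your to enter", and the missing full stop after "steal the laptop".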
Line 422: Line 461:
  
  
But some do care, and are technical enough -- because unless encrypted, you can just
+
...but some do care, and are capable enough, or have a friend that is.
put the disk in another computer to read off everything.
+
 
+
Encryption makes it not remotely worth putting in the time or effort.
+
(...and will probably have to go "eh, okay, I'll wipe it and reinstall an OS" before selling it on)
+
  
Note that this largely holds even if they implementation is quite flawed, which most are not.
+
Encryption will make it not remotely worth putting in the time or effort.
 +
Most thieves would probably go "meh, I'll wipe it and reinstall" before selling it on.
 +
(This is likely even if the encryption is quite flawed, which most are not).
  
  

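Review bot: As rendered, the added side of this hunk makes the same point twice: "Encryption makes it not remotely worth putting in the time or effort." and, a few lines later, "Encryption will make it not remotely worth putting in the time or effort.", each followed by its own "wipe it and reinstall" remark. If both sets are in the new revision, keep one. In the closing parenthetical, "even if the encryption is quite flawed, which most are not" switches from singular to plural (the removed line's "implementation" had the same problem); something like "even if a particular implementation is quite flawed, and most are not" reads correctly, with the full stop moved inside the closing parenthesis.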
Revision as of 22:48, 18 November 2021

Security related stuff.

Practical


Theory / unsorted

how to do a login system badly
how to do encryption badly
Disk and file encryption notes

Is it important to use antivirus/malware protection?

Is it important to encrypt my laptop?

Is it important to encrypt my phone?

Is it important to encrypt my PC?

Is it important to use a password manager?

Is it important to use a VPN?

Is it important to use secure mail?

So these messaging apps are the end-all then?

More on laptop hard drive encryption

Practical side

A note on speed

Technical side

Drive encryption and TPM