Security notes - security for the everyday person: Difference between revisions
(7 intermediate revisions by the same user not shown) | |||
Line 61: | Line 61: | ||
--> | --> | ||
==Is it important to encrypt my | ==Is it important to encrypt my laptop or phone?== | ||
<!-- | <!-- | ||
tl;dr: | |||
: if you think you'll lose it, and want to ensure that the next reboot people will have a ''hard'' time getting in, yes. | |||
: keep in mind that encrypted devices does not do much against law enforcement, | |||
:: in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications. | |||
in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications. | |||
What makes more-mobile devices special is that they are ''usually'' in environments you can't trust | What makes more-mobile devices special is that they physically are ''usually'' in environments you can't trust, | ||
and unlike most other kinds of devices, not doing that ''defeats their point''. | |||
Data-at-rest encryption is arguably largely about "what happens when the people steal the storage and/or device that contains it?" | |||
After it's stolen and it's still on, this encryption does not yet play a role. | After it's stolen and it's still on, this encryption does not yet play a role. | ||
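Review bot: the right-hand (new) text of this hunk carries the line "in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications." twice, once indented with `::` under the law-enforcement bullet and once again unindented directly after it; the second copy should go. Two smaller points in the same region: "encrypted devices does not do much" should read "encrypted devices do not do much", and in "they physically are ''usually'' in environments you can't trust, and unlike most other kinds of devices, not doing that ''defeats their point''" the referent of "not doing that" is ambiguous (not taking them into untrusted places, or not encrypting them?); say which. The closing sentence "After it's stolen and it's still on, this encryption does not yet play a role" is the most useful caveat in the section and is worth tying back to the tl;dr, which only promises a hard time "on the next reboot": disk encryption protects data at rest, so a device stolen while powered on and unlocked gets nothing from it until it is powered off.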
Line 143: | Line 132: | ||
Also, [https://xkcd.com/538/ [[File:security.png]] ] | Also, [https://xkcd.com/538/ [[File:security.png]] ] | ||
--> | |||
==Is it important to encrypt my PC?== | |||
<!-- | |||
tl;dr: | |||
: if you think it'll get stolen for the data on it, yes. | |||
: if you think targeted theft is likely (based on who you are and what you have), yes, do it. | |||
: if you like peace of mind, yes | |||
: yet practically | |||
:: people don't generally take their PCs anywhere - LAN parties happen less than since the late nineties | |||
:: even theft by non-interested people is not too much threat. Yes, they could poke around, but chances are that they or the next owner will just format them. | |||
: keep in mind that encrypted devices does not do much against law enforcement, | |||
:: in that in a lot of places, you are more or less ''required'' to give them access somehow, and your refusal will have implications. | |||
--> | |||
==Is it important to use two-factor authentication?== | |||
<!-- | |||
Or even more practically: | |||
* changes are higher that you will know about bad attempts | |||
* changes are lower than someone will get in at all | |||
So for anything that really matters to you, it is likely worth it. | |||
There are footnotes to that, but | |||
The idea that you have to provide | |||
* something you ''have'' (varies, but for convenience is now often "something done on your phone") plus something | |||
'''AND''' | |||
* something you ''know'' (like a password) | |||
...means that | |||
* even if ''one'' of those is taken, or just poorly chosen, | |||
* a system that is set up for 2FA is also more likely to ''tell'' you about attempts that failed on using just one of them | |||
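Review bot: the 2FA explanation in this hunk is left unfinished in two places: "something you ''have'' (varies, but for convenience is now often "something done on your phone") plus something" trails off after "plus something", and the consequence bullet "even if ''one'' of those is taken, or just poorly chosen," ends on a comma without stating the outcome (presumably that the other factor is still missing, so the attempt fails). Either complete both or cut the dangling words, since the '''AND''' structure already carries the meaning. Also "changes are higher" and "changes are lower than someone will get in" should read "chances are higher" and "chances are lower that someone will get in", and "encrypted devices does not do much" in the PC section needs "do not". In the PC section, the "yet practically" bullets argue against bothering while the tl;dr lines above answer yes for data-motivated or targeted theft; one sentence saying the answer depends on which of those threats the reader actually expects would reconcile the two rather than leaving them side by side.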
Line 261: | Line 298: | ||
In security, you do threat modeling, a.k.a. figuring out '''what problem you are trying to solve'''. | In security, you do threat modeling, a.k.a. figuring out '''what problem you are trying to solve'''. | ||
Because if it solves problems you didn't have in the first place, | |||
based on | Because | ||
: if it solves problems you didn't have in the first place, | |||
: or if it solves a minor one but forgets a much larger one | |||
then chances are you bought a sales pitch, rather than actual security -- particularly if based on [[fear, uncertainty, and doubt]] based marketing and other "overheard in public" stuff. | |||
This can even have negative effects, e.g. | This can even have negative effects, e.g. | ||
when actually nothing changed in your safety | when actually nothing changed in your safety | ||
but you think you are safer, and act more careless. | but you only ''think'' you are safer, and act more careless. | ||
The main | The main point of a VPN is often that all your traffic goes to your VPN company's servers first (encrypted), | ||
and only ''then'' to the rest of the internet (unencrypted). | and only ''then'' to the rest of the internet (unencrypted). | ||
So they often primarily are a '''proxy''': | So they often primarily are a '''proxy''' that cannot be snooped on for part of the path | ||
: | : As far as the remote side is concerned, you come from that VPN company's servers, not from your own ISP's | ||
: As far as the ISP is converned, it's just another secure connection. | |||
:: They can know ''that'' it's a VPN connection, but nothing about the contents. | |||
: As far as the ISP, or anyone on your home network, or office network, or coffe shop wifi is concerned, the contents are unknown | |||
:: For most browser requests, this is true already. | |||
Whether either of those have any added value depends on what you're doing. | |||
: the enc | |||
Also, they add encryption, but as those parentheses suggest, only for part of the path. | Also, they add encryption, but as those parentheses suggest, only for part of the path. | ||
: whether that has any added value depends on who you (dis)trust more | : whether that has any added value depends on who you (dis)trust more |
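Review bot: the fragment ": the enc" survives in the new text between "Whether either of those have any added value depends on what you're doing." and "Also, they add encryption"; it is an unfinished bullet and should be completed or removed. More substantively, the labels in "all your traffic goes to your VPN company's servers first (encrypted), and only ''then'' to the rest of the internet (unencrypted)" overstate the case: the second leg is only unencrypted with respect to the VPN tunnel, and the hunk itself concedes a few lines later that "For most browser requests, this is true already" (HTTPS already hides contents from the ISP). Something like "(without the VPN's encryption, though HTTPS still applies)" keeps the proxy benefit the section is weighing from being conflated with confidentiality. The two ISP bullets ("As far as the ISP is converned, it's just another secure connection" and "As far as the ISP, or anyone on your home network ... is concerned, the contents are unknown") say the same thing and could be merged; "converned" and "coffe" are typos; "particularly if based on [[fear, uncertainty, and doubt]] based marketing" repeats "based"; and "Whether either of those have" should agree as "has".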
Revision as of 17:55, 8 April 2024
Security related stuff.