The article is very slightly more nuanced but the concept the title purports is <i>DANGEROUSLY INCOMPETENT</i> for any security expert / discussion / context.<p>1) idea that security is something you check off and be done with is dangerously wrong. Security must be continuous, must be updated, reviewed, etc.<p>2) idea that you can "encrypt" [secure] your entire life is ludicrous and leads to many dangerous security misconceptions. You don't even have control of your entire life, let alone ability to secure it. Most of the data on you is owned by others and not even available to you to secure. <i>The world is not private or secure</i>. Everyone needs to know and think about this when they are tweeting, sexting, talking shit about future president and then being surprised when SS comes to investigate.<p>3) idea that security is either on/off, a binary, that you can be secure or not, is false and leads to extremely poor security choices, over/under securing. Nothing is secure. <i>There is no such thing as SECURE</i>. Things lie on a gradient of security from easy to break to impractically difficult. Things on the impractical to break technically end are still broken due to social engineering, externalities (power consumption of cpu), poor practices surrounding item, etc. Security is making the effort required to get an item greater than the value of getting the item.
[Copied from my comment on a duplicate post -- there seems to be random tracking junk at the end of the URL that prevents these from being detected as duplicates!]<p>I appreciate how practical these tips are and I hope people will follow them.<p>I have two quarrels with this:<p>> Andy Grove was a Hungarian refugee who escaped communism [... and] encourages us to be paranoid.<p>I'm pretty sure that Grove was referring to business strategy, not communications security.<p>> Congratulations — you can now use the internet with peace of mind that it’s virtually impossible for you to be tracked.<p>Something I've seen over and over again is that Tor users tend to have a poor understanding of what Tor protects and doesn't protect. The original Tor paper said that Tor (or any technology of its kind) can't protect you against someone who can see both sides of the connection -- including just their <i>timing</i>. Sometimes, some adversaries can see both sides of a person's connection. As The Grugq and others have documented, Tor users like Eldo Kim and Jeremy Hammond were caught by law enforcement because someone was monitoring the home and university networks from which they connected to Tor and saw that they used Tor at exactly the same time or times as the suspects did. (In Hammond's case, recurrently, confirming law enforcement's hypothesis about his identity; in Kim's case, only once, but apparently he was the only person at the university who used Tor at that specific time.)<p>As law enforcement has <i>actually identified Tor users</i> in these cases, I think people need to understand that Tor is not magic and it protects certain things and not other things. 
In fact, I helped to make a chart about this a few years ago:<p><a href="https://www.eff.org/pages/tor-and-https" rel="nofollow">https://www.eff.org/pages/tor-and-https</a><p>This chart was meant to show why using HTTPS is important when you use Tor, but it also points to other possible attacks (including an end-to-end timing correlation attack, represented in the chart by NSA observing the connection at two different places on the network) because many people in the picture know <i>something</i> about what the user is doing.<p>I've been a fan of Tor for many years, but I think we have to do a lot better at communicating about its limitations.
Signal is atrocious for security. You literally log in with your phone number. Anything you send is directly and irrevocably tied with your physical identity. What good is it to me that the messages are encrypted? When the police come knocking, either I'll decrypt them, they'll beat me until I decrypt them, or I'll die in prison for not decrypting them. I do want my messages encrypted, but more than that I really want them not tied to ME.
I tried using Signal but the problem is no one else wants to. So yeah I'd love e2e encryption but it requires both parties to use it, which is a problem.
If you're being specifically targeted by a sufficiently capable adversary, this is, at best, a speed bump.<p>Categorize your levels of paranoia appropriately.
> In a single sitting, you can make great strides toward securing your privacy.<p>There's no such thing as privacy when using proprietary software.<p>If the goal is to secure your privacy, there's no need to argue beyond that.
Be careful with 2 factor authentication. A Telegram user was hacked by the police in Russia. The government can receive your SMSes. Use non-SMS 2-factor.
I would also suggest using an actually encrypted email like:<p><a href="https://protonmail.com/" rel="nofollow">https://protonmail.com/</a>
Question: Given that gmail can be compromised, even 2 factor auth. Why aren't there any extensions that would make it easier to use a public key while keeping the gmail data encrypted? Yes, I understand that gmail is not eager to encrypt the emails but users would be willing to do it if there was a simple extension in chrome or firefox. Using an extension would have saved many from email hacks in the past year. Yes, it would still be available on the user's machine but it would certainly add another level of security.
Better off reading JJ Luna's How to Be Invisible plus espionage non-fiction about Cold War fieldcraft. Then just stop using electronics when you really want privacy. Also, if you do crypto, make it look like HTTPS or something normal to be lost in the crowds over WiFi proxies. Signal and Tor scream "Look at me!"<p>Truth is, though, you won't be participating with most people online if you have very strong INFOSEC and OPSEC. The baseline is just way too low with insecurity and surveillance everywhere.
How is it possible for DuckDuckGo to offer google search results legally? Aren't Bing and Google constantly sniping at each other for implementing each other's results?
The article didn't cover email: Get off of the freebie services like Yahoo! and Gmail and go someplace else because we already know that these companies are in big-time cahoots with the government. Also, Google was working hard to get Clinton crime cabal elected to the point of messing with search results. WE WON'T FORGET.<p>FastMail is a decent paid service.
Or ProtonMail, Hushmail who market on privacy and security.
Isn't 2FA considered dangerous now? We've seen how susceptible it can be to social engineering.<p>On a related note, I noticed that my Windows Phone displays text message notifications even when it's locked... So adding a PIN doesn't prevent an attacker from doing 2FA if they have access to my phone.