An update to the Globe and Mail Guide to Safer Computing
Hack-proof computers don’t exist. That’s an important truth to keep in mind as you browse this guide to building a more secure computer. Covered here are myriad tools and services to help protect you from malware, spam, bot-nets and even that amorphous threat of government monitoring. But even if you implement every piece of advice mentioned here and more, you’ll still have, at best, a hack-resistant computer.
Ever hear the old chestnut “it’s not paranoia if they really are after you”? Not long ago, we published the first two instalments of a Globe and Mail Guide to Safer Computing. We had intended it to be a compendium of tools to make your digital life more secure, and planned to run it over the course of a week. Then the Heartbleed bug came to light, and we had to re-evaluate everything again.
As such, we pulled the guide, went through it to look for potential vulnerabilities in the recommended software, and updated the text accordingly. The re-edited version is presented below in its entirety. We will update it regularly with new software and/or whenever new catastrophic security flaws come to light. This is by no means an exhaustive guide. Indeed, if you have any suggestions to add, let us know.
Ever since former National Security Agency contractor Edward Snowden began leaking secret documents in the summer of 2013, millions of everyday computer users have taken a much greater interest in protecting their digital privacy and security. This guide is a means of listing some of the tools we find most helpful in that endeavour.
Virtually every tool and service in this guide adheres to three basic rules:
1: Free or Very Inexpensive:
There are enough hurdles keeping most people from taking their digital security seriously, and we didn’t want to add price to that list. Whenever possible, we’ve tried to recommend products and services that won’t cost you any money.
2: Open Source:
Most of the software we use today, such as Microsoft Word, Adobe Photoshop or Apple Anything, is proprietary. You can’t (legally) open it up and look at its inner workings. Open-source software, on the other hand, is generally free for inspection by anyone. This means two things: first, open-source software is generally cost-free (see Rule 1); but more importantly, open-source software is also usually subject to a kind of crowdsourced security audit by a large group of third-party experts. Another way to put this is, lots of geeks go through the code looking for bugs, and if they find one, they raise hell (which is exactly what happened with the Heartbleed bug; it was discovered by industrious geeks). That doesn’t mean all open-source software is safer than the proprietary stuff (Microsoft has a huge financial incentive to keep its software bug-free, and the resources to hire the brightest tech minds on the planet), but open-source software at least offers some much-needed transparency as to what is actually happening under the hood.
3: A Flat Learning Curve:
For this guide, we have purposely left out many superior security solutions for the simple reason that they require too much technical know-how. Sure, if you go back to school and earn a PhD in computer science, you can build a far more secure machine than the one we describe here, but this guide is aimed at the above-average (usually Windows-based) user who has a little technical ability. If that person can’t learn to use it pretty well within 30 minutes of starting it up, we’ve kept it out of this guide.
Prologue: A Floating Brothel on International Waters
The single most effective thing you can do right now to improve the security of your computer is unplug it from the Internet. Pull out that Ethernet cable; throw the wireless router in the microwave. The vast, vast majority of infections that plague your machine will arrive via the Web.
Unfortunately, if you want to get anything done, that’s not an option. So, before we go into specific software tools, here are some general Internet safety tips to at least reduce the risk of contracting something nasty. Most if not all of these tips may sound obvious, but people still do these things, so it’s worth repeating:
1: If someone calls you out of the blue claiming to be “from” Microsoft or Google or your bank, and asks for any information, it is a scam. Microsoft and Google aren’t going to call you; their people have better things to do. And unless your “bank” is a crowbar-wielding loan shark, you’re not going to get a phone call demanding anything. Hang up and, if possible, report it.
2: There are no European lottery commissions randomly e-mailing people to award them prizes they never entered to win in the first place. There are no Nigerian ministers’ offspring looking to move massive sums of money out of the country. There is no reason why plastic surgeons hate that woman in the pop-up ad. It’s all garbage, designed either to lure you into a lawless corner of the web, steal your personal information, or straight-up take your money. If you get an unsolicited e-mail offering the possibility of financial reward, don’t reply. Please don’t become this person.
3: The same goes for social media. If you get a friend request from someone you’ve never heard of named “Maxamad Maxxhamad,” it’s either the start of a fraud scam, or someone looking to scrape your personal information from your Facebook profile to create other fake accounts. If you receive a message from someone on Twitter saying, “Hey, this security camera caught you naked! Take a look!” and asking you to click a link, it’s a ploy to get you to give up access to your Twitter account, so the sender can hijack it and use it to send more malicious messages. Don’t click on it. There is no security camera footage of you naked on the Internet. Trust us, we checked.
4: Update your software. Download security patches when they become available. None of this is guaranteed to stop you from getting hacked or monitored (if there’s one thing the Snowden leaks have shown us, it’s that a lot of the big tech companies either don’t know or don’t care how susceptible their products are to unauthorized tampering – at least by certain groups). But for the most part, security patches and updates actually do fix serious weaknesses. If you’re still using Internet Explorer 6, you probably deserve whatever apocalyptic malware catastrophe that befalls your computer.
5: Most people use terrible passwords. There are a number of reasons for this. One is the sheer variety of password-enabled devices we have to deal with every day (how many people still have the default “1234” as the password on their vehicle’s Bluetooth connection?). Another is the fault of certain products and websites that either don’t care what sort of password you choose, or force you to jump through a bunch of hoops that result in the creation of a convoluted password you end up forgetting a week later.
As Randall Munroe notes, the most important determinant of password strength is entropy. Basically, the more stuff there is to guess, the better the password. So choose a long password. And if you don’t think you can remember multiple passwords and don’t want to use a password manager (see Part III, below), at least memorize a strong password and use it exclusively for your most important digital transaction. The last thing you want is your banking login compromised because someone hacked into a gaming forum you frequent.
Much of Internet security boils down to your own appetite for risk. If you only go to trusted websites, don’t download shady programs from strange-looking sites and generally follow the rules above, your risk profile is far lower than if you’re constantly clicking the ads on porn sites, downloading pirated software and changing your Facebook privacy setting to “Anything Goes.” That’s not to say you can’t do any of these things (to each their own), just understand the risks involved.
A crass but surprisingly apt metaphor is venereal disease. If you’re using protection and only sleeping with people you trust, you’re not guaranteed to avoid catching anything nasty, but your odds are pretty good. If you spend most of your time partaking in anonymous orgies in a floating brothel on international waters, you might get away with it, but the odds are not in your favour.
Part I: Hardware
Since this guide is primarily focused on software, this will be a fairly short section. That isn’t to say that your computer hardware is somehow immune to hacking. Indeed, this chilling talk by digital activist Jacob Appelbaum shows that the scope of hardware hacking is actually far greater than many of us ever suspected.
But there are very few hardware tools that don’t violate one or more of the rules listed at the beginning of this guide. There are some laptops (and smartphones, thanks to Apple) that utilize fingerprint readers, which will give you another layer of security. But it’s impossible for us to tell you much about how secure the software side of those fingerprint readers is, given that it’s mostly proprietary technology.
There is another promising technology being built in Canada right now, and we mention it here primarily because it sounds very interesting. It’s called Nymi, and it’s the brainchild of a Toronto startup called Bionym. It’s a wristband that authenticates you by monitoring your unique cardiac rhythm. As long as you’re wearing it, the thinking goes, you don’t need to type in any passwords. We can’t recommend it, because we still haven’t had a chance to play around with it, but it sounds fascinating.
As a general rule (and we may get angry e-mails from some retailers for saying this), we try not to buy our PCs from big-box stores. The primary reason for this is that many of these stores will sell you computers preloaded with all kinds of bloated software that isn’t just unnecessary, but will often start bugging you to register and pay – so much so that it meets our personal criteria for malware. On top of that, some of these stores will also offer to remove this software – for an extra fee.
There are plenty of smaller, local computer stores and websites (such as Newegg and Tiger Direct) that will let you buy individual components and build your own computer or, if that sounds too complex, many of these stores will build it for you.
(As an aside, you can always get one of those nifty desktop cases that have a little lock on them. But keep in mind that those locks can often be picked with a toothpick or a particularly hard-eyed stare.)
Part II: Operating System
A lot of everyday computer users tend to treat their operating system the way they treat their religion – whether they believe wholeheartedly in it or are long-lapsed, they’ve gotten used to certain rituals and ways of doing things, and they have no intention of switching to something else.
There are, of course, far more secure operating systems than Windows, which currently runs in one form or another on some 90 per cent of the world’s desktops and laptops. OpenBSD, for example, is a UNIX-based operating system that’s considered by many to be one of the most secure in the world. But it is not a particularly easy system to learn, and so fails our rule about ease of use.
Linux, however, does not. The generally free operating system has been around for years, but tends to suffer from the perception that it is intended for people who have neck beards and dream in hexadecimal.
For the most part, this isn’t really true. Many versions of Linux are almost identical in look and feel to Windows. And virtually every major piece of commercial software available for Windows exists in some form for Linux.
The advantages of Linux are mostly related to the fact that a massive community of people who have neck beards and dream in hexadecimal are constantly checking it for bugs. This means that if something goes wrong, someone will probably find it.
But in reality, Linux’s biggest anti-malware feature is the fact that far fewer people actually use it, making it a less appealing target for people writing malicious code. Most of the world’s viruses live in the Windows ecosystem because that’s where the users are.
That’s not to say that a properly protected Windows computer is any less secure than a Linux machine, because there are plenty of other variables at play. But if you’re looking to try Linux, the most user-friendly flavours for Windows users are Ubuntu and Mint. The developers responsible for both operating systems recently issued patches to plug the Heartbleed bug.
But there’s also a third option – a temporary, or “live” operating system. These tools allow you to carry around in your pocket an operating system on a USB key that, inserted into any machine, instantly turns it into a temporarily secure computer. The most useful of these operating systems is a program called Tails. Simply install it on a memory stick, and Tails becomes an instant operating system. Before you start your (or any) computer, plug in the memory stick. Instead of loading to the default operating system, the computer will boot up Tails, which is designed to leave no trace of your data or its own existence once the machine is shut down. Tails comes pre-loaded with an anonymous, secure browser, and will not write any data to the hard drive unless you specifically instruct it to. If you’re frequently finding yourself using untrustworthy computers, or even if you occasionally want total anonymity on your own machine, a copy of Tails is invaluable.
It appears Tails also escaped unscathed from the Heartbleed debacle. Keep in mind, though, that the developers are seriously understaffed and are constantly finding esoteric bugs in the software. Still, pound for pound, Tails is one of the best anonymity tools in the world.
Part III: Encryption and Password Managers
Encryption is one of those computer terms that sometimes turns off casual computer users because it sounds like a lot of work. In reality, encryption simply means keeping something secret such that it sounds like gibberish to anyone who doesn’t know the secret key. Pig Latin is a kind of encryption.
Encryption is also one of the most powerful ways of keeping your data private. There exist all kinds of tools to enable encryption. Some Linux flavours, such as Mint, for example, will give you the option of encrypting your Home folder from the moment you install the operating system. There are also powerful, open-source encryption tools for Windows and Mac, such as TrueCrypt.
E-mail encryption is also particularly useful, given that e-mail is still the most common form of digital communication for many people. One way of encrypting e-mail uses a mathematical scheme called public-key cryptography. Without going into too much detail (Lifehacker has a great explanation of how it works here), this type of encryption allows you to send messages that only the intended recipient can decipher. Most popular e-mail programs, such as Thunderbird, support public-key encryption.
The problem with this encryption is that it fails if someone figures out your secret encryption key (just as all safes fail if someone figures out your combination). The bigger problem is that e-mail encryption is a two-way street, and requires the person you’re e-mailing to participate – which they may be too lazy to do.
There are also on-line e-mail services, similar to Gmail and Hotmail, which focus on privacy and security. These include services such as HushMail, which operates servers out of Vancouver. These services will do a lot of the security heavy lifting for you, but are often not open-source. Make sure to read their terms carefully to understand exactly what information they keep, who they may be required to give it to (most of the time, it’s the cops) and when they will delete it.
There is also a growing body of encryption tools and standards for instant messaging. One popular method is something called Off-The-Record, which is designed not only to keep messages secret from prying eyes, but to also authenticate its users, thereby ensuring that the person you’re chatting with is really who they say they are.
As with public-key cryptography, you can save yourself some time and effort by getting a messaging tool that already implements OTR, such as Adium. The open-source program can connect to and is compatible with lots of popular messaging tools, from Facebook Chat to ICQ.
Part IV: Anonymity and Safe Browsing
The amount of information a website can collect from you every time you visit is kind of astounding – your location, your operating system, your screen size and a hundred other bits of personal data. What’s worse is that many sites have become so reliant on this information that they’ll refuse to work without it.
Irrespective of software, one of the easiest ways to gauge the security of a web site is to look for the HTTPS prefix before the site’s web address. For example, if you type “Facebook.com” into your browser’s address bar, you will be taken to “https://www.facebook.com,” because Facebook enables HTTPS by default.
HTTPS is basically a more secure way of connecting to web sites, and gives you greater assurance that the site you’re visiting is the real thing. This is particularly vital for sites that ask you for passwords or personal information. The last thing you want is to log in to your bank’s web site, only to discover it’s not really your bank’s web site.
But HTTPS is by no means fool-proof. Part of what makes Heartbleed such a dangerous security flaw is the fact that it can theoretically be used to spoof a trusted site’s HTTPS certificate, effectively rendering the whole scheme worse than useless. Realistically, there’s not much you as an end-user can do about this other than contact the website and ensure they updated their security certificates post-Heartbleed (which, sadly, many smaller sites did not) and change your passwords.
HTTPS also does nothing to protect you from sites looking to (legitimately) collect your personal information. To maintain privacy on the web, you often need to resort to anonymous browsing. Perhaps the most popular and powerful anonymous browsing tool around today is Tor. It’s basically a piece of software that reroutes your Internet traffic through countless “nodes” all over the globe, making it extremely difficult for anyone to figure out where you really are (a version of Tor is also built in to the Tails operating system). Tor is so good at this that it is often employed by human rights activists working in some of the most dangerous places on Earth.
(And because this is the case, please use Tor wisely – by which we mean, please don’t bog down the network for everyone by using it to download high-definition movie files, or something equally frivolous).
Here, the developers behind Tor outline the extent to which the software may have been affected by the Heartbleed bug. The developers also released a new beta version of the software to address the bug.
Many websites also employ “scripts,” or mini-programs that run on the site. Some of these scripts enable pretty nifty experiences, because they’re more powerful than basic Web languages, but they also have the potential to mess with your computer in some pretty profound ways (including digital surveillance). To disable scripts entirely or just on certain sites, you can use NoScript, a free and powerful Firefox browser add-on.
Keep in mind, however, that the Internet looks very different when you start disabling scripts and browsing anonymously. Some sites will refuse to work at all, while others will passive-aggressively ask you to enable cookies and scripts and God knows what else. When we visited Facebook using Tor, for example, the site freaked out, because the traffic seemed to originate from a random node in India, and the site believed our account had been hacked.
Obviously, the sites you visit also play a huge role in your level of anonymity. There are countless examples of this, but an easy change worth making is switching your default search engine to DuckDuckGo. It doesn’t work as well as Google’s search engine, but it also doesn’t collect or store massive amounts of information about you.
(As a complete aside for those users who, like us, work in journalism, there’s a new tool called SecureDrop that’s designed to bring anonymity to the process of document transmission. If you want a secure way to accept documents from sources who want to remain anonymous, this is a good tool to consider).
Part V: Removing Files and Removing Malware
The process of truly deleting a file from a computer is fairly complex. Most of the time, when you delete a file (and even empty the recycle bin), it doesn’t actually go away. Instead, the computer puts a “For Sale” sign on the part of the hard drive where the file is located. Over time, other files and programs may overwrite the space, but they also may not. This means that, even after you delete a file, it can often be partially or fully retrieved by anyone who knows what they’re doing.
To really get rid of a file, you need to get your hands dirty – or simply use a tool such as Eraser. Instead of just deleting a file, Eraser will overwrite the file with random data, making it almost impossible to recover.
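For readers curious what "overwrite, then delete" looks like in practice, here is a minimal Python sketch added for illustration; it is not Eraser's code and not part of the original guide. The function names and the sample file contents are made up for this example.

```python
import os
import secrets
import tempfile


def overwrite_in_place(path, passes=1, chunk_size=64 * 1024):
    """Replace every byte of an existing file with random data.

    Returns the number of bytes overwritten in each pass.
    """
    size = os.path.getsize(path)
    # "r+b" opens the file for writing WITHOUT truncating it, so the new
    # bytes are written over the file's existing contents instead of the
    # old space simply being marked as free.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            # Push the data out of Python's and the OS's write caches.
            f.flush()
            os.fsync(f.fileno())
    return size


def overwrite_and_delete(path, passes=1):
    """Overwrite a file, rename it to a random name, then delete it."""
    size = overwrite_in_place(path, passes=passes)
    # Renaming first means the original file name is not the one left
    # behind in the directory entry that gets marked as free.
    directory = os.path.dirname(os.path.abspath(path))
    scrambled = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, scrambled)
    os.remove(scrambled)
    return size


def run_demo():
    """Exercise both functions on a constructed sample file."""
    original = b"constructed sample: account=0000 pin=0000\n" * 100
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(original)

    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()

    overwrite_and_delete(path)
    return {
        "same_size": len(after) == len(original),
        "content_changed": after != original,
        "still_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(run_demo())
```

This approach is most reliable on a traditional spinning hard drive with a simple file system. On SSDs, on file systems that journal or copy data on write, and wherever backup or sync copies exist, older copies of the data can survive an in-place overwrite.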
Removing malware, on the other hand, is far less straightforward than removing unwanted files. It’s also difficult for us to make too many recommendations in this category because almost all the tools available tend to violate one of our three rules for this guide. Malwarebytes, for example, is a fine tool for catching malicious software, and there’s a free version available, but the program’s creators haven’t made it open-source – in part because they don’t want the authors of malicious software to know how it works. Windows users will want to get their hands on Microsoft Security Essentials, an all-round security suite that is not open-source, but is free and built by the people who know Windows best. ComboFix is a great malware-nuking tool but – and we can’t stress this enough – is extremely powerful and, if used incorrectly, can thoroughly destroy your PC.
It’s worth noting that malware protection is one of the most amorphous areas of computer security. Many anti-virus programs are little more than glorified pattern recognition, designed to pick out malicious programs based on what other malicious programs tend to do. This, of course, won’t work too well whenever a new type of malware comes along. It’s quite possible that most consumer PCs on the planet are infected with some kind of malicious code, and the first thing a lot of that code does is try to neuter the on-board anti-malware software. (A great all-round malware prevention guide, which includes software recommendations, can be found here.)
Part VI: Smartphone Safety
Given that many people today use their smartphone as their primary computer, it is worth talking about ways to keep your mobile devices secure.
The problem with a lot of smartphones is that (with the exception of perhaps BlackBerry) they were not designed primarily to be very secure. Some companies, such as Apple, employ severe restrictions on what a user can do with the hardware and software – making the platform more secure as a result. Google’s Android operating system, on the other hand, is free to use and customize by anyone, and as such is probably far more susceptible to the growing field of mobile malware.
All things being equal, BlackBerry likely remains the most secure big-name smartphone you can buy off the shelf today. But there are several caveats. Firstly, there are two flavours of BlackBerry service – consumer-focused and enterprise-focused. Of these two, the one built for enterprises is much, much more secure than the one you or I can purchase at the mall. Also, there is a persistent perception that BlackBerry PIN messages are somehow immune to hacking, which is not true – if a law enforcement agency wants to get at those PIN messages, it will find a way. We also don’t know the exact terms on which BlackBerry deals with various government agencies around the world when it comes to requests for user data. We don’t know the details of BlackBerry’s dealings for the same reasons we don’t know the details of any other major tech company’s dealings – because they can’t or won’t tell us.
In terms of hardware, there are some promising developments on the horizon. BlackPhone, a new secure phone running on a highly customized version of Android, seems enticing, but is not yet available for general sale.
For a truly secure phone, you can opt to buy a CryptoPhone, which uses some of the most powerful encryption technology available anywhere. You’ll have to pay, but as with the BlackPhone, we’re willing to make an exception to the cost-free rule in the case of hardware.
There are several pieces of software you can download today to make your mobile device more secure. WhisperSystems builds several excellent tools for secure mobile communications, including an encrypted phone call program called RedPhone and a private text chat tool called TextSecure.
Also keep in mind that some of the tools discussed in other parts of this guide may also be available for smartphones.
Epilogue: Negative Space
Will all these tools keep you totally safe from malware and surveillance? No.
The truth is, even though there exists a massive community of hard-working privacy and security experts trying to stay ahead of their adversaries, we have no idea what the extent of the Internet’s dark side really is. The Snowden revelations have changed the way we think about the scope and capabilities of government surveillance, and on any given day, thousands of new and potent malware strains are created. Neither of these phenomena comes with documentation; there is no user’s manual to consult.
As such, a negative space is created where conspiracy theories flourish. It is quite likely that the National Security Agency has never spied on your computer. But maybe they have – you just don’t know. It is impossible to create impenetrable digital security and privacy not only because there exists no such thing as a bullet-proof vest (only bullet-resistant vests), but also because the threat against which you’re protecting yourself is, at its core, a mystery.