BrianKrebsDec 24, 2022

Everything online gets leaked, lost, sold or stolen eventually. This is a fundamental reality that catches up with everyone. BTW this is not a recently acquired conviction: https://web.archive.org/web/20190216141214/https://twitter.com/briankrebs/status/1045091640480804864

But please, convince me I'm wrong if you can!

I know that over the years I've radically overhauled how I interact with companies I chose to do business with. For starters, I assume breach, which means that any information I share with them is likely going to be on the Internet at some point.

E.g., I no longer sign up for a new account somewhere without also doing it in a local, hardened VM and VPN.

I assume that the IP address I used to sign up there will be leaked in connection with my other account details, and probably the last IP I used. I assume records of what I'm doing or buying there will also be leaked.

Hell, I do pretty much all of my news reading now in the same kind of (separate) setup. No way I'm agreeing to run 97 pieces of Javascript from 22 uncertain destinations on the web. I know a lot of my readers unfortunately swear by ad blockers and rarely make exceptions (I'm not a big user of them myself for a variety of reasons), but being able to reset your system after a weekend of wantonly browsing the web is also nice.

Those are just a few basic examples. But I'm curious to hear from others -- How have the folks here altered the way they live and work online in response to the incessant reminders that everyone gets pwned?

Some food for thought over the, er...food coma the next few days :) Cheers!

briankrebs on Twitter

“Being in infosec for so long takes its toll. I've come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it or get hacked and relieved of it. There really don't seem to be any exceptions, and it gets depressing.”

Twitter
Show threadPhillip Hallam-Baker

@briankrebs This is precisely the reason I have been exploring the use of threshold cryptography to secure data for the past ten years. People demanded proof so I wrote a Threshold Key Infrastructure. Now they complain I am just pushing my code.

Threshold means that I can encrypt data such that a cloud service can control decryption but cannot decrypt. That is powerful.

There is a genuinely end-to-end secure credential manager that does not rely on passwords at all. But that is only a small part of what the Mesh does.

http://mathmesh.com/

The Mathematical Mesh

The Mathematical Mesh
Dec 24, 2022 at 5:21pmWeb
Show threadMichael RichardsonDec 24, 2022
@hallam @briankrebs
https://datatracker.ietf.org/doc/draft-richardson-t2trg-idevid-considerations/ is under adoption review by T2TRG. It should get some text on threshold methods to the generation list, and I'd sure like a better name for symmetric-seed method. https://mailarchive.ietf.org/arch/msg/t2trg/9PgBN_aUc3W6_87OnP9YWTRLt88/
A Taxonomy of operational security considerations for manufacturer installed keys and Trust Anchors

This document provides a taxonomy of methods used by manufacturers of silicon and devices to secure private keys and public trust anchors. This deals with two related activities: how trust anchors and private keys are installed into devices during manufacturing, and how the related manufacturer held private keys are secured against disclosure. This document does not evaluate the different mechanisms, but rather just serves to name them in a consistent manner in order to aid in communication. RFCEDITOR: please remove this paragraph. This work is occurring in https://github.com/mcr/idevid-security-considerations

IETF Datatracker