@briankrebs Had to testify at #maine legislature not long ago against a proposal to put all Maine prescriptions into a searchable online database (not just controlled meds like we do now). 🙄

#privacy

@briankrebs

In all honesty, I just expect that everything is out there. I figure that tying together enough info to get a reasonable amount of PII is so easy that’s practically worthless, as an average Joe, to protect too much against.

That said, I do try very hard to segregate my work life from my personal life. At no point does anything work related touch my home network, which is fully segregated and VPNd. I never log into personal stuff on a work machine and vice versa, cell phone included.

@briankrebs This is precisely the reason I have been exploring the use of threshold cryptography to secure data for the past ten years. People demanded proof so I wrote a Threshold Key Infrastructure. Now they complain I am just pushing my code.

Threshold means that I can encrypt data such that a cloud service can control decryption but cannot decrypt. That is powerful.

There is a genuinely end-to-end secure credential manager that does not rely on passwords at all. But that is only a small part of what the Mesh does.

http://mathmesh.com/

@briankrebs signing up for websites makes no sense to me in a vm. That honestly just sounds like you're looking for additional points to make.

Nowhere did I see you mention that you then re-access those websites through that specifically created VM, thusly obviating the need for it in the first place.

I want to think that this is all meant in good honest intentions but I mean it really sounds a little bit like fear mongering.

Maybe that's just what you have to do these days, and I don't mean that a shot at you, I mean generally, just to earn eyeballs.

I fully understand that the threat models are different for you and myself, but I don't understand the holes in yours as you laid them out.

@briankrebs
We're not far from using burner VMs the way people used burner phones for the past decade.

I'm a pedestrian, don't pull back the curtain on the darker side of security issues; but on a critical work machine, I only go online from there within a sacrificial burner VM. It get's nuked after certain sessions – wipe it, restore, and start over fresh. For the same reasons.

As an extra layer of obfuscation, the VM runs a different OS, emulating different hardware, than the host.

@briankrebs Enjoyed the thoughts, one thing in particular that has alarmed me recently is the amount of healthcare providers I'm finding myself having to register online with to access doc email/test results.

Most online services seem to be run by SaaS companies founded in the last decade and are meant to be administered by folks without a lot of technical experience (doc office staff). Always makes me loosen my tie in nervousness.

@briankrebs "Online" is used a few different ways, and as the lines become increasingly blurry, I am reminded that "everything gets hacked, eventually" means that there is no distinction.

If something being recorded, it will be public. If something s being created, it will be public. So I don't really have secrets/private information recorded, I have temporarily harder-to-get information.

This doesn't just change the way I relate to companies, it changes the way I relate to all documenting/recording and collecting of data, on all devices, on all paper notes, etc.

@briankrebs Oh boy, so I'm a bit overly cautious than most, based on the stuff I have seen, but this is what I do:

I color code everything based on security zones. Networks, PCs, VMs, browser profiles, passwords, folders, and even command prompts. Yes, many people do this, but I take it to the extreme. I colorize everything, including network cables, browser themes, windows wallpaper, command prompt backgrounds, etc. Anything that lets me colorize gets colorized. Every color zone has very specific security levels, rules, etc. that I follow religiously. Nothing ever crosses a zone without going through some security barrier. My passwords managers for each zone are color encoded as well. Some zones I have to store offline. Oh and in Windows, I have a list of (orange and red) apps/commands blocked from my regular non-privileged account and some (crimson) that will only run on a secure desktop isolated from everything.

Every zone has it's own online accounts/personas and uses a different browser or browser profile. On my browser profiles, I use uBlock Origin heavily loaded with my own custom rules and filter lists, some I have been building for years. Some browser profiles are allowlist only, some I treat as if they were at an internet cafe.

I must admit I have given up on trying to maintain privacy, but I do isolate different personas for types of online activities or interests. None of them ever cross paths and the most isolated run in their own VMs and have different VPN providers. Some of my personas I have maintained for 15 years or more, so they have well-established histories. One persona I even had set up as a DBA once so I could get a bank account and run a business with it.

Of course there are limits on how effective this all can be--my personal information is still in innumerable databases--but it does also have its benefits.

I have spent many years building this all, but now the biggest fear at this point in my life, is what happens when I die. I have it somewhat documented, but I can't even imagine my wife--or even an expert in the field--trying to make sense of it all. I may have to pay an estate lawyer to document it.

What a nightmare.