Everything online gets leaked, lost, sold or stolen eventually. This is a fundamental reality that catches up with everyone. BTW this is not a recently acquired conviction: https://web.archive.org/web/20190216141214/https://twitter.com/briankrebs/status/1045091640480804864

But please, convince me I'm wrong if you can!

I know that over the years I've radically overhauled how I interact with companies I choose to do business with. For starters, I assume breach, which means that any information I share with them is likely going to be on the Internet at some point.

E.g., I no longer sign up for a new account somewhere without also doing it in a local, hardened VM and VPN.

I assume that the IP address I used to sign up there will be leaked in connection with my other account details, and probably the last IP I used. I assume records of what I'm doing or buying there will also be leaked.

Hell, I do pretty much all of my news reading now in the same kind of (separate) setup. No way I'm agreeing to run 97 pieces of JavaScript from 22 uncertain destinations on the web. I know a lot of my readers unfortunately swear by ad blockers and rarely make exceptions (I'm not a big user of them myself for a variety of reasons), but being able to reset your system after a weekend of wantonly browsing the web is also nice.

Those are just a few basic examples. But I'm curious to hear from others -- How have the folks here altered the way they live and work online in response to the incessant reminders that everyone gets pwned?

Some food for thought over the, er...food coma the next few days :) Cheers!

briankrebs on Twitter

“Being in infosec for so long takes its toll. I've come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it or get hacked and relieved of it. There really don't seem to be any exceptions, and it gets depressing.”

Twitter

@briankrebs Oh boy, so I'm a bit more cautious than most, based on the stuff I have seen, but this is what I do:

I color code everything based on security zones. Networks, PCs, VMs, browser profiles, passwords, folders, and even command prompts. Yes, many people do this, but I take it to the extreme. I colorize everything, including network cables, browser themes, Windows wallpaper, command prompt backgrounds, etc. Anything that lets me colorize gets colorized. Every color zone has very specific security levels, rules, etc. that I follow religiously. Nothing ever crosses a zone without going through some security barrier. My password managers for each zone are color encoded as well. Some zones I have to store offline. Oh and in Windows, I have a list of (orange and red) apps/commands blocked from my regular non-privileged account and some (crimson) that will only run on a secure desktop isolated from everything.

Every zone has its own online accounts/personas and uses a different browser or browser profile. On my browser profiles, I use uBlock Origin heavily loaded with my own custom rules and filter lists, some I have been building for years. Some browser profiles are allowlist only, some I treat as if they were at an internet cafe.

I must admit I have given up on trying to maintain privacy, but I do isolate different personas for types of online activities or interests. None of them ever cross paths and the most isolated run in their own VMs and have different VPN providers. Some of my personas I have maintained for 15 years or more, so they have well-established histories. One persona I even had set up as a DBA once so I could get a bank account and run a business with it.

Of course there are limits on how effective this all can be--my personal information is still in innumerable databases--but it does also have its benefits.

I have spent many years building this all, but now the biggest fear at this point in my life is what happens when I die. I have it somewhat documented, but I can't even imagine my wife--or even an expert in the field--trying to make sense of it all. I may have to pay an estate lawyer to document it.

What a nightmare.

@briankrebs Different browser colors, with a colorized desktop in the background.
@briankrebs Colorized command prompts.
@briankrebs Some folders in my password manager.
@briankrebs Oh yeah and colorized file system.

@briankrebs Oh on this topic, I dug up this article I wrote almost twenty years ago on theregister.com:
https://www.theregister.com/2005/04/27/security_for_the_paranoid/

Kind of funny actually reading things from a 2005 perspective but the commentary still stands.

Security for the paranoid

Even a paranoid can have enemies

The Register

@m8urnett @briankrebs I have to laugh, this reminds me of a quote from Peter Norton back in the 80’s, opining there was no real need for color monitors. I couldn’t understand his rejection of the most basic utility of color.