Everything online gets leaked, lost, sold or stolen eventually. This is a fundamental reality that catches up with everyone. BTW this is not a recently acquired conviction: https://web.archive.org/web/20190216141214/https://twitter.com/briankrebs/status/1045091640480804864

But please, convince me I'm wrong if you can!

I know that over the years I've radically overhauled how I interact with companies I chose to do business with. For starters, I assume breach, which means that any information I share with them is likely going to be on the Internet at some point.

E.g., I no longer sign up for a new account somewhere without also doing it in a local, hardened VM and VPN.

I assume that the IP address I used to sign up there will be leaked in connection with my other account details, and probably the last IP I used. I assume records of what I'm doing or buying there will also be leaked.

Hell, I do pretty much all of my news reading now in the same kind of (separate) setup. No way I'm agreeing to run 97 pieces of JavaScript from 22 uncertain destinations on the web. I know a lot of my readers unfortunately swear by ad blockers and rarely make exceptions (I'm not a big user of them myself for a variety of reasons), but being able to reset your system after a weekend of wantonly browsing the web is also nice.

Those are just a few basic examples. But I'm curious to hear from others -- How have the folks here altered the way they live and work online in response to the incessant reminders that everyone gets pwned?

Some food for thought over the, er...food coma the next few days :) Cheers!

Archived tweet from @briankrebs (linked above):

“Being in infosec for so long takes its toll. I've come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it or get hacked and relieved of it. There really don't seem to be any exceptions, and it gets depressing.”
@briankrebs This is exactly how I interact with companies as well. I use an email that isn’t tied to my more personal stuff, I have a Google voice number I give out, make purchases with virtual credit cards where I can, and I even use a sort of “alias” when I make orders or new accounts that isn’t my real name. Our home network even utilizes proxies, adblockers, a well-configured firewall, endpoint protection, and a VPN where it makes sense. The list goes on.
Having worked for, alongside, and/or with various companies from a security perspective has made me realize how fragile everything is.
@briankrebs Not to mention, there are times when I “bully” companies into being more secure. (I use that word jokingly.) I’ll provide my own Egnyte account, read-only no downloadable access configurations for files, or utilize encryption and password protections where they fail to. (Sometimes I tell them I won’t give them that information if they’re not operating securely where applicable.)
Yeah, I can be THAT person.
@myraccoonhands @briankrebs These all seem like very good practices to me, but they remind me of two things I've seen this year that make my blood boil: many companies are now using sign up forms that will detect the obfuscating email addresses that Apple will generate for iCloud users and reject them, and I've now also seen three sites that insist on a "work" or "professional" email address (I assume they're just checking for and rejecting all the gmail, outlook, etc., "freemail" domains). 😡
@maxleibman @briankrebs I’m starting to get a lot of forms that reject my virtual credit cards as well as my Google Voice number, too. It’s becoming more and more frustrating.