The document discusses various options for helping non-technical friends and family browse the internet safely, such as using encryption and VPNs. It recommends browser extensions like Privacy Badger to block tracking, enabling two-factor authentication, and using a password manager. The document also discusses setting up a personal VPN using tools like Streisand or Algo that automate the process.
6. iʼm also not a lawyer and anything that sounds like iʼm
giving you legal advice is all in your imagination
disclaimer: not a “security guy”
6 — Helping Friends - OpenWest 2017 – @genehack
7. who is already providing tech support for
friends or family members?
not as a part of your job
who provides web hosting?
who provides email hosting?
anybody already running a vpn for friends
and family?
quick poll
10. thereʼs a lot of things that are “best practices” or even “common sense” to us that non-technical
folks are probably not too familiar with
we all live on the internet now -- it's real life, like Deb said in her keynote this morning -- but the
knowledge of how to do that safely isn't distributed evenly. it's like if most of the people driving
around in cars had never had any sort of training or driver education -- but (generally, broadly
speaking) we have. so what can we do to help reduce the number of flaming wrecks on the
shoulder of the internet?
safe internetting
11. one of the biggest unmet personal infosec needs, in my opinion, relates to privacy.
and some recent changes, earlier this year, have brought this more to mind
privacy concerns
12. Weʼve had some changes this year in terms of whatʼs legally
allowed when it comes to online privacy
Congressional Review Act, or CRA, is a law passed in 1996 that
gives Congress the power to override regulations created by
government agencies.
Senator Jeff Flake of Arizona introduced a law to overrule an
FCC rule limiting what ISPs could do with your info. After 10
minutes of floor discussion, it passed on a 50-48 party line vote.
Moved on to the House where it passed 231-189, again on a
straight party line vote
Signed into law by Pres Trump, 3 April 2017
recent changes
13. Hereʼs the significance of the date of this tweet...
14. who benefits?
primary beneficiaries are large monopoly ISPs -- Cox, Comcast, Time
Warner, Charter -- and wireless providers -- AT&T, Verizon -- who are
now free to continue collecting data about everything you do online
cui bono?
22. due to the “natural monopoly” nature of internet service, most people donʼt have any choice, so market-based remedies to this seem pretty unlikely
how many folks have a choice in their internet provider?
what can we do?
25. political action is great, but what can you do in the
meantime, not just for yourself, but for friends and family
what can we practically do?
26. available for firefox, chrome, and opera
developed by the EFF
keeps your browser using HTTPS as much as possible
for sites that support it. if they default to HTTP, or if they
put HTTP links into HTTPS pages, this extension
notices and keeps you on the HTTPS version of the site
using HTTPS limits the amount of info your ISP can see
about what youʼre doing -- they can still see who youʼre
talking to, but they can no longer see what youʼre
talking about
note that this is good, but metadata analysis can still
reveal a ton of info about you
27. also developed by EFF
also Chrome, Firefox, Opera
looks at third-party content being loaded by web pages,
specifically trying to see if that third party content looks
like itʼs tracking you across sites
when it detects those sorts of things, it blocks the third
party site
can also be configured to allow the third party site
content to load, but to discard the cookies and other
tracking attempts
only tracks third parties - if you go to a “first party” site
(e.g., Facebook), Privacy Badger wonʼt do anything
28. moving from privacy issues to more “safe internetting” in
general, thereʼs two factor authentication
Two-Factor Authentication
29. something you have + something you know
can use physical token, 2FA app, or get
SMSʼd code
needs to be set up per service or provider
who has (and uses) a Yubikey?
who uses 2FA via app or SMS for work
stuff? for personal stuff?
who has helped get a friend or family
2FA
30. moving on from “safe internetting” to just “safe
computing”, thereʼs hard drive encryption.
thereʼs pretty good os level support for this in everything
now, just turn it on.
hard drive encryption
31. rather than a simple 4 digit PIN
think about whether the convenience of
fingerprint unlock outweighs the risk
pro-tip: if you reboot your phone, it will require
the passphrase the first time
use a passphrase on your phone
32. get one and use it. i like 1password
use a distinct password per site
if you encrypted your hard drive, put that password in here for sure!
also put 2FA recovery tokens in here
you can also use these to generate the
answers to security questions
password managers
33. they donʼt track you, simple as that
they also have this awesome feature called
bang searches, come find me afterwards and iʼll
show you
who uses DDG?
use duckduckgo
34. signal is secure SMS
TOR is onion routing -- routes your web
browser requests via a network of bridge
nodes, obscuring what info youʼre looking for
who is using signal?
who is using tor?
anybody set friends or family up on signal or
tor?
personally tor is on the wrong side of the
use signal
use tor
35. now we get to the meat
if you follow the security or infosec space at all, you
probably noticed around the end of march this year, vpn
articles spiked up.
vpns
36. everybody had an opinion
37. which is not to say that there was any sort of consensus
38. even the more mainstream internet publications started getting in on the action,
although they were a bit …further behind on some of the critical questions
39. a vpn creates an encrypted tunnel between your computer and some other computer on
the internet -- the endpoint. anything your computer sends to the internet looks like it
comes out of that endpoint instead of coming out of your computer.
what does a vpn actually do?
44. if i absolutely had to get a non-technical friend or family member
onto a vpn, for whatever reason, this is where i would start
option #1
opera
48. so pick you a good one
49. just one example: some estimates are that up to 20% of the
vpns in the android app store do nothing
“good one”
52. clearly you need to do some careful
research
plus things are changing all the time
iʼm not going to give any recommendations
letʼs focus on this
53. also has general vpn choice guide, info on email providers,
etc etc.
thatoneprivacysite.net
54. just to reprise this idea: thereʼs basically no way (other than maybe luck)
that a non-technical user is going to be able to handle this stuff
and vpns are useful for way more stuff than just preventing your isp
from snooping on you -- theyʼre super handy for things like internet
banking or shopping from your favorite coffee shop
55. option #3
DIY
58. L2TP/IPsec
OpenConnect (Cisco AnyConnect compatible)
OpenVPN (with stunnel wrapping so VPN
connections look like normal SSL traffic)
WireGuard (next-gen kernel-based VPN for
Linux -- the future of VPNs, basically)
various VPN servers
59. OpenSSH + SOCKS proxy for forwarding HTTP/HTTPS
(poor manʼs VPN)
sslh protocol demuxer allows Nginx, OpenSSH, and
OpenVPN to all share port 443 (normally the HTTPS
port), making it less likely youʼll be blocked
Tor bridge relay
other connection options
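The sslh trick is to look at the first bytes a client sends before deciding which service gets the connection, which is why three services can sit behind one port. The following is an added example of that demultiplexing in Python (not sslh's code and not from the talk); the backend addresses are assumptions, and the OpenVPN probe only covers the TCP hard-reset v2 opening.

```python
import socket
import threading
# Assumed private ports the real services listen on; only 443 is exposed to the internet.
BACKENDS = {"tls": ("127.0.0.1", 8443), "ssh": ("127.0.0.1", 22), "openvpn": ("127.0.0.1", 1194)}

def classify(head: bytes) -> str:
    """Pick the protocol from the first bytes a client sends, as sslh's probes do:
    TLS starts with record type 0x16 (handshake) and major version 0x03; an SSH
    client opens with its 'SSH-' identification string; OpenVPN over TCP sends a
    2-byte length then an opcode byte whose top 5 bits are HARD_RESET_CLIENT_V2 (7)."""
    if len(head) >= 2 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"
    if head.startswith(b"SSH-"):
        return "ssh"
    if len(head) >= 3 and head[2] >> 3 == 7:
        return "openvpn"
    return "unknown"

def _pipe(src: socket.socket, dst: socket.socket) -> None:
    try:
        while chunk := src.recv(65536):  # copy one direction until EOF, then close the peer
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        dst.close()

def handle(client: socket.socket, timeout: float = 2.0) -> str:
    """Peek at the first bytes without consuming them, then splice to the backend."""
    client.settimeout(timeout)
    try:
        head = client.recv(16, socket.MSG_PEEK)
    except socket.timeout:
        head = b""  # silent client: assume an SSH client waiting for the server banner
    proto = classify(head) if head else "ssh"
    if proto == "unknown":
        client.close()
        return proto
    client.settimeout(None)
    backend = socket.create_connection(BACKENDS[proto])
    threading.Thread(target=_pipe, args=(client, backend), daemon=True).start()
    threading.Thread(target=_pipe, args=(backend, client), daemon=True).start()
    return proto

def serve(listen=("0.0.0.0", 443)) -> None:
    """Accept loop: every connection on 443 is routed by what its first bytes look like."""
    srv = socket.create_server(listen)
    while True:
        threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```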
60. firewall is automatically set up and configured for known
services; all other traffic is blocked
automatic process monitoring and restarting if services
crash
unattended updates configured so the server is
automatically kept fully up to date
sysadmin stuff
61. also provides a website with documentation on how to
configure and use all these services
documentation
66. only supports strongswan (ipsec) with modern crypto
single vpn server
67. SSH supported for tunneling only
other connection options
68. installs ad-blocking DNS server
optional ad-blocking
69. auto generates profiles for apple devices (ios and macos)
apple device profiles
70. configure in advance
comes with helper script to add/remove
users
multi-user support
71. algo is a bit less expansive than streisand -- they actually
tout things they donʼt support
anti-features
75. literal quote…
does not claim to provide anonymity or censorship avoidance
76. …and a second literal quote
i know who the FSB is, i know who the FSM
is .. MSS, DGSE, i have no idea
does not claim to protect you from the fsb, mss, dgse, or fsm
86. i haven't really used either one of them enough, particularly in the
"support non-technical friends" arena, to have a strong informed
opinion
i would love to hear from people that do, particularly if you're here now
and end up going down this road
full disclosure
91. both of these will give you information about how much is
leaking from your VPN/browser
ipleak.net
whoer.net
92. what are other longer term things you can do?
96. bonus points: install this on your VPN server (or just use
algoʼs built-in ad blocker) and get DNS-level ad blocking
DNS-level is nicer than browser-based plugins because
it works on everything -- phones, tablets, etc.
anybody already running anything like this?
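DNS-level blocking covers every device because the blocking happens inside the resolver those devices already ask. This added example (not from the talk, and not Algo's ad-blocking server) is a minimal forwarding resolver that sinkholes names on a constructed blocklist to 0.0.0.0 and relays everything else; the upstream address and listen port are assumptions, and it expects well-formed queries.

```python
import socket
import struct

BLOCKLIST = {"ads.example.com", "tracker.example.net"}  # constructed; real lists hold thousands
UPSTREAM = ("1.1.1.1", 53)  # assumed upstream resolver for everything that is not blocked

def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (RD=1) for `name`; handy for testing the resolver."""
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_qname(query: bytes) -> tuple:
    """Return (name, offset just past the question section) for a well-formed query."""
    labels, pos = [], 12  # the 12-byte header comes first; questions never use compression
    while query[pos] != 0:
        length = query[pos]
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels).lower(), pos + 1 + 4  # skip root label, QTYPE, QCLASS

def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """Match the name and every parent domain, so cdn.ads.example.com is caught too."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))

def sinkhole_response(query: bytes):
    """Answer a blocked name ourselves (A 0.0.0.0, TTL 60); return None to forward upstream."""
    name, qend = parse_qname(query)
    if not is_blocked(name):
        return None
    qtype = struct.unpack(">H", query[qend - 4:qend - 2])[0]
    ancount = 1 if qtype == 1 else 0  # only A queries get a record; others get an empty NOERROR
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, ancount, 0, 0)  # flags: QR, RD, RA
    answer = (struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(4)) * ancount  # name ptr -> 12
    return header + query[12:qend] + answer

def serve(listen=("127.0.0.1", 5353)) -> None:
    """Forwarding resolver loop: sinkhole blocked names, relay the rest to UPSTREAM."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(512)
        reply = sinkhole_response(query)
        if reply is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as up:
                up.settimeout(3)
                up.sendto(query, UPSTREAM)
                reply = up.recv(4096)
        sock.sendto(reply, client)
```

Point phones and tablets at the VPN server's resolver address and the same blocklist applies to all of them, with no per-device plugin to maintain.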
98. at the end of the day, the real solution for this problem is legislative. the best way to make
that happen is to let the people who represent you in congress know that this is an
important issue to you. call, write, visit town halls.
100. electronic privacy information center
donate your money, donate your time -- both these
organizations are critical in the fight to protect internet
privacy (not to mention little things like net neutrality)
give to epic
102. when you go to set this up for other folks -- particularly non-technical folks -- consider
carefully whether youʼre going to be giving them an overall improvement to their quality of life
virtually everything iʼve talked about in this talk -- even the simple plugins like HTTPS Everywhere and Privacy Badger -- has the potential to break things. theyʼre generally well-maintained, have whitelists that work around known issues, and so on -- but itʼs still possible to end up with stuff broken, in a way that a non-technical person is going to have a hard time figuring out
much like dynamite, these are very useful tools in trained hands, but can be pretty disruptive
if used wrongly. itʼs fine to inflict them on yourself, naturally… but try to have some empathy
for the folks youʼre “helping” too
107. contrary to what Deb said this morning, i really do like criticism. this is the first time i'm giving this talk, and i'm very interested in what people think of it -- so either use this joind.in page to leave me anonymous feedback, or tweet at me, or just find me after the talk and let me know what you think
give me all the feedbacks please
https://joind.in/talk/ad7b5