Is there any interest here in digital privacy tools, for example PGP email encryption, TOR browser bundle, darkweb, VPN, etc?
I'm just an enthusiast user of these things, not an IT or pro in this field, but I have I think picked up some useful tips and tools via osmosis, hanging around others, etc. It's not shooty or outside survival, but I think it's still useful and fits in with wanting with those other skillsets. Nowadays, I can't imagine going online without using some of these things to stay private.
Caveat- just like other things of interest around here, these are just tools and they don't make you bulletproof or invisible just by having them. Protecting your digital privacy may include using these kinds of tools, but you still must always exercise information discipline in order for the tools to do you any good. And, in today's world it might not be safe to use some of these things as doing so can put you "on a list". For example, I've been told elsewhere that if you use Tor browser, your IP address is almost certainly put into a .gov list somewhere for whatever purpose they have. Using Tor isn't illegal (for now) but that kind of thing is something to know before you decide.
One useful place to start, if you're interested, is "Info Security for Journalists 101" (PDF alert)
You don't have to use the tools in the pdf or even the versions of the tools presented in it. The PDF is written for non-technical people and is a good primer that explains each concept/tool and then has decent step-by-step instructions on how to install and use the tools.
I'm somewhere in the middle of the bell curve, privacy wise. I haven't gone totally hardcore like a journalist in China or Iran might do, anticipating a police dissection of his or her computer (there are instructions in the PDF for how to physically disconnect the speaker mic on your pc so that it couldn't be activated to listen to your conversations). I put a piece of tape over the webcam, I use a commercial VPN service, I keep Tor installed and occasionally use it, always use Duckduckgo as a search engine etc. If possible I use PGP with emailing friends, of which maybe 1/4 of my friends are tech enough to be comfortable using PGP. For the other friends, I at least try to use something more private than Gmail such as an offshore-based webmail provider like Protonmail, Unseen, etc.
If it does any good though, I want the bastids to have to work at it a little bit to keep the big eye on me.
Any interests, thoughts?
I think it's interesting, but ultimately not something I focus on. I take general precautions about PII, but I fully realize there is a long paper trail on me given my background, security clearances, and having to pay hosting fees on this site.
"Man is still the first weapon of war" - Field Marshal Montgomery
I think digital privacy tools are far more likely to be useful in today's world than a gun for someone who isn't an LEO or active duty infantry.
I'll definitely be checking out your link.
"Good judgement comes from experience, and experience comes from bad judgement"
Hi, guys. I'm Justin. I work in the digital security/privacy realm and have written several books on the topic. If there is interest I am happy to delve into some of this. Before getting into specific tools, techniques, and procedures, however, it is helpful to have some framework on which to hang privacy and security problems.
Critical to understanding this framework is disambiguating privacy and security. Though they are often thought of as the same thing, they aren't. Let's use my house as an example.
The bottom line: security prevents access to a location, account, etc. Privacy is the obfuscation or minimization of the information that is publicly findable or viewable about you. Ideally we want both, but we compromise some on both to make life livable. Finding your balance is up to you.
Finding the balance is the product of Threat Modeling. A threat model is a realistic, plausible accounting of potential threat actors and their intersection with your attack surface. This is a topic unto itself, but is critically important. If we overestimate our threats we spend too much time, energy, and money protecting ourselves from implausible threats; if we underestimate our threats we get hurt, hacked, or otherwise pwned. Questions to ask to determine your threat model:
There isn't really a digital security problem that can't be hung on this framework. There are implied tasks (good, strong passwords for instance) under each of these. This is my preferred way to think about digital security.
There are tons of tools to help with each of these, but honestly the best security measure in most cases is better human behavior.
I recommend taking some time to think about these principles. I'm happy to expound if there is any interest.
Hey Justin- Great, I'm interested! (Not to derail things if this is too far off-topic for the intent of this forum, though, hopefully this is considered part of the area of interest.)
I would imagine that you have a combination of knowledge and training-skills you'd recommend the average person have in this area? I'd be curious as to how you'd recommend the average person get some bang for the buck for their efforts and learning to get a reasonable amount of security/privacy with available time, money etc resources.
I'm not even sure if that's possible with the way the internet and all of our "smart" devices work, but I'd like to learn more and do what I can. All things considered, it seems to me that it'd be a good idea to keep a lot of "training talk" more private if possible.
I don't think we're derailing; Matt asked me to help out with this topic. I'm glad to offer any input I can. However...
Please bear with me. I will get to the cool privacy/security tools, but there is some important groundwork to lay. Without a way to conceptualize privacy and the art of the possible, you could spend a lot of time spinning your wheels on mitigations that require a ton of effort but at the end of the day aren't worth the squeeze. So without further ado, let's talk about...
Privacy Nihilism vs. Privacy Purism vs. Privacy Harm Reduction, and Personal Responsibility
Privacy Nihilism: This presents as one of two things. The first and most common is, "I have nothing to hide." First of all, that is patently false - every human on earth has thoughts, words, or actions he or she would not want to become public knowledge. If those have been recorded on digital media there is a greater than zero chance they will be exposed. We all have something to hide.
The other way this presents is, "there's so much out there about me already OR the NSA/corporate surveillance apparatus/Russians can get anything they want...so what's the point?" Well, if the NSA is a credible threat actor within your threat model, I can't help you very much. I can help you a little, and I can help you a lot against everything else. Opting out of default collection is (relatively) easy; opting out of a targeted intelligence effort or law enforcement investigation against you is not. I'm happy to elaborate on this if there's a specific question about it (though obviously I can't reveal certain capabilities/TTPs, so please *don't* ask that one).
Privacy Purism: I've been down this road. I've rented apartments, registered cars, and turned on utilities in the names of anonymous LLCs. I've become a resident of a state I've spent exactly one night in, used expensive mail drop services...the list goes on and on. Unless privacy is your job and/or you have no need to earn a living, date/have a social life, leave your house, etc., this is a challenge for most people. I have too many other pursuits and skillsets that need to be developed and maintained to remain the "purist".
It is possible for the purist to be insanely private. However, even he cannot avoid leaving his home. He can't stop shopping. This means he can't stop being recorded on video, in association with his name when using an ATM, withdrawing money at the bank, etc. He can't stop his license plate from being recorded by automated license plate readers (ALPR)(most of which are owned by private corporations). The issue with Privacy Purism is it isn't sustainable unless you're independently wealthy and don't have to leave home and/or have no other responsibilities, and/or it is your only interest area. If it is your only interest area...dude, get out from behind the computer!
Privacy Harm Reduction: This is the strategy I take. Harm reduction means, in a nutshell, "do what you can. Every little bit helps." I liken it to quitting smoking - if you've smoked for 20 years, your lungs probably suck. If you quit today you're not going to be in perfect health tomorrow, but in 10 years you're going to be massively better off. If you tighten up some privacy and security problems now, they aren't going to turn into big problems later on.
The harm reduction strategy is sustainable. It doesn't require you "burn it down" tonight and start life as a new person tomorrow. A lot of people try this and get discouraged, and give up. Harm reduction involves mitigating privacy/security interventions into your life as they are necessary, or you have the time, money, and mental bandwidth. There are a few things I think everyone should do IMMEDIATELY (if not sooner), but most things can wait another month or two.
It's also possible to be very private and very secure in this category. I can go as far as I want, but at the same time accept the things that aren't worth it relative to my threat model and not be kept up at night worry about them. This is a very sustainable model, and the one you should begin with. If you want to be a purist later and have the time and money - go for it! If you try to go all-in right now, you have a daunting task ahead of you and not many succeed.
Personal Responsibility: I think you do have personal responsibility for your own privacy and security. Believe me, NO ONE ELSE CARES ABOUT YOU. No one is coming to save you. When your accounts get hacked or your data gets spilled, what do you think your local police department is going to do? They're going to give you a report...to prove that you filed a police report.That's it. Good luck with that.
Your responsibility is to yourself and those within your financial care. It's funny - we'll spend hours debating red dots versus LPVOs for something that we will almost certainly never use in extremis, but completely cop out to something that will almost certainly happen to someone reading this. Take responsibility for yourself.
Responsibility also means you have to stop saying, "well, I hate Google having all my data, but what can you do?" There are things you can do. But like most things worth having they will cost you something. Google is - in my opinion - email welfare. I don't want free email; I'll pay for my products and services.
We also have a bigger responsibility to limit the information available to those in power (corporate powers or government powers). You may be a big fan of the current administration and not view your relationship with them as adversarial. But guess what? Yep - a new administration will eventually take this one's place. Do you want them to be able to subpeona Google for a list of devices that has ever been to a gun store or shooting range? I don't. But in light of the erosions against the First and Fourth Amendments in the last decade (yes, those protects all others, too. Hell, the whole thing is important, and I'm not "pro-2A", I'm "pro-Constitution") we have to take it upon ourselves to limit that information. The national gun registry is here and the organization maintaining it isn't ATF or DHS - it's FAANG: Facebook, Amazon, Apple, Netflix, and Google.
If you'd like to hear more about the risks of government having access to all the data we hand to third parties, check out my interview on the SOFREP Radio podcast, episode 392.
Ok, with some of the background out of the way, let's talk about Part I of the framework: Malware Resilience.
Malware is THE single biggest digital threats we face today. Not to insult anyone's intelligence, but "malware" is short for "malicious software," software that takes some action that is not in our best interest. When we go on the internet, regardless of what sites we go to we are essentially walking around in the sketchy part of town, headphones in, eyes down...and unarmed. The problem is theres no graffiti, it's well-lit, everyone looks friendly, and all the stores are upscale. We're in the bad part of town and we don't even know it. That's the problem with the internet; even "good" or "safe" or "reputable" sites serve malware sometimes. Maybe they sold ad space and didn't vet the code that went into it, or maybe their site got hacked. The old adage to use "good browsing hygeine" is impossible because it's not possible for us to assess whether a site is "good" or "bad".
Malware is the mugger we'll never see coming, and we'll probably never realize our wallet is missing. That's the insidious thing about malware; it's main goal is to remain undetected after it has "mugged" you. Getting malware on a modern machine can be difficult. The attacker who uses it has spent either a massive amount of time or money, or both developing the exploit through which it installs. He wants to get a foothold on your machine and keep it. If you discover it (because it slows your machine down, or it makes a million porn pop-ups appear), you'll fix it, so it does its best to fly under the radar.
Once installed, malware might do any number of things. It may use your machine to mine cryptocurrency, process stolen credit cards, or turn it into a CAPTCHA-solving zombie. It might record your keystrokes and what happens on your screen and for blackmail use. It might encrypt all your stuff and extort you for a couple thousand bucks to get the decryption key. Your computer might be used in distributed denial of service attacks, to send email spam, or maybe just to hack your email/bank/social media accounts. It might even turn your machine into a child pornography server.
Someone reading this - maybe even me - is impacted by malware right now. Securing the system against malware is the critical first step to becoming somewhat secure. Fortunately, the techniques for doing this are pretty easy.
Step 1: Get Off Your Administrator Account
When you purchased your laptop (phones/tablets are a little different, we'll talk about those later) it came with a single account - the administrator. Your computer must have an admin account. The admin account allows the system administrator to make global changes to the computer - things like installing or removing software, making changes to the registry, etc.
Unfortunately, most of us log in to this account and begin using it as our personal account. When we use this account all the time, we're operating in a state (this state is technically called "escalated privilege") where changes like this are possible to anyone who wants to make them. Windows or Mac assumes, "hey, the admin is logged in, so these changes must be legit...so let's let them happen."
The administrator account is designed so that a company's system administrator can create discrete user accounts for the employees of the company so that only he can make global changes. The user accounts can use all the functions of the computer (browsers, word processors, etc.) but they can't make global changes. For personal use, you should think of yourself as your household/family's system administrator WHEN NEEDED...but you should think of yourself as a user most of the time.
This means you need to setup a Standard User Account for yourself and work out of it. This should be the very first step when you purchase a new computer. If you already have a computer and you've been working out of it for awhile you might not want to do this because all your files are where you want them, etc. In that case you can make a new administrator account and "demote" your current one to standard user.
It's a bit dated, but I wrote <a href=" removed link " target="true">step-by-step instructions for this on my security blog a couple years ago.
Step 2: Update, update, update!!!!
Updates are important. There are more lines of code in Microsoft Word than were used in the entire first mission to the moon. Naturally, in this much code there are bound to be mistakes which potentially equal vulnerabilities. We want updates the instant they are available, not only because they correct the vulnerability, but also because the existence of an update advertises the problem to malware developers. Though it is slightly inconvenient, GET YOUR UPDATES IMMEDIATELY!!!
Step 3: Antivirus
This is usually what people think of when they think of computer security. For me this is important, but is a last line of defense. My first lines of defense are created by not operating in a state of escalated privilege (an administrator account) and having everything updated. I'm already making an attacker make a decision about me, to wit, "do I risk burning this little-known or zero-day exploit on this guy?"
Still, I would recommend having a reputable, high-quality antivirus. It does work. It works through two mechanisms. First it has a definitions file which is essentially a "naughty list" of code that it will not allow to execute on your machine. The problem there is exploits that are not currently know cannot, by definition, be on this list. The fix is to also monitor activity heuristics. If a weird process that is potentially malicious is observed, your antivirus should put a stop to it. Lastly, a lot of antivirus will conduct a recce of your system before attempting to install. If they notice no antivirus, it's tantamount to a burglar noticing your don't have an alarm system - you move up his flow chart of possible targets.
None of these techniques are "high speed," but if everyone did these three things we'd live in a massively safer digital environment. Malware would be way harder to deploy on a broad scale and would be far less lucrative. Start with these three steps. I'll be back later with more.
@justinc This post got caught up in the moderation queue because of the links (the site doesn't allow users to post links until they reach a certain post threshold, it's an anti-spam measure). You can email or PM them to me and I'll inser them for you.
"Man is still the first weapon of war" - Field Marshal Montgomery
I should have mentioned this earlier, but if there are specific questions about anything I have presented here please don't hesitate to ask. I am more than happy to help to the best of my ability!
In my last post I talked about Step 1 in my Security Framework. The steps there are all designed to minimize the chances of contracting malware. There are other steps, more advanced that can be taken, and maybe I'll cover those in the future. They get much more technically demanding and time-consuming to implement. However, @xsquidgator asked how the average person gets some bang for their buck. The steps listed yesterday are good examples of very high "flash to bang" steps. They take minimal effort to enable, require minimal effort and interaction on a daily basis, but provide a significant upgrade in most people's security. Every human should do those three steps.
Now I'm going to go out of order and talk about Step 4 of the framework: Protecting Cloud Stored Data. My framework is ordered to apply to the operational context of most of my government clients. For our purposes here, protecting cloud-stored data is probably the next most important item. For the average citizen this is a massive concern. Everything is cloud-connected. Our online accounts exist in enemy territory. They can be "touched" by anyone who wants to take a crack at logging into them.
Protecting Cloud Stored Data
In one of his early posts on this thread, @matt mentioned that a lot of information is already "out there" (my quotes and verbiage, not his) because of his security clearances, paying for the site, etc. And that's true - that information does exist online. But that doesn't mean we shouldn't care about it. Because it exists somewhere doesn't mean it is available everywhere and to everyone. We should take personal responsibility and ownership for it and protect it to the fullest extent possible. We're all already doing this to some point whether we realize it or not.
Back to @matt as an example (sorry, Matt). Yes, you've given OPM* your social security number, DOB, and mother's maiden name, but you probably aren't posting that information on your Facebook page. You might've given GoDaddy your credit card number, it's expiration and CCV, but that information probably isn't in a meme you posted on Instagram. Subconsciously we recognize that just because information exists about us, it isn't and shouldn't be available to everyone, everywhere.
The purpose of these next few steps is to make that information as difficult as possible to access.
Step One: Limit the Scope of Information 'In the Wild'. Once again we're going to focus on behavior rather than tools. Whether we realize it or not, we have a massive ability to control information that is "out there" about us. There are a few steps we need to take to do that.
Keeping minimal information online is our best bet at preventing hacking. We still need email, online banking, etc. Since we can't minimize everything down to zero, we need a strategy to protect those accounts that are still out there. Now we get into the fun stuff...
Just kidding. Now we get to talk about everyone's favorite: PASSWORDS (and other authentication measures).
Step One: Use Good, Strong Passwords. Here's the bad news: all of the passwords you currently use suck. If you know them in your head and type them with your fingers, they suck. Period. They are difficult for you to remember and type, but trivially easy for a computer to break. Here are the three criteria to making strong passwords:
There is one other factor when it comes to passwords: you should use a different one on every. Single. Account. Period. No "ifs," "ands," or "buts." I know at this point you're asking, "how am I supposed to remember a different, 30-character password that I didn't make up in my head...for every single account?
Step One Point One: Use a Password Manager. A password manager is nothing more than a simple application or utility that remembers all your passwords securely. They have a number of benefits: they take up minimal space, use minimal resources, are optimized for ease of use, and they help you do what computers are good at: remembering stuff.
There is an adage that goes something like, "security and convenience are inversely proportional." This is usually true, but not in the case of password managers. They make your life easier. You never have to try and remember which password you used on that site you rarely visit. You never have to make up a password for a new site. Password managers do all this stuff for us. Even my girlfriend (who is not a tech geek, nor terribly interested in security or privacy) LOVES her password manager.
My two specific recommendations are:
If there's one big takeaway from this long post, it is: use a password manager, and begin changing your passwords. However, DON'T RUSH IN and try to change everything!!! Get the password manager and put a trial password in it (one your know, in case you screw something up). Get familiar with the functions and cycle of operations. Get really comfortable before you start changing your passwords to long, complex, pseudorandomly generated junk. Take it nice and slow.
I know this one has run long, but I have one more step:
Two-Factor Authentication (2FA for short from here on out) is a system that requires to "factors" to log in to a system. The first is a knowledge-based factor: your password. The second should be a different factor, like a one-time code you retrieve from your phone.
2FA makes you massively more secure than a password alone. Let's say you are using amazing passwords from your KeePassXC database. That's great, but the service could still spill their database of passwords somehow - you have no control over that. But even armed with the correct username AND password, an attacker would still need that "other" factor to be able to log in to your account. Another example: you use a public computer/work computer/malicious Wi-Fi network where your information is captured. Well, it's not great that they got your password, but without access to that other factor, it still won't do them any good.
There are several ways 2FA works. I'm only going to talk about the two most common:
Hopefully this wasn't too overwhelming!
I notice that somehow I managed to delete yesterday's footnotes, so here they are:
*OK, so let's talk about the OPM hack. Really this is applicable to any hack or breach or spill, but let's just use OPM as an easy example. Sure, your stuff has been hacked by them, and that sucks. But that doesn't mean your SF86, fingerprint card, etc., etc., is for sale on the open market. That means a state actor has it. Fortunately, they are probably protecting it better than USG is protecting it even now. That data is a massive intelligence haul for whatever entity got it; they aren't going to sell it to low-lives who want to commit employment insurance fraud in your name, and certainly aren't going to give it away. So yes, OPM got hacked, but think about what that actually means before going down the submitting to Privacy Nihilism.
Actually, the fact that OPM got hacked means you probably need more security, not less. A state actor committed that hack for intelligence value. You're not much more likely to be elicited...or further exploited digitally if you are assessed to be of some intelligence value.
**A dictionary attack is a pre-defined list of words that an attacker will test in an attempt to find your password. There are a number of ways an attacker might choose a dictionary.
Today we're going to talk about protecting data-at-rest. Before we dive into tools, techniques, and procedures, I want to give you a meaningful way to conceptualize this. There are two ways that the community thinks about this that are FLAT OUT WRONG. The first is an over-reliance on encryption. The second is imagining that attacks on data-at-rest is the biggest threat we face. It's not, and I think these next couple of paragraphs will help explain why.
There are essentially two ways an attacker can get the data that is stored on your hard drive (i.e. your tax documents, you selfies, those embarrassing dick pics, and whatever else). First, the attacker can get malware on your system. Malware can access these files and, if necessary, upload them off your machine. At this point we have protected our systems from malware to a reasonable degree by upgrading (actually, downgrading) to a standard user account rather than an Administrator account, by ensuring our system and all apps are updated, and by using antivirus. We haven't done anything sexy, but honestly, we're easily in the top 95th percentile of home users, security-wise. If you haven't completed those steps, you should seriously consider it before moving on to this next portion.
The other way an attacker can access our stuff is by physically accessing our equipment. There he or she can use forensic tools to execute a keyboard (logical) attack on our device. This type of attack uses software to copy your hard drive, then attempts to assemble files from the "1"s and "0"s found on it. So...ask yourself what is more likely. Is it more likely that someone is going to sit down at your computer an attack it directly, or you are going to contract malware from the internet. The vast majority of us never take our computers outside our homes. This doesn't mean they can't be stolen in a burglary (more on that in a moment), but that risk pales in comparison to the risk of operating in an adversarial digital environment (the Internet) every single day.
Don't get me wrong; I think encrypting your data is important. For most of us, though, it's just not as important as protecting it from malware. Without further ado, let's get back into the Framework with Step 2:
I mentioned earlier that encryption is the first thing you'll read about on security blogs when it comes to protecting data-at-rest. Screw that - I don't want to rely on software to protect me if I don't have to. Software is vulnerable to other software. For me, encryption of data-at-rest is LAST RESORT SECURITY. For me (and probably for you) the first line of defense should be physical security.
Caveat: If you are a SOF operator or intelligence operative you may spend significant time with your computer transiting to and from and through dangerous places. In this instance encryption becomes extremely important because you are forced to relinquish some physical security.
I'm going to try to rein myself in here - I could talk about physical security all day. My "lock pick kit" weighs about seventy pounds, and is a four-drawer toolbox (and ironically, has fewer actual lock picks than most lock pick sets on the market)(see? I'm already side-tracking!). I co-wrote a full, 300-page book on physical security, so I'll just hit a few high points here:
OK, so we've established that physical security can't protect us from everything. If our house is broken into, we get mugged, have an auto accident while our laptop is in the car, get arrested, etc, etc, we may lose physical control of the device. At that point we are left relying on software to protect us.
We want to choose the best software possible. The only encryption algorithm we should consider is called AES (Advanced Encryption Standard). AES was selected by NIST (remember them? I mentioned them in the previous post in the discussion of two-factor authentication), as the result of a contest. That's right - a USG agency ran a contest that was open to anyone on earth to select the encryption algorithm we use to protect classified information. The contest was won by two Belgian cryptographers. That should tell you something about good encryption: even if you intimately understand how it works, you can't take encrypted cipher-text and reverse-engineer it back to plain text. That's the type of encryption we want protecting our stuff. Never settle for anything other than AES. If you're looking at an encryption product and it is touting "proprietary encryption" or "military grade" without those three letters, keep looking.
There are three basic ways we can use encryption. They each have advantages and disadvantages.
Full Disk Encryption (FDE): This is the best option for most people. Full disk encryption protects your entire hard drive. That means your operating system, your files, your applications, and even your unused space. Not only is it the most secure option, it's also usually the easiest to work with. You log in as you normally would; a decryption key is stored in memory as long as the computer is booted up, and your files are cryptographically accessible. In a nutshell: you don't notice anything different at all, but if I try to attack your computer, everything is protected. The tools for this are:
Volume Level Encryption
This form of encryption involves making a container that you put specific files into. VeraCrypt is the preferred tool for this task. If you download VeraCrypt (it is available for Windows, Mac, and Linux) and click "Help" you can open the VeraCrypt User's Guide that will walk you through all of the functions of the application. I'm not going to duplicate that effort here, though I will tell you how I use VeraCrypt. And of course, if you have questions please ask.
I have one huge volume (~250 GB) that gets mounted as soon as I boot my computer. This volume contains all my files. Everything goes in there. Why? I view it much like a view my gun safe. My home is secure, but I also want a more secure place. If my home is broken into (or I have guests over, or whatever) I still have a place for those special items.
When you mount (or open) your VeraCrypt container, you only have to provide your password once. You don't have to individually unlock every single file you want to access. This is true as long as the container remains mounted. When you dismount the container, or shut down your computer, everything is once again cryptographically inaccessible and secure. You may want to consider using VeraCrypt as a redundancy for your full disk encryption (as I do) or as your primary encryption if - for some reason - you absolutely cannot use FDE.
File Level Encryption
This is the third major encryption implementation. This is the one I use the least, but it does serve a valuable purpose. File Level Encryption means encrypting individual files. There are tons and tons of applications that do this. Some do it by default, like Microsoft Word/PowerPoint/Excel (using AES-128). If you have a Mac you can export encrypted PDFs using Preview (if you're a Windows user you'll need to spring for Adobe Acrobat Pro to encrypt PDFs). There are also a ton of third-party programs like 7-Zip, Encrypto, etc. that will encrypt single files.
My use-case for these is typically emailing a document to a non- or low-skilled user. My accountant is an excellent example. She is a great accountant, but not a great security person, so I can't get her to setup VeraCrypt. But I can send her an encrypted PDF. When she opens it, it prompts her for a password which I can give to her over the phone.
I hope this post has given you some tools to protect your data. Most importantly, I hope I've helped you think about encryption and physical security. If anyone has any questions, please don't hesitate to ask!
@JustinC- thanks very much for writing and posting this! This is great information and well-explained, as well as being broken into achievable steps.
I am back on the computer after a few days at work but am looking forward today to re-reading this and starting to do some of the things.
It hadn't occurred to me to encrypt everything on my disk but yeah, that's obvious in retrospect. Use a non-administrator account, ditto.
Great stuff - I think this is very helpful!
Thanks for letting me know what you think! I hope I didn't hijack this thing - I just really, really enjoy writing about this stuff. Glad you're finding it helpful and again, if I can answer any specific questions, let me know!
@JustinC, I've still got a lot of digesting to do of what you've put up here, but I've made progress on accomplishing some of your recommendations. HAven't encrypted my whole hard drive but I have encrypted my own root level folder that had all my stuff in it (200+ GB). Will keep re-reading what you put up and moving towards some other things. Thanks again for sharing your expertise!
Thank you for coming by The Everyday Marksman. This site and its community are a labor of love. I hope you stick around for a while, and maybe even join us.
We can't Wait to Show You More