2. sex, lies, & instant-messenger
@alecmuffett
www.alecmuffett.com
green lane security
www.greenlanesecurity.com
v2.0
@alecmuffett sex, lies and instant messenger
3. What should come of this?
4. When using the Web
for private communication...
5. be aware
1) what can go wrong unexpectedly?
6. be aware
2) what risks are you protecting against?
7. be aware
3) what must you do/not do?
8. Goal
“Keep control of your data.”
9. disclaimer (1)
All examples appearing in this work are
fictitious. Any resemblance to real events
or to real persons, living or dead,
is mostly coincidental.
10. disclaimer (2)
Advice given here is necessarily
incomplete; information security is a huge
discipline and a full set of risks cannot be
conveyed in 30 minutes.
11. 1) what can go wrong unexpectedly?
28. password
a window into your mind?
29. password
reveals something about you?
30. password
reflects your tastes?
31. password
is known to your spouse?
32. also
• reuse = self-incrimination
• ...which is bad...
• ...more later...
33. basic password discipline
• use a password management tool
• use 12/more random characters
• use different passwords at each website
• never reuse passwords
• never share passwords
• change annually/more often
• change when someone discovers one!
35. do not Skype IM with your lover!
36. Skype
• peer to peer architecture
• robust, replicated, flexible
• excellent security
• ...unless you’re up against the USA
• ...or China
• ...or maybe the UK
37. virtually impossible to expunge
a recent conversation
38. deletion can make things worse
messages resurrect from the dead!
39. (zombie data is not good)
40. Avoid XMPP with a lover...
• Also called Jabber Protocol
• Implementations:
• GoogleChat
• Some Facebook chat
• Other systems
41. XMPP
• Initial message is multicast
• sent to all logged-in instances
• eg: “hello sexy”
• ...also arrives on the home PC
• ...whilst you are at work
42. Other IM systems?
• Not really wise...
• AIM now multicast
• YIM likewise
• Go for something simple
• Avoid specialist IM-client software
• Use web-based systems
49. D bob Nude! http://twitpic.com/b0gu5
50. Twitter App Risks
• Third-party apps get access to DMs
• Twitter clients...
• Web Apps...
• Proliferation of data is unwise
• more backups
• more caches
• more access
51. do not Facebook your lover!
52. too easy to get wrong
53. Dropping Hints
homepage displays with whom you
communicate frequently
54. “Transitive trust”
friends-of-friends may not be friends
55. Facebook Software Ecology
Facebook is not really Facebook
56. Analogy
if you want to be private,
don’t throw your diary
into a pub full of gossips and journalists
67. held to lower standard than IM
68. heavily-integrated software
• game
• voice
• webcam
• other third party stuff
69. game logs
• logfiles are...
• comprehensive
• disparate
• spattered all over the hard drive
• ...and therefore hard to remove
72. avoid sharing geolocation
• Foursquare, Twitter, etc
• “...but your Twitter messages said
that you were in Essex?”
73. Do you have an in-car GPS?
...and do you know how to wipe it?
74. next, an obvious thing that’s often missed:
75. do not send porny naked pictures
of yourselves, to each other
80. homebrew porn
• Took it with iPhone?
• backed up to iTunes
• backed up to iCloud?
81. homebrew porn
• boyfriend’s archive copies
• ...for sharing when you break up
82. do not use the family computer
83. there’s a reason it’s called
a family computer
84. do not use work-related hardware
85. work hardware
• not your machine
• thus: “not your data”
• may be taken from you
• eg: bankruptcy, fired, updated
• old hardware auctioned
• automated backups?
• network access logged?
92. Things Geeks Do
• Enumerate all possible URLs:
• tinyurl
• bit.ly
• is.gd
• t.co
• ...and save the good ones
93. Things Geeks Do
• Trawl...
• Picasa
• Twitpic
• Yfrog
• ...to much the same ends
94. Things Geeks Do
• buy hardware from Ebay
• undelete data files
• desktops
• laptops
• printers (!)
• storage
• hard disks
• thumb drives
• SD cards
95. Things Geeks Do
• buy phones from Ebay
• restore deleted SMS
• retrieve e-mail passwords
96. Find hardware in the street...
99. Your challenge is to make that hard
100. 3) what must you do/not do?
101. do use separate identities,
do not link identities!
102. create a disposable identity,
start with an e-mail address
103. use a fake, boring,
common pseudonym
• good
• edward wilson
• carole smith
• bad
• sexxxy4UinBasingstoke
• anything else that’s unique
104. is this legal?
• probably breaking terms of service
• is it criminal to lie?
• maybe...
105. idea:
Use a disposable Gmail account
to set up a fake Yahoo account
or vice-versa.
106. do not bookmark your secret identity
107. do use a random password
• never used before
• never use anywhere else
• keep the password in your brain
108. do not store the secret identity password
in your normal password manager!
109. do minimise data proliferation,
do not leave footprints!
110. do not access your secret identity
from your normal phone
111. iPhone
• All backed up by iTunes:
• SMS
• call logs
• geolocation (see recent press)
• ...possibly password protected
• You’re using a different password, yes?
112. Android
• basically ditto
• ...but backed up on Google instead
113. Do not access your secret identity
using your normal laptop “login”
115. set up different “users”
• keep sensitive files in one place
• ...hopefully
• ...mostly
• ...except for logs
116. set up encrypted hard disks
resistant to post-Ebay forensics
117. use browsers which support
private browsing modes,
which delete cookies & history on exit
123. browser settings (1)
• clear cookies on exit
• clear history on exit
• don't accept 3rd-party cookies
• block popups
124. browser settings (2)
• don't save form input
• don't save history
• switch off autosuggest
• set to private browser mode
• ...permanently, if possible
• else auto-delete cookies on exit
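The two browser-settings slides above as something you can actually check, added here as an example (not from the talk): a small audit that parses `user_pref` lines from a Firefox `prefs.js`/`user.js` and lists which of the recommended settings are missing or set to a weaker value. The pref names are real Firefox preferences; the sample profile text is constructed for illustration.

```javascript
// Recommended values for the settings above, keyed by real Firefox pref name.
const RECOMMENDED = {
  "network.cookie.cookieBehavior": 1,          // 1 = block third-party cookies
  "privacy.sanitize.sanitizeOnShutdown": true, // clear selected data on exit...
  "privacy.clearOnShutdown.cookies": true,     // ...including cookies
  "privacy.clearOnShutdown.history": true,     // ...and history
  "places.history.enabled": false,             // don't record history at all
  "browser.formfill.enable": false,            // don't save form input
  "browser.urlbar.suggest.history": false,     // no autosuggest from history
  "dom.disable_open_during_load": true,        // block popups
  "browser.privatebrowsing.autostart": true,   // always start in private mode
};

// Parse user_pref("name", value); lines. Values may be true/false, an integer,
// or a double-quoted string; anything else (comments, blanks) is skipped.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const raw = m[2];
    if (raw === "true" || raw === "false") prefs[m[1]] = raw === "true";
    else if (raw.startsWith('"')) prefs[m[1]] = JSON.parse(raw);
    else prefs[m[1]] = Number(raw);
  }
  return prefs;
}

// Return the recommended prefs that are unset or set to a different value.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    const have = Object.prototype.hasOwnProperty.call(prefs, name) ? prefs[name] : undefined;
    if (have !== want) findings.push({ name, want, have });
  }
  return findings;
}

// Constructed sample profile: popups and third-party cookies handled, but
// history and form data still kept and nothing cleared on exit.
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("network.cookie.cookieBehavior", 1);
user_pref("dom.disable_open_during_load", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", false);
user_pref("browser.formfill.enable", true);
`;
```

Running `auditPrefs(SAMPLE_PREFS)` on the constructed profile reports seven of the nine settings as missing or weaker than recommended; a profile that sets all nine as listed reports none.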
125. plugins / similar
• Flash Player
• Visit the security settings panel
• purge Flash cookies and sites
• set Flash db size to zero
• HTML5 settings
• set HTML5 db size to zero
• watch for other/new issues
126. Firefox extensions
• Tor
• better: Tor Browser Bundle
• SSL Everywhere
• NoScript
• RequestPolicy
• AdBlock Plus
• Ghostery
127. Adium / Pidgin for IM
• use OTR encryption
• not the same as “OTR” in GoogleChat!
• can solve the point-to-point chat issue
133. do not leave voicemails
134. wipe your SMS messages regularly
135. dumbphone SMS
• lowest common denominator
• messages still logged on backend
• but overall exposure is less
136. if you must use a smartphone
• don’t link it to your normal Google Account
137. if you must use a smartphone
• check out:
• WhatsApp
• TigerText
• other SMS replacements
139. decommission old hardware!
• computers
• DBAN - Darik’s Boot & Nuke
• Free suicide pill / CDROM for PCs
• phones
• Remove SIM
• SMS may be on SIM as well as phone!
• Check whether factory reset actually works
• if not, smash it and drive a car over it repeatedly
140. bottom line
• the more copies of data exist
• the harder it is to remove them
• when data escapes your control
• it's available forever
141. when mistakes happen...
• clean up calmly
• do not amplify the mistake
142. remember
• your lover has the same data
• but may not be taking care of it
• educate them gently
• his/her systems will also one day be sold on eBay
143. so why must you actually know all this?