How do you ensure your data and online activity are secure? Both on your personal/work computers and servers.
Here in the UK the government has just passed the Investigatory Powers Act 2016 which, amongst other things, means that ISPs must now keep a record of all your internet activity and it can be accessed by around 50 govt agencies. Apart from the corrosion of privacy, a big concern is that this information will at some point get hacked (ISPs retain it, not ultra-secure govt departments).
Anyway, it got me thinking about security.
On the server side I think we practice the usual stuff, firewall, port-scanner blockers, failed password blockers, remove-root login, passwordless-login, change ssh ports etc but on my local dev machine I just:
- Encrypt contents of HD
- Enable Apple firewall
And that's it
What else can be done to protect the contents of my computer and my online activity? Is a VPN the way to go?
I love VPNs, I have a constant SSH tunnel from my phone to one of my servers to go out for example. SSH is awesome. ^.^
Plus firewall rules to limit Internet traffic to the VPN tunnel.
For the home network I'm planning on setting up a small pfSense security gateway.
Do you install the VPN software on your computers or configure your routers?
Configuring a router would be my preferred option - so that all devices on the network automatically use it.
Do you experience a reduction in speed? Or interruption in service?
And… what are the best VPNs out there? (Many lists seem to be “affiliates” :/)
I use SSH forwarding everywhere, installed straight on to my computers/phones for my VPN use. SSH adds some latency but that is about it.
I'm currently connecting to my VPN provider's servers from each computer (my provider allows for up to three connections), but plan to change that when I get my pfSense box set up. Two of my computers are connected all the time, and they get the internets just fine.
I find AirVPN to be by far the most reassuring provider so far. They allow for a variety of means of connection, including downloading OpenVPN config files which can be put in /etc/openvpn (minus the .ovpn extension) for auto-connection; at least that works in my Debian-derived Linux distros. They also have an open-source GUI client called Eddie for Mac OS, Windows and Linux.
We at AmberBit have introduced a few company-wide measures.
- We enable 2 factor auth everywhere, and require it for all our employees and contractors, as well as clients who wish to have access to our tools (say GitHub). People's passwords are the weak link.
- We disable SSH passwords on all installations, use only keys.
- We require all employees/contractors to encrypt the storage that we keep our code on. When we buy laptops, before giving them to an employee, we encrypt the full hard drive.
- We do not have any backup codes, or 2FA configured to use publicly available phone numbers (say visible on the web site). Telecom companies are a weak link. You can literally go and ask for a SIM replacement, and the employees do not care to check your ID or to ensure you look the same as on the ID card. I asked for a replacement showing them a 12-year-old driving license, where I was 20kg slimmer, had long hair and no beard. The guy said “you don't look anything alike on your ID” and handed me a SIM card replacement within the next 30 seconds, no further questions asked. I have another device to use as a 2FA / authorization tool that no one has knowledge of but me.
- Encrypt phones.
- Do not use any publicly available wifis.
- Use Telegraph / Signal / similar encrypted chat tools to discuss important stuff and send over credentials. No passwords pasted on Slack.
I've never really thought of this - when I got my new SIM they did say I could go into one of their retail shops to get one or they'd send me one out (I opted for them to send one). I wonder what ID they would have asked for had I gone into their shop…
Have you thought about using a VPN? Such as the one @BrightEyesDavid posted?
I use a VPN for most things. My company actually has a little tool you can run to provision a VPN for yourself on Digital Ocean. It's usually cheaper than most VPN providers, and lets you stay in control of all of your data.
I haven't used it since we changed the copy up for the Rio Olympics, but it should still work: https://www.tinfoilsecurity.com/vpn/new
Edit: If you're curious, this is the OpenVPN script we deploy: https://github.com/tinfoil/openvpn_autoconfig/blob/master/bin/openvpn.sh
That's a cool idea - but do you have to keep an eye on bandwidth? I watch a lot of YouTube videos
I wonder how easy OpenVPN is to set up/use. But then again, their “Private Tunnel” service seems to be pretty inexpensive: https://www.privatetunnel.com/home/pricing Edit: Hmmm, looks like that is something else.
The cheapest plan on Digital Ocean ($5/month) gives you 1TB of transfer. That's a lot of YouTube videos
VPN to a country that does not have any ISP retention laws.
Use a throwaway VM that boots a “live CD” to browse crap sites.
At work we mostly used OpenBSD + pf for firewalls and pretty much all network infra type things; for paranoid setups, OpenBSD in bridge mode doing filtering.
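As an added example (not configuration from any poster in this thread), here is the kind of pf rule set two posts above mention: firewall rules that limit Internet traffic to the VPN tunnel, written for plain OpenBSD pf. The interface names, the 203.0.113.10 endpoint and UDP port 1194 are assumptions for illustration.

```conf
# /etc/pf.conf -- "kill switch": nothing leaves the box except the VPN
# handshake on the physical uplink; all other outbound traffic must use
# the tunnel. Interface names and endpoint below are assumptions.
ext_if     = "em0"            # physical uplink
vpn_if     = "tun0"           # tun device created by OpenVPN (or ssh -w)
vpn_server = "203.0.113.10"   # VPN endpoint (documentation address)
vpn_port   = "1194"

set skip on lo                # leave loopback alone
set block-policy drop         # silently drop, do not send RST/ICMP

# Default deny in both directions; every rule below is an explicit exception.
block log all

# Only needed if the uplink gets its address by DHCP.
pass out quick on $ext_if inet proto udp from port 68 to port 67

# The one thing allowed to leave on the uplink: the tunnel itself.
pass out quick on $ext_if inet proto udp to $vpn_server port $vpn_port

# Everything else goes out through the tunnel; replies match the state
# entries pf keeps, so no unsolicited inbound is passed on either interface.
# Point /etc/resolv.conf at a resolver reachable via the tunnel, otherwise
# DNS simply fails instead of leaking over $ext_if.
pass out on $vpn_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. If the tunnel drops, the default block rule makes connections fail rather than quietly fall back to the plain uplink.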