Defense Against Doxing

[straycat19]

POSTER'S NOTE:  If you don't read the entire article at least read the very last paragraph.

 

Defense Against Doxing


A decade ago, I wrote about the death of ephemeral conversation. As
computers were becoming ubiquitous, some unintended changes happened,
too. Before computers, what we said disappeared once we'd said it.
Neither face-to-face conversations nor telephone conversations were
routinely recorded. A permanent communication was something different
and special; we called it correspondence.

The Internet changed this. We now chat by text message and e-mail, on
Facebook and on Instagram. These conversations -- with friends, lovers,
colleagues, fellow employees -- all leave electronic trails. And while
we know this intellectually, we haven't truly internalized it. We still
think of conversation as ephemeral, forgetting that we're being recorded
and what we say has the permanence of correspondence.

That our data is used by large companies for psychological manipulation
-- we call this advertising -- is well known. So is its use by
governments for law enforcement and, depending on the country, social
control. What made the news over the past year were demonstrations of
how vulnerable all of this data is to hackers and the effects of having
it hacked, copied, and then published online. We call this doxing.

Doxing isn't new, but it has become more common. It's been perpetrated
against corporations, law firms, individuals, the NSA and -- just this
week -- the CIA. It's largely harassment and not whistleblowing, and
it's not going to change anytime soon. The data in your computer and in
the cloud are, and will continue to be, vulnerable to hacking and
publishing online. Depending on your prominence and the details of this
data, you may need some new strategies to secure your private life.

There are two basic ways hackers can get at your e-mail and private
documents. One way is to guess your password. That's how hackers got
their hands on personal photos of celebrities from iCloud in 2014.

How to protect yourself from this attack is pretty obvious. First, don't
choose a guessable password. This is more than not using "password1"  or
"qwerty"; most easily memorizable passwords are guessable. My advice is
to generate passwords you have to remember by using either the XKCD
scheme or the Schneier scheme, and to use large random passwords stored
in a password manager for everything else.

Second, turn on two-factor authentication where you can, like Google's
2-Step Verification. This adds another step besides just entering a
password, such as having to type in a one-time code that's sent to your
mobile phone. And third, don't reuse the same password on any sites you
actually care about.

You're not done, though. Hackers have accessed accounts by exploiting
the "secret question" feature and resetting the password. That was how
Sarah Palin's e-mail account was hacked in 2008. The problem with secret
questions is that they're not very secret and not very random. My advice
is to refuse to use those features. Type randomness into your keyboard,
or choose a really random answer and store it in your password manager.

Finally, you also have to stay alert to phishing attacks, where a hacker
sends you an enticing e-mail with a link that sends you to a web page
that looks *almost* like the expected page, but which actually isn't.
This sort of thing can bypass two-factor authentication, and is almost
certainly what tricked John Podesta and Colin Powell.

The other way hackers can get at your personal stuff is by breaking in
to the computers the information is stored on. This is how the Russians
got into the Democratic National Committee's network and how a lone
hacker got into the Panamanian law firm Mossack Fonseca. Sometimes
individuals are targeted, as when China hacked Google in 2010 to access
the e-mail accounts of human rights activists. Sometimes the whole
network is the target, and individuals are inadvertent victims, as when
thousands of Sony employees had their e-mails published by North Korea
in 2014.

Protecting yourself is difficult, because it often doesn't matter what
you do. If your e-mail is stored with a service provider in the cloud,
what matters is the security of that network and that provider. Most
users have no control over that part of the system. The only way to
truly protect yourself is to not keep your data in the cloud where
someone could get to it. This is hard. We like the fact that all of our
e-mail is stored on a server somewhere and that we can instantly search
it. But that convenience comes with risk. Consider deleting old e-mail,
or at least downloading it and storing it offline on a portable hard
drive. In fact, storing data offline is one of the best things you can
do to protect it from being hacked and exposed. If it's on your
computer, what matters is the security of your operating system and
network, not the security of your service provider.

Consider this for files on your own computer. The more things you can
move offline, the safer you'll be.

E-mail, no matter how you store it, is vulnerable. If you're worried
about your conversations becoming public, think about an encrypted chat
program instead, such as Signal, WhatsApp or Off-the-Record Messaging.
Consider using communications systems that don't save everything by
default.

None of this is perfect, of course. Portable hard drives are vulnerable
when you connect them to your computer. There are ways to jump air gaps
and access data on computers not connected to the Internet.
Communications and data files you delete might still exist in backup
systems somewhere -- either yours or those of the various cloud
providers you're using. And always remember that there's always another
copy of any of your conversations stored with the person you're
conversing with. Even with these caveats, though, these measures will
make a big difference.

When secrecy is truly paramount, go back to communications systems that
are still ephemeral. Pick up the telephone and talk. Meet face to face.
We don't yet live in a world where everything is recorded and everything
is saved, although that era is coming. Enjoy the last vestiges of
ephemeral conversation while you still can.

 

Article