5: Don’t just change your passwords. Change the way you password.
Most of us suck at generating good passwords, so the top passwords worldwide remain stupid-easy. Stock advice on passwords — use at least two numbers, two uppercase letters, and a special symbol in a combination totaling at least eight characters, changed every so often — generates predictable password patterns that are at once relatively beatable and difficult to memorize. Yet according to some experts, writing down passwords effectively nullifies them. (Others disagree.)
Instead of following that dysfunctional, commonly recommended password pattern, prioritize length. You might use the first letters of each line of a few paragraphs of a favorite poem, prayer, song, monologue, joke, speech, or novel. You might even use entire phrases, with a few capitals, numbers, and special characters thrown in. Length is the key.
6: Secure communications aren’t, unless you have secure devices.
Edward Snowden revealed unprecedented illegal mass surveillance including NSA insertion of surveillance backdoors in routers. As Snowden said: “endpoint security is so terrifically weak that NSA can frequently find ways around it.” Over ten percent of the global population has since taken steps to protect themselves against illegal mass spying — but most people remain vulnerable to nation-state level attacks on vulnerable endpoints, or devices.
You cannot effectively solve this problem with smartphones, because they are essentially five or six computer systems in one. They’re too complex for you to modify in a way that reliably promotes endpoint security. And modifying a relatively simple laptop by installing an encrypted hard disk — while simple and cheap — doesn’t protect against someone forcing you to type your password. Nothing is perfect.
But anyone can modify a simple machine, like an IBM ThinkPad X201, by popping out the old 320 GB Hitachi hard disk and inserting a Samsung Solid State Drive 850 EVO 250 GB in its place. The Samsung is lighter, has fewer moving parts, and is thus harder to break with a bump in transit. Then install Linux on a USB drive you can learn how to make here. The installation wizard offers the option to encrypt the installation for security — giving you an opportunity to practice your new passwording skills straightaway.
This setup protects against data compromise in the event of a lost, stolen, or impounded laptop. It doesn’t defend against nation-state level threats or someone forcing you to type your password — although it’s better than the norm.
Nor is this an easy step for most users. A lower-key alternative to installing a new hard drive in a ThinkPad is to simply install Linux as a second option on your existing laptop, using the machine as a “dual boot.” That way, you have a safer operating system to use as you wish. You might find
7: When you hear infosec, think opsec. And take a walk.
Good information security is as much about using the right tools as it is about talking to the right people about the right stuff in the right context — operational security. If you don’t trust someone, don’t give them information they might be able to use against you. If you trust them but they don’t need to know, don’t tell them either. If you trust them and they need to know, take a walk in the park if you can. It’s harder to intercept a whisper in a field — a human exchange that comes and goes in a moment — than an email, text, call, or letter that will exist long after its intended purpose. It also gets you away from increasing numbers of smart devices with easily backdoored microphones and cameras.
It’s also more fun to walk and talk with your friends. The revolution — of implementing the liberty and justice for which we stand — will take time. And in the meanwhile, we need to walk together in the sun, and take care of ourselves and each other.
These better information security practices take a little time, a little research, a willingness to try new things, and a little help from your friends. They’re worth the effort in the interests of global, national, and individual security. It will take subverting illegal surveillance to further free information exchange, freedom of ideas and association, and other fundamental facets of peaceful, democratic societies. It will take better information security than is currently the norm for bloggers, journalists, and other truth-tellers to advance accurate news and protect sources — the basic problem of democratic society according to Pulitzer Prize-winning journalist and soft power theorist Walter Lippmann. Security, freedom, and democracy are worth it.