IT security
Let me begin with the security part because it seems to me that it is easier to understand, since everybody is more or less used to it.
If we want to have a good security level we will have to watch to some aspects, which I am going to present below. Basically:
Using secure programs
A program just executes a combination of orders and offers a group of options to the user. If that program is well made (properly programmed) there won't be any mistakes in its source code (what the programmer writes in order to create the program) which a possible cracker could take advantage of with the aim of accessing to our data. Indeed, a mistake or lack of foresight by the programmer could leave an open door that could be used by a cybercriminal to do something that, in principle, couldn’t be possible.
How can we distinguish a secure program from another one which is not secure? In principle, we can't. Statistically there is an error in each thousand code lines. Thus, it could be assumed that every program, when it is created, has some mistakes of this kind.
The key is how those errors can be corrected. And at this point there is an important difference, since we can differentiate two kinds of programs.
On the one hand, we have the proprietary or private software which is the software in which the source code is protected under copyright laws in such a way that only the creator has access to it. Therefore, only the owner of that copyrighted program can examine it and try to find mistakes and correct them. Just a few eyes can work on that task.
On the other hand, we have the programs belonging to the Free Software group. In this case, the source code of the program is freely available for everybody who wants to see and modify it. This is fundamental because it allows that much more people can collaborate in the task of finding and correcting errors. Apparently, this second kind of programs is more vulnerable to have problems related to their security issues, because there is no intention to hide them. And, it is precisely here where they can be found in an open way, whereas in the case of proprietary o private software, we simply don't know if there are any kind of mistakes, and we cannot know it either.
Of course, and though it doesn't have to be so, the private software's maker could also leave some “errors” on purpose in the source code of the program for serving to other ends. Or even design programs that do hidden things. Since the maker is the only one who can access to the source code, and therefore knows what exactly is the program doing, users simply wouldn't know anything about those hidden issues.
Although a Free Software program doesn't guarantee that it was created being more secure, in the middle and long run the probability that it was so is much higher. And surely it does guarantee that we can know what exactly that program does.
I will show you a table of the more commonly used programs and some of their possible alternatives, but now I recommend you to look at the following website:
https://prism-break.org/en/all/
https://www.privacytools.io/
In order to fully understand the meaning of those websites, however, it is necessary to understand the part about the privacy as well. So I encourage you to continue reading.
As you can see everything is written in conditional tense. “The maker could...”. It seems that I am too much distrustful, right? Would I have any reason to be so? Let's explain the reasons that lead me to think about those negative possibilities.
Does the name of Edward Snowden sound familiar to you? Do you remember why it could be familiar to you?
Edward Snowden is an formerworker of the CIA (Central Intelligence Agency) and of NSA (National Security Agency) of the U.S.A. That man became known in 2013 when he made public top secret classified documents about several NSA's programs, some of which about bulk surveillance (spying, to clarify) such as PRISM1. (Source: https://en.wikipedia.org/wiki/Edward_Snowden).
The key of all this matter is that some companies “cooperate” in some way with NSA to provide access to the information that is stored and generated by their users. Which information are we talking about? Which companies are we talking about? The next figure illustrates these questions:
Undoubtedly it draws attention, not only on the access to the information, but especially about the companies involved. Mainly because they are the companies whose programs and services (email, social networks, etc.) are the most commonly used.
This is, certainly, the first lesson. We will have to find out what the behavior of the companies is, so that we can know if the use of their programs and services is recommendable.
We will talk about services a little bit later. Regarding the programs, you can see a table below with some alternatives to the most commonly used programs. Of course, all the alternatives are Free Software, since we have already seen that this kind of software is the one which offers us more guarantees in terms of security. Please, take into account that they are examples, there are much more Free Software alternatives.
|
Private program
|
Free Software alternatives
|
|
Microsoft Windows, Mac OS (Apple)
|
GNU/Linux (there are many distributions)
|
|
Microsoft Office
|
LibreOffice
|
|
Internet Explorer, Google Chrome
|
Mozilla Firefox
|
|
Microsoft Outlook
|
Mozilla Thunderbird
|
|
Adobe Photoshop
|
GIMP, Krita
|
|
Corel Draw
|
Inkscape
|
|
Adobe Reader
|
Evince
|
|
Windows Media Player
|
VLC
|
|
Windows Movie Maker
|
OpenShot Video Editor, Kdenlive
|
|
Android, Windows Phone, iOS
|
CynagenMod, FirefoxOS, Ubuntu Phone, Replicant
|
|
Whatsapp
|
Telegram (it promotes non-free net services, but it means an improvement on Whatsapp)
|
|
Google Play Store
|
F-Droid
|
Briefly, there are much more programs which can be replaced and also much more alternatives. If you want to know more alternatives I encourage you to search on the Internet
(Privacy: search engines)
something like “free software alternative to [program's name]”. You can also consult the following websites:
And finally, you can contact me through info (at) pablomarinero (dot) com
For security reasons, especially to avoid SPAM, the email address has been altered. So, please replace the text
at for @ and the text dot for . and, lastly, remove all blank spaces.
Using secure services
Through the term “services” we refer to email accounts, social networks accounts, etc. That is to say, services that we can use on the Internet.
In the previous section, we have seen how programs themselves can be more or less secure. In this part we are going to see how we can know if the connections to the websites are secure.
You may have noticed that, in the past, all websites were "http://www.websitename.sth".
Nevertheless, for some time now many websites' url begin with https. That “s” comes from secure. The difference is the next. If somebody spy the communication we have with the website, in the case of http (without -s) that person could see directly all the information we are sending (by forms for instance) whereas in the case of https (with -s) the information is cyphered.
The cipher means a transformation from the original information with the aim that it can't be understood. For example, if I send a name by a form, with http (without s) the spy would see: Charles. But if the connection is ciphered, https (with s), instead of Charles the spy would see a group of letters, numbers and symbols without any sense: %6d3d8K8.
The connection being ciphered is fundamental when we make payments on the Internet, when we access to our bank accounts and, in general, when we type information on the Internet that we do not want to be spied by anyone. Nowadays, those websites where that confidentiality is needed have https (with s) and therefore the connection is ciphered (generally).
However, there are many cipher techniques. It is important that websites change their cipher techniques in order to adopt the most modern and secure ones. Cipher techniques, over time, become less secure because there are people (crackers) who are finding out how they work and so they can decipher the information which is coded with them.
With respect to this, I can recommend you two add-ons for the Mozilla Firefox navigator which may help us.
The first one is “httpseverywhere”. It is an add-on which will send us to the secure website https (with s) when both options, with and without s, are available. That is: you search a website in a search engine
(
Privacy: search engines)
and you don't know if the first search result is a secure website, or if the secure website exists as an alternative. When you have this add-on is very likely that you will go always to the secure website automatically (when both effectively exist). This add-on is installed and after that you don't have to do anything else.
You can install it from: https://www.eff.org/https-everywhere
This add-on is developed by the EFF (Electronic Frontier Foundation), a non-profit foundation settled in EE.UU., whose aim is to defend the digital rights of the users in the digital world (Internet.
On the other hand, you could also be interested in knowing how secure is a cyphered connection. That is to say, how updated the cypher techniques are in a particular website. For this purpose, we can install another add-on for Mozilla Firefox called “Ssleuth”.
You can install it from: https://addons.mozilla.org/en/firefox/addon/ssleuth/, or searching for it in the menu Tools/Add-ons.
In this case, we will see the add-on in the upper-left part of the Firefox's window. Every time we go to a website using https (with s) the add-on will show a mark, between 0 and 10, for the secure connection. If you click on the mark the complete evaluation will be displayed in a window which explains, in a very detailed way, how that mark was obtained, while further knowledge is needed to completely understand it. Nevertheless, seeing that mark is enough because it indicates us how trustworthy the website's cypher is.
Just after installingit I visited different bank websites. Unfortunately, the result was very negative, in general.
In addition, one of the certificate's features that is evaluated, is called Perfect Forward Secrecy. It is something very important, because it is a property of the cryptography systems (systems of cypher) which guarantees that the discovery of the currently used keys does not compromise the keys used before (it doesn't reveal them)2.
I would like to show you below a table with the marks obtained on the access websites to the users area of different banking entities at the day I checked it (test date: 2 August 2015).
Please, do not follow those links with the aim of accessing your account user interface. Use it only in order to check the marks of the Ssleuth add-on. It is just for a question of safety. Somebody could crack this website and change the urls to readdress it to a fake website.
|
BANCK AND URL
|
MARK
|
PERFECT FORWARD SECRECY
|
|
La Caixa
https://portal.lacaixa.es/home/particulares_es.html
|
10,0
|
YES
|
|
ING Direct
https://ing.ingdirect.es/login/#verify
|
8,8
|
YES
|
|
Bankinter
https://www.bankinter.com/www2/particulares/es/inicio/bienvenida
|
8,8
|
YES
|
|
Caja Rural
https://www.ruralvia.com/isum/Main?ISUM_SCR=login&loginType=accesoSeguro&ISUM_Portal=2&acceso_idioma=es_ES
|
8,4
|
YES
|
|
Evo Banco
https://bancaelectronica.evobanco.com/
|
7,8
|
YES
|
|
Banco Sabadell
https://www.bancsabadell.com/cs/Satellite/SabAtl/
|
6,3
|
NO
|
|
Bankia
https://oi.bankia.es/es/login
|
6,0
|
NO
|
|
Banco Popular
https://www2.bancopopular.es/particularesN
|
6,0
|
NO
|
|
Banco Santander
https://particulares.gruposantander.es/SUPFPA_ENS/BtoChannelDriver.ssobto?dse_operationName=NavLoginSupernet&dse_parentContextName=&dse_processorState=initial&dse_nextEventName=start
|
5,0
|
NO
|
|
BBVA
https://www.bbva.es/particulares/index.jsp
|
5,0
|
NO
|
In conclusion, the website of any search engine has a more secure cypher connection than many of the banking entities we have checked. So be careful!
Of course, it is highly recommended to access a bank website using always a privacy window and a virtual keyboard.
You can open a private window, for example in Firefox, in the menu File/new private window, or making click on the three bars icon (Open menu) and afterwards on the icon with a mask (new private window). While we are using that private window, temporal data will not remain in the computer: history, cache, etc. That is why is recommendable to use it when you access to the bank website.
On the other hand, bank websites have usually a virtual keyboard in the password's field, and it's mandatory to use it. However, in the case of the user's number there is usually not such virtual keyboard. Every time you cannot find a virtual keyboard for typing information in such confidential fields it is recommendable to use a virtual keyboard program. The problem we are constantly trying to avoid is the possibility of having a malware which registers keystrokes (keylogger). Without the help of a virtual keyboard we don't know where our credentials may go.
Lastly, as a piece of advice, if you are a client of some banking entity with a bad mark in its cypher connection, you can contact them (usually there is a link for that in the website) and explain these worries to them. If bank entities realize that this is an important user's concern maybe they will do something about it.
Using secure passwords and managing them in an effective way
Whereas the previous sections have an evident importance, following those indications but not using appropriate passwords throw to the ground all the effort made before. You have to take into account that without a secure password it will not be very difficult, for a cracker, to find it out and access to our account.
Passwords are a fundamental part of the security of any system. Now, we are going to review the basics we need to know in order to create secure passwords (and easy to remember) and managing them properly.
Secure passwords should satisfy the following conditions in order to be secure:
-
Having, at least, 8 characters.
-
They should include lower case and upper case letters, numbers and special characters (brackets, a dollar symbol, etc).
In order to improve more those passwords it is recommendable to follow the next suggestions:
-
Do not repeat characters.
-
Do not type characters which are in order in the keyboard.
-
It is better if we avoid words that can be in a dictionary, because they are used to try combinations. It is better also avoiding personal names, company names or simply the user’s name.
-
Passwords should be changed frequently. You decide how often you may change them. The more often you change your passwords the more secure they will be.
Of course, the first problem is easily discerned. All of this is very good, but if I follow those instructions there is no way to remember the password.
Below, we are going to see some relatively easy methods to make secure and easy to remember passwords.
To justify the examples that I am going to show you, I will use a password meter which is in this website:
http://www.passwordmeter.com/
Be careful! I recommend that website in order to check methods to make passwords, but never type there the passwords you are going to use, just in case. In fact, that website is not even cyphered.
A methodology example could be something as I expose below. First of all, we think in a three or four-syllable word. The minimum amount of letters should be repeated, if possible. A good example would be “kindergarden”. But, alone, that word make a very weak password.
In order to add some uppercase letters, and making it easy to remember, we can type in uppercase a couple of letters (better if they are not one after the other), for instance “KindergardeN”. That way we have improved it, but it is still not enough.
The most difficult part consists in using numbers and symbols which can be easy to remember. But we can use a string of numbers and symbols and change in different passwords the word we choose.
Now we are going to design the string. For example “%9” (it usually is a good idea using the blank space, if it is allowed in the website where we want to create the password, because it is a especially safe symbol). Then, we divide the word we had and we put the string in the middle. So, it would be “Kinder%9gardeN”.
It is also interesting using other symbols, but be aware if you have to go abroad and use the keyboard of other country, because maybe the special symbol you normally use is not available.
Now we have a minimally secure password. It order to make it easier, as I said before, you can use the same number and symbol string (you can use more than one of each one, though it will be more difficult to remember), more than one time while you completely change the word in which you are going to locate it. Nevertheless, the ideal is that all you passwords were totally different.
However, I must say that despite the fact that this method creates secure passwords it can be improved. In a recent interview to Edward Snowden, he recommended making longer passwords than the ones we have been talking about. In that interview I read, Snowden said that the best password he had seen lately was “MargaretThatcherIs100%Sexy”. It is a very good password because it is long, it combines lowercase, uppercase, numbers and special symbols, it is easy to remember and it doesn't make sense. This is, no doubt, the way to make passwords that I can better recommend, though the previous method is also valid (but also less secure).
If somebody finds this too complicated (security requires an effort) try at least not to use a simple word. Try to use a word which is not in a dictionary of any language, and add a number and a symbol at the end. And put the first letter in capitals, or only the first letter in lowercase. For example: “Trufito=3”. It is not going to be as secure as the previous methods, but it will be much better than a simple word.
In the following table I would like to show you the complexity of the passwords I was choosing, measured in percentage (minimum 0, maximum 100).
|
PASSWORD
|
SCORE
|
|
kindergarden
|
13
|
|
KindergardeN
|
41
|
|
Kinder%9gardeN
|
95
|
|
Trufito=3
|
70
|
Lastly, I insist that it is important to change passwords with certain frequency. Take into account that one way to uncover passwords is trying all possible combinations. If we change our passwords from time to time it is more difficult that somebody obtain them.
Another thing is where to save our passwords. As a personal recommendation (there are many opinions about this) I suggest that you have a small notebook, well saved somewhere, in which you write down your user and password for every website's account. I suggest so because where the cybercriminal's tentacles can't reach is inside a physical drawer in your home. If somebody goes in there, you have another problem.
Personally, I don't like options about saving passwords in browsers or other programs.
We could say much more things about security, but this only pretends to be a basic guide. However, if you want that all these things we have seen before are worth the effort, read the section about
privacy
which comes next.
1 https://en.wikipedia.org/wiki/PRISM
2 https://en.wikipedia.org/wiki/Perfect_forward_secrecy
Privacy
First of all, I would like to remember that privacy is the right we have to decide what kind of information we share with other people and with whom we want to share it.
The problem I would like to make clear in this section is related to the terms of service that we have to accept in order to use a program or service.
For instance, when we install a program, we have to accept the terms of use which are in the program's license. When we open a new e-mail account, a new social network account or any other online account we have to accept the terms of use. Besides, we usually accept that we have read and agreed to the terms.
But, what do those terms say? Are they the same in all cases? Not at all! In fact, the differences are very important.
There is a website where we can have a look at the most important information in the privacy terms of the most used services, such as e-mail accounts or social networks. It is:
https://tosdr.org/
The project is outdated, but people can easily contribute to update it. I encourage people to contribute. However, the information we can see in that website is pretty significant.
There we can see how the services most people know and use have very negative points in their privacy terms in most cases. In many cases, the company reserves the right to share our information with other entities, to use our content. Even sometimes the property of the author rights over the materials we upload is not clear. In some of them, such as Skype, the users’ accounts cannot be deleted (UPDATE: for some time now it is possible to delete a Skype account. You have to follow a little tedious procedure, but it is possible). In others we can delete the accounts, but the information contained in them is not really deleted.
In the end, all of this ends in the same thing: we cannot control what part of the information is shared nor with whom. And therefore, this basically means that those terms we accept say that we are accepting to refuse our privacy rights. Not only over the data we put on that website, but also over the information we generate using those services.
Most people I know when listen to these things for the first time they usually think: but why on earth could someone want my data or the data I generate using a social network, a email service, a search engine or whatever it was? I have nothing to hide, and with that data they will not get anything.
Indeed, without more information to answer those questions it seems absurd that somebody wants that data. Nevertheless, that data is worth so much money that companies which made those social networks (and compose those privacy terms) do not want to charge you for using their social networks, email, etc, because they make more money with the data you give them and the data you generate using their services than with the few euros you would be willing to pay for using those services.
My personal data, and yours, are NOT important for those companies. Then, what a mess, what do they want them for? Simple, from the combination of the data they extract information which need to be representative of the studied population in order to be valuable (at this point almost any imaginable population, since they have data of a lot of people in almost any part of the world). Thus, they do not care about your data but if they can have them they want them, because your data feed their data set and improve the resultant models.
All that money is generated through a way to process large quantities of data which is called big data. You can read a simple explanation of what is big data in my blog (in Spanish) or a more complete explanation in Wikipedia in English (this is a very recommended reading, here or where you prefer, but you need to know what is big data if you want to understand this matter).
I participated as a speaker in the last Linux&Tapas event in the city of León (May, 6th 2017) with a talk about big data and privacy titled "The tale of the goose of the golden data" (in Spanish) in which I explain why some of the most famous companies want people's data and its implications.
Moreover, if we take into account that some of those companies collaborate with the NSA (National Security Agency of the U.S.A.), then the question about the terms goes to a secondary level, because those awful conditions (in the terms of service) are allowing those companies to do that kind of things. Accepting some particular terms we are accepting that they spy on us!
But not everything is lost, there are services that indeed have terms of service which respect users’privacy. As we said before, you can find many alternatives in:
https://prism-break.org/en/all/
https://www.privacytools.io/
In any case and in order to simplify, I would liket to mention some services among the ones we use more, that I think are recommendable.
Search engines
Most people I know use Google as a search engine. And none of those people know that company is tracking them all the time. This means that things like the websites you are visiting, where you click, etc. are being registered. In general, all the activity you carry out.
There are many alternatives. The simplest one for a lot of people is Startpage (https://www.startpage.com/).
Startpage returns the same results as Google (in fact the search is carried out by Google), but since Startpage acts as an intermediary the absence of tracking is guaranteed.
An alternative which, personally, I think is more interesting is Ixquick (https://www.ixquick.eu/). In this case, Ixquick will return results obtained from different search engines, excluding the Google ones. There is not tracking either. And, in addition, for many websites it indicates which one is the official site. This last feature is very interesting when we want to search the official site of a bank entity or the official website of a particular program, for instance.
Both Ixquick and Startpage have an European Privacy Seal.
On the website of both search engines you can look up more information regarding this.
Finally, I would like to warn you about the existence of another search engine which promise privacy. It is called Duck Duck Go, the famous duck search engine. However, as you can read in the next article, Why You Should Not Use Duck Duck Go, it is more related to a good marketing campaign and I DON'T RECOMMEND YOU DUCK DUCK GO AT ALL.
In any case, on many websites there are links that are going to track you. In order to avoid that tracking, as well as to identify those tracking links, I recommend you the installation of another add-on on Firefox, which is developed by the Electronic Frontier Foundation: Privacy Badger.
https://www.eff.org/privacybadger
This add-on blocks the tracking links on the website you visit. In some cases, when those links are required by the website due to the correct working of some of its parts, it will not block it but you will be able to see what that link is (and it will try to block their cookies). To see that information you only have to click on the add-on icon which will be on the right side of the address bar, next to the icon menu of Firefox.
E-mail and online storage (cloud)
There are many wonderful projects where we can open an email account. They are services that do respect our privacy. In the section about “Email Accounts” on the
prism-break.org website you can find many alternatives as well as in the same section in privacytools.
Previously, I thought that OpenMailBox was an interesting option, but after the changes that took place this year (2017) in that service I have changed my mind.
By now, I have an account in Tutanota.com. I like very much how it works, it has its own app for Android, which will be available in F-droid. At the moment, you can write to the people of Tutanota about it and they will provide you a link to download it without having to create an account in Play Store.
In the same websites I recommended before you can find options for cloud providers without having to forget your privacy.
Remember that in the case of Gmail or Hotmail/Outlook you don't pay any money, but you do pay by renouncing to your privacy. How much is your privacy worth?
Social networks
It is a shame that not everybody knows Diaspora*, a social network based on Free Software and decentralized, which is also important. Its website is:
https://diasporafoundation.org/
You can read in that website the advantages of Diaspora*, what a decentralized social network is, etc.
There are a million more things we could talk about, but these are the basics.
Remember: information is always worth money, the information you generate serves some companies to obtain money. You are the only one who can really value your privacy.
Currently, I have prepared a 20-hourcourse on Security and Privacy with which anyone, at home or in a company, will be able to protect their security and privacy. If all of these things about security and privacy are getting your attention, those 20 hours will change your life.
You can contact me through info (at) pablomarinero (dot) com
For security reasons, especially to avoid SPAM, the email address has been altered. So, please replace the text
at for @ and the text dot for . and, lastly, remove all blank spaces.
