Basic introduction to information security

InfoSec

It’s about harm reduction.

A good security culture is aware of the points of interest it needs to protect. (And doesn’t do unnecessary things for security’s sake.)

Good security culture: Don’t talk to cops.

Surprise birthday parties: you may already have experience with keeping a secret that way.

Josh: Phone tree for TC-DSA housing, we choose not to have the phone numbers on Slack.

Anything sensitive probably shouldn’t be sent over electronic channels at all.

Recognize when something isn’t urgent and doesn’t need to be said over a given line of communication.

Attack ‘vectors’: we know that our physical body and what we carry can be attacked. But equally important is social engineering.

Kevin Mitnick almost never used technology in the attack. “Why pick the lock if they’ll open the door for you?”

Don’t ever feel obligated to share information you think may be sensitive, including metadata!

LinkedIn is really bad about how much data it gets out of you: your whole work history and which jobs you’re interested in.

Internet exposure also comes via school or university affiliations, including alumni magazine profiles. Be aware of the Internet Archive’s Wayback Machine as well: removed pages may still be archived there.

Not everyone is the same. Public schoolteacher, or an artist who survives based on having a public-facing presence,

Doxing is a strategy where someone targets harassment by putting personal information, like a home address or phone number, in front of people who wish to harass or harm the doxed person.

Sometimes we use these methods to combat Nazis.

Even with a common name, results can be narrowed by geographical area. In 15 minutes, how much information can you find out about yourself? And about your family members?

A tool you can use, Crash Override, has a list of services and data brokers, with steps and a checklist to help you minimize your presence on these aggregators. It’s not 100% guaranteed that they have to remove your data.

Point is harm reduction: In 10 minutes can a neo-nazi find information about me?

This takes a long time. It’s good to do this together in a party setting.

If you use Signal, turn on disappearing messages.

Your phone is a cop.

Google.com/myactivity: if you look through this, you’ll see how much data they have on you. And that’s only what they’re willing to tell you they know!

Symmetric encryption: the same key I use to encrypt the message is the key I use to decrypt it. Password-protected data works this way: the same password that was used to encrypt the data is what you enter to get it back.

Caution against swipe-pattern unlocks: the trace of the finger track is visible on the screen.

A 4-digit PIN is pretty strong.

Set up multifactor authentication.

Turn on hidden notification content on your phone, so that second-factor authentication texts and Signal messages aren’t readable from your lock screen.

Don’t use fingerprint unlock: a printout can fool it, and someone’s fingerprints can be lifted and 3D-printed easily. A picture of the person held in front of the camera can get past facial recognition.

Mnemonic reduction method for creating strong passwords:

Take the first letter (or the third, or any other consistent position) from each word.

“IWW Safer Spaces Policy A Paraphrasing” => ISSPAP

Then we can salt it. Reproducibility is important: a fixed rule lets you make the password different at each website while still being able to regenerate it.

Could make it ISSPAP.goo for Google.
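The mnemonic-reduction-and-salt method above, written out in Python as an added example (not part of the original notes). The phrase and the “.goo” tag come from the notes; the rule that the tag is the first three lower-case letters of the site name is an assumption that happens to reproduce that example.

```python
import re

# Constructed sample inputs, taken from the notes' own example.
PHRASE = "IWW Safer Spaces Policy A Paraphrasing"
SITE = "Google"


def reduce_phrase(phrase: str, position: int = 0) -> str:
    """Mnemonic reduction: keep the letter at `position` (0-based) of each word.

    The notes say to take the first or third or "whatever consistent thing"
    from each word; the rule only has to be the same every time so the
    result is reproducible. Words too short to have that position are
    skipped, which keeps the rule deterministic.
    """
    words = re.findall(r"[A-Za-z0-9']+", phrase)
    return "".join(w[position] for w in words if len(w) > position)


def site_tag(site: str, length: int = 3) -> str:
    """Derive the per-site salt the notes append (".goo" for Google).

    Assumption (not stated in the notes): the tag is the first `length`
    letters of the site name, lower-cased. Any fixed rule works as long
    as it is applied the same way everywhere.
    """
    letters = re.sub(r"[^a-z]", "", site.lower())
    return letters[:length]


def site_password(phrase: str, site: str, position: int = 0) -> str:
    """Combine the reduced phrase with the site salt: base + '.' + tag."""
    return f"{reduce_phrase(phrase, position)}.{site_tag(site)}"


if __name__ == "__main__":
    print(reduce_phrase(PHRASE))              # ISSPAP
    print(site_password(PHRASE, SITE))        # ISSPAP.goo
    print(site_password(PHRASE, "Slack", 2))  # third letters: Wfalr.sla
```

Because the site tag follows a simple, guessable rule, the strength has to come from the base: a longer source phrase gives a longer reduced base.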

Privacy tools: uBlock, Privacy Badger, DuckDuckGo.

Advanced: