Mac Security Jason Norwood-Young [email protected]

Mac security - a pragmatic guide

Page 1: Mac security - a pragmatic guide

Mac Security

Jason Norwood-Young

[email protected]

Page 2: Mac security - a pragmatic guide

Anti-virus and Firewalls

I’m not going to talk about firewalls and anti-virus. That’s boring. I don’t even use it. Even though Macs are not impervious to viruses, it’s really just a money-making scam by the anti-virus guys. Would you give this man money to protect your computer? (McAfee)

Page 3: Mac security - a pragmatic guide
Page 4: Mac security - a pragmatic guide

Little Snitch

http://www.obdev.at/

I protect against viruses on my mail server, and as far as I know I’ve never had one slip through the cracks. On the odd occasion I feel I do need a firewall, I use this (Little Snitch). It’s useful if I’m on a very exposed network, or if I’m worried about apps phoning home or I suspect something untoward happening on my machine. But most of the time it’s just an annoyance.

Page 5: Mac security - a pragmatic guide

You’re already compromised

That doesn’t mean that security isn’t important to me. I just take a fairly pragmatic view of the situation - I assume that I’m already compromised. I assume my servers are backdoored up the ying-yang, that my computer is totally open to multiple unknown nefarious parties, and that they have my worst intentions at heart.

Page 6: Mac security - a pragmatic guide

A year ago, that would have been conjecture. Today, thanks to this guy, we know it’s fact. And don’t think that Apple is immune to this.

Page 7: Mac security - a pragmatic guide

The NSA has a product called Dropout Jeep that gives them unfettered access to iPhones. It’s got a 100% success rate, and can be used to track location, pull files and contact lists, and even use the phone as a listening device.

Page 8: Mac security - a pragmatic guide

Apple also cooperates with the NSA’s Prism program, even though they were the last major technology company to come on board. This press release states that they’ve responded to just under 1000 requests from the NSA. That’s just for US cases - they don’t report non-US investigations.

Page 9: Mac security - a pragmatic guide

And let’s not forget all the other services we use, including Google, Skype, and YouTube, which all also cooperate with the NSA.

Page 10: Mac security - a pragmatic guide

http://getprsm.com/

So where does that leave us? As we move more and more onto the cloud, protecting our desktops becomes less meaningful.

Page 11: Mac security - a pragmatic guide

Learn to stop worrying and love the encryption

Fortunately we have one weapon on our side. Encryption. And until the NSA builds its quantum supercomputer to crack all encryption ever (which it’s currently working on, by the way), encryption is by far the safest way to live our digital lives.

Page 12: Mac security - a pragmatic guide

Before we get started, I’m going to quickly explain how encryption works, particularly public keys.

<Demo ssh keys>

Page 13: Mac security - a pragmatic guide
Page 14: Mac security - a pragmatic guide

SSH keys are cool if you’re dealing with servers, but not that useful if you just want to use the web. On the web, the most important and ubiquitous encryption standard is HTTPS.

HTTPS is becoming pretty ubiquitous. And it’s a good thing too. Less than a year ago, sites like Facebook made it optional - they’ve now made it mandatory. And that’s sad news for hackers.

But we still need to be aware of whether the sites we are on are encrypted, because it’s incredibly easy, particularly with open wifi networks, to hijack a user session and log in to someone’s email or similar services.

Page 15: Mac security - a pragmatic guide

Perfect forward secrecy (elliptic curve, ephemeral Diffie-Hellman RSA)

HTTPS does a good job, for now, but one thing we know is that at some point in the future, current crypto keys will be cracked. And most websites use a single crypto key for every single transaction that goes through them. So anyone patiently storing all the encrypted transactions, say for instance the US government, will at some point in the future be able to go back and decrypt all the communications that went through the network.

That’s where perfect forward secrecy comes in. It generates a new crypto key for every communication. Have a look at the difference here between FNB and Twitter’s HTTPS security. The second “E” in ECDHE_RSA stands for “ephemeral”, which means the key is only used once. That means that someone who does manage to decrypt the key will only decrypt one message - not every email sent through Gmail ever (if they have the capability to store that amount of info).
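An added example, not part of the original talk: a Python check of whether a cipher suite name, such as the ECDHE_RSA label above, indicates an ephemeral key exchange. The function names and sample suite names are constructed for illustration; the check goes beyond the slide by also handling TLS 1.3 names, and `negotiated_suite` needs network access.

```python
import re
import socket
import ssl

# Key-exchange tokens that mean a fresh Diffie-Hellman key pair per session.
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")
# Tokens that are recognised but are static or anonymous (not counted as forward secret here).
KNOWN_KX = EPHEMERAL_KX + ("ECDH", "DH", "PSK", "SRP", "ADH", "AECDH")
# TLS 1.3 suites name no key exchange: the protocol only permits ephemeral (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

def key_exchange(suite):
    """Return the key-exchange token of an IANA-, OpenSSL- or browser-style name."""
    name = suite.upper()
    if name in TLS13_SUITES:
        return "TLS1.3"
    if name.startswith("TLS_"):
        name = name[4:]
    # IANA: <kx>_<auth>_WITH_<cipher>; OpenSSL: <kx>-<auth>-<cipher>.
    first = re.split(r"[-_]", name.split("_WITH_")[0])[0]
    # Unrecognised prefix: reported as static RSA, which is what OpenSSL's
    # unprefixed names (AES128-SHA) mean; either way not forward secret.
    return first if first in KNOWN_KX else "RSA"

def is_forward_secret(suite):
    """True when the session key comes from an ephemeral exchange."""
    return key_exchange(suite) in EPHEMERAL_KX + ("TLS1.3",)

def negotiated_suite(host, port=443, timeout=5.0):
    """Connect to host and return (suite, protocol, forward_secret)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
    return name, proto, is_forward_secret(name)

if __name__ == "__main__":
    # Constructed sample names, covering both naming styles.
    for s in ("ECDHE_RSA", "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
              "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_256_GCM_SHA384"):
        print(f"{s:40} kx={key_exchange(s):7} forward_secret={is_forward_secret(s)}")
```

The suite a live connection reports depends on what both the client and the server are willing to offer, so `negotiated_suite` shows the result for this client's defaults rather than everything a site supports.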

Page 16: Mac security - a pragmatic guide

Chatting securely

https://crypto.cat/

Adium

Mac Mail

So how else can we use cryptography to secure our communications? There’s quite a lot we can use in the Mac without much effort.

Cryptocat, Adium encryption, turn on SSL/TLS on your mail

Page 17: Mac security - a pragmatic guide

Going further

Password manager https://lastpass.com

File Encryptor http://www.truecrypt.org/

Disk encryption (Native)

Password manager - with 2-factor encryption! Now you can use OS X’s native password manager.

File encryptor like Truecrypt

Disk encryption

Page 18: Mac security - a pragmatic guide

And for the really paranoid…

Tor, anonymous proxies, virtual/chroot jails etc