The DIY guide to feminist cybersecurity.


The “feminist” in the title seems to refer to “we used a lot of terrible cutesy metaphors because lil’ ladieez don’t understand the interblargs tee hee hee”, but… okay.

This advice isn’t terrible, which is why I’m linking it, but I do have the sorts of problems with it that I have with, like, 99.99% of all INFOSEC everythings, which is that it focuses too much on “sexy” technical controls (TOR! VPNs!! encrypt ALL the things!!!) and not enough on actually understanding the threats it’s trying to counter.

I mean, motherfucking TOR is for, like, political dissidents and hardcore criminals. There are a whole bunch of neckbeards getting pissy at me for saying that, so I’ll also add “paranoid libertarian tin-hatters” to the list to really round out the hate. TOR is designed to prevent, in effect, people intercepting your internet traffic over the wire. This almost never happens. Like, it’s pretty hard to overstate that.[1] Because, with some exceptions, that level of traffic interception requires control over, or at least access to, a country’s internet infrastructure.

In other words, if you’re Jane Random Feminist, your main concern is very likely to be trolls from 4chan ruining your life with rape threats and SWATting. These people do not, as a general rule, have access to your ISP or national infrastructure on the level that would be required to sniff your traffic off the wire. And TOR won’t do shit to obfuscate your social media presence or protect your passwords.

Also, it’s run by the NSA. Okay, that’s a slight exaggeration, but only slightly, mostly because nowadays it’s not just the NSA. The way TOR works, briefly, is by chopping up your internet browsing and shunting it around a whole bunch of other computers, obscuring which of those computers originated the request.[2] In other words, what TOR relies on is a bunch of computers, called endpoints, to do that shunting. When you use TOR, your network traffic–whatever you’re doing online, from logging into Facebook to buying a black market kidney to posting politically dissident messages–gets sprayed out to a whole bunch of endpoints owned by random people across the globe.

I want you to think about that for a moment, and think about how it might go wrong. No, think bigger.

Got it yet? The problem with TOR (one of the many problems, in fact) is that it relies on no one organisation monopolising the ownership of its endpoints. People who do own endpoints can, in fact, watch the traffic that comes through them. People who own many endpoints can watch a lot of that traffic and, potentially, piece it together over the long term. While they don’t necessarily know where it originated, if said traffic is Facebook requests to Jane R. Feminist then it doesn’t really matter much, does it?
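A simplified model of the layered relaying described above, added here as an illustration (it is not from the original post and is not Tor's actual code or cryptography): it records what each relay in a three-hop path can observe. The relay names, keys, request and toy cipher are all constructed for the example.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def wrap(path, keys, destination, payload: bytes) -> bytes:
    """Client side: one encrypted layer per hop, innermost (exit) layer first."""
    next_hops = path[1:] + [destination]
    cell = payload
    for hop, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = keystream_xor(keys[hop], layer)
    return cell

def route(sender, path, keys, cell: bytes):
    """Each relay peels its own layer; record exactly what that relay observes."""
    views, prev = {}, sender
    for hop in path:
        layer = json.loads(keystream_xor(keys[hop], cell))
        cell = bytes.fromhex(layer["data"])
        views[hop] = {"from": prev, "to": layer["next"], "sees": cell}
        prev = hop
    return views

# Constructed sample data: hypothetical relay names, keys and request.
PATH = ["guard", "middle", "exit"]
KEYS = {hop: hashlib.sha256(hop.encode()).digest() for hop in PATH}
REQUEST = b"POST /login user=jane&password=hunter2"

def observe(payload: bytes):
    cell = wrap(PATH, KEYS, "example.org", payload)
    return route("jane-laptop", PATH, KEYS, cell)

# Unencrypted request: the last relay reads it in full, but only knows "middle" sent it.
plain = observe(REQUEST)
# Stand-in for HTTPS: the payload is encrypted end to end with a key no relay holds.
tls = observe(keystream_xor(b"site-session-key", REQUEST))

for hop in PATH:
    print(hop, plain[hop]["from"], "->", plain[hop]["to"], plain[hop]["sees"][:16])
```

The first relay knows who is connecting but sees only ciphertext; the last relay knows the destination and sees whatever the payload is, which is why end-to-end encryption to the site still matters.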

Actually, Jane R. Feminist isn’t in much danger from this. But maybe Chén Xiǎomíng is. Particularly because there are a suspicious number of TOR endpoints that appear to be enormous servers that would seem to cost thousands of dollars to run.

Now. Who on Earth has the budget for thousands of dollars worth of servers, and a desire to monitor “anonymous” internet traffic? Oh, gee. Let me think.

So the ironic part here is that TOR does, in reality, very little for “feminist privacy” because it’s designed to protect individuals against surveillance by nation-state level actors. But, at the same time, it’s so infiltrated by nation-state level actors that it’s really only useful for things like low-level “feminist privacy”.

The one thing TOR will do is hide your IP address from websites, which can help obfuscate your physical location. But physical location here means “city level”, for the most part, and nowadays everyone has so many contextual clues on social media about their physical location that no-one really needs to worry about geolocating IPs any more.

VPN services will obfuscate your IP, and provide the bonus of protecting your internet use against the one place it is likely to be intercepted/sniffed, i.e. while using public wi-fi. The downside is you’re now giving a record of every internet thing you do to a third party, the VPN provider, so you’d better bloody well trust them.

Basically, cybersecurity is freakin’ difficult, and it’s really difficult because people focus on the solutions rather than looking at the problems. And don’t even get me started on encryption, which suffers from the key-under-the-doormat problem;[3] it doesn’t matter what strength algorithm you use to encrypt your hard-drive if you write the password on a Post-It note under your keyboard.[4] The ironic part about operational security–this is all the “use unique passwords” and “always encrypt” and whatever stuff–is that the more you ratchet it up, the more usability tends to go down, which makes you more likely to breach your own security by taking lazy shortcuts.

Like I said, SafeHubTech’s page isn’t terrible, but it’s obviously… written by a certain type I see a lot of in INFOSEC, shall we say.[5] So take it with a grain of salt.

  1. I once heard a security researcher describe controls against network-level interception attacks as like if car companies kept releasing products to prevent people from being shot by arrows via the sunroof. It can happen, but it’s not exactly the most pressing safety concern most people should have when they get into a vehicle, y’know?
  2. Technical people, try not to wince. I’m sorry.
  3. Also known as the $5 Wrench Attack.
  4. This happens a lot, in both the literal and metaphorical senses.
  5. Hint: these tend to be the guys–and they are always, always guys–who have better reputations outside the industry than inside it. For what that tells you.
2016-11-17T20:15:54+00:00 | 6th May, 2015 | Tags: infosec, privacy