Today's post is about personal data security ratings and practices. Mastodon's fediverse and Gopherspace appear to host people who are interested in personal data security, online privacy, a right to control their data, and people who perform and design information security and operations security practices. Although I do not claim a high level of technical expertise, I care about personal data security. I've been on the internet a very long time: my Yahoo! email account dating to 1997 was locked five times, at least Yahoo! announced to me it had been locked that many times, owing to foreign state actors using crack programs. Yahoo! stated that changing my password was the best measure I could take, but I don't understand how changing my password would stop my account from being locked by Yahoo!. It seems Yahoo! did not hire people with much technical expertise. But those were the days when carelessness and negligence were the worst qualities an internet company exhibited. This decade companies and nation states have an overweening interest in our data and our internet consumption patterns. We in turn deserve to decide how much of our data to share and with whom.

I tooted three questions on Wednesday 8 August:

#infosec and #privacy enthusiasts of all levels of knowledge and ability, three questions for you!
1. On a scale of 1 to 10, where do you rate your personal infosec practices? Name three practices you do to define that level.
2. If you rated yourself above 6, name two practices someone at levels 2 through 5 could do to raise her level.
3. If you rated yourself below 6, name two practices of yours that most people should do but don't. What would you like to learn?

A few boosts led to a few answers, not all flip or sardonic.

Solderpunk's response: "I guess I would (reluctantly) rate myself around a 7? I run my own mail server, encrypt my hard drive (including swap), have an almost google-free phone (LineageOS + FDroid) and use a VPN for almost all internet traffic.
"Some of my favourite recommendations: disable 3rd party cookies, use OpenNIC DNS, and install an /etc/hosts file like the one at http://someonewhocares.org/hosts/hosts, which resolves known nasties to localhost. I didn't want to rate myself higher than 7 because I don't routinely use Tor, don't routinely use GPG, do not use NoScript or similar, don't use separate browser profiles for real name stuff and pseudonym stuff (I used to do this, got lazy), and don't always suspend to encrypted disk instead of to RAM (again, used to, got lazy).

"Maybe it's an 8? I dunno, I find it very hard to assign myself a rating. I can definitely think of additional things I could be doing (see my other post), so I definitely don't feel like I could be a 9 or 10. Between doing the kind of stuff I do and having no internet connection at all, you could have none in your home and only use the internet from cafe/library wifi hotspots (through a VPN or Tor). But that's getting into, like, Chinese political dissident territory."

zelbrium shared: "I have some custom modifications to /etc/hosts (namely, routing facebook to localhost).

"Almost all of my interaction with the internet is encrypted (HTTPS), and as many trackers, cookies, etc. that I can block are blocked. However, my local file security is sub-par; I forget to make regular backups and haven't bothered with full disk encryption yet. So I'm maybe a 6. More secure browsing practices (use Firefox, enable tracking protection, be observant of the green lock icon, etc.) I think would be useful for most people. I want to get better at local file security.

"I weight local file security slightly less than internet security, since it requires physical access (or at least close proximity) to attack. However, I really should stop being lazy about backups..."
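Both Solderpunk and zelbrium rely on /etc/hosts entries that point unwanted names at localhost. As an added example (my own, not code from either of them or from someonewhocares.org), here is a small Python audit to run over such a blocklist before merging it into the system hosts file: it accepts only entries that sink a name to a local address, flags lines that would instead redirect a name somewhere else, reports duplicates and malformed names, and shows that hosts matching is exact, so a blocked parent domain does not cover its subdomains. The sample list and the example.net/example.org names are constructed.

```python
import ipaddress
import re

# Only these addresses "sink" a name locally; anything else is a redirect, not a block.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}  # system-owned
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})*$")

# Constructed sample in the usual hosts-file layout; the names are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.net        # ad network
0.0.0.0   tracker.example.org
127.0.0.1 ads.example.net        # duplicate entry
203.0.113.5 bank.example.com     # not a sink: this would redirect the name
127.0.0.1 bad_host               # underscore is not valid in a hostname
"""

def parse_blocklist(text):
    """Return (blocked hostnames in file order, findings as (lineno, issue, value))."""
    blocked, seen, findings = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "unparseable address", addr))
            continue
        if addr not in SINK_ADDRESSES:
            findings.append((lineno, "redirect to non-local address", addr))
            continue
        for name in (n.lower().rstrip(".") for n in names):
            if name in LOCAL_NAMES:
                continue  # leave the system's own entries alone
            if not HOSTNAME_RE.match(name):
                findings.append((lineno, "invalid hostname", name))
            elif name in seen:
                findings.append((lineno, "duplicate", name))
            else:
                seen.add(name)
                blocked.append(name)
    return blocked, findings

def is_blocked(hostname, blocked):
    """hosts matching is exact: blocking a parent domain does not cover its subdomains."""
    return hostname.lower().rstrip(".") in set(blocked)
```

Run `parse_blocklist` over a downloaded list and review the findings before appending the blocked names to /etc/hosts; any "redirect" finding deserves a close look, since a hosts file can steer traffic as easily as it can block it.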
tomasino supplied a list of things he does for enhanced privacy and info security:
- Unique email address for every service I sign up for
- Encrypt all the things, in storage and in transit
- Personal off-site data redundancy
- Non-google/facebook/twitter/everything for services
- Actively disseminate false profile information and metadata to confuse trackers
- gopher. over. tor. ;)
- some silly email routing/encryption/storage nonsense
- signal/wire

These practices range in technical expertise and effort. In my next phlog post I will share what I do, or know I should do and would if I weren't lazy, and give my self-rating for personal data and information privacy and security.