[HN Gopher] Ask HN: Do you manage your family's digital safety?
___________________________________________________________________
Ask HN: Do you manage your family's digital safety?
Most of my family members (nuclear and extended) have little
interest in spending time to manage their digital selves. Amongst
other things making sure they have control of their passwords and
accounts in a safe matter. I've lately decided to set up a
1Password Family Account to help at least my nuclear family into
taking net security more serious. - What steps did you take to
make it simple enough for your family to care? - Did you retain
any restorative powers? As in keeping master passwords to certain
things and/or emergency accesses like in LastPass? - Which
subjects spurred the most discussions and how did you solve it? -
Which items do you share amongst all family members? Edit:
Formatting
Author : arzmir
Score : 123 points
Date : 2022-04-14 14:51 UTC (8 hours ago)
| p932 wrote:
| E-banking security. Configured a dedicated hardware laptop with
| default network policy outgoing to denied. Manually configured a
| very limited set of IPs for the banks sites used (no DNS server
| allowed, static resolution in /etc/hosts) and OS packages. Second
| step (or factor) done on a dedicated phone hardware too (no sim
| card used). Automatic browser startup at session open with tabs
| open for the banks website.
|
| Been operational for a few years. Minimal maintenance. Great
| peace of mind.
| theycouldsue776 wrote:
| "The Personal Infosec & Security Checklist"
| https://www.goldfiglabs.com/guide/personal-infosec-security-...
|
| Internet safety, DNS security,
| https://wrdrd.github.io/docs/consulting/kids #internet-safety
| #family-media-plan #screen-time-guidelines
|
| Rclone _supports encryption_ over top of like every cloud storage
| provider; and then what js could hit delete and confirm on our
| cloud storage, resulting in starting over from zero, like
| preppers, like bushcrafters - with DR bushcraft knives with
| flints (and hand-crank solar rechargeable FM /WX radio USB
| powerpacks) - like a low-budget made for TV Swiss Family
| Robinson: https://wrdrd.github.io/docs/tools#rclone
|
| Ansible-molecule, DevSec baselines; your (1) Raspberry Pi SD card
| _will_ fail, and probably before a thumbdrive or an SSD.
|
| E2E: Cyph, Keybase has encrypted git repos; GitLab/Gitea does
| Issues with trackbacks: https://www.cyph.com/blog/cyph-pgp
|
| PWD generates a _printable_ substitution box:
| https://github.com/westurner/pwd
|
| SGP: SuperGenPass https://github.com/chriszarate/supergenpass
|
| JS implementations of SSS to do better than splitting a string in
| parts and printing some redundantly:
| https://github.com/topics/shamir-secret-sharing
|
| "SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes"
| https://github.com/satoshilabs/slips/blob/master/slip-0039.m... :
|
| > _Shamir 's secret-sharing provides a better mechanism for
| backing up secrets by distributing custodianship among a number
| of trusted parties in a manner that can prevent loss even if one
| or a few of those parties become compromised._
|
| > _However, the lack of SSS standardization to date presents a
| risk of being unable to perform secret recovery in the future
| should the tooling change. Therefore, we propose standardizing
| SSS so that SLIP-0039 compatible implementations will be
| interoperable._
| eljimmy wrote:
| The biggest security vulnerability is the human element. Proper
| education on phishing and the dissemination of personal
| information trumps all else, IMO.
| nonesuch49 wrote:
| We recently threw out everything we thought about surveillance,
| privacy, liberty, and learning through experience when it comes
| to our kids' access to the Internet. They now have no phone. The
| computer has a whitelist of sites it can visit and a few ports
| open for some games. It only gets used with the door open. I
| disable the Internet completely between the hours of 10pm and
| 6am. I am looking into even more big brother solutions. It's all
| theoretical until real stuff goes down. I'll admit to having
| thrown away my personal principles in regards to freedom and
| privacy to try to protect my kids.
| TruthIsHeresy wrote:
| This is insanity. You cannot protect children forever. What
| will you do if your kids go to a friend's house and have access
| to devices which are not heavily restricted? What if a friend
| comes over with their own similar device? As a child of parents
| who did similar things as you are doing, I can say confidently
| that it did not protect me, it created a resentment towards my
| parents, and it increased my motivation to break rules in
| general.
| Wariith wrote:
| sounds too extreme
| nonesuch49 wrote:
| I thought so too. I hoped I'd never have to be this way. It's
| not just stolen money from a bank account or a hacked
| Instagram. It could be life or death.
| stonewareslord wrote:
| > It could be life or death.
|
| What does this mean? Isn't it better to teach them how to
| be safe so when they grow up they will be safe? Instead of
| teaching them nothing but to not trust you?
|
| Once your monitoring no longer exists on their devices,
| what do you think they'd do?
| tenebrisalietum wrote:
| They're using their friend's phones at school, unless you
| homeschool them.
| croutonwagon wrote:
| I use bitwarden for my families account. My wife has her own that
| i setup and got working on her phone/browser. I wish she used it
| more but she DOES use it for the "org" account and shared info
| (cc, passwords etc).
|
| Email i use on a gsuite legacy domain and have for a very long
| time. It allows us to move email around if needed. We still have
| some older gmail accounts as backup, but rarely use them. Ill
| probably move to something else, Mail in a box on a linode or
| protonmail. The problem is i havent found a 1:1 feature, between
| google voice for voicemail and junk phone #, and contact syncing.
|
| On the network i manage that. Use opnsense with unifi for wifi
| and a few vlans. We dont have cable, so roku's/ROKU tvs get their
| own DMZ and we have plex and a few streaming services.
|
| I also help manage my parents network. So they have a pfsense
| appliance (setup and bought well before all the nonsense) and it
| has a VPN connection to my house, with a similar Unifi wifi
| network.
|
| All of our stuff is MFA enabled and i just handled the setup on
| her phone etc, gave and setup yubikeys etc.
|
| Outside of my parents and wife/family, i dont really get
| involved. I really dont want to. My in-laws I have helped do
| things for like setup some wifi extenders etc. But their needs
| are more simple and dont require the complexity my parents do
| (that WFH and run a business from home with a larger layout.)
| croutonwagon wrote:
| I have already moved to workspace for now. There will be no
| charges until August or so. And then 50% off through August of
| 2023. So its....not awesome but gives me breathing room to find
| an alternative (Or just stay the course).
|
| I will say one gotcha that got me...The dont allow Google Voice
| for workspace. If youhave a legacy account, even on the gsuite
| it should be fine, but you cant setup new service. And if you
| mark the payment account as "individual" you have NO options.
| If you set it as a business you could get google voice as a
| paid service.
|
| Payment accounts cant be changed once setup. Which is crazy.
| BrandoElFollito wrote:
| You must hurry with the Google apps domain, they are closing
| the grandfathered accounts 1st of June.
|
| Mine was almost 20 years old.
| croutonwagon wrote:
| Sorry...i apparently replied to myself today. Heres what I
| said to myself when actually trying to reply to you..oops.
|
| I have already moved to workspace for now. There will be no
| charges until August or so. And then 50% off through August
| of 2023. So its....not awesome but gives me breathing room to
| find an alternative (Or just stay the course).
|
| I will say one gotcha that got me...The dont allow Google
| Voice for workspace. If youhave a legacy account, even on the
| gsuite it should be fine, but you cant setup new service. And
| if you mark the payment account as "individual" you have NO
| options. If you set it as a business you could get google
| voice as a paid service.
|
| Payment accounts cant be changed once setup. Which is crazy.
| jl6 wrote:
| For a tech-illiterate aging relative:
|
| * iPhone SE
|
| * Gmail account
|
| * WhatsApp account
|
| * Everything set to auto-update
|
| * Good passwords, written down on paper kept safely
|
| * Never install any apps without me
|
| * Call me if you are ever worried about any email or message
| enobrev wrote:
| This post reminds me of a huge win I had, recently.
|
| I had convinced my wife (who is not of the tech world) to switch
| to a password manager a couple years ago, and while she didn't
| love it, she's now totally on board.
|
| My mother runs a fairly successful small online business and kept
| getting BS charges on her business cards along with other various
| occurrences. She and her employees were sharing a couple
| passwords for everything the company used. They weren't _bad_
| passwords, but it wasn't a great set-up.
|
| Finally, my wife and I convinced her to try out a password
| manager. After quite a few excuses why it would never work for
| her over a couple weeks, she got a another bogus charge and
| begrudgingly accepted. My wife went and spent a day to help her
| move _everything_ over, generate strong passwords, and showed her
| how to set up accounts for her team and share them so her team
| could do the same.
|
| I'd since forgotten about all of that, as it's been well over a
| year since all that happened, and I assumed she went back to her
| old ways. Then last weekend I heard her bragging to a colleague
| about using a PW manager and how it's changed her life
| significantly - recommending they do the same.
|
| She said excitedly "I don't even know my passwords! It's great!"
| raajg wrote:
| For non-tech folks, I have been at loss to figure out how to
| convince them to use a password manager! Easy passwords
| repeated over and over again, and saved in plain text on one of
| the apps which itself has a simple password is the workflow
| that I'm seeing all the time. And tried many different ways to
| convince using a password manager and then forgetting about
| passwords but to no success. There's always this reluctance to
| change the workflow that they've been using for a decade or
| more
| vorpalhex wrote:
| + Family 1Password so everyone can securely manage passwords and
| share logins
|
| + Network is covered by pihole (and in exchange,
| plex/jellyfin/etc access works nicely)
|
| + Smart home stuff is managed by me. Everyone has admin rights
| but shared terminals (eg kitchen panel) are unpriviledged users.
|
| + Everyone has a home directory on the homelab they can back up
| to with as much space as they want (4tb+). I help them set it up
| if they ask.
|
| + Haven't done this yet but would like some kind of network level
| monitoring for threats (viruses, cryptominers, etc)
|
| Things intentionally not done:
|
| + I don't install anything on folks devices.. at all, but never
| without their consent and without them having an off switch.
|
| + We have cams but everyone can turn them off and view
| recordings. Recordings are kept only for a short timeframe. Cams
| are all visible/known.
|
| + I intentionally collect no logs of dns or other stuff. When I
| do occasionally need to debug an issue, I let everyone know I am
| flipping on logs for a few minutes.
|
| Empower users, don't control them.
| c22 wrote:
| I have a similar setup at my house. The kids are on devices I
| do exert more control over (customized per child) but it is
| known that if they want to acquire their own devices they can
| set them up however they like at which point they will be
| responsible for their own security (on which I am happy to
| consult). My oldest is saving up to buy her own tablet, but I
| have an outstanding offer on the table to purchase any parts or
| components for any of them that want to attempt building their
| own device.
| BrandoElFollito wrote:
| This assumes some kind of knowledge your users have.
|
| I install whatever I can to control/centralize the devices of
| my wife and parents. The less they know the better. Because
| your know, I am the 24/7/365 all-knowing support.
|
| I do not do this with my teen kids. They can manage their
| stupid themselves. Until recently I had them tracked in Google
| maps but not anymore. They do see me though.
| vorpalhex wrote:
| > The less they know the better.
|
| I have found the opposite to be true. If I push them to
| invest and understand, they are more likely to fix their own
| problems. I play tech support very infrequently and usually
| it's just initial onboarding - "Hey, how do I watch movies?"
|
| My users can reset their own passwords, reboot devices, and
| some of them can even restart stuff on the server.
|
| There's a dashboard with all of our links, so I don't get the
| "What's the url for..." stuff.
|
| I keep quick docs in the family notes.
|
| Usually my only problem makers are game servers since those
| are always a bit less than stable once loaded up with mods.
| monsieurbanana wrote:
| Some people learn, some don't. Generalizing how tech savy
| people are, can or even want to be is a futile effort
| vorpalhex wrote:
| People learn when they have motivation.
|
| If you always do everything for them, tell them it's
| complicated or easy to mess up.. well then yeah, they
| aren't going to learn.
|
| Tech knowledge is not special compared to any other kind
| of knowledge. You don't have to be "tech savvy" to be a
| self sufficient user.
| tristor wrote:
| No. I don't feel like this is respectful of autonomy, so I don't
| engage in it. If someone asks for help or asks questions, I will
| give them truthful answers at a level they can understand. The
| only rules I enforce are for devices on my own network, which I
| filter and control extensively but only at a network level. I
| don't control any of the devices on the network except those
| which are purchased by me for my own purposes. I explicitly
| taught my spouse and children that you should never share
| passwords with anyone for any reason, including with me. Most of
| the devices are protected simply by connecting to the network,
| but mobile devices also have data plans. Almost everyone uses a
| password manager by choice and on my recommendation, but
| everybody uses different ones based on what they're most
| comfortable with.
|
| In this way, people in my family get to choose their own pathway
| online. They're informed, and they get to make informed choices
| about what data they care about protecting vs sharing. You can do
| whatever you want on your own devices, but not on my network,
| that's mine and I get to set the rules there. For the most part,
| folks choose my network for protection and performance rather
| than the wider freedoms of mobile data. I also provide everyone
| with a VPN account for their mobile devices for when they're out
| of the house, and most of us use it, but it's entirely optional.
| recursive wrote:
| Minor children are actually not legally autonomous. Usually
| practically either. They rely on their parents for safety. This
| seems like a weird place to apply personal freedoms.
|
| "Before crossing the street, look both ways. Or don't. But you
| might have to get a job to pay off your hospital debts. I'm
| respecting your autonomy."
| rootusrootus wrote:
| I have a 1Password family account for my immediate family, and I
| let my mother have the fifth license.
|
| My kids get locked down OS's and games, in addition to
| communications limits and screen time restrictions. But they're
| elementary age, so this is okay. The rules relax bit by bit as
| they get older.
|
| For my extended family? Nothin. They're grown ups. I do host the
| family e-mail domain but there aren't any rules around that
| (well, they do have to pay for it...). We've had discussions
| about best practices, but the non-technical folks don't care ("so
| what if Google tracks me, I don't care") and the other half are
| technical and more than capable of managing their own digital
| lives.
| 2OEH8eoCRo0 wrote:
| I make everybody get it out of the way now and post full nudes
| online so that we cannot be blackmailed.
|
| Jokes aside,
|
| > making sure they have control of their passwords and accounts
| in a safe matter.
|
| This looks like two requirements. Control your passwords and
| accounts and safeguard them. Because saving via Chrome, though
| unpopular, is quite safe but you give up control.
|
| I've found this to be useful lately as I go through and take
| control of my login credentials:
|
| https://mullvad.net/en/blog/2021/11/15/forget-your-passwords...
| betwixthewires wrote:
| No, because I don't have a family of my own really, but I do
| intend to manage it similarly to how I manage my own.
|
| - run my own DNS and tunnel into the home network,
|
| - no TVs,
|
| - no smart devices,
|
| - networked devices in communal spaces only.
|
| I think all the rest like password managers and such are personal
| choices, but those sorts of behaviors will be encouraged.
|
| There's a line between trying to control the behavior of your
| family and keeping the environment they're in healthy and safe. I
| wouldn't want to have a master password or access to all their
| personal accounts.
| hi5eyes wrote:
| My worry is still web vulnerabilities, opsec
|
| opening a malicious pdf on their main machine or a malicious
| website
|
| the one time all their sensitive info compromises their main
| gmail/apple account
|
| How is it even possible to help our extremely vulnerable elderly
| parents and then our very young family members, nephews, nieces
|
| We've probably all been pwned at least once, and we're the more
| cautious/aware of the population, how do the helpless even fare?
| Besides locking them down in the apple eco and idk vetting every
| file/website they use?
| garrickvanburen wrote:
| * a very aggressive pihole * Fastmail accounts for everyone *
| just Apple devices or Chromebooks
| Isamu wrote:
| Anybody trying 1.1.1.1 for families?
| nopcode wrote:
| I preconfigure all windows machines in my family, and take away
| their local admin rights. No crapware installs, no disabling of
| updates or defender. No microsoft accounts.
|
| They get firefox browser with adblocker preinstalled. I manage
| their important passwords (eg fastmail) and trained them to rely
| on firefox sync for the recoverable accounts.
|
| I use MeshCentral for remote administration (amt)... its amazing
| for the price (free).
|
| OPNsense firewall in all the homes. Unknown devices are isolated
| and egress over wireguard VPN.
| bobkazamakis wrote:
| a physical jail cell and a faraday cage and you'll only need to
| tighten the chains a little more!
| nopcode wrote:
| Two of the four homes already have a faraday cage :)
|
| It was built by a german chemicals company and the reinforced
| concrete blocks signals.
| ortusdux wrote:
| I rented a place where the walls were lined with chicken
| wire. They used it to hold the plaster to the lath. I ended
| up needing to run a POE wifi AP to each room.
|
| When I moved out I told the landlord that he should use it
| as a selling point, as some people in the area had just
| tried (and failed) to sue the library for not respecting
| their wifi allergy.
| jackallis wrote:
| this got me rolling on the floor,lol.
| orev wrote:
| You may be surprised to learn that removing admin rights is no
| longer (and never really did) protect against app installs.
| Many developers have figured out they can just install into the
| user's profile.
|
| Only apps that truly need admin rights (that install services,
| etc.) would be blocked. Everything else is wide open.
|
| The admin rights restriction on app installs was almost just a
| convention that people followed. Now that the app incentives
| have changed (malicious apps don't try to take over the machine
| anymore, they just try to steal your data), admin rights
| restrictions are becoming irrelevant.
| stedaniels wrote:
| Note however this is only partially true for single user
| devices, where lack of admin rights does prevent some
| attacker persistence, and is not at all true for multi user
| devices e.g. the shared family PC.
| dhimes wrote:
| Not OP, but _I 'm_ surprised. So thank you.
| Darmody wrote:
| > No microsoft accounts.
|
| Good look with that from now on.
| TacticalCoder wrote:
| "good luck" you mean?
|
| I'm asking because I do exactly the same: no admin accounts
| for my family on their own Windows machine (mother in law and
| wife etc.).
|
| They're also using only local account. Is Microsoft banning
| local accounts?
| heavyset_go wrote:
| Firefox Sync is great for this. It's essentially a password
| manager, and if you install it on Android, you can use it as
| the default login information autofill app.
| muh_gradle wrote:
| I use Lastpass with my family. The Lastpass plugin for Chrome has
| been reliable and convenient for everyone. It took a lot of
| badgering on my part initially, but now everyone is used to the
| process. For emergency access, I have that stored safely and can
| access if necessary.
| crispyambulance wrote:
| Got 1Password family plan 2 or 3 years ago. Still waiting for the
| wife and I to be able to sit down so I can get her set up with
| it. I use it. My wife says she wants to use it and we remind
| ourselves to do it whenever there's a cybersecurity horror-
| story... but then it never happens.
|
| Also, got some yubi-keys which I use for aws and gmail. Still
| have a raincheck for my wife to try those.
|
| Yes, I told her it's not hard to get started, she could do it
| herself if she wanted to, but she wants to discuss it at length
| and spend time on it (I agree with that, but geez, it's hard to
| do stuff like this). Taxes are a nightmare enough for us.
|
| I knew when I saw the title here that there would be multiple
| stories of folks who have gone ABOVE AND BEYOND AND THEN SOME,
| HN-style. Ain't going to happen in my house.
| blowski wrote:
| > What steps did you take to make it simple enough for your
| family to care?
|
| I did the same thing as in the office - embarrassed or annoyed
| them (in a small way) by using their lack of security. I changed
| desktop backgrounds, "stole" PS20, sent emails with promises like
| "I'll wash your car" to people. I'd follow this up with a lecture
| on "if I can do this, imagine what some dodgy foreign hacker
| could do".
|
| Constructively, I pay for the whole family's 1Password and
| Fastmail accounts. I am the admin. I'm patient and understanding
| when they do something wrong. And I limit the number of people I
| help to those I can really help.
|
| We have a WhatsApp group where they can ask whether something is
| dodgy. They don't use it for chitchat, so anything that comes
| through, I treat urgently.
| ale42 wrote:
| Considering the privacy issues related to Whatsapp handling of
| personal data (e.g. contact info sent to Meta servers, message
| metadata collection, etc.), why not using Signal, Matrix, or
| something alike? Or is it too difficult for them to use
| something else than Whatsapp?
| crowbahr wrote:
| Not OP but they're likely using Whatsapp already.
|
| I'm a big believer in Signal (I have a monthly contribution
| set up) but Whatsapp is far more common for most people to
| use.
|
| I have convinced my older parents and siblings to all use
| Signal though, so I consider that a win.
| arzmir wrote:
| > We have a WhatsApp group where they can ask whether something
| is dodgy. They don't use it for chitchat, so anything that
| comes through, I treat urgently.
|
| I really like that idea.
| acwan93 wrote:
| Until an older relative uses that same group for something
| completely unrelated.
| BrandoElFollito wrote:
| This actually happened to me and I gave up. I support them
| through every channel now and the family whatsapp chat is a
| messy, happy heap of everything.
| blowski wrote:
| We have a separate chat group for that. It doesn't work
| perfectly but it does work well enough.
| cglan wrote:
| 1Password family and encouraging rental insurance that includes
| some form of identity theft help is literally like the cheapest
| way you help people. Anything past that and I simply don't want
| to be responsible for things
| Havoc wrote:
| No - just nudge them towards better practices and answer
| questions they may have.
|
| It isn't worth the drama frankly and they are grown adults.
|
| >Which subjects spurred the most discussions and how did you
| solve it?
|
| We had one distant family member go off the deep end with 5G
| vax/google/phone is listening to me. That triggered a family wide
| discussion on this. Tried injecting some facts, but its quite
| hard explaining concepts like fingerprinting and data brokers.
| Its such a nebulous concept and if you're not careful you just
| end up affirming the paranoia unintentionally. "oh so you're
| saying they do track me and read my mails?" Yes, but also noooo
| godelski wrote:
| I think one thing to note here is that a lot of conspiracies
| are founded on a grain of truth, or at least uncertainty. The
| problem is that things are taken too far. But finding this
| keystone is also often the manner in which you can dismantle
| that conspiracy.
|
| As an example to this, a lot of 9/11 were founded on the "they
| fell too fast" aspect and "jet fuel doesn't melt steal beams."
| Both these things are true! The problem is not understanding
| some basic engineering principles. In this case 1) skyscrapers
| are have a designed failure mode to collapse in on themselves
| (and quickly) as to not destroy surrounding buildings if they
| fail. 2) Jet fuel may not melt steal beams, but it is hot
| enough that it can cause significant structural weakness,
| enough that the weight of 1/3rd of a skyscraper will cause said
| beams to break. Understanding this makes it a far more likely
| scenario than Bush allies placing hundreds of thermite bombs
| all around the WTC without anyone noticing.
|
| But the problem is that there was something odd that doesn't
| fit general knowledge. Knowledge is 100% the cure to
| conspiracies.
|
| Worse, I think hiding information will just build on the
| paranoia. Especially with something like data privacy, since we
| all here work with data. It will turn into "you hid this from
| me, so you're part of the conspiracy." In that case, it removes
| all chances that you have. Yes, discussing the nuances of the
| "conspiracy" can cause people to go a little further off the
| deepend, but it can also form a bridge between you and that
| person (as opposed to isolation, which is what most conspiracy
| theorists do. Put themselves in a bubble). That bridge can be
| used to lead them out, because they now trust you and you have
| expertise. It's not easy, but it's something I've personally
| done.
| epc wrote:
| Family 1Password for me + spouse, separate 1Password account for
| my elderly parent-in-law. I maintain paper copies of all keys.
|
| I back up (export) 1Password vaults quarterly to an offline
| backup I maintain.
|
| I maintain two small (1Tb) SSDs with digital copies/scans of all
| important documents, offline. Try to sync monthly. Store inside
| faraday bags inside fireproof (in theory) safes.
|
| We both lie excessively when creating profiles for online
| accounts. Unless absolutely necessary we use a PO Box for
| addresses. We've both been online 30+ years and the amount of
| old, forgotten accounts that resurface in breaches and scams is
| disappointing, and yet not surprising. Our late dog continues to
| receive a lot of "growth hacking" spam from services that started
| after she died.
|
| Everything important has multiple 2FA options enabled, avoiding
| SMS as much as possible.
|
| All of our financial accounts use email addresses off an obscure
| domain name I manage, not our personal email addresses (which
| themselves are G Suite/WorkPlace/WorkSpace/Whatever accounts).
|
| I review all financial accounts monthly to look for odd charges.
| The last serious fraud we experienced started as small (<$10)
| charges over several weeks, I guess testing the credit card
| information they'd gotten.
|
| I just assume we'll get hacked at some point, instead of trying
| to make that impossible, I try to ensure that we have backups of
| everything (and a paper trail as necessary to prove who we are,
| though I'm not convinced the various automata at FAANG gang
| companies will believe any of that).
| zrail wrote:
| How do you find using GSuite (etc) for family accounts? I've
| been considering it for a bit but I'd love to hear about your
| experience.
| epc wrote:
| It's a ridiculous pain in the ass made tolerable because
| we're both tech industry dinosaurs. Initially it was the only
| way to get TOTP 2FA on a Gmail account which is why I
| switched and because of the way Google does Google things my
| spouse has a completely separate account (she was a Googler
| at the time though has now successfully escaped). For my MIL
| we set up G Suite because it was the easiest way to lock down
| her security settings and support her remotely. There is no G
| Suite "family" option, you're either a business or an
| enterprise.
|
| For our purposes it's been fine, but it's overkill for the
| typical family or typical consumer.
|
| One definite downside is that G Suite accounts are not
| considered to be consumer accounts so you run into various
| Google services which either don't work at all or work very
| differently. For the brief time we used Google Home it could
| not access either of our G Suite calendars (but somehow the
| Alexa could). Our Nest footprint exists in a separate world
| from our G Suite accounts. When we had YoutubeTV we had to
| use a separate GMail account because (at the time, I don't
| know if this is still the case) ...because G Suite accounts
| could not be used for YouTube TV.
| beckman466 wrote:
| if only we'd expand the scope beyond the nuclear family, we'd be
| a much better society
| heavyset_go wrote:
| It's an uphill battle. The best I can seem to do is to put
| adblockers and privacy plugins on phones and browsers, and
| upgrade computers with Linux.
|
| These days, if someone's needs can be met by ChromeOS, then they
| can be met with desktop Linux and a browser, too. Compared to
| Windows, the support issues almost cease upon upgrading to Linux,
| as it is virtually impossible for someone who doesn't know what
| they're doing to break a Linux install. The slim amount of issues
| I've encountered can be fixed with a restart.
| uuyi wrote:
| Nuclear: Everything apple, preferably iOS where possible and
| locked down if required.
|
| Everyone else: not my circus, not my monkey.
|
| I have done zero or little past basic configuration and have had
| no issues or surprises.
| [deleted]
| Justsignedup wrote:
| - I configure all windows machines at home - Everyone gets
| adblockers - I configure all android phones at home, everyone
| gets an adblocker - Everyone runs malwarebytes - Everyone is
| briefed on these tools and to talk to me when installing rando
| software - 1password on phone and all computers, everyone should
| be generating PWs
| bsedlm wrote:
| I don't. my family is all adult individuals so we all do whatever
| we want and are able.
|
| I do not go around imposing my beliefs upon them. They have their
| own problems to be bothered with mine too.
| kcb wrote:
| Yea... I can understand working with your significant other and
| managing your non-adult kids, but outside of that some of the
| comments here seem pretty invasive.
| tlb wrote:
| If you have high-value info to protect, you are somewhat
| exposed if other people in your house are sloppy with security.
|
| Household shared threat models include:
|
| - they download a trojan, it infects your shared printer, and
| copies all your documents to the bad guys
|
| - their phone is compromised and its microphone listens to your
| conversations and keystrokes.
|
| These are attacks against high-value targets. If you're just
| surfing Reddit, you probably don't care. But if you work for a
| tech company and have customer data or cloud logins on your
| machine, you should probably care.
| morpheuskafka wrote:
| Wouldn't most of these issues be addressed by the company
| managing their own work-issued laptop, presumably with an
| always-on VPN and full disk encryption? Same for work phones.
| Customer data and production cloud credentials should never
| be on a personal machine, period.
|
| Printer could be an issue, I guess, but most tech jobs don't
| involve a lot of printing and if they do a USB only printer
| should be supplied by the company.
| eternityforest wrote:
| I'm a single guy, with no authority or desire therefore, but I am
| the most tech oriented person, and one of the most tech focused
| people in my friend group.
|
| If anyone asks me anything about security I tell them to assume
| everything everywhere is spying in every way(I don't advise
| against using any specific devices or services, or avoid them
| myself, whether they care about Google spying is up to them).
|
| But mainly I just tell everyone that they should be using 2FA.
| Everyone even remotely tech savvy these days knows that spying us
| the business model for half the internet, and only a few care
| enough to do anything about it.
|
| The only in depth discussions I've had(Outside of work of
| course), have nothing to do with insecure systems and everything
| to do with public posts.
|
| For everyone who gets their bank details hacked(And probably gets
| most of it back), there's probably 5 who lost jobs or friends or
| opportunities, or just embarrassed themselves, because they
| posted something on a medium that is easy to misinterpret and
| encourages posting without thinking.
|
| In the last year I know one person who was hacked. They didn't
| have 2FA on.
| lifeisstillgood wrote:
| I was literally looking for a MDM family solution - I have looked
| at Jamf pro etc but frankly it's a lot for family use (it's like
| 140 per person per year.)
|
| There seems like a good OSS project - a bit of WMI a bit of bash
| - so I am interested if anyone has a idea.
| dervjd wrote:
| Have a look at ManageEngine MDM. Their free tier is good for up
| to 25 devices. The interface is a bit weird/confusing at first,
| but I've been using it for a few years and it seems to work
| well.
| egberts1 wrote:
| I was just looking at Adam:One (DNSthingy), a comprehensive
| gateway with focus on filtering "bad things" add-on for
| Pfsense/BSD when I saw this post.
|
| You got bigger problems after Password Managers.
|
| Just polished up the transparent Squid/SquidProxy/custom-ICAP-
| servers-to-block-DNS-over-HTTPS/Default-Deny-firewall for my
| home.
|
| It seems to me that we are losing the war on Zero-Trust home-
| based content filtering (with the onslaught of Webroot port 7777,
| and DNS-over-HTTPS, and even AVG 443 for DNS.
|
| You all hear me? I am (and probably we are) losing control of the
| HomeLAN/home-net via the onslaughts via circumventions of Zero
| Trust Model.
|
| And this new DNS RTYPE SVCB and HTTPS by Akamai CDN, Apple
| iPhone/iPad, Cloudflare, and BigIP/F5 is making this gateway (and
| me) losing it all.
|
| https://filters.pluckeye.net
|
| https://adamnet.works
|
| https://docs.diladele.com/tutorials/transparently_filtering_...
|
| https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https...
| throw1234651234 wrote:
| In the same vein, what is the biggest risk vector? My general
| impression is that AV will NOT catch new malware 99% of the time.
| I am to the point where I don't keep ANY/identity personal info
| on my computer.
| abledon wrote:
| I'm the annoying uncle at christmas telling everyone to use
| Bitwarden.
| nicholasjarnold wrote:
| Yes, I configure and manage all devices that connect to our
| home's network unless that device is only provisioned for access
| to a "guest" wireless network which is only routable to the
| public internet (no LAN access whatsoever).
|
| Steps to make it "simple" - use password manager - store shared
| and individual pw DBs on a NAS where family has access - use
| Syncthing to keep changes aligned between devices - configure all
| browsers and devices to be integrated with pw manager and demo
| proper usage - everything important stored on a NAS that is in my
| physical possesion and which uses redundant storage (RAID) -
| implement backup of critical NAS data - test backups monthly!
| (can be restored? are still occurring properly?) - install a
| Linux distro and configure key-based auth (my key trusted) SSH
| for family members who are willing to use Linux on the desktop.
| 2022 is the year for it! ;) - ensure things auto-update - if
| problem occurs shell access is a few keystrokes away - can manage
| family's digital situation remotely to some degree this way. very
| helpful! much better than the ole' "Call up grammy and try to
| drive her clicks and typing remotely..." routine!
|
| Restorative powers retained? - yes, except for the master
| password to any private password DBs
|
| Which subjects spurred the most discussions and how did you solve
| it? - Linux: Some people have no idea what an operating system
| even is, let alone how a "Linux" differs from an "Apple" (not
| OSX, it's an Apple!) or a "Windows". This was solved by reminding
| them what I do professionally and them remembering how much time
| I spent behind the screen doing the bits n bytes. Basically "I
| got u fam, don't worry about it." was my solution. - Social
| Media: This is an unsolved problem. Some insist on having FB,
| Insta, whatever installed on their cellphone! It's nuts. I'm not
| cool with it, but we all make our own choices. I try to educate
| people on this topic, but it's an uphill battle.
|
| Items shared for all family members - none - within household:
| shared pw database with things like streaming & delivery service
| logins, etc
| Mikeb85 wrote:
| Not really. Basically just recommend Google as their services are
| the easiest to use securely across devices.
|
| You can be non-tech savvy, use Chrome, Gmail, Drive, etc... and
| get good cloud services that are secure.
| digitallyfree wrote:
| Here we go...
|
| All secure tasks like handling of IDs, banking, trading, etc.
| must be done through managed Linux workstations (Landscape with
| master image), or managed VDI. Keepass is used to store
| credentials. There is a network storage accessible only to those
| workstations containing important documents. A second storage
| area is avaliable for unmanaged and Windows devices.
|
| Windows devices have Group Policy set for update settings, but
| generally users can do whatever they like. Mobile devices are
| expected to be patched but they have free reign. Haven't found a
| good management solution for Windows and mobile yet.
|
| Wifi uses EAP-TLS, no exceptions and no guest devices permitted.
| As a result IOT and smart home devices are not allowed on the
| network since they don't support EAP-TLS. Certificates are issued
| per device and allow access to different services like VPN etc.
|
| I currently don't have managed switches so mobile devices and
| personal workstations do share the same network as my servers and
| such, but all local services like network storage are encrypted
| and require authentication. Ideally I'd have VLAN segregation,
| but this will have to wait for the next network upgrade.
| kcb wrote:
| Daddy Daddy my friend wants to connect her Ipad to the
| internet, what's the wifi password? Not fooling me hackerrr
| rodolphoarruda wrote:
| I have a wife and 2 kids under 13.
|
| - We have a phone that never leaves home and has no SIM card. We
| use it for banking apps and 2FA critical services.
|
| - So our "street phones" don't have any banking apps installed,
| nor social media apps, 2FA nor password managers.
|
| - We have a paper notebook with secrets and 2FA recovery codes in
| the bookshelf sitting among many other notebooks and old dusty
| random stuff.
|
| - Our kid's phones have DNS pointing to Cloudflare's family
| filter server. Their YouTube accounts are set to filter adult
| content.
|
| - We use BitWarden family plan for sharing passwords among us.
|
| - We use a Keybase team to share documents between us and our
| personal devices. Everything is, in theory, encrypted and we can
| revoke the device in case it gets lost/stolen.
|
| - Our laptops have luks drive encryption and we transport them
| turned-off. So in case they are lost/stolen, data in the drives
| are unreadable.
| snowwrestler wrote:
| I'm curious what threat model your first two bullets are
| intended to mitigate.
| TacticalCoder wrote:
| > I'm curious what threat model your first two bullets are
| intended to mitigate.
|
| "Smishing" (aka "SMS phishing"), for a start.
|
| Then it seems to me that a phone that is _only_ used for
| banking apps and 2FA is less likely to be owned than a phone
| used for everything under the sun.
| dervjd wrote:
| Entire family is Apple devices, and I actually set up MDM to
| manage them (ManageEngine's free tier lets you manage 25
| devices). WiFi settings, enforced updates, FileVault encryption,
| etc all managed via MDM policies. Using Cloudflare Gateway (free)
| for DNS. Sophos XG Home firewall for router/VPN/etc.
|
| I also put a basic 2-bay Synology NAS in the basement, and
| everyone's laptops are set to back up via Time Machine
| automatically.
| kkfx wrote:
| By points:
|
| > What steps did you take to make it simple enough for your
| family to care?
|
| GNU/Linux desktops for all, for me NixOS/Emacs (EXWM), for
| relatives mostly Gnome SHell (the second capital is NOT a
| mistake, but they want something like that) and XFce, no wifi, at
| least I have few MikroTik APs but powerd off, powered on only if
| I have a guest and he/she can't use wired ethernet. Desktops have
| "proper" WebVM [1] with user.js/various extensions etc all
| regularly kept up to date backed up and casually restored around
| once or twice a year when I upgrade from a major release to
| another. IoT stuff (domestic p.v. + related tools) offline on a
| separate network with a homeserver (Home Assistant pip-installed,
| not the absurd docker image) bridging the WebUI part from the
| desktop's LAN.
|
| > Did you retain any restorative powers? As in keeping master
| passwords to certain things and/or emergency accesses like in
| LastPass?
|
| I have a printed copy, "encrypted" with a simple letter
| substitution scheme those who need know it, of some passwords, so
| they can ask for help someone who know GNU/Linux if I have some
| health issues/I can't really help for some reasons, but it's not
| much a tested setup just something do and explained a bit without
| really having ever used it so I can't really know how much it can
| work, it's a potentially serious issue but so far no one seems
| interesting in that, I'm healthy etc so...
|
| In iron terms I have enough iron to survive various faults on
| both desktops and homeserver/mini-small-rack side, in software
| terms everything is almost reproducible with org-mode documented
| and tangle-ed NixOS configs and relevant custom ISOs ventoy-
| deployed locally or deployed via LAN depending on the case. Not
| everything is fully covered but it's enough.
|
| > Which subjects spurred the most discussions and how did you
| solve it?
|
| Well... The "family policy" a bit against my will is "you are the
| techie, we do not care" so there aren't really be discussions,
| just few explanations/training etc
|
| > Which items do you share amongst all family members?
|
| Phone system (Grandstream UCM PBX + GXP phones simply because
| when my old Asterisk card die and I see an offer for the PBX I
| was a bit tired of Asterisk), video surveillance, witch is only
| outside and physically powered off when someone of us is at home.
| Aside the small p.v. system witch, sigh, is to be counted in the
| "digital" things since it's full of FWs and to be effective
| enough (like piloting the hot water production depending on the
| sunlight) it demand a home assistant...
|
| Essentially my general policy is:
|
| - restricting as much as possible the attack surface
|
| - restricting connected stuff (witch count in the attack surface)
| as much as possible, still leaving a bit of comfort
|
| - be reproducible
|
| - have a bit of redundant gears, not for anything, too expensive
| and demand too much space, but for something yes. For instance a
| VoIP spare phone + two analogs (with the PBX that have two fxs
| ports), around a desktop (ssds, mobos, CPUs, ram etc) and a half
| as spare parts, two 16 ports spare switches against a 48 ports in
| production one (not all ports used, of course) etc.
|
| [1] monsters mostly called browsers for legacy reasons, like
| Firefox or Chromium that actually are not much more "browsers"
| than a JDK...
| rsync wrote:
| The number one thing that we do is use an assumed name and
| address (and phone number) for all online interactions.
|
| If it's not a government agency, it doesn't get any real info.
|
| So, for instance, Amazon has a made-up name and our PO BOX and
| our "junk" number from Twilio.
|
| As I have mentioned here many, many times:
|
| This is possible because VISA/MC do not verify cardholder name.
| They make it _seem_ like they do and merchants _think_ that they
| do ... but they do not. You can just enter "Mickey Mouse" and it
| will work just fine.[1][2]
|
| Lyft, opentable, Toasttab, _Apple_ ... none of them have ever
| seen our real names or addresses.
|
| [1] This is not true of AMEX - they _do_ verify cardholder name
| the way people think they do.
|
| [2] There is a very rare, seldom used "verified by visa" step
| that some online merchants used to use (mostly in Europe) that
| did verify cardholder name ... but I have not seen it in years
| ...
| SnowHill9902 wrote:
| Merchants can and do check names but it's not mandatory for a
| charge. Credit card number and expiration dates are the only
| required info.
| croutonwagon wrote:
| I can understand this sentiment. I certainly do it for some
| things (like reddit accounts, or things to do with
| say....gaming online, steam etc).
|
| For most things though I dont mind too much about things that
| are already public anyhow. Like name, address etc.
|
| That said for services that extend beyond that, If i feel the
| need to go that far i just dont participate. Like facebook for
| example.
|
| I do carry a google voice number. That is the only thing a
| company, service or basically anything that gets typed into a
| computer gets. It has signifigantly cut down on spam calls to
| my actual cell phone, which friends and family do have.
| grvdrm wrote:
| Just curious - do you have Lyft pick you up or drop you off at
| your house/apt or do you avoid that as well? I think of that
| action as different from payment information verification.
| rsync wrote:
| "Just curious - do you have Lyft pick you up or drop you off
| at your house/apt or do you avoid that as well?"
|
| We live on a ranch at the end of a 2 mile private road.
|
| Lyft is something we use in the city or while traveling.
|
| However, I do understand the spirit of your question and I
| don't have formal practices for these kind of things.
|
| Like a sibling comment said, life is short ...
| lowwave wrote:
| don't use Lyft or Uber. Why would I want a company to keep
| track where I'm going linked to my credit card. It is creepy.
| Workaccount2 wrote:
| Is this a disaster waiting to happen if visa/mc one day flip
| the switch on name verification?
|
| Beyond that, for the type of tracking and fingerprinting done
| today, how relevant is your name actually?
| wirrbel wrote:
| For a lot of stuff your credit card number is the reliable
| join key anyway
| ceejayoz wrote:
| > Is this a disaster waiting to happen if visa/mc one day
| flip the switch on name verification?
|
| Doesn't even have to be that big of a policy change; if
| Facebook gets suspicious about you using a fake name or
| various other scenarios, they'll lock your account until you
| provide a scan of a passport or state ID.
| JackGreyhat wrote:
| You are assuming that a person who is cautious about
| privacy, uses facebook. Unlikely. However, I have been in
| that alley. I renamed my facebook account yearly, until it
| got blocked indeed. But then again, there are some great ID
| .psd templates out there:P solved it immediately.
| ceejayoz wrote:
| I cite Facebook as a specific example I'm aware of.
| There's no reason Amazon or Apple (which the parent
| poster indicates they use) couldn't request similar docs
| with the threat of an account revocation.
| warent wrote:
| Maybe you're a very high profile individual that this matters
| beyond paranoia? I've always used my name for signups, and I
| have a very unique name, probably the only one on the whole
| planet. It has affected my life in no meaningful / noticeably
| negative way.
| inetknght wrote:
| > _Maybe you 're a very high profile individual that this
| matters beyond paranoia?_
|
| You can call it paranoia. I'd call it a healthy value of
| privacy.
|
| Nothing stops a company from taking your name from your
| credit card and using it to build/sell shadow profiles except
| their word. Companies' words aren't worth shit.
| rhn_mk1 wrote:
| Collecting personal data is insidious: it doesn't manifest
| itself until it does. It's no different from having your
| password leaked, or from having your mortgage application
| rejected for opaque reasons.
|
| The data is there, silently, stored for a future use which
| may come at an unpredictable time.
| beckman466 wrote:
| same.
| rsync wrote:
| The reason I do this is that there are _fascinating and
| unpredictable_ interactions between behavior and identity
| that extend out into the indeterminate future.
|
| If we assume this information persists forever - and we might
| as well - it represents infinite liability and risk whereas
| the mitigations I have proposed cost almost nothing.
|
| Or, to put it another way, it's very cheap insurance.
| warent wrote:
| You're saying the word "unpredictable" but with cognitive
| dissonance, because you are predicting disaster.
|
| If it is truly unpredictable, then you may be diminishing
| something which may actually be beneficial and necessary in
| the future.
|
| This obfuscated data which may or may not be linked to you
| (or the lack of data entirely, a void which certainly is
| linked to you) is itself forever persistent and represents
| its own infinite liability.
|
| Not to say that you're wrong or right, just pointing out
| that your claim of somehow rising above this system is
| bogus. No matter what we do, our mark (be it a shadow
| profile or a void) is left, and perceptions will form
| around it that cannot be predicted.
| kenjackson wrote:
| Or even worse -- behaviors that attempt to hide identity
| may in the future be the exact sort of thing they use to
| do forensic sweeps. Unfortunately, I think that is just
| as likely as anything else.
| kcb wrote:
| Life is finite
| mathrawka wrote:
| A life span is finite, but your life during the life span
| is infinite.
|
| See chaos theory's infinitely long line in a finite-sized
| circle
| royaltjames wrote:
| Data is forever
| nicholasjarnold wrote:
| "A datum is forever" - De Nerds circa 2022, inspired by a
| quip from one royaltjames of the same era
|
| I like this a lot more than the De Beers campaign
| popularized in the late 1940s[0]!
|
| [0]: https://www.theatlantic.com/magazine/archive/1982/02
| /have-yo...
| heavyset_go wrote:
| > _So, for instance, Amazon has a made-up name and our PO BOX
| and our "junk" number from Twilio._
|
| If you're worried about the government prying, using a fake
| name on a PO box is a great way to rouse suspicion and
| investigations into whether or not you're doing something
| nefarious with the post.
| rsync wrote:
| We don't use a fake name on the PO BOX. It is _the vendor_
| (like Amazon) that gets a fake name (and our po box).
|
| The post office (quasi-government agency) knows who we are.
| lesuorac wrote:
| > If it's not a government agency, it doesn't get any real
| info.
|
| I don't think rsync is worried about government prying.
| lazyeye wrote:
| All the big tech companies almost certainly have your real name
| on file. Im assuming its very easy to buy large datasets
| matching real name,cc and email.
|
| The only really private way to use these services would be
| using something like burnermail.io and crypto.
| jokethrowaway wrote:
| In Europe your payment will most likely fail if your name
| doesn't match your card's and often even if your address
| doesn't match the address on your card.
|
| Sad.
| dsnr wrote:
| Also, knowing how bureaucratic Europe is, I can totally see
| myself having a warranty claim rejected because of a name
| mismatch.
| inetknght wrote:
| Whose name the warranty is in and who pays for the warranty
| should not be required to be identical.
| ceejayoz wrote:
| There are plenty of non-transferable warranties out
| there.
___________________________________________________________________
(page generated 2022-04-14 23:02 UTC)