Data security ratings
---------------------

I had an interesting conversation on Mastodon last night with my fellow sundog Christina, who opened with:

"#infosec and #privacy enthusiasts of all levels of knowledge and ability, three questions for you!

1. On a scale of 1 to 10, where do you rate your personal infosec practices? Name three practices you do to define that level.

2. If you rated yourself above 6, name two practices someone at levels 2 through 5 could do to raise her level.

3. If you rated yourself below 6, name two practices of yours that most people should do but don't. What would you like to learn?"

Some good conversation followed from this, which she has summarised at her phlog[1].

I liked these questions, but what I liked even more was exploring this notion of ratings. Christina said "I wish I had enough knowledge and textbox space to personally define the levels 1 to 10, the rebuttals & corrections would be illuminating", and I quite agree! I actually don't think this is a super productive way to think about security (more on that in a later post, I promise, but basically a ranking scale like this is no substitute for the concept of threat models), but I will readily admit that it's a heck of a lot of fun.

I reluctantly rated myself a 7, but based on some of my practices, zelbrium was astonished I ranked myself so low and wondered what it would take to hit a 10. So, just for fun, here are my ideas on what the endpoints of this scale look like.

A "0" user is never out of reach of their smartphone, which runs stock software with all features enabled and has an unlimited data plan which is always on. They use a Windows PC without any antivirus software, and browse the web using a stock browser. They are daily, enthusiastic users of Facebook, Twitter and Google, never log out of them, and all of their account names are first_m_last.

A "10" user does not own a cellphone and has no home internet connection. If they use more than one computer at home, they are either not networked or are networked only via ethernet. This person accesses the internet via their dedicated internet computer, which is a laptop they purchased second-hand, with cash. The laptop is either old enough that it never had a built-in camera or microphone, or if it had them they have been permanently destroyed, e.g. cables cut, chips desoldered, whatever. The laptop has a wireless device but no hard drive. It boots an OS from a USB stick or, better yet, a non-rewritable CD.

To get online, a "10" user takes this machine to a local library, cafe, or somewhere else with free wifi. They connect to that free wifi, and then route everything through Tor, or perhaps a VPN account paid for with carefully obtained bitcoins. Their browser is fully pimped out with all the requisite privacy enhancing plugins. Once on the internet in this manner, they never, ever do anything involving their real name, real address or real date of birth. No internet banking, no online paying of bills, no shopping at Amazon or eBay. Strictly passive content consumption, or posting under a pseudonym on some services *not* run by surveillance countries.

This might sound super extreme, but in this way you could easily follow world news, educate yourself with Wikipedia, operate an SDF account (pay for all membership tiers in mailed cash!) or a Mastodon account, send encrypted emails to penpals, etc. An online life lived this way would be extremely difficult to tie to your real world identity. Surely not impossible, but the time, energy and money involved in doing so means nobody is going to bother just for the sake of advertising. Unless you manage to piss off a nation state, you're probably pretty safe.

[1] gopher://circumlunar.space:70/0/~christina/InfosecAndDataPrivacy.txt