Letting Go of Google

I have used Google for years, mostly in the form of Gmail.  In Your Ultimate Security Guide: Windows 7 Edition I wrote about Gmail.  I threw in some well-deserved praise about Google’s security; it is very, very good.  Google offers one of the most user-friendly two-factor systems I have used.  They alert you when your account is logged into from a new IP and browser.  Your entire session is HTTPS encrypted, and encrypted inside of Google.  From a security standpoint it’s hard to complain about Google.  Privacy is another matter completely.

As Bruce Schneier recently pointed out, Google wants you to be secure from everyone except Google.  Google keeps your data safe from hackers and the NSA (they say), but they don’t keep it safe from themselves.  Google scans all your emails, records all your searches, remembers what videos you’ve watched, and what sites you go to when you leave Google.  And it never forgets.  Though I never created a Google + account, don’t log into YouTube, and don’t upload files to Google Drive, Google still knows an incredible amount of information about me.  That information will be remembered forever.  It will be accessible with warrants.  It may be seen if Google is hacked (Google holds a lot – a lot – of data and is a target because of it).  It will still be sold to advertisers.  And I don’t like that.


I have managed to subvert much of Google’s ability to track me with several tools.  I don’t use Google’s browser, Chrome.  Instead of searching through Google I use DuckDuckGo, a search engine that doesn’t collect or store data about its users.  Another very good tool is Disconnect Private Search, a browser add-on for Firefox and Chrome that routes all your searches through a “light” VPN.  Google doesn’t know who sent the request and can’t track me (Disconnect Search also allows you to use Bing, DuckDuckGo, and Yahoo!).  I also configure my browsers to delete history and cookies each time they are closed, and I close them frequently.  I run BleachBit or CCleaner several times a day, too.

I have also been a fairly heavy Google Voice user.  I liked Google Voice because I could give out a GV number instead of my “real” number.  I could get calls, texts, and voicemail from my phone or computer, and the most compelling feature was its price: free.  I have managed to subvert this, too, through Silent Circle.  Though I have to pay for it, Silent Circle offers me security from everyone, not everyone-but-them.

These steps seem simple in comparison to finding a suitable substitute for Gmail.  Other “mainstream” (read: free) email providers scrape emails, too, and unfortunately I don’t have the confidence in my own technical acumen to run my own email server.  Through the last several months, however, I have managed to piece together a workable email solution.  Unfortunately there is no sole-source replacement for Gmail, but with paid services like KolabNow and free ones like ProtonMail I know my communications are, if not more secure, at least more private.

You should also know that if you contact me, your communications are stored privately and securely on email servers that are not scraped for advertisements.  The email address to which the contact form on this site links is a ProtonMail email address.  Additionally, I have removed Google Analytics from this site.  I do not have access to any data about the individuals who visit my site, whether specifically or in aggregate.  When I initially set up this blog I thought it would be a good idea to see how often the site was visited, but I quickly realized that I had become part of the problem.  This is my mea culpa.

Thoughts on the LastPass Breach

I have a couple of thoughts regarding the breach on the popular password manager LastPass earlier this week.  Initially I was disheartened to hear about the breach but was very glad that LastPass dealt with it swiftly and responsibly.  I actually learned of the breach from LastPass, with an email alerting me to change my master password.  Additionally LastPass is verifying all initial post-breach logins via email unless two-factor authentication is enabled on the account.  I was also glad to hear that the attackers were unable to make off with anything more substantial than very strongly hashed (encrypted) master passwords, cryptographic salts, and email addresses.  Though certainly less than ideal, the attackers were still unable to capture plaintext password vaults.


Though I don’t use LastPass anymore I did for several years and because of this and my comfort with it, I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition.  The two big take-aways from this breach (at least in my mind) are:

Cloud-based password managers are inherently risky.  This may be a provocative statement because many people use web-based password managers without incident.  But for how long?  Because of the treasure trove of information a password manager contains they are naturally a target.  Secondly, because they are a more complex system than a host-based password manager like Password Safe there are more potential points of failure.  The data must transit the internet, back and forth between your computer and the cloud server, be decrypted locally to be used, be re-encrypted before being re-uploaded to the cloud server, etc.  A lot of things have to be done correctly for it to be secure throughout the entire process.

Two-factor authentication is important.  When I first saw the email from LastPass about the breach my heart sank.  I no longer use LastPass but I know a lot of people who do.  Fortunately I know that most of them also use two-factor authentication and as I learned more about the breach I realized that accounts protected with two-factor were still safe.  I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitudinous two-factor options it offers: “The Grid” (my favorite), Google Authenticator, fingerprints, Yubikey, etc.  With two-factor enabled my friends were able to rest easy that their passwords had not been breached.  This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.

As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager.  The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.

Why YOU Need a Virtual Private Network

Using a virtual private network (VPN) is an important part of strong digital security.  A VPN can accomplish several tasks.  First, it creates an encrypted tunnel to a remote server through which your traffic transits.  This means that anyone inspecting your traffic (from internet service providers to malicious hackers) will capture nothing but unusable, encrypted data.  For best security I recommend using the OpenVPN or IPsec encryption protocols.  Next, because your traffic appears to originate from a remote server your IP address is not correlated with your browsing.  This is important: if you visit a website that logs your IP address they can use the IP address to find your geographical location, your internet service provider, and all your visits to that site.  Using a VPN server that hundreds of other people also use makes you less distinctive and protects your physical location.  Lastly, VPNs can be used to help bypass geographical restrictions.  If you are in a country that blocks certain content you can use your VPN to connect to a server in another country, bypassing the restriction.


I recommend strongly against using free VPN services.  The recent story about a free VPN known as Hola! last week is an excellent reminder of why paying for a VPN is worth it: Hola! was selling the bandwidth of anyone who had their plugin installed, sometimes to malicious users who conducted botnet activity.  This opens users up to a number of security risks.  Free VPN providers have also been known to monetize by collecting and selling user information which defeats much of the raison d’être for a VPN.

To determine if your VPN is leaking information about you or how much information you are leaking if you are not using a VPN, Private Internet Access (with which I am an affiliate) has some helpful links.  They will test whether your DNS is leaked, if your IP address is leaked when you send an email, and if your IPv6 address is leaked.
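The leak tests above boil down to one question: which interface will a given packet actually leave on?  As an added example (not from this post or from Private Internet Access), the script below answers that offline by longest-prefix matching a constructed `ip route`-style table and a constructed resolv.conf, flagging resolvers and IPv6 traffic that bypass the tunnel.  The route format, the addresses and the `tun0` interface name are assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of `ip route` / `ip -6 route` output after a VPN pushed an
# IPv4 default route over tun0 as two /1 halves but no IPv6 route. Names and addresses assumed.
ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev eth0
203.0.113.7 via 192.168.1.1 dev eth0
::/0 via fe80::1 dev eth0
2001:db8:1234::/64 dev eth0
"""

# Constructed resolv.conf: the VPN's resolver plus two the OS kept from before connecting.
RESOLV_CONF = """\
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 2001:db8:53::1
"""

def parse_routes(text):
    """Return (network, device) pairs; 'default' is read as 0.0.0.0/0 (the v6 line writes ::/0)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        routes.append((ipaddress.ip_network(dest, strict=False), parts[parts.index("dev") + 1]))
    return routes

def egress_device(addr, routes):
    """Longest-prefix match: the interface a packet to addr leaves on, or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, dev) for net, dev in routes if net.version == ip.version and ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def dns_leaks(resolv_conf, routes, tunnel_dev="tun0"):
    """Map each resolver whose queries exit on an interface other than the tunnel to that interface."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    return {s: dev for s in servers if (dev := egress_device(s, routes)) != tunnel_dev}

def ipv6_leaks(routes, tunnel_dev="tun0", probe="2001:db8::1"):
    """True when a global IPv6 destination (probe is a documentation address) bypasses the tunnel."""
    dev = egress_device(probe, routes)
    return dev is not None and dev != tunnel_dev
```

On a real machine, feed it the output of `ip route` and `ip -6 route` and the contents of /etc/resolv.conf; any resolver reported with a physical interface is one your ISP can see.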

Though I like Astrill, Private Internet Access, and WiTopia, there are plenty of great VPN options out there.  Most are under $100 per year and offer a great many features.  This is a very small price to pay for the disproportionate level of security and privacy they provide.