Security Guidelines for Congressional Campaigns (techsolidarity.org)
107 points by stablemap on Nov 25, 2017 | 82 comments



On the off chance this heads off any super-unproductive debates:

When you're advising/training at-risk end users, it's not enough that it be possible to achieve some kind of security with a given load-out. It needs to be secure without trying hard.

So for the purposes of this document, we don't really need to litigate this phone or that browser. We just have to note that for non-specialist end-users in high-stakes environments:

* It has to work.

* It has to stand a good chance of remaining secure without trying.

* It has to be incredibly simple to get everyone set up the same way.


A casual read says the safest easiest setup is everyone doing all their work on a recent iPhone model. Good news is, assuming the budget requirement can be met, this is pretty close to what is already happening for most people.


Indeed; most Washington types who used to live on Blackberry (excluding those who haven’t yet had to give their precious up) moved to iPhones over Android, in my anecdotal experience. Outlook is the name of the game, and that runs quite well on iOS. Though it sounds like this training would push people toward the Gmail app, which is just fine.

One point I would make is that it’s rather easy to make Siri only respond after unlocking, but that’s probably out of scope of this training — and not something staffers are going to remember. For added security, disable Hey Siri, too, because that’s a hot mic. (But again, scope.)


Can we just all be clear that these aren't "Washington types" we're talking about? These are random businesspeople in random Congressional districts scattered throughout the US.


I don’t follow what you’re correcting or why you’re using my comment to launch off on that correction to everyone, because I was agreeing with Jeff on the broader motion to iOS based on my anecdotal experience with Washington staffers in general, not limited to a Congressional campaign. That being said, the senior ranks of any successful national campaign are always Washington types (one notable, recent outlier notwithstanding), and they benefit dramatically from this training, so it’s not even an unfair observation in the context you’re asserting.

(Unless you’re saying a gaggle of Chamber of Commerce suits from Topeka can navigate party politics, secure funding, get attention, get nominated, then somehow win without DC experience and connections in leadership.)

Edit: 'idlewords — I tried to reply to you before you deleted; Congress or a Congressional campaign means a national race, and toned my replies here. You and Thomas are talking about state legislature races, apparently, which was not obvious until your deleted comment. We don’t identify state-level legislative bodies as Congress, which is a term that means the entire national legislative body, not just the House. It’d be half appropriate to say congressional without a capital C, but still weird. Gotta enunciate state.

I genuinely thought you were training early campaigns for next national, the way you worded it. You should, honestly. They don’t get awesome advice.


I want to give a little bit of context to this guide. So far I've done this training with six congressional campaigns, and a very similar one with about two dozen journalists.

Everyone has a limited mental budget for security hassle, and it's a challenge to fit the most important bits of advice into that budget. The hardest bits are those things that are relatively easy to use, but a beast to set up—password managers and security keys.

There's a lot more that could be in this guide, but I've found that it's the most material that I can fit into an hour, and even then the people running for office find it intimidating. However, they are also very glad to get actionable advice, and in a format that is not too technical.

By far the most surprising thing to people on this list is the admonition to turn off anti-virus software.


I want to throw some anecdata on this.

Someone I know could be considered a high profile target. A few months back I helped him migrate from Internet Explorer to Chrome.

I was onsite for most of an afternoon helping the process. For the next few weeks I received phone calls because he was lost and needed help.

I've seen Reddit comments on people in similar positions with statements like "they should be on Qubes OS, period" or "they should use Tails only" or "anyone in that position should be using deblobbed Thinkpad".

I can only tell those commentators they have tried to help such a person. Thank you for a much more realistic view on the situation.


The one you really want to figure out how to nail is the email attachment problem. This is as good as any realistic advice I've seen, but you just know that even for people who read this stuff really carefully, attachments are how they're going to get owned up.


I don't have an easy answer, but the "just use Google Drive" advice has always struck me as "create a workflow that sees lots of Google logins" which exacerbates phishing. I think U2F probably helps a lot here, but I would really push to move away from web-based workflows. It puts a lot of really dangerous UI all in the same window. In a world where people use Outlook (or pine, harhar) they don't type their all powerful email password into the browser because why the hell would the browser ever ask for the email password. But I think that ship has sunk.


First, running things locally opens you to local exploits which, once successful, can capture not only your email password but everything else you do on a computer.

Second, with a password manager, users shouldn't be typing passwords in. I don't even know my Gmail password.


Campaigns seem like they might be easier to wean off attachments than journalists, who routinely email documents back and forth to their editor with 'track changes' turned on. But I'm eager to follow up with campaigns in a couple of months and see whether they actually followed the advice.


Maybe the best thing to do is just ban attachments altogether at the domain admin level?

https://support.google.com/a/answer/2364580?hl=en


Which journalists? City papers have managed their writing/editing workflows in software specifically meant for newsrooms since long before there were GUIs. Freelancers, maybe?


Keep in mind "journalist" is a broad term now. Most blogs or new media mastheads work that way or track changes in Google Docs/G Suite/whatever. In general, I'd assume you're right about traditional papers, who I'd expect to work the way you suggest.

Smart money is following what WaPo is doing in that space with Arc. They've begun to corner that market.


Is there a standard workflow for talking to sources?


No, but there certainly is for filing stories and running them through a series of editing desks.


Can you briefly explain about turning off anti-virus? I see that but nothing about why, or why Windows Defender is still ok and how that differs from the general category of anti virus?

Maybe it's in your course so you don't want to spill the beans, but all of your other advice seems consistently good, this one could use some more explanation for the uninitiated who have heard the exact opposite for, like, ever. :-)


The problem is that many AVs are not tested well, and prone to actually making you more vulnerable by bugs in their analysis code.

Basically, think of receiving an email with a malware attachment. If you have good hygiene, you won't open it yourself. But your AV will open it to 'scan' it, and that gives it an opportunity to compromise it.

Add the fact that most AV runs with high privileges and is not sandboxed, and this is a pretty bad state.


Because intelligence agencies buy or hack antivirus software because its access patterns don't look suspicious. Scanning your hard drive and uploading random contents? What AV is supposed to be doing.

Windows Defender is different because if Microsoft wants to fuck you and you're using Windows, they already can.


AV only detects already known malware, and often poorly. As a trade off you are running highly privileged code that fundamentally needs to process untrusted input and is often of low quality. For a high interest target, AV software opens up more holes than it closes.


An iPad should be just as secure as an iPhone, right? I'm sure that's much more common and an easier sell than a Chromebook in D.C.


Yeah this is a good point plus the latest iPad Pro is amazing, performance and feature wise.


I live in DC, and socialize with many others in a similar professional situation as infosec people.

I'll read your site again to not wait on an answer here, I'm a huge fan of you after reading your longform stuff on Yemen and seeing your mention of the TS idea before on HN 1-2 years ago. Is there any need for volunteers on the ground? What can I do to help you?


The grugq (Nov 20) on campaign information security: https://medium.com/@thegrugq/campaign-information-security-f...


The Grugq's post is strong. The Harvard campaign security report he links to is not; it's actually pretty bad.


I didn't like their report which is why I wrote my guide.


It would be worth adding to the article registering your Google account for the Advanced Protection Program: https://landing.google.com/advancedprotection/


The guide suggests gmail and two factor, but why not also https://landing.google.com/advancedprotection/ ?


> Under no circumstances use the Tor browser (it's okay to use Tor, but do it with Chrome, and seek additional training on how to set it up).

Is this just because Tor Browser prompts the user to update while Chrome updates silently on restart, or something else?


No, it's because Tor Browser is the worst possible combination of attributes: a lagged fork of what is currently (despite heroic efforts from Mozillians) the least secure mainstream browser, packaged in a way that disproportionate numbers of high-value targets use it.



Does anyone have insight as to why they recommend only using Chrome, including using Tor with Chrome and not the Tor browser (fork of Firefox)? Is this just to keep things consistent or are there privacy/security concerns over using Firefox?


Chrome has a process-sandbox architecture that is significantly protective against new exploits; Firefox's equivalent, Electrolysis, isn't ready yet. In the 2017 Pwn2Own competition, Firefox was cracked and Chrome wasn't.

The Tor browser is almost certainly better at avoiding accidental disclosure of your IP address, but worse at general exploit-resistance. Making use of Tor in a way that fully protects their identity is probably beyond the capabilities of a Congressional candidate anyways, so it would at best create a sense of anonymity that was false.


If we're really nerding out about browser security, it's important to understand that while Firefox's sandboxing is not as sophisticated as Chrome's, it's not a lack of sandboxing that puts Firefox behind Chrome (and probably Edge), but also all the other stuff that goes into browser security, most notably runtime hardening and ancillary vulnerability research.

People tend to look for a simple explanation for these kinds of differences, like, "iPhones are more secure because they have a Secure Enclave", or "Chrome is more secure because it has better sandboxing". But the real answers are rarely that simple. There's a lot more that goes into both iPhone and Chrome security than those simple things.


Can you elaborate as to what you mean by Chrome having better "runtime hardening"?

For what it's worth, I tend to think the biggest issues are the weaker sandbox (the GPU driver is exposed in Firefox, which WebRender is taking a big step toward fixing) and, in the future, Site Isolation (which I think is oversold, but it would help sites like Gmail).


I'm still a bit lost as to what legitimate use a Congressional candidate would have for anonymity. If they need someone to do adversarial research anonymously, they should "have people for that"... since if the anonymity is breached, it would expose only the deniable asset. "Rogue employee" or such...

As for why Tor Browser Bundle sucks: https://medium.com/@thegrugq/tor-and-its-discontents-ef51648...

Plenty of things combined, but not least of which is that Mozilla only patches High + Critical bugs in long term stable release builds, so you can just chain Low + Medium known vulnerabilities together until you get access.

The only safe way to use Tor is with a router providing a secure middle point for "upgrading" all traffic to Tor. That way if the end point is compromised, it cannot beacon information back w/o being forced through Tor. This is why I don't like software solutions that provide Tor access and are tenant on the same hardware. It simply means that one additional exploit breaks the system. A Tor router (a good one, none of the commercial ones are) will expose only the DHCP server [optional] and the Tor SOCKS5 proxy port. Leaving an attacker with only a very small attack surface: the Linux kernel network stack and the Tor daemon. A software solution with co-tenant router (such as Qubes, or Whonix) has the same attack surface plus a hypervisor and (potentially) a shared kernel interface (i.e. the entire kernel API). Tor Browser Bundle is even worse as there is no Tor router, simply an app that is configured to use Tor, and if it is compromised then the code executed by the attacker can elect not to use Tor as the system itself is networked.

Tor has very few use cases IMHO, and since one of them is "purchasing drugs from a reputable source," I don't really see why Congressional candidates should ever use it themselves. A VPN, on the other hand, is different.

I would actually extend the guide by @idlewords and say "install the Freedome VPN on all your iOS devices, enable it, buy the $30 a year service, and forget about it. You'll have a secure IKEv2 VPN to a reasonably[0] safe end point that is doing active filtering for malicious sites as well as some trackers and ad blocking (the source of most 'drive by malware.') This one app will make all public WiFi safe[1] to use, it will increase your privacy [by aggregating your traffic with other people's exiting that same IP], and help to reduce your exposure to known bad websites that serve malware."

[0] 'reasonably safe end point' in that it is operated by F-Secure, not anonymous and potentially malicious agents. F-Secure has a reputation to maintain and actively sniffing traffic for secrets (e.g. Wikileaks) or inserting malware into downloads (e.g. various threat actors) would be the end of their business. They are probably capable of securing an end point as well as anyone else, and if you aren't technical enough to set up Algo VPN yourself then Freedome is a reasonable compromise. Vastly better than fly-by-night "bittorrent safe, logless!" "we put OpenVPN on a VPS" VPN companies.

[1] yes, nothing is truly safe, the NSA is logging all encrypted traffic for years, chemtrails don't care about IPSec and jet fuel can't melt APs, thanks for your pedantic observation.
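
Added example, not part of the comment above or of any project it names: a check a defender could run on such a Tor router to confirm that only the DHCP server and the Tor SOCKS5 port are reachable from clients. The port numbers (67/udp for DHCP, 9050/tcp as Tor's default SocksPort), the interface name and the sample `ss -H -lntu` output are assumptions constructed for illustration.

```python
import ipaddress

# Listeners the comment says a Tor router should expose to clients.
# Assumptions: 67/udp is the DHCP server port, 9050/tcp is Tor's default SocksPort.
ALLOWED = {("udp", 67), ("tcp", 9050)}

# Constructed sample of `ss -H -lntu` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0      0         0.0.0.0%lan0:67         0.0.0.0:*
tcp   LISTEN 0      4096       192.168.8.1:9050       0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.1:9051       0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128               [::]:22            [::]:*
udp   UNCONN 0      0                    *:5353             *:*
"""


def parse_listener(line):
    """Return (proto, host, port) for one line of `ss -H -lntu` output."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError(f"unrecognised ss line: {line!r}")
    proto, local = fields[0], fields[4]
    host, _, port = local.rpartition(":")
    if not port.isdigit():
        raise ValueError(f"unrecognised local address: {local!r}")
    # Drop the %iface scope first, then the IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return proto, host, int(port)


def is_loopback(host):
    """True only for addresses that are provably loopback."""
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown form: treat it as exposed rather than ignore it


def unexpected_listeners(ss_output, allowed=ALLOWED):
    """List every non-loopback listener that is not on the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        if not line.strip():
            continue
        proto, host, port = parse_listener(line)
        if is_loopback(host):
            continue  # e.g. a control port bound to 127.0.0.1 is not client-reachable
        if (proto, port) not in allowed:
            findings.append((proto, host, port))
    return findings


if __name__ == "__main__":
    for proto, host, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto} {host}:{port}")
```

On the constructed sample this flags the SSH listener on both address families and the wildcard 5353/udp listener, each of which widens the attack surface beyond the two services the comment allows.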


Firefox is less secure than Chrome, and the Tor browser is much more dangerous than Firefox.

A secondary reason we recommend Chrome is that the FIDO security keys work with that browser, while I believe they don't work yet in Firefox.


Could you elaborate on how the Tor browser is more dangerous than Firefox?


To quote tqbf on this site, 'Do NOT EVER use Tor Browser. It's the least safe browser you can use: a lagged fork of Firefox for which whole classes of security bugs are potentially WONTFIX'd, and also the only browser that goes out of its way to collect high-value targets.'


src:

A Guide to Not Getting Hacked | https://news.ycombinator.com/item?id=15733698 (15735789) (Nov 2017: 175 points, 78 comments)

A very similar conversation to this one, but with more criticism of the advice in the associated article.


I am also curious as Chrome could be collecting some ads tracking data Safari wouldn't be. Is it that easy to break into Safari still?


I believe Chrome does an outstandingly good job at sandboxing.


@tptacek and @idlewords can you share how you are teaching these non-tech people how to use a password manager?

In my experience it's far from intuitive even if you're using 1Password. Just the first step of explaining how to create a master password that is strong enough to protect all the other secrets is a challenge. I try and describe the diceware process because it will yield a better result than what the user will come up with.

Anything you can share would be appreciated.


> You must use an iPhone, model SE or later. Android phones are not safe to use.

> If possible, consider getting a Chromebook. This is a simplified computer, far more secure than an ordinary laptop, that can only run the Chrome browser.

Reducing attack vectors in this way seems very sensible to be honest. It's crazy to expect users to understand the ins and outs of computers to remain secure. I remember it being common that people would comment that you can't drive a car without a license so you should have something similar for being allowed to use a computer.


> Siri can reveal information about your contacts even when the phone is locked.

So can swiping to the right on iOS 11... or just getting a message notification from Signal with its default settings. For that matter, shouldn’t this guide contain some guidelines about where your contacts should be stored if that’s considered sensitive?


This is the same advice I give to my mom. Especially opening everything she receives, in particular from her students, through Google Drive/Docs.

However, do you really trust Google to be the safekeeper of important data for elections? This is at most a temporarily valid advice for Democrats.


Without teaching folks what a password manager is and how to use it, it's useless advice. I've seen folks use 1Password with their old password for everything... A 2min demo and an explanation why they should use unique passwords is needed for most.


That's one of the reasons a text guide isn't enough, you need a briefing. Also, the installation procedure for 1password is an absolute nightmare. Ideally people shouldn't even see it.


To me, “if you can remember your password, it is likely not strong enough“ — conflicts with suggesting it is okay for a user to use “a six-digit key code” on their iPhone.

Any thoughts or clarifications?


Yes: your six-digit PIN is physically secured in ways your online passwords aren’t.


To expand on that, the iPhone hardware (secure enclave) limits the number and rate of PIN attempts. Depending on configuration, after a number of incorrect attempts, it either takes an increasingly long time to make a guess or just wipes the device (by destroying the encryption key).


This is pretty shitty advice. Online brute force attacks against passwords are rare. The only really important advice for passwords is never reuse anything. This is only achievable with a password manager. So the only really important advice is to use a password manager. Everything else is noise.


My phrasing is a way of telling people to use a password manager that doesn't rely on them understanding what "password manager" means.


Very good advice.

Couple thoughts:

First, Google’s Password Alert extension should be added to the list of extensions. Best protection against spear phishing.

Secondly, “Assume that anything you say on Slack or in Twitter direct messages will one day be public. It's fine to use Slack for coordinating and organizing, but be mindful of the conversations you have there. Move private discussions to Signal.”

This “eventually public” argument they say is the best framing of the benefit of end-to-end encryption I’ve seen so far. It’s not about “hackers could hack Slack and own your data now!” as much as “eventually any interesting cloud data that’s unencrypted will be made public.”


Android: unsafe at any speed, apparently.


Specialists with carefully chosen phones can achieve security that is asymptotically as good as a recent iPhone.

We can spare ourselves the world's dumbest HN thread if we stipulate that by far the largest problem with Android is that it means a zillion different things. Campaign workers (or NGO employees) with "Android phones" are people that have every conceivable random phone that happens to be running some variant of Android.


> Specialists with carefully chosen phones can achieve security that is asymptotically as good as a recent iPhone.

Who cares? Security conditional on expertise, extraordinary caution, and time investment is WORTHLESS.

Security is more about guiding (or forcing) human beings to the right behavior than it is about making technical mechanisms available for the willing and able. Your security model should assume that the user is stupid, grossly negligent, and in the case they are the employee or other agent of an organization, somewhat hostile to the interests of the organization.


I believe tqbf is just trying to head off unproductive Android vs. iOS arguments, and agrees with you.


The security advice I give the non-tech people in my life is to get either an iPhone or a Pixel (or older phone made by Google). Is there any reason this isn't good enough? I vaguely recall that recent iPhones have a few useful crypto features that the Pixel still doesn't, but I'm not sure how much of a difference this makes. Certainly, I view the update situation as the primary reason not to use third-party Android phones, and the Pixel doesn't have that problem.


Yes, there are reasons that's not good enough. It's not simply that you have to be careful what phone you pick, but also that you have to do things differently on Android phones, including Google's phones.

At-risk nonspecialists should avoid all Android phones, and standardize on iPhones.


I'd be very interested in reading a longer-form blog / comment on this, if you ever feel like writing one.


> We can spare ourselves the world's dumbest HN thread if we stipulate that by far the largest problem with Android is that it means a zillion different things.

Does that mean that there are other specific Android phones that one could have required instead? Or are you keeping silent about the real reason?


Not to mention even with a better Android OS (I've finally switched to Lineage from CyanogenMod) is the thousand random applications users install. The best thing iOS and the FOSS Androids did was give more granular app permission control.

In general my suggestion is people uninstall every app they don't "need" and to pay careful attention to permissions.

Even when I was an iOS user, all I needed was a terminal, from ssh, emacs, gnus, screen, etc.


Is this written by the Russians? The Chinese? Are you kidding? iPhone or Android? They are both highly porous and highly perforated. Gmail? Chrome?

Here is some on secure browsers: https://www.techworld.com/security/best-8-secure-browsers-32...

Boeing Black? https://economictimes.indiatimes.com/slideshows/tech-life/5-...

... just a little work would give something actually secure. This is like playing charades with guns.


In the secure-browser article cited in the parent comment, number eight is the Yandex Browser. Quoting from the article: "Yandex, which is based on Chromium, uses the 'Blink' engine which runs checks through downloads and even uses Kaspersky's antivirus to scan for malicious content." I find this recommendation a bit surprising.


Sorry. I don't even know where to start here but so much of it is really bad advice that doesn't accurately make assessment of user workflows and effective threat modelling.


I'm open to criticism, so maybe pick the worst piece of advice and tell me what it should be instead?


The fact that you don’t have a line item that says “Don’t feed the trolls” seems problematic.


Trolls gotta eat


I found this to have a lot of holes at best. If this is for end-users working with a campaign some of this might be appropriate, but really the campaign should have people in charge of security and a lot of things should be funneled through them. If this is for end-users then the advice about antivirus, etc. should be removed because that should NOT be an end-user decision.

First thing: How is the campaign going to be operating and handling documents? Security for the scenarios is going to be different.

* If it's going to be in one or more offices with tightly restricted access from outside those offices that's probably the best for security but may be less convenient. Primary approach: restrict access to a limited pool of "trusted" devices and keep those secure.

* Entirely cloud-based (e.g. GMail, Google Docs, etc. or perhaps the business/enterprise Office365 and OneDrive). Primary approach: Tightly control document access at the storage side, probably primarily based on user accounts, while allowing many devices.

* Using online storage but traditional desktop programs, etc. is a second option, but may be harder to control. Primary approach: None, this is a hybrid and I think it has all the weaknesses of both other approaches.

Second, be aware of the kinds of threats you need to be ready for. Big areas of concern that jump out at me:

* Data theft/exfiltration of sensitive campaign documents.

* Data loss/destruction - via malicious trashing by an intruder or via failure of key systems.

* Loss of access at key times - are there times where temporary loss of access to systems has a major impact? (I'm used to thinking in terms of electronic medical records for doctors' offices, where at the least a down EMR puts a huge crimp in ability to see patients.)

* Possibly addressing of faked documents, but I'm not sure that's an internal security matter that can be addressed beyond being able to say with confidence "Our network has not been breached and we have access/audit logs to prove it."

Focusing on what I'd recommend as the best option from a security standpoint (documents, etc. are stored within the network, documents can be accessed only from within the network, network access is tightly controlled, document storage is appropriately partitioned with security groups to limit access) some thoughts. This is also the kind of network I'm most familiar with - I'd never consider having any medical client using any kind of cloud storage for practice documents that could contain PHI/PII (Protected Health Information/Personally Identifiable Information).

Re: Updates, absolutely, everything should be kept up-to-date. Ideally patch status, etc. should be monitored for all systems. This includes network equipment as well, most notably routers and any wireless equipment.

Re: Anti-virus, I disagree - Choose a good managed AV product, use it, have someone whose job includes getting alerts from it and reviewing logs it generates. I'm partial to Bitdefender, but Emsisoft may also be a good choice and also uses Bitdefender's virus definitions as one component. I'd avoid Kaspersky these days. I say this because I see the logs for managed Bitdefender blocking of known and suspected phishing and malware sites and I get alerts when malware is blocked. A good AV product should also help protect against both hacked websites visited by campaign staff and spearphishing.

Re: Email, why is this document talking about personal email? Do not use personal email for campaign work. Do not use personal email on campaign systems (assuming the "closed network" approach). If staff need to deal with personal email because their sister-in-law just sent them the newest Elf Bowling, they can do it on their phones and/or their own time.

Re: Email, if using an email system that supports 2-factor auth, use it.

Re: Email Attachments, assume malice. The advice to open documents on a phone instead is not unreasonable since the phone viewer is unlikely to have the same vulnerabilities as a desktop program. Viewing documents in a different program may also be a viable option, particularly if your internal use of that program isn't well known (e.g. Word-based attacks are unlikely to impact LibreOffice).

Re: Email, Inbound email should be going through all sorts of filtering which may not stop all attacks but should at least be able to cut down on possible noise. As an example with Office365 Exchange, there are a bunch of options (under "International Spam") to block messages based on the language encoding, the country/region it was sent from, etc.

Re: Passwords, 1Password is a good option. 1Password Teams is probably a better one.

Re: Phones, the advice to use iPhones is probably good, particularly because current-enough iPhones all get software updates where Android phones from different vendors are all over the map. Possible exception: If you're using the all-cloud approach on Google services, the Pixel phones should be a viable choice. If feasible, something that can be remotely wiped (at least email) by a mail administrator is probably not a bad idea.

Re: Laptops, yep, full disk encryption, etc. and never plug in USB devices, but on a management side assume that laptops are a weak point and take steps to ensure that the damage from a compromised laptop can be limited.

Re: Wireless access for Phones, Laptops, Tablets, etc.: Consider not using Wifi AT ALL. If Wifi is used, lock it down to recognized devices, which should not include ANY personally owned devices, particularly including phones, tablets, etc. Any device that end-users are allowed to install software on is a device that should not be connecting directly to your network. If you're unfortunate enough to have a campaign office in the basement of a steel building, set up a separate "Devices" network (still with authentication) that those devices can connect to.

Re: Messaging, yep, Signal. Regard just about anything else particularly including SMS as being plain-text that a skilled attacker could read. Also be wary of apps like Join, MightyText, etc. that allow handling of messages and device notifications from desktops.

Re: Browser, I'm not sure I agree with a Chrome-only approach (why no Firefox?), but I don't have a big problem with it. One advantage particularly for individual installations is that it will auto-update in the background, and with process-per-tab I believe new tabs will get created on updated versions (can anyone who's read this wall of text confirm?). I agree with the use of uBlock Origin and HTTPS Everywhere - compromised ad networks particularly with targeted ads could be a real risk.

Re: Mobile Browser, Even more than incognito mode, Firefox Focus may be a good choice as a default for browsing that doesn't require logins to sites.

Did I leave any gaping holes? This is kind of off the top of my head.


I'm not sure you understand what a Congressional campaign is like. Outside a few really rich districts, you'll have the candidate, a campaign manager, a media person, someone in charge of fundraising, and people to manage volunteers. Using social media is routine, and everything that doesn't involve money is connected to people's regular accounts.

If you're lucky, the campaign staff will have an analytics person, and they (or the most technically adept member of the campaign) become de facto tech support for everyone else.

Many of the people the campaign staff need to work with will be volunteers who are already task saturated on campaigning, and have no capacity to learn whatever security processes you have in place.

The overriding priorities of the campaign will be fundraising and outreach. Everything else will be subordinate, and anything that makes those two things harder will be ignored.

I don't know what situation your comments are appropriate for, but they will not work for the people we are trying to protect.


Thanks, I didn't realize how small most campaigns were, and I can see why it wouldn't be something where a third-party could set up to provide the services - way too cyclical.


The Democratic party apparatus steps in to some extent, but only after the primaries, and they're not too clueful, either.

The guide here is an attempt to see how much we can bring up the level of security on a campaign without IT infrastructure. It's meant to be the "wash hands, boil water" of security advice, not an ultimate security guide. So thanks for understanding the context!


>> the campaign should have people in charge of security

OK, but most don't.

Money is a very limited resource in campaigns, and almost all campaign managers will choose to spend it on direct mail and ads over hiring someone for IT security. Their thinking will go "this organization is only around for a year or two, and if we don't win then it won't matter what our IT issues were", and their colleagues in the world of professional campaigning will agree with them. If we're lucky - and I hope we are - the DNC/RNC will have a hotline and national support team for IT security that campaigns can call, but it'll get swamped fast.

Local campaigns don't do enterprise IT. Local campaigns buy G Suite and some old laptops, and leave them sitting around campaign offices in which plenty of not-well-known people come and go. They'll likely be administered by either a contractor hired to set up the offices, or by a friend of one of the early paid employees who "knows computers". While simple changes that individual users can do aren't as thorough as what you get with a proper security administrator, they're much more likely to get done.

If you're a local[0] campaign and a nation-state actor wants to attack you, they'll probably be successful - but anything you can do to tilt the odds in your favor (like this guide) will help.

[0] Senate campaigns will generally have a small IT team who can do most of the enterprise-level management things mentioned. National campaigns will have a well-staffed IT team to do all this and more.


This is a very good comment. Worth mentioning here is that a typical budget for a Congressional campaign is 500K-1M, while a Senate campaign costs 10M, so can potentially put more resources towards IT.


> really the campaign should have people in charge of security and a lot of things should be funneled through them.

Ideally, yes, but unfortunately you're assuming a can opener [0]; Thomas hit the nail on the head with his comment above [1].

[0] https://en.wikipedia.org/wiki/Assume_a_can_opener

[1] https://news.ycombinator.com/item?id=15777576


True, though for some reason I thought it was assuming a spherical frictionless chicken....

Probably just as well that I didn't remember to add using a subscription-based UTM firewall at each location.


I know this is showing my age around here, but didn't there used to be a norm about not posting a straight wall of text? Like, write your own blog post if you want to respond at length to either someone else on the site or the link being discussed?


No, it hasn't and it sounds strange to me. Why would I leave HN to read a rebuttal to a comment on HN?


I'm going to guess because no one wants to read your New Yorker-length-wall-of-text-blog-post-cum-comment. It was an original part of the rules of the site which have now been removed; if I cared enough I'd dig up an archived version of the site and find the FAQ.


Well, maybe if I was able to provide New Yorker levels of quality, but I make no such claims.

If I were able to do anything with it I would have since it was largely based on my misunderstanding of the scale and logistics of the campaigns, but by the time that was clear I was no longer able to edit and I think the followup comments are better in context anyway.


For my part, I appreciated your comment, both for the perspective that it offered, and because it showed me how differently people imagine these operations than the way they look from the ground, a year away from the election.

I think substantive comments should always be welcome here, long or short.



