Data security ratings

I had an interesting conversation on Mastodon last night with my

fellow sundog Christina, who opened with:

"#infosec and #privacy enthusiasts of all levels of knowledge and

ability, three questions for you!

1. On a scale of 1 to 10, where do you rate your personal infosec

practices? Name three practices you do to define that level.

2. If you rated yourself above 6, name two practices someone at levels

2 through 5 could do to raise her level.

3. If you rated yourself below 6, name two practices of yours that

most people should do but don't. What would you like to learn."

Some good conversation followed from this, which she has summarised at

her phlog[1]. I liked these questions, but what I liked even more was

exploring this notion of ratings. Christina said "I wish I had enough

knowledge and textbox space to personally define the levels 1 to 10,

the rebuttals & corrections would be illuminating", and I quite agree!

I actually don't think this is a super productive way to think about

security (more on that in a later post, I promise, but basically a

ranking scale like this is no substitute for the concept of threat

models), but I will readily admit that it's a heck of a lot of fun. I

reluctantly rated myself a 7, but based on some of my practices,

zelbrium was astonished I ranked myself so low and wondered what it

would take to hit a 10. So, just for fun, here are my ideas on what

the endpoints of this scale look like.

A "0" user is never out of reach of their smartphone, which runs stock

software with all features enabled and has an unlimited data plan

which is always on. They use a Windows PC without any antivirus

software, and browse the web using a stock browser. They are daily,

enthusiastic users of Facebook, Twitter and Google, never log out of

them, and all of their account names are first_m_last.

A "10" user does not own a cellphone and has no home internet

connection. If they use more than one computer at home, they are

either not networked or are networked only via ethernet. This person

accesses the internet via their dedicated internet computer, which is

a laptop they purchased second hand, with cash. The laptop is either

old enough that it never had a built in camera or microphone, or if it

had them they have been permanently destroyed, e.g. cables cut, chips

desoldered, whatever. The laptop has a wireless device but no hard

drive. It boots an OS from a USB stick or, better yet, a

non-rewritable CD. To get online, a "10" user takes this machine to a

local library, cafe, or somewhere else with free wifi. They connect

to that free wifi, and then route everything through Tor, or perhaps a

VPN account paid for with carefully obtained bitcoins. Their browser

is fully pimped out with all the requisite privacy enhancing plugins.

Once on the internet in this manner, they never, ever do anything

involving their real name, real address or real date of birth. No

internet banking, no online paying of bills, no shopping at Amazon or

eBay. Strictly passive content consumption, or posting under a

pseudonym on some services not run by surveillance countries. This

might sound super extreme, but in this way you could easily follow

world news, educate yourself with Wikipedia, operate an SDF account

(pay for all membership tiers in mailed cash!) or a Mastodon account,

send encrypted emails to penpals, etc. An online life lived this way

would be extremely difficult to tie to your real world identity.

Surely not impossible, but the time, energy and money involved in

doing so means nobody is going to bother just for the sake of

advertising. Unless you manage to piss off a nation state, you're

probably pretty safe.

[1] gopher://circumlunar.space:70/0/~christina/InfosecAndDataPrivacy.txt