Peter's Rules of
for Protecting Your Data
Updated: 10/11/2018
Note: This is a Work In Progress! It will never truly be done
because The Bad Guys keep finding new
games to play. I'll update as time and temperament allow.
Here's a tl;dr for those of you too
lazy to read this in its entirety:
- There are a lot of Bad Guys on the Internet.
- They are smarter than you are—regardless
of how smart you think you are.
- They want your money.
- If you don't take positive action to stop them, they are going to win.
- I guarantee it.
- Oh, and back up your data because hardware, AV software, and companies fail.
Every. Single. Day.
If the above doesn't motivate you to do something, then ... fine.
I don't care. I can't see your bank/brokerage balance from my house.
Go zone out on FaceBook; Mark Z cares about your privacy. No, really he does.
He even said so early on.
For those of you still with me, here is my best, current (10/11/2018) assessment
of what is happening and what you can do about it. The Good News is that you
can do something about it.
Much has changed in the 5+ years since I last did a major update to my Rules.
What hasn't changed is that there are still Bad Guys®
out there who want to take your money.
What has changed (and continues to change) are the specific
mechanisms the Bad Guys use to accomplish their nefarious goals.
What prompted me to finally do this update are:
- the jaw-dropping security failure by Equifax in 2017;
- the announcement of 2 new jaw-dropping hardware vulnerabilities;
- my receiving
3 7 10
12 18 webcam blackmail messages
emails in 10 weeks (and which included a specific reference to an ancient
password of mine).
Nota bene: If you call me asking for help and you haven't
done (or at least attempted to do) everything on this page, then I will do some combination
of laugh at you, deride your woeful inability to protect yourself,
or hang up on you. What you won't get is sympathy or respect. You have
been warned.
What You Need to Do
Even if you're a hot shot tech person, you need to make sure
you have taken the following actions. If you already know
how to do these, then read the list and go do them.
If you don't know how to do them, I will try to head you in
the right direction.
- Freeze all of your credit reports.
If you only do one thing because of this page, this is the one to do. DO IT NOW!
- Monitor all of your financial account activity like a hawk.
- Be continuously up-to-date on
all security patches for your machines.
This includes desktops, laptops, servers, tablets, and ... cellphones.
See 2017 Equifax Data Breach for what can happen if you don't.
- Use long, strong, and unique passwords
for each of your online accounts that have anything to
do with money or identity. E.g. banks, brokerages, Amazon (think: gift cards), etc.
- Use unique email addresses
for each of your online accounts that have anything to
do with money or identity.
- Backup everything you care about on
all of your devices.
Let me repeat that:
BACKUP! BACKUP! BACKUP!
- Use anti-virus software as appropriate.
- Stop clicking links in your emails!!
I try to give fairly detailed instructions on how to do each of these
in the section Things You Can Do NOW!.
So What Happened?
Topping the list are
two separate events: The 2017 Equifax Database Breach
and the announcement of not 1 but 2 fundamental hardware vulnerabilities.
See the next section, Freeze Your Credit Reports,
for more on the Equifax fiasco.
The hardware vulnerabilities are both harder to describe and harder to fix.
Most techies are of the opinion that there really isn't anyone to blame
for either of these vulnerabilities. They've existed for years and it's
only in the last year or so that
White Hat Hackers (AKA The Good Guys®) found them.
- Meltdown: This hardware vulnerability affects essentially every
CPU chip manufactured by Intel (and some by AMD) ... since 1995! (This positively
boggles my mind.)
The problem is with the chip, so, yes, this includes Windows, Macs
and Linux machines.
- Spectre: This hardware vulnerability affects essentially every chip
manufactured by Intel, AMD, or ARM since 2010. You may not be familiar
with ARM, but if you have a tablet or a cell phone manufactured by
anyone then it's about 99.9999% certain it's using an ARM chip.
I've seen estimates that say as many as 2+ billion devices may be
vulnerable to Spectre.
Both of these vulnerabilities allow for something called a
Side-Channel Vulnerability. This is sort of like someone
discovering there is a peephole into the girl's shower room at school.
Only this is a peephole into the operating system's private memory.
Translation: a successful exploit of either of these vulnerabilities will give
the Bad Guy unfettered read access to anything on the machine.
The good news is that there is a "workaround" for Meltdown. A workaround
is not a fix, but it's a way of doing things that make the peephole
not work anywhere near as well as it could. The bad news is that the
workaround slows down your computer. For a normal user with an over-powered
desktop or laptop, you probably won't notice it at all.
For servers, especially those running heavy-weight database software
(which does lots of heavy file I/O),
the slowdown can be anywhere from 20% to 35%. That means that companies
will a) have to apply the patch to the OS, and b) buy/rent 20%-35% more servers.
Alternatively they could switch to using servers based on (certain) AMD chips,
which many companies already do anyway.
With Spectre there is good news and bad news. The good news is that
it is a much more difficult vulnerability to exploit. The bad news is that
the "fix" is to fundamentally rethink how modern CPUs (Central Processing
Units) are designed and built. As we geeks say, this is a nontrivial
problem. Translation: it may take a lot of time—at least months,
quite possibly years—to come up with the new design.
And then everyone will have to buy new hardware; we're talking
trillions of dollars here. Yes, it really is that bad.
Meanwhile, make sure your security patches are
up to date. :-)
Note: For the truly curious and/or masochistic members of the audience,
I recommend starting
with the announcement released on 1/4/2018 by
US-CERT (Computer Emergency Readiness Team):
TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance.
It's very technical, but it basically says we need to go to the
cyber equivalent of DEFCON 2.
And then you might want to go to Meltdown and Spectre:
Vulnerabilities in modern computers leak passwords and sensitive data, where you can get information straight from the people who discovered these two Swamp Things.
Things You Can Do NOW!
Freeze Your Credit Reports
In early 2017 Equifax screwed the pooch
on an epic scale. As a result of criminal negligence on their part
(in this case, failure to apply available, critical security patches to their
servers) the highly
sensitive details on over 143 million Americans became
available to anyone who wanted to pay for them on the Dark Web.
In other words, the Bad Guys now know your name, your address
(and all of your previous addresses), your
driver's license number, your Social Security Number, and the full account
numbers on every bank account and credit card you've ever had.
It really doesn't get much worse than that.
Freezing your credit reports means telling the Big 3 — TransUnion, Experian, and (gag!) Equifax — that they can't release your data to anyone who
asks for it. This means it will be a bit of a hassle getting a new credit card,
or getting a mortgage, but you can always temporarily unfreeze
the information and then refreeze it after you've done your thing. The
important point here is that the Bad Guys can't open a new account in your name.
Although the freeze/unfreeze process is not free, the cost of not doing it can
be ruinous. Maria and I are a) California residents and b) over 65,
so State law says we get
it for free. Your mileage may vary. Check your own state laws on this.
Nota bene: You must freeze each person's credit reports at all 3 agencies.
Nota bene 2: Identity Theft Protection is a scam
run by the credit reporting agencies! Why? Because they are desperate
to keep you from freezing your credit reports. Why? Because that's
how they make money: selling your data. If your report is frozen, well
... they can't do that, can they? Too bad, so sad.
But don't take my word on how bad this situation is, read what the U.S. Federal Trade Commission
has to say about this. The Equifax Data Breach: What to Do.
And here is their Credit Freeze FAQ.
Read it and DO IT!
Monitor Your Financial Accounts
Maria is borderline OCD
on this point and it is because she is that she knew within hours that our
primary credit card had been compromised for over $4,200 — $800+ at Tiffany's online store and $3,400+ at StubHub, a ticket resale/scalping site.
I can't tell you how to monitor each of your accounts because the details
vary tremendously from site to site. You need to find out how to check
the current balance and transaction list for every credit card
you have and every other financial account you can access online
(bank, brokerage, etc.), even if you have never been there online before.
If you have no idea where to start, call them and ask.
Why do you have to do this? Because Equifax, that's why.
Security Patches
This is a highly context dependent area.
The short version is learn how to keep your device up-to-date!
If you don't know how, then shame on you. To fix this serious character flaw,
just remember Google Is Your Friend.
- Windows 7
Note: You must have an up-to-date Antivirus app installed
or Microsoft will not update your system. This is because of the
new CPU flaws mentioned above.
- Windows 8
Note: You must upgrade from Windows 8.0 to 8.1 to receive updates.
- Windows 10
- iPhone & Mac OS
- Android Phone
- Linux. If you are smart enough to be running Linux (either at home
or on a server), then you should be smart enough to find, track, and apply
appropriate security patches to whatever distro(s) you are using.
And if you're not that smart then ...
go get a Mac or a Windows machine.
Long, Strong, and Unique Passwords
I'm not going to go into all of the issues surrounding passwords.
Suffice it to say that they are a PITA (Pain In The Ass), but you gotta
use them.
Most people suck at creating passwords, and the Bad Guys love that
aspect of how people use them.
There are three attributes that all good passwords have in common:
- They are unique for every site. If one site gets hacked it
doesn't automatically make you naked on all of the other
sites you have accounts on.
- They are made up of a combination of lower case (a-z),
upper case (A-Z), digits (0-9), and 'special' characters
such as !@#$%^&*(){};:.,<>?/"'.
- They are loooong. Like at least 14 characters, but more is better.
The problem is creating and remembering a good password for each site.
The good news is that it is easy to come up with nearly unbreakable passwords
that are different for each site you connect to. I have accounts on so many
different websites I lost count a long, long time ago. Remember, I've been
doing this since 1973, so ... I've had some practice.
Here's how you do it.
- Pick a favorite phrase or song lyric. Pick something that has somewhere
between 8-10 words in it. For this example I'm going to use a Stephen Wright
quote:
I intend to live forever.... so far, so good
But that's too long to type, so let's just use the first character
in each word and, for now, ignore case and punctuation.
This gives us the beginning of our base password: 'iitlfsfsg'.
That's 9 characters long and trivial to remember, particularly if you practice
it a few times. My base password is 10 characters long and I
can type it in my sleep.
- Decide which character(s) to make upper case and which to replace
with a number or special character.
For example, "I1t1f.Sfsg.". So I upper-cased the first
character and the 's', put a period after "forever", and replaced the second 'i' and the
'l' with the numeral '1', and put a period at the end.
That means I have an 11 character base password composed of lowercase,
uppercase, numbers, and special.
Other common substitutions are '0' (that's a zero) for 'o',
'5' for 's', and '7' for 't'.
Season to taste.
- For each site add something from the site name to your base. For amazon.com
I might have 'am.I1t1f.Sfsg.'. Now I'm up to 14 characters of apparent
gibberish, except it's not gibberish to me!
I know one person who puts the 'modifier' at the beginning if it starts with
'a' through 'm', and at the end if it's 'n' through 'z'. So he would have
the above for Amazon, but Zappos might be 'I1t1f.Sfsg.za.'
- And for accounts that really matter, make it longer. This is
where knowing how passwords are stored is useful. Passwords are not stored
as 'clear text' (well, there are some really badly designed sites
where that has happened),
instead they are stored as the result of a
cryptographic hash.
It's sort of like taking a bunch of fruits and throwing them into a blender
and hitting purée. What you end up with looks nothing like what you put in,
but if you start with exactly the same ingredients (the same characters), and run it for exactly the same length of time,
you will get exactly the same result. What's important to know is that
a cryptographic hash gives no indication of how 'close' you might be
to the original. All you get is match / no match.
So to make it longer ... just add some set number of periods; say 4.
For Amazon that would give us 'am.I1t1f.Sfsg.....'.
Using a tool to
estimate how long it would take an attacker to 'brute force' guess
this password using a massive, multiple CPU botnet, it said it would take
about 1.28 trillion centuries to crack it.
This is waaaay beyond the estimated death of the Universe,
at which point I no longer care! :-)
- One special note: some sites have stupid, stupid programmers that only
allow certain special characters. There's no good reason for this, so it
must be simple stupidity. Anyway, for those sites pick some other 'allowed'
special character — '!' or '_' or whatever — and replace
each instance of '.' (or whatever your normal special character is) with
the allowed one. So maybe Zappos doesn't like '.' but they allow '!'.
So your password there might be 'za!I1t1f!Sfsg!!!!!'
Remembering this is a PITA, so for these stupid sites you can write down
"Zappos !". It will make sense to you and no one else.
Unique Emails for Each Site
Almost as important as a unique password for each site is a
unique email address for each site.
Most of my friends and family have their own domain names: e.g. my primary is 'techbuddy.us'.
There
are several advantages to this, one of which is you can create
an infinite number (well, not quite, but lots and lots)
of different email addresses. That might sound difficult to manage,
but it's not. Simply create what's called a “catchall” at
the place managing your MX (Mail Exchange) servers and have everything
forwarded to your main account. Easy peasy.
So I have techbuddy.us addresses for Amazon (amazon@techbuddy.us),
Social Security (ss@techbuddy.us), NY Times (nytimes@techbuddy.us), etc.,
etc.
I also have sorting rules in my mail agent (Thunderbird) that put each
different address into appropriate subfolders. Anything not handled specifically
goes into a folder called, surprisingly, techbuddy.
By the way, if you have
a gmail.com email address, you can do something related.
Read this
article for more info.
The point of having a unique
email for each site is that it makes life for the Bad Guys much,
much harder. On the Dark Web, hacked databases are bought
and sold like candy. The more expensive collections are composed
of “combos”— a combination of an email address
and a password that were harvested from 1 site. Bad
Guys use these to do something called “credential
stuffing”, which is where they take combos from one database breach
and try slamming them into all manner of other sites to see just how
stupid lazy you are.
If you've been paying attention, you now know that you don't have
any combos that are of any value! That's because a) you are using
a long, strong, unique password for each site, and b) you are using unique
email addresses for each site. That means that even if they can
crack your almost-uncrackable password, it is paired with an email address
that doesn't work anywhere else. Game, set, and match to you!
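A self-audit of the point above, as an added example (not code from this page): given your own account list, it reports what a leaked combo from one site would open elsewhere. The account lists, the example.com / example.org addresses and the 'ny.' password are constructed; the Amazon and Zappos passwords are the page's own examples.

```python
def exposure_after_breach(accounts, breached_site):
    """accounts: list of (site, email, password) for one person.

    Returns which of that person's other sites are affected when the
    combo stored at breached_site leaks.
    """
    leaked = next((a for a in accounts if a[0] == breached_site), None)
    if leaked is None:
        raise ValueError(f"no account recorded for {breached_site}")
    email = leaked[1].strip().lower()
    password = leaked[2]

    report = {"combo_works": [], "email_known": [], "password_known": []}
    for site, other_email, other_password in accounts:
        if site == breached_site:
            continue
        same_email = other_email.strip().lower() == email
        same_password = other_password == password
        if same_email and same_password:
            report["combo_works"].append(site)     # stuffing succeeds here
        elif same_email:
            report["email_known"].append(site)     # half the login is known
        elif same_password:
            report["password_known"].append(site)
    return report


# Constructed sample: one address and one password reused across sites.
REUSED = [
    ("amazon", "pat@example.com", "Summer2018!"),
    ("nytimes", "pat@example.com", "Summer2018!"),
    ("zappos", "Pat@Example.com", "Summer2018!"),
    ("bank", "pat@example.com", "different-Passphrase-77"),
]

# Constructed sample following the page: unique address and password per site.
UNIQUE = [
    ("amazon", "amazon@example.org", "am.I1t1f.Sfsg....."),
    ("nytimes", "nytimes@example.org", "ny.I1t1f.Sfsg....."),
    ("zappos", "zappos@example.org", "za!I1t1f!Sfsg!!!!!"),
]

if __name__ == "__main__":
    for name, accounts in (("reused", REUSED), ("unique", UNIQUE)):
        print(name, exposure_after_breach(accounts, "nytimes"))
```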
Two Factor Authentication (2FA)
2FA is a system where you need your username/password pair plus some
other information that only you have access to. This "thing" is called a
"token" and is generally generated in such a way that it is a
cryptographic nonce.
There are a number of ways
of doing 2FA, some of which work better than others.
The 2 main classes of 2FA are software-based and hardware-based. Although
software-based (often through text messages sent to your cellphone) is
easier to implement, there have already been some successful breaches
of it. Hardware-based has a lot to like, but with one exception: not
everyone agrees on the hardware fob used to generate the nonce.
I don't currently use 2FA because I feel reasonably secure (perhaps foolishly)
that my unique email/password combos are pretty tough to break.
Backing Up Your Data
Need ... more words ...
Anti-virus Software
Let's be clear here: antivirus (AV) software is not going to do you any good
at all if you've ignored any of the above items. Seriously. The
most serious threats to your financial assets come from the very
websites that should be doing the most to protect them. If
their sysadmins are not paying attention, then all of the AV software
in the world is not going to help you.
Having said that, there are still things of value in decent AV software.
Need ... more words ...
Clicking Links in Email
For the love of all that is Holy stop clicking links in
your goddamn emails!!!
... more words ...