[AT] OT - unsecured servers

Spencer Yost spencer at rdfarms.com
Fri Jan 3 20:18:44 PST 2020


Yea, TOR isn’t for everyone - just those that care enough about anonymity to use it. I personally don’t use it. Brave has been looking promising ever since they ditched Muon and based it on Chromium. Browsers, as far as security and privacy go, rank typically like this (depending on the release and the reviewer). Best to worst:

TOR
Firefox
Brave
Chromium (not the same thing as Chrome!!!)
Safari
Chrome
Everything else you shouldn’t use

Brave may take 2nd in 2-3 years.  The current concerns with their ICO (most of the coins ended up in a small group of advertisers, kind of defeating the purpose) and their whole model keeps them behind Firefox.  But if they get the backend stuff in the light of day and working smoothly they might have something. 

Spencer
Sent from my iPhone

> On Jan 3, 2020, at 8:09 AM, Stephen Offiler <soffiler at gmail.com> wrote:
> 
> 
> Hi Spencer:
> 
> Speaking of Tor, are you familiar with the new browser called Brave?
> https://en.wikipedia.org/wiki/Brave_(web_browser)  
> 
> I've been using it for a few weeks now and it's a dead-ringer for Chrome. If you do a Ctrl-Shift-N private window in Brave, it gives you an easy option to use Tor. Otherwise, as far as I know, Tor is kind of cumbersome.
> 
> SO
> 
> 
> 
> 
> 
>> On Thu, Jan 2, 2020 at 10:16 PM Spencer Yost <spencer at rdfarms.com> wrote:
>> Just to be clear, VPNs are primarily used to anonymize you. In other words: hide origin and identity. While the traffic between you and the VPN service is indeed secure (provided the service is legit and well configured), after it leaves a VPN service your traffic is no different than when leaving your ISP.
>> 
>> I generally recommend them for people who have enough tech savvy to set them up and use them. And I am not knocking anonymity - there is something to be said for that. The services also provide some additional features such as compression to improve your bandwidth, etc. Also, regardless of its limitations it’s more secure than a coffee shop. But make no mistake: if you really are worried about man-in-the-middle attacks (or any of the other attacks I mentioned), VPNs are not a solution.
>> 
>> In other words, VPNs are the cat’s meow when used between you and your endpoint (e.g. connecting to your employer’s internal networks). If the service is not your endpoint your risk profile is only marginally improved.
>> 
>> If you are serious about anonymity you should look into the TOR network.
>> 
>> https://www.torproject.org/
>> 
>> Spencer
>> 
>> Sent from my iPhone
>> 
>>>> On Jan 2, 2020, at 9:21 AM, Easley, Greg A. <EasleyG at health.missouri.edu> wrote:
>>>> 
>>> Very good advice there.
>>> 
>>> I would add one thing to that - purchase a subscription to one of the commercial VPN services.
>>> 
>>> 
>>> Greg
>>> 
>>> -----Original Message-----
>>> From: AT [mailto:at-bounces at lists.antique-tractor.com] On Behalf Of Spencer Yost
>>> Sent: Tuesday, December 31, 2019 9:13 PM
>>> To: Antique Tractor Email Discussion Group
>>> Subject: Re: [AT] OT - unsecured servers
>>> 
>>> Since cybersecurity is my line of work, I’ll jump in.  Do these things:
>>> 
>>> 
>>> Always manually type the url - never click off an email or some other source.
>>> 2FA is always awesome (everyone should do this whenever available).
>>> Close the browser, or at least each browser tab, when you are done.
>>> Private browsing tabs with cookies blocked are great too but some sites don’t have authentication procedures that behave well with private tabs or cookies blocked so this is hit or miss.
>>> 
>>> As an added bonus always clear the cookies, cache, and local storage related to the website before you close the browser. This will prevent any near-future malware infection from taking advantage of a valid session.
>>> 
>>> The lack of a secure private Internet connection should not be too much of a concern. The fact of the matter remains that after your traffic leaves your ISP at your home it’s on a public network as well. Between the HTTPS protocol and the steps above you should be fine.
>>> 
>>> The primary concerns are XSS and CSRF attacks (I’ll let you look them up). Both require malware (or an attempt to trick you into redirecting your attempts to log in) and/or an active session to take advantage of you. So by following those steps you will thwart them.
>>> 
>>> 2FA helps to thwart password cracking success.   That means even if someone has cracked your password (usually they have cracked a bunch because the site uses a digest hash that was weak - or worse the idiot site stores the password in plain text) they can’t log in without you knowing and confirming.
>>> 
>>> Of course, if you are already infected, school is out anyways and you have already been compromised and your money is probably already gone.   If it’s still there, you are good.
>>> 
>>> Waiting for the ball to drop.....
>>> 
>>> Spencer
>>> 
>>> 
>>> 
>>> Sent from my iPhone
>>> 
>>>> On Dec 31, 2019, at 8:38 PM, Mike M <meulenms at gmx.com> wrote:
>>>> 
>>>> Hi and Happy New Year,
>>>> Going on vacation for a while in the Keys. I found out too late that 
>>>> the place does not have wi-fi. I have some banking items to take care 
>>>> of and am leery of taking care of it over an unsecured connection. 
>>>> This is time sensitive and needs to be done. My banks both use 2 step 
>>>> authentication does that help at all?
>>>> 
>>>> Regards,
>>>> Mike M
>>>> 
>>>> _______________________________________________
>>>> AT mailing list
>>>> AT at lists.antique-tractor.com
>>>> http://lists.antique-tractor.com/listinfo.cgi/at-antique-tractor.com
>>>> 
>>> 