Security

Firefox Relay vs DuckDuckGo email

I signed up for DuckDuckGo’s privacy relay email service (https://duckduckgo.com/email) as soon as I could. Aside from their little dust-up about sending some of your info to Microsoft (https://thenextweb.com/news/duckduckgo-microsoft-tracking-sparks-backlash), they’ve got a good track record re: privacy. I signed up for some CNet and PCMag newsletters and found that DuckDuckGo removed a few trackers from every email they sent. Yay DuckDuckGo! But one of the things I don’t like is that they don’t provide a dashboard – I can’t see which duck aliases I’ve created and used.

So, I signed up for a paid Firefox Relay account because they do have a dashboard! What’s more, you can associate each email address with the website or service you’ve used it with! Major yay! I signed up for new Relay email addresses for the CNet and PCMag newsletters and began comparing the duck emails with the Relay emails. Relay isn’t removing ANY trackers!?! I emailed Relay support and got a fairly prompt response; however, it wasn’t terribly satisfying. The Relay folks are being very responsible and making sure that the trackers they remove don’t break the email – yay them! I’m continuing to correspond with Relay’s support on this topic. In the meantime, I suggest you go with the free DuckDuckGo email relay service if you want a little more privacy in your newsletter traffic, dashboard notwithstanding.


Proton has a Google Drive alternative

It’s been in beta since 2020, but they’ve finally made it available to the rest of us. The Android app and web app are available now; the rest is coming. As with all Proton products, it’s open source and privacy focused. 1GB for free, 200GB for $4/month, or the whole package (mail, calendar, drive, and VPN) for $10/month. Read about Drive at https://www.howtogeek.com/835660/proton-drive-is-a-privacy-first-google-drive-alternative/


Finally, a point-to-point VPN!

I’ve set up a VPN at home and, honestly, in my config, it’s a PAIN! I have 3 routers that need to have ports opened, and then I need to make sure that certificates and passwords are all secure.

Then I found Tailscale.com! What a breath of fresh air. Why didn’t anyone think of this before? Create an account on tailscale.com, then install the tailscale service on each machine you want to be part of the VPN and run it. The service registers with Tailscale’s coordination server (which only distributes the WireGuard public keys and peer addresses; the actual traffic flows peer-to-peer over WireGuard, falling back to a Tailscale relay only when NAT traversal fails), and the machine becomes an immediately available VPN target, complete with its own hostname (which you can change) and its VPN IP address in the 100.x.y.z range. If you enable their “MagicDNS” in your settings, then the hostnames all resolve to their VPN IP addresses (i.e. the hostname is first checked against the hostnames on the VPN before being checked against other DNS resolvers). Voila! No config, no ports to open, no firewall rules to manage! Now, when you’re away from home, you can get to your home server with confidence.

It’s free for a single hobby/personal user. There are a few restrictions as to how many devices and subnets you have available but, honestly, if you’re a home user, the restrictions probably won’t bother you. It’s multi-platform, with binaries for Android, macOS, iOS, Windows, and Linux, so you can connect just about anything you want. They’re on GitHub at https://github.com/tailscale and there’s a place to discuss it at https://forum.tailscale.com/. And, yes, you can use tailscale to act as a subnet router – https://tailscale.com/kb/1019/subnets/ – to get to those devices (e.g. printers) on which you can’t install tailscale.
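As an added example (not from the original post and not Tailscale’s own documentation), here is a small shell script that turns a Linux box into the subnet router described above. It assumes tailscale is already installed and logged in, that the host uses sysctl.d for persistent kernel settings, and that the LAN to expose is 192.168.1.0/24; the subnet, the sysctl file name and the `--apply` flag are all assumptions. The CIDR check is there so a typo cannot advertise a bogus or far-too-wide route to the whole tailnet.

```shell
#!/bin/sh
# Added example: make a Linux host a Tailscale subnet router for a home LAN.
# Assumes tailscale is installed and already logged in with `tailscale up`,
# and that the LAN to expose is 192.168.1.0/24 (an assumed value; change it).
set -eu

# Accept only a.b.c.d/n with each octet 0..255 and n in 0..32.
valid_cidr() {
  cidr=$1
  case "$cidr" in */*) ;; *) return 1 ;; esac
  addr=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS
  IFS=.
  set -- $addr
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Persist IPv4/IPv6 forwarding; without it the kernel drops packets that
# arrive from the tailnet and are destined for LAN hosts.
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    | sudo tee /etc/sysctl.d/99-tailscale.conf >/dev/null
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Advertise the LAN. The route stays pending until an admin approves it in
# the Tailscale admin console, so a single node cannot silently become a
# router for the whole tailnet.
advertise_subnet() {
  subnet=$1
  valid_cidr "$subnet" || { echo "bad CIDR: $subnet" >&2; return 1; }
  sudo tailscale up --advertise-routes="$subnet"
  tailscale status
}

# Only act when invoked as `sh subnet-router.sh --apply 192.168.1.0/24`;
# running it without arguments just defines the functions.
case "${1:-}" in
  --apply)
    enable_forwarding
    advertise_subnet "${2:-192.168.1.0/24}"
    ;;
esac
```

Two caveats worth knowing before you run it: `tailscale up` refuses to change settings unless you repeat every non-default flag you used previously (or pass `--reset`), so include any flags you already rely on; and Linux clients do not use advertised routes until they are brought up with `tailscale up --accept-routes`.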

Apologies for the delay between postings but I prefer to try the things before I post about them and tailscale took a while.


Integrating Red and Blue InfoSec teams

InfoSec typically divides some of its people into Red (attack) and Blue (defend) teams. While I agree with the general idea, I’ve often thought it wasn’t sufficiently granular and left a lot out of the InfoSec equation. Up comes this article (https://danielmiessler.com/study/red-blue-purple-teams/), which really digs into what’s missing and how to tie things together. A Purple “team” integrates and facilitates communication between the Red and Blue teams. It goes further: a Yellow team (the builders – developers and engineers) forms the third corner of the Build-Attack-Defend pyramid, and the pairwise combinations give you Orange (Yellow plus Red: attackers educating builders) and Green (Yellow plus Blue: defenders educating builders) in addition to Purple.

While it may overly complicate the picture, the idea is sound, I think – encourage, facilitate, and integrate communications between the various teams/groups. Share knowledge and use that sharing to build a stronger security posture.


Government cybersecurity bill passes!

Last night, a few hours before the State of the Union address, the Senate passed a cybersecurity bill…finally! Some of the details, summarized from the article:
* Businesses in critical-infrastructure sectors (e.g. financial, transportation, energy, to name a few) MUST report to the government when hacked (within 72 hours of a significant incident) or when they pay a ransom (within 24 hours)
* Updates to the rules governing how government agencies manage information security
* Changes to how the government assesses and manages the security of the cloud systems it uses
CISA should get much more information and insight into the number and type of attacks U.S. companies are being subjected to on a daily basis and be able to share it with concerned entities in a more timely fashion.

Details at https://www.washingtonpost.com/politics/2022/03/02/senate-is-finally-passing-big-cyber-bills/ if you’re interested.


I’ve been warning about this for years

I haven’t said anything about the Log4j issue here, but this article from the Washington Post (https://www.washingtonpost.com/politics/2022/01/14/open-source-bugs-present-an-extermination-problem-government/), which discusses the recent meeting at the White House about securing open source software, shows that people are finally waking up to the fact that open source needs to be patrolled better. Far too many developers pull in open source packages without regard to their exposures, and those places that do make sure packages are vetted often miss the packages that are pulled in transitively as dependencies of dependencies.

I’m not putting down any of the open source contributors, but I’ve been a contributor and code reviewer and it’s just TOO easy to miss a vulnerability. Sure, automated processes can catch a lot, but if someone is intent on introducing a vulnerability, it can be done without a lot of extra effort. No, I don’t have a solution, but I’m certain the open source community can come up with some good ones.


Maybe you don’t need that domain after all…

Firefox Relay (https://relay.firefox.com/) has just exited beta and now has a premium tier ($1/month) that gives you more than the 5 email aliases the free plan provides.
I’ve been a big proponent of paying for an email service like FastMail.com and buying your own domain so you have an unlimited number of email addresses available to you. But it requires some geek work to bring it all together. Services like SimpleLogin.com provide similar capabilities by generating unique email addresses for you and forwarding them to an address you specify when you sign up. Mozilla’s service isn’t all that different, but it’s from Mozilla and it’s pretty cheap (right now…they say it’s a promotional price, with no mention of when the price will go up). Still, it’s a worthwhile investment if you don’t feel like giving your precious personal email address out to various websites and newsletters.
