Blog piece by TheNewOil
I honestly don’t know how long this blog post will be because the basic concept is actually really simple, but I’ll do my best to explain it without over-explaining it.
This morning while collecting links to share on my Mastodon account, I came across this gem. Basically, a VPN provider claimed not to keep logs and then got caught with an unsecured database exposing plain text passwords (let’s not even touch that one), VPN session keys, IP addresses of users and servers, timestamps, geotags, and other stuff. This is not a blog post about VPNs, but this story does highlight the point of this post. This post is about one of the most important yet rarely talked about foundational concepts in privacy and security: layering your strategies.
Points of Failure & Redundancy
In most industries, there’s what’s known as a “point of failure.” In other words, “this is the most likely spot where something will go wrong.” Because of my background, I’m going to use a concert as an example: when connecting a sound system, your points of failure are usually the cables themselves. The more cables you have, the more points of failure you introduce and the more risk you run of something going wrong. In general, the more you have going on, the more points of failure you introduce. Which brings us to redundancy.
Redundancy is simply having two things that do the same thing. Let’s keep with the concert example above: a “snake” is basically a super long audio cable that stretches from the sound booth a few hundred feet in front of the stage to the stage itself. This is how the signal gets transported back and forth from the mics to the mixer (where the sound gets processed) and back to the speakers. These days, Ethernet cables are typically used as snakes because they’re cheap, fast, reliable, and smaller than a traditional snake. But Ethernet cables are also typically less physically sturdy than traditional XLR, which means they’re more likely to fail than a traditional snake. So many modern sound mixers come with two Ethernet snake ports, an A and a B. If A fails, you can instantly (sometimes automatically) switch over to B and keep the show going with no (or almost no) noticeable gap in sound. This is redundancy. A system that is redundant has more points of failure because there is more going on, but because of the overlap there’s also less risk of any one failure being a big deal. The odds of both Ethernet cables failing at the same time are almost nonexistent.
Privacy, Points of Failure, & Redundancy
While I do encourage the use of a reputable VPN provider (read as: not one who advertises all over their website that they’re free coughUFOcough), I also don’t encourage that as a single privacy tactic. I mentioned in a previous blog that if you delete Facebook, you’re getting a little bit of privacy. If you use Signal, you get a little bit of privacy and security. If you do both, you’re getting even more privacy and security. This is how privacy and security should be properly executed, by layering one privacy technique on top of another. I use Tor because I trust the decentralized nature of it, but I also layer that use of Tor with things like TLS. I use strong passwords, but I couple that with using two-factor authentication everywhere I can. My passwords are a point of failure. My two-factor is a point of failure. But the odds of both being compromised by the same person simultaneously? Almost nonexistent. The key to successfully being private and secure is to be redundant, to have overlapping tactics that help to accomplish the same goal, and to make sure there’s not a single point of failure in your approach.
Redundancy & Threat Models
Now, I have said from day one that there is no perfect “one-size-fits-all” approach to privacy. It’s important not to be overly redundant for a lot of reasons. For one, it will make things inconvenient, and unless your life is on the line you’ll eventually get sick of the inconvenience and stop doing it, making it useless. Some people preach using a completely separate device to do financial work, but I find that overkill in most situations. Maybe a virtual machine is more appropriate. Or, honestly, just using a separate Firefox container or separate browser is sufficient in many situations. In other cases, too much redundancy actually hurts you more than it helps you. For example, using too many browser add-ons makes your browser more unique and stands out among the crowd. The benefit of using these add-ons (disabling automatic trackers) is minimal: your life is not at risk if Google finds out you like Neapolitan ice cream and adds that to your marketing profile.
The point here is that it’s important to evaluate your threat model and determine how much redundancy you need. A journalist may find it very important – depending on the severity of the information they’re working with – to use separate machines for work and pleasure. An intelligence operative may risk their life if they don’t have two factor enabled. A celebrity may be putting their whole family at risk by not buying a house in an anonymous trust or shell corporation. But for most people reading this, the stakes are much lower.
I hope that I didn’t confuse you with the last paragraph. My point is not “eh, it probably doesn’t matter if you do or don’t do this stuff.” My point is to make sure that you’re not overdoing it. Once again, if you overdo something there’s a very high risk you just won’t do it at all. Let’s take passwords and two-factor as an example: we should all be using strong passwords with a password manager and two-factor authentication whenever possible. End of story, no debate. But if your two-factor of choice is a hardware token, and you find yourself frequently forgetting your token at home, it’s probably safe to use a software token. The redundancy should still be there because the effort is minimal while the payoff is immense. There’s no need to say “the hardware token isn’t working out, I guess I’ll just disable two-factor altogether.” But in most cases, the risks are also minimal. It’s highly unlikely – for most of my readers – that you’re being targeted by a nation-state or a sophisticated hacker that requires an extra hardcore measure of security. A software token is plenty sufficient. There’s no need to make life that much harder on yourself. (Of course, if you don’t forget the hardware token and you find it quite easy to adapt to, there’s also no reason to settle for less).
This post ended up being much longer than I expected. I hope you found it helpful and that it gave you some thoughts. Please don’t settle for a “one-and-done” privacy solution. And when you do have a single point of failure – for example, a ProtonMail inbox with multiple addresses – make sure you understand the risks and how to mitigate them. In that example, I would say to be certain that you’re using strong passwords and two-factor, and also keeping backups of your private key locally. Make sure the machine you’re using to access that email account is secure and clean. It’s all a series of overlapping, multilayered techniques that add up to create a more secure lifestyle. Perhaps another way to think of it might be a suit of armor. A helmet is important. A chest piece is important. Either one by itself is better than being naked. But only by combining the entire suit of armor do you achieve maximum protection. And some people may need bulletproof armor (my analogy is kind of falling apart here but just bear with me). Others may just need something that stops small pebbles and dull knives. Ask yourself where you are, what the weaknesses in your armor are, and how you can best patch them up. And remember: even a suit of armor has weak spots. Nothing is ever 100%. But we certainly can and should be aiming for as close as sustainably possible.
Find more on today's blogger, TheNewOil, and more recommended services and programs at TheNewOil.xyz. You can also get daily privacy news updates at @firstname.lastname@example.org or support my work on Liberapay.