Halloween has always been my favorite holiday. With plenty of candy, ghosts, monsters, scary movies and mystery in the air, it’s hard not to get excited.
Each year I try to cram as many scary movies into the month of October as possible in order to get myself into the Halloween spirit. It’s become a family tradition. Surprisingly, there’s only one thing that scares me more: poor security practices.
Seeing as we’re now well into the spookiest month of the year, I thought I’d provide some non-spooky information for those of you who appreciate the less-scary things in life.
Below is my personal list of the top five services you should be using to make your Halloween (and beyond) less scary.
There’s nothing quite as scary to us in the security industry as sensitive information being compromised. And I can’t think of any information more sensitive than personal email.
Email is a critical part of everyday life: it’s how we keep up with friends and coworkers, plan events, track packages, and receive important updates about services we use. If someone were able to grab hold of your email, what do you think they could learn about you? The answer, of course, is a lot.
People tend to take email security for granted – but is it really guaranteed?
Storing your sensitive email in services like Outlook and Gmail is not as secure as you might be led to believe. These providers store your sensitive email in plain text, and can pass your personal information through software designed to discover more about you, then use that information for advertising and other purposes.
These email services are also subject to US law, which means that all your email may be handed over to the US government upon request.
Scary? I think so.
That’s why the first service I’d like to recommend on my list is ProtonMail.
Protonmail is a secure email provider based in Switzerland that has a number of features which make it far less scary to use than other email providers:
- The company behind Protonmail is located in Switzerland which means it is subject to Swiss law. Switzerland currently provides some of the strongest data privacy laws in the world. You can read more about Swiss law and data protection here.
- Protonmail uses OpenPGP to encrypt your email and keep it encrypted. Protonmail can never view or access the plain-text bodies of your email once they’ve been received. This means your data is never accessible to the company. You can read more about Protonmail’s security model here.
- Protonmail will comply with Swiss law, so if a Swiss judge orders Protonmail to turn over a customer’s personal email, they will. But since they only store the encrypted email bodies, all of your personal information will remain encrypted. To provide transparency, Protonmail publishes all of their data requests from government agencies here.
- Protonmail is completely open source, which means you don’t have to trust their security claims, you can go verify them for yourself.
If email security is a concern for you, I’d highly recommend giving Protonmail a try. I’ve been a happy user for over a year now and am loving it.
Another touchy subject is personal chat and text messages. These personal conversations hold a lot of valuable and sensitive information. Unfortunately, most chat providers don’t protect your personal data.
Services like Google Hangouts, Slack, Hipchat, and SMS are all insecure. The providers who run them can read your messages and give them to government agencies, use them for advertising, etc.
One fantastic messaging alternative is Signal.
Signal is widely considered to be the safest and most secure messaging app available. It has a number of things going for it (in addition to its simple and easy-to-use interface):
- It’s completely open source.
- It uses end-to-end encryption to ensure that only you and the person (or people) you’re messaging can read the messages.
- You can create auto-expiring messages that are permanently deleted after a certain amount of time.
- You can use Signal for text chat, video, or audio chat. Signal is an ideal secure replacement for phone calls, SMS messages, and video chat.
- Signal is a non-profit company. The service will never aim to make a profit, so there’s no risk they’ll need to eventually sell your data to advertisers, etc. The company’s goals and monetary motivations are 100% aligned with your personal privacy and security.
- Signal is recommended by Edward Snowden.
I’ve been using Signal for years as my primary messenger, and truly enjoy it. I highly recommend giving it a shot.
Another sensitive area in terms of personal security is file management: who can view your private files?
Many people today use services like Google Drive, Dropbox, or Amazon Drive to store their personal files, on their computers as well as their mobile devices. These services are super convenient for the majority of personal and business files, but they're not encrypted, and thus not private.
One of my favorite recent services is Tresorit. Tresorit is a file syncing service that operates much like Google Drive or Dropbox, but with encryption.
Tresorit never sees a copy of your files, only the encrypted versions. This means that Tresorit knows nothing about what you’re storing, not even the names of your files.
This has many advantages, as you can likely imagine:
- Your data is exclusively viewable by you
- Your data (even if requested by a government agency) cannot be provided in plain text
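Those two bullets are really one property: the provider only ever holds ciphertext and opaque identifiers, which is also the idea behind Protonmail’s mailbox and Signal’s messages. As an added illustration (my own sketch, not code from Tresorit, Protonmail or Signal; the Server, Client, file name and contents are all made up for the demo), here is what that looks like in Go with AES-256-GCM and an HMAC-derived blob name:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Blob is all the made-up sync server ever stores: an opaque identifier,
// a nonce and ciphertext. File name and contents never leave the client.
type Blob struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// Server stands in for the provider's storage (constructed for this demo).
type Server struct{ blobs map[string]Blob }

func NewServer() *Server                    { return &Server{blobs: map[string]Blob{}} }
func (s *Server) Put(b Blob)                { s.blobs[b.ID] = b }
func (s *Server) Get(id string) (Blob, bool) { b, ok := s.blobs[id]; return b, ok }

// KnowsName reports whether a plaintext file name appears in the server's
// index; with client-side encryption it never does.
func (s *Server) KnowsName(name string) bool {
	_, ok := s.blobs[name]
	return ok
}

// Client holds the key. A real product derives it from the user's password on
// the device; here it is passed in directly (a simplification for the demo).
type Client struct {
	key  []byte
	aead cipher.AEAD
}

// NewClient expects a 32-byte key and uses AES-256-GCM.
func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{key: key, aead: aead}, nil
}

// blobID turns a file name into an opaque, key-dependent identifier
// (HMAC-SHA256), so the server can address the file without learning its name.
func (c *Client) blobID(name string) string {
	mac := hmac.New(sha256.New, c.key)
	mac.Write([]byte(name))
	return hex.EncodeToString(mac.Sum(nil))
}

// Upload encrypts locally and hands only ciphertext to the server. The name is
// bound in as associated data, so a blob swapped in under another name fails to open.
func (c *Client) Upload(s *Server, name string, plaintext []byte) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	id := c.blobID(name)
	s.Put(Blob{ID: id, Nonce: nonce, Ciphertext: c.aead.Seal(nil, nonce, plaintext, []byte(name))})
	return id, nil
}

// Download fetches the blob for name and decrypts it locally; any change to
// the stored ciphertext makes Open return an error.
func (c *Client) Download(s *Server, name string) ([]byte, error) {
	b, ok := s.Get(c.blobID(name))
	if !ok {
		return nil, errors.New("no such file")
	}
	return c.aead.Open(nil, b.Nonce, b.Ciphertext, []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	client, _ := NewClient(key)
	server := NewServer()
	id, _ := client.Upload(server, "taxes-2017.pdf", []byte("constructed secret contents"))
	fmt.Printf("server stores %s..., knows the name: %v\n", id[:12], server.KnowsName("taxes-2017.pdf"))
	back, _ := client.Download(server, "taxes-2017.pdf")
	fmt.Println("client reads back:", string(back))
}
```

Run it and the server side has nothing but hex IDs and ciphertext; the “government request” case from the bullet above is just a Get call that returns a Blob nobody without the key can open. In a real product the key would be derived from your password on the device and the names would live in an encrypted manifest so the client can list its files, but the trust boundary is the same.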
In addition to the obvious benefits, Tresorit provides an excellent user experience:
- It runs natively on Mac, Windows, Android, iOS, and Linux (to my knowledge, it is the only file sync service that does this)
- It allows you to selectively choose what folders to sync to your device
- It has a simple and easy-to-use UI
- You can choose to share some of your files publicly (just like Dropbox). Tresorit uses a neat method to securely share files via links: you can set expiration times and require a password to access the data, all while still maintaining end-to-end encryption. When the person you’re sharing the file with visits your shared link, the data is decrypted in their browser!
I’ve been using Tresorit for over a year now as well, and highly recommend it.
4. Standard Notes
The final thing I’ll talk about is notes. If you spend a lot of time around computing devices, odds are, you use a note tool.
It’s difficult to remember everything, and note-taking tools have become increasingly popular over the last handful of years. Depending on the tool you’re using, however, this can open your organization up to a security issue.
Most tools in this space don’t encrypt user files, so the provider can read every note your employees take. Clearly, there are business implications to consider here. Many of my coworkers, for instance, use note-taking tools to jot down meeting notes, to-do lists, etc. If these notes were to be seen by anyone else there could be catastrophic business consequences.
This is why the final service I’ll recommend to you today is Standard Notes. Standard Notes is a relatively new note-taking service, but one that has become a staple in my daily routine.
What’s fantastic about Standard Notes is that all your notes are completely encrypted, so even the company itself is unable to read them. Standard Notes also offers:
- Mac, Windows, Linux, iOS, and Android clients (along with a web client, of course)
- A healthy number of extensions that allow you to customize the service for your particular needs
- A beautiful UI for managing your notes in any environment
- An open source codebase, so you can audit what is happening behind the scenes
- A strongly worded privacy manifesto (that I wish more companies would adopt)
If you’re looking for a simple and secure way to store your notes, give it a try!
A Word About File Storage for Your Organization
We’ve established that personal files are very important from a security perspective, so how is your business storing them? Storing business files in third-party services can put your company information at risk if the service isn’t end-to-end encrypted, and many aren’t.
From a competitive standpoint: would you want to give your most sensitive business files and documents over to your potential competitors? It’s certainly worth thinking about what you’re storing in third-party storage services, and whether some of those files need additional security.
If you determine that true end-to-end encryption is required for some of your business files, I’ve got a bonus recommendation for you: Try Tarsnap (in combination with a sync tool like Tresorit, mentioned above) to manage file backups. Some of the benefits it provides include:
- All files are encrypted locally, so Tarsnap never has any idea what has been stored
- Backup jobs can be processed in a differential way, speeding up backups for even large amounts of information
Tarsnap is written by Dr. Colin Percival, a well-known security researcher and cryptographer. It’s completely open source, and there’s an open bug bounty: anyone who can find bugs in Tarsnap will be paid by Dr. Percival personally.
Be aware that Tarsnap isn’t a user-friendly solution for non-technical audiences, but it can be incredibly useful for those who are.
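To make the “differential” bullet concrete, here is an added sketch in Go of the usual way backup tools get there: content-defined chunking plus deduplication by chunk hash. It’s my own illustration, not Tarsnap’s code or its exact chunking scheme; the window, minChunk, maxChunk and divisor values and the sample data are made up for the demo, and the local encryption of each chunk is left out to keep the focus on what gets re-sent.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/fnv"
)

// Chunking parameters for this demo (constructed values, not Tarsnap's).
const (
	window   = 16  // bytes hashed at each position to decide on a boundary
	minChunk = 32  // never cut a chunk shorter than this
	maxChunk = 256 // always cut at this length, so chunks stay bounded
	divisor  = 64  // boundary where hash%divisor == 0, so roughly 1 in 64 bytes
)

// splitChunks cuts data into variable-length chunks whose boundaries depend on
// the content rather than on byte offsets. Inserting bytes early in a file then
// changes only the chunk it lands in; later boundaries line up again.
func splitChunks(data []byte) [][]byte {
	var chunks [][]byte
	start := 0
	for i := 0; i < len(data); i++ {
		n := i - start + 1
		cut := n >= maxChunk
		if !cut && n >= minChunk {
			h := fnv.New32a()
			h.Write(data[i+1-window : i+1])
			cut = h.Sum32()%divisor == 0
		}
		if cut {
			chunks = append(chunks, data[start:i+1])
			start = i + 1
		}
	}
	if start < len(data) {
		chunks = append(chunks, data[start:])
	}
	return chunks
}

// chunkID is the content address of a chunk. A real tool would use a keyed
// hash so the server cannot recognise chunks of well-known files.
func chunkID(c []byte) string {
	sum := sha256.Sum256(c)
	return hex.EncodeToString(sum[:])
}

// Store stands in for the remote backup storage: chunks keyed by ID.
type Store struct{ chunks map[string][]byte }

func NewStore() *Store { return &Store{chunks: map[string][]byte{}} }

// Snapshot is the manifest of one backup: the ordered chunk IDs of the file.
type Snapshot []string

// Backup records a snapshot and returns it with the number of chunks that
// actually had to be sent because the store had not seen them before.
func (s *Store) Backup(data []byte) (Snapshot, int) {
	var snap Snapshot
	sent := 0
	for _, c := range splitChunks(data) {
		id := chunkID(c)
		if _, ok := s.chunks[id]; !ok {
			s.chunks[id] = append([]byte(nil), c...)
			sent++
		}
		snap = append(snap, id)
	}
	return snap, sent
}

// Restore rebuilds the file from a snapshot's chunk list.
func (s *Store) Restore(snap Snapshot) []byte {
	var out []byte
	for _, id := range snap {
		out = append(out, s.chunks[id]...)
	}
	return out
}

// sampleData builds deterministic pseudo-random bytes (constructed input).
func sampleData(n int) []byte {
	data := make([]byte, n)
	x := uint32(12345)
	for i := range data {
		x = x*1664525 + 1013904223
		data[i] = byte(x >> 24)
	}
	return data
}

func main() {
	store := NewStore()
	original := sampleData(4000)
	_, sent1 := store.Backup(original)
	// Second backup after inserting a few bytes two thirds of the way in.
	at := len(original) * 2 / 3
	modified := append(append(append([]byte{}, original[:at]...), []byte("NEW LINE\n")...), original[at:]...)
	snap2, sent2 := store.Backup(modified)
	fmt.Printf("first backup sent %d chunks, second sent %d\n", sent1, sent2)
	fmt.Println("restore matches:", bytes.Equal(store.Restore(snap2), modified))
}
```

The first run sends every chunk; the second, after an insertion that shifts everything behind it, re-sends only the chunk that changed and at most a neighbour or two while the boundaries re-synchronise. Fixed-size blocks would re-send everything after the insertion point, which is why backup tools cut on content.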
Be Safe Out There
I hope that some of these recommendations were useful to you. If you’re like me and value your online security, I strongly recommend giving these services a chance.
As someone who’s been using them all for quite a while now: choosing secure alternatives doesn’t mean you need to suffer. These tools are well-built and provide good user experiences.
Making your online world secure has never been as easy as it is today.
If you have any questions, please tweet me.