Computer security questions

Hey everyone,

Does anyone have any recommendations on computer security? I usually consider myself a fairly clued-up kitty, but there seem to be a couple of gaps in my internet security setup, and since you’re a knowledgeable collective, I thought you may have some useful advice.

Two things I’ve been looking into-

VPN’s-

Password managers-

The common thread with both of them is that the involve trusting a third party with important info, so I’m naturally a bit sketchy about both. Does anyone have any experience with really reputable providers? hints, tips and things to avoid? Any other suggestions from a security and prioacy perspective?

I have no experience with VPNs, but I use the following as a password manager:

https://www.schneier.com/academic/passsafe/

• It’s written by Bruce Schneier, a well-regarded computer security researcher.
• It’s open source, so even if you don’t trust Schneier, you can feel comfortable that no one else has found any obvious backdoors.
• No one has access to your credentials but you: they’re stored in the file, encrypted and inaccessible without the password.
• The file can be uploaded to a file-sharing service, who won’t be able to decrypt it, and synchronized across multiple devices
• A bunch of different apps exist for use with it (PC, Mac, Linux, Android, and probably Apple) once you’ve downloaded the file to your other devices.

There’s still a level of trust involved, because there always is, but it’s about the most convenience, while making the fewest compromises to security, that I’ve ever found.

With regards to VPNs, among yoho-fiddly-dee sailors of the seven seas, a few recommendations are common:
• PrivateInternetAccess (based out of the US)
• NordVPN (based in Panama)
• ProtonVPN (based in Switzerland)

I’ve been using this for about 10 years, maybe? I’ve never had a problem with it, and it feels good to use 20-character random strings with digits and special characters as passwords. I have copies of the database stored in various places. The master password I never forget (yet).

It’s open source, but I don’t know who wrote it particularly.

Password Manager:
Like @kxkvi, I’ve been using Keepass every day for many years now and I’m a fan. Unlike other password managers (like Lastpass, which I have to use for work), Keepass stores all the data locally (and encrypted); there’s no cloud service provider, no third-party website to get hacked, or anything like that. You can sync it via dropbox or other file-sharing site if you want. But I just manually copy it to my phone, a backup drive, and a USB stick or two. I don’t use cloud sync for anything yet.

I think there are versions of it on every common OS - I use Windows and Android but I think when I used a Chromebook I had it there too and I know I could use it on the Mac if I wanted.

Worth noting, a good password manager does more than just manage passwords. You can put secure notes about various things (like those stupid ‘security’ questions) or if you’ve linked an account or have multiple accounts which one this is, etc. Also by opening the site from the URL that you’ve stored in your password manager instead of clicking a link you’re much less likely to fall for phishing. And it’s easier - two clicks to open and login.

Re: Tips and things to avoid, it’s my personal opinion that I want to control that data myself and have it in a file that I can easily backup/transfer, so I don’t use a service or cloud solution or something built in to a browser. That means that you really have to make mirror copies (USB, phone, backup drive, etc.) in case you lose one (or more). But I prefer that. The networked solutions do get breached occasionally. The stuff should be encrypted, so that may be ok, but I’m skeptical.

VPN:
I’ve been using PIA Private Internet Access for a few years with no problems, though I don’t use it all that much. I mostly only use it when torrenting (which I don’t do much anymore since streaming has gotten so much better) or when I want to check something from another country (bypass regional media restrictions or check latency from there to a site I’m working on). I chose it because of their no-logging policy; getting a VPN for privacy is pointless if it logs everything you do (which some do).

If you’re not doing anything that’s mundane but that you need private (like torrenting) and the region traversal isn’t useful for you, I’m not entirely sure it’s worth the cost. I keep it around anyway, but I don’t really see it as a necessity. If you wanted to do ‘dark’ stuff, (buying drugs online, subverting an oppressive government, illegal porn), you’d want more than a VPN. But I don’t have recommendations for that.

I also use KeePass, for pretty much exactly the reasons @DaakSyde has already covered. But I’ll second his advice anyway, because it bears repeating: you have to manage your own backups and DR. I think the trade-off (compared to cloud services) is worth it, but it’s something to think about when trying to decide.

We use LastPass at work, and I kind of loath it, but that’s mostly because it’s a gussied-up consumer product crammed into an enterprise software licensing model that solves exactly none of my problems. It’s probably fine for individuals, especially if most of your passwords are for websites and the like. (For my role at work, it’s about as useful and searchable as a single giant text file; their web site nags me to install their plugin every. single. time. I log in; it’s one of those clever single-page-app sites, so even though it’s a browser-based service, I can’t copy-paste a link to a specific secret; oh, and there’s about seventeen different analytics/tracking scripts on the page, and I’m almost certain my ad-blocker was the source of a “non-reproducible” bug that would create a duplicate entry every time I moved a secret from one group to another. Actually, you know what? Skip LastPass. Do not let them pass GO. Do not give them two hundred dollars. Seriously, fuck those guys.)

As for VPNs, I’m in the same boat as you. It really does boil down to an issue of trust. I don’t use a commercial service myself, so I can’t make a specific recommendation, but I think the How-To Geek is fairly reputable, so this might not be a bad place to start:

It occurred to me that I could write a batch file to do this. I just have to remember to run it every time I make an additional entry or change a password. That way I can back it up easily regardless of the timing of regular backups.

I’ll add my own recommendation for KeePass:

I can’t overstate the value of the plugin community for KeePass. There are even plugins to make backups easy. Personally, I just store my password database on a cloud drive service, and use that to keep things in sync between multiple PCs and my phone. Not being tied to any particular service gives one many options, though.

As for VPN services. I’ll reiterate that it really depends on what you need a VPN for. If you are trying to obscure activity like torrenting, you may actually be better using something like a seed box. Not that I’m familiar with any such back alley transactions, but one does hear rumors. My own interests are purely academic, of course.

My wife works from home using a work computer, which uses its own VPN. I wonder; do you suppose we could use PIA for my computer and her home computer? We’re all hard-wired, but I we use the wifi for an iPad and 2 iPhones.

I could ask the company but that would be more work.

Password managers are great. I use Lastpass. The thing about them though is that once you pick one, you’ll be wedded to it for life. Switching to a new one would be a major pita. Not that I have any reason to switch. I like Lastpass because I can use it on all of my devices, but I would imagine by now, all of them let you do that. When I started using it, that wasn’t the case.

I have a vpn as well, but I only use it occasionally. Now that virtually all web traffic is encrypted, it isn’t as critical as it used to be. (If you use standard email as opposed to web based one, it’s still essential.) But I do use it when I am using a wifi connection at a hotel or coffee shop to keep them or other people there from sniffing my traffic. It’s also handy for downloading torrents without getting any questions from my isp. Finally, it’s good for skirting region restrictions on youtube or BBC videos. The downside is that can introduce a real speed hit.

Oh, and I also use a vpn connection to work on one of my client’s web servers. It doesn’t allow me to connect to its tender underbelly unless I’m already part of the network.

Oh, and Lastpass does use a cloud based model, but everything is encrypted locally before it is stored so it is safe in that regard. As far as what happens should they happen to go belly up, it’s possible to keep a backup version of the database locally, but keeping it up-to-date requires diligence.

I do have an account with NordVPN… but there have been some changes, lately.

Are the eyepatch crowd concerned, do you know, or do they still recommend?

I donned me eyepatch and checked the local tavern talk. Should be all clear.

I have a couple of quick questions if I might ask them here. I’m having difficulty with screen “interfacing” both with my android and also my tablet with windows 10.

First off, my android keyboard is becoming absolutely horrible at aligning actual typed keys with keys clear across the keyboard (v, g, or b for t…having to turn my phone just to be able to type o). I read that there are diagnostic/calibration tools for this on Google Play, but are they legit, or just malware?

Second, my Chinese tablet Chuwi hi10 needs to update the Bosch Accelerometer driver, but for the life of me, I can’t find the correct update. It’s really interfering with my tablet, constantly freezing up and giving me the disconnect/connect chimes (I assume it keeps wanting to change orientation despite sitting on the table, docked to the keyboard).

Can anyone point me to legit downloads for these?