Securing your systems

[Eric S. Raymond]

Two days ago Susan Sons came to my place and we spent a day hardening
my security.  I now have full-disk encryption on both the Great Beast
and my laptop, a lock code on my phone, I'm using Signal for encrypted
SMS, and have begun to set up 2FA on my web accounts that support it.
Some weeks back, at her urging, I switched to a GPG key with the
largest bit width currently possible.

Why bother?  Because, as Susan explained and Mark has previously
noted, DDoS via NTP is a favored tool for all manner of bad guys from
script kiddies up to and including advanced persistent threats like
the PLA and the Russian Mafia.  They have a strong interest in
compromising NTPsec's security so they can know what we know about
unpublished vulns.

This means, in particular, that our personal computers are prime
targets. So are our GPG keys - both personal and project-related.

Take this threat seriously.  We probably don't need to worry about
rubber-hose attacks, because the bad guys want a compromise that's
covert and deniable.  But some of our potential adversaries are
state-level actors with enough patience and resources that they were
able to undetectably subvert Google's Perforce repositories
(undetectably until the inserted code was noticed, anyway - that one
was probably the PLA).  They will throw as much cracking skill at us
as they think they need to.

While we can't perfectly secure ourselves against the likes of the PLA
or the NSA, we can and should make it difficult for them to compromise
our security without being noticed.

Susan was, therefore, right to insist that I tighten up my security.
Those of you who aren't hardened at least to the level I described
above should do likewise.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

There's a truism that the road to Hell is often paved with good intentions.
The corollary is that evil is best known not by its motives but by its
*methods*.