I’m giving a talk this weekend at Florida DrupalCamp on some basic personal security tips. The focus isn’t on development security, or on securing Drupal projects, but instead is meant to be applicable to pretty much everybody.

If you spend any time on the internet, this guide can offer some help to you. First:

Why do I need to care about this?

Let’s get one of the common misconceptions out of the way:

I don’t have anything to hide, so I don’t need to worry about privacy.

I honestly can’t think of anyone that this statement is true about. Everyone has something that they don’t want others to see, for whatever reason. If I were to ask you for access to every digital account that you own (not to mention your home and all other personal belongings), you would probably not give me access to any of them, even with my solemn pinky oath to not touch anything. The fact that I’m asking gives you pause. Now how about those that don’t bother with the pleasantries?

You have something of value to lose online. That’s a fact of life now, and while you may be thinking of embarrassing emails or compromising texts, there are other things like workplace data, financial accounts, health records, and more that are vulnerable if you do not maintain some basic web security. Because accounts are insidiously chained together, a single insecure email address can now put every one of your accounts at risk of compromise.

Even if you still think that you don’t personally need to worry about security, what about those around you? There is safety in numbers. When someone is alone in using encrypted communications, they stand out to profilers, even if the content of their communications does not. When everyone around them is using encrypted communications as well, there is that much more chatter for them to stay safe in.

Just as inoculations against illness disproportionately protect the members of society with the weakest immune systems, the group protection that comes from supporting secure software helps those most vulnerable who rely on these tools. Also, your insecure devices can be used to launch attacks that can affect everyone, and those insecurities are not going away anytime soon.

So now that we’ve covered that it’s important to care about your online security, where do we start?

What’s Your Profile?

We’re looking to define two profiles to start with: your Attack Surface Profile, and your Adversary Profile. These will help us determine where to put effort in building our security profile.

Attack Surface Profile: The ways that you can conceivably be compromised. This is the cellphone in your pocket, the accounts that you have logged in automatically on your laptop, the fact that your email address is linked to your Amazon credit card. You will miss some of these, but the major ones are where it matters most.

Adversary Profile: Who conceivably cares enough about you that you need to secure yourself against? Are you going through a divorce or custody battle, with lawyers watching your every move? Are you exploring your sexuality or religion in a setting where harm can come from exposure? In addition to these or other specific threats, you have the general drive-by attacks done on accounts related to data breaches to worry about.

Security Profile: Now that you’ve defined your Attack Surface Profile and your Adversary Profile, you can create your security profile. You’ve identified that you use your laptop at coffee shops regularly, and commit to avoiding using financial services there. You want to avoid being tracked while going to a sensitive meeting, so you leave your phone at home. You want to learn more about things that may be socially unacceptable, so you use Tor Browser to hide your browsing history.

How Can I Get Started?

There are a wide variety of tools available with varying degrees of complexity and protections afforded. A few suggestions:

  • Use a password manager. There is the possibility that these tools can be compromised, but they are much better than memorizing (meaning reusing) passwords, which you should stop doing. LastPass is a free web-based tool, and KeePass is an open source password manager that lives on your computer.
  • Enable two-factor authentication everywhere that you can. That means email, social media accounts, developer accounts like hosting and GitHub, everywhere. Two-factor authentication is generally delivered via a text message or an app on your phone, and is used as a second method of proving you are who you say you are.
  • Switch to Signal for messaging. It doesn’t have the pretty colored bubbles of iMessage, but get over it. Signal is the current standard for end-to-end encrypted messaging, which means nobody without access to either device can read the messages being sent. It is compatible with all major phone brands, and has all of the features that any standard messenger has, plus some bonus goodies like secure VoIP calls.
  • Check your privacy settings on Chrome, Firefox, Twitter and Facebook.
  • Take advantage of the tools that the EFF makes for privacy. This includes HTTPS Everywhere, to encrypt your browsing to and from websites, and Privacy Badger, which is a custom-tailored ad and tracker blocker.

This is too much. Isn’t this impossible anyway?

I agree, there are a lot of things that you have to worry about to maintain your privacy and security. There will always be something that you miss, but that doesn’t mean that you shouldn’t try. If you lock your house or car you are engaged in a similar decision-making process. Sure, a burglar could smash a window and get in, but they’re more likely to move on in search of an easier target.

Don’t give up on security! It is becoming easier than ever to maintain some of your privacy and information security thanks to the work of countless contributors to open source tools. Support their work, and protect your freedoms!


A few days ago I woke up and against my own judgement decided to check my email before exercise. Unsurprisingly, with a world news email that I get every morning, there was something that got me angry and instantly shot up my already not great blood pressure.

I finally made a decision that had been percolating in my mind for a while. My internet consumption had to change, and it had to change fast. A few hours later I had some coffee and was settled in to get to work.

Starting My Media Consumption Cleanup

I disabled chat on Facebook, as well as audio and video calls. Half of my chats consist of “send this to my business email” coming from all non-connections, and all of my contacts on Facebook have a dozen other ways that they can reach me.

I disabled the ability for Twitter to post on my behalf to Facebook. This was one of the first integrations that I set up, and is basically the only reason that I’ve been active on Facebook at all besides managing groups and pages for the past several years. Gone now are the “I have no idea what you post” comments from folks IRL that remind me that I’ve written for a different platform and audience, and the message is reaching only the people that I have in mind when I write in the first place.

Speaking of Twitter, I didn’t have to do much here, as I keep my feed fairly curated as is, seeing as it’s the main place I communicate with others outside of Slack. Last month I implemented Wil Wheaton’s block list, which has been helpful. It cleans up a few of the folks that I wouldn’t want to interact with, though if they are quoted by others I see the “tweet unavailable” grey box, which is a bit annoying.

Twitter finally announced a feature that doesn’t display folks that you have blocked or muted in searches and trends, which is long overdue. Half of the stuff that makes me angry online comes from Twitter trends, which I should avoid clicking on but always feel the need to be informed with. I need to use a client like TweetDeck that doesn’t display these, but it’s usually easiest (probably too easy) for me to open a new browser tab, click the t key, then click enter. This is one habit that I’ll have to work on a bit better.

Finally, I went into my unroll.me accounts (this is free and totally worth paying for if it wasn’t), and unsubscribed from a lot of emails. While I did an initial cleanup when I created the accounts, at the time I was thinking of the savings that come with only having to review a daily email of non-essentials. Now I’m prioritizing making that daily email one that has less strife (sorry Mother Jones and Change.org, I still donate!), and fewer subscriptions that I don’t use anymore. Now that daily email feels more essential and relevant, and my reading time has cut in half, with the hope that it will be less painful as well.

FOMO, Failure of Mastering Objectives

I suffer fairly regularly from FOMO, or that “fear of missing out” that tech folks and us ungrateful millennials are all about these days. The basic steps are this: I remind myself of a project that sounds interesting, I get re-pumped to do it, I remind myself that I have other things to do first, and I get deflated when I think of how far behind I’ll fall by not doing it.

Sometimes I have an idea and someone else takes it up, and I think that I could have done it first, and now I can’t. That’s ok. One, I have to remind myself that those that come first rarely go as far as those that come after them. Two, I should be grateful that someone else was able to remove something from my want-to-do list.

Loss Aversion is another problem that I regularly deal with. I’ll spend more time than probably necessary considering the ways that projects can go wrong and planning for them, rather than getting anything done. The same applies to potential projects: can I give up an opportunity just because I’ve talked about it for five years and not made any headway on it?

It’s a great idea to consider potential negatives and mitigate them where possible, but when is this going too far? When can I finally free myself from the self-appointed responsibility of needing to do all of the things, and ending up doing some or none of the things instead?

Do You Have A Solution?

This is still very much a work in progress for me. I have only scratched the surface of what I can do to clean up my media consumption. I’ve got a few more things planned for the next week or so, mainly in offloading ideas that I’m just not going to do.

Do you have any tips on how to remove the stresses of feeling like you’re missing out when you choose not to do a project or start something new? I’m not going to eliminate this overnight, but I’m taking small steps now.

I told myself that I would endeavor to create a project using an entirely new-to-me technology every month, and on the last possible day in January I’m doing a writeup on a bit of bash and wp-cli code written for last week’s WordPress Orlando Meetup.

While I didn’t quite hit the mark, I did learn quite a bit more about WP-CLI and bash scripting, so I’ll count that as a win.

The script that we’re going to refer to in the post is here: https://gist.github.com/davidwolfpaw/3f1d431071196f61c753e572700e7cbe. This is intended as a follow-up to this post on using VVV, VV, and WP-CLI to set up new sites.

What are we doing here?

The script does quite a few things to set up a new WordPress site with some defaults. I made the selections based on my common usage, but the script has been made general enough that it can be modified as you see fit for your own needs.

First, I’ve got a few constants in the script, including a username that I like to use for these sites, so I get something other than “admin” that isn’t random. It also sets an email for all accounts, and the specific VV blueprint that I want to use. I can cover blueprints at a later time, but for now check out some information about them at the VV GitHub page.

Next up, I use the name that was passed as an argument to the script to create the name and domain of the website. A password and a table prefix (the wp_ portion of the WordPress database table names) are both randomly generated. The password is copied to the clipboard so that I can paste it in when logging into the site for the first time.

The command below does quite a bit. It uses VV to create a new site on my VVV install, with the name and domain supplied, the username and email that I pre-set, and the table prefix and password that were just generated for us. It also turns on debug, calls the VV blueprint that I’ve set up, and tells VV to use all other defaults that it normally supplies.

yes | vv create -n $name -d $name.dev --username $wpuser --password $password --email $email --prefix $prefix -x -b $blueprint --defaults

VV and the blueprint do the bulk of the initial setup, but there are still a lot of things to do.

Continuing Site Setup With WP-CLI

There are a lot of tasks that I do on almost every site, most of which are outlined in the previous post, but as a recap:

  • Deleting the “Hello Dolly” plugin as well as all default themes except for the current year default
  • Activating the premium plugins and themes that I use. This includes the Genesis theme, as well as Gravity Forms, iThemes Security and Sync, BackupBuddy, and Advanced Custom Fields.
  • Deleting the default page, post, and comment
  • Creating home and blog pages, and setting them to display as home and blog, respectively
  • Creating About and Contact pages
  • Creating a menu with all of the pages that I’ve created, and setting it to the primary menu
  • Removing all default widgets from the sidebar
  • Creating a category titled “News”, and setting it as the default category, to avoid posts being labeled as uncategorized

Finally, I have the script open up Chrome to the login page for the site that was just created. There I can type in my username and paste in the generated password. Eventually this step can be scripted as well, to automatically log me in.
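As an added example (not the gist’s code, and not part of the original post), here is the credential generation and the WP-CLI sequence from the steps above written so that the whole run can be previewed with DRY_RUN=1 before any command touches a site. The wp subcommands are real WP-CLI commands; the username, email, blueprint name, plugin slugs and the DRY_ID placeholder are assumptions for the example and need to match your own setup.

```shell
#!/usr/bin/env bash
# Added example (not the gist's code): credential generation plus the WP-CLI
# setup sequence, with a dry-run mode that prints commands instead of running them.
# Assumptions: wp (and vv, for create_site) are on PATH when DRY_RUN is unset;
# the plugin slugs below are guesses and must match your own installs.
set -eu

WPUSER=${WPUSER:-siteowner}            # constant: non-"admin" login name (placeholder)
EMAIL=${EMAIL:-owner@example.test}     # constant: address for all accounts (placeholder)
BLUEPRINT=${BLUEPRINT:-default}        # constant: VV blueprint name (placeholder)
PLUGINS=${PLUGINS:-"gravityforms better-wp-security ithemes-sync backupbuddy advanced-custom-fields"}

# Random alphanumeric string of length $1, drawn from the kernel CSPRNG.
rand_alnum() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# 24 alphanumerics is roughly 143 bits of entropy: far beyond what any login
# form can be brute-forced against, and still safe to paste anywhere.
gen_password() { rand_alnum 24; }

# WordPress table prefixes may only contain letters, digits and underscores.
# Force a leading letter so the prefix never starts with a digit.
gen_prefix() {
    printf '%s%s_' "$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)" \
                   "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 5)"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Execute a command whose output we need (--porcelain ids, lists). In dry-run
# mode the command is shown on stderr and the placeholder DRY_ID is returned.
capture() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*" >&2; echo DRY_ID; else "$@"; fi
}

# Create a published page and return its id.
make_page() {
    capture wp post create --post_type=page --post_status=publish --post_title="$1" --porcelain
}

# The vv create step, with every argument quoted so a site name containing
# unexpected characters cannot be split into extra arguments. The author's
# "yes |" pipe is omitted; add it back if vv still prompts despite --defaults.
create_site() {
    name=$1
    password=$(gen_password)
    prefix=$(gen_prefix)
    run vv create -n "$name" -d "$name.dev" --username "$WPUSER" --password "$password" \
        --email "$EMAIL" --prefix "$prefix" -x -b "$BLUEPRINT" --defaults
    printf 'login: %s  password: %s\n' "$WPUSER" "$password"
}

# The recap steps, in order. Preview with DRY_RUN=1 setup_site first.
setup_site() {
    run wp plugin delete hello                           # "Hello Dolly"
    for theme in $(capture wp theme list --status=inactive --field=name); do
        run wp theme delete "$theme"                     # active current-year default stays
    done
    run wp theme activate genesis
    run wp plugin activate $PLUGINS                      # word-split on purpose
    run wp post delete 1 2 --force                       # sample post and sample page
    run wp comment delete 1 --force                      # sample comment
    home_id=$(make_page Home)
    blog_id=$(make_page Blog)
    about_id=$(make_page About)
    contact_id=$(make_page Contact)
    run wp option update show_on_front page
    run wp option update page_on_front "$home_id"
    run wp option update page_for_posts "$blog_id"
    run wp menu create "Main Menu"                       # slug becomes main-menu
    for id in "$home_id" "$blog_id" "$about_id" "$contact_id"; do
        run wp menu item add-post main-menu "$id"
    done
    run wp menu location assign main-menu primary
    for widget in $(capture wp widget list sidebar-1 --format=ids); do
        run wp widget delete "$widget"
    done
    news_id=$(capture wp term create category News --porcelain)
    run wp option update default_category "$news_id"
}
```

Running with DRY_RUN=1 prints every command (DRY_ID only ever appears in previews); without it the same functions execute inside the VVV box, and set -e stops the run at the first wp command that fails instead of continuing on a half-configured site.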

And there we have it: a fully set-up staging site that saves us hours on creation and on configuring defaults that will be used over and over again!

Drawbacks to the current bash script method

That’s not to say that this is perfect. By all accounts there’s plenty that I can do to fix up this script. I started working on an integration with the LastPass CLI, for instance, to use its password generator and to automatically save my passwords to avoid being prompted when I first load the site. For some reason I was unable to get it working, and removed that feature to get it done in time for the meetup.

Gravity Forms also has a CLI, though with the downside of needing to be installed as a plugin first. If I install the plugin though, I can use that to install and license my copy of Gravity Forms, as well as import some default forms. I’m going to add that to a future version of this builder, as most sites that I make will have a contact and newsletter form with a few fields by default.

Finally, I want to work on executing the script on the server, as opposed to on my local machine. I can set this up with a bit of forethought, but it’d be beneficial to have some sort of installer to allow anyone to input their specifics (credentials, email, install directory, plugins to activate, etc). For now, I’m using vassh, which was developed specifically to run

vagrant ssh

followed by a WP-CLI command, but the tool is not very efficient. Currently it opens and closes a connection with each command, which quickly adds up when you’re running several dozen commands like this script is.