Tom Hackshaw

@tom

Blog of Tom Hackshaw


"The most secure phone"

The “most secure phone” doesn’t exist. Any current phone carries some level of security risk, and not carrying one at all is the safest option. However, this isn’t really a viable choice for people today, so the following notes are for those that want a phone but are concerned about their opsec.

For a phone, I recommend any iPhone that is newer than the 5S. Older iPhones don’t contain Trusted Platform Module (TPM) chips that are responsible for encrypting your phone storage.

I don’t recommend Android phones. Google makes its profit off of data mining users, and Android leaks far too much information. Copperhead OS will probably offer you the most security, but this is limited to Google Pixel devices and requires a fair amount of technical knowledge to install. For a balance of security and convenience, I’d always recommend iOS.

In order to fully secure your iPhone, there are a few things that need to be done:

  • create a new Apple ID that is tied to that phone only. Use a unique, long, alphanumeric passphrase for the account.
  • disable Touch ID or Face ID. While convenient, it’s been shown that fingerprints are not treated like passwords at customs, and you will be forced to surrender them upon being asked.
  • for the Apple ID security questions, use additional passwords. Don’t set simple questions like “what is your mother’s maiden name”, as a lot of this can be guessed or found out with little effort from an attacker.
  • disable Siri. She’s awesome, but leaks too much information and bypasses the passcode for many functions.
  • disable Bluetooth (turn it off completely in Settings; if done via the Control Center it only sets Bluetooth into a standby mode)
  • disable Control Center on Lock Screen.
  • disable Spotlight Siri suggestions.
  • disable Handoff and App Suggestions.
  • disable CarPlay
  • disable Voice Dial
  • disable everything that is listed under “Allow Access When Locked”
  • disable everything related to iCloud except for Find My iPhone. If you keep iCloud Backup enabled for iMessage, all of your encrypted messages will be kept as plaintext, so it is best to turn this off even if you intend on using a different messenger such as Signal.
  • disable Notification Previews.
  • disable “Send as SMS” for messages (not end-to-end encrypted like iMessage)
  • disable JavaScript for Safari. This will prevent trackers and other malicious JS from executing in webpages (content blockers in Safari are not robust enough at this point in time, as they are reliant on other apps such as AdGuard and Firefox Focus also being secure. Remember, the fewer non-native apps we have installed, the smaller the attack surface)
  • disable Browsing Cookies and History.
  • Enable Erase Data after 10 failed passcode attempts
  • Ensure your iPhone is up to date with the latest software version, and that all of your installed apps are up to date (more on this later)
  • Enable Two-Factor Authentication on your Apple ID (and all of your other accounts, but more on this later). This ensures that your device is secure even if your password is compromised.
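The checklist above is applied by hand in Settings. As an added example (not from the original post), the sketch below goes one step further and assumes the same settings are delivered as an Apple configuration profile, then reports which checklist items the profile leaves unenforced. The key names are Apple's configuration-profile keys, some of which only take effect on supervised devices; the item-to-key mapping and the sample profile are constructed for this example.

```python
import plistlib

RESTRICTIONS = "com.apple.applicationaccess"
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
# Checklist item -> (payload type, key, value the advice implies).
# The mapping is this example's assumption, not part of the post.
EXPECTED = {
    "Touch ID / Face ID unlock off": (RESTRICTIONS, "allowFingerprintForUnlock", False),
    "Siri off": (RESTRICTIONS, "allowAssistant", False),
    "Control Center off on Lock Screen": (RESTRICTIONS, "allowLockScreenControlCenter", False),
    "Handoff off": (RESTRICTIONS, "allowActivityContinuation", False),
    "Voice Dial off": (RESTRICTIONS, "allowVoiceDialing", False),
    "iCloud Backup off": (RESTRICTIONS, "allowCloudBackup", False),
    "Lock Screen notifications hidden": (RESTRICTIONS, "allowLockScreenNotificationsView", False),
    "Safari JavaScript off": (RESTRICTIONS, "safariAllowJavaScript", False),
    "Erase after 10 failed attempts": (PASSCODE, "maxFailedAttempts", 10),
}

def audit_profile(profile_bytes):
    """Return the checklist items the profile does not enforce, sorted."""
    profile = plistlib.loads(profile_bytes)
    # Merge settings per payload type; a later payload of the same type overrides.
    settings = {}
    for payload in profile.get("PayloadContent", []):
        settings.setdefault(payload.get("PayloadType"), {}).update(payload)
    gaps = []
    for item, (ptype, key, wanted) in EXPECTED.items():
        actual = settings.get(ptype, {}).get(key)  # None: key absent, device default applies
        if key == "maxFailedAttempts":
            # Any limit up to the wanted number of attempts is at least as strict.
            ok = type(actual) is int and 0 < actual <= wanted
        else:
            ok = actual is wanted
        if not ok:
            gaps.append(item)
    return sorted(gaps)

# Constructed sample: only Siri and Safari JavaScript are disabled,
# and the passcode policy allows 11 attempts instead of 10.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": RESTRICTIONS, "allowAssistant": False, "safariAllowJavaScript": False},
        {"PayloadType": PASSCODE, "maxFailedAttempts": 11},
    ],
})

if __name__ == "__main__":
    for gap in audit_profile(SAMPLE):
        print("not enforced:", gap)
```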

When using your device:

  • carry a USB Condom or a battery pack for charging, or only use your own wall-plug charger (and mark it with your name). Do not plug your phone into any ports that you do not trust. With newer iPhones that have wireless charging capabilities, you could potentially go as far as filling the lightning port with cement or hot glue to disable port access to the phone.
  • Use encrypted Notes (make Note in "On my iPhone", then tap the share button in top right corner, "Lock Note"). Please note: the first line of the note is kept unencrypted as the title, so keep this blank! An alternative is using the Standard Notes app which encrypts all of your notes by default.
  • in saying this, remember to try to avoid installing non-native apps and keep them to a minimum. Having more apps potentially increases the attack surface for gaining access to the phone.
  • if you must use JavaScript with your web browsing, use Brave as your JavaScript-enabled browser. It has HTTPS Everywhere and ad blocking enabled by default.
  • avoid email for communication. Everything is plaintext by default, so use iMessage, Signal or Wire for communication. Other messaging services make far too many compromises to be considered secure.

If you can, use Signal for all of your communication. It is open source, fully audited, and backed by some of the best security researchers in the world. When setting it up:

  • enable Screen Security
  • Show Sender Name Only for notifications
  • disable Debug Log
  • “Pre-warm” conversations with the people you expect to communicate with during your trip. Don’t message people out of the blue without knowing where they are at beforehand. You can take the time to verify each other’s “fingerprints” prior to sending any messages.
  • take a screenshot of your fingerprint QR (long tap on the name of a conversation), and send it to yourself (and verify the fingerprints between your two phones). You'll want to put that on your out-of-office email. You can also check that the fingerprints of the people you talk to match the ones you see on your main phone.

If you are going to be logging into other accounts via your phone, make sure you have secure passwords for each, with two-factor authentication enabled on everything.

I highly recommend using 1Password to generate and manage your passwords (everything except your Apple ID, as this is something you need to know and be able to type with relative ease). It has a very strong reputation and is endorsed by security experts such as Troy Hunt.

Making websites more accessible

I have spent most of today working to try and make my personal website more accessible to folks who use screen readers or other auxiliary devices. It has mostly involved adding alt text to images and links, but I regret not doing this sooner.

To anyone maintaining their own websites I urge you - put accessibility at the forefront of your design! That way everyone can enjoy it.

Today I heard

Today I heard some great advice that came in the form of a question:
“What aren’t you saying that needs to be said?”

Reading

I am currently re-reading "Meditations" by Marcus Aurelius. It's right up there as being one of my favourite books of all time, and I have always gone back to it when I feel like I've lost my way a little.

I imagine what it must have been like for someone like Aurelius, on the battlefield when all of his troops were asleep, to be writing this document and trying to reflect on the human condition. His situation was the complete opposite of someone like Epictetus, a slave, and yet they were both dealing with the exact same issues.

Simple, meditative and poetic, I highly recommend this book to those looking to do some introspection and reflection.

Staying asleep today...

Tomorrow will be a good day
And today will be okay

Stormy days...

It's starting to really pack up in Tamaki Makaurau today. The trees outside are being hammered against the wind, and Mother Nature is making Herself truly felt.

Championships

If you haven't heard Meek Mill's new album, I'd highly recommend it!

I hadn't really been such a fan of him up until now, but with this album I really feel as though he has reinvented himself. The songs on this album are really heartfelt and endearing, and really show the level of reflection he's gone through since being released from prison.

Even if you don't usually listen to hip-hop, give it a listen!

Missed a day

And it's been a pretty tricky day as it is
But hey
It's okay
Because at the end of the day
The ground will be under my feet
No more hiccups of the heart

Writing for everyday

Doesn't matter what it's about
Doesn't matter if it's good
Doesn't matter if it's bad
Just go for it
Go for it

12/5

There was a year when I wasn’t really sure of myself. I didn’t want to disappoint those around me, and yet I found myself doing so no matter how hard I tried.

Not knowing what to do, I sought the advice and counsel of someone much wiser than me. They told me this:

“You entered this world with nothing, and will leave this world with nothing. All that you have is the space in between”

In my effort to continually please others, I had lost myself. I had forgotten about the truly important things that make me who I am.

One day I will depart this world and move to the next. The fabric of my being is made up of countless men and women who came before me, and of those who have yet to enter this world.

They are always with me. When the time comes, I won’t be lonely. When the time comes, I won’t have to worry.

11/5

I once heard an artist say that he would have other people make work in his name, even after he had died.

“Someone’s got to support my wife and kids while I’m gone!”, they said.

This was a few years ago now. Ever since I had that conversation with them, it’s made me think about what will happen to the things I have made, including this website, once I’ve departed this world.

Will I have my computer continue to make work and exist in my name?

At the moment I am thinking about...

Dancing in a browser

Machines that play themselves

A work that can be done every day, in every room of the house