by tptacek 3136 days ago
Everything that's in this piece that's true is on the Tech Solidarity guide. What isn't, is false.

https://techsolidarity.org/resources/basic_security.htm

In particular:

* Do NOT install antivirus on your computers. Antivirus software is absurdly dangerous. The closest you'll come to benign AV is Microsoft's, but that's an asymptotic kind of safety.

* Do NOT go out of your way to funnel your traffic through a commercial VPN provider. If you need a VPN for your NGO or journalism outlet, let me or someone else trustworthy know, and we'll set up Algo for you. No commercial VPN provider is safe for at-risk users.

* Do NOT EVER use Tor Browser. It's the least safe browser you can use: a lagged fork of Firefox for which whole classes of security bugs are potentially WONTFIX'd, and also the only browser that goes out of its way to collect high-value targets.

* Do NOT install Adium or Pidgin to speak to people over OTR. It's difficult to find exploitable bugs in libotr, but it is not difficult to find them in libpurple. Use Signal, WhatsApp, or Wire.

* You would have to be out of your fucking mind to install mobile AV.

4 comments

Recently, on national TV, the Director of Cyber Risk Services from Deloitte Netherlands told people that they shouldn't be using free virus scanners, but that they should invest in their security. I was flabbergasted, because this is a person that is being hired by the government to advise on cyber security matters and is often involved in public discussions.

> Do NOT EVER use Tor Browser.

Is that a general recommendation against Tor? Or would you recommend another tool to someone who wants to use Tor? Tails?

One advantage of Tor Browser is the standardization. When using the Tor Browser, you look just like every other user of the Tor Browser.

I don't think Tor is a good idea in general, but my categorical "never" is about the browser bundle.
What's so bad about AV, and what makes Windows Defender an exception?
Windows Defender doesn't need to compete in the AV marketplace as it's bundled with every single copy of Windows, and also its maker is the same one who makes Windows, and therefore it is in MS's interests to make their AV light and unobtrusive (relatively). Other AV vendors compete fiercely with themselves and this leads to feature creep and bloat, as well as trying to grab the user's attention to sell their features and upgrades. All this leads to a subjectively poorer experience with non-MS AVs under Windows.
So it's a question of UX, not security?
No, it's a question of security. AVs are huge and therefore significantly increase the attack surface. They also auto-update all the time which means your computer now talks to one more update server that can be compromised.

Windows Defender is relatively small, doesn't really have any features or fancy UI and updates come from the same servers that your OS updates come from (presumably). That's about as close as you can get to not making it worse by installing an AV.

Is Tor Browser inside Whonix good? Would you recommend a different browser inside of Whonix instead?
It is explicitly warned not to use the Tor Browser under Whonix because the browser starts its own instance of Tor while Whonix already funnels every network request through its gateway Tor and Tor over Tor is supposedly undefined behaviour. So you have to go the additional step of disabling Tor Browser from starting its bundled Tor...

Or under Whonix just use any normal browser like Firefox.

That's not what I see on https://www.whonix.org/wiki/Tor_Browser

It explicitly says "There is no Tor over Tor scenario in the Whonix environment." when using their modified Tor Browser.

Thanks. I stand corrected. I didn't realise they supplied their own modified Tor Browser...
> any normal browser like Firefox.

This is very bad advice. Do not use Firefox. It is not as secure as Chrome.

If you use your browser for more than one site per execution, having your browser process owned up is devastating. Don't use Tor Browser.
What's the better alternative?
https://medium.com/@thegrugq/tor-and-its-discontents-ef51648...

You really just want to use Chrome/Chromium.