My digital security setup

Y’all see that guy who got hacked recently? TL;DR: AT&T sent a hacker some dude’s SIM card, so all his 2FA defenses were useless.

That story shocked me into getting my operational security into shape. Here’s where I am right now.

Step 1. Secure my devices.

I’ve switched to 10+ character randomized alphanumeric passwords for my phone and my work/personal laptop. In retrospect these devices were a single point of failure (SPOF) – if a malicious party had gotten access to one of them, they could have gained access to my password vault and any sensitive information on my hard drive.

To prevent the Mac login experience from taking too long, I’ve also purchased YubiKeys and Rohos Logon Key for Mac. This allows me to unlock my computer with physical YubiKeys. If someone got my computer and my YubiKey, I’d be screwed – I think it should be possible to add a PIN code to the YubiKey but I haven’t done this yet.

I’ve also ensured that my password managers require the master password to be re-entered after a new login.

Step 2. Secure my services.

The most involved part of this process was auditing GitHub, Google, Dropbox, and Facebook for security settings, as well as deleting any apps/devices no longer being used. These services all support YubiKey as a 2FA option, so that, coupled with Google Authenticator, allowed me to drop SMS for 2FA entirely. Twitter requires the use of SMS – a glaring weakness.

Surprisingly, my financial institutions were the least equipped to handle 2FA. Simple only supports text messages; Chase’s implementation is sporadic and also text only; and PNC has literally nothing in the 2FA space. Despicable.

Update 10:27am: Colin Howells pointed out on Twitter that PayPal’s SMS-based 2FA might be the worst of all. He also noted some flaws with iCloud’s 2FA implementation, which uses any Apple device previously authorized (including the device you might be physically using to access the service). So that iCloud protection is of questionable security value if the malicious actor has already gained access to your desktop.

Step 3. Secure my network access.

I got a lifetime subscription to VPN Unlimited as a general prophylactic. My main WordPress server has been running SSL for a while now, and I hardened my SSH settings. Pantheon doesn’t have its own 2FA technology, unfortunately, but I was able to apply 2FA through Google Authenticator to my administrator account.
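“Hardened my SSH settings” usually comes down to a handful of sshd_config directives: key-only authentication, no root login, no empty passwords, no X11 forwarding. The checker below is an added example (not from this post or from OpenSSH); it parses a config the way sshd does (comments stripped, first occurrence of a keyword wins, directives after a Match block ignored) and reports which of an assumed set of recommended settings are missing or weak. Both sample configs are constructed.

```python
import re

# Recommended values assumed for this example; adjust to your own policy.
DESIRED = {
    "PasswordAuthentication": "no",   # key-based auth only: nothing for a password-guesser to try
    "PermitRootLogin": "no",          # log in as a user, then escalate via sudo
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}


def parse_sshd_config(text: str) -> dict:
    """Return {keyword.lower(): value}. Like sshd, the first value for a keyword wins,
    '#' comments and blank lines are skipped, and both 'Key value' and 'Key=value' are accepted.
    Directives after the first Match block are conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> list:
    """List every DESIRED setting that is absent or set to a weaker value."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in DESIRED.items():
        have = settings.get(key.lower())
        if have is None:
            findings.append(f"{key} not set explicitly (want {want})")
        elif have.lower() != want:
            findings.append(f"{key} is {have} (want {want})")
    return findings


# Constructed sample: a default-ish config before hardening.
WEAK_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed sample: the same server after hardening.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; the commented-out `PubkeyAuthentication` line in the weak sample is flagged as “not set explicitly” on purpose, since an audit should not rely on remembering which defaults are safe.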

Anything else I should be doing? Share your tips in the comments!
