Thoughts on electronic security tools
I was recently interviewed by blogger Jillian C. York, one of those handful of people with whom I have an oddly enjoyable entirely Twitter-based relationship. The interview was part of a set she’s doing on people’s use of Tor, a web anonymity tool. (It’s run within a program called Vidalia, like the onion, an apt metaphor for how Tor anonymizes your web surfing by passing your data through layers of other users).
The interview was the first time I’d had a chance to think through my use of Tor and other electronic security tools. It comes down to: while I don’t really have anything to hide; while I’m not a security master; and while I’m not a paranoid, it still feels like an obvious best practice, like locking up your bike. It’s easy, and it’s free, so why not take that extra step? (And sometimes you get props, or suspicion, or both, like when Chris Csikszentmihalyi walked by my laptop and said conspiratorially, “You’re running Vidalia?”)
One thing I mentioned in the interview but largely glossed over was my use of TrueCrypt, a harddrive encryption program.
TrueCrypt is freaking awesome. It would take thousands of years to decrypt your data if someone ever got a hold of it. Except there’s a weak link: you have to remember your password. There’s absolutely no password-recovery option. When I went out sick in ’07 with the memory problems, the person Tufts brought in to cover my work didn’t know the password. And neither did I, anymore. I had to go into the office a couple weeks after my surgery, and luckily, amazingly, my fingers had enough muscle memory that they typed out the password on the first try. (But I uninstalled TrueCrypt on both my computers after that. I wrote to Bruce Schneier sometime afterward and asked him what you’re supposed to do about a TrueCrypt password if you have a crappy memory. His three-word reply: “Write it down.”)
Electronic security tools today are dead-simple to use, free, and open source (therefore verifiably safe). They don’t get a lot of attention, but each one of them—Vidalia, TrueCrypt, or a password-organizer like KeePassX—are all worth the 5 minutes to set up.