Notes from reading Firewalls Don’t Stop Dragons

Photo by Alyzah K on Unsplash

This is the one book I recommend to my non-tech-savvy friends for them to learn essential computer security and privacy. Carey Parker (the author) does an amazing job simply explaining essential cybersecurity and privacy concepts. He structures each chapter with a series of explanations followed by a checklist of recommendations. This makes it easy to follow-through and actually make security or privacy-focused decisions based on what you learn. He teaches you the why and how. Consider buying the book off of Amazon for yourself or friends/family and check out his podcast (also called Firewalls Don’t Stop Dragons) on your preferred podcast app.

Before reading, I recommend watching this video from Glenn Greenwald which best illustrates why privacy should matter for you. The author links to the video in his book. The list of concepts, tools, or highlights that follow are not a replacement to actually reading the book. Consider what follows as a teaser on what the book actually explains.

TED talk from Glen Greenwald on Why Privacy Matters

Concepts and tools:

  • security and privacy, credential stuffing, convenience vs. security, prevention, detection, recovery, defense in depth, cloud computing, net neutrality
  • malware, worm, trojan, spyware, scareware, potentially unwanted program (PUP), bot, botnet, rootkit, hardware hacking, exploit, zero-day exploit
  • CIA Triad (confidentiality, integrity, and availability)
  • cryptanalysis, cryptography, cypher vs plaintext, frequency analysis, symmetric encryption, asymmetric encryption, public and private keys, crytographic hashing function
  • uninterruptible power supply, attack surface, authentication
  • Fast Identify Online (FIDO), SQRL1 (Secure, Quick, Reliable Login), multifactor authentication, smart phone authenticator app, sim swapping attack, time-based PIN, limiting windows of opportunity with password expirations
  • security through obscurity, practice of least privilege, firewalls, network address translation (NAT), FUD (fear, uncertainty and doubt), signature-based vs heuristic AV algorithms, dynamic lock in Windows 10, cross-cutting shredders
  • local area network (LAN), wide area network (WAN), ISP, modem, router, WLAN,Dynamic Host Configuration Protocol (DHCP), quality of service (QoS), IoT devices, virtual private network (VPN), HTTPS vs HTTP, WPA, WEP, SSID, Transport layer security (TLS), certificate authorities (CAs), domain name service (DNS) lookup, cookie, web browser, electronic frontier foundation (EFF), active advertising, malvertising, digital fingerprinting, referer HTTP header, DuckDuckGo, PrivacyBadger, HTTPS Everywhere, uBlock Origin
  • Short message service (SMS), Rich Communications Services (RCS), Punycode, end to end encryption (E2EE), Pretty Good Privacy (PGP)
  • Equifax, Experian, TransUnion, freezing your credit, email aliases, Firefox relay, virtual credit card services, daily withdrawal limits, Equifax Work Number database, Cryptomator, EXIF (Exchange Image File format), juice jacking, usb data blocker
  • digital estate planning, preventing unscrupulous people from stealing a deceased person’s identity, NoScript, Haven android app on an old android phone, Dedicate Guest Wifi Router, LittleSnitch, PrivacyTools.io, Open Source Routers — DD-WRT or OpenWRT or Tomato, SecureDrop, TailsOS, sandboxing with a virtual container, Pi Hole, EFF Dice and DiceKeys
  • Takeaways: Backup files, keep software up to date, use strong pass, use two factor authentication (via an authenticator app or hardware authentication device), surf web safely with security and privacy, don’t open or click on unrequested or unexpected attachments or links, support privacy protection organizations like EFF.

A few highlights (excerpts From: Carey Parker. “Firewalls Don’t Stop Dragons”):

  • “Compromised security can be fixed; compromised privacy cannot.”
  • “if your computer or online accounts are compromised, they can be used to compromise others — particularly those with whom you are connected to directly. When you leave yourself vulnerable, you’re not just risking your own safety — you’re risking the safety of others, as well.”
  • “The most common single-letter words in the English language are I and a. The most common three-letter word is the… The most common first letter of a word in English is the letter S.”
  • “If the product is free, then you are probably the product”
  • “You can attempt to “opt out,” but you’re relying on these unregulated companies to voluntarily comply with your wishes — not just now but forever.”
  • “In many cases you just need to ask, how do they make their money? Are you paying a fair price for what you’re getting? If you’re paying nothing or if the price is too good to be true, then you should think carefully about trusting the source”
  • “The focus is not educational or informational; it’s about getting (and keeping) eyeballs. The Internet economy is based on attention.”
  • “Something you know (like a password or PIN), Something you have (like a key, a badge, or your smartphone), Something you are (like your fingerprint, your face, or your eye’s iris pattern)”
  • “The assumption is that your fingerprint or face can’t be faked or copied, but that’s a bad assumption. In 2015, the US Office of Personnel Management (OPM) had 5.6 million digitized fingerprints stolen via computer hack. It’s not like those 5.6 million can change their fingerprints. They’re screwed for life.”
  • “First, you should never use regular words, phrases, or guessable numbers like birth dates. Second, you need a wide variety of characters: uppercase and lowercase letters, numbers, and special characters. Third, you need at least 12 characters to prevent a brute-force attack”
  • “You should have a unique password for every website”
  • “Security through obscurity means that you try to lie low and not draw attention. If they don’t see you, they won’t attack you”
  • “Social media services are the most colossally effective Trojan horses ever created by humans”

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store