Occasionally I get posed questions like the above, and I want to coalesce my thinking.
Exactly as the above, you have a small campaign of people who are dedicated but who are scared of user-interfaces and configuration panels. You have a message you want to “get out”. You are pretty sure that $STATE_ACTOR_BADGUY is going to attempt to take you and your message down.
In these circumstances, how do you speak?
Option 1: Facebook
This is not necessarily obvious, but so long as your audience is a population that uses Facebook, then why not outsource all the badness-handling to the Facebook security team? They’re good at this stuff, and they understand the issues, and they are surprisingly sympathetic towards “the little guy” pursuing a liberal cause – I can confirm this, I used to work there.
You have to play by the rules, though: one or more real Facebook accounts, of real people, need to become owners of a “Page” that will host the content. The page will have to tread upon the “polite” side of political protest. There are declarations to be filled out and completed.
There will doubtless be $BADGUYS who repeatedly report your page for hosting porn, etc., because they want to shut you up; but so long as the page owners are real people beyond reproach (rather than, say, fake accounts set up for the explicit purpose, which would be detected and lead to a dramatic loss of sympathy, and of your data) then you should be fine.
Note regarding “Two-factor Authentication” (2FA)
- The Facebook help page on 2FA is a good introduction to the available forms of 2FA, as is the Wikipedia page.
- In general you should avoid enabling SMS-based forms of 2FA; sometimes it is unavoidable, but it’s a weak spot in your security if you do so.
- In general you should enable the use of reputable third-party authentication apps such as “Authy”, “Google Authenticator”, and “1Password” to name but three.
Then, for Facebook, you should:
- Ensure that all the Facebook accounts of all people who own or can edit the page are protected by 2FA so that it’s hard to break into the page.
- Ensure that all the Email accounts (e.g. Gmail, Yahoo, Outlook) of all people who can own or edit the page are likewise protected by 2FA, because a compromised mailbox can be used to reset the Facebook password; if this is not possible, then that person should not be an owner/editor.
- Download regular backups of content.
If you are very advanced, you might want to use a hardware “security key” such as a YubiKey; Facebook and Google both support them, but they may be a stretch for a non-technical person, and many other sites still do not support them.
IT IS VERY, VERY IMPORTANT THAT YOU PRINT OUT AND KEEP SAFE THE LIST OF EMERGENCY BACKUP KEY-CODES THAT YOU WILL BE GIVEN, IN CASE YOU LOSE OR DESTROY YOUR PHONE.
Option 2: Huge Commercial Blog Provider, e.g. WordPress.COM, Medium, …
If Facebook doesn’t work for you, then why not create a blog on WordPress or Medium? Again: it already exists at huge commercial scale and is resistant to attack. Why make life hard for yourself?
- You can register a domain name of your own choice
- Most big and reputable domain registrars (often the same company as your DNS provider) will offer a “register this domain pseudonymously with extra privacy” option for a fee, so that your name and address do not appear in the public WHOIS record.
- You can then import the domain name into the blog.
For the purposes of hygiene, you should
- enable 2FA for your DNS account
- enable 2FA for your BLOG account; if the Blog supports “Login with Google” or “Login with Facebook” or “Login with Apple”, then assure that 2FA is enabled for the relevant Google or Facebook or Apple accounts.
- enable 2FA for the Email accounts (e.g. Gmail, Yahoo, Outlook) of anyone who owns, edits, or writes-for the blog; if this is not available for an individual, then that individual should not own/edit/write-for the blog
- WordPress seems to support all the major forms of 2FA, but their help page is confusing; you will have to tiptoe around it so as not to enable SMS-based 2FA.
- Be careful what plugins and themes you use/choose; but at least the point of using a hosted service like this is that updates (etc) and resistance to attack (etc) should be “someone else’s problem”.
- Download regular backups of content.
Option 3: Self-Hosting.
I would recommend that you don’t do this. Really. There’s a considerable technical burden which is hard to express, and you will need to keep on top of a lot of issues. Here are some highlights:
- Hosting Provider: you could roll your own, but frankly you are probably better off going with something like AWS, where you can scale up if you need to handle load. Make sure to 2FA your hosting provider account. Make sure that you have a robust payment mechanism set up, using a payment card belonging to someone reputable with adequate funds, so that the site is not switched off for non-payment.
- DNS Provider, with privacy protection. See the notes above. Make sure to 2FA your DNS Provider account
- Anti-DDOS Provision; for AWS this is probably CloudFront (which comes with AWS Shield), for everyone else this is probably Cloudflare. Other options are available, but may or may not be ready for nation-state attacks, whereas the former two have had a lot of practice. Make sure to 2FA your Anti-DDOS Provider account.
…and then for your Linux instance(s)
- Minimised.
- Strongly authenticated (SSH key access only; password and root logins disabled in sshd).
- Access controls (i.e. firewall or Security Group rules) restricting inbound SSH to known source addresses.
- Automatic software updates.
- No “homebrew” software, everything battle-tested.
- Setup LetsEncrypt for HTTPS.
- Do not use a CMS merely because “it’s what we know”, use something that has a few million installs and is kept current and has lots of documentation.
- Enable static content caching (e.g. WP Super Cache if you are using WordPress) so that your Anti-DDOS provider should not need to do much.
- Especially for WordPress, but also in general: do not use any plugins which are not supported directly by the CMS provider, e.g. Automattic.
- Do not install plugins that offer only cuteness or minimal convenience.
- Consider all software to be hackable or likely to fail under load until reasonably proven otherwise.
- Set up logging. If you use a third-party logging service, set up 2FA on it.
- Set up alerts. Send alerts to a trusted phone, or to an Email service protected by 2FA.
- Make sure to 2FA every single provider or service that you depend upon.
- Take regular backups.
- Run some basic security scans against it.
- Make sure that alerts are actually being delivered, by faking some of the events that should cause them (e.g. the filestore filled by overflowing logs).
- So much more, so very much more. This is why using Facebook or WordPress makes sense.
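Two of the items above are easy to turn into a check you can run yourself: that sshd really is key-only with no root password login, and that the “filestore filled by overflowing logs” alert actually fires when fed a full disk. The script below is an added example written for this post, not code from the original; it is plain POSIX sh, runs offline against constructed inputs (sample sshd_config files and a constructed `df -P` output), and the mount point and 90% threshold are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit two checklist items offline.
#   1. sshd_config: key-based login only, root password login forbidden.
#   2. Disk-full alert rule, exercised with constructed `df -P` text so the
#      alert path can be tested on demand ("fake the event").
# Mount point, threshold and sample files are assumptions for the example.
set -u

# In sshd_config the first uncommented occurrence of a directive wins and
# directive names are case-insensitive; print its value, or nothing if unset.
sshd_get() {  # sshd_get DIRECTIVE FILE
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Return 0 if FILE enforces key-based login and forbids root password login,
# 1 otherwise, listing each failing item on stdout.  Absent directives are
# judged by the OpenSSH defaults (PasswordAuthentication defaults to yes).
audit_sshd_config() {  # audit_sshd_config FILE
    f="$1"; rc=0
    pw=$(sshd_get PasswordAuthentication "$f");   pw=${pw:-yes}
    root=$(sshd_get PermitRootLogin "$f");        root=${root:-prohibit-password}
    pubkey=$(sshd_get PubkeyAuthentication "$f"); pubkey=${pubkey:-yes}
    if [ "$pw" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pw (want no)"; rc=1
    fi
    case "$root" in
        no|prohibit-password) ;;
        *) echo "FAIL PermitRootLogin=$root (want no or prohibit-password)"; rc=1 ;;
    esac
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL PubkeyAuthentication=$pubkey (want yes)"; rc=1
    fi
    return $rc
}

# Percentage used of MOUNT in `df -P` text read from stdin (six columns:
# Filesystem, 1024-blocks, Used, Available, Capacity, Mounted on); prints
# nothing if MOUNT is not present.
df_used_pct() {  # df_used_pct MOUNT < df_output
    awk -v m="$1" '$6 == m { sub(/%$/, "", $5); print $5; exit }'
}

# Alert rule: succeed (fire) when MOUNT is at or above THRESHOLD percent used.
disk_alert() {  # disk_alert MOUNT THRESHOLD DF_TEXT
    pct=$(printf '%s\n' "$3" | df_used_pct "$1")
    [ -n "$pct" ] && [ "$pct" -ge "$2" ]
}

# ---- constructed sample inputs (not real host data) -------------------------
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# stock-looking config: password logins still on, root may log in with one
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
cat > "$HARD_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/root 20000000 5000000 15000000 25% /
/dev/vdb 10000000 9800000 200000 98% /var/log'

for c in "$WEAK_CONF" "$HARD_CONF"; do
    if audit_sshd_config "$c"; then echo "$c: sshd OK"; else echo "$c: sshd NEEDS FIXING"; fi
done
if disk_alert /var/log 90 "$SAMPLE_DF"; then echo "ALERT: /var/log at or above 90% used"; fi
rm -f "$WEAK_CONF" "$HARD_CONF"
```

Run it against the real files by pointing `audit_sshd_config` at `/etc/ssh/sshd_config` and piping `df -P` into `df_used_pct`; the point of the constructed `SAMPLE_DF` is that you can prove the alert rule fires without actually filling the disk, which is the kind of fake-the-event test the list above asks for.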
This is a prototype page, and I have gotten to a reasonable place to stop. Suggestions are welcome, below.
- yes I would mention Github Pages, except for “non-techie writers”