Security and the Internet are a chicken-and-egg problem. If you are connected to the web, you are at risk; if you are not connected to the web, you don't get the proper updates on your device and are also at risk. So how does one close potential back-doors?
The answer is pretty simple: it's not possible to be completely safe on the web. Especially with things like the Meltdown attack, users have to accept that there might be ways to compromise their devices below the operating system level.
Still, the world banking economy and a lot of blockchains run smoothly and demonstrate that it is possible to run a safe machine online, keeping in mind the security settings advised by VRITS in their great article:
which is the basis of any safe operation of your Cardano nodes.
On the other hand, the above examples illustrate that the only way to complete safety is to run a machine in a so-called "safe-by-design" setup. This means, for example, having your computer disconnected completely from the web, which - by design - eliminates the possibility of someone compromising your device via the internet. This is the advised setting for the node you use to sign transactions - the node which holds your cold keys. Following this simple precaution automatically eliminates the risk of your cold keys being stolen via the web. On the other hand - if the device is not encrypted - it is possible to physically steal the computer from your home, and with it your cold keys and the access to all the ADA on your pool. For this reason, encryption of the cold keys is highly advised - software like VeraCrypt can store your files in an encrypted container, thereby protecting your keys from physical theft. Be sure to keep your cold keys in multiple encrypted locations.
But what about all the users and stakepool operators out there, accessing the internet via their home-routers?
Here the same principles apply as for ordinary goods. Where is the most dangerous place for your information? On the road, just like with real goods! So how can one protect internet packets? By sealing all the intrusion points.
1. The first thing to advise is protecting the road your packets travel. The internet is of course built from machines talking to each other over the IP protocol, so when you access a website you really access the IP address of the server hosting it. And the one telling you the IP of the hosted website is your Domain Name Service (DNS). So - if you access for example cardanojournal.com - you really don't know which address you are accessing; your DNS tells you which IP the cardanojournal.com website really has. If your DNS is compromised, however, you can be fooled and sent to imitation sites! Check your DNS on Linux by first installing resolvconf if you don't have it:
sudo apt install resolvconf
You can print your DNS servers with cat /etc/resolv.conf. Among the output there is a nameserver line, and the address on it is the IP of your DNS. Check whether this is the DNS of your internet service provider (ISP); if it is not, your device might be compromised. Note that on many home networks this line shows the router's own local address (such as 192.168.x.x), because the router forwards DNS queries to the ISP; in that case check the DNS settings in the router's admin page as well.
Furthermore, the DNS provider sees every website you visit and, in most countries, stores that data for some months. Your DNS provider might even censor the web by sending you to different sites when you access a censored one. This is why it is highly advisable to choose a proper DNS that is in accordance with your needs. A fast, free, reliable and uncensored DNS is run by https://blog.uncensoreddns.org/. Be sure not to edit the resolv.conf file directly, as the changes will be overwritten. Instead, edit your wi-fi/LAN connection settings and enter the DNS in the DNS section. Reconnect and run cat /etc/resolv.conf again to check that your nameservers match the wanted DNS. For uncensoreddns the output looks like:
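To make the "check your nameservers" step repeatable, here is a small POSIX shell function, added as an example and not part of the original article, that reads a resolv.conf-style file, extracts the nameserver lines and compares each one against an allow-list of resolver addresses you expect (your ISP's, your router's, or the uncensored DNS you configured). The file path and the expected addresses are arguments; the sample file at the bottom is constructed with documentation-only addresses (192.0.2.x, 198.51.100.x) and is not real output.

```shell
#!/bin/sh
# Added example (not from the original article): compare the nameservers in a
# resolv.conf-style file against an allow-list of expected resolver addresses.
# Usage: check_nameservers FILE EXPECTED_IP [EXPECTED_IP ...]
# Prints one line per nameserver (OK / UNEXPECTED) and returns 1 if any
# nameserver is not in the allow-list, 0 otherwise.

check_nameservers() {
  file="$1"
  shift
  status=0
  # Keep only 'nameserver' lines; ignore comments, blank lines and trailing text.
  for ns in $(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$file"); do
    found=0
    for want in "$@"; do
      [ "$ns" = "$want" ] && found=1
    done
    if [ "$found" -eq 1 ]; then
      echo "OK          $ns"
    else
      echo "UNEXPECTED  $ns"
      status=1
    fi
  done
  return "$status"
}

# Demo on a constructed resolv.conf (documentation addresses, not real data).
# On a live system you would pass /etc/resolv.conf instead.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
# Generated by resolvconf
nameserver 192.0.2.1
nameserver 198.51.100.9   # not in our allow-list
search home.lan
EOF
if check_nameservers "$sample" 192.0.2.1 192.0.2.2; then
  echo "all nameservers are expected"
else
  echo "WARNING: unexpected nameserver found - check your connection and router settings"
fi
rm -f "$sample"
```

Run it against /etc/resolv.conf with the addresses you expect; a non-zero exit status means a resolver you did not configure is in use, which is exactly the situation the article warns about.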
2. Router safety is an issue!
As all your internet traffic goes through your router, also make sure to configure it properly! This tutorial only gives some key points; it is always advisable to check the web for known threats concerning your router model. Keeping the settings below in mind will, however, bring you closer to a secure web experience.
Check your router password! Most users never change their router passwords and - even if the default user/pw are not things like user: admin password: admin - there have been breaches of company data containing the default router passwords. As the router is the gate to the web, it is of utmost importance that it is not compromised! Log into your router and change the default user and pw!
Only use WPA2 for wifi - things like WEP can be hacked in less than 5 minutes.
Disable remote administration - some routers feature it but it's a potential security risk.
Keep your router firmware up to date! Check if there are updates for your router model - if you are running on a very old router where no updates exist - consider contacting your ISP for a new model.
For an extended discussion of router security visit: https://routersecurity.org/
3. Don't browse the web randomly on a machine you use for crypto - it exposes your machine to things like Flash, which have been known to contain intrusion points for malware. Consider installing NoScript, as it blocks most of the unwanted scripts running on web pages.
4. Never - Never - Never expose your crypto holdings! It should be self-explanatory - but there are still people out there blurting on Twitter about how many ADA they bought yesterday. Don't do this; it marks you as a potential target for attack!
5. Stay safe - stay alert: always follow the latest news on your project, only use proper links for the software, check PGP keys and stay up to date! Most hacks are exposed very fast, and security updates are released sealing the back-doors.
6. Always be alert when handling your crypto - if something seems strange, take a break and check again.
This is only a short list of things to pay attention to in order to stay safe - without any guarantee of complete safety, as that doesn't exist.