Changing program behaviors and/or adding new features are high-risk endeavors. Doing so safely requires tooling, and the most important piece of that tooling is an automated regression-test suite that verifies the new code has not broken the old. Without a suite comprehensive enough to confirm the current behavior, every addition or change puts existing functionality at risk. For example (as detailed below), BitWarden has suddenly started locking me out of my vault.
I have been using BitWarden (via a Firefox app on my PC) since 2019, and it has always
allowed me to access my vault if I enter the correct password. However, BitWarden has
suddenly started locking me out because “traffic from your [my] network looks unusual”.
Privacy- and security-conscious users often route their traffic through a Virtual Private
Network (VPN). The VPN client encrypts everything the user sends and tunnels it to a
user-selected VPN server; the server decrypts it and forwards it to the intended destination
using its own egress IP address, and replies take the same path in reverse. The user's ISP
sees only an encrypted stream to the VPN server, not which sites are visited (it can still
see that a VPN is in use and how much data flows). The destination website sees only the
server's egress address, which it cannot tie to an individual. Providers draw these egress
addresses from a pool and typically put many users behind each one. That last point matters
for what follows: any check keyed on the source IP address, whether it counts logins per
address or consults a list of known VPN ranges, treats a whole crowd of unrelated users as
one, and such checks run on the service's login endpoint, independent of the client version.
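The following is an added example, not code from the original post and not Bitwarden's own logic. It is a toy model of a login-abuse check keyed on the source IP address, run against a constructed login log in which six unrelated users sit behind one shared VPN egress address while an attacker sprays a single account from a residential address. The thresholds, the IP addresses (RFC 5737 documentation ranges), the "known VPN" prefix list and the account names are all illustrative assumptions.

```python
"""
Added example (not from the original post, not Bitwarden's code): compare an
IP-keyed "unusual traffic" rule with a per-account failure rule on a
constructed login log. Thresholds, addresses and account names are assumed.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class LoginAttempt:
    source_ip: str   # address the service sees: the VPN egress, not the user's own
    account: str
    success: bool


# Assumed tuning: challenge any address with this many attempts in the window.
PER_IP_THRESHOLD = 5
# Assumed tuning: flag an account after this many failed attempts.
PER_ACCOUNT_FAIL_THRESHOLD = 3
# Assumed "known VPN egress" list; 203.0.113.0/24 is a documentation range.
KNOWN_VPN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def attempts_per_ip(attempts):
    """Count attempts by source address, successes included: the check sees only the IP."""
    return Counter(a.source_ip for a in attempts)


def flagged_by_ip(attempts, threshold=PER_IP_THRESHOLD):
    """Addresses that trip the per-IP counter."""
    return {ip for ip, n in attempts_per_ip(attempts).items() if n >= threshold}


def in_known_vpn_range(ip):
    """Reputation-style check: is this address inside a listed VPN egress range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_PREFIXES)


def challenged_by_ip_rules(attempts):
    """Accounts that receive an 'unusual traffic' challenge under the IP-keyed rules."""
    noisy = flagged_by_ip(attempts)
    return {a.account for a in attempts
            if a.source_ip in noisy or in_known_vpn_range(a.source_ip)}


def flagged_by_account(attempts, threshold=PER_ACCOUNT_FAIL_THRESHOLD):
    """Per-account failure counter: the rule a lockout or second factor keys on."""
    fails = Counter(a.account for a in attempts if not a.success)
    return {acct for acct, n in fails.items() if n >= threshold}


def build_sample():
    """Constructed log: six strangers log in once each through one VPN egress,
    one user logs in from home, and one attacker makes four failed attempts
    against a single account from a residential address."""
    vpn_users = [LoginAttempt("203.0.113.7", f"user{i}@example.net", True) for i in range(6)]
    home_user = [LoginAttempt("198.51.100.23", "alice@example.net", True)]
    attacker = [LoginAttempt("192.0.2.44", "victim@example.net", False) for _ in range(4)]
    return vpn_users + home_user + attacker


if __name__ == "__main__":
    log = build_sample()
    print("per-IP counts:", dict(attempts_per_ip(log)))
    print("challenged by IP rules:", sorted(challenged_by_ip_rules(log)))
    print("flagged by per-account failures:", sorted(flagged_by_account(log)))
```

Run it and the asymmetry is plain: the six legitimate VPN users are all challenged (their shared address crosses the per-IP threshold and sits in the listed range), while the attacker's four attempts from an unlisted residential address pass the IP rules untouched. The per-account rule does the reverse, catching only the sprayed account. That asymmetry is the argument against keying a challenge on source address alone.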
People use VPNs for different reasons. Competent cyber-criminals certainly route through
VPNs to hide their origin, but the overwhelming majority of VPN users are not criminals.
Vast numbers of people in Russia, China, Iraq, Iran, and India – indeed, freedom lovers the
world over – rely on VPNs to safely reach government-banned websites. Others simply dislike
sharing their private affairs with online corporate stalkers (e.g. Google, Microsoft).
Challenging VPN users on their source address is little more than a half measure: an
attacker who has keylogged a master password can simply connect from a residential address
instead. The real defense against a stolen master password is a second factor, which
BitWarden already offers as an option (two-step login via an authenticator app, email codes,
or a hardware security key). But many, perhaps most, users will find 2FA to be more
intrusive than needful. I rely on the following protections instead:
(1) Purchase notifications
My bank sends me an email whenever it debits my account. Moreover, it requires
special authorization for any especially large or unusual purchases.
(2) A good password manager
I like BitWarden. Its security-critical code is open source and has been audited by
experts. It features a highly competent wildcard-search capability. Also, its
auto-generated passwords are unbreakable on a competently designed system. I disable
its auto-update option in Firefox to prevent its behaviors from changing without warning
(but they did anyway!). I use a strong password.
(3) An anti-malware utility
I run a competent anti-malware app.
(4) A good firewall
I have configured my firewall to block all apps that don't have a clear and ongoing
need for internet access.
(5) Full-system backups
I revert to my most recent full-system backup if my system so much as burps.
(6) VirusTotal
I check all downloaded apps with VirusTotal before running them.
I avoid auto-updating apps like the plague (except for my anti-malware app).