Computer Security and Privacy

TL;DR about computer safety, security and privacy:

Levels of safety, security and privacy (my opinion):
  1. No backups, no passwords on devices, same password on many online accounts.

    A disaster waiting to happen. Accidentally delete many files, hard disk crashes, or someone steals your phone, and you're in a world of pain.

  2. Backups (multiple, at least one off-site, and you've tested restoring from them) link, passwords on devices link, important software auto-updating link, anti-virus link.

  3. Password manager link to handle online accounts, ad-blockers and script-blockers link in browsers, credit-report freezes link, use HTTPS web sites link, set privacy settings on accounts link, password-protect your phone number link, be careful with your smartphone link, pay cash for as many things as possible.

  4. Full encryption on devices link, two-factor authentication link on important online accounts, reduce browser fingerprint link, VPN link, opt out of data-broker tracking link.

  5. Change to Linux link, use secure email and messaging link, special firewall/router, redirected email and phone numbers and credit cards link, postal-mail forwarding service.

  6. Tor browser link, two computers (one secure and non-networked, other for routine use and network access), gift-cards.

  7. Burner phones, clean OS every time (e.g. Tails), security-centric OS (e.g. Qubes), run your own mail server and VPN, crypto-currency, fake personas link and fake ID.



Some Key Principles to Follow:

Data Preservation

Online Security

[If you're planning to make big changes to your situation, do the big changes first. Such as: changing to Linux, changing to Firefox, starting to use a password manager, changing email provider. Then do the smaller tweaks and additions.]

  1. Password security:

    Use the password and security features of your device and software; many people don't even bother to set a password !

    It's especially important on smartphones, because a lot of smartphone apps don't even have a "log out" feature. They assume that if you have the phone and were able to log in once a while ago, you must be the account owner, no account password needed.

    Don't use the same password on multiple sites. If one site is breached, all the others become vulnerable. pick a password
    Do NOT use Facebook login (or Google, or Apple, or Microsoft) as your login to lots of other web sites. Not only does it let your activity get shared to Facebook (or etc), but if Facebook (or etc) ever deactivates your account for some reason, you've lost access to those other sites too. Similarly, don't use a Microsoft login to your Windows PC, use a local login.

    Really, you should have only 2 or 3 passwords you remember; the rest should be in a password manager.

    See my Authentication page.

  2. Other "managers".

    Don't let web sites or browsers save your important data if you can avoid it. Store it in specialized encrypted, private "manager" applications on your machine.

    Some types of "managers":

    Often the last four types are together in a "Personal Information Manager" (PIM). Some email client applications will include those functions too; I use Thunderbird.

    Most of the PIMs I see are more complex than I want, and don't say anything about encrypting their database. Probably best to pick a simple PIM and put its database inside a Veracrypt container.
    Osmo (Linux only, database not encrypted, files under ~/.config/osmo and ~/.local/share/osmo by default)

    If you don't use a specialized application, you could use a text file inside a Veracrypt container. But you'd lose the ability to sort by various fields, alert on calendar events, view the calendar in standard calendar format, have a tree-view for to-do items, etc.

  3. Password-protect your phone-service-provider account.

    Mobile-service providers often let you set a PIN to control changes to account settings. So if you (or a scammer) calls them and says "move this phone number to a different SIM", the provider won't do it unless the proper PIN or password is given. This can stop "SIM Swapping" (AKA "SIM Hijacking", but really it's "phone-number hijacking" or "number-porting").

    Days after you set a PIN on your account, call your provider again and try to make a change, and see if they actually do ask for the PIN.

    Emily Price's "Add a PIN to Your Smartphone Account"
    Zack Whittaker's "Cybersecurity 101: How to protect your cell phone number and why you should care"
    Brendan Hesse's "How to Prevent and Respond to a SIM Swap Scam"
    CipherBlade's "The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You"

    If you're going to abandon a phone number, first remove it from any accounts that may have it, and inform your contacts. Assume that the number will be re-issued to some new customer within a year. What will happen if they start getting calls or messages intended for you ?

  4. Give "them" as little data as possible.

    Don't let web sites save your credit-card data. If possible, give them a fake phone number and address.

  5. Use fake data as answers to the "security questions".

    Security question - grandmother
    If you give fake data as your mother's maiden name, town where you were born, etc, no attacker can look that up somewhere and know what answer to give. Of course, you have to save those answers yourself (in your password manager).

  6. Software updating:

    Run the newest stable version of your operating system, and turn on auto-updating. Same for browsers, anti-virus, VPN.
    windows update

    But this is a major problem for Android smartphones: on older phones, you can't update the OS to a newer version, unless you install a "custom ROM". Android's update mechanism is somewhat broken, because phone vendors have no incentive to test and provide updates. Not a problem for newest phones directly from Google ?

    See Android Custom ROMs section of my Android page.

    For less-important software, I would turn off auto-updating. I don't want a lot of little check-for-update background processes running all the time, and I don't have confidence that the maker of some genealogy application or something has invested a lot of effort into making their update process secure.

    Keep an eye out for news about the software you use.

    A corollary of "do updates" is "don't use software that has been end-of-lifed or abandoned". If you're using something where the vendor no longer provides updates, you're vulnerable.

    The more I think about it, updating is a major security issue for all OS's. What controls guarantee that an installer or updater will update only the application or component it is associated with ? Is the communication channel encrypted ?

    If something is updated through Windows Update or Linux's manager (Update Manager, on Mint) or an app store, maybe you can have some confidence that the process is efficient and secure. But if an individual app is reaching out of your system to its update server every day in some unknown way, that is questionable. If you have 20 such apps doing so every day, an attacker has lots of surface to attack, and there is lots of traffic for you to monitor or analyze for threats. Not to mention lots of little look-for-update processes running in the background all the time, maybe.

    What is the long-term solution for this ? Lobby Microsoft to let third-party apps use the Windows Update mechanism ? On Linux, only install apps via the main software manager on the system ? Add some kind of OS controls so an installer/updater can touch only the associated component's folder and registry tree ? I assume Windows Update and Linux's managers and app stores use TLS on their connection back to the server; true ?

    In response, someone pointed out: evilgrade

  7. Anti-virus software:

    Two main "modes":
    • Real-time / constantly-active protection (catches every file write or download and scans it).

      Could be disk-only (catches file writes) or also wired into the browser (to prevent access to known-dangerous web sites) and email (to scan attachments).

      Set it to update automatically.

    • User-initiated / manual-scan (user runs a full-disk scan every week or two, or user right-clicks on a suspicious file and selects "scan it").

    Two main "sources":
    • Supplied by the OS vendor. Usually best; doesn't destabilize or increase attack-surface of the system.

    • Third-party (a separate app / service you install into the system).

    Prevention / detection:

    • Anti-virus protection.

      For Windows 10, I use Windows Defender, in constantly-active mode.

      For Linux, I use Sophos in manual-scan mode, doing a scan every few weeks.

      If you use Adblock Plus, you can then install a malware site filter.

      Quora "What is the best open source antivirus software?"

    • Keylogger.

      A "keylogger" may do one or more of these:
      • Capture keystrokes as you type them.
      • Capture the contents of your clipboard.
      • Capture screenshots.
      • Capture input from your computer's camera and microphone.

      A keylogger may:
      • Log the data into a log file.
      • Email the data to somewhere.
      • Send the data across the internet to somewhere.

      There seem to be three types of keylogger:
      • Hardware: some device attached to your computer or keyboard or installed into it.
      • Software: an application and/or service installed on your computer. It may try to hide in various ways, not showing up in list of installed apps, or choosing a name similar to a standard app or service.
      • Rootkit: software installed into the firmware of your computer, or the boot loader of your OS, or the kernel of your OS.

      Detect or defend against keyloggers:

      On Windows, I used AVG (free) and Malwarebytes (free). But I found that AVG and MWB (with RTP) don't stop/report keylogging as tested by AKLT. [And when AVG and MWB got more aggressive about change-to-paid-version pop-up ads, I got rid of them and now just rely on Windows Defender.]

    • Firewall.
      From someone on reddit's /r/Windscribe:
      > I've recently signed up for Windscribe VPN (firewall enabled).
      > I have an ASUS RT-AC66U router (firewall enabled),
      > and on top of that Norton Security with its built-in
      > super aggro "smart firewall". All of this seems a bit
      > redundant and ridiculous.

      Windscribe firewall blocks traffic that tries to go outside of the VPN, including if the server you're connected to goes down. It's different from a program/port firewall that allows or blocks certain traffic completely based on a ruleset.

      Your Norton firewall is designed to prevent malicious programs from calling home to download more malware or upload your information.

      Your router firewall is designed to prevent open ports from being abused by programs or attackers.

      Windscribe firewall is designed to prevent your traffic from going through the normal unencrypted route to your ISP. If the connection drops for some reason nothing will get through because the Windscribe firewall blocked all other ways in or out.

      So all three serve different purposes (the router and Norton firewalls overlap a bit but they still do different things).
      Gufw (Linux only)

    Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"

    Testing your defenses to see if they actually work:

    EICAR Standard Anti-Virus Test File
    Fortinet's "Test Your Metal" (browser fetches bad files from server, see if firewall or AV etc stops it)

    Web site that does various tests: AMTSO Security Features Check Tools
    Where to get virus samples, to check your AV ?
    greg5678 / Malware-Samples (Linux only)
    Packet Storm's "Unix rootkits" (have to compile some from source)
    VirusTotal Private/Premium API

    Run a test program that does keylogging and see if your software detects/stops it:
    Mike Williams' "Anti-Keylogger Tester 3.0"
    SpyShelter's "Security Test Tool"

    Install a real keylogger and see if your software detects it:
    Spyrix Free Keylogger
    Revealer Keylogger Free
    lkl, uberkey, THC-vlogger, PyKeylogger, logkeys.

    "Normal" apps or services could be used to spy on you:

    Many legitimate standard apps or services, if set incorrectly, or set maliciously without your consent, could be used to spy on you or track you.

    For example, Google Maps on your phone will let you share your location with other people, maybe with your spouse or children. That's fine if you consent to that and know you're doing that. It's bad if you're having issues with your spouse and they turn that on without your consent.

    Various browsers and operating systems can be set to collect data about your behavior and report it to the manufacturer (usually called "telemetry"). Maybe the data is anonymized. Maybe it is limited to just crash reports. Or maybe it includes what sites you visit and what searches you do, even local searching of the hard disk. Check those settings. [Windows 10 in particular has an astonishing amount of this (article1), but you can turn most of it off, I think: article2. Or change OS to Windows 10 Ameliorated]

    Suppose you install a remote-access application, or open an incoming VPN connection, so that you can access your home computer from work if you need to. But accidentally you allow anyone on the internet to access it, or someone in your house turns on access for themselves without your consent.

    A "sync" feature that automatically copies data among your devices is multiplying the places your data could be stolen. Smartphones tend to have the worst security, so syncing data from laptop to phone is weakening security. For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.

    I don't think any of the anti-virus scanners will report such settings to you as "potentially unwanted".

  8. Browser:

    General recommendation: use Firefox or Brave.

    On Linux, consider running the browser either in a container (snap or flatpak) or in a security context (Firejail or AppArmor).

    Important: After you install a browser, disconnect from the internet, launch the browser for the first time, turn off telemetry and other features you don't want, quit, connect to internet again, launch the browser again.

    Don't log in to a cloud service associated with your browser, such as Google Chrome login or Firefox login. That's a recipe for having unknown ties between browser and service, including automatic backups or sharing, telemetry, etc.

    Set your browser to update automatically; browsers contain security features that should be kept up to date.

    Set your browser to ask you each time a page wants to do certain things: download a file, use camera or microphone, etc.

    Things you may want to turn off:

    • Any "suggestion" or "prediction" feature (probably sends your keystrokes to a server).
    • Any "usage-reporting" or "telemetry" or "let vendor run studies" features.
    • Any "crash-reporting" feature (I leave this one enabled).
    • Any "syncing" feature.
    • Any "password-remembering", "payment methods", "address-remembering" features.
    • Any "security-screening" or "safe-browsing" feature (debatable; maybe your VPN or ad-blocker does this; apparently now browsers use Update API which avoids sending your URLs out to a server).

    These days, users probably spend 90% of their time in a browser. So, take the time to go through ALL of your browser's settings/options. Generally turn off things that send data to a cloud service. Turn off features you don't need.

    From someone on reddit 11/2018:
    "Chrome has a whole host of services that send data to/from Google (auto-complete, prediction services, spell check, translation, safe browsing, etc...). ... if you don't want Google to know anything about you, you can't use Google products." [Also password syncing, and "login to Google automatically logs you in to Chrome". And check options carefully to see what is turned on.]
    So: ungoogled-chromium (have to uninstall Chromium first, if it's installed)

    Brian King's "Towards a Quieter Firefox"
    hjstephens09 / Better-Fox
    Douglas J. Leith's "Web Browser Privacy: What Do Browsers Say When They Phone Home?"

    Use as few browser extensions/plug-ins/add-ons as possible; each additional extension installed means a greater chance of getting a malicious extension or a security hole or a performance hit.
    Chris Hoffman's "Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them"

    If you can, avoid using browser extensions associated with other applications on your machine, such as anti-virus or VPN or password manager. The combination of application and extension gives enormous access to all of your data, inside and outside your browser, and an easy connection to the internet.

    To see what's running/open in your browser and how much RAM each is taking:
    In Firefox, type "about:performance" in the address bar, or click Hamburger / More / Task Manager.
    In Chrome, type Shift-Esc, or click "..."" / More tools / Task manager.

    Use an "ad-blocker" add-on in your browser to protect against ads that contain malware (malvertising).
    I use uBlock Origin (get from here ?). I used uMatrix for a while, but it required constant tweaking (and 9/2020 development is ceasing).

    An add-on that tries to protect you from look-alike domain names (e.g. ""): Donkey Defender

    Show what your browser reveals to a web site:

    Some sites (eBay, banks ?) use WebSockets to do a port-scan of your system (to localhost, from the web page, from the inside !), to see if you look like an IoT device that is part of a botnet (article1, article2). If you want to stop this scanning, in uBlock Origin go to the Dashboard and then My Filters and add a rule "*$websocket". (I'm told Adblock Plus uses same filter syntax.) An add-on that tries to protect you from this scanning (and other things): Behave! by Minded Security. Test before and after with WebSockets test. The block in uBlock Origin may break some sites (but it didn't break any of my bank logins, but broke eBay login).

    Is there any add-on that monitors what certificates and extensions are installed/enabled in your browser, and values of all of the settings, and warns you if anything has changed between quit/relaunch of the browser ?

    Browsers are far too bloated and complicated, we should re-design them:

    Drew DeVault's "The reckless, infinite scope of web browsers"
    Open Hub's analysis of Firefox (30M lines including comments and blanks, in 48 programming languages)

    Move many functions out to add-ons or external apps or OS stacks or OS features:
    • Bookmarking, link-sharing.
    • Password management (and auto-fill).
    • History.
    • Media-handling (audio, video, etc).
    • Networking (DNS, proxy, socks, DNS over HTTPS, VPN should be in OS network stack).
    • Caching (should be in OS network stack).
    • Certificates (use OS store or keyring, or secret server).
    • Search engines, suggestions, predictive typing in address bar.
    • Ad-blocking.
    • Header-setting (do not track, user-agent).
    • Security policy (HTTPS Everywhere, padlock icon, tracking protection, malware-blocking, site whitelist/blacklist).
    • Cookie and site local storage and management.
    • Language and appearance settings (get from system settings).
    • Download manager.
    • File and application handling (save or open, where to open, ask each time, etc).
    • Browser update (use the OS mechanism, not a custom mechanism built into browser).
    • Add-on update (use a separate app, or the OS update mechanism).
    • Sync (use apps such as rsync, Syncthing, etc).

    The browser proper should just do:
    • Page rendering.
    • DOM.
    • Page operation (scrolling, buttons, etc).
    • Scripting with DOM and hooks to storage etc.
    • Page/DOM dev tools.
    • Application framework (tabs, menus, windows, connecting everything together).

    Maybe I just want a minimal browser. On Linux: I've tried about 8-10 of them, and so far they all have fatal flaws, except GNOME Web (Epiphany). But that browser isn't very minimal, and is working to add more features.

    Maybe I could start with Firefox, delete the code-modules I don't want, and build a custom version.

    Also: We need better control of browser add-ons:

    Apparently, today, when you do a web request or get a response, all installed add-ons get a chance to process/modify it, in parallel or in unspecified order. Then their modifications (including discarding it) get merged somehow.

    Instead, the user should be able to specify:
    • Rules for order of execution of add-ons.
    • Domain whitelist/blacklist for each add-on.
    • Information accessible by each add-on.
    • Types of operation (request/response, HTTP/HTTPS, GET/POST, etc) that can be processed by each add-on.
    • Changes allowed by each add-on.

  9. Manufacturer's software:

    Your machine may come with manufacturer's apps (for launching, printing, help, support, updating, diagnostics, recovery) pre-installed and doing stuff in the background. How secure is that software ?

    Bill Demirkapi's "Remote Code Execution on most Dell computers" (offered more as an example of how much is going on in the background, rather than a realistic threat)
    Peleg Hadar's "OEM Software Puts Multiple Laptops At Risk"
    Dan Timpson's "Lenovo's Superfish Adware and the Perils of Self-Signed Certificates"
    Wang Wei's "Pre-Installed Keylogger Found On Over 460 HP Laptop Models"

  10. OS Settings:

    Don't log in to a cloud service associated with your OS, such as Microsoft login or AppleID. That's a recipe for having unknown ties between OS and service, including automatic backups or sharing, telemetry, etc.

    For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.

    Run as few operating-system services as possible; turn off the ones you don't need.
    Look for privacy and security settings in the OS settings / control panel.

    Mayank Parmar's "Windows 10 Privacy Guide: Settings Everyone Should Use"
    Martin Brinkmann's "Comparison of Windows 10 Privacy tools"
    Windows 10 Ameliorated

  11. Computer firmware:

    There might be firmware in: management engine, motherboard/BIOS, Linux microcode on top of the MB/BIOS firmware, HDD, SSD, printer, router, TV.

    Usually you have to manually check for updates to the firmware, on the manufacturer's web site.

    Record firmware version number from your ISP's router every now and then, to make sure they're updating it.


    Is the firmware (say, BIOS firmware) readable ? Can an OS or user process read it and compare to the last-installed version, and flag "hey, firmware has changed since the last time you booted !" ? Do any current OS's do that ? It could even be a user-level feature.

    Shouldn't all devices (routers, security cams, disk drives, etc) come with a "read out the current firmware contents" feature ? Maybe a very clever malicious firmware could mimic a legit firmware, but it might not be easy if firmware memory is full (excess space padded with random static stuff when legit firmware is generated).

    In Linux, do "sudo grep ROM /proc/iomem". If it returns "000f0000-000fffff : System ROM", you can read BIOS via "sudo dd if=/dev/mem of=pcbios.bin bs=64k skip=15 count=1 # 15*64k + 64k" or "sudo dd if=/dev/mem of=pcbios.bin bs=1k skip=960 count=64". Also relevant "sudo dmidecode". Maybe someone could make a little daemon or cron job that uses them to report any changes.

    How about Linux's /dev/microcode ? Also would be nice to know if the router/gateway MAC address has changed ("arp" command).

    Maybe enhance the "fwupdmgr" command to be able to read/verify existing firmware contents.
    Does "fwupdmgr verify DEVICEID" do that ?
    "fwupdmgr --show-all-devices get-devices", "fwupdmgr refresh", "fwupdmgr verify DEVICEID", "fwupdmgr get-updates", "fwupdmgr update".
    There is a timer running; see it in "sudo systemctl list-timers".
    Maybe do "sudo systemctl disable fwupd-refresh.timer" and "sudo systemctl disable fwupd-refresh.service" ?

    Processor "Management Engines":

    /u/SupposedlyImSmart on reddit 11/2018

    Intel's "Management Engine":
    Intel ME seems to be a big problem; maybe just avoid Intel chip-sets next time you buy a computer ?
    Wikipedia's "Intel Management Engine"
    Lily Hay Newman's "Intel Chip Flaws Leave Millions of Devices Exposed"
    Erica Portnoy and Peter Eckersley's "Intel's Management Engine is a security hazard, and users need a way to disable it"
    coreboot Wiki's "Intel Management Engine"
    From someone on reddit:
    "Do you have an Intel CPU from the last 10+ years? If so, then yes ME is enabled. If it weren't via HAP, you'd know."
    Shane McGlaun's "Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut"
    "Sakaki's EFI Install Guide / Disabling the Intel Management Engine"
    Steven J. Vaughan-Nichols' "Computer vendors start disabling Intel Management Engine"
    corna's "me_cleaner"

    Test your system ?
    Intel's "INTEL-SA-00086 Detection Tool". Run it on Linux CLI via:
    sudo python2

    intelmetool from coreboot / coreboot ? But the project's build process is very strange, and failed for me. Also tried to build just intelmetool, and failed.

    From someone on reddit:
    "After I did the firmware update for my version of IME, I just made sure and disabled everything relating to IME/vPro in my BIOS/UEFI settings and also disabled its related services and related serial port in device manager in Windows."

    From someone on reddit:
    "Intel ME listens on ports 623, 664 and 16992-16995. So if you're behind a firewall block these ports. Though you'd be better off to create a whitelist instead."

    AMD's "Secure Processor" (previously known as PSP):
    Chiefio's "For deep security, use ARM, avoid Intel & AMD processors"
    But ARM has "TrustZone" ? Article

    Anton Shilov's "HP's Endpoint Security Controller: More Details About A New Chip in HP Notebooks"

    Run on Linux CLI:
    cat /sys/devices/system/cpu/vulnerabilities/*
    One idea: don't connect network to motherboard's network interface, instead use a third-party network interface board, which the ME shouldn't know how to use.

    coreboot (Wikipedia's "coreboot")

    Brendan Hesse's "How to Check Your USB Devices for Unsafe Firmware" (but see the comments)
    Jessie Frazelle's "Why open source firmware is important for security"
    Catalin Cimpanu article about infected firmware in smartphones
    Dan Goodin's "Google confirms that advanced backdoor came preinstalled on Android devices"

  12. Sandbox applications:

    Run application such as browser inside a "sandbox" which prevents it from accessing files on your computer, or controls which files are accessible.

    Sandboxie (Windows only)
    Firejail (Linux only)
    AppArmor (Linux only)

  13. File access controls:

    For various files and folders, set which applications are allowed to access them.

    Brendan Hesse's "Why You Should Use Windows Defender's Ransomware Prevention"

  14. Separate computers for separate functions:

    It may be tempting to run a web server and database and routing software and network-storage disk and your personal stuff (browser, password manager, files, etc) all on the same box. It can be done, under Windows or Linux etc. But that greatly increases the chance of some bug or exploit, some incoming attacker being able to access your personal files. It's better to run all the server (incoming) stuff on one box, and all the personal (outgoing) stuff on another box. And set the firewall rules on each box to allow only what is needed on that box.

    Even better, run server-stuff on some commercial hosting service. Let them worry about 24/365 availability, bandwidth, disk space, updating, etc. But you'll have to pay for it.

  15. Turn off the computer:

    When not using the computer, turn it off, so attacks can't get in. Maybe turn off your entire LAN (by turning off the router) before going to bed at night, or when going on vacation ?

    Maybe put critical data on a thumb-drive or external drive, and only mount that drive for brief periods when you need to use that data.

  16. Connection security (protecting "data in motion"):

    Use encryption on your connection: encrypted Wi-Fi, HTTPS web sites, maybe VPN (see VPN section of my "Connection Security and Privacy" page). If you're using a mail application (such as Thunderbird) or an FTP application, make sure they're using encryption on their connection to the server.

    On your home network, make connections using Ethernet cables instead of Wi-Fi where possible (client device is close to router/modem). Wired connection is faster and more secure than wireless (and old custom wireless is worst of all; at least Wi-Fi and Bluetooth have been improved). Similar when transferring data between phone and PC: using a USB cable is more secure than emailing the data or using some other across-the-internet method. Similar with printer: use a USB cable.

    Consider having separate home networks for your critical (computers, file server, phones) and untrusted (TV, refrigerator, security camera, baby monitor, game consoles, guest, etc) devices. This may mean having to use two routers.

    When choosing a name for your home Wi-Fi network, choose something unusual but bland such as "network2793". Don't include your name or address or brand of router in the network name; that information would help an attacker. And the network name may be included in bug reports and such. article

    ilGur's "Smart HTTPS" browser extension

    wikiHow's "How to Secure Your Wireless Home Network"
    Eric Griffith's "12 Ways to Secure Your Wi-Fi Network"
    Decent Security's "Router configuration - easy security and improvements"
    David Murphy's "How to Make Your Wifi Router as Secure as Possible"
    Easy Linux tips project's "Wireless security: four popular myths and 12 tips"
    Lifehacker's "Top 10 Ways to Stay Safe On Public Wi-Fi Networks"
    Smart Home Gear Guide's "17 Lockdown Strategies To Secure Your WiFi Network From Hackers"
    Chris Hoffman's "How to See Who's Connected to Your Wi-Fi Network"
    But: Nick Mediati's "The EFF wants to improve your privacy by making your Wi-Fi public"

    From discussion on reddit, and elsewhere:

    Securing home Wi-Fi:
    • Use the WPA2 protocol. It has now been broken but the chances anyone will use it against you are slim. [Use AES, not TKIP. Use WPA3 if available.]
    • Use a strong passphrase. Longer is better than more complex.
    • If you have a guest network, isolate it so it can access your internet but not your local network.
    • Where possible, use 5Ghz. It doesn't have good penetration so it's less likely to broadcast your network to your neighbors. Otherwise some routers will let you adjust the power of your broadcast.
    • Don't bother with MAC address filtering. It's just a headache and it's easy to bypass.
    • Apply any patches that are available, to clients and router.
    • Turn off WPS and uPnP and access to web interface/console from Wi-Fi.
    • Probably turn off telnet, SNMP, TFTP and SMI; they're usually unencrypted and/or insecure.

    You could look in your router admin to check what devices are connected. Supposedly there are TWO lists: a list of devices which obtained an address via DHCP (which may not include all devices), and also a MAC address list of all connected devices.

    Test your router configuration (turn off VPN first):
    See the "Port scanning and router testing" section of this page.

    Turn off any VPN, use IPChicken to get your network's current public IP address, then paste that into your browser's address bar, and see how your router responds when someone from outside tries to access your router on port 80. Also try the address with ":443" appended to it.

    Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
    That One Privacy Site (VPN and email comparisons)

  17. Application-level encryption:

    See my "Secure Communication" page.

  18. Data encryption (protecting "data at rest"):

    See "Data Encryption" section of my "Computer Theft Recovery" page

  19. Specific problems:

    Known bad software:

    Do not use these:

    Detect my Browser

    Remote-access software:

    Be very careful if you have remote-access software installed on your computer for some reason. If someone hacks it or it's misconfigured, the attacker can do anything you can do sitting at the computer, and it will look just like you doing it.

    Jason Fitzpatrick's "How to Lock Down TeamViewer for More Secure Remote Access"
    Rick Rouse's "Protect your Windows PC from hackers by disabling Quick Assist / Remote Assistance"

    Aggregation services:

    • Don't use online financial/budget aggregation services that will connect to all of your bank accounts and credit-card accounts and Amazon etc to consolidate the data and summarize what's happening. They just have too much access to your data, and can sell it. Instead, maybe find a local desktop application, download CSV files from your banks etc, and import the CSV files into the local application.
      Jason Baker's "5 open source personal finance tools for Linux"

    • Online income-tax-filing services ? You're giving a LOT of info to them, from many sources. But they're very convenient, and you need something that is updated every year. You could use paper forms instead, if your affairs are fairly simple.
      OpenTaxSolver (OTS)

    • Don't use online mailbox-client services that will connect to all of your email accounts and show everything in one web page. They just have too much access to your data, and can sell it. Instead, use a local application such as Thunderbird or K-9 Mail.

    Things that are full of telemetry (but hard to stop using):

    • Windows 10.

    • Chrome browser (maybe use Chromium or ungoogled-chromium).

    Turn off macroes in Microsoft Office.

    Remove bloatware installed by computer's manufacturer: those system-tray applications that offer manufacturer's Help Center or Support or Driver Updater, for example. They're poor quality, constantly-running, and probably offer a huge attack surface.

    A bit suspicious, and a general way to stop specific applications from running in Windows:
    Martin Brinkmann's "How to block the Chrome Software Reporter Tool"

    Wireless devices are less secure than wired devices, and often wireless has greater range than you'd expect. Old custom wireless is worst of all; at least Wi-Fi and Bluetooth have been improved.

  20. Turn off features you don't use.

    Either turn them off permanently, or enable them only when you want to use them.

    Don't use Bluetooth, mobile Hotspot, mobile tethering, NFC, Z-Wave, Zigbee, infrared, Cortana, Siri, location/GPS services, voice controls ? Turn them off completely, at the OS level. Don't use some old applications ? Uninstall them, or turn off their update background services.
    Rick Rouse's "How to turn off 'File and Printer Sharing' in Microsoft Windows"

    Maybe turn off location-monitoring services and apps in your smart-phone and browser. But your cell-phone company will always know where your phone is, if it's turned on, or maybe even just if it has a battery in it. And various map and taxi apps will be unhappy that they can't read your location.

    Turn off services you're not going to use for a while. Turn off any remote-access service when you're at home.

    Turn off the whole device if you're not going to use it for a while. Does your internet-connected computer need to be running 24/7 ?

    Put tape over the webcam on your laptop.
    Or software:
    Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"

    Turn off the microphone on your laptop or smartphone.
    Maybe put a dummy plug into the external microphone jack.
    Tape over the built-in microphone opening doesn't really work.
    Or software:
    Alan Henry's "How to Stop Web Sites from Potentially Listening to Your Microphone" (Chrome only)
    Jignesh Padhiyar's "How to Find and Prevent Apps from Accessing Your iPhone's Microphone in iOS 7"
    Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"
    The highest-confidence solution: physically unplug the built-in microphone inside the case, and always use an external microphone (plugged in only when you need it).

    Note: iPhones have 1 to 4 microphones, depending on model. Most Android phones have 1, some have 2.

  21. Know the features of your devices.

    Mozilla's "*privacy not included"
    David Murphy's "How to Keep Your Internet-Connected Device From Spying on You"

    Using router/modem supplied by your ISP:

    See Router And Modem section of my Connection Security page

    From someone on reddit:
    If your ISP can access your modem (and if you're using an ISP-supplied modem, it'd be foolish to assume they can't), they can see anything your modem can potentially log (think SSIDs, MACs) via a little-known protocol known as CWMP. And this is to not even begin the implications that they could not simply be retrieving logs, but actively tampering with data. So yes, do not use ISP-given devices, get your own. This is critical.

    At the least, your ISP-supplied router could be reporting names and MAC addresses of all devices on your LAN. Names may be easy to change to something uninformative such as "laptop1". But MAC addresses could be more revealing, and used for tracking. Harrison Sand's "Your ISP is Probably Spying On You"

    From someone on reddit:
    > Do ISPs update router firmware and watch for malware ?

    Routers, in general, are not updated if they are not the latest and greatest router in their class. Long term support is typically lacking unless you install a 3rd party firmware. European ISPs are typically far better at updating their software than American and Canadian ISPs due to no laws requiring ISPs accountable to update their software if possible. More damning, routers typically don't even have patches available as they were discontinued support long ago.
    So it sounds like if you can't find firmware updates for your router, and it's more than a couple of years old, maybe best to just replace it. If it's ISP-owned, maybe ask if they have a newer model available, and if you can upgrade for low or no fee. If you own it, replace it or install DD-WRT or OpenWrt on it.

    Ways to avoid the ISP-supplied router/modem:
    [Note: things get more complicated if the router is providing cable-TV service in addition to internet.]

    • Ask ISP if you can replace it with a router/modem you own yourself.

      From someone on reddit:
      "Google for modem compatibility lists. You can generally find a site that sorts by state and ISP and lists which current model modems would or should work."

      If you replace the modem, you'll have to register/configure the new modem with your ISP.

      If you want to run custom software in the router you own, see Router And Modem section of my Connection Security page.

    • Check router's admin page, or ask ISP, if their router/modem can be set into "bridge mode", so you can add your own router behind it.

      This amounts to turning off the router and Wi-Fi in the ISP-supplied router/modem box, using router and Wi-Fi in your own new router box, and connecting the two boxes via an Ethernet cable. Connect all home devices (except telephone ?) to your box, not the ISP's box. Now the ISP-supplied box doesn't have access to your LAN, it just sees what comes out of the bridge-Ethernet port of your new router box. See Router And Modem section of my Connection Security page.

    Ethan Robish's "Home Network Design - Part 1"

    Michael Horowitz's "Router Security"
    Michael Horowitz's "Using VLANs for Network Isolation"

    Keep it simple. If you have your smartphone controlling your door-locks and security-cameras and automatically uploading photos to Instagram and accessing your LAN and the internet and the cell network, you really don't know everything that is happening and everything that can go wrong. Better to have some compartmentalization, some things that happen only on one device or happen only manually.

    I work in IT

  22. Know the vulnerabilities of your devices.

    "The 'S' in 'IoT' stands for 'Security'."
    -- from Grumpy Old Geeks Podcast

    Are there any known security flaws in your internet-connected devices, especially devices you can't update ? For example, security cameras: article1, article2. And home Wi-Fi routers: article3.

    For each of your devices, read the manual, and do some internet searches for "exploit/vulnerability/hack/problem MANUFACTURERNAME model NNN".

    Some of the simpler-looking devices (tablets) may be the most vulnerable, because you probably don't install anti-virus on them, and they may not get security updates. Yet they're in your trusted local network, and could attack other devices.
    Rhett Jones's "A New Reason to Not Buy These Cheap Android Devices: Complimentary Malware"

    Especially dangerous are all-in-one devices with multiple connections. A fax-modem-copier-printer may connect to both a phone line and to your LAN; a flaw could let an attack come in the phone line and onto the LAN. A simpler attack could exhaust your expensive toner cartridge. Is the firmware updatable ? Is the manufacturer known and providing updates ? Don't leave the device powered on 24/365 unless absolutely necessary. Or unplug it from phone line and/or LAN except when needed.

    A smartphone probably is connected to both the cell data network and to your LAN; that's a potential vulnerability.

    Game consoles seem to be fairly secure, from what I read. Since they're going to be sold for years and in hundreds of millions of units, and used to handle DRM and in-game purchases, I guess the manufacturers work hard to make them secure. Usually they commmunicate mostly to the manufacturer's central game servers, which are walled gardens. The biggest issue may be that they also provide communication services: what could other players say or send to your child as they're playing the game ?
    ProtonVPN's "The complete guide to online gaming privacy"

    Interesting items from "Hackable?" podcasts:

    Host invited hackers to attack his home LAN and devices. Some of the hackers were local (just outside his house), others were far away across the internet.

    • Local hackers were able to set up a fake router with same Wi-Fi network name, force all the LAN devices to reconnect, and they connected to the fake router. Since many of those devices store the Wi-Fi password, that password was revealed to the fake router.

    • The admin credentials of the home router appeared in an old data breach, and hadn't been changed since then.

    • IoT devices on the LAN had various default or hard-coded admin credentials.

    • Once onto the LAN, hackers were able to intercept traffic from security webcams that were set to LAN-only and thus thought safe.

    • Once onto the LAN, hackers were able to provide a MITM DNS, and redirect traffic to send the user to a fake Facebook login page, and capture the login credentials.

    • A fax/printer connected to a phone line was vulnerable to some malicious document faxed to it. Then it was used to access documents across the LAN and fax/send them out to the hackers.

    YourThings Scorecard (evaluations of a number of common devices)
    Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"
    OWASP's "Internet of Things (IoT) Top 10 2018" (PDF)
    Brian Krebs' "Some Basic Rules for Securing Your IoT Stuff"
    Router Security's "Test Your Router" (also cameras, printers, etc)

    Testing webcam / security camera from inside (LAN side):

    Assuming camera's LAN IP address is /err.htm (Telnet) (Telnet)

    If test from LAN side gives suspicious results, investigate from WAN side.

    Testing networked printer from inside (LAN side):

    Assuming printer's LAN IP address is (Telnet) (Telnet)
    Probably ports 9100, 631, 515 will be open on the LAN side; this is normal. But they shouldn't be exposed on the WAN side.

    If test from LAN side gives suspicious results, investigate from WAN side.

  23. Mobile devices are vectors for infection

    Suppose you routinely carry your phone / tablet / laptop / USB stick from home to work and back, connecting to Wi-Fi or plugging in in each place. And your partner does the same with their devices and their work. And the kids carry devices from home to school and back, and to friend's houses, connecting to Wi-Fi in each place. Maybe some of you use Wi-Fi in fast-food places or hotels or something.

    Any of these systems could carry malware from one network to another, if not properly protected and isolated.

    A sophisticated attacker could try to take advantage of this situation. Suppose they want to get data from the corporation you work for. So they sit outside your house probing the Wi-Fi, and find your kid's phone is vulnerable. They use that to attack your laptop, get some malware onto the laptop, and the next day you take that laptop to work.

    Segment, isolate, compartmentalize, protect, test. Don't assume that "inside the router" means "safe".

    Similar connections occur if you access personal email or cloud storage from your work computer, or the kids access school email or group homework-project docs or their sports-team docs on a home computer. Malware can be copied from one place to the other.

  24. Would you know if your device was compromised ?

    Set honeytraps on your devices:

    Have log-files:

    • How can you turn on logging ?

    • Is there anything useful in the logs ? Do they record logins, commands run, etc ? Do you know how to read them and understand them ?

    • Are the logs copied to somewhere else for storage ? (Called "log shipping".) Otherwise an intruder could erase them. Send with rsyslog, analyze with LOGalyze or LogAnalyzer ?

    • How long are the logs kept ? How long a time-period do they cover ?

    Logging Made Easy (Windows only)

  25. Don't routinely use an Administrator-privileged account, use a non-Administrator account.

    This issue is a bit overblown, for a desktop single-user machine. In such a situation, all the interesting files are owned by the non-admin user. The only added risks from compromise of the admin account would be that the attacker might be able to do privileged operations such as spying on all LAN traffic.

    I think this issue is a bit overblown in Win10, also. If you install Win10 and only log in as "administrator", really what you're doing is running in an "administrator-capable" account. If you try to do something that requires actual administrator privileges, you will see a "UAC" dialog and have to click "yes" to achieve administrator privileges. If you're running in a "normal" user account and try to do something that requires actual administrator privileges, you will see a "UAC" dialog and have to type an administrator password to achieve administrator privileges.

    Rick Rouse's "Why you should use a 'Standard' user account in Windows"

    From someone on reddit, about Windows:
    > If I already have my account as admin, is there a way to demote it?

    Create another user account. Name it Admin or Bambi or whatever floats your boat at that particular second. Set that account as a system administrator. Log out of your current account and into the new account. Change your normal account to a standard user. Log out of the new admin account and back into your regular account.

    All of this is done through the 'User accounts' control panel applet.

    Similar in Linux: use a normal user account, and "sudo" when you need to do something as root.

    But see: xkcd's "Authorization"

  26. Keep account security info up-to-date:

    If your bank or credit card company sends you a security alert, but they send it to your old dead email address or old postal address, it doesn't do any good.

    If you have a login problem somewhere, and the web site says "no problem, verify by clicking link in your email", but they send it to your old dead email address, you're in trouble.

    If you never receive routine communications or verifications from your account at some company, figure out why and fix it, don't let it slide.

  27. Monitor your accounts for evidence of problems:

    At this point, there have been so many and such huge breaches (e.g. at OPM, Equifax, Anthem, more) that you should assume your Social Security number and DOB and credit-card info and email address have been stolen.


    • Set Firefox Monitor to monitor your email addresses.

    • Set up Google Alerts about your email addresses. Maybe also an alert on your home postal address ?

    • Some services (such as, Transferwise) can be set to send you an email every time a transaction occurs.

    • Some of the credit-agencies may send you an email if a credit card is created or closed under your name.

    • Maybe use an identity-theft warning service.

    Periodic checking:

    Report freezing:

    Maybe freeze your credit (a "credit freeze" or "security freeze"; usually free to apply and $5 to remove) or institute a fraud alert (free, but not as good).
    US credit agencies: Equifax, Experian, TransUnion, Innovis, NCTUE, SageStream.
    Jason Lloyd's "Why You Should Freeze Your Credit Report"
    FTC's "Credit Freeze FAQs"
    William Charles' "Two Credit Bureaus You Should Freeze Before You Apply For A U.S Bank Credit Card"
    AJ Dellinger's "Equifax Operates Another Credit Bureau, and You Can't Freeze Your Report Online"
    From Brian Krebs' "The Lowdown on Freezing Your Kid's Credit":
    Some fans of my series explaining why I recommend that all adults place a freeze on their credit files have commented that one reason they like the freeze is that they believe it stops the credit bureaus from making tons of money tracking their financial histories and selling that data to other companies. Let me make this abundantly clear: Freezing your credit will not stop the bureaus from splicing, dicing and selling your financial history to third parties; it just stops new credit accounts from being opened in your name.
    Also, a credit freeze does not prevent a background check (by govt or corporation etc) from getting your data.

    Even if you have a credit freeze enabled, still check your credit reports every year or two, to make sure nothing incorrect or fraudulent appears on them.

    Maybe freeze your salary/employment history report.
    Salary/employment history agencies: Equifax Workforce Solutions (AKA The Work Number, AKA TALX), AccuSource, InVerify.
    [I requested my TALX report. It only had the very last year of my work history (I retired almost 20 years ago), but it did have my employer, job title, and salary for that year.]
    Alicia Adamczyk's "How to Review (and Dispute) the Salary Data Equifax Collects on You"
    KrebsOnSecurity's "How to Opt Out of Equifax Revealing Your Salary History"

    European credit-reporting agencies:
    Spain: Asnef-Equifax
    Spain: RAI (Registro de Aceptaciones Impagadas)
    Spain: Experian España
    Spain: CIRBE
    Germany: Schufa
    UK: TransUnion / Callcredit
    many more ...
    Haven Mortgages' "Credit Bureaus Around the World" (PDF)

    Check your status in a bank-account-monitoring service:
    ChexSystems' "Consumer Disclosure"
    LexisNexis' "Accurint Individual Access Program"
    [I requested my LexisNexis report. 42 pages, much of it repetitive. It showed 2/3 of the addresses I've lived at, and one address that was wrong. A boat that I had owned, but none of the cars I owned. None of my bank accounts or my credit card. Nothing about school or employment history.]
    [Sent an opt-out request to LexisNexis, and got a response (paraphrased): "Your request is approved and in process. Note that your info will remain in the following services: restricted public records products available to commercial and govt entities that meet credential requirements and are used to detect and prevent fraud, enforce transactions, perform due diligence and other critical business and govt functions; products regulated by the Fair Credit Reporting Act, third-party data available through real-time gateways; news; legal documents."]

    Bruce Schneier's "Protecting Yourself from Identity Theft"

    Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"
    Beth Skwarecki's "What Happens to Your Stolen Medical Data"

    A limited number of people can set a PIN on their IRS filings:
    IRS's "Get An Identity Protection PIN (IP PIN)"

    I think anyone can create an online account with the IRS, and better that you do it before some scammer does it for you:
    IRS's "View Your Account Information"

    Apparently the US Post Office has a notification service where they send email to you when something is about to be delivered. You want to register for this before some bad actor does so in your name.

    Sign up for your online US Social Security account (may require a trip to a SS office).
    Carissa Ratanaphanyarat's "Your Social Security Number Was Stolen! Now What?"
    Brian Krebs' "Crooks Hijack Retirement Funds Via SSA Portal"

    When someone uses your public reputation to get jobs:
    Relja Damnjanovic's "Freelancer Identity Theft: It Happened to Me - Here's What You Should Know"

    You can opt-out of some of this tracking:

    Opting out of everything probably is impossible, and a game of Whack-A-Mole. But at least hit some of the top places.

    If you're using a PO Box or PMB to hide your real address, probably don't opt-out in places where they have only your PO Box or PMB address. You want to have your data associated with that address, not your real location.

    Don't copy a standard opt-out request letter or email from some workbook, and send that to services. They're aware of standard formats, and ignore them. Instead, compose a request in your own words. Don't say you're doing it "for privacy", instead say your family has been getting strange phone calls giving personal information and threats, and is feeling endangered and stalked. Emphasize that you need your data removed from both their search results and their deeper listings.

    Often the first response to a "remove my data" request is an automated response. Respond to it and repeat your request, maybe changing it a little.

    Some opt-out services (on data-brokers, and on such services as Yahoo Mail) work by putting a cookie on your computer, telling their advertising code not to track you. But this conflicts with my desire to delete all cookies every time I close the browser.

    A couple of US states have registries of data-brokers ( Vermont and California), so maybe you can use those to find opt-out addresses.

    LexisNexis' "Individual Requests for Information Suppression Policy"
    SageStream Opt Out
    Acxiom Opt Out
    Palantir privacy statement

    World Privacy Forum's "Data Brokers Opt Out List"
    Yael Grauer's "Here's a Long List of Data Broker Sites and How to Opt-Out of Them"
    Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)'s "Opt Out List"
    ParanoidsBible's "The Master Opt-Out List"
    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
    Elizabeth Harper's "How to Remove Yourself From People Search Directories"
    Alicia Adamczyk's "Run a Comprehensive Background Check on Yourself"

    There are some mass-opt-out services, but they just store preferences in cookies in your browser, so if you delete cookies, your preferences are deleted:
    EU: Your Online Choices
    USA: WebChoices

    Instead of opt-out lists/sites, I'd like:

    • A big comma-separated list of email addresses, so I can paste the whole list into the BCC field in my email client and send one "please delete my info from your site" email to all of them in one operation.

    • A browser add-on or app that will let me push one button, and the add-on/app will go to N opt-out web pages and fill in the forms to tell each of them "please delete my info from your site".

    From interesting audio podcast interview of a guy who runs people-search sites, The Complete Privacy & Security Podcast episode 071:

    There are maybe 6 big players in the people-search industry ( Pipl's "Removal from Search Results", BeenVerified, Spokeo, TruthFinder, Radaris, MyLife, Intelius ), and a hundred subsidiaries/affiliates of them, and a hundred smaller competitors. And maybe 3000 web sites, owned by those companies. But they may create dozens of new web sites every week or month, trying to get into the top-ten results on Google Search.

    Some of the companies make money through ads, but mostly they make money when someone views their free report and decides to subscribe to get their full report.

    These companies are scraping data from everywhere: from each other, from govt, from companies such as real-estate agencies, from any account you create that allows sharing your data with third parties, etc. Some governments will sell driver's license data or car registration data.

    Getting a company to "delete your record" is not best, because your info probably will flow back in from somewhere else a week or a month later, and they'll treat it as a new record because they no longer have a record of you. It's better to have them "block your info", so they keep a record but don't give it out (if they're ethical).

    Disinformation can work, but it won't hide any real information, and you have to be consistent, using the same false info again and again, as many places as possible.

    Name, address, phone are the key items used to correlate data from various places, but I'm sure SSN, DOB, credit-card number are used when available.

    Some big services used by private investigators and law-enforcement: Tracers, TLO, IRBsearch.

    Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
    Kristen V Brown's "Deleting Your Online DNA Data Is Brutally Difficult"
    Michael Bazzell's "Hiding from the Internet"
    Wolfie Christl's "Corporate Surveillance in Everyday Life"

    If you're a victim of Identity Theft:

    • Immediately report it to your banks and other financial companies. Cancel cards and get new ones.

    • Immediately report it as "fraud alert" to one or more of the credit-reporting agencies.

    • If you know or suspect how it was done, change password and/or make report to that source.

    • Review past transactions going back a year or more; this may have been going on for a while. Dispute any fraudulent charges, correct any wrong info on credit reports.

    • Make a report to local police, even if they will do absolutely nothing about it and even if the problem is entirely online, not local. You will be putting a sworn statement on the record, and that will be useful to give to your banks, use in court, etc.

    • File identity-theft report with FTC:

    • Do items in the Report freezing section above, if you haven't done them already.

    • Change important passwords, even if they may seem unrelated to this problem.

    • Check social media postings to see if they could have revealed info used to create this problem.

    • Get copies of your credit reports every couple of months for the foreseeable future.

    ASecureLife's "Identity Theft Recovery Checklist" (PDF)
    Neil J. Rubenking's "5 Ways Identity Theft Can Ruin Your Life"
    Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"

    OSINT Framework

  28. Simplify your life:

    Do you really need email accounts at N different providers ? Each one has to be secured. Really need accounts at Twitter, LinkedIn, Facebook, Snapchat, Instagram, Flickr, YouTube, 20 different online stores, etc ? Really need 5 credit cards and accounts at 5 banks ? Each one is a possible security or privacy problem.

    Reduce, simplify. But you do need a backup email account, and a second bank account and debit card, IMO.

  29. Be smart: won the lottery
    Be aware of security threats, and don't fall for them. Know how to recognize spam, scams (here), phishing attempts. False alerts that say "something is wrong with your computer, better run this scanning software right away !". Be especially careful when downloading and installing software.

    One way to think of it: be wary of any "incoming" stuff. Email you receive, SMS or WhatsApp texts you receive, Facebook posts or comments you receive, a USB drive you find on the ground, a USB drive given/mailed to you, a phone call you receive, software you download, a recommendation that you do or install something. "Incoming" == "potential threat".

    Be wary of threats in search results. Lots of sites have been set up to provide "GMail Support phone number" or similar in search-engine results. But these big vendors with free services (Google, Facebook, WhatsApp, etc) deliberately do not HAVE a phone support number you can call. They have hundreds of millions or billions of free users; the LAST thing they want is for users to be able to call a human at their company. Any search result that gives you such a phone number is trying to connect you to a scammer. At best, they'll try to sell you something. At worst, they'll install ransomware, steal your money, and sell your information.

    When you see scams or spam or abuse, report them if you can. You may save someone else from getting scammed or abused.
    Google's "Safe Browsing" (report links at bottom-right)

    If something strange starts happening with your phone (service turned off, or lots of SMS messages, or requests to confirm transactions you didn't initiate), or similar in your email (requests to confirm transactions you didn't initiate), react immediately, don't let it slide. You may be under attack. Check your key accounts and devices. Call your bank and phone service provider. Run anti-virus scans. Don't panic, but check on things.

    If you receive a 2FA code on your phone when you didn't try to login, someone may have your username and password for that account, or may have just your email address and requested a password-reset for that account. Check your account and probably you should change your password.


    Phishing is when someone sends you something to trick you into giving away important information (such as your username and password, or credit card details).

    Phishing attempts usually come through email, but also they could be done through Instant Messaging, chat, SMS, a Facebook post, a web page you find through searching, even paper mail.

    People rightly are told to be suspicious of links and domain names. Be doubly suspicious of QR codes, which really just resolve to a link (URL). Don't just blindly scan a QR code and assume it sent you to a legit page. QR Code

    My quiz about phishing emails to home users: Go to Phishing Test page 1 of 6

    Google's "Phishing Quiz"
    [I got only 6/8. I think that quiz proves that users need a LOT more help from browsers and email clients. Maybe email pages should have:
    • A same-origin policy to require all email addresses and links to be in the same domain.
    • An icon next to every URL so you can click and see the owner of the domain.
    • Text of every link forced to match exactly the URL of the link.

    SonicWall's "How is your Phishing IQ?"
    PhishingBox's "Phishing Test"
    OpenDNS's "Phishing Quiz"
    ProProfs' "5kazen Quiz - Phishing Scams"
    Tyler Omoth's "10 quick tips to identifying phishing emails"

    Wikipedia's "Phishing"

    Send any suspect links or files to VirusTotal for checking. (Maybe also URLVoid or or Zscaler's Zulu or Trend Micro's "Site Safety Center" or Talos Intelligence or Hybrid Analysis or Joe Sandbox)

    Report any suspicious emails to the company they're pretending to come from, or to your email provider, or to FTC Complaint Assistant.

    Report any phishing or look-alike web sites to Google Safe Browsing or Microsoft SmartScreen or Netcraft Anti-Phishing.

    Don't click on a link in the email to report it or say "no, I didn't request a password reset"; that link could be malicious.

    A browser add-on that tries to protect you from look-alike domain names (e.g. ""): Donkey Defender

    Be especially careful in a big-money rushed situation such as closing a real-estate transaction (buying a house). A scammer may jump into the middle of the process and send you an email saying "okay, send the deposit money to bank account NNNNNNN, ASAP !". Always find out up front how and where the money will be transferred, and get it in writing. If there is any change, get the new info in person and in writing (or at least initiate a phone call to verify such things).

    IP Logging:

    Generally, clicking on a link is not enough to hurt you. Your browser will load a web page. There is a small chance that code on that page could find some vulnerability in your browser, if you haven't kept your software updated. But it's unlikely.

    A bigger risk is that the page could fool you into doing something bad, such as giving your login credentials.

    A valid risk is that the page could collect as much information as possible about you and your browser and machine, and send that information somewhere. At a minimum, it could record your IP address ("IP logging"). It could record what browser you're using, what OS you're using, etc. All the stuff listed in the Browser fingerprinting section.

    If you're using a VPN, and have turned on privacy and anti-tracking settings in your browser, maybe there will not be much info. But suppose the link looks like something you really want to see ("we tried to deliver a package to you"), and the page says "blocked because you're using a VPN; turn off your VPN" ? You might do it. Then the attacker could find out more information.

    Watch out for fleeceware apps or sites: subscriptions that say $10/year in big print and then $10/week next to the button where you're paying.

    Watch out for ridiculously-priced items on web sites such as eBay or Craigslist. Some people buy things on Amazon for $20 and then put them for sale on eBay for $40 to see if anyone will bite.

    Watch out for deceptive items for sale. It may look like they're selling a phone, when in fact they're selling a case for a phone or a model of a phone.

    Max Eddy's "How To Protect Yourself From Social Engineering"
    Alan Henry's "Why Social Engineering Should Be Your Biggest Security Concern"
    IC3's "Internet Crime Prevention Tips"
    Decent Security's "How Computers Get Infected"

    "I got a strange email from you, your account must be hacked !":
    This does not necessarily mean someone has been "hacked". Perhaps some software scanned Facebook, found that A and B are Friends, and found A's email address in A's Facebook profile. Then a scammer sends an email to A, with a few cosmetic changes to make it look like it came from B, and saying "hey, this is B, check out this [dodgy] site" or something. A says to B "I got a strange email from you, your account must be hacked !".

    One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".

    If you start getting a flood of junk emails from many sites, it could be that someone is harassing you, or it could be something more serious: If someone manages to break into your Amazon account, for example, and place an order, they might flood your InBox with junk so you overlook the real order confirmation email from Amazon.

    Some scams work by trying to claim a special bond. We're members of the same religion or political party, for example.

    And of course scams are not just online, they also can come via phone or snail-mail or in person.
    Alan Henry's "Five Common Scams Directed at Seniors (and How to Avoid Them)"
    FTC's "Phone Scams"
    ACCC's "Scamwatch - Types of scams"

    If you get scammed, report it to local police. Sometimes scammers are fairly local, not in some faraway country. Sometimes police will be able to combine your info with that of other victims to see a pattern that you don't see.

Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
ProtonVPN's "12 mistakes that can get your data hacked - and how to avoid them"
Decent Security's "Windows Security From The Ground Up"
Wired's "Guide to Digital Security"
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Justin Carroll's "Thirty-Day Security Challenge"
Open Reference Architecture for Security and Privacy
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
ProtonMail's "A complete guide to Internet privacy"
Fried's "The Ultimate Guide to Online Privacy"
Michael Horowitz's "A Defensive Computing Checklist"
Lissy93 / personal-security-checklist
CISA's "Tips"
kaiiyer / rajappan's "Privacy Guides"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"

security T-shirt

Online Privacy

  1. Don't put really private stuff online. At all.

    Naked pictures of yourself or your spouse ? Personal embarrassments ? Dark secrets ? Something illegal ? Something embarrassing about your friends or family ? Just don't put it online, or transmit it over the internet. Maybe don't even put it on your computer or phone or camera.

    Either stop using social media, or use it more carefully.

    Use multiple throwaway accounts on social media (mainly reddit) where that's easy to do and people don't need to find you by your real name.

  2. Other people are a threat to your privacy.

    Don't tell other people about stupid or illegal stuff you've done; maybe they'll post or WhatsApp about it, or tell someone else and then they'll post about it.

    Have a friend or family member who likes to gossip about you, who betrays your trust ? Now they can do it online. Be careful what you tell them, online or offline. Be careful how you connect to them online, and what you expose on those connections. And you may be exposing other people to them, online.

  3. "Privacy" is not just about your data, it's about the data of others too.

    You have lots of data about your friends and family and employer and coworkers and neighbors. Treat it carefully. Encrypt your devices. Think twice before posting about someone else, or about something you did with someone else.

  4. Give "them" as little data as possible.

    Don't fill in all of those "profile" fields. Why tell Facebook where you've worked, where you went to school, who your family members are ? Why tell LinkedIn everyone you've worked with ?

    Registering for professional conferences is particularly bad; those directly give your data to all 500 vendors at the conference.

  5. Give them fake data.

    Don't give them your real birthday, or real mailing address, or real phone number. Misspell your name slightly.
    [But: if Facebook or whoever later challenges you to produce real ID to verify your account, and your info doesn't match, you'll lose the account.]

    Set Facebook profile fields for school, work, places lived to real, big places that have no actual connection to you. Let them sell misinformation.

    Maybe have multiple people (your whole family, or half a dozen of your friends) share one social-media account (Facebook, Twitter, Pinterest, reddit).

    Maybe you could have multiple accounts on one social-media site, and use a different account every day.

    For map/GPS applications, set home and work addresses to nearby addresses, not your exact addresses.

    But you can't give fake data to police or government or schools or insurance or banks. That may be illegal, or may come back to bite you later in some way.

    When installing an OS, or using a brand-new PC for the first time: Give your PC a generic name such as "laptop2". Create a user account with a generic name such as "user3", instead of using your real full name. Or use your initials: "userJD". Those names will appear on networks and other places.

    Your computer or browser or ISP may reveal your physical location to web sites.

    Ways your location can be determined or set:

    • GPS, in smartphone.
    • Cell towers that your smartphone can see.
    • Adapters (networks) that your Wi-Fi can see.
    • Adapters or devices that your Bluetooth can see.
    • Adapters or devices that your device can see through a mesh network.
    • Location set by the owner of the LAN's router ?
    • Location set by the ISP that connects to the router.
    • Small clues set in your OS, such as system time-zone and language and country-code.
    • Location you set in your browser or other application (VoIP?) or OS.
    • Location you set in your online accounts (social media, etc).
    • Location set or known in other devices on your LAN or Bluetooth, such as TV or game consoles or car's GPS ?
    • Location set or calculated in body-devices on Bluetooth, such as watch or fitness-tracker ?
    • Location acquired from connected nearby devices not owned by you, through hookup apps ?


    • Operating system:
      Windows 10 gives a setting to turn off location and set a "predetermined location" to give to apps. I think you get to it through "Diagnostic Settings".
      It seems Linux does not have a similar facility.

    • Set location in your browser:
      Location Guard
      In Firefox, do about:config and look at "geo." entries. Someone says set something like:
      geo.wifi.uri = data:,{"location":{"lat": 51.50,"lng":-0.12},"accuracy":1000}
      In Chrome, maybe "Manual Geolocation" extension, or:
      "developer console / 3 dots / more tools / sensors / enter geo you want or choose from presets"

    • Smartphone:
      Go through app permissions and disable Location wherever possible. But I have a couple of bank or other financial apps that insist on having location turned on, I guess as part of fraud detection.
      mcastillof's "FakeTraveler" (Android only; fake GPS location)

    Test via: IP Location

    Maybe Create fake personas:

    Create a fake name who lives at your real address:

    • Pick a simple, neutral name, such as "Alex Smith".

    • Create an email address that fits, such as A.Smith at gmail.

    • Get a pay-as-you-go SIM phone and use it for this person.

    • Get a virtual credit-card in their name.

    • Use one set of fake data (phone number, email address, gender, DOB, SSN, photo [not a stock photo from the internet; maybe from This Person Does Not Exist], CC number, school history, work history) for this persona, and stick with it. Write it all down, print it out for easy use.

    • Create an email address that fits, such as A.Smith at gmail.

    • Use your real postal address.

    • Subscribe to a couple of cheap or free magazine trials (Forbes, Wired) in their name, using your real postal address.

    • Subscribe the email address to a couple of newsletters, so there's activity in the account. Set the account to forward the newsletters to some other junk account, so there's outgoing traffic too.

    • Use this persona when ordering things online.

    The goal of this persona is to avoid giving out your real data, and make it look like someone else is living at your address, so maybe you have moved out.

    Associate your real name with lots of fake data:

    • Pick one set of fake data (phone number, postal address, email address, DOB not too far from your real DOB, SSN, school history, work history) and stick with it. Write it all down, print it out for easy use.

    • Use your real name, your real gender, your real photo.

    • For the postal address, maybe pick the address of some big hotel in the same county as your real address.

    • Maybe create a fake company ID-card with this data on it ? But there are few cases where you'd need to use it. Could be useful to hand over to a store-clerk when they demand your data, or just to help you remember your fake data.

    • Maybe create a credit card with this data on it ? But there are few cases where you'd be able to use it, since it would not be a physical card, and it would not be connected to your real postal address. The bills would be paid, so using it is not fraud, probably.

    • Create a free Wordpress blog page, giving the data of this persona, about some subject unrelated to you. If it looks like a personal business, you have an excuse to give address, phone number, and email address.

    • Maybe buy a domain-name that matches your real name, giving the data of this persona (although I think you'll need to give real email address). Create a web page giving this persona's data and unrelated subjects. [Probably a lot of work.]

    • Some people-search sites let you submit "corrected" data. Give them this persona's data.

    • Online, request quotes for home alarm-monitoring services.

    • Online, make a PasteBin page containing the info; they get scraped frequently.

    • If you have a burner phone number to use, maybe create a LinkedIn account for the fake persona.

    • Subscribe the email address to a couple of newsletters, so there's activity in the account. Set the account to forward the newsletters to some other junk account, so there's outgoing traffic too.

    • Use this persona anywhere that data is demanded but you don't need/want to receive anything in postal mail or email. In retail stores, for unimportant online accounts, professional conferences, etc.

    The goal of this persona is to create fresh misleading data (in your real name) that is newer than your real data.

    Maybe have a separate different-colored wallet for each persona, so you can keep everything straight and it doesn't look funny if someone sees multiple names in your wallet.

    Remember that you can't give fake data to police or government or schools or insurance or financial companies. That may be illegal, or may come back later to bite you in some way.

    I think Sudo (MySudo) creates and manages email addresses and phone numbers, but not the rest of a persona's information. I think Blur creates and manages email addresses and phone numbers and credit-card numbers (but with fees), but not the rest of a persona's information.

    Fake Name Generator

    Email address:

    What Google harvests from your accounts (mainly GMail), from someone on reddit 12/2018:

    ... I downloaded what supposedly is all the data Google keeps about me ...

    In my Takeout archive, there is a folder called "Purchases and reservations", which contains many files with all the anonymous* data that Google collected from my e-mails. This includes my purchases on all sorts of websites (Amazon, etc.), shipping updates and my flight/train reservations. ...

    My location data file freaked me out a little bit too, with all of its "ON_FOOT", "STILL" and "IN_ROAD_VEHICLE" strings, but I had my location history on, so that was to be expected. That text file alone is 82.7 megabytes - not bad, huh?

    If you have a Google account, I suggest you download all of your data from Google Takeout and check what it looks like with your own eyes.

    *Anonymous, in this particular case, means that my home address and my full name (albeit only in the reservation files), are written in plain text.

    It may be a good idea to have separate email addresses for family, work, financial, social, shopping.
    Hiding From The Internet's "Compartmentalization"

    You can get a disposable email address, which exists just long enough to finish registering somewhere: 10 Minute Mail, Mailinator, others.

    A service which will "screen" your real email address, phone number, credit card number by giving out different info which relays to your info: Blur (Stop giving out your real personal info online with MaskMe, a new privacy tool).

    A service which will "screen" your real email address, phone number, credit card number by giving out virtual info (but not relaying to your existing providers, I think): Sudo

    Another: "PlusPrivacy feature - email identity management"

    In your email client, turn off automatic display of HTML, images, and JavaScript. It's dangerous to let some random person send you a piece of software that executes in your client.

    Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

    On the other hand, if you use an email client application (such as Thunderbird), your email is not stored on the email provider's server for very long, it's stored on your personal machine. Maybe you can find a provider that promises to erase your messages completely from their server after you retrieve them to your machine.

    Nitrous's "The Easy Way to Use PGP for Encrypting Emails on Windows, Mac & Linux " (if using Thunderbird)

    Changing your email address:
    Changing your email address on all accounts (such as from old insecure email service to a new secure email service) can be tricky. If your email address is used as your username on an account, the service may or may not let you change it. But if you can't change username, you still might be able to change email address used within the account. Worst case, you may have to delete the account and create a new one.

    You may be able to set your old email account to forward all messages to a new account. But this is bad as a permanent thing: makes everything less clear and reliable, old provider still sees your mail, still have to manage old account as well as new one.
    Rick Rouse's "How to forward your Yahoo mail to another email account"

    Virtual phone numbers:

    It may be a good idea to have separate phone numbers for family, work, financial, social, shopping.

    Nomad Gate's "How to Build Your Own Virtual Phone in Minutes"
    Ben Stockton's "5 of the Best Virtual Cell Phone Number Apps for Android"

    Google Voice
    SMS: Hushed (cheapest plan $5/month, but there are many limits by country, maybe have to address-verify, etc)
    TextNow (available only in USA, Canada, and some others)

    Credit-card info:

    Even if you have a credit card with a chip in it, the magnetic stripe on that card still contains all of the info needed to do a transaction, and the stripe is easy to read. So keep a close eye on any merchant you hand your credit card to. And monitor your account for any unauthorized charges.

    If you want a fake number to satisfy a "free trial" web site, see .

    Virtual Credit Cards:
    Such a card or card number is connected to a real credit card or a bank account. Any transactions you do get "passed through" to the real account backing the virtual card or card number. Multiple cards or card numbers can be backed by the same real account.

    You can get one or more Virtual Credit Card numbers. You may be able to set a purchase limit or time limit on the number. You might be able to get such a number from your existing credit card company.

    Such a number is virtual, not physical, so you can use it only online, not in a store. Don't use it for something you buy online but then pick up in person: maybe air travel, hotel, rental car, event tickets. Virtual numbers often don't work for overseas transactions, only within the country of origin. If your real number and all virtual numbers are issued by the same company, that company still can see all of your activity.

    I wonder about the legal implications of this. In USA at least, consumers have a lot of rights to dispute credit card charges and be protected against losses. What happens to those rights if charges are going through another service first ?

    Also, real credit cards often give accident insurance when renting a car, or trip-cancellation insurance when buying plane tickets.

    Online, paying with a service such as PayPal gives less data to the merchant than paying with a credit card. But not all merchants accept PayPal, and I'm not sure about protections and benefits when paying with PayPal.

    Rules and fees vary greatly from company to company. Some allow only citizens or residents of certain countries. Some are accepted only by merchants in a specific country. Some have an annual fee per card, or a fee per transaction.

    Neil J. Rubenking's "5 Things You Should Know About Virtual Credit Cards"
    Alan Henry's "Privacy Lets You Create 'Virtual' Credit Card Numbers, Deactivate One Instantly If It's Stolen"
    Rebecca Lake's "Why Virtual Credit Card Numbers Aren't Worth It"
    Simon Zhen's "Virtual Account Numbers: What You Need to Know"
    Zahra's "Best Virtual and Prepaid Cards for International Shoppers"

    Blur (article)
    Token (smartphone app only; Chrome extension being developed)
    Sudo (MySudo)
    Revolut (Premium plan, €8/month)

    My experience with since 1/2018:

    Available to US or Canadian citizens only. Requires USA mailing address, requires email that can be verified, US phone number that can receive an SMS for verification. Will pay directly out of your bank account, so it requires your bank account username and password.

    Gave it credentials to my bank account at ETrade, but connection kept failing, they said there's a bug.

    A month later, I asked if they had fixed that bug, and instead they turned on ability to give ABA routing number and account number. I gave those numbers, they did 2 deposits to my account to confirm that it existed.

    A few days later, tried to create a number, and it failed. Turned out I hadn't quite finished the process, I was supposed to tell them exactly the amounts of the test-deposits.

    You can't create a physical credit card that carries a number created through, it won't work. [But it seems legal to possess a credit card writer; they're for sale on Amazon, eBay, etc. And you can buy blank white credit cards there, too. You might need a special printer to print on them; search for "credit card printer embosser". I'm not sure if any card-printing services will create a real, working credit card for you, unless you're a business, and ordering in largish quantities.] But 9/2019 says they MAY offer a physical card within the next 12 months.

    Each card you create can only be used at one merchant, the first where you use it. You can't create one card which you can use for any merchant.

    Also not specified: what name is on the card. Asked Support, and got:
    In terms of name / billing, you can use any name and billing address / zip code with the merchant you would like, and we will return that it's correct when the merchant runs the charge.

    Please keep in mind though, merchants have sophisticated fraud checks on their end sometimes, so don't get too creative with the billing info or it might raise a flag in their system. Also if the transaction requires a shipping address, generally using a billing address in the same city is a good idea (for example, if the shipping address in San Francisco and the billing address is in New York it may trigger their fraud checks as well).
    So, you just have to give the right card number, CCV, and expiration date, and the card will work.

    Other than putting a "nickname" on each card on their web site, the web site gives no help for managing the cards. You can't tag each one with the name and address you're using with the card, for example. (Maybe better to do that in a password manager, anyway.)

    In my bank account, transactions show up as "direct debit" and description "something PRIVACYCOM". The "something" comes from the vendor, it's not the nickname of the card. You can change this by going to YourName / Account / Private Payments.

    My referral code for anyone who wants to create an account.

    Free account works fine. If you want 1% cash-back cards, you have to have $10/month account.
    From someone on reddit about 7/2018:
    Don't make multiple cards for same merchant, probably best to use same card for eBay and PayPal; there is an unstated daily spending limit as well as the stated monthly limit.

    From someone on reddit about Blur 7/2019, in response to "looking for a virtual card provider in UK/EU":
    Don't. I have Blur and they're terrible for privacy. In the UK they don't have virtual cards at all, the only option they give you is the ability to have a masked email. They also (as of about a month ago) have removed masked numbers.

    On top of that they were involved in a security breach that they still haven't acknowledged or issued a statement surrounding (to the best of my knowledge).

    Prepaid (debit) cards:
    Such a card or card number has to have money deposited into it ahead of time; you have to maintain a positive balance in the account. Any transactions you do are paid from that balance. If you have multiple cards or card numbers, maybe each one has a separate balance ? Not sure.

    You can get a physical card, so not just for online use. But refunds may get complicated. Any balance you load into the card might not be protected by banking laws, certainly not at the $50 limit of protection on a credit card.

    From someone on reddit 2/2018:
    Any card sold in the USA that is "reloadable" in some way must have a real SSN with matching name and Date of Birth on file. The only exception is the cards that are only loadable once and after the funds are gone, it is useless. ... You know that little folded-up piece of paper that folds out to about a legal-size sheet of paper with fine print on it? It is all in there. It also lets you know that the card can only be used within the USA and not outside of it. This includes online merchants and many online merchants in general are starting to block those cards regardless.

    Pre-paid cards often have a web site you can use to track the purchases and remaining balance. All you need to access that info is the data printed on the card itself. So be wary of buying a card from somewhere sketchy, or using a card you received in the mail: someone could have copied that login information, and will use it to track you. Buy cards only from mainstream, reputable stores.

    Rules and fees vary greatly from company to company. Some allow only citizens or residents of certain countries. Some are accepted only by merchants in a specific country. Some have an annual fee per card, or a fee per transaction, or charge a percentage of the money you load into a card. Check to see how unused balances are handled; can you transfer money among cards, or get a refund, or do you just lose the unused money ? There seems to be a lot of turnover in this industry; what happens if your card-company stops offering cards or goes out of business ?

    Zahra's "Best Virtual and Prepaid Cards for International Shoppers"
    Gunjan's article (with misleading title)
    Nick Beeny's article (with slightly misleading title)


    Photo ID card:

    Official government ID that doesn't give away your address: passport, or US passport card (available for $55 when you renew your passport).

    Some people carry a fake ID, to show to businesses that demand photo ID. I think it's legal as long as it's not a fake of a government ID, and you're not committing fraud. A fake corporate employee ID card from a fake corporation, maybe. Maybe add this fake person as an authorized user to your real credit card ?

    Maybe in the future we'll get "decoy" tools or services: something that posts fake info online to make it harder for others to figure out your true info. Fake pictures of you, fake address, fake postings, etc.

  6. Maybe use login/password info from elsewhere, instead of using your own.


  7. Use "blockers".

    Blockers usually prevent: tracking scripts/images, ads that clutter your page, malware that might come in via ads/scripts/downloads, ads/images/scripts that would reduce performance.

    Several ways to do this:

    • Native settings / functionality in your browser.

      This may include pop-up blocking, safe-domain checking, dangerous download blocking, tracker-blocking, containers, camera/microphone permissions, cookie blocking or deletion. [I don't block cookies, but I have the browser delete all of them when it closes. And I use Containers to keep sites from seeing cookies from other sites.]

      Dave Camp's "Firefox Now Available with Enhanced Tracking Protection ..."

    • Extensions / plug-ins / add-ons in your browser.

      uBlock Origin (get inside your browser, or from here ?)
      Disconnect for Facebook
      Privacy Badger (but article)
      Privacy Possum
      Disconnect (prevents tracking by Facebook, Google, Twitter)
      Priv3 (affects Facebook, Google +1, Twitter, LinkedIn)
      "Stop Tracking Me on Reddit"
      Add-on to control or delete "referer" information in HTTP requests; in browser, do a "Get Add-ons" and search for "referer"
      More complex tools:
      uMatrix (article; but 9/2020 development is ceasing)

      Requires a tweaking and whitelisting to get it right for you, but worth doing: NoScript (AKA "NoScript Security Suite")
      Martin Brinkmann's "How to use NoScript efficiently"
      The Tin Hat's "NoScript Tutorial"
      Wikipedia's "NoScript"
      I found it fairly easy to get started. By default, the whitelist contains some common sites, such as Google and Yahoo and Mozilla and PayPal. To get Facebook and Reddit to work, I whitelisted their top domains. But some sites (some banks, some govt sites, some ticket agencies) just will not work if NoScript is installed, no matter how much you whitelist them. For those, I switch to a different browser without NoScript. [I'm finding that some of them are being blocked by Privacy Badger; have to tweak the settings on that. And some sites are allergic to VPNs.] [Later stopped using NoScript and tried uMatrix. Same story: too much fiddling and breakage, although later someone said "There are 4 options in the ... menu of the uMatrix window that are not turned off if you turn off uMatrix by the 'power button'". Moved to uBlock Origin; you're in "easy mode" by default, more options if you enable the "I am an advanced user" check-box.]


      I would not use Decentraleyes. This gives me pause: "It comes bundled with a fair amount of commonly used files, and serves them locally whenever a site tries to fetch them from a delivery network." from Thomas Rientjes' "Simple Introduction"

      This is a pre-loaded cache, content coming from the developer, and that seems bad to me. Why not just start with an empty cache, and fetch the libraries from the actual sources the first time they're accessed ? But the developer has closed requests for this change.

      Also the add-on doesn't automatically cache newer versions of code from the CDNs, so a change/fix may not get to your machine until many months later when the add-on is updated.

      Test utility if you DO use Decentraleyes.
      Fork of Decentraleyes: LocalCDN

    • Filtering in DNS or VPN.

      Advantage: affects all browsers and all applications, from one place.
      Cloudflare's "Introducing for Families"

    • Hosts file modifications.

      Advantage: affects all browsers and all applications, from one place.
      uBlock Origin (get from here ?)
      StevenBlack / hosts

    • In your network router.

      Advantages: Affects all devices and all browsers and all applications, from one place. New or guest devices get protected automatically. Protects devices which don't allow installation of a blocker on them (smart TV, game console, some phones). No changes needed on your device (such as rooting a smartphone).

      Disadvantages: If you take your phone/laptop to another network, all of the blocking is gone. Many routers may not support blocking. If a web site ceases to function because of the blocking, you have to administer the router to allow ads/scripts on that site, affecting everyone.

      Rob Turner's "Install and Configure pfBlockerNg for DNS Black Listing in pfSense Firewall"

    • In a device between your ISP's modem and your network router.

      Advantages: Affects all devices and all browsers and all applications, from one place. New or guest devices get protected automatically. Protects devices which don't allow installation of a blocker on them (smart TV, game console, some phones). No changes needed on your device (such as rooting a smartphone).

      Disadvantages: If you take your phone/laptop to another network, all of the blocking is gone. Another hardware device to buy and install and maintain. Won't work if your ISP supplies a single integrated modem/router device, unless you buy a second router and bridge to it. If a web site ceases to function because of the blocking, you have to administer the device to allow ads/scripts on that site, affecting everyone.

      "Pi Hole setup guide: Ad-free better internet in 15 minutes"

    • For Android smartphone:

      Non-rooted: AdGuard, Netguard, Dns66, AdClear, Block This, Cygery AdSkip.
      Rooted: AdAway, MinMinGuard Xposed.

    • General OS controls.

      Spybot Anti-Beacon (prevents Windows sending info to Microsoft)
      Martin Brinkmann's "Block all outbound traffic in Windows Firewall"
      O&O ShutUp10 (helps you manage Windows 10 privacy-related settings)
      For Windows 10, some info in Wallace Chu's "Should You Disable Windows 10 Telemetry?"
      In Windows 10, also see "Diagnostic Settings", I think.
      For Mac: Little Snitch (limits outbound traffic)

    Many sites will stop working properly if you block scripts, some will refuse to work if ads are blocked, and some sites will not work even if you whitelist them in the blockers. You'll have to keep a "clean" copy of a browser (or browser profile) to use on those sites, and keep track of which sites require that special treatment.

    Side-effects of using too many privacy controls:
    • Increased chance of bugs.
    • Slower performance.
    • Increased attack surface (mainly in browser).
    • More things to keep updated.
    • More things to turn off if you really need to use some web site (such as your bank's site) that refuses to run without JavaScript or cross-domain access or ads or something.

    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
    Mozilla Blog's "Make your Firefox browser a privacy superpower with these extensions"
    Kingpin's "How to disable WebRTC ..."

  8. Set the "do not track" option in your browser to (maybe) stop "ad tracking".

    In Firefox, it's: Preferences - Privacy & Security - Content Blocking - Send websites a "Do Not Track" signal ...

    But: Jon Brodkin's "Yahoo is the latest company ignoring Web users' requests for privacy"

    One form of tracking is a "super-cookie": your ISP remembers what domains your IP address accesses, and maybe remembers some useful data (a unique ID number identifying you) for each site, and sells that data to sites and advertisers. The only way to stop that is to use a VPN (and also not use the ISP's DNS).

  9. Reduce "browser fingerprinting".

    When you use a browser to fetch a web page, the browser sends a "user agent" string that may say something like "Firefox 54.0 on Windows 10". Same happens when a game console or media player application etc accesses the web. See WhoIsHostingThis's "What's My User Agent?". Other information is sent: an "accept header" saying what types of media can be returned, your preferred language(s).

    Then after the page is retrieved, JavaScript code in the page can access your browser and determine more details about your configuration, such as your time-zone, your screen resolution, (with some effort, maybe using Canvas) what fonts are installed in your system, your browser's default language, your history in the current tab. On Chrome, I think the code can get the full list of extensions.

    All of this information can be used to form a "browser fingerprint" that may be unique to you, or close to unique.
    Am I Unique?'s "What is browser fingerprinting?"
    Lance Cottrell's "Browser fingerprints, and why they are so hard to erase"
    Mozilla Wiki's "Fingerprinting"

    This fingerprint can be used to track you, even across multiple web sites, even if you turn off cookies, change IP address, use a VPN, etc.

    Some things a web page, Javascript, or web server can not read, without special cooperation from a browser extension or some other unusual addition: your Wi-Fi network name (SSID), your MAC address, the list of extensions/plug-ins/add-ons in your browser (although it may be possible to check for specific extensions: article, and maybe Chrome gives away extension info).

    Testing your fingerprint:
    EFF's "Is your browser safe against tracking?"
    Device Info
    Am I Unique ?'s "Privacy Analyzer"
    Detect my Browser
    And see the Testing your privacy and security section.

    Key ways to avoid fingerprinting:

    • Use an ad-blocker.
      uBlock Origin
    • Turn off JavaScript.
      But this will break some sites (mostly some banks and govt sites), even if you whitelist them. Sometimes I have to switch to a different browser that does not have NoScript installed.
    • Minimize the number of browser add-ons you use.
    • Use a common browser and keep it updated.
    • Install multiple different browsers on your system, and use each for a different set of web sites.
    • Set the "do not track" option in your browser to (maybe) stop "ad tracking".
    • Set browser so it doesn't save usernames and passwords; verify using demo linked at Gunes Acar's "Web trackers exploit browser login managers".
    • New features coming in Firefox, from Tor: set privacy.resistFingerprinting to true.
    • Fake or random user-agent string.
      Matthew Muller's "How to Change User Agents in Chrome, Firefox and Edge Browsers"
    • Fake or disabled Canvas fingerprint.
      Canvas Defender
    • Fake or disabled WebGL fingerprint.
    • Fake or disabled WebRTC.
      CanvasBlocker ?
      Or in Firefox about:config, set "media.peerconnection.enabled" to false ?
    • Control system font list returned by browser ?
      In Firefox about:config, create a new string "font.system.whitelist" and set value to something like "Helvetica, Courier, Verdana". But for me, this made my fingerprint a lot worse.
      Daniel Aleksandersen's "Fluxfonts"
    • Control installed plug-in list returned by browser.
      In Firefox about:config, set "plugins.enumerable_names" to empty.
    Septimiu-Vlad Mocan's "Browser Fingerprinting and You"

  10. Minimize the number of things you use.

    Do you really need to use:
    • Each add-on you have installed in your browser ?
    • Each app you have installed on your phone ?
    • Each app you have installed on your computer ?
    • Each app you have allowed to access your Facebook account ?
    • Each app you have allowed to access your email account ?
    • Each social media site you use ?
    Every one of these is potential point of failure, a thing that could be stealing and selling your data, or accidentally having a security vulnerability.

  11. Reduce "behavior fingerprinting".

    If you always do the same set of operations in the same order each day, someone who can see all that activity can "fingerprint" you, maybe tying your identity to an IP address.

    For example, suppose every morning you go to web sites of NPR, NYTimes, BBC, USAToday, LATimes, your local newspaper. Always in that order. You may be the ONLY person who does that every day. Someone who has code on all those sites (Google or Facebook or Amazon, maybe), or sees all that traffic (your ISP or VPN company or ad-blocking service or DNS), could see the pattern and determine your IP address and identity and track you.

    Same is true of any automated application you start up each morning. Your email client, or feed-reader, maybe ? Any script you run that accesses a number of web sites ?
    Daniel Aleksandersen's "Feed readers can be uniquely fingerprinted"

  12. Use the privacy controls in the ISP and social networks and sites you use.

    The default settings are chosen to benefit the company, not you.

    Very important: Log on to the web site for your ISP and find any privacy settings they have for your account.

    Facebook lets you control the access that Apps and external sites get to your data: go to Account - Privacy Settings - Apps and Websites - Edit your settings.
    Melanie Pinola's "The 'Nuclear' Option for Total Facebook App Privacy"

    Turn off your Google search history: here. Also Rick Rouse's "How to prevent Google from storing your search history and tracking your online activities"

    YouTube: profile - Video Manager - History - Clear All Viewing History, and then History - Pause Viewing History, and then Search History and do the same clear-and-pause.

    Windows 10 activity history

    See and turn off data aggregating by BlueKai: here

    Handy central places to start:

    Instead of Google Search, use a service that promises not to track you:
    DuckDuckGo (or DuckDuckGo non-JavaScript)

    Privacy settings in Firefox browser:
    Privacy Settings add-on

    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"

    Apparently, "opting out" via NAI stops targeted ads, but does not stop companies from tracking your activities.

  13. Delete most cookies every now and then.

    This does two things: gets rid of tracking cookies, and means that if someone sits down at your computer and opens a site they won't automatically be logged in to that site.


    Or delete all cookies every time you close the browser:
    Ian Paul's "How to automatically delete your cookies every time you close your browser"
    Chris Hoffman's "How to Automatically Clear Private Data When You Close Your Browser"
    But if you do this, you'll probably want to be using a password manager, because you'll be logging in to sites a lot.

    Or use extension Cookie AutoDelete to delete most cookies but save some of them.

  14. Encrypt your traffic: use HTTPS web sites, and/or a proxy or VPN.

    Definitely use HTTPS on all of your sensitive sites: email, financial.

    But not every HTTPS site implements security to the same level; you can test a site using:
    CDN77's "TLS Checker"
    Qualys SSL Labs' "SSL Server Test"

    See my "Connection Security and Privacy" page about proxy and VPN.

  15. Don't always use the same IP address, or hide your IP address via a proxy or VPN.


    Changing IP address periodically:

    If you're connecting through a home Wi-Fi and cable router/modem (and no VPN), you probably can't change your external IP address. The router/modem probably is using one external IP address for all devices on your home network. To test this, open browsers on two devices simultaneously and go to on both devices. You'll probably see the same (external) IP address for both devices.

    Try power-cycling the fiber router/modem, and see if it comes up with a new external IP address. It may not. Try powering it off for longer, such as overnight.

    Try contacting your ISP and asking if they can change your IP address. If they ask for a reason, I guess you could say "to increase my privacy, to make it harder for advertisers to track me" ?

    If you're connecting some other way, you may have a chance of changing IP address. On Windows, create a CMD file containing "ipconfig /release && ipconfig /renew" and run it as Administrator. Check before and after, using

    WikiHow's "How to Refresh Your IP Address on a Windows Computer"

    See my "Connection Security and Privacy" page for information about VPN, Proxy, Firewall, DNS, and more.

    If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

    If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.

  16. Don't always use the same MAC address.

    The MAC address is associated with your network interface hardware (Ethernet or Wi-Fi chip). Generally it is visible only inside your LAN. But if you're on a public LAN (public Wi-Fi), you may want to change it.

    For Linux:

    It's FOSS's "How to Change MAC Address in Linux"
    Chris Hoffman's "How (and Why) to Change Your MAC Address on Windows, Linux, and Mac"
    sudo apt install macchanger
    # I see little harm in setting it to run automatically, each time a
    # network interface is taken down or up.  But it might be confusing
    # to have random devices appear and disappear on your LAN.
    # So maybe set it to manual mode, then change only the 2nd half of the address.
    sudo macchanger -e enp19s0	# keep 1st half (vendor) real, 2nd half new
    sudo macchanger -p enp19s0	# change back to original/real address
    sudo macchanger -e wlp18s0
    # address will revert to original/real address next time you reboot

    Also for Wi-Fi only maybe could edit /etc/NetworkManager/NetworkManager.conf to add:
    Thomas Haller's "MAC Address Spoofing in NetworkManager 1.4.0"

  17. Stay logged out of Google and Facebook et al as much as possible, as you browse other sites.

    Or use some kind of "container" feature in your browser to isolate one tab from another:

    I use Firefox, with the Facebook Container extension, Google Container extension, Firefox Multi-Account Containers extension, and Temporary Containers extension. and enable the "Container Tabs" option in Preferences / General / Tabs. People have created specific Container extensions for other sites such as reddit, Amazon.

    The Help for FMAC says if you use both FMAC and Facebook Containers, don't use FMAC to manage any Facebook-owned sites. I assume that is true for the other site-specific container extensions too.

    Some people point out: Container settings don't sync across multiple devices, and add-ons such as uMatrix know nothing about containers.

    Seems to be no way to save/export/import settings for Firefox Multi-Account Containers extension. Old instructions no longer work because of recent storage changes in FF.

    In Firefox about:config, set privacy.firstparty.isolate and privacy.firstparty.isolate.restrict_opener_access to false. Otherwise Yahoo Mail login doesn't work.

    Have to whitelist the FMAC extension in uMatrix.

    Containers sometimes screw up the browser history. You're in a uncontained page, you follow a link to a contained page, then the Back button has lost your history (no way to go Back to uncontained page).

    I suspect that making a separate container for PayPal or credit card, or enabling the "open external link in a new container" features of Temporary Containers, will interfere with paying for things online. If you're in an AirBNB container and on the AirBNB site and you want to pay with PayPal, you need the PayPal cookies accessible from the AirBNB container.

    I created a Containers import/export extension (Containers settings export import), but it's really limited, all it imports/exports is the container names and icons and colors. IMO the architecture of Containers is badly done. All of the working guts of each container, the mapping to a domain and such, is saved in the local storage of each separate extension such as Multi-Account Containers, Facebook Container, Google Container, etc. So my extension can't really get at those to import/export them.

    The Containerise extension is an alternative to the Firefox Multi-Account Containers extension; use one or the other but not both. I couldn't understand Containerise and get it to work for me. Also it has a far smaller user base. And 9/2019 the main dev is mulling a total rewrite of it.

    Test via / Social Media Login Detection.

    Or use separate browsers or separate instances for multiple sites.

    Whitson Gordon's "Watch Age Restricted YouTube Videos Without Signing In"

  18. Don't use everything from one company.

    If you use Google Apps, Google Docs, Google Sites, Chrome browser, GMail, Google search, Google Maps, and Google Drive, then of course Google is going to know a lot about you. Instead, compartmentalize it: ProtonMail, Facebook, some free web hosting service, Firefox browser, DuckDuckGo search, etc. Use Google only where you have to.

  19. You can delete your accounts on various services, although often they make it hard to find out how to do that.

    Some people say: instead of just deleting an account, first go in and delete as much of your data as you can, and change as much of the rest as you can to fake data (this is called "data poisoning"). Maybe let it sit in that state for a couple of weeks. Then delete your account.

    David Nield's "The Complete Guide to Dumping Google"
    tycrek / degoogle

  20. Some people say: Don't use anything from the biggest tech companies: Google, Apple, Microsoft, Facebook, Amazon, Cloudflare.

    I don't agree; I say be aware of the costs and benefits. Sure, maybe it's good to use alternatives when possible.

    But there seems to be no good alternative for Microsoft Office (apparently when you go to fancy features, or need exact compatibility with MS Office, LibreOffice doesn't quite cut it). There may be no good alternative for Facebook (80% of my friends and family are on there, and the Groups contain a wealth of knowledge and helpful people).

    For Android phone operating system, there are good alternatives (such as LineageOS), but installing them is not for the faint of heart. For e-readers, there are decent alternatives to the Amazon Kindle. For desktop/laptop OS, Linux is a viable alternative to Windows and Mac.

    Some people say: before deleting your social-media account (on Facebook, reddit, Google+, etc), "poison" it by adding false data, deleting or editing posts and comments, Liking lots of spurious stuff, etc. And let it sit that way for a couple of weeks before deleting the account. I don't agree. Editing your profile is fine. But deleting or editing existing posts and comments will damage the work of other people, those who responded to your post or had a conversation stimulated by your post. Doing lots of spurious posts or comments or Likes will flood your Friends with nonsense. Just edit your profile, let it sit, then delete your account.

    Kashmir Hill's "I Tried to Block Amazon From My Life. It Was Impossible."
    Kashmir Hill's "I Cut Facebook Out of My Life. Surprisingly, I Missed It"
    Kashmir Hill's "I Cut Google Out Of My Life. It Screwed Up Everything"
    Kashmir Hill's "I Cut Microsoft Out of My Life - or So I Thought"
    Kashmir Hill's "I Cut Apple Out of My Life. It Was Devastating"
    Kashmir Hill's "I Cut the 'Big Five' Tech Giants From My Life. It Was Hell"
    Daniel Oberhaus's "How I Quit Apple, Microsoft, Google, Facebook, and Amazon"
    Mike Felch's "How to Purge Google and Start Over - Part 2"
    tycrek / degoogle (ethical alternatives)

  21. Deleting browser history really does nothing for your privacy, unless someone steals your computer and looks at your history.


  22. Anything you store on a server may reduce your privacy.

    Your contact list in email, buddy list on instant messaging, Friends list on Facebook, etc. Any emails in your Inbox, or saved long-term in a "folder" within your email service. Okay, email or IM or Facebook won't function without those contact lists. But maybe you shouldn't use your email as a data store. And maybe you shouldn't keep anything except name and email/IM address or phone number in each Contact entry. Store postal addresses and anything else in some private contact manager.

  23. Cloud services for backup or storage.

    For any service, read the TOS and check the account settings.

    Note that a "sync" feature is not a backup. If something is deleted or corrupted on one end of it, that thing will be deleted or corrupted on the other end too. Similar if you're directly using a cloud drive: if you delete a file from it, that file is gone, probably you can't recover it, you don't have a separate copy on your hard disk.

  24. Using someone else's device.

    You have few rights to anything you store on or do with your employer's or school's computers or phones or networks. And you don't know how many administrators have access to the data, what cloud place the data may be copied to, desor what other companies the data may be shared with. Don't use them for private things.

    You don't know what software or viruses may be installed on a computer you use at a library, in an internet cafe, at work, at school, or at a friend's house. There may be a keylogger, a clipboard-scraper, some browser plug-in that harvests data from webmail, something that logs all your internet traffic, something that copies any USB drive you plug in, ransomware, viruses, etc. Be very reluctant to use your password manager or email or other accounts on such a machine. Two-factor authentication on logins can reduce some of the threat.

    If you have to stick a USB drive into such a machine, for example to print a document on their printer, treat the drive as infected from then on. And have as few documents as possible on the drive to begin with; all of them may get infected, or encrypted by ransomware.

    Kashmir Hill's "How To Tell If Your Boss Is Spying On You"
    David Nield's "How to Find Spyware Your Employer Installed on Your Computer and What to Do About It"

  25. Letting someone else onto your network.

    Your friend comes over to your place, and asks for the Wi-Fi password to connect their phone to your LAN.

    You have no idea what malware is on their device, or who else they may give that password to, or what traffic they may do through your internet connection. Suppose malware on their device starts spamming people on the internet, and your ISP shuts down your service ? Suppose your internet has a monthly data-cap, and their device starts torrenting or something ?

    It would be best to have a "guest" network defined in your router, but I think few ISP-supplied routers support that.

  26. There are more-aggressive things you can do, but you may judge the cost/inconvenience to be too high for the benefit. (And some of them require your friends to use the same applications, or adapt to your behavior.)

    Peter Bright and Dan Goodin's "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?"
    "The Hostile Email Landscape" (maybe from Jody Ribton)
    The Tin Hat's "How Do I Start An Anonymous Blog?"
    awesome-selfhosted / awesome-selfhosted

    If you do any "run your own server" things, what happens to them when you die ? Who else and what else depends on those servers ? What is to be done with them ? See "Electronic Assets" section of my "Legal Stuff" page.

    When you get to some high level of OPSEC, your behavior is as important as the tools you use. And having the discipline to always follow your rules, never making a mistake, is very hard.
    Douglas Goddard's "Technical Anonymity Guide"
    The Grugq's "Hacker's Guide to Stay out of Jail"

  27. Your friends, relatives, coworkers are a threat to your privacy.

    They may post about you on social networks, put pictures of you online, mention you in emails. They may widely repost something that you posted to a small audience.

    Your family may submit their DNA (which is partly your DNA) to testing services. Their family medical history is your family medical history.

    Push back, calmly, if they post something you wish they wouldn't.

    Don't give them information that you don't want them to put in Contacts lists in email or phone.

  28. Know your legal rights.

    You can say "no" if police ask to enter your house or search your phone or computer or car. Don't give in to the temptation to be friendly or helpful; politely say "no".

  29. There is no such thing as total privacy, or perfect security.

    If the government or a spy agency or law enforcement really wants to get your data, they can get it. The software we use is extremely large and complex and has lots of bugs and vulnerabilities. If an agency seizes all your devices and really digs into them, they'll probably get your data. Do your best to protect yourself, but be realistic about the limits.

    If you see a claim that a tool or technique will give you "100% security" or "make you disappear online", or something is unhackable or "impossible to crack", assume that's false.

Be safe on the internet
Watch Your Hack
Paul Bischoff's "75+ free tools to protect your privacy online"
Fried's "The Ultimate Guide to Online Privacy"
Karegohan-And-Kamehameha's "privacyguide"
Noah Kelley's "A DIY Guide to Feminist Cybersecurity"
CISA's "Tips"
Sarah Jeong's "The Motherboard Guide to Avoiding State Surveillance"
"The Motherboard Guide to Not Getting Hacked"
For Linux, mainly: "The paranoid #! Security Guide"
Do Son's "Destroy-Windows-10-Spying: Destroy Windows Spying tool"
Do Son's "Hardentools: disables a number of risky Windows features"
xkcd's "Security"

My desktop computer configuration:

See "Security and Privacy" section of my "Smartphone" page


Facebook is a special case, because they know so much about you, and they have code on many other web sites, and they sell login services to many sites, and they buy data about you from other services.

Just for info: Facebook actually doesn't "sell your data". I think they provide two main targeting mechanisms to advertisers: Facebook takes that ad from the advertiser, figures out the right FB users to show it to, and shows it to them. Data about individual users is never shown to the advertiser.


Check what activity other sites have reported to Facebook: Facebook's "Off-Facebook Activity"

Vicki Boykis' "What should you think about when using Facebook?"
Paul Bischoff's "How to stop Facebook from tracking you on sites that aren't Facebook"
Emily Price's "See if You're Using These Popular Android Apps That Overshare Info to Facebook"

iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment

Minimizing knowledge and connections

Yegor S's "How to (actually) be anonymous online"

Reporting violations:

Suppose some software (app, browser add-on, application, web site) doesn't have a privacy policy, or has a policy that breaks the law, or has no way to request closing your account or deleting your data.

Some notes about my account configurations:

[I don't use SMS 2FA; often my phone doesn't have cell service, what if I lost my phone, and SMS is insecure anyway.]

A confession:

My wife still uses Windows 10, no password manager, with ad-blocker, no VPN.

The reason is that changing each of those imposes some cost, either in terms of requiring fiddling by the user, or in terms of things that may not work. Moving to Linux would make PDF files and MS Office files not quite work in some situations. The password manager I use, KeePassXC, uses a bunch of key-combinations you should memorize to use it quickly. Script-blockers and VPN sometimes make some sites fail.

So I feel unable to convert my wife's situation to have better security and privacy. She does have 2FA on a number of accounts.

Anticipate problems

Think ahead:

Maintain a secondary email account, on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary. [Same for other things in your life: second bank account with ATM card, second credit card, etc.]

What happens if your laptop display suddenly fails, and you need to send it out for repair ? Is any important info on disk encrypted ? Or can you remove the disk entirely before sending the laptop to the shop ? Also, for repairs, make it clear to the repair shop whether wiping all the data is okay. Smartphones often are "repaired" by completely replacing the entire guts of the device, so you lose all data.

What happens if your phone suddenly fails or is stolen ? How would people contact you ? Would any accounts with two-factor authentication be disabled ?

If your laptop or phone is absolutely critical to you, can't be without it for more than a few hours, maybe you should have a synced-up hot spare waiting, ready to use. Same for your internet router and modem on your LAN.

What happens if your wallet or purse is stolen ? Do you have the info needed to notify your credit-card company, your bank, etc ? Do you have any papers in there with login details or PINs written down ? If your housekeys are lost/stolen, do they have your house address written on them ? It's safest to put your email address on physical things (keys, outside of phone and laptop, wallet, etc) so police or finder could contact you to return them. Put your email address on the lock screen of your phone, for same reason.

What happens if the police come and confiscate ALL your devices to investigate something ?
Christian Haschek's "That (not so) awesome time the police raided my home"

Is there any one thing you have where you can say "geez, if I ever lost that I'd be TOTALLY screwed" ? Then figure out a way to back up that thing, or reduce your reliance on that thing.

Account-recovery info:

Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email from laptop or internet cafe (seems not to happen when accessed from phone), you get "hey, we see a login attempt from a new country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.

Similar can happen if someone tries to brute-force their way into your cloud or email account. The provider won't let them log in, but may turn off account access for everyone (including you) until you provide extra verification. Better hope you have that info.

Similar can happen if someone wants to disable your email account to hide a scam. Suppose they get your Amazon credentials somehow, order something, then do a bunch of bad login attempts to your email account, to get your email account locked, so you can't see the Amazon order confirmation message.

Have backups, don't just keep your data online:

From DrStephenPoop on reddit:


And not just what's on your hard drive.

Do not trust the cloud!

Google recently ended my account for an unidentified TOS violation. I am not sure what I did. I just logged into gmail one day and instead of an inbox I saw a message saying my account had been disabled. I lost:

8 years of email contacts

6 years of favorited YouTube videos

About a dozen videos I made with my brother that were uploaded to YouTube.

All my Drive/Doc files including original writing.

My passwords to several sites, including banking and insurance sites.

Three albums I had purchased from Google Play.

Here's the kicker: I was a google believer. I am one of the 5 or so non-developers who actually owns a first generation Chromebook. I believed in the cloud!

Use and enjoy Google's services, but do NOT rely on them. Even though you buy their computers and purchase music from them, you are STILL not the consumer with google. You are the product (sold to advertisers). So when you are shut out from their garden, you have no customer service to appeal to, or to even find out why you got tossed. You might as well be staring at an angel with a flaming sword, wondering where your pants are.

> Didn't you contact Support ?

When you get the "your account has been disabled" screen, they give you a link to voice your grievance. After submitting, you get a message that says something to the effect of: "If we find we have reason to contact you, we will contact you."

You can also go the community forums and plead for help. Sometimes someone associated with google will actually say: "I'll have people take a look at this." In all my pleas, I never got a response. That is as far as support goes. You are not a customer. You are the product, and you are merely a commodity. Have you ever heard of "commodity support"?
Tienlon Ho's "Can You Live Without Google?"

From someone on reddit:

A few days ago my Facebook account was disabled suddenly and without warning. I've gone through what I thought was a fairly routine appeals process - filled in the form they link you to when you try to log in and included a scan of my photo ID as they requested to prove I'm a real person etc. However, I just received an email from Facebook saying the following:

> ... Upon investigation, we have determined that you
> are ineligible to use Facebook. ... Unfortunately, for
> safety and security reasons, we cannot provide
> additional information as to why your account
> was disabled. This decision is final. ...

This is really bizarre and quite upsetting - it's easy to forget just how much we rely on this service. If I can't get my account reactivated, that's six years of content (and memories) lost, and a huge blow to my ability to keep in contact with some friends and family.

The only possible reason I can think of for my account being disabled is what I was doing at the time - sending some photos to someone through the private messaging system. Some of the photos were (mildly) adult in nature (at her request!) which could be deemed a breach of the Community Standards if you look at it in strict black and white terms ("Facebook has a strict policy against the sharing of pornographic content"). However I can't bring myself to believe that there is someone monitoring private message attachments and instantly banning people if they see boobs. Beyond that, I genuinely can't conceive of a reason as to why my account was singled out for anything.

Any advice would be appreciated as to what I should do next - I am not yet willing to just give up and lose all of that content. I have replied to the email, though I doubt anyone will read it, but beyond that there's really no other contact options I can see, and Googling this problem does not produce much beyond more horror stories like this.

From /u/sugarbreach on reddit:

I am writing this to warn Google users to back up their data, and to realize that everything you take for granted can be taken away in an instant.

About a week ago I attempted to log into my Gmail account and was greeted with a page saying my account was disabled. It says that it was disabled due to a perceived violation of the terms of service and product specific polices. I have read and reread the google terms of service, and I know I haven't done anything to violate them. The only possibility I can think of is that someone may have hacked into my account. I have been an enthusiastic gmail user since it first came out in beta, and you had to be invited to get an account. I have relied on google apps to make my life easier. I have filled in their account recovery form, and even tried calling members of the Gmail team, but have had no luck. I also have posted on the gmail help forum, but an expert there said he contacted google and there was nothing he could do and google wouldn't tell him anything "for privacy reasons".

This has created the ultimate real-life nightmare, and has turned my life upside down, a few examples of which are listed below.

All of my contacts were linked to this account. I now do not have access to emails, phone numbers, addresses, etc.

My google voice telephone number is no longer working. I had this phone number on my business cards and email signature, and now when someone dials the number, they are given an error recording. "We could not complete your call, please try again".

My youtube account with many videos I cherished of my children are now gone.

I have all of my photos backed up to the account for nearly my entire life, as I thought this was the safest place to keep them (the cloud!) I have photos of my beloved grandparents who have since passed away, and the thought that I can no longer access these photos makes me sick. I also have thousands of pictures from vacations and of my children that I fear are gone forever.

A nice chromebook that I purchased to access all of the google apps is now almost useless since my account has been disabled.

I have multiple documents in my google drive that I have spent hours of work on, and can no longer access them.

I placed an enormous amount of faith and trust into google's products and services, as millions of people have worldwide. It is a shame that something this important in someone's life cannot even warrant a response from a live person at Google.

I have been very depressed because my entire life was encased in google's products, and now everything is gone.

Again, I am writing this to warn others that this can happen to anyone at any time, so it would be wise to back up treasured items in your google account. Ironically, google provides the means to do this through their "takeout" app, which I did not learn about until after my account was disabled. If there is anyone out there reading this that can offer any guidance for getting my account reinstated, I would sure appreciate it!

Jon Christian's "Deleting the Family Tree"
DanDeals' "PSA: Don't Mess With The Google!"
Alex Hern's "Pixel phone resellers banned from using Google accounts"
"A few reasons not to organise on Facebook"

Matthew Miller's "SIM swap horror story: I've lost decades of data and Google won't lift a finger"
David Murphy's "I Lost Nine Years of Photos by Locking Myself Out of My Google Account"
Leo Notenboom's "A One-step Way to Lose Your Account ... Forever"

Paraphrased from someone on reddit 11/2019:
"As a prank, a friend changed the name of our WhatsApp group to something obscene. WhatsApp then banned the group and the accounts of everyone in the group ! My account has been banned !"
[Related: don't let unknown people add you to groups; you could get suspended or banned for being added to a malicous group. In Android app, relevant setting is Settings / Account / Privacy / Groups.]

Paraphrased from someone on reddit 12/2019:
"My Facebook account got banned (maybe for creating two accounts ?), and then a week later my WhatsApp account got banned too, I assume because my Facebook account got banned."

If you lose a cloud account, you can lose stored data, your calendar, remaining time on a subscription, any accumulated credit or gift cards, network link that makes some device (such as Amazon Echo, Google Home, etc) work, playlists, contact list, media you had bought or stored there, etc.

Do NOT use Facebook or Google or Apple or Microsoft as your login to lots of other web sites. Not only does it let your activity get shared to Facebook or etc, but if Facebook or etc ever deactivates your account for some reason, you've lost access to those other sites too.

Do NOT use Google's online password manager (holding passwords you've saved in Chrome or Android). If Google ever deactivates your account for some reason, maybe you've lost access to those other sites too, I'm not sure.

Do NOT use Facebook or Google or Pinterest or Amazon or etc as the sole, critical host of your business, if you can avoid it. They give the "appearance of ownership", but in fact you do not own the platform, you have "digital tenancy". If the service ever deactivates your account for some reason, your business is dead. And content you write on them (in FB Pages, Amazon items for sale, etc) probably is in a non-standard format and hard to move to elsewhere. If you absolutely must use such a service as your critical host, plan for the possibility that they may drop you. Keep backups, have a separate web site and email, have pages on other services, etc.

Do NOT rely on a high page-rank in Facebook or Google, or a high reputation rating in Amazon or iTunes or YouTube or AirBNB or Yelp or something, as the critical asset of your business, if you can avoid it. The algorithms behind those can change at any time. A couple of bad reviews from users can harm you greatly.

Do NOT use a free email account supplied by your ISP or cell-phone service provider. If you ever change service provider for some reason, you may lose that email account.

Maybe some people don't consider their email/messenger to be "cloud data", but it is. If you're saving 10 years of past messages in GMail or WhatsApp or something, it may be valuable to you, and it may be used or deleted by a hacker if your account gets hacked. It also may be hard to back up, and may be hard to move to elsewhere. I'm a big believer in keeping your email account as close to empty as feasible. Clean it out !

If you're running a business on a cloud service (Facebook, eBay, Shopify, Etsy, GMail, Amazon, AirBNB, etc), back up your data. The service may or may not be backing it up for you. Even if they are backing it up, getting it restored may take a while. And if they turn off your account for some reason, you need that data so you can move to another platform and continue to serve your customers. These services give the "appearance of ownership", but in fact you do not own the platform, you have "digital tenancy". If there's a way to use a custom domain name that you own, that's safer than using one provided by the service: if the service fails then you can make the domain name point to some new server. Same is true of a phone number, especially a VOIP number: you don't really own it, the provider owns it, and you can lose the number through disuse or failure to pay or some other mishap.

Do you actually "own" the things you think you own ? If a friend set up your domain registration or email account for you, is it in their name or yours ? If an employee administers the company email accounts on GMail, is the employee's personal account the only administrator for the whole company ? If someone gave you a used computer or phone or something, whose name is on any accounts or subscriptions associated with it ? If your relationship with your spouse or partner is failing, whose name is registered as the owner of various accounts ?

If you do lose access to something important, be wary of threats in search results. Lots of sites have been set up to provide "Facebook Support phone number" or "Unlock your banned WhatsApp account" or similar in search-engine results. But these big vendors with free services (Google, Facebook, WhatsApp, etc) deliberately do not HAVE a phone support number you can call. They have hundreds of millions or billions of free users; the LAST thing they want is for users to be able to call a human at their company. Any search result that gives you such a phone number is trying to connect you to a scammer. At best, they'll try to sell you something. At worst, they'll install ransomware, steal your money, and sell your information.

Backups to the cloud:

If you do backups to the cloud, don't leave those backups accessible from your machine via a "cloud drive" that is always mounted (shows up as drive H: or something). If you get hit by malware, it may affect files on all accessible drives, including your backups in the cloud.

Apparently, automatic cloud backups of your phone data can expire and be deleted if you don't use your phone for many months. Android backups in Google Drive Backup are deleted if you don't use the phone for 2 months ? iPhone backups in iCloud are deleted if the iCloud account is not used for 6 months ?

A factor to consider: today's cloud backup may be encrypted so well that no one can crack it. But that encrypted data may still be available somewhere in the cloud 20 years from now, and maybe 20-years-future technology WILL be able to crack today's encryption.

Eric Griffith's "Back Up Your Cloud: How to Download All Your Data"
Adam Dachis's "How to Protect Your Data in the Event of a Webapp Shutdown"

Other things to back up:

Do "backups" of old non-electronic data, such as family photos and diplomas and such. Scan them and back up the images.

From Justin Carroll on an ITRH podcast:
Kinds of information (for you and everyone in family, and pets) you should have backed up and available (carry with you) in event of a disaster:
Lisa Rowan's "Keep These Financial Records in Your 'Go Bag'"

Do a "backup" of your own memory: in a simple text file, write a summary autobiography. Dates and places you lived, went to school, worked, traveled, etc. Names of friends, roommates, coworkers, etc. Memory fades over time.

And of course back up your local data, not just your cloud data.
"Backups" section of my "Computer Theft Recovery" page

Rick Rouse's "Why you need a battery backup device for your computer"

Make rescue disks or recovery disks/drives for your machines / OSs:

The time to do this is while everything still is working, before you have a problem. Make a USB stick or something, test it briefly, then label it and put it in a drawer.

For Linux, see Rescue Disk section of my Using Linux page.

For Windows:

Josh Norem's "How to create a Windows 10 recovery USB drive"
Katie Rapid's "How to Use and Create Windows 10 Recovery USB Disk"
Rick Rouse's "How to create a System Repair Disc and System Image Backup in Windows 10"
Need 16 GB flash stick. One large partition, NTFS, or unformatted. Don't insert stick yet. Go to Control Panel / Security / Create Recovery Disk and follow directions. Takes several hours to write to the flash stick.
Gecko & Fly's "5 Bootable Windows PE ISO To Boot, Recover And Repair Windows"
MajorGeeks' "F-Secure Rescue CD"

Lawrence Abrams' "Microsoft quietly created a Windows 10 File Recovery tool, how to use"

windows apple

See My "Computer Theft Recovery" page


From someone on reddit:

The basic methods of "hacking" accounts are:


[Generally from most likely to least likely:]
  1. Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.)

  2. Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their phone or email Contacts list, which contains your name and email and address and phone number and birthday. They put your info into Amazon or eBay when buying a gift for you. They tag you in Facebook photographs, or mention that you were with them at some wild party.)
    Your browser history

    accidental photo

  3. Your ex-spouse, former friends who now are enemies, former coworkers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
    Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide")

  4. Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.

  5. Corporations selling your meta-data or data to advertisers.

  6. Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.

  7. Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.

  8. Data criminals and hackers. (Identity thieves, spammers, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or crypto-coin-mining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer:)
    Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
    Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000"

  9. Casual snoops or thieves.
    (Although with snooping software, "casual" capabilities are increasing.)

  10. Companies (recording everyone's activity, such as cell-phone locations and car license plates, and then selling it to police and repo men and bounty-hunters).

  11. Random mass attacks looking for any weak passwords, unpatched systems, etc.

  12. Local law enforcement (recording everyone's activity, such as cell-phone locations and car license plates).

  13. Internet vigilantes or lynch mobs or public shaming.
    (E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)
    Kashmir Hill's "When a Stranger Decides to Destroy Your Life"

  14. Reporters.

  15. Private investigators and lawyers. (They have some access to government databases and powers.)

  16. Law enforcement (specifically targeting you; and local police may pass data or devices up to FBI for analysis).
    Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
    Andy Greenber's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
    EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud" ANSSI's "Best Practices For Business Travellers"

  17. Foreign government intelligence agency. (Highest technical ability, but no legal authority.)

  18. Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority.)

Sean Gallagher's "How I learned to stop worrying (mostly) and love my threat model"
Wired's "Guide to Digital Security - Choose Your Security Profile"
EFF's "Your Security Plan"

No matter what protection you propose, some people will say "oh, the NSA has cracked that !". First, how do they know ? Second, a counter-measure still may be worth using even if the NSA could crack it; NSA is not the only threat or main threat. Third, just because NSA could crack something, doesn't mean they would spend the resources to crack your messages.

And some people say "trust no one !". Well, I think it is reasonable to trust the CPU chip vendors, and the compiler-writers. I don't see how useful "backdoors" could be built into those things (and I have BS and MS degrees in Computer Science). Trusting the OS vendors is a little more dubious; I guess I trust the basic OS, but maybe not all of the standard apps and services supplied with them. Same for trusting browser vendors.

Of course, if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.

Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems ("6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.

A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
John Shiffman and Kristina Cooke's "U.S. directs agents to cover up program used to investigate Americans"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"

Types of cyber-crime:

Costs of counter-measures:

Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"

Your home:

Jack Morse's "How to blur your house on Google Street View"

If your house has ever been listed on a real-estate site, they may still display the exterior and interior pictures of your house from that time. Companies to check include Redfin,, Zillow, Trulia. Check their sites, and if they have info about your house, send them a request to delete it.
Ilyce Glink and Samuel J. Tamkin's "Do you have the right to have photos of your home removed from realty sites after the sale?"

When living away from home:

If you're staying in a hotel room, AirBNB, or friend's house, and connecting to their network:

General counter-measures:

How to attack cryptography:

[From hardest to easiest:]
  1. Find a flaw in the mathematics (extremely unlikely).

  2. Find a flaw in the algorithm.

  3. Find a flaw in the crypto software.

  4. Find a flaw in the key-generation.

  5. Brute-force password-guessing.

  6. Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).

  7. Intercept the keys somehow.

  8. Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).

  9. Human problems (password exposed or easily guessed, social engineering, etc).

  10. Legal tools (warrant or subpoena to get encryption keys or tap traffic).

Low-tech solutions:

Things that may not increase security and privacy:

Operating systems and environments:

Buying or setting up a brand-new device:

For all devices in general:
  1. Change or set password.

  2. Turn off features you don't want.

  3. Connect to internet.

  4. Update OS, and set it to auto-update.

  5. Update apps, and set them to auto-update.

For computers, and maybe other devices:

Buying or setting up a used device:

Be VERY careful if you've bought a device through eBay or Craigslist or similar, especially if the device has anything to do with financial, crypto-currency, security, or encryption stuff.

Maybe start with a factory reset. Maybe format the disk. Definitely install new firmware and operating system.

Kai Sedgwick's "Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller"
Trail of Bits' "From The Depths Of Counterfeit Smartphones"

Getting rid of a device:

Get new device working, especially with any accounts that have 2FA enabled, before getting rid of old device. Go into cloud accounts and remove any trust of old device. Factory-reset the old device, then boot it and try to connect to accounts. Then factory-reset again.

Lexy Savvides' "How to wipe your phone or tablet before you sell it"
Patrick Lucas Austin's "Disable iCloud Before You Get Rid of Your Mac"
David Murphy's "How to Get Your MacBook Ready to Sell"
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"

Many disk-erase utilities will not erase certain parts of a disk: HPA, DCO, bad sectors that have been re-mapped.

Some disk-erase utilities are not appropriate for erasing an SSD or flash drive. Either use a utility provided by the manufacturer of the drive, or completely fill the device with random nonsense data.

Living dangerously:

If you really, really want to download and run something that could be dangerous: If you have to attach your USB drive to a public computer (such as at a print shop or internet cafe, to print documents):

Testing your privacy and security:

Linux Security's "Security Tools"

New things we need to increase our privacy or security:

"Privacy" from incoming abuse:

If people are saying nasty things to and about you online: Rebecca Fishbein's "What to Do If You're a Victim of Revenge Porn"

Physical security and privacy:

Family issues:

ProtonMail's "How to protect your children's privacy online"
Michelle Woo's "Teach Your Kid About Digital Safety With the 'Be Internet Awesome' Program"
Troy Hunt's "Sharenting, BYOD and Kids Online: 10 Digital Tips for Modern Day Parents"
Amer Owaida's "3 things to discuss with your kids before they join social media"

Do a periodic check and cleanup:

Idea: scanner app:
It would be nice to have an app that did a very quick scan of your system, reported any sensitive apps or conditions, and suggested that you check their settings to make sure they're secure and updated. Maybe report: You might even find things you forgot were installed, or you never knew were installed or active.

In *buntu:
apt list | grep -e vnc -e x2go -e remmina -e rclone -e rsync -e dropbox -e megasync -e xrdp/ -e nextcloud -e xpra | grep installed
snap list | grep -e vnc -e remmina -e rclone -e rsync -e dropbox -e odrive -e nextcloud

If you own/run a web site, see my "Your Personal Web Site" page.

Port scanning or router testing:

Web sites (testing from WAN side) (turn off your VPN to use these):

Testing router from inside (LAN side):
Assuming router's LAN IP address is

These should give 404 or nothing: cgi_status.js BRS_netgear_success.html /cgi-bin/;echo$IFS'Vulnerable' (backdoor on some routers) (TR-069 or CPE WAN Management Protocol (CWMP)) (Telnet) (Telnet)
This probably should give a login page: (HTTP)
This probably will give 404 or nothing: (HTTPS)

If you have nmap:
nmap -F

# increase verbosity level, aggressive scan, no ping / skip discovery,
# open ports, show reason it's open, probe for service version info,
# use default script, do all ports, address
nmap -v -A -Pn --open --reason -sV -sC -p 1-65535

# increase verbosity level, no ping / skip discovery,
# open ports, UDP scan, max delay 50ms between probes,
# no retries, do all ports, address
sudo nmap -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -p 1-65535
Port 1900 is PnP; that should not be open.
Android app: "UPnP Tool" by TJ App.

Depending on open ports, you could try:
ftp -v
ssh -v admin@
ssh -v root@
ssh -v Root@
If test from LAN side gives suspicious results, go to previous section and investigate from WAN side.

Testing IPv6:
Your PC's IPv6 localhost address: [::1]
Same address written fully: [0000:0000:0000:0000:0000:0000:0000:0001]
Real IPv6 address on public internet: [2600::] (Sprint)

There is no standard IPv6 LAN address for the router, equivalent to in IPv4. IPv6 addresses on your LAN are used on the WAN too, so your router's IPv6 address has to be assigned by your ISP.

IPv6 addresses starting with FC00 or FD00 are LAN-only.

Depending on your /etc/hosts file, IPv6 names may include: ip6-localhost, ip6-loopback, ip6-allnodes, ip6-allrouters, or similar starting with "ipv6-" instead of "ip6-". Try "ping6" to them.

If you have nmap:
# not sure these are right, I have IPv6 disabled so I can't test them !

# IPv6, increase verbosity level, aggressive scan, no ping / skip discovery,
# open ports, show reason it's open, no DNS resolution, probe for service version info,
# use default script, do all ports, address ::1
nmap -6 -v -A -Pn --open --reason -n -sV -sC -p 1-65535 ::1

# IPv6, increase verbosity level, no ping / skip discovery,
# open ports, UDP scan, max delay 50ms between probes,
# no retries, no DNS resolution, do all ports, address ::1
sudo nmap -6 -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -n -p 1-65535 ::1

Free Android apps:

PC applications:

Lee Munson's "Penetration testing for the home computer user"
TechIncidents' "Penetration Testing Checklist with Android, windows, Apple & Blackberry Phones"
Online Tech Tips' "How to Scan Your Network for Devices and Open Ports"
SpiceWork's thread "How can I pen test my own network?" (more about business networks)
Paul Wagenseil's "Your Router's Security Stinks: Here's How to Fix It"

From StackExchange's "Best way to test my home network from the outside":
If you decide to perform a scan from the Internet you may want to give your ISP a heads-up to avoid any trouble.

I run scans on my home IP from a Linode account [virtual Linux box on a cloud service]. Any VPS that doesn't filter your outbound traffic should work (just make sure it doesn't violate your TOS).

First run a full scan against your home IP address. Expect to find only the ports you know you have explicitly opened open. Expect everything else to be "filtered".

Then verify that it is your home router that is performing the filtering and not your ISP. To do this, open a port on your router and rerun the scan. Expect that the port you have opened is detected as open by your scanner. If you find that you still see this port as filtered, then your ISP may be blocking that port. If so, this isn't necessarily a problem, but it means that the previous test didn't test your router, it tested the network connection to your router. Don't forget to disable the port when you're done.

If you want to test your router in isolation, and your router isn't built in to the modem, then you can test it as follows:
  1. Disconnect the router from your modem. (Where "modem" is whatever device connects from your LAN to your ISP's network.)

  2. Connect a second computer to the WAN port on the router. Configure this computer with a static IP address that is independent of the LAN addresses used by your router.

  3. You may need to turn on a DHCP server on the second computer so that the router's WAN interface gets an IP address as usual.

  4. Perform the scans described above from the second computer.

To deliberately create an open port on your computer (to see if your testing catches it), on Linux run "netcat -4 -k -l -v PORTNUM" (IPv4 TCP) or "netcat -6 -k -l -u -v PORTNUM" (IPv6 UDP) or similar. Use port number 22 (SSH) or 80 (HTTP) if it should be closed in your system; that open port should be caught by any tester.

Good audio podcasts:
The Complete Privacy & Security Podcast
Security In Five Podcast

Justin Carroll's ""

cryptoseb / CryptoPaper

Brendan Hesse's "How to Submit a Bug Report to Apple, Google, Facebook, Twitter, Microsoft, and More"

"OPSEC - The Most Secure Man in the World" (video)

This page updated: September 2020

Search my site