TL;DR about computer safety, security and privacy:

+/-
  • Don't put really private stuff on electronic devices or on the internet. Or keep it on an external hard drive that usually is disconnected, or in an encrypted container that usually is unmounted.

  • Set passwords on your devices. Even the same 4-digit PIN on all of your devices; some password is better than no password.

  • Write email address on outsides of your devices and on lock screens, so if they're lost, someone can return them to you.

  • Make backups of your important data. Using both an external disk drive and a cloud service.

  • Keep your important software updated. Turn on auto-update where possible.

  • Install an anti-virus program.

  • Use a password manager (such as KeePassXC) so you can use strong passwords without having to memorize all of them. Use two-factor authentication on important accounts (email, financial).

  • Use the privacy controls in the ISP and social networks and sites you use. Important: Log on to the web site for your ISP and find any privacy settings they have for your account.

  • Password-protect your phone account.

  • Don't carry a paper "agenda" book full of your appointments, contacts, notes, and username/password information. Guaranteed you will lose it someday, and there is no password protection on it. Same thing with Post-It notes in your wallet or purse, giving login details or PINs. Don't do it.

         



Levels of safety, security and privacy (my opinion):

+/-
  1. No backups, no passwords on devices, same password on many online accounts.

    A disaster waiting to happen. Accidentally delete many files, hard disk crashes, or someone steals your phone, and you're in a world of pain.

  2. Backups (multiple, at least one off-site, and you've tested restoring from them) link, passwords on devices link, important software auto-updating link, anti-virus link.

  3. Password manager link to handle online accounts, ad-blockers and script-blockers link in browsers, credit-report freezes link, use HTTPS web sites link, set privacy settings on accounts link, password-protect your phone company account link, be careful with your smartphone link, pay cash for as many things as possible.

  4. Full encryption on devices link, two-factor authentication link on important online accounts, reduce browser fingerprint link, VPN link, opt out of data-broker tracking link.

  5. Change to Linux link, use secure email and messaging link, special firewall/router, redirected email and phone numbers and credit cards link, postal-mail forwarding service.

  6. Tor browser link, two computers (one secure and non-networked, other for routine use and network access), gift-cards.

  7. Burner phones, clean OS every time (e.g. Tails), security-centric OS (e.g. Qubes), run your own mail server and VPN, crypto-currency, fake personas link and fake ID.

         



Terms:

  • Safety: make mistakes less likely.
  • Preservation: prevent loss of your data.
  • Security: mechanisms to control reading and modifying your data.
  • Privacy: prevent unauthorized use of your data.
  • Anonymity / Deniability: prevent connecting your activities/data to your identity.



Some Key Principles to Follow:

  • Analyze: know what assets you have and why.
  • Minimize Attack Surface: turn off things you don't need.
  • Compartmentalize: have barriers and isolation where possible.
  • Defense in Depth: have layers of protection, no single point of failure.
  • Redundancy: have alternatives and spares.
  • Best Tools and Practices: know what is recommended, and do it.
  • Test: don't assume something is working, test it.
  • Be Dynamic, not Static: keep learning, keep improving.





Safety



These are good practices to reduce the chance of mistakes or accidents. More info in the Physical security and preparation section.





Data Preservation







Online Security



[If you're planning to make big changes to your situation, do the big changes first. Such as: changing to Linux, changing to Firefox, starting to use a password manager, changing email provider. Then do the smaller tweaks and additions.]

See my "Computer Security" page

There's some overlap between the Security page and (see next section) the Privacy page, so you might want to check both.





Online Privacy



See my "Computer Privacy" page

There's some overlap between the Security page (see previous section) and the Privacy page, so you might want to check both.





Anticipate problems



Think ahead

+/-
Maintain a secondary email account, on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary. [Same for other things in your life: second bank account with ATM card, second credit card, alternative to PayPal, etc.]

Repairs:
What happens if your laptop display suddenly fails, and you need to send it out for repair ?

Is any important info on disk encrypted ? Or can you remove the disk entirely before sending the laptop to the shop ?

Dan Goodin article

If the shop says they need passwords, give them the BIOS password and a bootable USB stick, no need to give access to main disk. If they insist, give them a fake login password.

Same for hardware repair to a phone, if they insist, give a fake PIN/password.

Also, make it clear to the repair shop whether wiping all the data is okay. Smartphones often are "repaired" by completely replacing the entire guts of the device, so you lose all data. Make sure you have good backups; assume the shop WILL wipe your storage despite you telling them not to.

What happens if your phone suddenly fails or is stolen ? How would people contact you ? Would any accounts with two-factor authentication be disabled ?

If your laptop or phone is absolutely critical to you, can't be without it for more than a few hours, maybe you should have a synced-up hot spare waiting, ready to use. Same for your internet router and modem on your LAN.

What happens if your wallet or purse is stolen ? Do you have the info needed to notify your credit-card company, your bank, etc ? Do you have any papers in there with login details or PINs written down ? If your housekeys are lost/stolen, do they have your house address written on them ? It's safest to put your email address on physical things (keys, outside of phone and laptop, wallet, etc) so police or finder could contact you to return them. Put your email address on the lock screen of your phone, for same reason.

What happens if the police come and confiscate ALL your devices to investigate something ?
Christian Haschek's "That (not so) awesome time the police raided my home"

Is there any one thing you have where you can say "geez, if I ever lost that I'd be TOTALLY screwed" ? Then figure out a way to back up that thing, or reduce your reliance on that thing.



Account-recovery info

+/-
Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email from laptop or internet cafe (seems not to happen when accessed from phone), you get "hey, we see a login attempt from a new country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.

Similar can happen if someone tries to brute-force their way into your cloud or email account. The provider won't let them log in, but may turn off account access for everyone (including you) until you provide extra verification. Better hope you have that info.

Similar can happen if someone wants to disable your email account to hide a scam. Suppose they get your Amazon credentials somehow, order something, then do a bunch of bad login attempts to your email account, to get your email account locked, so you can't see the Amazon order confirmation message.



See "Don't just keep your data online" section of my "Backups" page.



See "Backups to the cloud" section of my "Backups" page.



And of course back up your local data, and non-digital data, not just your cloud data.
My "Backups" page

Rick Rouse's "Why you need a battery backup device for your computer"

Make rescue disks or recovery disks/drives for your machines / OSs

+/-
The time to do this is while everything still is working, before you have a problem. Make a USB stick or something, test it briefly, then label it and put it in a drawer.

For Linux, see Rescue Disk section of my Using Linux page.

For Windows:

Josh Norem's "How to create a Windows 10 recovery USB drive"
Katie Rapid's "How to Use and Create Windows 10 Recovery USB Disk"
Rick Rouse's "How to create a System Repair Disc and System Image Backup in Windows 10"
Need 16 GB flash stick. One large partition, NTFS, or unformatted. Don't insert stick yet. Go to Control Panel / Security / Create Recovery Disk and follow directions. Takes several hours to write to the flash stick.
Gecko & Fly's "5 Bootable Windows PE ISO To Boot, Recover And Repair Windows"
MajorGeeks' "F-Secure Rescue CD"

Lawrence Abrams' "Microsoft quietly created a Windows 10 File Recovery tool, how to use"


windows apple

See My "Computer Theft Recovery" page





Miscellaneous



How accounts are hacked

+/-
[From someone on reddit:]
The basic methods of "hacking" accounts are:
  • You forgot to log out.

  • Guess the password. Many people have incredibly simple passwords and guessing can work. Many web sites have some kind of measure against repeated guessing (e.g. captchas). I think Facebook's countermeasures are good enough that pure guessing can rarely work on that specific site.

  • Find your password in a list of leaked username and passwords. Often when there is a breach of a huge database the list ends up on the Internet and people who want to hack you can search for your name, e-mail and common usernames to see if your password has ever been leaked. If it has they can try that password and it will often work, or sometimes a simple change to your password will work.

  • Guessing your secret questions. Often the answers can be learned from just searching your Facebook or other social media accounts, or at least it can be narrowed down to a small list.

  • Tricking you into entering your username and Facebook on their web site. Maybe they send you an e-mail that claims to be from Facebook and gives you a link that looks to be from facebook where they want you to log in. For example they may say that your account was compromised and that they need you to log in to verify your details. Another common one is that they claim that you've won something, but you just need to log in with your facebook credentials to verify it.

  • Calling customer support claiming to be you and asking for a password reset saying that you have lost access to your account and e-mail. This is especially useful if they can find a lot of information about you online so it seems like they're really you. Often a lot of what they ask about has already been leaked in another breach. This can sometimes even get around two-factor authorization.




Threats

+/-
[Generally from most likely to least likely:]
  1. Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.)

  2. Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their phone or email Contacts list, which contains your name and email and address and phone number and birthday. They put your info into Amazon or eBay when buying a gift for you. They tag you in Facebook photographs, or mention that you were with them at some wild party.)
    Your browser history

    accidental photo

  3. Your ex-spouse, former friends who now are enemies, former co-workers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
    Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide")

  4. Some random guy on the internet who gets mad at you. They could cause a fair amount of annoyance to you if they got your email address or phone number.

  5. Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.

  6. Companies recording everyone's activity, such as cell-phone locations and car license plates, and then selling it to police and repo men and bounty-hunters and advertisers. No accountability, no warrants.

  7. Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.

  8. Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.

  9. Random mass attacks looking for any weak passwords, unpatched systems, etc.

  10. Data criminals and hackers. (Identity thieves, spammers, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or crypto-coin-mining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer:)
    Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
    Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000"

  11. Casual snoops or thieves.
    (Although with snooping software, "casual" capabilities are increasing.)

  12. Local law enforcement recording everyone's activity, such as cell-phone locations and car license plates.

  13. Internet vigilantes or lynch mobs or public shaming.
    (E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)
    Kashmir Hill's "When a Stranger Decides to Destroy Your Life"

  14. Reporters.

  15. Private investigators and lawyers. (They have some access to government databases and powers.)

  16. Law enforcement (specifically targeting you; and local police may pass data or devices up to FBI for analysis).
    Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
    Andy Greenber's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
    EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"
    ANSSI's "Best Practices For Business Travellers"
    Travel Blogs' "10 Tips For Travelling With Encrypted Data"

  17. Foreign government intelligence agency. (Highest technical ability, but no legal authority.)

  18. Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority and local personnel and access to govt records.)


Threat Modeling is partly nonsense, IMO

+/-
I've heard various definitions of "threat modeling", mostly with:
  • Who do you want to protect from ?
  • What data/activities do you want to protect ?
  • What are the Consequences if various data/activities are compromised ?
I think the Who part is somewhat nonsense, for normal people. They want some protection against "everything". They have no specific threats. If you ask them "do you want to be protected from NSA reading your stuff ?", they would say "yes", right ? Who would say "no" ? They want to be protected against every one of the 18 types of threat listed above. Of course they can't get or afford total protection against some threats (say, NSA), but that's a separate question.

The What part is reasonable. But probably no need to enumerate every type of data someone has. If a person says "I just have bank accounts", that single item is enough to drive just about every decision they need to make, every counter-measure they need to use, to the same answers they'd get if they wrote up a huge list. They just need to do standard best practices: backups, encryption at rest, HTTPS, password manager, 2FA, update software, blockers in the browser, don't download dodgy stuff, anti-virus, etc.

The Consequences part is reasonable, but has more to do with "how much am I willing to pay for counter-measures ?" instead of "threats". I wouldn't call it part of a "threat model". You and I might have the same threat model, but I'm willing to pay more for defenses because I have more money in the bank, consequences of a compromised bank account are larger for me.

EFF's "Your Security Plan"
Privacy Guides' "Threat Modeling"
Wired's "Guide to Digital Security - Choose Your Security Profile"
Sean Gallagher's "How I learned to stop worrying (mostly) and love my threat model"
CupWire's "Finding your threat model" (privacy, not so much security)
Techlore's "How to PROPERLY threat model"
Wikipedia's "Threat model"
Wikipedia's "Operations security" (OPSEC)


No matter what protection you propose, some people will say "oh, the NSA has cracked that !". First, how do they know ? Second, a counter-measure still may be worth using even if the NSA could crack it; NSA is not the only threat or main threat. Third, just because NSA could crack something, doesn't mean they would spend the resources to crack your messages.

Some people say "trust no one !". But if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.

So, instead minimize trust: compartmentalize, encrypt, use defense in depth, test, verify, don't post private stuff, maybe don't do illegal stuff. And give fake/anon info where possible: fake name, throwaway or unique email address, pay with gift card or virtual credit card or crypto or cash. You can use a VPN, ISP, bank, etc without having to trust them. Similar with eating food: have food-safety regulations, buy from a reputable place, eye and sniff food before eating it, have laws and courts so you can sue if you're harmed. You don't have to just "trust".

Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems ("6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.

A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
John Shiffman and Kristina Cooke's "U.S. directs agents to cover up program used to investigate Americans"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"

Another trend: spying devices, software, and services may start out being used only by intelligence agencies, but eventually they are sold to the much larger market of police departments and private investigators.



Types of cyber-crime

+/-
  • Old crimes that now have a small cyber connection: tax fraud, social engineering (con games), Nigerian prince, identity theft, propaganda, misinformation, vandalism, harassment.

  • Old crimes that have changed a lot: bank fraud, payment fraud, deep fakes.

  • Totally new crimes: ransomware, DOS, cryptojacking, click fraud.




Costs of counter-measures

+/-
  • Makes system harder to use. (Extra steps to do things, dialogs popping up, more software to install and update, etc.)

  • Inconvenience / more tweaking. (Loading a web page in Firefox fails. Is it because of settings of uMatrix/uBlock, Privacy Badger, Canvas-blocker, the VPN server's IP address is blocked, the ad-blocker in the VPN server, the browser Containers, the anti-virus, the browser settings, firewall in computer is blocking it, firewall in router is blocking it, Ethernet or Wi-Fi connection is down, site is Chrome-only, site is down, or what ? If one or more things have to be turned off to use that site, have to remember to turn them back on afterward.)

  • Performance penalty. (Encryption takes cycles. Tor and VPNs impose multiple hops.)

  • Worse results. (Such as worse search-engine results if you use something other than Google Search.)

  • Have to get other people to use it, too. (Biggest problem with using encryption on email, or using a social network optimized for privacy.)

  • Can't use some features. (To use Tor browser for best privacy, I think you're advised to disable Flash, JavaScript, ads: Seth Rosenblatt's "NSA tracks Google ads to find Tor users". If you turn off location-tracking on your phone, you lose some features.) It's JavaScript

  • Reduced reliability or recoverability. (If your disk is encrypted, and some key sectors go bad, the whole thing may be toast. There are many recovery tools for non-encrypted disks.)

  • Greater dependence on fewer vendors. (If your encryption vendor or encrypted-email service goes bankrupt, what happens ? And if you demand good encryption or privacy above all else, maybe you can't use the most popular and best services.)

  • Money and time costs. (For example, some people say you should run your own DNS, VPN, and email servers, use a custom firewall such as pfSense or Pi-hole. Sounds like a lot of work.)


Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"



Your home

+/-
Jack Morse's "How to blur your house on Google Street View"

If your house has ever been listed on a real-estate site, they may still display the exterior and interior pictures of your house from that time. Companies to check include Redfin, Realtor.com, Zillow, Trulia. Check their sites, and if they have info about your house, send them a request to delete it.
Kim Komando's "How to Remove Your Home's Photos from Zillow, Redfin, and Realtor.com"
Ilyce Glink and Samuel J. Tamkin's "Do you have the right to have photos of your home removed from realty sites after the sale?"



When living away from home

+/-
If you're staying in a hotel room, AirBNB, or friend's house, and connecting to their network:




General counter-measures

+/-
  • Best to do encryption/decryption at the extreme ends of a transaction, not on short segments in the middle. (But even that can be defeated by a keylogger.)

  • Peer-to-peer architecture better than central-server architecture. (So no one can grab all of your data by going to one place.)

  • Don't put really private or valuable stuff on electronic devices, or on internet. (There is no such thing as total privacy or perfect security.)




Semi-myths about Hacking

+/-
  • Just opening a bad email, or clicking on a bad link, or scanning a bad QR code, can infect you:

    If you open a phishing email or link, the bad thing would happen in the next step: you'll be asked to give your login credentials, and if you do that, you're in trouble.

    An exception: you click on a link sent to your email or phone, and the link is related to a password-reset or account-recovery operation. By clicking, you are confirming that the person at that email or on that phone is approving the action. Very bad.

    Another exception: you click on a link sent to your email or phone, and the link is to a site that you're already logged-into in the browser. The link could initiate some action you don't want, such as sending a message from your account.

    An HTML message could contain image SRC attributes that reference some tracking site, so the tracker could tell that you'd read the message, and gather some limited info about your browser and system.

    Clicking a link gives your IP address (and other data, such as approximate location) to the destination site. See next item in this list.

    Defenses: If your software (especially browser) is updated, and you have blockers (link) in the browser, chances are extremely low that anything bad will happen. If you are vulnerable just by viewing a web-page, you are not doing things right. Also, set your email client to not display images in email messages.


  • If someone gets your IP address, they can hack you:

    An IP address does not uniquely identify your device, if you're behind a router. It uniquely identifies the router. And your ISP might be adding another layer, CG-NAT, which means many customers might be sharing the same public IP address.

    The IP address is public; scanners and bots can try all IP addresses. But the connection between your ID and the IP address is not public.

    An attacker who got your IP address could port-scan your router, or try to DOS it.

    They could determine your approximate physical location (city).

    Possibly if they found your IP address in a data-breach along with your account info and personal info, they could do something with the info. Correlate it with other accounts and personal info online, try to guess answers to security questions, see if you've used same password elsewhere.

    My experience is that this is not accurate, maybe because of CG-NAT: iknowwhatyoudownload

    Defenses: You should port-scan your router and machines yourself (link), to make sure nothing is open that shouldn't be. Maybe report any DOS attacks to your ISP.

    LiveOverflow's "I Leaked My IP Address!" (video)


  • If someone learns your email address, they can hack you:

    They could subscribe you to lots of mailing-lists, flooding your InBox.

    They could try to guess your password on various sites, assuming your username is your email address.

    Possibly if they found your email address in a data-breach along with your account info and personal info, they could do something with the info. Correlate it with other accounts and personal info online, try to guess answers to security questions, see if you've used same password elsewhere.

    They could flood your email service with bad login attempts or password reset attempts, resulting in locking your email account.

    They could flood your other sites with bad login attempts or password reset attempts, assuming your username is your email address, resulting in locking your accounts on those sites.

    They could try a password-reset or account-recovery on your email service, hoping that you'll accidentally confirm the attempt (but then usually you will set a new password, not the attacker, so maybe not useful).

    Defenses: Use junk-controls or address-blocking in your email client or service. Don't click on suspicious links in email messages. Use email address aliases as usernames on web sites.


  • If someone learns your phone number, they can hack you:

    They could subscribe you to lots of sales places, maybe flooding you with lots of annoying calls.

    They could try to fool your service-provider into moving your phone number to the attacker's SIM ("SIM-swapping").

    They could use your phone number to try to find your accounts on many services, and accumulate more info about you that way. One way is "contact syncing", where attacker puts your phone number in their phone's Contacts, then runs apps from Facebook, Instagram, WhatsApp, etc to see if they say "hey, you know Bob, he has an account here too, want to connect with him ?".

    Possibly if they found your phone number in a data-breach along with your account info and personal info, they could do something with the info. Correlate it with other accounts and personal info online, try to guess answers to security questions, see if you've used same password elsewhere.

    If they can correlate with your username on some service, they could call you and try to fool you into giving up 2FA code to do a pasword reset on your account. "Hello, this is PayPal, there's a problem with your account, please tell me the code we're texting to you now."

    They could make phone calls while setting the caller ID to your phone number, maybe getting your number reported as a spammer.

    Some utility companies have a "report an outage" page which can be used to map phone number to postal address.

    There are reverse-phone-book services which can be used to map phone number to name and postal address.

    From someone on reddit:
    +/-
    I want to start off by saying that this has been brought up to the WhatsApp support team. I even had a conversation with an "upper level" individual, and they didn't provide a solution.

    This is what attackers did to kick/ban me from WhatsApp:

    1- They installed WhatsApp on a phone and gave my phone number.

    2- WA sent a verification code to me, not them. So they can't use my account (which has 2FA anyway).

    3- They keep trying.

    That's it. Eventually WA will suspend my number for trying too many times. First 8 hours, then 24, then days, then weeks. Every time WA un-bans my number, the attackers do the same verification thing. That's all. End result is, I'm kicked from WhatsApp.

    I've tried using a different number, but they simply go through the process with the new number, and kick me again.

    Defenses: Block spam-call phone numbers. Have a password or fraud-protection on your account with your phone-service provider. Give your phone number to as few places as possible. Maybe use VOIP numbers where possible. Tell service providers you're being attacked, if there is a way to tell them. Change phone number (painful).


  • If you use public Wi-Fi, someone can hack you:

    If you use an up-to-date browser and OS, and use HTTPS, and heed any warnings from the browser, you should be safe against MITM and other attacks.

    Probably the most likely case is hijacking DNS and sending you to a typo-squatting domain. You try to go to amazon.com, the attacker's DNS sends you to amaz0n.com, it has a valid cert, you type in your amazon.com creds. So don't use the default DNS for the LAN, maybe use encrypted connection to DNS, and pay attention to domain names.


From article:
"... on average, 80% of consumers have had their emails leaked on the dark web, 70% have had their phone numbers compromised, 10% have had their driver's license leaked and 7% have had their Social Security Number exposed online."



How to attack cryptography

+/-
[From hardest to easiest:]
  1. Find a flaw in the mathematics (extremely unlikely).

  2. Find a flaw in the algorithm.

  3. Find a flaw in the crypto software.

  4. Find a flaw in the key-generation.

  5. Brute-force password-guessing.

  6. Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).

  7. Intercept the keys somehow.

  8. Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).

  9. Human problems (password exposed or easily guessed, social engineering, etc).

  10. Legal tools (warrant or subpoena to get encryption keys or tap traffic).




Low-tech solutions

+/-
  • Put tape over cameras when you're not using them, or have the phone camera facing down onto a desktop.

  • Turn off devices when you're not using them, or disconnect them from the network. But a phone may be completely off only when the battery is removed. Going away for a week ? Maybe power off your router, to take down your whole LAN.

  • Don't carry your phone with you if you don't need it.

  • Maybe put your phone in a "Faraday bag" (or wrap in four layers of aluminum foil with no gaps), or put it in Airplane mode, when you don't need to receive incoming calls and messages, and don't want the cell company to track you. Test that the bag or wrapping works, maybe by calling the phone from another phone.

  • If you have cards with RFID, maybe put them in RFID-blocking sleeves. Your passport may have RFID, but is supposed to have it blocked when the passport is closed. Test the sleeves to see if they work, by trying to use the card while it's still in the sleeve. But there are different RFID frequencies, so make sure you're buying a sleeve for the right frequency.

  • Use encrypted external drives to store really sensitive data, and unplug them when not using them.

  • If you use encrypted containers such as VeraCrypt, or encrypted drives, dismount them when not using them.

  • Don't put really critical stuff on networked devices if you don't have to. trust technology

  • Connect devices through the safest way feasible for your use: USB is best, wired Ethernet less secure, wireless least secure of all.

  • Don't have very sensitive conversations in front of devices with microphones.

  • Pay cash for things when possible.

  • Pay for a PO Box and use that instead of your real home address.
    [But a box at a UPS store may require a lot less ID than a USPS PO Box.
    And a PMB at a mail-forwarding service can be located far from your real address, offer additional services such as scanning, and be more acceptable to banks etc.]

  • Shred any trash that has your name, address, phone number, email address, and/or account number on it.

  • Some people advocate: Don't register to vote, don't have a driver's license, don't own a car, don't donate to political campaigns. [The last item is particularly bad: databases showing contributions are completely open and contain lots of info about you.] [9/2020: Apparently I can buy for $100 (from the govt) a list of all registered voters in my county in NJ. Not sure how much info there is about each voter.]

  • Some people advocate: Don't use tax software or a tax web site such as TurboTax or TaxAsct, because they get your info. File by paper, or maybe direct free-filing with IRS (if possible). Or use software to create a draft return (with fake personal info), then copy the numbers onto paper and file that.

  • Don't carry a paper "agenda" book full of your appointments, contacts, notes, and username/password information. Guaranteed you will lose it someday, and there is no password protection on it. Same thing with Post-It notes in your wallet or purse or on your desk, giving login details or PINs. Don't do it.




Things that may not increase security and privacy

+/-
  • Trying to remove yourself from people-search sites.

    Seems an enormous amount of effort, and exposing more information, for little gain. Your info is out there; accept that fact.

  • Following news about specific data breaches to see if they affect you.

    If you have an account involved in a breach, probably you'll be notified by the company, or be forced to do a password-reset next time you try to log in.

    Instead, focus on keeping as little info as possible in each account, and don't re-use passwords, and use 2FA.

  • Notices about Privacy policies or Cookie policies on web sites.

    Just having a privacy policy, and telling you about cookies, does nothing. The content of the privacy policy probably says "you have no privacy".

  • Padlock icons and other HTTPS indicators on connections to web sites.

    HTTPS encrypts data in motion between your browser and the web site. It adds protection and privacy against spying or attacks by third parties against that connection and that data in motion. But it says nothing about the trustworthiness of the web site, or what the site does with your data.

  • Private browsing or incognito mode in browser.

    This mostly just prevents your activity from being recorded in the History in your browser, so the next person who sits down at your computer and uses your browser won't see a record of your activity. It does nothing to prevent spying on your activity as it travels across the internet.
    Harry Bone's "What is Incognito mode ?"
    Computer Hope's "How do I set my browser to Incognito or Private mode?"

  • Full-disk encryption.

    This prevents someone from stealing your turned-off computer or phone and reading your disk or SD card. But once you sit down at your computer and enter the password for the encrypted disk, the decrypted contents are available to all of the software on your computer. So a virus or malware could access the data on the disk, send it out over the internet, encrypt it for ransom, etc. If you get up and someone else sits down at your computer, they have full access to your data. I prefer encrypted containers, each of which you have open (decrypted) only when you actually need to use it.

    And sometimes encryption can be defeated by a sophisticated attacker with physical access.
    HDDGuru thread "Forgot WD My Passport password"
    GitHub / reallymine thread "Forgot password of WD My Passport Ultra"
    Iain Thomson's "Western Digital's hard drive encryption is useless. Totally useless"
    Lucian Constantin's "Western Digital encrypted external hard drives have flaws that can expose data"

  • RAID disk.

    There are many forms of RAID, and they have varying effects on effective disk reliability. Probably a mistake to use RAID instead of having good backups. Certainly you still need off-site backups.

  • Using "sync" where you should use "backup".

    Syncing your primary disk to a secondary disk, or syncing a primary disk to the cloud, is not the same as backing up that primary disk. With syncing, if you delete something from the primary or it gets corrupted, the problem will be synced to the other place, and you've lost data.

  • Open-source software.

    Major security bugs have been found in some open-source software after many years of use. It's not enough that the software be open-source, but it also has to be examined by experts, and not so complex that it defies understanding, and maintained/updated/patched by someone. And also you need some way to verify that the source you see matches the binary you are running.

    Jarrod Overson's "Exploiting Developer Infrastructure Is Ridiculously Easy (The open-source ecosystem is broken)"

  • Cleaning or optimizing the Windows registry.

    Don't do it. This is a big gamble, you don't know what will happen, rarely helps.

  • Using crypto-currency.

    The Tin Hat's "Is Bitcoin Actually Private?"


10 dumbest ideas in privacy communities, from someone on reddit 12/2021:
+/-
This is a compilation of the most stupid ideas I have seen floating around on Reddit.
  • Something is open source so it must be trustworthy and secure. How would it even be possible to insert a backdoor? The Linux kernel is a shiny example of this. It has thousands of eyes looking at it, how could any one maliciously put any vulnerabilities in it? Right? Right? Oh wait ... OpenSourceInsecurity.pdf

  • Every single thing made by Google and the so-called big tech is evil and must be avoided at all cost!!! Let's not even evaluate the technology itself - Chromium bad, Android bad, Fuchsia bad. Pixels are also bad. GrapheneOS bad cuz it needs a Pixel. Let's buy massively overpriced and not-so-secure Linux phones with horrible specs instead! After all, it's open-source software and hardware right? Let's see ... Daniel Micay tweets

  • Enumerating badness is a totally valid approach to privacy issues. Let's just make massive blocklists, pile tons and tons extensions on top of each other, because blocking is good! Let's completely ruin the Android security model and install Adaway as root too because why not. Oh wait a minute ... The Six Dumbest Ideas in Computer Security

  • Encrypted DNS is totally a valid replacement to a VPN or Tor. If you hide your DNS queries, there is no possible way the ISP can figure out what you are visiting, right? Wait what Why encrypted DNS is ineffective

  • 5G bad! I am so hopelessly dependent on the not-so-secure-or-private teleco network that I need them for cell connection but I don't wanna use 5G. Let me just buy EOL LTE phones instead!!!

  • Anything made by companies are inherently bad and evil. Anything made by the community must be good. Red Hat bad. Fedora bad cuz Red Hat. SUSE bad. openSUSE bad cuz SUSE. Ubuntu bad cuz Canonical. Manjaro and Debian must be good. Hold on for a second ... manjarno

  • Proprietary software bad! Proprietary software obviously has backdoors. There is no way I will install any proprietary software on my beautiful Debian install. Wait, I need to install the proprietary microcode updates to fix a critical vulnerability with my CPU? Oh noes! Spectre fix

  • Shifting trust is a perfectly good idea. Proton Mail is a honeypot because they comply with lawful government requests. Lemme switch to Tutanota instead. They sure will break the law and go to jail for me cuz privacy, of course. Wait what ... Sudais Asif's "German court forcing Tutanota to let authorities read emails in plain text"

  • Decentralization good. Centralization bad. Who needs nuances. Why even bother to evaluate the technology on their own merits? VPNs are bad cuz of the supposed centralization. Everyone should just use random DNS servers with DOH instead! Or alternatively, just use dVPN, right? Decentralization good. Oh wait ... TorGuard's "The Privacy Risks Associated with Decentralized VPNs"

  • More encryption = better. Let's just do VPN over Tor over VPN. Who cares if it breaks anonymization features such as Isolated Stream. There is no way the FBI is gonna catch me if I am behind 7 proxies, right?





Operating systems and environments

+/-
  • Windows: large closed-source system with tons of features and modifications, popular target, frequent OS updates.

  • IOS and Apple: closed-source system with more closed design, less-popular target, frequent OS updates.

  • Linux: open-source system with modifications, less-popular target, less-frequent OS updates.

  • Android: closed-source system, popular target, mostly broken OS update system.

  • "Captive" devices such as Kindle, Chromium OS, etc: closed-source system, less-popular target, frequent OS updates ?




Buying or setting up a brand-new device

+/-
For all devices in general:
  1. Change or set password.

  2. Turn off features you don't want.

  3. Connect to internet.

  4. Update OS, and set it to auto-update.

  5. Update apps, and set them to auto-update.

  6. Record serial numbers, model number, configuration.

  7. Put email address on tape somewhere on the case, and on the lock screen.

For computers, and maybe other devices:
  • Might be a good idea to immediately wipe the whole operating system and re-install from a source of your choosing. You don't know what might have been done to the system by the vendor or store or during shipping.

  • Create a local account to log in, not a Microsoft or Google account.

  • Go through all the privacy and feature settings to tweak them as you wish.

  • Once it's set up reasonably, do a backup or save a restore point. And make a bootable recovery disk or flash-drive.




Buying or setting up a used device

+/-
Be VERY careful if you've bought a device through eBay or Craigslist or similar, especially if the device has anything to do with financial, crypto-currency, security, or encryption stuff.

Maybe start with a factory reset. Maybe format the disk. Definitely install new firmware and operating system.

When you buy a used house or used car, what devices or services or apps are in it or connected to it ? Some of them can take a while to switch from old owner to new owner. Double-check that old owner's access has been revoked.

Kai Sedgwick's "Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller"
Trail of Bits' "From The Depths Of Counterfeit Smartphones"
David Ruddock's "What is a 'factory reset'?"



Getting rid of a device

+/-
Get new device working, especially with any accounts that have 2FA enabled, before getting rid of old device. Go into cloud accounts and remove any trust of old device.

On old device, delete optional added apps and data files. Delete any connection to email account, VPN, calendar, delete contacts, etc. Un-register from cloud service. Go in at file level and look for anything to delete. Go in through standard apps (Contacts, Gallery, Calendar, etc) and look for anything you forgot to delete.

Maybe: Factory-reset the old device, then boot it and try to connect to accounts. Then factory-reset again.

Lexy Savvides' "How to wipe your phone or tablet before you sell it"
Patrick Lucas Austin's "Disable iCloud Before You Get Rid of Your Mac"
David Murphy's "How to Get Your MacBook Ready to Sell"
David Ruddock's "What is a 'factory reset'?"
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"

Many disk-erase utilities will not erase certain parts of a disk: HPA, DCO, bad sectors that have been re-mapped.

Some disk-erase utilities are not appropriate for erasing an SSD or flash drive. Either use a utility provided by the manufacturer of the drive, or completely fill the device with random nonsense data. On Linux, "sudo nvme sanitize /dev/nvme0nX". Boomstick (Linux)

When you sell a house or car, what devices or services or apps are in it or connected to it ? Some of them can take a while to terminate.



After getting new internet service (ISP, router)

+/-
  • Record equipment numbers and addresses, router settings, Wi-Fi network name and password, phone number, etc.

  • Change router's admin password.
  • Look for features of router: VLANs, IPv6, guest network, firewall ?
  • Go through router settings: turn off PnP, turn on firewall, check IPv6 status, etc.
  • Port-scan router from LAN side.
  • Port-scan network from public internet.
  • Run browser and DNS leak tests, including IPv6 tests.
  • Check that various features/apps work, on computer and phone, especially with router security tightened: VPN, torrenting, videoconferencing, VoIP.

  • Log into your account on ISP's web site and tighten privacy/marketing settings.
  • Get a copy of your ISP contract.
  • Log into your account on ISP's web site and check fees/charges/limits.



Living dangerously

+/-
If you really, really want to download and run something that could be dangerous:
  • Have good backups.
  • After downloading it, run a virus-check on it. Also send it to VirusTotal.
  • If possible, run a hash-signature check on it (this just checks that the actual file-download worked).
  • Before running it, disconnect from the internet.
  • Disconnect or unmount any external drives or USB sticks or network drives or encrypted containers.
  • Do not run the dangerous thing when you're logged in as a privileged user.
  • Create and login as a new non-privileged user, different from your normal user login, just to run the new thing.
  • Run the dangerous thing in a sandbox or virtual machine ?
  • Afterward, do whole-system virus scans.
  • If you're going to keep using the new thing, maybe always use it when logged in as that special non-privileged user.
If you have to attach your USB drive to a public computer (such as at a print shop or internet cafe, to print documents):
  • Put only the minimum needed documents on the drive.
  • If possible, make the drive read-only or mount it read-only.
  • Do virus-checks before and after.
  • If possible, don't copy the documents back to your main disk afterward. Delete them.
  • Erase/reformat the drive afterward.



See Testing your privacy and security section of my Testing Your Security and Privacy page.

New things we need to increase our privacy or security

+/-
  • To use when someone (law enforcement) is forcing you to surrender your password:

    +/-
    • Dummy access password: a special password that you enter, and the device or account gives access to only a special "dummy" version of the data.

      Known as "plausible deniability encryption" ? Maybe VeraCrypt provides something like this on desktop OS's ? Maybe smartphone app "Protect My Privacy" does this ?

    • Self-destruct password: a special password that you enter, and the device or account wipes itself clean.

      (Note: factory reset probably doesn't overwrite all data, just removes pointers to it.)

    • Limited self-destruct OS password: a special OS login password, and browser cookies and selected files get deleted as you get logged in.

    Ken Kinder's "The travel-only Gmail account: A practical proposal for digital privacy at the US border"
    Quincy Larson's "I'll never bring my phone on an international flight again. Neither should you."
    Kristin Wong's "What to Do Before Packing Your Laptop in a Checked Bag"


  • End-to-end encryption, running on the client machines, so the service companies (Facebook, email service, etc) can't read our data and can't surrender it to law enforcement.


  • Apps or extensions to pad our phone Contacts list and email Address Book and Amazon and eBay address lists with lots of fake people (with reasonable names and addresses and phone numbers), so apps and brokers who grab that info and sell it get lots of disinformation.

    Some people have pointed out that this is hard to do well enough to fool bots and data-miners. You'd want to update the "last contacted" date in the Contacts list periodically, and it would be best if Contact lists from multiple phones had the same information for bogus contacts.


  • A "privacy noise-generator":

    +/-
    At random intervals, it would do random searches, page-hits, chats, VOIP calls, pings. Millions of people would run it routinely, and generate traffic that would obscure the patterns of real activity. A government or company trying to analyze our traffic would have a more difficult time separating the real and false data.

    TrackMeNot
    AdNauseam (browser extension; blocks ads and clicks on them)
    Internet Noise
    Track This
    Chaff (browser add-on; Chrome only)
    Noiszy (browser add-on; Chrome only)
    Needl (Linux only)
    benyanke / internet_noise_bash (Linux only; maybe doesn't work)
    davideolgiati / PartyLoud (Linux only)
    Noisy (Linux only; article)
    Ruin My Search History
    reddit's /r/datapoisoning

    Thorin Klosowski's "Generating a Bunch Of 'Internet Noise' Isn't Going to Hide Your Browsing Habits"

    mcastillof's "FakeTraveler" (Android only; fake GPS location)


  • Notifications to tell us if our accounts have been accessed by an intruder.

    For example, create a throwaway email account that does nothing but automatically send a notification to your real email account if someone logs in to the throwaway account. Then put the login info for the throwaway account in your password manager.

    You can create an HTML email message in your InBox, and get an alert if anyone reads that message, using Canarytokens.





Family issues

+/-
  • Do your spouse and children know about backups and security and privacy ?

  • Maybe create an official family privacy policy, maybe something like:
    • What happens at home is private, by default.
    • If you want to record something, you have to warn people.
    • If you want to upload or post a recording, you have to get permission.


  • Children will face a lot of threats and peer pressure from their friends. Bad behavior, bad sites, I have a smartphone and you don't, let's all make posts telling X she's ugly and stupid, etc.

  • Don't set up a child's device or account to pay things out of your credit card or bank account. You may get a nasty surprise a month later. If you must give a card, maybe give a Privacy.com limited virtual card.

  • Parental control apps are much more available and powerful on Android phones as opposed to Apple phones.

  • School and sports leagues will demand a lot of information about your children (such as birth certificates) and you and your spouse (address, phone number, email, etc).

  • School may require that your children have a laptop for schoolwork, and use Google or other cloud accounts.

  • Think ahead to how your family would cope if you died suddenly. Are you the only one who knows the passwords, knows what software is being used, knows how to make and recover from backups ? Maybe write down instructions, and leave a copy of your password manager database, or a copy of a subset of it. Then leave the master password with a trusted friend who doesn't have access to the database or devices. Or leave half of the master password with one trusted friend and the other half with another trusted friend. But this may not work if you have two-factor authentication.
    Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"

  • Maybe do credit freezes for each of your children, as soon as they have SSNs.
    Brian Krebs' "The Lowdown on Freezing Your Kid's Credit"

Proton Mail's "How to protect your children's privacy online"
Michelle Woo's "Teach Your Kid About Digital Safety With the 'Be Internet Awesome' Program"
Troy Hunt's "Sharenting, BYOD and Kids Online: 10 Digital Tips for Modern Day Parents"
Amer Owaida's "3 things to discuss with your kids before they join social media"



See "Do a periodic check and cleanup" section of my Testing Your Security and Privacy page.



If you own/run a web site

See my "Your Personal Web Site" page.



See Port scanning or router testing section of my Testing Your Security and Privacy page.



This stuff is too hard for "normal" people:
+/-
I think tools need to get easier, and be "safe by default".

For example, operating systems should be aware of and support third-party encryption such as VeraCrypt. Today, a VC volume may be reported as "unformatted" by the OS. Opportunity to enable VC encryption on system disk should be right in the Windows Home or Linux installer. Encrypting an external disk with VeraCrypt should be an option in File Explorer or whatever, along with the OS native encryption (BitLocker or LUKS).

Browsers should default to having ad/tracker-blockers either built-in, or an extension such as uBlock Origin installed by default. Default to having location services disabled, or extension such as Location Guard installed.

When you install an OS, the installer should ask "okay, what password manager do you want to use ?". It's okay for the user to pick "none", but there should be subtle pressure. Same with VPN, same with firewall, same with backup software. OS should have built-in anti-virus (as Windows does), but also prompt up front for which anti-virus user wants ("none" is a choice).

Browsers need to push back somehow against web sites that want to know all the details of a device. Maybe default to display size and OS type and other details not revealed to JS.

Software updating should default to "automatic" (user can change it), and include all apps (including third-party apps) as well as OS.



Good audio podcasts:
The Complete Privacy & Security Podcast
Security In Five Podcast
Ask Leo! by Leo Notenboom

Unredacted Magazine

cryptoseb / CryptoPaper

Brendan Hesse's "How to Submit a Bug Report to Apple, Google, Facebook, Twitter, Microsoft, and More"

Humor:
"OPSEC - The Most Secure Man in the World" (video)