Computer Security and Privacy



Online Security section ( Password security, Password Manager, Two-factor authentication,
       Software updating, Anti-virus software, Connection security,
       Application-level encryption, Report freezing, Opt-out of tracking )
Online Privacy section ( Fake data, Blockers, Browser fingerprinting, Privacy controls,
       VPN, Proxy, Firewall, DNS, MAC Address, Certificates, Tor, Virtual Machine,
       Smartphones )
Anticipate problems section ( Back up your data )
Miscellaneous section ( Threats, Low-tech solutions, Testing your privacy and security,
       New things we need )




TL;DR about computer privacy, security and safety:
         



Levels of privacy, security and safety (my opinion):
  1. No backups, no passwords on devices, same password on many online accounts.

    A disaster waiting to happen. Accidentally delete many files, hard disk crashes, or someone steals your phone, and you're in a world of pain.

  2. Backups (multiple, at least one off-site, and you've tested restoring from them), passwords on devices, important software auto-updating, anti-virus.

  3. Password manager to handle online accounts, ad-blockers and script-blockers in browsers, credit-report freezes, use HTTPS web sites, set privacy settings on accounts, be careful with your smartphone, pay cash for as many things as possible.

  4. Full encryption on devices, two-factor authentication on important online accounts, reduce browser fingerprint, VPN, opt out of data-broker tracking.

  5. Change to Linux, use secure email and messaging, special firewall/router, redirected email and phone numbers and credit cards, postal-mail forwarding service.

  6. TOR browser, burner phones, clean OS every time, run your own mail server and VPN, fake ID, gift-cards, Bitcoin.

         



Terms:









Online Security



  1. Password security:

    Use the password and security features of your device and software; many people don't even bother to set a password !

    But some passwords are fairly easy to bypass; don't expect them to protect you from every threat:
    Computer Hope's "How to clear an unknown BIOS or CMOS password"
    Mark Wilson's "How to crack Windows and OS X passwords"
    Hack Cave's "Hack Windows 10 Login Password In 2 Minutes [Works For All Windows Versions]"
    Hack Cave's "Hacking/Bypassing Android Password/Pattern/Face/PIN"

    Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does it let everything get shared, but if Facebook or Google ever deactivates your account for some reason, you've lost access to those other sites too.

    Similarly, don't use a Microsoft login to your Windows PC, use a local login.

    Mobile-service providers often let you set a PIN to control changes to account settings (such as adding or transferring a phone number).
    Emily Price's "Add a PIN to Your Smartphone Account"

    Use a Password Manager:

    Reasons to use a password manager:
    • Avoids forgetting passwords and other info.
    • Avoids writing down passwords on Post-its and other insecure places.
    • Makes it easy to use a different password for every web site.
    • Makes it easy to use long random passwords.
    • Makes it easy to use two-factor authentication such as software-TOTP.
    • Can report duplicate passwords.
    • Makes it easy to look at list of accounts and delete ones you don't want any more.

    Some passwords they don't help manage: your PC's BIOS and Windows login info, encrypted boot drive's password, physical-world passwords such as ATM PIN. You can store those passwords in the password manager, but not drag them out to apply them.

    Don't use a browser's password-saving features; the security level is unknown, there are exploits of it for tracking purposes (Gunes Acar's "Web trackers exploit browser login managers"), it's not cross-browser, features will be minimal. Use a dedicated password manager.

    One major risk: if you store your bank login info in a password manager, and it gets hacked, and the thief empties your bank account, neither the password manager company nor your bank will compensate you. Both will deny any liability, according to their terms of service. Your money will be gone.

    A quirk: every now and then, I find I have to type a password manually. Maybe I'm reading it out of the password manager in my laptop, and typing it into someone's phone. In that case, having a password that mixes lots of letters and numbers and special characters is a real pain. And having similar-looking characters such as "1" and "l" and "0" and "O" is a pain. So I try to avoid generating passwords with that last problem.

    Features to consider:
    • Price.
    • Type:
      • Online: your passwords are stored online, which is bad (have to trust that place; what if they go bankrupt) and good (accessible from any device; backed up). Usually there will be a synchronized local copy of your password database, too.
      • Local application: your passwords are stored only on your device.
      • Feature of a security suite: same as local application.
      • Browser feature: first implementations of this had some holes/bugs, no way to sync across different brands of browsers, maybe no way to sync across multiple devices.
      • Browser add-on, or bookmarklet (Javascript): maybe same issues as browser-feature type.
    • Devices supported (PC, smartphone, tablet, etc).
    • OS's supported.
    • Browsers supported (almost all managers use a related add-on in your browser).
    • Syncing devices to each other.
    • Cloud backup.
    • Handles credit card info.
    • Handles application passwords.
    • Supports two-factor authentication.
    • Supports fingerprint (biometric).
    • Miscellaneous: form-filling, import from other managers, automatic login capture, profile info, notes, credit report monitoring, etc.

    Wikipedia's "Password manager"
    Slant's "What are the best offline password managers?"
    Alan Henry's "Five Best Password Managers"
    How-To Geek's "Password Managers Compared: LastPass vs KeePass vs Dashlane vs 1Password"

    Some free password managers:
    Bitwarden
    Blur (more than just a password manager)
    Dashlane
    KeePass
    LastPass
    Passpack
    RoboForm

    I don't want a manager with a browser add-on that watches every web page I load. And an offline manager is more secure.

    So I chose KeePass 2.x, and use just the application, not any browser add-ons for it. I drag-and-drop username and password from KeePass application into login web page.

    In my cloud backup application, I disabled backup of the KeePass database file; I want to back it up to my own devices (external hard drive, etc) only.

    On Android phone, I installed Keepass2Android Offline. Emailed KeePass database file and read email on phone to get the file into Downloads, then have Keepass2Android Offline access it from there. Some strange things: there is no "log out" in the Yahoo Mail app; you have to "remove" your email account, and then when you add it back later, you're asked for your phone's PIN, not your Yahoo Mail password. Similar for GMail app, but even worse: removing your GMail account could affect many other services on the phone. ProtonMail app also has no logout; after password is given at installation time it never asks for password again. Reddit app has a "log out" button, but then when you log back in, it doesn't ask for a password, you're just back in ! The Tripadvisor, AirBNB, and FaceSlim apps do have a proper sign-in/sign-out behavior. The WhatsApp app has no sign-out at all. I guess you could use the browser and web sites instead of installing these apps, but then you lose a lot of functionality and nice UI.

    Reasons to use a password manager on a smartphone, despite the app issues I listed:
    From /u/VividVerism on reddit:
    • Logging into web pages.
    • Signing into apps for the first time.
    • Signing into apps after deleting data and/or reinstalling and/or factory reset.
    • Banking apps and similar high-security apps that do require a password either to log in or confirm a purchase/transfer/etc.
    • Storing Wi-Fi passwords.
    • Having your passwords handy for manually logging into sites on computers you don't own, or while traveling.
    • Storing things other than passwords, such as credit card information, social security numbers, or library card information.
    • Installing plugins to let you transfer passwords via QR code or to plug your phone into a computer via USB to type your passwords for you.
    • Using the TOTP features to generate 2FA codes instead of a dedicated app.
    • Storing passwords for any new accounts you set up on your phone.
    • Keeping a database backup with you.

    I'm probably missing a few use cases. In short, yes: there are plenty of reasons a password manager can be useful on a phone.

    /u/Rafficer's "How to set up automatic login with 2FA and Two-Password mode with KeePass 2"

    Dan Goodin's "'Severe' password manager attacks steal digital keys and data en masse"
    Martin Vigo's "Even the LastPass Will be Stolen, Deal with It!"

    With enough effort, and maybe good starting guesses, password manager databases are crackable. See for example devio's mod0keecrack, ElcomSoft blog

    Don't let Windows store passwords and apply them automatically. If someone cracked your Windows password, they would get automatic access to those things. I set my backup application to not "remember" me, so I have to log in to it manually every time I run it. If you have an encrypted external hard disk, don't let Windows hold the password and apply it automatically (auto-unlock); you should type it in manually each time you plug in the disk drive.

    Don't let your browser store passwords and apply them automatically. The quality of their security is unclear, and that method works only inside that browser. Not sure how backup and restore would work. Much better to use a dedicated password manager application.

    Passwords, from article by Jacob Bernstein in The New York Times, June 24 2012:

    ... it is less clear to cybersecurity experts that having a password with extra numbers or special characters actually makes customers safer.

    "People's choice of passwords is not the real problem today", said Dr. Joseph Bonneau, a University of Cambridge researcher who studies cyber security. "The real problem is typing in passwords to the wrong Web site, which is stealing them."

    So why are Web sites suddenly requiring users to add special characters or numbers ? "It's security theater", Dr. Bonneau said. "So people feel safe. It makes the Web sites seem like they're taking things more seriously, when in fact most of them have no control if you have malware. In absence of a way to tackle bigger problems, it's easy to add restrictions. They don't want to seem less secure than competitors."

    Two-factor authentication:

    Some sites offer two-factor authentication, where you can't log in unless you possess both knowledge (password) and your registered device (phone or dongle or token). When logging in to the site, you have to type in your usual password, plus some one-time passcode you get through the device.

    For web sites, often that requires you to have a phone that does SMS (text messaging); the site will SMS the passcode to your device, and then you type in the passcode on the web site. [Note: SMS is expensive in Europe.] Sometimes phones also can get the passcode via voice call or through a mobile app.

    If you have to use a phone-based method, I would choose one that doesn't depend on the cellular network, which can fail or be unavailable. Also, I'd rather not give my phone number to all of these web sites. Instead of SMS, use a TOTP app such as Google Authenticator, if supported. Save the starting code and any recovery codes, so if you lose the phone, you can install them on another phone. [I can't find any list of all the sites that use Google Authenticator.] [Turns out all of the TOTP apps are compatible: Google Authenticator, andOTP, Authy, Authenticator Plus, more. I switched from Google Authenticator to andOTP because andOTP is open-source and not-Google, and Google Authenticator is specific to the phone (number) it is installed on. Also andOTP has a password protecting the app. Still I don't put sitenames and usernames into the app, so if someone gets the database they don't have enough info to find the accounts.]

    Some systems call themselves two-factor but really are just two-step: they don't require that you have a device such as a phone. They just send a code to your email or ask you more questions or something.

    With two-factor, check ahead of time to see what happens if you lose your device (or it dies, or the battery runs out), or have to change your phone number, or have to reinstall the security application (which may change the security ID), or want to log in through some other computer (if using the no-phone option). In some cases you'd have to contact each vendor and answer security questions to get them to set a new password and security ID on your account. This could be a real pain if you change phone number or upgrade to a new phone or laptop; you'd have to contact all of the vendors you use. Some systems have a way to print out verification codes to use if your device fails; don't skip this step when turning on two-factor security.
    Eric Ravenscraft's "What Happens If I Use Two-Factor Authentication and Lose My Phone?"
    (Found these instructions for VeriSign VIP Access: "You need to save the VIP.tok from \Application Data\VIPAccess. You also need to save the registry keys HKLM\Comm\Security\Crypto\UserKeys\Microsoft Enhanced Cryptographic Provider v1.0\VipAccessKeyContainer and HKCU\Software\VIPAccess".)

    None of the phone-number-specific solutions seem to work for cases where multiple people would be sharing the same account, or where you switch around a lot and carry only one of your multiple devices (phone, tablet, laptop) at a time. If you use a computer (non-phone) app, how would that work with multiple computers (home desktop, work desktop, laptop) ?

    Note that any two-factor that requires the user to type in a code still is vulnerable to phishing or scamming. A keylogger could record the code as it is typed in, or the user could be typing it in to a bogus web page, or the user may be fooled into reciting the code to a "tech support" scammer on the phone. Time-based two-factor is less vulnerable, since the thief would have to use the code within 60 seconds or so. Tokens or software that connect directly (USB, NFC, etc) to the computer/phone probably are less vulnerable than typed codes.

    Note that software TOTP two-factor still is vulnerable to a breach at the server. If the company loses its database of passwords and two-factor secret starting codes, the hacker can get into your account. But software two-factor TOTP does defend against you reusing passwords across multiple sites, and against a keylogger listening to your typing (the hacker would have to use the code within 60 seconds or so), and against brute-forcing.

    As of 9/2013, it seems some major sites that support two-factor authentication are Google, Facebook ("Login Approvals"), EBay, PayPal, ETrade, Twitter, Dropbox, Wordpress, Yahoo! Mail, (as of 11/2015) Amazon.
    Not supported on Citigroup, my credit union (a smallish place), my 401K manager (a large national corp).
    Two Factor Auth (2FA) (list of sites that do/don't support 2FA)
    VeriSign "VIP Member Sites"
    Whitson Gordon's "Here's Everywhere You Should Enable Two-Factor Authentication Right Now"

    Lucian Constantin's "5 things you should know about two-factor authentication"
    Internet2's "Two-Factor Authentication"
    Wes Siler's "Traveling With Two-Factor: How To Access Your Accounts Abroad"
    Emily Price's "Always Carry Your Google Account's Two-Step Verification Codes With You"

    Eric Ravenscraft's "Google Adds a USB Key Option to Two-Factor Authentication"
    Robert Lemos's "Google offers USB security key to make bad passwords moot"

    Jenny Knafo's "Most Popular 2-Factor Authentication (2FA) Compared"

    Some serious security guys like YubiKey.
    Another prominent company is Feitian.
    Cheapest (U2F only, USB only): U2F Zero.
    New 9/2018 (U2F only, USB/NFC/Bluetooth): Google Titan (article1, article2).

    It seems U2F is the newest, best protocol, but not supported everywhere quite yet (12/2017 not in LastPass, not in Windows 10 for home users). Nick Parlante's "The Unofficial FIDO U2F FAQ"

    USB is needed for PCs; NFC is needed for phones.

    YubiKey:
    Costs $40 or $50 per key.

    Models:
    • YubiKey 4 Family: newest, multiple form factors to choose from, all support U2F, OTP, Smart Card, PGP, etc, all support up to a 4096 bit key length, no NFC.

    • YubiKey NEO: only keychain form factor, all support U2F, OTP, Smart Card, PGP, etc, only up to a 2048 bit key length, support NFC. Yubico NEO-n: no longer sold.

    • Yubico Security Key: only keychain form factor, only supports U2F, but cheapest YubiKey.

    Yubico's "Compare YubiKeys"

    [From /u/SoCleanSoFresh on reddit.]

    My questions:
    [I'm a Windows 10 Home user, a normal home PC user.]

    • How do I recover from a lost YubiKey ?

      Easiest way is to have a second YubiKey. But it has to be registered to all the same accounts and logins as the first key. No way to just clone a YubiKey, or declare two YubiKeys to always have equal credentials.

      If you don't have a second YubiKey, you'll have to exercise whatever "account recovery" options there are for all of your accounts, one at a time. There are no "emergency codes" or "recovery codes" you can save and use to generate a new YubiKey that is equal to the lost one, or bypass the requirement to have your YubiKey. But many accounts will use your email and/or phone as primary means of recovery, and if those are locked by the lost YubiKey, you're stuck.

    • Can a YubiKey be required for my PC's system/BIOS login ?

      But this wouldn't really protect my information on disk, if that disk is unencrypted. A thief could just take out the disk and attach it to another PC to get access to the data.

      Answer seems to be no, unless you install some custom boot-loader.

    • A YubiKey can be required for my Windows 10 user login, in addition to the password.

      But this wouldn't really protect my information on disk, if that disk is unencrypted. A thief could just take out the disk and attach it to another PC to get access to the data.

      Would the Yubikey protect upon login when waking up from sleep or hibernation, or only upon initial user login ?

    • Can a YubiKey be required for my Android phone's system login ? I have a Samsung Galaxy S4 I9505 (does have NFC) running LineageOS 14.

    • Can a YubiKey be required to mount a hardware-encrypted WD Passport Ultra external hard disk onto my computer ?

      Answer seems to be no.

    • Can a YubiKey be required to mount a software-encrypted container (using Veracrypt or Bitlocker, for example) onto my computer ?

      Answer seems to be no (except in a few Linux configurations).


    Windows:
    Apparently there are two ways to use YubiKey with Windows login:

    • If you use YubiKey for Windows Hello app, the YubiKey enables login without entering the Windows user password: article1, article2.
      Does not operate with system/BIOS login, only Windows user login.
      Works with a local Windows account or a cloud account.
      Uses CCID mode on the YubiKey.

    • If you use YubiKey with Yubico's Windows Logon app, the user must have both the password and the YubiKey to login: article3.
      Does not operate with system/BIOS login, only Windows user login ?
      Works with a local Windows account only.
      Uses challenge-response using HMAC-SHA1 mode on the YubiKey.


    drduh's "Guide to using YubiKey as a SmartCard for GPG and SSH" (mostly Linux-only)

    Important places to use two-factor authentication:
    • Password manager.
    • Email accounts.
    • Financial accounts.

    Downsides of two-factor authentication:
    • If you lose your authentication device or it dies or it runs out of battery charge, you can't access email etc. through your computer either, unless and until you have some emergency method close to hand.
    • If you take your laptop somewhere, you have to take your phone with you too.
    • Some carriers charge for SMS messages.
    • Login is slower.
    • There may be a charge for the authentication device or service.
    • If the authentication device plugs into a USB port, some places (internet cafe, library, etc) may not allow that.

    Russell Brandom's "Two-factor authentication is a mess"

    My experience with Symantec VIP hardware token starting 2/2018:


    Got it for free from my main bank. Push a button, it generates a 6-digit number, which changes every 30 seconds or whatever. This is called a Time-based One Time Password (TOTP).

    For my bank, activated it online by logging in, going to a Security page, and then giving serial number of token and current 6-digit number. Then when logging in, just add the current 6-digit number to the end of the password. If I lose the security token, I can call the bank and answer lots of questions, and they'll deactivate it for login.

    The Symantec web site says one of the sites that uses "Symantec VIP" is PayPal, but the PayPal site seems to say only SMS is supported, not the hardware token. Same thing with EBay USA, Symantec claims support but then token is not supported by the site.

    Fidelity funds does support this token, but the Fidelity retirement unit where I have an account does not support it.

    My credit union does not support two-factor of any kind.

    None of my three email providers support this device; 2 of 3 support no hardware devices at all. Facebook and reddit don't support this kind of device. Transferwise doesn't support hardware devices. IDrive doesn't really do two-factor. Veracrypt doesn't do two-factor.

    Maybe login to the KeePass password manager can be set to use TOTP, via "OtpKeyProv" extension ? Fidesmo's "Securing KeePass databases with OTP codes generated on a Fidesmo device" But I don't want to do this. If I lost the security token, I'd have no way to recover, other than having previously saved a copy of the database that did not require the security token.

    /u/Rafficer's "How to set up automatic login with 2FA and Two-Password mode with KeePass 2"

    There is a way (using Linux) to make a software-TOTP equivalent of a Symantec VIP hardware-TOTP token: Chef-Koch's "How To use TOTP with your PayPal account". The "This credential expires on this date" feature is worth noting. Couldn't get it to install properly, using "sudo pip install .". Then did "sudo apt install docker.io" and that seemed to work. Did "docker run --rm kayvan/vipaccess provision -p -t VSST", and got "Command 'docker' not found". Dev said do "pip install setuptools". Got further, to some error about "oauth bdist_wheels". Did "pip install wheel". From home directory, did ".local/bin/vipaccess provision -p -t VSMT". Worked ! Copied "otpauth://totp/VIP%20Access:VSMTXXXXXXX?digits=6&secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXX&period=30&algorithm=SHA1&issuer=Symantec". Put info (including expiration date) into my Keepass password manager, went to PayPal and activated TOTP using Symantec VIP 30-second, logged out of PayPal and back in using TOTP, worked !
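
    What an otpauth:// URI like the one above contains, and why the earlier notes about the "60 seconds or so" window and a server-side breach hold: an added example, not code from the original page or from the vipaccess project. It follows RFC 6238; the serial and secret in the sample URI are constructed (the secret is the RFC's published test key), and the function names and the one-step clock-drift allowance are assumptions.

```python
import base64
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample in the same shape as the URI on this page.
# The secret is the RFC 6238 test key, not a real credential.
SAMPLE_URI = ("otpauth://totp/VIP%20Access:VSMT00000000?digits=6"
              "&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&period=30&algorithm=SHA1&issuer=Symantec")


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into label, secret bytes and parameters."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # URIs usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": base64.b32decode(b32),  # the same bytes the server stores
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def totp(secret, unix_time, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 code for the time step containing unix_time."""
    counter = int(unix_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, unix_time, period=30, digits=6,
           algorithm="sha1", drift_steps=1):
    """Server side: accept the current step plus/minus drift_steps."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + step * period,
                        period, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def seconds_accepted(secret, generated_at, **kw):
    """How long after generation a captured code still passes verify()."""
    code = totp(secret, generated_at)
    t = generated_at
    while verify(secret, code, t + 1, **kw):
        t += 1
    return t - generated_at


if __name__ == "__main__":
    p = parse_otpauth(SAMPLE_URI)
    print(p["label"], p["issuer"], p["digits"], p["period"], p["algorithm"])
    # Anyone holding the secret (you, the server, or whoever copies either
    # database) computes the same code for the same 30-second step.
    print("code at t=59:", totp(p["secret"], 59, p["period"], p["digits"]))
    # Worst case for a phished or keylogged code: generated at the start of
    # a step and verified by a server that tolerates one step of drift.
    print("replayable for", seconds_accepted(p["secret"], 30), "seconds")
```

    The secret is the only thing that matters in the URI: storing it in KeePass, as described above, puts the second factor in the same database as the password.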

    Patrick Lucas Austin's "How to Boost Your Game Console's Security"


  2. Other "managers".

    Don't let web sites save your important data if you can avoid it. Store it in an encrypted, private "manager" application on your machine.

    Some types of "managers":
    • Password Manager: discussed in previous section. I use KeePass.
    • Financial / Budget Manager:
    • Address Book / Contact Manager:
    • Calendar:
    • To-Do List:
    Often the last three types are together in a "Personal Information Manager" (PIM). Some email client applications will include those three functions too.

    Most of the PIMs I see are more complex than I want, and don't say anything about encrypting their database. Probably best to pick a simple PIM and put its database inside a Veracrypt container.
    Osmo (Linux only, database not encrypted, files under ~/.config/osmo and ~/.local/share/osmo by default)

    If you don't use a specialized application, you could use a text file inside a Veracrypt container. But you'd lose the ability to sort by various fields, alert on calendar events, view the calendar in standard calendar format, have a tree-view for to-do items, etc.

    But I decided I'll use ProtonMail's calendar when they come out with it, since I use them for email. And I don't need special software for contact manager and to-do list.


  3. Give "them" as little data as possible.

    Don't let web sites save your credit-card data. If possible, give them a fake phone number and address.


  4. Use fake data as answers to the "security questions".

    If you give fake data as your mother's maiden name, town where you were born, etc, no attacker can look that up somewhere and know what answer to give. Of course, you have to write down those answers yourself.


  5. Software updating:

    Run the newest stable version of your operating system, and turn on auto-updating. Same for browsers, anti-virus, VPN.


    But this is a major problem for Android smartphones: on older phones, you can't update the OS to a later version, unless you install a "custom ROM". Android's update mechanism is somewhat broken, because phone vendors have no incentive to test and provide updates.

    See Android Custom ROMs section of my Android page.

    For less-important software, I would turn off auto-updating. I don't want a lot of little check-for-update background processes running all the time, and I don't have confidence that the maker of some genealogy application or something has invested a lot of effort in making their update process secure.

    The more I think about it, updating is a major security issue for all OS's. What controls guarantee that an installer or updater will update only the application or component it is associated with ? Is the communication channel encrypted ?

    If something is updated through Windows Update or Linux's manager (Update Manager, on Mint) or an app store, maybe you can have some confidence that the process is efficient and secure. But if an individual app is reaching out of your system to its update server every day in some unknown way, that is questionable. If you have 20 such apps doing so every day, an attacker has lots of surface to attack, and there is lots of traffic for you to monitor or analyze for threats. Not to mention lots of little look-for-update processes running in the background all the time, maybe.

    What is the long-term solution for this ? Lobby Microsoft to let third-party apps use the Windows Update mechanism ? On Linux, only install apps via the main software manager on the system ? Add some kind of OS controls so an installer/updater can touch only the associated component's folder and registry tree ? I assume Windows Update and Linux's managers and app stores use TLS on their connection back to the server; true ?

    In response, someone pointed out: evilgrade



  6. Anti-virus software:

    Install it, set it to update automatically, run a full scan every now and then.

    Two main "modes": real-time protection (catches every file write or download and scans it), and user-initiated (user runs a full-disk scan every week or two). The real-time protection could be disk-only (catches file writes) or also wired into the browser (to prevent access to known-dangerous web sites).

    Things that loosely fall into this category:
    • Anti-virus protection.
      Quora "What is the best open source antivirus software?"

    • Malware removal (such as Malwarebytes, Spybot ).

    • Keylogger detection and removal.

      A "keylogger" may do one or more of these:
      • Capture keystrokes as you type them.
      • Capture the contents of your clipboard.
      • Capture screenshots.
      • Capture input from your computer's camera and microphone.

      A keylogger may:
      • Log the data into a log file.
      • Email the data to somewhere.
      • Send the data across the internet to somewhere.

      There seem to be three types of keylogger:
      • Hardware: some device attached to your computer or keyboard or installed into it.
      • Software: an application and/or service installed on your computer. It may try to hide in various ways, not showing up in list of installed apps, or choosing a name similar to a standard app or service.
      • Rootkit: software installed into the firmware of your computer, or the boot loader of your OS, or the kernel of your OS.

      Detect or defend against keyloggers:

      Testing your defenses to see if they actually work:
      Run a test program that does keylogging and see if your software detects/stops it:
      Mike Williams' "Anti-Keylogger Tester 3.0"
      SpyShelter's "Security Test Tool"

      Install a real keylogger and see if your software detects it:
      Spyrix Free Keylogger
      Revealer Keylogger Free
      StupidKeylogger


    • Firewall.
      From someone on reddit's "/r/Windscribe":
      > I've recently signed up for Windscribe VPN (firewall enabled).
      > I have an ASUS RT-AC66U router (firewall enabled),
      > and on top of that Norton Security with its built-in
      > super aggro "smart firewall". All of this seems a bit
      > redundant and ridiculous.

      Windscribe firewall blocks traffic that tries to go outside of the VPN, including if the server you're connected to goes down. It's different from a program/port firewall that allows or blocks certain traffic completely based on a ruleset.

      Your Norton firewall is designed to prevent malicious programs from calling home to download more malware or upload your information.

      Your router firewall is designed to prevent open ports from being abused by programs or attackers.

      Windscribe firewall is designed to prevent your traffic from going through the normal unencrypted route to your ISP. If the connection drops for some reason nothing will get through because the Windscribe firewall blocked all other ways in or out.

      So all three serve different purposes (the router and Norton firewalls overlap a bit but they still do different things).
      Gufw (Linux only)

    • Crapware or bloatware removal (such as PC Decrapifier, Should I Remove It?, SlimCleaner, AdwCleaner ).

    • Slow-down diagnostics (such as Soluto ).



    Testing your defenses to see if they actually work:
    EICAR Standard Anti-Virus Test File

    Where to get virus samples, to check your AV ?
    MalShare
    TekDefense
    VirusShare.com
    greg5678 / Malware-Samples (Linux only)
    Packet Storm's "Unix rootkits" (have to compile some from source)

    On Windows, I use AVG (free) and Malwarebytes (free). But I found that AVG and MWB (with RTP) don't stop/report keylogging as tested by AKLT.

    If you use Adblock Plus, you can then install a malware site filter.

    Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"
    /r/techsupport's "Official Malware Removal Guide"


  7. Browser:

    Set your browser to update automatically; browsers contain security features that should be kept up to date.

    From someone on reddit 11/2018:
    "Chrome has a whole host of services that send data to/from Google (auto-complete, prediction services, spell check, translation, safe browsing, etc...). ... if you don't want Google to know anything about you, you can't use Google products." [Also password syncing, and "login to Google automatically logs you in to Chrome". And check options carefully to see what is turned on.]

    These days, users probably spend 90% of their time in a browser. So, take the time to go through ALL of your browser's settings/options. Generally turn off things that send data to a cloud service. Turn off features you don't need.

    Enable security features in your browser: IE's "SmartScreen Filter", Firefox's Options/Security tab, Chrome's "Enable phishing and malware protection", Opera's "Enable Fraud Prevention".

    Use as few browser extensions/plug-ins/add-ons as possible; each additional extension installed means a greater chance of getting a malicious extension or a security hole or a performance hit.
    Chris Hoffman's "Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them"

    Use an "ad-blocker" add-on in your browser to protect against ads that contain malware (malvertising).
    uBlock Origin (get from here ?)

    Show what your browser presents to a web site:
    BrowserSpy.dk


  8. Computer firmware:

    There might be firmware in: management engine, motherboard/BIOS, Linux microcode on top of the MB/BIOS firmware, HDD, SSD.

    Usually you have to manually check for updates to the firmware, on the manufacturer's web site.

    Idea:
    Is the firmware (say, BIOS firmware) readable ? Can an OS or user process read it and compare to the last-installed version, and flag "hey, firmware has changed since the last time you booted !" ? Do any current OS's do that ? It could even be a user-level feature.

    Shouldn't all devices (routers, security cams, disk drives, etc) come with a "read out the current firmware contents" feature ? Maybe a very clever malicious firmware could mimic a legit firmware, but it might not be easy if firmware memory is full (excess space padded with random static stuff when legit firmware is generated).

    In Linux, do "sudo grep ROM /proc/iomem". If it returns "000f0000-000fffff : System ROM", you can read the BIOS via either of these equivalent commands (both read the 64 KB that starts at offset 960 KB = 15 * 64 KB):
      sudo dd if=/dev/mem of=pcbios.bin bs=64k skip=15 count=1
      sudo dd if=/dev/mem of=pcbios.bin bs=1k skip=960 count=64
    Also relevant: "sudo dmidecode". Maybe someone could make a little daemon or cron job that uses them to report any changes.
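
    The cron-job idea above, sketched as an added example (not code from this page or from any project it links to): a POSIX shell script that hashes the System ROM window and the "dmidecode -t bios" output, records a baseline on first run and reports any later difference. The state directory /var/lib/fwwatch, the labels and the --run switch are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Added example: baseline-and-compare for firmware readouts.
# STATE_DIR, the labels and "--run" are hypothetical names for this sketch.

STATE_DIR="${STATE_DIR:-/var/lib/fwwatch}"

# fw_check LABEL FILE
# Return codes:
#   0 = FILE matches the stored baseline
#   1 = FILE differs from the baseline (baseline is kept, change is logged)
#   2 = no baseline existed yet; one was recorded
#   3 = FILE is missing or empty (read blocked or source not present)
fw_check() {
    fc_label=$1
    fc_file=$2
    fc_base="$STATE_DIR/$fc_label.sha256"

    # An empty readout usually means the read was refused (for example
    # /dev/mem under kernel lockdown). Never store that as a baseline.
    [ -s "$fc_file" ] || return 3

    fc_new=$(sha256sum "$fc_file" | cut -d' ' -f1)

    if [ ! -f "$fc_base" ]; then
        mkdir -p "$STATE_DIR"
        printf '%s\n' "$fc_new" > "$fc_base"
        return 2
    fi

    fc_old=$(cat "$fc_base")
    if [ "$fc_new" = "$fc_old" ]; then
        return 0
    fi

    # Keep the old baseline so the alert repeats until a human decides,
    # and append the new hash with a UTC timestamp for later review.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$fc_new" \
        >> "$STATE_DIR/$fc_label.changes"
    return 1
}

# fw_main: collect the readouts (needs root) and check each one.
fw_main() {
    tmp=$(mktemp -d) || return 1
    status=0

    # Same read as on the page. Note this is only the legacy 64 KiB
    # System ROM window at 0xF0000, not the whole flash chip.
    if grep -q '000f0000-000fffff : System ROM' /proc/iomem 2>/dev/null; then
        dd if=/dev/mem of="$tmp/system-rom" bs=64k skip=15 count=1 2>/dev/null
    fi
    # BIOS vendor, version and release date as reported through DMI.
    dmidecode -t bios > "$tmp/dmi-bios" 2>/dev/null

    for label in system-rom dmi-bios; do
        rc=0
        fw_check "$label" "$tmp/$label" || rc=$?
        case $rc in
            0) echo "$label: unchanged" ;;
            1) echo "$label: CHANGED since baseline, see $STATE_DIR/$label.changes" >&2
               status=1 ;;
            2) echo "$label: baseline recorded" ;;
            3) echo "$label: could not be read (blocked or not present)" >&2 ;;
        esac
    done

    rm -rf "$tmp"
    return $status
}

# Only touch /dev/mem when explicitly asked, e.g. from root's crontab.
if [ "${1:-}" = "--run" ]; then
    fw_main
fi
```

    After a firmware update you installed yourself, delete the matching .sha256 file in the state directory so the next run records the new baseline.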

    How about Linux's /dev/microcode ? Also would be nice to know if the router/gateway MAC address has changed ("arp" command).

    Processor "Management Engines":

    /u/SupposedlyImSmart on reddit 11/2018

    Intel's "Management Engine":
    Intel ME seems to be a big problem; maybe just avoid Intel chip-sets next time you buy a computer ?
    Lily Hay Newman's "Intel Chip Flaws Leave Millions of Devices Exposed"
    Erica Portnoy and Peter Eckersley's "Intel's Management Engine is a security hazard, and users need a way to disable it"
    From someone on reddit:
    "Do you have an Intel CPU from the last 10+ years? If so, then yes ME is enabled. If it weren't via HAP, you'd know."
    Shane McGlaun's "Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut"
    "Sakaki's EFI Install Guide / Disabling the Intel Management Engine"
    Steven J. Vaughan-Nichols' "Computer vendors start disabling Intel Management Engine"
    corna's "me_cleaner"

    From someone on reddit:
    "After I did the firmware update for my version of IME, I just made sure and disabled everything relating to IME/vPro in my BIOS/UEFI settings and also disabled its related services and related serial port in device manager in Windows."

    AMD's "Secure Processor" (previously known as PSP):

    Chiefio's "For deep security, use ARM, avoid Intel & AMD processors"

    coreboot (Wikipedia's "coreboot")


  9. Sandbox applications:

    Run an application such as a browser inside a "sandbox", which prevents it from accessing files on your computer, or controls which files are accessible.

    Sandboxie (Windows only)
    Firejail (Linux only)
    AppArmor (Linux only)


  10. Separate computers for separate functions:

    It may be tempting to run a web server and database and routing software and network-storage disk and your personal stuff (browser, password manager, files, etc) all on the same box. It can be done, under Windows or Linux etc. But that greatly increases the chance that some bug or exploit lets an incoming attacker access your personal files. It's better to run all the server (incoming) stuff on one box, and all the personal (outgoing) stuff on another box. And set the firewall rules on each box to allow only what is needed on that box.

    Even better, run server-stuff on some commercial hosting service. Let them worry about 24/365 availability, bandwidth, disk space, updating, etc. But you'll have to pay for it.


  11. Turn off the computer:

    When not using the computer, turn it off, so attacks can't get in. Maybe turn off your entire LAN (by turning off the router) before going to bed at night ?

    Maybe put critical data on a thumb-drive or external drive, and only mount that drive for brief periods when you need to use that data.


  12. Connection security (protecting "data in motion"):

    Use encryption on your connection: encrypted Wi-Fi, HTTPS web sites, maybe VPN (see VPN section later on this page). If you're using a mail application (such as Thunderbird) or an FTP application, make sure they're using encryption on their connection to the server.

    On your home network, make connections using Ethernet cables instead of Wi-Fi where possible (client device is close to router/modem). Wired connection is faster and more secure than wireless. Similar when transferring data between phone and PC: using a USB cable is more secure than emailing the data or using some other across-the-internet method.

    Consider having separate home networks for your critical (computers, file server, phones) and untrusted (TV, refrigerator, security camera, baby monitor, game consoles, guest, etc) devices. This may mean having to use two routers.

    When choosing a name for your home Wi-Fi network, choose something bland such as "network27". Don't include your name or address or brand of router in the network name; that information would help an attacker. And the information may be included in bug reports and such.

    ilGur's "Smart HTTPS" browser extension

    wikiHow's "How to Secure Your Wireless Home Network"
    Eric Griffith's "12 Ways to Secure Your Wi-Fi Network"
    Decent Security's "Router configuration - easy security and improvements"
    David Murphy's "How to Make Your Wifi Router as Secure as Possible"
    Easy Linux tips project's "Wireless security: four popular myths and 12 tips"
    Lifehacker's "Top 10 Ways to Stay Safe On Public Wi-Fi Networks"
    Smart Home Gear Guide's "17 Lockdown Strategies To Secure Your WiFi Network From Hackers"
    Who's On My Wifi (free application to list devices on your network)
    UIC-ACCC's "How can I secure my internet connection?"
    But: Nick Mediati's "The EFF wants to improve your privacy by making your Wi-Fi public"

    From discussion on reddit, and elsewhere:
    Securing home Wi-Fi:
    • Use the WPA2 protocol. It has now been broken but the chances anyone will use it against you are slim.
    • Use a strong passphrase. Longer is better than more complex.
    • If you have a guest network, isolate it so it can access your internet but not your local network.
    • Where possible, use 5GHz. It doesn't have good penetration so it's less likely to broadcast your network to your neighbors. Otherwise some routers will let you adjust the power of your broadcast.
    • Don't bother with MAC address filtering. It's just a headache and it's easy to bypass.
    • Apply any patches that are available, to clients and router.
    • Turn off WPS and UPnP and access to web interface/console from Wi-Fi.
    • Probably turn off telnet, SNMP, TFTP and SMI; they're usually unencrypted and/or insecure.

    Test your router configuration (turn off VPN first):
    See the "Port scanning and router testing" section of this page.

    Turn off any VPN, use IPChicken to get your network's current public IP address, then paste that into your browser's address bar, and see how your router responds when someone from outside tries to access your router on port 80. Also try the address with ":443" appended to it.

    Symantec's "Check Your Router for VPNFilter"

    Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
    That One Privacy Site (VPN and email comparisons)


  13. Application-level encryption:

    For communication apps, person at other end has to use same software.

    Browser add-ons:
    Encrypted Communication (Firefox only; encrypt/decrypt blocks of text in web pages or docs)
    SafeGmail (GMail only; Chrome only)
    Encipher.it (Chrome add-on, or client app; encrypt/decrypt blocks of text in any web page)

    Other solutions require you (and person at other end) to change email providers or use different applications. Not feasible, in my opinion.

    In your email client, if possible, turn off automatic display of HTML, images, and Javascript. It's dangerous to let some random person send you a piece of software that executes in your client.

    Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

    End-to-end encrypted email:
    Features encrypted email should have:
    • End-to-end encryption: encrypt/decrypt done as close to the user as possible. Even so, it's still possible for a keylogger or something to grab the plaintext.
    • Encryption code installed once on user's machine, not every time you access email, so it's less likely to be suborned.
    • Encryption keys generated and held by the user: if code from the email provider is used to handle the keys, you can't be certain that the keys are safe.
    • Easy interoperability with other secure-email providers. Today, this is non-existent, to my knowledge. The best that is offered is that a user could extract keys and do PGP themselves.
    • Privacy statement that the email provider keeps no logs, doesn't read messages, etc. But usually they say they WILL cooperate (to the extent possible) with a valid court order.
    • Open-source policy. But this is not an absolute guarantee; how do you know if the source being released is what is actually run by the service, and how well has that source been reviewed ?
    • Located in a country with good privacy laws, and separate from your country. Having multiple jurisdictions makes it harder for someone to track you and serve legal papers to get your data.
    • Zero-knowledge policy on accounts: the provider shouldn't require your real name, address, credit card. Should allow access through a VPN.

    Highly recommended by security people: Protonmail
    Eric Mann's "End-to-End Crypto: Secure Email"

    But they may have quirks. For example, apparently Protonmail is incapable of sending a normal, plaintext email; only HTML-plus-plaintext or HTML-encrypted or internal-encrypted are supported ? Because the Protonmail server can't decrypt your messages, it can't do vacation-forwarding or server-based content-based filtering.

    From someone on reddit 11/2018:
    Gmail is decades ahead of ProtonMail in terms of feature support.
    • really good spam filtering
    • nested labels w/ coloring, multiple star icons
    • multiple inbox support
    • machine learning based importance detection
    • autosuggested replies and autocomplete
    • advanced plugin ecosystem
    • plain HTML fallback version when JS isn't available

    On any service where you aren't the sole holder of the keys, there are vulnerabilities:
    Wired's "Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure"
    Nadim Kobeissi's "An Analysis of the ProtonMail Cryptographic Architecture" (PDF)

    That One Privacy Site's "Email Section"
    PrxBx's "Privacy-Conscious Email Services"


    We need transparent encryption of email:

    I wish some large email provider, such as GMail or Yahoo Mail, would start using end-to-end (client-to-client) encryption routinely, and transparently. When you click the Send button, software (maybe an open-source browser plug-in) looks to see if your recipient has a preferred encryption method and public key registered anywhere (or if one is cached locally, via prior key-exchange). If recipient does, the message gets encrypted (by open-source browser plug-in) via that method before sending. If recipient is not registered anywhere, message goes unencrypted, as usual. Simple ! And now the email provider itself can't read or decrypt the messages, and can't decrypt them for the government.

    The company that does this first could seize the mantle of "privacy champion".

    They still could do targeted advertising based on keywords: the plug-in that does the encryption first extracts a few keywords, and then passes them on along with the encrypted message.

    Searching your messages on the server would be affected; the server wouldn't be able to read the text of the messages. I suppose you could do a search by sending all of the encrypted messages to the client (browser), and decrypting them and doing the search there, but that would be horribly inefficient (but possible). Or search-keywords could be sent to the server along with each encrypted message (compromising security a fair amount, but enabling searching).

    Spam-filtering would be affected. If a spammer is willing to look up your public key and encrypt their message to you, it will have to be caught on the client, not the server. That's an issue. Need an open-source spam-filter plug-in or something.

    The reason I want an existing large provider to do this, as opposed to new secure-email startups, is that the change by an existing large provider would immediately make encryption easily available to hundreds of millions of existing users. No need for users to change providers, with new UI and new email addresses and having to transfer their contact lists. Most users will NOT move to new secure-email services; we need to get encryption into existing services.

    Mailvelope is a bit like what I want, although it's far from as transparent and integrated as what I outlined (which requires changes by Google, Yahoo, etc).

    Google and Yahoo were working on a couple of end-to-end things, but as of 2/2017 seem to have dropped their efforts.

    This change is happening in the VOIP and IM markets, with WhatsApp and Skype changing to end-to-end encryption.

    Once we have end-to-end encrypted message bodies, a few changes could secure the meta-data better. Move the subject line inside the message body before encrypting, and move it back out when decrypting, so all of the servers and middlemen see only a dummy subject line. Encrypt the destination user's email address in some way that the destination server can decrypt, so only the originating client and the destination server and destination client know the full destination address (all other servers and middlemen can see the destination server name, but not the real destination user name). Do the same with the originating user's email address, in a way that only the originating server and originating client and destination client can decrypt. Example: a middleman would see "From: 5$33!8*AW@gmail.com To: 7^h$g#FS@yahoo.com Subject: none".

    GitHub's "Overview of projects working on next-generation secure email"


    Secure messaging (text, chat, voice, video):

    Some people say that internet email fundamentally can not be made very secure, without a total redesign. So they use non-email messaging.

    There is a convergence between text-chat and voice-call and video-call applications. Text-chat applications are adding voice and video, Skype has text, etc.

    Justin Carroll pointed out on a podcast:
    Many/most IM applications have the bad quality of using your phone number as your userID/username, making it impossible to keep your phone number private, and allowing people to voice-call or SMS you instead of only contacting you inside the IM application, etc. That's unfortunate.
    [Some that don't use phone number: Kik, Discord, Threema, Wickr Me.]

    Some major choices:
    WhatsApp
    Signal
    Google Voice and Allo and Duo ?

    Nate Drake's "Top 10 best secure messaging apps of 2017"
    Micah Lee's "Battle of the Secure Messaging Apps: How Signal Beats WhatsApp"
    Thorin Klosowski's "Secure Messaging App Showdown: WhatsApp vs. Signal"
    Hiding From The Internet's "Signal – Private Messenger"



  14. Data encryption (protecting "data at rest"):

    See "Data Encryption" section of my "Computer Theft Recovery" page


  15. Specific problems:

    Known bad software:

    Do not use these:


    Remote-access software:
    Be very careful if you have remote-access software installed on your computer for some reason. If someone hacks it or it's misconfigured, the attacker can do anything you can do sitting at the computer, and it will look just like you doing it.

    Jason Fitzpatrick's "How to Lock Down TeamViewer for More Secure Remote Access"
    Rick Rouse's "Protect your Windows PC from hackers by disabling Quick Assist / Remote Assistance"

    Turn off macros in Microsoft Office.

    A bit suspicious, and a general way to stop specific applications from running in Windows:
    Martin Brinkmann's "How to block the Chrome Software Reporter Tool"


  16. Keep account security info up-to-date:

    If your bank or credit card company sends you a security alert, but they send it to your old email address or old postal address, it doesn't do any good.

    If you have a login problem somewhere, and the web site says "no problem, verify by clicking link in your email", but they send it to your old email address, you're in trouble.

    If you never receive routine communications or verifications from your account at some company, figure out why and fix it, don't let it slide.


  17. Monitor your accounts for evidence of problems:

    At this point, there have been so many and such huge breaches (e.g. at OPM, Equifax, Anthem, more) that you should assume your Social Security number and DOB and credit-card info and email address have been stolen.

    Periodic checking:

    • Check the activity in your credit card and bank accounts every week or two.

    • Check your credit record annually (free; AnnualCreditReport.com), or use a credit-monitoring service.

    • Do a Google search on your email address and see what appears.

    • Use Have i been pwned?.
      And you can be notified by them in the future: Notify me.
      Similar plus more (soon): Firefox Monitor.
      Also:
      SpyCloud
      DeHashed (access to details costs $2.50 for 1 week).


    Maybe use an identity-theft warning service.

    Report freezing:

    Maybe freeze your credit report (a "credit freeze" or "security freeze"; usually free to apply and $5 to remove) or institute a fraud alert (free, but not as good).
    Credit agencies: Equifax, Experian, TransUnion, Innovis, NCTUE.
    Kristin Wong's "Keep Your Identity Secure With a Credit Freeze or Fraud Alert"
    Jason Lloyd's "Why You Should Freeze Your Credit Report"
    FTC's "Credit Freeze FAQs"
    William Charles' "Two Credit Bureaus You Should Freeze Before You Apply For A U.S Bank Credit Card"
    AJ Dellinger's "Equifax Operates Another Credit Bureau, and You Can't Freeze Your Report Online"
    From Brian Krebs' "The Lowdown on Freezing Your Kid's Credit":
    Some fans of my series explaining why I recommend that all adults place a freeze on their credit files have commented that one reason they like the freeze is that they believe it stops the credit bureaus from making tons of money tracking their financial histories and selling that data to other companies. Let me make this abundantly clear: Freezing your credit will not stop the bureaus from splicing, dicing and selling your financial history to third parties; it just stops new credit accounts from being opened in your name.

    Maybe freeze your salary/employment history report.
    Salary/employment history agencies: Equifax Workforce Solutions (AKA The Work Number, AKA TALX), AccuSource, InVerify.
    [I requested my TALX report. It only had the very last year of my work history (I retired almost 20 years ago), but it did have my employer, job title, and salary for that year.]
    Alicia Adamczyk's "How to Review (and Dispute) the Salary Data Equifax Collects on You"
    KrebsOnSecurity's "How to Opt Out of Equifax Revealing Your Salary History"

    Check your status in a bank-account-monitoring service:
    ChexSystems' "Consumer Disclosure"
    LexisNexis' "Access Your Full File Disclosure"
    [I requested my LexisNexis report. 42 pages, much of it repetitive. It showed 2/3 of the addresses I've lived at, and one address that was wrong. A boat that I had owned, but none of the cars I owned. None of my bank accounts or my credit card. Nothing about school or employment history.]
    [Sent an opt-out request to LexisNexis, and got a response (paraphrased): "Your request is approved and in process. Note that your info will remain in the following services: restricted public records products available to commercial and govt entities that meet credential requirements and are used to detect and prevent fraud, enforce transactions, perform due diligence and other critical business and govt functions; products regulated by the Fair Credit Reporting Act, third-party data available through real-time gateways; news; legal documents."]

    Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"

    A limited number of people can set a PIN on their IRS filings:
    IRS's "Get An Identity Protection PIN (IP PIN)"

    Apparently the US Post Office has a notification service where they send email to you when something is about to be delivered. You want to register for this before some bad actor does so in your name.

    Sign up for your online US Social Security account (may require a trip to a SS office).

    When someone uses your public reputation to get jobs:
    Relja Damnjanovic's "Freelancer Identity Theft: It Happened to Me - Here's What You Should Know"

    You can opt-out of some of this tracking:

    Opting out of everything probably is impossible, and a game of Whack-A-Mole. But at least hit some of the top places.

    Some opt-out services (on data-brokers, and on such services as Yahoo Mail) work by putting a cookie on your computer, telling their advertising code not to track you. But this conflicts with my desire to delete all cookies every time I close the browser.

    LexisNexis' "Lexis Nexis Opt Out/Information Suppression Request"
    SageStream Opt Out
    Acxiom Opt Out
    Palantir privacy statement

    Yael Grauer's "Here's a Long List of Data Broker Sites and How to Opt-Out of Them"
    StopDataMining.me's "Opt Out List"
    ParanoidsBible's "The Master Opt-Out List"
    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
    Elizabeth Harper's "How to Remove Yourself From People Search Directories"

    From interesting audio podcast interview of a guy who runs people-search sites, The Complete Privacy & Security Podcast episode 071:

    There are maybe 6 big players in the people-search industry ( Pipl, BeenVerified, Spokeo, TruthFinder, Radaris, MyLife, Intelius ), and a hundred subsidiaries/affiliates of them, and a hundred smaller competitors. And maybe 3000 web sites, owned by those companies. But they may create dozens of new web sites every week or month, trying to get into the top-ten results on Google Search.

    Some of the companies make money through ads, but mostly they make money when someone views their free report and decides to subscribe to get their full report.

    These companies are scraping data from everywhere: from each other, from govt, from companies such as real-estate agencies, from any account you create that allows sharing your data with third parties, etc. Some governments will sell driver's license data or car registration data.

    Getting a company to "delete your record" is not best, because your info probably will flow back in from somewhere else a week or a month later, and they'll treat it as a new record because they no longer have a record of you. It's better to have them "block your info", so they keep a record but don't give it out (if they're ethical).

    Disinformation can work, but it won't hide any real information, and you have to be consistent, using the same false info again and again, as many places as possible.

    Name, address, phone are the key items used to correlate data from various places, but I'm sure SSN, DOB, credit-card number are used when available.

    Some big services used by private investigators and law-enforcement: Tracers, TLO, IRBsearch.

    Kristen V Brown's "Deleting Your Online DNA Data Is Brutally Difficult"



  18. Simplify your life:

    Do you really need email accounts at N different providers ? Each one has to be secured. Really need accounts at Twitter, LinkedIn, Facebook, Snapchat, Instagram, YouTube, 20 different online stores, etc ? Each one is a possible security or privacy problem. Really need 5 credit cards and accounts at 5 banks ? Reduce, simplify.


  19. Be smart:

    Be aware of security threats, and don't fall for them. Know how to recognize spam, scams, phishing attempts. False alerts that say "something is wrong with your computer, better run this scanning software right away !". Be especially careful when downloading and installing software.

    Be especially careful in a big-money rushed situation such as closing a real-estate transaction (buying a house). A scammer may jump into the middle of the process and send you an email saying "okay, send the deposit money to bank account NNNNNNN, ASAP !". Always call to verify such things, and find out up front how and where the money will be transferred.

    Max Eddy's "How To Protect Yourself From Social Engineering"
    Alan Henry's "Why Social Engineering Should Be Your Biggest Security Concern"
    IC3's "Internet Crime Prevention Tips"
    Decent Security's "How Computers Get Infected"

    If someone says "I got a strange email from you, your account must be hacked !":
    This does not necessarily mean someone has been "hacked". Perhaps some software scanned Facebook, found that A and B are Friends, and found A's email address in A's Facebook profile. Then a scammer sends an email to A, claiming to be from B.

    One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".

    And of course scams are not just online, they also can come via phone or snail-mail or in person.
    Alan Henry's "Five Common Scams Directed at Seniors (and How to Avoid Them)"


Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
ProtonVPN's "12 mistakes that can get your data hacked - and how to avoid them"
Decent Security's "Windows Security From The Ground Up"
Wired's "Guide to Digital Security"
PRISM Break
Security-in-a-Box
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Justin Carroll's "Thirty-Day Security Challenge"
Open Reference Architecture for Security and Privacy
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
ProtonMail's "A complete guide to Internet privacy"
Fried's "The Ultimate Guide to Online Privacy"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"











Online Privacy



  1. Don't put really private stuff online. At all.

    Naked pictures of yourself or your spouse ? Personal embarrassments ? Dark secrets ? Something illegal ? Just don't put it online, or transmit it over the internet. Maybe don't even put it on your computer or phone or camera.

    Either stop using social media, or use it more carefully.


  2. Give "them" as little data as possible.

    Don't fill in all of those "profile" fields. Why tell Facebook where you've worked, where you went to school, who your family members are ?


  3. Give them fake data.

    Don't give them your real birthday, or real mailing address, or real phone number. Misspell your name slightly.
    [But: if Facebook or whoever later challenges you to produce real ID to verify your account, and your info doesn't match, you'll lose the account.]

    Set Facebook profile fields for school, work, places lived to real, big places that have no actual connection to you. Let them sell misinformation.

    Similar when installing an OS, or using a brand-new PC for the first time. Give your PC a generic name like "laptopJ", create a user account with a generic name like "userK", instead of using your real full name. Those names will appear on networks and other places.

    But you can't give fake data to police or government or schools or insurance or banks. That may be illegal, or may come back to bite you later in some way.

    Location Guard
    mcastillof's "FakeTraveler" (Android only; fake GPS location)

    Email address:

    It may be a good idea to have separate email addresses for family, work, financial, social, shopping.
    Hiding From The Internet's "Compartmentalization"

    You can get a disposable email address, which exists just long enough to finish registering somewhere: 10 Minute Mail, Mailinator, others.

    A service which will "screen" your real email address, phone number, credit card number by giving out different info which relays to your info: MaskMe (Stop giving out your real personal info online with MaskMe, a new privacy tool). [Maybe name has changed to "Blur" ? Blur]

    A service which will "screen" your real email address, phone number, credit card number by giving out virtual info (but not relaying to your existing providers, I think): Sudo

    Another: "PlusPrivacy feature - email identity management"

    In your email client, turn off automatic display of HTML, images, and Javascript. It's dangerous to let some random person send you a piece of software that executes in your client.

    Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

    On the other hand, if you use an email client application (such as Thunderbird), your email is not stored on the email provider's server for very long, it's stored on your personal machine. Maybe you can find a provider that promises to erase your messages completely from their server after you retrieve them to your machine.

    Changing your email address:
    Changing your email address on all accounts (such as from old insecure email service to a new secure email service) can be tricky. If your email address is used as your username on an account, the service may or may not let you change it. But if you can't change username, you still might be able to change email address used within the account. Worst case, you may have to delete the account and create a new one.

    You may be able to set your old email account to forward all messages to a new account. But this is bad as a permanent thing: makes everything less reliable, old provider still sees your mail, still have to manage old account as well as new one.
    Rick Rouse's "How to forward your Yahoo mail to another email account"


    Phone number:

    It may be a good idea to have separate phone numbers for family, work, financial, social, shopping.

    Sudo

    Credit-card info:

    Even if you have a credit card with a chip in it, the magnetic stripe on that card still contains all of the info needed to do a transaction, and the stripe is easy to read. So keep a close eye on any merchant you hand your credit card to. And monitor your account for any unauthorized charges.

    Virtual Credit Cards:
    You can get one or more Virtual Credit Card numbers. You may be able to set a purchase limit or time limit on the number. You might be able to get such a number from your existing credit card company.

    Such a number is virtual, not physical, so you can use it only online, not in a store. Don't use it for something you buy online but then pick up in person: air travel, hotel, rental car. Virtual numbers often don't work for overseas transactions, only within the country of origin. If your real number and all virtual numbers are issued by the same company, that company still can see all of your activity.

    I wonder about the legal implications of this. In USA at least, consumers have a lot of rights to dispute credit card charges and be protected against losses. What happens to those rights if charges are going through another service first ?

    Also, real credit cards often give accident insurance when renting a car, or trip-cancellation insurance when buying plane tickets.

    Neil J. Rubenking's "5 Things You Should Know About Virtual Credit Cards"
    Alan Henry's "Privacy Lets You Create 'Virtual' Credit Card Numbers, Deactivate One Instantly If It's Stolen"
    Rebecca Lake's "Why Virtual Credit Card Numbers Aren't Worth It"
    Simon Zhen's "Virtual Account Numbers: What You Need to Know"

    Blur
    Privacy.com
    Sudo

    My experience with Privacy.com 1/2018:

    Requires USA mailing address, requires email that can be verified, US phone number that can receive an SMS for verification. Will pay directly out of your bank account, so it requires your bank account username and password.

    Gave it credentials to my bank account at ETrade, but connection kept failing, they said there's a bug.

    A month later, I asked if they had fixed that bug, and instead they turned on ability to give ABA routing number and account number. I gave those numbers, they did 2 deposits to my account to confirm that it existed.

    A few days later, tried to create a number, and it failed. Turned out I hadn't quite finished the process, I was supposed to tell them exactly the amounts of the test-deposits.

    You can't create a physical credit card that carries a number created through Privacy.com, it won't work.

    Apparently each card you create can only be used at one merchant, the first where you use it. Not specified anywhere on the web site.

    Also not specified: what name is on the card. Asked Support, and got:
    In terms of name / billing, you can use any name and billing address / zip code with the merchant you would like, and we will return that it's correct when the merchant runs the charge.

    Please keep in mind though, merchants have sophisticated fraud checks on their end sometimes, so don't get too creative with the billing info or it might raise a flag in their system. Also if the transaction requires a shipping address, generally using a billing address in the same city is a good idea (for example, if the shipping address in San Francisco and the billing address is in New York it may trigger their fraud checks as well).
    So, you just have to give the right card number, CCV, and expiration date, and the card will work.

    From someone on reddit about Privacy.com 7/2018:
    Don't make multiple cards for same merchant, probably best to use same card for eBay and PayPal; there is an unstated daily spending limit as well as the stated monthly limit.

    Prepaid (debit) cards:
    You can get a physical card, so not just for online use. But refunds may get complicated. Any balance you load into the card might not be protected by banking laws, certainly not at the $50 limit of protection on a credit card.

    From someone on reddit 2/2018:
    Any card sold in the USA that is "reloadable" in some way must have a real SSN with matching name and Date of Birth on file. The only exception is the cards that are only loadable once and after the funds are gone, it is useless. You must have bought a reloadable one. You know that little folded-up piece of paper that folds out to about a legal-size sheet of paper with fine print on it? It is all in there. It also lets you know that the card can only be used within the USA and not outside of it. This includes online merchants and many online merchants in general are starting to block those cards regardless.

    Netspend


    Photo ID card:

    Official government ID that doesn't give away your address: passport, or US passport card (available for $55 when you renew your passport).

    Some people carry a fake ID, to show to businesses that demand photo ID. I think it's legal as long as it's not a fake of a government ID, and you're not committing fraud. A fake corporate employee ID card from a fake corporation, maybe. Maybe add this fake person as an authorized user to your real credit card ?

    Maybe in the future we'll get "decoy" tools or services: something that posts fake info online to make it harder for others to figure out your true info. Fake pictures of you, fake address, fake postings, etc.


  4. Maybe use login/password info from elsewhere, instead of using your own.

    BugMeNot
    login2.me


  5. Use "blockers".

    Several ways to do this:


    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
    Mozilla Blog's "Make your Firefox browser a privacy superpower with these extensions"

    There are costs to using a lot of blockers: an administration cost, but mainly a convenience cost. Many sites will stop working properly if you block scripts, some will refuse to work if ads are blocked, and some sites will not work even if you whitelist them in the blockers. You'll have to keep a "clean" copy of a browser (or browser profile) to use on those sites, and keep track of which sites require that special treatment.


  6. Set the "do not track" option in your browser to (maybe) stop "ad tracking".

    In Firefox 10, it's: Options - Options - Privacy - Tell websites I do not want to be tracked.

    But: Jon Brodkin's "Yahoo is the latest company ignoring Web users' requests for privacy"


  7. Reduce "browser fingerprinting".

    When you use a browser to fetch a web page, the browser sends a "user agent" string that may say something like "firefox 54.0 on Windows 10". Same happens when a game console or media player application etc accesses the web. See WhoIsHostingThis's "What's My User Agent?". Other information is sent: an "accept header" saying what types of media can be returned, your preferred language(s).

    Then after the page is retrieved, Javascript code in the page can access your browser and determine more details about your configuration, such as your time-zone, your screen resolution, (with some effort) what fonts are installed in your system, your browser's default language.

    All of this information can be used to form a "browser fingerprint" that may be unique to you, or close to unique.
    Am I Unique?'s "What is browser fingerprinting?"
    Lance Cottrell's "Browser fingerprints, and why they are so hard to erase"
    Mozilla Wiki's "Fingerprinting"

    This fingerprint can be used to track you, even across multiple web sites, even if you turn off cookies, change IP address, use a VPN, etc.

    Testing your fingerprint:
    EFF's "Is your browser safe against tracking?"
    BrowserLeaks.com
    Device Info
    Am I Unique ?
    Privacy.net's "Privacy Analyzer"

    Key ways to avoid fingerprinting:
    • Use an ad-blocker.
      uBlock Origin
    • Turn off Javascript.
      NoScript
      But this will break some sites (mostly some banks and govt sites), even if you whitelist them. Sometimes I have to switch to a different browser that does not have NoScript installed.
    • Minimize the number of browser add-ons you use.
    • Use a common browser and keep it updated.
    • Install multiple different browsers on your system, and use each for a different set of web sites.
    • Set the "do not track" option in your browser to (maybe) stop "ad tracking".
    • Set browser so it doesn't save usernames and passwords; verify using demo linked at Gunes Acar's "Web trackers exploit browser login managers".
    • New features coming in Firefox, from Tor: set privacy.resistFingerprinting to true.
    • Fake or random user-agent string.
      Paul Ferson's "How to Change the User Agents in Firefox, Chrome and IE"
    • Fake or disabled Canvas fingerprint.
      CanvasBlocker
      Canvas Defender
    • Fake or disabled WebGL fingerprint.
      CanvasBlocker
    • Fake or disabled WebRTC.
      CanvasBlocker ?
      Or in Firefox about:config, set "media.peerconnection.enabled" to false ?
    • Control system font list returned by browser ?
      In Firefox about:config, create a new string "font.system.whitelist" and set value to something like "Helvetica, Courier, Verdana". But for me, this made my fingerprint a lot worse.
    • Control installed plug-in list returned by browser.
      In Firefox about:config, set "plugins.enumerable_names" to empty.


  8. Minimize the number of things you use.

    Do you really need to use:
    • Each add-on you have installed in your browser ?
    • Each app you have installed on your phone ?
    • Each app you have installed on your computer ?
    • Each app you have allowed to access your Facebook account ?
    • Each app you have allowed to access your email account ?
    • Each social media site you use ?
    Every one of these is a potential point of failure: a thing that could be stealing and selling your data, or that could accidentally have a security vulnerability.


  9. Use the privacy controls in the ISP and social networks and sites you use.

    Very important: Log on to the web site for your ISP and find any privacy settings they have for your account.

    Facebook lets you control the access that Apps and external sites get to your data: go to Account - Privacy Settings - Apps and Websites - Edit your settings.
    Melanie Pinola's "The 'Nuclear' Option for Total Facebook App Privacy"

    Turn off your Google search history: here. Also Rick Rouse's "How to prevent Google from storing your search history and tracking your online activities"

    YouTube: profile - Video Manager - History - Clear All Viewing History, and then History - Pause Viewing History, and then Search History and do the same clear-and-pause.

    See and turn off data aggregating by BlueKai: here

    Handy central places to start:
    MyPermissions

    Instead of Google Search, use a service that promises not to track you:
    StartPage (but image search is slow)
    DuckDuckGo

    Privacy settings in Firefox browser:
    Privacy Settings add-on

    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"


  10. Apparently, "opting out" via NAI stops targeted ads, but does not stop companies from tracking your activities.


  11. Delete most cookies every now and then.

    This does two things: gets rid of tracking cookies, and means that if someone sits down at your computer and opens a site they won't automatically be logged in to that site.

    BleachBit
    CCleaner

    Or delete all cookies every time you close the browser:
    Ian Paul's "How to automatically delete your cookies every time you close your browser"
    Chris Hoffman's "How to Automatically Clear Private Data When You Close Your Browser"
    But if you do this, you'll probably want to be using a password manager, because you'll be logging in to sites a lot.

    Or use extension Cookie AutoDelete to delete most cookies but save some of them.


  12. Encrypt your traffic: use HTTPS web sites, and/or a proxy or VPN.

    Definitely use HTTPS on all of your sensitive sites: email, financial.

    But not every HTTPS site implements security to the same level; you can test a site using: Qualys SSL Labs' "SSL Server Test"
    testssl.sh

    See next section about proxy and VPN.


  13. Don't always use the same IP address, or hide your IP address via a proxy or VPN.



    Changing IP address periodically:

    If you're connecting through a home Wi-Fi and cable router/modem (and no VPN), you probably can't change your external IP address. The router/modem probably is using one external IP address for all devices on your home network. To test this, open browsers on two devices simultaneously and go to showip.net on both devices. You'll probably see the same (external) IP address for both devices.

    Try power-cycling the fiber router/modem, and see if it comes up with a new external IP address. It may not. Try powering it off for longer, such as overnight.

    Try contacting your ISP and asking if they can change your IP address. If they ask for a reason, I guess you could say "to increase my privacy, to make it harder for advertisers to track me" ?

    If you're connecting some other way, you may have a chance of changing IP address. On Windows, create a CMD file containing "ipconfig /release && ipconfig /renew" and run it as Administrator. Check before and after, using showip.net.

    WikiHow's "How to Refresh Your IP Address on a Windows Computer"

    VPN:

    There are two "directions" of VPN:
    • From your PC out to the internet. Also called a commercial VPN service (such as Windscribe, ProtonVPN, PIA).

    • From a PC you're using at some outside place (work, school, etc) into your home network and home PC or home file-server.

    This section is talking about the first type.

    Various combinations and who can see your data:

    If you use:                | Who can see what domains you access | Who can see your content
    HTTP to ISP                | LocalDevices + YourISP              | LocalDevices + YourISP + DestISP + DestSite
    HTTPS to ISP               | LocalDevices + YourISP              | DestSite
    HTTPS to VPNclient to ISP  | VPN                                 | DestSite
    HTTP to VPNclient to ISP   | VPN                                 | VPN + DestISP + DestSite

    • If you use HTTP and Wi-Fi to ISP, anyone spying on the Wi-Fi also can see every site and every web page and URL you visit and every search you do. If the Wi-Fi is in your house and encrypted, probably no one is spying on it. If it's public Wi-Fi in a cafe or something, there's a reasonable chance that someone will be spying. Also, your ISP knows your name and address, and can see every site and every web page and URL you visit and every search you do. They could log and monitor and sell this data.

    • If you use HTTP and wire or fiber ISP, your ISP knows your name and address, and can see every site and every web page and URL you visit and every search you do. They could log and monitor and sell this data.

    • If you use HTTPS encryption to ISP to sites, HTTPS encryption is used between you and the web sites. Your ISP knows your name and address, and can see every site (domain) you visit, but NOT web pages and URLs and searches. They could log and monitor and sell this data.

    • If you use HTTPS to ISP to VPN to sites, HTTPS encryption is used between you and the web sites, and an additional layer of HTTPS encryption between you and the VPN server. So your ISP knows your name and address, and can see only that you're talking to the VPN server; ISP can't see any site (domain) or page or URL or search data. The VPN may not know your true name and address, and can see every site (domain) you visit, but not web pages and URLs and searches. Also the VPN exit may be in another country, so no one on that end knows what country you're in. And all of your traffic to site X will be mixed with traffic from other users of the same VPN to that same site, so it's harder for a spy on the site connection to separate out your traffic.

    • If you use HTTP to ISP to VPN to sites, a layer of HTTPS encryption is used between you and the VPN server. So your ISP knows your name and address, and can see only that you're talking to the VPN server; ISP can't see any site (domain) or page or URL or search data. The VPN may not know your true name and address, and can see every site and every web page and URL you visit and every search you do. They could log and monitor and sell this data. Also the VPN exit may be in another country, so no one on that end knows what country you're in. And all of your traffic to site X will be mixed with traffic from other users of the same VPN to that same site, so it's harder for a spy on the site connection to separate out your traffic.

    • Not all web sites support HTTPS.

    • "The ISP" could be your home ISP, or one used by your school or library or restaurant where you use Wi-Fi. So a VPN is not just protecting against your home's ISP.


    Some drawbacks of using a VPN:
    • You will pay a performance penalty, the only question is how much.

    • Some VPNs may sell your data.

    • You may pay money for the VPN.

    • Some sites may not work or may impose a CAPTCHA if they see your traffic is coming out of a VPN. Some (e.g. PayPal) may not let you log in through a VPN unless you have two-factor authentication enabled on the account.

    • Some sites (such as govt or credit-reporting companies) may not work if they see your traffic coming from a foreign country.

    • Some sites (such as bank or PayPal) may trigger a security flag if they see your traffic coming from an unusual country.

      My bank said this:
      We do not prohibit the use of a VPN per se, but VPN use often triggers our automated high-risk login protocols which lead to temporary account restrictions.

      We strongly suggest if you choose to use a VPN that you also enable two-factor authentication on your account. An account with active two-factor authentication should be exempt from automated restrictions.
      [Someone on reddit said same is true of Capital One; if you use VPN, have to use 2FA.]
      But your VPN may always have its traffic coming from a certain country, and you may be able to specify a static IP address. So you could reduce or avoid this problem.

    [To avoid the last three issues, you may be able to add VPN exceptions or a proxy so that some sites don't go through the VPN, or set one browser or browser profile to use the VPN and another to not use it.]

    • Some networks (such as a school or library or public network) may ban/block VPN use.
      You may be able to defeat this by using OpenVPN with TCP + port 443 instead of the more common UDP + port 1194.

    • You're adding another layer, another point of failure, to your system. If the VPN or its ISP is down, you're down.

    • If you're installing the VPN's custom app on your system, you're trusting the VPN vendor not to be malicious.

    • Your ISP has to obey the laws of your country; the VPN may be located in some foreign country under a different legal system. The VPN company may be less regulated than your ISP.

    • If the VPN shares IP addresses among many customers, you may suffer from the bad behavior of other users. For example, suppose user X uses address N to do spamming, Google tags that address as a spammer, then you connect to the VPN and start using address N ? Maybe Google tags you as a spammer. Avoid VPNs that share IP addresses among customers ?

    • Some networks (e.g. hotels, schools) may disable use of a VPN, and some VPN clients may not inform you of this. So you could browse for a while thinking you're using the VPN, when you're not. The feature where the VPN client software disables all internet access if the VPN disconnects is called a "kill switch".


    • Many of the advantages of HTTPS and VPN can be lost via Javascript or user's own actions. What good is it to have the VPN hide your originating country if Javascript on the web page gets your location from the browser and sends it to the web site ? What good is it to hide your real name and address from ISP and VPN if you just go ahead and post those things on Facebook anyway ? Or suppose while you're browsing, some updater software on your machine connects to an update server using your ID for that service ? In each case, you're not giving the info directly to the ISP or VPN companies, but you're revealing it. So HTTPS and VPN by themselves are not cure-alls.

      From Tor Project's "b. Don't torrent over Tor":
      Torrent applications "often send out your real IP address in the tracker GET request".

    • I suspect that there is a vulnerability if your computer connects to internet automatically at startup, and your VPN client is running in the computer (not in the router). When the OS boots, various services and apps on the computer may access the internet directly before the VPN client starts up, revealing your true IP address to some sites.

    • Some VPNs provide filtering features. For example, 10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.


    VPN client software:

    To use a VPN, you have to have some client-side software installed at some level. Could be:

    • Add-on in browser (so works only for that application), or

    • A layer in OS networking stack on client computer (so each computer in the house has to install it), or

    • In router used by all client devices in the house.

      Some VPNs have client software that can be installed in your home router/modem. Only a few home routers support this, and maybe only pre-installed before you buy the router.

      Advantages: nothing has to be installed on each client device, some client devices (such as game consoles) are locked down and you can't install VPN client software on them, new devices automatically use the VPN, you administer the VPN client in only one place.

      But if that home router/modem is owned by your ISP, they may be able to see your traffic before it goes into the VPN. And if you need to disable the VPN to play a game or stream video or something, it may get disabled for all devices. Make sure you can put a list of domains into the VPN router client, so access to those sites does not use the VPN, because some sites will not tolerate a VPN. Another disadvantage: if you take your phone/laptop to another network, it no longer has (automatic) use of the VPN, you have to remember to switch to client software on the device.

      From someone on reddit 6/2017:

      > I want to buy a used router/modem for $100
      > that would run a VPN client.

      On a $100 budget you won't be able to get a new modem and router and have a router that is decent for VPNs.

      Consumer-level routers are generally woefully underpowered for OpenVPN, so you need the best router CPU that you can get for the budget you have. An underpowered CPU in the router will severely limit your performance to all devices connected through the router while on the VPN.

      Also consider the OS of the router. Asus has done a lot of work to make the OpenVPN install process very easy on their routers, and many other vendors do not support OpenVPN out of the box and require flashing the router to DD-WRT or Tomato, which can be hit and miss with support for your router hardware and also be an older build that contains security vulnerabilities.

      DD-WRT does have the advantage of being open source, unlike AsusWRT, but it really is a sh*tshow for first-time VPN users.

      Based on your budget, I'd get a mid-range consumer-level router from your preferred brand, and connect to the VPN using a regular OpenVPN client on the devices that you want protected. This is because a typical PC (even an old one) has many times over faster CPUs for VPN usage.

      This setup would give you the protection of a VPN, with decent speeds (if your VPN provider is fast) and not break your budget.

      Router specifically built to run a VPN client: InvizBox

    The client software could be:
    • Proprietary to the VPN vendor, or
    • Built into the OS, or
    • Open-source standard (OpenVPN or WireGuard)

    OpenVPN is:
    • A standard communications protocol, and
    • An open-source protocol layer in the 7-layer stack, and
    • An application to start and manage the OpenVPN protocol layer.

    It seems to me that if the client piece is proprietary software from the VPN vendor, you're trusting it to a great degree: it can see all of your unencrypted traffic and encrypted traffic. Also it could install something else: Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"

    From someone on reddit's "/r/VPN":
    > On Android, should I install VPN provider's app directly, or
    > should I set up OpenVPN per instructions on provider's website?

    Often the custom VPN client supplied by a VPN service has nice features that make it preferable to use. The stock Android OpenVPN client is spartan. 'OpenVPN for Android' by Arne Schwabe is better. You choose based on features/convenience.

    I tried OpenVPN client on Windows 10 with Windscribe VPN 4/2018:

    • Downloaded OpenVPN client installer from OpenVPN's "Downloads".
    • Logged in to Windscribe web site and downloaded files from OpenVPN Config Generator.
    • Installed OpenVPN and copied Windscribe ".ovpn" config file into OpenVPN config folder.
    • Ran OpenVPN client and logged in with credentials from Windscribe.
    • DNS leak test showed a DNS leak until I added a "block-outside-dns" line to the config file Windscribe gave me. (But someone says that "only works for modern Windows versions, using the Windows Filtering Platform (WFP)", which is true.)
    • No way to select a particular VPN server, but directive such as "remote es.windscribe.com 443" in the OpenVPN client config file means you will get a Windscribe server in Spain ("es").
    • I didn't install certificates supplied by Windscribe, and saw no obvious ill effects.

    Michael Horowitz's "An introduction to six types of VPN software"

    • Who can monitor/log your activity ?
      The choice is:
      • Your home ISP, if you use no VPN.
      • The VPN service, if you use a commercial VPN.
      • The cloud service, if you use your own VPN server hosted on a cloud service.
      • Your home ISP, if you use your own VPN server hosted at home.

    • Summary:
      • Definitely use HTTPS on every site that supports it.
      • Using a VPN hides HTTP traffic from your ISP, and others on your network.
      • Using a VPN has costs, in performance and functionality and maybe money.
      • Even if the VPN is logging and selling your data, that may be better than your ISP doing the same.

    From /u/wilsonhlacerda on reddit:
    > Which is the cheapest vpn app out there? That won't sell my info?

    You never know if they will sell or not. If they will give it away or not. If they will spy on you or not. Or if they will give info when justice, government, cops, or similar demand them or not. If not the company itself, then an employee, will get your info or not.

    Yegor S's "Free VPN Myths Debunked"

    Excerpted from an FT article, on reddit 11/2018:
    More than half of the world's 30 most popular smartphone apps for browsing the internet privately are owned by Chinese companies, according to a new study that raises significant privacy concerns.

    Seventeen of the apps, which offer to connect users to the internet through a secure tunnel known as a "virtual private network" (VPN), were owned either by Chinese companies or companies appearing to have links to China.

    ...

    But the companies operating them often had very limited privacy policies, said Simon Migliano, the head of research at Top10VPN.com, which reviews VPN services.

    "We found a few apps that explicitly stated that users' internet activity was logged, which we have never seen anywhere else with VPNs. [VPN] policies usually state that they never ever log data," he said.

    "We even found that in some cases they stated they would share your data with third parties in mainland China, which is clearly anti-privacy."

    ...

    "It's pretty crazy that 60 per cent of apps we looked at didn't have a company website. Over half hosted their privacy policies on free wordpress blogs, that had ads on the page, full of typos and when you looked at them together, they had copied and pasted from each other in a sloppy way. This is far from what you'd expect from an internet company trying to protect your privacy."

    Three of the apps - TurboVPN, ProxyMaster and SnapVPN - were found to have linked ownership. In their privacy policy, they noted: "Our business may require us to transfer your Personal Data to countries outside of the European Economic Area ("EEA"), including to countries such as the People's Republic of China or Singapore."

    From someone on reddit:

    VPN Kill Switch For Linux Using Easy Firewall Rules

    If you're connected to a VPN, you need a killswitch. No, it's not as metal as it sounds. It's just a mechanism that stops your Internet connection when you're disconnected from the VPN. It protects you from inadvertently leaking sensitive information onto the Internet when the VPN connection drops.

    Some VPN services provide clients with a built-in killswitch, but none are as reliable as using iptables. Since iptables is independent of your VPN service, and it's integrated into the kernel itself, it won't fail when your VPN does. Iptables is also a well-proven security technology that can and will keep your computer safe.

    The Tin Hat's "The Best VPN Kill Switch For Linux Using Easy Firewall Rules"
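
    An added example of the iptables approach described above (not taken from the quoted post or the linked article): a script that prints default-deny rulesets allowing only loopback, DHCP, the encrypted connection to the VPN server, and traffic inside the tunnel. The server address, port and interface names are assumed sample values; IPv6 is blocked outright on the assumption that the VPN carries IPv4 only.

```shell
#!/bin/sh
# VPN kill switch as iptables-restore rulesets (added example, Linux).
# Assumed sample values, replace with your own:
VPN_IP=203.0.113.10   # VPN server address (constructed, documentation range)
VPN_PROTO=udp         # OpenVPN's usual transport; tcp is also accepted
VPN_PORT=1194
PHYS_IF=eth0          # physical interface (Wi-Fi is often wlan0)
TUN_IF=tun0           # tunnel interface created by the VPN client

# Print an IPv4 ruleset: default DROP on every chain, then allow only
# loopback, replies to connections we opened, DHCP renewals on the physical
# link, the encrypted connection to the VPN server, and the tunnel itself.
killswitch_rules_v4() (
    vpn_ip=$1 proto=$2 port=$3 phys=$4 tun=$5
    case $proto in udp|tcp) ;; *) echo "protocol must be udp or tcp" >&2; exit 2 ;; esac
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; exit 2 ;; esac
    # The server must be an IPv4 address: a hostname would need a DNS lookup
    # outside the tunnel, which is exactly what these rules block.
    case $vpn_ip in
        ''|*[!0-9.]*) echo "VPN server must be an IPv4 address" >&2; exit 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $phys -d $vpn_ip -p $proto --dport $port -j ACCEPT
-A OUTPUT -o $tun -j ACCEPT
COMMIT
EOF
)

# Print an IPv6 ruleset that blocks everything except loopback, so IPv6
# cannot bypass an IPv4-only tunnel.
killswitch_rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Usage, as root (save the current rules first with iptables-save):
#   sh killswitch.sh v4 | iptables-restore
#   sh killswitch.sh v6 | ip6tables-restore
case "${1:-}" in
    v4) killswitch_rules_v4 "$VPN_IP" "$VPN_PROTO" "$VPN_PORT" "$PHYS_IF" "$TUN_IF" ;;
    v6) killswitch_rules_v6 ;;
esac
```

    With these rules loaded, a dropped tunnel leaves no route out except the connection to the VPN server, and machines on the local network are unreachable too.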

    Testing to see if all traffic actually goes through the VPN:

    • Do DNS leak testing, with sites such as Doileak.com and IPleak.com.

    • Run a traffic dump and see if any traffic is going to any address other than your VPN's address.

      On Linux, use tcpdump.

      On Windows, use netsh and Microsoft Message Analyzer [WORK IN PROGRESS; MAY BE WRONG]:
      1. Make sure your VPN is running.
      2. Run CMD as administrator (Start menu, search for cmd, right-click on Command Prompt, choose "Run as administrator").
      3. Run "Netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=yes traceFile=C:\Logs\NetTrace.etl".
      4. Do some network activity.
      5. Run "netsh trace stop".
      6. Install Microsoft Message Analyzer
      7. Run Microsoft Message Analyzer.
      8. Open the trace file (".etl" file) saved by netsh.
      9. Your VPN's address probably starts with 10 or 172 or 192. Addresses starting with 127 are okay. (Wikipedia's "IPv4") Access to an IP address starting with some other number is suspicious. Try looking up suspicious addresses on LookIP.net.
      10. To do this efficiently, add filter "!(IPv4.Address in [10.0.0.0/8, 172.0.0.0/8, 192.0.0.0/8, 127.0.0.0/8])".
      11. Apparently only values of TCP "local" addresses matter ? "Remote" will be the outside address the VPN server is talking to, but your computer is not talking directly to that address ?
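
    For the tcpdump check on Linux mentioned above, an added example (not from the original page): a filter over `tcpdump -nn` text output that prints every remote address contacted outside the VPN connection. It assumes the capture is taken on the physical interface and that the host has a private LAN address; the sample capture and all addresses in it are constructed.

```shell
#!/bin/sh
# Added example: flag packets that left the physical interface without
# going through the VPN. Reads `tcpdump -nn` text output on stdin.

# find_leaks VPN_SERVER_IP
# Prints each remote address once, for packets that are neither to/from the
# VPN server nor purely local (LAN, loopback, link-local, multicast).
# No output means no traffic bypassed the tunnel during the capture.
find_leaks() {
    awk -v vpn="$1" '
    # Strip the trailing ":" and the ".port" suffix that tcpdump appends.
    function addr(ep,    n, p) {
        sub(/:$/, "", ep)
        if (ep ~ /:/) { sub(/\.[0-9]+$/, "", ep); return ep }   # IPv6
        n = split(ep, p, ".")
        if (n == 5) sub(/\.[0-9]+$/, "", ep)                     # IPv4 with port
        return ep
    }
    # Private, loopback, link-local, multicast and broadcast ranges.
    function is_local(ip,    o, a, b) {
        if (ip ~ /:/) return (ip ~ /^fe80:/ || ip ~ /^ff/ || ip == "::1")
        split(ip, o, ".")
        a = o[1] + 0; b = o[2] + 0
        return (a == 10 || a == 127 || a >= 224 ||
                (a == 172 && b >= 16 && b <= 31) ||
                (a == 192 && b == 168) || (a == 169 && b == 254))
    }
    ($2 == "IP" || $2 == "IP6") && $4 == ">" {
        src = addr($3); dst = addr($5)
        if (src == vpn || dst == vpn) next          # the encrypted tunnel itself
        if (is_local(src) && is_local(dst)) next    # LAN chatter (ARP is not IP)
        # Report the far end; with a global IPv6 address on this host either
        # end may be printed, and any output at all is the finding.
        remote = is_local(dst) ? src : dst
        if (!(remote in seen)) { seen[remote] = 1; print remote }
    }'
}

# Constructed capture: LAN host 192.168.1.23, VPN server 203.0.113.10:1194.
sample_capture() {
    cat <<'EOF'
12:00:01.000101 IP 192.168.1.23.51820 > 203.0.113.10.1194: UDP, length 148
12:00:01.000913 IP 203.0.113.10.1194 > 192.168.1.23.51820: UDP, length 132
12:00:01.250000 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28
12:00:02.114007 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (32)
12:00:03.560412 IP 192.168.1.23.40112 > 198.51.100.53.53: 4411+ A? example.com. (29)
12:00:03.901277 IP 192.168.1.23.44012 > 198.51.100.80.443: Flags [S], seq 1, win 64240, length 0
12:00:04.000001 IP 198.51.100.80.443 > 192.168.1.23.44012: Flags [S.], seq 1, ack 2, win 65535, length 0
12:00:05.300000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 64
12:00:06.120000 IP6 2001:db8::23.50000 > 2001:db8:53::1.53: 7+ AAAA? example.com. (29)
EOF
}

# Demo on the constructed capture. For a live check, as root:
#   tcpdump -nn -l -i eth0 -c 500 | find_leaks <vpn-server-ip>
# Capture on the physical interface (eth0 or wlan0), not on tun0.
sample_capture | find_leaks 203.0.113.10
```

    In the sample, the DNS query and the HTTPS connection that bypass the tunnel are reported, along with an IPv6 DNS query, which is a common way for traffic to escape an IPv4-only VPN.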

    Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
    Thorin Klosowski's "The Biggest Misconceptions About VPNs"
    joepie91's "Don't use VPN services"
    Max Eddy's "The Best VPN Services of 2017"
    TheBestVPN's "Best VPN Services"
    Amul Kalia's "Here's How to Protect Your Privacy From Your Internet Service Provider"
    ProtonVPN's "VPN Threat Model" (what a VPN can and can't protect you from)
    Troy Wolverton's "No perfect way to protect privacy"
    Jonas DeMuro's "7 good reasons why a VPN isn't enough"
    VPN Scam's "How to Avoid VPN Scams in 2017-2018"
    reddit's /r/VPN
    Wikipedia's "OpenVPN"

    Private Internet Access (PIA) VPN
    ProtonVPN
    Windscribe

    Some "VPNs" are just data-collecting operations:
    Dell Cameron's "Do Not, I Repeat, Do Not Download Onavo, Facebook's Vampiric VPN Service"
    Justin Cauchon about Verizon Safe Wi-Fi VPN

    General complaint, from /u/wombtemperature on reddit 5/2017:

    This VPN industry needs a wake-up call, ELSE a better way at helping the average joe at Starbucks. Guys. Like. Me.

    I read. As such, I know the importance of a VPN. In fact, I have spent hours/days reading up on them. I have made Excel spreadsheets to compare them (and looked at the ones on "that site"). I even WANT to give you my money to ensure I have a good one. As such, I have tried 4 paid popular ones I won't mention as I don't want to call them out, and spent a ton of time testing them on my PC and mobile.

    They all are frustratingly SLOW. Or interfere with connections.

    No matter what, all I want is a FAST secure connection I don't have to think about. Yet, I can't find a VPN that doesn't bring my public and often home networks connections to a crawl. The expected "30% drop" is BS. And none automatically find me the best servers, and in fact often I can get faster servers 5000 miles away, but I have to manually select them.

    I understand it's complicated. But I have stuff to do. Seriously. Which is why I want to pay someone else to think about these things and give me a good product.

    You all sales-pitch me the "fastest speeds" but then I watch as my connection up and down speeds drop to pathetic - and I have the spreadsheets to prove it.

    To anyone listening I speak for the masses ... take my money and give me a decent, secure VPN connection.

    And if I am just not "reading enough" to know how to get what I am looking for, then it highlights my point that there is a problem out there for the non-technical guys like me who just want security without massive compromise and hours of research.

    From /u/Youknowimtheman on reddit:

    When we talk about speed drops, you're going to lose ~9% just because of how the encapsulation and encryption works. You're also going to lose about 10ms on pings because the actual encrypting and decrypting takes time.

    It is also important to manage expectations when we talk about privacy networks that are based on shared connections. We have had a rash of users on our service that are unhappy with our "slow" performance because their gigabit connection slows down to 190Mbit. They don't understand the nature of VPNs and that in order to keep their information private, their traffic has to be mixed with other users on a server, and these servers are running the same 1Gbit connection that they have. Yes, it is 20% of your line speed, but at the same time it is extremely fast for the market generally, and pretty much the limits of what you'll see on a server with proper user densities to protect your information.

    If you're talking about a 30% drop on 10Mbit that is significant. If you're getting a 30% drop on 200Mbit that's absolutely normal.

    There are also other factors that play into VPN performance like distance from the server, which protocol they are using, etc.

    In other words, you're always going to have some loss. If all factors are good, you can minimize that loss up to a limit in speed. More than 200Mbit just isn't going to happen on a safe and private connection generally.

    IPv6, from someone on reddit 6/2017:

    > why do many VPN setup guides advise you to disable IPv6 ?

    A lot of VPNs only handle IPv4 so on those any IPv6 traffic bypasses the VPN.

    Easiest fix is to disable IPv6. Better long-term solution would be to get a VPN that properly handles IPv6.

    ...

    ... the main reasons are:

    • Many ISPs still do not support ipv6 to clients. Unlike retail ISPs, VPN providers tend to be global services, so this is not a small deal.

    • Less than 20% of server sites support ipv6 - google conveniently tracks these sorts of stats.

    • ipv6 has very different configuration and security characteristics than ipv4, especially in extensibility at a protocol level. It is very easy for network and stack providers, i.e. including your OS, to mess up on both fronts, leading to an insecure network potentially at multiple levels. These issues are several factors worse on mixed networks, i.e. tunnelling ipv6 through ipv4 or ipv6 and ipv4 on same networks.

    • Related to the above, ipv6 is still maturing. Even the hardware tech to support both the equivalent level of configuration and security at scale for ipv6 is not readily available or is more costly than ipv4.

    • By default ipv6 uses globally routable addresses, i.e. every client gets an address that uniquely identifies them perhaps forever for a given ISP-client combination. Any leak there would be bad news. Since many VPN providers cannot even maintain leak-free status in ipv4, ipv6 over a VPN is not something to be carelessly keen about.

    • OpenVPN, the most popular retail VPN protocol, has been slow to add ipv6 support and it is still incomplete.

    That's why, if you really care about security, your first concern is finding a strong VPN provider. Something like supporting ipv6 is not on most people's priority list, including not your VPN provider, except the best-in-class ones that at least prevent leaks at the client no matter which IP protocol they use.

    ...

    Most budget/end user VPNs only cover IPv4 traffic, and anything sent over IPv6 is ignored.

    ...

    I have seen anecdotally IPv6 messing up network applications. On more than one occasion.

    Campbell Simpson's "CSIRO: Most Mobile VPNs Aren't Secure"
    Sven Taylor's "VPNs are Using Fake Server Locations"
    Violet Blue's "Is your VPN lying to you?"
    Sunday Yokubaitis on companies behind various VPN brands

    If you want to host your own outbound-to-internet VPN, you shouldn't do it on your home network, because you'll still be using your home ISP. Instead, you need to have a different ISP for your VPN server, which probably means hosting the VPN server in a cloud service.
    Jim Salter's "How to build your own VPN if you're (rightfully) wary of commercial options"

    One reason to build your own outbound-to-internet VPN (maybe hosted on a cloud service): some public networks (in hotels or schools or fast-food places) may block access to the IP addresses of well-known commercial VPNs, but the IP address of your personal VPN won't be in their block-list.

    I tried ProtonVPN free, starting 9/2017:
    Torrenting not allowed when using free version.

    I don't see any slow-down, but I am in Spain and mostly using USA web sites, so my speeds probably already were slightly low.

    If I'm using a VPN server in another country, and do a Google search, Google changes country to France or Latvia or wherever the VPN server is. So I get results in French or Latvian or whatever.

    Each time I change to a VPN server in a new country:
    • Yahoo Mail may warn about new time zone, sends email about login from new location.
    • FB says suspicious activity, answer questions, or sends email about login from new location.

    In Windows 10, if you run the VPN and then click on the Network icon in the system tray and connect to Wi-Fi, it's possible to get connected to both the VPN and the normal Wi-Fi simultaneously. To fix this, I think you have to disconnect from both, then connect to Wi-Fi, then run the VPN.

    I started using Windscribe 2/2018:
    Free license. I installed only the Windows (VPN) part, not the Firefox (ad-blocker) part.

    Limited to 10 GB per month in free version, less if you don't give an email address when you sign up. And 10 GB goes faster than you'd expect. Torrenting works.

    Has a "kill switch": if the VPN connection goes down, your internet connection gets severed, instead of silently becoming non-VPN. Misleadingly, Windscribe calls this "firewall".

    I'm sure some privacy-guys will say don't use Windscribe because they're a Canadian company, and 2/3 of their servers are in USA or Canada.

    Seems to work well, good reviews online, turns out there are discount codes you can use to get a great deal. So I paid $41 for a Lifetime Pro subscription, unlimited devices, unlimited usage.

    Installed it on my Android 7 phone, works okay.

    I've done some occasional speed tests using my cheapo Dell laptop, Windows 10, Firefox, Vodafone fiber internet in Spain, VPN server in Spain or France. I'd say I see a performance penalty of 0 to 20% when using the VPN.

    A few sites behave badly if I use Windscribe:
    If I'm using Windscribe, PayPal USA makes me verify identity and then forces me to change password.
    If I'm using Windscribe, Ryanair won't let me log in.
    If I'm using a non-USA Windscribe server, TaxAct Online won't let me log in.

    I was able to connect from my location in Spain, to a Windscribe server in USA, and then to a streaming web site, and stream a football (soccer) game in Spain, although the window was only 640x480, I think.

    There are several ways to install Windscribe client on Windows:

    There is a special setup procedure for uTorrent application: Windscribe's "uTorrent Setup Guide". But you're still protected if you don't do that.

    Windscribe client can be installed in a router: see "Windscribe for Your Router" section of Windscribe's "Setup Guides". Only one Windscribe server can be listed, so if that one goes away, no internet. Windscribe firewall runs in the client OS, not the router. If connection to server drops, what happens depends on your router firmware, nothing to do with Windscribe.

    If you run Windscribe in the router and nothing at all in the clients, all traffic does go over the VPN.

    People online say that in iOS (Apple), the "firewall" doesn't work, because of the architecture of iOS. What functionality is lost ?

    I changed my laptop to Linux, and installed Windscribe client Beta on it. If I try to turn on Linux firewall, the two firewalls fight each other, apparently. Windscribe Support says use one or the other. Support also says:
    "There is currently no way to add rules to the Windscribe Firewall unfortunately. It either blocks everything that isn't coming from the VPN IP or it allows any connections to your direct IP. On and off. The only rule that we have built-in as an option is to allow LAN traffic so you can have the Firewall on and still connect to devices on your location network."
    And then they said:
    "The Windscribe Firewall is the Linux Firewall. The Windscribe CLI is using IPtables. Windscribe makes a rule to block everything that isn't in the VPN tunnel. The LAN traffic rule is just there if you do need it. The Firewall will block LAN traffic as well unless you don't want it to. And yes, there are instances where you'd want the Firewall to have exceptions for certain apps or services but since the Windscribe CLI is still in beta, we don't have those whitelisting options yet."

    10/2018 Windscribe announced their servers block IPs of known sources of malware, and soon their DNS's will be doing ad-blocking. The level of filtering will be adjustable.


    Proxy:

    A proxy just redirects your traffic, making it come out from a different computer with a different IP address. Doesn't add any encryption.

    Proxies have most of the same drawbacks as VPNs (added point of failure, some sites may not allow, have to trust provider, etc), but the performance penalty for a proxy should be much less than that for a VPN.

    Privacy.net's "What proxy servers are and how they differ from VPNs"
    Jason Fitzpatrick's "What's the Difference Between a VPN and a Proxy?"
    NewIPNow.com

    Hide My Ass! (free proxy server)
    Proxify
    Public CGI (Web, PHP) anonymous proxy free list
    search for Firefox proxy add-ons

    Firewall:

    A firewall lets you control what kinds of traffic flow in and out of your network.

    Some types:
    • Level 3 (packet filtering): filter by IP address, port number, and protocol type (TCP, UDP, ICMP) ?

    • Level 4 (stateful filtering): filter TCP and maybe UDP by connection and session state.

    • Level 7 (application level): understand application protocols such as FTP, SMTP, Telnet, HTTP, etc.

    • WAF: Web Application Firewall (understand HTTP and associated).
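
    The difference between the first two types, as an added example that is not part of the original page: a small Python model in which the Level 3 filter judges each packet alone, while the Level 4 filter only admits inbound packets that belong to a connection opened from inside. The packet class, the rule set (outbound HTTPS only) and all addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving the LAN, "in" = arriving from outside
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags: "S" (SYN), "SA", "A", "F", "R"


def stateless_allow(pkt):
    """Level 3 style: look only at protocol, addresses and ports of this packet."""
    if pkt.proto != "tcp":
        return False
    if pkt.direction == "out":
        return pkt.dport == 443
    # Web replies arrive *from* port 443, so the rule has to admit that,
    # even though nothing proves the packet answers anything.
    return pkt.sport == 443


class StatefulFirewall:
    """Level 4 style: remember connections opened from the LAN side."""

    def __init__(self):
        self.connections = set()

    def allow(self, pkt):
        if pkt.proto != "tcp":
            return False
        if pkt.direction == "out":
            if pkt.dport != 443:
                return False
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.connections.add(key)        # new outbound connection
            elif key not in self.connections:
                return False
            if "R" in pkt.flags or "F" in pkt.flags:
                self.connections.discard(key)    # simplified teardown
            return True
        # Inbound: must be the mirror image of a tracked connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


# Constructed traffic: one real HTTPS exchange plus two unsolicited packets.
SAMPLE = [
    Packet("out", "tcp", "192.168.1.23", 50000, "198.51.100.7", 443, "S"),
    Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.23", 50000, "SA"),
    Packet("in", "tcp", "203.0.113.99", 443, "192.168.1.23", 22, "S"),
    Packet("out", "tcp", "192.168.1.23", 50000, "198.51.100.7", 443, "R"),
    Packet("in", "tcp", "198.51.100.7", 443, "192.168.1.23", 50000, "A"),
]


def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    firewall = StatefulFirewall()
    return [(stateless_allow(p), firewall.allow(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (level3, level4) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags}]  level3={level3} level4={level4}")
```

    The third and fifth packets pass the port-based rule but are dropped once connection state is tracked.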


    Wikipedia's "Firewall (computing)"
    Palo Alto Network's "What Is a Firewall?"
    Cisco's "What Is a Firewall?"
    Chris Hoffman's "Do I Need a Firewall if I Have a Router?"

    A firewall could be:


    Torrent Seedbox:

    A Seedbox is a torrent client on a cloud/server computer. All torrents go to that server, then you FTP from that server to your computer. So if your ISP doesn't allow torrenting, or you're downloading copyrighted material, this evades those problems.

    Seedbox Guide's "What is a seedbox?"

    DNS:

    DNS is how domain names such as "google.com" are resolved into IP addresses such as "1.2.3.4".

    Most likely, your computer is using either Google's Public DNS (8.8.8.8 or 8.8.4.4), or a DNS run by the ISP or VPN you are using, or is set to find a DNS automatically (which probably means: DNS run by the ISP or VPN).

    To find out what DNS you are using, open a command prompt and run "nslookup google.com". First address shown is your DNS's address. But an IPv4 address that starts with "10.", "172." or "192." likely is an "internal" address, meaning that something in your computer or VPN or router or ISP is grabbing that address and mapping it to something else. See Tim Fisher's "Private IP Address". A leak-test such as Doileak.com will tell you what DNS server actually is being used.

    The DNS can see what sites (domains) you are connecting to, but not which pages or URLs or searches you are doing on those sites.

    If you're using Google's DNS, and don't want Google to know what sites (domains) you visit, you can change to another DNS.

    If you're using the ISP's DNS, and are not using a VPN, there's no point in changing DNS, the ISP sees all of the sites you use regardless of the DNS.

    If you're using the ISP's DNS, and are using a VPN, you could change to another DNS, accessed through the VPN, and the ISP will not be able to see anything except that you're accessing the VPN. No sites (domains), no pages or URLs or searches.

    If you're using a VPN or proxy or Tor to hide your normal traffic from your ISP or someone spying on your network, yet your DNS traffic is NOT going through the VPN etc, this is called a "DNS leak". A web page may be able to use JavaScript to find out your real IP address, even though you're using a VPN etc.
    Wikipedia's "DNS leak"
    DNS leak test
    Anonymster's "VPN Free DNS Leak Test & DNS Leak Protection"

    Nykolas Z's "DNS Security and Privacy - Choosing the right provider"

    Some good reasons to use Google's Public DNS:
    Joseph Caudle's "Why and How to Use Google's Public DNS"
    Vijay Prabhu's "How to Change Your Default DNS to Google DNS for Fast Internet Speeds"

    Choosing a DNS by speed:
    John E Dunn's "Best 6 free DNS services"
    Remah's "How to Find the Best DNS Server"
    Chris Frost's "Clearing the DNS Cache on Computers and Web Browsers"

    My computer (running Windows 10) was set to "find DNS automatically", which meant it was using the DNS run by my ISP. I ran namebench several times, and results varied, but generally the DNS run by my ISP was fastest or among the fastest. So I left my computer set to "find DNS automatically".

    From someone on reddit:
    "some routers ignore individual device settings, so if that's the case you have to change the DNS settings on your router to whatever server you want to use"

    There are various flavors of encrypted connection to DNS; it's confusing:
    • Plain DNS: connection between Browser/OS and DNS is not encrypted.

    • DNSCrypt:
      DNSCrypt
      Supported by DNSCrypt-Proxy and OpenDNS clients.

    • DNS-over-TLS: new.
      Supported by Quad9 and OpenDNS clients.
      RFC 7858

    • DNS-over-HTTPS: new.
      Being tested by Mozilla/Firefox, servers provided by Cloudflare and Google.
      Supported by DNSCrypt-Proxy client.
      Martin Brinkmann's "Configure DNS Over HTTPS in Firefox"

      From someone on reddit:
      "Doing DNS requests is the task of the OS not an application, I really dislike this behavior [DOH in Firefox]. An application will not respect any rules in my hosts file and this will prevent me from having local servers with (fake) domain or blocked domains." [Instead, use a DNS proxy.]

    • Just use a VPN, and use their DNS: then the connection to DNS doesn't matter, it's all protected by the overall VPN encryption. But make sure you ARE using their DNS; it should have a non-public address such as one starting with 10 or 172 or 192.

    Sean Gallagher's "How to keep your ISP's nose out of your browser history with encrypted DNS"
    DNSCrypt
    DNSCrypt Proxy
    Domain Name System Security Extensions (DNSSEC)

    OpenDNS (includes blacklist of bad sites, at the DNS server)

    If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

    If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.

    MAC Address:

    This is an address unique to the network access card/hardware in your device.

    Your MAC address doesn't get out to the Internet. Only people/devices on the same LAN as you can see your MAC address. (That sometimes includes people sharing Wi-Fi with you.) But if you're using public or store or hotel Wi-Fi, now the operator of that network knows your MAC address, and can sell that info. It can be used to track your activity across networks and sites.

    In TCP/IP, your MAC address doesn't go beyond your local network (if using a router) or your ISP (if using only a modem). It would be possible for an app on your computer/phone to grab the MAC address and send it out in some custom way.

    Change your MAC address:
    Mac Makeup
    Technitium MAC Address Changer (Windows only)
    Linux Geekster's "3 Ways to change the MAC address in Linux and Unix"
    OSTechNix's "How to change MAC address in Linux"

    Certificates in the browser:

    What are the security and privacy implications of these ?

    Some questionable certs may appear under "Authorities": a couple from China, DigiNotar. Various CAs have been hacked from time to time. Firefox is in the process of removing trust for Symantec-issued certs.

    Certs that appear under "Servers" reveal a little bit about your browsing history: they may show what domains you've visited.

    As far as I know, there is no downside to removing Server certificates, and removing a few Authorities is okay too (as long as you don't remove them all).

    Will any of the browsers report "hey, a new certificate was installed since last time the browser was running" ? I think they should.

    Ctrl blog's "Installing VPN root certificates leaves you more vulnerable to snooping"
    Pieter Arntz's "When you shouldn't trust a trusted root certificate"
    Hanno Bock's "Check for bad certs from Komodia / Superfish"

    Location leaks:

    Probably we're all familiar with IP leaking, when some outside person/app gets your real IP address and usually can determine your approximate location, and if they get help from your ISP can determine your identity.

    But is there "location leaking" inside the software in our computers ? Apps can query our Wi-Fi or router or ISP to get our GPS location or at least postcode ? I assume apps all can get our real IP address, even if we're using a VPN.

    And yesterday, my Linux Mint 19 system installed an update which included "freedesktop" which runs a "GeoClue" location service for applications. I don't know quite what this does and how much it knows and how to turn it off (eventually I was able to uninstall it).

    Any software inside our system that gets our real location or IP address potentially could leak it, accidentally or routinely or maliciously. The information might be included in crash dumps or traces in bug reports.

    How do we stop this ? What other sources of location data are there inside our systems ? How do we set them all to report "none" or some fixed value of our choosing ?

    Inside Android, an app can use Google Location Services API or Network Location Provider.

    Inside Linux, while running a VPN and through a router, there are four kinds of IPv4 address:
    • LAN address (192.n.n.n).
    • VPN client's WAN address (10.n.n.n in my case).
    • Router's WAN address (77.n.n.n in my case).
    • VPN server's WAN address (89.n.n.n in my case).
    I haven't found a way yet that an app on my computer can get the Router's WAN address, either with VPN on or VPN off. But with VPN off, an app could talk to a server outside and ask it "what IP address am I coming from ?".

    Browser is a key point for storing/providing location data. Set preferences in each browser you use. And maybe use an add-on such as Location Guard.



  14. Stay logged out of Google and Facebook et al as much as possible, as you browse other sites.

    Or use some kind of "container" feature in your browser to isolate one tab from another. Or use separate browsers or separate instances for multiple pages.


  15. Don't use everything from one company.

    If you use Google Apps, Google Docs, Google Sites, Chrome browser, GMail, Google search, Google Maps, and Google+, then of course Google is going to know a lot about you. Instead, spread it around: Yahoo Mail, Facebook, some free web hosting service, Firefox browser, Google search, etc.


  16. You can delete your accounts on various services, although often they make it hard to find out how to do that.

    justdelete.me
    AccountKiller
    Deseat.me

    Some people say: instead of just deleting an account, first go in and delete as much of your data as you can, and change as much of the rest as you can to fake data. (This is called "data poisoning"; reddit's "/r/datapoisoning"). Maybe let it sit in that state for a couple of weeks. Then delete your account.

    David Nield's "The Complete Guide to Dumping Google"


  17. Some people say: Don't use anything from the biggest tech companies: Google, Apple, Microsoft, Facebook, Amazon.

    I don't agree; I say be aware of the costs and benefits. Sure, maybe it's good to use alternatives when possible.

    But there seems to be no good alternative for Microsoft Office (apparently when you really go beyond the simplest uses, LibreOffice just doesn't cut it). Maybe no good alternative for Facebook (80% of my friends and family are on there, and the Groups contain a wealth of knowledge and helpful people).

    For Android phone operating system, there are good alternatives (such as LineageOS). For e-readers, there are decent alternatives to the Amazon Kindle. For desktop/laptop OS, maybe Linux is a viable alternative to Windows.

    Some people say: before deleting your social-media account (on Facebook, reddit, Google+, etc), "poison" it by adding false data, deleting or editing posts and comments, Liking lots of spurious stuff, etc. And let it sit that way for a couple of weeks before deleting the account. I don't agree. Editing your profile is fine. But deleting or editing existing posts and comments will damage the work of other people, those who responded to your post or had a conversation stimulated by your post. Doing lots of spurious posts or comments or Likes will flood your Friends with nonsense. Just edit your profile, let it sit, then delete your account.


  18. Turn off features you don't use.

    Either turn them off permanently, or enable them only when you want to use them.

    Don't use Bluetooth, NFC, infrared, Cortana, Siri, location/GPS services ? Turn them off completely, at the OS level. Don't use some old applications ? Uninstall them, or turn off their update background services.
    Rick Rouse's "How to turn off 'File and Printer Sharing' in Microsoft Windows"

    Maybe turn off location-monitoring services and apps in your smart-phone and browser. But your cell-phone company will always know where your phone is, if it's turned on, or maybe even just if it has a battery in it.

    Turn off the whole device if you're not going to use it for a while. Does your internet-connected computer need to be running 24/7 ?

    Put tape over the webcam on your laptop.
    Or software:
    Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"

    Turn off the microphone on your laptop or smartphone.
    Maybe put a dummy plug into the external microphone jack.
    Tape over the built-in microphone opening doesn't really work.
    Or software:
    Alan Henry's "How to Stop Web Sites from Potentially Listening to Your Microphone" (Chrome only)
    Jignesh Padhiyar's "How to Find and Prevent Apps from Accessing Your iPhone's Microphone in iOS 7"
    Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"
    The highest-confidence solution: physically unplug the built-in microphone inside the case, and always use an external microphone (plugged in only when you need it).

    Note: iPhones have 1 to 4 microphones, depending on model. Most Android phones have 1, some have 2.


  19. Know the features of your devices.


    Mozilla's "*privacy not included"

    Using router/modem supplied by your ISP:

    Parts of a router/modem:
    • WAN connector: connects to outside cable or phone line.
    • Modem: from WAN connector, converts fiber or phone signal to digital, sends to router.
    • Router: intelligence that converts between internal (LAN) and external (WAN) IP addresses, using NAT.
    • LAN Switch: connects all the parts of the local network: LAN side of router, Ethernet ports, Wi-Fi AP.
    • LAN Ethernet connector: wired connection to client device in home.
    • Telephone connector: wired connection to telephone in home.
    • USB connector: for a disk drive to be shared on the LAN.
    • Wi-Fi access point: wireless connection to Wi-Fi devices in home.

    From someone on reddit:
    If your ISP can access your modem (and if you're using an ISP-supplied modem, it'd be foolish to assume they can't), they can see anything your modem can potentially log (think SSIDs, MACs) via a little-known protocol known as CWMP. And this is to not even begin the implications that they could not simply be retrieving logs, but actively tampering with data. So yes, do not use ISP-given devices, get your own. This is critical.

    At the least, your ISP-supplied router could be reporting names and MAC addresses of all devices on your LAN. Names may be easy to change to something uninformative such as "laptop1". But MAC addresses could be more revealing, and used for tracking. Harrison Sand's "Your ISP is Probably Spying On You"

    From someone on reddit:
    > Do ISPs update router firmware and watch for malware ?

    Routers, in general, are not updated if they are not the latest and greatest router in their class. Long term support is typically lacking unless you install a 3rd party firmware. European ISPs are typically far better at updating their software than American and Canadian ISPs due to no laws requiring ISPs accountable to update their software if possible. More damning, routers typically don't even have patches available as they were discontinued support long ago.

    So it sounds like if you can't find firmware updates for your router, and it's more than a couple of years old, maybe best to just replace it. If it's ISP-owned, maybe ask if they have a newer model available, and if you can upgrade for low or no fee. If you own it, replace it or install DD-WRT or OpenWrt on it.

    Ways to avoid the ISP-supplied router/modem:
    • Ask ISP if you can replace it with a router/modem you own yourself.

      From someone on reddit:
      "Google for modem compatibility lists. You can generally find a site that sorts by state and ISP and lists which current model modems would or should work."

    • Check router's admin page, or ask ISP, if their router/modem can be set into "bridge mode", so you can add your own router behind it.

      This amounts to turning off the router and Wi-Fi in the ISP-supplied router/modem box, using router and Wi-Fi in your own new router box, and connecting the two boxes via an Ethernet cable. Connect all home devices (except telephone ?) to your box, not the ISP's box. Now the ISP-supplied box doesn't have access to your LAN, it just sees what comes out of the bridge-Ethernet port of your new router box.


    Keep it simple. If you have your smartphone controlling your door-locks and security-cameras and automatically uploading photos to Google+ and accessing your LAN and the internet, you really don't know everything that is happening and everything that can go wrong. Better to have some compartmentalization, some things that happen only on one device or happen only manually.


  20. Know the vulnerabilities of your devices.

    "The 'S' in 'IoT' stands for 'Security'."
    -- from Grumpy Old Geeks Podcast

    Are there any known security flaws in your internet-connected devices, especially devices you can't update ? For example, security cameras: article1, article2. And home Wi-Fi routers: article3.

    For each of your devices, read the manual, and do some internet searches for "exploit/vulnerability/hack/problem MFR model NNN".

    Some of the simpler-looking devices (tablets) may be the most vulnerable, because you probably don't install anti-virus on them, and they may not get security updates. Yet they're in your trusted local network, and could attack other devices.
    Rhett Jones's "A New Reason to Not Buy These Cheap Android Devices: Complimentary Malware"


    Especially dangerous are all-in-one devices with multiple connections. A fax-modem-copier-printer may connect to both a phone line and to your LAN; a flaw could let an attack come in the phone line and onto the LAN. A simpler attack could exhaust your expensive toner cartridge. Is the firmware updatable ? Is the manufacturer known and providing updates ? Don't leave the device powered on 24/365 unless absolutely necessary.

    A smartphone probably is connected to both the cell data network and to your LAN; that's a potential vulnerability.


  21. Set honeytraps on your devices.



  22. Don't routinely use an Administrator-privileged account, use a non-Administrator account.

    Rick Rouse's "Why you should use a 'Standard' user account in Windows"

    From someone on reddit:
    > If I already have my account as admin
    > is there a way to demote it?

    Create another user account. Name it Admin or Bambi or whatever floats your boat at that particular second. Set that account as a system administrator. Log out of your current account and into the new account. Change your normal account to a standard user. Log out of the new admin account and back into your regular account.

    All of this is done through the 'User accounts' control panel applet.

    Similar in Linux: use a normal user account, and "sudo" when you need to do something as root.


  23. Deleting browser history really does nothing for your privacy, unless someone steals your computer and looks at your history.

    Bracelet


  24. Anything you store on a server may reduce your privacy.

    Your contact list in email, buddy list on instant messaging, Friends list on Facebook, etc. Any emails in your Inbox, or saved long-term in a "folder" within your email service. Okay, email or IM or Facebook won't function without those contact lists. But maybe you shouldn't use your email as a data store. And maybe you shouldn't keep anything except name and email/IM address or phone number in each Contact entry. Store postal addresses and anything else in some private contact manager.


  25. Using someone else's device.

    You have few rights to anything you store on or do with your employer's or school's computers or phones or networks. And you don't know how many administrators have access to the data, or what other companies the data may be shared with. Don't use them for private things.

    You don't know what software or viruses may be installed on a computer you use at a library, in an internet cafe, at work, at school, or at a friend's house. There may be a keylogger, a clipboard-scraper, some browser plug-in that harvests data from webmail, something that logs all your internet traffic, something that copies any USB drive you plug in, ransomware, viruses, etc. Be very reluctant to use your password manager or email or other accounts on such a machine. Two-factor authentication on logins can reduce some of the threat.

    If you have to stick a USB drive into such a machine, for example to print a document on their printer, treat the drive as infected from then on. And have as few documents as possible on the drive to begin with; all of them may get infected, or encrypted by ransomware.

    Kashmir Hill's "How To Tell If Your Boss Is Spying On You"


  26. There are more-aggressive things you can do, but I think the cost/inconvenience is too high for the benefit, in most cases. (And some of them require your friends to use the same applications, or adapt to your behavior.) Tor browser, I2P, run Linux (because you don't trust Microsoft or Apple), use a clean-boot OS, use a virtual machine inside your real OS, multiple throwaway email accounts, encryption everywhere, prepaid throwaway phones, email and VoIP services and social networks specifically designed to be more private, run your own email server, use two computers (one networked and the other not), etc.
    Peter Bright and Dan Goodin's "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?"
    "The Hostile Email Landscape" (maybe from Jody Ribton)
    The Tin Hat's "How Do I Start An Anonymous Blog?"

    See "Windows User Moving to Linux" section of my Linux page.

    When you get to some high level of OPSEC, your behavior is as important as the tools you use. You may have to never use internet or phone from your known home location, always from elsewhere, for example.
    Douglas Goddard's "Technical Anonymity Guide"

    Tor:

    Tor is a network, where the Tor browser talks to an entrance node, which talks to a middle node, which then talks to either an exit node (for normal internet traffic) or an onion web site.

    It is possible to use Tor and still not have privacy or anonymity. If you're the only person on your network using Tor, perhaps your activity can be correlated with the traffic coming out of the exit node. If you log in to a web site using your real info, that site will know who you are. If you use HTTP, the exit node and its ISP can see your traffic.

    If you're using Tor browser instead of a VPN, only the browser's traffic is going through the Tor network; traffic from other applications does not.

    Tails is a Linux system where all internet traffic goes through the Tor network.

    Privacy.net's "Everything you wanted to know about Tor but were afraid to ask"
    Andy Greenberg's "The Grand Tor: How to Go Anonymous Online"
    Tor Project's "Check your Tor browser"
    Matt Traudt's "VPN + Tor: Not Necessarily a Net Gain"

    Virtual Machine:

    You can run a VM inside your real OS. It will look like a real machine to software, but then when you're finished doing stuff, you end the VM, and anything that happened inside it (including any bad stuff) is deleted.

    But some things I don't understand about this: So you can't bookmark any sites, unless you hop out of the VM and update the browser in your real OS ? If you download a picture or something, you can't get it out to the real machine, it's going to disappear when you shut down the VM ? If you want to copy something from web email to the clipboard, then save it in a file, that file will be in the VM, not the real OS ? If you log in to web email or reddit in the VM, and have a virus in the VM, it could do something nasty to your web email or reddit ? Do you never run a browser in the real OS ? Or you do only lightweight, throwaway browsing in the VM and do "serious" web stuff in the real OS ?

    From someone on reddit:
    Virtual box has fixes for a lot of these. The clipboard is shared between OS and VM. It's essentially its own computer, so shutting it down keeps its state and everything. There are plugins for shared folders as well. Putting a document in the folder will make it available to both the VM and main OS.

    If you're using it for virus protection then you still need to be cautious. If you're on the VM and a pop-up comes up asking for your log in for a website, you should still not do it.

    The expectation sort of is that if you're technically literate enough to set up a VM, you should know how to avoid viruses, but if you do get ransomware on your machine or something, resetting the VM is much easier than on your main OS.

    From someone else on reddit:
    Note that a few of the "fixes" mentioned reduce the security of the VM. Many viruses can notice that they are being run in a VM by checking if those plugins are installed and act like a normal, legitimate program if they are running in a VM.

    Also, sharing resources (like files) between your real ("host") OS and the VM can put them at risk. If a ransomware runs in a VM where your files show up as a shared drive, those files will be affected too, even if you reset the VM.

    Despite all that, yeah, if you want very good security you can run things in a VM. It has many advantages.

    David Murphy's "How to Set Up a Virtual Machine for Free"



  27. Your friends and relatives are a threat to your privacy. They may post about you on social networks, put pictures of you online, mention you in emails.


  28. There is no such thing as total privacy, or perfect security. If the government or a spy agency or law enforcement really wants to get your data, they can get it.


privacytools.io
Paul Bischoff's "75+ free tools to protect your privacy online"
Fried's "The Ultimate Guide to Online Privacy"
Karegohan-And-Kamehameha's "privacyguide"
Noah Kelley's "A DIY Guide to Feminist Cybersecurity"
Sarah Jeong's "The Motherboard Guide to Avoiding State Surveillance"
"The Motherboard Guide to Not Getting Hacked"
PRISM Break
For Linux, mainly: "The paranoid #! Security Guide"
xkcd's "Security"



My desktop computer configuration:



Smartphones: Android, iPhone, etc
Smartphones are horrible for security and privacy. They constantly broadcast your location (to all cell-towers, not just those of your provider), they constantly look for known Wi-Fi networks, the cell-service provider knows your location and calls and messages, they come pre-loaded with apps you can't remove, all apps have a lot of access to your data, etc.
Fieke Jansen and Helen Kilbey's "Cybersecurity Self-Defense: How to Make Your Smartphone More Secure"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Attedz's "Android Privacy Guide"
PRISM Break




My smartphone configuration:
Mainly, I use my phone for WhatsApp to a couple of people, for photography while walking around, and occasionally while in an airport or something. I try to keep as little as possible on it.




Facebook:
Facebook is a special case, because they know so much about you, and they have code on many other web sites, and they sell login services to many sites, and they buy data about you from other services.

Just for info: Facebook actually doesn't "sell your data". They provide two main services to advertisers: I'm sure they also sell more traditional services such as "display ad X to all people in ZIP code 12345".

Vicki Boykis' "What should you think about when using Facebook?"
Paul Bischoff's "How to stop Facebook from tracking you on sites that aren't Facebook"



Minimizing knowledge and connections

Yegor S's "How to (actually) be anonymous online"



My account configurations:
[I don't use SMS 2FA; often my phone doesn't have cell service, what if I lost my phone, and SMS is insecure anyway.]











Anticipate problems



Back up your data:

Data you could back up:


Places to back up to:


Ways to manage the back up process:

Note that a "sync" feature is not a backup. If something is deleted or corrupted on one end of it, that thing will be deleted or corrupted on the other end too. Usually.
David Murphy's "Why Did iCloud Delete All of My Photos?"

Think about how you would restore to a complete new computer if necessary:





Maintain a secondary email account, preferably on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary.



Think ahead: what happens if your laptop display suddenly fails, and you need to send it out for repair ? Is any important info on disk encrypted ? Or can you remove the disk entirely before sending the laptop to the shop ? Also, for other repairs, make it clear to the repair shop whether wiping all the data is okay.

Think ahead: what happens if your phone suddenly fails or is stolen ? How would people contact you ? Would any accounts with two-factor authentication be disabled ?

If your laptop or phone is absolutely critical to you, can't be without it for more than a few hours, maybe you should have a spare waiting ready to use.

Think ahead: what happens if your wallet or purse is stolen ? Do you have the info needed to notify your credit-card company, your bank, etc ? Do you have any papers in there with login details or PINs written down ?



Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email from laptop or internet cafe (seems not to happen when accessed from phone), you get "hey, we see a login attempt from a new country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.



From DrStephenPoop on reddit:

> BACK UP YOUR DATA

And not just what's on your hard drive.

Do not trust the cloud!

Google recently ended my account for an unidentified TOS violation. I am not sure what I did. I just logged into gmail one day and instead of an inbox I saw a message saying my account had been disabled. I lost:

8 years of email contacts

6 years of favorited YouTube videos

About a dozen videos I made with my brother that were uploaded to YouTube.

All my Drive/Doc files including original writing.

My passwords to several sites, including banking and insurance sites.

Three albums I had purchased from Google Play.

Here's the kicker: I was a google believer. I am one of the 5 or so non-developers who actually owns a first generation Chromebook. I believed in the cloud!

Use and enjoy Google's services, but do NOT rely on them. Even though you buy their computers and purchase music from them, you are STILL not the consumer with google. You are the product (sold to advertisers). So when you are shut out from their garden, you have no customer service to appeal to, or to even find out why you got tossed. You might as well be staring at an angel with a flaming sword, wondering where your pants are.

> Didn't you contact Support ?

When you get the "your account has been disabled" screen, they give you a link to voice your grievance. After submitting, you get a message that says something to the effect of: "If we find we have reason to contact you, we will contact you."

You can also go to the community forums and plead for help. Sometimes someone associated with google will actually say: "I'll have people take a look at this." In all my pleas, I never got a response. That is as far as support goes. You are not a customer. You are the product, and you are merely a commodity. Have you ever heard of "commodity support"?
Tienlon Ho's "Can You Live Without Google?"

From someone on reddit:

A few days ago my Facebook account was disabled suddenly and without warning. I've gone through what I thought was a fairly routine appeals process - filled in the form they link you to when you try to log in and included a scan of my photo ID as they requested to prove I'm a real person etc. However, I just received an email from Facebook saying the following:

> ... Upon investigation, we have determined that you
> are ineligible to use Facebook. ... Unfortunately, for
> safety and security reasons, we cannot provide
> additional information as to why your account
> was disabled. This decision is final. ...

This is really bizarre and quite upsetting - it's easy to forget just how much we rely on this service. If I can't get my account reactivated, that's six years of content (and memories) lost, and a huge blow to my ability to keep in contact with some friends and family.

The only possible reason I can think of for my account being disabled is what I was doing at the time - sending some photos to someone through the private messaging system. Some of the photos were (mildly) adult in nature (at her request!) which could be deemed a breach of the Community Standards if you look at it in strict black and white terms ("Facebook has a strict policy against the sharing of pornographic content"). However I can't bring myself to believe that there is someone monitoring private message attachments and instantly banning people if they see boobs. Beyond that, I genuinely can't conceive of a reason as to why my account was singled out for anything.

Any advice would be appreciated as to what I should do next - I am not yet willing to just give up and lose all of that content. I have replied to the email, though I doubt anyone will read it, but beyond that there's really no other contact options I can see, and Googling this problem does not produce much beyond more horror stories like this.

From sugarbreach on reddit:

I am writing this to warn Google users to back up their data, and to realize that everything you take for granted can be taken away in an instant.

About a week ago I attempted to log into my Gmail account and was greeted with a page saying my account was disabled. It says that it was disabled due to a perceived violation of the terms of service and product specific policies. I have read and reread the google terms of service, and I know I haven't done anything to violate them. The only possibility I can think of is that someone may have hacked into my account. I have been an enthusiastic gmail user since it first came out in beta, and you had to be invited to get an account. I have relied on google apps to make my life easier. I have filled in their account recovery form, and even tried calling members of the Gmail team, but have had no luck. I also have posted on the gmail help forum, but an expert there said he contacted google and there was nothing he could do and google wouldn't tell him anything "for privacy reasons".

This has created the ultimate real-life nightmare, and has turned my life upside down, a few examples of which are listed below.

All of my contacts were linked to this account. I now do not have access to emails, phone numbers, addresses, etc.

My google voice telephone number is no longer working. I had this phone number on my business cards and email signature, and now when someone dials the number, they are given an error recording. "We could not complete your call, please try again".

My youtube account with many videos I cherished of my children is now gone.

I have all of my photos backed up to the account for nearly my entire life, as I thought this was the safest place to keep them (the cloud!) I have photos of my beloved grandparents who have since passed away, and the thought that I can no longer access these photos makes me sick. I also have thousands of pictures from vacations and of my children that I fear are gone forever.

A nice chromebook that I purchased to access all of the google apps is now almost useless since my account has been disabled.

I have multiple documents in my google drive that I have spent hours of work on, and can no longer access them.

I placed an enormous amount of faith and trust into google's products and services, as millions of people have worldwide. It is a shame that something this important in someone's life cannot even warrant a response from a live person at Google.

I have been very depressed because my entire life was encased in google's products, and now everything is gone.

Again, I am writing this to warn others that this can happen to anyone at any time, so it would be wise to back up treasured items in your google account. Ironically, google provides the means to do this through their "takeout" app, which I did not learn about until after my account was disabled. If there is anyone out there reading this that can offer any guidance for getting my account reinstated, I would sure appreciate it!

If you lose a cloud account, you can lose stored data, your calendar, remaining time on a subscription, any accumulated credit or gift cards, and the network link that makes some device (such as Amazon Echo, Google Home, etc) work.

Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does it let everything get shared, but if Facebook or Google ever deactivates your account for some reason, you've lost access to those other sites too.

Maybe some people don't consider their email to be "cloud data", but it is. If you're saving 10 years of past emails in GMail or Hotmail or something, it may be valuable to you, and it may be used by a hacker if your account gets hacked. It's also hard to back up. I'm a big believer in keeping your email account as close to empty as feasible. Clean it out !

If you do backups to the cloud, don't leave those backups accessible via a "cloud drive" that is always mounted (shows up as drive H: or something). If you get a virus, it may affect files on all physical drives and mounted cloud drives.

Apparently, automatic cloud backups of your phone data can expire and be deleted if you don't use your phone for many months. Android backups in Google Drive Backup are deleted if you don't use the phone for 2 months ? iPhone backups in iCloud are deleted if the iCloud account is not used for 6 months ?

A factor to consider: today's cloud backup may be encrypted so well that no one can crack it. But that encrypted data may still be available somewhere in the cloud 20 years from now, and maybe 20-years-future technology WILL be able to crack today's encryption.

Do "backups" of old non-electronic data, such as family photos and diplomas and such. Scan them and back up the images.

From Justin Carroll on an ITRH podcast:
Kinds of information (for you and everyone in family, and pets) you should have backed up and available (carry with you) in event of a disaster:

Do a "backup" of your own memory: in a simple text file, write a summary autobiography. Dates and places you lived, went to school, worked, traveled, etc. Names of friends, roommates, coworkers, etc. Memory fades over time.

Jon Christian's "Deleting the Family Tree"
DanDeals' "PSA: Don't Mess With The Google!"
Alex Hern's "Pixel phone resellers banned from using Google accounts"
"A few reasons not to organise on Facebook"

Eric Griffith's "Back Up Your Cloud: How to Download All Your Data"
Adam Dachis's "How to Protect Your Data in the Event of a Webapp Shutdown"

And of course back up your local data, not just your cloud data.
How-To Geek's "What's the Best Way to Back Up My Computer?"
Eric Griffith's "The Beginner's Guide to PC Backup"
/r/techsupport's "backuptools wiki"

Rick Rouse's "How to create a System Repair Disc and System Image Backup in Windows 10"

Rick Rouse's "Why you need a battery backup device for your computer"

Is there any one thing you have where you can say "geez, if I ever lost that I'd be TOTALLY screwed" ? Then figure out a way to back up that thing, or reduce your reliance on that thing.

See My "Computer Theft Recovery" page







Miscellaneous



From someone on reddit:

The basic methods of "hacking" accounts are:







Threats:

[Generally from most likely to least likely:]
  1. Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.)

  2. Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their Contacts list, which contains your name and email and address and phone number and birthday. They tag you in Facebook photographs, or mention that you were with them at some wild party.)
    Your browser history


  3. Your ex-spouse, former friends who now are enemies, former coworkers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
    Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide")

  4. Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.

  5. Corporations selling your meta-data or data to advertisers.

  6. Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.

  7. Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.

  8. Data criminals and hackers. (Identity thieves, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or coinmining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer:)
    Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
    Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000"

  9. Casual snoops or thieves.
    (Although with snooping software, "casual" capabilities are increasing.)

  10. Law enforcement (recording everyone's activity, such as cell-phone locations and car license plates).

  11. Internet vigilantes or lynch mobs or public shaming.
    (E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)
    Kashmir Hill's "When a Stranger Decides to Destroy Your Life"

  12. Reporters.

  13. Private investigators and lawyers. (They have some access to government databases and powers.)

  14. Law enforcement (specifically targeting you).
    Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
    Andy Greenberg's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
    EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"

  15. Foreign government intelligence agency. (Highest technical ability, but no legal authority.)

  16. Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority.)

Sean Gallagher's "How I learned to stop worrying (mostly) and love my threat model"
Wired's "Guide to Digital Security - Choose Your Security Profile"

No matter what protection you propose, some people will say "oh, the NSA has cracked that !". First, how do they know ? Second, a counter-measure still may be worth using even if the NSA could crack it; NSA is not the only threat or main threat. Third, just because NSA could crack something, doesn't mean they would spend the resources to crack your messages.

And some people say "trust no one !". Well, I think it is reasonable to trust the CPU chip vendors, and the compiler-writers. I don't see how useful "backdoors" could be built into those things (and I have BS and MS degrees in Computer Science). Trusting the OS vendors is a little more dubious; I guess I trust the basic OS, but maybe not all of the standard apps and services supplied with them. Same for trusting browser vendors.

Of course, if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.

Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems ("6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.

A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
Eric Boehm's "Reuters: Law enforcement use info from NSA phone database to go after common criminals"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"



Costs of counter-measures:


Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"



When living away from home:

If you're staying in a hotel room, AirBNB, or friend's house, and connecting to their network:



General counter-measures:




How to attack cryptography:

[From hardest to easiest:]
  1. Find a flaw in the mathematics (extremely unlikely).

  2. Find a flaw in the algorithm.

  3. Find a flaw in the crypto software.

  4. Brute-force password-guessing.

  5. Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).

  6. Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).

  7. Human problems (password exposed or easily guessed, social engineering, etc).

  8. Legal tools (warrant or subpoena to get encryption keys or tap traffic).




Low-tech solutions:




Things that may not increase security and privacy:




Operating systems and environments:




Buying or setting up a brand-new device:




Buying or setting up a used device:

Be VERY careful if you've bought a device through eBay or Craigslist or similar, especially if the device has anything to do with financial or security stuff.

Maybe start with a factory reset ? Update or re-install software, and change passwords.

Kai Sedgwick's "Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller"



Getting rid of a device:

Patrick Lucas Austin's "Disable iCloud Before You Get Rid of Your Mac"



Living dangerously:

If you really, really want to download and run something that could be dangerous:



Testing your privacy and security:

Linux Security's "Security Tools"
Micah Lee's "It's Impossible to Prove Your Laptop Hasn't Been Hacked. I Spent Two Years Finding Out."



New things we need to increase our privacy or security:




"Privacy" from incoming abuse:

If people are saying nasty things to and about you online: Rebecca Fishbein's "What to Do If You're a Victim of Revenge Porn"



Physical security and privacy:



Family issues:

ProtonMail's "How to protect your children’s privacy online"



Do a periodic check and cleanup:




If you own a web site:



Port scanning or router testing:
Web sites (turn off your VPN to use them):
Free Android apps:
PC applications:
Lee Munson's "Penetration testing for the home computer user"
TechIncidents' "Penetration Testing Checklist with Android, windows, Apple & Blackberry Phones"
Online Tech Tips' "How to Scan Your Network for Devices and Open Ports"
Spiceworks' thread "How can I pen test my own network?" (more about business networks)


From StackExchange's "Best way to test my home network from the outside":
If you decide to perform a scan from the Internet you may want to give your ISP a heads-up to avoid any trouble.

I run scans on my home IP from a Linode account [virtual Linux box on a cloud service]. Any VPS that doesn't filter your outbound traffic should work (just make sure it doesn't violate your TOS).

First run a full scan against your home IP address. Expect to find only the ports you know you have explicitly opened open. Expect everything else to be "filtered".

Then verify that it is your home router that is performing the filtering and not your ISP. To do this, open a port on your router and rerun the scan. Expect that the port you have opened is detected as open by your scanner. If you find that you still see this port as filtered, then your ISP may be blocking that port. If so, this isn't necessarily a problem, but it means that the previous test didn't test your router, it tested the network connection to your router. Don't forget to disable the port when you're done.

If you want to test your router in isolation, and your router isn't built in to the modem, then you can test it as follows:

  1. Disconnect the router from your modem. (Where "modem" is whatever device connects from your LAN to your ISP's network.)

  2. Connect a second computer to the WAN port on the router. Configure this computer with a static IP address that is independent of the LAN addresses used by your router.

  3. You may need to turn on a DHCP server on the second computer so that the router's WAN interface gets an IP address as usual.

  4. Perform the scans described above from the second computer.


To deliberately create an open port (to see if your testing catches it), on Linux run "netcat -4 -k -l -v PORTNUM" (IPv4 TCP) or "netcat -6 -k -l -u -v PORTNUM" (IPv6 UDP) or similar. Use port number 22 (SSH) or 80 (HTTP) if it should be closed in your system; that open port should be caught by any tester.
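
The self-check described above (deliberately open a port, confirm your tester catches it, then compare what the tester reports with the ports you meant to open), as an added Python example that is not from the original page or the StackExchange answer. It stands in for netcat with a loopback listener on an ephemeral port, so it needs no root; the function names and the sample results are constructed for illustration.

```python
import contextlib
import socket


def classify_port(host, port, timeout=1.0):
    """Classify one TCP port with a plain connect(): open, closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"        # handshake completed: something is listening
        except ConnectionRefusedError:
            return "closed"      # host answered with a reset: reachable, no listener
        except OSError:
            return "filtered"    # timeout or unreachable: the traffic got no answer


def scan(host, ports, timeout=1.0):
    """Check a list of TCP ports on a host you own; returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


@contextlib.contextmanager
def canary_listener(host="127.0.0.1"):
    """Deliberately open a TCP port (the netcat -l step) and yield its number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 = let the OS pick a free ephemeral port
    srv.listen(5)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()              # "don't forget to disable the port when you're done"


def self_test():
    """Prove the checker sees the canary while it listens and not after it closes."""
    with canary_listener() as port:
        while_listening = classify_port("127.0.0.1", port)
    after_close = classify_port("127.0.0.1", port)
    return while_listening, after_close


def review(results, expected_open):
    """Compare scan results with the set of ports you explicitly opened."""
    findings = []
    for port, state in sorted(results.items()):
        if state == "open" and port not in expected_open:
            findings.append((port, "unexpected open port"))
        elif state != "open" and port in expected_open:
            findings.append(
                (port, f"expected open but {state}: check router rule or ISP filtering")
            )
    return findings


if __name__ == "__main__":
    print("canary self-test (listening, after close):", self_test())
    # Constructed sample results, as if returned by scan() against your home IP.
    sample = {22: "open", 80: "filtered", 443: "filtered", 8080: "open"}
    for port, note in review(sample, expected_open={443, 8080}):
        print(port, note)
```

To test from outside, run `scan()` from the VPS against your own home IP address and pass `review()` the ports you forwarded on purpose.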



Good audio podcasts:
The Complete Privacy & Security Podcast
Security In Five Podcast

Crypto|Seb's "The Crypto | Paper"






This page updated: November 2018
