Computer Security and Privacy.          Please send any comments to me.       



Online Security section (Password security, Password-protect your phone number, Software updating, Anti-virus software, Connection security, Application-level encryption, Report freezing, Opt-out of tracking, Phishing)
Online Privacy section (Fake data, Blockers, Browser fingerprinting, Privacy controls, Virtual Machine, Smartphones)
Anticipate problems section (Back up your data)
Miscellaneous section (Threats, Low-tech solutions, Testing your privacy and security, New things we need)

My "Connection Security and Privacy" page
My "Authentication" page
My "Privacy In General" page
My "Computer Theft Recovery" page



TL;DR about computer privacy, security and safety:
         



Levels of privacy, security and safety (my opinion):
  1. No backups, no passwords on devices, same password on many online accounts.

    A disaster waiting to happen. Accidentally delete many files, hard disk crashes, or someone steals your phone, and you're in a world of pain.

  2. Backups (multiple, at least one off-site, and you've tested restoring from them), passwords on devices, important software auto-updating, anti-virus.

  3. Password manager to handle online accounts, ad-blockers and script-blockers in browsers, credit-report freezes, use HTTPS web sites, set privacy settings on accounts, password-protect your phone number, be careful with your smartphone, pay cash for as many things as possible.

  4. Full encryption on devices, two-factor authentication on important online accounts, reduce browser fingerprint, VPN, opt out of data-broker tracking.

  5. Change to Linux, use secure email and messaging, special firewall/router, redirected email and phone numbers and credit cards, postal-mail forwarding service.

  6. TOR browser, two computers (one secure and non-networked, other for routine use and network access), gift-cards.

  7. Burner phones, clean OS every time (e.g. Tails), security-centric OS (e.g. Qubes), run your own mail server and VPN, crypto-currency, fake personas and fake ID.

         



Terms:









Online Security



  1. Password security:

    Use the password and security features of your device and software; many people don't even bother to set a password !

    It's especially important on smartphones, because a lot of smartphone apps don't even have a "log out" feature. They assume that if you have the phone and were able to log in once, a while ago, you must be the account owner, no account password needed.

    Don't use the same password on multiple sites. If one site is breached, all the others become vulnerable.
    Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does it let your activity get shared to Facebook or Google, but if Facebook or Google ever deactivates your account for some reason, you've lost access to those other sites too.

    Similarly, don't use a Microsoft login to your Windows PC, use a local login.

    Really, you should have only 2 or 3 passwords you remember; the rest should be in a password manager. And in general, length is more important than complexity (but having both is even better).

    See my Authentication page.


  2. Other "managers".

    Don't let web sites save your important data if you can avoid it. Store it in an encrypted, private "manager" application on your machine.

    Some types of "managers":
    Often the last four types are together in a "Personal Information Manager" (PIM). Some email client applications will include those functions too.

    Most of the PIMs I see are more complex than I want, and don't say anything about encrypting their database. Probably best to pick a simple PIM and put its database inside a Veracrypt container.
    Osmo (Linux only, database not encrypted, files under ~/.config/osmo and ~/.local/share/osmo by default)

    If you don't use a specialized application, you could use a text file inside a Veracrypt container. But you'd lose the ability to sort by various fields, alert on calendar events, view the calendar in standard calendar format, have a tree-view for to-do items, etc.

    But I decided I'll use ProtonMail's calendar when they come out with it, since I use them for email. And I don't need special software for contact manager and to-do list.


  3. Password-protect your phone number.

    Mobile-service providers often let you set a PIN to control changes to account settings (such as adding or transferring a phone number). This can stop "SIM Swapping" (AKA "SIM Hijacking", but really it's "phone number hijacking" or "number-porting").

    Emily Price's "Add a PIN to Your Smartphone Account"
    Zack Whittaker's "Cybersecurity 101: How to protect your cell phone number and why you should care"


  4. Give "them" as little data as possible.

    Don't let web sites save your credit-card data. If possible, give them a fake phone number and address.


  5. Use fake data as answers to the "security questions".

    If you give fake data as your mother's maiden name, town where you were born, etc, no attacker can look that up somewhere and know what answer to give. Of course, you have to write down those answers yourself.


  6. Software updating:

    Run the newest stable version of your operating system, and turn on auto-updating. Same for browsers, anti-virus, VPN.


    But this is a major problem for Android smartphones: on older phones, you can't update the OS to a newer version, unless you install a "custom ROM". Android's update mechanism is somewhat broken, because phone vendors have no incentive to test and provide updates.

    See Android Custom ROMs section of my Android page.

    For less-important software, I would turn off auto-updating. I don't want a lot of little check-for-update background processes running all the time, and I don't have confidence that the maker of some genealogy application or something has invested a lot of effort into making their update process secure.

    A corollary of "do updates" is "don't use software that has been end-of-lifed or abandoned". If you're using something where the vendor no longer provides updates, you're vulnerable.


    The more I think about it, updating is a major security issue for all OS's. What controls guarantee that an installer or updater will update only the application or component it is associated with ? Is the communication channel encrypted ?

    If something is updated through Windows Update or Linux's manager (Update Manager, on Mint) or an app store, maybe you can have some confidence that the process is efficient and secure. But if an individual app is reaching out of your system to its update server every day in some unknown way, that is questionable. If you have 20 such apps doing so every day, an attacker has lots of surface to attack, and there is lots of traffic for you to monitor or analyze for threats. Not to mention lots of little look-for-update processes running in the background all the time, maybe.

    What is the long-term solution for this ? Lobby Microsoft to let third-party apps use the Windows Update mechanism ? On Linux, only install apps via the main software manager on the system ? Add some kind of OS controls so an installer/updater can touch only the associated component's folder and registry tree ? I assume Windows Update and Linux's managers and app stores use TLS on their connection back to the server; true ?

    In response, someone pointed out: evilgrade



  7. Anti-virus software:

    Install it, set it to update automatically, run a full scan every now and then.

    Two main "modes": real-time protection (catches every file write or download and scans it), and user-initiated (user runs a full-disk scan every week or two). The real-time protection could be disk-only (catches file writes) or also wired into the browser (to prevent access to known-dangerous web sites).

    Things that loosely fall into this category:
    • Anti-virus protection.
      Quora "What is the best open source antivirus software?"

    • Malware removal (such as Malwarebytes, Spybot ).

    • Keylogger detection and removal.

      A "keylogger" may do one or more of these:
      • Capture keystrokes as you type them.
      • Capture the contents of your clipboard.
      • Capture screenshots.
      • Capture input from your computer's camera and microphone.

      A keylogger may:
      • Log the data into a log file.
      • Email the data to somewhere.
      • Send the data across the internet to somewhere.

      There seem to be three types of keylogger:
      • Hardware: some device attached to your computer or keyboard or installed into it.
      • Software: an application and/or service installed on your computer. It may try to hide in various ways, not showing up in list of installed apps, or choosing a name similar to a standard app or service.
      • Rootkit: software installed into the firmware of your computer, or the boot loader of your OS, or the kernel of your OS.

      Detect or defend against keyloggers:

      Testing your defenses to see if they actually work:
      Run a test program that does keylogging and see if your software detects/stops it:
      Mike Williams' "Anti-Keylogger Tester 3.0"
      SpyShelter's "Security Test Tool"

      Install a real keylogger and see if your software detects it:
      Spyrix Free Keylogger
      Revealer Keylogger Free
      StupidKeylogger


    • Firewall.
      From someone on reddit's /r/Windscribe:
      > I've recently signed up for Windscribe VPN (firewall enabled).
      > I have an ASUS RT-AC66U router (firewall enabled),
      > and on top of that Norton Security with its built-in
      > super aggro "smart firewall". All of this seems a bit
      > redundant and ridiculous.

      Windscribe firewall blocks traffic that tries to go outside of the VPN, including if the server you're connected to goes down. It's different from a program/port firewall that allows or blocks certain traffic completely based on a ruleset.

      Your Norton firewall is designed to prevent malicious programs from calling home to download more malware or upload your information.

      Your router firewall is designed to prevent open ports from being abused by programs or attackers.

      Windscribe firewall is designed to prevent your traffic from going through the normal unencrypted route to your ISP. If the connection drops for some reason nothing will get through because the Windscribe firewall blocked all other ways in or out.

      So all three serve different purposes (the router and Norton firewalls overlap a bit but they still do different things).
      Gufw (Linux only)

    • Crapware or bloatware removal (such as PC Decrapifier, Should I Remove It?, AdwCleaner ).



    Testing your defenses to see if they actually work:

    EICAR Standard Anti-Virus Test File

    Where to get virus samples, to check your AV ?
    MalShare
    TekDefense
    VirusShare.com
    greg5678 / Malware-Samples (Linux only)
    Packet Storm's "Unix rootkits" (have to compile some from source)

    On Windows, I use AVG (free) and Malwarebytes (free). But I found that AVG and MWB (with RTP) don't stop/report keylogging as tested by AKLT.

    If you use Adblock Plus, you can then install a malware site filter.

    Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"
    /r/techsupport's "Official Malware Removal Guide"


  8. Browser:

    Set your browser to update automatically; browsers contain security features that should be kept up to date.

    Things you may want to turn off:
    • Any "suggestion" or "prediction" feature (probably sends your keystrokes to a server).
    • Any "usage-reporting" or "telemetry" feature.
    • Any "crash-reporting" feature (actually, I leave this one enabled).
    • Any "syncing" feature.
    • Any "password-remembering" feature.
    • Any "let vendor run experiments" feature.
    • Any "security-screening" feature (debatable; I leave enabled; maybe your VPN or ad-blocker does this).

    From someone on reddit 11/2018:
    "Chrome has a whole host of services that send data to/from Google (auto-complete, prediction services, spell check, translation, safe browsing, etc...). ... if you don't want Google to know anything about you, you can't use Google products." [Also password syncing, and "login to Google automatically logs you in to Chrome". And check options carefully to see what is turned on.]

    These days, users probably spend 90% of their time in a browser. So, take the time to go through ALL of your browser's settings/options. Generally turn off things that send data to a cloud service. Turn off features you don't need.

    Brian King's "Towards a Quieter Firefox"

    Enable security features in your browser: IE's "SmartScreen Filter", Firefox's Options/Security tab, Chrome's "Enable phishing and malware protection", Opera's "Enable Fraud Prevention".

    Use as few browser extensions/plug-ins/add-ons as possible; each additional extension installed means a greater chance of getting a malicious extension or a security hole or a performance hit.
    Chris Hoffman's "Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them"

    Use an "ad-blocker" add-on in your browser to protect against ads that contain malware (malvertising).
    uBlock Origin (get from here ?)

    Show what your browser presents to a web site:
    BrowserSpy.dk


  9. Manufacturer's software:

    Your machine may come with manufacturer's apps (for launching, printing, help, support, updating, diagnostics, recovery) pre-installed and doing stuff in the background. How secure is that software ?

    Bill Demirkapi's "Remote Code Execution on most Dell computers" (offered more as an example of how much is going on in the background, rather than a realistic threat)
    Dan Timpson's "Lenovo’s Superfish Adware and the Perils of Self-Signed Certificates"
    Wang Wei's "Pre-Installed Keylogger Found On Over 460 HP Laptop Models"


  10. Computer firmware:

    There might be firmware in: management engine, motherboard/BIOS, Linux microcode on top of the MB/BIOS firmware, HDD, SSD.

    Usually you have to manually check for updates to the firmware, on the manufacturer's web site.

    Idea:

    Is the firmware (say, BIOS firmware) readable ? Can an OS or user process read it and compare to the last-installed version, and flag "hey, firmware has changed since the last time you booted !" ? Do any current OS's do that ? It could even be a user-level feature.

    Shouldn't all devices (routers, security cams, disk drives, etc) come with a "read out the current firmware contents" feature ? Maybe a very clever malicious firmware could mimic a legit firmware, but it might not be easy if firmware memory is full (excess space padded with random static stuff when legit firmware is generated).

    In Linux, do:
        sudo grep ROM /proc/iomem
    If it returns "000f0000-000fffff : System ROM", you can read the BIOS via either of:
        sudo dd if=/dev/mem of=pcbios.bin bs=64k skip=15 count=1   # 15*64k + 64k
        sudo dd if=/dev/mem of=pcbios.bin bs=1k skip=960 count=64
    Also relevant:
        sudo dmidecode
    Maybe someone could make a little daemon or cron job that uses them to report any changes.

    How about Linux's /dev/microcode ? Also would be nice to know if the router/gateway MAC address has changed ("arp" command).
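
The "little daemon or cron job" idea above, sketched as an added example (not code from this page's author): it parses /proc/iomem for the System ROM range, hashes that region and the BIOS version strings, looks up the gateway MAC, and reports any difference from a stored baseline. STATE_DIR, the function names, the "run" argument and the install path in the last comment are assumptions.

```sh
#!/bin/sh
# Added example, not from the original page: report changes in the System ROM
# image, the BIOS version strings, and the default gateway's MAC address.
# Hypothetical names: STATE_DIR, all function names, and the "run" argument.
# Needs root, and a kernel that permits reading the BIOS region of /dev/mem.
STATE_DIR="${STATE_DIR:-/var/lib/fwwatch}"
RC=0

hash_stdin() { sha256sum | cut -d' ' -f1; }

# stdin: /proc/iomem-style text. Prints "<skip_KiB> <count_KiB>" for dd bs=1k.
# "000f0000-000fffff : System ROM" gives "960 64", matching the dd line above.
rom_range_kib() {
    set -- $(sed -n 's/^ *\([0-9a-fA-F]\{1,\}\)-\([0-9a-fA-F]\{1,\}\) : System ROM.*$/\1 \2/p' | head -n 1)
    [ $# -eq 2 ] || return 1
    start=$((0x$1)); end=$((0x$2))
    # Unprivileged readers see 00000000-00000000; treat that as "not readable".
    [ "$end" -gt "$start" ] || return 1
    echo "$((start / 1024)) $(( (end - start + 1) / 1024 ))"
}

# stdin: /proc/net/arp-style text. Prints the MAC for IP $1, lower-cased.
# Entries with Flags 0x0 are incomplete (no reply yet) and are ignored.
gateway_mac() {
    awk -v ip="$1" '$1 == ip && $3 != "0x0" { print tolower($4); exit }'
}

# check_item LABEL VALUE: compare VALUE with the stored baseline for LABEL.
# Returns 0 = unchanged, 1 = CHANGED, 2 = first run (baseline recorded).
# A changed baseline is kept, so the report repeats until you remove the file
# yourself (for example after a firmware update you installed on purpose).
check_item() {
    label=$1; value=$2; file="$STATE_DIR/$1.baseline"
    if [ ! -f "$file" ]; then
        mkdir -p "$STATE_DIR" && printf '%s\n' "$value" > "$file"
        echo "$label: baseline recorded"
        return 2
    fi
    old=$(cat "$file")
    if [ "$old" = "$value" ]; then
        echo "$label: unchanged"
        return 0
    fi
    echo "$label: CHANGED (baseline $old, now $value)"
    return 1
}

# track LABEL VALUE: skip empty reads, remember whether anything changed.
track() {
    if [ -z "$2" ] || [ "$2" = "$EMPTY" ]; then
        echo "$1: nothing could be read, skipped" >&2
        return 0
    fi
    check_item "$1" "$2" || { [ $? -ne 1 ] || RC=1; }
}

main() {
    EMPTY=$(printf '' | hash_stdin)   # hash of zero bytes must never become a baseline
    if range=$(rom_range_kib < /proc/iomem); then
        set -- $range
        track system-rom "$(dd if=/dev/mem bs=1k skip="$1" count="$2" 2>/dev/null | hash_stdin)"
    else
        echo "system-rom: no readable System ROM range in /proc/iomem" >&2
    fi
    track dmi-bios "$({ dmidecode -s bios-version; dmidecode -s bios-release-date; } 2>/dev/null | hash_stdin)"
    gw=$(ip route show default 2>/dev/null | awk '{ print $3; exit }')
    # Expect a change report here after joining a different network.
    [ -z "$gw" ] || track gateway-mac "$(gateway_mac "$gw" < /proc/net/arp)"
    return "$RC"
}

# cron usage as root (hypothetical install path): /usr/local/sbin/fwwatch.sh run
if [ "${1:-}" = "run" ]; then main; exit $?; fi
```

The script exits non-zero when anything differs from its baseline, so cron's mail-on-output or a wrapper can raise the alert.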

    Processor "Management Engines":

    /u/SupposedlyImSmart on reddit 11/2018

    Intel's "Management Engine":
    Intel ME seems to be a big problem; maybe just avoid Intel chip-sets next time you buy a computer ?
    Wikipedia's "Intel Management Engine"
    Lily Hay Newman's "Intel Chip Flaws Leave Millions of Devices Exposed"
    Erica Portnoy and Peter Eckersley's "Intel's Management Engine is a security hazard, and users need a way to disable it"
    From someone on reddit:
    "Do you have an Intel CPU from the last 10+ years? If so, then yes ME is enabled. If it weren't via HAP, you'd know."
    Shane McGlaun's "Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut"
    "Sakaki's EFI Install Guide / Disabling the Intel Management Engine"
    Steven J. Vaughan-Nichols' "Computer vendors start disabling Intel Management Engine"
    corna's "me_cleaner"

    Test your system ?
    Intel's "INTEL-SA-00086 Detection Tool". Run it on Linux CLI via:
    sudo python2 intel_sa00086.py
    

    From someone on reddit:
    "After I did the firmware update for my version of IME, I just made sure and disabled everything relating to IME/vPro in my BIOS/UEFI settings and also disabled its related services and related serial port in device manager in Windows."

    AMD's "Secure Processor" (previously known as PSP):
    Chiefio's "For deep security, use ARM, avoid Intel & AMD processors"

    coreboot (Wikipedia's "coreboot")

    Anton Shilov's "HP's Endpoint Security Controller: More Details About A New Chip in HP Notebooks"
    Jessie Frazelle's "Why open source firmware is important for security"


  11. Sandbox applications:

    Run an application such as a browser inside a "sandbox" which prevents it from accessing files on your computer, or controls which files are accessible.

    Sandboxie (Windows only)
    Firejail (Linux only)
    AppArmor (Linux only)


  12. Separate computers for separate functions:

    It may be tempting to run a web server and database and routing software and network-storage disk and your personal stuff (browser, password manager, files, etc) all on the same box. It can be done, under Windows or Linux etc. But that greatly increases the chance that some bug or exploit lets an incoming attacker access your personal files. It's better to run all the server (incoming) stuff on one box, and all the personal (outgoing) stuff on another box. And set the firewall rules on each box to allow only what is needed on that box.

    Even better, run server-stuff on some commercial hosting service. Let them worry about 24/365 availability, bandwidth, disk space, updating, etc. But you'll have to pay for it.


  13. Turn off the computer:

    When not using the computer, turn it off, so attacks can't get in. Maybe turn off your entire LAN (by turning off the router) before going to bed at night ?

    Maybe put critical data on a thumb-drive or external drive, and only mount that drive for brief periods when you need to use that data.


  14. Connection security (protecting "data in motion"):

    Use encryption on your connection: encrypted Wi-Fi, HTTPS web sites, maybe VPN (see VPN section of my "Connection Security and Privacy" page). If you're using a mail application (such as Thunderbird) or an FTP application, make sure they're using encryption on their connection to the server.

    On your home network, make connections using Ethernet cables instead of Wi-Fi where possible (where the client device is close to the router/modem). A wired connection is faster and more secure than wireless. Similarly, when transferring data between phone and PC, using a USB cable is more secure than emailing the data or using some other across-the-internet method.

    Consider having separate home networks for your critical (computers, file server, phones) and untrusted (TV, refrigerator, security camera, baby monitor, game consoles, guest, etc) devices. This may mean having to use two routers.

    When choosing a name for your home Wi-Fi network, choose something bland such as "network27". Don't include your name or address or brand of router in the network name; that information would help an attacker. And the information may be included in bug reports and such.

    ilGur's "Smart HTTPS" browser extension

    wikiHow's "How to Secure Your Wireless Home Network"
    Eric Griffith's "12 Ways to Secure Your Wi-Fi Network"
    Decent Security's "Router configuration - easy security and improvements"
    David Murphy's "How to Make Your Wifi Router as Secure as Possible"
    Easy Linux tips project's "Wireless security: four popular myths and 12 tips"
    Lifehacker's "Top 10 Ways to Stay Safe On Public Wi-Fi Networks"
    Smart Home Gear Guide's "17 Lockdown Strategies To Secure Your WiFi Network From Hackers"
    Chris Hoffman's "How to See Who's Connected to Your Wi-Fi Network"
    UIC-ACCC's "How can I secure my internet connection?"
    But: Nick Mediati's "The EFF wants to improve your privacy by making your Wi-Fi public"

    From discussion on reddit, and elsewhere:

    Securing home Wi-Fi:
    • Use the WPA2 protocol. It has now been broken but the chances anyone will use it against you are slim.
    • Use a strong passphrase. Longer is better than more complex.
    • If you have a guest network, isolate it so it can access your internet but not your local network.
    • Where possible, use 5 GHz. It doesn't have good penetration so it's less likely to broadcast your network to your neighbors. Otherwise some routers will let you adjust the power of your broadcast.
    • Don't bother with MAC address filtering. It's just a headache and it's easy to bypass.
    • Apply any patches that are available, to clients and router.
    • Turn off WPS and UPnP and access to web interface/console from Wi-Fi.
    • Probably turn off telnet, SNMP, TFTP and SMI; they're usually unencrypted and/or insecure.

    Test your router configuration (turn off VPN first):
    See the "Port scanning and router testing" section of this page.

    Turn off any VPN, use IPChicken to get your network's current public IP address, then paste that into your browser's address bar, and see how your router responds when someone from outside tries to access your router on port 80. Also try the address with ":443" appended to it.

    Symantec's "Check Your Router for VPNFilter"

    Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
    That One Privacy Site (VPN and email comparisons)


  15. Application-level encryption:

    For communication apps, the person at the other end has to use the same software.

    Browser add-ons:
    SafeGmail (GMail only; Chrome only)
    Encipher.it (Chrome add-on, or client app; encrypt/decrypt blocks of text in any web page)

    Other solutions require you (and person at other end) to change email providers or use different applications. Not feasible, in my opinion.

    In your email client, if possible, turn off automatic display of HTML, images, and JavaScript. It's dangerous to let some random person send you a piece of software that executes in your client.

    Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

    End-to-end encrypted email:

    Features encrypted email should have:
    • End-to-end encryption: encrypt/decrypt done as close to the user as possible. Even so, it's still possible for a keylogger or something to grab the plaintext.
    • Encryption code installed once on user's machine, not every time you access email, so it's less likely to be suborned.
    • Encryption keys generated and held by the user: if code from the email provider is used to handle the keys, you can't be certain that the keys are safe.
    • Easy interoperability with other secure-email providers. Today, this is non-existent, to my knowledge. The best that is offered is that a user could extract keys and do PGP themselves.
    • Privacy statement that the email provider keeps no logs, doesn't read messages, etc. But usually they say they WILL cooperate (to the extent possible) with a valid court order.
    • Open-source policy. But this is not an absolute guarantee; how do you know if the source being released is what is actually run by the service, and how well has that source been reviewed ?
    • Located in a country with good privacy laws, and separate from your country. Having multiple jurisdictions makes it harder for someone to track you and serve legal papers to get your data.
    • Zero-knowledge policy on accounts: the provider shouldn't require your real name, address, credit card. Should allow access through a VPN.

    Highly recommended by security people: ProtonMail
    Eric Mann's "End-to-End Crypto: Secure Email"

    But they may have quirks. For example, apparently ProtonMail is incapable of sending a normal, plaintext email; only HTML-plus-plaintext or HTML-encrypted or internal-encrypted are supported ? Because the ProtonMail server can't decrypt your messages, it can't do vacation-forwarding or server-based content-based filtering.

    From someone on reddit 11/2018:
    Gmail is decades ahead of ProtonMail in terms of feature support.
    • really good spam filtering
    • nested labels w/ coloring, multiple star icons
    • multiple inbox support
    • machine learning based importance detection
    • autosuggested replies and autocomplete
    • advanced plugin ecosystem
    • plain HTML fallback version when JS isn't available

    12/2018: Some people are having issues because ProtonMail is fairly strict/correct about encryption headers/certs (maybe SPF) on incoming mail from other systems. Partly-bad mail that may be accepted straight into another provider gets bounced, delayed, and re-tried before it makes it into ProtonMail.

    From someone on reddit 12/2018:
    There is one downside to ProtonMail worth mentioning. They comply with OpenPGP standards so the mail envelope remains stored unencrypted thus allowing search requests on sender, recipients and subjects. But the mail body and attachments are encrypted so forget about webmail search on that content. You'll need an offline copy in a mail client to index and search locally. Unfortunately, the only way to do this with ProtonMail is to use their bridge application. I've tried and tried and it just won't sync an IMAP mailbox with 2GB of mails (less than 20k emails). I've sent logs to their support team without any solution in the end. I monitored the connection and it downloaded over 10GB to sync less than 200MB worth of emails. They throttle the connection or something. It's not easy to debug since everything is encrypted. But that's the point in the first place ...

    Don't get me wrong, ProtonMail is great, they have improved impressively in a short amount of time. They now allow the use of personal domains. But are they a suitable main email provider replacement? Not yet in my case. So I stick to FastMail for now, which has a web interface much faster and more full-featured than GMail or ProtonMail. But I must rely on a computer with a mail client to send PGP-encrypted emails. And I am super worried about the Australian AA bill. FastMail is Australian-based and the servers are in the US, so enjoy worldwide mass surveillance. But it's still better than GMail; I believe FastMail will not use my data to train some AI or to profile me to sell advertisers my soul.

    On any service where you aren't the sole holder of the keys, there are vulnerabilities:
    Wired's "Mr. Robot Uses ProtonMail, But It Still Isn't Fully Secure"
    Nadim Kobeissi's "An Analysis of the ProtonMail Cryptographic Architecture" (PDF)

    That One Privacy Site's "Email Section"
    PrxBx's "Privacy-Conscious Email Services"


    We need transparent encryption of email:

    I wish some large email provider, such as GMail or Yahoo Mail, would start using end-to-end (client-to-client) encryption routinely, and transparently. When you click the Send button, software (maybe an open-source browser plug-in) looks to see if your recipient has a preferred encryption method and public key registered anywhere (or if one is cached locally, via prior key-exchange). If recipient does, the message gets encrypted (by open-source browser plug-in) via that method before sending. If recipient is not registered anywhere, message goes unencrypted, as usual. Simple ! And now the email provider itself can't read or decrypt the messages, and can't decrypt them for the government.

    The company that does this first could seize the mantle of "privacy champion".

    They still could do targeted advertising based on keywords: the plug-in that does the encryption first extracts a few keywords, and then passes them on along with the encrypted message.

    Searching your messages on the server would be affected; the server wouldn't be able to read the text of the messages. I suppose you could do a search by sending all of the encrypted messages to the client (browser), and decrypting them and doing the search there, but that would be horribly inefficient (but possible). Or search-keywords could be sent to the server along with each encrypted message (compromising security a fair amount, but enabling searching).

    Spam-filtering would be affected. If a spammer is willing to look up your public key and encrypt their message to you, it will have to be caught on the client, not the server. That's an issue. Need an open-source spam-filter plug-in or something.

    The reason I want an existing large provider to do this, as opposed to new secure-email startups, is that the change by an existing large provider would immediately make encryption easily available to hundreds of millions of existing users. No need for users to change providers, with new UI and new email addresses and having to transfer their contact lists. Most users will NOT move to new secure-email services; we need to get encryption into existing services.

    Mailvelope is a bit like what I want, although it's far from as transparent and integrated as what I outlined (which requires changes by Google, Yahoo, etc).

    Google and Yahoo were working on a couple of end-to-end things, but as of 2/2017 seem to have dropped their efforts.

    This change is happening in the VOIP and IM markets, with WhatsApp and Skype changing to end-to-end encryption.

    Once we have end-to-end encrypted message bodies, a few changes could secure the meta-data better. Move the subject line inside the message body before encrypting, and move it back out when decrypting, so all of the servers and middlemen see only a dummy subject line. Encrypt the destination user's email address in some way that the destination server can decrypt, so only the originating client and the destination server and destination client know the full destination address (all other servers and middlemen can see the destination server name, but not the real destination user name). Do the same with the originating user's email address, in a way that only the originating server, originating client and destination client can decrypt. Example: a middleman would see "From: 5$33!8*AW@gmail.com To: 7^h$g#FS@yahoo.com Subject: none".

    GitHub's "Overview of projects working on next-generation secure email"


    Secure messaging (text, chat, voice, video):

    Some people say that internet email fundamentally can not be made very secure, without a total redesign. So they use non-email messaging.

    There is a convergence between text-chat and voice-call and video-call applications. Text-chat applications are adding voice and video, Skype has text, etc.

    Justin Carroll pointed out on a podcast:
    Many/most IM applications have the bad quality of using your phone number as your userID/username, making it impossible to keep your phone number private, and allowing people to voice-call or SMS you instead of only contacting you inside the IM application, etc. That's unfortunate.
    [Some that don't use phone number: Kik, Discord, Threema, Wickr Me, Riot, Wire, Tox ?]

    Some major choices:
    WhatsApp
    Signal
    Wire

    Don't just start using a service and assume it's totally secure by default. Go through all the account settings and maybe dial them down tighter.

    David Nield's "Best encrypted messaging apps 2019 for Android"
    Micah Lee's "Battle of the Secure Messaging Apps: How Signal Beats WhatsApp"
    Thorin Klosowski's "Secure Messaging App Showdown: WhatsApp vs. Signal"
    Hiding From The Internet's "Signal – Private Messenger"



  16. Data encryption (protecting "data at rest"):

    See "Data Encryption" section of my "Computer Theft Recovery" page


  17. Specific problems:

    Known bad software:

    Do not use these:

    Detect my Browser

    Remote-access software:
    Be very careful if you have remote-access software installed on your computer for some reason. If someone hacks it or it's misconfigured, the attacker can do anything you can do sitting at the computer, and it will look just like you doing it.

    Jason Fitzpatrick's "How to Lock Down TeamViewer for More Secure Remote Access"
    Rick Rouse's "Protect your Windows PC from hackers by disabling Quick Assist / Remote Assistance"

    Turn off macros in Microsoft Office.

    A bit suspicious, and a general way to stop specific applications from running in Windows:
    Martin Brinkmann's "How to block the Chrome Software Reporter Tool"


  18. Turn off features you don't use.

    Either turn them off permanently, or enable them only when you want to use them.

    Don't use Bluetooth, NFC, infrared, Cortana, Siri, location/GPS services, voice controls ? Turn them off completely, at the OS level. Don't use some old applications ? Uninstall them, or turn off their update background services.
    Rick Rouse's "How to turn off 'File and Printer Sharing' in Microsoft Windows"

    Maybe turn off location-monitoring services and apps in your smart-phone and browser. But your cell-phone company will always know where your phone is, if it's turned on, or maybe even just if it has a battery in it.

    Turn off the whole device if you're not going to use it for a while. Does your internet-connected computer need to be running 24/7 ?

    Put tape over the webcam on your laptop.
    Or software:
    Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"

    Turn off the microphone on your laptop or smartphone.
    Maybe put a dummy plug into the external microphone jack.
    Tape over the built-in microphone opening doesn't really work.
    Or software:
    Alan Henry's "How to Stop Web Sites from Potentially Listening to Your Microphone" (Chrome only)
    Jignesh Padhiyar's "How to Find and Prevent Apps from Accessing Your iPhone's Microphone in iOS 7"
    Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"
    The highest-confidence solution: physically unplug the built-in microphone inside the case, and always use an external microphone (plugged in only when you need it).

    Note: iPhones have 1 to 4 microphones, depending on model. Most Android phones have 1, some have 2.


  19. Know the features of your devices.



    Mozilla's "*privacy not included"
    David Murphy's "How to Keep Your Internet-Connected Device From Spying on You"

    Using router/modem supplied by your ISP:

    Parts of a router/modem:
    • WAN connector: connects to outside cable or phone line.
    • Modem: from WAN connector, converts fiber or phone signal to digital, sends to router.
    • Router: intelligence that converts between internal (LAN) and external (WAN) IP addresses, using NAT.
    • LAN Switch: connects all the parts of the local network: LAN side of router, Ethernet ports, Wi-Fi AP.
    • LAN Ethernet connector: wired connection to client device in home.
    • Telephone connector: wired connection to telephone in home.
    • USB connector: for a disk drive to be shared on the LAN.
    • Wi-Fi access point: wireless connection to Wi-Fi devices in home.

    From someone on reddit:
    If your ISP can access your modem (and if you're using an ISP-supplied modem, it'd be foolish to assume they can't), they can see anything your modem can potentially log (think SSIDs, MACs) via a little-known protocol known as CWMP. And this is to not even begin the implications that they could not simply be retrieving logs, but actively tampering with data. So yes, do not use ISP-given devices, get your own. This is critical.

    At the least, your ISP-supplied router could be reporting names and MAC addresses of all devices on your LAN. Names may be easy to change to something uninformative such as "laptop1". But MAC addresses could be more revealing, and used for tracking.
    Harrison Sand's "Your ISP is Probably Spying On You"

    From someone on reddit:
    > Do ISPs update router firmware and watch for malware ?

    Routers, in general, are not updated if they are not the latest and greatest router in their class. Long term support is typically lacking unless you install a 3rd party firmware. European ISPs are typically far better at updating their software than American and Canadian ISPs due to no laws requiring ISPs accountable to update their software if possible. More damning, routers typically don't even have patches available as they were discontinued support long ago.
    So it sounds like if you can't find firmware updates for your router, and it's more than a couple of years old, maybe best to just replace it. If it's ISP-owned, maybe ask if they have a newer model available, and if you can upgrade for low or no fee. If you own it, replace it or install DD-WRT or OpenWrt on it.

    Ways to avoid the ISP-supplied router/modem:
    • Ask ISP if you can replace it with a router/modem you own yourself.

      From someone on reddit:
      "Google for modem compatibility lists. You can generally find a site that sorts by state and ISP and lists which current model modems would or should work."

      If you want to run custom software in the router you own:
      Easy Linux tips project's "Tomato: set your router free"
      Easy Linux tips project's "DD-WRT on your router"

    • Check router's admin page, or ask ISP, if their router/modem can be set into "bridge mode", so you can add your own router behind it.

      This amounts to turning off the router and Wi-Fi in the ISP-supplied router/modem box, using router and Wi-Fi in your own new router box, and connecting the two boxes via an Ethernet cable. Connect all home devices (except telephone ?) to your box, not the ISP's box. Now the ISP-supplied box doesn't have access to your LAN, it just sees what comes out of the bridge-Ethernet port of your new router box.
    Ethan Robish's "Home Network Design - Part 1"



    Keep it simple. If you have your smartphone controlling your door-locks and security-cameras and automatically uploading photos to Google+ and accessing your LAN and the internet and the cell network, you really don't know everything that is happening and everything that can go wrong. Better to have some compartmentalization, some things that happen only on one device or happen only manually.



  20. Know the vulnerabilities of your devices.

    "The 'S' in 'IoT' stands for 'Security'."
    -- from Grumpy Old Geeks Podcast

    Are there any known security flaws in your internet-connected devices, especially devices you can't update ? For example, security cameras: article1, article2. And home Wi-Fi routers: article3.

    For each of your devices, read the manual, and do some internet searches for "exploit/vulnerability/hack/problem MANUFACTURERNAME model NNN".

    Some of the simpler-looking devices (tablets) may be the most vulnerable, because you probably don't install anti-virus on them, and they may not get security updates. Yet they're in your trusted local network, and could attack other devices.
    Rhett Jones's "A New Reason to Not Buy These Cheap Android Devices: Complimentary Malware"


    Especially dangerous are all-in-one devices with multiple connections. A fax-modem-copier-printer may connect to both a phone line and to your LAN; a flaw could let an attack come in the phone line and onto the LAN. A simpler attack could exhaust your expensive toner cartridge. Is the firmware updatable ? Is the manufacturer known and providing updates ? Don't leave the device powered on 24/365 unless absolutely necessary. Or unplug it from phone line and/or LAN except when needed.

    A smartphone probably is connected to both the cell data network and to your LAN; that's a potential vulnerability.

    Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"
    OWASP's "Internet of Things (IoT) Top 10 2018" (PDF)
    Brian Krebs' "Some Basic Rules for Securing Your IoT Stuff"
    Router Security's "Test Your Router" (also cameras, printers, etc)

    Testing webcam / security camera from inside (LAN side):

    Assuming camera's LAN IP address is 192.168.0.100:

    192.168.0.100/err.htm
    192.168.0.100:10554
    192.168.0.100:81
    192.168.0.100:23 (Telnet)
    192.168.0.100:2323 (Telnet)
    192.168.0.100

    If test from LAN side gives suspicious results, investigate from WAN side.

    Testing networked printer from inside (LAN side):

    Assuming printer's LAN IP address is 192.168.0.100:

    192.168.0.100:23 (Telnet)
    192.168.0.100:2323 (Telnet)
    192.168.0.100
    Probably ports 9100, 631, 515 will be open on the LAN side; this is normal. But they shouldn't be exposed on the WAN side.

    If test from LAN side gives suspicious results, investigate from WAN side.
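    The camera and printer checks listed above can be run from a computer on the same LAN with a short script. This is an added example, not something from the original page; the function names are made up here, the port labels other than Telnet are general knowledge rather than the page's, and a bare address is assumed to mean the web page on port 80.

```python
import http.client
import socket

# Ports taken from the lists above. The page itself only labels 23 and 2323
# (Telnet); the other labels are general knowledge added for readability.
CAMERA_PORTS = {80: "web page", 81: "alternate web port", 23: "Telnet",
                2323: "Telnet", 10554: "listed above, no label given"}
PRINTER_PORTS = {80: "web page", 23: "Telnet", 2323: "Telnet",
                 9100: "raw printing", 631: "IPP", 515: "LPD"}
# The page says these printer ports are normally open on the LAN side.
PRINTER_EXPECTED = frozenset({9100, 631, 515})


def check_port(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: all count as "not open to us".
        return False


def http_status(host, path="/", port=80, timeout=2.0):
    """Return the HTTP status code for GET path, or None if nothing answers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def audit_device(host, ports, expected=frozenset(), timeout=1.0):
    """Check every port in `ports` and return (port, label, status) tuples.

    Status is "closed", "open (expected on LAN)" for ports named in
    `expected`, or "open (review)" for anything else that answers.
    """
    results = []
    for port in sorted(ports):
        if not check_port(host, port, timeout):
            status = "closed"
        elif port in expected:
            status = "open (expected on LAN)"
        else:
            status = "open (review)"
        results.append((port, ports[port], status))
    return results


if __name__ == "__main__":
    device = "192.168.0.100"  # the example address used above; use your own device's
    print("Camera checks:")
    for port, label, status in audit_device(device, CAMERA_PORTS):
        print(f"  {device}:{port:<6} {label:<30} {status}")
    print("  GET /err.htm ->", http_status(device, "/err.htm"))
    print("Printer checks:")
    for port, label, status in audit_device(device, PRINTER_PORTS, PRINTER_EXPECTED):
        print(f"  {device}:{port:<6} {label:<30} {status}")
```

    Anything reported as "open (review)", especially Telnet, is the kind of result to follow up from the WAN side.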



  21. Would you know if your device was compromised ?

    Set honeytraps on your devices:


    Have log-files:

    • How can you turn on logging ?

    • Is there anything useful in the logs ? Do they record logins, commands run, etc ? Do you know how to read them and understand them ?

    • Are the logs copied to somewhere else for storage ? (Called "log shipping".) Otherwise an intruder could erase them.

    • How long are the logs kept ? How long a time-period do they cover ?

    Logging Made Easy (Windows only)



  22. Don't routinely use an Administrator-privileged account, use a non-Administrator account.

    Rick Rouse's "Why you should use a 'Standard' user account in Windows"

    From someone on reddit:
    > If I already have my account as admin
    > is there a way to demote it?

    Create another user account. Name it Admin or Bambi or whatever floats your boat at that particular second. Set that account as a system administrator. Log out of your current account and into the new account. Change your normal account to a standard user. Log out of the new admin account and back into your regular account.

    All of this is done through the 'User accounts' control panel applet.

    Similar in Linux: use a normal user account, and "sudo" when you need to do something as root.


  23. Keep account security info up-to-date:

    If your bank or credit card company sends you a security alert, but they send it to your old email address or old postal address, it doesn't do any good.

    If you have a login problem somewhere, and the web site says "no problem, verify by clicking link in your email", but they send it to your old email address, you're in trouble.

    If you never receive routine communications or verifications from your account at some company, figure out why and fix it, don't let it slide.


  24. Monitor your accounts for evidence of problems:

    At this point, there have been so many and such huge breaches (e.g. at OPM, Equifax, Anthem, more) that you should assume your Social Security number and DOB and credit-card info and email address have been stolen.

    Periodic checking:


    Maybe use an identity-theft warning service.

    Report freezing:

    Maybe freeze your credit (a "credit freeze" or "security freeze"; usually free to apply and $5 to remove) or institute a fraud alert (free, but not as good).
    US credit agencies: Equifax, Experian, TransUnion, Innovis, NCTUE, SageStream.
    Jason Lloyd's "Why You Should Freeze Your Credit Report"
    FTC's "Credit Freeze FAQs"
    William Charles' "Two Credit Bureaus You Should Freeze Before You Apply For A U.S Bank Credit Card"
    AJ Dellinger's "Equifax Operates Another Credit Bureau, and You Can't Freeze Your Report Online"
    From Brian Krebs' "The Lowdown on Freezing Your Kid's Credit":
    Some fans of my series explaining why I recommend that all adults place a freeze on their credit files have commented that one reason they like the freeze is that they believe it stops the credit bureaus from making tons of money tracking their financial histories and selling that data to other companies. Let me make this abundantly clear: Freezing your credit will not stop the bureaus from splicing, dicing and selling your financial history to third parties; it just stops new credit accounts from being opened in your name.
    Also, a credit freeze does not prevent a background check (by govt or corporation etc) from getting your data.

    Even if you have a credit freeze enabled, still check your credit reports every year or two, to make sure nothing incorrect or fraudulent appears on them.

    Maybe freeze your salary/employment history report.
    Salary/employment history agencies: Equifax Workforce Solutions (AKA The Work Number, AKA TALX), AccuSource, InVerify.
    [I requested my TALX report. It only had the very last year of my work history (I retired almost 20 years ago), but it did have my employer, job title, and salary for that year.]
    Alicia Adamczyk's "How to Review (and Dispute) the Salary Data Equifax Collects on You"
    KrebsOnSecurity's "How to Opt Out of Equifax Revealing Your Salary History"

    European credit-reporting agencies:
    Spain: Asnef-Equifax
    Spain: RAI (Registro de Aceptaciones Impagadas)
    Spain: Experian España
    Spain: CIRBE
    Germany: Schufa
    UK: TransUnion / Callcredit
    many more ...
    Haven Mortgages' "Credit Bureaus Around the World" (PDF)

    Check your status in a bank-account-monitoring service:
    ChexSystems' "Consumer Disclosure"
    LexisNexis' "Accurint Individual Access Program"
    [I requested my LexisNexis report. 42 pages, much of it repetitive. It showed 2/3 of the addresses I've lived at, and one address that was wrong. A boat that I had owned, but none of the cars I owned. None of my bank accounts or my credit card. Nothing about school or employment history.]
    [Sent an opt-out request to LexisNexis, and got a response (paraphrased): "Your request is approved and in process. Note that your info will remain in the following services: restricted public records products available to commercial and govt entities that meet credential requirements and are used to detect and prevent fraud, enforce transactions, perform due diligence and other critical business and govt functions; products regulated by the Fair Credit Reporting Act, third-party data available through real-time gateways; news; legal documents."]

    Bruce Schneier's "Protecting Yourself from Identity Theft"

    Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"

    A limited number of people can set a PIN on their IRS filings:
    IRS's "Get An Identity Protection PIN (IP PIN)"

    I think anyone can create an online account with the IRS, and better that you do it before some scammer does it for you:
    IRS's "View Your Account Information"

    Apparently the US Post Office has a notification service where they send email to you when something is about to be delivered. You want to register for this before some bad actor does so in your name.

    Sign up for your online US Social Security account (may require a trip to a SS office).
    Carissa Ratanaphanyarat's "Your Social Security Number Was Stolen! Now What?"
    Brian Krebs' "Crooks Hijack Retirement Funds Via SSA Portal"

    When someone uses your public reputation to get jobs:
    Relja Damnjanovic's "Freelancer Identity Theft: It Happened to Me - Here's What You Should Know"

    You can opt-out of some of this tracking:

    Opting out of everything probably is impossible, and a game of Whack-A-Mole. But at least hit some of the top places.

    Some opt-out services (on data-brokers, and on such services as Yahoo Mail) work by putting a cookie on your computer, telling their advertising code not to track you. But this conflicts with my desire to delete all cookies every time I close the browser.

    LexisNexis' "Individual Requests for Information Suppression Policy"
    SageStream Opt Out
    Acxiom Opt Out
    Palantir privacy statement

    Yael Grauer's "Here's a Long List of Data Broker Sites and How to Opt-Out of Them"
    Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
    StopDataMining.me's "Opt Out List"
    ParanoidsBible's "The Master Opt-Out List"
    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
    Elizabeth Harper's "How to Remove Yourself From People Search Directories"
    Alicia Adamczyk's "Run a Comprehensive Background Check on Yourself"

    From interesting audio podcast interview of a guy who runs people-search sites, The Complete Privacy & Security Podcast episode 071:

    There are maybe 6 big players in the people-search industry ( Pipl's "Removal from Search Results", BeenVerified, Spokeo, TruthFinder, Radaris, MyLife, Intelius ), and a hundred subsidiaries/affiliates of them, and a hundred smaller competitors. And maybe 3000 web sites, owned by those companies. But they may create dozens of new web sites every week or month, trying to get into the top-ten results on Google Search.

    Some of the companies make money through ads, but mostly they make money when someone views their free report and decides to subscribe to get their full report.

    These companies are scraping data from everywhere: from each other, from govt, from companies such as real-estate agencies, from any account you create that allows sharing your data with third parties, etc. Some governments will sell driver's license data or car registration data.

    Getting a company to "delete your record" is not best, because your info probably will flow back in from somewhere else a week or a month later, and they'll treat it as a new record because they no longer have a record of you. It's better to have them "block your info", so they keep a record but don't give it out (if they're ethical).

    Disinformation can work, but it won't hide any real information, and you have to be consistent, using the same false info again and again, as many places as possible.

    Name, address, phone are the key items used to correlate data from various places, but I'm sure SSN, DOB, credit-card number are used when available.

    Some big services used by private investigators and law-enforcement: Tracers, TLO, IRBsearch.

    Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
    Kristen V Brown's "Deleting Your Online DNA Data Is Brutally Difficult"
    Michael Bazzell's "Hiding from the Internet"

    If you're a victim of Identity Theft:

    • Immediately report it to your banks and other financial companies. Cancel cards and get new ones.

    • Immediately report it as "fraud alert" to one or more of the credit-reporting agencies.

    • If you know or suspect how it was done, change password and/or make report to that source.

    • Review past transactions going back a year or more; this may have been going on for a while. Dispute any fraudulent charges, correct any wrong info on credit reports.

    • Make a report to local police, even if they will do absolutely nothing about it and even if the problem is entirely online, not local. You will be putting a sworn statement on the record, and that will be useful to give to your banks, use in court, etc.

    • File identity-theft report with FTC: IdentityTheft.gov

    • Do items in the Report freezing section above, if you haven't done them already.

    • Change important passwords, even if they may seem unrelated to this problem.

    • Check social media postings to see if they could have revealed info used to create this problem.

    • Get copies of your credit reports every couple of months for the foreseeable future.

    ASecureLife's "Identity Theft Recovery Checklist" (PDF)
    Neil J. Rubenking's "5 Ways Identity Theft Can Ruin Your Life"
    Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"



  25. Simplify your life:

    Do you really need email accounts at N different providers ? Each one has to be secured. Really need accounts at Twitter, LinkedIn, Facebook, Snapchat, Instagram, Flickr, YouTube, 20 different online stores, etc ? Each one is a possible security or privacy problem. Really need 5 credit cards and accounts at 5 banks ? Reduce, simplify.


  26. Be smart:
    Be aware of security threats, and don't fall for them. Know how to recognize spam, scams, phishing attempts, and false alerts that say "something is wrong with your computer, better run this scanning software right away !". Be especially careful when downloading and installing software.

    Phishing:
    Phishing is when someone sends you something to trick you into giving away important information (such as your username and password, or credit card details).

    Phishing attempts usually come through email, but also they could be done through Instant Messaging, chat, SMS, a Facebook post, a web page you find through searching, even paper mail.

    My quiz about phishing emails to home users: Go to Phishing Test page 1 of 6

    Google's "Phishing Quiz"
    [I got only 6/8. I think that quiz proves that users need a LOT more help from browsers and email clients. Maybe email pages should have:
    • A same-origin policy to require all email addresses and links to be in the same domain.
    • An icon next to every URL so you can click and see the owner of the domain.
    • Text of every link forced to match exactly the URL of the link.
    ]

    SonicWall's "How is your Phishing IQ?"
    PhishingBox's "Phishing Test"
    OpenDNS's "Phishing Quiz"
    ProProfs' "5kazen Quiz - Phishing Scams"

    Wikipedia's "Phishing"

    Be especially careful in a big-money rushed situation such as closing a real-estate transaction (buying a house). A scammer may jump into the middle of the process and send you an email saying "okay, send the deposit money to bank account NNNNNNN, ASAP !". Always call to verify such things (better yet, get them in person and in writing), and find out up front how and where the money will be transferred.

    Max Eddy's "How To Protect Yourself From Social Engineering"
    Alan Henry's "Why Social Engineering Should Be Your Biggest Security Concern"
    IC3's "Internet Crime Prevention Tips"
    Decent Security's "How Computers Get Infected"

    If someone says "I got a strange email from you, your account must be hacked !":
    This does not necessarily mean someone has been "hacked". Perhaps some software scanned Facebook, found that A and B are Friends, and found A's email address in A's Facebook profile. Then a scammer sends an email to A, claiming to be from B.

    One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".
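    The "show details" check above, together with two of the checks suggested earlier for email pages (link text must match the link's URL, and links should stay in the sender's domain), can be run over a saved message. This is an added example, not code from the original page; `check_message`, `known_contacts` and the `.example` addresses in the constructed sample are assumptions, and "same domain" is a plain suffix match on the host name.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the display name is a known contact, the address is not,
# and the second link shows one host name while pointing at another.
SAMPLE = """\
From: "Bob Jones" <bob.jones@mail-notice.example>
To: alice@example.org
Subject: Photos
Content-Type: text/html; charset=utf-8

<p>Hi, see <a href="http://files.mail-notice.example/p">the photos</a>.</p>
<p>Then log in at <a href="http://login.badhost.example/x">www.mybank.example</a>.</p>
"""

# Link text that itself looks like a URL or a host name.
_URLISH = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(:\d+)?(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host name of a URL, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def _same_site(host, domain):
    return host == domain or host.endswith("." + domain)


def check_message(raw, known_contacts):
    """Return findings for one raw message.

    known_contacts maps a lower-cased display name to the set of addresses
    that person really uses. Findings are tuples:
      ("sender", name, address)       known name, unfamiliar address
      ("link-text", text, href)       visible URL differs from the target
      ("off-domain", host, domain)    link leaves the sender's domain
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    addr = addr.lower()
    sender_domain = addr.rpartition("@")[2]
    findings = []

    known = known_contacts.get(name.strip().lower())
    if known is not None and addr not in known:
        findings.append(("sender", name, addr))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = _host(href)
        if _URLISH.match(text) and _host(text) != target:
            findings.append(("link-text", text, href))
        if sender_domain and not _same_site(target, sender_domain):
            findings.append(("off-domain", target, sender_domain))
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE, {"bob jones": {"bob@example.net"}}):
        print(finding)
```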

    If you start getting a flood of junk emails from many sites, it could be that someone is harassing you, or it could be something more serious: If someone manages to break into your Amazon account, for example, and place an order, they might flood your InBox with junk so you don't see the real order confirmation email from Amazon.

    And of course scams are not just online, they also can come via phone or snail-mail or in person.
    Alan Henry's "Five Common Scams Directed at Seniors (and How to Avoid Them)"
    ACCC's "Scamwatch - Types of scams"


Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
ProtonVPN's "12 mistakes that can get your data hacked - and how to avoid them"
Decent Security's "Windows Security From The Ground Up"
Wired's "Guide to Digital Security"
PRISM Break
Security-in-a-Box
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Justin Carroll's "Thirty-Day Security Challenge"
Open Reference Architecture for Security and Privacy
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
ProtonMail's "A complete guide to Internet privacy"
Fried's "The Ultimate Guide to Online Privacy"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"











Online Privacy



  1. Don't put really private stuff online. At all.

    Naked pictures of yourself or your spouse ? Personal embarrassments ? Dark secrets ? Something illegal ? Just don't put it online, or transmit it over the internet. Maybe don't even put it on your computer or phone or camera.

    Either stop using social media, or use it more carefully.


  2. Give "them" as little data as possible.

    Don't fill in all of those "profile" fields. Why tell Facebook where you've worked, where you went to school, who your family members are ?


  3. Give them fake data.

    Don't give them your real birthday, or real mailing address, or real phone number. Misspell your name slightly.
    [But: if Facebook or whoever later challenges you to produce real ID to verify your account, and your info doesn't match, you'll lose the account.]

    Set Facebook profile fields for school, work, places lived to real, big places that have no actual connection to you. Let them sell misinformation.

    Similar when installing an OS, or using a brand-new PC for the first time. Give your PC a generic name like "laptopJ", create a user account with a generic name like "userK", instead of using your real full name. Those names will appear on networks and other places.

    But you can't give fake data to police or government or schools or insurance or banks. That may be illegal, or may come back to bite you later in some way.

    Location Guard
    mcastillof's "FakeTraveler" (Android only; fake GPS location)

    Maybe create fake personas:

    Create a fake name who lives at your real address:

    • Pick a simple, neutral name, such as "Alex Smith".

    • Create an email address that fits, such as A.Smith at gmail.

    • Get a pay-as-you-go SIM phone and use it for this person.

    • Get a Privacy.com virtual credit-card in their name.

    • Use one set of fake data (phone number, email address, gender, DOB, SSN, photo [not a stock photo from the internet], CC number, school history, work history) for this persona, and stick with it. Write it all down, print it out for easy use.

    • Use your real postal address.

    • Subscribe to a couple of cheap or free magazine trials (Forbes, Wired) in their name, using your real postal address.

    • Use this persona when ordering things online.

    The goal of this persona is to avoid giving out your real data, and make it look like someone else is living at your address, so maybe you have moved out.

    Associate your real name with lots of fake data:

    • Pick one set of fake data (phone number, postal address, email address, DOB not too far from your real DOB, SSN, school history, work history) and stick with it. Write it all down, print it out for easy use.

    • Use your real name, your real gender, your real photo.

    • For the postal address, maybe pick the address of some big hotel in the same county as your real address.

    • Maybe create a fake company ID-card with this data on it ? But there are few cases where you'd need to use it. Could be useful to hand over to a store-clerk when they demand your data, or just to help you remember your fake data.

    • Maybe create a Privacy.com credit card with this data on it ? But there are few cases where you'd be able to use it, since it would not be a physical card, and it would not be connected to your real postal address. The bills would be paid, so using it is not fraud, probably.

    • Create a free Wordpress blog page, giving the data of this persona, about some subject unrelated to you. If it looks like a personal business, you have an excuse to give address, phone number, and email address.

    • Maybe buy a domain-name that matches your real name, giving the data of this persona (although I think you'll need to give real email address). Create a web page giving this persona's data and unrelated subjects. [Probably a lot of work.]

    • Some people-search sites let you submit "corrected" data. Give them this persona's data.

    • Online, request quotes for home alarm-monitoring services.

    • Online, make a PasteBin page containing the info; they get scraped frequently.

    • If you have a burner phone number to use, maybe create a LinkedIn account for the fake persona.

    • Use this persona anywhere that data is demanded but you don't need/want to receive anything in postal mail or email. In retail stores, for unimportant online accounts, etc.

    The goal of this persona is to create fresh misleading data (in your real name) that is newer than your real data.

    Remember that you can't give fake data to police or government or schools or insurance or banks. That may be illegal, or may come back to bite you later in some way.

    Email address:

    What Google harvests from your accounts (mainly GMail), from someone on reddit 12/2018:

    ... I downloaded what supposedly is all the data Google keeps about me ...

    In my Takeout archive, there is a folder called "Purchases and reservations", which contains many files with all the anonymous* data that Google collected from my e-mails. This includes my purchases on all sorts of websites (Amazon, etc.), shipping updates and my flight/train reservations. ...

    My location data file freaked me out a little bit too, with all of its "ON_FOOT", "STILL" and "IN_ROAD_VEHICLE" strings, but I had my location history on, so that was to be expected. That text file alone is 82.7 megabytes - not bad, huh?

    If you have a Google account, I suggest you download all of your data from Google Takeout and check what it looks like with your own eyes.

    *Anonymous, in this particular case, means that my home address and my full name (albeit only in the reservation files), are written in plain text.

    It may be a good idea to have separate email addresses for family, work, financial, social, shopping.
    Hiding From The Internet's "Compartmentalization"

    You can get a disposable email address, which exists just long enough to finish registering somewhere: 10 Minute Mail, Mailinator, others.

    A service which will "screen" your real email address, phone number, credit card number by giving out different info which relays to your info: Blur (Stop giving out your real personal info online with MaskMe, a new privacy tool).

    A service which will "screen" your real email address, phone number, credit card number by giving out virtual info (but not relaying to your existing providers, I think): Sudo

    Another: "PlusPrivacy feature - email identity management"

    In your email client, turn off automatic display of HTML, images, and Javascript. It's dangerous to let some random person send you a piece of software that executes in your client.

    Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

    On the other hand, if you use an email client application (such as Thunderbird), your email is not stored on the email provider's server for very long, it's stored on your personal machine. Maybe you can find a provider that promises to erase your messages completely from their server after you retrieve them to your machine.

    Nitrous's "The Easy Way to Use PGP for Encrypting Emails on Windows, Mac & Linux " (if using Thunderbird)

    Changing your email address:
    Changing your email address on all accounts (such as from old insecure email service to a new secure email service) can be tricky. If your email address is used as your username on an account, the service may or may not let you change it. But if you can't change username, you still might be able to change email address used within the account. Worst case, you may have to delete the account and create a new one.

    You may be able to set your old email account to forward all messages to a new account. But this is bad as a permanent arrangement: it makes everything less reliable, the old provider still sees your mail, and you still have to manage the old account as well as the new one.
    Rick Rouse's "How to forward your Yahoo mail to another email account"


    Phone number:

    It may be a good idea to have separate phone numbers for family, work, financial, social, shopping.

    Nomad Gate's "How to Build Your Own Virtual Phone in Minutes"

    Sudo
    Google Voice
    Aircall
    flynumber
    SMS: Hushed
    TextNow

    Credit-card info:

    Even if you have a credit card with a chip in it, the magnetic stripe on that card still contains all of the info needed to do a transaction, and the stripe is easy to read. So keep a close eye on any merchant you hand your credit card to. And monitor your account for any unauthorized charges.

    If you want a fake number to satisfy a "free trial" web site, see .

    Virtual Credit Cards:
    You can get one or more Virtual Credit Card numbers. You may be able to set a purchase limit or time limit on the number. You might be able to get such a number from your existing credit card company.

    Such a number is virtual, not physical, so you can use it only online, not in a store. Don't use it for something you buy online but then pick up in person: air travel, hotel, rental car. Virtual numbers often don't work for overseas transactions, only within the country of origin. If your real number and all virtual numbers are issued by the same company, that company still can see all of your activity.

    I wonder about the legal implications of this. In USA at least, consumers have a lot of rights to dispute credit card charges and be protected against losses. What happens to those rights if charges are going through another service first ?

    Also, real credit cards often give accident insurance when renting a car, or trip-cancellation insurance when buying plane tickets.

    Online, paying with a service such as PayPal gives less data to the merchant than paying with a credit card. But not all merchants accept PayPal, and I'm not sure about protections and benefits when paying with PayPal.

    Neil J. Rubenking's "5 Things You Should Know About Virtual Credit Cards"
    Alan Henry's "Privacy Lets You Create 'Virtual' Credit Card Numbers, Deactivate One Instantly If It's Stolen"
    Rebecca Lake's "Why Virtual Credit Card Numbers Aren't Worth It"
    Simon Zhen's "Virtual Account Numbers: What You Need to Know"

    Blur
    Privacy.com
    Sudo (MySudo)

    My experience with Privacy.com 1/2018:

    Requires USA mailing address, requires email that can be verified, US phone number that can receive an SMS for verification. Will pay directly out of your bank account, so it requires your bank account username and password.

    Gave it credentials to my bank account at ETrade, but connection kept failing, they said there's a bug.

    A month later, I asked if they had fixed that bug, and instead they turned on ability to give ABA routing number and account number. I gave those numbers, they did 2 deposits to my account to confirm that it existed.

    A few days later, tried to create a number, and it failed. Turned out I hadn't quite finished the process, I was supposed to tell them exactly the amounts of the test-deposits.

    You can't create a physical credit card that carries a number created through Privacy.com, it won't work.

    Apparently each card you create can only be used at one merchant, the first where you use it. Not specified anywhere on the web site.

    Also not specified: what name is on the card. Asked Support, and got:
    In terms of name / billing, you can use any name and billing address / zip code with the merchant you would like, and we will return that it's correct when the merchant runs the charge.

    Please keep in mind though, merchants have sophisticated fraud checks on their end sometimes, so don't get too creative with the billing info or it might raise a flag in their system. Also if the transaction requires a shipping address, generally using a billing address in the same city is a good idea (for example, if the shipping address in San Francisco and the billing address is in New York it may trigger their fraud checks as well).
    So, you just have to give the right card number, CCV, and expiration date, and the card will work.

    From someone on reddit about Privacy.com 7/2018:
    Don't make multiple cards for same merchant, probably best to use same card for eBay and PayPal; there is an unstated daily spending limit as well as the stated monthly limit.

    Prepaid (debit) cards:
    You can get a physical card, so not just for online use. But refunds may get complicated. Any balance you load into the card might not be protected by banking laws, certainly not at the $50 limit of protection on a credit card.

    From someone on reddit 2/2018:
    Any card sold in the USA that is "reloadable" in some way must have a real SSN with matching name and Date of Birth on file. The only exception is the cards that are only loadable once and after the funds are gone, it is useless. You must have bought a reloadable one. You know that little folded-up piece of paper that folds out to about a legal-size sheet of paper with fine print on it? It is all in there. It also lets you know that the card can only be used within the USA and not outside of it. This includes online merchants and many online merchants in general are starting to block those cards regardless.

    Netspend


    Photo ID card:

    Official government ID that doesn't give away your address: passport, or US passport card (available for $55 when you renew your passport).

    Some people carry a fake ID, to show to businesses that demand photo ID. I think it's legal as long as it's not a fake of a government ID, and you're not committing fraud. A fake corporate employee ID card from a fake corporation, maybe. Maybe add this fake person as an authorized user to your real credit card ?

    Maybe in the future we'll get "decoy" tools or services: something that posts fake info online to make it harder for others to figure out your true info. Fake pictures of you, fake address, fake postings, etc.


  4. Maybe use login/password info from elsewhere, instead of using your own.

    BugMeNot
    login2.me


  5. Use "blockers".

    Several ways to do this:


    Many sites will stop working properly if you block scripts, some will refuse to work if ads are blocked, and some sites will not work even if you whitelist them in the blockers. You'll have to keep a "clean" copy of a browser (or browser profile) to use on those sites, and keep track of which sites require that special treatment.

    Side-effects of using too many privacy controls:
    • Increased chance of bugs.
    • Slower performance.
    • Increased attack surface (mainly in browser).
    • More things to keep updated.
    • More things to turn off if you really need to use some web site (such as your bank's site) that refuses to run without Javascript or cross-domain access or ads or something.

    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
    Mozilla Blog's "Make your Firefox browser a privacy superpower with these extensions"


  6. Set the "do not track" option in your browser to (maybe) stop "ad tracking".

    In Firefox, it's: Preferences - Privacy & Security - Content Blocking - Send websites a "Do Not Track" signal ...

    But: Jon Brodkin's "Yahoo is the latest company ignoring Web users' requests for privacy"


  7. Reduce "browser fingerprinting".

    When you use a browser to fetch a web page, the browser sends a "user agent" string that may say something like "firefox 54.0 on Windows 10". The same happens when a game console, media player application, etc. accesses the web. See WhoIsHostingThis's "What's My User Agent?". Other information is sent too: an "accept header" saying what types of media can be returned, and your preferred language(s).

    Then after the page is retrieved, Javascript code in the page can access your browser and determine more details about your configuration, such as your time-zone, your screen resolution, (with some effort, maybe using Canvas) what fonts are installed in your system, your browser's default language.

    All of this information can be used to form a "browser fingerprint" that may be unique to you, or close to unique.
    Am I Unique?'s "What is browser fingerprinting?"
    Lance Cottrell's "Browser fingerprints, and why they are so hard to erase"
    Mozilla Wiki's "Fingerprinting"

    This fingerprint can be used to track you, even across multiple web sites, even if you turn off cookies, change IP address, use a VPN, etc.

    Testing your fingerprint:
    EFF's "Is your browser safe against tracking?"
    BrowserLeaks.com
    Device Info
    Am I Unique ?
    Privacy.net's "Privacy Analyzer"
    BrowserAudit
    Detect my Browser

    Key ways to avoid fingerprinting:
    • Use an ad-blocker.
      uBlock Origin
    • Turn off Javascript.
      NoScript
      But this will break some sites (mostly some banks and govt sites), even if you whitelist them. Sometimes I have to switch to a different browser that does not have NoScript installed.
    • Minimize the number of browser add-ons you use.
    • Use a common browser and keep it updated.
    • Install multiple different browsers on your system, and use each for a different set of web sites.
    • Set the "do not track" option in your browser to (maybe) stop "ad tracking".
    • Set browser so it doesn't save usernames and passwords; verify using demo linked at Gunes Acar's "Web trackers exploit browser login managers".
    • New features coming in Firefox, from Tor: set privacy.resistFingerprinting to true.
    • Fake or random user-agent string.
      Paul Ferson's "How to Change the User Agents in Firefox, Chrome and IE"
    • Fake or disabled Canvas fingerprint.
      CanvasBlocker
      Canvas Defender
    • Fake or disabled WebGL fingerprint.
      CanvasBlocker
    • Fake or disabled WebRTC.
      CanvasBlocker ?
      Or in Firefox about:config, set "media.peerconnection.enabled" to false ?
    • Control system font list returned by browser ?
      In Firefox about:config, create a new string "font.system.whitelist" and set value to something like "Helvetica, Courier, Verdana". But for me, this made my fingerprint a lot worse.
    • Control installed plug-in list returned by browser.
      In Firefox about:config, set "plugins.enumerable_names" to empty.
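
    The fingerprinting mechanism and the avoidance list above, as an added example (not code from this page or from any tool it names): it counts how many visitors in a small constructed population are unique as attributes are combined, then shows that a fixed "everyone reports the same value" setting only helps when a crowd shares it. The visitor records and the normalize() model of an anti-fingerprinting mode are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample population (not real measurements). userAgent and
// language arrive in HTTP headers; timezone, screen and fonts are read by
// script once the page has loaded.
const mk = (userAgent, language, timezone, screen, fonts) =>
  ({ userAgent, language, timezone, screen, fonts });
const FF_WIN = 'Firefox 54.0 on Windows 10';
const CH_WIN = 'Chrome 59 on Windows 10';
const visitors = [
  mk(FF_WIN, 'en-US', 'America/New_York', '1920x1080', 'windows-default'),
  mk(FF_WIN, 'en-US', 'America/New_York', '1920x1080', 'windows-default'),
  mk(FF_WIN, 'en-US', 'America/Chicago', '1920x1080', 'windows-default'),
  mk(CH_WIN, 'en-US', 'America/New_York', '1366x768', 'windows-default'),
  mk(CH_WIN, 'es-ES', 'Europe/Madrid', '1920x1080', 'windows-default'),
  mk('Chrome 59 on macOS', 'en-US', 'America/Los_Angeles', '1440x900', 'mac-default'),
  mk('Firefox 54.0 on Linux', 'en-GB', 'Europe/London', '2560x1440', 'linux-default'),
  // Same profile as the first two visitors, but with a custom font list like
  // the font.system.whitelist value mentioned in the list above.
  mk(FF_WIN, 'en-US', 'America/New_York', '1920x1080', 'Helvetica, Courier, Verdana'),
];
const ALL_ATTRS = ['userAgent', 'language', 'timezone', 'screen', 'fonts'];

// A fingerprint is just the chosen attribute values joined into one key.
function fingerprint(visitor, attrs) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join('|');
}

// Map from fingerprint to the number of visitors sharing it.
function anonymitySets(population, attrs) {
  const sets = new Map();
  for (const v of population) {
    const key = fingerprint(v, attrs);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// How many visitors (including this one) look identical to the site.
function anonymitySetSize(population, attrs, visitor) {
  return anonymitySets(population, attrs).get(fingerprint(visitor, attrs)) || 0;
}

// Visitors whose fingerprint nobody else shares: trackable without cookies.
function uniqueCount(population, attrs) {
  let n = 0;
  for (const size of anonymitySets(population, attrs).values()) {
    if (size === 1) n += 1;
  }
  return n;
}

// Identifying information in bits: log2(population / anonymity set size).
function surprisalBits(population, attrs, visitor) {
  const size = anonymitySetSize(population, attrs, visitor);
  return size === 0 ? Infinity : Math.log2(population.length / size);
}

// Assumption: a simplified model of an anti-fingerprinting mode, in which
// the browser reports the same fixed values for every user who enables it.
function normalize(visitor) {
  return { ...visitor, language: 'en-US', timezone: 'UTC', screen: '1400x900', fonts: 'bundled' };
}

// Apply normalize() only to the visitors selected by shouldHarden.
function hardenSome(population, shouldHarden) {
  return population.map((v, i) => (shouldHarden(v, i) ? normalize(v) : v));
}

function summarize() {
  const oneUser = hardenSome(visitors, (v, i) => i === 0);
  const firefoxCrowd = hardenSome(visitors, (v) => v.userAgent.startsWith('Firefox'));
  return {
    // The user-agent string alone singles out only the rare browsers.
    uniqueByUserAgentOnly: uniqueCount(visitors, ['userAgent']),
    // Combining header and script-readable values singles out most visitors.
    uniqueByAllAttributes: uniqueCount(visitors, ALL_ATTRS),
    // A rare custom value puts its user in an anonymity set of one.
    customFontUserSetSize: anonymitySetSize(visitors, ALL_ATTRS, visitors[7]),
    // One person hardening alone stands out, and thins out the old group.
    uniqueWhenOneUserHardens: uniqueCount(oneUser, ALL_ATTRS),
    // When every Firefox user reports the same values, they blend together.
    uniqueWhenFirefoxCrowdHardens: uniqueCount(firefoxCrowd, ALL_ATTRS),
    customFontUserSetSizeInCrowd: anonymitySetSize(firefoxCrowd, ALL_ATTRS, firefoxCrowd[7]),
  };
}

console.log(summarize());
```

    In this constructed population, the visitor with the custom font list is unique until the same fixed values are shared by a crowd, which is the effect tests such as "Am I Unique ?" report as a worse fingerprint.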


  8. Minimize the number of things you use.

    Do you really need to use:
    • Each add-on you have installed in your browser ?
    • Each app you have installed on your phone ?
    • Each app you have installed on your computer ?
    • Each app you have allowed to access your Facebook account ?
    • Each app you have allowed to access your email account ?
    • Each social media site you use ?
    Every one of these is a potential point of failure: a thing that could be stealing and selling your data, or that could accidentally have a security vulnerability.


  9. Use the privacy controls in the ISP and social networks and sites you use.

    Very important: Log on to the web site for your ISP and find any privacy settings they have for your account.

    Facebook lets you control the access that Apps and external sites get to your data: go to Account - Privacy Settings - Apps and Websites - Edit your settings.
    Melanie Pinola's "The 'Nuclear' Option for Total Facebook App Privacy"

    Turn off your Google search history: here. Also Rick Rouse's "How to prevent Google from storing your search history and tracking your online activities"

    YouTube: profile - Video Manager - History - Clear All Viewing History, and then History - Pause Viewing History, and then Search History and do the same clear-and-pause.

    See and turn off data aggregating by BlueKai: here

    Handy central places to start:
    MyPermissions

    Instead of Google Search, use a service that promises not to track you:
    DuckDuckGo
    searx

    Privacy settings in Firefox browser:
    Privacy Settings add-on

    Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"


  10. Apparently, "opting out" via NAI stops targeted ads, but does not stop companies from tracking your activities.


  11. Delete most cookies every now and then.

    This does two things: gets rid of tracking cookies, and means that if someone sits down at your computer and opens a site they won't automatically be logged in to that site.

    BleachBit
    CCleaner

    Or delete all cookies every time you close the browser:
    Ian Paul's "How to automatically delete your cookies every time you close your browser"
    Chris Hoffman's "How to Automatically Clear Private Data When You Close Your Browser"
    But if you do this, you'll probably want to be using a password manager, because you'll be logging in to sites a lot.

    Or use extension Cookie AutoDelete to delete most cookies but save some of them.


  12. Encrypt your traffic: use HTTPS web sites, and/or a proxy or VPN.

    Definitely use HTTPS on all of your sensitive sites: email, financial.

    But not every HTTPS site implements security to the same level; you can test a site using:
    Qualys SSL Labs' "SSL Server Test"
    testssl.sh

    See my "Connection Security and Privacy" page about proxy and VPN.


  13. Don't always use the same IP address, or hide your IP address via a proxy or VPN.



    Changing IP address periodically:

    If you're connecting through a home Wi-Fi and cable router/modem (and no VPN), you probably can't change your external IP address. The router/modem probably is using one external IP address for all devices on your home network. To test this, open browsers on two devices simultaneously and go to showip.net on both devices. You'll probably see the same (external) IP address for both devices.

    Try power-cycling the fiber router/modem, and see if it comes up with a new external IP address. It may not. Try powering it off for longer, such as overnight.

    Try contacting your ISP and asking if they can change your IP address. If they ask for a reason, I guess you could say "to increase my privacy, to make it harder for advertisers to track me" ?

    If you're connecting some other way, you may have a chance of changing IP address. On Windows, create a CMD file containing "ipconfig /release && ipconfig /renew" and run it as Administrator. Check before and after, using showip.net.

    WikiHow's "How to Refresh Your IP Address on a Windows Computer"

    See my "Connection Security and Privacy" page for information about VPN, Proxy, Firewall, DNS, and more.

    If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

    If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.


  14. Stay logged out of Google and Facebook et al as much as possible, as you browse other sites.

    Or use some kind of "container" feature in your browser to isolate one tab from another (test via BrowserLeaks.com / Social Media Login Detection). Or use separate browsers or separate instances for multiple pages.


  15. Don't use everything from one company.

    If you use Google Apps, Google Docs, Google Sites, Chrome browser, GMail, Google search, Google Maps, and Google Drive, then of course Google is going to know a lot about you. Instead, compartmentalize it: ProtonMail, Facebook, some free web hosting service, Firefox browser, DuckDuckGo search, etc. Use Google only where you have to.


  16. You can delete your accounts on various services, although often they make it hard to find out how to do that.

    justdelete.me
    AccountKiller
    Deseat.me

    Some people say: instead of just deleting an account, first go in and delete as much of your data as you can, and change as much of the rest as you can to fake data (this is called "data poisoning"). Maybe let it sit in that state for a couple of weeks. Then delete your account.

    David Nield's "The Complete Guide to Dumping Google"


  17. Some people say: Don't use anything from the biggest tech companies: Google, Apple, Microsoft, Facebook, Amazon.

    I don't agree; I say be aware of the costs and benefits. Sure, maybe it's good to use alternatives when possible.

    But there seems to be no good alternative for Microsoft Office (apparently when you go beyond the simplest uses, LibreOffice just doesn't cut it). Maybe no good alternative for Facebook (80% of my friends and family are on there, and the Groups contain a wealth of knowledge and helpful people).

    For Android phone operating system, there are good alternatives (such as LineageOS), but installing them is not for the faint of heart. For e-readers, there are decent alternatives to the Amazon Kindle. For desktop/laptop OS, Linux is a viable alternative to Windows and Mac.

    Some people say: before deleting your social-media account (on Facebook, reddit, Google+, etc), "poison" it by adding false data, deleting or editing posts and comments, Liking lots of spurious stuff, etc. And let it sit that way for a couple of weeks before deleting the account. I don't agree. Editing your profile is fine. But deleting or editing existing posts and comments will damage the work of other people, those who responded to your post or had a conversation stimulated by your post. Doing lots of spurious posts or comments or Likes will flood your Friends with nonsense. Just edit your profile, let it sit, then delete your account.

    Kashmir Hill's "I Tried to Block Amazon From My Life. It Was Impossible."
    Kashmir Hill's "I Cut Facebook Out of My Life. Surprisingly, I Missed It"
    Kashmir Hill's "I Cut Google Out Of My Life. It Screwed Up Everything"
    Kashmir Hill's "I Cut Microsoft Out of My Life - or So I Thought"
    Kashmir Hill's "I Cut Apple Out of My Life. It Was Devastating"
    Kashmir Hill's "I Cut the 'Big Five' Tech Giants From My Life. It Was Hell"
    Daniel Oberhaus's "How I Quit Apple, Microsoft, Google, Facebook, and Amazon"
    Mike Felch's "How to Purge Google and Start Over - Part 2"

    switching.social (ethical alternatives)


  18. Deleting browser history really does nothing for your privacy, unless someone steals your computer and looks at your history.

    Bracelet


  19. Anything you store on a server may reduce your privacy.

    Your contact list in email, buddy list on instant messaging, Friends list on Facebook, etc. Any emails in your Inbox, or saved long-term in a "folder" within your email service. Okay, email or IM or Facebook won't function without those contact lists. But maybe you shouldn't use your email as a data store. And maybe you shouldn't keep anything except name and email/IM address or phone number in each Contact entry. Store postal addresses and anything else in some private contact manager.


  20. Using someone else's device.

    You have few rights to anything you store on or do with your employer's or school's computers or phones or networks. And you don't know how many administrators have access to the data, or what other companies the data may be shared with. Don't use them for private things.

    You don't know what software or viruses may be installed on a computer you use at a library, in an internet cafe, at work, at school, or at a friend's house. There may be a keylogger, a clipboard-scraper, some browser plug-in that harvests data from webmail, something that logs all your internet traffic, something that copies any USB drive you plug in, ransomware, viruses, etc. Be very reluctant to use your password manager or email or other accounts on such a machine. Two-factor authentication on logins can reduce some of the threat.

    If you have to stick a USB drive into such a machine, for example to print a document on their printer, treat the drive as infected from then on. And have as few documents as possible on the drive to begin with; all of them may get infected, or encrypted by ransomware.

    Kashmir Hill's "How To Tell If Your Boss Is Spying On You"


  21. Letting someone else onto your network.

    Your friend comes over to your place, and asks for the Wi-Fi password to connect their phone to your LAN.

    You have no idea what malware is on their device, or who else they may give that password to, or what traffic they may send through your internet connection. Suppose malware on their device starts spamming people on the internet, and your ISP shuts down your service ? Suppose your internet has a monthly data-cap, and their device starts torrenting or something ?

    It would be best to have a "guest" network defined in your router, but I think few ISP-supplied routers support that.


  22. There are more-aggressive things you can do, but I think the cost/inconvenience is too high for the benefit, in most cases. (And some of them require your friends to use the same applications, or adapt to your behavior.)



    Peter Bright and Dan Goodin's "Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away?"
    "The Hostile Email Landscape" (maybe from Jody Ribton)
    The Tin Hat's "How Do I Start An Anonymous Blog?"
    Kickball / awesome-selfhosted

    See "Windows User Moving to Linux" section of my Linux page.

    When you get to some high level of OPSEC, your behavior is as important as the tools you use. You may have to never use internet or phone from your known home location, always from elsewhere, for example.
    Douglas Goddard's "Technical Anonymity Guide"

    Virtual Machine:

    You can run a VM inside your real OS. It will look like a real machine to software, but then when you're finished doing stuff, you end the VM, and anything that happened inside it (including any bad stuff) is deleted.

    But some things I don't understand about this: So you can't bookmark any sites, unless you hop out of the VM and update the browser in your real OS ? If you download a picture or something, you can't get it out to the real machine, it's going to disappear when you shut down the VM ? If you want to copy something from web email to the clipboard, then save it in a file, that file will be in the VM, not the real OS ? If you log in to web email or reddit in the VM, and have a virus in the VM, it could do something nasty to your web email or reddit ? Do you never run a browser in the real OS ? Or you do only lightweight, throwaway browsing in the VM and do "serious" web stuff in the real OS ?

    From someone on reddit:
    VirtualBox has fixes for a lot of these. The clipboard is shared between OS and VM. It's essentially its own computer, so shutting it down keeps its state and everything. There are plugins for shared folders as well. Putting a document in the folder will make it available to both the VM and main OS.

    If you're using it for virus protection then you still need to be cautious. If you're on the VM and a pop-up comes up asking for your log in for a website, you should still not do it.

    The expectation sort of is that if you're technically literate enough to set up a VM, you should know how to avoid viruses, but if you do get ransomware on your machine or something, resetting the VM is much easier than on your main OS.

    From someone else on reddit:
    Note that a few of the "fixes" mentioned reduce the security of the VM. Many viruses can notice that they are being run in a VM by checking if those plugins are installed and act like a normal, legitimate program if they are running in a VM.

    Also, sharing resources (like files) between your real ("host") OS and the VM can put them at risk. If a ransomware runs in a VM where your files show up as a shared drive, those files will be affected too, even if you reset the VM.

    Despite all that, yeah, if you want very good security you can run things in a VM. It has many advantages.

    David Murphy's "How to Set Up a Virtual Machine for Free"



  23. Your friends and relatives are a threat to your privacy. They may post about you on social networks, put pictures of you online, mention you in emails.


  24. There is no such thing as total privacy, or perfect security. If the government or a spy agency or law enforcement really wants to get your data, they can get it.


Be safe on the internet
Watch Your Hack
privacytools.io
Paul Bischoff's "75+ free tools to protect your privacy online"
Fried's "The Ultimate Guide to Online Privacy"
Karegohan-And-Kamehameha's "privacyguide"
Noah Kelley's "A DIY Guide to Feminist Cybersecurity"
Sarah Jeong's "The Motherboard Guide to Avoiding State Surveillance"
"The Motherboard Guide to Not Getting Hacked"
PRISM Break
For Linux, mainly: "The paranoid #! Security Guide"
Do Son's "Destroy-Windows-10-Spying: Destroy Windows Spying tool"
Do Son's "Hardentools: disables a number of risky Windows features"
xkcd's "Security"



My desktop computer configuration:



Smartphones: Android, iPhone, etc
Smartphones are horrible for security and privacy. They constantly broadcast your location (to all cell-towers, not just those of your provider), they constantly look for known Wi-Fi networks, the cell-service provider knows your location and calls and messages, they're pre-loaded with apps you can't remove, all apps have a lot of access to your data, some apps have terrible security, etc.
Fieke Jansen and Helen Kilbey's "Cybersecurity Self-Defense: How to Make Your Smartphone More Secure"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Attedz's "Android Privacy Guide"
Brendan Hesse's "Double-Check That Your Android Antivirus App Actually Works"
PRISM Break
Joseph Cox's "T-Mobile, Sprint, and AT&T are selling access to their customers' location data ..."




My smartphone configuration:
Mainly, I use my phone for WhatsApp to a couple of people, for photography while walking around, and occasionally while in an airport or something. I try to keep as little as possible on it.




Facebook:
Facebook is a special case, because they know so much about you, and they have code on many other web sites, and they sell login services to many sites, and they buy data about you from other services.

Just for info: Facebook actually doesn't "sell your data". They provide two main services to advertisers: I'm sure they also sell more traditional services such as "display ad X to all people in ZIP code 12345".

Vicki Boykis' "What should you think about when using Facebook?"
Paul Bischoff's "How to stop Facebook from tracking you on sites that aren't Facebook"
Emily Price's "See if You're Using These Popular Android Apps That Overshare Info to Facebook"



Apple:
iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment



Minimizing knowledge and connections

Yegor S's "How to (actually) be anonymous online"



Reporting violations:

Suppose some software (app, browser add-on, application, web site) doesn't have a privacy policy, or has a policy that breaks the law, or has no way to request closing your account or deleting your data.




My account configurations:

[I don't use SMS 2FA; often my phone doesn't have cell service, what if I lost my phone, and SMS is insecure anyway.]











Anticipate problems



Back up your data:



Data you could back up:


Places to back up to:


Ways to manage the backup process:

Note that a "sync" feature is not a backup. If something is deleted or corrupted on one end of it, that thing will be deleted or corrupted on the other end too. Usually.
David Murphy's "Why Did iCloud Delete All of My Photos?"

Think about how you would restore to a complete new computer if necessary:





Maintain a secondary email account, preferably on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary.



Think ahead: what happens if your laptop display suddenly fails, and you need to send it out for repair ? Is any important info on disk encrypted ? Or can you remove the disk entirely before sending the laptop to the shop ? Also, for other repairs, make it clear to the repair shop whether wiping all the data is okay.

Think ahead: what happens if your phone suddenly fails or is stolen ? How would people contact you ? Would any accounts with two-factor authentication be disabled ?

If your laptop or phone is absolutely critical to you, can't be without it for more than a few hours, maybe you should have a spare waiting ready to use.

Think ahead: what happens if your wallet or purse is stolen ? Do you have the info needed to notify your credit-card company, your bank, etc ? Do you have any papers in there with login details or PINs written down ?



Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email from laptop or internet cafe (seems not to happen when accessed from phone), you get "hey, we see a login attempt from a new country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.

Something similar can happen if someone tries to brute-force their way into your cloud or email account. The provider won't let them log in, but may turn off account access for everyone (including you) until you provide extra verification. Better hope you have that info.



From DrStephenPoop on reddit:

> BACK UP YOUR DATA

And not just what's on your hard drive.

Do not trust the cloud!

Google recently ended my account for an unidentified TOS violation. I am not sure what I did. I just logged into gmail one day and instead of an inbox I saw a message saying my account had been disabled. I lost:

8 years of email contacts

6 years of favorited YouTube videos

About a dozen videos I made with my brother that were uploaded to YouTube.

All my Drive/Doc files including original writing.

My passwords to several sites, including banking and insurance sites.

Three albums I had purchased from Google Play.

Here's the kicker: I was a google believer. I am one of the 5 or so non-developers who actually owns a first generation Chromebook. I believed in the cloud!

Use and enjoy Google's services, but do NOT rely on them. Even though you buy their computers and purchase music from them, you are STILL not the consumer with google. You are the product (sold to advertisers). So when you are shut out from their garden, you have no customer service to appeal to, or to even find out why you got tossed. You might as well be staring at an angel with a flaming sword, wondering where your pants are.

> Didn't you contact Support ?

When you get the "your account has been disabled" screen, they give you a link to voice your grievance. After submitting, you get a message that says something to the effect of: "If we find we have reason to contact you, we will contact you."

You can also go to the community forums and plead for help. Sometimes someone associated with google will actually say: "I'll have people take a look at this." In all my pleas, I never got a response. That is as far as support goes. You are not a customer. You are the product, and you are merely a commodity. Have you ever heard of "commodity support"?

Tienlon Ho's "Can You Live Without Google?"

From someone on reddit:

A few days ago my Facebook account was disabled suddenly and without warning. I've gone through what I thought was a fairly routine appeals process - filled in the form they link you to when you try to log in and included a scan of my photo ID as they requested to prove I'm a real person etc. However, I just received an email from Facebook saying the following:

> ... Upon investigation, we have determined that you
> are ineligible to use Facebook. ... Unfortunately, for
> safety and security reasons, we cannot provide
> additional information as to why your account
> was disabled. This decision is final. ...

This is really bizarre and quite upsetting - it's easy to forget just how much we rely on this service. If I can't get my account reactivated, that's six years of content (and memories) lost, and a huge blow to my ability to keep in contact with some friends and family.

The only possible reason I can think of for my account being disabled is what I was doing at the time - sending some photos to someone through the private messaging system. Some of the photos were (mildly) adult in nature (at her request!) which could be deemed a breach of the Community Standards if you look at it in strict black and white terms ("Facebook has a strict policy against the sharing of pornographic content"). However I can't bring myself to believe that there is someone monitoring private message attachments and instantly banning people if they see boobs. Beyond that, I genuinely can't conceive of a reason as to why my account was singled out for anything.

Any advice would be appreciated as to what I should do next - I am not yet willing to just give up and lose all of that content. I have replied to the email, though I doubt anyone will read it, but beyond that there's really no other contact options I can see, and Googling this problem does not produce much beyond more horror stories like this.

From /u/sugarbreach on reddit:

I am writing this to warn Google users to back up their data, and to realize that everything you take for granted can be taken away in an instant.

About a week ago I attempted to log into my Gmail account and was greeted with a page saying my account was disabled. It says that it was disabled due to a perceived violation of the terms of service and product specific policies. I have read and reread the google terms of service, and I know I haven't done anything to violate them. The only possibility I can think of is that someone may have hacked into my account. I have been an enthusiastic gmail user since it first came out in beta, and you had to be invited to get an account. I have relied on google apps to make my life easier. I have filled in their account recovery form, and even tried calling members of the Gmail team, but have had no luck. I also have posted on the gmail help forum, but an expert there said he contacted google and there was nothing he could do and google wouldn't tell him anything "for privacy reasons".

This has created the ultimate real-life nightmare, and has turned my life upside down, a few examples of which are listed below.

All of my contacts were linked to this account. I now do not have access to emails, phone numbers, addresses, etc.

My google voice telephone number is no longer working. I had this phone number on my business cards and email signature, and now when someone dials the number, they are given an error recording. "We could not complete your call, please try again".

My youtube account with many videos I cherished of my children is now gone.

I have all of my photos backed up to the account for nearly my entire life, as I thought this was the safest place to keep them (the cloud!) I have photos of my beloved grandparents who have since passed away, and the thought that I can no longer access these photos makes me sick. I also have thousands of pictures from vacations and of my children that I fear are gone forever.

A nice chromebook that I purchased to access all of the google apps is now almost useless since my account has been disabled.

I have multiple documents in my google drive that I have spent hours of work on, and can no longer access them.

I placed an enormous amount of faith and trust into google's products and services, as millions of people have worldwide. It is a shame that something this important in someone's life cannot even warrant a response from a live person at Google.

I have been very depressed because my entire life was encased in google's products, and now everything is gone.

Again, I am writing this to warn others that this can happen to anyone at any time, so it would be wise to back up treasured items in your google account. Ironically, google provides the means to do this through their "takeout" app, which I did not learn about until after my account was disabled. If there is anyone out there reading this that can offer any guidance for getting my account reinstated, I would sure appreciate it!

If you lose a cloud account, you can lose stored data, your calendar, remaining time on a subscription, any accumulated credit or gift cards, and the network link that makes some device (such as Amazon Echo, Google Home, etc) work.

Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does it let everything get shared, but if Facebook or Google ever deactivates your account for some reason, you've lost access to those other sites too.

Maybe some people don't consider their email to be "cloud data", but it is. If you're saving 10 years of past emails in GMail or Hotmail or something, it may be valuable to you, and it may be used by a hacker if your account gets hacked. It's also hard to back up. I'm a big believer in keeping your email account as close to empty as feasible. Clean it out !

If you do backups to the cloud, don't leave those backups accessible via a "cloud drive" that is always mounted (shows up as drive H: or something). If you get a virus, it may affect files on all physical drives and mounted cloud drives.

Apparently, automatic cloud backups of your phone data can expire and be deleted if you don't use your phone for many months. Android backups in Google Drive Backup are deleted if you don't use the phone for 2 months ? iPhone backups in iCloud are deleted if the iCloud account is not used for 6 months ?

A factor to consider: today's cloud backup may be encrypted so well that no one can crack it. But that encrypted data may still be available somewhere in the cloud 20 years from now, and maybe 20-years-future technology WILL be able to crack today's encryption.

Do "backups" of old non-electronic data, such as family photos and diplomas and such. Scan them and back up the images.

From Justin Carroll on an ITRH podcast:
Kinds of information (for you and everyone in family, and pets) you should have backed up and available (carry with you) in event of a disaster:

Do a "backup" of your own memory: in a simple text file, write a summary autobiography. Dates and places you lived, went to school, worked, traveled, etc. Names of friends, roommates, coworkers, etc. Memory fades over time.

Jon Christian's "Deleting the Family Tree"
DanDeals' "PSA: Don't Mess With The Google!"
Alex Hern's "Pixel phone resellers banned from using Google accounts"
"A few reasons not to organise on Facebook"

Eric Griffith's "Back Up Your Cloud: How to Download All Your Data"
Adam Dachis's "How to Protect Your Data in the Event of a Webapp Shutdown"

And of course back up your local data, not just your cloud data.
How-To Geek's "What's the Best Way to Back Up My Computer?"
Eric Griffith's "The Beginner's Guide to PC Backup"
/r/techsupport's "backuptools wiki"

Rick Rouse's "How to create a System Repair Disc and System Image Backup in Windows 10"

Rick Rouse's "Why you need a battery backup device for your computer"

Is there any one thing you have where you can say "geez, if I ever lost that I'd be TOTALLY screwed" ? Then figure out a way to back up that thing, or reduce your reliance on that thing.

See My "Computer Theft Recovery" page







Miscellaneous



From someone on reddit:

The basic methods of "hacking" accounts are:







Threats:

[Generally from most likely to least likely:]
  1. Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.)

  2. Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their Contacts list, which contains your name and email and address and phone number and birthday. They tag you in Facebook photographs, or mention that you were with them at some wild party.)
    Your browser history


  3. Your ex-spouse, former friends who now are enemies, former coworkers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
    Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide")

  4. Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.

  5. Corporations selling your meta-data or data to advertisers.

  6. Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.

  7. Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.

  8. Data criminals and hackers. (Identity thieves, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or coinmining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer:)
    Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
    Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000"

  9. Casual snoops or thieves.
    (Although with snooping software, "casual" capabilities are increasing.)

  10. Law enforcement (recording everyone's activity, such as cell-phone locations and car license plates).

  11. Internet vigilantes or lynch mobs or public shaming.
    (E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)
    Kashmir Hill's "When a Stranger Decides to Destroy Your Life"

  12. Reporters.

  13. Private investigators and lawyers. (They have some access to government databases and powers.)

  14. Law enforcement (specifically targeting you).
    Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
    Andy Greenberg's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
    EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"

  15. Foreign government intelligence agency. (Highest technical ability, but no legal authority.)

  16. Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority.)

Sean Gallagher's "How I learned to stop worrying (mostly) and love my threat model"
Wired's "Guide to Digital Security - Choose Your Security Profile"
EFF's "Your Security Plan"

No matter what protection you propose, some people will say "oh, the NSA has cracked that !". First, how do they know ? Second, a counter-measure still may be worth using even if the NSA could crack it; NSA is not the only threat or main threat. Third, just because NSA could crack something, doesn't mean they would spend the resources to crack your messages.

And some people say "trust no one !". Well, I think it is reasonable to trust the CPU chip vendors, and the compiler-writers. I don't see how useful "backdoors" could be built into those things (and I have BS and MS degrees in Computer Science). Trusting the OS vendors is a little more dubious; I guess I trust the basic OS, but maybe not all of the standard apps and services supplied with them. Same for trusting browser vendors.

Of course, if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.

Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems ("6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.

A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
John Shiffman and Kristina Cooke's "U.S. directs agents to cover up program used to investigate Americans"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"



Costs of counter-measures:


Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"



When living away from home:

If you're staying in a hotel room, AirBNB, or friend's house, and connecting to their network:



General counter-measures:




How to attack cryptography:

[From hardest to easiest:]
  1. Find a flaw in the mathematics (extremely unlikely).

  2. Find a flaw in the algorithm.

  3. Find a flaw in the crypto software.

  4. Brute-force password-guessing.

  5. Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).

  6. Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).

  7. Human problems (password exposed or easily guessed, social engineering, etc).

  8. Legal tools (warrant or subpoena to get encryption keys or tap traffic).




Low-tech solutions:




Things that may not increase security and privacy:




Operating systems and environments:



Buying or setting up a brand-new device:




Buying or setting up a used device:

Be VERY careful if you've bought a device through EBay or Craigslist or similar, especially if the device has anything to do with financial or security stuff.

Maybe start with a factory reset ? Update or re-install software, and change passwords.

Kai Sedgwick's "Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller"



Getting rid of a device:

Lexy Savvides' "How to wipe your phone or tablet before you sell it"
Patrick Lucas Austin's "Disable iCloud Before You Get Rid of Your Mac"
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"



Living dangerously:

If you really, really want to download and run something that could be dangerous:



Testing your privacy and security:

Linux Security's "Security Tools"
Micah Lee's "It's Impossible to Prove Your Laptop Hasn't Been Hacked. I Spent Two Years Finding Out."



New things we need to increase our privacy or security:



"Privacy" from incoming abuse:

If people are saying nasty things to and about you online: Rebecca Fishbein's "What to Do If You're a Victim of Revenge Porn"



Physical security and privacy:



Family issues:

ProtonMail's "How to protect your children's privacy online"



Do a periodic check and cleanup:




If you own a web site:



Port scanning or router testing:

Web sites (testing from WAN side) (turn off your VPN to use these):


Testing router from inside (LAN side):
Assuming router's LAN IP address is 192.168.0.1:

These should give 404 or nothing:
192.168.0.1/HNAP1
192.168.0.1/cgi-bin/config.exp
192.168.0.1/cgi-bin/export_debug_msg.exp
192.168.0.1/cgi/cgi_status.js
192.168.0.1/BRS_netgear_success.html
192.168.0.1/cgi-bin/;echo$IFS'Vulnerable'
192.168.0.1:32764 (backdoor on some routers)
192.168.0.1:19541
192.168.0.1:8080
192.168.0.1:8443
192.168.0.1:7547 (TR-069 or CPE WAN Management Protocol (CWMP))
192.168.0.1:23 (Telnet)
192.168.0.1:2323 (Telnet)
This probably should give a login page:
192.168.0.1:80 (HTTP)
This probably will give 404 or nothing:
192.168.0.1:443 (HTTPS)

If you have nmap:
# increase verbosity level, aggressive scan, no ping / skip discovery,
# open ports, show reason it's open, probe for service version info,
# use default script, do all ports, address 192.168.0.1
nmap -v -A -Pn --open --reason -sV -sC -p 1-65535 192.168.0.1

# increase verbosity level, no ping / skip discovery,
# open ports, UDP scan, max delay 50ms between probes,
# no retries, do all ports, address 192.168.0.1
sudo nmap -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -p 1-65535 192.168.0.1
If the test from the LAN side gives suspicious results, go to the previous section and investigate from the WAN side.
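The LAN-side checks listed above can be scripted. The following is an added example, not part of the original page: it assumes the router is at 192.168.0.1 as above, uses only Python's standard library, covers a subset of the listed URLs, and all function names are made up for this illustration.

```python
import http.client
import socket

# Checks taken from the list above (a subset of the URLs). The page expects
# these ports to be closed and these URLs to give 404 or no answer at all.
PORTS_EXPECT_CLOSED = [32764, 19541, 8080, 8443, 7547, 23, 2323]
PATHS_EXPECT_404 = [
    "/HNAP1",
    "/cgi-bin/export_debug_msg.exp",
    "/cgi/cgi_status.js",
    "/BRS_netgear_success.html",
]


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def http_status(host, path, port=80, timeout=3.0):
    """Return the HTTP status code for GET path, or None if nothing answers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify_path(status):
    """Apply the page's rule: 404 or no answer is fine.

    Anything else (200, 401, a redirect to the login page, ...) means the
    router handles that URL in some way and deserves a manual look.
    """
    if status is None or status == 404:
        return "ok"
    return "investigate"


def audit_router(host="192.168.0.1", http_port=80):
    """Run all checks and return a list of (check, result, verdict) tuples."""
    findings = []
    for port in PORTS_EXPECT_CLOSED:
        is_open = tcp_port_open(host, port)
        findings.append((f"tcp/{port}", "open" if is_open else "closed",
                         "investigate" if is_open else "ok"))
    for path in PATHS_EXPECT_404:
        status = http_status(host, path, port=http_port)
        findings.append((path, status, classify_path(status)))
    return findings


if __name__ == "__main__":
    for check, result, verdict in audit_router():
        print(f"{verdict:12} {check:35} {result}")
```

Run it from a computer on your own LAN; every line marked "investigate" is something to look up for your router model.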

Testing IPv6:
Your PC's IPv6 localhost address: [::1]
Same address written fully: [0000:0000:0000:0000:0000:0000:0000:0001]
Real IPv6 address on public internet: [2600::] (Sprint)

There is no standard IPv6 LAN address for the router, equivalent to 192.168.0.1 in IPv4. IPv6 addresses on your LAN are used on the WAN too, so your router's IPv6 address has to be assigned by your ISP.

IPv6 addresses starting with FC00 or FD00 are LAN-only.

Depending on your /etc/hosts file, IPv6 names may include: ip6-localhost, ip6-loopback, ip6-allnodes, ip6-allrouters, or similar starting with "ipv6-" instead of "ip6-". Try "ping6" to them.

If you have nmap:
# not sure these are right, I have IPv6 disabled so I can't test them !

# IPv6, increase verbosity level, aggressive scan, no ping / skip discovery,
# open ports, show reason it's open, no DNS resolution, probe for service version info,
# use default script, do all ports, address ::1
nmap -6 -v -A -Pn --open --reason -n -sV -sC -p 1-65535 ::1

# IPv6, increase verbosity level, no ping / skip discovery,
# open ports, UDP scan, max delay 50ms between probes,
# no retries, no DNS resolution, do all ports, address ::1
sudo nmap -6 -v -Pn --open -sU --max-scan-delay 50ms --max-retries 0 -n -p 1-65535 ::1

Free Android apps:


PC applications:

Lee Munson's "Penetration testing for the home computer user"
TechIncidents' "Penetration Testing Checklist with Android, windows, Apple & Blackberry Phones"
Online Tech Tips' "How to Scan Your Network for Devices and Open Ports"
Spiceworks thread "How can I pen test my own network?" (more about business networks)
Paul Wagenseil's "Your Router's Security Stinks: Here's How to Fix It"


From StackExchange's "Best way to test my home network from the outside":
If you decide to perform a scan from the Internet you may want to give your ISP a heads-up to avoid any trouble.

I run scans on my home IP from a Linode account [virtual Linux box on a cloud service]. Any VPS that doesn't filter your outbound traffic should work (just make sure it doesn't violate your TOS).

First run a full scan against your home IP address. Expect to find only the ports you know you have explicitly opened open. Expect everything else to be "filtered".

Then verify that it is your home router that is performing the filtering and not your ISP. To do this, open a port on your router and rerun the scan. Expect that the port you have opened is detected as open by your scanner. If you find that you still see this port as filtered, then your ISP may be blocking that port. If so, this isn't necessarily a problem, but it means that the previous test didn't test your router, it tested the network connection to your router. Don't forget to disable the port when you're done.

If you want to test your router in isolation, and your router isn't built in to the modem, then you can test it as follows:
  1. Disconnect the router from your modem. (Where "modem" is whatever device connects from your LAN to your ISP's network.)

  2. Connect a second computer to the WAN port on the router. Configure this computer with a static IP address that is independent of the LAN addresses used by your router.

  3. You may need to turn on a DHCP server on the second computer so that the router's WAN interface gets an IP address as usual.

  4. Perform the scans described above from the second computer.


To deliberately create an open port on your computer (to see if your testing catches it), on Linux run "netcat -4 -k -l -v PORTNUM" (IPv4 TCP) or "netcat -6 -k -l -u -v PORTNUM" (IPv6 UDP) or similar. Use port number 22 (SSH) or 80 (HTTP) if it should be closed in your system; that open port should be caught by any tester.
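One way to apply the advice above (only the ports you opened should be open, and a deliberately opened test port should be caught) is to compare a saved scan against an allow-list. This is an added example, not from the original page or the quoted answer; it assumes the scan was saved with nmap's grepable output option (-oG), and the sample scan text and function names are constructed for illustration.

```python
# Constructed sample of "nmap -oG -" output; 203.0.113.7 is a documentation
# address standing in for a home IP. Not taken from the page.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Mon Mar  4 10:00:00 2019 as: nmap -Pn -p 1-65535 -oG - 203.0.113.7
Host: 203.0.113.7 ()\tStatus: Up
Host: 203.0.113.7 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, 443/open/tcp//https///, 7547/open/tcp//cwmp///\tIgnored State: filtered (65531)
# Nmap done at Mon Mar  4 10:20:00 2019 -- 1 IP address (1 host up) scanned
"""


def parse_grepable(text):
    """Return {(protocol, port): state} from nmap grepable (-oG) output."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        for field in line.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Each entry looks like: port/state/protocol/owner/service/...
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[0].isdigit():
                    ports[(parts[2], int(parts[0]))] = parts[1]
    return ports


def review_scan(ports, expected_open):
    """Compare scan results with the ports you opened on purpose.

    unexpected_open: open ports that are not on your allow-list.
    expected_but_not_open: ports you opened that the scanner did not see as
    open; ports missing from the output count as filtered. Per the answer
    above, this can mean your ISP is filtering before traffic reaches the router.
    """
    unexpected = sorted(key for key, state in ports.items()
                        if state == "open" and key not in expected_open)
    missing = sorted(key for key in expected_open
                     if ports.get(key, "filtered") != "open")
    return {"unexpected_open": unexpected, "expected_but_not_open": missing}


if __name__ == "__main__":
    # Hypothetical allow-list: ports this household forwarded on purpose.
    allow = {("tcp", 443), ("tcp", 8443)}
    report = review_scan(parse_grepable(SAMPLE_SCAN), allow)
    for proto, port in report["unexpected_open"]:
        print(f"unexpected open port: {port}/{proto}")
    for proto, port in report["expected_but_not_open"]:
        print(f"opened on router but not seen open: {port}/{proto}")
```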



Good audio podcasts:
The Complete Privacy & Security Podcast
Security In Five Podcast

Crypto|Seb's "The Crypto | Paper"

Brendan Hesse's "How to Submit a Bug Report to Apple, Google, Facebook, Twitter, Microsoft, and More"






This page updated: March 2019
