TL;DR about computer safety, security and privacy:

  • Don't put really private stuff on electronic devices or on the internet. Or keep it on an external hard drive that usually is disconnected, or in an encrypted container that usually is unmounted.

  • Set passwords on your devices. Even the same 4-digit PIN on all of your devices; some password is better than no password.

  • Write your email address on the outside of your devices and on their lock screens, so that if they're lost, someone can return them to you.

  • Make backups of your important data, using both an external disk drive and a cloud service.

  • Keep your important software updated. Turn on auto-update where possible.

  • Install an anti-virus program.

  • Use a password manager (such as KeePassXC) so you can use strong passwords without having to memorize all of them.

  • Use the privacy controls in the ISP and social networks and sites you use. Important: Log on to the web site for your ISP and find any privacy settings they have for your account.

  • Password-protect your phone account.

  • Don't carry a paper "agenda" book full of your appointments, contacts, notes, and username/password information. Guaranteed you will lose it someday, and there is no password protection on it. Same thing with Post-It notes in your wallet or purse, giving login details or PINs. Don't do it.

         



Levels of safety, security and privacy (my opinion):

  1. No backups, no passwords on devices, same password on many online accounts.

    A disaster waiting to happen. Accidentally delete many files, hard disk crashes, or someone steals your phone, and you're in a world of pain.

  2. Backups (multiple, at least one off-site, and you've tested restoring from them), passwords on devices, important software auto-updating, anti-virus.

  3. Password manager to handle online accounts, ad-blockers and script-blockers in browsers, credit-report freezes, use HTTPS web sites, set privacy settings on accounts, password-protect your phone account, be careful with your smartphone, pay cash for as many things as possible.

  4. Full encryption on devices, two-factor authentication on important online accounts, reduce browser fingerprint, VPN, opt out of data-broker tracking.

  5. Change to Linux, use secure email and messaging, special firewall/router, redirected email and phone numbers and credit cards, postal-mail forwarding service.

  6. Tor browser, two computers (one secure and non-networked, other for routine use and network access), gift-cards.

  7. Burner phones, clean OS every time (e.g. Tails), security-centric OS (e.g. Qubes), run your own mail server and VPN, crypto-currency, fake personas and fake ID.

         



Terms:

  • Safety: make mistakes less likely.
  • Preservation: prevent loss of your data.
  • Security: mechanisms to control reading and modifying your data.
  • Privacy: prevent unauthorized use of your data.
  • Anonymity: prevent connecting your activities/data to your identity.



Some Key Principles to Follow:

  • Analyze: know what assets you have and why.
  • Minimize Attack Surface: turn off things you don't need.
  • Compartmentalize: have barriers and isolation where possible.
  • Defense in Depth: have layers of protection, no single point of failure.
  • Best Tools and Practices: know what is recommended, and do it.
  • Test: don't assume something is working, test it.
  • Be Dynamic, not Static: keep learning, keep improving.





Safety



These are good practices to reduce the chance of mistakes or accidents. More info in the Physical security and preparation section.





Data Preservation







Online Security



[If you're planning to make big changes to your situation, do the big changes first. Such as: changing to Linux, changing to Firefox, starting to use a password manager, changing email provider. Then do the smaller tweaks and additions.]



Password security

Use the password and security features of your device and software; many people don't even bother to set a password !

It's especially important on smartphones, because a lot of smartphone apps don't even have a "log out" feature. They assume that if you have the phone and were able to log in once a while ago, you must be the account owner, no account password needed.

Don't use the same password on multiple sites. If one site is breached, all the others become vulnerable.
Do NOT use Facebook login (or Google, or Apple, or Microsoft) as your login to lots of other web sites. Not only does it let your activity get shared to Facebook (or etc), but if Facebook (or etc) ever deactivates your account for some reason, you've lost access to those other sites too. Similarly, don't use a Microsoft login to your Windows PC, use a local login.

Really, you should have only 2 or 3 passwords you remember; the rest should be in a password manager.

See my Authentication page.



Other "managers":

Don't let web sites or browsers save your important data if you can avoid it. Store it in specialized encrypted, private "manager" applications on your machine.

Some types of "managers":
Often the last four types are together in a "Personal Information Manager" (PIM). Some email client applications will include those functions too; I use Thunderbird.

Most of the PIMs I see are more complex than I want, and don't say anything about encrypting their database. Probably best to pick a simple PIM and put its database inside an encrypted container.
Osmo (Linux only, database not encrypted, files under ~/.config/osmo and ~/.local/share/osmo by default)

If you don't use a specialized application, you could use a text file inside an encrypted container. But you'd lose the ability to sort by various fields, alert on calendar events, view the calendar in standard calendar format, have a tree-view for to-do items, etc.



Password-protect your phone-service-provider account:

Mobile-service providers often let you set a PIN to control changes to account settings. So if you (or a scammer) call them and say "move this phone number to a different SIM", the provider won't do it unless the proper PIN or password is given. This can stop "SIM Swapping" (AKA "SIM Hijacking", but really it's "phone-number hijacking" or "number-porting").

Days after you set a PIN on your account, call your provider again and try to make a change, and see if they actually do ask for the PIN.

Emily Price's "Add a PIN to Your Smartphone Account"
Zack Whittaker's "Cybersecurity 101: How to protect your cell phone number and why you should care"
Brendan Hesse's "How to Prevent and Respond to a SIM Swap Scam"
CipherBlade's "The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You"

If you're going to abandon a phone number, first remove it from any accounts that may have it, and inform your contacts. Assume that the number will be re-issued to some new customer within a year. What will happen if they start getting calls or messages intended for you ?



Give "them" as little data as possible:

Don't let web sites save your credit-card data. If possible, give them a fake phone number and address.



Use fake data as answers to the "security questions":

If you give fake data as your mother's maiden name, town where you were born, etc, no attacker can look that up somewhere and know what answer to give. Of course, you have to save those questions and answers yourself (in your password manager).



Software updating:

Run the newest stable version of your operating system, and turn on auto-updating. Same for browsers, anti-virus, VPN.

But this is a major problem for Android smartphones: on older phones, you can't update the OS to a newer version, unless you install a "custom ROM". Android's update mechanism is somewhat broken, because phone vendors have no incentive to test and provide updates. At some point, it might be best to buy a new phone (or flash a custom ROM), just to get onto newer software.

See Android Custom ROMs section of my Android page.

For less-important software, I would turn off auto-updating. I don't want a lot of little check-for-update background processes running all the time, and I don't have confidence that the maker of some genealogy application or something has invested a lot of effort into making their update process secure.

Keep an eye out for news about the software you use.

A corollary of "do updates" is "don't use software that has been end-of-lifed or abandoned". If you're using something where the vendor no longer provides updates, you're vulnerable.

The more I think about it, updating is a major security issue for all OS's. What controls guarantee that an installer or updater will update only the application or component it is associated with ? Is the communication channel encrypted ?

If something is updated through Windows Update or Linux's manager (Update Manager, on Mint) or an app store, maybe you can have some confidence that the process is efficient and secure. But if an individual app is reaching out of your system to its update server every day in some unknown way, that is questionable. If you have 20 such apps doing so every day, an attacker has lots of surface to attack, and there is lots of traffic for you to monitor or analyze for threats. Not to mention lots of little look-for-update processes running in the background all the time, maybe.

What is the long-term solution for this ? Lobby Microsoft to let third-party apps use the Windows Update mechanism ? On Linux, only install apps via the main software manager on the system ? Add some kind of OS controls so an installer/updater can touch only the associated component's folder and registry tree ? I assume Windows Update and Linux's managers and app stores use TLS on their connection back to the server; true ?

In response, someone pointed out: evilgrade




Anti-virus software:

Two main "modes":

  • Real-time / constantly-active protection (catches every file write or download and scans it).

    Could be disk-only (catches file writes) or also wired into the browser (to prevent access to known-dangerous web sites) and email (to scan attachments).

    Set it to update automatically.

  • User-initiated / manual-scan (user runs a full-disk scan every week or two, or user right-clicks on a suspicious file and selects "scan it").


Two main "sources":
  • Supplied by the OS vendor. Usually best; doesn't destabilize or increase attack-surface of the system.

  • Third-party (a separate app / service you install into the system).


Prevention / detection:
  • Anti-virus protection.

    For Windows 10, I use Windows Defender, in constantly-active mode.

    For Linux, I use ClamAV in manual-scan mode, doing a scan every few weeks.

    If you use Adblock Plus, you can then install a malware site filter.

    Quora "What is the best open source antivirus software?"


  • Keylogger.
    A "keylogger" may do one or more of these:
    • Capture keystrokes as you type them.
    • Capture the contents of your clipboard.
    • Capture screenshots.
    • Capture input from your computer's camera and microphone.

    A keylogger may:
    • Log the data into a log file.
    • Email the data to somewhere.
    • Send the data across the internet to somewhere.

    There seem to be three types of keylogger:
    • Hardware: some device attached to your computer or keyboard or installed into it.
    • Software: an application and/or service installed on your computer. It may try to hide in various ways, not showing up in list of installed apps, or choosing a name similar to a standard app or service.
    • Rootkit: software installed into the firmware of your computer, or the boot loader of your OS, or the kernel of your OS.

    Detect or defend against keyloggers:
    On Windows, I used AVG (free) and Malwarebytes (free). But I found that AVG and MWB (with RTP) don't stop/report keylogging as tested by AKLT. [And when AVG and MWB got more aggressive about change-to-paid-version pop-up ads, I got rid of them and now just rely on Windows Defender.]



  • Firewall.
    From someone on reddit's /r/Windscribe:
    > I've recently signed up for Windscribe VPN (firewall enabled).
    > I have an ASUS RT-AC66U router (firewall enabled),
    > and on top of that Norton Security with its built-in
    > super aggro "smart firewall". All of this seems a bit
    > redundant and ridiculous.

    Windscribe firewall blocks traffic that tries to go outside of the VPN, including if the server you're connected to goes down. It's different from a program/port firewall that allows or blocks certain traffic completely based on a ruleset.

    Your Norton firewall is designed to prevent malicious programs from calling home to download more malware or upload your information.

    Your router firewall is designed to prevent open ports from being abused by programs or attackers.

    Windscribe firewall is designed to prevent your traffic from going through the normal unencrypted route to your ISP. If the connection drops for some reason nothing will get through because the Windscribe firewall blocked all other ways in or out.

    So all three serve different purposes (the router and Norton firewalls overlap a bit but they still do different things).
    Gufw (Linux only)


Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"

See Testing your Anti-Virus section of my Testing Your Security and Privacy page.

"Normal" apps or services could be used to spy on you:
Many legitimate standard apps or services, if set incorrectly, or set maliciously without your consent, could be used to spy on you or track you.

For example, Google Maps on your phone will let you share your location with other people, maybe with your spouse or children. That's fine if you consent to that and know you're doing that. It's bad if you're having issues with your spouse and they turn that on without your consent.

Various browsers and operating systems can be set to collect data about your behavior and report it to the manufacturer (usually called "telemetry"). Maybe the data is anonymized. Maybe it is limited to just crash reports. Or maybe it includes what sites you visit and what searches you do, even local searching of the hard disk. Check those settings. [Windows 10 in particular has an astonishing amount of this (article1), but you can turn most of it off, I think: article2. Or change OS to Windows 10 Ameliorated]

But see Chris Hoffman's "Stop Criticizing Apps for 'Phoning Home'. Instead, Ask Why"

Suppose you install a remote-access application, or open an incoming VPN connection, so that you can access your home computer from work if you need to. But accidentally you allow anyone on the internet to access it, or someone in your house turns on access for themselves without your consent.

A "sync" feature that automatically copies data among your devices is multiplying the places your data could be stolen. Smartphones tend to have the worst security, so syncing data from laptop to phone is weakening security. For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.

I don't think any of the anti-virus scanners will report such settings to you as "potentially unwanted".

CyberWire's "The Malware Mash"



Browser:

General recommendation: use Firefox or Brave.

On Linux, consider running the browser either in a container (snap or flatpak) or in a security context (Firejail or AppArmor).

Important: After you install a browser, disconnect from the internet, launch the browser for the first time, turn off telemetry and other features you don't want, quit, connect to internet again, launch the browser again.

Don't log in to a cloud service associated with your browser, such as Google Chrome login or Firefox login. That's a recipe for having unknown ties between browser and service, including automatic backups or sharing, telemetry, etc.

Set your browser to update automatically; browsers contain security features that should be kept up to date.

Set your browser to ask you each time a page wants to do certain things: download a file, use camera or microphone, etc.

Things you may want to turn off:
  • Any "suggestion" or "prediction" feature (probably sends your keystrokes to a server).
  • Any "usage-reporting" or "telemetry" or "let vendor run studies" features.
  • Any "crash-reporting" feature (I leave this one enabled).
  • Any "syncing" feature.
  • Any "password-remembering", "payment methods", "address-remembering" features.
  • Any "security-screening" or "safe-browsing" feature (debatable; maybe your VPN or ad-blocker does this; apparently now browsers use Update API which avoids sending your URLs out to a server).

These days, users probably spend 90% of their time in a browser. So, take the time to go through ALL of your browser's settings/options. Generally turn off things that send data to a cloud service. Turn off features you don't need.

From someone on reddit 11/2018:
"Chrome has a whole host of services that send data to/from Google (auto-complete, prediction services, spell check, translation, safe browsing, etc...). ... if you don't want Google to know anything about you, you can't use Google products." [Also password syncing, and "login to Google automatically logs you in to Chrome". And check options carefully to see what is turned on.]
So: ungoogled-chromium (have to uninstall Chromium first, if it's installed)

Brian King's "Towards a Quieter Firefox"
yokoffing / Better-Fox
Douglas J. Leith's "Web Browser Privacy: What Do Browsers Say When They Phone Home?"

Use as few browser extensions/plug-ins/add-ons as possible; each additional extension installed means a greater chance of getting a malicious extension or a security hole or a performance hit.
Chris Hoffman's "Browser Extensions Are a Privacy Nightmare: Stop Using So Many of Them"

If you can, avoid using browser extensions associated with other applications on your machine, such as anti-virus or VPN or password manager. The combination of application and extension gives enormous access to all of your data, inside and outside your browser, and an easy connection to the internet.

To see what's running/open in your browser and how much RAM each is taking:
In Firefox, type "about:performance" in the address bar, or click Hamburger / More / Task Manager.
In Chrome, type Shift-Esc, or click "..." / More tools / Task manager.

Use an "ad-blocker" add-on in your browser to protect against ads that contain malware (malvertising).
I use uBlock Origin (get from uBlock - installation ?). I used uMatrix for a while, but it required constant tweaking (and 9/2020 development is ceasing).
Test the ad-blocking: AdBlock Tester.

An add-on that tries to protect you from look-alike domain names (e.g. "amaz0n.com"): Donkey Defender

If you hover your mouse over this link, do you see "apple.com" in the browser's status bar ? If so, your browser has a vulnerability. The link address actually is "https://www.xn--80ak6aa92e.com/". In Firefox, in about:config, change "IDN_show_punycode" to true.
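A way to check a hostname for the two look-alike tricks described above (digit substitution such as "amaz0n.com" and punycode such as "xn--80ak6aa92e"), as an added example that is not part of the original page. The function names, the watchlist and the small look-alike table are assumptions made for the illustration; the table is a constructed subset, not the full Unicode confusables list.

```python
import unicodedata

# Constructed subset of look-alike characters: Cyrillic letters and ASCII
# digits mapped to the Latin letter they resemble.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l", "0": "o", "1": "l",
})


def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' marks punycode)."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(text):
    """Scripts used by the letters in text, taken from Unicode character names."""
    found = set()
    for ch in text:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def assess(hostname, watchlist=("apple.com", "amazon.com")):
    """Decode a hostname and report whether it imitates a watched domain."""
    labels = hostname.rstrip(".").lower().split(".")
    decoded, findings = [], []
    for label in labels:
        try:
            text = decode_label(label)
        except UnicodeError:
            findings.append(f"label {label!r} is not valid punycode")
            text = label
        decoded.append(text)
        if text != label:
            findings.append(f"{label!r} is displayed as {text!r}")
        scripts = scripts_of(text)
        if len(scripts) > 1:
            findings.append(f"{text!r} mixes scripts {sorted(scripts)}")
    display = ".".join(decoded)
    skeleton = display.translate(CONFUSABLE)
    # Assumption: the last two labels are the registrable domain
    # (a real tool would consult the public-suffix list).
    shown = ".".join(display.split(".")[-2:])
    candidate = ".".join(skeleton.split(".")[-2:])
    lookalike = candidate if candidate in watchlist and shown != candidate else None
    if lookalike:
        findings.append(f"looks like {lookalike!r} but is a different domain")
    return {"display": display, "skeleton": skeleton,
            "lookalike_of": lookalike, "findings": findings}


if __name__ == "__main__":
    for host in ("www.xn--80ak6aa92e.com", "amaz0n.com", "www.apple.com"):
        result = assess(host)
        print(host, "->", result["lookalike_of"], result["findings"])
```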

Show what your browser reveals to a web site: BrowserSpy.dk

Some sites (eBay, banks ?) use WebSockets to do a port-scan of your system (to localhost, from the web page, from the inside !), to see if you look like an IoT device that is part of a botnet (article1, article2). If you want to stop this scanning, in uBlock Origin go to the Dashboard and then My Filters and add a rule "*$websocket". (I'm told Adblock Plus uses same filter syntax.) An add-on that tries to protect you from this scanning (and other things): Behave! by Minded Security. Test before and after with WebSockets test. The block in uBlock Origin may break some sites (but it didn't break any of my bank logins, but broke eBay login).

Is there any add-on that monitors what certificates and extensions are installed/enabled in your browser, and values of all of the settings, and warns you if anything has changed between quit/relaunch of the browser ?

Browsers are far too bloated and complicated, we should re-design them:
Drew DeVault's "The reckless, infinite scope of web browsers"
Open Hub's analysis of Firefox (30M lines including comments and blanks, in 48 programming languages)

Move many functions out to add-ons or external apps or OS stacks or OS features:
  • Bookmarking, link-sharing.
  • Password management (and auto-fill).
  • History.
  • Media-handling (audio, video, etc).
  • Networking (DNS, proxy, socks, DNS over HTTPS, VPN should be in OS network stack).
  • Caching (should be in OS network stack).
  • Certificates (use OS store or keyring, or secret server).
  • Search engines, suggestions, predictive typing in address bar.
  • Ad-blocking.
  • Header-setting (do not track, user-agent).
  • Security policy (HTTPS Everywhere, padlock icon, tracking protection, malware-blocking, site whitelist/blacklist).
  • Cookie and site local storage and management.
  • Language and appearance settings (get from system settings).
  • Download manager.
  • File and application handling (save or open, where to open, ask each time, etc).
  • Browser update (use the OS mechanism, not a custom mechanism built into browser).
  • Add-on update (use a separate app, or the OS update mechanism).
  • Sync (use apps such as rsync, Syncthing, etc).

The browser proper should just do:
  • Page rendering.
  • DOM.
  • Page operation (scrolling, buttons, etc).
  • Scripting with DOM and hooks to storage etc.
  • Page/DOM dev tools.
  • Application framework (tabs, menus, windows, connecting everything together).

Maybe I just want a minimal browser. On Linux: I've tried about 8-10 of them, and so far they all have fatal flaws, except GNOME Web (Epiphany). But that browser isn't very minimal, and is working to add more features.

Maybe I could start with Firefox, delete the code-modules I don't want, and build a custom version.

Also: We need better control of browser add-ons:
Apparently, today, when you do a web request or get a response, all installed add-ons get a chance to process/modify it, in parallel or in unspecified order. Then their modifications (including discarding it) get merged somehow.

Instead, the user should be able to specify:
  • Rules for order of execution of add-ons.
  • Domain whitelist/blacklist for each add-on.
  • Information accessible by each add-on.
  • Types of operation (request/response, HTTP/HTTPS, GET/POST, etc) that can be processed by each add-on.
  • Changes allowed by each add-on.




Manufacturer's software:

Your machine may come with manufacturer's apps (for launching, printing, help, support, updating, diagnostics, recovery) pre-installed and doing stuff in the background. How secure is that software ?

Bill Demirkapi's "Remote Code Execution on most Dell computers" (offered more as an example of how much is going on in the background, rather than a realistic threat)
Peleg Hadar's "OEM Software Puts Multiple Laptops At Risk"
Dan Timpson's "Lenovo's Superfish Adware and the Perils of Self-Signed Certificates"
Wang Wei's "Pre-Installed Keylogger Found On Over 460 HP Laptop Models"



OS Settings:

Don't log in to a cloud service associated with your OS, such as Microsoft login or AppleID. That's a recipe for having unknown ties between OS and service, including automatic backups or sharing, telemetry, etc.

For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.

Run as few operating-system services as possible; turn off the ones you don't need.
Look for privacy and security settings in the OS settings / control panel.

All for Windows only:
Mayank Parmar's "Windows 10 Privacy Guide: Settings Everyone Should Use"
Martin Brinkmann's "Comparison of Windows 10 Privacy tools"
Windows 10 Ameliorated
Chris Titus' "Windows 10 Optimization Guide"
Privatezilla



Computer firmware:

There might be firmware in: management engine, motherboard/BIOS, Linux microcode on top of the MB/BIOS firmware, HDD, SSD, printer, router, TV.

Usually you have to manually check for updates to the firmware, on the manufacturer's web site.

Record the firmware version number of your ISP's router every now and then, to make sure they're updating it.

Idea:
Is the firmware (say, BIOS firmware) readable ? Can an OS or user process read it and compare to the last-installed version, and flag "hey, firmware has changed since the last time you booted !" ? Do any current OS's do that ? It could even be a user-level feature.

Shouldn't all devices (routers, security cams, disk drives, etc) come with a "read out the current firmware contents" feature ? Maybe a very clever malicious firmware could mimic a legit firmware, but it might not be easy if firmware memory is full (excess space padded with random static stuff when legit firmware is generated).

In Linux, do "sudo grep ROM /proc/iomem". If it returns "000f0000-000fffff : System ROM", you can read BIOS via either of:

sudo dd if=/dev/mem of=pcbios.bin bs=64k skip=15 count=1 # 15*64k + 64k

sudo dd if=/dev/mem of=pcbios.bin bs=1k skip=960 count=64

Also relevant: "sudo dmidecode". Maybe someone could make a little daemon or cron job that uses them to report any changes.
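One way to build the cron job suggested above, as an added example that is not part of the original page: it reads the "System ROM" range found in /proc/iomem from /dev/mem, hashes it together with the BIOS strings from "dmidecode -t bios", and compares the result with a saved baseline. The baseline path and all function names are assumptions; it must run as root.

```python
#!/usr/bin/env python3
"""Report firmware changes between runs (added example; paths and names are assumptions)."""
import hashlib
import json
import re
import subprocess
import sys
from pathlib import Path

BASELINE = Path("/var/lib/fwwatch/baseline.json")  # hypothetical location


def find_system_rom(iomem_text):
    """Return (start, length) of the 'System ROM' range in /proc/iomem text, or None."""
    for line in iomem_text.splitlines():
        m = re.match(r"\s*([0-9a-f]+)-([0-9a-f]+) : System ROM\s*$", line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            if end > start:  # unprivileged readers see 00000000-00000000
                return start, end - start + 1
    return None


def read_region(path, start, length):
    """Read exactly `length` bytes at offset `start` (what dd's skip/count do)."""
    chunks, remaining = [], length
    with open(path, "rb", buffering=0) as f:
        f.seek(start)
        while remaining:
            chunk = f.read(min(remaining, 4096))
            if not chunk:
                raise OSError(f"short read: {length - remaining} of {length} bytes")
            chunks.append(chunk)
            remaining -= len(chunk)
    return b"".join(chunks)


def snapshot(rom_bytes, dmi_text):
    """Fingerprint the ROM image plus the BIOS strings reported by dmidecode."""
    fields = {}
    for key in ("Vendor", "Version", "Release Date"):
        m = re.search(rf"^\s*{key}:\s*(.+)$", dmi_text, re.MULTILINE)
        fields[key] = m.group(1).strip() if m else None
    return {"rom_sha256": hashlib.sha256(rom_bytes).hexdigest(), "bios": fields}


def compare(baseline, current):
    """Return a list of differences; an empty list means nothing changed."""
    changes = []
    if baseline["rom_sha256"] != current["rom_sha256"]:
        changes.append("System ROM contents changed")
    for key, old in baseline["bios"].items():
        new = current["bios"].get(key)
        if new != old:
            changes.append(f"BIOS {key}: {old!r} -> {new!r}")
    return changes


def check(state_file, current):
    """First run records the baseline; later runs report differences against it."""
    if not state_file.exists():
        state_file.parent.mkdir(parents=True, exist_ok=True)
        state_file.write_text(json.dumps(current, indent=2))
        return ["baseline recorded"]
    return compare(json.loads(state_file.read_text()), current)


def main():
    rom = find_system_rom(Path("/proc/iomem").read_text())
    if rom is None:
        sys.exit("no readable System ROM range (are you root?)")
    dmi = subprocess.run(["dmidecode", "-t", "bios"],
                         capture_output=True, text=True, check=True).stdout
    changes = check(BASELINE, snapshot(read_region("/dev/mem", *rom), dmi))
    for line in changes:
        print(line)
    # A non-zero exit status lets cron or a systemd timer raise an alert.
    sys.exit(1 if changes and changes != ["baseline recorded"] else 0)


if __name__ == "__main__":
    main()
```

The 64 KiB window is only the legacy-mapped part of the firmware, so an unchanged hash does not prove the whole flash chip is unchanged. After a firmware update you installed yourself, delete the baseline file so the next run records a new one.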

How about Linux's /dev/microcode ? Also would be nice to know if the router/gateway MAC address has changed ("arp" command).

Maybe enhance the "fwupdmgr" command to be able to read/verify existing firmware contents.
Does "fwupdmgr verify DEVICEID" do that ?
"fwupdmgr --show-all-devices get-devices", "fwupdmgr refresh", "fwupdmgr verify DEVICEID", "fwupdmgr get-updates", "fwupdmgr update".
There is a timer running; see it in "sudo systemctl list-timers".
Maybe do "sudo systemctl disable fwupd-refresh.timer" and "sudo systemctl disable fwupd-refresh.service" ?

Processor "Management Engines":
Types of "engine":
[not sure this is right:]
  • Management engine which can do many things, including network access and remote control.

  • Trusted module which contains crypto keys and runs crypto algorithms.

  • Trusted store which contains an audit trail of system actions.

Some/all of these used to be separate chips from the CPU, but now often they're being moved onto the same silicon ("SoC") so no one can spy on the connection between CPU and security.

/u/SupposedlyImSmart on reddit 11/2018

Intel's "Management Engine":
Wikipedia's "Intel Management Engine"
Intel's "Intel Converged Security and Management Engine (Intel CSME)"
Lily Hay Newman's "Intel Chip Flaws Leave Millions of Devices Exposed"
Erica Portnoy and Peter Eckersley's "Intel's Management Engine is a security hazard, and users need a way to disable it"
coreboot Wiki's "Intel Management Engine"
From someone on reddit:
"Do you have an Intel CPU from the last 10+ years? If so, then yes ME is enabled. If it weren't via HAP, you'd know."
Shane McGlaun's "Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut"
"Sakaki's EFI Install Guide / Disabling the Intel Management Engine"
Steven J. Vaughan-Nichols' "Computer vendors start disabling Intel Management Engine"
corna's "me_cleaner"

Test your system ?
Intel's "INTEL-SA-00086 Detection Tool". Run it on Linux CLI via:

sudo python2 intel_sa00086.py

intelmetool from coreboot / coreboot ? But the project's build process is very strange, and failed for me. Also tried to build just intelmetool, and failed.

From someone on reddit:
"After I did the firmware update for my version of IME, I just made sure and disabled everything relating to IME/vPro in my BIOS/UEFI settings and also disabled its related services and related serial port in device manager in Windows."

From someone on reddit:
"Intel ME listens on ports 623, 664 and 16992-16995. So if you're behind a firewall block these ports. Though you'd be better off to create a whitelist instead."

AMD's "Secure Processor" (previously known as PSP):
Chiefio's "For deep security, use ARM, avoid Intel & AMD processors"
But ARM has "TrustZone" ? Article

Anton Shilov's "HP's Endpoint Security Controller: More Details About A New Chip in HP Notebooks"

Eduard Kovacs' "Microsoft Unveils 'Pluton' Security Processor for PCs"

Raspberry Pi has GPU acting as a management engine:
Run on Linux CLI:

cat /sys/devices/system/cpu/vulnerabilities/*

One idea: don't connect network to motherboard's network interface, instead use a third-party network interface board, which the ME shouldn't know how to use.

coreboot (Wikipedia's "coreboot")

Brendan Hesse's "How to Check Your USB Devices for Unsafe Firmware" (but see the comments)
Jessie Frazelle's "Why open source firmware is important for security"
Catalin Cimpanu article about infected firmware in smartphones
Dan Goodin's "Google confirms that advanced backdoor came preinstalled on Android devices"



Sandbox applications:

Run an application such as a browser inside a "sandbox", which prevents it from accessing files on your computer, or controls which files are accessible.

See my Linux Network and Security Controls page.
See my (Linux) VMs and Containers/Bundles page.



File access controls:

For various files and folders, set which applications are allowed to access them.

Brendan Hesse's "Why You Should Use Windows Defender's Ransomware Prevention"



Separate computers for separate functions:

It may be tempting to run a web server and database and routing software and network-storage disk and your personal stuff (browser, password manager, files, etc) all on the same box. It can be done, under Windows or Linux etc. But that greatly increases the chance of some bug or exploit, some incoming attacker being able to access your personal files. It's better to run all the server (incoming) stuff on one box, and all the personal (outgoing) stuff on another box. And set the firewall rules on each box to allow only what is needed on that box.

Even better, run server-stuff on some commercial hosting service. Let them worry about 24/365 availability, bandwidth, disk space, updating, etc. But you'll have to pay for it.



Turn off the computer:

When not using the computer, turn it off, so attacks can't get in. Maybe turn off your entire LAN (by turning off the router) when going on vacation ? But then updates won't happen.

Maybe put critical data on a thumb-drive or external drive, and only mount that drive for brief periods when you need to use that data. Separate drives for personal, work, school, family data ?



Connection security (protecting "data in motion"):


Encrypt network:

Use encryption on your connection: encrypted Wi-Fi, maybe VPN (see VPN section of my "Connection Security and Privacy" page).

On your home network, make connections using Ethernet cables instead of Wi-Fi where possible (client device is close to router/modem). Wired connection is faster and more secure than wireless (and old custom wireless is worst of all; at least Wi-Fi and Bluetooth have been improved). Similar when transferring data between phone and PC: using a USB cable is more secure than emailing the data or using some other across-the-internet method. Similar with printer: use a USB cable.

Consider having separate home networks for your critical (computers, file server, phones) and untrusted (TV, refrigerator, security camera, baby monitor, game consoles, guest, etc) devices. This may mean having to use two routers.

When choosing a name for your home Wi-Fi network, choose something unusual but bland such as "network2793". Don't include your name or address or brand of router in the network name; that information would help an attacker. And the network name may be included in bug reports and such (article).

wikiHow's "How to Secure Your Wireless Home Network"
Eric Griffith's "12 Ways to Secure Your Wi-Fi Network"
Decent Security's "Router configuration - easy security and improvements"
David Murphy's "How to Make Your Wifi Router as Secure as Possible"
Easy Linux tips project's "Wireless security: four popular myths and 12 tips"
Lifehacker's "Top 10 Ways to Stay Safe On Public Wi-Fi Networks"
Smart Home Gear Guide's "17 Lockdown Strategies To Secure Your WiFi Network From Hackers"
Chris Hoffman's "How to See Who's Connected to Your Wi-Fi Network"
But: Nick Mediati's "The EFF wants to improve your privacy by making your Wi-Fi public"

From discussion on reddit, and elsewhere:
Securing home Wi-Fi:
  • Use the WPA2 protocol. It has now been broken but the chances anyone will use it against you are slim. [Use AES, not TKIP. Use WPA3 if available.]
  • Use a strong passphrase. Longer is better than more complex.
  • If you have a guest network, isolate it so it can access your internet but not your local network.
  • Where possible, use 5 GHz. It doesn't have good penetration so it's less likely to broadcast your network to your neighbors. Otherwise some routers will let you adjust the power of your broadcast.
  • Don't bother with MAC address filtering. It's just a headache and it's easy to bypass.
  • Apply any patches that are available, to clients and router.
  • Turn off WPS and UPnP and access to web interface/console from Wi-Fi.
  • Probably turn off telnet, SNMP, TFTP and SMI; they're usually unencrypted and/or insecure.

You could look in your router admin to check what devices are connected. Supposedly there are TWO lists: a list of devices which obtained an address via DHCP (which may not include all devices), and also a MAC address list of all connected devices.

Test your router configuration (turn off VPN first):
See the Port scanning or router testing section of my Testing Your Security and Privacy page.

Turn off any VPN, use IPChicken to get your network's current public IP address, then paste that into your browser's address bar, and see how your router responds when someone from outside tries to access your router on port 80. Also try the address with ":443" appended to it.

Alan Henry's "Why You Should Start Using a VPN (and How to Choose the Best One for Your Needs)"
VPN Comparison by That One Privacy Guy

Encrypt your traffic: use HTTPS web sites:

Definitely use HTTPS for all of your sensitive sites: email, financial.

ilGur's "Smart HTTPS" browser extension
Firefox 83 has added a similar capability natively in the browser.

If you're using a mail application (such as Thunderbird) or an FTP application, make sure they're using encryption on their connection to the server.

But not every HTTPS site implements security to the same level; you can test a site using:
CDN77's "TLS Checker"
Qualys SSL Labs' "SSL Server Test"
testssl.sh

See my "Connection Security and Privacy" page about proxy and VPN.




Application-level encryption:

See my "Secure Communication" page.



Data encryption (protecting "data at rest"):

See "Data Encryption" section of my "Computer Theft Recovery" page




Specific problems:

Known bad software:
Do not use these:

Detect my Browser

Remote-access software:
Be very careful if you have remote-access software installed on your computer for some reason. If someone hacks it or it's misconfigured, the attacker can do anything you can do sitting at the computer, and it will look just like you doing it.

Jason Fitzpatrick's "How to Lock Down TeamViewer for More Secure Remote Access"
Rick Rouse's "Protect your Windows PC from hackers by disabling Quick Assist / Remote Assistance"

Aggregation services:
  • Don't use online financial/budget aggregation services that will connect to all of your bank accounts and credit-card accounts and Amazon etc to consolidate the data and summarize what's happening. They just have too much access to your data, and can sell it. Instead, maybe find a local desktop application, download CSV files from your banks etc, and import the CSV files into the local application.
    Jason Baker's "5 open source personal finance tools for Linux"

  • Online income-tax-filing services ? You're giving a LOT of info to them, from many sources. But they're very convenient, and you need something that is updated every year. You could use paper forms instead, if your affairs are fairly simple.
    OpenTaxSolver (OTS)

  • Don't use online mailbox-client services that will connect to all of your email accounts and show everything in one web page. They just have too much access to your data, and can sell it. Instead, use a local application such as Thunderbird or K-9 Mail.


Things that are full of telemetry (but hard to stop using):
  • Windows 10.

  • Chrome browser (maybe use Chromium or ungoogled-chromium).


Turn off macros in Microsoft Office.

Remove bloatware installed by computer's manufacturer: those system-tray applications that offer manufacturer's Help Center or Support or Driver Updater, for example. They're poor quality, constantly-running, and probably offer a huge attack surface.

A bit suspicious, and a general way to stop specific applications from running in Windows:
Martin Brinkmann's "How to block the Chrome Software Reporter Tool"

Wireless devices are less secure than wired devices, and often wireless has greater range than you'd expect. Old custom wireless is worst of all; at least Wi-Fi and Bluetooth have been improved.



Turn off features you don't use:

Either turn them off permanently, or enable them only when you want to use them.

Don't use Bluetooth, mobile Hotspot, mobile tethering, NFC, Z-Wave, Zigbee, infrared, Cortana, Siri, location/GPS services, voice controls ? Turn them off completely, at the OS level. Don't use some old applications ? Uninstall them, or turn off their update background services.
Rick Rouse's "How to turn off 'File and Printer Sharing' in Microsoft Windows"

Maybe turn off location-monitoring services and apps in your smart-phone and browser. But your cell-phone company will always know where your phone is, if it's turned on, or maybe even just if it has a battery in it. And various map and taxi apps will be unhappy that they can't read your location.

Turn off services you're not going to use for a while. Turn off any remote-access service when you're at home.

Turn off the whole device if you're not going to use it for a while. Does your internet-connected computer need to be running 24/7 ?

Put tape over the webcam on your laptop.
Or software:
Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"

Turn off the microphone on your laptop or smartphone.
Maybe put a dummy plug into the external microphone jack.
Tape over the built-in microphone opening doesn't really work.
Or software:
Alan Henry's "How to Stop Web Sites from Potentially Listening to Your Microphone" (Chrome only)
Jignesh Padhiyar's "How to Find and Prevent Apps from Accessing Your iPhone's Microphone in iOS 7"
Kioskea's "Windows 8.1 - Prevent apps from using your webcam or microphone?"
The highest-confidence solution: physically unplug the built-in microphone inside the case, and always use an external microphone (plugged in only when you need it).

Note: iPhones have 1 to 4 microphones, depending on model. Most Android phones have 1, some have 2.



Know the features of your devices:

Mozilla's "*privacy not included"
David Murphy's "How to Keep Your Internet-Connected Device From Spying on You"

Using router/modem supplied by your ISP:
See Router And Modem section of my Connection Security page

From someone on reddit:
If your ISP can access your modem (and if you're using an ISP-supplied modem, it'd be foolish to assume they can't), they can see anything your modem can potentially log (think SSIDs, MACs) via a little-known protocol known as CWMP. And this is to not even begin the implications that they could not simply be retrieving logs, but actively tampering with data. So yes, do not use ISP-given devices, get your own. This is critical.

At the least, your ISP-supplied router could be reporting names and MAC addresses of all devices on your LAN. Names may be easy to change to something uninformative such as "laptop1". But MAC addresses could be more revealing, and used for tracking. Harrison Sand's "Your ISP is Probably Spying On You"

From someone on reddit:
> Do ISPs update router firmware and watch for malware ?

Routers, in general, are not updated if they are not the latest and greatest router in their class. Long term support is typically lacking unless you install a 3rd party firmware. European ISPs are typically far better at updating their software than American and Canadian ISPs due to no laws requiring ISPs accountable to update their software if possible. More damning, routers typically don't even have patches available, as support for them was discontinued long ago.
So it sounds like if you can't find firmware updates for your router, and it's more than a couple of years old, maybe best to just replace it. If it's ISP-owned, maybe ask if they have a newer model available, and if you can upgrade for low or no fee. If you own it, replace it or install DD-WRT or OpenWrt on it.

Ways to avoid the ISP-supplied router/modem:
[Note: things get more complicated if the router is providing cable-TV service in addition to internet.]

  • Ask ISP if you can replace it with a router/modem you own yourself.

    From someone on reddit:
    "Google for modem compatibility lists. You can generally find a site that sorts by state and ISP and lists which current model modems would or should work."

    If you replace the modem, you'll have to register/configure the new modem with your ISP.

    If you want to run custom software in the router you own, see Router And Modem section of my Connection Security page.

  • Check router's admin page, or ask ISP, if their router/modem can be set into "bridge mode", so you can add your own router behind it.

    This amounts to turning off the router and Wi-Fi in the ISP-supplied router/modem box, using router and Wi-Fi in your own new router box, and connecting the two boxes via an Ethernet cable. Connect all home devices (except telephone ?) to your box, not the ISP's box. Now the ISP-supplied box doesn't have access to your LAN, it just sees what comes out of the bridge-Ethernet port of your new router box. See Router And Modem section of my Connection Security page.

Ethan Robish's "Home Network Design - Part 1"

Michael Horowitz's "Router Security"
Michael Horowitz's "Using VLANs for Network Isolation"

"Complexity is the enemy of security."

Keep it simple. If you have your smartphone controlling your door-locks and security-cameras and automatically uploading photos to Instagram and accessing your LAN and the internet and the cell network, you really don't know everything that is happening and everything that can go wrong. Better to have some compartmentalization, some things that happen only on one device or happen only manually.




Know the vulnerabilities of your devices:

"The 'S' in 'IoT' stands for 'Security'."
-- from Grumpy Old Geeks Podcast

Are there any known security flaws in your internet-connected devices, especially devices you can't update ? For example, security cameras: article1, article2. And home Wi-Fi routers: article3.

For each of your devices, read the manual, and do some internet searches for "exploit/vulnerability/hack/problem MANUFACTURERNAME model NNN".

Some of the simpler-looking devices (tablets) may be the most vulnerable, because you probably don't install anti-virus on them, and they may not get security updates. Yet they're in your trusted local network, and could attack other devices.
Rhett Jones's "A New Reason to Not Buy These Cheap Android Devices: Complimentary Malware"


Especially dangerous are all-in-one devices with multiple connections. A fax-modem-copier-printer-scanner may connect to both a phone line and to your LAN; a flaw could let an attack come in the phone line and onto the LAN. A simpler attack could exhaust your expensive toner cartridges. Is the firmware updatable ? Is the manufacturer known and providing updates ? Don't leave the device powered on 24/365 unless absolutely necessary. Or unplug it from phone line and/or LAN except when needed.

A smartphone probably is connected to both the cell data network and to your LAN; that's a potential vulnerability.

Game consoles seem to be fairly secure, from what I read. Since they're going to be sold for years and in hundreds of millions of units, and used to handle DRM and in-game purchases, I guess the manufacturers work hard to make them secure. Usually they communicate mostly to the manufacturer's central game servers, which are walled gardens. The biggest issue may be that they also provide communication services: what could other players say or send to your child as they're playing the game ?
Heard on a podcast: Nintendo is notorious for resetting your privacy options each time the software is updated; check the settings often.
ProtonVPN's "The complete guide to online gaming privacy"

Interesting items from "Hackable?" podcasts:
Host invited hackers to attack his home LAN and devices. Some of the hackers were local (just outside his house), others were far away across the internet.

  • Local hackers were able to set up a fake router with same Wi-Fi network name, force all the LAN devices to reconnect, and they connected to the fake router. Since many of those devices store the Wi-Fi password, that password was revealed to the fake router.

  • The admin credentials of the home router appeared in an old data breach, and hadn't been changed since then.

  • IoT devices on the LAN had various default or hard-coded admin credentials.

  • Once onto the LAN, hackers were able to intercept traffic from security webcams that were set to LAN-only and thus thought safe.

  • Once onto the LAN, hackers were able to provide a MITM DNS, and redirect traffic to send the user to a fake Facebook login page, and capture the login credentials.

  • A fax/printer connected to a phone line was vulnerable to some malicious document faxed to it. Then it was used to access documents across the LAN and fax/send them out to the hackers.


YourThings Scorecard (evaluations of a number of common devices)
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"
OWASP's "Internet of Things (IoT) Top 10 2018" (PDF)
Brian Krebs' "Some Basic Rules for Securing Your IoT Stuff"
Router Security's "Test Your Router" (also cameras, printers, etc)

Testing webcam / security camera from inside (LAN side):
Assuming camera's LAN IP address is 192.168.0.100:

192.168.0.100/err.htm
192.168.0.100:10554
192.168.0.100:81
192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100

If test from LAN side gives suspicious results, investigate from WAN side.

Testing networked printer from inside (LAN side):
Assuming printer's LAN IP address is 192.168.0.100:

192.168.0.100:23 (Telnet)
192.168.0.100:2323 (Telnet)
192.168.0.100
Probably ports 9100, 631, 515 will be open on the LAN side; this is normal. But they shouldn't be exposed on the WAN side.

If test from LAN side gives suspicious results, investigate from WAN side.
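The port checks in the two lists above can be run in one pass instead of one browser tab at a time. This is an added example, not part of the original page: the port numbers and the 192.168.0.100 address come from the lists above, while the function names, the script name and the verdict wording are made up here, and treating the plain web interface on port 80 as normal on the LAN is an assumption. It covers the port checks only, not the /err.htm page.

```python
import socket
import sys

# Ports from the two checklists above: port -> (label, normal_on_lan).
# normal_on_lan=True means an open port is expected inside the LAN.
# Port 80 (the plain address in the lists) is treated as normal: an assumption.
CAMERA_PORTS = {
    80: ("web interface", True),
    81: ("port 81", False),
    23: ("Telnet", False),
    2323: ("Telnet", False),
    10554: ("port 10554", False),
}
PRINTER_PORTS = {
    80: ("web interface", True),
    23: ("Telnet", False),
    2323: ("Telnet", False),
    9100: ("raw printing", True),   # the page calls 9100, 631, 515 normal on LAN
    631: ("IPP printing", True),
    515: ("LPD printing", True),
}


def check_port(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or unreachable
        return False


def audit(host, ports, probe=check_port):
    """Probe each port; return a list of (port, label, is_open, verdict)."""
    results = []
    for port, (label, normal_on_lan) in sorted(ports.items()):
        is_open = probe(host, port)
        if not is_open:
            verdict = "closed"
        elif normal_on_lan:
            verdict = "normal on LAN; must not be reachable from WAN"
        else:
            verdict = "investigate; then test from WAN side"
        results.append((port, label, is_open, verdict))
    return results


def needs_wan_test(results):
    """True if any open port is one the checklists treat as suspicious."""
    return any(is_open and verdict.startswith("investigate")
               for _, _, is_open, verdict in results)


if __name__ == "__main__":
    # Usage (hypothetical script name): python lan_check.py camera|printer [ip]
    kind = sys.argv[1] if len(sys.argv) > 1 else "camera"
    host = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.100"
    ports = PRINTER_PORTS if kind == "printer" else CAMERA_PORTS
    results = audit(host, ports)
    for port, label, is_open, verdict in results:
        print(f"{host}:{port:<6} {label:<14} {verdict}")
    if needs_wan_test(results):
        print("Suspicious LAN-side result: repeat the test from the WAN side.")
```
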




Mobile devices are vectors for infection:

Suppose you routinely carry your phone / tablet / laptop / USB stick from home to work and back, connecting to Wi-Fi or plugging in at each place. And your partner does the same with their devices and their work. And the kids carry devices from home to school and back, and to friend's houses, connecting to Wi-Fi in each place. Maybe some of you use Wi-Fi in fast-food places or hotels or something.

Any of these systems could carry malware from one network to another, if not properly protected and isolated.

A sophisticated attacker could try to take advantage of this situation. Suppose they want to get data from the corporation you work for. So they sit outside your house probing the Wi-Fi, and find your kid's phone is vulnerable. They use that to attack your laptop, get some malware onto the laptop, and the next day you take that laptop to work.

Segment, isolate, compartmentalize, protect, test. Don't assume that "inside the router" means "safe".

Similar connections occur if you access personal email or cloud storage from your work computer, or the kids access school email or group homework-project docs or their sports-team docs on a home computer. Malware can be copied from one place to the other.

Public computers in print shops or internet cafes are the worst. Assume they are full of malware. Probably 3/4 of the times I've plugged a USB stick into a print shop computer to print an airline ticket, the stick has come back infected.



Would you know if your device was compromised ?

Set honeytraps on your devices:

Have log-files:
  • How can you turn on logging ?

  • Is there anything useful in the logs ? Do they record logins, commands run, etc ? Do you know how to read them and understand them ?

  • Are the logs copied to somewhere else for storage ? (Called "log shipping".) Otherwise an intruder could erase them. Send with rsyslog, analyze with LOGalyze or LogAnalyzer ? Or use a cloud service (Papertrail) ?

  • How long are the logs kept ? How long a time-period do they cover ?

Logging Made Easy (Windows only)
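To make the "do they record logins, commands run" question concrete, here is an added example (not from the original page) that reads Linux authentication-log lines and reports, per source address, failed and accepted SSH logins plus the commands run through sudo. The sample lines are constructed in the format OpenSSH and sudo write to syslog; the host name, user names, addresses and the threshold of 3 failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (host, users and addresses are made up).
SAMPLE_LOG = """\
Mar  3 02:14:07 homebox sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:09 homebox sshd[2210]: Failed password for root from 203.0.113.45 port 51124 ssh2
Mar  3 02:14:12 homebox sshd[2212]: Failed password for alice from 203.0.113.45 port 51130 ssh2
Mar  3 02:14:20 homebox sshd[2215]: Accepted password for alice from 203.0.113.45 port 51140 ssh2
Mar  3 08:30:01 homebox sshd[3001]: Accepted publickey for alice from 192.168.0.23 port 40022 ssh2
Mar  3 08:31:15 homebox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
""".splitlines()

# "Failed password for [invalid user] NAME from ADDR port N ssh2"
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
# "sudo:  NAME : TTY=... ; PWD=... ; USER=TARGET ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def review(lines, fail_threshold=3):
    """Summarize logins per source address and list sudo commands.

    Returns (sources, commands). A source is marked suspicious when a login
    is accepted after at least fail_threshold failures from that address,
    the pattern left behind by a password that was guessed.
    """
    sources = defaultdict(
        lambda: {"failed": 0, "accepted": [], "suspicious": False})
    commands = []
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            entry = sources[m["src"]]
            if m["result"] == "Failed":
                entry["failed"] += 1
            else:
                entry["accepted"].append(m["user"])
                if entry["failed"] >= fail_threshold:
                    entry["suspicious"] = True
            continue
        m = SUDO_RE.search(line)
        if m:
            commands.append((m["user"], m["target"], m["cmd"]))
    return dict(sources), commands


if __name__ == "__main__":
    sources, commands = review(SAMPLE_LOG)
    for src, info in sources.items():
        flag = "  <-- check this" if info["suspicious"] else ""
        print(f"{src}: {info['failed']} failed, "
              f"accepted for {info['accepted']}{flag}")
    for user, target, cmd in commands:
        print(f"sudo: {user} ran as {target}: {cmd}")
```

If the logs exist only on the machine itself, an intruder with root access can edit out exactly these lines, which is why the log-shipping bullet above matters.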




Routinely use a non-Administrator account:

This issue is a bit overblown, for a desktop single-user machine. In such a situation, all the interesting files are owned by the non-admin user. The only added risks from compromise of the admin account would be that the attacker might be able to do privileged operations such as spying on all LAN traffic.

I think this issue is a bit overblown in Win10, also. If you install Win10 and only log in as "administrator", really what you're doing is running in an "administrator-capable" account. If you try to do something that requires actual administrator privileges, you will see a "UAC" dialog and have to click "yes" to achieve administrator privileges. If you're running in a "normal" user account and try to do something that requires actual administrator privileges, you will see a "UAC" dialog and have to type an administrator password to achieve administrator privileges.

Rick Rouse's "Why you should use a 'Standard' user account in Windows"

From someone on reddit, about Windows:
> If I already have my account as admin, is there a way to demote it?

Create another user account. Name it Admin or Bambi or whatever floats your boat at that particular second. Set that account as a system administrator. Log out of your current account and into the new account. Change your normal account to a standard user. Log out of the new admin account and back into your regular account.

All of this is done through the 'User accounts' control panel applet.

Similar in Linux: use a normal user account, and "sudo" when you need to do something as root.

But see: xkcd's "Authorization"



Keep account security info up-to-date:

If your bank or credit card company sends you a security alert, but they send it to your old dead email address or old postal address, it doesn't do any good.

If you have a login problem somewhere, and the web site says "no problem, verify by clicking link in your email", but they send it to your old dead email address, you're in trouble.

If you never receive routine communications or verifications from your account at some company, figure out why and fix it, don't let it slide.



Monitor your accounts for evidence of problems:

At this point, there have been so many and such huge breaches (e.g. at OPM, Equifax, Anthem, more) that you should assume your Social Security number and DOB and credit-card info and email address have been stolen.

Alerts:
  • Set Firefox Monitor to monitor your email addresses.

  • Set up Google Alerts about your email addresses. Maybe also an alert on your home postal address ?

  • Some services (such as Privacy.com, Transferwise) can be set to send you an email every time a transaction occurs.

  • Some of the credit-agencies may send you an email if a credit card is created or closed under your name.

  • Maybe use an identity-theft warning service.


See Check your accounts section of my Testing Your Security and Privacy page.

Report freezing:
Maybe freeze your credit (a "credit freeze" or "security freeze"; usually free to apply and $5 to remove) or institute a fraud alert (free, but not as good).
US credit agencies: Equifax, Experian, TransUnion, Innovis, NCTUE, SageStream.
Jason Lloyd's "Why You Should Freeze Your Credit Report"
FTC's "Credit Freeze FAQs"
William Charles' "Two Credit Bureaus You Should Freeze Before You Apply For A U.S Bank Credit Card"
AJ Dellinger's "Equifax Operates Another Credit Bureau, and You Can't Freeze Your Report Online"
From Brian Krebs' "The Lowdown on Freezing Your Kid's Credit":
Some fans of my series explaining why I recommend that all adults place a freeze on their credit files have commented that one reason they like the freeze is that they believe it stops the credit bureaus from making tons of money tracking their financial histories and selling that data to other companies. Let me make this abundantly clear: Freezing your credit will not stop the bureaus from splicing, dicing and selling your financial history to third parties; it just stops new credit accounts from being opened in your name.
Also, a credit freeze does not prevent a background check (by govt or corporation etc) from getting your data.

Even if you have a credit freeze enabled, still check your credit reports every year or two, to make sure nothing incorrect or fraudulent appears on them.

Maybe freeze your salary/employment history report.
Salary/employment history agencies: Equifax Workforce Solutions (AKA The Work Number, AKA TALX), AccuSource, InVerify.
[I requested my TALX report. It only had the very last year of my work history (I retired almost 20 years ago), but it did have my employer, job title, and salary for that year.]
Alicia Adamczyk's "How to Review (and Dispute) the Salary Data Equifax Collects on You"
KrebsOnSecurity's "How to Opt Out of Equifax Revealing Your Salary History"

European credit-reporting agencies:
Spain: Asnef-Equifax
Spain: RAI (Registro de Aceptaciones Impagadas)
Spain: Experian España
Spain: CIRBE
Germany: Schufa
UK: TransUnion / Callcredit
many more ...
Haven Mortgages' "Credit Bureaus Around the World" (PDF)

Bruce Schneier's "Protecting Yourself from Identity Theft"

Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"
Beth Skwarecki's "What Happens to Your Stolen Medical Data"

A limited number of people (update: anyone, starting some time in 2021) can set a PIN on their IRS filings:
IRS's "Get An Identity Protection PIN (IP PIN)"

I think anyone can create an online account with the IRS, and better that you do it before some scammer does it for you:
IRS's "View Your Account Information"

Apparently the US Post Office has a notification service where they send email to you when something is about to be delivered. You want to register for this before some bad actor does so in your name.

Creating an account before some bad actor does so in your name is called "planting your flag". Maybe do this with the credit-reporting agencies, IRS, USPS, SSA, unemployment agency, ISP, etc.
Brian Krebs' "Why & Where You Should Plant Your Flag"

Sign up for your online US Social Security account (may require a trip to a SS office).
Carissa Ratanaphanyarat's "Your Social Security Number Was Stolen! Now What?"
Brian Krebs' "Crooks Hijack Retirement Funds Via SSA Portal"

When someone uses your public reputation to get jobs:
Relja Damnjanovic's "Freelancer Identity Theft: It Happened to Me - Here's What You Should Know"

You can opt-out of some of this tracking:
Opting out of everything probably is impossible, and a game of Whack-A-Mole. But at least hit some of the top places.

If you're using a PO Box or PMB to hide your real address, probably don't opt-out in places where they have only your PO Box or PMB address. You want to have your data associated with that address, not your real location.

Don't copy a standard opt-out request letter or email from some workbook, and send that to services. They're aware of standard formats, and ignore them. Instead, compose a request in your own words. Don't say you're doing it "for privacy", instead say your family has been getting strange phone calls giving personal information and threats, and is feeling endangered and stalked. Emphasize that you need your data removed from both their search results and their deeper listings.

Often the first response to a "remove my data" request is an automated response. Respond to it and repeat your request, maybe changing it a little.

Some opt-out services (on data-brokers, and on such services as Yahoo Mail) work by putting a cookie on your computer, telling their advertising code not to track you. But this conflicts with my desire to delete all cookies every time I close the browser.

A couple of US states have registries of data-brokers (Vermont and California), so maybe you can use those to find opt-out addresses.

LexisNexis' "Individual Requests for Information Suppression Policy"
SageStream Opt Out
Acxiom Opt Out
Palantir privacy statement

World Privacy Forum's "Data Brokers Opt Out List"
Yael Grauer's "Here's a Long List of Data Broker Sites and How to Opt-Out of Them"
Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
StopDataMining.me's "Opt Out List"
ParanoidsBible's "The Master Opt-Out List"
Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
Elizabeth Harper's "How to Remove Yourself From People Search Directories"
Alicia Adamczyk's "Run a Comprehensive Background Check on Yourself"

There are some mass-opt-out services, but they just store preferences in cookies in your browser, so if you delete cookies, your preferences are deleted:
EU: Your Online Choices
USA: WebChoices

Idea:
Instead of opt-out lists/sites, I'd like:

  • A big comma-separated list of email addresses, so I can paste the whole list into the BCC field in my email client and send one "please delete my info from your site" email to all of them in one operation.

  • A browser add-on or app that will let me push one button, and the add-on/app will go to N opt-out web pages and fill in the forms to tell each of them "please delete my info from your site".


From interesting audio podcast interview of a guy who runs people-search sites, The Complete Privacy & Security Podcast episode 071:
There are maybe 6 big players in the people-search industry (Pipl's "Removal from Search Results", BeenVerified, Spokeo, TruthFinder, Radaris, MyLife, Intelius), and a hundred subsidiaries/affiliates of them, and a hundred smaller competitors. And maybe 3000 web sites, owned by those companies. But they may create dozens of new web sites every week or month, trying to get into the top-ten results on Google Search.

Some of the companies make money through ads, but mostly they make money when someone views their free report and decides to subscribe to get their full report.

These companies are scraping data from everywhere: from each other, from govt, from companies such as real-estate agencies, from any account you create that allows sharing your data with third parties, etc. Some governments will sell driver's license data or car registration data.

Getting a company to "delete your record" is not best, because your info probably will flow back in from somewhere else a week or a month later, and they'll treat it as a new record because they no longer have a record of you. It's better to have them "block your info", so they keep a record but don't give it out (if they're ethical).

Disinformation can work, but it won't hide any real information, and you have to be consistent, using the same false info again and again, as many places as possible.

Name, address, phone are the key items used to correlate data from various places, but I'm sure SSN, DOB, credit-card number are used when available.

Some big services used by private investigators and law-enforcement: Tracers, TLO, IRBsearch.

Michael Bazzell's "Personal Data Removal Workbook & Credit Freeze Guide" (PDF)
Kristen V Brown's "Deleting Your Online DNA Data Is Brutally Difficult"
Michael Bazzell's "Hiding from the Internet"
Wolfie Christl's "Corporate Surveillance in Everyday Life"

If you're a victim of Identity Theft:
  • Immediately report it to your banks and other financial companies. Cancel cards and get new ones.

  • Immediately report it as "fraud alert" to one or more of the credit-reporting agencies.

  • If you know or suspect how it was done, change password and/or make report to that source.

  • Review past transactions going back a year or more; this may have been going on for a while. Dispute any fraudulent charges, correct any wrong info on credit reports.

  • Make a report to local police, even if they will do absolutely nothing about it and even if the problem is entirely online, not local. You will be putting a sworn statement on the record, and that will be useful to give to your banks, use in court, etc.

  • File identity-theft report with FTC: IdentityTheft.gov

  • Do items in the Report freezing section above, if you haven't done them already.

  • Change important passwords, even if they may seem unrelated to this problem.

  • Check social media postings to see if they could have revealed info used to create this problem.

  • Get copies of your credit reports every couple of months for the foreseeable future.

ASecureLife's "Identity Theft Recovery Checklist" (PDF)
Neil J. Rubenking's "5 Ways Identity Theft Can Ruin Your Life"
Kelli B. Grant and Katie Young's "How to protect yourself from medical identity theft"

OSINT Framework



Simplify your life:

Do you really need email accounts at N different providers ? Each one has to be secured. Really need accounts at Twitter, LinkedIn, Facebook, Snapchat, Instagram, Flickr, YouTube, 20 different online stores, etc ? Really need 5 credit cards and accounts at 5 banks ? Each one is a possible security or privacy problem.

Reduce, simplify. But you do need a backup email account, and a second bank account and debit card, IMO.



Be smart:

Be aware of security threats, and don't fall for them. Know how to recognize spam, scams (composite scam), phishing attempts. False alerts that say "something is wrong with your computer, better run this scanning software right away !". Be especially careful when downloading and installing software.

One way to think of it: be wary of any "incoming" stuff. Email you receive, SMS or WhatsApp texts you receive, Facebook posts or comments you receive, a USB drive you find on the ground, a USB drive given/mailed to you, a phone call you receive, software you download, a recommendation that you do or install something. "Incoming" == "potential threat".

Be wary of threats in search results. Lots of sites have been set up to provide "GMail Support phone number" or similar in search-engine results. But these big vendors with free services (Google, Facebook, WhatsApp, etc) deliberately do not HAVE a phone support number you can call. They have hundreds of millions or billions of free users; the LAST thing they want is for users to be able to call humans at their company. Any search result that gives you such a phone number is trying to connect you to a scammer. At best, they'll try to sell you something. At worst, they'll install ransomware, steal your money, and sell your information.

Check to see if a web site is suspect:
Scambunkers
Lenny Zeltser's "Tools for Looking up Potentially Malicious Websites"

When you see scams or spam or abuse, report them if you can. You may save someone else from getting scammed or abused.
PhishTank
StopBadware
Google's "Safe Browsing" (report links at bottom-right)

If something strange starts happening with your phone (service turned off, or lots of SMS messages, or requests to confirm transactions you didn't initiate), or similar in your email (requests to confirm transactions you didn't initiate), react immediately, don't let it slide. You may be under attack. Check your key accounts and devices. Call your bank and phone service provider. Run anti-virus scans. Don't panic, but check on things.

If you receive a 2FA code on your phone when you didn't try to login, someone may have your username and password for that account, or may have just your email address and requested a password-reset for that account. Check your account, and you should probably change your password.

Sometimes a scammer will say they just sent a code to your phone, and you have to read it back to them to confirm your phone number. Don't do it ! They may have requested a password-reset for one of your accounts, and the code is coming from Google or Facebook or wherever the account is. If you give the code to the scammer, they'll take over your account.

Phishing:
Phishing is when someone sends you something to trick you into giving away important information (such as your username and password, or credit card details).

Phishing attempts usually come through email, but also they could be done through Instant Messaging, chat, SMS, a Facebook post, a web page you find through searching, even paper mail.

People rightly are told to be suspicious of links and domain names. Be doubly suspicious of QR codes, which really just resolve to a link (URL). Don't just blindly scan a QR code and assume it sent you to a legit page. QR Code

My quiz about phishing emails to home users: Go to Phishing Test page 1 of 6

Google's "Phishing Quiz"
[I got only 6/8. I think that quiz proves that users need a LOT more help from browsers and email clients. Maybe email pages should have:
  • A same-origin policy to require all email addresses and links to be in the same domain.
  • An icon next to every URL so you can click and see the owner of the domain.
  • Text of every link forced to match exactly the URL of the link.
]
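The third suggestion in the list above (link text must match the link's URL) can be checked mechanically. This Python sketch is an added example, not code from the original page or from any mail client; the sample HTML, its reserved `.example`/`.test` host names and the verdict labels are constructed for illustration, and hosts are compared as whole names rather than by registrable domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something in the visible text that looks like a host name, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.IGNORECASE)


def strip_www(host):
    """Lower-case a host name and drop a leading 'www.' so both sides compare equally."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def href_host(href):
    """Host the browser would actually connect to, or '' if the href has none."""
    try:
        return strip_www(urlsplit(href).hostname or "")
    except ValueError:  # malformed href, e.g. unbalanced IPv6 brackets
        return ""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element, including nested markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_links(html_body):
    """Return one (verdict, visible_text, href) tuple per link.

    match         - the text shows a host and it is the host the link goes to
    host-mismatch - the text shows one host but the link goes to another
    opaque-text   - the text shows no host at all, so the reader cannot
                    tell the destination without inspecting the link
    """
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    results = []
    for href, text in collector.links:
        shown = HOST_IN_TEXT.search(text)
        if shown is None:
            verdict = "opaque-text"
        elif strip_www(shown.group(1)) == href_host(href):
            verdict = "match"
        else:
            verdict = "host-mismatch"
        results.append((verdict, text, href))
    return results


# Constructed sample body; the .example and .test names are reserved, not real sites.
SAMPLE_HTML = """
<p>Your account is locked.</p>
<a href="https://www.mybank.example/signin">https://www.mybank.example/signin</a>
<a href="http://mybank.example.account-check.test/login">www.mybank.example</a>
<a href="http://tracking.test/r?id=1"><b>Click here</b> to verify</a>
"""

if __name__ == "__main__":
    for verdict, text, href in audit_links(SAMPLE_HTML):
        print(f"{verdict:14} text={text!r} href={href!r}")
```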

SonicWall's "How is your Phishing IQ?"
PhishingBox's "Phishing Test"
OpenDNS's "Phishing Quiz"
WeLiveSecurity's phishing quiz (video)
ProProfs' "5kazen Quiz - Phishing Scams"
Tyler Omoth's "10 quick tips to identifying phishing emails"

Wikipedia's "Phishing"

Send any suspect links or files to VirusTotal for checking. (Maybe also URLVoid or urlscan.io or Zscaler's Zulu or Trend Micro's "Site Safety Center" or Talos Intelligence or Hybrid Analysis or Joe Sandbox)

Report any suspicious emails to the company they're pretending to come from, or to your email provider, or to FTC Report Fraud.

Report any phishing or look-alike web sites to Google Safe Browsing or Microsoft SmartScreen or Netcraft Anti-Phishing.

Don't click on a link in the email to report it or say "no, I didn't request a password reset"; that link could be malicious.

A browser add-on that tries to protect you from look-alike domain names (e.g. "amaz0n.com"): Donkey Defender
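One way a look-alike check of this kind can work, as an added example (it is not the code of Donkey Defender or of the original page): undo common character substitutions, then compare the result against a watchlist. The watchlist, the substitution table and the verdict names are assumptions chosen for illustration, and only whole domain names are compared.

```python
# Domains the user actually does business with (assumed watchlist for this example).
WATCHLIST = ("amazon.com", "paypal.com", "google.com")

# Digits commonly used in place of similar-looking letters.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def skeleton(domain):
    """Reduce a domain to a canonical form in which common look-alikes collapse."""
    s = domain.lower().translate(SUBSTITUTIONS)
    # Letter pairs that read as a single letter in many fonts.
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute), row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, watchlist=WATCHLIST):
    """Return (verdict, matched_brand_or_None) for a domain name.

    exact        - the domain is on the watchlist
    non-ascii    - contains non-ASCII characters or a punycode ("xn--") label;
                   treat as needing manual review
    substitution - becomes a watchlist entry once look-alike characters are undone
    one-edit     - one typo away from a watchlist entry
    unrelated    - none of the above
    """
    d = domain.strip().lower().rstrip(".")
    if d in watchlist:
        return ("exact", d)
    if any(ord(ch) > 127 for ch in d) or any(label.startswith("xn--") for label in d.split(".")):
        return ("non-ascii", None)
    sk = skeleton(d)
    for brand in watchlist:
        if sk == skeleton(brand):
            return ("substitution", brand)
    for brand in watchlist:
        if edit_distance(sk, skeleton(brand)) == 1:
            return ("one-edit", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed test inputs.
    for name in ("amazon.com", "amaz0n.com", "arnazon.com", "amazom.com",
                 "paypa1.com", "amaz\u043en.com", "example.org"):
        print(f"{name!r:20} -> {classify(name)}")
```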

Be especially careful in a big-money rushed situation such as closing a real-estate transaction (buying a house). A scammer may jump into the middle of the process and send you an email saying "okay, send the deposit money to bank account NNNNNNN, ASAP !". Always find out up front how and where the money will be transferred, and get it in writing. If there is any change, get the new info in person and in writing (or at least initiate a phone call to verify such things).

Don't copy/paste scripts or commands straight from an untrusted web page onto the shell/commandline. Instead copy/paste them into a text editor and see if they look the same. Then copy from there to shell if you wish. [Or in Firefox set dom.event.clipboardevents.enabled = false.] See Brian Tracy's "Don't Copy Paste Into A Shell" and example.
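The text-editor check described above can also be done in code. This Python sketch is an added example, not code from the original page or from the linked article; the function names and sample strings are constructed for illustration. It reports what a copied string contains beyond what was visible on the page.

```python
import unicodedata


def inspect_paste(text):
    """Return a sorted list of reasons why pasted text deserves a closer look.

    trailing-newline - ends with a line break, so a shell may run it as soon
                       as it is pasted (unless bracketed paste is active)
    multi-line       - contains more than one line, i.e. more than one command
    control-char     - contains control characters other than tab/newline
                       (escape sequences, backspaces, ...)
    invisible-char   - contains Unicode format characters (zero-width or
                       text-direction controls) that do not show on screen
    """
    findings = set()
    body = text.rstrip("\r\n")
    if body != text:
        findings.add("trailing-newline")
    if "\n" in body or "\r" in body:
        findings.add("multi-line")
    for ch in body:
        category = unicodedata.category(ch)
        if category == "Cc" and ch not in "\n\r\t":
            findings.add("control-char")
        elif category == "Cf":
            findings.add("invisible-char")
    return sorted(findings)


def reveal(text):
    """Render control and format characters as visible escapes, leave the rest as-is."""
    out = []
    for ch in text:
        if unicodedata.category(ch) in ("Cc", "Cf"):
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples: what the page displayed versus what the clipboard held.
    samples = [
        "ls -la",
        "echo hello\necho second-command\n",
        "git status\u200b",
        "ls\x1b[2Jpwd",
    ]
    for sample in samples:
        print(f"{reveal(sample)!r:45} {inspect_paste(sample)}")
```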

IP Logging:
Generally, clicking on a link is not enough to hurt you. Your browser will load a web page. There is a small chance that code on that page could find some vulnerability in your browser, if you haven't kept your software updated. But it's unlikely.

A bigger risk is that the page could fool you into doing something bad, such as giving your login credentials.

A valid risk is that the page could collect as much information as possible about you and your browser and machine, and send that information somewhere. At a minimum, it could record your IP address ("IP logging"). It could record what browser you're using, what OS you're using, etc. All the stuff listed in the Browser fingerprinting section.

If you're using a VPN, and have turned on privacy and anti-tracking settings in your browser, maybe there will not be much info. But suppose the link looks like something you really want to see ("we tried to deliver a package to you"), and the page says "blocked because you're using a VPN; turn off your VPN" ? You might do it. Then the attacker could find out more information.

Watch out for fleeceware apps or sites: subscriptions that say $10/year in big print and then $10/week next to the button where you're paying.

Watch out for ridiculously-priced items on web sites such as eBay or Craigslist. Some people buy things on Amazon for $20 and then put them for sale on eBay for $40 to see if anyone will bite.

Watch out for deceptive items for sale. It may look like they're selling a phone, when in fact they're selling a case for a phone or a model of a phone.

Max Eddy's "How To Protect Yourself From Social Engineering"
Alan Henry's "Why Social Engineering Should Be Your Biggest Security Concern"
IC3's "Internet Crime Prevention Tips"
Decent Security's "How Computers Get Infected"
Dark Patterns

"I got a strange email from you, your account must be hacked !":
This does not necessarily mean someone has been "hacked". Perhaps some software scanned Facebook, found that A and B are Friends, and found A's email address in A's Facebook profile. Then a scammer sends an email to A, with a few cosmetic changes to make it look like it came from B, and saying "hey, this is B, check out this [dodgy] site" or something. A says to B "I got a strange email from you, your account must be hacked !".

One way to check: A's email client may have a "show details" button or link, where you can see the actual email address the email originated from. It probably isn't B's email address, even though the displayed "from" name is "B".
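The "show details" check, done on the raw message, as an added example (not code from the original page or from any mail client). The address book, the sample messages and the finding labels are constructed; the example also goes one step beyond the text by reading the `Reply-To` header and the DMARC verdict that the receiving mail server records in `Authentication-Results`, since the address in `From` is itself supplied by the sender.

```python
import re
from email import message_from_string, policy

# Constructed address book: display name (lower-cased) -> address known to be theirs.
CONTACTS = {"bob example": "bob@mail.example"}

# DMARC verdict inside an Authentication-Results header, e.g. "dmarc=pass".
DMARC_RESULT = re.compile(r"\bdmarc=(\w+)", re.IGNORECASE)


def check_sender(raw_message, contacts=CONTACTS):
    """Return a list of findings about who a message claims to be from."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return ["no-from-address"]

    findings = []
    sender = from_header.addresses[0]
    address = sender.addr_spec.lower()

    # The displayed name is a known contact, but the address is not theirs.
    known = contacts.get(sender.display_name.strip().lower())
    if known is not None and known.lower() != address:
        findings.append("name-address-mismatch")

    # Replies would go to a different domain than the one shown in From.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        if reply_to.addresses[0].domain.lower() != sender.domain.lower():
            findings.append("reply-to-other-domain")

    # Only meaningful when this header was added by your own mail provider.
    auth = msg["Authentication-Results"]
    verdict = DMARC_RESULT.search(str(auth)) if auth is not None else None
    if verdict and verdict.group(1).lower() != "pass":
        findings.append("dmarc-" + verdict.group(1).lower())
    return findings


# Constructed sample messages; all domains are reserved names.
SPOOFED_NAME = (
    'From: "Bob Example" <deals@bulk-sender.test>\n'
    "To: alice@mail.example\n"
    "Subject: check out this site\n"
    "\n"
    "hey, this is Bob\n"
)
GENUINE = (
    "From: Bob Example <bob@mail.example>\n"
    "To: alice@mail.example\n"
    "Authentication-Results: mx.mail.example; dmarc=pass header.from=mail.example\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
)
FORGED_ADDRESS = (
    "From: Bob Example <bob@mail.example>\n"
    "Reply-To: bob@freemail.test\n"
    "To: alice@mail.example\n"
    "Authentication-Results: mx.mail.example; dmarc=fail header.from=mail.example\n"
    "Subject: urgent\n"
    "\n"
    "Please reply quickly.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed name", SPOOFED_NAME), ("genuine", GENUINE),
                       ("forged address", FORGED_ADDRESS)):
        print(f"{label:15} {check_sender(raw)}")
```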

If you start getting a flood of junk emails from many sites, it could be that someone is harassing you, or it could be something more serious: If someone manages to break into your Amazon account, for example, and place an order, they might flood your InBox with junk so you overlook the real order confirmation email from Amazon.

Some scams work by trying to claim a special bond. We're members of the same religion or political party, for example.

And of course scams are not just online, they also can come via phone or snail-mail or in person.
Alan Henry's "Five Common Scams Directed at Seniors (and How to Avoid Them)"
FTC's "Phone Scams"
ACCC's "Scamwatch - Types of scams"

If you get scammed, report it to local police. Sometimes scammers are fairly local, not in some faraway country. Sometimes police will be able to combine your info with that of other victims to see a pattern that you don't see.



Kashmir Hill's "10 Incredibly Simple Things You Should Be Doing To Protect Your Privacy"
Andrew Cunningham's "A beginner's guide to beefing up your privacy and security online"
ProtonVPN's "12 mistakes that can get your data hacked - and how to avoid them"
Decent Security's "Windows Security From The Ground Up"
Wired's "Guide to Digital Security"
PRISM Break
Security-in-a-Box
Kashmir Hill's "Journalist Invited Hackers To Hack Him. Learn From The Mistakes."
Adam Clark Estes' "How to Encrypt Everything"
Spread Privacy's "How to Set Up Your Devices for Privacy Protection"
Justin Carroll's "Thirty-Day Security Challenge"
Open Reference Architecture for Security and Privacy
Filippo Valsorda's "I'm throwing in the towel on PGP, and I work in security"
ProtonMail's "A complete guide to Internet privacy"
Fried's "The Ultimate Guide to Online Privacy"
Michael Horowitz's "A Defensive Computing Checklist"
Lissy93 / personal-security-checklist
CISA's "Tips"
kaiiyer / rajappan's "Privacy Guides"
Andy Greenberg's "How To Bust Your Boss Or Loved One For Installing Spyware On Your Phone"








Online Privacy



Don't put really private stuff online. At all.

Naked pictures of yourself or your spouse ? Personal embarrassments ? Dark secrets ? Something illegal ? Something embarrassing about your friends or family ? Just don't put it online, or transmit it over the internet. Maybe don't even put it on your computer or phone or camera.

Either stop using social media, or use it more carefully.

Use multiple throwaway accounts on social media (mainly reddit) where that's easy to do and people don't need to find you by your real name.



Other people are a threat to your privacy.

Don't tell other people about stupid or illegal stuff you've done; maybe they'll post or WhatsApp about it, or tell someone else and then they'll post about it.

Have a friend or family member who likes to gossip about you, who betrays your trust ? Now they can do it online, to the whole world. Be careful what you tell them, online or offline. Be careful how you connect to them online, and what you expose on those connections. And you may be exposing other people to them, online.



"Privacy" is not just about your data, it's about the data of others too.

You have lots of data about your friends and family and employer and coworkers and neighbors. Treat it carefully. Encrypt your devices. Think twice before posting about someone else, or about something you did with someone else.



Give "them" as little data as possible:

Don't fill in all of those "profile" fields. Why tell Facebook where you've worked, where you went to school, who your family members are ? Why tell LinkedIn everyone you've worked with ?

Registering for professional conferences is particularly bad; those directly give your data to all 500 vendors at the conference.



Give them fake data:

Don't give them your real birthday, or real mailing address, or real phone number. Misspell your name slightly.
[But: if Facebook or whoever later challenges you to produce real ID to verify your account, and your info doesn't match, you'll lose the account.]

Set Facebook profile fields for school, work, places lived to real, big places that have no actual connection to you. Let them sell misinformation.

Maybe have multiple people (your whole family, or half a dozen of your friends) share one social-media account (Facebook, Twitter, Pinterest, reddit). But I'm not sure what happens if the service sees one account logged in from several locations simultaneously.

Maybe you could have multiple accounts on one social-media site, and use a different account every day.

For map/GPS applications, set home and work addresses to nearby addresses, not your exact addresses.

But you can't give fake data to police or government or schools or insurance or banks. That may be illegal, or may come back to bite you later in some way.

When installing an OS, or using a brand-new PC for the first time: Give your PC a generic name such as "laptop2". Create a user account with a generic name such as "user3", instead of using your real full name. Or use your initials: "userJD". Those names will appear on networks and other places.

Geo-location:
Your computer or browser or ISP may reveal your physical location to web sites.

Ways your location can be determined or set:
  • GPS, in smartphone.
  • Cell towers that your smartphone can see.
  • Adapters (networks) that your Wi-Fi can see.
  • Adapters or devices that your Bluetooth can see.
  • Adapters or devices that your device can see through a mesh network.
  • Location set by the owner of the LAN's router ?
  • Location set by the ISP that connects to the router.
  • Small clues set in your OS, such as system time-zone and language and country-code.
  • Location you set in your browser or other application (VoIP?) or OS.
  • Location you set in your online accounts (social media, etc).
  • Location set or known in other devices on your LAN or Bluetooth, such as TV or game consoles or car's GPS ?
  • Location set or calculated in body-devices on Bluetooth, such as watch or fitness-tracker ?
  • Location acquired from connected nearby devices not owned by you, through hookup apps ?

Defenses:
  • Operating system:

    Windows 10 gives a setting to turn off location and set a "predetermined location" to give to apps. I think you get to it through "Diagnostic Settings".
    It seems Linux does not have a similar facility.

  • Set location in your browser:

    Location Guard
    In Firefox, do about:config and look at "geo." entries. Someone says set something like:
    geo.wifi.uri = data:,{"location":{"lat": 51.50,"lng":-0.12},"accuracy":1000}
    In Chrome, maybe "Manual Geolocation" extension, or:
    "developer console / 3 dots / more tools / sensors / enter geo you want or choose from presets"

  • Smartphone:

    Go through app permissions and disable Location wherever possible. But I have a couple of bank or other financial apps that insist on having location turned on, I guess as part of fraud detection.
    mcastillof's "FakeTraveler" (Android only; fake GPS location)


Test via: IP Location

Maybe Create fake personas:
Create a fake name who lives at your real address:
  • Pick a simple, neutral name, such as "Alex Smith".

  • Create an email address that fits, such as A.Smith at gmail.

  • Get a pay-as-you-go SIM phone and use it for this person.

  • Get a Privacy.com virtual credit-card in their name.

  • Use one set of fake data (phone number, email address, gender, DOB, SSN, photo [not a stock photo from the internet; maybe from This Person Does Not Exist], CC number, school history, work history) for this persona, and stick with it. Write it all down, print it out for easy use.

  • Use your real postal address.

  • Subscribe to a couple of cheap or free magazine trials (Forbes, Wired) in their name, using your real postal address.

  • Subscribe the email address to a couple of newsletters, so there's activity in the account. Set the account to forward the newsletters to some other junk account, so there's outgoing traffic too.

  • Use this persona when ordering things online.

The goal of this persona is to avoid giving out your real data, and make it look like someone else is living at your address, so maybe you have moved out.

Associate your real name with lots of fake data:
  • Pick one set of fake data (phone number, postal address, email address, DOB not too far from your real DOB, SSN, school history, work history) and stick with it. Write it all down, print it out for easy use.

  • Use your real name, your real gender, your real photo.

  • For the postal address, maybe pick the address of some big hotel in the same county as your real address.

  • Maybe create a fake company ID-card with this data on it ? But there are few cases where you'd need to use it. Could be useful to hand over to a store-clerk when they demand your data, or just to help you remember your fake data.

  • Maybe create a Privacy.com credit card with this data on it ? But there are few cases where you'd be able to use it, since it would not be a physical card, and it would not be connected to your real postal address. The bills would be paid, so using it is not fraud, probably.

  • Create a free Wordpress blog page, giving the data of this persona, about some subject unrelated to you. If it looks like a personal business, you have an excuse to give address, phone number, and email address.

  • Maybe buy a domain-name that matches your real name, giving the data of this persona (although I think you'll need to give real email address). Create a web page giving this persona's data and unrelated subjects. [Probably a lot of work.]

  • Some people-search sites let you submit "corrected" data. Give them this persona's data.

  • Online, request quotes for home alarm-monitoring services.

  • Online, make a PasteBin page containing the info; they get scraped frequently.

  • If you have a burner phone number to use, maybe create a LinkedIn account for the fake persona.

  • Subscribe the email address to a couple of newsletters, so there's activity in the account. Set the account to forward the newsletters to some other junk account, so there's outgoing traffic too.

  • Use this persona anywhere that data is demanded but you don't need/want to receive anything in postal mail or email. In retail stores, for unimportant online accounts, professional conferences, etc.

The goal of this persona is to create fresh misleading data (in your real name) that is newer than your real data.

Maybe have a separate different-colored wallet for each persona, so you can keep everything straight and it doesn't look funny if someone sees multiple names in your wallet.

Remember that you can't give fake data to police or government or schools or insurance or financial companies. That may be illegal, or may come back later to bite you in some way.

For a work history or company ID card, invent some fake anonymous small company, don't use a big well-known corporation with an HR department that can be contacted.

I think Sudo (MySudo) creates and manages email addresses and phone numbers, but not the rest of a persona's information. I think Blur creates and manages email addresses and phone numbers and credit-card numbers (but with fees), but not the rest of a persona's information.

Fake Name Generator

Email address:
What Google harvests from your accounts (mainly GMail), from someone on reddit 12/2018:
... I downloaded what supposedly is all the data Google keeps about me ...

In my Takeout archive, there is a folder called "Purchases and reservations", which contains many files with all the anonymous* data that Google collected from my e-mails. This includes my purchases on all sorts of websites (Amazon, etc.), shipping updates and my flight/train reservations. ...

My location data file freaked me out a little bit too, with all of its "ON_FOOT", "STILL" and "IN_ROAD_VEHICLE" strings, but I had my location history on, so that was to be expected. That text file alone is 82.7 megabytes - not bad, huh?

If you have a Google account, I suggest you download all of your data from Google Takeout and check what it looks like with your own eyes.

*Anonymous, in this particular case, means that my home address and my full name (albeit only in the reservation files), are written in plain text.

It may be a good idea to have separate email addresses for family, work, financial, social, shopping.
Hiding From The Internet's "Compartmentalization"

You can get a disposable email address, which exists just long enough to finish registering somewhere: 10 Minute Mail, Mailinator, others.

A service which will "screen" your real email address, phone number, credit card number by giving out different info which relays to your info: Blur (Stop giving out your real personal info online with MaskMe, a new privacy tool).

A service which will "screen" your real email address, phone number, credit card number by giving out virtual info (but not relaying to your existing providers, I think): Sudo

Another: "PlusPrivacy feature - email identity management"

In your email client, turn off automatic display of HTML, images, and JavaScript. It's dangerous to let some random person send you a piece of software that executes in your client.

Some security guys say it's safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

On the other hand, if you use an email client application (such as Thunderbird), your email is not stored on the email provider's server for very long, it's stored on your personal machine. Maybe you can find a provider that promises to erase your messages completely from their server after you retrieve them to your machine.

Nitrous's "The Easy Way to Use PGP for Encrypting Emails on Windows, Mac & Linux" (if using Thunderbird)

Changing your email address:
Changing your email address on all accounts (such as from old insecure email service to a new secure email service) can be tricky. If your email address is used as your username on an account, the service may or may not let you change it. But if you can't change username, you still might be able to change email address used within the account. Worst case, you may have to delete the account and create a new one.

You may be able to set your old email account to forward all messages to a new account. But this is bad as a permanent thing: makes everything less clear and reliable, old provider still sees your mail, still have to manage old account as well as new one.
Rick Rouse's "How to forward your Yahoo mail to another email account"


Virtual phone numbers:
It may be a good idea to have separate phone numbers for family, work, financial, social, shopping.

Nomad Gate's "How to Build Your Own Virtual Phone in Minutes"
Ben Stockton's "5 of the Best Virtual Cell Phone Number Apps for Android"

Sudo
Google Voice
Aircall
flynumber
SMS: Hushed (cheapest plan $5/month, but there are many limits by country, maybe have to address-verify, etc)
TextNow (available only in USA, Canada, and some others)

Credit-card info:
Even if you have a credit card with a chip in it, the magnetic stripe on that card still contains all of the info needed to do a transaction, and the stripe is easy to read. So keep a close eye on any merchant you hand your credit card to. And monitor your account for any unauthorized charges.

If you want a fake number to satisfy a "free trial" web site, see Get Credit Card Numbers.

Virtual Credit Cards:
Such a card or card number is connected to a real credit card or a bank account. Any transactions you do get "passed through" to the real account backing the virtual card or card number. Multiple cards or card numbers can be backed by the same real account.

You can get one or more Virtual Credit Card numbers. You may be able to set a purchase limit or time limit on the number. You might be able to get such a number from your existing credit card company.

Such a number is virtual, not physical, so you can use it only online, not in a store. Don't use it for something you buy online but then pick up in person: maybe air travel, hotel, rental car, event tickets. Virtual numbers often don't work for overseas transactions, only within the country of origin. If your real number and all virtual numbers are issued by the same company, that company still can see all of your activity.

I wonder about the legal implications of this. In USA at least, consumers have a lot of rights to dispute credit card charges and be protected against losses. What happens to those rights if charges are going through another service first ?

Also, real credit cards often give accident insurance when renting a car, or trip-cancellation insurance when buying plane tickets.

Online, paying with a service such as PayPal gives less data to the merchant than paying with a credit card. But not all merchants accept PayPal, and I'm not sure about protections and benefits when paying with PayPal.

Rules and fees vary greatly from company to company. Some allow only citizens or residents of certain countries. Some are accepted only by merchants in a specific country. Some have an annual fee per card, or a fee per transaction.

Neil J. Rubenking's "5 Things You Should Know About Virtual Credit Cards"
Alan Henry's "Privacy Lets You Create 'Virtual' Credit Card Numbers, Deactivate One Instantly If It's Stolen"
Rebecca Lake's "Why Virtual Credit Card Numbers Aren't Worth It"
Simon Zhen's "Virtual Account Numbers: What You Need to Know"
Zahra's "Best Virtual and Prepaid Cards for International Shoppers"

Blur (article)
Privacy.com
Token (smartphone app only; Chrome extension being developed)
Sudo (MySudo)
Revolut (Premium plan, €8/month)

My experience with Privacy.com since 1/2018:
Available to US or Canadian citizens only. Requires USA mailing address, requires email that can be verified, US phone number that can receive an SMS for verification. Will pay directly out of your bank account, so it requires your bank account username and password.

Gave it credentials to my bank account at ETrade, but connection kept failing, they said there's a bug.

A month later, I asked if they had fixed that bug, and instead they turned on ability to give ABA routing number and account number. I gave those numbers, they did 2 deposits to my account to confirm that it existed.

A few days later, tried to create a number, and it failed. Turned out I hadn't quite finished the process, I was supposed to tell them exactly the amounts of the test-deposits.

You can't create a physical credit card that carries a number created through Privacy.com, it won't work. [But it seems legal to possess a credit card writer; they're for sale on Amazon, eBay, etc. And you can buy blank white credit cards there, too. You might need a special printer to print on them; search for "credit card printer embosser". I'm not sure if any card-printing services will create a real, working credit card for you, unless you're a business, and ordering in largish quantities.] But 9/2019 Privacy.com says they MAY offer a physical card within the next 12 months.

Each card you create can only be used at one merchant, the first where you use it. You can't create one card which you can use for any merchant.

Also not specified: what name is on the card. Asked Support, and got:
In terms of name / billing, you can use any name and billing address / zip code with the merchant you would like, and we will return that it's correct when the merchant runs the charge.

Please keep in mind though, merchants have sophisticated fraud checks on their end sometimes, so don't get too creative with the billing info or it might raise a flag in their system. Also if the transaction requires a shipping address, generally using a billing address in the same city is a good idea (for example, if the shipping address in San Francisco and the billing address is in New York it may trigger their fraud checks as well).
So, you just have to give the right card number, CCV, and expiration date, and the card will work.

Other than putting a "nickname" on each card on their web site, the web site gives no help for managing the cards. You can't tag each one with the name and address you're using with the card, for example. (Maybe better to do that in a password manager, anyway.)

In my bank account, Privacy.com transactions show up as "direct debit" and description "something PRIVACYCOM". The "something" comes from the vendor, it's not the nickname of the card. You can change this by going to YourName / Account / Private Payments.

My referral code for anyone who wants to create an account.

Free account works fine. If you want 1% cash-back cards, you have to have a $10/month account.

From someone on reddit about Privacy.com 7/2018:
Don't make multiple cards for same merchant, probably best to use same card for eBay and PayPal; there is an unstated daily spending limit as well as the stated monthly limit.

From someone on reddit about Blur 7/2019, in response to "looking for a virtual card provider in UK/EU":
Don't. I have Blur and they're terrible for privacy. In the UK they don't have virtual cards at all, the only option they give you is the ability to have a masked email. They also (as of about a month ago) have removed masked numbers.

On top of that they were involved in a security breach that they still haven't acknowledged or issued a statement surrounding (to the best of my knowledge).

Prepaid (debit) cards:
Such a card or card number has to have money deposited into it ahead of time; you have to maintain a positive balance in the account. Any transactions you do are paid from that balance. If you have multiple cards or card numbers, maybe each one has a separate balance ? Not sure.

You can get a physical card, so not just for online use. But refunds may get complicated. Any balance you load into the card might not be protected by banking laws, certainly not at the $50 limit of protection on a credit card.

From someone on reddit 2/2018:
Any card sold in the USA that is "reloadable" in some way must have a real SSN with matching name and Date of Birth on file. The only exception is the cards that are only loadable once and after the funds are gone, it is useless. ... You know that little folded-up piece of paper that folds out to about a legal-size sheet of paper with fine print on it? It is all in there. It also lets you know that the card can only be used within the USA and not outside of it. This includes online merchants and many online merchants in general are starting to block those cards regardless.

Pre-paid cards often have a web site you can use to track the purchases and remaining balance. All you need to access that info is the data printed on the card itself. So be wary of buying a card from somewhere sketchy, or using a card you received in the mail: someone could have copied that login information, and will use it to track you. Buy cards only from mainstream, reputable stores.

Rules and fees vary greatly from company to company. Some allow only citizens or residents of certain countries. Some are accepted only by merchants in a specific country. Some have an annual fee per card, or a fee per transaction, or charge a percentage of the money you load into a card. Check to see how unused balances are handled; can you transfer money among cards, or get a refund, or do you just lose the unused money ? There seems to be a lot of turnover in this industry; what happens if your card-company stops offering cards or goes out of business ?

Netspend
Zahra's "Best Virtual and Prepaid Cards for International Shoppers"
Gunjan's article (with misleading title)
Nick Beeny's article (with slightly misleading title)

Skrill
ecoPayz
ePayService


Photo ID card:
Official government ID that doesn't give away your address: passport, or US passport card (available for $55 when you renew your passport).

Some people carry a fake ID, to show to businesses that demand photo ID. I think it's legal as long as it's not a fake of a government ID, and you're not committing fraud. A fake corporate employee ID card from a fake corporation, maybe. Maybe add this fake person as an authorized user to your real credit card ?

Maybe in the future we'll get "decoy" tools or services: something that posts fake info online to make it harder for others to figure out your true info. Fake pictures of you, fake address, fake postings, etc.



Maybe use login/password info from elsewhere, instead of using your own:




Use "blockers":

Blockers usually prevent: tracking scripts/images, ads that clutter your page, malware that might come in via ads/scripts/downloads, ads/images/scripts that would reduce performance.

Some of these scripts can be very dangerous, even doing key-logging (AKA "session recording") while you use the web page (article).

Several ways to do this:
+/-
  • Browser settings / functionality

    This may include pop-up blocking, safe-domain checking, dangerous download blocking, tracker-blocking, Containers, camera/microphone permissions, cookie blocking or deletion. [I don't block cookies, but I have the browser delete all of them when it closes. And I use Containers to keep sites from seeing cookies from other sites.]

    Dave Camp's "Firefox Now Available with Enhanced Tracking Protection ..."


  • Browser extensions / plug-ins / add-ons

    The must-have extension is: uBlock Origin (get inside your browser, or from uBlock - installation ?)
    Important: use it to turn off JavaScript on sites that can tolerate that.

    Also worth having:
    Behave!
    CanvasBlocker
    Location Guard
    Privacy Badger


  • Filtering in DNS or VPN.

    Advantage: affects all browsers and all applications, from one place.
    Cloudflare's "Introducing 1.1.1.1 for Families"


  • Hosts file modifications.

    Advantage: affects all browsers and all applications, from one place.
    HostsMan
    hBlock
    StevenBlack / hosts


  • In your network router.

    Advantages: Affects all devices and all browsers and all applications, from one place. New or guest devices get protected automatically. Protects devices which don't allow installation of a blocker on them (smart TV, game console, some phones). No changes needed on your device (such as rooting a smartphone).

    Disadvantages: If you take your phone/laptop to another network, all of the blocking is gone. Many routers may not support blocking. If a web site ceases to function because of the blocking, you have to administer the router to allow ads/scripts on that site, affecting everyone.

    Rob Turner's "Install and Configure pfBlockerNg for DNS Black Listing in pfSense Firewall"


  • In a device between your ISP's modem and your network router.

    Advantages: Affects all devices and all browsers and all applications, from one place. New or guest devices get protected automatically. Protects devices which don't allow installation of a blocker on them (smart TV, game console, some phones). No changes needed on your device (such as rooting a smartphone).

    Disadvantages: If you take your phone/laptop to another network, all of the blocking is gone. Another hardware device to buy and install and maintain. Won't work if your ISP supplies a single integrated modem/router device, unless you buy a second router and bridge to it. If a web site ceases to function because of the blocking, you have to administer the device to allow ads/scripts on that site, affecting everyone.

    "Pi-hole setup guide: Ad-free better internet in 15 minutes"
    LabZilla's "Your Smart TV is probably ignoring your Pi-hole"
    "Pi-hole is effective only when paired with NAT rules on your router to capture all DNS lookups."


  • For Android smartphone:

    Non-rooted: AdGuard, Netguard, Dns66, AdClear, Block This, Cygery AdSkip.
    Rooted: AdAway, MinMinGuard Xposed.


  • General OS controls.

    Spybot Anti-Beacon (prevents Windows sending info to Microsoft)
    Martin Brinkmann's "Block all outbound traffic in Windows Firewall"
    O&O ShutUp10 (helps you manage Windows 10 privacy-related settings)
    For Windows 10, some info in Wallace Chu's "Should You Disable Windows 10 Telemetry?"
    In Windows 10, also see "Diagnostic Settings", I think.
    For Mac: Little Snitch (limits outbound traffic)
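A hosts file maps names to addresses, so a downloaded blocklist could redirect a domain as well as block it. The audit below is an added example (not from the original page or from any of the projects listed) that checks a hosts-format list before you install it; the sample list and the `audit_hosts` name are constructed for illustration.

```python
import ipaddress

# Names a normal hosts file maps to loopback/broadcast; not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

def audit_hosts(text):
    """Split a hosts-format blocklist into blocked names, redirects, bad lines.

    blocked:   names mapped to an unspecified or loopback address (a sinkhole)
    redirects: (line number, name, address) for names mapped anywhere else
    malformed: (line number, text) for lines that are not "address name..."
    """
    blocked, redirects, malformed = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:                      # a bare domain or bare address
            malformed.append((lineno, line))
            continue
        names = [n.lower().rstrip(".") for n in fields[1:]]
        names = [n for n in names if n not in LOCAL_NAMES]
        if not names:                            # e.g. "127.0.0.1 localhost"
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))
            continue
        sinkhole = addr.is_unspecified or addr.is_loopback
        for name in names:
            if sinkhole:
                blocked.add(name)
            else:
                # A real address means traffic for this name is sent there.
                redirects.append((lineno, name, str(addr)))
    return blocked, redirects, malformed

# Constructed sample; the addresses are from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 ads.example.com tracker.example.net   # two names on one line
0.0.0.0 Metrics.Example.org
203.0.113.50 bank.example.com
ads.example.org
"""

if __name__ == "__main__":
    blocked, redirects, malformed = audit_hosts(SAMPLE_HOSTS)
    print("blocked:", sorted(blocked))
    print("redirects to review:", redirects)
    print("malformed lines:", malformed)
```

Any entry reported under redirects deserves a manual look before the list goes into your hosts file.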



Many sites will stop working properly if you block scripts, some will refuse to work if ads are blocked, and some sites will not work even if you whitelist them in the blockers. You'll have to keep a "clean" copy of a browser (or browser profile) to use on those sites, and keep track of which sites require that special treatment.

Side-effects of using too many privacy controls:
  • Increased chance of bugs.
  • Slower performance.
  • Increased attack surface (mainly in browser).
  • More things to keep updated.
  • More things to turn off if you really need to use some web site (such as your bank's site) that refuses to run without JavaScript or cross-domain access or ads or something.

Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"
Mozilla Blog's "Make your Firefox browser a privacy superpower with these extensions"
Kingpin's "How to disable WebRTC ..."



Set the "do not track" option in your browser to (maybe) stop "ad tracking":

+/-
In Firefox, it's: Preferences - Privacy & Security - Content Blocking - Send websites a "Do Not Track" signal ...

But: Jon Brodkin's "Yahoo is the latest company ignoring Web users' requests for privacy"

One form of tracking is a "super-cookie": your ISP remembers what domains your IP address accesses, and maybe remembers some useful data (a unique ID number identifying you) for each site, and sells that data to sites and advertisers. The only way to stop that is to use a VPN (and also not use the ISP's DNS).



Reduce "browser fingerprinting":

+/-
When you use a browser to fetch a web page, the browser sends a "user agent" string that may say something like "Firefox 54.0 on Windows 10". Same happens when a game console or media player application etc accesses the web. See WhoIsHostingThis's "What's My User Agent?". Other information is sent: an "accept header" saying what types of media can be returned, your preferred language(s).

Then after the page is retrieved, JavaScript code in the page can access your browser and determine more details about your configuration, such as your time-zone, your screen size, (with some effort, maybe using Canvas) what fonts are installed in your system, your browser's default language, your history in the current tab. On Chrome, I think the code can get the full list of extensions.

Your ISP may add more information, such as your postal code or approximate lat/long.

All of this information can be used to form a "browser fingerprint" that may be unique to you, or close to unique.
Am I Unique?'s "What is browser fingerprinting?"
Lance Cottrell's "Browser fingerprints, and why they are so hard to erase"
Mozilla Wiki's "Fingerprinting"

This fingerprint can be used to track you, even across multiple web sites, even if you turn off cookies, change IP address, use a VPN, etc.

Some things a web page, JavaScript, or web server cannot read, without special cooperation from a browser extension or some other unusual addition: your Wi-Fi network name (SSID), your MAC address, the list of extensions/plug-ins/add-ons in your browser (although it may be possible to check for specific extensions: article, and maybe Chrome gives away extension info), your phone's IMEI number, your phone SIM's IMSI number, your phone number.

Testing your fingerprint:
EFF's "Cover Your Tracks"
EFF's "Is your browser safe against tracking?"
BrowserLeaks.com
Device Info
Am I Unique ?
Privacy.net's "Privacy Analyzer"
BrowserAudit
Detect my Browser
And see my Testing Your Security and Privacy page.

Key ways to avoid fingerprinting:
+/-
  • Use an ad-blocker.
    uBlock Origin
    Plus any ad-blocking features in your VPN or LAN/router.
    And test it: AdBlock Tester
  • Turn off JavaScript.
    NoScript
    But this will break some sites (mostly some banks and govt sites), even if you whitelist them. Sometimes I have to switch to a different browser that does not have NoScript installed.
  • Minimize the number of browser add-ons you use.
  • Use a common browser and keep it updated.
  • Install multiple different browsers on your system, and use each for a different set of web sites.
  • Set the "do not track" option in your browser to (maybe) stop "ad tracking".
  • Set browser so it doesn't save usernames and passwords; verify using demo linked at Gunes Acar's "Web trackers exploit browser login managers".
  • New features coming in Firefox, from Tor: set privacy.resistFingerprinting to true.
  • Fake or random user-agent string.
    Matthew Muller's "How to Change User Agents in Chrome, Firefox and Edge Browsers"
    In Kubuntu 20.10: System Settings / Network / Settings / Browser Identification ? But doesn't affect browsers.
  • Fake or disabled Canvas fingerprint.
    CanvasBlocker
    Canvas Defender
  • Fake or disabled WebGL fingerprint.
    CanvasBlocker
  • Fake or disabled WebRTC.
    CanvasBlocker ?
    Or in Firefox about:config, set "media.peerconnection.enabled" to false ?
  • Control system font list returned by browser ?
    In Firefox about:config, create a new string "font.system.whitelist" and set value to something like "Helvetica, Courier, Verdana". But for me, this made my fingerprint a lot worse.
    Daniel Aleksandersen's "Fluxfonts"
  • Control installed plug-in list returned by browser.
    In Firefox about:config, set "plugins.enumerable_names" to empty.
Septimiu-Vlad Mocan's "Browser Fingerprinting and You"
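The sketch below is an added example (not from the original page) of why a fingerprint built from browser attributes survives deleting cookies or changing IP address, and why an unusual setting such as a custom font whitelist can shrink the group of browsers you blend into. The attribute names, values and the eight-browser population are constructed for illustration, and the per-attribute bits treat attributes as independent.

```python
import hashlib
import math

# Attributes a site can read from request headers and page JavaScript
# (key names are illustrative, chosen for this example).
FINGERPRINT_KEYS = ("user_agent", "accept_language", "timezone", "screen", "fonts")

def fingerprint(visit):
    """Stable identifier from browser attributes only; cookie and IP are ignored."""
    canonical = "\n".join(f"{key}={visit.get(key, '')}" for key in FINGERPRINT_KEYS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]

def anonymity_set(visit, population):
    """How many browsers in the population share this exact fingerprint."""
    target = fingerprint(visit)
    return sum(1 for other in population if fingerprint(other) == target)

def identifying_bits(visit, population):
    """Per attribute: log2(population / browsers with the same value).

    0 bits means everyone shares the value; higher means rarer, so more
    identifying. A value nobody else has seen is reported as infinity.
    """
    bits = {}
    for key in FINGERPRINT_KEYS:
        same = sum(1 for other in population if other.get(key) == visit.get(key))
        bits[key] = math.log2(len(population) / same) if same else float("inf")
    return bits

# Constructed population of eight browsers seen by one tracker.
COMMON = {
    "user_agent": "Firefox on Windows 10",
    "accept_language": "en-US",
    "timezone": "UTC-5",
    "screen": "1920x1080",
    "fonts": "windows-default",
}
POPULATION = (
    [dict(COMMON) for _ in range(4)]
    + [dict(COMMON, user_agent="Chrome on Windows 10") for _ in range(2)]
    + [dict(COMMON, user_agent="Firefox on Linux", fonts="linux-default")]
    + [dict(COMMON, fonts="Helvetica, Courier, Verdana")]
)

# Same browser seen twice: once from home with a cookie, once via VPN without.
HOME_VISIT = dict(COMMON, ip="203.0.113.7", cookie="session-abc")
VPN_VISIT = dict(COMMON, ip="198.51.100.9", cookie=None)
# Same browser after restricting the font list to an uncommon set.
WHITELIST_VISIT = dict(COMMON, fonts="Helvetica, Courier, Verdana")

if __name__ == "__main__":
    print("home:", fingerprint(HOME_VISIT), "vpn:", fingerprint(VPN_VISIT))
    print("anonymity set, default fonts:", anonymity_set(HOME_VISIT, POPULATION))
    print("anonymity set, font whitelist:", anonymity_set(WHITELIST_VISIT, POPULATION))
    print("bits per attribute:", identifying_bits(WHITELIST_VISIT, POPULATION))
```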



Minimize the number of things you use:

+/-
Do you really need to use:
  • Each add-on you have installed in your browser ?
  • Each app you have installed on your phone ?
  • Each app you have installed on your computer ?
  • Each app you have allowed to access your Facebook account ?
  • Each app you have allowed to access your email account ?
  • Each social media site you use ?
Every one of these is a potential point of failure: something that could be stealing and selling your data, or that could accidentally have a security vulnerability.



Reduce "behavior fingerprinting":

+/-
If you always do the same set of operations in the same order each day, someone who can see all that activity can "fingerprint" you, maybe tying your identity to an IP address.

For example, suppose every morning you go to web sites of NPR, NYTimes, BBC, USAToday, LATimes, your local newspaper. Always in that order. You may be the ONLY person who does that every day. Someone who has code on all those sites (Google or Facebook or Amazon, maybe), or sees all that traffic (your ISP or VPN company or ad-blocking service or DNS), could see the pattern and determine your IP address and identity and track you.

Same is true of any automated application you start up each morning. Your email client, or feed-reader, maybe ? Any script you run that accesses a number of web sites ?
Daniel Aleksandersen's "Feed readers can be uniquely fingerprinted"



Use the privacy controls in the ISP and social networks and sites you use:

+/-
The default settings are chosen to benefit the company, not you.

Very important: Log on to the web site for your ISP and find any privacy settings they have for your account.

Facebook lets you control the access that Apps and external sites get to your data: go to Account - Privacy Settings - Apps and Websites - Edit your settings.
Melanie Pinola's "The 'Nuclear' Option for Total Facebook App Privacy"

Turn off your Google search history: myactivity.google. Also Rick Rouse's "How to prevent Google from storing your search history and tracking your online activities"

YouTube: profile - Video Manager - History - Clear All Viewing History, and then History - Pause Viewing History, and then Search History and do the same clear-and-pause.

Windows 10 activity history

See and turn off data aggregating by BlueKai: BlueKai optout

Handy central places to start:
MyPermissions

Instead of Google Search, use a service that promises not to track you:
DuckDuckGo (or DuckDuckGo non-JavaScript)
searx

Privacy settings in Firefox browser:
Privacy Settings add-on

Michael Franco's "How to Reclaim Your Digital Privacy From Online Tracking"

Apparently, "opting out" via NAI stops targeted ads, but does not stop companies from tracking your activities.



Delete most cookies every now and then:

+/-
This does two things: gets rid of tracking cookies, and means that if someone sits down at your computer and opens a site they won't automatically be logged in to that site.

BleachBit
CCleaner

Or delete all cookies every time you close the browser:
Ian Paul's "How to automatically delete your cookies every time you close your browser"
Chris Hoffman's "How to Automatically Clear Private Data When You Close Your Browser"
But if you do this, you'll probably want to be using a password manager, because you'll be logging in to sites a lot.

Or use extension Cookie AutoDelete to delete most cookies but save some of them.



Don't always use the same IP address, or hide your IP address via a proxy or VPN:

+/-
addresses

Changing IP address periodically:
+/-
If you're connecting through a home Wi-Fi and cable router/modem (and no VPN), you probably can't change your external IP address. The router/modem probably is using one external IP address for all devices on your home network. To test this, open browsers on two devices simultaneously and go to showip.net on both devices. You'll probably see the same (external) IP address for both devices.

Try power-cycling the fiber router/modem, and see if it comes up with a new external IP address. It may not. Try powering it off for longer, such as overnight.

Try contacting your ISP and asking if they can change your IP address. If they ask for a reason, I guess you could say "to increase my privacy, to make it harder for advertisers to track me" ?

If you're connecting some other way, you may have a chance of changing IP address. On Windows, create a CMD file containing "ipconfig /release && ipconfig /renew" and run it as Administrator. Check before and after, using showip.net.

WikiHow's "How to Refresh Your IP Address on a Windows Computer"

See my "Connection Security and Privacy" page for information about VPN, Proxy, Firewall, DNS, and more.

If you're doing illegal things, don't expect a VPN or proxy company and their ISP to shield you if they're served with a court order. They may be forced to log your activity and trace you and give the data to law enforcement.

If you're abusing the VPN itself, such as sending out millions of spam emails through the VPN, don't expect a VPN or proxy company and their ISP to shield you. They may report you to law enforcement, or happily cooperate with law enforcement.



Don't always use the same MAC address:

+/-
The MAC address is associated with your network interface hardware (Ethernet or Wi-Fi chip). Generally it is visible only inside your LAN. But malicious software could send it out to some site. Routers or firewalls that want to block you may do it by deny-listing your MAC address. And if you're often on a public LAN (public Wi-Fi), you may want to change MAC address to avoid tracking.

For Linux:
+/-
It's FOSS's "How to Change MAC Address in Linux"
Chris Hoffman's "How (and Why) to Change Your MAC Address on Windows, Linux, and Mac"
Ubuntu Community Help Wiki's "Anonymizing Network MAC Addresses"

sudo apt install macchanger
# I see little harm in setting it to run automatically, each time a
# network interface is taken down or up.  But it might be confusing
# to have random devices appear and disappear on your LAN.
# So maybe set it to manual mode, then change only the 2nd half of the address.

sudo macchanger -e enp19s0	# keep 1st half (vendor) real, 2nd half new
sudo macchanger -p enp19s0	# change back to original/real address

sudo macchanger -e wlp18s0

# address will revert to original/real address next time you reboot

Also, for Wi-Fi only, you may be able to edit /etc/NetworkManager/NetworkManager.conf to add:
[connection-mac-randomization]
wifi.cloned-mac-address=random
Thomas Haller's "MAC Address Spoofing in NetworkManager 1.4.0"




Stay logged out of Google and Facebook et al, as you browse other sites:

+/-
Or use some kind of "container" feature in your browser to isolate one tab from another:

Containers

+/-
I use Firefox, with the Facebook Container extension, Google Container extension, Firefox Multi-Account Containers extension, and Temporary Containers extension, and I enable the "Container Tabs" option in Preferences / General / Tabs. People have created specific Container extensions for other sites such as reddit, Amazon.

The Help for FMAC says if you use both FMAC and Facebook Containers, don't use FMAC to manage any Facebook-owned sites. I assume that is true for the other site-specific container extensions too.

Some people point out: Container settings don't sync across multiple devices, and add-ons such as uMatrix know nothing about containers.

Seems to be no way to save/export/import settings for Firefox Multi-Account Containers extension. Old instructions no longer work because of recent storage changes in FF.

In Firefox about:config, set privacy.firstparty.isolate and privacy.firstparty.isolate.restrict_opener_access to false. Otherwise Yahoo Mail login doesn't work.

Have to whitelist the FMAC extension in uMatrix.

Containers sometimes screw up the browser history. You're in an uncontained page, you follow a link to a contained page, then the Back button has lost your history (no way to go Back to the uncontained page).

I suspect that making a separate container for PayPal or credit card, or enabling the "open external link in a new container" features of Temporary Containers, will interfere with paying for things online. If you're in an AirBNB container and on the AirBNB site and you want to pay with PayPal, you need the PayPal cookies accessible from the AirBNB container.

I created a Containers import/export extension (Containers settings export import), but it's really limited, all it imports/exports is the container names and icons and colors. IMO the architecture of Containers is badly done. All of the working guts of each container, the mapping to a domain and such, is saved in the local storage of each separate extension such as Multi-Account Containers, Facebook Container, Google Container, etc. So my extension can't really get at those to import/export them.

The Containerise extension is an alternative to the Firefox Multi-Account Containers extension; use one or the other but not both. I couldn't understand Containerise and get it to work for me. Also it has a far smaller user base. And as of 9/2019 the main dev is mulling a total rewrite of it.

Test via BrowserLeaks.com / Social Media Login Detection.

Or use separate browsers or separate instances for multiple sites.

Whitson Gordon's "Watch Age Restricted YouTube Videos Without Signing In"



Don't use everything from one company:

+/-
If you use Google Apps, Google Docs, Google Sites, Siri, Google Translate, Chrome browser, GMail, Google search, Google Maps, YouTube, and Google Drive, and don't block Google Ads and Google Analytics, then of course Google is going to know a lot about you.

Instead, compartmentalize it: some file-sharing service, ProtonMail or other email, some web hosting service, Firefox browser, DuckDuckGo search, use blockers, etc. Use Google only where you have to.



Delete your accounts on various services:

+/-
Often they make it hard to find out how to do that.

justdelete.me
AccountKiller
Deseat.me

Some people say: instead of just deleting an account, first go in and delete as much of your data as you can, and change as much of the rest as you can to fake data (this is called "data poisoning"). Maybe let it sit in that state for a couple of weeks. Then delete your account.

David Nield's "The Complete Guide to Dumping Google"
tycrek / degoogle



Some say: Shun the biggest companies (Google, Apple, Microsoft, Facebook, Amazon, Cloudflare, Akamai):

+/-
I don't agree; I say be aware of the costs and benefits. Sure, maybe it's good to use alternatives when possible.

But there seems to be no good alternative for Microsoft Office (apparently when you go to fancy features, or need exact compatibility with MS Office, LibreOffice doesn't quite cut it). There may be no good alternative for Facebook (80% of my friends and family are on there, and the Groups contain a wealth of knowledge and helpful people).

For Android phone operating system, there are good alternatives (such as LineageOS), but installing them is not for the faint of heart. For e-readers, there are decent alternatives to the Amazon Kindle. For desktop/laptop OS, Linux is a viable alternative to Windows and Mac.

Some people say: before deleting your social-media account (on Facebook, reddit, etc), "poison" it by adding false data, deleting or editing posts and comments, Liking lots of spurious stuff, etc. And let it sit that way for a couple of weeks before deleting the account. I don't agree. Editing your profile is fine. But deleting or editing existing posts and comments will damage the work of other people, those who responded to your post or had a conversation stimulated by your post. Doing lots of spurious posts or comments or Likes will flood your Friends with nonsense. Just edit your profile, let it sit, then delete your account.

Kashmir Hill's "I Tried to Block Amazon From My Life. It Was Impossible."
Kashmir Hill's "I Cut Facebook Out of My Life. Surprisingly, I Missed It"
Kashmir Hill's "I Cut Google Out Of My Life. It Screwed Up Everything"
Kashmir Hill's "I Cut Microsoft Out of My Life - or So I Thought"
Kashmir Hill's "I Cut Apple Out of My Life. It Was Devastating"
Kashmir Hill's "I Cut the 'Big Five' Tech Giants From My Life. It Was Hell"
Daniel Oberhaus's "How I Quit Apple, Microsoft, Google, Facebook, and Amazon"
Mike Felch's "How to Purge Google and Start Over - Part 2"
tycrek / degoogle

switching.social (ethical alternatives)



Deleting browser history really does nothing for your privacy:


Deleting browser history only helps if someone steals your computer and looks at your history.
Bracelet



Anything you store on a server may reduce your privacy:

+/-
Your contact list in email, buddy list on instant messaging, Friends list on Facebook, etc. Any emails in your Inbox, or saved long-term in a "folder" within your email service.

Okay, email or IM or Facebook won't function without those contact lists. But maybe you shouldn't use your email as a data store. And maybe you shouldn't keep anything except name and email/IM address or phone number in each Contact entry. Store postal addresses and anything else in some private contact manager.



Cloud services for backup or storage:

+/-
  • For generic storage services (that look like a disk drive), encrypt the data yourself locally before sending it to the cloud. Hold the keys yourself. The service may add another layer of encryption, but they have the keys to that layer.

  • For backup services (where you run their backup app locally), keep your data on disk in an encrypted container (e.g. a VeraCrypt or LUKS container), so that what the service backs up already is encrypted. The service may add another layer of encryption, but they have the keys to that layer.

  • If you're using a generic storage service (that looks like a disk drive), but then running someone else's backup app locally, check that the backup app is encrypting the data, and save any recovery keys. Since the storage service and the app are from separate vendors, the storage service will not have the encryption keys.

  • For specific services such as iCloud or Google's cloud, you really have to just rely on the service's encryption. The ability to constantly back up or sync your Contacts and photos and app settings etc really prevents you from inserting your own encryption layer into the process. An advantage is that when you replace your phone, you just press one button and everything is restored from the cloud to the new phone, which is massively convenient.

For any service, read the TOS and check the account settings.

Note that a "sync" feature is not a backup. If something is deleted or corrupted on one end of it, that thing will be deleted or corrupted on the other end too. Similar if you're directly using a cloud drive: if you delete a file from it, that file is gone, probably you can't recover it, you don't have a separate copy on your hard disk.



Using someone else's device:

+/-
You have few rights to anything you store on or do with your employer's or school's computers or phones or networks. And you don't know how many administrators have access to the data, what cloud place the data may be copied to, or what other companies the data may be shared with. Don't use them for private things.

You don't know what software or viruses may be installed on a computer you use at a library, in an internet cafe, at work, at school, or at a friend's house. There may be a keylogger, a clipboard-scraper, some browser plug-in that harvests data from webmail, something that logs all your internet traffic, something that copies any USB drive you plug in, ransomware, viruses, etc. Be very reluctant to use your password manager or email or other accounts on such a machine. Two-factor authentication on logins can reduce some of the threat.

If you have to stick a USB drive into such a machine, for example to print a document on their printer, treat the drive as infected from then on. And have as few documents as possible on the drive to begin with; all of them may get infected, or encrypted by ransomware. Have backups of those documents.

Kashmir Hill's "How To Tell If Your Boss Is Spying On You"
David Nield's "How to Find Spyware Your Employer Installed on Your Computer and What to Do About It"



Letting someone else onto your network:

+/-
Your friend comes over to your place, and asks for the Wi-Fi password to connect their phone to your LAN.

You have no idea what malware is on their device, or who else they may give that password to, or what traffic they may send through your internet connection. Suppose malware on their device starts spamming people on the internet, and your ISP shuts down your service ? Suppose your internet has a monthly data-cap, and their device starts torrenting or something ?

It would be best to have a "guest" network defined in your router, but I think few ISP-supplied routers support that.



There are more-aggressive things you can do:

+/-
But you may judge the cost/inconvenience to be too high for the benefit. (And some of them require your friends to use the same applications, or adapt to your behavior.)


Easier:
+/-
  • Encryption everywhere (all external and flash drives, internal drives, etc).
  • Tor browser
  • Multiple user accounts on your computer: one for critical personal stuff, another for general browsing, another for work stuff, etc.
  • Two computers (one secure and other not; EFF's "Keeping Your Data Safe"). But that other computer will have to be updated sometimes, which means connecting to internet sometimes. I guess have all the critical data encrypted or disconnected when you do that.
  • Pay someone to buy/receive/register things using their info, not yours. Or designate a single family member to do that for everyone in the family. AKA a "nominee".
  • Pay neighbor to let you use their Wi-Fi. Probably violates ISP's TOS.

Harder:
+/-
  • Linux
    Don't have to trust Microsoft or Apple.
    See "Windows User Moving to Linux" section of my Linux page.
    A contrary view, from Artem S. Tashkinov's "Best Linux Distro for the Desktop in 2019":
    If you are a privacy / big brother / surveillance concerned person, you should not use Linux - Linux users are easily identifiable (even when using Tor/VPN) since there are too many things a remote website can learn about you using your web browser. ... If you want to get lost, firstly, use Windows [10] 64 bit (the most common OS, thus not easily distinguishable) and Firefox or Google Chrome without any addons or extensions installed, secondly, use Tor or VPN.
  • Specialized OS:
    +/-
    • Windows 10 Ameliorated

    • A clean-boot OS (such as Tails; needs 8+ GB drive).

    • A security-centric OS (such as Qubes).

    • Build your own installation of Linux (maybe using Gentoo) that has modules removed and parameters set for tighter security.

    • Use a virtual machine inside your real OS (maybe Whonix) and throw away the VM after each session.

      Virtual Machine:
      +/-
      You can run a VM inside your real OS. It will look like a real machine to software, but then when you're finished doing stuff, you end the VM, and anything that happened inside it (including any bad stuff) is deleted.

      But some things I don't understand about this: So you can't bookmark any sites, unless you hop out of the VM and update the browser in your real OS ? If you download a picture or something, you can't get it out to the real machine, it's going to disappear when you shut down the VM ? If you want to copy something from web email to the clipboard, then save it in a file, that file will be in the VM, not the real OS ? If you log in to web email or reddit in the VM, and have a virus in the VM, it could do something nasty to your web email or reddit ? Do you never run a browser in the real OS ? Or you do only lightweight, throwaway browsing in the VM and do "serious" web stuff in the real OS ?

      From someone on reddit:
      VirtualBox has fixes for a lot of these. The clipboard is shared between OS and VM. It's essentially its own computer, so shutting it down keeps its state and everything. There are plugins for shared folders as well. Putting a document in the folder will make it available to both the VM and main OS.

      If you're using it for virus protection then you still need to be cautious. If you're on the VM and a pop-up comes up asking for your log in for a website, you should still not do it.

      The expectation sort of is that if you're technically literate enough to set up a VM, you should know how to avoid viruses, but if you do get ransomware on your machine or something, resetting the VM is much easier than on your main OS.
      From someone else on reddit:
      Note that a few of the "fixes" mentioned reduce the security of the VM. Many viruses can notice that they are being run in a VM by checking if those plugins are installed and act like a normal, legitimate program if they are running in a VM.

      Also, sharing resources (like files) between your real ("host") OS and the VM can put them at risk. If a ransomware runs in a VM where your files show up as a shared drive, those files will be affected too, even if you reset the VM.

      Despite all that, yeah, if you want very good security you can run things in a VM. It has many advantages.

      David Murphy's "How to Set Up a Virtual Machine for Free"


  • Multiple throwaway email accounts (not just deltas off your real email address).
  • Prepaid throwaway phones.
  • Email, messaging, VoIP services, and social networks specifically designed to be more private.
  • I2P.
  • Self-hosting: Run your own email server.
    "Email Services" section of my "Secure Communication" page
  • Self-hosting: Run your own VPN server.
  • Crypto-currency.
  • Secure hardware/system:
    +/-
    Business/govt-oriented systems are expensive, but cheaper consumer alternatives are being developed.



Hardest:
+/-
  • A "don't do anything from home" policy. Turn off phone before you go home, or have a non-home phone you turn off and a home-only phone you turn on. Do internet only from cafes or using someone else's network.
  • Willingness to change/replace everything periodically. Change phone, phone number, cell-provider, credit card, ISP, online accounts (including email and social media), bank, car, job, etc. Wipe and sell computer, buy new one. Move to a new address, or better yet a new country. Change patterns of behavior, interests. Drop friends who are not close.


The Tin Hat's "How Do I Start An Anonymous Blog?"
awesome-selfhosted / awesome-selfhosted

If you do any self-hosting things, what happens to them when you die ? Who else and what else depends on those servers ? What is to be done with them ? See "Electronic Assets" section of my "Legal Stuff" page.

When you get to some high level of OpSec, your behavior is as important as the tools you use. And having the discipline to always follow your rules, never making a mistake, is very hard.
Douglas Goddard's "Technical Anonymity Guide"
The Grugq's "Hacker's Guide to Stay out of Jail"
AnonymousPlanet's "The Hitchhiker's Guide to Online Anonymity"



Your friends, relatives, coworkers are a threat to your privacy:

They may post about you on social networks, put pictures of you online, mention you in emails. They may widely repost something that you posted to a small audience.

Your family may submit their DNA (which is partly your DNA) to testing services. Their family medical history is your family medical history.

Push back, calmly, if they post something you wish they wouldn't.

Don't give them information that you don't want them to put in Contacts lists in email or phone.



Know your legal rights:

You can say "no" if police ask to enter your house or search your phone or computer or car. Don't give in to the temptation to be friendly or helpful; politely say "no".

Remember that if you give police permission to enter/search your home/car/computer/phone, that thing may contain private possessions/data of your family/friends, not just your stuff.



There is no such thing as total privacy, or perfect security:

If the government or a spy agency or law enforcement really wants to get your data, they can get it. The software we use is extremely large and complex and has lots of bugs and vulnerabilities. If an agency seizes all your devices and really digs into them, they'll probably get your data. Do your best to protect yourself, but be realistic about the limits.

If you see a claim that a tool or technique will give you "100% security" or "make you disappear online", or something is unhackable or "impossible to crack", assume that's false.



Brian Lovin's "Security Checklist"
Watch Your Hack
privacytools.io
Paul Bischoff's "75+ free tools to protect your privacy online"
Fried's "The Ultimate Guide to Online Privacy"
Karegohan-And-Kamehameha's "privacyguide"
Noah Kelley's "A DIY Guide to Feminist Cybersecurity"
CISA's "Tips"
Sarah Jeong's "The Motherboard Guide to Avoiding State Surveillance"
"The Motherboard Guide to Not Getting Hacked"
PRISM Break
For Linux, mainly: "The paranoid #! Security Guide"
Do Son's "Destroy-Windows-10-Spying: Destroy Windows Spying tool"
Do Son's "Hardentools: disables a number of risky Windows features"
xkcd's "Security"



See "Security and Privacy" section of my "Smartphone" page



Facebook:

Facebook is a special case, because they know so much about you, and they have code on many other web sites, and they sell login services to many sites, and they buy data about you from other services.

Just for info: Facebook actually doesn't "sell your data". I think they provide two main targeting mechanisms to advertisers:
  • Advertiser says "I want to display ad X to people who have Liked FB page X, or joined FB group Y, or used web site Z, and/or Friends of those people."

  • Advertiser says "I want to display ad X to people who are age 25-34, female, religious, in ZIP code 12345, and FB thinks are parents of young children."
Facebook takes that ad from the advertiser, figures out the right FB users to show it to, and shows it to them. Data about individual users is never shown to the advertiser.

Article

  • On phones, the Facebook app requires a huge set of permissions, and certainly harvests your Contacts list. Use m.facebook.com or mbasic.facebook.com through a browser instead of installing the Facebook app (or, some people say use apps Tinfoil for Facebook or FaceSlim).

  • Don't fill in all of those "profile" fields. Or put in fake data. Why tell Facebook where you've worked, where you went to school, who your family members are ?

  • Don't post really private things about yourself, and be even more careful about what you post about your family and friends.

  • In the browser, use blockers such as Disconnect for Facebook or Facebook Container. Or in uBlock Origin, add and activate "Fanboy's Social Blocking list".


  • Do NOT use Facebook login (or Google, or Apple, or Microsoft) as your login to lots of other web sites. Not only does it let your activity get shared to Facebook (or etc), but if Facebook (or etc) ever deactivates your account for some reason, you've lost access to those other sites too.

  • Maybe have multiple people (your whole family, or half a dozen of your friends) share one account.

  • Maybe you could have multiple accounts, and use a different account every day.

Check what activity other sites have reported to Facebook: Facebook's "Off-Facebook Activity"

Vicki Boykis' "What should you think about when using Facebook?"
Paul Bischoff's "How to stop Facebook from tracking you on sites that aren't Facebook"
Emily Price's "See if You're Using These Popular Android Apps That Overshare Info to Facebook"



Apple:
iOS, The Future Of macOS, Freedom, Security And Privacy In An Increasingly Hostile Global Environment



Minimizing knowledge and connections:

  • You want to minimize the knowledge that any particular company has about you.

    A "zero-knowledge" company would:
    • Not require your real name.
    • Not require your real phone number.
    • Not require your email address.
    • Not log any information about your activities.
    • Use end-to-end encryption, so the company itself can't read your data.
      Telegra.ph's "On end-to-end encryption"
      A test: if the company can reset your password and then you still have access to data saved using the old password, they can read your data.
    • Accept payment in cash or gift card or something.
    • Not know your home IP address.


  • You want to break connections between different pieces of your data.

    Some ways to break connections:
    • Pay for things with cash, so your name and credit card don't get attached to those things. Or (online) use PayPal, which gives less info to the merchant than using a credit card gives.
    • Use multiple, virtual credit-card numbers, so vendors don't know N different transactions are all from your single real credit-card, and can't tie them to your real credit-record, and so a stolen number can be disabled easily.
    • Use multiple, virtual phone numbers, so vendors can't tie them to your real phone account data, and so a number that is sold can be disabled easily.
    • Use multiple, virtual email addresses, so vendors don't know N different accounts are for a single person (you), and can't tie them to your real data, and so an address that is sold can be disabled easily.
    • On sites that allow it, use a unique login name, not your email address or real name, so if a login database at one company is stolen and decrypted, the login information won't work on other sites you use.
    • Use a unique virtual email address for each site, so if a login database at one company is stolen and decrypted, the email address won't work to login on other sites you use.
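
The password-reset test from the "zero-knowledge" list above, worked through as an added example (not code from this page's author or from any provider). The two service classes, the PBKDF2 settings and the HMAC-based cipher are assumptions made for the demo; a real service would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 50_000  # constructed demo value


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256. 'purpose' keeps the login value and data key distinct."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, ITERATIONS)


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC built from HMAC; a demo stand-in for a real AEAD."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class ServerKeyService:
    """Hypothetical provider that generates and keeps the data key itself.
    The password only gates login, so the provider can always decrypt."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.data_key: Optional[bytes] = os.urandom(32)  # lives on the provider's servers
        self.login_value = b""
        self.blob = b""

    def register(self, password: str) -> None:
        self.login_value = derive(password, self.salt, b"login")

    def _login_ok(self, password: str) -> bool:
        return hmac.compare_digest(self.login_value, derive(password, self.salt, b"login"))

    def store(self, password: str, plaintext: bytes) -> None:
        if self._login_ok(password):
            self.blob = seal(self.data_key, plaintext)

    def fetch(self, password: str) -> Optional[bytes]:
        if not self._login_ok(password):
            return None
        return open_sealed(self.data_key, self.blob)

    def support_reset(self, new_password: str) -> None:
        """Provider-side reset: no knowledge of the old password is needed."""
        self.login_value = derive(new_password, self.salt, b"login")


class ClientKeyService(ServerKeyService):
    """Hypothetical end-to-end provider: it stores salt, login value and
    ciphertext only. The data key is derived from the password on the
    user's device and never uploaded."""

    def __init__(self) -> None:
        super().__init__()
        self.data_key = None  # the provider holds no decryption key

    def store(self, password: str, plaintext: bytes) -> None:
        if self._login_ok(password):
            self.blob = seal(derive(password, self.salt, b"data"), plaintext)

    def fetch(self, password: str) -> Optional[bytes]:
        if not self._login_ok(password):
            return None
        return open_sealed(derive(password, self.salt, b"data"), self.blob)


def password_reset_test(service: ServerKeyService) -> bool:
    """The page's test. True means the provider is able to read your data."""
    secret = b"constructed sample document"
    service.register("old-passphrase")
    service.store("old-passphrase", secret)
    service.support_reset("new-passphrase")
    return service.fetch("new-passphrase") == secret


if __name__ == "__main__":
    print("server-held key, readable after reset:", password_reset_test(ServerKeyService()))
    print("client-derived key, readable after reset:", password_reset_test(ClientKeyService()))
```

With the client-derived key, the reset leaves the old ciphertext unreadable under the new password, which is the cost of the provider not being able to read it either.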


Yegor S's "How to (actually) be anonymous online"



Reporting violations:

Suppose some software (app, browser add-on, application, web site) doesn't have a privacy policy, or has a policy that breaks the law, or has no way to request closing your account or deleting your data.




A confession:

My wife still uses Windows 10, no password manager, no VPN.

The reason is that changing each of those imposes some cost, either in terms of requiring fiddling by the user, or in terms of things that may not work. Moving to Linux would make PDF files and MS Office files not quite work in some situations. The password manager I use, KeePassXC, uses a bunch of key-combinations you should memorize to use it quickly. Script-blockers and VPN sometimes make some sites fail.

So I feel unable to convert my wife's situation to have better security and privacy. She does have 2FA on a number of accounts.





Anticipate problems



Think ahead:

Maintain a secondary email account, on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary. [Same for other things in your life: second bank account with ATM card, second credit card, etc.]

What happens if your laptop display suddenly fails, and you need to send it out for repair ? Is any important info on disk encrypted ? Or can you remove the disk entirely before sending the laptop to the shop ? Also, for repairs, make it clear to the repair shop whether wiping all the data is okay. Smartphones often are "repaired" by completely replacing the entire guts of the device, so you lose all data.

What happens if your phone suddenly fails or is stolen ? How would people contact you ? Would any accounts with two-factor authentication be disabled ?

If your laptop or phone is absolutely critical to you, can't be without it for more than a few hours, maybe you should have a synced-up hot spare waiting, ready to use. Same for your internet router and modem on your LAN.

What happens if your wallet or purse is stolen ? Do you have the info needed to notify your credit-card company, your bank, etc ? Do you have any papers in there with login details or PINs written down ? If your housekeys are lost/stolen, do they have your house address written on them ? It's safest to put your email address on physical things (keys, outside of phone and laptop, wallet, etc) so police or finder could contact you to return them. Put your email address on the lock screen of your phone, for same reason.

What happens if the police come and confiscate ALL your devices to investigate something ?
Christian Haschek's "That (not so) awesome time the police raided my home"

Is there any one thing you have where you can say "geez, if I ever lost that I'd be TOTALLY screwed" ? Then figure out a way to back up that thing, or reduce your reliance on that thing.



Account-recovery info:

Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email from laptop or internet cafe (seems not to happen when accessed from phone), you get "hey, we see a login attempt from a new country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.

Something similar can happen if someone tries to brute-force their way into your cloud or email account. The provider won't let them log in, but may turn off account access for everyone (including you) until you provide extra verification. Better hope you have that info.

Something similar can happen if someone wants to disable your email account to hide a scam. Suppose they get your Amazon credentials somehow, order something, then do a bunch of bad login attempts to your email account, to get your email account locked, so you can't see the Amazon order confirmation message.



See "Don't just keep your data online" section of my "Backups" page.



See "Backups to the cloud" section of my "Backups" page.



And of course back up your local data, and non-digital data, not just your cloud data.
My "Backups" page

Rick Rouse's "Why you need a battery backup device for your computer"

Make rescue disks or recovery disks/drives for your machines / OSs:

The time to do this is while everything still is working, before you have a problem. Make a USB stick or something, test it briefly, then label it and put it in a drawer.

For Linux, see Rescue Disk section of my Using Linux page.

For Windows:

Josh Norem's "How to create a Windows 10 recovery USB drive"
Katie Rapid's "How to Use and Create Windows 10 Recovery USB Disk"
Rick Rouse's "How to create a System Repair Disc and System Image Backup in Windows 10"
Need 16 GB flash stick. One large partition, NTFS, or unformatted. Don't insert stick yet. Go to Control Panel / Security / Create Recovery Disk and follow directions. Takes several hours to write to the flash stick.
Gecko & Fly's "5 Bootable Windows PE ISO To Boot, Recover And Repair Windows"
MajorGeeks' "F-Secure Rescue CD"

Lawrence Abrams' "Microsoft quietly created a Windows 10 File Recovery tool, how to use"



See my "Computer Theft Recovery" page





Miscellaneous



How accounts are hacked:

[From someone on reddit:]
The basic methods of "hacking" accounts are:
  • You forgot to log out.

  • Guess the password. Many people have incredibly simple passwords and guessing can work. Many websites have some kind of measure against repeated guessing (e.g. captchas). I think Facebook's countermeasures are good enough that pure guessing can rarely work on that specific site.

  • Find your password in a list of leaked usernames and passwords. Often when there is a breach of a huge database the list ends up on the Internet and people who want to hack you can search for your name, e-mail and common usernames to see if your password has ever been leaked. If it has they can try that password and it will often work, or sometimes a simple change to your password will work.

  • Guessing your secret questions. Often the answers can be learned from just searching your Facebook or other social media accounts, or at least it can be narrowed down to a small list.

  • Tricking you into entering your username and Facebook on their website. Maybe they send you an e-mail that claims to be from Facebook and gives you a link that looks to be from Facebook where they want you to log in. For example they may say that your account was compromised and that they need you to log in to verify your details. Another common one is that they claim that you've won something, but you just need to log in with your Facebook credentials to verify it.

  • Calling customer support claiming to be you and asking for a password reset saying that you have lost access to your account and e-mail. This is especially useful if they can find a lot of information about you online so it seems like they're really you. Often a lot of what they ask about has already been leaked in another breach. This can sometimes even get around two-factor authorization.




Threats:

[Generally from most likely to least likely:]
  1. Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.)

  2. Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their phone or email Contacts list, which contains your name and email and address and phone number and birthday. They put your info into Amazon or eBay when buying a gift for you. They tag you in Facebook photographs, or mention that you were with them at some wild party.)

  3. Your ex-spouse, former friends who now are enemies, former coworkers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
    Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide")

  4. Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.

  5. Corporations selling your meta-data or data to advertisers.

  6. Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.

  7. Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.

  8. Data criminals and hackers. (Identity thieves, spammers, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or crypto-coin-mining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer:)
    Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
    Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000"


  9. Casual snoops or thieves.
    (Although with snooping software, "casual" capabilities are increasing.)

  10. Companies (recording everyone's activity, such as cell-phone locations and car license plates, and then selling it to police and repo men and bounty-hunters).

  11. Random mass attacks looking for any weak passwords, unpatched systems, etc.

  12. Local law enforcement (recording everyone's activity, such as cell-phone locations and car license plates).

  13. Internet vigilantes or lynch mobs or public shaming.
    (E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)
    Kashmir Hill's "When a Stranger Decides to Destroy Your Life"

  14. Reporters.

  15. Private investigators and lawyers. (They have some access to government databases and powers.)

  16. Law enforcement (specifically targeting you; and local police may pass data or devices up to FBI for analysis).
    Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
    Andy Greenberg's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
    EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"
    ANSSI's "Best Practices For Business Travellers"

  17. Foreign government intelligence agency. (Highest technical ability, but no legal authority.)

  18. Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority and local personnel and access to govt records.)

Sean Gallagher's "How I learned to stop worrying (mostly) and love my threat model"
Wired's "Guide to Digital Security - Choose Your Security Profile"
EFF's "Your Security Plan"

No matter what protection you propose, some people will say "oh, the NSA has cracked that !". First, how do they know ? Second, a counter-measure still may be worth using even if the NSA could crack it; NSA is not the only threat or main threat. Third, just because NSA could crack something, doesn't mean they would spend the resources to crack your messages.

And some people say "trust no one !". Well, I think it is reasonable to trust the CPU chip vendors, and the compiler-writers. I don't see how useful "backdoors" could be built into those things (and I have BS and MS degrees in Computer Science). Trusting the OS vendors is a little more dubious; I guess I trust the basic OS, but maybe not all of the standard apps and services supplied with them. Same for trusting browser vendors.

Of course, if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.

Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems ("6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.

A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
John Shiffman and Kristina Cooke's "U.S. directs agents to cover up program used to investigate Americans"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"



Types of cyber-crime:

  • Old crimes that now have a small cyber connection: tax fraud, social engineering (con games), Nigerian prince, identity theft, propaganda, misinformation, vandalism, harassment.

  • Old crimes that have changed a lot: bank fraud, payment fraud, deep fakes.

  • Totally new crimes: ransomware, DoS, cryptojacking, click fraud.




Costs of counter-measures:

  • Makes system harder to use. (Extra steps to do things, dialogs popping up, more software to install and update, etc.)

  • Inconvenience / more tweaking. (Loading a web page fails. Is it because of settings of uMatrix/uBlock, Privacy Badger, Canvas-blocker, the VPN, the ad-blocker in the VPN, the browser Containers, the anti-virus, the browser settings, site is Chrome-only, site is down, or what ? If one or more things have to be turned off to use that site, have to remember to turn them back on afterward.)

  • Performance penalty. (Encryption takes cycles. Tor and VPNs impose multiple hops.)

  • Worse results. (Such as worse search-engine results if you use something other than Google Search.)

  • Have to get other people to use it, too. (Biggest problem with using encryption on email, or using a social network optimized for privacy.)

  • Can't use some features. (To use Tor browser for best privacy, I think you're advised to disable Flash, JavaScript, ads: Seth Rosenblatt's "NSA tracks Google ads to find Tor users". If you turn off location-tracking on your phone, you lose some features.)

  • Reduced reliability or recoverability. (If your disk is encrypted, and some key sectors go bad, the whole thing may be toast. There are many recovery tools for non-encrypted disks.)

  • Greater dependence on fewer vendors. (If your encryption vendor or encrypted-email service goes bankrupt, what happens ? And if you demand good encryption or privacy above all else, maybe you can't use the most popular and best services.)

  • Money and time costs. (For example, some people say you should run your own DNS, VPN, and email servers, use a custom firewall such as pfSense or Pi-hole. Sounds like a lot of work.)


Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"



Your home:

Jack Morse's "How to blur your house on Google Street View"

If your house has ever been listed on a real-estate site, they may still display the exterior and interior pictures of your house from that time. Companies to check include Redfin, Realtor.com, Zillow, Trulia. Check their sites, and if they have info about your house, send them a request to delete it.
Ilyce Glink and Samuel J. Tamkin's "Do you have the right to have photos of your home removed from realty sites after the sale?"



When living away from home:

If you're staying in a hotel room, AirBNB, or friend's house, and connecting to their network:



General counter-measures:

  • Best to do encryption/decryption at the extreme ends of a transaction, not on short segments in the middle. (But even that can be defeated by a keylogger.)

  • Peer-to-peer architecture better than central-server architecture. (So no one can grab all of your data by going to one place.)

  • Don't put really private or valuable stuff on electronic devices, or on internet. (There is no such thing as total privacy or perfect security.)




How to attack cryptography:

[From hardest to easiest:]
  1. Find a flaw in the mathematics (extremely unlikely).

  2. Find a flaw in the algorithm.

  3. Find a flaw in the crypto software.

  4. Find a flaw in the key-generation.

  5. Brute-force password-guessing.

  6. Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).

  7. Intercept the keys somehow.

  8. Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).

  9. Human problems (password exposed or easily guessed, social engineering, etc).

  10. Legal tools (warrant or subpoena to get encryption keys or tap traffic).




Low-tech solutions:

  • Put tape over cameras when you're not using them, or have the phone camera facing down onto a desktop.

  • Turn off devices when you're not using them. But a phone may be completely off only when the battery is removed. Going away for a week ? Maybe power off your router, to take down your whole LAN.

  • Don't carry your phone with you if you don't need it.

  • Maybe put your phone in a "Faraday bag" (or wrap in four layers of aluminum foil with no gaps), or put it in Airplane mode, when you don't need to receive incoming calls and messages, and don't want the cell company to track you. Test that the bag or wrapping works, maybe by calling the phone from another phone.

  • If you have cards with RFID, maybe put them in RFID-blocking sleeves. Your passport may have RFID, but is supposed to have it blocked when the passport is closed. Test the sleeves to see if they work, by trying to use the card while it's still in the sleeve. But there are different RFID frequencies, so make sure you're buying a sleeve for the right frequency.

  • Use encrypted external drives to store really sensitive data, and unplug them when not using them.

  • If you use encrypted containers such as VeraCrypt, or encrypted drives, dismount them when not using them.

  • Don't put really critical stuff on networked devices if you don't have to.

  • Connect devices through the safest way feasible for your use: USB is best, wired Ethernet less secure, wireless least secure of all.

  • Don't have very sensitive conversations in front of devices with microphones.

  • Pay cash for things when possible.

  • Pay for a PO Box and use that instead of your real home address.
    [But a box at a UPS store may require a lot less ID than a USPS PO Box.
    And a PMB at a mail-forwarding service can be located far from your real address, offer additional services such as scanning, and be more acceptable to banks etc.]

  • Shred any trash that has your name, address, phone number, email address, and/or account number on it.

  • Some people advocate: Don't register to vote, don't have a driver's license, don't own a car, don't donate to political campaigns. [The last item is particularly bad: databases showing contributions are completely open and contain lots of info about you.] [9/2020: Apparently I can buy for $100 (from the govt) a list of all registered voters in my county in NJ. Not sure how much info there is about each voter.]

  • Some people advocate: Don't use tax software or a tax web site such as TurboTax or Taxact, because they get your info. File by paper, or maybe direct free-filing with IRS (if possible). Or use software to create a draft return (with fake personal info), then copy the numbers onto paper and file that.

  • Don't carry a paper "agenda" book full of your appointments, contacts, notes, and username/password information. Guaranteed you will lose it someday, and there is no password protection on it. Same thing with Post-It notes in your wallet or purse or on your desk, giving login details or PINs. Don't do it.




Things that may not increase security and privacy:

  • Trying to remove yourself from people-search sites.

    Seems an enormous amount of effort, and exposing more information, for little gain. Your info is out there; accept that fact.

  • Following news about specific data breaches to see if they affect you.

    If you have an account involved in a breach, probably you'll be notified by the company, or be forced to do a password-reset next time you try to log in.

    Instead, focus on keeping as little info as possible in each account, and don't re-use passwords, and use 2FA.

  • Notices about Privacy policies or Cookie policies on web sites.

    Just having a privacy policy, and telling you about cookies, does nothing. The content of the privacy policy probably says "you have no privacy".

  • Padlock icons and other HTTPS indicators on connections to web sites.

    HTTPS encrypts data in motion between your browser and the web site. It adds protection and privacy against spying or attacks by third parties against that connection and that data in motion. But it says nothing about the trustworthiness of the web site, or what the site does with your data.

  • Private browsing or incognito mode in browser.

    This mostly just prevents your activity from being recorded in the History in your browser, so the next person who sits down at your computer and uses your browser won't see a record of your activity. It does nothing to prevent spying on your activity as it travels across the internet.
    Computer Hope's "How do I set my browser to Incognito or Private mode?"

  • Full-disk encryption.

    This prevents someone from stealing your turned-off computer or phone and reading your disk or SD card. But once you sit down at your computer and enter the password for the encrypted disk, the decrypted contents are available to all of the software on your computer. So a virus or malware could access the data on the disk, send it out over the internet, encrypt it for ransom, etc. If you get up and someone else sits down at your computer, they have full access to your data. I prefer encrypted containers, each of which you have open (decrypted) only when you actually need to use it.

    And sometimes encryption can be defeated by a sophisticated attacker with physical access.
    HDDGuru thread "Forgot WD My Passport password"
    GitHub / reallymine thread "Forgot password of WD My Passport Ultra"
    Iain Thomson's "Western Digital's hard drive encryption is useless. Totally useless"
    Lucian Constantin's "Western Digital encrypted external hard drives have flaws that can expose data"

  • RAID disk.

    There are many forms of RAID, and they have varying effects on effective disk reliability. Probably a mistake to use RAID instead of having good backups. Certainly you still need off-site backups.

  • Using "sync" where you should use "backup".

    Syncing your primary disk to a secondary disk, or syncing a primary disk to the cloud, is not the same as backing up that primary disk. With syncing, if you delete something from the primary or it gets corrupted, the problem will be synced to the other place, and you've lost data.

  • Open-source software.

    Major security bugs have been found in some open-source software after many years of use. It's not enough that the software be open-source; it also has to be examined by experts, not be so complex that it defies understanding, and be maintained/updated/patched by someone. And also you need some way to verify that the source you see matches the binary you are running.

    Jarrod Overson's "Exploiting Developer Infrastructure Is Ridiculously Easy (The open-source ecosystem is broken)"

  • Cleaning or optimizing the Windows registry.

    Don't do it. This is a big gamble, you don't know what will happen, rarely helps.

  • Using crypto-currency.

    The Tin Hat's "Is Bitcoin Actually Private?"
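The difference behind the "sync" versus "backup" item above, as an added example that is not part of the original page: a mirror-style sync next to a small snapshot backup that keeps every version. The function names and the blob/manifest layout are assumptions made for this example, not any particular tool's format.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sync_mirror(src, dst):
    """Make dst an exact copy of src; deletions and corruption propagate."""
    src, dst = Path(src), Path(dst)
    if dst.exists():
        shutil.rmtree(dst)
    shutil.copytree(src, dst)


def backup_snapshot(src, repo, label):
    """Record every file under src in a new snapshot; older snapshots are kept."""
    src, repo = Path(src), Path(repo)
    blobs = repo / "blobs"
    blobs.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        data = path.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        blob = blobs / digest
        if not blob.exists():  # unchanged files are stored only once
            blob.write_bytes(data)
        manifest[path.relative_to(src).as_posix()] = digest
    (repo / f"{label}.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_file(repo, label, rel_path):
    """Return the bytes of rel_path as they were when snapshot `label` was taken."""
    repo = Path(repo)
    manifest = json.loads((repo / f"{label}.json").read_text())
    data = (repo / "blobs" / manifest[rel_path]).read_bytes()
    if hashlib.sha256(data).hexdigest() != manifest[rel_path]:
        raise ValueError("backup blob is corrupted")
    return data


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "primary"
        src.mkdir()
        (src / "notes.txt").write_text("original notes")  # constructed sample data
        backup_snapshot(src, Path(tmp) / "repo", "day1")
        (src / "notes.txt").write_text("garbled")          # corruption on the primary
        sync_mirror(src, Path(tmp) / "mirror")
        backup_snapshot(src, Path(tmp) / "repo", "day2")
        print((Path(tmp) / "mirror" / "notes.txt").read_text())
        print(restore_file(Path(tmp) / "repo", "day1", "notes.txt").decode())
```

The mirror ends up holding only the garbled file, while the "day1" snapshot still returns the original.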





Operating systems and environments:

  • Windows: large closed-source system with tons of features and modifications, popular target, frequent OS updates.

  • iOS and Apple: closed-source system with more closed design, less-popular target, frequent OS updates.

  • Linux: open-source system with modifications, less-popular target, less-frequent OS updates.

  • Android: closed-source system, popular target, mostly broken OS update system.

  • "Captive" devices such as Kindle, Chromium OS, etc: closed-source system, less-popular target, frequent OS updates ?




Buying or setting up a brand-new device:

For all devices in general:
  1. Change or set password.

  2. Turn off features you don't want.

  3. Connect to internet.

  4. Update OS, and set it to auto-update.

  5. Update apps, and set them to auto-update.

For computers, and maybe other devices:
  • Might be a good idea to immediately wipe the whole operating system and re-install from a source of your choosing. You don't know what might have been done to the system by the vendor or store or during shipping.

  • Create a local account to log in, not a Microsoft or Google account.

  • Go through all the privacy and feature settings to tweak them as you wish.

  • Once it's set up reasonably, do a backup or save a restore point. And make a bootable recovery disk or flash-drive.




Buying or setting up a used device:

Be VERY careful if you've bought a device through eBay or Craigslist or similar, especially if the device has anything to do with financial, crypto-currency, security, or encryption stuff.

Maybe start with a factory reset. Maybe format the disk. Definitely install new firmware and operating system.

When you buy a used house or used car, what devices or services or apps are in it or connected to it ? Some of them can take a while to switch from old owner to new owner. Double-check that old owner's access has been revoked.

Kai Sedgwick's "Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller"
Trail of Bits' "From The Depths Of Counterfeit Smartphones"



Getting rid of a device:

Get new device working, especially with any accounts that have 2FA enabled, before getting rid of old device. Go into cloud accounts and remove any trust of old device.

On old device, delete optional added apps and data files. Delete any connection to email account, VPN, calendar, delete contacts, etc. Go in at file level and look for anything to delete. Go in through standard apps (Contacts, Gallery, Calendar, etc) and look for anything you forgot to delete.

Maybe: Factory-reset the old device, then boot it and try to connect to accounts. Then factory-reset again.

Lexy Savvides' "How to wipe your phone or tablet before you sell it"
Patrick Lucas Austin's "Disable iCloud Before You Get Rid of Your Mac"
David Murphy's "How to Get Your MacBook Ready to Sell"
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"

Many disk-erase utilities will not erase certain parts of a disk: HPA, DCO, bad sectors that have been re-mapped.

Some disk-erase utilities are not appropriate for erasing an SSD or flash drive. Either use a utility provided by the manufacturer of the drive, or completely fill the device with random nonsense data.

When you sell a house or car, what devices or services or apps are in it or connected to it ? Some of them can take a while to terminate.



After getting new internet service (ISP, router):

  • Change router's admin password.
  • Look for features of router: VLANs, IPv6, guest network, firewall ?
  • Go through router settings: turn off UPnP, turn on firewall, check IPv6 status, etc.
  • Record equipment numbers and addresses, router settings, Wi-Fi network name and password, phone number, etc.

  • Port-scan router from LAN side.
  • Port-scan network from public internet.
  • Run browser and DNS leak tests, including IPv6 tests.
  • Check that various features/apps work, on computer and phone, especially with router security tightened: VPN, torrenting, videoconferencing, VoIP.

  • Log into your account on ISP's web site and tighten privacy/marketing settings.
  • Get a copy of your ISP contract.
  • Log into your account on ISP's web site and check fees/charges/limits.



Living dangerously:

If you really, really want to download and run something that could be dangerous:
  • Have good backups.
  • After downloading it, run a virus-check on it. Also send it to VirusTotal.
  • If possible, run a hash-signature check on it.
  • Before running it, disconnect from the internet.
  • Disconnect or unmount any external drives or USB sticks or network drives or encrypted containers.
  • Do not run the dangerous thing when you're logged in as a privileged user.
  • Create and login as a new non-privileged user, different from your normal user login, just to run the new thing.
  • Run the dangerous thing in a sandbox or virtual machine ?
  • Afterward, do whole-system virus scans.
  • If you're going to keep using the new thing, maybe always use it when logged in as that special non-privileged user.
If you have to attach your USB drive to a public computer (such as at a print shop or internet cafe, to print documents):
  • Put only the minimum possible documents on the drive.
  • If possible, make the drive read-only or mount it read-only.
  • Do virus-checks before and after.
  • If possible, don't copy the documents back to your main disk afterward. Delete them.
  • Erase/reformat the drive afterward.



See "Testing your privacy and security" section of my "Testing Your Security and Privacy" page.

New things we need to increase our privacy or security:

  • To use when someone (law enforcement) is forcing you to surrender your password:

    • Dummy access password: a special password that you enter, and the device or account gives access to only a special "dummy" version of the data.

      Known as "plausible deniability encryption" ? Maybe VeraCrypt provides something like this on desktop OS's ? Maybe smartphone app "Protect My Privacy" does this ?

    • Self-destruct password: a special password that you enter, and the device or account wipes itself clean.

      (Note: factory reset probably doesn't overwrite all data, just removes pointers to it.)

    • Limited self-destruct OS password: a special OS login password, and browser cookies and selected files get deleted as you get logged in.

    Ken Kinder's "The travel-only Gmail account: A practical proposal for digital privacy at the US border"
    Quincy Larson's "I'll never bring my phone on an international flight again. Neither should you."
    Kristin Wong's "What to Do Before Packing Your Laptop in a Checked Bag"

  • End-to-end encryption, running on the client machines, so the service companies (Facebook, email service, etc) can't read our data and can't surrender it to law enforcement.

  • Apps or extensions to pad our phone Contacts list and email Address Book and Amazon and eBay address lists with lots of fake people (with reasonable names and addresses and phone numbers), so apps and brokers who grab that info and sell it get lots of disinformation.

    Some people have pointed out that this is hard to do well enough to fool bots and data-miners. You'd want to update the "last contacted" date in the Contacts list periodically, and it would be best if Contact lists from multiple phones had the same information for bogus contacts.

  • A "privacy noise-generator":

    At random intervals, it would do random searches, page-hits, chats, VOIP calls, pings. Millions of people would run it routinely, and generate traffic that would obscure the patterns of real activity. A government or company trying to analyze our traffic would have a more difficult time separating the real and false data.

    TrackMeNot
    AdNauseam (browser extension; blocks ads and clicks on them)
    Internet Noise
    Track This
    Chaff (browser add-on; Chrome only)
    Noiszy (browser add-on; Chrome only)
    Needl (Linux only)
    benyanke / internet_noise_bash (Linux only; maybe doesn't work)
    davideolgiati / PartyLoud (Linux only)
    Noisy (Linux only; article)
    Ruin My Search History
    reddit's /r/datapoisoning

    Thorin Klosowski's "Generating a Bunch Of 'Internet Noise' Isn't Going to Hide Your Browsing Habits"

    mcastillof's "FakeTraveler" (Android only; fake GPS location)



  • Notifications to tell us if our accounts have been accessed by an intruder.

    For example, create a throwaway email account that does nothing but automatically send a notification to your real email account if someone logs in to the throwaway account. Then put the login info for the throwaway account in your password manager.

    You can create an HTML email message in your InBox, and get an alert if anyone reads that message, using Canarytokens.




"Privacy" from incoming abuse:

If people are saying nasty things to and about you online:
  • Be the adult in the room: if you keep on topic, don't respond to insults, don't get mad, often a troll will give up. Even if they don't, others reading along will see who is sane and who is not.

  • You don't have to respond to everything. If some comment is idiotic, maybe ignore it. If someone throws 20 claims at you, maybe address only the top 1 or 2.

  • Take a break, don't obsess. Log off for a day, or go exercise, or do some involved project to drag your mind away from the abuse.

  • Focus on the positive; don't read or respond to only the negative.

  • Use report/block features of the site.

  • If you may end up reporting to police, don't delete the abuse, and print it out.

  • If someone has posted something illegally about you (nudes, or fake nudes), and the site won't take it down, try complaining to Cloudflare about it. These sites don't want to lose the protection they get from Cloudflare.

Rebecca Fishbein's "What to Do If You're a Victim of Revenge Porn"



Physical security and preparation:

  • Is your computer on a stable surface with no exposed cables, so it won't fall on the floor ? Does your phone have a case to protect it when (not if) you drop it ?

  • Is your laptop's AC adapter secure, so it won't fall on the floor, maybe damaging the power connector on the laptop ?

  • Is your computer protected from power surges ? A UPS is better than a cheap extension-cord surge protector.

  • Is your AC electricity properly grounded ?

  • Is your computer protected from overheating ? Buy a fan-tray to put underneath it. Don't ever set it on a bed or sofa or carpet to use it; you'll block the ventilation.

  • Is your computer protected from liquids ? Both from someone spilling a coffee or soda on it, and from rain coming in through an open window ? How about a pet going wild while you're sleeping ?

  • Is your phone protected if you drop it ? A case is mandatory; a screen-covering is a good idea.

  • Are your devices protected from the fingers of your toddler or the paws of your cat ? Maybe tape cardboard flaps over power switches so one errant poke doesn't cause you grief. Maybe knot/tie cables around something so a yank on the cable doesn't pull it out of the computer or damage the connector.

  • How good are the locks on your house or apartment or car ? What is the weakest point of entry ? Alarm system ?
    Justin Carroll's "Basic Alarm System Best Practices"

  • Buy a cable-lock (about $15) for your laptop. Useful any time you need to leave the laptop in your car, or in an AirBnB room or hotel room or dorm room, or briefly unattended in a cafe or library or at school. Check the manual to see what kind of lock-slot your laptop has; there are several kinds (Avram Piltch's "Laptop Lock Buying Guide: 5 Things You Need to Know").

  • A fireproof "money and document bag" ($35 or so) or small fireproof box or safe ($50 to $200) to store your backup drives ?
    See "Fire Protection" section of my "Disaster Preparation" page.

  • Paper-shredder for documents you throw away.

  • Deterrence: motion-activated lights, security-service sticker, alarm system, security cameras, dog (or fake evidence of a dog).

    Be careful with security cameras. There are laws about what they can record and how you have to notify about them. Always consider how they could be breached and used to spy on you. Keep them mainly on the exterior or entrances of your home, not on sensitive interior rooms. Do you want "alerting/monitoring" (able to see what is happening now, from work or something), or "evidence" (go back a day and see what happened) ? Maybe have two systems, one of each type, covering different areas.

  • Be aware that people can make a copy of your house-key if they can get a good photo of it. For example: KeyMe.

  • Disaster preparation. A huge field in its own right. Just a few tidbits:
    • If the power goes out, how will you power your devices ?
    • If the power goes out, will anything critical such as door-locks stop working ?
    • If you never power down your various devices (phone, computer), test what happens if you do power them down: turn them off and back on. Do you know the passwords ?
    • If your power hasn't failed in a long time, test what happens if it does go out: turn off all the power in your whole house and turn it back on.
    • If you get evacuated, or cut off from your home, can you access electronic copies of your ID and medical documents ?
    See my Disaster Preparation page.




Family issues:

  • Do your spouse and children know about backups and security and privacy ?

  • Maybe create an official family privacy policy, maybe something like:
    • What happens at home is private, by default.
    • If you want to record something, you have to warn people.
    • If you want to upload or post a recording, you have to get permission.


  • Children will face a lot of threats and peer pressure from their friends. Bad behavior, bad sites, "I have a smartphone and you don't", "let's all make posts telling X she's ugly and stupid", etc.

  • Don't set up a child's device or account to pay things out of your credit card or bank account. You may get a nasty surprise a month later.

  • School and sports leagues will demand a lot of information about your children (such as birth certificates) and you and your spouse (address, phone number, email, etc).

  • School may require that your children have a laptop for schoolwork, and use Google or other cloud accounts.

  • Think ahead to how your family would cope if you died suddenly. Are you the only one who knows the passwords, knows what software is being used, knows how to make and recover from backups ? Maybe write down instructions, and leave a copy of your password manager database, or a copy of a subset of it. Then leave the master password with a trusted friend who doesn't have access to the database or devices. Or leave half of the master password with one trusted friend and the other half with another trusted friend. But this may not work if you have two-factor authentication.
    Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"

  • Maybe do credit freezes for each of your children, as soon as they have SSNs.
    Brian Krebs' "The Lowdown on Freezing Your Kid's Credit"
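A variant of the two-friends idea above, as an added example that is not part of the original page: instead of giving each friend half of the master password (which hands each of them half of its characters), it XORs the password with random bytes, so either share alone is indistinguishable from random data and both are needed to recover it. The function names, the 64-byte block size and the 4-byte check tag are choices made for this example.

```python
import hashlib
import secrets

BLOCK = 64  # fixed payload size, so a share does not reveal the password length


def _encode(secret):
    """Length-prefix and zero-pad the secret, then append a short check tag."""
    data = secret.encode("utf-8")
    if len(data) > BLOCK - 2:
        raise ValueError("secret too long for this block size")
    body = len(data).to_bytes(2, "big") + data
    body += bytes(BLOCK - len(body))
    return body + hashlib.sha256(body).digest()[:4]


def split_secret(secret):
    """Return two hex shares; each one alone is uniformly random bytes."""
    plain = _encode(secret)
    share_a = secrets.token_bytes(len(plain))
    share_b = bytes(p ^ a for p, a in zip(plain, share_a))
    return share_a.hex(), share_b.hex()


def combine_shares(hex_a, hex_b):
    """Recover the secret from both shares; reject mistyped or mismatched ones."""
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    if len(a) != len(b) or len(a) != BLOCK + 4:
        raise ValueError("shares have the wrong length")
    plain = bytes(x ^ y for x, y in zip(a, b))
    body, tag = plain[:BLOCK], plain[BLOCK:]
    if hashlib.sha256(body).digest()[:4] != tag:
        raise ValueError("shares do not match (typo or wrong pair)")
    length = int.from_bytes(body[:2], "big")
    return body[2:2 + length].decode("utf-8")


if __name__ == "__main__":
    # Constructed sample password, not a real one.
    first, second = split_secret("correct horse battery staple")
    print("give to friend 1:", first)
    print("give to friend 2:", second)
    print("recovered:", combine_shares(first, second))
```
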

ProtonMail's "How to protect your children's privacy online"
Michelle Woo's "Teach Your Kid About Digital Safety With the 'Be Internet Awesome' Program"
Troy Hunt's "Sharenting, BYOD and Kids Online: 10 Digital Tips for Modern Day Parents"
Amer Owaida's "3 things to discuss with your kids before they join social media"



See "Do a periodic check and cleanup" section of my Testing Your Security and Privacy page.



If you own/run a web site:

See my "Your Personal Web Site" page.



See "Port scanning or router testing" section of my "Testing Your Security and Privacy" page.



Good audio podcasts:
The Complete Privacy & Security Podcast
Security In Five Podcast

Blogs:
Justin Carroll's "Operational-Security.com"

cryptoseb / CryptoPaper

Brendan Hesse's "How to Submit a Bug Report to Apple, Google, Facebook, Twitter, Microsoft, and More"

Humor:
"OPSEC - The Most Secure Man in the World" (video)





This page updated: December 2020