I’m profoundly ignorant regarding general security and privacy online. Any tips, tricks, or resources would be appreciated. Maybe even starting a community, if there’s enough interest in this subject.

  • This will probably sound like a pain, but this is more or less my setup:

    • Use an open-source Linux distribution with a “libre” kernel (e.g. Debian)
    • Use Tor (Tor Browser for general use) for all traffic you really want to be anonymized (e.g. Lemmygrad). Use a VPN only where Tor isn’t feasible and privacy is less important (e.g. streaming high-resolution videos)
    • Don’t create accounts for anything unless it’s absolutely necessary – you need a Fediverse account to participate on Lemmygrad, but you don’t need a YouTube account to watch/download YouTube videos
    • Don’t use Tor or a VPN when you need to log in to an account that contains personal information, including if you created it or have ever accessed it without using Tor or a VPN
    • Always use HTTPS instead of HTTP, even when using Tor
    • Never log in to any account created through Tor without using Tor
    • Configure your firewall to only allow Tor traffic (and traffic to/from your VPN servers if you’re not just using Tor), ideally with some additional restriction like groups (e.g. only allow traffic through the root user, the Tor group and a custom “Internet” group, so no user-launched process has network access unless specified or the system is compromised)
    • Only install open-source software (if you really need something that’s closed-source, make sure it doesn’t have Internet access)
    • For private communication, use something with end-to-end encryption (i.e. you encrypt it locally and only the intended recipient can decrypt it) and that isn’t tied to any personal information, like Matrix. Email can be encrypted, but it’s a hassle


    I’ve probably missed some things but those are the basics

  • redtea@lemmygrad.ml
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    Some tips.

    Use an ad blocker.

    Turn scripts off in your PDF reader.

    Disable images in your emails (you’ll have to manually click ‘download images’ in any individual email if you want to see them). Having images enabled can help the sender know whether you opened the email and when.

    Use a browser that lets you block trackers and cookies, etc. Firefox and duckduckgo are two examples.

    Set your main browser to block all http sites.

    If you want to visit an http site, search the URL in archive.org and open a snapshot of it instead.

    If you must use http sites, only do so in another browser set to delete all cookies when you close the browser. Never use this browser for banking, shopping, personal or work email, etc.

    Use different browsers for different things, and don’t mix up what you use each browser for.

    Never open PDFs with personal details at the same time as other PDFs. PDFs can have trackers and send info back to the creator. This can also be used to send info back that is in other open PDFs. So if you open a tracked PDF and a bank statement, the tracker-creator might get your bank details.

    Don’t use random public WiFi.

    Turn off Bluetooth when not in use.

    Use strong passwords. And never the same password for different accounts.

    Immediately distrust every email you receive. Do not trust an email just because it says it comes from someone you trust.

    Use a different alias for every website.

    Do not tell people online where you live or work. Don’t give similar information out about your relatives or friends.

    Don’t trust the ‘anonymity’ of anonymous surveys, etc. Especially if it’s from work.

    Assume that everything you do online is public. Only do things in public online.

    Don’t trust encryption to keep your communications safe. It’s the other person you have to worry about.

    Try only to log into your services (especially banking) on certain devices. Don’t log on to your accounts on other people’s computers or, if you can help it, their WiFi.

    Don’t use Google/twitter/Facebook/etc to sign up to other services. Create a separate account for every service.

    Assume VPNs are compromised. At best, they can only protect your IP from random individuals and small- to medium-sized companies.

    If you don’t trust a website or company, do not engage with it while you are out and about as it may be possible to triangulate your position.

    Assume that the owner of any website will get your IP if you visit the website, at the very least. For example if you’re on Lemmygrad and someone from a dodgy instance wants your IP, they could give you a link to their blog and harvest data when you visit that site.

    When you do want to open a link, ‘copy link’ or ‘copy link address’ then open a new tab, window, or browser, paste it, and go. Clicking links can reveal where you were when you clicked it.

    If you don’t want different websites to know what other websites you visit, always open a new tab/window/browser when you type in the address.

    Don’t give your socials to companies when they ask for them.

    Don’t post your photos unless you know how to strip the meta data.

    Don’t post pictures, even with the meta data stripped, if there are any identifiable features in the image.

    Don’t tell people specific places where you’re going or where you’ve been.

    Don’t share intimate details on your [political] social accounts.

    Don’t share your [political] socials at work or with close friends or family.

    Assume that using tor will put you on a watch list.

    Don’t take your phone to protests.

    Tape over your camera.

    Go through every app on your phone/computer and disable permissions that you don’t want it to have. If it doesn’t work without those permissions disabled, don’t use it.

    Close unused tabs in case they can read the info in the used-tabs.

    Don’t use smart appliances.

    Don’t use any Amazon devices. If you must, assume Amazon is logging every conversation that the device can hear. Same goes for other smart devices, doorbell cameras, etc.

    Assume your phone/computer/etc is logging every conversation that it can hear.

    Give the minimum information needed to use any service.

    If you use things like a games console, turn off the option that lets people find you unless you want to add a particular person as a friend.

    Don’t use store ‘points’ cards unless you’re happy for the store to learn everything about you.

    Assume that somebody with bad intent will, one day, get access to the data that you do give to someone you trust.

    Be careful where you sign up to credit score monitoring. Avoid it if you can.

    If you’re thinking of giving sensitive data to a company, first search for the company name + privacy/security/beaches/violations, etc.

    You may be able to request that people who hold your personal data delete that data from their system.

    Assume that someone is watching your online/digital activities, just waiting for you to slip up so they can steal your identity, empty your bank account, arrest you, have you fired, have you kicked out an organisation, etc. They can build up a profile of you over time by piecing together all the little bits of ‘insignificant’ data that you give away.

    Search your name, phone number, and address (current and previous) (separately and together) on a few search engines and see what information about you is already online. If there’s something up there you don’t like, work out how to get it deleted.

    Hope these help! You can’t do everything perfectly. The safest thing is to not use the internet or give away any data, but that’s not really feasible. So instead, you need to work out a ‘best practices’ guide for yourself and follow it when you can, knowing that you will slip up. Lots. And all you can do is try.

    • TT17@lemmygrad.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Wow, that was an incredible response! It filled up my entire page of notes lol. Thank you for that. I will take these and apply them the best that I can.

      • redtea@lemmygrad.ml
        link
        fedilink
        arrow-up
        4
        ·
        1 year ago

        You’re welcome. Stay safe!

        PS I thought of a few others.

        Keep your system and apps updated. And delete unused apps (every app could have a vulnerability, which can’t be avoided for apps you need, but can be avoided for apps that you don’t use).

        If you use a screen dimmer on your phone, be careful what you type while it’s on, because it can record that info.

  • knfrmity@lemmygrad.ml
    link
    fedilink
    arrow-up
    8
    arrow-down
    1
    ·
    1 year ago

    The first and most important thing, which far too many people skip, is start to understand what threats there are to your privacy. Then reflect on what they mean to you. These threats can be many things, like activity tracking, personal information collection, profiling, etc. Then, based on what you are personally concerned about you can better choose which mitigation strategies to use against which invasive techniques, because you know what you’re trying to work against and why.

    Also don’t trust people who are just trying to sell you a VPN. They don’t make you “more private,” whatever that even means, and those people just want a referral click and sale.

    This seems to be a good practical and pragmatic intro into online privacy.

    https://auth0.com/blog/practical-privacy-a-guide-for-everyone/

    • silent_clash@lemmygrad.ml
      link
      fedilink
      arrow-up
      6
      arrow-down
      1
      ·
      1 year ago

      Yeah, identifying your threat model is step one! Is it corporations, your state’s government, the US government, hackers, or some combination of those?

    • TT17@lemmygrad.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Excellent, I will check that out. Thank you for your feedback. As Sun-Tsu says, ‘know your enemy’!

  • Prologue7642@lemmygrad.ml
    link
    fedilink
    arrow-up
    6
    ·
    1 year ago

    This is a really deep rabbit hole you can get into. But basically, today you cannot have privacy. Steps you can do to increase it are things like:

    • Use open source OS (Linux)
    • Use open source OS on your mobile (I would recommend LineageOS)
    • Only use FOSS if you can
    • Don’t use Google/Bing/etc. you don’t really have a good option here, as there is no open source solution. Basically, you can try to trust things like duckduckgo/brave search, but personally I use searxng.
    • Don’t think that because you use VPN you are safe, most of the VPNs are dubious at best, if you really want privacy something like Tor is probably your best bet.

    But most importantly, even if you do everything perfectly, don’t think anything you do is private. It is only a matter of making things more difficult. Your best bet for privacy is just not doing anything online that would be worth the effort to spy on you.

    • TT17@lemmygrad.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Yeah there definitely isn’t a silver bullet for this, anything short of a carrier pigeon will have its vulnerabilities. Thankfully I’m relatively safe, I don’t do anything that would get me in trouble. This is more of an extra precaution rather than an immediate threat. Thank you for your feedback. What kind of Linux OS do you recommend? I’ve used ubuntu in the past, mostly because I only have a basic understanding of PC’s.

  • pyska@lemmygrad.ml
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    You can only protect yourself from the threats you know about. Also, how paranoid you need to be depends on who you are protecting yourself against.

    For privacy:

    • Use TOR browser.
    • Don’t login anywhere which could trace back to you.
    • A few other things.

    For security:

    • Don’t open attachments from people you don’t trust.
    • Always check sender on e-mails.
    • Prefer in person meetings for important stuff (banks, for example).
    • Be careful where you are writing your passwords.
    • Don’t use the same password on 2 different websites. If one gets compromised, you don’t have to worry about the other.
    • Etc.

    Security is not which OS you use (it can be). But it is you. It doesn’t matter if you have the most secure system if you are it’s weakest link.

    • silent_clash@lemmygrad.ml
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      There are so many tiny traps you can fall into. For example, downloading externally hosted images, etc from an email can let a smart person pinpoint your ip address.

    • TT17@lemmygrad.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      Absolutely, just be smart, it’s way too easy to make a simple slip up and be exposed. Thank you for your feedback.

  • silent_clash@lemmygrad.ml
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    edit-2
    1 year ago

    This is such a huge rabbit hole, lol. The more I’ve learned, the more I’ve realized that you will eventually have to choose how much convenience you are willing to give up in exchange for privacy. It could be as simple as hardening your browser settings on Windows/Linux to as annoying as only browsing using Tor + a VPN paid for with Monero/mailed cash with Javascript turned completely off on a fully FOSS operating system designed for security like Tails, Kodachi, or Qubes.

    Javascript lays bare a LOT of info about your entire PC which can be used to track you by fingerprinting, or collecting a list of traits of your computer which can identify you. Cover your tracks is a great website that can show what your browser is freely giving up every time you visit a website. Try it before and after hardening + try visiting again with Tor browser.

    This is a huge playlist from a trustworthy source, Techlore on YouTube. Here is a 30 minute video that will get you a general overview.

    I’d start by hardening your browser, a relatively easy step that can really help you get tracked somewhat less without too much headache. Just search youtube for “harden (your browser)” and follow the steps. Mental outlaw has a good video on that as well as Techlore and Sun Knudsen. As for which browser, Brave is Chromium based but mostly de-googled and Firefox is what I prefer because it’s one of few alternatives to Chromium/Chrome.

    If you’re really serious about security from government tracking, for instance, you’d want to be researching Operation Security or OpSec. Here is a 10 minute primer on that topic. But if your threat model includes the government because you may be planning to do illegal stuff (do not talk about that on Lemmy, lol), you will want to invest a LOT of time to understand exactly what is required to really protect your identity. A single false step can make it easy for federal agents to track you down.

    • redtea@lemmygrad.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Good tips. Didn’t know ‘hardening’ had a name. It’s probably the most important first step because it’s relatively easy to do and can prevent future data leaking.

    • TT17@lemmygrad.mlOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Wow! That was a lot of great information, thank you for taking the time to write that. I will definitely check out all of your sources!