Welcome to digitalsafety.tips, a guidebook aimed at simple solutions to keep people safe, secure, and private in the digital world.
Need a quick overview? You can jump to the summary.
Browse safely
Desktop
Use Chrome or Brave on your computer with the following extensions:
Ublock Origin
HTTPS Everywhere
Privacy Badger
Cookie Autodelete
Bitwarden
Mobile
Use Brave (iOS/Android) or Bromite (Android) on mobile.
Browser setup
Switch the search engine to duckduckgo in the browser settings.
Uncheck “allow Chrome sign-in” in Chrome’s settings
Disable Brave Rewards in Brave’s settings
Keep conversations yours
Signal Messenger for Mobile and Desktop
Signal is a fun and peer-reviewed messaging app that allows you to connect in a way that respects you. Signal is non-profit, supports video/audio calls, messaging, Giphy, and group chats. It’s available on iOS, Android, MacOS desktop, Windows desktop, and Linux desktop. Make your conversations with people just between you and them, not between you and a company that sees you as a product.
Use passwords wisely
Every account should have its own unique password because it is dangerous to reuse the same password or a variant of the same password across sites. It’s unlikely that most people will remember a unique string of characters for every login, so it’s recommended to use a password manager to store passwords securely.
A password manager generates new passwords for you, and stores them until you need them. All you need to remember is one passphrase that protects all the other ones. As long as the password manager has a strong passphrase and a second-factor code to unlock it, the passwords will stay safe.
Create passphrases
A passphrase is usually longer and more memorable than the shorter but harder to remember password. You’ll need a master passphrase for your password manager which is best accomplished with the Diceware method. This method involves rolling physical die to randomly select 6 to 7 words from a word list. One simply strings these words together, all as one word and creates a mnemonic to remember it.
Despite what you may have heard from other sources, the math behind this method is sound since “a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.”1
For now, we’ll create two passphrases this way: one for your password manager and one for your home computer. Passphrases are mainly good at securing top level information like your computer login, password managers, or keys. For all your accounts (email, bank, social media, etc.), you’ll want to use passwords generated with a password manager.
- Go to EFF’s diceware list
- Roll a die 5 times (or you can roll 5 dice once) and write down the numbers in groups of five on a piece of paper.
- Do this 6 times. Believe it or not, this is the basis for your first passphrase which will protect your password manager.
- Once you have done this, find the corresponding words in the word list and write them next to the numbers
- Create a mnemonic story with the words
- Write down the 6 generated words on a piece of paper that will fit in your wallet.
- This is your master password for your password generator
- Do not use it anywhere else.
- Repeat this process to create the second passphrase for your computer login.
- Shred the paper that you’ve carried with you after you’ve sufficiently memorized both passphrases. With a good mnemonic story, it shouldn’t take longer than a week.
Bitwarden password manager
Bitwarden is a password manager that has undergone security audits, encrypts your passwords without being able to access them, is open source, free, and multi-platform. You can even securely share passwords with others. If you’re technically apt, you can even host your own server. I recommend using the app on mobile and the browser plugin on desktop.
Passwords aren’t enough. Use 2FA.
Security is strongest in layers, with passwords being only the first layer in the system. Most people carry a phone which can easily be used as a second layer of security. 2FA (2 factor authentication) usually works by entering a code from your phone after using your password to login, ensuring you are the only person who can access the account.
There are three main types of authentication:
| Type of authentication | How it works |
|---|---|
| Text message or phone call | Get an automated text or phone call and enter the code you read or hear. |
| App on your phone | Copy the time based code from an app on your phone. |
| Specialized device like a Yubikey, Onlykey, or Trezor | Press a button on the device or tap the device to your phone (see next level steps). |
Prefer apps and specialized devices over text message authentication. However, text message based 2FA is better than not having any at all.
Go to https://twofactorauth.org/ to see some sites that support 2FA. Most banks, social media networks, and email providers have 2FA.
andOTP for Android
Tofu for iOS
Sign up for haveibeenpwned
Created by security expert Troy Hunt, “Have I been Pwned?” is a service that keeps track of data breaches. Pronounced “pone,” pwn is internet slang for “to own” or to conquer to gain ownership. Enter your email at the site to see if any of your accounts have been breached. If anything has been breached in the past, don’t panic. Go to the website that was breached and change your password there. Be sure to subscribe to get notified of further breaches right away. Do this for each email you use.
Phishing, scams, remote access, behaviors
In general:
- If it sounds too good to be true, it usually is.
- Verify that you are seeing “https” when visiting websites.
- Don’t click on links in emails you don’t know.
- Don’t open or download files from a source you don’t know.
- If it’s a supposed government agency, they will get a hold of by official means (the IRS will never call you, they will send you postal mail).
- Don’t be fooled by visual similarities, always verify who is contacting you.
- Pay attention to browser alerts and security exceptions.
- Be very careful of shortened links.
Inspect emails carefully
“Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information – such as account numbers, Social Security numbers, or your login IDs and passwords. Scammers use your information to steal your money or your identity or both. Scammers also use phishing emails to get access to your computer or network then they install programs like ransomware that can lock you out of important files on your computer. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.” -Federal Trade Commission
Don’t trust; verify.
It’s relatively easy to trust what people say. When it comes to your personal information remember the above maxim. Verify who people are and what they are doing is essential when dealing with tech support, financial institutions, or businesses. This process helps you avoid social engineering. In general, don’t allow people to remote access your computer unless your business-place has this setup to begin with.
Keep it secret; keep it safe.
As the wise wizard said. Corollaries to this phrase include:
For more on phishing, check out this comic from The Intercept.
Healthy behaviors
Security Researcher Alec Muffett created “Your Cyber-5-A-Day” which I think sums up a lot of behavioral ways we can create digital safety:
In an attempt to encapsulate good security practice in just five rules that you should practice daily, as part of your “business as usual”, I would propose the following —but be aware that this is not an exhaustive list of security practices, it’s just my top five “healthy behaviours” for home or business:
- Install all software updates and patches promptly; if you use anti-malware software, then update it promptly, too.
- Stop using, even erase, delete or destroy, any software or devices which are past their end-of-life, end-of-support, or for which you can no longer obtain software updates. Make sure to save any data that you want or need.
- Use, and promote use of, different passwords for every site and app that relies upon passwords; using password management software may help.
- Consider each piece of data you create and what would happen if you lost it, or if it leaked to the public at large. Make backups accordingly.
- Review your security settings — iOS, Android, Facebook, Gmail, Linux, MySQL, VCL, Junos — check out what’s publicly visible and who and how can access your account or system. Keep it tidy.
Be your own cloud
Usually, a cloud is comprised of a specific company’s servers. Servers are just computers and storage devices that are accessible over a network. In this case, when you access something on Apple’s cloud, Dropbox, Google drive, etc., your device is actually logging onto that company’s server and accessing from there. This solves a great many problems, but it creates a few weighty ones too. The weightiest is that your personal data exists on a device controlled by companies that want to make money off of you.
Syncthing
Syncthing allows you to sync folders and files to each of your devices and work collaboratively with others. You could sync your photos in a family folder, edit files for a collaborative project, or keep the photos on your phone backed up to your main computer. This tool currently works with Android, MacOS, Windows, and Linux. An iOS version does not currently exist. If you need a cloud tool that works with iOS, check out Cryptomator below.
Cryptomator
Cryptomator is a tool that works with current cloud providers (Google Drive, iCloud, Dropbox, and more). The main benefit is that your data stays yours—those companies aren’t able to access your data since it’s encrypted. It works on all the major platforms.
Update. Update now! Turn on auto-updates.
Google Play and Android
To automatically update apps on your Android device:
Open the Google Play Store app Google Play. Tap Menu Menu and then Settings. Tap Auto-update apps. Select an option:
- Auto update apps at any time to update apps using either Wi-Fi or mobile data.
- Auto-update apps over Wi-Fi only to update apps only when connected to Wi-Fi.
For the Android System
You’ll get notifications when updates are available for you.
Apple iOS
With iOS 12, you can have your iOS device update automatically. To turn on automatic updates, go to Settings > General > Software Update > Automatic Updates. Your iOS device will automatically update to the latest version of iOS. Some updates might need to be installed manually.
Tap Settings > [your name] > iTunes & App Store. Turn on the content that you want to automatically download.
Apple MacOS
To automatically download updates in the future, choose Apple menu > System Preferences, click App Store, then select ”Download newly available updates in the background.” Your Mac will notify you when updates are ready to install.
Microsoft Windows
For Windows 10 app store
- Select the Start screen, then select Microsoft Store.
- In Microsoft Store at the upper right, select the account menu (the three dots) and then select Settings.
- Under App updates, set Update apps automatically to On.
For Windows 8.1 and Windows RT 8.1 app store
- On the Start screen, select Store to open the Store.
- Swipe in from the right edge of the screen, and then tap Settings. (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Settings.)
- Tap or click App updates.
- Make sure Automatically update my apps is set to Yes.
For the Windows operating system
Windows Update automatically offers updates to eligible devices. To double check that your device is up to date, open Settings > Update & Security > Windows Update to see your update status.
Linux
It depends on what Linux distribution you have and how it have it configured. If you are running Debian, you can install gnome-packagekit and the gnome extension Apt Update Indicator. This will automatically tell you when updates are available and allow you to update the system graphically.
Keep your devices on lock
Please keep a passcode on your phone! Today, most modern phones (both Android and iOS) also encrypt your data so you can be sure that if you lose your device or if someone steals it, no one else can have access to it.
On Windows, you may want to consider using Veracrypt.
Apple computers also have FileVault, which protects the data on your Mac. Go into the settings and activate it.
On Linux, you can enable encryption on install.
If you want to learn more about this subject, the EFF has an excellent guide on keeping your data safe.
Stay informed
This Week in Security Newsletter
From the Security Editor at Tech Crunch Zack Whittaker, the This Week in Security Newsletter gives you a weekly overview of security stories from the week.
EFF
“The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.”
The EFF has stories out almost everyday about your rights online. Follow them and consider joining to support online freedom.
Motherboard
Motherboard reports on all sorts of tech issues. They have robust security coverage.
“The real protection comes when we recognize that privacy is a team sport” -EFF
Get close friends and family on Signal, tell them about Brave browser being able to block ads, and show them how to make secure passphrases. This way we can help everyone be safe, secure, and private.
Other tools
These tools are in addition to the basic tools that I recommend above. You may or may not have a use case for them.
Mobile/Desktop: Communicate securely with Wire messenger
Using a similar protocol to Signal, Wire is a commercial company that allows for secure communication with others. It’s free for personal use. You can also use it for your business with their paid plans.
Desktop: Encrypt files or disks with Veracrypt
Veracrypt allows one to keep files in a secure container or encrypt whole disks.
Mobile/Desktop: Keep your searches and perusing anonymous with Tor
The Tor browser is an amazing tool that allows one to freely browse the web anonymously. It connects to volunteers who operate servers all over the world and encrypt your web traffic in layers like an onion. It does this 3 times so that no one can connect the requester of the data with the data itself. If you would like to be anonymous on the web, the tor browser is your ticket.
“Tor protects the network communications. It separates where you are from where you are going on the Internet. What content and data you transmit over Tor is controlled by you. If you login to Google or Facebook via Tor, the local ISP or network provider doesn’t know you are visiting Google or Facebook. Google and Facebook don’t know where you are in the world. However, since you have logged into their sites, they know who you are. If you don’t want to share information, you are in control.” -Tor Project FAQ
FAQ
What kind of phone should I get?
The best option you can have in your hand right now is a Pixel or an iPhone according to Daniel Micay, who is a prominent mobile security developer.
What kind of computer should I get?
Get a computer that can run MacOS, ChromeOS, or QubesOS.
Macbook
Get a new Macbook air or Macbook pro. Apple has gone great lengths to protect their users privacy and security. This doesn’t mean to blindly trust their claims (I still wouldn’t use iCloud for storage without cryptomator and I would much prefer Signal over iMessage). If you’re technically literate, read about Apple’s T2 security chip.
Chromebook
ChromeOS is developed first by the open-source team behind Chromium. Google then adds in their stuff to make ChromeOS. Before buying, just remember Google isn’t privacy friendly if you use their services (Gmail, Google Drive, etc.). For a in-depth view at how the Chromium team is approaching security, read this page.
QubesOS on ThinkPad X200, X220, or X230
You can pick one of these up on Ebay for less than $400. They are robust, easy to use, and will last a while. These should work well for QubesOS. I use QubesOS on a X220, and I love it. Watch Micah Lee’s talk on why qubesOS is awesome.
If you really need to run Linux, Fedora is the least bad security-wise
Thinkpad X220 or X230 should run what you need for Fedora.
If you really must have a recommendation that’s suitable for regular people, then get either a Chromebook or a Macbook and use the standard OS with the security features intact.
In general, the assumption that open source software is any more secure or even private in practice is totally wrong and not based on reality.
-Daniel Micay
Why should I care about privacy? I don’t have anything to hide.
I found that these two quotes best sum up the issue:
Over the last 16 months, as I’ve debated this issue around the world, every single time somebody has said to me, “I don’t really worry about invasions of privacy because I don’t have anything to hide.” I always say the same thing to them. I get out a pen, I write down my email address. I say, “Here’s my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you’re doing online, read what I want to read and publish whatever I find interesting. After all, if you’re not a bad person, if you’re doing nothing wrong, you should have nothing to hide.” Not a single person has taken me up on that offer.
- Glenn Greenwald Why privacy matters - TED Talk
and
Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
- Edward Snowden on Reddit
For more:
- Watch Greenwald’s TED Talk
- Read Professor Daniel Solove’s paper
- Browse the Wikipedia article about this issue.
Next Level Steps. Finished with the steps above? Here are some more steps you can take.
Change your email
Email is fundamentally an insecure protocol, you should use Signal or Wire to keep your conversations safe.
Encrypting email is asking for a calamity. Recommending email encryption to at-risk users is malpractice. Anyone who tells you it’s secure to communicate over PGP-encrypted email is putting their weird preferences ahead of your safety.
That being said, the following four email providers have shown dedication to keeping your information safe. This will not “secure your email”, but it is safer than using gmail or most other popular services, since their business models aren’t based on advertising. Pick one and make the migration from less friendly services.
Cost: 12 € per year
Free
Free
Cost: 12 € per year
Backup your files
No one wants to lose all their data. Keeping encrypted backups on an external hard drive allows you to keep a snapshot of your system over time. If something goes wrong, you can restore to a previous time. For a cross-platform tool, check out Duplicati.
I recommend using BorgBackup for MacOS and Linux.
A graphical app that uses Borgbackup is called Vorta. It makes backups simple.
You may want to consider keeping cloud backups. This means that you’re storing your files on a company’s servers (they take care of redundancy). It’s recommended to use software like Cryptomator so that these companies don’t have access to the contents of your files.
Cloud backup providers that support zero-knowledge backups (where the provider can’t see your data) by default:
Upgrade and protect your home network
Most consumer routers are horribly outdated and riddled with bugs. In 2018, the U.S. government advised that U.S. citizens reset their routers since the Russian government attacked and successfully subverted hundreds-of-thousands of routers throughout the world. Most consumer routers never get updated. These are actually small computers that need regular updates to patch for security issues or bugs.
PFsense router and firewall with a wireless access point
PFsense is an open source operating system that specializes as a firewall, router, gateway, and more. Netgate makes PFsense appliances that I recommend.
In addition to the router, you’ll need a wireless access point for WiFi. Pick up a wireless access point, like one made by Ubiquiti and you should be set.
Leave Social Media Behind
Vox released a video entitled “Why every social media site is a dumpster fire”. The video explains how social media sites are very good at increasing tribalism and minimizing good conversation.
Cal Newport, professor of computer science at Georgetown University recommends digital minimalism as the antidote to the scourge of social media on our attention.
There’s this sense right now out there in the culture where people say, “Okay, wait a second. Who ever said that the right way to use a smartphone is I have to look at it all the time? When did I sign up for that? When did I think like, ‘You know what I really need to do is look at this little screen three to four hours a day’?” No one signed up for that, and they’re waking up one day and realizing they’re doing it. These companies have gone too far and gotten too good into making that into an addictive experience…
-Cal Newport on the brainfluence podcast
The popular Youtube channel Yes Theory released a video detailing how 30 days without social media helped their focus.
Roger McNamee, one-time advisor to Mark Zuckerberg and author of the book Zucked: Waking Up to the Facebook Catastrophe brought to our attention how there are no rules in the current system to protect our digital safety:
Consumers feed the machine because of the convenience it provides. But we, the people, have little say in this new data economy. We are merely the subject, and, increasingly, the victims of it.
There are few rules in this country when it comes to the gathering or use of data. Important questions need to be asked. Why, for example, is it legal to sell or trade data about our credit card purchases, our personal health, geolocation, or Internet activity?
Why is it legal for smart devices to listen in on us in our bedrooms and offices? Why is it legal to collect any data at all about minors? Why do data companies generally bear no liability when they take or use our data without permission?
-Roger McNamee, PBS Newshour
Edward Snowden, the whistle-blower and former NSA contractor stated that:
Businesses that make money by collecting and selling detailed records of private lives were once plainly described as “surveillance companies.” Their rebranding as “social media” is the most successful deception since the Department of War became the Department of Defense.
-@Snowden, 2018.03.17
Social media can:
- Take away meaningful connections
- Waste time
- Use you as a product
- Aide government surveillance
- Make you feel like you are missing out, when you’re not
Using optional online activity in an intentional and minimalist way can:
- Be empowering
- Create true connection
- Allow time for focus
- Inspire mindfulness
Carry a second-factor token with you
“When it comes to online security, confusion about the risks can lead people to obsess over obscure threats while ignoring key innovations that could truly protect them. Even highly-targeted users like politicians and activists don’t fully appreciate the scourge of phishing, and many aren’t familiar with an emerging form of two-factor authentication known as “Security Keys” that we hope can stop it in its tracks … phishing is the silent killer, and relying on a password alone is a recipe for disaster. Two-factor authentication (even with a code delivered by SMS) is still way better than the alternative, but if you’re an at-risk user — like a political figure, celebrity, activist, or journalist — please consider FIDO Security Keys for all your sensitive accounts. Anything less would be uncivilized. 🔐” -Mark Risher’s Phishing and Security Keys
Trezor
Yubikey
Onlykey
You can use a commercial VPN if you want, but remember: “A VPN is an ISP”
Privacy and anonymity researcher Sarah Jamie Lewis points out that using a virtual private network (VPN) doesn’t keep you anonymous. Rather, you’re taking the burden of potential surveillance and moving it from your current Internet service provider (ISP) and moving it to another by using a VPN. This doesn’t mean “don’t use a VPN”. It means treat your VPN just like an ISP.
For more tools, head over to privacytools.io.
Summary
- Use a Chromium based browser for most tasks (Chrome, Brave, Bromite)
- Use Signal for communication
- Use Dice based passphrases
- Use a password manager
- Use two-factor authentication
- Sign up for haveibeenpwned
- Educate yourself on how to spot phishing and best daily practices
- Use Syncthing to keep your data in sync
- Turn on auto-updates
- Keep a passcode on your phone
- Stay informed, sign up for updates from the This Week in Security newsletter and the EFF
- Use other tools like Tor browser, Wire and veracrypt depending on your needs
- Phone: get a pixel or iPhone
- Computer: get a Macbook, Chromebook, or Qubes capable laptop
- Privacy is important
- Email: it’s an insecure protocol, but Posteo, Tutanota, Protonmail, and Mailbox.org are a bit better than others
- Use Borg and Vorta to backup your devices. Perhaps use borgbase or Tarsnap.
- Get a PFsense router for your home network
- Social media is a dumpster fire; leave it.
- Carry a second factor token (Yubikey, Trezor, Onlykey)
- VPNs aren’t really privacy friendly. Tor is better for private activities.
About
This site was aimed at the layperson and was intended to get privacy-security preserving tech into the hands of as many people as possible. Therefore, it may not meet your needs if you require a higher level of anonymity or have a complex threat model. If your needs are greater than this project, please check out the following:
- QubesOS
- Tails
- One-time Pad Encryption
- Dulle’s Rules of Tradecraft and the Moscow Rules
- Auditor App by Daniel Micay
- GrapheneOS
Contact
I’m Grant. For the past many years I’ve spent a large amount of hours learning more about technology, security, Linux, and network infrastructure.
My handle is @increasingawareness. I’m not currently on any social media platforms.
Wire messenger - @increasingawareness
XMPP - gmj@conversations.im
Email - digitalsafety@tuta.io
Contribute
If you feel that anything on this site needs to be changed, redacted, or added, please feel free to open an issue or submit a pull request on Github.
Credits
- To Tom Preston-Werner and Jekyll contributors for Lanyon-theme and associated CSS under the MIT license.
- Font-Awesome used under the Font Awesome Free License.
- To Bjørn Erik Pedersen for the wonderful static site generator Hugo under the Apache 2.0.
- To my family and friends for their patience and support. =)
Legal
Original content of this site is published into the public domain under the creative commons zero. This creator is dedicated to the free exchange of ideas, art, and science.
Additionally, the end-user retains all liability of using the services listed here and will not hold liable digitalsafety.tips or its creators.
Logos and screenshots used under fair-use. This site will comply with DMCA notices or takedown messages. Please contact the site by emailing digitalsafety@tuta.io