Welcome to digitalsafety.tips, a guidebook aimed at simple solutions to keep people safe, secure, and private in the digital world.

Need a quick overview? You can jump to the summary.

person reading

Browse safely

Desktop

Use Chrome or Brave on your computer with the following extensions:

Ublock Origin
HTTPS Everywhere
Privacy Badger
Cookie Autodelete
Bitwarden

Mobile

Use Brave (iOS/Android) or Bromite (Android) on mobile.

Browser setup

Switch the search engine to duckduckgo in the browser settings.

Uncheck “allow Chrome sign-in” in Chrome’s settings

Disable Brave Rewards in Brave’s settings

If you have an objection for whatever reason to using a Chromium based browser, you can use Firefox with the extensions listed above, but know that it has much less protection against exploits and security hardening.

Keep conversations yours

Signal Messenger for Mobile and Desktop

Signal is a fun and peer-reviewed messaging app that allows you to connect in a way that respects you. Signal is non-profit, supports video/audio calls, messaging, Giphy, and group chats. It’s available on iOS, Android, MacOS desktop, Windows desktop, and Linux desktop. Make your conversations with people just between you and them, not between you and a company that sees you as a product.

Use passwords wisely

Every account should have its own unique password because it is dangerous to reuse the same password or a variant of the same password across sites. It’s unlikely that most people will remember a unique string of characters for every login, so it’s recommended to use a password manager to store passwords securely.

A password manager generates new passwords for you, and stores them until you need them. All you need to remember is one passphrase that protects all the other ones. As long as the password manager has a strong passphrase and a second-factor code to unlock it, the passwords will stay safe.

Create passphrases

A passphrase is usually longer and more memorable than the shorter but harder to remember password. You’ll need a master passphrase for your password manager which is best accomplished with the Diceware method. This method involves rolling physical die to randomly select 6 to 7 words from a word list. One simply strings these words together, all as one word and creates a mnemonic to remember it.

Despite what you may have heard from other sources, the math behind this method is sound since “a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.”¹

For now, we’ll create two passphrases this way: one for your password manager and one for your home computer. Passphrases are mainly good at securing top level information like your computer login, password managers, or keys. For all your accounts (email, bank, social media, etc.), you’ll want to use passwords generated with a password manager.

Go to EFF’s diceware list
Roll a die 5 times (or you can roll 5 dice once) and write down the numbers in groups of five on a piece of paper.
Do this 6 times. Believe it or not, this is the basis for your first passphrase which will protect your password manager.
Once you have done this, find the corresponding words in the word list and write them next to the numbers
Create a mnemonic story with the words
Write down the 6 generated words on a piece of paper that will fit in your wallet.
This is your master password for your password generator
Do not use it anywhere else.
Repeat this process to create the second passphrase for your computer login.
Shred the paper that you’ve carried with you after you’ve sufficiently memorized both passphrases. With a good mnemonic story, it shouldn’t take longer than a week.

Bitwarden password manager

Bitwarden is a password manager that has undergone security audits, encrypts your passwords without being able to access them, is open source, free, and multi-platform. You can even securely share passwords with others. If you’re technically apt, you can even host your own server. I recommend using the app on mobile and the browser plugin on desktop.

Passwords aren’t enough. Use 2FA.

Security is strongest in layers, with passwords being only the first layer in the system. Most people carry a phone which can easily be used as a second layer of security. 2FA (2 factor authentication) usually works by entering a code from your phone after using your password to login, ensuring you are the only person who can access the account.

There are three main types of authentication:

Type of authentication	How it works
Text message or phone call	Get an automated text or phone call and enter the code you read or hear.
App on your phone	Copy the time based code from an app on your phone.
Specialized device like a Yubikey, Onlykey, or Trezor	Press a button on the device or tap the device to your phone (see next level steps).

Prefer apps and specialized devices over text message authentication. However, text message based 2FA is better than not having any at all.

Go to https://twofactorauth.org/ to see some sites that support 2FA. Most banks, social media networks, and email providers have 2FA.

Note that security questions don't count as a second-factor. Security questions are very easy to guess or find out about a person, and are extremely risky to use in place of the above methods. If you must use a security question, I recommend using a random string of characters as the answer to the question. Then save it in your password manager.

andOTP for Android

Important—andOTP has the ability to backup security keys to wherever you would like. It is highly recommended to keep consistent and encrypted backups of your 2FA keys.

Tofu for iOS

Important—2FA keys are stored on your iPhone's secure keychain, so only iTunes/iCloud encrypted backups will include a backup to these keys. If you're restoring your device from an iTunes/iCloud backup, the app and all keys will be restored as well.

Created by security expert Troy Hunt, “Have I been Pwned?” is a service that keeps track of data breaches. Pronounced “pone,” pwn is internet slang for “to own” or to conquer to gain ownership. Enter your email at the site to see if any of your accounts have been breached. If anything has been breached in the past, don’t panic. Go to the website that was breached and change your password there. Be sure to subscribe to get notified of further breaches right away. Do this for each email you use.

Phishing, scams, remote access, behaviors

In general:

If it sounds too good to be true, it usually is.
Verify that you are seeing “https” when visiting websites.
Don’t click on links in emails you don’t know.
Don’t open or download files from a source you don’t know.
If it’s a supposed government agency, they will get a hold of by official means (the IRS will never call you, they will send you postal mail).
Don’t be fooled by visual similarities, always verify who is contacting you.
Pay attention to browser alerts and security exceptions.
Be very careful of shortened links.

phonecall

Inspect emails carefully

“Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information – such as account numbers, Social Security numbers, or your login IDs and passwords. Scammers use your information to steal your money or your identity or both. Scammers also use phishing emails to get access to your computer or network then they install programs like ransomware that can lock you out of important files on your computer. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.” -Federal Trade Commission

Don’t trust; verify.

It’s relatively easy to trust what people say. When it comes to your personal information remember the above maxim. Verify who people are and what they are doing is essential when dealing with tech support, financial institutions, or businesses. This process helps you avoid social engineering. In general, don’t allow people to remote access your computer unless your business-place has this setup to begin with.

Keep it secret; keep it safe.

As the wise wizard said. Corollaries to this phrase include:

Additionally, avoid using "smart" appliances or home assistants (Amazon's Alexa, Google Home, etc.). These are set up to listen in constantly, using the information from your everyday life as a means for profit.

For more on phishing, check out this comic from The Intercept.

Healthy behaviors

Security Researcher Alec Muffett created “Your Cyber-5-A-Day” which I think sums up a lot of behavioral ways we can create digital safety:

In an attempt to encapsulate good security practice in just five rules that you should practice daily, as part of your “business as usual”, I would propose the following —but be aware that this is not an exhaustive list of security practices, it’s just my top five “healthy behaviours” for home or business:

Install all software updates and patches promptly; if you use anti-malware software, then update it promptly, too.

Stop using, even erase, delete or destroy, any software or devices which are past their end-of-life, end-of-support, or for which you can no longer obtain software updates. Make sure to save any data that you want or need.

Use, and promote use of, different passwords for every site and app that relies upon passwords; using password management software may help.

Consider each piece of data you create and what would happen if you lost it, or if it leaked to the public at large. Make backups accordingly.

Review your security settings — iOS, Android, Facebook, Gmail, Linux, MySQL, VCL, Junos — check out what’s publicly visible and who and how can access your account or system. Keep it tidy.

Be your own cloud

Usually, a cloud is comprised of a specific company’s servers. Servers are just computers and storage devices that are accessible over a network. In this case, when you access something on Apple’s cloud, Dropbox, Google drive, etc., your device is actually logging onto that company’s server and accessing from there. This solves a great many problems, but it creates a few weighty ones too. The weightiest is that your personal data exists on a device controlled by companies that want to make money off of you.

Syncthing

Syncthing allows you to sync folders and files to each of your devices and work collaboratively with others. You could sync your photos in a family folder, edit files for a collaborative project, or keep the photos on your phone backed up to your main computer. This tool currently works with Android, MacOS, Windows, and Linux. An iOS version does not currently exist. If you need a cloud tool that works with iOS, check out Cryptomator below.

Cryptomator

Cryptomator is a tool that works with current cloud providers (Google Drive, iCloud, Dropbox, and more). The main benefit is that your data stays yours—those companies aren’t able to access your data since it’s encrypted. It works on all the major platforms.

Update. Update now! Turn on auto-updates.

Updating is the digital hygiene equivalent to flossing your teeth. It can be annoying to take a few seconds or minutes to update and restart your devices, but just do it. Vulnerabilities in the code need to be flossed out. There are people actively looking for non-updated software in order to hack it.

Google Play and Android

To automatically update apps on your Android device:

Open the Google Play Store app Google Play. Tap Menu Menu and then Settings. Tap Auto-update apps. Select an option:
- Auto update apps at any time to update apps using either Wi-Fi or mobile data.
- Auto-update apps over Wi-Fi only to update apps only when connected to Wi-Fi.

For the Android System

You’ll get notifications when updates are available for you.

Apple iOS

For the iOS system:

With iOS 12, you can have your iOS device update automatically. To turn on automatic updates, go to Settings > General > Software Update > Automatic Updates. Your iOS device will automatically update to the latest version of iOS. Some updates might need to be installed manually.

For apps on your iPhone:

Tap Settings > [your name] > iTunes & App Store. Turn on the content that you want to automatically download.

Apple MacOS

To automatically download updates in the future, choose Apple menu > System Preferences, click App Store, then select ”Download newly available updates in the background.” Your Mac will notify you when updates are ready to install.

-Apple Support

Microsoft Windows

For Windows 10 app store

Select the Start screen, then select Microsoft Store.

In Microsoft Store at the upper right, select the account menu (the three dots) and then select Settings.

Under App updates, set Update apps automatically to On.

For Windows 8.1 and Windows RT 8.1 app store

On the Start screen, select Store to open the Store.

Swipe in from the right edge of the screen, and then tap Settings. (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Settings.)

Tap or click App updates.

Make sure Automatically update my apps is set to Yes.

-Windows Support

For the Windows operating system

Windows Update automatically offers updates to eligible devices. To double check that your device is up to date, open Settings > Update & Security > Windows Update to see your update status.

Linux

It depends on what Linux distribution you have and how it have it configured. If you are running Debian, you can install gnome-packagekit and the gnome extension Apt Update Indicator. This will automatically tell you when updates are available and allow you to update the system graphically.

Keep your devices on lock

Please keep a passcode on your phone! Today, most modern phones (both Android and iOS) also encrypt your data so you can be sure that if you lose your device or if someone steals it, no one else can have access to it.

phonelock

On Windows, you may want to consider using Veracrypt.

Apple computers also have FileVault, which protects the data on your Mac. Go into the settings and activate it.

On Linux, you can enable encryption on install.

If you want to learn more about this subject, the EFF has an excellent guide on keeping your data safe.

Stay informed

From the Security Editor at Tech Crunch Zack Whittaker, the This Week in Security Newsletter gives you a weekly overview of security stories from the week.

EFF

“The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.”

The EFF has stories out almost everyday about your rights online. Follow them and consider joining to support online freedom.

Motherboard

Motherboard reports on all sorts of tech issues. They have robust security coverage.

“The real protection comes when we recognize that privacy is a team sport” -EFF

Get close friends and family on Signal, tell them about Brave browser being able to block ads, and show them how to make secure passphrases. This way we can help everyone be safe, secure, and private.

Other tools

These tools are in addition to the basic tools that I recommend above. You may or may not have a use case for them.

Mobile/Desktop: Communicate securely with Wire messenger

Using a similar protocol to Signal, Wire is a commercial company that allows for secure communication with others. It’s free for personal use. You can also use it for your business with their paid plans.

Desktop: Encrypt files or disks with Veracrypt

Veracrypt allows one to keep files in a secure container or encrypt whole disks.

Mobile/Desktop: Keep your searches and perusing anonymous with Tor

The Tor browser is an amazing tool that allows one to freely browse the web anonymously. It connects to volunteers who operate servers all over the world and encrypt your web traffic in layers like an onion. It does this 3 times so that no one can connect the requester of the data with the data itself. If you would like to be anonymous on the web, the tor browser is your ticket.

“Tor protects the network communications. It separates where you are from where you are going on the Internet. What content and data you transmit over Tor is controlled by you. If you login to Google or Facebook via Tor, the local ISP or network provider doesn’t know you are visiting Google or Facebook. Google and Facebook don’t know where you are in the world. However, since you have logged into their sites, they know who you are. If you don’t want to share information, you are in control.” -Tor Project FAQ

FAQ

What kind of phone should I get?

The best option you can have in your hand right now is a Pixel or an iPhone according to Daniel Micay, who is a prominent mobile security developer.

What kind of computer should I get?

Get a computer that can run MacOS, ChromeOS, or QubesOS.

Macbook

Get a new Macbook air or Macbook pro. Apple has gone great lengths to protect their users privacy and security. This doesn’t mean to blindly trust their claims (I still wouldn’t use iCloud for storage without cryptomator and I would much prefer Signal over iMessage). If you’re technically literate, read about Apple’s T2 security chip.

Chromebook

ChromeOS is developed first by the open-source team behind Chromium. Google then adds in their stuff to make ChromeOS. Before buying, just remember Google isn’t privacy friendly if you use their services (Gmail, Google Drive, etc.). For a in-depth view at how the Chromium team is approaching security, read this page.

QubesOS on ThinkPad X200, X220, or X230

You can pick one of these up on Ebay for less than $400. They are robust, easy to use, and will last a while. These should work well for QubesOS. I use QubesOS on a X220, and I love it. Watch Micah Lee’s talk on why qubesOS is awesome.

If you really need run Linux, Fedora is the least bad security-wise

Thinkpad X220 or X230 should run what you need for Fedora.

If you are a non-techie, feel free to ignore this blurb. Before fellow privacy nerds freak out, I will just say: I agree with you on principle, it would be better for all things to have source code published and code developed in an open democratic way (and copyleft or creative commons). I get it. However, the reality of the situation---even if you're running hardened gentoo or believe that SElinux solves all your problems---is that the hardware and firmware are not totally open source (even if you're running on a Talos II) . Further, the Linux kernel and distro security management (I'm looking at you Debian), are light-years behind MacOS, AOSP, or Windows. I used to believe that Linux was more secure. That was what the community told me at least. It wasn't until I started digging that I found problems. This piece in the Washington Post details the issue pretty well. I don't believe you can have privacy (one of the three aspects of digital safety) without security. Voyeurs would have there way without locks on doors. Privacy can't be had without security. Secrets leak without proper security management. Remember Dirty COW? "Earlier this week, Linus Torvalds admitted that 11 years ago he first spotted this issue and also tried to fix it, but then he left it unpatched because at the time it was hard to trigger." If you really like Linux, just use QubesOS. It will keep you actually safe.

If you really must have a recommendation that’s suitable for regular people, then get either a Chromebook or a Macbook and use the standard OS with the security features intact.

In general, the assumption that open source software is any more secure or even private in practice is totally wrong and not based on reality.

-Daniel Micay

Why should I care about privacy? I don’t have anything to hide.

I found that these two quotes best sum up the issue:

Over the last 16 months, as I’ve debated this issue around the world, every single time somebody has said to me, “I don’t really worry about invasions of privacy because I don’t have anything to hide.” I always say the same thing to them. I get out a pen, I write down my email address. I say, “Here’s my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you’re doing online, read what I want to read and publish whatever I find interesting. After all, if you’re not a bad person, if you’re doing nothing wrong, you should have nothing to hide.” Not a single person has taken me up on that offer.
- Glenn Greenwald Why privacy matters - TED Talk

and

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
- Edward Snowden on Reddit

For more:

Watch Greenwald’s TED Talk
Read Professor Daniel Solove’s paper
Browse the Wikipedia article about this issue.

Next Level Steps. Finished with the steps above? Here are some more steps you can take.

Change your email

Email is fundamentally an insecure protocol, you should use Signal or Wire to keep your conversations safe.

Encrypting email is asking for a calamity. Recommending email encryption to at-risk users is malpractice. Anyone who tells you it’s secure to communicate over PGP-encrypted email is putting their weird preferences ahead of your safety.

-Latacora

That being said, the following four email providers have shown dedication to keeping your information safe. This will not “secure your email”, but it is safer than using gmail or most other popular services, since their business models aren’t based on advertising. Pick one and make the migration from less friendly services.

Cost: 12 € per year

Free

Cost: 12 € per year

Backup your files

No one wants to lose all their data. Keeping encrypted backups on an external hard drive allows you to keep a snapshot of your system over time. If something goes wrong, you can restore to a previous time. For a cross-platform tool, check out Duplicati.

I recommend using BorgBackup for MacOS and Linux.
A graphical app that uses Borgbackup is called Vorta. It makes backups simple.

You may want to consider keeping cloud backups. This means that you’re storing your files on a company’s servers (they take care of redundancy). It’s recommended to use software like Cryptomator so that these companies don’t have access to the contents of your files.

Cloud backup providers that support zero-knowledge backups (where the provider can’t see your data) by default:

Upgrade and protect your home network

Most consumer routers are horribly outdated and riddled with bugs. In 2018, the U.S. government advised that U.S. citizens reset their routers since the Russian government attacked and successfully subverted hundreds-of-thousands of routers throughout the world. Most consumer routers never get updated. These are actually small computers that need regular updates to patch for security issues or bugs.

PFsense router and firewall with a wireless access point

PFsense is an open source operating system that specializes as a firewall, router, gateway, and more. Netgate makes PFsense appliances that I recommend.

In addition to the router, you’ll need a wireless access point for WiFi. Pick up a wireless access point, like one made by Ubiquiti and you should be set.

Vox released a video entitled “Why every social media site is a dumpster fire”. The video explains how social media sites are very good at increasing tribalism and minimizing good conversation.

Cal Newport, professor of computer science at Georgetown University recommends digital minimalism as the antidote to the scourge of social media on our attention.

There’s this sense right now out there in the culture where people say, “Okay, wait a second. Who ever said that the right way to use a smartphone is I have to look at it all the time? When did I sign up for that? When did I think like, ‘You know what I really need to do is look at this little screen three to four hours a day’?” No one signed up for that, and they’re waking up one day and realizing they’re doing it. These companies have gone too far and gotten too good into making that into an addictive experience…

-Cal Newport on the brainfluence podcast

The popular Youtube channel Yes Theory released a video detailing how 30 days without social media helped their focus.

Roger McNamee, one-time advisor to Mark Zuckerberg and author of the book Zucked: Waking Up to the Facebook Catastrophe brought to our attention how there are no rules in the current system to protect our digital safety:

Consumers feed the machine because of the convenience it provides. But we, the people, have little say in this new data economy. We are merely the subject, and, increasingly, the victims of it.

There are few rules in this country when it comes to the gathering or use of data. Important questions need to be asked. Why, for example, is it legal to sell or trade data about our credit card purchases, our personal health, geolocation, or Internet activity?

Why is it legal for smart devices to listen in on us in our bedrooms and offices? Why is it legal to collect any data at all about minors? Why do data companies generally bear no liability when they take or use our data without permission?

-Roger McNamee, PBS Newshour

Edward Snowden, the whistle-blower and former NSA contractor stated that:

Businesses that make money by collecting and selling detailed records of private lives were once plainly described as “surveillance companies.” Their rebranding as “social media” is the most successful deception since the Department of War became the Department of Defense.

-@Snowden, 2018.03.17

Social media can:

Take away meaningful connections
Waste time
Use you as a product
Aide government surveillance
Make you feel like you are missing out, when you’re not

Using optional online activity in an intentional and minimalist way can:

Be empowering
Create true connection
Allow time for focus
Inspire mindfulness

Carry a second-factor token with you

“When it comes to online security, confusion about the risks can lead people to obsess over obscure threats while ignoring key innovations that could truly protect them. Even highly-targeted users like politicians and activists don’t fully appreciate the scourge of phishing, and many aren’t familiar with an emerging form of two-factor authentication known as “Security Keys” that we hope can stop it in its tracks … phishing is the silent killer, and relying on a password alone is a recipe for disaster. Two-factor authentication (even with a code delivered by SMS) is still way better than the alternative, but if you’re an at-risk user — like a political figure, celebrity, activist, or journalist — please consider FIDO Security Keys for all your sensitive accounts. Anything less would be uncivilized. 🔐” -Mark Risher’s Phishing and Security Keys

Trezor

Yubikey

Onlykey

You can use a commercial VPN if you want, but remember: “A VPN is an ISP”

Privacy and anonymity researcher Sarah Jamie Lewis points out that using a virtual private network (VPN) doesn’t keep you anonymous. Rather, you’re taking the burden of potential surveillance and moving it from your current Internet service provider (ISP) and moving it to another by using a VPN. This doesn’t mean “don’t use a VPN”. It means treat your VPN just like an ISP.

For more tools, head over to privacytools.io.

Summary

Use a Chromium based browser for most tasks (Chrome, Brave, Bromite)
Use Signal for communication
Use Dice based passphrases
Use a password manager
Use two-factor authentication
Sign up for haveibeenpwned
Educate yourself on how to spot phishing and best daily practices
Use Syncthing to keep your data in sync
Turn on auto-updates
Keep a passcode on your phone
Stay informed, sign up for updates from the This Week in Security newsletter and the EFF
Use other tools like Tor browser, Wire and veracrypt depending on your needs
Phone: get a pixel or iPhone
Computer: get a Macbook, Chromebook, or Qubes capable laptop
Privacy is important
Email: it’s an insecure protocol, but Posteo, Tutanota, Protonmail, and Mailbox.org are a bit better than others
Use Borg and Vorta to backup your devices. Perhaps use borgbase or Tarsnap.
Get a PFsense router for your home network
Social media is a dumpster fire; leave it.
Carry a second factor token (Yubikey, Trezor, Onlykey)
VPNs aren’t really privacy friendly. Tor is better for private activities.

About

This site was aimed at the layperson and was intended to get privacy-security preserving tech into the hands of as many people as possible. Therefore, it may not meet your needs if you require a higher level of anonymity or have a complex threat model. If your needs are greater than this project, please check out the following:

QubesOS
Tails
One-time Pad Encryption
Dulle’s Rules of Tradecraft and the Moscow Rules
Auditor App by Daniel Micay
GrapheneOS

Contact

I’m Grant. For the past many years I’ve spent a large amount of hours learning more about technology, security, Linux, and network infrastructure.

My handle is @increasingawareness. I’m not currently on any social media platforms.

Wire messenger - @increasingawareness
XMPP - gmj@conversations.im
Email - digitalsafety@tuta.io

Contribute

If you feel that anything on this site needs to be changed, redacted, or added, please feel free to open an issue or submit a pull request on Github.

Credits

To Tom Preston-Werner and Jekyll contributors for Lanyon-theme and associated CSS under the MIT license.
Font-Awesome used under the Font Awesome Free License.
To Bjørn Erik Pedersen for the wonderful static site generator Hugo under the Apache 2.0.
To my family and friends for their patience and support. =)

Legal

Original content of this site is published into the public domain under the creative commons zero. This creator is dedicated to the free exchange of ideas, art, and science.

Additionally, the end-user retains all liability of using the services listed here and will not hold liable digitalsafety.tips or its creators.

Logos and screenshots used under fair-use. This site will comply with DMCA notices or takedown messages. Please contact the site by emailing digitalsafety@tuta.io

https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/ ^[return]

digitalsafety.tips safe, secure, private