“Just because I’m paranoid… doesn’t mean they’re not watching me.”

Passwords

Use strong passwords (password manager preferred):

  • DO NOT share the same password between multiple accounts

If you create your own password:

  • BAD  - myp@$$w0rd -> hard to remember, easy to crack
  • GOOD - notacommonphraseorpredictable -> easy to remember, hard to crack (length)
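To make the BAD/GOOD contrast concrete, here is a small checker (an added example, not part of the original guide) that scores both passwords two ways: a naive brute-force estimate based on length and character classes, and a dictionary check that first undoes common substitutions such as @ for a and 0 for o. The tiny word list and the substitution table are constructed for the example; real cracking tools ship with far larger ones.

```python
import math
import string

# Constructed mini-dictionary standing in for a real cracking wordlist (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# Substitutions that cracking tools try automatically ("leetspeak" rules).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})


def naive_bits(password: str) -> float:
    """Search space in bits if an attacker had to try every combination.

    The charset is inferred from the character classes present, so this is
    an upper bound: it ignores that the password might be a dictionary word.
    """
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if any(c.isspace() for c in password):
        charset += 1
    return len(password) * math.log2(charset) if charset else 0.0


def deleet(password: str) -> str:
    """Undo common symbol/digit substitutions so 'myp@$$w0rd' reads 'mypassword'."""
    return password.lower().translate(LEET_MAP)


def dictionary_hit(password: str, words=COMMON_WORDS):
    """Return the dictionary word hidden in the password after de-leeting, or None."""
    plain = deleet(password)
    for w in sorted(words, key=len, reverse=True):
        if w in plain:
            return w
    return None


def assess(password: str) -> dict:
    """Combine both views: the naive number looks fine for the BAD password,
    the dictionary check is what exposes it."""
    hit = dictionary_hit(password)
    if hit:
        verdict = "easy to crack (dictionary word + substitutions)"
    elif len(password) >= 16:
        verdict = "ok"
    else:
        verdict = "too short"
    return {"password": password, "naive_bits": round(naive_bits(password), 1),
            "dictionary_word": hit, "verdict": verdict}


if __name__ == "__main__":
    for p in ("myp@$$w0rd", "notacommonphraseorpredictable"):
        print(assess(p))
```

The naive estimate gives myp@$$w0rd about 61 bits, which sounds respectable, yet the dictionary check finds "password" inside it immediately; the long lowercase phrase scores over 130 bits and matches nothing. That gap is why length and unpredictability beat symbol substitution.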

Wifi

Secure your home/office network with a strong password ☝️

  • Ensure your network is encrypted with WPA2 or WPA3.
  • Reboot your router at least once a month! (Increases performance and can disrupt malware)

Public Wifi

Avoid public wifi when possible (man-in-the-middle attacks); tether from your device instead.
When using public wifi:

  • Using a VPN is recommended (I like Mullvad)
  • DO NOT click banners ("Update your browser now!" etc.); an attacker on the same network can insert banners into pages you load (yes, really)
  • DO NOT update your passwords or sign up for new services
  • Autofill passwords when possible, rather than typing

Websites / Browsers

Use your web browser wisely!

  • Use browser plugins like uBlock Origin (ad blocker) and HTTPS Everywhere (most current browsers also ship a built-in HTTPS-only mode that does the same job)
  • Avoid websites without SSL encryption -> https (good) vs http (bad)
  • NEVER give credit card or personal info to an http site (unencrypted)
  • Avoid seedy websites, advert links, and pop ups (ublock helps with this)
  • Watch out for url typos - faceboot vs facebook, http vs https
  • Private / incognito mode DOES NOT prevent third parties from seeing your browsing history; it only hides your history from other people who use that computer. Mostly only useful if you're using someone else's computer...

On someone else’s computer:

  • Use incognito mode, for example at the library or at a friend's house. DO NOT use their profile when signing in to personal or business accounts!

Email

Provenance matters!

  • Avoid links and downloads from unknown sources
  • Be skeptical about strange requests, even from your own contacts
  • Contacts can be spoofed, for example gregshoal@gmail vs greggshoal@gmail - unknown senders can appear as if they are someone you know.
  • For emails having to do with money (banks, the IRS) - don't follow links from the email. Look the site up or sign in to your account directly. Assume you might be getting misdirected to a malicious site!
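The gregshoal vs greggshoal point can be turned into a mechanical check. The script below is an added example (not from the original guide) that compares a sender address against a constructed address book and flags addresses that are within a couple of edits of a known contact; the contact list and headers are placeholders.

```python
from email.utils import parseaddr

# Constructed address book (placeholder addresses, not real people).
KNOWN_CONTACTS = {"gregshoal@gmail.com", "pat@friend.example", "alerts@bank.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions, deletions
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, contacts=KNOWN_CONTACTS, max_distance: int = 2) -> tuple:
    """Return ("known", addr), ("lookalike", closest_contact) or ("unknown", addr).

    A "lookalike" is an address that is NOT in the contact list but sits
    within max_distance edits of one, e.g. one extra letter in the local part.
    """
    _display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in contacts:
        return ("known", addr)
    closest = min(contacts, key=lambda c: edit_distance(addr, c))
    if edit_distance(addr, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", addr)


if __name__ == "__main__":
    # Constructed From: headers.
    for hdr in ("Greg <gregshoal@gmail.com>",
                "Greg <greggshoal@gmail.com>",
                "Support <noreply@random.example>"):
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" result is the case the guide warns about: the display name looks right, the address is one character off. Treat it like an unknown sender and confirm through a channel you already trust.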

Personal Information:

  • Email is historically not secure. Avoid sharing sensitive information. For example, I would prefer to send my SSN over an https (SSL encrypted) form rather than an email. If use of email is needed, use PGP keys and encrypt sensitive information.

2FA

Two-factor authentication is useful and adds security; however, you must make sure to back up your recovery codes or credentials so you don't lock yourself out if you lose your phone etc.

Updates & maintenance

Schedule a routine:

  • Update your OS regularly (security updates patch vulnerabilities)
  • Back up your machine and valuable data to the cloud regularly.
  • Run CleanMyMac X or other virus scanning software regularly

Do a personal security audit once a year:

  • Change passwords for primary email and password manager (others if necessary)
  • Check your personal and business email addresses on HaveIBeenPwned
  • What was leaked? What risks can be mitigated?
  • Close unused accounts
  • Erase old emails and sensitive documents on the cloud where possible
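HaveIBeenPwned also offers a Pwned Passwords range lookup that fits the same yearly audit and does not need an account: you hash the password with SHA-1 locally, send only the first five hex characters, and compare the returned suffixes on your own machine. The code below is an added example, not part of the original guide; the sample response is constructed so it runs offline (the first suffix is the real SHA-1 of the word "password", the counts and the other suffixes are made up), and the live lookup function is included but not called.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into (first 5 chars, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank/odd lines are skipped."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, get_range) -> int:
    """How many times the password appears in the breach set (0 = not found).

    get_range(prefix) -> response text for that 5-character prefix. Only the
    prefix ever leaves the machine; matching happens locally.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(get_range(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network (not used by the offline demo below)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "personal-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response to prefix 5BAA6 (SHA-1 of "password").
SAMPLE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00000000000000000000000000000000000:2\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1\n",
}


def offline_lookup(prefix: str) -> str:
    """Offline replacement for fetch_range using the constructed responses."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "notacommonphraseorpredictable"):
        print(pw, "->", breach_count(pw, offline_lookup))
```

To run it against the real service, pass fetch_range instead of offline_lookup. A non-zero count means the password is in a public breach list and should be retired everywhere it was used, which is exactly the "what was leaked, what can be mitigated" step above.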

Pro tips

Some extra helpful info:

  • You can modify your email by adding + and a modifier to the prefix. For example, if I were signing up for BestBuy I could use george+bestbuy@openaq.org.
    • This way you can have “unlimited” email handles, and can trace who shared your email if you start getting spammed.
  • Be proactive rather than reactive. Don't blindly follow links; investigate and sign in to accounts directly. Don't make rash decisions out of fear; ask a friend or a colleague for a second opinion
  • These days anything can be spoofed - even a video or the voice of a loved one.
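The "+" trick above only pays off if you can see which tag mail arrives on. This added example (not from the original guide) parses plus-addressed recipients and reports tags that receive mail from a sender other than the service they were given to. The sample headers, domains and the expected-sender table are constructed placeholders.

```python
from email.utils import parseaddr


def split_plus_address(address: str):
    """Split local+tag@domain into (local, tag, domain); tag is None without a '+'."""
    _display, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, _, tag = local.partition("+")
    return base, (tag or None), domain.lower()


def trace_leaks(messages, expected_senders):
    """messages: (From header, To header) pairs.
    expected_senders: {tag: domain the tag was handed to}.

    Returns {tag: [sender domains that used the tag but were not expected]},
    i.e. the services that most likely shared or lost your address.
    """
    suspicious = {}
    for frm, to in messages:
        _, tag, _ = split_plus_address(to)
        if tag is None:
            continue  # plain address, nothing to trace
        _, _, sender_domain = split_plus_address(frm)
        if sender_domain != expected_senders.get(tag):
            suspicious.setdefault(tag, []).append(sender_domain)
    return suspicious


# Constructed sample headers (not real mail); all domains are placeholders.
SAMPLE_MESSAGES = [
    ("Best Buy <orders@bestbuy.example>", "george+bestbuy@openaq.org"),
    ("Deals <promo@cheap-pills.example>", "george+bestbuy@openaq.org"),
    ("Bank <alerts@bank.example>", "george+bank@openaq.org"),
    ("A friend <pat@friend.example>", "george@openaq.org"),
]
EXPECTED_SENDERS = {"bestbuy": "bestbuy.example", "bank": "bank.example"}


if __name__ == "__main__":
    print(trace_leaks(SAMPLE_MESSAGES, EXPECTED_SENDERS))
```

Two caveats: not every provider honours the "+" suffix and some sign-up forms reject it, and a spammer can simply strip the tag, so treat this as a tracing aid rather than a protection. A unique alias per service gives the same trace where "+" is not supported.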

Some of these ideas apply offline as well; be suspicious of calls, mail, and texts. For instance, if someone calls "from the IRS" threatening you with legal action, hang up and contact the IRS directly if you think it might be legit.

Store your passwords and keys

Anyone can forget their passwords or lose their device. Having a paper backup or maybe a thumb drive with your passwords in a safe or lockbox is recommended. At the bare minimum:

  • Your computer password
  • Your primary email password
  • Your password manager password
  • Crypto wallet passwords or private keys
  • PGP keys
  • Safe combinations etc…

Be safe online! 🥷🏽👊😎