Distilling tips down for regular users who don't use SSH or are intimidated by compiling KeePassX for Linux themselves, my tips would be:<p>1. Use a user-friendly password manager like Dashlane or 1Password with a long unique password and a second factor (that isn't SMS based). Password re-use is the #1 way accounts are being compromised at the moment and there are now good password managers that are easy to use with a low barrier to entry.<p>2. Use an extensive ad blocker like uBlock Origin and use <i>multiple profiles in your browser to separate your serious accounts like webmail and banking from general web browsing</i>. The other common way of being exploited is drive-by malware and web-based exploits. A combination of blocking third-party content and separating your browsing profiles will prevent a lot of it. Don't feel guilty about blocking ads - most publishers are extremely negligent with what they allow on their sites via ad networks. Bonus: switch to Chromium[0] (Firefox isn't sandboxed and exploits are too common) (but alert yourself to Chromium updates with an IFTTT of the release blog to <pick your notification method>) or alternatively remove Google, Flash, Java etc.<p>3. Get a VPN subscription and set it up on your laptop & mobile devices. Seriously, don't use open WiFi networks or shared networks without wrapping your connections in encryption. sslstrip is extremely effective and many apps either don't verify/authenticate SSL connections or don't pin certificates. IVPN, PIA, the Sophos VPN product - take a pick.<p>4. Most home routers are super shit and full of holes. Upgrade to a router that supports open firmware and pick one of openwrt, dd-wrt, monowall, pfsense etc. Bonus: run a UTM like Untangled (commercial) or Sophos (free up to 50 CALs iirc)<p>5. Encrypt your stuff - VeraCrypt is a decent TrueCrypt fork but most operating systems now have support for volume encryption - your local disk, USB sticks[1], or a file-based volume. Backups should be to encrypted media<p>6. Be anonymous - create a disposable email with a fake name to sign up to services with. Even better, sinkhole a random domain name you register. No service outside of banking, insurance, health, etc. <i>really</i> needs to know your actual identity details.<p>[0] <a href="https://download-chromium.appspot.com/" rel="nofollow">https://download-chromium.appspot.com/</a><p>[1] <a href="http://www.theinstructional.com/guides/encrypt-an-external-disk-or-usb-stick-with-a-password" rel="nofollow">http://www.theinstructional.com/guides/encrypt-an-external-d...</a>
> Use unique SSH keys for each service (sharing a SSH key on your GitHub/Gitlab account, network router and AWS/Azure instance is a very stupid idea); use ssh-keygen -t rsa -b 4096 to generate a 4096 bit RSA SSH key.<p>I tried this. Turns out to be a bad idea. SSH will walk through each private key and attempt to authenticate with it in order. That means a lot of bad login attempts which in turn leads to getting locked out. SSH public keys are public for a reason.<p>What attack is this even preventing - that someone will be able to reverse ssh public keys and get the private? A better approach is to generate a unique key per client so that if you lose access to a device you can remove only its public key.<p>> Also, you should download the source code, compile it (using a Linux machine) and always look over the source code for rogue functions<p>So becoming an Underhanded C Contest judge is the price of admission to using the internet? Can anyone really be expected to do that? Can we blame anyone who gets owned because they didn't?
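The lockout described in the comment above happens when the client offers every key it holds and each rejected offer counts against the server's attempt limit. An `ssh_config` sketch that keeps one key per service but offers only that key to each host, as an added example that is not part of the thread; the host names and key file names are placeholders:

```sshconfig
# ~/.ssh/config (constructed example; hosts and key file names are placeholders)

# Weak: nothing pinned. The client offers the agent's keys and the default
# identity files one after another, and every rejected offer counts against
# the server's MaxAuthTries limit (sshd default: 6).
# Host router.example
#     User admin

# Corrected: one key per service, and only that key is offered to the host.
Host github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_github
    IdentitiesOnly yes

Host router.example
    User admin
    IdentityFile ~/.ssh/id_ed25519_router
    IdentitiesOnly yes

# Fallback for hosts without their own block: never offer agent keys that
# were not configured for that host.
Host *
    IdentitiesOnly yes
```

`ssh -G router.example` prints the effective options for a host, which is a quick way to confirm which identity files will be offered.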
<i>I highly recommend using KeepassX as a password manager, secured using a key file and not a password.</i><p>I like KeePassX as well, but prefer to unlock using a password. I have a Yubikey programmed to output a 32 character random password that I generated and I append to that a 16 character password that's in my head. I keep the Yubikey and the SD card on which I have the password vault separate. The SD card itself is encrypted* and the version of KeePassX I run is on the card and is one I compiled myself.<p>Not sure I'd be getting additional protection with a key file. But perhaps I am wrong.<p>*I did that so that someone couldn't just copy the KeePassX database off it when I wasn't looking and run some offline attack against it. The SD card also has a kind of social engineering defence mechanism on it to dissuade the curious from playing with it... I wrote the word INFECTED on it.
> Also, you should download the source code, compile it (using a Linux machine) and always look over the source code for rogue functions, you CANNOT afford a vulnerability inside the password manager.<p>I'm not sure that this is actually possible in any reasonable sense. It's not that hard to throw in an obfuscated back door into source code, especially in a complex system (ignoring the build chain and the whole trusting trust thing.)<p>Even if there are a small number of people who have the time and expertise to audit such systems, it just doesn't scale.
Nice list of browser extensions. Just to add on a few that I use that might not get a lot of exposure but are still very comprehensive:<p>Privacy Settings: <a href="https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/privacy-setti...</a><p>Decentraleyes: <a href="https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/decentraleyes...</a>
This is overboard and paranoid for the average user. You are almost certainly not a target for your government and probably not a criminal and so don't need to worry about full disk encryption, your Google search history, a judge compelling you to unlock your phone, etc.<p>Most people should just use an adblocker and strong passwords.
It is scary to realize that there is no realistic real-life way to be at least close to keeping information secure. We are just closing holes in a sieve.
If you're seriously concerned that someone will break into your house and remove the screws on your laptop to mess with it, you have problems way beyond what strong passwords and ad blockers can solve.
I'd rather a fingerprint to lock my phone and always lock on screen blank, than a PIN so complex I'll hardly ever lock my phone.<p>If you're living as some kind of enemy of the state maybe it's just time to stop developing software. And do you really need to holiday in North Korea?
The part about the browser is a bit too short.<p>If you are privacy conscious you should configure your browser to<p>a) block 3rd party cookies (all browsers except Safari have them enabled by default, even Firefox)<p>b) delete all cookies when the browser is closed.<p>Make it a habit to close the browser every now and then.
Getting a Yubikey? What about this?
<a href="https://news.ycombinator.com/item?id=11690774" rel="nofollow">https://news.ycombinator.com/item?id=11690774</a>
Very nice read. I would add a subscription to "have i been pwned?" to learn of data breaches.<p><a href="https://haveibeenpwned.com/" rel="nofollow">https://haveibeenpwned.com/</a>
<i>Use unique SSH keys for each service (sharing a SSH key on your GitHub/Gitlab account, network router and AWS/Azure instance is a very stupid idea)</i><p>I don't see how this makes sense. Assuming your private keys all live on the same machine (presumably with 0600 in /.ssh), then if your machine is stolen and your user password compromised, access to one private key is the same as access to all of them.
The advice here recommends generating RSA keys. Mozilla recommend using ED25519 keys "when backwards compatibility is not required" [1]<p>[1] <a href="https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Key_generation" rel="nofollow">https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Key_gen...</a>
The sad thing about this and other otherwise good privacy guides is that it can be properly applied only by a small fraction of all people who really need this privacy in their everyday work and life. Especially I like the "look over the source code for rogue functions" part.
What about mobile privacy? Which OS? Which phone? Which app? The author forgot there is even more privacy info we could lose via mobile with its built-in sensors and features.
I assume everything is hacked/unsecure and any information put on the net will be able to be accessed by all sorts of bad actors.<p>I laugh when websites etc ask for a phone number to help secure. My first thought is great idea so now when you get hacked you can give up my phone number too!<p>Internet has been and always will be Mos Eisley spaceport to me.
About full disk encryption for Windows: what is the safest bet here? I mean, what if a single sector of my disk gets corrupted, will I lose my entire data because of that? What kind of encryption is less prone to data corruption?<p>I'm worried about this. And how about .tar.gpg backups, if I lose a single byte I lose the entire file?
I'd add AppArmor or SELinux or virtualization (or all at once) for untrusted closed-source crap like Skype. Well, for things with large attack surface, like web browsers, it's important, too.<p>This is hard to recommend to everybody, but I use SELinux and this way I am more sure that my private keys won't get stolen.
For those who want to learn more about Duck Duck Go bangs, I regularly update a blog that showcases useful Duck Duck Go bangs: <a href="http://wp.me/P7uQ4N-7" rel="nofollow">http://wp.me/P7uQ4N-7</a>
Does anyone know of any good hardware password managers?<p>I'd love to switch from a software to an offline, open source, and self maintainable solution that will work for everything, not just websites/when I have my browser open.
I'm assuming OS X's FileVault is fine for full-disk encryption? It only sends your key to Apple if you choose to, and it's completely transparent from the end-user's perspective.
I think it's somewhat negligent to recommend people use the only browser that doesn't have a sandbox.<p>You're trading privacy for security, and where you have less security your privacy is long gone.
<i>You should be using either Bitlocker (for Windows platforms, warning ahead) or LUKS (Linux platforms) full disk encryption</i><p>Using encryption on a laptop can be very battery-greedy unfortunately.
Amazing the post and no comments here have mentioned the Tor Project.<p><a href="https://www.torproject.org/" rel="nofollow">https://www.torproject.org/</a>
<i>Begins blatant plug</i><p>If you're looking for a tool which has a ton of easy security guides all in one place, you might like to try Umbrella App. It has lessons and checklists on everything from how to send a secure email to how to deal with a kidnapping. Built by the human rights and tech community, it's open source and available on Android.<p><a href="https://play.google.com/store/apps/details?id=org.secfirst.umbrella" rel="nofollow">https://play.google.com/store/apps/details?id=org.secfirst.u...</a><p><i>Ends blatant plug :)</i>
Trying to save privacy is like trying to save horses for transportation, or bows and arrows for warfare.
We should figure out how to build a society that thrives on transparency instead!
The browser configuration here (disable various features) seemed too complex and reminded me of another, simpler, approach: do not power on your computer ever.
I get it, you probably want to be private and rather not have someone read everything you do. But if you follow this checklist to the letter, you'll have a big fat "SUSPECT" warning on your file in no time.<p>Hiding non-suspect behavior is, for everyone watching, the same as hiding very suspect behavior. If you do this and make a single mistake (anything really, speeding could be enough) there could be a red flag on your file that makes sure your possessions will be searched (and possibly taken) and be prepared to spend some time in jail.<p>I get it, everyone should be hiding all their activity online so that hiding your activity online isn't suspect behavior. But I really don't think that will ever happen and I'd rather be an open book about all my behavior than try to hide as much as possible while becoming a target.