A Guide to Not Getting Hacked

177 points by wnm, over 7 years ago

15 comments

tptacek, over 7 years ago
Everything that's in this piece that's true is on the Tech Solidarity guide. What isn't, is false.

https://techsolidarity.org/resources/basic_security.htm

In particular:

* Do NOT install antivirus on your computers. Antivirus software is absurdly dangerous. The closest you'll come to benign AV is Microsoft's, but that's an asymptotic kind of safety.

* Do NOT go out of your way to funnel your traffic through a commercial VPN provider. If you need a VPN for your NGO or journalism outlet, let me or someone else trustworthy know, and we'll set up Algo for you. No commercial VPN provider is safe for at-risk users.

* Do NOT EVER use Tor Browser. It's the least safe browser you can use: a lagged fork of Firefox for which whole classes of security bugs are potentially WONTFIX'd, and also the only browser that goes out of its way to collect high-value targets.

* Do NOT install Adium or Pidgin to speak to people over OTR. It's difficult to find exploitable bugs in libotr, but it is *not* difficult to find them in libpurple. Use Signal, WhatsApp, or Wire.

* You would have to be out of your fucking mind to install mobile AV.

davidscolgan, over 7 years ago
I've lately only been using Linux on my laptop and desktop, but my grandparents recently asked me about advice on a new computer. Is the current best practice to avoid all antivirus software and assume Windows 10 is secure with whatever is built in?

Grandpa thinks Avast makes his computer secure and is using their custom browser for his banking. Is my great distrust in all antivirus systems as worse than the viruses they theoretically find still valid?

edraferi, over 7 years ago
This is a pretty thorough introduction to personal digital security. It starts by emphasizing Threat Modeling, which lay users often forget.

Most of the recommendations are standard (password manager, two factor authentication, basic OPSEC, ad blocking plugins) but it also has a fairly detailed discussion about the TOR browser. The recommendation to use a VPN may be controversial, but it includes a discussion of the relevant threat model, which helps.

ploggingdev, over 7 years ago
> Do use antivirus

I think the standard advice from the security community is to *not* use any antivirus at all and maybe only Windows Defender if you're on Windows.

The advice to use Tor browser is also terrible. The Tor browser is based on an older version of Firefox (currently version 52 vs 57 for upstream Firefox) and so might contain known bugs.

On a side note what does the security community think about Qubes OS [0]? The approach of security by isolation is interesting.

[0] https://www.qubes-os.org/

JepZ, over 7 years ago
> Mac users can install Adium, PC (and Linux) users will have to install Pidgin and the OTR plugin.

No word about OMEMO[1] or Conversations[2]. I think running your own XMPP Server with end-to-end encryption should be pretty safe (if needs to be safer run it within a VPN). After that the unsafest part is probably the device you use your app with (closed source firmwares nobody has ever seen).

[1] https://xmpp.org/extensions/xep-0384.html
[2] https://conversations.im

ryanlol, over 7 years ago
This is overwhelmingly terrible advice.

It even tells you to install a *mobile antivirus*!

proee, over 7 years ago
Regarding web extensions like Adblock or others, this seems to be quite risky I'm using because the developers of the plug-in could get hacked and silently release a version that captures your password fields.

Are we really ok giving full read/write access to our webpages from companies we know nothing about?

I'm considering removal of all web extensions that have read/write access.

Thoughts?

suyash, over 7 years ago
"Camera access" - let's discuss this in more detail. So I am not convinced that I need to put that ugly piece of sticker onto my laptop camera. Is this really a big problem on Mac or no? Is there another alternative than putting some ugly sticker on a beautiful laptop?

mar77i, over 7 years ago
....With my 32 years and tech affinity I simply can't imagine owning a credit card. The missing security being one thing, but it may also have to do with relatives being perpetually short on money for debt they accumulated themselves.

stoolpigeon, over 7 years ago
I don't understand why their first point for mobile was "Get an iPhone" but they didn't do something similar for desktop. Why didn't they say "Run OpenBSD"?

qrbLPHiKpiux, over 7 years ago
But nobody really wants to understand anything. They want a turnkey solution. An intro to threat modeling is good. But it’s lost on deaf ears. The weakest link in compsec will always be the person using the device.

SomeStupidPoint, over 7 years ago
Everyone should appropriately consider the source (and their security concerns), but this also exists:

https://github.com/iadgov

It provides some advice and references a number of other government sources once you dig into it.

gggvvh, over 7 years ago
Ban China, Russia and India IP space. Problem solved.

Edit: what’s with the downvotes? Burned much? Hey, try looking at your failed ssh login attempts before and after doing this. You’re welcome.

suyash, over 7 years ago
Pretty solid guide, consider sharing this with all your family and friends on Facebook, email etc as an average Joe can learn a lot from this.

beamatronic, over 7 years ago
For the parents and grandparents:

Do as much as you can with just a Chromebook

Use 2 factor authentication

Don't go anywhere near Windows