Guide: OpSec for The Masses
Okay, let's go over some key things:
- Google knows you. It's better if Google knows you a little bit than if 100 different companies know you a lot.
- It might seem contradictory, but try to avoid Google products. I am putting a lot of emphasis on the "little bit" from the previous line.
- Using a VPN is not the ultimate solution. In many cases it makes things worse: you are moving your trust from your ISP to a VPN company that now sees all of your traffic instead.
- Don't reuse passwords, especially crappy ones.
- Password managers are your friends. DO NOT STORE PASSWORDS ON CHROME.
- Don't use Google Chrome. There are plenty of great alternatives. Brave is one of them. Also, most browsers are just Chromium based, so they are not that much faster or slower than one another.
People need to understand that email is not a bulletproof means of communication for plenty of reasons, but first, let's go over the agents that we are facing:
- The Dark Forces: hackers and companies looking to mine and/or collect your data. Both want to use you/your data and online persona for profit.
- Governments: They believe they need to surveil you to protect the security of the nation, or to breach your privacy if you are under investigation. I am not here to discuss the deontological and ethical principles that empower laws. After all, we live in a society with rules. However, I have concerns about overreaching rules.
ProtonMail is sold to people as a security option, but is it 100% secure? Kind of... Some data has been handed to authorities under Swiss court orders, but in their defense, it was inevitable due to how email works: message bodies that are stored end-to-end encrypted cannot be handed over, but email metadata (sender, recipient, timestamps, the IP address you connect from) is visible to any provider and can be. Other than that, they do a great job protecting against The Dark Forces. Also, the fact that they are based in Switzerland helps in dealing with the Government side of things.
What about Gmail? If you have a Gmail account, you can be sure that the only Dark Force is Google, and that could be worse. They will also comply with any subpoena. But in this day and age, can we live without the G-suite products? Probably yes, but it's very inconvenient, especially if you are unwilling to pay for replacing services, and that's where they get you.
My suggestion is that you filter what is mission-critical for your life and act accordingly. Use Gmail for convenience and ProtonMail for security. If you are willing to buy a mailbox, there are quite good alternatives. But again, we are talking about the masses here.
Also, the reaction that Google has when an unknown device logs in is great. They make it their mission to ensure that the only Dark Force in your account is Google. You get a new-device sign-in alert on your other devices, for example when you log into your cousin's laptop to show your latest trip to Benidorm (Fort Lauderdale of Spain).
2FA
Two-factor authentication is of great importance: a stolen or leaked password alone is no longer enough to get into the account. It is not tamper-proof, though, and the options differ a lot. Ranked from weakest to strongest:
- SMS
- App on your phone
- Hardware Authenticators
Avoid using email as your second factor. If someone already has your password and you reuse it, they also have your mailbox, so email only makes sense combined with another method and with different passwords for everything (think about using a password manager).
SMS is a good starting point, but there are some flaws. Social engineering is a concern: if I call your phone provider pretending to be you, they might believe me and move your number to my SIM (a "SIM swap"), and there are many other ways of impersonating you. I invite you to watch some videos on this topic. For the sake of simplicity and the "masses," I will ignore the problems with carrier-based communication, but you get the idea.
Authenticator apps are your friends. Pick one and save the original key of each account that needs authentication on paper in a safe place. Also, don't use cloud authenticators or store the key digitally.
Hardware authenticators are another method. If you can and are willing, this is the best way to go.
Password Managers
Use a password manager, preferably NOT Google Chrome's password manager. I recommend 1Password. It's even better if you can convince your family to use it too. Their family plan offers great value. Now, there are plenty of options to choose from, so do some research. However, I must mention that even though 1Password is very safe, it's still a cloud provider. Ideally, you would use something like KeePassXC locally on your machine.
BONUS: If you choose a cloud password manager, use a unique email address and a unique master password for the vault, and never reuse either anywhere else. This minimizes intrusion points: a breach of some other site must not hand over the keys to everything.
Home Wi-Fi
If you have an old router, persuade your Internet provider to give you a newer one, OR try to keep your router firmware up to date.
Now, regarding passwords, here are some options. All of them require changing the password in the router:
- Generate a password and keep it in your password manager. Give it to your guests as needed.
- Create an easy-to-memorize sentence with all the elements of a good password (12+ characters, different cases, numbers, symbols). For example:
My2020CatsPissed55%OfMyBed.
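As an added example (my own code, not from the original guide), here is how to generate a random router password with Python's `secrets` module and check any candidate, generated or memorized, against the rules above. The entropy estimate assumes each character was chosen uniformly at random, which is true for the generated string and not for a sentence, so it is an upper bound for the memorable kind.

```python
# Added example: Wi-Fi password generation and a policy check for the rules in the guide
# (12+ characters, both cases, digits, symbols). Not the guide's code.
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def check_policy(password: str, min_length: int = 12) -> dict:
    """Report which of the guide's rules a password satisfies; 'ok' means all of them."""
    result = {
        "length": len(password) >= min_length,
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    result["ok"] = all(result.values())
    return result


def generate_password(length: int = 20) -> str:
    """Uniformly random password from ALPHABET using the CSPRNG-backed secrets module.
    Retries until the policy is met (fails only for very short lengths)."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_policy(candidate)["ok"]:
            return candidate


def charset_entropy_bits(password: str) -> float:
    """log2(charset_size ^ length): the guess-resistance of a *random* string drawn
    from the character classes present. A dictionary sentence is weaker than this."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += len(SYMBOLS)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, "->", check_policy(pw))
    print("guide's example passes policy:", check_policy("My2020CatsPissed55%OfMyBed.")["ok"])
    print("random 20-char entropy (bits):", round(charset_entropy_bits(pw), 1))
```

Store the generated string in your password manager (the router's admin password is a separate secret and should be changed too). The sentence approach is fine for the masses because it survives being typed into a TV; just do not assume its entropy figure from this script, since word-based guesses are far cheaper than character-by-character ones.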
Public Wi-Fi
Don't use it.
If you really need to, avoid doing anything very confidential, and always make sure you are using HTTPS (the padlock in the address bar; modern browsers no longer colour it green, and a "Not secure" warning means the connection is plain HTTP). Use a VPN.
VPN
This article was brought to you by NordVPN... LOL JK.
You can use a VPN, but it's essential to pick the right one. Don't use your university or work VPN; that's not the type of VPN you want.
The thing about VPNs is that you need to trust what the provider is going to do with your traffic, because they now see everything your ISP would otherwise see. What does this mean? The less logging, the better. However, take this with a grain of salt; it's inevitable that some logging will occur. Additionally, if you pay with a credit card, bank account, etc., your identity becomes associated with that particular traffic.
Here are some recommended use cases for VPNs:
- Avoiding location-based blocking
- Using public Wi-Fi
- Being in a country with mass online surveillance
I recommend Mullvad; they accept crypto and even take cash!
Payments & Crypto
If you think that paying with crypto makes you secure from all evils, you're dead wrong. It's very public, especially if you are trying to hide your identity. Let me ask you: How did you buy your crypto? Was it from a sketchy guy in the park, and did you pay in cash? No? Then you probably bought it on an exchange with KYC, and now your identity is associated with the transaction of a €1000 furry costume. Congratulations! If you want to "disappear" using crypto, think about Monero, but I won't get into that right now.
Regarding non-crypto online payments, I won't cover all the different options available in every region, but there are some excellent options out there. Now, don't put all your online purchases on one credit card. Use disposable options when possible (although some places may not accept them) or virtual cards. Be cautious about where you enter your card information. While it might just be an old or unattractive website, and everything is fine, you never know. This is why it's important to try using a card with a capped limit, disposable option, or virtual card when possible.
The End
Well, I can't write all day giving examples of every everyday tech interaction and how to defend your online "health" from attackers. But what I can say is:
- Be conservative, minimize risk, and practice damage reduction when necessary.
- For instant messaging, the only real option is Signal (check my project on private self-sufficient messaging here).
- Don't share passwords between different services.
- If something looks wrong, feels wrong, or sounds wrong, chances are high that it might be wrong. Companies spend a lot of money making things feel right.
- Try to avoid using Android from a cybersecurity standpoint. Even an old iPhone is superior to plenty of new Androids. Keep an eye on the phones of major company CEOs, politicians, etc.
Remember, taking steps to enhance your online security and privacy can go a long way in protecting yourself from potential threats. Stay vigilant and informed, and always prioritize your digital well-being.