Internet Security 101: A starter guide to avoid being an idiot online

Andy Coravos, published in Andrea’s Blog
Dec 21, 2016

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say. – Edward Snowden

Last weekend I absentmindedly clicked on a link from a friend that looked just like those Google Hangout shortcut links. But of course it wasn’t, and when I tried to quickly close the window, a pop-up asked me if I really wanted “to stop the download?” — argh.

Somewhat panicked, I realized I got phished, and I spent the whole night trying to figure out what the malicious website was downloading on my Mac.

Things I learned: (1) Yes, Virginia, Macs can get viruses, and (2) keyloggers are very hard to find.

Being safe online has always been important to me, and after that incident, I learned a few things that I wish I could tell myself 10 years ago.

Wrap it up

Chris Olsen made waves earlier this year when he noticed that Zuck covers his camera and mic jack. And you should, too. It’s ridiculously easy for someone to remotely take control of your computer camera through your browser.

You can buy EFF laptop stickers here. They are re-stickable, which is great for Google Hangout time.

Check encryption

Now that we have a President-elect of the United States who does not like encryption, it’s more important than ever to protect your privacy.

Encryption protects our information when it’s sitting on our computers and when it’s being transmitted around the internet. It’s critical for today’s journalists and activists. And it’s critical for you. Some encryption is for obvious things — making sure no one steals your credit cards, passwords, and SSN. Encryption helps you avoid identity theft. And some reasons for encryption are more abstract, but also important. If foreign entities had access to your emails, messages, your documents — how might you change your behavior? Would you start self-censoring? Encryption ensures your data and messages stay between you and the people you want to see it.

If you use iMessage, WhatsApp, or Signal — congrats! You already are using end-to-end encrypted messaging. Bruce Schneier writes that “encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.” I agree, but not all products have encryption-as-default yet.

When transmitting passwords or credit cards, you should always check that a website is using HTTPS (and not HTTP). This is so important that Google Chrome is starting to shame sites that don’t. To be extra prepared, you can download HTTPS Everywhere (<10 seconds to install), which is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure. Coding Horror has a great post on joining the HTTPS party.

If you’re using cloud storage, check the encryption levels of the storage and see if you think it’s enough for you. For example, Dropbox has well documented encryption protocols — but it’s mostly designed for transmitting the data. Your documents are unencrypted on the cloud, so if someone has access to your password, they’ll be able to access your files.

You may want to encrypt your cloud-based files on Dropbox. For encrypting a file, or set of files, for your own use, check out FileVault and store the encrypted container in whatever cloud storage you use.

Use different passwords on every website

XKCD 792: Password Reuse. Check out how the comic finishes.

Password managers (1Password, Dashlane, or LastPass) are surprisingly easy to install — and ensure that you have a different password on every site. When the Yahoo! breach was announced earlier this year, I wasn’t in crisis because I knew my Yahoo! password was contained.

In addition to helping you manage a different and strong password on every site — password managers make life on the internet easy and fast. The plug-in in your browser will automatically log you in, saving you time while giving you the peace of mind knowing that a security breach on one site doesn’t impact all of your log-ins. Password managers also nicely sync between computer and phone.

The best thing you can do after reading this post is to download a password manager. I know, you’ve probably been meaning to do this for months, but haven’t. Do it. It’s worth it.

Use two-factor-authentication (2FA)

In the physical world, a lock (e.g., a lock on a door) is rated by the number of minutes it would take a professional to break it. A similar mindset should be used for the digital world. With enough time and attempts, passwords and encryption are penetrable.

To increase your line of defense, set up two-factor authentication (2FA) whenever you can. 2FA requires two separate proofs of identity before the service lets anyone in, so a stolen password alone isn’t enough.

The “gold standard” is Universal 2nd Factor (U2F) authentication. You can set up this kind of two-factor authentication using a specialized USB security key.

A U2F Security Key by Yubico.

For the rest of us who don’t want to carry around a physical device, you can set up an authenticator app on your phone, such as Google Authenticator. It will supply a unique, time-limited code for the desired site. If you lose your phone, you’ll want to have a printed copy of the backup codes somewhere. Printing out the codes (or storing them in an encrypted note), while annoying, is critical because you’ll need them if you ever lose your phone or it gets stolen.
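To show what an authenticator app actually does with that “unique code”, here is an added example (not from the original post, and not Google Authenticator’s code) that computes and verifies RFC 6238 TOTP codes and handles one-time backup codes; the secret is the RFC test value, and the backup-code functions are my own illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret (the RFC 6238 test vector); a real service generates a
# random one and shows it to you as a QR code when you enrol the authenticator app.
DEMO_SECRET = b"12345678901234567890"

def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 ("gezd gnbv ...")."""
    return base64.b32decode(text.replace(" ", "").upper())

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The 6-digit code your phone shows: HMAC-SHA1 over the 30-second counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Server side: accept the current code and +/- `skew` steps of clock drift,
    comparing in constant time so timing cannot leak the correct digits."""
    for drift in range(-skew, skew + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def generate_backup_codes(n: int = 10) -> list[str]:
    """Recovery codes to print and keep offline for when the phone is lost."""
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]

def hash_code(code: str) -> str:
    """Store only hashes of backup codes, exactly as you would for passwords."""
    return hashlib.sha256(code.encode()).hexdigest()

def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """Each backup code works once: on success its hash is removed from the store."""
    digest = hash_code(code)
    if digest in stored_hashes:
        stored_hashes.remove(digest)
        return True
    return False
```

Because the code depends on the current 30-second window, a code copied from a phishing page becomes useless within a minute, which is why it beats a static password but still loses to a real-time relay.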

The weakest version of 2FA is text message. It’s surprisingly easy for someone to take control of your phone number and port it over to a new device. Check out this video where a female hacker at DEF CON was able to take over a reporter’s Verizon/T-Mobile/telco account by using a few social engineering tricks like pretending to be his wife while using a fake recording of a crying baby.

Back-up your stuff

Seriously, just do it. If you’re participating in the digital world, you’re likely going to get hacked at some point. It’s better to have a back-up copy of the files that are important to you — and there are a lot of services that can help you (e.g., Dropbox, iCloud and more).

Minimize what advertisers collect on you

In response to the NSA’s and the federal government’s ongoing collection of consumer data, many leading internet companies, including Google, Apple and Mozilla, agreed to roll out a universal “opt-out” for users called Do Not Track.

To prevent search engine tracking, make a habit of deleting your search history and cookies — or use Chrome’s “incognito” mode. You can opt-out of Google’s “shared endorsements” so they can’t use your information when displaying ads. You may also want to install a browser ad-blocker.

[Update April 2017: If you’re not paying for the product — you likely are the product. Case in point: Unroll.me, a popular GMail extension that was reading all of the user’s emails and selling their data to third-parties like Uber. Watch out for extensions.]

[Update June 2018: Highly recommend doing the 8-Day Digital Detox.]

Educate yourself

Our future will be defined by a constant tension between privacy and surveillance — and perhaps most importantly, and in many cases, it’s unclear whether privacy will provide additional safety or whether surveillance will.

Is privacy a right or a privilege?

Increasingly governments of Australia, Germany, the UK and the US are destroying your privacy — and many people don’t believe this is a problem. Loss of privacy leads to loss of freedom, and having “nothing to hide” is irrelevant.

Privacy is rarely lost in one fell swoop. It is usually eroded over time, little bits dissolving almost imperceptibly until we finally begin to notice how much is gone.

Why Privacy Matters Even if You Have ‘Nothing to Hide’, Daniel J. Solove

The gradual erosion of privacy reminds us of the parable of the frog in hot water. In the beginning the frog does not notice the change in temperature — and may even benefit from the warm water, but over time, the frog slowly cooks.

In these moments, it’s important to take a stand. Read about the moral character of cryptographic work. Learn about what the Electronic Frontier Foundation (EFF) is working on. Check out the arguments from Edward Snowden. Watch a documentary on Aaron Swartz. Read Little Brother.

You may not agree with all the arguments, but in a world where technology is moving faster than regulation, it will be important for you to form a point of view and shape the discussion.

Let’s build a future we want, and not an accidental one.

Note: As Dave Kasten aptly called out, if you’re a human rights activist in an authoritarian country or other person facing serious adversaries, this guide is a first step, but you’ll need more advanced measures to protect your privacy. Amnesty International’s “tools to protect your online privacy” could be a good starting point.
