
Ask HN: Extremely easy steps towards extra security/privacy? - EduardoBautista
I just wanted to see if there are any "low hanging fruit" in terms of increasing your security and/or privacy.  Basically, anything that does not take any effort to maintain and does not make you lose any productivity.
======
jeffshek
1. LastPass / 1Password

2. AdBlocker Extension

3. Modify your /etc/hosts to block a lot of malicious sites.

4. Signup for [https://haveibeenpwned.com/](https://haveibeenpwned.com/)

5. VPNs on all wifis not your own.

6. 2-factor wherever you can. But also a place where you can print out your
backup 2-factor keys, since losing your phone happens.

7. Have an email for newsletters/spam/signup, another that you use for
friends.

8. Use credit cards that can generate on-demand numbers. I.e. both Bank of
America and Citi let you generate one time use credit card numbers with set
limits.

9. Signup (one time) with your credit cards to warn you for sudden changes in
your credit score (i.e. to prevent someone opening a loan in your name).

There's probably a lot more that I forgot I do ... it's amazing how little
people do here.

~~~
chewz
1) use Keepass [1] and sync (via Dropbox or Google Drive) from your PC to your
smartphone. It is free and remember that LastPass had been compromised
already.

2) Do not bother with adblocker - instead use properly configured Chrome with
javascript OFF by default, and ON only on trusted sites, use incognito mode,
set your own DNS and 204 and some other settings, also use Decentraleyes
extension and switch off remote fonts etc.

3) Use DNSCrypt whenever possible - on your home router if you can, and on
RaspberryPI acting as a router when traveling.

4) Block malicious hosts, trackers, advertising etc via /etc/hosts. Block all
Facebook server entirely. Block Gravatar and other trackers. Keep your own
blacklist and whitelist.

This is better than adblock extensions in browser because it can block
tracking and advertising also on your tablets and iPhones.

Try using dnsmasq for caching and splitting DNS so queries for Apple and
Google and AmazonAWS servers are geo-smart and the rest of the queries go to
DNSCrypt server in Iceland.

5) set up your own VPN (you can get VPS for that starting at 10$ per year)
possibly with Strongswan IKE and use it on your mobile phone always ON. Your
server should also use DNSCrypt and perhaps also act as your private DNS
server.

6) Use Fastmail[2] and make use of email aliases. Fastmail have tons of
various domains so I have set up alias me@nospammail.net and can use
disposable addresses like first@me.nospammail.net, second@me.nospammail.net
etc.

You will know who leaked your email address. You can block certain addresses
easily.

7) Set text alerts for your card transactions over certain limit.

8) On Google, Microsoft and other important accounts set Pushover[3] email
address for security alerts. You will be receiving immediate alerts via push
on your phone.

[1]:
[https://en.wikipedia.org/wiki/KeePass](https://en.wikipedia.org/wiki/KeePass)

[2]: [https://www.fastmail.com/](https://www.fastmail.com/)

[3]: [https://pushover.net/](https://pushover.net/)

~~~
tazard
While I don't think you're wrong that these are better solutions, I feel you
missed the "Extremely easy" part. Keepass is significantly less user friendly
than LastPass/1password. VPSs can be very inaccessible for non-computer savvy
people also.

~~~
frabbit
For simple, secure use (which is what we are talking about) there is little
functional difference between Keepass and Lastpass.

------
pards
Use your own domain for your email and host it with ProtonMail.

If your primary email gets hacked and you're using your own domain, you can
regain access to your online banking, utilities etc by moving your email
address to another hosting provider via a few DNS changes. (Think about how
password reset works).

It also protects you from google/hotmail/aol/yahoo shutting down your account.

------
danieka
Whenever you can, use cash instead of credit card. Records of who buy what are
more widely spread than I’m comfortable with. Also, there is a large risk that
cash will be removed in the next one or two decades and then all semblance of
privacy re what we buy will be gone.

[https://www.inc.com/emily-canal/google-credit-card-purchases-track-online-ads.html](https://www.inc.com/emily-canal/google-credit-card-purchases-track-online-ads.html)

------
captn3m0
Surprised this hasn't been mentioned yet, but
[https://securityplanner.org/](https://securityplanner.org/) is a great
resource for exactly this.

It asks you a few easy questions (what device you use, what are you concerned
about) and provides you with personalized advice along with ratings on how
easy it is to setup (Setting up 2FA is easy v/s setting up a VPN is medium).

A list of all their recommendations is at [https://securityplanner.org/#/all-recommendations](https://securityplanner.org/#/all-recommendations), and they
even offer printer-friendly versions you can use.

You can toggle the "quick-and-easy+free" fixes, which I'm listing:

1. Install HTTPS Everywhere

2. Use Chrome/Firefox

3. Privacy Badger

4. Security Checkups (Google/Facebook - Includes 2FA + More)

5. Password Alert

6. 2FA

7. Privacy Settings for online accounts

Go check it out for more detailed instructions.

~~~
earenndil
> Use Chrome/Firefox

As I already recommended on another comment, chrome is an INCREDIBLY BAD IDEA
for privacy. Use ungoogled chromium if you need a google-only site, otherwise
just firefox (with telemetry turned off).

------
Arubis
Ditch and block Facebook and all related domains. Will likely increase your
productivity.

------
bigiain
Use a password manager. Use a VPN. Use Signal.

~~~
EduardoBautista
Any good reason to use Signal over Wire?

~~~
bigiain
For me - just because I trust Moxie.

If your threat model includes state level actors - Wire's Swiss-based company
might provide some protection over potential problems of Moxie and
WhisperSystem being in the US - but if you're trying to protect against the
NSA I hope you've got better sources of advice than an Ask HN...

As a "low hanging fruit" - any of Signal or Wire or maybe even WhatsApp are
better than SMS or Google Chat... If your friend group has already chosen one
of them - use that. If you get to choose, I'd recommend Signal - but not in a
super strongly opinionated way.

------
earenndil
Browser addons (if available):

* ublock origin (add reek anti-adblock or whatever the newest alternative to it is)

* refcontrol (firefox <=56 only, I use waterfox)

* umatrix

* privacy badger

* https everywhere

* cookie autodelete

Get a VPN

Use a browser that is not chrome, chromium, edge, IE, opera. Firefox (disable
the firefox health report (FHR) and telemetry!!), waterfox, vivaldi, palemoon,
brave, and degoogled chromium are ok.

Use a password manager, I recommend keepass.

------
jryan49
Different passwords and usernames for every website. To make that easy you get
a password manager. (pass, LastPass, etc, etc)

------
pknerd
Some good suggestions. Don't forget to install extensions to block web based
crypto mining.

~~~
nukeop
This can be blocked by any regular content blocker, no need for a specialized
extension. Also, by discriminating against alternatives to advertising you are
helping the advertising industry.

------
seangrant
if you have an extra raspberry pi laying around you can install an ad blocker
for your entire network with pi-hole.

~~~
kqr
Or configure whatever caching DNS server you currently have installed on your
LAN to do the same.

Oh, you don't have a DNS cache on your LAN? Strongly recommended for
performance reasons, if not privacy as well. I don't remember what actual
measurements I ended up with, but latency really hurts!

~~~
regecks
An alternative:

I run dnscrypt-proxy locally, encrypting (TLS) all my DNS traffic between me
and OpenDNS, also giving me the option for my system resolver to give NXDOMAIN
for any names on a local blacklist.

It was remarkably easy to setup, just install the package.

    
    
      $ cat /etc/dnscrypt-proxy/blacklist
      fbcdn.net
      facebook.com
      google-analytics.com
      www.google-analytics.com

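The thread offers two ways to block tracker and ad hosts: entries in /etc/hosts (as suggested above, with a personal blacklist and whitelist) and a resolver-level blacklist like the dnscrypt-proxy file quoted in this comment. They do not catch the same names, and the Python below is an added example, not code from the thread, from dnscrypt-proxy or from dnsmasq, that makes the difference visible. It validates list entries, applies hosts-file (exact-match) and resolver-style (longest-suffix, whitelist-aware) rules to a constructed query list, and reports which names the hosts file would miss. The entries `example.com`, `allowed.example.com` and `tracker.example.com` are constructed purely to exercise the whitelist logic.

```python
"""Hosts-file blocking vs resolver-level blocking.

Constructed example (not code from the thread or from dnscrypt-proxy): models
the two mechanisms the comments describe so their difference in coverage is
visible. Sample lists and queries below are constructed for illustration.
"""
from __future__ import annotations

import re

# RFC 1123 label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, validate every label.

    Raises ValueError for names a hosts file or resolver would silently
    ignore or misparse (empty labels, underscores, over-long names).
    """
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError(f"bad hostname length: {name!r}")
    if any(not _LABEL.fullmatch(label) for label in name.split(".")):
        raise ValueError(f"bad hostname label in {name!r}")
    return name


def is_valid(name: str) -> bool:
    """True if normalize() accepts the name."""
    try:
        return bool(normalize(name))
    except ValueError:
        return False


def load_list(text: str) -> set[str]:
    """Parse a one-name-per-line list; blanks and '#' comments are ignored."""
    names: set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            names.add(normalize(entry))
    return names


def _suffixes(name: str) -> list[str]:
    """The name and all of its parent domains, most specific first."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hosts_blocked(name: str, blacklist: set[str]) -> bool:
    """/etc/hosts semantics: only an exact name match is overridden."""
    return normalize(name) in blacklist


def resolver_blocked(name: str, blacklist: set[str],
                     whitelist: set[str] | frozenset[str] = frozenset()) -> bool:
    """Suffix semantics as used by resolver blocklists: the most specific
    matching entry wins, a whitelist entry also exempts its subdomains, and
    a name present in both lists counts as whitelisted."""
    for suffix in _suffixes(normalize(name)):
        if suffix in whitelist:
            return False
        if suffix in blacklist:
            return True
    return False


def to_hosts_lines(blacklist: set[str]) -> list[str]:
    """Render a blacklist as /etc/hosts entries pointing at 0.0.0.0.
    Hosts-file matching is exact, so every subdomain needs its own line."""
    return [f"0.0.0.0 {name}" for name in sorted(blacklist)]


def coverage_gap(queries: list[str], blacklist: set[str],
                 whitelist: set[str] | frozenset[str] = frozenset()) -> list[str]:
    """Names a resolver blocklist would block but the hosts file misses."""
    return sorted(q for q in queries
                  if resolver_blocked(q, blacklist, whitelist)
                  and not hosts_blocked(q, blacklist))


# Constructed sample lists, modelled on the blacklist quoted in the thread.
BLACKLIST = load_list("""
fbcdn.net
facebook.com
google-analytics.com
www.google-analytics.com
example.com        # constructed entry, present only to exercise the whitelist
""")
WHITELIST = load_list("allowed.example.com  # constructed: exempt this host and its subdomains")

# Constructed query log: names a browser might look up during a page load.
QUERIES = [
    "facebook.com", "www.facebook.com", "static.xx.fbcdn.net",
    "www.google-analytics.com", "ssl.google-analytics.com",
    "allowed.example.com", "cdn.allowed.example.com", "tracker.example.com",
    "example.org",
]

if __name__ == "__main__":
    print("\n".join(to_hosts_lines(BLACKLIST)))
    for q in QUERIES:
        print(f"{q:26} hosts={hosts_blocked(q, BLACKLIST)!s:5} "
              f"resolver={resolver_blocked(q, BLACKLIST, WHITELIST)}")
    print("missed by /etc/hosts:", coverage_gap(QUERIES, BLACKLIST, WHITELIST))
```

Run as a script it prints the generated hosts entries, a per-name comparison and the list of names only the resolver catches. The point for anyone maintaining their own blacklist: a hosts file needs every subdomain spelled out (www.facebook.com, static.xx.fbcdn.net and so on), whereas a resolver-level list such as dnscrypt-proxy, dnsmasq or Pi-hole covers a whole domain from one entry, which is also why it is the mechanism that protects phones and tablets on the same network.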
~~~
kqr
Good suggestion. I sandwich Dnsmasq between applications and dnscrypt-
proxy[1] because the opennic anycast servers were too slow otherwise.

[1]: [https://two-wrongs.com/secure-dns-on-a-laptop-with-debian.html](https://two-wrongs.com/secure-dns-on-a-laptop-with-debian.html)

------
schappim
Install an ad blocker extension.

~~~
banku_brougham
Install uBlock Origin ad blocker

------
nukeop
uBlock and uMatrix for your browser, the most important things in your day to
day security. As a bonus, throws off fingerprinting.

