
A Guide to Not Getting Hacked - wnm
https://motherboard.vice.com/en_us/article/d3devm/motherboard-guide-to-not-getting-hacked-online-safety-guide
======
tptacek
Everything that's in this piece that's true is on the Tech Solidarity guide.
What isn't, is false.

[https://techsolidarity.org/resources/basic_security.htm](https://techsolidarity.org/resources/basic_security.htm)

In particular:

* Do NOT install antivirus on your computers. Antivirus software is absurdly dangerous. The closest you'll come to benign AV is Microsoft's, but that's an asymptotic kind of safety.

* Do NOT go out of your way to funnel your traffic through a commercial VPN provider. If you need a VPN for your NGO or journalism outlet, let me or someone else trustworthy know, and we'll set up Algo for you. No commercial VPN provider is safe for at-risk users.

* Do NOT EVER use Tor Browser. It's the least safe browser you can use: a lagged fork of Firefox for which whole classes of security bugs are potentially WONTFIX'd, and also the only browser that goes out of its way to collect high-value targets.

* Do NOT install Adium or Pidgin to speak to people over OTR. It's difficult to find exploitable bugs in libotr, but it is _not_ difficult to find them in libpurple. Use Signal, WhatsApp, or Wire.

* You would have to be out of your fucking mind to install mobile AV.

~~~
ikeboy
Is tor browser inside whonix good? Would you recommend a different browser
inside of whonix instead?

~~~
Santosh83
It is explicitly warned _not_ to use the Tor Browser under Whonix because the
browser starts its own instance of Tor while Whonix already funnels every
network request through its gateway Tor and Tor over Tor is supposedly
undefined behaviour. So you have to go the additional step of disabling Tor
Browser from starting its bundled Tor...

Or under Whonix just use any normal browser like Firefox.

~~~
ikeboy
That's not what I see on
[https://www.whonix.org/wiki/Tor_Browser](https://www.whonix.org/wiki/Tor_Browser)

It explicitly says "There is no Tor over Tor scenario in the Whonix
environment." when using their modified Tor Browser.

~~~
Santosh83
Thanks. I stand corrected. I didn't realise they supplied their own modified
Tor Browser...

------
davidscolgan
I've lately only been using Linux on my laptop and desktop, but my
grandparents recently asked me about advice on a new computer. Is the current
best practice to avoid all antivirus software and assume Windows 10 is secure
with whatever is built in?

Grandpa thinks Avast makes his computer secure and is using their custom
browser for his banking. Is my great distrust in all antivirus systems as
worse than the viruses they theoretically find still valid?

~~~
theossuary
I think so. Antivirus systems are a huge attack surface. Maybe have Windows
Defender installed; make sure Windows automated patching is on; use the latest
version of Chrome or Firefox with an ad blocker installed, and don't give them
access to the admin account.

And if you're paranoid like me get a managed switch and set up Snort to monitor
your network. That'll protect you more than an antivirus will.

~~~
FreakLegion
I'll second the recommendation for Windows Defender, based on how well it
blocks the bad stuff. But to be clear, 1) Windows Defender isn't any more
secure than other AVs, e.g. [1], and 2) the risk from AVs is negligible and
far outweighed by the benefit, for the average user.

1\. [https://arstechnica.com/information-technology/2017/05/windo...](https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/)

~~~
megaman22
Windows Defender is at least unobtrusive. Got hit with a cryptolocker last
year, and then mandated usage of some garbage WebRoot product that brings a
quad-core i7, 32gb RAM and SSD workstation to its knees. Not sure which was
worse...

------
edraferi
This is a pretty thorough introduction to personal digital security. It starts
by emphasizing Threat Modeling, which lay users often forget.

Most of the recommendations are standard (password manager, two factor
authentication, basic OPSEC, ad blocking plugins) but it also has a fairly
detailed discussion about the TOR browser. The recommendation to use a VPN may
be controversial, but it includes a discussion of the relevant threat model,
which helps.

------
ploggingdev
> Do use antivirus

I think the standard advice from the security community is to _not_ use any
antivirus at all and maybe only Windows Defender if you're on Windows.

The advice to use Tor browser is also terrible. The Tor browser is based on an
older version of Firefox (currently version 52 vs 57 for upstream Firefox)
and so might contain known bugs.

On a side note what does the security community think about Qubes OS [0]? The
approach of security by isolation is interesting.

[0] [https://www.qubes-os.org/](https://www.qubes-os.org/)

~~~
polote
Why not use antivirus? They are a good protection against downloaded content
(email attachments, downloaded files), no?

~~~
strictnein
Non-tech users should use antivirus.

If you're highly technical and no one else touches your machines, then you may
be fine.

The claim that no one should use it is trendy right now. The idea that your
in-laws' Windows box should be left with nothing on it is misguided. But all
you do need is to make sure Windows Defender is running and up to date.

------
qrbLPHiKpiux
But nobody really wants to understand anything. They want a turn key solution.
An intro to threat modeling is good. But it’s lost on deaf ears. The weakest
link in compsec will always be the person using the device.

~~~
ajb
"It is a profoundly erroneous truism, repeated by all copy-books and by
eminent people when they are making speeches, that we should cultivate the
habit of thinking of what we are doing. The precise opposite is the case.
Civilization advances by extending the number of important operations which we
can perform without thinking about them. Operations of thought are like
cavalry charges in a battle — they are strictly limited in number, they
require fresh horses, and must only be made at decisive moments." \- Alfred
North Whitehead

------
JepZ
> Mac users can install Adium, PC (and Linux) users will have to install
> Pidgin and the OTR plugin.

No word about OMEMO[1] or Conversations[2]. I think running your own XMPP
Server with end-to-end encryption should be pretty safe (if it needs to be safer,
run it within a VPN). After that the unsafest part is probably the device you
use your app with (closed source firmwares nobody has ever seen).

[1] [https://xmpp.org/extensions/xep-0384.html](https://xmpp.org/extensions/xep-0384.html)
[2] [https://conversations.im](https://conversations.im)

------
ryanlol
This is overwhelmingly terrible advice.

It even tells you to install a _mobile antivirus_!

~~~
paulryanrogers
Why else is it terrible?

~~~
ryanlol
It also recommends running an antivirus on desktop, using a VPN, using tor
browser, _pidgin_ and goes as far as discussing android as a viable option.

The “lock up your SIM” part is simply ridiculous too, this has never ever
stopped anyone.

This article is terrible because it has clearly been written by non-experts
who should not be writing any security guides.

~~~
drdaeman
Interesting. I'm not a security expert, but believe locking SIM card with a
PIN code is a reasonably good idea to ensure in case of a stolen smartphone
(non-targeted) it would be more likely thrown out as useless rather than used
for any nefarious purposes.

Or I'm wrong?

~~~
ryanlol
SIM card PINs are not discussed in the article. Instead they recommend asking
your telco's support rep to attach a note to your account to prevent sim
swapping, which doesn't work.

------
proee
Regarding web extensions like Adblock or others, this seems to be quite risky
I'm using because the developers of the plug-in could get hacked and silently
release a version that captures your password fields.

Are we really ok giving full read/write access to our webpages from companies
we know nothing about?

I'm considering removal of all web extensions that have read/write access.

Thoughts?

~~~
jdietrich
uBlock Origin is GPL licensed. It collects no analytics. The code base is
concise and highly legible. The primary maintainer (Raymond Hill) appears to
be a principled man. I don't think that it has been independently audited, but
I trust it more than most of the software on my computer.

[https://github.com/gorhill/uBlock](https://github.com/gorhill/uBlock)

~~~
proee
Right, but do you trust that his entire system is locked down? Wouldn't this
be the ultimate target by a hacker at the highest level? They might even go so
far as to physically breach his location if they knew they could gain access
to his machine. Installing keyloggers, etc.

This might allow them to change the plugin at the last minute if he made an
update and pushed it out.

------
suyash
"Camera access" \- let's discuss this in more detail. So I am not convinced
that I need to put that ugly piece of sticker onto my laptop camera. Is this
really a big problem on Mac or no? Is there another alternative than putting
some ugly sticker on a beautiful laptop?

~~~
kfriede
I printed a blank strip of "White on Black" label tape and stuck it over on my
MBP. I only see it when I'm in a super bright environment, such as in
sunlight. Otherwise I forget it's there.

------
mar77i
....With my 32 years and tech affinity I simply can't imagine owning a credit
card. The missing security being one thing, but it may also have to do with
relatives being perpetually short on money for debt they accumulated
themselves.

------
stoolpigeon
I don't understand why their first point for mobile was "Get an iPhone" but
they didn't do something similar for desktop. Why didn't they say "Run
OpenBSD"?

~~~
foodstances
Because an iPhone is easy to use for the vast majority of people and OpenBSD
is not.

~~~
folknor
I've installed Xfce/Gnome/Mate on new computers for senior family members and
they don't even notice half the time. They just think it's a new version of
Windows or Mac.

In age ranges from 40-72+.

The "vast majority" you speak of probably mostly use a web browser and a mail
client, so their interactions with the actual OS are minimal.

Sometimes I get calls about digital cameras (or phones nowadays), so then I
either go there and set it up, or have them open external access in some
manner (usually Teamviewer, because it's easier for them). But this is rare,
and of course I don't mind talking to them and helping them anyway.

And it would also happen when they used Windows.

~~~
unicornporn
Probably fine until they try to install Spotify, or some other life critical
piece of software.

------
SomeStupidPoint
Everyone should appropriately consider the source (and their security
concerns), but this also exists:

[https://github.com/iadgov](https://github.com/iadgov)

It provides some advice and references a number of other government sources
once you dig into it.

------
gggvvh
Ban China, Russia and India IP space. Problem solved.

Edit: what’s with the downvotes? Burned much? Hey, try looking at your failed
ssh login attempts before and after doing this. You’re welcome.

------
suyash
Pretty solid guide, considering sharing this with all your family and friends
on Facebook, email etc as an average Joe can learn a lot from this.

------
beamatronic
For the parents and grandparents:

Do as much as you can with just a Chromebook

Use 2 factor authentication

Don't go anywhere near Windows

