
Ask HN: What steps can one take to increase security and privacy online? - whitepoplar
In light of the Cloudflare breach, I'm getting pretty nervous re: internet security and privacy. It seems that it's only a matter of time before all of my private information and communications become searchable, public information.

What steps can one take, today, to protect themselves down the road? I currently use 1Password, have 2FA enabled on all available sites, use a VPN when using unsecured WiFi, and have attempted to disable tracking on my Google accounts. What else can I do? I don't mind doing a lot of legwork! I just want peace of mind in 10, 20, or 50 years...
======
doubt_me
I use a random pass generator.

Avoid all password managers at all costs. I put it down manually.

I am going to be getting a subscription to a non-Google email. Not sure which
one yet. I think it's called fast mail.

Avoid everything Apple.

Avoid everything social media. I still use them for lurking but every single
service has its own email and generated pass.

Avoid posting anything anywhere forever. (As little as I possibly can)

Getting my info and my associates info completely wiped from all data brokers
and all links from all search engines purged.

Use a custom ROM and a rootable phone. I'm not a fan of how big Google is. I'm
not a fan of how little support they offer for their services (let's be honest
it doesn't exist). But at the same time Google really does make great software
at the cost of zero actionable support. It works for now. There are open
source alternatives in the works to replace the core of Google services I just
haven't checked if I can use it as a daily driver just yet (without many
bugs).

I use Chrome with the Privacy Badger extension by the EFF.

Another extension which is called uMatrix (have been using it since Beta,
HTTPS-Everywhere). It will break your internet experience if you don't know
how to use it. Simply put, the only firewall you will ever need. Doesn't use
many resources and is extremely straightforward.

I also use the Signal app for communication. As much as I possibly can. (It
took me a year or two but I've converted over 50+ people into using it)

Stating the obvious. But I haven't gotten a single virus from torrents since
the Napster days. You'll get them from software most of the time anyways
(crack generators, old software etc...).

~~~
whitepoplar
1) Why avoid using a password manager, like 1Password?

2) Why avoid everything Apple? From what I hear from trusted individuals,
Apple has some of the most secure data practices in the industry.

3) Avoid posting anything, anywhere? That's not practical for me and most
people. Much of the internet's upside centers around posting and sharing
content.

4) I agree with purging information from data brokers. What's the best way to
do this?

~~~
doubt_me
1. I'm not honestly sure what 1pass looks like. If it saves local versus
cloud and is somewhat open source then I don't have a problem with using these
apps (LastPass breach was pretty bad when it happened). For me personally I
just don't need them. Every single phone I've owned in the past has required
the bare minimum in software for my battery to last as long as possible even
with custom ROMs. Every app counted. Only recently have I been able to enjoy
my phone all day with tons of apps. (LG V20)

2. Of course a company like Apple has some of the most secure practices. What
it doesn't give them though is the power to completely ignore zero days and
attack white, gray or black hats for disclosure. Plenty of other companies are
guilty but not one as big as Apple. I'm all for prosecution when hacks are
used to cause damage and/or steal company secrets. Beyond that point the
closed ecosystems + closed hardware that's built to be hard to repair is a
security nightmare waiting to happen. (Oh yea it did. They called it the
fappening). They also do everything possible to shut down jailbreaking (Didn't
they hire one of them eventually?). And even going further beyond that, they
share your info with the government. Under gag order or not, it doesn't matter.
Yes I know all companies have to in order to operate stateside but the fact is
it's not hacker friendly. I am also aware of the fact that the majority of the
industry has been working on making this situation better. (Project Zero,
Netflix just came out with something as well).

3. Yup. I guess I meant in a more practical sense like personally
identifiable info. Being completely honest, not everybody cares for security;
most of the time they aren't even aware of what it is or how much is
actually out there. This point I made will never happen unless somebody is
completely devoted to being private and wants to be.

4. I'm actually still working on that. I don't have a 100% sure method yet.
I've emailed plenty of them and I got mostly no response, but a few did delete
some stuff.

Something I haven't tried is to simply get Google to remove the listings from
their search. Doesn't sound hard but knowing Google will be next to
impossible.

I have thought about using legal action against the data brokers but I haven't
looked into it yet. I'm assuming there are cases out there somewhere that were
successful that I can find.

------
johnnycarcin
Aside from the things you mentioned, I have started moving to self-hosting
everything on a VM with an encrypted disk and https for all app interactions.

For code I use gitea/gogs + self-hosted drone. I have OpenVPN running there as
well and use it even at home since Comcast is my ISP.

Backups are done via Borg and shipped to another VM also with disk encryption.
I use pass for password management and push it to my gitea repo.

The one area I haven't solved 100% is email. I tried self-hosted, but the
majority of my outgoing email was being flagged as spam, even after doing all
the suggested things to prevent that. I am using ProtonMail now and just have
to trust they are legit.

For texting I am using Signal and have managed to get most of my frequent
contacts to start using it as well.

For online communities I use different handles and email aliases. Not sure if
that helps or not though.

~~~
pasbesoin
I haven't done it, but some years ago a Mike... C.? published a description of
how he did email, then. Public/private keypairs. Inbound email would arrive at
his server and immediately be encrypted using a public key. It would sit on
his server encrypted. When he pulled it off, he would decrypt it at his client
using the private key.

If the server was compromised, at that point in time, all the adversary would
get would be a bunch of encrypted messages to which the relevant key for
decryption was not present on the server.

Just to be clear, this was his keypair, used to keep incoming email at rest on
his server encrypted with no local means to decrypt. Irrespective of whether
the sender did or didn't use encryption when sending the email to him.

I presume one would want some sort of canary to warn of compromise with
respect to further messaging that might arrive or be sent.

Outbound, I presume he was not retaining copies on the server and was using
whatever degree of encryption the recipient could handle and the situation
warranted.

P.S. I realize this doesn't solve your "you're SPAM" labeling by an ever more
differentiating Internet email network.

P.P.S. I'm pretty sure this is it. Site/page design may have been redone a
bit. Just if and as this interests anybody -- I haven't taken the time to
reread it, right now.

[https://www.grepular.com/Automatically_Encrypting_all_Incomi...](https://www.grepular.com/Automatically_Encrypting_all_Incoming_Email)

------
remx
> I'm getting pretty nervous

Don't let leaks make you nervous. It's worth presuming your account info will
be leaked at some later date, and there are precautions you can take to dampen
the blow it has on you. For example, use prepaid credit cards instead of bank-
issued ones. That way if your CC ends up on some underground carder forum, it
has $0.00 in the balance (and the card can't have a negative balance).
Services like privacy.com offer these.

Use burner phones, disposable email addresses. _Always_ poison the well with
fake names. Never give out your real name to any service, even if the service
demands it. Religiously use Tor for any sensitive topics (like politics,
health). Religiously use DuckDuckGo.

------
qrbLPHiKpiux
Do not put anything on the internet you want read back in a court room. Keep
it local.

------
qrbLPHiKpiux
Use a different passphrase for each service. Never reuse it.

------
bgrohman
Use Tor? Use applications that offer end to end encryption?

