2. AdBlocker Extension
3. Modify your /etc/hosts to block a lot of malicious sites.
4. Sign up for https://haveibeenpwned.com/
5. VPNs on all wifis not your own.
6. 2-factor wherever you can. But also a place where you can print out your backup 2-factor keys, since losing your phone happens.
7. Have an email for newsletters/spam/signups, and another that you use for friends.
8. Use credit cards that can generate on-demand numbers. E.g. both Bank of America and Citi let you generate one-time-use credit card numbers with set limits.
9. Sign up (one time) with your credit cards to warn you of sudden changes in your credit score (i.e. to prevent someone opening a loan in your name).
There's probably a lot more that I forgot I do ... it's amazing how little people do here.
3) Use DNSCrypt whenever possible - on your home router if you can, and on RaspberryPI acting as a router when traveling.
4) Block malicious hosts, trackers, advertising etc. via /etc/hosts. Block all Facebook servers entirely. Block Gravatar and other trackers. Keep your own blacklist and whitelist.
This is better than adblock extensions in the browser because it can block tracking and advertising also on your tablets and iPhones.
Try using dnsmasq for caching and splitting DNS so queries for Apple, Google and AmazonAWS servers are geo-smart and the rest of the queries go to a DNSCrypt server in Iceland.
5) Set up your own VPN (you can get a VPS for that starting at $10 per year), possibly with Strongswan IKE, and use it on your mobile phone, always on. Your server should also use DNSCrypt and perhaps also act as your private DNS server.
6) Use Fastmail and make use of email aliases. Fastmail has tons of various domains, so I have set up the alias firstname.lastname@example.org and can use disposable addresses like email@example.com, firstname.lastname@example.org etc.
You will know who leaked your email address. You can block certain addresses easily.
7) Set text alerts for your card transactions over certain limit.
8) On Google, Microsoft and other important accounts set a Pushover email address for security alerts. You will receive immediate alerts via push on your phone.
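Points 4) and the dnsmasq remark above describe maintaining a personal blacklist and whitelist and turning them into /etc/hosts entries (and, for whole domains, dnsmasq rules). The script below is an added example of that step, not the commenter's own files: the blacklist and whitelist texts are constructed for illustration, the whitelist-parent rule (allowing a domain also allows its subdomains) and the `0.0.0.0` sink address are assumptions, and the dnsmasq `address=/domain/ip` syntax is the real dnsmasq directive.

```python
"""Generate /etc/hosts block entries (and dnsmasq whole-domain rules) from a
personal blacklist minus a whitelist.  Added example; lists are constructed."""
import re
from typing import Iterable, List, Set

# One RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str) -> str:
    """Lowercase, drop a trailing dot; return '' for anything that is not a
    syntactically valid hostname (a stray '_' or path would poison the file)."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return ""
    if not all(_LABEL.match(label) for label in name.split(".")):
        return ""
    return name


def parse_list(text: str) -> List[str]:
    """One host per line, '#' starts a comment.  Accepts both bare names and
    existing hosts-file lines such as '0.0.0.0 host' (the last token wins)."""
    hosts = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        host = normalize(tokens[-1])
        if host:
            hosts.append(host)
    return hosts


def _allowed(host: str, allow: Set[str]) -> bool:
    # Assumption: whitelisting example.org also exempts *.example.org.
    return host in allow or any(host.endswith("." + a) for a in allow)


def build_hosts_block(blacklist: str, whitelist: str, sink: str = "0.0.0.0") -> List[str]:
    """Lines to append to /etc/hosts.  0.0.0.0 (rather than 127.0.0.1) makes the
    connection fail immediately instead of hitting a local listener."""
    allow = set(parse_list(whitelist))
    seen: Set[str] = set()
    out: List[str] = []
    for host in parse_list(blacklist):
        if host in seen or _allowed(host, allow):
            continue
        seen.add(host)
        out.append(f"{sink} {host}")
    return out


def build_dnsmasq_block(domains: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """/etc/hosts cannot wildcard, so blocking 'facebook.com' there leaves
    every subdomain open.  dnsmasq's address= directive covers the whole tree."""
    return [f"address=/{d}/{sink}" for d in (normalize(x) for x in domains) if d]


if __name__ == "__main__":
    BLACKLIST = """# constructed sample blacklist
ads.example.net
www.facebook.com
FACEBOOK.COM.
0.0.0.0 tracker.example.org
ads.example.net        # duplicate, dropped
not_valid.example      # underscore: rejected by normalize()
gravatar.com
"""
    WHITELIST = "tracker.example.org   # something I actually need\n"
    print("\n".join(build_hosts_block(BLACKLIST, WHITELIST)))
    print("\n".join(build_dnsmasq_block(["facebook.com", "gravatar.com"])))
```

Keeping the two lists as plain text files under version control makes the "who leaked my address / what broke today" archaeology trivial, and regenerating rather than hand-editing /etc/hosts means a typo in the blacklist never ends up resolving a tracker to a real address.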
All these same things except...not chrome. It is terrible for privacy. Use firefox with telemetry turned off, or perhaps waterfox, palemoon, or brave. Degoogled chromium may be ok but is not recommended.
> Set text alerts for your card transactions over certain limit
SMS is notoriously bad, and carriers can easily keep old messages. Don't recommend this.
Does everything Google authenticator does, but you can upgrade your phone and use other devices as backups (in case of device loss)
While it's certainly better than no 2FA, it's not as good as having the token and password in different places.
I feel this is pretty simple, way simpler than many other recommendations here, and has its benefits especially for people that tend to browse without paying too much attention.
Additionally, keep all your devices up to date with patches. Run windows update, update iOS/Android etc.
If your primary email gets hacked and you're using your own domain, you can regain access to your online banking, utilities etc by moving your email address to another hosting provider via a few DNS changes. (Think about how password reset works).
It also protects you from google/hotmail/aol/yahoo shutting down your account.
It asks you a few easy questions (what device you use, what are you concerned about) and provides you with personalized advice along with ratings on how easy it is to set up (setting up 2FA is easy vs. setting up a VPN is medium).
A list of all their recommendations is at https://securityplanner.org/#/all-recommendations, and they even offer printer-friendly versions you can use.
You can toggle the "quick-and-easy+free" fixes, which I'm listing:
1. Install HTTPS Everywhere
2. Use Chrome/Firefox
3. Privacy Badger
4. Security Checkups (Google/Facebook - Includes 2FA + More)
5. Password Alert
7. Privacy Settings for online accounts
Go check it out for more detailed instructions.
As I already recommended in another comment, chrome is an INCREDIBLY BAD IDEA for privacy. Use ungoogled chromium if you need a google-only site, otherwise just firefox (with telemetry turned off).
* ublock origin (add reek anti-adblock or whatever the newest alternative to it is)
* refcontrol (firefox <=56 only, I use waterfox)
* privacy badger
* https everywhere
* cookie autodelete
Get a VPN
Use a browser that is not chrome, chromium, edge, IE, opera. Firefox (disable the firefox health report (FHR) and telemetry!!), waterfox, vivaldi, palemoon, brave, and degoogled chromium are ok.
Use a password manager, I recommend keepass.
If your threat model includes state level actors - Wire's Swiss-based company might provide some protection over potential problems of Moxie and WhisperSystem being in the US - but if you're trying to protect against the NSA I hope you've got better sources of advice than an Ask HN...
As a "low hanging fruit" - and of Signal or Wire or maybe even WhatsApp are better than SMS or Google Chat... If your friend group has already chosen one of them - use that. If you get to choose, I'd recommend Signal - but not in a super strongly opinionated way.
Oh, you don't have a DNS cache on your LAN? Strongly recommended for performance reasons, if not privacy as well. I don't remember what actual measurements I ended up with, but latency really hurts!
I run dnscrypt-proxy locally, encrypting (TLS) all my DNS traffic between me and OpenDNS, also giving me the option for my system resolver to give NXDOMAIN for any names on a local blacklist.
It was remarkably easy to setup, just install the package.
$ cat /etc/dnscrypt-proxy/blacklist