Merge branch 'master' of github.com:Lissy93/personal-security-checklist into gh-pages

pull/41/head
Alicia Sykes 2020-06-09 23:06:35 +01:00
commit ca3bcd1ea4
7 changed files with 1335 additions and 575 deletions
@ -1,72 +1,95 @@
## Digital Privacy and Security- The Current Situation
# Digital Privacy and Security- Why is Matters
Privacy is a fundamental right. It is being abused by governments (with mass-surveillance), corporations (making money out of selling our personal data) and cyber criminals (stealing our poorly-secured personal data and using it against us).
**TLDR;** Privacy is a fundamental right, and essential to democracy, liberty, and freedom of speech. Our privacy is being abused by governments (with mass-surveillance), corporations (profiting from selling personal data), and cyber criminals (stealing our poorly-secured personal data and using it against us). Security is needed in order to keep your private data private, and good digital security is critical to stay protected from the growing risks of cybercrime.
----
## What is Personal Data?
Personal data is any information that relates to an identified or identifiable living individual. Even data that has been de-identified or anonymized can often still be used to re-identify a person, especially when combined with a secondary data set.
This could be sensitive documents (such as medical records, bank statements, card numbers, etc), or user-generated content (messages, emails, photos, search history, home CCTV, etc) or apparently trivial metadata (such as mouse clicks, typing patterns, time spent on each web page, etc)
## How is Data Collected?
One of the most common data collection methods is web tracking. This is when websites use cookies, device fingerprints, and other methods to identify you, and follow you around the web. It is often done for advertising, analytics, and personalization. When aggregated together, this data can paint a very detailed picture of who you are.
## How is Data Stored?
Data that has been collected is stored in databases on a server. These servers are rarely owned by the companies managing them, [56% of servers](https://www.canalys.com/newsroom/global-cloud-market-Q3-2019) are owned by Amazon AWS, Google Cloud, and Microsoft Azure. If stored correctly the data will be encrypted, and authentication required to gain access. However that usually isn't the case, and large data leaks [occour almost dailey](https://selfkey.org/data-breaches-in-2019/). As well as that data breaches occur, when an adversary compromises a database storing personal data. In fact, you've probably already been caught up in a data breach (check your email, at [have i been pwned](https://haveibeenpwned.com))
## What is Personal Data Used For?
Data is collected, stored and used by governments, corporations and sometimes criminals:
### Government Mass Surveillance
Intelligence and law enforcement agencies need surveillance powers to tackle serious crime and terrorism. However, since the Snowden revelations, we now know that this surveillance is not targeted at those suspected of wrongdoing- but instead the entire population. All our digital interactions are being logged and tracked by our very own governments.
Mass surveillance is a means of control and suppression. When you know you are being watched, you subconsciously change your behavior, it has this chilling effect. A society of surveillance is just 1 step away from a society of submission.
### Cyber Crime
Hackers and cybercriminals pose an ongoing and constantly evolving threat. With the ever-increasing amount of our personal data being collected and logged - we are more vulnerable to data breaches and identity fraud than ever before.
In the same way, criminals will go to great lengths to use your data against you: either through holding it ransom, impersonating you, stealing money or just building up a profile on you and selling it on, to another criminal entity.
Mass surveillance is a means of control and suppression, it takes away our inerrant freedoms and breeds conformity. When we know we are being watched, we subconsciously change your behavior. A society of surveillance is just 1 step away from a society of submission.
### Corporations
On the internet the value of data is high. Companies all want to know exactly who you are and what you are doing. They collect data, store it, use it and sometimes sell it on.
Everything that each of us does online leaves a trail of data. These traces make up a goldmine of information full of insights into people on a personal level as well as a valuable read on larger cultural, economic and political trends. Tech giants (such as Google, Facebook, Apple, Amazon, and Microsoft) are leveraging this, building billion-dollar businesses out of the data that are interactions with digital devices create. We, as users have no guarantees that what is being collected is being stored securely, we often have no way to know for sure that it is deleted when we request so, and we don't have access to what their AI systems have refered from our data.
Everything that each of us does online leaves a trail of data. If saved and used correctly, these traces make up a goldmine of information full of insights into people on a personal level as well as a valuable read on larger cultural, economic and political trends. Tech giants (such as Google, Facebook, Uber, Amazon, and Spotify) are leveraging this, building billion-dollar businesses out of the data that are interactions with digital devices create. We, as users have no gaurantees that what is being collected is being stored securly, we often have no way to know for sure that it is deleted when we request so, and we don't have access to what theit AI systems have refered from our data.
Our computers, phones, wearables, digital assistants and IoT have been turned into tracking bugs that are plugged into a vast corporate-owned surveillance network. Where we go, what we do, what we talk about, who we talk to, and who we see everything is recorded and, at some point, leveraged for value. They know us intimately, even the things that we hide from those closest to us. In our modern internet ecosystem, this kind of private surveillance is the norm.
Our computers, phones, wearables, digital assistants and IoT have been turned into bugs that are plugged into a vast corporate-owned surveillance network. Where we go, what we do, what we talk about, who we talk to, and who we see everything is recorded and, at some point, leveraged for value. They know us intimately, even the things that we hide from those closest to us. In our modern internet ecosystem, this kind of private surveillance is the norm.
### Cybercriminals
Hackers and cybercriminals pose an ongoing and constantly evolving threat. With the ever-increasing amount of our personal data being collected and logged - we are more vulnerable to data breaches and identity fraud than ever before.
In the same way, criminals will go to great lengths to use your data against you: either through holding it ransom, impersonating you, stealing money or just building up a profile on you and selling it on, to another criminal entity.
---
## Why Data Privacy Matters
## What data is Collected about You
Every interaction that you have an internet-connected device is logged. This includes all the data that you physically enter, as well as everything that is passively collected, such as your clicks/ scrolls amount of time spent looking at each part, etc, and finally data that is aggressively collected through background processes, GPS, gyroscope measurements, microphones and sometimes cameras. All this data is sent to servers, where you have no guarantee of how it is stored, what it will be used for, or if it will ever be sold. When you request for your information to be deleted- it often isn't- the data is almost ever-lasting.
#### Data Privacy and Freedom of Speech
Privacy is a fundamental right, and you shouldn't need to prove the necessity of fundamental right to anyone. As Edward Snowden said, "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say". There are many scenarios in which privacy is crucial and desirable like intimate conversations, medical procedures, and voting. When we know we are being watched, our behavior changes, which in turn suppresses things like free speech.
#### Data Can Have Control Over You
Knowledge is power; Knowledge about you is power over you. Your information will be used to anticipate your actions and manipulate the way you shop, vote, and think. When you know you are being watched, you subconsciously change your behavior. Mass surveillance is an effective, means of fostering compliance with social norms or with social orthodoxy. Without privacy, you might be afraid of being judged by others, even if you're not doing anything wrong. It can be a heavy burden constantly having to wonder how everything we do will be perceived by others.
## What Happens to Data that is Collected about You
- It can be sold. Data brokers pay a high price for peoples personal details and habits
- It can be used to show you ads. You may see different search results than someone else because your search engine is subtly trying to sell things to you.
- It can get into the wrong hands. Criminals use people's personal details to pull off scams, hold you to ransom, impersonate you to extract funds or further control over your digital life.
- It can allow both local and foreign governments to profile, and track you.
- It can be stored, indefinitely- and some of it can be potentially used against you in the future
#### Data Can Be Used Against You
Your personal information and private communications can be "cherry-picked" to paint a certain one-sided picture. It can make you look like a bad person, or criminal, even if you are not. Data often results in people not being judged fairly- standards differ between cultures, organisations, and generations. Since data records are permanent, behavior that is deemed acceptable today, may be held against you tomorrow. Further to this, even things we don't think are worth hiding today, may later be used against us in unexpected ways.
---
#### Data Collection Has No Respect For Boundaries
Data collection has no respect for social boundaries, you may wish to prevent some people (such as employers, family or former partners) from knowing certain things about you. Once you share personal data, even with a party you trust, it is then out of your control forever, and at risk of being hacked, leaked or sold. An attack on our privacy, also hurts the privacy of those we communicate with.
## Got nothing to hide?
#### Data Discriminates
When different pieces of your data is aggregated together, it can create a very complete picture of who you are. This data profile, is being used to influence decisions made about you: from insurance premiums, job prospects, bank loan eligibility and license decisions. It can determine whether we are investigated by the government, searched at the airport, or blocked from certain services. Even what content you see on the internet is affected by our personal data. This typically has a bigger impact on minority groups, who are unfairly judged the most. Without having the ability to know or control what, how, why and when our data is being used, we loose a level of control. One of the hallmarks of freedom is having autonomy and control over our lives, and we cant have that if so many important decisions about us are being made in the dark, without our awareness or participation.
Privacy isnt about hiding information; privacy is about protecting information, and surely you have information that youd like to protect. Even with nothing to hide, you still put blinds on your window- and you wouldn't want your search history, bank statements, photos, notes or messages to be publicly available to the world.
Privacy is a fundamental right, and you shouldn't need to prove the necessity of fundamental right to anyone. As Edward Snowden said, "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say". There are many scenarios in which privacy is crucial and desirable like intimate conversations, medical procedures, and voting. When we know we are being watched, our behaviour changes, which in turn suppresses things like free speech.
You need privacy to avoid unfortunately common threats like identity theft, manipulation through ads, discrimination based on your personal information, harassment, the [filter bubble](https://spreadprivacy.com/filter-bubble/), and many other real harms that arise from invasions of privacy. An attack on our privacy, also hurts the privacy of those we communicate with.
In addition, what many people dont realize is that several small pieces of your personal data can be put together to reveal much more about you than you would think is possible. When different pieces of your data is aggregated together, it can create a very complete picture of who you are, where you spend your time. Further to this, even things we don't think are worth hiding today, may later be used against us in unexpected ways.
#### The "I Have Nothing to Hide" Argument
Privacy isnt about hiding information; privacy is about protecting information, and everyone has information that theyd like to protect. Even with nothing to hide, you still put blinds on your window, locks on your door, and passwords on your email account.- Nobody would want their search history, bank statements, photos, notes or messages to be publicly available to the world.
#### Data Privacy needs to be for Everyone
For online privacy to be effective, it needs to be adopted my the masses, and not just the few. By exercising your right to privacy, you make it easier for others, such as activists and journalists, to do so without sticking out.
----
#### There's more to check out!
## So What Should we Do?
- Educate yourself about what's going on and why it matters
- Be aware of changes to policies, revelations, recent data breaches and related news
- Take steps to secure your online accounts, protect your devices
- Understand how to communicate privately, and how use the internet anonymously
- Use software and services that respect your privacy, and keep your data safe
- Support organisations that fight for your privacy and internet freedom
- Find a way to make your voice heard, and stand up for what you believe in
----
## Further Links
- [Ultimate Personal Security Checklist](/README.md)
- [Why Privacy & Security Matters](/0_Why_It_Matters.md)
- [Privacy-Respecting Software](/5_Privacy_Respecting_Software.md)
- [Privacy & Security Gadgets](/6_Privacy_and-Security_Gadgets.md)
- [Further Links + More Awesome Stuff](/4_Privacy_And_Security_Links.md)
<a href="https://twitter.com/intent/follow?screen_name=Lissy_Sykes">
<img src="https://img.shields.io/twitter/follow/Lissy_Sykes?style=social&logo=twitter" alt="Follow Alicia Sykes on Twitter">
</a>
----
#### Notes
*Thanks for visiting, hope you found something useful here :) Contributions are welcome, and much appreciated - to propose an edit [raise an issue](https://github.com/Lissy93/personal-security-checklist/issues/new/choose), or [open a PR](https://github.com/Lissy93/personal-security-checklist/pull/new/master). See: [`CONTRIBUTING.md`](/.github/CONTRIBUTING.md).*
*I owe a lot of thanks others who've conducted research, written papers, developed software all in the interest of privacy and security. Full attributions and referenses found in [`ATTRIBUTIONS.md`](/ATTRIBUTIONS.md).*
*I owe a lot of thanks others who've conducted research, written papers, developed software all in the interest of privacy and security. Full attributions and references found in [`ATTRIBUTIONS.md`](/ATTRIBUTIONS.md).*
#### License
*Licensed under [Creative Commons, CC BY 4.0](https://creativecommons.org/licenses/by/4.0/), © [Alicia Sykes](https://aliciasykes.com) 2020*
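Review bot: the new top heading `# Digital Privacy and Security- Why is Matters` has a typo ("is" for "it"); suggest `# Digital Privacy and Security - Why it Matters`. A spelling pass is needed on the rest of this hunk before it ships: "occour almost dailey" and the fragment "As well as that data breaches occur, when an adversary compromises a database" in the "How is Data Stored?" paragraph; "inerrant freedoms" (inherent) and "we subconsciously change your behavior" (our) in the Government Mass Surveillance paragraph; "gaurantees", "securly", "theit" and "refered" (inferred) in the Corporations paragraph; "loose a level of control" (lose) and "we cant" under "Data Discriminates"; the missing apostrophes in "isnt", "youd", "theyd" and "dont"; "adopted my the masses" (by); and "referenses" in the Notes. Also worth a second look: the "How is Data Stored?" paragraph presents the Canalys cloud-market figure as "[56% of servers] are owned by Amazon AWS, Google Cloud, and Microsoft Azure", which is a market-share statistic rather than a count of servers, and "that usually isn't the case" about encryption and authentication is asserted without a source; soften the wording or cite it. Finally, the "Further Links" list here includes `[Why Privacy & Security Matters](/0_Why_It_Matters.md)`, which appears to link this page to itself.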
@ -74,10 +97,10 @@ In addition, what many people dont realize is that several small pieces of yo
----
Found this helpful? Consider sharing it with others, to help them also improvde their digital security 😇
Found this helpful? Consider sharing it with others, to help them also improve their digital security 😇
[![Share on Twitter](https://i.ibb.co/2hqF59H/share-twitter.png)](http://twitter.com/share?text=Check%20out%20the%20Personal%20Cyber%20Security%20Checklist-%20an%20ultimate%20list%20of%20tips%20for%20protecting%20your%20digital%20security%20and%20privacy%20in%202020%2C%20with%20%40Lissy_Sykes%20%F0%9F%94%90%20%20%F0%9F%9A%80&url=https://github.com/Lissy93/personal-security-checklist)
[![Share on LinkedIn](https://i.ibb.co/9Ngh9jg/share-linkedin.png)](
[![Share on Twitter](https://img.shields.io/badge/Share-Twitter-17a2f3?style=for-the-badge&logo=Twitter)](http://twitter.com/share?text=Check%20out%20the%20Personal%20Cyber%20Security%20Checklist-%20an%20ultimate%20list%20of%20tips%20for%20protecting%20your%20digital%20security%20and%20privacy%20in%202020%2C%20with%20%40Lissy_Sykes%20%F0%9F%94%90%20%20%F0%9F%9A%80&url=https://github.com/Lissy93/personal-security-checklist)
[![Share on LinkedIn](https://img.shields.io/badge/Share-LinkedIn-0077b5?style=for-the-badge&logo=LinkedIn)](
http://www.linkedin.com/shareArticle?mini=true&url=https://github.com/Lissy93/personal-security-checklist&title=The%20Ultimate%20Personal%20Cyber%20Security%20Checklist&summary=%F0%9F%94%92%20A%20curated%20list%20of%20100%2B%20tips%20for%20protecting%20digital%20security%20and%20privacy%20in%202020&source=https://github.com/Lissy93)
[![Share on Facebook](https://i.ibb.co/cc6tFVj/share-facebook.png)](https://www.linkedin.com/shareArticle?mini=true&url=https%3A//github.com/Lissy93/personal-security-checklist&title=The%20Ultimate%20Personal%20Cyber%20Security%20Checklist&summary=%F0%9F%94%92%20A%20curated%20list%20of%20100%2B%20tips%20for%20protecting%20digital%20security%20and%20privacy%20in%202020&source=)
[![Share on Pinterest](https://i.ibb.co/x8L70b0/share-pinterest.png)](https://pinterest.com/pin/create/button/?url=https%3A//repository-images.githubusercontent.com/123631418/79c58980-3a13-11ea-97e8-e45591ef2d97&media=The%20Ultimate%20Personal%20Cyber%20Security%20Checklist&description=%F0%9F%94%92%20A%20curated%20list%20of%20100%2B%20tips%20for%20protecting%20digital%20security%20and%20privacy%20in%202020)
[![Share on Facebook](https://img.shields.io/badge/Share-Facebook-4267b2?style=for-the-badge&logo=Facebook)](https://www.linkedin.com/shareArticle?mini=true&url=https%3A//github.com/Lissy93/personal-security-checklist&title=The%20Ultimate%20Personal%20Cyber%20Security%20Checklist&summary=%F0%9F%94%92%20A%20curated%20list%20of%20100%2B%20tips%20for%20protecting%20digital%20security%20and%20privacy%20in%202020&source=)
[![Share on Mastodon](https://img.shields.io/badge/Share-Mastodon-56a7e1?style=for-the-badge&logo=Mastodon)](https://mastodon.social/web/statuses/new?text=Check%20out%20the%20Ultimate%20Personal%20Cyber%20Security%20Checklist%20by%20%40Lissy93%20on%20%23GitHub%20%20%F0%9F%94%90%20%E2%9C%A8)
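Review bot: the "Share on Facebook" badge, in both the old and the new line, points at `https://www.linkedin.com/shareArticle?mini=true&url=...`, not a Facebook sharer, so clicking it opens LinkedIn; fix the destination or drop the badge. The LinkedIn badge also splits its link across two lines (`[![Share on LinkedIn](...)](` with the URL on the following line), which is fragile across Markdown renderers; keep the whole link on one line like the other badges.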
@ -12,32 +12,49 @@ It lays out the 20 most essential security + privacy tips, that you should compl
### Authentication
- Use strong, unique passphrases for each of your accounts (12+ alpha-numeric upper and lower-case letters + symbols). Avoid predicitable patterns, dictionary words and names.
- Use a password manager: It is going to be almost impossible to remember hundreds of unique passwords. A password manager will generate strong passwords, securly store and auto-fill them, with a browser extension and mobile app. All you will need to do, is remember 1 master password. [BitWarden](https://bitwarden.com) is a great option, as is [1Password](https://1password.com) (not open source). [KeePass XC](https://keepassxc.org) is more secure, but without any cloud-sync functionality.
- Use 2-factor authentication for all secure accounts (email, cloud storage, financial accounts and social media). You can do this with [Authy](https://authy.com) (proprietary) which will also let you back up and sync your tokens across multiple devices. Or you can use [Aegis](https://getaegis.app) or [AndOTP](https://github.com/andOTP/andOTP) which are both open source.
- Be cautious when logging into your accounts on someone elses device, as you cannot be sure that it is free of malware. If you do need to access one of your accounts, use incognito mode (Ctrl+Shift+N) so your credentials don't get cached.
- Use a long, strong and unique password for each of your accounts (see [HowSecureIsMyPassword.net](https://howsecureismypassword.net))
- Use a secure [password manager](/5_Privacy_Respecting_Software.md#password-managers), to encrypt, store and fill credentials, such as [BitWarden](https://bitwarden.com) or KeePass (no cloud-sync)
- Enable 2-Factor authentication where available, and use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) or hardware token
- Sign up for breach alerts (with [Firefox Monitor](https://monitor.firefox.com) or [HaveIBeenPwned](https://haveibeenpwned.com)), and update passwords of compromised accounts
### Browsing
- Don't enter any personal details on websites that are not HTTPS
- Switch to [Firefox](https://www.mozilla.org/en-GB/firefox/new/) or [Brave Browser](https://brave.com/?ref=ali721), both of which have strong privacy and security configurations by default, and will also make loading websites faster. Consider using [Tor](https://www.torproject.org/) for the greatest privacy.
- Consider using search engine that doesn't track you, such as [DuckDuckGo](https://duckduckgo.com/) or [StartPage](https://www.startpage.com/), which show unbiased results and don't keep logs.
- Install [PrivacyBadger](https://www.eff.org/privacybadger) extension to block invisible trackers, and [HTTPS Everywhere](https://www.eff.org/https-everywhere) to force sites to load via HTTPS. You can use [Panopticlick](https://panopticlick.eff.org/) to quickly check if your browser is safe against tracking.
- Use a Privacy-Respecting Browser, [Brave](https://brave.com) and [Firefox](https://www.mozilla.org/en-US/exp/firefox/new) are gtrat options. Set your default search to a non-tracking search engine, such as [DuckDuckGo](https://duckduckgo.com)
- Do not enter any information on a non-HTTPS website (look for the lock icon), consider using [HTTPS-Everywhere](https://www.eff.org/https-everywhere) to make this easier
- Block invasive 3rd-party trackers and ads using an extension like [Privacy Badger](https://privacybadger.org) or [uBlock](https://github.com/gorhill/uBlock)
- Don't allow your browser to save your passwords or auto-fill personal details (instead use a [password manager](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md#password-managers), and [disable your browsers own auto-fill](https://www.computerhope.com/issues/ch001377.htm))
- Clear your cookies, session data and cache regularly. An extension such as [Cookie-Auto-Delete](https://github.com/Cookie-AutoDelete/Cookie-AutoDelete) to automate this
- Don't sign into your browser, as it can link further data to your identity. If you need to, you can use an open source [bookmark sync](/5_Privacy_Respecting_Software.md#browser-sync) app
- Consider using [Decentraleyes](https://decentraleyes.org) to decrease the number of trackable CDN requests your device makes
- Consider using compartmentalization to separate different areas of your browsing (such as work, social, shopping etc), in order to reduce tracking. This can be done with [Firefox Containers](https://support.mozilla.org/en-US/kb/containers), or by using separate browsers or browser profiles
- Test your browser using a tool like [Panopticlick](https://panopticlick.eff.org) to ensure there are no major issues. [BrowserLeaks](https://browserleaks.com) and [Am I Unique](https://amiunique.org/fp) are also useful for exploring what device info your exposing to websites
- Keep your browser up-to-date, explore the privacy settings and remove unnecessary add-ons/ extensions (as they may make you more trackable)
- For anonymous browsing use [The Tor Browser](https://www.torproject.org/), and avoid logging into any of your personal accounts
### Phone
- Have a strong pin/password on your mobile device.
- Turn off WiFi when your not using it, and delete saved networks that you no longer need (Settings --> WiFi --> Saved Networks).
- Don't grant apps permissions that they don't need. For Android, you can use [Exodus](https://exodus-privacy.eu.org/en/) to quickly see the permissions and trackers for each of your installed apps.
- Set a device PIN, ideally use a long passcode
- Encrypt your device, in order to keep your data safe from physical access. To enable, for Android: `Settings --> Security --> Encryption`, or for iOS: `Settings --> TouchID & Passcode --> Data Protection`
- Keep device up-to-date. System updates often contain patches for recently-discovered security vulnrabilities. You should install updates when prompted
- Review application permissions. Don't grant access permissions to apps that do not need it. (For Android, see also [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission&hl=en_US) - an app that allows you to grant temporary permissions)
- Disable connectivity features that aren't being used, and 'forget' WiFi networks that you no longer need
- Disable location tracking. By default, both Android and iOS logs your GPS location history. You can disable this, for Android: `Maps --> Settings --> Location History`, and iOS: `Settings --> Privacy --> Location Services --> System Services --> Places`. Be aware that third-party apps may still log your position, and there are other methods of determining your location other than GPS (Cell tower, WiFi, Bluetooth etc)
- Use an application firewall to block internet connectivity for apps that shouldn't need it. Such as [NetGuard](https://www.netguard.me/) (Android) or [Lockdown](https://apps.apple.com/in/app/lockdown-apps/id1469783711) (iOS)
- Understand that apps contain trackers, that collect, store and sometimes share your data. For Android, you could use [Exodus](https://exodus-privacy.eu.org/en/page/what/) to reveal which trackers your installed apps are using.
### Email
- It's important to protect your email account, as if a hacker gains access to it he/she will be able to reset the passwords for all your other accounts. Ensure you have a strong and unique password, and enable 2FA.
- Emails are not encrypted by default, meaning they are able to be read by anyone who intercepts them as well as your email provider (Google, Microsoft, Apple, Yahoo etc all monitor emails). Consider switching to a secure mail provider using end-to-end encryption, such as [ProtonMail](https://protonmail.com/) or [Tutanota](https://tutanota.com/).
It's important to protect your email account, as if a hacker gains access to it they will be able to pose as you, and reset the passwords for your other online accounts. One of the biggest threats to digital security is still phishing, and it can sometimes be incredibly convincing, so remain vigilant, and understand [how to spot malicious emails](https://heimdalsecurity.com/blog/abcs-detecting-preventing-phishing), and avoid publicly sharing your email address
- Use a long, strong and unique password and enable 2FA
- Consider switching to a secure and encrypted mail provider using, such as [ProtonMail](https://protonmail.com) or [Tutanota](https://tutanota.com)
- Use email aliasing to protect your real mail address, with a provider such as [Anonaddy](https://anonaddy.com) or [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso). This allows you to keep your real address private, yet still have all messages land in your primary inbox
- Disable automatic loading of remote content, as it is often used for detailed tracking but can also be malicious
- Using a custom domain, will mean you will not loose access to your email address if your current provider disappears. If you need to back up messages, use a secure IMAP client [Thuderbird](https://www.thunderbird.net)
### Networking
- Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log. (Note: VPN's do not provide ultimate protection as advertisers commonly state). See [thatoneprivacysite.net](https://thatoneprivacysite.net/) for a detailed comparison chart. [ProtonVPN](https://protonvpn.com/) has a free starter plan, [Mullvad](https://mullvad.net/) is great for anonymity. Other good all-rounders include [IVPN](https://www.ivpn.net/), NordVPN, TorGuard and AirVPN.
- Use a reputable VPN to keep your IP protected and reduce the amount of browsing data your ISP can log, but understand their limitations. Good options include [ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net), see [thatoneprivacysite.net](https://thatoneprivacysite.net/) for detailed comparisons
- Change your routers default password. Anyone connected to your WiFi is able to listen to network traffic, so in order to prevent people you don't know from connecting, use WPA2 and set a strong password.
- Update your router settings to use a secure DNS, such as [Cloudflare's 1.1.1.1](https://1.1.1.1/dns/), this should also speed up your internet. If you cannot modify your roters settings, you can set the DNS on your phone (with the [1.1.1.1. app](https://1.1.1.1/)), or [Windows](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/windows/), [Mac](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/mac/) or [Linux](https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/linux/). DNS is the system used to resolve URL's to their server addresses, many DNS providers collect data on your browsing habbits and use it to target you with ads or sell it on.
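Review bot: the incognito advice in the Authentication bullet ("use incognito mode (Ctrl+Shift+N) so your credentials don't get cached") does not address the risk the same bullet names: private browsing only stops the browser keeping history, cookies and cached data, it does nothing against malware such as a keylogger on someone else's device. Suggest the bullet say to avoid signing in on untrusted devices where possible and, if it was unavoidable, to change the password afterwards, rather than present incognito as the mitigation. Spelling in the bullets also needs a pass: "predicitable", "securly", "someone elses", "gtrat options", "device info your exposing", "WiFi when your not using it", "vulnrabilities", "loose access", "Thuderbird" (and "use a secure IMAP client Thuderbird" is missing "such as"), "roters settings", "browsing habbits"; and "VPN's" / "URL's" should be "VPNs" / "URLs".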
@ -1,47 +1,31 @@
# Awesome Privacy & Securty [![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re) [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg?style=flat-square)](http://makeapullrequest.com) [![License](https://img.shields.io/badge/LICENSE-CC_BY_4.0-00a2ff?&style=flat-square)](https://creativecommons.org/licenses/by/4.0/) [![Contributors](https://img.shields.io/github/contributors/lissy93/personal-security-checklist?color=%23ffa900&style=flat-square)](https://github.com/Lissy93/personal-security-checklist/graphs/contributors)
> A curated list of useful tools and resources online, that help protect your privacy and keep you safe.
*A curated list of notable guides, articles, tools and media - relating to digital security, internet freedom and online privacy*
**See also**: [Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md) | [Privacy-Respecting Software](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md) 🔐
**See also**: [Personal Security Checklist](https://github.com/Lissy93/personal-security-checklist/blob/master/README.md) | [Privacy-Respecting Software](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md) | [Security Gadgets](/6_Privacy_and-Security_Gadgets.md) | [Why Privacy Matters](/0_Why_It_Matters.md) | [TLDR](/2_TLDR_Short_List.md)🔐
- **Information and Guides**
- [Getting Started Guides](#getting-started-guides)
- [Specific How-To Guides](#how-to-guides)
- [Notable Articles](#notable-articles)
- [How-To Guides](#how-to-guides)
- [Articles](#articles)
- [Blogs](#blogs)
- **Media**
- [Books](#books)
- [Podcasts](#podcasts)
- [Videos](#videos)
- **Websites & Services**
- **Security Tools & Services**
- [Online Tools](#online-tools)
- [Anonymous Services](#anonymous-services)
- [Interesting Websites](#interesting-websites)
- [Privacy-Respecting Software](#privacy-respecting-software)
- Privacy-Respecting Software, moved to [here](/5_Privacy_Respecting_Software.md)
- Security Hardware, moved to [here](/6_Privacy_and-Security_Gadgets.md)
- **Research**
- [Data and API's](#data-apis-and-visualisations)
- [Academic](#academic)
- **Organisations**
- [Foundations](#foundations)
- [Government Organisations](#government-organisations)
- **Research**
- [Data and API's](#data-and-apis)
- [Academic Journals](#academic-journals)
- [Implementations and Standards](#implementations-and-standards)
- **More Lists**
- [Mega Guides](#mega-guides)
- [Other GitHub Security Lists](#unrelated-awesome-lists)
## Getting Started Guides
- [EFF SSD](https://ssd.eff.org) - Tips for safer online communications
- [PrivacyTools.io]( https://www.privacytools.io) - Tools to protect against mass surveillance
- [PrismBreak](https://prism-break.org/en/all) - Secure app alternatives
- [The VERGE guide to privacy](https://bit.ly/2ptl4Wm) - Guides for securing mobile, web and home tech
- [Email Self-Defense](https://emailselfdefense.fsf.org) - Complete guide to secure email
- [Security Planner](https://securityplanner.org) - Great advise for beginners
- [My Shaddow](https://myshadow.org) - Resources and guides, to help you take controll of your data
- [TwoFactorAuth.org](https://twofactorauth.org) - A direcory of websites, apps and services supporting 2FA
- [Just Delete Me](https://justdeleteme.xyz) - A directory of direct links to delete your account from web services
- [Other GitHub Security Lists](#more-awesome-github-lists)
## How-To Guides
@ -50,6 +34,9 @@
- Protect against SIM-swap scam: via [wired](https://www.wired.com/story/sim-swap-attack-defend-phone)
- How to spot a phishing attack: via [EFF](https://ssd.eff.org/en/module/how-avoid-phishing-attacks)
- Protection from Identity Theft: via [Restore Privacy](https://restoreprivacy.com/identity-theft-fraud)
- Harden your MacOS Security: via [@drduh on GitHub](https://github.com/drduh/macOS-Security-and-Privacy-Guide)
- Protecting from key-stroke-logging, with KeyScrambler: via [TechRepublic](https://www.techrepublic.com/blog/it-security/keyscrambler-how-keystroke-encryption-works-to-thwart-keylogging-threats)
- Permanently and Securely Delete Files and Directories in Linux: via [TechMint](https://www.tecmint.com/permanently-and-securely-delete-files-directories-linux/)
- **Netowkring**
- How to enable DNS over HTTPS: via [geekwire](https://geekwire.co.uk/privacy-and-security-focused-dns-resolver)
- How to resolve DNS leak issue: via [DNSLeakTest](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html)
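Review bot: the new sub-heading "**Netowkring**" should be "**Networking**". The "How to spot a phishing attack" entry in this hunk uses the same EFF URL as "How to avoid Phishing Attacks" added under Communication in the next hunk; list it once.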
@ -60,61 +47,163 @@
- Beginners guide to I2P: via [The Tin Hat](https://thetinhat.com/tutorials/darknets/i2p.html)
- How to Use a VPN and Tor together: via [ProPrivacy](https://proprivacy.com/vpn/guides/using-vpn-tor-together)
- **Communication**
- Configure your email client securly, from scratch - via [FSF](https://emailselfdefense.fsf.org)
- Overview of projects working on next-generation secure email: via [OpenTechFund](https://github.com/OpenTechFund/secure-email)
- Email Self-Defense, Configure your mail client securly, from scratch - via [FSF.org](https://emailselfdefense.fsf.org)
- How to avoid Phishing Attacks: via [EFF](https://ssd.eff.org/en/module/how-avoid-phishing-attacks)
- How to use PGP: Via EFF - [Windows](https://ssd.eff.org/en/module/how-use-pgp-windows), [MacOS](https://ssd.eff.org/en/module/how-use-pgp-mac-os-x) and [Linux](https://ssd.eff.org/en/module/how-use-pgp-linux)
- **Devices**
- How to Enable Encryption on your Devices: via [SpreadPrivacy.com](https://spreadprivacy.com/how-to-encrypt-devices/)
- How to Delete your Data Securely: Via EFF - [Windows](https://ssd.eff.org/en/module/how-delete-your-data-securely-windows), [MacOS](https://ssd.eff.org/en/module/how-delete-your-data-securely-macos) and [Linux](https://ssd.eff.org/en/module/how-delete-your-data-securely-linux)
- Layers of Personal Tech Security: via [The Wire Cutter](https://thewirecutter.com/blog/internet-security-layers)
- Improving security on iPhone: via [lifehacker](https://lifehacker.com/the-privacy-enthusiasts-guide-to-using-an-iphone-1792386831)
- Device-Specific Privacy Guides: via [SpreadPrivacy](https://spreadprivacy.com/tag/device-privacy-tips/)
- For: [Windows 10](https://spreadprivacy.com/windows-10-privacy-tips/), [MacOS](https://spreadprivacy.com/mac-privacy-tips/), [Linux](https://spreadprivacy.com/linux-privacy-tips/), [Android](https://spreadprivacy.com/android-privacy-tips/) and [iOS](https://spreadprivacy.com/iphone-privacy-tips/)
- Guide to scrubbing Windows OSs from forensic investigation: by u/moschles, via [Reddit](https://www.reddit.com/r/security/comments/32fb1l/open_guide_to_scrubbing_windows_oss_from_forensic)
- A curated list of Windows Domain Hardening techniques: by @PaulSec, via: [GitHub](https://github.com/PaulSec/awesome-windows-domain-hardening)
- Settings to update on iPhone, for better privacy: via [lifehacker](https://lifehacker.com/the-privacy-enthusiasts-guide-to-using-an-iphone-1792386831)
- **Software**
- How to use Vera Crypt: via [howtogeek](https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt)
- How to use KeePassXC: via [EFF](https://ssd.eff.org/en/module/how-use-keepassxc)
- How to use uMatrix browser addon to block trackers: via [ProPrivacy](https://proprivacy.com/privacy-service/guides/lifehacks-setup-umatrix-beginners)
- How to set up 2-Factor Auth on common websites: via [The Verge](https://www.theverge.com/2017/6/17/15772142/how-to-set-up-two-factor-authentication)
- **Physical Security**
- Hiding from Physical Surveillance: via [Snallabolaget](http://snallabolaget.com/hiding-from-surveillance-how-and-why)
- Guide to opting-out of public data listings and marketing lists: via [World Privacy Forum](https://www.worldprivacyforum.org/2015/08/consumer-tips-top-ten-opt-outs)
- Living Anonymously, Workbook: via [Intel Techniques](https://inteltechniques.com/data/workbook.pdf)
- **Enterprise**
- A basic checklist to harden GDPR compliancy: via [GDPR Checklist](https://gdprchecklist.io)
- **Reference Info**
- A direcory of websites, apps and services supporting 2FA: via [TwoFactorAuth.org](https://twofactorauth.org)
- A directory of direct links to delete your account from web services: via [JustDeleteMe.xyz](https://justdeleteme.xyz)
- Product reviews from a privacy perspective, by Mozilla: via [Privacy Not Included](https://foundation.mozilla.org/en/privacynotincluded)
- Surveillance Catalogue - Database of secret government surveillance equipment, Snowden: via [The Intercept](https://theintercept.com/surveillance-catalogue)
- See also: The source code, on WikiLeaks [Vault7](https://wikileaks.org/vault7) and [Vault8](https://wikileaks.org/vault8), and the accompanying [press release](https://wikileaks.org/ciav7p1)
- Who Has Your Back? - Which companies hand over your comply with Government Data Requests 2019: via [EFF](https://www.eff.org/wp/who-has-your-back-2019)
- Open project to rate, annotate, and archive privacy policies: via [PrivacySpy.org](https://privacyspy.org)
- Check who your local and government representatives in your local area are [WhoAreMyRepresentatives.org](https://whoaremyrepresentatives.org)
- Impartial VPN Comparison Data: via [ThatOnePrivacySite](https://thatoneprivacysite.net/#detailed-vpn-comparison)
- Hosts to block: via [someonewhocares/ hosts](https://someonewhocares.org/hosts) / [StevenBlack/ hosts](https://github.com/StevenBlack/hosts)
- Magic Numbers - Up-to-date file signature table, to identify / verify files have not been tampered with: via [GaryKessler](https://www.garykessler.net/library/file_sigs.html)
- List of IP ranges per country: via [Nirsoft](https://www.nirsoft.net/countryip)
- Database of default passwords for various devices by manufacturer and model: via [Default-Password.info](https://default-password.info)
## Notable Articles
- Twelve Million Phones, One Dataset, Zero Privacy: via [NY Times](https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html)
- Windows data sending: via [The Hacker News](https://thehackernews.com/2016/02/microsoft-windows10-privacy.html)
- Is your Anti-Virus spying on you: via [Restore Privacy](https://restoreprivacy.com/antivirus-privacy)
- What does your car know about you?: via [Washington Post](https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out)
- Turns Out Police Stingray Spy Tools Can Indeed Record Calls: via [Wired](https://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm)
- UK Police Accessing Private Phone Data Without Warrant: via [Restore Privacy](https://restoreprivacy.com/uk-police-accessing-phone-data)
## Articles
- **General**
- 8-point manifesto, of why Privacy Matters: via [whyprivacymatters.org](https://whyprivacymatters.org)
- Rethinking Digital Ads: via [TheInternetHealthReport](https://internethealthreport.org/2019/rethinking-digital-ads)
- **Encryption**
- Overview of projects working on next-generation secure email: via [OpenTechFund](https://github.com/OpenTechFund/secure-email)
- **Surveillance**
- Twelve Million Phones, One Dataset, Zero Privacy: via [NY Times](https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html)
- Windows data sending: via [The Hacker News](https://thehackernews.com/2016/02/microsoft-windows10-privacy.html)
- Is your Anti-Virus spying on you: via [Restore Privacy](https://restoreprivacy.com/antivirus-privacy)
- What does your car know about you?: via [Washington Post](https://www.washingtonpost.com/technology/2019/12/17/what-does-your-car-know-about-you-we-hacked-chevy-find-out)
- Turns Out Police Stingray Spy Tools Can Indeed Record Calls: via [Wired](https://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm)
- UK Police Accessing Private Phone Data Without Warrant: via [Restore Privacy](https://restoreprivacy.com/uk-police-accessing-phone-data)
- Rage Against Data Dominance: via [Privacy International](https://privacyinternational.org/long-read/3734/rage-against-data-dominance-new-hope)
- NSA Files Decoded, What the revelations mean for you: via [The Guardian](https://www.theguardian.com/world/interactive/2013/nov/01/snowden-nsa-files-surveillance-revelations-decoded)
- How to Track a Cellphone Without GPS—or Consent: via [Gizmodo](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371)
- Apps able to track device location, through power manager: via [Wired](https://www.wired.com/2015/02/powerspy-phone-tracking/)
- Hackers and governments can see you through your phones camera: via [Business Insider](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)
- How a highly targeted ad can track your precise movements: via [Wired](https://www.wired.com/story/track-location-with-mobile-ads-1000-dollars-study/)
- Based on the paper, Using Ad Targeting for Surveillance on a Budget: via [Washington.edu](https://adint.cs.washington.edu/ADINT.pdf)
- Law Enforcement Geo-Fence Data Requests- How an Innocent cyclist became a suspect when cops accessed his Google location data: via [Daily Mail](https://www.dailymail.co.uk/news/article-8086095/Police-issue-warrant-innocent-mans-Google-information.html)
- **Breaches**
- Grindr and OkCupid Spread Personal Details Study Says: via [NY Times](https://www.nytimes.com/2020/01/13/technology/grindr-apps-dating-data-tracking.html)
- The Asia-Pacific Cyber Espionage Campaign that Went Undetected for 5 Years: via [TheHackerNews](https://thehackernews.com/2020/05/asia-pacific-cyber-espionage.html)
- **Threats**
- 23 reasons not to reveal your DNA: via [Internet Health Report](https://internethealthreport.org/2019/23-reasons-not-to-reveal-your-dna)
- Security of Third-Party Keyboard Apps on Mobile Devices: via [Lenny Zelster](https://zeltser.com/third-party-keyboards-security)
- Mobile Websites Can Tap Into Your Phone's Sensors Without Asking: via [Wired](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking)
## Blogs
- [Spread Privacy](https://spreadprivacy.com) - Raising the standard of trust online, by DuckDuckGo
- [Restore Privacy](https://restoreprivacy.com) - Tools and guides about privacy and security
- [That One Privacy Site](https://thatoneprivacysite.net) - impartial comparisons and discussions
- [The Hated One](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q) - Privacy and security videos
- [12Bytes](https://12bytes.org/articles/tech) - Opinion Articles about Tech, Privacy and more
- [BringBackPrivacy](https://bringingprivacyback.com) - Easy-reading, sharable privacy articles
- [Heimdal](https://heimdalsecurity.com/blog) - Cyber Security Blog
- [Tech Crunch](https://techcrunch.com/tag/cybersecurity-101) - Cyber Security 101
- [OONI](https://ooni.org/post), Internet freedom and analysis on blocked sites
- [Pixel Privacy](https://pixelprivacy.com/resources) - Online privacy guides
- [The Privacy Project](https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html) - Articles and reporting on Privacy, by the NYT
- [The Tin Hat](https://thetinhat.com) - Tutorials and Articles for Online Privacy
- [FOSS Bytes- Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks
- **Privacy**
- [EFF SSD](https://ssd.eff.org) - Tips for safer online communications
- [Spread Privacy](https://spreadprivacy.com) - Raising the standard of trust online, by DuckDuckGo
- [Restore Privacy](https://restoreprivacy.com) - Tools and guides about privacy and security
- [That One Privacy Site](https://thatoneprivacysite.net) - impartial comparisons and discussions
- [The Hated One](https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q) - Privacy and security videos
- [12Bytes](https://12bytes.org/articles/tech) - Opinion Articles about Tech, Privacy and more
- [Pixel Privacy](https://pixelprivacy.com/resources) - Online privacy guides
- [The Tin Hat](https://thetinhat.com) - Tutorials and Articles for Online Privacy
- [PrivacyTools.io]( https://www.privacytools.io) - Tools to protect against mass surveillance
- [PrismBreak](https://prism-break.org/en/all) - Secure app alternatives
- [The VERGE guide to privacy](https://bit.ly/2ptl4Wm) - Guides for securing mobile, web and home tech
- [BringBackPrivacy](https://bringingprivacyback.com) - Easy-reading, sharable privacy articles
- **Cyber Security**
- [FOSS Bytes- Cyber Security](https://fossbytes.com/category/security) - News about the latest exploits and hacks
- [Heimdal](https://heimdalsecurity.com/blog) - Personal Cyber Security Tutorials and Articles
- [Tech Crunch](https://techcrunch.com/tag/cybersecurity-101) - Cyber Security 101
- [Email Self-Defense](https://emailselfdefense.fsf.org) - Complete guide to secure email
- [Security Planner](https://securityplanner.org) - Great advise for beginners
- [My Shaddow](https://myshadow.org) - Resources and guides, to help you take controll of your data
- **Internet Freedom**
- [OONI](https://ooni.org/post), Internet freedom and analysis on blocked sites
- [Internet Health Report](https://foundation.mozilla.org/en/internet-health-report) - Mozilla is documenting and explaining whats happening to openness and freedom on the Internet
- [Worth Hiding](https://worthhiding.com) - Posts about privacy, politics and the law
- **News and Updates**
- [The Privacy Project](https://www.nytimes.com/interactive/2019/opinion/internet-privacy-project.html) - Articles and reporting on Privacy, by the NYT
- [The Hacker News](https://thehackernews.com) - Up-to-date Cybersecurity News and Analysis
## Books
- [Permanent Record](https://amzn.to/30wxxXi) by Edward Snowden
- [Sandworm](https://amzn.to/2FVByeJ) by Andy Greenberg
- [Permanent Record](https://www.amazon.co.uk/Permanent-Record-Edward-Snowden/dp/1529035651) by Edward Snowden
- [Sandworm](https://www.amazon.co.uk/Sandworm-Cyberwar-Kremlins-Dangerous-Hackers/dp/0385544405) by Andy Greenberg: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
- [Extreme Privacy](https://www.amazon.co.uk/Extreme-Privacy-Takes-Disappear-America/dp/1093757620) by Michael Bazzell: Thoroughly detailed guide for protecting your privacy both electronically and physically
- [Ghost in the Wires](https://www.amazon.co.uk/gp/product/B00FOQS8D6) by Kevin Mitnick: Kevin tells his story of being the world's most wanted hacker
- [The Art of Invisibility](https://www.amazon.com/Art-Invisibility-Worlds-Teaches-Brother/dp/0316380504), by Kevin Mitnick: You How to Be Safe in the Age of Big Brother
## Podcasts
- [Darknet Diaries] by Jack Rhysider: Stories from the dark sides of the internet. Listen on [Stitcher][da-stitch]
- Listen on [Stitcher][da-stitch], [iTunes][da-itunes], [Spotify][da-spotify], [PocketCasts][cy-pocketcasts]
- [CYBER] by Motherboard: News and analysis about the latest cyber threats
- Listen on [Stitcher][cy-stitch], [SoundCloud][cy-soundcloud], [iTunes][cy-itunes], [Spotify][cy-spotify], [PocketCasts][cy-pocketcasts]
- [The Privacy, Security, & OSINT Show] by Michael Bazzell: Comprehensive guides on Privacy and OSINT
- Listen on [Stitcher][tp-stitcher], [SoundCloud][tp-soundcloud], [iTunes][tp-itunes], [Spotify][tp-spofify], [PocketCasts][tp-pocketcasts]
- [Smashing Security] by Graham Cluley and Carole Theriault: Casual, opinionated and humerous chat about current cybersecurity news
- Listen on [Stitcher][sm-stitcher], [iTunes][sm-itunes], [Spotify][sm-spofify], [PocketCasts][sm-pocketcasts]
- [Darknet Diaries] by Jack Rhysider: Stories from the dark sides of the internet.<br>
[![Stitcher](https://img.shields.io/badge/Listen-Stitcher-E88923?logo=stitcher&style=flat-square)][da-stitch]
[![iTunes](https://img.shields.io/badge/Listen-iTunes-FB5BC5?logo=itunes&style=flat-square)][da-itunes]
[![Spotify](https://img.shields.io/badge/Listen-Spotify-1ED760?logo=spotify&style=flat-square)][da-spotify]
[![Google Podcasts](https://img.shields.io/badge/Listen-Google%20Podcasts-4285F4?logo=Google%20Podcasts&style=flat-square)][da-google]
[![PocketCasts](https://img.shields.io/badge/Listen-PocketCasts-F43E37?logo=Pocket%20Casts&style=flat-square)][cy-pocketcasts]
- [CYBER] by Motherboard: News and analysis about the latest cyber threats<br>
[![Stitcher](https://img.shields.io/badge/Listen-Stitcher-E88923?logo=stitcher&style=flat-square)][cy-stitch]
[![iTunes](https://img.shields.io/badge/Listen-iTunes-FB5BC5?logo=itunes&style=flat-square)][cy-itunes]
[![Spotify](https://img.shields.io/badge/Listen-Spotify-1ED760?logo=spotify&style=flat-square)][cy-spotify]
[![SoundCloud](https://img.shields.io/badge/Listen-SoundCloud-FF6600?logo=soundcloud&style=flat-square)][cy-soundcloud]
[![PocketCasts](https://img.shields.io/badge/Listen-PocketCasts-F43E37?logo=Pocket%20Casts&style=flat-square)][cy-pocketcasts]
- [The Privacy, Security, & OSINT Show] by Michael Bazzell: Comprehensive guides on Privacy and OSINT<br>
[![Stitcher](https://img.shields.io/badge/Listen-Stitcher-E88923?logo=stitcher&style=flat-square)][tp-stitch]
[![iTunes](https://img.shields.io/badge/Listen-iTunes-FB5BC5?logo=itunes&style=flat-square)][tp-itunes]
[![Spotify](https://img.shields.io/badge/Listen-Spotify-1ED760?logo=spotify&style=flat-square)][tp-spotify]
[![SoundCloud](https://img.shields.io/badge/Listen-SoundCloud-FF6600?logo=soundcloud&style=flat-square)][tp-soundcloud]
[![PocketCasts](https://img.shields.io/badge/Listen-PocketCasts-F43E37?logo=Pocket%20Casts&style=flat-square)][tp-pocketcasts]
- [Smashing Security] by Graham Cluley and Carole Theriault: Casual, opinionated and humerous chat about current cybersecurity news<br>
[![Stitcher](https://img.shields.io/badge/Listen-Stitcher-E88923?logo=stitcher&style=flat-square)][sm-stitch]
[![iTunes](https://img.shields.io/badge/Listen-iTunes-FB5BC5?logo=itunes&style=flat-square)][sm-itunes]
[![Spotify](https://img.shields.io/badge/Listen-Spotify-1ED760?logo=spotify&style=flat-square)][sm-spotify]
[![Google Podcasts](https://img.shields.io/badge/Listen-Google%20Podcasts-4285F4?logo=Google%20Podcasts&style=flat-square)][sm-google]
[![PocketCasts](https://img.shields.io/badge/Listen-PocketCasts-F43E37?logo=Pocket%20Casts&style=flat-square)][sm-pocketcasts]
- [IRL Podcast] by Mozilla: Online Life is Real Life, Stories about the future of the Web<br>
[![Stitcher](https://img.shields.io/badge/Listen-Stitcher-E88923?logo=stitcher&style=flat-square)][irl-stitch]
[![iTunes](https://img.shields.io/badge/Listen-iTunes-FB5BC5?logo=itunes&style=flat-square)][irl-itunes]
[![Spotify](https://img.shields.io/badge/Listen-Spotify-1ED760?logo=spotify&style=flat-square)][irl-spotify]
[![Google Podcasts](https://img.shields.io/badge/Listen-Google%20Podcasts-4285F4?logo=Google%20Podcasts&style=flat-square)][irl-google]
[![PocketCasts](https://img.shields.io/badge/Listen-PocketCasts-F43E37?logo=Pocket%20Casts&style=flat-square)][irl-pocketcasts]
- [Random but Memorable] by 1Password - A Security advice podcast<br>
[![Stitcher](https://img.shields.io/badge/Listen-Stitcher-E88923?logo=stitcher&style=flat-square)][rbm-stitch]
[![iTunes](https://img.shields.io/badge/Listen-iTunes-FB5BC5?logo=itunes&style=flat-square)][rbm-itunes]
[![Spotify](https://img.shields.io/badge/Listen-Spotify-1ED760?logo=spotify&style=flat-square)][rbm-spotify]
[![Google Podcasts](https://img.shields.io/badge/Listen-Google%20Podcasts-4285F4?logo=Google%20Podcasts&style=flat-square)][rbm-google]
[![PocketCasts](https://img.shields.io/badge/Listen-PocketCasts-F43E37?logo=Pocket%20Casts&style=flat-square)][rbm-pocketcasts]
More Security Podcasts on [player.fm](https://player.fm/featured/security)
More Podcasts (Verification Required): [Naked Security](https://nakedsecurity.sophos.com) | [Open Source Security Podcast](opensourcesecuritypodcast.com) | [Defensive Security Podcast](https://defensivesecurity.org) | [Malicious Life](https://malicious.life) | [Down the Security Rabbit Hole](http://podcast.wh1t3rabbit.net) | [Cyber Wire](https://thecyberwire.com/podcasts/daily-podcast) | [Hacking Humans](https://thecyberwire.com/podcasts/hacking-humans) | [Security Now](https://twit.tv/shows/security-now) | [Cyber Security Interviews](https://cybersecurityinterviews.com) | [Security Weekly](https://securityweekly.com) | [The Shared Security Podcast](https://sharedsecurity.net) | [Risky Business](https://risky.biz/netcasts/risky-business) | [Crypto-Gram Security Podcast](https://crypto-gram.libsyn.com) | [Off the Hook](https://player.fm/series/off-the-hook-84511)
[Darknet Diaries]: https://darknetdiaries.com
[da-stitch]: https://www.stitcher.com/podcast/darknet-diaries
[da-itunes]: https://podcasts.apple.com/us/podcast/darknet-diaries/id1296350485
[da-spotify]: https://open.spotify.com/show/4XPl3uEEL9hvqMkoZrzbx5
[da-pocketcasts]: https://pca.st/darknetdiaries
[da-google]: https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkcy5tZWdhcGhvbmUuZm0vZGFya25ldGRpYXJpZXM%3D
[CYBER]: https://www.vice.com/en_us/article/59vpnx/introducing-cyber-a-hacking-podcast-by-motherboard
[cy-stitch]: https://www.stitcher.com/podcast/vice-2/cyber
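Review bot: the Darknet Diaries badge row uses [cy-pocketcasts] (the CYBER PocketCasts link) for its PocketCasts badge, although a [da-pocketcasts] definition exists below; switch it to [da-pocketcasts]. The older "Listen on" lines for the same four podcasts (referencing [tp-stitcher], [tp-spofify], [sm-stitcher], [sm-spofify]) now duplicate the badge rows and depend on misspelled labels; drop them. In the "More Podcasts (Verification Required)" line, `[Open Source Security Podcast](opensourcesecuritypodcast.com)` has no scheme, so it renders as a relative link into the repository; use `https://opensourcesecuritypodcast.com`. Spelling and wording: "securly" (twice) should be "securely", "humerous" (twice) should be "humorous", "Who Has Your Back? - Which companies hand over your comply with Government Data Requests 2019" is garbled (something like "Which companies comply with government data requests, 2019"), and "Check who your local and government representatives in your local area are" reads better as "Check who your local and national representatives are". Both "Configure your email client securely, from scratch" entries under Communication point at the same FSF page; keep one.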
@ -124,23 +213,40 @@
[cy-pocketcasts]: https://pca.st/z7m3
[The Privacy, Security, & OSINT Show]: https://inteltechniques.com/podcast.html
[tp-stitcher]: https://www.stitcher.com/podcast/michael-bazzell/the-complete-privacy-security-podcast
[tp-stitch]: https://www.stitcher.com/podcast/michael-bazzell/the-complete-privacy-security-podcast
[tp-soundcloud]: https://soundcloud.com/user-98066669
[tp-itunes]: https://podcasts.apple.com/us/podcast/complete-privacy-security/id1165843330
[tp-spofify]: https://open.spotify.com/show/6QPWpZJ6bRTdbkI7GgLHBM
[tp-spotify]: https://open.spotify.com/show/6QPWpZJ6bRTdbkI7GgLHBM
[tp-pocketcasts]: https://pca.st/zdIq
[Smashing Security]: https://www.smashingsecurity.com
[sm-stitcher]: https://www.stitcher.com/podcast/smashing-security
[sm-stitch]: https://www.stitcher.com/podcast/smashing-security
[sm-itunes]: https://podcasts.apple.com/gb/podcast/smashing-security/id1195001633
[sm-spofify]: https://open.spotify.com/show/3J7pBxEu43nCnRTSXaan8S
[sm-spotify]: https://open.spotify.com/show/3J7pBxEu43nCnRTSXaan8S
[sm-pocketcasts]: https://pca.st/47UH
[sm-google]: https://podcasts.google.com/?feed=aHR0cHM6Ly93d3cuc21hc2hpbmdzZWN1cml0eS5jb20vcnNz
[IRL Podcast]: https://irlpodcast.org
[irl-stitch]: https://www.stitcher.com/podcast/smashing-security
[irl-itunes]: https://geo.itunes.apple.com/podcast/us/id1247652431?mt=2&at=1010lbVy
[irl-spotify]: https://open.spotify.com/show/0vT7LJMeVDxyQ2ZamHKu08
[irl-pocketcasts]: https://pca.st/irl
[irl-google]: https://www.google.com/podcasts?feed=aHR0cHM6Ly9mZWVkcy5tb3ppbGxhLXBvZGNhc3RzLm9yZy9pcmw
[Random but Memorable]: https://blog.1password.com/random-but-memorable-the-security-advice-podcast-from-1password
[rbm-stitch]: https://www.stitcher.com/podcast/1password/random-but-memorable
[rbm-itunes]: https://podcasts.apple.com/us/podcast/random-but-memorable/id1435486599
[rbm-pocketcasts]: https://pca.st/43AW
[rbm-spotify]: https://open.spotify.com/show/5Sa3dy0xDvMT0h3O5MGMOr
[rbm-google]: https://podcasts.google.com/?feed=aHR0cHM6Ly9mZWVkcy5zaW1wbGVjYXN0LmNvbS9lRVpIazJhTA
## Videos
- **General**
- [You are being watched](https://youtu.be/c8jDsg-M6qM) by The New York Times
- [The Power of Privacy](https://youtu.be/KGX-c5BJNFk) by The Guardian
- [Why Privacy matters, even if you have nothing to hide](https://youtu.be/Hjspu7QV7O0) by The Hated One
- [The Unhackable Email Service](https://youtu.be/NM8fAnEqs1Q) by Freethink
- **TED Talks**
- [How Online Trackers Track You, and What To Do About It](https://youtu.be/jVeqAemtC6w) by Luke Crouch
- [Why you should switch off your home WiFi](https://youtu.be/2GpNhYy2l08) by Bram Bonné
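Review bot: `[irl-stitch]` is defined as https://www.stitcher.com/podcast/smashing-security, the Smashing Security URL, so the IRL Podcast Stitcher badge points at the wrong show; it needs the IRL show's own Stitcher URL (not visible in this diff, must be looked up). The pairs [tp-stitcher]/[tp-stitch], [tp-spofify]/[tp-spotify], [sm-stitcher]/[sm-stitch] and [sm-spofify]/[sm-spotify] define the same URLs twice; once the old "Listen on" lines are removed, the misspelled labels are unused and can go. Minor: [irl-google] uses www.google.com/podcasts?feed= while every other Google Podcasts link uses podcasts.google.com/?feed=.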
@ -161,39 +267,157 @@
See also: [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @PaulSec
## Online Tools
- [Have I been Pwned](https://haveibeenpwned.com) and [Dehashed](https://www.dehashed.com) - Check if your details have been compromised
- [Redirect Detective](https://redirectdetective.com) - Check where a suspicious URL redirects to
- [εxodus](https://reports.exodus-privacy.eu.org) - Check which trackers any app on the Play Store has
- [VirusTotal](https://www.virustotal.com) - Analyse a suspicious web resource for malware
- [ScamAdviser](https://www.scamadviser.com) - Check if a website is a scam, before buying from it
- [Deseat Me](https://www.deseat.me) - Clean up your online presence
- [33Mail](http://33mail.com/Dg0gkEA) or [Anonaddy](https://anonaddy.com) or [SimpleLogin](https://simplelogin.io?slref=bridsqrgvrnavso) Protect your email address, by auto-generating unique permant aliases for each account, so all emails land in your primary inbox
- [Panopticlick](https://panopticlick.eff.org) - Check if, and how your browser is tracking you
- [Disroot](https://disroot.org) - A suit of online tools, with online freedom in mind
- [Blocked by ORG](https://www.blocked.org.uk) - Check if your website is blocked by certain ISPs
- [Data Rights Finder](https://www.datarightsfinder.org) - Find, understand and use information from privacy policies
- [Browser Leaks](https://browserleaks.com) - Check which information is being leaked by your browser
- [DNSLeakTest](https://www.dnsleaktest.com) - Check for and fix a DNS leak
- [IP Leak](https://ipleak.net) - Shows your IP address, and other associated details
- [ExifRemove](https://www.exifremove.com) - Remove Meta/ EXIF data online
## Anonymous Services
- [NixNet](https://nixnet.services)
- [Snopyta](https://snopyta.org)
- [Disroot](https://disroot.org)
- **Check and Test**
- [εxodus](https://reports.exodus-privacy.eu.org) - Check which trackers any app on the Play Store has
- [Have I been Pwned](https://haveibeenpwned.com) and [Dehashed](https://www.dehashed.com) - Check if your details have been compromised
- [Redirect Detective](https://redirectdetective.com) - Check where a suspicious URL redirects to
- [Botometer](https://botometer.iuni.iu.edu/) - An AI script to check if a certain username is a bot
- **Utilities**
- [ExifRemove](https://www.exifremove.com) - Remove Meta/ EXIF data online
- [Secure Password Check](https://password.kaspersky.com) - Fun little tool, to demonstrate how long it could take to crack a password
- [33Mail](http://33mail.com/Dg0gkEA) or [Anonaddy](https://anonaddy.com) or [SimpleLogin](https://simplelogin.io?slref=bridsqrgvrnavso) Protect your email address, by auto-generating unique permeant aliases for each account, so all emails land in your primary inbox
- [Deseat Me](https://www.deseat.me) - Clean up your online presence
- **Anti-Tracking Analysis**
- [Panopticlick](https://panopticlick.eff.org) - Check if, and how your browser is tracking you
- [Browser Leaks](https://browserleaks.com) - Check which information is being leaked by your browser
- [DNSLeakTest](https://www.dnsleaktest.com) - Check for and fix a DNS leak
- [IP Leak](https://ipleak.net) - IP Leak test
- [Am I Unique?](http://amiunique.org) - If your fingerprint is unique, then websites can track you
- [Qualys SSL Client Test](https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html) - Check the SSL/TLS capabilities of your browser
- **Phishing, Hacking and Abuse**
- [VirusTotal](https://www.virustotal.com) - Analyse a suspicious web resource for malware
- [ScamAdviser](https://www.scamadviser.com) - Check if a website is a scam, before buying from it
- [Abuse IP DB](https://www.abuseipdb.com) - Report an IP address for abuse, spam or attacks, and check the status of any IP
- [Phish Tank](https://www.phishtank.com) - Check if a link is a known phishing URL, Submit a phishing URL, browse recent phishing URLs
- [Is It Hacked?](http://www.isithacked.com) - Check if a website or page appears to be hacked, hijacked or generally suspicious
- **IP Tools**
- [I Know What You Download](https://iknowwhatyoudownload.com) - Shows torrents that have been downloaded or distributed from your IP address
- [Hetrix Tools - Blacklist Check](https://hetrixtools.com/blacklist-check/) - Check if your Domain or IP appears on any common blacklists
- **Public Domain and Website Scanning Tools**
- [URL Scan](https://urlscan.io) - Scan and analyse websites, shows IP, DNS, domain and host data, as well as info about resources and requests
- [Security Trails](https://securitytrails.com/#search) - Shows all DNS records, historical DNS data and sub domains
- [crt.sh](https://crt.sh) - Shows current and previous SSL/ TLS certificates for a given domain, has advanced search option
- [Virus Total](https://www.virustotal.com) - Scans any URL, web asset or file for malware
- [DomainTools WhoIs](https://whois.domaintools.com) - Who Is Lookup. Check who registered a domain name, and find contact details
- [Pentest Tools Vulnerability Scanner](https://pentest-tools.com/website-vulnerability-scanning/website-scanner) - Light scan searches for client and server-side vulnerabilities and missing HTTP security headers
- [Qualys SSL Server Test](https://www.ssllabs.com/ssltest) - Perform a deep analysis of the configuration of any SSL web server on the public Internet
- [Abuse IP DB](https://www.abuseipdb.com) - Check if an IP or domain has been reported for abuse, or file a report
- [RIPEstat](https://stat.ripe.net) - Detailed analysis of IP Addresses (Routing, DNS, Abuse History, Activity etc)
- [Multirbl](http://multirbl.valli.org) - Complete IP check for sending Mailservers
- [IPVoid](https://www.ipvoid.com) - Full suit of Domain, IP, and DNS tools for Tracing, Lookup, Checking and Pinging
- **Net Neutrality**
- [Blocked by ORG](https://www.blocked.org.uk) - Check if your website is blocked by certain ISPs
- [Data Rights Finder](https://www.datarightsfinder.org) - Find, understand and use information from privacy policies
- [Down For Everyone Or Just Me](https://downforeveryoneorjustme.com) - Quickly determine if a website is down, or just unavailable for you
- **Anonymous Services** - The following sites host a veriety of anonymous online services
- [NixNet](https://nixnet.services)
- [Snopyta](https://snopyta.org)
- [Disroot](https://disroot.org)
- **Archives**
- [The Way Back Machine](https://archive.org/web/web.php) - See previous versions of any website. An archive of 431 billion snapshots over 20 years
- [PolitiTweet](https://polititweet.org) - Archives Tweets from powerful public figures, and records silent retractions and deleted tweets
- [Internet Archive Software Collection](https://archive.org/details/software) - The largest vintage and historical software library
- [OpenLibrary](https://openlibrary.org) - A free, digital library of over 2 million eBooks, and information on over 20 million books
- [Archive-It](https://archive-it.org) - Collecting and accessing cultural heritage on the web
## Interesting Websites
- [The Intercept: Surveillance Catalogue](https://theintercept.com/surveillance-catalogue) - A database secret of government and military surveillance equpment, that was leaked in the Snowden files
- See also: The source code for these projects, on WikiLeaks [Vault7](https://wikileaks.org/vault7) and [Vault8](https://wikileaks.org/vault8), and the accompanying [press release](https://wikileaks.org/ciav7p1)
## Privacy-Respecting Software
This section has moved to [here](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md)
This section has moved to [here](/5_Privacy_Respecting_Software.md). Complete list of privacy-respecting software and services
## Security Hardware
This section has moved to [here](/6_Privacy_and-Security_Gadgets.md). Products, gadgets and DIY projects to help improve security
## Data, API's and Visualisations
- **Research Results**
- [Internet Census Data](https://ant.isi.edu/datasets) - Includes data on address space allocation, traffic, DNS, service enumeration, internet outages and other internet topology data
- [Web Tracking Data](https://webtransparency.cs.princeton.edu/webcensus/#data) by Princeton University - This is the largest and most detailed analysis of online tracking to date, and measures both stateful (cookie-based) and stateless (fingerprinting-based) tracking. The crawls were made with [OpenWPM](https://github.com/mozilla/OpenWPM)
- [Who has your Back?](https://www.eff.org/files/2019/06/11/whyb_2019_report.pdf) by EFF - Anual report assessing how companies handle personal data
- Historic Reports: [2012](https://www.eff.org/files/who-has-your-back-2012_0.pdf) | [2013](https://www.eff.org/sites/default/files/who-has-your-back-2013-report-20130513.pdf) | [2014](https://www.eff.org/files/2014/05/15/who-has-your-back-2014-govt-data-requests.pdf) | [2015](https://www.eff.org/files/2015/06/18/who_has_your_back_2015_protecting_your_data_from_government_requests_20150618.pdf) | [2016](https://www.eff.org/files/2016/05/04/who-has-your-back-2016.pdf) | [2017](https://www.eff.org/files/2017/07/08/whohasyourback_2017.pdf) | [2018](https://www.eff.org/files/2018/05/31/whyb_2018_report.pdf) | [2019](https://www.eff.org/files/2019/06/11/whyb_2019_report.pdf)
- [Sensor Access Data](https://databank.illinois.edu/datasets/IDB-9213932) - A Crawl of the Mobile Web Measuring Sensor Accesses, Illinois
- [Canalys Newsroom](https://www.canalys.com/newsroom) - Research Studies on Security, Privacy, Technology and Finance
- [Data Never Sleeps](https://web-assets.domo.com/blog/wp-content/uploads/2019/07/data-never-sleeps-7-896kb.jpg) - An infographic visualizing how much data is generated every minute (2019)
- **Databases**
- [Exodus](https://reports.exodus-privacy.eu.org/en/trackers/stats) - Trackers in Android Apps
- [Exploit Database](https://www.exploit-db.com) - A database or Current software vulnerabilities
- [URLScan](https://urlscan.io) - Service scanning for malicious domains, with historical results
- [Dehashed](https://www.dehashed.com/breach) - Data Breaches and Credentials
- [VirusTotal](https://developers.virustotal.com/v3.0/reference) - Detailed virus scans of software
- [Abuse IP DB](https://www.abuseipdb.com) - Database of IPs reported for abuse
- [SnusBase](https://snusbase.com) - Long standing database hosting breached data
- [OpenPhish](https://openphish.com) - A feed of current phishing endpoints
- [HashToolkit](http://hashtoolkit.com) - Database of 'cracked' hashes
- [SecLists](https://github.com/danielmiessler/SecLists) - Starter list of leaked databases, passwords, usernames etc (Great for programming)
- [Qualys SSL Pulse](https://www.ssllabs.com/ssl-pulse) - A continuous and global dashboard for monitoring the quality of SSL / TLS support over time across 150,000 SSL- and TLS-enabled websites, based on Alexas list of the most popular sites in the world
- **Fun with Live Data** 🌠
- **Internet**
- [Tor Flow](https://torflow.uncharted.software) - Real-time data flow between Tor nodes
- [Internet Census](http://census2012.sourceforge.net/images/geovideo.gif) - 24-hour world map of average utilization of IPv4 addresses
- ICMP ping requests were sent out via the Carna botnet. Read how this was done on the [Official Site](http://census2012.sourceforge.net) or download similar [datasets](https://ant.isi.edu/datasets/all.html)
- [Map of Mobile Internet](https://labs.mapbox.com/labs/twitter-gnip/brands/) - Shows world data coverage, according to Twitter data
- [DomainTools Statistics](https://research.domaintools.com/statistics) - Domain registration Numbers and Charts
- [Insecam](http://www.insecam.org) - A directory and feed of insecure or public live webcams
- [IKnow](https://iknowwhatyoudownload.com/en/stat/GB/daily) - Live data showing what content is being downloaded + distributed via torrents
- [Semantic Internet Map](http://internet-map.net) - Shows how different websites link together
- **Unrelated, but Awesome Data**
- [BGP Stream](https://bgpstream.com) - Shows all current outages
- [Submarine Cable Map](https://www.submarinecablemap.com) - An up-to-date map of major global internet cables (see also [he.net globe](https://he.net/3d-map) and [this map](https://submarine-cable-map-2016.telegeography.com))
- [FlightRadar24](https://www.flightradar24.com) - World-wide map of live aircraft positions
- [Airport WiFi Map](https://www.google.com/maps/d/u/0/viewer?mid=1Z1dI8hoBZSJNWFx2xr_MMxSxSxY) - Shows WiFi networks and their passwords for airports around the world
- [Stuff in Space](http://stuffin.space) - Shows objects orbiting Earth
- [Wiggle](https://wigle.net) - Worlds largest WiFi Map showing personal hotspot statistics geographically
- **Threat Maps** - Real-time hack attempts (malware, phishing, exploit and spam), visualised geographically
- [Checkpoint](https://threatmap.checkpoint.com)
- [FortiGuard](https://threatmap.fortiguard.com)
- [Fire Eye](https://www.fireeye.com/cyber-map/threat-map.html)
- [Kaspersky](https://cybermap.kaspersky.com)
- [BitDefender](https://threatmap.bitdefender.com)
- [ESET](https://www.virusradar.com)
- [Threat But Map](https://threatbutt.com/map)
- [Looking Glass Cyber Map](https://map.lookingglasscyber.com)
- [Digital Attack Map](https://www.digitalattackmap.com)
- [Kaspersky LogBook](https://apt.securelist.com) - Historic Threat Time Line
## Academic
- **Journals**
- Rethinking information privacysecurity: Does it really matter? By Waseem Afzal: via [Wiley](https://asistdl.onlinelibrary.wiley.com/doi/10.1002/meet.14505001095)
- Crypto Paper: Privacy, Security, and Anonymity For Every Internet User, by Crypto Seb: via [GitHub](https://github.com/cryptoseb/cryptopaper)
- Challenges in assessing privacy impact, Tales from the Front Line: via [Wiley](https://onlinelibrary.wiley.com/doi/10.1002/spy2.101)
- A privacypreserving multifactor authentication system: via [Wiley](https://onlinelibrary.wiley.com/doi/10.1002/spy2.88)
- Web Browser Privacy: What Do Browsers Say When They Phone Home?: via [scss.tcd.ie](https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf)
- Online Tracking, A 1-million-site Measurement and Analysis: via [Princeton University](https://www.cs.princeton.edu/~arvindn/publications/OpenWPM_1_million_site_tracking_measurement.pdf)
- Detecting and Defending Against Third-Party Tracking on the Web: via [Franziska Roesner](http://www.franziroesner.com/pdf/webtracking-NSDI2012.pdf)
- Is Google degrading search? Consumer Harm from Universal Search: via [law.berkeley.edu](https://www.law.berkeley.edu/wp-content/uploads/2015/04/Luca-Wu-Yelp-Is-Google-Degrading-Search-2015.pdf)
- A Comprehensive Evaluation of Third-Party Cookie Policies: via [WhoLeftOpenTheCookieJar.com](https://wholeftopenthecookiejar.com/static/tpc-paper.pdf)
- Recognizing Speech From Gyroscope Signals: via [Stanford](https://crypto.stanford.edu/gyrophone/)
- A Study of Scripts Accessing Smartphone Sensors: via [sensor-js.xyz](https://sensor-js.xyz/webs-sixth-sense-ccs18.pdf)
- Pixel Perfect, Fingerprinting Canvas in HTML5: [hovav.net](https://hovav.net/ucsd/dist/canvas.pdf)
- Shining the Floodlights on Mobile Web Tracking — A Privacy Survey: via [semanticscholar.org](https://pdfs.semanticscholar.org/80bb/5c9119ff4fc2374103b4f3d6a8f614b3c2ed.pdf)
- Characterizing the Use of Browser-Based Blocking Extensions To Prevent Online Tracking: via [aruneshmathur.co.in](http://aruneshmathur.co.in/files/publications/SOUPS18_Tracking.pdf)
- Privacy implications of email tracking: via [senglehardt.com](https://senglehardt.com/papers/pets18_email_tracking.pdf)
- Battery Status Not Included, Assessing Privacy in Web Standards: via [princeton.edu](https://www.cs.princeton.edu/~arvindn/publications/battery-status-case-study.pdf)
- De-anonymizing Web Browsing Data with Social Networks: via [princeton.edu](https://www.cs.princeton.edu/~arvindn/publications/browsing-history-deanonymization.pdf)
- The Surveillance Implications of Web Tracking: via [senglehardt.com](https://senglehardt.com/papers/www15_cookie_surveil.pdf)
- Understanding Facebook Connect login permissions: via [jbonneau.com](http://jbonneau.com/doc/RB14-fb_permissions.pdf)
- Corporate Surveillance in Everyday Life, How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions: By Wolfie Christl, via [crackedlabs.org](https://crackedlabs.org/dl/CrackedLabs_Christl_CorporateSurveillance.pdf)
- Using Ad Targeting for Surveillance on a Budget: via [washington.edu](https://adint.cs.washington.edu/ADINT.pdf)
- Cross-Site WebSocket Hijacking: via [christian-schneider.net](http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html)
- Location Tracking using Mobile Device Power Analysis: [scribd.com](https://www.scribd.com/doc/256304846/PowerSpy-Location-Tracking-using-Mobile-Device-Power-Analysis)
- Trackers Vs Firefox, Comparing different blocking utilities: via [GitHub- @jawz101](https://github.com/jawz101/TrackersVsFirefox)
- **Implementations and Standards**
- [The GNU Privacy Guard](https://www.gnupg.org)
- [OpenPGP JavaScript Implementation](https://openpgpjs.org)
- [WireGuard](https://www.wireguard.com/papers/wireguard.pdf)
- [Nym](https://as93.link/nym-blog-post) - Next Generation of Privacy infrastructure
- [REC-X.509](https://www.itu.int/rec/T-REC-X.509) - The standard defining the format of public key certificates, used across most internet protocols and applications
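Review bot: several of the added entries in this hunk carry typos or dropped characters that will ship to readers as-is. `veriety of anonymous online services` should be `variety`; `A database secret of government and military surveillance equpment` should read `A secret database of government and military surveillance equipment`; `Anual report` should be `Annual report`; `A database or Current software vulnerabilities` should be `A database of current software vulnerabilities`; `Full suit of Domain, IP, and DNS tools` should be `Full suite`; and `Alexas list` needs its apostrophe. In the Journals list, `information privacysecurity` and `A privacypreserving multifactor authentication system` have each lost a separator character (probably a hyphen) and should be checked against the linked titles. The Threat Maps entry `[Threat But Map](https://threatbutt.com/map)` does not match its own domain; the site is Threatbutt.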
@ -216,6 +440,9 @@ This section has moved to [here](https://github.com/Lissy93/personal-security-ch
- [American Civil Liberties Union](https://www.aclu.org/issues/privacy-technology)
- [Free Software Foundation](https://www.fsf.org)
- [Courage Foundation](https://www.couragefound.org) - Supports those who risk life / liberty to make significant contributions to the historical record
- [Fight for the Future](https://www.fightforthefuture.org) - Fighting for a future where technology liberates
- [Public Citizen](https://www.citizen.org) - Standing up to corporate power and hold the government accountable
## Government Organisations
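Review bot: the new Public Citizen line mixes verb forms: `Standing up to corporate power and hold the government accountable` should be `Standing up to corporate power and holding the government accountable`.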
@ -227,86 +454,16 @@ This section has moved to [here](https://github.com/Lissy93/personal-security-ch
- **Cybercrime**
- [Consumer Fraud Reporting](http://consumerfraudreporting.org) - US's Catalogue of online scams currently circulating, and a means to report cases
- [Action Fraud](https://www.actionfraud.police.uk) - UKs national reporting centre for fraud and cyber crime
- **CERT** - Your local jurisdiction will likely have a Computer emergency response team (historically known as CERT). Who is in charge of handline handles domestic and international computer security incidents.
- Australia - [auscert.org.au](https://www.auscert.org.au)
- Austria - [cert.at](https://www.cert.at)
- Bangladesh - [cirt.gov.bd](https://www.cirt.gov.bd)
- Bolivia - [cgii.gob.bo](https://cgii.gob.bo)
- Brazil - [cert.br](https://www.cert.br)
- Canada - [cyber.gc.ca](https://cyber.gc.ca/en/about-cyber-centre)
- China - [cert.org.cn](https://www.cert.org.cn)
- Columbia - [colcert.gov.co](http://www.colcert.gov.co)
- Croatia - [carnet.hr](https://www.carnet.hr)
- Czech Republic - [csirt.cz](https://csirt.cz)
- Denmark - [cert.dk](https://www.cert.dk)
- Ecuador - [ecucert.gob.ec](https://www.ecucert.gob.ec)
- Egypt - [egcert.eg](https://www.egcert.eg)
- Estonia - [ria.ee / CERT-EE](https://ria.ee/en/cyber-security/cert-ee.html)
- Finland - [kyberturvallisuuskeskus.fi](https://www.kyberturvallisuuskeskus.fi/en/homepage)
- France - [cert.ssi.gouv.fr](https://www.cert.ssi.gouv.fr)
- Germany - [cert-bund.de](https://www.cert-bund.de)
- Ghana - [nca-cert.org.gh](https://nca-cert.org.gh)
- Hong Kong - [hkcert.org](https://www.hkcert.org)
- Iceland - [cert.is](https://www.cert.is)
- India - [CERT-IN](https://www.cert-in.org.in)
- Indonesia - [idsirtii.or.id](https://idsirtii.or.id)
- Iran - [cert.ir](https://cert.ir)
- Italy - [cert-pa.it](https://www.cert-pa.it)
- Japan - [JPCERT](https://www.jpcert.or.jp)
- Kyrgyzstan - [cert.gov.kg](http://cert.gov.kg)
- Luxembourg - [circl.lu](https://circl.lu)
- Macau - [mocert.org](www.mocert.org)
- Malaysia - [mycert.org.my](http://www.mycert.org.my)
- Morocco - [educert.ma](http://www.educert.ma)
- Netherlands - [ncsc.nl](https://www.ncsc.nl)
- New Zealand - [cert.govt.nz](https://www.cert.govt.nz)
- Nigeria - [cert.gov.ng](https://cert.gov.ng)
- Norway - [norcert](https://www.nsm.stat.no/norcert)
- Pakistan - [pakcert.org](http://www.pakcert.org)
- Papua New Guinea - [pngcert.org.pg](https://www.pngcert.org.pg)
- Philippines - [cspcert.ph](https://cspcert.ph)
- Poland - [cert.pl](https://www.cert.pl)
- Portugal - [cncs.gov.pt/certpt](https://www.cncs.gov.pt/certpt)
- Qatar - [qcert.org](https://qcert.org)
- Rep of Ireland - [ncsc.gov.ie](https://www.ncsc.gov.ie)
- Romania - [cert.ro](https://www.cert.ro)
- Russia - [gov-cert.ru](http://www.gov-cert.ru) / [cert.ru](https://www.cert.ru)
- Singapore - [csa.gov.sg/singcert](https://www.csa.gov.sg/singcert)
- Slovenia - [sk-cert.sk](https://www.sk-cert.sk)
- South Korea - [krcert.or.kr](https://www.krcert.or.kr)
- Spain - [incibe.es](https://www.incibe.es)
- Sri Lanka - [cert.gov.lk](https://www.cert.gov.lk)
- Sweden - [cert.se](https://www.cert.se)
- Switzerland - [govcert.ch](https://www.govcert.ch)
- Taiwan - [twcert.org.tw](https://www.twcert.org.tw)
- Thailand - [thaicert.or.th](https://www.thaicert.or.th)
- Tonga [cert.to](https://www.cert.to)
- Ukraine - [cert.gov.ua](https://cert.gov.ua)
- UAE - [tra.gov.ae/aecert](https://www.tra.gov.ae/aecert)
- United Kingdom - [ncsc.gov.uk](https://www.ncsc.gov.uk)
- United States - [us-cert.gov](https://www.us-cert.gov)
## Data and API's
- [Exploit Database](https://www.exploit-db.com) - A database or Current software vulnerabilities
- [That One Privacy Site](https://thatoneprivacysite.net/#detailed-vpn-comparison) - Detailed VPN Comparison Data
- [Exodus](https://reports.exodus-privacy.eu.org/en/trackers/stats) - Trackers in Android Apps
- [URLScan](https://urlscan.io) - Service scanning for malisious domains
- [Dehashed](https://www.dehashed.com/breach) - Data Breaches and Credentials
- [VirusTotal](https://developers.virustotal.com/v3.0/reference) - Detailed virus scans of software
- Hosts to block: [someonewhocares/ hosts](https://someonewhocares.org/hosts) and [StevenBlack/ hosts](https://github.com/StevenBlack/hosts)
## Academic Journals
- [Crypto Paper](https://github.com/cryptoseb/cryptopaper) by Crypto Seb- Privacy, Security, and Anonymity For Every Internet User
## Implementations and Standards
- [The GNU Privacy Guard](https://www.gnupg.org)
- [OpenPGP JavaScript Implementation](https://openpgpjs.org)
- [WireGuard](https://www.wireguard.com/papers/wireguard.pdf)
- [Nym](https://as93.link/nym-blog-post) - Next Generation of Privacy infrastructure
- **Fact Checkling**
- [Full Fact](https://fullfact.org) - UK independent fact checking charity, campaigning to expose bad information, and the harm it does
- **CERT** - Your local jurisdiction will likely have a Computer emergency response team (historically known as [CERT](https://online.norwich.edu/academic-programs/resources/how-computer-emergency-response-teams-and-computer-security-incident-response-teams-combat-cyber-threats)). Who is in charge of handline handles domestic and international computer security incidents.
- **A-C** - Australia: [auscert.org.au](https://www.auscert.org.au) | Austria: [cert.at](https://www.cert.at) | Bangladesh: [cirt.gov.bd](https://www.cirt.gov.bd) | Bolivia: [cgii.gob.bo](https://cgii.gob.bo) | Brazil: [cert.br](https://www.cert.br) | Canada: [cyber.gc.ca](https://cyber.gc.ca/en/about-cyber-centre) | China: [cert.org.cn](https://www.cert.org.cn) | Columbia: [colcert.gov.co](http://www.colcert.gov.co) | Croatia: [carnet.hr](https://www.carnet.hr) | Czech Republic: [csirt.cz](https://csirt.cz)
- **D-G** - Denmark: [cert.dk](https://www.cert.dk) | Ecuador: [ecucert.gob.ec](https://www.ecucert.gob.ec) | Egypt: [egcert.eg](https://www.egcert.eg) | Estonia: [ria.ee / CERT-EE](https://ria.ee/en/cyber-security/cert-ee.html) | Finland: [kyberturvallisuuskeskus.fi](https://www.kyberturvallisuuskeskus.fi/en/homepage) | France: [cert.ssi.gouv.fr](https://www.cert.ssi.gouv.fr) | Germany: [cert-bund.de](https://www.cert-bund.de) | Ghana: [nca-cert.org.gh](https://nca-cert.org.gh)
- **H-M** - Hong Kong: [hkcert.org](https://www.hkcert.org) | Iceland: [cert.is](https://www.cert.is) | India: [CERT-IN](https://www.cert-in.org.in) | Indonesia: [idsirtii.or.id](https://idsirtii.or.id) | Iran: [cert.ir](https://cert.ir) | Italy: [cert-pa.it](https://www.cert-pa.it) | Japan: [JPCERT](https://www.jpcert.or.jp) | Kyrgyzstan: [cert.gov.kg](http://cert.gov.kg) | Luxembourg: [circl.lu](https://circl.lu) | Macau: [mocert.org](www.mocert.org) | Malaysia: [mycert.org.my](http://www.mycert.org.my) | Morocco: [educert.ma](http://www.educert.ma)
- **N-P** - Netherlands: [ncsc.nl](https://www.ncsc.nl) | New Zealand: [cert.govt.nz](https://www.cert.govt.nz) | Nigeria: [cert.gov.ng](https://cert.gov.ng) | Norway: [norcert](https://www.nsm.stat.no/norcert) | Pakistan: [pakcert.org](http://www.pakcert.org) | Papua New Guinea: [pngcert.org.pg](https://www.pngcert.org.pg) | Philippines: [cspcert.ph](https://cspcert.ph) | Poland: [cert.pl](https://www.cert.pl) | Portugal: [cncs.gov.pt/certpt](https://www.cncs.gov.pt/certpt)
- **Q-S** - Qatar: [qcert.org](https://qcert.org) | Rep of Ireland: [ncsc.gov.ie](https://www.ncsc.gov.ie) | Romania: [cert.ro](https://www.cert.ro) | Russia: [gov-cert.ru](http://www.gov-cert.ru) / [cert.ru](https://www.cert.ru) | Singapore: [csa.gov.sg/singcert](https://www.csa.gov.sg/singcert) | Slovenia: [sk-cert.sk](https://www.sk-cert.sk) | South Korea: [krcert.or.kr](https://www.krcert.or.kr) | Spain: [incibe.es](https://www.incibe.es) | Sri Lanka - [cert.gov.lk](https://www.cert.gov.lk) | Sweden: [cert.se](https://www.cert.se) | Switzerland: [govcert.ch]
- **T-Z** - Taiwan: [twcert.org.tw](https://www.twcert.org.tw) | Thailand: [thaicert.or.th](https://www.thaicert.or.th) | Tonga: [cert.to](https://www.cert.to) | Ukraine:[cert.gov.ua](https://cert.gov.ua) | UAE: [tra.gov.ae/aecert](https://www.tra.gov.ae/aecert) | United Kingdom: [ncsc.gov.uk](https://www.ncsc.gov.uk) | United States: [us-cert.gov](https://www.us-cert.gov)
- **Global**: [first.org](https://www.first.org) - The global Forum of Incident Response and Security Teams
## Mega Guides
- by [Fried](https://fried.com/privacy)
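Review bot: the consolidated CERT list carries over a duplicated phrase from the old version and introduces a few link defects. `Who is in charge of handline handles domestic and international computer security incidents.` still has the leftover `handline handles`; it should read `, which handles domestic and international computer security incidents`. In the `H-M` row, `[mocert.org](www.mocert.org)` has no scheme, so it renders as a relative link to `/www.mocert.org`; use `https://www.mocert.org`. The `Q-S` row ends with `Switzerland: [govcert.ch]` and no link target, so that link is dead (the removed line had `https://www.govcert.ch`), and `Slovenia: [sk-cert.sk](https://www.sk-cert.sk)` points at a `.sk` domain, which is Slovakia, so either the country name or the URL is wrong. In `T-Z`, `Ukraine:[cert.gov.ua]` is missing the space after the colon. `Columbia` in the `A-C` row should be `Colombia`, and the new `**Fact Checkling**` heading should be `Fact Checking`.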
@ -318,26 +475,47 @@ This section has moved to [here](https://github.com/Lissy93/personal-security-ch
## More Awesome GitHub Lists
- [privacy-respecting](https://github.com/nikitavoloboev/privacy-respecting) by @nikitavoloboev
- [awesome-privacy](https://github.com/KevinColemanInc/awesome-privacy) by @KevinColemanInc
- [Security_list](https://github.com/zbetcheckin/Security_list) by @zbetcheckin
- [awesome-security](https://github.com/sbilly/awesome-security) by @sbilly
- [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @PaulSec
- [awesome-crypto-papers](https://github.com/pFarb/awesome-crypto-papers) by @pFarb
- [awesome-threat-intelligence](https://github.com/hslatman/awesome-threat-intelligence) by @hslatman
- [awesome-incident-response](https://github.com/meirwah/awesome-incident-response) by @meirwah
- [awesome-anti-forensic](https://github.com/remiflavien1/awesome-anti-forensic) by @remiflavien1
- [awesome-malware-analysis](https://github.com/rshipp/awesome-malware-analysis) by @rshipp
- [awesome-honeypots](https://github.com/paralax/awesome-honeypots) by @paralax
- [awesome-hacking](https://github.com/carpedm20/awesome-hacking) by @carpedm20
- [awesome-pentest](https://github.com/enaqx/awesome-pentest) by @enaqx
- [awesome-ctf](https://github.com/apsdehal/awesome-ctf) by @apsdehal
## Unrelated Awesome Lists
- [awesome]( https://github.com/sindresorhus/awesome) by @sindresorhus
- [lists](https://github.com/jnv/lists) by @jnv
- **Awesome Open Source Apps**
- [awesome-windows-apps](https://github.com/Awesome-Windows/Awesome) by 'many'
- [awesome-macOS-apps](https://github.com/iCHAIT/awesome-macOS) by @iCHAIT
- [awesome-linux-software](https://github.com/luong-komorebi/Awesome-Linux-Software) by @luong-komorebi
- [open-source-ios-apps](https://github.com/dkhamsing/open-source-ios-apps) by @dkhamsing
- [open-source-android-apps](https://github.com/pcqpcq/open-source-android-apps) by @pcqpcq
- [awesome-selfhosted](https://github.com/awesome-selfhosted/awesome-selfhosted) by 'many'
- [privacy-respecting](https://github.com/nikitavoloboev/privacy-respecting) by @nikitavoloboev
- [awesome-privacy](https://github.com/KevinColemanInc/awesome-privacy) by @KevinColemanInc
- [privacy-respecting-software](https://github.com/Lissy93/personal-security-checklist/blob/master/5_Privacy_Respecting_Software.md) by @lissy93
- **Guides**
- [MacOS-Security-and-Privacy-Guide](https://github.com/drduh/macOS-Security-and-Privacy-Guide) by @drduh
- [personal-security-checklist](https://github.com/Lissy93/personal-security-checklist) by @lissy93
- **Security (Hacking / Pen Testing / Threat Inteligence / CFTs)**
- [Security_list](https://github.com/zbetcheckin/Security_list) by @zbetcheckin
- [awesome-security](https://github.com/sbilly/awesome-security) by @sbilly
- [awesome-sec-talks](https://github.com/PaulSec/awesome-sec-talks) by @PaulSec
- [awesome-threat-intelligence](https://github.com/hslatman/awesome-threat-intelligence) by @hslatman
- [awesome-incident-response](https://github.com/meirwah/awesome-incident-response) by @meirwah
- [awesome-anti-forensic](https://github.com/remiflavien1/awesome-anti-forensic) by @remiflavien1
- [awesome-malware-analysis](https://github.com/rshipp/awesome-malware-analysis) by @rshipp
- [awesome-lockpicking](https://github.com/fabacab/awesome-lockpicking) by @fabacab
- [awesome-hacking](https://github.com/carpedm20/awesome-hacking) by @carpedm20
- [awesome-honeypots](https://github.com/paralax/awesome-honeypots) by @paralax
- [awesome-forensics](https://github.com/Cugu/awesome-forensics) by @cugu
- [awesome-pentest](https://github.com/enaqx/awesome-pentest) by @enaqx
- [awesome-ctf](https://github.com/apsdehal/awesome-ctf) by @apsdehal
- [awesome-osint](https://github.com/jivoi/awesome-osint) by @jivoi
- [SecLists](https://github.com/danielmiessler/SecLists) by @danielmiessler
- **Misc**
- [awesome-crypto-papers](https://github.com/pFarb/awesome-crypto-papers) by @pFarb
- **Awesome Lists of Awesome Lists**
- [awesome]( https://github.com/sindresorhus/awesome) by @sindresorhus
- [lists](https://github.com/jnv/lists) by @jnv
- **More In This Repo**
- [Personal Security Checklist](/README.md) by @lissy93
- [Privacy-Respecting Software](/5_Privacy_Respecting_Software.md)
- [Importance of Privacy & Security](/0_Why_It_Matters.md)
- [Digital Security Gadgets / DIY hardware](/6_Privacy_and-Security_Gadgets.md)
- [TLDR - Condensed Summary of this Repo](/2_TLDR_Short_List.md)
---
*Thanks for visiting, hope you found something useful here :) Contributions are welcome, and much appreciated - to propose an edit [raise an issue](https://github.com/Lissy93/personal-security-checklist/issues/new/choose), or [open a PR](https://github.com/Lissy93/personal-security-checklist/pull/new/master). See: [`CONTRIBUTING.md`](/.github/CONTRIBUTING.md).*
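Review bot: the new `**Security (Hacking / Pen Testing / Threat Inteligence / CFTs)**` heading has two typos; it should read `Threat Intelligence / CTFs` (the group links awesome-ctf). In `**Awesome Lists of Awesome Lists**`, `[awesome]( https://github.com/sindresorhus/awesome)` has a leading space inside the link target, which some Markdown renderers reject; drop it. Also, `privacy-respecting`, `awesome-privacy` and `privacy-respecting-software` are curated software lists rather than apps, so they sit oddly under `**Awesome Open Source Apps**`; a separate `**Privacy**` group would fit better.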



@ -7,6 +7,9 @@ A curated list of (DIY and pre-built) devices, to help preserve privacy and impr
**Too long? 🦒** See the [TLDR version](/2_TLDR_Short_List.md#security-hardware) instead.
**Note**: This section is intended just to be a bit of fun, it is entirely possible to stay secure and anonymous, without having to build or buy anything
---
#### Contents
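Review bot: the added note is a comma splice: `This section is intended just to be a bit of fun, it is entirely possible to stay secure and anonymous, without having to build or buy anything` reads better as `This section is intended just to be a bit of fun; it is entirely possible to stay secure and anonymous without having to build or buy anything`.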
@ -60,18 +63,20 @@ Don't want to spend money? Most of the products above, plus some that wearn't in
See Also [DIY Networking Hardware](#diy-networking-hardware)
- **Network-wide add-block** - [Pi Hole](https://pi-hole.net) is a simple yet powerful app, that can be installed on a [Raspberry Pi](https://amzn.to/36GNpsm), and once you've updated your routers DNS servers to point to it, all resources on the blacklist will be blocked, at the point of origin. This makes it much more powerful than a browser add-on, and will also speed your internet up
- **Encrypted USB** - You can use [VeraCrypt](https://www.veracrypt.fr/en/Home.html) to create an encrypted USB drive, using any off-the shelf [USB drive](https://amzn.to/2RykcLD)
- **USB Sanitiser** - [CIRCLean](https://www.circl.lu/projects/CIRCLean) is a hardware solution to clean documents from untrusted (obtained) USB drives. It automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
- **Hardware Wallet** - Using the Trezor Shield or [Trezor Core](https://github.com/trezor/trezor-firmware) and a Raspberry Pi, you can create your own hardware wallet for safley storing your crypto currency private keys offline. See [this guide](https://github.com/Multibit-Legacy/multibit-hardware/wiki/Trezor-on-Raspberry-Pi-from-scratch) for building. If you enjoyed that, you can also run your own BitCoin and Lightning Node [Raspiblitz](https://github.com/rootzoll/raspiblitz)
- **Bootable Drive Eraser** - You can flash the [DBAN](https://dban.org) or [KillDisk](https://www.killdisk.com/bootablecd.htm) ISO file onto a USB, boot from it and securly, fully wipe your hard drives. This is useful to do before selling or disposing of a PC.
- **Deauth Detector** - Since most wireless attacked begin by sending out deauthentication packets, you can flash SpaceHuhns [DeatuhDetector](https://github.com/spacehuhn/DeauthDetector), onto a standard [ESP8266 NodeMCU](https://amzn.to/2v5grV0), plug it in, and wait to be notified of wireless deauth attacks
- **AI Assistant Mod** - [Project Alias](https://github.com/bjoernkarmann/project_alias) runs on a Pi, and gives you more control and increased privacy for both Google Home and Alexa, through intercepting voice commands, emitting noise interference + lots more. If your interested in voice assistants, then also check out [Mycroft](https://mycroft.ai)- an open source, Pi-based alternative to Google Home/ Alexa
- **Tor WiFi Network** - Using [OnionPi](https://github.com/breadtk/onion_pi), you can create a second wireless network, that routed traffic through Tor. This is very light-weight so can be done with just a [Pi Zero W](https://amzn.to/2Urc0hM). Here is a configuration [guide](https://www.sbprojects.net/projects/raspberrypi/tor.php)
- **Credential Recall Card** - A password card is a unique grid of random letters and digits, that lets you generate, store and recall unique and strong passwords for your accounts. Generate your own unique password card, and read more via: [PasswordCard.org](https://www.passwordcard.org/en)
- **Faraday Case** - If you want to block signals for devices such as car keys, smart phone, laptop or even just RFID-enabled cards and passports, you can line a box or pouch with [Faraday Fabric](https://amzn.to/2ORKtTr)
- **Hardware Wallet** - Using the Trezor Shield or [Trezor Core](https://github.com/trezor/trezor-firmware) and a Raspberry Pi, you can create your own hardware wallet for safley storing your crypto currency private keys offline. See [this guide](https://github.com/Multibit-Legacy/multibit-hardware/wiki/Trezor-on-Raspberry-Pi-from-scratch) for building. If you enjoyed that, you can also run your own BitCoin and Lightning Node [Raspiblitz](https://github.com/rootzoll/raspiblitz)
- **Encrypted USB** - You can use [VeraCrypt](https://www.veracrypt.fr/en/Home.html) to create an encrypted USB drive, using any off-the shelf [USB drive](https://amzn.to/2RykcLD)
- **Home VPN** - [Pi_VPN](https://www.pivpn.io) lets you use [OpenVPN](https://openvpn.net) to connect to your home network from anywhere, through your [Pi](https://amzn.to/2uniPqa). See [this guide](https://pimylifeup.com/raspberry-pi-vpn-server) for set-up instructions. This will work particularly well in combination with Pi Hole.
- **USB Password Manager** - Storing your passwords in the cloud may be convinient, but you cannot ever be certain they won't be breached. [KeePass](https://keepass.info/help/v2/setup.html) is an offline password manager, with a portable ddition that can run of a USB. There's also an [app](https://play.google.com/store/apps/details?id=com.korovan.kpass). See also [KeePassX](https://www.keepassx.org) and [KeePassXC](https://keepassxc.org) which are popular communnity forks with additional functionality
- **Automated Backups** - [Syncthing](https://syncthing.net) is a privacy-focused continuous file synchronization program. You can use it to make on-site backups as well as encrypted and sync your data with your chosen cloud storage provider
- **Bootable Drive Eraser** - You can flash the [DBAN](https://dban.org) or [KillDisk](https://www.killdisk.com/bootablecd.htm) ISO file onto a USB, boot from it and securly, fully wipe your hard drives. This is useful to do before selling or disposing of a PC.
- **Deauth Detector** - Since most wireless attacked begin by sending out deauthentication packets, you can flash SpaceHuhns [DeatuhDetector](https://github.com/spacehuhn/DeauthDetector), onto a standard [ESP8266 NodeMCU](https://amzn.to/2v5grV0), plug it in, and wait to be notified of wireless deauth attacks
- **Tor WiFi Network** - Using [OnionPi](https://github.com/breadtk/onion_pi), you can create a second wireless network, that routed traffic through Tor. This is very light-weight so can be done with just a [Pi Zero W](https://amzn.to/2Urc0hM). Here is a configuration [guide](https://www.sbprojects.net/projects/raspberrypi/tor.php)
- **Faraday Case** - If you want to block signals for devices such as car keys, smart phone, laptop or even just RFID-enabled cards and passports, you can line a box or pouch with [Faraday Fabric](https://amzn.to/2ORKtTr)
- **GPS Spoofer** - If you don't want to be tracked with GPS, then using a SDR you can send out spoof GPS signals, making near-by GPS-enabled devices think that they are in a totally different location. (Wouldn't recommend using this while on an airplane though!). You can use [gps-sdr-sim](https://github.com/osqzss/gps-sdr-sim) by [@osqzss](https://github.com/osqzss), and run it on a [Hacker RF](https://greatscottgadgets.com/hackrf) or similar SDR. Here's a [guide](https://www.rtl-sdr.com/tag/gps-spoofing) outlineing how to get started, you'll also need a [NooElec HackRF One](https://amzn.to/2Ta1s5J) or similar [SDR](https://amzn.to/39cLiOx). Check your local laws first, you may need a radio license.
- **No-Mic Laptop** - You can go one step further than using a mic-blcoker, and physically remove the microphone from your laptop. (And then use a removable external mic when needed). See how, for [Apple MacBook and iPhone](https://www.wired.com/story/remove-the-mic-from-your-phone/) | [Video Guide](https://www.youtube.com/watch?v=Eo-IwQMeVLc). If that seems to extreme, there are [other options](https://security.stackexchange.com/a/130402)
If you are confident with electronics, then you could also make:
- **USB Data Blocker** - By simple removing the data wires from a USB adapter, you can create a protector to keep you safe while charing your device in public spaces. See [this guide](https://www.instructables.com/id/Making-a-USB-Condom) for more info (note: fast charge will not work)
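Review bot: the Bootable Drive Eraser entry (DBAN / KillDisk) should say that a multi-pass overwrite is only dependable on spinning disks; on an SSD, wear-levelling leaves blocks the overwrite never reaches, so that item should point readers at the drive's built-in secure-erase command, or at having run full-disk encryption from the start, before selling or disposing of the machine. The GPS Spoofer entry closes with "Check your local laws first, you may need a radio license", which understates it: in most jurisdictions an amateur licence does not cover transmitting on the GPS band at all, so the caveat should be firmer. Spellings to fix in this hunk: "convinient", "ddition", "run of a USB", "communnity", "securly", "wireless attacked begin", "DeatuhDetector", "that routed traffic", "outlineing", "mic-blcoker", "to extreme", "charing".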
@ -87,22 +92,39 @@ If you are confident with electronics, then you could also make:
We can go even further, these products are far from essential and are maybe a little over-the-top. But fun to play around with, if you really want to avoid being tracked!
- **Self-Destroying PC** - The ORWL PC will wipe all data if it is compromised, and has many other safeguards to ensure no one other than you can access anything from your drive. Comes with QubeOS, Windows or Linux, and requires both a password and fob to log in. See more: [orwl.org](https://orwl.org)
- **True Random Number Generator** - FST-01SZ is a tiny stand alone USB 32-bit computer based on a free hardware design. (NeuG is an implementation of a TRNG for GD32F103 MCU). See More: [Free Software Foundation: Shop](https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator)
- **Card Skimmer Detector** - Ensure an ATM or card reader does not have an integrated skimming device. See more at [Lab401](https://lab401.com/products/hunter-cat-card-skimmer-detector)
- **Voice Changer** - Useful to disguise voice, while chatting online. See more: [UK](https://amzn.to/3bXqpsn) | [US](https://amzn.to/2PqUEyz)
- **Ultra-Sonic Microphone Jammer** - Blocks phones, dictaphones, voice assistants and other recording devices. Uses built-in transducers to generate ultrasonic signals that can not be heard by humans, but cause indistinct noise, on redording devices, making it impossible to distinguish any details of the conversations. See more [UK](https://amzn.to/2Hnk63s) | [US](https://amzn.to/2v2fwVG)
- **Reflective Glasses** - Blocks faces from most CCTV and camera footage, and stops facial recognition from being able to map your face. See more: [Reflectacles](https://www.reflectacles.com)
- **Bug Detector** - Able to detect radio waves, magnetic fields, in order to find hidden wired or wireless recording or camera equipment and transmitting devices, Note: has limited accuracy. See more: [UK](https://amzn.to/2V8z8C1) | [US](https://amzn.to/2V9AnkI)
- **Active RFID Jamming** - Armour Card is a slim credit-card shaped device, which when in contact with any readers creates an electronic force field, strong enough to "jam" and readings from being taken by emmiting arbitrary data. Aimed at protecting cred cards, identity documents, key cards and cell phones. [US](https://amzn.to/38bJxB9) | [ArmourCard Website](https://armourcard.com)
- **Anti-Facial Recognition Clothing** - Carefully printed patterns that confuse common facial recognition algorithms. See more: [Amazon UK](https://amzn.to/32dnYgO) | [Redbubble](https://www.redbubble.com/people/naamiko/works/24714049-anti-surveillance-clothing?p=mens-graphic-t-shirt) | [Monoza](https://www.monoza.mobi/hyperface-anti-surveillance-shirt/?sku=1045-19321-423696-174028)
- **Tor Travel-Router** - Plug-and-play travel router, providing WiFi with VPN or Tor for more private internet access, also has Wi-Fi uplink and range extender with a clear user interface. See more: [Anonabox.com](https://www.anonabox.com) | [Amazon](https://amzn.to/2HHV0fG)
- **Active RFID Jamming** - Armour Card is a slim credit-card shaped device, which when in contact with any readers creates an electronic force field, strong enough to "jam" and readings from being taken by emmiting arbitrary data. Aimed at protecting cred cards, identity documents, key cards and cell phones. [US](https://amzn.to/38bJxB9) | [ArmourCard Website](https://armourcard.com)
- **Ultra-Sonic Microphone Jammer** - Blocks phones, dictaphones, voice assistants and other recording devices. Uses built-in transducers to generate ultrasonic signals that can not be heard by humans, but cause indistinct noise, on redording devices, making it impossible to distinguish any details of the conversations. See more [UK](https://amzn.to/2Hnk63s) | [US](https://amzn.to/2v2fwVG)
- **GPS Jammer** - In the DIY list, there was a link to how to build a GPS spoof device using an SDR. But you can also buy a GPS jammer, which may be useful if you fear that you are being tracked. They are aimed at preventing UAVs from operating in your area, but can also be used to confuse other tracking devices near by, there's a variety of models with varying power and range availible from $50 - $500. [AliExpress](https://www.aliexpress.com/item/4000214903055.html)
- **Faraday Cases** - A Faraday cage or Faraday shield is an enclosure used to block electromagnetic fields. This can be really useful for electronics, since many devices are constantly transmitting and recieving, which is the worst when you are trying to avoid being tracked. Their have been numerous reportings that governments can apparently track phones, even when they are [powered off](https://slate.com/technology/2013/07/nsa-can-reportedly-track-cellphones-even-when-they-re-turned-off.html), and since smart phones often do not have removable batteries, the only option is often to shield them from any em waves. See [SilentPocket.com](https://silent-pocket.com/collections/all-products) | [Faraday Box](https://amzn.to/3cj9z7r) | [Faraday Phone Pouch](https://amzn.to/38faum5)
- **Audio Jammer/ White Noise Generator** - protects your private room conversations by generating a un-filterable masking sound which desensitizes any near-by microphones. Sounds like random static to your ears but it is a variable oscillating frequency that masks your in person conversations. via [SpyGadgets.com](https://www.spygadgets.com/rechargeable-audio-jammer-white-noise-generator-aj-40/)
- **LibremKey: USB Token** - A USB security token to make encryption, key management, and tamper detection convenient and secure. [Purism](https://puri.sm/products/librem-key/)
- **Secalot: All-in-one Security Key** - An open source, small USB, that functions as a hardware Hardware cryptocurrency wallet, OpenPGP smart card, U2F authenticator, and one-time password generator. via [Secalot](https://www.secalot.com/)
- **Slim Hardware OTP Generator** - A reprogrammable TOTP hardware token authenticator. Unlike USB security keys, this does not need to be connected, and instead is used like a mobile OTP generator, where you enter the 6-digit code. Useful as a backup, in case your phone is not accessible. Via [Protectimus](https://www.protectimus.com/protectimus-slim-mini/)
- **p@ss™ Bracelet** - Fun password generator wristband, allowing you to generate hard to guess, unique passwords for each of your online accounts, and not have to remember them. [Tindie](https://www.tindie.com/products/russtopia/psstm-bracelet/)
- **Credential Recall Cards** - An easy method for generating and recalling secure passwords. You could [make your own](https://www.passwordcard.org/en), or buy one such as the C@RD™ Mark II, available via: [Tindie](https://www.tindie.com/products/russtopia/crdtm-mark-ii-credential-ccess-recall-device/)
- **Card Skimmer Detector** - Ensure an ATM or card reader does not have an integrated skimming device. See more at [Lab401](https://lab401.com/products/hunter-cat-card-skimmer-detector)
- **Deauth Detector** - Most WiFi-based attacks involve sending deauth packets at some point, a deauth-detector will notify you whenever these packets are detected. This particular model uses SpaceHuhns code, running on an ESP8266. via: [Tindie](https://www.tindie.com/products/lspoplove/dstike-deauth-detector-pre-flashed-with-detector/) | [Amazon](https://www.amazon.com/MakerFocus-ESP8266-Detector-Pre-flashed-Deauther/dp/B07WKDPBRY)
- **Bug Detector** - Able to detect radio waves, magnetic fields, in order to find hidden wired or wireless recording or camera equipment and transmitting devices, Note: has limited accuracy. See more: [UK](https://amzn.to/2V8z8C1) | [US](https://amzn.to/2V9AnkI)
- **Advanced Multi-Frequency RF Detector** - Get instantly notified whenever a threat enters your environment. Detects the following frequencies: CDMA (824849MHz), GSM(880-920MHz), GS-DCS(17101790MHz), WCDMA, 3G, GSM-PCS, DECT(19202480MHz), Bluetooth, WiFi(24002480MHz), Wi-Max(30007000MHz). via [spygadgets.com](https://www.spygadgets.com/1207i-multi-frequency-rf-bug-detector-cdma-gsm-bluetooth-wimax/)
- **Laser Surveillance Defeater** - Sophisticated spies could potentially use a laser microphone, which bounces an invisible infrared laser off of a window and back to a light sensor. By measuring any interference in that reflected light, the laser microphone can detect vibrations in the window pane and reconstruct sound on the other side of the glass. A laser surveillance defeater creates small in-audible vibrations, which can stop all vibration-based evesdropping. [shomer-tec](https://www.shomer-tec.com/laser-surveillance-defeater.html) | [Amazon](https://www.amazon.com/Surveillance-Defeater-Countermeasure-Protection-Device/dp/B00383Z5L0)
- **Voice Changer** - Useful to disguise voice, while chatting online. See more: [UK](https://amzn.to/3bXqpsn) | [US](https://amzn.to/2PqUEyz)
- **Anti-Facial Recognition Clothing** - Carefully printed patterns that confuse common facial recognition algorithms. See more: [Amazon UK](https://amzn.to/32dnYgO) | [Redbubble](https://www.redbubble.com/people/naamiko/works/24714049-anti-surveillance-clothing?p=mens-graphic-t-shirt) | [Monoza](https://www.monoza.mobi/hyperface-anti-surveillance-shirt/?sku=1045-19321-423696-174028)
- **Reflective Glasses** - Blocks faces from most CCTV and camera footage, and stops facial recognition from being able to map your face. See more: [Reflectacles](https://www.reflectacles.com)
- **Hardware Password Manager** - MooltiPass is an offline, hardware encrypted USB password manager, with desktop and mobile browser integrations. You can export your KeePass database onto it, for secure authentication on the road, and the hardware is open source. See More: [TheMooltiPass.com](https://www.themooltipass.com) | [Hackaday](https://hackaday.com/tag/mooltipass/)
- **QUANTUM** - Multifunctional crypto device, is an open source secure, reliable and simple cross-platform cryptocurrency wallet and password manager. See more: [crypto-arts.com](https://security-arts.com/) | [Tindie](https://www.tindie.com/products/security-arts/quantum-multifunctional-crypto-device/)
- **Faraday Cases** - A Faraday cage or Faraday shield is an enclosure used to block electromagnetic fields. Useful for electronics, since many devices are constantly transmitting and recieving, which is the worst when you are trying to avoid being tracked. Their have been numerous reportings that governments can apparently track phones, even when they are [powered off](https://slate.com/technology/2013/07/nsa-can-reportedly-track-cellphones-even-when-they-re-turned-off.html), and since smart phones often do not have removable batteries, the only option is often to shield them from any em waves. See [SilentPocket.com](https://silent-pocket.com/collections/all-products) | [Faraday Box](https://amzn.to/3cj9z7r) | [Faraday Phone Pouch](https://amzn.to/38faum5)
- **DNA Invisble** - An open source recipe that erases and deletes 99.5% of DNA left behind, and obfuscates the remaining 0.5%. You leave your DNA behind all the time, once analysed this is able to say a lot about your genetic makeup, and who you are. Learn more about this threat in [this video](https://youtu.be/MoX_BDWZUG0), See [DNA Invisible](http://biogenfutur.es)
- **Forensic bridge kit** - Allows for write blocking to prevent unauthorized writing to a device, and for crating images with out modifying data. See more: [Amazon](https://www.amazon.com/dp/B00Q76XG5W)
- **Firewalla** - Tiny open source smart firewall. Has many useful features: VPN Server, Ad-blocker, powerful monitoring, security analysis and family controls. [Firewalla.com](https://firewalla.com) | [Tindie](https://www.tindie.com/products/firewallallc/firewalla-smart-internet-security-for-your-home/)
- **IoTMATE v2b-CL** - Plug-and-play open source home automation module, does not require internet access and has some good privacy controls, making it a more secure alternative to big-name IoT hubs (Note: requires technical and electrical knowledge to install and configure). [Tindie](https://www.tindie.com/products/iotmate/iotmate-v2b-cl-home-automation-with-alexa-support/)
- **Stand-alone Drive Eraser** - Allows you to erase drives, without connecting them to your PC. Availible in different modesls for different needs. See More: [Amazon](https://www.amazon.com/StarTech-com-Hard-Drive-Eraser-Standalone/dp/B073X3YZNL)
- **Shredder** - It is important to safely dispose of any documents that contain personal information. This is a very affordable shredder - it cuts pieces into security level P-4 sizes (5/32" by 15/32"). It also shreds credit cards into the same size. [Amazon](https://www.amazon.com/AmazonBasics-6-Sheet-High-Security-Micro-Cut-Shredder/dp/B00Q3KFX8U)
- **Device Timer** - This non-smart device can be used to turn various devices (such as lights or radio) on or off at certain times. It's useful to deter people when you are away. [Amazon](https://www.amazon.com/Century-Digital-Programmable-Packaging-Security/dp/B00MVF16JG)
- **SurfEasy Key** - A portable web browser you can carry in your pocket for private and secure browsing on the go. Provides encrypted storage and anonymous browsing features. Again, you can make your own version with an encrypted USB, and a portable executable. [fightforthefuture.org](https://shop.fightforthefuture.org/products/surfeasy-key)
- **Private Texting LoRa Transceivers** | A pack of 2 private texting unit, which are small companion radios for a smartphone, allowing you to communicate independently from celluar networks, great for privacy, security and when you have no service. [Tindie](https://www.tindie.com/products/DLSpectrum/two-private-texting-lora-transceivers/)
- **TrueRNG** - Generates a stream of True Random Numbers for use in Simulations, Security, and Gaming. [Tindie](https://www.tindie.com/products/ubldit/truerng-v3/)
- **Wire Tap Detector** - Easily check both single and multi-line phone systems for series and parallel taps. Via [BrickHouseSecurity](https://www.brickhousesecurity.com/counter-surveillance/wiretap/)
- **True Random Number Generator** - FST-01SZ is a tiny stand alone USB 32-bit computer based on a free hardware design. (NeuG is an implementation of a TRNG for GD32F103 MCU). See More: [Free Software Foundation: Shop](https://shop.fsf.org/storage-devices/neug-usb-true-random-number-generator)
## Network Security
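Review bot: this hunk leaves several products listed twice within the same section: Active RFID Jamming (two identical lines), Ultra-Sonic Microphone Jammer, Card Skimmer Detector, Voice Changer, Bug Detector, Reflective Glasses, Anti-Facial Recognition Clothing, True Random Number Generator and Faraday Cases each appear twice, and Firewalla is listed here and again under Network Security; if the earlier copies were meant to go in the merge, check the resulting file, otherwise de-duplicate. The Advanced Multi-Frequency RF Detector line has lost the range separators in its frequencies ("CDMA (824849MHz)", "GS-DCS(17101790MHz)", "DECT(19202480MHz)", "WiFi(24002480MHz)", "Wi-Max(30007000MHz)" should read 824-849, 1710-1790 and so on). The GPS Jammer entry should carry at least the same "check your local laws" caveat as the GPS spoofer entry in the DIY list, since operating a jammer is illegal in most places. Also "QubeOS" should be "Qubes OS", and spellings to fix: "emmiting", "cred cards", "redording", "recieving", "Their have been numerous reportings", "evesdropping", "Invisble", "crating images with out", "Availible", "modesls", "celluar".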
@ -112,6 +134,8 @@ Gadgets that help protect and anonamise your internet, detect & prevent intrusio
- **Anonabox** - Plug-and-play Tor router. Wi-Fi uplink and range extender with user interface, also has VPN options and USB ports for local file sharing. [Amazon](https://amzn.to/38bwZIA) | [Anonabox.com](anonabox.com)
- **FingBox** - Network monitoring and security, for what it offers Fing is very affordable, and there is a free [app](https://www.fing.com/products/fing-app) that you can use before purchasing the hardware to get started. [Fing.com](https://www.fing.com/products/fingbox) | [US](https://amzn.to/2wlXfCT) | [UK](https://amzn.to/2I63hKP)
- **BitdefenderBox** - Cybersecurity home firewall hub, for protecting IoT and other devices. Has other features such as parental controlls and is easy to set up. [US](https://amzn.to/2vrurZJ) | [UK](https://amzn.to/34Ul54w)
- **Flashed-Routers** - Pre-configured branded routers, flashed with custom open source firmware, for better security, privacy and performance. [flashrouters.com](https://www.flashrouters.com/routers)
- **Firewalla** - Tiny open source smart firewall. Has many useful features: VPN Server, Ad-blocker, powerful monitoring, security analysis and family controls. [Firewalla.com](https://firewalla.com) | [Tindie](https://www.tindie.com/products/firewallallc/firewalla-smart-internet-security-for-your-home/)
- **Trend Micro Box** - Protect home networks from external and internal cyber attacks. Detects intrusions, vulnrabbilities, remote access, web threats and provides other security features. [US](https://amzn.to/2wk3Y0s) | [US](https://amzn.to/2uqX4Wv)
- **AlwaysHome Duo** - USB VPN with accelerated virtual networking to your home or office network, crossing geo-blocking and firewall mechanisms. [US](https://amzn.to/2Ts6oSn) | [UK](https://amzn.to/3bi4cF0)
- **Firewalla Red** - An intrusion detection and intrusion prevention system, with a web and mobile interface. Also has Ad-block, VPN, internet controll features and insights. [US](https://amzn.to/388BlAw) | [Firewalla.com](https://firewalla.com)
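Review bot: the Anonabox link target "anonabox.com" has no scheme, so it renders as a relative link into the repository page; use "https://www.anonabox.com" as the gadgets list does. The Trend Micro Box entry labels both of its links [US]; one is presumably [UK]. Firewalla appears in this hunk under two names (Firewalla and Firewalla Red) and again in the gadgets section above, which is worth consolidating into one entry. Spellings to fix: "controlls", "vulnrabbilities", "controll", and "anonamise" in the section intro.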
@ -126,6 +150,7 @@ Gadgets that help protect and anonamise your internet, detect & prevent intrusio
- **[IPFire](https://www.ipfire.org)** - A hardened, versatile, state-of-the-art open source firewall based on Linux. Its ease of use, high performance and extensibility make it usable for everyone
- **[PiVPN](https://pivpn.io)** - A simple way to set up a home VPN on a any Debian server. Supports OpenVPN and WireGuard with elliptic curve encryption keys up to 512 bit. Supports multiple DNS providers and custom DNS provividers- works nicley along-side PiHole
- **[E2guardian](http://e2guardian.org)** - Powerful open source web content filter
- **[OpenWRT](https://openwrt.org)** Powerful custom router firmware, with great security, performance and customization features. See more [custom router firmware](/5_Privacy_Respecting_Software.md#router-firmware)
- **[SquidGuard](http://www.squidguard.org)** - A URL redirector software, which can be used for content control of websites users can access. It is written as a plug-in for Squid and uses blacklists to define sites for which access is redirected
- **[PF Sense](https://www.pfsense.org)** - Widley used, open source firewall/router
- **[Zeek](https://www.zeek.org)** - Detect if you have a malware-infected computer on your network, and powerful network analysis framework and monitor
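Review bot: the PiVPN line's "elliptic curve encryption keys up to 512 bit" is misleading: WireGuard uses a fixed Curve25519 key exchange with no key-size option, so any key-size choice PiVPN offers applies only to the certificates it generates for OpenVPN; reword to say what is actually configurable. The OpenWRT item is missing the " - " separator the other list items use. The Zeek line ("Detect if you have a malware-infected computer on your network, and powerful network analysis framework and monitor") needs rewriting as one sentence. Spellings to fix: "provividers", "nicley", "Widley".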
@ -180,8 +205,8 @@ Small, low-cost but essential devise. It attaches inbetween your USB cable and t
- PortaPow 3rd Gen, USB A, 2-Pack. [Red](https://amzn.to/39aStqE) | [White](https://amzn.to/2TqXl4i) | [Black](https://amzn.to/38imYd2)
- PortaPow Dual USB Power Monitor with Data Blocker, usful for monitoring power consumption and managing which devices are allowed data connections. [US](https://amzn.to/2I7HT7J) | [UK](https://amzn.to/3chnWcJ)
- Privise USB A Data Blocker. [US](https://amzn.to/3cig0rr) | [UK](https://amzn.to/2VAbX3K)
- Data-only Micro-USB cable. Be sure that it is actually data-only, you can count the pins at each end. Again PortaPow make a legitimate safe-charge cable [US](https://amzn.to/2Tq09ys) | [UK](https://amzn.to/38chHDF)
- Data-only Micro-USB cable. Be sure that it is actually data-only, you can count the pins at each end. Again PortaPow make a legitimate safe-charge cable. [US](https://amzn.to/2Tq09ys) | [UK](https://amzn.to/38chHDF)
- USB-C ondom. An open source power-with-no-data USB-C data blocker. [Tindie](https://www.tindie.com/products/CrowbarTech/usb-c-ondom/)
PortaPow (3rd gen) is one of the best options, since it has a SmartCharge chip (which isn't usually possible without the data wire).
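Review bot: the rewritten line "Data-only Micro-USB cable. Be sure that it is actually data-only" (the edit only adds a full stop) still says the opposite of what the product is: it is a charge-only cable with the data lines left out, as the rest of the sentence ("safe-charge cable") makes clear, so rename it "Charge-only Micro-USB cable". The advice to "count the pins at each end" will not tell a reader much either, because a charge-only cable still has a standard five-pin Micro-B plug and the data lines are simply not wired inside; a more useful check is to plug the cable into a computer and confirm the device does not enumerate. Spelling: "usful".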
@ -192,19 +217,18 @@ Word of Warning: Sometimes the cable itself can be dangerous. See [O.M.G Cable](
## FIDO U2F Keys
Using a physical 2-factor authentication key can greatly improve the security of your online accounts. See [twofactorauth.org](https://twofactorauth.org) for a list of websites that provide 2FA.
Physical 2-factor authentication keys are a secure and convinient method of authentication. See [twofactorauth.org](https://twofactorauth.org) for a list of websites that provide 2FA.
- **[Solo Key](https://solokeys.com)** - An open source U2F and FIDO2 key, with NFC. via [SoloKeys.com](https://solokeys.com)
- **[LibremKey](https://puri.sm/products/librem-key/)** - A USB security token to make encryption, key management, and tamper detection convenient and secure. via [Puri.sm](https://puri.sm/products/librem-key/)
- **[OnlyKey](onlykey.io/alicia)** - A pin-protected open source hardware password manager with FIDO2/ U2F. It's very affordable, considering the broad feature set, but initial setup is a little complex. Via [OnlyKey.com](onlykey.io/alicia)
- **[NitroKey](https://www.nitrokey.com/)** - An open source secure USB, providing authentication (OTP, U2F and static passwords), email encryption (GnuPG, OpenGPG, S/MIME etc), file encryption (with VeraCrypt, GnuPG and more), key and certificate management and SSH keys for server administration. via [NitroKey.com](https://www.nitrokey.com/)
- **[Secalot](https://www.secalot.com/)** - A small open source USB, that functions as a hardware Hardware crypto wallet, OpenPGP smart card, U2F authenticator, and one-time password generator. via [Secalot.com](https://www.secalot.com/)
- **[Protectimus](https://www.protectimus.com/protectimus-slim-mini/)** - A credit-card sized, slim TOTP hardware token. Allows you to generate 6-digit OTP codes, without the need for a mobile device. Useful as a backup, in case your phone is not accessible. Via [Protectimus.com](https://www.protectimus.com/protectimus-slim-mini/)
- **[Yubikey](https://www.yubico.com/products/)** - Extremely popular, easy-to-use and reliable authentication keys, availible in a variety of form factors- from Micro keys, USB-C, Slim USB-A, and dual lightning + USB. Note, that neither the hardware, nor software is open source. Via [yubico.com](https://www.yubico.com/products/)
- **[Thetis](https://thetis.io)** - Extremely durable, mobile-friendly USB-A FIDO U2F Key. via [Thetis.io](https://thetis.io)
- **[U2F Zero](https://u2fzero.com/)** - Simple, open source U2F token, with write-only keys, tamper-resistance and hardware true random number generator to ensure high entropy.
- **Yubico USB A + NFC Key** - classic key with solid reputation. [UK](https://amzn.to/38ddnUG) | [US]() | [Yubico](https://www.yubico.com/store)
- **YubiKey 5 Mobile and Nano Keys** - [USB A Nano](https://amzn.to/2wkCmbe) | [USB C](https://amzn.to/2VGkClz) | [USB C Nano](https://amzn.to/39b2zYA)
- **Thetis** - Durable. mobile-friendly USB-A FIDO U2F Key. [US](https://amzn.to/39f6Dqu) | [UK](https://amzn.to/3cm9xvK) | [Thetis.io](https://thetis.io)
- **Solo Key** - An open source U2F and FIDO2 key, USB A + NFC. [US](https://amzn.to/39cJR2P) | [UK](https://amzn.to/3ajnBo0) | [SoloKeys.com](https://solokeys.com)
- **OnlyKey** - A pin-protected hardware password manager with FIDO2/ U2F. It allows a user to log in without a password or typing out a 2FA code. [OnlyKey.com](onlykey.io/alicia) | [US](https://amzn.to/38blkd3) | [UK](https://amzn.to/3clwTli)
- **Librem Key** - Makes encryption, key management, and tamper detection convenient and secure. Includes an integrated password manager, random number generator, tamper-resistant smart card plus more. [Puri.sm](https://puri.sm/products/librem-key)
The Verge has a good [article](https://www.theverge.com/2019/2/22/18235173/the-best-hardware-security-keys-yubico-titan-key-u2f) comparing hardware keys.
If you are interested in reserarching how to build your own key, see [U2f-Zero](https://github.com/conorpp/u2f-zero) by Conor Patrick, lets you turn a Pi Zero into a second-factor auth method. Note: project no longer activley maintained, see [NitroKey](https://github.com/nitrokey) instead
You can also build your own key, see [U2f-Zero](https://github.com/conorpp/u2f-zero) by Conor Patrick, lets you turn a Pi Zero into a second-factor auth method. Or check out [NitroKey](https://github.com/nitrokey), for a guide on building U2F with an ESP-8266, see [this Hackaday article](https://hackaday.com/2018/01/04/two-factor-authentication-with-the-esp8266/)
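Review bot: the rewritten closing line drops the note that U2F Zero is no longer actively maintained, which anyone weighing a DIY key needs; keep that caveat. The same line says U2F Zero "lets you turn a Pi Zero into a second-factor auth method", but Conor Patrick's project is a standalone USB token built around a small microcontroller and a secure-element chip, not a Raspberry Pi Zero project; reword. Elsewhere in the section: the "Yubico USB A + NFC Key" entry has an empty link "[US]()"; both OnlyKey entries link to "onlykey.io/alicia" without a scheme (it renders as a relative link) and the path looks like a referral code, which should be disclosed; and Solo Key, Thetis, OnlyKey and Librem Key each appear in both list blocks, so the two blocks should be merged into one. Spellings to fix: "convinient", "availible".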
@ -215,10 +239,10 @@ The most secure medium to store your currency is cold (offline) wallets, since t
- Trezor is fully open source and implements a firmware-based security on top of known hardware. [Trezor.com](https://trezor.io)
- Ledger takes a more black box approach, but their devices are very well tested and secure. They are also easy to use and durable, with good support for a range of crypto. [Ledger.com](https://shop.ledger.com/pages/hardware-wallets-comparison)
- Indestructible Steel Wallet, for private key. [US](https://amzn.to/2Px0EFV) | [UK](https://amzn.to/2VLeVmr)
- QUANTUM is a Multifunctional crypto device, that is an open source secure, reliable and simple cross-platform cryptocurrency wallet and password manager. [crypto-arts.com](https://security-arts.com/) | [Tindie](https://www.tindie.com/products/security-arts/quantum-multifunctional-crypto-device/)
Always ensure the packaging has not been tampered with, buy direct from the manufacturer when possible.
---
## See Also
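Review bot: "Always ensure the packaging has not been tampered with, buy direct from the manufacturer when possible" is the right advice, but an intact-looking package can still hold a modified device, so the sentence should also tell readers to verify the device through the vendor's own setup software (its genuineness or firmware check) before loading keys onto it. The Trezor line's "implements a firmware-based security on top of known hardware" is vague; say plainly that it relies on open firmware running on a general-purpose microcontroller rather than on a secure element. The QUANTUM entry here repeats the one in the gadgets list above.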

@ -31,14 +31,125 @@ Thanks goes to these wonderful people
<!-- To add yourself to the table, copy the row above and replace with your details. Max 7 <td> (columns) per <tr> (row). -->
This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification.
Contributions of any kind welcome!
*This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification.*
[Contributions](/CONTRIBUTING.md) of any kind welcome!
Special Thanks to [Stefan Keim](https://github.com/indus) and [Matt (IPv4) Cowley](https://github.com/MattIPv4) from [JS.org](https://js.org), for providing the domain used for our GitHub Page ([security-list.js.org](https://security-list.js.org)).
And of course, and huge thank you to the awesome developers behind the projects listed in the [Privacy-Respecting Software list](/5_Privacy_Respecting_Software.md). The effort, time and love they've put into each one of those applications is immediately apparent, they've done an amazing job 💞
## References 📝
// Todo
<blockquote>
"2019 Data Breach Investigations Report - EMEA", Verizon Enterprise Solutions, 2020. [Online]. Available: https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report-emea.pdf. [Accessed: 25- Apr- 2020]
"Web Browser Privacy: What Do Browsers Say When They Phone Home?", Feb 2020. [Online].
Available: https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf. [Accessed: 27- Apr- 2020]
"Comments on the Competition and Markets Authoritys interim report on online platforms and digital advertising", Privacyinternational.org, Jan 2020. [Online].
Available: https://privacyinternational.org/sites/default/files/2020-04/20.02.12_CMA_PI_Comments_Interim_Report_FINAL.pdf. [Accessed: 02- May- 2020]
"Cracking DES: Secrets of Encryption Research, Wiretap Politics, and Chip Design", 1998. [Online].
Available: https://dl.packetstormsecurity.net/cracked/des/cracking-des.htm. [Accessed: 25- Apr- 2020]
"Digital Identity Guidelines", 2020. [Online].
Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf. [Accessed: 25- Apr- 2020]
"DNS Security - Getting it Right", Open Rights Group, 2020. [Online].
Available: https://www.openrightsgroup.org/about/reports/dns-security-getting-it-right. [Accessed: 25- Apr- 2020]
"DNS-over-HTTPS performance | SamKnows", Samknows.com, 2020. [Online].
Available: https://www.samknows.com/blog/dns-over-https-performance. [Accessed: 25- Apr- 2020]
J. Eckenrode and S. Friedman, "The state of cybersecurity at financial institutions", 2018. [Online].
Available: https://www2.deloitte.com/us/en/insights/industry/financial-services/state-of-cybersecurity-at-financial-institutions.html. [Accessed: 25- Apr- 2020]
E. Foundation, "Cracking DES", Shop.oreilly.com, 1998. [Online].
Available: http://shop.oreilly.com/product/9781565925205.do. [Accessed: 25- Apr- 2020]
"Google data collection, research and findings", Digital Content Next, 2020. [Online].
Available: https://digitalcontentnext.org/blog/2018/08/21/google-data-collection-research/. [Accessed: 25- Apr- 2020]
S. Lekies, B. Stock, M. Wentzel and M. Johns, "The Unexpected Dangers of Dynamic JavaScript", UseNix & SAP, 2020. [Online]. Available: https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-lekies.pdf. [Accessed: 25- Apr- 2020]
"Privacy concerns with social networking services", 2020. [Online]. Available: https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services. [Accessed: 25- Apr- 2020]
D. Tian, G. Hernandez, J. Choi, V. Frost, C. Ruales, P. Traynor, H. Vijayakumar, L. Harrison, A. Rahmati, M. Grace and K. Butler, "Vulnerability Analysis of AT Commands Within the Android Ecosystem", Cise.ufl.edu, 2020. [Online].
Available: https://www.cise.ufl.edu/~butler/pubs/usenix18-atcmd.pdf. [Accessed: 25- Apr- 2020]
S. Topuzov, "Phone hacking through SS7 is frighteningly easy and effective", Blog.securegroup.com, 2020. [Online].
Available: https://blog.securegroup.com/phone-hacking-through-ss7-is-frighteningly-easy-and-effective. [Accessed: 25- Apr- 2020]
J. Heidemann, Y. Pradkin, R. Govindan, C. Papadopoulos and J. Bannister, "Exploring Visible Internet Hosts through Census and Survey", Isi.edu, 2020. [Online].
Available: https://www.isi.edu/~johnh/PAPERS/Heidemann07c.pdf. [Accessed: 10- May- 2020]
Michalevsky, Y., Boneh, D. and Nakibly, G., 2014. Recognizing Speech From Gyroscope Signals. [online] Usenix.org. Available at: <https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-michalevsky.pdf> [Accessed 26 May 2020].
Favaretto, M., Clercq, E. and Simone Elger, B., 2019. Big Data And Discrimination: Perils, Promises And Solutions. A Systematic Review. [online] springeropen. Available at: <https://journalofbigdata.springeropen.com/articles/10.1186/s40537-019-0177-4> [Accessed 26 May 2020].
Web Browser Privacy: What Do Browsers Say When They Phone Home?, n.d. https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf.
A Comprehensive Evaluation of Third-Party Cookie Policies, n.d. https://wholeftopenthecookiejar.com/static/tpc-paper.pdf.
A Study of Scripts Accessing Smartphone Sensors, n.d. https://sensor-js.xyz/webs-sixth-sense-ccs18.pdf.
Acar, Abbas, Wenyi Liu, Raheem Beyah, Kemal Akkaya, and Arif Selcuk Uluagac. “A PrivacyPreserving Multifactor Authentication System.” Security and
Privacy 2, no. 6 (2019). https://doi.org/10.1002/spy2.94.
Afzal, Waseem. “Rethinking Information Privacy-Security: Does It Really Matter?” Proceedings of the American Society for Information Science and
Technology 50, no. 1 (2013): 110. https://doi.org/10.1002/meet.14505001095.
Battery Status Not Included, Assessing Privacy in Web Standards, n.d. https://www.cs.princeton.edu/~arvindn/publications/battery-status-case-study.pdf.
Christl, Wolfie. Corporate Surveillance in Everyday Life, How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions, n.d.
https://crackedlabs.org/dl/CrackedLabs_Christl_CorporateSurveillance.pdf.
Das, Anupam, Gunes Acar, Nikita Borisov, and Amogh Pradeep. “The Webs Sixth Sense.” Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018. https://doi.org/10.1145/3243734.3243860.
Englehardt, Steven, Dillon Reisman, Christian Eubank, Peter Zimmerman, Jonathan Mayer, Arvind Narayanan, and Edward W. Felten. “Cookies That Give You Away.” Proceedings of the 24th International Conference on World Wide Web - WWW 15, 2015. https://doi.org/10.1145/2736277.2741679.
Englehardt, Steven, Jeffrey Han, and Arvind Narayanan. “I Never Signed up for This! Privacy Implications of Email Tracking.” Proceedings on Privacy Enhancing Technologies 2018, no. 1 (January 2018): 10926. https://doi.org/10.1515/popets-2018-0006.
Ferra, Fenia, Isabel Wagner, Eerke Boiten, Lee Hadlington, Ismini Psychoula, and Richard Snape. “Challenges in Assessing Privacy Impact: Tales from the Front Lines.” Security and Privacy 3, no. 2 (2019). https://doi.org/10.1002/spy2.101.
hmathur, arunes. Characterizing the Use of Browser-Based Blocking Extensions To Prevent Online Tracking, n.d. http://aruneshmathur.co.in/files/publications/SOUPS18_Tracking.pdf.
Lebeck, Kiron, Kimberly Ruth, Tadayoshi Kohno, and Franziska Roesner. “Towards Security and Privacy for Multi-User Augmented Reality: Foundations with End Users.” 2018 IEEE Symposium on Security and Privacy (SP), 2018. https://doi.org/10.1109/sp.2018.00051.
Location Tracking using Mobile Device Power Analysis, n.d. https://www.scribd.com/doc/256304846/PowerSpy-Location-Tracking-using-Mobile-Device-Power-Analysis.
Online Tracking, A 1-million-site Measurement and Analysis, n.d. https://www.cs.princeton.edu/~arvindn/publications/OpenWPM_1_million_site_tracking_measurement.pdf.
Pixel Perfect, Fingerprinting Canvas in HTML5, n.d. https://hovav.net/ucsd/dist/canvas.pdf.
Recognizing Speech From Gyroscope Signals, n.d. https://crypto.stanford.edu/gyrophone/.
Roesner, Franziska. Detecting and Defending Against Third-Party Tracking on the Web, n.d. http://www.franziroesner.com/pdf/webtracking-NSDI2012.pdf.
Schneider, Christian. Cross-Site WebSocket Hijacking, n.d. http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html.
Seb, Crypto. Crypto Paper: Privacy, Security, and Anonymity For Every Internet User, n.d. https://github.com/cryptoseb/cryptopaper.
Shining the Floodlights on Mobile Web Tracking — A Privacy Survey, n.d. https://pdfs.semanticscholar.org/80bb/5c9119ff4fc2374103b4f3d6a8f614b3c2ed.pdf.
Su, Jessica, Ansh Shukla, Sharad Goel, and Arvind Narayanan. “De-Anonymizing Web Browsing Data with Social Networks.” Proceedings of the 26th International Conference on World Wide Web, March 2017. https://doi.org/10.1145/3038912.3052714.
The Surveillance Implications of Web Tracking, n.d. https://senglehardt.com/papers/www15_cookie_surveil.pdf.
Trackers Vs Firefox, Comparing different blocking utilities, n.d. https://github.com/jawz101/TrackersVsFirefox.
Understanding Facebook Connect login permissions, n.d. http://jbonneau.com/doc/RB14-fb_permissions.pdf.
Vines, Paul, Franziska Roesner, and Tadayoshi Kohno. “Exploring ADINT.” Proceedings of the 2017 on Workshop on Privacy in the Electronic Society - WPES 17, 2017. https://doi.org/10.1145/3139550.3139567.
Yelp, Luca Wu. Is Google degrading search? Consumer Harm from Universal Search, n.d. https://www.law.berkeley.edu/wp-content/uploads/2015/04/Luca-Wu-Yelp-Is-Google-Degrading-Search-2015.pdf.
</blockquote>
**Above References apply to the Content in the Following Files**:<br>
[TLDR](/2_TLDR_Short_List.md) | [Intro](/0_Why_It_Matters.md) | [The Personal Security Checklist](/README.md) | [Privacy-Respecting Software](/5_Privacy_Respecting_Software.md) | [Security Hardware](/6_Privacy_and-Security_Gadgets.md) | [Further Links](/4_Privacy_And_Security_Links.md)
## Stars 🌟
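Review bot: the reference block above mixes three citation styles (IEEE-style "[Accessed: 25- Apr- 2020]" entries, Harvard-style "Available at: <...> [Accessed 26 May 2020]" entries, and bare "Title, n.d. URL" entries), and several of the "n.d." entries look like a mangled citation-manager export: "hmathur, arunes." is Arunesh Mathur (the SOUPS 2018 paper at that URL), and "Yelp, Luca Wu." is the Luca and Wu study commissioned by Yelp. Three papers are also listed twice under different titles: "Recognizing Speech From Gyroscope Signals" appears as both the Michalevsky/Boneh/Nakibly USENIX entry and the crypto.stanford.edu/gyrophone entry; "A Study of Scripts Accessing Smartphone Sensors" (sensor-js.xyz) is the same paper as Das et al., "The Web's Sixth Sense"; and "The Surveillance Implications of Web Tracking" (www15_cookie_surveil.pdf) is the subtitle of Englehardt et al., "Cookies That Give You Away". Suggest collapsing the duplicates, restoring the author names, and settling on one style with author, title, venue/year, URL and access date for every entry.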
@ -46,3 +157,8 @@ Contributions of any kind welcome!
Thank you [@caarlos0](https://github.com/caarlos0) for the above [Star Chart](https://github.com/caarlos0/starcharts) ☺️
---
Licensed under [Creative Commons, CC BY 4.0](/LICENSE.md), © [Alicia Sykes](https://aliciasykes.com) 2020

README.md

@ -3,134 +3,179 @@
[![License](https://img.shields.io/badge/LICENSE-CC_BY_4.0-00a2ff?&style=flat-square)](https://creativecommons.org/licenses/by/4.0/)
[![Contributors](https://img.shields.io/github/contributors/lissy93/personal-security-checklist?color=%23ffa900&style=flat-square)](https://github.com/Lissy93/personal-security-checklist/graphs/contributors)
# Personal Security Checklist
<p align="center"><img src="https://i.ibb.co/rGQK71g/personal-security-checklist-6.png" /></p>
> A curated checklist of tips to protect your dgital security and privacy
*<p align="center">A curated checklist of tips to protect your digital security and privacy</p>*
### Contents
[<img src="https://i.ibb.co/XbyGTrP/1-authentication-2-36x36.png" width="28" height="28" /> Authentication](#authentication)<br>
[<img src="https://i.ibb.co/r2L4D8X/2-internet-36x36.png" width="28" height="28" /> Browsing the Web](#web-browsing)<br>
[<img src="https://i.ibb.co/7NrXW3L/5-email-36x36.png" width="28" height="28" /> Email](#emails)<br>
[<img src="https://i.ibb.co/GFYyXMd/6-social-media-36x36.png" width="28" height="28" /> Social Media](#social-media)<br>
[<img src="https://i.ibb.co/SPVd9zt/3-networks-36x36.png" width="28" height="28" /> Networks](#networking)<br>
[<img src="https://i.ibb.co/F3WwqsV/7-phones-36x36.png" width="28" height="28" /> Mobile Phones](#mobile-devices)<br>
[<img src="https://i.ibb.co/ZftcgJq/8-computers-36x36.png" width="28" height="28" /> Personal Computers](#personal-computers)<br>
[<img src="https://i.ibb.co/b2S9372/9-smart-home-36x36.png" width="28" height="28" /> Smart Home](#smart-home)<br>
[<img src="https://i.ibb.co/KVPV1Lk/10-human-36x36.png" width="28" height="28" /> Human Aspect](#sensible-computing)<br>
**Too long? 🦒** See the [TLDR version](/2_TLDR_Short_List.md) instead.
#### See Also
### See Also
- [Why Privacy & Security Matters](/0_Why_It_Matters.md)
- [Privacy-Respecting Software](/5_Privacy_Respecting_Software.md)
- [Privacy & Security Gadgets](/6_Privacy_and-Security_Gadgets.md)
- [Further Links + More Awesome Stuff](/4_Privacy_And_Security_Links.md)
## Contents
----
[![-](https://i.ibb.co/0ZV22MT/1-passwords.png) Passwords](#passwords)<br>
[![-](https://i.ibb.co/thf142G/2-2fa.png) 2 Factor Authentication](#2-factor-authentication)<br>
[![-](https://i.ibb.co/N7D7g6D/3-web.png) Browsing the Web](#browser-and-search)<br>
[![-](https://i.ibb.co/7yQq5Sx/5-email.png) Email](#emails)<br>
[![-](https://i.ibb.co/HT2DTcC/6-social.png) Social Media](#social-media)<br>
[![-](https://i.ibb.co/NjHcZJc/4-vpn.png) Networking](#networking)<br>
[![-](https://i.ibb.co/J255QkL/7-devices.png) Mobile Phones](#mobile-devices)<br>
[![-](https://i.ibb.co/SvMPntJ/10-os.png) Personal Computers](#personal-computers)<br>
[![-](https://i.ibb.co/3N3mszQ/9-router.png) Smart Home](#smart-home)<br>
## Authentication
## Passwords
Most reported data breaches are caused by the use of weak, default or stolen passwords (according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)).
Most reported data breaches are caused by the use of weak, default or stolen passwords (according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)). Massive amounts of private data have been, and will continue to be stolen because of this.
Use strong passwords, which can't be easily guessed or cracked. Length is more important than complexity (at least 12+ characters), although it's a good idea to get a variety of symbols. Ideally you should use a different and secure password to access each service you use. To securely manage all of these, a password manager is usually the best option. [This guide](https://heimdalsecurity.com/blog/password-security-guide/) gives a lot more detail about choosing and managing passwords.
Use long, strong and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches and take care while logging into your accounts.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Use a strong password** | Recommended | Try to get a good mixture of upper and lower-case letters, numbers and symbols. Avoid names, places and dictionary words where possible, and aim to get a decent length (a minimum of 12+ characters is ideal). Have a look at [HowSecureIsMyPassword.net](https://howsecureismypassword.net) and [How Long will it take to Crack my Password](https://www.betterbuys.com/estimating-password-cracking-times/) to get an idea of what a strong password is. See [this guide](https://securityinabox.org/en/guide/passwords/) for more information.
**Dont save your password in browsers** | Recommended | Most modern browsers offer to save your credentials when you log into a site. Dont allow this! As they are not always encrypted, hence can allow someone to gain easy access into your accounts. Also do not store passwords in a .txt file or any other unencrypted means. Ideally use a reputable password manager.
**Use different passwords for each account you have** | Recommended | If your credentials for one site get compromised, it can give hackers access to your other online accounts. So it is highly recommended not to reuse the same passwords. Again, the simplest way to manage having many different passwords, is to use a [password manager](https://en.wikipedia.org/wiki/Password_manager). Good options include [BitWarden](https://bitwarden.com), [1Password](https://1password.com), or for an offline app without sync [KeePass](https://keepass.info) / [KeePassXC](https://keepassxc.org).
**Be cautious when logging in on someone elses device** | Recommended | When using someone else's machine, ensure that you're in a private session (like Incognito mode, Ctrl+Shift+N) so that nothing gets saved. Ideally you should avoid logging into your accounts on other people's computer, since you can't be sure their system is clean. Be especially cautious of public machines, or when accessing any of your secure accounts (email, banking etc.).
**Avoid password hints** | Optional | Some sites allow you to set password hints. Using this feature makes it easier for hackers.
**Never answer online security questions truthfully** | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information. Instead, create a password inside your password manager to store your fictitious answer.
**Dont use a 4-digit PIN to access your phone** | Optional | Dont use a short PIN to access your smartphone or computer. Instead, use a text password. Pins or numeric passphrases are much easier crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code).
**Use an offline password manager** | Advanced | Consider an offline password manager, encrypted by a strong password. If you work across two or more computers, this could be stored on an encrypted USB. [KeePass](http://keepass.info/) is a strong choice.
**If possible, try to avoid biometric and hardware-based authentication** | Advanced | Fingerprint sensors, face detection and voice recognition are all hackable. Where possible replace these with traditional strong passwords.
**See also** [Recommended Password Managers](/5_Privacy_Respecting_Software.md#password-managers)
**Use a Strong Password** | Recommended | If your password is too short, or contains dictionary words, places or names- then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with [HowSecureIsMyPassword.net](https://howsecureismypassword.net), to gen an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: [securityinabox.org](https://securityinabox.org/en/guide/passwords)
**Don't reuse Passwords** | Recommended | If someone was to reuse a password, and one site they had an account with suffered a leak (data breaches occur aprox. every [39 seconds](https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds)), then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against- use a different password for each of your online accounts
**Use a Secure Password Manager** | Recommended | For most people it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is [BitWarden](https://bitwarden.com), or see [Recommended Password Managers](/5_Privacy_Respecting_Software.md#password-managers)
**Enable 2-Factor Authentication** | Recommended | 2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will no be able to log into your account. It's easy to get started, download [an authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30-seconds)
**Sign up for Breach Alerts** | Optional | After a websites suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have i been pwned](https://haveibeenpwned.com) and [Breach Alarm](https://breachalarm.com) allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have i been pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for [anonymous forwarding](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding))
**Keep Backup Codes Safe** | Optional | When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe, to prevent loss or unauthorised access. You could store them in your password manager, in an encrypted note, or write them down somewhere safe
**Shield your Password/ PIN** | Optional | When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not reveal any plain text passwords on screen
**Update Passwords Periodically** | Optional | Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing that all your passwords are long, strong and unique, there is no need to do this too often- annually should be sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), as it encourages colleagues to select weaker passwords
**Dont save your password in browsers** | Optional | Most modern browsers offer to save your credentials when you log into a site. Dont allow this, as they are not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords
**Be cautious when logging in on someone elses device** | Optional | When using someone else's machine, ensure that you're in a private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will ensure that none of your credentials, cookies, browsing history of session data gets saved. Ideally you should avoid logging into your accounts on other people's computer, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking is more common here
**Avoid password hints** | Optional | Some sites allow you to set password hints. Using this feature can make it easier for social engineers to guess your credentials
**Never answer online security questions truthfully** | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager
**Dont use a 4-digit PIN** | Optional | Dont use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin. Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code)
**Avoid using SMS for 2FA** | Optional | When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking) and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow
**Avoid using your PM to Generate OTPs** | Advanced | Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) on your phone or laptop
**Avoid Face Unlock** | Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password- there are likely photos of your face on the internet, and videos recorded by surveillance cameras
**Watch out for Keyloggers** | Advanced | A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager can not be intercepted by a hardware keylogger, so if you are on a public computer, consider typing passwords with the on-screen keyboard
**Consider a Hardware Token** | Advanced | A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and [NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
**Consider Offline Password Manager** | Advanced | For increased security, an encrypted offline password manager will give you full control over your data. [KeePass](https://keepass.info) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org) (desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731) (iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up, and store it securely
**Consider Unique Usernames** | Advanced | Having different passwords for each account is a good first step, but if you also use a unique username, email or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see [Mail Alias Providers](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding)). Usernames are easier, since you can use your password manager to generate, store and autofill these. Virtual phone numbers can be generated through your VOIP provider
## 2-Factor Authentication
**Recommended Software**: [Password Managers](/5_Privacy_Respecting_Software.md#password-managers) | [2FA Authenticators](/5_Privacy_Respecting_Software.md#2-factor-authentication)
This is a more secure method of logging in, where you supply not just your password, but also an additional code usually from a device that only you have access to.
Check which websites support multi-factor authentication: [twofactorauth.org](https://twofactorauth.org)
## Web Browsing
**2FA Apps**: [Authy](https://authy.com/) *(with encrypted sync- not open source)*, [Authenticator Plus](https://www.authenticatorplus.com), [Microsoft Authenticator](https://www.microsoft.com/en-us/account/authenticator) and [LastPassAuthenticator](https://lastpass.com/auth/) (synced with your LastPass). For open source Android-only apps, see [Aegis](https://getaegis.app), [FreeOTP](https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp) and [AndOTP](https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp). [See more](/5_Privacy_Respecting_Software.md#2-factor-authentication)
Most websites on the internet will use some form of tracking, often to gain insight into their users behaviour and preferences. This data can be incredibly detailed, and so is extremely valuable to corporations, governments and intellectual property thieves. Data breaches and leaks are common, and deanonymizing users web activity is often a trivial task
There are two primary methods of tracking; stateful (cookie-based), and stateless (fingerprint-based). Cookies are small pieces of information, stored in your browser with a unique ID that is used to identify you. Browser fingerprinting is a highly accurate way to identify and track users wherever they go online. The information collected is quite comprehensive, and often includes browser details, OS, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations.
This section outlines the steps you can take, to be better protected from threats, minimise online tracking and improve privacy. A summarized shorter version of this list can be found [here](/2_TLDR_Short_List.md#browsing)
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Enable 2FA on Security Critical Sites** | Recommended | In account settings, enable 2-factor authentication. Ideally do this for all your accounts, but at a minimum for all security-critical logins, (including your password manager, emails, finance and social sites).
**Keep backup codes safe** | Recommended | When you enable 2FA, you'll be given a few one-time codes to download, in case you ever lose access to your authenticator app or key. It's important to keep these safe, either encrypt and store them on a USB, or print them on paper and store them somewhere secure like a locked safe. Delete them from your computer once you've made a backup, in case your PC is compromised.
**Don't use SMS to receive OTPs** | Optional | Although SMS 2FA is certainly better than nothing, there are many weaknesses in this system, (such as SIM-swapping) ([read more](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)). Therefore avoid enabling SMS OTPs, even as backups.
**Don't use your Password Manager to store 2FA tokens** | Optional | One of the quickest approaches is to use the same system that stores your passwords, to also generate and fill OTP tokens, both LastPass and 1Password have this functionality. However if a malicious actor is able to gain access to this, they will have both your passwords, and your 2FA tokens, for all your online accounts. Instead use a separate authenticator from your password manager.
**Consider a hardware 2FA Key** | Optional | A physical 2FA key generates an OTP when inserted. Have a look at [NitroKey](https://www.nitrokey.com/) (open source), [YubiKey](https://www.yubico.com/) or [Solo Key](https://amzn.to/2Fe5Icw). You can also use it as a secondary method (in case your phone is lost or damaged). If this is your backup 2FA method, it should be kept somewhere secure, such as a locked safe, or if you use as physical key as your primary 2FA method, then keep it on you at all times.
**Ensure Website is Legitimate** | Basic | It may sound obvious, but when you logging into any online accounts, double check the URL is correct. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: [Virus Total URL Scanner](https://www.virustotal.com/gui/home/url), [IsLegitSite](https://www.islegitsite.com), [Google Safe Browsing Status](https://transparencyreport.google.com/safe-browsing/search) if you are unsure
**Watch out for Browser Malware** | Basic | Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, don't proceed to a website if your browser warns you it may be malicious. Common sighs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain [signs of browser malware](https://heimdalsecurity.com/blog/warning-signs-operating-system-infected-malware), [how browsers get infected](https://heimdalsecurity.com/blog/practical-online-protection-where-malware-hides) and [how to remove browser malware](https://heimdalsecurity.com/blog/malware-removal)
**Use a Privacy-Respecting Browser** | Recommended | [Firefox](https://www.mozilla.org/en-US/firefox/new) and [Brave](https://brave.com) are secure, private-by-default browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Microsoft IE and Apple Safari as (without correct configuration) all three of them, collect usage data, call home and allow for invasive tracking. See more: [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers)
**Use a Private Search Engine** | Recommended | Using a privacy-preserving, non-tracking search engine, will ensure your search terms are not logged, or used against you. Consider [DuckDuckGo](https://duckduckgo.com), [Quant](https://www.qwant.com), or [SearX](https://searx.me) (self-hosted). Google implements some [incredibly invasive](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) tracking policies, and have a history of displaying [biased search results](https://www.businessinsider.com/evidence-that-google-search-results-are-biased-2014-10). Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your [browsers default search](https://duckduckgo.com/install) to a privacy-respecting search engine
**Remove Unnecessary Browser Addons** | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while
**Keep Browser Up-to-date** | Recommended | Browser vulnerabilities are constantly being [discovered](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=browser) and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update. Some browsers will auto-update to the latest stable version
**Check for HTTPS** | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. <br>[HTTPS-Everywhere](https://www.eff.org/https-everywhere) (developed by the EFF) is a lightweight, open source (on [GitHub](https://github.com/EFForg/https-everywhere)) browser addon, that by enables HTTPS encryption automatically on sites that are known to support it. Is included in Brave, Tor and mobile Onion-Browser, and is available for [Chromium](https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp), [Firefox](https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) and [Opera](https://addons.opera.com/en/extensions/details/https-everywhere/)
**Use DNS-over-HTTPS** | Recommended | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is [CloudFlare's 1.1.1.1](https://1.1.1.1/help), or [compare providers](https://www.privacytools.io/providers/dns)- it is simple to [enable](https://www.maketecheasier.com/enable-dns-over-https-various-browsers) in-browser. Note that DoH comes with it's [own issues](https://blog.mozilla.org/netpolicy/2020/02/25/the-facts-mozillas-dns-over-https-doh/), mostly preventing web filtering
**Multi-Session Containers** | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of [Firefox Containers](https://support.mozilla.org/en-US/kb/containers) which is designed exactly for this purpose. Alternatively, you could use [different browsers for different tasks](https://medium.com/fast-company/incognito-mode-wont-keep-your-browsing-private-do-this-instead-dd64bc812010) (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use [Profiles](https://www.chromium.org/developers/creating-and-using-profiles), or an extension such as [SessionBox](https://sessionbox.io), however this addon is not open source
**Use Incognito** | Recommended | When using someone else's machine, ensure that you're in a private/ incognito session (Use `Ctrl+Shift+N`/ `Cmd+Shift+N`). This will prevent browser history, cookies and some data being saved, but is not [fool-proof](https://www.howtogeek.com/117776/htg-explains-how-private-browsing-works-and-why-it-doesnt-offer-complete-privacy/)- you can still be tracked
**Understand Your Browser Fingerprint** | Recommended | Browser [Fingerprinting](https://pixelprivacy.com/resources/browser-fingerprinting) is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications and sometimes device hardware among other data points. You can view your fingerprint at [amiunique.org](https://amiunique.org/fp)- The aim is to be as un-unique as possible
**Manage Cookies** | Recommended | Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called [Session Hijacking](https://en.wikipedia.org/wiki/Session_hijacking)). <br>To mitigate this you should [clear cookies](https://kb.iu.edu/d/ahic) often. [Self Destructing Cookies](https://add0n.com/self-destructing-cookies.html) is a browser addon, which will kill cookies when you close the browser
**Block Third-Party Cookies** | Recommended | [Third-party cookies](https://en.wikipedia.org/wiki/HTTP_cookie#Privacy_and_third-party_cookies) placed on your device by a website other than the one youre visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. [This guide](https://www.digitalcitizen.life/how-disable-third-party-cookies-all-major-browsers) explains how you can disable 3rd-party cookies, and you can [check here](https://www.whatismybrowser.com/detect/are-third-party-cookies-enabled) ensure this worked
**Block Ads** | Recommended | Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. [uBlock Origin](https://github.com/gorhill/uBlock) is a very efficient and open source browser addon, developed by Raymond Hill. <br>When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience
**Block Third-Party Trackers** | Recommended | Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. [Privacy Badger](https://privacybadger.org), [DuckDuckGo Privacy Essentials](https://help.duckduckgo.com/duckduckgo-help-pages/desktop/adding-duckduckgo-to-your-browser/), [uBlock Origin](https://github.com/gorhill/uBlock) and [uMatrix](https://github.com/gorhill/uMatrix) (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, with something like [Pi-Hole](https://pi-hole.net) (on your home server) or [Diversion](https://diversion.ch) (Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as [TrackStop on PerfectPrivacy](https://www.perfect-privacy.com/en/features/trackstop?a_aid=securitychecklist))
**Beware of Redirects** | Optional | While some redirects are harmless, others, such as [Unvalidated redirects](https://www.credera.com/blog/technology-insights/java/top-10-web-security-risks-unvalidated-redirects-forwards-10/) are used in phishing attacks, it can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check where it forwards to with a tool like [RedirectDetective](https://redirectdetective.com). It is also recommended to disable redirects in your [browser settings](https://appuals.com/how-to-stop-automatic-redirects-on-google-firefox-and-edge/).
**Do Not Sign Into Your Browser** | Optional | Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However this not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to [chrome://flags](chrome://flags/#account-consistency) and disabling the `account-consistency` flag. If you still need to sync bookmarks + browser data between devices, there are open source [alternatives](/5_Privacy_Respecting_Software.md#bonus-3---self-hosted-services), such as [xBrowserSync](https://www.xbrowsersync.org)
**Disallow Prediction Services** | Optional | Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected
**Avoid G Translate for Webpages** | Optional | When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google [collects all data](https://www.linkedin.com/pulse/google-translate-privacy-confidentiality-concerns-alex-gheorghe/) (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser
**Disable Web Notifications** | Optional | Browser push notifications are a common method for criminals to encourage you to click their link, since it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, see [this article](https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused)
**Disable Automatic Downloads** | Optional | Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by [disabling auto file downloads](https://www.ghacks.net/2017/05/18/you-should-disable-automatic-downloads-in-chrome-right-now/), and be cautious of websites which prompt you to download files unexpectedly
**Disallow Access to Sensors** | Optional | Mobile websites can [tap into your device sensors](https://www.wired.com/story/mobile-websites-can-tap-into-your-phones-sensors-without-asking/) without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the [sensor-js](https://sensor-js.xyz) study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as FireFox Focus ([Android](https://play.google.com/store/apps/details?id=org.mozilla.focus) / [iOS](https://apps.apple.com/app/id1055677337)) or DuckDuckGo ([Android](https://play.google.com/store/apps/details?id=com.duckduckgo.mobile.android&hl=en_US) / [iOS](https://apps.apple.com/us/app/duckduckgo-privacy-browser/id663592361))
**Disallow Location** | Optional | Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings ([see how](https://support.ipvanish.com/hc/en-us/articles/360037874554-How-to-Disable-Location-Tracking-on-Browsers)). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc)
**Disallow Camera/ Microphone access** | Optional | Check browser settings to ensure that no websites are granted access to [webcam](https://www.howtogeek.com/210921/how-to-disable-your-webcam-and-why-you-should/) or microphone. It may also be beneficial to use [physical protection](/6_Privacy_and-Security_Gadgets.md) such as a webcam cover and microphone blocker
**Disable Browser Password Saves** | Optional | Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as [Offline NT Password and Registry Editor](https://www.lifewire.com/offline-nt-password-and-registry-editor-review-2626147). Instead use a password manager
**Disable Browser Autofill** | Optional | Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data
**Protect from Exfil Attack** | Optional | The CSS Exfiltrate attack is a where credentials and other sensitive details can be snagged with just pure CSS, meaning even blocking JavaScript cannot prevent it, read more [this article](https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense) by Mike Gualtieri. You can stay protected, with the CSS Exfil Protection plugin (for [Chrome](https://chrome.google.com/webstore/detail/css-exfil-protection/ibeemfhcbbikonfajhamlkdgedmekifo) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/css-exfil-protection/)) which sanitizes and blocks any CSS rules which may be designed to steal data. Check out the [CSS Exfil Vulnerability Tester](https://www.mike-gualtieri.com/css-exfil-vulnerability-tester) to see if you could be susceptible.
**Deactivate ActiveX** | Optional | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights, and can be dangerous, therefore you should disable it ([see how](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/))
**Deactivate Flash** | Optional | Adobe Flash is infamous for its history of security vulnerabilities (with over [1000 issues](https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html)!). See [how to disable Flash](https://www.tomsguide.com/us/disable-flash-how-to,news-21335.html) and [Flash alternatives](https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security). Adobe will end support for Flash Player in December 2020
**Disable WebRTC** | Optional | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/)
**Spoof HTML5 Canvas Sig** | Optional | [Canvas Fingerprinting](https://en.wikipedia.org/wiki/Canvas_fingerprinting) allows websites to identify and track users very accurately though exploiting the rendering capabilities of the [Canvas Element](https://en.wikipedia.org/wiki/Canvas_element). You can use the [Canvas-Fingerprint-Blocker](https://add0n.com/canvas-fingerprint-blocker.html) extension to spoof your fingerprint or use [Tor](https://www.torproject.org) - Check if you are susceptible [here](https://webbrowsertools.com/canvas-fingerprint/)
**Spoof User Agent** | Optional | The [user agent](https://en.wikipedia.org/wiki/User_agent) is a string of text, telling the website what device, browser and version you are using. It is used in part to generate your fingerprint, so switching user agent periodically is one small step you can take to become less unique. You can switch user agent manually in the Development tools, or use an extension like [Chameleon](https://sereneblue.github.io/chameleon) (Firefox) or [User-Agent Switcher](https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg) (Chrome)
**Disregard DNT** | Optional | [Do Not Track](https://www.eff.org/issues/do-not-track) is a HTTP header, supported by all major browsers, once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track
**Prevent HSTS Tracking** | Optional | HTTP Strict Transport Security (HSTS) was designed to help secure websites, by preventing HTTPS downgrading attacks. However [privacy concerns](https://arstechnica.com/information-technology/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway) have been raised, as it allowed site operators to plant super-cookies, and continue to track users in incognito. It can be disabled by visiting `chrome://net-internals/#hsts` in Chromium-based browsers, or following [this guide for Firefox](https://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/), and [this guide](https://appuals.com/how-to-clear-or-disable-hsts-for-chrome-firefox-and-internet-explorer/) for other browsers
**Prevent Automatic Browser Connections** | Optional | Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings, see instructions for: [Firefox](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections), [Chrome](https://www.ghacks.net/2018/01/20/how-to-block-the-chrome-software-reporter-tool-software_reporter_tool-exe/), [Brave](https://support.brave.com/hc/en-us/articles/360017905872-How-do-I-enable-or-disable-automatic-crash-reporting-)
**Enable 1st-Party Isolation** | Optional | First party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain, this can greatly reduce tracking. In Firefox (under `network.cookie.cookieBehavior`), it is now possible to block cross-site and social media trackers, and isolate remaining cookies. Alternatively, to enable/disable with 1-click, see the [First Party Isolation](https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/) add-on
**Strip Tracking Params from URLs** | Advanced | Websites often append additional GET paramaters to URLs that you click, to identify information like source/ referrer. You can [sanitize manually](https://12bytes.org/articles/tech/firefox/firefox-search-engine-cautions-and-recommendations#Sanitizing_manually), or use an extensions like [ClearUrls](https://github.com/KevinRoebert/ClearUrls) (for [Chrome](https://chrome.google.com/webstore/detail/clearurls/lckanjgmijmafbedllaakclkaicjfmnk) / [Firefox](https://addons.mozilla.org/en-US/firefox/addon/clearurls/)) or [SearchLinkFix](https://github.com/palant/searchlinkfix) (for [Chrome](https://chrome.google.com/webstore/detail/google-search-link-fix/cekfddagaicikmgoheekchngpadahmlf) / [Firefox](https://addons.mozilla.org/el/firefox/addon/google-search-link-fix/)) to strip tracking data from URLs automatically in the background
**First Launch Security** | Advanced | After installing a web browser, the first time you launch it (prior to configuring it's privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or other developer) and send over your device details (as outlined in [this journal article](https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf)). Therefore, after installing a browser, you should first disable your internet connection, then launch it and go into settings and configure privacy options, before reenabling your internet connectivity. This does not apply to all browsers, in [this article](https://brave.com/brave-tops-browser-first-run-network-traffic-results) Brave claims to be the on of the only browser to call out to a single, controlled TLD exclusively
**Use The Tor Browser** | Advanced | [The Tor Project](https://www.torproject.org) provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs (see [potential drawbacks](https://github.com/Lissy93/personal-security-checklist/issues/19)) but generally Tor is one of the more secure browser options for anonymity on the web
**Disable JavaScript** | Advanced | Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will really reduce your attack surface, mitigate a lot of client-side tracking and [JavaScript malware](https://heimdalsecurity.com/blog/javascript-malware-explained/)
**See also** [Recommended 2FA Apps](/5_Privacy_Respecting_Software.md#2-factor-authentication)
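Review bot: the WebRTC-Leak-Prevent link in the "Disable WebRTC" row is broken: `[WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent)` is missing the leading `h` of `https://` (the same typo exists in the old "Disable WebRTC" row it replaces, so it was carried over rather than fixed). Change it to `https://github.com/aghorler/WebRTC-Leak-Prevent`. The "See also" line that closes this browser table points at the 2FA anchor (`/5_Privacy_Respecting_Software.md#2-factor-authentication`), which looks copied from another section; the browser section should presumably point at the browsers / browser-extensions anchors instead. Smaller wording defects in the same block of rows: "that by enables HTTPS encryption" and "Is included in Brave" (HTTPS-Everywhere row), "comes with it's own issues" (DoH row, it's -> its), the unclosed parenthesis after "Asus routers running Merlin firmware" (trackers row), "API that built into Microsoft IE" (ActiveX row) and "the on of the only browser" (First Launch Security row).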
## Browser and Search
Most modern web browsers support add-ons and extensions. These can access anything that you do online so avoid installing anything that may not be legitimate and check permissions first. Be aware that every website that you interact with, including search engines, will likely be keeping records of all your activity. Last year Kaspersky reported [over a million data exploits caused by malicious sites](https://securelist.com/it-threat-evolution-q1-2017-statistics/78475/).
For more browser security pointers, check out: [Heres How To Get Solid Browser Security](https://heimdalsecurity.com/blog/ultimate-guide-secure-online-browsing/).
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Deactivate ActiveX** | Recommended | [ActiveX](https://en.wikipedia.org/wiki/ActiveX) is a browser extension API that is only supported by Microsoft Internet Explorer. It's enabled by default but is barely used for legitimate plugins these days. However, it gives plugins so much control that ActiveX malware is still around and as dangerous as ever. See [this article](https://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/) for more details. Better yet, use a modern browser instead of Internet Explorer. Note that Microsoft Edge doesn't support ActiveX.
**Disable Flash** | Recommended | Adobe Flash is infamous for its history of security vulnerabilities (a few of which you can [read about here](https://www.comparitech.com/blog/information-security/flash-vulnerabilities-security/)). See [this guide](https://www.howtogeek.com/222275/how-to-uninstall-and-disable-flash-in-every-web-browser/), on how to disable Flash player, or [this guide for more details on how dangerous it can be](https://www.tomsguide.com/us/disable-flash-how-to,news-21335.html). Adobe will end support for Flash Player in December 2020.
**Block Trackers** | Recommended | Consider installing a browser extension, such as [Privacy Badger](https://www.eff.org/privacybadger), to stop advertisers from tracking you in the background.
**Block scripts from bad origin** | Recommended | Use an extension such as [uBlock Origin](https://github.com/gorhill/uBlock), to block anything being loaded from an external or unverified origin.
**Force HTTPS only traffic** | Recommended | Using an extension such as [HTTPS Everywhere](https://www.eff.org/https-everywhere), will force all sites to load securely.
**Only use trusted browser add-ons and extensions** | Recommended | Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while. Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions.
**Always keep your browser up-to-date** | Recommended | Browser vulnerabilities are constantly being discovered and patched, so its important to keep it up to date, to avoid a zero-day exploit. You can [see which browser version your using here](https://www.whatismybrowser.com/), or follow [this guide](https://www.whatismybrowser.com/guides/how-to-update-your-browser/) for instructions on how to update.
**Use a private search engine** | Optional | Google tracks, logs and stores everything you do, but also displays biased results. Take a look at [DuckDuckGo](https://duckduckgo.com) or [StartPage](https://www.startpage.com). Neither store cookies nor cache anything. [Read more](https://hackernoon.com/data-privacy-concerns-with-google-b946f2b7afea) about Google Search Privacy.
**Consider a privacy browser** | Optional | Google openly collects usage data on Chrome usage, as does Apple and Microsoft. Switching to a privacy-focused browser will minimize background data collection, cross-origin cookies and third-party scrips. A popular option is [Brave Browser](https://brave.com/?ref=ali721), or [Firefox](https://www.mozilla.org/en-GB/firefox/new/) with a [few tweeks](https://restoreprivacy.com/firefox-privacy). Others include [Bromite](https://www.bromite.org/), [Epic Browser](https://www.epicbrowser.com/index.html) or [Comodo](https://www.comodo.com/home/browsers-toolbars/browser.php), [see more](/5_Privacy_Respecting_Software.md#browsers). The most secure option is [Tor Browser](https://www.torproject.org/).
**Use DNS-over-HTTPS** | Optional | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. You can follow [this guide to enable in Firefox](https://support.mozilla.org/en-US/kb/firefox-dns-over-https), for see [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help).
**Disable WebRTC** | Optional | [WebRTC](https://webrtc.org/) allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling `media.peerconnection.enabled` in about:config. For other browsers, the [WebRTC-Leak-Prevent](ttps://github.com/aghorler/WebRTC-Leak-Prevent) extension can be installed. [uBlockOrigin](https://github.com/gorhill/uBlock) also allows WebRTC to be disabled. To learn more, [check out this guide](https://buffered.com/privacy-security/how-to-disable-webrtc-in-various-browsers/).
**Don't Connect to Open WiFi networks** | Optional | Browsing the internet while using public or open WiFi may leave you vulnerable to man-in-the-middle attacks, malware distribution and snooping. Some hotspots may also be unencrypted, or even malicious. If you do need to briefly use a public WiFi network, ensure you disable file sharing, only visit HTTPS websites and use a VPN. Also remove the network from your saved WiFi list after. See the [networking](#networking) section for more details.
**Use Tor** | Advanced | [The Tor Project](https://www.torproject.org/) provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs (see [potential drawbacks](https://github.com/Lissy93/personal-security-checklist/issues/19)) but generally Tor is one of the most secure browser options for anonymity on the web.
**Use different browsers, for different tasks** | Advanced | Compartmentalizing your activity can make it significantly harder for a malicious actor, company or government to get a clear picture of you through your browsing activity. This may include doing online shopping on 1 browser, using another browser, such as Tor for general browsing, and then a 3rd for, say social media.
**Disable JavaScript** | Advanced | Many modern web apps are JavaScript based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will really reduce your attack surface. Read more about the growing [risk of JavaScript malware](https://heimdalsecurity.com/blog/javascript-malware-explained/).
**Route all desktop traffic via Tor** | Advanced | [Whonix](https://www.whonix.org/) allows for fail-safe, automatic, and desktop-wide use of the Tor network. It's based on Debian, and runs in a virtual machine. Straight-forward to install on Windows, OSX or Linux.
**Recommended Software**
- [Privacy Browsers](/5_Privacy_Respecting_Software.md#browsers)
- [Non-Tracking Search Engines](/5_Privacy_Respecting_Software.md#search-engines)
- [Browser Extensions for Security](/5_Privacy_Respecting_Software.md#browser-extensions)
- [Secure Browser & Bookmark Sync](/5_Privacy_Respecting_Software.md#browser-sync)
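Review bot: several rows and the "Recommended Software" link list removed here have no counterpart among the new browser rows shown above; confirm they are carried over elsewhere in the new table or are being dropped deliberately. In particular "Use a private search engine", "Consider a privacy browser", "Don't Connect to Open WiFi networks" (which the old text cross-references to the networking section) and "Route all desktop traffic via Tor" (Whonix) do not appear in the visible new rows, and the four `/5_Privacy_Respecting_Software.md#...` links (browsers, search-engines, browser-extensions, browser-sync) are only partially replaced by the single self-hosted-services link in the new "Do Not Sign Into Your Browser" row. If the private search engine guidance has moved to a separate section, a "See also" pointing there would preserve the old cross-reference.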
## Emails
Nearly 50 years since the first email was sent, theyre still very much a big part of our day-to-day life, and will probably continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.
Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, its surprising how fundamentally insecure this infrastructure is. Email-related fraud [is on the up](https://www.csoonline.com/article/3247670/email/email-security-in-2018.html), and without taking basic measures you could be at risk.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised, therefore email security is paramount for your digital safety.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety.
The big companies providing "free" email service, don't have a good reputation for respecting users privacy: Gmail was caught giving [third parties full access](https://www.wsj.com/articles/techs-dirty-secret-the-app-developers-sifting-through-your-gmail-1530544442) to user emails and also [tracking all of your purchases](https://www.cnbc.com/2019/05/17/google-gmail-tracks-purchase-history-how-to-delete-it.html). Yahoo was also caught scanning emails in real-time [for US surveillance agencies](http://news.trust.org/item/20161004170601-99f8c) Advertisers [were granted access](https://thenextweb.com/insider/2018/08/29/both-yahoo-and-aol-are-scanning-customer-emails-to-attract-advertisers) to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
It's strongly advised not to use non end-to-end encrypted email, if you can't you should at least follow these guides for simple steps to improve security: [Yahoo](https://heimdalsecurity.com/blog/complete-guide-e-mail-security/#yahoo), [Gmail](https://heimdalsecurity.com/blog/complete-guide-e-mail-security/#gmail), [Outlook](https://heimdalsecurity.com/blog/complete-guide-e-mail-security/#outlook) and [AOL](https://heimdalsecurity.com/blog/complete-guide-e-mail-security/#aol). The easiest way to stay protected is to use a secure mail provider, such as [ProtonMail](https://protonmail.com/) or [Tutanota](https://tutanota.com/).
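Review bot: the rewritten intro sentence is internally inconsistent: it now opens with "it's still very much a big part of our day-to-day life" (email, singular) but keeps "how much trust we put in them" and "its surprising" (missing apostrophe) unchanged from the old line. Suggest "So considering how much trust we put in it, it's surprising how fundamentally insecure this infrastructure is." Two pre-existing issues in the following paragraphs are worth fixing in the same pass: the sentence "Yahoo was also caught scanning emails in real-time [for US surveillance agencies](...) Advertisers [were granted access]..." is missing a full stop before "Advertisers", and "not to use non end-to-end encrypted email, if you can't you should at least follow these guides" reads as a run-on; "If you cannot, you should at least follow these guides ..." would be clearer.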
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Have more than one email address** | Recommended | Keeping your important and safety-critical messages separate from trivial subscriptions such as newsletters is a very good idea. Be sure to use different passwords. This will also make recovering a compromised account after an email breach easier.
**Keep security in mind when logging into emails** | Recommended | Your email account is one of the most important to protect with a secure password. Only sync your emails with your phone, if it is secured (encrypted with password). Dont allow your browser to save your email password. Prevent man-in-the-middle attacks by only logging in on a secured browser.
**Always be wary of phishing and scams** | Recommended | If you get an email from someone you dont recognize, dont reply, dont click on any links, and absolutely dont download an attachment. Keep an eye out for senders pretending to be someone else, such as your bank, email provider or utility company. Check the domain, read it, ensure its addressed directly to you, and still dont give them any personal details. Check out [this guide, on how to spot phishing emails](https://heimdalsecurity.com/blog/abcs-detecting-preventing-phishing/).
**Disable automatic loading of remote content in emails** | Recommended | Sometimes advertisers send emails which make reference to remote images, fonts, etc. If these remote resources are loaded automatically, they indicate to the sender that this specific email was received by you.
**Dont share sensitive information over email** | Optional | Emails are very very easily intercepted. Also you cant know how secure your recipient's environment is. Dont share anything personal, such as bank details, passwords, and confidential information over email. Ideally, dont use email as a primary method of communication.
**Dont connect third-party apps to your email account** | Optional | If you give a third-party app (like Unroll.me) full access to your inbox, this makes you vulnerable to cyber attacks. The app can be compromised and, as a consequence, cyber criminals would gain unhindered access to all your emails and their contents.
**Consider switching to a more secure email provider** | Optional | Email providers such as [ProtonMail](https://protonmail.com), [CounterMail](https://countermail.com), [HushMail](https://www.hushmail.com/tapfiliate/?tap_a=44784-d2adc0&tap_s=724845-260ce4&program=hushmail-for-small-business) (for business users) or [MailFence](https://mailfence.com?src=digitald) allow for end-to-end encryption, full privacy as well as more security-focused features. See [this guide](https://github.com/OpenTechFund/secure-email) for details of the inner workings of these services.
**Use Aliasing / Anonymous Forwarding** | Advanced | Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. Effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. <br>[Anonaddy](https://anonaddy.com) is an open source anonymous email forwarding service allowing you to create unlimited email aliases, with a free plan. As is [33Mail](http://33mail.com/Dg0gkEA), and this feature is also included with [ProtonMail](https://protonmail.com/pricing)'s Visionary package.
**Have more than one email address** | Recommended | Consider using a different email address for security-critical communications from trivial mail such as newsletters. This compartmentalization could reduce amount of damage caused by a data breach, and also make it easier to recover a compromised account
**Keep Email Address Private** | Recommended | Do not share your primary email publicly, as mail addresses are often the starting point for most phishing attacks
**Keep your Account Secure** | Recommended | Use a long and unique password, enable 2FA and be careful while logging in. Your email account provides an easy entry point to all your other online accounts for an attacker
**Disable Automatic Loading of Remote Content** | Recommended | Email messages can contain remote content such as images or stylesheets, often automatically loaded from the server. You should disable this, as it exposes your IP address and device information, and is often used for tracking. For more info, see [this article](https://www.theverge.com/2019/7/3/20680903/email-pixel-trackers-how-to-stop-images-automatic-download)
**Dont connect third-party apps to your email account** | Optional | If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc) full access to your inbox, they effectively have full unhindered access to all your emails and their contents, which poses [significant security and privacy risks](https://zeltser.com/risks-of-email-search-services/)
**Don't Share Sensitive Data via Email** | Optional | Emails are very easily intercepted. Further to this you cant be sure of how secure your recipient's environment is. Therefore emails cannot be considered safe for exchanging confidential or personal information, unless it is encrypted/ or both parties are using a secure mail provider
**Consider Switching to a Secure Mail Provider** | Optional | Secure and reputable email providers such as [ProtonMail](https://protonmail.com) and [Tutanota](https://tutanota.com) allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, your mailbox cannot be read by anyone but you, since all messages are encrypted. Providers such as Google, Microsoft and Yahoo scan messages for advertising, analytics and law enforcement purposes, but this poses a serious security threat
**Use Aliasing / Anonymous Forwarding** | Advanced | Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. Effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. More importantly, you do not need to reveal your real email address to any company. <br>[Anonaddy](https://anonaddy.com) and [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) are open source anonymous email forwarding service allowing you to create unlimited email aliases, with a free plan
**Subaddressing** | Optional | An alternative to aliasing is [subaddressing](https://en.wikipedia.org/wiki/Email_address#Subaddressing), where anything after the `+` symbol is omitted during mail delivery, for example you the address yourname+tag@example.com denotes the same delivery address as yourname@example.com. This was defined in [RCF-5233](https://tools.ietf.org/html/rfc5233), and supported by most major mail providers (inc Gmail, YahooMail, Outlook, FastMail and ProtonMail). It enables you to keep track of who shared/ leaked your email address, but unlike aliasing it will not protect against your real address being revealed
**Use a Custom Domain** | Advanced | Using a custom domain, means that even you are not dependent on the address assigned my your mail provider. So you can easily switch providers in the future and do not need to worry about a service being discontinued
**Sync with a client for backup** | Advanced | Further to the above, to avoid loosing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock). Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your primary device
**Be Careful with Mail Signatures** | Advanced | You do not know how secure of an email environment the recipient of your message may have. There are several extensions (such as [ZoomInfo](https://www.zoominfo.com)) that automatically crawl messages, and create a detailed database of contact information based upon email signitures, and sometimes message content. If you send an email to someone who has something like this enabled, then you are unknowingly entering your details into this database
**Be Careful with Auto-Replies** | Advanced | Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information- which can be used in social engineering and targeted attacks
**Choose the Right Mail Protocol** | Advanced | Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security.
**Self-Hosting** | Advanced | Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge - [read more](https://www.reddit.com/r/selfhosted/comments/6h88qf/on_selfhosted_mail_servers/). That being said, if you run your own mail server, you will have full control over your emails. [Mail-in-a-box](https://github.com/mail-in-a-box/mailinabox) and [docker-mailserver](https://github.com/tomav/docker-mailserver) are ready-to-deploy correctly-configured mail servers that provide a good starting point
**Always use TLS Ports** | Advanced | There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely supported so should always be used instead of plaintext email ports. By default, the ports are: POP3= 995, IMAP=993 and SMTP= 465
**DNS Availability** | Advanced | For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails
**Prevent DDoS and Brute Force Attacks** | Advanced | For self-hosted mail servers (specifically STMP), limit your total number of simultaneous connections, and maximum connection rate to reduce the impact of attempted bot attacks
**Maintain IP Blacklist** | Advanced | For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. You may also want to activate a [reverse DNS lookup](https://en.wikipedia.org/wiki/Reverse_DNS_lookup) system
**See also** [Recommended Encrypted Email Providers](/5_Privacy_Respecting_Software.md#encrypted-email)
**Recommended Software:**
- [Encrypted Email Providers](/5_Privacy_Respecting_Software.md#encrypted-email)
- [Anonymous Mail Forwarding](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding)
- [Pre-Configured Mail Servers](/5_Privacy_Respecting_Software.md#pre-configured-mail-servers)
## Social Media
Online communities have existed since the invention of the internet, and give people around the world the opportunity to connect, communicate and share. Although these networks are a great way to promote social interaction and bring people together, that have a dark side - there are some serious [Privacy Concerns with Social Networking Services](https://en.wikipedia.org/wiki/Privacy_concerns_with_social_networking_services), and these social networking sites are owned by private corporations, and that they make their money by collecting data about individuals and selling that data on, often to third party advertisers.
Secure your account, lock down your privacy settings, but know that even after doing so, all data intentionally and non-intentionally uploaded is effectively public. If possible, avoid using conventional social media networks.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Check your privacy settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that your profile can only be viewed by people who are in your friends list, and you know personally.
**Only put info on social media that you wouldnt mind being public** | Recommended | Even with tightened security settings, dont put anything online that you wouldnt want to be seen by anyone other than your friends. Dont rely solely on social networks security.
**Dont give social networking apps permissions they dont need** | Recommended | By default many of the popular social networking apps will ask for permission to access your contacts, your call log, your location, your messaging history etc.. If they dont need this access, dont grant it.
**Revoke access for apps your no longer using** | Recommended | Instructions: [Facebook](https://www.facebook.com/settings?tab=applications), [Twitter](https://twitter.com/settings/applications), [LinkedIn](https://www.linkedin.com/psettings/third-party-applications), [Instagram](https://www.instagram.com/accounts/manage_access/).
**Use a secure email provider** | Optional | Most email providers completely invade your privacy intercepting both messages sent and received. [ProtonMail](https://protonmail.com) is a secure email provider, that is open source and offers end-to-end encryption. There are alternative secure mail providers (such as [CounterMail](https://countermail.com), [HushMail](https://www.hushmail.com) and [MailFence](https://mailfence.com))- but [ProtonMail](https://protonmail.com) has both a clear interface and strong security record.
**Remove metadata before uploading media** | Optional | Most smartphones and some cameras automatically attach a comprehensive set of additional data to each photograph. This usually includes things like time, date, location, camera model, user etc. Remove this data before uploading. See [this guide](https://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/) for more info.
**Dont have any social media accounts** | Advanced | It may seem a bit extreme, but if you're serious about data privacy and security, stay away from entering information on any social media platform.
**Secure you Account** | Recommended | Profiles media profiles get stolen or taken over all too often. To protect your account: use a unique and strong password, and enable 2-factor authentication. See the [Authentication](#authentication) section for more tips
**Check Privacy Settings** | Recommended | Most social networks allow you to control your privacy settings. Ensure that you are comfortable with what data you are currently exposing and to whom. But remember, privacy settings are only meant to protect you from other members of the social network- they do not shield you or your data from the owners of the network. See how to set privacy settings, with [this guide](https://securityinabox.org/en/guide/social-networking/web)
**Think of All Interactions as Public** | Recommended | There are still numerous methods of viewing a users 'private' content across many social networks. Therefore, before uploading, posting or commenting on anything, think "Would I mind if this was totally public?"
**Don't Reveal too Much** | Recommended | Profile information creates a goldmine of info for hackers, the kind of data that helps them personalize phishing scams. Avoid sharing too much detail (DoB, Hometown, School etc)
**Be Careful what you say** | Recommended | Status updates, comments and photos can unintentionally reveal a lot more than you intended them to (such as location, preferences, contacts etc)
**Don't Share Email or Phone Number** | Recommended | Posting your real email address or mobile number, gives hackers, trolls and spammers more munition to use against you
**Don't Grant Unnecessary Permissions** | Recommended | By default many of the popular social networking apps will ask for permission to access your contacts, call log, location, messaging history etc.. If they dont need this access, dont grant it. For Android users, check out [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission) - an app that gives you the ability to grant permissions temporarily
**Be Careful of 3rd-Party Integrations** | Recommended | Avoid signing up for accounts using a Social Network login, revoke access to social apps you no longer use, see instructions for: [Facebook](https://www.facebook.com/settings?tab=applications), [Twitter](https://twitter.com/settings/applications), [Insta](https://www.instagram.com/accounts/manage_access/) and [LinkedIn](https://www.linkedin.com/psettings/permitted-services)
**Remove metadata before uploading media** | Optional | Most smartphones and some cameras automatically attach a comprehensive set of additional data (called [EXIF data](https://en.wikipedia.org/wiki/Exif)) to each photograph. This usually includes things like time, date, location, camera model, user etc. It can reveal a lot more data than you intended to share. Remove this data before uploading. You can remove meta data [without any special software](https://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/), use [a CLI tool](https://www.funkyspacemonkey.com/how-to-remove-exif-metadata), or a desktop tool like [EXIF Tage Remover](https://rlvision.com/exif/)
**Consider False Information** | Recommended | If you just want to read, and do not intend on posting too much- consider using an alias name, and false contact details. Remember that there are still methods of tracing your account back to you, but this could mitigate a lot of threats. Consider using separate accounts/identities, or maybe different pseudonyms, for different campaigns and activities. Don't link accounts in any way- don't comment on / liking inter-account posts, avoid logging in from the same IP and use different passwords (so the accounts cannot be linked in the case of a data breach)
**Dont have any social media accounts** | Advanced | Social media is fundamentally un-private, so for maximum online security and privacy, avoid using any mainstream social networks
**Recommended Software**
- [Alternative Social Media](/5_Privacy_Respecting_Software.md#social-networks)
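Review bot: the `Choose the Right Mail Protocol` row conflates protocol version with transport security; what protects a mail session is TLS, which the `Always use TLS Ports` row already covers, so fold the two rows together and drop the "below IMAPv4 or POPv3" wording. In that TLS row, "SSL options" should read TLS (SSL is deprecated), and port 587 with STARTTLS is the other standard submission port worth listing beside 465, e.g. "IMAP=993, POP3=995, SMTP submission=465 (implicit TLS) or 587 (STARTTLS)". The `Consider Switching to a Secure Mail Provider` row states that Google, Microsoft and Yahoo scan messages for advertising and law enforcement purposes without citing a source; link one or soften the claim. The SimpleLogin link in the `Use Aliasing / Anonymous Forwarding` row carries a referral parameter (`?slref=...`); for a privacy checklist, strip it or disclose it. Copy fixes: "RCF-5233" should be "RFC 5233" and "for example you the address" should be "for example the address" (Subaddressing); "assigned my your mail provider" should be "by your" (Use a Custom Domain); "loosing" should be "losing", and the first sentence of the Sync row has no main clause (Sync with a client for backup); "signitures" (Be Careful with Mail Signatures); "STMP" should be "SMTP" (Prevent DDoS and Brute Force Attacks); "a spam URI realtime block lists" should be "spam URI realtime block lists" (Maintain IP Blacklist); "Secure you Account" and "Profiles media profiles" should be "Secure your Account" and "Social media profiles"; "EXIF Tage Remover" should be "EXIF Tag Remover"; "don't comment on / liking" should be "don't comment on or like" (Consider False Information).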
@ -140,64 +185,75 @@ It's strongly advised not to use non end-to-end encrypted email, if you can't yo
## Networking
This section covers how you connect your devices to the internet, including configuring your router and setting up a VPN.
A Virtual Private Network (VPN) protects your IP, and allows you to more securely connect to the internet. Use it when connecting to public WiFi or to restrict your ISP from seeing all sites you've visited. Note: VPNs are not a perfect solution and it is important to select a reputable provider, to entrust your data with. Tor provides greater anonymity.
This section covers how you connect your devices to the internet securely, including configuring your router and setting up a VPN.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Use a VPN** | Recommended | Use a reputable, paid-for VPN. Choose one which does not keep logs and preferably is not based under a [5-eyes](https://en.wikipedia.org/wiki/Five_Eyes) jurisdiction. See [That One Privacy Site](https://thatoneprivacysite.net/) for a detailed comparison. As of 2020, [NordVPN](https://nordvpn.com/) and [SurfShark](https://surfshark.com/) are both good all-rounders (for speed, simplicity and security), and [Mullvad](https://mullvad.net/), [OVPN](https://www.ovpn.com/en) and [DoubleHop](https://www.doublehop.me/) are excellent for security.
**Dont use a default router password** | Recommended | Change your router password- [here is a guide as to how](https://www.lifewire.com/how-to-change-your-wireless-routers-admin-password-2487652).
**Use WPA2** | Recommended | WPA and WEP make it very easy for a hacker to gain access to your router. Use a [WPA2](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access) password instead. Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words.
**Keep router firmware up-to-date** | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. You can usually update your router by navigating to [192.168.0.1](192.168.0.1) or [192.168.1.1](192.168.1.1) in your browser, entering the credentials on the sticker on the back of you of your router (not your WiFi password!), and following the on-screen instructions. Or follow a guide from your routers manufacturer: [Asus](https://www.asus.com/support/FAQ/1005484/), [D-Link](https://eu.dlink.com/uk/en/support/faq/routers/mydlink-routers/dir-810l/how-do-i-upgrade-the-firmware-on-my-router), [Linksys (older models)](https://www.linksys.com/us/support-article?articleNum=140365), [NetGear](https://kb.netgear.com/23442/How-do-I-update-my-NETGEAR-router-s-firmware-using-the-Check-button-in-the-router-web-interface) and [TP-Link](https://www.tp-link.com/us/support/faq/688/). Newer Linksys and Netgear routers update automatically, as does Google's router.
**Configure your router to use VPN** | Optional | If you set your VPN up on your router, then data from all devices on your home network is encrypted as it leaves the LAN. Again, it's important to select a secure VPN provider, as they will see what your ISP previously had been logging. Follow a guide from your router manufacturer or VPN provider, or see [this article](https://www.howtogeek.com/221889/connect-your-home-router-to-a-vpn-to-bypass-censorship-filtering-and-more/) to get started. Note that depending on your internet connection, and VPN provider, this could slow down your internet.
**Protect against DNS leaks** | Optional | When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider. For OpenVPN, you can add: `block-outside-dns` to your config file (which will have the extension `.ovn` or `.conf`). If you are unable to do this, then see [this article](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html) for further instructions. You can check for leaks, using a [DNS Leak Test](https://www.dnsleaktest.com/)
**Use a secure VPN Protocol** | Optional | [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) is widely used, and currently considered as a secure [tunneling protocol](https://en.wikipedia.org/wiki/Tunneling_protocol), it's also open source, lightweight and efficient. [L2TP](https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol) can be good, but only when configured correctly, whereas it's much harder to go wrong with OpenVPN. Don't use [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol), which is now legacy, and not considered secure, and avoid [SSTP](https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol) (proprietary, owned by Microsoft and due to lack of transparency, could be vulnerable to exploits). [IKEv2](https://en.wikipedia.org/wiki/Internet_Key_Exchange) and the new [WireGuard](https://www.wireguard.com/) protocol *(experimental)* are also good options.
**Avoid the free router from your ISP** | Optional | Typically theyre manufactured cheaply in bulk in China, and firmware updates which fix crucial security flaws arent released regularly. Consider an open source based router, such as [Turris MOX](https://www.turris.cz/en/mox/overview/)
**Ideally hide your SSID** | Optional | An SSID (or Service Set Identifier) is simply your network name. If it is not visible, it is much less likely to be targeted. You can usually hide it after logging into your router admin panel, [see here for more details](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655).
**Whitelist MAC Addresses** | Optional | As well as a strong password, and hidden SSID, you can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately connect to your network, even if they know your credentials. A malicious actor can bypass this, by cloning their address to appear the same as one of your trusted devices, but it will add an extra step for them.
**Secure DNS** | Advanced | Use [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. See [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help) for more details. Don't use Google DNS or other services which collect a lot of data.
**Use the Tor Network** | Advanced | VPNs have their weaknesses, since the provider knows your real details, whereas Tor is anonymous. For optimum security, route all your internet traffic through the Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) and [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow thsese instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/). Finally, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805)
**Change your Router's Default IP** | Advanced | Modifying your router admin panels default IP address will makes it more difficult for malicious scripts in your web browser targeting local IP addresses, as well as adding an extra step for local network hackers
**Kill unused processes and services on your router** | Advanced | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, [any service thats not used should be disabled](https://www.securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php) to reduce attack surface.
**Use a VPN** | Recommended | Use a reputable, paid-for VPN. This can help protect sites you visit logging your real IP, reduce the amount of data your ISP can collect and increase protection on public WiFi. However VPNs alone do not make you anonymous or stop tracking, it's important to understand their [limitations](/5_Privacy_Respecting_Software.md#word-of-warning-2). <br>[ProtonVPN](https://protonvpn.com) and [Mullvad](https://mullvad.net) may be good options for many, but for an unbiased comparison, see: [That One Privacy Site](https://thatoneprivacysite.net). Select a service with a good reputation, that does not keep logs, and is not in the [5-eyes](https://en.wikipedia.org/wiki/Five_Eyes) jurisdiction
**Change your Router Password** | Recommended | After getting a new router, change the password. Default router passwords are publicly available (see [default-password.info](https://default-password.info)), meaning anyone within proximity would be able to connect. See [here](https://www.lifewire.com/how-to-change-your-wireless-routers-admin-password-2487652), for a guide on changing router password
**Use WPA2, and a strong password** | Recommended | There are different authentication protocols for connecting to WiFi. Currently the most secure is [WPA2](https://en.wikipedia.org/wiki/IEEE_802.11i-2004), since WEP and WPA are moderately [easy to crack](https://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wep-passwords-with-aircrack-ng-0147340/). Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. You can set this within your routers admin panel
**Keep router firmware up-to-date** | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. <br>You can usually do this by navigating to [192.168.0.1](192.168.0.1) or [192.168.1.1](192.168.1.1), entering the admin credentials (on the back of you of your router, not your WiFi password!), and follow the instructions, see: [Asus](https://www.asus.com/support/FAQ/1005484/), [D-Link](https://eu.dlink.com/uk/en/support/faq/routers/mydlink-routers/dir-810l/how-do-i-upgrade-the-firmware-on-my-router), [Linksys (older models)](https://www.linksys.com/us/support-article?articleNum=140365), [NetGear](https://kb.netgear.com/23442/How-do-I-update-my-NETGEAR-router-s-firmware-using-the-Check-button-in-the-router-web-interface) and [TP-Link](https://www.tp-link.com/us/support/faq/688/). Some newer routers update automatically
**Implement a Network-Wide VPN** | Optional | If you configure your VPN on your router, firewall or home server, then traffic from all devices will be encrypted and routed through it, without needing individual VPN apps. This reduces the chance: of IP leaks, VPN app crashes, and provides VPN access to devices which don't support VPN clients (TV's, Smart Hubs, IoT devices etc)
**Protect against DNS leaks** | Optional | When using a VPN, it is extremely important to exclusively use the DNS server of your VPN provider or secure service. For OpenVPN, you can add: `block-outside-dns` to your config file (which will have the extension `.ovn` or `.conf`). If you are unable to do this, then see [this article](https://www.dnsleaktest.com/how-to-fix-a-dns-leak.html) for further instructions. You can check for leaks, using a [DNS Leak Test](https://www.dnsleaktest.com/)
**Use a secure VPN Protocol** | Optional | [OpenVPN](https://en.wikipedia.org/wiki/OpenVPN) and [WireGuard](https://www.wireguard.com/) are open source, lightweight and secure [tunneling protocol](https://en.wikipedia.org/wiki/Tunneling_protocol)s. Avoid using [PPTP](https://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol) or [SSTP](https://en.wikipedia.org/wiki/Secure_Socket_Tunneling_Protocol). [L2TP](https://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol) can be good, but only when configured correctly
**Secure DNS** | Optional | Use [DNS-over-HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) which performs DNS resolution via the HTTPS protocol, encrypting data between you and your DNS resolver. Although DoH is [not perfect](https://www.netsparker.com/blog/web-security/pros-cons-dns-over-https/), it does remove the need for trust - see [CoudFlares 1.1.1.1 Docs](https://1.1.1.1/help) for more details
**Avoid the free router from your ISP** | Optional | Typically theyre manufactured cheaply in bulk in China, with insecure propriety firmware that doesn't recieve regular security updates. Consider an open source router (such as [Turris MOX](https://www.turris.cz/en/mox/overview/)) or a comercial router with [secure firmware](/5_Privacy_Respecting_Software.md#router-firmware)
**Whitelist MAC Addresses** | Optional | You can whitelist MAC addresses in your router settings, disallowing any unknown devices to immediately connect to your network, even if they know your credentials. Note that a malicious actor may be able to bypass this, by cloning their address to appear the same as one of your trusted devices, but it will add an extra step
**Hide your SSID** | Optional | Your routers Service Set Identifier is simply the network name. If it is not visible, it may receive less abuse. However understand that finding hidden networks is a [trivial task](https://www.acrylicwifi.com/en/blog/hidden-ssid-wifi-how-to-know-name-of-network-without-ssid/) (e.g. with [Kismet](https://www.kismetwireless.net/)). See, [how to hide SSID](https://www.lifewire.com/hide-your-wireless-network-from-your-internet-leeching-neighbors-2487655)
**Change your Router's Default IP** | Optional | Modifying your router admin panels default IP address will makes it more difficult for malicious scripts in your web browser targeting local IP addresses, as well as adding an extra step for local network hackers
**Kill unused processes and services on your router** | Optional | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, [any service thats not used should be disabled](https://www.securityevaluators.com/knowledge/case_studies/routers/soho_service_hacks.php) to reduce attack surface
**Disable UPnP** | Optional | Universal Plug and Play may allow you to save time with Port Forwarding, but it opens doors to many [security risks](https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/). It can be disabled from your routers admin panel
**Don't have Open Ports** | Optional | Close any open ports on your router that are not needed. Open ports provide an easy entrance for hackers. You can use a port scanner (such as [AngryIP](https://angryip.org)), or a [web service](https://www.yougetsignal.com/tools/open-ports/)
**Route all traffic through Tor** | Advanced | VPNs have their weaknesses- you are simply moving your trust from your ISP/ mobile carrier to a VPN provider- Tor is much more anonymous. For optimum security, route all your internet traffic through the Tor network. On Linux you can use [TorSocks](https://gitweb.torproject.org/torsocks.git) or [Privoxy](https://www.privoxy.org/), for Windows you can use [Whonix](https://www.whonix.org/), and on OSX [follow thsese instructions](https://maymay.net/blog/2013/02/20/howto-use-tor-for-all-network-traffic-by-default-on-mac-os-x/), for Kali see [TorGhost](https://github.com/SusmithKrishnan/torghost). Alternativley, you can use [OnionPi](https://learn.adafruit.com/onion-pi/overview) to use Tor for all your connected devices, by [configuring a Raspberry Pi to be a Tor Hotspot](https://lifehacker.com/how-to-anonymize-your-browsing-with-a-tor-powered-raspb-1793869805)
**Disable WiFi on all Devices** | Advanced | Connecting to even a secure WiFi network increases your attack surface. Disabling your home WiFi and connect each device via Ethernet, and turning off WiFi on your phone and using a USB-C/ Lightening to Ethernet cable will protect against WiFi exploits, as Edward Snowden [says here](https://twitter.com/snowden/status/1175431946958233600?lang=en).
**Recommended Software**
- [Virtual Private Networks](/5_Privacy_Respecting_Software.md#virtual-private-networks)
- [Mix Networks](/5_Privacy_Respecting_Software.md#mix-networks)
- [Router Firmware](/5_Privacy_Respecting_Software.md#router-firmware)
- [Open Source Proxies](/5_Privacy_Respecting_Software.md#proxies)
- [DNS Providers](/5_Privacy_Respecting_Software.md#dns)
- [Firewalls](/5_Privacy_Respecting_Software.md#firewalls)
- [Network Analysis Tools](/5_Privacy_Respecting_Software.md#network-analysis)
- [Self-Hosted Network Security Tools](#self-hosted-network-security)
## Mobile Devices
Most smartphone apps run in the background, collecting and logging data, making network requests and ultimately creating a clear picture of who you are, just from your data. This is a big problem from both a security and privacy perspective.
Smart phones have revolutionized so many aspects of life and brought the world to our fingertips. For many of us, smart phones are our primary means of communication, entertainment and access to knowledge. But while they've brought convenience to whole new level, there's some ugly things going on behind the screen.
Even non-smart phones, (and even when the screen is off) are constantly connecting to the nearest cell phone towers, (it does this by broadcasting its IMEI and MEID number). The towers then relay this information, along with any communications, to your mobile carrier, who will store these records indefinitely. The movements of your phone are the movements of you as a person, so all phone proximity and data records can always be linked directly back to you. So whenever your phone is on, there is a record of your presence at that place, being created and maintained by companies.
Geo-tracking is used to trace our every move, and we have little control over who has this data- your phone is even able to [track your location without GPS](https://gizmodo.com/how-to-track-a-cellphone-without-gps-or-consent-1821125371). Over the years numerous reports that surfaced, outlining ways in which your phone's [mic can eavesdrop](https://www.independent.co.uk/life-style/gadgets-and-tech/news/smartphone-apps-listening-privacy-alphonso-shazam-advertising-pool-3d-honey-quest-a8139451.html), and the [camera can watch you](https://www.businessinsider.com/hackers-governments-smartphone-iphone-camera-wikileaks-cybersecurity-hack-privacy-webcam-2017-6)- all without your knowledge or consent. And then there's the malicious apps, lack of security patches and potential/ likely backdoors.
Using a smart phone generates a lot of data about you- from information you intentionally share, to data silently generated from your actions. It can be scary to see what Google, Microsoft, Apple and Facebook know about us- sometimes they know more than our closest family. It's hard to comprehend what your data will reveal, especially in conjunction with other data.
This data is used for [far more than just advertising](https://internethealthreport.org/2018/the-good-the-bad-and-the-ugly-sides-of-data-tracking/) - more often it's used to rate people for finance, insurance and employment. Targeted ads can even be used for fine-grained surveillance (see [ADINT](https://adint.cs.washington.edu))
More of us are concerned about how [governments use collect and use our smart phone data](https://www.statista.com/statistics/373916/global-opinion-online-monitoring-government/), and rightly so, federal agencies often [request our data from Google](https://www.statista.com/statistics/273501/global-data-requests-from-google-by-federal-agencies-and-governments/), [Facebook](https://www.statista.com/statistics/287845/global-data-requests-from-facebook-by-federal-agencies-and-governments/), Apple, Microsoft, Amazon, and other tech companies. Sometimes requests are made in bulk, returning detailed information on everybody within a certain geo-fence, [often for innocent people](https://www.nytimes.com/interactive/2019/04/13/us/google-location-tracking-police.html). And this doesn't include all of the internet traffic that intelligence agencies around the world have unhindered access to.
SMS texting and traditional phone calls are not secure, so it's important to avoid using that to send or receive anything secure (such as log in codes, OTPs or any personal details). Instead use encrypted messaging, like Signal whenever you can. Be wary of who you share your phone number with.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Turn off connectivity features that arent being used** | Recommended | When you're not using WiFi, Bluetooth, NFC or anything else, turn those features off. These are commonly used to easily hack individuals.
**Encrypt your Device** | Recommended | In order to keep your data safe from physical access, use file encryption. To enable, for Android: `Settings --> Security --> Encryption`, or for iOS: `Settings --> TouchID & Passcode --> Data Protection`. This will mean if your device is lost or stolen, no one will have access to your data
**Turn off connectivity features that arent being used** | Recommended | When you're not using WiFi, Bluetooth, NFC etc, turn those features off. There are several common threats that utilise these features
**Keep app count to a minimum** | Recommended | Uninstall apps that you dont need or use regularly. As apps often run in the background, slowing your device down, but also collecting data.
**Dont grant apps permissions that they dont need** | Recommended | If an app doesnt need access to your camera, dont grant it access. Same with any features of your phone, be wary about what each app has access to.
**Only install Apps from official source** | Recommended | Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified source. Also check the reviews before downloading a new application.
**Only Charge your Device from a Trusted Source** | Recommended | When you charge your device via USB in a public space, it is possible for malicious actors to gain full access to your device, via [AT Commands](https://en.wikipedia.org/wiki/Hayes_command_set). You can read more about this at https://atcommands.org/ or from [this seminar](https://www.usenix.org/node/217625). To protect yourself, either only charge your phone from trusted sources, or use a [USB Data Blocker](https://amzn.to/30amhja). A Data blocker allows your phone to charge, while blocking the data transfer wires, blocking this exploit or any file transfers to run. ([PortaPow](https://portablepowersupplies.co.uk/) is recommended, since it still allows for fast-charge.) Available in both [USB-A](https://amzn.to/309kPh3) and [USB-C](https://amzn.to/39Wh5nJ).
**Set up a mobile carrier PIN** | Recommended | [SIM hijacking](https://securelist.com/large-scale-sim-swap-fraud/90353/) is when a hacker is able to get your mobile number transferred to their sim (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account. The PIN should not be easily guessable, and it is important that you remember it, or store is somewhere secure. Using a non-SMS based 2FA method will reduce the damage that can be done if someone is able to take control of your SIM. [Read more](https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html) about the sim swap scam.
**Opt-out of personal ads** | Optional | In order for ads to be personalized, Google collects data about you, you can slightly reduce the amount they collect by opting-out of seeing personalized ads. See [this guide](https://www.androidguys.com/tips-tools/how-to-disable-personalized-ads-on-android/), for Android instructions.
**App Permissions** | Recommended | Dont grant apps permissions that they dont need. For Android, [Bouncer](https://play.google.com/store/apps/details?id=com.samruston.permission) is an app that allows you you to grant temporary/ 1-off permissions.
**Only install Apps from official source** | Recommended | Applications on Apple App Store and Google Play Store are scanned and cryptographically signed, making them less likely to be malicious. Avoid downloading .apk or .ipa files from unverified source, unless you know it is safe. Also check the reviews, and app info before downloading a new application.
**Be Careful of Phone Charging Threats** | Optional | [Juice Jacking](https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations) is when hackers use public charging stations to install malware on your smartphone or tablet through a compromised USB port. You can mitigate this, either by using a power bank or AC wall charger, or by using a simple data blocker device (See [USB Condom](https://shop.syncstop.com/products/usb-condom?variant=35430087052) or [PortaPow Blocker](http://portablepowersupplies.co.uk/))
**Set up a mobile carrier PIN** | Recommended | [SIM hijacking](https://securelist.com/large-scale-sim-swap-fraud/90353/) is when a hacker is able to get your mobile number transferred to their sim (often through social engineering your mobile carrier). This then allows them to receive 2FA SMS codes (enabling them to access your secure accounts, such as banking), or to pose as you. The easiest way to protect against this is to set up a PIN through your mobile provider, thus disallowing anyone without this PIN to make any changes to your account. Using a non-SMS based 2FA method will reduce the damage, [Read more](https://us.norton.com/internetsecurity-mobile-sim-swap-fraud.html) about the sim swap scam.
**Opt-out of Caller ID Listings** | Optional | When one of your friends or colleagues has your number in their contacts, and also has a caller ID app, then your Name, Phone Number and any other saved contact details will be uploaded. To keep your details private, you can unlist it here: [TrueCaller](https://www.truecaller.com/unlisting), [CallApp](https://callapp.com/how-to/unlist-phone-number), [SyncMe](https://sync.me/optout), [cia-app](https://cia-app.com/self-service/delist-number), [Hiya](https://hiyahelp.zendesk.com/hc/en-us/requests/new?ticket_form_id=824667). Note that it is possible to opt-out, even before your number has been added, and this will prevent your details being uploaded in the future.
**Opt-out of personalized ads** | Optional | In order for ads to be personalized, Google collects data about you, you can slightly reduce the amount they collect by opting-out of seeing personalized ads. See [this guide](https://www.androidguys.com/tips-tools/how-to-disable-personalized-ads-on-android/), for Android instructions.
**Erase after too many login attempts** | Optional | To protect against an attacker brute forcing your pin, if you lose your phone, set your device to erase after too many failed login attempts. See [this iPhone guide](https://www.howtogeek.com/264369/how-to-erase-your-ios-device-after-too-many-failed-passcode-attempts/). You can also do this via Find my Phone, but this increased security comes at a cost of decreased privacy.
**Monitor Trackers** | Optional | A tracker is a piece of software meant to collect data about you or your usages. [εxodus](https://reports.exodus-privacy.eu.org/en/) is a great service which lets you search for any app, by its name, and see which trackers are embedded in it. They also have [an app](https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy) which shows trackers and permissions for all your installed apps.
**Install a Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will make it easier to see and control which apps are making network requests in the background, and allow you to block specific apps from roaming when the screen is turned off. For Android, check out [NetGuard](https://www.netguard.me/), and for iOS there is [LockDown](https://apps.apple.com/us/app/lockdown-apps/id1469783711), both of which are open source. Alternatively there is [NoRootFirewall](https://play.google.com/store/apps/details?id=app.greyshirts.firewall) *Android*, [XPrivacy](https://github.com/M66B/XPrivacy) *Android (root required)*, [Fyde](https://apps.apple.com/us/app/fyde-mobile-security-access/) *iOS* and [Guardian Firewall](https://guardianapp.com/) *iOS*.
**Use secure, privacy-respecting apps** | Optional | Mainstream apps have a reputation for not respecting the privacy of their users, and they're usually closed-source meaning vulnerabilities can be hidden. [Prism-Break](https://prism-break.org) maintains a list of better alternatives, see [Android](https://prism-break.org/en/categories/android/) and [iOS](https://prism-break.org/en/categories/ios/).
**Use Signal, instead of SMS** | Optional | SMS may be convenient, but it's [not secure](https://www.fortherecordmag.com/archives/0315p25.shtml). [Signal](https://signal.org) is both the most secure and private option. [Silence](https://silence.im/) (encrypted SMS), [Threema](https://threema.ch), [Wire](https://wire.com/en/)(enterprise) and [Riot](https://about.riot.im/) are also encrypted.[iMessage](https://techcrunch.com/2014/02/27/apple-explains-exactly-how-secure-imessage-really-is/) and [WhatsApp](https://www.whatsapp.com) do claim to be [end-to-end-encrypted](https://signal.org/blog/whatsapp-complete/), but since they are not open source, verifying this is harder, and the private companies which own them (Apple and Facebook), have a questionable reputation when it comes to protecting users privacy. Keep in mind that although the transmission may be secured, messages can still be read if your or your recipients' devices have been compromised.
**Avoid using your real phone number when signing up for an account or service** | Optional | Where possible, avoid giving out your real phone number while creating accounts online. You can create phone numbers using services such as [Google Voice](https://voice.google.com) or [Skype](https://www.skype.com/en/features/online-number/). For temporary usage you can use a service like [iNumbr](https://www.inumbr.com) that generates a phone number that forwards messages and calls to your main number.
**Use Mobile a Firewall** | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will allow you to block specific apps from making data requests, either in the background, or when on WiFi or mobile data. Consider [NetGuard](https://www.netguard.me/) (Android) or [LockDown](https://apps.apple.com/us/app/lockdown-apps/id1469783711) (iOS), or see more [Firewalls](/5_Privacy_Respecting_Software.md#firewalls)
**Reduce Background Activity** | Optional | For Android, [SuperFreeze](https://f-droid.org/en/packages/superfreeze.tool.android) makes it possible to entirely freeze all background activities on a per-app basis. Intended purpose is to speed up your phone, and prolong battery life, but this app is also a great utility to stop certain apps from collecting data and tracking your actions while running in the background
**Sandbox Mobile Apps** | Optional | Prevent permission-hungry apps from accessing your private data with [Island](https://play.google.com/store/apps/details?id=com.oasisfeng.island). It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos and etc.) even if related permissions are granted
**Tor Traffic** | Advanced | [Orbot](https://guardianproject.info/apps/orbot/) provides a system-wide [Tor](https://www.torproject.org/) connection, which will help protect you from surveillance and public WiFi threats
**Avoid Custom Virtual Keyboards** | Optional | Android and iOS allow you to download and use third-party keyboard apps. These apps will be able to access everything that you type on your phone/ tablet: passwords, messages, search terms etc. It is recommended to stick with your devices stock keyboard. If you choose to use one of these apps, ensure it is reputable, block internet access (can be done with a [firewall app](/5_Privacy_Respecting_Software.md#firewalls)), don't grant it permissions it does not need, and turn off analytics or other invasive features in it's settings. [This article](https://zeltser.com/third-party-keyboards-security) by Lenny Zelster explains things further
**Restart Device Regularly** | Optional | Over the years there have vulnerabilities relating to memory exploits (such as [CVE-2015-6639](https://www.cvedetails.com/cve/CVE-2015-6639) + [CVE-2016-2431](https://www.cvedetails.com/cve/CVE-2016-2431)). Restarting your phone at least once a week will clear the app state cached in memory. A side benefit is that your device may run more smoothly after a restart.
**Avoid SMS** | Optional | SMS may be convenient, but it's [not particularly secure](https://www.fortherecordmag.com/archives/0315p25.shtml). It is susceptible to threats, such as interception, sim swapping (see [this article](https://www.forbes.com/sites/kateoflahertyuk/2020/01/21/the-surprising-truth-about-sms-security)), manipulation and malware (see [this article](https://www.securitynewspaper.com/2019/09/13/hack-any-mobile-phone-with-just-a-sms)). <br>SMS should not be used to receive 2FA codes, (as demonstrated in the video in [this article](https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin)), instead use an [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication). SMS should not be used for communication, instead use an [encrypted messaging app](/5_Privacy_Respecting_Software.md#encrypted-messaging), such as [Signal](https://signal.org)
**Keep your Number Private** | Optional | [MySudo](https://mysudo.com/) allows you to create and use virtual phone numbers for different people or groups. This is great for compartmentalisation. Alternativley, use a VOIP provider like [Google Voice](https://voice.google.com) or [Skype](https://www.skype.com/en/features/online-number/), or for temporary usage you can use a service like [iNumbr](https://www.inumbr.com). Where possible, avoid giving out your real phone number while creating accounts online.
**Watch out for Stalkerware** | Optional | This is a malware that is installed directly onto your device by someone you know (partner, parent, boss etc.). It allows them to see your location, messages and other app data remotely. The app likely won't show up in your app draw, (but may visible in Settings --> Applications --> View All). Sometimes they can be disguised as a non-conspicuous app (such as a game, flashlight or calculator) which initially don't appear suspicious at all. Look out for unusual battery usage, network requests or high device temperature. If you suspect that stalkerware is on your device, the best way to get rid of it is through a factory reset. See [this guide](https://blog.malwarebytes.com/stalkerware/2019/10/how-to-protect-against-stalkerware-a-murky-but-dangerous-mobile-threat/) for more details.
**Sandbox Mobile Apps** | Advanced | Prevent permission-hungry apps from accessing your private data with [Island](https://play.google.com/store/apps/details?id=com.oasisfeng.island). It is a sandbox environment to clone selected apps and isolate them from accessing your personal data outside the sandbox (including call logs, contacts, photos and etc.) even if related permissions are granted.
**Consider Orbot** | Advanced | [Orbot](https://guardianproject.info/apps/orbot/) provides a system-wide [Tor](https://www.torproject.org/) connection. Although more secure than a VPN, it will be slower- see [Networking](#networking) section for more details.
**Consider running a custom ROM if you have an Android device** | Advanced | Your default OS tracks information about your usage, and app data, constantly. Consider a privacy-focused custom ROM, such as [Lineage](https://lineageos.org) or [CopperheadOS](https://copperhead.co/android/).
**Consider running a custom ROM if you have an Android device** | Advanced | For Android users, if your concerned about your device manufacturer collecting too much personal information, consider a privacy-focused custom ROM, such as [Lineage](https://lineageos.org) or [CopperheadOS](https://copperhead.co/android/) - [see more](/5_Privacy_Respecting_Software.md#mobile-operating-systems)
**Recommended Software**
- [Mobile Apps, for Security + Privacy](/5_Privacy_Respecting_Software.md#mobile-apps)
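Review bot: the Mobile Devices table in this hunk ends up with two versions of the same advice in several rows, which looks like both sides of the merge were kept: "Turn off connectivity features that arent being used" appears twice, as do "Only install Apps from official source", "Set up a mobile carrier PIN", the opt-out-of-personalized-ads row, "Sandbox Mobile Apps", the Orbot/Tor row, the firewall row ("Install a Firewall" and "Use Mobile a Firewall"), the SMS row ("Use Signal, instead of SMS" and "Avoid SMS"), the phone-number row ("Avoid using your real phone number..." and "Keep your Number Private") and the custom-ROM row; keep one of each pair, and the later, expanded variants are generally the stronger ones. Two content points: the "Erase after too many login attempts" row should say that this only makes sense alongside a current encrypted backup, since failed attempts by a child or a curious friend trigger the wipe as readily as an attacker's; and in the "Encrypt your Device" row, iOS data protection is enabled automatically once a device passcode is set, so the actionable step for iOS users is to set a strong passcode rather than to find a "Data Protection" toggle. Spelling: "thsese" (these), "Alternativley" (alternatively, twice), "Lightening" (Lightning), "Lenny Zelster" (Zeltser), "if your concerned" (you're), and "Use Mobile a Firewall".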
@ -210,22 +266,46 @@ Although Windows and OS X are easy to use and convenient, they both are far from
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Keep your OS up-to-date** | Recommended | Microsoft, Apple and Google release regular OS updates, which fix security flaws. Always keep your device updated.
**Enable Firewall** | Recommended | A firewall is a program which monitors the incoming and outgoing traffic on your network, and blocks requests based on rules set during its configuration. Properly configured, a firewall can protect against some (but not all) attempts to remotely access your computer. <br>Follow these instructions to enable your firewall in [Windows](https://support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off), [Mac OS](https://support.apple.com/en-us/HT201642), [Ubuntu](https://wiki.ubuntu.com/UncomplicatedFirewall) and other [Linux ditros](https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall)
**Attach only known and trusted external hardware** | Recommended | Over the years there have been a variety of vulnerabilities in each major operating system relating to connecting untrusted hardware. In some cases the hardware talks to the host computer in a way the host computer does not expect, exploiting a vulnerability and directly infecting the host
**Don't charge unknown mobile devices from your PC** | Optional | If friends or colleagues want to charge their devices via USB, do not do this through your computers ports (unless you have a data blocker). By default the phone will want to sync to the host computer, but there is also specially crafted malware which takes advantage of the face that computers naturally trust connected USB devices. The owner of the phone may not even realize their device is infected
**Encrypt and Backup Important Files** | Optional | Backing up your phone can help keep your important data safe, if your device is lost, stolen or broken. But if you put your backup encrypted in the cloud, cloud providers will have access to it (if you don't pay for the service, then you are the product!). <br>[Cryptomator](https://cryptomator.org/) is an open source tool that makes this easy. It also works alongside [MountainDuck](https://mountainduck.io/) for mounting your remote drives on Windows and Mac. Other non-open-source options are [BoxCrypter](https://www.boxcryptor.com/), [Encrypto](https://macpaw.com/encrypto) and [odrive](https://www.odrive.com/).
**Uninstall Adobe Acrobat** | Optional | Adobe Acrobat was designed in a different age, before the Internet. Acrobat has had vulnerabilities that allowed specially crafted PDFs to load malware onto your system for the last two decades. Undoubtedly more vulnerabilities remain. You can use your browser to view PDFs, and browser-based software for editing
**Consider Switching to Linux** | Optional | Linux is considerably [more secure](https://www.pcworld.com/article/202452/why_linux_is_more_secure_than_windows.html) than both OSX and Windows. Some distros are still more secure than others, so its worth choosing the right one to get a balance between security and convenience.
**Avoid PC Apps that are not secure** | Optional | Mainstream apps have a reputation for not respecting the privacy of their users, and they're usually closed-source meaning vulnerabilities can be hidden. See here for compiled list of secure PC apps for [Windows](https://prism-break.org/en/categories/windows/), [OSX](https://prism-break.org/en/categories/macos/) and [Linux](https://prism-break.org/en/categories/gnu-linux/).
**Use a Security-Focused Distro** | Advanced | [QubeOS](https://www.qubes-os.org/) is based on “security by compartmentalization”, where each app is sandboxed. [Whonix](https://www.whonix.org/) is based on Tor, so 100% of your traffic will go through the onion router. [Tails](https://tails.boum.org/) is specifically designed to be run on a USB key and is ideal if you dont want to leave a trace on the device your booting from. [Subgraph](https://subgraph.com/) is an “adversary resistant computing platform”, but also surprisingly easy to use
**Password protect your BIOS and drives** | Advanced | A BIOS or UEFI password helps to make an inexperienced hacker's life a little bit harder if they get a hold of your PC or hard drive, [here is a guide on how to do it](https://www.howtogeek.com/186235/how-to-secure-your-computer-with-a-bios-or-uefi-password/).
**Canary Tokens** | Advanced | Network breaches happen, but the longer it takes for you to find out about it, the more damage is done. A canary token is like a hacker honeypot, something that looks appealing to them once they've gained access to your system. When they open the file, unknowingly to them, a script is run which will not only alert you of the breach, but also grab some of the hackers system details. <br>[CanaryTokens.org](https://canarytokens.org/generate) and [BlueCloudDrive](https://blueclouddrive.com/generate) are excellent sites, that you can use to generate your tokens. Then just leave them somewhere prominent on your system. [Learn more](https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html) about canary tokens, or see [this guide](https://resources.infosecinstitute.com/how-to-protect-files-with-canary-tokens/) for details on how to create them yourself.
**Keep your System up-to-date** | Recommended | New vulnerabilities are constantly being discovered. System updates contain fixes/ patches for these security issues, as well as improve performance and sometimes add new features. You should install new updates when prompted, to avoid any critical issues on your system from being exploited
**Encrypt your Device** | Recommended | If your computer is stolen, seized or falls into the wrong hands, without full disk encryption anyone is able to access all of your data, without a password (by booting to a live USB or removing the hard drive). You can enable encryption very easily, using [BitLocker](https://support.microsoft.com/en-us/help/4028713/windows-10-turn-on-device-encryption) for Windows, [FileVault](https://support.apple.com/en-us/HT204837) on MacOS, or by enabling [LUKS](https://en.wikipedia.org/wiki/Linux_Unified_Key_Setup) on Linux, during install. Or using an open source, program, such as [VeraCrypt](https://www.veracrypt.fr/en/Home.html) or [DiskCryptor](https://www.diskcryptor.org/). For encrypting cloud files, consider [Cryptomator](https://cryptomator.org/) or [CryFS](https://www.cryfs.org/). Note that you should select a long and strong password, and keep it somewhere safe, as there is no way to recover your password if you loose it
**Backup Important Data** | Recommended | Maintaining a copy of important data will prevent loss in the case of ransomware, theft or damage to your system. You should encrypt these backups, to keep the data safe. One solution would be to use [Cryptomator](https://cryptomator.org/) to encrypt files, and then sync them to a regular cloud storage provider. Or you could have a USB drive, with an encrypted volume (e.g. using [VeraCrypt](https://www.veracrypt.fr/en/Home.html)). The best backup solution, should include 2 additional copies of your data- such as a physical off-site copy, and a cloud copy of your data
**Be Careful Plugging USB Devices into your Computer** | Recommended | Think before inserting a USB device into your PC, as there are many threats that come in the form of a USB device. Something like a [USB Killer](https://usbkill.com/products/usb-killer-v3) will destroy your computer, by rapidly charging and discharging capacitors. A Bad USB (such as [Malduino](https://malduino.com/) or [Rubber Ducky](https://shop.hak5.org/products/usb-rubber-ducky-deluxe)), will act as a keyboard, once plugged in, it will proceed to rapidly type commands at lighning speed, often with severe consequences. There's also remote access tools (such as the [OMG Cable](https://hackaday.com/tag/omg-cable/) or [P4wnP1_aloa](https://github.com/RoganDawes/P4wnP1_aloa)), giving a hacker full remote access to your PC, even after the device has been removed. And of course, there's traditional USB drives, that contain malware that infect your device once inserted. <br>One solution to this, is to make a USB sanitizer, using [CIRCLean](https://www.circl.lu/projects/CIRCLean/) on a Raspberry Pi. It allows you to plug an obtained USB device into the Pi, and it'll convert the untrusted documents into a readable but disarmed format, and save them on a new USB key, which you can then safely insert into your computer
**Activate Screen-Lock when Idle** | Recommended | Get in the habit of locking your computer, whenever you step away from it. Reduce the amount of time that your computer is idle for, before the screensaver activates, and ensure that it will lock when the mouse is moved, so no one can access your data, when you step away from your desk. In Windows, check `Personalization --> Screensaver --> On resume, display login screen`, and in MacOS, check `Security & Privacy --> General --> Require password immediately after screensaver starts`. In Linux, `Brightness & Lock --> Require my password when waking up from suspend`. Better still, never leave your computer unattended, even in trusted environments
**Disable Cortana or Siri** | Recommended | Using a voice-controlled assistant, sends commands back to Microsoft or Apple as well as data about your files for local search, which have some [serious privacy implications](https://www.theatlantic.com/technology/archive/2016/05/the-privacy-problem-with-digital-assistants/483950/). They're always listening, waiting for the trigger word, and this can lead to parts of conversations being accidentally recorded. To disable this, in Windows, navigate to `Settings --> Cortana` and switch it to `Off`. You should also stop your speech, typing and handwriting patterns being sent to Microsoft, since this can be used to identify you, as well as potentially leaking sensitive data - navigate to `Settings --> Privacy --> Speech, Inking, & Typing`, and click `Turn off`. In Mac it's not easy to fully disable Siri, but you can stop it from always listening, go to `System Preferences --> Siri`, and uncheck `Enable Siri`
**Review your Installed Apps** | Recommended | Its good practice to keep installed applications to a minimum. Not only does this keep your machine lean, it also reduces your exposure to vulnerabilities. You should also clear application cache's regularly. As well as looking through your application list manually, there are also tools that make this easier, such as [BleachBit](https://www.bleachbit.org/)
**Manage Permissions** | Recommended | In a similar way to phones, your OS can grant certain permissions to applications. It's important to keep control over which apps and services have access to your location, camera, microphone, contacts, calendar and other account information. Some systems let you restrict which apps can send or recieve messages, as well as which apps can which processes can control radios such as Bluetooth and WiFi. In Windows, navigate to `Settings --> Privacy`, and for MacOS, go to `System Preferences --> Security & Privacy --> Privacy`. <br>Note that there are other methods that apps can use to access this data, and this is just one step towards protecting it. You should check back regularly, as sometimes system updates can cause some privacy settings to be modified or reverted
**Disallow Usage Data from being sent to the Cloud** | Recommended | Both Windows and MacOS collect usage information or feedback, which is send to the cloud for analytics, diagnostics and research. Although this data should be anonymized, it can often be linked back to your identity when compared with other usage data. In Windows, there is no way to disable this fully, but you can limit it- navigate to `Settings --> Privacy --> Feedback & diagnostics`, and select `Basic`. You also have the option to disallow your advertising ID from being shared with apps on your system. In MacOS, it can be turned off fully, go to `System Preferences --> Privacy --> Diagnostics & Usage`, and untick both options
**Avoid Quick Unlock** | Recommended | Use a password to unlock your computer, ensure it is long and strong. Avoid biometrics such as facial recognition and fingerprint. These can be spoofed, allowing an intruder access to your account. Also, for Windows devices, avoid using a short PIN to unlock your machine.
**Don't link your PC with your Microsoft or Apple Account** | Optional | Create a local account only. This will prevent some data about your usage being uploaded and synced between devices. Avoid syncing your iPhone or Android device to your computer, as this will automatically lead to it being associated with your Apple, Microsoft or Google account. <br>If sync is important to you, there are open source services that encrypt you data, and sync between devices. For example [XBrowserSync](https://www.xbrowsersync.org/) for bookmarks, history and browser data, [ETESync](https://www.etesync.com/accounts/signup/?referrer=QK6g) for calendar, contacts and tasks, [Syncthing](https://syncthing.net/) for files, folders and filesystems
**Check which Sharing Services are Enabled** | Optional | The ability to share files and services with other machines within your network, can be useful, but also acts as a gateway for common threats. You should disable the network sharing features that you are not using. For Windows, navigate to `Control Panel --> Network and Internet --> Network and Sharing Center --> Advanced sharing settings`, and for MacOS, just go to `System Preferences --> Sharing` and disable anything that you do not need. For Windows users, you should ensure that [remote desktop is disabled](https://www.laptopmag.com/articles/disable-remote-desktop). And also control apps ability to sync with non-pairing devices, such as beacons that transmit advertising information- this is also in the privacy settings
**Don't use Root/ Admin Account for Non-Admin Tasks** | Optional | You should not use administrator / root account for general use. Instead, use an unprivileged user account, and temporarily elevate permissions when you need to make administrator changes. This will [mitigate a large proportion of vulnerabilities](https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/), because a malicious program or an attacker can do significantly less damage without an administrator power. See [this guide for Windows and MacOS](https://www.maketecheasier.com/why-you-shouldnt-use-admin-account/), on how to implement this. You should also ensure that a password is required for all system wide changes, as this helps protect against malware doing widespread damage. In Windows this is enabled by default, in MacOS, navigate to `System Preferences --> Security & Privacy --> General --> Advanced`
**Block Webcam + Microphone** | Optional | To prevent the potential risk of [being watched](https://opendatasecurity.io/hackers-can-watch-you-via-your-webcam/) through your webcam, consider covering it with a sticker, slider or electrical tape, while it's not being used. There are also application solutions- such as [Oversight](https://objective-see.com/products/oversight.html) (MacOS) or [CamWings](https://schiffer.tech/camwings.html) (Windows) - for ultimate protection, consider physically [removing the webcam](https://www.wired.com/story/remove-the-mic-from-your-phone/) all together. Blocking unauthorized audio recording, can be done with a [mic block](https://mic-lock.com/), which works by disabling the primary sound input source- but is not fool proof
**Don't Charge Devices from your PC** | Optional | Connecting your smart phone to a computer can be a security risk, it's possible for [a self-signed malicious app](https://www.pcworld.com/article/2465320/the-biggest-iphone-security-risk-could-be-connecting-one-to-a-computer.html) to be installed, without your knowledge. Also both iPhone or Android device have sync capabilities, which can lead to data being unintentionally shared. If you need to charge your device, consider using a [USB data-blocker](/6_Privacy_and-Security_Gadgets.md#usb-data-blockers).
**Randomize your hardware address on Wi-Fi** | Optional | A [MAC Address](https://en.wikipedia.org/wiki/MAC_address) is an identifier given to a device (specifically the Network Interface Controller), and is is one method used to identify, and track you across different WiFi networks. Some devices allow you to modify or randomize how this address appears. See how, on [Windows](https://support.microsoft.com/en-us/help/4027925/windows-how-and-why-to-use-random-hardware-addresses), [MacOS](https://poweruser.blog/how-to-spoof-the-wifi-mac-address-on-a-macbook-25e11594a932) and [Linux](https://itsfoss.com/change-mac-address-linux/). <br>You should also disallow you device from automatically connect to open Wi-Fi networks
**Use a Firewall** | Optional | A firewall is a program which monitors incoming and outgoing traffic, and allows you to blocks internet access for certain applications. This is useful to stop apps from collecting data, calling home, or downloading unnecessary content- correctly configured, firewalls can help protect against remote access attacks, as well as protect your privacy. <br>Your system will have a built-in firewall (Check it's enabled: [Windows](https://support.microsoft.com/en-us/help/4028544/windows-10-turn-windows-defender-firewall-on-or-off), [Mac OS](https://support.apple.com/en-us/HT201642), [Ubuntu](https://wiki.ubuntu.com/UncomplicatedFirewall) and other [Linux ditros](https://www.tecmint.com/start-stop-disable-enable-firewalld-iptables-firewall)). Alternatively, for greater control, consider: [LuLu](https://objective-see.com/products/lulu.html) (MacOS), [gufw](http://gufw.org/) (Linux), [LittleSnitch](https://github.com/evilsocket/opensnitch), [SimpleWall](https://github.com/henrypp/simplewall) (Windows), there's plenty more [firewall apps](/5_Privacy_Respecting_Software.md#firewalls) available
**Protect Against Software Keyloggers** | Optional | A software keylogger is a malicious application running in the background that logs (and usually relays to a server) every key you press, aka all data that you type (passwords, emails, search terms, financial details etc). The best way to stay protected, is to keep your systems security settings enabled, and periodically check for rootkits- which will detect most loggers. Another option, is to use a key stroke encryption tool. For Windows there is [GhostPress](https://schiffer.tech/ghostpress.html), [Spy Shelter](https://www.spyshelter.com/) or [KeyScrambler](https://www.qfxsoftware.com) (developed by Qian Wang) which encrypt your keystrokes at the keyboard driver level, and then decrypting them at the application level, meaning any software keylogger would just receive encrypted data.
**Check Keyboard Connection** | Optional | Check your keyboards USB cable before using, bring your own keyboard to work and watch out for sighs that it may have been tampered with. A hardware keylogger is a physical device that either sits between your keyboard and the USB connection into your PC, or is implanted into a keyboard. It intercepts and stores keystrokes, and in some cases can remotely upload them. Unlike a software logger, they can not be detected from your PC, but also they can not intercept data from virtual keyboards (like [OSK](https://support.microsoft.com/en-us/help/10762/windows-use-on-screen-keyboard)), clipboard or auto-fill password managers.
**Don't use Free Anti-Virus** | Optional | The included security tools, which come with bundled your operating system (such as Windows Defender), should be adequate at protecting against threats. Free anti-virus applications are often more of a hinder than a help- as they require admin permissions, full access to all data and settings, and internet access. They usually collect a lot of data, which is uploaded to the cloud and sometimes [sold to third-parties](https://www.forbes.com/sites/thomasbrewster/2019/12/09/are-you-one-of-avasts-400-million-users-this-is-why-it-collects-and-sells-your-web-habits/). Therefore, you should avoid programs such as Avast, AVG, Norton, Kasperky, Avira etc- even the paid plans come with privacy concerns. If you need a dedicated anti-virus application, consider [CalmAV](https://www.clamav.net/), which is open source. And for scanning 1-off files, [VirusTotal](https://www.virustotal.com/) is a useful tool
**Periodically check for Rootkits** | Advanced | You should regularly check for rootkits (which may allow an attacker full control over your system), you can do this with a tool like [chkrootkit](http://www.chkrootkit.org/), once installed just run `sudo chkrootkit`. For Windows users, see [rootkit-revealer](https://docs.microsoft.com/en-us/sysinternals/downloads/rootkit-revealer) or [gmer](http://www.gmer.net/)
**BIOS Boot Password** | Advanced | A BIOS or UEFI password once enabled, will need to be entered before the system can be booted, which may help to prevent an inexperienced hacker from getting into your OS, booting from a USB, tampering with BIOS as well as other actions. However, it can be easy to bypass, don't put too much trust in this - it should only be used as an additional step, to exhaust your adversaries resources a little faster. [Here is a guide on how to enable password](https://www.howtogeek.com/186235/how-to-secure-your-computer-with-a-bios-or-uefi-password/).
**Use a Security-Focused Operating System** | Advanced | Microsoft, Apple and Google all have practices that violate users privacy, switching to Linux will mitigate most of these issues. For more advanced users, consider a security-focused distro- such as [QubeOS](https://www.qubes-os.org/), which allows for compartmentalization of applications and data, and has strong encryption and Tor networking build in. For some actions, [Tails](https://tails.boum.org/) a live operating system with no memory persistence is as close as you can get to not leaving a data trail on your system. BSD is also great for security, see [FreeBSD](https://www.freebsd.org/) and [OpenBSD](https://www.openbsd.org/). Even a general purpose distro, will be much better for privacy compared to a propriety counterpart: [Fedora](https://getfedora.org/), [Debian](https://www.debian.org/), [Arch](https://www.archlinux.org/) / [Manjaro](https://manjaro.org/), [see more](/5_Privacy_Respecting_Software.md#pc-operating-systems)
**Compartmentalize** | Advanced | Security by [Compartmentalization](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)) is a strategy, where you isolate different programs and data sources from one another as much as possible. That way, attackers who gain access to one part of the system are not able to compromise all of the users privacy, and corporate tracking or government surveillance shouldn't be able to link together different compartments. At the simplest level, you could use separate browsers or [multi-account containers](https://support.mozilla.org/en-US/kb/containers) for different activities, but taking it further you could have a virtual machine for each category (such as work, shopping, social etc). Alternativley, consider [Qubes OS](https://www.qubes-os.org), which is designed for exactly this, and sandboxes each app in it's own Xen Hypervisor VM, while still providing great user experience
**Disable Undesired Features (Windows)** | Advanced | Microsoft Windows 10 is far from lean, and comes with many bundles "features" that run in the background, collecting data and using resources. Consider disabling are: Windows Script Host, AutoRun + AutoPlay, powershell.exe and cmd.exe execution via Windows Explorer, and the execution of commonly abused file extensions. In MS Office, consider disabling Office Macros, OLE object execution, ActiveX, DDE and Excel Links. There are tools that may make these fixes, and more easier, such as [HardenTools](https://github.com/securitywithoutborders/hardentools), or [ShutUp10](https://www.oo-software.com/en/shutup10). Note: This should only be done if you are competent Windows user, as modifying the registry can cause issues
**Secure Boot** | Advanced | For Windows users, ensure that [Secure Boot](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot) is enabled. This security standard, ensures that your device boots only to trusted software when the PC starts. It prevents malware, such as a rootkit from maliciously replacing your boot loader, which could have serious consequences. Some Linux distros also work with secure boot (if they've applied to have their boot loaders signed by Microsoft), while others are incompatible (in which case, secure boot will need to be disabled)
**Secure SSH Access** | Advanced | If you access your system remotely, via SSH you should take steps to protect it from automated and targeted attacks. Change the port away from 22, use SSH keys to authenticate, disallow root login with a password and consider using a firewall, and only allow certain IPs to gain SSH access, consider using a Virtual Private Cloud as a gateway. Carry out regular service audits, to discover the services running on your system. For more info, see [this guide, on OpenSSH security tweeks](https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html)
**Close Un-used Open Ports** | Advanced | Some daemons listen on external ports, if they are not needed, then they are [exposed to exploits](https://www.acunetix.com/blog/articles/danger-open-ports-trojan-trojan/). Turning off these listening services will protect against some remote exploits, and may also improve boot time. To check for listening services, just run `netstat -lt`
**Implement Mandatory Access Control** | Advanced | Restricting privileged access enables users to define rules, that limit how applications can run, or affect other processes and files. This means, that if a vulnerability is exploited, or your system is compromised, the damage will be limited. There are many options available, such as [Rule Set Based Access Control](https://www.rsbac.org/), [AppArmor](https://gitlab.com/apparmor) or [SELinux](https://github.com/SELinuxProject)
**Use Canary Tokens** | Advanced | Breaches happen, but the longer it takes for you to find out about it, the more damage is done. A [canary trap](https://en.wikipedia.org/wiki/Canary_trap) can help you know that someone's gained access to your files or emails much faster, and gain a bit of inform about the incident. A canary token is a file, email, note or webpage that's like a little hacker honeypot, something that looks appealing to them once they've gained access to your system. When they open the file, unknowingly to them, a script is run which will not only alert you of the breach, but also grab some of the intruders system details. These have been used to catch Dropbox employees opening users files, and Yahoo Mail employees reading emails. <br>[CanaryTokens.org](https://canarytokens.org/generate) and [BlueCloudDrive](https://blueclouddrive.com/generate) are excellent sites, that you can use to generate your tokens. Then just leave them somewhere prominent on your system. [Learn more](https://blog.thinkst.com/p/canarytokensorg-quick-free-detection.html) about canary tokens, or see [this guide](https://resources.infosecinstitute.com/how-to-protect-files-with-canary-tokens/) for details on how to create them yourself.
**Recommended Software**
- [Secure Operating Systems](/5_Privacy_Respecting_Software.md#pc-operating-systems)
- [Linux Defenses](/5_Privacy_Respecting_Software.md#linux-defences)
- [Windows Defenses](/5_Privacy_Respecting_Software.md#windows-defences)
- [Mac OS Defenses](/5_Privacy_Respecting_Software.md#mac-os-defences)
- [Anti-Malware](/5_Privacy_Respecting_Software.md#anti-malware)
- [Firewalls](/5_Privacy_Respecting_Software.md#firewalls)
- [File Encryption](/5_Privacy_Respecting_Software.md#file-encryption)
- [AV and Malware Prevention](/5_Privacy_Respecting_Software.md#anti-virus-and-malware-prevention)
- [Operating Systems](/5_Privacy_Respecting_Software.md#operating-systems)
## Smart Home
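Review bot: the port check in the "Close Un-used Open Ports" row only covers TCP: `netstat -lt` lists TCP listeners, so UDP services are missed; suggest `netstat -lntu` (or `ss -lntu`) so the check matches the row's claim of discovering listening services. In "Secure SSH Access", changing the port away from 22 only cuts scanner noise and is not a control in itself; the key-based authentication and root-login restriction in the same row are the substantive part, so consider wording the row that way. Three smaller points in the same hunk: in "Use a Firewall", the LittleSnitch label links to https://github.com/evilsocket/opensnitch, which is the OpenSnitch project, so either relabel it OpenSnitch (Linux) or point it at Little Snitch's own site; in "Don't use Free Anti-Virus", "CalmAV" should read "ClamAV" (the URL is clamav.net) and "Kasperky" should read "Kaspersky"; and the "Recommended Software" list ends with both "Anti-Malware" and "AV and Malware Prevention", and both "Secure Operating Systems" and "Operating Systems", which look like leftover pairs from a rename and should be reduced to one entry each.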
@ -255,6 +335,23 @@ The most privacy-respecting option, would be to not use "smart" internet-connect
- [Home Automation](/5_Privacy_Respecting_Software.md#home-automation)
- [AI Voice Assistants](/5_Privacy_Respecting_Software.md#ai-voice-assistants)
## Personal Finance
Credit card fraud is the most common form of identity theft (with [133,015 reports in the US in 2017 alone](https://www.experian.com/blogs/ask-experian/identity-theft-statistics/)), and a total loss of $905 million, which was a 26% increase from the previous year. The with a median amount lost per person was $429 in 2017. It's more important than ever to take basic steps to protect yourself from falling victim
Note about credit cards: Credit cards have technological methods in place to detect and stop some fraudulent transactions. Major payment processors implement this, by mining huge amounts of data from their card holders, in order to know a great deal about each persons spending habits. This data is used to identify fraud, but is also sold onto other data brokers. Credit cards are therefore good for security, but terrible for data privacy.
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**Sign up for Fraud Alerts and Credit Monitoring** | Recommended | A Fraud Alert is a note on your credit report, that asks any business seeking your credit report to contact you to confirm your identity before granting credit in your name. Credit Monitoring tracks your credit history, and will alert you to any suspicious activity. You can enable fraud alerts and credit monitoring through credit the bureau's websites: [Experian](https://www.experian.com/fraud/center.html), [TransUnion](https://www.transunion.com/fraud-alerts) or [Equifax](https://www.freeze.equifax.com/)
**Apply a Credit Freeze** | Recommended | A credit freeze will prevent anyone from requesting your credit report, hence stop someone applying for a financial product in your name, or a corporation requesting your details without your consent. You will need to temporarily disable your credit freeze before getting a loan, or any other financial product. You can freeze your credit through credit the bureau's website: [Experian](https://www.experian.com/freeze/center.html), [TransUnion](https://www.transunion.com/credit-freeze) and [Equifax](https://www.freeze.equifax.com/)
**Use Virtual Cards** | Optional | Virtual card numbers let you pay for items without revealing your real card or banking details. They also offer additional features, such as single-use cards and spending limits for each card. This means you will not be charged more than you specified, or ongoing subscriptions or in the case of a data breach. [Privacy.com](https://privacy.com/join/VW7WC), [MySudo](https://mysudo.com/) and [others](/5_Privacy_Respecting_Software.md#virtual-credit-cards) offer this service
**Use Cash for Local Transactions** | Optional | Unlike any digital payment method, cash is virtually untraceable. Using cash for local and everyday purchases will prevent any financial institution building up a comprehensive data profile based on your spending habits
**Use Cryptocurrency** | Optional | Unlike card payments, most cryptocurrencies are not linked to your real identity. However many blockchains have a public ledger, where transaction details can be publicly viewed online. A privacy-focused currency, such as [Monero](https://www.getmonero.org) or [ZCash](https://z.cash) (see [more](/5_Privacy_Respecting_Software.md#cryptocurrencies)) will allow you to pay for goods and services without any direct link to your identity
**Buy Crypto Anonymously** | Advanced | If you are buying a common cryptocurrency (such as BitCoin), in order to use it as a payment method avoid paying by card on an online exchange, since this will link directly back to your real identity. Instead use a service like [LocalBitcoins](https://localbitcoins.com), an anonymous exchange, such as [Bisq](https://bisq.network), or buy from a local BitCoin ATM ([find one here](https://coinatmradar.com)). Before converting BitCoin back to currency, consider using a [bitcoin mixer](https://en.bitcoin.it/wiki/Mixing_service), to make your transaction harder to trace.**Use an alias details for online shopping** | Advanced | When you pay for goods or services online, you do not know for sure who will have access to your data. Using an alias name, forwarding mail address and not disclosing your personal phone number will go a long way in keeping you safe. Services such as [SimpleLogin](https://simplelogin.io/?slref=bridsqrgvrnavso) or [Anonaddy](https://anonaddy.com) will allow you to create anonymous forwarding email addresses
**Use alternate delivery address** | Advanced | When online shopping, if possible get goods delivered to an address that is not associated to you. For example, using a PO Box, forwarding address, corner-shop collection or pickup box
## Sensible Computing
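Review bot: the "Buy Crypto Anonymously" and "Use an alias details for online shopping" rows in the Personal Finance table are run together on one line (`...harder to trace.**Use an alias details for online shopping** | Advanced | ...`), which will render as a single malformed row; insert a line break before the second bolded title. Also in this hunk: in "Sign up for Fraud Alerts and Credit Monitoring" and "Apply a Credit Freeze", "through credit the bureau's websites" should read "through the credit bureaus' websites"; in "Use Virtual Cards", the sentence "This means you will not be charged more than you specified, or ongoing subscriptions or in the case of a data breach" needs rewording (for example "...more than you specified, whether by an ongoing subscription or after a data breach"); and in the intro paragraph, "The with a median amount lost per person was $429 in 2017" should read "The median amount lost per person was $429 in 2017".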
@ -263,7 +360,7 @@ Many data breaches, hacks and attacks are caused by human error. The following l
**Security** | **Priority** | **Details and Hints**
--- | --- | ---
**If an email asks you to take a sensitive action, verify it first** | Recommended | Emails are easy for an attacker to spoof, and it is unfortunately common practice. So whenever an email asks you to take a sensitive action, call the company first, to verify it is authentic
**Verify Recipients** | Recommended | Emails are easy for an attacker to spoof, and unfortunately happens all too often. So whenever an email asks you to take a sensitive action, first verify that the sender is authentic, and when possible enter the URL yourself (rather than clicking a link in the message)
**Dont Trust Your Popup Notifications** | Recommended | It is a trivial task for a malicious actor to deploy fake pop-ups, either on your PC, phone or browser. If you click a popup, ensure the URL is correct before entering any information
**Never Leave Device Unattended** | Recommended | Even with a strong password, it's straight-forward to retrieve the data from your phone or computer (unless it is encrypted). If you lose your device, and have find my phone enabled, then remotely erase it
**Prevent Camfecting** | Recommended | It is a good idea to invest in some webcam covers, and microphone blockers to protect against [*camfecting*](https://en.wikipedia.org/wiki/Camfecting), where a malicious actor, or app is able spy on you and your physical space, without your knowledge. See [this guide](https://blog.malwarebytes.com/hacking-2/2019/09/15000-webcams-vulnerable-how-to-protect-webcam-hacking/) for more tips. Mute home assistants, (Alexa, Google Home and Siri) when you are not using them, or at least when you are discussing anything sensitive or anything conversation involving personal details
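Review bot: the first two rows of the Sensible Computing table say the same thing: "If an email asks you to take a sensitive action, verify it first" and "Verify Recipients" both state that emails are easy to spoof and that you should verify before acting, so the second reads as a rewrite of the first rather than a new entry; keep one, and since the advice is about checking who sent the message, a title such as "Verify Senders" fits the content better than "Verify Recipients". Smaller: in "Prevent Camfecting", "or anything conversation involving personal details" should read "or any conversation involving personal details", and "Dont Trust Your Popup Notifications" is missing its apostrophe.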
@ -273,13 +370,18 @@ Many data breaches, hacks and attacks are caused by human error. The following l
**Install Reputable Software from Trusted Sources** | Recommended | It may seem obvious, but so much of the malware many PC users encounter is often as a result of accidentally downloading and installing bad software. Also, some legitimate applications try to offer you slightly dodgy freeware (such as toolbars, anti-virus, and other utilities). Be sure to pay attention while completing the installation process. Only download software from legitimate sources (often this isn't the top result in Google) so it's important to double check before downloading. Before installing, check it in [Virus Total](https://www.virustotal.com), which scans installable files using multiple AV checkers
**Store personal data securely** | Recommended | Backing up important data is important. But ensure that all information that is stored on your phone/laptop, USB or in a cloud is encrypted. That way, if it is accessed by a hacker (which unfortunately is all too common), it will be almost impossible for them to get to your personal files. For USB devices, see [VeraCrypt](https://www.veracrypt.fr/en/Home.html). For cloud backup, see [Cryptomator](https://cryptomator.org), and for your phone and laptop, see [this guide](https://www.howtogeek.com/260507/psa-encrypt-your-pc-phone-and-tablet-now.-youll-regret-it-later-if-you-dont)
**Do not assume a site is secure, just because it is `HTTPS`** | Recommended | Unlike HTTP, data sent over HTTPS is encrypted. However that does not mean you should trust that website by default. HTTPS Certificates can be obtained by anybody, so a cloned or scam site may have a valid certificate (as denoted by the padlock icon). Always check the URL, and don't enter any personal details unless you are certain a website is legitimate. Avoid entering data on any site that is not HTTPS
**Use Credit Cards, or Virtual Cards when paying online** | Optional | There are risks involved in entering your card details on any website. Credit cards have better consumer protection, compared to debit or bank cards, meaning you are more likely to be recompensated for fraudulent transactions. Better still, paying with a virtual, 1-time card will mean that even if those credentials are compromised a hacker will not be able to lift any of your money. [Privacy.com](https://privacy.com/join/VW7WC) offer virtual payment cards for that you can use anywhere on the internet, as does [Revolut Premium](revolut.ngih.net/Q9jdx)
**Use Virtual Cards when paying online** | Optional | There are risks involved in entering your card details on any website. Credit cards have better consumer protection, compared to debit or bank cards, meaning you are more likely to be recompensated for fraudulent transactions, however they collect and sometimes sell your transaction history. A better option would be to pay with a virtual, 1-time card. This will mean that even if those credentials are compromised a hacker will not be able to lift any of your money. You can also set limits, or create single-use cards, to prevent being over-charged. [Privacy.com](https://privacy.com/join/VW7WC) offer virtual payment cards for that you can use anywhere on the internet, as does [Revolut Premium](revolut.ngih.net/Q9jdx)
**Review application permissions** | Optional | Ensure that no app have unnecessary access to your photos, camera, location, contacts, microphone, call logs etc. See these guides for how to manage app permissions on [Android](https://www.howtogeek.com/230683/how-to-manage-app-permissions-on-android-6.0) and [iOS](https://www.howtogeek.com/211623/how-to-manage-app-permissions-on-your-iphone-or-ipad). On Android, there is a great app called [Exodus Privacy](https://play.google.com/store/apps/details?id=org.eu.exodus_privacy.exodusprivacy), that displays all permissions, and trackers for each of your installed apps
**Opt-out of data sharing** | Optional | Many apps and services automatically opt you in for data collection and sharing. Often this data is sold onto third-parties, who buy customer logs from many companies, and are therefore able to combine them together and easily deduce your identity, and combine it with your habits, purchases, personal details, location etc. For instructions on how to opt-out, see [Simple Opt Out](https://simpleoptout.com)
**Opt-out of public lists** | Optional | In many countries there are public databases that include citizens names, addresses, contact numbers and more. This can often result in unwanted contact from marketing companies, but in some cases used for harassment, stalking and fraud. [This guide](https://www.worldprivacyforum.org/2015/08/consumer-tips-top-ten-opt-outs) from The World Privacy Forum provides good instructions for how to approach this. This includes opting out of: Marketing, Financial Institution Listings, Mail Spam, FERPA Education Listings, Data Brokers and Advertising, as well as joining the National Do Not Call Registry
**Never Provide Additional PII When Opting-Out** | Optional | When removing yourself from less mainstream data sharing services, do not enter any additional intormation in the opt-out form than what is already publicly availible through that site. There have been cases where this extra info is used elsewhere to add more details to your record
**Opt-out of data sharing** | Optional | Many apps, services and software automatically opt you in for data collection and sharing. You should opt-out of this, for instructions on how to opt-out, see [Simple Opt Out](https://simpleoptout.com). <br>Often this collected data is sold onto third-parties, who combine multiple data sets together, allowing them to easily deduce your identity, along with your habits, purchases, personal details, location etc
**Review and update social media privacy** | Optional | Companies regularly update their terms, and that often leads to you being opted back. Check you Facebook, Twitter, Google etc. activity and privacy settings. See also [re-consent](https://github.com/cliqz-oss/re-consent) and [Jumbo](https://www.jumboprivacy.com) which are tools aimed at making this clearer and easier
**Compartmentalize** | Advanced | [Compartmentalization](https://en.wikipedia.org/wiki/Compartmentalization_(information_security)) is where to keep several categories of digital activity and files totally separate from each other. It means that if one area is breached, then an attacker will only have a proportion of your data, and the rest will still be safe. For example, store your work and personal files on separate devices, or use different web browsers for different types of activity, or even run certain tasks in a contained VM or on a separate device (such as having a work phone, and personal phone, or using a separate browser for social media/ chat rooms, or even running a VM for using specialist software)
**WhoIs Privacy Guard** | Advanced | Owning your own domain can prevent you loosing access to your email addresses, or being locked-in with a certain provider. However if you do not use a privacy guard, or enter false web admin details, your data will be publicly accessible through a [WhoIs](https://who.is) search. Most reputable domain registrars will have a WhoIs Privacy option
**Use a forwarding address** | Advanced | Have all mail addressed to a PO Box or forwarding address, to prevent any commerce, utility, finance, media or other companies knowing your read address. This would give you an extra layer of protecting if they suffered a breach, sold on personal details or were presented with a court order
**Use anonymous payment methods** | Advanced | Paying online with credit or debit card involves entering personal details, including name and residential address. Paying with cryptocurrency will not require you to enter any identifiable information. Both [Monero](https://www.getmonero.org) and [Zcash](https://z.cash/) are totally anonymous, and so best for privacy. See also: [Anonymous Payment Methods](/5_Privacy_Respecting_Software.md#payment-methods)
**See also**: [Online Tools](/5_Privacy_Respecting_Software.md#online-tools)
----
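Review bot: this hunk carries pairs of rows that read as old and new versions of the same entry rather than distinct advice: "Use Credit Cards, or Virtual Cards when paying online" beside "Use Virtual Cards when paying online", and "Opt-out of data sharing" appearing twice with near-identical text; keep the later wording of each and drop the other so the table does not repeat itself. The Revolut link in both card rows, `[Revolut Premium](revolut.ngih.net/Q9jdx)`, has no scheme and will render as a relative path; add `https://`. "Compartmentalize" here also duplicates the "Compartmentalize" row in the earlier table of this commit, so the two should be merged or cross-referenced. Typos to fix in the same rows: "loosing access" (losing), "read address" (real address), "extra layer of protecting" (protection), "intormation" (information), "availible" (available), and "no app have" (no app has).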