Towards improving day-to-day security practice, with recommendations from a free handbook available under GPL.
For a long time, I was very lax about my practice of privacy and security online. Nothing bad had ever happened to make me take stock of my vulnerabilities and ways to address them, so I just kept doing things the same way, not bothering to take control of my digital life.
One of the events that precipitated a change in my habits was finding out about https://haveibeenpwned.com/, a tool that lets you check to see whether your email address has been involved in data breaches. It turned out that the main Gmail address I have used for nearly 15 years has been involved in 8 (!) data breaches. It looked like it was time to make some changes.
I've been implementing a number of security improvements. Here's a partial list:
- VPN service (I've had a great experience with NordVPN) for all online activity
- overhauling my password management (in particular, using KeePassX on all my devices, which made it much easier to adopt secure passwords and stop relying on a handful of passwords for all my accounts)
- changing the settings on my home router (typical default settings are a security nightmare)
- switching to encrypted email
- moving away from Chrome and towards Firefox and Tor
I've been looking at a lot of resources that discuss online security. Perhaps the best single resource I've found so far is this:
This great guide includes many of the topics above along with many others. It's a few years old but everything discussed in the book is still relevant. It's a project of FLOSS Manuals, a volunteer organization which produces a wide range of open source manuals and other resources.
Just about everyone can benefit from the information and recommendations in this handbook. Take a little time to look through it and follow the recommendations, and your online security will see a dramatic improvement.
One of my biggest pet peeves is to hear people say, "Well, there's no real privacy online anymore" (or some variant of this statement). This is just simply wrong, and it's incredibly bad advice. Perhaps in some ultimate philosophical sense there is no perfect privacy or security unless you withdraw completely from society and never go online (though even this wouldn't ensure privacy). But that's completely beside the point for most of us. The question is one of practical improvements to the privacy and security of our data and online interactions. The "no real privacy" argument is dangerously misleading, particularly for those who are not well-informed about these issues and rely on others (journalists, security specialists, etc.) to make recommendations about privacy. When people hear that there is "no real privacy", they often take this to mean that it is futile to try to improve the privacy and security of one's data because ultimately there is always the risk of these things being exposed, so why bother if you might get hacked anyway?
This bad advice has led millions of internet users to conclude, fatalistically, that online security is outside of their control. This, of course, is a terrible attitude. You can never ensure, with 100% certainty, that your data will be safe - but that doesn't mean you shouldn't take whatever steps you reasonably can to reduce the likelihood that your important information will fall into the hands of hackers, corporations, and other bad actors. There is always risk in life, but that doesn't mean you just give up autonomy and stop trying to make informed decisions that reduce risk and help you achieve your goals. There are many steps that you can take to make your online activity safer. Most of them are inexpensive and easy. Using a password manager, for example, dramatically simplified my online life - it made things more secure and easier.
The security handbook linked above will help you to be more informed about what the risks are and what you can do to mitigate them. Its recommendations are easy ways to make significant improvements in your security and privacy, and to be an empowered internet user.