InfoSec 101 – a Fancy Way of Saying How to be Safer on the Internet with Your Phone and Computer
The world is under surveillance. It’s a fact of life that almost anywhere there is a concentration of people there will be a way to track them. These are some ways, increasing in difficulty as the article continues, to reduce that footprint. The reasons are many: personal safety, family protection, and reducing targeted ads are the most common.
Caveat: Technology iterates quickly so this article can go out of date within a few months. When possible it will be updated but www.eff.org has been a great choice for a long time and has the resources to keep their guide up to date. Use that for a launching point if all else fails.
Caveat 2: This article pre-supposes a certain level of resources (you probably have a personal smartphone and a computer). Some of the higher levels of difficulty have costs associated with them. Some steps will require a bit of time to use/implement them. It’s an imperfect world and that’s okay. Do what you can.
Caveat 3: Short of completely staying off the internet, getting paid and paying for everything with local currency and having several sets of ID, you are still on some level going to be tracked and findable. This is not a guide to that. This is instead about slowing down the flow of personal information about you that is out there as well as keeping you and your community safer.
Difficulty level 0: This level is the basics. Everything here should be doable in under 20 minutes, is free, and will at most add a few seconds onto your daily time usage.
On your phone (all free, Android and iPhone):
1. Install Signal on your phone. It’s a secure (end-to-end encrypted) voice and text messaging app. Someone watching the network can possibly still see who you are talking to, but they won’t see the content. It’s easy to send a link to folks that don’t have it yet. It’s the best option currently out there for secure calls on a commercial phone. https://whispersystems.org/ (now signal.org)
2. Don’t use your thumbprint to unlock your phone. Use a code (at least 6 digits) or a complex pattern. A finger can be pressed to the sensor while you are asleep or detained; a code has to be given up by you.
3. US only: install the ACLU app for your area. In California it’s called CA Justice. It records video and sends the recording to the ACLU immediately, so the footage isn’t lost if the phone is taken. You can report incidents as well. It has a quick page on your rights and can send you alerts.
On your computer:
1. Install Signal on your desktop. You can use it in lieu of FaceTime and Skype.
2. Install Privacy Badger, Facebook Disconnect, and uBlock Origin in your web browser. These extensions (or ones like them for other flavors of browser) block most trackers and ads. As you are installing them read the summary blurbs so you understand what they do and why they are important.
3. Install HTTPS Everywhere in your web browser. Created by the EFF, it automatically sends you to the encrypted version of a website (like your email) whenever the web server offers one. You’ve probably seen https (that little lock icon in the address bar) if you’ve done any online banking. HTTPS encrypts your information before it leaves your computer and decrypts it only at the server on the other end, so anyone in between sees which site you are talking to but not what you send. I strongly urge you to use this, especially if you like to sit in coffee shops and do your email: on plain http, anyone on the same wifi with a half-way decent set of hacking tools can read your email and all your other web traffic. (The EFF has since retired HTTPS Everywhere because the same protection is now built into the major browsers; turn on your browser’s HTTPS-Only mode instead.)
4. Use DuckDuckGo for your web searches instead of Google; it doesn’t build a profile of you from your searches.
Difficulty level 1: This level is still (mostly) free, but you are going to start seeing a higher burden of work and time for yourself. This is also the point where you’ll want to understand things in more detail for yourself and may not be sure where to start, so I’m going to suggest the EFF again. They have a bunch of different guides in plain English that are solid tutorials: https://ssd.eff.org/
On your phone:
1. Turn off location services. Yep, that means you’ll need to spend an extra 10 seconds turning it back on when you want to use your phone as a GPS.
2. Turn off wifi when you aren’t using it. Your phone is constantly broadcasting, scanning for networks it knows and announcing itself to any access point in range, and those broadcasts can be used to follow you through a building or a city. Cut down on the eavesdropping. This could cost money depending on how much data your mobile plan includes. Be thoughtful about it.
*Sidebar: Wifi and GPS go hand in hand for location services. Your phone uses the wifi networks around it to get a faster and more accurate fix, so with wifi on your location is known more precisely. Keep that in mind as you use them. Also know that cellphone towers track you regardless (that’s how the network knows which tower to deliver your texts through, among other things). Turning off location services stops apps such as Google’s from reporting where you are; it doesn’t stop your service provider (and, through them, potentially law enforcement) from knowing roughly where your phone is.
3. Understanding mobile security and some basic stuff you can do: https://securityinabox.org/en/guide/mobile-phones
On your computer:
1. Use a separate web browser for Facebook and any other social media. Even with privacy blockers you aren’t going to be able to block everything. Yes, they will still be able to track you by IP address, but it keeps their cookies away from the rest of your browsing, which is a basic layer of obfuscation. There are guides online for deleting cookies and web beacons, like this one: http://www.digitaltrends.com/computing/how-to-delete-cookies-in-chrome-firefox-safari-and-ie/
2. If you use Google Drive, Dropbox, iCloud and the like, make sure you don’t have anything sensitive on there. Where possible move that material off those accounts.
3. Create a backup email address that isn’t tied to any other account you’ve got (i.e. if you go with Gmail don’t use your known Gmail account as the ‘recovery’ address).
4. https://www.google.com/landing/2step/ – Use two-factor authentication (2FA) everywhere you can. (This link is for Google.) 2FA means that once it is set up, logging into your bank/email/Dropbox/Facebook also asks for a second proof that you are you: a code texted to your phone, a code from an authenticator app, or a hardware key. This is GREAT if you think you are at risk of having your password stolen, because a stolen password alone doesn’t get them in without also having your phone. Where the service offers it, prefer an authenticator app or hardware key over texted codes: a text can be intercepted by someone who talks your carrier into moving your phone number onto their SIM.
*Sidebar: 2FA can be a hindrance if you lose possession of your phone. Save the backup codes the service gives you when you set it up, and here is a guide on how to handle it if you think losing the phone is likely: http://lifehacker.com/what-do-i-do-if-i-use-two-factor-authentication-and-los-1668727532
Difficulty level 2: This is where money starts to get involved. This is also the level that most folks I know who are serious about their protest work, or are at high risk of online harassment, live at (there are sub-levels within; not everyone does all of these). Almost none of these require any real tech savvy, and those that do tend to have very good guides on how to set them up. Check in your local communities and find someone to help if you get really lost.
What to do when you are doxxed or think you might be a target for it:
This guide was originally written with women in mind, since they were most often the targets of social-media abuse during GamerGate. It has gotten more sophisticated and robust since then and I highly recommend it. It’s a good step-by-step guide for scrubbing yourself from the internet, including things like your physical location.
1. Costs money – Get 1Password or another password manager, and use a different, randomly generated password for each service, so a password leaked from one site can’t be reused against your email or bank.
2. Costs money – Get a burner phone with cash and spare minutes/texts. Keep a list of key phone numbers somewhere other than your main phone. This will be good if you really want to go off the grid or your main phone gets seized.
1. Get an email account on Riseup or ProtonMail. Set it up from someplace like a library or web cafe with a shared computer, so the account isn’t created from your home connection.
2. Get a VPN account (again, paid for with a gift card bought with cash) and use it for any internet browsing at all, ESPECIALLY in public. That free Starbucks or Target wifi? You’re offering up tasty info to anyone with a basic set of skills for free, including handing over your browsing data to the corporation you are sitting in (and don’t they get enough of that already?). HTTPS already hides what you send to a site; the VPN also hides which sites you visit from the network you are on, and moves that trust to the VPN provider instead, so pick one you are willing to trust. I don’t have a recommendation for any specific VPN service. They change frequently and you’ll need to judge for yourself who has the best mix of requirements for you. I will recommend you get one not based in the US because of the government oversight issues.
Difficulty level 2.5: I went back and forth about this one and where it lived, so I’m making it a half step. This one does have a bit of a tech requirement (but not much) and is very secure, especially if you live in a high-risk environment where you cannot trust the computer that you use.
1. Use Tails (essentially an operating system and applications on a USB drive; it runs from the drive, routes all of its network traffic through Tor, and leaves no trace on the host computer) and Tor (there are a lot of great posts on Tor; the tl;dr is that it’s a way of hiding where you are on the internet by passing your traffic through a whole bunch of places first. It’s not foolproof, but it raises the complexity quite a bit).
*Sidenote: Many people put Tor much earlier in the guide than I have. Tor’s obfuscation is great, but it’s a shared, volunteer-run network, and if you are not at high risk then please consider what your traffic is doing to it. It’s also, quite frankly, slow for web browsing, especially during times of unrest. Balance your traffic needs against privacy.
2. Use KeePass for your password database. It stores your passwords as a single encrypted file on your own machine instead of syncing them through a vendor’s cloud account like 1Password does, which removes one place your data can leak, but it is more work to keep in sync across devices. http://www.cio.com/article/3049476/security/how-to-set-up-a-portable-non-cloud-based-password-manager.html
Credit: Some of the resources for my guide came from here:
As well as the EFF and the Next 70 days guide.