A Defensive Computing Checklist
by Michael Horowitz

F_ck Russia (except Navalny, of course)

This is a list of both things to be aware of and specific defensive steps that we can take in response to the common threats of 2019. No list like this can ever be complete, nor would anyone want it to be complete, as that list would never end. I tried to limit this to the most important issues; still, it's long (25,000 words).

There is a bit of "Ball Four" here. Back in the 1970s, Jim Bouton's book told the inside story about what it was like to be a major league baseball player and about the players themselves. He offered a new perspective on baseball. People need a new perspective on computing. Much of the advice offered by techies is flatly wrong. They mean well but are either misinformed or merely parroting back an accepted principle. Some of the advice is right for other techies, but wrong for the general public. Perhaps the most famous advice that turned out to be wrong was the suggestion to periodically change your passwords. Ugh. Then too, we had "Use Tor, Use Signal." Ouch.

The other source of advice, the mainstream media, is also frequently wrong, both by commission and by omission. Far too many articles are written by Art History majors covering tech this year, after covering some other beat previously and before they move on to yet another area. Very few mainstream media stories (I'm looking at you, WaPo and NY Times) are written by actual nerds. They don't even seem to be reviewed by qualified nerds. Case in point from July 2019: a report came out about web browser extensions that spy on you. This triggered long articles in the Washington Post and Ars Technica. Neither article suggested using a Chromebook, where Guest mode does not allow any extensions.

Why trust me? I am a long time independent techie (About Me) with nothing to sell. This site will never be popular. Screaming THINGS ARE BAD! THINGS ARE BAD! gets attention. Offering people dull and boring errands to protect themselves gets no attention. If you find any of this too advanced or too mired in buzzwords, please let me know by email to defensivecomputing -at- michaelhorowitz dot com.

This site was last updated: May 15, 2022. See the most recent updates.

ALL TOPICS
Airbnb | Amazon | Android | Batteries | Bluetooth | Cars | Cash Apps (Zelle, Venmo) | ChromeOS | Desktop Operating Systems | Domain Names | Email | Encryption | Encrypted DNS | Facebook | Fake Job Scams | Fake Voices | Gmail | Google | Identity Theft | Instagram | iOS (Apple iPhone, iPad) | Location Tracking | macOS (Apple Macintosh) | Microsoft Office | Mobile OS Spying | Mobile Scanning and Sharing | Networking | Network Attached Storage (NAS) | One Offs | Passwords | Phone Scams | Phone Number Hiding | Power Outage | Printers | Protecting Children from Bad Adults | Public Wi-Fi | Ring Doorbells | Reporting Bad Stuff | Secure Websites | SIM Swaps | Slack | Smart TVs Getting Hacked | Stalkerware | Surge Protectors | Tax Filing in the US | Tech Support Scams | Texts (spam, scam, phishing, missing) | TikTok | Two Factor Authentication | TV Watches You | Twitter | Voice Assistants (Smart Speakers) | VPNs | Web Browsers | Web Browser Fingerprinting | Website Identity Verification | WhatsApp | Zoom
Reading List | Extra Credit | The Competition

TLDR: If you read nothing else here, keep this in mind:
--> When you get a text message, you have no idea who sent it
--> When you get an email message, you have no idea who sent it
--> When you get a phone call, you have no idea who the caller is

Victims can be fooled because the scammers know so much about them. This is the inevitable fallout from far too many data breaches. A March 2022 article in the Washington Post suggested: "To avoid a scam using the conflict in Ukraine ... start with the premise that every direct message, link, email or text is fake and work from there. This should be your default response to any contact you did not initiate." Any time you are asked to pay for something with a gift card, it is a scam. Non-technical people are often tricked into installing malicious software. As Brian Krebs says, "If you didn't go looking for it, don't install it!"

EMAIL

Many times, perhaps most of the time, the first step in a company getting hacked is an email message. That's why this is the first topic.

You never know who sent an email message, so think carefully before taking action based on a single message. It is fairly easy to forge the FROM address of an email. Be especially careful about doing anything involving money, passwords or personal information based on one lousy email message. Techies can look at the hidden email headers to get an idea who really sent a given message, but this is not a skill taught in nerd school. If you can figure out how to display the header of an email message, you can copy/paste it into www.iplocation.net/trace-email, which will parse the header and tell you the sending/source IP address, country, ISP and organization. A similar tool is Email Header Analyzer by MxToolbox. Might help.

In light of the above, victims might trust that an email was legit if it knew something about them. However, our personal information has leaked time and time again, so including information about you, specifically, is no indication that the sender is who they claim to be or that the message is legit. For example, Starwood was hacked, so an email about the time you stayed at the Westin hotel in Cleveland in the summer of 2018 may not be from Starwood. Bad guys know you stayed there too.

It is easy to assume that when you reply to an email message, the reply goes to the person that sent the message.
Sure, this is the case almost all the time, but not all the time. Internet email has a rarely used Reply-To feature that lets the sender specify an email address to receive replies. An email message from [email protected] might have a Reply-To address of [email protected] or [email protected] or [email protected]. The Reply-To address can be anything, but copying the sender's name while changing the domain makes it more likely the scam will not be noticed. If the Reply-To is used in conjunction with a spoofed sender email address, then a victim can be fooled into an ongoing conversation with bad guys. Maybe your email software will display the Reply-To field, maybe it won't. Gmail hides the Reply-To address until you actually reply.

Links: Links in email and web pages are complicated. Unless you are a techie, it can be almost impossible to know where you will end up after clicking on a link. If an email message has a link to login to a service, DO NOT click it. Go to the website of the service on your own and login there. The use of official logos and images in an email message also does not indicate legitimacy. See How to spot suspicious emails and Dealing with Fake 'Ask Leo', which examines a scam email message for telltale signs. The more urgent the plea for you to take action, the more likely the message is a scam. Bad guys don't want you to have a chance to think about the issue or check with others.

An email password is more important than many people think. In that light, make sure it is at least 12 characters long and that you do not use the password for anything else. If you use password manager software, do not keep the email password in the password manager. Keep it on paper instead. When bad guys learn your email password, they are likely to send scam messages to everyone in your address book. So that you see these messages as soon as possible, consider having both your own email address and a secondary one that also belongs to you in your email address book.

Terminology: "Phishing" means scam. A phishing email is lying to you about something. "Spear Phishing" is a scam specifically targeted at you. In a spear phish, the bad guys will have researched you and they use the information about you as part of the lure in their scam. For example, they might learn who does the money transfers in a company, then pretend to be the boss and order a fake money transfer.

Email attachments: Word documents, spreadsheets and PDF files are often malicious. The safest way to open any file attached to an email message is on a Chromebook running in Guest mode. The next safest option is to open it on an iOS device. The third safest environment is Google Drive (hopefully from a Chromebook or an iOS device): upload the attachment to Google Drive and open it from there. The least safe environment to deal with email attachments is Windows. If you must use Windows or macOS, download the attached file and go to VirusTotal.com to scan it with many different anti-virus programs before opening it. Any type of attached file can be dangerous.

Secure Email: The only two companies offering this, that I know of, are ProtonMail and Tutanota. Neither company can read your email while it is stored on their servers. Messages sent between their customers are also safe from prying eyes. Email from either company to any other email provider can be either secure or not, but it is a very different type of security. In October 2021, I wrote about this: Using ProtonMail encrypted messages with a normal email account. Both companies offer free limited accounts. Both can be used with software on your computer, but webmail lets the browser prove that encryption is being used in transit. Webmail can also be used on a Chromebook running in Guest mode to ensure that no trace of your actions is left behind. Episode 149 of the Privacy, Security, & OSINT podcast was on Secure Email, with a comparison of ProtonMail and Tutanota. Interesting point in the podcast: you may want to configure each service not to automatically save every email address you correspond with in your Contacts list.

If you use webmail, you should have a local (on your computer) backup of your contacts/address book. For Gmail, go to contacts.google.com and look for "Export" in the left side vertical column. Google offers three possible formats for the backup file; it cannot hurt to make three backups, one in each format. Make a note to do this backup every few months.

An email with a password protected attachment that has the password in the body of the email message is surely malicious. This is a trick bad guys use to prevent anti-virus programs from detecting malicious software. If you try to open an attached file on Windows and it fails to open, you can still get infected with a virus. An email that asks you to logon to read an encrypted message is a scam.

REPORTING: Emails that pretend to be from a trusted organization for the purpose of stealing passwords or other personal information can be reported to Cisco PhishTank, SpamCop and the Anti-Phishing Working Group. Registration is required. You can also report any and all SPAM to SpamCop. Links from Daniel Aleksandersen. Sophos is also willing to accept SPAM and malicious emails on their Submit a Sample page. If the scam came from Hotmail or Outlook, report it to [email protected]. If the scam came from Gmail, then report it to [email protected].

Use MULTIPLE EMAIL ADDRESSES. This is a biggie. Far too many systems use an email address as their unique identifier, so when one system gets hacked, bad guys are halfway to hacking into your other accounts. Having multiple email addresses avoids putting too many eggs in one basket and (depending on how it's done) can increase your privacy by hiding your real email address. The ultimate Defensive Computing goal is to use a different email address with every service that requires one.
Of course, no one wants to check multiple inboxes, and there is more than one way to set this up so that all your emails end up in one inbox. As a side benefit, multiple email addresses help to confirm the legitimacy of an email message. If you get a message from your power company warning that the power will be cut off if you don't pay immediately, and it was not sent to the email address you use only with the power company, then it's clearly fake.

MULTIPLE EMAIL ADDRESSES (Last Update: March 30, 2022)

As a first step, I suggest having a second email address for things you don't care about. A step up from that is to use an email forwarding service. You can get dozens of alternate email addresses with a forwarding service such as 33mail.com, anonaddy.com or simplelogin.io. These are best for receiving email. Responding with your alternate address may cost money or not be an option at all.

temp-mail.org offers temporary disposable email addresses. The email addresses are generated as soon as you load the website; there is no need to provide any personal information. The service is free. The temporary email address exists until you either manually delete it or until you close the browser window. Received messages display on the website. You cannot send email with the service.

SimpleLogin is an email forwarding service. They offer 15 forwarded email addresses and one real inbox for free. For $30/year you get unlimited forwarding, unlimited mailboxes, and your own domain name. They use the term alias incorrectly. Their service forwards emails; it is not a second name for an already existing email inbox. They generate nonsense email addresses and support two factor authentication.

AnonAddy also offers email forwarding. You get a username with them and your email address is something like [email protected].

Ten Minute Mail offers a random email address that is good for only 10 minutes (but you can get another 10 minutes just by clicking a button). You are assigned the email address as soon as you visit the website home page. Received emails also show up on the website home page. You need do nothing, other than give out the email address. The service uses multiple rotating domain names. It is a free service with no ads and donations are accepted. See a screen shot.

Gmail offers email forwarding as a free service. If you are, for example, [email protected] and you coach a soccer team but don't want the soccer moms to have your real email address, you could create [email protected] and forward it to [email protected]. This does not scale well, however.

Customers of mailbox.org can use their disposable email address feature. There is no free version of mailbox.org but there is a 30 day free trial. Apple offers Sign in with Apple, which has a Hide My Email option.

The best method for creating dozens or hundreds of email addresses involves having your own domain, which costs roughly $15/year. This is what I do. Specifically, I own the michaelhorowitz.com domain. Many companies register domains; they are called Registrars. Many registrars offer free email forwarding. There is often no limit on the number of forwarded email addresses. Where do emails get forwarded? Wherever you want.

With your own domain, there is an easy and a hard way to create dozens (or hundreds) of email addresses. The easy way is called catch-all email forwarding and it means that any email address at the domain that does not have a specific rule gets forwarded. The hard way is to create a new email address forwarding rule every time you need it. The upside to the hard method is that specific email addresses can be forwarded to a different email address. Either way, when shopping at Macys, I could use [email protected] and when shopping at JC Penny, I could use [email protected]. Another upside to forwarding email is that you can change email providers without anyone knowing or caring. You can change both the registrar doing the forwarding and the destination of the forwarding. Still another upside is that you can register a domain that does not self-identify you, for added privacy. I do that too.

In September 2021, Cloudflare announced their new Email Routing offering. You register a domain with them and they can forward an unlimited number of email addresses to anywhere. The same service is offered by almost every website hosting company and domain registrar. Their sales pitch is that it is easy to create new forwarding rules. Eh.

Still another approach is to use aliases. An alias offers multiple names for one single email address/inbox. The advantage is that forwarding is not needed. Email providers differ in whether they offer aliases at all, and in how many they offer. With iCloud Mail, you can have up to three active email aliases. At Fastmail, cheaper accounts offer a few aliases, more expensive accounts offer more. mailbox.org offers 25 aliases.

Customers of Fastmail can use their Masked Email feature to generate what are, in effect, aliases. Masked email addresses are two random words and a number, such as [email protected]. Low end accounts are limited to the fastmail.com domain; higher end accounts can use a custom domain name. You can create a short description for each Masked address to remember what it is for/from. You cannot send a new message from a Masked Email address, but when you reply to a message sent to one, Fastmail hides your real account name and uses the masked address as the FROM address.

As of June 2021, iOS v15 is expected at the end of 2021. A new feature, part of iCloud+, will be Hide My Email. It will enable Apple customers to generate unique, random email addresses that function like aliases. Messages sent to these alias email addresses end up in the one and only inbox. This provides privacy and I presume Apple will let you delete an alias should you not want emails from a particular source. One downside is that a randomly generated email address has no meaning. In the earlier example, it will not be obvious if the scam email was sent to the email address dedicated to the power company or not. On the upside, the number of aliases is said to be unlimited. It is not clear, when you reply to an email sent to an alias, whether the from address will be the alias or the main account.

Gmail also lets you add a plus sign at the end of your Gmail userid to make unique email addresses. You could, for example, be [email protected] and [email protected]. Basically, this is an alias. Sounds great, but some (too many, in my experience) websites consider an email address with a plus sign to be invalid. And, this offers no privacy as it does not hide the actual email address. The Gmail "plus sign trick" illustrates another benefit to having multiple email addresses: it helps you detect who shared your email address with their "business partners" (spammers). For example, if I were to get emails for new credit cards sent to [email protected], then I know that JC Penny shared my email address.

This article, How to Avoid Spam - Using Disposable Contact Information by David Nield (May 2020), discusses four email forwarding services: Sign in with Apple (for Apple customers only), 10 Minute Mail, Guerrilla Mail and Burner Mail. Firefox Private Relay will be another email forwarding service. As of October 2020, it is in public beta testing and allows for 5 aliases and supports forwarding of email attachments up to 150KB. You are assigned a random email address that ends in @relay.firefox.com.

Need some motivation for creating multiple email addresses? See how often your email address(es) have been included in a data breach at haveibeenpwned.com. If you opt for using your own personal domain, then you can use the Domain Search feature of haveibeenpwned.com to subscribe to your domain and be notified when any of your email addresses have been stolen in a data breach. Way cool.
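Two of the checks above can be done mechanically on a raw message: the Reply-To trick described under EMAIL (a reply silently going to a different address than the visible sender) and the dedicated-alias test from this section (mail claiming to be from the power company but not delivered to the power company's alias). The following Python is an added example, not code from the checklist; the sender-to-alias mapping and both sample messages are constructed for illustration.

```python
"""Flag two email red flags described in the checklist (added example).

1. A Reply-To header that does not match the From address, so a reply to a
   spoofed message quietly goes to the scammer instead of the apparent sender.
2. A message that claims to come from an organisation you gave a dedicated
   alias to, but that arrived at some other address.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed mapping (hypothetical): which dedicated forwarding alias was
# handed out to which organisation. A real list would be your own.
ALIAS_FOR_SENDER_DOMAIN = {
    "examplepower.com": "power@mydomain.example",
    "examplestore.com": "store@mydomain.example",
}


def address_domain(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()


def check_message(raw_message):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []

    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()

    # Finding 1: replies would go somewhere other than the visible sender.
    # Gmail hides this until you hit reply, so surface it up front.
    if reply_to and reply_to != from_addr:
        findings.append(f"reply-to mismatch: From={from_addr} Reply-To={reply_to}")

    # Finding 2: the sender claims to be an organisation that only ever got a
    # dedicated alias, yet the message was delivered elsewhere.
    expected_alias = ALIAS_FOR_SENDER_DOMAIN.get(address_domain(from_addr))
    if expected_alias and to_addr != expected_alias:
        findings.append(
            f"alias mismatch: mail from {address_domain(from_addr)} should "
            f"arrive at {expected_alias}, not {to_addr}"
        )
    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = (
    "From: Example Power Billing <billing@examplepower.com>\n"
    "Reply-To: Example Power Billing <billing@examplepower-billing.com>\n"
    "To: store@mydomain.example\n"
    "Subject: Final notice: pay today or service is cut off\n"
    "\n"
    "Please reply with your account details to avoid disconnection.\n"
)

LEGITIMATE = (
    "From: Example Power Billing <billing@examplepower.com>\n"
    "To: power@mydomain.example\n"
    "Subject: Your monthly statement is ready\n"
    "\n"
    "Log in to the site you normally use to view your statement.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_message(raw) or ["no findings"])
```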
This also lets you download every breach involving your domain, as this screen shot demonstrates. In July 2016, I wrote Defending yourself from Amazon.com, which makes the case for having a dedicated Amazon email address.

If you have an email account with a recovery email address (Gmail does this) you should check every now and then (yearly?) that the recovery email address is still valid. It is used for things like resetting the password.

A special warning to Uber customers about malicious email that really looks like it came from Uber. More in this January 2, 2022 article: Uber ignores vulnerability that lets you send any email from Uber.com by Ax Sharma.

Taking a step back, it seems to me like we are living in a time much like the one before seat belts were required in cars. The current norm, reading email on a computer with sensitive or important files (or LAN based access to such files), is much too risky. If you are not reading email on a Chromebook or an iOS device, you are doing it wrong. Using any other OS, in a corporate environment, is job security for the IT department and the assorted security companies they employ. I say this as someone who does not work in corporate IT.

UNDERSTANDING DOMAIN NAMES

Some domain names are: google.com, columbia.edu, irs.gov and RouterSecurity.org. Fake websites are an extremely common scam. To identify the fakes, you need to understand the rules for domain names. Many scam website names look legit to someone who does not know the rules. And, there are lots of rules and scams targeted at people that don't know the rules. This topic has been moved to a Domain Name Rules page.

PASSWORDS

There are two big issues with passwords: how to create the dozens that we all need and how to retrieve them after they are created. It is tempting to avoid both problems by re-using a password. NEVER re-use passwords. This is the most important thing about passwords, for two reasons. First, companies are hacked all the time, leaking passwords that bad guys then try at other systems/websites. This is made worse by the fact that so many different websites/companies use an email address as a userid. So, if a re-used password leaks it can open up access to multiple accounts. This article, Credential stuffing explained: How to prevent, detect and defend against it (Lucian Constantin, Oct 2019), explains that the automated use of stolen usernames and passwords to access accounts is low risk, high reward for cybercriminals.

There are millions of articles on the best way to deal with passwords. Almost every one of them is wrong. Typically, the author offers the best solution for them, not for you. There is no single approach to the two basic problems (creating and retrieving) that is appropriate for everyone. Computer techies always recommend a software solution. This is stupid on many levels. There is nothing wrong with storing passwords on paper. Even someone who uses a password management program should still store a small number of their passwords on paper.

Another piece of bad advice that is frequently repeated is that random passwords are good. They are not, because they ignore the human factor: they are impossible to remember and hard to type. Specifically, passwords such as "kdnH54#sadweD" and "mkJy$sCFqw" should be avoided in favor of something akin to "99HeavyRedbaseballs" or "reallyoldLemon$$trees". String together a few words (no mis-spellings needed), add a number or a special character, and use mixed case. Good enough. Typically, the length of a password is far more important than its randomness. I go into more detail on passwords, including the use of password formulas, in my Aug. 2019 blog The world's BEST password advice.

Almost every computer nerd recommends password management software. I disagree. Techies that say this are thinking inside the box and over-valuing the need for randomness in passwords. They also underestimate the hassle of new software for non-techies. In May 2019, Maciej Cegłowski wrote What I Learned Trying To Secure Congressional Campaigns. Among things that went badly was his attempt at getting non-techies to use a password manager. Quoting:

"I was never able to find a way to set people up on a password manager in the time available. Let me be very clear: I would like all people to use a password manager ... But I never found a way to get people onto 1password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. In the end, I told candidates to generate unique passwords and save them in the notes app on their phone, or write them down on a card they kept in their wallet."

John Opdenakker is a rare techie willing to admit that password managers are not the best solution for everyone. He writes: "Knowing that many online services give password manager users a hard time, it's not very likely that non tech savvy people will be able to use them ... for a lot of users, like my mum or dad ... I recommended them to use different passwords for their accounts and write them down in a password book."

Try using a formula to generate your passwords. A simple formula is to start every password with the same string of characters. Then, you can choose very simple passwords to append to the constant beginning. For example, a baseball fan might start every password with "BaseballRules!" Then, if "jungle" was their password for Amazon.com, the actual password is "BaseballRules!jungle" and all you would have to remember would be that your Amazon password is "jungle". Pretty easy. Amazon. Jungle.
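The leak check at haveibeenpwned.com/Passwords, which this section recommends, never receives your password: the browser hashes it locally, sends only the first five hex characters of the SHA-1, gets back every suffix in that range, and compares them itself. This added example (not code from the checklist) does that range lookup against a constructed, offline copy of one range response, and runs the formula above over the easy part "jungle" to produce the candidate to test; the function names and the sample range data are assumptions for illustration, though the SHA-1 of "password" really does start with 5BAA6.

```python
"""Check a password against the Pwned Passwords range API without sending it
(added example). Only the first 5 hex characters of the SHA-1 hash leave the
machine; the rest of the comparison happens locally (k-anonymity)."""
import hashlib
from urllib.request import urlopen

# The real endpoint: https://api.pwnedpasswords.com/range/<5 hex chars>.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for one range response, keyed by prefix. The response
# format (SUFFIX:COUNT per line) is the real one; the counts are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000\n"
        "0123456789ABCDEF0123456789ABCDEF012:12\n"
    ),
}


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Scan a range response locally and return the breach count for suffix."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found == suffix:
            return int(count)
    return 0


def fetch_range_offline(prefix):
    """Constructed fetcher used in this example; '' for ranges we have no copy of."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def fetch_range_online(prefix):
    """Real fetcher: GET the range for the 5-character prefix (network needed)."""
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def formula_password(constant, easy_part):
    """The checklist's formula: a fixed prefix plus an easy-to-remember word."""
    return constant + easy_part


if __name__ == "__main__":
    for candidate in ("password", "jungle", formula_password("BaseballRules!", "jungle")):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times in the sample data")
```

Pass `fetch_range=fetch_range_online` to `pwned_count` to query the live service; the password itself still never leaves the machine.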
And, the miserable password "book" for Barnes and Noble becomes a good password ("BaseballRules!book") when run through the formula. Perhaps the worst password is the word password. But, as Leo Notenboom points out, "1234 password 1234" is a pretty good password. And, while I would not use this particular password, it can illustrate a simple formula: start and end every password with the same number, then put a word in the middle surrounded by spaces.

You can check if any of your passwords have leaked in a data breach at haveibeenpwned.com/Passwords. Of course, someone else may have been using the same password. The best passwords have never leaked, and a formula (above) should produce globally unique passwords fairly easily.

Storing passwords: Using a formula lets you write down just the easy/right part of the password and still be secure. If someone saw your password list and read that "book" was your Barnes and Noble password, it would be useless without the formula. Passwords written on paper cannot be hacked; just be sure to xerox the list every now and then in case you lose it.

Traveling passwords: Paper passwords work everywhere, no matter the device, the Operating System or the software being used. I use a password manager for a small number of passwords and it's useless on a Chromebook running in Guest mode, which is where I do my sensitive transactions.

Some passwords are much more important than others. Which, of your many passwords, would be the worst for bad guys to obtain? Keep those passwords off your computers. Store them on multiple pieces of paper in multiple places. Or, store them on a USB flash drive which is rarely connected to a computer.

VERIFIED WEBSITE IDENTITY (Last update: Jan 20, 2021)

Everyone is told there are two types of websites: secure (HTTPS) and not secure (HTTP). In fact there are three types of websites. The third type is a "secure" site that has gone the extra mile and offers proof of its identity.
In another type of attack, a web browser may display the correct something.citi.com, and yet the website could still be a fake. To prevent this, companies that take this stuff seriously pay extra to have their identities verified. It used to be easy and obvious to tell the difference between websites with a verified identity and those sites, like this one, without one. For example, citi.com used to say "Citigroup Inc. (US)" just to the left of online.citi.com in the address bar. Bank of America does the same thing, as you would expect any financial company to do (see example). Different browsers handle this differently, but the one constant is that a verified identity is no longer any of your business. It still exists, but only for those who know where to look for it in the particular browser they are using. If the website of your financial institution has this extra identity protection, get in the habit of looking for it. If this information is not provided, take that as a bad sign about the company and its website.

In techie terms, this website is Domain Validated (DV); the Citigroup and Bank of America websites have Extended Validation (EV). The home office of incompetence, Equifax, does not offer identity verification. Not a surprise. What is surprising is that neither does Amazon.com (shown in the screen shots).

Web browsers have always been inconsistent in how they indicate that a site has had its identity verified. Worse still, each browser constantly fiddled with their padlock display. As an illustration, this Aug. 2019 image, from Twitter user Cryptoki, shows eight different browsers indicating this in eight different ways. Internet Explorer was, by far, the best. It turned the entire address bar green, a visual clue that no one could miss. Most browsers displayed the verified company name in green, somewhere on the address bar. An inconsistent User Interface is the good old days. As of September 2019 (give or take) there will be no user interface, at least not one that is visible by default. The two major web browsers, Chrome and Firefox, have decided to hide this. Already, many web browsers fail to indicate a verified identity in any way.

Why have Google and Mozilla decided to remove the indicators of a verified identity? Because you are stupid. They won't say that directly, but that is clearly what they are thinking. They point out that non-techies do not understand what it means for a website to have a verified identity. Never mind that, in no small part, this is their own fault for not having a standard indicator. Given this lack of understanding, rather than try to educate the public, they are taking their ball home so we can't play the game. Nerds at their worst.

Browsers will always be changing. As of January 2021, on Windows, you can tell the difference between a site with a verified identity and one without by clicking on the lock on the address bar (just left of the website name). In Chrome, Brave, Edge and Opera, if it just says "Certificate (Valid)" then there is no verified identity. However, if underneath this it also says "Issued to: companyname" then the identity of the site has been verified. See a Chrome 87 screen shot showing it both ways. With Firefox, if it just says "Connection Secure" that is bad. However, if underneath this it also says "Certificate issued to: companyname" that is good. With Vivaldi (version 3.5.2115.87) there is no need to click; it displays a verified company identity in green on the address bar. The Vivaldi lock is also black without a verified identity and green with one. Whew.

As with email messages, the content of a fake website can look exactly like the real thing. Anyone can copy images and text and fonts from the real site and use them to make a fake site.

SECURE WEBSITES

If you visit a web page, everyone knows that HTTPS encrypts the content of the page. But that's not the whole story. As this blog by DuckDuckGo points out, parts of the URL are not encrypted. For example, if you visit https://cancer.mayoclinic.org/isitcontagious.html the fact that you visited the Mayo Clinic website and were interested in cancer will be visible to anyone watching network data transmissions. However, that you wondered whether cancer was contagious is not visible. In techie terms, everything after the domain name (isitcontagious.html) is encrypted in transit; however, the domain name (mayoclinic.org) and sub-domains (cancer) are not encrypted.

The concept of secure websites, indicated by HTTPS or a lock icon, is, in many ways, a scam. The security that people tout refers to a small piece of a large pie. Specifically, it refers to in-flight data: data being transmitted back and forth between your computer and a website. If, while traveling over the Internet, the data/web page is encrypted, then the entire site is said to be secure. Fact is, dozens of things can still leak your sensitive data. Take the just-discussed EV/DV validation of websites. Without real identity verification (EV), you could "securely" send passwords to bad guys. Another scam is that encryption is a binary thing, that it is either on or off. In reality, it is quite complicated. So much so, that there are security rating websites (next topic). Perfect Forward Secrecy (PFS) is another factor, one that is hardly ever discussed. Without PFS, spy agencies can very likely (no one knows for sure) decrypt the encrypted data traveling over the Internet. Another factor is keeping private encryption keys private. If they leak (it's just a string of bits), encrypted data can, again, be decrypted. No one knows how well any website protects its private keys. Then too, many websites continue to support older security/encryption protocols with known flaws (TLS 1.0 and 1.1). And, websites have different sections; each section has its own security profile, and one section may be more secure than another.
For example, in 2016, I blogged about how www.ssa.gov was secure while secure.ssa.gov was not (since fixed). And, nothing about encryption in transit tells you anything about the strength of the security on the back end (think Facebook storing passwords in plain text), or whether software running on the back end is being updated with bug fixes (think Equifax), how good their defenses are against attacks, who they share your data with, or whether the data is left publicly available to anyone who knows where to look, no attacking needed (this happens a lot). I could go on. Anyone who tells you to trust a website because it is secure is either uninformed or lying on purpose because it serves their needs.

A great website for evaluating the encryption used by a website is the Qualys SSL Server Test. Ironically, it does not have extended identity protection. Still, it offers both a ton of technical information about encryption and a simple letter grade at the top. I suggest testing your most important sites: banking, email and any website holding your sensitive information. Every site should get either an A or A+. Anything else is a failure. The orange horizontal stripes under the letter grade are security failures. To be thorough, you need to check each section of a website. For example, at the US Social Security Administration, you would check both www.ssa.gov and secure.ssa.gov. To put this in perspective, again, encryption is a small piece of a large pie. Nothing about the strength of the encryption used to send/receive data tells you anything about whether passwords are stored in plain text, or whether bug fixes are applied to the software running the website, or any other aspect of security.

Some websites use secret questions as a way to identify you should you forget your password. Never answer these truthfully. You don't want the answer to be anything that someone could either guess or learn about you. In fact, don't even give reasonable answers.
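Two of the things a rating site grades, support for the flawed TLS 1.0/1.1 versions and whether a cipher suite gives Perfect Forward Secrecy, can also be enforced and checked on your own side of the connection. The following is an added example, not from the checklist or from Qualys: standard-library Python that builds a client context refusing anything older than TLS 1.2, and classifies cipher suite names (OpenSSL and IANA spellings) as forward secret or not. The suite names used in the tests are constructed samples.

```python
"""Added example, not from the checklist: a client-side TLS configuration that
refuses the flawed protocol versions the text mentions (TLS 1.0 and 1.1), and a
classifier that answers the Perfect Forward Secrecy question for a cipher suite
name the way a rating site does. Standard library only.
"""
import ssl
from typing import Dict, List


def hardened_client_context() -> ssl.SSLContext:
    """A client context that only speaks TLS 1.2 or newer."""
    ctx = ssl.create_default_context()      # verifies the chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def forward_secret(suite: str) -> bool:
    """True when the key exchange is ephemeral Diffie-Hellman, so a private
    key that leaks later cannot decrypt traffic that was recorded earlier.

    Accepts OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA) and IANA
    names (TLS_ECDHE_RSA_WITH_..., TLS_RSA_WITH_...). TLS 1.3 suites such as
    TLS_AES_128_GCM_SHA256 carry no key-exchange token at all, because
    TLS 1.3 permits only ephemeral exchanges.
    """
    tokens = suite.upper().replace("-", "_").split("_")
    if "ECDHE" in tokens or "DHE" in tokens:
        return True
    if tokens[0] == "TLS" and "WITH" not in tokens:
        return True                          # TLS 1.3 naming: always PFS
    return False                             # static RSA or static (EC)DH


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Report what a context will and will not accept."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "non_pfs_ciphers": [n for n in names if not forward_secret(n)],
    }


def grade_suites(suites: List[str]) -> Dict[str, bool]:
    """Map each suite name to its PFS verdict (the orange-stripe check)."""
    return {s: forward_secret(s) for s in suites}


if __name__ == "__main__":
    print(context_summary(hardened_client_context()))
    print(grade_suites(["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
                        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_AES_256_GCM_SHA384"]))
```

A server that only offers suites in the non-PFS column is one whose recorded traffic becomes readable the day its private key leaks, which is the page's PFS point stated as a check you can run against any list of suite names.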
If it asks for the name of a person, use the name of a place instead. You never know if the answers are case sensitive or not, so it is safer to only use lower case. In my opinion, it is also safer to avoid spaces and special characters. Just like passwords, these questions and answers need to be saved somewhere that you can find them later. Nothing wrong with paper and pencil.

Any website that you can access with just a userid/password is not really secure. Stepping up the security requires a second factor/thingie. See the topic on Two Factor Authentication for more.

TWO FACTOR AUTHENTICATION

To take money from an ATM requires both a plastic card and a password. Two things. Two factors. In computing, "two factors" refers to needing a password and something else to gain access to a system. Thus, a stolen password becomes useless as it's only half the story. The robotic response from every computer nerd is to use Two Factor Authentication (2FA). But, it is not that simple. In the topic on SIM Swaps there are links to articles by people who became vulnerable by using 2FA. First they had their cellphone number stolen, but that was done to abuse 2FA text messages and change the passwords on many accounts. No 2FA text messages, no password changes. And, everything breaks, so you need to be up to speed on the fallback system for when 2FA breaks.

There are different types of 2FA and no one right answer for everyone. Perhaps the least secure type of 2FA is a temporary code sent in a text message to a cellphone. It is very popular. Less popular is the use of email for the exact same purpose. In the US, the Social Security Administration does this. Still another option is a phone call where a temporary code is spoken aloud. Or, a phone call where all you need to do is touch a button on the phone. A more secure type of 2FA involves a Time Based One-time Password (TOTP) generated by an app running on a mobile device. Two such apps are Authy and Google Authenticator.
A problem with both of these types of 2FA is a scam website. If you enter both your password and the temporary code into a scam website, the bad guys have it. This is exactly how Twitter was hacked in July 2020. According to the Twitter Investigation Report from the New York State Department of Financial Services (Oct. 2020), the bad guys called Twitter employees claiming to be from the IT department. "The Hackers claimed they were responding to a problem the employee was having with Twitter's VPN. Since switching to remote working, VPN problems were common at Twitter. The Hackers then tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website and was hosted by a similarly named domain. As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did." To not be fooled by similarly named domains, see the topic here on Understanding Domain Names.

The most secure option involves a physical thingy you connect to a computer/tablet/phone that verifies your identity. No thingy, no access. Some downsides: the thingies cost money, different computing devices require different thingies, not many systems support this type of 2FA and the software on the thingies might be buggy.

To check if the companies you deal with offer 2FA, see 2fa.directory.

Google 2FA supports multiple one-time use backup codes, a great feature. How to retrieve your Google 2FA backup codes by Jack Wallen (Aug 2018).

In Alternative Ways to Protect Yourself from Being Spearfished (Jan 2020) Ivan Drucker relates his struggles trying to get non-techies to use an authenticator app. Then, he suggests using Google Voice as an alternative to both authenticator apps and your real cellphone number.
Background: Two-Factor Authentication Keeps the Hackers Out by Leo Notenboom (June 2016). Two-Factor Authentication: Who Has It and How to Set It Up by Eric Griffith (March 2019).

PHONE SCAMS

When someone calls you, you NEVER know who they are. Caller ID can be spoofed just like the FROM address in email. With so many companies being hacked and leaking data, the caller may know things that, at first, it seems only a legitimate caller would know. As with email: think carefully before taking action based on a single phone call, especially any action involving money, passwords or personal information. If anyone calls you, and their story ends with you paying them with a gift card or by wiring money, it is a scam.

When someone calls you, you NEVER know who they are.

The more urgent the need to send money, the more likely the call is a scam. Bad guys don't want to give you a chance to think about their made-up situation.

When someone calls you, you NEVER know who they are.

In the US, calls claiming to be from the Social Security Administration are a popular scam. Social Security numbers do not get suspended. The real Social Security Administration will never call to threaten your benefits. Beware of Calls Saying Your Social Security Number is Suspended (Bleeping Computer April 2019). This January 2020 advisory from SSA explains how they work. Report Social Security impersonation scams to 800-269-0271 or secure.ssa.gov/ipff/home.

When someone calls you, you NEVER know who they are.

Those (not really) IRS calls from FTC. Report IRS impersonation scams here. Imposter scams from FTC.

Apple does not call their customers out of the blue. Neither does Microsoft or Windows. Some scammers pretending to be Apple make calls that display an Apple logo, address and their real phone number. More here and here. Contact Apple at support.apple.com/contact. iOS 13 can send callers not in your contacts straight to voicemail.

Unwanted calls can be reported to the US Government.
Probably a waste of time.

In the news: Voice Phishers Targeting Corporate VPNs by Brian Krebs (Aug. 2020). The headline is wrong; it is not voice phishing, just normal scams targeting employees of large corporations. In large part these scams depend on fake corporate websites, so understanding the rules for domain names (above) is a critical defense.

IDENTITY THEFT

Considering the many data breaches of personal information, along with the legal sharing of it, ID theft is all too likely. Here are some things to do in preparation.

Bad guys might try to open a credit card in your name. To prevent this, you can get a credit freeze with TransUnion, Experian and Equifax.

Bad guys might use your credit card to buy themselves stuff. You can be alerted to this by having your credit card company notify you, in real time, about charges on your account.

The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.

Americans should open an account with the IRS (irs.gov) to prevent bad guys from opening an account in your name and getting your tax refund. Even if you never use this account, it is safer to have it. Brian Krebs has more (January 2018). The IRS also offers an Identity Protection PIN (IP PIN), a six-digit number that prevents a bad guy from filing a tax return using your Social Security number. The IP PIN helps the IRS verify your identity when you file your tax return.

Americans should also open an account with the Social Security Administration (ssa.gov) regardless of their age. This prevents bad guys with your stolen information from opening an account as you, and, for many people, is the only way to verify that their earnings are correctly reported. When you log on to the My Social Security website, it reports the last time you logged on. If you can track this yourself, then you can be sure no one has stolen your identity and logged on as you.
According to this article, the Social Security Administration has greatly curtailed the number of paper statements it mails. It now mails statements only to people over 60 who are not yet getting benefits and who have not set up digital accounts.

After an account is opened, you can block all electronic access to it. Of course, this blocking is only as good as the defenses against bad guys unblocking it, and I don't know what those defenses are. The phone number of the Social Security Administration is 800-772-1213. For more see Crooks Hijack Retirement Funds Via SSA Portal by Brian Krebs. The Social Security Administration does not threaten to arrest people. Social Security numbers cannot be suspended. These are common scams.

Neither the IRS nor Social Security does a good enough job of identifying people. They both know where you live; they could send a code via postal mail to verify who you are ... but, no. The Social Security Administration uses Equifax data to verify your identity, and we all know that Equifax was hacked in 2017 and lost their crown jewels (our personal information). If you have a credit freeze with Equifax, then you cannot open a Social Security account. You can't make this stuff up.

A free annual credit report, available at annualcreditreport.com, can't hurt. However, two things about the site are a sham. For one, it says that you can order reports online. When I last tried this in December 2018, it was not true; reports had to be ordered via postal mail, and I was not told this until after I entered all my personal information. Also, the site has not opted for extra identity validation for itself (see the topic on VERIFIED WEBSITE IDENTITY). Requests on paper are the way to go.

Credit Monitoring Services (CMS), such as Experian Idworks, are of iffy value. Far better to freeze your credit with as many credit reporting agencies as you can find (there are 3 big ones and at least 3 small ones).
Someone told me they were being monitored by three Credit Monitoring Services when they opened a new credit card, and it took over a month until the CMS companies notified them about the new card.

Background: Identity Theft info from the FTC. 11 Ways to Tell If Your Identity Has Been Stolen by Paul Wagenseil (April 2019). The Identity Theft Resource Center (idtheftcenter.org) offers free assistance for ID theft. They may be well-meaning, but their computer advice is shamefully ancient and lame.

SIM SWAP

A SIM swap is identity theft in which bad guys steal your mobile phone number and get it assigned to one of their phones. They do this because a phone number is often used to prove identity when resetting forgotten passwords. Other terms for this are SIM Hijacking and a port-out scam.

First signs: A few people have noted that the first sign of trouble was no cell reception on their phone. For one person, the first hint of trouble was a text message from T-Mobile about a call to them that he did not make.

First thing to do: If you lose cell service, call your cell company immediately.
AT&T: 800-331-0500
T-Mobile: 800-937-8997
Verizon: 800-922-0204

Defense: A phone number from TextNow is a safer way to use a phone number for 2FA. For more see the Phone Number Hiding topic. This is my idea; I have not seen anyone else suggest it.

Defense: Have the customer service number(s) for your cell company saved on your phone. Also save other information that could prove your identity to the cell company, such as the credit card used to pay the bill, the date the account was opened, etc. And, save everything you need to log on to their website.

Defense: To defend against SIM swaps, you can create a security code with your cellphone provider. This code needs to be provided over the phone, or in person at a store, before account changes are made. T-Mobile sometimes calls it an Account PIN, sometimes they call it a Port Validation feature (see Protect against phone number port-out scams).
Verizon calls it both an Account PIN and a Billing Password. AT&T calls it a Security Passcode. How to Protect Yourself Against a SIM Swap Attack by Brian Barrett in Wired (Aug. 2018) has details on how to set up the extra PIN code for each cellphone company.

AT&T Defense: AT&T has two defenses: both a passcode and Extra Security to enforce the use of the passcode. See Manage extra security for your wireless account.

T-Mobile Defense: Account Takeover Protection is a free service from T-Mobile.

T-Mobile Defense: Update your Customer PIN/Passcode.

T-Mobile Defense: The company was hacked in August 2021. Anyone with a T-Mobile account should have set a new PIN after this data breach.

T-Mobile Defense: T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About by Lorenzo Franceschi-Bicchierai for Vice (Sept 2019). A feature called NOPORT requires customers to physically come to a store and present a photo ID in order to request their number to be ported out to a different carrier or a new SIM card. This is separate and distinct from their Port Validation.

Verizon Defense: Call *611 and ask for a Port Freeze on your account (advice from CNet). Their website offers Two Factor Authentication, which they also call Enhanced authentication. But it is only SMS. And even when it's off, it is on (personal experience). I tried to turn it on (Jan 2020) and it broke the Verizon wireless website.

Verizon Defense Documentation: Verizon mobile Account PIN FAQs from Verizon.

Defense: How to Stop Your Mobile Number from Being Hijacked by Paul Wagenseil (March 2018). Most victims seem to use T-Mobile.

Poor defense: The PIN code defense is far from perfect. Brian Krebs wrote (Nov. 2018) that there is no defense against malicious employees of the cellphone company. He also wrote about lazy employees who ignore the system. Matthew Miller had his T-Mobile phone number stolen from him twice, despite having a PIN code on file.
He writes that T-Mobile has two PIN codes, one for when you call into customer service, and another port validation PIN (6-15 digits). After reading his story, you might want to avoid T-Mobile entirely. Then too, the TrickBot malware is known to modify the sign-on page for cellphone companies to steal these PIN codes (Secureworks Aug. 2019).

Defense: If you use either AT&T or T-Mobile, and your PIN(s) were set prior to August 2018, change the PIN(s). In August 2018 we learned that T-Mobile was hacked and bad guys stole their customer billing information. In the same month, we learned that both AT&T and T-Mobile had their customer PINs exposed to the world.

Defense: Use a land line for two factor authentication rather than a cellphone number, if possible. Rather than a text, the company calls you and speaks the temporary code. Apple supports this. A similar option, championed by Lorenzo Franceschi-Bicchierai (July 2018), is a Google Voice phone number.

Defense: In Nov. 2018, Joseph Cox of Vice suggested dedicating an iPod Touch to using Signal for secure phone calls. It's Wi-Fi only, and you can add a VPN for still more security. See How to Use an iPod Touch as a Secure Device Instead of a Phone.

Immediately afterwards: check that you still have access to your most important accounts. Email, bank, credit cards, etc.

Afterwards: The US Federal Trade Commission runs identitytheft.gov where you can both report the identity theft and learn how to recover from it.

Defending email from password resets: ProtonMail can block all password resets. In the web interface, click Settings and there is an option to "Allow password reset". Tutanota does not allow two factor authentication with text messages; they only support the stronger options: Time Based One-time Passwords (TOTP) and physical keys like Yubikey.

In the Email section, I discuss using multiple email addresses. This avoids having too many eggs in any one basket, should an email account get hacked.
Consider that email may well be important enough to pay for, if for no other reason than to get tech support when things go bad. I suggest ProtonMail, Mailbox.org or Tutanota.

Background: Much of the world has fixed this problem, but the US remains vulnerable. Why Phone Numbers Stink As Identity Proof by Brian Krebs (March 2019). Wave of SIM swapping attacks hit US cryptocurrency users by Catalin Cimpanu for ZDNet (June 2019).

Lawsuits: AT&T Faces New $1.8 Million Lawsuit Over Sim Hijacking Attack by Karl Bode (Oct 2019). This is just the latest in a series of lawsuits attempting to hold cellphone carriers accountable. A subscriber had both his identity and life savings stolen via SIM swap. A different subscriber sued AT&T last year for $220 million. T-Mobile was also sued last year.

Things are bad: Lawmakers Prod FCC to Act on SIM Swapping (Brian Krebs Jan 2020). The Republican FCC protects the cell companies, not consumers. Some Democrats in Congress are mad. Other countries protect consumers.

Things are bad: A study by researchers at Princeton University: An Empirical Study of Wireless Carrier Authentication for SIM Swaps (Jan 2020). Quoting: "We examined the authentication procedures used by five prepaid wireless carriers when a customer attempts to change their SIM card, or SIM swap. We found that all five carriers use insecure authentication challenges that can easily be subverted by attackers." See also a Twitter thread by Arvind Narayanan.

Things will only get worse: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers by Joseph Cox (Jan 2020). Bad guys are using RDP to directly access the internal systems of T-Mobile, AT&T and Sprint to do their own SIM swaps. Bribing employees is so last year.

One guy's story: SIM swap horror story: I've lost decades of data and Google won't lift a finger by Matthew Miller of ZDNet (June 2019). This should convince people to take defensive steps.
After getting control of his phone number, bad guys used it to change the password on his Google and Twitter accounts and used his bank account to buy $25,000 of Bitcoin.

Another guy's story: How Twitter CEO Jack Dorsey's Account Was Hacked (Wired Aug. 2019). A SIM swap gave the bad guys access to his phone number. Then, they sent texts to his Twitter account, which appeared as Tweets, without needing to know his Twitter password.

Big picture: As a rule, adding two factor authentication (2FA) makes an account more secure. But, in mid-2019 a couple of techies wrote about being victimized by SIM swaps (articles are linked above), which, in turn, made it possible for bad guys to change many of their passwords. In these cases, the use of 2FA made them vulnerable. For more on the pros/cons of 2FA see the Two Factor Authentication section.

What to expect: In June 2019, I tried to add Extra Security to an AT&T mobile phone number. The web page explaining exactly what this does was broken, so I don't know what it really does. Also, the system is poorly designed. When I first signed in to the AT&T website it sent a text with a one-time code to the phone. Had I been a victim of SIM swapping, this would have locked me out of the website. Dealing with AT&T is hard; you need to keep track of a userid (for which there are two definitions), a password, an Access ID (beats me), an email address, a security passcode and two security questions. When I got in to the website, it forced me to pick two new security questions even though I had already set this up long ago. Why? It didn't say. To add the mythical Extra Security: click on your first name in the top menu bar (on the right), then Profile, then Sign-in Info. Perhaps choose a particular phone number. Then, click on Manage Extra Security in the Wireless passcode section. Then turn on the checkbox for Add Extra Security to my account. Then enter your passcode. Whew.
What to expect: In July 2019, I changed the passcode on an AT&T mobile phone number. The process starts by logging in to www.att.com/wireless/ which includes entering a code sent to the phone via a text message. Then, click on the account holder's first name in the upper right corner -> Profile -> Big box for SignIn Info -> click on the "Get a new passcode" link -> enter the last 4 digits of the social security number and the zip code -> then get a text message with another temporary code -> enter this code -> then, finally, enter the new passcode. What is a valid passcode? They don't say. Must it be numeric? How long can it be? None of your business. At the end, you get another text message that the code was changed.

Defense: The SIM Swapping Bible: What To Do When SIM-Swapping Happens To You by CipherBlade and MyCrypto (June 2019). Overwhelming article.

WEB BROWSERS

Choosing: Web browsers are one area where the wisdom of the crowd does not apply. In the old days, the crowd used Internet Explorer; now it's Google's Chrome browser. Don't use either one. Or Edge. On a desktop Operating System (Windows, macOS, Linux) I suggest using either Firefox or the Brave browser. Brave has ad blocking and tracker blocking built in, it is based on Chrome, supports all Chrome extensions and also runs on Android and iOS. See some supporting articles:

WEB BROWSER ARTICLES (Last Updated Nov 24, 2021)

It's time to dump Chrome as your default browser on Android by Jack Wallen for TechRepublic (Nov 2021).

Individual cookie controls are removed from Privacy and Security in Chrome 97 by Martin Brinkmann (Nov 2021).

Ditching Google Chrome was the best thing I did this year (and you should too) by Adrian Kingsley-Hughes for ZDNet (Nov 2021).

Why You Should Delete Google Chrome On Your Phone by Zak Doffman in Forbes (Nov 2021).

Jan 7, 2021: Today I stumbled across another reason not to use the Chrome browser. I was using Chrome version 87 on Windows 10.
In Settings -> Autofill, a particular website (x.com for the sake of example) was set to never save the password. It had been configured this way for a while. I opened an Incognito window and went to the x.com website. When I went to log in and clicked in the UserID box, what showed up? My userid for x.com. There is no way to tell Chrome not to save the userid. And what is the use of incognito mode anyway, if it has access to the userid of what I consider a sensitive website?

A Long List of Ways Brave Goes Beyond Other Browsers to Protect Your Privacy. Written by Brave. No date.

We're suing Google for harvesting our personal info even though we opted out of Chrome sync - netizens by Thomas Claburn of The Register (July 2020). The lawsuit claims that although Google promises that Chrome users can opt out of surveillance by not providing personal information and by not syncing their data, people get spied on anyway.

Google sued for at least $5 billion over claimed Incognito mode grab of potentially embarrassing browsing data by Ethan Baron (June 2020). A new incognito page does not warn that Google knows what you do. It does warn that websites you visit and your ISP know what you do, even with private browsing mode.

Incognito mode detection still works in Chrome despite promise to fix by Catalin Cimpanu for ZDNet (June 2020). Google said last year that it would fix a bug that allowed sites to detect incognito mode, but no fix ever came.

Both Firefox and Brave have defenses against browser fingerprinting that Chrome does not have.

Still another reason not to use Chrome: Google: You know we said that Chrome tracker contained no personally identifiable info? Forget we ever said that by Thomas Claburn of The Register (March 2020).

From ProtonMail: Most secure browser for your privacy in 2020 (Dec 2019). In brief: Chrome is bad. Firefox, Brave, Tor and DuckDuckGo (mobile only) are good.

Chrome fails miserably at indicating when insecure data is being sent from a secure page.
See my blog (Feb 2020).

uBlock Origin works best on Firefox, where it can undo CNAME Cloaking. See If you run uBlock Origin, use the Firefox version as it offers better protection by Martin Brinkmann (Feb 2020).

These hidden cache files are bloating your Google Chrome by Adrian Kingsley-Hughes (April 2020). Chrome caches JavaScript files and there is no simple way to clear the cache; you have to find the folder and delete the files on your own. After reading this, I found data in the cache that was over 4 months old.

Study finds Brave to be the most private browser by Martin Brinkmann (Feb 2020). Only default browser configurations were tested.

Germany's cyber-security agency recommends Firefox as most secure browser by Catalin Cimpanu (Oct 2019). Firefox was tested against Chrome, Internet Explorer and Edge. Not tested were Safari, Brave, Opera, or Vivaldi. The big finding, to me, was that Chrome, IE and Edge have no option to block telemetry.

It's Time to Switch to a Privacy Browser by David Nield in Wired (June 2019). Good article that covers the DuckDuckGo browser (iOS, Android and an extension), the Ghostery browser, Brave, Tor and much more.

Google Chrome has become surveillance software. It's time to switch. by Geoffrey Fowler in the Washington Post (June 2019) has a great quote: "having the world's biggest advertising company make the most popular Web browser was about as smart as letting kids run a candy shop." Alternate link.

There is a whole website (NoToChrome.org) devoted to the bad stuff about the Chrome browser.

It's time you ditched Chrome for a privacy-first web browser by Matt Burgess in Wired (July 2019). Discusses Brave, Ghostery, Tor, DuckDuckGo and two Mozilla browsers.

In June 2019, Firefox added "enhanced tracking protection" by default, but my opinion was formed beforehand.
Firefox Now Available with Enhanced Tracking Protection by Default Plus Updates to Facebook Container, Firefox Monitor and Lockwise by Mozilla (June 2019).

Private and Secure Browsers to Keep Your Data Safe by Sven Taylor of Restore Privacy. Created Sept. 2018, last updated June 2019.

I protected my privacy by ditching Chrome for Brave–and so should you by Michael Grothaus in Fast Company (March 2019).

How I'm locking down my cyber-life by Larry Sanger (Jan. 2019).

Why I'm done with Chrome by Matthew Green (Sept 2018). Paraphrasing: I've loved Chrome in the past, but, due to Chrome's new user-unfriendly forced login policy, I won't be using it going forward.

Bye, Chrome: Why I'm switching to Firefox and you should too by Katharine Schwab (May 2018). Quoting: "I can't even remember why I decided to use Chrome in the first place. The browser has become such a default for American internet users that I never even questioned it."

Then too, there is the issue of certificate revocation. It is a poorly designed system and does not work very well. But all browsers support it, except Chrome. Chrome does its own thing in this regard and their system only works with a very small number of websites. In contrast, Cloudflare is working to improve this with OCSP Stapling.

Do not log on to a website using your Google or Facebook identity. Your privacy is increased by creating a new account just for that one site.

Global Privacy Control: Test your browser at globalprivacycontrol.org. The good result is "GPC signal detected". The bad result is "GPC signal not detected". As of May 12, 2022 this was supported by default in the Brave and DuckDuckGo browsers. It was available, but not enabled by default, in Firefox. It was not available in Chrome, Edge or Safari. Google, Microsoft and Apple want to spy on us. For a detailed verification, go to global-privacy-control.glitch.me where a blue thumbs up is a good test result. More...
Turn off Notifications: Websites normally have to ask to send you Notifications. The problem is that the notifications can be abused to trick people in assorted scams. This Nov. 2020 article from Malwarebytes, Turn off website Notifications, explains how to turn off Notifications in Chrome, Firefox, Safari, Opera and Edge. For Brave (v1.17.73) do: Settings -> Additional settings -> Privacy and security -> Site and Shields Settings -> Notifications.

Track me not: If the websites you visit are determined to track you, it is all but impossible to prevent it. Still, you can fight back. The biggest hammer in the toolbox to avoid being tracked is Guest mode on a Chromebook, which ensures that all traces of your activity are erased when you exit Guest Mode. One step down is private/incognito mode in your web browser. You are still tracked, but only until you close the browser. For background, see What Does Private Browsing Mode Do? by Martin Shelton (July 2018). Another option is to manually delete cookies and other tracking data in your browser. In Chrome and Brave, enter chrome://settings/siteData in the address bar, then click the Remove All button. In Firefox, enter about:preferences#privacy and click on the Clear Data button. Perhaps bookmark these URLs. Firefox can automatically delete cookies when the browser shuts down. Using the same Firefox URL, turn on the checkbox for "Delete cookies and site data when Firefox is closed".

Web browser extensions are a double-edged sword. If you let them, they can read and modify the contents of every displayed page. This is necessary, for example, with an ad blocking extension. However, it can be abused too. When installing extensions, pay close attention to the permissions they request. I have seen non-techies be tricked into installing malicious extensions. It is a good idea to periodically review the extensions installed in your browser and remove any you really don't need.
To display the installed extensions, use these address bar URLs (perhaps bookmark them): in Chrome, chrome://extensions; in Brave, brave://extensions; in Firefox, about:addons. I blogged about potentially dangerous extensions here and here and here. A Reddit user wrote Why I removed Grammarly chrome extension and deleted my Grammarly account in March 2019. Sam Jadali spent much time researching malicious extensions and issued a detailed report called DataSpii that served as the basis for articles in the Washington Post and Ars Technica (July 2019). Neither article suggested a Chromebook in Guest mode, which does not allow extensions. Best to avoid extensions from Avast and AVG. Brian Krebs covered this in Feb 2020: The Case for Limiting Your Browser Extensions.

Install an ad blocker extension in your web browser. I say this not because it makes web pages load faster (it does) but because ads have been abused too many times to install malicious software or take you to scam websites. Even Chromebook users can be scammed at websites (no malware though). One highly recommended ad-blocker is uBlock Origin by Raymond Hill. The downsides are that some sites won't display without their ads and that it prevents sites from earning needed revenue. But, the ad blocker can be disabled on sites you wish to support. No website can be trusted to only show non-malicious ads because the website itself does not choose the ads. Except Krebs on Security.

Install a tracker blocker extension such as Privacy Badger from the EFF or Disconnect.

In desktop Firefox, review the Content Blocking (about:preferences#privacy) settings, which offer defense against trackers and more. As of version 67, it should default to Standard; maybe raise it to Strict or Customize it. See the documentation on this. Mozilla also has a Facebook Container extension that blocks Facebook from tracking you around the web. Firefox users should also take a look at about:telemetry.
It's intimidating, but look to see that "upload is disabled". From PrivacyTools.io: Firefox: Privacy Related "about:config" Tweaks.

Safari on macOS can automatically delete your browsing history (as of Dec. 2020). On the menu bar, at the left, click on "Safari" -> "Preferences" -> General tab -> "Remove History Items". While there, also review "Remove download list items", which can automatically remove the names of the files you downloaded. It does not delete the actual files.

Test your web browser: This is only for techies. deviceinfo.me, SSL Client Test from Qualys SSL Labs and How's My SSL?

PUBLIC WIFI (Last update: August 14, 2021)

Public Wi-Fi is always dangerous, whether a password is required or not. If possible, keep your main/regular computing devices away from public networks. A Chromebook is a great substitute. Even with all the protection in the world, like that described below, there are some things best avoided on any public network.

Wi-Fi networks are like children: the people who create them can give them any name at all. Bad guys can create wireless networks with the same name (SSID) as a legitimate network. The official term for this is an Evil Twin network. Non-techies cannot distinguish an Evil Twin from the legit network it is pretending to be. Neither can a computer/phone/tablet, which will happily connect to the evil twin network. Techies might look at the MAC address of a wireless network, but even that can be spoofed if the bad guy knows how.

Typically, we focus on the fact that public Wi-Fi networks provide Internet access. This, however, ignores the other thing they provide: DNS. DNS is the system that translates a website name (cnn.com) into an IP address. Malicious DNS can send you to scam copies of websites or all sorts of malicious websites. The fake CNN site says you need to download software and bingo, your computer is hacked. Eating food found in the street is as safe as using DNS from strangers.
For more on DNS, and links to check the DNS servers currently in effect, see my RouterSecurity.org site. In the old days, the fear with public Wi-Fi was limited to people intercepting plain text HTTP. Most websites now use HTTPS, which encrypts data in transit. However, HTTPS is both flawed and complicated and should not be your sole defense. The Qualys SSL Server Test is an excellent site for illustrating both the complexity of HTTPS and that many websites do it poorly. Also, you cannot tell if a mobile app is using HTTPS or not.

The solution to the Evil Twin, DNS and HTTPS problems is to use either a VPN or Tor. Both hide your Internet activity from the router creating the public network and the ISP providing it Internet access. For more on VPNs, see the VPN topic here. To ensure they are working, check your public IP address before and after connecting. Also, check your DNS servers before and after. A VPN should provide its own DNS servers; check with your VPN company to learn what their policy is. Many provide DNS on the VPN server itself, which is especially easy to validate. If a VPN or Tor is too much for you, then on mobile devices, use the Cloudflare 1.1.1.1 app available on Android and iOS. Originally, it only provided DNS; now it can also, optionally, provide a VPN.

Another danger with public networks (both wired and wireless) is on the LAN side. Your computing device can be attacked by other users of the same network. Local bad guys might attack open TCP/IP ports on your device or take advantage of bugs in the operating system. I blogged about this in August 2021: Hiding on a Wi-Fi network. Some VPN software offers a defense against this, a feature that will block LAN side access while the VPN is connected. Bad guys cannot attack a computer they can't see. In my experience, however, this is a very rare feature.

Disable Wi-Fi when you are not using it. It is not sufficient to simply disconnect from a public network.
Many Wi-Fi devices will automatically re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget about it.
- iOS instructions are in the iOS topic.
- Windows 10: System Settings -> WiFi Settings -> Manage known networks -> click on an SSID, then the gray Forget button.
- macOS: Wi-Fi symbol -> Network Preferences -> Advanced -> Preferred Networks -> Click on an SSID -> click the minus sign -> OK
- Android systems vary; search in the Settings for "Saved networks".

One way to avoid public Wi-Fi is to use the 4G/LTE data connection on a smartphone. With the hotspot feature, this data connection can be shared with a laptop. To do this, the phone creates a Wi-Fi network that the laptop connects to. One, or both, of the devices should be connected to a VPN.

A public Wi-Fi network will always learn the MAC address of the Wi-Fi adapter in your computing device, even when using a VPN. To prevent this being tracked, you need to modify the MAC address (see the Networking topic) before enabling Wi-Fi. To be really anonymous, use a computing device that was purchased with cash.

If you often use a public network, then consider a privacy screen protector. This limits the field of view for the screen, to hopefully block someone sitting nearby from seeing what you are doing. 3M sells privacy screens for laptops, tablets and phones. Both Dell and Lenovo sell them for their laptops. See Laptop Privacy Filters: What to Look For and Why You Need One by Brett Nuckles (June 2018).

NETWORKING

Router: I have a whole website devoted to Router Security. At the least, try to make the eight router configuration changes in the short list on the home page. When it comes to making router changes, the first step, logging into the router, is likely to be the hardest.
To make this easier, I suggest writing down the necessary info (router IP address or vendor-supplied name, router userid, router password) on a piece of paper and taping it to the router, face down. Maybe include Wi-Fi passwords on the paper too.

Networking equipment (router or combination modem/router) provided by Internet Service Providers is typically insecure and low quality. Anything you buy at retail is likely to be more secure. It may also be cheaper in the long run, and it makes you less of a target (a million people are not using the same router model).

Ethernet is more secure than Wi-Fi, so whenever possible connect via Ethernet for sensitive work. It's also faster. USB to Ethernet adapters cost about $15. Speaking of Ethernet, Google knows nearly every Wi-Fi password in the world. And if Google knows them, what are the odds that Apple (via iOS) does not?

Use a Guest Wi-Fi network both for visiting humans and for IoT devices. Better yet, if your router supports it, use VLANs to further segregate devices (requires a techie). More here.

At this point, it is common knowledge that Wi-Fi encryption should use WPA2 rather than the ancient WPA or WEP. If given a choice, WPA2 AES is more secure than WPA2 TKIP. Note that a long Wi-Fi password can prevent a brute force guessing attack; passwords should be 14 characters or longer. More here.

Technitium MAC Address Changer (Tmac) is a freeware utility to spoof MAC addresses in Windows 7, 8 and 10.

Comcast: Comcast Xfinity is Using your Router as a Wifi Hotspot, at your Expense. Here’s how to Opt Out (Aug. 2019)

VPNs

On October 17, 2021, this topic was moved to a new VPN page.

VOICE ASSISTANTS (SMART SPEAKERS)

All of the smart assistants (from Amazon, Google and Apple) sometimes record at the wrong time. That is, they record without a person having said the wake word. And, since all three companies send some recordings to contractors to help improve the system, strangers may hear your embarrassing conversations.
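Returning to the Wi-Fi password advice in the Networking topic above: this added example (not from the original page) derives the WPA2 Pairwise Master Key the way IEEE 802.11i specifies it, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, and shows why 14 or more characters matters against someone who captured a handshake and guesses offline. The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector; the guess rate is an assumed round number.

```python
"""WPA2-Personal key derivation and what passphrase length buys you. Added example,
not code from the page. The PMK is PBKDF2-HMAC-SHA1(passphrase, salt=SSID,
4096 rounds, 32 bytes) as specified in IEEE 802.11i; 'password'/'IEEE' is the
test vector from that standard. GUESSES_PER_SECOND is an assumed round number."""
import hashlib

PMK_ITERATIONS = 4096
PMK_LENGTH = 32
GUESSES_PER_SECOND = 1_000_000     # assumed: PMKs per second for an offline cracking rig
SECONDS_PER_YEAR = 365 * 24 * 3600
MIN_PASSPHRASE_LENGTH = 14         # the page's recommendation


def wpa2_pmk(passphrase, ssid):
    """Pairwise Master Key: the value an offline guessing attack has to reproduce
    for each candidate passphrase, 4096 HMAC-SHA1 rounds per guess."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PMK_ITERATIONS, PMK_LENGTH)


def years_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every passphrase of the given length and alphabet."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def passphrase_ok(passphrase):
    """The page's rule of thumb: 14 characters or longer."""
    return len(passphrase) >= MIN_PASSPHRASE_LENGTH


if __name__ == "__main__":
    pmk = wpa2_pmk("password", "IEEE")
    print("PMK for password/IEEE:", pmk.hex())
    # The SSID is the salt, so a table precomputed for a common SSID applies to every
    # network using that name. A unique SSID forces the attacker to start from scratch.
    print("same passphrase, other SSID gives a different PMK:",
          pmk != wpa2_pmk("password", "HomeNet"))
    for n in (8, 10, 14, 20):
        print(f"{n:2d} chars, 62-symbol alphabet: {years_to_exhaust(n, 62):.3g} years")
```

At the assumed rate, 8 mixed-case alphanumeric characters fall in under a decade while 14 take hundreds of billions of years; the rate is the only knob an attacker controls, so length is the knob you control.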
Tony Soprano would not have allowed Siri in his home. Google lets you access your history, delete past recordings and automatically delete your data every couple of months. Amazon lets you manually delete past recordings and disable human review of Alexa recordings. Initially, Apple lost at this privacy game; they did not have any way to opt out. In early Aug 2019 they took their first step, and did more in iOS 13.2.

Disaster: Alexa and Google Home abused to eavesdrop and phish passwords by Dan Goodin (October 2019). Everyone's worst fear came true. Malicious apps were developed that listened all the time. Wake word? We don't need no [expletive] wake word. Germany's Security Research Labs developed the apps and they passed the Amazon and Google security-vetting process. Some of the apps logged all conversations within earshot of the device and sent a copy to the app developer. Others mimicked the voice used by Alexa and Google Home to falsely claim a device update was available and prompted the victim user for a password to enable the update. Yikes. More: Malicious Apps on Alexa or Google Home Can Spy or Steal Passwords by Ionut Ilascu (Oct. 2019).

AMAZON ALEXA

Bloomberg reported in April 2019 that Amazon Workers Are Listening to What You Tell Alexa. There are options in the app to disable this (Settings -> Alexa Account -> Alexa Privacy -> Manage How Your Data Improves Alexa) but they may not be honored.

Another privacy issue with Alexa is that the devices phone home to Amazon and to others, even when they are not being used. No one knows why.

Article: Alexa has been eavesdropping on you this whole time by Geoffrey Fowler (May 2019). Amazon keeps a copy of everything Alexa records after it hears the wake word. Fowler listened to 4 years of his recordings and found that dozens of times it recorded when it should not. It even picked up some sensitive conversations. There are instructions for deleting these recordings via the Alexa app.
Hear your archive at www.amazon.com/alexaprivacy. Also from Fowler: Amazon collects data about third-party devices even when you do not use Alexa to operate them. For example, Sonos keeps track of what albums, playlists or stations you listen to and shares that information with Amazon. You can tell Amazon to delete everything it has learned about your home, but you cannot look at this data or stop Amazon from continuing to collect it.

Researchers examined 90,000 Alexa Skills. Only a fraction have a privacy policy. When you ask Alexa a question, you have no idea where the answer comes from. Want to research a skill? It is easy for an attacker to impersonate any well-known manufacturer or service provider. Yes, Amazon certifies skills before they get published, but the skill can change how it behaves at any time. From Why would you ever trust Amazon's Alexa after this? by Chris Matyszczyk for ZDNet (Feb 2021).

Amazon has policies for skills published in the Alexa Skills Store. But they are not enforced. In an academic study that lasted a full year, researchers created 234 skills that all violated a policy. They all got approved. From Academics smuggle 234 policy-violating skills on the Alexa Skills Store by Catalin Cimpanu for ZDNet (July 2020). They also identified 52 problematic skills already available on the Alexa store, all targeted at children.

Alexa initial configuration: the app wants to "periodically upload your contacts" - say Later (there is no NO). The app also wants to verify your phone number when first configured; there is no need for this, skip it.

Alexa Defenses in the Settings of the Alexa app:

Amazon Sidewalk started rolling out in Nov. 2020. It is on by default. To turn it off from the Alexa app: More tab (at the bottom) -> Settings -> Account Settings -> Amazon Sidewalk. Toggle off the Enabled button.

Turn off voice purchasing: Menu -> Settings -> Alexa Account -> Voice Purchasing.
If you want to use Voice Purchasing then perhaps disable one-click payments. Or, set a spoken PIN to stop anyone else from shopping using your account.

Settings -> Alexa Privacy -> "Manage How Your Data Improves Alexa". This may have changed to "Manage Your Alexa Data". There are two options to prevent humans from listening to your recordings.

Settings -> Alexa Privacy -> Review Voice History. Enable the deletion by voice option. Then delete saved recordings. After enabling this option, you can say "Alexa, delete everything I said today" or "Delete what I just said".

Settings -> Alexa Privacy -> Manage Skill Permissions. Control which, if any, skills should have access to your name, your location, your street address, etc.

Notifications -> Amazon shopping. Turn off "Receive personalized recommendations and deals based on your shopping activity." if you don't want Alexa to nag you to buy stuff. Maybe also disable "requests to rate products you’ve purchased" and "Order Updates (Inc. Subscribe & Save)".

APPLE (Siri, Apple Watch and HomePod smart speakers)

Apple contractors 'regularly hear confidential details' on Siri recordings by Alex Hern in The Guardian (July 2019). Accidental activations pick up extremely sensitive personal information, fairly often. The story came from a whistleblower; not a good look for Apple.

If an Apple Watch detects it has been raised and then hears speech, Siri is activated. To prevent this, disable the Siri side button on the iPhone: Settings -> Siri & Search -> toggle off "Press Side Button for Siri".

On the June 26, 2020 episode of The Privacy, Security, & OSINT Show, the show host, Michael Bazzell, suggested disabling Siri completely.

Apple Suspends Listening to Siri Queries Amid Privacy Outcry by Mark Gurman of Bloomberg (Aug 2019).

Defense as of mid-Aug 2019: If both Siri and dictation are disabled, Apple will delete your data and recent voice recordings.
To disable Siri: Settings -> Siri & Search -> turn off both the Listen and Press Button options. To disable dictation: Settings -> General -> Keyboard -> turn off Enable Dictation. This process will change.

Defense added in iOS 13.2: When upgrading to 13.2, which was released at the end of Oct. 2019, users see a pop-up message offering the ability to opt out of having their voice commands stored and saved. It is called "allowing Apple to store and review audio of your Siri and Dictation interactions". Later, this can be adjusted in the Privacy settings under "Analytics & Improvements", where there are multiple options about sharing Analytics as well as the option to "Delete Siri & Dictation History" and an option to stop sharing voice recordings with Apple. Also, in Settings -> Siri, you can tell Apple to delete all the Siri voice recordings that it has stored.

GOOGLE ASSISTANT

Again from the Fowler article: Google used to record conversations with its Assistant ("Hey Google") but in 2018 they stopped doing so by default on new setups. You can check the settings of your Assistant at myaccount.google.com/activitycontrols/audio. Look to Pause recordings. This How-To Geek article adds instructions for deleting the previously saved recordings. The Nest thermostat, made by Google, phones home every 15 minutes, reporting the climate in the home and whether there is anyone moving around. The data is saved forever. (also from the Fowler article)

Google Defense: in the Google Home app: Account -> More settings (under Google Assistant) -> Your data in the Assistant -> turn off Voice & Audio Activity. While there, also go to Manage Activity to review and/or delete voice recordings.

To delete Google Assistant voice recordings, start at myaccount.google.com/intro/activitycontrols. Scroll to "Voice & Audio Activity", where Paused means disabled. Or, you can use these voice commands: "Hey Google, delete what I just said" or "Delete what I said on [date]" or "Delete my last conversation".
This only works for the last 7 days. You can use the Voice Match function to ensure your personal results are only available to you. See how.

MICROSOFT: SKYPE, CORTANA and XBOX

In Aug. 2019, Joseph Cox of Motherboard revealed that "Contractors working for Microsoft are listening to personal conversations of Skype users conducted through the app’s translation service ... [and] ... Microsoft contractors are also listening to voice commands that users speak to Cortana, the company's voice assistant." Shortly thereafter, Cox revealed that Microsoft Contractors Listened to Xbox Owners in Their Homes. As with all the other companies, recordings were sometimes triggered by mistake. At the Microsoft Account Privacy Settings page you can delete any recordings Microsoft has of you.

General Defense: I own a smart speaker and it is powered off 99% of the time. When I want to use it, I plug it in and wait 30 seconds for it to start up.

How to Delete Voice Recordings From Alexa, Google Assistant, Facebook Portal, and Siri by Brendan Hesse (Aug. 2019)

Future: At some point, the US Government may force one of these companies to let it listen in on a target 24x7. If that happens, would you be surprised?

LOCATION TRACKING

There are four approaches here, and I am the very rare person suggesting the fourth one.

The first approach is to play whack-a-mole: to configure access to location data on an app-by-app basis. This strikes me as ridiculous. Android 9: Settings -> Biometrics and security -> App permissions -> Location -> configure each app. Android 10: Settings -> Location -> App permission and configure each app. Android 12: Settings -> Location. If Use Location is off, turn it on. You then see the apps with Location permission and those that have recently used it. When done with your review, turn Use Location back off (if desired). From Google: Choose which apps use your Android device's location.

New permission in Android 10: only let an app know your location when the app is open.
Also new: periodic reminders about apps that are accessing your location in the background. Configure: Settings -> Apps and Notifications -> pick an app -> Permissions and Location. Or, Settings -> Privacy -> Permission manager -> Location -> click an app. If upgrading from v9 to v10, all existing apps need to be checked.

iOS 13: Settings -> Privacy -> Location Services and then choose, for each app, when it can access your location. While there, also configure "Share My Location" as you prefer. And, still more: configure each of the 13 System Services and the 4 Product Improvement services - whether they can access your location. iOS 13 added a new Location permission: share your location with an app just once. The next time the app wants it, it has to ask. iOS 12 only allowed sharing always, never or when the app was in use. iOS 13 also added periodic pop-ups when apps use your location in the background. A sort of FYI.

iOS 13 Location: iOS 12 let you grant an app permission to track your location all the time when the app was installed. iOS 13 limits install-time location permissions to while the app is in use. To let an app track your location at all times, you have to go into the System Settings. iOS 13 treats this as a bad thing and periodically warns you about how often your location was used and lets you disable it. Sound good? But Apple does not warn customers about their own location tracking. By default, iOS users agree to 18 separate location-tracking system services during setup, including Apple's own location-based advertisements. Apple can add new features that utilize location tracking without asking for permission. From here: Apple says recent changes to operating system improve user privacy, but some lawmakers see them as an effort to edge out its rivals by Reed Albergotti in WaPo (Nov 2019).

For iOS version 12, do Settings -> Privacy -> Location Services to see a list of apps.
Each app is assigned one of three rules: never see your location, always see your location, or only see it while using the app. Also here is a link to System Services and their location usage. Does a weather app really need your current location? Maybe just give it a couple of zip codes where you often are instead, and only give it access to your current location when traveling.

A second approach is to still let the phone know where you are now, but tell Google not to keep a history of where you have been. Disable Location History: Location history is a Google account thing, not an Android thing. At least with Android 12, there is no system setting for this. It is controlled at myaccount.google.com/activitycontrols/location. More from Google: Manage your Location History. This April 2019 article says to go to myactivity.google.com, select "Activity Controls" and turn off both "Web & App Activity" and "Location History". This May 2019 article by David Nield in Wired covers all the bases, both for a Google account and on a mobile device.

Keep a Location History but automatically delete it after a while: Start at myactivity.google.com, click on Activity controls, scroll to Location history, click Manage Activity, look for an icon shaped like a nut and then click Automatically delete location history. Whew.

First find the Location section of system Settings (see the 3rd approach below). Then click on Google Location History to pause it (it cannot be disabled, only paused). On Android 10, Location History is buried under "Advanced". Note: this is done for a Google account, not for a device, thus you must be on-line to make changes. You may also want to click on Show All Activity Controls to see the Web and App Activity and pause that too. From Google: Manage your Android device's location settings. The article states that, with Location disabled, you can still get local search results and ads based on your public IP address. You can test this with a VPN.
A third approach is to disable Location Services entirely. On Android, the "Use Location" option is the master on/off switch for Location services. Here are some paths to find it.
- Android 7 and 10 and 12: Settings -> Location
- Android 9: Settings -> Biometrics and security -> Location
- Android 8 and 9: Settings -> Security and Location -> Location
- On iOS 13 there is only one path: Settings -> Privacy -> Location Services -> Turn Location Services OFF

My advice, the fourth approach, is to prevent iOS and Android from knowing your location in the first place. To do this:
- Turn off 4G/LTE Internet
- Turn off Wi-Fi
- Turn off Bluetooth
- Turn off GPS by disabling "Location" (Android) or "Location Services" (iOS)

With these four things disabled, a phone can still make/receive calls and text messages. A dedicated GPS app can be used to confirm the status of GPS. Note that your location can still be tracked by the cell tower the phone is talking to, but this only provides a general idea of where you are rather than a precise location. The next step would be to enable airplane mode, and the step after that is to turn the phone off.

For ages, I was the only person suggesting this. Then, some allies showed up: In Dec. 2019, Proton (the company behind ProtonMail and ProtonVPN) said that a basic principle of using any smartphone is "...turn off all the connectivity you do not need. This goes for whatever smartphone, and whichever operating system, you have." In the June 26, 2020 episode of The Privacy, Security, & OSINT Show, the show host, Michael Bazzell, suggested the same thing. In August 2020, we had this: NSA warns that mobile device location services constantly compromise snoops and soldiers (The Register). The National Security Agency issued advice on Limiting Location Data Exposure (PDF).

Bonus benefit 1: better battery life. Bonus benefit 2: Billboards will not track you. See Digital Billboards Are Tracking You.
And They Really, Really Want You to See Their Ads by Thomas Germain of Consumer Reports (Nov. 2019).

Note that even with Bluetooth and Wi-Fi disabled, an Android device may still use either or both to determine your location. For more, see the topic on Mobile Scanning and Sharing.

Taking a step back, consider who is the enemy here? That is, who is it we don't want tracking us. Some people/articles focus on apps. But it is also the Operating System vendors, Apple and Google, that learn our location. And, of course, the cell phone companies, who are being sued for selling location data. Another reason for my approach to defense.

Background: This December 2018 article in the NY Times documents the tracking, but not defense. Same for this article. Google has a history with location tracking. See also London Underground to begin tracking passengers through Wi-Fi hotspots (May 2019). The only defense is to disable Wi-Fi. See the Mobile Scanning topic to learn how to ensure that Wi-Fi is really off and stays off. In Stores, Secret Surveillance Tracks Your Every Move (June 2019) is about Location Tracking with Bluetooth. Twelve Million Phones, One Dataset, Zero Privacy, NY Times (Dec 2019).

Cameras: On many computing devices the camera may embed the current location of the device in a photograph. I am no expert on disabling this in every operating system, so ... when you are away from home and posting photos on social media, people can tell you are away from home. If you are far, it is an invitation to rob your home. If you post photos taken at home, people can learn where you live. Spend the time to learn how to stop the camera from doing this. On iOS 13, I am pretty sure this cannot be disabled, but if you use the OS to share a photo there is an option to remove the location information. If you copy the photo on iOS 13 the location information is included. IrfanView on Windows reveals all the hidden information in pictures.

MOBILE OS SPYING

It's bad. Real bad.
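Back to the Cameras paragraph in the Location Tracking topic: the location a camera embeds lives in the photo's Exif block, as a GPS sub-IFD. This added example (not from the page, and not IrfanView's code) walks a JPEG's marker segments, reports whether the Exif block points to a GPS sub-IFD, and strips the Exif block so the photo can be shared without its location. The JPEG in it is a constructed minimal file with a hand-built Exif block, not a real photo.

```python
"""Detect and strip embedded location data (Exif GPS) from a JPEG. Added example,
not code from the page or from IrfanView. The JPEG below is a constructed minimal
file with a hand-built Exif block; a real photo carries many more segments."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # Exif tag whose presence in IFD0 means a GPS sub-IFD exists


def iter_segments(data):
    """Yield (marker, raw_segment) for each JPEG marker segment. Everything from
    Start Of Scan (FFDA) onward is the compressed image and is yielded as one chunk."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    yield 0xD8, data[:2]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:          # SOS: image data follows, copy through to EOI
            yield marker, data[pos:]
            return
        if marker == 0xD9:          # EOI before any scan (truncated file)
            yield marker, data[pos:pos + 2]
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _ifd0_tags(tiff):
    """Tag numbers in the first IFD of a TIFF-structured Exif payload."""
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd_offset = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])[0]
    entries = tiff[ifd_offset + 2:ifd_offset + 2 + 12 * count]
    return [struct.unpack(endian + "H", entries[i:i + 2])[0]
            for i in range(0, 12 * count, 12)]


def _is_exif(marker, segment):
    # APP1 segment: FF E1, 2 length bytes, then the "Exif\0\0" signature
    return marker == 0xE1 and segment[4:10] == EXIF_HEADER


def has_gps(data):
    """True if the JPEG's Exif block points to a GPS sub-IFD (carries a location)."""
    return any(_is_exif(m, s) and GPS_IFD_POINTER in _ifd0_tags(s[10:])
               for m, s in iter_segments(data))


def strip_exif(data):
    """Drop every Exif APP1 segment. This removes the location along with all other
    Exif fields (camera model, orientation, ...); the image data is untouched."""
    return b"".join(s for m, s in iter_segments(data) if not _is_exif(m, s))


# --- constructed sample, not a real photo ---------------------------------
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _sample_tiff():
    """Little-endian TIFF: IFD0 with a Model tag and a GPS IFD pointer, then the GPS IFD."""
    gps_ifd_offset = 8 + 2 + 2 * 12 + 4   # header + count + 2 entries + next-IFD link
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")          # Model, ASCII, inline
    ifd0 += struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_offset)
    ifd0 += struct.pack("<I", 0)
    gps = struct.pack("<H", 1)
    gps += struct.pack("<HHI4s", 0x0000, 1, 4, b"\x02\x03\x00\x00")   # GPSVersionID
    gps += struct.pack("<I", 0)
    return b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0
    + _segment(0xE1, EXIF_HEADER + _sample_tiff())                       # APP1 Exif
    + _segment(0xDB, bytes(65))                                          # DQT placeholder
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"   # SOS header
    + b"\x12\x34"                                                        # stand-in scan data
    + b"\xff\xd9"                                                        # EOI
)

if __name__ == "__main__":
    print("location present:", has_gps(SAMPLE_JPEG))
    cleaned = strip_exif(SAMPLE_JPEG)
    print("after stripping :", has_gps(cleaned), len(SAMPLE_JPEG), "->", len(cleaned), "bytes")
```

Run has_gps over a real photo read with open(path, "rb") before posting it; if it reports True, share the output of strip_exif instead of the original.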
The only real defense is a VPN that blocks trackers, and for good luck, ads too. Also see the Location Tracking topic.

Android Defense: Turn off Ad Personalization and periodically reset the Android advertising ID. On Android 7, 8, 9, 10, and 12 both options are at: Settings -> Google -> Ads. On Android 12 you can go further and delete the Advertising ID.

Android Defense: At Settings -> Google. Google Account is the master list of everything Google. In Networking, maybe disable the Wi-Fi assistant. Check Nearby to see if any apps are sharing data. In Search, Assistant & Voice: under General, look at Recent pages, Discover and Personal results. Under Voice, consider not allowing Bluetooth requests with the device locked (may be called Bluetooth headset). Also review Google Assistant.

Things are bad: It's the middle of the night. Do you know who your iPhone is talking to? by Geoffrey Fowler in the Washington Post (May 2019). He found 5,400 app trackers spying on him.

Things are bad: Android, iOS beam telemetry to Google, Apple even when you tell them not to – study by Thomas Claburn for The Register (April 2021). According to an academic study, Android and iOS phones transmit telemetry back to Google and Apple, even when users have chosen not to send analytics data. iPhones even rat out your LAN buddies when using Wi-Fi. They phone home the MAC addresses of other devices on a LAN. Yikes. Apple said nothing when pressed for comment. The defense is to use VLANs.

Things are bad: iPhone Privacy Is Broken…and Apps Are to Blame by Joanna Stern in the Wall Street Journal (May 2019). Most apps are tracking you in ways you cannot avoid. Privacy controls are a scam. Interesting tidbit: paid apps spied the same as their free siblings. Defense: Privacy Pro SmartVPN from Disconnect.

Things are bad: In a tweet thread Robert G. Reeve explains how, after spending a week with his mother, he is seeing ads for her brand of toothpaste.
(May 2021)

iOS Defense: The above two articles both suggested partial defenses: Disable "Background App Refresh" (Settings -> General) and Enable "Limit Ad Tracking" (Settings -> Privacy -> Advertising). While there, I would also suggest clicking on Reset Advertising Identifier.

iOS Defenses: From 7 iPhone privacy settings you should enable now (Jack Morse, June 2019). Review apps that have Camera (Settings -> Privacy -> Camera) and Microphone (Settings -> Privacy -> Microphone) access. Maybe turn Live Photos off. Turn off lock screen message previews (Settings -> Notifications -> Messages -> Show Previews). Reset your Advertising Identifier (Settings -> Privacy -> Advertising). Use a long (up to 9 digits) voicemail password (Settings -> Phone -> Change Voicemail Password).

iOS Defense: How to Check and Tighten All Your iPhone’s Privacy Settings by Tim Brookes (July 2019).

Stop Apple from spying on you. Details are in the iOS topic. As of iOS 14: Settings -> Privacy -> Analytics & Improvements. While there, take a look at the Analytics Data.

Things are bad: Perhaps the most damning article: I spy: How Android phones keep tabs on our every move (March 2019) is about the security hole that is the pre-installed Android apps. Based on an academic study that analyzed 1,742 phones from 214 manufacturers. 91% of the pre-installed apps are not in the Google Play store. No defense offered.

Defense: Some VPNs can block tracking and/or ads. For more, see the VPN topic.

iOS Defense: What should be a great defense against apps and web pages that track iOS users is the Guardian Mobile Firewall from Sudo Security. I say "should" because the app is new; it was released Aug. 1, 2019. Terminology, however, is being abused. It is not a firewall. It is a VPN that does tracker blocking. The VPN part is free; tracker blocking is $100/year or $10/month. It does not block ads and it does not offer a whitelist or blacklist that you can manually update.
Everything points to the people behind the app being trustworthy. Read more from Glenn Fleishman (March 2019), Lily Hay Newman (July 2019), Sudo Security (June 2019) and me (August 2019).

Things are bad on Android: Thousands of Android Apps Break Google's Privacy Rules by Paul Wagenseil (Feb. 2019). Researchers examined 24,000 Android apps and found that 70 percent were breaking the rules by sending out permanent IDs that ad networks can use to track you. The researchers notified Google of the policy violations and got no response.

More bad on Android: TikTok Tracked User Data Using Tactic Banned by Google from The Wall Street Journal (Aug 2020). The article is about TikTok, but that one app is not important. What is important is that the app was able to learn the MAC address of an Android device even though Google had tried to prevent apps from doing so. Google's first attempt at blocking access to the MAC address was not foolproof and, when told about this, Google did nothing to improve their blocking.

My Defense: Use a phone and a tablet. Let most of the spying happen on the tablet, keeping the phone relatively clean. Each should use a different account, be it an Apple or Google account. The tablet account should use a throw-away email address. The phone should, as much as possible, be limited to apps needed while traveling. The tablet can have everything. For example, I will not install the MLB (baseball) app on my phone as it wants way too many permissions.

Future: I know of three companies working on releasing a phone running Linux. The Librem 5 from Purism will be $700. It has been delayed a number of times and, as of Jan 2020, was still not finished. It started shipping sometime in 2020. It runs PureOS, has a user-replaceable battery and three hardware kill switches (WiFi & Bluetooth, Cellular baseband, Cameras & mic). The PinePhone from Pine64 runs multiple Linux distros.
It has a removable back cover, a removable battery, and a set of hardware kill switches. It started shipping in January 2020. In Dec. 2020, Brad Linder wrote about new versions of Manjaro, Mobian, and OpenSUSE that all run on the PinePhone. As of January 2022, the first generation sells for $150 to $200 US. The second generation, the PinePhone Pro Explorer Edition, is expected to ship at the end of Jan. 2022. The price will be $600 US, but early buyers get it for $400. More here and here. Necuno Solutions is working on a phone that will be manufactured in Finland.

MOBILE SCANNING AND SHARING

Both Android and iOS want you to keep Wi-Fi and Bluetooth enabled for a number of reasons. Android may well use them both even if they appear to be disabled. And, if they really are disabled, each Operating System has a number of ways to automatically turn them back on. I suggest checking an Android device by searching the Settings for the words "scan" and "scanning". Plus, there are many other options for sharing data that you might want to disable, at least as a starting point, to reduce your attack surface.

IOS CONTROL CENTER SCAM

iOS 11 and 12 have two ways to disable Wi-Fi and Bluetooth. One works, the other is a scam. The Control Center, which is what you see when swiping up from the bottom of the screen, is the scam. The Settings app is the real deal. That is, when you disable these in Settings they are really disabled and stay that way until you re-enable them.

In September 2017, Lorenzo Franceschi-Bicchierai wrote about this: Turning Off Wi-Fi and Bluetooth in iOS 11's Control Center Doesn’t Actually Turn Off Wi-Fi or Bluetooth. Quoting: "Apple wants the iPhone to be able to continue using AirDrop, AirPlay, Apple Pencil, Apple Watch, Location Services, and other features, according to the documentation". As of iOS 12, the Wi-Fi message is "Disconnecting nearby Wi-Fi until tomorrow." When tomorrow? Doesn't say (it's 5 AM local time). And, "nearby"?
There is no such thing as near and far Wi-Fi.

Noted hacker Samy Kamkar tweeted on May 19, 2019: "This is so deceptive. When you 'disable' WiFi and Bluetooth in iOS Control Center and they gray out, they're technically still enabled. Even with Airplane Mode on, your device continues to transmit and your name can even be discovered nearby via AirDrop!". He later added "It's deceptive because it remains active after saying 'Disconnected until tomorrow'. Only the 'normal' Bluetooth functionality returns the following day, the phone itself keeps transmitting privacy-evading, identifiable BLE packets.".

ULTRA WIDE BAND (UWB)

Intro: While Wi-Fi and Bluetooth were designed to transfer data, UWB was designed for precise ranging: a device can measure the distance and direction to another UWB device, which lets devices locate each other in three dimensions. UWB radios are in newer (as of Jan. 2022) Android phones from Google, Samsung and others. On the Apple side, it was introduced with the iPhone 11 (2019) and Apple Watch Series 6 (2020). Perhaps the biggest use of UWB so far is in Apple AirTags and AirDrop.

Pixel 6 Pro: The Pixel 6 Pro now lets you disable a wireless tech you hardly need by Jay Bonggolto (Jan 2022). Starting Dec. 2021, you can turn UWB on and off if you have a Pixel 6 Pro. Other phones? It does not say. UWB is used by Nearby Share and a digital car key feature. The article does not say if this applies to Android 11 or 12 or both. The setting is at Settings -> Connected Devices -> Connection preferences. And how nice of Google to add a feature that could not be turned off.

iPhone 11: From What Is Ultra Wideband, and Why Is It In the iPhone 11? by Chris Hoffman, Sept. 2019. iOS 13.1 on the iPhone 11 has a new Ultra Wideband radio. It is the first smartphone to offer UWB, which only works over a short distance, shorter than Bluetooth. UWB allows an iPhone to precisely detect where objects are in physical space. AirDrop will suggest sharing with other iPhones that you point at. Longer term, it could be used to locate lost objects. Can you turn it off? Don't know.
ANDROID SCAN EVEN WITH BLUETOOTH OFF

These toggles are independent of the main Bluetooth switch: turning Bluetooth off in the quick settings panel does not turn them off.

Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Bluetooth scanning. Description: "Allow apps and services to scan for nearby devices at any time, even when Bluetooth is off. This can be used, for example, to improve location-based features and services."
Android 8.1: Settings -> Connections -> Location -> Improve accuracy -> Bluetooth scanning. Description: "Improve location accuracy by allowing apps and services to scan for and connect to nearby devices automatically via Bluetooth, even while Bluetooth is turned off."
Android 8.1: Settings -> Security and Location -> Location -> Scanning -> Bluetooth scanning. Description: "Improve location by allowing system apps and services to detect Bluetooth devices at any time."
Android 7.0: Settings -> Location -> Scanning -> Bluetooth scanning. Pretty much the same description.
Android 6: Settings -> WLAN -> Advanced -> Scanning settings -> Bluetooth scanning

Nearby Device Scanning: I have seen an Android 8.1 Samsung tablet use Bluetooth scanning to find nearby devices, again, with Bluetooth seemingly disabled. The feature was called Nearby Device Scanning and it was enabled by default. The description said "Scan for and connect to nearby devices easily. Available devices will appear in a pop-up or on the notification panel. Nearby device scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device." The path to the setting was: Settings -> Connections -> More connection settings -> Nearby device scanning.

ANDROID SCAN EVEN WITH WIFI OFF

Android 12: Search the Settings for "Wifi scanning". The text says "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services". See a screen shot of the setting and a warning about it from Android itself.
Warning: turning off this option does not stick. That is, when you do something (I don't know what) it turns itself back on and Android is again scanning for Wi-Fi networks while Wi-Fi seems to be off, but is not.

Android 9: Settings -> Security and Location -> Location -> Advanced -> Scanning -> Wi-Fi scanning. Description: "Allow apps and services to scan for Wi-Fi networks at any time, even when Wi-Fi is off. This can be used, for example, to improve location-based features and services."
Android 8.1 Samsung: Settings -> Connections -> Location -> Improve accuracy -> Wi-Fi scanning. Description: "Improve location accuracy by allowing apps and services to scan for Wi-Fi networks automatically, even while Wi-Fi is turned off."
Android 7.0: Settings -> Location -> Scanning -> Wi-Fi scanning. Pretty much the same description.
Android 6: In the Advanced WLAN section, look for "Scanning always available". Description: "Let Google's location service and other apps scan for networks even when WLAN is off."
Android 6: Settings -> WLAN -> Advanced -> Scanning settings -> WLAN scanning

ANDROID TURN WIFI BACK ON

Android 9: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Turn on Wi-Fi automatically. Description: "Wi-Fi will turn back on near high quality saved networks, like your home network." This requires both Location and Wi-Fi scanning to be enabled.
Android 8.1: Settings -> Connections -> Wi-Fi -> Advanced -> Turn on Wi-Fi automatically. Description: "Turn on Wi-Fi in places where you use Wi-Fi frequently".

ANDROID WIFI AND OPEN NETWORKS

Google wants you on-line even if it means using an insecure open Wi-Fi network. An open network has no encryption at all, so anyone in radio range can read whatever traffic is not separately protected by HTTPS or a VPN. To that end, Android might automatically connect to an open network, or notify you when it finds one. See Connect automatically to open Wi-Fi networks.
Samsung v9 tablet: Settings -> Connections -> Wi-Fi -> Advanced -> turn off Network notification ("Receive notifications when open networks in range are detected").
Google v9 Pixel phone: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> disable Open network notification ("when automatic connection isn't available"). There may also be an option here to Connect to open networks.
Android v8: Settings -> Network & Internet -> Wi-Fi -> Wi-Fi preferences -> Open network notification
This 2017 article does not say what version of Android it applies to. At Settings -> Wireless -> Gear icon are two relevant options: Network Notification and Use open Wi-Fi automatically. Disable each.

ANDROID WIFI AUTO-CONNECT

Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Auto connect to AT&T Wi-Fi.
Android 8.1 AT&T phone: Settings -> Connections -> Wi-Fi -> Advanced -> Hotspot 2.0. Description: "Automatically connect to Wi-fi access points that support Hotspot 2.0"

NFC (Near Field Communication) is yet another wireless option for sharing data, but only between devices within a few centimeters (roughly two inches) of each other. On Android, search the Settings for "NFC". On Android 9, it's at: Settings -> Connected devices -> Connection preferences -> NFC. The description is "When this feature is turned on, you can beam app content to another NFC-capable device by holding the devices close together. For example, you can beam web pages, YouTube videos, contacts and more. Just bring the devices together (typically back to back) and then tap your screen. The app determines what gets beamed." NFC is the basis for Android Beam (aka NFC Beaming), yet another sharing protocol. Not every Android phone supports NFC.

Another reason to disable NFC: Android bug lets hackers plant malware via NFC beaming by Catalin Cimpanu (Nov. 2019). An excellent article. Android 8, 9 and 10 are impacted. The flaw was that an app file (APK) received over Android Beam was treated as coming from a trusted source, so it could be installed without the usual warning about apps from unknown sources. The bug was fixed in October 2019, but few Android devices will ever get the fix. If NFC is needed, you can leave it enabled; just be sure to disable NFC file beaming as explained in the article.

On iOS, NFC is used for Apple Pay and reading NFC tags.
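The Android scanning, auto-turn-on and open-network settings listed above are all backed by entries in the Settings.Global table, which can be read with adb without touching the menus. The script below is an added example, not something from the original page: it dumps those entries and flags the ones that are not in the defensive state. The key names (wifi_scan_always_enabled, ble_scan_always_enabled, wifi_wakeup_enabled, use_open_wifi_package) are the stock Android ones as I know them for Android 8 through 12; vendors sometimes add their own, so confirm with `adb shell settings list global | grep -Ei 'scan|wakeup|open_wifi'` on your device. The SAMPLE_DUMP is constructed to look like a freshly set-up phone, so the script can be exercised without a device attached.

```shell
#!/usr/bin/env bash
# Audit Android "scan even when the radio is off" settings via adb.
# Added example (not from the page). Key names are an assumption; see lead-in.

# key -> value the defensive configuration wants
SAFE_GLOBAL="wifi_scan_always_enabled=0 ble_scan_always_enabled=0 wifi_wakeup_enabled=0"

# Classify one key/value pair; prints ok, BAD or unknown.
# `settings` prints "null" for a key that was never written, which means the
# build's default is in effect and you should check the menu by hand.
judge_setting() {
  key="$1"; value="$2"
  for pair in $SAFE_GLOBAL; do
    k="${pair%%=*}"; want="${pair#*=}"
    if [ "$k" = "$key" ]; then
      case "$value" in
        "$want") echo ok; return 0 ;;
        null)    echo unknown; return 2 ;;
        *)       echo BAD; return 1 ;;
      esac
    fi
  done
  echo unknown; return 2
}

# The open-network key holds the package name of the app allowed to auto-join
# open networks, or null/"" when nothing is allowed.
judge_open_wifi_package() {
  case "$1" in
    null|"") echo ok; return 0 ;;
    *)       echo "BAD (package $1 may auto-join open networks)"; return 1 ;;
  esac
}

# Read "key=value" lines (the format of `settings list global`) from stdin,
# print a verdict per relevant key, return 1 if anything is BAD.
audit_dump() {
  rc=0
  while IFS='=' read -r key value; do
    case "$key" in
      wifi_scan_always_enabled|ble_scan_always_enabled|wifi_wakeup_enabled)
        verdict=$(judge_setting "$key" "$value") || true ;;
      use_open_wifi_package)
        verdict=$(judge_open_wifi_package "$value") || true ;;
      *) continue ;;
    esac
    printf '%-28s %-6s %s\n' "$key" "$value" "$verdict"
    case "$verdict" in BAD*) rc=1 ;; esac
  done
  return $rc
}

# Live run against the first attached, USB-debugging-enabled device.
audit_device() {
  adb shell settings list global | audit_dump
}

# Constructed sample: what a freshly set-up phone typically reports
# (every scan toggle on). Not captured from a real device.
SAMPLE_DUMP='airplane_mode_on=0
ble_scan_always_enabled=1
wifi_scan_always_enabled=1
wifi_wakeup_enabled=1
use_open_wifi_package=null'

# usage: bash android-scan-audit.sh live   (real device)
#        bash android-scan-audit.sh sample (constructed data)
if [ "${1:-}" = "live" ]; then
  audit_device
elif [ "${1:-}" = "sample" ]; then
  printf '%s\n' "$SAMPLE_DUMP" | audit_dump
fi
```

To fix a flagged key from the same shell, `adb shell settings put global wifi_scan_always_enabled 0` works on most builds, but as noted above the Wi-Fi scanning toggle has a habit of turning itself back on, so re-run the audit after a reboot or an OS update rather than trusting a one-time change.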
iOS 12 added background tag reading, where the system automatically looks for nearby tags whenever the screen is illuminated. In Settings, tap "Wireless and Networks" then "More" to see the NFC option. More here and here. This June 2019 article, Apple Expands NFC on iPhone in iOS 13, says there are enhancements to Apple Pay for NFC in iOS 13 and new support for peer-to-peer pairing. That is, just like Android Beam, NFC can be used to transfer movies or music between devices.

Wi-Fi Direct allows two Wi-Fi devices to communicate directly without a router in the middle. It is popular on HP printers and some smart TVs, as I always see some of each when scanning from an Android device. HP printers create SSIDs like "DIRECT-xx-HP OfficeJet 4650"; Sony TVs create SSIDs like "Direct-xx-BRAVIA". Wi-Fi Direct is also enabled on Roku Express devices. Background: What is Wi-Fi Direct? (June 2019).

Android: I have checked a few Android devices and they all enable Wi-Fi Direct without a way to disable it. It seems, however, that Wi-Fi Direct scanning does not happen until you ask for it.
Android 9: Settings -> Network and Internet -> Wi-Fi -> Wi-Fi preferences -> Advanced -> Wi-Fi Direct
Android 8.1: Settings -> Connections -> Wi-Fi -> Wi-Fi Direct
Android 8.1: Settings -> Network and Internet -> WLAN -> WLAN Preferences -> Advanced -> WLAN Direct
Android 7.0: Settings -> Wi-Fi -> Advanced -> Wi-Fi Direct

October 24, 2019: Wi-Fi Direct just became a very big deal. A bug in the Wi-Fi Direct code of the Realtek driver (RTLWIFI) in the Linux kernel lets bad guys crash or hack a Linux/Android device that uses a Realtek Wi-Fi chip and that driver, as long as Wi-Fi is enabled; the device does not have to be connected to any Wi-Fi network. The bug is specific to Wi-Fi Direct, but since Android users can not disable Wi-Fi Direct, affected Android devices are vulnerable whenever Wi-Fi is enabled. Many Android devices will never be patched.

iOS: iOS has supported Wi-Fi Direct since version 7. It is part of AirDrop, AirPlay and AirPrint.
iOS 12: There are no settings for Wi-Fi Direct. When I scanned for nearby Wi-Fi networks, none of the Wi-Fi Direct networks that I could see from Android showed up. When I tried to print a web page, Safari found no AirPrint enabled printers. Perhaps because of the way my iOS device was configured? Don't know.

Google Nearby, aka Nearby Device Scanning, is designed to seamlessly let two Android devices talk to each other. I found this enabled by default on an Android 8.1 Samsung tablet. The description said "Scan for and connect to nearby devices easily ... Nearby devices scanning uses Bluetooth Low Energy scanning and the microphone. Bluetooth Low Energy scanning can be used even while Bluetooth is turned off on this device.". The path to the setting was: Settings -> Connections -> More connection settings. I have read that this also uses Wi-Fi and audio to find nearby Android devices. Creepy. More here, here and here.

Google's version of AirDrop: In August 2020 Google started rolling out a new sharing system for Android. Originally called Fast Share, then Nearby Sharing and finally Nearby Share (the final name). It will work with Android devices running version 6 and later and with Chromebooks. It transfers photos, videos, links and tweets. The recipient has to have the feature enabled and has to approve any transfer before it happens. It uses Bluetooth for device discovery and also requires Location Services to be enabled (not sure if this applies to just the sender, just the recipient or both). There is conflicting information on how data is transferred. One source said it uses Wi-Fi Direct. Another source said it will only work when devices are very close together, perhaps just one foot, which is not true of Wi-Fi Direct. A screen shot here shows it can use "data" (which I assume means 4G/LTE) and/or Wi-Fi and/or transfer off-line. In Jan. 2020 they were working on it. In June 2020, it was in beta testing.
After reading this August 2020 article, it seems too complicated to set up, too complicated to use, miserably documented, and I expect it to be ignored. And, it beats me what this means for the older Google Nearby feature (above).

Update: This was officially released in Aug 2020 and Google blogged about it here. It automatically chooses one of these protocols: Bluetooth, Bluetooth Low Energy, WebRTC or peer-to-peer Wi-Fi. You can configure it so you are either hidden, visible to some contacts or visible to all contacts. Coming soon to Chromebooks. Documentation confirms you must have Bluetooth and Location turned on.

AirDrop on iOS is used for easily sharing files between iOS devices. It is configured at: Settings -> General -> AirDrop. The safest option is to disable it ("Receiving Off"). The most dangerous option is to let anyone nearby send you files ("Everyone"). The third option only lets people in your Contacts send you files via AirDrop ("Contacts Only"). I suggest leaving it off and only enabling it when needed. In July 2021 an airplane was delayed for hours when a teenager used AirDrop to send passengers a picture of a gun.

AirDrop uses both Bluetooth and Wi-Fi. Bluetooth is used to find sharing partners and Wi-Fi, because it's faster, is used to transfer large files. The Wi-Fi is a form of Wi-Fi Direct, thus the two Apple devices do not have to be on the same Wi-Fi network to exchange data. In fact, they don't have to be connected to any Wi-Fi network or to the Internet. See a How To.

WARNING: With Wi-Fi and Bluetooth off, if you enable AirDrop, it turns on both of them without notification. See The feature Apple needs to change in AirDrop (April 2019) and When Grown-Ups Get Caught in Teens' AirDrop Crossfire (June 2019).

Bluetooth on iOS: It was previously known that Bluetooth allowed anyone nearby to learn the current status of the device, device name, Wi-Fi status, iOS version and more.
In July 2019 it was revealed that Bluetooth can leak the phone number when using AirDrop or sharing Wi-Fi passwords. What is actually broadcast is a truncated hash of the number, but there are so few possible phone numbers that the hash is easily reversed. The leaking of phone numbers has been observed in iOS 10, 11, 12 and the beta of 13. You can disable AirDrop, but you have to remember not to share Wi-Fi passwords. More here and here and here.

One of the Privacy Settings in iOS v12 is Bluetooth Sharing. Apps that are enabled for Bluetooth Sharing can share data even when you are not using them.

Android Direct Share: Description: "Share content with specific people directly from the sharing panel in any app. The Direct Share icons will appear at the top of the sharing panel if an app supports this function." Find it on Android 8.1 with: Settings -> Advanced Features. Not sure if this uses Bluetooth, Wi-Fi or what.

iOS 13 has a new "Find My" feature. When an Apple device is offline and sleeping, it sends out a secure (says Apple) Bluetooth beacon that can be detected by any nearby Apple device. These nearby devices (even those that are not yours) phone home to Apple to help you find a lost device. I have read that the Bluetooth beacons are even sent in Airplane mode. Not sure yet how to defend against this (turn off Bluetooth?) or if we even need to defend against it. Too new as of June 8, 2019.

Apple AirPlay: coming ....

BLUETOOTH (Last Update Oct 22, 2021)

There have been many bugs and data leaks involving Bluetooth, so it's best to turn it on when needed, then turn it off when done. Be aware though, as I describe here in the Mobile Scanning and Sharing section, that both iOS and Android may not turn off Bluetooth when you think it's off. Another reason to have it off: If you leave a laptop, tablet or phone in a car, bad guys can scan for cars with Bluetooth devices in them, as per: Thieves Are Using Bluetooth to Target Vehicle Break-Ins by Wes Siler (Dec 2019). Below are some articles about the many bugs in Bluetooth.
Oct 2021: Imperfections in your Bluetooth beacons allow for unstoppable tracking by Cory Doctorow. Rather than a software bug, this is about imperfections in the hardware: manufacturing variations give each radio a slightly different signal fingerprint, and that fingerprint does not change when the device randomizes its address.

Sept 2021: Millions of smartphones, laptops, trucks, planes affected by new Bluetooth flaws - what you need to know by Paul Wagenseil for Tom's Guide. Researchers found at least 16 different Bluetooth flaws. The number of affected devices may run into the tens of millions. At least 1,400 different devices use vulnerable hardware. Many (most?) of the devices will never be patched for assorted reasons. See too, the official BrakTooth website.

Sept 2020: Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw by Catalin Cimpanu for ZDNet. The BLESA (Bluetooth Low Energy Spoofing Attack) vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. It turns out that the official BLE specification did not contain strong-enough language to describe the reconnection process. When previously connected devices re-connect, they are supposed to re-authenticate, but the re-authentication was optional, not mandatory, so an attacker can impersonate a previously paired device and feed the victim spoofed data. Many devices, such as Android and IoT, will never be patched. Windows devices are not vulnerable and Apple has patched iOS.

Sept 2020: Bluetooth Unveils Its Latest Security Issue, With No Security Solution by Shoshana Wodinsky in Gizmodo. The bug is called BLURtooth and there is no patch. The flaw is in Cross-Transport Key Derivation (CTKD) on devices that support both Bluetooth Classic and Bluetooth Low Energy: a key negotiated over one transport can overwrite a stronger key already in place for the other. When a mobile device links to a Bluetooth-powered device, such as speakers, the connection can be hijacked to give an attacker access to any Bluetooth-powered app or service on the phone.

Aug 2019: Bluetooth is bad and you should stop using it from Mashable.

May 2019: Bluetooth's Complexity Has Become a Security Risk by Lily Hay Newman in Wired.

Sept 2017: Hey, Turn Bluetooth Off When You're Not Using It by Lily Hay Newman in Wired.

DESKTOP OPERATING SYSTEM

The most secure operating systems in widespread use are iOS and ChromeOS (the system on Chromebooks). Do not use Windows.
Windows is a cesspool of hacking, ransomware, bugs and vulnerabilities. It has been for decades. With Windows 8, Microsoft lost all credibility. With Windows 10, Microsoft spies on you and has taken control over the installation of bug fixes. And the quality of the bug fixes to Windows 10 is disgraceful, sometimes causing more problems than they solve. There is no Windows topic here because the best defense is avoiding it.

Leo Laporte, aka the Tech Guy, is a bona fide techie. For years, he used all three desktop OSs (Windows, macOS, Linux) and now he also uses Chromebooks. He has always fairly judged the pros and cons of each operating system. But, as of March 2020, he has given up on Windows. Too many bugs, flaws and problems. In discussing a Windows bug on the March 24, 2020 episode of the Security Now podcast he said "I swear to god, I don't run Windows on any machines anymore. It's just ridiculous."

Windows 10 makes it clear that the corporate mind set at Microsoft has changed: they view Windows 10 as their computer, not yours. It is crammed full of junky software that very few people care about, much of which can not be removed. And even the removal is a scam, as the crapware comes back if you log on with a different userid. Likewise, the spying (aka telemetry, customization) can only be partially disabled. Home edition users are forced to beta test bug fixes, and even Professional edition users have limited options for delaying or preventing the installation of bug fixes. Microsoft knows what's best for you, and installs its bug fixes all the time. Only the largest of corporations can fully opt out of the spying, junky software and forced "updates" in Windows 10. How? Microsoft has a clean version of Windows 10 called LTSC (or LTSB) that is sold only through volume licensing, so the public can not get it. See a screen shot of the difference.

Then too, there is incompetence. Examples abound. Consider the monthly bug fixes for Windows that were released in April 2019.
As documented by Woody Leonhard, nine different Windows patches conflicted with four different antivirus products, leading to multiple problems. Quoting Woody: "...whoever made the decision to release the six (now nine) problematic Windows patches either: Didn't know they'd wreak havoc on millions of computers, or Didn't care. You can choose which one's worse."

If you do use Windows, do yourself a favor and follow this advice from Woody Leonhard to delay the installation of bug fixes: The case against knee-jerk installation of Windows patches (June 2019).

If you do use Windows, use portable software when available. A great source is PortableApps.com. Portable software keeps a program and its settings in a single folder, so it is not entangled with the registry and system folders that malware typically tampers with and, most importantly, it can be easily backed up and restored. Normal Windows apps can not be backed up as a unit because they, and their dependencies, are scattered all over.

I agree with the commonly held belief that an Apple Mac computer (macOS) is safer than Windows. However, it is slightly safer, not drastically safer. Both are ancient and the world has changed dramatically since they were designed. On the hardware side, Apple fans have been critical of the hardware in their laptops for many years, especially the keyboards. For more, see the macOS topic.

Start using a Chromebook. Chromebooks are laptop computers that are drastically safer than Windows and macOS. Their operating system, ChromeOS, is the newest of the widely used systems, and Google designed it with security in mind from the start: the system partition is read-only and verified at every boot, and each web page and app runs in its own sandbox. Traditional viruses are essentially unknown on a Chromebook; malicious browser extensions and Android apps are the things to watch for. In addition to security, Chromebooks are extremely reliable. In what is virtually a revolution in computing, Chromebooks require no care and feeding on your part. They self-update quickly and quietly. They don't ask you or even tell you about bug fixes. They just do it. Thus, end users (you) can not screw them up. Chromebooks are not for everyone and not for every purpose. They are perfect for kids, seniors and non-techies.
Chromebooks are the home office of Defensive Computing. You normally use a Google account to log on to a Chromebook, but there is also a Guest mode that anyone can use without logging on.

---------ADDITIONAL CHROMEBOOK INFO-----------

Guest mode starts and ends with a totally clean version of ChromeOS. That is, when Guest mode starts, there is no visible history of anything. Factory fresh, if you will. When Guest mode ends, all activity is removed. Downloaded files, for example, are deleted. It's as if it never happened. Guest mode uses the Chrome browser, but without extensions. You can't even install an extension in Guest mode. It is the most secure environment available to non-techies. It is perfect for online banking, opening suspicious email attachments and avoiding any and all website tracking. Keep in mind that Guest mode protects the machine; it does not stop a convincing phishing page from collecting whatever you type into it.

Originally, Chromebooks just ran the Chrome web browser (simplifying a bit). Later, Google added the ability to run Android apps and, just recently, added Linux apps too. With an Android based emulator app, some Windows programs can also run on a Chromebook (requires an Intel CPU). Guest mode does not run Android, Linux or Windows apps, just the Chrome browser native to ChromeOS.

Every computer company that makes Windows laptops also makes Chromebooks. Most, but not all, models have a touch screen. I suggest going for a touch screen. Models touted as 2-in-1 have a screen that can rotate fully around, letting them function as tablets too. Low end models start around $200. Mainstream models top out around $500, but there are some models that go up to $1,000.

Chromebooks are your best defense against malicious USB flash drives. See the Extra Credit section for more on this.

Google is up-front about how long a Chromebook will get software updates. Details for individual Chromebook models are in their Auto Update policy document. The latest models can get support for six years.
For example, in June 2019, it showed the Acer Chromebook Spin 311 (R721T) would get updates until June 2025.

Chromebooks have a full range of remote control options where they are the controller. This might be used to give a Chromebook access to software that runs on another operating system. However, options are limited for the Chromebook being controlled remotely. The only option for full remote control that I know of is the Chrome Remote Desktop extension from Google. To me, it is a pain to set up and use. There is a Team Viewer Quick Start app for Android that, once it's installed, is very simple to use. It gives view-only access to the entire Chromebook (not just to the Android side) to a remote person.

For more about Chromebooks see:
-- Everything you knew about Chromebooks is wrong by Mike Elgan, May 2018
-- Chromebook security from Google
-- The Handiest Chromebooks For Hardworking Students by Christopher Null, March 2019
-- Wake up and smell the Chrome by me, Aug. 2012
-- Defensive Computing for online finances: Go with Chrome OS by me, July 2012

Linux: Linux on a desktop/laptop computer is relatively safe. Whether it is inherently more secure than Windows or macOS is debatable. OS expert Daniel Micay tweeted "The Linux kernel uses a fundamentally insecure architecture, insecure tools, and has a development culture treating correctness and especially security as an afterthought. It ultimately needs to replaced..." (Oct 2019). Either way, it is a smaller target, which makes it safer in practice. Typically, however, it is not a realistic option. Few computers ship with Linux pre-installed and installing it is too difficult for non-techies. Also, where does a non-techie go with their inevitable Linux questions and problems? And the many distributions (flavors of Linux) and package managers make it even harder to get help. That said, for help picking a distro see Why I Switched From Ubuntu to Manjaro Linux by Dave McKay (Aug 2019).
As for hardware, Think Penguin, System76 and ZaReason offer both laptops and desktops with Linux pre-installed. Purism and Star Labs make just laptops. LAC Portland offers current Lenovo Thinkpads for those of us addicted to their keyboards. As for pricing, Linux laptops are often on the high side. For example, the Librem 13 laptop starts at $1,400. One exception is Pine64, which started taking orders for their $200 PineBook Pro laptop in July 2019. See reviews here and here and here. The Ministry of Freedom in England offers cheap, but older, Lenovo laptops.

On both Windows and macOS, it is safer to log on to the computer as a restricted (a.k.a. limited, standard) user rather than an unrestricted (i.e. administrator, admin or root) user. In each system, restricted users are limited in the changes they can make to the system without approval from an unrestricted user. This limits the damage that malicious software that makes its way onto your computer can do: malware running as a standard user can still read and encrypt that user's own files, but it can not install drivers, change system-wide settings or tamper with other accounts without an admin password. Any computer with a single userid is just asking for trouble. On a new Windows or macOS computer, consider creating two users based on your first name: MichaelAdmin and MichaelRestricted, for example. On an existing computer, create a new admin user, log on to it and then modify the existing userid to be restricted. This does not apply on a Chromebook.

FYI: We can see the progression of operating systems in how they handle software updates. On ChromeOS all software is updated automatically. It is king of the hill in this regard. On Android and iOS, the apps can update automatically, but not the OS itself. On Windows, macOS and Linux, it's chaos.

APPLE MACOS (Last update: April 11, 2022)

I am not a Mac user, so the below is mostly links. If you have an M1 MacBook be very careful when closing the lid, as per: Apple's M1 MacBook screens are stunning – stunningly fragile and defective, that is, lawsuits allege (Sept. 2021)

Bug fixes: How long will a copy of macOS get bug fixes?
None of your business is the official Apple policy. The current version is patched for a year from its initial release, at which point a new version of the OS is released. Apple has no policy regarding bug fixes on old versions of the system. They have somewhat been updating the previous and second previous editions. Somewhat.

Monterey was released October 25, 2021
Big Sur was released November 12, 2020
Catalina was released October 7, 2019

This Nov. 2021 article describes a bug in Catalina that was not fixed for 234 days: PSA: Apple isn't actually patching all the security holes in older versions of macOS by Andrew Cunningham for Ars Technica. This April 2022 article describes bugs that were not fixed in either Big Sur or Catalina: Apple patched critical flaws in macOS Monterey but not in Big Sur nor Catalina by Thomas Claburn of The Register. When asked about it, Apple said nothing. It is estimated that 35-40% of macOS installs run the two older versions of the OS. In addition to the two bugs in the headline, there are dozens of other vulnerabilities in Big Sur and Catalina.

Firewalls: Firewalls control the flow of data on a network, in each direction. For blocking unsolicited incoming connections, macOS includes a firewall, but it is off by default. This is a miserable default. Turn it on with: Apple Menu -> System Preferences -> Security and Privacy -> Turn on Firewall. The safest configuration is "Block all incoming connections" combined with stealth mode; the two are independent options, and stealth mode on its own only stops the Mac from answering probes such as ping. Other options let you specify the apps that are allowed to accept unsolicited input.

For controlling outbound network activity, the Little Snitch firewall is a great product according to everyone. It offers total control over outgoing network traffic. It is not free and the initial setup takes time/effort, as you have to decide what to allow and what to block. Does it also control incoming data? This is not clear from their website. A free outbound firewall is LuLu.
It does not offer quite as much control as Little Snitch, but is still a big improvement over nothing. Using Little Snitch to prevent Apple from spying on you: Minimizing macOS Telemetry by Michael Bazzell (Aug 2021). TripMode (at version 3 as of Feb. 2022) is marketed as a data saver, but really is a firewall. Pricing starts at $15 for one Mac. See a May 2021 review in Macworld.

8 Warning Signs Your Mac Might Have a Problem (and How to Fix It) by Tim Brookes for HowToGeek (Dec 2019)

Walking away: There are a couple of options for what happens when you walk away from a Mac. After some inactivity, it can be logged out. Configure this: Apple Menu -> System Preferences -> Security and Privacy -> Advanced -> Log out after… minutes of inactivity. After it goes to sleep or the screen saver kicks in, it can require a password. Configure: Apple Menu -> System Preferences -> Security and Privacy -> General -> Require password… after sleep or screen saver begins. Choose "immediately" here; any delay is a window in which the unlocked machine can be picked up and used.

Privacy features are at System Preferences -> Security and Privacy -> Privacy.
-- Click the lock icon in the bottom-left corner and enter the macOS password. Then review the options in the left pane and remove permissions that apps don't need. The most important permissions are location services, camera, microphone, input monitoring and screen recording.
-- In the Analytics & Improvements section, uncheck everything in the right pane. Then select Apple Advertising and uncheck Personalized Ads.
-- The MacOS Catalina Privacy and Security Features You Should Know by David Nield (Oct 2019)
-- Take control of your Mac's privacy by Nathan Parker (May 2021). For macOS version 11 aka Big Sur. Some highlights: you can have an icon appear on the menu bar when a system service requests location data, you can enable/disable location services on a per-app basis, app file access can be restricted to specific folders and you decide how much Apple spies on you in the "Analytics and Improvements" section.
To stop Siri from always listening: System Preferences -> Siri -> uncheck Enable Siri

How to Set Up a Recovery Contact on iPhone, iPad, and Mac by Samir Makwana for How To Geek (Dec 2021). For when you forget your Apple ID password or device passcode. Requires macOS Monterey or later.

A common scam on Macs is a pop-up window saying that you need to install a new version of Flash. Don't.

Turn off the Universal Clipboard (aka Handoff) feature because it shares the clipboard with your iPhone. Instructions and background from Quincy Larson.

These programs will save your ass when Mac users need you to remove malware by Kim Crawley (Jan 2018)

The release of macOS Catalina in October 2019 was buggy as heck. Going forward, macOS users should wait a few months before installing a new release. See: How bad is Catalina? It's almost Apple Maps bad: MacOS 10.15 pushes Cupertino's low bar for code quality lower still by Thomas Claburn of The Register, Oct 11, 2019.

Ongoing laptop keyboard problems: In 2017, 2018 and 2019 the keyboards on Apple laptops were miserable (not sure about 2016). In 2020, Apple introduced a better keyboard. The bad keyboard is called "Butterfly", the good keyboard is "scissor-switch". That's in the real world. In the Apple world, the good 2020 keyboard is called "magic". When Apple sells the bad keyboards, as they do when they sell older refurbished laptops, they say nothing at all about the keyboard. Background: Apple's butterfly keyboard failed by prioritizing form over function (May 2020). The New 13-Inch MacBook Pro's Keyboard Really Is That Good (May 2020). Apple apologizes to people having problems with the MacBook's controversial keyboard, CNBC (March 2019). Apple lied to me about the MacBook Air and now we have a problem by Chris Matyszczyk (May 2019).

Buying a used Mac laptop: How to avoid scams and find the best deals by David Gewirtz (August 2019)

Two macOS utilities can warn you when software is using either the microphone or camera.
One is Micro Snitch ($4 as of Sept. 2020) from Objective Development. More here. The other is Oversight from Objective-See (free as of Sept. 2020).

Where to get software from: It is safest to only download software from the App Store run by Apple. Even if this is not possible on a new Mac, limiting new software to the App Store makes sense after the initial setup. Configure: Apple Menu -> System Preferences -> Security and Privacy -> General -> Allow apps downloaded from.

How to Protect Your Mac From Ransomware by Tim Brookes (Aug 2020). Avoid pirated software and software passed around by friends. When possible, get software from the Mac App Store. Back up important files to a device that is off-line when not being used to create the backup. For malware removal use Malwarebytes.

How to Open Apps from Unidentified Developers on Your Mac by Chris Hoffman (April 2017). An intro to the three levels of software trust in macOS: apps from the Mac App Store, apps from Identified Developers and apps from anywhere else.

Setting up a Mac for young children by Mark Stockley of Sophos (Oct 2018)

To run Apple Hardware Diagnostics, press and hold the D key while the system starts up. Can't hurt to do this periodically. Booting to Safe Mode also does a scan for errors. Press and hold the Shift key while the system starts up. Recovery Mode offers assorted utilities including Disk Utility that can check the disk and repair problems. Press and hold Command+R as the system boots up.

FYI: macOS comes with a Wireless Diagnostics tool which can scan nearby networks and provide a summary of channel usage. There are also other advanced features. To see it: press and hold the Option key, then click on the Wi-Fi icon in the menu bar. Look for "Open Wireless Diagnostics". Or, do a Spotlight search for "Wireless Diagnostics".

FYI: macOS Monterey includes a Terminal command that tests the speed of the Internet connection.
To test download and upload speed sequentially use: networkquality -s (there has to be a space before the dash). Replace the "s" with a "v" to test both directions at the same time. More: Test Your Network Speed On a Mac.

Battery: Keeping a laptop battery fully charged at all times shortens its lifespan. Batteries last the longest when operating between 30 and 80 percent charged. AlDente is a menu bar tool that limits the maximum charging percentage (alternate link). For Mac laptops with Intel CPUs, there is a battery feature in the OS. See About battery health management in Mac notebooks.

How to Encrypt and Password Protect Files on Your Mac by Jay Vrijenhoek and Kirk McElhearn of Intego. Last updated April 2021. Covers encrypting: System Data and the Startup Drive, External Drives, Documents and Files, Backups and Files You Send to Others.

VIRUSES: Anti-virus software is needed on macOS. The free KnockKnock program from Objective-See looks for software installed on the system and can run it through VirusTotal.com to check if the software is malicious. It is not an always-on anti-virus program; you run it manually. What to do if you think your Mac has a virus by Karen Haslam of MacWorld (Jan 2022). Covers how to get a free virus scan, how to get rid of Mac viruses for free, and how to avoid getting infected in the first place.

macOS includes a number of security features. See Protecting against malware in macOS from Apple (Feb. 2021). It discusses: the App Store, Gatekeeper, Notarization, XProtect and MRT (Malware Removal Tool). In August 2021, malware called AdLoad was able to bypass both Gatekeeper and XProtect a good 10 months after it was first detected. Details here: New AdLoad malware variant slips through Apple's XProtect defenses (August 2021).

DISK ENCRYPTION: Should a Mac laptop be lost or stolen, the data can be protected with FileVault, which offers full-disk encryption. FileVault was introduced in 2011 (macOS 10.7 Lion).
Configure it: Apple Menu -> System Preferences -> Security and Privacy -> FileVault tab. This gets complicated when there are multiple users defined. More: All About FileVault: Encryption for Your Mac by Peter Cohen of BackBlaze (June 2016). Use FileVault to encrypt the startup disk on your Mac from Apple (Nov. 2018). Encrypt Mac data with FileVault from Apple. Encrypt and protect a storage device with a password in Disk Utility from Apple. When you format an internal or external storage device, you can both encrypt it and protect it with a password.

ERASE HARD DRIVE: One good reason to use FileVault (above) is that it lets you securely erase a macOS hard drive when the time comes to get rid of the computer. Guide to How to Wipe a Mac or Macbook Clean by Andy Klein of BackBlaze (Aug 2021). Erase and reformat a storage device in Disk Utility on Mac by Apple. For macOS 12, 11, 10.15, 10.14 and High Sierra. How to Securely Dispose of Your Old Mac by Kirk McElhearn of Mac software company Intego (October 2021)

Safari: Click on Safari in the menu bar -> Preferences -> Passwords and look for any security recommendations (Oct 2021)

Safari: can automatically delete your browsing history (as of Dec. 2020). On the menu bar, click on Safari -> Preferences -> General tab -> "Remove History Items". While there, also review "Remove download list items" which can automatically remove the names of the files you downloaded. It does not delete the actual files.

Software: Leo Laporte, aka The Tech Guy, recommends Disk Inventory X, a disk usage utility for Mac OS X. It shows the sizes of files and folders so you can easily see which folders are consuming the most disk space. The software is free and open source.

Software: Leo Laporte, aka The Tech Guy, recommends OnyX, a free multi-function utility.
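Several of the macOS items in this section (FileVault, the "Allow apps downloaded from" Gatekeeper setting, and the list of Wi-Fi networks the Mac remembers) can also be verified from the Terminal, which is handy when you look after more than one Mac. This is an added example, not code from the checklist; it assumes the built-in macOS commands fdesetup, spctl and networksetup, and skips any check whose command is not present.

```shell
#!/bin/sh
# Added example (not from the checklist): audit a few macOS settings from the
# Terminal instead of clicking through System Preferences. Assumes the macOS
# built-ins fdesetup, spctl and networksetup; a check is skipped when its
# command is absent (for instance when this runs on Linux).

# Classify the one-line output of "fdesetup status" ("FileVault is On." or
# "FileVault is Off.") as on, off or unknown.
fv_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Classify "spctl --status". "assessments enabled" means Gatekeeper is
# enforcing "Allow apps downloaded from" (i.e. it is not set to Anywhere).
gk_state() {
    case "$1" in
        *"assessments enabled"*)  echo on ;;
        *"assessments disabled"*) echo off ;;
        *)                        echo unknown ;;
    esac
}

# Print the remembered SSIDs from "networksetup -listpreferredwirelessnetworks"
# output, one per line. Line 1 is the header ("Preferred networks on en0:");
# each remembered network follows on its own indented line.
ssid_names() {
    printf '%s\n' "$1" | tail -n +2 | sed 's/^[[:space:]]*//' | grep -v '^$' || true
}

# Number of remembered networks in that same output (0 when only the header).
ssid_count() {
    ssid_names "$1" | grep -c . || true
}

# Find the Wi-Fi interface name (usually en0) from the hardware port list.
wifi_iface() {
    networksetup -listallhardwareports | awk '/^Hardware Port: Wi-Fi/ {getline; print $2; exit}'
}

# Constructed sample of networksetup output, used to exercise the parser
# where the real command is unavailable.
SAMPLE_WIFI_LIST=$(printf 'Preferred networks on en0:\n\tHomeNet\n\tCoffeeShopFreeWiFi\n\tAirportPublic')

run_audit() {
    if command -v fdesetup >/dev/null 2>&1; then
        echo "FileVault (full-disk encryption): $(fv_state "$(fdesetup status)")"
    else
        echo "FileVault: skipped (fdesetup not found; not macOS?)"
    fi

    if command -v spctl >/dev/null 2>&1; then
        echo "Gatekeeper (Allow apps downloaded from): $(gk_state "$(spctl --status)")"
    else
        echo "Gatekeeper: skipped (spctl not found)"
    fi

    if command -v networksetup >/dev/null 2>&1; then
        iface=$(wifi_iface)
        [ -n "$iface" ] || iface=en0
        list=$(networksetup -listpreferredwirelessnetworks "$iface")
        echo "Remembered Wi-Fi networks on $iface: $(ssid_count "$list")"
        ssid_names "$list" | sed 's/^/  /'
        echo "Forget one with: networksetup -removepreferredwirelessnetwork $iface <SSID>"
    else
        echo "Wi-Fi list: skipped (networksetup not found); parsing the constructed sample instead:"
        ssid_names "$SAMPLE_WIFI_LIST" | sed 's/^/  /'
    fi
}

run_audit
```

Remembered networks that you no longer need are the ones to remove with the networksetup command the script prints; the Wi-Fi interface name it detects is an assumption on Macs where the port is not labelled "Wi-Fi".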
It can clean up temp files, verify the structure of the system files, remove problematic folders and files, rebuild various databases and indexes and run other assorted maintenance tasks.

Software: I have heard good things about Malwarebytes for Mac. As of March 2021: it is free for 14 days. After that, one computer is $40/year, but the cost per computer is much cheaper when you buy it for multiple computers.

Software: This August 2021 article suggests using DriveDx to monitor the health of the SSD in a Mac. It costs $20 to use on 3 Macs and there is a free trial.

If you have an Apple ID, then Apple is tracking you. According to Michael Bazzell (Oct 2019) macOS Catalina and Mojave can both be clean installed and used without an Apple ID.

Periodically review the list of Wi-Fi networks your device has previously connected to and remove those you no longer need.

macOS is not a priority for Apple as this story illustrates: On Feb. 22, 2019 a researcher reported a flaw in macOS to Apple. They acknowledged the flaw then stopped responding to his emails. After three months he disclosed the bug. After four months Apple still had not fixed the problem.

CHROME OS (Last update: January 19, 2022)

ChromeOS is the operating system on Chromebook laptops and Chromeboxes (tiny desktop computers). Configuration settings for ChromeOS are in two places. Some are Chrome browser settings, others are ChromeOS settings. The browser settings are available either by clicking the three vertical dots in the top right corner and then clicking on "Settings", or by typing chrome://settings in the address bar. From the initial browser settings screen, click on "Chrome OS settings" to see the other settings.

Suggested Browser Settings:

Set the default Search Engine to something other than Google. Some pre-defined choices are DuckDuckGo, Ecosia, Yahoo and Bing. Note that DuckDuckGo gets its search results from Bing.
Advanced -> Downloads -> "Ask where to save each file before downloading" should be on.

Privacy and Security -> Security -> "Safe Browsing" should be set to "Enhanced protection" for an account used by a child. However, an adult may want this set to Standard or disabled because it requires browsing data to be sent to Google.

Cookies and other site data -> turn on "Block third-party cookies". In the same section, maybe turn on "Clear cookies and site data when you quit Chrome". It does not always work perfectly, but it helps.

Suggested Sync and Google services (in browser settings):

Turn off "Autocomplete searches and URLs"
Turn off "Help improve Chrome's features and performance" which "Automatically sends usage statistics and crash reports to Google"
Turn off "Make searches and browsing better" which "sends URLs of pages you visit to Google"
Turn off Enhanced spell check which "sends the text you type in the browser to Google"
Turn off "Google Drive search suggestions" which lets Chrome access the files on Google Drive to make suggestions in the address bar

Suggested ChromeOS settings:

Just underneath the Preferred search engine is "Google Assistant". Turn it off if you don't use it.
Security and Privacy -> Turn off "Help improve Chrome OS features and performance" which "Automatically sends diagnostic and usage data to Google".
Security and Privacy -> Turn off "Suggest new content to explore"
Advanced -> Languages and inputs -> "Suggestions" -> Turn off "Emoji suggestions"
Periodically: Safety Check -> click the blue "Check now" button to check for missing OS updates, malicious extensions, weak passwords and more.
In the Browser settings -> Cookies and other site data -> See all cookies and site data. This does just what it says. Maybe manually delete stuff here. This page can be bookmarked at chrome://settings/siteData

Bluetooth is enabled by default. If you don't need it, turn it off.
The On/Off switch for it is in the box that pops up when you click in the bottom right corner of the screen.

DNS tip: You can specify an Encrypted DNS provider that works system-wide (for all Google accounts on the Chromebook, and Guest Mode too). As of Chrome OS version 88, do: Settings -> Security -> Use secure DNS. I am a big fan of NextDNS and you can get a free account at their website, nextdns.io. Then, in Chrome, select the Custom option for secure DNS and enter a URL such as https://dns.nextdns.io/zzzzzz/MikeysChromebook where zzzzzz is a NextDNS Profile ID.

Guest Mode Explained: Think of it as private browsing mode on steroids. You start with a virgin copy of the operating system. No Android. No bookmarks. No extensions. Just the Chrome browser. While in Guest Mode, you cannot create a bookmark or install a browser extension. When you log out of Guest Mode, anything and everything you did is thrown away. To save a file from Guest Mode, you have to copy it to a USB flash drive before logging out. This is one of my favorite aspects of a Chromebook. One downside is that you cannot create a VPN connection while in Guest Mode.

Guest Mode tips:

Safe Browsing has three options: Enhanced protection, Standard protection and No protection. Enhanced protection sends browsing data to Google; No protection does not. It is a bit iffy as to whether Standard protection, which is the default (last checked Oct. 2021), phones home to Google. You may, therefore, want to turn off Safe Browsing. To turn it off: Settings -> Security -> Safe Browsing. This has to be done every time you enter Guest Mode.

Turn off the Chrome OS setting "Suggest new content to explore". It is in the Security and Privacy section. The description says that it "...sends statistics to improve suggestions only if you have chosen to share usage data". It is also available from the Address Bar using chrome://os-settings/osPrivacy (Note: case sensitive).
This has to be done every time you enter Guest Mode.

While in the Privacy and Security section, verify that "Help improve Chrome OS features and performance" is disabled. The description says "Automatically sends diagnostic data and usage data to Google".

Turn off Bluetooth while in Guest Mode if you don't need it. This setting seems to stick.

Turn off the Chrome OS setting for "Emoji suggestions". It is at Languages and Inputs -> Suggestions. This has to be done every time you enter Guest Mode.

Turn off the browser setting to "Preload pages for faster browsing and searching". It is in Privacy and Security -> Cookies and other site data.

Maybe change the Search Engine from Google. The only options are Bing and Yahoo! This has to be done every time you enter Guest Mode.

When a Chromebook wakes up from sleeping, it can either be ready to use immediately, or require either a PIN or the Google account password to unlock it. There is no one right choice; just be aware that you can opt for security or convenience. The option is in Settings, look for Screen Lock. It is called "Show lock screen when waking from sleep".

Chromebooks are Wi-Fi creatures, but you can also plug an Ethernet adapter into a USB port and make them more secure by using Ethernet for the Internet connection. It automatically uses Ethernet when available; still, you would be even safer if you disabled the Wi-Fi.

When you first set up a new Gmail account on a Chromebook, there are a number of steps. Here are the highlights (as of Dec. 2020):

Sign in to your Chromebook: enter a Gmail email address here.
There will be a checkbox to review Sync options after the initial setup. I would turn it on, can't hurt.
There is a checkbox to back up to Google Drive that is on by default. No one right answer.
There is a Use Location checkbox under Google Play apps and services. Turn that OFF as it lets Google spy on you. It is on by default. This is the Android side of the house.
You can enable or block Google Assistant.
I think it is a bit more private to have it off. The choice is "No thanks" or "Turn on".
There is an option to sign up for Chromebook SPAM from Google that is on by default. Exactly what this is, is not explained.
If you chose to review Sync settings, you end up at chrome://settings/syncSetup where there is an option: "Make searches and browsing better. Send URLs of pages you visit to Google". This is On by default; I would turn it Off.
After setup you are dumped in a Welcome to Chromebook app. If you want to find it later, it is called "Explore".

Buying a Chromebook? In November 2020, Kevin C. Tofel warned (Getting your first Chromebook? Here's a buying guide of what to look for) that Amazon lists many old Chromebooks as "new", "newest" or "2020" models, when in fact, they are not.

Buying a Chromebook? Check how long it will get bug fixes from Google here. In June 2019, the Chromebook with the longest support window had an expiration date of June 2025.

Have a Chromebook? See How To: Check How Long Until Your Chromebook Stops Getting Updates.

Own a Chromebook? Starting around Feb. 2020, the expiration date of the Operating System will be displayed in the About Chrome OS section. Click/press on "Additional Details".

Kids on a Chromebook:

Google has a SafeSearch option designed to prevent explicit content from showing up in search results. This is a Google search thing, not a Chrome OS thing. There are no settings on a Chromebook for this. To enable it, log into Google or Gmail and go to google.com/safesearch

Settings -> Privacy and Security -> Security -> "Safe Browsing" should be set to "Enhanced protection" for an account used by a child. However, an adult may want this set to Standard or disabled because it requires browsing data to be sent to Google.

How to securely set up your own Chromebook for your kid's remote school learning by Kevin C. Tofel (April 2020). The process starts at Settings -> People -> Parental Controls -> "Set up" button while logged on as the child.
Family Link is the name of this feature and it lets adults allow access to only specified websites, limit screen time and approve/block Android apps. The adult gets prompted to install the Family Link mobile app on their phone; it is optional. How to prepare a Chromebook for your child with Family Link controls by Shubham Agarwal (Nov 2020).

Kids: Manage your child's account on a Chromebook from Google. It's complicated, lots of options.

Thinkpad Chromebook: In February 2021, Lenovo released the first Chromebook with a Thinkpad keyboard. These are great keyboards. I blogged about my disappointment with the keyboard in the Chromebook in April 2021: First impressions of the Lenovo Thinkpad C13 Chromebook. It is expensive for a Chromebook and, if the keyboard is the attraction for you, not worth the money.

Printing was never great from a Chromebook, but it has gotten better over time. HP printers work well. Canon does not seem interested in supporting Chrome OS. To add a printer, click the main menu button (bottom left corner) and in the search box type "add printer". Some printers can be found and configured automatically. My Canon laser printer was found, but had to be manually configured. That said, the only necessary configuration was providing the IP address of the printer. The default IPP protocol worked and so did the default queue of IPP/Print.

Some usability tips:

To see the extensions installed in the Chrome browser enter chrome://extensions
The ChromeOS task manager is available at both Escape+Search or three vertical dots in top right corner -> More tools -> Task manager
If text on the screen is too big/small: Chrome OS Settings -> Device -> Displays -> Display Size
If text on the screen is too big/small: Browser Settings -> Font size
Mouse pointer too small? Chrome OS Settings -> Advanced -> Accessibility -> Manage accessibility features -> Show large mouse cursor

If things go really bad: Fix hardware and system problems from Google. Recover your Chromebook from Google.
Covers removing and reinstalling the OS. Reset your Chromebook to factory settings from Google, about Powerwashing.

FYI: A Chromebook can take dictation. When the option is enabled, a Microphone button will appear in the bottom right corner of the screen next to the time and the Wi-Fi indicator. Enable it: Chrome OS Settings -> Advanced -> Accessibility -> Enable dictation (speak to type).

FYI: As of ChromeOS version 90, released April 2021, there is a new Diagnostics app that shows info about the battery, CPU and RAM memory. It also offers tests of each. Find it by searching for "diagnostics" in the search box that pops up after clicking on the start button/circle. The official term for this search box is the "Launcher search bar".

FYI: How to revert Chrome OS to a prior version on a Chromebook by Kevin C. Tofel (Feb. 2022)

FYI: You can transfer files from an Android device to a Chromebook using a USB cable.

FYI: Multiple peeks into the internals of ChromeOS are available from chrome://chrome-urls. Perhaps the most useful is chrome://device-log.

APPLE IOS (Last update: May 5, 2022)

iOS users should hold off installing new versions of the operating system for a few weeks. By new version, I mean the major versions such as 13, 14 and 15. iOS version 13, in particular, was a disaster with a flood of bug fixes in the weeks just after it was released. iOS 15 had three updates in the first month after it was released. For updates such as 14.4 and 14.5, wait a few days before installing. Minor updates, such as 14.5.1, should be installed immediately.

Apple can read anything that is backed up to iCloud. To control what is sent to iCloud: Settings -> YourName -> iCloud where there is a huge list of apps. Disable those you don't want in iCloud. Also: Settings -> Privacy -> "Analytics & Improvements" and turn off "Share iCloud Analytics".
You can disable iCloud completely and make local backups to a computer. How Apple Can Read Your Encrypted Messages by Jake Peterson of LifeHacker (Oct 2021). The security hole is in iCloud Backup, which can be disabled on your iOS device. However, you cannot know if it is enabled on the device you communicate with.

iPhone apps no better for privacy than Android, Oxford study finds by Paul Wagenseil for Tom's Guide (Oct 2021). Apps on iOS and Android track and profile you equally.

New study reveals iPhones aren't as private as you think by Paul Wagenseil of Tom's Guide (March 2021). The study looked at the operating system, not apps. Android phones collect more data by volume, but iPhones collect more types of data. Both systems transmit telemetry, despite your explicitly opting out. iOS transmitted device location, the local IP address and the Wi-Fi MAC address of other devices on the local network. Even when logged out of an Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple's analytics servers along with info about nearby devices on the same Wi-Fi network. When queried, Apple said nothing. iOS 13.6.1 was tested.

You should know: When you 'Ask app not to track,' some iPhone apps keep snooping anyway from the Washington Post (Sept 2021). Techies knew this all along; this article explains it to the general public. An interesting point is that when the paper reported bad apps to Apple, Apple did nothing. You can see the gory details for a few iOS apps at privacyreview.co. The article offers one lousy sentence on defense. See the section below on system-wide ad and tracker blockers.

For people most at risk of being spied on: How to defend yourself against the powerful new NSO spyware attacks discovered around the world by the Security Team at The Intercept (July 2021). Long article, no summary would do it justice. Still: do not click on unknown links, practice device compartmentalization, use a VPN, use non-default web browsers.
Scams often make it seem as if a response is needed immediately.

These two articles, about the iVerify app from security firm Trail of Bits, have the exact same title. In This app will tell you if your iPhone has been hacked (Dec 2020) Adrian Kingsley-Hughes highly recommends the app. It costs $3 and includes how-to guides, tips, tricks and tweaks for improving privacy and reducing the chances of getting hacked. See also This App Will Tell You if Your iPhone Gets Hacked by Lorenzo Franceschi-Bicchierai for Vice (Nov 2019). iVerify requires iOS 12 or later, and is compatible with all iOS devices.

Medical Emergency: First responders are trained to look at phones for emergency contacts and medical information. To configure: Health app -> your profile photo -> Medical ID -> Edit. Fill in anything an emergency responder should know. Make sure "Show when locked" is turned on, then Done. To see it, from the lock screen, tap on Emergency Call and then Medical Info. More here: Emergency contacts on your phone: Set it up right now by Jason Cipriani (Feb 2020).

Emergency SOS (aka Emergency Call): Use Emergency SOS on your iPhone from Apple (December 2021). It calls the local emergency number (911 in US) and you can also add emergency contacts who will be texted. And: Make emergency calls on iPhone from Apple. For iOS versions 15, 14, 13 and 12 as of Jan. 2022. More: Emergency SOS on iPhone: How to set it up and activate by Britta O'Boyle (May 2021) and How to Set an Emergency Contact on iPhone (and Why) by Tim Brookes (Nov 2021).

TEXT SIZE: can be adjusted system-wide at Settings -> Display & Brightness -> Text Size

CLIPBOARD: All apps can read the clipboard, even when they are not running. This flew under the radar until June 2020 when beta versions of iOS 14 started reporting on it. Many apps were doing it. The camera app embeds your location in every photo. Copy a picture and apps can learn your location without having location access.
There is no defense (that I know of) in iOS 13. In iOS 14 there is a warning; not yet (July 4, 2020) sure if there will be a defense. Anything copied to the iOS clipboard/pasteboard can be read by any app. If a picture is copied, then GPS location information, which is embedded in the image, is easily available to apps. Tested with iOS 13.3. Apple was told about this in Jan. 2020 and they will not change anything. The defense should be to deny the camera app access to location information, but iOS cannot do that. From: Security demo reminds iOS users that any app (or widget) can read the clipboard silently by Benjamin Mayo (Feb 2020)

iOS Defenses: Both articles cover a lot of ground. iPhone privacy checklist (2021 edition) by Adrian Kingsley-Hughes for ZDNet (Jan 2021). How to stay as private as possible on Apple's iPad and iPhone by Jonny Evans at Computerworld (Feb. 2019).

iOS Defense video: 13 Things You Should Be Doing To Protect Your iPhone by Gary Rosenzweig (April 2022, 12 minutes, iOS v15). Among the suggestions are setting a SIM PIN, turning on Find My iPhone, ensuring that iCloud backup is enabled, turning OFF both the "Ask to Join Networks" Wi-Fi option and the USB Accessories option. Also, review the many "Allow access when locked" options.

iOS Defense: Dealing with a stolen iPhone (Sept. 2019) by Marc Rogers

iOS Defense: Every now and then, turn the iOS device off and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. It is not a perfect defense, but the NSA recommends rebooting/restarting a phone every week. Reboots to install bug fixes count. More: Turn off, turn on: Simple step can thwart top phone hackers by AP News (July 2021)

iOS Defense: How Jamie Spears Spied on Britney Spears Through iCloud by Lorenzo Franceschi-Bicchierai (Oct 2021).
Using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. All that is needed is the password for the Apple ID of the victim. The article describes detecting this and stopping it. In a browser, I suggest (not in the article) a Chromebook running in Guest Mode. Login to iCloud.com -> Account Settings -> My Devices.

iOS Defense: Advice on AirDrop is in the Mobile Scanning section.

iPhone 12: Why you should keep your bank cards away from an iPhone 12, The Star (Nov. 2020). Hint: the very strong magnets on the back side of the phone.

Wi-Fi: Some Wi-Fi devices will re-join a network (SSID) they have seen before. To prevent this, after using a public Wi-Fi network, tell the operating system to Forget it. On iOS version 14, remembered networks are in Settings -> Wi-Fi -> My Networks. Click the blue "i" in the blue circle, then click "Forget This Network". Also in the Wi-Fi Settings of iOS 14, change "Auto-Join Hotspot" to Never, and "Ask to Join Networks" should be either Notify or Ask.

FYI: The battery health information Apple provides in the iOS Settings (Battery -> Battery Health) is meaningless. From: Confirmed: Your iPhone is lying to you by Adrian Kingsley-Hughes for ZDNet (Jan 2022).

VPN bug: A bug in VPNs on iOS 13 and 14 was first made public by ProtonVPN in March 2020: VPN bypass vulnerability in Apple iOS. As of Nov. 2020 the bug still exists. The problem is a VPN leak: some data leaves the device outside of the encrypted VPN tunnel. ProtonVPN suggests a work-around: connect the VPN, turn on airplane mode, turn off airplane mode.

Safari: iOS 14 introduced a Privacy Report that shows which trackers attempted to follow you and which ones it blocked. To see it, tap the "aA" at the left side of the address bar -> Privacy Report. Tweaks are at Settings -> Safari:

Turn on Prevent Cross-Site Tracking.
More: How to view website trackers in mobile Safari by Lance Whitney (Oct 2020)
Turn off Privacy Preserving Ad Measurement
Turn off the AutoFill options
Turn off Quick Website Search and Preload Top Hit
Turn off Search Engine Suggestions and Safari Suggestions because they send some search queries to Apple
Maybe change the Search Engine. DuckDuckGo does not spy on you, but it uses Bing for search results
In the settings for websites section: adjust zoom level (no one right answer), set Camera, Microphone and Location to Deny
Ad blocking is in the Content Blockers section. Installed blockers, such as Lockdown or 1Blocker, need to be enabled here. For more: Best ad blockers for iPhone and iPad in 2021 by iMore.

Tip: Periodically (monthly?) erase Safari's memory (think the movie 2001). Advanced -> Website Data -> click the red "Remove All Website Data".

Tip: The Safari web browser is a prime target for hackers and there have been a number of vulnerabilities with it, such as this one (Jan. 2020), so you may be safer using a browser that is a lesser target, such as Firefox or Firefox Focus.

Tip: When you long-press on a link, you see a preview image of the target/destination website. To instead see the URL, look in the top right corner of the preview for a "Hide preview" link. Click it. More.

For extreme privacy settings see Apple iOS 15 Privacy Guide by Michael Bazzell (Sept 2021)

iOS 15.2 (released December 2021):

The new App Privacy Report strikes me as a big deal. It opens the black box of what apps do. You can see how often apps access Contacts, Camera, Location, Photos and the Microphone. It also shows network activity, which is great for anyone able to block domains in their router. Off by default. Turn it on: Settings -> Privacy -> App Privacy Report. One flaw: network activity is not seen in the report when using a VPN. Another bug: it calls an IP address a domain. More here (Nov 2021) and here (Jan 2022).
The new Legacy Contact feature allows you to specify who can access your Apple account when you die. Configure: Settings -> Your Name -> Password & Security -> Legacy Contact. There can be up to five people. More: The iPhone Feature to Turn On Before You Die by Joanna Stern in WSJ (Dec 2021) and Data that a Legacy Contact can access from Apple.

iOS 15 (released September 2021):

The new App Privacy Report will show how many times an app has accessed these already-restricted things: location, photos, camera, microphone, and contacts. Eh. What is new and important is that it will report on the domains the app phones home to, and how often. We will finally be able to see the apps reporting on us to ad/tracker companies. However, there is no blocking of the spy domains. For that see the section below on system-wide ad and tracker blockers. To enable it: Settings -> Privacy -> Record App Activity

How to Set Up a Recovery Contact on iPhone, iPad, and Mac by Samir Makwana for How To Geek (Dec 2021). For when you forget your Apple ID password or device passcode.

The new Hide My Email feature will create random alias email addresses. For more see the topic of Multiple Email Addresses in the email section.

The new Private Relay feature is very limited. It will hide your public IP address, but only while using Safari. This means Apple sees all your web browsing. Only available if you pay for iCloud. It is not clear if it adds any layers of encryption. A VPN is a better way to hide your public IP address.

New "Shared with You" feature. Settings -> Messages -> Shared with You. Maybe disable sharing in some apps.

By default, iOS 15 on an iPhone 11 and newer does not completely turn off. See How to Find Your Lost iPhone, Even If It's Turned Off from LifeHacker (Oct 2021). Even off, it will send out Bluetooth Low Energy beacons for the Find My feature. If your iPhone is stolen, this is good news, as bad guys immediately turn them off.
If you don't want the phone location to be public, then the big hammer is to disable the Find My feature. Or, when the phone is being shut down, look for a new button "iPhone Findable After Power Off" and click it. I tested this on an iPad running iOS 15 and there was no new button at shutdown, so it seems to be iPhone only.

Settings -> Passwords. Turn off the AutoFill Passwords option. Also look at any Security Recommendations.

The new Focus feature is an improved version of Do Not Disturb that lets you set up different Focus modes for different tasks like work, reading, sleeping, etc. Each Focus allows you to choose which apps and which people can send you notifications. Configure this at Settings -> Focus. The plus icon creates a new Focus.

You can change the default browser or email client in Settings. For a browser, click on any installed browser, then "Default browser app".

You can change the size of the font on an app-by-app basis. First, you have to add the Text Size option to the Control Center. Do this at Settings -> Control Center -> click the green circle with a white plus sign next to Text Size. In the Control Center the icon is two As, one big, one small. Then run an app that you want to change, open Control Center and indicate that the change is only for the one app.

Email tracking: to block tracking pixels and hide your public IP address: Settings -> Mail -> Privacy Protection -> Protect Mail Activity. Only applies to the iOS Mail app. More.

AirTags (new in iOS 14.5):

Beware poisoned Apple AirTags that exploit unpatched "Lost Mode" flaw by Graham Cluley (Sept 2021). Apple has known of this bug for four months and not fixed it. AirTags can be put in Lost Mode. If someone finds the tag, they can scan it with NFC and be taken to a unique page for the tag at found.apple.com which has the owner's phone number. But bad guys can put scripts in the phone number field that manipulate the Apple website to trick a Good Samaritan. Details from Bobby Rauch.
If you are moving, an AirTag can track your stuff. See Army wife uses AirTag hack to track her movers while PCSing (Jan. 2022).

Apple's AirTag trackers made it frighteningly easy to 'stalk' me in a test by Geoffrey Fowler for the Washington Post (May 2021). The article is behind a paywall. A big point in the article is that Apple does not do enough to prevent AirTags being used for domestic abuse. In a test in San Francisco, the AirTag updated its location every few minutes. When moving, the location was accurate to half a block. When stationary, it was precise. Video from the above article: Apple's AirTags could be used by stalkers. Here's how to protect yourself.

What to do if you find an AirTag or get an alert that an AirTag is with you from Apple (April 2021). How to learn the serial number of an AirTag. It requires NFC and will work on Android too. Note that making a detected AirTag play a sound often failed in Fowler's tests (above).

AirTag stalking defense: Use a Bluetooth scanner to locate the Bluetooth devices near you. An Apple AirTag will show as being made by Apple. Once you find the AirTag, you can take ownership of it if you have an iPhone (or destroy it with a hammer). The LightBlue® scanner by Punch Through Design is available on iOS and Android. On Android, Location must be on system-wide for the app to work. From the Privacy, Security, & OSINT Show - Episode 219 by Michael Bazzell (June 2021) and How to Scan for Nearby AirTags Using an Android Phone by Chris Hoffman (May 2021).

AirTag stalking, no defense: AirTags are supposed to beep after 3 days (later changed to 1?) to warn people of their presence. But the speaker in an AirTag can be physically removed.

Android users can detect AirTags with the free AirGuard app from Secure Mobile Networking.
Note that there is another app with the same name.

iOS 14.5: (released April 2021)

You can disable some system apps such as Safari, FaceTime, AirDrop, Siri and more with Settings -> Screen Time -> turn on Content & Privacy Restrictions -> Allowed Apps. You can disable Apple Advertising in the same section: Settings -> Screen Time -> Content & Privacy Restrictions -> Apple Advertising.

Settings -> Privacy -> Tracking and choose if apps should ask for permission to track you or if tracking should be banned system-wide. Note that this is a scam, apps still track you regardless of this setting.

There is a new App Privacy section for iOS apps. Review it before installing any new app. Maybe review it for existing apps too.

iOS 14:

Some defensive improvements introduced in v14: realtime notice when any app uses the microphone or camera. Lists apps that recently accessed each. Realtime notice when an app accesses the clipboard. An app can be given access to one picture only. LAN access controls. Only allow an app access to your approximate location. Warns of hacked passwords in the Keychain. Somewhat randomized MAC addresses. Relevant articles: 8 Privacy Features iOS 14 Users Need to Know by Lance Whitney (Oct 2020) and iOS 14 Privacy Features: Approximate Location, Clipboard Access Warnings, Limited Photos Access and More by Juli Clover (Oct 2020).

Settings -> Privacy -> "Analytics & Improvements": turn off all three options (Share iPad Analytics, Improve Siri & Dictation and Share iCloud Analytics).

Settings -> Privacy -> "Apple Advertising": disable "Personalized Ads". While there, click on "View Ad Targeting Information". It might be interesting.

Settings -> Privacy -> Tracking -> turn off "Allow Apps to Request to Track".

Settings -> Privacy -> Location Services: If Location Services is enabled, then for each app that is allowed to use location data, turn off "Precise Location" except for a mapping app. At the bottom of the list of apps is "System Services".
In this section, turn off the options under "PRODUCT IMPROVEMENT" (iPad Analytics, Popular Near Me, Routing & Traffic, Improve Maps). If Location Services are off, turn it on to make these changes, then disable it again.

Review everything else in Settings -> Privacy.

Most people (not everyone) want apps to be automatically updated. This is controlled at Settings -> App Store -> App Updates.

Settings -> Siri & Search. Siri is like the Borg. To disable Siri, use either "Press Home for Siri" or "Press Side Button for Siri". Maybe disable Listen for Hey Siri. Maybe delete Siri & Dictation History. Maybe delete some or all of the four types of Siri Suggestions. Then it gets ugly. Siri wants to spy on every installed app to learn how you use the app and include data from the app in Siri searches. For every app, you have to configure it to block Siri from assimilating the app. Ugh. If nothing else, block Siri from financial apps. Probably a good idea to block web browsers too.

A new Private Address option was added to the definition of each Wi-Fi network. This creates a MAC address that is used only on that specific Wi-Fi network. Previously the same MAC address was used on every Wi-Fi network. Good news: it is on by default.

Settings -> Notifications -> Show Previews. Opt for either "When Unlocked" or "Never" to prevent notifications from leaking information you don't want strangers to see. Or, in the same section, configure notifications for individual apps.

If you use the Apple Mail app: Settings -> Mail -> Privacy Protection and turn on "Protect Mail Activity".

iMessage: choose how long to keep old messages at Settings -> Messages -> Keep Messages.

iOS 13:

Silence unknown callers is a great feature. If someone who is not in your Address Book calls, the phone will not ring and the call will go to voicemail. The call does show up in the Recent Calls list. Enable it: Settings -> Phone -> Silence Unknown Callers.

Review everything in Settings -> Privacy.
This includes the "Analytics & Improvements" section, where I would turn off all three options. In the Advertising section, turn on "Limit Ad Tracking" and reset the Advertising Identifier periodically. In the Location Services section, click on System Services and then turn off the three options under "PRODUCT IMPROVEMENT".

For the iPhone 11 only: Settings -> Privacy -> Location Services -> System Services -> Networking and Wireless has a new Location toggle for the ultra-wideband service. This was a bug fix because the U1 chip was broadcasting your location even with the normal location settings turned off.

Parental Controls: Guided Access can limit iOS to a single app. Enable it with: Settings -> Accessibility -> Guided Access.

Parental Controls: Screen Time can set all sorts of limits. Enable it with: Settings -> Screen Time. Prevent kids from using certain apps, installing new apps, disable in-app purchases, block access to certain websites and control who kids are able to contact. It also does assorted usage auditing. More from Apple (Dec 2019) and Macrumors (Dec 2019).

iOS 13.2 tips: Bad iPhone battery life? Here's how to diagnose and fix battery drain issues by Adrian Kingsley-Hughes (November 2019).

As of June 6, 2019 it is early on this. Sign up for a website or app with your Apple ID and there is a new option to hide your email address. Do so, and Apple will create a new email address specifically for the one website or app. When the site or app sends you email, Apple forwards it to your real email address. Good thing? The downside to this is that Apple has access to your email and knows what apps and websites you use. See the Extra Credit section for better options.

You can set an iOS device to erase all data after too many failed attempts to enter the PIN/passcode. In Settings, go to "Touch ID & Passcode" or "Face ID & Passcode". Then, enable "Erase Data". It seems the only choice in both iOS 13 and 14 is 10 bad passcodes.
The Jumbo privacy assistant is an iOS app to increase your privacy on Facebook, Twitter, Amazon, Google and Alexa. It was released in April 2019. It adjusts the 30-odd Facebook privacy settings, deletes old tweets, erases Google Search history and deletes the voice recordings stored by Alexa. More. Geoffrey Fowler, of the Washington Post, who focuses on Privacy, said it was his favorite app of 2019: "In clear language and colorful illustrations, it explains the real choices we have and makes recommendations like you'd get from a really clued-in friend." They also go by withjumbo.com.

One thing to learn from Jeff Bezos having his iPhone hacked is to periodically check the data used by the apps on your phone. I don't know if this is possible on an iPhone.

Create password protected photos: The Lock Note feature of the Notes app can password protect Notes. Each Note can contain one or more photos. There is one password for all protected Notes. In iOS 15: First do Settings -> Notes. Disable "Save to Photos" so that photos inside a note do not appear in the camera roll. In the Password section, verify that it says "Require a password to view locked notes". Then, open the Notes app, create a new note, tap the camera icon -> Take Photo or Video. To password protect the Note, click the three dots in a circle (don't blame me), then Lock, then enter the password. The first time you lock a note, you can also enter a password hint. In Settings, there is also an "On My iPad" account, but it's not clear to me what this does. If you have existing photos, then see How to Password Protect Photos on iPhone and iPad by Benj Edwards (Oct. 2020). Cheatsheet: create a note, insert photos into the note, then lock the note with a password ... then go to the Photos app and delete the images you just password-protected ... then go to the "Recently Deleted" folder in the Photos app and delete them there too. Locked notes are stored encrypted.
Location tracking: All the Ways Your Location Can Be Tracked on an iPhone, July 24, 2020, How-To Geek. Covers Find My iPhone, Sharing Locations With People, Apps You've Given Location Access To, Photos With Location Data, Bluetooth Tracking Beacons and Cell Towers. Fails to mention Wi-Fi, which can also be used to learn the location of an iPhone.

June 18, 2020: On iOS 13.5.1 (tested on an iPad) it seems that it is no longer possible to block the camera from storing location information.

Block the camera from having access to location information: Settings -> Privacy tab -> Location Services -> Camera -> select Never. To check if a photo includes location info: swipe up while viewing the picture in the Photos app. If it does have location info, there will be a map. To share the photo without location info, click the share button, click Options near the top of the screen, then switch off the toggle for Location.

To blur your home in Apple Maps, either send email to mapsimagecollection at apple.com with your home address and an explanation of why, or, in iOS, tap the Info button (blue letter "i" in a white circle with a blue border) in the upper-right corner, then tap on Report an Issue.

Express Transit is an Apple Pay feature that makes it easy to pay for transit rides in a handful of cities. Maybe too easy. In Jan. 2020, some NYC subway riders were double charged. See How to Set Up Express Transit With Apple Pay.

To require a password before using an app, see How to Lock Apps on iPhone and iPad by Rosa Reyes (Nov. 2019). Covers five different techniques that work with iOS 13, iOS 12, iOS 11 and earlier: Screen Time, Restrictions (aka Parental Controls), Guided Access, Touch ID / Face ID and, on jailbroken phones, third-party apps.

Beware of file conversion apps. Some 23 iOS file-conversion apps used by 3M people fail to encrypt documents by Ben Lovejoy (Feb 2020).

Backup: Back up iPhone by Apple for both iOS 13 and 12. No date. From their iPhone User Guide.
System-wide ad and tracker blockers:

The Guardian Firewall + VPN app from Sudo Security blocks trackers, phishing, malware and page hijackers. It does not claim to block ads. The app is free to install, and shows what it would block if you paid for the app. You can pay by the day, month ($10), quarter or year ($100). The paid app is a real VPN. Blocking is done at the VPN server, not on the iOS device. From a trustworthy source. See About the Guardian iOS Firewall App by me (Aug 2019). Website: guardianapp.com

The Lockdown app (by Confirmed, Inc) blocks both ads and trackers. It is open source and blocking is free. Blocking is done on the iOS device; nonetheless, it installs as a VPN and can not run alongside a real VPN. When it is active, you do not see a VPN indicator. In my testing I found that the app said it was on even when it was off. It has a blacklist but no whitelist. There is a paid upgrade to a VPN, but the website (lockdownhq.com) says nothing about who created the app and for that reason I can not recommend the paid VPN. As of Feb. 2020, the list of blocked domains had not been updated for 7 months. As of Sept 2021, the list on Github had not been changed since July 2019. They seem to have another website, no idea why.

Both apps log what they block, and you can see the log on the iOS device, but neither pinpoints the app being blocked. Neither logs what they did not block. Both claim to be a firewall, but they are not, at least not in the traditional sense. They are domain blockers. iOS does not have a firewall.

Disconnect has a number of privacy oriented products. Their Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS. No ad blocking. A great feature is that you can block whatever domains you want to block. It can not be used in conjunction with a VPN.

The nextdns.io app competes more with Lockdown than Guardian. I prefer it over Lockdown because it is more functional and more customizable.
To begin with, it logs all DNS activity, not just blocked domains, which helps you create your own blacklist. It also does whitelisting. It can apply to one device, multiple devices or an entire LAN. Logging is both customizable and optional. The app itself can be password protected. NextDNS also does encrypted DNS with DoT and DoH. Like Lockdown, it installs as a VPN, but you do see an active VPN indicator on the status bar when it is running. One drawback is that the logs are not visible in the app; you have to use the nextdns.io website to see them.

In Sept. 2021, I tested v5.14 of Blokada on iOS 14.8 and it did not work at all. I ran some apps and their DNS activity did not show up in the Activity section. Forget blocking. The log showed many errors. The software is free and it blocks nothing by default (poor UI); you have to enable assorted blocking lists. How do you choose among the lists? It installs as a VPN but it is not a VPN. They offer a paid VPN service.

To lock an iOS device, a password/passcode is more secure than a fingerprint or your face. In the US, the government can not compel you to reveal the password. The longer the password/passcode, the more secure.

Block spam texts: The almost-secret hidden iPhone switch that blocks spam text messages and notifications by David Gewirtz (Jan 2020). Settings -> Messages -> turn on "Filter Unknown Messages". The texts arrive, but you are only notified if the sender is in your Contacts. Article comments note that this may not work.

Periodically review the list of Wi-Fi networks your mobile device has previously connected to and remove those you no longer need.

When it comes time to dispose of an iOS device: How to erase your iPhone, iPad, or iPod touch from Apple. Published June 2019 and not updated as of Sept 2021.

Also see the Mobile Scanning and Sharing topic.
Also see the Mobile OS Spying section.
Also see the WhatsApp section.
Also see the Location Tracking section.
Also see the Voice Assistant section for info on Siri.
Apple can read your iCloud backups. To back up an iPhone securely, back it up to a Mac or Windows PC and password protect it. More.

You can tell when a web browser is using a secure encrypted connection. Not so with mobile apps. Apple was supposed to mandate that iOS apps only use encrypted communication. They call this mandate App Transport Security (ATS). But it's a scam and there is no defense.

FYI: iOS network security seems poor and nothing can be done about it. For one thing, TCP/IP ports are closed rather than stealth (see nmap scan). iOS 13, and many earlier versions, seem to have a backdoor. TCP port 62078 is open and can not be closed; there is no firewall in iOS. The port is not listed in TCP and UDP ports used by Apple software products. This open port has been known about at least since 2013 (here and here and here). I tested multiple VPNs (OpenVPN, Windscribe, ProtonVPN, Lockdown firewall and the Guardian firewall) and none blocked access to the port.

FYI: Apple is not honest enough to admit when the software has been abandoned. That is, when there are no more bug fixes being issued because the software is too old. Just like Android, iOS lies and tells you the software is up to date. This October 2019 tweet by Will Dormann has examples.

GOOGLE ANDROID

This section got quite big, so it is not included by default.

ENCRYPTION

For messaging apps, end-to-end encryption is the top of the line. It means that data/files are encrypted before leaving your device and stay encrypted until they arrive at the destination device. End-to-end encryption is offered by Signal, Wickr, Wire, Threema, WhatsApp and others. Be aware, however, that end-to-end encryption does not protect messages stored on the device that sent them or the device that received them. If either device is seized, the messages probably can be read (there may be an app configuration setting for this).
On mobile devices, messages can also leak if: the sender's device was hacked, the recipient's device was hacked, or the recipient is simply not trustworthy and leaks messages, either on purpose or by accident. Even with messages that self-destruct, the recipient can take a picture of their screen showing a message. On Android, someone could be tricked into installing a hacked app from outside the Play store. Even within the Play store, there may be multiple apps with the exact same name. A scam copy of an app can look exactly like the real thing, do what the real app does, but also leak messages.

Mobile is probably not the best place for secure communication. On mobile devices, you can not see the end-to-end encryption, so you have to take it on faith that data is really encrypted. In contrast, with secure websites, the browser indicates when encryption is used and assorted websites can test and verify the encryption. Also, when looking at a website, you can tell what computer you are communicating with. In contrast, this is hidden when using mobile apps. As for erasing messages after you send them, a Chromebook in Guest mode does not have this problem, as everything is erased when you log off. Absolutely everything.

There are at least a dozen software programs that claim to offer secure communication. Amongst techies, Signal is well regarded. Its security is very good, but not perfect. It is worshiped like a religion despite using phone numbers, which obviously identify you, as userids. Another limitation: you can not put the same account on two phones, so all your eggs are in one basket. Techies seem focused on encryption while ignoring anonymity. This is a mistake; it can be critically important to hide who you communicate with. The exact same thing happened with PGP, which encrypted the body of email messages while leaving the sender and recipient visible.
Competing with Signal is Wickr, which does text messaging, audio calls, video calls, file transfer and more.

From my research, Threema seems to be the best encrypted communication app. It does text and voice messages, voice and video calls, groups, distribution lists and file sharing. Users are identified in the system with a randomly generated 8-digit Threema ID. Users must create a username and password to log into the app. Optionally, users can link their Threema account to an email address or a phone number and give it access to their contacts. Optionally. Threema costs $2.99 in the US, a one-time charge. Steve Gibson, of the Security Now podcast, prefers Threema. The Mozilla Foundation gave Threema an excellent rating on their Privacy Not Included website, where they considered it a Best Of product. Sven Taylor of Restore Privacy also liked it. The biggest problem is that not enough people use it.

On the Feb. 21, 2020 episode of his Privacy, Security, & OSINT podcast, Michael Bazzell recommended Wickr over Wire and Signal. For Signal, he suggested using it with a Google Voice number that is only used with Signal. He did not look into Threema.

Arguing against three products: How WhatsApp, Signal & Co Threaten Privacy from TU Darmstadt University (Sept 2020). Researchers performed crawling attacks on WhatsApp, Signal, and Telegram. Maybe not the best choices. Quoting: " ... very few users change the default privacy settings, which for most messengers are not privacy-friendly at all." The Telegram contact discovery service exposes sensitive information even about owners of phone numbers who are not registered with the service. More here.

Signal: This Oct. 2021 blog by Yael Grauer, How To Use Signal Without Giving Out Your Phone Number Using a Chromebook and an Old Phone, points out many of the problems with the Signal app. Her solution is ridiculous and it too shows why Signal is a poor choice.

Signal: If you do use Signal, there are still quite a few dos and don'ts.
This May 2017 article by Micah Lee is a good guide: How to keep your chats truly private with Signal.

Telegram: Telegram Harm Reduction for Users in Russia and Ukraine by Eva Galperin (March 2022). Miserable title; the article is about the security of Telegram. Channels, groups and private groups are not encrypted and thus are visible to Telegram. One-to-one chats are not encrypted by default; they are only encrypted if you turn on "secret chat." Even with secret chat, Telegram knows who you talked to and when you talked to them. The article also has assorted suggestions to increase Telegram security and a warning not to use Telegram when you need to communicate with a group and it is important that no one has access to the data or metadata.

Best WhatsApp alternatives that respect your privacy by Douglas Crawford of ProtonMail (Feb. 2021). An overview and comparison of Signal, Telegram, Threema, Wickr Me, Wire, Element and Keybase.

My suggestion for secure communication is to use plain old simple boring webmail, but only between two users of the same secure email provider. Two good choices would be ProtonMail and Tutanota. Neither company can read messages sent between their customers. Both offer free limited accounts. Using webmail means that the browser can prove that encryption is being used. Webmail can also be used on a Chromebook running in Guest mode. Guest mode offers a virgin OS, with no information about you at all, and it is guaranteed to leave no trace of your actions. I am out of step here with every techie in the world.

Most off-site file services can read your files. They may say that your files are encrypted in transit, but that matters not at all. They may say that your files are stored encrypted, but that too does not matter. What does matter is who can decrypt the stored files. Use Windows? Use the OneDrive feature? Then Microsoft can read the files you store there. Likewise, Apple can read anything stored in iCloud.
And Google can read files stored on Google Drive (used by Android and ChromeOS), Dropbox can read your files too, and Amazon can read files stored on their Drive offering. And, if they can read your files, think what the US Government can compel them to do. To evaluate any file storage/backup service, ask what happens if you lose/forget the password/key. If the answer is that they can't help you, and you have lost access to your data, then the vendor can not read your files. Me? I encrypt my files before sending them off-site.

For encrypting files on a computer running Windows, Mac OSX or Linux, I suggest using VeraCrypt. The software is free and open source. It offers an advanced mode that encrypts entire hard drive partitions, but most people should use the simple mode, which creates a single large password-protected file. You then store your sensitive files inside this file. On Windows, you get access to this big file by "mounting" it, which is nerd lingo for assigning it to a drive letter. I have not used it on Linux or Mac OSX. VeraCrypt is a version of the discontinued TrueCrypt software. See Wikipedia for more.

FACEBOOK (Last Updated May 15, 2022)

No doubt there are many defensive strategies for Facebook, with the strongest one being avoidance. That's what I do. This section may be a bit haphazard because, not being a Facebook user, I can't verify things.

How to block Facebook from snooping on you by Geoffrey Fowler for the Washington Post (Aug 2021). Discusses changes that impact what Facebook and Instagram can learn about you outside of their apps.

There's no escape from Facebook, even if you don't use it, also by Geoffrey Fowler (Aug 2021). Discusses why you want to bother making all the changes in the prior article. Quoting: "It isn't just the Facebook app that's gobbling up your information. Facebook is so big, it has convinced millions of other businesses, apps and websites to also snoop on its behalf. Even when you're not actively using Facebook.
Even when you're not online. Even, perhaps, if you've never had a Facebook account."

Facebook's surveillance is hard to avoid. They partner with websites, apps and stores to track you when you are not using Facebook. Geoffrey Fowler of WaPo wrote about this in Jan. 2020: Facebook will now show you exactly how it stalks you - even when you're not using Facebook. The article is focused on a new "Off-Facebook Activity" tool (see it at facebook.com/off_facebook_activity). To be spied on, you don't have to be logged in to the Facebook app or website. Companies can report other identifying information to Facebook, enough to match you to your Facebook account. Fowler found that Home Depot told Facebook when he visited its online store, viewed an item or added an item to a shopping cart. Other spies he found were The Atlantic, Amazon's Ring app, the Peet's Coffee app and the website for an HIV drug. To limit this: Settings -> Your Facebook Information -> Off-Facebook Activity -> Manage Your Off-Facebook Activity -> Manage Future Activity. Still not done. Click another "Manage Future Activity" button. Curse Facebook. You want the toggle next to "Future Off-Facebook Activity" to be gray. If it is blue, click it, then click "Turn Off".

Basic Privacy Settings & Tools from Facebook. Quite long. Undated.

Giving Facebook less data is a good idea. Even better: Just use it less by Rob Pegoraro in Fast Company (June 2020). You can take some steps to limit how much Facebook knows about you. But as long as you use the service, it can monetize your interests and activity.

To see information Facebook knows about your activity in other apps and on other websites, see Off-Facebook Activity. From Facebook, you can get to the same data with Settings -> Your Facebook Information -> Off-Facebook Activity. This was introduced in Jan. 2020. Fowler (above) suggests clicking on "Clear History" to remove that data.
To have Facebook stop using your off-Facebook activity, look for "Manage Future Activity" and then make sure "Future Off-Facebook Activity" is turned off. Note the word "using": they will still collect the data.

See the devices that are logged in to your account here. It should also show approximately where in the world those devices are located.

The Facebook tracker pixel is JavaScript code that others put on their websites to report back to the Facebook mother ship. The NSA must be so jealous. One way to block this is to block the code from loading by blocking connect.facebook.net and graph.facebook.com in your router. Fowler is not a techie, so he is unaware of this option. I did some research into the domains used by Facebook and would also suggest blocking api.facebook.com, apps.facebook.com, staticxx.facebook.com and web.facebook.com. Not many routers can block websites/domains. One that can is the Pepwave Surf SOHO. Another approach is modifying the hosts file for your OS.

FACEBOOK CONFIGURATION ARTICLES

16 Settings to Make Facebook Less Evil (or at Least More Private) by Pranay Parab for Life Hacker (Nov 2021)

Facebook privacy settings to change now, Washington Post (Sept. 2021)

7 Important Facebook Privacy Settings to Change Right Now by Tim Brookes (June 2021). The article covers: Delist Your Profile from Search Engines, Make Your Friends List Private, Restrict Visibility of Your Older Posts En Masse, Enable Timeline Review, Disable Facial Recognition, Restrict How You Are Found on Facebook, Review Connected Apps and Websites and Preview How Others See Your Profile.

Cybersecurity 101: Protect your privacy from hackers, spies, and the government by Charlie Osborne and Zack Whittaker of ZDNet (Dec. 2020) has some tweaks for Facebook settings.

How to Use Facebook Privacy Settings by Thomas Germain of Consumer Reports. Last updated Sept. 2019.

How To Stop Facebook From Blabbing Out Your Phone Number by Monica Chin (March 2019)

Hands off my data!
15 default privacy settings you should change right now by Geoffrey Fowler in the Washington Post (June 2018). Suggestions from the article: In Timeline settings, turn on the option to review posts you are tagged in before the post appears on your timeline. Settings -> Timeline and Tagging -> Review section -> enable both options. In the Facial Recognition settings, set "Do you want Facebook to be able to recognize you in photos and videos?" to No. In the Ad Preferences settings: Under Your information, turn off ads based on your relationship status, employer, job title and education. Under Ad settings, set "Ads based on data from partners" and "Ads based on your activity on Facebook Company Products that you see elsewhere" to Not allowed. Also, set "Ads that include your social actions" to No One.

The Facebook Privacy Checkup is incomplete. Your profile information should be set to "Friends" or "Only Me" which, in English, means private. Also, set "Future Posts" and "Stories" to "Friends" and click the button for "Limit Past Posts" and select "Limit".

Check the Facebook Privacy Shortcut.

Configure: In Settings -> Your Facebook Information -> Access Your Information -> Profile Information -> About -> Contact and Basic Info, set your birthday to "Only Me".

CONFIGURE FACEBOOK:

Privacy Settings: Profile and Tagging -> Reviewing. Set both items to On.
Change "Who can see your friends list" from Public to Friends or Only me.
Consider only letting friends see your posts rather than making them public.
Consider changing who can send you friend requests. It defaults to Everyone. Another option is "Friends of Friends."
Consider restrictions for "How people can find and contact you."
Turn off Location and Face recognition.
Set the default privacy setting for future posts to "Friends".
Restrict the visibility of your past posts to Only Friends with "Limit The Audience for Old Posts on Your Timeline" -> Limit Past Posts.
Anything that was shared publicly or with friends of friends will be changed.
Set your phone number to "Friends" or "Only Me".
At Ads -> Ad Settings there is much to change. Under "Categories used to reach you", de-select all details about yourself. Remove anything under "Interest categories" and "Other categories". Set "Ads shown off Facebook" to "Not Allowed". Under "Social", select "Only me" for who can see what ads you have liked.

Clearview AI does facial recognition and was profiled in the New York Times (Jan. 2020). They copy pictures from many sources, including Facebook. To block them, change a privacy setting so that search engines can not link to your profile.

Configure: For help configuring Facebook for maximum privacy, consider the Jumbo mobile app. There are links to it in both the iOS and Android topics.

Don't share: your birthday, your current location or that you will be away from home for a while.

Goes without saying: use a long password for Facebook, and one that you do not use anywhere else.

In Ad Preferences you can see how Facebook has categorized you.

Location: How to disable Facebook location tracking by Jack Wallen (Oct 2019). Understanding Updates to Your Device's Location Settings by Facebook (Sept 2019) is about new Location settings in Android 10 and iOS 13. How to stop Facebook from tracking your location by Lori Gil (March 2018). Thinking bigger, see the section here on Location Tracking.

PERIODIC FACEBOOK MAINTENANCE:

The Facebook Settings page is always changing, so review it from time to time.
Remove old devices that still have access to your account at the Security and Login page, in the Where You're Logged In section.
Remove old apps that still have access to your account at the Apps and Websites page. Settings -> Apps and Websites.

Mozilla created a Facebook Container extension for Firefox. They claim it prevents Facebook from tracking you around the web. What it can not do is block Facebook tracking on iOS or Android.

Are you ready?
Here is all the data Facebook and Google have on you by Dylan Curran for The Register (March 2018) From John Opdenakker (Oct. 2019). If you get a friend request from someone you don't know it's better not to accept it. This might be a scam and your online security and privacy might be in danger. Facebook friends can see all your profile information and even information about your friends. They can abuse this information to scam you and your friends.DELETING FACEBOOK CONTENT How to Delete Your Old Posts on Instagram, Facebook and Twitter by Dalvin Brown in the Wall Street Journal (Feb. 2022). Discusses the Manage Activity feature that was introduced in 2020 to help people remove large numbers of posts.Facebook's Clear History Tools Won't Actually Delete Your Data by Thomas Germain of Consumer Reports (Aug. 2019)QUITTING FACEBOOK: From Facebook: Deactivating or Deleting Your Account. They say that a deleted account will have all the posts and photos removed after a few days. They say. You've decided to quit Facebook. Here’s how to migrate your online life elsewhere. Washington Post (Oct 2021) How to Permanently Delete Your Facebook Account by Brian Barrett of Wired (Oct 2021). Also has info on downloading your data beforehand. The final section How to Limit Facebook Tracking You is un-informed.Smashing Security podcast episode 75: Quitting Facebook with Graham Cluley, Carole Theriault and Maria Varmazis. (April 2018) Background: A Guided Tour of the Data Facebook Uses to Target Ads by Bennet Cyphers of the EFF (Jan 2019). Not much defense offered. Background: How Facebook and Other Sites Manipulate Your Privacy Choices by Arielle Pardes in Wired (Aug 2020). The article is about how companies use Dark Patterns (confusing language, manipulative interface design) to trick people into saying yes, when they want to say no. One cited example is the Facebook Privacy Checkup. And, as a reminder, Facebook bad. In October 2020, Leo A. 
Notenboom had to take a break from Facebook. Quoting: "The divisiveness, the anger, the misinformation, the legions of otherwise rational people ready and willing to accept piles and piles of manure as truth ... become too much" He wrote about using Feedly and RSS as a substitute in My Solution to Social Media Overload.If You're Not Terrified About Facebook, You Haven't Been Paying Attention by Carole Cadwalladr of The Guardian (July 2020) In August 2019 we learned that Facebook Paid Contractors to Transcribe Users' Audio Chats (Bloomberg) just like all the providers of Voice Assistants. Contractors (it's always contractors, never employees) transcribed audio from people who opted in to having their Messenger app voice chats transcribed. Facebook inflated the average time users viewed video on the platform. Facebook to Pay $40M Under Proposed Settlement in Video Metrics Suit October 2019. Professor Scott Galloway summed this up: The viewership metrics were inflated by 150 to 900%. Whole companies shifted their strategy to video. Companies going bankrupt, people losing jobs, FB gets away with 0.18% of annual income ($40M / $22B), a slap on the wrist. Quite a quote about Facebook: "morally bankrupt pathological liars who enable genocide (Myanmar)" (ZDNet April 2019) Facebook does not remove bad guys until they are publicly shamed in a high profile way (Brian Krebs, April 2019) Mark Zuckerberg leveraged Facebook user data to fight rivals and help friends, leaked documents show NBC News April 2019 INSTAGRAM top Not a big user of Instagram personally, so the recommendations below are from others. To delete your stuff in bulk: go to your Profile, tap the menu in the upper right corner, then "Your activity" The Security Checkup feature walks you through: checking login activity, reviewing profile information, confirming the accounts that share login information and updating account recovery contact information. 
Go to your Profile -> menu in the upper right corner -> Settings -> Security -> Security Checkup.

How to Limit Who Can Contact You on Instagram by David Nield of Wired (April 2022)

Have a Hacked Instagram Account? How to Protect Yourself from the Identity Theft Resource Center (Oct. 2021).

How to Use Instagram Privacy Settings by Thomas Germain of Consumer Reports (Nov 2018)

Here's how to view, download, and delete your personal information online by Stan Horaczek (June 2019). Covers Instagram and many other companies.

FROM INSTAGRAM: How to Stay Safe on Instagram (Feb. 2022). Keeping Instagram Safe and Secure. About Security Checkup (July 2021). Multiple articles on Privacy Settings & Information.

AMAZON

Fake reviews, fake products, fake sales and toxic products. Even Amazon's Choice is purposely misleading.

Identifying Whether an Email, Phone Call, Text Message, or Webpage is from Amazon, from Amazon.

Banning sellers: In September 2021, it looked like Amazon was doing something about paid-for reviews: Amazon has removed goods from 600 Chinese merchants for review fraud by Brad Linder. But the ban was flawed: We bought gadgets from Amazon's banned brands and it was a piece of cake by Sean Hollister (Oct 2021)

How to tell real products from scams when shopping online, Washington Post (Oct 2021). A long list of ways to research the seller of a product. Most of the article is not specific to Amazon.

Amazon sells hand sanitizers that people buy as a defense against the COVID-19 coronavirus. To do that job, a sanitizer needs to be 60% alcohol. Many sanitizers have no alcohol and depend on benzalkonium chloride instead. Will Amazon do anything to protect us? No. Not only are ineffective products not flagged as such, there is also price gouging on said products. When queried, Amazon said nothing.
From: You Might Be Buying a Hand Sanitizer That Won't Work for Coronavirus (March 2020) by Marshall Allen and Lisa Song of ProPublica.

Toxic products: Amazon sells dangerous products both from third parties and from their own Amazon Basics line.

August 2019: Huge exposé from the Wall Street Journal: Amazon Has Ceded Control of Its Site. The Result: Thousands of Banned, Unsafe or Mislabeled Products. Subhead: Amazon is unable or unwilling to effectively police third-party sellers on its site. The Journal found 4,152 items for sale that have been declared unsafe by U.S. government agencies, are deceptively labeled or are banned by federal regulators. Big-box retailers would not sell this stuff. Along with the exposé, the Journal published a Defensive Shopping article: Amazon Shoppers: This Is How to Safety-Proof Your Order.

July 2019: A month earlier, Vice had this story: Amazon Won't Stop Selling Toxic Products In the U.S. Amazon knows that some creams and cosmetics are dangerous, yet it allows them to be sold nonetheless, and without warnings. And, this: Amazon is shipping expired baby formula and other out-of-date foods.

October 2020: AmazonBasics Electronics Fire Lawsuit from The Schmidt Firm LLC. A September 2020 investigation by CNN found at least 70 AmazonBasics® products linked to over 1,500 reviews describing serious safety hazards. Nearly 200 of the reviews involved property damage, such as burned walls. CNN warned that many are still for sale, despite Amazon being made aware of the problem. Amazon branded products to avoid include surge protectors, microwaves, USB cords, phone chargers, paper shredders and batteries.

Fake books: What Happens After Amazon's Domination Is Complete? Its Bookstore Offers Clues by David Streitfeld in the New York Times (June 2019). One book publisher bought 34 copies of their book on Amazon, as a test, and 30 were counterfeit. Amazon's business model is to have the same laid-back approach to bad guys as Facebook and YouTube.
Follow-up by Streitfeld (Aug. 2019) about counterfeit George Orwell books: Paging Big Brother: In Amazon's Bookstore, Orwell Gets a Rewrite. Eleven fake books were sold by Amazon as new. The author tried to find a way to report the counterfeit books, but failed.

Fake UL safety certification: An Oct. 2021 tweet by @SwiftOnSecurity: "There appears to be no way to alert Amazon to dangerous products fraudulently claiming UL safety certification. There's literally no mechanism on the largest e-commerce platform to flag abuse."

Fake products: Fake and dangerous kids products are turning up for sale on Amazon by CNN (Dec 2019). Amazon sells both a good infant car seat for $500 and a counterfeit version of it that will kill a kid for $300. Seven different business owners told CNN their products were being actively targeted by counterfeiters.

Fake products: Extra inventory. More sales. Lower prices. How counterfeits benefit Amazon by David Pierson of the LA Times (September 2018). Real and fake products are thrown into the same storage bin. A guy who owns a company bought his own product on Amazon and got sent a fake.

Fake products: Trying to buy a microSD card proved to me that Amazon is becoming a scammers' paradise by Matt Hanson of TechRadar (April 2022). Avoid microSD cards that are too cheap. Bad guys use special software to make the cards appear to have a larger capacity than they actually do. "Once victims realize that they've been scammed, they invariably find that they can't contact the seller to ask for a refund." Some of the scam cards even showed up as 'sponsored' results.

Fake "choice": Amazon's Choice is a label awarded by an algorithm based on customer reviews, price, and, of course, whether the product is in stock. After all, selling is what Amazon does. Two outlets have exposed it as a scam. First: 'Amazon's Choice' Does Not Necessarily Mean A Product Is Good by Nicole Nguyen of Buzzfeed (June 2019).
The article documents many bad products marked as an 'Amazon Choice'. Amazon declined to answer questions about exactly how items are selected. The article also discusses fake products on Amazon. Then: Amazon's Choice Isn't the Endorsement It Appears by the Wall Street Journal (Dec 2019). They examined 27,100 Amazon's Choice items. Nearly 1,600 appeared to have been manipulated to get the Choice label. Worse, many Choice products were dangerous. Some products have safety concerns, some make false claims and some violate Amazon's own policies. Amazon chose the word "Choice" rather than "Recommends" because they knew it was a scam.

AMAZON SPIES ON US

Amazon collects a lot of information about customers. They save everything customers search for, both on the website and with the Amazon app. This information is used in targeted advertising.

Defense: Shop and browse using one browser in Private Mode while not logged in to Amazon. When you find what you want to buy, login to Amazon with another browser (also using Private Mode), copy the URLs of the items you want to purchase into this second browser, buy them, and then immediately log out of Amazon and shut down both browsers.

Defense: You can disable the search history at Amazon.com. Click on the Account and Lists dropdown -> Browsing History -> Manage History and turn Browsing History off. I did this and it did not seem to stick.

Background: The data game: what Amazon knows about you and how to stop it by Kate O'Flaherty for The Guardian (Feb 2022). Excellent statement of the problem, not much on defense. Amazon is so good at figuring out what you will buy next, that they sell their algorithms as a service called Amazon Forecast. Good explanation of why you should not store photos at Amazon.

Defense: Turn off interest-based ads -> Click on the Account and Lists dropdown -> Account -> Advertising preferences (in the Communication and content box).
Here, opt for "Do not show me interest-based ads provided by Amazon".

No Defense: Amazon's Eero routers spy on you. The only way to stop Eero devices from gathering data is to not use them. From: Your Router Is Collecting Your Data. Here's What to Know, and What You Can Do About It by Ry Crist of CNET (Feb. 2022)

Obvious defense: Do not use Alexa, a Kindle, Eero or a Ring doorbell. Use Roku rather than Fire TV.

AMAZON SEARCH RESULTS

Amazon's search results full of ads that may be 'unlawfully deceiving' consumers, complaint to FTC claims by Cat Zakrzewski and Jay Greene of The Washington Post (Dec 2021). Because Amazon does not clearly label sponsored search results, consumers could be deceived into clicking on them without knowing. More than a quarter of the search results on Amazon are paid ads, according to the complaint.

Overflowing with sleaze: Amazon Puts Its Own Brands First Above Better-Rated Products from The Markup (Oct 2021). That Amazon prefers its own brand is no surprise. It prefers its own brands over competitors with higher ratings and more sales. And, it also prefers exclusive products that are not obviously connected to Amazon. They identified more than 150 brands registered by or owned by Amazon where the connection to the company is not obvious. Those are in addition to the hundreds of third-party brands that are exclusive to the site. And, ads in the search results are not all labeled as ads. And, Amazon has been accused of knocking off existing popular products to sell under its house brands.

FAKE REVIEWS ON AMAZON

Posing as Amazon seller, consumer group investigates fake-review industry by Jon Brodkin of Ars Technica (Feb. 2021). Fake Amazon reviews are sold in bulk. A thousand reviews are roughly $11,000. Based on this report by Which?, a Consumers' Association in the UK that does product research and advocacy on behalf of consumers: How a thriving fake review industry is gaming Amazon marketplace by Hannah Walsh (Feb. 2021).

Manipulating Amazon reviews: Inside Amazon's Fake Review Economy by Nicole Nguyen of BuzzFeed (May 2018). There is a vast web of review fraud. Merchants pay for positive reviews. Sellers trying to play by the rules are struggling to stay afloat amid a sea of fraudulent reviews and Amazon is all but powerless to stop it.

This article: Her Amazon Purchases Are Real. The Reviews Are Fake. by Nicole Nguyen (Nov. 2019), profiles a woman who gives 5 star reviews in exchange for keeping the items for free. One take-away is that this activity could be detected by Amazon, if they cared.

Even the FTC is involved: FTC Brings First Case Challenging Fake Paid Reviews on an Independent Retail Website (Feb 2019)

Don't Get Duped! Here's How to Spot Fake Reviews on Amazon by Michael Tedder for Money magazine (March 2021). Some red flags: a flood of reviews in one day and aggressive positivity. Also, click on the profile of the person who wrote a review. If their profile is empty or was created the same day as the review, that's suspicious.

Another reason not to trust Amazon reviews, from one of the above articles, was the story of a one-star review that was removed by Amazon after the buyer got a refund. The buyer could not get Amazon to restore the bad review.

Fake Helpful Reviews: Also from the above article - some sellers hire people to hit the 'Helpful' button on a particular review so that it appears first.

Spotting fake reviews is a skill we all need to learn. Which? magazine has a short video (April 2019). How to Spot Fake User Reviews: Amazon, Best Buy and More by Louis Ramirez (Feb. 2018). Is It Really Five Stars? How to Spot Fake Amazon Reviews by Joanna Stern (WSJ Dec. 2018).

ReviewMeta is a website that analyzes Amazon product reviews and filters out reviews that look unnatural. It also recommends similar products with trusted reviews.
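The red flags above (a flood of reviews in one day, reviewer profiles created the same day as the review, aggressive positivity) and the bait-and-switch pattern covered below can be turned into checks a shopper or analyst runs over an exported set of reviews. The Python below is an added example, not code from this page and not the method of ReviewMeta, Fakespot or any other service named here; the review records are constructed, and the thresholds (five reviews per day, a 1.5-star gap, two superlatives) are arbitrary assumptions.

```python
"""Red-flag scorer for one product's set of reviews.

Added example, not code from the page or from ReviewMeta/Fakespot.  It turns the
checklist's red flags into checks: a flood of reviews on one day, reviewer
profiles created the same day as the review, aggressive positivity, and the
bait-and-switch pattern (most reviews describe a different product, newest
ratings diverge from the overall rating).  All data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass
class Review:
    profile_created: date  # when the reviewer's profile was created
    posted: date           # when the review was posted
    stars: int
    text: str


# Words that signal gushing praise without concrete detail (constructed list).
SUPERLATIVES = ("amazing", "best", "perfect", "incredible", "life-changing", "must buy")


def burst_days(reviews, threshold=5):
    """Days on which at least `threshold` reviews were posted (a review flood)."""
    counts = Counter(r.posted for r in reviews)
    return sorted(day for day, n in counts.items() if n >= threshold)


def same_day_profiles(reviews):
    """Reviews whose author's profile was created the day the review went up."""
    return [r for r in reviews if r.profile_created == r.posted]


def is_aggressively_positive(review):
    """Five stars, two or more superlatives and fewer than 25 words."""
    text = review.text.lower()
    hits = sum(1 for word in SUPERLATIVES if word in text)
    return review.stars == 5 and hits >= 2 and len(text.split()) < 25


def mismatched_reviews(listing_keywords, reviews):
    """Reviews that mention none of the listing's keywords (bait-and-switch)."""
    keywords = [k.lower() for k in listing_keywords]
    return [r for r in reviews if not any(k in r.text.lower() for k in keywords)]


def _mean_stars(reviews):
    return round(sum(r.stars for r in reviews) / len(reviews), 2)


def recent_vs_overall(reviews, recent_n=10):
    """(average stars of the newest `recent_n` reviews, average of all reviews)."""
    newest = sorted(reviews, key=lambda r: r.posted)[-recent_n:]
    return _mean_stars(newest), _mean_stars(reviews)


def red_flags(listing_keywords, reviews, burst_threshold=5, recent_n=10):
    """Human-readable red flags; an empty list means nothing stood out."""
    if not reviews:
        return []
    flags = []
    bursts = burst_days(reviews, burst_threshold)
    if bursts:
        flags.append("review flood on " + ", ".join(d.isoformat() for d in bursts))
    fresh = same_day_profiles(reviews)
    if fresh:
        flags.append(f"{len(fresh)} review(s) from profiles created the same day")
    gushing = [r for r in reviews if is_aggressively_positive(r)]
    if len(gushing) >= len(reviews) / 2:
        flags.append(f"{len(gushing)} of {len(reviews)} reviews are aggressively positive")
    off_topic = mismatched_reviews(listing_keywords, reviews)
    if len(off_topic) > len(reviews) / 2:
        flags.append(f"{len(off_topic)} of {len(reviews)} reviews never mention the listed product")
    recent, overall = recent_vs_overall(reviews, recent_n)
    if overall - recent >= 1.5:
        flags.append(f"newest reviews average {recent} stars against {overall} overall")
    return flags


# Constructed data: a listing for a blood pressure monitor whose old reviews
# gush about a phone case (the hijacked-listing pattern), plus a clean set.
D = date
SAMPLE_LISTING = ["blood pressure", "monitor", "cuff"]
SAMPLE_REVIEWS = [
    # six gushing five-star reviews for a different product, all posted on one day
    Review(D(2019, 5, 1), D(2021, 10, 3), 5, "Amazing phone case, best purchase ever, perfect fit!"),
    Review(D(2021, 10, 3), D(2021, 10, 3), 5, "Incredible phone case. Best case I own. Amazing!"),
    Review(D(2020, 2, 14), D(2021, 10, 3), 5, "Perfect case, amazing colors, must buy."),
    Review(D(2021, 10, 3), D(2021, 10, 3), 5, "Best phone case ever, incredible quality."),
    Review(D(2018, 8, 8), D(2021, 10, 3), 5, "Amazing. Perfect. Best."),
    Review(D(2020, 11, 30), D(2021, 10, 3), 5, "Life-changing phone case, best ever, perfect."),
    # three recent reviews that actually describe the listed product
    Review(D(2017, 3, 9), D(2021, 11, 2), 1, "The blood pressure monitor reads 30 points high vs my doctor's cuff."),
    Review(D(2016, 6, 1), D(2021, 11, 5), 2, "Monitor works but the cuff is too small and the readings drift."),
    Review(D(2019, 1, 20), D(2021, 11, 9), 1, "Not a real blood pressure monitor; inconsistent readings every time."),
]
CLEAN_REVIEWS = [
    Review(D(2018, 1, 5), D(2021, 3, 2), 4, "Cuff is comfortable; monitor readings match my clinic within a few points."),
    Review(D(2019, 9, 9), D(2021, 6, 17), 3, "Monitor is fine but the cuff velcro wore out after a year."),
    Review(D(2017, 12, 12), D(2021, 9, 1), 5, "Accurate blood pressure monitor, easy to read display."),
]

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_LISTING, SAMPLE_REVIEWS, recent_n=3):
        print("RED FLAG:", flag)
```

The checks are deliberately crude; they are a triage aid for deciding which listings deserve the manual look the articles recommend, not a verdict.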
The Review Index also analyzes reviews looking for fakes.

The good news about fakespot.com is that it analyzes reviews at Amazon, Best Buy, Sephora, Steam, Walmart, TripAdvisor and Yelp. The bad news is that it used to be a website, but it is now a browser plugin that is able to read the content of every web page you view. Because of this, only install it in one browser and only use that browser for shopping in the few stores it can analyze. And never buy anything in that browser.

BAIT and SWITCH AMAZON REVIEWS

Another type of fake review is one for a different product. Sellers take an existing product page, then update the photo and description to show an entirely different product. The goal is to retain the existing good reviews from the original product. Suggested defense: read the good and bad reviews and some old reviews. Just relying on the star rating and the number of reviews leaves you vulnerable to this scam. Here's Another Kind Of Review Fraud Happening On Amazon by Nicole Nguyen of BuzzFeed (May 2018). Hijacked Reviews on Amazon Can Trick Shoppers (Consumer Reports Aug 2019).

Amazon still hasn't fixed its problem with bait-and-switch reviews by Timothy Lee of Ars Technica (December 2020). A product has 6,400 reviews and a five-star rating. But most of the reviews are for a totally different item. Lesson: always check the most recent ratings. Three cases of this were brought to Amazon's attention by Ars Technica and they fixed only one.

In Nov. 2021, Brian Krebs ran across an instance of this and tweeted: "So, searching for blood pressure monitors on Amazon is fun. None of the reviews seem to be about the actual product. Not sure if this just a glitch in the matrix or what. I'm used to inauthentic reviews, but this is a new one for me." Many people who responded said that they had seen this happen too. Interestingly, within a few hours, Amazon had removed all the reviews for the item Krebs referenced.

Fake Chromebook descriptions: In November 2020, Kevin C. Tofel warned (Getting your first Chromebook? Here's a buying guide of what to look for) that Amazon lists many old Chromebooks as "new", "newest" or "2020" models, when in fact, they are not.

Fake sales: A warning about fake sales on Prime Day from Ars Technica (July 2019). Quoting: "... most of this year's Prime Day deals aren't really deals at all. Amazon will promote thousands of 'discounts' over the next two days, but with that much volume, the majority of those offers will naturally have less-than-special prices or apply to less-than-desirable products. Many 'deal prices' are relative to MSRPs that products have not sold at for months..."

Batteries: Test them immediately. This is a lesson I learned the hard way. In January 2020 I bought a package of AA Duracell batteries. In April 2020, I opened the package only to discover that they were all dead. The package claimed that the batteries last 10 years in storage. The batteries were dated March 2028 and they were sold by Amazon.

Defense: Before buying from an unknown seller, be aware that you probably have no recourse for defective products. More here (Kate Cox July 2019) and here (Louise Matsakis July 2019). Sometimes, as seen here, it costs only 4 cents more to buy from Amazon.

Defense: From Nicole Nguyen: Do a search to see if the company selling the product has a legitimate website. Also check if the item has been reviewed by a publication or site dedicated to consumer products. And, Here's One Way To Tell If An Amazon Product Is Counterfeit by Nicole Nguyen of BuzzFeed (March 2018).

Defense: What to Do If You Think Your Amazon Purchase Is a Fake from The Wire Cutter (Feb 2020)

Defense: In July 2016, I wrote Defending yourself from Amazon.com which makes the case for having a dedicated Amazon email address.

Sidewalk: turned on everywhere on June 8, 2021. In the Alexa mobile app turn it off with: Settings -> Account Settings -> Amazon Sidewalk.
You can either turn it off entirely or leave it half on with Community Finding, which lets your devices use Sidewalk but turns off location sharing. (June 2021)

PRIVACY: Amazon tracks everything you do on their website. To combat this, I suggest shopping/researching in one browser, and buying in another. The shopping browser should use a VPN and not be logged in to an Amazon account. The buying browser should be in private/incognito mode.

Browsing History: Log in to your account at Amazon.com. If, under the big search rectangle at Amazon.com, you see a Browsing History, click on it. Then click on the Manage history drop-down arrow on the right. Then switch off the "Turn Browsing History on/off" slider button.

Targeted ads: Log in to your account at Amazon.com. Under Accounts & Lists, click "Account". Scroll down and click on Advertising preferences (in a box labeled Communication and content). Choose "Do not show me interest-based ads provided by Amazon", then click the yellow Submit button.

Prime Video Watch History: Log in to your account at Amazon.com. Under Account and Lists -> video purchases and rentals -> gear icon -> Settings -> Watch History. Each video has a "Hide this" link and the option not to use it for recommendations.

Episode 208 (February 26, 2021) of The Privacy, Security, & OSINT podcast by Michael Bazzell was on Amazon Privacy.

All the ways Amazon tracks you and how to stop it by Matt Burgess for Wired (June 2021). Note that the links for Cookie Preferences do not work in the US (the article is for England) and there do not seem to be any Cookie related preferences available in the US.

Make sure your lists are not public. From the amazon.com home page, on the horizontal menu bar click All (it's on the far left) -> Your Account (in the Help and Settings section at bottom) -> Your lists box. For each list, click on the three dots on the right and select Manage List.
Security and Privacy by Amazon

Don't use an Eero router.

Does Amazon know your Wi-Fi password? They want to save it to make setting up new Alexa devices easier. To check, login to Amazon, click Accounts & Lists at the top of the page, then Your apps and devices, then go to the Preferences tab, look for the Saved Wi-Fi Passwords section.

Pricing: Tweet by Brett Glass on July 24, 2020: "Wow; @amazon must really think its customers are dupes. It just doubled the price of yet another item right after I 'subscribed' to it." I have no confirmation of this.

Data: You can request the data Amazon has stored about you. Episode 165 (April 10, 2020) of The Privacy, Security, & OSINT podcast discussed this and offered this link: How Do I Request My Data? The show warned that Amazon requires a phone number, they send a text with a PIN code to the phone and they store the phone number as part of the account information.

A security hole: A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months by Shaun Nichols (Oct. 2019). Smart TVs and Roku devices do not appear in the list of devices associated with your Amazon account. Yet, each can be used to buy stuff. This story is about a Smart TV that was making purchases billed to someone who did not own the TV. How it happened is a mystery. Changing the Amazon password and 2FA did not stop the TV. There is no real defense. The response from Amazon was quite poor.

FYI: House panel flags Amazon and senior executives to Justice Department over potentially criminal conduct by John Wagner and Cat Zakrzewski in the Washington Post (March 2022). The article starts: "A bipartisan group of House Judiciary Committee members has alerted the Justice Department to 'potentially criminal conduct' by Amazon and senior executives in relation to a committee investigation into competition in digital markets."
This is a significant escalation of lawmakers' years-long questioning of statements made by Amazon executives.

Amazon suppliers linked to forced labor in China, watchdog group says by Louise Matsakis of NBC News (March 2022). Amazon declined to comment on the specific allegations.

"Millions of people's data is at risk" - Amazon insiders sound alarm over security by Vincent Manancourt for Politico (Feb 2021). Three former high-level information security employees warn that the company's efforts to protect the information it collects are inadequate. These employees were sidelined, dismissed or pushed out of the company. The corporate culture at Amazon prioritizes growth over other factors. Amazon has a poor grasp of what data it has, where it is stored and who has access to it. They found hundreds of thousands of instances where former employees still had system access. Amazon denies it all.

You Might Be Buying Trash on Amazon - Literally by Wall Street Journal (Dec 2019). After becoming aware of dumpster divers selling discarded garbage on Amazon, the reporters did just that. It was easy. Amazon did not ask about the origins of the stuff they sold or, for food, the sell-by date. Warehouse workers are supposed to identify problematic products but often there is too much stuff and too few workers, so things get missed, both accidentally and on-purpose.

Amazon Alexa is in the Voice Assistant section.

GOOGLE (Last Update: October 5, 2021)

Defending against Google tracking involves changing options in your Google account, which can be done on a website, as well as configuring options on your mobile device(s), when doing Google searches, in Google Assistant and in Nest devices. There is a lot to it.

This May 2019 article in Wired: All the Ways Google Tracks You - And How to Stop It, touches most of the bases, configuring: a Google account, Android, iOS and searching. A must read. Similar: Are you ready? Here is all the data Facebook and Google have on you by Dylan Curran for The Register (March 2018)

Google Account: Most tracking is configured at myaccount.google.com/activitycontrols

Google Account: Do a Google Privacy Checkup

Google Account: Account settings -> People & sharing -> About me (under Choose what others see). Good is "Only you". Bad is "Anyone".

Google Account: See what Google knows about your travels using their Maps Timeline. Sometime in Oct or Nov 2019, Google will introduce a new Incognito mode in the Google Maps app. To turn it on: tap on the account icon in the upper-right corner, then click Turn on Incognito mode.

Google Account: See what Google is tracking of your activity at myactivity.google.com/myactivity. As of May 2021, we can password protect this page so a borrowed device does not leak this data. On the page: click "Manage My Activity verification" -> "Require extra verification". From How to password-protect your Google activity history (May 2021)

Automatic Deleting: start at myaccount.google.com/activitycontrols. Note that if something is in a Paused status, it is still keeping a history. To set it to auto-delete, you will have to enable it first. Several Google products, including YouTube, can be set to auto-delete here. As of Oct. 2019 the only choices are auto-delete after 3 or 18 months. To auto-delete search history, use Web & App Activity. More: Google's auto-delete tools are practically worthless for privacy by Jared Newman (Oct 2019), You Should (Probably) Delete Your Google Data - Here's How by Brendan Hesse (Aug 2020)

See what, if any, apps are connected to your Google Account: Account settings -> Security -> Third-party apps with account access -> Manage third-party access.

Turn off ad personalization at adssettings.google.com

Searching: Minimize Google tracking by not being signed in to Google when making queries. You can tell if you are signed in by checking the upper right corner of the screen (see screen shots).
A single letter in a circle means you are signed in, a blue "Sign in" button means you are not. Or, use a search engine that does not record your search history such as StartPage, which gets its results from Google. I used to suggest DuckDuckGo, but no more. One reason is that they get their results from Bing. Another reason is that they do not filter out bulls..t as well as Google does. See Fed Up With Google, Conspiracy Theorists Turn to DuckDuckGo, New York Times (Feb 2022) and Top 5 Private Search Engines by Security Trails (Dec. 2019).

Google Maps: is full of fake business listings. Big June 2019 story in the Wall Street Journal. More here and here. Hundreds of thousands of fake listings are created each month. Total scam businesses estimated at 11 million. In 2018, Google removed more than 3 million fake businesses. Google's PR response included this: "it's important that we make it easy for legitimate businesses to get their business profiles on Google". Translation: nothing will change. Here is where to report a fake.

Google Maps: How to blur your house on Google Street View (and why you should) by Jack Morse (Sept 2020). Enter your home address into Google Maps, look at your home in street view, click "Report a problem". And, do the same thing on Bing Maps. No mention of Apple Maps.

Browsing: Here is another reason not to be logged on to Google all the time - the latest version of their reCaptcha might be logging every web page you visit.

The Voice Assistants section has a sub-section with Google Assistant defenses.

The Location Tracking topic has a lot of defenses for Android and Google users.

If you have a Nest Cam or Nest thermostat, be aware that according to this April 2019 article in the Washington Post, Nest security is sub-optimal. The article suggests using a unique password (always a good idea) and two factor authentication with the device. Taking a step back ... Google? Really? In a camera in your home? Really?
Speaking of Nest: the Nest camera, Nest Hello doorbell and Dropcam cameras no longer (as of Aug 2019) let owners disable the status light that indicates the camera is on. Google did this for privacy reasons but some people don't like advertising the camera's existence to intruders in a dark room. Just cover the light with tape. And, be sure to apply bug fixes to the Nest Cam IQ (Aug 2019).

Google Calendar: A new type of SPAM. Bad guys can email invites to scam events and Google will add them to your calendar without your confirmation. To stop this, go to calendar.google.com, login, click the gear icon, go to Settings, then Event settings, then "Automatically add invitations" and select "No, only show invitations to which I have responded". Maybe also disable automatically adding events from Gmail to your calendar.

Google avoidance: The complete list of alternatives to all Google products by Sven Taylor of Restore Privacy (last updated October 2019). How to replace each Google service with a more privacy-friendly alternative by Ed Bott of ZDNet (October 2019). French software company Framasoft created the De-google-ify Internet website.

Tip: If bad guys have taken control of your Google account, start here: Tips to complete account recovery steps

You can ask Google to remove sensitive personal information from its search results.

GMAIL (Last update: May 9, 2022)

Consider your Gmail password critically important. Never tell it to anyone. Never use the same password anywhere else. If there is a chance you might forget it, write it down on paper and store the paper somewhere secure.

To me, the biggest issue with Gmail is that it is free. Any free email service comes at the price of no technical support. If something goes wrong with Gmail (or your Google account), tough luck. In my opinion, email is important enough that it is worth paying for, just to get technical support.

The Best Gmail Settings You Might Not Have Used Yet by Eric Ravenscraft for Wired (March 2021).
Some topics mentioned: Change Undo Send Time Limit, Confirm Actions on Mobile, Unread Message Icon and Customize Your Keyboard Shortcuts. To change the time period during which you can undo a sent message: at gmail.com, click the gear in the top right corner -> See all settings -> General tab (should be the default) -> Undo Send.

How to recover your Google Account or Gmail from Google. Hopefully, you never need this.

If you use two factor authentication with Gmail, good for you. Should something go wrong with the second factor, Google offers a fallback using backup codes. See Sign in with backup codes from Google.

If you get a malicious email from a Gmail user, you can report it here: I would like to report a Gmail user who has sent messages that violate the Gmail Program Policies and/or Terms of Use. The form asks for the full email header, which is normally hidden. In Thunderbird, use View -> Message Source.

May 2019: Google uses Gmail to track a history of things you buy by Todd Haselton and Megan Graham of CNBC. The story said you needed to delete the Gmail message to remove a purchase. However, later research found that there is no way to delete your purchase history. And Google also tracks your Reservations, Subscriptions and Payment Methods. See it all at myaccount.google.com/payments-and-subscriptions. From Google: See your purchases, reservations and subscriptions. The day before flying recently, Uber offered me a discount for getting to the airport. Gmail told Uber about my trip; I found it in the reservations and confirmations page.

Avoiding Gmail: 5 Reasons to Ditch Gmail for ProtonMail by David Nield for Gizmodo (March 2021). The article is wrong about End-to-end encryption. It only applies to messages between two ProtonMail users. How to Migrate from Gmail to ProtonMail by ProtonMail (undated). The steps: Transfer existing emails, Set up email forwarding, Transfer contacts, Inform your contacts and Update online accounts.
Privacy-Conscious Email Providers from PrivacyTools.io These 4 Gmail alternatives put your privacy first (Fastcompany Aug 2019) TEXTS (SPAM,SCAM,PHISHING,MISSING) topTexting suffers from the same spam, scam and phishing as email. And, just like email, you can not trust the displayed identity of the sender. Caller ID spoofing is easy.Several mobile service providers allow you to block the sender by forwarding unwanted texts to 7726 (or "SPAM"). More here.Scam, SPAM and phishing texts: How to spot SMS fraud and stay safe by David Gewirtz January 2020 The FTC on Text Message Spam. Complain to them about it at ftccomplaintassistant.gov under "Robocalls, Unwanted Telemarketing, Text, or SPAM". From the FCC: Stop Unwanted Robocalls and Texts. The FCC is running their own scam. They say to file a complaint with them at their Consumer Complaint Center but there is no option there to gripe about SPAM texts.Both iOS and Android let you block the spammer from ever texting you again.Example: Uber security alert scam spoofs real Uber number - Watch out! from Malwarebytes (Sept 2021). A scam text message from the actual UBER phone number led to a scam copy of the UBER website.In March 2021, we learned of another way for bad guys to get your text messages. In this scheme, voice calls and 4G/LTE data still work. Only text messages are sent to the bad guy. The only way you know this has happened, is when, eventually, you don't get a text message that you were expecting. Bad guys simply fill out a Letter of Authorization form with fake information. From: A Hacker Got All My Texts for $16 by Joseph Cox for Vice and It's time to stop using SMS for anything by Lucky225. FAKE VOICES topArtificial Intelligence allows bad guys to learn someone's voice and vocal patterns and then manipulate it to scam people. Thomas Brewster has said "Once a technology confined to the realm of fictional capers like Mission: Impossible, voice cloning is now widely available." 

This scam is too new to have an official name yet. I have seen it referred to with all these terms:
Voice fraud
Voice phishing, or the shortened version, vishing
Voice cloning
Voice swapping
Artificial voice
AI voice cloning and A.I.-generated audio
Synthetic audio, deepfake audio and audio deepfakes
Deep voice
and the generic, deepfake

Examples

October 2021: A bank manager in Hong Kong received a call from a man whose voice he thought he recognized, and the bank was scammed out of $35 million. Fraudsters Cloned Company Director's Voice In $35 Million Bank Heist, Police Find by Thomas Brewster in Forbes. Manipulating audio is easier to orchestrate than deepfake videos, so expect more in the future.

July 2021: A documentary about Anthony Bourdain includes three scenes with a fake voice. The director admitted to one scene; no one knows what the other two are. The Ethics of a Deepfake Anthony Bourdain Voice by Helen Rosner for The New Yorker.

July 2020: Listen to This Deepfake Audio Impersonating a CEO in Brazen Fraud Attempt by Lorenzo Franceschi-Bicchierai of Vice. A security firm analyzed a suspicious voicemail left for a tech company employee, part of an attempt to get the employee to send money to criminals.

August 2019: Fake voices help cyber-crooks steal cash (BBC, July 2019). Symantec has seen three cases of faked audio of chief executives used to trick financial controllers into transferring cash. Fraudsters deepfake CEO's voice to trick manager into transferring $243,000. The original story was reported in the Wall Street Journal.

July 2019: Deepfake Audio Used to Impersonate Senior Executives (CPO Magazine). The attacks seen so far have used background noise to mask imperfections, for example simulating someone calling from a spotty cellular phone connection or being in a busy area with a lot of traffic.

Defense

Defending against audio deepfakes before it's too late (Axios, April 2019). A review of the state of the art both for creating and detecting fake audio.

How To Spot Deepfake Audio Fraud (Aug. 2019). The quality of the fake voice can be excellent for non-conversational audio, such as a statement. However, it suffers when engaged in a conversation. When in doubt, call the person back.

MICROSOFT OFFICE

Look at this research and you will never use Word or Excel for anything sensitive. Microsoft Office phones home to sixty different servers. Yes, 60. MS Office & Teams: Network Connection Target Hosts by Helge Klein (March 2021).

When first installing Office 365, decline the option to send Microsoft "optional diagnostic and usage data" as shown here.

If you have sensitive information, be very wary of using Office 365, as described in Newsrooms, let's talk about Office 365 by Martin Shelton (Jan. 2020).

Another installation-time warning from Microsoft says "Office includes experiences that connect to online services ... When you use these experiences, Office collects service diagnostic data. In addition, some of these services analyze your content to deliver suggestions and recommendations. To adjust these privacy settings, go to File > Account > Account Privacy".

Connected Experiences in Office by Microsoft applies to Office 365 and says Microsoft will "... use your Office content to provide design recommendations, editing suggestions, data insights, and similar features ... If you'd like to turn these experiences off, go to any Office 365 application ... and go to File > Account > Manage Settings (In Outlook it's under Office Account). There you can disable or enable, either category (or both)".

Office spying was too much for Germany, where it was banned from schools in July 2019. The Verge: German schools ban Microsoft Office 365 amid privacy concerns and Ars Technica: Office 365 declared illegal in German schools due to privacy risks.

Documentation from Microsoft: Connected experiences in Office and Account Privacy Settings for Office 365.

From me: Is Word 2016 spying on users? (May 2019)

Office 2016: In Word 2016, I did File -> Account and there was no option at all for Account Privacy. Instead, there was an option to "Sign in to Office". So, what level of spying is employed in this case? I don't know.

FYI: How to Save Office Documents to This PC by Default by Chris Hoffman. For Office 365 on Windows 10 (Oct. 2019).

This May 2019 article by Sergiu Gatlan for Bleeping Computer has defensive steps for Office 365.

TWITTER (Last Update May 15, 2022)

Don't give Twitter your phone number. If you did, either change it or turn off the setting for "phone number discoverability". From How Twitter's Default Settings Can Leak Your Phone Number by Gennie Gebhart of the EFF (Feb 2020).

To improve the security and privacy of Twitter, log on to twitter.com in a browser, then do: More -> Settings and Privacy -> Privacy and Safety and:
Turn off Location information
Turn off Photo tagging
Turn off Personalization and data
Review the options for "Receive messages from anyone" and "Discoverability and contacts"

Make it harder to reset the Twitter password. At twitter.com -> Settings -> Security and account access -> Security, turn on the "Password reset protect" checkbox. This requires providing either the phone number or email address associated with your account in order to reset your password. Along with this, it would be best to have a dedicated email address that is only used with Twitter. See the section here on Email for a number of ways to create multiple email addresses.

FROM TWITTER
About account security
How to protect and unprotect your Tweets
Assorted articles on Privacy

Stop Twitter from sharing your location here: twitter.com/settings/location. According to this Feb 2020 Reddit posting, this may not be sufficient. You may need to use a VPN to really hide your location.

You can configure an account to accept Direct Messages (DMs) from just people following you or from anyone in the world.

Don't share: your birthday, your current location or that you will be away from home for a while.

7 steps to staying safe and secure on Twitter by Amer Owaida of ESET (March 2021). Covers hiding your location, protecting tweets from new followers, disabling photo tagging, limiting discoverability and more.

How to Filter Out Twitter Trolls by Using Block Party by Yael Grauer for Consumer Reports (March 2021). The Block Party app can filter tweets according to a number of criteria and have the bad ones saved in a separate folder. It is a free service for those willing to apply and wait for an account. Or, for $8, you can get an account immediately. Twitter has a Safety and Security page with a section on dealing with abuse, including how to report it. From the article above.

Two Factor Authentication: As of Nov. 22, 2019, Twitter lets you get started with 2FA using an Authenticator app. In the old days you had to start with SMS first, which meant giving them your phone number. From twitter.com do: Settings & Privacy -> Account -> Security -> Two-Factor Authentication.

TweetDelete is a service that can mass delete Twitter posts based on their age or specific text they contain.

Twitter URLs Can Be Manipulated to Spread Fake News and Scams by Ionut Ilascu (June 2019). Not sure what the defense here is, other than just being aware of this.

If you care about privacy, you are probably better off using Twitter in a web browser, rather than the Twitter app.

FYI: You can download your data from Twitter. They will send you a ZIP file with an archive of your account information, history, apps and devices, activity, interests, and Ads data. From twitter.com (while logged in): Click More in the main navigation menu -> Settings and privacy -> Your Account -> Download an archive of your data -> enter your password -> get a verification code and enter it -> click the blue Request Archive button -> Wait. They say it can take 24 hours or longer. If you use the app, you will be notified in the app when the data is ready. If you use the website, they email you when it's ready. I was emailed a link, then had to enter my Twitter password and enter a temporary code they emailed. Then, I had to click a blue Download Archive button, then a second blue Download Archive button. This downloaded a file with a name like twitter-yyyy-mm-dd-randomnoise.zip that was 47MB and contained two folders and an HTML file.

More: How to access your Twitter data from Twitter (undated as of Feb. 2022). How to control your data on Twitter by Tactical Tech (June 2016).

NAS

NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.

Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account, or make the password for it very long and very random.

Don't allow direct access to the NAS from the Internet. On Synology, that means avoiding QuickConnect. Also, disable UPnP in the router to prevent the NAS from opening ports for itself. My Test your Router page links to many websites that offer tests of the firewall in a router.

If open ports are necessary, do not use the default ports.

If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.

Chances are the NAS is able to turn itself on and off. If the NAS is off at night, then no data can escape. If data is being stolen during the day, it is more likely to be noticed. Plus, this saves electricity.

As always, disable features not being used; perhaps SSH and Telnet access.

As always, avoid short passwords.

If there is lightning in your area, power off and unplug the NAS. No surge protector can stand up to lightning.

Western Digital (WD) has a very poor track record as far as security goes. Probably best to avoid their NAS devices.

In August 2021, I blogged about how I use a router firewall rule to prevent my NAS from making any outbound connections, except for 30 minutes a day: A firewall rule can help block ransomware.

Synology

Auto Block offers protection from brute force password guessing. In DSM 6: Control Panel -> Security -> Account tab. In DSM 5: Control Panel -> Security -> Auto Block tab.

Security Advisor is an app that runs on the NAS.

What can I do to enhance the security of my Synology NAS? Undated. As of Aug 2021, only for DSM versions 6 and 7. Still got v5? Tough luck.

10 security tips to keep your data safe (March 12, 2020). Much like the above.

Protect Yourself against Encryption-Based Ransomware. Undated and somewhat lame.

What network ports are used by DSM services? Needless to say, no date.

Synology Newsroom

QNAP

They finally recommend not using port forwarding and UPnP to open the NAS to the world: Take Immediate Actions to Secure QNAP NAS (January 7, 2022).

They have both a Malware Remover and a Security Counselor app in their App Center. Keep them up to date and run them periodically.

The Network Access Protection feature offers protection from brute force password guessing.

Bitcoin Miner Security Advisory from QNAP (Dec. 7, 2021). Still under investigation. Suggests the usual defenses with instructions.

UK and US warn QNAP owners to upgrade firmware to block malware (July 27, 2020).

Security Advisory for eCh0raix Ransomware (Aug 2019).

Security Advisory for Malware QSnatch (Nov. 2019). They also suggest enabling IP and account access protection to prevent brute force attacks. And, avoid using default port numbers 443 and 8080.

TV WATCHES YOU (Last Updated November 8, 2021)

Streaming boxes such as Roku and FireTV: Leave them powered off when not in use.
Less spying and you save on electricity.

Privacy of Streaming Apps and Devices: Watching TV That Watches Us from Common Sense Media (Aug 2021). There are two things here: a large report on extensive testing that they did, and a short privacy rating for assorted streaming hardware boxes and streaming services.

Roku: Check these settings:
System -> Advanced System Settings -> Control by Mobile Apps -> disable "Network Access" (verified on Roku OS 9.1.0)
Privacy -> Advertising -> turn on the limiting of ad tracking and reset the Advertising ID
Privacy -> Microphone -> Channel microphone access -> Never allow
System -> Screen Mirroring -> set Screen Mirroring Mode to either Prompt or Never Allow

Fire TV: Go to Settings -> Preferences -> Advertising ID. Then, disable Interest based ads. This may be old (I don't have a Fire TV). If so, try: Settings -> Preferences -> Privacy Settings. From there, disable Interest-based Ads, Device Usage Data and Collect App Data Usage. Also do: Settings -> Preferences -> Data Monitoring and turn it off.

Roku TV: From How to Disable Interactive Pop-Up Ads on Your Roku TV by Chris Hoffman (October 2019). As of Roku OS 9.2, the TVs display pop-up advertisements over commercials on live TV. If an advertiser has partnered with Roku, that advertiser can display an interactive pop-up ad over the normal commercial. This only applies to Roku TVs, not the external sticks or boxes. To disable it: Settings -> Privacy -> Smart TV Experience -> disable "Use info from TV inputs".

Vizio TVs: How to turn Viewing Data On, Off, or Delete by Vizio (no date). See also their Privacy Policy (Last Updated Jan 2021).

Turn it off: How to Turn Off Smart TV Snooping Features by Consumer Reports. Last updated: September 2019. Smart TVs collect data about what you watch with a technology called ACR. Only covers TVs, nothing on Roku, Apple TV or Chromecast.

Your smart TV is spying on you. Here are step-by-step instructions to stop it by Jefferson Graham in USA TODAY (Jan 2020). Covers Fire TVs, LG, TCL/Roku, Samsung, Sony and Vizio.

Things are bad: You watch TV. Your TV watches back by Geoffrey Fowler for the Washington Post (September 2019). No defense offered. Discusses ACR (automatic content recognition) on Smart TVs. Quote: "some TVs record and send out everything that crosses the pixels on your screen. It doesn't matter whether the source is cable, an app, your DVD player or streaming box." They watched the data a TV transmits using IoT Inspector software from Princeton University.

Things are bad: From Lily Hay Newman in Wired (Sept 2019): On Roku and Amazon Fire TV, Channels Are Watching You. The article discusses academic research from Princeton University and the University of Chicago that found over 2,000 streaming apps doing tracking even when told not to (see the Settings at the top of this topic). 89 percent of Amazon Fire TV channels and 69 percent of Roku channels contained easily spottable trackers that collected information about viewing habits and preferences, along with unique identifiers. No defenses offered. Here is an article by the researchers: Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (Sept 2019) and their more formal research paper Watching You Watch: The Tracking Ecosystem of Over-the-Top TV Streaming Devices (PDF) by Hooman Mohajeri Moghaddam, Gunes Acar, Ben Burgess, Arunesh Mathur, Danny Yuxing Huang, Nick Feamster, Edward W. Felten, Prateek Mittal and Arvind Narayanan.

Defense: The article above notes that a profile is formed based on the public IP address of your home. One defense is to connect the TV to a router running VPN client software. This hides your public IP address.

Defense: a router that supports outbound firewall rules, such as the Pepwave Surf SOHO, can block the TV from phoning home. First, watch where it sends data, then block these transmissions one at a time (in case some of them are necessary). Using a Raspberry Pi running Pi-hole for DNS should also be able to block a TV from phoning home. Or, a free account at OpenDNS lets you audit the DNS on your home network and block some domains.

Defense: one type of attack comes from the LAN. Roku, and perhaps competing devices, can accept commands using HTTP from the LAN. To prevent this, isolate the streaming box. If using Wi-Fi, connect it to a Guest network. Some, not all, routers will isolate Guest network users from each other, blocking this type of attack. More advanced users can put the streaming box in a VLAN. The first suggested Roku setting above should also block this, but it only applies to Roku and may change in the future.

Defense: The ultimate defense is not to connect a Smart TV to the Internet (other than maybe to update the firmware).

Defense: How to Stop Smart TVs From Snooping on You by Lance Whitney in PC Magazine (April 2020).

There are many articles about blocking Roku monitoring by blocking access to assorted domains and sub-domains. For a long time now I have blocked all access from my LAN to scribe.logs.roku.com and cooper.logs.roku.com. My Roku box works just fine without these. I chose them because they were the most popular logs my Roku box was accessing.

If your TV has a camera, cover it with tape. From the October 22, 2019 episode of the Hackable podcast.

Background: Smart TV Makers Will Soon Make More Money Off Your Viewing Habits Than The TV Itself by Karl Bode (May 2021). We cannot buy a "dumb" TV that's just a display with HDMI ports because consumer data is so profitable.

Background: Reg reader returns Samsung TV after finding giant ads splattered everywhere by Gareth Corfield for The Register (Nov 2021). Note the excerpt at the end from the Samsung privacy policy: the manufacturer will collect "the networks, channels, websites visited, and programs viewed on your devices and the amount of time spent viewing them".

Roku networking: I have seen a Roku 2XS running firmware 9.1.0 make outbound requests to the Google DNS server at 8.8.8.8, port 53, using TCP. This is suspicious for multiple reasons, one being that the router assigns other DNS servers. Thus, the use of 8.8.8.8 is hard coded into either the Roku system or one of the channels. One reason to do this is to avoid DNS based restrictions in the router. Also, UDP is the norm for DNS, not TCP. I have not captured the actual packets.

More Roku networking: I always see the same Roku 2XS box making outbound connections to IP address 172.29.243.255. This should never occur, as this is a private IP address, one that can never exist on the Internet. These connections use UDP and both the source and destination port are always 1975. This seems to be part of the OS; I see it even when just powering on and not using any channels. I contacted Roku about this and they would not explain why this happens.

Netflix: log in to netflix.com with your userid/password. Click on the profile icon in the top right corner, then click Account. To see all the info Netflix has on you, click on "Download your personal information". To remove something from your viewing history: start at Account info, then click on a profile, then Viewing History. To remove an item, click the circle on the far right.

Hulu: Log in to Hulu.com and open the Account page. Go to Privacy and Settings. Select Manage Nielsen Measurement and opt out. Select California Privacy Rights. Under Right to Opt Out, click Change Status and opt out.
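
An added example, not code from this checklist, from Roku or from Pi-hole: a Python script that applies the "watch where it sends data, then block" approach above to constructed logs. It ranks the domains one streaming box queries (the same way the two logs domains above were chosen), writes the noisiest ones as a hosts-format list that Pi-hole can import, and flags outbound connections that send DNS to a hard coded server instead of the router, or that go to a private address outside the LAN, as in the two Roku observations above. The LAN addresses, log lines and connection records are all constructed.

```python
"""Added example: rank a streaming box's DNS queries and flag suspicious
outbound connections. Not code from the Defensive Computing Checklist,
Roku or Pi-hole; log formats, addresses and records are constructed."""
import ipaddress
import re
from collections import Counter

# Constructed LAN details: the streaming box, and the router, which should
# be the only DNS server any LAN device talks to.
TV_IP = "192.168.1.50"
ROUTER_IP = "192.168.1.1"
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed dnsmasq/Pi-hole style query log. One other LAN client
# (192.168.1.22) is included to show that its queries are ignored.
DNS_LOG = """\
Jan  5 20:01:02 dnsmasq[412]: query[A] scribe.logs.roku.com from 192.168.1.50
Jan  5 20:01:02 dnsmasq[412]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 20:01:05 dnsmasq[412]: query[A] scribe.logs.roku.com from 192.168.1.50
Jan  5 20:01:09 dnsmasq[412]: query[AAAA] api.roku.com from 192.168.1.50
Jan  5 20:01:11 dnsmasq[412]: query[A] scribe.logs.roku.com from 192.168.1.50
Jan  5 20:01:12 dnsmasq[412]: query[A] cooper.logs.roku.com from 192.168.1.50
Jan  5 20:01:15 dnsmasq[412]: query[A] www.example.org from 192.168.1.22
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<domain>\S+) from (?P<client>\S+)")


def rank_queried_domains(log_text, client_ip):
    """Return (domain, count) pairs for one client, most frequent first.

    This is the "watch where it sends data" step: the most frequently
    queried names are the first candidates to block, one at a time.
    """
    counts = Counter()
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and match.group("client") == client_ip:
            counts[match.group("domain")] += 1
    return counts.most_common()


def hosts_blocklist(ranked, top_n):
    """Hosts-file lines for the top_n domains; Pi-hole imports this format."""
    return ["0.0.0.0 " + domain for domain, _count in ranked[:top_n]]


# Constructed router firewall records, as
# (protocol, source ip, source port, destination ip, destination port).
FLOWS = [
    ("TCP", TV_IP, 51234, "8.8.8.8", 53),            # DNS to Google, over TCP
    ("UDP", TV_IP, 1975, "172.29.243.255", 1975),    # private address, not our LAN
    ("UDP", TV_IP, 40001, ROUTER_IP, 53),            # normal DNS via the router
    ("TCP", TV_IP, 40002, "93.184.216.34", 443),     # ordinary HTTPS to a public host
    ("UDP", "192.168.1.22", 40003, "8.8.8.8", 53),   # another device, ignored here
]


def flag_connections(flows, tv_ip, router_ip, lan):
    """Return (flow, reason) pairs for the TV's connections worth blocking."""
    findings = []
    for flow in flows:
        proto, src, _sport, dst, dport = flow
        if src != tv_ip:
            continue
        dst_addr = ipaddress.ip_address(dst)
        reasons = []
        if dport == 53 and dst != router_ip:
            # A hard coded resolver sidesteps any DNS based blocking in the router.
            reasons.append("DNS sent to %s instead of the router" % dst)
            if proto == "TCP":
                reasons.append("DNS over TCP is unusual for a client")
        if dst_addr.is_private and dst_addr not in lan:
            # Private address space outside our LAN cannot exist on the Internet.
            reasons.append("destination is a private address outside the LAN")
        if reasons:
            findings.append((flow, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    ranked = rank_queried_domains(DNS_LOG, TV_IP)
    for domain, count in ranked:
        print("%3d  %s" % (count, domain))
    print("\n".join(hosts_blocklist(ranked, 2)))
    for flow, reason in flag_connections(FLOWS, TV_IP, ROUTER_IP, LAN):
        print(flow, "->", reason)
```

Point the script at your own router's DNS query log and firewall log, and block only the top entries one at a time, checking after each that the box still works.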

To clear the Hulu watch history: Under Manage Activity, click Watch History, then Clear Selected.

Amazon Prime Video suggested settings are in the Amazon section.

FYI: Samsung can remotely disable their TVs worldwide using TV Block by Sergiu Gatlan of Bleeping Computer (August 2021).

SMART TVS GETTING HACKED (topic created Dec. 4, 2019)

Note: This is separate and distinct from smart TVs spying on you, which requires no hacking.

Oregon FBI Tech Tuesday: Securing Smart TVs (Nov 2019). A smart TV is a computer that bad guys might be able to hack into. Many Smart TVs have microphones so that you can shout at them to change the channel. Yet another thing that can be hacked. A number of smart TVs also have built-in cameras. If you can find the camera, put tape over it. Some TVs use the camera for facial recognition so the TV knows who is watching and can suggest programming appropriately. Ugh. Suggested defense: know exactly what features your TV has and how to control those features. Do a net search on the TV model using words like "microphone," "camera" and "privacy." Also, review security settings.

Smart TVs getting hacked: Watch a Drone Take Over a Nearby Smart TV by Andy Greenberg in Wired (Aug 2019). About hacking into smart TVs that use the internet-connected HbbTV standard. Weaknesses in HbbTV could be combined with vulnerabilities in Samsung smart TVs to gain full remote access to the television sets. This remote access persists even after the TV is turned off.

Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds (Feb 2018). Much ado about nothing. They found flaws in sets from TCL using the Roku TV platform and in Samsung, which uses their own Tizen operating system. Other brands that use the Roku TV platform are also vulnerable, as are Roku boxes. However, the Roku attack has to come from your home and I have the defense in the TV watches you topic (first item). The article does not walk you through the defensive configuration. The Samsung attack can only be exploited "if the user had previously employed a remote control app on a mobile device that works with the TV, and then opened the malicious web page using that device."

SURGE PROTECTORS (topic created Nov. 28, 2019)

When there is too much electricity, a surge protector is designed to absorb the overload, and perhaps even die, to protect the devices plugged into it. Some surge protectors look like a power strip, but there is a big difference. As a rule, you get what you pay for with surge protectors. If you need to protect something very important or very expensive, then spend more for the surge protector.

It is very likely that any surge protector will eventually fail. What then? Some will continue providing unprotected power after they have failed. Others will cut off the power rather than leave you unprotected. Be sure to look for a surge protector that has a visible indicator of whether it is providing protection or not. Also, a Ground indicator is good to have.

Surge protectors are sold based on Joules, which is not the most important criterion. PenLight, a power company in the US, says "Joule ratings can be misleading ... Joule ratings are an unreliable measurement for determining a product's surge capacity because there is no test standard. The Joule rating listed on a surge protector's package is determined using an unknown method by the manufacturer."

What is a surge? There is no one answer; different devices kick in at different levels. The amount of extra electricity that is allowed through is referred to as both the let-through voltage and the clamping voltage. The lower the let-through voltage, the better the protection. The lowest (best) UL 1449 rating is 330 volts. You may see devices rated for 400 or 500 volts.

Clamping response time is how quickly the device responds to a surge. Faster is better. Nanoseconds (billionths of a second) are good. Picoseconds (trillionths of a second) are the best.

If you can't get the above specs for any particular surge protector, it might be that the vendor does not want you to know them because they are poor.

If Internet access is important, then, at the least, protect the modem and router with a surge protector. If Internet access is very important, then protect them with a UPS.

Surges are not limited to electrical lines; they can also be carried by telephone lines and cable TV coaxial cables. Some surge protectors also offer protection for cable and telephone lines.

POWER OUTAGE (Updated Sept. 1, 2021)

Before the power goes out:

Buy a portable battery charger (Anker is a big brand). Maybe a solar battery charger.

Buy a UPS. A line interactive UPS costs more money, but your devices get protected by both boosting power in a brown-out or trimming power when needed. If your only need is a big backup battery for a power outage, then a cheaper standby class UPS will do.

Download the Google Maps map for your area. It can work using nothing but GPS, no Internet needed. In an emergency, you may find yourself traveling to new places.

If fires, floods or storms happen often enough in your area, then maybe buy a satellite messenger. REI sells messengers from Garmin, Spot and ZOLEO. A subscription is required to the satellite service and there are two competing services. Some pair with a cell phone via Bluetooth, others are totally standalone, with their own screen and keyboard. Messages take a few minutes before they are sent, as a satellite has to be overhead. Some services only let you send messages, others are bi-directional. Prices vary, but a well reviewed model can be had for $200. Another option is a satellite phone.

How to keep your phone charged and useful in a natural disaster by the Washington Post (Aug. 31, 2021). Some topics: Make cellphone battery last longer, Different ways to recharge your phone, Contact 911 or other assistance and Get the latest emergency updates.

When the power goes out:

Unplug computers, modems, routers and expensive electronics. The power may come back on with a damaging surge.

Unplug all wires that feed into these devices. A power surge can also be transmitted over the coaxial cable used by cable TV or the phone line used by DSL.

If you have a UPS, consider plugging a lamp into it at night, preferably one with an LED bulb.

Put a cellphone in low power mode. iPhone: Settings -> Battery (not available on iPads). Android: maybe swipe down from the top and look for Battery Saver. Maybe Settings -> Battery. Maybe Settings -> Battery and Device Care -> Battery -> Power Saving mode.

BROWSER FINGERPRINTING (last updated August 15, 2021)

Anyone concerned with being tracked on-line needs to be familiar with web browser fingerprinting. Without using cookies, fingerprinting can convert the web browser on your computer into a unique identifier. Fingerprinting stems from looking at many, seemingly trivial, aspects of your computer and browser and combining that information into a profile/identifier. Most of the time, these profiles turn out to be unique, which lets websites track your behavior without cookies. Some attributes that are examined are: the computer operating system, what time zone you are in, what language your computer is using, how much RAM memory the computer has, the screen height and width in pixels, what web browser you are using, what version of the browser, what fonts are installed, what plug-ins are installed, what audio and video formats are supported by the browser, and much more.

Testing: one website for testing the fingerprinting of a web browser is amiunique.org. As of Nov. 15, 2019 they had collected 1,408,000 fingerprints. By March 12, 2020 it was up to 1,713,000.

Testing: the EFF has offered an online test similar to amiunique.org since 2010. It used to be called Panopticlick but now it is called Cover Your Tracks. In August 2021, I tried this on Windows. Brave with OpenDNS and no plug-ins did well: "your browser has a randomized fingerprint". Firefox using NextDNS, with uBlock Origin and Privacy Badger installed, failed; it had a unique fingerprint.

Testing: Web browser fingerprinting - testing the testers by me (Nov. 2019). How well do the above two tester websites work? Not as well as they could.

Testing: fingerprintjs.com/demo is a demo of how good fingerprinting can be, from a company offering it as a service.

ChromeOS Defense: An excellent defense against fingerprinting is a Chromebook in Guest Mode. All Chromebooks of the same model running the same version of ChromeOS should share a fingerprint. Interesting fact: only 0.23% of the devices tested by amiunique.org were Chromebooks.

Tor Browser Defense: The Tor browser has a number of anti-fingerprinting features enabled by default. It runs on Windows, macOS, Android and Linux. Note however that websites will be very slow to load.

Firefox Defense: As of version 72, released in Jan. 2020, fingerprint defense is on by default. The browser blocks third-party requests from companies known to engage in fingerprinting. To verify this, look in Options -> Privacy & Security. To see if it blocked anything on the currently displayed web page, click on the shield to the left of the address bar. See a screen shot from Computerworld and one from metageek.com (desktop Firefox v73, March 2020).

Brave defense: Brave has two generations of defense. In March 2020 Brave announced their second defensive approach: randomizing fingerprintable values in ways that are imperceptible to humans, but which confuse fingerprints. Quoting: "This approach is fundamentally different from existing fingerprinting defense approaches ... [that] attempt to make all browsers look identical to websites (an impossible goal). Brave's new approach aims to make every browser look completely unique, both between websites and between browsing sessions." They claim this provides the strongest fingerprinting protections of any popular browser. Not sure when it will be released. Their older defense is the Device Recognition option in the Settings. I found that it worked; see it reporting that it blocked two fingerprint attempts by Ars Technica. I tried both fingerprinting test websites (above) and, on each one, their first generation blocker blocked a fingerprinting attempt.

Defense: Disconnect offers a free browser extension that blocks trackers. Maybe it also blocks fingerprinting. They partnered with Mozilla in providing the Firefox defense.

Unrealistic Defense: Turn off JavaScript in your web browser. Easier said than done. Without JavaScript most websites will break. The only way to even attempt this defense is to use more than one web browser. Disable JavaScript in the one where you need privacy and use another browser when you don't mind being tracked.

No defense: Private browsing mode does not prevent fingerprinting. Neither does a VPN or the Tor network. Blocking cookies also does nothing.

No defense: Chrome, of course, offers no defense. Tracking people is what Google does.

FYI: The deviceinfo.me website shows many of the computer attributes used in fingerprinting.

Background: Think you're anonymous online? A third of popular websites are fingerprinting you by Geoffrey A. Fowler in the Washington Post (Oct. 2019). 500 popular websites were tested to see if they did fingerprinting. Some of the hardest things to fingerprint are iPhones, iPads and Macs running the Safari browser.

OS Defense: The Tails operating system might be a defense. It is a version of Linux that runs off a boot CD/DVD/USB flash drive and always uses the Tor network and the Tor browser. Everyone using the same version of Tails will have much in common. However, attributes of the screen will differ. Also, it is a big pain to set up. And, again, the Tor network alone is no defense.
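
An added example, not code from this page, from amiunique.org, the EFF or any browser vendor: a small Python model of the mechanism described in this topic. It combines seemingly trivial attributes into one identifier, shows how a constructed population splits into anonymity sets (the identical Chromebook Guest-mode profiles collide, while small font differences make the Windows users unique), and models the Brave approach of randomizing a fingerprintable value each session so two visits cannot be linked. The attribute names, profiles and the "canvas" value are constructed.

```python
"""Added example, not code from this page or from any browser vendor:
a small model of how trivial browser attributes combine into a
fingerprint, and what the two families of defense do to it.
All profiles and attribute names are constructed."""
import hashlib
import random
from collections import Counter

# The kinds of attributes a fingerprinting script reads. No cookie is
# involved, and the public IP address is deliberately not on the list:
# that is why a VPN, or the Tor network alone, changes nothing here.
ATTRIBUTES = ("os", "timezone", "language", "ram_gb", "screen", "browser",
              "version", "fonts", "plugins", "canvas")


def fingerprint(profile):
    """Combine the attribute values, in a fixed order, into one identifier."""
    material = "|".join(str(profile[name]) for name in ATTRIBUTES)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def anonymity_sets(profiles):
    """Map each fingerprint to how many profiles share it (size 1 = unique)."""
    return Counter(fingerprint(p) for p in profiles)


def brave_like_session(profile, rng):
    """Model of Brave's second-generation defense: perturb a fingerprintable
    value (here the canvas reading) with fresh noise for each session.
    In the browser the noise is imperceptible to a human."""
    noisy = dict(profile)
    noisy["canvas"] = rng.getrandbits(32)
    return noisy


def linkable_across_sessions(profile, seed):
    """True if two visits from the same device yield the same identifier."""
    rng = random.Random(seed)
    first = fingerprint(brave_like_session(profile, rng))
    second = fingerprint(brave_like_session(profile, rng))
    return first == second


# Constructed population. Several Windows/Firefox users differ only in
# the fonts they have installed; four Chromebook Guest-mode users are
# identical, which is the "everyone looks the same" family of defense.
WINDOWS_BASE = {"os": "Windows 10", "timezone": "UTC-5", "language": "en-US",
                "ram_gb": 8, "screen": "1920x1080", "browser": "Firefox",
                "version": "73", "fonts": "Arial;Calibri", "plugins": "none",
                "canvas": 0x5A17C0DE}
FONT_SETS = ["Arial;Calibri", "Arial;Calibri;Wingdings", "Arial;Comic Sans MS",
             "Arial;Calibri;Consolas;Segoe UI"]
CHROMEBOOK_GUEST = {"os": "ChromeOS", "timezone": "UTC-5", "language": "en-US",
                    "ram_gb": 4, "screen": "1366x768", "browser": "Chrome",
                    "version": "92", "fonts": "Roboto;Noto Sans", "plugins": "none",
                    "canvas": 0x0C0FFEE0}


def constructed_population():
    """Four distinct Windows profiles plus four identical Chromebook profiles."""
    people = [dict(WINDOWS_BASE, fonts=fonts) for fonts in FONT_SETS]
    people.extend(dict(CHROMEBOOK_GUEST) for _ in range(4))
    return people


if __name__ == "__main__":
    for fp, size in anonymity_sets(constructed_population()).items():
        print(fp, "shared by", size, "profile(s)")
    print("No defense, same device twice, linkable:",
          fingerprint(WINDOWS_BASE) == fingerprint(dict(WINDOWS_BASE)))
    print("Brave-style randomization, same device twice, linkable:",
          linkable_across_sessions(WINDOWS_BASE, seed=2021))
```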
PROTECTING CHILDREN FROM BAD ADULTS (topic added Dec 10, 2019)

This is not a subject I am at all familiar with. Thus, nothing but links, and not many at that. Feel free to help me add to this topic.

How to Protect Your Children From Online Sexual Predators by Michael Keller in the New York Times (Dec 2019). All human defenses, no technology.

Video Games and Online Chats Are Hunting Grounds for Sexual Predators by Nellie Bowles and Michael Keller in the New York Times (Dec 2019). No defenses offered.

Stop Sextortion from the FBI (Sept 2019). Contact the FBI at 800-CALL-FBI or tips.fbi.gov

WHATSAPP (Last update January 7, 2022)

I don't use WhatsApp, so all I can offer are these links.

From I Accidentally Hacked a Peruvian Crime Ring by Albert Fox Cahn for Wired (Dec 2021): the article makes a strong case for securing an account with an optional PIN or two-factor authentication. And, despite the WhatsApp end-to-end encryption, Facebook knows who your contacts are, what groups you belong to, and when and to whom you send messages. Quoting: "With a simple subpoena ... they can get much of your account information. With a full warrant, the platforms can provide records on every aspect of your digital network (apart from the message itself). They can record who we communicate with, how often, the groups we're part of, and the identity of every member, along with your full contacts list. Even worse, WhatsApp can do this in nearly real time, transforming a 'privacy-protective platform' into a government tracking tool."

Private WhatsApp groups are not very private. See Google Is Letting People Find Invites to Some Private WhatsApp Groups by Joseph Cox of Vice (Feb 2020).

How to minimise targeted ads on social media: WhatsApp from Privacy International (undated).

Upgrading WhatsApp Security by Martin Shelton (Feb. 2017).

You are safer when WhatsApp does not automatically download stuff (pictures, audio, video, documents) because you never know if the file is malicious.
To prevent automatic downloads:

iPhone: Configuring auto-download from WhatsApp. By default, it automatically downloads images over a cellular connection. Audio and video will automatically download on Wi-Fi. To change this: WhatsApp -> Settings -> Data and Storage Usage. Tap on photos, audio, videos and documents and choose Never, Wi-Fi, or Wi-Fi and Cellular.

Android: Configuring auto-download from WhatsApp. By default, it automatically downloads images over your cellular connection. Other types of files? Doesn't say. To configure: WhatsApp -> More options -> Settings -> Data and storage usage -> Media auto-download. There is no Never option; instead you have to uncheck a bunch of checkboxes as per the video.

AIRBNB (Last Update: August 14, 2021)

SCAMS: From one of the articles below: Scammers all over the world have figured out how best to game the Airbnb platform: by engaging in bait and switches; charging guests for fake damages; persuading people to pay outside the Airbnb app; and, when all else fails, engaging in clumsy or threatening demands for five-star reviews to hide the evidence of what they have done.

Cancel Your Trip Due to Coronavirus? Airbnb Refuses Scores of Refunds by Olivia Carville and Eric Newcomer of Bloomberg News (March 11, 2020). To put this in perspective, consider that the company was losing money even before the coronavirus. In the 4th quarter of 2019, they lost twice as much money as in the 4th quarter of 2018.

I stumbled across a huge Airbnb scam that's taking over London by James Temperton for Wired (Feb 2020). Entire buildings have been turned into de facto hotels.

Here Are the Most Common Airbnb Scams Worldwide by Anna Merlan for Vice (Jan 2020).

I Accidentally Uncovered a Nationwide Scam on Airbnb by Allie Conti for Vice (Oct 2019). While searching for the person who grifted them in Chicago, the author discovered how easy it is for users of the short-term rental platform to get exploited.
Much of the blame falls on Airbnb's loosely written rules and even looser enforcement.

In April 2019, Brian Krebs wrote about a service called Land Lords that creates Airbnb scams. A key piece of these scams is domains that look like airbnb.com but are not. The scam domain in the article was airbnb.longterm-airbnb.co.uk. It looked exactly like the real Airbnb website and asked victims to sign in. The fake site forwarded the legitimate Airbnb credentials to the real Airbnb, but only after recording them. Other domains used to scam Airbnb were: airbnb.longterm-airbnb.co.uk, airbnb.request-online.com and airbnb-invoice.com. For another defense against this scam, see the topic below on verified website identities.

How To Tell If There's A Security Camera In Your Airbnb by safety.com (Jan 2021).

TAX FILING IN US (updated March 20, 2021)

Many developed countries allow most citizens to file their taxes for free. In the US, this was the stated intent, but the scheme was corrupted. According to ProPublica, TurboTax tricked customers into paying for tax preparation they could have gotten for free. TurboTax even has a service with the word "free" in it that is/was not free. US taxpayers owe a debt to ProPublica for their reporting on this.

How to File Your State and Federal Taxes for Free in 2021 by Kristen Doerer for ProPublica (March 17, 2021).

How to File Your State and Federal Taxes for Free in 2020 by Justin Elliott of ProPublica (Jan. 2020).

From the IRS: Free File: Do Your Federal Taxes for Free and Free File: File Your Taxes Online for Free.

The free TurboTax filing site is turbotax.intuit.com/taxfreedom

Background: IRS Reforms Free File Program, Drops Agreement Not to Compete With TurboTax by ProPublica (Dec. 2019).
Shamed into acting, the IRS barred Intuit and other tax prep companies from hiding their free products from search engines.

Background: Inside TurboTax's 20-Year Fight to Stop Americans From Filing Their Taxes for Free by ProPublica (October 2019).

Background: TurboTax Deliberately Hid Its Free File Page From Search Engines by ProPublica (April 2019). Quoting: "TurboTax uses deceptive design and misleading advertising to trick lower-income Americans into paying to file their taxes, even though they are eligible to do it for free."

Background: Here's How TurboTax Just Tricked You Into Paying to File Your Taxes by ProPublica (April 2019). Not just Intuit, also H&R Block.

PHONE NUMBER HIDING (Updated July 3, 2021)

Hide your main/actual phone number by having more than one and giving out an alternate second phone number when appropriate. For example, I once checked my coat at a museum and, rather than give me a ticket, they wanted my phone number.

Another reason for a second phone number is for use with Signal. If you are interested in secure messaging, many people recommend the Signal app, which uses a phone number as the userid. So, maybe create a second number just for Signal.

TextNow offers Wi-Fi only phone numbers (my term) that do voice and texting. It's a VOIP phone number and also works over 4G/LTE. The service is free with ads or $3/month without ads. No phone needed; it's an app, so it can be installed on a tablet. Or multiple tablets. Or an old Wi-Fi only cellphone. When a call comes in and no device with the app installed is online, they take a message and email you that you missed a call. They also send a text transcript of any message left by the caller. I have used it for a while without ads and without complaint. If nothing else, it's a great defense against SIM swaps as no cellphone companies are involved. In January 2020, TextNow started offering cellphone numbers on the Sprint network.
If you have a phone that works on Sprint, they charge $10 for a SIM card. The service is free with ads or $10/month without ads.

Ting.com can be used for a permanent secondary, rarely used, cellphone number. To me, it makes the most sense to use it on an old cellphone. They do CDMA on Sprint or GSM on T-Mobile. It costs $6/month for the number and then you pay monthly for what you use: $3 for up to 100 minutes of talking, $3 for up to 100 texts and $3 for up to 100MB of data.

Burner Accounts 101: How to Get Extra Numbers for a Smartphone by Eric Griffith for PC Magazine (updated June 2020). Has a brief overview of Burner, Hushed, CoverMe, Line2, Flyp and Sideline.

The MySudo mobile app combines a second phone number with three new email addresses into a profile/personality, which they refer to as a Sudo. You make phone calls, send/receive texts and send/receive emails from within the app. There is a limited free account; pricing starts at $1/month. iOS users also get three new disposable credit card numbers. Profiles can be deleted and new ones created.

Ed Bott of ZDNet likes Line2. He explains (Dec. 2020) that it works on Android, iOS, Windows and macOS. It is a full-featured product offering voice, text messages, MMS messages, voicemail, etc. It can work over either a data connection (Wi-Fi, 4G) or a mobile network. The cheapest plan is $150/year.

Vyke offers up to four phone numbers with a single Vyke account. The service only works over the Internet (Wi-Fi, 4G); it is not a cell thing. It runs on Android and iOS and the app can be installed on tablets. You pay either by the week/month/year or by the minute for phone calls. They have phone numbers in the US, UK, France, Canada, Netherlands and Poland (as of Dec. 2020). You need a cellphone number to set up an account. I have not used it.

I have heard good things about textverified.com. They give you short-term use of a non-VOIP phone number that can be used for SMS and text verification on their website.
They get the text and display it on their site. The explanation of their services for new users is miserable, however; I could make little sense of it.

Google Voice is free, but I would rather not have Google know more about me than they already do. Plus, it requires a cellphone number when you sign up, not the best way to hide said number.

In episode 141 (Oct 2019) of his Security, Privacy and OSINT podcast, Michael Bazzell told of how he gets a phone number for a week for $2.50. He buys two pre-paid Mint Mobile SIM cards for $5 on Amazon. Each comes with a one-week free, limited trial. He uses them to set up assorted social media accounts. Once set up, converting the accounts to 2FA means never needing the phone number again.

On the June 26, 2020 episode of The Privacy, Security, & OSINT Show, the show host, Michael Bazzell, went into detail on using a Mint Mobile pre-paid SIM card as part of a private cellphone number. He suggested buying the SIM cards at Best Buy and paying cash. Amazon also sells them.

There are many other companies offering similar services.

ENCRYPTED DNS (Updated March 3, 2021)

Just as web pages migrated from insecure HTTP to encrypted HTTPS, so too DNS is changing. Legacy DNS uses plain text over UDP (not important) on port 53 (also just for techies). New DNS is encrypted using either DNS over HTTPS (DoH) or DNS over TLS (DoT). New DNS uses TCP on port 853 or 443.

Android leads the way among operating systems. Versions 9, 10 and 11 have a Private DNS feature that uses DoT system-wide. See the Android topic for more. Android versions 4 through 8 can use the Intra app from the Jigsaw division of Google. It installs as a VPN but only to get control of DNS. The Quad9 Connect app enables encrypted DNS from Quad9.

As of July 2020, macOS and Windows do not support encrypted DNS. Windows 10 will in the future. macOS will in version 11, due around October 2020. I don't know the status on either Linux or ChromeOS.
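The protocol change described at the start of this section, as an added example that is not code from this page: the DNS message itself is the same wire format that legacy port-53 DNS uses; DoH (RFC 8484) just wraps it in an HTTPS request on port 443. The resolver URL is a placeholder and the response bytes are constructed inline, so the code runs without touching the network.

```python
"""DNS over HTTPS (RFC 8484): build the same wire-format DNS query that
legacy port-53 DNS uses, encode it for a DoH GET request, and parse a
response body. Added example for this section, not code from the page.
The resolver URL is a placeholder and the response is constructed inline
so nothing touches the network; sending the GET is left to the reader."""
import base64
import struct

# Placeholder resolver endpoint (assumption; real resolvers publish their own).
# Note the bootstrap caveat from this section: the hostname in this URL is
# itself looked up with classic DNS before any encrypted query can be sent.
DOH_RESOLVER = "https://doh.resolver.example/dns-query"
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, qtype: int = TYPE_A) -> bytes:
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS.
    The ID field is 0 as RFC 8484 recommends for GET, so identical queries
    produce identical URLs that HTTP caches can serve."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_request(name: str, resolver: str = DOH_RESOLVER) -> tuple:
    """GET form of DoH: the query travels in ?dns=<base64url, no padding>.
    Returns (url, headers) ready for any HTTPS client."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    url = f"{resolver}?dns={encoded.decode()}"
    return url, {"Accept": "application/dns-message"}


def decode_dns_param(url: str) -> bytes:
    """What the resolver does on receipt: recover the wire-format query from
    the dns= parameter, restoring the base64 padding the GET form strips."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a (possibly compressed) domain name; returns (name, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, pointer)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse the answer section of a DoH response body (identical in layout
    to a classic DNS reply). Only A records are decoded; others are skipped."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"rcode": flags & 0x0F, "answers": answers}


def sample_response() -> bytes:
    """Constructed response, as a resolver would return it: the question
    echoed back plus one A record whose name is a pointer to offset 12."""
    query = build_query("example.com")
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    return header + query[12:] + answer + bytes([93, 184, 216, 34])
```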
iOS 13 does not offer system-wide encrypted DNS. The Cloudflare 1.1.1.1 app offers it on iOS 13, but only with their own DNS service, which does no blocking. The NextDNS and AdGuard apps both offer blocking and encrypted DNS on iOS 13.

iOS 14, released around October 2020, includes system-wide encrypted DNS (DoH), but it is complicated (on Android 9, 10 and 11 it is simple). I suggest reading the instructions for iOS 14 from your preferred DNS provider. There are at least three places within iOS where DNS can be specified. Which ones take precedence? One source is individual apps. Does encrypted DNS specified by an app override competing specifications elsewhere in the system? Which apps do this? I don't know how you can tell. On a system level, DNS can be specified at Settings -> VPN & Network -> DNS. Then too, like any OS, DNS can come from a VPN. iOS also has profiles. NextDNS lets you generate an Apple Configuration Profile. This requires you to have a NextDNS account, and it must be downloaded using Safari on the iOS device, which they don't say. With a VPN active, I found that the NextDNS profile was ignored and DNS from the VPN was being used instead. As explained by OpenDNS (DNS Resolver Selection in iOS 14 and macOS 11), it's complicated.

Without OS-wide support, you can still configure a browser to use encrypted DNS, at least on desktop OSs.

How to configure web browsers on Windows to use encrypted DNS (as of March 3, 2021):

Chrome version 87: Settings -> Privacy and security -> Security section -> Use secure DNS

Firefox version 86: Options -> General -> Network Settings -> Settings button -> Enable DNS over HTTPS

Brave version 1.20.108: Settings -> Additional Settings -> Privacy and security -> Security section -> Use secure DNS

Opera version 74.0.3911.160: Settings -> Basic -> System -> Use DNS-over-HTTPS instead of the system's DNS settings

Edge version 88.0.705.81 was miserable in my tests.
To find the setting: Settings -> Privacy, search, and services -> Security section -> Use secure DNS to specify how to lookup the network address for websites. On Windows 10 Home service pack 2004 with bug fixes as of Feb. 2021, I could not turn this on. The error was "This setting is turned off for managed browsers". There was nothing managed about the browser. On Windows 10 Pro service pack 2004 with bug fixes as of Nov. 2020, I was able to turn the setting on, but when I selected Quad9 as the DNS provider, it warned "Please verify that this is a valid provider". It also did not support NextDNS. Typical Microsoft.

Vivaldi version 3.6.2165.36 does not support encrypted DNS.

Here's how to enable DoH in each browser by Catalin Cimpanu (Feb 2020).

Quad9 configuration instructions for their DoH service: DoH with Quad9 DNS Servers.

I read (but have not verified) that forcing encrypted DNS in a browser can break captive portals.

DNS over HTTPS at GitHub has a list of publicly available DoH servers.

Note that encrypted DNS is nice but not great security. Network observers can still see the IP addresses you communicate with and the domain names of secure web sites you visit. Not the full URL, just the domain name. And it does nothing for HTTP web pages. Both a VPN and Tor hide everything, but each is end-to-middle encryption, not end-to-end.

As with VPNs and Tor, you cannot hide the fact that you are using encrypted DNS. A network observer can see the initial old-style DNS lookup for the encrypted DNS server name.

Every coin has two sides: DNS over HTTPS causes more problems than it solves, experts say by Catalin Cimpanu (Oct 2019).

ZOOM

In the video settings, turn on both the touch-up feature and "Always show video preview dialog when joining a meeting". Note that on a Chromebook, the Zoom PWA does not offer the touch-up feature. In the early days of Zoom (2020) it changed too quickly for me to keep up with it, so in August 2020 I removed my suggestions.
SLACK (Last Updated Oct 29, 2020)

All the ways Slack (and your boss) tracks you and how to stop it by Matt Burgess for Wired (October 2020). By default, Slack never deletes your messages or files. The biggest risk for many people is bad passwords and the lack of two-factor authentication. Private channels and DMs could be revealed during a legal case or other type of investigation. When adding a new person to a Slack channel, they are able to see past messages and files, including any gossip about them.

7 Slack privacy settings you should enable now by Jack Morse in Mashable (July 2019). In the paid version of Slack, the article explains how to tell if your boss can read your direct messages and how to tweak the retention settings on your direct messages. The Chrome browser extension Shhlack can encrypt messages. Use Signal instead for real privacy. Some Slack accounts track edits and maintain records of the messages before they were edited.

What if All Your Slack Chats Were Leaked? by Gennie Gebhart in the NY Times (July 2019). No defense, just things to be aware of. "Slack stores everything you do on its platform by default - your username and password, every message you've sent, every lunch you've planned ... That data is not end-to-end encrypted, which means Slack can read it, law enforcement can request it, and hackers ... can break in and steal it."

On the free Slack service, all messages are kept forever. See the Slack Privacy Policy.

RING DOORBELLS (Last Updated Feb 18, 2020)

I have never used a Ring doorbell. Thus, nothing but links.

Ring Updates Device Security and Privacy - But Ignores Larger Concerns by Matthew Guariglia and Bill Budington of the EFF (Feb 2020). Mostly non-technical. Says nothing about domain blocking with DNS as a defense against tracking, too bad.
What to Know Before You Buy or Install Your Amazon Ring Camera by Matthew Guariglia of the EFF (Feb 2020).

How to Use Ring's New Control Center for Better Privacy and Security by Daniel Wroclawski of Consumer Reports (Jan 2020). To get to the new dashboard in the app, tap the menu button at the top-left, then Control Center. It includes some new privacy controls and needs to be reviewed periodically.

We Tested Ring's Security. It's Awful by Joseph Cox for Vice (Dec 2019). Great article about many things Ring could do to improve security. Read this before making a decision on trusting Ring. Some take-aways: change the password (even if it's unique), add two-factor authentication (everyone suggests this) and at initial setup give it a phony address and phone number (my idea, not tested).

Ring's Security Woes Cause Some Tech Review Sites to Rethink Glowing Endorsements by Dell Cameron for Gizmodo (Dec 2019).

We're not rescinding our recommendation of Ring's cameras. Here's why by Mike Prospero for Tom's Guide (Dec 2019). Suggested defense: Don't share video or incident reports with the Neighbors app because it might let others learn where you live. And be aware that sharing video with a law enforcement agency will tell them your name and address, and the video might be shared with other agencies.

Don't Buy Anyone a Ring Camera by Adam Clark Estes for Gizmodo (Nov 2019).

Ring Neighbors Is the Best and Worst Neighborhood Watch App by the Wirecutter (Sept 2019). From the article: There are no federal privacy regulations regarding home security cameras. Ring's privacy policy states that the company may supply video footage without notice based on "requests by government agencies" and "reasonable government request." A review of the privacy policies for Ring and Neighbors found a number of clauses that felt dicey, such as the right to collect contact information, details about your Wi-Fi network, connections to third-party services and more.
CASH APPS (Last Updated March 5, 2022)

This section is about payment apps (aka pay apps) such as PayPal, Venmo, Cash App, Apple Cash, Google Pay and Zelle. The article How Private Is My Pay App? from The Markup (Nov 2020) discusses the data these apps share. The apps that most protect your privacy are Google Pay, Apple Cash and Zelle.

ZELLE

Common Zelle scam: a text message from bad guys asks to confirm some banking activity. The bank customer says it was not them. Immediately, the bad guys call the bank customer, pretend to be the fraud department at the bank and ask for assorted information to verify things. A customer that responds to this immediately becomes a victim. As noted at the top of this page, you never know who calls you on the phone or who sent a text message.

Me-to-Me scam: bad guys convince a Zelle user to send money to their own phone number. Sounds safe. But the bad guys have assigned the victim's phone number to their account.

The 'Zelle Fraud' Scam: How it Works, How to Fight Back by Brian Krebs (Nov 2021). Some victims have an active Zelle account and don't know they do. So, of course, they don't know how it works and they get scammed.

Zelle hackers 'improve' their scam; banks won't help - but victims have a new place to complain by Bob Sullivan (Nov 2021).

Zelle fraud emergency kit and FAQ by Bob Sullivan (Nov 2019).

CASH APP

They Were 'Calling to Help.' Then They Stole Thousands by Becca Andrews in Wired (Feb. 2022). About a woman who was scammed. One part describes the problems trying to get control of the Cash App account back.

VENMO

Venmo is owned by PayPal.

The app makes all transactions public by default. Configure: in the app, Menu icon (upper left) -> Settings -> Privacy -> Default Privacy Setting -> Private. Configure: To retroactively privatize Venmo posts: Past Payments -> Change All to Private. It may instead be called "Past Transactions". From How to Venmo Without Being a Monster by Angela Lashbrook (Jan. 2020).

Friend lists default to public.
No other social network or service does that. For a long time they could not be made private. Configure: Settings -> Privacy -> More -> Friends List and set it to Private. Also, turn off "Appear in Other Users' Friends Lists".

Configure: Settings -> Privacy -> More -> Location. Check that the app does not have access to your location (it does not need it).

Configure: Settings -> Preferences -> Friends & Social. Turn off Facebook Connect, Phone Contacts and Facebook Contacts.

FYI: We Found Joe Biden's Secret Venmo. Here's Why That's A Privacy Nightmare For Everyone by BuzzFeed News (May 2021). Quoting: "Privacy advocates and journalists have warned about Venmo's privacy problems for years, yet the PayPal-owned app has persisted with features that can place people at risk."

Venmo Exposes Old Profile Photos, With No Way To Remove Them by Katie Notopoulos of BuzzFeed News (May 2021).

Venmo Users Are Being Inundated With Payment Requests From Strangers by Nicole Nguyen of BuzzFeed News (December 2019).

EFF and Mozilla to Venmo: Clean Up Your Privacy Settings by the Electronic Frontier Foundation (August 2019).

Venmo's Public Feed Is Bad And They Should End It by Katie Notopoulos of BuzzFeed News (July 2018).

FYI: The Venmo Security page.

STALKERWARE (Last Updated Feb 28, 2022)

Dealing with the technology side of abusive relationships.

In February 2022, Zack Whittaker reported on a family of Android spyware apps that, while they looked different on the outside, were the same internally. The apps are: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. He offered advice on finding and removing them, such as: in the Play Store app, verify that Play Protect is on. In Settings -> Accessibility, look for any Downloaded services with names like "Accessibility" or "Device Health". Also look for any device admin apps. For more see Your Android phone could have stalkerware, here's how to remove it.
How Jamie Spears Spied on Britney Spears Through iCloud by Lorenzo Franceschi-Bicchierai (Oct 2021). Using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. All that is needed is the password for the Apple ID of the victim. The article describes detecting this and stopping it. In a browser, I suggest (not in the article) a Chromebook running in Guest Mode. Login to iCloud.com -> Account Settings -> My Devices.

Stalkerware Apps Are Proliferating. Protect Yourself by the New York Times (Sept. 2021). Has nine defensive tips from The Coalition Against Stalkerware. FYI: An app icon can be changed to that of something innocent looking, such as a calculator or calendar app. Apps to detect stalkerware: Malwarebytes, Certo AntiSpy, NortonLifeLock and Lookout.

Stalkerware Resources and Help by Jack Rhysider of Darknet Diaries (undated).

In August 2021, Lodrina Cherne spoke about stalkerware at the Black Hat conference: A Survivor-Centric, Trauma-Informed Approach to Stalkerware. This link has the slides; she also published a list of Resources.

How to Shut Stalkers Out of Your Tech by Yael Grauer for Consumer Reports (March 2021). People facing domestic abuse can take these steps to lock down their devices and eliminate stalkerware. The article has many, many suggestions. For finding stalkerware on Android, use an antivirus app from Eset, Kaspersky and/or Trend Micro. On Windows, use BitDefender, Eset, Kaspersky, Norton and/or Malwarebytes. On an iPhone, use the iVerify app from Trail of Bits.

Apple's AirTag trackers made it frighteningly easy to 'stalk' me in a test by Geoffrey Fowler for the Washington Post (May 2021). The article is behind a paywall. A big point in the article is that Apple does not do enough to prevent AirTags being used for domestic abuse. In a test in San Francisco, the AirTag updated its location every few minutes. When moving, the location was accurate to half a block. When stationary, it was precise.
An accompanying video is not behind the paywall.

What to do if you find an AirTag or get an alert that an AirTag is with you from Apple (April 2021). How to learn the serial number of an AirTag. It requires NFC and will work on Android too. Note that making a detected AirTag play a sound often failed in Fowler's tests (above).

Clinical Computer Security for Victims of Intimate Partner Violence: a white paper and a video to help victims of partner and spousal abuse who are worried their devices are compromised. This is an excellent resource for those who think they're infected with spyware (August 2019).

Concerned with stalkerware? Android users should install Kaspersky antivirus. From Hacker Eva Galperin Has a Plan to Eradicate Stalkerware, Wired (April 2019).

From the Coalition Against Stalkerware: Find direct support if you experience or suspect stalking and Stalkerware detection, removal and prevention.

The National Domestic Violence Hotline has trained experts. Call 800-799-7233. Note however that when they say "Computers store information about the websites you visit. ... purchases you make ... messages or emails ... You should always consider that a computer might be monitored ... Safe computers can be found at your local library, Internet cafe, shelter, workplace .." they are leaving out an excellent option: a Chromebook running Guest Mode. It is impossible to install any type of spyware on a Chromebook running in Guest Mode, and Guest Mode stores nothing, which makes it a far safer option than the ones they offer. They also say that "Using safe browsing practices (like using a VPN) can help prevent abusive partners from tracking your Internet history." To be clear, the purpose of a VPN is to hide activity from the ISP and from the router you are connected to. VPNs are not designed to hide activity on the computer where they are running.
The National Network to End Domestic Violence.

The Safety Net Project.

Refuge Tech Safety.

The hardest computer to infect with something malicious is a Chromebook. Guest Mode in a Chromebook guarantees that no extra software is/can be installed. It can be used to access any webmail system, such as secure email from ProtonMail and Tutanota. Do not use the Chromebook with a NextDNS account, as NextDNS offers logging. See the section on Chromebooks for setting DNS system-wide.

Start using ProtonMail for email. Messages between two ProtonMail customers are end-to-end encrypted. It has a free tier.

There are more secure versions of Android. In the Android section, see the sub-section on Replacing Android for an overview of LineageOS, GrapheneOS and /e/ OS.

Listen to The Privacy, Security, & OSINT Show, a podcast by Michael Bazzell. He is in the extreme privacy business and has written a book on the subject.

An app that lets you create a new profile/personality (new email address and new phone number) is MySudo. You can send and receive calls, texts and emails from the MySudo app. It runs on iOS and Android. There is a limited free account. Pricing starts at $1/month.

Every now and then turn your phone off (really OFF) and then back on a minute later. While every operating system benefits from a clean boot/startup, if you are targeted by bad guys, certain malicious stuff might be removed when the device is powered off. This applies to routers too.

FAKE JOB SCAMS

Avoid Online Job Post Scams With These 7 Simple Tips by Kim Key for PC Magazine (Feb 2022).

How to Avoid Being Scammed by Fake Job Ads by Cezary Podkul for ProPublica (Oct 2021). Phony job advertisements are proliferating, often as part of identity-theft schemes. The article has 10 tips. Tip 3: Be wary of job ads touting the need to verify your identity at the outset.
Tip 4: Take the text of the job ad and put it in Google.

From the FBI: FBI Warns Cyber Criminals Are Using Fake Job Listings to Target Applicants' Personally Identifiable Information (April 2021). The article has 9 indications that a job offer is a scam, 8 ways to protect yourself and 5 ways to report the scam. Also: Cyber Criminals Use Fake Job Listings To Target Applicants' Personally Identifiable Information (Jan 2020).

Know that job boards do not validate that the person posting a job is actually affiliated with the company.

An excellent scam/no-scam indicator is whether you deal with someone who gives you a Gmail account or someone using the actual company domain. That said, this requires an understanding of the rules for Domain Names (topic number 2 above) so you don't get tricked into thinking [email protected] is the same as [email protected].

How to Tell a Job Offer from an ID Theft Trap by Brian Krebs (May 2021).

How a remote tech writing gig proved to be an old-school scam by Lee Goldberg for Ars Technica (June 2019).

Alison Doyle has written about this for The Balance Careers: List of Fake Job Scam Examples (July 2019), Common Job Scams and How to Avoid Them (Dec 2019), How to Report a Job Scam (Sept 2019).

A tweet from Ian Sigalow (June 2019) shows that legit companies are also victims.

BATTERIES

Keeping a laptop battery fully charged at all times shortens its lifespan. Batteries last the longest when operating between 30 and 80 percent charged. A laptop that is plugged in all the time should be set to never charge over 80 percent. In the best case, the battery should normally be charged somewhere in the 30-80 percent range and, when you expect to need it, then charge it up to 100%. Lenovo laptops have software that lets you set the maximum charge percentage. On macOS, AlDente is a menu bar tool that limits the maximum charging percentage (Alternate link). For Mac laptops with Intel CPUs, there is a battery feature in the OS.
See About battery health management in Mac notebooks.

Heat is also bad for laptop batteries. Lenovo has software that lets you see the battery temperature.

Laptop batteries can swell in size. A swollen battery should be replaced and kept cool. I would contact the hardware manufacturer for specific instructions. See the Dell Swollen Battery Information and Guidance. Lenovo has a Battery Q & A.

CARS

Cars spy on us: These Companies Track Millions Of Cars - Immigration And Border Police Have Been Grabbing Their Data by Thomas Brewster (April 2021). Cars constantly collect location and use information, and that data is provided to the government. In the last 18 months, Customs and Border Protection and Immigration and Customs Enforcement officials demanded location data from three companies who collectively track the movements of tens of millions of vehicles: GM OnStar, Geotab and Spireon. No defense offered.

Cars spy on us: Cars Have Your Location. This Spy Firm Wants to Sell It to the U.S. Military by Joseph Cox for Vice (March 17, 2021). A company claims that it can locate specific cars in real time with data that comes from the cars themselves. The company is The Ulysses Group. Cars often include sensors that collect information and transmit it back to the home office. Such vehicle telematics include the airbag and seatbelt status, engine temperature, and current location. It is claimed that vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating. For defense, Privacy4Cars. The Privacy4Cars app offers step-by-step instructions for deleting your personally identifiable information from any car. The company also sells tools to help dealerships remove data from vehicles.

How cars spy on the people using them: Insecure wheels: Police turn to car data to destroy suspects' alibis by Olivia Solon for NBC News (Dec 2020). Does not offer much in terms of defense.
Cars spy on us: Your Car Knows When You Gain Weight by Bill Hanvey, CEO of the Auto Care Association (May 2019). Not much in the way of defense.

PRINTERS

I hate printers.

Background: There are two types of printers - those that squirt liquid ink and laser printers that, like a xerox machine, burn a toner (think colored dust) onto the paper. Liquid ink printers are called inkjets; those from HP are called deskjets. All inkjet printers print in color. Laser printers come in black/white or color versions. A laser printer should, in the long run, be more reliable, easier to maintain and cheaper to own and use. An inkjet printer is cheaper to buy. Most inkjets use very small ink cartridges that can not be refilled. A small number of inkjets use a large refillable ink tank. For more see How to Save Money on Your Next Printer: Weighing the Cost of Tank vs. Cartridge Ink by M. David Stone (Nov 2021).

If you need a printer, you need two. As a rule, the more you pay for a printer the cheaper it will be to operate over the years. A black/white laser printer is an excellent backup printer. Expect to pay about $100 US dollars.

Some printers support Wi-Fi Direct, a type of Wi-Fi that allows two devices to connect directly to each other without needing to be on the same Wi-Fi network. You could unplug your router and this would still work. I mention it here because unless you use this feature, it should be turned off in the printer. At the very least, change the default Wi-Fi network password to something at least 15 characters long. This is to prevent the Wi-Fi network created by the printer from being used to hack into the LAN.

If you are considering buying an inkjet printer, this Oct 2021 article, Canon sued for disabling scanner when printers run out of ink, from Bleeping Computer shows that without ink, a Canon printer can not even scan, which uses no ink at all. It also would not send a fax, which again, uses no ink.
And, without color ink, it will not print in greyscale. These gripes go back to at least 2016.

FYI: Laser printers warn about the toner being almost empty well before it actually runs out. When a toner cartridge is low, you may be able to extend its life by shaking it.

FYI: Most color laser printers and color copiers are designed to print invisible tracking codes on every page. These codes reveal which specific machine produced a document and, in some cases, when the document was printed or copied. From the EFF in 2017: it appears likely that all recent commercial color laser printers print some kind of forensic tracking codes, not necessarily using yellow dots. This is true whether or not those codes are visible to the eye. To be safe, use a black-and-white printer, black-and-white scanner, or convert a color image to black-and-white with an image editor. More from the BBC (June 2020), from Robert Graham (June 2017), from the EFF (undated) and from Snopes (June 2017).

Very old printers may have trouble feeding paper because the rubber rollers have dried out. Some suggestions: Use an emery board or sandpaper or a nail file to roughen the rollers. Stroke side to side to make grooves in the rollers. Use a product that claims to rejuvenate rubber. One such product is CaiKleen RBR rubber cleaner and rejuvenator. It claims to: "Re-condition rubber surfaces and bring back its original surface texture, flexibility and usability." Clean the rollers with Windex.

TIKTOK

No personal experience, so just links.

Privacy and Security on TikTok from TikTok. Undated.

TikTok Is Watching You - Even If You Don't Have an Account by Riccardo Coluccini for Vice (January 2021). The reporter submitted a request under the GDPR, and was shocked to see what data the app had been recording. No defense offered.
TECH SUPPORT SCAMS

Some simple rules to know for defense:

No tech company will call you about a problem, any problem.
If you get a phone call and caller ID says it is from a tech company, the caller ID has been faked.
The warning on your computer about a virus or malware is almost definitely a scam.
If the warning has a phone number to call, it is definitely a scam.
Any situation that requires you to install software is a scam.
Every attempt to access your computer is malicious.

The safest computer for non-technical people is a Chromebook. Right off the bat, it offers immunity from scammers calling and claiming to be from Microsoft, Windows or Apple. Most likely the bad guys do not have scripts, yet, that target Chrome OS users. Then too, a Chromebook requires no ongoing care and feeding, making it a perfect fit for non-technical people.

Background info: Inside an International Tech-Support Scam by Doug Shadel and Neil Wertheimer of AARP (April 2021). Tech Support Scams from AARP. These scams succeed only when the victims don't know the rules of the road. Watch 6 Things That Can Be Faked To Compromise Your Security, an 11 minute video by Gary Rosenzweig from MacMost.com (April 2021). Another excellent source is episode 131 (April 2021) of the Tech Enthusiast Hour podcast by Gary Rosenzweig and Leo Notenboom.

REPORTING BAD STUFF

This section was expanded and renamed in January 2022 but it still needs to be greatly expanded. It could be a website all its own. Feel free to let me know of other places to report bad things.

Gmail users can report spam to Google from within Gmail. Scams that came from a Gmail account can be reported to [email protected] or on this page.
However, the page is so poorly done, it may have been abandoned.

Scam emails that came from Hotmail or Outlook can be reported to [email protected]

Emails that pretend to be from a trusted organization for the purpose of stealing passwords or other personal information can be reported to Cisco PhishTank, SpamCop, the Anti-Phishing Working Group (registration is required) and Sophos.

In the US, report a scam, fraud, bad business practice by a company or an unwanted call to the Federal Trade Commission at ReportFraud.ftc.gov. For ideas of what you might report to the FTC, see consumer.ftc.gov.

In the US, report Social Security scams to 800-269-0271 or secure.ssa.gov/ipff/home or oig.ssa.gov/report.

In the US, report IRS scams and fraud here.

The US Federal Trade Commission runs identitytheft.gov where you can report identity theft.

Report a fake business listing on Google Maps here.

Report Abusive Behavior on Twitter here. More on their Safety and Security page.

In the US, submit a complaint about a consumer financial product or service to the Consumer Financial Protection Bureau at www.consumerfinance.gov/complaint or call (855) 411-2372.

Chase Bank has instructions for reporting fraud, including scam emails that pretend to be from Chase.

In the UK, see Phishing: Spot and report scam emails, texts, websites and calls from the National Cyber Security Center. Suspicious emails can be forwarded to the NCSC's Suspicious Email Reporting Service at [email protected]

In the US and UK, most phone providers let you report a scam text for free by forwarding it to 7726 (SPAM). Verizon, AT&T and T-Mobile support this. On iOS: press and hold on the message bubble -> tap More -> select the message you want to forward -> tap the arrow on the bottom right of the screen -> type 7726 and send. On Android: press and hold on the message bubble -> tap the three vertical dots in the top right -> tap Forward -> enter 7726 and send. How to report spam texts on Android, from Google.
No forwarding to 7726 needed.

In the US, the FTC takes complaints about phone calls at reportfraud.ftc.gov. They claim to also accept gripes about Email and Text Messages but good luck figuring out how, as there is no category for them.

In the US, unwanted phone calls can also be reported to complaints.donotcall.gov.

In the US, the FCC has a Consumer Complaint Center that takes complaints about unwanted phone calls or texts from telemarketers. You can also gripe about your phone number being spoofed, blocked, or labeled as a spammer.

In the UK, take a screenshot of a bad text message and send it to [email protected]

Victims of illegal activity involving a component of the Internet can file at the Internet Crime Complaint Center, which is run by the FBI. Any crime that used the Internet to communicate false or fraudulent representations to consumers qualifies, including websites, chat rooms, and/or email. Report fake job scams here. See their Frequently Asked Questions.

Amazon sells fake/counterfeit books and they have no interest in anyone reporting on it.

ONE OFFS

The items below are defensive measures that apply to just one website or just one system.

The Eizo Monitor Tests are all done on web pages, no software to install.

YouTube: Privacy and safety center from Google.

Snapchat: Privacy settings from Snapchat Tech Support. Undated.

LinkedIn: Managing Your Account and Privacy Settings - Overview from LinkedIn. Last updated: Sept. 2020.

UPS: When shipping a box via United Parcel, take a picture, with your phone, of the label they create and put on the box. Maybe also take a picture of the box before bringing it to their office. At my local UPS office their printer is miserable and the tracking number is all but impossible to read.

Uber customers can not trust any email that appears to come from Uber.
See this January 2, 2022 article for details: Uber ignores vulnerability that lets you send any email from Uber.com by Ax Sharma.

Apple Credit Card: You should opt out of the Apple Card's arbitration clause - here's how. The Verge (Aug 2019).

Traveling on an airplane? The QR code on your phone or paper boarding pass contains lots of personal information. Keep it hidden and destroy paper boarding passes after the flight.

For home security cameras I suggest the $15 eBook Take Control of Home Security Cameras. I have not read the book but I know the author, Glenn Fleishman, is excellent. As of March 10, 2021, the last update was February 23, 2021.

Concerned your phone has been hacked? Civilsphere, from the Stratosphere Laboratory and the Czech Technical University, offers a great public service: an Emergency VPN. If they accept your application, they will install a VPN on your phone and monitor the data coming/going for up to three days. Then they do a security assessment of what they captured.

Increase the security of Proton Mail: ProtonMail Five Years Later, Part III: Security Features by Justin Carroll (Nov 2019).

MetroPCS customers can take one of two defensive steps against a SIM swap attack made far too easy by poor security at MetroPCS (April 2019).

Verizon Wireless customers can review their marketing settings at vzw.com/myprivacy or by calling 800-333-9956. I suspect that most people will not want their CPNI shared with Verizon "affiliates and agents". December 2021: Verizon had a program called "Verizon Selects" where they spied on their customers. It has been renamed "Verizon Custom Experience", seemingly to let them spy on everyone who opted out of the first program. Details on how to opt out here: Verizon overrides users' opt-out preferences in push to collect browsing history by Jon Brodkin of Ars Technica. The best solution is to use a VPN, which blocks Verizon from seeing anything.

T-Mobile: It seems that T-Mobile has poor internal security. Maybe don't use them.
They were hacked in August 2021 for (I think) the 5th time in 3 years. The Aug 2021 attacker was quoted in the Wall Street Journal saying their security was miserable. Word to the wise? And: T-Mobile to Share Customers' Web Browsing Data With Advertisers Unless They Opt Out by Michael Kan for PC Magazine (March 2021). Customers can opt out at the T-Mobile Privacy Center (t-mobile.com/privacy-center/take-control-of-your-data). The company will share your Advertising ID, which you can change periodically.

Chase Bank has security tips.

Erasing storage by Royce Williams is for techies and includes an option many other articles omit - setting a hard disk password.

EXTRA CREDIT

Be very wary of files sent to you that you did not ask for. This applies on both desktop and mobile operating systems. Sometimes, just downloading them is enough to get infected with malware. Open these files on a Chromebook running in Guest Mode.

Cellphone companies all want to show you ads and sell your information. In March 2021, the tl;dr sec Newsletter published instructions for opting out for T-Mobile, Metro, Sprint, AT&T and Verizon.

URL shorteners (aka link shorteners), such as bit.ly, Twitter's t.co and Flipboard's flip.it, hide the ultimate destination of a link. You can check where a shortened link actually goes at assorted URL expanders such as: URLEX or expandurl.net or unshort.link or linkunshorten.com or GetLinkInfo.com or checkshorturl.com. Going a step further are urlscan.io and VirusTotal, which offer opinions on whether the ultimate destination URL is malicious or not. In January 2020, Simon Frey (of unshort.link) introduced an extension for Firefox and Chrome that checks short links against a blacklist and prevents them from tracking you.

The website JustGetMyData is a directory of links for you to obtain your data from assorted services. It rates each company as to whether the process is easy, medium or hard. Easy: Google, Facebook, Apple, Tinder.
Hard: Zoom, Microsoft, Adobe, Craigslist. A companion website, JustDeleteMe, offers links to delete your account from assorted services. More: This Simple Tool Will Help You See What Websites Know About You by Matthew Gault of Vice (Jan. 2021).

Michael Bazzell has a Data Removal Guide for removing your personal information from data broker and credit reporting services (last updated April 2022).

Don't take computing advice from the mainstream media. Many reporters that cover technology are Art History majors that do not understand the stuff they write about. Thus, they often make bad Defensive Computing suggestions. For example, have you ever seen an article suggest using a Chromebook in Guest Mode when accessing sensitive/financial websites? I have not.

Thinking about selling your Echo Dot - or any IoT device? Read this first by Dan Goodin of Ars Technica (July 2021). Wiping your data from any IoT device before getting rid of it can be hard.

The more you know about DNS the better. My Router Security website has both a short and a long explanation along with a list of websites that show your currently used DNS servers. Get in the habit of checking the active DNS servers, especially when traveling.

Before you use a new USB flash drive, plug it into a Chromebook running in Guest mode and format it from there. In the same vein, if you don't know where a flash drive came from, the only computer you should plug it into is a Chromebook running in Guest mode. Malicious USB flash drives are a common tactic for infecting the computers of people who have not read this website. Running Linux off a bootable CD/DVD disc is also a safe environment. However, a USB flash drive can also destroy a computer. The usbkill.com drive overloads the circuits, converting a computer into a paperweight. So, a low end Chromebook is probably best.

Speaking of USB, the cables normally carry both data and electricity. Data can be a problem, as it is an avenue through which a device can be hacked.
Companies such as Adafruit, PortaPow and SyncStop sell USB cables/adapters that only do power. They may be called Power-Only, Charge-Only, Data Block or a USB condom. The attack is called Juice Jacking (maybe Juice-Jacking). Without a power-only cable, you can still be protected by plugging into an electric outlet rather than a USB port. Or, use your portable charger, or get a charge in a car. Also, don't use someone else's cable or charger. This excellent article USB Data Blocker Teardown (Aug 2020) explains three different types of USB data blockers. For an intro see How to Protect Yourself From Public USB Charging Ports (Aug 2018).

There is a chance that the camera on a computing device could be activated without your being aware of it. The defense is old school: cover the camera lens with something opaque (band-aid, tape). Try to avoid adhesive directly over the lens.

Speaking of laptop computers, they have microphones that are typically impossible to mute. This article: Why your laptop's always-listening microphone should be as easy to block as your webcam (June 2019) mentions some models that can disable the microphone. My T series ThinkPad can. Laptops from Framework have hardware off-switches for both the microphone and webcam. They are also extremely repairable (Sept 2021). The $200 PineBook Pro Linux laptop can also mute the mic. On macOS, you can install OverSight to be warned both when the mic is activated and when something accesses the webcam. Or, you can buy the Mic-Lock microphone blocker for $7 (as of Feb 2020). It plugs into the 3.5mm microphone/headphone port on a laptop, phone, or tablet and tricks the device into thinking that a microphone is connected. For more on this, see the Dec 13, 2019 episode of the Privacy, Security and OSINT podcast, Camera & Microphone Blocking. In Windows 10, turn off the mic at: Settings -> Privacy -> Microphone. In macOS turn it off at: System Preferences -> Security & Privacy -> Privacy -> Microphone.
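The job-scam rule above (a recruiter on Gmail versus the real company domain, and the lookalike-domain trick), the URL expanders earlier in this section, and the later question of whether ftccomplaintassistant.gov belongs to ftc.gov all come down to the same check: what is the registrable domain of an address or a link's final destination, and is it the organization you expect? The Python below is an added example written for this page; it is not code from this site, from the Defensive Computing author, or from any of the expander services named. It follows a short link's redirect chain using only the Location header of each hop (no page content is loaded or run), then compares the final host with an expected domain. The redirect table, the hostnames (example-bank.com, evil.test, loop.test) and the small suffix table are constructed for the demonstration; a real tool would load the full Public Suffix List.

```python
"""Follow a short link's redirects and check where it really lands.

Added example for this page (not the site's own code or any URL expander's).
Hostnames, the redirect table and the suffix table are constructed.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse
from typing import Callable, Optional

# Stand-in for the Public Suffix List: suffixes under which the registrable
# name is one label deeper (example.co.uk). Assumption: enough for this demo.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Part of a hostname the registrant controls.

    login.example-bank.com.evil.test -> evil.test: everything left of the
    registrable domain is chosen by whoever owns evil.test, which is the
    whole trick behind lookalike addresses.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(address: str) -> str:
    """Accept an email address, a URL or a bare hostname; return the host."""
    if "@" in address:
        return address.rsplit("@", 1)[1].strip().lower()
    if "://" in address:
        return (urlparse(address).hostname or "").lower()
    return address.strip().lower()


def belongs_to(address: str, expected_domain: str) -> bool:
    """True only when the address is under the organization's own domain."""
    return registrable_domain(host_of(address)) == registrable_domain(expected_domain)


def is_lookalike(address: str, expected_domain: str) -> bool:
    """Name carries the brand but is a different registrable domain.

    Heuristic: a short brand can match unrelated names, so a True result
    is a prompt to look closer, not a verdict.
    """
    host = host_of(address)
    brand = registrable_domain(expected_domain).split(".")[0]
    return brand in host and not belongs_to(host, expected_domain)


Fetcher = Callable[[str], Optional[str]]  # url -> Location header or None


def expand_url(url: str, fetch: Fetcher, max_hops: int = 10) -> list:
    """Chain of URLs from the short link to the final destination.

    Only the Location header of each hop is used. Loops and over-long
    chains raise ValueError rather than being followed.
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def live_fetch(url: str, timeout: float = 10) -> Optional[str]:
    """Fetcher for real use: HEAD request, redirects are not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # urllib then raises HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return None  # 2xx: final destination reached
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


# Constructed redirect table standing in for the short-link services, so the
# example runs offline. The final host imitates example-bank.com.
FAKE_REDIRECTS = {
    "https://bit.ly/abc123": "https://t.co/xyz",
    "https://t.co/xyz": "https://login.example-bank.com.evil.test/verify",
    "https://loop.test/a": "/b",
    "https://loop.test/b": "https://loop.test/a",
}


def fake_fetch(url: str) -> Optional[str]:
    return FAKE_REDIRECTS.get(url)


def check_link(url: str, expected_domain: str, fetch: Fetcher = fake_fetch) -> dict:
    """Expand a link and report whether it lands on the expected organization."""
    final = expand_url(url, fetch)[-1]
    return {
        "final_url": final,
        "hops": len(expand_url(url, fetch)) - 1,
        "final_domain": registrable_domain(host_of(final)),
        "belongs_to_expected": belongs_to(final, expected_domain),
        "lookalike": is_lookalike(final, expected_domain),
    }


if __name__ == "__main__":
    print(check_link("https://bit.ly/abc123", "example-bank.com"))
```

With the constructed table, the bit.ly link ends at login.example-bank.com.evil.test after two hops; the report says it belongs to evil.test, not example-bank.com, and flags it as a lookalike. Swapping fake_fetch for live_fetch turns the same check into a real expander, and belongs_to applied to a recruiter's email address is the Gmail-versus-company-domain test in code form.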
Scam Alerts from the FTC.

Defensive search engine: This article describes a search engine trick pulled off by special interest groups. They scam people by abusing the data void for newly invented keywords. See The far right is dominating the information wars through keyword signaling by Cory Doctorow (October 2019).

Whenever you are offered the choice to Login With Google or Login With Facebook, don't do it. iOS 13 will introduce a new competing system: Login with Apple. As of July 2019, it is too soon to form an opinion on it, but it will let Apple read your email, something they could not do without it.

A very sneaky trick that some websites pull is making third party cookies look like first party cookies. Everyone allows first party cookies, so this lets you be tracked. The website trackingthetrackers.com tests for this and reports on it. Great service.

The Princeton IoT Inspector software only runs on macOS High Sierra and Mojave (not Catalina as of Feb 2020). It lets you spy on the IoT devices that normally spy on you.

At dehashed.com you can search for your physical address, email address, userid and/or phone number to see if they have been leaked in a data breach.

Why You Need to Make a 'When I Die' File - Before It's Too Late (August 2019). The article is about much more than computers, but serves as a reminder to plan, somehow, for the right people to obtain all your passwords when you are no longer around.

Can you tell if a website is legit? IS FTCCOMPLAINTASSISTANT.GOV LEGIT? I read an article that said victims of Identity Theft should go to ftccomplaintassistant.gov and I wondered if that site was legitimate. That is, is it really from the Federal Trade Commission, a division of the US Government? We have already seen that just having "FTC" in the name means nothing. The FTC has their own website at ftc.gov, so why the need for another domain name?
Instead of a new domain, they could (read: should) have used complaintassistant.ftc.gov or ftc.gov/complaintassistant. Both leave no doubt that they are from the FTC. One thing pointing to its being a scam is that the home page of ftc.gov has a link to identitytheft.gov for reporting identity theft. There is no link on the FTC home page to ftccomplaintassistant.gov. And, identitytheft.gov has its own assistant (identitytheft.gov/Assistant) which does not link to ftccomplaintassistant.gov.

Looking at the ftccomplaintassistant.gov site, the first thing to notice is that it does not have the extra identity assurance. If it is legit, that would be pretty ironic, eh? In techie terms, the site is Domain Validated (DV) rather than having Extended Validation (EV). All domains have to be registered and whoever pays for the registration can choose to make their identity public, or not. Looking up this information is called a Whois search and every company that registers domains offers a Whois search. However, this turned out to be a dead end. I could find no Whois information for any .gov websites.

A couple of things point to the site being legit. There is a page on ftc.gov with consumer information about Identity Theft and it has a link to "File a Consumer Complaint" that goes to ftccomplaintassistant.gov. And, while the home page of identitytheft.gov has no links to ftccomplaintassistant.gov, an examination of the underlying HTML (i.e. page source) showed that it pulls in a script from chat.ftccomplaintassistant.gov. So, is it legit? I would have to call the FTC on the phone and ask them. On a related note, ftccomplaintassistant.com is definitely bad news. That was an easy call.

READING LIST

How to tell real products from scams when shopping online. Washington Post (Oct 2021). A long list of ways to research the seller of a product.

What Are My Photos Revealing About Me? by Jon Keegan of The Markup (March 2020).
Along the same line: How a Photo's Hidden 'Exif' Data Exposes Your Personal Information by Thomas Germain of Consumer Reports (Dec 2019).

How to Lock Down Your Health and Fitness Data by David Nield of Wired (Nov. 2019). Covers FitBit, Apple Health, Google Fit and Strava.

Leo Notenboom on The One Thing Every Non-technical Person Needs to Know. Hard to pick just one thing, but he offers good advice.

Protecting Yourself from Identity Theft by Bruce Schneier (May 2019). No good news here. Quoting: "there's nothing we can do to protect our data from being stolen by cybercriminals and others." True, but nonetheless, an easy out for anyone too lazy to do the things suggested here.

How to Securely Get Rid of Your Devices by Lucian Constantin for Vice (Nov 2018). Covers phones, laptops, hard drives, SSDs. In some cases, data can not be securely wiped.

Hands off my data! 15 default privacy settings you should change right now by Geoffrey Fowler in the Washington Post (June 2018). Advice for Facebook, Google, Amazon, Windows 10 and Apple.

Give up your password or go to jail: Police push legal boundaries to get into cellphones (NBC News, June 2019). "... police need a warrant to search a cellphone, the question of whether police can force someone to share a passcode is far from settled, with no laws on the books and a confusing patchwork of differing judicial decisions."

Here's how to view, download, and delete your personal information online by Stan Horaczek (June 2019). Covers Instagram, Myspace, Apple, Google, Microsoft, Amazon, Snapchat, Twitter and data brokers.

The Operational Security website by Justin Carroll covers Digital Security, Privacy and Physical Security. Seems pretty good.

IoT devices are infamous for poor security. These articles offer advice before you buy: How to buy IoT gadgets sensibly (Tony Gee, May 2019) and How to buy smart - and secure - gadgets (Dan Seitz, March 2019).
Speaking of reading, be aware that much, if not most, of the security and privacy advice offered in the mainstream media is wrong. They hire reporters, not nerds. The New York Times, in particular, offers sub-optimal computing advice.

Slightly off topic: Safe Deposit Boxes Aren't Safe. New York Times (July 2019).

THE COMPETITION

Lots of other people and places offer Defensive Computing advice, though they don't call it that.

6 Things That Can Be Faked To Compromise Your Security is an 11 minute video by Gary Rosenzweig from MacMost.com (April 2021). Pretty good. Gary and Leo Notenboom expanded on the topic in episode 131 (April 2021) of their Tech Enthusiast Hour podcast. Recommended.

Surveillance Self-Defense from the Electronic Frontier Foundation is pretty big. But, it was funded by the Ford Foundation and the funding may have run out. The News section was last updated Nov. 2018. A couple of Windows 10 examples are based on Service Pack 1703. The oldest page I saw was last reviewed July 2018, the newest was Feb. 2021.

*Privacy Not Included evaluates the privacy of assorted products. From the Mozilla Foundation, the company behind Firefox.

Personal Security Checklist by Alicia Sykes. A curated checklist of 300+ tips for protecting digital security and privacy. Last update date is not obvious. Too bad it's on GitHub, which is not meant for non-techies.

Curated lists of tools, tips and resources for protecting digital security and privacy by Alicia Sykes. Part of the above list, I think.

Cyber security 101: Protect your privacy from hackers, spies, and the government by Charlie Osborne and Zack Whittaker of ZDNet. Very long. Been around for a couple of years, no change log. Last updated Dec. 2020.

Privacy Guides website PrivacyTools.io makes software recommendations. However, there is nothing on configuring the software. Continually updated.

Security Guide by Maciej Cegłowski. Very short.
Last updated April 2019.

Information security resources for laypeople by John Opdenakker is a list of sites competing with this site. This site is not included. Despite claiming that the list will be continually updated, the last update was Sept. 2019.

31 Days of Security by John Opdenakker (October 2019).

GetSafeOnline claims to be "the UK's leading source of unbiased, factual and easy-to-understand information on online safety." I heard a segment on BBC Radio 4 about two people in England who were scammed out of money in their bank accounts. Both were interesting and useful stories. This was followed by advice from GetSafeOnline and the advice was, in my opinion, bad. I would look elsewhere for advice. Compare their advice for being safe on Public Wi-Fi networks to mine.

Watch Your Hack, created by six professional hackers. More than just a checklist. Has a change log. Last updated Aug. 2021.

The Motherboard Guide to Not Getting Hacked. Very long, but now dated. The last update was Nov. 2018.

securityplanner.org from Citizen Lab is a very mixed bag. For example, they recommend the Chrome browser. And, their trust in HTTPS is dangerously mis-placed. And they suggest installing Windows bug fixes ASAP, which is clearly wrong. Last updated February 2020.

A Family Security and Privacy Review by Gabriel Fair. Last update Oct. 2020. Depressingly long list, just like this site. Just a checklist however, no additional information.

Digital Safety Kit for journalists from the Committee to Protect Journalists. Last Updated July 2019. This is much more a checklist than this site. In my opinion, the lack of context or background info makes these recommendations barely useful. The topic on encrypted email is really bad.

30 Day Security Challenge by Shannon Morse. Undated but sometime in 2017.

Security Planner from Consumer Reports was introduced in Oct. 2020. I am not impressed. For Windows, they suggest installing Windows bug fixes immediately, which is wrong.
For web browsers, they are fine with using Chrome; I am not. For file encryption they suggest using one of the two options built into Windows. To me, VeraCrypt is the better option. They buy into the cult of password manager software as the only solution for managing passwords. I strongly disagree. The advice seems to come from people who read about technology but are not actual computer nerds. I am a computer nerd.

From the New York Times: How to Protect Your Digital Privacy. Yuch. Don't ever take computing advice from the New York Times. Really. That there is no date on this article is your first clue.

Whew! Seems like a lot; it is a lot. All the credit/blame for this site falls on me, Michael Horowitz. If I left out anything important, or something is not clear, let me know at defensivecomputing -at- michaelhorowitz dot com.

This site is as clean as clean gets. There are no ads. There are no trackers. It does not set any cookies. None of the links here are affiliate links; I do not profit from this site in any way. No need to believe me. You can test for setting cookies at cookieserve.com. Here is a screen shot of the clean bill of health. You can also test at Blacklight, a website privacy inspector from The Markup. You can click here to run a live test of this site. For reference, here is a screen shot of a Blacklight scan from Sept. 23, 2020. If you see any ads here, something (your computer, browser or router) has been hacked.
Average Daily Page Views

April 2022: 328

Older months:
2022: March 320 | Feb 315 | Jan 368
2021: Dec 293 | Nov 411 | Oct 315 | Sept 290 | Aug 275 | July 214 | June 227 | May 282 | April 246 | March 332 | February 377 | January 337
2020: Dec 332 | Nov 318 | Oct 333 | Sept 279 | Aug 282 | July 258 | June 267 | May 317 | April 296 | March 303 | Feb 377 | Jan 212
2019: Dec 200 | Nov 180 | Oct 194 | Sept 178 | Aug 176

See the full Change Log (Updates made to this site). Last Updated May 15, 2022.

Website by Michael Horowitz @defensivecomput. Copyright 2019 - 2022