From zero to privacy hero
Obtain a proper level of privacy and security online with these five simple steps. It's easy, really!
Do you have a single, historical email that you've been using for 13 years to sign up for every social network, website, e-commerce platform, and account possible—always using the same password, which is a variation of the classic 'password123'?
Do you receive millions of spam emails from Nigerian princes and tax agency agents asking you to click on a phosphorescent green link? Do you catch a virus at least once a year that forces you to take your PC in for repair?
Or maybe you're just someone who wants to understand how to live in the digital world without getting scammed, but you don't feel like reading two hundred different guides?
Well, then maybe this is the article for you.
Before continuing, leave a like!
It's easy to talk about privacy…
It’s easy to talk about online privacy (is it even necessary to specify 'online'?), but the big problem is that achieving a minimum level of privacy requires some effort and work. The internet is not designed to guarantee any kind of privacy, and often the same can be said for the tools we use every day.
Taking the first step is often the hardest, but I assure you that once you move from 0 to 1, then it’s mostly downhill from there.
Many people believe that striving for online privacy is like putting a hood over your head, installing a Linux distro with some exotic, impossible-to-use name, and spending three hours to write an email. This causes a state of anxiety and frustration that pushes people to do nothing at all.
First of all, let's avoid hysteria. No—there are no criminal groups particularly interested in what you do, and no—the CIA, KGB, and FBI are not spying on you, at least not directly.
Having said that, the best way to approach the issue is to use the OpSec (operations security) methodology that can help us create our own threat model. That is, what I’ve already talked about here.
However, I realize that even talking about OpSec and threat modeling can be a barrier for those who are starting from absolute zero, so today I’ll strive to give some practical advice on how to get started.
From zero to (privacy) hero
I'll do the threat modeling scenario for you this time.
Let's assume that you're probably not at zero, but at -10. At a minimum, someone somewhere has stolen your email address and maybe some other type of data. Maybe there's also some malware on your PC because you like to download and click on any .exe within reach.
Assets to protect: personal information, contact data, communications.
Threats and adversaries: data breaches, malware, identity theft. In this case, the adversaries are criminal groups that exploit vulnerabilities on an industrial scale, trying to compromise information systems in bulk rather than targeting you specifically.
Vulnerabilities: reuse of email and passwords (even with the same combination), systems not updated and/or infected by malware, data and communications in clear text (not encrypted).
Risk: without precisely calculating, we can say that we are facing a medium risk: it is plausible that an adversary could exploit a vulnerability, but the consequences would generally be manageable in most cases. Among the consequences, we could include spam, social account theft, malware, fraud attempts.
Countermeasures: we’ll look at those together now…
Avoid spreading your personal emails
Your email address is your online alias. Even before being a tool for receiving messages, it is a way to create accounts and authenticate on thousands of different services, often very sensitive.
Having a compromised email address greatly increases the risk of violations and attacks (phishing, scam attempts, and viruses).
First, check if your email is compromised. To do this, visit haveibeenpwned.com and enter your email address in the text field. If the result looks something like this, you might have a problem:
You can do at least two things to greatly improve the situation:
It might be a good idea to discard the email address you have now. Consider a privacy-friendly provider, without tracking and profiling, like Tutanota or ProtonMail. Set aside about an hour of your time to update the email on your main accounts.
For the future, avoid registering on every silly site with your main email address. Instead, use a service like Anonaddy or SimpleLogin that allows you to create aliases to use instead of your real email, while still being able to receive communications and notifications.
By doing so, you will immediately and almost at zero cost have huge advantages, both in terms of risk (your email will be less exposed) and in terms of privacy, since your messages will not be tracked and profiled by Google and friends.
Use a password manager and an authentication app
The password is the only thing that separates your data and your life from the entire world. Once discovered, it’s game over. It’s worth paying attention, because I assure you that somewhere out there a bot is trying to crack one of your accounts right now. Something like password123 or p4sSwOrd123 can be cracked in about 0.02 seconds with today’s tools.
It would be better to avoid simple passwords like these and choose combinations that at least fall into the yellow zone of the matrix:
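To make the cracking-time claims above concrete, here is an added example (mine, not the author's) that estimates crack time two ways: a rule-based wordlist check, which is why password123 and p4sSwOrd123 fall in roughly the same instant, and pure brute force over the character classes used. It then generates a manager-style random password and reports its entropy in bits. The guess rate of 10^10 per second and the tiny wordlist are assumptions for illustration, not figures from the article.

```python
import math
import secrets
import string

# Constructed stand-in for a cracker's wordlist; real lists hold millions of leaked passwords.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "welcome"}
# Typical "leet" substitutions that cracking rules undo before comparing with the wordlist.
LEET = {"4": "a", "@": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

def wordlist_candidates(password):
    """Plain forms a rule-based cracker tries: lowercased, trailing digits/symbols dropped, leet undone."""
    lowered = password.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)  # "p4ssword123" -> "p4ssword"
    for base in (lowered, stripped):
        yield base
        yield "".join(LEET.get(ch, ch) for ch in base)

def in_wordlist(password):
    return any(candidate in COMMON_PASSWORDS for candidate in wordlist_candidates(password))

def charset_size(password):
    """Size of the smallest mix of character classes that covers every character."""
    size = 0
    if any(ch.islower() for ch in password):
        size += 26
    if any(ch.isupper() for ch in password):
        size += 26
    if any(ch.isdigit() for ch in password):
        size += 10
    if any(ch in string.punctuation for ch in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size

def assess(password, guesses_per_second=1e10):
    """Crack-time estimate: effectively instant if a wordlist rule hits, otherwise exhaustive brute force.
    guesses_per_second is an assumed rate for a GPU rig against a fast hash, not a measured figure."""
    if in_wordlist(password):
        return {"in_wordlist": True, "keyspace": 0, "seconds": 0.0}
    keyspace = charset_size(password) ** len(password)
    return {"in_wordlist": False, "keyspace": keyspace, "seconds": keyspace / guesses_per_second}

def generate_password(length=20):
    """What a password manager does: uniform random picks from all 94 printable ASCII characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return password, length * math.log2(len(alphabet))  # the password and its entropy in bits
```

Note that a charset-only estimate would credit p4sSwOrd123 with a 62^11 keyspace; the wordlist rule is what makes the real-world answer "instant".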
In this case, there are also very simple and useful countermeasures to take, which also greatly increase the quality of life:
Use a password manager, preferably not a cloud-based one, even though cloud ones are convenient. My favorite is KeePassXC, which can also be used on Android. The password manager can automatically create complex passwords for you and store them securely, so you don’t even have to remember them. Just copy and paste when needed.
Use an app for multi-factor authentication
This is probably the most important measure of all, and not using it in 2023 is foolish. Multi-factor authentication adds an extra layer of security when accessing online services: a temporary code displayed on a device that only you own, such as your smartphone. This means that if someone has the email and password for your home banking account, without that code they still can’t get in.
There are many to choose from, to suit all tastes, such as Authy or Aegis. Google Authenticator is also fine. However, I would avoid apps that require you to identify yourself and hand over personal data in order to enable cloud backups.
A good practice that applies both to passwords and other information that must remain secret, like the seed words of a Bitcoin wallet, is to never write them down in clear text nor online.
Avoid like the plague notes and various .txt files with passwords and seeds—and especially never store them in the Cloud, which is someone else’s PC.
Make backups and encrypt your hard disk
Make a backup of your PC’s data and settings periodically, so you don’t lose anything in case of problems and can get back a PC more or less identical to how you left it. The general system-level backup can be managed directly by Windows onto a separate storage drive, or you can do it in the Cloud on OneDrive.
Ideally, you should also make a periodic backup of your most important data and folders, so you always have a secure copy. My recommendation: encrypt every backup, especially if you decide to store copies in the Cloud, which is someone else’s PC. Encrypting data is very easy, and you can do it even with a simple .zip archive, which can encrypt files with AES-256. It takes very little and is not difficult: you just need to choose a password.
Finally, don’t forget to encrypt your hard disk if you travel frequently for leisure or work. Otherwise, in case of theft, it will be extremely easy to gain access to all your data (yes, even if your account has a login password). For Windows, you can use the integrated BitLocker solution, while for Linux you can use LUKS, which is also built in.
For Windows, activating BitLocker is very simple:
Open the Control Panel (you can search for it in the Start menu).
Click on "System and Security".
Click on "BitLocker Drive Encryption".
Choose the drive you want to encrypt and click on "Turn on BitLocker".
Follow the on-screen instructions to configure BitLocker. This will include choosing the method to unlock the drive at startup and how to back up the recovery key.
For Linux, unfortunately, it is necessary to reinstall the operating system, unless you activated disk encryption during installation (extremely simple for Ubuntu and other user-friendly systems, just select the option).
Use secure communication systems
Communications are perhaps the most important part of the information assets to protect. What you need to do first is understand that the messaging services integrated into social networks are not secure communication tools. In fact, they are tools directly monitored by law enforcement and intelligence, as has been demonstrated multiple times even with the Twitter Files.
The same goes for Instagram, Facebook, TikTok, and so on. Never spread sensitive information through these channels. The worst part? Soon they will be legally surveilled in broad daylight due to laws like Chatcontrol.
Better to prefer tools that encrypt communications, such as Signal or Telegram. There are also others, even better, but they are not widely used and it will be up to you to evaluate whether and how to use them. If you prefer Meta... even WhatsApp is encrypted end-to-end.
Minimize your exposure when browsing online
If you like to travel, or are one of those who like to work from the armchairs of Starbucks, then you should learn to use a VPN, a very useful tool for protecting your browsing data from prying eyes and from the security weaknesses typical of public networks like those of bars or hotels.
In addition, some VPNs have ad-blocking tools that can also help reduce the risk of catching malware while browsing.
It is also worth considering a VPN to reduce the exposure of our traffic data to state surveillance. You may not know it, but many governments require Internet and telephone providers to retain browsing data and keep it available to the authorities for very long periods, up to years.
You're almost there
By doing this, the risk of breaches of your data and accounts, of malware infections, or of suffering identity theft will decrease greatly. From there it will all be downhill.
The important thing is not to freak out and not go from one extreme to another. There’s always a trade-off between security and convenience, but there can be no security without convenience, because we all constantly seek what is easiest for us to do.
Now all you have to do is continue reading Privacy Chronicles and go down the rabbit hole.