Security: Seat belts, Sunscreen and Smoke Detectors
When you first start to dig into the dark realms of computer security, it’s easy to go down a rabbit hole. There are lots of things that could go wrong, at least theoretically. It can be overwhelming, but it doesn’t have to be. Before you spend a lot of time and money on security, take the time to stop and assess your personal situation. That is, before you can choose a solution, you need to first understand the problem. In cybersecurity terms, you need to determine your threat model.
What is it that you need to protect? Who or what are you trying to protect it from? And what are the likely consequences of failure? Most people (at least in the Western world) do not have to worry about state-sponsored attackers, foreign or domestic. And unless you are rich or famous, you are not likely to be targeted (specifically) by hackers.
That means that your threats are most likely broad-spectrum, opportunistic attacks. You don’t need to be the fastest antelope in the herd, you just need to avoid being the slowest. And again, if you’re like most people, then the assets you need to protect are mundane: online accounts, a computer, a smartphone, your home network, and personal information that might be used to steal your identity.
Thankfully, there are many simple steps you can take to protect these things - most of which are free or fairly easy to do. Think of it like wearing a seat belt, putting on sunscreen and installing smoke detectors in the real world. Now you need to implement the same sorts of protections in the virtual world. And thankfully there are many great software solutions to help - most of them free and many open source.
So, let’s pick some of the tastiest, low-hanging security fruit!
Step One: Backup Everything
Any important files that you can’t replace need to have backups (plural). This includes documents, photos, home videos, ripped movies and music, and any other data that you can’t recreate easily. Follow the 3-2-1 backup rule: 3 copies of each file (the original and two copies), 2 different types of backup media, and 1 of which must be offsite. I would use an external hard drive plus a cloud backup service. This covers all the 3-2-1 criteria.
For local drive backups, I would use Time Machine on Mac, File History on Windows, and Cronopete or Timeshift for Linux. For cloud backup, iDrive and Backblaze work for all three platforms.
Step Two: Clean Up & Update
Once you have everything backed up, you should channel your inner Marie Kondo and get rid of any applications and files you no longer need. (If you screw up, you can restore from backup. That’s why backing up is Step One!) The less you have to maintain, the better off you will be - there’s less data to lose and a smaller attack surface. (We’re focusing on computers here, but you should also remove apps from your mobile devices that you no longer use, as well.)
Whatever software is left when the dust settles, get it updated. Bugs are found and fixed all the time - and bad guys love to exploit devices that aren’t patched. Set your operating system settings to automatically update and use the Apple and Microsoft app stores to keep your applications updated.
On Linux, how you manage software updates depends on which distro you’re using and whether you prefer to use the command line or a graphical tool. This article explains how to use the command line to set up automated, unattended updates for most popular distros.
Step Three: Manage Your Passwords
You shouldn’t know any of your passwords. Seriously, if you can remember them, then hacker tools can probably guess them. All of your online accounts should have long, random and unique passwords. The only way to do that properly is by using a password manager. A good password manager will generate strong passwords, store them securely, and provide client software to automatically fill them in for you. While some people cringe at the thought of storing their password vaults in the cloud, if you have more than one device (think computer and smartphone), you really need a way to synchronize your passwords. While you can try to manage this manually, I recommend that most people use a cloud-based service like Bitwarden or 1Password. (There are some interesting ways to make this more secure.) You can use password managers to store all sorts of other confidential information, as well.
Unfortunately, strong passwords aren’t enough today. You need a belt-and-suspenders approach - that is, you need defense in depth. Adding an additional layer of security to your most important accounts is crucial. You need to use two-factor authentication (2FA) - sometimes referred to as multi-factor authentication (MFA). Use free apps like Authy, Aegis or Raivo to manage your account codes.
One last note: keep an eye on passkey authentication. This “passwordless” technology can replace standard passwords and has several advantages. It will be rolling out over the next few years.
Step Four: Check Your Privilege
There’s a reason that intelligence agencies operate on a “need to know” basis. Benjamin Franklin was once quoted as saying “three men can keep a secret, if two of them are dead”. In the security world, this is called the principle of least privilege. We can apply this in two main ways to our digital lives.
First, you should limit your main account’s privileges. Remember that whatever you can do, malware can do, too. If you manage to get infected, the virus or ransomware will be able to do a lot more damage if it’s running with administrator or root privileges. On a Mac or Windows computer, this is accomplished by having at least two login accounts: a regular, “daily driver” account with normal permissions and an administrator account with full permissions. On Linux, you should disable the root (administrator) account and just use sudo to manage admin tasks. (If you’re operating a Linux server, you should also disable remote password-based logins in favor of SSH keys.)
Second, you should review all the permissions you’ve granted to your operating system and installed applications. You should be very careful sharing personal information like contacts, location, pictures and documents. You should restrict access to your camera and microphone, too. Finally, be wary of any application that wants access to “accessibility” features, which can be used to control your computer in weird ways and bypass security protections.
Going Further
This is, of course, just the tip of the iceberg. You should be using a privacy-respecting web browser like Firefox or Brave, enabling your built-in software firewall like UFW, hardening your home network, using secure message apps like Signal, and perhaps using a network monitor like Portmaster. I wrote a whole book on the basics of computer security and data privacy called Firewalls Don’t Stop Dragons, based on the analogy of protecting a medieval castle.
The instructions are targeted at non-Linux systems, but the explanations of security and privacy concepts are universal. It contains over 200 tips to protect your devices and data. I have a weekly podcast of the same name where I cover recent cybersecurity and surveillance topics, including interviews with top experts. And if that’s not enough, I have a biweekly blog and newsletter, as well.
If you have your own digital house in order, you should seriously consider helping others to do the same. Security and privacy are not just “me” things - they’re very much “we” things, too. If your devices are hacked, those around you will also be at risk. If your data leaks, it almost surely includes information about your friends and family, too.