Frequent Hacks - How to Ensure 'Digital Hygiene' Implementation?

Original Author: @karpathy, Co-Founder of @EurekaLabsAI
Translation: zhouzhou, BlockBeats

Editor's Note: This article introduces some basic techniques to improve computer privacy and security, covering topics such as password managers, hardware security keys, disk encryption, biometrics, and other security measures. It recommends using security tools like 1Password, YubiKey, Signal, while emphasizing avoiding insecure smart devices, using privacy-focused browsers and search engines, and adopting VPNs and ad blockers. The article also suggests protecting personal information through virtual credit cards, email management, and network monitoring to achieve digital security.

The following is the original content (reorganized for readability):

Essentially, you can take some simple steps to improve your computer's privacy and security, and this article covers some of these.

From time to time, I am reminded of the vast fraud machinery of the internet, which reignites my pursuit of basic digital hygiene for everyday computer privacy/security. The problem starts with some major tech companies, which have the motivation to build a comprehensive profile of you to either monetize directly through ads or sell to professional data brokers who further enrich, de-anonymize, cross-reference, and resell the data.

Inevitable and frequent data breaches eventually aggregate your information into black-market archives, nurturing a vast underground spam/scam industry, including hacks, phishing attacks, ransomware, credit card fraud, identity theft, etc. This guide is a collection of some of the most fundamental digital hygiene tips, starting from the simplest and progressing to some slightly more nuanced suggestions.

Password Manager

Your password is your "first factor," i.e., "something you know." Do not foolishly set new, unique, complex passwords for every registered website or service. Combined with a browser extension, you can quickly create and autofill them. For example, I use and love 1Password. This helps prevent your passwords from being: 1) easy to guess or crack, and 2) once leaked, opening the doors to many other services. In return, we now have a central repository for all first factors (passwords), so it must be thoroughly protected, leading to...

Hardware Security Key

Your most critical services in life (e.g., Google or 1Password) must be further fortified with a "second factor," i.e., "something you have." Attackers must possess both of these factors to access these services. The most common second factor implemented by many services is a phone number, where theoretically, you receive an SMS with a PIN, entering which verifies you in addition to the password.

Obviously, this is much better than having no second factor, but using a phone number is known to be very insecure due to SIM card swap attacks. Basically, an attacker finds out that they can easily call your phone company, pretend to be you, and request them to switch your phone number to a new phone controlled by them. I know this sounds completely crazy, but it's true, and I have many friends who have been victims of this attack.

Therefore, buy and set up a hardware security key—an industrial-grade security standard. Specifically, I like and use YubiKey. These devices generate and store private keys on a secure element, so the private key never touches a general computing device like a laptop. Once you set up these devices, attackers not only need to know your password, but they also need to physically have your security key to log in to services.

Your risk is reduced by about 1000 times. Purchase and set up 2 to 3 keys and store them in different physical locations in case you lose one. Security keys support various authentication methods. Look for "U2F" in the second factor settings of your service for the strongest protection. For example, Google and 1Password support it. If you have to use "TOTP," note that your YubiKey can store TOTP private keys, so you can easily get the PIN code for login through NFC contact with your phone using the YubiKey Authenticator app.

This is much better than storing TOTP private keys in other (software) authentication apps because you should not trust general computing devices. This article is not intended to delve deep, but basically, I strongly recommend using 2-3 YubiKeys to significantly enhance your digital security.

Biometrics

Biometrics is the third common authentication factor ("who you are"). For example, if you are an iOS user, I suggest setting up Face ID almost everywhere, such as accessing apps like 1Password.

Security Questions. Dinosaur companies are obsessed with security questions (e.g., "What is your mother's maiden name?") and occasionally force you to set up these questions. Obviously, these questions fall into the "something you know" category, so essentially, they are passwords, but for scammers, these questions can be easily found on the internet, and you should refrain from participating in this absurd "security" practice. Instead, treat security questions like passwords, generate random answers for each question, and store them along with your password in your 1Password.

Disk Encryption. Always ensure that your computer uses disk encryption. For example, on Mac, this brain-dead simple feature is called "FileVault." This feature ensures that if your computer is stolen, attackers cannot access your data by taking out the hard drive.

Internet of Things

More like @internetofshit. Try to avoid using "smart" devices, which are essentially highly insecure, internet-connected computers that collect vast amounts of data, are frequently targeted by hackers, and yet people willingly place them in their homes. These devices have microphones, regularly send data back to the parent company for analysis to "improve customer experience," haha, yeah right. For example, in my young and naive days, I purchased a CO2 monitor from China that, before telling me the CO2 levels in the room, requested all my personal information and precise location. These devices are a massive privacy and security vulnerability and should be avoided.

Messaging. I recommend Signal over SMS because it encrypts all communications end-to-end. Additionally, it does not store metadata like many other apps (e.g., iMessage, WhatsApp). Turning on message disappearing (e.g., default 90 days is a good choice). In my experience, message disappearing is a privacy placebo with no significant benefit.

Browser. I recommend using the Brave browser, a privacy-first browser based on Chromium. This means almost all Chrome extensions work out of the box, the browsing experience is similar to Chrome, but without Google having a full grasp of your entire digital life.

Search Engine

I recommend Brave Search, which you can set as the default search engine in your browser settings. Brave Search is a privacy-focused search engine with its index, unlike DuckDuckGo, which is essentially a Bing skin and has to make some odd compromises with Microsoft compromising user privacy. Like all services on this list, I pay $3 a month for Brave Premium because I prefer to be a customer rather than the product in my digital life. By experience, I find that 95% of search engine queries are straightforward website searches. Search engines essentially act as a small-scale DNS. If you can't find what you're looking for, just add "!g" before your search query to be redirected to Google.

Credit Card

Fabricate a new, unique credit card for each merchant. There is no need to use the same credit card across multiple services, which would allow them to "associate" your purchasing behavior across different services, plus it increases the risk of credit card fraud as service providers might expose your credit card number. I like and use privacy.com to fabricate a new credit card for every transaction or merchant.

You can view all your expenses through a great interface and receive notifications for each card swipe. You can also set spending limits for each credit card (e.g., $50 per month), greatly reducing the risk of being charged unexpected fees. In addition, with privacy.com's cards, you can enter completely random names and addresses when filling out billing information. This is crucial because there is no need for those random online merchants to know your actual address. Next, let's talk about...

Address

Most random services and merchants do not need to know your actual address. Use a virtual mailbox service. I currently use Earth Class Mail, but to be honest, I am a bit hesitant, so I plan to switch to Virtual Post Mail because of its stronger commitment to privacy, security, ownership structure, and reputation. In any case, you can provide an address, they will scan and digitize the mail once received, and you can quickly view it through the application and decide how to handle it (e.g., destroy, forward, etc.). This way, you not only get security and privacy protection but also enjoy a considerable level of convenience.

Email

I still use Gmail because it is just too convenient, but I have also started using ProtonMail partially. Also, there are some thoughts on email. Never click on any links in the emails you receive. Email addresses are very easy to spoof, and you can never be sure if the email you received is a scam phishing email. Instead, I will manually enter any services of interest and log in from there.

Additionally, it is recommended to disable image loading in email settings. If you receive an email that requires viewing images, you can click "Display images" to view them, which is completely fine. This is important because many services track you by embedding images—they hide information in the image's URL, so when your email client loads the image, they can see if you opened the email. There is absolutely no need for this. Moreover, scammers often use obfuscated images to hide information and avoid being filtered as spam by email servers.

VPN

If you want to hide your IP or location, you can do so indirectly through a VPN. I recommend Mullvad VPN. I keep my VPN turned off by default, but I choose to turn it on when dealing with less trusted services to get more protection.

DNS-based ad blocker. You can block ads by intercepting entire domain names at the DNS level. I like and use NextDNS, which can block various ads and trackers. For advanced users who like to tinker, pi-hole is a physical alternative solution.

Network Monitoring

I like and use The Little Snitch, which is installed on my MacBook. This tool allows you to see which applications are communicating, the amount of data transferred, and when the transfers occur, helping you track which apps are "calling home" and understanding their frequency. If an app has excessive communication, that's suspicious, and it may need to be uninstalled unless you expect that kind of traffic.

I only aim for a secure digital life and seek to establish a harmonious relationship with products and services that only disclose necessary information. I am willing to pay for the software I use to motivate and align interests, ensuring that I am always a customer. It's not a small feat, but with determination and discipline, it can be achieved.

Original post link: Original Post Link