Ask HN: Extremely easy steps towards extra security/privacy?
49 points by EduardoBautista 9 months ago | hide | past | web | 35 comments | favorite

1. LastPass / 1Password

2. AdBlocker Extension

3. Modify your /etc/hosts to block a lot of malicious sites.

4. Signup for https://haveibeenpwned.com/

5. VPNs on all wifis not your own.

6. 2-factor wherever you can. But also a place where you can print out your backup 2-factor keys, since losing your phone happens.

7. Have a email for newsletters/spam/signup, another that you use for friends.

8. Use credit cards that can generate on-demand numbers. I.e. both Bank of America and Citi let you generate one-time-use credit card numbers with set limits.

9. Signup (one time) with your credit cards to warn you for sudden changes in your credit score (ie. to prevent someone opening a loan in your name).

There's probably a lot more that I forgot I do ... it's amazing how little people do here.

1) Use Keepass [1] and sync (via Dropbox or Google Drive) from your PC to your smartphone. It is free, and remember that LastPass has been compromised already.

2) Do not bother with adblocker - instead use properly configured Chrome with javascript OFF by default, and ON only on trusted sites, use incognito mode, set your own DNS and 204 and some other settings, also use Decentraleyes extension and switch off remote fonts etc.

3) Use DNSCrypt whenever possible - on your home router if you can, and on RaspberryPI acting as a router when traveling.

4) Block malicious hosts, trackers, advertising etc. via /etc/hosts. Block all Facebook servers entirely. Block Gravatar and other trackers. Keep your own blacklist and whitelist.

This is better than adblock extensions in the browser because it can block tracking and advertising also on your tablets and iPhones.

Try using dnsmasq for caching and splitting DNS so queries for Apple, Google and AmazonAWS servers are geo-smart and the rest of the queries go to a DNSCrypt server in Iceland.

5) Set up your own VPN (you can get a VPS for that starting at $10 per year), possibly with Strongswan IKE, and use it on your mobile phone always ON. Your server should also use DNSCrypt and perhaps also act as your private DNS server.

6) Use Fastmail[2] and make use of email aliases. Fastmail has tons of various domains, so I have set up the alias me@nospammail.net and can use disposable addresses like first@me.nospammail.net, second@me.nospammail.net etc.

You will know who leaked your email address. You can block certain addresses easily.

7) Set text alerts for your card transactions over certain limit.

8) On Google, Microsoft and other important accounts, set a Pushover[3] email address for security alerts. You will receive immediate alerts via push on your phone.

[1]: https://en.wikipedia.org/wiki/KeePass

[2]: https://www.fastmail.com/

[3]: https://pushover.net/
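The comment above keeps its own blacklist and whitelist on top of a downloaded hosts-format list, and feeds the result either to /etc/hosts or to dnsmasq. As an added example (not code from the thread or from any of the projects named in it), this script merges such lists: it parses hosts-format lines, drops the localhost entries every such list carries, adds a personal blacklist, removes anything covered by a whitelist (exact name or any subdomain), and renders the result in both formats. The sample list and the .example domains are constructed.

```python
"""Merge a hosts-format blocklist with a personal blacklist/whitelist.

Constructed sample input; the hosts-format layout ("0.0.0.0 hostname") is
the one used by lists such as StevenBlack/hosts.
"""
import re

# Names every hosts file carries that must never be turned into block rules.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
               "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}
SINK_ADDRESSES = ("0.0.0.0", "127.0.0.1", "::1")
HOSTNAME_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$")

SAMPLE_UPSTREAM = """\
# constructed sample in hosts-list format (not a real list)
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # trailing comment
0.0.0.0 tracker.example.net pixel.example.net
0.0.0.0 cdn.gravatar.example
bogus line without address
"""

def parse_hosts_list(text):
    """Return the set of hostnames a hosts-format blocklist would sink."""
    names = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if fields and fields[0] in SINK_ADDRESSES:
            fields = fields[1:]  # everything after the sink address is a hostname
        for name in fields:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOSTNAME_RE.match(name):
                names.add(name)
    return names

def covered_by(name, domains):
    """True if name equals one of domains or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in domains)

def build_blocklist(upstream_text, own_blacklist, whitelist):
    """Upstream list + own blacklist, minus anything the whitelist covers."""
    names = parse_hosts_list(upstream_text) | {d.lower() for d in own_blacklist}
    return sorted(n for n in names if not covered_by(n, [w.lower() for w in whitelist]))

def render_hosts(names):
    return "\n".join(f"0.0.0.0 {n}" for n in names)       # lines for /etc/hosts

def render_dnsmasq(names):
    return "\n".join(f"address=/{n}/0.0.0.0" for n in names)  # dnsmasq address= rules

if __name__ == "__main__":
    print(render_dnsmasq(build_blocklist(SAMPLE_UPSTREAM, ["www.facebook.example"], ["pixel.example.net"])))
```

The dnsmasq form is what makes the same list apply to every device on the LAN, which is the point the comment makes about tablets and phones.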

While I don't think you're wrong that these are better solutions, I feel you missed the "Extremely easy" part. Keepass is significantly less user friendly than LastPass/1Password. VPSs can be very inaccessible for non-computer-savvy people also.

For simple, secure use (which is what we are talking about) there is little functional difference between Keepass and Lastpass.

> Do not bother with adblocker - instead use properly configured Chrome with javascript OFF by default, and ON only on trusted sites, use incognito mode, set your own DNS and 204 and some other settings, also use Decentraleyes extension and switch off remote fonts etc

All these same things except...not chrome. It is terrible for privacy. Use firefox with telemetry turned off, or perhaps waterfox, palemoon, or brave. Degoogled chromium may be ok but is not recommended.

> Set text alerts for your card transactions over certain limit

SMS is notoriously bad, and carriers can easily keep old messages. Don't recommend this.

For on-demand credit card generation, there's also privacy.com if you're in the U.S.

This is awesome! I haven't heard about this before. Thanks!

There is also Abine Blur (I just signed up today) which can be a password manager, email/phone alias/blocking manager, and has on demand credit card generation features.

Regarding #6, use Authy.

Does everything Google Authenticator does, but you can upgrade your phone and use other devices as backups (in case of device loss).

1Password can also do that, and then you don't need a second app if you decide to use it as a password manager.

This would make your wallet a single point of vulnerability. If someone gains access to your wallet, they would know your passwords and your 2FA tokens.

While it's certainly better than no 2FA, it's not as good as having the token and password in different places.

Please note though: The backup feature makes Authy vulnerable to phone porting attacks.

True, but it's optional. Their 'by default' options are pretty reasonable.

1.5. Use a separate browser for sensitive sites, e.g. banks. (possibly, avoid storing these passwords if you can)

I feel this is pretty simple, way simpler than many other recommendations here, and has its benefits especially for people that tend to browse without paying too much attention.

Regarding #3, I'd recommend https://github.com/StevenBlack/hosts/

Good list, 1, 5 and 6 will have the most impact.

Additionally, keep all your devices up to date with patches. Run windows update, update iOS/Android etc.

Use your own domain for your email and host it with ProtonMail.

If your primary email gets hacked and you're using your own domain, you can regain access to your online banking, utilities etc by moving your email address to another hosting provider via a few DNS changes. (Think about how password reset works).

It also protects you from google/hotmail/aol/yahoo shutting down your account.

Whenever you can, use cash instead of a credit card. Records of who buys what are more widely spread than I'm comfortable with. Also, there is a large risk that cash will be removed in the next one or two decades, and then all semblance of privacy re what we buy will be gone.

Surprised this hasn't been mentioned yet, but https://securityplanner.org/ is a great resource for exactly this.

It asks you a few easy questions (what device you use, what are you concerned about) and provides you with personalized advice along with ratings on how easy it is to setup (Setting up 2FA is easy v/s setting up a VPN is medium).

A list of all their recommendations is at https://securityplanner.org/#/all-recommendations, and they even offer printer-friendly versions you can use.

You can toggle the "quick-and-easy+free" fixes, which I'm listing:

1. Install HTTPS Everywhere

2. Use Chrome/Firefox

3. Privacy Badger

4. Security Checkups (Google/Facebook - Includes 2FA + More)

5. Password Alert

6. 2FA

7. Privacy Settings for online accounts

Go check it out for more detailed instructions.

> Use Chrome/Firefox

As I already recommended in another comment, Chrome is an INCREDIBLY BAD IDEA for privacy. Use ungoogled chromium if you need a Google-only site, otherwise just Firefox (with telemetry turned off).

Ditch and block Facebook and all related domains. Will likely increase your productivity.

Use a password manager. Use a VPN. Use Signal.

Any good reason to use Signal over Wire?

For me - just because I trust Moxie.

If your threat model includes state level actors - Wire's Swiss-based company might provide some protection over potential problems of Moxie and WhisperSystem being in the US - but if you're trying to protect against the NSA I hope you've got better sources of advice than an Ask HN...

As a "low hanging fruit" - any of Signal or Wire or maybe even WhatsApp are better than SMS or Google Chat... If your friend group has already chosen one of them - use that. If you get to choose, I'd recommend Signal - but not in a super strongly opinionated way.

Browser addons (if available):

* ublock origin (add reek anti-adblock or whatever the newest alternative to it is)

* refcontrol (firefox <=56 only, I use waterfox)

* umatrix

* privacy badger

* https everywhere

* cookie autodelete

Get a VPN

Use a browser that is not chrome, chromium, edge, IE, opera. Firefox (disable the firefox health report (FHR) and telemetry!!), waterfox, vivaldi, palemoon, brave, and degoogled chromium are ok.

Use a password manager, I recommend keepass.

Different passwords and usernames for every website. To make that easy you get a password manager. (pass, LastPass, etc, etc)

Some good suggestions. Don't forget to install extensions to block web based crypto mining.

This can be blocked by any regular content blocker, no need for a specialized extension. Also, by discriminating against alternatives to advertising you are helping the advertising industry.

if you have an extra raspberry pi laying around you can install an ad blocker for your entire network with pi-hole.

Or configure whatever caching DNS server you currently have installed on your LAN to do the same.

Oh, you don't have a DNS cache on your LAN? Strongly recommended for performance reasons, if not privacy as well. I don't remember what actual measurements I ended up with, but latency really hurts!

An alternative:

I run dnscrypt-proxy locally, encrypting (TLS) all my DNS traffic between me and OpenDNS, also giving me the option for my system resolver to give NXDOMAIN for any names on a local blacklist.

It was remarkably easy to set up, just install the package.

  $ cat /etc/dnscrypt-proxy/blacklist

Good suggestion. I sandwich Dnsmasq between applications and dnscrypt-proxy[1] because the OpenNIC anycast servers were too slow otherwise.

[1]: https://two-wrongs.com/secure-dns-on-a-laptop-with-debian.ht...

Install an ad blocker extension.

Install uBlock Origin ad blocker

uBlock and uMatrix for your browser, the most important things in your day to day security. As a bonus, throws off fingerprinting.
