How to Stay Safe Online: Tips for Personal Security

2023-04-202023-05-19VintaMisc

How to Stay Safe Online: Tips for Personal Security

env #security

How I learned to "start worrying" and love the illusion of feeling safe.

Digital security and privacy have become more important than ever. With cyber threats constantly evolving, it is crucial to stay up-to-date with best practices and take proactive measures to protect your online presence. This comprehensive guide covers a wide range of security and privacy recommendations for various platforms and scenarios, aiming to help you fortify your digital life.

General

Use a password manager: 1Password or Bitwarden.
- Never reuse passwords.
Don't store real passwords of critical accounts in password managers.
- Instead, store the password altered by a secret rule that only you know.
- Apply to accounts related to your real-world identity or money.
Avoid using your password manager to generate one-time password.
- Instead, use a separate authenticator app.
- Otherwise, it would become a single point of failure if compromised.
Use different emails and different passwords when registering services.
- Use a secure email provider if possible: Proton Mail.
Always enable 2FA, but avoid SMS-based 2FA when possible.
- Be aware of SIM swap attack.
- Use Yubikey.
Install any security updates as soon as possible.
Don't blindly click on any website you see in your Google search results; they could be scams!
- Instead, add your frequently visited websites to your bookmarks.
Do things that can ease your paranoia.
Read Personal Security Checklist.

Privacy

Read Awesome Privacy.
Read The Hitchhiker's Guide to Online Anonymity.

macOS

Use an application firewall and network monitor: Little Snitch.
Create separate browser profiles for different usages.
- One for daily activities.
- One for financing activities, and don't install any extensions other than the password manager for this profile.
- Use Incognito mode.
- Even better: use separate computers.
The fewer browser extensions installed, the better.
- Be aware of developers might sell their extension to someone else.
Disable all browser extensions when updating passwords.
Don't use any apps that can read your clipboard or what you type.
Don't use third-party input tools.
Automatically lock your screen when idle.
- System Settings > Lock Screen > Require password after screen saver begins or display is turned off
Set one of Hot Corners to "Lock Screen" and always trigger it when you're away from keyboard.
- System Settings > Desktop & Dock > Hot Corners
Disable AirDrop and Handoff.
- System Settings > General > Airdrop & Handoff > Off
Exclude sensitive folders from Spotlight.
- System Settings > Siri & Spotlight > Spotlight Privacy
Turn on FileVault which provides full disk encryption.
Power off your computer when not in use, in order for the disk to be encrypted.
Use Dangerzone if you are working with PDFs.
Use an ad blocker: uBlock Origin.
Read macOS Security and Privacy Guide.

iOS

Change the default PIN of your SIM card.
- Settings > Cellular > SIM PIN > Change PIN
Disable Predictive Text.
- Settings > General > Keyboards > Predictive
- Settings > General > Transfer or Reset iPhone > Reset > Reset Keyboard Dictionary
Don't use third-party keyboard apps.
Turn off AirDrop.

Crypto

For large amounts of assets, always store them in hardware wallets or multisig wallets.
Use multiple hardware wallets from different vendors; don't put all your eggs in one basket.
- Some should only hold assets and never interact with DeFi apps.
- Some are used for trading or DeFi stuff.
- Or use an old phone to create wallets, and NEVER connect it to the Internet.
Write your seed phrases on paper or metal, and store them in a (physical) safe.
- Modify the seed phrase with a secret rule that only you know.
- Keep at least 2 copies in different locations.
- Never store a hardware wallet's seed phrase digitally, NEVER.
Verify backups of your seed phrases every 6 months.
Use multisig wallets, such as Gnosis Safe.
Only store a small amount of assets in hot wallets.
- If you follow this rule, it might be acceptable to store the seed phrase in a password manager.
- Furthermore, encrypt the seed phrase before storing it.
Rotate your hot wallets regularly.
When transferring tokens to a new address, always send a small amount first, and make sure you can transfer out.
- It may waste gas, but it's better than losing funds.
Add addresses to contacts or whitelists.
Always approve tokens with the exact amount, never use type(uint256).max.
- It may waste gas, but it's better than losing funds.
Always check the slippage setting before swapping.
Review your token approvals regularly: Revoke.cash.
Signing could be dangerous.
- If it's a clear, human-readable message, it's probably safe to sign.
- If it contains a large amount of data, read carefully before signing.
- Especially, there are "permit" signatures.
Use browser extensions or wallets that can simulate transactions.
Learn to decode a transaction.
- Search the first 10 characters on Ethereum Signature Database
- Simulate the transaction raw data on Tenderly.
Use Etherscan's Watch List to monitor your account activities.
Website (domain or frontend code) can be hacked, even if smart contracts are secure.
Read Blockchain Dark Forest Selfguard Handbook.
Read officercia.eth's articles.

Developer

Always create API keys with minimum permissions.
Create distinct API keys for different purposes, services, or machines.
Sign your Git commits.
If you're unsure, run the program or script inside a non-root container.
The fewer IDE/editor plugins installed, the better.
Enable GitHub Copilot only for specific languages or files.
- Especially, disable it for .env files or any file types that may contain sensitive data.

Wi-Fi

Always change the default password of your router or IoT devices.
Keep your router firmware up-to-date.
Only use WPA3-Personal.
Avoid using public Wi-Fi.

Physical

Cover your laptop's camera with a sticky note.
Be cautious when plugging USB devices into your computer.
Be vigilant for keyloggers.
- Bring your own keyboard and USB hub when necessary.
Shred or redact sensitive documents.
- Instead of simply disposing of them in the trash.
Don't reveal information during "inbound" calls.
- Only share sensitive data during outbound calls or communications that you initiate.
Use a certified and well-protected extension cord.
Get fire and earthquake insurance for your house.

你都去哪裡看技術文章？

2015-09-012019-10-22VintaMisc

因為前陣子跟朋友們一起弄了一個技術週刊：CodeTengu Weekly 碼天狗週刊，每個禮拜在考慮要放哪些內容的時候，突然覺得：「你都去哪裡看技術文章？」或許也會是個有價值而且實用的主題，所以乾脆就來跟大家分享一下，我覺得不錯的每日資訊來源。

你可以訂閱的週報

五花八門

CodeTengu Weekly - 內容包含 Web 前端後端、Mobile app 開發、DevOps、機器學習
Hacker Newsletter - Hacker News 的每週精華版
码农周刊 - 开发者头条的每週精華版
湾区日报 - 講技術的部分其實不多，大部份說的是創業、管理、UX 之類的主題

程式語言

資料庫

DevOps

Machine Learning

你可以瀏覽的網站

如果要推薦值得一看的網站或網誌，說八年都說不完，而且現在大家也都不用 RSS reader 了（真的很可惜，明明就很方便），這裡就只提幾個「內容聚合網站」（news aggregator）。你可以在這些網站上 follow 特定的主題，例如 Python、Golang、Apache Cassandra、Docker 之類的，他們就會自動把相關的文章推送給你，比較特別的是，網站還會根據你的個人喜好和你在 Twitter 上關注的對象來調整推送給你的內容。

我最早用過這一類的服務是 Zite，但是直到它老是推薦「印度一條六公尺的巨蟒（Python）吞食了一個人類小孩」的新聞給我之後，我就把它刪掉了。雖然說 Zite 已經被收購，整合進 Flipboard 裡，但是我已經對它沒信心啦。

2015.09.06 更新：

你可以關注的人

以下列出的是許多喜歡在 Twitter 上分享技術文章而且推文頻率又比較高的開發者：

出沒於 Twitter

@vinta - 像這樣幽默又率性的 developer 在這個世道也是不多的，大家可以關注一下
@codetengu - 碼天狗的推特帳號
@c9s
@caterpillar
@dlackty
@Evan_Lin
@ferrari_tw
@fukuball
@gslin
@honglong0420
@hiroshiyui
@hsatac
@ihower
@ingramchen
@jaceju
@jserv
@kakashiliu
@keitheis
@lovecankill
@othree
@pahudnet
@ruanyf
@saiday
@siuying
@timdream
@tzangms
@uranusjr
@WanCW
@william_yeh
@yorkxin
@zmx

出沒於 Facebook

陳上進 - 是的，就是這篇文章的作者本人
CodeTengu 碼天狗 - 碼天狗的 Facebook Page
Ant Yi-Feng Tzeng
Chia-liang Kao
Ian Tsai
Mosky Liu
Will Huang

Computer Names for Sci-Fi Maniac Developers

2015-06-182023-05-19VintaMisc

The list is collected from books I read, movies I watched, and video games I played.

ADA (from Zone of the Enders: The 2nd Runner)
Albedo (from Hyperion) --> used for one of my code projects
Asurada (from Future GPX Cyber Formula)
BrainPal (from Old Man's War)
ctOS (from Watch Dogs)
Deep Thought (from The Hitchhiker's Guide to the Galaxy)
Eddie (from The Hitchhiker's Guide to the Galaxy)
EDI (from Mass Effect) --> used for one of my code projects
EVA-00 (from Neon Genesis Evangelion)
EVA-01 (from Neon Genesis Evangelion)
EVA-02 (from Neon Genesis Evangelion)
Fine Till You Came Along (from Culture: Look to Windward)
GERTY 3000 (from Moon)
GLaDOS (from Portal)
HAL 9000 (from 2001: A Space Odyssey) --> used for one of my code projects
Jane (from Ender's Game: Speaker for the Dead) --> used for My AirPods
JARVIS (from Iron Man)
KOS-MOS (from Xenosaga)
Limiting Factor (from The Culture: The Player of Games)
MAGI (from Neon Genesis Evangelion) --> used for my iPad
Melchizedek (from Gunnm Last Order)
Mike (from The Moon Is a Harsh Mistress)
Of Course I Still Love You (from The Culture: The Player of Games)
Pip-Boy 3000 (from Fallout) --> used for my iPhone
Project 2501 (from Ghost in the Shell)
Samantha (from Her)
Skynet (from The Terminator)
SAL-9000 (2010: The Year We Make Contact)
Sol-9000 (from Xenogears)
Sophon (from The Three-Body Problem)
Tachikoma (from Ghost in the Shell)
TARS (from Interstellar)
TechnoCore (from Hyperion) --> used for my Macbook Pro
Ummon (from Hyperion) --> used for one of my code projects
VIKI (from I, Robot)
Wheatley (from Portal)

ref:
https://en.wikipedia.org/wiki/List_of_fictional_computers
https://en.wikipedia.org/wiki/Artificial_intelligence_in_fiction