How to Stay Safe Online: Tips for Personal Security

How to Stay Safe Online: Tips for Personal Security

How I learned to "start worrying" and love the illusion of feeling safe.

Digital security and privacy have become more important than ever. With cyber threats constantly evolving, it is crucial to stay up-to-date with best practices and take proactive measures to protect your online presence. This comprehensive guide covers a wide range of security and privacy recommendations for various platforms and scenarios, aiming to help you fortify your digital life.

General

  • Use a password manager: 1Password or Bitwarden.
    • Never reuse passwords.
    • Use strong passwords, at least 18 characters long.
  • Don't store real passwords of critical accounts in password managers.
    • Instead, store the password altered by a secret rule only you know.
    • Apply to accounts related to your real-world identity or money.
    • Cloud-based password manager could be hacked too, e.g. LastPass.
  • Use different emails and different passwords when registering services.
  • Avoid using your password manager to generate one-time password.
    • Instead, use a separate authenticator app: Yubico Authenticator.
    • Otherwise, the password manager would become a single point of failure if compromised.
  • Always enable 2FA (or MFA), but avoid SMS-based 2FA if possible.
    • Be aware of SIM swap attack.
    • Even you don't use SMS-based 2FA, your phone number might be used as a "Recovery Method".
    • Turn off "Cloud Syncing" feature if you're using Google Authenticator.
    • Write down backup codes on paper and store them in a safe.
  • Always use HTTPS.
  • Use Passkey or security keys.
    • You could use your Mac/iOS/Android devices or YubiKey.
  • Don't provide real personal information to any cloud service if possible.
  • Install any security updates as soon as possible.
  • Don't blindly click any link you see in your emails or search results; they could be scams!
    • Instead, add your frequently visited websites to your browser bookmarks.
  • Carefully review requested permissions when you connect third-party apps to your Google, Twitter, Discord, or other critical accounts.
  • Regularly review authenticated devices or sessions of your critical accounts.
    • Revoked them if you're not sure what they are.
    • Explicitly logout after finishing your operations.
  • Do things that can calm your anxiety.
  • Read Personal Security Checklist.
  • Read An ultimate list of rules any on-chain survivor should follow to stay safe.

Privacy

macOS

  • Use an application firewall and network monitor: Little Snitch.
  • Turn on Firewall
    • System Settings > Network > Firewall > Options > Block all incoming connections
  • Turn on FileVault which provides full disk encryption.
    • System Settings > Privacy & Security > FileVault
  • Power off your computer when not in use, in order for the disk to be encrypted.
  • Automatically lock your screen when idle.
    • System Settings > Lock Screen > Require password after screen saver begins or display is turned off
  • Set one of Hot Corners to "Lock Screen" and always trigger it when you're away from keyboard.
    • System Settings > Desktop & Dock > Hot Corners
  • Disable AirDrop and Handoff.
    • System Settings > General > Airdrop & Handoff
  • Exclude sensitive folders from Spotlight.
    • System Settings > Siri & Spotlight > Spotlight Privacy
  • Don't use any apps that can read your clipboard or what you type.
  • Don't use third-party input tools if possible.
  • Create separate browser profiles for different usages.
    • One for daily activities.
    • One for financial activities, don't install any extensions other than the password manager for this profile.
    • Use Incognito mode.
    • Even better: use separate computers.
  • The fewer browser extensions installed, the better.
    • Carefully review requested permissions when installing/upgrading browser extensions.
    • Be aware of developers might sell their extension to someone else.
  • Use Dangerzone if you are working with PDFs.
  • Use an ad blocker: uBlock Origin.
  • Read macOS Security and Privacy Guide.

iOS

  • Enable Data Protection (Erase all data after 10 failed passcode attempts).
    • Settings > Touch ID & Passcode > Erase Data
  • Change the default PIN of your SIM card.
    • Settings > Cellular > SIM PIN > Change PIN
  • Disable Predictive Text.
    • Settings > General > Keyboards > Predictive
    • Settings > General > Transfer or Reset iPhone > Reset > Reset Keyboard Dictionary
  • Turn off AirDrop.
  • Don't use third-party keyboard apps.
    • These apps will be able to access everything you type: passwords, messages, search terms, etc.
  • Restart your device regularly, ex: once a week.
  • Rapidly press the side button 5 times to enter Emergency SOS mode when needed.
    • Under Emergency SOS mode, your passcode is required to re-enable Touch ID or Face ID.
    • Use it when your device is about to be taken away.
  • Read Telegram & Discord Security Best Practices.
  • Read Privacy Guides - iOS Overview.

Crypto

  • For large amounts of assets, always store them in hardware wallets or multisig wallets.
  • Use multiple hardware wallets from different vendors; don't put all your eggs in one basket.
    • Some should only hold assets and never interact with DeFi apps.
    • Some are used for trading or DeFi stuff.
    • Or use an old phone to create wallets, and NEVER connect it to Internet.
  • Use hardware wallet's hidden wallet with passphrase.
  • Write your seed phrases on paper or metal, and store them in a physical safe.
    • Modify the seed phrase with a secret rule only you know.
    • Keep at least 2 copies in different locations.
    • Never store a hardware wallet's seed phrase digitally, NEVER.
  • Verify backups of your seed phrases every 3 months.
  • Use multisig wallets: Gnosis Safe.
  • Only store a small amount of assets in hot wallets.
    • If you follow this rule, it might be acceptable to store the seed phrase in a password manager.
    • Furthermore, encrypt the seed phrase before storing it.
  • Rotate your hot wallets regularly.
  • When transferring tokens to a new address, always send a small amount first, and make sure you can transfer out.
    • It may waste gas, but it's better than losing funds.
  • Add addresses to contacts or whitelists.
  • Always approve tokens with the exact amount, never use infinite (type(uint256).max) approval.
    • It may waste gas, but it's better than losing funds.
  • Always check the slippage setting before swapping.
  • Review your token approvals regularly: Revoke.cash.
    • Before revoking an approval, you should check the original approve() tx is initiated by you.
    • Attackers can create a fake ERC-20 token and set allowance for you.
  • Signing could be dangerous.
    • If it's a clear, human-readable message, it's probably safe to sign.
    • If it contains a large amount of data, read carefully before signing.
    • If the message starts with 0x, just don't sign.
    • Especially, there are "permit" signatures.
  • Use browser extensions or wallets that can simulate/preview transactions.
  • Learn how to decode a transaction.
  • Use Etherscan's Watch List to monitor your account activities.
    • Though the notification might be a bit delayed, it's not real-time.
  • Website (domain or frontend code) can be hacked, even if smart contracts are secure.
  • Read Blockchain Dark Forest Selfguard Handbook.
  • Read officercia.eth's articles.

Developer

  • Always create API keys with minimum permissions and set a short expiration time if possible.
  • Create distinct API keys for different purposes, services, or machines.
    • Deactivate the API key if you're not using it.
  • If you're unsure, run the program inside a non-root Docker container.
  • The fewer IDE/editor plugins installed, the better.
  • Enable GitHub Copilot only for specific languages or files.
    • Especially, disable it for .env files or any files that may contain sensitive data.
  • Sign your Git commits.

Wi-Fi

  • Always change the default username/password of your router or IoT devices.
  • Keep your router firmware up-to-date.
  • Only use WPA3-Personal or higher.
  • Disable remote access on your router.
    • If you really want to visit your router's management console through Internet, set IP whitelist at least.
  • Disable WPS (Wi-Fi Protected Setup) which is vulnerable to brute-force attack.
  • Avoid using public Wi-Fi.

Physical

  • Cover your laptop's camera with a sticky note.
  • Be cautious when plugging USB devices into your computer.
    • Don't charge devices from your computer if possible.
  • Be vigilant for key loggers.
    • Bring your own keyboard and USB hub when necessary.
  • Shred or redact sensitive documents.
    • Instead of simply disposing of them in the trash.
  • Don't reveal information during "inbound" calls.
    • Only share sensitive data during outbound calls or communications that you initiate.
  • Use a certified and well-protected extension cord.
  • Get fire and earthquake insurance for your house.
你都去哪裡看技術文章?

你都去哪裡看技術文章?

因為前陣子跟朋友們一起弄了一個技術週刊:CodeTengu Weekly 碼天狗週刊,每個禮拜在考慮要放哪些內容的時候,突然覺得:「你都去哪裡看技術文章?」或許也會是個有價值而且實用的主題,所以乾脆就來跟大家分享一下,我覺得不錯的每日資訊來源。

你可以訂閱的週報

五花八門

程式語言

資料庫

DevOps

Machine Learning

你可以瀏覽的網站

如果要推薦值得一看的網站或網誌,說八年都說不完,而且現在大家也都不用 RSS reader 了(真的很可惜,明明就很方便),這裡就只提幾個「內容聚合網站」(news aggregator)。你可以在這些網站上 follow 特定的主題,例如 Python、Golang、Apache Cassandra、Docker 之類的,他們就會自動把相關的文章推送給你,比較特別的是,網站還會根據你的個人喜好和你在 Twitter 上關注的對象來調整推送給你的內容。

我最早用過這一類的服務是 Zite,但是直到它老是推薦「印度一條六公尺的巨蟒(Python)吞食了一個人類小孩」的新聞給我之後,我就把它刪掉了。雖然說 Zite 已經被收購,整合進 Flipboard 裡,但是我已經對它沒信心啦。

2015.09.06 更新:

你可以關注的人

以下列出的是許多喜歡在 Twitter 上分享技術文章而且推文頻率又比較高的開發者:

出沒於 Twitter

出沒於 Facebook

MkDocs: Deploy your Markdown documents on GitHub Pages

MkDocs: Deploy your Markdown documents on GitHub Pages

MkDocs is a static site generator that builds modern webpages based on your Markdown documents and a simple YAML file.

ref:
https://www.mkdocs.org/

Here is the website which is generated by MkDocs in this post:
https://awesome-python.com/
https://github.com/vinta/awesome-python

Installation

$ pip install mkdocs

Configuration

in mkdocs.yml

site_name: Awesome Python
site_url: https://awesome-python.com
site_description: A curated list of awesome Python frameworks, libraries and software
site_author: Vinta Chen
repo_name: vinta/awesome-python
repo_url: https://github.com/vinta/awesome-python
theme:
  name: material
  palette:
    primary: red
    accent: pink
extra:
  social:
    - type: github
      link: https://github.com/vinta
    - type: twitter
      link: https://twitter.com/vinta
    - type: linkedin
      link: https://www.linkedin.com/in/vinta
google_analytics:
  - UA-510626-7
  - auto
extra_css:
    - css/extra.css
nav:
  - "Life is short, you need Python.": "index.md"

There are more themes:

in Makefile

site_install:
    pip install -r requirements.txt

site_link:
    ln -sf $(CURDIR)/README.md $(CURDIR)/docs/index.md

site_preview: site_link
    mkdocs serve

site_build: site_link
    mkdocs build

site_deploy: site_link
    mkdocs gh-deploy --clean

Custom Domain for GitHub Pages

in docs/CNAME

awesome-python.com

After deploying your GitHub Page, just pointing your domain to following IPs with DNS A records:

  • 185.199.108.153
  • 185.199.109.153
  • 185.199.110.153
  • 185.199.111.153

ref:
https://help.github.com/articles/setting-up-an-apex-domain/#configuring-a-records-with-your-dns-provider
https://help.github.com/articles/troubleshooting-custom-domains/#https-errors

Automatic Deployment Via Travis CI

You need to

language: python

python:
  - "3.6"

script:
  - cp README.md docs/index.md
  - mkdocs build

deploy:
  provider: pages
  local-dir: site
  skip-cleanup: true
  keep-history: true
  github-token: $GITHUB_TOKEN
  on:
    branch: master

ref:
https://docs.travis-ci.com/user/deployment/pages/

Upload your Java Artifacts to Maven Central Repository

Upload your Java Artifacts to Maven Central Repository

你需要:

  1. 一個使用 Maven 管理的 Java project(廢話)
  2. 一個 GPG key(deploy 的時候會用來 sign 要提交的 .jar)
  3. 一個 Sonatype JIRA 的帳號
  4. 開一張 JIRA 的 ticket 告訴 Sonatype 的人你要發佈 library,告知他們你的 groupId
  5. 按照 Requirements 的指示完善你的 pom.xml
  6. deploy 到 snapshot repository
  7. deploy 到 staging repository
  8. 在 OSSRH 的 Staging Repositories 把你剛剛 deploy 的 library 給 close 掉,這樣才算是 release
  9. 回到那張 ticket,通知 Sonatype 讓他們把你的 library 同步到 Maven Central Repositir

最後一個步驟只有第一次 release 的時候才需要
之後 release 就會自動同步了

Requirements

http://maven.apache.org/guides/mini/guide-central-repository-upload.html
http://central.sonatype.org/pages/requirements.html
http://central.sonatype.org/pages/ossrh-guide.html
http://central.sonatype.org/pages/apache-maven.html
http://central.sonatype.org/pages/releasing-the-deployment.html

參考 Pangu.java 的 pom.xml
https://github.com/vinta/pangu.java/blob/master/pom.xml

Deployment

You need following plugins:

  • maven-source-plugin
  • maven-javadoc-plugin
  • maven-gpg-plugin
  • nexus-staging-maven-plugin
  • maven-release-plugin

deploy 之前
必須確定你的 local 的程式碼跟 scm 的程式碼是同步的
如果你要發布 1.0.0 版本的話
你的 pom.xml 裡要寫 1.0.0-SNAPSHOT
然後執行:

# deploy to snapshot repository
$ mvn clean deploy

你可以在 https://oss.sonatype.org/ 搜尋到
SNAPSHOT 版本測試都沒問題之後(當然你要先設定讓 Maven 能夠下載 SNAPSHOT 版本的 libraries)
就可以正式 release 了:

# cleanup for the release
$ mvn release:clean

# 要回答一些關於版本號的問題
# 它會自動幫你新增一個 tag 並且把 pom.xml 裡的 `<version>` 改成下個版本
$ mvn release:prepare

# deploy to staging repository
# 然後 Maven 會把上一步新增的 git tag 和 pom.xml 的變更直接 push 到 GitHub
$ mvn release:perform

Maven 會自動在 library 進到 staging repository 的時候把 -SNAPSHOT 字串拿掉

(第一次 release 才需要以下的動作)

然後你就可以在 https://oss.sonatype.org/#stagingRepositories
找到你剛剛 deploy 的 library
通常長得像是 wsvinta-1000(前面是 groupId)
要把它 close
然後再 release

除了第一次 release 要去 ticket 留言之外
之後 release 就會自動同步到 Maven Central Repository
不過通常會需要等一陣子才會在 Maven 上看到

ref:
http://dev.solita.fi/2014/10/22/publishing-to-maven-central-repository.html
http://lkrnac.net/blog/2014/03/deploy-to-maven-central/
http://kirang89.github.io/blog/2013/01/20/uploading-your-jar-to-maven-central/
http://superwang.me/2014/03/22/publish-your-library-to-maven-central-repository-part-1/
http://www.kongch.com/2013/05/deploy-to-central-repo/

如果你在 release 的過程中出了錯
要重新 release 的話
你得 revert 你的 git commit 到執行 mvn release:prepare 之前
然後再重新跑一次

Maven: The De Facto Build Tool for JVM Projects

Maven: The De Facto Build Tool for JVM Projects

Install

# on Mac OS X
$ brew install maven
$ brew install maven-completion

ref:
https://maven.apache.org/index.html

Commands

# create project: interactive mode
$ mvn archetype:generate \
-DarchetypeArtifactId=maven-archetype-quickstart \
-DinteractiveMode=true

# create project: non-interactive mode
$ mvn archetype:generate \
-DarchetypeArtifactId=maven-archetype-quickstart \
-DinteractiveMode=false \
-DgroupId=ws.vinta.pangu \
-DartifactId=pangu

# download dependencies
$ mvn dependency:copy-dependencies

# download dependencies to a specific directory
$ mvn dependency:copy-dependencies -DoutputDirectory=jars

# analyze unused dependencies
$ mvn dependency:analyze

$ mvn compile

$ mvn test

# run a specific class
$ mvn exec:java -Dexec.mainClass="pangu_example.App"

# package a JAR
$ mvn package

# 提交到 central repository 之前可以用這個來測試一下安裝有沒有問題
$ mvn clean install

build lifecycle
http://openhome.cc/Gossip/JUnit/BuildLifeCycle.html

  • src/main/java 放置專案原始碼
  • src/test/java 放置單元測試用原始碼
  • src/main/resources 放置設定檔,例如 log4j.properties
  • src/test/resources 放置測試用設定檔,如同測試程式本身不會被打包進 jar

Configuration

in pom.xml

放 per project 的設定

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.sonatype.oss</groupId>
    <artifactId>oss-parent</artifactId>
    <version>7</version>
  </parent>
  <groupId>ws.vinta</groupId>
  <artifactId>pangu</artifactId>
  <version>1.0.1-SNAPSHOT</version>
  <packaging>jar</packaging>
  <name>Pangu</name>
  <description>Paranoid text spacing for good readability, to insert whitespace between CJK (Chinese, Japanese, Korean), half-width English, digit and symbol characters automatically.</description>
  <url>https://github.com/vinta/pangu.java</url>
  <inceptionYear>2014</inceptionYear>
  <licenses>
    <license>
      <name>MIT License</name>
      <url>http://www.opensource.org/licenses/mit-license.php</url>
      <distribution>repo</distribution>
    </license>
  </licenses>
  <developers>
    <developer>
      <id>vinta</id>
      <name>Vinta</name>
      <email>[email protected]</email>
      <url>http://vinta.ws/</url>
    </developer>
  </developers>
  <scm>
    <connection>scm:git:[email protected]:vinta/pangu.java.git</connection>
    <developerConnection>scm:git:[email protected]:vinta/pangu.java.git</developerConnection>
    <url>[email protected]:vinta/pangu.java.git</url>
    <tag>HEAD</tag>
  </scm>
  <issueManagement>
    <system>GitHub Issues</system>
    <url>https://github.com/vinta/pangu.java/issues</url>
  </issueManagement>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
  <dependencies>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.11</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
  <distributionManagement>
    <snapshotRepository>
      <id>ossrh</id>
      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    </snapshotRepository>
    <repository>
      <id>ossrh</id>
      <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
    </repository>
  </distributionManagement>
  <profiles>
    <profile>
      <id>release</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>1.5</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.2</version>
        <configuration>
          <source>${maven.compile.source}</source>
          <target>${maven.compile.target}</target>
          <optimize>${maven.compile.optimize}</optimize>
          <encoding>UTF8</encoding>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-source-plugin</artifactId>
        <version>2.4</version>
        <executions>
          <execution>
            <id>attach-sources</id>
            <goals>
              <goal>jar-no-fork</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-javadoc-plugin</artifactId>
        <version>2.10.1</version>
        <executions>
          <execution>
            <id>attach-javadocs</id>
            <goals>
              <goal>jar</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <groupId>org.sonatype.plugins</groupId>
        <artifactId>nexus-staging-maven-plugin</artifactId>
        <version>1.6.5</version>
        <extensions>true</extensions>
        <configuration>
          <serverId>ossrh</serverId>
          <nexusUrl>https://oss.sonatype.org/</nexusUrl>
          <autoReleaseAfterClose>true</autoReleaseAfterClose>
        </configuration>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-release-plugin</artifactId>
        <version>2.5.1</version>
        <configuration>
          <autoVersionSubmodules>true</autoVersionSubmodules>
          <useReleaseProfile>false</useReleaseProfile>
          <releaseProfiles>release</releaseProfiles>
          <goals>deploy</goals>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>

ref:
http://maven.apache.org/pom.html
https://github.com/vinta/pangu.java/blob/master/pom.xml

Maven 的 groupId 基本上只是用來標示這個 artifact 屬於哪一個 group
基本上就是用你的 domain name 就好了
跟 Java 的 package 路徑沒有關係

in settings.xml

放 global 的設定

ref:
http://maven.apache.org/ref/3.2.3/maven-settings/settings.html

maven-source-plugin

maven-javadoc-plugin

How to attach source and javadoc artifacts?
http://maven.apache.org/plugin-developers/cookbook/attach-source-javadoc-artifacts.html

$ mvn source:jar
$ mvn javadoc:jar
# or
$ mvn package

Find packages

ref:
https://search.maven.org/
https://mvnrepository.com/

Issues

中文會是亂碼

<project>
  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>
</project>

ref:
http://maven.apache.org/general.html#encoding-warning

新增額外的 Maven Repositories

in pom.xml

<project>
    <repositories>
        <repository>
            <id>spark-packages</id>
            <name>Spark Packages Repository</name>
            <url>https://dl.bintray.com/spark-packages/maven/</url>
        </repository>
    </repositories>
</project>

ref:
https://maven.apache.org/guides/mini/guide-multiple-repositories.html

允許下載 SNAPSHOT 版本的 libraries

in ~/.m2/settings.xml

<settings>
  <profiles>
    <profile>
      <id>allow-snapshots</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <repositories>
        <repository>
          <id>ossrh-snapshots-repo</id>
          <url>https://oss.sonatype.org/content/repositories/snapshots</url>
          <releases>
            <enabled>false</enabled>
          </releases>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>
</settings>

你可以新增多個 snapshots repo 的來源

Could not find artifact com.sun:tools:jar

ref:
http://maven.apache.org/general.html#tools-jar-dependency