How to Stay Safe Online: Tips for Personal Security

How I learned to "start worrying" and love the illusion of feeling safe.

Digital security and privacy have become more important than ever. With cyber threats constantly evolving, it is crucial to stay up-to-date with best practices and take proactive measures to protect your online presence. This comprehensive guide covers a wide range of security and privacy recommendations for various platforms and scenarios, aiming to help you fortify your digital life.

General

  • Use a password manager: 1Password or Bitwarden.
    • Never reuse passwords.
    • Use strong passwords, at least 18 characters long.
  • Don't store real passwords of critical accounts in password managers.
    • Instead, store the password altered by a secret rule only you know.
    • Apply to accounts related to your real-world identity or money.
    • Cloud-based password managers can be hacked too, e.g. LastPass.
  • Use different emails and different passwords when registering services.
  • Avoid using your password manager to generate one-time passwords.
    • Instead, use a separate authenticator app: Yubico Authenticator.
    • Otherwise, the password manager would become a single point of failure if compromised.
  • Always enable 2FA (or MFA), but avoid SMS-based 2FA if possible.
    • Be aware of SIM swap attack.
    • Even if you don't use SMS-based 2FA, your phone number might still be used as a "Recovery Method".
    • Turn off "Cloud Syncing" feature if you're using Google Authenticator.
    • Write down backup codes on paper and store them in a safe.
  • Always use HTTPS.
  • Use Passkey or security keys.
    • You could use your Mac/iOS/Android devices or a YubiKey.
  • Don't provide real personal information to any cloud service if possible.
  • Install any security updates as soon as possible.
  • Don't blindly click any link you see in your emails or search results; they could be scams!
    • Instead, add your frequently visited websites to your browser bookmarks.
  • Carefully review requested permissions when you connect third-party apps to your Google, Twitter, Discord, or other critical accounts.
  • Regularly review authenticated devices or sessions of your critical accounts.
    • Revoke them if you're not sure what they are.
    • Explicitly log out after finishing your operations, or use Incognito mode.
  • Do things that can calm your anxiety.
  • Read Personal Security Checklist.
  • Read An ultimate list of rules any on-chain survivor should follow to stay safe.

Privacy

macOS

  • Use an application firewall and network monitor: Little Snitch.
  • Turn on the Firewall.
    • System Settings > Network > Firewall > Options > Block all incoming connections
  • Turn on FileVault which provides full disk encryption.
    • System Settings > Privacy & Security > FileVault
  • Power off your computer when not in use; the disk is only fully protected by encryption while the machine is powered off.
  • Automatically lock your screen when idle.
    • System Settings > Lock Screen > Require password after screen saver begins or display is turned off
  • Set one of the Hot Corners to "Lock Screen" and always trigger it when you're away from your keyboard.
    • System Settings > Desktop & Dock > Hot Corners
  • Disable AirDrop and Handoff.
    • System Settings > General > Airdrop & Handoff
  • Exclude sensitive folders from Spotlight.
    • System Settings > Siri & Spotlight > Spotlight Privacy
  • Don't use any apps that can read your clipboard or what you type.
  • Don't use third-party input tools if possible.
  • Create separate browser profiles for different usages.
    • One for daily activities.
    • One for financial activities; don't install any extensions other than the password manager in this profile.
    • Use Incognito mode.
    • Even better: use isolated computers.
  • The fewer browser extensions installed, the better.
    • Carefully review requested permissions when installing/upgrading browser extensions.
    • Be aware that developers might sell their extension to someone else.
  • Disable Chrome's Preload pages.
    • Chrome > Settings > Performance > Preload pages
  • Use Dangerzone if you're working with PDFs.
  • Read macOS Security and Privacy Guide.

iOS

  • Enable Data Protection (Erase all data after 10 failed passcode attempts).
    • Settings > Touch ID & Passcode > Erase Data
  • Change the default PIN of your SIM card.
    • Settings > Cellular > SIM PIN > Change PIN
  • Disable Predictive Text.
    • Settings > General > Keyboards > Predictive
    • Settings > General > Transfer or Reset iPhone > Reset > Reset Keyboard Dictionary
  • Turn off AirDrop.
  • Don't use third-party keyboard apps.
    • These apps will be able to access everything you type: passwords, messages, search terms, etc.
  • Restart your device regularly, e.g. once a week.
  • Rapidly press the side button 5 times to enter Emergency SOS mode when needed.
    • In Emergency SOS mode, your passcode is required to re-enable Touch ID or Face ID.
    • Use it when your device is about to be taken away.
  • Read Telegram & Discord Security Best Practices.
  • Read Privacy Guides - iOS Overview.

Crypto

  • For large amounts of assets, always store them in hardware wallets or multisig wallets.
  • Use multiple hardware wallets from different vendors; don't put all your eggs in one basket.
    • Some should only hold assets and never interact with DeFi apps.
    • Others are used for trading or DeFi.
    • Or use an old phone to create wallets, and NEVER connect it to the Internet.
  • Use your hardware wallet's hidden wallet feature with a passphrase.
  • Write your seed phrases on paper or metal, and store them in a physical safe.
    • Modify the seed phrase with a secret rule only you know.
    • Keep at least 2 copies in different locations.
    • Never store a hardware wallet's seed phrase digitally, NEVER.
  • Verify backups of your seed phrases every 3 months.
  • Use multisig wallets: Gnosis Safe.
  • Only store a small amount of assets in hot wallets.
    • If you follow this rule, it might be acceptable to store the seed phrase in a password manager.
    • Furthermore, encrypt the seed phrase before storing it.
  • Rotate your hot wallets regularly.
  • When transferring tokens to a new address, always send a small amount first and make sure you can transfer it out.
    • It may waste gas, but it's better than losing funds.
  • Add addresses to contacts or whitelists.
  • Always approve tokens with the exact amount, never use infinite (type(uint256).max) approval.
    • It may waste gas, but it's better than losing funds.
  • Always check the slippage setting before swapping.
  • Review your token approvals regularly: Revoke.cash.
    • Before revoking an approval, check that the original approve() tx was initiated by you.
    • Attackers can create a fake ERC-20 token and set an allowance for you.
  • Signing could be dangerous.
    • If it's a clear, human-readable message, it's probably safe to sign.
    • If it contains a large amount of data, read carefully before signing.
    • If the message starts with 0x, just don't sign.
    • In particular, watch out for "permit" signatures.
  • Use browser extensions or wallets that can simulate/preview transactions.
  • Learn how to decode a transaction.
  • Use Etherscan's Watch List to monitor your account activities.
    • Notifications might be a bit delayed; they're not real-time.
  • A website (its domain or frontend code) can be hacked, even if the smart contracts are secure.
  • Read Blockchain Dark Forest Selfguard Handbook.
  • Read officercia.eth's articles.
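As an added example (not from the original page), this Python snippet decodes the calldata of an ERC-20 approve() or transfer() call and flags the unlimited type(uint256).max allowance the list warns against; the two sample calldata strings and the 0x1111...1111 spender are constructed values.

```python
# Added example (not from the original page): decode ERC-20 approve()
# calldata and flag the unlimited (type(uint256).max) allowances the
# checklist warns against. Selectors are the first 4 bytes of keccak256
# of the signature; hardcoded because the stdlib has no keccak256.
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
}

@dataclass
class Decoded:
    function: str
    to: str  # spender (approve) or recipient (transfer)
    amount: int
    unlimited: bool

def decode_erc20_call(calldata: str) -> Decoded:
    """Decode approve/transfer calldata ("0x" + hex) into its fields."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(raw) != 4 + 32 + 32:
        raise ValueError(f"unexpected calldata length {len(raw)}")
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector 0x{selector}")
    # ABI-encoded address: 12 zero bytes of padding, then 20 address bytes
    if any(raw[4:16]):
        raise ValueError("non-zero padding in address word")
    to = "0x" + raw[16:36].hex()
    amount = int.from_bytes(raw[36:68], "big")
    return Decoded(SELECTORS[selector], to, amount, amount == UINT256_MAX)

def describe(calldata: str, decimals: int = 18) -> str:
    d = decode_erc20_call(calldata)
    if d.unlimited:
        return f"{d.function}: UNLIMITED allowance for {d.to}, do not sign"
    return f"{d.function}: {d.amount / 10**decimals:g} tokens to {d.to}"

# Constructed samples: approve(0x1111...1111, amount) for a hypothetical spender
SPENDER_WORD = "00" * 12 + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + SPENDER_WORD + "ff" * 32
EXACT_APPROVE = "0x095ea7b3" + SPENDER_WORD + format(15 * 10**17, "064x")

if __name__ == "__main__":
    print(describe(UNLIMITED_APPROVE))
    print(describe(EXACT_APPROVE))
```

Wallets that simulate transactions do essentially this decoding for you; the point of doing it by hand once is to recognise an all-ff amount word when a dApp asks for it.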

Developer

  • Always create API keys with minimum permissions and set a short expiration time if possible.
  • Create distinct API keys for different purposes, services, or machines.
    • Deactivate API keys you're no longer using.
  • If you're unsure, run the program inside a non-root Docker container.
  • The fewer IDE/editor plugins installed, the better.
  • Enable GitHub Copilot only for specific languages or files.
    • In particular, disable it for .env files or any files that may contain sensitive data.
  • Sign your Git commits.

Wi-Fi

  • Always change the default username/password of your router or IoT devices.
  • Keep your router firmware up-to-date.
  • Only use WPA3-Personal or higher.
  • Disable remote access on your router.
    • If you really need to reach your router's management console over the Internet, at least set an IP whitelist.
  • Disable WPS (Wi-Fi Protected Setup), which is vulnerable to brute-force attacks.
  • Avoid using public Wi-Fi.

Physical

  • Cover your laptop's camera with a sticky note.
  • Be cautious when plugging USB devices into your computer.
    • Don't charge devices from your computer if possible.
  • Be vigilant for keyloggers.
    • Bring your own keyboard and USB hub when necessary.
  • Shred or redact sensitive documents.
    • Don't simply throw them in the trash.
  • Don't reveal information during "inbound" calls.
    • Only share sensitive data during outbound calls or communications that you initiate.
  • Use a certified and well-protected extension cord.
  • Get fire and earthquake insurance for your house.

Pipenv and Pipfile: The officially recommended Python packaging tool

You no longer need to use pip and virtualenv separately. Use pipenv instead.

ref:
https://github.com/pypa/pipenv
https://pipenv.kennethreitz.org/en/latest/

Install

$ pip install pipenv

ref:
https://pipenv.kennethreitz.org/en/latest/install/#installing-pipenv

Usage

$ pyenv global 3.7.4

# initialize the project virtualenv with Python 3 (the version selected by pyenv above)
# automatically generates both Pipfile and Pipfile.lock from requirements.txt if it exists
$ pipenv --three

$ cd /path/to/project-contains-Pipfile
$ pipenv install

$ pipenv install pangu
$ pipenv install -r requirements.txt

# install packages to dev-packages
$ pipenv install --dev \
autopep8 \
flake8 \
flake8-bandit \
flake8-blind-except \
flake8-bugbear \
flake8-builtins \
flake8-comprehensions \
flake8-debugger \
flake8-mutable \
flake8-pep3101 \
flake8-print \
flake8-string-format \
ipdb \
jedi \
mypy \
pep8-naming \
ptvsd \
pylint \
pylint-celery \
pylint-common \
pylint-flask \
pytest \
watchdog

# switch your shell environment to project virtualenv
$ pipenv shell
$ exit

# uninstall everything
$ pipenv uninstall --all

# remove project virtualenv
$ pipenv --rm

ref:
https://pipenv.kennethreitz.org/en/latest/install/

Example Pipfile

[[source]]
url = "https://pypi.python.org/simple"
verify_ssl = true
name = "pypi"

[requires]
python_version = "3.7"

[packages]
celery = "==4.2.1"
flask = "==1.0.2"
requests = ">=2.0.0"

[dev-packages]
flake8 = "*"
ipdb = "*"
pylint = "*"

[scripts]
web = "python -m flask run -h 0.0.0.0"
worker = "celery -A app:celery worker --pid= -l info -E --purge"
scheduler = "celery -A app:celery beat -l info --pid="
shell = "flask shell"

ref:
https://pipenv.kennethreitz.org/en/latest/basics/#example-pipfile-pipfile-lock

nvm: Node.js Version Manager

A simple Node.js version manager.

Install nvm

$ curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash

ref:
https://github.com/nvm-sh/nvm

Install Node.js

You could also simply run brew install node if you don't really care about which version you install.

# list available Node.js versions
$ nvm ls-remote

# install the latest LTS version
$ nvm install --lts

$ nvm install 12.13.0 && \
  nvm use 12.13.0 && \
  nvm alias default 12.13.0

# list installed Node.js versions
$ nvm ls

ref:
https://nodejs.org/en/

Install Node.js Packages

# install the package globally
$ npm install -g pangu

# install the package in the current folder
# npm init generates `package.json` in the same folder
$ npm init
$ npm install pangu

pyenv: Python Version Manager

A simple Python version manager. It is recommended to use pyenv and pipenv together.

ref:
https://github.com/yyuu/pyenv

Install

Before doing the following steps, you must install the Command Line Tools.

$ brew update
$ brew install readline openssl

$ brew install pyenv
# or
$ brew upgrade pyenv
To enable shims and autocompletion add to your profile:
  if which pyenv > /dev/null; then eval "$(pyenv init -)"; fi

$ pyenv --version
pyenv 1.2.14

ref:
https://github.com/vinta/HAL-9000/blob/master/playbooks/roles/python/files/pyenv_profile.sh

Usage

# list available Python versions
$ pyenv install -l

# install a certain version
$ pyenv install 2.7.16
$ pyenv install 3.7.4

# list installed Python versions
$ pyenv versions

# set the default Python version
$ pyenv global 3.5.1

# you can set both Python 2 and 3
$ pyenv global 3.7.4 2.7.16

# switch to the system default Python version
$ pyenv global system

# set the Python version for the current folder
# which generates `.python-version` in the same folder
$ pyenv local 3.7.4

# set the Python version for the current shell
$ pyenv shell 3.7.4

ref:
https://github.com/pyenv/pyenv/blob/master/COMMANDS.md