The Cyberspace Survival Guide

Over the last couple of decades we have had a huge increase in computing speed and storage capacity. We haven’t gotten anywhere near as big of a jump forward in functionality. The increased computing power has allowed the operating systems to grow and bloat faster than a cancerous tumor. The more complex the systems get, the more points of failure and exploitation are introduced. Software has become bloated and internally convoluted just like our laws, full of loopholes and back doors. With the push for centralized control, more single points of failure keep popping up. Just ask Delta Airlines how much that can hurt. This has opened the door to all sorts of malware, viruses, and scams to do even more widespread harm. Where is the NSA for all of that?

So much of our lives has become linked to the global Internet. The information age is still relatively young, and society hasn’t fully adjusted to this new reality. There are as many dangers on the cyber frontier as there are in meatspace, but because we feel “safe” behind our devices we let our guard down. There is no end to criminals and predators that use this complacency to victimize people. The global collective of information can be a huge asset, but it is not without its problems. While it is extremely difficult to eliminate all risks, it is not as daunting of a challenge as one might think to significantly reduce the risks to your information and privacy with some simple common sense countermeasures. Security is only as good as the weakest link. It is next to impossible to eliminate all weak links, but it is easy to eliminate a lot of them.

Don’t sacrifice privacy for convenience. Having access to everything on all of your devices (using the cloud) may be a time saver, but it puts your data at risk. It may seem like a good idea to be able to lock doors and access your security from the Internet, but it opens the possibility for other people that you don’t trust to also access the same systems. Internet enabled baby monitors can be accessed by predators. Criminals use this convenience as a weapon.

Security is not a magical black box that is way too complex for mere mortals. The establishment relies on the intimidation of users over this perceived complexity so you will rely on them to manage your security. When you have to rely on anyone else to manage your data and security you serve up all of your data to whatever vulnerabilities they have. Large corporations that manage customer data are a much larger and tastier target for criminals than individuals. With one breach all of those customers are victims to be exploited.

While it is much easier for experienced users to secure their data, there is a huge amount of information on the net on how to do practically anything. Even if you know very little about computers it is still best to rely on yourself. The experts had to become experts somehow, and some of the best ones learned from freely available information on the Internet. With a little time anyone can find solutions to even the most complicated technical problem on the net.

We have been used to avoiding bad neighborhoods and high crime areas and being on guard. Online, those bad neighborhoods are always right next door. There are as many predators and criminals online as there are in all of the bad neighborhoods combined. Common sense is the number one security defense in the real world and online. With changes to our habits we can be quite a bit less likely to fall victim to crime. We start by not making it easy for the criminals. Don’t be a soft target.

At least half of the threats can be avoided with awareness and common sense precautions and require no technical knowledge. There are easy active countermeasures that will get rid of about half of what’s left. There are more advanced options that can get some more threats patched at the expense of complication and effort. You’ve got to decide how important your data and privacy are so that you can take action.

If your data is important to you take steps to make regular backups. Whether it is your laptop or your phone, have a way to restore your data without relying on anything on the Internet. For PCs you can use software such as Acronis for FULL system backups. Find good backup software. Don’t rely on the Microsoft “restore points” alone.

Don’t use the cloud. It’s like taking your hard drive and giving it to a corporation and saying, “Here, you take care of my data.” If you use the cloud for this your data is out of your control. Manage your own data (contacts, photos, etc). When another company does this, if they get hacked your information is compromised.

Use a privacy respectful search engine that isn’t tracking your history.

If you get infected with ransomware wipe your computer and restore your backup. Often enough paying the criminals will not retrieve your data. With a good backup regimen this will be at worst a minor inconvenience.

One of the avenues that malvertising, scammers, and criminals use to exploit people on the web is Javascript. There are sites that are very heavy on Javascript that is poorly coded and at the very least makes your system run slow because it is busy with unknown tasks that aren’t needed for proper content delivery. Firefox has a plugin called “noscript” (noscript.net) that gives you control of what Javascript you allow to run on your browser. Some sites do need a little for proper functioning but it is ridiculous that 90% of the CPU is taken with ads, data collection, spamming and who knows what else. Block everything that you do not trust. It’s a good habit to be in. It will make for a safer web experience and your browser will run much better.

If you find USB flash drives, SD cards, external hard drives, etc, assume they are infected with malware unless you know the source and the history of the device. Criminals will leave these things where people can find them, and the finder’s computer gets infected as soon as the device is used.

Don’t post your email address on a website in plain text anywhere if you don’t like spam. Put it in a bitmap image instead, where the text of the email address can’t be harvested by spammers crawling the web sucking up every email address they can find. It’s likely that they sell their lists to spread it around.

No matter who calls or emails you and who they claim to be NEVER give them any passwords or personal information. If there is a legitimate need to verify information (like from your bank) call them back to make sure you are really talking with the right people. They will never ask for your online passwords. Anyone can spoof caller id and email pretending they are from anywhere.

Criminals will try to trick the user into compromising their own security by a technique called social engineering. Always verify anyone that wants information. If it doesn’t make sense ignore them.

Don’t read or respond to unknown SMS. Lots of scams and crimes will try to trick people into a response that can be costly even when it seems innocent enough. Ignore or block those kinds of messages. SMS, email, and even caller ID can be spoofed. Even if the origin seems authentic, be aware that this alone is not a certainty, and spoofing is a common method used by criminals.

Dialing *67 to block your outgoing caller ID doesn’t hide that number from the establishment telecommunications companies and governments. They use a different system that predates caller ID.

There are area codes that cost a lot of money to call. Beware of attempts to get you to call these costly area codes. If you don’t recognize it, don’t call it, or at least verify that the call doesn’t have a nasty additional toll attached to it.

NEVER open unknown and unexpected attachments from anyone. Even those you know can be infected with malware and their online identity used to trick people into infecting themselves.

Shred all personal information that gets discarded such as bills and bank statements. Divide the shredding and dispose of it at different times and places so there is little chance to reconstruct the data. Burn some of it, or flush some of it, or burn then flush some of it.

Before discarding computers and old smart devices, erase and overwrite them. If you are not letting anyone else re-purpose them, destroy the storage after erasing. Nobody is getting data off of a hard drive that is in 1000 pieces.

Go through all of your online accounts for email, phones, Apple, Google, Microsoft, television and everything else to make sure you opt out of privacy invading information leaks and spam advertising. They always assume that everyone wants to opt in to all their data collection and spam advertising unless you state otherwise. Don’t trust a provider without verifying your privacy.

When possible delete all data they have in your accounts like Google and don’t allow more “syncing”. Since you manage your own data and backups this is not needed. It opens up your data to risk if the provider is ever hacked.

The overt reason for the data grab is to send us even more ads (who wants that anyway?). Once your data is collected there is no stopping other uses.

It’s not just government and corporations that can abuse that data; stalkers and criminals can acquire it to use against you too.

If you are getting something for free you should ask yourself why it is free. Big business doesn’t do anything that they don’t get something from. There are free email services such as GMail, Yahoo, Hotmail, and the like. They have used this to make it much easier for big brother to monitor our communications. It’s much easier for them to access all of this information if it is in one place. Email, voicemails, SMS, and other data that lives on any machines not under your control are at the mercy of that provider’s security.

If you can, use email service on a smaller provider’s servers; it will be less of a target. If you are able to run your own email server you’ll at least know if your privacy is getting invaded. If you can’t do it yourself maybe you have friends that can. It’s even possible to run your own voicemail and VOIP phone service, but this does require a fair amount of work. However, all the information and software to do it is freely available on the Internet.

Change your passwords periodically. NEVER reuse passwords on multiple sites. If a password does get compromised you don’t want that compromise to lead to access of your entire online life. Pick strong passwords not based on publicly available information or dictionary words. Never store them electronically. Don’t have web browsers and email clients remember passwords. Don’t use password managers or electronic wallets. The convenience of never having to remember a password is dangerous and not worth the risk.

Avoid using fingerprints to unlock devices. They are easy to steal and don’t offer the security one might think. When you touch things in public you leave fingerprints behind. Criminals that target you can easily steal them to bypass security on your devices.

Bill Gates, back during the controversy over breaking into the iPhone of the San Bernardino patsy, admitted that there have been back doors in Windows for a long time. The privacy intrusion has reached a whole new level with Windows 10. It’s not possible to turn these features completely off even when the OS gives you the option. It continues to gather data after you turn it off giving you a false sense of security. With their track record they cannot be trusted.

All MSN accounts can be compromised with malicious code on a web page. This bug has existed for decades and they are in no hurry to fix it. Since Windows 8 they have been pushing to link the security on your machine to a Microsoft account. Do the math.

The new Windows 10 Anniversary update does a seek and destroy on any other operating systems you have installed and wipes the data. Remember it’s good to make backups. Avoid Microsoft Windows 10 and consider moving away from Microsoft entirely.

Microsoft has come up with a BIOS feature that is built into some new computers called Secure Boot. On its face it would seem like a good idea, but there are some major problems. It prevents you from using any non Microsoft OS and has its own hard coded back doors that have already been discovered and are in the hands of criminals that will bypass all the security on your computer. Avoid this as well.

Microsoft has also taken to using peer to peer technology on your machine to send updates to other Windows users. This consumes your bandwidth and if you have metered service it can be quite costly. With updates coming from peer machines rather than Microsoft servers we can definitely see yet another way malicious code can be injected by hackers.

Apple is not an exception to this behavior nor is Google with their Android system.

A Linux system booted from optical read-only media such as a DVD can’t be infected. Rebooting the computer always gives you a clean system. It’s the safest way to browse the web, especially if you need anything from untrusted sites.

Open source software is a great thing, but in and of itself doesn’t guarantee security. Someone with development experience should look through the code and test for vulnerabilities. Thankfully there is an entire community of users that can see the source code and there aren’t any secrets. It is possible for the development software itself to introduce back doors into otherwise clean code. Open source software should be built with a trusted compiler.

Open source encryption is another double-edged sword. It is possible to see if there are any back doors and know the software isn’t intentionally compromised. In order to break encryption two things need to be known, the method and the key. Of the two, an unknown method is the hardest to overcome. If the method is known the key can be brute force hacked with sufficient computer power. Even the best new “unbackdoored” encryption methods are exposed with open source software. The best way to overcome this is to create an unknown method to wrap the stronger encryption with. Even a weak unknown method will keep any code breakers guessing. Any assumption an attacker makes that only standard software is being used will greatly increase your security. Even multiple layers of nested encryption make things much harder to break. A more secure platform would be an open source operating system built with a trusted compiler, booted from read-only media, with custom encryption.

Remove unneeded software. Avoid free toolbar and utility apps that are pushed on you. Remember they are likely getting something else from your use of the software.

If you have any doubts about whether or not your devices have been compromised install a fresh copy of OS from a trusted source. Avoid special OEM versions that come with extra bloatware.

Don’t link any credit card information to online accounts even with Apple, Google, or retailers. When they get hacked your banking information can be compromised.

If you have to use credit cards online don’t use them on wireless devices even at home.

Have your phone provider block charges for purchases to your mobile accounts. Scammers often find ways of spending money on your behalf.

Don’t use RFID credit cards. They can be stolen at small distance with very inexpensive hardware. Leave them at home or at least use a shielded wallet. Test any such wallets to make sure a purchase cannot be made until it is removed from the protection. You can get a false sense of security from credit card shields that don’t actually work. This chip for extra security actually gives you LESS security.

Whenever possible use cash. A pocket can’t be hacked and the banks can’t take cash out of your pockets.

Even bitcoin has problems and is subject to hacking and bail-ins.

Avoid other devices that are networked. You don’t need a smart refrigerator to tell you what to get at the store. You don’t need to access your coffee maker from the Internet. You certainly don’t want hackers to be able to control your lights in your house and be able to monitor when you aren’t home. Even networked adult toys have been hacked allowing cyber rape.

Cars that are networked are a very bad idea, and not just the self driving ones. We have seen how some of these vehicles have been hijacked and can potentially cause fatal accidents. Auto thieves that can remotely unlock and start your car have a much easier time ripping you off. Airplanes can and have been hijacked in this manner as well.

Most phones and tablets use USB to charge. USB can deliver power but it can also communicate with the devices attached to it. Don’t use untrusted USB chargers. By the nature of how they work they can be used to exploit devices. It is also a good idea not to hook unknown and untrusted USB devices to your computer.

Embrace the old school dumb devices. We got by just fine without this push toward smart everything. Most smart devices can be a risk.

Don’t over share on social media. For example, while it might seem okay to let all your friends know you are going on vacation, it advertises that you will be away from home, and the thieves shopping for easy targets can easily find you this way. Even a well established schedule that can be discovered this way can open you up to a host of other problems. Social media is also a rich hunting ground for patsies to blame all sorts of bad things on. It is best not to even use it. Again, we got by fine without it. It’s government funded for a reason. Why make it easy for them by spying on yourself?

Bullies are another added bonus social media has that you don’t want. This is much more likely to affect your kids. Pay close attention to their Internet activities. They are less likely to be aware of potential threats. Talk to your kids and maintain open communication. Learn the jargon your kids are using so you can be informed about what they are talking about and whether they are engaging in risky online behavior. They will always find a way to get online so it is better if you can keep it where you can monitor it. Using software to track your kids with GPS is a double-edged sword. We always want to know where our children are at. We however don’t want people that intend harm to have access to that same information.

Finding real criminals in this ocean of data collection is like finding a needle in a haystack. The government solution to this is more data collection on everyone making for a bigger haystack and pool of victims.

VPN (Virtual Private Networking) technology can be a useful tool to increase your privacy especially from untrusted networks. This too will not make you immune to some threats out there. Don’t operate with a false sense of security. There are many providers out there that offer low cost VPN access. Bear in mind that if you can’t trust your VPN provider you are no more secure than when you started.

For best communication privacy talk face to face with people like we used to. Whenever there are electronic devices involved there will always be some amount of risk no matter how good you think your security is. Treat anything electronic as potentially compromised. No matter how much the establishment will argue to the contrary these systems were not designed to be completely secure.

The less you accept default configuration and software options the better your security will be. Hackers will make assumptions about your setup. Never ever use default login passwords for devices even when you think they cannot be accessed. The more often those assumptions are wrong, the more difficult it is for them to find ways in.

You should assume that 100% of traffic on every public network is compromised. Treat it like you are on a PA system in a crowded room and don’t do anything that you don’t want anyone else to see. Chances are relatively good that most of your traffic will go unnoticed, but it is a bad idea to take unnecessary risks.

The corporate-provided, approved tools meant to make you more secure in fact often do not, and sometimes open up more holes in your system. There are many cases where this software will break important apps like accounting software, which can be a costly loss of productivity.

Avoid wifi (and bluetooth) when possible. Wifi is IMPOSSIBLE to completely secure. Anything transmitted over the air can be stolen at a distance. Network cards have a hardware address called a MAC address that is unique to your hardware. A MAC address is 6 hexadecimal numbers such as FF:00:0D:04:7C:9A. All wifi devices also have this address, and it can be used to track you even on anonymous public hotspots. There is software that can randomly change this address. The real hackers will always use this, making wireless intrusions into your wifi much harder to track. If you have to use public wifi on a regular basis this might be something to consider adding to the toolbox.

For better security use wired networks. This isn’t always possible with tablets and phones, but at least be aware of the risks. Keep your bluetooth and wifi off when you are not using them.
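The address structure described above, as an added example that is not part of the original article: two flag bits in the first octet say whether an address is a vendor-assigned, globally unique one (the kind that can be followed from hotspot to hotspot) or a locally administered one such as randomizing software produces. The function names and the sample sightings are constructed for illustration.

```python
import re
import secrets

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")

# Constructed sample: the address one device presented at three hotspots.
SIGHTINGS = {
    "cafe": "00:1B:44:11:3A:B7",
    "airport": "00:1b:44:11:3a:b7",
    "hotel": "DA:5C:2F:90:01:6E",
}


def parse_mac(text):
    """Return the 6 raw bytes of an address written as XX:XX:XX:XX:XX:XX."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def format_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def classify(text):
    """Decode the two flag bits carried in the first octet."""
    first = parse_mac(text)[0]
    return {
        "multicast": bool(first & 0x01),             # group address, not one station
        "locally_administered": bool(first & 0x02),  # set by software, not the vendor
    }


def is_trackable(text):
    """True for a vendor-assigned, globally unique station address."""
    flags = classify(text)
    return not flags["multicast"] and not flags["locally_administered"]


def random_private_mac():
    """Random address with the local bit set and the multicast bit cleared."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return format_mac(raw)


def repeated_addresses(sightings):
    """Map each address seen at more than one place to those places."""
    seen = {}
    for place, mac in sightings.items():
        seen.setdefault(parse_mac(mac), []).append(place)
    return {format_mac(k): sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # The article's sample FF:00:0D:04:7C:9A starts with 0xFF, so both flag
    # bits are set; it shows the written format, not a real station address.
    print(classify("FF:00:0D:04:7C:9A"))
    for place, mac in SIGHTINGS.items():
        print(place, mac, "trackable" if is_trackable(mac) else "randomized")
    print(repeated_addresses(SIGHTINGS))
    print(random_private_mac())
```
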

Some routers support a free open source Linux firmware called dd-wrt that has MANY additional features above stock firmware. Being open source it is also easier to find any potential back doors. You just have to trust the closed source commercial firmware not to have back doors to allow bad people to access your network from a remote location.

External firewalls are far more secure than internal software firewalls. Once malicious code is executed on your computer it is quite trivial for it to bypass any security software on that computer. Malware cannot access a firewall that is on a completely different piece of hardware. You can use the external firewall to monitor and log traffic to watch for suspicious activity. Try to identify unknown traffic to determine if it should be there or not.

Firewalls are only as good as their configuration and implementation. Just accepting all defaults won’t help you anywhere near as much as going through and customizing the configuration to only allow what you need and blocking everything else. People’s needs will vary from person to person, family to family. The Linux kernel has some very advanced firewall and network security features built in. A Linux computer with a couple of network interfaces when properly configured is a formidable firewall, and it’s free. In this game you don’t always get what you pay for.

Don’t give a smart TV (or other device) network access because of the track record of these things being used to spy with both cameras and microphones. If you do decide to network them, firewall the hell out of them to keep them from being used against you. Put tape over camera lenses not in use. Place a loud noise source beside any microphones you can’t unplug.

The next advance in display technology is to have each pixel in the display also function as a camera. The idea of two way pixels to see the people watching the television can be defeated with a bright infrared light. All CCD technology is sensitive to IR light and can be blinded by this bright light that is not visible to the naked eye. For that matter security cameras can be defeated in the same way.

Full audio and video uploads take lots of bandwidth and are easily noticed by examining your network traffic. Even something as simple as blinking traffic indicators when there shouldn’t be activity can be a sign of a problem.
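One way to do the log review described above (watching the external firewall's log for unknown traffic and for uploads that are too large), as an added example that is not part of the original article. It assumes the firewall is a Linux box writing packet records in the netfilter LOG format; the home network range, the per-device allowlist, the byte limit and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network
UPLOAD_LIMIT = 4000  # bytes per log window; tiny on purpose for the sample

# Assumed allowlist: the only (protocol, port) pairs each device should use.
ALLOWED = {
    "192.168.1.20": {("TCP", 443), ("UDP", 53)},  # laptop: HTTPS and DNS
    # 192.168.1.50 (smart TV) has no entry, so nothing is expected from it
}

# Constructed log lines, not real traffic.
SAMPLE_LOG = """\
Aug 20 02:14:01 fw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 LEN=600 TTL=63 PROTO=TCP SPT=51234 DPT=443
Aug 20 02:14:02 fw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=192.0.2.53 LEN=70 TTL=63 PROTO=UDP SPT=40000 DPT=53 LEN=50
Aug 20 02:14:03 fw kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 LEN=1400 TTL=52 PROTO=TCP SPT=443 DPT=51234
Aug 20 02:14:07 fw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=1500 TTL=63 PROTO=TCP SPT=51000 DPT=8443
Aug 20 02:14:08 fw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=1500 TTL=63 PROTO=TCP SPT=51000 DPT=8443
Aug 20 02:14:09 fw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=1500 TTL=63 PROTO=TCP SPT=51000 DPT=8443
Aug 20 02:15:00 fw dhcpd: lease renewed
"""

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return one outbound packet record, or None for anything else."""
    fields = {}
    for key, value in FIELD.findall(line):
        # UDP records repeat LEN (IP length, then UDP length): keep the first.
        fields.setdefault(key, value)
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        length = int(fields["LEN"])
        proto = fields["PROTO"]
        dport = int(fields["DPT"]) if "DPT" in fields else None  # ICMP has no port
    except (KeyError, ValueError):
        return None
    if src not in LAN or dst in LAN:
        return None  # inbound or purely local traffic is not an upload
    return {"src": str(src), "dst": str(dst), "len": length,
            "proto": proto, "dport": dport}


def analyze(lines, allowed=ALLOWED, limit=UPLOAD_LIMIT):
    """Per device: bytes sent out, over-limit flag, destinations not allowlisted."""
    sent = defaultdict(int)
    unknown = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sent[rec["src"]] += rec["len"]
        if (rec["proto"], rec["dport"]) not in allowed.get(rec["src"], set()):
            unknown[rec["src"]].add((rec["dst"], rec["proto"], rec["dport"]))
    return {
        src: {"bytes": total, "heavy": total > limit, "unknown": sorted(unknown[src])}
        for src, total in sent.items()
    }


if __name__ == "__main__":
    for device, info in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(device, info)
```

In the sample, the device with no allowlist entry is the one reported both for unknown destinations and for exceeding the upload limit, which is the pattern to investigate.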

Don’t use smartphone GPS unless absolutely necessary. Keep it off. The providers such as phone companies, Google, or Apple will keep a record of where the device goes. It might be useful if it gets stolen, but otherwise it is gathering data that can be used against you even if you are doing nothing wrong. The idea of “I have nothing to hide” is a cop out. See if you feel the same way if a stalker uses that to track your wife. Use paper maps. If you want GPS use a non-networked external unit.

Smartphones and tablets can be secured best with a blender or sledgehammer. There aren’t enough countermeasures to completely secure one of these devices. Use them at your own risk.

If you can’t avoid smartphones, be very careful about what you give them access to. Use the mobile data as little as possible and use your own wifi secured with an external firewall. It is necessary to break the security on the phone to remove unwanted bloatware that they insist on putting on your devices. Just because you don’t actually run or configure the application doesn’t mean that it isn’t actively doing something. This process for Android phones is called “rooting” and on Apple it is called “jailbreaking”. There is a ton of information on the net on how to do this. If we could trust these devices I would recommend against this, but since we cannot you may actually be able to better secure your devices with the additional access. You should do your homework. Android phones will let you install software from anywhere with minimal effort without rooting the phone. However on the Apple platform the only way to get software that Apple hasn’t blessed is to jailbreak. Cydia is the jailbreak app store and has many features Apple doesn’t think you should have.

It’s next to impossible to have an iPhone without iTunes even if you don’t use it. It is possible to have an Android phone without Google. Because of the way apps are created with the Android Software Development Kit, it can cause you to have to work around apps that complain about the Google Play service not running even though most of the apps will function just fine without it. You also can block nearly all of the ads. Recently the Android platform has been plagued with lots of pop up ads. When there is an ad being flashed at the bottom of the screen it is far less intrusive than being assaulted with pop up ads.

When you get an Android device one of the first things the initial setup asks for is your GMail address. Every Google service tries very hard to push their email service. It is possible to have a Google account without GMail. An Internet search will show you how.

Removing Google from an Android phone is like removing a trojan from your computer. It will fight you every step of the way because they don’t want you to break the link Google has into everything you do with your device. It can be safely done, it just takes a bit of work.

It is possible to avoid Google and other restrictions by loading an open source firmware. This is an option that you don’t really have with Apple. The Google apps have to be installed separately and are not open source nor are they required for the proper function of the device. There are a plethora of options for open source firmware for most of the Android devices, some even specializing in privacy and security. It’s definitely worth the reduction in risk and unpleasantness. At first glance the procedure looks daunting. It really is fairly trivial and there are great step by step guides on the net, as there are for just about anything you want to know. Just do your homework.

Android devices with Qualcomm processors have an exploit that can compromise your data. You might want to avoid them until (if) this is patched.

Apple spies just like the rest of them. They have been caught keeping a tracking log of everywhere your device has been and the only way to prevent this is from apps available to jailbroken devices. They have an illusion of being more secure than the rest. The San Bernardino controversy was just PR to make Apple look secure.

When choosing an Android device an external SD card storage slot is another must have. Why trap your data if the phone is damaged? This is not an option for Apple devices.

Another must have is a removable battery. It’s impossible for a device to spy on you that has no power to carry it out. And besides it’s nice to have the option of easily replacing the battery and not having to discard the entire device. This too is not an option for Apple products.

On either platform airplane mode cuts radios and breaks the link to the world. (Or is supposed to anyway) You can tell if this actually works by monitoring the battery drain. No information can leave your phone without being transmitted, and these transmitters require battery power to function. If you have successfully turned off the transmitters the battery can last a couple weeks with very light usage. With the transmitters on you will be lucky to get more than a couple of days on standby. You can get a feel for whether or not your phone is doing things that it shouldn’t by paying attention to the battery.

All smartphones have two separate operating systems. We see the Application level OS also called firmware. For Apple it is iOS and for Google it is Android. You also have Windows phones and BlackBerries. These application level OS have enough security holes on their own to give one pause. The second OS is called the baseband. This is what controls the cellular radio. You will never see open source baseband software. They keep a tight lid on it. This is where they can activate your phone from remote and access the hardware directly bypassing any security software on the Application OS that one could ever dream of. Even dumb old flip phones have a baseband OS in order to function.

Remember no matter how good their back doors are they can only steal what you give the device access to.

Be very careful selecting apps to install on ANY device. Pay attention to number of downloads, ratings, and comments. Remember that in a way installing an app on your device is like inviting a house guest. Delay getting new releases and updates. Wait for it to be out for a while to see if there are problems. Being first is being careless. Some 20% of all apps on the Google Play Store (GPS – really?!?) have malware. For all devices, if it ain’t broke don’t fix it. If you need a fix, update, otherwise why risk breaking what already works?

In order for hardware back doors in CPU or other hardware to be exploited a program has to run on your machine to use it. Those kinds of back doors allow this program to bypass ALL of the security. It’s dangerous. This is another reason to be careful who you invite into your device.

It’s actually quite surprising how much of the extra software that is bundled in with the modern OS really isn’t needed for it to function properly. You can boot Mini Windows XP off a flash drive with minimal files and it works fine. Routers can run a Linux that is contained in just a few megabytes of code (No I didn’t mean gigabytes).

Some developers are lazy and include large libraries of code just for a few functions, which triggers alerts on more than what is used. They also re-purpose code from other projects accessing functions other than what is being used. There are Android firmware packages that come with a way to block apps from doing certain things. There are also apps that you can get to do the same thing. Just because it asks for it doesn’t mean it will use it, but your privacy apps can notify you of the attempt. Any software that oversteps should be removed immediately. Not all bible and flashlight apps are compromised. Some definitely are. Some of the bible apps access their content online rather than downloaded to your device. The network access might be for this. It could also be uploading all of your pictures.

Remember cyberspace is dangerous. Your default setting should be distrust until proven trustworthy. From all the criminals out there to the unethical businesses, we have our work cut out for us just staying out of trouble. Be careful. Stay safe. Stay free.

Send comments and questions to: