General Online Habits

This section is a collection of general advice and miscellaneous tips that don't really make sense on any other pages.

Phishing & Clicking Links

Phishing has been and remains one of the top ways to gain unauthorized access to a specific machine, account, or network. Phishing occurs when a person clicks on a link and either enters information or downloads a payload that gives a malicious actor access to an account or device. In the case of malware, the attacker can access the data on that machine or the network the machine is connected to. Typically this link-clicking occurs in the form of an email that appears to be legitimate, such as an email that appears to be from your bank asking you to confirm account details or to see an enclosed attachment. Phishing could also come in the form of malicious advertising. This is why ad-blockers are so important. The final common phishing technique is when an attacker calls you claiming to be an official (e.g., from the IRS) and asks you for information about yourself.

The best way to avoid phishing is to be overly cautious. If something seems out of character, contact the person and ask about it. For example, if your bank sends an email requiring confirmation of something, ignore the email and go straight to their website. If it's legitimate, the same warning will pop up when you log in or be waiting in your messages. If you're still not sure, contact their support team and ask.

Sharing Information

Think carefully about what information you share and what it reveals. Back in the early days of social media, it was common for people to publicly share that they were going on vacation for a week, so criminals in the area would find the house and rob it while they were gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker find her because she took a selfie where the street sign was visible. I'm not saying don't share anything online, simply be mindful of what information is visible in the photo, such as a company logo on your shirt or financial information in your screenshot.

Additionally, this extends into non-public internet spaces. For example, next time you sign up for a website or pay for something online, try submitting no information at all. It will likely reload the page and mark the mandatory fields, but you might be surprised what information is optional. You should view every website as a data breach waiting to happen, and anything that isn't a password or card number is probably not encrypted, so the less personal information you hand over the better. If you are required to hand over information but the requesting site or service doesn't actually need it, consider using disinformation.

Social Media

While I discourage mainstream social media services for a number of reasons, I understand that sometimes you have no choice in using them. My recommendation would be to not use the apps, post as little as possible, and make your profile as private as possible.

If you feel the need to have social media, try checking out the decentralized and more privacy-respecting Fediverse. This is a volunteer-run, peer-to-peer social networking system, and one of the coolest things about it (in my opinion) is the "federation" for which it's named. Imagine if you had a Twitter account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up for Instagram. On the Fediverse, you can follow them from your own platform even without creating a new account. For Twitter fans I recommend Mastodon. For Instagram fans, PixelFed. Facebook users might feel more comfortable on Friendica and YouTube users might find new content on PeerTube.

I discourage using the same username or handle across all your social media accounts unless you're building a professional brand. I suggest using your password manager to generate a two- or three-word random passphrase and then using that as your handle. Repeat as needed for every site and account. If somebody decides to cyberstalk you, this can make it harder for them to find all of your accounts.

Search Engines

Change your default search engine. Google tracks all of your searches and records them, and these are all added to your profile to create a more complete picture of you as a person. Try a privacy-respecting, no-logging search engine such as SearX or MetaGer. DuckDuckGo and Startpage are popular search engines that claim to be privacy-respecting, but due to a wide variety of past questionable actions by both and the availability of better options, I don't particularly encourage them except as backups.

Account Hygiene

Delete any and all unused accounts. This includes old social media accounts, library accounts, work accounts, services you signed up for once and never used again, etc. If you can't delete an account for whatever reason, change its password to a secure one and hold onto it somewhere safe. The exceptions to this are that I recommend holding onto old email accounts, and I recommend "planting your flag" on important accounts that are prone to fraud, such as unemployment. For the email accounts, you never know what you once used them for and when you might need them again for that purpose.