Update AdGuard Blog: The basic principles of digital hygiene

Gandalf_The_Grey

Apr 24, 2016
The rapid increase of people's personal data abuse by companies and individuals calls for the creation of some kind of self-defense checklist, and here is ours.

It answers a simple question: what is most important if you don't want to be hurt because someone knows too much about you.

It is not a guide on cybersecurity. It is far from being exhaustive and contains some obvious points. But nothing is forgotten more often than what everyone's sure they know. With that in mind, here are some pieces of advice that will help protect your private sensitive data from being harvested uncontrollably for the profit of others:

1. Do not neglect the fundamentals

You probably brush your teeth twice a day and regularly take a shower, just so that people would be comfortable around you, and you would be comfortable around them. These are hygiene fundamentals that everyone agrees on (hopefully). So make sure you take care of your online hygiene too: take a habit of changing passwords from time to time, at least for critically important websites and services. These include those that have access to your financial information, to your location and everyday routes, home and work addresses, information about your health issues, and so on. But how to choose a new password?

1.1. Basic principles of a good password:

  • Strong. At least 12 characters (including numbers and capital letters).
  • Unique. Don't get scared: there are cognitive techniques to generate unique passwords and memorize them without much effort. Alternatively, you can store them in a trustworthy password manager app (also protected by a password or biometry).
  • Not written anywhere. Yes, don't be this guy from TV who left a post-it note with all passwords on the monitor and got the entire office hacked.
  • Not put in any forms except for the one made for it. Those "check your password strength" websites are scams. Those "check if your password has leaked" services are most probably scams too. Those fake website pages mimicking real websites are scams (they are called phishing for a reason). It’s okay to use services that check it by an email or by a phone number like Have I been pwned.

2. Use 2-step authentication wherever possible

Relax, this is not for long. Companies promise us a passwordless future, biometric identification, and blockchain-based digital money that just cannot be stolen or lost (not to be confused with cryptocurrencies). It's all going to happen soon, but not tomorrow, and until then you'll have plenty of chances to be hurt in plenty of ways. Escape the dubious honor of being the last person on Earth robbed by cybercriminals and use 2FA with important services (see above for the definition of important).

3. Protect your devices with a password and lock them when not in use

Smartphones, tablets, laptops, desktop computers — what do people do with all these huge amounts of time they spare by not locking devices? Most of them can be unlocked with a fingerprint or face ID in a fraction of a second. And yes, if you are in the office and leave your workplace for a short trip to the cooler — lock the computer. Maybe there are no evil hackers around, but you can fall victim to a practical joke or the idle curiosity of colleagues. And of course, set up automatic locking after a minute of inactivity.

4. Update your apps and the system

Most people let software updates live their own mysterious lives, but power users often optimize the updates in order to save battery, traffic, or their own nerves from the cases when Windows demands a restart in the middle of a Zoom meeting (or a Minesweeper game, if the day is slow). Some people switch to manual updates and then forget to run them. They more often fall victim to vulnerabilities found by hackers and spammers that could have been fixed by a postponed update. You do not want to belong to these people.

5. Do not insert USB drives found somewhere into your computer

It doesn't matter: a personal computer, an office computer. Friend's computer. Enemy's computer (even the enemy might not deserve the consequences).

I can just hear you scream "Oh come on, I'm not five years old!"
You have no idea how many cats curiosity has killed. You will not even need to launch anything from a malicious drive or open any files to get your computer attacked, and even a freshly updated antivirus might not be enough.

5.1 A piece of advice of the same level of obviousness and the same level of public neglect: do not keep Bluetooth, Wi-Fi and geolocation active on your device when you do not need them. Even if you do not care about data, you probably care about battery life. It's just a bad idea to let your device connect automatically to public Wi-Fi networks — the most unexpected things can happen that will be exploited by cybercriminals sooner or later.

6. Do not overshare

Data is the new oil, they say, so why walk around leaking that valuable liquid? Fill in only the required fields in forms. Participate in polls only if you get something for it, and it's worth it. Trade your information, don't gift it. And why actually would a flashlight app on your smartphone ask for access to your geolocation and contacts? Why does a weather forecast app want access to data storage and the camera? I mean, they know what to do with it (spoiler: they'll sell it to advertisers, at best), but what is in it for you?

6.1 Delete unused accounts. It is hard to remember everything you've ever signed up to, but at least pay attention to notifications and emails. It is sad in some way: companies try to galvanize you as a customer with their newsletters, and you thank them by leaving and covering your tracks.

6.2 Do not do work stuff at home. Do not do personal stuff at work. Do not do any important stuff in public networks.

If you actually need something done as soon as possible, do it, of course. But it is a nice lifehack to zone your activities in time and space, including the digital universe's space and time. Your office network administrator absolutely does not have to know anything about your personal finances, or whom you flirt with on Facebook. And all the shrinks of the world advise leaving your work at work (if in the midst of the pandemic world you are fortunate enough to possess a workplace separated from other places).

At least there is no dispute about public networks. Subway Wi-Fi, park Wi-Fi, cafe Wi-Fi, your neighbors' Wi-Fi — they are all shark pools, or at least you should treat them like that. Use a VPN and avoid passing anything even somewhat sensitive, visit only thoroughly protected websites (Google services are more or less so, a small independent e-commerce website — rather not, if you want an example).

7. Know your rights

Especially if you are in the EU. Or California. Or China. Or Russia. Do you get the idea?

Countries generally like to protect their citizens, and countries also like to be protected from their citizens. Explore the legislation around data, privacy, and digital services regulation in your country. Find out what you can and cannot do. What can and cannot be done to you. Ignorantia legis neminem excusat — ignorance of the law excuses no one.

8. Get yourself impressed

You might change your view on privacy if you find out how much data they harvest and what happens to people because of that. You can start from here.

Or maybe you should request your data gathered by Facebook (you can ask them, and not only them, "what do you know about me") and try not to turn paranoid discovering how much they know about you.

One more way to have a lot of fun: check your advertising preferences, for example, on Facebook or Google. See yourself in the distorting mirror of Zuckerberg's eyes. You can even correct them if they think that you are a COVID dissident, live in a four-story house, or have been to North Korea.

9. Discover handy tools and use them

VPN, DNS, ad blockers, antiviruses, browser incognito mode, cookie cleaning, private search engines and secure messengers — they are not made for criminals, spies, or celebrities. They are made for and used by real people, the Smiths next door. Browser incognito mode or a VPN can help you escape price discrimination (when airline tickets, hotels, rental cars, and many other things are more expensive for those who are considered by robots to be rich or more in need). An ad blocker saves you from attention draining, fatigue, procrastination, marketing manipulation, spontaneous spending, battery drain, and much more.

Of course, it is crucially important to choose a service provider or a vendor wisely. Use well-known solutions from experienced developers with positive feedback in independent reviews. Download apps only from official app stores and developers' websites (sometimes a mobile app can be downloaded only from a website because, let's say, Google does not allow apps with certain functions into its store, wink-wink).

10. Give feedback, report violations

Waste three or four taps, donate a second of your time to charity: report bad ads, spam, scams, bullying, and everything evil (or even just suspicious).

11. Think twice

This is good general advice for everyday life. Spontaneous emotional reactions exist to be abused. Don't act on impulse the next time you receive an email from a Nigerian prince.

12. Do not consider yourself protected and invulnerable by default

If you are neither rich nor stupid, it doesn't mean that your data is not of interest, or that there are no ways to get to it. Your personal information is worth more than you think, and there are people and corporations willing to take it from you.

13. Look after the weaker ones

Teach your children and your parents the rules of secure web experience that you learnt today (or knew beforehand). By protecting them, you protect yourself, if nothing else.

I really hope that at least some of these pieces of advice will be helpful for you. Even if there's too much to take in at once, start with something small: change your Google password that's been collecting dust for two years, or give VPN a go. Who knows, maybe you'll make a habit of keeping digital hygiene sooner than you'll notice.
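Section 1.1 above, and the exchange about Have I Been Pwned further down the thread, turn on one question: can a "has my password leaked" check be done without handing the password to anyone? As an added example (not code from the AdGuard post or from any poster in this thread), the following models the k-anonymity range query that the Pwned Passwords API uses: the password is SHA-1 hashed on the device, only the first 5 hex characters of the hash are sent, and the remaining 35 are matched locally. The breach corpus, its counts and FakeRangeServer are constructed stand-ins so the whole thing runs offline; a real client would issue an HTTPS GET for the prefix instead.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (not real data): password -> times seen.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3730471,
    "123456": 23597311,
    "correcthorsebatterystaple": 112,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

class FakeRangeServer:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    def __init__(self, corpus):
        self.table = defaultdict(list)   # 5-char prefix -> ["SUFFIX:COUNT", ...]
        self.prefixes_seen = []          # everything the server ever learns
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.table[h[:5]].append(f"{h[5:]}:{count}")

    def range(self, prefix: str) -> str:
        assert len(prefix) == 5, "client must send exactly the 5-char prefix"
        self.prefixes_seen.append(prefix)
        return "\n".join(self.table.get(prefix, []))

def pwned_count(password: str, query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix here."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]    # password and full hash never leave this function
    for line in query(prefix).splitlines():
        line_suffix, _, count = line.partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0

def check_password(password: str, query) -> dict:
    """The post's rules (12+ chars, a digit, a capital) plus the leak check."""
    return {
        "long_enough": len(password) >= 12,
        "has_digit": any(c.isdigit() for c in password),
        "has_upper": any(c.isupper() for c in password),
        "times_leaked": pwned_count(password, query),
    }

if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_BREACH_CORPUS)
    print(check_password("password", server.range), "server saw:", server.prefixes_seen)
```

The point to take away is in `prefixes_seen`: after a lookup the server holds a 5-character prefix that matches on the order of hundreds of hashes, which is what makes the check safe to use, whereas a form that asks for the password itself gets the password.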

plat1098

Sep 13, 2018
Under section 1.1, AdGuard makes the sweeping statement that sites which check leaked passwords "are probably scams." I don't believe haveibeenpwned has approached the realm of scam-hood (yet), unless I missed some recent development that changed its otherwise good reputation. As far as I know, it hasn't been snapped up by some online kraken like Google yet.

Most of the info here is OK and time tested but also very broad, vague, second-nature and redundant to many around here. Seriously, AdGuard should back-pedal a little bit on that "scam" statement if it wants to retain a measure of my goodwill.

Gandalf_The_Grey

Apr 24, 2016
Under section 1.1, AdGuard makes the sweeping statement that sites which check leaked passwords "are probably scams." I don't believe haveibeenpwned has approached the realm of scam-hood (yet), unless I missed some recent development that changed its otherwise good reputation. As far as I know, it hasn't been snapped up by some online kraken like Google yet.

Most of the info here is OK and time tested but also very broad, vague, second-nature and redundant to many around here. Seriously, AdGuard should back-pedal a little bit on that "scam" statement if it wants to retain a measure of my goodwill.
It's a bit extreme, and they say "probably" for leaked-password services, but they are okay with HIBP:
  • Not put in any forms except for the one made for it. Those "check your password strength" websites are scams. Those "check if your password has leaked" services are most probably scams too. Those fake website pages mimicking real websites are scams (they are called phishing for a reason). It’s okay to use services that check it by an email or by a phone number like Have I been pwned.
But it is good advice to be careful with those sites, especially the ones you are not familiar with.
Just use the trusted https://haveibeenpwned.com/