Tutorial: Privacy Survival Guide (Updated 10/29/21)
As a hacker, I'm a big advocate for privacy on your devices. Privacy and security go hand in hand: with privacy you also get security, because complete privacy requires everything to be secure and encrypted, and with security you also get some privacy.
Privacy means keeping your metadata safe. Metadata is the content of an email, your location, the details of your device, what you've searched online, etc. Metadata can be used against you.
In one case, googling a medical symptom can potentially cause your health insurance cost to rise. That isn't right; we all need some form of privacy. The argument "I'm not doing anything wrong, so I have nothing to hide" is a null argument. Just because you think it's harmless or not illegal doesn't make it so, and it can still be used against you. Benjamin Franklin said it best: "Those who surrender liberty for security, shall have neither".
In this tutorial, I break the level of privacy you want down into stages. Please take note of what your possible threat model is. For most, the threat model is black hat hackers. For others, it might be your ISP [internet service provider], advertisers, or even governments.
Pick the stage that works best for what you believe is your threat model and follow the steps within the stage.
To manage your child's Android devices, follow my how-to here before doing this guide.
STAGE #1: [For Most]
1. Use Signal as your SMS and video chat app instead of other apps. Signal uses end-to-end encryption from one device using Signal to another device using Signal, which keeps your discussions private and away from prying eyes. Don't use WhatsApp. OTR encryption is a good option on Windows.
Side Note (10/31/21): Check out Signal's recent law enforcement request for metadata. Spoiler: they have two things, the phone number and the last connection.
2. Use a VPN. For this stage, any VPN will do, except for the providers listed below. A VPN encrypts your data so others can't sniff your traffic on a WIFI network or a cellular network.
Note: ProtonVPN has a completely free plan.
VPN apps listed as 'dangerous':
- SuperVPN Free VPN Client
- TapVPN Free VPN
- Best Ultimate VPN - Fastest Secure Unlimited VPN - Korea VPN - Plugin for OpenVPN
- Wuma VPN-PRO (Fast & Unlimited & Security) (Removed from Google Play store)
- VPN Unblocker Free unlimted Best Anonymous Secure - VPN Download: Top, Quick & Unblock Sites (Removed from Google Play store)
- Super VPN 2019 USA - Free VPN, Unblock Proxy VPN
- Secure VPN-Fast VPN Free & Unlimited VPN (Removed from Google Play store)
- Power VPN Free VPN (Removed from Google Play store)
(Updated 1/1/21)
3. Use Firefox, Bromite, or Brave as your browser. I prefer Brave; it is secure by default and very fast. Plus they keep their browser patched regularly, keeping you safe from browser exploits. Make sure to enable "do not track" within the settings. Some websites will honor this request, but others will not. Additionally, Brave randomizes your browser fingerprint and blocks ads by default, for protection against trackers.
Test your browser's fingerprint and other security items:
4. Cover your camera. Whether it's your computer, tablet or phone, cover the camera. A lot of third parties have access to it without needing advanced permission (see me hacking this below). Plus, with the numerous malicious apps within the app stores, it's a good idea either way. There are covers you can buy on Amazon for $6, or a cheaper alternative is to use electrical tape.
( UPDATED 1/17/21 )
4a. In Android 10 & up, you can also enable "Sensors Off" in the Android pull-down quick menu. This will shut down the sensor hardware (ex. camera, microphone, etc). To enable this you'll need to:
- Go to Settings, search for Build Number.
- Tap the Build Number 10 times to enable Developer Mode.
- Go to the Developer Menu and look for Quick Settings Developer Tiles.
- Open Quick Settings Developer Tiles and enable Sensors Off.
- The Sensors Off icon will show up in the pull down quick menu selection.
- Enable USB Debugging.
4b. Disable System Trace in Developer Menu.
4c. Disable "Always Allow Wifi Scanning" and Bluetooth scanning.
5. Use a 2 factor authentication app. Do not use the SMS code feature of the account and do not use Google Authenticator. Both of these have exploits. Instead use an app called Authy or andOTP.
How do I setup 2 factor authentication?
6. Check your data breach status. Go to https://haveibeenpwned.com/ to see if your account was found in a data breach. If it was, change the password and use the 2 factor authentication app.
Note: Use this password generator and save them to your password manager.
7. Turn on automatic updates for all OS software.
8. Adjust your baby monitor settings. Most baby monitors are hacked because users don’t know to change the default settings. When you set up any internet-enabled camera, create a unique username and password. Also, turn off the babycam when it’s not in use. That will make hackers less likely to discover it.
9. Adjust your smart TV's default settings. Automatic content recognition (ACR) systems built into many smart televisions transmit data to analytics companies that may use it for marketing. You've already paid for your TV with money. If you don't want to pay again with your data, hunt through your TV's "smart" settings for the feature. It may be called Live Plus, SynPlus, or ACR. Turn it off.
10. If you want to hide your number from caller ID, dial *67 before the number you want to call.
11. On Android use the Simple Mobile Tools apps. Replace the Google contacts, dialer, photo explorer, calendar, calculator, etc. with the Simple Mobile Tools apps. Simple Mobile Tools doesn't collect anything and needs only bare-bones permissions. It won't get your data.
https://play.google.com/store/apps/dev?id=9070296388022589266&hl=en_US&gl=US
Additionally, I would suggest you get rid of the Amazon Alexa, Google Nest, etc. But within this stage, it's an option.
Side Note:
I would disable the Amazon Alexa Sidewalk feature. See this how-to on disabling it.
And go here to properly adjust the settings for the most privacy possible on your smart assistant (ie Alexa):
11. Turn off WIFI and Bluetooth when you're not using them, and forget open WIFI networks. If not, your device will automatically connect to any network with the same name, which might be a black hat hacker's network getting into your device.
12. Opt out of Google personalized ads within your Google account on your device's settings. Also do this with your Amazon & Apple account.
Go through your Google privacy settings and disable history settings, location settings, etc.
13. Use Jumbo to protect your social media accounts. See my tutorial:
https://www.boredhacker.biz/2020/02/tutorial-how-to-easily-protect-your-data.html?m=1
13a. Don't use the social media app. Use your browser and create an "Add to Home" shortcut instead.
14. Your default keyboard could be, and most likely is, gathering your data as you type. By using a keyboard to spy, data brokers can get everything you type. To get around this I suggest using Simple Keyboard or AnySoftKeyboard as your default keyboard. These are open source and don't collect, send, or get data. They are strictly just keyboards.
15. Disable image loading in your email to block pixel tracking. See the link below for more info:
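As an added illustration of what item 15 protects against (example code written for this page, not from the original post): a small Python detector that flags remote images in an HTML email that look like open-tracking pixels, plus the blocking step a mail client effectively performs when image loading is off. The sample email and its hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample newsletter; the hostnames are placeholders, not real services.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for subscribing!</p>
<img src="cid:logo@newsletter" width="200" height="60">
<img src="https://track.example.invalid/open?rid=u-8812&amp;c=promo7" width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/hero.jpg" width="600">
</body></html>"""


class TrackingPixelFinder(HTMLParser):
    """Collects remote <img> tags and flags the ones that look like tracking pixels."""

    def __init__(self):
        super().__init__()
        self.remote_images = []  # every image that would trigger a network fetch
        self.suspects = []       # (src, reasons) for the likely trackers

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        val = lambda key: (a.get(key) or "").strip()
        parsed = urlparse(val("src"))
        if parsed.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded and load nothing remotely
        self.remote_images.append(val("src"))
        reasons = []
        if val("width") in ("0", "1") or val("height") in ("0", "1"):
            reasons.append("tiny")
        style = val("style").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if parsed.query:
            reasons.append("per-recipient query string")  # the fetch identifies you
        if reasons:
            self.suspects.append((val("src"), reasons))


def find_tracking_pixels(html):
    """Return [(src, reasons), ...] for images that look like open-tracking beacons."""
    finder = TrackingPixelFinder()
    finder.feed(html)
    return finder.suspects


# What "disable image loading" amounts to: remote <img> tags are never fetched.
# Here they are cut out of the HTML entirely; embedded cid:/data: images are kept.
REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']https?://[^>]*>', re.IGNORECASE)


def strip_remote_images(html):
    return REMOTE_IMG.sub("<!-- remote image blocked -->", html)
```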
16. Install AirGuard. This will protect you and your data from other people's "Find My Device" style trackers (ex. Apple AirTag):
On F-Droid:
17. Follow my steps in the following link to complete your Stage #1 privacy and security.
SIDE NOTE:
1.) If most of your contacts use iOS, then iOS is the best option within this stage. Things are end-to-end encrypted from one iOS device to another iOS device. Another alternative is using Signal for your SMS.
2.) iOS and Google Pixel devices have good security, but lack privacy. For an alternative, see Stage #6. But they're working on the privacy portion.
Here is an example of it (10/8/20):
STAGE #2: [Little more protection for Most]
Do all of Stage #1, plus the following:
1. Turn off third party cookies and turn on 'do not track me' within Firefox, Bromite, or Brave. This will block some advertisers' metadata collection and tells websites not to follow you while using their website [cough, cough, Amazon, Google, Apple, cough, cough].
2. DO NOT USE GOOGLE. Google's search engine is free because your data and metadata are the product for advertisers and other 3rd parties. USE DUCKDUCKGO or BRAVE SEARCH; they're well known not to track you or log anything about you. Plus they filter out Google search results, so it's a win-win.
Here is an example of why you do not use Google (10/8/20):
3. Enable "HTTPS ONLY MODE" in Firefox and Bromite. Brave has this enabled by default. Some websites use both http [not secure] and https [secure]. Using HTTPS Everywhere or HTTPS only mode forces the browser to use https on every website that has https, and warns you when you're entering an http-only site. To find HTTPS ONLY MODE in Firefox, go into Settings and type "https only mode" in the settings search bar.
4. Use ProtonMail instead of Gmail for email. ProtonMail is well known for its privacy and security. It's based in Switzerland, which is fantastic, and it gives you a lot of great features. One being that it'll show you the actual URL before opening it, which is great for preventing phishing attacks.
5. DO NOT USE DROPBOX. Instead use Mega cloud storage. It's end-to-end encrypted, free, and gives you 20GB of free space. Plus, their prices for additional space are cheap.
Help us out and use this referral:
6. Get rid of the Amazon Alexa, Google Nest, etc. They've been known to secretly record and the data is handed to law enforcement upon request, without a warrant.
Go here to find out more as to why:
STAGE #3: [Advertiser Concerns]
Do everything from Stage 2, except get a NO LOG VPN provider. I would suggest NordVPN or ProtonVPN. NordVPN works with streaming apps; ProtonVPN is more secure/private. And do the following:
1. No log vpn recommendation:
Side Note
Switzerland & Iceland are privacy-friendly countries with very strong data privacy laws.
Sweden is regarded as privacy-friendly, but since they're a member of the 14 Eyes, I would say Sweden is not privacy-friendly. The exception is Mullvad VPN, because of the minimal info needed for an account.
See this detailed article on what is the 5 eyes, 6 eyes, 9 eyes, & 14 eyes:
2. In Firefox, Bromite, or Brave, turn off cookies and JavaScript. These give out a lot of data. Note: most websites might not function properly.
3. Get a Firefox extension to block WebRTC. WebRTC can give out your real IP, which makes the no log VPN useless. To test what your browser is giving out go here: https://panopticlick.eff.org/
Note: To disable WebRTC on your browser, here's how:
4. Use Privacy Badger, a Firefox extension that protects your data and privacy.
5. Block all permissions. On Android, you can use a permissions manager. This will turn on an app's permissions when the app is open and automatically turn them off when the app is closed.
Android permissions manager:
https://www.boredhacker.biz/2019/12/tutorial-auto-manage-permissions-for.html?m=1
STAGE #4: [little more protection for advertiser concerns]
Do all of Stage #3, except use the Tor Browser instead of Firefox. And do the following:
1. Depending on what you are doing, you would use a VPN with Tor either before the Tor connection or after. For most, connecting to a VPN or a Tor bridge before connecting to Tor will be just fine. The Tor Browser hides your location, while the VPN hides from your ISP that you are using Tor. Using a VPN after the Tor connection encrypts your data so the Tor exit node can't read it. For further protection, use the Tor bridge option.
Don't forget to set the Tor security level to Maximum.
Side Note:
Only change the Tor security option. Tor makes you look just like millions of other Tor users; changing anything else will make you stand out and identifiable.
2. Do not use your real information online. Use a fake name for free accounts and use a prepaid credit card for online purchases. Bitcoin is also a good alternative if the site accepts it.
3. Block location permissions from all apps. Using the app permissions manager will help on Android.
4. Do not use social media. If you have any social media, delete the account, uninstall the app, and delete the data. Social media services are sneaky and get access to all kinds of data on your device.
5. Use GnuPG to encrypt your email messages.
6. Delete old accounts you're not using. Use https://www.accountkiller.com/en/home to get a guide on how to remove specific account services.
7. De-Google your device. Newer Android versions do not need a Google account to function. Disable all Google apps and remove their permissions. Use open source apps that can be found on the F-Droid app market to replace the Google apps.
Download F-Droid:
8. To find out who's selling your data, follow my tutorial here:
9. Find out what apps have trackers/loggers, how many, and from where. Note that there are lots of privacy friendly alternatives to popular apps. Use this simple search to find out the status of an app's trackers:
10. Use a privacy friendly DNS. Here's a good list of DNS servers. You may have to try a few to find the one you like. Some will be slower than others.
I use NextDNS. See my how-to setup:
Also test what trackers are blocked by your DNS selection, using this test site:
STAGE #5: [Government Surveillance Concerns]
Do all of Stage #4, plus the following:
1. Use a VM [virtual machine]. A VM is an operating system running within another operating system, except it doesn't have your information. For Android, use VMOS.
2. Remove yourself from data brokers. When you give a company your information online, they share the crap out of it. By going to https://www.optoutprescreen.com/ and https://dmachoice.thedma.org/, you can request your information to be removed from databases.
3. Read through all the privacy policies and terms of use of all the services you use. Most will hide the devilish details there.
(Updated 1/1/21)
4. If using Android, de-Google your device. Android 9 and newer can be set up without signing into Google. Use F-Droid and the Aurora Store for apps. F-Droid has system replacement apps with nearly zero permissions. But still use Bouncer to manage permissions.
STAGE #6: [little more protection for Government surveillance concerns]
Do all of Stage #5, except use the following:
1. DO NOT USE WINDOWS, ANDROID, OR APPLE. Use Tails OS from a live USB or CD on your PC. Tails OS is private by default and pushes all traffic through the Tor network only. Tails OS will leave NO TRACE ON THE PC.
The alternate option is Whonix in a VM.
Note: The host OS (Windows, Mac) can monitor anything you do within the VM, which makes Tails OS the absolute best option.
How Do I Install Tails OS?
2. On Android, do not use the default OS, especially on Google Pixel devices. Instead, flash a firmware called GrapheneOS.
It has solid privacy and security by default. The project's website has good installation instructions.
3. Use 7zip for sending and storing files.
4. Change your writing style often and purposefully misspell words. Government entities have software that'll match up your writing style to identify you. Yeah, government surveillance can get pretty intense and mind-boggling.
5. Keep all your cellular connected devices away from each other and never use them on the same network. Your IMEI and IMSI are logged, along with which other IMSI/IMEI devices were nearby, for how long, when, where, etc. Using a burner device also helps with this, but buy the device and its call/data plan with cash only.
6. For more privacy and security use all this on an open public wifi, like a library.
7. Use the on-screen keyboard on Tails OS. Some manufacturers have been known to place a keylogger backdoor in their products. Using the Tails screen keyboard protects you from such a keylogger.
8. Do not make your web browser full screen. This creates a unique identifier. Instead, keep the browser window at a fraction of the screen size.
9. Use ip-check.info for more detailed metadata information.
10. Use an email forwarder.
11. If you need to type a comment on a website, use the notepad program and copy/paste the comment into the site from notepad. Sites will log your keystrokes within their website.
For more tips, check out the EFF website:
https://www.eff.org/
Following these steps will keep you protected from your threat model, depending on what that is. But staying up to date with technology and privacy news will also help you make decisions and keep you safe as well.
HACK THE PLANET