This is what I recommend for personal electronic security in the US in 2017.
- Use the one best product for a particular function:
  - Phone: iPhone
  - Desktop or laptop: Mac
  - Email: Gmail
  - Web browser: Chrome with uBlock Origin ad-blocking
- Evaluate each for possible replacement every 2-3 years,
- Enable automatic software updates,
- Use web-based services (do use Google Drive or Office365) rather than locally-installed software (don’t use Microsoft Office) whenever feasible,
- Uninstall all Adobe software if possible. At least, uninstall Flash and Acrobat.
- Use ad-blockers (uBlock Origin on Chrome, and Purify on iPhone),
- Use junk call screening (Nomorobo),
- Use multi-factor (AKA two-factor) authentication everywhere possible – especially at important service providers (such as a passphrase and SMS verification). Note: SMS verification is inadequate if you’re targeted by resourceful attackers. Instead, use Google Authenticator or a Yubikey.
- Use a password manager (1Password),
- Back up your data (Backblaze, and keep a paper copy of critical passwords in a sealed envelope in a home safe, or your credit union’s safe deposit box),
- Be skeptical when you receive alarming messages about money and passwords,
- And always ensure your software is up to date.
Perspective
Here’s where I stand, so you can weigh my advice accordingly.
Personal/political: I’m an upper-middle-class father of small children, in a dual-income household, in a quiet and safe beach town in what has been a politically stable corner of the world. As a white heterosexual male in the US, I have always played life on “easy” mode. Even so, I vividly remember the poverty of my childhood, and I know many people who continue to struggle in that context. My family and friends include a broad spectrum of humanity, and I believe in the inherent worth and equality of all.
Professional: I work in computer security at a large university. My work involves poring through collections of computer network logs for indications of compromise, identifying patterns and practices of attackers, and translating lessons learned to preventive engineering tasks and well-informed organizational decision-making. I’ve held similar positions at two other universities. I was also an information security architect at a multinational venture-funded renewable energy company. I first began working on challenging network security problems in 1993. All of this has taught me to balance caution with pragmatism, and to respect the fact that patterns and practices are more effective than any one particular security solution.
Intended Audience
This document is for people in the US or Canada who use the internet, but aren’t generally at risk of targeted attacks by resourceful jerks.
This document is probably inadequate for people who are at risk of a targeted attack by resourceful jerks. If you are an activist, please use this document as a baseline and then supplement it with the EFF’s generally good advice on the matter. If you’re anticipating or currently under online attack by organized gangs of misanthropes, this Geek Feminism document is an excellent resource.
A future version of this document will begin to address steps to mitigate unwanted interest from geopolitical adversaries such as Trump’s “alt-right” neo-nazis and their patrons, Putin’s mafia state.
Details
- Phone: iPhone
  - iPhones are hands down, without question, the most secure and cost-effective smartphone. A $350 iPhone purchased four years ago remains just as secure today, if kept current with free Apple software updates.
  - I recommend against Android. It’s possible to have a reasonably secure Android phone, but it’s difficult and expensive to do so. Android phones can be relatively cheap, but they don’t last more than a year or two before they lose support for new versions of Android OS. An older version of Android OS is the internet security equivalent of being the slower person running away from the bear.
  - If you must get an Android, get a Google Pixel phone and hope Google doesn’t stop offering and supporting that product line as quickly as they did its Nexus predecessor.
  - “Feature phones” (non-smartphones) aren’t exactly secure, but they also can’t do as much, so it’s kind of a wash if all you need is conventional voice+text.
  - Phone security gets complicated if you travel internationally.
  - Always protect your phone with fingerprint, PIN, or password authentication. This will prevent thieves and other adversaries from accessing your data if your phone is lost or stolen. (This gets more complicated in the context of protests and police activity in general.)
- Computer:
  - Mac (great)
    - As with any computer, ensure you’re always running the latest version of the operating system and all other software. Best to enable automatic updates.
  - ChromeBook (also great)
  - iPad (also great)
  - Windows 10 (probably OK, depending on what you buy and where you bought it).
    - Any PC you get at Costco, Best Buy, etc. will have “bloatware” on it which has a very significant negative impact on security – potentially even after uninstallation. Better to buy a “Signature Edition” PC from Microsoft, as those have little or no bloatware to begin with. The Surface tablets are pretty good.
    - Any Windows version older than 10 is substantially less secure. If you’re running Windows, you really need to run Windows 10.
    - As with any computer, ensure you’re always running the latest version of the operating system and all other software. Best to enable automatic updates.
  - It’s possible to have a reasonably secure Linux desktop or laptop computer, but it can be difficult, time-consuming, and error-prone to do so. If you don’t mind the extra effort, I recommend Ubuntu Desktop LTS.
- Email service: Gmail, ProtonMail, or Outlook.com.
  - Gmail remains by far the most secure, on every level. Email is difficult to do well, especially with regard to security. Gmail is leaps and bounds better than the rest.
    - Ideally, pay $5/mo per user to use G Suite or whatever they’re calling it this week. That’ll provide you with some features (and privacy protections) not available to free Gmail users.
  - ProtonMail is a Swiss company that emphasizes security, but mostly is effective against corporate data-mining and overzealous non-Swiss law enforcement. They’re a smaller and more customer-focused company than Google, but they’re not as good as Gmail at protecting you from phishing attacks and other common email security threats. Even so, they’re much better than some other email providers such as Yahoo, ATT, and Comcast.
  - Outlook.com (and the Office365 corporate email equivalent) is pretty good. Not as good as Gmail, but pretty good.
    - Hotmail was once good, then was awful for a long time, then started getting better again, and might remain good – time will tell.
  - Avoid and/or promptly migrate away from Yahoo mail, Riseup, and ISP-hosted email (especially Comcast).
    - Yahoo has had awful security for a long time, and every indication is that it will not get better.
    - Riseup is intensely targeted by a wide array of attackers whose skill and resources exceed those of the well-meaning people at Riseup.
    - ISP email is always poorly run from a security standpoint, even at good local ISPs.
      - Comcast is extra terrible because they’re intrusive with regard to data-mining and indifferent with regard to security.
  - Some smart security people currently like Fastmail.com. Fastmail was sub-par when I evaluated them in 2010, but it sounds like they’ve improved since then. I haven’t tried them recently.
  - If your employer’s email is based on internally-managed email servers, it’s best to assume it’s compromised and partially controlled by organized crime. Sorry. 😦 What made sense for email in 2007 is no longer feasible in 2017. Best to promptly migrate to a hosted email service such as Google Apps or Office365.
- Web browser (laptop/desktop): Chrome (best, by far). Or Microsoft Edge, if necessary.
  - Important: It’s not safe to use Safari on your laptop or desktop. Firefox is also seriously lagging in terms of security, and is presently not safe to use. Internet Explorer is obsolete (and thus not safe to use), having been replaced by Microsoft Edge.
- Web browser (iPhone/iPad): Safari, with a content blocker enabled.
  - Purify is a good option for ad-blocking on iPhone/iPad.
- Web browser (Android): Use Brave. Chrome on Android is merely OK because it doesn’t support ad-blocking. Brave supports ad-blocking on Android.
  - You should really switch to an iPhone.
- Web: uBlock Origin ad-blocking software.
  - To install, search the Chrome Web Store or Microsoft Store for “uBlock Origin”.
  - “But advertising pays for the internet! I should do my share by allowing ads.” That’s a principled argument, but impractical. The fact is that advertising networks are very effective at delivering unauthorized control over your computer to organized criminal gangs. Even Google’s ad network has been abused repeatedly for such purposes. You should protect yourself. You don’t need to be visiting a dodgy web site or even click on an ad for it to execute malicious code on your computer. Malicious software has repeatedly been delivered by ads on the New York Times and other reputable web sites. I wish I were exaggerating. If you don’t want to share control of your computer with organized crime, you need to block ads.
- Office software: Google Docs, or the web-based version of Office365.
  - If you have to use the locally-installed version of Microsoft Office, it’s vital to use the absolute latest version (no more than 30 days old); otherwise you’re at greater risk of losing control of your computer from infected documents. As with your operating system, it’s wise to enable automatic software updates.
  - Much safer to use the web-based versions, though.
- Photo hosting & sharing: Google Photos, Apple iCloud Photo Library, or SmugMug.
- Security software: Cisco OpenDNS Umbrella (or the home version) (Mac or Windows)
  - “What about antivirus?” Windows 10 includes Windows Defender, which is the best antivirus/antimalware on the market. Unfortunately, nearly all of the Mac antivirus/antimalware software causes more harm than good. Malwarebytes is a possible worthy exception. Avoid Symantec, Norton, McAfee, Avira, AVG, and Kaspersky.
- Messaging: WhatsApp (easy, and commonly used), and Signal (stronger privacy, easy to use, but not as commonly used)
  - Using these secure messaging tools will make it harder for people to intercept your communications. Even if you don’t personally feel at risk of such a thing, your use of such tools will help provide cover for groups currently targeted by the US government such as LGBTQs, non-Christians, non-males, non-whites, and the young.
  - In January 2017, the Guardian published a poorly-researched story which falsely claimed that WhatsApp has significant security failures. A large and diverse group of respected security professionals responded publicly to refute the Guardian, and assert that WhatsApp is secure and worth using. At the end of June 2017, the Guardian belatedly addressed this critique, reluctantly acknowledging that they were wrong, and that WhatsApp is safe for most people. If you use Facebook, using WhatsApp is much safer than other instant messaging tools such as SMS, AIM, Yahoo IM, Skype, Telegram, etc.