Identity & Privacy
Identity & contact information
- Don't share your real email or social links publicly
- Use aliases (alternate names or email addresses that forward to your real inbox) or throwaway addresses for forums, giveaways, and game servers
- Use multiple emails: one primary for important accounts, separate ones for signups, gaming, and social
- Use email aliases/forwarding services so you can disable an address if it gets spammed or traced
- Don't put personal contact info in your public profile or Discord bio
- Use different usernames for different platforms to prevent cross-referencing (linking your different accounts together to build a profile about you)
- Use a separate "burner" number (a temporary/disposable phone number you can throw away) for signups (Google Voice, MySudo, Burner)
- Be careful about giving your real phone number to any platform — many services have a "find friends by phone number" feature that cross-references your number against every other user's contact list, even people you've never interacted with. This can silently link your account to your real identity or other accounts you wanted kept separate
- Enable WHOIS privacy on all domains you own — without it, your name, email, phone, and address are publicly searchable. Most registrars offer privacy protection for $3–5/year
Digital footprint & social media
- Limit social media exposure — attackers research targets on social media. Don't post workplace details, vacation plans, family info, or location data. Set profiles to private
- Don't tag your location in real-time — wait until after you've left
- Don't post information that reveals your daily routines or patterns
- Disable people tagging you in photos without approval
- Regularly audit your privacy settings on all platforms — they change frequently
- Limit who can see your posts, friends list, and personal information
- Review and revoke app permissions regularly (especially third-party apps)
- Google yourself periodically to see what information is publicly available about you — Google also allows you to request the removal of search results that display personal information about you via their Results about you tool
- Request data deletion from old accounts you no longer use
- Be careful about "fun" quizzes and personality tests — they often harvest data
- Check if your email has been in a known breach at haveibeenpwned.com and subscribe to breach alerts — if your password manager has a compromised password check, run it regularly
- For deeper breach searches, check intelx.io (Intelligence X, an OSINT search engine that indexes data breaches, paste sites, and leaked databases and can reveal whether your email, username, or password appeared in a dump) — it goes deeper than HIBP and indexes raw dump content, including paste sites
- Don't send face pics or identifying media to people you don't fully trust
- Don't share photos that can be reverse-searched (using Google Images or TinEye to find where else a photo appears online) or traced back to your other accounts — this can link your photos to your other accounts or real identity
- Avoid posting the same photo across multiple platforms — identical images can be cross-referenced to link your accounts together
- Watch out for background details in photos you share: reflections, documents, street signs, recognizable locations, and window views can all reveal where you are or live
- Assume everything you post online is permanent and could be screenshotted, leaked, or subpoenaed — even in private chats
- Don't announce when you're away from home, traveling, or on vacation — it signals an empty house
Data brokers & removal
- Data brokers are companies that collect and sell your personal information — name, address, phone number, relatives, employment history — often without your knowledge. Sites like Spokeo, WhitePages, BeenVerified, and dozens of others aggregate this data and make it publicly searchable
- You can request manual removal from most brokers individually by filling out their opt-out or content removal forms — it's tedious but free. Search "[site name] opt out" to find the form. Results don't always stick and may need to be repeated periodically
- In regions covered by GDPR (General Data Protection Regulation, the EU law that gives individuals the right to access, correct, and delete personal data held by companies) or similar privacy laws, you have the legal right to request deletion of your data — most brokers must comply within 30 days. Look for a "right to erasure" or "do not sell my information" link on their site
- Automated removal services like DeleteMe, Incogni, and Optery can handle opt-outs across hundreds of brokers on your behalf — research them carefully before paying, their coverage and effectiveness vary significantly. Some are more thorough than others and pricing models differ
- No removal service gets everything — treat them as a reduction in exposure, not a complete solution. Run periodic checks on your own to see what's resurfaced
Account Security
Passwords & authentication
- Use a strong password manager + generator — consider open-source options like Bitwarden for transparency and auditability; if you want full control over your data, KeePass and Vaultwarden are solid self-hosted alternatives
- Use a unique password for every single account — if you reuse passwords and one service is breached, attackers run credential stuffing attacks (automated attempts that try leaked email/password combinations across hundreds of other sites; extremely common and effective against password reuse) with your credentials until they get a hit. It doesn't matter how strong the password was — they already have it
- Never rely on yourself to invent strong passwords — always use your password manager's built-in generator. Create passwords as long and complex as the service allows: mixed case, numbers, special characters
- For passwords you must memorize (master password, device encryption), use a diceware passphrase (a passphrase created by rolling physical dice and looking up words from a word list; each word adds ~12.9 bits of entropy, so 6 words = ~77 bits, which is impossible to brute force yet surprisingly easy to remember) — roll five dice, look up each result in the EFF large word list, chain 6+ words together. Example: viewable fastness reluctant squishy seventeen pencil — a 7-word passphrase has ~90 bits of entropy and is one of 1.7 octillion possible combinations
- The process must be fully random — do not re-roll words until you get ones you like. That defeats the entropy
- Never use password hints — they're often guessable and can partially reveal your password
- Never share passwords, even with trusted people — use password manager sharing features instead
- Write your master passphrase on paper and store it somewhere physically secure — losing it means losing access to everything inside
- Rotate passwords periodically on important accounts — use your password manager's generator every time, never reuse or slightly modify old ones. Most managers let you set expiry reminders per account
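The diceware procedure above, as an added example (not code from the guide): it uses the OS random number generator in place of physical dice, parses the EFF large word list format, and computes the entropy figures quoted above. The file path EFF_WORDLIST_PATH and the placeholder_table fallback are assumptions so that it runs offline.

```python
# Added example (not from the original guide): diceware generation as the bullet
# above describes it, using the OS CSPRNG in place of physical dice. The EFF large
# word list is a text file of 7776 lines like "11111<TAB>abacus"; EFF_WORDLIST_PATH
# is an assumed local path to it, not something the guide specifies.
import itertools
import math
import secrets

DICE_PER_WORD = 5
WORDS_IN_LIST = 6 ** DICE_PER_WORD            # 7776 words
BITS_PER_WORD = math.log2(WORDS_IN_LIST)      # ~12.925 bits per word
EFF_WORDLIST_PATH = "eff_large_wordlist.txt"  # assumption: local copy of the EFF list


def parse_eff_wordlist(text: str) -> dict:
    """Parse 'NNNNN<TAB>word' lines into {'NNNNN': 'word'}; rejects malformed keys."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(maxsplit=1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key {key!r}")
        table[key] = word.strip()
    return table


def roll_key() -> str:
    """Five dice rolls, each drawn from the OS CSPRNG (never random.randint)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def generate_passphrase(table: dict, n_words: int = 7) -> str:
    """Chain n_words words; every roll is kept as-is (re-rolling destroys entropy)."""
    if len(table) != WORDS_IN_LIST:
        raise ValueError(f"word list must have exactly {WORDS_IN_LIST} entries")
    return " ".join(table[roll_key()] for _ in range(n_words))


def entropy_bits(n_words: int) -> float:
    """Entropy in bits when every word is chosen uniformly from the list."""
    return n_words * BITS_PER_WORD


def combinations(n_words: int) -> int:
    """Number of possible passphrases of this length (7 words: ~1.7 octillion)."""
    return WORDS_IN_LIST ** n_words


def placeholder_table() -> dict:
    """Stand-in table (dice keys used as words) so the code runs without the real list."""
    return {"".join(k): "".join(k) for k in itertools.product("123456", repeat=DICE_PER_WORD)}


if __name__ == "__main__":
    try:
        with open(EFF_WORDLIST_PATH, encoding="utf-8") as f:
            table = parse_eff_wordlist(f.read())
    except FileNotFoundError:
        table = placeholder_table()
    print(generate_passphrase(table, 7))
    print(f"{entropy_bits(7):.1f} bits, {combinations(7):.2e} combinations")
```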
Two-factor authentication
- Enable 2FA (two-factor authentication, a second verification step beyond your password: even if your password is leaked, an attacker still can't log in without your second factor) on every account that supports it — the hierarchy from weakest to strongest is: SMS → authenticator app → hardware security key
- Avoid SMS-based 2FA when possible — SMS can be hijacked via SIM swapping (an attacker convinces your carrier to transfer your number to their SIM card, intercepting all your SMS codes) and SS7 attacks (flaws in the global phone network protocol that allow attackers to intercept SMS messages and calls from anywhere in the world). Use an authenticator app or hardware key instead
- Protect against SIM swapping — contact your carrier to enable a SIM lock PIN so your number can't be transferred without it
- Use TOTP (Time-based One-Time Password: generates a 6-digit code every 30 seconds from a shared secret; works offline and can't be intercepted via SIM swap) authenticator apps — Aegis (Android, open source, encrypted local backup) or Ente Auth (cross-platform, end-to-end encrypted cloud sync) are the best options — avoid Authy (closed source, tied to your phone number) and Google Authenticator (no encryption at rest)
- Wherever passkeys (cryptographic credentials stored on your device that replace passwords entirely: phishing-proof, nothing to type, nothing to intercept; based on the FIDO2/WebAuthn standards) are supported, migrate to them — passkeys are cryptographically bound to the legitimate site, which means they are completely immune to phishing, credential stuffing, and server-side breaches. TOTP is still better than SMS, but passkeys are the strongest option available and should be your default wherever offered
Email security
- Use ProtonMail for sensitive communications — avoid Gmail, which scans message content for ad targeting. Use masked emails (also known as email aliases) for everything else — these are unique, randomly generated addresses that forward to your real inbox, keeping your actual address hidden. They protect your identity in breaches since your true email is never exposed, keep your real address hidden from marketers building ad-targeting profiles, let you permanently block any alias that starts getting spam, and are handy for redeeming extra free trials or new customer discounts. You can generate them directly from Bitwarden's built-in generator using DuckDuckGo Email Protection
- Never click links in unsolicited emails — navigate to sites directly by typing the URL
- Check sender addresses carefully — attackers use look-alike domains (paypa1.com vs paypal.com)
- Be suspicious of any urgent request involving money, credentials, or account access — verify through a separate channel
- Beware of fake password reset emails — always go to the site directly, never through an email link
- Disable automatic image loading in emails — tracking pixels (invisible 1x1 images) report back to the sender when you open an email, revealing your IP address and the time you opened it
- Don't reply to spam — it confirms your email address is active
- Use temporary email providers (Temp-Mail.org, Guerrilla Mail, RovixCloud) for throwaway signups — warning: you can't recover accounts if you lose access
- Use separate email accounts for different purposes (personal, work, shopping, throwaway)
Messaging apps
App choice & trust
- Most mainstream messaging apps are not private
- SimpleX and Session are the most privacy-oriented options available — SimpleX has no user identifiers whatsoever, not even a username or phone number, while Session routes messages through a decentralized network with no account registration required. Use them with awareness: no tool is bulletproof, and the people you communicate with are always the weakest link
- If you want to compare messengers in depth, offshore.cx has a detailed breakdown of popular apps across encryption, metadata collection, jurisdiction, and more
- Even on a private app, assume the conversation can be compromised from the other end — you can control your device, not theirs
Hardening what you already use
- If you use WhatsApp, disable automatic media downloads in settings — images, documents, and audio from unknown senders can deliver malicious payloads without you ever opening anything manually
- Consider using auto-deletion tools that automatically wipe your messages shortly after sending — many people assume private servers or closed communities protect them, but message history is a liability regardless of where it lives; open-source tools exist for platforms like Discord and Telegram that can automate this, or you can write your own
- Enable disappearing messages natively where the app supports it — Signal, WhatsApp, and Telegram all have this option per conversation
- Never accept files or links from people you don't know, even in group chats — group members are rarely vetted and a single compromised account can target everyone in it
Safe Browsing & Downloads
Links, files & executable content
- Don't click unknown links — even in DMs, Discord, or texts from people you know
- Treat verification links, prize-claiming links, and bot DMs as suspicious by default
- Never click links in SMS, iMessage, or WhatsApp texts — smishing (SMS phishing: fake texts impersonating banks, delivery services, or contacts to steal credentials or install malware) is widespread. Attackers fake delivery alerts, bank warnings, and "verify your account" texts. Always go to the site directly or call the official number
- Don't download files from strangers or unknown sources
- Malicious code isn't limited to obvious executables — project files like Visual Studio solutions, Unity projects, or modded game files can all execute code silently alongside the legitimate program; treat anything from an untrusted source as a potential threat regardless of the file type
- Avoid opening executables (programs that run on your computer: .exe, .app, .dmg files), scripts (code files that automate tasks: .bat, .sh, .py files), archives, or macros (automated commands in documents that can execute malicious code) from unknown people
- Never run commands or terminal scripts copied from the internet unless you understand exactly what they do
- Enable file extension visibility — malware hides as harmless files (e.g., "invoice.pdf.exe"). Windows: File Explorer → View → Show file extensions. Mac: Finder → Preferences → Show all filename extensions
- Scan suspicious files at VirusTotal, MetaDefender, Hybrid Analysis, and Jotti — run the file through all of them, not just one. Each uses different engines and detection methods, so a file that comes back clean on one scanner might get flagged by another. Even then, a clean result across all four doesn't guarantee the file is safe — treat it as reducing uncertainty, not eliminating it
Platform & community safety
- Don't link Spotify, Steam, or other social accounts to your Discord profile — it leaks personal info and makes you easier to identify across platforms
- Don't share your Spotify playlists or profile publicly — listening habits can be used to identify or track you
- Don't put other people in your profile or bio without their consent
- Don't authorize unknown Discord bots or random OAuth flows (Open Authorization lets apps access your account without being given your password) — they can harvest account data or permissions
- Avoid verifying accounts via links sent by bots — many are IP loggers (malicious links that capture your IP address the moment you click them)
- Do not log into other people's accounts — it exposes your IP (Internet Protocol address, your device's network identifier) and location to them
- Be cautious with community content (mods, user-created add-ons that change how a game works, and plugins, software components that add features to existing programs) — only download from trusted sources (CurseForge, Modrinth, Steam Workshop, Nexus Mods)
- Avoid joining private or unknown Minecraft servers — server hosts can see your real IP address
- Verify if mod installers ask to run scripts or external installers — that's a red flag
- Check comment sections for warnings before downloading anything from community sources
- To hide your email from GitHub commits (saved code changes, which log your email publicly by default), go to Settings → Emails → enable "Keep my email addresses private". This only applies to future commits
Browser Privacy
VPN & network privacy
- Use a reputable no-logs VPN (Virtual Private Network: encrypts your internet traffic and hides your IP address from the sites you visit and from your ISP) — Mullvad is a strong choice: strict no-logs policy, accepts anonymous payment, and doesn't require an email to sign up
- Never use public WiFi without a VPN — cafes, airports, and hotels are prime spots for MitM (man-in-the-middle) attacks, where an attacker sits between you and the network, intercepting traffic to steal credentials or inject malicious content
- A VPN hides your IP and encrypts traffic from your ISP — but it does not stop fingerprinting, malware, phishing, or tracking by sites you're logged into
- Always check a VPN's no-logs policy and jurisdiction — some countries legally require providers to retain data
Browser basics
- Use Brave or Firefox with uBlock Origin (an open-source ad and tracker blocker, one of the most effective privacy extensions available) for daily browsing — it blocks ads, trackers, and fingerprinting scripts by default with minimal setup
- Use privacy-respecting search engines — DuckDuckGo or Brave Search instead of Google, which builds a detailed profile from every search
- Clear cookies (small data files websites store on your device to track sessions and remember you across visits) and cache (temporarily stored web content that can be used to track browsing patterns) regularly, or enable automatic clearing on browser close
- Disable third-party cookies in browser settings — they're the primary mechanism for cross-site tracking
- Enable cookie isolation if your browser supports it — Firefox's Total Cookie Protection confines each site's cookies to their own jar so they can't be used to track you across the web; Brave does this automatically through storage partitioning. Both prevent a tracker on one site from reading data it set on another
- Resist installing lots of extensions — every extension adds detectable signals that make your browser fingerprint more unique and identifiable
Device & System Security
Hardware & physical security
- Use full-disk encryption (encrypts your entire drive so the data is unreadable without your password if the device is stolen) — VeraCrypt for Windows, FileVault for Mac, LUKS for Linux
- Cover your webcam when not in use — use a physical shutter or tape
- Disable microphone access for apps you don't fully trust
- Never use public USB charging stations (airports, hotels, cafes) — juice jacking (a compromised USB port installs malware or steals data while your device charges) can happen silently. Use your own charger and wall outlet, or carry a power bank
- Never plug in unknown USB drives — they can contain malware that auto-executes on insert. Treat all found USBs as hostile
- Disable USB auto-run on your system to prevent automatic malware execution
- Enable automatic screen lock after short idle periods — set it to 1–2 minutes
- Consider a separate device for sensitive activities (banking, private communications)
Proactive defense — antimalware
- The best antivirus is Windows Defender + common sense — if you don't click shady links, don't download random files, don't run unknown executables, and don't disable security features for "convenience", you eliminate the vast majority of infection vectors before any software has to step in. Defender is a solid, built-in, always-on baseline that doesn't require installing extra closed-source software you can't audit. Prevention will always beat detection
- Don't wait to be infected to think about malware — run antimalware tools actively, not just when something feels wrong. Windows Defender is solid baseline protection if kept updated, but layering additional tools catches what signature-based scanners miss
- Malwarebytes (free tier) and HitmanPro use behavioral and cloud-based detection — run periodic scans even if nothing seems wrong, especially after installing new software or running unfamiliar files
- For always-on paid protection, CrowdStrike Falcon, Bitdefender, and ESET are strong options — all offer real-time threat detection, ransomware protection, and endpoint monitoring that goes well beyond what free tools provide
- Enable Windows Defender's tamper protection (prevents malware and unauthorized software from disabling Defender's real-time protection) — found in Windows Security → Virus & threat protection settings — many malware strains try to disable antivirus as their first step
Software & system security
- Keep your OS (operating system: Windows, macOS, Linux; most attacks target unpatched vulnerabilities) and software updated, but treat them differently — apply security updates immediately as they patch actively exploited vulnerabilities, but wait 1-2 weeks before installing general software updates since new releases can introduce vulnerabilities that haven't been caught yet
- Disable location services when not needed — many apps track you unnecessarily in the background
- Turn off Bluetooth and WiFi when not actively using them — both can be exploited for proximity attacks
- Enable your firewall — Windows Firewall, macOS Firewall, or UFW on Linux. The default settings block most inbound threats without any configuration
- Run your day-to-day user account without administrator privileges — most malware needs admin rights to do serious damage. Use a standard account and only elevate when you actually need to
Identity & Privacy
Media & metadata stripping
- Strip metadata (hidden information embedded in files: location, date, device model, sometimes even the serial number; in photos this is EXIF, Exchangeable Image File Format, which can reveal GPS coordinates, camera model, firmware version, and exact timestamps) from every file before sharing — use ExifTool (a command-line tool to view and bulk-remove metadata from images, documents, and audio files) or MAT2 (Metadata Anonymisation Toolkit, which removes metadata from a wide range of file types including PDFs, Office files, and images). A photo taken on your phone contains your exact GPS coordinates, device model, and timestamp by default
- Even after stripping EXIF, images may still carry steganographic watermarks (hidden data embedded within the image pixels themselves, invisible to the eye but detectable by tools) — some platforms embed invisible identifiers to trace leaks back to the source account
- Documents (PDF, DOCX) carry metadata too — author name, edit timestamps, tracked changes, and sometimes previous content. Strip with ExifTool or use MAT2 before sending sensitive files
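An added example (not from the guide, and not how ExifTool or MAT2 are implemented) showing what stripping EXIF removes at the byte level: it walks a JPEG's marker segments, drops the metadata-carrying ones, and copies the pixel data through untouched, which is also why a steganographic watermark in the pixels survives. The JPEG skeleton it runs on is constructed inline and is not a decodable picture.

```python
# Added example (not from the original guide): a minimal pure-Python JPEG metadata
# stripper. It removes Exif/XMP (APP1), Photoshop/IPTC (APP13) and COM segments,
# keeps everything the decoder needs (JFIF, tables, frame header), and leaves the
# entropy-coded scan data byte-for-byte intact. Assumes a baseline JPEG with SOS.
import struct

SOS, EOI = 0xDA, 0xD9
APP1, APP13, COM = 0xE1, 0xED, 0xFE
METADATA_APP1_PREFIXES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def iter_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed header segment up to SOS,
    then ('scan', rest) for the image data that follows the SOS segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while data[pos] == 0xFF:          # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos]
        pos += 1
        if marker == EOI:                 # headers only, no scan data
            return
        (length,) = struct.unpack(">H", data[pos:pos + 2])   # length includes itself
        payload = data[pos + 2:pos + length]
        pos += length
        yield marker, payload
        if marker == SOS:
            yield "scan", data[pos:]
            return


def is_metadata_segment(marker, payload: bytes) -> bool:
    """APP13 and COM always carry metadata; APP1 only when it is Exif or XMP."""
    if marker in (APP13, COM):
        return True
    return marker == APP1 and payload.startswith(METADATA_APP1_PREFIXES)


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Rebuild the file without metadata segments; scan data is copied verbatim."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(data):
        if marker == "scan":
            out += payload
            break
        if is_metadata_segment(marker, payload):
            continue
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def segment_markers(data: bytes) -> list:
    """Marker codes of the header segments, in order (handy for before/after diffs)."""
    return [m for m, _ in iter_segments(data) if m != "scan"]


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, a fake Exif block, a comment, a quantization
# table, an SOS header and three bytes of "scan" data followed by EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08GPS-PLACEHOLDER")
    + _seg(COM, b"shot on my phone, 2024-01-01")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print([hex(m) for m in segment_markers(SAMPLE_JPEG)], "->",
          [hex(m) for m in segment_markers(cleaned)])
```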
Account Security
Hardware security keys
- FIDO2/WebAuthn hardware keys (e.g. YubiKey) are the gold standard for account security — they are phishing-resistant by design. FIDO2 (Fast IDentity Online 2) is an open authentication standard built on public-key cryptography: the private key never leaves the device and the challenge is domain-bound, making phishing mathematically impossible. WebAuthn (Web Authentication API) is the browser standard that implements FIDO2: when you insert a key and tap it, the key signs a challenge tied to the exact domain, so a fake site gets a different challenge and the signature will never match
- What hardware keys protect against: remote brute-force attacks (attacker has no key), phishing (keys are cryptographically bound to the real domain — they simply won't authenticate on a fake site), and credential database leaks (stolen password + no key = no access)
- What hardware keys do not protect against: a compromised machine (malware can act as you after login), physical threats, bad security habits elsewhere, the website itself being hacked, or accounts that don't support FIDO2
- Think of it like a good lock on your front door — it doesn't help if your walls are made of glass. Security is about layers. A hardware key is one strong layer, not a complete solution
- Always register two keys on every account — one primary, one backup stored safely offline. If you lose your only key you can get permanently locked out
- YubiKey 5 series supports FIDO2, TOTP, OpenPGP, PIV, and more — the Security Key series is cheaper and covers FIDO2/WebAuthn only, which is sufficient for most people
2FA backups & recovery
- Always save your recovery codes (one-time backup codes provided when you enable 2FA; each code can only be used once) — store them in your password manager or printed and locked away in a physically secure location, not in a screenshot on your phone
- When using TOTP, back up the shared secrets — either export encrypted from Aegis, use Ente Auth's encrypted cloud sync, or copy the QR code secret into an encrypted container like VeraCrypt at setup time
- Hardware key users: register two keys with the same accounts — never rely on a single physical device. Keys can be lost, stolen, or simply stop working over time
- Don't reuse recovery emails or phone numbers across accounts — a single compromised recovery contact cascades across everything
- Use a secondary, dedicated recovery email address that is not publicly connected to your identity and has its own strong password and 2FA
Email hardening
- If you own a domain, enable SPF (Sender Policy Framework, which validates that emails are sent from authorized servers), DKIM (DomainKeys Identified Mail, which cryptographically verifies email authenticity), and DMARC (Domain-based Message Authentication, which tells receiving servers how to handle emails that fail authentication) — this prevents email spoofing in your name
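An added example (not from the guide) that checks the SPF and DMARC records you would publish for such a domain for the weak settings that still let others spoof you; the record strings are constructed samples and example.com is a placeholder.

```python
# Added example (not from the original guide): checks SPF and DMARC TXT records
# of a domain you own for settings that still allow spoofing. Records are passed
# in as strings; fetching them live is left to your DNS tooling.

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit; beyond it receivers return permerror


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings as strings; an empty list means nothing weak was found."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to spam; p=reject blocks them")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports on spoofing attempts")
    return findings


def spf_lookup_count(terms: list) -> int:
    """Count mechanisms/modifiers that cost a DNS lookup (ip4/ip6/all do not)."""
    count = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        name = name.split(":")[0].split("=")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count


def assess_spf(record: str) -> list:
    """Check the SPF 'all' terminator and the DNS lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every server on the internet to send as you")
    elif last == "?all":
        findings.append("'?all' is neutral: unknown senders are neither passed nor failed")
    elif last == "~all":
        findings.append("'~all' only soft-fails unknown senders; '-all' is the strict option")
    elif last != "-all":
        findings.append("record does not end with an 'all' mechanism")
    lookups = spf_lookup_count(terms)
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {MAX_DNS_LOOKUPS}: receivers will permerror")
    return findings


# Constructed sample records (example.com is a placeholder domain)
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
STRONG_SPF = "v=spf1 mx include:_spf.example.com -all"

if __name__ == "__main__":
    for name, rec, check in (("DMARC", WEAK_DMARC, assess_dmarc), ("SPF", WEAK_SPF, assess_spf)):
        print(name, rec, "->", check(rec) or "ok")
```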
Browser Privacy
VPN leaks & DNS hardening
- Use WireGuard as your VPN protocol (a modern protocol that is faster, leaner, and more auditable than OpenVPN or IKEv2; a smaller codebase means a smaller attack surface, and Mullvad supports it natively). Set it in Mullvad's app under Settings → VPN settings → Tunnel protocol
- Enable multi-hop (double VPN) — your traffic enters through one Mullvad server and exits through a second in a different country. The entry node sees your IP but not your destination; the exit node sees your destination but not your IP, so neither knows both at once. Found in Mullvad app → Settings → VPN settings → Enable multi-hop
- Enable quantum-resistant tunnels in Mullvad — this adds a post-quantum key exchange layer on top of WireGuard (Mullvad implements it with Kyber-1024 alongside the standard Curve25519 handshake) to protect against future quantum computers that could retroactively decrypt intercepted traffic. Enable under Settings → VPN settings → Quantum-resistant tunnel. Requires WireGuard
- Disable WebRTC (Web Real-Time Communication, a browser API that can expose your real local IP address even when you're behind a VPN; sites use it to unmask VPN users) in your browser — it leaks your real IP even with a VPN active. Disable it via uBlock Origin's settings or browser flags. Test at browserleaks.com/webrtc
- Use encrypted DNS to prevent your ISP from logging every domain you visit (DNS, the Domain Name System, translates domain names into IP addresses; unencrypted DNS is plaintext, so your ISP sees every domain you visit even through a VPN) — Mullvad's hardened DNS over HTTPS/TLS resolver blocks ads, trackers, and malware at the DNS level. Without it, DNS queries leak outside the VPN tunnel even when traffic is encrypted
- Enable Mullvad's DAITA (Defence Against AI-guided Traffic Analysis) feature — it adds noise and cover traffic to your traffic patterns to defeat AI-based traffic analysis that can profile VPN users and their activities even through encryption
- Check for DNS leaks (when your DNS queries bypass the VPN tunnel and go directly to your ISP's resolver, exposing every domain you visit despite being on a VPN) regularly at mullvad.net/check — a leaking VPN provides a false sense of security
- Use Mullvad's SOCKS5 proxy alongside the VPN for per-app routing — while the VPN covers all your traffic, you can point a specific app or browser through a separate Mullvad exit node via the proxy, adding an extra hop. The proxy runs inside the VPN tunnel, so that traffic is still encrypted. This further reduces the chance of your computer's identity being revealed, reduces CAPTCHAs, and adds an extra routing layer without exposing unencrypted traffic. Configure it in your app's proxy settings while the VPN is active; Mullvad publishes a setup guide for this
Browser hardening & compartmentalization
- Use Mullvad Browser or Tor Browser for sessions requiring strong anonymity — never use your regular browser for these
- Use container tabs (Firefox Multi-Account Containers, a browser feature that fully isolates websites from each other: Facebook in one container can't see cookies or sessions from your bank in another) to isolate different activities from each other — each container has its own cookies, storage, and identity
- Disable JavaScript (it powers most fingerprinting, tracking, and browser exploits; disabling it breaks many sites but massively reduces attack surface) on untrusted or unfamiliar sites using uBlock Origin's blocking mode or NoScript — most drive-by exploits require JS
- Compartmentalize browsers by purpose — never mix sensitive sessions with everyday use. Use Mullvad/Tor for anonymous activity, Brave or Firefox for daily browsing, and a separate profile for accounts tied to your real identity
- LibreWolf is a hardened Firefox fork with privacy defaults already configured — a good daily driver if you prefer Firefox's extension ecosystem with less manual setup
Browser fingerprinting — blend in, don't hide
- A browser fingerprint is a near-unique profile built from your GPU rendering, fonts, screen metrics, audio quirks and more — VPNs and cookie deletion don't stop it
- The goal is to blend into the largest crowd possible, not to disappear or randomize wildly — over-spoofing makes you look more suspicious to modern ML-based detectors (machine learning systems that flag browsers with inconsistent or unusual fingerprint signals as automated or suspicious)
- Best for anonymity: Mullvad Browser or Tor Browser — both force a large anonymity set where thousands of users look identical to sites
- Best daily drivers: Brave with Shields set to Aggressive — blocks fingerprinting scripts and randomizes signals per session; or Firefox with uBlock Origin and privacy.resistFingerprinting enabled in about:config. Both are solid choices; combine either with a no-logs VPN
- Firefox option: Enable Enhanced Tracking Protection → Strict, then set privacy.resistFingerprinting = true and privacy.resistFingerprinting.letterboxing = true in about:config. Add uBlock Origin — avoid heavy customization or extra extensions
- Limit extensions to 2–4 max — every extension adds detectable signals that make your fingerprint more unique
- Compartmentalize — use Mullvad/Tor for sensitive sessions, Brave/Firefox for daily browsing. Never mix personal logins across them
- Test your fingerprint at coveryourtracks.eff.org (aim for "randomized" or "not unique") and amiunique.org — don't guess, verify
- Canvas (an HTML element used to render graphics; the exact pixel output varies per GPU/driver, making it a powerful fingerprinting vector), WebGL (a browser API for 3D graphics that reveals GPU model and driver details, highly unique per device), and audio fingerprinting (tiny differences in how your system processes audio are used to identify you across sites) are the hardest vectors to spoof — purpose-built browsers handle these automatically; extensions rarely do it well
Mullvad Browser — what it protects and what breaks it
- Mullvad Browser is private until you touch the settings — out of the box it randomizes canvas fingerprints (each render produces slightly different pixel values, so the output is non-unique across Mullvad users), disables WebGL (to prevent GPU-based fingerprinting) and WebAuthn (Web Authentication, disabled to prevent device-based fingerprinting), standardizes language/audio/input devices across all users, and wipes cookies, supercookies, and stored data on close
- Don't install extensions and don't touch about:config — any extension can modify page behavior and shady scripts can detect which extensions you're running, reporting it back to the server
- You can run multiple isolated profiles — start from the command line with mullvad-browser -P. Use one for anonymous browsing (no extensions), another for social networks with your own settings. Profiles are fully isolated from each other
- If you customize, know what breaks: disabling letterboxing (gray padding added around the page to hide your exact window size — disabling it reveals your screen resolution) exposes your real window size; turning off privacy.resistFingerprinting.randomDataOnCanvasExtract breaks canvas randomization; privacy.resistFingerprinting.spoofOsInUserAgentHeader likely makes you more unique, not less
- Relatively safe to enable: security.webauth.webauthn for hardware security keys, and privacy.resistFingerprinting.target_video_res to allow video above 480p
- Restart the browser regularly and rotate your VPN server/location — this clears all cookies and tracking data and changes your exit IP
- Be careful with proxy extensions — they save your proxy exit after closing the browser, persisting your identity across sessions
- Logging in anywhere with real data breaks your anonymity for that session — use temp mail (disposable email addresses for signups — keeps your real identity separate) and temporary phone numbers
- Don't ignore DAITA (Defence Against AI-guided Traffic Analysis) — Mullvad VPN's obfuscation feature that adds noise to your traffic patterns to defeat AI-guided traffic analysis
Device & System Security
Hardware & physical security
- Enable Secure Boot in your UEFI settings — it verifies the bootloader hasn't been tampered with before your OS loads, blocking bootkits and rootkits installed before Windows/Linux starts
- Set a strong BIOS/UEFI (Basic Input/Output System — the firmware that initializes hardware before the OS loads) password — without it, an attacker with brief physical access can disable Secure Boot or boot from external media
- For maximum anonymity, run Tails OS from USB — it leaves no trace after shutdown and routes all traffic through Tor
- Dead man's switches — some laptops support presence detection and can lock automatically when you step away. Check your OS settings. For stronger protection, BusKill is a USB cable that automatically locks or wipes your machine the moment it's physically disconnected — designed for high-risk situations where someone might grab your device while it's unlocked
- Evil maid attacks — if a device leaves your possession even briefly, assume it could be physically tampered with. When possible, buy devices in person from a physical store rather than having them shipped to your address (shipping intercept attacks exist). Never leave a laptop unattended in a hotel room or public space. Full-disk encryption + Secure Boot mitigates most evil maid scenarios but not all
Software & system security
- Close unnecessary open ports — scan your own system with Nmap to see what's exposed, then close what you don't need
- Configure your firewall beyond defaults — pfSense or UFW with explicit allow rules, default deny posture
- Use intrusion detection — Snort or Suricata can detect attacks in real-time on your network
Data, files & secure transfers
- For truly secure file transfers use OnionShare — it hosts files as a temporary Tor hidden service so the recipient downloads directly from your machine with no third-party server involved
- Magic Wormhole gives quick end-to-end encrypted peer-to-peer transfers via a short one-time code — nothing touches a server
- Encrypt files before transferring them regardless of the channel — use 7-Zip with AES-256 or VeraCrypt to wrap files before sending. Share the password through a separate channel so interception of one doesn't expose both
- Verify file integrity with checksums (a unique hash of a file — if the checksum matches the official one, the file hasn't been tampered with), such as SHA-256, when downloading important software — compare against the official hash on the developer's site
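A worked version of the checksum check above, added here as an example (it is not code from the original guide). It assumes the vendor publishes the SHA-256 either as a bare hex string or in the common SHA256SUMS format; the "installer" it hashes is a constructed temporary file.

```python
"""Verify a downloaded file against a vendor-published SHA-256 hash.

Added example, not code from the original page. It assumes the vendor
publishes the hash either as a bare hex string or in the common
SHA256SUMS format ("<hex>  <filename>" or "<hex> *<filename>").
"""
import hashlib
import hmac
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so large installers fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse SHA256SUMS-style text into {filename: lowercase hex digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not HEX64.match(parts[0]):
            continue  # ignore malformed lines rather than guessing at them
        name = parts[1].lstrip("*")  # '*' marks binary mode in sha256sum output
        sums[name] = parts[0].lower()
    return sums


def verify_file(path, expected_hex):
    """True only if the file's SHA-256 equals the published value.

    Case-insensitive (vendors publish both cases), constant-time compare,
    and a malformed expected value fails closed instead of "passing".
    """
    if not HEX64.match(expected_hex or ""):
        return False
    return hmac.compare_digest(sha256_of_file(path), expected_hex.lower())


def verify_against_sums(path, sums_text):
    """Look the file up by basename in a SHA256SUMS listing and verify it."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # no published hash means nothing can vouch for the file
    return verify_file(path, expected)


def demo():
    """Constructed sample: a fake installer plus a matching vendor listing."""
    installer = os.path.join(tempfile.mkdtemp(), "tool-1.0.exe")
    with open(installer, "wb") as f:
        f.write(b"not a real installer, just constructed sample bytes\n" * 1000)
    good = sha256_of_file(installer)
    sums_text = f"{good.upper()} *tool-1.0.exe\n"  # vendor-style, uppercase hex
    tampered = good[:-1] + ("0" if good[-1] != "0" else "1")  # one nibble off
    return {
        "ok": verify_against_sums(installer, sums_text),
        "tampered": verify_file(installer, tampered),
        "missing": verify_against_sums(installer, "# nothing listed\n"),
    }


if __name__ == "__main__":
    print(demo())
```

A mismatch or a missing entry both return False; never fall back to "probably fine" when the published hash cannot be found.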
Cloud security — if you must use it
- If you use cloud storage or services, enable MFA on every cloud account — AWS, GCP, Dropbox, Google Drive — a compromised cloud account with no 2FA is an open door to everything you've stored
- Use client-side encryption (encrypting data on your own device before it's uploaded — the cloud provider only ever sees ciphertext and cannot read your files even if subpoenaed) before uploading anything sensitive — tools like rclone with its crypt backend let you encrypt files locally and sync them to any cloud provider. The provider sees only ciphertext
- Regularly audit who has access to your cloud resources — revoke old app authorizations, inactive accounts, and OAuth tokens you no longer use
- Review access logs if your provider offers them — unexpected logins from unknown IPs or regions are a red flag
- Apply the principle of least privilege (grant only the minimum permissions necessary — a service that only reads files should never have delete permissions) — each app or service should only have the exact permissions it needs, nothing more
- Prefer providers that publish transparency reports and have a clear no-logging policy — Proton Drive is end-to-end encrypted by default and cannot read your files even internally
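The least-privilege rule above ("a service that only reads files should never have delete permissions"), turned into a policy check as an added example that is not from the original guide. It uses AWS IAM policy JSON as the concrete format because the page names AWS; the bucket name, the action catalogue and both policies are constructed, and Deny statements and Condition blocks are deliberately not modelled.

```python
"""Least-privilege check for a cloud IAM policy.

Added example, not from the original page. It uses AWS IAM policy JSON
as the concrete format because the page names AWS; the bucket name, the
action catalogue and both policies are constructed samples. Wildcard
actions ("s3:*", "s3:Delete*") are expanded against the catalogue and
every granted action a read-only role does not need is reported.
Deny statements and Condition blocks are not modelled here.
"""
import fnmatch
import json

# Constructed subset of S3 actions, just enough to expand the wildcards below.
S3_ACTIONS = [
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy", "s3:DeleteBucket",
]

# Everything a role that only reads files from one bucket needs.
READ_ONLY = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}


def expand_actions(pattern, catalogue=S3_ACTIONS):
    """Expand an IAM action pattern; IAM wildcard matching is case-insensitive."""
    return {a for a in catalogue if fnmatch.fnmatchcase(a.lower(), pattern.lower())}


def granted_actions(policy):
    """Every action an Allow statement grants, with wildcards expanded."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be given bare
        statements = [statements]
    allowed = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):      # "Action" may be a string or a list
            actions = [actions]
        for pattern in actions:
            allowed |= expand_actions(pattern)
    return allowed


def excess_permissions(policy_json, needed=READ_ONLY):
    """Sorted list of granted actions beyond `needed`; empty means least privilege."""
    return sorted(granted_actions(json.loads(policy_json)) - needed)


# Constructed sample policies for a bucket named "example-bucket".
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
})
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

if __name__ == "__main__":
    print("overbroad policy grants extra:", excess_permissions(OVERBROAD_POLICY))
    print("tight policy grants extra:", excess_permissions(TIGHT_POLICY))
```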
Backups & secure file handling
- Follow the 3-2-1-1 rule (an enhanced version of the classic 3-2-1 backup rule — adds a mandatory air-gapped/immutable copy to defend against ransomware that can encrypt or delete any connected backup) — 3 copies of your data total (production + 2 backups), on 2 different storage types (e.g. SSD + NAS), 1 copy stored off-site (geographically separate — a trusted person's house, a bank safe deposit box), plus +1 extra copy that is fully air-gapped (physically disconnected from all networks and power — ransomware cannot encrypt or delete what it cannot reach; connect only briefly during scheduled updates, then disconnect and store securely offline) — this last copy is the key enhancement and cannot be altered, deleted, or reached by malware even if your main machine and NAS are both compromised
- Your production copy lives on your daily machine or NAS — your local backup syncs automatically to a secondary NAS or a separate volume (use restic, rsync, or VeraCrypt-encrypted volumes) — your off-site copy is an encrypted drive stored away from home that you rotate in every 1-4 weeks to update — and your air-gapped +1 copy is a completely disconnected encrypted drive stored in a fireproof safe or second off-site location, updated infrequently (e.g. quarterly or after major changes), connected only briefly to refresh then immediately disconnected again
- The air-gapped copy is your last line of defense — ransomware can encrypt every drive on your network, wipe NAS shares, and even corrupt cloud sync copies in seconds, but it cannot touch a drive that is physically unplugged and locked away. Without this copy, a single infection can destroy every backup you have
- Use versioned backups — keep multiple versions so you can restore from before a ransomware hit or corruption event, not just the most recent state
- Test your backups periodically — a backup you've never restored from is a backup you don't actually have. Run a test restore on a non-critical file at least once every few months
- Encrypt all your backups — an unencrypted NAS or portable drive is a liability if accessed or stolen. Use VeraCrypt containers for all backup volumes
- Prioritize what actually matters — at minimum back up: documents, photos, passwords (already in your manager), 2FA secrets, and anything irreplaceable
- Avoid cloud storage for sensitive files — store locally with encryption (converting data into unreadable code that only you can decrypt with the right key or password) using VeraCrypt. If you must use cloud, use Proton Drive or self-host (run your own storage server instead of relying on third-party cloud providers)
- Securely delete files when you no longer need them — standard deletion leaves data recoverable. Use BleachBit or Eraser to wipe data properly
- Don't screenshot or save sensitive info in unencrypted notes apps
- Use password-protected archives (compressed file containers such as .zip or .7z) for sending sensitive files — 7-Zip with AES-256 (Advanced Encryption Standard with 256-bit keys — military-grade symmetric encryption) is the recommended choice
- Never store passwords, private keys (secret cryptographic keys used to decrypt data or access crypto wallets — losing them means losing access forever), or sensitive documents in plain text
Router & IoT security
- Change your router's default password immediately — default credentials are publicly known and actively scanned for
- Disable WPS (WiFi Protected Setup) on your router — it's convenient but has severe known vulnerabilities that can be exploited to crack your WiFi password in hours
- Use WPA3 encryption if your router supports it — if not, use WPA2-AES at minimum. Never use WPA or WEP
- Disable UPnP (Universal Plug and Play) on your router — it automatically opens ports for devices, which creates security holes attackers can exploit. Configure port forwarding manually when you actually need it
- Put IoT (Internet of Things — smart devices like cameras, thermostats, speakers, and locks that connect to the internet) devices on a separate guest network — if compromised, they can't reach your main computers
- Never expose IoT devices directly to the internet — use a VPN for remote access instead
- Change default credentials on ALL IoT devices — cameras, NAS drives, printers all ship with known default passwords
- Update router firmware regularly — routers are rarely updated by default but contain critical vulnerabilities
- Disable remote management on your router unless absolutely necessary
- Review connected devices regularly — an unknown device on your network is a red flag
Data classification
- Not all data needs the same level of protection — categorize before you store or share: Public (can be freely shared), Sensitive (personal but not critical — treat with care), Confidential (financial, medical, legal, credentials — strong encryption, access control, minimal sharing)
- Apply protections proportional to the category — confidential data should never touch unencrypted cloud storage, public Wi-Fi, or devices without full-disk encryption
- Be honest about what category something falls into — most people underclassify. Your home address combined with your schedule is confidential, not public
- Minimize how much confidential data you store at all — data you don't hold can't be stolen from you
Zero-trust mindset
- Zero trust is a security model built on one assumption: nothing is safe by default — no user, device, or network is trusted, and every request must be verified regardless of where it comes from, even inside your own network. Not your home network, not your work VPN, not your own devices. Every access request should be verified, authenticated, and limited
- Treat your internal network the same as a public one — segment devices, require authentication between them, and don't assume something is safe just because it's on your LAN
- Don't trust a device just because you own it — if it's been out of your control, treat it as potentially compromised
- Assume breach — operate as if an attacker may already be inside. Log, monitor, and limit blast radius by keeping systems compartmentalized
- Access should expire — temporary access, rotating credentials, and session timeouts reduce the window an attacker can exploit a stolen token
Advanced network tools
- Use VLANs (Virtual Local Area Networks — logical network segments that isolate traffic; IoT devices on one VLAN can't reach your computers on another, even on the same physical router) to segment your network — put IoT devices, guest devices, and personal computers on separate VLANs. If a smart bulb or camera is compromised, it can't reach your main machines
- Pi-hole is a DNS-level ad and malware blocker you run on your local network — it blocks known malicious domains before a connection is even made, for every device on your network including ones you can't install software on (smart TVs, consoles)
- Combine Pi-hole with DNS-over-HTTPS (DoH — encrypts DNS queries so your ISP can't see which domains you're resolving; normally DNS is plaintext and fully visible to your provider) or DNS-over-TLS upstream resolvers (Cloudflare 1.1.1.1, Mullvad DNS) to prevent your ISP from seeing your DNS queries
- Wireshark lets you capture and inspect actual network traffic — useful for auditing what your devices are phoning home to. Run it occasionally to see what's leaving your network
- Keep your firewall set to default-deny — explicitly allow only what you need. Every open port is an attack surface
- Replace stock router firmware with OpenWrt for deeper control, proper security updates, and features like VLANs and custom DNS — far more secure than most ISP-supplied firmware
OPSEC & Mindset
Operational security (OPSEC — the practice of protecting sensitive information through careful behavior, compartmentalization, and awareness)
- Don't discuss sensitive plans or activities on monitored, public, or third-party platforms — assume any platform can be subpoenaed or breached
- Don't mix personas — keep different online identities completely separate: different accounts, devices, browsers, and email addresses. One slip links them permanently
- Be aware of timezone leaks (the time you post can reveal your approximate location or timezone, especially across multiple posts over time) in posts and timestamps — consistent posting hours across accounts can be used to correlate them
- Vary your patterns — don't be predictable in login times, posting times, locations, or online habits. A pattern looks like: posting on the same account every day between 9pm and 11pm, always from the same city — over time that alone can be used to correlate accounts or narrow down who you are
- Use different writing styles for different personas — writing patterns (stylometry: linguistic analysis of writing style — word choice, sentence length, punctuation habits — used to link anonymous writing to real identities) can be used to link anonymous accounts to your real identity
- Don't reuse unique phrases, jokes, or expressions across different identities
- Be cautious about what you "like" or interact with — engagement creates a detailed profile of your interests, beliefs, and habits
- Minimize personal details shared anywhere: hometown, workplace, school, family, birthdate
- Every detail is another data point someone investigating you can use
- Human error is the greatest vulnerability — think before you click, post, share, or trust
- If you think you're targeted, preserve evidence and consider immediately rotating all keys, passwords, and contact points
- Consult professionals if needed — some situations require legal, forensic, or law enforcement involvement
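The timezone-leak and posting-pattern points above, as a self-audit you can run on exports of your own post history. This is an added example, not code from the original guide; it converts each persona's post times to UTC, builds an hour-of-day profile, and scores how similar two profiles are. All timestamps are constructed sample data.

```python
"""Self-audit: can two of your accounts be linked by posting times alone?

Added example, not from the original page. It builds an hour-of-day
activity profile (in UTC) for each persona from post timestamps and
scores how similar the profiles are. All timestamps below are constructed
sample data; real ones would come from your own post history exports.
"""
import math
from datetime import datetime, timezone


def hour_profile(timestamps):
    """Normalised 24-bin histogram of posting hours, converted to UTC."""
    bins = [0.0] * 24
    for ts in timestamps:
        # Assumes ISO-8601 strings with an offset, e.g. "2024-05-01T21:15:00+02:00".
        bins[datetime.fromisoformat(ts).astimezone(timezone.utc).hour] += 1.0
    total = sum(bins)
    return [b / total for b in bins] if total else bins


def cosine(a, b):
    """Cosine similarity of two profiles: 1.0 means identical timing habits."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def active_hours(profile, threshold=0.05):
    """UTC hours carrying at least `threshold` of the account's activity."""
    return [h for h, p in enumerate(profile) if p >= threshold]


def timing_overlap(posts_a, posts_b):
    """Return (similarity score rounded to 3 places, shared active UTC hours)."""
    pa, pb = hour_profile(posts_a), hour_profile(posts_b)
    shared = sorted(set(active_hours(pa)) & set(active_hours(pb)))
    return round(cosine(pa, pb), 3), shared


def risk_level(score):
    """Rough verdict on how much timing alone narrows you down."""
    if score >= 0.8:
        return "high"
    if score >= 0.5:
        return "moderate"
    return "low"


# Constructed sample data. Personas A and B are the same person posting every
# evening from a UTC+2 timezone on two platforms; persona C is a night owl
# in a UTC-5 timezone.
DAYS = range(1, 15)
PERSONA_A = [f"2024-05-{d:02d}T{h:02d}:10:00+02:00" for d in DAYS for h in (21, 22)]
PERSONA_B = [f"2024-05-{d:02d}T{h:02d}:40:00+02:00" for d in DAYS for h in (21, 22, 23)]
PERSONA_C = [f"2024-05-{d:02d}T{h:02d}:05:00-05:00" for d in DAYS for h in (23, 1)]


if __name__ == "__main__":
    for name, other in (("B", PERSONA_B), ("C", PERSONA_C)):
        score, shared = timing_overlap(PERSONA_A, other)
        print(f"A vs {name}: similarity={score} risk={risk_level(score)} "
              f"shared UTC hours={shared}")
```

A "high" result means the two accounts should not be assumed separate on timing grounds; shifting or randomising when you post is the mitigation the guide describes.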
AI tools & data exposure
- AI assistants like ChatGPT, Claude, Gemini, and others process and in many cases store the content of your conversations — by default, many use your inputs to improve their models. Treat them like a public forum: don't paste anything you wouldn't want logged
- Sensitive data people commonly paste without thinking: source code with API keys or credentials, internal company documents, personal medical or legal information, private messages, and financial data. Any of it could be stored server-side, reviewed by employees, or exposed in a breach
- Most providers offer an opt-out from training data collection — find it in account settings and disable it if you use these tools regularly. Some offer a "temporary chat" or incognito mode that doesn't retain history
- Browser-based AI integrations and extensions may have access to everything you type and every page you visit — read the permissions before installing any
Incident response (breached / ratted — infected with a RAT (Remote Access Trojan), malware that gives an attacker full remote control of your device)
- Immediately disconnect from the internet — unplug ethernet, disable WiFi and Bluetooth
- Do NOT log into any accounts from the compromised device
- Change all passwords from a different, clean device
- Enable 2FA on all accounts if you haven't already
- Check for unauthorized logins and active sessions across all accounts and revoke them
- Revoke all API tokens (access keys that allow apps to use your account without your password) and active sessions immediately
- Scan the compromised device with multiple tools — Malwarebytes, HitmanPro, Windows Defender Offline; if scans return clean but you still suspect infection, do not trust that result — a rootkit (malware that hides itself and other malicious software from the OS and security tools by operating at a lower level than what scans can see) or bootkit (a rootkit that infects the bootloader or firmware, loading before the OS and making it invisible to any software running inside the OS) can hide from the OS it lives in
- Check startup programs, scheduled tasks (automated programs set to run at specific times — a common persistence mechanism for malware), and browser extensions for anything suspicious
- If you know or strongly suspect you have malware, the only reliable remediation is a full wipe and clean OS reinstall — disconnect from the internet entirely before doing anything, then boot from a trusted offline USB installer, delete all existing partitions during setup (do not simply format the system partition — delete them all and let the installer create new ones from scratch), then reinstall Windows while the network cable is unplugged; only reconnect after the OS is fully installed and updated; do not attempt to "clean" the infection and continue — a compromised system cannot be trusted, and every minute it runs is another opportunity to collect passwords, keystrokes, files, and credentials
- If it is a rare firmware/BIOS/UEFI rootkit (an infection embedded in the motherboard firmware itself — it survives OS reinstalls and drive replacements because it lives below the OS level entirely; very uncommon on consumer hardware but possible), even the above may not suffice — you might need to reflash the firmware using vendor tools or, worst case, replace hardware
The safest way to attempt a firmware reflash for a suspected UEFI rootkit:
- Physically disconnect all storage drives (SSD/HDD) to prevent any OS-level reinfection during the flash process
- Boot into the BIOS/UEFI setup directly, or use the manufacturer's dedicated flash method from a USB in a pre-boot environment if supported
- Download the latest official firmware from the vendor on a separate, clean computer — verify file hashes if the vendor provides them — and prepare a bootable USB flash tool
- Perform the flash completely offline, with no network connection and no storage drives connected where possible
- After flashing, wipe or replace storage, reinstall the OS from trusted offline media as described above, and enable Secure Boot (a UEFI feature that prevents the system from booting unsigned or untrusted code, blocking most bootkits), TPM (Trusted Platform Module — a hardware chip that stores cryptographic keys and integrity measurements, used to detect tampering with the boot process), and any firmware-level protections available in your BIOS
- If normal flashing fails — for example it is blocked, reverts, or the infection persists — options narrow significantly: the only remaining path is replacing the motherboard
- Monitor your financial accounts for unauthorized transactions
- Consider freezing your credit (locks your credit file so no new accounts can be opened in your name without your explicit approval) if personal information was exposed
- Document everything — timestamps, suspicious activity, files accessed, what was on the device
- Notify contacts — a compromised account will often be used to attack people who trust you
- Assume all data that was accessible on the device is stolen
- Report to relevant platforms and authorities where appropriate
Common Cyber Attacks
Ransomware
Malware that encrypts a victim's files, with attackers demanding a ransom to restore access.
Phishing / Social Engineering
Deceptive emails or messages designed to steal sensitive data like passwords or credit card numbers.
DDoS Attacks
Distributed Denial of Service: Flooding a system with traffic to overwhelm resources and crash services.
Man-in-the-Middle (MitM)
Intercepting communication between two parties to steal information.
Insider Threats
Security risks originating from within the organization, such as employees or contractors.
SQL Injection
Injecting malicious code into a server to view or steal data from a database.
Zero-Day Exploits
Attacks targeting unknown software vulnerabilities before a patch is released.
Business Email Compromise (BEC)
Targeted phishing scams aimed at employees to authorize fraudulent bank transfers.
Credential Theft
Using stolen usernames and passwords to gain unauthorized access.
SIM Swapping
Convincing your phone carrier to transfer your number to a new SIM card to gain account access.
Keylogger
Software that records everything you type to steal passwords and sensitive data.
Spyware
Software installed to monitor device activity, location, and communications — often by someone you know.
RAT (Remote Access Trojan)
Malware that gives attackers full remote control of your device, allowing them to spy, steal data, or execute commands.
Cryptojacking
Using your device's resources to mine cryptocurrency without your permission or knowledge.
IP Grabbing
Capturing your IP address on peer-to-peer (P2P) platforms where users connect directly to each other (Skype calls, some games) using tools like Wireshark. Discord uses centralized servers — all traffic goes through Discord's servers, not directly between users — so IP grabbing cannot happen on Discord.
Emerging Threats
- AI-Powered Threats: Voice cloning, deepfakes (AI-generated fake audio or video that realistically impersonates real people), and hyper-personalized phishing are being used to impersonate loved ones, enable sextortion, and make scams nearly indistinguishable from reality.
- AI-Adaptive Malware: Malware that uses AI to mutate its own code in real time, evading signature-based detection by never looking the same twice — can autonomously probe for vulnerabilities and adapt its attack path based on the target's defenses.
- Supply Chain Attacks: Compromising a trusted vendor to gain access to their customers' systems.
- Cloud-Based Attacks: Targeting misconfigured cloud storage and services to steal data.