The Motherboard Guide To Not Getting Hacked

The
Motherboard
Guide
to
Not
Getting
Hacked
VERSION_1.0 UPDATED_11.14.17
The Motherboard
Guide to Not
Getting Hacked
One of the questions we are asked most often at Motherboard is This guide isnt comprehensive and its not personalized; there is
how can I prevent myself from getting hacked? no such thing as perfect security and there are no one-size-fits
all solutions. Instead, we hope this will be a jumping-off point for
Because living in modern society necessitates putting an uncom- people looking to batten down the hatches on their digital lives.
fortably large amount of trust in third parties, the answer is often
not a whole lot. Take, for example, the massive Equifax hack Thats why weve tried to keep this guide as accessible as
that affected roughly half of the American population: Few peo- possible, but if you run into any lingo you dont know, theres a
ple voluntarily signed up for the service, and yet their information glossary at the end of this guide to help out.
was stolen anyway.
This guide is the work of many people on Motherboard staff both
Hackers steal hundreds of millions of passwords in one swoop past and present, and has been vetted by several of our sources,
and occasionally cause large-scale blackouts. The future is who we owe a great debt to. Large sections of it were written by
probably not going to get better, with real-life disasters caused by Lorenzo Franceschi-Bicchierai, Joseph Cox, Sarah Jeong, and
internet-connected knick-knacks, smart home robots that could Jason Koebler, but the tips within it have grown out of years of
kill you, flying hacker laptops, and the dangers of hackers getting writing and research on digital security by dozens of reporters
your genetic data. Meanwhile, an ever-growing and increasingly and infosec professionals. Consider it a forever-ongoing work-in-
passive surveillance apparatus that has trickled down to state and progress that will receive at least one big annual refresh, as well
local police is an ever-present threat to our digital privacy. as smaller updates when major new vulnerabilities are exposed.
Special thanks to Matt Mitchell of Crypto Harlem, and Eva
That doesnt mean its hopeless out there. There are lots of things Galperin, of the Electronic Frontier Foundation for reviewing
you can do to make it much more difficult for hackers or would- parts of this guide.
be surveillers to access your devices and accounts, and the aim
of this guide is to give you clear, easy-to-follow steps to improve Anyways, enough. This is the Motherboard Guide to Not
your digital security. There are, broadly speaking, two types of Getting Hacked.
hacks: Those that are unpreventable by users, and those you can
generally prevent. We want to help you mitigate the damage of
the first and prevent the second from happening.
You, as an individual user, cant do anything to prevent your

email provider, or the company that holds your financial details,
from getting hacked. But you can avoid phishing attacks that
will let a hacker get into your individual email account, and you
can also prevent a password obtained in a larger hack from being
reused on another, separate account you have.
2
Table of Contents
04 Digital Security Basics

05 Threat Modeling
06 Software Updates
07 Passwords
08 Two-Factor Authentication
11 Mobile Security
12 Threat Modeling
(Mobile edition)
12 iPhone vs Android
13 Android Security
13 SIM Card & Cell Account Security
14 Privacy, Messaging, and Avoiding

State and Police Surveillance
15 Threat Modeling
(Privacy and surveillance edition)
15 Signal & Messaging
16 Social Media
16 Cameras and Microphones
16 Lock Screen
16 OTR
17 Tor Browser
17 Virtual Private Networks
17 PGP
17 Email Providers and Servers
18 Hard Drive Encryption
18 Credit Cards
18 Notes for Journalists
19 The Future
20 Log Off
21 Glossary of Hacking and Cyber Terms
21 Glossary of Hacking and Cyber Terms
3
Digital
Security
Basics
4
Threat
Modeling
Everything in this guide starts with threat modeling, which Is your threat an ex who might want to go through your Facebook
is hacker lingo for assessing how likely it is you are going to account? Then making sure they dont know your password is a
get hacked or surveilled. When thinking about how to protect good place to start. (Dont share critical passwords with people,
your digital communications, it is imperative that you first think no matter who they are; if were talking Netflix, make sure you
about what youre protecting and who youre protecting it from. never reuse that password elsewhere.) Are you trying to keep
Depends on your threat model is a thing infosec pros say when opportunistic doxers from pulling together your personal infor-
asked questions about whether, say, Signal is the best messaging mationsuch as your birthdaywhich in turn can be used to
app or Tor is the most secure browser. The answer to any question find other details? Well, keeping an eye on what sort of stuff you
about the best security is, essentially: it depends. publish on social media would be a good idea. And two-factor au-
thentication (more on that below) would go a long way to thwart-
No one security plan is identical to any other. What sort of ing more serious criminals. If you are an activist, a journalist, or
protections you take all depend on who may try to get into your otherwise have reason to fear government, state, or law enforce-
accounts, or to read your messages. The bad news is that there are ment actors want to hack or surveil you, the steps you must take
no silver bullets (sorry!), but the good news is that most people to protect yourself are significantly different than if youre trying
have threat models in which they probably dont have to live like to keep plans for a surprise party secret from your best friend.
a paranoid recluse to be reasonably safe online.
Overestimating your threat can be a problem too: if you start
So before doing anything else, you should consider your threat using obscure custom operating systems, virtual machines, or
model. Basically, what are you trying to protect, and who are you anything else technical when its really not necessary (or you
trying to protect it from? dont know how to use it), youre probably wasting your time and
might be putting yourself at risk. At best, even the most simple
The Electronic Frontier Foundation recommends asking yourself tasks might take a while longer; in a worst-case scenario, you
these five questions when threat modeling: might be lulling yourself into a false sense of security with ser-
vices and hardware that you dont need, while overlooking what
What do you want to protect? actually matters to you and the actual threats you might be facing.
Who do you want to protect it from?
In certain places, this guide will offer specific steps to take if
How likely is it that you will need to protect it? you have a threat model that includes sophisticated actors. But,
How bad are the consequences if you fail? in general, its designed for people who want to know the basics
How much trouble are you willing to go through in order to of how to strengthen their digital security. If your threat model
try to prevent those? includes NSA hackers or other state-sponsored groups like Fancy
Bear, we recommend that you speak to a trained professional
about your specific situation.
5
Keep Your Apps

Up To Date
Probably the most important and basic thing you can do to protect Many common cyberattacks take advantage of flaws in outdated
yourself is to update the software you use to its newest version. software such as old web browsers, PDF readers, or spreadsheet
That means using an updated version of whatever operating sys- and word-processing tools. By keeping everything up to date, you
tem youre using, and updating all your apps and software. It also have a way lower chance of becoming a victim of malware, be-
means updating the firmware on your router, connected devices, cause responsible manufacturers and software developers quickly
and any other gadgets you use that can connect to the internet. patch their products after new hacks are seen in the wild.
Bear in mind that, on your computer, you dont necessarily have Hacking is often a path of least resistance: you go after the easy,
to use the latest iteration of an operating system. In some cases, soft, targets first. For example, the hackers behind the destructive
even slightly older versions of operating systems get security ransomware outbreak known as WannaCry hit victims who had
updates. (Unfortunately, this is no longer the case with Windows not applied a security update that had been available for weeks.
XPstop using it!) Whats most important is that your OS is still In other words, they knew they were going to get in because the
receiving security updates, and that youre applying them. victims had not changed the lock to their door even though their
keys had already been made available to everyone.
So if you come away with one lesson from this guide is: update,
update, update, or patch, patch, patch.
6
Passwords
We all have too many passwords to remember, which is why Intuitively, you might think its unwise to store your passwords
some people just reuse the same ones over and over. Reusing on your computer or with a third party password manager. What
passwords is bad because if, for example, a hacker gets control if a hacker gets in? Surely its better that Im keeping them all in
of your Netflix or Spotify password, they can then use it to get my head? Well, not really: The risk of a crook reusing a shared
into your ridesharing or bank account to drain your credit card. password that has been stolen from somewhere else is far greater
Even though our brains arent actually that bad at remembering than some sophisticated hacker independently targeting your da-
passwords, its almost impossible to remember dozens of unique, tabase of passwords. For example, if you used the same password
strong passwords. across different websites, and that password was stolen in the
massive Yahoo! hacks (which included 3 billion people), it could
The good news is that the solution to these problems is already easily be reused on your Gmail, Uber, Facebook, and other web-
out there: password managers. These are apps or browser exten- sites. Some password managers store your passwords encrypted
sions that keep track of passwords for you, automatically help in the cloud, so even if the company gets hacked, your passwords
you create good passwords, and simplify your online life. If you will be safe. For example, the password manager LastPass has
use a manger, all you have to remember is one password, the one been hacked at least twice, but no actual passwords were stolen
that unlocks the vault of your other passwords. because the company stored them securely. LastPass remains a
recommended password manager despite those incidents. Again,
That one password better be good though. Forget about capital its all about understanding your own threat model.
letters, symbols, and numbers. The easiest way to make a secure
master password is to make a passphrase: several random but So, please, use one of the many password managers out there,
pronounceableand thus easier to memorizewords. For ex- such as 1Password, LastPass, or KeePass. theres no reason not to
ample: floodlit siesta kirk barrel amputee dice (dont use this one do it. It will make youand the rest of us!safer, and itll even
though, we just burned it.) make your life easier.
Once you have that you can use unique passwords made of a lot And if your employer asks you to change passwords periodically
of characters for everything else, as long as you create them with in the name of security, please tell them thats a terrible idea. If
a password manager and never reuse them. The master password you use a password manager, two-factor authentication (see be-
is better as a passphrase because its easier to memorize, and the low), and have unique strong passwords for every account theres
other passwords dont need to be memorized because the manag- no need to change them all the timeunless theres a breach on
er will remember them. the backend or your password is stolen somehow.
7
Two-Factor
Authentication
Having unique, strong passwords is a great first step, but even company to issue a new SIM card to the attackers, allowing them
those can be stolen. So for your most important accounts (think to take over his phone number. That means when they used his
your email, your Facebook, Twitter accounts, your banking or first factor (the password) to login to his account, the second
financial accounts) you should add an extra layer of protection factor code was sent directly to them. This is an increasingly
known as two-factor (or two-step or 2FA) authentication. A lot of common hack.
services these days offer two-factor, so it doesnt hurt to turn it on
in as many places as you can. See all the services that offer 2FA Its hard to defend against an attack like that, and its a sad truth
at twofactorauth.org. that there is no form of perfect security. But there are steps you
can take to make these attacks harder, and we detail them below,
By enabling two-factor youll need something more than just in the mobile security section.
your password to log into those accounts. Usually, its a nu-
merical code sent to your cellphone via text messages, or it can SMS-based two-factor can be gamed, and its also possible to
be a code created by a specialized app (which is great if your leverage vulnerabilities in the telecommunications infrastruc-
cellphone doesnt have coverage at the time youre logging in), ture that carries our conversations or to use whats known as an
or a small, physical token like a USB key (sometimes called a IMSI-catcher, otherwise known as a Stingray, to sweep up your
YubiKey, named after the most popular brand). cellphone communications, including your verification texts. We
dont write this to scare you, its just worth noting that while all
Theres been a lot of discussion in the last year about whether forms of two-factor authentication are better than nothing, you
text messages can be considered a safe second factor. Activist should use an authentication app or better yet a physical key if at
DeRay McKessons phone number was hijacked, meaning hack- all possible.
ers could then have the extra security codes protecting accounts
sent straight to them. And the National Institute of Standards You should, if the website allows it, use another 2FA option that
and Technology (NIST), a part of the US government that writes isnt SMS-based, such as an authentication app on your smart-
guidelines on rules and measurements, including security, recent- phone (for example, Google Authenticator, DUO Mobile, or
ly discouraged the use of SMS-based 2FA. Authy), or a physical token. If that option is available to you, its
a great idea to use it.
The attack on DeRay was made possible by social engineering.
In this case, a customer service rep was tricked by a criminal into
making DeRay vulnerable. The attack involved getting his phone
8
Dos
&
Donts
9
Dos Donts
Do use antivirus: Yes, youve heard this before. But its still Dont use Flash: Flash is historically one of the most insecure
(generally) true. Antiviruses are actually, and ironically, full of pieces of software thats ever been on your computer. Hackers
security holes, but if youre not a person whos at risk of getting love Flash because its had more holes than Swiss cheese. The
targeted by nation-state hackers or pretty advanced criminals, good news is that a lot of the web has moved away from Flash
having antivirus is still a good idea. Still, antivirus software is so you dont really need it anymore to still enjoy a fully-featured
far from a panacea, and in 2017 you need more than that to be and rich browsing experience. So consider purging it from your
secure. Also, be aware that antivirus software, by definition, is computer, or at least change the settings on your browser so you
incredibly invasive: it needs to reach deep into your computer have to click to run Flash each time.
to be able to scan and stop malware. This reach can be abused.
For example, the US government accuses Kaspersky Lab, one of Dont overexpose yourself for no reason: People love to share
the most well-known antivirus software in the world, of having pretty much everything about their lives on social media. But
passed sensitive documents from one of its customers to the please, we beg you, dont tweet a picture of your credit card or
Russian government. flights boarding pass, for example. More generally, its a good
mindset to realize that a post on social media is often a post to
Do use some simple security plugins: Sometimes, all a hacker anyone on the internet who can be bothered to check your profile,
needs to pwn you is to get you to the right websiteone laden even if its guessing your home address through your running
with malware. Thats why its worth using some simple, install- routes on a site like Strava, a social network for runners and
and-forget-about-it plugins such as adblockers, which protect you cyclists.
from malware embedded in advertising presented by the shadier
sites you may wander across on the web, and sometimes even Personal information such as your home address or high school
legitimate sites. (Wed naturally prefer if you whitelisted Mother- (and the schools mascot, which is a Google away) can then be
board since web ads help keep our lights on.) used to find more information via social engineering schemes.
The more personal information an attacker has, the more likely
Another useful plugin is HTTPS Everywhere, which forces your they are to gain access to one of your accounts. With that in mind,
connection to be encrypted (when the site supports it). This wont maybe consider increasing the privacy settings on some of your
save you if the website youre going to has malware on it, but in accounts too.
some cases, it helps prevent hackers from redirecting you to fake
versions of that site (if theres an encrypted one available), and Dont open attachments without precautions: For decades,
will generally protect against attackers trying to tamper with your cybercriminals have hidden malware inside attachments such as
connection to the legitimate one. Word docs or PDFs. Antiviruses sometimes stop those threats, but
its better to just use commons sense: dont open attachments (or
Do use a VPN: Virtual Private Networks are a secure channel click on links) from people you dont know, or that you werent
between your computer and the internet. If you use a VPN, you expecting. And if you really want to do that, use precautions, like
first connect to the VPN, and then to the whole internet, adding opening the attachments within Chrome (without downloading
a layer of security and privacy. If youre using the internet in the files). Even better, save the file to Google Drive, and then
a public space, be it a Starbucks, an airport, or even an Airbnb open it within Drive, which is even safer because then the file is
apartment, you are sharing it with people you dont know. And being opened by Google and not your computer.
if some hacker is on your same network, they can mess up with
your connection and potentially your computer. Its worth doing
some research on VPNs before getting one, because some are
much better than others (most of the free ones dont do a great
job of protecting your privacy). We recommend Freedome, Pri-
vate Internet Access, or, if youre a technical user, Algo.
Do disable macros: Hackers can use Microsoft Office macros

inside documents to spread malware to your computer. Its an old
trick, but its back in vogue to spread ransomware. Disable them!
Do back up files: Were not breaking any news here, but if

youre worried about hackers destroying or locking your files
(such as with ransomware), then you need to back them up.
Ideally, do it while youre disconnected from the network to an
external hard drive so that even if you get ransomware, the
backup wont get infected.
10
Mobile
Security
11
Mobile Security
We now live in a world where smartphones have become our Get an iPhone
primary computing devices. Not only we use cellphones more Pretty much everyone in the world of cybersecurityexcept
than desktop computers, but we keep them with us pretty much perhaps the engineers working on Androidbelieves that
all the time. It goes without saying then, that hackers are targeting iPhones are the most secure cellphone you can get. There are a
mobile phones more and more every day. few reasons why, but the main ones are that iOS, Apples mobile
operating system, is extremely locked down. Apps go through
The good news is there are some basic steps and some precau- extensive checks before getting on the App Store, and there are
tions you can take to minimize the risks, and were going to tell extensive security measures in place, such as the fact that only
you what they are. code approved and digitally signed by Apple (a measure known
as code-signing) and the fact that apps are limited from reaching
Mobile Threat Modeling into other apps (sandboxing). These features make it really hard
Most people use passcodes, passwords, or patterns to lock their for hackers to attack the most sensitive parts of the operating sys-
phones. If you dont do this, you absolutely should! (Patterns tem. Because Apple controls the iOS infrastructure, iPhones get
are far easier to guess or shoulder surf than pins or passcodes, immediate, regular security updates and patches from Apple; crit-
however, according to a recent study.) ical security updates for many Android devices can take weeks
or months to be pushed to users. Even the iPhone 5s, which was
One of the biggest mobile threats is someone who has physical launched in 2013, is still supported.
access to your phone and can unlock it. This means your security
is only as good as your passcode: If at all possible, avoid giving So if you are paranoid, the iPhone is the most secure cellphone
out your code or password, and avoid using easily guessed pass- out of the box. But unless you have a really good reason for it, do
codes such as your birthday or address. Even simple passcodes NOT jailbreak it. While the jailbreaking movement and the hack-
and passwords are great to stop pickpockets or street thieves, but ers behind it have contributed to make the iPhone more secure,
not so great if what youre worried about is an abusive partner jailbreaking an iPhone at this point doesnt really provide you
who knows your PIN, for example. any feature thats worth the increased risks. In the past, hackers
have been able to target at scale only jailbroken iPhones.
With that in mind, heres a few basic things you can do to prevent
other common threats to your cellphone.
12
Nothing is unhackable though. We know some governments are Lock Up That Sim Card
armed with million-dollar hacking tools to hack iPhones, and Recently we revealed that hackers had been exploiting a nasty
perhaps some sophisticated criminals might have those too. Still, bug on a T-Mobile website to pull the personal data of customers
get an iPhone, install the updates, and dont jailbreak it and youll in an attempt to gather data that they could then use to imperson-
probably be fine. ate the victims and socially engineer T-Mobile support techni-
cians into issuing new SIM cards. These kind of attacks, known
But I Love Android! Fine... as SIM swapping or SIM hijacking, allow hackers to take
Android has become the most popular operating system in the over your cellphone number, and in turn anything thats connect-
world thanks to its decentralized, open-source nature and the ed to it. SIM hijacking is what makes two-factor authentication
fact that many handsets are available at prices much lower than via SMS so dangerous.
iPhones. In some ways, this open-sourced nature was Androids
original sin: Google traded control, and thus security, for market Your phone number is likely the gateway to multiple other,
share. This way, critical security updates depend on carriers and perhaps more sensitive, parts of your digital life: your email, your
device manufacturers, who have historically been lackadaisical bank account, your iCloud backups.
about pushing them out.
As a consumer, you cant control the bugs that your carrier leave
The good news is that in the last two years this has improved open for hackers. But you can make it a bit harder for hackers
a lot. Google has been pushing partners to give users monthly to impersonate you with gullible tech support employees. The
updates, and Googles own flagship devices have almost the same solution is easy, although not that many people know about it: a
kind of regular support that Apple provides to iPhones, as well as secondary password or passcode that you need to provide when
some of the same security features. you call your cellphone provider. Most US carriers now offer this
option.
So your best bet is to stick to Pixels or Nexus phones, whose
security doesnt depend on anyone but Google. If you really dont Call your provider and ask them to set this up for you. Mother-
want a Google phone, these cellphones have a good track record board confirmed that Sprint, T-Mobile, Verizon and U.S. Cellular
of pushing security updates, according to Google itself. all give customers this option. Verizon and U.S. Cellular have
made this mandatory, according to their spokespeople. Of course,
Whatever Android phone you own, be careful what apps you in- make sure you remember this phone password, or better yet,
stall. Hackers have traditionally been very successful at sneaking write it down in your password manager.
malicious apps on the Play Store so think twice before installing
a little-known app, or double check that the app youre install-
ing really is the one you want. Earlier this fall, a fake version of
WhatsApp was installed by more than a million Android users.
Also, stick to the Play Store and avoid downloading and install-
ing apps from third-party stores, which may very well be mali-
cious. On most Android phones, installing third-party apps is not
enabled by default, leave it that way.
To protect the data on your Android phone, make sure full disk
encryption is enabled. Open your Settings app, go to Security
and click on Encrypt Phone if its not enabled already. (If this
doesnt work on your device, Google for instructions on your
specific handset).
Finally, while not mandatory, it might be a good idea to install

a mobile antivirus such as Lookout or Zips. While these can be
effective against criminals malware, they probably wont stop
government hackers.
13
The Motherboard Guide

to Privacy, Messaging,
and Protecting Yourself
From State and Law
Enforcement Surveillance
In the wake of September 11th, the United States built out a mas- Director thinks that using encryption may itself be a red flag. If
sive surveillance apparatus, undermined constitutional protec- you have nothing to hide, your use of encryption can actually
tions, and limited possible recourse to the legal system. help people at risk by obfuscating that red flag. By following
this guide, you are making someone else safer. Think of it as
Given the extraordinary capabilities of state surveillance in herd immunity. The more people practice good security, the safer
the USas well as the capabilities of governments around the everyone else is.
worldyou might be feeling a little paranoid! Its not just the
NSAthe FBI and even local cops have more tools at their The security tips provided earlier in this guide still apply: If you
disposal to snoop on people than ever before. And there is a ter- can protect yourself from getting hacked, you will have a better
rifying breadth of passive and unexpected surveillance to worry shot at preventing yourself from being surveilled (when it comes
about: Your social media accounts can be subpoenaed, your to surveilling iPhones, for instance governments often have few
emails or calls can be scooped up in bulk collection efforts, and options besides hacking the devices). But tech tools dont solve
your cell phone metadata can be captured by Stingrays and IMSI all problems. Governments have a weapon in their hands that
catchers meant to target someone else. criminal hackers do not: the power of the law. Many of the tips
in this section of the guide will help you not only against legal
Remember, anti-surveillance is not the cure, its just one thing requests and government hacking, but also against anyone else
you can do to protect yourself and others. You probably arent the who may be trying to spy on you.
most at-risk person, but that doesnt mean you shouldnt practice
better security. Surveillance is a complicated thing: You can prac- You dont have to turn yourself into a security expert. Just
tice the best security in the world, but if youre sending messages start thinking about your risks, and dont be intimidated by the
to someone who doesnt, you can still be spied on through their technology. Security is an ongoing process of learning. Both the
device or through their communications with other people (if they threats and the tools developed to address them are constantly
discuss the information you told them, for instance). changing, which is one of the reasons why privacy and security
advice can often seem fickle and contradictory. But the tips below
Thats why its important that we normalize good security are a good starting point.
practices: If you dont have that much to be afraid of, its all the
more important for you to pick up some of these tools, because
doing that will normalize the actions of your friends who are, say,
undocumented immigrants, or engaged in activism. Trumps CIA
14
Threat Modeling (privacy and surveillance edition) It even has a desktop app, so you can use it the way that iOS/Mac
Keep in mind that different tools address different problems. OS people use iMessage on both their phones and computers.
Without threat modelling, its easy to feel overwhelmed by how Go to the Signal.org website and download the app for your
many tools are out there. Threat modeling for surveillance is sim- preferred operating system. Just follow the instructionstrust us,
ilar to threat modelling for hacking, but there are of course some theyre easy.
nuances that vary in every situation.
Signal also lets you set a timer for messages to automatically
Its easy for some people to say use Signal, use Tor, and be expire, thus deleting them from all devices. You can set the timer
done with it, but that doesnt work for everyone. For example, a for all kinds of lengths, including very short ones. This is a great
friend used to message people about her abusive ex-partner using feature for journalists who are concerned about protecting their
the built-in Words With Friends messenger, because she knew sources or their conversations with editors.
that he read her text messages and Gchat. Words With Friends
does not have a particularly secure messaging system, but in this These are great features, and theyre part of the reason why we
case it was a better option than Signal or Hangouts because he recommend Signal over many other end-to-end messaging apps.
didnt think to read her messages on the game. iMessage and WhatsApp also use end-to-end encryption, but they
both have drawbacks.
When it comes to state actors, it might be helpful to think of sur-
veillance in two different forms: surveillance of metadata (who We do not recommend WhatsApp, because WhatsApp is owned
you are, who youre talking to, when youre talking) and surveil- by Facebook, and has been sharing user information with its par-
lance of content (what you are saying). As with all things, when ent company. While this is only metadata, it is ultimately a roll-
you dig a little deeper, its not as simple as that. But if youre back of a privacy promise made when WhatsApp was acquired
thinking about this for the first time, its a good start. by Facebook. We think this says something negative about the
overall trustworthiness of the company in coming days.
Surveillance law is complicated, but long story short, both the
law and current technological infrastructure make it easier to It is a very good thing that Apple encrypts iMessages end-to-
grab metadata than content. Metadata isnt necessarily less im- end. But iMessage also backs up messages to iCloud by default,
portant or revealing than content. Say Planned Parenthood called which is why you can message from all your Apple devices. This
you. Then you call your partner. Then you call your insurance. is a great and fun feature, but if youre concerned about govern-
Then you call the abortion clinic. That information is going to be ment surveillance, remember that Apple complies with lawful
on your phone bill, and your telephone provider can easily give government demands for data in your iCloud: iMessage and
it up to the government. Your cell provider might not be record- SMS messages are backed up on iCloud for your convenience,
ing those callsthe content is still private. But at that point, the Apples privacy page states. You can turn this feature off, but in
content doesnt matterit would be easy for someone with the theory Apple could be forced to access the iMessages youve sent
metadata alone to have a reasonable idea of what your calls people who still have the feature enabled.
were about.
Signal keeps very little information. We know this, because Open
Start thinking about what is open and exposed, and what you can Whisper Systems was subpoenaed by the government last year,
protect. Sometimes, you have to accept that theres very little you and was forced to hand over information. But the information it
can do about a particular channel of communication. If circum- hadby designwas pretty minimal. Signal retains phone num-
stances are dire, youre going to just have to work around it. ber, account creation date, and the time of the users last connec-
tion to Signal servers. Yes, thats still something, but as you can
Signal see, its not very much.
Signal is an encrypted messaging service for smartphones and
desktop computers. It is, for manybut not allpeople, a good There are worse products to use than iMessage and WhatsApp.
option for avoiding surveillance. Because the government has the For example, you absolutely should avoid using Telegram for
capability to intercept electronic messages while theyre being sensitive communications. And Google can read your GChats
transmitted, you want to use end-to-end encryption for as many unless you take additional steps to encrypt them end-to-end.
of your communications as possible. There are several other products on the market that are decent
alternatives (for example, Wire), but like WhatsApp and iMes-
Using Signal is easy. You can find it and install it from your sage, theyre created and maintained by for-profit companies, and
phones app store. (In the iOS App Store and the Google Play we dont know how theyre planning to monetize in the future.
Store, its called Signal Private Messenger, and its made by Signal is an open source, nonprofit project. That has its own
Open Whisper Systems.) drawbacks (for example, Signal is not as slick as iMessage, nor
does it have the luxury of having a large security team behind it),
If you have the other persons phone number in your contacts list, so maybe donate money when you download it?
you can see them in Signal, and message them or call them. As
long as the other person also has Signal, the messages automati-
cally encryptall the work is invisible.
15
One thing thats worth mentioning about Signal is that it requires Beware of device cameras and microphones
you to associate the device with a phone number. This means Do you live around any cameras? If you use internet-connected
that you need to trust the people youre messaging to have your security cameras inside your home, or have a webcam running,
phone number (or need to jump through hoops to use Signal with dont leave these things unsecured. Make sure that youve
a dummy phone number); there are many reasons why you might changed any passwords from the default that they shipped with,
want to message people without giving them your phone number, and cover them when youre not using them.
which is one of the potential drawbacks of Signal. If this is a
concern for you, consider another option. If you have a laptop or a smartphone, use a sticker to cover the
front-facing camera. You dont have to stop Facetiming and tak-
Another thing to remember is that just because a communication ing selfies, you just want to cover things up so no ones looking
is end-to-end encrypted doesnt mean its invisible to the govern- at you when you dont want them to. The Electronic Frontier
ment. It just means the contents are encrypted between endpoints. Foundation sells removable laptop cover stickers (five for $5)
You can see the message, your recipient can see the message. If that wont leave a residue on your camera, so you can take it on
its intercepted in transit, its completely garbled, and the content and off whenever you need it. Consider buying several and giving
of your message is protected from spying eyes. them to friends who might be shorter on cash.
But if an endpoint is compromisedin other words, if your Finally, there is absolutely no way to make sure your microphone
own phone is hacked or physically seized by the government, is not recording. If youre concerned about being wiretapped,
or your texting partner is screencapping your conversationits consider turning off your phone and putting it in the microwave
game over. (temporarily, with the microwave off), or leaving your phone in
the other room. Turning your phone off alone does not necessar-
Encryption doesnt make it impossible for the government to ily protect you! And consider leaving all your devices outside of
snoop, it just makes it way more challenging. The point is that the bedroom when you have sex with your partner.
introducing friction into the equation does provide privacy.
In 2012, Khadija Ismayilova, an Azeri journalist, was black-
Be conscious of what you post on social media mailed with a surreptitiously filmed sex tape. The blackmailer
If you post publicly on social media, know that local police (and told Ismayilova to stop publishing articles critical of the govern-
likely federal agencies as well) keep tabs on activists online. For ment, or else have her tape released. (Ismayilova went public,
example, Facebook, Instagram, and Twitter have all fed data to and the tape was posted on the internet.) In 2015, the Azerbaijan
social media monitoring products that police departments used to government sentenced her to seven and a half years in prison on
track Black Lives Matter activists. tax evasion charges. She is currently out on probation.
Even if you keep your privacy settings on lockdown, social media Governments at home and abroad have used sex to blackmail
companies are subject to subpoenas, court orders, and data re- dissenters. Be aware of that, and protect your privacy.
quests for your information. And often times, theyll fork over the
information without ever notifying the user that its happening. Protect your devices with a lock screen
For the purposes of social media, assume that everything you post Put a password/passcode on your phone and your computer.
is public. This doesnt mean you should stop using social media, Dont rely on your thumbprint alone. The police are more likely
it just means you have to be mindful of how you use it. to be able to legally compel you to use your fingerprint to open
up your phone. You may have a stronger constitutional right not
If youre an activist, consider using a pseudonym for your activ- to speak your password.
ism. If you post online at all, take others safety and privacy into
consideration as well. Use OTR for chatting (if you have to)
Its best to use Signal for desktop when chatting with people. But
Who are you tagging into your posts? Are you adding location heres another option thats particularly useful for journalists.
information? Who are you taking a picture of, and why? Be
particularly careful with photos or posts about protests, rallies, Close your Gmail window and use OTR (Off The Record) instead
or meetings. Facial recognition technology is fairly sophisticat- to chat. Keep in mind that you can only use OTR if the other
ed now, so even if you leave people untagged, theoretically an person is also using OTR*.
algorithm could scan for and identify activists in a photograph
of a rally. You can already see this at work in Facebooks tag You can use your Gmail account as your chat ID. So whats going
suggestions. on is that youre engaging in Gchat, but with a layer of encryp-
tion on top. Open up a chat window and click the lock icon to
When you take a picture of someone at a protest, make sure that begin encryption. And make sure you tweak your settings so that
they consent, and that they know the implications of having a youre not retaining chat logs during encrypted conversations.
photo of themselves out there.
Again, end-to-end only goes so far. If the other person is logging
your conversations, it might not matter that you went this far. If
youre concerned, ask your friend to stop logging.
*Mac users can install Adium, PC (and Linux) users will have to install Pidgin and the OTR plugin.
16
Install the Tor Browser The computers that make up the Tor networkthe ones that
Torwhich takes its name from an acronym for The Onion your traffic bounces throughare run by volunteers, institutions,
Routerscrambles your internet traffic by routing it through and organizations all over the world, some of whom face legal
several layers of computers. This way, when you access a web- risks for doing so. They are not supposed to log the traffic that
site, it cant tell where youre connecting from. The easiest way goes through them, but because its a volunteer network, some
to use Tor is just to install the Tor Browser. Its just like Firefox might. The risk is mitigated by the fact that each node only sees
or Chrome or Internet Explorer, just a lot slower because of the a snapshot of the traffic running through it, and nobody has
privacy it provides. access to both the users IP and their unencrypted traffic. A bad
actor would have to run a very large number of Tor nodes to start
Using Tor for everything will give you a big privacy boost, logging meaningful trafficwhich would be difficultand the
but its a bit unwieldy. Dont, for instance, try to stream Netflix Tor project monitors for behavior that suggests anybody might be
over Tor. doing that.
Evaluate your needs and figure out how much Tor you need in Ultimately, for the purposes of state surveillance, Tor is better
your life. Always remember that your IP address (which can give than a VPN, and a VPN is better than nothing.
away where you are, and therefore, who you might be) is laid
bare if you arent using it. Its not clear whether Tor will continue to exist into the future.
Tor is run partly through grants from the government. (Like many
There are four reasons why you might want to use Tor. cutting edge technologies, Tor was originally developed by the
US military.) Its possible Tor will lose most of its funding in the
Youre trying to keep your identity hidden. very near-term. Consider donating to the Tor Project.
You use a lot of public WiFi.
Youre trying to get around government censorship. Virtual Private Networks
You are protecting the other people who use Tor. When it comes to state surveillance, VPNs wont help much. A
VPN will obscure your IP address, but when it comes to state
If youre an activist who is trying to hide their identity, you need surveillance, VPNs can be subpoenaed for user information that
Tor to mask your IP address. This is a limited use case scenario. may ultimately identify you. For example, many VPN companies
For example, its self-defeating for me to open up Tor, log into keep logs on what IP addresses log on when and what sites are
my public Twitter account, and tweet, What up, everyone, Im accessedwhich can end up pinpointing you, especially if you
tweeting from the Vice Media offices in New York City. I am used your credit card to pay for a VPN subscription.
giving away all the information that Tor is masking for mebe-
cause when it comes down to it, in that use case scenario, I was Some VPN companies claim not to log user information. You
never planning on keeping it private. need to evaluate how much you trust these companies, and make
that decision for yourself. If what youre concerned about is
If you connect to a lot of public Wi-Fi (think Starbucks, a hotel, government surveillance, our recommendation is that you stick
or the airport), though, you should use Tor. It provides similar with Tor.
benefits as VPNs , but without many of the drawbacks of a VPN
(see the next section for a discussion of that). PGP (probably isnt worth the trouble)
The only reliable way to encrypt your email is PGPalso known
If the United States begins to censor parts of the web, as many as Pretty Good Privacy. However, PGP is incredibly obnoxious to
other governments do, Tor might be able to help you get around use. Even PGPs creator Phil Zimmermann has stopped using it,
that. Tor certainly helps people connecting to the internet from since he cant use it on his phone. The problem isnt just that you
other countries that practice internet censorship. have to figure out PGP, everyone you talk to also has to figure it
out. Telling someone to download Signal is a lot easier than walk-
Finally, the thing about Tor is that the more people use it, the less ing them through public/private key encryption. This is where
trackable everyone else is. When a lot of random, unaffiliated your threat model comes in handy, to help figure out if PGP is
people from all over the world use it, it becomes stronger and actually worth it to you.
stronger. If you take the time to use Tor every day, you are help-
ing people who really do need it. If you absolutely must use encrypted email, this guide to PGP
might be helpful. Its tricky, so you might want to go to a crypto
A couple caveats, here: Tor is not bulletproof. The government party and have an activist or technologist help you set it up.
has been known to hack groups of users on Tor, just like its been
known to hack VPN users en masse. Tor, by itself, does not make
it more unlikely for you to get hacked. Tor is for privacy, not se-
curity. And Tor is designed to make it hard to log your traffic, not
impossible, so theres always a risk that you arent being hidden.
17
Dont run your own email server with VeraCrypt as far as the experts can tell, but if you have the
If 2016 did anything, it convinced everyone not to run their own option, use the full disk encryption that your operating system
private email server. already provided.
Its true that Google and other companies have to comply with If you use Linux, your distro probably supports encryption out of
court orders for your information, including your emails. But on the box. Follow the instructions while installing.
the other hand, Google knows how to run email servers way bet-
ter than you do. Email servers are hard! Just ask Hillary Clinton. If youre a journalist,
know the risk of hanging onto your notes
If you are encrypting email, Google can only hand over the Want to protect your sources? Your notes, your Slack chats, your
metadata (whos sending to whom and subject headers). Since en- Gchats, your Google Drive, your Dropbox, your recorded inter-
crypting email is a huge pain, try to keep all your sensitive stuff views, your transcripts, and your texts can all end up in court.
away from email, and in end-to-end encrypted channels instead. Depending on what kind of court case it is, it might not matter
Dont abandon your third-party email account, just be aware that that its encrypted.
the government can get at whats inside.
Dont wait until a lawsuit is imminent to delete all your stuff.
Encrypt your hard drive That might be illegal, and you might be risking going to jail.
Good news: this isnt as hard as it used to be! Every situation is different: your notes might be necessary to get
you out of trouble. So if youre the type to hoard notes, know the
Full-disk encryption means that once your device is locked (when risk, talk to a lawyer, and act responsibly.
its off, or when its on but showing a lock screen), the contents
of your hard drive cant be accessed without your password/key. Credit Cards
Know that credit card companies never stand up to the gov-
A lot of smartphones come with full disk encryption built in. If ernment. If you pay for anything using your credit card, know
you own an iPhone with a recently updated operating system that the government can get that information pretty easily. And
(like, in the last three years, really), just slap a passcode on that remember that once your identity touches something, theres a
sucker and youre golden. chain that the government can follow all the way back.
If you own an Android phone, it might already be encrypted by For example, if you get a prepaid Visa gift card using your per-
default (Google Pixel is). But chances are, its not. There isnt sonal credit card, and pay a VPN company with that, the govern-
an up-to-date guide on turning on encryption on all Android de- ment can just go backwards through the chain and find your per-
vices, so youre going to have to poke around yourself, or ask sonal credit card, and then you. If you pay a VPN company with
a friend. And if you own a Windows phone, god help you, be- Bitcoin, but you bought the Bitcoin through a Bitcoin exchange
cause we cant. using your personal credit card, thats traceable as well.
As for computers, things are again, much easier than they This applies to anything else you use money for, like buying do-
used to be. Use your operating systems full disk encryption mains or cheap, pay-as-you-go phones, known as burners. Practi-
option instead. For MacBooks running Lion or newer, just turn cally speaking, theres not a lot you can do about this. Its one of
on FileVault. the reasons why we recommend Tor instead of a VPN service.
Windows, on the other hand, is a lot more complicated. First off, Its also one of the reasons why its so hard to get a burner phone
some users have encryption by default. Some more users can thats really a burner. (How are you going to pay for continuing
turn it on, but its kind of a pain. And if youre using Microsofts phone service without linking your name to it?) There is no easy
Bitlocker, youre going to have to fiddle with some additional answer here. Were not going to pretend to be able to give good
settings to make it more secure. Apple doesnt retain the capa- advice in this instance. If you find yourself in a situation where
bility of unlocking your devices. Famously, if the government your life depends on staying anonymous, youre going to need a
goes to Apple, Apple cant just decrypt your phone for the feds, lot more help than any internet guide.
not without coming up with a hack that will affect every iPhone
in the world. But Microsoft isnt doing quite the same thingin One more thing: For now, organizations like the ACLU and
some cases they use whats known as key escrow, meaning NAACP have a constitutional right to resist giving up the names
they can decrypt your machineso you have to take additional of donors. But your credit card or PayPal might betray you any-
steps (outlined in this article) to get that same level of protection. ways. This doesnt mean you shouldnt donate to organizations
that resist oppression and fight for civil rights and civil liberties.
You may need to resort to using VeraCrypt. A lot of older guides Rather, it makes it all the more important that you do. The more
will say to use TrueCrypt, regardless of operating system. This ordinary people do so, the more that individual donors are pro-
is now outdated advice. VeraCrypt used to be TrueCrypt, and tected from scrutiny and suspicion.
the story of why its not any more is a convoluted crypto soap
opera with plot holes the size of Mars, and it is frankly outside
the scope of this guide. Long story short, theres nothing wrong
18
We dont know what the future holds Meet in person

Which brings us to our next point: we dont know what the future Many public places have cameras, some spots are wired with mi-
holds. This guide was written with the current technical and legal crophones. And theres always the possibility that you are being
capabilities of the United States government in mind. But that individually targeted for surveillance. But ultimately, its a lot
might all change in the future. Strong encryption might become harder to surveil someone in person than to collect the electronic
illegal. The United States might begin to practice internet censor- communications of many people at the same time.
ship the way that China and other countries do. The government
might institute a National ID policy for getting online, making it Take a break from the wired world and meet people in person. If
near-impossible to post anonymously. you stay out of earshot, you wont be overheard, and your words
will melt into the air, unsurveilled and unrecorded.
These things are harder to enforce and implement, so theyre not
likely to happen quickly. And besides, if youre reading this guide, chances are that you
really need a hug right now.
Its also not infeasible that the government pressures app stores to
take down Signal and other end-to-end encryption applications. So meet up with your friends, verify your Signal keys, and give
This guide might be only be so good for so long. Thats all the each other a big hug. Because youre probably both scared, and
more reason to become proactive against surveillance now, and to you need each other more than you need any of this technology.
keep adapting to changing circumstances.
19
Go Out
There
And
Be Safe
That is all for now. Again, this is just meant to be a basic
guide for average computer users. So if youre a human
rights activist working in a dangerous country or a war zone,
or an organization building IT infrastructure on the fly, this is
certainly not enough, and youll need more precautions.
But these are common sense essential tips that everyone

should know about.
Of course, some readers will leap at the chance to point out

everything that may have been missing from this guide, and
wed like to hear your feedback. Security is a constantly
changing world, and whats good advice today might not
be good advice tomorrow, so our goal is to keep this guide
updated somewhat regularly, so, please, do reach out if you
think we have something wrong or missing something.
And remember, always be vigilant!
20
Glossary
of
Hacking
and
Cyber
Terms
One of the challenges of writingand readingabout
hacking is that its a world full of jargon and technical terms.
Its our job as journalists to translate this lingo and make it
understandable to the average reader.
Still, accuracy is important and sometimes you have to use

the right terms. To help you navigate this guide, we thought
this glossarywhich includes some concepts and terms not
raised elsewhere in the guidewould help.
21
Attribution: Attribution is the process of establishing who is Crypto: Short for cryptography, the science of secret communica-
behind a hack. Often, attribution is the most difficult part of tion or the procedures and processes for hiding data and messages
responding to a major breach since experienced hackers may with encryption (see below).
hide behind layers of online services that mask their true location
and identity. Many incidents, such as the Sony hack, may never Chip-off: A chip-off attack requires the hacker to physically
produce any satisfactory attribution. remove memory storage chips in a device so that information
can be scraped from them using specialized software. This attack
Backdoor: Entering a protected system using a password can be has been used by law enforcement to break into PGP-protected
described as going through the front door. Companies may build Blackberry phones.
backdoors into their systems, however, so that developers can
bypass authentication and dive right into the program. Backdoors Dark web: The dark web is made up of sites that are not indexed
are usually secret, but may be exploited by hackers if they are by Google and are only accessible through specialty networks
revealed or discovered. such as Tor (see below). Often, the dark web is used by website
operators who want to remain anonymous. Everything on the
Black hat: A black hat hacker is someone who hacks for personal dark web is on the deep web, but not everything on the deep web
gain and/or who engages in illicit and unsanctioned activities. is on the dark web.
As opposed to white hack hackers (see below), who traditionally
hack in order to alert companies and improve services, black hat DDoS: This type of cyberattack has become popular in recent
hackers may instead sell the weaknesses they discover to other years because its relatively easy to execute and its effects are
hackers or use them. obvious immediately. DDoS stands for Distributed Denial of
Service Attack, which means an attacker is using a number of
Botnet: Is your computer part of a botnet? It could be, and you computers to flood the target with data or requests for data. This
might not know it. Botnets, or zombie armies, are networks of causes the targetusually a websiteto slow down or become
computers controlled by an attacker. Having control over hun- unavailable. Attackers may also use the simpler Denial of Service
dreds or thousands of computers lets bad actors perform certain attack, which is launched from one computer.
types of cyberattacks, such as a DDoS (see below). Buying thou-
sands of computers wouldnt be economical, however, so hackers Deep web: This term and dark web or dark net are some-
deploy malware to infect random computers that are connected to times used interchangeably, though they shouldnt be. The deep
the internet. If your computer gets infected, your machine might web is the part of the internet that is not indexed by search en-
be stealthily performing a hackers bidding in the background gines. That includes password-protected pages, paywalled sites,
without you ever noticing. encrypted networks, and databaseslots of boring stuff.
Brute force: A brute force attack is arguably the least sophisti- DEF CON: One of the most famous hacking conferences in the
cated way of breaking into a password-protected system, short US and the world, which started in 1992 and takes place every
of simply obtaining the password itself. A brute force attack will summer in Las Vegas.
usually consist of an automated process of trial-and-error to guess
the correct passphrase. Most modern encryption systems use Digital Certificate: A digital passport or stamp of approval that
different methods for slowing down brute force attacks, making it proves the identity of a person, website or service on the internet.
hard or impossible to try all combinations in a reasonable amount In more technical terms, a digital certificate proves that someone
of time. is in possession of a certain cryptographic key that, traditionally,
cant be forged. Some of the most common digital certificates
Bug: Youve probably heard of this one. A bug is a flaw or error are those of websites, which ensure your connection to them is
in a software program. Some are harmless or merely annoying, properly encrypted. These get displayed on your browser as a
but some can be exploited by hackers. Thats why many compa- green padlock.
nies have started using bug bounty programs to pay anyone who
spots a bug before the bad guys do. Encryption: The process of scrambling data or messages making
it unreadable and secret. The opposite is decryption, the decoding
Cracking: A general term to describe breaking into a security sys- of the message. Both encryption and decryption are functions of
tem, usually for nefarious purposes. According to the New Hack- cryptography. Encryption is used by individuals as well as corpo-
ers Dictionary published by MIT Press, the words hacking and rations and in digital security for consumer products.
hacker (see below) in mainstream parlance have come to sub-
sume the words cracking and cracker, and thats misleading. End-to-end encryption: A particular type of encryption where
Hackers are tinkerers; theyre not necessarily bad guys. Crackers a message or data gets scrambled or encrypted on one end, for
are malicious. At the same time, youll see cracking used to refer example your computer or phone, and get decrypted on the other
to breaking, say, digital copyright protectionswhich many peo- end, such as someone elses computer. The data is scrambled in a
ple feel is a just and worthy causeand in other contexts, such as way that, at least in theory, only the sender and receiverand no
penetration testing (see below), without the negative connotation. one elsecan read it.
22
Evil maid attack: As the name probably suggests, an evil maid HTTPS/SSL/TLS: Stands for Hypertext Transfer Protocol, with the
attack is a hack that requires physical access to a computerthe S for Secure. The Hypertext Transfer Protocol (HTTP) is the
kind of access an evil maid might have while tidying his or her basic framework that controls how data is transferred across the
employers office, for example. By having physical access, a web, while HTTPS adds a layer of encryption that protects your
hacker can install software to track your use and gain a doorway connection to the most important sites in your daily browsing
even to encrypted information. your bank, your email provider, and social network. HTTPS uses
the protocols SSL and TLS to not only protect your connection,
Exploit: An exploit is a way or process to take advantage of a bug but also to prove the identity of the site, so that when you type
or vulnerability in a computer or application. Not all bugs lead to https://gmail.com you can be confident youre really connecting
exploits. Think of it this way: If your door was faulty, it could be to Google and not an imposter site.
simply that it makes a weird sound when you open it, or that its
lock can be picked. Both are flaws but only one can help a burglar Infosec: An abbreviation of Information Security. Its the inside
get in. The way the criminal picks the lock would be the exploit. baseball term for whats more commonly known as cybersecurity,
a term that irks most people who prefer infosec.
Forensics: On CSI, forensic investigations involve a series of me-
thodical steps in order to establish what happened during a crime. Jailbreak: Circumventing the security of a device, like an iPhone
When it comes to a hack, however, investigators are looking for or a PlayStation, to remove a manufacturers restrictions, general-
digital fingerprints instead of physical ones. This process usually ly with the goal to make it run software from non-official sources.
involves trying to retrieve messages or other information from a
deviceperhaps a phone, a desktop computer or a serverused, Keys: Modern cryptography uses digital keys. In the case of
or abused, by a suspected criminal. PGP encryption, a public key is used to encrypt, or lock, mes-
sages and a secret key is used to decrypt, or unlock, them. In
GCHQ: The UKs equivalent of the US National Security other systems, there may only be one secret key that is shared by
Agency. GCHQ, or Government Communications Headquar- all parties. In either case, if an attacker gains control of the key
ters, focuses on foreign intelligence, especially around terrorism that does the unlocking, they may have a good chance at gaining
threats and cybersecurity. It also investigates the digital child por- access to.
nography trade. As these adversaries work in secret, so too must
GCHQ, the organization says on its website. We cannot reveal Lulz: An internet-speak variation on lol (short for laughing
publicly everything that we do, but we remain fully accountable. out loud) employed regularly among the black hat hacker set,
typically to justify a hack or leak done at the expense of another
Hacker: This term has becomewronglysynonymous with person or entity. Sample use: y did i leak all contracts and em-
someone who breaks into systems or hacks things illegally. Orig- ployee info linked to Sketchy Company X? for teh lulz
inally, hackers were simply tinkerers, or people who enjoyed ex-
ploring the details of programmable systems and how to stretch Malware: Stands for malicious software. It simply refers to
their capabilities, as the MIT New Hackers Dictionary puts any kind of a malicious program or software, designed to damage
it. Hackers can now be used to refer to both the good guys, also or hack its target. Viruses, worms, Trojan horses, ransomware,
known as white hat hackers, who play and tinker with systems spyware, adware and more are malware.
with no malicious intent (and actually often with the intent of
finding flaws so they can be fixed), and cybercriminals, or black Man-in-the-middle: A Man-in-the-Middle or MitM is a common
hat hackers, or crackers. attack where someone surreptitiously puts themselves between
two parties, impersonating them. This allows the malicious
Hacktivist: A hacktivist is someone who uses their hacking attacker to intercept and potentially alter their communication.
skills for political ends. A hacktivists actions may be small, such With this type of attack, one can just passively listen in, relaying
as defacing the public website of a security agency or other gov- messages and data between the two parties, or even alter and
ernment department, or large, such as stealing sensitive govern- manipulate the data flow.
ment information and distributing it to citizens. One often-cited
example of a hacktivist group is Anonymous. Metadata: Metadata is simply data about data. If you were to
send an email, for example, the text you type to your friend will
Hashing: Say you have a piece of text that should remain secret, be the content of the message, but the address you used to send
like a password. You could store the text in a secret folder on it, the address you sent it to, and the time you sent it would all be
your machine, but if anyone gained access to it youd be in metadata. This may sound innocuous, but with enough sources
trouble. To keep the password a secret, you could also hash it of metadatafor example, geolocation information from a photo
with a program that executes a function resulting in garbled text posted to social mediait can be trivial to piece together some-
representing the original information. This abstract representation ones identity or location.
is called a hash. Companies may store passwords or facial recog-
nition data with hashes to improve their security. NIST: The National Institute of Standards and Technology is an
arm of the US Department of Commerce dedicated to science and
metrics that support industrial innovation. The NIST is responsi-
ble for developing information security standards for use by the
federal government, and therefore its often cited as an authority
on which encryption methods are rigorous enough to use given
modern threats.
23
Nonce: A portmanteau of number and once, nonce literally means Phishing: Phishing is really more of a form of social engineering
a number only used once. Its a string of numbers generated by than hacking or cracking. In a phishing scheme, an attacker typ-
a system to identify a user for a one-time-use session or specific ically reaches out to a victim in order to extract specific infor-
task. After that session, or a set period of time, the number isnt mation that can be used in a later attack. That may mean posing
used again. as customer support from Google, Facebook, or the victims cell
phone carrier, for example, and asking the victim to click on a
OpSec: OpSec is short for operational security, and its all about malicious linkor simply asking the victim to send back infor-
keeping information secret, online and off. Originally a military mation, such as a password, in an email. Attackers usually blast
term, OpSec is a practice and in some ways a philosophy that out phishing attempts by the thousands, but sometimes employ
begins with identifying what information needs to be kept secret, more targeted attacks, known as spearphishing (see below).
and whom youre trying to keep it a secret from. Good OpSec
will flow from there, and may include everything from passing Plaintext: Exactly what it sounds liketext that has not been
messages on Post-Its instead of emails to using digital encryption. garbled with encryption. This definition would be considered
In other words: Loose tweets destroy fleets. plaintext. You may also hear plaintext being referred to as cleart-
ext, since it refers to text that is being kept out in the open, or
OTR: What do you do if you want to have an encrypted conver- in the clear. Companies with very poor security may store user
sation, but it needs to happen fast? OTR, or Off-the-Record, is a passwords in plaintext, even if the folder theyre in is encrypted,
protocol for encrypting instant messages end-to-end. Unlike PGP, just waiting for a hacker to steal.
which is generally used for email and so each conversant has one
public and one private key in their possession, OTR uses a single Pwned: Pwned is computer nerd jargon (or leetspeak) for the
temporary key for every conversation, which makes it more verb own. In the video game world, a player that beat another
secure if an attacker hacks into your computer and gets a hold of player can say that he pwned him. Among hackers, the term has
the keys. OTR is also generally easier to use than PGP. a similar meaning, only instead of beating someone in a game,
a hacker that has gained access to another users computer can
Password managers: Using the same, crummy password for all say that he pwned him. For example, the website Have I Been
of your loginsfrom your bank account, to Seamless, to your Pwned? will tell you if your online accounts have been compro-
Tinder profileis a bad idea. All a hacker needs to do is get mised in the past.
access to one account to break into them all. But memorizing a
unique string of characters for every platform is daunting. Enter RAT: RAT stands for Remote Access Tool or Remote Access
the password manager: software that keeps track of your various Trojan. RATs are really scary when used as malware. An attacker
passwords for you, and can even auto-generate super complicated who successfully installs a RAT on your computer can gain full
and long passwords for you. All you need to remember is your control of your machine. There is also a legitimate business in
master password to log into the manager and access all your RATs for people who want to access their office computer from
many different logins. home, and so on. The worst part about RATs? Many malicious
ones are available in the internets underground for sale or even
Penetration testing or pentesting: If you set up a security sys- for free, so attackers can be pretty unskilled and still use this
tem for your home, or your office, or your factory, youd want to sophisticated tool.
be sure it was safe from attackers, right? One way to test a
systems security is to employ peoplepentestersto purposely Ransomware: Ransomware is a type of malware that locks
hack it in order to identify weak points. Pentesting is related to your computer and wont let you access your files. Youll see
red teaming, although it may be done in a more structured, less a message that tells you how much the ransom is and where to
aggressive way. send payment, usually requested in bitcoin, in order to get your
files back. This is a good racket for hackers, which is why many
PGP: Pretty Good Privacy is a method of encrypting data, consider it now an epidemic, as people typically are willing to
generally emails, so that anyone intercepting them will only see pay a few hundred bucks in order to recover their machine. Its
garbled text. PGP uses asymmetric cryptography, which means not just individuals, either. In early 2016, the Hollywood Presby-
that the person sending a message uses a public encryption key terian Medical Center in Los Angeles paid around $17,000 after
to scramble it, and the recipient uses a secret private key to being hit by a ransomware attack.
decode it. Despite being more than two decades old, PGP is still a
formidable method of encryption, although it can be notoriously Rainbow table: A rainbow table is a complex technique that al-
difficult to use in practice, even for experienced users. lows hackers to simplify the process of guessing what passwords
hide behind a hash (see above).
Red team: To ensure the security of their computer systems and

to suss out any unknown vulnerabilities, companies may hire
hackers who organize into a red team in order to run opposi-
tional attacks against the system and attempt to completely take it
over. In these cases, being hacked is a good thing because organi-
zations may fix vulnerabilities before someone whos not on their
payroll does. Red teaming is a general concept that is employed
across many sectors, including military strategy.
24
Root: In most computers, root is the common name given to Social engineering: Not all hacks are carried out by staring at
the most fundamental (and thus most powerful) level of access in a Matrix-like screen of green text. Sometimes, gaining entry to
the system, or is the name for the account that has those privi- a secure system is as easy as placing a phone call or sending an
leges. That means the root can install applications, delete and email and pretending to be somebody elsenamely, somebody
create files. If a hacker gains root, they can do whatever they who regularly has access to said system but forgot their password
want on the computer or system they compromised. This is the that day. Phishing (see above) attacks include aspects of social
holy grail of hacking. engineering, because they involve convincing somebody of an
email senders legitimacy before anything else.
Rootkit: A rootkit is a particular type of malware that lives deep
in your system and is activated each time you boot it up, even Spearphishing: Phishing and spearphishing are often used
before your operating system starts. This makes rootkits hard to interchangeably, but the latter is a more tailored, targeted form
detect, persistent, and able to capture practically all data on the of phishing (see above), where hackers try to trick victims into
infected computer. clicking on malicious links or attachments pretending to be a
close acquaintance, rather than a more generic sender, such as a
Salting: When protecting passwords or text, hashing (see social network or corporation. When done well, spearphishing
above) is a fundamental process that turns the plaintext into can be extremely effective and powerful. As a noted security
garbled text. To make hashing even more effective, companies or expert says, give a man a 0day and hell have access for a day,
individuals can add an extra series of random bytes, known as a teach a man to phish and hell have access for life.
salt, to the password before the hashing process. This adds an
extra layer of protection. Spoofing: Hackers can trick people into falling for a phishing
attack (see above) by forging their email address, for example,
Script kiddies: This is a derisive term for someone who has a lit- making it look like the address of someone the target knows.
tle bit of computer savvy and whos only able to use off-the-shelf Thats spoofing. It can also be used in telephone scams, or to
software to do things like knock websites offline or sniff pass- create a fake website address.
words over an unprotected Wi-Fi access point. This is basically a
term to discredit someone who claims to be a skilled hacker. Spyware: A specific type of malware of malicious software de-
signed to spy, monitor, and potentially steal data from the target.
Shodan: Its been called hackers Google, and a terrifying
search engine. Think of it as a Google, but for connected devices State actor: State actors are hackers or groups of hackers who are
rather than websites. Using Shodan you can find unprotected backed by a government, which may be the US, Russia, or China.
webcams, baby monitors, printers, medical devices, gas pumps, These hackers are often the most formidable, since they have the
and even wind turbines. While thats sounds terrifying, Shodans virtually unlimited legal and financial resources of a nation-state
value is precisely that it helps researchers find these devices and to back them up. Think, for example, of the NSA. Sometimes,
alert their owners so they can secure them. however, state actors can also be a group of hackers who receive
tacit (or at least hidden from the public) support from their gov-
Signature: Another function of PGP, besides encrypting messag- ernments, such as the Syrian Electronic Army.
es, is the ability to sign messages with your secret encryption
key. Since this key is only known to one person and is stored on Threat model: Imagine a game of chess. Its your turn and
their own computer and nowhere else, cryptographic signatures youre thinking about all the possible moves your opponent could
are supposed to verify that the person who you think youre make, as many turns ahead as you can. Have you left your queen
talking to actually is that person. This is a good way to prove that unprotected? Is your king being worked into a corner check-
you really are who you claim to be on the internet. mate? That kind of thinking is what security researchers do when
designing a threat model. Its a catch-all term used to describe
Side channel attack: Your computers hardware is always the capabilities of the enemy you want to guard against, and
emitting a steady stream of barely-perceptible electrical signals. your own vulnerabilities. Are you an activist attempting to guard
A side-channel attack seeks to identify patterns in these signals in against a state-sponsored hacking team? Your threat model better
order to find out what kind of computations the machine is doing. be pretty robust. Just shoring up the network at your log cabin in
For example, a hacker listening in to your hard drive whirring the middle of nowhere? Maybe not as much cause to worry.
away while generating a secret encryption key may be able to
reconstruct that key, effectively stealing it, without your knowl-
edge.
Sniffing: Sniffing is a way of intercepting data sent over a net-

work without being detected, using special sniffer software. Once
the data is collected, a hacker can sift through it to get useful
information, like passwords. Its considered a particularly danger-
ous hack because its hard to detect and can be performed from
inside or outside a network.
25
Token: A small physical device that allows its owner to log in or Virus: A computer virus is a type of malware that typically is
authenticate into a service. Tokens serve as an extra layer of se- embedded and hidden in a program or file. Unlike a worm (see
curity on top of a password, for example. The idea is that even if below), it needs human action to spread (such as a human for-
the password or key gets stolen, the hacker would need the actual warding a virus-infected attachment, or downloading a malicious
physical token to abuse it. program.) Viruses can infect computers and steal data, delete
data, encrypt it or mess with it in just about any other way.
Tor: Tor is short for The Onion Router. Originally developed by
the United States Naval Research Laboratory, its now used by Vuln: Abbreviation for vulnerability. Another way to refer to
bad guys (hackers, pedophiles) and good guys (activists, jour- bugs or software flaws that can be exploited by hackers.
nalists) to anonymize their activities online. The basic idea is
that there is a network of computers around the worldsome Warez: Pronounced like the contraction for where is (wheres),
operated by universities, some by individuals, some by the gov- warez refers to pirated software thats typically distributed via
ernmentthat will route your traffic in byzantine ways in order technologies like BitTorrent and Usenet. Warez is sometimes
to disguise your true location. The Tor network is this collection laden with malware, taking advantage of peoples desire for free
of volunteer-run computers. The Tor Project is the nonprofit that software.
maintains the Tor software. The Tor browser is the free piece of
software that lets you use Tor. Tor hidden services are websites White hat: A white hat hacker is someone who hacks with the
that can only be accessed through Tor. goal of fixing and protecting systems. As opposed to black hat
hackers (see above), instead of taking advantage of their hacks or
Tails: Tails stands for The Amnesic Incognito Live System. If the bugs they find to make money illegally, they alert the compa-
youre really, really serious about digital security, this is the oper- nies and even help them fix the problem.
ating system endorsed by Edward Snowden. Tails is an amnesic
system, which means your computer remembers nothing; its like Worm: A specific type of malware that propagates and replicates
a fresh machine every time you boot up. The software is free and itself automatically, spreading from computer to computer. The
open source. While its well-regarded, security flaws have been internets history is littered with worms, from the Morris worm,
found. the first of its kind, and the famous Samy worm, which infected
more than a million people on MySpace.
Verification (dump): The process by which reporters and securi-
ty researchers go through hacked data and make sure its legiti- Zero-day: A zero-day or 0day is a bug thats unknown to the
mate. This process is important to make sure the data is authentic, software vendor, or at least its not patched yet. The name comes
and the claims of anonymous hackers are true, and not just an from the notion that there have been zero days between the
attempt to get some notoriety or make some money scamming discovery of the bug or flaw and the first attack taking advantage
people on the dark web. of it. Zero-days are the most prized bugs and exploits for hackers
because a fix has yet to be deployed for them, so theyre almost
VPN: VPN stands for Virtual Private Network. VPNs use guaranteed to work.
encryption to create a private and secure channel to connect to
the internet when youre on a network you dont trust (say a
Starbucks, or an Airbnb WiFi). Think of a VPN as a tunnel from
you to your destination, dug under the regular internet. VPNs
allow employees to connect to their employers network remote-
ly, and also help regular people protect their connection. VPNs
also allow users to bounce off servers in other parts of the world,
allowing them to look like theyre connecting from there. This
gives them the chance to circumvent censorship, such as Chinas
Great Firewall, or view Netflixs US offerings while in Canada.
There are endless VPNs, making it almost impossible to decide
which ones are the best.
26

The Motherboard Guide To Not Getting Hacked

Uploaded by

Copyright:

Available Formats

The Motherboard Guide To Not Getting Hacked

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

The Motherboard Guide To Not Getting Hacked

Uploaded by

Copyright:

Available Formats

The

You, as an individual user, cant do anything to prevent your

04 Digital Security Basics

14 Privacy, Messaging, and Avoiding

21 Glossary of Hacking and Cyber Terms

Keep Your Apps

Do disable macros: Hackers can use Microsoft Office macros

Do back up files: Were not breaking any news here, but if

Finally, while not mandatory, it might be a good idea to install

The Motherboard Guide

We dont know what the future holds Meet in person

But these are common sense essential tips that everyone

Of course, some readers will leap at the chance to point out

And remember, always be vigilant!

Still, accuracy is important and sometimes you have to use

Red team: To ensure the security of their computer systems and

Sniffing: Sniffing is a way of intercepting data sent over a net-

You might also like