The Worst Guide to Digital Security on the Internet Today
It's no wonder that today more than ever, people are starting to pay attention and getting a bit paranoid when it comes to using computers and the internet. In response to the endless hacks and security scares, some websites have tried—with mixed results—to provide confused consumers with tips and advice on how not to get hacked.
The Observer, The Guardian's sister Sunday newspaper, is the latest to try to help with a guide titled "Extreme online security measures to protect your digital privacy," which was published last weekend.
Unfortunately, despite its best intentions and some good advice, the article contains some pretty awful, confusing, and misguided tips as well. Twitter's favorite security expert, Swift On Security, went as far as to ask The Observer to delete the article.
Here's what's wrong with it.
First of all, when giving security advice to users, it's important to consider the threats they face. Are we trying to help dissidents in Iran or China? Or just average users who might be victims of malware attacks that target indiscriminately? Also, is this guide specifically for protecting privacy, or security? Protecting yourself from being tracked and from being hacked are two very different things.
The piece seems to be for the most paranoid, given that it promotes "extreme online security measures." And yet, it fails to mention some of the most basic advice that is essential not just for the average Joe or Jane browsing the net, but also activists in repressive regimes: use a password manager, use two-factor authentication everywhere you can (definitely on email and social media), disable Flash Player, and use privacy-protecting browser extensions such as HTTPS Everywhere.
Protecting Your Email
First, the guide recommends getting a personal (SSL) digital security certificate for your email, which allows you to ensure your email travels over the internet in an encrypted form.
Not only does this seem like a massive pain in the ass, but it's also unclear how effective it is compared to easier solutions. If you're worried about emails getting snooped on, you could just use encrypted instant messengers such as Signal or even WhatsApp. Or if you really want to use email, use relatively easy-to-manage plugins for PGP encryption, such as GPG Tools, or try providers such as ProtonMail, who do all the work for you.
Could it be a good idea to use a second, "secure" laptop for all your sensitive activities, as The Observer suggests? In theory, yes, but the guide recommends keeping "your banking and payment details safe by designating a second computer—perhaps an old laptop."
But how old is this laptop? If it has an old operating system on it and is not receiving security updates anymore, this is terrible advice: If anything, your banking credentials would be more at risk on this machine than on your normal, up-to-date one. Compartmentalization can help you be safe online, but it needs to be done right.
Using a secure operating system
It's a good idea to clean up unwanted apps and software, usually known as bloatware, from your systems, as the guide recommends. But that might not be enough. The most important thing is to keep the operating system and all software up to date. Also, Windows, especially the new versions (obviously, please don't use Windows XP for god's sake), isn't as awful as it used to be, despite The Observer scaring readers away from it.
"Hipster" apps? WTF?
"Just as you can avoid most viruses by switching away from Windows, you can reduce your risk by using less popular software that's less likely to be targeted," The Observer suggests, encouraging readers to "switch to hipster applications."
No, abandoning Chrome for the Opera browser doesn't make you less likely to be hacked. Chrome is one of the safest browsers out there, with a big and respected security team behind it. And on top of it all, it gets updated automatically on Windows and Mac, so you can't lazily click on "install later" like you (and everyone else) normally do when an update pop-up comes your way.
Tinfoil all the things?
It's good to be vigilant, but putting tinfoil on the walls of your apartment or house, as The Observer suggests, is ridiculous and is not going to keep the hackers out. The paper itself discredits its own advice in the same paragraph, quoting a security expert saying that's "the household equivalent of putting a tin hat around your head."
Using the Tor Browser is great for circumventing censorship or protecting your privacy, but recommending it as a general security tool is probably going to cause a lot of headaches for the ordinary consumer. Logging into your PayPal or online banking account through Tor, for example, is probably going to set off alarm bells, and end up with you getting locked out. What's the point in using a tool for security, if you can't actually do what it is you need to do?
What It Gets Right
Despite all that's wrong with it, the guide does get some things right: It's good to be mindful of what one shares online (don't tweet a picture of that shiny new credit card, kids); using Virtual Private Networks (VPNs) can be a good idea, though you have to trust the VPN provider of your choice; and Chromebooks are good for general security (though not necessarily for privacy).
Finally, using virtual machines, or an operating system that's built around the general concept of separating tasks into different parts of the system such as Qubes, does greatly reduce the risk of getting hacked. For example, if you open a PDF laced with malware in a virtual machine, it will not infect your regular operating system.
But it's not trivial for average users to learn how to do that. So if you're simply worried about opening a PDF because of vulnerabilities in your reader, for example, it might be enough to upload the file to Google Drive and view its contents there instead.
Yes, security is hard. And yes, people need to start caring about it if they don't want to be hacked or get their identity stolen. But publishing guides that not only confuse users, but are also filled with inaccurate and dangerous advice, is not the answer.