A Defensive Computing Checklist by Michael Horowitz

BASIC RULES OF THE ROAD

This website is huge, so if you read nothing else here, always remember these most basic rules of the road.

Act accordingly. If there were a contest for the most useful advice in the fewest words, the above would be my entry.

Expressing basically the same sentiment, a March 2022 article in the Washington Post suggested: "To avoid a scam using the conflict in Ukraine ... start with the premise that every direct message, link, email or text is fake and work from there. This should be your default response to any contact you did not initiate".

OTHER RULES

If you are prompted to install software, don't do it. This advice comes from Brian Krebs. Non techies can be easily scammed into installing malicious software because they don't know what software is really needed to perform any given task. In October 2023, Krebs wrote that "One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months." The article is about a new wrinkle in the scam, hosting malware on a blockchain, but this is not important for Defensive Computing. The important point is that without detailed technical knowledge, the safest thing is to just say no.

Non-technical computer users should use a Chromebook. Compared to all other mainstream operating systems, ChromeOS (the name of the operating system on a Chromebook) is much more secure and requires no care and feeding. Also, no viruses. Only computer nerds should use Windows.

Do not re-use passwords. I know this is hard as it requires a system for managing the dozens of passwords we all need to keep track of. At the least, use different passwords for the most important accounts. Which accounts are the most important is up to you, but certainly financial and email. I wrote a long article on passwords, The world's best password advice, where I introduce the concept of a password formula. It can provide reasonably secure, reasonably unique passwords that are easy to remember and safe to write down on paper.

The same advice applies to email addresses: the more you have, the better. There is no simple answer here, however. The available options are on this site, here: Multiple Email Addresses.

The price of free software and free services is no technical support. Be especially aware of this if you rely on a free email service. If something goes wrong - tough. In my opinion, email is worth paying for.

If anyone calls and asks for your Medicare, Social Security, or bank or credit card information, hang up.

You are safer with an ad blocker installed in your web browser. I recommend uBlock Origin. On the flip side, the security of browser extensions is very poor, so I would not install any other than uBlock Origin. Some sites you care about depend on ads, so you may want to configure uBlock Origin to allow ads on those sites.

Another way to block ads and trackers is with DNS, the system that translates computer and website names into their underlying numbers (IP addresses). Some services translate anything and everything, while other services will not translate known trackers or ads or porn. Different DNS services offer different options. I am a big fan of NextDNS, but setting it up may be too much for someone without a technical background. It is worth the effort, however. NextDNS can be configured on either the operating system level or just for one web browser. A good starting point is the DNS Tester Page on my Router Security website.

Don't advertise to the world (Facebook, Instagram, etc.) when your home will be empty (such as when going on vacation).

Search Engines:
--Don't do Google searches while logged in to Google. This is a relatively easy one to obey.
--Whatever search engine you use, be very attuned to which search results are ads and which are not. Some ads are scams that try to install malicious software.

Advice from the mainstream media, such as the New York Times, the Washington Post and the Wall Street Journal is frequently bad. For whatever reason, they hire reporters, not nerds. You should not take technical computer advice from anyone without a technical computer background. No one writing for the mainstream media has a technical computer background. They may mean well, but they are rarely qualified to offer an opinion.

Avoid the cheapest Android devices. That includes phones, streaming TV devices and tablets. Especially avoid devices without a name brand. These things have often come with malicious software pre-installed. Another potential problem is the battery. I purchased an onn Android tablet from Walmart. Big mistake. The battery swelled up which is quite dangerous. I suspect that hardware or software that prevents this sort of thing costs money and a low end tablet will cut every corner it can.

When installing Android apps, be very careful that you have the real app, not a scam copy. Google does a very poor job in this regard, so it falls on you. You need to verify not only the name of the app, but the developer too. And the name must be an exact match for what you are looking for.

If your mother tweets something, don't believe it. Twitter is full of liars. There are hardly any employees there since Musk took over.

When you hear someone's voice, be it a famous person or a relative in distress, be aware that the voice and the words could both be faked.

Avoid cryptocurrencies (aka crypto) and NFTs. Crypto has many characteristics of a scam. NFTs were always a scam.

Some companies have behaved badly and the Defensive Computing thing to do is avoid their products.

  1. I would avoid Gazelle, which buys and sells smartphones. I tried to buy a used iPhone from them and the order was delayed. Why? They would not say. When would it ship? They would not say. Would it ever ship? No comment. And, they would not cancel the order either. Other opinions:
    My experience with Gazelle, a learning experience from Reddit, more about selling a used phone rather than buying.
    Gazelle Reviews at ConsumerAffairs.com
    Gazelle at the Better Business Bureau
    Their Terms and Conditions
  2. Western Digital and SanDisk fall into that category according to this August 2023 article: WD refused to answer our questions about its self-wiping SanDisk SSDs by Sean Hollister for The Verge. "For months, the company has been laughably silent about how its pricey portable SanDisk Extreme SSDs might lose all your data ... Months after our inquiries, Western Digital continues to sell these drives due to deep discounts, fake Amazon reviews, and issues with Google Search that rank favorable results far higher than warnings about potential failures." This issue has generated three lawsuits. "Western Digital was already forced into a class action settlement over a previous questionable practice: in 2020, the company brazenly tried to sneak SMR drives into its WD Red lineup marketed for network-attached storage devices. The company paid $5.7 million to settle those claims."
  3. Sandisk: A personal story - I bought a Sandisk Ultra Dual Drive USB Type-C flash drive in September 2023. The packaging (and the linked PDF) said to go to a URL for a list of compatible devices. The URL did not exist. When I navigated through the Western Digital Support website and found the support page for the thing, there was no list of compatible devices anywhere.
  4. If you are buying a printer, probably best to avoid HP. For more, see the Printers page here.
  5. If you are choosing a cellphone provider, be aware that T-Mobile has the most hacks and data breaches.
  6. As a rule, avoid software from Microsoft. Don't use their web browser (Edge), don't use Skype, don't use Teams, don't use Office (go with Libre Office instead), don't use Windows, etc.
  7. Avoid Lastpass (a password manager).
  8. Avoid Cisco; they have a miserable record both in terms of software bugs and hard-coded admin passwords. More details are on both the News and Bugs pages of my RouterSecurity.org site.
  9. Avoid Microsoft. Enough said.
  10. Maybe avoid Tesla. This Reuters article describes how they have been dishonest:
    Tesla blamed drivers for failures of parts it long knew were defective by Hyunjoo Jin, Kevin Krolicki, Marie Mannes and Steve Stecklow December 20, 2023.
  11. AT&T has behaved miserably in regard to a data breach they suffered in 2019. Simply put, the company is a lying weasel. It took them almost five years to confirm that the stolen data actually belonged to them and to alert their customers. And, they have said nothing about how the data was stolen. See
    AT&T now says data breach impacted 51 million customers by Bill Toulas of Bleeping Computer April 10, 2024
    The article details how AT&T said as little about this as they could get away with. In 2021 they told BleepingComputer that the data did not belong to them and that their systems had not been breached. In March 2024 they again told Bleeping Computer that the data did not originate from them and their systems had not been breached. Then it was confirmed that the data did belong to AT&T (and DirecTV). Only then did AT&T come clean. They are facing multiple class-action lawsuits in the U.S.
  12. In April 2024, it came out that some D-Link NAS devices had a backdoor. That is, D-Link could get into the devices remotely, whenever they pleased. This is not something a reputable company does. See Critical takeover vulnerabilities in 92,000 D-Link devices under active exploitation by Dan Goodin for Ars Technica.
  13. Avoid Substack where Nazis are good and tits are bad. I say this not because of privacy or security or any Defensive Computing reason. I say it after reading this Ed Bott article from January 4, 2023: Happy New Year to everyone except Substack's owners. The company is managed by miserable human beings. If you want to create a newsletter, do not use them. This is not to say that everything there is bad, not at all. Many people creating newsletters do not have the technical ability of Ed Bott and can not move to another newsletter company. But, be aware that hate is good (and profitable) to the people in charge of Substack.
  14. Slightly off-topic: There is much that can be said about Boeing and their planes but, as this is a Checklist website, I will simply suggest not flying on any plane made by Boeing. Their 737 Max gets most of the bad publicity, but the real problem, in my opinion, is the company itself. One example: In January 2024 a two-month-old 737 Max 9 blew apart while in the air: What to Know About Boeing's 737 Max 9 and the F.A.A. Grounding by Christopher Schuetze, Keith Bradsher and Melissa Eddy for the New York Times (Jan 6, 2024).

If you depend on a VPN for privacy, do not use iOS devices. Apple sends data to their own servers outside of the established VPN tunnel. This has been going on for a long time and Apple cannot be shamed into doing the right thing.

If someone on Twitter says that ice cubes are cold, don't believe it.

Ignore Passkeys, they are nothing more than a password that you are not allowed to know.

Avoid very cheap USB flash drives. The storage capacity that they claim to have can be faked. The faking extends to your operating system, which reports the scam capacity. In fact, your operating system is likely to show nothing wrong because the flash drives lie to the operating system about the success of writing data, always reporting that it worked. Even formatting the thing reports no errors. This situation prompted Steve Gibson to create his ValiDrive program (only works on Windows) in September 2023.

For secure messaging use Proton Mail or Tutanota mail. Both email systems offer normal webmail, so they can be used on a Chromebook in Guest mode to ensure that they leave no traces behind. There is no need for a secure messaging app. Any app that runs on Android or iOS will never be as secure as a Chromebook, especially in Guest mode. With each company, messages between their customers are secure by default. The public and the companies can see the FROM and TO email addresses, but they cannot see the body of the messages. Proton also cannot see into any attached files. Not sure about Tutanota. Both companies offer free accounts that you can sign up for anonymously.

Many credit cards can send you an email for every charge when the credit card was not physically present. In my experience, this has been a free service. It is a great way to immediately learn if a bad guy is charging stuff to your credit card.

December 17, 2023: What to do when receiving unprompted MFA OTP codes by Lawrence Abrams for Bleeping Computer. If you receive an unprompted two factor code (typically via a text message) it probably means that bad guys have the password to whatever site/system sent the 2FA code. You should log into that site/system and change the password ASAP. Do not click on links in the text message or email message. If that password was also used at other sites/systems, change it there too.

SCAM INDICATORS

  1. A stranger wants remote access to your computer.
  2. You are prompted, out of the blue, to install some software. As Brian Krebs says "If you didn't go looking for it, don't install it!"
  3. You must act immediately or the Earth will stop spinning and all humans will fly off into space and die. OK, slight exaggeration to make a point. The point being that scams pretend that you must act quickly so that you don't have time to take a breath and question things.
  4. Official agents of the U.S. government will never message you on Facebook, WhatsApp or any other social media or messaging app. If you think you are being contacted by the U.S. government the best thing to do is to contact the agency directly.
  5. The person contacting you knows so much about you that they must be legitimate. No. As a result of far-too-many data breaches, the bad guys know a lot about you.

And, any time you are asked to pay for something with a gift card, it is a scam. Here we see a drug store that fought back against these scams.

And, again, the rules of the road: Act accordingly.

Created: August 16, 2022. Last updated: April 22, 2024.
Website by Michael Horowitz (@defensivecomput). Copyright 2019 - 2024.