ALL Android and iOS wallets are potentially compromised!

Bizul
Feb 1, 2018


Fortify your assets, protect your wallets.

Your mobile device is a treasure trove of data for ad companies that target you by your interests. Android, as an open platform, is flexible, and with flexibility come loose ends. Apple’s iOS, as a closed system, isn’t any more secure: almost every week, malicious code found in apps leads to hundreds of apps being removed from the app stores. The latest hardware vulnerabilities (Meltdown and Spectre) are key examples of how your valuable information can be compromised simply by visiting a webpage loaded with malicious JavaScript. If your device is still within warranty, you might get a security update, but expect it to break more than it fixes, as happened with the latest Intel patch for Meltdown and Spectre.

A Windows PC or a Mac should, in theory, be more secure than a mobile device, but this is far from the truth. The OS constantly uploads your data to the cloud. Most applications love to send all kinds of user data, including partial RAM dumps, for analysis to “improve their services”. The problem escalates when your data is shared with third-party companies, entrusting it to employees with nothing but their morals preventing them from snooping. When a company is hacked, gigabytes of personal data are sold or released publicly. Encrypted RAM should prevent this in the future, but until then, in the unlikely event that the galaxies and planets line up, your precious DeepOnion private keys may be stolen, and when that happens you will get extra grey hairs, if there is any hair left at all. Don’t relax yet: encrypted RAM doesn’t prevent keylogging. Two-Channel Auto-Type comes to the rescue, but it isn’t secure if you have to type your passphrase to unlock your password database in order to use it.

Enough with the scare. You can’t trust your device, because every day there are new vulnerabilities. We install all kinds of apps and programs without a second thought. Both closed- and open-source programs can have modified code without the owner’s knowledge. Always verify the file hash, and hope it was not modified by a man-in-the-middle attack. Independent auditing is necessary to find unintentional as well as intentional vulnerabilities. It is better to find and fix a vulnerability before someone else finds it and announces it publicly, which would be devastating for any project. So how do we keep our data, and above all our wallets, secure? I tried to come up with this simple guide to tighten the leash on your network cable. Casual users may find this intimidating; spend some time learning and you can sleep better at night. I already linked everything related to make it easier for you.

1. Start with a fresh Windows installation.

Mac is too closed to fully control, and Linux is more flexible but isn’t easy for casual users.

Recommended OS: Windows LTSB.

2. Install a firewall that blocks ALL communications.

Then whitelist the programs you need individually. This is not practical, but it works. It should block all Windows telemetry unless you enable some services. The firewall will prevent all unwanted communication except during startup and shutdown, or whenever the firewall process is terminated. Open-source hardware firewalls are another topic.

Recommended Open-Source: SimpleWall by Henry++.

Recommended Closed-source: TinyWall.

3. Disable all data telemetry in Windows.

You can find the option to disable most data telemetry in gpedit.msc on Windows LTSB. These programs can block the rest.

Recommended Open-Source: Destroy Windows Spying.

Recommended Closed-source: O&O ShutUp10 or Spybot Anti-Beacon.

4. Use a non-administrative Windows account.

After you have fully set up Windows the way you like, with all the necessary programs, create a non-administrative account for your daily use. This way you will have to enter the admin password before running executables, which prevents you from running applications by mistake. However, this will not prevent you from running script files (PowerShell, .bat, .com, .html, .vbs), nor will it protect against zero-day vulnerabilities.

Once your Windows is ready for use, I recommend Clonezilla to make a clone of your entire drive. This will save a lot of time if you need to reinstall Windows for any reason. Clonezilla is an open-source tool that makes a small (~30GB) image of your entire OS drive, which can be restored in about 30 minutes with all your modified settings and programs intact.

5. Use Sandboxing to run any program.

Remember that all executables, scripts, Office files, PDFs and webpages are a potential compromise of your security and privacy. Always use a sandboxing program to run them. USB AutoRun isn’t as dangerous as it used to be, but I prefer to disable it.

Recommended Closed-Source: Sandboxie.

6. You don’t need an Anti-Virus.

I’ve been running my PC for 3 years now without an AV. Anti-viruses are an additional layer of compromise to your data, and they are not immune to zero-day vulnerabilities anyway. Not all AVs are updated in time, and they are a wasteful resource hog. However, you must:

7. Be smart.

Installing unidentified programs can compromise your system. Browser extensions can leak your data. I have EFF HTTPS Everywhere, EFF Privacy Badger and uBlock Origin. I do have a Dim the Lights extension for reading articles at night. I use a hardened version of Chromium with cookies and JavaScript disabled. I enable them for individual sites as needed.
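As an added example (not from the original post), here are steps 2 to 5 applied with built-in Windows tools instead of the third-party programs recommended above: Windows Firewall with a default outbound block and a per-program allow rule, the AllowTelemetry policy and the DiagTrack service, a standard user account, and AutoRun disabled. The wallet path and the account name `daily` are placeholders; run it from an elevated PowerShell on Windows 10 / LTSB.

```powershell
#Requires -RunAsAdministrator
# Added example: hardening steps 2-5 with built-in Windows tools.
# Placeholders: $WalletExe (your wallet binary) and $DailyUser (account name).
$WalletExe = 'C:\Program Files\YourWallet\wallet.exe'   # placeholder path
$DailyUser = 'daily'                                      # placeholder name

# Step 2: block ALL traffic by default, then whitelist programs one by one.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName 'Allow wallet (outbound)' -Direction Outbound `
    -Program $WalletExe -Action Allow -Profile Any | Out-Null

# Check: every firewall profile must now default to Block for outbound traffic.
function Test-OutboundDefaultBlock {
    $open = Get-NetFirewallProfile | Where-Object { $_.DefaultOutboundAction -ne 'Block' }
    return ($null -eq $open)
}
if (-not (Test-OutboundDefaultBlock)) { throw 'Outbound default is not Block' }

# Step 3: telemetry policy (0 = Security level, honoured on Enterprise/LTSB)
# and the Connected User Experiences and Telemetry service (DiagTrack).
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dc -Force | Out-Null
Set-ItemProperty -Path $dc -Name AllowTelemetry -Value 0 -Type DWord
Stop-Service -Name DiagTrack -Force -ErrorAction SilentlyContinue
Set-Service -Name DiagTrack -StartupType Disabled

# Step 4: a standard (non-administrator) account for daily use.
if (-not (Get-LocalUser -Name $DailyUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $DailyUser" -AsSecureString
    New-LocalUser -Name $DailyUser -Password $pw | Out-Null
}
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue
# Check: the daily account must not have ended up in Administrators.
if ((Get-LocalGroupMember -Group 'Administrators').Name -like "*\$DailyUser") {
    throw "$DailyUser must not be an administrator"
}

# Step 5 (the AutoRun note): disable AutoRun for all drive types (0xFF = 255).
$ex = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $ex -Force | Out-Null
Set-ItemProperty -Path $ex -Name NoDriveTypeAutoRun -Value 255 -Type DWord
```

With the outbound default set to Block, DNS, Windows Update and time sync (all via svchost.exe) stop working until you add allow rules for them, which is the trade-off the text describes as “not practical, but it works”.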

8. Mobile wallet and funds protection.

Finally, how do you use a mobile wallet safely? Easy: create a new wallet on your mobile device, then send the amount of funds you need from your secured Windows wallet to the mobile wallet. It is not convenient, but it is a better remedy for grey hair and hair loss. You can use an offline wallet with manual updating if you are paranoid.
