Food for thought: what would you recommend for non-tech people and BFU to improve their online security? Just one recommendation for people who do not like technology and are not able to install an OS such as Qubes, Tails, Whonix, Linux, etc. Let's assume the standard Windows user with the OS preinstalled on their computer, with security updates enabled.
What about these recommendations:
  • more privacy-oriented browser?
  • password manager?
  • 2FA?
With a privacy-oriented browser they could prevent tracking and leaking of info. Moreover, they will see much cleaner websites without a lot of junk, and even YouTube videos will be ad-free. They will love it.
With a password manager, they will prevent easy-to-guess passwords and password spraying. On top of that, with the browser extension's checks of URLs/domains they can prevent phishing sites. But using a local password manager (e.g. KeePassXC) can be very annoying for them, especially when they want to log in from some other device (computer at work, smartphone, tablet). Alternatively, they could use a cloud password manager (or a local password manager with the DB synchronised via cloud) and a mobile app. So they will always have access to their passwords, but it is still very annoying when they need to manually type a 20-char random password from the mobile into some other computer (e.g. at work). They will hate it.
With 2FA enabled and their habit of using 3-4 passwords everywhere, they will prevent successful login via password spraying (because of 2FA). They will partially prevent phishing (except scenarios such as 2FA MITM or Browser-in-Browser for hijacking sessions). They will be able to log in even from other devices.
It is relatively easy to install an auth app on a smartphone and enable 2FA everywhere possible. Most important services already support TOTP. A lot of them can send a notification after a successful password attempt from an unusual location, so users will be notified about the problem and hopefully realize that 3-4 passwords are not a good long-term approach. They will accept it.
What are your opinions?
Poll results (32 votes, poll ended):
  • Privacy-oriented browser: 9.4%
  • Password manager: 46.9%
  • Two-factor authentication (2FA): 28.1%
  • Something other (please comment): 15.6%
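The TOTP mechanism the post relies on is small enough to show in full. The following is an added example, not code from the original post or from any product mentioned in the thread: it implements RFC 4226 HOTP and RFC 6238 TOTP with only the Python standard library (`hmac`, `hashlib`, `base64`, `struct`), and a server-side verifier that accepts a code within one 30-second step of the current time (to tolerate phone clock drift) and refuses to accept the same code twice. The secret is the published RFC test key in base32, used here as a constructed demo value. The verifier also makes the post's caveat concrete: a relayed fresh code from a 2FA MITM or Browser-in-Browser page still verifies, because the server only sees a valid, unused code.

```python
"""RFC 6238 TOTP generation and server-side verification (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890"
# encoded in base32, which is the form an authenticator app reads from a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): truncated HMAC-SHA1 over a big-endian 8-byte counter."""
    pad = "=" * (-len(secret_b32) % 8)          # base32 needs length % 8 == 0
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    now = time.time() if at_time is None else at_time
    return hotp(secret_b32, int(now // step), digits)


class TotpVerifier:
    """Server side: accept a code within +/- `window` steps, never twice."""

    def __init__(self, secret_b32, step=30, digits=6, window=1):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1                  # highest counter already used

    def verify(self, candidate, at_time=None):
        now = time.time() if at_time is None else at_time
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                        # replay defence: each step once
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Live code for the demo secret, plus a verification round trip.
    code = totp(DEMO_SECRET_B32)
    print("current code:", code)
    print("verified:", TotpVerifier(DEMO_SECRET_B32).verify(code))
```

Pairing an authenticator app with a site is exactly this: the site stores `DEMO_SECRET_B32` for the account and runs `TotpVerifier.verify` on each login, while the phone runs `totp` with the same secret. The replay check is what stops a captured code from being reused after its 30-second step; it does nothing against a proxy that forwards a fresh code within the same step.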
The biggest security gains will come from your own behavior, not from software. No amount of privacy browsers or password managers or security-oriented OS will help if you don't practice good operational security.
reply
While I agree with the spirit of your statement, I think it's important to remember something. In the same way we expect everyone to ultimately be in charge of their own health, we simultaneously don't expect everyone to have the same knowledge that a doctor has. It should be clear and obvious to me that something like smoking will damage my health even without education, hence the warning label.
Software engineers and security experts have a duty to make it as easy as possible to do the right thing, and the reality of the situation we have now is that it's actually kind of hard for a normal person to practice decent security online.
For example, telling everyone to use a unique password everywhere and simultaneously remember all of them. It's hard to even explain why that is important. It's all far too complex for most people. Especially the elderly. Password managers are a good step but the facts are websites are breaking compatibility with them all the time and it is still hard to use them without paying for a subscription. Passkeys are a good further step. Hopefully we get to a place where no one is expected to have a photographic memory for random strings or passphrases.
reply
Yeah, I agree with you too.
I think the point I was more trying to make was: don't just think you're safe just because you have the right tools. If you don't have good security practices along with those tools, you can still easily be compromised.
Phishing and social engineering are the obvious examples, but there are other simple ones too, like turning off clipboard history (which is turned on by default in Windows), setting an automatic lock time on your password manager, etc.
reply
"don't just think you're safe just because you have the right tools." - exactly.
This reminds me of the quote from Bruce Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
And yes, my first recommendation for people is to educate themselves and others. Cyber awareness. However, I sometimes get the question about the "top" (tech) thing non-tech people could do for better protection, in addition to education. Something which helps with preventing the common attacks. Some quick win or low-hanging fruit. Obviously, we cannot expect that 1, 3, 10, or hundreds of technical countermeasures will stop all attacks. However, with several simple things, we can help people to prevent or at least recognize a lot of common attacks.
reply
Very nice. My professor at the university once told us that regarding security, computer science failed in one thing: while we have a lot of proofs that bricks are safe and secure, we still cannot guarantee that the house built using those bricks will be safe and secure too. Basically, we do not have simple techniques for how to connect the bricks together, how to use the glue in a way that does not affect their security. There are a lot of formal proofs using Turing machines and finite-state automata, but we lack proofs for the computers and software we use on a daily basis.
reply
Adblocker is a big one, and pretty easy to use. The biggest problem is that it will break some websites for some people, but as long as you explain how to turn it off and when you might need to, they always seem to love it, and it tangibly reduces the chances of being a victim of a scam or drive-by malware.
reply
Brave browser
My brother had no idea what Brave was
reply
In the past, I used Adblock or Adblock Plus, but nowadays they are too often detected by so many websites, as you wrote. uBlock Origin seems to be a better alternative. (Moreover, it blocks all advertisements, unlike Adblock, where it is possible for advertisers to bypass your filters with "non-intrusive" ads.)
And Brave browser is a good option with privacy by default.
reply
110 sats \ 0 replies \ @Jer 22 Aug
I agree with @SimpleStacker - online behavior is key. Here is a great link that sent me down a rabbit hole. Speaking from experience: Lesson 1 - it's very tough, to try and undo what has already been done from years of sloppy online presence.
reply
It is very complicated for the average citizen to be interested in these issues, I know and I affirm it, I was one of them until recently, and I was one of those who used the same password 🔑 for Facebook, bank, and school locker. Fortunately I eradicated those bad habits and all thanks to the Bitcoin burrow. But if it weren't for coming across and getting interested in Bitcoin I would never be using tools like Proton, Tutanota, Aegis, Bitwarden, mullvad paid with XMR, they are small examples of tools or habits that culés use frequently today and that years ago were simply unthinkable. It is very difficult to talk to an average person about how bad it is to publish your entire life on social networks, and how bad it is to not have security tools or processes to move around the internet, I think you will convince them to buy Bitcoin faster hahaha 😆 than convincing them of the other two options.
reply
From Bitcoin to security. I like this option. Definitely, there are a lot of people who started with Bitcoin, then learnt something about Bitcoin itself, the technology, and then security. To protect their coins, and their privacy, too.
reply
certainly!! since it is impossible to get seriously involved with Bitcoin without going through the other rabbit holes. Security, privacy, anonymity, hard money, soft money, monetary policies, scarcity, game theory, cryptography, geopolitics, politics, basic economics, mathematics, among others, all important aspects to understand Bitcoin and they are usually fields of information that are not handled by ordinary 👥 people, when we are still very asleep about what is happening in the world and what we can really do with our lives, we are very trapped by our eternal 🔄short-term circle which almost never allows us to raise our face like a meerkat to see what is happening around us.🌎🌍
reply
Keep it simple and deal directly with the fundamental problem. Just install Linux; Ubuntu is maybe the easiest. It's not that difficult to install and operate. Otherwise you will forever be struggling to secure an inherently insecure, state-sponsored, surveillance-embedded OS, be it Windows or Apple.
reply
Agree. In the past, I installed Linux for several people... I used Ubuntu or Ubuntu-based distros such as ZorinOS. For many people it was only a minimal change in their workflows, especially if they mostly use a web browser. Otherwise, if needed, with a little tinkering ZorinOS could look very similar to Windows.
reply
20 sats \ 1 reply \ @ken 22 Aug
I recommend a custom DNS server (like a pi-hole). It's a nice layer of protection for your home network.
reply
Yes, for a home network it is good. It is a pity that there is no really available and cheap home router/AP which people can buy and use in their home networks, something you can buy in all local electronics shops and stores.
On the other hand, we then also need a VPN for protecting people's mobile devices when they are not in their home networks.
reply
Reusing the same weak passwords and account creds everywhere is probably the lowest hanging fruit to grab. Using a good open source password manager like Bitwarden is an easy win.
I'd say using 2FA (not SMS where possible) is a close second if not equally as important. Don't use some TOTP app that isn't open source and doesn't allow for exporting your secrets either. Aegis on Android is really good.
You can also use Bitwarden for this but I like to keep those separate.
For non-tech people this is a great place to start but as @SimpleStacker said the biggest issue is between their ears. They need to start thinking and realize what the risks are and the impact of their laziness or ignorance. Then you can use these tools to avoid being easy prey. No app is gonna protect you. They are tools that you can use to secure your secrets.
reply
Now, I will say getting off of Windows is a must. It is much harder to be secure on Windows when the OS is literally showing you ads. When your OS is the biggest target on the planet. When your OS is a mess of legacy crap piled on top of itself.
I don't recommend people switch to Apple but rather Linux. But Apple would be far better in many ways. I recommend people try Mint or PopOS. Both come with UIs that are similar to Windows. Most people in my experience do not really need Windows or macOS. They mostly use web apps, email, and a few built-in things. They could pretty easily switch to Linux. It's the people that REALLY use the OS that have a harder time switching to Linux.
reply
Yes, if someone uses only web apps, then switching from Windows to Linux is really simple. I sometimes also use Zorin OS; with a little tinkering it can look almost exactly like Windows 10, including the icons and the wallpaper. Moreover, after several months of using Linux, we can ask those people (especially elderly people) if they notice something. Usually not, or someone says that the system is faster, it can start in a few seconds, etc. Only when I asked them did they realize that the annoying Windows updates on shutdown were gone...
reply
I'm always surprised at the amount of people around me, both non-tech-savvy and surprisingly tech-savvy folks too, who do not use a password manager. I falsely assumed, being in my own bubble, that was considered barebones these days.
So it gets my vote.
2FA is not far behind, but most of them use it and are often forced to by their apps and services, even if it's the insecure SMS kind.
reply
The most effective and most low-tech advice is:
  • Be very careful with what you publish online.
  • Always be suspicious of anything you see/read online.
reply
Privacy and simplicity are usually on opposing ends of a spectrum.
The simplest way of living online these days is to sign up and use multiple services from big tech companies. That's clearly not private, but it's super easy.
Running everything on your own server and using open source apps only, etc, is clearly more private, but it's not easy for the average person.
I don't think there will be a time in which the mainstream is private.
reply
Start with a simple email service: stop using Google and use services like ProtonMail. Good tips for starters. It's the people that are the problem, not the technology.
reply
  1. Use different usernames on different websites/apps. Search for yourself on www.perplexity.ai and you will be surprised. Anyone can find quite detailed information about you.
  2. Do not share your daily life on the internet. If you have to, keep it to a minimum.
reply
Take it easy
reply
Hello good gentlemen, thank you for the good topic and good comments in the answers, be kind, greetings from Moscow
reply
Many, something sketches me out still about password managers. These are huge honeypots, and if they get hacked, the hackers would have access to so many kingdoms of wealth across the world. I think having complex unique passwords is key, and 2FA/privacy browser would be a good idea.
reply
Air gap. Stay offline.
reply