Virtual Bullproofing my Life
June 9, 2013 8:50 AM   Subscribe

I'm interested in asserting a lot more control of my personal information and communications to prevent prying eyes of both governmental and criminal types. I'm interested in general best practices to secure my personal information, passwords, data and communication (including phones, texting and email). I am not an expert in software or anything of the kind. I use an iPhone and Apple computers. There's a few more specific requests inside.

1). There seems to be a lot of conflicting information on how to protect passwords, security questions, and logging onto websites. What's the current best practice on passwords? Is it a central password program? If so which one is best?

2). I'm interested in the ability to record video or other data on my iphone in a manner that allows it to be sent directly to someplace else so that, for example, I could record video of something, have my phone seized and still be able to access the video. What's the best program for this?

3). I currently use dropbox to store data. Recent news seems to suggest it is not or will soon not be secure. Is there a secure cloud-based data-storage system?

4). I should just delete my Facebook profile, right?

5). I currently have my own email address from my own domain (as opposed to gmail). What are the best services for preventing hacking and identity theft?

6). I was recently shocked to find a website that had collected the last four places that I had lived and had published the data publicly. What can I do to scrub the web of information like this? And how can I prevent it from happening in the future?
posted by anonymous to Computers & Internet (15 answers total) 47 users marked this as a favorite
That's a lot of questions. I'm going to tackle #6. That is public data, it's always been available. in phone books, at the county courthouse, etc; the internet just makes it easier. I'm not saying you can't get it removed by trying but it comes from a lot of sources - property tax records, phone records, voter registrations - some of which are absolutely public, for good reason.
posted by donnagirl at 9:04 AM on June 9, 2013 [1 favorite]

Can't help you with any but #6, but re: #6, many of these sites have privacy policies that allow you to write in to request removal. You may have to send a copy of your driver's license, though. In the future, you could de-register from voting and be sure to use a non-residential address for all things possible--even your driver's license can have a PO box. So many companies sell your personal info, even the really random ones.
posted by juliagulia at 9:06 AM on June 9, 2013

I'm certainly not an expert, but I'll give some recommendations:

1) Passwords
Use two factor authentication when available
Use SSL (aka HTTPS) when available (Chrome extension HTTPS Everywhere helps)
Use a VPN when on public wifi
Use a different password for each site, so a breach of one site doesn't compromise any others
Use randomized strings of letters (non-guessable answers) to answer security questions
Use a random password generator to generate more complex passwords
Use a password manager to store security answers and passwords

Since breaching of a password may come from a keylogger or a database breach at the website, I'd argue "difficult" passwords are less important than something like two factor authentication, but they're also easy to implement with a password manager.

2) There are several apps which record audio or video directly to dropbox in case a phone is seized. (Side note: passcode your phone and have FindMyPhone enabled so you can remote wipe.) Of course the dropbox thing is counter to your question about dropbox in #3.

3) AeroFS is like dropbox but the files are only stored on your home computer, never the cloud. I think some of problems come in when an app (like, say, a PDF reader) supports dropbox loading in app whereas something like AeroFS won't be supported. Spideroak also seems to be a more privacy conscious online backup service, although I haven't used it personally.

4) Up to you, really. Facebook can be a valuable too for connecting with distant friends, especially if you closely monitor the privacy settings. They can only mine what you put into it. There are Chrome/Firefox extensions that block it mining other cookie data.

5) Two factor authentication with your cell phone

6) is a site which helps you scrub yourself from databases. Some database sites are more helpful with removal than others (send a fax, really!?) and it's definitely a constant battle as public databases are mined for data again and again.
posted by bluecore at 9:33 AM on June 9, 2013 [2 favorites]

An article linked in the Metafilter thread "beyond brute force" last month has a good graph and explanation showing why it's important for passwords to have at least nine characters:

Passwords should also be things that couldn't be stored in a database, like actual words. I'm no expert, but using a password manager seems to be highly recommended.
posted by Sleeper at 9:35 AM on June 9, 2013 [1 favorite]

I don't have a lot to add, but this list of recommendations is a good start:
This is copied in full from: The original page includes links to everything mentioned below.

Don't ask your government for your Privacy, take it back:

Browser Privacy: HTTPS Everywhere, AdBlock Plus + EasyList, Ghostery, NoScript (FireFox), NotScript (Chrome)
VPNs: BTGuard (Canada), ItsHidden (Africa), Ipredator (Sweden), (Cyprus / Netherlands)
Internet Anonymization: Tor, Tor Browser Bundle, I2P
Disk Encryption: TrueCrypt (Windows / OSX / Linux), File Vault (Mac).
File/Email Encryption: GPGTools + GPGMail (Mac), Enigmail (Windows / OSX / Linux)
IM Encryption: Pidgin + Pidgin OTR
IM/Voice Encryption: Mumble, Jitsi
Phone/SMS Encryption: WhisperSystems, Ostel, Spore, Silent Circle ($$$)
Google Alternative: DuckDuckGo
Digital P2P Currency: BitCoin
Live Anonymous/Secure Linux: TAILS Linux
If you have any problems installing or using the above software, please contact the projects. They would love to get feedback and help you use their software.

Have no clue what Cryptography is or why you should care? Checkout the Crypto Party Handbook or the EFF's Surveillance Self-Defense Project.

Just want some simple tips? Checkout EFF's Top 12 Ways to Protect Your Online Privacy.

If you liked this comment, feel free to copy/paste it.
posted by Folk at 9:59 AM on June 9, 2013 [14 favorites]

In regard to Dropbox, I created a small disk image file and then used TruCrypt to encode the file.

Any Sensitive Information lives there, under the heaviest TruCrypt encryption available.

That lives on Dropbox. The file size is small enough to upload quickly over DSL or 3G.

This is mainly for data integrity purposes and protection of some client information. The laptop drive is already encrypted, and the TruCrypt volume itself adds one more layer of encryption (under the same or a different key) and has the added benefit of in mounting after 15 minutes. So if the laptop is stolen and hacked, the TruCrypt volume ideally remains a bit of a strong box.

The numbers in my accounts are the same as on my tax returns, so there's not a lot of tinfoil hat ph33r here. I don't have any illusions that the NSA will be able to hack yesterday's crypto tomorrow in the time of a latte. They could read the date of a quarter on the ground from space in the 1970s, so anything you know about is going to be leagues behind what's at the forefront now.

If you're going for Next Level Protection of your weird tax haven data or some money laundering scheme, TruCrypt is probably a good start, combine with its two level password feature. Instead of Dropbox, use a USB drive that you keep on a lanyard around either your neck or the neck of a large black cat named Sir Winston.
posted by nickrussell at 10:00 AM on June 9, 2013

Good suggestions above, so I won't repeat them. One more thing to consider for a dropbox alternative is owncloud.
posted by Brian Puccio at 10:02 AM on June 9, 2013

If you are managing your own domain, one extra step that you can take is:

(a) never use the actual login ID for the email account for anything other than logging in to read email
(b) configure the account to forward all email to your domain to your "administrator" account.
(c) use a unique email address for every online account

So if your admin account is and you are setting up, say, a groupon account, you might use as the login ID. While this is a hassle to keep up with all of these one-off IDs, it prevents someone "sidehacking" other accounts with the same login ID if one of your accounts gets discovered through a breach or something. This is assuming you are already using a unique password for every account (an even more basic step to take). If you are using a password manager to keep up with things, it isn't any more work to have unique ID/password pairs than it is to have unique passwords.

One of the side effects of this approach is that when you get spam, you'll have a good idea of where it came from.
posted by kovacs at 10:06 AM on June 9, 2013 [1 favorite]

I'm going to offer some general observations relevant to your questions rather than tackling them one-by-one.

The first is that there is usually an inverse relationship between security and convenience. You'll need to decide how much security you need and how much convenience you're willing to sacrifice to find your sweet spot.

Using closed-source operating systems means that you can never guarantee that "governmental" types, as you say, do not have backdoor access to your system. It's simply an unknown. If this is important to you, use an open-source operating system. This won't make you impervious to attacks, but it does decrease the likelihood of there being a secret backdoor in your system.

You should use full disk/full device encryption on your computing devices. This will make it difficult for criminals (or anyone else) to retrieve sensitive data from your devices in the event that they are stolen or seized. This is not the same as having a password on your user accounts, which is trivial to bypass.

In general, wired is more secure than wireless. This applies to corded phones vs cordless phones, landlines vs cell phones, Ethernet vs WiFi, and wireless keyboards and mice vs wired keyboards and mice.

Regardless of the recent news about Dropbox, they've had a questionable security record for years. More broadly, any "cloud" service that you don't control can never be fully trusted. Even if you upload encrypted data to cloud services, it's important to remember that vast quantities of this data is being stored against the day that cryptanalysis and/or computing resources are such that it can be decrypted.

You can deactivate your Facebook profile, but it's my understanding that the data is never really gone.

Secure communication with others is probably the most difficult thing to do, because it requires the cooperation of other people. You can install Linux, encrypt your hard drive, etc. without troubling anyone else, but the moment you want to send an encrypted email or text message or have an encrypted IM conversation with someone else, you need their cooperation: they have to be willing to get S/MIME or PGP working with their email, or OTR working with their IM program. If you can get your correspondents to cooperate, you can look into GNUPG for email (look at Thunderbird with the Enigmail extension), pidgin and pidgin-otr for IM, and SIP/ZRTP for secure voice and video chat. There are applications for encrypting text messages, but I'm not familiar with them.
posted by jingzuo at 10:25 AM on June 9, 2013 [1 favorite]

Communicate face to face for most important financial issues. Shut down on-line banking. Drop credit cards, they are massively tracked.

Your first realization should be that the government is likely going to be the entity tracking you the least. Corporations are the ones with a financial interest in doing so.

Drop your cell phone and carry only a burner for emergencies.
posted by Ironmouth at 11:48 AM on June 9, 2013

I forgot to say this earlier...always unsubscribe from mailings, especially credit cards. After you get a credit card, you have 30 days to "opt out" before they can begin selling your info. Same with all financial institutions, I believe. I have found myself on numerous lists just because of one credit card from years ago.
posted by juliagulia at 3:07 PM on June 9, 2013

- Use 12 character passwords with mixed case, mixed letters/numbers/non-alpha-numeric characters. I use a generic passwords for sites like, where I don't care if it gets hacked, but I use complex, unique passwords for banking, email, etc.
- I use a yahoo email address for commercial accounts, email lists, etc. With tagging, I can see the few emails I want, and ignore the rest. My primary account is on gmail.
- Don't give your accurate date of birth; it's often used to verify identity. Facebook thinks I'm much older, but so what.
- On public wifi, use https, and be careful about sensitive data. I probably wouldn't do online banking at a coffee shop.
- Use cash, don't use loyalty cards, give a fake zip code when asked for it.
- Don't post too much information on facebook. Don't use facebook apps.
posted by theora55 at 6:45 PM on June 9, 2013 [1 favorite]

To add to what I'm saying, because the private sector tracks you the most, it is the first place any government agency will go. The first thing it goes for is your cell location then your credit card/atm activity. Keep your phone's card out of the phone until you have to use it, check messages once write them down and delete them. Withdraw cash face to face. Its harder to bore down on video camera recordings then your financial records by far.

A land line with a cord is your best bet.
posted by Ironmouth at 9:32 PM on June 10, 2013

It may very well be a good idea to break free from Google.
Some good alternatives:

Google search => Startpage (anonymized Google search).
Google maps => Bing maps
Google mail => Lavabit and a mail client
Chrome browser => Chromium (similar, but doesn't 'phone home' to Google)

Oh, and a physical copy of your passwords, hidden inside a book that's stored with hundreds of other books, might not be your worst option.
posted by Too-Ticky at 12:12 AM on June 11, 2013 [3 favorites]

Dropbox => Boxcryptor
posted by blue_beetle at 3:26 AM on June 11, 2013

« Older Say I'm a blue-collar Canadian in the 00s. What do...   |   What form of exercise should I try? Newer »
This thread is closed to new comments.