cross-posted from: https://lemmy.ml/post/74540

Hello! I think it is a nice time to re-mention some 101 tips of IT security for folks here, that I also practice. Pegasus malware investigation will be big news for a good while, so the more awareness it helps spread, the better.

RULE 1

DO NOT CLICK ON RANDOM SMS AND EMAIL LINKS. Please, do not do this, ever. Just do not do it. Do not do it. Do not do it. Do not do it.

Yes, that is how many times I repeated that line. That is how important this rule is.

Also, do not download random email attachments.

Phishing is such a common tactic that one would think this problem has been solved by now, but it has not.

RULE 2

Keep OFF auto-download of photos, videos, documents and so on in WhatsApp, Signal and such apps.

Drive-by downloads being self-executable surprise bombs is not a new thing. Basically, this rule is similar to keeping off AutoPlay for external USB sticks on Windows computers.

RULE 3

Avoid using popular software too much.

I get it, this is a hard rule to work around considering how much we need to use WhatsApp, Signal, Telegram and so on, so it is a lot better to compartmentalise your activities among multiple messengers.

Pegasus and a lot of specialised malware use zero-days to be able to design zero-click deployment tricks, which is what these government surveillance tools are good at reserving. They use their millions of dollars of funding and R&D properly, so you have to be careful.

As an example, try to keep WhatsApp internet turned off most of the time via NetGuard, and turn it on only when needed, a good method I have earlier suggested as well in my smartphone hardening guide.

CONCLUSION

Those were some thoughts off the top of my head, before I go to sleep. Stay safe against surveillance! And feel free to ask whatever you want to!

  • uthredii@lemmy.ml
    3 years ago

    It might be a good idea for journalists and other targeted people to have multiple burner phones for different activities.

    That way, if your personal device is infected, it is less likely to compromise your human rights work.

    You would probably want to turn off any phone you are not using as they are able to access the camera and mic.

    • TheAnonymouseJoker@lemmy.mlOP
      3 years ago

      Camera and mic access is not hard to prevent as long as the device is not infected. Avoiding infection is not hard itself either, if the user or activist has a good grasp of 101 rules.

      This is a reason I try to make guides like this, so my stuff can be a good reference for everyone.

      • DnuOLp0@lemmy.ml
        3 years ago

        It seems to me like your rules might protect me from known threats (or not). But I don’t think it is easy to protect against unknown threats. At least when the advice is not using popular technologies and people like journalists necessarily need to use popular communication technologies. Also they may not be able to explain to every one of their contacts that they can’t open any links or documents.

        • TheAnonymouseJoker@lemmy.mlOP
          3 years ago

          Using sandboxed VMs in computers is an excellent way to open links if one is so endangered. VMs can be created infinitely, and you can save snapshots for VMs as well. Moreover, there is always the good old TailsOS USB that runs on RAM, and nothing can infect RAM permanently.

          Now if they choose to use phones to open all kinds of links, that is on them. Phones are vulnerable technology, so they should be used as temporary communication tools and not as mini computer portals for now.

          • DnuOLp0@lemmy.ml
            3 years ago

            I agree but I think you missed my point. You said it’s easy and I disagree with that. It may be a simple concept but it’s definitely more work on an everyday basis and you need to spend a significant amount of time and effort on learning and preparing all of that. These are significant barriers.

            • TheAnonymouseJoker@lemmy.mlOP
              3 years ago

              The most you can do against the unknown threat is take a whitelisting approach in life, unless you have a crystal ball that shows the future. And that is how I laid out the rules. Not clicking random links, not downloading random files and not using common software is as far as you can go, and only the last one is considerably hard.