Internet Security and you
Over the years I've seen people make the same gross mistakes with internet security time and time again. It's sad we live in a world where you have to take such measures, but it is what it is. I have been educating friends for many years on how to increase their online safety and privacy, and it's about time I share some of that with everyone else here on my webpage, especially since it's a hot topic again with the celebrity targeting.
Multiple Email Addresses:
- Create a throwaway email account (such as Hotmail or Gmail). The purpose of this email is simple: it's one you couldn't care less about. This is the email you use to sign up for forums, online offers, etc., basically for any site or person who is a stranger to you and wants your email. You want to sign up for Billy Bob's discussion board? You're putting faith in Billy Bob when you give him information, so don't give him information you care about. Thus, the throwaway email. You don't know what kind of security Billy Bob has, or whether he himself is snooping through the info given to him wondering "anything juicy here?". Remember, your email is half of your login creds. So when you give ANY person or site half of your login information, make sure it's login information that doesn't get them into anything important.
- Have an email for friends and family. This is the one you use for contact with other people.
- Have a sensitive email that no one but you knows. Maybe a significant other knows it if you're at that stage of trust (but even then it can be iffy, because scorned exes can do a crap ton of damage). This is the email you use for online bill payment, banking, and so on. Basically, a separate login from email number 2, so that if one of your "close" friends who happens to know your birthdate, the name of your first pet, your mother's maiden name, etc. tries to get into your business, they fail, because they assume they are using the correct email address when in fact they are merely using your social one.
Usernames:
- Most of us like to hold onto a common username. For example, pretty much everyone knows mine is MysticalOS. However, never underestimate what this means for your internet trail. If there are things online you want kept private, use DIFFERENT usernames than your highly public profiles. Me, I keep very little private, so if you type "MysticalOS" into Google you're going to find 15+ years of internet history. Want to test your own privacy? Google your favorite username and see what comes up. THE INTERNET DOES NOT FORGET.
- This is twofold when usernames are also login creds. Some sites/networks use a username to log in rather than an email. This goes back to the same rule as above: sometimes you just use a different username to make sure you aren't unwittingly giving one half of your important login creds to another person or organization.
Passwords:
- For the love of all that is holy, don't use simple passwords. Make sure it has letters, numbers, even special characters like !@%#^. Use mixed case. Length matters more than anything else, so a long passphrase of several unrelated words beats a short string of symbols. Below I list the various ways passwords are lost and their countermeasures.
- Even with a good password that adheres to all of the above, CHANGE it periodically. If you use the same password for 10 years, EVENTUALLY someone behind you is going to see you typing it in, or will have had ample time to finally guess it, etc. Even if your account does not appear compromised, that doesn't mean someone isn't accessing it and just doing a good job of hiding it, not burning their access just yet. After all, referring to the celeb targeting again, it's clear in some of those cases that the person who had the password was accessing accounts for MONTHS. Had they changed their password more often, it might have locked the intruder out before they got as much as they did.
- If a site offers two-factor authentication (2FA), USE IT. It ensures you get notified faster if something is fishy: a login code arriving when you didn't ask for one means someone has your password. Be aware that a code you type into a phishing page can be relayed straight to the real site, so 2FA limits the damage of a stolen password but does not replace the phishing advice below. Of course, just make sure it's a trusted establishment. I wouldn't trust Billy Bob's discussion board with my phone number for SMS protection. However, you better believe my banking site has my SMS and is set up to text me if anything funny is going on.
Ways Passwords Get Lost:
- Predictable. These are compromised by simply being guessable. If you're a horse breeder and your password is your favorite breed of horse, chances are it'd take someone about 10 minutes to log in to your account.
- Brute force. Be aware that there is something called "brute forcing", which is literally a bot that automatically tries every password combination possible, such as aaaaa, aaaab, aaaac and so on through the whole character set. This is actually impossible to fully counter, because a bot starting at a 1-character password of "a" will EVENTUALLY get to a 100-character password of "z"; what you can do is make sure your password isn't a 1-character "a". Every extra character multiplies the number of guesses by the size of the character set, so the best counter here is that longer is better. The recent alleged iCloud compromise was actually brute forcing, which basically means it compromised passwords via trial and error. MOST sites have anti-brute-forcing throttles in place to prevent the ease of such tactics, in the form of attempts per time frame, or a total number of tries before account lock and notification. In the Apple iCloud compromise, the brute forcers found a loophole around the anti-brute-forcing measures, which allowed them unlimited attempts at the password. This shortcoming is on Apple, but it's also the responsibility of the password holder to use a password that isn't short, so it doesn't come easy in the absence of brute force protection. A determined attacker with unlimited attempts can run the bot MUCH longer, but each additional character still multiplies their work, and a sufficiently long random password puts exhaustive search out of reach even without throttling. More tips on brute force protection (outside of the host being better at blocking it) can be found in the TMI section further down.
- Bad memory. If you have trouble remembering your passwords to the point where you keep them in a plain text file on your computer or written down, this is a sure way for someone close to you to get them. It's best to use passwords you can remember and not keep any unprotected written record of them anywhere for people to find. If you truly have too many to remember, an encrypted password manager behind one strong master password is a different matter from a sticky note; the point is that nothing readable should be lying around.
- Habit. You always use the same password everywhere and you probably never change it. When you sign up for any site anywhere, you need to give a password. When you give said password, remember that the site now knows that password (a well-run site stores only a hash of it, but you have no way of knowing what Billy Bob does). If you sign up for Billy Bob's forum with the same password you use for your online banking, you just gave Mr. Billy 50% of what he needs to take your money. All he needs now is your email. This goes back to number 1 in the email advice above too. Does this mean you need to remember 100 different passwords? Nah. For example, I actually do use the same password on many forum boards. Why? Because they pretty much all have a false name and a throwaway email. Basically, if Billy Bob tries to use the creds I used to join his site anywhere else, the most he'll get access to is Billy Joe's. The paramount thing is that you use different passwords for social media and banking or anything else far more sensitive. It's also strongly advised that any and all emails have unique passwords too. The worst thing to have compromised is email, because that's the gateway to password recovery. In the event someone does manage to nab a password of yours, such as your iCloud password, make sure that this password doesn't also let them into your Gmail (or whatever) as well.
- Password recovery. Many places offer password recovery, where you can reset a password provided you know certain details about someone and can answer security questions. You generally also need access to either the person's email account or mobile phone. How do you combat this? Don't leave your phone unattended around other people, and do the same for your email. For even greater protection, when you create security answers in the first place, don't use the real answers, but make sure they are still answers you know. If it asks for your mother's maiden name, LIE. Birthdate? LIE. Remember the lie though, or you yourself can't recover your own password. This is the greatest protection against a scorned ex or anyone else gaining access to your account simply through knowing things about you.
- Key loggers. This is when there is spyware on your device that tracks keystrokes and thus grabs a password the moment you type it. The best counter is to keep your system and anti-virus/spyware software up to date, and of course only download said software from reliable sources; absolutely do not just hop on Google, type in "antivirus" and trust the first thing you see. Many spyware programs are distributed under the guise of said protection. In addition to that, just be wary of the sites you visit. If you aren't savvy in these matters, then find someone who is (and whom you trust) to help set you up and give you the "do" and "don't" of things.
- Phishing emails/texts. This is when you are tricked into giving your login information to a bogus site or person claiming to be a place where you actually have an account. These are commonly sent via email and are designed to look just like the site they are phishing for; the link text may show one address while the link actually goes somewhere else entirely. NEVER click links in said emails. If you suspect the email may be real, instead of clicking anything in it or replying, manually go to your already established, valid bookmark for said organization, log in directly, and see if anything in the email is true. Trust me, if there is a real problem, it'll be there. If you are still unsatisfied after a REAL login seems fine, reach out to support through the valid email or phone number on the site you manually went to. Basically, just never trust texts or emails.
- Phishing phone scams. Much like texts and emails, these are meant to scam you out of personal information. Again, do not trust these without serious validation. If they are calling about a bank, credit card, social security, car, etc., before you answer ANYTHING, make them answer your questions. Ask them "which account/card/vehicle/etc.?". Get very specific: models, serials, name/address, etc. Scammers will try to circle around any questions and use alarmist tactics, quickly escalating to threats, but never actually have any knowledge about your account, because they don't have it; that's why they are calling you to get it. Better still, hang up and call back using the number printed on your card or statement.
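To put numbers on the brute force and throttling points in the list above, here is an added example (my own illustration for this page, not code from Apple or any site mentioned). It computes how many guesses the "aaaaa, aaaab, ..." walk needs for a given character set and length, how long that takes at an assumed guess rate, and how many guesses a bot actually gets through a per-time-window throttle and a lockout. The guess rates, window sizes and lockout counts are assumptions chosen to make the comparison visible, not any site's real settings.

```python
import string

# Character sets a brute-forcing bot steps through; only the size matters
# for the math. Sizes: 26, 62 and 94.
CHARSETS = {
    "lowercase only": len(string.ascii_lowercase),
    "mixed case + digits": len(string.ascii_letters + string.digits),
    "mixed case + digits + symbols": len(string.ascii_letters + string.digits + string.punctuation),
}


def guesses_to_exhaust(charset_size, max_length):
    """Guesses needed to try every password of length 1..max_length, i.e. the
    'aaaaa, aaaab, ...' walk with all shorter lengths tried first."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def expected_seconds(charset_size, length, guesses_per_second):
    """Average time to hit a uniformly random password of exactly `length`:
    everything shorter, plus half of the keyspace at that length."""
    total = guesses_to_exhaust(charset_size, length - 1) + charset_size ** length / 2
    return total / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def throttled_guesses(duration_seconds, per_window, window_seconds, lockout_after=None):
    """Guesses a bot actually gets against one account when the site allows
    `per_window` attempts per `window_seconds`, optionally locking the account
    after `lockout_after` total failures. With the throttle bypassed (the
    loophole described above) the answer is simply rate * duration."""
    allowed = (duration_seconds // window_seconds) * per_window
    return min(allowed, lockout_after) if lockout_after is not None else allowed


def strength_table(guesses_per_second=1_000_000):
    """(charset name, length, expected time) rows at an assumed unthrottled
    guess rate; 1 million/s is a placeholder, not a measured figure."""
    rows = []
    for name, size in CHARSETS.items():
        for length in (6, 8, 12, 16):
            rows.append((name, length, human_time(expected_seconds(size, length, guesses_per_second))))
    return rows


if __name__ == "__main__":
    for name, length, t in strength_table():
        print(f"{name:32s} length {length:2d}: {t}")
    day = 86400
    # Assumed throttle settings, for comparison only.
    print("guesses/day, throttle bypassed, 1000/s:", throttled_guesses(day, 1000, 1))
    print("guesses/day, 5 per 15 minutes:", throttled_guesses(day, 5, 900))
    print("guesses/day, 5 per 15 minutes + lock after 20:", throttled_guesses(day, 5, 900, lockout_after=20))
```

Two things jump out when you run it: going from 8 to 12 characters on the same character set multiplies the work by tens of millions, and a throttle of 5 attempts per 15 minutes turns a bot that could make 86 million guesses a day into one that gets 480, which is why the iCloud loophole mattered so much.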
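The phishing item above says the link text can say one thing while the link goes somewhere else. As an added example (not part of the original write-up, and not a real message), here is a small link inspector run over a constructed phishing email body. It pulls every link out of the HTML, works out where each one really goes, and flags the common tricks: a look-alike hostname where the real domain is at the end, a `user@` prefix that makes the browser ignore the part that looks like Apple, a bare IP address, and visible text that is a URL for a different host. The `apple.com` expected domain and the `.example` hosts are assumptions for the demo; the registrable-domain check uses the last two labels, which is good enough here but a real tool would use the Public Suffix List.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing email body (not a real message). The first
# three links are deceptive in different ways; the fourth is genuine.
SAMPLE_EMAIL = """
<p>Your Apple ID was used to sign in from a new device. Verify within 24 hours:</p>
<a href="https://appleid.apple.com.verify-account.example/login">https://appleid.apple.com</a><br>
<a href="https://www.apple.com@evil.example/login">Sign in now</a><br>
<a href="http://192.0.2.10/apple/login">https://appleid.apple.com/</a><br>
<a href="https://appleid.apple.com/account/manage">Manage your Apple ID</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname. Assumption for this demo: real code
    consults the Public Suffix List so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_link(href, text, expected_domain):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        # Browsers treat everything before '@' as a username, not the site.
        findings.append(f"'{parts.username}@' in the URL; the real host is {host}")
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address instead of a hostname: {host}")
    except ValueError:
        pass
    if parts.scheme != "https":
        findings.append(f"not https (scheme is {parts.scheme!r})")
    if registrable_domain(host) != expected_domain:
        findings.append(f"link really goes to {registrable_domain(host)}, not {expected_domain}")
    if text.startswith(("http://", "https://")):
        shown_host = urlsplit(text).hostname or ""
        if shown_host != host:
            findings.append(f"shown as {shown_host} but goes to {host}")
    return findings


def audit_email(html, expected_domain):
    """[(href, shown text, findings)] for every link in the message."""
    return [(href, text, inspect_link(href, text, expected_domain))
            for href, text in extract_links(html)]


if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL, "apple.com"):
        print(f"{text!r} -> {href}")
        for f in findings or ["looks consistent"]:
            print("   ", f)
```

Even the "looks consistent" verdict on the last link is not a reason to click it: the advice stands to go to your own bookmark and log in there. The inspector only shows why the rule exists.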
TMI and Trust:
- We all love to share things about ourselves: post on our Twitter or Facebook wall, or maybe even jump out there on dating sites and put ourselves out there. TMI is when you share too much information. Always be aware of what you post and who it's visible to. I've actually scared people I barely knew when I ran an internet profile on them to see how secure their information was and showed them just how easy it was for a complete stranger to know their routines, their personal email address, their phone number, even their address sometimes, from about 5 minutes of googling using information they provided. Remember this one thing: THE INTERNET DOES NOT FORGET. Once it's out there, you can put in as much effort as you want to get it taken down, but the internet doesn't forget. I know people whose leaked nudes are still findable 10 years later, and these are average people like you and me. Celebrities unfortunately are just especially victimized.
- Quid pro quo. Give some, get some. Any time you put your trust in someone, make sure they are doing the same with you. To put it in blunt terms, make sure that if they have leverage, so do you. You sharing nudes with them? Make sure you are getting theirs. That way, you both have something on the line. Trust should go both ways; otherwise you should reconsider. If that person is too eager to get and not give, take a pause and evaluate whether or not you should be sharing. Someone obviously has to go first, but first isn't buck naked on the bedspread with a 15-picture set. Well, unless you flat out don't care. If you are an exhibitionist then you go girl/guy (just don't be a disrespectful prick; ask before sending). This of course is still not a sure thing, because you may value privacy on something they do not, so they may not care what you do with their stuff. This is why, even with leverage, exposing yourself in any kind of way is a risky move not to be taken lightly.
TMI Oversharing Risks:
- Location. The biggest thing is location sharing. These days you can simply follow someone on Twitter and pretty much know they are at the grocery store, or the mall, or wherever, at all times. You can basically walk right up to them and go "hey, I'm a creepy person who follows you on Twitter and decided I'm going to run into you randomly". Does this happen often? To the average person, probably not, but it still happens. For someone like a celeb, yeah, don't go there. Be aware of location sharing and vague it up a bit. Sometimes it's better to say "going out with friends" than "going to X with friends". You can then turn around and say "leaving X with friends" once the location has expired, so you still share your awesome activity but only after its point of usefulness to a potential stalker has passed.
- Contact. Be wary of sharing things like phone numbers or personal emails with strangers. Use your throwaway email for a stranger at first. Instead of a phone number, use an instant messenger such as Kik, which achieves the same objective and still has all the same bells and whistles (texting, pictures, video) but without giving out your private phone number.
- Pictures. Many love sharing pictures. We love the feedback, we love being sexy. Just remember, anything you send, even in privacy and confidence, can be saved and re-shared for all the world to see, especially if you are considering nude photography or sexting. My strongest advice on sexting is to avoid permanence as much as possible. Use Snapchat/Instagram instead of SMS, for example: programs that expire and delete a photo automatically. Even this, of course, is not 100%, because expert phone/computer gurus know ways to still save the photo (and a second phone pointed at the screen defeats all of them). However, most people are not experts. It still goes a long way to make things harder, even if harder isn't foolproof. Doing cam/video? FaceTime is a little safer than Skype. Why? Skype is stupid easy for even a computer newbie to record on PC or Mac. FaceTime is more difficult to record since it's a little more locked down. Again, nothing is foolproof, but that doesn't mean you can't go for "more difficult". Avoid cloud storage of anything private, period. If it's something you would care about getting out in public, simply don't put it in a cloud, ever. To put it in perspective: 3 major clouds alone in the last few years had security flaws that allowed easier access to private documents. Yes, even giants fail. Google and Apple are among those that recently failed to protect people's privacy. That said, good habits and extra steps on each person's own part go a long way. Wedding photos? Photo Stream is fine. Personal photos taken for one person: send them to said person and nowhere else, unless you mean for them to go somewhere else. Disable things like iCloud photo sync, OR set it up to only sync certain albums, excluding things like the NSFW album.
- GIS. Basically more picture stuff, but I wanted to explain this one separately. Google Image Search (GIS) is a search engine that can be fed a picture and then used to find everywhere on the internet that picture appears. This means that even a picture leaves a trail. TMI can be as simple as posting the same picture in many places. I've known cam girls, for example, who try to keep their professional life separate from their private life. They cover all the bases like username, real name, location, etc.; all actor information, basically, for their cam profile. However, I've seen that despite all that, simply right-clicking their profile image and doing a GIS gives you their Facebook and dating profiles. We all have photos that come out horrible, and then we have those that come out really good that we use on all of our things. However, using the same photo on all of those things gives them a common link: THAT PHOTO. It makes it possible to connect the dots with Google Image Search. As such, it's important to be aware that if you don't want those dots connectable, avoid using the same picture in multiple places, or at the very least exclude it from the places you want omitted from your personal map.
- EXIF data. Basically more picture stuff. If you are taking pictures with a camera or phone, be aware of whether geotagging is on or not. A simple picture can literally be embedded with the coordinates of your house, stored as GPS latitude/longitude tags inside the file that most viewers never show you. That can be quite scary. Turn location off for the camera app, or strip the metadata before posting (some sites strip it on upload, but don't count on it).
- Privacy. Many social media sites like Facebook and Twitter offer privacy settings. If you are going to be posting anything private, make your profile private. Don't let non-friends see it, period. In fact, always take time to review the privacy settings on any site, especially Facebook, to make sure things like email, phone number and birthdate are hidden from people who are not friends. You can often have a public profile that still hides a lot of that information. Basically, watch what you share, even harmless chatter in a public forum.
- Vulnerabilities. Be mindful of mentioning weaknesses. You may not even realize what is a weakness. Example: you announce the family is all going on vacation. What you also announced is that you are leaving an empty house. This doesn't mean avoid sharing your vacation joy; it just means be aware of WHO can see it. This goes back to privacy. If your FB profile is "friends only" it's probably fine. If it's "public", you may want to consider withholding certain details about your life sometimes.
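To show what the EXIF item above is talking about, here is an added example (my own, not from any camera or photo app, and the "photo" is a constructed byte string with no actual image in it). It reads the GPS latitude/longitude out of a JPEG's Exif block, the same tags a phone writes when geotagging is on, and produces a copy with the whole Exif segment removed so nothing location-related survives. The parser only handles the IFD layout needed for the GPS point (IFD0 pointing at a GPS sub-IFD with tags 1 to 4); a real photo has many more tags and you would normally just use a tool like exiftool. All of this is standard library.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825             # IFD0 entry that points at the GPS sub-IFD
GPS_TAGS = (1, 2, 3, 4)           # LatitudeRef, Latitude, LongitudeRef, Longitude


def _ifd_entries(tiff, endian, offset):
    """{tag: (type, count, position of the 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(endian + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(endian + "HHI", tiff, base)
        entries[tag] = (typ, count, base + 8)
    return entries


def _dms(tiff, endian, value_pos):
    """Read a 3-element RATIONAL (degrees, minutes, seconds) via the stored offset."""
    (off,) = struct.unpack_from(endian + "I", tiff, value_pos)
    v = struct.unpack_from(endian + "6I", tiff, off)
    return [v[i] / v[i + 1] for i in range(0, 6, 2)]


def _segments(jpeg):
    """Yield (marker, start, end) for each JPEG header segment up to and including SOS."""
    assert jpeg[:2] == b"\xff\xd8", "not a JPEG"
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        end = pos + 2 + length
        yield marker, pos, end
        if marker == 0xDA:          # start of scan: only image data follows
            return
        pos = end


def gps_coordinates(jpeg):
    """(lat, lon) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(EXIF_HEADER):
            continue
        tiff = payload[len(EXIF_HEADER):]
        endian = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack_from(endian + "I", tiff, 4)
        ifd0 = _ifd_entries(tiff, endian, ifd0_off)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack_from(endian + "I", tiff, ifd0[TAG_GPS_IFD][2])
        gps = _ifd_entries(tiff, endian, gps_off)
        if not all(t in gps for t in GPS_TAGS):
            return None
        lat_ref = tiff[gps[1][2]:gps[1][2] + 1].decode()
        lon_ref = tiff[gps[3][2]:gps[3][2] + 1].decode()
        d, m, s = _dms(tiff, endian, gps[2][2])
        lat = d + m / 60 + s / 3600
        d, m, s = _dms(tiff, endian, gps[4][2])
        lon = d + m / 60 + s / 3600
        return (-lat if lat_ref == "S" else lat, -lon if lon_ref == "W" else lon)
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment dropped; image data untouched."""
    out = bytearray(jpeg[:2])
    tail = 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER)):
            out += jpeg[start:end]
        tail = end
    out += jpeg[tail:]
    return bytes(out)


def _build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG (SOI, JFIF APP0, Exif APP1 with GPS, empty SOS, EOI)."""
    E = ">"
    entry = lambda tag, typ, count, val: struct.pack(E + "HHI", tag, typ, count) + val
    rationals = lambda dms: b"".join(struct.pack(E + "II", int(round(v * 100)), 100) for v in dms)
    # Layout inside the TIFF: header(8) | IFD0(18) | GPS IFD(54) | lat(24) | lon(24)
    gps_off, lat_off, lon_off = 26, 80, 104
    ifd0 = struct.pack(E + "H", 1) + entry(TAG_GPS_IFD, 4, 1, struct.pack(E + "I", gps_off)) + b"\x00" * 4
    gps = struct.pack(E + "H", 4)
    gps += entry(1, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
    gps += entry(2, 5, 3, struct.pack(E + "I", lat_off))
    gps += entry(3, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
    gps += entry(4, 5, 3, struct.pack(E + "I", lon_off))
    gps += b"\x00" * 4
    tiff = b"MM\x00\x2a" + struct.pack(E + "I", 8) + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_HEADER) + len(tiff) + 2) + EXIF_HEADER + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02" + b"\x00\x01" + b"\xff\xd9"


# Sample "photo" tagged at 40 deg 42' 46" N, 74 deg 0' 21.6" W (constructed).
SAMPLE_JPEG = _build_sample_jpeg((40, 42, 46.0), "N", (74, 0, 21.6), "W")

if __name__ == "__main__":
    print("original :", gps_coordinates(SAMPLE_JPEG))
    print("stripped :", gps_coordinates(strip_exif(SAMPLE_JPEG)))
```

Run it and the first line is a precise point on a map pulled out of a file that looks like any other picture; the second is `None`. Stripping the Exif segment also drops harmless things like the camera model, which is fine for anything you post publicly.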
Fetlife specific tips:
- Use a different username on FetLife from anywhere else if you want to keep your kinky side a little more private from family, friends, and coworkers. Don't make it so easy to find your profile by using the same name you have on Twitter/Facebook/etc. everywhere else. Obviously this security tip doesn't apply if you INTEND to be found easily, such as when marketing adult work.
- Alter identifying specifics. Even with a different username, you are still easy to find depending on where you live. If someone sees your profile on OKCupid or somewhere else and sees you are 27 and live in Podunk, Indiana, they can go right over to FetLife, type in Podunk, Indiana, and find there are fewer than 1000 users there. Narrow it down to 27 years old and, with the browser's search button, they can go through 50, even 100 pages of users from that town in under 30 minutes until they find your profile. This is very aggressive stalker behavior, but sadly people go that far when they feel protected by the anonymity of their keyboard. To prevent this happening, some suggestions are to set your town to a different town than on your other profiles. Maybe the same general area, but choose the bigger town, the one that has over 50,000 profiles. You can also set your age differently to break search routines/scripts and make it far more difficult to automate such a search. I recently did an audit on this particular issue and was able to find the FetLife profile of random OKCupid profiles about 7 times out of 10 with next to no effort. The ones that defeated it were ones that probably used those techniques (huge town, invalid town, invalid age, etc.). This test I did was only performed on people on OKCupid who mentioned FetLife on their profile (but didn't share it) and results were quickly .
- Trimming the harassment on FL. OK, your profile is secured on FetLife and 1 and 2 are pretty much a non-issue now. However, you still get so many messages from fuckbois who are like "DTF bb?". How can you reduce this? The more places you expose yourself, the more visible your profile is. So one thing to consider is whether or not you actually NEED 23634634 kinks or to be in 150 groups. If your plan is to have as much exposure as possible and be at the top of Kinky and Popular, then that's fine. If you want to keep a lower profile and are trying to use FetLife to engage with specific people and communities, narrow the scope of the groups you join to ones you ACTUALLY post in. Don't add kinks to your list just for the sake of putting them in the list, since every single kink lets a user pull up a user list they can basically "shop" through for someone to message. Other tips include the fact that you can set photos to friends only. I often find people don't realize that. They choose not to post photos at all, or post them and take them down before too many messages come in going "bb, you're so fucking hot". You can set photos to friends only. The caveat is that they aren't eligible for Kinky and Popular. Just be aware that if you over-hide photos (maybe you have no public photos), people are going to be more guarded in approaching you for fear you might be a catfish or have something to hide. However, that may work to your benefit if you really do want to fly under the radar. You can also disable the following feature. Following basically lets people follow you WITHOUT YOUR APPROVAL. Disabling this can at least prevent people from readily seeing what you're doing on their timeline if you don't friend them. They can still view the history on your profile, so the very aggressive can't be shut out this way, but at the very least, if someone is stalking you, they are doing it to others too, so don't make it easy for them to have all of the women they may be harassing in one place (their timeline/homepage).
- This one is new, since it was recently added to the site. It's an expansion of number 3. You can now control inbox behavior! This is a huge quality-of-life improvement that is long overdue. You can go right into account settings and change the behavior so that people can't message you at all unless they follow you or are an approved friend. You can control the strictness of this. Basically you can really shut down unwanted engagement via private messages now and force people to approach you publicly in groups or in writing/photo comments. Definitely make use of this feature. I promise you very few realize it was added.
So in light of recent events, I wanted to put my experience and knowledge of internet security out there for others to see and learn from, so they can avoid the common mistakes others have made. Not all of us are newsworthy, but that doesn't make it less important to make sure these things don't happen to us or those we care about. Please pass this page on to others as well.
Also, if you feel I'm missing anything (I'm sure I am) or that I could explain anything better, please contact me; I'll be constantly revising this. I also realize structurally it could probably follow a better format, but I wanted to articulate something quickly and then maybe patch it up later, so the layout is sort of blah right now.