Maintain a secondary email account, on a different provider from your primary email. If something happens to your primary, you can use the secondary to send critical messages until you fix the primary. [Same for other things in your life: second bank account with ATM card, second credit card, alternative to PayPal, etc.]

Repairs:
What happens if your phone suddenly fails or is stolen ? How would people contact you ? Would any accounts with two-factor authentication be disabled ?

If your laptop or phone is absolutely critical to you, can't be without it for more than a few hours, maybe you should have a synced-up hot spare waiting, ready to use. Same for your internet router and modem on your LAN.

What happens if your wallet or purse is stolen ? Do you have the info needed to notify your credit-card company, your bank, etc ? Do you have any papers in there with login details or PINs written down ? If your housekeys are lost/stolen, do they have your house address written on them ? It's safest to put your email address on physical things (keys, outside of phone and laptop, wallet, etc) so police or finder could contact you to return them. Put your email address on the lock screen of your phone, for same reason.

What happens if the police come and confiscate ALL your devices to investigate something ?
Christian Haschek's "That (not so) awesome time the police raided my home"

Is there any one thing you have where you can say "geez, if I ever lost that I'd be TOTALLY screwed" ? Then figure out a way to back up that thing, or reduce your reliance on that thing.

Don't ignore the account-recovery settings on your accounts, or put bad data in there. Sure, you'd rather not let Google or Yahoo or Facebook know your phone number or your second email address. But that information can save you if their security triggers get pulled for some reason. You travel, you try to access your email from laptop or internet cafe (seems not to happen when accessed from phone), you get "hey, we see a login attempt from a new country, we're turning off account access until you give us the code we're SMSing to your phone or emailing to your other account". Better hope you've kept the account-recovery options up-to-date.

Similar can happen if someone tries to brute-force their way into your cloud or email account. The provider won't let them log in, but may turn off account access for everyone (including you) until you provide extra verification. Better hope you have that info.

Similar can happen if someone wants to disable your email account to hide a scam. Suppose they get your Amazon credentials somehow, order something, then do a bunch of bad login attempts to your email account, to get your email account locked, so you can't see the Amazon order confirmation message.

The time to do this is while everything still is working, before you have a problem. Make a USB stick or something, test it briefly, then label it and put it in a drawer.

For Linux, see Rescue Disk section of my Using Linux page.

For Windows:

Josh Norem's "How to create a Windows 10 recovery USB drive"
Katie Rapid's "How to Use and Create Windows 10 Recovery USB Disk"
Rick Rouse's "How to create a System Repair Disc and System Image Backup in Windows 10"
Need 16 GB flash stick. One large partition, NTFS, or unformatted. Don't insert stick yet. Go to Control Panel / Security / Create Recovery Disk and follow directions. Takes several hours to write to the flash stick.
Gecko & Fly's "5 Bootable Windows PE ISO To Boot, Recover And Repair Windows"
MajorGeeks' "F-Secure Rescue CD"

Lawrence Abrams' "Microsoft quietly created a Windows 10 File Recovery tool, how to use"

[Generally from most likely to least likely:]

1. Your own actions. (The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.)
   
   
2. Your family, friends, associates. (They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their phone or email Contacts list, which contains your name and email and address and phone number and birthday. They put your info into Amazon or eBay when buying a gift for you. They tag you in Facebook photographs, or mention that you were with them at some wild party.)
   Your browser history
   
   
   
   
3. Your ex-spouse, former friends who now are enemies, former co-workers who you fired or angered. (They may be highly motivated, but probably don't have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.
   Cyrus Farivar's "If you're a revenge porn victim, consider this free, helpful legal guide")
   
   
4. Some random guy on the internet who gets mad at you. They could cause a fair amount of annoyance to you if they got your email address or phone number.
   
   
5. Your software. Some application or web site you use may be sending your data to somewhere else that you don't know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.
   
   
6. Companies recording everyone's activity, such as cell-phone locations and car license plates, and then selling it to police and repo men and bounty-hunters and advertisers. No accountability, no warrants.
   
   
7. Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.
   
   
8. Organizations accidentally exposing data you've entrusted to them, through careless practices or by getting hacked.
   
   
9. Random mass attacks looking for any weak passwords, unpatched systems, etc.
   
   
10. Data criminals and hackers. (Identity thieves, spammers, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or crypto-coin-mining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer:)
    Laura Shin's "Hackers Have Stolen Millions Of Dollars In Bitcoin -- Using Only Phone Numbers"
    Alex Hernandez's "Chase eATM user has mobile app hacked and loses $3,000"
    
    
11. Casual snoops or thieves.
    (Although with snooping software, "casual" capabilities are increasing.)
    
    
12. Local law enforcement recording everyone's activity, such as cell-phone locations and car license plates.
    
    
13. Internet vigilantes or lynch mobs or public shaming.
    (E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)
    Kashmir Hill's "When a Stranger Decides to Destroy Your Life"
    
    
14. Reporters.
    
    
15. Private investigators and lawyers. (They have some access to government databases and powers.)
    
    
16. Law enforcement (specifically targeting you; and local police may pass data or devices up to FBI for analysis).
    Jonathan Zdziarski's "Protecting Your Data at a Border Crossing"
    Andy Greenber's "A Guide to Getting Past Customs With Your Digital Privacy Intact"
    EFF's "Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud"
    ANSSI's "Best Practices For Business Travellers"
    Travel Blogs' "10 Tips For Travelling With Encrypted Data"
    Have your devices turned off completely when going through airport security, so that keys are not in RAM, nothing is decrypted, etc.
    
    
17. Foreign government intelligence agency. (Highest technical ability, but no legal authority.)
    
    
18. Government intelligence agency. (NSA, DHS, etc. Highest technical ability, PLUS legal authority and local personnel and access to govt records.)
    
    

Threat Modeling is partly nonsense, IMO

I've heard various definitions of "threat modeling", mostly with:

• Who do you want to protect from ?
• What data/activities do you want to protect ?
• What are the Consequences if various data/activities are compromised ?

I think the Who part is somewhat nonsense, for normal people. They want some protection against "everything". They have no specific threats. If you ask them "do you want to be protected from NSA reading your stuff ?", they would say "yes", right ? Who would say "no" ? They want to be protected against every one of the 18 types of threat listed above. Of course they can't get or afford total protection against some threats (say, NSA), but that's a separate question.

The What part is reasonable. But probably no need to enumerate every type of data someone has. If a person says "I just have bank accounts", that single item is enough to drive just about every decision they need to make, every counter-measure they need to use, to the same answers they'd get if they wrote up a huge list. They just need to do standard best practices: backups, encryption at rest, HTTPS, password manager, 2FA, update software, blockers in the browser, don't download dodgy stuff, anti-virus, etc.

The Consequences part is reasonable, but has more to do with "how much am I willing to pay for counter-measures ?" instead of "threats". I wouldn't call it part of a "threat model". You and I might have the same threat model, but I'm willing to pay more for defenses because I have more money in the bank, consequences of a compromised bank account are larger for me.

EFF's "Your Security Plan"
Privacy Guides' "Threat Modeling"
Wired's "Guide to Digital Security - Choose Your Security Profile"
Sean Gallagher's "How I learned to stop worrying (mostly) and love my threat model"
CupWire's "Finding your threat model" (privacy, not so much security)
Techlore's "How to PROPERLY threat model"
Cal Paterson's "Threat modelling case study: bicycles"
Wikipedia's "Threat model"
Wikipedia's "Operations security" (OPSEC)

No matter what protection you propose, some people will say "oh, the NSA has cracked that !". First, how do they know ? Second, a counter-measure still may be worth using even if the NSA could crack it; NSA is not the only threat or main threat. Third, just because NSA could crack something, doesn't mean they would spend the resources to crack your messages.

Some people say "trust no one !". But if you trust no one, you'll never be able to get anything done. Can't drive my car, because I shouldn't trust the manufacturer. Better not eat anything, because I shouldn't trust the food companies or stores.

So, instead minimize trust: compartmentalize, encrypt, use defense in depth, test, verify, don't post private stuff, maybe don't do illegal stuff. And give fake/anon info where possible: fake name, throwaway or unique email address, pay with gift card or virtual credit card or crypto or cash. You can use a VPN, ISP, bank, etc without having to trust them. Similar with eating food: have food-safety regulations, buy from a reputable place, eye and sniff food before eating it, have laws and courts so you can sue if you're harmed. You don't have to just "trust".

Some people say "it's all over, we've lost our privacy, it's done". No, it's an arms race, and right now consumers don't have very good weapons. We need to get convenient, good, routine encryption. We need more sites, applications, and protocols designed with security and privacy as priorities from the foundation up. Maybe "mesh" networking, peer-to-peer systems, distributed systems ("6 Anti-NSA Technological innovations that May Just Change the World"). We in USA need better regulation of spy agencies, via FISA and Congress. It's not over. You're generating new private data every day; you can protect that. And you can create fake data.

A worrisome trend: intelligence agencies being pressed to use their powers for non-intelligence purposes.
From Alex Hern's "David Cameron: GCHQ will be brought in to tackle child abuse images": "GCHQ [the British intelligence agency] will be brought in to tackle the problem of child abuse material being shared on peer-to-peer networks."
From NSA spokesman quoted in Barton Gellman and Ashkan Soltani's "NSA collects millions of e-mail address books globally": "[The NSA] is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers."
John Shiffman and Kristina Cooke's "U.S. directs agents to cover up program used to investigate Americans"
Conor Friedersdorf's "The NSA's Porn-Surveillance Program: Not Safe for Democracy"

Another trend: spying devices, software, and services may start out being used only by intelligence agencies, but eventually they are sold to the much larger market of police departments and private investigators.

• Old crimes that now have a small cyber connection: tax fraud, social engineering (con games), Nigerian prince, identity theft, propaganda, misinformation, vandalism, harassment.
  
  
• Old crimes that have changed a lot: bank fraud, payment fraud, deep fakes.
  
  
• Totally new crimes: ransomware, DOS, cryptojacking, click fraud.
  
  

• Makes system harder to use. (Extra steps to do things, dialogs popping up, more software to install and update, etc.)
  
  
• Inconvenience / more tweaking. (Loading a web page in Firefox fails. Is it because of settings of uMatrix/uBlock, Privacy Badger, Canvas-blocker, the VPN server's IP address is blocked, the ad-blocker in the VPN server, the browser Containers, the anti-virus, the browser settings, firewall in computer is blocking it, firewall in router is blocking it, Ethernet or Wi-Fi connection is down, site is Chrome-only, site is down, or what ? If one or more things have to be turned off to use that site, have to remember to turn them back on afterward.)
  
  
• Performance penalty. (Encryption takes cycles. Tor and VPNs impose multiple hops.)
  
  
• Worse results. (Such as worse search-engine results if you use something other than Google Search.)
  
  
• Have to get other people to use it, too. (Biggest problem with using encryption on email, or using a social network optimized for privacy.)
  
  
• Can't use some features. (To use Tor browser for best privacy, I think you're advised to disable Flash, JavaScript, ads: Seth Rosenblatt's "NSA tracks Google ads to find Tor users". If you turn off location-tracking on your phone, you lose some features.)
  
  
• Reduced reliability or recoverability. (If your disk is encrypted, and some key sectors go bad, the whole thing may be toast. There are many recovery tools for non-encrypted disks.)
  
  
• Greater dependence on fewer vendors. (If your encryption vendor or encrypted-email service goes bankrupt, what happens ? And if you demand good encryption or privacy above all else, maybe you can't use the most popular and best services.)
  
  
• Money and time costs. (For example, some people say you should run your own DNS, VPN, and email servers, use a custom firewall such as pfSense or Pi-hole. Sounds like a lot of work.)
  
  

Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"

Jack Morse's "How to blur your house on Google Street View"

If your house has ever been listed on a real-estate site, they may still display the exterior and interior pictures of your house from that time. Companies to check include Redfin, Realtor.com, Zillow, Trulia. Check their sites, and if they have info about your house, send them a request to delete it.
Kim Komando's "How to Remove Your Home's Photos from Zillow, Redfin, and Realtor.com"
Ilyce Glink and Samuel J. Tamkin's "Do you have the right to have photos of your home removed from realty sites after the sale?"

If you're staying in a hotel room, AirBNB, or friend's house, and connecting to their network:

• Best to do encryption/decryption at the extreme ends of a transaction, not on short segments in the middle. (But even that can be defeated by a keylogger.)
  
  
• Peer-to-peer architecture better than central-server architecture. (So no one can grab all of your data by going to one place.)
  
  
• Don't put really private or valuable stuff on electronic devices, or on internet. (There is no such thing as total privacy or perfect security.)
  
  

• Opening a bad email, or clicking on a bad link, or scanning a bad QR code, can infect you:
  
  If you open a phishing email or link, the bad thing would happen in the next step: you'll be asked to give your login credentials, and if you do that, you're in trouble.
  
  An exception: you click on a link sent to your email or phone, and the link is related to a password-reset or account-recovery operation. By clicking, you are confirming that the person at that email or on that phone is approving the action. Very bad.
  
  Another exception: you click on a link sent to your email or phone, and the link is to a site that you're already logged-into in the browser. The link could initiate some action you don't want, such as sending a message from your account.
  
  An HTML message could contain image SRC attributes that reference some tracking site, so the tracker could tell that you'd read the message, and gather some limited info about your browser and system.
  
  Clicking a link gives your IP address (and other data, such as approximate location) to the destination site. See next item in this list.
  
  Defenses: If your software (especially browser) is updated, and you have blockers (link) in the browser, chances are extremely low that anything bad will happen. If you are vulnerable just by viewing a web-page, you are not doing things right. Also, set your email client to not display images in email messages.
  
  
  
• If someone gets your IP address, they can hack you:
  
  If you're behind a router, an IP address does not uniquely identify your device. It uniquely identifies the router. And your ISP might be adding another layer, CG-NAT, which means many customers might be sharing the same public IP address.
  
  The IP address is public; scanners and bots can try all IP addresses. But the association between your ID (name, postal address, phone number, etc) and the IP address is not public.
  
  An attacker who got your IP address could port-scan your router, or try to DOS it. They could send fake traffic using your IP address as the source address, and try to get you blacklisted.
  
  They could determine your approximate physical location (city).
  
  Possibly if they found your IP address in a data-breach along with your account info and personal info, they could do something with the info. Correlate it with other accounts and personal info online, try to guess answers to security questions, see if you've used same password elsewhere.
  
  Possibly they could report your IP address as a spammer, try to get you put on ban-lists ? Unlikely.
  
  My experience is that this is not accurate, maybe because of CG-NAT: iknowwhatyoudownload
  
  Defenses: You should port-scan your router and machines yourself (link), to make sure nothing is open that shouldn't be. Maybe report any DOS attacks to your ISP.
  
  LiveOverflow's "I Leaked My IP Address!" (video)
  
  
  
• If someone learns your email address, they can hack you:
  
  They could subscribe you to lots of mailing-lists, flooding your InBox.
  
  They could try to guess your password on various sites, assuming your username is your email address.
  
  Possibly if they found your email address in a data-breach along with your account info and personal info, they could do something with the info. Correlate it with other accounts and personal info online, try to guess answers to security questions, see if you've used same password elsewhere.
  
  They could flood your email service with bad login attempts or password reset attempts, resulting in locking your email account.
  
  They could flood your other sites with bad login attempts or password reset attempts, assuming your username is your email address, resulting in locking your accounts on those sites.
  
  They could try a password-reset or account-recovery on your email service, hoping that you'll accidentally confirm the attempt (but then usually you will set a new password, not the attacker, so maybe not useful).
  
  Defenses: Use junk-controls or address-blocking in your email client or service. Don't click on suspicious links in email messages. Use email address aliases as usernames on web sites.
  
  
  
• If someone learns your phone number, they can hack you:
  
  They could subscribe you to lots of sales places, maybe flooding you with lots of annoying calls.
  
  They could try to fool your service-provider into moving your phone number to the attacker's SIM ("SIM-swapping").
  
  They could use your phone number to try to find your accounts on many services, and accumulate more info about you that way. One way is "contact syncing", where attacker puts your phone number in their phone's Contacts, then runs apps from Facebook, Instagram, WhatsApp, etc to see if they say "hey, you know Bob, he has an account here too, want to connect with him ?".
  
  Possibly if they found your phone number in a data-breach along with your account info and personal info, they could do something with the info. Correlate it with other accounts and personal info online, try to guess answers to security questions, see if you've used same password elsewhere.
  
  If they can correlate with your username on some service, they could call you and try to fool you into giving up 2FA code to do a pasword reset on your account. "Hello, this is PayPal, there's a problem with your account, please tell me the code we're texting to you now."
  
  They could make phone calls while setting the caller ID to your phone number, maybe getting your number reported as a spammer.
  
  Some utility companies have a "report an outage" page which can be used to map phone number to postal address.
  
  There are reverse-phone-book services which can be used to map phone number to name and postal address.
  
  From someone on reddit:
  "Look up 'skiptracing'. With access to the the right tools one can get your name, current address and address history, family members and their addresses/phones/details as well as your many of your neighbors both current and historical. Employment information/history ... the list goes on." article
  
  From someone on reddit:
  
  I want to start off by saying that this has been brought up to the WhatsApp support team. I even had a conversation with an "upper level" individual, and they didn't provide a solution.
  
  This is what attackers did to kick/ban me from WhatsApp:
  
  1- They installed WhatsApp on a phone and gave my phone number.
  
  2- WA sent a verification code to me, not them. So they can't use my account (which has 2FA anyway).
  
  3- They keep trying.
  
  That's it. Eventually WA will suspend my number for trying too many times. First 8 hours, then 24, then days, then weeks. Every time WA un-bans my number, the attackers do the same verification thing. That's all. End result is, I'm kicked from WhatsApp.
  
  I've tried using a different number, but they simply go through the process with the new number, and kick me again.
  
  Defenses: Block spam-call phone numbers. Have a password or fraud-protection on your account with your phone-service provider. Give your phone number to as few places as possible. Maybe use VOIP numbers where possible. Tell service providers you're being attacked, if there is a way to tell them. Change phone number (painful).
  
  
  
• If you use public Wi-Fi, someone can hack you:
  
  Someone else on the same LAN could see your device and port-scan you.
  
  If you use an up-to-date browser and OS, and use HTTPS, and heed any warnings from the browser, you should be safe against MITM and other attacks.
  
  Probably the most likely case is hijacking DNS and sending you to a typo-squatting domain. You try to go to amazon.com, the attacker's DNS sends you to amaz0n.com, it has a valid cert, you type in your amazon.com creds. So don't use the default DNS for the LAN, use encrypted connection to DNS (such as DNS through a VPN), and pay attention to domain names.
  
  
  

From article:
"... on average, 80% of consumers have had their emails leaked on the dark web, 70% have had their phone numbers compromised, 10% have had their driver's license leaked and 7% have had their Social Security Number exposed online."

[From hardest to easiest:]

1. Find a flaw in the mathematics (extremely unlikely).
   
   
2. Find a flaw in the algorithm.
   
   
3. Find a flaw in the crypto software.
   
   
4. Find a flaw in the key-generation.
   
   
5. Brute-force password-guessing.
   
   
6. Find or create a flaw in the surrounding software (operating system, networking, key-logger, etc).
   
   
7. Intercept the keys somehow.
   
   
8. Find a flaw in the configuration (software not updated, password not set, place where data is not encrypted, etc).
   
   
9. Human problems (password exposed or easily guessed, social engineering, etc).
   
   
10. Legal tools (warrant or subpoena to get encryption keys or tap traffic).
    
    

• Put tape over cameras when you're not using them, or have the phone camera facing down onto a desktop.
  
  
• Turn off devices when you're not using them, or disconnect them from the network. But a phone may be completely off only when the battery is removed. Going away for a week ? Maybe power off your router, to take down your whole LAN.
  
  
• Don't carry your phone with you if you don't need it.
  
  
• Maybe put your phone in a "Faraday bag" (or wrap in four layers of aluminum foil with no gaps), or put it in Airplane mode, when you don't need to receive incoming calls and messages, and don't want the cell company to track you. Test that the bag or wrapping works, maybe by calling the phone from another phone.
  
  
• If you have cards with RFID, maybe put them in RFID-blocking sleeves. Your passport may have RFID, but is supposed to have it blocked when the passport is closed. Test the sleeves to see if they work, by trying to use the card while it's still in the sleeve. But there are different RFID frequencies, so make sure you're buying a sleeve for the right frequency.
  
  
• Use encrypted external drives to store really sensitive data, and unplug them when not using them.
  
  
• If you use encrypted containers such as VeraCrypt, or encrypted drives, dismount them when not using them.
  
  
• Don't put really critical stuff on networked devices if you don't have to.
  
  
• Connect devices through the safest way feasible for your use: USB is best, wired Ethernet less secure, wireless least secure of all.
  
  
• Don't have very sensitive conversations in front of devices with microphones.
  
  
• Pay cash for things when possible.
  
  
• Pay for a PO Box and use that instead of your real home address.
  [But a box at a UPS store may require a lot less ID than a USPS PO Box.
  And a PMB at a mail-forwarding service can be located far from your real address, offer additional services such as scanning, and be more acceptable to banks etc. All Things Secured article ]
  
  
• Shred any trash that has your name, address, phone number, email address, and/or account number on it.
  
  
• Some people advocate: Don't register to vote, don't have a driver's license, don't own a car, don't donate to political campaigns. [The last item is particularly bad: databases showing contributions are completely open and contain lots of info about you.] [9/2020: Apparently I can buy for $100 (from the govt) a list of all registered voters in my county in NJ. Not sure how much info there is about each voter.]
  
  
• Some people advocate: Don't use tax software or a tax web site such as TurboTax or TaxAsct, because they get your info. File by paper, or maybe direct free-filing with IRS (if possible). Or use software to create a draft return (with fake personal info), then copy the numbers onto paper and file that.
  
  
• Don't carry a paper "agenda" book full of your appointments, contacts, notes, and username/password information. Guaranteed you will lose it someday, and there is no password protection on it. Same thing with Post-It notes in your wallet or purse or on your desk, giving login details or PINs. Don't do it.
  
  

• Trying to remove yourself from people-search sites.
  
  Seems an enormous amount of effort, and exposing more information, for little gain. Your info is out there; accept that fact.
  
  
• Following news about specific data breaches to see if they affect you.
  
  If you have an account involved in a breach, probably you'll be notified by the company, or be forced to do a password-reset next time you try to log in.
  
  Instead, focus on keeping as little info as possible in each account, and don't re-use passwords, and use 2FA.
  
  
• Notices about Privacy policies or Cookie policies on web sites.
  
  Just having a privacy policy, and telling you about cookies, does nothing. The content of the privacy policy probably says "you have no privacy".
  
  
• Padlock icons and other HTTPS indicators on connections to web sites.
  
  HTTPS encrypts data in motion between your browser and the web site. It adds protection and privacy against spying or attacks by third parties against that connection and that data in motion. But it says nothing about the trustworthiness of the web site, or what the site does with your data.
  
  
• Private browsing or incognito mode in browser.
  
  This mostly just prevents your activity from being recorded in the History in your browser, so the next person who sits down at your computer and uses your browser won't see a record of your activity. It does nothing to prevent spying on your activity as it travels across the internet.
  Harry Bone's "What is Incognito mode ?"
  Computer Hope's "How do I set my browser to Incognito or Private mode?"
  
  
• Full-disk encryption.
  
  This prevents someone from stealing your turned-off computer or phone and reading your disk or SD card. But once you sit down at your computer and enter the password for the encrypted disk, the decrypted contents are available to all of the software on your computer. So a virus or malware could access the data on the disk, send it out over the internet, encrypt it for ransom, etc. If you get up and someone else sits down at your computer, they have full access to your data. I prefer encrypted containers, each of which you have open (decrypted) only when you actually need to use it.
  
  And sometimes encryption can be defeated by a sophisticated attacker with physical access.
  HDDGuru thread "Forgot WD My Passport password"
  GitHub / reallymine thread "Forgot password of WD My Passport Ultra"
  Iain Thomson's "Western Digital's hard drive encryption is useless. Totally useless"
  Lucian Constantin's "Western Digital encrypted external hard drives have flaws that can expose data"
  
  
• RAID disk.
  
  There are many forms of RAID, and they have varying effects on effective disk reliability. Probably a mistake to use RAID instead of having good backups. Certainly you still need off-site backups.
  
  
• Using "sync" where you should use "backup".
  
  Syncing your primary disk to a secondary disk, or syncing a primary disk to the cloud, is not the same as backing up that primary disk. With syncing, if you delete something from the primary or it gets corrupted, the problem will be synced to the other place, and you've lost data.
  
  
• Open-source software.
  
  Major security bugs have been found in some open-source software after many years of use. It's not enough that the software be open-source, but it also has to be examined by experts, and not so complex that it defies understanding, and maintained/updated/patched by someone. And also you need some way to verify that the source you see matches the binary you are running.
  
  Jarrod Overson's "Exploiting Developer Infrastructure Is Ridiculously Easy (The open-source ecosystem is broken)"
  
  
• Cleaning or optimizing the Windows registry.
  
  Don't do it. This is a big gamble, you don't know what will happen, rarely helps.
  
  
• Using crypto-currency.
  
  The Tin Hat's "Is Bitcoin Actually Private?"
  
  
  

10 dumbest ideas in privacy communities, from someone on reddit 12/2021:

• Windows: large closed-source system with tons of features and modifications, popular target, frequent OS updates.
  
  
• IOS and Apple: closed-source system with more closed design, less-popular target, frequent OS updates.
  
  
• Linux: open-source system with modifications, less-popular target, less-frequent OS updates.
  
  
• Android: closed-source system, popular target, mostly broken OS update system.
  
  
• "Captive" devices such as Kindle, Chromium OS, etc: closed-source system, less-popular target, frequent OS updates ?
  
  

For all devices in general:

1. Change or set password.
   
   
2. Turn off features you don't want.
   
   
3. Connect to internet.
   
   
4. Update OS, and set it to auto-update.
   
   
5. Update apps, and set them to auto-update.
   
   
6. Record serial numbers, model number, configuration.
   
   
7. Put email address on tape somewhere on the case, and on the lock screen.
   
   

For computers, and maybe other devices:

• Might be a good idea to immediately wipe the whole operating system and re-install from a source of your choosing. You don't know what might have been done to the system by the vendor or store or during shipping.
  
  
• Create a local account to log in, not a Microsoft or Google account.
  
  
• Go through all the privacy and feature settings to tweak them as you wish.
  
  
• Once it's set up reasonably, do a backup or save a restore point. And make a bootable recovery disk or flash-drive.
  
  

Be VERY careful if you've bought a device through eBay or Craigslist or similar, especially if the device has anything to do with financial, crypto-currency, security, or encryption stuff.

Maybe start with a factory reset. Maybe format the disk. Definitely install new firmware and operating system.

When you buy a used house or used car, what devices or services or apps are in it or connected to it ? Some of them can take a while to switch from old owner to new owner. Double-check that old owner's access has been revoked.

Kai Sedgwick's "Man's Life Savings Stolen from Hardware Wallet Supplied by a Reseller"
Trail of Bits' "From The Depths Of Counterfeit Smartphones"
David Ruddock's "What is a 'factory reset'?"

Get new device working, especially with any accounts that have 2FA enabled, before getting rid of old device. Go into cloud accounts and remove any trust of old device.

On old device, delete optional added apps and data files. Delete any connection to email account, VPN, calendar, delete contacts, etc. Un-register from cloud service. Go in at file level and look for anything to delete. Go in through standard apps (Contacts, Gallery, Calendar, etc) and look for anything you forgot to delete.

Maybe: Factory-reset the old device, then boot it and try to connect to accounts. Then factory-reset again.

Lexy Savvides' "How to wipe your phone or tablet before you sell it"
Patrick Lucas Austin's "Disable iCloud Before You Get Rid of Your Mac"
David Murphy's "How to Get Your MacBook Ready to Sell"
David Ruddock's "What is a 'factory reset'?"
Devin Coldewey's "Cheap Internet of Things gadgets betray you even after you toss them in the trash"

Many disk-erase utilities will not erase certain parts of a disk: HPA, DCO, bad sectors that have been re-mapped.

Some disk-erase utilities are not appropriate for erasing an SSD or flash drive. Either use a utility provided by the manufacturer of the drive, or completely fill the device with random nonsense data. On Linux, "sudo nvme sanitize /dev/nvme0nX". Boomstick (Linux)

When you sell a house or car, what devices or services or apps are in it or connected to it ? Some of them can take a while to terminate.

• Record equipment numbers and addresses, router settings, Wi-Fi network name and password, phone number, etc.
  
  
• Change router's admin password.
• Look for features of router: VLANs, IPv6, guest network, firewall ?
• Go through router settings: turn off PnP, turn on firewall, check IPv6 status (I like to turn off IPv6), etc.
• Port-scan router from LAN side.
• Port-scan network from public internet.
• Run browser and DNS leak tests, including IPv6 tests.
• Check that various features/apps work, on computer and phone, especially with router security tightened: VPN, torrenting, videoconferencing, VoIP.
  
  
• Log into your account on ISP's web site and tighten privacy/marketing settings.
• Get a copy of your ISP contract.
• Log into your account on ISP's web site and check fees/charges/limits.

If you really, really want to download and run something that could be dangerous:

• If possible, do it on a spare machine you can afford to wipe and re-installs.
• Have good backups.
• After downloading it, run a virus-check on it. Also send it to VirusTotal.
• If possible, run a hash-signature check on it (this just checks that the actual file-download worked).
• Before running it, disconnect from the internet.
• Disconnect or unmount any external drives or USB sticks or network drives or encrypted containers.
• Do not run the dangerous thing when you're logged in as a privileged user.
• Create and login as a new non-privileged user, different from your normal user login, just to run the new thing.
• Run the dangerous thing in a sandbox or virtual machine ?
• Afterward, do whole-system virus scans.
• If you're going to keep using the new thing, maybe always use it when logged in as that special non-privileged user.

If you have to attach your USB drive to a public computer (such as at a print shop or internet cafe, to print documents):

• Put only the minimum needed documents on the drive.
• If possible, make the drive read-only or mount it read-only.
• Do virus-checks before and after.
• If possible, don't copy the documents back to your main disk afterward. Delete them.
• Erase/reformat the drive afterward.

• Do your spouse and children know about backups and security and privacy ?
  
  
• Maybe create an official family privacy policy, maybe something like:
  • What happens at home is private, by default.
  • If you want to record something, you have to warn people.
  • If you want to upload or post a recording, you have to get permission.
  
  
  
• Children will face a lot of threats and peer pressure from their friends. Bad behavior, bad sites, I have a smartphone and you don't, let's all make posts telling X she's ugly and stupid, etc.
  
  
• Don't set up a child's device or account to pay things out of your credit card or bank account. You may get a nasty surprise a month later. If you must give a card, maybe give a Privacy.com limited virtual card.
  
  
• Parental control apps are much more available and powerful on Android phones as opposed to Apple phones.
  
  
• School and sports leagues will demand a lot of information about your children (such as birth certificates) and you and your spouse (address, phone number, email, etc).
  
  
• School may require that your children have a laptop for schoolwork, and use Google or other cloud accounts.
  
  
• Think ahead to how your family would cope if you died suddenly. Are you the only one who knows the passwords, knows what software is being used, knows how to make and recover from backups ? Maybe write down instructions, and leave a copy of your password manager database, or a copy of a subset of it. Then leave the master password with a trusted friend who doesn't have access to the database or devices. Or leave half of the master password with one trusted friend and the other half with another trusted friend. But this may not work if you have two-factor authentication.
  Patrick Howell O'Neill's "Dealing with the digital afterlife of a hacker"
  
  
• Maybe do credit freezes for each of your children, as soon as they have SSNs.
  Brian Krebs' "The Lowdown on Freezing Your Kid's Credit"
  
  

Proton Mail's "How to protect your children's privacy online"
Michelle Woo's "Teach Your Kid About Digital Safety With the 'Be Internet Awesome' Program"
Troy Hunt's "Sharenting, BYOD and Kids Online: 10 Digital Tips for Modern Day Parents"
Amer Owaida's "3 things to discuss with your kids before they join social media"