
Excellent book on digital privacy and cybersecurity by a website known as The New Oil


About This Site
There are a lot of amazing resources for privacy and security out there. Many of them are geared towards
people who are moderately tech-savvy or better. However, there aren't many that are geared towards
beginners and non-tech people. There are many people who are interested in privacy or security, but are
just so overwhelmed and unsure. Where do I start? What's most important? What's not very important?
What do you mean there's more than one type of encryption? Are some better than others? Why does
metadata matter? Can't you just tell me what to use?
The answer, in a word, is no. I can't tell you what services and products to use any more than I can tell
you what to wear or what to eat. It varies from person to person. But I can help you understand the
concepts, services, and products available and make those decisions on your own.

How It Works
This site is designed in a book format. It is designed to go in-depth on various ideas, subjects, and
concepts, and make you - the reader - feel educated and capable of making decisions that are right for
you. But it is also designed to be standalone in the sense that you can feel free to skip around. If you're
here and you just want to know more about encrypted email, you can skip to that section. If you want to
know more about safe browsing, skip to that section. If you want to understand cybersecurity, identity
theft, and hackers, skip to that section. Additionally, this site/book is designed to feed back into itself.
Links will either go to other relevant sections on this site, or will link to outside articles as a way of
citing my sources.
This site/book is split up into three major sections. "Most Important" covers the things I think are most
important and most relevant to anyone: things like cybersecurity, identity protection, and basic good
internet hygiene. The middle section is called "Moderately Important" and deals with things that are
still important but not urgent: encryption, backups, and communication. Finally, "Less Important" deals
with things that will give you added layers of security and privacy, but probably aren't critically
important if you're practicing the other procedures.

Important Disclaimers
It is important to note that privacy and security are not either/or concepts. Despite what some elitists
might try to claim, you can have some privacy while keeping a Facebook account, but not as much as if
you got rid of it. Likewise you can have some security without using multifactor authentication, but not
nearly as much as if you used it. Privacy and security are spectrums. No matter how much you go live
in a cabin in the woods, if you piss off the right person with enough resources they will find you. (Just
look at Ted Kaczynski.) The goal of this site/book is not to teach you to drop off the grid and live in a
cabin in the woods with no risks whatsoever. For one, that's not possible. For another, I would argue
that's not a life worth living. (If you disagree, don't let me stop you.) Rather this site/book is to help you
learn how surveillance and tracking works, how to opt out of it, and decide what the right level is for
you. Not everything here will apply to everyone, and that's okay. Even taking some of the steps moves
you further along that scale.
This site/book will be updated as often as necessary, and I will announce any major changes on my
blog (as well as a "this site was last updated on" date in the Links section). The same blog may also be
used to post commentary on important news, but I promise not to spam you with daily posts. I tend to
only post once per week on weekends, so feel free to subscribe via email if you want to keep updated.
My goal is not to pull the rug out from under you, but rather to keep this site relevant, current, and
accurate. I also post a daily feed of privacy- and security-related news articles that you can feel free to
follow to stay on the cutting edge of this ever changing field.
Finally, I have made this book/site in good faith. I do not have any vested financial interest in any
of the services, products, or companies I have listed. For the following services I have included referral
or affiliate links, which will offer me some sort of financial compensation if you sign up using the
links provided: privacy.com, ProtonMail, ProtonVPN, and SimpleLogin. I have also provided
non-affiliate or non-referral links immediately next to the product for those who are uncomfortable using
those links for any reason. I am not a cybersecurity expert of any kind, but I have invested thousands of
hours into research and testing. I also spend much of my time listening to discussions on various up and
coming technologies, news, and emerging developments.
Having said all that, please enjoy this site/book. I hope you find it useful, and if you have any questions
or respectfully-worded feedback, I welcome them all. Thank you, and I hope this helps you take back
some of your civil liberties.

https://www.thenewoil.xyz/about.html
Accessed February 19th, 2021.

Introduction
In the 1900s, oil was discovered in the state of Texas and revolutionized the US economy. Coming right
on the heels of the industrial revolution, oil had become one of the most valuable resources on the
planet, and that meant anyone who owned the land it was found on now found themselves in various
states of fortune. Texas grew from a mostly rural state to one of the most populous in the country, and
to date it still has several major cities in the top ten list.
The phrase "data is the new oil" is a bit controversial in tech circles, mostly for nit-picking reasons.
Detractors argue that unlike data, oil is a finite resource and that it is only valuable in bulk after being
refined. However, according to Forbes, the most valuable brands in the world in 2019 were Apple,
Google, Microsoft, Amazon, and Facebook, all companies notorious for their data collection and
targeted-advertising. No matter how you interpret it, data is a moneymaker.
Most of us are not strangers to the concept of surveillance capitalism and targeted advertising. Most of
us don't particularly care, either. After all, who wouldn't want relevant ads for movies or products that
might actually appeal to you or improve your life? The thing is, most of us don't understand the
aggressive measures these companies go to to create those marketing profiles, or the devastating effects
they can have on people.
It may sound paranoid, but it's actually a credible fact that entire companies exist simply to collect your
data and build profiles on you, and in their minds the ends will always justify the means. Often they
collect data in ways that range from questionable to straight-up illegal, collecting information that no
sane person would willingly consent to, but they do it in ways you can't detect. When your deepest,
most personal secrets are a data point for a marketing agency, abuse of any kind is only a small step
away, as could be seen in 2019 when the Egyptian government tracked opponents and activists through
phone apps, the Moroccan government spied on the phones of human rights defenders, and the Chinese
government hacked Asian telecommunications companies to spy on the Uighur, a minority Muslim
ethnic group living in China.
It sounds far-fetched, like something from a dystopian sci-fi movie, but just a few of the factual
methods of data collection include using high-pitched tones that only electronic devices (aka phones)
can hear to report how many people are watching a TV show, collecting sale information, tracking your
search history, tracking your car as you drive through the real world, tracking your phone as you
browse the store to see where you spend the most time, collecting your DNA from family heritage
testing services, selling your information to public data websites, government agencies selling your
driver's license information, and more.
"Wow," you may say, "that's intense. But why should I care? I have nothing to hide."

Why Care About Privacy


• Privacy is a human right according to Article 12 of the United Nation's Universal Declaration of
Human Rights.
• Laws are not an indicator of morality. The 13th Amendment, abolishing slavery in the United
States, was not ratified until December 6, 1865. Despite this, segregation legally continued until
the 1960s and racial issues continue to be fought in courtrooms today. Obergefell v Hodges
made same-sex marriage legal in the United States in 2015 but this issue is still being fought in
many jurisdictions.
• The US Government (and others) have been proven to spy on their own citizens, even peaceful,
positive movements.
• The US Government has been known to leak personal information of citizens who express
dissenting opinions, effectively discouraging people from exercising their freedom of speech.
• According to the Bureau of Justice: "During a 12-month period an estimated 14 in every 1,000
persons age 18 or older were victims of stalking" and "Approximately 1 in 4 stalking victims
reported some form of cyberstalking such as e-mail (83%) or instant messaging (35%)."
• Statistics show that lack of privacy leads to a population who is afraid to ask questions or
educate themselves, even if the issues are important and the motives are pure. People are afraid
to stand out lest they be mistaken for troublemakers, even if the cause is just.
• When you collect enough metadata, you can start to infer things that the person didn't
necessarily want to reveal.
• On a large enough scale, the profiles compiled on individuals by mass surveillance can reveal
unethical and personal information, such as how to successfully deceive people into doing
things they wouldn't normally do. In 2016, Cambridge Analytica was accused of convincing
entire countries to vote in ways they wouldn't normally vote, compromising democracy and
literally changing the course of the future permanently.
• In the United States, the fourth amendment of the Bill of Rights guarantees protection against
search and seizure without a warrant based on probable cause. Mass surveillance collects
information indiscriminately where US citizens have a right to expectation of privacy, thereby
violating the constitutional rights of every American citizen. Additionally, the program has been
proven to be expensive and yields almost nothing in return.
• The United States Government's surveillance program is about control, not stopping crime. This
is most obviously demonstrated when the Federal Bureau of Investigation dropped charges
against members of a group of pedophiles in 2017 because continuing the case would've
required them to reveal the vulnerability they used to track the pedophiles, which would have
inevitably led to the exploit being fixed eventually.
• Multiple industries are now keeping "surveillance scores" on people, which can be used to
determine employability, overall consumer trustworthiness, insurance rates, and even whether
you're a good person to rent to.
• Some countries, including the United States, are working on implementing a China-style social
credit system fed by your online and collected data.
• 7.5 million people in the US were stalked in 2011, and one woman in 1989 was even murdered
by her stalker who found her address from DMV public records.
• Tech companies have been known to sell your data to law enforcement agencies. In 2011, GPS
data was sold to local police so they could issue traffic tickets.
• Countries have used digital communications to identify planned peaceful protests and stop them
before they start.
• Financial institutions have been known to penalize you financially because they don't like your
shopping habits. For example, AMEX lowered a person's credit limit because they shopped at
"deadbeat" establishments like Walmart.
• A Los Angeles man was killed after accidentally posting his address to Facebook and Instagram.
He had taken pictures of some goods he ordered online and the address was visible in the
packaging.
• The US military (and probably others) purchases location data from popular apps that track
weather, exercise, and even Muslim prayer to help target drone strikes.
• In Australia, data breaches from rogue employees were up 52% between 2019 and 2020.

Why Care About Security


• According to Edward Snowden (love him or hate him, he is a cyber-security expert), weak
passwords can be hacked within seconds. Software to perform this is legally available for free
all over the internet.
• Companies all over the world - big and small alike - are constantly suffering from data breaches
that can reveal anything from username and password to account numbers, government
identifications, and more.
• According to the Bureau of Justice Statistics, "Approximately 68% of the victims of cyber theft
sustained monetary loss of $10,000 or more." Often cyber crime isn't just about draining a
person's bank account, but also opening new accounts in that person's name, which that person
is then liable to prove is illegitimate.
• Internet of Things (aka smart devices) attacks were up 600% in 2017.
• According to Microsoft the vast majority of cyber attacks can be stopped completely by using
simple techniques like Multi-Factor Authentication and Password Managers.
• The number of new mobile malware targeting mobile devices increased by 54% in 2017.
• Failure to properly control access to your devices or accounts can result in information being
uncovered by unwanted parties even if they have little or no technical ability.
• Researchers in 2015 were able to successfully hijack a Jeep while it was in use, controlling the
HVAC, radio, windshield wipers and fluid, the digital display, the brakes, the steering, and the
transmission. The hackers were ten miles away.
• 2020 is seeing an average of 7 million records per day being exposed in data breaches.
• Australia alone suffered 1,050 data breaches in the 2019-2020 financial year, a 12-month
period. That's almost 3 data breaches per day in a single country with a population of only 25
million.
• For parents, child identity theft is on the rise, affecting over 1 million children in 2017 alone.
• In Australia, 91% of reported data breaches leaked sensitive information to criminals such as
home address, phone number, and email address.
• Rogue employees are on the rise, meaning that those people now have your information to stalk,
harass, or otherwise disrupt your life. Example, example.

https://www.thenewoil.xyz/index.html

Accessed February 19th, 2021.

Introduction: Section Introduction


I have divided this site up into standalone sections, but there are a few concepts that are universal and
critical to the world of privacy and security. The next few pages of this site are dedicated to explaining
basic concepts that will come up over and over again throughout this site, such as how surveillance
works, how most networked digital communications work, and what "open source" means (and why it
matters). If you feel like you sufficiently understand these topics, you can feel free to skip this section,
or you can come back to the pages as you need.


https://www.thenewoil.xyz/intro.html

Accessed February 19th, 2021.

Threat Modeling
In order for any of this site to make sense – and in order to know what tools are right for you – you
have to understand “threat modeling.” The term “threat model” is just a fancy way to say “what are
you hiding and who are you hiding it from?” For example:
• A journalist may want to protect their sources from harm or retaliation. Therefore their threat
model will include ways to avoid location tracking, encrypt or otherwise protect the uncensored
information they receive from their source, and other similar information that might reveal who
their source is or allow others to track them to their source.
• A member of law enforcement may protect their home location in a variety of ways to avoid
putting their families in danger from criminals seeking revenge or just general criminals with a
grudge against the system.
• An activist in a repressive country may take steps to hide their research, gatherings, or other
activities so the government can’t track their real identity so easily and use it against them.
• Most people are worried about identity theft and loss of financial resources through their bank
account. Some of their defensive strategies could include using a password manager, two-factor
authentication, and freezing their credit.
While threat modeling can be applied to a wide variety of situations (as shown above), on this site I
want to focus specifically on threat modeling for your personal data. The Electronic Frontier
Foundation defines data as “any kind of information, typically stored in a digital form. Data can include
documents, pictures, keys, programs, messages, and other digital information or files.” So with this in
mind, our threat model question becomes “what data am I protecting and from who?”
While there are basic “best practices” that do apply to almost (if not) everyone, there’s really no
one-size-fits-all threat model for everyone. Some people need more security or privacy, and some need less.
Most people want to find a healthy balance between protection and ease of use.
The threat model that I focus mostly on in this site is defense against common, non-targeted attacks.
The example I like to use is infamous serial killer Richard Chase. Chase stalked the Los Angeles area
between 1977 and 1978. One of the reasons he was so difficult to catch was because he didn’t have a
pattern. He said on record after he was caught that he would just cruise around neighborhoods until he
spotted a house he felt compelled to try. But here’s what made Chase odd: if the doors and windows
were locked, he would go on his way and try a different house. He didn’t force his way in.
My goal with this site is to teach you how to "digitally lock your doors and windows" to protect
yourself against the Richard Chases of the digital world. In other words, make yourself harder
to hack than the other guy so that hackers looking for an easy payday give up and move on to someone
else. That’s not to say that the tools and techniques I discuss can’t be used for more advanced threats,
but know that I’m not trying to teach you to be invisible, I’m trying to teach you to live a normal life
while being safe.
What’s your threat model? You can't know how to properly defend yourself against attacks if you don't
know what attacks you are likely to face. While I teach the basics here, some readers may need to
continue their education after my site, and all readers will have to examine the numerous tools and
techniques I share here to figure out which is best for them. You can't know any of that without
defining your threat model. So how do you determine your threat model?
1. What do I want to protect?
This is typically known as assets, and in my opinion those come in both physical and non-physical
forms. A physical asset would be something like a laptop, phone, or file cabinet - a place that holds the
data you wish to protect. A non-physical asset would be something like a bank account, email
account, or cloud storage backup account. You need to identify all your assets.
2. Who do I want to protect it from?
“Bad guys” is a pretty bad answer to this. Different types of bad guys have different resources and
motivations. For example, a typical "hacker" doesn't target you specifically (see Understanding Data
Breaches). A potential employer, on the other hand, is targeting you specifically. Try to be specific
when identifying the "who" of your threat model, and know that it can vary from asset to asset.
3. How bad are the consequences if I fail?
To use the examples from #2: the "hacker" is trying to steal all your money and maybe even open fake
accounts in your name that you will then be responsible for. Your prospective employer is simply trying
to decide if they want to hire you. Both are consequences, and both are serious, but they require
different levels and methods of defense. There's nothing wrong with going above and beyond the bare
minimum of defense, but make sure that you know what's actually necessary and likely and don't ruin
your relationships or mental health because you went too far. It's all about balance.
4. How likely is it that I will need to protect it?
This ties into both #2 and #3. An unrelated example: a person who shops online frequently and with
many different retailers will almost certainly have their card details stolen at some point. The need to
protect their card details, funds, and financial rating are extremely high as the likelihood of attack is
extremely high.
5. How much trouble am I willing to go through to try to prevent potential consequences?
Not all threats warrant the same level of action and investment. This is the “cost/benefit analysis.”
Some security and privacy strategies involve much more work and may not be right for you depending
on your level of skill and the sensitivity of the information being protected. Always remember: nothing
is unhackable. Trying to protect all your data against everything all the time is impossible and
exhausting. Instead, the goal should be to find a balance where you protect against or mitigate the most
likely and most harmful threats as much as possible without harming yourself or those around you.
Renowned cyber expert Gene Spafford once famously said "The only truly secure system is one that is
powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even
then I have my doubts." Don't go crazy trying to be bulletproof. It's not possible. Find the balance
between security and privacy and quality of life.
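The five questions above are easier to apply when you write the answers down and compare them side by side. The following is an added worked example, not code from The New Oil: it records each threat as the answers to questions 1 through 5 (impact, likelihood and effort on a constructed 1..5 scale), ranks assets by likelihood times impact, and then does the cost/benefit pass from question 5 by picking the mitigations that remove the most risk per unit of effort within a stated effort budget. The sample threats, their numbers, and the `residual` likelihood estimate for each mitigation are all constructed for illustration.

```python
"""Added worked example (not from The New Oil): the five threat-modelling
questions as data, a likelihood x impact ranking, and a cost/benefit pass that
picks mitigations within an effort budget. All scales and figures are constructed."""
from dataclasses import dataclass


@dataclass
class Threat:
    asset: str        # Q1: what do I want to protect?
    adversary: str    # Q2: who do I want to protect it from?
    impact: int       # Q3: how bad if I fail? 1 (annoyance) .. 5 (life-altering)
    likelihood: int   # Q4: how likely is the attack? 1 (rare) .. 5 (near certain)
    mitigation: str   # the control under consideration
    effort: int       # Q5: trouble/cost of that control, 1 (trivial) .. 5 (major)
    residual: int     # likelihood left once the control is in place (assumed estimate)

    def __post_init__(self):
        for name in ("impact", "likelihood", "effort", "residual"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be in 1..5")
        if self.residual > self.likelihood:
            raise ValueError("a mitigation cannot make an attack more likely")


def risk_score(t: Threat) -> int:
    """Untreated risk: likelihood x impact, on a 1..25 scale."""
    return t.likelihood * t.impact


def risk_reduction(t: Threat) -> int:
    """How much risk the mitigation removes."""
    return (t.likelihood - t.residual) * t.impact


def rank_by_risk(threats):
    """Assets ordered from most to least at risk (Q3 and Q4 taken together)."""
    return [t.asset for t in sorted(threats, key=risk_score, reverse=True)]


def prioritize(threats, effort_budget):
    """Q5, the cost/benefit pass: greedily take the mitigations that remove the
    most risk per unit of effort until the budget is spent. Returns the chosen
    mitigations in the order picked; a control that removes no risk is never chosen."""
    ranked = sorted(threats,
                    key=lambda t: (risk_reduction(t) / t.effort, risk_score(t)),
                    reverse=True)
    chosen, spent = [], 0
    for t in ranked:
        if risk_reduction(t) > 0 and spent + t.effort <= effort_budget:
            chosen.append(t.mitigation)
            spent += t.effort
    return chosen


# Constructed sample threat model for an ordinary person (numbers are illustrative).
SAMPLE_THREATS = [
    Threat("bank account", "opportunistic credential-stuffing attacker", 5, 4,
           "password manager with unique passwords plus 2FA", effort=2, residual=1),
    Threat("payment card details", "card-skimming fraud at a breached retailer", 3, 5,
           "masked/virtual card number per merchant", effort=2, residual=1),
    Threat("credit file", "identity thief opening accounts in my name", 5, 2,
           "credit freeze at the bureaus", effort=1, residual=1),
    Threat("public social media posts", "prospective employer screening me", 2, 4,
           "prune old posts and restrict visibility", effort=2, residual=2),
    Threat("all communications", "nation-state targeting me specifically", 5, 1,
           "go completely off-grid", effort=5, residual=1),
]

if __name__ == "__main__":
    for t in sorted(SAMPLE_THREATS, key=risk_score, reverse=True):
        print(f"{risk_score(t):2d}  {t.asset:<26} vs {t.adversary}")
    print("with effort budget 5, do:", prioritize(SAMPLE_THREATS, effort_budget=5))
```

The greedy pass is deliberately simple: it is the "cost/benefit analysis" from question 5 made explicit, and it shows why the nation-state entry never gets picked even though its impact is maximal. The likelihood is already low, and the only control on offer costs the most and removes no risk worth the effort, which is the balance the page argues for.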
In the coming pages of this site, I will offer you a variety of tools, how they can be used, and the pros
and cons of each. With your threat model in hand, I hope this site can help you decide which tools are
right for you to help secure and protect your data.
Large parts of this page were borrowed from or inspired by EFF’S Surveillance Self Defense Guide.


https://www.thenewoil.xyz/threatmodel.html

Accessed February 19th, 2021.


Understanding Surveillance
In order to make informed decisions, one must first have information. So in this section, I want to give
a brief overview of some of the most common ways surveillance works. This is not an exhaustive list,
but it should give you a general idea to recognize potential surveillance mechanisms.
Generally speaking, the most common form of surveillance is Surveillance Capitalism, meaning
companies like Amazon or Google who collect information about you in order to serve more relevant
ads or products. Governments also perform surveillance, but typically government surveillance
piggybacks off existing surveillance capitalism infrastructures (see PRISM), meaning while ending up
on "a list" is probably a fairly easy, common, and automated thing, getting an actual person to watch
you individually is less likely than you'd think. Most surveillance is performed automatically by
algorithms and automated systems. The bad news is, this means such surveillance is everywhere. The
good news is, that means it's aimed at the masses and therefore relatively easy to get out of.
Before I go any further, I also want to point out that there are organizations known as data brokers
who collect your information for profiling purposes. Amazon and Apple may not be sharing data with
each other, but they are likely sharing it with companies like Acxiom and LexisNexis who in turn sell
your profile back to companies who use it for advertising.

The Three Types of Surveillance (According to Me)


The most obvious form of surveillance is what I'll call "consented surveillance." This is when you
give up obvious forms of information. For example, if you sign up to both Amazon and eBay using the
same email address, then obviously any purchases made on both are automatically tied back to you. As
I said in the previous paragraph, Amazon and eBay may not be sharing your purchase history with each
other, but they definitely share it with data brokers. Their automated systems easily correlate the two
accounts and combine them.
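To make the correlation concrete, here is an added illustration that is not code from The New Oil: two constructed purchase records from different sites are grouped by e-mail address the way a broker's record-linkage step plausibly would (lower-casing, dropping a `+tag`, and ignoring dots for Gmail addresses, which Gmail itself treats as equivalent; the exact normalisation any real broker uses is an assumption). Registering with the same address yields a single merged profile; registering with a distinct alias per site yields two profiles that nothing in the data ties together. The alias domain `example-alias.invalid` is a placeholder.

```python
"""Added illustration (not from The New Oil): how accounts registered with the same
e-mail address on different sites can be merged into one profile, and why a distinct
alias per service breaks the link. Sample records and the alias domain are constructed."""
from collections import defaultdict


def normalize_email(addr: str) -> str:
    """Canonicalise an address as a linkage system plausibly would (assumption):
    lower-case, strip a '+tag' from the local part, and for Gmail also drop dots,
    since Gmail delivers jane.doe@ and janedoe@ to the same mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def build_profiles(records):
    """records: iterable of (site, email, item). Groups purchases by normalised e-mail,
    which is the merge step a broker's automated system performs."""
    profiles = defaultdict(lambda: {"sites": set(), "items": []})
    for site, email, item in records:
        key = normalize_email(email)
        profiles[key]["sites"].add(site)
        profiles[key]["items"].append((site, item))
    return dict(profiles)


def cross_site_profiles(records):
    """Profile keys whose data came from more than one site: the ones that got merged."""
    return [k for k, v in build_profiles(records).items() if len(v["sites"]) > 1]


# Constructed sample data: the same person shopping on two sites.
SAME_EMAIL = [
    ("amazon", "Jane.Doe@gmail.com", "prenatal vitamins"),
    ("ebay", "janedoe+ebay@gmail.com", "used crib"),
]
# The same purchases, but each site was given its own alias address.
ALIASED = [
    ("amazon", "amz-7f3k@example-alias.invalid", "prenatal vitamins"),
    ("ebay", "ebay-q9zm@example-alias.invalid", "used crib"),
]

if __name__ == "__main__":
    print("same address  ->", build_profiles(SAME_EMAIL))
    print("aliased       ->", build_profiles(ALIASED))
```

The point is not the particular normalisation but that any shared, stable identifier (an e-mail, a phone number, a shipping address) is a join key; the later sections on aliasing services are about removing those join keys.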
The next form of surveillance I'll call "unconscious surveillance." Technically you consent to this
form whenever you click "I agree to the terms of service" but let's be honest: who reads those? This is
when you click that button without reading and the company does more invisible things: maybe they
plant a cookie on your computer that tells them every site you visit, or you unwittingly agree to share
your contacts list even though the app has nothing to do with contacts. It could also include bots that
automatically scan your emails for keywords or that aggregate your browsing habits based on your
stored cookies.
The final form of surveillance I'll call "secret surveillance." This is the kind that, honestly, probably is
only an issue if you're already getting the attention of the government. This is the kind that isn't
automated, the kind where they plant a fake version of an app on your phone or computer to track your
entire phone or just that app specifically, or where they actively capture and read your communications
by a person and not just a machine. This is expensive and rare, and generally speaking falls outside the
scope of this book/site.
This site will focus primarily on the first two forms of surveillance and how to opt out of them.
Narrow AI is the AI you're already familiar with: Siri, Alexa, Netflix's viewing algorithms, Google's
navigation. They're really good at what they do, but what they do is very specific and limited. The
upside is that because it is so narrow, it's relatively easy to avoid it, and because companies already
make so much money off the data of those who don't avoid it, they probably don't really care about you
escaping.


https://www.thenewoil.xyz/surveillance.html

Accessed February 19th, 2021.

Security vs Privacy vs Anonymity


In the privacy community, there's often a lot of debate over the perceived superiority of certain
products because of their various shortcomings with no regard for the intention of these products. For
example, many people lambaste Signal for requiring a phone number. This is a fair complaint, as
someone who is trying to remain anonymous should be cautious who they hand out a valid phone
number to. Other messengers, such as Session, allow for usernames, meaning the person who uses it
can still maintain a degree of privacy when handing out their username. But even those services have
shortcomings. Wire, for example, does log information such as IP Address on sign up, meaning that
unless you take additional measures it is not completely anonymous.
On this page, I want to explain privacy, security, and anonymity. These subjects often complement each
other, but they are not always dependent on each other. It is important to remember that to some extent,
there are no wrong answers here. It is okay to pick a product because you value security even though
that product may offer little in the way of privacy (though I don't encourage that). It's also okay to pick
a product that provides privacy even though it doesn't provide anonymity. And it's even okay to pick a
product that doesn't provide security if it does provide one of the other features. The important thing is
that you need to be aware what these products and services are offering you so that you can use
them correctly.
• Security is defined as "freedom from danger," or “protection; measures taken to guard against
espionage or sabotage, crime, attack, or escape.” Think of it as the ability to keep unauthorized
people from accessing information, accounts, or other similar things. A real world example
could be the way a lock is designed to keep unauthorized people outside of your home.
• Privacy is “the quality or state of being apart from observation; secrecy.” I call it the ability to
control information. This can refer to your identity, but can also refer to information about your
identity, like your words, ideas, beliefs, images, or bank information. Using the above house
again, privacy can be thought of as your ability to control who has the key or the address.
• Anonymity is the state of being anonymous, or “of unknown authorship or origin, not named or
identified.” It is the ability to be completely unknown by anyone. Anonymity can be thought of
as privacy on steroids, but while privacy refers more to information ABOUT you, anonymity
refers more to your actual identity.
• All definitions courtesy of Merriam-Webster Dictionary.
As I said, these topics often overlap. Privacy can help your security because if people don't know
information about you, they can't pretend to be you to answer security questions. Security can protect
your privacy by controlling who has access to that information about you. The best example I like to
use is a home: security is the door lock. Privacy is the key, and you can decide who gets a copy of it.
Anonymity is when nobody gets a copy of the key, or even the address.

Examples
Security without Privacy or Anonymity
The most obvious example of this, as I mentioned before, is Google. Google has had almost no major
data breaches in all their years of existence, yet they know almost everything about everyone to the
point that the former CEO Eric Schmidt remarked "We can more or less know what you're thinking
about." Google offers world-class security with zero privacy or anonymity.
Privacy without Anonymity
MySudo is, in my opinion, a great example of this. MySudo is non-anonymous. They can see your
messages, they can see your metadata, and if you sign up for their masked-card service, they know
exactly who you are. However, they help you protect your privacy by giving you phone numbers, email
addresses, and cards to give to other companies and individuals so that you can protect your real
information. The same goes for privacy.com, which allows you to use masked debit cards with literally
any information attached to them. Privacy has to know who you are by law to prevent fraud, so they're
not anonymous, but they can help you protect some of your privacy.
Anonymity without Security
Cash is a great example of this. Paying for a product in cash preserves your anonymity - unless the
business requires it, you don't have to give any kind of information at all. Yet, you have no security if
the seller doesn't deliver the item (unless you have a receipt). You have no protection from fraud or
anything like that.
Security & Privacy without Anonymity
Once again, I'm going to cite Signal. Because your phone number is required, you can be unmasked by
a court order or even a web search depending on the phone number you use. However, Signal is
renowned for having some of the best security in the world, and the content of your messages and the
information you transfer will be protected and controlled even if your identity is not.
Privacy without Security or Anonymity
Forgive me if this is a gross example, but think of using the restroom when you go camping. You can find
some bushes to hide behind and that will give you privacy, but you have no security or anonymity. There is
nothing to stop anyone from finding you, and if the police decide to ask for ID you have no protection
from that request.
Security with Privacy & Anonymity
I would argue that XMPP is a perfect example of this. XMPP allows you to sign up without any real
information, over a VPN or Tor connection for total anonymity. Additionally, the conversations can be
protected by OMEMO encryption, meaning the data itself is also private. When used properly, this is as
close to perfect as you can get (if a bit user-unfriendly).

Closing Thoughts
As I said before, these three concepts are not necessarily dependent on each other. A secure product
does not guarantee privacy, a private product does not guarantee security, and anonymity does not
guarantee either. Also as I said before, there is nothing wrong with valuing one facet over another.
While I discourage it, it is okay to use Gmail because of Google's top-notch security even though it
offers no privacy. It's also okay to use Signal even though it doesn't give you total anonymity. Just be
sure you understand how a product is used. It would be awful to use Google thinking that it will give
your communications privacy and then your financial details get stolen by a rogue employee. Or if you
used a service like Signal to organize protests in a hostile country only to be arrested once your phone
number is unmasked with a warrant. Know the limitations of the services you choose and decide what
features are important to you.


https://www.thenewoil.xyz/privsecanon.html

Accessed February 19th, 2021.

Open Source vs Proprietary


In this book/site, I will only preach open source software wherever possible. For the sake of diversity, I
will mention proprietary software where unavoidable (for example under the VoIP section, since there are
no open-source VoIP solutions I'm aware of), but wherever possible I will stick to open source software.
Let me explain what open source is, and why I plan to stick to that exclusively.

Digital Rights Management


While I’m explaining the concept of open source, I want to take a second to explain DRM as that will
come into play later. DRM stands for digital rights management, which is basically a fancy way of
saying anti-piracy or anti-copyright abuse. It allows companies to ensure that you’re using a legitimate
copy of their software, game, or ebook (or other digital files) rather than a pirated version, and also that
you're using it in accordance with the terms of service (ex: not hosting a movie theater in your home).
On the surface, this is a great thing. I personally am a firm believer that people who create a product
have the right to charge for it if they want to, and as such they deserve to be protected from piracy and
other forms of theft. DRM is, however, prone to abuse, which I’ll get into in a moment.
So What is Open Source?
Open source refers to something whose process has been publicly posted or made transparent. For
example, one might create a program and then post the source code publicly on a site like GitHub.
Open source software is usually free, and usually the source code is posted for two reasons: one is so
that people can modify it as they wish and improve it or self-host it independently to ensure the safety
of their data, and another is for trust and transparency so people can rest assured there’s nothing
unethical going on in the background such as unnecessary data collection. A great example I read once
said to think of open source as cooking at home and proprietary or closed-source as eating at a
restaurant: at home you can see each ingredient and have total control over which ones to add,
exclude, substitute, or modify. In the restaurant, your knowledge of the ingredients and control over
them is limited to varying degrees (think of the “secret sauce” at a fast-food chain).

The Ethics and Abuses


As I mentioned above, I personally am of the belief that creating a product or service entitles you to
charge for it if you so choose. However, as with most things in life, that can be taken too far. Let's take
two real-life examples: two separate people purchased different proprietary products, a printer and a
fridge. Those products come with additional accessories that provide a revenue stream, ink and water
filters in these cases. In today’s competitive market, it’s often more frugal to find a third-party off-brand
that offers a compatible part for less than the manufacturer’s product and works just as well.
There is nothing illegal about this, and personally I find nothing unethical about it either.
Manufacturers are beginning to respond by making their products digitally refuse to use third-party
accessories (we’ve already seen Apple do this to some third party charging cables for years).
One could argue that this is a company protecting its investment or intellectual property, but I think it
sets a dark trend where corporations control all the products in our lives, all but crushing out
competition simply because it’s not compatible. When multiple products work across brand lines, it's
called "competitive interoperability." Think of an Android phone charger. Whether your phone is from
LG, Samsung, or Motorola, and no matter who made the charger, it will work for all of them.
In my opinion, competitive interoperability is a good thing. It encourages innovation and competition
and drives down prices. Anyone who’s been in college during the digital age has seen the gross abuses
of DRM and monopolies. Pearson is a striking example of DRM gone wrong, often overpricing digital
books and creating clunky, buggy systems for accessing them. Even with their ridiculous prices, books
are often rented and not owned during the duration of the student’s course, meaning the book stops
being accessible once the semester or license period is up. Nightmarish situations like these can leak
beyond protecting intellectual property and copyrights, like when Pearson decided to remove many of
their books from the digital libraries of people who had already paid for them.

The Coming Age of DRM


Recently we entered a new chapter of the digital age of truly 24/7 online connectivity. Our cars can
host apps just like our phones can, and some even have their own modems built in to connect to the
internet. Even our appliances like thermostats, fridges, washing machines, and coffee makers are
constantly connected. As connectivity begins to permeate every second of our lives, it's important to
not only be aware of what data those devices are sending and who's collecting that data, but also to
know that they now have the ability to enforce the terms of service at any time for any reason. And as
someone who actually reads the terms of service, I can tell you that the vast majority of them say word
for word that they can change at any time without warning. Your car might not report you for speeding
right now, but it has the ability to and at any time the service provider can change the rules and start
reporting your speeding habits to insurance and law enforcement. In the future your car may only
allow you to repair it with manufacturer parts, or may decide that attempting repairs at home
voids your warranty. More and more of us are becoming increasingly dependent on technology and
the connectivity of it all. Take for example the driver who got stranded when his rental car couldn't
connect to a network to call home.
Open Source products protect against situations like these because they are designed to be
proliferated. You can’t control the competition if you make the product freely available without
restriction. You can’t stop anonymous users from sharing and modifying it. Even if you tried to enforce
DRM, the source code can be modified to remove that enforcement. An open source fridge, for
example, could easily be modified to remove the digital locks requiring the manufacturer’s filters. It
protects consumers. Additionally, it’s a trust measure. Open-source means that anyone can verify that
the code does what it claims to. There’s no mystery, conspiracy theories, or lies (theoretically). And
with many eyes on the code, weaknesses and bugs can be quickly identified and corrected. As we
continue to navigate the murky waters of corporate greed in the digital always-online era, it's time to
start being aware and future-proofing ourselves as much as possible.


https://www.thenewoil.xyz/oss.html

Accessed February 19th, 2021.

How Network Communication Works


You’re probably already aware that cell phones don’t communicate directly with other cell phones;
they communicate with cell towers, which form a mesh network with other cell towers to bounce
your call, text, or other data from tower to tower until it reaches its destination. But you may not
know that the internet works in a similar fashion. In this section, I want to explain how modern digital
communication works to help you understand how some of the tools and techniques in later sections
protect your communications.

Your Phone is a Radio


Without getting too deep into the weeds, all wireless signals run on the electromagnetic spectrum.
Remember ROYGBIV from school, aka the rainbow? That is electromagnetic radiation, the part we
know as visible light. Believe it or not, every wireless signal is the same kind of thing. Radio, X-rays, cell
phones, WiFi: they’re all just light waves carrying information around. The only thing that separates
them is the frequency of the waves on the electromagnetic spectrum.

Wireless microphones, radios, cell phones, and even WiFi all fall under the “radio waves” section. All
of these devices use the same basic technology to work and the only thing that keeps them from
interfering with each other is that they operate on different sections of the radio frequencies.
Needless to say, your phone is pretty small, and trying to shoot out enough radio radiation to reach
anywhere in the world would be extremely damaging to your health, and would require your phone to
be literally massive, too big to be mobile. So instead, your small phone has a limited range, just enough
to connect to larger towers which in turn relay the signal where it needs to go. You’ve experienced this
limitation yourself whenever you lose reception in the middle of nowhere.

The Internet Works the Same Way


Whether it’s WiFi or a physical ethernet cable, the internet communicates mostly the same way as
cell phones in the sense that your data jumps around from location to location before reaching its
final destination rather than going straight to the destination. Once your data leaves your router, it
basically jumps through a series of other routers to get to its destination. These routers are not owned
by individuals, they’re owned by corporations and internet service providers (ISPs), but the principle is
the same.
What is DNS?
DNS - which stands for Domain Name Server - is the address book of the internet. When you type
"Amazon.com" into your browser, your computer doesn't understand that address. It contacts your
DNS, who looks up that address and tells your browser "oh, that's 52.88.253.183," which your
computer understands. Your computer contacts that address, and Amazon is displayed on your screen
for you to browse. Most internet service and VPN providers have their own DNS, but you can actually
change most devices to use alternate DNS resolvers. There are a lot of advantages to that. For one,
most default DNS providers keep a log of the sites you ping, which then gets sold to data brokers and
added to your profile. For another, many alternate DNS providers block known advertising domains or
malware, meaning a safer and less frustrating experience online. PrivacyTools.io offers a great list of
alternate DNS providers, and if you're unsure how to change your DNS, try doing a web search for the
device or browser you're using plus "change DNS."
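To make the lookup described above concrete, here is an added example (my own illustration, not code from The New Oil) that builds the query packet a computer sends for amazon.com and parses a constructed reply carrying the 52.88.253.183 address quoted above. The reply is assembled locally from sample data, so nothing is sent over the network and the 60-second TTL is simply a chosen value; the thing to notice is that the name you looked up sits in plain text inside the query, which is exactly what a logging DNS provider records.

```python
"""Added example, not The New Oil's code: the DNS query/response exchange in RFC 1035 wire format.
Everything here is built offline from constructed sample data."""
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard A-record query for `name`, the packet a resolver receives."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                                     # root label terminates the name
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A (IPv4), QCLASS=IN
    return header + question


def _read_name(msg: bytes, offset: int):
    """Decode a domain name at `offset`, following compression pointers; return (name, end)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Return the question name and every A-record answer (name, ttl, dotted IPv4)."""
    txid, _flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, offset = _read_name(msg, 12)
    offset += 4                                          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rdlength == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "question": qname, "answers": answers}


def build_response(query: bytes, ipv4: str, ttl: int = 60) -> bytes:
    """Constructed reply a resolver would send for `query` (sample data, not a real lookup)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                                # echo the question section back
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1 (reply), RD, RA
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a pointer back to the name at offset 12, the usual compression trick.
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


def resolve_offline(name: str, ipv4: str):
    """Run the whole exchange locally; returns the raw query and the parsed reply."""
    query = build_query(name)
    return query, parse_response(build_response(query, ipv4))


if __name__ == "__main__":
    query, reply = resolve_offline("amazon.com", "52.88.253.183")
    print("name visible in the query:", b"\x06amazon\x03com" in query)
    print("resolver answered:", reply["answers"])
```

The pointer handling in `_read_name` matters in practice: real replies almost always compress the answer's name back to the question, so a parser that only handles plain labels misreads them.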
The basic principle to take away from this section is that no communication goes straight to its
destination, whether it's a text, phone call, email, Netflix stream, Google search, or what-have-you.
All communications bounce from place to place, sometimes trading hands of companies and
jurisdictions multiple times along the way. Your email to your friend across town might actually
cross continents before arriving, and your text message to your friend in the store next door might
bounce through several cell phone providers’ networks before reaching them. This kind of relaying
ability has made data access ubiquitous and fast in most areas of the developed world, but it also opens
you up to incredible risk in terms of protecting your data in transit: you risk having your data
unknowingly read or copied or even altered by any number of organizations, companies, hackers, or
other people who have access to it along its path, whether legitimate or not.


https://www.thenewoil.xyz/communication.html

Accessed February 19th, 2021.

Most Important: Section Introduction


I have titled this section "Most Important." As the name implies, this section is full of techniques and
services that apply to everyone everywhere (generally speaking). This section is related to issues
like cyber security, identity theft, and mobile devices. This is the kind of stuff I feel confident saying
that if you're reading this, it almost certainly applies to you. Of course, everyone is different, but
honestly if this doesn't apply to you, I'm willing to bet you're the exception.
This section begins by giving some context, explaining how your information gets compromised and
leaked to public or unauthorized places. Then it goes on to give you specific strategies and tools to
protect that information. If you only read one section of this site, I recommend you make it this one.
Doing these few techniques will dramatically improve your security in today's increasingly digital
landscape.
I like to compare this section with infamous serial killer Richard Chase, whom I mentioned in the threat
modeling page. Chase stalked the Los Angeles area between 1977 and 1978. One of the reasons he was
so difficult to catch was because he didn’t have a pattern. He said on record after he was caught that he
would just cruise around neighborhoods until he spotted a house he felt compelled to try. But here’s
what made Chase odd: if the doors and windows were locked, he would go on his way and try a
different house. He didn’t force his way in. If the doors were unlocked, he took that as permission to
kill whoever was inside.
We should all be trying to defend ourselves from the Richard Chases of the digital world. Many people
argue that security is inconvenient. It is. It’s much more convenient to use your daughter’s name and
birth year for every single account password instead of a randomly-generated password. It’s very
convenient to stay logged in or not use multifactor authentication. It’s also inconvenient to have to
unlock your door and open it up whenever you come home, but the amount of security you get from not
leaving your door wide open at all times and using a simple $2 key more than pays for itself. The same
principle applies with information security. Even little things like strong password practices and
multifactor authentication can provide massive security that outweighs the inconvenience, and it
only takes a few weeks or even days for it to become second nature.
This section of the site/book will teach you to lock your digital door. These techniques are not designed
to make you unhackable or untraceable, but they are designed to make you a difficult, annoying target
and make it not worth the malicious actor's time to bother with you so they move on to someone else.


https://www.thenewoil.xyz/most_important.html

Accessed February 19th, 2021.

Understanding Data Breaches


One of the top responses I get whenever I talk about cyber security with somebody is something along
the lines of "eh, I don't think anybody has any reason to hack me." And let's be honest: 99% of the
time, this is true. Rarely is a hacker going to sit down and go "let me use my skills that I spent years
mastering and perfecting just to mess with John Doe that I've never met who might not even have
anything worthwhile." But this train of thought betrays a fundamental misunderstanding of how today's
digital hacking landscape works. Here's how data breaches and modern hacking really work most
of the time:
If you're reading this, I'm willing to bet that you have a Gmail account, or an Amazon account, or an
eBay account, or a Facebook account, or some sort of account on a website with hundreds of
thousands, if not millions, of users. Smart hackers - and skilled ones - target these major companies.
These companies endure anywhere from thousands to millions of attacks every day. The defender
needs to get it right every single time, the attacker only needs to be successful once. Once the attacker
is successful, they steal everything they can: usernames, passwords, card numbers, IP addresses, etc.
Anything the service logs, they take.
It's important to note that usually (but not always) the most sensitive information like passwords and
card numbers is encrypted while things like username and IP address (which betrays your exact
location) are not. This matters because step two is to decrypt whatever information the hacker has
stolen. So if they stole usernames and passwords, they now need to decrypt the passwords only.
Various programs exist - totally legal and for free - to help hackers crack your password.
Password cracking deserves its own explanation. There are two main methods of guessing a password.
The first is called a "dictionary attack." The way these work is that the hacker loads a dictionary
into the software and it checks your password against the dictionary, including common
variations. For example, "P4ssw0rd" is a common variation of "password," so the program will check
for that. Various dictionaries are available for free, including song lyrics, famous names, quotes, and
more. A hacker can even make their own dictionary tailored to you with information like names of
family members, important dates, pets, sports teams, and more. It's as easy as making a text file.
The second method is called a "brute force attack." This is where the hacker specifies a length,
parameters (such as "upper and lower case letters") and the software guesses every possibility. For
example, it may guess "aaaaaa" and if that doesn't work, it tries "aaaaab" and if that doesn't work, it
tries "aaaaac" and so on. Passwords less than six characters, regardless of complexity, can be guessed in
less than a second.


https://www.thenewoil.xyz/data_breaches.html

Accessed February 19th, 2021.

Data Breach Defense: Strong Passwords


The single most important thing you can do to protect your accounts is to use strong, unique
passwords that are not reused anywhere. Every account you have should have a unique, strong
password. I discussed in the Understanding Data Breaches section how passwords can be stolen in an
encrypted format from a service's database. So what makes a password "strong"?
A strong password should consist of sixteen or more characters consisting of upper and lower case
letters, numbers, and special characters, and should not be reused anywhere. This, of course, means that
your password is impossible to remember. Also, as mentioned in Understanding Data Breaches, weak
passwords can be quickly and easily cracked through a variety of methods. The solution to this
paradox is to use a password manager.
A password manager is a program or service that allows you to record login information such as
username, password, login link, and other information that varies from service to service. This database
is stored in such a way that makes it reasonably secure from data breaches. The advantage of this
service is you only ever need to remember one password: the password to log in to your password
manager, which should ideally be a passphrase.
A passphrase is a series of words rather than a single word. A good passphrase should be at least five
random words. That means that quotes aren't a good idea. The good news is, if you're using a
passphrase as a master for your password manager, you only need to memorize that one passphrase.
And five words, even random words, are much easier to remember than a complex password. A good
passphrase has the potential to take upwards of hundreds of years to brute force or guess.
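As an added illustration of the arithmetic behind both the cracking methods described in "Understanding Data Breaches" and the passphrase advice above (example code written for this edition, not The New Oil's), the block below does two things: it reduces a candidate password to the base word a dictionary attack's "common variations" would match and rejects it if that word is on a small constructed list, and it estimates how long exhaustive guessing takes for a character password versus a five-word passphrase. The attacker rate of one billion guesses per second and the 7,776-word list size are assumptions; real rates differ by orders of magnitude depending on how a service stored its passwords, which is why a longer password or passphrase, not a cleverer spelling, is the defence.

```python
"""Added example, not code from The New Oil: the arithmetic behind strong passwords.

Assumptions (labelled): an offline attacker guessing 1e9 passwords per second, and
passphrases drawn from a 7,776-word list (the size of a standard diceware list).
"""
import math
import re
import string

# Constructed mini-dictionary standing in for the wordlists a cracker would load.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "iloveyou", "dragon", "monkey"}

GUESSES_PER_SECOND = 1e9          # assumed attacker speed; real figures vary widely
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_WORDS = 7776             # 6**5 words, a standard diceware list

# Common character substitutions ("P4ssw0rd") that a dictionary attack also checks.
_LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(candidate: str) -> str:
    """Reduce a password to the base word a dictionary attack would match:
    lower-case it, drop trailing digits/symbols ("Password123!"), undo leet spellings."""
    base = re.sub(r"[^a-z]+$", "", candidate.lower())
    return base.translate(_LEET)


def is_dictionary_word(candidate: str) -> bool:
    """True when the password is only a variation of a known common word."""
    return normalize(candidate) in COMMON_PASSWORDS


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attack must cover for this password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def brute_force_seconds(length: int, charset: int) -> float:
    """Worst-case time to try every string of `length` characters over `charset` symbols."""
    return charset ** length / GUESSES_PER_SECOND


def passphrase_entropy_bits(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n random words: each word contributes log2(wordlist size) bits."""
    return n_words * math.log2(wordlist_size)


def passphrase_years(n_words: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Worst-case years to exhaust every n-word passphrase at the assumed guess rate."""
    return wordlist_size ** n_words / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Summarise a password the way the page's advice would judge it."""
    if is_dictionary_word(password):
        verdict = "reject: dictionary word with common variations"
    elif len(password) < 16:
        verdict = "weak: shorter than sixteen characters"
    else:
        verdict = "ok: use it once, stored in a password manager"
    size = charset_size(password)
    return {
        "password": password,
        "dictionary_variant": is_dictionary_word(password),
        "charset": size,
        "brute_force_seconds": brute_force_seconds(len(password), size),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ("abc12", "P4ssw0rd", "Tr0ub4dor&3", "xK9#mQ2$vL7@pW4!"):   # constructed samples
        print(assess(pw))
    print("five diceware words: %.1f bits, roughly %.0f years to exhaust"
          % (passphrase_entropy_bits(5), passphrase_years(5)))
```

Under these assumptions a five-character mixed-case alphanumeric password falls in under a second, matching the page's claim, while five random diceware words take on the order of nine hundred years to exhaust; a sixteen-character random password from the full printable set is far beyond either.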
In today's landscape where privacy is becoming a growing concern, password managers are a dime a
dozen. The most important thing is to look for a service that claims to be "zero knowledge," or
put another way "we can't see your passwords." A good provider will ensure that your password
database is encrypted in such a way that no employee of the company can see your passwords and
information. Remember: if they can see it, so can a hacker who gains access.
You should also consider whether or not cloud-based services are right for you. Cloud-based
services offer incredible convenience, but you also run the risk that the provider is lying about not
being able to see your passwords or the risk that a hacker will download your database and then have all
the time in the world to guess your master password, just like they would on any other account they
steal passwords for. Using a strong master passphrase as mentioned above, this shouldn't be an issue.
On the other hand, locally-stored databases run the risk of getting deleted, lost, or corrupted if you don't
keep reliable backups.
Note: There are dozens of password managers, even open source ones. For the purposes of this site and
to avoid having my readers drowned with too many options, I have narrowed down a handful of
choices. I picked only open source options, I ignored forks, I picked services that are still maintained
and updated, and I picked services that are reputable and have appeared on either best-of lists or
frequently get mentioned in the privacy community.

Product/Service | Pros | Cons
Listed in alphabetical order, not order of recommendation

Bitwarden
Pros:
• Audited
• Available on all operating systems
• Can be self-hosted
Cons:
• Cloud-based

KeepassXC
Pros:
• Available on all operating systems (Android & iOS forks here)
• Not cloud based
• Has a feature to remind users to change passwords at intervals of the user's choice
Cons:
• Not audited

Getting Started
I suggest you stop what you're doing immediately and adopt secure passwords for your most
critical accounts. Bank, email, and other accounts you can't afford to live without. Do it right now
before you do anything else.
For the rest of your accounts, there are two main ways to go about it. The first is "all at once." Basically,
clear out an afternoon when the kids are at the movies and the spouse is out with their friends and
change everything all in one sitting. This isn't a bad idea, but it can be exhausting and mind-numbing.
For most people, I recommend the "as you go" approach where you change passwords as you use
them. For example, next time you log into Amazon, change your password. Then, next time you order
pizza, change that password. In time every account will have a unique, strong password.

Tips & Tricks


Password managers typically include a note-taking section. This is a great spot to take notes like MFA
backup codes, answers to security questions, or other account-specific details you want to remember.
A common strategy for added account security is to give false answers to security questions. For
example, a common security question is "what is your father's middle name?" This kind of information
is easy to find online. A hacker could call the bank posing as you, answer the question, and transfer all
your funds out of your account. Instead of the true answer, answer with a passphrase and record it in
the notes section.


https://www.thenewoil.xyz/passwords.html

Accessed February 20th, 2021.

Data Breach Defense: Multifactor Authentication


Another powerful thing a person can do to protect their online accounts is to use multi-factor
authentication. According to Microsoft, this one technique can stop up to 99.9% of unauthorized
account accesses.
Multifactor Authentication (also known as MFA, Two-Factor Authentication, or 2FA) is a system that
requires additional steps beyond username and password to log in to a given account. The most
common form of MFA is the SMS text: you log into a site, they text you a code, you enter the code on
the next screen, and now you access your account. This is useful because with MFA, even if a hacker
were to gain access to your login credentials, they would still need access to your physical device
to complete the login process.
When picking an MFA solution, the most important thing is to look for something you will use
consistently and won't interfere negatively with your life. If you need the ability to log into your
account from any computer at any given time, a hardware key may not be your best bet.
Hardware authentication keys, such as the Yubikey, Librem Key, and other similar devices, are
physical devices that plug into your computer and act as a hardware multifactor authentication option.
They are great additional security, but aren't very durable and may not be a good choice for a laptop or
a person who needs to be able to access things remotely. Likewise, these keys require you to put extra
thought into your backups (ex "what if I lose this?") It is worth noting, though, that hardware keys are
incredibly secure. It's how companies like Google have managed to avoid major data breaches so well
in the past, because they can't be remotely hijacked the way that other forms can.
Generally speaking you should try to avoid SMS 2FA whenever possible because it is relatively easy
for a malicious actor or hacker to hijack your phone number in any number of ways and therefore receive
the incoming 2FA text, defeating the purpose of 2FA and rendering the extra step useless. Use SMS if
nothing else is available, but try to use something else if you have the option. The order of
recommended 2FA methods from strongest to weakest is hardware keys, software apps, push
notifications, SMS/Email. Software apps will be the sweet spot for most people.

Product/Service | Pros | Cons
Listed in alphabetical order, not order of recommendation

Aegis Authenticator
Pros:
• Open source
• Offers backups
• The vault can be encrypted (optional)
• Available on F-Droid
Cons:
• Android only

andOTP
Pros:
• Open source
• Offers backups
• Available on F-Droid
Cons:
• Android only

Authenticator
Pros:
• Open source
• Supports time-based and counter-based passwords
Cons:
• iOS only

FreeOTP
Pros:
• Open source
• Android and iOS
• OTP codes are hidden until the user clicks on them, adding a small layer of additional security
• Available on F-Droid
Cons:
• The program is sponsored and maintained by Red Hat, which was purchased by IBM. Some users may
be put off by corporate involvement.

FreeOTP+
Pros:
• Open source
• Backups available
• Search feature
Cons:
• Android only
• Not available on F-Droid

Tofu
Pros:
• Open source
• Search function available to quickly and easily find the desired OTP code
Cons:
• iOS only


Getting Started
MFA can typically be enabled under the "Security" settings of your account, though it may sometimes
be under a similar but different setting such as "Login" or "Account." It also sometimes goes by other
names such as "two-step login" or "Authenticator App." Stop reading right now and go enable MFA
on your important email account(s). Seriously, right this second. If I hack your email account that
you use for banking, for medical communication, or for other critical things, I can lock you out and
take over your life. All I have to do is hit that little button that says "forgot password" and have them
email me a reset link. So you need to secure your important email accounts first and foremost.
My preferred strategy for implementing MFA on existing accounts is to start by enabling it on every
critical account first - email, banking, work accounts, etc. Take the time right now to decide what
accounts you absolutely cannot afford to lose access to and sit down and knock those out right now. For
less critical accounts like your personal Twitter or game accounts, I recommend you enable it next time
you use it. The idea of sitting down and knocking out hundreds of accounts at once is daunting, so
instead I advocate an "as you go" strategy to avoid being overwhelmed. Before you know it, you'll have
enabled it everywhere offered.

Honorable Mention: Hardware Tokens


As I mentioned above, for most people software apps will provide the best blend of security and
usability. However, for those who require additional protection - or simply want to go the extra mile -
many hardware keys exist that provide maximum protection at very little additional cost to user-
friendliness. Some of the more common and recommended hardware keys include Yubikey, OnlyKey,
and LibremKey. Each offers different features but all will provide roughly the same level of protection.
Note: I recommend purchasing two of whatever product you decide on and keeping the second as a
backup.

Tips & Tricks


Most sites have an option during the second login screen to "remember this device for 30 days" or
something similar. This will keep you logged in without requiring your MFA code for the indicated
amount of time. I'm not opposed to this, but make sure that you're not enabling this on a public
computer, family computers, or a computer that stays unlocked often. Only use this option on personal
computers that you don't leave unattended.
When you sign up for MFA, most sites will issue you backup codes. Be sure to write these down
somewhere safe in case you lose your MFA device; it will save a lot of time and headache. I
recommend saving them in the notes section of your password manager.
Some password managers offer the ability to store your MFA key with a little extra work to make your
login process easier and more centralized. This can be helpful if you're sharing accounts with someone
(a family member, for example) or if you just want to rely on your phone less. However, be aware of
the risk: by putting your password and two-factor code in the same place, you're creating a single point
of failure. Make sure you're taking extra precautions if this is the path you decide to take.
Many websites will explicitly list "Google Authenticator" as a two-factor option, but don't let this fool
you. Any software authenticator app listed on this page (and many others) will work just fine.
Some apps offer the ability to backup your two-factor database, sometimes even in the cloud. As
someone who has lost their two-factor database before, I understand the appeal of this. But be aware of
the risks. 1) Anything stored in the cloud has the risk of becoming exposed either through a data breach
or a rogue employee if the service is not zero-knowledge. Do your research and make sure you've
accepted this risk. 2) If the backup requires a password, be sure to use a strong password, or else it will
be easily cracked as discussed in the "Understanding Data Breaches" section.


https://www.thenewoil.xyz/mfa.html

Accessed February 20th, 2021.

Data Breach Defense: Payment Masking


In the Christian Bible, Jesus said, "Where your treasure is, there your heart will be also." Put another
way, "show me your bank statement and I'll tell you what matters most to you." Your bank and/or
card issuers are selling your transaction data to data broker companies, who use this information
to figure out things like your income, net worth, and what you're likely to buy. They can correlate this
data with marketing campaigns to figure out how to better sell you things. They can also correlate
things like where you live based on the geographic areas you spend money. And of course, I need not
tell you that credit card information on the internet is highly vulnerable to being stolen in a data
breach. Protecting your transactions is a critical part of protecting both your privacy and security.
Fortunately, this is quite easy to do.

Cash
Step one is to use cash whenever possible. The advantages of cash are numerous. For one, cash has
been proven to help people spend less, so it'll save you money. Another is that it keeps you from
overspending by removing the possibility. One common fear is that by carrying cash you make yourself
a target for mugging. Frankly, this is ridiculous. Criminals don't have x-ray vision. They don't know if
you're carrying credit cards, cash, or how much.
My strategy is to figure out how much cash I'm likely to need during any given pay period - gas,
groceries, entertainment, etc - and withdraw that amount at my local ATM. Of course I am giving away
a general location of where I live by doing that, but all my other transactions remain private. How
much I drink can't be used against me in health insurance quotes in the future, nor can how much I
drive be determined based on my gas purchases, or any other number of invasive facts about my private
life. Additionally, I never have to worry about my card being skimmed at a machine.

Online Payments
Of course, cash can't be used everywhere, primarily online. In those situations, you have a variety of
options. If you live in the United States, I recommend Privacy.com (non-referral link). The service
is free, they make their money from transaction fees from the vendor at no cost to you (just like a
normal credit card would), as well as a premium tier of services and features. The service links to your
bank account and allows you to create digital debit cards that can be limited by total, month, per-transaction,
or one-time use (or unlimited, if you so choose). The cards link to the vendor they're used
at, so for example if you use a card on Amazon and Amazon suffers a data breach, the card can't be
used anywhere else. It's essentially useless to the hacker. Likewise, since each vendor will require a
unique card, a stolen card number doesn't require you to cancel your card, get a new one, and
painstakingly update every service you use. Just cancel the one and update it with almost no disruption
to your daily life. For European readers, Michael Bazzell mentions Revolut, although this service does
seem to come with a flat monthly fee. One of my Canadian contributors also mentioned PayAware.
They cautioned me that it does not allow for false information the way Privacy.com does but it's still a
way to safely use an online card without risking your regular card.
Some people may not be comfortable giving their bank information to a third party, or may live in a
country where Privacy.com doesn't operate. In those situations, I would recommend using pre-paid
gift cards or Visa vanilla gift cards, paid for in cash. You also have a variety of pre-paid digital
options. Among the ones I would recommend are MySudo, Abine Blur, Neteller, and for European
readers Kevin Mitnick suggests ViaBuy (Neteller should also work in Europe). Note that none of these
options, including Privacy.com, is actually as private as cash. Somewhere along the line
a trail has been created that, with enough effort, can be traced back to you, so don't use this as an
excuse to do anything illegal. This is purely to throw off automated tracking systems and protect your
card number from being stolen in a data breach.

Bitcoin & Cryptocurrencies


A few years ago, Bitcoin exploded in popularity in the media when the value rose dramatically. While
I'm not necessarily opposed to Bitcoin and other forms of cryptocurrency, I don't think the average
person needs to pay much attention to them. For one, contrary to mainstream media portrayals,
Bitcoin is not 100% private or anonymous by its design either. It takes a lot of work and effort to
set up an anonymous Bitcoin wallet and to use it in a way that maintains that anonymity. Generally
speaking, I think cryptocurrencies are fun, and I'm very much of a fan of the idea of decentralized,
government-free currencies. I also think it's a good idea to diversify your money. However, I would
caution one against getting too interested in Bitcoin. At this time, it's a hobby and an ideology more
than a practical thing. I wouldn't put too much money into it for a variety of reasons.


https://www.thenewoil.xyz/payments.html

Accessed February 20th, 2021.

Identity Theft: Freezing Your Credit


Freezing your credit is something every American should do. Hard stop. Period. End of story. And if
you have kids, do it for them, too. It literally costs nothing.
Freezing your credit is exactly what it sounds like: you sign up for a credit freeze, they send you a PIN
(don't lose this PIN), and then nobody can open an account without your PIN. It's like multifactor
authentication for your credit. As an added bonus, they send you a letter whenever your credit changes,
such as adding an address or an account inquiry. Freezing your credit must be done individually
with each credit bureau: Equifax, Experian, and TransUnion. As I said, each one will issue you a PIN;
don't lose it.
Unfortunately it doesn't stop there. Some people have discovered that one can work around a freeze
with enough cleverly-gathered information, so make sure to place a fraud alert as well, which adds yet
another layer of security to your credit. While freezes last indefinitely, fraud alerts need to be placed
once every year, so make sure to set a reminder. The good news is, they only need to be placed with
one agency, which passes the alert on to the others, so that cuts your work to a third.
If you think this sounds like a lot of unnecessary work, then clearly you're lucky enough to have never
been the victim of identity theft. No matter how bad your credit, I promise I can find someone willing
to open a high-interest credit card in your name, and then I can sell whatever I buy from them and I
don't have to worry about the interest rate or payments because I don't plan to honor them. Now it's on
you to go through the headache of proving that it wasn't you, and I promise you it's a nightmare.


https://www.thenewoil.xyz/credit.html

Accessed February 20th, 2021.


Securing Mobile: Introduction
Mobile devices - specifically smartphones - are the cutting edge of surveillance technology. They're
miniature super computers that live in your pocket everywhere you go. They track your movement,
your communications, your content intake, your interests (via the apps you download and sites you
visit), and in some cases they even track your health or sleep habits. Most of us use a phone as an alarm
clock, right?
It goes much deeper though. Imagine if your phone got lost. Imagine a stranger picking up your
phone and checking it. Maybe they're a good person trying to get it back to its owner. Maybe they're not.
They can see your bank app on the front page, maybe even access your account just by opening it. They
can read all your texts and scroll through your pictures. They can even check your web history or map
history. Losing your phone is more than an inconvenience, it's a massive personal risk.
How can we minimize this surveillance and maximize our security? The biggest step would be to
become less reliant on your phone. Going somewhere you already know? No need for navigation,
leave it at home. Going shopping? Take a physical shopping list written on a piece of paper. Using an
encrypted messenger like Signal? Use it on desktop.
But try as we might, sometimes our phones are unavoidable. We need them when going to a new or
unfamiliar place or while working off-site, etc. So the next best step is to minimize the data
collection. In this sub-chapter, I'm going to share settings, apps, and other advice for both iOS and
Android that can be changed to maximize your privacy settings.
Before I dive into that, let me answer the age-old question: Android vs iOS? Androids are popular in
the privacy community because certain models can be flashed with a different operating system,
fundamentally altering the phone and reducing data collection. But for this site, I'm going to be
discussing the stock, unaltered operating system. In this scenario, I'd recommend the iOS device for
one simple reason: superior security. Because iOS devices are manufactured in-house with very little
variation between the hardware, pushing out updates is incredibly easy.
Android devices, on the other hand, are made by a wide variety of manufacturers with various different
components, meaning every time a new update gets released it must be delivered to the manufacturers
first so they make it work with the various devices before pushing it out. (Source) Additionally, the
Apple store has a better vetting system for apps. It seems like a few times a month I read a new story
about a malicious app (or scores of them) being removed from the Google Play store. Malicious Apple
app removal is significantly more rare. Not impossible or unheard of, but much more rare.
I also want to add that I highly discourage you from ever jailbreaking your phone or putting it into
developer mode unless you plan to flash a different operating system onto it, in which case you're
probably too advanced for this site. Compromising a phone like that disables many of the security
features, prevents you from getting security updates, and generally makes you significantly more
susceptible to malware. Just play with the settings that are already in the phone.

https://www.thenewoil.xyz/mobile.html

Accessed February 20th, 2021.

Securing Mobile: Settings


iOS 14
• Apple ID: Password & Security: Two-Factor Authentication: On
• Apple ID: iCloud: Disable everything
• Apple ID: Find My: Share My Location: Off
• Wi-Fi: Ask to Join Networks: Off
• Wi-Fi: Auto-Join Hotspot: Off
• Cellular: SIM PIN: Create a custom PIN
• Bluetooth: Off unless needed.
• Notifications: Show Previews: Never
• General: Software Update: Automatic Updates: On
• General: AirDrop: Off unless needed, then restricted to contacts.
• General: AirPlay & Handoff: Disable everything unless needed
• General: Background App Refresh: Off
• Display & Brightness: Auto-Lock: the shortest option you can reasonably put up with. Do not
set it to leave the screen turned on.
• Touch ID & Passcode: Use Touch ID For: iPhone Unlock: Off
• Touch ID & Passcode: iTunes & App Store: Apple Pay: Off
• Touch ID & Passcode: iTunes & App Store: Password AutoFill: Off
• Touch ID & Passcode: Turn Passcode On: Try to set a password if possible, otherwise use a six-
digit PIN
• Touch ID & Passcode: Require Passcode: Immediately
• Touch ID & Passcode: Allow Access When Locked: the fewer the better
• Touch ID & Passcode: Erase Data: Enabled (Beware of this setting, make sure you understand
it).
• Siri & Search: Disable everything completely
• Exposure Notifications: Disable unless required or you want to opt-in.
• Privacy: Location Services: Disable for everything except navigation apps, and set those to
"While Using"
• Privacy: Location Services: System Services: Disable all (trust me, it won't cause any problems)
• Privacy: review all the other settings and make sure apps only have access to the settings they
actually need. Otherwise, disable them. Disable as many as you can without breaking the app
functionality.
• Privacy: Analytics & Improvements: Share iPhone Analytics: Off
• Privacy: Analytics & Improvements: Improve Siri & Dictation: Off
• Privacy: Analytics & Improvements: Share iCloud Analytics: Off
• Privacy: Advertising: Limit Ad Tracking: On
• Privacy: Advertising: Reset Advertising Identifier
• Safari: Search Engine: DuckDuckGo
• Safari: Search Engine Suggestions: Disabled
• Safari: Safari Suggestions: Disabled
• Safari: Quick Website Search: Off
• Safari: Preload Top Hit: Off
• Safari: Autofill: Use Contact Info: Off
• Safari: Autofill: Credit Cards: Off
• Safari: Frequently Visited Sites: Off
• Safari: Block Pop-Ups: On
• Safari: Close Tabs: After One Day
• Safari: Prevent Cross-Site Tracking: On
• Safari: Fraudulent Website Warning: On
• Safari: Check for Apple Pay: Off
• Finally, scroll back to Screen Time: Content & Privacy Restrictions: Enable, and set every
setting to "Don't Allow." This will ensure that Apple doesn't make any changes to your privacy
settings automatically when updating the OS.

Android 9.0
NOTE: Due to the nature of Android devices, the exact layout of the menu may vary from device to
device, but here's how the Samsung Galaxy 8+ worked:
• Connections: Bluetooth: Off
• Connections: NFC and payment: Off
• Connections: More connection settings: Nearby device scanning: Off
• Connections: More connection settings: printing: default print service: Off
• Connections: More connection settings: Private DNS: Try one from PrivacyTools.io's list
• Notifications: (select app): In-app notification settings: Show: Name only or No name or
message
• Lock screen: Screen lock type: Try to set a password if possible, otherwise use a six-digit PIN
• Lock screen: Smart Lock: Don’t enable
• Lock screen: Secure lock settings: Lock Automatically: Yes
• Lock screen: Secure lock settings: Lock Automatically: Auto factory reset
• Lock screen: Secure lock settings: Lock Automatically: lock network and security: On
• Lock screen: Secure lock settings: Lock Automatically: Show lockdown options: Off
• Lock Screen: Contact information: Leave this blank unless you have a good reason not to
• Biometrics and security: No biometrics at all
• Biometrics and security: Find My Device: I recommend no unless you're prone to losing your
devices
• Biometrics and security: Secure folder: Couldn't hurt, but up to you
• Biometrics and security: Secure startup: Enable
• Biometrics and security: Encrypt SD Card: Yes
• Biometrics and security: Privacy: Location: Off (If you need it on for certain apps, then enable
it but disable location permissions in all the apps that don't need it)
• Biometrics and security: Privacy: App permissions: Go through each app and reevaluate their
permissions
• Biometrics and security: Privacy: Send diagnostic data: Off
• Biometrics and security: Other security settings: Set up SIM card lock
• Biometrics and security: Other security settings: Security policy updates: Auto update
• Accounts and backup: Backup and restore: Back up my data
• Advanced features: Send SOS messages
• Advanced features: Emergency mode
By enabling all of these settings, you are significantly reducing the amount of tracking and data
collection these devices handle. Keep in mind that you're not completely eliminating it, but you're
reducing as much as you reasonably can.


https://www.thenewoil.xyz/settings.html

Accessed February 20th, 2021.

Securing Mobile: Replacement Apps


Stock App | Alternatives | Reason

Web Browser
• Alternatives: For Android: Brave, DuckDuckGo, or Firefox + the plugins recommended in the next
section. For iOS: Safari + the changes in the previous section.
• Reason: Your browser is often your mobile gateway to random searches such as "when does
Starbucks close" or "what is the capital of Ecuador". While it's probably not too revealing compared to
other phone apps like your messages or your bank account, it still helps paint a more complete picture
of you as a person, so you should protect your browsing information.

Navigation
• Alternatives: OsmAnd Maps
• Reason: Navigation apps like Google Maps, Waze, or Apple Maps all record everywhere you go and
add that location history to your profile. While using an alternative navigator won't stop your phone
from tracking your location, location tracking isn't always very accurate, especially if your phone's
WiFi is turned off. This means using alternative navigation apps can help reduce the accuracy of
location data that is stored on you. Instead of knowing exactly what store you went to downtown, they
can only tell the general block you were on.

Calendar
• Alternatives: Nextcloud, EteSync, Tutanota
• Reason: Your calendar might be the most revealing piece of information about you. It contains all
your plans and locations: upcoming dates, shifts at work, events you plan to attend, and more. Would
you be comfortable handing all that over to a total stranger so they can stalk you in advance? Use an
encrypted calendar instead.

E-Mail
• Alternatives: Encrypted email provider of your choice
• Reason: Please see the "Encrypted Messaging" page for more information on this subject.

Text Messenger
• Alternatives: Encrypted messaging provider of your choice
• Reason: Please see the "Encrypted Messaging" page for more information on this subject.

Firewall & Content Blocker (none included by default)
• Alternatives: Lockdown (iOS), NetGuard (Android), Adguard DNS (Android, iOS)
• Reason: Phone firewalls are designed to stop apps from contacting unnecessary servers. For
example, many apps contact Facebook or Google when you fire them up, often giving those
companies information like the device and timestamp. This makes even using your apps quite
revealing. Some of these firewalls may require you to tweak them for optimal performance and
effectiveness.

I encourage you to remove as many unused or infrequently used apps from your phone as possible.
Mobile apps are proven to be a security risk, so the more unnecessary apps you have, the more you're
putting yourself at risk. If you don't use it often or at all, just delete it. Additionally, if your phone is
stolen and unlocked, having sensitive apps like work email and banking can offer immense
insight into your life and risks allowing further abuse or theft. Just skip the headache altogether
and remove as many apps as you can live without.


https://www.thenewoil.xyz/apps.html

Accessed February 20th, 2021.

Privacy: Securing Your Browser


Your browser is your gateway to the internet in most cases, and therefore is worth securing properly.
Generally speaking, on the user end, most of them operate roughly the same, so it's worth making the
switch if one can offer you significantly more privacy or security.
Currently Chrome is the favorite browser of most frequent internet users, but I would argue this is a
mistake. Chrome is very fast and secure, but it's basically just spyware, even going so far as to turn on
your microphone and eavesdrop on you while you browse. Other popular browsers include Safari and
Edge, as well as a few niche browsers like Opera and Vivaldi. Instead, you can get almost identical
performance and security with a massive improvement in privacy by switching to Firefox. In this
section, I'm going to walk you through some setting changes and plugins you can set up in Firefox to
improve your privacy and security. While it may not seem as important as freezing your credit or
payment masking, securing your browser will change almost nothing in your day-to-day life but
will offer an immense amount of privacy and security in return, therefore I consider this to be a
critically important and worthwhile step.

Disclaimers
Before I go any further, I'm sure some of my more experienced users will ask why I recommend
Firefox and not Waterfox, Iceweasel, or any number of other Firefox variations. The answer simply
comes down to security updates. Firefox will receive important security updates faster than a
downstream variation such as Waterfox. Other experienced users will ask why I don't recommend
Brave (see below), Ungoogled Chromium, or regular Chromium. There are several answers. For one,
personal ethics. I think competition and decentralization makes the world a better place. For another,
ease of use. Not including Brave, Chromium and Ungoogled Chromium are both very difficult to set up
on a mainstream operating system like Mac and Windows. Not to mention they also suffer the same
downstream security delay as Waterfox and Iceweasel. And of course, let's not forget that Firefox-based
browsers allow you to edit the about:config, meaning that more experienced users will have more
control over the customization and privacy of their browser. Even though I don't cover this on my site,
my hope is that my readers will eventually outgrow this site and make those changes in the future.
I also want to take a moment to acknowledge Mozilla's imperfection. Below in my "Honorable
Mention: Brave" section, I mention that Brave has made some questionable business choices. I want to
be fair and not gloss over the fact that Mozilla has also drawn some heat from the privacy community.
They regularly draw criticism for making their telemetry opt-out rather than opt-in, but personally I
find the most troubling incident to be the fact that they pay their CEO over $3 million USD per year as
a salary and yet are struggling to be financially solvent. This strikes me as very irresponsible, and it
jeopardizes the future of the entire project. There are other, nitpicky complaints, but I won't list them all
here. The point is, I want to be transparent and fair to everyone: I recommend Firefox because they get
security patches faster than any of the forks and because I believe it is the most flexible and can be
made the most private compared to a Chromium-based browser. This is not to say Mozilla is the ideal
company or that I support everything they do, but I believe it is the best option we currently have.

Plugins
Let's start with plugins. I think this is where users will get the most bang for their buck. Let's begin by
installing uBlock Origin, a powerful, lightweight ad- and tracker-blocker. Ads may seem like a minor
inconvenience to you, but actually misleading ads are a common method of delivering malware and
tracking. There is even such a thing as "drive-by malvertising," where malicious ads can infect
your computer without you even clicking on anything, as well as a recent rash of malware being
implanted via social media sharing buttons, so it’s best just to block them altogether (and it makes
your browsing experience much more pleasant). Once installed, open the plugin and open the settings.
Be sure to enable "Prevent WebRTC from leaking local IP addresses" and "Block CSP reports." Now
click on the tab “Filter lists” and enable everything under “Built-In,” “Ads,” "Privacy," “Malware
domains,” “Annoyances,” and "Multipurpose." I would also recommend checking the "Regions,
languages" section if you live outside North America and enable for your location, too.
If you've taken my advice to use Firefox, the next plugin to install is going to be Firefox Multi-Account
Containers. This one is going to require much more work to set up, but it will be worth it. The
basic idea of Containers is that cookies are isolated to the container they were set in, so a site in one
container can't see the cookies from another, which prevents cross-site tracking. How you decide to set
it up is completely up to you, but here are some tips I recommend: first, I
recommend grouping combined accounts together. For example, Gmail and YouTube rely on the same
account, so I would simply create a single "Google" container and set it to open all Google sites in that
container. Second, I encourage you to find lists of subsidiary companies owned by the big five data
collecting tech companies and group them together. For example, IMDB is owned by Amazon, so I
would set IMDB to open in my Amazon container. Third, I recommend setting up your search engines
in a single "search" container so that your random searches are all contained to that single container,
even if you click on any links and navigate away. Finally, I recommend creating containers for any
individual leftover sites that you frequent. For most people, containers are very helpful and once
configured will cause little or no problems and provide extensive protection. I also recommend you
install Temporary Containers to catch the things that your configured containers will miss.
The next plugin is LocalCDN. LocalCDN intercepts requests for common third-party libraries, such as
jQuery served from Google's or Microsoft's CDNs, and serves a local copy instead. These
third party libraries and CDNs can be used to track you, so this plugin helps to reduce tracking. If all
that went over your head, just know that this blocks a large number of trackers without any
configuration or interaction required on your end. Just install it and let it run.
The next plugin, ClearURLs, is a plugin that removes tracking links from URLs that you share. One of
the many ways that companies track people on the internet is with tracking links. For example, if I send
you a link on Facebook, that link contains a bunch of useless crap that exists only to tell Facebook
about you: what device you opened the link with, your IP address, your operating system, apps that
were installed, and much more. This plugin helps to automatically remove many of those junk links and
strip them down to only the necessary parts, helping respect the privacy of your friends as you share
with them.
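As an added example of what "strip them down to only the necessary parts" means in practice, here is a small JavaScript function that removes known tracking parameters from a link and reports what it dropped. This is my own illustration, not code from ClearURLs or from The New Oil, and its parameter list is a hand-picked subset of widely used tracking keys, not the extension's rule set. It assumes Node.js (for the WHATWG `URL` class).

```javascript
// Added example, not part of The New Oil or the ClearURLs project.
// Strips well-known tracking parameters from a URL and keeps the rest.
// The lists below are a hand-picked subset of common tracking keys, not
// the extension's rule set.

// Parameter names that exist only to track the click (matched case-insensitively).
const TRACKING_PARAMS = new Set([
  "fbclid",  // Facebook click id
  "gclid",   // Google Ads click id
  "dclid",   // Google Display click id
  "msclkid", // Microsoft Ads click id
  "yclid",   // Yandex click id
  "igshid",  // Instagram share id
  "_hsenc",  // HubSpot
  "_hsmi",   // HubSpot
  "mkt_tok", // Marketo
]);

// Prefixes used by whole families of tracking keys (utm_source, utm_campaign, ...).
const TRACKING_PREFIXES = ["utm_", "mc_", "pk_", "mtm_"];

function isTrackingParam(name) {
  const key = name.toLowerCase();
  return TRACKING_PARAMS.has(key) || TRACKING_PREFIXES.some((p) => key.startsWith(p));
}

// Returns { url, removed }: the cleaned URL and the names of the parameters dropped.
// Input that is not an absolute URL is returned unchanged rather than guessed at.
function cleanUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { url: rawUrl, removed: [] };
  }
  const kept = new URLSearchParams();
  const removed = [];
  for (const [name, value] of url.searchParams) {
    if (isTrackingParam(name)) {
      removed.push(name);
    } else {
      kept.append(name, value); // functional parameters (ids, page numbers) survive
    }
  }
  // Assigning an empty string clears the query entirely, so no dangling "?" is left.
  url.search = kept.toString();
  return { url: url.toString(), removed };
}

// Clean every link inside a block of text, e.g. a message you are about to share.
function cleanLinksInText(text) {
  return text.replace(/https?:\/\/[^\s<>"']+/g, (link) => cleanUrl(link).url);
}

// Constructed sample input (the tracking values are made up for this example).
const SAMPLE = "https://example.com/article?id=42&utm_source=newsletter&utm_medium=email&fbclid=AbC123#top";
console.log(cleanUrl(SAMPLE));
console.log(cleanLinksInText("read this: " + SAMPLE));
```

The `removed` list is the interesting part for a reader: it shows exactly which pieces of a shared link existed only to report back on the recipient. A real extension also needs per-site rules, because some sites use otherwise innocent-looking parameters for tracking, which is why the plugin ships with a maintained rule set rather than a fixed list like this one.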
The final plugin will only be installed if you are not using Firefox 83 or later. You can check which
version you're using under the "General" page of your browser settings. HTTPS Everywhere is a plugin
that forces websites to use secure connections whenever possible. Once it finishes installing, click on it
and enable "Encrypt All Sites Eligible." You can still access insecure sites with this setting enabled,
but it’ll bring up a big warning page first, which allows you to make the decision over whether or not
it’s worth the risk. Over 87% of the internet uses HTTPS, so this warning page should be very rare. As
such, this is also, in my opinion, the least important plugin to have but it's nice to know when a site is
trying to redirect you somewhere insecure.
Settings
Settings are probably just as important as plugins. Start by going to Options. On the first tab,
“Options,” scroll all the way to the bottom where it says “Network Settings.” Open these by clicking
the gray “Settings” button, scroll to the bottom, and check the box that says “Enable DNS over
HTTPS," then choose "NextDNS" if the option is available (Cloudflare is fine if not). Click “Okay”
then go down to the "Search" tab on the left. Under "Default Search Engine," select "DuckDuckGo,"
then uncheck "Provide search suggestions." I also recommend removing all the other search engines
listed under "One-Click Search Engines." Please resist the urge to stick with Google search as a
default, Google is one of the top privacy offenders and they will collect and store all your searches and
use them to build a profile about you. Finally, visit the “Privacy & Security” tab on the left. The first
section is “Enhanced Tracking Protection.” Click the third option, “Custom,” and set Cookies to “All
third-party cookies,” set Tracking content to “In all windows,” and turn on Cryptominers and
Fingerprinters. Finally, at the bottom, under "HTTPS-Only Mode" click "Enable HTTPS-Only Mode in
all windows."
There are also a lot of usage-reporting settings that are enabled by default. These statistics are reported
to Mozilla for the purpose of improving the browser. However, if you are uncomfortable submitting
that data - and I totally understand - you can disable it in several ways. First, under the "General" tab,
scroll all the way down to "Browsing." Make sure to uncheck "Search for text when you start typing,"
"Recommend extensions as you browse," and "Recommend features as you browse." In the "Home" tab,
uncheck "Top Sites" and "Highlights." Finally, under "Privacy & Security," under "Firefox Data
Collection and Use," uncheck everything.
That's it. We're done, we've created a reasonably secure browser, and to top it off, this concludes the
"Most Important" section of the book/site. If you've done all this, you can rest easy knowing you've
made yourself a fairly difficult target to compromise digitally and moved yourself into the top
tier of private and secure internet users.

Honorable Mention: Tor Browser


The Tor Browser is actually a very common daily browser for many privacy enthusiasts for a few
reasons. If you're unfamiliar with Tor, check out this link. The Tor browser routes only your browser
traffic through the Tor network and not all app traffic, which is probably a good thing anyways if you're
using an operating system like Windows or Mac. The telemetry those operating systems send back
home can quickly identify you and undo the anonymity benefits of Tor. Because Tor comes pre-packaged
with HTTPS Everywhere and a more advanced content blocker called NoScript, it has the
same potential to block ads and trackers as a modified Firefox browser. The Tor Browser also isolates
each tab and changes your relay path with every new website you visit to help further protect your
anonymity. I think using the Tor Browser as your main browser is a great idea, but keep in mind
that many legitimate websites such as banking and e-commerce sites block known Tor addresses to
prevent abuse and fraud, so you'll want to keep a copy of Firefox on hand as well for when that
happens. Additionally, it should go without saying, but using the Tor Browser alone does not make you
truly, 100% anonymous, so don't do anything illegal. Finally, because all nodes are volunteer-run and
therefore work on an "honor system," be sure to check that any site you log in to or transfer personal data
across is using HTTPS and is the actual, real site.

Honorable Mention: Brave Browser


Sometimes people require a Chromium-based browser for any number of reasons. Or alternately,
sometimes people need an easy-to-set-up tool. I tried my best to pick only the most essential settings
and plugins above, and to explain them as easily as possible. However, in some cases you may want a
browser that you can just install on a friend's or family member's machine and let it handle itself. In
these situations, the Brave browser is worth a mention.
Brave is a Chromium-based browser that comes with built in ad-blockers, as well as various technical
improvements that attempt to hide your browser fingerprint. The reason I don't recommend this
browser by default is because they do have a history of ethically questionable business practices.
However, despite this, it would be remiss of me to discredit their user-friendliness and ability to protect
users who aren't tech-savvy enough to do it themselves. I encourage the use of Brave as a last resort
or as a secondary Chromium-based browser.


https://www.thenewoil.xyz/browser.html

Accessed February 20th, 2021.

Moderately Important: Section Introduction


Section two of this site/book is titled "Moderately Important." These are things that are pretty
important, but not "drop everything and do it right now" important. This section pertains mostly to data
tracking and privacy and offers some concepts, tools, and tips to protect your privacy. As we sadly
learned in the 2016 Cambridge Analytica scandal, data collection can easily be abused for more than
just targeted advertising. It can easily be abused to sway entire populations of people to vote in ways
they wouldn't normally vote and change entire courses of history on a macroscopic level. Protecting
your privacy isn't just about not being swayed by an advertisement, it's about protecting yourself from
literal mind control and oppression.
The section starts by explaining metadata and encryption, the two most important concepts in data
protection and privacy. It then goes on to discuss data backups, their importance, and some practical
advice. Then it offers some advice on how to make your desktop computer environment more privacy
friendly. Finally, it moves on to encrypted messaging, which is - in my opinion - one of the most
exciting parts of privacy, and offers some advice on steps you can take to improve mobile device
privacy.
Once again, it bears repeating that this section will not make you anonymous or unhackable, but it
will help you outsmart a lot of the "unconscious surveillance" I mentioned in Understanding
Surveillance. It will help protect you from bots that read your emails and texts, from location-scraping
apps and services, and from being a victim of bad luck and ill preparation.
https://www.thenewoil.xyz/moderately_important.html

Accessed February 20th, 2021.

Understanding Metadata
Earlier on the site, I cited a statistic that 87% of the web is encrypted. This means that when you visit,
say, Facebook, your Internet Service Provider (ISP) can see that you visited and how long you hung
out for, but they can’t see your login credentials (username and password) or which exact pages you
went to. This is done with the use of Transport Layer Security, or TLS, a powerful and increasingly
popular encryption protocol used online. It’s quite effective and difficult to break.
So in effect even the average person has - generally speaking - a basic level of powerful security in
their online lives (which is why I listed installing HTTPS Everywhere as "Most Important"). This begs
the question that privacy enthusiasts everywhere have come to despise like nails on a chalkboard: “why
should I care?” If your sensitive details such as password and credit card number are safely encrypted,
who cares if your ISP or the Starbucks IT guy can see what websites you visit? (Spoiler alert: the
introduction.)
For starters, because TLS breaks down at the end point. When you connect to Amazon, your ISP can
see that you visited Amazon, but not what you bought or your card number. Amazon, however, can see
it all without restriction. But more importantly, often you don't need to see the content itself to start
making powerful and dangerous inferences.

What is Metadata?
This information in question is called “metadata,” sometimes described as “data about the data.”
Maybe I can’t see exactly what you said in your email, but I can see who you emailed, what time, and
the size of the email. And on the surface it doesn’t seem so bad. Who cares if you know that I emailed
my mom at 7pm and the email was 7KB?
As is the case with most privacy and security concerns in the modern era, the problem isn’t so much
what’s collected but rather how it has the potential to be used. Take this excellent article from the
Electronic Frontier Foundation, for example. A couple examples they list of metadata that has the
potential to be too revealing include:
• They know you called a gynecologist, spoke for a half hour, and then called the local Planned
Parenthood's number later that day. But nobody knows what you spoke about.
• They know you got an email from an HIV testing service, then called your doctor, then visited
an HIV support group website in the same hour. But they don't know what was in the email or
what you talked about on the phone.
• They know you called the suicide prevention hotline from the Golden Gate Bridge. But the
topic of the call remains a secret.
(Lifted directly from EFF's Surveillance Self Defense page)
As you can see, metadata has the potential to be just as revealing as content itself, and therefore
should be protected just as much as the actual data. You might say to yourself, “You said potential
abuse, do you really think that’s likely?” The answer is absolutely, 100% without a doubt, not-
just-being-paranoid: "yes." China is already notorious for their incredibly invasive, 1984-like “Social
Credit System.” The United States is starting to implement the use of your social network in insurance
industries. Oh, and the United States is working on their own “Social Credit System” too. So yeah,
metadata is an important part of your attack surface that you need to consider as you protect your
privacy and security.

So What to Do?
There's no surefire or one-size-fits-all solution to protecting your metadata. It depends, as with
most things on this site, on what you're using and who you're trying to hide from. It's safe to assume
that any digital action creates metadata, so if your threat level is high enough, don't trust any digital
medium. This is one reason that Edward Snowden chose to deliver his documents in person. However,
if it is safe or necessary to use digital communications, there are two general methods of handling
metadata: ephemeral and obfuscation.
Ephemeral metadata refers to metadata that is not logged and therefore - in theory - goes away
after a certain period of time. For example, reputable VPN providers and messengers delete metadata
very quickly and only use it as needed to make the service work. This is desirable but should not
always be trusted. For example, a sophisticated enough adversary can watch your traffic in real time
and record the metadata before it even goes to the service provider or log the metadata the provider
collects before it disappears. This is unlikely unless your threat level is very high, but it is possible.
Instead, ephemeral metadata should be used in conjunction with obfuscation of metadata.
Obfuscation of metadata refers to metadata that has been changed to give off false or misleading
information. A good example is using a VPN or Tor browser to access a website: the website now
thinks your IP address is that of the VPN provider or exit node. However, this is actually much
trickier than it first appears and requires a more expanded knowledge of the types of metadata
collected. For example, some apps and sites might collect your MAC address. On computers these
are fairly easy to randomize and manipulate. On phones, not so much. So even if you use a VPN on
your phone, your phone's IMEI - a unique number that can't be changed similar to a serial number or
MAC address - is often still be collected by multiple apps, thereby identifying your phone across each
service. This is one reason I encourage using your phone as little as possible. You also have to consider
other permanent identifiers, such as usernames. If two usernames are repeatedly communicating with
each other on a service, even if the IP and content change that log of communication can still be
revealing. This is where ephemeral metadata comes back into the picture: a service that doesn't keep
logs won't have records of two services communicating. Again, this is all very complicated and requires
a lot of thought.
Most of us probably don’t need to be 100% anonymous for any reason, but it's a good idea for us to
protect our metadata just as much as our actual communications whenever possible. I wish I had
some concrete advice, but instead it simply comes down to asking yourself “what metadata am I giving
up and to whom?” Using a VPN means you’re transferring a considerable amount of your metadata away
from your ISP and over to your VPN provider. Assuming you use a reputable, trustworthy VPN
provider, that’s a good strategy. Encrypted emails are the same thing. Many of these companies will
surrender what they can if given a warrant, but reputable companies rarely have much to turn over
aside from a few login locations and times. It’s a multi-layered approach but it’s one worth considering
until technology can catch up to protect our metadata by default.
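As an added illustration (my own example code, not part of The New Oil), here is what a provider that keeps email metadata can reconstruct about a user from nothing but sender, recipient, time and size, and how much of that survives a short retention window, the "ephemeral" approach described above. All addresses and log records are constructed sample data, and the function names are my own.

```python
"""What a metadata log alone reveals, and what a retention window leaves behind.
Added example, not code from The New Oil. All data below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed metadata log: (timestamp, sender, recipient, size in bytes).
# No subject lines and no bodies: exactly the fields the text says stay visible.
SAMPLE_LOG = [
    ("2021-02-01T19:02:00", "me@example.org", "mom@example.net", 7_168),
    ("2021-02-01T19:40:00", "mom@example.net", "me@example.org", 3_200),
    ("2021-02-03T08:15:00", "me@example.org", "clinic@example.com", 12_400),
    ("2021-02-03T08:52:00", "clinic@example.com", "me@example.org", 45_000),
    ("2021-02-03T09:10:00", "me@example.org", "support-group@example.com", 2_048),
    ("2021-02-08T19:05:00", "me@example.org", "mom@example.net", 6_900),
    ("2021-02-15T19:11:00", "me@example.org", "mom@example.net", 7_300),
    ("2021-02-16T22:30:00", "me@example.org", "clinic@example.com", 1_100),
]


def parse(log):
    """Turn the ISO timestamps into datetime objects; keep the other fields as-is."""
    return [(datetime.fromisoformat(ts), s, r, n) for ts, s, r, n in log]


def contact_profile(log, person):
    """Who `person` exchanges mail with, how often, how much, and at what hour.
    Returns {contact: {"messages": int, "bytes": int, "hours": [int, ...]}}."""
    profile = defaultdict(lambda: {"messages": 0, "bytes": 0, "hours": []})
    for when, sender, recipient, size in parse(log):
        if person not in (sender, recipient):
            continue
        other = recipient if sender == person else sender
        profile[other]["messages"] += 1
        profile[other]["bytes"] += size
        profile[other]["hours"].append(when.hour)
    return dict(profile)


def weekly_routine(log, person, contact):
    """Weekdays (0 = Monday) on which `person` writes to `contact`.
    Timestamps alone are enough to expose a standing routine."""
    return Counter(when.weekday() for when, s, r, _ in parse(log)
                   if s == person and r == contact)


def linked_contacts(log, person, minutes):
    """Groups of different contacts reached within `minutes` of each other.
    The EFF's 'email from a testing service, then a call, then a support site'
    example is exactly this kind of cluster, and it needs no content at all."""
    events = sorted((when, r if s == person else s)
                    for when, s, r, _ in parse(log) if person in (s, r))
    clusters, current = [], []
    for when, other in events:
        if current and when - current[-1][0] > timedelta(minutes=minutes):
            clusters.append(current)
            current = []
        current.append((when, other))
    if current:
        clusters.append(current)
    result = []
    for cluster in clusters:
        contacts = list(dict.fromkeys(other for _, other in cluster))  # dedupe, keep order
        if len(contacts) > 1:
            result.append(contacts)
    return result


def retained(log, now_iso, days):
    """Ephemeral metadata: a provider that discards records older than `days`
    has only these left to hand over under a warrant or to lose in a breach."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=days)
    return [rec for rec in parse(log) if rec[0] >= cutoff]


if __name__ == "__main__":
    me = "me@example.org"
    for contact, info in contact_profile(SAMPLE_LOG, me).items():
        print(f"{contact}: {info['messages']} messages, hours {sorted(set(info['hours']))}")
    print("Mondays to mom:", weekly_routine(SAMPLE_LOG, me, "mom@example.net"))
    print("linked within an hour:", linked_contacts(SAMPLE_LOG, me, 60))
    print("records left after 7-day retention:",
          len(retained(SAMPLE_LOG, "2021-02-20T00:00:00", 7)))
```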


https://www.thenewoil.xyz/metadata.html

Accessed February 20th, 2021

Understanding Encryption
Encryption is basically using a code to hide your data. For example, when you were young, you may
have used a hidden language to pass notes to your friends in class. Maybe A=1, B=2, etc. Or maybe
you even drew your own unique symbols. Those are, technically, a type of encryption. Weak
encryption, but still encryption nonetheless. More modern encryption protocols, like Signal and AES,
are significantly more advanced, but at its root the concept is the same: we’re replacing easily
understood words with complex substitutes and – in a perfect world – you can only figure out
how to turn them back into the easily understood words with a “key,” which explains the code. In
the grade school example I gave earlier, the “key” is knowing that A=1, B=2, and so forth. In more
advanced software encryption, the key is your password or passphrase. This is, of course, a
tremendously high-level overview that dramatically oversimplifies things, but it gets the basic point
across.
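To make the "key" idea concrete, here is the A=1, B=2 note code from above as a small Python program (an added example, not code from The New Oil), together with the two points the text makes: why it counts as weak encryption, and how real software derives a key from a passphrase instead. The function names and the constructed salt are my own.

```python
"""The grade-school letter code as a keyed cipher, versus a passphrase-derived key.
Added example, not code from The New Oil."""
import hashlib
import string


def make_key(shift=0):
    """The note-passing key: a letter -> number table. shift=0 is A=1, B=2, ...
    Any other shift gives a sibling code (A=2, B=3, ...), so there are only
    26 possible keys in total."""
    return {c: (i + shift) % 26 + 1 for i, c in enumerate(string.ascii_uppercase)}


def encode(plaintext, key):
    """Replace each letter by its number; letters joined by '-', words by ' '.
    Non-letters are dropped, as they would be in a passed note."""
    words = []
    for word in plaintext.upper().split():
        nums = [str(key[c]) for c in word if c in key]
        if nums:
            words.append("-".join(nums))
    return " ".join(words)


def decode(ciphertext, key):
    """Turn the numbers back into letters. This only works with the right key."""
    inverse = {n: c for c, n in key.items()}
    return " ".join("".join(inverse[int(n)] for n in word.split("-"))
                    for word in ciphertext.split())


def brute_force(ciphertext, crib):
    """Try every one of the 26 keys and stop at the first output containing
    `crib`, a word the note is expected to contain. This is why the text calls
    the code weak encryption: the whole key space fits in a for loop."""
    for shift in range(26):
        candidate = decode(ciphertext, make_key(shift))
        if crib.upper() in candidate.split():
            return shift, candidate
    return None


def passphrase_key(passphrase, salt, iterations=200_000):
    """What 'the key is your password or passphrase' means in practice: a slow
    key-derivation function (PBKDF2-HMAC-SHA256 here) stretches the passphrase
    into a 256-bit key. The same passphrase and salt always give the same key,
    which is what lets the owner decrypt; any other passphrase gives an
    unrelated key, and there are 2**256 possible keys instead of 26."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


if __name__ == "__main__":
    note = encode("Meet at the bridge", make_key(3))
    print("passed note:", note)
    print("guessed key and message:", brute_force(note, "the"))
    # Constructed salt; real software stores a random salt next to the data.
    key = passphrase_key("correct horse battery", b"constructed-salt")
    print("256-bit key from passphrase:", key.hex())
```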
Encryption is a central concept in this section and privacy in general, specifically what’s called
“End-to-End Encryption” or “E2EE” (also sometimes called zero-knowledge). Technically a majority
of the internet is encrypted when using HTTPS. Additionally, most services and websites offer at least a
basic level of encryption when it comes to things like saving passwords, credit card information, and
even sending messages. The thing is, those types of encryption only work against outsiders. Facebook
messages, for example, are encrypted to anyone outside of Facebook. Google can’t read them, the
random hacker can’t read them, but Facebook employees can read them as if you sent it to them. E2EE
defeats this. E2EE messages can ONLY be read by you and the recipient, provided you used the
service correctly. Even the provider can’t read them. For example, if both you and the recipient are
using ProtonMail to email each other, Proton can’t read your emails.
Encryption, however, is not limited simply to your communications. Encryption can be used on your
various devices to protect them when not in use. I briefly mentioned encrypting your mobile devices in
the last section, but in this section I'll talk more about encrypting your other devices.


https://www.thenewoil.xyz/encryption.html
Accessed February 20th, 2021.

Protection: Device Encryption


Encrypting phones is easy. iPhones are encrypted simply by activating the passcode lock feature.
Android devices are encrypted via the settings, which I listed in my recommended settings changes.
Encrypting other devices is a little difficult.
First off: priorities. I recommend putting emphasis on encrypting devices that are easily capable of
travel, whether they travel or not. Phones should be encrypted as they get lost and stolen constantly
and contain tons of sensitive information like banking apps, emails, messages, and more. Phones are
critically important and should always be encrypted. Next would be laptops, even if you don't travel
with them. It's easy for a thief to pick them up and take off with them, so they should be encrypted. The
same logic goes for external harddrives and backups. Finally, desktop computers. Encryption is literally
free, so I recommend encrypting everything, just be careful not to lose your password or else you're in
trouble.
Mac devices come with a proprietary encryption program called FileVault. This is relatively secure and
should work for most people. Some Windows devices also come with an easy-to-use proprietary
service called “BitLocker” that should work for those who have it. But if you want to go a step further,
or if you have a Windows device without BitLocker, then I recommend VeraCrypt. Veracrypt is a free,
open source software that allows various forms of encryption. For devices like computers and external
harddrives, you'll want to use "full disk encryption," meaning that the entire device is encrypted
completely.

Using Veracrypt
In this paragraph I'll talk you through how to encrypt an external device using Veracrypt. In the future
I hope to add a section on full-disk encryption, but until I'm able to get that, try this video tutorial.
To encrypt an external device, run Veracrypt, go to the "Volume Creation Wizard" under the Tools
menu, and select "Encrypt a non-system partition/drive." Pick "Standard VeraCrypt Volume," then
"Create encrypted volume and format it." Please be aware: this will wipe all the data already on your
drive, so I recommend only using this with a fresh, empty drive. Finally, make sure the algorithms are
set to AES and SHA-512, select a good password on the next screen, then pick your file system format.
If you're only using Windows systems, NTFS is the best choice. If you plan to switch between various
operating systems like Mac or Linux, then exFAT is the better choice, but keep in mind exFAT can't
support files over 4GB. After making this choice, simply continue on and follow the prompts
accordingly.
NOTE: while installing Veracrypt, you will be asked to create a "recovery USB." I highly encourage
you to do so and to store it somewhere safe. Even something as simple as a routine update has the
potential to go wrong and the only way to recover your data will be to decrypt the drive using this
USB.


https://www.thenewoil.xyz/devices.html

Accessed February 20th, 2021.

Protection: Backups
Backups are probably not a foreign concept to most of us. Even if we don't keep them ourselves, we've
heard of them, had them preached at us, and kicked ourselves for not keeping them when our
computer suddenly dies unexpectedly or our phone finds its way into the wash.
To develop good backup habits, first you need to decide how much space you need. If you're only
worried about backing up important text files and financial documents, you probably don't need more
than a few gigabytes. If you'll be backing up videos and pictures, you'll want something more in the
hundreds of gigabytes or few terabytes range.
Next, you'll need to decide how often you need to back up and how far back you need to keep
your backups. This will play a part in deciding your storage size. Even if your one-time backup is
small, keeping weekly copies can add up quickly. Decide if you want to keep a specific amount of
backups (ex: six months' worth of weekly backups) or just the most recent however-many it can hold
(or less), with the oldest ones being deleted to make space for the newest ones.
Third, you'll need to decide if a cloud-based or a local storage solution is better for you. Clouds
have the advantage of being safe from local disasters: burglaries, fires, etc. If your home gets robbed or
floods, a cloud will probably be unaffected by that. But on the other hand, you do run the risk of data
breaches, or the service disappearing one day without warning if you pick a smaller, newer service.
Finally, come up with a system. Windows and Mac have features that allow you to automate the
backup process including frequency, which files to include, and where to store them. Mobile devices
will have to be backed up manually. These are fine systems to put in place, just remember to make sure
your encrypted storage location is unlocked if encrypted so the backup is able to take place. If you
decide to manually handle your backups, be sure to set regular reminders so you don't forget.
The 3-2-1 Rule
The 3-2-1 Rule is a good rule of thumb when considering how to organize your backups effectively.
You should have 3 copies of your data - 2 backups plus your daily-use copy. You should have 2
separate formats for your backups - such as an external harddrive and a cloud copy. Finally, you should
have 1 of those copies offsite - again, a cloud copy or a USB at a friend's house - in case of physical
damage or disaster at your location.
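As an added example (mine, not The New Oil's), here are the two retention strategies described above (keep a fixed age of backups, or keep as many recent ones as the disk holds) and a check against the 3-2-1 rule, written in Python over a constructed set of weekly backups. The class and function names are my own.

```python
"""Backup retention and a 3-2-1 check. Added example, not code from The New Oil.
The backup set at the bottom is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Backup:
    taken: date
    size_gb: float
    medium: str      # e.g. "external_hdd", "cloud", "usb"
    offsite: bool    # stored away from home (cloud, a friend's house, ...)


def keep_recent(backups, today, max_age_days):
    """'Six months' worth of weekly backups': drop anything older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((b for b in backups if b.taken >= cutoff), key=lambda b: b.taken)


def keep_what_fits(backups, capacity_gb):
    """'The most recent however-many it can hold': newest first, stop at the
    first one that no longer fits; everything older is deleted to make space."""
    kept, used = [], 0.0
    for b in sorted(backups, key=lambda b: b.taken, reverse=True):
        if used + b.size_gb > capacity_gb:
            break
        kept.append(b)
        used += b.size_gb
    return sorted(kept, key=lambda b: b.taken)


def three_two_one_gaps(backups):
    """Return the parts of the 3-2-1 rule this backup set does not satisfy.
    An empty list means: at least 2 backups (3 copies counting the daily-use
    one), on 2 different media, with at least 1 of them offsite."""
    gaps = []
    if len(backups) < 2:
        gaps.append("fewer than 2 backup copies")
    if len({b.medium for b in backups}) < 2:
        gaps.append("backups are not on 2 different media")
    if not any(b.offsite for b in backups):
        gaps.append("no offsite copy")
    return gaps


# Constructed example: eight weekly 40 GB images on a 200 GB external drive,
# plus one cloud copy of the most recent image.
TODAY = date(2021, 2, 20)
WEEKLY = [Backup(TODAY - timedelta(weeks=i), 40.0, "external_hdd", False)
          for i in range(8)]
CLOUD = Backup(TODAY, 40.0, "cloud", True)

if __name__ == "__main__":
    print("fit on 200 GB:", [b.taken.isoformat() for b in keep_what_fits(WEEKLY, 200.0)])
    print("younger than 30 days:", [b.taken.isoformat() for b in keep_recent(WEEKLY, TODAY, 30)])
    print("drive only:", three_two_one_gaps(WEEKLY))
    print("drive + cloud:", three_two_one_gaps(WEEKLY + [CLOUD]))
```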

Using Veracrypt to Secure Your Backups


If your backup solution is a local hard drive, I discussed using Veracrypt in the previous section to
encrypt your device. But what if you want to create a secure cloud backup? My first
recommendation would be Sync or SpiderOak's One Backup. Both are end-to-end encrypted services
similar to Dropbox. Sync offers a free tier with 5 gigabytes of space, while One Backup costs $6 USD
per month for 150 gigabytes of space. However, neither of these services is open source. A better
solution is to self-host a Nextcloud server (or find a privacy-respecting provider) that's end-to-end
encrypted (sometimes called "zero knowledge") so you can control the data yourself on a trusted, open
source platform. Because Sync and One Backup are not open source and because Nextcloud self-
hosting is not always feasible, I will provide a solution for more mainstream services.
Generally speaking, I would advise against using Google Drive, Dropbox, Apple iCloud, or similar
services simply because they can see that you have an encrypted container in your storage space, and
we don't know if someday they'll decide to take an anti-encryption stance and delete it or your account.
Furthermore, Google Drive and Apple iCloud use weak encryption standards in some cases. Sync
and SpiderOak, allegedly, can't see your files and therefore are unlikely to be swayed into action based
on what's in your account. But if for some reason you decide to stick with another non-privacy-oriented
service, I have two suggestions. The first is Cryptomator, an open source tool that allows you to encrypt
each individual file and sync it with the cloud. It works for Google Drive and Dropbox, and is generally
well-regarded in the privacy community. If you aren't using one of those services or otherwise don't
want to use Cryptomator, then consider the following strategy:
First, figure out how much storage you have. Google Drive offers 15 gigabytes for free, Apple iCloud
offers 5 gigabytes for free, and Dropbox offers 2 gigabytes for free. Next, make sure you have installed
the service's file sync application. This is typically an app that will create a folder on your computer,
and that folder acts as a real-time sync between your account and your computer. It's designed to make
working directly from the file in your account effortless.
Now open up Veracrypt, select the "Tools" menu, and choose "Volume Creation Wizard." Pick "Create
an encrypted file container," "Standard VeraCrypt Volume," then click "Select File" and navigate to
your Google Drive or Dropbox folder. Once in the folder, you'll have to make up a nonexistent file
name. Anything works, from "Backup" to "veracrypt_container" or whatever you want. Once you hit
"save," it should show you the file path. Continue onward, make sure you've selected "AES" and "SHA-512"
for your algorithms (these are the default so you shouldn't have to adjust it), and then move on. The
next screen will ask you for a volume size. Ideally, I would say use as much as you can. If you use your
Dropbox or Google Drive for other sharing purposes, maybe leave a gigabyte or so free for that, or
maybe only use the exact amount of space you require for your backup strategy. Either way, decide
what storage size is appropriate for you, then go to the next screen where it requires a password. From
there, it's pretty self explanatory. Just answer the questions and it will pick the best formats and such for
you.
If you follow these steps, you should have created secure, consistent backups that will protect you
in the event of a lost, stolen, or damaged device, or even the dreaded ransomware.


https://www.thenewoil.xyz/backups.html
Accessed February 20th, 2021.

Privacy: Securing Computers


It's a sad fact that just like cell phones, stock operating systems like Windows and Mac track their users
to an excessive degree. Not to pick on them unfairly, but Windows 10 is by far the worst offender.
However, you shouldn't assume that using Mac is the better option.
In a perfect world, the best option is Linux. Linux is an open-source operating system with dozens of
variants, each offering their own unique set of features. Most Linux distributions are very private and
secure compared to Windows and Mac by default, though some place additional emphasis on privacy
or security. I recommend Debian in most situations. It has the most support, it is built on open-source
freeware, and it can support the most programs that users of mainstream software have come to rely
on. At the very least, I recommend it as a starting point to get used to Linux and explore the world of
alternative operating systems. However, other distributions worth noting are Linux Mint (if you want a
more Windows-XP feel) and Fedora (apps may not work as smoothly on Fedora, but Fedora's security
is significantly better than Debian's).
However, I realize that not everybody has the luxury of switching to Linux for any number of
reasons, such as needing a mainstream OS for your job or being in possession of a device that is
technically not yours and therefore you can't make such changes to. In those situations, I have listed a
set of recommended settings for both Windows and Mac that I encourage you to change to make your
device a little more private and secure.

Mac OS: Catalina


• General: Default web browser: Firefox
• Siri: Enable Ask Siri: Off
• Touch ID: Don’t use
• Security & Privacy: General: Require password immediately after sleep or screen saver begins
• Security & Privacy: General: Disable automatic login
• Security & Privacy: General: Allow apps downloaded from: App Store and identified
developers
• Security & Privacy: FileVault: Turn On FileVault
• Security & Privacy: Firewall: Turn On Firewall
• Security & Privacy: Privacy: Evaluate app settings
• Software Update: Automatically keep my Mac up to date
• Bluetooth: Turn Bluetooth Off
• Keyboard: Dictation: Off
• Sharing: Off
• Time Machine: Back Up Automatically
• Time Machine: Select Backup Disk
• Avoid setting up the machine with an Apple ID if possible
• Advanced users who want more granular control and feel comfortable making extreme changes
may want to look into Little Snitch.
• Advanced users are encouraged to set up DNSCrypt.

Windows 10
• System: Shared experiences: Share across devices: Off
• Devices: Typing: Everything off
• Devices: AutoPlay: Off
• Phone: Do not link
• Network & Internet: Use random hardware addresses: On
• Apps: Startup: Go through each app and see if you need it to start automatically when the
computer does. If not, disable it. This will help your computer boot faster
• Accounts: Use a local account when possible, when signing up on a new computer, disconnect
internet to force local account
• Accounts: Sign-in options: Require sign-in: When PC wakes up from sleep
• Accounts: Sign-in options: Password: Use a passphrase
• Accounts: Sign-in options: Privacy: Show account details on sign-in screen: Off
• Privacy: General: All off
• Lock Screen: Contact information: Leave this blank unless you have a good reason not to
• Privacy: Diagnostics & feedback: Diagnostic data: Basic
• Privacy: Diagnostics & feedback: Improve inking & typing recognition: Off
• Privacy: Diagnostics & feedback: Tailored experiences: Off
• Privacy: Diagnostics & feedback: Activity history: All off
• Privacy: Diagnostics & feedback: Location: Location service: Off
• Privacy: Diagnostics & feedback: Camera: Check permissions
• Privacy: Diagnostics & feedback: Microphone: Check permissions
• Privacy: Diagnostics & feedback: Account info: Allow apps to access your account info: Off
• Privacy: Diagnostics & feedback: Contacts: Allow apps to access your contacts: Off
• Privacy: Diagnostics & feedback: Calendar: Allow apps to access your calendar: Off
• Privacy: Diagnostics & feedback: Call history: Allow apps to access your call history: Off
• Privacy: Diagnostics & feedback: Email: Allow apps to access your email: Off
• Privacy: Diagnostics & feedback: Tasks: Allow apps to access your tasks: Off
• Privacy: Diagnostics & feedback: Messaging: Allow apps to access your messages: Off
• Privacy: Diagnostics & feedback: Radios: Let apps control radios: Off
• Privacy: Diagnostics & feedback: Other devices: Communicate with unpaired devices: Off
• Privacy: Diagnostics & feedback: Background apps: Off
• Privacy: Diagnostics & feedback: App diagnostics: Off
• Privacy: Diagnostics & feedback: Documents: Allow apps to access your documents library:
Off
• Privacy: Diagnostics & feedback: Pictures: Allow apps to access your picture library: Off
• Privacy: Diagnostics & feedback: Videos: Allow apps to access your video library: Off
• Privacy: Diagnostics & feedback: File system: Allow apps to access your file system: Off
• Update & Security: Windows Security: Open Windows Defender: Security Center: Virus &
Threat Protection: Firewall & Network Protection: All firewalls on.
• Download WindowsSpyBlocker and run it. Select option 1 "Telemetry," then option 1
"Firewall," and finally options 1 and 2, "Add extra rules," "Add spy rules." After that's done,
type "back" to go back to the previous menu, then select option 2 "NCSI," then select either
option 2 or option 3, "Apply Debian NCSI" or "Apply Firefox NCSI."
• Download DNSCrypt. I recommend using Simple DNSCrypt for most users. So click that link,
download the .msi(x64 Installer). Install it, then launch it when done. Under "Main Menu:
Configuration" ensure all boxes are checked. In the settings (the gear icon in the top right)
ensure "Start SimpleDNSCrypt in tray" and "Check for updates on startup" are checked.
• Advanced users who want more granular control and feel comfortable making extreme changes
may want to look into W10Privacy.
By enabling all of these settings, you are significantly reducing the amount of tracking and data
collection these devices handle. Keep in mind that you're not completely eliminating it, but you're
reducing as much as you reasonably can.

Good Practices for Any OS


By default, both Mac and Windows will create an administrator account when you sign up. After
signing up, create a second non-admin account and use that as your main account. This makes it
harder for programs to be installed without your knowledge and reduces the risk of malware and
viruses getting installed.
Personally, I think third-party antivirus software has become unnecessary. Using a good ad
blocker and good online habits is generally enough to keep any generic malware off your device.
Unless someone is targeting you specifically, this is usually enough. However, both Windows and
Mac come with built-in antimalware that I encourage you to make use of. On Windows it's
called Defender. While Microsoft's antivirus used to be a joke in the past, experts now agree that the
modern Defender is quite powerful and will protect you from most mainstream threats. Macs come
with XProtect. Viruses on Linux are relatively rare because of the small market share, technical skill
of the user base, and many variations, but if you desire more protection there as well you'll have to
download third-party software as most distributions don't come pre-packaged with antimalware.
ClamAV is considered the most desirable.
Even with all the plugins, tweaks, and changes we've made to the operating system and the browser,
sometimes tracking and garbage files still get through. Cleaning out these files will not only protect
your privacy and security, but improve your computer's performance. My first recommendation is
the open source software BleachBit. This is a powerful program that securely deletes your unused files,
removes errors from the registry, and fixes broken shortcuts among other things. BleachBit is not a
difficult program to use, but if you need something a little more intuitive and user-friendly, there is the
proprietary CCleaner, which offers all the same features as BleachBit plus a few. I recommend
BleachBit because CCleaner has had a few hiccups in the past, but if you find BleachBit overwhelming
or confusing then CCleaner is an acceptable alternative.
Just as with phones, I encourage you to keep your computer as clean of apps and files as possible.
Obviously sometimes this is either impossible or just not a reasonable request. You may choose to keep
family photos or video games. But, for example, use your browser instead of an app to access Netflix
or Hulu. I also encourage you to get rid of files you no longer want or need, such as photos of exes or
documents you downloaded once so you could print them off. While these types of things shouldn't
really be an issue if you keep your devices encrypted, why risk it?
Keep in mind that forensic software can still often recover "deleted" items so if you have anything you
want gone for good, be sure to perform a disk wipe which is offered by both Bleachbit and CCleaner.
Don't do disk wipes on Solid State Drives as this will shorten their lifespans.


https://www.thenewoil.xyz/desktop.html

Accessed February 20th, 2021.


Privacy: Encrypted Messaging
"Encrypted Messaging" is a bit of a misnomer. These days, all messages
are encrypted (except SMS text messages), but the service provider (Google, Facebook, etc) has the
keys to decrypt your messages and can read them if they want to or are ordered to by a warrant. In the
context of this site, "Encrypted Messaging" refers to "End-to-End Encrypted" or "E2EE" Messaging.
E2EE Messaging means messaging protocols that can only be read by the people involved in the
message. The messages are encrypted in between sender and receiver so spies and eavesdroppers can't
read them, even the company hosting the service, the device manufacturer, or cell service provider. In
this section I'm going to break up encrypted messaging into two subsections: instant messaging,
and email.

Encrypted Instant Messaging


Encrypted instant messaging is meant to replace regular SMS to provide you and the people you're
talking to with a secure, real-time communication method. Why protect your day-to-day texts?
Regular SMS text messages can be read by anyone who intercepts them at any point along their
journey, even amateurs. Even private messaging services like Facebook and Snapchat can be read by
employees of the company.
There are also horrifying devices known as IMSI-catchers, or "Stingrays" after the leading manufacturer.
In the US, these devices are on the rise and increasingly popular with law enforcement agencies and
criminals all over the country. These are small, mobile devices that emulate cell towers and - without
knowledge or consent from the user - capture the content of your phone calls and text messages if you
are in range, even if you're not the target of them. This can include sensitive information, which the
police are not obligated to discard even if it is irrelevant to their investigation. These devices can be
easily and legally purchased by anyone with a few hundred dollars.
Furthermore, in late 2018 the FCC gave cell carriers new powers in an effort to curb spam and robo
calls, and the poor wording of the law allows carriers to block or alter messages entirely at will.
When deciding on an encrypted messaging service, the most important thing is to make sure the
person you're contacting is using the same service as you. These services only work if both parties
are using the same encryption system.
Note: Avoid WhatsApp. WhatsApp is owned by Facebook, who has a notoriously abysmal privacy
record. WhatsApp is notorious for collecting metadata, which is often just as harmful as the content
itself.

Product/Service: Pros and Cons
Listed in alphabetical order, not order of recommendation

Matrix
Pros:
• Open source
• Completely Free
• Available on all operating systems
• Can be bridged to communicate with other services such as Slack, Telegram, Signal, Discord,
Facebook, and more.
• Does not require any personally identifiable information to sign up, allowing for anonymous
accounts
• Decentralized
• Can be self-hosted
Cons:
• Not audited
• Does not automatically attempt to hide or resist metadata

Session
Pros:
• Open source
• Completely Free
• Available on all operating systems
• Sign-up is forcibly completely anonymous
• Designed to be metadata resistant
• Decentralized
Cons:
• Not audited
• Very early project, still under active development so expect some bugs and glitches
• Recently removed multi-device support until they can work out more bugs.
• Allegations have been made of the developer's connection to and active support of the alt-right
community.

Signal
Pros:
• Open source
• Completely Free
• Available on all operating systems
• Incredibly easy to set up
• Audited
• Does not log metadata
Cons:
• Uses phone number as a username
• Based in the United States
• Centralized
• Signal has come under fire recently for a number of ethically questionable business practices

Telegram
Pros:
• Partially Open source
• Supports usernames, allowing you to not reveal your phone number to others
• Available on all operating systems
Cons:
• Based in the United Kingdom
• Not Audited
• Partially Open source
• Centralized
• Does not attempt to obfuscate metadata
• Messages are not encrypted by default, and group messages cannot be encrypted at all
• Requires a phone number to set up (even if it's not public)
• Stores your keys

Threema
Pros:
• Open source
• Audited
• Username-based
• Based in Switzerland
Cons:
• Centralized
• No free tier
• No desktop app, web only

Wire
Pros:
• Open source
• Audited
• Supports usernames, allowing you to not reveal your phone number to others
• Available on all operating systems
Cons:
• Based in the United States
• Centralized
• Stores a limited amount of metadata to fight fraud
• Has been known to change the terms of service without notifying users.

XMPP
Pros:
• Open source
• Supports usernames, allowing you to not reveal your phone number to others
• Available on all operating systems
• Decentralized
Cons:
• Does not support phone or video calls in most cases
• Not as user friendly as any of the other solutions on this list
• Does not automatically attempt to hide or resist metadata

Encrypted Email
Why encrypt your inbox, especially since most other people don't? Email providers like Google,
Yahoo, and others regularly read your emails for a variety of purposes such as advertising and training
their AI. The fact that these communications are readable by employees (even if only certain ones)
means that any sensitive information is not safe and can be potentially stolen.
In the United States, police do not need a warrant to access emails older than six months. The fact that
they can access these emails without your knowledge or consent means a hacker could, too. Even if the
people you contact aren't using encryption, it's a reduction (not elimination) of risk to have your inbox
encrypted in the way an encrypted email provider offers. If your inbox gets caught up in a data breach,
an encrypted inbox will still be protected.
The most important thing to consider when deciding on an encrypted email provider is to make
sure the provider promises "zero knowledge" or "end-to-end encryption." This means that the
provider can't read your emails even if they want to without you giving them technical access.
Make sure to see how the provider makes money. Running an email server is expensive and requires
great technical knowledge. "If a product is free, you are the product." Make sure the company has a
viable business plan or else assume they are likely selling your data, which compromises your privacy
and security.
If you want to take full advantage of encrypted email services, be sure to pick a provider that is also
being used by the people you email regularly. Having an encrypted inbox can prevent warrantless
searches and data breaches, but once the email leaves your inbox it will be decrypted. If you want the
email to be encrypted from start to finish, you'll need to both be using the same service or protocol.

Product/Service, Pros, Cons
Listed in alphabetical order, not order of recommendation

Criptext
Pros:
• Open source
• Uses the Signal Protocol
• Free
Cons:
• Does not work with PGP
• Does not offer a way to start secure communications with non-Criptext users
• Still in beta
• Based in The United States
• Not audited

CTemplar
Pros:
• Open source
• Works with PGP
• Based in Iceland
• Anonymous sign-up
• Anonymous payments
• Audited
• Offers a free tier
Cons:
• (none listed)

Lavabit
Pros:
• Open source
• Dark Mail protocols, when used properly, are virtually immune to remote hacks.
Cons:
• Does not work with PGP
• Based in The United States
• No free tier
• Not audited

Mailbox.org
Pros:
• Open source
• Works with PGP
Cons:
• Based in Germany
• No free tier
• Not audited

ProtonMail (Non-Affiliate Link)
Pros:
• Open source
• Offers a free tier
• Includes a free-tier VPN account
• Based on PGP (you can securely email other providers as long as the recipient is using PGP)
• Based in Switzerland
• Offers a way to start secure communication with non-Proton users
• Audited
Cons:
• (none listed)

Riseup
Pros:
• Open source
• Free
Cons:
• Based in The United States
• No mobile apps
• Aimed more at activists, may not be available for everyone

Tutanota
Pros:
• Open source
• Offers a free tier
• Offers a way to start secure communication with non-Tutanota users
Cons:
• Does not work with PGP
• Based in Germany

Honorable Mention: PGP


Finally, I want to take a moment to give an honorable mention to PGP and explain how you can use it
yourself. PGP stands for Pretty Good Privacy and is an open-source encryption program.
Generally speaking, it is most commonly used for encrypted email but it can actually be used to encrypt
just about anything.
Explaining how PGP works is much more complicated than actually using it. It's one of those
things that sounds complicated but it's really not. When you set up any type of public-key encryption,
including PGP, it creates two keys. One is called the “private key” and one is called the “public key.” The private key
is private: it stays with you. Never share it, keep it safe. Maybe create a backup of it somewhere safe.
The public key, on the other hand, can be spread around as much as you want. The more the better.
Think of the public key as your address and the private key as your door key. The more people you give
your address to, the more people can write you. But only you can unlock the door and enter the house
where you have some privacy. So when you set up PGP on an email account, you'll be given your two
keys. You spread the public key to anyone who wants it so they can initiate a private email chain with
you, and you keep the private key somewhere safe. It sounds complicated, but it's really not. There's
tons of programs and plugins that handle this process for you.
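To make the two-key idea concrete, here is an added toy illustration in Python (not PGP itself, and not code from The New Oil or any PGP program): textbook RSA with tiny fixed primes, showing that anyone holding the public key can encrypt to you or check your signature, while only the private key can decrypt or sign.

```python
"""Toy model of the two-key idea behind PGP.

Added example, not from The New Oil: this is textbook RSA with tiny, fixed
primes so every step is visible. It is NOT PGP and NOT secure (real OpenPGP
uses keys of 2048 bits or more plus a symmetric session key per message).
It only shows which key does what: the public key (your "address") lets
anyone lock a message to you or check your signature; the private key
(your "door key") is the only thing that unlocks it or creates a signature.
"""
import hashlib

# Constructed toy parameters; a real key uses primes hundreds of digits long.
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def generate_keypair(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Return (public_key, private_key), each as an (exponent, modulus) tuple."""
    n = p * q                       # modulus, shared by both halves of the pair
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # private exponent: inverse of e modulo phi
    return (e, n), (d, n)


def fingerprint(public_key):
    """Short hash of the public key: the value you compare with the other
    person out of band, so you know the "address" really is theirs."""
    e, n = public_key
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]


def encrypt(public_key, message: bytes):
    """Anyone holding the public key can lock a message (one block per byte
    here, which is a toy simplification; it leaks repeated bytes)."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    """Only the matching private key unlocks it."""
    d, n = private_key
    plain = [pow(c, d, n) for c in ciphertext]
    if any(v > 255 for v in plain):          # wrong key yields non-byte junk
        raise ValueError("decryption failed: wrong private key?")
    return bytes(plain)


def sign(private_key, message: bytes):
    """Signing applies the private key to the message digest."""
    d, n = private_key
    digest = hashlib.sha256(message).digest()
    return [pow(b, d, n) for b in digest]


def verify(public_key, message: bytes, signature):
    """Anyone with the public key can check the signature."""
    e, n = public_key
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(hashlib.sha256(message).digest())


if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    print("Alice publishes fingerprint", fingerprint(alice_pub))
    ct = encrypt(alice_pub, b"meet at noon")      # Bob uses Alice's PUBLIC key
    print("Alice reads:", decrypt(alice_priv, ct))  # only her PRIVATE key works
    sig = sign(alice_priv, b"meet at noon")
    print("signature valid:", verify(alice_pub, b"meet at noon", sig))
    print("tampered valid:", verify(alice_pub, b"meet at 1pm", sig))
```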
I don’t think you should stick with your current Gmail or Yahoo Mail for lots of reasons. A major
advantage to using an encrypted email provider is that even in your inbox, the emails are encrypted.
This means they’re safe from data breaches or warrantless police surveillance. However, I get it. If you
want to use PGP with your existing email provider, there’s two relatively easy ways to do it.
The first is a browser plugin called Mailvelope. For most people, this will be the best solution. If
you’re the type of person who goes to “gmail.com” to check your email, this is the solution you’ll
want. You simply add it to your browser as a plugin, it generates all your various keys, and you simply
use it whenever you want to encrypt, decrypt, or sign an email. The second option is if you’re a mail-
client type of person – aka Outlook. If this is your preferred method of accessing your email, then
consider switching to Thunderbird. This open-source mail client recently updated to ship stock with
Enigmail, an email plugin that enables PGP. Just like Mailvelope, you’ll have lots of options to encrypt,
sign, or decrypt messages on an as-needed basis.

Getting Started
Encrypted instant messaging is probably the easiest one to get started with. Sign up with the
service of your choosing then invite your friends. In my experience, I've had a lot of success getting my
friends to switch with a humble, no-ultimatum plea. "Hey, I've decided I want to start improving my
privacy and security. I don't like Apple/Google/Verizon/Sprint/Whoever reading my messages so I'd
like to switch to Signal. I'd really appreciate it if you did, too, when talking to me. I'd even be happy to
help you set it up." In my experience, most people are willing to humor you when you frame it that
way. I don't recommend being obnoxious. Don't say "Switch to Signal or I'm gonna stop talking to
you." Don't expect strangers to jump through hoops either. I've seen people who tell potential dates that
they will only talk via PGP-encrypted messaging and then wonder why they can't get laid. Learn to
pick your battles and how to kindly ask people to respect your wishes for more privacy.
Encrypted email is simultaneously easier and harder to get started with. It's easier because you
don't have to convince anyone else to join you (though I think you should, everyone should care
about their privacy). It's harder because to do it effectively requires you to change all your email
addresses manually. Just like with using strong passwords and multifactor authentication, I recommend
changing emails as you use a service. Next time you check your bank account, update your email. Next
time you log in to social media, change your email. I also encourage you to go to your old email and
set up email forwarding to your new account, that way in case you overlook any accounts you'll still get
the email and be reminded to update them.

Tips & Tricks


Never assume an email is secure. Email was never designed to be a secure communication method,
and even with PGP or other encryption protocols you can never guarantee that an email won't be
screenshotted, printed, or otherwise shared with unauthorized people. Never put anything in writing
you wouldn't be willing to have publicly displayed.
For high-risk individuals, the jurisdiction of the provider (aka "what country they're based out
of") is important. Jurisdiction determines what laws they follow and who can issue legal orders. For
example, see the story of Lavabit in 2013. Lavabit chose to shut down rather than betray its users, but
the next company may not be so ethical. For most users this is highly unlikely, but always keep a
backup and never submit anything life-threatening over email anyways.
Some additional resources for deciding which secure messaging is right for you could include Secure
Messaging Apps Comparison, Intel Techniques, and this chart. These are visual comparison charts that
might help you decide what services are best for you.

https://www.thenewoil.xyz/messaging.html
Accessed February 20th, 2021.

Privacy: Mobile Habits


In the "Most Important" chapter, I talked about some settings to help reduce the data collection on your
phone and improve your mobile security. I also briefly touched on replacement apps and habits. In this
section, I want to expand on that and talk about some additional practices and considerations to further
improve your mobile device privacy and security. As I said before, phones are the most powerful
surveillance devices we have, not only because they travel with us everywhere but also because
they offer far less room to customize them safely than a computer does.
The biggest thing you can do with your phone is consider your metadata. The biggest habit you can
change, as I said before, is just to not have your phone around as often as possible. I bought a classic
non-smart alarm clock at Target for $10. My phone charges overnight in the study, which is on the
other side of the house from the bedroom. When I go out on date nights, I leave my phone at home. It
forces me to pay more attention to my partner, to be more in the moment, and reduces the GPS location
tracking.
Second, consider what you do on your phone. Try to send emails from your computer rather than
your phone because you have significantly more control over your computer's data collection than your
phone's. Most apps have privacy policies that allow them to see what else you do on your phone, what
other apps you have installed, and sometimes even more invasive things. Overall, the less you can use
your phone, the better.
Third, try to keep your phone as clean as possible. Apps are a potential risk, both in terms of the data
they could be collecting and the malware they could be hiding. The fewer apps you have, the better off
you are. Do you really need to be able to check your bank account anywhere, any time? Usually no, it
can wait until you get home, so it's better just to not have your bank app (this is also safer if your phone
gets lost or stolen: now whoever possesses the phone doesn't have one-click access to your bank). Same
thing with games. Do you really need every copy of Angry Birds and Wordsearch and Pokemon GO?
I'm not saying don't have any apps at all, but I am saying weigh how much you actually need or
use them against the risks they present and consider if you can't find a workaround in another way. I
have Spotify on my phone, I'm pretty sure I'd die without it. But Spotify means there's no need to
download a game to keep myself occupied while standing in line. Same thing with news apps. Using
Firefox Focus to check the news directly on their site is much safer than taking up space and risking
data collection with an app. Again though, if possible, it's better to check the news on my computer
than on my phone because my computer is more effective at blocking trackers.
A more advanced step is to get a phone that's not in your name. Rather than buying a phone on
credit - which unavoidably ties it back to you - you can buy a phone up front in cash, then get a pay-as-
you-go plan. These plans are also incredibly inexpensive in addition to offering much more privacy.
Keeping the phone out of your name will help to reduce the amount of personal data that leaks to
public search engines, which will be discussed in the next section. However, other metadata such as
location at home every night means your identity can easily be determined. So this isn't a foolproof
strategy to hide from advanced adversaries, just simple automated data collection.
I strongly urge anyone privacy-oriented to stop using your SIM number and instead use Voice-
over-IP for all non-encrypted communications. This is a large subject, and as such I have dedicated
an entire page to explaining this, and I encourage you to check it out if you're interested.
Finally, for those desiring maximum privacy, I encourage you to combine all of this along with getting
a Linux-based phone. This is a more advanced technique that falls outside the scope of this website, but
I can at least point you in a starting direction. I recommend flashing the devices yourself and the two
most popular and well-supported ROMs for this purpose are LineageOS and GrapheneOS. Of these
two, Graphene is generally regarded as more secure while Lineage tends to have more support
available. There are two "out of the box" solutions that are quite popular in the privacy community,
Pinephone and Librem 5. However, having dug in deep to some reviews from others who have
purchased these devices, I hesitate to recommend these for average users. Both of them come with their
fair share of bugs, from missing camera software (making the camera useless) to having to custom
install the OS upon unboxing. These devices are worth mentioning as you search for a Linux phone,
however please do your research and remember that both of these devices are still very new and still
working out the kinks.


https://www.thenewoil.xyz/mobile2.html
Accessed February 20th, 2021.

Protection: Trusts, LLCs, and Public Data


Before I jump in all the way here, I want to caveat this by saying I am not a lawyer. Laws vary from
place to place and I can only write my experiences and what I've read from other experts. If you are
intrigued by this subject, I highly recommend you read "Extreme Privacy" by Michael Bazzell or "How
to be Invisible (3rd Edition)" by JJ Luna. The second book is relatively old, but the general concepts
should be the same.
I mentioned on several pages how public information gets sold, resold, and scraped up and eventually
finds its way onto the internet. Just go ahead and Google your full name, your SIM number, your
address, or your email address (or any combination of those). You might be floored what you find.
Bazzell offers a free workbook that you can use to help scrub this information, but the sad fact is it will
just come back. These sites are populated by DMV sales, USPS address change forms, utility accounts,
and more. So if you want to truly stay off the internet, you'll have to take some extreme measures.
Why Should I Care?
Previously, this was not a subject I included on my website, but recently I've felt it more and more
important to list it. With the rise of people search websites, and the rise of ideologically based
violence in the US, I feel like not only has this extreme measure become worth listing, but also
one worth taking seriously. I know this sounds super paranoid and extreme, but, consider the
following:
Good privacy and security are proactive, not reactive. You never know when you might suddenly end
up in the spotlight. You never know when a family member will do or say something controversial that
comes back to reflect on you, or if a seemingly benign social media post will go viral, or some angry
kid on the internet SWATS you. You could even lose your job over it or have your life literally ruined
by false accusations and honest mistakes. By the time you're in the hot seat, it's too late. You can't
unpublish your information or nicely ask the press to leave you alone. So while you may not have
aspirations of becoming a politician or a rockstar, and while you may not have any particularly
controversial opinions yourself, I consider it extremely important to try to keep your home address and
personal information out of public record.

How It's Done


There are a number of ways to tackle these issues, and they range from complicated to straight up
illegal. While some of the illegal techniques may not necessarily be unethical, I will still refrain from
suggesting any for the sake of covering my own butt. I also don't think that privacy is worth doing
anything illegal unless your life is in danger. I also want to again remind you that I am not encouraging
you to use these techniques to defraud anyone. Pay attention to your finances, pay your bills, and keep
true to your word.
I've already talked extensively about how to keep your SIM number off public record. Buy a
phone in cash, use pay-as-you-go plans, use fake information when registering, and use VoIP so
nobody even knows what number to look for. But what about your home and utility bills, which are
easily the most expensive and accurate form of public record? DMV records? What about your car and
license plate readers that are becoming so ubiquitous these days?
Let's start with home and utilities because these are "easiest." Depending on your lifestyle, you
have several options here. The easiest is to rent a room from an individual landlord and ask them to
keep all the utilities out of your name. This is a risky and unusual request, so expect to be met with
resistance. You'll have better luck if you offer all or a large chunk of the rent up front or if you agree to
pay a premium. You could also try a white lie, say that you have an abusive ex or stalker in your past
and you're trying to keep your name off public records. That might help sway them to your cause. As
long as you can get them to trust that you're good for the money, they probably won't mind.
The second option depends on whether you plan to buy or rent. If you plan to buy, buy your home in a
trust and cite "estate planning purposes" as your reason. That way the trust will show up in public
records but not your name. Bazzell talks about this extensively in his book. If you plan to rent from a
larger landlord who won't let you stay there under the table, a shell corporation is typically the best
approach. When seeking an apartment that will rent to a shell corporation, ask if they do "corporate
rentals." When they ask about it during the lease, just say you recently relocated for work and part of
the arrangement is that the company is paying for housing. Be sure to do your research and check
your local laws. Most states require an LLC to publicly name an agent. If you have enough money, you
could hire a lawyer and have them listed, protecting you by attorney-client privilege. If you do it
yourself, a small few states do still keep that stuff off public record. Typically as long as you don't do
any business or have any income as that shell corporation, you won't have to pay any taxes (though you
probably still have to file). Some states do have annual renewal fees regardless. New Mexico and
Wyoming are the states most promoted for this purpose by Luna, but do your own research. This is a
complex subject but in most cases I think this is ideal for most people. There's a lot of options that you
can employ depending on the resources available to you and your threat level.
At this point, utilities and vehicles are easy. If your threat level is low, you can just register them in the
same name as the trust/LLC. For most people, this is adequate. If you need additional layers of
protection, I recommend registering your vehicle in a different trust/LLC. You could also do utilities
but since the utilities will be servicing the home address anyways, I think this is overkill in most
situations. Your car insurance may cost a bit more due to being a "company vehicle" but sadly some of
the more advanced privacy techniques require extra funds.
So now we've got a phone, a home, a car, and utilities all in names that don't tie back to us. The last
question is DMV records. I mention on my home page the tragic story of Rebecca Schaeffer, an actress
in the late 80s who was killed when a stalker obtained her home address from public DMV records.
Schaeffer's death resulted in the passage of several privacy laws, but DMVs continue to sell records -
including photos - to various data brokers. As we learned with Equifax, there is no company too high or
sensitive to be breached. The best way to defend against this is a nomad driver's license, but again these
are complicated. According to Bazzell, Texas and South Dakota are the best states for this, but even so
this may not be an ideal strategy for lots of people. There are a lot of factors at play regarding the state
you wish to reside in. Consult Bazzell's book (or Bazzell himself) for more details.


https://www.thenewoil.xyz/llc.html
Accessed February 20th, 2021.

Less Important: Section Introduction


The final section of this site (for most people) is titled "Less Important." That name was chosen for a
reason: these things aren't unimportant, and they should be implemented where possible. But they're not as
critically important as the other steps, and they're a bit more abstract. With multifactor authentication or
encrypted messaging, it's easy to go "here's a list of apps to check out." With things like changing your
online habits, there's a list of suggestions but really it requires much more intentional thought and
understanding of the concepts. Using the apps and techniques listed in the other sections is much
more straightforward and requires less understanding of the concepts. Using the techniques listed here
requires you to understand how surveillance and metadata work and how to introspectively ask
yourself questions about your involvement.
I start with a section on Voice-over-IP and email masking, why that's important and how to do it. Next I
discuss changing your online habits. Most of us, even with good passwords and secure software, still
give out way too much unnecessary information online, both in the form of social media posts and in
filling out profiles on websites. Next I discuss VPNs, if they're necessary, and what exactly they can do
for you.
The main idea behind this section can be summed up with "does this person need to know what
they just asked?" If they don't need to know, don't tell them. Buying a physical product online
requires a valid shipping address. Signing up for a forum does not.

https://www.thenewoil.xyz/less_important.html
Accessed February 20th, 2021.

Protection: Voice-over-IP
This section, to me, wavers somewhere between "optional" and "critical" depending on your situation.
If you are a freelancer, if you're still dating around, if you work in a high-profile or sensitive position, if
you're job hunting, or any other similar situation, this section is critical for you. I would define a
"similar situation" as any situation where you hand your phone number out frequently to
strangers or you have an increased need for privacy (such as the "high profile position" caveat). If
you don't feel you fall into this category, consider this section "not mandatory but highly
recommended."
Voice-over-IP is the technology allowing phone calls to be sent over the internet rather than phone
protocols. The capability has been around for decades and has actually been extremely common in the
commercial world as an efficient way to manage multiple phone numbers in office environments. The
technology has recently started to become popular with cell phones as a way to circumvent needing to
"use minutes," and even more recently has become popular for its privacy implications.

Why SIM is Bad


Regular SIM phone numbers are tied to individuals. In some parts of the world, an identification is
needed. Here in America, the most common way it gets tied to a person is by setting up a phone plan in
your real name, often accompanied by a credit check so you can buy an expensive smartphone on a
payment plan. Once that happens, the phone number issued by your cell provider basically becomes
a type of social security number, and there are numerous websites where I can type in your phone
number and get varying degrees of information about the owner of that number. Usually at a bare
minimum I can get the provider and general location of the owner (often accurate to within
the city). Sometimes I can get a full address, a full name, roommates, historical information, and
more.
Voice-over-IP numbers are significantly less regulated and therefore give away immensely less
information. Often with a VoIP number I'm lucky if I can find the registrar who assigned the number,
much less a name or location associated with it. So by using a VoIP number instead of your real
number, you dramatically reduce risk to yourself.

Advantages of VoIP
Using VoIP is a great way to compartmentalize your life. For example, using a VoIP number
exclusively for dating is a great way to protect against potential stalkers. Rarely will a
manipulative or dangerous person reveal this on the first date. You may not start seeing red flags for
quite some time. As such, a VoIP number is handy here. The person won't be able to research the
number and find any information about you, and once you start to see the red flags you can cut off the
number and lose them before you put yourself in danger.
Another handy feature of VoIP is the professional protection. As a freelancer, I can give out my work
phone number to anyone who asks for it and not have to worry about an angry client doxxing me or
discovering any personal aspects of my life that I may not want them to know. Consider this: in some
states, public records are so open that many people search websites are able to connect your phone
number to your voter records and publish your registered party online. I, personally, try to be apolitical
in my professional life, and I would hate for a client to not hire me based on my political leanings
without getting to know me first. I have frequently worked for clients who openly voice different
political opinions than me and almost all of them have become regular customers. Imagine if I'd lost
that reliable income stream because they looked my number up online and decided to pass based on a
snap judgment of me exercising my legal rights.
Additionally, on the topic of work, with many people now working from home, a VoIP number allows
you to create and enforce a healthy work/life balance. I do not have my work email on my phone,
and if after-hours calls or texts ever become an issue, I can set my VoIP number to turn off after hours
so that it doesn't even ring. My coworkers would have no choice in this situation but to wait for me to
decide to check my messages and contact them. It should go without saying that I don't recommend this
if your job actually demands that you be on call, such as an EMT or tech support, but in all other
situations this can be a great way to enforce those healthy boundaries.
Note: None of these options are highly privacy respecting, and none of them are open source. As
explained below the table, VoIP is not meant to be a replacement for encrypted messaging. As such,
I'm presenting a wide range of options for your consideration, but be aware that none of them are truly
private or safe.

Product/Service, Pros, Cons
Listed in alphabetical order, not order of recommendation

Google Voice
Pros:
• Unlimited numbers available
• Free
• Forwards numbers to your SIM
Cons:
• US and Canada
• No group chats
• No video chats
• App only
• No disappearing messages
• No privacy, requires Google
• Based in The United States

MySudo
Pros:
• Up to 9 numbers available
• Includes fully functional email, web browser, and digital masked cards
• Works independently of your SIM number
• Zero-knowledge
• End-to-end encrypted (to other MySudo users)
Cons:
• US, Canada, and UK numbers only
• No group chats
• No video chats
• Desktop client in beta, web-based only
• No disappearing messages
• Based in The United States

Viber
Pros:
• Group chats
• Video chats
• Desktop client
• Zero-knowledge
• End-to-end encrypted (to other Viber users)
• Disappearing messages
• Worldwide usage
• Independent of your SIM number
Cons:
• External messaging and calling cost extra
• Only one number available
• Based in Japan

Getting Started
Almost across the board, I recommend MySudo. It is available for both iOS and Android, and usable
plans (meaning plans that will give you the ability to communicate with non-MySudo users, which is
most people) begin at $1 USD per month, or $10 per year. I would recommend SudoPro or SudoMax
($5/$50 and $15/$150 respectively) for most people depending on your needs. Pro will probably suit
most people, as it allows 3 phone numbers which can be used for work, personal, and other. More
advanced readers may want the 9 numbers allowed by Max. If you're on a tight budget, I
recommend Google Voice. This will allow you to create VoIP numbers that forward to your real
number. If you live outside the US, UK, or Canada, then Viber is the clear choice.

Tips & Tricks


Keep in mind that VoIP is not meant to replace secure messaging. Just as with a regular SIM phone
call or SMS message, you should assume that anything you say or type might be recorded and be
plainly visible to any employees or law enforcement. VoIP is recommended in this context purely as a
way to keep your data out of people search websites and protect against relatively-unsophisticated
threats like a stalker or doxxer.

https://www.thenewoil.xyz/voip.html
Accessed February 20th, 2021.

Data Breach Defense: Email Masking


There's a dark side to data breaches that doesn't always get considered, and that's the exposure of your
email address. Consider the following: a random online game you play - it could be an app on your
phone or a video game on your computer - gets caught up in a data breach. When you registered for
this game, you registered with your main email, yourname@gmail.com. There are now a variety of
ways that I can search for this email address to see where else you have accounts, such as Twitter,
Facebook, even bank accounts. Furthermore, I can see from your email address that you use Gmail
and I already have one half of your login. Now I just need to guess your password.
I mentioned in Multifactor Authentication that if I get access to your primary email, I own your life.
Now, of course, if you're using MFA and strong passwords, the odds of that happening are low.
However, now it becomes easy for me to correlate all the various services you use and stalk you
digitally. There are ways to mitigate this. You could, for example, have all your social media profiles
set to maximum privacy so you leak as little information as possible. You could also compartmentalize
your life by having one email account for social media, one for shopping, one for banking, etc. This is a
great idea, but personally I find the idea of keeping up with multiple email accounts annoying and
inconvenient. Rather, I have a solution that is both convenient and even more effective than having
a couple of different email accounts: email masking.
The basic premise of these services is quite simple: let's say I sign up for a new shopping account.
Rather than signing up with shopping@protonmail.com or whatever, I make an account with one of the
two services below. Using the service, I create a masking email address that I use to sign up for my new
shopping account. Any email sent to that address gets forwarded to my real email address, which I can
then respond to if I want from that address. This allows me to give every single website I use a
completely unique email address while still managing them all from a single inbox. This helps to
keep my various accounts from getting connected to me by automatic surveillance. Additionally,
if any website suffers a data breach, a hacker can't correlate my account with any other sites and
doesn't even know who my email provider is to attempt to take over my email account. The
amount of privacy and compartmentalization gained is immense.
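The forward-and-reply mechanism described above, as a toy model you can run: this is an added Python example, not code from The New Oil, SimpleLogin or AnonAddy, and the domain names, class names and sample messages are constructed for illustration.

```python
"""Toy model of an email-masking (alias forwarding) service.

Added example, not code from The New Oil or from SimpleLogin/AnonAddy.
Names, data structures and the sample messages are constructed; real
services add authentication, SPF/DKIM handling, storage and a web UI
on top of the same idea.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    """Minimal envelope: who it is from, who it is to, subject and body."""
    sender: str
    recipient: str
    subject: str
    body: str


@dataclass
class MaskingService:
    """Maps per-site aliases to one real mailbox and hides that mailbox on replies."""
    alias_domain: str
    real_mailbox: str
    # alias -> site label the alias was created for (e.g. "shop.example")
    aliases: dict = field(default_factory=dict)
    # aliases the user switched off because they started collecting spam
    disabled: set = field(default_factory=set)
    # reverse aliases let the user reply *from* the alias without exposing
    # the real mailbox: reverse-alias address -> (alias used, external contact)
    reverse: dict = field(default_factory=dict)

    def new_alias(self, site: str) -> str:
        """Mint a unique address for one website, e.g. shop.a1b2c3@masks.example."""
        alias = f"{site.split('.')[0]}.{secrets.token_hex(3)}@{self.alias_domain}"
        self.aliases[alias] = site
        return alias

    def disable(self, alias: str) -> None:
        """'If an email address starts collecting too much spam, I just shut it off.'"""
        self.disabled.add(alias)

    def _reverse_alias_for(self, alias: str, contact: str) -> str:
        """Create (or reuse) the address the user replies to; it encodes the contact."""
        for ra, (a, c) in self.reverse.items():
            if a == alias and c == contact:
                return ra
        ra = f"ra+{contact.replace('@', '_at_')}.{secrets.token_hex(2)}@{self.alias_domain}"
        self.reverse[ra] = (alias, contact)
        return ra

    def inbound(self, msg: Message):
        """A site mails the alias: forward to the real mailbox with the sender
        rewritten to a reverse alias. Returns None (mail dropped) when the alias
        is unknown or has been disabled."""
        alias = msg.recipient
        if alias not in self.aliases or alias in self.disabled:
            return None
        reply_to = self._reverse_alias_for(alias, msg.sender)
        return Message(reply_to, self.real_mailbox, msg.subject, msg.body)

    def outbound(self, msg: Message):
        """The user replies from the real mailbox to a reverse alias: deliver it to
        the external contact with the alias, not the real mailbox, as sender."""
        if msg.sender != self.real_mailbox or msg.recipient not in self.reverse:
            return None
        alias, contact = self.reverse[msg.recipient]
        if alias in self.disabled:
            return None
        return Message(alias, contact, msg.subject, msg.body)


def demo():
    """Walk through sign-up, forward, reply and shut-off with constructed data."""
    svc = MaskingService("masks.example", "me@mailbox.example")  # constructed
    shop_alias = svc.new_alias("shop.example")
    fwd = svc.inbound(Message("orders@shop.example", shop_alias, "Your order", "Shipped!"))
    reply = svc.outbound(Message("me@mailbox.example", fwd.sender, "Re: Your order", "Thanks"))
    svc.disable(shop_alias)
    dropped = svc.inbound(Message("promo@shop.example", shop_alias, "SALE", "..."))
    return shop_alias, fwd, reply, dropped


if __name__ == "__main__":
    for item in demo():
        print(item)
```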
Below I have listed two services that offer email masking. Both services offer a free tier that should
work just fine for most users, but offer additional useful features for paid users. I have signed up for
both and found them both to be functionally the same. The only real difference between the two
services is their user interface and their pricing, both of which are affordable and reasonable. I
encourage you to try both out and go with whichever one you find most appealing.

SimpleLogin
AnonAddy (Non-Affiliate Link)
• Open source
• Supports PGP
• Multiple recipients
• Works with custom domains

Getting Started + Tips & Tricks


Like any other service, I encourage you to make the changes one by one. Every time you use a website,
take a moment to change your email address to a masked, forwarding email address. I then encourage
you to use your masked email addresses going forward. I use them for everything myself from ordering
pizza to signing up for newsletters and joining giveaways. If an email address starts collecting too
much spam, I just shut it off.
The biggest tip I have for using these services is to not use them for critically important accounts such
as banking, medical, or other accounts you cannot afford to lose access to. Email forwarding services
are still relatively new and are constantly getting blacklisted by various companies as part of the
neverending cat-and-mouse game tech companies play with privacy companies over control of user
data. It would be horrible to use one of these services for your bank only for the service to go out of
business and now you can't access your bank's important messages, or for your bank to decide to
blacklist that email provider and put your account access at jeopardy. Have a separate encrypted email
account for use with important services like this.


https://www.thenewoil.xyz/email.html
Accessed February 20th, 2021.

Protection: Change Your Online Habits


The topic of "changing your online habits" is a big one, but as I said in the introduction, this chapter of
the site/book is dedicated to teaching you how to fish - that is, rather than giving you a to-do list, it's
about teaching you to recognize things and make your own informed decisions.

Phishing & Clicking Links


Speaking of fishing, let's start there. Phishing historically has been and remains one of the top ways
to gain unauthorized access to a specific machine, account, or network. Phishing occurs when a
person clicks on a link and either enters information or downloads a payload that gives a
malicious actor access to an account or device, which they can use to access the data on that
machine or the network the machine is connected to. Typically this link-clicking occurs in the form
of an email that appears to be legitimate, such as an email that appears to be from your bank asking you
to confirm account details. Those details are actually logged by a hacker who now has your bank login
information. Or it could be a text seemingly from your mother saying "here's a link to some old pictures
I found" and it's actually a virus.
Phishing could also come in the form of a link on a website that appears to be legitimate. This is why
ad-blockers are so important. In the early days of the internet, it was common to search for a specific
software (such as a codec to play a certain type of video) and stumble on a website with an ad that says
"click here to download your codec!" when in reality the true link was further down the page. This is
called "malvertising," or "malicious advertising," and using an adblocker is a critical part of preventing
this type of deception. There is even such a thing as "drive-by malvertising," where malicious ads can
infect your computer without you even clicking on anything. Ad blockers are important!
In the case of direct messages, there are many ways actors pretend to be someone they're not. Many of
them are easy to see through. The email may say it's from "Chase Bank," but looking at the actual email
address quickly reveals that it's from "chasingbanks@gmail.com," clearly not your actual bank.
Sometimes a technique may be more complex: a hacker may have gained access to a relative's account
(usually through phishing) and then send an email from them, appearing totally legitimate in every
way. In cases like this, your best defense is to be cautious. If something seems out of character,
contact the person and ask about it. If your notoriously serious aunt sends you a funny video, ask her
if that was actually her. If your bank sends an email requiring confirmation of something, ignore the
email and go straight to their website. If it's legitimate, the same warning will pop up when you log in
or be waiting in your messages. If you're still not sure, contact their support team and ask.
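The "Chase Bank" versus chasingbanks@gmail.com check from the paragraph above, written as a small filter you could run over mail headers. This is an added Python example, not from The New Oil; the brand-to-domain table and the sample headers are constructed for illustration.

```python
"""Spot the mismatch the text describes: a From: header whose display name
claims to be a bank while the real address lives somewhere else.

Added example, not from The New Oil. The brand-to-domain table and the
sample headers are constructed; a real filter pairs this with SPF/DKIM/DMARC
results instead of trusting names alone.
"""
from email.utils import parseaddr

# Constructed table: brand keyword (lowercase) -> domains that brand really sends from
KNOWN_BRANDS = {
    "chase": {"chase.com"},
    "paypal": {"paypal.com"},
}


def check_from_header(header: str):
    """Return (verdict, reason); verdict is 'ok', 'suspicious' or 'malformed'."""
    display, addr = parseaddr(header)
    if "@" not in addr:
        return "malformed", "no usable address in From:"
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    # Words the sender *claims*: the display name plus the part before the @
    claimed = f"{display} {local}".lower()
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand not in claimed:
            continue
        # Accept the brand's own domain or a subdomain of it (alerts.chase.com),
        # never a lookalike (chase-verify.com) or a webmail address (gmail.com).
        if domain in real_domains or any(domain.endswith("." + d) for d in real_domains):
            return "ok", f"'{brand}' claimed and the address really is @{domain}"
        return "suspicious", f"claims '{brand}' but the mail is actually from @{domain}"
    return "ok", "no known brand claimed, nothing to cross-check"


def triage(headers):
    """Run the check over a batch of headers and return only the flagged ones."""
    flagged = []
    for h in headers:
        verdict, reason = check_from_header(h)
        if verdict != "ok":
            flagged.append((h, reason))
    return flagged


# Constructed sample headers, including the chasingbanks example from the text
SAMPLE_HEADERS = [
    '"Chase Bank" <chasingbanks@gmail.com>',
    'Chase Alerts <no-reply@alerts.chase.com>',
    '"Chase Bank" <security@chase-verify.com>',
    'Mom <mom@gmail.com>',
]

if __name__ == "__main__":
    for header, reason in triage(SAMPLE_HEADERS):
        print(f"SUSPICIOUS: {header}  ({reason})")
```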

Sharing Information
Another important digital habit to change is the handing out of information. I'm not opposed to
sharing your life or picture online. I have a personal Mastodon account where I share my day-to-day
and I even have a selfie as my profile picture. But think about what you're sharing and what it reveals.
Back in the early days of social media, it was common that people would publicly share that they were
going on vacation for a week, so criminals in the area would find their house and rob it while they were
gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker
find her because she took a selfie where the street sign was visible. Again, I'm not saying don't share
things online, but be mindful of what information is visible in the photo, such as a company logo
on your shirt or financial information in your screenshot.

Additionally, when I say "handing out of information," that includes actual information. Try this
experiment: next time you sign up for a website or pay for something online, try submitting as little as
possible. Try filling out just your email address and password. It will likely stop you from moving on
and ask for some more information, but you might be surprised exactly what information is optional. It
may not need a last name, or maybe the phone number is optional. You should view every website as
a data breach waiting to happen, and anything that isn't a password or card number is probably not
encrypted, so the less personal information you hand over the better. If you are required to hand over
information but the requesting site or service doesn't actually need it, consider using disinformation.

Social Media
While I am opposed to mainstream social media services for a number of reasons, I understand that
sometimes you have no choice in using them. My recommendation would be to not use the apps
whenever possible, post as little as possible, and make your profile as private as possible.
If you feel the need to have social media, try checking out the decentralized and more privacy-respecting
Fediverse. This is a volunteer-run, peer-to-peer social networking system, and one of the
coolest things about it (in my opinion) is the way it interacts universally. Imagine if you had a Twitter
account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up
for Instagram. On the Fediverse, you can follow them from your own platform even without having an
account with that service. For Twitter fans, I recommend Mastodon. For Instagram fans, PixelFed.
Facebook users might feel more comfortable on Friendica and YouTube users might find new content
on PeerTube.

Search Engines
Change your default search engine. Google tracks all of your searches and records them, and these are
all added to your profile to create a more complete picture of you as a person; your likes, dislikes,
interests, and more. Try a privacy-respecting, no-logging search engine such as SearX, or MetaGer.
DuckDuckGo and Startpage are popular search engines that claim to be privacy-respecting, but due to a
wide variety of past questionable actions of both and the availability of better options that are stable and
user friendly, I don't particularly encourage them.

Account Hygiene
Delete any and all unused accounts. This includes old social media accounts, library accounts, work
accounts, and services you signed up for once and never used again. If you can't delete them for
whatever reason, change them to a secure password and hold onto it somewhere safe. My only exception to
this is that I recommend holding onto old email accounts. You never know what you once used them
for and when you might need them again for that purpose. It's better to have them stored safely behind
a strong password and 2FA and not need them than to need them and not have access anymore.

Mindful Digital Correspondence


Also remember that even with encryption, no digital communication method should be considered
secure for a variety of reasons. You never know if the person is going to print it out and share it or leave
their messages open while they step away from their device briefly. Be careful what you send
digitally, even if it is properly encrypted. There is always a risk.

https://www.thenewoil.xyz/habits.html
Accessed February 20th, 2021.

Protection: Disinformation
I mentioned in my online habits section the concept of knowingly handing out false information. This
is probably one of the most powerful techniques for preserving your privacy in a digital world.
However, it's important to understand how to use this properly lest you land yourself in some hot legal
water.

What Not to Do
Never knowingly give false information on a legal document, to a law enforcement officer, to a federal
agency, to the IRS, or to medical personnel. Honestly that pretty much sums it up. When using
disinformation as a strategy, the main question to ask yourself is "does this person need the
information they are requesting?" Does a cop need your real name when pulling you over? Yes. It's
illegal to lie to the police when they are performing official duties. Does your doctor need your real
contact information? Yes. Does the IRS need your real social security number? Absolutely. Does
Facebook need your phone number? Absolutely not.

What to Do
In almost all situations, the best defense is invisibility. Rather than providing false information, you
should seek to provide as little information as possible. When being asked to fill out a form, don't be
afraid to ask "what information on this is actually mandatory? What parts do you need?" Privacy is
becoming less stigmatized these days as data breaches continue to happen on an almost-daily basis. As
long as you're not obnoxious, most clerks will be willing to find out what information is mandatory.
Sometimes this is pretty obvious. Again, does Applebee's actually need your email? No, not really.
Does your doctor actually need your home address? Maybe not. Maybe a PO Box is okay. Ask.
Once you know what information is required, you're now faced with the decision only you can
answer of what information to provide and what to fake. Like many people, I do my fair share of
online shopping. A name and address is needed, so I use a generic name and a PO Box. An email and a
phone number are both required. For email, I'll use an email masking service. After all, I do want
updates on my item and I can always delete the address if it gets too spammy. For phone number, I use
my area code plus 867-5309, which is from a hit 80's pop song. They don't need my number. They have
my email (so they think). They have a way to contact me with any problems. I'm probably too busy to
answer during the day anyways.
What about taking my cats to the vet? I book the appointment online using a masked email. If any
phone numbers are required, I give a fake number. If any address is required, I have a hotel nearby
saved in my notes. I pay in cash. I don't need the vet selling my information to various pet-care
companies who are going to spam me with crap they don't need. They're cats. Give them an empty egg
crate in the sun and they're happy.
Finally, an important part of this strategy is to have both excuses and addresses on hand for
everything. I have a list of numbers and addresses saved in my notes. If someone asks for one I haven't
memorized, I pull out my phone and make the excuse "sorry, I just moved so I haven't memorized my
address yet" or "sorry, I just switched phone providers and I haven't memorized my new number yet." I
like to have a variety of addresses to pull from in the local area. Some are quite close by. Others are in
surrounding towns up to an hour away. Whatever backs up my story. Public libraries, hotels, and other
public buildings are all great choices here. Typically only official businesses - like the DMV or a bank -
will be verifying those addresses, and in those situations you shouldn't be lying anyways.
Remember: the big question is "does this person need this piece of information?" Treat every request
for information as a data breach waiting to happen.


https://www.thenewoil.xyz/disinformation.html
Accessed February 20th, 2021.

Cybersecurity: The Internet of Things


If you're reading this, I'm willing to bet that you have some kind of smart device in your possession.
Maybe it's a smart TV or a Roku Stick. Maybe it's an Alexa or Google Home. Maybe it's a Nest
Thermostat or a Ring doorbell. Once upon a time, I would've said that you should simply avoid these
devices, however I think that we're moving into an age where that advice is antiquated. It's becoming
harder and harder to escape the "Internet of Things," so rather than avoidance I want to use this section
to teach you hardening.

But Still, Avoidance


Having said that, let's start with avoidance. Obviously none of us really needs any of the modern
"creature comforts" to survive, so I'm not going to be the curmudgeonly old man decrying kids and
their newfangled gadgets. However, it is important that we realize that each one of these devices we
bring into our lives puts us at risk, both in terms of privacy and security. The smart TV you purchase
not only reports invasive usage statistics, but these devices also offer hackers a way into your home
with things like lack of updates and default passwords. Yes, believe it or not, you can use a light bulb to
access all the other devices on the network.
So again, while I'm not here to say "don't buy the smart device," I am here to ask "is it worth the risk?"
Do you really need to know the second a package arrives at your doorstep? (First off, you should be
using a PO Box instead of your home address, so no). Do you really need a fridge that tells you the
milk has gone bad? Maybe if your nose doesn't work, but otherwise I'd say no. However, these answers
vary from person to person. I can live just fine without TV, so a smart TV is definitely something I
would rather pass on. Someone else may be a film buff and may find a lot of value out of a TV that can
stream from dozens of services easily. There are no wrong answers here, but I do encourage you to first
ask yourself if the value a smart device brings you is worth the privacy invasion and security risk that
comes with it. If not, either find a dumb device or pass altogether. In my experience lower-end stores
like Walmart still offer dumb devices, but there's also always the choice of a re-use market like
Craigslist or Goodwill.

If You Must
If you decide that you want a smart device, or for some reason you are unable to locate a dumb version
of the device, there's several key pieces of conventional wisdom that will help to dramatically increase
your privacy and security while using said devices.
• Make sure to change all default passwords and login information. Most devices - including
routers - come with a default username and password. There are free databases all over the
internet (and manuals) that disclose this information to anyone, meaning criminals and hackers
have easy access to the admin privileges of those devices. Change the default password (and
username, if possible) using a password manager to prevent easy access.
• Go through every setting on your device and make sure that you have disabled all settings that
share data and analytics.
• Make sure all your devices are set to auto-update. If there is no auto-update option, set a
reminder to periodically check for updates and install them when they become available.
• Buy a router that supports "VLANs," which are virtual second networks. Without going into
detail, putting two devices on separate VLANs (for example, a computer and a TV) makes the
devices act and think as if they are in completely separate locations. The devices are completely
isolated from each other on the network, so if one gets compromised the other is safe. Ideally
you'll want to have all your IoT devices on one VLAN, then all your network devices (phones,
laptops, etc) on another. IoT devices requiring network connectivity (such as smart TVs or
assistants) can still be given network access through the router's settings.
• Make sure to couple all this advice with other advice on this site (for example, use a forwarding
email to set up your accounts and use strong passwords and two factor authentication on all
accounts).


https://www.thenewoil.xyz/iot.html

Accessed February 20th, 2021.

Protection: Virtual Private Networks


For a lot of people, Virtual Private Networks, or VPNs, are their first introduction to any type of
privacy or security tool. Some people get introduced to the concept because of remote work, or to get
around location restrictions in content viewing. Whatever the case, VPNs are a fairly well-known and
common tool.
For those who don't know, a VPN is an encrypted connection from your device to a server. All your
internet traffic is routed through that server. A VPN is different from a proxy in that a VPN is
system-wide. Generally speaking, proxies tend to only apply to a specific browser or app, while a VPN applies
to the entire device. A VPN would not only protect Firefox, for example, but the Netflix app, your mail
client, and even any system telemetry that your OS might submit.
From a security perspective, a VPN provides you protection from local hackers. While most of the
internet is encrypted, not all of it is, and sadly important websites like government sites are typically the
worst offenders for expired certificates. Even at home, your Internet Service Provider can see your
traffic as well. A VPN encrypts your traffic, hiding it from local spies.
From a privacy perspective, the VPN makes your traffic appear to be coming from your provider's
server, making it hard to trace the traffic back to your actual, unique IP address. Your traffic has the
potential to blend in with the traffic of many other users and add to the anonymity.
As of 2018, Net Neutrality is dead in the United States. This means that Internet Service Providers are
legally allowed to block or slow down any website they want with or without any justification. Abuses
of this nature have happened in the past, but now they are no longer illegal and are happening again.
The best way to prevent this is to not let your provider see your traffic, then they won't know what to
block.
The most important thing to look for when picking a VPN provider is a provider who doesn't
keep logs. A provider who logs your activity is no better than your current internet provider. Your
traffic can be sold, censored, or spied on just as if you weren't using a VPN. All you've done at that
point is move the abuse to someone else. Unfortunately, "no logs" is pretty much just a buzzword these
days, and numerous providers have been caught lying about this. The best way I'm aware of to verify
this claim is to search "[VPN provider] logs" on your privacy-respecting search engine of choice. If the
provider has been around for any amount of time and has any considerable reputation, you will likely
find articles detailing a time when they were ordered to hand over customer data to law enforcement
for an investigation and what they had to hand over (if they're a good provider, they'll have nothing or
very little to hand over). You'll also be alerted to any potential accusations of logging, discussions on
that claim, and other information to help you decide if the company is serious or not.
Depending on your threat model, you may want to consider a provider who is located outside the
jurisdiction of the Fourteen Eyes Global Intelligence Community. A government attempting to access
your VPN traffic will potentially have a harder time when dealing with a company outside their
surveillance network.
Make sure to see how the provider makes money. Running a VPN server is expensive and requires
great technical knowledge. "If a product is free, you are the product." Make sure the company has a
viable business plan or else assume they are likely logging and selling your data, or worse.
Note that there are literally hundreds of VPN providers out there. Some quality, many not. The handful
I've selected below are the ones that seem to consistently be promoted within the privacy community as
reputable and more desirable than most mainstream companies. These companies seem to have a vested
interest in the cause of privacy. If you want a detailed breakdown of a specific VPN provider, please
visit ThatOnePrivacySite.

Product/Service: Pros / Cons
Listed in alphabetical order, not order of recommendation

BolehVPN
Pros:
• Partially open source
• Available on all operating systems
• Based in Malaysia
Cons:
• Not audited
• Partially open source

IVPN
Pros:
• Open source
• Audited
• Available on all operating systems
• Based in Gibraltar
• Supports WireGuard (cutting edge new VPN protocol)
Cons:
• None listed

Mullvad
Pros:
• Open source
• Supports WireGuard (cutting edge new VPN protocol)
• Audited
Cons:
• Not available on all operating systems, requiring a little bit of technical know-how to set it up for mobile
• Based in Sweden

Proton (Non-Affiliate Link)
Pros:
• Available on all operating systems
• Based in Switzerland
• Offers a limited number of free servers
• Open source
• Audited
• Offers split-tunneling
Cons:
• None listed

Tips & Tricks


I recommend using a VPN at all times on all devices. For mobile devices, this will not fool your
provider. They will still be able to track your real location at all times using cell phone tower pings.
However, this will fool your browser and most apps, and more importantly it allows for a secure,
encrypted connection at all times. This means that things like your browsing, your messages, and your
app usage are all safe from local observers. Again, keep in mind that this data will still be freely
available to your provider and anyone else who has access to the information (e.g., Apple and Uber); a VPN
only provides local protection.
For things like Netflix and Hulu, many VPN providers offer specific servers that support streaming. Be
sure to check their site or contact customer service for more information.
Please note that a VPN is not a perfect anonymity solution. They can be defeated with things like real-
time analysis and other legal maneuvers. Even a provider that doesn't keep logs can be issued a gag
order - "comply and don't tell anyone." For a real-world example of this, see the story of Lavabit in
2013. Lavabit chose to shut down rather than betray its users, but the next company may not be so
ethical. For most users this is highly unlikely, but for high-risk users this is worth considering when
deciding what information to transmit over a VPN.


https://www.thenewoil.xyz/vpns.html
Accessed February 20th, 2021.

Final Thoughts
Technology in general, especially cyber security and data privacy, is a constantly evolving
landscape. Laws change, technologies change, and companies start, go under, or change owners. That's
one of the reasons I wanted to present this site as a book: it's not enough just to list some apps and say
"use this." You have to understand why they work, or how to use them correctly. Everybody has a
different "threat model," aka "what am I protecting and from who?" Signal is a great
communication app for someone who needs security but not so much anonymity. I wouldn't
recommend Signal to someone with a stalker or who is trying to anonymously whistleblow (without
some extra steps, at least).
You also have to understand that because of the ever-changing landscape of this field, things come and
go. Encryption algorithms get cracked, companies change owners and start keeping logs, or techniques
become obsolete. I will strive to keep this site updated as often as possible, and significant updates will
be posted about in my blog. You can also follow my daily feed for news and discussion on current
privacy-related events, as well as joining my Matrix room and Telegram room for group discussions.
Thank you for reading. I hope you found this site helpful. Please consider supporting my project at
the links on the next page, contact me with any questions or comments, or check out the other
resources listed.


https://www.thenewoil.xyz/final.html
Accessed February 20th, 2021.
Contact Information & Helpful Links
Resources

Books
• Extreme Privacy by Michael Bazzell
• Click Here to Kill Everybody by Bruce Schneier
• Data and Goliath by Bruce Schneier
• The Art of Invisibility by Kevin Mitnick
• The Age of Surveillance Capitalism by Shoshana Zuboff
• The Personal Digital Resilience Handbook by David Wild

Websites
• Linux Journey
• Prism-Break
• The Privacy, Security, & OSINT Show
• Privacy Subreddit
• Privacy Tools
• Surveillance Self Defense by EFF
• That One Privacy Site

Podcasts/Videos
• Chris Were Digital
• The Great Hack
• The Hated One
• Kill Chain: The Cyber War on America's Elections
• Nothing to Hide
• The Social Dilemma
• Techlore
• Terms and Conditions May Apply

Contact

Blog
Podcast
Mastodon

Email: TheNewOil@ProtonMail.com
Email: TheNewOil@Tutanota.com
PGP Key

Matrix: @TheNewOil:matrix.org
Matrix Room: #TheNewOil:matrix.org
Signal: +15123841422
Telegram: @TheNewOil1
Telegram Channel: TheNewOilXYZ
XMPP: thenewoil@jabber.calyxinstitute.org

Some groups may be invite-only to help fight spam, but please feel free to message me and ask
for an invite! I'd love to have you join the conversation!

Support

Monero (XMR)
ZCash (ZEC)
Bitcoin (BTC)
Patreon
Note: I do not encourage the use of Patreon. Please consider Liberapay instead.
Liberapay

Upcoming Events

Event: The New Oil Presents: Taking Control of Your Data
Date/Time/Location: May 15, 2021, 2:00PM CST, Twitch
Notes:
• This event is expected to last one to two hours
• This event is free of charge
Still overwhelmed? Unsure of where to start or what tool is right for you? I offer personalized
consulting and coaching.
This site last updated February 19, 2021
Changelog

https://www.thenewoil.xyz/links.html
Accessed February 20th, 2021.
