Excellent Book On Digital Privacy and Cyber-Security by A Website Known As The New Oil
How It Works
This site is designed in a book format. It is designed to go in-depth on various ideas, subjects, and
concepts, and make you - the reader - feel educated and capable of making decisions that are right for
you. But it is also designed to be standalone in the sense that you can feel free to skip around. If you're
here and you just want to know more about encrypted email, you can skip to that section. If you want to
know more about safe browsing, skip to that section. If you want to understand cybersecurity, identity
theft, and hackers, skip to that section. Additionally, this site/book is designed to feed back into itself.
Links will either go to other relevant sections on this site, or will link to outside articles as a way of
citing my sources.
This site/book is split up into three major sections. "Most Important" covers the things I think are most
important and most relevant to anyone: things like cybersecurity, identity protection, and basic good
internet hygiene. The middle section is called "Moderately Important" and deals with things that are
still important but not urgent: encryption, backups, and communication. Finally, "Less Important" deals
with things that will give you added layers of security and privacy, but probably aren't critically
important if you're practicing the other procedures.
Important Disclaimers
It is important to note that privacy and security are not either/or concepts. Despite what some elitists
might try to claim, you can have some privacy while keeping a Facebook account, but not as much as if
you got rid of it. Likewise you can have some security without using multifactor authentication, but not
nearly as much as if you used it. Privacy and security are spectrums. No matter how much you go live
in a cabin in the woods, if you piss off the right person with enough resources they will find you. (Just
look at Ted Kaczynski.) The goal of this site/book is not to teach you to drop off the grid and live in a
cabin in the woods with no risks whatsoever. For one, that's not possible. For another, I would argue
that's not a life worth living. (If you disagree, don't let me stop you.) Rather this site/book is to help you
learn how surveillance and tracking works, how to opt out of it, and decide what the right level is for
you. Not everything here will apply to everyone, and that's okay. Even taking some of the steps moves
you further along that scale.
This site/book will be updated as often as necessary, and I will announce any major changes on my
blog (as well as a "this site was last updated on" date in the Links section). The same blog may also be
used to post commentary on important news, but I promise not to spam you with daily posts. I tend to
only post once per week on weekends, so feel free to subscribe via email if you want to keep updated.
My goal is not to pull the rug out from under you, but rather to keep this site relevant, current, and
accurate. I also post a daily feed of privacy- and security-related news articles that you can feel free to
follow to stay on the cutting edge of this ever-changing field.
Finally, I have made this book/site in good faith. I do not have any vested financial interest in any of
the services, products, or companies I have listed. For the following services I have listed referral
or affiliate links, which will offer me some sort of financial compensation if you sign up using the
links provided: privacy.com, ProtonMail, ProtonVPN, and SimpleLogin. I have also provided non-
affiliate or non-referral links immediately next to the product for those who are uncomfortable using
those links for any reason. I am not a cybersecurity expert of any kind, but I have invested thousands of
hours into research and testing. I also spend much of my time listening to discussions on various up and
coming technologies, news, and emerging developments.
Having said all that, please enjoy this site/book. I hope you find it useful, and if you have any questions
or respectfully-worded feedback, I welcome them all. Thank you, and I hope this helps you take back
some of your civil liberties.
https://www.thenewoil.xyz/about.html
Accessed February 19th, 2021.
Introduction
In the 1900s, oil was discovered in the state of Texas and revolutionized the US economy. Coming right
on the heels of the industrial revolution, oil had become one of the most valuable resources on the
planet, and that meant anyone who owned the land it was found on now found themselves in various
states of fortune. Texas grew from a mostly rural state to one of the most populous in the country, and
to this day still has several major cities in the top ten list.
The phrase "data is the new oil" is a bit controversial in tech circles, mostly for nit-picking reasons.
Detractors argue that unlike data, oil is a finite resource and that it is only valuable in bulk after being
refined. However, according to Forbes, the top most valuable brands in the world in 2019 were Apple,
Google, Microsoft, Amazon, and Facebook, all companies notorious for their data collection and
targeted advertising. No matter how you interpret it, data is a moneymaker.
Most of us are not strangers to the concept of surveillance capitalism and targeted advertising. Most of
us don't particularly care, either. After all, who wouldn't want relevant ads for movies or products that
might actually appeal to you or improve your life? The thing is, most of us don't understand the
aggressive measures these companies go to to create those marketing profiles, or the devastating effects
they can have on people.
It may sound paranoid, but it's actually a credible fact that entire companies exist simply to collect your
data and build profiles on you, and in their minds the ends will always justify the means. Often they
collect data in ways that range from questionable to straight-up illegal, collecting information that no
sane person would willingly consent to, but they do it in ways you can't detect. When your deepest,
most personal secrets are a data point for a marketing agency, abuse of any kind is only a small step
away, as could be seen in 2019 when the Egyptian government tracked opponents and activists through
phone apps, the Moroccan government spied on the phones of human rights defenders, and the Chinese
government hacked Asian telecommunications companies to spy on the Uighur, a minority Muslim
ethnic group living in China.
It sounds far-fetched, like something from a dystopian sci-fi movie, but just a few of the factual
methods of data collection include using high-pitched tones that only electronic devices (aka phones)
can hear to report how many people are watching a TV show, collecting sale information, tracking your
search history, tracking your car as you drive through the real world, tracking your phone as you
browse the store to see where you spend the most time, collecting your DNA from family heritage
testing services, selling your information to public data websites, government agencies selling your
driver's license information, and more.
"Wow," you may say, "that's intense. But why should I care? I have nothing to hide."
https://www.thenewoil.xyz/index.html
https://www.thenewoil.xyz/intro.html
Threat Modeling
In order for any of this site to make sense – and in order to know what tools are right for you – you
have to understand “threat modeling.” The term “threat model” is just a fancy way to say “what are
you hiding and who are you hiding it from?” For example:
• A journalist may want to protect their sources from harm or retaliation. Therefore their threat
model will include ways to avoid location tracking, encrypt or otherwise protect the uncensored
information they receive from their source, and other similar information that might reveal who
their source is or allow others to track them to their source.
• A member of law enforcement may protect their home location in a variety of ways to avoid
putting their families in danger from criminals seeking revenge or just general criminals with a
grudge against the system.
• An activist in a repressive country may take steps to hide their research, gatherings, or other
activities so the government can’t track their real identity so easily and use it against them.
• Most people are worried about identity theft and loss of financial resources through their bank
account. Some of their defensive strategies could include using a password manager, two-factor
authentication, and freezing their credit.
While threat modeling can be applied to a wide variety of situations (as shown above), on this site I
want to focus specifically on threat modeling for your personal data. The Electronic Frontier
Foundation defines data as “any kind of information, typically stored in a digital form. Data can include
documents, pictures, keys, programs, messages, and other digital information or files.” So with this in
mind, our threat model question becomes “what data am I protecting and from who?”
While there are basic “best practices” that do apply to almost (if not) everyone, there’s really no one-size-
fits-all threat model for everyone. Some people need more security or privacy, and some need less.
Most people want to find a healthy balance between protection and ease of use.
The threat model that I focus mostly on in this site is defense against common, non-targeted attacks.
The example I like to use is infamous serial killer Richard Chase. Chase stalked the Los Angeles area
between 1977 and 1978. One of the reasons he was so difficult to catch was because he didn’t have a
pattern. He said on record after he was caught that he would just cruise around neighborhoods until he
spotted a house he felt compelled to try. But here’s what made Chase odd: if the doors and windows
were locked, he would go on his way and try a different house. He didn’t force his way in.
My goal with this site is to teach you how to "digitally lock your doors and windows" to protect
yourself against the Richard Chases of the digital world. In other words, make yourself harder
to hack than the other guy so that hackers looking for an easy payday give up and move on to someone
else. That’s not to say that the tools and techniques I discuss can’t be used for more advanced threats,
but know that I’m not trying to teach you to be invisible, I’m trying to teach you to live a normal life
while being safe.
What’s your threat model? You can't know how to properly defend yourself against attacks if you don't
know what attacks you are likely to face. While I teach the basics here, some readers may need to
continue their education after my site, and all readers will have to examine the numerous tools and
techniques I share here to figure out which is best for them. You can't know any of that without
defining your threat model. So how do you determine your threat model?
1. What do I want to protect?
This is typically known as assets, and in my opinion those come in both physical and non-physical
forms. A physical asset would be something like a laptop, phone, or file cabinet - a place that holds the
data you wish to protect. A non-physical asset would be something like a bank account, email
account, or cloud storage backup account. You need to identify all your assets.
2. Who do I want to protect it from?
“Bad guys” is a pretty bad answer to this. Different types of bad guys have different resources and
motivations. For example, a typical "hacker" doesn't target you specifically (see Understanding Data
Breaches). A potential employer, on the other hand, is targeting you specifically. Try to be specific
when identifying the "who" of your threat model, and know that it can vary from asset to asset.
3. How bad are the consequences if I fail?
To use the examples from #2: the "hacker" is trying to steal all your money and maybe even open fake
accounts in your name that you will then be responsible for. Your prospective employer is simply trying
to decide if they want to hire you. Both are consequences, and both are serious, but they require
different levels and methods of defense. There's nothing wrong with going above and beyond the bare
minimum of defense, but make sure that you know what's actually necessary and likely and don't ruin
your relationships or mental health because you went too far. It's all about balance.
4. How likely is it that I will need to protect it?
This ties into both #2 and #3. An unrelated example: a person who shops online frequently and with
many different retailers will almost certainly have their card details stolen at some point. The need to
protect their card details, funds, and financial rating is extremely high, as the likelihood of attack is
extremely high.
5. How much trouble am I willing to go through to try to prevent potential consequences?
Not all threats warrant the same level of action and investment. This is the “cost/benefit analysis.”
Some security and privacy strategies involve much more work and may not be right for you depending
on your level of skill and the sensitivity of the information being protected. Always remember: nothing
is unhackable. Trying to protect all your data against everything all the time is impossible and
exhausting. Instead, the goal should be to find a balance where you protect against or mitigate the most
likely and most harmful threats as much as possible without harming yourself or those around you.
Renowned cyber expert Gene Spafford once famously said "The only truly secure system is one that is
powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even
then I have my doubts." Don't go crazy trying to be bulletproof. It's not possible. Find the balance
between security and privacy and quality of life.
In the coming pages of this site, I will offer you a variety of tools, how they can be used, and the pros
and cons of each. With your threat model in hand, I hope this site can help you decide which tools are
right for you to help secure and protect your data.
Large parts of this page were borrowed from or inspired by EFF’S Surveillance Self Defense Guide.
https://www.thenewoil.xyz/threatmodel.html
https://www.thenewoil.xyz/surveillance.html
Examples
Security without Privacy or Anonymity
The most obvious example of this, as I mentioned before, is Google. Google has had almost no major
data breaches in all their years of existence, yet they know almost everything about everyone to the
point that the former CEO Eric Schmidt remarked "We can more or less know what you're thinking
about." Google offers world-class security with zero privacy or anonymity.
Privacy without Anonymity
MySudo is, in my opinion, a great example of this. MySudo is non-anonymous. They can see your
messages, they can see your metadata, and if you sign up for their masked-card service, they know
exactly who you are. However, they help you protect your privacy by giving you phone numbers, email
addresses, and cards to give to other companies and individuals so that you can protect your real
information. The same goes for privacy.com, who allows you to use masked debit cards with literally
any information attached to them. Privacy has to know who you are by law to prevent fraud, so they're
not anonymous, but they can help you protect some of your privacy.
Anonymity without Security
Cash is a great example of this. Paying for a product in cash preserves your anonymity - unless the
business requires it, you don't have to give any kind of information at all. Yet, you have no security if
the seller doesn't deliver the item (unless you have a receipt). You have no protection from fraud or
anything like that.
Security & Privacy without Anonymity
Once again, I'm going to cite Signal. Because your phone number is required, you can be unmasked by
a court order or even a web search depending on the phone number you use. However, Signal is
renowned for having some of the best security in the world, and the content of your messages and the
information you transfer will be protected and controlled even if your identity is not.
Privacy without Security or Anonymity
Forgive me if this is a gross example, but think of using the restroom when you go camping. You can find
some bushes to hide behind and that will give you privacy, but have no security or anonymity. There is
nothing to stop anyone from finding you, and if the police decide to ask for ID you have no protection
from that request.
Security with Privacy & Anonymity
I would argue that XMPP is a perfect example of this. XMPP allows you to sign up without any real
information, over a VPN or Tor connection for total anonymity. Additionally, the conversations can be
protected by OMEMO encryption, meaning the data itself is also private. When used properly, this is as
close to perfect as you can get (if a bit user-unfriendly).
Closing Thoughts
As I said before, these three concepts are not necessarily dependent on each other. A secure product
does not guarantee privacy, a private product does not guarantee security, and anonymity does not
guarantee either. Also as I said before, there is nothing wrong with valuing one facet over another.
While I discourage it, it is okay to use Gmail because of Google's top-notch security even though it
offers no privacy. It's also okay to use Signal even though it doesn't give you total anonymity. Just be
sure you understand how a product is used. It would be awful to use Google thinking that it will give
your communications privacy and then your financial details get stolen by a rogue employee. Or if you
used a service like Signal to organize protests in a hostile country only to be arrested once your phone
number is unmasked with a warrant. Know the limitations of the services you choose and decide what
features are important to you.
https://www.thenewoil.xyz/privsecanon.html
https://www.thenewoil.xyz/oss.html
Wireless microphones, radios, cell phones, and even WiFi all fall under the “radio waves” section. All
of these devices use the same basic technology to work and the only thing that keeps them from
interfering with each other is that they operate on different sections of the radio frequencies.
Needless to say, your phone is pretty small, and trying to shoot out enough radio radiation to reach
anywhere in the world would be extremely damaging to your health, and would require your phone to
be literally massive, too big to be mobile. So instead, your small phone has a limited range, just enough
to connect to larger towers which in turn relay the signal where it needs to go. You’ve experienced this
limitation yourself whenever you lose reception in the middle of nowhere.
https://www.thenewoil.xyz/communication.html
https://www.thenewoil.xyz/most_important.html
https://www.thenewoil.xyz/data_breaches.html
KeepassXC
Getting Started
I suggest you stop what you're doing immediately and adopt secure passwords for your most
critical accounts. Bank, email, and other accounts you can't afford to live without. Do it right now
before you do anything else.
For the rest of your accounts, there are two main ways to go about it. The first is "all at once." Basically,
clear out an afternoon when the kids are at the movies and the spouse is out with their friends and
change everything all in one sitting. This isn't a bad idea, but it can be exhausting and mind-numbing.
For most people, I recommend the "as you go" approach where you change passwords as you use
them. For example, next time you log into Amazon, change your password. Then, next time you order
pizza, change that password. In time every account will have a unique, strong password.
https://www.thenewoil.xyz/passwords.html
andOTP
Pros:
• Open source
• Offers backups
• Available on F-Droid
Cons:
• Android only
Authenticator
Pros:
• Open source
• Supports time-based and counter-based passwords
Cons:
• iOS only
FreeOTP
Pros:
• Open source
• Android and iOS
• OTP codes are hidden until the user clicks on them, adding a small layer of additional security
• Available on F-Droid
Cons:
• The program is sponsored and maintained by Red Hat, which was purchased by IBM. Some users may
be put off by corporate involvement.
FreeOTP+
Pros:
• Open source
• Backups available
• Search feature
Cons:
• Android only
• Not available on F-Droid
Tofu
Pros:
• Open source
• Search function available to quickly and easily find the desired OTP code
Cons:
• iOS only
Getting Started
MFA can typically be enabled under the "Security" settings of your account, though it may sometimes
be under a similar but different setting such as "Login" or "Account." It also sometimes goes by other
names such as "two-step login" or "Authenticator App." Stop reading right now and go enable MFA
on your important email account(s). Seriously, right this second. If I hack your email account that
you use for banking, for medical communication, or for other critical things, I can lock you out and
take over your life. All I have to do is hit that little button that says "forgot password" and have them
email me a reset link. So you need to secure your important email accounts first and foremost.
My preferred strategy for implementing MFA on existing accounts is to start by enabling it on every
critical account first - email, banking, work accounts, etc. Take the time right now to decide what
accounts you absolutely cannot afford to lose access to and sit down and knock those out right now. For
less critical accounts like your personal Twitter or game accounts, I recommend you enable it next time
you use it. The idea of sitting down and knocking out hundreds of accounts at once is daunting, so
instead I advocate an "as you go" strategy to avoid being overwhelmed. Before you know it, you'll have
enabled it everywhere offered.
https://www.thenewoil.xyz/mfa.html
Cash
Step one is to use cash whenever possible. The advantages of cash are numerous. For one, cash has
been proven to help people spend less, so it'll save you money. Another is that it keeps you from
overspending by removing the possibility. One common fear is that by carrying cash you make yourself
a target for mugging. Frankly, this is ridiculous. Criminals don't have x-ray vision. They don't know if
you're carrying credit cards, cash, or how much.
My strategy is to figure out how much cash I'm likely to need during any given pay period - gas,
groceries, entertainment, etc - and withdraw that amount at my local ATM. Of course I am giving away
a general location of where I live by doing that, but all my other transactions remain private. How
much I drink can't be used against me in health insurance quotes in the future, nor can how much I
drive be determined based on my gas purchases, or any other number of invasive facts about my private
life. Additionally, I never have to worry about my card being skimmed at a machine.
Online Payments
Of course, cash can't be used everywhere, primarily online. In those situations, you have a variety of
options. If you live in the United States, I recommend Privacy.com (non-referral link). The service
is free, they make their money from transaction fees from the vendor at no cost to you (just like a
normal credit card would), as well as a premium tier of services and features. The service links to your
bank account and allows you to create digital debit cards that can be limited by total, month, per-
transaction, or one time use (or unlimited, if you so choose). The cards link to the vendor they're used
at, so for example if you use a card on Amazon and Amazon suffers a data breach, the card can't be
used anywhere else. It's essentially useless to the hacker. Likewise, since each vendor will require a
unique card, a stolen card number doesn't require you to cancel your card, get a new one, and
painstakingly update every service you use. Just cancel the one and update it with almost no disruption
to your daily life. For European readers, Michael Bazzell mentions Revolut, although this service does
seem to come with a flat monthly fee. One of my Canadian contributors also mentioned PayAware.
They cautioned me that it does not allow for false information the way Privacy.com does but it's still a
way to safely use an online card without risking your regular card.
Some people may not be comfortable giving their bank information to a third party, or may live in a
country where Privacy.com doesn't operate. In those situations, I would recommend using pre-paid
gift cards or Visa vanilla gift cards, paid for in cash. You also have a variety of pre-paid digital
options. Among the ones I would recommend are MySudo, Abine Blur, Neteller, and for European
readers Kevin Mitnick suggests ViaBuy (Neteller should also work in Europe). Note that none of these
situations, including Privacy.com, is actually totally private the way cash is. Somewhere along the line
a trail has been created that, with enough effort, can be traced back to you, so don't use this as an
excuse to do anything illegal. This is purely to throw off automated tracking systems and protect your
card number from being stolen in a data breach.
https://www.thenewoil.xyz/payments.html
https://www.thenewoil.xyz/credit.html
https://www.thenewoil.xyz/mobile.html
Android 9.0
NOTE: Due to the nature of Android devices, the exact layout of the menu may vary from device to
device, but here's how the Samsung Galaxy 8+ worked:
• Connections: Bluetooth: Off
• Connections: NFC and payment: Off
• Connections: More connection settings: Nearby device scanning: Off
• Connections: More connection settings: printing: default print service: Off
• Connections: More connection settings: Private DNS: Try one from PrivacyTools.io's list
• Notifications: (select app): In-app notification settings: Show: Name only or No name or
message
• Lock screen: Screen lock type: Try to set a password if possible, otherwise use a six-digit PIN
• Lock screen: Smart Lock: Don’t enable
• Lock screen: Secure lock settings: Lock Automatically: Yes
• Lock screen: Secure lock settings: Lock Automatically: Auto factory reset
• Lock screen: Secure lock settings: Lock Automatically: lock network and security: On
• Lock screen: Secure lock settings: Lock Automatically: Show lockdown options: Off
• Lock Screen: Contact information: Leave this blank unless you have a good reason not to
• Biometrics and security: No biometrics at all
• Biometrics and security: Find My Device: I recommend no unless you're prone to losing your
devices
• Biometrics and security: Secure folder: Couldn't hurt, but up to you
• Biometrics and security: Secure startup: Enable
• Biometrics and security: Encrypt SD Card: Yes
• Biometrics and security: Privacy: Location: Off (If you need it on for certain apps, then enable
it but disable location permissions in all the apps that don't need it)
• Biometrics and security: Privacy: App permissions: Go through each app and reevaluate their
permissions
• Biometrics and security: Privacy: Send diagnostic data: Off
• Biometrics and security: Other security settings: Set up SIM card lock
• Biometrics and security: Other security settings: Security policy updates: Auto update
• Accounts and backup: Backup and restore: Back up my data
• Advanced features: Send SOS messages
• Advanced features: Emergency mode
By enabling all of these settings, you are significantly reducing the amount of tracking and data
collection these devices handle. Keep in mind that you're not completely eliminating it, but you're
reducing as much as you reasonably can.
https://www.thenewoil.xyz/settings.html
E-Mail
• Encrypted email provider of your choice. Please see the "Encrypted Messaging" page for more
information on this subject.
Text messaging
• Encrypted Messenger of your choice. Please see the "Encrypted Messaging" page for more
information on this subject.
I encourage you to remove as many unused or infrequently-used apps from your phone as possible.
Mobile apps are proven to be a security risk, so the more unnecessary apps you have, the more you're
putting yourself at risk. If you don't use it often or at all, just delete it. Additionally, if your phone is
stolen and unlocked, having sensitive apps like work email and banking can offer immense
insight into your life and risks allowing further abuse or theft. Just skip the headache altogether
and remove as many apps as you can live without.
https://www.thenewoil.xyz/apps.html
Disclaimers
Before I go any further, I'm sure some of my more experienced users will ask why I recommend
Firefox and not Waterfox, Iceweasel, or any number of other Firefox variations. The answer simply
comes down to security updates. Firefox will receive important security updates faster than a
downstream variation such as Waterfox. Other experienced users will ask why I don't recommend
Brave (see below), Ungoogled Chromium, or regular Chromium. There are several answers. For one,
personal ethics. I think competition and decentralization makes the world a better place. For another,
ease of use. Not including Brave, Chromium and Ungoogled Chromium are both very difficult to set up
on a mainstream operating system like Mac and Windows. Not to mention they also suffer the same
downstream security delay as Waterfox and Iceweasel. And of course, let's not forget that Firefox-based
browsers allow you to edit the about:config, meaning that more experienced users will have more
control over the customization and privacy of their browser. Even though I don't cover this on my site,
my hope is that my readers will eventually outgrow this site and make those changes in the future.
I also want to take a moment to acknowledge Mozilla's imperfection. Below in my "Honorable
Mention: Brave" section, I mention that Brave has made some questionable business choices. I want to
be fair and not gloss over the fact that Mozilla has also drawn some heat from the privacy community.
They regularly draw criticism for making their telemetry opt-out rather than opt-in, but personally I
find the most troubling incident to be the fact that they pay their CEO over $3 million USD per year as
a salary and yet are struggling to be financially solvent. This strikes me as very irresponsible, and it
jeopardizes the future of the entire project. There are other, nitpicky complaints, but I won't list them all
here. The point is, I want to be transparent and fair to everyone: I recommend Firefox because they get
security patches faster than any of the forks and because I believe it is the most flexible and can be
made the most private compared to a Chromium-based browser. This is not to say Mozilla is the ideal
company or that I support everything they do, but I believe it is the best option we currently have.
Plugins
Let's start with plugins. I think this is where users will get the most bang for their buck. Let's begin by
installing uBlock Origin, a powerful, lightweight ad- and tracker-blocker. Ads may seem like a minor
inconvenience to you, but actually misleading ads are a common method of delivering malware and
tracking. There is even such a thing as "drive-by malvertising" where malicious ads can infect
your computer without you even clicking on anything, as well as a recent rash of malware being
implanted via social media sharing buttons, so it’s best just to block them altogether (and it makes
your browsing experience much more pleasant). Once installed, open the plugin and open the settings.
Be sure to enable "Prevent WebRTC from leaking local IP addresses" and "Block CSP reports." Now
click on the tab “Filter lists” and enable everything under “Built-In,” “Ads,” "Privacy," “Malware
domains,” “Annoyances,” and "Multipurpose." I would also recommend checking the "Regions,
languages" section if you live outside North America and enable for your location, too.
If you've taken my advice to use Firefox, the next plugin to install is going to be Firefox Multi-Account
Containers. This one is going to require much more work to set up, but it will be worth it. The
basic idea of Containers is that cookies (and other site storage) set inside one container are only
visible inside that container, which prevents cross-site tracking between containers. How you decide
to set it up is completely up to you, but here are some tips I recommend: first, I recommend grouping
combined accounts together. For example, Gmail and YouTube rely on the same account, so I would
simply create a single "Google" container and set it to open all Google sites in that container. Second,
I encourage you to find lists of subsidiary companies owned by the big five data-collecting tech
companies and group them together. For example, IMDb is owned by Amazon, so I would set IMDb to
open in my Amazon container. Third, I recommend setting up your search engines in a single "search"
container so that your random searches are all contained to that single container, even if you click on
any links and navigate away. Finally, I recommend creating containers for any individual leftover sites
that you frequent. For most people, containers are very helpful and once configured will cause little or
no problems and provide extensive protection. I also recommend you install Temporary Containers to
catch the things that your configured containers will miss.
The next plugin is LocalCDN. Many websites load common JavaScript libraries such as jQuery from
third-party content delivery networks (CDNs) run by Google, Microsoft, and others, and every such load
tells that CDN which site you are on. LocalCDN intercepts those requests and serves copies of the
libraries bundled with the extension instead, so the third party never sees the request. If all that went
over your head, just know that this blocks a large number of trackers without any configuration or
interaction required on your end. Just install it and let it run.
The next plugin, ClearURLs, removes tracking parameters from the URLs you share. One of the many
ways that companies track people on the internet is with tracking links. For example, if I send you a
link on Facebook, that link carries extra parameters that do nothing for you; they exist only so
Facebook can tie the click back to you and log what it sees about whoever opens it: which device, what
IP address, what operating system, and more. This plugin automatically strips many of those junk
parameters and leaves only the parts the site actually needs, helping respect the privacy of your friends
as you share with them.
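To make concrete what "stripping the junk" means, here is an added example (not code from The New Oil or from the ClearURLs project) that does the two things a URL cleaner has to do: unwrap a redirector link, whose real destination travels in a query parameter, and then drop parameters that exist only for tracking. The parameter names, the redirector hostnames and the sample link are constructed for the example; ClearURLs itself uses a much larger, per-site rule file.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed list of common tracking parameters, modelled on the kinds of
# rules ClearURLs ships. This is an illustration, not ClearURLs' actual rule
# set, which is a large, regularly updated file with per-site rules.
TRACKING_PARAMS = {
    "fbclid", "gclid", "dclid", "msclkid", "mc_eid", "mc_cid",
    "igshid", "yclid", "_hsenc", "_hsmi", "vero_id", "ref_src", "ref_url",
}
TRACKING_PREFIXES = ("utm_", "pk_", "mtm_")

# Some "links" are really redirectors: the real destination travels in a
# query parameter, and the redirector logs whoever follows it. Facebook's
# l.php?u=... is the classic example (hostnames listed here are assumptions).
REDIRECTOR_PARAMS = {
    "l.facebook.com": "u",
    "lm.facebook.com": "u",
}


def is_tracking_param(name: str) -> bool:
    lname = name.lower()
    return lname in TRACKING_PARAMS or lname.startswith(TRACKING_PREFIXES)


def clean_url(url: str) -> str:
    """Unwrap known redirectors, then strip known tracking parameters."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # parse_qsl already percent-decodes values, so the inner URL of a
    # redirector comes back ready to be parsed again.
    params = parse_qsl(parts.query, keep_blank_values=True)

    redirect_key = REDIRECTOR_PARAMS.get(host)
    if redirect_key:
        for key, value in params:
            if key == redirect_key and value.startswith(("http://", "https://")):
                return clean_url(value)  # recurse: the inner URL may carry trackers too

    kept = [(k, v) for k, v in params if not is_tracking_param(k)]
    # Facebook appends "#_=_" to links it rewrites; that fragment carries no
    # content, but a real page anchor such as "#install" must survive.
    fragment = "" if parts.fragment == "_=_" else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), fragment))


if __name__ == "__main__":
    # Constructed sample: a Facebook-style redirector wrapping a link that
    # itself carries a utm_ parameter.
    shared = ("https://l.facebook.com/l.php?u=https%3A%2F%2Fexample.org%2Farticle"
              "%3Futm_source%3Dfb%26id%3D42&h=AT0abc")
    print(clean_url(shared))  # https://example.org/article?id=42
```

The reason the real extension is rule-based rather than a flat list like this one is that a few sites genuinely need parameters that look like trackers; a blanket list occasionally strips something a page depends on, which is exactly the kind of breakage per-site rules avoid.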
The final plugin only needs to be installed if you are not using Firefox 83 or later (which has the
equivalent built in; see "HTTPS-Only Mode" below). You can check which version you're using under
the "General" page of your browser settings. HTTPS Everywhere is a plugin that forces websites to use
secure connections whenever possible. Once it finishes installing, click on it and enable "Encrypt All
Sites Eligible." You can still access insecure sites with this setting enabled, but it'll bring up a big
warning page first, which allows you to make the decision over whether or not it's worth the risk. Over
87% of the internet uses HTTPS, so this warning page should be very rare. As such, this is also, in my
opinion, the least important plugin to have, but it's nice to know when a site is trying to redirect you
somewhere insecure.
Settings
Settings are probably just as important as plugins. Start by going to Options (called Preferences on
some platforms). On the first tab, "General," scroll all the way to the bottom where it says "Network
Settings." Open these by clicking the gray "Settings" button, scroll to the bottom, and check the box that
says "Enable DNS over HTTPS," then choose "NextDNS" if the option is available (Cloudflare is fine if
not). Keep in mind what this does and doesn't do: your DNS lookups are hidden from your ISP, but they
now go to the resolver you picked, which sees every name you look up instead. Click "OK," then go
down to the "Search" tab on the left. Under "Default Search Engine," select "DuckDuckGo," then
uncheck "Provide search suggestions." I also recommend removing all the other search engines listed
under "One-Click Search Engines." Please resist the urge to stick with Google Search as a default:
Google is one of the top privacy offenders, and they will collect and store all your searches and use
them to build a profile about you. Finally, visit the "Privacy & Security" tab on the left. The first
section is "Enhanced Tracking Protection." Click the third option, "Custom," set Cookies to "All
third-party cookies," set Tracking content to "In all windows," and turn on Cryptominers and
Fingerprinters. (Blocking all third-party cookies occasionally breaks a site that logs you in through a
different domain; the shield icon in the address bar lets you turn protection off for that one site.)
Finally, at the bottom, under "HTTPS-Only Mode," click "Enable HTTPS-Only Mode in all
windows."
There are also a lot of usage-reporting settings that are enabled by default. These statistics are reported
to Mozilla for the purpose of improving the browser. However, if you are uncomfortable submitting
that data (and I totally understand), you can disable it in several ways. First, under the "General" tab,
scroll all the way down to "Browsing." Make sure to uncheck "Search for text when you start typing,"
"Recommend extensions as you browse," and "Recommend features as you browse." In the "Home" tab,
uncheck "Top Sites" and "Highlights." Finally, under "Privacy & Security," under "Firefox Data
Collection and Use," uncheck everything.
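Clicking through these settings on every machine you own is error-prone, and Firefox reads a file named user.js from the profile directory at startup that sets the same preferences. The following is an added example, not something from The New Oil or from Mozilla: a small script that renders the settings described above into that file. The preference names are the ones Firefox exposes in about:config; the Cloudflare resolver URL is the one Firefox's own DoH option uses, and if you use NextDNS you should substitute the endpoint your NextDNS configuration gives you. The default search engine is stored elsewhere (in search.json.mozlz4), so that one step stays a manual one.

```python
from pathlib import Path

# Firefox preference names corresponding to the settings described above.
# Values are what the GUI choices set. Substitute your own NextDNS endpoint
# for the resolver URL if you chose NextDNS in the GUI.
PRIVACY_PREFS = {
    # Network Settings > Enable DNS over HTTPS
    # (2 = DoH with fallback to the system resolver; 3 = DoH only, which
    # breaks captive portals and split-horizon corporate DNS more often)
    "network.trr.mode": 2,
    "network.trr.uri": "https://mozilla.cloudflare-dns.com/dns-query",
    # Search > Provide search suggestions
    "browser.search.suggest.enabled": False,
    # Privacy & Security > Enhanced Tracking Protection > Custom
    "privacy.trackingprotection.enabled": True,         # tracking content, all windows
    "privacy.trackingprotection.cryptomining.enabled": True,
    "privacy.trackingprotection.fingerprinting.enabled": True,
    "network.cookie.cookieBehavior": 1,                 # 1 = block all third-party cookies
    # Privacy & Security > HTTPS-Only Mode in all windows
    "dom.security.https_only_mode": True,
    # General > Browsing
    "accessibility.typeaheadfind": False,               # search for text when you start typing
    "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons": False,    # recommend extensions
    "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features": False,  # recommend features
    # Home > Top Sites / Highlights
    "browser.newtabpage.activity-stream.feeds.topsites": False,
    "browser.newtabpage.activity-stream.feeds.section.highlights": False,
    # Privacy & Security > Firefox Data Collection and Use
    "datareporting.healthreport.uploadEnabled": False,  # technical and interaction data
    "app.shield.optoutstudies.enabled": False,          # studies
    "browser.discovery.enabled": False,                 # personalized extension recommendations
    "browser.crashReports.unsubmittedCheck.autoSubmit2": False,  # backlogged crash reports
    "toolkit.telemetry.enabled": False,                 # locked on release builds; harmless to set
}


def render_pref(name, value):
    """Render one user_pref() line. bool is checked before int because in
    Python bool is a subclass of int and would otherwise print as 0/1."""
    if isinstance(value, bool):
        literal = "true" if value else "false"
    elif isinstance(value, int):
        literal = str(value)
    elif isinstance(value, str):
        literal = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    else:
        raise TypeError(f"unsupported pref type for {name}: {type(value).__name__}")
    return f'user_pref("{name}", {literal});'


def render_user_js(prefs) -> str:
    lines = ["// Generated user.js: re-applied on every Firefox start, overriding prefs.js."]
    lines += [render_pref(k, v) for k, v in sorted(prefs.items())]
    return "\n".join(lines) + "\n"


def write_user_js(profile_dir, prefs=PRIVACY_PREFS):
    """Write user.js into a Firefox profile directory. Close Firefox first;
    it rewrites prefs.js on exit and reads user.js on the next start."""
    target = Path(profile_dir) / "user.js"
    target.write_text(render_user_js(prefs), encoding="utf-8")
    return target


if __name__ == "__main__":
    print(render_user_js(PRIVACY_PREFS))
```

Because user.js is re-applied at every start, anything you later change in the GUI for one of these prefs is silently reverted on the next launch; that is the point of the file, but it surprises people who forget it is there.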
That's it. We're done, we've created a reasonably secure browser, and to top it off, this concludes the
"Most Important" section of the book/site. If you've done all this, you can rest easy knowing you've
made yourself a fairly difficult target to compromise digitally and moved yourself into the top
tier of private and secure internet users.
https://www.thenewoil.xyz/browser.html
Understanding Metadata
Earlier on the site, I cited a statistic that 87% of the web is encrypted. This means that when you visit,
say, Facebook, your Internet Service Provider (ISP) can see that you visited and how long you hung
out for, but they can't see your login credentials (username and password) or which exact pages you
went to. This is done with Transport Layer Security, or TLS, a powerful and increasingly popular
encryption protocol used online. It's quite effective and difficult to break.
So in effect even the average person has, generally speaking, a basic level of powerful security in
their online lives (which is why I listed installing HTTPS Everywhere as "Most Important"). This begs
the question that privacy enthusiasts everywhere have come to despise like nails on a chalkboard: "why
should I care?" If your sensitive details such as password and credit card number are safely encrypted,
who cares if your ISP or the Starbucks IT guy can see what websites you visit? (Spoiler alert: see the
introduction.)
For starters, because TLS only protects data in transit; it ends at the endpoint. When you connect to
Amazon, your ISP can see that you visited Amazon, but not what you bought or your card number.
Amazon, however, can see it all without restriction. But more importantly, often you don't need to see
the content itself to start making powerful and dangerous inferences.
What is Metadata?
This information in question is called “metadata,” sometimes described as “data about the data.”
Maybe I can’t see exactly what you said in your email, but I can see who you emailed, what time, and
the size of the email. And on the surface it doesn’t seem so bad. Who cares if you know that I emailed
my mom at 7pm and the email was 7KB?
As is the case with most privacy and security concerns in the modern era, the problem isn’t so much
what’s collected but rather how it has the potential to be used. Take this excellent article from the
Electronic Frontier Foundation, for example. A couple examples they list of metadata that has the
potential to be too revealing include:
• They know you called a gynecologist, spoke for a half hour, and then called the local Planned
Parenthood's number later that day. But nobody knows what you spoke about.
• They know you got an email from an HIV testing service, then called your doctor, then visited
an HIV support group website in the same hour. But they don't know what was in the email or
what you talked about on the phone.
• They know you called the suicide prevention hotline from the Golden Gate Bridge. But the
topic of the call remains a secret.
(Lifted directly from EFF's Surveillance Self-Defense page)
As you can see, metadata has the potential to be just as revealing as content itself, and therefore
should be protected just as much as the actual data. You might say to yourself, “You said potential
abuse, do you really think that’s likely?” The answer is absolutely, 100% without a doubt, not-
just-being-paranoid: "yes." China is already notorious for their incredibly invasive, 1984-like “Social
Credit System.” The United States is starting to implement the use of your social network in insurance
industries. Oh, and the United States is working on their own “Social Credit System” too. So yeah,
metadata is an important part of your attack surface that you need to consider as you protect your
privacy and security.
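The two claims above (an on-path observer sees which sites you visit and for how long, and a sequence of innocuous-looking records becomes revealing) are easy to demonstrate. What follows is an added example, not code from The New Oil or the EFF: a handful of constructed connection records of the kind an ISP or coffee-shop router sees for TLS traffic (timestamp, the server name from the TLS handshake, bytes each way; no content, no passwords), grouped into visits and scanned for the EFF pattern of several sensitive contacts inside a short window. The hostnames and the "sensitive" category list are made up for the example. Note that DNS over HTTPS does not change this picture: the server name still travels in the clear in the TLS handshake unless the site and browser both support Encrypted Client Hello.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: ISO timestamp, TLS server name (SNI), bytes sent,
# bytes received. Everything here is visible to an on-path observer despite
# TLS; nothing here is page content.
FLOW_LOG = """\
2021-02-20T19:02:11 www.facebook.com 1820 54210
2021-02-20T19:02:14 www.facebook.com 910 120330
2021-02-20T19:25:40 www.facebook.com 640 8800
2021-02-20T19:31:05 www.hiv-testing.example 1200 64000
2021-02-20T19:33:50 mail.example.org 7400 2100
2021-02-20T19:48:02 support.hivgroup.example 2300 91000
2021-02-20T21:10:00 www.facebook.com 500 7000
"""

# Constructed category map, the kind of list an advertiser or data broker
# maintains. Only the hostname is needed to apply it.
SENSITIVE = {
    "www.hiv-testing.example": "health",
    "support.hivgroup.example": "health",
}


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        ts, host, sent, received = line.split()
        flows.append((datetime.fromisoformat(ts), host, int(sent), int(received)))
    return flows


def sessions(flows, gap=timedelta(minutes=15)):
    """Group flows per host into visits: a new visit starts after `gap` idle.
    Each visit records when it started, when it was last seen, and total bytes,
    which is how "you visited Facebook at 7pm for about 25 minutes" is derived."""
    by_host = defaultdict(list)
    for ts, host, sent, received in sorted(flows):
        visits = by_host[host]
        if visits and ts - visits[-1]["last_seen"] <= gap:
            visits[-1]["last_seen"] = ts
            visits[-1]["bytes"] += sent + received
        else:
            visits.append({"start": ts, "last_seen": ts, "bytes": sent + received})
    return dict(by_host)


def sensitive_sequences(flows, window=timedelta(hours=1)):
    """Find runs of two or more sensitive-category hosts contacted within
    `window`. No single record is damning; the sequence is the inference."""
    hits = [(ts, host) for ts, host, _, _ in sorted(flows) if host in SENSITIVE]
    runs = []
    for i, (ts, host) in enumerate(hits):
        run = [host] + [h for t, h in hits[i + 1:] if t - ts <= window]
        if len(run) >= 2:
            runs.append((ts, run))
    return runs


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for host, visits in sessions(flows).items():
        for v in visits:
            print(f"{host}: {v['start']:%H:%M} to {v['last_seen']:%H:%M}, {v['bytes']} bytes")
    for ts, run in sensitive_sequences(flows):
        print(f"{ts:%H:%M}: {' -> '.join(run)}")
```

The 15-minute idle gap and the one-hour window are tunable guesses, which is the honest state of this kind of analysis: the observer does not know your sessions exactly, but does not need to, because the inference is about patterns, not precision.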
So What to Do?
There's no surefire or one-size-fits-all solution to protecting your metadata. It depends, as with
most things on this site, on what you're using and who you're trying to hide from. It's safe to assume
that any digital action creates metadata, so if your threat level is high enough, don't trust any digital
medium. This is one reason that Edward Snowden chose to deliver his documents in person. However,
if it is safe or necessary to use digital communications, there are two general methods of handling
metadata: ephemeral and obfuscation.
Ephemeral metadata refers to metadata that is not logged and therefore - in theory - goes away
after a certain period of time. For example, reputable VPN providers and messengers delete metadata
very quickly and only use it as needed to make the service work. This is desirable but should not
always be trusted. For example, a sophisticated enough adversary can watch your traffic in real time
and record the metadata before it even goes to the service provider or log the metadata the provider
collects before it disappears. This is unlikely unless your threat level is very high, but it is possible.
Instead, ephemeral metadata should be used in conjunction with obfuscation of metadata.
Obfuscation of metadata refers to metadata that has been changed to give off false or misleading
information. A good example is using a VPN or Tor browser to access a website: the website now
thinks your IP address is that of the VPN provider or exit node. However, this is actually much
trickier than it first appears and requires a more expanded knowledge of the types of metadata
collected. For example, some apps, and any device on the same local network, can see your MAC
address. On computers these are fairly easy to randomize and manipulate. On phones, not so much. So
even if you use a VPN on your phone, your phone's IMEI, a unique number that can't be changed,
similar to a serial number or MAC address, may still be collected by multiple apps, thereby identifying
your phone across each service. (Recent versions of iOS and Android no longer let ordinary apps read
the IMEI, but it remains visible to your carrier.) This is one reason I encourage using your phone as
little as possible. You also have to consider other permanent identifiers, such as usernames. If two
usernames are repeatedly communicating with each other on a service, even if the IP and content
change, that log of communication can still be revealing. This is where ephemeral metadata comes back
into the picture: a service that doesn't keep logs won't have records of two users communicating.
Again, this is all very complicated and requires a lot of thought.
Most of us probably don’t need to be 100% anonymous for any reason, but it's a good idea for us to
protect our metadata just as much as our actual communications whenever possible. I wish I had
some concrete advice, but instead it simply comes down to asking yourself “what metadata am I giving
up and to whom?" Using a VPN means you're transferring a considerable amount of your metadata away
from your ISP and over to your VPN provider. Assuming you use a reputable, trustworthy VPN
provider, that’s a good strategy. Encrypted emails are the same thing. Many of these companies will
surrender what they can if given a warrant, but reputable companies rarely have much to turn over
aside from a few login locations and times. It’s a multi-layered approach but it’s one worth considering
until technology can catch up to protect our metadata by default.
https://www.thenewoil.xyz/metadata.html
Understanding Encryption
Encryption is basically using a code to hide your data. For example, when you were young, you may
have used a hidden language to pass notes to your friends in class. Maybe A=1, B=2, etc. Or maybe
you even drew your own unique symbols. Those are, technically, a type of encryption. Weak
encryption, but still encryption nonetheless. Modern encryption, like the AES cipher or the Signal
protocol, is significantly more advanced, but at its root the concept is the same: we're replacing easily
understood words with complex substitutes and, in a perfect world, you can only figure out
how to turn them back into the easily understood words with a "key," which explains the code. In
the grade school example I gave earlier, the "key" is knowing that A=1, B=2, and so forth. In more
advanced software encryption, the key is a long random-looking value that the software derives from
your password or passphrase, which is why a weak passphrase means a weak key no matter how strong
the cipher is. This is, of course, a tremendously high-level overview that dramatically oversimplifies
things, but it gets the basic point across.
Encryption is a central concept in this section and privacy in general, specifically what's called
"End-to-End Encryption" or "E2EE" (also sometimes marketed as "zero-knowledge," although that term
means something different to cryptographers). Technically a majority of the internet is encrypted when
using HTTPS. Additionally, most services and websites offer at least a basic level of encryption when it
comes to things like saving passwords, credit card information, and even sending messages. The thing
is, those types of encryption only work against outsiders. Facebook messages, for example, are
encrypted to anyone outside of Facebook. Google can't read them, the random hacker can't read them,
but Facebook employees can read them as if you sent it to them. E2EE defeats this. E2EE messages can
ONLY be read by you and the recipient, provided you used the service correctly. Even the provider
can't read them. For example, if both you and the recipient are using ProtonMail to email each other,
Proton can't read the body of your emails (the subject line and the addresses involved are still visible
to them; that is the metadata problem discussed above).
Encryption, however, is not limited simply to your communications. Encryption can be used on your
various devices to protect them when not in use. I briefly mentioned encrypting your mobile devices in
the last section, but in this section I'll talk more about encrypting your other devices.
https://www.thenewoil.xyz/encryption.html
Accessed February 20th, 2021.
Using VeraCrypt
In this section I'll talk you through how to encrypt an external device using VeraCrypt. In the future
I hope to add a section on full-disk encryption, but until I'm able to get that, try this video tutorial.
To encrypt an external device, run VeraCrypt, go to the "Volume Creation Wizard" under the Tools
menu, and select "Encrypt a non-system partition/drive." Pick "Standard VeraCrypt Volume," then
"Create encrypted volume and format it." Please be aware: this will wipe all the data already on your
drive, so I recommend only using this with a fresh, empty drive. Next, make sure the encryption
algorithm is set to AES and the hash algorithm to SHA-512 (the hash is what VeraCrypt uses to turn
your password into the encryption key, so it matters even though it isn't what encrypts your data),
select a good password on the next screen, then pick your file system format. If you're only using
Windows systems, NTFS is the best choice. If you plan to switch between various operating systems
like Mac or Linux, then exFAT is the better choice; note that it is FAT32, not exFAT, that can't hold
files over 4 GB, which is the reason to prefer exFAT for a drive that will carry large files. After making
this choice, simply continue on and follow the prompts accordingly.
NOTE: when you encrypt a system drive (rather than an external one), VeraCrypt will require you to
create a "Rescue Disk," which you can write to a USB stick. I highly encourage you to do so and to
store it somewhere safe. Even something as simple as a routine update has the potential to go wrong,
and the only way to recover your data will be to decrypt the drive using this disk.
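The "key is your password" idea from the encryption section and the SHA-512 choice in the VeraCrypt wizard are the same thing seen from two sides: the password is not the key, it is the input to a slow, salted key-derivation function (PBKDF2 with the hash you picked) whose output is the key. The following is an added example, not code from The New Oil or from VeraCrypt, that reproduces just that derivation step in isolation using the standard library. It is not VeraCrypt's header format, and the iteration count is reduced from the 500,000 that VeraCrypt's documentation lists for SHA-512 on non-system volumes so that it runs in well under a second; the check-value construction is a generic illustration of how software verifies a passphrase without storing the key.

```python
import hashlib
import hmac
import os

# Reduced from VeraCrypt's documented 500,000 iterations (SHA-512, non-system
# volume) so the example is fast; the slowness is the point in real use, since
# every guess an attacker makes has to pay the same cost.
ITERATIONS = 20_000
KEY_BYTES = 64  # room for an AES-256 key plus a second key for XTS mode


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512: the passphrase never is the key, it only seeds it."""
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def make_check_value(key: bytes) -> bytes:
    """A keyed tag over a fixed string lets a passphrase be verified without
    storing the key itself. Volume headers do something similar by checking
    a magic value inside the decrypted header (generic illustration, not
    VeraCrypt's exact layout)."""
    return hmac.new(key, b"volume-header-check", "sha256").digest()


def new_volume_header(passphrase: str):
    """Return (salt, check value) for a fresh volume. The salt is random and
    stored in the clear; VeraCrypt also stores a 64-byte random salt."""
    salt = os.urandom(64)
    return salt, make_check_value(derive_key(passphrase, salt))


def unlock(passphrase: str, salt: bytes, check: bytes) -> bool:
    """Constant-time comparison so a wrong guess does not leak how wrong."""
    return hmac.compare_digest(make_check_value(derive_key(passphrase, salt)), check)


def differing_bits(a: bytes, b: bytes) -> int:
    """How many bits differ between two keys; nearly half for unrelated input."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


if __name__ == "__main__":
    salt, check = new_volume_header("correct horse battery staple")
    print(unlock("correct horse battery staple", salt, check))  # True
    print(unlock("correct horse battery stapl", salt, check))   # False
    k1, k2 = derive_key("pass", salt), derive_key("pasS", salt)
    print(differing_bits(k1, k2), "of", KEY_BYTES * 8, "bits differ")
```

Two things to take from running it: changing a single character of the passphrase changes roughly half the bits of the key, so there is no "almost right" passphrase; and the salt is what stops an attacker from precomputing keys for common passphrases once and reusing them against every volume.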
https://www.thenewoil.xyz/devices.html
Protection: Backups
Backups are probably not a foreign concept to most of us. Even if we don't keep them ourselves we've
heard of them, had them preached at us, and kicked ourselves for not keeping them when our
computer suddenly dies unexpectedly or our phone finds its way into the wash.
To develop good backup habits, first you need to decide how much space you need. If you're only
worried about backing up important text files and financial documents, you probably don't need more
than a few gigabytes. If you'll be backing up videos and pictures, you'll want something more in the
hundreds of gigabytes or few terabytes range.
Next, you'll need to decide how often you need to back up and how far back you need to keep
your backups. This will play a part in deciding your storage size. Even if your one-time backup is
small, keeping weekly copies can add up quickly. Decide if you want to keep a specific amount of
backups (ex: six-month's worth of weekly backups) or just the most recent however-many it can hold
(or less), with the oldest ones being deleted to make space for the newest ones.
Third, you'll need to decide if a cloud-based or a local storage solution is better for you. Clouds
have the advantage of being safe from local disasters: burglaries, fires, etc. If your home gets robbed or
floods, a cloud will probably be unaffected by that. But on the other hand, you do run the risk of data
breaches, or the service disappearing one day without warning if you pick a smaller, newer service.
Finally, come up with a system. Windows and Mac have features that allow you to automate the
backup process, including frequency, which files to include, and where to store them. Mobile devices
will have to be backed up manually. These are fine systems to put in place; just remember that if your
backup destination is encrypted, it has to be unlocked when the scheduled backup runs, or the backup
can't take place. If you decide to manually handle your backups, be sure to set regular reminders so you
don't forget.
The 3-2-1 Rule
The 3-2-1 Rule is a good rule of thumb when considering how to organize your backups effectively.
You should have 3 copies of your data - 2 backups plus your daily-use copy. You should have 2
separate formats for your backups - such as an external harddrive and a cloud copy. Finally, you should
have 1 of those copies offsite - again, a cloud copy or a USB at a friend's house - in case of physical
damage or disaster at your location.
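The 3-2-1 rule and the retention question raised earlier (keep a fixed number of weekly copies, or keep the most recent ones and drop the oldest) are both things worth checking mechanically rather than by memory. The following is an added example, not code from The New Oil, with a constructed inventory of where copies live and a constructed run of daily snapshot dates: one function reports which part of 3-2-1 an inventory violates, the other decides which dated snapshots a simple "last week daily, then one per week" policy would delete.

```python
from datetime import date, timedelta

# Constructed inventory of every copy of the data. "primary" marks the
# working copy, "medium" the kind of storage, "offsite" whether the copy is
# away from the primary location.
COPIES = [
    {"name": "laptop SSD",      "medium": "internal disk", "offsite": False, "primary": True},
    {"name": "external HDD",    "medium": "external disk", "offsite": False, "primary": False},
    {"name": "encrypted cloud", "medium": "cloud",         "offsite": True,  "primary": False},
]

EXAMPLE_TODAY = date(2021, 2, 20)


def check_3_2_1(copies):
    """Return the list of 3-2-1 violations; an empty list means the rule holds."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; need 3 (working copy plus 2 backups)")
    backups = [c for c in copies if not c["primary"]]
    media = {c["medium"] for c in backups}
    if len(media) < 2:
        problems.append("backups are all on one kind of medium ("
                        + (", ".join(sorted(media)) or "none") + ")")
    if not any(c["offsite"] for c in backups):
        problems.append("no backup copy is offsite")
    return problems


def daily_snapshots(end, days):
    """Constructed input: one snapshot per day for `days` days ending at `end`."""
    return [end - timedelta(days=i) for i in range(days)]


def prune_snapshots(snapshot_dates, keep_daily=7, keep_weekly=26, today=None):
    """Return the snapshots to delete under a simple retention policy: keep
    everything from the last `keep_daily` days, then one snapshot per ISO week
    for the last `keep_weekly` weeks, and drop everything else."""
    today = today or date.today()
    keep, seen_weeks = set(), set()
    for d in sorted(snapshot_dates, reverse=True):   # newest first, so the
        age = (today - d).days                        # newest of each week wins
        if age < keep_daily:
            keep.add(d)
            continue
        week = d.isocalendar()[:2]                    # (ISO year, ISO week)
        if age < keep_weekly * 7 and week not in seen_weeks:
            seen_weeks.add(week)
            keep.add(d)
    return sorted(d for d in snapshot_dates if d not in keep)


if __name__ == "__main__":
    print(check_3_2_1(COPIES) or "3-2-1 satisfied")
    doomed = prune_snapshots(daily_snapshots(EXAMPLE_TODAY, 30), today=EXAMPLE_TODAY)
    print(len(doomed), "of 30 snapshots would be deleted")
```

The deletion list is returned rather than acted on deliberately: a backup script that deletes on its own judgement is exactly the kind of automation that needs a dry run first.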
https://www.thenewoil.xyz/backups.html
Windows 10
• System: Shared experiences: Share across devices: Off
• Devices: Typing: Everything off
• Devices: AutoPlay: Off
• Phone: Do not link
• Network & Internet: Use random hardware addresses: On
• Apps: Startup: Go through each app and see if you need it to start automatically when the
computer does. If not, disable it. This will help your computer boot faster
• Accounts: Use a local account when possible, when signing up on a new computer, disconnect
internet to force local account
• Accounts: Sign-in options: Require sign-in: When PC wakes up from sleep
• Accounts: Sign-in options: Password: Use a passphrase
• Accounts: Sign-in options: Privacy: Show account details on sign-in screen: Off
• Privacy: General: All off
• Lock Screen: Contact information: Leave this blank unless you have a good reason not to
• Privacy: Diagnostics & feedback: Diagnostic data: Basic (called "Required" in newer builds)
• Privacy: Diagnostics & feedback: Improve inking & typing recognition: Off
• Privacy: Diagnostics & feedback: Tailored experiences: Off
• Privacy: Activity history: All off
• Privacy: Location: Location service: Off
• Privacy: Camera: Check permissions
• Privacy: Microphone: Check permissions
• Privacy: Account info: Allow apps to access your account info: Off
• Privacy: Contacts: Allow apps to access your contacts: Off
• Privacy: Calendar: Allow apps to access your calendar: Off
• Privacy: Call history: Allow apps to access your call history: Off
• Privacy: Email: Allow apps to access your email: Off
• Privacy: Tasks: Allow apps to access your tasks: Off
• Privacy: Messaging: Allow apps to access your messages: Off
• Privacy: Radios: Let apps control radios: Off
• Privacy: Other devices: Communicate with unpaired devices: Off
• Privacy: Background apps: Off
• Privacy: App diagnostics: Off
• Privacy: Documents: Allow apps to access your documents library: Off
• Privacy: Pictures: Allow apps to access your picture library: Off
• Privacy: Videos: Allow apps to access your video library: Off
• Privacy: File system: Allow apps to access your file system: Off
• Update & Security: Windows Security: Firewall & network protection: Firewall on for all three
network profiles (Domain, Private, Public)
• Download WindowsSpyBlocker and run it. Select option 1 "Telemetry," then option 1
"Firewall," and finally options 1 and 2, "Add extra rules," "Add spy rules." After that's done,
type "back" to go back to the previous menu, then select option 2 "NCSI," then select either
option 2 or option 3, "Apply Debian NCSI" or "Apply Firefox NCSI."
• Download DNSCrypt. I recommend using Simple DNSCrypt for most users. So click that link,
download the .msi(x64 Installer). Install it, then launch it when done. Under "Main Menu:
Configuration" ensure all boxes are checked. In the settings (the gear icon in the top right)
ensure "Start SimpleDNSCrypt in tray" and "Check for updates on startup" are checked.
• Advanced users who want more granular control and feel comfortable making extreme changes
may want to look into W10Privacy.
By enabling all of these settings, you are significantly reducing the amount of tracking and data
collection these devices handle. Keep in mind that you're not completely eliminating it, but you're
reducing as much as you reasonably can.
https://www.thenewoil.xyz/desktop.html
Session
Pros:
• Open source
• Completely free
• Available on all operating systems
• Sign-up is forcibly, completely anonymous
• Designed to be metadata resistant
• Decentralized
Cons:
• Not audited
• Very early project, still under active development, so expect some bugs and glitches
• Recently removed multi-device support until they can work out more bugs
• Allegations have been made of the developer's connection to and active support of the alt-right
community
Encrypted Email
Why encrypt your inbox, especially since most other people don't? Email providers like Google,
Yahoo, and others regularly read your emails for a variety of purposes such as advertising and training
their AI. The fact that these communications are readable by employees (even if only certain ones)
means that any sensitive information is not safe and can be potentially stolen.
In the United States, police do not need a warrant to access emails older than six months. The fact that
they can access these emails without your knowledge or consent means a hacker could, too. Even if the
people you contact aren't using encryption, it's a reduction (not elimination) of risk to have your inbox
encrypted in the way an encrypted email provider offers. If your inbox gets caught up in a data breach,
an encrypted inbox will still be protected.
The most important thing to consider when deciding on an encrypted email provider is to make
sure the provider promises "zero knowledge" or "end to end encryption." This means that the
provider can't read your emails even if they want to without you giving them technical access.
Make sure to see how the provider makes money. Running an email server is expensive and requires
great technical knowledge. "If a product is free, you are the product." Make sure the company has a
viable business plan or else assume they are likely selling your data, which compromises your privacy
and security.
If you want to take full advantage of encrypted email services, be sure to pick a provider that is also
being used by the people you email regularly. Having an encrypted inbox protects the mail sitting in
your account against warrantless searches and data breaches, but a message to someone on another
provider is only protected while it travels; on their side it is stored in plaintext. If you want the email to
be encrypted from start to finish, you'll both need to be using the same service or a common protocol
such as PGP.
CTemplar
• Open source
• Works with PGP
• Based in Iceland
• Anonymous sign-up
• Anonymous payments
• Audited
• Offers a free tier
Mailbox.org
• Based in Germany
• Open source
• Works with PGP
• No free tier
• Not audited
ProtonMail (Non-Affiliate Link)
• Open source
• Offers a free tier
• Includes a free-tier VPN account
• Based on PGP (you can securely email other providers as long as the recipient is using PGP)
• Based in Switzerland
• Offers a way to start secure communication with non-Proton users
• Audited
Tutanota
• Open source
• Offers a free tier
• Does not work with PGP
• Offers a way to start secure communication with non-Tutanota users
• Based in Germany
Getting Started
Encrypted instant messaging is probably the easiest one to get started with. Sign up with the
service of your choosing then invite your friends. In my experience, I've had a lot of success getting my
friends to switch with a humble, no-ultimatum plea. "Hey, I've decided I want to start improving my
privacy and security. I don't like Apple/Google/Verizon/Sprint/Whoever reading my messages so I'd
like to switch to Signal. I'd really appreciate it if you did, too, when talking to me. I'd even be happy to
help you set it up." In my experience, most people are willing to humor you when you frame it that
way. I don't recommend being obnoxious. Don't say "Switch to Signal or I'm gonna stop talking to
you." Don't expect strangers to jump through hoops either. I've seen people who tell potential dates that
they will only talk via PGP-encrypted messaging and then wonder why they can't get laid. Learn to
pick your battles and how to kindly ask people to respect your wishes for more privacy.
Encrypted email is simultaneously easier and harder to get started with. It's easier because you
don't have to convince anyone else to join you (though I think you should, everyone should care
about their privacy). It's harder because to do it effectively requires you to change all your email
addresses manually. Just like with using strong passwords and multifactor authentication, I recommend
changing emails as you use a service. Next time you check your bank account, update your email. Next
time you log in to social media, change your email. I also encourage you to go to your old email and
set up email forwarding to your new account, that way in case you overlook any accounts you'll still get
the email and be reminded to update them.
https://www.thenewoil.xyz/messaging.html
Protection: Voice-over-IP
This section, to me, wavers somewhere between "optional" and "critical" depending on your situation.
If you are a freelancer, if you're still dating around, if you work in a high-profile or sensitive position, if
you're job hunting, or any other similar situation, this section is critical for you. I would define a
"similar situation" as any situation where you hand your phone number out frequently to
strangers or you have an increased need for privacy (such as the "high profile position" caveat). If
you don't feel you fall into this category, consider this section "not mandatory but highly
recommended."
Voice-over-IP is the technology allowing phone calls to be sent over the internet rather than phone
protocols. The capability has been around for decades and has actually been extremely common in the
commercial world as an efficient way to manage multiple phone numbers in office environments. The
technology has recently started to become popular with cell phones as a way to circumvent needing to
"use minutes," and even more recently has become popular for its privacy implications.
Advantages of VoIP
Using VoIP is a great way to compartmentalize your life. For example, using a VoIP number
exclusively for dating is a great way to protect against potential stalkers. Rarely will a
manipulative or dangerous person reveal this on the first date. You may not start seeing red flags for
quite some time. As such, a VoIP number is handy here. The person won't be able to research the
number and find any information about you, and once you start to see the red flags you can cut off the
number and lose them before you put yourself in danger.
Another handy feature of VoIP is the professional protection. As a freelancer, I can give out my work
phone number to anyone who wants it and not have to worry about an angry client doxxing me or
discovering any personal aspects of my life that I may not want them to know. Consider this: in some
states, public records are so open that many people search websites are able to connect your phone
number to your voter records and publish your registered party online. I, personally, try to be apolitical
in my professional life, and I would hate for a client to not hire me based on my political leanings
without getting to know me first. I have frequently worked for clients who openly voice different
political opinions than me and almost all of them have become regular customers. Imagine if I'd lost
that reliable income stream because they looked my number up online and decided to pass based on a
snap judgment of me exercising my legal rights.
Additionally, on the topic of work, with many people now working from home, a VoIP number allows
you to create and enforce a healthy work/life balance. I do not have my work email on my phone,
and if after-hours calls or texts ever become an issue, I can set my VoIP number to turn off after hours
so that it doesn't even ring. My coworkers would have no choice in this situation but to wait for me to
decide to check my messages and contact them. It should go without saying that I don't recommend this
if your job actually demands that you be on call, such as an EMT or tech support, but in all other
situations this can be a great way to enforce those healthy boundaries.
Note: None of these options are highly privacy respecting, and none of them are open source. As
explained below the table, VoIP is not meant to be a replacement for encrypted messaging. As such,
I'm presenting a wide range of options for your consideration, but be aware that none of them are truly
private or safe.
Product/Service: Pros and Cons
Listed in alphabetical order, not order of recommendation
Google Voice
Pros:
• US and Canada
• Unlimited numbers available
• Free
• Forwards numbers to your SIM
Cons:
• No group chats
• No video chats
• App only
• No disappearing messages
• No privacy, requires Google
• Based in The United States
Viber
Pros:
• Group chats
• Video chats
• Desktop client
• Zero-knowledge
• End-to-end encrypted (to other Viber users)
• Disappearing messages
• Worldwide usage
• Independent of your SIM number
Cons:
• External messaging and calling cost extra
• Only one number available
• Based in Japan
Getting Started
Almost across the board, I recommend MySudo. It is available for both iOS and Android, and usable
plans (meaning plans that will give you the ability to communicate with non-MySudo users, which is
most people) begin at $1 USD per month, or $10 per year. I would recommend SudoPro or SudoMax
($5/$50 and $15/$150 respectively) for most people depending on your needs. Pro will probably suit
most people, as it allows 3 phone numbers which can be used for work, personal, and other. More
advanced readers may want the 9 numbers allowed by Max. If you're on a tight budget, I
recommend Google Voice. This will allow you to create VoIP numbers that forward to your real
number. If you live outside the US, UK, or Canada, then Viber is the clear choice.
https://www.thenewoil.xyz/voip.html
Accessed February 20th, 2021.
SimpleLogin
AnonAddy (Non-Affiliate Link)
• Open source
• Supports PGP
• Multiple recipients
• Works with custom domains
https://www.thenewoil.xyz/email.html
Accessed February 20th, 2021.
Sharing Information
Another important digital habit to change is the handing out of information. I'm not opposed to
sharing your life or picture online. I have a personal Mastodon account where I share my day-to-day
and I even have a selfie as my profile picture. But think about what you're sharing and what it reveals.
Back in the early days of social media, it was common that people would publicly share that they were
going on vacation for a week, so criminals in the area would find their house and rob it while they were
gone. That exact crime may or may not live on, but the principle still does. One woman had a stalker
find her because she took a selfie where the street sign was visible. Again, I'm not saying don't share
things online, but be mindful of what information is visible in the photo, such as a company logo
on your shirt or financial information in your screenshot.
Social Media
While I am opposed to mainstream social media services for a number of reasons, I understand that
sometimes you have no choice in using them. My recommendation would be to not use the apps
whenever possible, post as little as possible, and make your profile as private as possible.
If you feel the need to have social media, try checking out the decentralized and more privacy-
respecting Fediverse. This is a volunteer-run, peer-to-peer social networking system, and one of the
coolest things about it (in my opinion) is the way it interacts universally. Imagine if you had a Twitter
account but wanted to follow someone on Instagram. In mainstream social media, you have to sign up
for Instagram. On the Fediverse, you can follow them from your own platform even without having an
account with that service. For Twitter fans, I recommend Mastodon. For Instagram fans, PixelFed.
Facebook users might feel more comfortable on Friendica and YouTube users might find new content
on PeerTube.
Search Engines
Change your default search engine. Google tracks all of your searches and records them, and these are
all added to your profile to create a more complete picture of you as a person; your likes, dislikes,
interests, and more. Try a privacy-respecting, no-logging search engine such as SearX, or MetaGer.
DuckDuckGo and Startpage are popular search engines that claim to be privacy-respecting, but due to a
wide variety of past questionable actions of both and the availability of better options that are stable and
user friendly, I don't particularly encourage them.
Account Hygiene
Delete any and all unused accounts. This includes old social media accounts, library accounts, work
accounts, and services you signed up for once and never used again. If you can't delete them for
whatever reason, change their passwords to secure ones and hold onto them somewhere safe. My only exception to
this is that I recommend holding onto old email accounts. You never know what you once used them
for and when you might need them again for that purpose. It's better to have them stored safely behind
a strong password and 2FA and not need them than to need them and not have access anymore.
https://www.thenewoil.xyz/habits.html
Accessed February 20th, 2021.
Protection: Disinformation
I mentioned in my online habits section the concept of knowingly handing out false information. This
is probably one of the most powerful techniques for preserving your privacy in a digital world.
However, it's important to understand how to use this properly lest you land yourself in some hot legal
water.
What Not to Do
Never knowingly give false information on a legal document, to a law enforcement officer, to a federal
agency, to the IRS, or to medical personnel. Honestly that pretty much sums it up. When using
disinformation as a strategy, the main question to ask yourself is "does this person need the
information they are requesting?" Does a cop need your real name when pulling you over? Yes. It's
illegal to lie to the police when they are performing official duties. Does your doctor need your real
contact information? Yes. Does the IRS need your real social security number? Absolutely. Does
Facebook need your phone number? Absolutely not.
What to Do
In almost all situations, the best defense is invisibility. Rather than providing false information, you
should seek to provide as little information as possible. When being asked to fill out a form, don't be
afraid to ask "what information on this is actually mandatory? What parts do you need?" Privacy is
becoming less stigmatized these days as data breaches continue to happen on an almost-daily basis. As
long as you're not obnoxious, most clerks will be willing to find out what information is mandatory.
Sometimes this is pretty obvious. Again, does Applebee's actually need your email? No, not really.
Does your doctor actually need your home address? Maybe not. Maybe a PO Box is okay. Ask.
Once you know what information is required, you're now faced with the decision only you can
answer of what information to provide and what to fake. Like many people, I do my fair share of
online shopping. A name and address is needed, so I use a generic name and a PO Box. An email and a
phone number are both required. For email, I'll use an email masking service. After all, I do want
updates on my item and I can always delete the address if it gets too spammy. For phone number, I use
my area code plus 867-5309, which is from a hit 80's pop song. They don't need my number. They have
my email (so they think). They have a way to contact me with any problems. I'm probably too busy to
answer during the day anyways.
What about taking my cats to the vet? I book the appointment online using a masked email. If any
phone numbers are required, I give a fake number. If any address is required, I have a hotel nearby
saved in my notes. I pay in cash. I don't need the vet selling my information to various pet-care
companies who are going to spam me with crap they don't need. They're cats. Give them an empty egg
crate in the sun and they're happy.
Finally, an important part of this strategy is to have both excuses and addresses on hand for
everything. I have a list of numbers and addresses saved in my notes. If someone asks for one I haven't
memorized, I pull out my phone and make the excuse "sorry, I just moved so I haven't memorized my
address yet" or "sorry, I just switched phone providers and I haven't memorized my new number yet." I
like to have a variety of addresses to pull from in the local area. Some are quite close by. Others are in
surrounding towns up to an hour away. Whatever backs up my story. Public libraries, hotels, and other
public buildings are all great choices here. Typically only official businesses - like the DMV or a bank -
will be verifying those addresses, and in those situations you shouldn't be lying anyways.
Remember: the big question is "does this person need this piece of information?" Treat every request
for information as a data breach waiting to happen.
https://www.thenewoil.xyz/disinformation.html
Accessed February 20th, 2021.
If You Must
If you decide that you want a smart device, or for some reason you are unable to locate a dumb version
of the device, there's several key pieces of conventional wisdom that will help to dramatically increase
your privacy and security while using said devices.
• Make sure to change all default passwords and login information. Most devices - including
routers - come with a default username and password. There are free databases all over the
internet (and manuals) that disclose this information to anyone, meaning criminals and hackers
have easy access to the admin privileges of those devices. Change the default password (and
username, if possible) using a password manager to prevent easy access.
• Go through every setting on your device and make sure that you have disabled all settings that
share data and analytics.
• Make sure all your devices are set to auto-update. If there is no auto-update option, set a
reminder to periodically check for updates and install them when they become available.
• Buy a router that supports "VLANs," which are virtual second networks. Without going into
detail, putting two devices on separate VLANs (for example, a computer and a TV) makes the
devices act and think as if they are in completely separate locations. The devices are completely
isolated from each other on the network, so if one gets compromised the other is safe. Ideally
you'll want to have all your IoT devices on one VLAN, then all your network devices (phones,
laptops, etc.) on another. IoT devices requiring network connectivity (such as smart TVs or
assistants) can still be given network access through the router's settings.
• Make sure to couple all this advice with other advice on this site (for example, use a forwarding
email to set up your accounts and use strong passwords and two factor authentication on all
accounts).
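The VLAN isolation described in the list above, written out as an added example that is not part of The New Oil site: an nftables ruleset for a Linux-based router that keeps an IoT VLAN and a trusted VLAN apart while still letting IoT devices reach the internet. The interface names (wan, br-lan, br-iot) and address ranges are assumptions for illustration; your router will use its own.

```nft
#!/usr/sbin/nft -f
# Added example, not from The New Oil. Assumed interfaces:
#   wan    - upstream internet link
#   br-lan - trusted VLAN (phones, laptops), 192.168.10.0/24
#   br-iot - IoT VLAN (smart TVs, assistants), 192.168.20.0/24

flush ruleset

table inet filter {
    chain forward {
        # Default deny: anything not explicitly allowed between VLANs is dropped.
        type filter hook forward priority 0; policy drop;

        # Keep replies to connections that were already allowed.
        ct state established,related accept

        # Both VLANs may reach the internet through the WAN interface.
        iifname { "br-lan", "br-iot" } oifname "wan" accept

        # Trusted devices may open connections to IoT devices
        # (for example, a phone controlling a smart TV).
        iifname "br-lan" oifname "br-iot" accept

        # IoT devices may never initiate connections to the trusted VLAN.
        # Logging the attempt is useful: a smart bulb probing your laptop
        # is a sign that the bulb has been compromised.
        iifname "br-iot" oifname "br-lan" log prefix "iot-to-lan blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide both private ranges behind the router's public address.
        oifname "wan" ip saddr { 192.168.10.0/24, 192.168.20.0/24 } masquerade
    }
}
```

The important design choice is the default-drop forward policy: the trusted VLAN is reachable from the IoT VLAN only for replies to connections the trusted side opened, so a compromised device cannot scan or attack your laptops. The log line gives you a cheap detection signal; watching the kernel log for the "iot-to-lan blocked" prefix tells you when a device starts behaving unexpectedly.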
https://www.thenewoil.xyz/iot.html
IVPN
• Open source
• Audited
• Available on all operating systems
• Based in Gibraltar
• Supports Wireguard (cutting edge new VPN protocol)
Proton (Non-Affiliate Link)
• Available on all operating systems
• Based in Switzerland
• Offers a limited number of free servers
• Open source
• Audited
• Offers split-tunneling
https://www.thenewoil.xyz/vpns.html
Accessed February 20th, 2021.
Final Thoughts
Technology in general, especially cyber security and data privacy, is a constantly evolving
landscape. Laws change, technologies change, and companies start, go under, or change owners. That's
one of the reasons I wanted to present this site as a book: it's not enough just to list some apps and say
"use this." You have to understand why they work, or how to use them correctly. Everybody has a
different "threat model," aka "what am I protecting and from whom?" Signal is a great
communication app for someone who needs security but not so much anonymity. I wouldn't
recommend Signal to someone with a stalker or who is trying to anonymously whistleblow (without
some extra steps, at least).
You also have to understand that because of the ever-changing landscape of this field, things come and
go. Encryption algorithms get cracked, companies change owners and start keeping logs, or techniques
become obsolete. I will strive to keep this site updated as often as possible, and significant updates will
be posted about in my blog. You can also follow my daily feed for news and discussion on current
privacy-related events, as well as joining my Matrix room and Telegram room for group discussions.
Thank you for reading. I hope you found this site helpful. Please consider supporting my project at
the links on the next page, contact me with any questions or comments, or check out the other
resources listed.
https://www.thenewoil.xyz/final.html
Accessed February 20th, 2021.
Contact Information & Helpful Links
Resources
Books
• Extreme Privacy by Michael Bazzell
• Click Here to Kill Everybody by Bruce Schneier
• Data and Goliath by Bruce Schneier
• The Art of Invisibility by Kevin Mitnick
• The Age of Surveillance Capitalism by Shoshana Zuboff
• The Personal Digital Resilience Handbook by David Wild
Websites
• Linux Journey
• Prism-Break
• The Privacy, Security, & OSINT Show
• Privacy Subreddit
• Privacy Tools
• Surveillance Self Defense by EFF
• That One Privacy Site
Podcasts/Videos
• Chris Were Digital
• The Great Hack
• The Hated One
• Kill Chain: The Cyber War on America's Elections
• Nothing to Hide
• The Social Dilemma
• Techlore
• Terms and Conditions May Apply
Contact
• Blog
• Podcast
• Mastodon
• TheNewOil@ProtonMail.com
• PGP Key
• TheNewOil@Tutanota.com
Support
• Bitcoin (BTC)
• Patreon
Note: I do not encourage the use of Patreon. Please consider Liberapay instead.
• Liberapay
Upcoming Events
Event: The New Oil Presents: Taking Control of Your Data
Date/Time/Location: May 15, 2021, 2:00PM CST, Twitch
Notes:
• This event is expected to last one to two hours
• This event is free of charge
Still overwhelmed? Unsure of where to start or what tool is right for you? I offer personalized
consulting and coaching.
This site last updated February 19, 2021
Changelog
https://www.thenewoil.xyz/links.html
Accessed February 20th, 2021.