If you’re interested in protecting your privacy online, you need to operate with a privacy mindset. One of the best ways of doing that is by learning from the book The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin D. Mitnick. I’d like to share my summary of the book with you. I also encourage you to read the book for yourself!

Note: this post contains affiliate links.


Book Summary

This book is packed with strategies and tactics for increasing your digital security and privacy. It instills a privacy mindset. Each chapter raises awareness by explaining some privacy challenges in a not overly-technical way, usually with specific examples or stories, then gives instructions and advice on how to protect your privacy in the face of those challenges.

Average computer and phone users will likely be overwhelmed; this book is most useful to those whose tech-savviness is above average. But, even average users will find useful tips and the privacy mindset.

You’ll quickly learn that the title of Chapter 14 is very true: obtaining anonymity is hard work. Mitnick explains that,

A persistent attacker will succeed given enough time and resources. … All you are really doing by trying to make yourself anonymous is putting up so many obstacles that an attacker will give up and move on to another target.

Mitnick says Rule #1 is

To be invisible online, you more or less need to create a separate identity, one that is completely unrelated to you. … you must also rigorously defend the separation of your life from that anonymous identity.

Even though the book offers a wealth of privacy-protecting measures, you can still benefit by acting on a subset of them. It’s not an all-or-nothing proposition.

Here are my notes from the book.

Your Password Can Be Cracked

Haveibeenpwned.com will tell you whether any of your accounts have been compromised.

Use passwords of 20-25 random characters.

Use a password manager (Mitnick likes Password Safe and KeePass, which run locally and aren’t cloud-connected).

Use a PIN of more than 4 characters to lock your phone. 7 characters is good. Use letters and numbers if your phone allows.

If you use a lock pattern, use a complex, non-obvious pattern.

Phone biometrics are vulnerable, so use them as a second factor, not the only one.

Provide creative (or false) answers to security questions.

If someone hacks your email: 1) reset password, 2) check Sent folder to see what hacker sent, 3) see if hacker set up any forwards.

Use two-factor authentication (2FA) or multi-factor authentication (MFA). An authentication app (such as Google Authenticator) is more secure than receiving authentication codes by SMS (text message).

Use a separate device (such as a Chromebook or tablet) for working with finances (and maybe medical matters) online.

Who Else Is Reading Your E-mail?

Use PGP, OpenPGP, or GPG to encrypt email.

When you encrypt a message (email, text, phone call), use end-to-end encryption. There are PGP browser plugins such as Mailvelope.

You can hide your IP address by using a proxy, a remailer (such as Mixminion), or Tor (torproject.org, the Orbot app for Android, the Onion Browser app for iOS).

Use Tor on a separate device.

Wiretapping 101

Signal app is a free VoIP system with end-to-end encryption for iOS and Android.

If You Don’t Encrypt, You’re Unequipped

Text (SMS) messages aren’t private. They’re sent unencrypted and are stored by carriers for some amount of time.

All popular messaging apps encrypt data in transit, but not all use strong encryption, and most don’t encrypt data at rest. WhatsApp provides end-to-end encryption, and Facebook Messenger provides it if you opt in to “Secret Conversations.”

Whisper, Secret, and Telegram apps aren’t secure and private enough.

Look for messaging apps that provide off-the-record (OTR) messaging and perfect forward secrecy (PFS). Mitnick recommends ChatSecure, Signal, and Cryptocat.

Now You See Me, Now You Don’t

HTTPS Everywhere browser plugin forces HTTPS whenever possible, and can secure otherwise insecure connection negotiation.

Beware free proxy services. When using a commercial proxy service, read its privacy policy, looking for how it handles data in motion and how it responds to law enforcement and government requests for information.

Set privacy options in Google account, and/or use DuckDuckGo, which doesn’t track users.

Every Mouse Click You Make, I’ll Be Watching You

One way to minimize tracking is to browse in a virtual machine (VM).

NoScript plugin blocks ads and third-party referrers, reducing tracking.

Adblock Plus browser plugin blocks potentially dangerous ads, but Adblock tracks you.

Ghostery browser plugin allows you to limit tracking.

Use a variety of email addresses tailored to individual purposes to make it harder for marketers and hackers to build a profile of you.

Cookies from normal browsing will apply to private mode browsing.

Consider removing cookies on a case-by-case basis to limit tracking. You should delete referrer cookies and super cookies. CCleaner can help.

Don’t use social sign-in options (e.g., OAuth) on websites, because if someone hacks your social account they can access all those linked sites.

Browser extensions Facebook Disconnect and Facebook Privacy List for Adblock Plus give you control over what you share with Facebook.

Browser plugins CanvasBlocker and CanvasFingerprintBlock block canvas fingerprinting.

Use cryptocurrency (e.g., Bitcoin) to pay anonymously.

Pay Up Or Else!

If your router has an open/guest network, lock down its settings or disable it.

Update router firmware regularly.

Change WiFi name (SSID) to something that doesn’t identify you or the make and model of the router. Change router admin username and password. Use WPA2. Disable WiFi Protected Setup (WPS).

It’s easy for malicious software to activate camera and microphone on computers and mobile devices. Put tape over cameras when not in use.

In general, don’t respond to unsolicited messages requesting personal info. Instead, contact the alleged sender through a known trustworthy channel (e.g., a public phone number) to ensure they actually sent the request.

Keep full backups of PCs and mobile devices as precaution against ransomware.

It’s difficult to decrypt ransomware, so consider paying the ransom if you don’t have a backup.

Believe Everything, Trust Nothing

Don’t use unencrypted public WiFi, at least not for anything involving personal data. Instead, use your cellular connection or personal hotspot.

Disable your device’s automatic connection to saved WiFi networks, or delete saved WiFi networks when you no longer need them, so your device doesn’t connect to malicious networks with the same name as saved networks.

Consider using a virtual private network (VPN) when using others’ WiFi. Make sure it uses PFS. Check the provider’s logging policy: make sure it doesn’t retain traffic or connection logs, and doesn’t make data available to law enforcement (if it can, that means it logs). Mitnick named OpenVPN, TorGuard, and ExpressVPN.

Turn off WiFi when you don’t need it, to avoid being tracked by your MAC address.

To be invisible, prior to connecting to any WiFi you should change your MAC address to one not associated with you.

Never use public PCs for anything sensitive. Assume they have malware.

You Have No Privacy? Get Over It!

To request that photos of you be removed from a website, email abuse@domain.com, admin@domain.com. If they don’t remove photos, email dmca@domain.com, or file a DMCA request with the website’s host or ISP.

Limit personal info you put in social media profiles. Set privacy settings. Don’t display your birthday.

Be very careful whom you friend or connect with on social media, as they instantly get access to a lot of personal info.

Disable location broadcasting in all apps or for entire phone.

Review Android app permissions before deciding whether to install.

iOS is much more secure than Android (if you don’t jailbreak your Apple device).

You Can Run but Not Hide

Periodically delete location history from your phone.

Wearables (fitness bands, smart watches, etc.) can track your location. Lock down privacy settings.

Hey, KITT, Don’t Share My Location

Mass transit isn’t anonymous unless you pay with cash, or with a commuter card you paid for with cash.

Car infotainment systems store info (including your contacts) from paired phones. Don’t pair your phone with cars that aren’t yours. Delete data from infotainment system before you sell car.

The Internet Of Surveillance

Change default username and password on all Internet of Things (IoT) devices.

Most smart TVs record audio in the room while they’re on, and transmit that audio unencrypted to the manufacturer. To stop this, disable voice recognition in settings.

Turning your phone off should prevent it from eavesdropping, but to be sure, pull the battery out.

Listening software and devices (Google Assistant, Siri, Cortana, Alexa, etc.) record audio searches/questions/commands indefinitely.

To avoid eavesdropping, put tape over cameras and put dummy mic plug (cut-off end of headphones) in mic jack.

Delete voice data from Amazon Echo devices before you get rid of them (do this in your Amazon account).

When possible, turn off voice activation feature in voice-activated devices, to limit eavesdropping.

DIY home security systems that use your home network and home Internet connection are vulnerable to being disabled or triggering false alarms.

Things Your Boss Doesn’t Want You To Know

Your employer probably monitors you, so if you’re concerned about privacy, don’t do anything personal at work, or use a personal device with your own cellular connection.

IMSI catchers (such as StingRay) are used by law enforcement to see which phones were at locations, such as protests.

Skype is monitored by the NSA.

Securely wipe drives of printers, copy machines, video conferencing systems, etc. before getting rid of them.

Encrypt files before sharing them via file sharing services if you don’t want the NSA reading them. Even when services encrypt data in transit or at rest, the service provider has the keys, and can access or give access to your files.

SpiderOak provides 100% data privacy (they have no knowledge of your password and data).

Obtaining Anonymity Is Hard Work

VeraCrypt can create a visible or hidden encrypted folder.

On iPhone, set a password for encrypted iTunes backups to prevent someone from backing up your phone to their PC without your knowledge.

When traveling, take your laptop with you everywhere. If you must leave it somewhere, power it completely off so an attacker can’t dump the memory to get your drive encryption keys.

The Tails OS can be booted up on any modern computer and not leave any forensically recoverable data on the hard drive. Run Tails from a USB drive or DVD.

Windows BitLocker is OK for the average user, but isn’t ideal because it’s privately owned and may contain back doors, and you must share your key with Microsoft unless you pay $250.

Other disk encryption software: PGP Whole Disk Encryption, WinMagic, Apple’s FileVault 2.

Don’t let encryption software save its keys to the provider’s online account, as that grants them access to your data.

Encryption is often enough to foil common thieves, but not dedicated governments.

Hotel safes aren’t much safer than keeping items in your suitcase in your room.

Loyalty cards track your purchasing habits. Register with a false name, address, phone number to prevent data from being linked to you.

Don’t install software updates when on others’ WiFi, unless you use your own cellular connection to verify from the vendor’s site that the update is legit. If update isn’t critical, wait to install when you’re on a trusted network.

Mastering The Art Of Invisibility

Protonmail.com and tutanota.com provide email accounts without identity verification. Use Tor to get to the sites to register anonymously.

Further Reading

I recommend that you read the book, The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin D. Mitnick.

The Resources page has additional cybersecurity and privacy books.


What You Should Do

Read the book. Yes, I’ve summarized it here, but that’s not a substitute for reading the book. The book includes specific examples or stories that will help you better understand the material, and more effectively adopt a privacy mindset.

Here are several tips I’ve hand-picked from the book. The list is long because the book is packed!

  1. Use Have I Been Pwned to see if any of your accounts have been compromised. Change passwords or take other action as necessary.
  2. Use passwords of 20-25 random characters.
  3. Use a password manager (Mitnick likes Password Safe and KeePass; I like LastPass; there are others).
  4. Lock your phone with a PIN of more than 4 characters; 7 characters is good. Use letters and numbers if your phone allows. If you use a lock pattern, use a complex, non-obvious pattern.
  5. Provide creative (or false) answers to security questions.
  6. If someone hacks your email, take these steps: 1) reset your password, 2) check your Sent folder to see what the hacker sent, and 3) see if the hacker set up any forwards.
  7. Use two-factor authentication (2FA) or multi-factor authentication (MFA). An authentication app (such as Google Authenticator) is more secure than receiving authentication codes by SMS (text message).
  8. Look for messaging apps that provide off-the-record (OTR) messaging and perfect forward secrecy (PFS). Mitnick recommends ChatSecure, Signal, and Cryptocat.
  9. Set privacy options in your Google account, and/or use DuckDuckGo, which doesn’t track users.
  10. Don’t use social sign-in options (e.g., OAuth) on websites, because if someone hacks your social account they can access all those linked sites.
  11. If your router has an open/guest network, lock down its settings or disable it.
  12. Update your router firmware regularly.
  13. Change your WiFi name (SSID) to something that doesn’t identify you or the make and model of the router. Change the router admin username and password. Use WPA2. Disable WiFi Protected Setup (WPS).
  14. In general, don’t respond to unsolicited messages requesting personal info. Instead, contact the alleged sender through a known trustworthy channel (e.g., a public phone number) to ensure they actually sent the request.
  15. Keep full backups of PCs and mobile devices as a precaution against ransomware.
  16. Don’t use unencrypted public WiFi, at least not for anything involving personal data. Instead, use your cellular connection or personal hotspot.
  17. Disable your device’s automatic connection to saved WiFi networks, or delete saved WiFi networks when you no longer need them, so your device doesn’t connect to malicious networks with the same name as saved networks.
  18. Never use public PCs for anything sensitive. Assume they have malware.
  19. Limit the personal info you put in social media profiles. Set your privacy settings. Don’t display your birthday.
  20. Be very careful whom you friend or connect with on social media, as they instantly get access to a lot of personal info.
  21. Disable location broadcasting in all apps or for your entire phone.
  22. Delete data from your car’s infotainment system before you sell your car.
  23. Change the default username and password on all Internet of Things (IoT) devices.
  24. To avoid eavesdropping, put tape over cameras and put a dummy microphone plug in microphone jacks. You can make a dummy mic plug by cutting off the end of a broken pair of headphones or earbuds.
  25. When possible, turn off voice activation and voice recognition feature in voice-activated devices, to limit eavesdropping.
  26. Securely wipe the drives of printers, copy machines, video conferencing systems, etc. before getting rid of them.
  27. If you have an iPhone, set a password for encrypted iTunes backups to prevent someone from backing up your phone to their PC without your knowledge.
  28. Use full-disk encryption software on your computers. Consider PGP Whole Disk Encryption, WinMagic, and FileVault 2 (built into Macs). Windows BitLocker is OK for the average user, but it isn’t ideal because it’s privately owned and may contain back doors, and you must share your key with Microsoft unless you pay.
  29. Don’t let encryption software save its keys to the provider’s online account, as that grants them access to your data. Save the keys yourself; you could use your password manager, such as LastPass.
