The Basics of Security and Privacy
Well, I have another entry for you here on my journey to internet privacy, though this one will focus a bit more on security. Since this covers the basics, I think it's something everyone should know. Therefore it is the only time in this blog where I will ask you to share this information with everyone. The more people who know, the better.
Factors of Authentication
The number one priority in both cybersecurity and privacy is that only the intended individuals have access to certain information. One very easy way to do this is to simply keep all information stored locally on a single device. Nothing comes in, and nothing goes out. However, that prevents any form of communication between computers. So in order for us to do banking, use social media, or countless other things, we rely on certain factors to recognize specific individuals. Broadly speaking there are three ways to identify someone.
- Knowledge
- Characteristics
- Possessions
Knowledge
Knowledge is the first of these. You can see this in real life by asking someone something only they would know, such as when you first met, when their birthday is, important events and so forth. However, that requires you and the other person to both be thinking human beings. Online we give one another passwords that let us quickly find and confirm one another's identity. The problem with this is that if either party is irresponsible with the password then it's gone, and there's no way to know who has access to it. There's nothing you can do about how other services store your passwords, but there are some easy tips for making safer passwords.
- Use different passwords for everything. That way if one website or app is compromised you don't lose everything. This does risk you forgetting your passwords and so you want a way to remember them.
- Don't write down your passwords, or at the very least not the whole thing. That may seem odd after I just said you risked forgetting your passwords. However, if you store them online, such as in Google Sheets or in cloud storage, some company out there has all of your passwords, and there's no telling who can look at them. Likewise, if anyone gets their hands on your password cheat sheet they have access to everything. I recommend writing down only hints or coded messages that will help you remember without actually being your passwords. If you speak multiple languages this can be very helpful.
- Don't store your passwords online. See above.
Of course if you don't use a website that often, or don't care if the account is compromised you can disregard some of these, but they are still good rules to follow.
Characteristics
Characteristics are a different kind of thing altogether. These are things unique to you, such as fingerprints, facial structure, voice, anything that allows close family to recognize you from someone else. Online these serve a very similar purpose, and in theory biometrics are the perfect solution, because they are immutable. You won't find someone suddenly wearing your face. Unfortunately, the inability to change them makes them a vulnerability online. If someone gets a digital file of your fingerprint or face they can use it in your place, or to access your account, and there isn't a way for you to change it.
Possessions
Using something in your possession to authenticate yourself is pretty simple. In person we use keys in a similar way: if you have the key you are allowed in. Online this takes a different approach. Certain apps or other features exchange specific signals with each other, based on a random secret stored on your device. The way they work would take a long time to explain, but basically, using the almighty powers of MATH, you can take a really long sequence of letters and numbers, mix it with the current time, and create a six digit code every thirty seconds. When you set up one of these authenticators you establish a single secret code once, and from that time forward every login code is derived from it. That's the secret behind authenticator apps, like Google Authenticator and whatnot. I'll talk more about encryption later. However, this does mean that if someone ever got access to that string of letters and numbers they could generate your authentication codes.
Phishing
Phishing is basically the act of trying to get you to give up your username and password for a website. This is often done through email, either by asking for the information outright, or by sending a link to a website owned by the scammer that looks like the target website, often a bank. When you try to log in, that information goes straight to the scammer. Always be alert, read the URLs carefully, and don't click on suspicious links in emails.
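"Read the URLs carefully" is easier said than done, so here is an added example (mine, not from the original post) of what "carefully" actually means in practice. It pulls the host out of a link the way a browser does and rejects the usual tricks: a login name smuggled in before an `@`, your bank's name used as a subdomain of someone else's site, and look-alike non-ASCII letters. The domains `bank.example` and `mail.example` are made up for the example:

```python
from urllib.parse import urlsplit

# Constructed: the sites this particular person actually has accounts with.
TRUSTED_SITES = {"bank.example", "mail.example"}


def check_link(url, trusted=TRUSTED_SITES):
    """Return (ok, reason). Only the host part of a URL decides where you land;
    whatever sits before an '@', the path, and look-alike spellings are noise."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    if parts.username is not None:
        # "https://bank.example@evil.test/" really goes to evil.test
        return False, "text before '@' is a login name, the real host is %r" % parts.hostname
    host = parts.hostname  # lower-cased, port stripped
    if not host:
        return False, "no host in the link"
    if not host.isascii() or "xn--" in host:
        # a Cyrillic 'а' in 'bаnk' is drawn identically to a Latin 'a'
        return False, "look-alike characters in host %r" % host
    for site in trusted:
        # the host must BE the site or END with ".site"; "bank.example.evil.test" does neither
        if host == site or host.endswith("." + site):
            return True, "host belongs to " + site
    return False, "host %r is not a site you use" % host


if __name__ == "__main__":
    for link in ("https://bank.example/login",
                 "https://bank.example.evil.test/login",
                 "https://bank.example@evil.test/login",
                 "http://bank.example/login"):
        print(link, "->", check_link(link))
```

The last check is the one people get wrong by eye: a real site ends with your bank's domain, but `bank.example.evil.test` ends with `evil.test`, no matter how familiar the start of it looks.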
Two Factor Authentication
Basically everything right now uses passwords, and it is becoming increasingly common to use 2FA, or two factor authentication, which means using a password together with one of the other factors, commonly text (SMS) messaging or an authenticator app. This is great for security, as it is a lot harder for someone unwanted to get ahold of both your password and your phone. There are a few things to be aware of, however. The first is that SMS messages are not secure. In transit they aren't encrypted, and your cell service provider can read them, as can others. And as I will speak on shortly, they can be compromised. If you use an authenticator app this is largely resolved, with a few other caveats I don't feel like getting into right now, but if someone wants I will explain in the replies.
SIM Fraud
For those of you who don't know, a SIM card is a component in your phone that allows it to connect to cell towers. It's where cell phone companies store your phone number and other information. One of the reasons that SMS messages or phone calls don't work really well as 2FA is that it is really common for scammers who get access to your information (another great reason to want both security and privacy online) to call the phone company pretending to be you and have your number transferred to a different SIM card. They are now in possession of your phone number and receive all texts meant for you.
Security Keys
I found out about these recently and haven't had the opportunity to use them yet. I will let you know how it goes once I do, however. Security keys are physical objects that look like thumb drives, and they take everything that authenticator apps try to do and turn it up to eleven. Basically, instead of using the time and a string of numbers and letters to create a code, the key shares a code with the host website/app, and then keeps track of a whole bunch of information, such as the number of times you've logged in, plus a lot of other math that my brain doesn't entirely understand, to generate a unique code each time you log into a website. With that done, it becomes next to impossible to log in without having that physical security key, even if someone gets your password. As most of these keys use your fingerprint in order to work, and that scanner relies on a physical input rather than just a scan, even if someone steals the key, or it gets lost, they can't get access to your accounts either. On top of that, the key will remember what websites you've been to, and won't allow you to give the code to the wrong one, even if it looks legitimate. It is highly recommended, however, that if you use security keys you set two up at the same time and leave one of those keys in a secure location, because if you only have one and it gets lost, you are locked out of that account and there is no way to recover it. Their success can be seen in Google making them mandatory, with zero successful phishing attempts after that.
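Since "a lot of other math that my brain doesn't entirely understand" is doing a lot of work in that paragraph, here is an added example (mine, not from the post and not any real product's code) of the two ideas that make security keys phishing resistant: the key only answers for a site it was registered with, and every answer carries a login counter the site checks. Real keys (FIDO2/WebAuthn) sign with a per-site private key; this toy `SecurityKey` uses HMAC instead so it runs with nothing but the Python standard library, and the origins `bank.example` and `bank.example.evil.test` are made up for the walkthrough:

```python
import hashlib
import hmac
import secrets


def _message(origin: str, challenge: bytes, counter: int) -> bytes:
    # What gets authenticated: WHICH site asked, the fresh challenge, and the login count.
    return origin.encode() + b"|" + challenge + b"|" + counter.to_bytes(4, "big")


class SecurityKey:
    """Toy model of a hardware key (hypothetical). HMAC stands in for the
    public-key signature a real key would produce."""

    def __init__(self):
        self._credentials = {}  # origin -> [per-site secret, number of logins so far]

    def register(self, origin: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[origin] = [secret, 0]
        return secret  # toy: the site keeps this; a real key hands over a public key

    def authenticate(self, origin: str, challenge: bytes):
        # The browser tells the key which origin is asking. No credential for that
        # origin means the key simply refuses, so a look-alike site gets nothing.
        if origin not in self._credentials:
            raise LookupError("no credential registered for " + origin)
        cred = self._credentials[origin]
        cred[1] += 1  # one more login on this site
        tag = hmac.new(cred[0], _message(origin, challenge, cred[1]), hashlib.sha256).digest()
        return cred[1], tag


class Website:
    def __init__(self, origin: str):
        self.origin = origin
        self._users = {}  # username -> [secret, highest login counter seen]

    def register(self, username: str, key: SecurityKey):
        self._users[username] = [key.register(self.origin), 0]

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)  # fresh every login, so old answers are useless

    def verify(self, username: str, challenge: bytes, counter: int, tag: bytes) -> bool:
        secret, last_seen = self._users[username]
        expected = hmac.new(secret, _message(self.origin, challenge, counter), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        if counter <= last_seen:
            return False  # replayed answer, or a cloned key that has fallen behind
        self._users[username][1] = counter
        return True


def run_scenarios() -> dict:
    """Constructed walkthrough: one key, the real site, and a look-alike site."""
    key = SecurityKey()
    bank = Website("https://bank.example")
    bank.register("alice", key)

    # 1. Normal login: fresh challenge, the key answers, the site accepts.
    ch = bank.new_challenge()
    counter, tag = key.authenticate("https://bank.example", ch)
    normal = bank.verify("alice", ch, counter, tag)

    # 2. Replay: the very same answer is sent again later.
    replay = bank.verify("alice", ch, counter, tag)

    # 3. A look-alike page relays the bank's real challenge, but the browser
    #    reports the page's own origin, which the key has never registered.
    ch2 = bank.new_challenge()
    try:
        key.authenticate("https://bank.example.evil.test", ch2)
        phish_got_answer = True
    except LookupError:
        phish_got_answer = False

    # 4. The next real login still works; the counter keeps climbing.
    counter, tag = key.authenticate("https://bank.example", ch2)
    second = bank.verify("alice", ch2, counter, tag)

    return {"normal": normal, "replay": replay,
            "phish_got_answer": phish_got_answer, "second": second}


if __name__ == "__main__":
    print(run_scenarios())
```

Scenario 3 is the "won't allow you to give the code to the wrong one" behaviour from the paragraph above, and scenario 2 is what the login counter buys you. Note what the toy leaves out: the recommendation to register a second key is exactly because `_credentials` lives only inside the device, so losing it loses the credential.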
Privacy
Now having gone over that I'll move to more of a privacy focused angle.
Nothing is Free
Shocker, but things cost money. That is true on the internet as well. Any service that is being offered requires someone out there to be spending money to make it available to you. As a result, with few exceptions, they also have some way of making money off of that service. In privacy circles this has taken the form of the adage: "If you don't pay for the product, you are the product." Take Facebook for example: the ordinary user doesn't pay anything to use Facebook, yet Facebook is a company worth more money than most of us can even comprehend. How? The answer is simple: Facebook sells its users to other people, in this case to advertising companies. Something to always keep in mind is: how is this service being funded? When I get to offering alternatives to big tech I'll go out of my way to point out how they get their funding.
Ads and their problems
Many people today will say that ads are the problem with privacy. Some more politically minded individuals will blame capitalism. Neither of those statements is true. Targeted ads, however, are a big part of it. Ads in themselves are just a way for companies to show you products they have that they believe you want to buy. This can be a very helpful and mutually beneficial relationship. However, when a middleman enters the picture with the ability to spy on your data, and is willing to sell it to advertisers to optimize their ability to find people, we have trouble. This is why if there is a weakness in your privacy, the first place you will see it is in personalized ads. You can easily see this if you are traveling. Watch ads in New York and then fly to Colorado. Immediately the political ads will change to local candidates without you ever doing anything.
Fingerprinting
The way that companies make and market these ads is through what is called fingerprinting. This is basically their ability to identify who you are and link it to what you are doing. With enough information they can even do this across different platforms, so that multiple websites, accounts, and profiles can all be tied back to you. That is mostly in the realm of government agencies, and should worry us all.
Websites over Apps
Apps have a lot of permissions and access to data from your phone or computer. Generally if at all possible you should use webpages rather than apps.
Ecosystems
A common saying is "Don't put all of your eggs in one basket." Realistically speaking, however, most of us do this all the time. How many of us have at one point or another been in the Google ecosystem? Writing in Google Docs, recording information in Google Sheets, Gmail, Google Chat, Google Hangouts, Google Chrome, the Google search engine, google, google, google. Other ecosystems like Microsoft Office also exist. This allows them to build large records of your past behavior, and if that account gets hacked or deleted, everything is gone and there's nothing you can do about it.
Open Source
Everything online runs on code. Most large companies don't let anyone anywhere near their code. Try asking Google how the YouTube algorithm works sometime. They won't tell you. Other companies and organizations have a different approach: the full code is open and on display for all to see. This means that anyone can look at it, improve it, or build their own off-brand version, basically for free. It also means anyone can inspect it for potential problems or spyware. Open source providers are thus highly trustworthy, and I will say which of my recommendations are open source or not.
Third-party verification
This is basically when one company pays another to look at its products and try to break them. If the hired hackers can get in, the product fails the inspection. If they can't, the product passes the verification. Third-party reviews are also highly valuable.
Trade offs
As I said above, nothing is free. That also often means that few things are universally better. In exchange for more privacy you also have to give something else up. This might be money, or convenience, but there is always a price. That's why I don't think there's a one-size-fits-all solution for privacy. Everyone has to make their own decisions.
Starting here soon, I'll give more step by step tips on improving your personal privacy.
Edited by Frustration