Vaguely, I remember something the retired soldier said about bullet-proof vests. He said there was no such thing.
Myself and a half-dozen other journalists were at a war correspondent training course in a farm somewhere in Virginia, listening to a former British special forces member talk about war-zone precautions. Inevitably, the topic of bullet-proof vests came up. The instructor cautioned that no matter how good the vest, there's always a better bullet. There would only ever be bullet-resistant vests, not bullet-proof ones.
It's worth keeping that sentiment in mind as you read this guide to building a more secure computer. Covered here are myriad tools and services to help protect you from malware, spam, bot-nets and even that amorphous threat of government monitoring. But even if you implement every piece of advice mentioned here and more, you'll still have, at best, a hack-resistant computer. Hack-proof computers don't exist.
Ever since former National Security Agency contractor Edward Snowden began leaking secret documents in the summer of 2013, millions of everyday computer users have taken a much greater interest in protecting their digital privacy and security. As such, we've put together this guide as a means of listing some of the tools we find most helpful in that endeavor. This is by no means an exhaustive guide. Indeed, if you have any suggestions to add, let us know. We'll try to periodically update the guide whenever we come across new software.
That said, virtually every tool and service in this guide adheres to three basic rules:
1: Free or Very Inexpensive
There are enough hurdles keeping most people from taking their digital security seriously, and we didn't want to add price to that list. Whenever possible, We've tried to recommend products and services that won't cost you any money.
Most of the software we use today, such as Microsoft Word, Adobe Photoshop or Apple Anything, is proprietary. You can't (legally) open it up and look at its inner workings. Open-source software, on the other hand, is generally free for inspection by anyone. This means two things: first, open-source software is generally cost-free (See Rule 1); but more importantly, open-source software is also usually subject to a kind of crowdsourced security audit by a large group of third-party experts. Another way to put this is, lots of geeks go through the code looking for bugs, and if they find one, they raise hell. That doesn't mean all open-source software is safer than the proprietary stuff (Microsoft has a huge financial incentive to keep its software bug-free, and the resources to hire the brightest tech minds on the planet), but open-source software at least offers some much-needed transparency as to what is actually happening under the hood. And most importantly...
3: A Flat Learning Curve
For this guide, We have purposely left out many superior security solutions for the simple reason that they require too much technical know-how. Sure, if you go back to school and earn a PhD in computer science, you can build a far more secure machine than the one we describe here, but this guide is aimed at the average (usually Windows-based) user who has little or no technical ability. If that person can't learn to use it pretty well within 30 minutes of starting it up, we've kept it out of this guide.
All that said, let's begin.
Prologue: A Floating Brothel on International Waters
The single most effective thing you can do right now to improve the security of your computer is unplug it from the Internet. Pull out that Ethernet cable; throw the wireless router in the microwave. The vast, vast majority of infections that plague your machine will arrive via the Web.
Unfortunately, if you want to get anything done, that's not an option. So, before we go into specific software tools, here are some general Internet safety tips to at least reduce the risk of contracting something nasty. Most if not all of these tips may sound obvious, but people still do these things, so it's worth repeating:
1) If someone calls you out of the blue claiming to be "from" Microsoft or Google or your bank, and asks for any information, it is a scam. Microsoft and Google aren't going to call you, their people have better things to do. And unless your "bank" is a crowbar-wielding loan shark, you're not going to get a phone call demanding anything. Hang up and, if possible, report it.
2) There are no European lottery commissions randomly e-mailing people to award them prizes they never entered to win in the first place. There are no Nigerian ministers' offspring looking to move massive sums of money out of the country. There is no reason why plastic surgeons hate that woman in the pop-up ad. It's all garbage, designed either to lure you into a lawless corner of the web, steal your personal information, or straight-up take your money. If you get an unsolicited e-mail offering the possibility of financial reward, don't reply. Please don't become this person.
3) The same goes for social media. If you get a friend request from someone you've never heard of named "Maxamad Maxxhamad," it's either the start of a fraud scam, or someone looking to scrape your personal information from your Facebook profile to create other fake accounts. If you receive a message from someone on Twitter saying, "Hey, this security camera caught you naked! Take a look!" and asking you to click a link, it's a ploy to get you to give up access to your Twitter account, so the sender can hijack it and use it to send more malicious messages. Don't click on it. There is no security camera footage of you naked on the Internet. Trust us, we checked.
4) Update your software. Download security patches when they become available. None of this is guaranteed to stop you from getting hacked or monitored (if there's one thing the Snowden leaks have shown us, it's that a lot of the big tech companies either don't know or don't care how susceptible their products are to unauthorized tampering – at least by certain groups). But for the most part, security patches and updates actually do fix serious weaknesses. If you're still using Internet Explorer 6, you probably deserve whatever apocalyptic malware catastrophe that befalls your computer.
5) Most people use terrible passwords. There are a number of reasons for this. One is the sheer variety of password-enabled devices we have to deal with every day (how many people still have the default "1234" as the password on their vehicle's Bluetooth connection?). Another is the fault of certain products and web sites that either don't care what sort of password you choose, or force you to jump through a bunch of hoops that result in the creation of a convoluted password you end up forgetting a week later. As Randall Munroe notes, the most important determinant of password strength is entropy. Basically, the more stuff there is to guess, the better the password. So choose a long password. And if you don't think you can remember multiple passwords and don't want to use a password manager (see Part III below), at least memorize a strong password and use it exclusively for your most important digital transaction. The last thing you want is your banking login compromised because someone hacked into a gaming forum you frequent and stole your password.
Much of Internet security boils down to your own appetite for risk. If you only go to trusted web sites, don't download shady programs from strange-looking web sites and generally follow the rules above, your risk profile is far lower than if you're constantly clicking the ads on porn sites, downloading pirated software or changing your Facebook privacy setting to "Anything Goes." That's not to say you can't do any of these things (to each their own), just understand the risks involved.
A crass but surprisingly apt metaphor is venereal disease. If you're using protection and only sleeping with people you trust, you're not guaranteed to avoid catching anything nasty, but your odds are pretty good. If you spend most of your time partaking in anonymous orgies in a floating brothel on international waters, you might get away with it, but the odds are not in your favour.
Tomorrow in The Globe and Mail guide to safer computing: Hardware
Follow me on Twitter at @OmarElAkkad.