In 2017, I led a
series of workshops aimed at teaching
beginners a better understanding of encryption, how the internet works, and
their digital security. Nearly a decade later, there is still a great need to
share reliable resources and guides on improving these skills.
I have worked professionally in computer security one way or another for well
over a decade, at
many major technology companies and in many open source
software projects. There are many inaccurate and unreliable resources
out there on this subject, put together by well-meaning people without a
background in security, which can lead to sharing misinformation, exaggeration
and fearmongering.
I hope that I can offer you a trusted, curated list of high impact things that
you can do right now, using whichever vetted guide you prefer. In addition, I
also include how long it should take, why you should do each task, and any
limitations.
This guide is aimed at improving your personal security, and does not apply to
your work-owned devices.
Always assume your company can monitor all of your
messages and activities on work devices.
What can I do to improve my security right away?
I put together this list in order of effort, easiest tasks first. You should be
able to complete many of the low effort tasks in a single hour. The medium to
high effort tasks are very much worth doing, but may take you a few days or
even weeks to complete them.
Low effort (<15 minutes)
Upgrade your software to the latest versions
Why? I don't know anyone who hasn't complained about software updates
breaking features, introducing bugs, and causing headaches. If it ain't broke,
why upgrade, right? Well, alongside all of those annoying bugs and breaking
changes, software updates also include security fixes, which will
protect your
device from being exploited by bad actors. Security issues can be found in
software at any time, even software that's been available for many years and
thought to be secure. You want to install these as soon as they are available.
Recommendation: Turn on automatic upgrades and always keep your devices as
up-to-date as possible. If you have some software you know will not work if you
upgrade it, at least be sure to upgrade your laptop and phone operating system
(iOS, Android, Windows, etc.) and web browser (Chrome, Safari, Firefox, etc.).
Do not use devices that do not receive security support (e.g. old Android or
iPhones).
Guides:
Limitations: This will prevent someone from exploiting known security
issues on your devices, but it won't help if your device was already
compromised. If this is a concern, doing a factory reset, upgrade, and turning
on automatic upgrades may help. This also won't protect against all types of
attacks, but it is a necessary foundation.
Use Signal
Why?
Signal is a trusted, vetted, secure
messaging application that allows you to send end-to-end encrypted messages and
make video/phone calls. This means that only you and your intended recipient
can decrypt the messages and someone cannot intercept and read your messages,
in contrast to texting (SMS) and other insecure forms of messaging. Other
applications advertise themselves as end-to-end encrypted, but
Signal provides
the strongest protections.
Recommendation: I recommend installing the Signal app and using it! My mom
loves that she can video call me on Wi-Fi on my Android phone. It also supports
group chats. I use it as a secure alternative to texting (SMS) and other chat
platforms. I also like Signal's "disappearing messages" feature which I enable
by default because it automatically deletes messages after a certain period of
time. This avoids your messages taking up too much storage.
Guides:
Limitations: Signal is only able to protect your messages in transit. If
someone has access to your phone or the phone of the person you sent messages
to, they will still be able to read them. As a rule of thumb, if you don't want
someone to read something,
don't write it down! Meet in person or make an
encrypted phone call where you will not be overheard. If you are talking to
someone you don't know, assume your messages are as public as posting on social
media.
Set passwords and turn on device encryption
Why? Passwords ensure that someone else can't unlock your device without
your consent or knowledge. They also are required to turn on device encryption,
which protects your information on your device from being accessed when it is
locked. Biometric (fingerprint or face ID) locking provides some privacy, but
your fingerprint or face ID can be used against your wishes, whereas if you are
the only person who knows your password, only you can use it.
Recommendation: Always set passwords and have device encryption enabled in
order to protect your personal privacy. It may be convenient to allow kids or
family members access to an unlocked device, but anyone else can access it,
too! Use strong passwords that cannot be guessed avoid using names,
birthdays, phone numbers, addresses, or other public information. Using a
password manager will make creating and managing passwords
even easier. Disable biometric unlock, or at least know how to disable it. Most
devices will enable disk encryption by default, but you should double-check.
Guides:
Limitations: If your device is unlocked, the password and encryption will
provide no protections; the device must be locked for this to protect your
privacy. It is possible, though unlikely, for someone to gain remote access to
your device (for example through malware or
stalkerware), which would bypass
these protections. Some
forensic
tools are also
sophisticated enough to work with physical access to a device that is turned on
and locked, but not a device that is turned off/freshly powered on and
encrypted. If you lose your password or disk encryption key, you may lose
access to your device. For this reason, Windows and Apple laptops can make a
cloud backup of your disk encryption key. However, a cloud backup can
potentially be
disclosed to law
enforcement.
Install an ad blocker
Why? Online ad networks are often
exploited to spread
malware to unsuspecting visitors.
If you've ever visited a regular website and suddenly seen an urgent, flashing
pop-up claiming your device was hacked, it is often due to a bad ad. Blocking
ads provides an additional layer of protection against these kinds of attacks.
Recommendation: I recommend everyone uses an ad blocker at all times. Not
only are ads annoying and disruptive, but they can even result in your devices
being compromised!
Guides:
Limitations: Sometimes the use of ad blockers can break functionality on
websites, which can be annoying, but you can temporarily disable them to fix
the problem. These may not be able to block all ads or all tracking, but they
make browsing the web much more pleasant and lower risk! Some people might also
be concerned that blocking ads might impact the revenue of their favourite
websites or creators. In this case, I recommend either donating directly or
sharing the site with a wider audience, but keep using the ad blocker for your
safety.
Enable HTTPS-Only Mode
Why? The "S" in "HTTPS" stands for "secure". This feature, which can be
enabled on your web browser, ensures that every time you visit a website, your
connection is always end-to-end encrypted (just like when you use Signal!) This
ensures that someone can't intercept what you search for, what pages on
websites you visit, and any information you or the website share such as your
banking details.
Recommendation: I recommend enabling this for everyone, though with
improvements in web browser security and adoption of HTTPS over the years, your
devices will often do this by default! There is a small risk you will
encounter some websites that do not support HTTPS, usually older sites.
Guides:
Limitations: HTTPS protects the information on your connection to a
website. It does not hide or protect the fact that you visited that website,
only the information you accessed. If the website is malicious, HTTPS does not
provide any protection. In certain settings, like when you use a work-managed
computer that was set up for you, it can still be possible for your IT
Department to see what you are browsing, even over an HTTPS connection, because
they have administrator access to your computer and the network.
Medium to high effort (1+ hours)
These tasks require more effort but are worth the investment.
Set up a password manager
Why? It is not possible for a person to remember a unique password for
every single website and app that they use. I have, as of writing, 556
passwords stored in my password manager. Password managers do three important
things very well:
- They generate secure passwords with ease. You don't need to worry about
getting your digits and special characters just right; the app will do it
for you, and generate long, secure passwords.
- They remember all your passwords for you, and you just need to remember one
password to access all of them. The most common reason people's accounts get
hacked online is because they used the same password across multiple
websites, and one of the websites had all their passwords leaked. When you
use a unique password on every website, it doesn't matter if your password
gets leaked!
- They autofill passwords based on the website you're visiting. This is
important because it helps prevent you from getting
phished. If you're
tricked into visiting an evil lookalike site, your password manager will
refuse to fill the password.
Recommendation: These benefits are extremely important, and setting up a
password manager is often one of the
most impactful things you can do for your
digital security. However, they take time to get used to, and migrating all of
your passwords into the app (and immediately changing them!) can take a few
minutes at a time... over weeks. I recommend you
prioritize the most important
sites, such as your email accounts, banking/financial sites, and cellphone
provider. This process will feel like a lot of work, but you will get to enjoy
the benefits of never having to remember new passwords and the autofill
functionality for websites. My recommended password manager is
1Password, but it stores passwords in the cloud and
costs money. There are some good free options as well if cost is a concern.
You can also use web browser- or OS-based password managers, but I do not
prefer these.
Guides:
Limitations: Many people are concerned about the risk of using a password
manager causing all of their passwords to be compromised. For this reason, it's
very important to use a vetted, reputable password manager that has passed
audits, such as 1Password or
Bitwarden. It is also
extremely important to choose a strong password to unlock your password
manager. 1Password makes this easier by generating a secret to strengthen your
unlock password, but I recommend using a
long, memorable
password in any case. Another risk is that if you
forget your password manager's password, you will lose access to all your
passwords. This is why I recommend 1Password, which has you set up an
Emergency Kit to recover access
to your account.
Set up two-factor authentication (2FA) for your accounts
Why? If your password is compromised in a website leak or due to a phishing
attack, two-factor authentication will require a second piece of information to
log in and potentially thwart the intruder. This provides you with an extra
layer of security on your accounts.
Recommendation: You don't necessarily need to enable 2FA on every account,
but prioritize enabling it on your most important accounts (email, banking,
cellphone, etc.) There are typically a few different kinds: email-based (which
is why your email account's security is so important), text message or
SMS-based (which is why your cell phone account's security is so important),
app-based, and hardware token-based. Email and text message 2FA are fine for
most accounts. You may want to enable app- or hardware token-based 2FA for your
most sensitive accounts.
Guides:
Limitations: The major limitation is that if you lose access to 2FA, you
can be locked out of an account. This can happen if you're travelling abroad
and can't access your usual cellphone number, if you break your phone and you
don't have a backup of your authenticator app, or if you lose your
hardware-based token. For this reason, many websites will provide you with
"backup tokens" you can print them out and store them in a secure location or
use your password manager.
I also recommend if you use an app, you choose one that will allow you to make
secure backups, such as Ente. You are also limited by the types of 2FA a
website supports; many don't support app- or hardware token-based 2FA.
Remove your information from data brokers
Why? This is a problem that mostly affects people in the US. It surprises
many people that information from their credit reports and other public records
is scraped and available (for free or at a low cost) online through "data
broker" websites. I have shocked friends who didn't believe this was an issue
by searching for their full names and within 5 minutes being able to show them
their birthday, home address, and phone number. This is a serious privacy
problem!
Recommendation: Opt out of any and all data broker websites to remove this
information from the internet. This is especially important if you are at risk
of being stalked or harassed.
Guides:
Limitations: It can take time for your information to be removed once you
opt out, and unfortunately search engines may have cached your information for
a while longer. This is also not a one-and-done process. New data brokers are
constantly popping up and some may not properly honour your opt out, so you
will need to check on a regular basis (perhaps once or twice a year) to make
sure your data has been properly scrubbed. This also cannot prevent someone
from directly searching public records to find your information, but that
requires much more effort.
"Recommended security measures" I think beginners should avoid
We've covered a lot of tasks you should do, but I also think it's important to
cover what
not to do. I see many of these tools recommended to security
beginners, and I think that's a mistake. For each tool, I will explain my
reasoning around why I don't think you should use it, and the scenarios in
which it might make sense to use.
"Secure email"
What is it? Many email providers, such as
Proton Mail, advertise themselves as providing secure
email. They are often recommended as a "more secure" alternative to typical
email providers such as GMail.
What's the problem? Email is fundamentally insecure by design. The email
specification
(
RFC-3207) states that
any publicly available email server MUST NOT require the use of end-to-end
encryption in transit. Email providers can of course provide additional
security by encrypting their copies of your email, and providing you access to
your email by HTTPS, but the messages themselves can always be sent without
encryption. Some platforms such as Proton Mail advertise end-to-end encrypted
emails so long as you email another Proton user. This is not truly email, but
their own internal encrypted messaging platform that follows the email format.
What should I do instead? Use Signal to send encrypted messages.
NEVER
assume the contents of an email are secure.
Who should use it? I don't believe there are any major advantages to using
a service such as this one. Even if you pay for a more "secure" email provider,
the
majority of your
emails
will still be delivered to people who don't. Additionally, while I don't
use or necessarily recommend their service, Google offers an
Advanced
Protection Program
for people who may be targeted by state-level actors.
PGP/GPG Encryption
What is it? PGP ("Pretty Good Privacy") and GPG ("GNU Privacy Guard") are
encryption and cryptographic signing software. They are often recommended to
encrypt messages or email.
What's the problem? GPG is decades old and its usability has always been
terrible. It is extremely easy to accidentally send a message that you thought
was encrypted without encryption! The problems with PGP/GPG have been
extensively documented.
What should I do instead? Use
Signal to send encrypted messages.
Again,
NEVER use email for sensitive information.
Who should use it? Software developers who contribute to projects where
there is a requirement to use GPG should continue to use it until an adequate
alternative is available. Everyone else should live their lives in PGP-free
bliss.
Installing a "secure" operating system (OS) on your phone
What is it? There are a number of self-installed operating systems for
Android phones, such as
GrapheneOS, that advertise
as being "more secure" than using the version of the Android operating system
provided by your phone manufacturer. They often remove core Google APIs and
services to allow you to "de-Google" your phone.
What's the problem? These projects are relatively niche, and don't
have nearly enough resourcing to be able to respond to the high levels of
security pressure Android experiences (such as against the
forensic
tools I mentioned earlier). You may suddenly lose security support
with no notice, as with
CalyxOS. You
need a high level of technical know-how and a lot of spare time to maintain
your device with a custom operating system, which is not a reasonable
expectation for the average person. By stripping all Google APIs such as
Google Play Services, some useful apps can no longer function. And some
law enforcement organizations have gone as far as
accusing people who install
GrapheneOS on Pixel phones to be
engaging in criminal activity.
What should I do instead? For the best security on an Android device, use a
phone manufactured by Google or Samsung (smaller manufacturers are more
unreliable), or consider buying an iPhone. Make sure your device is receiving
security updates and up-to-date.
Who should use it? These projects are great for tech enthusiasts who are
interested in contributing to and developing them further. They can be used to
give new life to old phones that are not receiving security or software
updates. They are also great for people with an interest in free and open
source software and digital autonomy. But these tools are not a good choice for
a general audience, nor do they provide more practical security than using an
up-to-date Google or Samsung Android phone.
Virtual Private Network (VPN) Services
What is it? A virtual private network or VPN service can provide you with a
secure tunnel from your device to the location that the VPN operates. This
means that if I am using my phone in Seattle connected to a VPN in Amsterdam,
if I access a website, it appears to the website that my phone is located in
Amsterdam.
What's the problem? VPN services are frequently advertised as providing
security or protection from nefarious bad actors, or helping protect your
privacy. These benefits are often far overstated, and there are predatory VPN
providers that can actually be harmful. It costs money and resources to provide
a VPN, so free VPN services are especially suspect. When you use a VPN, the VPN
provider knows the websites you are visiting in order to provide you with the
service. Free VPN providers may
sell this
data
in order to cover the cost of providing the service, leaving you with less
security and privacy. The average person does not have the knowledge to be able
to determine if a VPN service is trustworthy or not. VPNs also don't provide
any additional encryption benefits if you are already using HTTPS. They may
provide a small amount of privacy benefit if you are connected to an untrusted
network with an attacker.
What should I do instead? Always use HTTPS to access websites. Don't
connect to untrusted internet providers for example, use cellphone
network data instead of a sketchy Wi-Fi access point. Your local neighbourhood
coffee shop is probably fine.
Who should use it? There are three main use cases for VPNs. The first is to
bypass geographic restrictions. A VPN will cause all of your web traffic to
appear to be coming from another location. If you live in an area that has
local internet censorship policies, you can use a VPN to access the internet
from a location that lacks such policies. The second is if you know your
internet service provider is actively hostile or malicious. A trusted VPN will
protect the visibility of all your traffic, including which websites you visit,
from your internet service provider, and the only thing they will be able to
see is that you are accessing a VPN. The third use case is to
access a network
that isn't connected to the public internet, such as a corporate intranet. I
strongly discourage the use of VPNs for "general-purpose security."
Tor
What is it? Tor, "The Onion Router", is a free and open source software
project that provides anonymous networking. Unlike with a VPN, where the VPN
provider knows who you are and what websites you are requesting, Tor's
architecture makes it extremely difficult to determine who sent a request.
What's the problem? Tor is difficult to set up properly; similar to
PGP-encrypted email, it is possible to accidentally not be connected to Tor and
not know the difference. This usability has improved over the years, but Tor is
still not a good tool for beginners to use. Due to the way Tor works, it is
also extremely slow. If you have used cable or fiber internet, get ready to go
back to dialup speeds. Tor also doesn't provide perfect privacy and without a
strong understanding of its
limitations, it can be possible to deanonymize
someone despite using it. Additionally, many websites are able to detect
connections from the Tor network and block them.
What should I do instead? If you want to use Tor to bypass censorship, it
is often better to use a trusted VPN provider, particularly if you need high
bandwidth (e.g. for streaming). If you want to use Tor to access a website
anonymously, Tor itself might not be enough to protect you. For example, if you
need to provide an email address or personal information, you can decline to
provide accurate information and use a
masked email
address. A friend of mine
once used the alias "Nunya Biznes"
Who should use it? Tor should only be used by people who are experienced
users of security tools and understand its strengths and limitations. Tor also
is best used on a purpose-built system, such as
Tor Browser
or Freedom of the Press Foundation's
SecureDrop.
I want to learn more!
I hope you've found this guide to be a useful starting point. I always welcome
folks reaching out to me with questions, though I might take a little bit of
time to respond. You can always
email me.
If there's enough interest, I might cover the following topics in a future
post:
- Threat modelling, which you can get started with by reading the EFF's or
VCW's guides
- Browser addons for privacy, which Consumer
Reports has a tip for
- Secure DNS, which you can read more about here
Stay safe out there!
The original 
The twentythird release of 
If you d like to have a simple solution for managing all the secrets you re
using in your Ansible Playbooks, keep reading on. Bitwarden s Secrets Manager
You might have seen Policy will reject signature within a year warnings in apt(-get) update runs like this:
Ubuntu Pro is a subscription offering for Ubuntu users who want to pay for the assurance of getting quick and high-quality security updates for Ubuntu. I tested it out to see how it works in practice, and to evaluate how well it works as a commercial open source service model for Linux.
Anyone running Ubuntu can subscribe to it at 
If I had a large fleet of computers, Landscape might come in useful. Also it is obvious Landscape is intended primarily for managing server systems. For example, the default alarm trigger on systems being offline, which is common for laptops and desktop computers, is an alert-worthy thing only on server systems.
It is good to know that Landscape exists, but on desktop systems I would probably skip it, and only stick to the security updates offered by Ubuntu Pro without using Landscape.
If you care about supporting open source software, and still use MySQL in 2026, you should switch to MariaDB like so many others have already done.
The number of git commits on 
Due to newer MySQL versions deprecating many features, a lot of users also complained about significant struggles regarding both MySQL 5.7->8.0 and 8.0->8.4 upgrades. With few new features and heavy focus on code base cleanup and feature deprecation, it became obvious to many that Oracle had decided to just keep MySQL barely alive, and put all new relevant features (e.g. vector search) into Heatwave, Oracle s closed-source and cloud-only service for MySQL customers.
As it was evident that Oracle isn t investing in MySQL, Percona s Peter Zaitsev wrote 
In September 2025