staying safe online

This is an E-mail I typed out and figured it'd be fitting as its own public post:

If you want the closest thing to true anonymity from a software perspective, I'd suggest Tails because it's pre-configured to proxy everything through Tor. It can be run with a live CD / USB on bare metal, or it can be used in a virtual machine of the user's choosing (personally I use qemu for Linux, and I think virt-manager is a GUI frontend for it, but a lot of people may have heard of VirtualBox which is cross-platform). Even I use Tails for certain things although I consider myself to be proficient and able to set up my own anonymous system; sometimes it isn't worth the trouble when I need to be sure that my system is safe, though.

If you want an "everyday setup" where anonymity isn't key, but you still want security and casual privacy, drop Windows in favour of Linux, and grab the Tor Browser if you want to browse the Internet through Tor (not limited to onion websites, which seems to be a misconception for people "exploring the deep web"). Steam can play a lot of games in Linux, Wine can run many Windows programs, and as a last resort, a user can set up a Windows virtual machine or set up dual-booting (although from my understanding, Windows can fuck with dual-boot partitioning, so this might be an advanced topic. Personally I don't trust Windows with hardware access at all, anymore). One big issue (that unfortunately I have to face as well) is NVidia graphics support in Linux. The best solution to any NVidia issues is to replace the NVidia GPU with AMD, because AMD ships open-source drivers, or, if the user doesn't do much gaming, then it's likely fine to just use the integrated graphics from the CPU. It's an unfortunate fact that NVidia is very anti-consumer; if I had other suggestions you bet I would say so, but my friend and I (and many other people) have had nothing but issues with NVidia.

For additional safety, no matter whether you use Tor Browser in Tails, or Tor Browser in Linux, or even a normal browser in Linux like I do: I strongly suggest disabling JavaScript by default for sites you don't trust. In Tor Browser, it's as simple as clicking the NoScript icon in the toolbar to whitelist a website. There was a NoScript bug found not too long ago that allowed sites to bypass settings regardless, but this has since been fixed and hopefully there will not be similar incidents in the future. This is why I strongly dislike modern Web browsers; they're too big to make sure that they're entirely bug-free. (I personally use uMatrix instead of NoScript, because it's much more configurable and can block more than scripts, but it's probably not best to suggest in a "basic tips" YouTube video.)

Like I said in my previous E-mail, a VPN does not help with anonymity in any way. You can still stick in that sponsorship for PIA if you make clear it's only to keep users' Internet activity away from their own ISP, and it gives them a different IP address perhaps in a different country, if they so choose. This can be useful for accessing region-locked websites, for instance, or for casual privacy to prevent other people from finding someone's home IP address. The VPN can still see and track all users' activity, but my opinions of PIA aside, I believe from a business standpoint they will be very careful about what they do with user information. Just know though, depending on what country a VPN is based in, they might be forced to comply with requests for user information by law.

Enough about software; usually people are able to follow along until it comes to something scary: they aren't safe until they change their own behaviours as well. I was taught one thing as a kid: practically every year in school there was a poster or a computer lab teacher telling us "don't share your personal information with strangers online". This seems to have been forgotten with the rise of social platforms that encourage or require users to use their real info, and it's really sad that things have taken a turn for the worse in this regard. Even before I knew what Tor was, I never gave people so much as my name, and to this day, while I did say some dumb shit in my early teenage years (who hasn't done things before that seem foolish to them now?), I can at least say I don't regret how I handled my personal information during all these years. Nowadays, the Internet is a more hostile place, with more people understanding the power of "big data" and keen on collecting user information, and with all the serious threats regarding IoT security vulnerabilities (allowing for large-scale DDoS attacks for cheap, or potentially worse attacks against the devices themselves). So, it's more important than ever not to give anyone any information that one might regret sharing later.

Keeping a healthy amount of scepticism toward other users and services online has always been a rule of thumb as well, albeit one that's less talked about. (It's normally brought up by school librarians and English teachers, who urge students to ensure that their citation sources are credible.) A lot of people, especially on Tor, phrase it as "don't trust anyone", which is an imprecise piece of advice. It might be good advice for people who don't yet know what signs to look out for that tell apart a normal user from a con artist or a federal agent (and federal agents are perhaps best-equipped to produce convincing cover identities). I don't open up to many people online, but I have definitely made at least a couple real connections with Tor users. A lot of people, I don't need to trust, such as the people I ask to join the moderation team on Hidden Answers, or others I ask advice / questions from, for instance. In the former case, I give moderators just enough access to the site to do their jobs, and if a rogue moderator happens to slip through, the damage is normally easily reversible. And we have had some cases of rogue moderators -- usually just scammers who abused their position for extra credibility, though. In the latter case, I can use my own logic to verify whether someone's advice sounds reasonable, or I can cross-verify with other sources.