Ep. #5: Preventing Accidents From Happening

How to Be Prepared & Proactive

December 13th, 2018

Today's newsletter is based on something we normally don't consider: stopping problems before they begin. To be more specific, I want to focus this episode on choosing tools and techniques which minimize or eliminate some of the most common and widespread hacking vectors.

The Problem

Email is an extremely powerful way for hackers to gain control of your data or, worse: your computer. This is made possible because (a) it's very cheap for hackers to send millions of automated emails every hour and (b) most everyone checks emails and then usually clicks on the links in those emails — even though doing so is dangerous. Clicking on malicious links in emails (or when casually surfing online) is something that all of us — even security advocates — do from time to time.

But what if there were a way to click those links safely? What if there were a way to check email and surf online without worrying about our computer system being corrupted by clicking on a link? Good news: I'm here to tell you that this is possible and, in some cases, very easy to implement.

Most people, especially those who work for any corporation, check their email and surf the web via a computer. I realize saying that sounds ridiculous because you're probably thinking "What other option do I have to check my email or surf the web than a computer?!?" Quite a few, as you're about to learn.

The Solutions

There are only a few categories of workarounds when it comes to hacking:

  1. Avoid being hacked (not gonna happen).

  2. Use a system that eliminates or minimizes hacking (easy to implement).

  3. Use a system that can be hacked but quickly returned to a "clean" state (also easy to implement).

Today, the solutions we'll be discussing will focus on the last two of these workarounds.

Solution #1: Only surf the web or check email with an iOS device.

There's no reason to beat around the bush on this: researchers now estimate that 99 percent of all mobile malware is targeted at Google's Android operating system. Therefore, although you're not 100% safe on ANY platform, it's a very smart move to buy and use an iOS device to avoid the worst malware on the planet. How did Apple achieve this? Two reasons: both their OS and their App Store are extremely locked down. Because most traditional computers have a changeable operating system — think Windows 10, the macOS or Ubuntu — viruses and malware you accidentally download can be granted admin rights to burrow into that operating system, make changes, and then hold you hostage. This is precisely what ransomware does. Therefore, if you use a computer or device with an unchangeable OS, you'll be safer and less prone to malware. Should you grab an iOS device and start clicking on any link in any email? Or should you surf the web thinking you and your precious Apple device are impervious to any attack? Uh, no: never think that, young grasshopper. But give yourself the gift of using the safest consumer platform available. For now.

Solution #2: Only use a VM to surf the web or check email. Always use the "snapshots" feature to save and, if necessary, restore your OS to a pristine state.

There's no reason you HAVE to use the OS that comes with your computer. For example, I own an Apple computer but I frequently work on another, virtual OS which runs a Linux variant called Ubuntu. That OS and the virtual software which runs it - called "VirtualBox" - are 100% free for you to download, set up and run. I won't walk you through how to do that here (you can find some great guides online for that), but I will suggest that you always use the feature called "Snapshots". Once you've set up your VM operating system — and you can set up Ubuntu, Windows, or the macOS — taking a snapshot of it will allow you, time and again, to return to that perfect and pristine operating system. Then, if you should click on a virus, trojan or malware worm, you can always revert to your last snapshot. Users of Apple's Time Machine backup software will recognize this concept instantly. Only using a VM and a snapshot will ensure that your ENTIRE OPERATING SYSTEM is returned to its last known and fully healthy state.

[Image: the virtual Ubuntu OS running on my Mac]
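The snapshot-and-revert routine described above can be scripted with VBoxManage, the command-line tool that ships with VirtualBox. This is an added example, not part of the original newsletter; the VM name "Ubuntu-Browsing" and snapshot name "clean-baseline" are hypothetical.

```python
import subprocess
import time

VBOX = "VBoxManage"  # VirtualBox's command-line tool, assumed to be on PATH


def vm_state(vm, run=subprocess.run):
    """Return VirtualBox's VMState for the VM, e.g. 'running' or 'poweroff'."""
    out = run([VBOX, "showvminfo", vm, "--machinereadable"],
              check=True, capture_output=True, text=True).stdout
    for line in out.splitlines():
        if line.startswith("VMState="):
            return line.split("=", 1)[1].strip().strip('"')
    raise RuntimeError("VMState not reported for " + vm)


def take_snapshot(vm, snapshot, run=subprocess.run):
    """Record the current (known-clean) disk and settings under a name."""
    run([VBOX, "snapshot", vm, "take", snapshot], check=True)


def revert_and_start(vm, snapshot, run=subprocess.run, poll=1.0, timeout=30.0):
    """Discard everything since `snapshot` and boot the clean system again."""
    if vm_state(vm, run) in ("running", "paused"):
        # Hard power-off: nothing from the suspect session is worth saving.
        run([VBOX, "controlvm", vm, "poweroff"], check=True)
        deadline = time.monotonic() + timeout
        while vm_state(vm, run) != "poweroff":  # wait until the VM has stopped
            if time.monotonic() > deadline:
                raise TimeoutError(vm + " did not power off")
            time.sleep(poll)
    run([VBOX, "snapshot", vm, "restore", snapshot], check=True)
    run([VBOX, "startvm", vm, "--type", "gui"], check=True)


if __name__ == "__main__":
    # Hypothetical names: substitute your own VM and snapshot.
    revert_and_start("Ubuntu-Browsing", "clean-baseline")
```

Take the snapshot once, right after installing and updating the guest OS, then run the revert after any session in which you clicked something you regret.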

Solution #3: Only use a "container" to surf the web or check email.

This is a very trippy solution, but here's the explanation in a nutshell: rather than using your own computer to do these tasks, you'll instead log onto a virtual OS in the cloud and do your email and surfing there. Wait: what?! That's right: thanks to the magic of the cloud and the ingenuity of programmers, you can now log onto a virtual OS which is hosted in a secure "container" in the cloud and do all of your dangerous surfing and email chores there. As a result: there's no OS for a hacker to manipulate with malware. Here is a picture of the Silo system by Authentic8 that I set up recently: it runs as an application on my Mac or PC but looks like and functions as a virtual browser, allowing me to visit any of the websites I'd normally visit, but doing so on Silo's secure cloud instance and not on my own computer. Silo costs $100/yr for any user with additional costs for those with deeper security concerns or an entire network of employees.

Here is a picture of a competing product called Turbonet that I set up: it also runs as an application on my Mac or PC but allows me to use any number of applications or browsers — Chrome, Firefox, Edge & Internet Explorer, even Tor and more — either on my host computer or, more importantly, via their secure cloud instance. Turbonet is polished and very expensive but, unlike Silo, is aimed at corporate users, not individuals, so mention this to your IT manager: I'm sure she'll be interested in this kind of solution that helps isolate certain kinds of hacking.

So there you have it. Give those solutions a shot and let me know how it goes. Just remember: the solutions I've discussed above aren't a substitute for good, old-fashioned common sense. You must always practice common sense before clicking on any link, whether it's in an email or on a website. In general, that means you should NEVER click on any link if:

  1. You don't recognize who sent the email.

  2. You can't verify that BOTH the name of the sender AND the actual email address are correct.

  3. Your instincts tell you the webpage looks suspicious.

  4. You haven't first confirmed that the URL is what you think it should be and that it's associated with the proper domain. For example, a Google security webpage won't have a URL that looks like http://mailergooglesecurity.bestmediajinx.ru

  5. You haven't verified - by phone - that your bank, credit card or the IRS really do need your personal info. Hot tip: these institutions will almost always call you from a verifiable phone number or send snail mail when they need something.
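Rules 2 and 4 above both come down to reading the real domain instead of the text that merely looks familiar. The following added example (not part of the original newsletter) shows that check in Python; the sample sender lines are constructed, and only the URL from rule 4 comes from the text above.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit


def in_domain(host, expected):
    """True only if host is `expected` itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    # The leading dot matters: "notgoogle.com" must not pass for "google.com".
    return host == expected or host.endswith("." + expected)


def link_host(url):
    """Hostname the browser will really contact (any 'user@' prefix is ignored)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a web link: %r" % url)
    return parts.hostname


def link_is_from(url, expected):
    """Rule 4: is this link really on the domain you think it is?"""
    return in_domain(link_host(url), expected)


def sender_is_from(from_header, expected):
    """Rule 2: judge the sender by the address, never by the display name.
    A matching address can still be forged; this only catches mismatches."""
    _name, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return False
    return in_domain(addr.rsplit("@", 1)[1], expected)


if __name__ == "__main__":
    links = [
        "http://mailergooglesecurity.bestmediajinx.ru",  # from rule 4 above
        "https://google.com@bestmediajinx.ru/login",     # constructed
        "https://accounts.google.com/signin",            # constructed
    ]
    for url in links:
        print(link_host(url), "->", link_is_from(url, "google.com"))
    # Constructed sender line: friendly display name, unrelated address.
    print(sender_is_from('"Google Security" <alerts@bestmediajinx.ru>', "google.com"))
```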

If you liked what you read today, please: feel free to forward this email to friends and family. This email & post is a part of my free-to-all series. Only paying members have access to my deeper, paid newsletter and archives.