Obligatory blog post quote incoming...

Safety expert Shayne Connolly once wryly noted on their blog: "I guess the company tag line of 'We are here for the profit, let's try not to hurt anyone' isn't great for PR though". 1

While their cynical observation captures a harsh truth, it raises important questions about how we approach safety and security.

This tension exists in all industries, including technology and cybersecurity. As we mark another May Day, it's clear we must take security and safety into our own hands rather than waiting for institutions to prioritize it for us.

We need to not only implement these practices ourselves but teach others and advocate for better security standards at all levels.

Before diving into technical tutorials in future posts, I want to establish these essential security foundations that everyone should consider and share.

Zero Trust Principles

The concept of "Zero Trust" has transformed enterprise security, but its core principles are valuable for everyone: 2

  • Do not blindly trust an individual or system
    Just because something looks legitimate doesn't mean it is. From emails to applications, maintain healthy skepticism.
  • Always verify, do not trust by default
    Take the extra step to confirm identities and security of systems before sharing information or access.
  • Limit the blast radius if damage is done
    Compartmentalize your digital life so a compromise in one area doesn't spread to everything.

These principles apply universally, whether you're running a corporation or just managing your personal accounts. A practical application: assume any information you share online could potentially be leaked to anyone. This mindset helps you make better decisions about what to share and where.

The source I used for these Zero Trust principles was CrowdStrike. Ironically, people seem to have zero trust in them as a company after a recent software blunder that took down airports and hospitals.

Modern Threats: Phishing and AI Impersonation

Today's threats are far more sophisticated than the obvious scams of the past. Consider:

  • Advanced Phishing: Attackers now research targets extensively, creating personalized messages that reference real events, colleagues, or recent activities to appear legitimate.
  • AI-Generated Content: Deepfakes now extend beyond video to voice cloning and text generation. An AI can imitate your boss's writing style or even recreate a loved one's voice asking for urgent help.
  • Multi-Platform Attacks: Sophisticated attackers coordinate across channels—starting with an email that references a legitimate text message they sent earlier.

The level of sophistication means you should expect attacks that:

  • Appear to come from trusted sources
  • Contain accurate personal details
  • Create artificial urgency or emotional pressure
  • Show few obvious language or formatting errors

(And no, I'm not describing your average cold sales call, though the similarities can be striking! The difference is that legitimate salespeople merely want your money upfront, while scammers want your credentials, identity, or both. At least the salesperson will send you something in return—even if it's just another sales person.)

🚩 Watch for Phishing Red Flags 🚩

Be alert to these common warning signs:

  • Poor grammar or spelling in messages from supposed professional sources
  • Urgency or unusual requests ("Act now or your account will be closed!")
  • Suspicious sender addresses (check the actual email address, not just the display name)
  • Questionable link destinations (hover before clicking to see where they really go)

Today's scammers particularly love pushing cryptocurrency investments, obscure stocks, or exotic financial schemes with promises of extraordinary returns. If someone you just met is eager to help you invest for "guaranteed" profits, your financial safety is probably not their priority.

Identity Verification Practices

When someone contacts you or you're working with someone online:

  • Implement Multi-Channel Verification: If someone emails you, call them on a known number to confirm before taking action.
  • Request Impromptu Video Calls: Ask for a spontaneous video call where you can see the person in real-time—AI can't yet convincingly participate in unplanned live interactions.
  • Look for Competency Indicators: Someone who claims to be a specialist should demonstrate depth of knowledge beyond what's publicly available. Ask detailed questions about their claimed expertise.
  • Verify Humanity: Ask about recent events that haven't had time to be incorporated into training data, or request specific actions during video calls that would be difficult to fake.
  • Trust Your Instincts: If something feels "off" about an interaction, take extra verification steps before proceeding.

Free Security Tools

After years of experience and careful analysis of the security tool industry, I've filtered down to this set of free tools that provide the best balance of security, usability, and trustworthiness:

🔄 Regularly Updated: This section is routinely updated with the latest and most effective security tools as they emerge and evolve. Last updated: May 15, 2025.

Password Management

  • Bitwarden: Open source, free tier available (Download Bitwarden)
  • Bitwarden undergoes regular third-party security audits to verify its security claims
  • Implementation Tip: Start by adding your most critical accounts like email, banking, and social media

Two-Factor Authentication (2FA)

  • OTP Auth: Recommended for iOS users, download from the official app store
  • Aegis Authenticator: Recommended for Android users, download from the Google Play Store or f-droid store
  • Your phone/email: Built-in options for laptops/desktops
  • Implementation Tip: Prioritize enabling 2FA on accounts that control other accounts (like your primary email, Apple ID, or Google account).

VPN Protection

  • ProtonVPN: Free tier with servers in multiple countries, no data caps
  • ProtonVPN maintains a strict no-logs policy, verified by independent security audits
  • Implementation Tip: Use automatically when on public WiFi networks
  • For those willing to spend $5/month, Mullvad VPN offers premium features with exceptional security. They even accept cash payments by mail for complete anonymity. 💵
  • Like ProtonVPN, they maintain transparency through regular security audits
  • Implementation Tip: Use automatically when on public WiFi networks

Browser Security

  • Firefox: A privacy-focused, open-source browser with strong customization options
  • Tor Browser: Provides enhanced anonymity specifically for users needing stronger privacy protections or censorship circumvention
  • uBlock Origin: Use this powerful extension to block ads and trackers efficiently; its open-source nature and effectiveness are widely recognized
  • Privacy Badger: From the EFF, this extension learns to block invisible trackers, complementing list-based blockers like uBlock

Secure Communication

  • Matrix/Element: Open source, encrypted messaging platform available on virtually all devices (Download Element)
  • Matrix is the protocol (like email) while Element is the most popular app that uses it (like Gmail)
  • Implementation Tip: Create a room for your family or close friends to share sensitive information
  • Your current email + PGP: Add end-to-end encryption to your existing email with Mailvelope
  • Mailvelope is a browser extension that enables OpenPGP encryption in your webmail
  • Implementation Tip: Perfect for those who want to secure their existing email workflow
  • Proton Mail: Privacy-focused email service with built-in encryption (Sign up for Proton Mail)
  • All emails between Proton users are automatically encrypted
  • Implementation Tip: Good option if you're willing to switch email providers for enhanced privacy

Note: I am not sponsored by any of these tools. Stay curious and skeptical about all software tools you use, and always do your own research before implementation.

Vetting Security Tools

When evaluating security tools, consider these criteria:

Transparency and Oversight

  • Look for clear privacy policies that explicitly state what data is collected and how it's used
  • Prefer open source solutions where the code can be inspected by the community
  • Check for recent independent security audits (and their outcomes)

Development Indicators

  • Active development with regular updates and security patches
  • Responsive community support and bug handling
  • Transparent business model that doesn't rely on selling user data

Where do I start?

  • Audit Reports: Look for published security audit reports on the tool's website or in security databases
  • Privacy Policy Reading: Focus on data collection, sharing practices, and retention policies

Updates and Maintenance

  • For non-technical users: Enable automatic operating system updates. The minor inconvenience of an occasional restart is far outweighed by the security benefits.
  • For technical users: Consider your OS, current projects, and potential impacts before updating. Schedule regular update periods (e.g., every two weeks) to review and apply updates thoughtfully.
  • Prioritize security updates: When you see the words "security vulnerability" or "critical update," that's your cue to update immediately.
"While updates are super annoying, they are often worth the wait."
— Me

Considerations & Cautions

Despite the benefits of open source security tools, remain aware of:

  • Software Supply Chain Issues: Even well-respected tools can be compromised if someone manages to sneak malicious code into their components or distribution methods. Think of it like food recalls—sometimes the problem isn't with the restaurant but with an ingredient supplier. A recent example: malicious npm packages infected over 3,200 projects by targeting the source code itself.

Who Benefits Most?

These security tools and practices are particularly valuable for:

  • Individuals in regions with restricted internet freedom: Tor Browser and VPNs can help circumvent censorship and surveillance.
  • Journalists, activists, and whistleblowers: Matrix/Element's end-to-end encryption can protect sensitive communications.
  • People living under authoritarian governance: Which, it's worth noting, can include parts of governments at various levels in many countries, including some agencies and departments within the United States.
  • Small businesses without security teams: These tools provide enterprise-level protection without the enterprise budget.
  • Anyone concerned about data privacy: As data collection becomes more pervasive, these tools help maintain control over your digital footprint.

Wrap-up

Before adding your work, data, or identity to the internet, establishing these security foundations is essential. Start simple: just one practice from this post goes a long way.

Need help setting up these tools? Drop me a line on LinkedIn or Bluesky.

— Matt



References