Last active April 5, 2024 21:22

Simple Security Guidelines

Using an iDevice? (Best option)

  • Use an iPod or an iPad without a SIM card
  • Use an iPhone
  • Do not jailbreak
  • Always upgrade to new iOS versions
  • Use Brave browser

Need Secure chat?

  • Use Signal (iOS + Android)
  • Use Wire (iOS + Android)
  • Avoid desktop versions
    • Optional: use an iPad [Pro] with a smart keyboard
      • register Signal w/ a phone (burner, anonymous SIM, etc)
      • register Wire w/ an email address (ProtonMail is free)
  • Use Conversations w/ OMEMO (Android, unfortunately the only implementation of OMEMO for general use right now)
  • Use on desktops
  • Do not use: Telegram, LINE, Kakao, WeChat, Viber, Hangouts, etc.
  • WhatsApp, Facebook Messenger (Private chat), are acceptable (high security, high surveillance)

Using Android?

  • Do not root your device
  • Do not enable Developer Mode
  • Use a Nexus or Pixel (gets latest patches w/o carrier/vendor barrier)
    • Run the latest version, always
    • Optional: run CopperheadOS
  • Optional: use a flagship Samsung (or Nokia) purchased direct, not through a telco
    • These devices tend to get timely security updates
  • Don't have a Nexus or Pixel? Install LineageOS (official builds only)
    • Run the latest version, always
  • Use Brave browser

Using a ChromeBook?

  • Do not enable developer mode
  • Use Termux for a console environment

Using Windows?

  • Use 10 or 8.1, nothing earlier.
  • Use EMET

Using Office?

  • Do not enable macros. Ever.
  • Find and disable Flash

Using macOS?

  • Install patches and updates immediately
  • Enable the firewall
    • Disable "signed apps"
    • Enable "block inbound"
    • Optional: enable "stealth"
  • Install Objective-see tools
    • Do Not Disturb
    • BlockBlock
    • KnockKnock
    • RansomWhere
    • OverSight
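The three firewall settings above (block inbound, no automatic allow for signed apps, stealth) are set through the Application Firewall. As an added example that is not part of the gist, a POSIX shell check that audits the status text `socketfilterfw` prints against those recommendations; the sample status lines are constructed to mirror that tool's output and may differ slightly between macOS versions.

```shell
#!/bin/sh
# Added example (not from the gist): audit the macOS Application Firewall
# against the recommended settings: firewall on, block all inbound,
# no automatic allow for signed apps, stealth mode on (optional).
# On macOS the status text comes from:
#   /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate \
#       --getblockall --getallowsigned --getstealthmode
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Reads firewall status text on stdin, prints one FAIL line per deviation
# from the recommendation, and succeeds only when nothing deviates.
audit_firewall_output() {
    _text=$(cat)
    _bad=0
    # _expect PATTERN MESSAGE: PATTERN must appear (case-insensitive) in the text
    _expect() {
        if ! printf '%s\n' "$_text" | grep -qi -- "$1"; then
            echo "FAIL: $2"
            _bad=$((_bad + 1))
        fi
    }
    _expect 'Firewall is enabled'                 'firewall is off'
    _expect 'Block all ENABLED'                   'inbound connections are not blocked'
    _expect 'built-in signed software DISABLED'   'built-in signed apps are auto-allowed'
    _expect 'downloaded signed software DISABLED' 'downloaded signed apps are auto-allowed'
    _expect 'Stealth mode enabled'                'stealth mode is off (optional)'
    [ "$_bad" -eq 0 ]
}

# On a real macOS host: query the live state and audit it.
audit_live_firewall() {
    "$FW" --getglobalstate --getblockall --getallowsigned --getstealthmode |
        audit_firewall_output
}

# Constructed sample (assumed wording): typical defaults before hardening.
SAMPLE_DEFAULT='Firewall is disabled. (State = 0)
Block all DISABLED!
Automatically allow built-in signed software ENABLED
Automatically allow downloaded signed software ENABLED
Stealth mode disabled'

# Constructed sample (assumed wording): after applying the settings above.
SAMPLE_HARDENED='Firewall is enabled. (State = 1)
Block all ENABLED!
Automatically allow built-in signed software DISABLED
Automatically allow downloaded signed software DISABLED
Stealth mode enabled'
```

Run `audit_live_firewall` on the Mac itself; a non-zero exit status with the printed FAIL lines tells you which of the three settings still needs changing.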


  • Enable full disk encryption (FDE)
    • Use a special encrypted vault for sensitive files
      • VeraCrypt cross platform
      • CryFS (Linux, sorta macOS)
      • Encrypted disk image (macOS)
  • Require a password to unlock
  • Apply patches
  • Use backups. Secure your backups, they contain your secrets.

Use a password manager!

  • Use KeePass, free, cross platform, but clunky UI/UX
  • Use 1Password, not free, iOS/macOS, good UI/UX
  • Never use a cloud based password manager
  • Never enable integration between your browser and password manager


  • Enable two factor authentication whenever possible
    • OTPauth iOS/macOS only
    • Authy
    • FIDO (YubiKeys)
    • Duo
    • SMS (last resort, but better than nothing)

Web Browser

  • Use Chrome
  • Use Edge
  • Do not use Safari
  • Do not use IE
  • Do not use Firefox, yet (until they enable sandbox by default)

Use an ad blocker

  • Install uBlock Origin

  • Install HTTPS Everywhere

  • Install uBlock Origin Extra

  • Optional: Install Privacy Badger

  • Disable Flash (on Chrome you can still right click to play)

Use a VPN

  • (Self hosted option: algo) - Best
  • ProtonVPN offers free VPN service - Ok
  • CryptoStorm has a privacy preserving business model - OK
  • Use WireGuard, self hosted, still new but very promising - Good
  • Use Freedome (iOS, Android, macOS), not free, trivial to use - OK

@londonontech Safari on Windows was discontinued a long time ago and has not been receiving security updates, but the advice is for both OS X and Windows as in general it's not a very secure browser.


After installing and enabling EMET 5.5, go to Trust and Pinning Rules and enable PublicKey Match for MicrosoftAccountCA.

(Allowed Country won't do any good if they use Symantec CA to spoof certificates for the updater.)


  • Do NOT use Chrome. Use Inox or ungoogled-chromium. It's Chromium with everything Google removed, no spyware.
  • Qupzilla is a good browser too, 100% Open Source.
  • Do NOT use Google Search. Do NOT use DuckDuckGo. Use SearX, it's 100% Open Source.
  • LibreOffice is a very good replacement for Office.
  • Try NOT to use PDF; use ePub. It's the same, but internally it's HTML5/CSS3 and can't run JS. PDF executes arbitrary code, ePub doesn't, by design.
  • Use a Unicode Emoji in passwords.
  • Put a sticker on the webcam if you don't use it.
  • Put a sticker on the IR remote receiver if your notebook has one and you don't use it.


ghost commented Aug 18, 2016

Mac OS X:

Just some general tips for Mac OS X, feedback welcome.


  • Enable FileVault 2 with a STRONG password
  • Set a STRONG firmware password on your device
  • Be aware of the iCloud password-reset backdoor - see the second link under Read below
  • Disable all of Apple's iCloud Spyware, Backup, Drive, FindMyDevice, Calendar, Weather, etc.
  • Use a strong password on your Apple ID and enable 2FA, DO NOT REUSE THIS PASSWORD!
  • Install BlockBlock and RansomWhere - (has other nice tools as well btw.)
  • Get a license for Little Snitch and Micro Snitch -
  • Ensure you are on the latest version + patchlevel, disable 'silent upgrades', check periodically by hand
  • Disable all unneeded interfaces and ports such as Firewire, Bluetooth, Ethernet, Wifi, etc.
  • Disable all Cloud-related shit such as iCloud, other sync shit like geod, ical, etc.
  • Some tape for Mic + Cam or better disassemble and remove the hw parts if possible
  • Limit the app execution mode to signed apps from the App Store only
  • Set a short sleep timeout and enable FV2 key destruction on standby
  • Enable OSX's firewall and block all inbound traffic (advanced block mode)
  • Use custom DNS servers you trust and feel comfortable with such as OpenDNS
  • Personally I believe there is no need for anti-virus on a Mac, otherwise use ClamAV or MalwareBytes
  • Use a secure password manager such as Keepass - (Lastpass is ok too, but probably less secure)
  • Use VeraCrypt for usb drives or very sensitive data
  • Always use VPNs+Proxy if in public wifi
  • Disable IPv6 when not needed


  • Firefox or Chromium (not Google Chrome) (always keep it up to date)
  • NoScript, uBlock and HTTPSEverywhere addons (optionally UserAgentSwitcher - nice to mitigate exploits by faking IE6 lol)
  • No flash, silverlight, java, etc. disable all plugins, use click2play or even better UNINSTALL them completely!
  • Disable WebRTC completely, too many holes in that cheese
  • Purge all creepy CAs from your browser (there are a plenty of them...)
  • For more Firefox hardening stuff see


  • Set-up your OWN, SECURE mail servers (if possible)
  • NEVER use imap/pop3/smtp without TLS, big fail!
  • Get the GPGTools suite for Apple Mail -
  • Sign and encrypt your mails and attachments whenever possible


  • Regularly audit your system with the LockDown utility from
  • Regularly run TaskExplorer, KnockKnock and DHS from
  • Regularly check ALL system logs for anomalies including LittleSnitch's log
  • Regularly check kextstat + launchagents and launchdaemons and tmpdirs
  • Wipe stuff with diskutil secureErase if required (not recommended with SSDs)



taoeffect commented Aug 18, 2016

That's a great list @schallertd! Regarding this:

Regularly audit your system with the LockDown utility from
Regularly run TaskExplorer, KnockKnock and DHS from

See cautions.


dguido commented Aug 27, 2016

@taoeffect, you're welcome to disassemble the binaries for Objective-See just like everyone else. There are no backdoors. Avoid useful tools at your peril. BlockBlock and TaskExplorer are the best things out there to keep yourself safe, and they come from someone who would know what it takes to do that! Last point to remember: everyone needs security. Patrick is an avid OS X user and wrote the tools as much for himself as for everyone else. There's no good reason to sabotage them.


Thanks for sharing


Isn't Brave a better option than Chrome/Chromium?


ghost commented Jun 27, 2018

EMET - Support for Windows ends on July 31. Any suggestions on an alternative?


opfuchs commented Jul 20, 2018

Fantastic resource. Some things I might add, though I may be mistaken:

  • A "using linux?" section. Granted this is probably not ideal for most end users, but there are some in e.g. science and industrial R&D who really need desktop Linux, and best practices would be useful here.
  • Use KeePassXC on Linux - KeePassX (original) is abandoned - or regular KeePass as recommended above (now available due to Mono).
  • Chromium is an easy option on most Linux distros, in addition to regular Chrome and Edge (for desktop).
  • Algo is amazing, but doesn't have the "hide in the crowd" effect of public/multi-user VPNs there. May want to discuss what one is trying to do.
  • Last I checked Freedome has a Windows desktop client, though this may have changed.
  • Glasswire on Win10.
  • (maybe) disable Powershell v2 and SMBv1 on Windows (in Turn Windows Features On and Off) depending on use case.

Thanks for the incredible resource!


ondrj commented Dec 15, 2018

  • Set-up your OWN, SECURE mail servers (if possible)

Are you OK?


ondrj commented Dec 15, 2018

Basically there is no need to add anything.


I use bitwarden as my password manager, and it's quite good and secure.


Don't root but install a custom ROM. How? You need to do the first to do the second.
Also Samsung custom ROMs do not allow FDE.
Recommending chrome over Firefox....


grugq commented Aug 30, 2019 via email


Then you have TWRP anyway and you are vulnerable then.
Samsung supports FDE only on official stock firmware. Knox gets completely disabled when you root or flash custom firmware.


grugq commented Aug 30, 2019 via email


grugq commented Aug 30, 2019 via email


On Samsung you do.


grugq commented Aug 30, 2019 via email


I'm 100% sure that Signal is not about privacy. It's the same as Telegram/Viber. Also guys, never use Brave. It's advertised everywhere only because of money and their affiliate program. My own fresh list of privacy tools is available at (only free tools, open source, and I try to give a choice of which tool to use). This way not everyone will be affected if some tool is compromised.


CopperheadOS developer has left that company and the most secure android ROM now is GrapheneOS by same developer. Seems to mainly support Google Pixels but massive security improvements.
