Cyber Security Best Practices and Ghosting Yourself (Update)

William K. Santiago
9 min read · Aug 20, 2021

How to Ghost yourself in a Technocracy

“Technocracy advocates contended that price system-based forms of government and economy are structurally incapable of effective action, and promoted a society headed by technical experts, which they argued would be more rational and productive.” (https://en.wikipedia.org/wiki/Technocracy_movement)

In order to start using cyber security best practices to Ghost your profile on the cloud, we first need to understand the “bread crumbs” we are leaving behind. This article will focus on smartphones, since they are the most used hardware devices, and on the operating systems individuals use on them daily, Android and iPhone.

Basic Steps

First, understand that for convenience purposes all mobile apps enable push notifications by default.

What are Push Notifications?

Push notifications are the alerts that apps send to your phone even when the apps aren’t open. Often appearing at the top or side of your screen, nearly every popular app uses push notifications in some way.

Push notifications allow app providers to reach you, which impacts your privacy. To Ghost yourself, this is one area to focus on. The best way to disable these and take control of which applications can use push notifications is through the Google wrapper service (microG) settings.

To truly become a Ghost, users need to detach as much as possible from any single web service provider like Google, Apple, Microsoft or AWS. Think of it as a diversified portfolio of web services, including new semi-decentralized ones like IPFS and FileCoin. Also focus on centralized web services that provide zero-knowledge technology, like SpiderOak.

Second, enable Two-Factor Authentication. The most important measure you can take to help keep your accounts secure is to enable Two-Factor Authentication (2FA). 2FA provides an additional layer of security for all your accounts. Once it is set up, you will be required to enter your password and a code that you generate on your phone using apps like Aegis or Authy; the use of security keys like a YubiKey is also highly recommended. A code sent to an email you control in order to sign in is preferable to a code sent by SMS, which is highly insecure.

Third, strengthen your password. Beyond adding 2FA, you can help protect your account with a strong password.

A strong password:

  • Has not been used elsewhere
  • Contains at least 10 characters
  • Includes uppercase and lowercase letters, numbers, and special characters

To help manage passwords, use a password manager like Bitwarden or LastPass to apply the recommendations above.

Fourth, secure your personal email account. Apply the above recommendations to the personal email(s) associated with all your important online accounts; treat this as a requirement. This helps prevent bad actors from gaining access to your accounts through your email(s). If possible, use reusable disposable email(s).

Besides the above four areas, review your phone number and email address. Verify that the phone number and email address listed on all your important online accounts are up to date and are valid, functioning ways to reach you that are not tied to your real identity.

Review your devices. In most of your important online accounts, look for ways to view the log of devices that have been used to log in to your account. We recommend reviewing the listed devices regularly and removing any you don’t recognize or no longer use, where possible.

Beware of phishing scams. Be careful when clicking on links in text messages and emails that you don’t expect or recognize. Look at the URL to make sure it corresponds to the originating sender. Most online services will never ask for your password or 2FA codes, or send you links, within text messages. In addition, most never ask you to download software or ask you for information regarding your accounts on other online platforms or services.
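The sender-versus-link check described above, as an added example that is not part of the original article: the script pulls the links out of a message, resolves the host a browser would really contact, and flags any host that does not belong to the expected sender's domain, covering the user-info “@” trick, look-alike subdomains and non-ASCII (homograph) hosts. The domains in the sample message are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Matches http(s) links inside free text (email body or SMS).
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lowercased host the browser would actually contact.
    urlsplit drops the userinfo before '@' and the port, so a lure such as
    'https://bank.example@evil.test/login' resolves to 'evil.test'."""
    return (urlsplit(url).hostname or "").rstrip(".")


def belongs_to(host: str, sender_domain: str) -> bool:
    """True only if host equals sender_domain or is a subdomain of it on a
    label boundary, so 'bank.example.evil.test' does not pass for 'bank.example'."""
    sender_domain = sender_domain.lower()
    return host == sender_domain or host.endswith("." + sender_domain)


def check_message(text: str, sender_domain: str) -> dict:
    """Sort every link in a message into 'ok' (matches the expected sender's
    domain) or 'suspicious' (different host, or a non-ASCII/homograph host)."""
    result = {"ok": [], "suspicious": []}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")                      # strip sentence punctuation
        host = host_of(url)
        if host.isascii() and belongs_to(host, sender_domain):
            result["ok"].append(url)
        else:
            result["suspicious"].append(url)
    return result


# Constructed sample message; the domains are placeholders, not real sites.
SAMPLE = (
    "Your account is locked. Verify now at https://bank.example@evil.test/login "
    "or https://bank.example.evil.test/verify. "
    "Your statements remain at https://secure.bank.example/statements."
)

if __name__ == "__main__":
    for kind, urls in check_message(SAMPLE, "bank.example").items():
        for link in urls:
            print(f"{kind:10s} {link}")
```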

Another tactic is marketing SMS sent to your phone asking you to reply Yes/No to receiving marketing information. Either reply, Yes or No, will reveal your triangulated location, reducing your privacy.

Types of Users

There are three types of users, with distinct privacy requirements and therefore distinct security levels, which may require two devices with two accounts each.

  1. Privacy Account/Device Type (Private): this user obviously requires pseudonymity and private account(s). An example would be self-custody, DeFi or self-sovereign transactions.

     Options:

       • Reuse of disposable email
       • SIM/eSIM with a Telco local number for a specific jurisdiction, purchased with physical untraceable ‘cash’ or virtual currency like Bitcoin/Lightning and/or Monero.
       • SIM/eSIM with data only, purchased with physical untraceable ‘cash’ or virtual currency like Bitcoin/Lightning and/or Monero.

  2. Public Account/Device Type (non-private): this user will require full KYC; the primary use would be social media accounts and full use of federated, centralized and surveilled infrastructure, which provides a fingerprint and the ability to track cookies. An example would be surveilled citizens, banking or company/employment custodian transactions.

     Options:

       • SIM/eSIM with a Telco local number for a specific jurisdiction, purchased with a traceable bank account or virtual currency like Bitcoin/Lightning and/or CBDC/stablecoins, fully KYCed.

  3. Public/Privacy Account/Device Type (semi-private): this user will require partial KYC; the primary use would be the social media accounts needed for services (i.e. Uber, Lyft) and full use of federated, centralized and surveilled infrastructure, which provides a fingerprint and the ability to track cookies. These surveillance applications and services can be disabled and controlled by sovereign individuals as needed.

     Options:

       • Combinations of the privacy account/device type and the public account/device type, configured by sovereign individuals to reflect specific needs and requirements.

These types of users are constantly reevaluating their privacy and security posture to determine which trade-offs to make, and are thus constantly aware of their online web presence. Most individuals will need a mental strategy for which tasks to perform on each account/device.

Another area to focus on is the physical SIM or virtual SIM (eSIM) used to enable users to become “Ghosts”.

SIM

You can purchase a SIM from your local wireless provider. If this provider requires KYC, then “Ghosting” becomes more difficult, so if possible pay in local cash (fiat currency) where there are no KYC requirements. If this is not possible, then an eSIM or virtual SIM would be preferred.

eSIM

Privacy-first eSIMs are offered by new global providers, providing global mobile 4G/5G internet access and an SMS number instantly and privately on any modern eSIM-compatible smartphone. One example is Silent.Link (https://silent.link/).

Another option for a global provider is Efani. Whether a SIM or an eSIM is chosen, great due diligence is necessary when choosing a carrier to provide this service, especially to prevent SIM swapping.

How does SIM swapping occur?

  1. A rogue hacker rings your mobile operator and requests a new SIM
  2. The unsuspecting operator tests their identity with relatively simple security questions such as your date of birth or favorite color, etc.
  3. The hacker answers at least one of the questions correctly and receives the new SIM
  4. The hacker is now able to take complete control of your phone, and through text message verification, also takes control of your email and bank account

The global secure telecommunication service from Efani (https://www.efani.com/) provides solutions and services such as multigrade verification, encryption, insurance coverage and excellent 24/7/365 support.

A good list of hardware and software to enable users to become “Ghosts”

One area of recommendation is to migrate to non-proprietary hardware and OS, given that Google’s base OS (Android) is open source while there is no open source option for the Apple iPhone.

Open source software is software whose source code is made freely available for possible modification and redistribution.

There are some security- and privacy-centered projects that develop open source OSes specifically for Android phones, using this Google-based open source software as a base.

CalyxOS is the most popular and the one I will be recommending here, given that I have been using it for some time as my main smartphone OS (https://calyxos.org/).

My CalyxOS installation on my Pixel took about 8 minutes, all without a hitch.

I am currently installing all security apps like VPN etc. and the apps I need that require privacy.

I am continuing with apps like maps, chat, and maybe even banking apps like PayPal etc., using the integrated firewall and the Google wrapper service (microG).

This OS is truly innovative and a game changer, like Ubuntu was for Linux desktops back in the day.

Once you unlock your bootloader, remember to lock it again, which re-enables the Secure Enclave. (A secure enclave provides CPU hardware-level isolation and memory encryption on every server by isolating application code and data from anyone with privileges, and encrypting its memory.)

This setup makes Android phones 100x more secure than iPhones.

Android hardware that is supported at the moment is:

  • Pixel 4a (5G)
  • Pixel 5 (redfin)
  • Pixel 4a (sunfish)
  • Pixel 4 XL (coral)
  • Pixel 4 (flame)
  • Pixel 3a XL (bonito)
  • Pixel 3a (sargo)
  • Pixel 3 XL (crosshatch)
  • Pixel 3 (blueline)
  • Pixel 2 XL (taimen)
  • Pixel 2 (walleye)
  • Xiaomi Mi A2 (jasmine_sprout)

The next step is to separate your online web services across security- and privacy-centric service providers.

Here is a list of some recommended ones:

Replacements for Google Services

Google Search → DuckDuckGo (free)

Let’s start off with the easiest one! Switching to DuckDuckGo not only keeps your searches private, but also gives you extra advantages such as its bang shortcuts, handy Instant Answers, and knowing you’re not trapped in a filter bubble.

Gmail, Calendar & Contacts → FastMail (paid), ProtonMail (free with paid options), Tutanota (free with paid options)

FastMail is an independent, paid service that also includes calendar and contacts support across all devices. There are also several ways to get encrypted email between trusted parties by integrating PGP encryption tools. Even more private email alternatives are ProtonMail and Tutanota, both of which offer end-to-end encryption by default.

YouTube → Vimeo (free with paid options)

For videos that are only on YouTube (unfortunately, a lot), you can search for and watch them on DuckDuckGo for better privacy protection via YouTube’s “youtube-nocookie” domain. If you’re creating and hosting video yourself, however, Vimeo is the best-known alternative which focuses on creators.

Google Maps → Apple Maps (free), OpenStreetMap (free)

For iOS users, Apple gives you an alternative built in via Apple Maps, so no installation is necessary. For wider device support, check out OpenStreetMap (OSM) which is more open, though may not have the same ease-of-use or coverage quality as Apple Maps.

Google Drive → Resilio Sync (free with paid options), Tresorit (paid)

Resilio Sync provides peer-to-peer file synchronization which can be used for private file storage, backup, and file sharing. This also means your files are never stored on a single server in the cloud! The software is available for a wide variety of platforms and devices, including servers. An alternative cloud storage and backup service with end-to-end encryption is Tresorit.

Android → iOS (paid)

The most popular alternative to Android is of course iOS, which offers easy device encryption and encrypted messaging via iMessage by default.

Google Chrome → Safari (free), Firefox (free), Brave (free), Vivaldi (free)

Safari was the first major browser to include DuckDuckGo as a built-in private search option. A more cross-device compatible browser is Mozilla’s Firefox, an open source browser with a built-in tracker blocker. Brave goes one step further with tracker blocking switched on by default. There are also many more browsers that come with DuckDuckGo as a built-in option, such as Vivaldi, which is well suited for power-users.

As described above, this article mostly focuses on the Android platform versus the Apple iPhone, because Apple is closed source, just like Windows and IBM software. This means there are trade-offs between convenience and security and privacy. The Apple iPhone might be more secure and convenient, but you as an individual are trusting the company Apple with your security and privacy in exchange for that convenience, so it becomes a personal choice.

To summarize, in order to start using cyber security best practices to Ghost your profile on the cloud, the key is what traces we leave behind on the cloud. What OS we choose will dictate what hardware enables us to better reduce our footprint and thus Ghost ourselves on the cloud. This is a gradual process, not easy to accomplish at once, but achievable in simple small steps.


William K. Santiago

Founder & CEO, C4 CBP at PrivKey LLC, Blockchain strategist, cybersecurity