Ask HN: What tech advice are you giving to those around you for 2023?
You have probably given advice to the vulnerable young and older people (as well as to self-declared "technotwits") about technology in the coming year.
What are your top 5 tips for the coming year? I'm advising:
* Do upgrade any device that doesn't receive OS updates (mobile devices are a particular concern)
* On mobile, do use an encrypted chat app (e.g. Messages with RCS, Signal, &c)
* Don't use identifying information as a password and don't re-use passwords
* Don't answer phone calls from unknown sources
* End any communication where someone asks you to do something insecure (e.g. "give me your password so I can check your account")
94 comments
[ 240 ms ] story [ 2006 ms ] threadIt's lost me some friendships, which is sad, but I'm not going to stop.
If you question if your electronic device has exploitable vurnabilities, the answer is absolutely yes.
Don't store private info on your electronics, if you can't handle them leaking. (Nude photos, bank credentials)
Commercial VPNs are not as useful and secure as you think.
I personally cover the front facing cameras on my laptop and mobile, on the assumption that if someone were to gain access to my phone, that's the first thing they would look at.
Don't connect to random public WiFi. If you do, don't login to any online account on it, or send confidential information.
While this is good advice in general, I have seen that people do end up having to connect to public WiFis in general (airports, traveling in a foreign country, lost LTE connections). I advise people never to accept "Insecure connection" warnings in browsers, with TLS in place and HSTS, practically the risk is very low.
> MitM on android works very well if you just use an app without a browser view.
Do you have any examples showing this? Popular http clients like okhttp on mobile devices do perform TLS validation based on trusted CAs stored on the device. You would have to go out of your way to make them trust self-signed certificates to perform MITM or compromise a CA to issue you a certificate to allow MITM.
Why? TLS establishes secure channels over insecure networks.
And boom now you have their answers to security questions to reset their passwords.
TLS directly addresses this.
Are there any example of this actually happening? It seems like an old wives tale. The simpler explanation for why these posts are so popular is that they generate a lot of engagement, especially in the form of unique comments and number of commenters, which is a signal used for ranking and helps increase reach of these accounts.
That's highly contingent on the "as you think" part.
For example, I use ExpressVPN on public WiFi networks because I trust them a whole lot more than random public WiFi providers. Sure, they have access to the URLs I've accessed while using their service. Then again, so does my ISP.
The crucial part is, said random public WiFi providers won't have access to that data.
Additionally, and much more importantly, some public WiFi providers try to MITM secure connections, which is effectively prevented when using a trustworthy VPN.
"Aren't as secure as you think" seems to imply Comcast or the foreign wifi has what, broken the encryption? If so, tell me! But i kinda doubt it.
As for the public wifi, i get that i can't trust my random Dropbox VM for example, but i can surely trust it more than an actively hostile public wifi, no? If i can't trust any remote computing VM, how can i host anything on infra i don't own?
It took a lot of explaining to my parents why a VPN didn’t add any meaningful security for them.
Leaked keys or keys obtained/accessible by law enforcement from vpn providers effectively allow them to MITM you: https://www.byos.io/blog/nordvpn-torguard-and-vikingvpn-brea...
That said, why did you choose EXpressVPN?
> If you're an ExpressVPN customer, you shouldn't be. - Snowden, Sep 16 2021
- https://twitter.com/Snowden/status/1438291654239215619
- https://www.zdnet.com/article/trust-but-verify-an-in-depth-a...
For connections happening via a browser that's true. For other applications, it depends, since those might happily accept a certificate that has been tampered with without the user being aware of it.
> That said, why did you choose EXpressVPN?
Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.
At the time (2018), ExpressVPN for me was the right choice in terms of sufficient security for my requirements and - not to be underestimated - user experience.
Other VPN products I tried out back then were more difficult to install and use (sometimes significantly so) and suffered from slow or even regularly dropped connections.
I am really surprised to see this misconception.
> Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.
Well that is alright, we should all make decisions based upon our own threat models. It is just that in that case you are also at no risk with public WiFis unless you are sincerely looking for a fully secure alternative.
Potentially, any desktop app not downloaded via an app store might do this.
I also didn't say a VPN is an alternative to proper TLS validation. It just prevents public WiFi networks from trying to intercept (improperly validated) connections.
Have you encountered any such apps?
- https://developer.android.com/training/articles/security-ssl
- Showed them how to use ublock origin, they love it
- If you have to enter your PII and the site/service doesn't really need it, try to not give them correct information (fictitious date-of-births for example work on a lot of sites which honestly don't really need it but do ask for it to harvest data or do age verification etc.)
- Take a phishing quiz to be aware of what's out there: https://phishingquiz.withgoogle.com/
- Request data deletion under GDPR (if applicable) for sites which you no longer use but still have accounts on
> I have never seen them used for any legitimate or useful purpose > They take advantage of non-technical users and frighten them > Non-technical users habitually click “OK” [..] in any dialog
The article is written in a way that's myopic, belittling, and alarmist--and the author, you presumably, should think about this tone when there's a good reason browser vendors agreed on a standard included the API to solve a real-world need. Communicating time-sensitive information is a valid use case--especially with PWAs where the web is the platform. This very important to Linux, BSD, KaiOS, Capyloon, etc. users where developers aren't making their application source available, but users can run a properly built web app, and it can also be good for the developer that doesn't have the time and budget to build native apps for all platforms or users that don't wish to install an "app" for everything.
I have no idea why you seem to have a personal problem with it but, alas, it's personal. If you don't want to use them that is up to you, I don't care.
Feel free to make a pull request.
Not every user needs to be coddled. Not every use of Push is malicious. Folks build real apps on the web.
You didn't even bother to explain how getting real-time chat notifications isn't a real-world demand. And running through the comments are just as many folks saying PWAs are a real need to them and that this rhetoric is alarmist.
Oh that's right, it's not open source :)
(I should listen to this advice too).
There was a documentary about a solitary girl shepherd in the mountains. Most things in her life were source of life and liveliness. Nature, hill sights, calm, animals.. the more she did, the happier she got. So even if her life looks poor or lacking .. its quite the opposite.
Hopefully you'll get the gist of how she feels.
Not that I don't admire her -- I wish MORE people could live like that!
But now HN is the new hottie for me :D
"Telegram Cooperates with FSB (Rus)"
https://news.ycombinator.com/item?id=30661335
I'll research this more.
- Explore KodeKloud.com as a Udemy alternative, especially to learn more about general internet infrastructure (especially if you lack a CS or CIS degree, as I do), cloud providers, etc. (From what I've read it's more recently updated than ACloudGuru)
- Explore Roadmap.sh for a roadmap of knowledge necessary to become a web app, infrastructure, or phone app engineer.
You should see my kids' behavior when grounding them and banning video games; they are addicts going through withdrawal.
Source: 28 years in software development and adjacent roles.
I’d suggest that mindfulness is a goal to strive for. If you use a product and you cannot stop and reflect before consuming more media or replying to another post, then this is a pretty good sign that the product is carefully designed to manipulate you.
1. Use a good¹ password manager for everything.
2. Upgrade at least critical logins to use 2FA, which becomes much easier when using a password manager.
3. Use password manager features that allow you to detect weak and compromised passwords, and fix those.
¹ I'm recommending 1Password to less-technical friends/relatives, and 1Password or Bitwarden to tech-savvier folks.
Primarily out of personal unfamiliarity with Bitwarden, although I feel safe recommending it to certain users because of its reputation with HN users. Because 1Password is my (and my family's) daily driver, it's easier for me when people who are new to password managers invariably come back to me for help.
Other considerations: My impression from reading "vs" reviews is that 1Password edges out Bitwarden in terms of user experience and features. Also, I do (possibly unfairly) assume that Bitwarden is focused more on corporate IT and technical users based on the availability of self-hosting, etc.
* Use Firefox (same)
* Use PrivacyBadger Firefox plugin (same)
Works like a charm (fortunately they do not require any Windows-specific apps)
https://news.ycombinator.com/item?id=30776698
https://news.ycombinator.com/item?id=33173531
(Elementary is based on Ubuntu)
https://news.ycombinator.com/item?id=30611748
https://news.ycombinator.com/item?id=32503090
I wouldn't recommend manjaro nor elementary.
If you want some of the ArchLinux experience (like Manjaro promises) try EndeavourOS or Garuda Linux.
(Have tried them both and didn't hear much negative things about them)
If you just want to get going with linux without much hassle and just want to explore everything i'd recommend linux mint (it is also based on ubuntu but only inherits the good stuff and for example doesn't use snaps). It has many tools that help you if you don't want to do everything in the terminal (although i'd recommend to get warm with the terminal). And IMO it just has a good out of the box eperience.
(Haven't used it myself but have set it up for some non tech people who were only familiar with windows or macos and they learned to use it relatively fast)
I personally use plain Archlinux and wouldn't want to trade it for something else, but the pure archlinux experience may not be what you want and is definitely not for everyone.
The "set it and forget it", "everything should be available in a GUI", distro is needed imo. Sad elementary had such a mess, organizational... problems abound.
Thanks for the mint clarification, I wasn't sure what delineated that os outside of the aesthetic.
I am most comfortable with Debian myself, but getting new audio software to work sometimes just brings the whole house of cards down- at least more easily than arch. Pipewire has been a breeze on arch by comparison, but I've only played with manjaro lately. I'll give the real thing a try on my raspberry pi with xfce, and try garuda too on something.
Thanks again for the 2¢
Have a look at the top 10 here:
https://distrowatch.com/
I would not recommend any "rolling release" distro for a new Linux user.
ChromeOS is usable but it is of course tightly coupled to Chromebooks and the Googosphere. Still, the user can add Debian Linux easily and then Firefox is one command away.
- Don't do anything crypto/blockchain related (this is more of an annual reminder).
- Stop getting news from Facebook, it's melting your brain.
- Set up 2fa on everything you can.
And stop giving data to these companies. It may not matter in the broader society since the average person won’t stop, but we devs can stop giving data to things like copilot. Switch off GitHub. Use Brave or Firefox.
Don't download apps - use web versions
Use proprietary blobs if you're "just trying to get it to work", and give yourself the grace to do things piecemeal while you learn.
If you can stomach it, delete your tiktok, twitter, and Facebook.
Learn about your country's data laws.
Get outside more, preferably with exercise (this is a big one).
* 2 Factor authentication. Always. Ignore anyone who says it's useless. It's just as important than strong passwords if your goal is to keep out random script kiddies.
* Don't buy anything linked to a cloud account that doesn't work without it. Unless it's like, really cheap, I can't blame you for that even though it's a minor environmental concern.
* Use Bitwarden to manage your passwords. Let it generate them for you. Use 2FA on your vault.
* Stay away from wannabe Apple companies selling some expensive luxury thing made of delicate real glass that needs their subscription to work and is missing 90% of the features everyone else has.
You probably don't need whatever Juicero-alike they invent next or some expensive headphones with no bluetooth or noise canceling.
* Look for standards and ecosystems everyone else uses. Matter, USB-C, MicroSD cards, etc. Avoid things that do everything different for no reason.
* Back. Everything. Up. Do NOT use anything that makes that hard. Use. Backups.
* If you have to ask, it's probably spying. You decide whether you care or not for yourself.
* If it's not spying, you're probably using it to talk to other people who do use spy devices, like me.
* FOSS is often good now. You probably don't need to pay for software.
But NASes are more than I want to spend and I've never used one, so I can't really suggest something I haven't tried.
I just do manual incrementals to an external drive, plus of course GitHub for all software related stuff.