Ask HN: What tech advice are you giving to those around you for 2023?

53 points by heresie-dabord ↗ HN
You have probably given advice to the vulnerable young and older people (as well as to self-declared "technotwits") about technology in the coming year.

What are your top 5 tips for the coming year? I'm advising:

* Do upgrade any device that doesn't receive OS updates (mobile devices are a particular concern)

* On mobile, do use an encrypted chat app (e.g. Messages with RCS, Signal, &c)

* Don't use identifying information as a password and don't re-use passwords

* Don't answer phone calls from unknown sources

* End any communication where someone asks you to do something insecure (e.g. "give me your password so I can check your account")

94 comments

[ 240 ms ] story [ 2006 ms ] thread
If you consume online content that makes you angry at one group or another group, the reality of it likely isn’t so black and white. You’re likely being fed a narrative to shape your opinion.
I've been trying to tell people about this since the lead-up to the 2016 election.

It's lost me some friendships, which is sad, but I'm not going to stop.

Yup, and TBH it's OK to lose friends who ignore this rule.
I dont think the people who most need to hear this message are receptive to it.
Reddit front page is a good example. Pure propaganda.
Including the narrative that some objectively bad groups aren't as bad as some people say they are.
If you grant an application access to your contacts, you are sharing the private data, perhaps PII, of others.
If you question whether your electronic device is compromised, it probably is.

If you question if your electronic device has exploitable vurnabilities, the answer is absolutely yes.

Don't store private info on your electronics, if you can't handle them leaking. (Nude photos, bank credentials)

Commercial VPNs are not as useful and secure as you think.

I personally cover the front facing cameras on my laptop and mobile, on the assumption that if someone were to gain access to my phone, that's the first thing they would look at.

Don't connect to random public WiFi. If you do, don't login to any online account on it, or send confidential information.

> Don't connect to random public WiFi. If you do, don't login to any online account on it, or send confidential information.

While this is good advice in general, I have seen that people do end up having to connect to public WiFis in general (airports, traveling in a foreign country, lost LTE connections). I advise people never to accept "Insecure connection" warnings in browsers, with TLS in place and HSTS, practically the risk is very low.

MitM on android works very well if you just use an app without a browser view. Android don't tell you that the certificate was changed and the app developer usually don't care to pin the certificate or check for the issuer. When using a random wifi, use a vpn just to be sure.
Which certificate authority does this new cert chain from? No reputable authority will issue valid certs for public WiFi MitM.
People can't distinguish the official wifi from a rouge one if it "sounds" official. Just go to a crowded place, name your wifi "Joes Coffee Shop" and people will connect to it in no time.
I guess the point is about MiTM which you have not really answered, MiTM requires the man in the middle to present a webpage / api to the user over https with a valid certificate so that the browser or the android app would make connections to it. They just don't accept all tls certificates as valid, only the ones signed by CAs trusted by the device. It is the same for android. I guess you are confusing certificate pinning with standard TLS. Certificate pinning is an additional measure and prevents against compromised CAs etc. Standard TLS itself is sufficient to prevent MITM over https.

> MitM on android works very well if you just use an app without a browser view.

Do you have any examples showing this? Popular http clients like okhttp on mobile devices do perform TLS validation based on trusted CAs stored on the device. You would have to go out of your way to make them trust self-signed certificates to perform MITM or compromise a CA to issue you a certificate to allow MITM.

> Don't connect to random public WiFi. If you do, don't login to any online account on it, or send confidential information.

Why? TLS establishes secure channels over insecure networks.

Mitm attacks are still a thing, but personally I wouldn’t bother with it. It’s much easier to go the social engineering route, ie post on Facebook a picture of my “old” dog (really a random dog) with the text “flash back to my first dog Tessie! You will always have a place in my heart :) post in the comments about your first dog”

And boom now you have their answers to security questions to reset their passwords.

> Mitm attacks are still a thing

TLS directly addresses this.

> boom now you have their answers to security questions to reset their passwords.

Are there any example of this actually happening? It seems like an old wives tale. The simpler explanation for why these posts are so popular is that they generate a lot of engagement, especially in the form of unique comments and number of commenters, which is a signal used for ranking and helps increase reach of these accounts.

How do you Mitm TLS? You would need to have the server's keys right?
> Commercial VPNs are not as useful and secure as you think.

That's highly contingent on the "as you think" part.

For example, I use ExpressVPN on public WiFi networks because I trust them a whole lot more than random public WiFi providers. Sure, they have access to the URLs I've accessed while using their service. Then again, so does my ISP.

The crucial part is, said random public WiFi providers won't have access to that data.

Additionally, and much more importantly, some public WiFi providers try to MITM secure connections, which is effectively prevented when using a trustworthy VPN.

Yea, i use it to avoid Comcast mostly out of spite.

"Aren't as secure as you think" seems to imply Comcast or the foreign wifi has what, broken the encryption? If so, tell me! But i kinda doubt it.

I think the problem is you’re trading one set of untrustworthy actors for another set of lesser known untrustworthy actors.
Yea, but that's not _my_ problem. My problem is "fuck comcast".

As for the public wifi, i get that i can't trust my random Dropbox VM for example, but i can surely trust it more than an actively hostile public wifi, no? If i can't trust any remote computing VM, how can i host anything on infra i don't own?

Of course, I fully expect someone commenting on HN to understand the issues and to have made the trade off.

It took a lot of explaining to my parents why a VPN didn’t add any meaningful security for them.

Very good point. They also sell it as if _just_ using a VPN equals security. I can't count the number of ads i've seen that over sell that :/
While public Wifi providers may try to MITM, TLS effectively prevents that from happening unless you are prone to accept "insecure certificate/connection" warnings.

Leaked keys or keys obtained/accessible by law enforcement from vpn providers effectively allow them to MITM you: https://www.byos.io/blog/nordvpn-torguard-and-vikingvpn-brea...

That said, why did you choose EXpressVPN?

> If you're an ExpressVPN customer, you shouldn't be. - Snowden, Sep 16 2021

- https://twitter.com/Snowden/status/1438291654239215619

- https://www.zdnet.com/article/trust-but-verify-an-in-depth-a...

> While public Wifi providers may try to MITM, TLS effectively prevents that from happening unless you are prone to accept "insecure certificate/connection" warnings.

For connections happening via a browser that's true. For other applications, it depends, since those might happily accept a certificate that has been tampered with without the user being aware of it.

> That said, why did you choose EXpressVPN?

Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.

At the time (2018), ExpressVPN for me was the right choice in terms of sufficient security for my requirements and - not to be underestimated - user experience.

Other VPN products I tried out back then were more difficult to install and use (sometimes significantly so) and suffered from slow or even regularly dropped connections.

TLS validation is enforced in all mobile applications unless you have spyware/malware which would use insecure CAs or self-signed certificates. Please see my comment above https://news.ycombinator.com/item?id=34159195 All standard mobile clients do TLS validation. They just can't be MiTMed by anyone using self-signed certificates/CAs which is how most mitm tools work (e.g. mitmproxy) Do you have any examples of apps not doing TLS validation?

I am really surprised to see this misconception.

> Put snarkily: Because I'm not Edward Snowden and I'm not subject to the same kind of threat level.

Well that is alright, we should all make decisions based upon our own threat models. It is just that in that case you are also at no risk with public WiFis unless you are sincerely looking for a fully secure alternative.

> Do you have any examples of apps not doing TLS validation?

Potentially, any desktop app not downloaded via an app store might do this.

What does it have to do with app store? Insecure apps which might not respect server TLS certificates / settings or communicate over plain HTTP will be insecure to use over a VPN as well. A VPN is not an alternative to not using proper TLS validation.
You specifically mentioned TLS being enforced in mobile apps. For non-mobile apps such an enforcement either happens through an app store vetting process or the operating system restricting access to non-secure API calls.

I also didn't say a VPN is an alternative to proper TLS validation. It just prevents public WiFi networks from trying to intercept (improperly validated) connections.

I said "mobile apps" to exclude browsers which do similar validation anyways. And it is the same process for mobile apps, only apps designed in an insecure manner (to choose to ignore cert warnings, use custom TLS clients etc) would fail validation and there is no reason to use such apps, it does not matter whether you use a VPN or public-wifi.

Have you encountered any such apps?

- https://developer.android.com/training/articles/security-ssl

is the public wifi advice still relevant today with HTTPS?
- Use 2fa everywhere

- Showed them how to use ublock origin, they love it

- If you have to enter your PII and the site/service doesn't really need it, try to not give them correct information (fictitious date-of-births for example work on a lot of sites which honestly don't really need it but do ask for it to harvest data or do age verification etc.)

- Take a phishing quiz to be aware of what's out there: https://phishingquiz.withgoogle.com/

- Request data deletion under GDPR (if applicable) for sites which you no longer use but still have accounts on

Use the unsubscribe links or 'mark as spam' feature in your emails. It takes an extra few seconds, but you'll be happy when your inbox only contains things that matter to you.
I have a Gmail filter for email bodies containing “Unsubscribe”. Works wonders
Learn how to encrypt and decrypt sensitive data
Disable browser push notifications or do it for them https://www.lloydatkinson.net/posts/2022/consider-disabling-...
That's over the top. Why? Because keeping applications sandboxed and adblocked inside the browser is better than downloading some proprietary app (doesn't apply to FOSS clients). Some of those applications, you'll definitely want notifications, like the web app for work chat, etc. What you don't want to do is discourage using the browser as a platform, but you definitely should proceed with caution for enabling those notifications rather than outright disabling them.
If you’d read the article you’d see that I specifically call out disabling browser push notifications, not web sockets or server sent events.
I know exactly what the Push API is--and I resent that iOS won't enable it making PWAs not really work for a lot of use cases because developers need notifications. I currently, and purposefully, get push notifications from Element, Mattermost, Slack, and (for the time being while traffic has been low) replies on Mastodon--when I was using a web client for email, I did there as well. I think project managers would be pretty mad if I wasn't responding to messages, as much as I'd be angry if they required that I install some Electron app with tracking onto my system, where I can't make modifications via userScripts and userStyles, just to get notified (or an inbox full of "You have 100 unread message on ACMEChat from 1 hour ago").

> I have never seen them used for any legitimate or useful purpose > They take advantage of non-technical users and frighten them > Non-technical users habitually click “OK” [..] in any dialog

The article is written in a way that's myopic, belittling, and alarmist--and the author, you presumably, should think about this tone when there's a good reason browser vendors agreed on a standard included the API to solve a real-world need. Communicating time-sensitive information is a valid use case--especially with PWAs where the web is the platform. This very important to Linux, BSD, KaiOS, Capyloon, etc. users where developers aren't making their application source available, but users can run a properly built web app, and it can also be good for the developer that doesn't have the time and budget to build native apps for all platforms or users that don't wish to install an "app" for everything.

No, I'm quite happy with the tone and message of the article thank you. Just because you have not experienced the many instances of compromised machines thanks to this "feature" (and feel free to find the HN thread where this article is discussed also) does not mean the feature is not dangerous. I assume you don't have a problem with popups not being heavily restricted and opt-in now.

I have no idea why you seem to have a personal problem with it but, alas, it's personal. If you don't want to use them that is up to you, I don't care.

Feel free to make a pull request.

It's not a personal problem--you're making that up; the purpose of Push is getting native app features in your web app which is good for consumers--especially those on less popular operating systems as almost all have some form of modern web browser (and some, like FxOS and its successor KaiOs, fully banking on the web as competent, common-denominator application platform). Opt in is perfect too because it's not hard to clearly communicate what notifications will do and making it the result of a consensual user action and not page load (if page-load-pop-up is still the case, that sucks though).

Not every user needs to be coddled. Not every use of Push is malicious. Folks build real apps on the web.

You didn't even bother to explain how getting real-time chat notifications isn't a real-world demand. And running through the comments are just as many folks saying PWAs are a real need to them and that this rhetoric is alarmist.

Feel free to send a pull request.
When your comments are full of rebuttals to "there's no use case" and you refuse to acknowledge them, that revision is on you.
No thanks, your personal problem is your problem. Feel free to send a pull request.

Oh that's right, it's not open source :)

Stop using so much tech and get outside more. Let go of the FOMO and you'll be much happier. Delete all your social media.

(I should listen to this advice too).

I did that to an extent but depending on the weather and moods (sometimes both) I get FOMOing again.

There was a documentary about a solitary girl shepherd in the mountains. Most things in her life were source of life and liveliness. Nature, hill sights, calm, animals.. the more she did, the happier she got. So even if her life looks poor or lacking .. its quite the opposite.

Name of doc please?
It's a 20min youtube video in french https://www.youtube.com/watch?v=GLqKmkWQlPk

Hopefully you'll get the gist of how she feels.

Seems like your typical instagram vanlifer... how did she make a living to afford all that gear? And I guess being French she at least has socialized healthcare and welfare to fall back on... harder for an American to do, especially later in life :(

Not that I don't admire her -- I wish MORE people could live like that!

I finally deleted Twitter a few days ago. I don't miss it at all. FB is going to be the next.

But now HN is the new hottie for me :D

A couple bits of advice I've recently given are focused on IT-skills knowledge sources.

- Explore KodeKloud.com as a Udemy alternative, especially to learn more about general internet infrastructure (especially if you lack a CS or CIS degree, as I do), cloud providers, etc. (From what I've read it's more recently updated than ACloudGuru)

- Explore Roadmap.sh for a roadmap of knowledge necessary to become a web app, infrastructure, or phone app engineer.

Thank you for sharing links.
The advice I'm giving people is to avoid tech as much as possible--to simplify one's life. Tech has long ago left the realm of useful tool and is instead being used to spy on people, foment and continue addiction, manipulate our brains' chemistry, and, in general, to do evil. I'm not saying all tech is evil, but a sufficient amount of it is for me to try and eliminate it from my life as much as possible.

You should see my kids' behavior when grounding them and banning video games; they are addicts going through withdrawal.

Source: 28 years in software development and adjacent roles.

Many people find it useful to go cold turkey for a while. Many of those end up finding a better balance afterwards.

I’d suggest that mindfulness is a goal to strive for. If you use a product and you cannot stop and reflect before consuming more media or replying to another post, then this is a pretty good sign that the product is carefully designed to manipulate you.

My single, multi-step recommendation is to commit to improving password hygiene.

1. Use a good¹ password manager for everything.

2. Upgrade at least critical logins to use 2FA, which becomes much easier when using a password manager.

3. Use password manager features that allow you to detect weak and compromised passwords, and fix those.

¹ I'm recommending 1Password to less-technical friends/relatives, and 1Password or Bitwarden to tech-savvier folks.

Why would you recommend 1Password over Bitwarden for less technical folks? Asking because I am about to setup a family plan on Bitwarden for me and my less-technical wife. I already use Bitwarden and have for some time, so seeing if there may be a compelling reason for us to go with 1Password instead.
> Why would you recommend 1Password over Bitwarden for less technical folks?

Primarily out of personal unfamiliarity with Bitwarden, although I feel safe recommending it to certain users because of its reputation with HN users. Because 1Password is my (and my family's) daily driver, it's easier for me when people who are new to password managers invariably come back to me for help.

Other considerations: My impression from reading "vs" reviews is that 1Password edges out Bitwarden in terms of user experience and features. Also, I do (possibly unfairly) assume that Bitwarden is focused more on corporate IT and technical users based on the availability of self-hosting, etc.

* Use Linux (and I install it for them)

* Use Firefox (same)

* Use PrivacyBadger Firefox plugin (same)

Works like a charm (fortunately they do not require any Windows-specific apps)

Which distro do you recommend?
Not the op, but having done this a few times now, I've had the best success with manjaro - I've seen others say elementary is best, but I have hesitations
Just leaving my two cents here

https://news.ycombinator.com/item?id=30776698

https://news.ycombinator.com/item?id=33173531

(Elementary is based on Ubuntu)

https://news.ycombinator.com/item?id=30611748

https://news.ycombinator.com/item?id=32503090

I wouldn't recommend manjaro nor elementary.

If you want some of the ArchLinux experience (like Manjaro promises) try EndeavourOS or Garuda Linux.

(Have tried them both and didn't hear much negative things about them)

If you just want to get going with linux without much hassle and just want to explore everything i'd recommend linux mint (it is also based on ubuntu but only inherits the good stuff and for example doesn't use snaps). It has many tools that help you if you don't want to do everything in the terminal (although i'd recommend to get warm with the terminal). And IMO it just has a good out of the box eperience.

(Haven't used it myself but have set it up for some non tech people who were only familiar with windows or macos and they learned to use it relatively fast)

I personally use plain Archlinux and wouldn't want to trade it for something else, but the pure archlinux experience may not be what you want and is definitely not for everyone.

I was a big fan of Antergos before Endeavour began, and am curious how that has developed since. I didn't know that the pine64 ecosystem was so tilted, and frankly, so dumbly self-interested. I'm guessing they've seen the criticism; we'll have to see how well the manjaro team gets along.

The "set it and forget it", "everything should be available in a GUI", distro is needed imo. Sad elementary had such a mess, organizational... problems abound.

Thanks for the mint clarification, I wasn't sure what delineated that os outside of the aesthetic.

I am most comfortable with Debian myself, but getting new audio software to work sometimes just brings the whole house of cards down- at least more easily than arch. Pipewire has been a breeze on arch by comparison, but I've only played with manjaro lately. I'll give the real thing a try on my raspberry pi with xfce, and try garuda too on something.

Thanks again for the 2¢

If I may suggest... "Mint" has been a top-rated distro for its usability for a long time.

Have a look at the top 10 here:

https://distrowatch.com/

I would not recommend any "rolling release" distro for a new Linux user.

ChromeOS is usable but it is of course tightly coupled to Chromebooks and the Googosphere. Still, the user can add Debian Linux easily and then Firefox is one command away.

Debian, the rock-solid, with automatic security updates, without the interface updates.
It's good to show users how easy it is to install Firefox security extensions (add-ons).

    * uBlock Origin
    * Privacy Badger (you mentioned it)
    * Multi-Account Containers (need to show how to use them effectively)
    * Cookie Autodelete
- Switch off of Chrome to Firefox if you can and install ublock origin.

- Don't do anything crypto/blockchain related (this is more of an annual reminder).

- Stop getting news from Facebook, it's melting your brain.

- Set up 2fa on everything you can.

Print back up codes for iCloud/gmail. Get a small bank lockbox and put it there.

And stop giving data to these companies. It may not matter in the broader society since the average person won’t stop, but we devs can stop giving data to things like copilot. Switch off GitHub. Use Brave or Firefox.

Or better yet, use Librewolf
De-Google your life. Perhaps Search is fine - but absolutely remove all dependency on Gmail or Google Accounts.
same with Twitter. Elon's been explicit about the need to sell users' data more. I'd update your privacy settings at the very least
Haven’t used twitter, Reddit, Facebook, Instagram or TikTok in a month … love my life.
(comment deleted)
If you value your privacy, don't own/use a mobile phone.
We should make a browser extension that encapsulates all this advice. Or at least the ones relevant to the way you use the web. Much easier to get your non-tech savvy family install an extension that will continuously help them (and that we can continuously update) rather than just giving them a wall of advice they'll forget
If you are in the Apple ecosystem of products update all your devices and turn “Advanced Data Protection” on.
download their files and delete them from cloud systems. Not only have all passwords been leaked by now, but there is a vicious downturn coming in which crime will increase in magnitude and sophistication. This is time to decentralize

Don't download apps - use web versions

Use FOSS whenever you can.

Use proprietary blobs if you're "just trying to get it to work", and give yourself the grace to do things piecemeal while you learn.

If you can stomach it, delete your tiktok, twitter, and Facebook.

Learn about your country's data laws.

Get outside more, preferably with exercise (this is a big one).

Ignore crypto. 98% of it is bullshit and fraud, and you (and I) aren’t smart enough to pick out the 2% that isn’t.
* The algorithm likes it when you're angry or sad or anything that makes you engage more. Your idea of what "everyone" is into these days is probably what the algorithm tells you.

* 2 Factor authentication. Always. Ignore anyone who says it's useless. It's just as important than strong passwords if your goal is to keep out random script kiddies.

* Don't buy anything linked to a cloud account that doesn't work without it. Unless it's like, really cheap, I can't blame you for that even though it's a minor environmental concern.

* Use Bitwarden to manage your passwords. Let it generate them for you. Use 2FA on your vault.

* Stay away from wannabe Apple companies selling some expensive luxury thing made of delicate real glass that needs their subscription to work and is missing 90% of the features everyone else has.

You probably don't need whatever Juicero-alike they invent next or some expensive headphones with no bluetooth or noise canceling.

* Look for standards and ecosystems everyone else uses. Matter, USB-C, MicroSD cards, etc. Avoid things that do everything different for no reason.

* Back. Everything. Up. Do NOT use anything that makes that hard. Use. Backups.

* If you have to ask, it's probably spying. You decide whether you care or not for yourself.

* If it's not spying, you're probably using it to talk to other people who do use spy devices, like me.

* FOSS is often good now. You probably don't need to pay for software.

Regarding backups, I found Google Photo makes it harder. I decided to just use harddisks for that.
Yeah, I think in theory I would say everyone should get a consumer level NAS with redundant disks, plus SyncThing between devices for important small stuff, and some kind of cloud solution for offsite.

But NASes are more than I want to spend and I've never used one, so I can't really suggest something I haven't tried.

I just do manual incrementals to an external drive, plus of course GitHub for all software related stuff.

Yep, I think HD is good enough for casual backup-ers.
Just curious, regarding privacy in general, are the new iPhones still better than the Android phones?