Levels of Security

Here I explain the different levels of security, some common attacks, and ways to protect yourselves.

Level 0:

The basics that anyone can (and should) do to protect themselves.

At this level we want to guard against common attacks and viruses. Our adversaries are the scammers and opportunistic hackers that everyone runs into regularly. Here we limit ourselves to actions that are simple, require no technical knowledge, and don’t affect daily life/convenience.

Install a password manager

The biggest risk we face comes from reusing the same password in many places. Using the same password for your Gmail/email account, social media, computer, bank account, etc., is very risky because if one of those services suffers a data breach, or a hacker guesses the password, they can instantly access all of your accounts.

Another benefit of a password manager is that you’ll never forget a password again. Since each service has different rules (some require a symbol like !@#, others don’t; some need numbers, etc.), it’s hard to remember every combination. With a password manager you only need to remember one master password.

A recommended password manager is Bitwarden, which is secure, easy to use, free, and open‑source. Choose a strong master password for it. While the best password would be long and completely random, it’s hard to remember. Instead, experts suggest using a passphrase: string together about five unrelated words and create a story to remember them. For example, with the words “microphone”, “elephant”, “wood”, “paper” and “towel”, you could tell this story:

The microphone recorded the roar of an elephant, but as I got closer I realized the elephant was made of wood and covered with paper. The sound was like my friend blowing his nose on a towel.
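An added example (not from the original post) of generating such a passphrase and estimating its strength. The 16-word list is constructed for the demo; the 7776-word figure is the size of a standard diceware-style list and shows why a large list matters.

```python
import math
import secrets

# Constructed mini wordlist for the demo (the five words from the story plus a
# few more). A real generator uses a large published list of several thousand
# words; the entropy figures below show why the list size matters.
WORDLIST = [
    "microphone", "elephant", "wood", "paper", "towel", "river", "candle",
    "garden", "rocket", "pillow", "silver", "cactus", "window", "marble",
    "lantern", "coffee",
]


def passphrase_bits(list_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words chosen uniformly (with replacement)
    from a list of list_size words: word_count * log2(list_size)."""
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int = 5, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick the words with the OS CSPRNG (secrets), never random.choice:
    the strength estimate above only holds if every word is equally likely."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"16-word demo list, 5 words: {passphrase_bits(len(WORDLIST), 5):.1f} bits")
    print(f"7776-word list, 5 words: {passphrase_bits(7776, 5):.1f} bits")
    print(f"words needed for 80 bits from a 7776-word list: {words_needed(7776, 80)}")
```

Five words from the demo list give only 20 bits, while the same five words from a 7776-word list give about 64 bits; the story trick makes the longer list usable.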

Use Bitwarden to generate and store unique passwords securely for each website.

Install an antivirus

It’s extremely easy to run a virus by accident—whether you open a malicious email or download and execute an infected app without knowing it. An antivirus provides a solid line of defense.

Some people think they won’t get infected if they’re careful, but that’s not true. Scammers can create a site that looks identical to the original but contains malware. Even the most cautious users eventually get tricked by a convincing email or download, and a virus runs.

A strong defense against viruses is an antivirus. Many antivirus programs stop more than 99% of threats without issue.

The world leader is Kaspersky, known for its behavioral analysis. Traditional antiviruses detect only known malware that’s already in their databases. New malware may be missing, making detection hard. Behavioral analysis learns what normal program and system behavior looks like and flags malicious actions, allowing Kaspersky to combat new, unregistered threats.

For more info, check out The PC Security Channel. As an alternative, Bitdefender is also very good.

Be aware that not all antiviruses are effective; for example, a virus can trivially disable Microsoft Defender.

Encrypt your devices

If your phone or computer is stolen, you want to ensure thieves can’t access your data. Simply enable disk encryption.

Without encryption, a thief can read the drive without any password and modify the files that contain password hashes.

On Windows, we want to enable BitLocker.

On macOS, open System Settings → Privacy & Security → click FileVault and turn it on. Choose to use a Recovery Key for maximum protection and store that long alphanumeric code in your password manager; you’ll need it to decrypt the drive if the computer is damaged or you otherwise lose normal access to it. Note: if you choose to store the recovery key in iCloud, any Apple employee, law enforcement, or agencies could access it.

On Android: Most devices ship with encryption enabled by default. Verify under Settings → Security & privacy → More security & privacy → Encryption & credentials → Encrypt phone.

Other Tips:

Automatic updates

Vulnerabilities appear in applications almost daily, and patches follow quickly. Keeping every device up‑to‑date (at least security updates) prevents many attacks. Ensure automatic updates are on and manually update apps when new versions are released, especially web browsers.

Web browser

Blocking ads is crucial because many ads can contain malware. There are various options:

  • On Firefox (or derivatives), install uBlock Origin
  • Brave browser
  • Firefox forks with built‑in blocking, such as LibreWolf or Mullvad Browser

Search engine

Google often manipulates results to favor paid ads, increasing the risk of encountering malicious ads.

As an alternative, you can use:

Most search engines ultimately forward queries to Bing because only three major general‑purpose indexes exist (Google, Bing, Yandex). Using multiple engines gives broader results and reduces censorship.

Web Apps / Progressive Web Apps

Often it’s safer to install a Web App instead of a native app. A Web App is just a website that looks like an app: it requires no download, updates automatically, and saves disk space.

There are various guides on how to add/install Web Apps.

Lockdown mode (Apple devices)

iPhone, iPad, and Mac allow enabling Lockdown mode, which adds extra security. This doesn't mean that Apple devices are secure/private, as we saw with the backdoor. It simply offers a bit more security.

Enable it by going to System Settings → Security & Privacy → find the Lockdown mode option and turn it on.

VPN and DNS

Sometimes network administrators (in stores or your ISP) modify DNS resolution to inject ads (or malware). Some VPN/DNS services also have options to block (some) ads and scam sites.

There are many VPN and DNS services (many VPN companies automatically provide their own DNS server). Secure and private DNS servers include:

VPN services include:

Unfortunately, there is a lot of misinformation about VPNs regarding security and privacy. Do not fall for the traps.

Messengers

At this Level 0 I am not telling you to avoid any messenger. For now, I want you to know that messages can be read. I am sure there will be sensitive topics where you’ll want greater privacy (e.g., medical topics). In that case, there are more secure messengers you can use.

I have written about the most secure (and insecure) messengers here. However, at this stage it is not necessary to use the most secure messenger (SimpleX). Molly, Signal or Forkgram with a secret chat are sufficient.

SimpleX is extremely secure but a bit harder to use. If it’s not inconvenient, I do recommend using SimpleX (especially in the upcoming levels). But for now, at stage 0, we are not worried about highly sophisticated attacks.

Level 1:

In this stage we continue with what we did in Stage 0.

On your computer, I recommend installing Linux. It doesn’t matter which distribution you choose, as they are all very similar. A fairly easy distribution for beginners is Linux Mint.

When installing Linux, be sure to enable disk encryption. This prevents any thief from getting into your computer like a burglar in your house.

For additional protection, you can install an antivirus.

Mobile

In this stage our goal is to increase privacy by moving away from Google/Apple accounts, etc. First, we want to disable everything related to personalized ads/propaganda/tracking/analytics, etc. Then, we want to sign out of Google/Apple.

Disable everything related to iCloud (Apple). By law, Apple gives any state agency, police, or a hacker posing as police access to any iCloud account. With access to your iCloud account, someone can read your passwords, decrypt your disk, read your messages, access your documents and photos, and track the phone in real time. Delete all iCloud data and turn off everything related to iCloud and Siri.

For the same reasons, disable everything related to your Google account (i.e., location tracking, Google Drive/Photos, etc.).

We want to disable Wi‑Fi/Bluetooth scanning for tracking/positioning, on Android and on Apple.

Also, I recommend uninstalling or disabling apps you don’t use/need. For the apps that remain, try to review and limit their permissions.

I recommend installing the stores F-Droid and Aurora Store. Additionally, install the web browser IronFox or Brave.

Try replacing some services with more secure versions. For example:

  • Use Organic Maps for maps. If you can’t find some stores there, or need public transport, I recommend opening Google Maps as a web page in IronFox’s incognito mode.
  • Use NewPipe instead of YouTube.
  • Use a private email provider.

Just like in Stage 0, try to install applications as PWA/Web Apps.

I recommend using Molly, Signal, or ForkGram (with secret chat) for communication. As I wrote earlier, SimpleX is the most secure messenger, but it can be a bit harder to use. For now, Molly, Signal, or ForkGram are sufficient.

Level 2:

Mobile

In this level our goal is to install GrapheneOS on the phone. Thanks to the developers, it is extremely easy to install on a phone (Pixel). At this stage we no longer want to use Apple products, since they contain backdoors.

When installing GrapheneOS, install the stores F-Droid and Aurora Store. We can also install the store Accrescent. Accrescent has (very) few apps available, but we can install Organic Maps and Molly. At this stage it is no longer recommended to use Signal or ForkGram, nor WhatsApp/Discord/SMS/Facebook/Instagram, etc.

Try using the F‑Droid store to install secure open‑source versions. For example, you can install the web browser IronFox. The GrapheneOS web browser called Vanadium is also quite good. If there are apps not available in F‑Droid, you can use the Aurora store to install and update apps from the Google Play Store.

Unfortunately, some “geniuses” of the GrapheneOS project think the F‑Droid and Aurora stores are ‘super insecure’, and that it is better to use the Google Play Store. That is completely false. One only has to discover the hundreds of thousands of Google Play Store apps that contain malware/viruses.

If you need apps that require Google Play Services, I recommend creating a new profile, installing that app and its Google dependencies there. And if a PWA/WebApp version exists, it is better to use that.

Computer

Just like in Level 1, we continue using Linux. We prefer a large distribution such as Debian/Ubuntu/Fedora/Mint, as they have security teams that find and fix vulnerabilities quickly. Don’t forget to encrypt the disk when you install it.

It is extremely important to install a good antivirus for Linux. Unfortunately, many think an antivirus isn’t needed (whether on Windows, Mac, or Linux). That is completely false. It is a very misguided way of thinking that shows they don’t know what they’re talking about. I have debunked a "genius" and his security ideas.

In this stage we want to install large packages (like the web browser) using the Flatpak or Snap format. Flatpak and Snap create a sandbox and add an extra layer of protection. For system packages we want to use only the official repositories.

When you need higher privacy, you can use the Tor web browser. We also want to use a VPN all the time (or at least whenever possible). You can enable Secure Boot (optional, as I have doubts about any security benefit).

More information can be found in the Debian guide.

Level 3:

Qubes OS

Install QubesOS to radically increase your security. Qubes OS is a distribution that uses virtualization to split and isolate actions on the computer. It is very hard to escape from a virtual machine. That’s why Amazon and Microsoft use virtualization on their cloud servers to prevent a user from running malware and taking down the whole system. Qubes OS works the same way. Fortunately, Qubes OS encrypts the disk by default!

In Qubes OS, be sure to install an antivirus in a template qube. When you need higher privacy, use the Whonix qubes. And when you don’t need to store anything on the disk, you can use a disposable qube.

For qubes that you don’t want to connect via Whonix, you can route them through a VPN qube.

Other

However, not all devices need Qubes OS. As in Level 3, the phone can (and should) continue with GrapheneOS. But other devices, especially IoT devices, do not benefit from the Qubes model.

It makes no sense to install Qubes OS on a device that has a single purpose. For those devices, I recommend finding minimal and specialized distributions.

For example, install OpenWRT on your router. In other cases, you can install Alpine Linux – a minimal distribution that uses Musl. For IoT devices, you can install a Home Assistant server. Be very careful with IoT devices, as they are often insecure. Create a separate VLAN for IoT devices and do not give them internet access.

If you have a server (I hope you are using virtualization), you can install a Web Application Firewall (WAF) such as Crowdsec (and enable the WAF option) or Coraza.

Level 4:

At this level we are facing more sophisticated/intelligent adversaries. We must consider not only computer security but also physical security.

You can use my guide to place the /boot and /boot/efi partitions on a USB (since those partitions cannot be encrypted). This helps prevent an “Evil Maid” attack, where a hacker modifies files in /boot to capture the disk password the next time you boot. Also, you can use the Kicksecure and Whonix templates for extra protection.

It is already risky to use phones for any important/sensitive tasks (even with GrapheneOS). Try to keep nothing important on the phone and use airplane mode as much as possible.

If we are talking about a company, this stage calls for adding more detection capabilities. There are EDR/XDR platforms that collect and analyze more system information. Then a SIEM can aggregate data from EDR systems, system logs, internet traffic analysis, WAF logs, etc., to detect more sophisticated attacks.

In fact, using such a security platform you could detect the triangulation attack, which used a backdoor in Apple devices, indicating a state agency (i.e., NSA) was behind it.

If you are ambitious, you can try to disable Intel ME (or AMD PSP). The Management Engine is a chip component of the CPU that has near‑full access to the computer’s functions. Severe vulnerabilities have been found in Intel ME. The risk is that ME runs before any software and has direct access to chips and devices with higher privileges than the operating system. ME runs a tiny Minix distribution, and because the source is closed, we don’t know what it does. Unfortunately, disabling ME is quite complex; it requires an external programmer to read and modify the BIOS.

At this level I also recommend applying glitter/stickers on your computer (especially around the case seams and screws) to detect physical tampering. If someone tries to open your computer, the stickers are likely to break, alerting you to the intrusion.

Level 5:

Physical security

We continue with physical security. From now on (or perhaps better from the previous stage), remember that it becomes easier to attack a person than a computer. In other words, even if you have a very secure system, security is useless if a thief/agent threatens or harms you and forces you to reveal the password.

Assume you have already dealt with your personal security.

Never leave your computer unprotected! In Level 4 we secured the /boot partition by moving it to a USB. However, a more sophisticated “Evil Maid” can attack in other ways. They can insert a tiny device into the computer that connects to the keyboard and reads the password. They can also simply replace the computer with an identical-looking device that mirrors the real screen. In that case the attacker boots the machine from a USB, everything looks normal, you type your password, and the attacker now knows it.

Continue using stickers and glitter as in Level 4, but that is no longer enough because attackers can print identical stickers.

Another attack is acoustic tracking. There are microphones that can listen from long distances and can be highly directional. If you type your password and a microphone records the sounds, it is possible to deduce which keys were pressed and guess the password. To make things scarier, there are devices/cameras that can record vibrations of objects/windows, sometimes using a laser, and “listen” to the sound/vibrations. Likewise, if a camera captures you entering the password, it can also infer the keystrokes.

Combining these two points, the computer must be physically protected 24/7, and the password should only be entered in a secure location after searching for hidden cameras and microphones.

We must also consider how to protect the computer after the password has been entered. As you may recall, agents once captured a dark‑web marketplace leader simply by stealing his computer after he had entered his password. If you use a disposable distribution such as Tails, make sure to tie the USB to your hand. Always find a safe place to use it (back against a wall) so you cannot be surprised (and so you can sleep/limit exposure, etc.).

You must always be ready to cut power to the computer quickly and effectively. You can tie your hand to the power cable, ready to yank it. There are also USB devices that shut down a laptop when the USB is removed.

If you want extra protection (also for later levels), you can, with great caution, create a dead‑man’s switch: while you hold a button/switch the cables are connected and power flows; releasing it (e.g., if something happens to you) cuts the power.

I also recommend using a glue gun to seal any ports you do not use. This can prevent BadUSB attacks. (Qubes r4.3 has BadUSB protection, and some antiviruses such as Kaspersky KESL 12.4 can detect and block this type of attack.)

Firmware

We know that BIOS/UEFI systems are vulnerable. Intel ME (and AMD PSP) firmware is also vulnerable.

Use computers with an open BIOS/UEFI, such as Heads or Dasharo. Heads (and Dasharo) provide a feature called Measured Boot, hardware attestation, and some form of 2FA.

Never use Wi‑Fi/Bluetooth, etc. Any wireless signal can be captured and attacked (due to possible WPA vulnerabilities and the many Bluetooth flaws). Moreover, Wi‑Fi/Bluetooth drivers/firmware are often not open source. If you need internet, use Ethernet connected to a secure router (running OpenWRT).

Level 6:

Up to the fifth stage, a reasonably tech‑savvy ordinary user can (more or less) follow the recommendations. From now on, substantial resources are required to keep increasing security. Specialized companies and secure government departments already take similar or equivalent measures.

Keep in mind that many computers must not be connected to the internet. This is especially important for enterprises/infrastructure that use devices to control or monitor machinery.

Firmware

As mentioned, there are many firmware vulnerabilities, whether in BIOS/UEFI or other micro‑controllers. CPU microcode and the CPU itself have vulnerabilities (e.g., Spectre/Meltdown). Even the x86_64 architecture itself is not secure.

If you work for a government or a large corporation, secure the supply chain for every component in the computers. That means ensuring components are manufactured within your country in facilities with high physical protection.

It is well known that the CIA has modified components/chips/computers before they are assembled. Snowden revealed this a decade ago, and unfortunately some incompetent leaders still do not understand it. As a result, Israel/CIA modified pagers to include bombs and then detonated them against the Lebanese population.

There are several options to secure firmware. Servers from Raptor use Power9 (IBM) CPUs with open‑source code. Raptor runs OpenBMC and can secure (and modify) the BIOS/UEFI. If you are in Russia (or related countries), use the Elbrus CPUs. If you are in China (or related countries), you can use CPUs from HiSilicon or Loongson.

Recently, CPUs based on RISC‑V have been developed; the advantage of RISC‑V is that the architecture/instruction set is free and open.

Code

With more resources, we can harden the software that runs on the machine. This means obtaining certifications and accreditations from a national security agency. For example, there are CISA certifications in the U.S., FSB certifications in Russia, etc. Besides certifications, have experts who stay informed about current attacks, can patch them, and review code for vulnerabilities.

Physical

After receiving secure CPUs, ensure the remaining components have not been tampered with. All other components should be manufactured locally (i.e., within your country) with high security. Once received, carefully inspect each component with a magnifying glass or microscope to avoid literal “bugs” being inserted.

For obvious reasons, this machine must be isolated from the internet if it processes or stores any sensitive data. Physically block all ports and keep the computer in a cage.

The Debian manual contains excellent recommendations suitable for this level. You can keep logs on paper and store the base system on read‑only physical media.

Do not forget to have guards in front of the server, physical security systems in the building, and only allow a trusted operator near the server.

Wow, it already feels like a James Bond movie!

Level 7:

In these last two levels, what a computer can (or should) do is already quite limited. Computers must have a single purpose and be designed with a secure architecture.

Specialized devices

At this stage, having a general‑purpose computer is already a risk. If there is a need for IoT devices, we want to use a specialized micro‑kernel as a base. There are formally verified micro‑kernels such as seL4 and other secure micro‑kernels like Kaspersky OS that are very safe.

Continuing with the topic of specialized devices, I recommend using specialized silicon. In other words, you can design the chip’s silicon itself to fulfill your purpose. For this you need access to a semiconductor fab, or you can use an FPGA (field‑programmable gate array).

For example, to secure secret communications/calls, you could use this type of specialized phone, made in your own country, that employs specialized silicon to encrypt and authenticate the data.

Level 8:

Few systems in the world require (and achieve) that level of security. In fact, only a few countries have the capability to create such secure systems. One example is the strategic weapons system. To protect it, hundreds (or thousands) of engineers, programmers, and other experts have worked on it.

At this stage it is enough to transmit secret information, authenticate it, and act based on that information.

As an example (without mentioning many details, since there are so many layers of protection that several books could be written):

Several people must enter their secret code to authenticate (it could be the President/head of state, the army commander, and another person). The keys are entered into specialized devices (with specialized silicon) that are very well guarded (with guards, etc.). If the codes are correct, specific encrypted information is released and transmitted to special sensors (in submarines/aircraft, etc.).

The commanders who receive the information verify that it is correct among themselves (more than one person). From that moment on, they neither receive nor emit any further signals or communications with the outside. The commanders open specialized silicon devices (for example, on a submarine), insert the devices into opposite parts of the submarine, and simultaneously enter their secret codes along with the encrypted and authenticated message. That device verifies everything and programs the strategic weapons.

As shown in this example, there are many layers of protection, authentication, identification, fault testing, etc., that secure the system.
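The multi‑person release described above, as an added example that is not from the original post and describes no real system: a toy release device whose key is split with Shamir’s secret sharing, so that any two of three hypothetical key holders can reconstruct it while a single holder learns nothing. The 2‑of‑3 threshold, the “officers”, and the fingerprint check are my assumptions.

```python
import hashlib
import hmac
import secrets

# Field prime (2**127 - 1): large enough to hold a 16-byte release key.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, holders: int):
    """Shamir split: `holders` shares of `secret`; any `threshold` recover it,
    and fewer than `threshold` reveal nothing about it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    # Constant term is the secret; the other coefficients come from the CSPRNG.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the presented (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def fingerprint(key: int) -> bytes:
    """What the release device stores at provisioning time: a hash of the key,
    never the key itself."""
    return hashlib.sha256(key.to_bytes(16, "big")).digest()


def authorize_release(presented, threshold: int, stored_fingerprint: bytes) -> bool:
    """Release only when enough holders present shares AND the reconstructed
    key matches the provisioned fingerprint (constant-time comparison)."""
    if len(presented) < threshold:
        return False
    return hmac.compare_digest(fingerprint(recover_secret(presented)), stored_fingerprint)


if __name__ == "__main__":
    # Constructed demo: a release key split 2-of-3 among three officers.
    release_key = secrets.randbelow(PRIME)
    officers = split_secret(release_key, threshold=2, holders=3)
    fp = fingerprint(release_key)
    print("one officer alone:", authorize_release(officers[:1], 2, fp))
    print("two officers:", authorize_release([officers[0], officers[2]], 2, fp))
```

A single share is a point on a random line and so is consistent with every possible key; only the threshold number of holders together pin down the constant term.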