What do I need to do?

Continuing the discussion from Help a Noob!:


Summary:

Basically to summarise my posts, for now should I just skip reading the Knowledge Base subtopics, and go straight to reading the Recommended Tools subtopics and download them? As they are pertinent to combating common threats.


Original Post:

With the previous discussion being said, what do I and everyone need to exactly do?

Somewhat unrelated rant (feel free to ignore):

To understand cybersecurity I need to understand how computers work. Also, how does encryption work? It seems to me tech and science, of which our knowledge of them is naturally simple due to our limited intelligence, are shrouded in jargon and unnecessary, artificial complexity. I do not expect nor do I think an actually good explanation of how encryption, and computers generally work is actually available. But, I do expect easy-to-follow recommendations (as discussed previously).

What I have done so far:

  1. Tediously deleted all my old accounts from services I signed up across my several old Gmail accounts (it feels like there were a 100 of them).
  2. I have gotten a password manager (I understand why this is important). This is explained well in the Technology Essentials topic. I am using its random password generator to make passwords as complicated as are allowed by online services. I am also using it to make pseudonyms for all websites, except for websites that I think I shouldn’t use them, like for my bank, government stuff…
  3. I have gotten the free version of Proton VPN (I only understand that it masks my IP address from websites, and does not allow my ISP to view my web activity somehow, and that it shifts my trust to the VPN provider), which automatically opens on the start-up of Windows 10 (not sure when I actually need to use Proton VPN, for example should I turn it off for gaming on Steam, should I even have Steam, should I delete my entire computer? I do not know at this point).
  4. I have encrypted Windows 10 with BitLocker (no idea what this is doing, is it making it harder for people to get into my computer somehow? Why is it not on by default?).
  5. I am using Proton Mail and I have put all my emails on one Proton account for the sake of convenience, which I assume is better than just having my 7 old Gmail accounts open, most of which I do not even use.
  6. I am currently in the process of deleting ALL of my Google accounts (maybe I should do the same with my Microsoft account).
  7. I have downloaded TOR, but I am unsure of when I actually need to use it?
  8. I will use addy.io, i.e., email aliases for unimportant websites (e.g., gaming related, non-financial), but should I be using these for most services like eBay? Should I even use eBay?
  9. What other software and Windows features do I need to activate?

So, what do I need to do? Setting up this website in a more straightforward, simple way would answer all these questions and more.

2 Likes

Nobody can tell you what you need to do, and that’s exactly why threat modeling is important. I understand your feelings, to an extent. I got caught up in “threat modeling” and kept trying to find a specific and detailed guide on how to actually conduct the threat model. It’s akin to strategic planning in business; everyone talks about it but nobody shares how to “do it”.

I also think you’re over-complicating it. If you’re looking for someone to tell you what to do just so you can follow it, your privacy journey will likely end soon as you will give up due to inconvenience, etc. The idea is that YOU decide which aspects of your online life you want more private, and you search out methods of accomplishing that.

Starting with a VPN is great, because it’s easy and in your case, free. Yes, a VPN protects your web traffic from your ISP, which also means they can’t target you with ads and sell your data, they can only see that you’re connected to a VPN and get the encrypted traffic which is useless to them (I’m ready to stand corrected because I’m also not an expert). If you don’t care about targeted ads and you don’t care at all if your ISP sees all of your internet traffic, then don’t use a VPN. It’s as simple as that. Try running the VPN in Steam and if you find the speeds acceptable then just keep using it. If not, then turn it off when gaming and turn it back on when done. It’s totally your choice based on if you see your ISP as a threat to your data and privacy.

Regarding a password manager, you seem to already understand why that’s important. Good for you because that protects your online accounts from being easily hacked.

You don’t need to understand the technical jargon and aspects of a tool to use it and benefit from it, in my opinion. I’m not even sure that’s exactly what you’re articulating.

Encrypting your OS (Windows 10) is important because if someone gets physical access to your computer, unless you have an idea to crack password, it will be extremely difficult for them to access your data. It’s free, easy, and requires nothing for you to have turned on BitLocker, so good for you.

ProtonMail is good because it encrypts your emails end-to-end when you’re sending to another ProtonMail account. There are some complaints that because most people are sending emails to non-Proton accounts, then your email is still visible on the other end. That may be true, but you are still protecting the rest of your emails that come from secure systems from outside attack, and they are encrypted in storage so even if ProtonMail is somehow hacked, the data is encrypted. If you don’t care about the privacy of your emails or the things in your Gmail accounts, then you should have just kept them.

TOR? Do you really need it? I find TOR is generally overkill for common internet users.

You should use aliases as much as you can, because you can easily stop receiving email from that alias without having to change your entire email address. Also, if one service provider gets hacked, they only have access to your alias and not your real email, which then you can turn off that alias.

This is just off-the-top-of-my-head stuff from someone who doesn’t really know much. The truth is, nobody can tell you what to do because nobody can say what’s important to you and what you’re willing and unwilling to give up and/or change.

Maybe ask more questions?

4 Likes

This would be nice, but the reason we have to place such an emphasis on threat modeling is that the steps you have to take are highly dependent on your situation, there isn’t a one-size-fits-all solution to privacy unfortunately.

4 Likes

Thanks for your excellent explanation and sound advice. However, I disagree to the extent with what you see as subjective, due to the nature of this subject, just like in science, when weighing the risks and rewards some things are objectively good advice. For example, you say:

It’s totally your choice based on if you see your ISP as a threat to your data and privacy

I disagree, I think an ISP is objectively a threat to everyone’s data and privacy, and hence why there is a need for less emphasis on threat modelling and more emphasis on universal advice for everyone. This is corroborated by the first subtopics in the Knowledge Base, such as the Common Threats subtopic.

To clarify I do agree with your point here:

You don’t need to understand the technical jargon and aspects of a tool to use it and benefit from it, in my opinion. I’m not even sure that’s exactly what you’re articulating.

Although I do think it is important to understand the inner workings of anything, especially if you are reliant on these said things.

Thanks for the reply. I would agree, every ISP is a threat, but I was trying to simplify the decision-making process. Further, I would agree with your statement regarding the need to have deep understandings insofar as you are able. You are a scientist by education and training, so your mind likely craves to understand the root of how things work. In that case, you only need to spend time researching, like you would in your lab, about the topics that you feel you don’t understand well. This forum is likely a great place.

For me, on the other hand, I am a business professional, not in the IT world. I don’t have the time in- or outside of work to really dedicate to learning the technical aspects of things that interest me, such as online privacy, networking, and Linux. I do, however, learn enough to understand if and how I should use a tool. Otherwise I simply must wait to make a decision.

Cheers!

1 Like

I wholeheartedly agree, and honestly I do not have time for overly complicated, wordy explanations whether it be related to cybersecurity or science. So I agree on that point as well.

I truly appreciate your time!

2 Likes