Don’t put all your accounts in one basket

“Don’t put all your eggs in one basket.” This is ancient investment advice, and most investors have taken this wisdom to heart, either because they were taught well by others who came before them, or they learned the hard way. (Bitcoin’s looking good right now in February 2021. It also looked good in December 2017 / January 2018, and guess who was there at the time.)

Most security people also sort of understand this, though in slightly different terms: “Layered Security” or “Defense in Depth”. It’s the idea of having multiple defenses in place so that if one defense layer gets penetrated, there’s still another layer behind it, and so on until you run out of layers. Passwords, for example, would be one layer, while 2FA would be another.

If you’re a wealthy king trying to keep your treasure safely stored in your castle, you’d fortify the castle with multiple layers of defense: a perimeter wall and gates would be one layer, patrolling guards would be another, and the walls of the castle itself with its locked doors and windows would be the third layer. Since this is about treasure, you’d have a vault that only a few people have access to as a fourth layer. You might even have a moat around the perimeter walls, giving you a grand total of five layers of defense for your treasure. In other words: don’t put all your defense in one layer.

But that’s “layers of defense”. You’ve still got all your treasure in one castle, “all your eggs in one basket.” If that one castle gets infiltrated somehow, then all your treasure may be lost. Good luck staying king after that.

Now how about your online accounts? Or even your offline accounts? Should all of that be put in one place? Of course it ideally shouldn’t, but sometimes you need one central location in which to control everything, either because of speed and convenience or because of business requirements like efficiency and cost-savings. A better question to ask is: Is it reasonable to decentralize this or not? If so, then for the sake of security, you probably should.

All your base email are belong to us

Let’s start with email, since that’s usually the most important online account for most people. Got a Facebook account? Need an email address for that. Buy stuff from online stores? Need an email address for that. Download apps from the Google Play Store or the Apple App Store? Need an email address for that (though there is a way around this for the Play Store).

Most people put all their emails in just one account, in one place. If they work at a company that issues them work email addresses, then maybe they put all their emails in two places.

ʕ·ᴥ·ʔ: Not me! I’m a bear so I don’t got no work email! I got one email address for everything! My whole life’s in there! But I’m sure Google keeps it safe and sound.

And what if one day they don’t?

ʕ·ᴥ·ʔ: Then I’m royally screwed, hehe! But that would never happen, right?!

ʕ´•ᴥ•`ʔ: Riiiiight?

Well, it’s February 2021 right now, and did anybody ever expect us to be in lockdown for nearly a year, for meeting up with your loved ones to be discouraged, for travel to be on indefinite hold, and for the entire airline industry to be on life support, all for a virus with a 99.0%-99.8% survival rate after infection?

ʕ´•ᴥ•`ʔ: Hmmm… Yeah. Stuff like that never happens… until it totally happens.

So you can’t just assume that “it would never happen.” If it can, prepare for it.

But, okay, back to email. This idea that “it would never happen” was probably what Yahoo! Mail users were thinking. Until it totally happened, not once, but twice!

ʕ·ᴥ·ʔ: Oh yeah. Hehe. I knew about that. Forgot about that. It’s totally happened before already.

Exactly. Having your entire life hinge on just one possibility never happening ain’t a good idea. If you can, spread your risk. “Don’t put all your eggs in one basket.”

What I recommend is having just a few email addresses, with each email address being used for an entire category of accounts or uses. For example:

  1. One email address for social networks
  2. One email address for online stores
  3. One email address for work
  4. One email address for banking and investments
  5. One email address for actually emailing people
  6. And one email address for everything else

With a setup like this, if any one email address gets compromised, you can lose only that one category of accounts. If your email address for social networks gets hacked, at least the hackers won’t have your banking info. And if your email address for banking gets hacked, that’s a big problem, but at least it’ll be only one big problem rather than one big problem plus many other smaller problems on top of it. You might even be able to prevent any kind of pain and suffering on your part, financial or otherwise, because having one problem to solve will mean having the focus to solve the one problem quickly.

You could also take it a step further and create one dedicated email address for every single online account, like one just for Facebook and another just for your Twitter account, and one just for your Bank of America account while another is just for your JPMorgan-Chase account. Some (extremely paranoid) people do this, and you can’t get much safer and more private than that.

Just like how you don’t want to put all your emails in one email address, you also don’t want to put all your email addresses in one email service provider, like Gmail. Spread them around. Maybe use Outlook for one email address, Yahoo/AOL for a couple more, Gmail for a fourth, ProtonMail for a fifth, Tutanota for a sixth, CTemplar for a seventh, and so on.

I also recommend using a disposable email service like Temp Mail to sign up for services that you just don’t want to provide an email address to but are forced to, or that you just want to try out first before you give them a real one. With services like Temp Mail and others, you can maintain both the privacy and security of your real email addresses. (Spread your risk, not your info.)

Got a dual-SIM phone? Use it!

Just like how you don’t want all your accounts in one email address, you also don’t want to have just one phone number. Dual-SIM phones are cheap, common, and popular. If you happen to have one with only one SIM card, you may as well make use of the free real estate. Go get another SIM card, prepaid or otherwise. Use one phone number for important things like online banking and receiving one-time PINs, and use the other phone number for communicating with friends, family, colleagues, and clients.

Be warned though: if you decide to use a prepaid number, be sure to load it up a bit every now and then. If you don’t, even if you regularly connect it to the cellular network and get some calls and SMS messages on it, some telecoms will still deactivate and recycle it without notifying you (personal experience). They also might not give you the option of getting the number back afterwards (also personal experience).

If you decide to have a postpaid phone plan for the important phone number, it doesn’t have to be expensive. It can be as cheap as possible, as long as it can receive SMS messages and phone calls. It might not ever have to send SMS messages or make phone calls because that’s what the other, less important phone number is for.

If you’re in the US or Canada, consider signing up for MySudo. They give you multiple phone numbers for a great price that you can use for different accounts and uses.

Don’t expect your friends and family to keep your phone numbers private – they won’t – so make sure that even they don’t know the phone numbers you use for important things.

Lastly, just like I said with email service providers, consider again having your phone numbers be from different telecoms. Maybe one telecom is less susceptible to SIM Swap Attacks, for example.

You have only one phone? You’re poor (in OPSEC)!

Hey, Kuma. You got your whole life in one email address, right? Do you also have your whole life in one phone?

ʕ·ᴥ·ʔ: I… don’t even wanna think about dropping it in the river on the Salmon Run.

Then get another phone.

Preferably, get a new or an old but clean phone for, again, the important stuff like banking. On this important phone, you put in the important phone number we were talking about earlier, and you also avoid downloading and installing anything on this phone.

ʕ·ᴥ·ʔ: What? But what’s the point in having a smartphone if I ain’t downloading and installing stuff?

You can still download and install stuff, just avoid it as much as you can. The reason why you want to avoid that is because malware very often comes from downloading and installing stuff.

ʕ·ᴥ·ʔ: But Apple and Google vet the apps on their app stores, so downloading and installing stuff from there has got to be safe, right?

Uh, no. In fact, definitely no. The Google Play Store is actually where most Android malware infections come from. And while Apple has much tighter controls on the App Store, malware still gets through the vetting process, again and again.

ʕ·ᴥ·ʔ: Okay, fine. Maybe I’ll just be pickier about the apps I install. You know, like sticking with just the popular ones.

Oh, like this one and this one?

ʕ´•ᴥ•`ʔ: Okay… fine. I’ll just stick with the ones that I know are harmless.

Oh, you mean like this one.

ʕ´•ᴥ•`ʔ: Mmmm… Okay, fine. I’m not installing anything I don’t need.

And uninstall things when you don’t need them anymore.

ʕ·ᴥ·ʔ: Right. Malware sucks.

Indeed, it does. But just keep your phone clean, and your important phone cleaner, and you’ll have more than one tough castle in which to store your precious treasures.

And for convenience, you don’t even need to always keep your important phone on or bring it around with you everywhere. If, say, it is just for banking, then turn it on and use it only when you need to do some banking. Otherwise, leave it off (and encrypted), and maybe even leave it at home or in the car (don’t leave it in the car while the car’s sitting out in the hot sun, now). If you don’t like carrying around two phones, this is how you can carry around just one most of the time.

And again, just as it is with different email service providers and different telecoms, consider buying your phones from different brands like Samsung, LG, Nokia, Sony, or even Apple. Why? Well, if you had bought two Huawei phones in early 2019, would Donald Trump essentially banning American companies like Google and by extension Android from doing business with Huawei have been good for your plans? I don’t think so.

On a sidenote: Maybe don’t buy Chinese brand phones, or even phones made in China. And if you think, “Eh, I’m poor, I’m living in a poor country nobody cares about – they don’t care about me,” think again.

It’s one computer, but two machines?

Since I’ve mentioned the idea of having two phones, the idea of having two computers shouldn’t be too far-fetched. But computers are a lot more expensive, and a lot bigger and bulkier than phones, so maybe you’d like to compartmentalize your computer instead of getting a separate computer to pay for and lug around. That actually can be done in a couple of ways.

The first way is to install multiple operating systems on your computer, oftentimes called “dual-booting” or “multi-booting”. It’s exactly what it sounds like: having more than one operating system on your computer, and being able to pick and choose between them every time you turn it on.

You might have Windows and Linux both installed on the one computer, or you might have Windows and MacOS, or you might have all three installed, or you might have Windows 10 and Windows 7 (the goodest boy) installed, or you might have Linux Mint (which feels like Windows) and Pop!_OS (which feels like MacOS) installed.

You could have one operating system for work, another operating system for personal stuff, and a third one for very important stuff that you’d rather do or have on a more secure (and also encrypted) operating system. For that third use case, remember: keep the operating system clean and avoid installing stuff as much as possible. You may even want to consider never connecting that third secure operating system to the internet. A disconnected machine can’t be hacked by anybody who ain’t in the same room.

There are a lot of guides on dual-booting/multi-booting, with a lot of different methods available for different hardware and different operating systems. Going into them in detail here is way beyond the scope of this article, but a good starting point would be this How-To Geek article.

A portable operating system in your pocket

The second way to compartmentalize your computer is to install one or more operating systems on a USB flash drive, making it “bootable” or a “live USB”.

You could install Windows on one flash drive, and Linux on another, or both in one single flash drive, while using a regular MacBook with MacOS installed. Then when you want to use Windows on your MacBook, just plug your USB in, restart or turn on the MacBook, and have it start up Windows instead of MacOS.

Again, there are lots of ways to do this, and exactly what kind of setup you’d like for yourself will be up to you, but you can start getting your hands dirty with this Instructables guide.

Only two ways?

ʕ·ᴥ·ʔ: Hey, aren’t you forgetting a few other ways to compartmentalize a computer?

Nope!

ʕ·ᴥ·ʔ: Well what about virtual machines, containers, sandboxes, and even Windows Subsystem for Linux? Aren’t those also ways to compartmentalize your computer?

They are, sort of, but not exactly. And they don’t serve our purpose here, which is the spreading of risk or the “not putting all your eggs in one basket.”

You see, all those methods don’t so much compartmentalize your computer as compartmentalize your operating system – you’re still running them all inside one and the same operating system. They are all accessible to the host operating system that’s running them. And if that one host operating system gets compromised, then all the virtual machines, containers, sandboxes, and subsystems running on it get compromised along with it. You’re still compartmentalizing, but not into different isolated operating systems, just into different isolated portions of the one operating system. It’s kind of like dividing your one basket into multiple compartments, but all your eggs are still in the one basket.

The reason why I draw the line of secure compartmentalization at the operating system level is because hacking anything below that level is exponentially more difficult than hacking anything at or above that level. Operating systems get hacked all the time. They are the central, most important software on your computer. And as software, they are also much, much, much easier to hack than firmware or hardware. So act based on that information: don’t put all your eggs in one operating system. Virtual machines, containers, sandboxes, and subsystems are all high-level software eggs in one operating system basket.

You know what else you shouldn’t put all in one basket? Your website. But that’s a whole can of worms that’s worthy of its own article, which I will probably publish eventually. I’m still pretty new to managing my own website, so I’d like to rack up some experience points first before I get into that. I also have experiments planned for the backend of this site that I would like to try out before I write that article.

Until then, if you’d like to be notified of when I publish new articles, consider subscribing. You can subscribe to my mailing list by submitting your email address (one of your many) down below. Or you can subscribe to my RSS feed linked to in the menu. The only emails and feed updates you’ll get from me are new articles.