Security

The first and most important thing with software has been the availability of source code—chiefly, whether an app is open source. Apps that are open source do not do anything secretly when you can see what the are supposed to be doing.

Closed-source apps could be doing anything, however, and you wouldn’t know it. For example, Google Chrome sends data to Google’s servers whenever you type anything into the URL box. (This is the part in the browser where you type in web addresses.)

Chrome is closed source. Thus, we can never know what data Chrome is sending to Google’s headquarters. Other closed-source apps are Microsoft Edge, Opera, Vivaldi, and Apple Safari.

Mozilla Firefox, on the other hand, is open source. I recommend installing it and using it because it is cross-platform. You can download and install Firefox on your computer. If you have an iPhone, you can find Firefox on the App Store. For Android phones, you can find Firefox on Google Play. The app also is also available on F-Droid under the name of Fennec.

As much as possible, try to replace proprietary services with open-source apps. If you switch to Linux or another operating system, the transition is easier when most of the apps you use are cross-platform and open source. In addition to Firefox, such apps include Mozilla Thunderbird (email), LibreOffice¹ (to replace Microsoft Office), OBS (broadcasting), and VLC (audio and video playback).

To block trackers from Google and other advertisers, you can browse the Web through Mozilla Firefox with the extension for Firefox that is called uBlock Origin.

The extension of uBlock Origin will not work on Google Chrome, which only supports extensions in the format of Manifest version 3. On Chrome, blockers such as uBlock Origin do not work because they need to use abilities that are available only in the format of Manifest version 2. Chrome-like browsers include Microsoft Edge, Opera, Brave, and Vivaldi.

Firefox, in contrast, works with both versions of Manifest, 2 and 3. This means that uBlock Origin still works perfectly with Firefox. You can trust uBlock Origin because it is open source. Anyone can find out what uBlock Origin actually does. Other extensions such as AdBlockPlus take money from advertisers in order to allow certain advertisers and trackers.

Also, keep in mind that plain “uBlock” (not Origin) is different. Stay away from it.

If you would like to let ads play in order to support someone you like, then just click on the uBlock Origin icon after you install it. A pop-up appears, and you can click the giant power icon (⏻) to turn off the extension for that website.

The Yellow Light’s main website, the podcast feed, audio files, images, and transcripts are all delivered through SSL (a.k.a. TLS). If you click inside the address bar of your web browser, then you can see if the URL (the address) begins with https. That s will:

• Encrypt everything you do on the website, such as typing into search boxes or entering a password
• Hide whether you visit various sub-directories because everything after the .com/... or the .org/... stays invisible to third parties
• Certify, through a chain of trust, that the website’s address is real as guaranteed through a certificate authority that your browser trusts

Most sites use SSL these days. Your web browser will warn you about the rare website that does not use SSL. With or without SSL, anyone who sees your internet traffic can see that you went to www.nyan.cat but not which pages you visited there or which cat you selected as your favorite.

Be careful, however, because SSL has its limits. SSL only guarantees that a site claiming to be www.website-name.com actually points to www.website-name.com.

SSL does not guarantee that walmart-shop.com is actually a part of the Walmart company. That website of walmart-shop.com could still be a scam.

If incognito is a word you use for browsing, you may be making a serious error right off the bat. Incognito is the word for Google Chrome to run in a mode that does not use cookies or active log-ins from the main browser and will delete its history when you close it.

Remember that Google Chrome is closed source.¹ This means that you cannot see the source code. As a result, users can never know what it actually does. Chrome in Incognito mode may “work” in the sense that you can use a different log-in on some website while still logged in under a different identity on the non-Incognito window. However, who knows what really happens when you close the Incognito window. Is the app deleting all cookies and history? How well is it deleting them?

With Mozilla Firefox, which I highly recommend, this kind of browsing happens within a “Private Window.” For security, the biggest strength of Firefox is that the source code is available for all the world to inspect. Anyone can go look at the repository of the source code at Mozilla’s website and understand what the program actually does. You can think of source code as coming together to make a very detailed instruction manual.

A Private Window will open fresh without any active log-ins and will delete the history when you exit, but that’s all it does. It does not hide your internet activity from anyone. Unless you use a special server for DoH (DNS over HTTPS), your internet service provider knows what websites you visit. Without an SSL connection (https:// at the beginning of the address), anyone can see what you do on that site.

If you use a Private Window, you are making it possible to have a parallel log-in or delete your history so that your partner or parent doesn’t stumble upon it. And even then, it will only cover your tracks if the other person doesn’t have advanced tech skills. Remember that if anyone you do not trust has physical access to your computer and your computer does not have an encrypted hard drive, then that’s game over.²

Your computer at work can watch everything you do. A Private Window will not stop that.
Additionally, your computer can still leave clues in unencrypted swap space or your RAM. Admittedly, the contents of RAM (memory) expires within seconds of turning the computer off.

Do not rely on a Private Window for dangerous situations. Run a modified version of Firefox, the Tor Browser, and run it on the Tails operating system. (You can put it on a USB thumb drive and boot from that.)

If you would like to obscure your location, you can route your internet traffic through a virtual private network (VPN). This will hide your real location. The internet services you use and the websites you visit cannot see where you are.

Remember, though, that a free VPN can be very slow or not even hide your real location. Also, it may even spy on you in order to sell your information.

Those in dangerous locations should mind the limits of VPNs. They can hide your location from websites, but when you connect to the VPN, the company can see where you are.

As an alternative, you can use the power of math to completely hide your location for free. You can do this with Tor. It makes your internet connection go through three or more relays before reaching the normal internet.

You can stay completely in the world of Tor relays when you visit websites that are “onion services.” With an onion service, both the visitors and the website itself stay hidden, and onion services encrypt everything and self-authenticate—without TLS.¹

Tor is easiest to use through a customized build of Firefox called the Tor Browser. Please note some of the challenges, however, with streaming large videos or BitTorrent.²

For encrypted and verifiable communication that you can repudiate, I strongly recommend Signal. It is available for both iPhone and Android (Google Play and homepage), and it’s easy to use. After you get set up, you can also install Signal Desktop for Windows, Mac, or Linux.

Basic text messaging has no security. A criminal can send messages from a fake phone number or spy on your messages.

Apple confuses matters because the iPhone’s Messages app mixes basic text messages with iMessages into one app for the iPhone. And because the app is closed source, you can never what the program is really doing. Also, you have to reveal your real phone number to everyone else in a chat.

The problems with iMessage get much worse. The iPhone will automatically convert an iMessage into a basic text message if someone in a chat does not use an iPhone. Without “security numbers,” signatures, or fingerprints, you have no way to check that no one managed to sneak in through a man-in-the-middle attack.

Signal was in the news in the spring of 2025 for three reasons:

• US officials used Signal on private networks in their official workplaces.
• They invited non-official people into group chats.
• No one else in the government can read Signal messages and release certain information under the Freedom of Information Act.

However bad these facts may be, Signal is not insecure. It remains safe and anonymous—as long as you don’t accidentally add editors of the Atlantic to your chat.

Signal has many benefits:

• Installation on cheap hardware
  It can run on a thousand-dollar iPhone or on a cheap smartphone that costs less than a hundred dollars.
• Video calling
  Live conversations are free, and calls can be direct (higher resolution) or through special hops in order to hide your location (lower resolution).
• Hidden phone numbers
  You don’t need to reveal a phone number to anyone else. You can set a “username” and only share that. The only time that you need a phone number is when you receive a text message to register with Signal’s service.
• Verifiable identities
  You can check that the conversation is only between you and your friend by authenticating the signature or “safety number.” After just one check, you know that the conversation forever stays free of spies and impostors.
• Repudiation
  Anyone can disavow a given message. You can say, “I didn’t write that,” and no one could prove otherwise.
• Open source
  Anyone can see the source code to find out what Signal is really doing, and the installation file is reproducible.
• Nonprofit management
  Signal Messenger LLC and the Signal Protocol are part of Signal Technology Foundation, a 501(c)(3) nonprofit organization in California, USA.

Please exercise caution when interacting with AI on websites or in customer service. AI models need lots of data to train on. They read and remix theat training data. As a result, AI companies are always looking to get more training data. Sometimes their means are illegal or unethical. For example, many AI models (or chatbots, or LLMs) hold onto everything that end users you say or type. Remember, if a closed-source app or service seems to be free, then there’s a catch.

Relying on the output of AI models is risky. They are essentially probabilistic search engines; they are not deterministic. Every time you use an AI model, the answer could be slightly different. AL models do not “think.” They string together sentences based on what ideas are most likely to follow from another one. They are prone to repeat facts, make shoddy connections, and conjure up so-called hallucinations.

They also waste ungodly amounts of electricity and consume our resources in a mad dash to use as many processors as possible. Worst of all for human culture, they are simply plagiarism machines.

The output AI models can seem very lifelike or human-like in their responses. This is because AI models remix content that humans already wrote or draw.With practice, you can get good at picking up on the clues, however. Somebody could hypothetically use an AI model in content creation, but the machines themselves do not create.

The champions of AI exhibit a staggering lack of care for ethics. The free price tag is not a license from the writers and artists whose works are in the training data. They did not give permission to the AI company or to you, the end user, to use that content.

Even if you are completely selfish, then be careful for your own sake. Someday, copyright courts may treat AI art with some consistency. They could say that you have to pay royalties to someone because you made money from selling art that used an AI that was trained on someone else’s work. Don’t expect the tech bros to bail you out or pay your legal fees.

Most people encounter a lock screen everyday on an encrypted cell phone. Smartphones that run Android and iPhones will encrypt the files after you leave your screen off or put your phone in your pocket.

When you try to use the phone again, you will see that the phone is now locked. If the phone is locked, it will ask you for a PIN or password to unlock the phone. This will hide everything on your phone from any attacker, any criminal, and any border agent.

Nobody has ever cracked the encryption algorithms that we have been using for decades now. By the end of the 2010s, the top-of-the-line encryption tools became standard everywhere.¹

If you reuse a simple password on PIN in multiple places, then you are in trouble. If my phone PIN is “5687,” then nobody can read that number from my phone. In fact, my phone cannot even see the PIN. (The PIN goes through a special “hash,” and your phone looks at the output.)

If my phone PIN is “5687” and my bank PIN is also “5687,” then I am in trouble. The bank does not use a hash. The bank can see my PIN. The bank knows that my PIN is “5687.” If some government agency can make my bank say what the PIN is, then that government agency can try to use that PIN to unlock my phone.

Another possibility is that the user of the smartphone already downloaded spyware in the past. (This is why I advocate open-source software. Apps cannot secretly spy on you when the source code is open.)

Trying to crack encryption is pointless. There is no such thing as “military-grade encryption.” Everybody can and usually does use the same algorithms—everybody. If you want to make it harder on criminals, you keep the just make the key longer. If a key is 256 bits long, then a quantum supercomputer would need to guess numbers for thousands of millions of years just to reach a fifty percent chance of success.

Your phone PIN is not 256 bits in length (256 zeroes and ones). Your phone uses a hash function in the processing of passwords. Normally, a criminal’s computer may be able to guess a million passwords per second. If your phone or computer uses a hash, then the criminal can only guess a thousand times per second. That makes a huge difference.

The log-in screen on a Windows, Mac, or Linux computer is not the same as the lock screen on a smartphone. A log-in screen will not encrypt your hard drive.

If you carry your laptop around and you do not encrypt it, then you are at risk if criminals or border agents take your laptop. If you do any banking on an unencrypted laptop and lose that laptop, then you are in trouble.

You can encrypt your laptop, however. If someone steals a laptop that is encrypted, then no one can read the information on that laptop.

Remember that the log-in screen is not encryption. The log-in screen is useful for separating user accounts, blocking your children from getting onto the computer, or keeping out anyone without tech skills.

Anyone with physical access can boot a special operating system from a USB thumb drive. Then, that person can look at all of the files without ever using the log-in screen.

To encrypt the whole computer:

• Linux
  You will use a tool called LUKS. This is an open-source tool that defaults to the best standards for non-AEAD² encryption: two 256-bit keys for AES in XTR mode and password hashing through Argon2id. Plus, you can set multiple encryption passwords. Any one of those will work just fine. Every person in your family can have a unique password. This allows your family to share a computer and also protect that computer’s information if a criminal ever broke into your home.

• Windows
  BitLocker is the default program for encrypting computers that run Windows. This program does not support multiple passwords, and so everyone in your family has to share another password that they all must learn.

• Apple/MacOS
  Similar to BitLocker for Windows, FileVault for MacOS only allows for one password.

It is impossible to remember a strong, long, random, and unique password—much less several of them. The solution? Memorize one decent password and run it through a strong hash in order to open the “key” to everything else, and have that be verifiable. If that key is verifiable, you know that no one tampered with it.

KeePass is the answer. The cross-platform app of KeePassXC is lightweight and can read a KeePass database (a simple text file that ends in .kdbx) as can open-source app such as KeepassDroid (on Google Play and F-Droid) and KeePassium (on the App Store).

You never have to reuse passwords or use bad passwords. Just remember one password. It need not be perfect—just good enough.

Any KeePass program will have to process the password very slowly. This means that instead of the password taking a millisecond, it takes a whole second.

Within a KeePass file is just a list of your passwords for every website. It can make new, random, and unique passwords for each site. You need unique passwords that are random. I mean really random, not your slamming the keyboard back and forth with your two hands. That’s not random. You need randomness to beat criminals.

A criminal’s computer can guess str4wB3rry1! and str4wB3rry2! and str4wB3rry3! and very quickly. It cannot guess V(I\f+qZ2 and 7e"[-p^<0c{ and L%MPd>D+5 with any efficiency.

But I can’t remember those passwords! Yes, and that’s the point. If you can easily remember the password, then a computer can easily guess it.

You can, however, create a “Diceware” phrase. This is also called a pass-phrase. Such a pass-phrase will come in handy for something you must type out many times a day on different computers. One example could be the employee password that you use to print material on several different computers at work.

With a pass-phrase, you should never come up with a phrase that makes sense. Computers can easily guess real sentences. Instead of using a real sentence, have a Diceware generator make some nonsense for you. The result could be something like creation-oozy-refutable-professor. This classic XKCD comic lays out the point in four pictures.

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.

Edward Snowden said that. His actions as a whistleblower forever changed internet security.

Snowden carefully leaked secrets of the US government’s program to work with companies to spy on US citizens in their own country, and to spy on all of them. He worked with journalists who redacted anything that had the remote possibility to endanger an agent. He is the reason that website managers finally began to adopt SSL en masse after 2013.

SSL protects everyone from eavesdropping by criminals, the US government, or any other government. SSL is also the technology that secures online banking and credit card usage online and in stores.

Snowden’s biggest mistake is that he didn’t plan his escape very well. He was in Hong Kong when he made the leaks. He then ran from country to country before the US government revoked his passport while he was in an airport in Moscow. He eventually took asylum in Russia.

In the time since, Snowden hasn’t endorsed Putin’s invasions or his assassinations. He had no choice but to stay in Russia and keep his head down on certain issues.

Russia, like it or not, was the only place where the CIA could not easily abduct Snowden. He was understandably scared to come to the USA when national politicians called for his death on live television. Even if the US government never hurt Snowden, some misguided vigilantes would have tried to hurt him.

Snowden exposed a wiretapping program that was illegal. That program did not “save American lives.” Snowden sacrificed a free life in the USA to make us more secure.

Let’s pretend you are a blind loyalist to the White House. You think Snowden committed treason. You believe every conspiracy theory about him. Okay, fine. Now imagine how much more easily foreign governments in 2025 would have been able to spy on everyone through the internet if Snowden had not given us all a kick in the pants back in 2013.

• Email
• Bluesky
• Reddit
• Telegram
• Facebook
• Threads
• LinkedIn

Hello!