1您的密码可能会被破解 (1 Your Password Can Be Cracked)

The leak of celebrities’ photos gives us a shudder, as we should be in full charge of the data of our own. Tools available on shady forums and github alone could be used to back up your iPhone, or for attackers to get into your iCloud account. Following a suspicious IP address, the police captured someone who had hacked into more than 300 iCloud accounts, but till now no charge has been pressed. Using a hard to guess password is not going to prevent certain tools to crack this, but this could stall the attacker to the point that he gives up. The easiest and automatic way is to resort to a password manager. But beware that

名人照片的泄露使我们感到震惊，因为我们应该完全负责自己的数据。 仅在阴暗的论坛和github上可用的工具可用于备份iPhone，或使攻击者进入您的iCloud帐户。 继一个可疑的IP地址之后，警察抓获了一个入侵了300多个iCloud帐户的人，但是到目前为止，没有任何指控。 使用难以猜测的密码不会阻止某些工具破解此密码，但是这可能会使攻击者停滞不前。 最简单，自动的方法是求助于密码管理器。 但要注意

1. The master password could be breached, if the computer’s keystrokes are recorded.如果记录了计算机的击键，则可能会破坏主密码。
2. If you lose your master password, all passwords would be lost.如果您丢失了主密码，则所有密码都将丢失。

Tips:

提示：

1. Strong passphrases should be long (25+ characters) and be random!强密码短语应较长(超过25个字符)，并且是随机的！
2. Never use the same password for 2 different accounts.切勿对2个不同的帐户使用相同的密码。

Passwords are stored as a hash. Don’t leave your PC open to public, when you’re having a guest at home or more importantly when you got called away from your desk at the office, because of an impromptu meeting. Protecting passwords of online services only works if you’re keep your physical devices safe as well. Use bluetooth to unlock/lock your desktop/laptop when you approach or go away. For mobile devices, biometric and a password together should be secure enough. Most security questions are too obvious. Someone can scour your social media and gets the answer of your home town or where you went to high school. Be creative about the correctness of these questions. Write them down, or put them in a password manager. Also beware that providing the real answers to these questions is subject to the resell of your personal information, so people could fill in the blank about your profile.

密码存储为哈希。 当您在家里有客人时，或者更重要的是由于临时会议而被打离办公室时，请不要将PC开放给公众使用。 仅在确保物理设备安全的同时，保护在线服务的密码才有效。 当您接近或离开时，请使用蓝牙解锁/锁定台式机/笔记本电脑。 对于移动设备，生物识别和密码一起使用应足够安全。 大多数安全问题都太明显了。 有人可以搜索您的社交媒体，并获得您的家乡或上高中的答案。 对这些问题的正确性有创造力。 记下它们，或将它们放在密码管理器中。 另请注意，提供这些问题的真实答案取决于您个人信息的转售，因此人们可以在您的个人资料中填入空白。

If your email is hacked, the first thing to do is reset the password, a much stronger one. Second, check sent box or spam to see what emails have been sent. See if some addresses are added to the contact. Two-factor Authentication encompasses what you have, what you know and what you are. But this still isn’t quite secure. A gmail password reset message is sent to your phone, and the attacker sent immediately a second message warning the possibility that your account is under attack, and asking you to send the secret code to ‘prevent’ this. Instead, use Google Authenticator, which doesn’t require a message to your phone. For financial matters, I recommend that you use a chromebook (iPads are just too expensive) exclusively for banking. Install no other software on that device, and when you’re done with it, put it away. This sounds like and is indeed a huge hassle, but you’re far less vulnerable to attack this way.

如果您的电子邮件被黑客入侵，首先要做的就是重置密码，这是一个更强大的密码。 其次，选中已发送框或垃圾邮件以查看已发送了哪些电子邮件。 查看是否将某些地址添加到该联系人。 两因素身份验证涵盖您所拥有的，您所知道的和您所拥有的。 但这还不是很安全。 gmail密码重置消息会发送到您的手机，攻击者会立即发送第二条消息，警告您的帐户可能受到攻击，并要求您发送密码以“防止”此行为。 而是使用不需要向您的手机发送消息的Google Authenticator。 对于财务问题，我建议您专门为银行业务使用Chromebook(iPad太贵了)。 请勿在该设备上安装其他软件，并在使用完后将其丢弃。 这听起来确实很麻烦，但是您以这种方式进行攻击的可能性要小得多。

2还有谁在阅读您的电子邮件 (2 Who else is reading your email)

Emails, even deleted, are still stored somewhere on a server of that hosting company. Third parties will access these for sinister reasons. Yahoo, for example, scans the emails and uses that as a means of targeting advertisement, which is their main source of income. Google stopped scanning emails in your archive, but started to scan all emails sent and received. Your network may also choose to scan your traffic, for malsoftware and confidentiality purposes. Nevertheless, there’s always a good chance that the emails you sent, be it deleted or not in the future, will live on for quite a long while.

电子邮件，甚至被删除，仍然存储在该托管公司的服务器上的某个位置。 第三方将出于危险原因访问这些文件。 例如，雅虎会扫描电子邮件并将其用作定向广告的手段，这是它们的主要收入来源。 Google停止扫描存档中的电子邮件，但开始扫描所有已发送和已接收的电子邮件。 您的网络还可能出于恶意软件和机密性的目的，选择扫描您的流量。 尽管如此，您发送的电子邮件(无论将来是否删除)始终存在很长一段时间。

MTAs(mail transfer agents) may still use exposing channels to transfer mails. So use asymmetric encryption to protect your emails from end to end. PGP or GPG can also work well. Always verify the identity of the other side, the recipient might not who you believe to be.

MTA(邮件传输代理)可能仍会使用公开渠道来传输邮件。 因此，请使用非对称加密来保护您的电子邮件从头到尾。 PGP或GPG也可以正常工作。 始终验证对方的身份，收件人可能不是您认为的身份。

You want public algorithms and private keys, not any proprietary algorithm. When sending any messages, use end to end encryption. For emails, use something like mailvelope to encrypt emails whenever possible. Yet meta data, such as subject, recipient’s IP address, sender’s IP address, date and so on, will persist to be in plain text. Third parties can see these data and figure out some patterns out of them.

您需要公共算法和私钥，而不是任何专有算法。 发送任何消息时，请使用端到端加密。 对于电子邮件，请尽可能使用诸如mailvelope之类的方法来加密电子邮件。 但是元数据(例如主题，收件人的IP地址，发送者的IP地址，日期等)将始终以纯文本格式保存。 第三方可以查看这些数据并从中找出一些模式。

Sending a email to an IP address of North Korea is suspicious, even if your subject is merely “Happy Birthday”. A 20-minute phone call at 11pm to some psychatric hotline reveals a lot about this person’s emotional status. To fully hide yourself, you need to remove the IP address, your fingerprint on the Internet. A remailer can hide the sender’s IP address, but type I and type II do not allow replies. Type III does offer full service.

即使您的主题只是“生日快乐”，向北朝鲜的IP地址发送电子邮件也是可疑的。 晚上11点打了20分钟的电话，打了一条精神病热线电话，就可以看出这个人的情绪状况。 要完全隐藏自己，您需要删除IP地址和Internet上的指纹。 重发邮件者可以隐藏发件人的IP地址，但类型I和类型II不允许答复。 III型确实提供全面服务。

Tor is free and open source, created to stay anonymous online. The nodes between you and the server will change frequently, thus no one can restore that route. Two drawbacks still exist: 1. the node you’re connected to might be controlled by government. 2. Page loading is slow. Use a specilized device for Tor, not your day-to-day device for browsing.

Tor是免费开放源代码，旨在保持匿名在线状态。 您与服务器之间的节点将频繁更改，因此没有人可以恢复该路由。 仍然存在两个缺点：1.您连接到的节点可能由政府控制。 2.页面加载缓慢。 使用专用于Tor的设备，而不是用于浏览的日常设备。

To go completely anonymous, you need a burner. Definitely cut off all connections to the past, including any email services or phone numbers. Via Tor, create a new gmail account, using the burner’s number. When using this invisible account, log in only through Tor and don’t search the Internet, since you could reveal your identity inadvertently. This requires a ton of perpetual diligence, but worth it in order to go incognito.

要完全匿名，您需要刻录机。 绝对切断与过去的所有连接，包括任何电子邮件服务或电话号码。 通过Tor，使用刻录机的号码创建一个新的Gmail帐户。 使用此隐形帐户时，请仅通过Tor登录，而不要搜索Internet，因为您可能会无意中泄露自己的身份。 这需要大量的永久性勤奋，但为了隐身而值得。

3窃听101 (3 Wiretapping 101)

IMSI(International mobile subscriber identity) creates a unique pair between your phone and the cellular towers. Some towers have been established to intercept your messages. Others are used to monitor traffic status, based on how fast your signal moves from one tower to another.

IMSI(国际移动用户身份)在您的电话和蜂窝塔之间创建了唯一的对。 已经建立了一些信号塔来拦截您的消息。 其他信号则用来根据您的信号从一个塔移动到另一个塔的速度来监视交通状况。

Your phone when powered up connects to a series of cellular towers. The nearest one handles the actual phone call. But all have continuous signals transferred from your phone, identified by a unique TMSI, whether you make a phone call or not. Law enforcement can and does check the log of these records. Using a burner, if the purchase doesn’t reveal your identity, would be okay.

开机时，您的电话将连接到一系列蜂窝塔。 最接近的一个处理实际的电话。 但是无论您是否拨打电话，所有电话都有从您的电话传输的连续信号，并由唯一的TMSI标识。 执法部门可以并且确实会检查这些记录的日志。 如果购买的产品没有显示您的身份，则使用刻录机可以。

All cellular technologies, are based on signaling system protocol, which could be used for surveillance. Researchers have found that these networks are more or less easy to tamper with. We need end to end encryption, for the network itself never is secure enough.

所有蜂窝技术均基于可用于监视的信令系统协议。 研究人员发现，这些网络或多或少容易被篡改。 我们需要端到端加密，因为网络本身永远不够安全。

Whether it’s a physical switch at a phone company or a digital switch, law enforcement does have the ability to eavesdrop on calls. Digital phones are more vulnerable to monitoring than traditional landlines.

无论是在一家电话公司的物理开关或数字开关，执法确实有窃听电话的能力。 与传统的固定电话相比，数字电话更容易受到监控。

VoIP is great for laptops and tablets which might not be able to access cellular towers. Internet is used to transfer audio datagrams, but the security is still at risk. Some vendors still use symmetric encryption, and send the key over to the recipient not though SSL/TSL, which pretty much renders the whole process useless and susceptible. Other services keep the key at the server side, so that won’t protect you either. Signal, an app available on iOS and Android, tackles this problem by keeping the key only on your own device, and destroying the key once the session is ended. Moreover, the keys generated are not the same. So even if one key is compromised, your further communication will stay secure and unintelligible to third parties.

VoIP非常适合可能无法访问蜂窝塔的笔记本电脑和平板电脑。 Internet用于传输音频数据报，但是安全性仍然存在风险。 一些供应商仍使用对称加密， 而不通过SSL / TSL将密钥发送给接收者，这几乎使整个过程变得无用且易受攻击。 其他服务将密钥保留在服务器端，因此也无法保护您。 Signal(iOS和Android上可用的应用程序)通过仅在您自己的设备上保留密钥，并在会话结束后销毁密钥来解决此问题。 而且，生成的密钥是不同的。 因此，即使一个密钥被盗用，您的进一步通信也将保持安全，并且第三方无法理解。

4如果不加密，则表示您没有设备 (4 If you don’t encrypt, you are unequipped)

SMS text is proclaimed to be deleted within days by multiple carriers in the US. But traces can still be found and messages have been restored in the past. They are not as secure as you think.

SMS文本被美国多家运营商宣布在几天之内删除。 但是仍然可以找到痕迹，并且过去已经恢复了消息。 它们并不像您想象的那样安全。

Don’t use the native message service that comes with your carrier. Use a third party app, that employs end-to-end encryption. But they are too susceptible to surveillance. No logs are good logs. Refrain from Whatsapp and Telegram, since all have been successfully hacked. What remains is OTR(off the record) and PFS(Perfect Forward Secrecy) messaging. Signal is a good choice. Unlike open source projects, propreitary items cannot be fully trusted.

不要使用运营商随附的本机消息服务。 使用第三方应用程序，该应用程序采用端到端加密。 但是他们太容易受到监视。 没有日志就是好日志。 由于所有内容均已成功被黑客入侵，请不要使用Whatsapp和Telegram。 剩下的就是OTR(不在记录中)和PFS(完美转发保密)消息传递。 信号是一个不错的选择。 与开源项目不同，私有物品不能被完全信任。

5现在你看到我了，现在你没有了 (5 Now you see me, now you don’t)

You can avoid leaving browsing history in the first place. Despite the hidden/incognito mode provided by all major browsers, your credentials still travel through your ISP. HTTPS is much secure than HTTP. Beware of any account you’re logged in, such as microsoft or Google, which can track all your behavior to provide better targeted ads. Don’t use the Safari or the browser that comes with the mobile device. Use private browsing whenever possible.

您可以避免将浏览历史记录放在第一位。 尽管所有主要浏览器都提供了隐藏/隐身模式，但是您的凭据仍通过ISP传输。 HTTPS比HTTP安全得多。 当心您登录的任何帐户(例如microsoft或Google)，这些帐户都可以跟踪您的所有行为，以提供更有针对性的广告。 请勿使用Safari或移动设备随附的浏览器。 尽可能使用私人浏览。

Enable HTTPS Everywhere. The browser will check the certificate to confirm the identity of websites. The most stringent one being Extended Verification Certificate.

启用HTTPS Everywhere。 浏览器将检查证书以确认网站的身份。 最严格的一种是扩展验证证书。

Disable location tracking function. You might also want to fake your location. Use a plugin called Geolocator in Firefox, or in Chrome: open developer tools, click the triple-dot in the upper right corner, more tools, and select sensors to change your location.

禁用位置跟踪功能。 您可能还想假冒您的位置。 在Firefox或Chrome中使用名为G eolocator的插件：打开开发人员工具，单击右上角的三点，更多工具，然后选择传感器以更改您的位置。

You can also achieve this using Tor. But some sites don’t support Tor browsing. Establish a proxy instead. Read their privacy policy and avoid free services like plague.

您也可以使用Tor来实现。 但是某些网站不支持Tor浏览。 建立代理。 阅读他们的隐私政策，避免像瘟疫这样的免费服务。

Disable the auto synchronization. You might accidentally leave it open to others. Be vigilent when using a public terminal. Be careful when you’re using a shared service like family plan. Things can get synchronized and past content will also appear on another device. Set up multiple users if possible, and keep the administrative access to yourself.

禁用自动同步。 您可能不小心将其向其他人开放。 使用公共终端时要保持警惕。 使用家庭计划等共享服务时请多加注意。 事情可以同步，过去的内容也将出现在另一台设备上。 如果可能，请设置多个用户，并保留对您自己的管理访问权限。

Browsing history will remain on the cloud even if deleted on your own device. What you search for today might come back to haunt you tomorrow. Search results from Google, Yahoo and Bing are filtered based on your past history, which is a form of censorship, whereas DuckDuckGo provides zero tracking policy.

浏览历史记录将保留在云中，即使在您自己的设备上将其删除也是如此。 您今天搜索的内容明天可能会再次困扰您。 Google，Yahoo和Bing的搜索结果会根据您过去的历史记录进行过滤，这是一种审查制度，而DuckDuckGo提供了零跟踪政策。

6每次单击鼠标，我都会看着你 (6 Every mouse click you make, I’ll be watching you)

HTTPS will encrypt the content only if the website supports it, but never the URL. And websites will send these information to third parties without you knowing, usually for advertising and marketing purposes.

HTTPS仅在网站支持的情况下加密内容，而不会在URL支持的情况下加密。 网站通常会将这些信息发送给第三方，而您通常不会出于广告和营销目的。

Just like other applications, browsers will expose your meta data,Operating System, resolution and addons alike. One way to defend yourself is by using a virtual machine.

就像其他应用程序一样，浏览器将公开您的元数据，操作系统，分辨率和附加组件。 保护自己的一种方法是使用虚拟机。

1. Pop up windows can display no visible elements, for the only sake of connecting to third parties and tracking. Instruct your browser to disable this function.弹出窗口无法显示任何可见元素，仅是为了连接到第三方并进行跟踪。 指示您的浏览器禁用此功能。
2. When you click a link on a website, the target website will know where you come from, i.e. your previous history will be recorded. Ads are put at the corner of the page. Go to google to search for that site to avoid this. NoScript in Firefox can block scripts and flash, leaving your trace at bay, although you can cherry pick some elements to load. For Chrome, use ScriptBlock. Another solution is AdBlock plus, but the company will track your history as well. Ghostery is another useful option to disable trackers on a webpage.当您单击网站上的链接时，目标网站将知道您来自何处，即将记录您以前的历史记录。 广告放在页面的一角。 去谷歌搜索该网站，以避免这种情况。 Firefox中的NoScript可以阻止脚本和Flash，尽管您可以挑选一些要加载的元素，但是却无法跟踪。 对于Chrome，请使用ScriptBlock。 另一个解决方案是AdBlock plus，但该公司也会跟踪您的历史记录。 Ghostery是另一个禁用网页上的跟踪器的有用选项。
3. Create multiple emails to make yourself less interesting to third parties. For shopping, use a email address specially , have the boxes sent to your mail drop, and reload balance with a gift card. When it comes to social networks, use another public email address, and give each nonprimary address a unique fake name.创建多封电子邮件，使您对第三方的兴趣降低。 购物时，请特别使用电子邮件地址，将邮箱发送至您的邮箱，然后用礼品卡充值。 当涉及社交网络时，请使用另一个公共电子邮件地址，并为每个非主要地址指定一个唯一的假名。

Cell phones are not immune from tracking. Cookies are pieces of text stored on your browser, which are not dangerous by themselves. Removing cookies from one-off visits to sites need be done regularly. Cookie with name that does not match the name of the website should be deleted. Super cookies exist on your computer and should be eradicated.

手机无法免于追踪。 Cookies是存储在您的浏览器中的一段文本，它们本身并不危险。 需要定期从一次访问网站中删除Cookie。 名称与网站名称不匹配的Cookie应删除。 超级cookie存在于您的计算机上，应予以消除。

Equally pesty are tool bars. Read all checkboxes before install anything, that could save you a lot of hassles.

同样有害的是工具栏。 在安装任何东西之前，请阅读所有复选框，这可以为您省去很多麻烦。

Now HTML5 introduces canvas, whose fingerprint can be tapped into to build a online profile. Plugins such as CanvasBlocker for Firefox and CanvasFingerprintBlock for Chrome tackle this issue.

现在，HTML5引入了画布，可以利用其指纹来建立在线配置文件。 用于Firefox的CanvasBlocker和用于Chrome的CanvasFingerprintBlock之类的插件可以解决此问题。

Credit card companies do track us online. You can circumvent this via Bitcoin, with anonymous email address and gift card.

信用卡公司确实在网上跟踪我们。 您可以使用匿名电子邮件地址和礼品卡通过比特币来规避此问题。

This post will be actively updated, so stay tuned.

这篇文章将被积极更新，敬请期待。

Original: https://digitmancer.com/books/the-art-of-invisibility

原文： https : //digitmancer.com/books/the-art-of-invisibility