Good security is mostly about reducing your attack surface and making the cost of compromising you higher than the value of what an attacker would get. For individuals, that means: use a password manager, enable multi-factor authentication everywhere, keep software updated, and be skeptical of unexpected messages (especially ones that create urgency).

The landscape changes constantly, particularly with [[AI]]-powered threats that can generate convincing phishing at scale and clone voices from a few seconds of audio. Staying informed matters as much as staying locked down.

Privacy isn’t about having something to hide. It’s about maintaining agency over your own information in a world where the default is to collect everything, store it forever, and monetize it later. Every data point you hand over is a bet that the company holding it will never be breached, acquired, or compelled to share.

The practical toolkit: [[Email Masking|email masking services]], [[Encryption]], strong [[Password Management]], and a healthy skepticism about “free” services that fund themselves through surveillance.

I support either Bitwarden or 1Password as great options for most people. Apple Passwords is okay, but vendor and ecosystem locked, and doesn’t have all the standard features; but it is better than nothing.

I would avoid using Google Chrome’s password manager (or any browsers).

I do not recommend LastPass at all.

End-to-end encryption means only the sender and recipient can read the message; not the service provider, not the government, not an attacker who compromises the server.

First, what is a supply chain attack? As the name suggests, it is when someone, we will call them the Threat Actor, attacks a part of the process that builds something, rather than attacking the end product. Take Google Chrome for example, the product, Chrome, is maintained by a huge company with a lot of staff involved in making sure it is secure. However, Chrome, like most software, doesn’t have all the parts built in-house, instead they leverage other software - often Free Open Source Software (FOSS) - as an off the shelf part. In the case of a supply chain attack, the Threat Actor would focus on identifying a part that Chrome uses, that might be maintained with minimal resources. If successful, they could get this compromised part into the final product, which would get to their ultimate goal of compromising Chrome.

There is a great recent example of a near miss with the well known XZ Utils Backdoor, it’s worth a deep dive if you don’t know much about it. You can start with the Wikipedia Article

Okay so this is well and good, but really the average person has no real control about what open source software is used in their favorite programs. Which is true, but there is another supply chain attack that is happening.

Exploiting your trust

Let’s again consider Chrome, when you download the software you expect it to be well maintained and secure. However, Chrome may not do everything you need it to do, so you install some extensions. And that is where these attacks are happening; based on people’s trust of extension, modification, or utility markets. Honestly though, browser extension compromises are nothing new.

There was the Cyberhaven compromise from an external threat actor.

Or worse still, when The Great Suspender sold the extension and the new owner/maintainer compromised it.

In both cases they were trusted extensions due to either a Company behind it or being recognized for a while as a trusted owner.

Further this is breaking out beyond what you think would be a “good” place to exploit.

For developers, more and more Packages are getting attacked, and now with the rise of long-con attacks, where a Threat Actor will work on trying to get trusted by a maintainer to eventually push malicious code.

For Gamers, mods are also a new vector for attack, recently there was one that aimed to compromise Crypto Wallet information in City Skylines. Which is a case where the Maintainer was compromised and then those credentials were used to maliciously impact the mod.

This list could go on, but what I want to hammer home on is that you may trust the source/product, whether it be Chrome, npm, or a video game, as soon as you start installing third party extensions, packages, mod or otherwise then you should be aware that those could lead to a compromise.

Where do I see this going?

I expect to see the types of vectors to continue to expand beyond what we might think as “the usual suspects”. Mainly because a lot of software out there is trying to act as a base foundation which you can then build up to your needs. I could see software that leverages and focuses on User-generated templates, functions, etc. to possibly become a new vector path, if it hasn’t already happened

With all that being said, what can you do?

Take a look at your computer or phone and consider the following:

First, take a look at the applications you have installed. Have you used them recently? Are they worth keeping installed or can you uninstall them without much issue? For example, do you really need your Airline app installed when you aren’t traveling anytime soon? What about having both Microsoft Office and Libre Office installed? Do you really need both installed?

Next, once you have cleaned up your applications, which ones offer extensions, mods, or otherwise “third-party” functionality. Review that in a similar way; especially extensions. Reduce down to the ones that really help you with your workflows. I often realize I have extensions or apps installed in a “just in case” scenario that has never actually happened!

Lastly, take this forward. Sometimes it isn’t worth installing the application, especially on phones, when the website works just fine. Create a checklist of apps you might need to install during certain events, like if you are traveling you install you airline app, taxi apps for where you are going, and so on.

Remember, you can always install the software again at a later date! When in doubt, delete and see if you still need it.

Unfortunately, it’s highly likely that your information will be exposed at some point. This has become a common enough occurrence that instead of asking, “If it happens, what do I do?” it’s more prudent to ask, “When it happens, have I prepared enough to minimize the impact?”

I’ve considered this from various angles, but one method of protection worth discussing is “Hide My Email Services” like Apple’s service with iCloud, or Proton’s service and how these services can be used to protect your privacy.

Keep in mind though, that whenever you plan to increase your security or privacy you will, in most cases, lose some convenience or ease of use.

What Are Hide My Email Services?

To start, these services create an alias that will relay any emails sent to it directly to your main email address. These aliases are often a randomly generated name with one or several domains. So, if your email is jdoe@gmail.com and you use Apple’s Service, it will generate an email like Jade.0a.Kiwi@icloud.com. You can then use this email for a website, and even generate multiple aliases that point back to jdoe@gmail.com

Think of it as having an unlimited number forwarding addresses for your main email.

Website --Sends Email--> Alias Email --Forwards--> Main Email

Aliases Alternatives

Some email services also offer a similar feature by allowing you to append a + to your email address. So jdoe@gmail.com can use something like jdoe+facebook@gmail.com as an email for Facebook. This would allow them to know that, in theory, only emails from Facebook should be going to that email, and if they get something from somewhere else they may be able to assume that the email was sold, exposed, or otherwise leaked.

Now, the issue with this from a privacy perspective is that the root email is clearly exposed. Instead, the goal is to make it difficult to guess your main email address and to ensure your provided email is as unlinkable to you as possible.

When to Use Hide My Email Services

Now that we know, in general, that these services offer an ability to create unique, random emails that can be used to protect your main email, let’s discuss when it might be appropriate to use these services, and the drawbacks in each case. I will order these in what I think are the best way to start as a path to more “advanced” usage.

Level 1: This is just temporary

If you run into a site or service that needs an email, but you don’t ever plan to really manage the account (I will come back to this point though) then this is a perfect service for that.

Suppose you’re at a restaurant and want to place an order through their website, which requires an email address. You can use these services to generate a temporary email, complete your order, and then delete that email to prevent any future spam.

And that’s really it! Use the service as a temporary email, you can make just one for all use cases or generate a new one every time. I would suggest making a unique one for each, if possible, because that let’s you get used to managing multiple ones at ones and move on to the next level.

Level 2: Why do I Have to Make an Account?!

Okay, so same as before, you’re in a situation where you have to not only provide an email, but also make an account. Rather than using your main email, use a Hidden email instead! Additionally, make sure to use your password manager to generate a random password.

This site will now send spam only to your randomly generated email. And since the site now has associated login credentials, it could potentially be a source for email and password leaks. However, since they are both random, it is basically just junk. Sure you do need to make sure to secure that account the best you can, remove any other information, credit cards, etc.

But now this data cannot be used to comprise your accounts on other sites.

Level 3: Change My Email

At this point, I hope you see where we are going. Taking this a step further, we can start changing our non-critical accounts to use Hide My Email services. Randomly generate a new email, log in to your site still using your root email, and then change it. Oh, and update your password while you are there to make sure it is fully randomized while you are there; and set up MFA.

Remember, this is only protecting you when it comes to linking the email to you directly and cross referencing/attacking to other sites.

I will want to also add a note here that you should take care on which sites you do this with. For social media, video game accounts, shopping accounts, there shouldn’t be too much of a risk using these emails. However, financial sites, government accounts, and other “Identity based sites” you may want to use your root email or other softer alias techniques like the + appending technique. Why? Well, it could be more frustrating to maintain or get support with a randomly generated email. Also, these sites tend to, but not always, have a stronger security posture. Remember, we are looking at minimizing impact here, not remove it entirely!

Is it worth the effort?

To summarize what we can do here is:

1. Get a new service, and yet another subscription.
2. Give spammers meaningless, disposable emails.
3. Use throw-away emails for throw-away accounts.
4. Move existing accounts to these new, randomly generated emails.

This helps isolate sites to a single email, lowering the value of your data provided and protecting you from being identified in a data leak. Additionally, in combination with randomly generated passwords, helps to isolate credential stuffing attacks to just that one site.

But, it isn’t all perfect. There are some negatives to consider!

Negatives

Communication

There are times when you may need to send an email from that randomly generated address, like when reaching out to support. This can be clunky or even impossible, depending on the service, and it’s generally not as simple as using your regular email address.

Also, trying to call support, or provide the email can get you some odd looks. And it is cumbersome to generate one in person, but not a non-stopper.

Authenticity

Another thing to be aware of, some sites have protections around temporary email addresses, particularly ones like 10minutemail. This can lead to issues where your generated email may not be accepted if the domain isn’t well known. For example, Apple’s uses icloud.com as the domain, which is well known and accepted in most cases. However if you use a service that uses less known domains, or you can use your own, that can lead to issues with the email not being accepted.

Service Provider trust

A significant concern with these services is that all emails going to those alias addresses are accessible to the service providers. For example, Apple could, in theory, see what is sent to Jade.0a.Kiwi@icloud.com.

Data breaches

When a breach happens you can go to places like Have I been Pwned and put in your email to see where you were affected. However, now you don’t see all your potential accounts, as most will have a unique email. In these cases, usually the site does send you an email to alert you, so you will want to monitor for those a bit more actively. When you do get one, you can do your normal response like resetting the password, but also reset the email!

All in all

Is this worth it? For you, I don’t know. But for me, it is worth applying some of these items.