It was the spring of 2012 when I first sat down with myself and got started on hardening my Firefox install. And I certainly took some measures - blocked ads, installed Ghostery, stopped using Facebook, and applied the usual band-aids. As I learned more, I changed search engines, juggled a laundry list of browser addons, and found obscure and secure alternatives to all the popular services which I'll describe in a minute. First, a step back.
With these alternatives, I'm not exactly doing anyone a service - sure, they could use the donations I (am yet to) send them. And sure, giving fewer avenues for the tech giants to profit off the death of my privacy, or for the NSA's dragnet to widen, can't be a bad thing - but in the grand scheme of things, it doesn't feel like I'm doing awful good, either. I've concerned myself with a personalized, palliative solution that, while protecting my metadata, does not address why I'm insecure in the first place. What's more, I'm one of the few people I know who'd actually put the time towards these measures I have - no doubt the latest statistics show us privacy is still very important to some of us and must be protected, but it's up to you how to call it - either there's a big enough change to indicate widespread public interest, or nowhere near the size needed to protect all Americans from the widespread abuse of the National Security Agency and friends.
And despite my own best efforts, my data is still vulnerable.
My browser, first of all, is the latest version of Mozilla Firefox. A quick glance to about:addons indicates 32 installed items - 5 of which are disabled, and 20 of the total deal in some way with information security. I have also made extensive use of my browser's settings and about:config pages.
I don't plan on going into exhaustive detail about what all these addons do, but I will probably name some specifics. You can find all of them in Mozilla's privacy collection and category, plus this Firefox guide. There are several more or less helpful kicking around as well.
An important feature of online privacy is cookies, which basically are pieces of information stored in your browser by websites that are used for various functionality. I use addons to automatically set opt-out cookies from online tracking, a better cookie manager than the default, and I clear them (along with flash cookies) on logout. Finding and configuring these took roughly ten minutes.
Advertisement, script, and request blocking are also important to take note of. I use a combination of uBlock, NoScript, and RequestPolicy. This is redundant and adds more inconvenience to my Firefox install, however I'm told some levels of redundancy are important for security. I'm also told that uBlock + uMatrix are popularly used together, as well as setting a custom hosts file on your computer to block out all data from unwanted sites, and I may waste yet more time on one of those solutions soon enough.
On a similar note, I use some addons to replace links in popular web browsers and social networks, as well as change my referrer - these are a little redundant, and RefControl can cause problems sometimes, but hey it's more secure, right?
There is also the matter of making sure I use secure connections as much as possible. I'm using a combination of HTTPS Everywhere, HTTPS Finder, and customized about:config settings - specifically security.tls.unrestricted_rc4_fallback set to false and security.tls.version.min set to 2. These make your browser incompatible with sites running outdated services, but they disable the more vulnerable ciphers in your browser (I actually didn't change those settings until writing this article, whoops). The addons I listed will automatically connect to all possible websites over HTTPS (TLS). HTTPS Everywhere uses a maintained list of good sites, while HTTPS Finder finds the HTTPS version of every site you visit and connects. Some argue HTTPS Finder worsens our security because we can't confirm these are properly configured sites and it gives you a false sense of security, but we've already established that even a small amount of additional protection is enough for me to waste time and hard drive space, so just throw it in there. It's useful for small websites.
Something else to do alongside using HTTPS as much as possible is encrypting your DNS traffic with DNSCrypt. I don't have it installed currently, which means my internet service provider still has a record of all the domains I've connected to. This is hard, okay?
As some miscellaneous changes I've included User Agent Switcher and TrackMeNot. Also set your default search engine to Startpage or Ixquick if you haven't already. Go to about:config again and set geo.enabled to false.
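To check that the about:config changes above (the two TLS prefs and geo.enabled) actually landed in a profile, the following added example, which is not from the original post, audits the text of a Firefox `prefs.js` file. The sample contents are constructed, and treating any security.tls.version.min above 2 as passing is an assumption.

```python
import re

# Hardening prefs named in the post, each with the check its value must pass.
# Assumption: any security.tls.version.min above the post's 2 also passes.
WANTED = {
    "security.tls.unrestricted_rc4_fallback": lambda v: v is False,
    "security.tls.version.min": lambda v: type(v) is int and v >= 2,
    "geo.enabled": lambda v: v is False,
}

# One pref per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    """Convert a prefs.js literal to a Python bool, int or str."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)   # commented-out lines do not match
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(text):
    """Map each wanted pref to 'ok', 'weak' or 'unset' (browser default applies)."""
    prefs = parse_prefs(text)
    return {name: ("unset" if name not in prefs
                   else "ok" if check(prefs[name]) else "weak")
            for name, check in WANTED.items()}

# Constructed sample profile contents, not taken from a real install.
SAMPLE = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 1);
user_pref("geo.enabled", false);
// user_pref("security.tls.unrestricted_rc4_fallback", false);
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:5}  {name}")
```

An "unset" result means the profile never overrode the pref, so whatever default your Firefox version ships is in effect.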
I use encrypted communications mostly outside of my browser. There is an experimental chatting application called Cryptocat that creates encrypted chat rooms, but it's still beta software with vulnerabilities left from its last security audit. I would instead suggest installing Pidgin and the OTR plugin, since this still makes you accessible to your friends on Facebook and offers something people who don't wear tinfoil can actually gain from [UPDATE: Pidgin no longer connects to Facebook. RIP]. The fact I still have a Facebook account at all is another reason I'm vulnerable. Another rising application to check out is Tox, but it's still in development so don't trust it until there's been a proper security audit.
I've also isolated my email from my web browser, instead choosing to use Thunderbird as my primary email application with the Enigmail addon. I don't use Gmail for my primary email provider any more, instead going for a private email server and openmailbox.org. It would naturally be a better idea to host your own email service; I don't do this because it costs a small amount of money and everything mentioned here can be done without that.
I like to say that I've removed all Google services from my life; realistically, my phone still runs on Android with all Google apps except the Play Store removed or disabled. You can do this with Greenify, app quarantine, and /system/app mover, the first for hibernating apps you don't want to use and the second for actually deleting them. Look for more alternatives on F-Droid. I use K-9 and Guerrilla Mail for email, Firefox Beta for my web browser, DuckDuckGo and Startpage for my search engines, ChatSecure as my messenger (this works like Pidgin to replace every other chatting service you can think of), TextSecure for texting, RedPhone and Burner for calling people, and OsmAnd for maps.
Additionally, I've installed Authenticator on my phone to use 2-factor authentication on supported services, as well as XPrivacy (if you are on Android 4.2 you can use AppOps instead), AdAway to remove ads from every app, AFWall+ for a firewall, and Network Log to enable when I think apps are using traffic and shouldn't be. There are I2P and Tor apps available that I use infrequently. Tor actually comes with a pair of apps, Orbot and Orweb. Orbot allows you to route every single application through Tor; this is not as secure as it sounds, since not every application is optimized to use the Tor network, but it's still very nice. Tor of course is not a magic bullet for privacy, as it will not protect your identity on sites associated with that identity, nor sites you've logged into without TLS protection. As a final measure, I've taped a four leaf clover to the back of my phone for good luck.
Some other mistakes I make are not routing all of my traffic through Tor, not encrypting my entire hard drive, and not using a privacy or security oriented operating system like Tails. Incidentally, most of the steps I took would be completely unnecessary if I just replaced my computer's operating system (currently Debian. You aren't using Windows, right?) and installed a custom ROM on my Android after rooting it. This process would also be a lot less harrowing and time-consuming if I actually knew how to threat model.
Naturally, there is more one can, you should, and I have done to ensure proper security, however I hope to have covered all the basics, as well as paint a picture of my own failures in what not to do when it comes to privacy and security on your computer.