How to not get hacked by China

Four things you MUST do

Participants hold their laptops in front of an illuminated wall at the annual Chaos Computer Club (CCC) computer hackers' congress on December 28, 2012 in Hamburg, Germany.
(Image credit: Patrick Lux/Getty Images)

So you might not be a newspaper who plans to run an expose on the finances of the Chinese central committee. But if you're a journalist, an academic, or a national security professional, there's a startlingly decent chance that the Chinese intelligence apparatus wants to get inside your brain.

There's an information asymmetry, though. Us regular folks know only as much as our government tells us about the tactics, techniques, and procedures used by foreign governments to spy on us. Investigative journalism helps fill in part of the picture, but huge gaps remain. Our spies don't want THEIR spies to know how much WE know about them.

Still, I wondered: Those who might have access to that information still live most of their lives in an unclassified world. How do they protect themselves?

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.


Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Sign up

What follows are tips from the pros. From people who KNOW. All of it is unclassified, but it's straight up knowledge from those whose job it is to protect the servers and domains of the United States from sophisticated cyber criminals and spies.


* Use a VPN service as an intermediary (eg: In terms of remote exploitation, this can make things harder (sometimes impossible) for a nation state actor unless they've got a lot of data on your online presence already. At the very minimum, you're removing the easy options from the table and making them decided if they really want to work for it.

* Use Chrome. It's not perfect, but it's less likely to get you successfully remotely exploited by orders of magnitude. You also benefit from a smaller and typically personal (in other words, non-corporate) and more savvy user base.

In aggregate, these make it hard to justify development resources against vs. Internet Explorer/Firefox, which are likely being used in the corporate networks that nation states want access to, and 50-year-old or older users who financial scammers and spammers are hoping for.

Or — use Linux (eg: Ubuntu, for day-to-day desktop use). Again, it's not perfect, but much of the same logic behind Chrome applies (especially for web-based remote exploitation). The small installed base of desktop users really helps here. This is still true for Macs, but not to the same degree due to increasing market share (the sole driver of increased development interest). Perhaps you could say, then, 'don't use Windows.'


* Seriously, don't jailbreak your smartphone. If you do, you're pretty much asking for any random drive-by remote exploit if you do it, and this is quadruply true for Android platforms. If you don't jailbreak phones, stick with an iPhone. Unless you're logging into a service and providing personal data, it's nearly impossible to tell one iPhone user from another over cellular or common-use WiFi networks.


* When a smartphone or tablet app equivalent exists for a website, particularly a common one (eg: gmail), use it instead. Remote exploits that get people in trouble are all targeting PC web browsers because of their ubiquity in day-to-day use and the limited target set to develop to (IE, Firefox, Safari, Chrome). It is extremely resource intensive to target apps one-by-one, and they're improved so frequently that the return on interest doesn't exist to keep up. If you're surfing the web, use your smartphone or tablet then too. These systems are substantially more locked down than PCs, so any access that a remote exploit may attain is likely to be more limited. Also, these devices are rarely given full access to valuable network services or data the same way PCs are in Windows domains. So it's not that there aren't actual risks here, but the value proposition typically results in efforts being focused on lower hanging fruit that can bear out more access growth opportunities.


* Change the default password on your ISP's cable/fiber box and turn off the remote access features. They're all still there for the ISP, but at least you've made it harder. At the minimum, put a firewall (another access point like an Airport Extreme, for example) between you and that box and do not use any of its services (eg: DHCP). You will *never* be able to secure it.

* Things that protect you only from newbies and script kiddies but, for this reason, you should still do: anti-virus, long passwords, firewalls.

Finally, NEVER check your email or Facebook or something from a public computer — it is worth waiting. Assume that computer is compromised.

Continue reading for free

We hope you're enjoying The Week's refreshingly open-minded journalism.

Subscribed to The Week? Register your account with the same email as your subscription.