You've covered the basics. You've checked off the more-than-basics. But you still can't fight a nagging feeling that it's not quite enough. At a certain point, if a nation-state wants to compromise your devices or your privacy badly enough, it's going to find a way. You can at least make it harder for them. Here are a few measures designed to do just that.
The best way not to get your computer hacked? Don't connect it to any other computer, a practice known as air-gapping. In a world where practically every machine connects to the internet, that’s not easy. But for ultra-sensitive files and tasks—storing a Bitcoin cache or working with leaked files from a whistleblower—the inconvenience of working entirely offline can be worth it.
While any laptop lets you turn off basic radio connections like Wi-Fi and Bluetooth, the safest way to air-gap your machine is to physically remove all wireless hardware, says David Huerta, a digital security fellow at the Freedom of the Press Foundation. Better still, use a computer that doesn't come with any; Huerta points to the Intel Nuc, Gigabyte Brix, and older Mac Mini desktops as a few examples of those radio-optional computers.
Practically the only way someone can compromise an air-gapped computer is if they have physical access—they have to be able to walk up and physically plug in a USB drive, or other type of storage media.
An air-gapped machine generally functions as a viewing station, a way to work with sensitive files while ensuring they’re not subject to being hacked, or themselves infecting your network. Huerta recommends taking the further step of removing the computer’s hard drive too. Instead, you can boot it from a USB installed with the ephemeral operating system Tails, which ensures that no trace is left on the computer after use. That means you can’t store any files on your air-gapped machine. But it also makes that “clean” machine virtually impossible for any hacker to meaningfully attack.
If you truly don’t want to be tracked, turning off your phone helps some. But security experts have warned for years that sophisticated malware can track or use a phone for audio surveillance even when you think it's powered down, likely by spoofing its “off” state while continuing to leave key functions running.
Pulling out a phone’s battery can thwart that eavesdropping. But for the iPhone and other mobile devices without easily removable batteries, the supremely cautious rely on Faraday cages or bags. These are essentially metal shields that block all radio frequencies. Slip your phone into one of the metal-lined wallets, and it goes dark for anyone attempting to communicate with its radios. No info can go in or, more importantly, out. They're also not hard to come by; you can find them on Amazon for relatively cheap.
In a pinch, any sufficiently shielded metal box, like a safe or even a microwave, will do. NSA leaker Edward Snowden asked visitors to his Hong Kong hotel room to put their cell phones in a minifridge. Just know that while the cage or bag might block your phone from revealing its location, it doesn’t necessarily stop it from collecting audio if it’s already been hacked—and its spying powers switched on—before it got black-bagged. In that case, it wouldn't be able to transmit anything in the moment but could the instant the smartphone leaves its Faraday holster and regains internet connectivity.
If sophisticated spies want to hear your conversations, they may not need a bug in your office or home. Instead, they can use a tool known as a laser microphone, which bounces an invisible infrared laser off of a window and back to a light sensor. By measuring any interference in that reflected light, the laser microphone can detect vibrations in the window pane and reconstruct sound on the other side of the glass.
That laser eavesdropping could potentially be foiled by closing heavy curtains or playing loud music while having a private conversation. But some high-value spying targets also resort to vibrating devices like this one, planted on windows to jam any attempts to read their resonance.
Sure, hackers can steal your passwords with malware, or by breaching the servers of the services you use. But they can also just watch over your shoulder as you type them in. And in cases where you think you might be under targeted video surveillance—say, that Moscow hotel room—it’s worth considering a silly-sounding but significant protection: A literal security blanket. Call it the Linus Method.
By covering your head and hands, you can type in sensitive passwords without fear that a surveillance camera is watching over your shoulder. Snowden illustrated that under-the-sheets technique in the documentary Citizenfour, when he was shown putting a blanket over his head to enter passwords in a Hong Kong hotel room. He jokingly referred to the blanket as his “magical mantle of power.” But if you’re protecting a password sensitive enough that spies would be willing to plant a camera to capture it, that blanket could be the only thing keeping your secrets, well, secret.
More Tips for Superspies: After you've bought your Faraday cage, remove the mic from your devices and sweep for bugs.
Activist? Journalist? Politician? Consider Yourself a Target, Too: Encrypt everything, sign up for Google Advanced Protection, take a tour of Tor, and deploy physical measures to increase your digital security.
Advice for Regular Users (the Hackers Are Still Circling): Master passwords, lock down your smartphone, keep yourself secure from phishers, know how to deal with getting doxed, and, if you have kids, keep them safe online.
