This article is part of my Self-Defense BaseCamp series. I want to show you how to work more safely and more anonymously on your PC.

In the first section, I will give you a brief assessment of the security and protection of your privacy when using Windows, macOS or Linux.

Sections 2 and 3 are about making your operating system more secure and also more “private”. You will find behavior and configuration recommendations that you can implement step by step. At the end you will find a collection of links to important articles on the subject. I have linked the information you need for implementation directly in the text.

I welcome any comments, questions, or feedback.

1 – How Secure and Private are Today’s Computers?

As you’ve probably heard, PCs (personal computers) were developed in the 1970s. The goal back then was to give computers as much power as possible to run user programs. Since there was no Internet and little networking at the time, security was not at the forefront of development.

As a result, the security model of today’s PCs is still quite patchy, leaving many vulnerabilities in the hardware and operating system for attackers. That’s why some security experts advise against using PCs.

“If you can, stay away from the PC and use a mobile device.” – madaidan (Security Researcher), Articles | Madaidan’s Insecurities

Operating System Market Shares

What are the market shares of the major PC operating systems? According to Statista (03/2024):

  • 72.47% of all PCs are running Microsoft Windows
  • 16.11% with Apple’s macOS
  • 4.5% with various Linux systems (doubled since 2022)

These figures show that a Windows or Apple PC user may be exposed to more potential threats than a Linux user.

What About Security and Privacy?

Microsoft and Apple have significantly improved the security of their operating systems in recent years. For example, if you are running Windows 11 today, preferably in S mode on a Secured Core PC, or macOS on a MacBook of the M1/M2/M3 (Apple Silicon) generation or later, both manufacturers now offer proactive security features such as:

  • Mitigation of undiscovered security vulnerabilities (exploits),
  • Verified startup of the operating system (Secure Boot),
  • Sandboxing of applications,
  • The use of memory-safe programming languages

However, by default, both systems violate your privacy by sending insights about you back to their “builders”. They call this Telemetry.

Microsoft’s telemetry service, for example, continuously collects the following data, and much more, and sends it to their corporate servers in Seattle:

  • Text typed on the keyboard
  • Microphone transmission
  • Index of all media files
  • Webcam data
  • Browsing history
  • Search history
  • Location activity
  • Saved health activity
  • Your privacy settings

This data would make it very easy to identify you, your location, and all of your online activities. (Source: Michael Bazzell, “OSINT Techniques: Resources for Uncovering Online Information,” 10th Edition, 2024, page 4)

You can also read more about this in the Microsoft privacy statement. A summary of the 2013 Edward Snowden disclosures can be found here and here.

The extreme extent of Microsoft’s (and Apple’s) data collection can be reduced, but unfortunately not eliminated. You will learn more about this in sections 2 and 3 of this article.

Linux or Mainstream?

For those who value their privacy, Linux offers an excellent alternative. As an open-source operating system, it’s almost telemetry-free, meaning it doesn’t collect or send data about your usage by default. Distributions such as Ubuntu and Linux Mint are particularly easy to use and an excellent choice for beginners. They are compatible with almost all PCs, easy to install, and offer users a high degree of anonymity, privacy, and freedom to customize their system as they wish. A global community of volunteers maintains and updates these systems on a daily basis. Security vulnerabilities are quickly identified and patched by this community through automatic updates.

A “secure” and trusted system is the foundation for all other security measures, such as encryption or low-trace web browsing. – Mike Kuketz, German blogger, privacy activist and hacker.

While Linux leads the way in terms of privacy, trustworthiness, auditability, and freedom to customize, it’s important to recognize that no system is immune to security risks. Linux’s openness allows vulnerabilities to be quickly identified and patched, but maintaining system security requires users to be proactive: regular updates, the use of strong passwords, and following expert cybersecurity advice are critical. It’s important to understand that the security of a computer system is not only determined by the choice of operating system, but also by the behavior and practices of the users.

Ultimately, whether your computer can be “tapped” by investigating authorities or whether cybercriminals succeed in stealing your identity also depends on the following factors:

  • Your personal threat level
  • Who is actually interested in you and your information?
  • What resources and determination will a potential attacker use?
  • Your IT experience, time, and budget
  • Your discipline and your day-to-day attentiveness when working on the PC

2 – Basic Settings and Behaviors

… that you can easily implement on any PC running Linux, Windows or macOS.

Please use only trusted, secure sources for your hardware and software. More and more, you should rely on your own experience, not just on what the vendors say and what they offer in their app stores.

Do not use a fancy name for your computer that can be associated with you. Instead, use names that sound like there are millions of them in the world. For example, “MacBook” on a MacBook or “Desktop” on a Windows system.

Use a “standard” user account without administrative privileges for your daily work.

The current practice of granting administrative rights to the standard user for administrative tasks via a password prompt (on Linux via “sudo”) is risky. If you accidentally install malware, you can infect your entire computer.

What should you do?

First, set up your computer under an administrator account and finish the full installation. Then create another new administrator account and demote the installation administrator account to a limited or standard user account. Only use this standard user account for your daily work.

Use a strong user password or, better, a passphrase of 5-6 words. Do not use this password (or passphrase) anywhere else and make sure you never repeat it.

Store your accounts and passwords with a trusted password manager.

Encrypt your hard drive. If someone gets physical access to your PC, they will be unable to do anything with your data.

Configure your system so that the firmware, operating system, and any applications you use are regularly and promptly updated.

Install only the necessary applications and operating system components. Each additional component provides an additional attack surface and needs to be updated regularly. Start cleaning up, uninstalling and deleting unneeded stuff.

Most Linux distributions give you the option to install only the required base system during installation. This gives you an easy start, and you don’t have to figure out if you need X applications at all.

Set up a regular backup with an external hard drive. Of course, you can “classically” back up your entire system, including the operating system, applications, and your data. This takes a long time and is very inconvenient. Since you can reinstall the operating system and applications with limited effort, I recommend backing up only your data (documents, pictures, movies, password manager exports, etc.).

Store the backup hard drive in a safe place (such as a safe-deposit box at your bank). Practice what you have to do to restore this backup in case of an emergency.
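One way to script the data-only backup and the restore practice described above, as an added example that is not part of the original article. It assumes GNU coreutils (cp -a, sha256sum, mktemp); the function names and the paths in the usage comment are illustrative.

```bash
#!/usr/bin/env bash
# Added example: data-only backup with a checksum manifest and a restore drill.
# Assumes GNU coreutils (cp -a, sha256sum, mktemp); names and paths are illustrative.

# backup_data SRC DEST: copy the data and record SHA-256 checksums of the source.
backup_data() {
    local src=$1 dest=$2
    mkdir -p "$dest/data" || return 1
    cp -a "$src/." "$dest/data/" || return 1      # keeps timestamps and permissions
    # Hash the SOURCE files, so a faulty copy shows up when the backup is verified.
    ( cd "$src" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) \
        > "$dest/MANIFEST.sha256"
}

# verify_tree DIR MANIFEST: succeed only if every file listed in MANIFEST matches in DIR.
verify_tree() {
    local manifest
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    [ -s "$manifest" ] || return 2                # missing or empty manifest
    ( cd "$1" && sha256sum --quiet -c "$manifest" ) >/dev/null 2>&1
}

# restore_drill DEST: restore into a scratch directory and verify the result.
# This rehearses the restore without touching the live data.
restore_drill() {
    local dest=$1 scratch rc
    scratch=$(mktemp -d) || return 1
    cp -a "$dest/data/." "$scratch/" && verify_tree "$scratch" "$dest/MANIFEST.sha256"
    rc=$?
    rm -rf "$scratch"
    return $rc
}

# Usage (illustrative paths):
#   backup_data "$HOME/Documents" /media/backupdrive/docs
#   restore_drill /media/backupdrive/docs && echo "restore verified"
```

A failed drill means a file in the backup is missing or no longer matches the checksum taken at backup time, which is exactly what you want to learn before an emergency.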

Use Apps that Are Your Allies

From the CloudPirat Privacy ToolBox, I recommend the following apps or providers for your computer. Most of these apps are open source, and the providers are trustworthy and work without tracking you:

  • Password Manager – Use Bitwarden as your password manager if you want to synchronize your accounts and passwords with other devices. If, for security reasons, you want to store your password database offline on one PC, use KeePassXC.
  • VPN Service – I recommend Mullvad to protect you from advertisements, trackers and malware, and as an encrypted DNS service. Configure Mullvad so that it also starts at system startup.
  • Browser – Use Brave as your default browser, not Chrome, Edge or Safari.
  • Search engine – Use Brave Search as your default search engine.
  • Messenger – Use Signal as an end-to-end encrypted, trustworthy desktop messenger.
  • Office Suite – Use LibreOffice instead of Microsoft Office 365, so that no one is “looking over your shoulder” when you write. LibreOffice is “open source” software developed and maintained by a worldwide community. The aim of the project is to give everyone access to powerful, open and free office software.
  • Email & Calendar – A great combination for secure and private email, calendar and contacts is the “Proton Suite”.
  • Video Conferencing – Secure, end-to-end encrypted video conferencing is hard to find these days. For two-party video calls, just use Signal as well.

3 – Harden Your Windows PC

Use and Configure Windows Security

The most important action you can take to improve Windows security is to enable Windows Security (including Windows Defender).

Activate your firewall and make sure that your PC does not allow incoming connections.

Also enable antivirus and malware protection.

Here’s how – Microsoft – Stay protected with Windows security

Do not use additional third-party Internet security software, such as antivirus software. By default, Windows Security is an Internet security suite designed specifically for Windows. If you install a third-party Internet security solution on top of Windows Security, the manufacturer will get deep insight into your system. This is an unnecessary threat to you.

Deactivate unwanted functions in Windows

O&O ShutUp10++ – You don’t want your keystrokes to be logged? Or that Windows sends your WLAN password to your Facebook friends? With O&O you decide when the sharing of your data goes too far. A simple user interface allows you to determine how Windows 10 and Windows 11 should respect your privacy. Unwanted functions can be deactivated at the click of a mouse. O&O ShutUp10++ The AntiSpy Tool for Windows

Privacy is sexy – A website with a rich pool of tweaks to protect the security and privacy of the operating system and other software running on it. You don’t need to run any software on your system, just execute the generated scripts. You have full transparency about what the tweaks do while you enable them. Privacy is Sexy – Privacy & Security for Windows and macOS.

Windows 11 S Secured Core PCs – With Windows 11 S, Microsoft offers a Windows version with special, certified hardware: the so-called Secured Core PCs. As of today, you can only download software from the Microsoft Store in Windows 11 S mode and must use the Edge browser.

Using a System Cleaner

The task of a system cleaner is to remove unwanted data from your system, such as internet history, temporary files and a lot of other stuff. My preference for this task is BleachBit. You can select all available options except “Wipe Free Space” and repeat this process weekly.

3 – Harden Your Mac

Use and Configure Mac’s Security

For older Macs without M1 or M2 processors (Apple Silicon), it is recommended to set the Mac firmware password.

Setting the Mac firmware password prevents your Mac from booting from a hard disk other than the specified boot disk. For example, an attacker cannot boot your Mac from a USB flash drive.

Apple – Set firmware password on Mac

Enable the Mac firewall and configure it to block incoming connections. Also enable the so-called stealth mode. This will prevent your Mac from responding to connection requests from the Internet.

Apple – Enable Stealth Mode

Minimize iCloud usage – I recommend not using Apple’s iCloud if possible.

You should not synchronize your contacts, calendar, etc. via iCloud. Email providers like can synchronize calendars and contacts via CalDAV and CardDAV interfaces. Apple supports this for all devices.

I also recommend not storing data, images, or backups in iCloud, but rather use a trusted cloud storage provider.

You should not allow your applications to use iCloud for syncing with other devices or for storing data.

Deactivate Unwanted Functions in macOS

Privacy is sexy – A website with a rich pool of tweaks to protect the security and privacy of the operating system and other software running on it.

You don’t need to run any software on your system, just run the generated scripts. You have full transparency about what the tweaks do while you enable them. Privacy is Sexy for Windows and macOS.

Antivirus or not?

Unlike Windows, today’s macOS includes only some malware protection. Apple – Malware protection in macOS

Should a Mac user install an additional third-party Internet security suite on his Mac?

This is a controversial topic among security experts. The vendors of such solutions get a deep insight into your system and your data. Experts who care about privacy call external Internet security solutions like Kaspersky, Norton or Bitdefender “snake oil”, after the traveling salesmen who sold snake oil as a cure-all in the Wild West.

I recommend using a combination of the following three applications and performing a weekly check:

  • Task Explorer – free, Mac only. The application identifies all running processes and checks them with the VirusTotal service.
  • KnockKnock – free, Mac only. Malware installs itself persistently to ensure it is automatically executed each time a computer is restarted. KnockKnock uncovers persistently installed software in order to generically reveal such malware.
  • ClamAV – free, for Windows, Mac and Linux. ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

3 – Harden Your Linux PC

Configure Linux Firewall – Activate the UFW – “Uncomplicated Firewall” and prohibit incoming connections.
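The UFW step above, with a check that the policy is really in force, as an added example that is not part of the original article. The function names are illustrative, the sample status text is constructed, and apply_ufw_policy assumes root privileges and an installed ufw.

```bash
#!/usr/bin/env bash
# Added example: set UFW to refuse incoming connections and check the result.
# apply_ufw_policy needs root and an installed ufw; function names are illustrative.

apply_ufw_policy() {
    ufw default deny incoming &&      # refuse unsolicited inbound connections
    ufw default allow outgoing &&     # keep normal outbound use working
    ufw --force enable                # --force skips the interactive confirmation
}

# incoming_blocked: read `ufw status verbose` text on stdin; succeed only if the
# firewall is active and the default incoming policy is deny or reject.
incoming_blocked() {
    local line active=1 policy=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "Status: active"*) active=0 ;;
            Default:*"deny (incoming)"*|Default:*"reject (incoming)"*) policy=0 ;;
        esac
    done
    [ "$active" -eq 0 ] && [ "$policy" -eq 0 ]
}

# list_inbound_allows: print rules that still admit inbound traffic despite the
# default policy, so leftover exceptions can be reviewed.
list_inbound_allows() {
    grep -E '[[:space:]]ALLOW IN[[:space:]]' || true
}

# Constructed sample of `ufw status verbose` output (not captured from a real host).
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

# On a real system (LANG=C keeps the output in the English form parsed here):
#   sudo LANG=C ufw status verbose | incoming_blocked && echo "incoming blocked"
```

In the constructed sample the default policy is deny, but the 22/tcp rule is an exception that list_inbound_allows reports; remove such rules if you do not need them.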

Antivirus or not? – I recommend using ClamAV on Linux as well. ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

Using a System Cleaner – As explained in the Windows section, the task of a system cleaner is to remove unwanted data from your system, such as internet history, temporary files and a lot of other stuff. My preference for this task is BleachBit. You can select all available options except “Wipe Free Space” and repeat this process weekly.

Everything else that I think is important for beginners has already been explained under Basic Settings and Behaviors.

Sources, Tips and Links for Further Reading

madaidan, Linux Security Analyst, Security and Privacy Advice, 10.08.2022

madaidan, Linux Security Analyst, Linux, 18.03.2022

Joanna Rutkowska, founder of Qubes OS, on Twitter, Jun 5, 2019.

Alexander Peslyak (Solar Designer), founder of Openwall, oss-security, 05.10.2022

Hardening Windows

(In German) Federal Office for Information Security (BSI), SiSyPHuS project, Windows 10 hardening configuration recommendations, 2019

beerisgood, GitHub user, Windows 11 harden, 10/08/2022

O&O Software GmbH, O&O ShutUp10++, Free AntiSpy Tool for Windows 10 and 11, 08/10/2022

Privacy is Sexy, Toolbox to harden Windows and macOS

Hardening macOS

beerisgood, GitHub user, macOS Hardening, 10.08.2022

Privacy is Sexy, Toolbox to harden Windows and macOS

Apple, Apple Platform Security, 10.08.2022

Hardening Linux

madaidan, Linux Security Analyst, Linux Hardening Guide, 19.03.2022

Mike Kuketz, Secure Desktop System – Hardening Linux Part 1-3, 25.02.2016