
Safety Planning for those battling against aggressive and tech-savvy stalkers


DarthDomino/Personal-Safety-Manual


Introduction: Off the Grid is for Everyone

Ever been stalked by a hacker? Well I have, and many others have too. But you wouldn't know that because there's no How-To on getting the hell out of that sticky situation. Until now.

Perhaps you were given this because something bad has happened. The good news is that there’s help and (hopefully) you’re about to learn a bunch of cool stuff. I’ve tried my best to make this as user-friendly and enjoyable to read as possible.

No matter what though, there’s going to be some repetition, so focus, attention to detail and patience are required. It is important not to skip anything, as I’ve already weeded out the unnecessary.

However, there’s an unlimited amount of knowledge on how to keep you and your devices safe, so I encourage you to get into your own Wiki hole on the subject. I’ve provided some resources below to get you started.

Virtual Dumpster Fire

In this case a literal dumpster fire would be much easier than this section. Rule number one is to NOT GET FRUSTRATED.

Take the time to upload pictures from your hard drive to Instagram, save resumes to a USB, but make sure everything not absolutely necessary gets deleted. (No need to delete anything on the Hard Drive individually, as we will be doing a mass-reset).

If you see something and think, “That’s important, I should keep that,” that’s exactly what you need to be removing. Anything with any sort of personal information on it whatsoever. If there’s any evidence that you like cats, one of your passwords is associated with a cat you once had, and that cat is mentioned ONCE on the internet or hard drive, you might as well have no password at all.

I’ve left out Social Media entirely, but the best advice is to burn it. If you must post, Latergram everything by at least a day and make sure that you are NOT searchable by email or phone number.

Mac

  • Sign out of iCloud and everything else possible. But especially iCloud.
  • Turn off Find My Mac and turn off FileVault, if it is on. These are all found easily in your System Preferences.
  • If you have FileVault active, make sure you have a copy of your key before you deactivate it.
  • Shut down the system.
  • Hold down command and the R button, press the power button but don’t let go of command and R until you see the Apple loading screen.
  • Select Disk Utility > Continue
  • Erase. It will ask you if you’d prefer the fastest or the most secure, scroll all the way to most secure.

It once took an infected Mac I had 20 hours to completely erase, so make sure you’re plugged in and just walk away.

Go have a snack. It might be a while.

Once your Mac is squeaky clean create a NEW iCloud account and we’ll go over rebuilding and hardening in the next section.

Windows

  • Sign out of your Microsoft Account and everything else possible.
  • If you’re tech savvy, install a fresh copy of your OS to a USB/External Hard Drive, plug it in, go in to Safe Mode on Start-up and follow the instructions.

If you’re not particularly tech savvy, in Settings, there should be the option for Change PC Settings.

If you can’t find it, press the Windows Key and type “Change PC” and it should populate.

  • Click “Update and Recovery” > “Recovery”
  • Select “Remove Everything and Reinstall Windows”
  • Proceed to follow the instructions.

If asked which you prefer, the fastest or the most secure, always select the most secure.

Email

This is when patience begins to play a part. I recently went through an entire Gmail account, with a Google Number attached to it (something I’ll cover in later sections).

It was like working on an assembly line (the same action over and over), but all in all the whole thing took me about an hour.

There’s a check box where you can select all emails. With Gmail you have to delete them page by page.

Once you’re finished deleting them, you must go into your trash, select them all page by page again and click “Permanently Delete.”

Google Hangouts Chat streams must be deleted individually, which in all honesty is a nightmare, but important and necessary.

Leaving as small of a digital footprint as possible is smart no matter what you’ve got going on in your life.

Mobile

These steps are relatively the same for iPhone and Android. Sign out, reset, delete everything.

You can contact Apple and they will delete your entire iCloud account, so you can create a new one and start fresh.

Rebuilding and Prevention

If you’ve made it this far, you’re hopefully already feeling more comfortable with your electronics.

There’s something freeing about having a clean slate. However, you’re not out of the woods, yet.

Did you know that if you leave your phone next to a radio on a Spanish channel over-night, when you wake up, all of your ads will be in Spanish? So stick with me, kid and let’s knock this out.

Security Questions

Make sure all of the answers to your security questions are WRONG.

Create a system for yourself: for "What is your mother's maiden name?" the answer would be "12" or "blonde."

You should be using LastPass (covered below in Passwords) and going through so many email addresses this should never be much of a concern, anyway.

Create all new emails, create one for each of your payment apps, one for your iCloud, one for professional stuff, one for family and friends.

Separate your accounts as much as possible so if one thing gets popped, you don't have to run around trying to figure out what else is.

It's best practice to create ALL new emails and phone numbers every six months to a year.

Drug dealers do this every single month, so do what you will with that information.

Payment Apps

Your real name, transactions, (and sometimes your phone number, email/mailing address) are not private by default.

Create a (random) separate username for your Venmo, CashApp and PayPal.

Put your hangouts number instead of your real number.

Virtual Addresses are available at places like PostScanMail.com.

You can also use a P.O. Box or simply a past address. I don't have my actual address anywhere online, as all my bills are electronic, or even on my driver's license.

In fact, ESPECIALLY not on my driver's license.

Any profile/picture anywhere can be reverse Google image searched, so if that same image is on a profile with your real name, you can easily be found.

If you get emails notifying you to verify your account, DO NOT IGNORE IT.

Do not allow anyone to search for you by phone number or email address, username ONLY, and always crank up any other security/privacy settings you see.

Mac

Once your Mac is so fresh and so clean, it’s EXTREMELY important to go through these next steps immediately, or you may get infected again and have to do the last steps all over. Which I’ve had to do and I really kicked myself for it.

In the Finder window, under Favorites, click Applications, click Utilities, and then double-click Keychain Access. In the Keychain Access window, under Keychains, click login, under Category, click Certificates, and you should see your Code Signing Certificate, if your certificate was installed in your keychain.

Get a piece of duct-tape (I have a roll of Batman duct-tape just for this) and cover your Mac’s webcam.

Forget your webcam exists. Sorry ‘bout it. Trust me you don’t want it.

Turn off Bluetooth, WiFi, IPv6 and everything you can when you’re not using them. This goes for mobile, too.

When you first login, you’re going to create your Admin password.

Your Admin account is where you get to have all the super powers.

Like downloading and installing new tools and programs, fixing security settings and everything we’re going to do in this section.

So next we’re going to create a Guest account that we’re actually going to live on and use every day (except right now).

This provides an extra step for a potential hacker to be able to get Admin privileges.

I won’t lie to you, it’s a very tiny step but it’s still a step.

There is no such thing as an impenetrable device.

If it’s working, it’s susceptible. So basically what we’re doing here is making it as annoying as possible for someone to penetrate it in hopes they just say “Fuck it,” and go away.

Moving into System Preferences:

  • Deselect “Allow Guests to connect to Shared Folders”

  • Secure Users’ Home Folder Permissions

  • In Spotlight settings, make sure that it does NOT have access to search the web. Deselect everything that would need internet access.

If you’ve never used Spotlight, it’s a really fabulous tool (Command + Space Bar) used for finding things on your device.

If you can’t find what I’m talking about in your Settings, throw a keyword in there and it will most likely find it for you.

  • Turn on FileVault and write the key on a piece of paper and lock it in a safe or hide it somewhere.

DO NOT PUT THIS KEY ON YOUR PHONE SO HELP ME.

  • INSTALL MALWAREBYTES. It has a trial period but the service is free.

Once the trial (Real-Time Protection) ends, you can either delete and reinstall (resetting the trial) or purchase. Be sure to do regular scans. Especially after updates.

  • Make sure Firewall is ON. Sometimes your VPN (covered below) will turn your Firewall off.

Make sure if you ever disconnect from your VPN (to get into banks, Coinbase, etc) to immediately turn your Firewall back on.

It should do this automatically, but it's safest to never assume anything.

  • Enable Software Updates

  • System Preferences > Security and Privacy > General > Unlock > Select “App Store” only.

If for some reason you want to download something not on the App Store (like from your browser), open General again and it will have a pop-up. You will then be able to enter your Admin username and password from your Guest User account so you don’t have to switch back and forth.

  • Install "Little Snitch" and its little brother "Micro Snitch."

Little Snitch alerts you to every single connection coming and going to your Mac.

Really spend some time getting to know Little Snitch, it's your new best friend.

Google what certain daemons do, what connections to look out for. Guaranteed there's an article on each one, somewhere.

SERIOUSLY, don't be lazy with it. When it asks you how long the connection is allowed, NEVER say "Forever" unless it's absolutely crucial and you're SURE you know what it does.

Which should only be like three things, such as automatic updates.

Micro Snitch alerts you every single time your webcam or microphone is accessed.

If you're watching Netflix and it turns on, you've got problems.

Windows

Once your PC is so fresh and so clean, it’s EXTREMELY important to go through these next steps immediately, or you may get infected again and have to do the last steps all over. Which I’ve had to do and I really kicked myself for it.

Get a piece of duct-tape (I have a roll of Batman duct-tape just for this) and cover your PC’s webcam.

Forget your webcam exists. Sorry ‘bout it. Trust me you don’t want it.

When you first login, you’re going to create your Admin password. Your Admin account is where you get to have all the super powers. Like downloading and installing new tools and programs, fixing security settings and everything we’re going to do in this section.

There is no such thing as an impenetrable device. If it’s working, it’s susceptible.

So basically what we’re doing here is making it as annoying as possible for someone to penetrate it in hopes they just say “Fuck it,” and go away.

  • Turn off Bluetooth, WiFi, Airport, IPv6 and everything you can when you’re not using them. This goes for mobile, too. Enable Windows Defender. Install Malwarebytes. When the Malwarebytes trial ends, double check and make sure that Windows Defender’s Real Time Protection is on. Real Time Protection is the only thing that expires with Malwarebytes, so keep it installed and do regular scans, especially after updates.

  • Create a new Microsoft Account

  • Activate Software Restriction Policy. This can be found using the Windows search bar, as will almost all of these.

  • Uninstall all bloatware (apps or programs that you won’t use or need on your system that come with the fresh install like Solitaire).

  • Create User account that you will use on a daily basis. Admin accounts should only be used to alter settings and install programs. Have a strong password for both.

  • In Windows Administrative Tools > Services > Make sure that Microsoft Sign-in Assistant and Windows Update are running.

  • Check for updates regularly.

  • INSTALL MALWAREBYTES. It has a trial period but the service is free.

Once the trial (Real-Time Protection) ends, you can either delete and reinstall (resetting the trial) or purchase. Be sure to do regular scans. Especially after updates.

Mobile

If you’re on iPhone, you’re at slightly less risk because every app installed on an iPhone has to be approved/created by a verified developer.

If you’re on Android, there should be a setting somewhere to only allow verified Microsoft developers. However, it’s usually pretty obvious if you look at reviews, ratings and number of downloads. When you download an app, you agree to the permissions instantly. Android’s permissions are usually all together. iPhone asks you individually sometimes.

  • If you can help it, never allow any apps permission to turn on your microphone, or at least have it ask you every single time it wants to turn it on. There is no setting for this for the phone app so no worries. Only your VoIP if you decide to go that route… and you should.

  • Private Internet Access is awesome for a mobile VPN, especially when traveling.

  • Never give permissions to any app that you don’t absolutely have to, and if possible have it ask you every time. This goes for access to your Contacts, Photos, Location, etc.

  • Turn off Location Services.

  • Turn off Find My iPhone.

  • You can set Map applications to only allow your location when the app is being used.

Passwords

You should always have strong passwords on every account, and each account should have a different password.

If your password is something you can remember off the top of your head, you’re using a bad password.

Do not leave passwords written anywhere near your desk on a sticky note.

If you MUST write down your password, such as your FileVault key, write it down and lock it in a safe.

You can get a safe or a lockbox cheap these days.

This might seem like an impossible task, not remembering a password but being unable to write it down.

LastPass is here to save the day and solve your problems. Create one, really good, complex password. Remember it, and all the others will be randomly generated.

LastPass works in your Browser as a Chrome Extension, AND is available as an app! If you go to your vault, you can view passwords saved for applications and things not available in your browser and it autofills so you never have to type out another password again.

For iPhone: Settings > Passwords & Accounts > Website & App Passwords

As far as passwords for your devices, there’s only so much that you can do. Make sure that your admin and user passwords are different, and if you have trouble thinking of more than one strong password, use LastPass and make sure the admin password is the strongest.

Do not use real words. !f Y0u Mu$7 U$3 $0m37h!ng l!K3 7h!$ or complete, long sentences including the spaces and punctuation.

Words you think are random have already been thought of by malicious hackers (wordlists are available freely) and are definitely not random.

Home WiFi Security

If you think there is any chance that your home network is compromised, contact your Internet Service Provider (such as AT&T or Time Warner Cable) and ask for a new router.

Tell them that you’re getting the error, “Connected, No Internet,” that you’ve done a “power cycle” and for some reason you still can’t get the internet to work.

Never tell your ISP you were hacked or are in any way worried about your security. They’ll ask questions there’s no correct answer to. Avoid it altogether.

If this explanation is too complicated for you, just say there’s dust in it.

Also, it’s best to get a new router from your ISP in person, just bring the old one with you.

  • On your new router there will be a basic IP address. Something like 127.0.0.1 and a password. Type the IP address into your browser (Chrome hopefully), your username will be admin.

  • Enter the password on your router.

  • If you are a gamer or have gamers in your household, there’s not much you can do, unfortunately.

Online gaming turns your router Firewall into Swiss cheese because of all the different ports that must be opened to play with others, but are never closed.

This can become an issue so a port/router reset every few months helps dramatically.

If you are not a gamer or do not have gamers in your household, go to your Firewall settings and crank that ish up.

  • Familiarize yourself with all the settings available. If for some reason you’re doing something one day and it doesn’t work, you’ll need to be able to get in and out easily to mess with the Firewall Security levels.

  • Disable IPv6 entirely.

  • Disable anything else you’re not using, if you’re not sure what something is, Google it or ask me.

  • Disable port 1900 UPnP. (This is a common thing you will need to revisit if something does not work).

Browser Settings

Go to Windows Defender Security Center > App and Browser Control > Exploit Protection Settings to take a look. Program Settings > Add program to customize. A good program to add would be your 3rd party browser.

Below are the settings for Chrome:

  • Arbitrary code guard: off
  • Block low integrity images: on
  • Block remote images: on
  • Block untrusted fonts: on
  • Code integrity guard: off
  • Control flow guard: on
  • Data execution prevention: on
  • Disable extension points: on
  • Disable Win32 system calls: off
  • Do not allow child processes: off
  • Export address filtering: off
  • Force randomization: off
  • Import address filtering: off
  • Randomize memory locations: on
  • Simulate execution: off
  • Validate API invocation: off
  • Validate exception chains: on
  • Validate handle usage: on
  • Validate heap integrity: on
  • Validate image dependency integrity: on
  • Validate stack integrity: off 
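The same Chrome settings can be applied from an elevated PowerShell prompt with Windows' built-in Set-ProcessMitigation cmdlet and read back with Get-ProcessMitigation. This is an added example, not part of the original manual; it assumes the browser's executable is named chrome.exe, and the comments show which on-screen label each cmdlet mitigation name is taken to correspond to.

```powershell
# Added example (not from the original manual).
# Run from an elevated (Administrator) PowerShell prompt.
#Requires -RunAsAdministrator

$program = 'chrome.exe'   # assumption: the browser's executable name

# Settings the list above marks "on"
$enable = @(
    'BlockLowLabelImageLoads',         # Block low integrity images
    'BlockRemoteImageLoads',           # Block remote images
    'DisableNonSystemFonts',           # Block untrusted fonts
    'CFG',                             # Control flow guard
    'DEP',                             # Data execution prevention
    'DisableExtensionPoints',          # Disable extension points
    'BottomUp',                        # Randomize memory locations (bottom-up ASLR)
    'SEHOP',                           # Validate exception chains
    'StrictHandle',                    # Validate handle usage
    'TerminateOnError',                # Validate heap integrity
    'EnforceModuleDependencySigning'   # Validate image dependency integrity
)

# Settings the list above marks "off"
$disable = @(
    'BlockDynamicCode',                # Arbitrary code guard
    'MicrosoftSignedOnly',             # Code integrity guard
    'DisableWin32kSystemCalls',        # Disable Win32 system calls
    'DisallowChildProcessCreation',    # Do not allow child processes
    'EnableExportAddressFilter',       # Export address filtering
    'ForceRelocateImages',             # Force randomization
    'EnableImportAddressFilter',       # Import address filtering
    'EnableRopSimExec',                # Simulate execution
    'EnableRopCallerCheck',            # Validate API invocation
    'EnableRopStackPivot'              # Validate stack integrity
)

# A setting must not appear in both lists; stop before changing anything if it does.
$overlap = $enable | Where-Object { $disable -contains $_ }
if ($overlap) {
    throw "Listed as both on and off: $($overlap -join ', ')"
}

# Write the per-program override for the browser.
Set-ProcessMitigation -Name $program -Enable $enable -Disable $disable

# Read the stored settings back so they can be compared against the list.
Get-ProcessMitigation -Name $program
```

The override applies the next time the browser starts, so close every browser window and reopen it after running this.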

Alternative Phones

Google Hangouts and Google Voice are apps that work together to create a new phone number. If you use this, each time you make a call, the person on the other end must press “1” in order to accept your call.

Anyone who is familiar with Hangouts will know this is not your real number. If someone asks or gets offended, tell them you like that you can send texts easier (which comes in handy when you’re copy/pasting) from the computer, which is true through your Gmail account. In order to get a Google Hangouts number, it must be attached to a real number, so it is difficult to get multiple without getting another burner phone anyway.

Your Google Hangouts and Google Voice should be under a NEW email address. Having an alternative number to give to strangers is extremely useful and convenient. If someone you don’t want to have your number gets ahold of it, you simply mute them or get a new Hangouts number. Keep as few conversation streams as possible going when it comes to texts. Delete your emails as they come in and empty your trash when you do.

If you’re really in a mess, like your stalker is someone who works in law enforcement, take extra measures.

Forget Google. Google knows all. Find yourself a gas station or convenience store that either has no cameras, has cameras that don’t record, or has cameras that are not attached to the internet.

Buy a pay-as-you-go phone with cash from said store and buy your minutes there. You can then use this number to attach to Signal, the #1 encrypted messaging app if you still want to use your fancy smart phone.

Private Internet Access is an amazing VPN for mobile. Use it all the time unless you absolutely can’t, such as when checking banking apps.

Dealing with the Police

Police will automatically assume it’s a petty lover’s spat, because that’s what they see a hundred times a day. Be adamant. Be honest and open. Advocate for yourself. Don’t be afraid to be compassionately aggressive.

It’s their job to hear you out but keep in mind, it is not their job to save you. On a real note: try not to cry - no one wants to deal with the crying girl; you’re a bad bitch you got this.

The internet is still like the wild west in terms of regulation. If done correctly, people can pretty much do and say whatever they want.

However, people mess up, even the pros. So be patient and wait for them to get sloppy, they always do.

The best thing you can do is keep your nose as clean as possible so that if things ever do go to court (which I’m sorry to tell you is painful and unlikely), you can show that you are without a shred of doubt the sane one, here.

NEVER respond. No matter what crazy shit they say or do never say anything back because you have to show absolutely that you did not encourage their behavior in any way, and retaliating will only hurt your case.

Also, if you don't give them any attention, they're likely to escalate and mess up sooner (or get bored and go on to harass someone else).

In-person stalking is an entirely different matter. Security cameras, (possibly bodyguards) and having friends mobile-track you (Glympse/Family Locator), are all part of your life now. Every time they show up, do not engage with them, call the police. Run and film over your shoulder, if you have to.

Let’s say every single day at 6pm, they call you and leave you a voicemail threatening you, reciting your home address… don’t panic. Keep the voicemail/save it to your camera roll if you want, call the non-emergency line every single day at 6:01 pm, and make a police report.

So if they ever do actually hurt you, you’ve already got a STACK of police reports to back you up. Collecting evidence and making a police report is your life line. Dates, specifics, screenshots/recordings, all of it. Everything matters.

Delete nothing, even after the police have it. They’re not as organized as you’d think. Get your OWN binder to keep all of your print-out evidence and reports, organize them by date.

I refer back to paparazzi laws frequently when it comes to in-person stalking. It’s completely legal for someone to sit outside your work and watch you, even take pictures of you walking down the street. You’re in a public place. They can legally approach you, wave their hands around and speak word salad.

However if someone blocks your path, touches you, comes on/takes photos of private property or chases you in a vehicle, THAT’S illegal (thanks to Britney Spears btw). These are the things you hope they do, and when they do, have your phone/dashcam ready. (Same goes for abusive relationships, if someone is screaming at you, whip that phone out).

If you have a dire, serious emergency and the police aren’t doing what they should, take it to social media. @ the District Attorney's office and Chief of Police in your area, get other people involved. The department really doesn’t like to look bad to the public, so Twitter actually does work for this.

Just ask Miss Kennedy Summers (Playmate of the Year 2014).

Closing

ALWAYS KEEP ALL DEVICES UP TO DATE

Do regular Malware Scans

Check regularly for Application Updates on all devices

  • I highly recommend a VPN. If you’re just the average Joe and aren’t doing anything particularly sketchy, TunnelBear is wonderful and costs $50/year. It works consistently on Mobile devices as well as Mac and Windows. It’s also adorable. If you’re a little more daring and live life on the wild side, get Private Internet Access and pay in bitcoin. :)

Use your VPN ALL THE TIME. 110% of the time.

Sometimes bank websites/apps won’t allow you to use one, so disable it for that sort of thing.

Never connect to public WiFi. The VPN will help, but it’s still not a brilliant idea if there’s heat. If you have a tech savvy stalker, chances are they’re waiting for you to do that in the bushes outside somewhere. When a browser/website asks for your location with a pop-up asking “Allow or Block”, ALWAYS block.

If asked if you want to send data to make the app better, say no. You don’t care, they’re selling your personal information to advertisers anyway. If asked to send a Do Not Track request, disable it. It’s not what it sounds like.

A taser can also be useful, but it's a gamble. You're not relying on actually touching them with it, you're relying on the loud sound and spark to startle them and scare them into fucking off. When you first get a taser, pop it off periodically for funsies so you're not startled by it anymore. Staying calm is key, stand your ground.

The flip side is that if they're not afraid of it, it's going to excite them and make them more aggressive. Also, any weapon you bring into a fight can be taken and used against you.

I don't recommend using one for these reasons but I carry one, so I thought I'd mention it. You never know when a new stalker might just appear out of fucking nowhere.

Of course don't hesitate to reach out to me for assistance, I work for free.

Don't be afraid to find your local hacker group and ask them for help. Crying is actually helpful here (just kidding. sorta). There's bound to be a bad bitch or two in your city who knows this stuff all too well, and would be honored to help you.

Good hackers love to teach. So if you're a hacker who's stumbled on this, please be prepared to be there for them, because there are MANY out there. Use this as a guide if you have to. You can make all the difference.

Be just paranoid enough. Remember that at the end of the day you’ve got a leg up that’s almost always unbeatable:

You’re in the right. You’re doing the right thing.

Though things seem dark, just wait because you’ll get to tell your side one day.

So stay calm, cool and collected because you’re going to win.

Either by letting it go, never dealing with it again, or sometimes even getting that mentally ill person the help they need.

"Clear thoughts lead to clean getaways." - G.L. Lambert

Resources
