Category Archives: Tips

IRS Hell for BitCoin Users



2018 is the first year U.S. citizens have to file taxes on their cryptocurrency activities for 2017.  The limited “rules” the IRS has published do not cover the majority of types of activities, and the information needed to accurately file taxes is simply not available to non-programmers and is excruciatingly difficult to acquire, even for programmers.

Tax “Guidance”

In 2014, the IRS published somewhat vague guidance on how to report cryptocurrency taxes.  It essentially boils down to:

  1. How much did you buy? 
  2. How much did you sell?
  3. What’s the difference?
  4. Send in 30% of your profits.
  5. Determine fair market value on the day of your transactions.

Here’s the actual 2014 IRS tax guidance document.


Unfortunately, reality is much more complicated than that.  Here are the real-world things that we have no clear rules on:

  1. What if I bought some prior to 2017?
  2. When I sell some, which of the MANY prior purchasing transactions do I apply the price to?  The price is different for every transaction.
  3. What about mining?
  4. What about mining hardware prices?
  5. What about price of electricity?
  6. I bought & sold on more than one exchange.
  7. I moved crypto between exchanges.
  8. I converted crypto from one to another.
  9. Prices at the moment of each transaction are not available when converting between currencies.
  10. Which price would we use, even if we had it?  There’s no universal price on any crypto.  Each exchange has its own, moving price that changes by the second.
  11. What about when a cryptocurrency forks, like BitCoin to BitCoinCASH and BitCoinGold?
  12. They say to use the fair market value of the day to determine prices on transactions, but that’s of no use since the price can swing thousands of dollars within a day.

My Experience

Since 2014, I’ve bought and sold crypto hundreds of times.  On some days, I’ve made dozens of trades in a single day.  In addition to that, I have accounts on 4 exchanges and also mine Ethereum.  I also traded between cryptos like converting BitCoin to LiteCoin and LiteCoin to Ethereum & Ripple & IOTA, etc., and moved crypto between exchanges like CoinBase, Kraken, Bitfinex, & Bittrex, and to and from my personal wallets,  and gained some crypto during forks, and lost some due to CoinBase not giving me my Ethereum Classic.

Over the past week, I’ve spent about 6-10 hours or so JUST on trying to gather what I understood would be needed for my tax accountant for cryptocurrency (not counting my usual taxes).  From the list above, you’ll get a rough idea of what I was going through to try to collect the information.

It’s 2018-03-31 and I finally finished my taxes.  Here’s how the day went:

I was woken up around 9:45 am this morning (I like to sleep late on Saturdays) by my tax accountant.  We spent a SOLID FIVE HOURS on the phone, trying to resolve everything (95% of that was related to cryptocurrencies).  This is their first year dealing with this.  I had to explain a lot about crypto and even the IRS’s rules.  She, apparently, had the same, uninformative PDF document from 2014 from the IRS too and just assumed it’d be as simple as they explain.  Reality is hugely different.

She wanted me to make it simple for her.  I wanted her to make it simple for ME.  That’s kind of why I’m paying her, right?  I spent hours gathering everything she could possibly need (minus the information that was just not feasible to get, but that we actually DO need).

It was simply not enough information, not just the lack of data that I didn’t have access to, but the lack of rules from the IRS.


The amount of effort trying to figure out just HOW to report my cryptocurrency transactions to the IRS was a nightmare and equals about the same amount of effort I spent throughout the year transacting and buying, learning, and setting up my Ethereum mining.  And it was significantly more frustrating than the actual crypto activities.

The IRS needs to get their act together, learn what it is we actually do, and come up with REALISTIC rules that we can actually perform.

All the time and effort I spent preparing my taxes for my accountant, PLUS the amount of time we spent on the phone afterward, was insane and we STILL didn’t get everything.  We probably got about 85% of what was needed and I guarantee that what we reported was not right, but that was the best we could do.  I had tens of thousands of dollars in transactions.  With the limited information we had, she simply ended up using what I sent to her from the website, which is ONLY good for a SINGLE exchange.  So, I reported a $200 profit and paid taxes on that.  At least that is small, to keep my taxes down AND shows a “profit”, which should keep the IRS off my back, since I’m actually paying them something.  I was told that if I reported a loss, it would likely trigger an audit.

What?  Were you hoping to come here for a resolution to YOUR tax problems?  Sorry.  All I can offer is comfort that you’re not alone.  The IRS needs to get their act together and YOU need to click this link to contact your U.S. representative and explain to them the nightmare they’ve created for us.  Click the following link:

Find Your Representative




Validating Digital PGP Signatures & Why it’s Important


Do you ever see the checksums, CRCs, SHA, or PGP signatures presented to you when you’re downloading a file?  Like this for example:

These are actually SUPER IMPORTANT!

What are those signatures?

They are, in a very very simplistic explanation, answers to a math function where the numbers given to the function are the bytes of the file you want to download.

Why are they important?

They are used to prove to you that the file you’re downloading hasn’t been tampered with.   HOW? you may ask?   Because only the valid, original file, with the original set of bytes in it could have produced that signature.  If you change just ONE byte in the entire file, no matter how big the file is, you’d get a DIFFERENT answer to the math function.

This is CRUCIALLY important for things like cryptocurrency wallets for cryptocurrencies like #BitCoin, #Ethereum, #LiteCoin, etc…  Hackers frequently publish TAMPERED versions of wallet software and if you install and run the hacker’s version, they’re going to steal ALL OF YOUR CRYPTO!  This has already happened many times.  Websites are compromised and hacked versions are put on their websites.

This brings up another important concept of signatures vs. the files they’re supposedly coming from:

A published signature is absolutely USELESS if it’s on the SAME website as the download file.  Why?  Because if a hacker compromises the download site, then you can’t trust anything on that site, including the signature.  You’ll find that MOST sites that publish a signature do so on one website, but the downloaded file is hosted on another website.  For BOTH the signature AND the file to be compromised by the same hacker, they’d have to hack BOTH of those websites, which is much more difficult.

How can I validate them?

You’ll need software on your computer that can compute the same types of signatures that the website publishes for their downloaded files.  In short, these are the steps (I’ll go into explicit detail shortly):

  1. Install some signature making and validating software onto your computer (Do this only once).
  2. Make note of the published signature for the file you’re about to download. (Do this for every download that offers it).
  3. Download the file (DO NOT EXECUTE IT!  It’s NOT trusted until you validate the signature!)
  4. Use the signature software to make or verify the signature of the downloaded file.
  5. If the signature checks out, the file is safe.  If it doesn’t, DELETE THE FILE!  DO NOT EXECUTE IT!
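The five steps above, worked through for the case where the site publishes a SHA-256 checksum instead of a PGP signature. This is an added example, not from the original article; the file names and file contents are constructed, and the helper names are hypothetical.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def parse_published_sha256(text):
    """Accept a bare digest or a 'digest  filename' line (sha256sum style)."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if not HEX_SHA256.fullmatch(token):
        raise ValueError("published value is not a SHA-256 hex digest")
    return token


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer never sits fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_or_delete(path, published):
    """Steps 4 and 5: compare the digests and delete the download on mismatch."""
    expected = parse_published_sha256(published)
    actual = sha256_of_file(path)
    if hmac.compare_digest(actual, expected):
        return True
    os.remove(path)  # never leave an unverified executable lying around
    return False


def demo():
    """Constructed data: one intact download and one with a single bit flipped."""
    original = b"constructed installer bytes\n" * 4096
    tampered = bytearray(original)
    tampered[1000] ^= 0x01  # change ONE bit of ONE byte
    # What the publisher would post (upper case and a file name are tolerated).
    published = hashlib.sha256(original).hexdigest().upper() + "  wallet-setup.exe\n"
    with tempfile.TemporaryDirectory() as folder:
        good = os.path.join(folder, "wallet-setup.exe")
        bad = os.path.join(folder, "wallet-setup-tampered.exe")
        with open(good, "wb") as handle:
            handle.write(original)
        with open(bad, "wb") as handle:
            handle.write(bytes(tampered))
        return {
            "good_verified": verify_or_delete(good, published),
            "bad_verified": verify_or_delete(bad, published),
            "good_still_on_disk": os.path.exists(good),
            "bad_still_on_disk": os.path.exists(bad),
        }


if __name__ == "__main__":
    print(demo())
```

A checksum only proves the file matches the published value; a PGP signature, covered in the detailed instructions, additionally ties the file to the author's key.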

Detailed VALIDATION instructions:

Before you get overwhelmed, scroll to the bottom and see that once you’ve done all this once, future validations are really simple…. Just those 4 steps at the bottom.  But for now, you’ll need to go through this more lengthy setup process.

In this tutorial, we’ll be dealing with a downloadable executable file that offers a public PGP signature for you to validate against.  You should know that there are many forms of signatures that an author could choose to publish.  Other than PGP, there are SHA1, SHA256, SHA512, MD5 (which has been broken), and several others.  These are the most popular ones.

We’ll be downloading and validating a popular BitCoin wallet app.  For this type of app, it’s critical to validate the downloaded file against the published signature.

Yes!  This looks very involved, but the good news is that most of these steps are only needed to be done ONCE EVER.  Since this is your first time, there are many steps to get new things installed and set up right.  Subsequent verification will be much simpler and I’ll provide a list of steps to do after you have everything set up.

First, install some PGP key software on your computer.

  1. Install gpg4win from here:
    1. It will install a few utilities and a GUI app that will hold all of your PGP keys and certificates. (You don’t need to understand what those are at this point).
  2. Skip this step if you already have a public/private PGP key pair.  Create public/private keys for your own e-mail address.  You’ll need this later and it has other benefits such as being able to send and receive encrypted e-mail on any e-mail system.  See: STICK IT TO THE NSA: HOW TO ENCRYPT YOUR WEBMAIL
    1. Open the “File” menu and choose “New Key Pair”.
    2. On the box that opens, choose “Create a personal OpenPGP key pair”.
    3. Enter your name and e-mail address, then click “Advanced Settings…” and on the top 2 drop downs, change it to 4096 bits.  That’ll make your key orders of magnitude stronger.  If you want, feel free to check “Authentication” and “Valid until” and pick a date.  I recommend 1 year into the future.  If you choose a date, your key will not be trusted by anyone after that day.
    4. Click [OK], then [Next], then [Create].
    5. It’ll prompt you for a password.  To use your private key, you’ll need this password, so DO NOT LOSE IT!!!!!  Go ahead and enter it.
    6. After taking a few moments (and it WILL take a few moments), you’ll have a key pair.  If you want others to be able to send you encrypted data, I recommend clicking the button “Upload Public Key To Directory Service…”.  People will be able to look up your public key via your name or e-mail address.  But, it’s not needed for validating signatures, which is the primary purpose of this article.  Now, click [Finish].
    7. You’ll now have a new, certified key in your key ring.  PROTECT YOUR PRIVATE KEY WITH YOUR LIFE!!!!

If you’re interested in more details about what the private/public key pair is that you created, please see.  It’s not necessary to know all of that for this article, but it will clear up some confusion, if you have any.

Now, let’s do an actual Verification!

  1. Go to and view that page.  (Note, if you have the know-how and the means to download and build from the source code, ALWAYS do that rather than downloading a pre-built executable!)  Notice the signature links next to every download option?  THAT’S what we’re working with in this article.
  2. Click the Windows Installer and download it.  DO NOT RUN IT!  In the folder in which you downloaded the file, you’ll see a file named something like electrum-3.1.0-setup.exe.  As you can see, I’ve downloaded prior versions of the file too.  Notice that some of the files DON’T have “.exe” at the end?  We’ll fix that shortly.
  3. Back on the web page, click the signature next to “Windows Installer”.  You’ll see something that looks like this in your browser:
    1. -----BEGIN PGP SIGNATURE-----
      -----END PGP SIGNATURE-----
  4. Click anywhere on the text and hit [Ctrl]+[A] to select all of that text, then [Ctrl]+[C] to copy it.  Or you can select all the text with your mouse and copy it.  You’ll be pasting it into a text file shortly.
  5. Open the folder to where you downloaded the Windows Installer file.  It should be named something like electrum-3.1.0-setup.exe.  Obviously, if you’re reading this in the future, there will likely be a newer version.  This is the latest version at the time of this writing.
    1. Right-click on any empty, white space in the folder and choose “New”, then “Text Document”.  A new, empty text file will be created.  Ignore the extra menu items I have.  I’m a developer and have extra features installed that you might not.
  6. Now hit enter to open the empty text file and paste the PGP signature into it (from step 3.1 above, you should have the text in your copy buffer (or “clipboard”) still).  Hit [Ctrl]+[V].  This will paste the text you already had copied from 3.1 above into the text file.  Now hit [Ctrl]+[S] to save it.  And finally CLOSE notepad (or whatever text editor you’re using).
  7. Now rename the text file to exactly the same name as the downloaded electrum exe file, but with “.pgp” added to the end of the filename.  In my case, I rename the text file to electrum-3.1.0-setup.exe.pgp
  8. Now, let’s fix that problem where the file types (also called “file extensions”) are hidden.  While looking at the filename that you downloaded in Windows Explorer, open the “View” menu or tab.  On the right hand side (you might have to resize the window to something bigger to see it), open the “Options” drop down and choose “Change folder and search options”.
  9. On the “Folder Options” that opens up, click on the “View” tab and check OFF (or UN-check) the box “Hide extensions for known file types”, then click “OK”.  It should NOT have a check-mark in it.
    1. You’ll see the files changed from this…
    2. to this…  (again, these are MY files, you may have more or fewer and certainly different files in your downloads folder).
      1. It’s VERY important that you see the FULL filenames.  Before this, the electrum-3.1.0-setup.exe.pgp file looked like it was named electrum-3.1.0-setup.exe and as you can see, there’s actually ANOTHER file that actually has that name.  Why Microsoft hides these by default is beyond me.   All it does is create confusion and severely increase the risk of hackers tricking you into launching a malicious program when you think you’re opening a safe text file or a picture file.
  10. LET’S DO IT! Let’s make an attempt to actually verify the PGP signature of the file.  Spoiler alert:  It won’t work, but that’s OK.  It will walk us through what we need to do.  Right click your newly created and renamed file that you added “.pgp” to the end of the filename on.  In my example, it will be electrum-3.1.0-setup.exe.pgp , and then choose “More GpgEX options”, then “Verify”.
  11. The verification process will complete as verified, but not fully verified…
    1. Here’s what’s going on.  The EXE file DID verify against the PGP signature, but the signature, itself, is not known to be trusted.  At least, your verification software you’re using (called Kleopatra) does not know the signature to be from a trustworthy source.  You’ll have to TELL IT that you trust that author’s key.  Once you do that, Kleopatra will fully verify everything produced from that author, signed with his same keys.  Click the “Search” button.  This will search on several public PGP key stores on the internet for one that contains that PGP key you have from that author.
      1. It SHOULD find a key from after a minute or so…
      2. Click his e-mail address and then click the “Import” button.  That will import his public PGP key into your PGP keyring.  This will make it available for future use by you to validate new versions of this app and others from the same author.  You won’t have to go through all of these steps again for future downloads from him.
  12. Now we need to CERTIFY his signature.  This simply means we’re going to tell our local install of Kleopatra that we TRUST the key from ThomasV.  Open your start menu and find Kleopatra and launch it.
    1. It will show you all the public and private PGP keys you have installed.  Here’s what MINE looks like.  Yours may have only the one key from ThomasV and your own key.  (I’ve blurred my personal keys).
  13. Now, we’ll certify ThomasV’s key.  Right click his key (anywhere on the line with his e-mail address in it) and choose “Certify…”
  14. Check ALL the boxes on the “Certify Certificate” dialog box that pops up, then click “Next”.
  15. Now you need to tell it which of YOUR keys you want to certify it with.  It should show you all your keys that you already installed for yourself.  Select the one you wish to use to validate.  It’s not critical which one you choose, but I recommend choosing the latest one of yours that’s not expired and is associated with your most used e-mail address.  And select “Certify only for myself”, then click “Certify”.  (I’ve blurred all my personal signatures).
    1. You’ll see the following once Kleopatra has marked his certificate as validated by your own key.  We do this to make the software validation work.  Most of these steps are a one-time deal.  You will not repeat all of these every time you want to validate a signature on software.
      1. Click [Finish] and you’ll see your list of installed keys and see that his key is now marked as “certified”.  This is good.  This will REDUCE the number of steps to validate software from him in the future.
  16. Now, one more time, let’s right-click the electrum-3.1.0-setup.exe.pgp file you created, choose “More GpgEX options”, then “Verify”.  This time, you’ll get FULL VERIFICATION!

Congratulations!  You’ve now validated that the Electrum BitCoin wallet software is safe, unmodified, and from the original author.  It is safe to install.  Please note, this was NOT an article about installing the Electrum BitCoin software.  It was an example of how to validate software signatures from ANY software you download (as long as the author provides you validation signatures).  We could have used countless other apps to do the same thing.
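The hidden-extension problem from step 9 can be checked mechanically. The following added example (not part of the original article) computes the name Explorer would show with “Hide extensions for known file types” enabled and flags files that would be mistaken for something else; the three extension sets and the sample listing are assumptions constructed for illustration.

```python
import os

# Assumption: extensions registered as "known file types" on this PC.
KNOWN_TYPES = {".exe", ".pgp", ".txt", ".jpg", ".png", ".pdf",
               ".scr", ".bat", ".cmd", ".js", ".vbs"}
# Types that Windows runs when double-clicked.
RUNS_ON_DOUBLE_CLICK = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs"}
# Endings a user would read as a harmless document or picture.
LOOKS_LIKE_DOCUMENT = {".txt", ".jpg", ".png", ".pdf", ".doc", ".docx"}


def displayed_name(filename, known=KNOWN_TYPES):
    """Name shown when the final extension is a known type and gets hidden."""
    stem, ext = os.path.splitext(filename)
    if stem and ext.lower() in known:
        return stem
    return filename


def audit_folder_listing(filenames, known=KNOWN_TYPES):
    """Return (finding, real_name, displayed_name) tuples for risky files."""
    real_names = {name.lower() for name in filenames}
    findings = []
    for name in filenames:
        shown = displayed_name(name, known)
        if shown == name:
            continue  # nothing is hidden for this file
        real_ext = os.path.splitext(name)[1].lower()
        shown_ext = os.path.splitext(shown)[1].lower()
        # Case from the article: the .pgp file is displayed under the exact
        # name of the installer sitting next to it.
        if shown.lower() in real_names:
            findings.append(("shown_as_other_file", name, shown))
        # Classic trick: "holiday.jpg.exe" is displayed as "holiday.jpg".
        if real_ext in RUNS_ON_DOUBLE_CLICK and shown_ext in LOOKS_LIKE_DOCUMENT:
            findings.append(("executable_shown_as_document", name, shown))
    return findings


# Constructed folder listing; the first two names follow the article's example.
SAMPLE_LISTING = [
    "electrum-3.1.0-setup.exe",
    "electrum-3.1.0-setup.exe.pgp",
    "holiday.jpg.exe",
    "notes.txt",
    "README",
]

if __name__ == "__main__":
    for finding in audit_folder_listing(SAMPLE_LISTING):
        print(finding)
```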

It’s MUCH easier the second time!

Yes, I know.  That was quite a lot of work to do.  But that’s only because you’re new to this AND you had to install, configure, and create lots of new things.  Now that you’ve done it once, doing it again will be much less effort.

From now on, all you do is the following:

  1. Get the PGP signature of the file you want to download and save it into a text file.
  2. Download the file you want.
  3. Rename your PGP signature file to exactly the same name as the file you download, but with “.pgp” appended to the end of the file name.
  4. Right-click that pgp file, choose “More GpgEX options” -> “Verify”, and it’ll either validate or report that it’s not valid.

That’s it!  And getting newer versions of the app will be the same 4 steps.



LastPass: Turn Off Auto-Fill NOW!


There are many reports recently of malicious websites and malicious scripts in ads and comments on websites that generate login name and password fields on legitimate sites that trigger LastPass and other password managers to auto-fill with your credentials, allowing the bad actors to literally steal your login credentials, without you doing anything except innocently visiting your favorite sites.

Side note:  This is a REALLY GOOD reason to turn on 2-Factor Authentication.

Turning off auto-fill in LastPass is pretty simple, but nearly impossible to find and know how to do without someone else “in the know” showing you.

  1. On your desktop browser, open your LastPass vault.
  2. Click “Account Settings” in the lower left.
  3. Click on the “Never URLs” tab.
  4. Click the “Add” Button at the bottom of the dialog box.
  5. Now, you’ll need to do this 3 times, once for “Never Fill Forms”, “Never AutoLogin”, and “Never AutoFill Application”.  Choose “Never Fill Forms”, from the “Type” drop down and then type “all” (without the quotes!) in the “URL” box and click add.  Continue for “Never AutoLogin” and “Never AutoFill Application”.

That’s it!  From this point forward, LastPass will still work, but it won’t just blindly fill in your login name and password to just any field named “login” or “password”.



Encrypting Degoo Cloud Drive With Cryptomator


In this article in my series of “Encrypt All The Things!”, I’ll show you the specifics of encrypting a cloud drive using the Degoo cloud drive service. For a generic overview, that’s not Degoo specific, see:

If you use cloud drive services, of any kind, it’s critical that you do so ONLY with data that YOU have encrypted on YOUR END and that YOU are in control of the keys. Any service that handles the keys for you is NOT SECURE! The ONLY way your own data is secure is if YOU are in control of the keys. Some cloud drive services offer encryption at an extra price, which is crazy because you can do it FOR FREE with the added benefit of YOU being in control, NOT THEM!

The best way to ensure that you’re in control is for you to do the encryption yourself with software NOT provided by your cloud drive service.

In this article, I’ll show exactly how to do this with a commercial cloud drive service called Degoo and a free and open source encryption application called Cryptomator.

Create a Degoo account and install the software

First, you’ll need to sign up for the cloud drive service here.

100 GB Free Backup

Be sure to download and install the software. Don’t set up the download or sync folders yet. We need to get the encryption app installed first. BTW, Degoo has both free and paid options.

Install the Encryption App

Go to and download and install the software (It’s free and open source!). Once installed, you’ll need to set up one or more “vaults”, which are simply nothing more than a folder on your hard drive where encrypted files will be stored.

Set up a Cryptomator vault

First, you need to understand how Cryptomator works. DO NOT SKIP THIS!

The first time you run it, you will not have any vaults (encrypted folders). First, create a new folder on your drive in whatever way suits you best. This is where you’re going to have encrypted versions of your sync files stored.

  1. Click the “+” sign in the lower left and choose “Create New Vault” to create a vault.
  2. Navigate to the folder you want to store your encrypted files (the folder should be blank, right now) and give it a name, here I Cryptomator.
  3. Then create a password for it. DO NOT FORGET THE PASSWORD OR YOUR DATA WILL BE LOST FOREVER!!!!!
    1. I Highly recommend saving it in a password manager like I also recommend using that password manager’s password generator to generate a long, random password for you.
  4. Create the Vault by clicking the “Create Vault” button. This stores a couple of small files in there that cryptomator needs.
    You’ll be prompted for the password again. This is not part of the vault creation process. You’re done. Now you’re ready to use it like you will everyday. Now you unlock the vault by entering your password.
  5. Click the “more options” button to see what you have available. Those options are pretty self-explanatory. I’ll skip those and let you choose how you want to configure it.

Your vault is now unlocked and is opened in a Windows Explorer window, usually as drive letter Z:.

The real folder on the real drive is here (below) (depending on where YOU chose to create it… this one is mine):

Now, I can store files in my Z: drive (as long as my vault is unlocked) and I can use any apps I want to read and write to the Z: drive. Everything works normally. Apps that read and write there have NO IDEA that they’re reading and writing to an encrypted folder.

You’ll notice that in Documents\deleteme\test (again, that’s where I created mine; yours will be where ever you put yours), you’ll see a “d” folder and 2 masterkey files. Those masterkey files have an ENCRYPTED version of your key. No one can decrypt it without knowing YOUR password that you just created.  This masterkey file WILL BE ON THE REMOTE SERVER, so this is why you need a STRONG password, preferably random characters generated by a password manager.

As you save more files into your Z: drive, you’ll see more files show up somewhere under Documents\deleteme\test (again, MY folder is here, YOURS is where ever you put yours). The files that show up here have unreadable filenames and if you try to open them, they will have what appears to be garbage in them. These are the files you stored in your Z: drive, but these are encrypted.

Think of your Cryptomator unlocked vault Z: drive as a decrypted, magic window into your physical, encrypted files stored in their encrypted state in your Documents\deleteme\test (again, MY folder name I chose, YOURS will be different).

One caveat: Files in your Z-Drive CANNOT be larger than 2GB! That’s a limitation with the current version of Cryptomator.

I created a text file in my new Z: drive. As you can see below, Cryptomator created a file in the Documents\deleteme\test\d\WQ folder with a funky name. That’s what’s REALLY stored on my REAL hard drive. If I try to open the funky named file, it looks like garbage bytes. Both of those windows are showing the SAME data, it’s just that the REAL data is encrypted (top window). The bottom window is a VIRTUAL drive with a decrypted view of the data. ALWAYS remember this! You will NOT back up your Z drive! EVER! You’ll back up and/or sync your Documents\deleteme\test folder. More on that later.

Now, how to sync your encrypted files with Degoo

Now that you have a folder that contains your encrypted files and an easy way to use the encrypted files (your cryptomator Z-drive), you need to sync the encrypted files to your account. DO NOT SYNC OR BACK UP YOUR Z: DRIVE!!!!!!

  • If you haven’t already, download and install the software on and create an account.
  • When you open it, click on the “Choose what to backup” tab. The actual folders on disk that are being backed up are each in their own cryptomator vault folder with encrypted files.
  • Click the “Add folder to backup…” button and navigate to your Cryptomator vault folder… the one with the unreadable encrypted files NOT YOUR Z-DRIVE!!!! and click “Add folder to backup”
  • Your folder will be added to your list of folders to be backed up.

Now, you’re all set. Anything you put into your Z-Drive is automatically encrypted at the time it’s written and since the real folder with the encrypted files is the one that’s backed up, you automatically get your data backed up in addition to automatically encrypted. Now, no matter how malicious anyone at Degoo may be (I have no reason to believe they are (or aren’t)), your privacy is safe. They cannot see anything other than what you see when looking at the encrypted version of your folder. Unless they have your password to your vault (which, of course, should be DIFFERENT from your Degoo password), they’ll never be able to see the contents.

But that was hard!

No it wasn’t! And, the small amount of work you did above is only done when creating a new vault and installing everything for the first time. Once it’s done, here’s all you need to do moving forward:

  • Turn on your PC and log into Windows (or Mac or Linux)
  • Start Cryptomator and unlock your vault.

That’s it! You can even shorten that to not have to start cryptomator by setting up your vault to save your password and auto-unlock on start.

You can also add more cryptomator vaults at any time.

Quick review:

In this tutorial you did the following simple steps:

  • Signed up with and installed Degoo.
  • Downloaded and installed Cryptomator.
  • Created a vault with Cryptomator.
  • Told Degoo to sync the encrypted version of your cryptomator vault.

That’s really all you did. And now, you’re protected both with encryption and with an automatic, encrypted backup.

What’s Next?

Just continue to use your computer with your Z-Drive as your unencrypted version of your data. You can even lock your vault and Degoo will continue to back up your data. Degoo doesn’t need you to have it unlocked because it’s NOT backing up the unencrypted files. It’s only backing up the encrypted bits.  Degoo isn’t even aware of the Cryptomator software.  From Degoo’s software’s point of view, all that matters is that folder with the encrypted files in it.

Conversely, the Cryptomator software is unaware of Degoo.  All Cryptomator knows is that you have a folder with encrypted files and it provides the means to unlock and use them.

You can create more vaults with Cryptomator, if you like and add them to Degoo as well.

You can create vaults inside your Google Drive sync folder, your Microsoft One-Drive sync folder, your DropBox sync folder, etc, etc… As many or as few as you want.  Cryptomator works by encrypting any folder and providing an unencrypted view of it.  Cloud drives work by backing up and/or syncing a folder.  Put the two of them together and you’ve got a robust and secure backup strategy.

I do strongly recommend you make a cryptomator vault in EVERY cloud drive sync folder and move all your non-encrypted files INTO your virtual drive letter created for that vault.


You MUST obey the following rules!!!

  • Don’t write files directly into your real folder that contains the encrypted files. If you do that, it will be backed up AS-IS… WITHOUT ENCRYPTION!
  • Do NOT back up your Z: drive (or whatever drive letter cryptomator makes for you). That is DECRYPTED and if you back THAT up, you’ve wasted all your time and effort and are NOT storing an encrypted version of your files. Your Z: drive should ONLY be used for your normal work. DO NOT BACK IT UP!!!!

You are, of course, free to break these rules, but your secure backup is not going to be encrypted if you do break them.
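One way to catch a violation of the first rule is to scan the real vault folder for files that do not look encrypted. This is an added example, not part of the original article or of Cryptomator. It uses a byte-entropy heuristic with an assumed threshold of 0.85, skips the masterkey files described earlier, and runs against a constructed vault layout.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

ENCRYPTED_MIN_RATIO = 0.85  # assumed cut-off; ciphertext sits close to 1.0


def entropy_ratio(data):
    """Shannon entropy divided by the maximum a sample of this size can reach."""
    n = len(data)
    if n < 2:
        return 0.0
    counts = Counter(data)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return entropy / min(8.0, math.log2(n))


def find_unencrypted_files(vault_folder, sample_bytes=65536):
    """List files under the REAL vault folder that look like plaintext."""
    suspects = []
    for dirpath, _dirs, files in os.walk(vault_folder):
        for name in files:
            if name.startswith("masterkey"):
                continue  # key files are small text, not file ciphertext
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                sample = handle.read(sample_bytes)
            if entropy_ratio(sample) < ENCRYPTED_MIN_RATIO:
                rel = os.path.relpath(path, vault_folder)
                suspects.append(rel.replace(os.sep, "/"))
    return sorted(suspects)


def constructed_ciphertext(size, seed=b"constructed"):
    """Deterministic random-looking bytes standing in for an encrypted file."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:size]


def demo():
    """Build a constructed vault folder with one file written in directly."""
    with tempfile.TemporaryDirectory() as vault:
        os.makedirs(os.path.join(vault, "d", "WQ"))
        files = {
            "masterkey.cryptomator": b'{"note": "constructed placeholder"}',
            "masterkey.cryptomator.bkup": b'{"note": "constructed placeholder"}',
            os.path.join("d", "WQ", "CONSTRUCTEDNAME"): constructed_ciphertext(4096),
            # Rule violation: saved into the real folder, not the Z: drive.
            "taxes-2017.txt": b"Constructed plaintext: 2017 tax notes.\n" * 40,
        }
        for rel, content in files.items():
            with open(os.path.join(vault, rel), "wb") as handle:
                handle.write(content)
        return find_unencrypted_files(vault)


if __name__ == "__main__":
    print(demo())
```

Already-compressed plaintext (ZIP, JPEG, video) is also high-entropy and will not be flagged, so treat a clean result as a hint rather than proof.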


GIT For Beginners


Target Audience

Programmers that need a good source code repository and versioning system.

Expected Knowledge Level:

Beginner through Advanced. You do not necessarily have to have experience with other version control systems, but it helps, of course. Your knowledge of programming is of minimal importance to this article. But if you’re reading this, you’re most likely a programmer, and that’s all that really matters.

Purpose of this article:

To give you a head start with Git. This is not a complete tutorial. This will give you critical pieces of information that are usually lacking in other documentation because experienced Git users forget that non-Git users don’t already know them.

What IS Git?

Git is a source code repository and versioning system. It’s free and open source. It lets you keep track of your source code projects, have them backed up on zero or more remote storage locations, share your source code (if you want), keep track of versions of your source code, branch from your source code to work on special features without interfering with the main branch, merge branches together, review source before merging it back into an important branch (for teams), and it allows teams of programmers to easily work on the same project without undue burdens of coordination and synchronization.

What Problems is GIT a Solution For? (Why GIT?)

First, let’s answer what version control systems, in general, solve, not just GIT:

  • Provides a backup for your source code.
  • Allows collaboration with other programmers.
  • Allows keeping track of versions of your source.
  • Allows branching and/or forking of your source to work on specific features or bugs or experimental releases without contaminating the main source branch.
  • Replication of your source for safety.
  • Many other reasons.

So, why GIT in particular? I’m not an advocate for GIT in particular. I like it and I use it. What’s important is that you’re using a modern source code control system and have policies in place to prevent problems and provide standardized solutions. GIT is one of many solutions. However, GIT has risen in popularity and seems to be the de facto go-to source control software these days. And there’s good reason for that. It was created by Linus Torvalds (the creator of Linux) and is actively maintained., arguably the most popular source code repo on the planet is based on GIT. And like most source control systems, GIT is multi-platform.

Again, I’m not advocating for GIT. I’m writing a quick-start guide with a little bit of background. I’ve written plenty of articles on subversion too. Note also that Mercurial is a Git derivative, so pretty much everything I cover here applies to Mercurial as well.

Things You Need to Know:

GIT is not easy to get started with if you’re not familiar with it, and by definition, if you’re getting started with it, you’re NOT familiar with it. For one: GIT is not a single product. Since it’s open source, there are MANY products that are GIT compatible and you have options for command line, GUI, embedded into your favorite IDE or source editors, plus multiple server options as well.

1. Terminology

  • “Repo”: A managed database of a source code project. Unlike other source control solutions like Subversion, where a “repo” is a centralized database where you store all your projects, in GIT, a “repo” is where you store ONE source code project. For example, say you’re writing a game. You’d have a dedicated repo just for that game. On your local machine, you’ll have a complete repo folder named “.git” inside your primary source code folder.
  • “Project”: A centralized server can host multiple software projects. Each project is generally set up for a single software application being worked on by programmers. Programmers will “clone” or “check out” the project to their local machine, creating a local “repo”.
  • “Check Out”: The process of retrieving source code from a branch in a repo. That repo could be a remote repo or your local repo.
  • “Clone”: Pretty much the same thing as “Check Out”. In other source code providers, “checking out” a project informs the server that you have it checked out. In GIT, the server is never aware of who has what and doesn’t care and doesn’t need to know. You’ll simply “clone” the project to get a local copy of the database and work on it locally, committing locally, then eventually push your changes back up.
  • “Check in”: This is not a term used in the world of GIT.
  • “Commit”: The act of submitting your local source code edits into your local repository.
  • “Push”: The act of sending all of your commits from one of your local repositories up to a remote server. If someone else committed and pushed code in on any of the same files you worked on, chances are you’ll have a conflict and will be forced to perform a merge.
  • “Merge”: The act of you being presented with two conflicting versions of the same source file. You’ll be asked to pick and choose which differing lines from both versions should be merged into a single file version before committing.
  • “Pull”: The act of you pulling down the latest changes from a remote repository into your local one. Note that a “pull” is named for the machine the code is moving to: whoever triggers a pull does so from the machine that receives the code. For example, you “pull” from the server to your local machine. To move your code into the central repository, you log onto the server’s web interface and open a “pull request”.
  • “Pull Request”: The act of a programmer requesting that their committed and pushed changes be merged with a more important branch. One or more other programmers (frequently the project lead) will review your changes and decide whether or not to allow them to become part of the bigger project. You may be asked to make some minor changes and re-submit your pull request or it may be rejected out-right.

2. Storage

Unlike Subversion and the much older Microsoft Visual SourceSafe, you don’t have 1 server and multiple clients. Instead, GIT has no “real” central server, though most people use it in a way that sets up one repo as the understood central repo.

You don’t simply check out from the server, edit, then check back in. Instead, your local machine, itself, becomes a server. You become a client to your own server. So, when you check out and commit your code, you’re doing it from and to your local repository. At any time, you can push all your commits from your local repo up to another repo. You can “pull” from a remote repo to yours to get yours up to date.

But while writing code, you’ll create branches locally in your own repo, then checkout from those local branches, edit, commit. You may do this many times. Eventually, you’ll want to push your changes up to the shared repo.

3. Branching

If you’ve ever tried branching in things like subversion, you’re probably aware of how difficult it is and how easy it is to screw things up badly.


In GIT, it becomes ridiculously easy. It’s so easy, in fact, that branching will become your common, every day practice. Everything you do… every feature you add, every bug you fix, will be done in a branch.

In all fairness though, it’s still hard if you’re not using the right tools. If you’re a command-line junky (which I do not recommend, nor should anyone be impressed by someone insisting on sticking with the command-line), you can implement best-practices like GitFlow. Better yet, are plugins for GitFlow that are made for Visual Studio, GitKraken, and many other Git clients. This removes the complexity of branching and merging down to a couple of clicks and removes the human error component, making your workflow incredibly powerful and easy at the same time.

4. GitFlow

Make your life much less complicated. Start using the GitFlow best practice. Just because GIT supports branching, doesn’t mean that everyone’s going to do it the same, nor that everyone’s doing it “good”. What’s your policy on how code moves from developers to production? There are just about an infinite number of hodge-podge plans using GIT to make that happen. GitFlow is a standardized way of doing it. As a short (very short) explanation, here it is:


  • When you create your project, you create a “main” or “master” branch. This becomes the gold standard for finished, polished code. You will most likely build what’s in there and publish it.
  • Create a branch off of “master” called “develop”. This will be the main, working branch where programmers will branch from and merge back into. This isn’t necessarily the “best” version of the code, but it’ll be the “latest” version that all developers use as their developing silver standard.
  • If you are tasked with fixing a bug or creating a new feature, you’ll create a new branch derived from the develop branch. You’ll work on your fix or feature until done, then merge it back into develop.
  • Some coding shops like to have a “bug fixes” branch, a “features” branch, and “hot fixes” branch from the develop branch. Then the developers never branch directly from the “develop” branch. They’ll instead branch from one of those 3 branches.
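
The branch model in the list above as plain git commands, in an added example that is not from the original article or from the GitFlow tooling. The repository path, file names, the branch name `feature/login` and the commit identity are made up for the example.

```shell
#!/bin/sh
# Added example: the master -> develop -> feature -> develop flow by hand.

# g: run git inside the demo repo with a throwaway identity (constructed values)
g() {
    git -C "$REPO" -c user.name="Example Dev" \
        -c user.email="dev@example.invalid" "$@"
}

# gitflow_demo DIR: build a small repo that follows the branch model
gitflow_demo() {
    REPO=$1
    mkdir -p "$REPO"
    git init -q "$REPO"
    # Name the first branch "master" whatever the local git default is
    g symbolic-ref HEAD refs/heads/master

    # 1. "master": the finished, published code
    echo "v1" > "$REPO/app.txt"
    g add app.txt
    g commit -q -m "Initial release"

    # 2. "develop": branched off master, the shared working branch
    g checkout -q -b develop master

    # 3. A feature branch derived from develop, not from master
    g checkout -q -b feature/login develop
    echo "login form" > "$REPO/login.txt"
    g add login.txt
    g commit -q -m "Add login form"

    # 4. Finish the feature: merge it back into develop, then drop the branch.
    #    --no-ff keeps a merge commit so the feature stays visible in history.
    g checkout -q develop
    g merge -q --no-ff -m "Merge feature/login into develop" feature/login
    g branch -q -d feature/login
}

# branch_has_file BRANCH PATH: succeeds if PATH exists at the tip of BRANCH
branch_has_file() {
    g cat-file -e "$1:$2" 2>/dev/null
}

# Run the demo only when a target directory is given on the command line
if [ "$#" -gt 0 ]; then
    gitflow_demo "$1"
fi
```

After the run, `login.txt` exists on develop but not on master, which is the point of the model: unfinished work never touches the published branch.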

Making this happen is a chore if you don’t have tools that are designed for this and you are likely to introduce big mistakes without using GitFlow tools. If you’re using Microsoft Visual Studio, go to the Extensions and search for GitFlow. Install that, then you can very very easily automatically create, pull, and work on a feature or bug or hot fix branch. Then when you’re done, you simply click “finish” and it’ll do all the committing, pushing, and merging for you (except for the merging where human intervention is required). Your F-Up rate will greatly decline and your co-workers will appreciate it!

If you’re using GitKraken, there’s a plugin for GitFlow there too. You can use both Visual Studio’s GitFlow and GitKraken’s GitFlow interchangeably, at the same time, on the same project.

No joke! Go get GitFlow now!


  • The base GIT software:
  • GIT Bash
  • GitFlow
  • Git Clients
    • Git GUIs
    • Inside Microsoft Visual Studio
      • VS directly supports GIT
      • Install the GitFlow extension.
    • Eclipse
    • Sublime
    • Android Studio
    • Stand-Alone clients
      • GitKraken
      • SourceTree
      • GitExtensions
      • Git Bash
  • GIT Servers



How I Protect Myself Against Ransomware



What is RansomWare?

Ransomware is probably the worst kind of malware you can get infected with. After it gets into your system, it secretly encrypts all your disk drives in the background. Once it’s done, it notifies you that all your files are encrypted and locked and demands an exorbitant amount of money to be transferred to the thieves (usually via BitCoin) in order to receive the decryption key. Sometimes they take your money and never give you the key. The longer you wait, the higher the ransom, until after about 3 days, they delete your key and your files are gone forever.

Things that do NOT work:

  • Encrypting your hard drive.  While it’s good practice to encrypt your hard drive, this does absolutely NOTHING to protect against Ransomware.  It may protect you from external people snooping your data, but if ransomware gets installed on your machine, it has access to your drive while it’s unencrypted, and can then encrypt it with its own keys.
  • Backups created using the same PC.  Why would having a backup NOT work against ransomware?  Because again, the ransomware can see and write to your backup drive if it’s accessible from your same PC and it will encrypt that too!

How I’m protecting myself against Ransomware

  • I have 2 drives on my main PC:  A boot drive that contains Windows and the installed applications, and an external, high capacity hard drive where ALL my data goes, INCLUDING my Windows Desktop, and all the special windows folders like desktop, documents, pictures, videos, downloads, etc…
  • My boot drive and my external drive are both encrypted (not really a help against Ransomware… just thought I’d mention that they’re encrypted).
  • I have a second drive of equal capacity as my data drive and it’s hooked up to an older Linux laptop.
  • On the host Windows PC, I created a user account named “Backup” (could be named anything) with read only access to my main data drive on my Windows PC.
  • On Linux, I used Veracrypt to encrypt my backup drive that’s connected to it (doesn’t really help against Ransomware, but again, just thought I’d mention it.)
  • Running a scheduled backup program on the Linux laptop (Lucky-backup… a GUI for rsync), connecting to my Windows PC over the network with the Windows “Backup” user account. It backs up all of my Windows external data drive to the Linux, encrypted backup drive and runs a differential backup every night.
  • Critically, the Windows PC has no direct access to the Linux backup drive.
  • My Linux laptop boots off a Linux flash thumb drive and does NOTHING but backup.

How does this protect me?

By using 2 different PCs, the chances of BOTH of them being infected with ransomware at the same time are very small. By using 2 different operating systems, the chances of both being infected at the same time are drastically reduced. While Linux is NOT virus free and is NOT ransomware free, it’s significantly more resilient and will NOT be infected by a Windows ransomware infection. If, by chance, the Linux machine gets infected with Ransomware, it has only read only access to my data drive on my Windows PC and will not be able to encrypt it. In either case, I have my full data on the other machine.

What happens if my Windows machine gets Ransomware?

I’ll reformat all of my Windows drives by booting off a clean flash thumb drive that has Windows installation media.  Then I’ll have to manually re-install my software, which will be a pain, but I have access to all of it.  Then I’ll need to restore my data to my data drive from my clean Linux backup.
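
The restore above only works if the nightly run has not already copied ransomware-encrypted files over the good copies. An added example (not from the original article, and not a feature of Lucky-backup): a check the Linux box could run before each sync, which skips the backup when too many already-backed-up files have changed or vanished. It assumes a plain rsync mirror; the function names, paths and the 20% threshold are made up for the example.

```shell
#!/bin/sh
# Added example: pre-flight guard for a nightly mirror-style backup.
# SRC is the read-only view of the data drive, DST is the backup copy.

# damaged_percent SRC DST
# Prints the share (0-100) of files already in DST that are either missing
# from SRC or hold different bytes there. Both are what an infection that
# encrypts or renames files looks like from the backup side.
damaged_percent() {
    src=$(cd "$1" && pwd) || return 2
    dst=$(cd "$2" && pwd) || return 2
    (
        cd "$dst" || exit 2
        find . -type f -exec sh -c '
            src=$1; shift
            for f do
                if [ ! -f "$src/$f" ]; then echo missing
                elif cmp -s "$f" "$src/$f"; then echo same
                else echo changed
                fi
            done' sh "$src" {} +
    ) | awk '
        { total++ }
        $0 != "same" { bad++ }
        END { if (total == 0) print 0; else print int(bad * 100 / total) }'
}

# backup_is_safe SRC DST [MAX_PERCENT]
# Succeeds when the damaged share is at or below the threshold (default 20).
backup_is_safe() {
    max=${3:-20}
    pct=$(damaged_percent "$1" "$2") || return 2
    [ "$pct" -le "$max" ]
}

# nightly_backup SRC DST [MAX_PERCENT]
# Runs the mirror only when the guard passes; otherwise leaves DST untouched.
nightly_backup() {
    if backup_is_safe "$1" "$2" "${3:-20}"; then
        rsync -a "$1"/ "$2"/
    else
        echo "ALERT: ${pct}% of backed-up files changed or vanished;" \
             "backup skipped, check the source machine" >&2
        return 1
    fi
}

# Run only when source and destination are given on the command line
if [ "$#" -ge 2 ]; then
    nightly_backup "$@"
fi
```

Comparing every file byte for byte is slow on a large drive; the same guard works on a sample of files or on modification times.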

What happens if my Linux machine gets Ransomware?

I’ll reformat all my Linux drives by booting off a clean flash thumb drive and then re-set up my backup system.  My Windows machine at that time should be clean.

Why doesn’t Encrypting my drives help me?

Encrypting your drives DOES  help protect you against adversaries trying to gain access to your data, but it does NOT help protect you against ransomware, which simply wants to DESTROY your data.  The reason is because ransomware runs after you’ve booted into Windows and Windows has decrypted access to your encrypted drives.  That means the ransomware has access to your encrypted drives too and can simply double-encrypt your data.



Encrypting the Non-Encrypted Cloud Drive Services



In this article in my series of “Encrypt All The Things!”, I’ll show how to fully encrypt your files on popular cloud drive services that do not support zero knowledge encryption.  Such services that do NOT support zero knowledge encryption are:

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • Box.Net
  • Amazon Cloud Drive

That is obviously not a comprehensive list.  Some that DO support zero knowledge encryption:

  • Mega
  • Spider Oak

That is also not a comprehensive list. The problem with Mega is that it’s closed source, so you can’t confirm that everything’s on the up and up. In fact, Kim Dotcom, the creator of Mega, was/is wanted by the United States government for hosting pirated material. That’s why he created Mega, so he’d have zero ability to decrypt the data, which was a great big middle finger to the U.S. government. He’s since left the company and now claims it can’t be trusted, but we don’t know if that’s just sour grapes from him, or if there’s a legitimate reason for him to say that. At any rate, it’s closed source, so there’s no way to confirm.

Spider Oak is also closed source AND it costs money.  It’s not a free service.

There are plenty of free cloud drive services (listed above at the top of this article), but none of them support zero knowledge encryption. There is now a fairly easy way to encrypt those.

Download and install the free, open source software called Cryptomator.  You can get it here:

As of this writing, they only have a Linux, Windows, and Mac version, but they are actively working on Android and iOS versions.

How it works

Once you install CryptoMator on your PC, you configure it to access each of your cloud drive services.  At the time of this writing, Cryptomator supports 4 of the popular cloud drive services.

  • Google Drive
  • Microsoft OneDrive
  • DropBox
  • (I can’t find information on the 4th one)

But, it should work with any cloud drive as long as you have a synced folder on your PC to that cloud drive service.  It doesn’t have to directly support your cloud drive service AS LONG AS your cloud drive software provides a local sync folder that other apps on your PC can access.

Below, I give general instructions.  The exact steps are clearly outlined in the CryptoMator documentation.  This will give you the basic idea of what you’re trying to accomplish…

Once installed, you add a “vault” to Cryptomator, create a password, and point CryptoMator to your local sync folder.  It will then create a virtual drive (using an unused drive letter) and store some encrypted files in your local sync folder.

Now, with your new drive letter, just put any files you want encrypted into there and NOT directly in your local sync folder. If you put anything directly in your local sync folder IT WILL NOT BE ENCRYPTED!!!! If you put files in the virtual drive that CryptoMator created for you and gave a drive letter, those files will appear as unencrypted to you as long as you have the “vault” unlocked with CryptoMator. The actual encrypted bytes of the files are stored in the local sync folder associated with your cloud drive service. If you open the sync folder, you’ll see meaningless file names and meaningless folder names with encrypted files in them. That’s the encrypted data. To have an unencrypted window into that encrypted data, simply open the new drive letter that CryptoMator created for you when you unlocked the vault with your password.

Since the encrypted bits are stored in your sync folder, they get synchronized with your cloud server and it’s those encrypted bits that are stored on the cloud drive servers.

Once you get that working, it’s a good idea to drag and drop all your previously existing NON ENCRYPTED files and folders from your local sync folder into your vault virtual drive.  Once you’ve confirmed they’re in the vault, BACK UP YOUR FILES, then you can safely delete them from your sync folder, which will delete the unencrypted files from your remote cloud drive, leaving only the encrypted bits.  Cryptomator will automatically encrypt them and store the encrypted bits back into your local sync folder, which your cloud drive software will then upload to your cloud drive service.
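
One way to check the rule above after the migration, as an added example that is not from the original article or from Cryptomator: list every file in the sync folder that sits outside a vault and would therefore upload unencrypted. It assumes a vault's top folder is the one holding `masterkey.cryptomator`; the function names and sample paths are made up for the example.

```shell
#!/bin/sh
# Added example: find files in a cloud sync folder that are NOT inside a
# Cryptomator vault, i.e. files that reach the cloud provider as plaintext.

# plaintext_files SYNC_DIR
# Prints, one per line and relative to SYNC_DIR, each file that has no
# masterkey.cryptomator in its own folder or any parent folder up to SYNC_DIR.
plaintext_files() {
    sync_root=$(cd "$1" && pwd) || return 2
    (
        cd "$sync_root" || exit 2
        find . -type f -exec sh -c '
            for f do
                d=$(dirname "$f")
                in_vault=no
                # Walk up from the file towards the sync root
                while :; do
                    if [ -f "$d/masterkey.cryptomator" ]; then
                        in_vault=yes
                        break
                    fi
                    [ "$d" = "." ] && break
                    d=$(dirname "$d")
                done
                [ "$in_vault" = yes ] || printf "%s\n" "$f"
            done' sh {} +
    )
}

# plaintext_count SYNC_DIR: number of files outside any vault
plaintext_count() {
    plaintext_files "$1" | awk 'END { print NR }'
}

# sync_folder_is_clean SYNC_DIR: succeeds when nothing sits outside a vault
sync_folder_is_clean() {
    [ "$(plaintext_count "$1")" -eq 0 ]
}

# Run only when a sync folder is given, e.g.:  sh check.sh "$HOME/Dropbox"
if [ "$#" -gt 0 ]; then
    plaintext_files "$1"
fi
```

Housekeeping files that the sync client itself drops into the folder will show up in the list too, so read the output rather than deleting from it blindly.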


  • Errors with large folders: I have about 64GB in my Microsoft One Drive.  When I tried moving my camera roll folder into my Cryptomator virtual drive associated with OneDrive, it kept failing.  I presume it wasn’t designed for folders with that many files or that many bytes.  After many days of effort, I finally did get it working.  I do not know if it was a OneDrive problem or a Cryptomator problem.  I had no issues encrypting my Google Drive nor my DropBox, but neither of them had as much data.
  • No Mobile (yet): Right now, there’s no mobile access to your encrypted data.  They’re actively working on both Android and iOS apps, so that may change by the time you see this.
  • No browser access: Since the web interfaces of these cloud services simply show you the files as they are on their services, after you encrypt your files and folders, when viewing them with a web browser on those services, you’ll only see the encrypted data.  This makes sense because the cloud drive services are unaware of the encryption switch-aroo you’ve done.  Don’t expect this to change.
  • Your Key: With zero knowledge encryption, you keep your key locally, but Cryptomator stores your key ON your remote cloud drive.  Don’t fret too much though.  It’s encrypted with your password that you made when you created your vault.  Technically, your password is your key.  In my judgment, it’s fairly safe.  Though, I wouldn’t be storing my archives of my classified State Department e-mail on any of these public cloud drives, even with Cryptomator.
  • Meta data: The contents of your files are encrypted as well as the file and folder names, but the timestamps are NOT encrypted and neither are the number of files, the number of folders, nor the sizes of the files.  The timestamps are left as is in order for your cloud drive software (OneDrive, Google Drive, DropBox, etc…) to know when things have changed so it can sync properly.  The file sizes are a result of how many bytes you’re encrypting.  The number of encrypted files will be roughly equal to the number of files as they were before they were encrypted (but the contents will be fully encrypted).  This too is a side effect of how the syncing works.
  • Mobile still unencrypted: You should probably turn off or uninstall the cloud drive software on your mobile devices because you won’t be able to see anything but encrypted data.  Also, any files you have locally on your mobile device that you have set to sync will be uploaded UNENCRYPTED.  Then you’ll have a mix of both encrypted and unencrypted files on your cloud drive.  Remember, CryptoMator is actively working on Android and iOS apps.  When they’re available, you can install those and follow Cryptomator’s recommendations on what to do with your cloud drive provider software.

Use this information about the caveats



Zero Knowledge Encryption


Zero Knowledge has this to say about zero knowledge encryption:

“Zero Knowledge means we know nothing about the encrypted data you store on our servers. This unique design means nothing leaves your computer until after it is encrypted and is never decrypted until it is unlocked with your password on your computer. It’s not just “end to end encryption;” it’s a Zero Knowledge System.”, by the way, is a cloud drive service provider.  Though, there are some critiques of the way they password protect your local key on your own PC, it is far more secure than Google Drive, Microsoft One Drive, Amazon cloud storage, DropBox, Box.Net, etc…

In short, if you have full control over your encryption keys and the remote service provider does NOT and cannot decrypt your data, then THAT is zero knowledge encryption.  Never settle for anything less.



Why it’s proper to assume the worst



When you’re securing your devices, network, and data, you do so as if you’re expecting the worst.  This, of course, doesn’t mean the worst is going to happen, but if you can protect against it, you should, and if you don’t, and you get hit, it’s your own fault.

“Are you Paranoid???”

It’s inevitable that when you discuss standard security practices online, you’re going to run into some uneducated yahoo that loves to scream “paranoia!”.  If we used their “logic”, then we’d have no blinds on our windows, no bathroom doors, no bedroom doors, no locks on our homes or cars, no health insurance, no auto insurance, no life insurance, no home owners or renters insurance, no smoke detectors, and no fire extinguishers.  Just because you’re taking obvious and appropriate precautions, does not a paranoid schizophrenic make.

Reduce Your Attack Surface

A basic security principle is to reduce your attack surface.  That means that you simply turn off or disable avenues of outside attack, except for the few that you definitely need to use and protect those as best you can when they’re open, and close them when you’re done using them.


The fact is there’s plenty of money to be made, and being made, by malicious users around the world. Whether it’s phishing scams, viruses, trojan horses, worms, stolen databases, direct hacking attempts, webcam hijacking, bots, ransomware, or any number of other attacks, if it’s online, it’s definitely being scanned by malicious users and poked and prodded for exploits.

Your current software and operating systems and devices are not secure

Today, in the second half of the second decade of the 21st century, if you put a fresh install of Windows 95 on a computer and hook it to the internet, it’s estimated that within 45 seconds, it will be compromised. I’m not trying to scare you away from Windows 95. By now, you’re certainly on a newer operating system. That’s just an example of what kind of attacks are constantly running and scanning everything hooked up to the internet. Newer operating systems are much less vulnerable. Let me clarify that. Newer operating systems are no longer vulnerable to those old, known attacks, but they are still vulnerable. Every week, Microsoft releases security patches to Windows. They’ve been doing this for at least 15 years. And next Tuesday (no matter when you’re reading this), there will be another round of security patches to close up some of the security holes your up-to-date copy of Windows has right this moment. But, it will not fix the security holes that are still in it. The following Tuesday, even more holes will be closed. And the cycle will continue ad infinitum. Even as Microsoft continues to close up more security holes, they’re always making other modifications to Windows to add new features or fix bugs, that ultimately open new security holes.



It doesn’t matter how much you try to protect yourself, there will always be holes open for attackers, but you should, of course, close up the holes you know about, keep your software up to date, encrypt your data, don’t re-use passwords, use long passwords, preferably computer generated, use a password manager, and even cover up your webcam on your laptop with a piece of tape.  You’re not paranoid if they really are out to get you, and believe me and all the others in the security industry… They Are!  However, they’re most likely not out to get specifically you, just anyone or anything that they find that’s not protected, and that’s YOU, me, and everyone else on the internet.  Just as you lock your front door, close your bedroom blinds, and buy insurance, protecting your digital content is no different.  You’re not expecting anyone to rob you tonight, but you’re going to lock your door anyway.  You don’t expect to die today, but you have life insurance anyway.  However, unlike your front door on your home, your home network is constantly being probed.

Now, go and encrypt your data.



How to deal with Trolls Online


Years ago, back when Google+ was still in the invite phase, I wrote the following article on Google+ Netiquette:

Google+ Netiquette

Years have gone by and the pleasant days of invite only are gone and now we deal with trolls on a daily basis. If you’ve spent any time online, you’ve dealt with trolls. But what IS a troll?

Troll Defined

According to Google, it’s someone that “make(s) a deliberately offensive or provocative online posting with the aim of upsetting someone or eliciting an angry response from them.”


According to the Urban Dictionary, it’s “Being a prick on the internet because you can. Typically unleashing one or more cynical or sarcastic remarks on an innocent by-stander, because it’s the internet and, hey, you can.”


Let’s look at some real life examples of trolling, shall we?

Here’s a typical one I encountered recently. During an innocent conversation about someone that got a chip on their Gorilla Glass screen on their Samsung Galaxy S7 phone, which has a premium build glass and metal body (that’s important to follow the trolliness here)…


So, this troll jumped into an ongoing, pleasant conversation instantly stating lies (or he’s just 2 generations behind on his knowledge of what Samsung phones are made of), then he jumps to drastically wrong assumptions, repeats his misinformation, jumps to massive conclusions, attacks the entire Android platform, then expands his insults to all Android users across the entire planet, then accused me of being the troll when I called him out on his trolliness.  This thread went on further with more of the same.



This is just the latest troll I’ve dealt with and is a typical example of the trolls I deal with almost daily.  No doubt, in true troll form, if this troll ever sees this post, he’ll make a new thread claiming this post is all about him.  Reminds me of the old Carly Simon song, “You’re So Vain” … you probably think this song is about you.  Would be the same with any troll that I used as an example here.  This is just the most recent one at the time of this posting.

Of course, you see this behavior on any subject where people have opinions… politics, religion, science, favorite devices, etc…

But, how do you DEAL with these trolls?

There are 2 schools of thought on this and they’re both equally valid:

  1. Ignore them and they’ll go away.  Also known as “Don’t feed the trolls”.
  2. Take them on.

The conventional wisdom is “don’t feed the trolls”.  The theory goes that they only post to get people riled up and if you ignore them, they’ll go away.

While that’s true for some trolls, and in my opinion, a very small minority of them, it’s not true for all trolls and it’s my experience that it’s not true for most of them. Ditto for the claim that they just want to rile people up. My experience in dealing with them going all the way back to 1988 is that most of them are just people with strong opinions, poor social skills, and an extraordinarily sensitive ego. Their purpose is not to rile people, but to make themselves feel better by belittling others. When uncontested, they feel vindicated and that is a reward to them to do more of the same.


So, step 1, Don’t be a Troll!

See these Google+ Netiquette tips

Step 2:  Understand that you’re not necessarily dealing with this one troll, but combating a larger problem of trolls everywhere.

Step 3:  Determine what kind of troll this person is.  Are they just confused and if you provide corrected information, will it fix them?  Or, are they a repeat troller or trolling in a known trolling topic (such as iOS vs. Android or Republican vs. Democrat)?

Step 4:  Always try to first resolve issues politely and respectfully, even when the other party isn’t being respectful… IF you’re not sure they’re a repeat offender or trolling on a repeat troll topic.

Step 5:  Establish yourself as a polite, honest, reasonable person.  Politely try to resolve the problem.  Don’t give them an opportunity to label you as a troll.  They’ll do this anyway, but when you’re being more than polite, it only makes them look more ridiculous.  This is a big hit to their ego.

Step 6:  Re-confirm that your goal is to get to the truth, not to argue, and that you’d appreciate being treated with respect and that you’ll provide him (or her) with respect too. Killing them with kindness makes their heads explode. On a few occasions, they realize what they’ve done and apologize. Sometimes they just leave, licking their wounds, usually blocking you on the way out.

There are, however, times when a troll needs a true smackdown.  I caution against this unless you can hold your own and are an expert in the topic being discussed.  Don’t be rude for the sake of being rude (that’s trolling), but feel free to mirror their insults.  Copying and pasting their own text against them is a great way to mirror their bad behavior that they can’t tag you on, because they’re actually the ones that wrote it.  Make absolutely certain that your facts are correct, because if you make any factual mistakes, YOU will be called out.  Keep reminding them that you tried to be civil, rational, and respectful, but they chose this path and you’re simply reciprocating the style of discussion that they chose… that it appears to be the only style they’ll pay attention to.  Also, trolls hate it when you use complex sentences and multisyllabic words or sound educated in any way.


When a troll has an unpleasant experience trolling (when their ego is hurt), they’ll think twice before trolling again, especially against you.
