Module 10 · Staying Safe Day-to-Day 35 min

Linux was built from day one for lots of people sharing one computer. Every single file has an owner, a group, and a list of who's allowed to do what with it. Once it clicks, it's tidy and makes sense.

By the end of this module, you will:

  • Spot a suspicious email, download, or pop-up before you click
  • Lock your screen reliably and know when to do it
  • Back up the files that matter
  • Recognise a legitimate password prompt vs a fake one
  • Know when in doubt to ask IT rather than experimenting

The good news, first

Linux is a lot safer than Windows by default. There's no big antivirus app nagging you. There's no Windows-style "click here to update Flash" pop-up scam. Most of the trouble Windows users hit — drive-by malware, sneaky toolbars during installs, fake security pop-ups — just isn't a thing here.

But "safer by default" isn't "safe forever". The same five habits that keep a Windows user out of trouble keep a Linux user out of trouble. None of them are technical. All of them take less than a minute.

What this module is — and isn't

This module is everyday safety: passwords, screen locks, suspicious emails, backups. The stuff that protects you from people trying to trick you, not from servers trying to break in. If you want the firewall / fail2ban / GPG sysadmin stuff, that's in the Further Learning section under "Security" — useful if you're running a server, overkill if you're just using a laptop.

Habit 1 — Lock your screen every time you walk away

On Windows you press Windows + L. On Linux it's Super + L (the Windows key is called Super on Linux, just to confuse you — same key, same place). One press, screen locks, your password is needed to get back in.

Do it every single time you leave your laptop alone for more than ten seconds. Coffee run. Bathroom. Conversation with a colleague in the corridor. It's the cheapest single thing you can do for your own security, and the one most people skip.

| You're doing | You should |
|---|---|
| Stepping away from your desk | Press Super + L |
| Closing the laptop lid | Already does it — but check with the lid trick once |
| Going to a meeting and leaving the laptop on your desk | Lock it. Don't trust the office. |
| Working in a coffee shop and going to the loo | Lock it AND take it with you, or ask a friend to watch it |

Try it once — confirm the lock works
Press Super + L now. Your screen should go to the lock screen. Wiggle the mouse — it should ask for your password. Type it, press Enter, you're back. Now you know it works. Use it.

Habit 2 — One strong password, kept in one safe place

The single biggest password mistake: using the same one in more than one place. If one website gets hacked, the bad guys now have your password for everything else too. It happens constantly.

The fix: a password manager. One program remembers every password for you. You only ever type one master password — the one that unlocks the manager — and it fills in the rest. Bitwarden is free, works on Linux out of the box, and works on your phone too. Install it from the Software Centre (you learned how in Module 7).

| What good looks like | What bad looks like |
|---|---|
| One master password you actually remember | The same password on every site |
| Every site gets a unique random password from the manager | Passwords written on a sticky note under the keyboard |
| You'd happily tell someone what password manager you use | You'd be embarrassed to tell anyone how you choose passwords |
| Two-step verification turned on for email + bank | "It hasn't happened to me yet, so I'm fine" |

Two-step verification — turn it on for email and bank, at least

Two-step verification (sometimes called 2FA) means even if someone steals your password, they still can't get in without your phone. Most email providers and banks support it. Turn it on for those two at minimum. The thirty seconds it adds when you sign in is nothing compared to the alternative.

Habit 3 — Recognise a dodgy email when you see one

Linux doesn't protect you from a person sending you a fake email asking for your password. Nothing protects you from that except you. The good news: dodgy emails almost always have a few telltale signs once you know what to look for.

| What you see | What it usually means |
|---|---|
| "Your account has been locked. Click here to verify." | Phishing. Real companies don't lock accounts via email. |
| The sender's address is support@am4z0n-security.com instead of amazon.com | Phishing. Look at the domain after the @ — that's the real sender. |
| "URGENT — your boss needs the gift cards today" | Phishing. Urgency + an unusual request = stop and think. |
| An attachment called invoice.pdf.exe | Phishing. .exe is a Windows program; no real invoice ends in .exe. |
| Email from your bank addressed to "Dear Customer" with no name | Suspicious. Your bank knows your name. |
| Link text says "amazon.com" but hovering shows "http://am4z0n.ru" | Phishing. The hover text is the real link. |

The single rule that catches 99% of phishing

Hover over the link before you click. Your browser or email client shows you where it really goes at the bottom of the screen. If the link says one thing but the hover text shows somewhere else, don't click. Ever. Doesn't matter who sent it, doesn't matter how urgent it looks.

What to do if you clicked something you shouldn't have

Everyone clicks the wrong thing eventually. The damage you can do depends on what you do next.

  1. Don't type your password anywhere. If a page asked you to log in, close the tab. Do not fill in the form, even to "check" it.
  2. Disconnect from the network if you ran something. Click the Wi-Fi icon at the top right, switch it off. That stops anything from talking to a server.
  3. Tell IT (or your help channel) immediately. The faster they know, the less damage. They will not be cross. They will be cross only if you don't tell them and find out a week later.
  4. If you typed a password into a dodgy form, change it. Use your password manager to make a new one. Change it on the real site, not via any link in the dodgy email.

Habit 4 — Only install software from the Software Centre

Module 7 showed you how to install apps via the Software Centre and via apt install. Both pull software from a trusted source — Ubuntu's own repositories — which has been checked and signed.

Everything else is risky. A random .deb file you downloaded from a forum. A bash script someone posted that starts with curl ... | sudo bash. A "Linux version" of an app from a website you've never heard of. None of these are automatically dangerous, but they all skip the trust check. Treat them like you'd treat a USB stick handed to you by a stranger.

| You're about to install | Safe? |
|---|---|
| Firefox from the Software Centre | Yes. Verified, signed, kept up to date. |
| sudo apt install vlc | Yes. Same as above, just from the terminal. |
| A .deb from a forum link | Risky. Only if you trust the forum AND the original author. |
| "curl https://random.io/install.sh \| sudo bash" | Risky. You're running a script as admin without reading it. |
| A Snap or Flatpak from the official store | Yes — these stores are also verified. |
| A "Linux installer" .exe file | Not a thing. .exe is Windows. Either it's not really for Linux, or it's a trick. |

Habit 5 — Back up the stuff you'd cry over losing

Backups aren't about Linux being unreliable. They're about everything eventually breaking: hard drives die, laptops get stolen, you accidentally delete a folder. The question isn't "will I need a backup", it's "when".

Ubuntu comes with a backup tool called Déjà Dup (it's called "Backups" in the menu). Open the Software Centre, search "Backups", install it if it isn't already there. It takes about three minutes to set up:

  1. Open Backups. Activities → type "Backups" → click it. The first time it opens, it asks where to back up to.
  2. Pick somewhere that isn't your laptop. An external hard drive. A USB stick. A cloud account like Google Drive or your company's OneDrive. The rule: if your laptop disappeared today, your backup must still exist somewhere else. A backup on the same disk as the original is not a backup.
  3. Tell it what to back up. Add your Documents, Pictures, and Desktop folders. Skip Downloads — that's stuff you can re-download. Skip Videos only if they're not yours.
  4. Turn on the schedule. Switch the "Automatic backup" toggle on. Daily is fine. Weekly is the minimum. Now forget about it — it just runs.
  5. Once a year, restore one file. Pick a random file. Use Backups to restore it. If the restore works, the backup is real. If it doesn't, fix it now — not the day you actually lose something.

The 3-2-1 rule (one for the keen)

Pros use a thing called 3-2-1: 3 copies of anything you care about, on 2 different types of storage, with 1 copy off-site. For most people: the original on your laptop, Déjà Dup to an external drive, plus your important documents in OneDrive or Google Drive. That's already 3-2-1.

When in doubt — ask, don't experiment

If something feels off — a weird pop-up, a download that asked for your password unexpectedly, a file you can't open and don't remember creating — stop. Don't try to fix it by clicking things or running random commands you found on a forum. You'll either make it worse or convince yourself it's fine when it isn't.

The next module is the proper troubleshooting checklist, and most everyday problems are in there. But for anything that smells like security — a phishing email you opened, a download you regret, a screen lock that didn't work — your job is to ask for help, not to be a hero.

The five habits, on a sticky note
  1. Super + L every time you walk away
  2. Password manager + a strong master password
  3. Hover before you click — link text lies, hover text doesn't
  4. Install only from the Software Centre
  5. Backups, set up once, restored once a year