How can digital assets protect themselves? The 15-step checklist co-created by OpenAI

Title: How to Stay Digitally Secure in the Age of Claude Mythos (Using Karpathy’s 15-Step Checklist)
Author: Ole Lehmann
Translation: Peggy, BlockBeats

Author: Rhythm BlockBeats

Source:

Repost: Mars Finance

Editor’s note: As AI capabilities begin to approach the boundaries of “general tools,” the meaning of cybersecurity is also changing. It is no longer just about defending against hackers, viruses, or data leaks but evolving into a game of “capability asymmetry.”

With Anthropic’s release of Claude Mythos demonstrating near-top expert-level vulnerability detection abilities, cyberattacks are entering a more covert and automated new stage, and personal security has shifted from “optional” to “essential.” On one hand, the barrier to attack is being lowered; on the other hand, attack efficiency is exponentially increasing. This means “passive security” will become increasingly unsustainable.

Against this backdrop, OpenAI co-founder Andrej Karpathy’s “Digital Hygiene” checklist offers an actionable response path. In the AI era, security is no longer “remedial after an incident” but part of “daily behavior.” Authentication, permission isolation, information minimization, and behavioral habit restructuring. These seemingly trivial 15 steps are essentially about rebuilding a security boundary that an ordinary user can control.

The real risk isn’t whether you become a target but whether you are defenseless when an attack occurs.

Below is the original text:

It is certain: in cybersecurity, there is no longer any room for laziness.

The milestone Mythos released yesterday by Anthropic marks an irreversible turning point.

This technology is not yet public, but once it falls into the hands of malicious actors (which is almost inevitable)… you will face an extremely advanced cyberattack, and most people will be too late even before realizing they’ve been compromised.

It’s like the “COVID-19 virus” in the software world.

And for this reason, from now on, your cybersecurity must be airtight.

Karpathy’s Digital Hygiene Guide

Last year, Andrej Karpathy (@karpathy, co-founder of OpenAI) compiled a “Digital Hygiene Guide,” systematically outlining fundamental methods to protect oneself in the AI era.

This is one of the most worthwhile beginner’s guides I have seen.

Here are all the security measures you should take in this uncertain era:

1. Use a password manager (e.g., 1Password)

Generate unique, random passwords for every account you own. If a service is breached, attackers often use these credentials for “credential stuffing.” A password manager can eliminate this risk entirely and also auto-fill, making it faster than reusing passwords.

2. Set up hardware security keys (e.g., YubiKey)

These are physical devices used as second-factor authentication. Attackers must “possess the physical item” to access your account. Compared to SMS codes, which can be easily stolen via SIM swapping (where someone impersonates you to the carrier and transfers your number to their device).

It is recommended to buy 2–3 YubiKeys, store them separately to avoid being locked out if one is lost.

3. Enable biometric authentication everywhere

For example, Face ID, fingerprint recognition, etc., in password managers, banking apps, and critical applications. This is the third layer of verification: “yourself.” No one can steal your face from a database.

4. Treat security questions as passwords

Questions like “What is your mother’s maiden name?” can be answered with a quick online search in 10 seconds. Generate random answers and store them in your password manager. Never use real information.

5. Enable disk encryption

On Mac, called FileVault; on Windows, called BitLocker. If your computer is stolen, encryption makes the data on it just a “brick,” not your entire data. Turning it on takes only 2 minutes and runs automatically in the background.

6. Reduce smart home devices

Every “smart device” is essentially an internet-connected computer with a microphone. They continuously collect data, connect frequently, and are often hacked. Your home air quality monitor, for example, doesn’t need to know your precise location. Fewer devices mean fewer attack points.

7. Use Signal for communication

Signal offers end-to-end encryption, so no one (including the platform itself, carriers, or eavesdroppers) can read the content. Regular SMS and even iMessage retain metadata (who, when, contact frequency). Enable “disappearing messages” (e.g., 90 days) to prevent history from becoming a risk.

8. Use privacy-focused browsers (e.g., Brave)

Based on Chromium, compatible with Chrome extensions, with nearly identical user experience.

9. Switch your default search engine to Brave Search

It has an independent index (unlike DuckDuckGo, which relies on Bing). If search results are poor, you can add “!g” to jump to Google. The paid version costs about $3 per month, which is worth it—you become a customer, not “the product being sold.”

10. Use virtual credit cards (e.g., Privacy.com)

Generate separate card numbers for each merchant and set spending limits. You can even fill in random names and addresses. If a merchant is breached, only the one-time card number is leaked, not your real financial identity.

11. Use virtual mailing addresses

Services like Virtual Post Mail will receive your physical mail, scan the contents, and let you view them online.

Decide which to destroy and which to forward. This way, you don’t have to give your real home address to strangers every time you shop online.

12. Never click links in emails

Email addresses are extremely easy to forge. With AI, phishing emails now are almost indistinguishable from real ones. Instead of clicking links, manually type the URL and log in directly.

Also, disable automatic image loading in your email to prevent embedded images from tracking whether you’ve opened the email.

13. Use VPN selectively (e.g., Mullvad)

A VPN (Virtual Private Network) can hide your IP address (a unique identifier of your device and location) from the services you access. No need to keep it on all the time, but definitely turn it on when using public Wi-Fi or visiting untrusted sites.

14. Set up DNS-level ad blocking (e.g., NextDNS)

DNS is like a phonebook for “finding websites.” Blocking at this layer prevents ads and trackers from loading before they even start.

It works for all apps and browsers on your device.

15. Install network monitoring tools (e.g., Little Snitch)

These show which applications are connecting online, how much data they send, and where it goes. Any app with unusually high data transmission should be scrutinized or uninstalled.

Currently, Mythos remains controlled by the defenders of Project Glasswing (such as Anthropic, Apple, Google). But similar capabilities will soon fall into malicious hands (possibly within 6 months or even sooner).

That’s why you must strengthen your security defenses now. Spending 15 minutes to set up these measures can help you avoid a series of serious future problems.

Stay safe and best wishes.