COMPANIES TO AVOID
Many companies have behaved badly. Sometimes it seems like they all have. The Defensive Computing thing to do is avoid their products.
This list is in no particular sequence.
- Twitter. Twitter (aka X) is here for so many reasons, all of which are pretty obvious. A suggestion for dealing with Twitter: If someone there says that ice cubes are cold, don't believe it.
- September 29, 2025: Avoid Tile trackers (they compete with Apple AirTags).
Tile Tracking Tags Can Be Exploited by Tech-Savvy Stalkers, Researchers Say by Kim Zetter for Wired
The article details the insecure design used by Tile and also how they chose to ignore the researchers that pointed out the problems. So, double bad. Their privacy claims are false. Competing products are secure, Tile is not. Quotes: "... each tag broadcasts an unencrypted MAC address and unique ID that can be picked up by other Bluetooth devices ... The location of a tag, its MAC address, and unique ID also get sent unencrypted to Tile’s servers ... giving Tile the ability to track the location of tags and their owners, even though the company claims it does not have this capability."
- I would avoid Gazelle, which buys and sells smartphones. I tried to buy a used iPhone from them, the order was delayed. Why? They would not say. When would it ship? They would not say. Would it ever ship? No comment. And, they would not cancel the order either. Other opinions:
My experience with Gazelle, a learning experience from Reddit, more about selling a used phone rather than buying.
Gazelle Reviews at ConsumerAffairs.com
Gazelle at the Better Business Bureau
Their Terms and Conditions
- If you are buying a printer, probably best to avoid HP. For more, see the Printers page here.
- Cell Service
- T-Mobile has the most hacks and data breaches
- Data security at AT&T has also been bad. In July 2024 we learned that much of their data was stolen. So, they practice bad security. In addition, they chose a cloud storage provider that also practices bad security as many customers of this cloud provider were also hacked. A third strike is in this New York Times article: The Massive AT&T Data Breach Doesn't Just Affect AT&T Customers. Here's How to Protect Yourself by Max Eddy (July 16, 2024) which says: "AT&T said that the information from mobile virtual network operators (MVNOs) was also exposed in the attack ... Boost Mobile, Consumer Cellular, and Cricket Wireless are just a few of the MVNOs that use AT&T's network. AT&T has not provided information about which specific MVNOs may have been affected. We also reached out to AT&T for more information about how MVNOs were affected by this breach, but the company declined to comment."
- May 2025: A survey by Consumer Reports: Best and Worst Phone Plan Providers reported that AT&T finished dead last in the ratings, behind 20 other companies. It got poor marks for both value and customer support.
- In the same Consumer Reports survey Verizon tied for second-to-last place
- As a rule, avoid software from Microsoft. Don't use their web browser (Edge), don't use Skype, don't use Teams, don't use Office (go with LibreOffice instead), don't use Windows, etc.
- Avoid LastPass (a password manager).
- Avoid PayPal. I say this based on personal experience. Someone opened a PayPal account using one of my email addresses. This despite the fact that I never responded to either of the emails from PayPal that asked for information as part of the account setup process. The bad guy scammed PayPal, not me. When I reported this, PayPal said that it was a scam, just like the many other standard scams. Their tech support was too stupid to realize that they sent the messages.
- Meta / Facebook / Instagram / Threads (pretty much this is self-explanatory)
- Avoid Tesla. This Reuters article describes how they have been dishonest:
Tesla blamed drivers for failures of parts it long knew were defective by Hyunjoo Jin, Kevin Krolicki, Marie Mannes and Steve Stecklow December 20, 2023.
More bad things about Tesla are in the Cars topic
- AT&T has behaved miserably in regard to a data breach they suffered in 2019. Simply put, the company is a lying weasel.
It took them almost five years to confirm that the stolen data actually belonged to them and to alert their customers.
And, they have said nothing about how the data was stolen. See
AT&T now says data breach impacted 51 million customers by Bill Toulas of BleepingComputer April 10, 2024
The article details how AT&T said as little about this as they could get away with.
In 2021 they told BleepingComputer that the data did not belong to them and that their systems had not been breached. In March 2024 they again told BleepingComputer that the data did not originate from them and their systems had not been breached. Then it was confirmed that the data did belong to AT&T (and DirecTV). Only then did AT&T come clean. They are facing multiple class-action lawsuits in the U.S.
- Western Digital and SanDisk fall into that category according to this August 2023 article. WD refused to answer our questions about its self-wiping SanDisk SSDs by Sean Hollister for The Verge. "For months, the company has been laughably silent about how its pricey portable SanDisk Extreme SSDs might lose all your data ... Months after our inquiries, Western Digital continues to sell these drives due to deep discounts, fake Amazon reviews, and issues with Google Search that rank favorable results far higher than warnings about potential failures." This issue has generated three lawsuits. "Western Digital was already forced into a class action settlement over a previous questionable practice: in 2020, the company brazenly tried to sneak SMR drives into its WD Red lineup marketed for network-attached storage devices. The company paid $5.7 million to settle those claims."
- SanDisk: A personal story - I bought a SanDisk Ultra Dual Drive USB Type-C flash drive in September 2023. The packaging (and the linked PDF) said to go to a URL for a list of compatible devices. The URL did not exist. When I navigated through the Western Digital Support website and found the support page for the thing, there was no list of compatible devices anywhere.
- D-Link. In November 2024, we learned that thousands of D-Link NAS devices are accessible from the Internet and have critical flaws that bad guys are exploiting. But, D-Link will not issue bug fixes because the devices are too old. The world suffers. They do the same thing with their routers. In April 2024, it came out that some D-Link NAS devices had a backdoor. That is, D-Link could get into the devices remotely, whenever they pleased. This is not something a reputable company does. See Critical takeover vulnerabilities in 92,000 D-Link devices under active exploitation by Dan Goodin for Ars Technica.
- Avoid Substack where Nazis are good and tits are bad. I say this not because of privacy or security or any Defensive Computing reason. I say it after reading this Ed Bott article from January 4, 2023: Happy New Year to everyone except Substack's owners. Substack is managed by miserable human beings. If you want to create a newsletter, do not use them. This is not to say that everything there is bad, not at all. Many people creating newsletters do not have the technical ability of Ed Bott and cannot move to another newsletter company. But, be aware that hate is good (and profitable) to the people in charge of Substack.
- Tripadvisor is not trustworthy. I got burned by them when I stayed in a miserable hotel that had a great rating. After my trip I tried to give the hotel a more appropriate rating but because I had not booked the hotel stay through TripAdvisor, I could not review the hotel.
- Sonos privacy: Sonos draws more customer anger - this time for its privacy policy by Chris Welch for The Verge (June 14, 2024). Quoting: "Sonos has made a significant change to its privacy policy, at least in the United States, with the removal of one key line. The updated policy no longer contains a sentence that previously said, 'Sonos does not and will not sell personal information about our customers.' That pledge is still present in other countries, but it is nowhere to be found in the updated US policy, which went into effect earlier this month."
- Oracle (personal opinion). To back up my opinion, this January 2025 article in The Register tells of an HR and finance system that started in 2019 and was supposed to go live in 2021. The original cost was $3.1 million (US). It is still not completed and the cost is now expected to be $50 million (US). UK council selling the farm (and the fire station) to fund ballooning Oracle project by Lindsay Clark. If you read the article, take note of the other articles from The Register, at the bottom of the page, about Oracle. Among them, this: Eight things that should not have happened last year, but did by Rupert Goodwins January 1, 2025.
- Norton and Symantec (personal opinion)
- Avoid the Cash app from Block
- Avoid the MOVEit secure file transfer software from Progress Software. Maybe avoid all of their products.
- Internet Infrastructure
- Avoid GoDaddy. I have felt this way for many years, for multiple reasons. No need to trust me, see this January 15, 2025 action by the FTC: FTC Takes Action Against GoDaddy for Alleged Lax Data Security for Its Website Hosting Services.
- Linksys (personal opinion)
- Avoid Cisco, they have a miserable record in terms of software bugs, hard coded admin passwords and fake hardware. More details are on both the News and Bugs pages of my RouterSecurity.org site. Here is but one example: Vulnerability in Cisco Smart Software Manager lets attackers change any user password by Dan Goodin for Ars Technica (July 17, 2024)
- As per this April 2025 Reddit thread Goodbye Liquid Web Support maybe avoid Liquid Web for website hosting. It is a frequent story: they got bought out and the new corporate owner is firing everyone they can.
- July 30, 2025: If you are looking to register a domain, maybe avoid Webnic: ICANN sends breach notice to domain registrar Webnic by Andrew Allemann for Domain Name Wire. ICANN claims the domain registrar is lax when investigating and responding to DNS abuse complaints.
- June 2024: Anyone buying digital certificates should probably avoid Entrust as per this: Google cuts ties with Entrust in Chrome over trust issues by Connor Jones for The Register (June 28, 2024) and Sustaining Digital Certificate Security - Entrust Certificate Distrust by Google (June 27, 2024)
- Maybe avoid Pair.com. I used them for many years but as of September 2025, something has clearly changed. I get a bill that is four times larger than before. I submit a ticket asking why, as the billing invoice does not break down the assorted charges. There is a new ticketing system that requires a new account with Zendesk. But, there is no way to create a Zendesk account. So, I used their chat to ask how to create a Zendesk account, and no one responds to the online chat.
No need to believe me, here you can see a screen shot of the Zendesk chat showing my last message sent at 12:32pm and the computer clock showing it to be 12:58pm. No response for 27 minutes. On another note, if a website hosted there becomes popular and uses more than the allowed bandwidth, you are on the hook for a huge bill. They are not able to take a site off-line to avoid a possible huge expense.
- For great Wi-Fi coverage, many people opt for a mesh system that covers much/all of their home. When shopping for a mesh system, avoid Plume SuperPods because they spy on you. In Canada they are sold by Bell, their largest ISP, and labeled as Bell, but are really made by Plume. For more, see: The spies in your home: How WiFi companies monitor your private life by Edward Komenda of ProtonVPN (June 5, 2024).
- CrowdStrike. Anyone alive on July 19, 2024 when their software caused world-wide chaos, knows why they are listed here. They will tell the public it was one bad file, but one bad file causes a trivial amount of problems if you plan for that, which clearly they did not. They are on this list not because of one bad file but because of miserable disgraceful internal controls before sending the bad file out to the world. And, for not detecting it before sending it.
- Bad security camera companies
- Maybe avoid Hikvision: China's Hikvision says it is challenging Canada's shut down order by Reuters July 7, 2025. Canada's Industry Minister has said that a multi-step review of information provided by Canada's security and intelligence community determined that Hikvision's continued operations in Canada would threaten the country's national security. No one has said exactly how Hikvision would harm national security. The company has also faced numerous sanctions and restrictions by the US over the past five-and-a-half years.
- July 2025: I would avoid RealVNC. It pains me to say this as I have used their service for years and been very happy with it. But, the company seems to have gone downhill. I know nothing of their finances, but they are acting like a company that was purchased by private equity and trying to squeeze every last dollar out of the business. For one thing, they changed all their subscription plans and the new plans are miserably explained, so good luck figuring out what you need. Then too, they drastically raised the prices. Then, I had a problem that required a tech support request and the experience could not have been worse. First they hide the page on their website where you submit a tech support request. Then, days went by and there was no email from them, either with their response or just to say that they responded. Then, I logged on to their website to see if they only respond on the website (no emails). Again, I could not find the section on their website for tech support requests. It seems like the Help section of their website has a different logon than the rest of the site. Not sure. I asked their chatbot what to do. It gave me bad instructions. In the Help section, when I clicked a link to Login to the Help Center, nothing happened. After more with the chatbot, it said that my chat would be sent to a person. I waited and waited and waited and gave up. No person.
- While on the subject of remote control software, maybe don't trust TeamViewer. On June 27, 2024, Lawrence Abrams wrote: "TeamViewer disclosed their network was breached in its Trust center. No one knew because they added a noindex tag to their HTML." That is a real low-life thing to do, they are trying to hide a data breach.
- August 2025: Windows users looking to do their own taxes should avoid TurboTax. When the 2025 version of the software comes out in November 2025, there will be no support for Windows 10. Wonder how much Microsoft paid them for that.
- Taking a trip? Beware of these bad things about Airbnb.
- October 2025. In a review of VPNs, the Wirecutter (a division of the New York Times) published something that was wrong, was easily confirmed to be wrong and when confronted with this, did nothing. The article in question: The Best VPN Service October 3, 2025 by Max Eddy. The issue has to do with who owns VPN provider TunnelBear. The article said they are owned by McAfee. They are not. I have a very large write up about VPNs here on this site which includes a section about who owns the VPN provider. This is an important criterion in deciding whether they are trustworthy. TunnelBear was owned by McAfee, but no more. As of November 2021 they are owned by private equity investors. Not a trustworthy ownership. One investor is a subsidiary of the Abu Dhabi Investment Authority. The cute little bears are just marketing. I also look at Exodus reports on trackers and permissions of Android apps and TunnelBear scores very poorly there. But the biggest point is that I contacted both Max Eddy directly and the Wirecutter through their feedback system. No response to me. No update to the article. It is now over 2 weeks since I contacted them, and the article still says that TunnelBear is owned by McAfee. They don't give a shit.
Nov 5, 2025: A month later and the article has still not been changed. I advised them for a second time of the mistake on their feedback page: Wirecutter Wants to Hear From You.
Slightly off-topic: There is much that can be said about Boeing and their planes but, as this is a Checklist website, I will simply suggest not flying on any plane made by Boeing. Their 737 Max gets most of the bad publicity, but the real problem, in my opinion, is the company itself.
COMPANIES TO USE
If buying a mechanical hard drive, buy from Seagate rather than Western Digital or Toshiba. Bad guys buy used hard drives and resell them as new. As part of the scam, they wipe the SMART data on the hard drive so it appears to be new to many utilities. Only Seagate offers a utility that shows that the SMART data is invalid. Their hard drives have some data that cannot be overwritten. More: Seagate Uncovers Global Scheme That Sold 1 Million Used Drives as New by Amar Ćemanović for CyberInsider (August 18, 2025) and 2.5 Admins 263: Seagate RAID podcast episode from September 4, 2025.
When it comes to VPNs, Mullvad is the class of the lot. There are dozens of ways to judge a VPN provider and they are tops on just about everything. This is not just my opinion, it is shared by many.