To correct some oversimplifications in this thread, let me just summarise some facts:
Crypto is exactly as worthless as money.
Not all crypto is bad for the climate, see for example Ethereum and Solana.
Crypto has legitimate uses, especially as a replacement for traditional bank transactions, which to remind everyone, are basically made up numbers and ‘trust me bro’-s. And I will explicitly include smart contracts and NFTs here, just to annoy people who don’t get them.
Not all crypto is private. In fact, it was designed to be the opposite, hence most crypto isn’t private at all.
While not all crypto is private, even fewer ways to spend or exchange crypto are private. A simple and also very private thing is cash.
Connecting to any trustworthy VPN at the very least:
Which is objectively not a scam and a desirable thing to do. Not as desirable as hosting your own VPN, but 100% better than not having one, no matter what some guy on the internet says.
Yeah, Element is super easy to use.
You just need to choose a Matrix instance, create an account with username and password that have nothing to do with what follows, log in (not that), generate keys, ideally back up those keys (which you could ignore, but you are prompted to), then it bothers you with cross-signing (which you can also ignore, except you kinda can’t, depending on your contacts, so log in again and confirm the devices), then choose another, unrelated instance to be discoverable via mail/phone (which again is optional, except if you want to be or don’t want to explain how adding via domain + name works), then add mail or phone number and activate it and boom, you are golden. Except you are not, because if you want Element X, well, you still have no push notifications, which just require you to… Oh, create another account, neat!
Meanwhile on Signal you do what? Punch in your number, confirm, optionally set a PIN, optionally enable backups, done. Yeah, that’s not as private, and missing online message backups, I know, but it’s also a 1-3 step setup without any alarming prompts telling you to do non-straightforward stuff that could very well compromise your privacy. Or having to dig through options and make choices and handle keys you don’t understand.
Do you need a reminder that 123456789 is a popular password and 2FA commonly considered a nuisance? Matrix is complicated enough to confuse even (non-ITSec) IT people.
As a professional software developer, I consider Matrix/Element to be quite user-unfriendly (and anecdotally also quite buggy)
Edit: Some clarifications. Describing this easy process was kinda confusing for silly ol’ me
There are some fairly good solutions tho. Matrix is still kinda half-baked (specifically thinking about 2.0 and Element X) and Conversations has limited capabilities, but they are fairly easy to use
Edit: Although I would really wish Matrix had a ‘normie-mode’, with secure and reasonably easy to handle defaults
You can make an argument for confidentiality making it harder to find exploits in your code. If nobody cares enough to report them to you, or if you don’t have the resources to fix them, open-sourcing your code just exposes them.
This is pretty much only an argument if you use stuff that would be irresponsible to use in the first place tho
This is so stupid. Messengers offer easy access to E2EE, but they are not the only way to make it work. So doing this changes nothing, even assuming you need E2EE to distribute illegal material.
And I want to stress this is not even true. Or can I not just go on the internet and download a movie, which is definitely illegal and aggressively persecuted?
I’m using Proton Pass aliases and they work like a charm. With the browser plugin, it’s easily feasible to generate one for every single thing you sign up for. I would argue that there are some advantages over DDG (although I haven’t used their service for quite a while):
Is it a total game changer? Probably not.
I adopted a lot of customisations from Garuda to my EndeavourOS setup. I got fed up with Garuda because it constantly broke.
Bootloader broke twice, desktop broke all the time, and when I needed to load a snapshot and it simply didn’t work, they finally lost me. Never had any of these issues with my current setup, really a surprising contrast, given that Endeavour is also Arch based.
There are some FOSS SMS clients tho. I used to use Simple SMS, but there were no updates for 12 months.
Maybe try Deku SMS: https://github.com/deku-messaging/Deku-SMS-Android
It seems to have at least some traction for what it’s worth.
I’m gonna go with no, because of containerization and permission management. On your computer, any program can do pretty much anything, unless you explicitly take measures against this. On a smartphone, you get a lot of control over your apps. In newer Android versions you can even completely disable cameras and microphones (even if only in software).
I would use a throwaway account and avoid giving Google any personal data tho. Of course they could still figure stuff out, but it’s harder and unreliable, not to mention super-duper illegal (at least in the EU), so I kinda doubt they go the extra mile.
I’m just gonna go ahead and say it: 16 characters are sufficient and 20 pretty damn secure.
That is assuming they do stuff right and there are no vulnerabilities, which they won’t and there are. However they may manifest, they are a greater concern at 16+ characters, especially if they don’t offer 2FA.
The reason is that even if machines become powerful enough that 16 characters can be brute-forced, which they can’t atm, you can effectively defend everything against brute-force attacks by other means. Including but not limited to limiting login attempts, salts and pepper, multiple encryption layers etc.
With just a pepper you can make a 16 char password effectively a 24 char password… Or a 2.000.000 char password. Assuming it is not stolen alongside, that is.
Edit: Changed ‘salt’ to ‘pepper’.
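The salt-plus-pepper scheme the comment above describes, as an added example that is not from the original thread: the salt is stored next to the hash, the pepper is kept elsewhere (env var, KMS, HSM), so a dumped credential table alone cannot be checked offline. The pepper value and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example pepper; in practice this lives outside the user
# database and is loaded at runtime, never stored beside the hashes.
PEPPER = b"constructed-example-pepper-do-not-reuse"

def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only the salt and digest go into the database."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt, stored in the DB
    # Keyed pre-hash with the pepper: without the pepper an attacker cannot
    # even form candidate inputs for the slow KDF below.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, 200_000)  # slow KDF
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the server-side pepper, compare in constant time."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    s, d = hash_password("correct horse battery")
    print("login ok:", verify_password("correct horse battery", s, d))
    # An attacker holding only salt + digest (no pepper) cannot confirm guesses:
    print("offline check without pepper:",
          verify_password("correct horse battery", s, d, pepper=b"guess"))
```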
You can use Sennheisers without an account - and I think even without the app altogether. Not exactly sure tho.
They have a feature where they toggle sound presets depending on your location. That’s the only thing that requires an account, as well as access to your location. It’s opt-in however (and pretty useless imo).
The simple answer to SSO is: Just don’t.
It has its place in companies, but there is no good reason for private use, except maybe a little convenience.
On the other hand, you open yourself up to your data being collected left and right and increase the chance it gets compromised by it being shared.
They do have desktop apps at least. I’m happy with it so far, totally second the recommendation.
Regarding your general question: I would argue that a separate 2FA app is a must, since you can not only secure your password manager with it, but also remain protected if it is breached somehow.
Having 2FA and credentials in one place partly breaks the rationale behind having 2FA at all.
That’s pretty much it afaik. Owner sold it, new owner didn’t know what to do with it, owner bought it back.