• 0 Posts
  • 171 Comments
Joined 2Y ago
cake
Cake day: Jun 04, 2023

help-circle
rss

Remember that fingerprinting can be your friend… because it’s much easier to fake an online fingerprint than a real one.

You can generate a unique fingerprint with each online interaction; this means that you will always have a unique identity.

Or, you can ensure you always have the same fingerprint as a large number of other people.

Think of it as the difference between using a different valid loyalty card each time you shop vs using one of the famous numbers that millions of other people are also using.

Of course, in both circumstances, you do give up the benefits of being uniquely identifiable.



There are an infinite number of programs that could do this. Will they? Probably not.

Best thing is to install a trustworthy personal firewall, and block all outbound network access for all processes, and then enable as needed. This won’t stop Windows itself, but it will give you a heads-up if something else is trying to send data somewhere and you can make an informed choice at the time.



The one I use is part of a hardware UTM, but I also use Lockdown VPN on iOS, and https://pi-hole.net/ in a container on my LAN, and then VPN all my devices to my home network when I’m not at home.


Depends on the browser/OS.

My go-to for general browsing is Firefox with uBlock Origin and NoScript, which I also use in Edge; I have a few browsers that are still using uMatrix, and I have a proxy filter that strips calls to .js URLs by default except for specifically allowed URLs.


This is why using a local web proxy is a good idea; it can standardize those responses (or randomize them) no matter what you’re actually using.

Personally, I keep JavaScript disabled by default specifically because of this, and turn on those features per-site. So if a website has a script that requires the accelerometer for what it does, that script gets to use it. Other sites keep asking for it? I suppress the requests on that site and if it fails to operate (throws one of those ad blocker or “you have JS disabled errors), I just stop going to the site.

I’ve found that with everything disabled by default, browsing the web is generally a pleasant experience… until it isn’t.

This of course requires using a JS management extension. What I’d really like to see is a browser that defaults to everything disabled, and if a site requests something, have the browser ask for permission to turn on the feature for that particular script, showing the URL for the script and describing what the code does that needs the permission. This seems like an obvious use for locally run AI models.


Thing is, privacy isn’t binary; it isn’t even a spectrum. It’s an amorphous 3-dimensional cloud.

Total privacy means that nobody else knows you even exist. Nobody wants total privacy, even if they think they do.

What most people want is for governments and corporations to not be able to track their day to day activity, malicious actors to not have access to their identity and financial data, and individuals to only have the information about them needed to connect and relate in society.

The first thing anyone needs to do is create their own privacy and threat models. Identify your personal risks within those models and adapt as needed.

For instance, using a cellphone of any type means you’re using a location tracker. Same goes for any vehicle with a built in cellular device. That information is available to specific corporations as well as government agencies and sometimes third parties with money.

Is it worth giving up that level of privacy to be connected to other people in most places you’d be likely to go? That’s up to the individual.

Same goes for libre software and hardware.


Buying with cash is useful, or else someone is still selling your purchase patterns.

And turn your phone off before you go in the store.


Since we’re discussing Windows privacy here…

What I’d really like is something that creates a situation like VeraCrypt plausible deniability, but where the base image gets updated regularly so that the timestamps and temporary file usage also look plausible for a computer used today.

Then instead of running an app like this, you just log out, and when you log in with the wrong password, it presents a plausible if mostly empty userland that overwrites the real encrypted data as new files are written to disk.


And in recent years, VPN abuse by malicious actors has gone WAY up. Well, either that or the ability for InfoSec practitioners to trace the threat actor back to the VPN has gone up. Or a combination.


I don’t have these legitimate concerns, and I STILL keep stuff like that as thoughts in my head. The only reason I’d journal my thoughts is if I eventually wanted someone to read them.

I keep my journaling for things I actually do in real life that I want to keep track of.

What is the purpose for writing it down? When you know that answer, then you look for the safest way to accomplish that purpose, which probably isn’t a diary.


Realistically, what the article suggests to me is that I should carry a burner phone when crossing borders and if I need my real phone, turn on lockdown mode and then turn it off and stow it in my luggage with the understanding that it may get confiscated and never returned.


Probably worth reading the article. There are consequences to saying “no” at the border.


That’s the point. Windows 11 cannot be made to be a private OS. So you have to adjust your privacy model instead if you want to use it.


Censorship is when the government blocks otherwise free speech.


Depends on who does it and why.

The US government blocking access to .ca by US citizens? Yeah, that’s censorship.

Your ISP blocking access to .su domains? Nope.

A web server blocking access to .br domains? Again, no.


Er, your instructions don’t kill all the telemetry that makes Win11 so privacy invasive.

Unfortunately, your comments about security are spot-on — there have been a number of improvements in the latest Win11 releases that were never added to Win10.

So while Win10 can be tweaked to be a relatively private OS, you need to update to the latest Win11 for security, or switch to a non-Microsoft OS.


Help them get to Canada?

If that’s not an option and they don’t already have claimant’s status, help them get somewhere off-grid.

If they’ve got claimant’s status already… the government is already keeping tabs on them and will likely hunt them down. Their best bet may be being sent to El Salvador where at least they won’t be tortured and killed (assuming that’s not where they’re from).


Funny thing to me about this is that I’ve been using PGP since 1993. OpenPGP became an RFC standard in 2007.

S/MIME became an RFC standard in 1999. And that’s really the reason it has stuck around. It got an 8 year head start on OpenPGP, despite PGP itself being used in email as far back as 1991.


Actually, this raises more questions. If ZoomInfo is anything to go by, I’m about 5 different people, none of which accurately map to the real me.

And that’s just me; there’s millions of bots and dogs on the Internet.



In a browser? Via DDG works pretty well.

Has anyone created a PWA for YouTube?


Yeah; unfortunately on that particular computer, it’s the only modern browser that still functions. I don’t trust it with anything.

If the question had been “what trustworthy browsers do you use?” I wouldn’t have mentioned it.



Thing is about trade marks… if the terms can be shown to be in common usage, the mark is struck down. Like Kleenex and Xerox.

So let’s all start talking about privacy invading cameras as being flocking stupid.


As a centralized system, nothing has been shown to improve on Signal yet. For decentralized systems, I haven’t seen anything better than Matrix yet? SimpleX is slightly more secure, but harder to spin up and easier to break.

Session… there have been multiple articles written on how it is flawed and untrustworthy.


Reminder that you don’t need to use iCloud backup; local backups still work fine and are encrypted.


xz almost worked because it was in something nobody was looking at. Signal code is audited regularly.


I convinced my family to switch by giving them my Signal contact info and letting them know that that’s where they could contact me. I ditched my WhatsApp account when Facebook bought them, and never had any of the other accounts because I knew too much about the people behind the companies.


This is an important extra point: being open source, a government can’t secretly mandate a back door, because everyone would be able to see it. For the other options listed, there are no guarantees.


Many services do that. However, very few make it the only 2fa allowed.


Yes, this is normal. The alternative is having your domain stolen and held ransom by someone who pretends to be you. Usually they do have an alternative method though, using some other 2fa like a yubikey.


I studied AI in the 90s.

It’s been studying me for over a decade now.


Does it block you even when you use old.reddit?


The obvious next question is: what features do these apps have in common? Do they share a development platform or ad network? Do they use Firebase or some other diagnostics/debug platform?

Because I suspect that they’re all using some sort of “free” or ad supported component that just happens to be owned by a shell company belonging to either a data broker or a company selling large amounts of data to one.


It’s not in my profile, but if you search my work address, my profile is the single result.


That’s what I do, but they tied my work email to my LinkedIn profile anyway… I keep my personal life offline aside from work and use pseudonyms on systems like this, so they aren’t linking the rest of my life, but they didn’t have any issues tying down my professional identity.


Just a warning that LinkedIn and the like try to link your private and corporate information.


And the decryption key is stored… where?

Sure, they COULD be using a TPM in the cars and PKI so that having the public key still only lets them encrypt the data and not decrypt it… but in that case, we wouldn’t have this article, because they’d have properly secured the data.

Since they only really value that telemetry in bulk and have to foot the compute bill, I’m pretty confident they don’t actually do that, but instead depend on the S3 bucket and the connections to it being encrypted.