• 1 Post
  • 18 Comments
Joined 2Y ago
Cake day: Jul 24, 2023

Depends on what your definition of winning is. If we reach a state where it is literally impossible to run your own software without heavy hardware modification, which would exclude 99.9% of users, that would be like big tech winning in my book. That’s why right to repair is important, and we probably also need laws to prevent OEMs from disallowing the use of alternate OS.


Let’s be careful to remember that there are different levels of effort and understanding required for different levels of security and privacy. GrapheneOS has taken the approach of offering harm reduction, with sane defaults and options that allow advanced users to take near-complete control over their device (within the limits of the Pixel hardware). This is obvious by their inclusion of the sandboxed Google Play Store as a major feature of the OS, as it is much better than the situation on Google’s Android. It is also not installed by default, forcing users to at least somewhat educate themselves in order to install it.

Accrescent is right in line with this philosophy, and is also not installed by default. Of course if your threat model (or desire) is to achieve the highest level of online anonymity and to have a completely FOSS system, you should not use it… of course you probably shouldn’t use FDroid either, in that case, and should build from source. However, you are clearly in a situation where your threat model does not require those lengths, and FDroid is more of a principled choice.

I think it's pointlessly inflammatory to call Accrescent “dangerous” just because it allows for non-FOSS software. Now if you want to criticize whether or not it is fulfilling its stated goals, that is another story.


For accessing reddit behind a vpn there is a very reliable system of frontends. Here is the instance I use: https://redlib.freedit.eu/


The two have completely different goals, and SimpleX’s goal (anonymity) comes with difficulties such as not having typical “accounts”, which means no true simultaneous multi-device support.




Apparently this is a tough problem for mobile devices… GrapheneOS (security hardened OS based on Android) took months to fix a leak someone reported, and had to collaborate with the VPN app providers to do it https://github.com/GrapheneOS/os-issue-tracker/issues/3442


I would be interested to know why you are pushing this product across multiple places on Lemmy. Your post, despite disparaging “viral marketers”, has a viral marketing tone with statements such as “I feel like I’ve been wasting money on my VPN ever since I found Riseup”.

Additionally, while I do believe a free VPN using an autonomous collective, resource pooling approach is a great idea, in practice this VPN has had… not a great history from my point of view. A quick search shows that in 2017 they were forced to comply with US Law Enforcement https://en.m.wikipedia.org/wiki/Riseup, see the Warrant Canary section. VPNs based in the US are known to be at risk, and this is another good example.

When choosing a VPN provider, server location is important, as well as company location. You are repeatedly encouraging people to Torrent from a VPN based in one of the most zealous countries opposing file sharing worldwide, and one that has already worked with Law Enforcement.


FYI, for folks currently using a normal PIN and looking to use this, it’s intended that the 2nd factor PIN at least be different than the main unlock PIN. Otherwise you can just swipe up to dismiss the fingerprint prompt and get to the main PIN prompt; if it’s the same as your 2nd factor, that’s pointless.

I was told on the Graphene matrix channel that the most secure configuration for this is:

Main unlock method: 6 word diceware password

Secondary unlock method: biometric + 6 character 2nd factor PIN

Be aware that if you use this config that you will be prompted for the main unlock method (long password) at reboot, and also every 48 hours.


WireGuard VPN: Allow Local Route to Subnet without DNS Leaks
I have finally figured out how to add local routes to another VLAN subnet in WireGuard without leaking DNS, and figured that I would share. In this case, I am running an Unbound DNS server on the gateway. In a WireGuard config file you can add "PreUp" and "PostDown" system commands to run stuff before and after the tunnel connects. Unfortunately with some Linux networking (NetworkManager in this case) it will keep using the DHCP assigned DNS server, and if a local route to the DNS server is available it will use it for some things and therefore leak. To prevent this, you can use the Pre/Post commands to force the LAN DNS server to match the WireGuard tunnel's DNS server, and simply return it to normal after the tunnel is closed. This only works with wg-quick, not the NetworkManager WireGuard plugin since that does not overwrite the resolv.conf or run the PreUp/PostDown commands as far as I can tell. Example:

```
# These lines belong in the [Interface] section of the wg-quick config.
# Route the 192.168.3.0/24 VLAN through the LAN gateway, outside the tunnel
PreUp = ip route add 192.168.3.0/24 via 192.168.1.1 dev enp4s0
# Stop NetworkManager from keeping the DHCP-assigned (LAN) DNS server
PreUp = nmcli conn modify enp4s0 ipv4.ignore-auto-dns yes
# Point the LAN connection at the tunnel's DNS server instead
PreUp = nmcli conn modify enp4s0 ipv4.dns "10.2.0.1"
PreUp = systemctl restart NetworkManager
# Undo everything when the tunnel goes down
PostDown = ip route del 192.168.3.0/24 via 192.168.1.1 dev enp4s0
PostDown = nmcli conn modify enp4s0 ipv4.ignore-auto-dns no
PostDown = nmcli conn modify enp4s0 ipv4.dns "192.168.1.1"
PostDown = systemctl restart NetworkManager
```
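The leak the post describes comes down to a routing question: which interface does a packet to the configured resolver leave on? The following is an added example, not code from the post or from the WireGuard project, that answers that question offline with a longest-prefix-match lookup over a constructed route table. The table is an assumption modelled on the post's host (LAN on 192.168.1.0/24 via enp4s0, tunnel on wg0 with address 10.2.0.2, the VLAN route from the PreUp line); wg-quick's full-tunnel default actually lives in a policy-routing table, which is simplified here to a single flat table with 0.0.0.0/0 on wg0.

```python
import ipaddress

# Constructed sample of `ip route show` output for a host like the one in
# the post. It is NOT captured from a real machine. The 0.0.0.0/0 entry on
# wg0 stands in for wg-quick's policy-routed tunnel default.
ROUTE_TABLE = """\
0.0.0.0/0 dev wg0 scope link
10.2.0.0/24 dev wg0 proto kernel scope link src 10.2.0.2
192.168.1.0/24 dev enp4s0 proto kernel scope link src 192.168.1.50
192.168.3.0/24 via 192.168.1.1 dev enp4s0
"""

# Resolver NetworkManager keeps from DHCP (the leak case) versus the
# tunnel's resolver the PreUp commands force (the fixed case).
DHCP_RESOLVERS = ["192.168.1.1"]
TUNNEL_RESOLVERS = ["10.2.0.1"]


def parse_routes(text):
    """Parse `ip route show`-style lines into (network, dev, via) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dst, strict=False)  # bare host -> /32
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        via = tok[tok.index("via") + 1] if "via" in tok else None
        routes.append((net, dev, via))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, the same rule the kernel FIB uses to pick a route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, dev, via in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return best


def dns_leaks(routes, resolvers, tunnel_dev="wg0"):
    """Map each resolver whose queries would NOT egress on the tunnel to the
    device they leave on. An empty dict means no DNS leak for this table."""
    leaks = {}
    for r in resolvers:
        hit = lookup(routes, r)
        dev = hit[1] if hit else None
        if dev != tunnel_dev:
            leaks[r] = dev
    return leaks


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # The VLAN route works as intended: traffic to 192.168.3.x stays on the LAN.
    print("192.168.3.7 egresses on", lookup(routes, "192.168.3.7")[1])
    # DHCP resolver is reachable on the LAN, so queries bypass the tunnel.
    print("leaks with DHCP resolver:", dns_leaks(routes, DHCP_RESOLVERS))
    # Tunnel resolver is only reachable via wg0, so nothing leaks.
    print("leaks with tunnel resolver:", dns_leaks(routes, TUNNEL_RESOLVERS))
```

On a live host, feed the real table in with `parse_routes(subprocess.check_output(["ip", "route", "show"], text=True))` and the resolvers from `resolvectl status` or `/etc/resolv.conf`; the check should come back empty only once the tunnel is up and the PreUp commands have replaced the DHCP resolver.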


Invidious still works very well, however it is an ongoing battle with YouTube. They ban an instance and the instance’s ban evasion routine tries again, or in the case of IP range bans migrates to another provider and the game goes on. Despite this, it is the only way I know of to access YouTube relatively pain free using a public VPN provider. By now YouTube has blocked a lot of public VPN IPs. To me, this advantage makes it worth it.

The best way to keep up with which instances are currently functional is via the Invidious Matrix room, https://matrix.to/#/#invidious:matrix.org. You can also check the instances list https://instances.invidious.io/ but it may get out of date sometimes.

Finally, I’ve found the best way to use Invidious is via FreeTube (Linux) or Clipious (Android).


Nope, pretty normal. You’ll find that you’ll need frontends and proxies for tons of things. For example Instagram hasn’t ever worked for me with a VPN. I no longer have an account anyway, but for the times someone sends me a link I’ve had to find sites that let you view the content without actually visiting Instagram. Same with reddit, reddit frontends are very good these days (I’d recommend any Redlib instance). Also, sometimes a specific VPN server is IP blocked and you can just connect to a different server to view a web site that blocked you initially. It is a fair amount of work, but honestly it’s helped me slow down my consumption of random bullshit anyway haha. I use ProtonVPN and pay for premium.



My experience so far as a new user, which might be a little redundant but here goes:

  • Overall, there is a balance to work out between security, decentralization and FOSS, and anonymity.
  • for the average user, using sandboxed google play is pretty much essential. Otherwise you’ll spend days trying to figure out why you aren’t getting notifications, why certain integrations aren’t working, etc. Notifications especially are just painful without google FCM. HOWEVER, I do not believe it is mandatory to sign in to your Google account for notifications to work, so you could in theory avoid signing in at all and still take advantage of FCM.
  • multiple profiles don’t make sense for my use case (and possibly most people). Graphene does advertise the use case of having banking apps on a separate profile, but after attempting to do just that I believe it is a very niche use case that would actually benefit from it. Obviously a great tool to have for privacy and security, but not something you’ll want to use every day.
  • For the move away from iMessage, it is indeed kinda painful and still ongoing. The simple fact is that people are super weird about switching from iMessage, and honestly going straight to Signal was a no-go for many of my contacts. I’ve had to settle for WhatsApp, Telegram, and even Discord… I just have had to accept that the transition will take time. I’ve weighed that privacy issue against the privacy gain of GrapheneOS itself, and the benefits of supporting a 3rd party OS option, and I still believe using Graphene is better overall. And, once people get used to using a 3rd party app vs iMessage, in a couple years the jump to Signal will be no problem at all.
  • banking apps are super painful. That being said, here is an opportunity to vote with your wallet… Support apps that don’t require invasive system access for “security”. For me, the biggest eye opener was that there are NO GENERIC THIRD PARTY TAP TO PAY PROVIDERS IN THE US. It is only Apple Pay, Samsung Pay, or Google Wallet. And, as is pointed out on the Graphene user guide, 3rd party apps are allowed to implement their own NFC payment system, but the extremely vast majority simply choose to use Wallet or Apple Pay. This is obviously rather scary as more and more retailers use these systems, and I’ve realized I would gladly support and use any alternative at this point. Without Graphene, I would have never even thought about it.

I use openSUSE Tumbleweed and it has BTRFS and snapper (snapshot manager) set up by default, with all necessary system subvolumes already created. It’s been a great experience for gaming so far, and actually the best experience with NVIDIA drivers I’ve had! All you would need to do is create a separate BTRFS subvolume and snapper config for your games folder and you’d be good to go, without worrying about any other setup! No need to use EXT4 at all. Additionally, there is very detailed snapper documentation on the openSUSE website.

https://doc.opensuse.org/documentation/leap/archive/15.0/reference/html/book.opensuse.reference/cha.snapper.html#id-1.4.3.4.2.2

Additionally, you can get support from the community in the openSUSE Matrix Space: https://matrix.to/#/%23space:opensuse.org

Use the support channel (#support:opensuse.org) or the gaming channel (#gaming:opensuse.org)


Yeah I believe asdf is a kind of package/version manager, so probably similar. And yes, when you install you will see the Proton-GE version as an additional Proton version you can apply in the game options, but it does not overwrite the already installed Proton versions.


https://github.com/GloriousEggroll/proton-ge-custom

I recommend installing it via asdf, which is described in the installation section of the github readme


TL;DR It uses the Matrix protocol to make every post E2E encrypted in the same way a Matrix chat is. Except they added more separation between people in the “Circles” functionality. Instead of everyone seeing all content like in a chat room, you have to invite people to follow your timeline. And only those people who have been invited can see your posts, and vice versa. I’m not sure he said it specifically, but it was implied that unless people have invited each other to see their posts, they can’t interact with each other in the same circles (he used an example of two people not liking each other and both being able to see a 3rd person’s timeline, but not each other's timeline/posts). So essentially it offers encryption and social media like usage but with a sane privacy stance…aka nobody can find you via stalking your mutuals and nobody can just google and DM you out of the blue. Basic photo and sharing is available, apparently improving those features is what is planned for this year. You can also self host it if you wanted, as it just runs off a Matrix server (although they currently provide a US and Europe matrix server run by the FUTO company that funds the app development). Looks like they plan on charging for storage space ($1.99/month for 10GB is what it says in the app right now), and I’m not sure how much storage you get for free.