Reddit's new "private" chat system is powered by send bird without any additional end to end encryption.

This means send bird provides a searchable plaintext database of all of these "private" chats.

https://sendbird.com/features

I like the (public) chat feature but to introduce "private" chats a feature that is clearly intended to increase interactivity and thus use of the feature without making this clear is just wrong IMO.

Reddit private chats are anything but.

Here's how my dumb brain understands it:

His friend sent him a youtube link in WhatsApp. WhatsApp does link previews in its messages--and somehow, when the link loaded, Youtube knew that it was this dude looking at the link.

Fun fact: that's a classic OSINT technique to find people who are on the run. Send them an email with an embedded image saved on one of your websites, and then just wait for him to open the email--when he does, you can see what IP address loaded the image and boom--now you know where he is.

Also fun fact: Signal has taken steps to prevent this from happening: https://signal.org/blog/i-link-therefore-i-am/

Whatsapp is owned by fucking Facebook. Nobody should use it for anything.

Use Signal.

Signal for iOS

Signal for Android

>Consider a reputable VPN like Freedome.

Yeah they collect and distribute your data lol.

Edit: I'm not bashing Freedome for no reason, read the F‑Secure privacy policy for their services yourselves lol.

>We may disclose some of your personal data to subcontractors and F-Secure group companies who provide parts of our services that you use.

Whose going to ensure that those subcontractors don't leak your data?

>We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc,), who market, sell and distribute our services.

Sound familiar?

Now read the F-Secure Freedome Privacy Policy.

> We only analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact, this means that:

>1. We need to process some metadata (such as: volume, country, IP address) of your traffic when providing the service to you;

>2. As an information security company, we analyze the traffic for suspicious or malicious files and destinations (i.e. URLs);

>3. We automatically screen the traffic to inhibit usage that is against our acceptable use policy; and

>4. The service collects statistics to give you a view of your browsing history via the service, but we do not connect this information to you.

>For us to learn when and how you use our service, to enhance it, and to learn how customers find out about the service, the service also collects data on installation success, installation and activation paths, performance, operation environment, connections, data routing, quota, as well as other similar metadata (such as which features are used and how often). We do this so that we can create services that are of value to you and our other customers.

Try this it's only visible to the camera. IR flashlight.

EVOLVA FUTURE TECHNOLOGY T20 IR 38mm Lens Infrared Light Night Vision Flashlight Torch.

Edit: I just put the description... Any IR flashlight should work well.

Interestingly enough, almost all Android phone bootloaders can be unlocked. Especially Google's Pixel devices have an "unlock-friendly" bootloader: You can unlock it, install another operating system such as GrapheneOS and then even relock it to be able to use verified boot. Verified boot is an important security feature that confirms the integrity of the installed operating system on every boot (even for third party OSes assuming you relock the bootloader), thus preventing offline modifications or malware from persisting across reboots. You can also unlock the bootloader again, install the stock OS made by Google and relock it again. In comparison, lots of other Android phones (Samsung for example) are also unlockable, however you will not be able to lock the bootloader again, even when you install the stock OS again, because when unlocking the bootloader, a physical fuse on the circuit board of the phone will be tripped. This will also void your warranty. Some custom ROMs have been developed for phones with bootloaders that can't be relocked. These ROMs might provide better privacy at the cost of decreased security because verified boot is unavailable. It is a good idea to force the vendors to let the bootloaders be relocked after installing third party operating systems.

I have a hunch it could be related to https://signal.org/blog/cellebrite-vulnerabilities/ and the followup https://hothardware.com/news/cellebrite-physical-analyzer-software-no-longer-supports-iphones

What kind of phone does your wife have that they inspected?

Congratulations! Very good start towards improving your security and privacy. See here for a lot more guidance to help you along: https://www.privacytools.io/

​

what is up with their website?

It redirected me literally 8 times, to completely different articles, ending up on https://thenextweb.com/microsoft/2017/11/30/microsoft-edge-now-publicly-available-iphones-yay/

How does that even make sense?

The web was bound to fail anyway, because the web relies too much on people, and most people are shit.

The only thing the web is still good for now, is figuring out the next platform (decentralized things like ipfs come to mind), until that gets ruined of course.

There is and it's called CanvasBlocker: https://github.com/kkapsner/CanvasBlocker/

Can be configured in multiple ways, blocking canvas readout api completely or returning random data each time. Works also for multiple other common used APIs for fingerprinting.

Hi there, the TutanotaTeam here. We noticed this discussion and wanted to jump in: In regards to data protection laws Germany and Switzerland aren't so much different. One difference, however, is that Switzerland has data retention laws for email, which Germany does not have. Anyhow, any company in these two countries must hand out data if requested to by a court. Nevertheless, as all data is encrypted in Tutanota, we can only hand out encrypted data. If you're interested in details, best check the transparency report: https://tutanota.com/blog/posts/transparency-report/

Maybe show them this or copy paragraphs: https://thenextweb.com/contributors/2018/11/20/read-this-if-youve-got-nothing-to-hide/

https://www.startpage.com/

thanks, this will be great to switch to! I've found google's engine to give me better results when searching sites like "site:reddit.com/r/privacy thing", so it should help.

This is the same company that Moxie Marlinspike absolutely embarrassed in a blog post recently after they claimed they could extract data from Signal. https://signal.org/blog/cellebrite-vulnerabilities/

Beep. Boop. I'm a bot.

It seems one of the URLs that you shared contains trackers.

Try this cleaned URL instead: https://signal.org/blog/keeping-spam-off-signal/

If you'd like me to clean URLs before you post them, you can send me a private message with the URL and I'll reply with a cleaned URL.

It's a fairly long but not complicated process, but basically involves purchasing a Raspberry Pi 3+ (it's about the size of a cigarette packet), installing Raspbian, and Pi Hole on it. You then connect it to your real router, and set all your devices to use the Pi's DNS.

See

1. https://pi-hole.net/
2. https://www.youtube.com/watch?v=rp8mi1oAvAg

Webkit is open source, would offer much of an improvement over ’s filter lists, which Firefox uses for its default tracking protection.

> For search, duckduckdo is really good.

In addition StartPage searches Google, but strips it of all metadata.

> As for phones, you can download apks from the store with yalp or alternatives.

Also, I suggest looking at FDroid for FOSS applications for android.

If you want to go completely google services free, there are plenty of Android roms based on the open source version.

This is why it is SO important to use a VPN or proxy to access sensitive sites.

TIP: You can search for the website disruptj20.org privately at StartPage.com and then visit the site privately using the free StartPage.com proxy link option.

When you search with StartPage, you are protected. StartPage does not log any personal information, and your searches remain private. Even Edward Snowden has recommended StartPage no-logging privacy.

When you visit the disruptj20.org site through the free StartPage proxy, StartPage doesn't "see" you and neither does the website or host. All they would see is StartPage. This also prevents you from getting any tracking devices, adware or malware on your browser while you visit through the proxy.

The Signal team have vouched for WhatsApp in the past https://signal.org/blog/there-is-no-whatsapp-backdoor/

Granted that was a few years ago and there’s no telling if WhatsApp has changed since then. But Signal haven’t announced a change in stance regarding WhatsApp, so it’s probably safe enough, assuming you’re ok having your metadata mined…

Apple reserves the right to “use [customer] personal information for internal purposes such as auditing, data analysis, and research to improve Apple’s products, services, and customer communications” across its product line. It permits itself to share this information with “its affiliates” as well (whoever they are).

Source: https://www.apple.com/legal/privacy/en-ww/

EDIT: Things get more complicated further into the terms of use, according to reddittechnica - http://www.reddit.com/r/privacy/comments/2ys6jx/apple_admits_siri_voice_data_is_being_shared_with/cpcwuic

>UBlock Origin - it uses less CPU/RAM and shows no ads.

>Adblock (Plus) allows certain ads. They will also demand money from "larger entities" to let ads through. While I'm not a fan of ads (I use uBlock Origin), I'm also not a fan of how Adblock (Plus) makes money - they are basically running an extortion racket. This makes marketing more expensive even for good/nice/no-spammy/well-behaved companies:

> … our main source of revenue comes as part of the Acceptable Ads initiative. Larger entities (as defined below) pay a licensing fee for the whitelisting services …

> Regarding fees, only large entities (those with more than 10 million additional ad impressions per month due to participation in the Acceptable Ads initiative) have to pay.

>https://adblockplus.org/acceptable-ads#revenue

Source

OpenOffice is not getting serious development for over 8 years now. Please don't use it, the only thing it has is the name recognition.

Use LibreOffice if you want a FOSS office suite.

Not too long ago, Cellebrite announced "support" for Signal Messenger. This "support" is only for unlocked phones where Signal Messenger is also unlocked. Cellebrite makes devices that download any available info from many phones, locked or unlocked. An Android phone that is freshly restarted will expose minimal data. A decrypted phone (after you enter your password the first time), even when the screen is locked, will offer a little more data, still not much though. Something to note is that some things, like the alarm you set and named "Remember to dump the body from the drum," are accessible from your encrypted & locked phone.

The Signal organization "found" a Cellebrite UFED that "fell off a truck" and they found numerous vulnerabilities. Read the blog post here. It's not very long nor technical. Pay attention to the last paragraph, LMAO.

It's possible that law enforcement is looking for the pretty little files that "don't do anything" that Signal Messenger uploaded to a few random people's phones. I read a legal blog post suggesting that the US government might try to prosecute someone under the CFAA if these files do damage to any of their Cellebrite UFED machines, possibly with the goal of going after Signal Messenger.

Just a thought.

Privacy and Win10 are 2 different things... but in this case, maybe the server that Win10 was trying to communicate with was blocked by the router or something else... so it kept trying again and again ... It happens sometimes with my Pi-hole

Since we are looking at ToS here i think this website deserves an honorable mention. It's basically a website that makes TL:DRs for ToS though it seems some of the rating may be outdated.

Maybe some of the more lingo-savvy people among us can help update their ratings? It does seem like a good resource for privacy-minded people after all.

1. Avoid Edge, Chrome, and probably anything Chromium-based.

2. Anyone interested in hardening their browser for privacy should take a look at the privacytools.io list for Firefox: https://www.privacytools.io/browsers/#addons

Addons I'm using: NoScript, HTTPS Everywhere, uBlock Origin, uMatrix, Nano Defender, Privacy Badget, Privacy Possum, Decentraleyes, Cookie AutoDelete. They also list tons of config options to tweak along with a couple open source JS templates aimed at privacy configuration. Librefox is a new version of Firefox which includes a lot of these tweaks, but you'll have more leeway with customization if you just use a stock Firefox install and implement only the changes you want.

Also look into pi.hole if you really want to get paranoid.

/r/privacytoolsio is another great privacy-oriented sub.

I believe this particular discussion and decision is quite old and settled. The use of phone numbers is a usability and reliability trade-off that users need to be willing to make with Signal. If that's not fitting of your threat model, may I suggest https://matrix.org/

Its a way to bridge WhatsApp messages over a different messaging protocol called matrix. Matrix is a decentralized and federated approach to messaging and both the clients and servers are open source. If you run your own server you can install various bridges that let you forward messages from one platform over matrix so you can avoid installing many permission-wanting and tracking-laden apps on your phone. For example, I run my own server using this ansible playbook and it includes scripts to set up bridges for WhatsApp, messenger, groupme, discord, slack, and many other services. Its a great way to transition off of a service without getting rid of it completely, allowing you to keep in contact with people who use the nonfree platform without needing to interact with it directly.

Matrix is definitely the way to go in terms of private, encrypted messaging IMO but it requires a little more work to set up than something like signal.

Yep, that would be great for newbies. Actually there are lots of posts about how to stop using Google out there: one example and another example.

But having it here would be awesome!

Did you even read the comments? I'm not saying that I support protonmail (or any other proton services). But you can't trust everything that is online.

> protonmail: We've unfortunately had to deal with a lot of this recently. The issue is that we have turned the VPN industry upside down by providing a free service, and that is likely hurting profit margins across the entire sector so everybody is trying to hit ProtonVPN now. We just aren't very profit driven, and that's the type of competition that brings down prices (and profit margins).

> protonmail: ProtonMail team here. The above is not correct. ProtonVPN is developed and operated by ProtonMail. However, it exists as a separate legal entity for security reasons. This is to avoid ProtonMail getting banned in jurisdictions where VPNs are illegal. An example is China where ProtonVPN is banned, but ProtonMail is permitted. Had they been the same company, both would have been banned together. So from the legal standpoint, we put as much separation as possible between ProtonMail and ProtonVPN. Like ProtonMail, the ProtonVPN team is distributed, split between Geneva, Skopje, Vilnius, and San Francisco. Tesonet (one of the biggest IT firms in Vilnius) was previously used as outsourced HR before we incorporated our own entity in Vilnius. We have similar arrangements for our staff in San Francisco, Prague, and Skopje. The above poster's intentions are a bit suspect, given that he's the co-founder of PIA...

Do you really, really believe privacy can be attained by disabling few settings at the user end? If you're not paying, you're the product.  

>Free Software Foundation accuses Microsoft for using "draconian laws" to keep users away from the core of the Windows operating system, stating that "Because it is fundamentally insecure and scoffs at privacy, Windows is an open window onto you." http://news.softpedia.com/news/reject-windows-10-and-embrace-free-software-says-fsf-488237.shtml

Some privacy focused OS alternatives https://www.privacytools.io/#os

I was about to buy Alice on steam for $5.

Found a better home for that $5.

EDIT: it took forever for the site to update after i donated, but here is the list of donors. Just wanted to prove I really did donate :3

Not a gallery app, but I think Signal (Android, iOS) would be great for this. Built in camera, conversations are encrypted end-to-end, as well as at rest if you set a passphrase for the app. A bonus is end-to-end encrypted messages all the time, not just for photos. Encrypted voice/video calls are also supported.

The other bonus is that because all the photos are encrypted at rest within Signal, no other apps are going to be able to access them, period (unless of course you decide to export the photos to your camera roll).

I know this isn't the gallery app you were looking for, but I think it's going to be your most private/secure option.

I cant say for sure but if you use FF anti-tracking + uBlock Origin + Privacy Badger you will have a good chance of blocking MOST tracking attempts. uBlock has some quite sophisticated filters which you can rely on without worrying about using extra targeted addons for cookies.

One thing to be careful about if your thinking about adding more addons is fingerprinting because the more unique your browser is compared to the majority of the FF population, the more chance you have of becoming uniquely identifiable but you probably already know this.

One last thing I can recommend is follow the Firefox: Privacy Related "about:config" Tweaks which works well and tightens the security and privacy of firefox further.

linageos comes without gapps which are googles preinstalled apps and also some services but many people install them for compatibility. those are not very good privacy wise. i would suggest to use linageos for microg https://lineage.microg.org/ if you need apps that use those google services.

> All this information is essential for sysadmins and web developers to troubleshoot potential issues with the site or the server.

not really, having managed matomo instances, it is far more an analytics of visitors tool than a tool used to troubleshoot server issues, for those you are better off looking at daemon generated logs. (even if there were no analytics it's likely system logs are on and collecting similar data but people over look that)

It's a google analytics replacement so will gather as much or as little information as you want. from as simple as what page a looked at all the way down to heat maps of mouse movement on pages.

Matomo does make an effort to protect peoples privacy but even with only recording one octet of an IP address, it's still possible to uniquely track visitors, just their IP is hidden from the Matomo users.

Having said all that, the whole situation was handled poorly, by both u/Axxxse and /u/burunghantu. The ban does not seem to have been justified but either was this post claiming an updating of the privacy policy to clarify what the site is doing was some sort of conspiracy to track us.

NB: the "No Google Analytics" at the bottom of the site is a bit disingenuous, as while technically true, it very likely leads most people to assume they use no analytics.

Hi Guys!

Thank you for your support here on Reddit!

Yes it was a fake email sent to PureVPN Customers. However, our VPN service is functioning 100% fine and there is no interruption whatsoever.

While we are further investigating the actual cause. Please check out our blog for further clarifications and updates:

We are also keeping our customers updated every minute through our Twitter channel. Please follow us on twitter @purevpn for further updates.

Thank you everyone!

PureVPN Team!

This happened to me and they blocked me out of my account. You can use a picture from https://thispersondoesnotexist.com/ and get a fake ID from Google (university ones are quite easy to come across). Some extra editing work and you can bypass this requirement.

I would rather not use Facebook but due to work and other reasons, I have to be on there in some capacity.

I’m in the same mindset, as paranoid as I am about privacy, set and forget is definitely the way forward for me. I use ProtonMail and F-Secure Freedome (VPN) on everything, phone, tablet, VMs. Nothing connects to the internet without it. I’ve got true gbit up and down connection and it performs well with it. I’m toying with the idea of configuring my router to do the VPN handshake part but not sure what visibility I’d have if it failed. Something to test I guess.

Keepass user too.

> We haven't had a chance to formally release Epic's source code because we've been giving 200% to get the product ready, and Chromium is a HUGE code base so to release it in an organized way will take a bit of effort.

At the end of the day, trust that software is not malicious depends on many eyes looking at the project. You're not going to be able to code-review everything this project has ever done (even when/if they bother to push to github), but someone would be screaming bloody murder if a backdoor or privacy-invading feature were committed to Firefox tomorrow.

I trust Firefox developers + the addon more than I trust a custom, unreleased modification of chromium. Further, I trust Mozilla to provide me with a clean binary more than I trust some random, unknown group. Even if it were open source, Chrome apparently takes 500 TB of RAM and hypothetical quantum supercomputers to compile, realistically very few people would build their own.

So three separate issues: no community to back me up, no code base, and no faith in the binaries.

Just use FF's Private Browsing as desired, and you'll be able to use crazy features like FF's password manager and (local) spell check, features Epic boasts of not having.

Or if you're serious, use the TOR browser, which has further privacy-conscious modifications and also has many eyes on it.

>But see: https://lifehacker.com/generating-a-bunch-of-internet-noise-isnt-going-to-hi-1793898833

What about a process active in the background that creates noise that makes sense? Like creates fake habits and patterns in the noise it generates?

For those who want a replacement for CCleaner, use Bleachbit. Open source and does what CCleaner does.

EDIT: One bit of information. If your files are on a SSD, you do not need overwrite the files to truly delete them. TRIM will actually delete the data

Presumably they're using the same mechanism as today, but just enabling it by default. That means it's based on the blacklist:

There's O&O Shut Up that's been updated to support W11 and seems to be fairly popular. However, I do have a problem recommending things like this since many aren't open source and they collect data.

While OOSU doesn't specifically say it collects data for this particular freeware, they do collect data from their other offerings, so it should be assumed they may be collecting with this application as well.

To prevent that, you could use something like Glasswire (paid) to block OOSU from any outgoing network connections to ensure it's not doing anything fishy.

It's worth looking into the DDG browser on Android instead of Chrome too.

It's much harder to build a unique fingerprint with it

It is, in-fact, real. Though not exactly normie-friendly, mostly due to software still being WIP.

edit: Reportedly one of the best/most responsive userspaces for it right now is this.

Now that the NSA has poured gasoline on the erosion-of-trust bonfire, we can get started. x-post from /r/linux :

• prominent OpenBSD member questions the IETF.

Of course they are. Windows 10 is the ultimate surveillance tool (https). Best defense is still TOR and/or a VPN - see guide (https).

There are countless people who know how to check network activity. You can reasonably assume that someone would have raised alarm if it was sending content that you load to some mysterious server.

Plus uBlock origin is open-source, so you can compile it yourself if you so wish. It's as good a guarantee of privacy that you can get from a piece of software, and what we should be pushing for.

Alternatively (to HSTS) everyone should be using EFF's HTTPS Everywhere extension to force HTTPS. In the latest version you can even block all plain-text HTTP connections by checking a button.

Since it's today you probably just have to grin and bear it. If you have time you could create a restore point and roll it back after you take the test.

Depending on your laptop model if it's something you have to keep showing up with maybe invest $50 and get another hard drive. Image your current one over and install their crapware on that. Then just swap it in when you have to take a proctored exam.

Spez: Or just get a bigger hard drive and dual boot.
ReSpez: Actually probably not a good idea. I imagine Honorlock will see the OS on the other partition and bless it with its presence the next time it boots up.

If you want to confound them show up with linux as the only OS on your laptop.

Please don't forget about modem isolation, this is a very important topic for all "smart"phones (not for dumb phones):

>A device with bad modem isolation cannot prevent the modem from accessing and controlling key parts of the hardware. For instance the main CPU's RAM, its storage, the GPS, the camera, user I/O and the microphone. This situation is terrible for privacy/security as it provides plenty of opportunities to efficiently spy on the user, that could be triggered remotely over the mobile telephony network. That mobile telephony network is accessible to the mobile telephony operator, but also to attackers setting up fake base stations for that purpose.

https://replicant.us/freedom-privacy-security-issues.php

>when I log into my google account it's going to track everything I do on the device

This is correct. Don't associate your Google account with your Android device. Only use libre software from the f-droid store.

You should also keep your Bluetooth and WiFi disabled whenever you're not using them, as you can by physically tracked by those.

https://www.getapp.com/security-software/a/okta-on-demand-identity-management/reviews/

Why can’t the company purchase devices for leveled employees to have these apps on those devices. This is my personal device, I don’t want to install the collection of Okta on my personal device.

Logging my location on / in /around my work and outside of work life. Or buy a new device that’s wiped and use that for work and nothing else.

> Yes we do, any site has a privacy policy.

I can create a DNS service, create a page saying "I don't log anything" and then log every query and sell it to advertisers. Let's not put all our trust on the privacy page.

> If they're not descriptive, then it's probably not a good one to use.

I agree. Still, many use and recommend services that don't describe what they're doing and are trusted anyway.

> https://www.quad9.net/policy/ is just one example.

I don't know if you think that Quad9 is better than Cloudflare from a privacy point of view, but what's the difference between both?

For many Quad9 is like the holy grail, but they seem to collect more and less the same data, which is probably required to run a stable service on level like this. Not to mention that Quad9 is supported by entities like this one: https://old.reddit.com/r/privacy/comments/8v0qru/next_mozilla_release_will_forward_all_your_dns/e1jzg88/

Both services log and share anonymized stats with 3rd parties. The main difference having a quick look at Quad9's privacy page is that they have a wall of text and, for example, talk about logging query data while Cloudflare specifies which part of the query is logged:

>Query Name > >Query Type > >Query Class > >Query Rd bit set > >Query Do bit set > >Query Size Query EDNS

I'm not going to go after CF because they used a list to show every single thing they log. Also we would be having a similar discussion if the service was operated by Mozilla.

Don't forget to mention the handy (FOSS) decentraleyes addon. Helps with more than just remote fonts too.

https://reddit.com/r/privacy/comments/71abka/what_does_the_addon_decentraleyes_do_exactly/

https://decentraleyes.org/

I might be missing something, but doesn't Riot (& Matrix protocol generally) leak a lot of metadata to the network. So basically anyone running a server on the network can know who is communicating with whom and when?

E2E encryption is great, but without protection of metadata it's meaningless for privacy.

It's not a problem that riot/matrix is particularly designed to, or interested in, solving: https://matrix.org/~matthew/2015-06-26%20Matrix%20Jardin%20Entropique.pdf (e.g. see slide 49 below)

>Matrix is all about >pragmatically fixing today's >vendor lock-in problem. >You can't bridge existing >networks without exposing >who's talking to who.

Yet ProtonMail has an eerily close relationship (formerly shared offices; formerly shared staff) with a major data mining organization (Tesonet). They even used Tesonet signing keys for one of their android apps.

To be fair - the ProtonMail and Tesonet people responded to such claims on reddit, and their recruiting pages emphasize machine learning.

But in any case, you probably want some privacy protecting anonymization layer (tor, and cash payments) between you and Proton*.

Don't use any Facebook related services, like Whatsapp, Instagram, Oculus Store... But Facebook is not the only one, do you trust Google? Microsoft? Apple? Amazon? Most of them probably exchange data between their database anyway. If you try to avoid them it's nearly impossible to have a digital life.

The best is to use multiple fake accounts, give as few personal info in them and split your contact on these accounts (one for family, one for close friend, others type of contacts should not be on social media anyway). Don't forget to backup everything you can and don't hesitate to start from scratch from time to time and delete as much old posts, upload and whole accounts. But don't use one or two accounts then one day get new ones and reset everything 1:1, you have to progressively migrate from one to another.

Offer to use other platforms, at least your close family or close friends could accept to use Wire, Signal, XMPP OMEMO, , ...

Connect as much as possible using tor or various VPN (also consider VPN with Tor output like ProtonVPN offer but it's expensive).

Use uBlock and other tools as you said to block as much tracker as possible. Use a clean browser that leak as few data as possible (very hard in practical).

Others would recommend more or differently but in any case it's a really hard and constant work to minimize your trails and it's never 100% efficient, plus your contacts might not follow you and you might lost them sometimes because they are not up to date or just don't care doing the efforts.

I'm not doing all of this and I already put a lot of effort into it, so you have to judge how much invested you might go but in my point of view being aware of what you do and what you share is the first and most important step.

This easy: https://bitwarden.com/help/article/import-from-chrome/#export-from-chrome

I prefer Bitwarden as it's better and has much more features than any browser-based password manager, and it works on any browser or device.

discord is probably fine but if you want to go the extra step get the BetterDiscord plugin DoNotTrack (blocks analytics): https://github.com/rauenzi/BetterDiscordAddons/tree/master/Plugins/DoNotTrack

also there is an alternate client called ripcord: https://cancel.fm/ripcord/. haven't used it in a while though and it does lack a lot of features from the official client but for basic chatting it should be fine

as with anything that's not open-source be weary

If you have to use facebook on Android I recomend Tinfoil for facebook.

• F-Droid
• Google Play.

It's a sandboxed version of the website seperate from your own web browser.

So it's a tripwire. Decent idea imo and it shouldn't require Snowden to develop.

I would be very surprised if there were no other tripwire apps in existence today. I just did a quick google and found one in the first results.

Oops, yeah sure. When you turn that switch off in Settings it calls Analytics.setAnalyticsCollectionEnabled(false), per Firebase's documentation: https://firebase.google.com/docs/analytics/configure-data-collection, which says "collection is suspended until you re-enable it".

If the OP has more specifics as to what it's doing when it should be turned off I'm happy to look, it's possible there's a bug in the documentation or something I misinterpreted, but the "disabler" seemed pretty straightforward.

Privacy? I don't have anything to hide.

Glenn Greenwald: Why privacy matters Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide."

I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting.

After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer.

Glenn Greenwald in Why privacy matters - TED Talk

From: https://www.privacytools.io/

Direct link to delete your Facebook account without being able to reactivate it again. List of decentralized social networks: https://www.privacytools.io/#social

Yes, you are still good with Tutanota. We at Tutanota cooperate with the authorities when we get a valid German court order. You can read details on this in our Transparency Report: https://tutanota.com/blog/posts/transparency-report Therefore, an illegal seizure of our servers will not take place. On top of that, all data on our servers is end-to-end encrypted and can't be accessed - not even by our developers.

This action by the German police is already heavily criticized as being out of their legal limitations. We're sure an investigation on this will follow and there will be consequences.

Last time there was an audit of OpenSSL, it ended up in a fork. This gonna be good.

That said, I hope to support this once I get my paycheck. OSTIF is legit, and our privacy is worth it.

Edit: And can we please get OSTIF to allow Tor users to access their site? It's on "attack mode" for pete sake. Tor can be partially whitelisted. https://support.cloudflare.com/hc/en-us/articles/203306930-Does-CloudFlare-block-Tor

Depends on your tech-savviness and paranoia levels. For most people I would say flash Cyanogenmod and create a new throwaway gmail account just for downloading apps.

https://prism-break.org/en/categories/android/

http://droid-break.info/

DroidWall was last updated in 2011. Use the successor AFWall+ instead which is also available on F-Droid.

That's correct. If a MITM attack directed you to a website with a download and hash, they could just as easily change the hash (to the hash of the malicious download) as they could the download.

To mitigate this, a developer can sign their download and hash with their PGP key. A MITM attacker would not only have to inject a malicious download and hash, but they'd have to sign those items with the PGP key of the developers of whatever you're downloading.

If you trust the developer to keep their PGP signing key secret, and you know the fingerprint of their key, then there's no way for a MITM to deliver a malicious download/hash.

See more about signatures and hashes in this documentation from the Qubes OS team.

> I wish there was some way through which people can communicate with other apps, this way everyone will have choice to use what they want and still able to communicate.

I introduce you to Matrix, likely the future of communication.

My general starting advice for noobs is Startpage for searches, Brave in private mode only as a browser, the only free VPN I'd recommend in one device only ProtonVPN and O&O Shutup10 for Windows and links to some privacy websites/forums including this one.

Let's face it. It's really hard to get people started. They 1) don't really care about privacy and 2) are not tech savvy enough to understand even the basics. I prefer DDG and hardened Firefox, but most are coming from a Google ecosystem. Brave means no new UI to learn or tweaking to do with a browser and Startpage is close to Google search. My GF hated DDG but is fine with Startpage. Loves the ads being blocked by Brave out of the box. That's all she needed to like it. Has no idea what 3rd party cookies and fingerprinting are, but they are blocked well enough. Hardened Firefox would be better, but baby steps are needed with your average person. Tor will be considered too slow while it breaks sites plus a new UI for noobs. And no average person is going to make a switch to Linux unless they really get into privacy, and that will take a year or two.

If they get these four down and show an interest, migrate to Firefox, Signal for talk text with me (and hopefully get others into it) and Protonmail for email. I get Tuta offers twice as much free storage and is much cheaper when you reach a gig and leaves less metadata (for instance, it encrypts subject field), but if you make a full switch to an e2e email, I have more confidence in PM staying in business long run. Tuta will probably be fine, though.

• Brave search is hosted on Amazon AWS so Amazon get your IP address, location, time
• DuckDuckGo is hosted on Microsoft Azure so Microsoft get your IP address, location, time
• Qwant has Huawei as major investor, which I don’t like personally. Hosted somewhere in France, but not sure
• Searx instances. Host your own instance you will stand out and won’t be good for privacy. Use someone else’s - could be ok, could be a hacker. There are breakdowns on instances but I would say you never really know who your are giving your data too
• MetaGer is hosted university of Hanover so they get your IP address, location, time
• Startpage i don’t know but was bought out by System1 which is an undesirable company

So you have to pick the lesser of evils really. Who knows what metadata these companies can also derive, but there is for sure leakage.

If you are just an average user like me trying to get away from sleazy ad companies I would say Brave if you don’t like DDG. They collect anonymous metrics though link

You will drive yourself crazy trying to find something that doesn’t have some sort of problem. There is no total privacy on the web. Just try to to find a good balance of what meets needs.

> the device they use needs further explanation

Probably an MitM proxy like this one. It's very simple to do: you just need to install a custom SSL cert on the phone, which allows any gateway with the corresponding SSL key to decrypt all the traffic. The same tech is used by many corporate firewalls to also inspect HTTPS traffic, and decent prosumer firewalls like pfSense can do it, too.

There are other people in the thread going on about SSL certificate pinning (which can prevent the above MitM interception), but Google don't appear to be using hard pinning: I've seen plenty of people use Google services from Android and Chrome on corporate networks that have such SSL-intercepting firewalls without issue. I just MitM'ed a couple of Google apps on my iPhone without any problems.

> It is a scare piece.

It's certainly at least a bit stupid. The phone is recording your location via GPS, which is obviously unaffected by turning of WiFi and pulling the SIM.

They answer this in their FAQ.

> How is Privacy Badger different to Disconnect, Adblock Plus, Ghostery, and other blocking extensions? > > Privacy Badger was born out of our desire to be able to recommend a single extension that would automatically analyze and block any tracker or ad that violated the principle of user consent; which could function well without any settings, knowledge or configuration by the user; which is produced by an organization that is unambiguously working for its users rather than for advertisers; and which uses algorithmic methods to decide what is and isn't tracking. > > Although we like Disconnect, Adblock Plus, Ghostery and similar products (in fact Privacy Badger is based on the ABP code!), none of them are exactly what we were looking for. In our testing, all of them required some custom configuration to block non-consensual trackers. Several of these extensions have business models that we weren't entirely comfortable with. And EFF hopes that by developing rigorous algorithmic and policy methods for detecting and preventing non-consensual tracking, we'll produce a codebase that could in fact be adopted by those other extensions, or by mainstream browsers, to give users maximal control over who does and doesn't get to know what they do online.

Don't most stores allow you to buy a "credit card" over the counter and load it up? Or Google drivers license and use that picture or make fake ones. I have a feeling this one will be a huge hit.

Obviously (I hope at least) they use the Russian words for those terms [Blue is a Russian nickname that roughly translates as 'faggot']. It's easy to not notice these things because they try extremely hard to make it look normal. But if you've ever watched a Russian political debat you'll notice that all the people fit a stereotype. The communists are all puffy red faced and fat, spouting ideology of marx, the liberals are thin and effemenate, the far right are stupid and lack rhetoric. This is done so the Russian people watch it and go "Who else but Putin can controll this mess?". All of it gets orchestrated by Vladislav Yuryevich Surkov. If you're really interested in how the Russian mis-information machine behind the media works then this book I can highly recommend.

> Ghostery

Not Ghostery. The company which owns and develops Ghostery has close connections with a lot of ad companies.

https://en.wikipedia.org/wiki/Ghostery#Criticism

https://lifehacker.com/ad-blocking-extension-ghostery-actually-sells-data-to-a-514417864

> Ghostery is owned by Evidon, a company that collects and provides data to advertising companies. It has a feature called GhostRank that you can check to "support" them. The problem is, Ghostery blocks sites from gathering personal information on you—but Ghostrank will take note the ads you encounter and which ones you block, and sends that information back to advertisers so they can better formulate their ads to avoid being blocked. The data is anonymous, and Ghostery still does everything it promises to do to protect your privacy.

HTTP can be cached by intermediate proxies, which can help reduce bandwidth consumption.

HTTPS introduces additional administrative overhead (certificate renewal, configuration changes, key distribution, additional servers, additional IP addresses) that may not be worth it.

Certificate authorities suck and it's nice not to have to interact with them. It's especially nice not to have to give them money.

Let's Encrypt should help the latter two enormously. About fucking time.

I haven't had any issues with my email server, fortunately. I keep my firewalls (router and per device) locked down.

The other two points I mentioned in other replies:

> I use NordVPN, and get about 90% of my possible speed via TCP, and about 30% via UDP. The loss is due to overhead of encrypting the connection.

I also have a pfSense box for my router, including a VPN.

/r/VPN

1- go to PrivateInternetAccess or Mullvad and purchase a VPN subscription. $35/year isn't bad. There are dozens of services you can research, but these are the popular ones. Mullvad is european based, so not subject to bogus NSLs from the US government

2- Download and run their client software. This will route your traffic through their network and encrypt it

3- google What's my IP to confirm your IP address shows a different geographic location

https://ipinfo.io/AS8075

whois -h whois.radb.net '!gas8075'

I'd say that qualifies as a crapton, that's 21 million ips owned by microsoft. Not including any 3rd party CDNs they might be using (akamai etc.)

Note: It is possible to create iptables drop rules using ip ranges. For example, this command alone would prevent 4 million microsoft owned ips from going through your router:

iptables -I FORWARD -s 40.64.0.0/10 -j DROP

/u/newbiepirate this might be a solution for you if you manage your home firewall. But if we're talking about work, going to starbucks or some other crap like that, you're shit out of luck. You also mentioned windows update, i'd think this might also hinder that :P.

Better off running linux either way in my opinion, but that's just me.

When they hardcoded Pocket into Firefox, I was an avid Pocket user for about two years (back from when it was called Read It Later.) I immediately deleted Firefox and my Pocket account, moving over to Instapaper.

Browser-wise, I floated around for a while before settling on Vivaldi. It's based on Chrome, so there's a good library of extensions, but it has a lot more options for the UI than Chrome does.

Adblock and ABP has been such a sell out lately. Their whitelist of "trusted ads" was the last straw for me. I was using ABE for awhile, but then I found uBlock origin. Truly the best!

I have Windows 10 Enterprise installed on a machine earlier today. Even with telemetry set to Full, the lights on my switch don't blink when I double-click on an image in Explorer.

I also set Windows to proxy HTTP/HTTPS to mitmproxy running on another computer, and I get no requests when opening images.

Independently of that, with telemetry fully disabled I still get some disappointing requests to bing.com and live.com when using the operating system. I'm not even logged into a Microsoft account.

"The flaw wasn't considered a major issue until Windows 8 began allowing users to sign into their Microsoft accounts -- which links their Xbox, Hotmail and Outlook, Office, and Skype accounts, among others."

"The flaw works because Internet Explorer and Edge (on Windows 10) allow a user to access local network shares but don't fully block connections to remote shares."

"Perfect Privacy, a virtual private networking (VPN) provider, said in a blog post that VPN connections are also affected."

"The group set up a proof-of-exploit page."

"Chrome and Firefox users aren't affected."

Install virtualbox, a free hypervisor, which is an application that lets you boot a virtual computer inside your computer. It will be empty with no OS installed but you can then mount an iso file (click Devices menu => Optical Drives => Choose Disk Image) and reboot the virtual machine to boot from a Windows install image.

This will give a completely safe throw away environment to install any garbage they give you which you can safely delete after the test. It is very difficult for malicious software to escape from inside a VM, and certainly no piece of shit proprietary trash like this will even try to.

PM me if you need any help.

As for Drive, the privacy-minded solution is to get a Nextcloud instance running. Either selfhosted, or from a provider.

For YouTube I can recommend NewPipe.

Basically I'm following the thread "Cutting Google out of your life (2019)" So til now: - Firefox with duckduckgo + privacy modules - Protonmail and tutanota (still keeping the gmail one for my current work unfortunately) - Using ProtonVPN - On my android phone:using Netguard, Blokada, Duckduckgo - Deleted my main Instagram account. Still have another one for my photography business.. Not sure how to proceed with that And I'm actively looking for an alternative to google maps, I use it quite a lot :(

I'm currently on an internship abroad but when I'm back in my country, I'll switch to Linux and try to find something else for my phone

Please check your facts.

GrapheneOS does not ship with Play Services but they provide a compatibility layer to run it as a sandboxed app.

https://grapheneos.org/usage#sandboxed-play-services

Edit: typo

Visionary member here: import/export feature was released to all visionary members for testing so I can confirm this feature is coming soon.

https://protonmail.com/support/knowledge-base/how-to-export-emails-from-your-protonmail-account/

Try this Adblock addon (written by the same team): https://adblockplus.org/en/elemhidehelper

Intuitive selector that makes it a lot easier to write your own rules. I have a few for almost every site I visit (sidebars, comments, etc)

You may enjoy these rules. To add: open up Adblock preferences, go to "Custom filters", add a group, then add filters:

facebook.com###appsNav facebook.com###interestsNav facebook.com###listsNav facebook.com###pagesNav facebook.com###pagelet_trending_tags_and_topics facebook.com###pagelet_ego_pane facebook.com###pagelet_ego_contextual_group facebook.com###pagelet_megaphone facebook.com###timeline_info_review_unit

What these rules remove:

• The first three Nav rules remove sections from the left bar (most of which are just clickbait).
• Next, the trending rule is just not-quite advertising that should be blocked by default.
• The two ego rules (I know, FB literally calls them ego sections) removes a TON of crap. Reccomended pages, suggested groups, run here, do this, buy that... the worst sections of the site.
• Finally, the megaphone & "info review" are various information nags. These in particular might be what's bugging you - all prompts to add a phone number, high school, etc match these rules.

IMHO, Facebook is unusably noisy without these rules. Hope this helps!

The points this article is missing. Telegram is free software (available on F-Droid), whatsapp is proprietary. Also please compare the privacy policy of telegram and whatsapp. Telegram basically says doesn't share anything with anyone. Whatsapp's privacy policy says they'll share almost anything with a lot of companies.

https://telegram.org/privacy

https://www.whatsapp.com/legal/#privacy-policy

Encryption in whatsapp says nothing since they can decrypt the messages, it is not really end-to-end encrypted. You can check this yourself. Send a message to a phone that is off/dead, connect whatsapp to a new phone and the message will arrive. They can decrypt the message and encrypt it again while it's in transit.

The author is right that Signal is better. But it is still a centralized server. Best would be to use something like Riot.im, which uses the federated matrix network and supports end-to-end encryption on multiple devices (something signal also just introduced).

Not really surprising. In the U.S. almost all of the media outlets in the country is owned by something like only 6 companies. I did find this bit amusing:

>Gaditek, the Karachi-based tech company, officially claims to own just 3 VPN products (PureVPN, Ivacy and the newer Unblock VPN & Proxy). However, we’ve discovered two more VPN products. We also show that this company runs the VPN review sites , , , and 2 others

> Come on, now. This isn't a helpful attitude. This kind of comment is letting the perfect be the enemy of the good. "Nothing is perfect so you might as well not even try." That's just not helpful. Every little bit a person does to make their personal data harder to collate, correlate, associated, and group is a step in the right direction. Folks should make it as difficult as possible at all times to exploit people's personal data.

I'm not saying don't try, all I'm saying is don't use Freedome lol.

>Yes, the VPN could distribute your data. But then so could your ISP. In fact your ISP fought to be able to sell your data (in the US).

Yeah that's why you use a VPN provider that doesn't do that.

The purpose, at least in the case of DuckDuckGo is actually to preserve your privacy; by routing the link through another page, the page you end up on doesn't know what your original search was. Assuming you can trust the middle man site, this situation is really better.

Of course, Facebook doesn't care about privacy...

Not true. Pine64 is making their PinePhone which comes with hardware killswitches as well. I own their devkit currently (I work on postmarketOS), and it already has the killswitches.