• 16 Posts
Joined 4Y ago
Cake day: Jun 07, 2020


You can stop using internet right now. There are closed source bits of code in the JS you run off of websites natively. If you are not using LibreJS and IceCat, you have already been assimilated.

I want to one up you, China should make MaOS, just to trigger Western iPhone kids.

I find this post too Reddit-like, honestly. What is this favourite user crap even, some kind of social media validation technique?

Please check if this is once again Bing. DDG has brought onto itself a lot of bad light by censoring news outlets, but put the blame on correct entity. It makes all DDG criticism look like hoax.

ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them

Turns out, he is not talking about the kind of people I fit in. I am using Tor for more than a decade at this point, and have been a very avid I2P torrent user as well since many years. If not the same, I compare pretty well in experience in this aspect.

He is talking about the kind of people who open Panopticon for fingerprint tests and misread the fractions and decimal numbers and information there when comparing, and then scream on reddit with misinterpreted posts aimed to get awards and upvotes at the cost of sanity of many people.

deviceinfo.me is not the kind of site and data used for demonstrations he is talking about. I have a fair amount of experience to make this claim.

To expand on the attacks that are mitigated, avoidance is a better measure than mitigation. Hence the reason why I say noJS is a better policy, the next best is turning on JS manually when needed. Keeping JS on all the time is a fool’s errand if they want to go beyond standard levels of privacy and anonymity. The author himself mentions in the last line as a subtle disclaimer why it can be a choice.

You know how gait movements IRL work? Turns out, Google Recaptcha makes very good use of how you move and click with cursor on the captcha boxes. If you thought AI/ML image training was the only thing Google was making users do, now you know something new.

You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

that’s simply not true. TB has further enhancement and code changes, it is based on ESR plus it’s not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network

Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project’s code for anti fingerprinting and per site data isolation upstreamed to Firefox’s private browsing mode since the past 15-20 or so versions now.

usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

Does that not make the argument for Firefox stronger for regular daily browsing usage, since it has an even bigger userbase? You can use uBlock Origin and you can enjoy Tor Browser’s dFPI and per site data isolation benefits in Firefox’s private browsing mode.

I also don’t get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP’s network is.

You missed where I said how having JS on means you are keylogged easily. Your caps lock is also detectable, just to be clear. You are also forgetting that making strings out of this keylogged stuff, and then applying stylometry analysis is a very easy and cost effective way into unmasking identities behind pseudonyms. I do this myself regularly as part of OSINT investigations. It is how I have also unmasked many sockpuppets on Lemmy, Matrix, Reddit in the past few years.

The author has a very agreeable position with me on what he speaks, but it is like how anti-imperialist viewpoints sound very correct in today’s political scenario, but every single nuance does not have to be perfect to get the idea across. He is getting the idea across here, and that is why you are arguing at length with me.

Edit: I think this explanation is lacking. I must expand on it.

First I will get out of the way elements that can be spoofed with JS on:

  • browser build number, country and GPS coordinates, CPU cores, user agents

Now it is time to address elements which having JS on reveals. Feel free to correct me whatever is spoofed by Tor Browser.

  • OS Core
  • multiple nameserver connections, resolved and unresolved
  • private/incognito mode
  • tracking protection on or off
  • browser window size
  • monitor colour depth support
  • current page scroll position
  • current mouse cursor position
  • last key pressed (keylogging)
  • caps lock on or off
  • last cursor clicked position on page
  • estimation of your connection speed using page load time, network time, DNS lookup time, TCP connection time, server load time, page download time, browser load time

Monitor colour depth support may not be a significant issue, as many have standard monitors.

Can you explain me how these are spoofed in Tor Browser while having JS on? I have ignored the fonts as those are spoofed, and there are no timing attack vectors in this list. The last bullet point, if you want to talk about, can be used to identify if someone used a really fast connection ISP at an unusual place and time.

Nameserver connections can be a possible issue with exit node identification, if we are to assume the OPSEC of an average journalist just downloading and using Tor Browser on any machine. If we assume relays can protect them, we have other vectors here, like…

… page scroll and mouse cursor positions, caps lock on or off, last key pressed.

Keylogging, as explained earlier, is a very cost effective way to unmask people. Telling people on top of it to feel free to use a personal Facebook account over Tor network, puts them in the mindset of typing personally identifiable messages, even becoming trackable down to how many errors a person makes and hits Backspace key. Imagine people typing messages under a pseudonym on a forum anonymously in a couple tabs besides the Facebook/Twitter tab, and writing with the same mental personality in mind.

I think this reply now feels a little more apt.

I just ran TBB and used deviceinfo.me to verify, what JS vs noJS can reveal. Here, JS reveals all this information, noJS does not.

  • 32/64 bit OS
  • OS Core (Linux or NT kernel, revealing your actual OS)
  • browser build number
  • country and GPS location which are spoofed
  • multiple nameserver connections, resolved and unresolved IPs
  • 2 user agents, one with spoofed details and other with OS Core and display manager
  • spoofed CPU cores
  • private/incognito mode
  • tracking protection on or off
  • browser window size spoofed or not
  • monitor colour depth support
  • current page scroll position
  • last key pressed, therefore keylogging
  • current mouse cursor position
  • last clicked position on page
  • estimation of your connection speed using page load time, network time, DNS lookup time, TCP connection time, server load time, page download time, browser load time

Can the author explain me why keeping JS on is so helpful, if your goals go beyond basic privacy expectations?

You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

Edit: I forgot to address this one

may I ask why? I generally agree with the sentiment of the article but I don’t have a very strong opinion on this and maybe I’m missing something. PS I don’t think the usual “I will end up in a list of people who use Tor” argument is a valid one.

People have a habit of typing stuff where they should not, and using literally something like a personal Facebook account over Tor and typing PII should have no opinion other than that it can be risky. All the above information I mentioned is trackable for even a single JS script allowed, and any website where you have such a personal account likely is not a very privacy respecting entity that will allow you to live JS free.

There’s generally nothing wrong with logging in to “real” accounts over Tor.

Tor Browser intelligently isolates your traffic so logging in to your “real” Facebook while doing secret stuff on a different website is not correlate-able via traffic patterns.

It also isolates local state (like cookies) so it won’t leak that way.

I found this problematic. He is encouraging the use of PII accounts over Tor, which is a very risky thing to do for someone not familiar with how to make and stick to an OPSEC.

A lot of his advice is actually what I practice and preach, but this and the JavaScript one makes me feel less confident here. Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily. This is why TailsOS which ships with a uBlock Origin Tor Browser is more helpful.

Those are just hired people sitting and watching IPs connecting to the big popular torrents. And so VPN works well, yes.

That article is a… bit conflating in terms of privacy and anonymity. The whole idea of a VPN has been discarded by the writer just because there is a paywall around it. People can use it for using SaaS like games, streaming platforms to acquire contextual anonymity and/or security.

A very popular use is for torrenting as well, and some trackers do not like same IP being abused by many people, so IP range blocks also exist. VPNs help bypass those as well.

Certainly looks like it, no matter how hard you try. Downvoting is really getting to me, I am seething! Look!!

It is okay not to share views, but what is true shows in real time. And neither of us can do much about it apart from watching from the sidelines.

Also definitely you are not some comrade, so stick to your political lane.

The one that you did not, a functional, critical brain. Liberals can only be revolutionaries in internet downvoting.

“Its a war bro, like Iraq”

“Its a genocide and massacre bro, look Bucha satellite photos, do not talk about how they got debunked”

“Bro Russia lowkey dropped nukes like Chernobyl”

- average C14, Right Sektor, Azov supporter liberal and knows only what Western MIC MSM tells

The amount of people who have made that phrase problematic is wrong on many levels. It is what Nazis and racists do. Nazis first tilted Hindu Swastika to a 45° on left and made it their symbol, now they are using Nordic mythology symbols as their own. They take common language and symbols and adopt them to grift into masses’ discussions.

USA was called “Great Satan” by Iran when Suleimani was assassinated. Russia called them an “Empire of Lies”. Turns out, these descriptions were always true.

Century of The Self documentary is immensely valuable in these times for anyone who has not seen it.

Because you are incapable of differentiating the civilian and infrastructure destruction between Russia’s op in Ukraine and USA’s op in Iraq, Libya, Syria and many other places.

I doubt you are incapable, so I will just call it intellectual dishonesty.

Westerners are majorly racists. The news media anchors, citizens, various publications make it very open. The refugees that were entering Poland also made it clear who was blocked, harassed and beaten up. All non whites.

It is not exactly a war though. You want to see a true invasion and war? Go look at Iraq or 2011 Libya or 2015 Syria.

We need more and more accelerationism so that Western capitalism and the colonialist white power mentality can die together.

Relevant reading: https://github.com/zlw9991/node-ipc-dependencies-list https://web.archive.org/web/20220318095406/https://github.com/RIAEvangelist/peacenotwar/issues/45 https://security.snyk.io/vuln/SNYK-JS-NODEIPC-2426370

The amount of Russophobia and anti Russian censorship ongoing currently on Reddit is astounding.
I am observing a very similar sentiment to Sinophobia, now regarding Russia. Reddit's audience is primarily 80% USA + West EU, and the rest 20% also includes a lot of East Europe and other countries, leaving for 5-10% anti-hatred people. On the other hand, Western world makes up for a mere 12% of the world's population. This speaks volumes about how majoritarianism is flipped on the internet by Western world to suit their narratives and loudmouth whatever they want dominating in virtual space. And since moderators are also from said Western countries, the biases are completely intentional and systematic. For all the "human rights" and "no censorship" nonsense these Western countries spout with the assumption of having high horse on moral grounds, they lie a lot systematically. Just an observation.

What are easy to present criticisms of mainstream outlets like BBC and CNN?
While it is easy to use phrases like "use critical thinking", this is not easy for elders or cousins in families to be told, as this is not lucid to understand in a snap. It is essential for criticism to be easily communicable to ordinary people that watch Google Feed or MSN News daily, and I feel that such criticism is not even easy to access or read, considering ordinary people have been cornered from MSM, YouTube, Twitter, Facebook and rest of Big Tech and Western media apparatus. If you love your BBC and CNN feeds, avoid this post, this is not for you.

r/PrivacyGuides restored citation-less slander post as facts, and GrapheneOS community sockpuppet theory is proven correct by one of its members
cross-posted from: https://lemmy.ml/post/143981 > Mod statement: https://np.reddit.com/r/PrivacyGuides/comments/rxf02a/theanonymousjoker_false_privacy_prophet/hs1dxux?context=3 > > https://i.imgur.com/LahmNkO.jpg > > dng99/dngray has branded a citation-less slander post as facts. These are the "community standards" of r/PrivacyGuides. Always remember this. > > u/trai_dep, the record stands corrected once again > > Moreover, my theory about GrapheneOS community using sockpuppets is true, as confirmed by... > > https://np.reddit.com/r/fdroid/comments/rxtc14/came_across_this_thoughts/hs1o6no?context=3 > > https://i.imgur.com/JX6uTpx.jpg > > Tommy_Tran = B0risGrishenko (OP of slander post). Thanks for confirming my GrapheneOS community sockpuppet theory.

r/PrivacyGuides is allowing a personally targeting post with my name in post title currently, slandering me and my smartphone guide
https://teddit.net/r/PrivacyGuides/comments/rxf02a/theanonymousjoker_false_privacy_prophet/ This is one of key GrapheneOS community members doing it, and r/PrivacyGuides has the same moderation team as r/privacytoolsio before, and the main moderator of r/privacy is also same. Has anyone seen this kind of behaviour in overall privacy community?

100% FOSS Smartphone Hardening non-root Guide 4.0
https://lemmy.ml/post/128667 Crosspost but the guide body is so long, I had to break it into 5 parts.

[TINY GUIDE] How to stay safe from Pegasus and most social engineering malware these days
cross-posted from: https://lemmy.ml/post/74540 > Hello! I think it is a nice time to re-mention some 101 tips of IT security for folks here, that I also practice. Pegasus malware investigation will be big news for a good while, so the more awareness it helps spread, the better. > > # RULE 1 > > DO NOT CLICK ON RANDOM SMS AND EMAIL LINKS. Please, do not do this, ever. Just do not do it. Do not do it. Do not do it. Do not do it. > > Yes, that is how many times I repeated that line. That is how important this rule is. > > Also, do not download random email attachments. > > Phishing is such a common tactic that one would think this problem has been solved by now, but it has not. > > # RULE 2 > > Keep OFF auto download of photos, videos, documents and so on on WhatsApp, Signal and such apps. > > Drive by downloads being self executable surprise bombs is not a new thing. Basically, this rule is similar to keeping off AutoPlay for external USB sticks on Windows computers. > > # RULE 3 > > Avoid using popular software too much. > > I get it, this is a hard rule to workaround considering how much we need to use WhatsApp, Signal, Telegram and so on, so it is a lot better to compartmentalise your activities among multiple messengers. > > Pegasus and a lot of specialised malware uses zero-days to be able to design zero click deployment tricks, which is what these government surveillance tools are good at reserving. They use their millions of dollars of funding and R&D properly, so you have to be careful. > > As an example, try to keep WhatsApp internet turned off most of the times via NetGuard, and turn it on only when needed, a good method I have earlier suggested as well in my smartphone hardening guide. > > # CONCLUSION > > Those were some thoughts on the top of my head, before I go to sleep. Stay safe against surveillance! And feel free to ask whatever you want to!

Smartphone Hardening non-root Guide 2.0 (for normal people)
(1/2) Lemmy does not allow too long post walls **UPDATED 16/8/2020: Major edit, replaced closed source App Ops and Shizuku with AppOpsX (Free Open source) on F-Droid. ~~This guide is nearly FOSS supported now.~~** **UPDATED 17/9/2020: MAJOR EDIT, replaced closed source Access Dots with Privacy Indicator (FOSS) on Izzy's F-Droid repo. This guide is completely FOSS.** Hello! I am the founder of /r/privatelife . Finally my smartphone non root guide is back, and there are some big upgrades. I was taking time to test everything myself on my daily driver, so apologies for keeping everyone in the wait, but stability and ease of use is the important goal to strive in my playbook. Privacy must be accessible to maximum amount of people without being annoying or tedious. **A kind request to share this guide to any privacy seeker.** #User and device requirement * ANY Android 9+ device * knowledge of how to copy-paste commands in Linux or Mac Terminal/MS-DOS Command Prompt (for ADB, it is very simple, trust me) #Why not Apple devices? iPhone [does not allow you to have privacy](https://gist.github.com/iosecure/357e724811fe04167332ef54e736670d) due to its blackbox nature, and is simply a false marketing assurance by Apple to you. Recently, an unpatchable hardware flaw was [discovered](https://9to5mac.com/2020/08/01/new-unpatchable-exploit-allegedly-found-on-apples-secure-enclave-chip-heres-what-it-could-mean/) in Apple's T1 and T2 "security" chips, rendering Apple devices critically vulnerable. 17/9/2020: [Apple gave the FBI access to the iCloud account of a protester **accused** of setting police cars on fire](https://www.businessinsider.com/apple-fbi-icloud-investigation-seattle-protester-arson-2020-9). Also, [they recently dropped plan for encrypting iCloud backups after FBI complained](https://www.reuters.com/article/us-apple-fbi-icloud-exclusive/exclusive-apple-dropped-plan-for-encrypting-backups-after-fbi-complained-sources-idUSKBN1ZK1CT). They also collect and sell data [quite a lot](https://i.imgur.com/n8Bk0bA.jpg). Siri still records conversations 9 months after Apple [promised not](https://www.theregister.co.uk/2020/05/20/apple_siri_transcriptions/) to do it. Apple Mail app is vulnerable, yet Apple stays in [denial](https://9to5mac.com/2020/04/27/iphone-mail-vulnerabilities-2/). Also, [Apple sells certificates to third-party developers that allow them to track users](https://www.theatlantic.com/technology/archive/2019/01/apples-hypocritical-defense-data-privacy/581680/), [The San Ferdandino shooter publicity stunt was completely fraudulent](https://www.aclu.org/blog/privacy-technology/internet-privacy/one-fbis-major-claims-iphone-case-fraudulent), and [Louis Rossmann dismantled Apple's PR stunt "repair program"](https://invidio.us/watch?v=rwgpTDluufY). Also, Android's open source nature is starting to pay off in the long run. Apple 0-day exploits are far [cheaper](https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/) to do than Android. ----- #LET'S GO!!! **ALL users must follow these steps before "for nerdy users" section.** **Firstly, if your device is filled to the brim or used for long time, I recommend backing up your data and factory resetting for clean slate start.** * **Sign out all your** Google and Huawei/Samsung/other phonemaker **accounts** from your device so that Settings-->Accounts do not show any sign-ins **except WhatsApp/Telegram** * Install ADB on your Linux, Windows or Mac OS machine, simple guide: https://www.xda-developers.com/install-adb-windows-macos-linux/ * Use ["Universal Android Debloater"](https://gitlab.com/W1nst0n/universal-android-debloater) to easily debloat your bloated phone. NOTE: Samsung users will lose Samsung Pay, as Samsung has been caught and declares they sell this data: https://www.sammobile.com/news/samsung-pay-new-privacy-policy-your-data-sold/ * **Make DIY camera covers**, for front camera notch use a tiny appropriate-sized thin opaque plastic cutout and use an invisible tape to stick it in place, replace every month (cost: tape roll and one minute of your time per month). [**My rear camera cover**](https://i.postimg.cc/T37Qvc52/image.jpg) * Install **F-Droid app store** from [here](https://f-droid.org/en/) * Install **NetGuard** app firewall (see NOTE) from F-Droid and set it up with [privacy based DNS like Uncensored DNS or Tenta DNS or AdGuard DNS] NOTE: NetGuard with [Energized Ultimate](https://block.energized.pro/ultimate/formats/hosts.txt) HOSTS file with any one of the above mentioned DNS providers is the ultimate solution. NOTE: Set DNS provider address in Settings -> Advanced settings --> VPN IPv4, IPv6 and DNS * In F-Droid store, open Repositories via the 3 dot menu on top right and add the following links below: 1. https://rfc2822.gitlab.io/fdroid-firefox/fdroid/repo?fingerprint=8F992BBBA0340EFE6299C7A410B36D9C8889114CA6C58013C3587CDA411B4AED 2. https://apt.izzysoft.de/fdroid/repo?fingerprint=3BF0D6ABFEAE2F401707B6D966BE743BF0EEE49C2561B9BA39073711F628937A 3. https://guardianproject.info/fdroid/repo?fingerprint=B7C2EEFD8DAC7806AF67DFCD92EB18126BC08312A7F2D6F3862E46013C7A6135 Go back to F-Droid store home screen, and hit the update button beside the 3 dot menu. ----- ###LIST OF APPS TO GET * Get **Firefox Preview** web browser from F-Droid (install uBlock Origin addon inside ([if technically advanced, try doing this](https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode))). Also get **Firefox Klar** if you like a separate incognito browser. * Get **Aurora Store** from F-Droid for apps from Play Store without actually using Play Store, use Anonymous option to sign in * for 3rd party APKs source them only from **APKMirror** OR **APKPure** OR **APKMonk**, quite trusted, BUT **TRY AND AVOID IT IF POSSIBLE** * Get **Privacy Indicator** from F-Droid for **iOS 14 like camera/mic dot indicator feature** * Get **OSMAnd+** from F-Droid or **Qwant Maps inside web browser** for maps and/or print physical maps if you live and travel in one or two states or districts. NOTE: Qwant Maps has better search results than OSMAnd+ * Get **PilferShush Jammer** from F-Droid to block microphone (use this in malls, restaurants or such public places if you can to prevent beacon tracking) * Get **OpenBoard** (user friendly) OR **AnySoftKeyboard** (nerd friendly) from F-Droid instead of Google GBoard, Microsoft SwiftKey et al, they are closed source keylogger USA spyware * Get **FTP Server (Free)** from F-Droid and **FileZilla on computer** for computer-to-phone internet less file sharing NOTE: for phone-computer sync or sharing, can TRY **KDE Connect**, available for Android, Windows, Linux * Get **TrebleShot** instead of SHAREIt for phone to phone file sharing * Get **K-9 Mail** or **FairEmail** as e-mail client * Get **NewPipe** for YouTube watching, or YouTube in Firefox Preview/Klar * Get **QKSMS** from F-Droid as SMS client app * Get **Shelter** from F-Droid to sandbox potential apps that you must use (eg WhatsApp or Discord or Signal) * Get **SuperFreezZ** from F-Droid to freeze any apps from running in background * Get **Librera Pro** from F-Droid for PDF reader * Get **ImgurViewer** from F-Droid for opening reddit/imgur/other image links without invasive tracking * Get **InstaGrabber** from F-Droid for opening Instagram profiles or pictures without invasive tracking (seems like a revived fork is [here](https://github.com/austinhuang0131/instagrabber/releases), thanks u/sad_plan ) * Get **GreenTooth** from F-Droid to set Bluetooth to disable after you have used it * Get **Material Files** or **Simple File Manager** from F-Droid for file manager app * Get **ImagePipe** from F-Droid if you share lot of pictures, and want to clear EXIF metadata snooping (often photos contain phone model, location, time, date) * Get **Note Crypt Pro** from F-Droid for encrypted note taking app * Get **Vinyl Music Player** from F-Droid for music player * Get **VLC** from F-Droid for video player ----- ###CRITICAL FOR CLIPBOARD, LOCATION AND OTHER APP FUNCTION BLOCKING I would say this is one of the critical improvements in my guide, and will solve the problem of clipboard and coarse location snooping among other things. AppOpsX is a free, open source app that allows to manage granular app permissions not visible normally, with the help of ADB authorisation without root. This app can finely control what granular information apps can access on your phone, which is not shown in app permissions regularly accessible to us. Now that you would have set up your phone with installing apps, now is a good time to perform this procedure. Step 1: Install **AppOpsX** from F-Droid. (https://f-droid.org/en/packages/com.zzzmode.appopsx/) Step 2: Plug phone to computer, and enable USB debugging in Settings --> Developer Options (you probably already did this in the starting of the guide) Step 3: Keep phone plugged into computer until the end of this procedure! Open AppOpsX app. Step 4: On computer, type commands in order: ```adb devices``` ```adb tcpip 5555``` ```adb shell sh /sdcard/Android/data/com.zzzmode.appopsx/opsx.sh &``` Step 5: Now open "AppOpsX" app, and: * disable "read clipboard" for apps except your messengers, notepad, office suite, virtual keyboard, clipboard monitor apps et al. NOTE: Most apps that have text field to copy/paste text require this permission. * disable "modify clipboard" for every app except for your virtual keyboard or office suite app or clipboard monitor/stack special apps. * disable "GPS", "precise location", "approximate location" and "coarse location" for every app except your maps app (Firefox and OSMAnd+) (2/2) in comment below.