1
6
submitted 22 minutes ago by DaseinPickle@leminal.space to c/privacy@lemmy.ml
2
37
submitted 2 hours ago by lemmylem@lemm.ee to c/privacy@lemmy.ml
3
24
submitted 3 hours ago* (last edited 3 hours ago) by lemmyreader@lemmy.ml to c/privacy@lemmy.ml

By the way, the earlier posted article https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain had an update starting at the paragraph with title Update: Statement from Proton and additional commentary

4
14
submitted 3 hours ago* (last edited 3 hours ago) by LoveSausage@lemmy.ml to c/privacy@lemmy.ml

Ordered a new phone so I wanted a new SIM for a clean slate. My country requires KYC for SIM cards. So I ordered this https://www.ebay.com/itm/295938085941 I see now that the card is being shipped from Israel.

(I'm in another EU country)

Cloning, swapping etc., how bad an idea was this on a scale from 1-10? Even if the package is unbroken, I assume someone with physical access (and resources) can do a lot of stuff?

Miss being able to go get one from the corner store. But the idea was to load it up with cash-bought gift cards.

Also played with the idea of getting a gl-inet portable router and skipping the SIM card in the phone, but it is quite a bit of hassle to have another device to maintain and carry...

5
6

I have a LinkedIn account which is

  • 5 years old.
  • both SMS and Gmail verified (via code).
  • all information filled (experience, personal, jobs, profile photo etc).
  • all information is real.
  • I logged in a million times to the account from my home (without virtual-private-network).
  • My account is cached by Google.

The Gmail account which verified by LinkedIn:

  • I have also bought a Google service with my personal credit card (it's not important which service).
  • my phone number and Gmail are already verified by my government's national-digital-system (I am legally responsible for this Gmail and mobile number).

Depending on the above information

  • A- I think my account is already linked with me by big-brothers.
  • B- If something bad happens legally, I can never say that "this account does not belong to me". I already talked about this topic with different lawyers.

Therefore I don't see any reason not to verify the account.

My questions

I would like to hear your thoughts about below questions:

  • 1- should I have privacy concerns if I verify my account via national-identity card?
  • 2- should I have privacy concerns if I verify only "workplace verification"? Because it only sends a code to my company email. No identity card needed. No additional steps.
6
10
submitted 4 hours ago by lemmyreader@lemmy.ml to c/privacy@lemmy.ml
  • Make a screen shot of your desktop
  • Check with a viewer and see no EXIF data
  • Load it in gThumb to use its crop feature, crop and save
  • Check again with a viewer and see that gThumb added EXIF data including the gThumb version

In the meantime I've started to use other software to crop screen shots, but I am still puzzled why gThumb always adds EXIF data?

7
37
submitted 10 hours ago by umami_wasbi@lemmy.ml to c/privacy@lemmy.ml

Recently I just got hit by stolen card details, which makes me search for a virtual card service. Does anyone know any that work in the UK and EU region? Apparently Privacy.com needs SSN to work now. Thanks.

8
54
submitted 11 hours ago by lemmyreader@lemmy.ml to c/privacy@lemmy.ml
9
31
submitted 15 hours ago by xabadak@lemmings.world to c/privacy@lemmy.ml

cross-posted from: https://lemmings.world/post/8926396

In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won't need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I'm a noob and I couldn't find any scripts or tools to do it that way.

10
24
submitted 20 hours ago by catalog3115@lemmy.world to c/privacy@lemmy.ml
11
37
submitted 23 hours ago* (last edited 18 hours ago) by s38b35M5@lemmy.world to c/privacy@lemmy.ml

Received notice of a change to the service in my inbox today. Seems icky to me.

Devices in the network use Bluetooth to scan for nearby items. If other devices detect your items, they’ll securely send the locations where the items were detected to Find My Device. Your Android devices will do the same to help others find their offline items when detected nearby.

Your devices’ locations will be encrypted using the PIN, pattern, or password for your Android devices. They can only be seen by you and those you share your devices with in Find My Device. They will not be visible to Google or used for other purposes.

12
185
submitted 1 day ago by clot27@lemm.ee to c/privacy@lemmy.ml

Here's what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

13
23
submitted 1 day ago by Ward@lemmy.nz to c/privacy@lemmy.ml

Materialious can now be used as a desktop or Android application, allowing it to be used for any Invidious instance!

https://github.com/Materialious/Materialious/tree/main?tab=readme-ov-file

14
237
submitted 1 day ago by schizoidman@lemmy.ml to c/privacy@lemmy.ml
15
148
12 ft ladder Alternative? (sh.itjust.works)

12ft ladder doesn't seem to work anymore, on major sites at least. Does anyone have an alternative? Gracias

16
64
submitted 2 days ago by OnePhoenix@lemmy.world to c/privacy@lemmy.ml

I used to use Protonmail, however the verification steps become tedious when creating unique emails for sign-ups. I've switched to Tutanota despite it contravening their one account policy. What do you all use for one-off emails (for sign-ups etc.)? Or do you prefer one of those 10 minute email sites?

17
4

I've attempted to create a VM on my Ubuntu host machine that is accessing the internet via a dedicated VPN app. I'm able to disconnect my host VPN and access the web within the VM, but cannot access the web when the host VPN is enabled. Ideally I'd like to enable the VPN on the host and pass through web access to the VM.

I have two questions:

  1. If my use case is to use a VM to increase privacy and security as well as isolate my operations within the VM from my host, is it better to have the VPN app from inside the VM or pass the host's through to the VM?
  2. If it doesn't make much of a difference, how can I go about passing the host's VPN to the VM?

In either scenario, I'd still like to keep the host's VPN active while being able to use the VM, which I currently cannot.

18
215

Even if you have encrypted your traffic with a VPN (or the Tor Network), advanced traffic analysis is a growing threat against your privacy. Therefore, we now introduce DAITA.

Through constant packet sizes, random background traffic and data pattern distortion we are taking the first step in our battle against sophisticated traffic analysis.

19
118
submitted 2 days ago by UnHidden@lemmy.world to c/privacy@lemmy.ml
20
163
submitted 2 days ago* (last edited 2 days ago) by JustMarkov@lemmy.ml to c/privacy@lemmy.ml

This post will be my personal experience about trying to gain back my privacy after years of being privacy unconscious. And foremost I want to apologize for my English, if it isn't perfect, 'cause English is not my first language.

I was already using Linux for the past year. I tried switching to it three times, and only the third time was successful. I was also interested in open source for quite a long time, but the privacy topic has never really interested me. I was following this stupid statement: «I don't worry about privacy because I have nothing to hide», which I regret now. But last Christmas, I suddenly realized how much data I was giving away to Big Tech (and not only them). I can't perfectly remember what led me to that realization, whether it was some YouTube video, a privacy policy that I suddenly decided to check out, or something else, but I immediately started to take action.

For the past 6 months I deleted more than 100 accounts. Sometimes it was as easy as pressing the button, sometimes I had to email support, and sometimes I literally had to fight for my right to remove the account. Even today there are still 7 accounts left that I cannot delete, either because support is ignoring me, or because the process is too slow, or because the service simply does not give the right to remove a user account.
JustDeleteMe actually helped me very much with that process, and I've even contributed to the project a few times, so for the other users who'll follow my way the process would be at least a little easier.

Today is a special day, though, because I finally got rid of my Google and Microsoft accounts. I can finally breathe free. My situation is still not perfect, 'cause I still have some proprietary, privacy-invasive accounts left, like Steam, Discord, or my banking apps. I can't just immediately drop them, but at least I've reduced the amount of information I left behind.
What's the moral? Welp, it would be so much easier for today's me if yesterday's me had been concerned about privacy in the first place.

21
95
submitted 2 days ago by BrikoX@lemmy.zip to c/privacy@lemmy.ml

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

22
38

I use Aegis as my 2FA. Today, on new token creation, I observed that the hash function is set to SHA-1; I later checked all my tokens and the result is the same type of encryption used for all. So I edited all my tokens to SHA-256, and as a result my TOTP doesn't authenticate. Do I have to rescan my tokens to update to SHA-256, or doesn't it work like that?

Security: SHA-1 < SHA-256 < SHA-512

Speed: SHA-1 > SHA-256 > SHA-512

My doubts are: Why can't we use SHA-256? Is it because TOTP requires less time so the faster one (SHA-1) is chosen? Can we use SHA-256 for TOTPs?

23
67
submitted 2 days ago by 0xtero@beehaw.org to c/privacy@lemmy.ml

Pulling this off requires high privileges in the network, so if this is done by an intruder you're probably having a Really Bad Day anyway, but might be good to know if you're connecting to untrusted networks (public wifi etc). For now, if you need to be sure, either tether to Android, since the Android stack doesn't implement DHCP option 121, or run the VPN in a VM that isn't bridged.

24
39
submitted 2 days ago* (last edited 2 days ago) by asphalt@lemmy.dbzer0.com to c/privacy@lemmy.ml

Over the years I have saved many bookmarks in Firefox in various folders for interesting, useful or just frequently used websites.

Now I've recently moved a lot of stuff to more private (FOSS/self-hosted) alternatives and I'm considering moving browsers too. Since the bookmarks are so integrated into the browser I was wondering what you guys do/recommend in order to keep a bit more freedom.

One option I could think of would be to write them into a Markdown doc and to sync it with all the other notes I keep but that's a bit inconvenient - there's got to be a nicer way that doesn't send every action to a browser corpo, right?

25
24
Is Instander dead? (lemmy.dbzer0.com)

Hi, I used to use Instander to browse Instagram privately but it doesn't seem to be updated anymore, is there an alternative that you recommend that has similar features? Like "ghost mode" when watching stories

Privacy

29024 readers
1025 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago