323
YSK: Keeping your accounts/online identity safe in the age of the fediverse/federated networks (discuss.tchncs.de)
submitted 1 year ago by gvasco@discuss.tchncs.de to c/youshouldknow@lemmy.world
74 comments fedilink hide all child comments

As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don't divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):

  • Don't use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)

Here is a nice article with some e-mail forwarding providers to get you started

  • Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won't divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.

Some passvault suggestions:

  • Passbolt (self hosted)
  • Bitwarden (self hosted and hosted options)
  • Vaultwarden (unlocked self hosted alternative to bitwarden)

These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.

top 50 comments
sorted by: hot top controversial new old
[-] dbx12@programming.dev 58 points 1 year ago

You could add keepassxc as an option for those who don't want a hosted service at all. You can still exchange the storage file with other computers if you have to (via USB stick, mail, nextcloud etc)

[-] henfredemars@infosec.pub 13 points 1 year ago

I second this option. I use it because there's an app that supports the file format for pretty much every platform.

[-] Sheltac@lemmy.world 5 points 1 year ago

What do you use in iOS?

[-] Karcinogen@vlemmy.net 3 points 1 year ago

Check out Strongbox. I can't say I've used it, I'm on Android, but it seems good.

[-] kuroshi@lemmy.ramble.moe 2 points 1 year ago

I use strongbox, it is pretty good.

load more comments (1 replies)
[-] kurikai@lemmy.world 7 points 1 year ago

And can use syncthing to sync between your devices

load more comments (1 replies)
[-] Karlos_Cantana@sopuli.xyz 5 points 1 year ago

Do you know of a "keepass for dummies"? I've tried to figure out how to use it, but reading the readme on GitHub just makes me feel like an idiot.

load more comments (3 replies)
[-] polskilumalo@lemmygrad.ml 5 points 1 year ago

You can also add to that pass which names istelf the "standard UNIX password manager", altough it's just a nice frontend for gpg.

[-] dbx12@programming.dev 2 points 1 year ago

Don't forget that git is doing the archiving here ^^ And pass is great when your need to share a password store with someone. Just add their hog key and let them checkout the git repo

[-] drone509@discuss.tchncs.de 3 points 1 year ago

I feel like this option is honestly worse for most people. You have the new security problem of having to transfer the file everywhere, but now the huge inconvenience of potentially losing it or not having it on a new device.

load more comments (1 replies)
[-] Deez@lemm.ee 22 points 1 year ago

It’s not very open-sourcey, but Apple include a email forwarding service called Hide My Email in their iCloud+ plans. So, you may already have access to that service.

[-] melonpunk@lemmy.world 21 points 1 year ago

duckduckgo.com offer that service too. Using a browser plug in it can generate @duck.com email addresses when signing up to sites and forward them to your standard email address.

[-] Deez@lemm.ee 8 points 1 year ago

DDG is an excellent free option

[-] T156@lemmy.world 6 points 1 year ago

Firefox also offers their Relay service, which is hosted by the Mozilla foundation, although I don't believe that the service is open source.

[-] Deez@lemm.ee 4 points 1 year ago

Cheers, I didn’t know of the Mozilla service.

[-] kape@lemmy.world 3 points 1 year ago* (last edited 1 year ago)

great service for sites that hatenon-standard templates!!

load more comments (2 replies)
[-] humanreader@infosec.pub 21 points 1 year ago

Speaking of which, stuff that frequently comes up in privacy related forums:

Differentiate between your professional accounts (it has your real name attached) and your non-professional ones (you use it to discuss pooping methods for example). Don't mix them up. I know many will say "so what if people in the fediverse know where I live and how I poop, I got nothing to hide" a lot, but that's how people got doxxed or swatted.

Even if you don't feel the need to, it's good to sit down and identify the potential threats given certain problems. Do you recycle passwords for email and social media accounts? What about banking? If a malicious coworker or an immature family member got access to your social media profile and posted reputation-damaging content, how bad can things get? Identify the outcomes you can mitigate or must prevent, and plan accordingly.

There is no "100%" when it comes to privacy. It's a process, not an "all-or-nothing" switch. Beginners often ask if "program X and Y will protect me 100%", and the answer usually boils down to "there isn't a single magic pill".

Privacy ≠ Security ≠ Anonymity. A VPN subscription can secure your connection (content secret in transit), but does not make you anonymous (sender known to middle node). You could leave an anonymous message (sender unknown) on a public forum, but the message itself isn't private (content not secret). And so on.

Encryption is a useful tool, but don't fall for the "military grade encryption" speech. They often mean "we just slapped whatever shit it came up with", nothing extraordinary.

There are many more but I will stop for now. No, I am not in Guantanamo.

[-] gvasco@discuss.tchncs.de 2 points 1 year ago

Great points all around!

[-] redcalcium@c.calciumlabs.com 16 points 1 year ago* (last edited 1 year ago)

Also, do not post personal information here ever. Once you posted a comment, there are no guarantee you can fully delete them later. If you post a personal information, there is a chance that it might still up in some instance somewhere even if you attempt to delete it. Some instance might not receive the activitypub push about the deletion due to federation issue/lags, getting blocked from the original instance, bugs or random internet connection issues. Use other channel if you need to share personal info to fellow lemmings so you can be sure to purge them if needed later (e.g a link to pastebin, discord, etc)

[-] ShadowPouncer@kbin.social 7 points 1 year ago

If there are not already people running fediverse nodes that exist specifically to harvest potentially 'interesting' data, there will be.

You edited it? That's maybe interesting. You deleted it? Same deal, maybe interesting.

It looks like an email address? Definitely might be interesting. A phone number? Yep.

An address? Definitely could be interesting.

If you posted it, assume that it will always be available to the exact people that you don't want to see it.

[-] PlutoniumAcid@lemmy.world 5 points 1 year ago

You said, do post. I am sure you meant, don't post.

load more comments (1 replies)
[-] CoderKat@lemm.ee 2 points 1 year ago

I wouldn't say don't post personal information at all. But rather don't post information that you're not comfortable with everyone knowing, while being identified and never being able to delete it.

IMO it's best to assume that if you post enough online, someone dedicated enough will be able to identify you, especially people who already know you in real life. It's difficult to post without revealing small details about yourself that can be combined to piece together who you are. Eg, you might never say where you work, but your city, field, an offhand comment about a coworker, a mention of a conference, and such might let someone narrow it down. Similarly, you might never mention what city you're in, but it might be narrowed down from mentions of things like traffic, weather, events near you, remarks of things being close by, etc. And that's not even getting into devious things like trying to trick someone into clicking a link to a domain you control so that you can get their IP.

I'm of the opinion you should generally act as if you're talking to people face to face with a name tag saying your full name and address. I think that approach also just plain makes the internet a better place. Anonymity seems to make a lot of people more comfortable being aggressive assholes.

I say "generally" because there's plenty of valid reasons to want to post things you would want to post things that you'd never say if identified. But in that case, you should strongly consider using an absolutely minimal throwaway account, while being extremely careful with details. And even then, you should at least consider that you might still get identified. In particular, I think a lot of users of throwaways only consider strangers not being able to identify them. Sometimes that's all you care about, but your family, friends, and coworkers are going to have a lot easier time identifying you.

[-] Trapping5341@lemmy.world 15 points 1 year ago

When I made my account was the first time I used a Firefox relay account for more than just testing how it worked 😂 didn't even think about the fact that fediverse instances are probably "less secure" or could even be outright malicious from the get. Been using bitwarden for about a year now and honestly I love it as well.

[-] didnt_readit@lemmy.world 15 points 1 year ago

I totally agree with using strong unique password manager generated passwords for every server (as everyone should do for every service they use regardless) but my email has been leaked so many times by so many breaches I’m not sure I really care about that part at this point…

[-] 9284562@kbin.social 6 points 1 year ago

In case you are concerned about giving up a personal email for signup, you can use temporary email generators for signing up for Lemmy as well. There are plenty available.

[-] ShadowPouncer@kbin.social 6 points 1 year ago

I use + addresses for stuff.

Well, since I run my own mail server, I tend to use _ instead of + as the separator, simply because more places will consider it a valid address.

But it's amazing how useful it is to include the name of whoever you're giving the email address to in the email address. It lets you keep getting email for stuff like password recovery. And when an address is leaked, not only can you block that one, but you also get to know who leaked it.

Which is awesome for knowing which businesses to never use again.

[-] Cevilia@lemmy.blahaj.zone 9 points 1 year ago* (last edited 1 year ago)

The throwaway email providers I personally use are:

  • If I want to receive ongoing messages and have the ability to reset passwords etc: DuckDuckGo
  • If I don't care what happens after the first email: Yopmail
[-] i_need_a_vacation@kbin.social 3 points 1 year ago

DDG is great, I've been using it for a while now, but I recently learned that I can also send mails from my main account as a @duck.com address and now I'm in love.

[-] Nemo@midwest.social 7 points 1 year ago

Adding on (because I almost did this very, very stupid thing until I stopped and thought for a moment):

If you create accounts on multiple instances with the same username, don't use the same password. Otherwise anyone with access to one has access to all.

[-] GunnarRunnar@kbin.social 6 points 1 year ago

Passwords aren't encrypted? Or you mean if an instance's password leaks, they all leak? Because that applies to everything. Use unique passwords with every account, everywhere.

[-] ShadowPouncer@kbin.social 4 points 1 year ago

The advice to always use a unique password per site is an excellent one.

The why is multifaceted, and some of them are moderately complex.

First off, not every site is going to be storing your password in a good a secure manner.

In an ideal world, every site on the planet would be hashing it with something like bcrypt with a fairly aggressive cost setting, and good salts.

And they would have a way to automatically rehash your password on login in the event that the password hashing settings change. (Almost everyone misses this one.)

In practice... It could be stored in plain text. It could be hashed with classic crypt(), or with md5 or sha1 with no salt. There are so many ways to get it wrong.

On the rehashing one, they could have picked something that was best practices at the time, you setup your account, and then two years later, best practices have changed, it turns out that there was a way to attack the previous way, so they change how they do it... And that's great for everyone who changes their password or sets up a new account after that change, but everyone who did it before that change? Well, those passwords are just sitting there hashed by the old method indefinitely.

Or someone could compromise the site, and grab every password everyone enters.

Or you could fall prey to a phishing attack, and type your login to what looks exactly like the site in question, but is infact a common typo of the real domain.

Again, there are a lot of ways for the password used on a site to get compromised. Many of those ways are entirely out of your control. It is standard practice for attackers to attempt to use that password and username / email on other services when this happens, just so that they can see what else they can get into.

Don't let that work.

load more comments (1 replies)
[-] gvasco@discuss.tchncs.de 2 points 1 year ago

For real! In any case people should always be using unique passwords for any account on any service, but yeah this is definitely understated.

[-] buco@lemmy.fmhy.ml 7 points 1 year ago

You could also use an instance that doesn't require email for signups. Like fmhy or lemmynsfw.

[-] henfredemars@infosec.pub 5 points 1 year ago

If they don't use email, how do these instances prevent themselves from being immediately overrun by bots?

[-] buco@lemmy.fmhy.ml 8 points 1 year ago

Fmhy requires you to write a sentence with a certain number in it and use manual approval of accounts. I don't know about lemmynsfw.

[-] variants_of_concern@lemmy.one 3 points 1 year ago

It's the same with lemmy.one, took me a few days to get in without an email waiting for approval

[-] BlueEther@no.lastname.nz 2 points 1 year ago

Captcha or signup questions/response.

I think I only had about 10 bots sign up on my instance - caught the beginning of the wave before it kicked off

load more comments (1 replies)
[-] big_duck_energy@partizle.com 7 points 1 year ago

Weird question - if you change your email address, is the change you made, and the old and new email address now federated out to all the other instances, meaning in a hypothetical leak, both email addresses get leaked? Or would only the newest one be saved and federated, and therefore leaked?

[-] drone509@discuss.tchncs.de 8 points 1 year ago

I do not believe either mastodon or lemmy federate your email address at all. Only the server you join has that information. You might have to worry if you have signed up to an uncrupulous instance. That instance admin could sell your email, I guess. They would have access to any email you gave them, so changing it would probably not help. I think the problem is a little overstated, honestly.

[-] person@fenbushi.site 6 points 1 year ago

federated users and local users are stored in the database in different tables. The federated users table doesn't have emails saved in it.

[-] woodnote@lemm.ee 4 points 1 year ago

My question as well! Since I didn't know this at signup and used my primary email, am I screwed no matter what in the event of unscrupulous data collection?

load more comments (1 replies)
[-] Drunemeton@lemmy.world 6 points 1 year ago

Caution: The following requires that you have "Keychain" and "iCloud Mail" activated for your Apple ID, and are running iOS 15+, iPadOS 15+, and macOS Monterey+ on the applicable devices.

For macOS / iOS / iPadOS users you can use "Hide My Email" (aka "Sign in with Apple") to have a randomly generated e-mail address used for sign-ups. Then you can have Keychain generate a random, strong, passcode for you to use on that particular website.

Note: If you see just an "e-mail" field on the sign-up page, and when you click in it you see a drop-down menu of your current Apple e-mail addresses, just scroll to the bottom of that list to get to "Hide My E-mail".

After you've completed a sign-up on a website (not just federated, but any website) Apple will e-mail you the new e-mail address you generated and for which website is was used on. Store that in a safe place to easily keep track of what's being used where. (You can also find them here: System > Apple ID > Hide My E-mail > Options…)

All of the above, the randomly generated e-mail addresses and passcodes for the websites, are automatically synced through iCloud to all of your devices signed into the account used to create them.

Note: The "Sign in with Apple" button is a bit weird. When you've used it on a website, then later go back and are asked to sign-in to your account, you'll see the same "Sign in with Apple" button you saw originally. There's no visual indicator on the page that you've used this feature before. It's not until you select the button that the next screen will show you the e-mail address that was generated.

[-] kuroshi@lemmy.ramble.moe 5 points 1 year ago

This is a good explanation of the feature for use with Lemmy.

I’m gonna be an annoying pedant for a second though and say that “hide my email” and “sign in with apple” are two different and unique features, though they both act as an email relay.

The former just creates a semi-random email address for you that forwards to your email. This address will end in “@icloud.com,” making it indistinguishable from any other iCloud email address (other than the ridiculous address you get).

The latter is an authentication system that allows you to sign up for services that support it with your apple account. The service doesn’t get your password directly of course, when you click the “sign in with apple” button it will redirect you to an apple sign in, typically faceID or touchID, and when you sign in successfully (or are already signed in to Apple) it will redirect back to the service with a token that says “this person is cool.”

Importantly for this conversation though, you can optionally send the service your real email or a generated email address as a relay, but the generated email is not the same as the email generated by “Hide my email,” instead it’s a clearly random series of characters and ends in “@privaterelay.appleid.com”.

In the end they have roughly the same purpose for your email, but the important bit here is that on Lemmy, only “hide my email” will be useful. There are no Lemmy instances that support “sign in with Apple” (yet).

Okay, I’ll stop being a pedant now. Sorry for being annoying there.

[-] Drunemeton@lemmy.world 4 points 1 year ago

Thank you for the excellent clarification.

[-] discodoubloon@kbin.social 3 points 1 year ago

Ha ok this is fun. I do like this idea for most people. You should sign up with as little information as you need. You still must watch what you say.

I do also think you should have a federated business server before you start posting with your real name/loc

[-] axzxc1236@lemmy.world 2 points 1 year ago

Or get yourself your own domain name, and use a email service provider that can forward all emails of the domain name to one account.

load more comments
view more: next ›
this post was submitted on 05 Jul 2023
323 points (97.9% liked)

You Should Know

32162 readers
395 users here now

YSK - for all the things that can make your life easier!

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must begin with YSK.

All posts must begin with YSK. If you're a Mastodon user, then include YSK after @youshouldknow. This is a community to share tips and tricks that will help you improve your life.

Rule 2- Your post body text must include the reason "Why" YSK:

**In your post's text body, you must include the reason "Why" YSK: It’s helpful for readability, and informs readers about the importance of the content. **

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Posts and comments which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding non-YSK posts.

Provided it is about the community itself, you may post non-YSK posts using the [META] tag on your post title.

Rule 7- You can't harass or disturb other members.

If you harass or discriminate against any individual member, you will be removed.

If you are a member, sympathizer or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people and you were provably vocal about your hate, then you will be banned on sight.

For further explanation, clarification and feedback about this rule, you may follow this link.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- The majority of bots aren't allowed to participate here.

Unless included in our Whitelist for Bots, your bot will not be allowed to participate in this community. To have your bot whitelisted, please contact the moderators for a short review.

Partnered Communities:

You can view our partnered communities list by following this link. To partner with our community and be included, you are free to message the moderators or comment on a pinned post.

Community Moderation

For inquiry on becoming a moderator of this community, you may comment on the pinned post of the time, or simply shoot a message to the current moderators.

Credits

Our icon(masterpiece) was made by @clen15!

founded 1 year ago
MODERATORS
_MoveSwiftly@lemmy.world
Thekingoflorda@lemmy.world
ja2@lemmy.world
Rooki@lemmy.world
Boozilla@lemmy.world