804
232
submitted 6 months ago by Sunny@slrpnk.net to c/privacy@lemmy.ml

Welp I guess this is the perfect example of companies not deleting your credentials and account info when asking for it... I deleted my Notion account several years ago. And completely randomly today got an email from them about data retention, assuming this is one of those "important" emails they have to send out. Sadly, years ago I wasn't using email-aliases like I am today, so still stuck with them having my email. Fuck I hate this so much. Thought I'd just share this lesson, use aliases my friends!

805
35
submitted 6 months ago by jinwk00@lemm.ee to c/privacy@lemmy.ml

I wanted to degoogle since Google has been most annoying so far with S21FE. Was thinking of getting Pixel 8a but due to mixed reviews I was looking for other phones. Thoughts on this? Would be also nice if I can get some opinions from people who have the phone as well.

806
1
Signal forks (lemmy.ca)
submitted 6 months ago by uzi@lemmy.ca to c/privacy@lemmy.ml

What would be people's recommendation between using Molly, Langis and Signal-FOSS? I have always used Molly for years but I'm open to something else.

807
425
submitted 6 months ago* (last edited 6 months ago) by BenchpressMuyDebil@szmer.info to c/privacy@lemmy.ml

I've been a social media hermit for the past 3 years but recently I've given up and created a few accounts across different apps again. It's unreal how strict the requirements are now.

  1. Give e-mail (ok)
  2. Give phone number (.... eeh, ok)
  3. Use the new account for a while
  4. Account suspended, please upload selfie to continue (no thanks xi). There are also some verification prompts where you have to record a video and rotate your face left to right

If this isn't a message to move to indie web I don't know what is

808
85
submitted 6 months ago* (last edited 6 months ago) by xabadak@lemmings.world to c/privacy@lemmy.ml

I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?

Two sentence summary of the vulnerability

When you use a commercial VPN like Mullvad or NordVPN, the VPN client tells your system to redirect all traffic through the VPN. This recent vulnerability shows that a malicious device on the network can trick your system into redirecting traffic to their device instead.

Claim: just don't connect to hostile networks!

This is hard in practice. For most people, the only "trusted" networks are your home network and your workplace. So you still have to worry about coffee shops, airports, hotels, restaurants, etc. And if you are using cellular data, the cellular tower can perform this attack to snoop on your traffic.

Claim: but I trust the hotel owner, restaurant owner, etc

This attack allows any device on the network to impersonate a DHCP server and attack your system, not just the router. And while there are router settings that can prevent devices on the network from talking to each other, afaik they are rarely used. So even if you trust the owner of the cafe, you have to also trust everybody else in the cafe.

Claim: if you use HTTPS you are safe!

If the attacker redirects traffic to their machine, then even if you use HTTPS, the attacker can still see what websites you connect to, they just can't see what you are sending or receiving. So basically they can steal your browsing history, which defeats the purpose of a commercial VPN for many users.

Claim: Linux users are safe!

Not quite. The report says that Linux has a feature that is able to fully defend against this vulnerability, called network namespaces. So if your VPN uses that, congratulations. Afaik most VPNs do not use this, and instead use a kill-switch or a firewall. In which case Linux, Mac, and Windows users are all affected the same way, and I go into it more in the next claim.

Claim: if you use a kill-switch you are safe!

The term "kill switch" gets thrown around a lot but there's actually two major ways that a kill-switch can be implemented. The first way is a more literal "kill switch" - when the VPN connection drops, the kill switch is triggered and blocks leaks. The other way is a persistent firewall, which blocks leaks all the time.

If your VPN client uses the first kind, then bad news, it won't protect you against this attack. This is because the VPN connection is never dropped, so the kill switch is never triggered. NordVPN was caught using this poor practice, to nobody's surprise (more info here).

If your VPN uses the second kind, then you should be safe. For example, Mullvad published a statement about how they are not vulnerable here. I would hope that any competent VPN would also use a persistent firewall, but if your VPN provider hasn't published a statement yet, unfortunately your only other option is to inspect the VPN client yourself.

That being said, even if your VPN uses a persistent firewall, you may have read in the report that there's a "side-channel" attack still possible...

Claim: even if you use a firewall, there's a side-channel attack

This is true, but from what I read the side-channel is actually very hard to pull off and gain any useful information from. You can read some discussion about it here. My takeaway is that if you're a regular user, you don't have to worry about it. But we should still push VPN providers and network engineers to use network namespaces in their applications, since they are more resistant to these kinds of attacks.

Claim: you shouldn't trust commercial VPN providers anyways

This is not really about the vulnerability but I've seen it a lot in the discussions. I think it's a mischaracterization of why people use VPNs. If you are using the internet, somebody has to send that traffic to your destination. The three major options are your ISP, a VPN provider, or Tor. Depending on your location and your circumstances, you will trust these three differently. In the EU, ISPs are not allowed to sell data. In the US, ISPs are allowed to, and have been caught doing so. VPNs can sell data too but they risk losing their entire business. Tor is much harder to judge, but the bigger issue with Tor is that many websites block it.

Further reading:

809
55
submitted 6 months ago by pound_heap@lemm.ee to c/privacy@lemmy.ml

Hey all,

I've been using a commercial VPN for years on my mobile devices and home PCs. Recently I've started to use Tailscale and realized I can easily create a self-hosted VPN on a cheap VPS with unlimited traffic.

But I'm not really sure if that's what I need. BTW, I'm not doing anything dangerous, no torrents, no illegal stuff, no journalism or whistleblowing, not even looking up abortion clinics. I just hate mass surveillance and I don't want to be constantly profiled.

Commercial VPN allows to "hide in a crowd" by sharing IP with thousands of other clients. But there are a few issues:

  1. Often sites blacklist VPN IPs, so I can't get in or pass captcha
  2. Performance is not very good
  3. I have to trust VPN to not keep the logs and not sell data. I used Mullvad and they are considered reliable, but you never know until it's too late

With self-hosted VPN, I'm losing benefit of "hiding in crowd" as my VPN will be used only by me and maybe a couple of other people. My understanding is that my VPS outgoing traffic is from static server IP. So if I login to Facebook once, the address is associated with me. I'll also have to trust VPS provider to not analyze my traffic and sell it. On other hand, I'm still protected from my ISP spying, from exposing my real IP address to web sites, from dangers of public WiFi networks. And I might get better performance for about the same price.

What's your take on VPNs? Tell me if you are using self-hosted VPN and why.

812
119
submitted 6 months ago* (last edited 6 months ago) by lemmyreader@lemmy.ml to c/privacy@lemmy.ml

By the way, the earlier posted article https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain had an update starting at the paragraph with title Update: Statement from Proton and additional commentary

813
36
submitted 6 months ago* (last edited 6 months ago) by LoveSausage@lemmy.ml to c/privacy@lemmy.ml

Ordered a new phone so I wanted a new SIM for a clean slate. My country requires KYC for SIM cards. So I ordered this https://www.ebay.com/itm/295938085941 I see now that the card is being shipped from Israel.

(I'm in another EU country)

Cloning, swapping etc., how bad an idea was this on a scale from 1-10? Even if the package is unbroken, I assume someone with physical access (and resources) can do a lot of stuff?

Miss being able to go get one from the corner store. But idea was to load it up by cash bought giftcards.

Also played with the idea of getting a gl-inet portable router and skip SIM card in phone but it is quite a bit of hassle to have another device to maintain and carry...

814
32
submitted 6 months ago by lemmyreader@lemmy.ml to c/privacy@lemmy.ml
  • Make a screen shot of your desktop
  • Check with a viewer and see no EXIF data
  • Load it in gThumb to use its crop feature, crop and save
  • Check again with a viewer and see that gThumb added EXIF data including the gThumb version

In the meantime I've started to use other software to crop screen shots but I am still puzzled why gThumb always adds EXIF data?

815
50
submitted 6 months ago by umami_wasbi@lemmy.ml to c/privacy@lemmy.ml

Recently I just got hit by stolen card details, and it has me searching for a virtual card service. Does anyone know of any that work in the UK and EU region? Apparently Privacy.com needs SSN to work now. Thanks.

817
49
submitted 6 months ago by xabadak@lemmings.world to c/privacy@lemmy.ml

cross-posted from: https://lemmings.world/post/8926396

In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won't need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I'm a noob and I couldn't find any scripts or tools to do it that way.

819
74
submitted 6 months ago* (last edited 6 months ago) by s38b35M5@lemmy.world to c/privacy@lemmy.ml

Received notice of a change to the service in my inbox today. Seems icky to me.

Devices in the network use Bluetooth to scan for nearby items. If other devices detect your items, they’ll securely send the locations where the items were detected to Find My Device. Your Android devices will do the same to help others find their offline items when detected nearby

Your devices’ locations will be encrypted using the PIN, pattern, or password for your Android devices. They can only be seen by you and those you share your devices with in Find My Device. They will not be visible to Google or used for other purposes.

ETA: here's the link to opt out: opt out of the network

820
30
submitted 6 months ago by Ward@lemmy.nz to c/privacy@lemmy.ml

Materialious now can be used as a Desktop or Android application. Allowing it to be used for any Invidious instance!

https://github.com/Materialious/Materialious/tree/main?tab=readme-ov-file

821
5

I've attempted to create a VM on my Ubuntu host machine that is accessing the internet via a dedicated VPN app. I'm able to disconnect my host VPN and access the web within the VM, but cannot access the web when the host VPN is enabled. Ideally I'd like to enable the VPN on the host and pass through web access to the VM.

I have two questions:

  1. If my use case is to use a VM to increase privacy and security as well as isolate my operations within the VM from my host, is it better to have the VPN app from inside the VM or pass the host's through to the VM?
  2. If it doesn't make much of a difference, how can I go about passing the host's VPN to the VM?

In either scenario, I'd still like to keep the host's VPN active while being able to use the VM, which I currently cannot.

822
235
submitted 6 months ago by clot27@lemm.ee to c/privacy@lemmy.ml

Here's what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

823
-26
submitted 6 months ago* (last edited 6 months ago) by cmgvd3lw@discuss.tchncs.de to c/privacy@lemmy.ml

(timestamp-link) iPad Pro M4 Hands on - Why I just bought it.
Review from a top YT reviewer, Mrwhosetheboss. How do you guys feel about it?

825
68
submitted 6 months ago by OnePhoenix@lemmy.world to c/privacy@lemmy.ml

I used to use Protonmail, however the verification steps become tedious when creating unique emails for sign ups. I've switched to Tutanota despite it contravening their one account policy. What do you all use for one off emails (for sign ups, etc.)? Or do you prefer one of those 10 minute email sites?

Privacy

32024 readers
1073 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago