126
22
submitted 1 month ago* (last edited 1 month ago) by Nuxleio@lemmy.ml to c/privacy@lemmy.ml

Hi all!

Newbie here on a privacy journey. My current objective is to create a cute little phone that limits tracking by surveillance capitalists, law enforcement, & the state.

That said, the stakes are not particularly high here. I just miss the world I grew up in & find the call of freedom enticing. So this is more of a hobby project for me to be able to put my main phone down and experience a world without tracking again.

So far I have installed GrapheneOS on my old phone. I'm absolutely in love with it and I'm 100% sold on one day even migrating my main phone to it. But that's not my main concern today.

For now, I have some questions related to SIM cards.

I understand that in order to avoid device number leaks (if that's something one cares about) it's important to not have a SIM card in the device and keep it on airplane mode.

However, years before privacy ever mattered to me I already had a SIM card and two eSIMs in this phone. And all of the advice I read talks about NEVER putting a SIM card in, but I have a hard time thinking critically about what that really means for those of us who ALREADY had one in.

If I remove that SIM card and eSIM and carry on using the phone, what are the privacy implications of such a choice?

Likewise, if I leave the SIM cards in but keep the phone on airplane mode is it really all that bad?

I assume at minimum this means that the IMEI number is stored somewhere in some cell tower logs. If the state were to seize my phone they could I suppose link the phone to things I did with my phone or accounts I used back before privacy mattered to me.

But are there other implications as well? Is this phone forever going to leak a connection to my old activity even if I remove the SIM cards, leave it on airplane mode, use a VPN and ensure it never falls into bad hands?

Thanks!

127
35
submitted 1 month ago* (last edited 1 month ago) by arakhis_@feddit.org to c/privacy@lemmy.ml

Do you recommend some or know how to find out? To be more privacy-friendly ofc

EDIT: -possibly working with addons like ublock (vern cc has ad breaks) and emote support (so chat isn't a cryptic jungle)

-Primarily on desktop, but additional app welcome

-Possibly not even communicating with Amazon (like for YT for example only psTube does to my understanding)

QUESTION: Could it possibly work to still participate in the chats (like I imagine a throwaway account for example) or does that break the whole concept of privacy? How does that work exactly?

128
31
submitted 1 month ago by yogthos@lemmy.ml to c/privacy@lemmy.ml
129
10
submitted 1 month ago by Telorand@reddthat.com to c/privacy@lemmy.ml

cross-posted from: https://reddthat.com/post/38409619

Tuta is having a birthday sale, putting their highest Legend tier at the same price as their second-highest Revolutionary tier, and I'm wondering two things:

  • Is this a good deal for 36€ per year?
  • Is this a deal that comes around every year, or is this a rare sale?

I use addy.io to manage aliases, so the extra addresses are whatever. The custom domains might be nice, since I could potentially(?) use that with Addy. I've been pretty judicious with my free 1GB of space, but having 500GB would be more than comfortable (besides being overkill).

I'm not really interested in getting into self-hosting right now, but I might in the future, so I'm also curious how y'all who self-host email feel about a deal like this. Comparable to the cost of self-hosting? Similar features?

Thanks!

130
27
submitted 1 month ago by yogthos@lemmy.ml to c/privacy@lemmy.ml
131
10
submitted 1 month ago by cyrano@lemmy.dbzer0.com to c/privacy@lemmy.ml

Joan Didion and John Gregory Dunne met in the late fifties, when she was working at Vogue and he at Time. They married in 1964, and in 1966 they adopted a baby girl, giving her a name from the Yucatán: Quintana Roo. Together, Didion and Dunne lived out one of the most collaborative literary marriages in American history. Last week, after two years of preparation, the New York Public Library opened the Didion-Dunne archive to the public. Among its three hundred and thirty-six boxes of material is a thick file of typewritten notes by Didion describing her sessions with the psychiatrist Roger MacKinnon, beginning in 1999. Addressed to Dunne, the entries are full of direct quotations and written with the immediacy of fresh recollection. Didion was concerned about Quintana and her struggles with depression and alcoholism, but she was preoccupied, too, with aging, with creative fulfillment, with the complex dynamics of their family. She recorded her thoughts with the cool, forensic clarity she was known for.

https://archive.is/Cricr

132
159
submitted 1 month ago by schizoidman@lemm.ee to c/privacy@lemmy.ml
133
79
submitted 1 month ago by ssroxnak@lemmy.world to c/privacy@lemmy.ml
134
12

I haven’t had any problems upvoting or accessing Lemmy content, but yesterday, whenever I tried leaving a comment on a post, I triggered a 403 error (both from the Mlem app and my browser) which identified the use of VPN as an issue. Once I disabled my VPN, I was able to post the comment.

Now, while trying to make this post, I am experiencing errors too.

Has anyone else experienced this, and have you found workarounds?

135
135
submitted 1 month ago by schizoidman@lemm.ee to c/privacy@lemmy.ml

As part of its efforts, the bloc has repeatedly introduced its Chat Control legislation, aimed at weakening the encryption that protects messaging services and forcing providers to provide a client-side backdoor for law enforcement.

136
105
submitted 1 month ago by grid11@lemy.nl to c/privacy@lemmy.ml
137
89
submitted 1 month ago by jwr1@kbin.earth to c/privacy@lemmy.ml

Privacy Guides is formally taking a stand against dangerous and frightening technologies.

138
3

I’m trying to move away from Telegram. I have the iOS app but don’t see any option for downloading my chats or photos and videos sent to me. Has anyone done this recently and can give some pointers?

139
12

Hey everyone,

last weekend at a friend's house I saw the Alexa Show (I think?) in action. It was used as a digital family-calendar, weather forecast and music player. It sat there on the fridge like an old school family planner. The music-player wouldn't be relevant to me. But a digital calendar in the kitchen with weather forecast looks really appealing. Do you probably know a privacy-friendly and suitable project with the possibility to implement my CalDav-Calendar(s)? Probably open source? And without a lot of tinkering? (:

140
16
Help with Privacy (lemmy.world)
submitted 1 month ago by pandorabox@lemmy.world to c/privacy@lemmy.ml

I've just started getting into privacy, but I had a few questions.

  1. I haven't switched operating system yet due to fear of losing my data. I have a lot of pictures, contacts and messages I don't want to go missing. I have a OnePlus and I really love it. I do not want a Pixel phone. Is there a way I can maintain privacy without changing phones?
  2. If I delete Google Play Services, will my phone not work correctly?
  3. I have been replacing my apps with open source apps, is that helpful?
  4. What VPN should I use? I have Malwarebytes.
141
28

I was using protonmail for my custom domain for work and private emails but now I think mailbox has better options, providing way more custom domain emails. Wondering what the best use case is? Thinking of using my own domains instead of proton. I have this one and my name.

Using name@name.com or bills@name.com is fun and easy but is it private? These companies already know my name so is using my work website domain okay?

Current emails

142
9
Cyber Logistics Inc (www.reddit.com)
submitted 1 month ago* (last edited 1 month ago) by AcidicBasicGlitch@lemm.ee to c/privacy@lemmy.ml

I posted on my local subreddit asking about this sheisty van that I saw outside of my house.

It has the name cyber logistics inc on the side and when I looked it up online it just got weirder and weirder, but I couldn't find any real information about it.

There are similar branches in Florida (most recently), NY/NJ, IL, and South Africa. Still don't know wtf this is?

I just woke up to a post this morning letting me know it's registered to the Louisiana Secretary of State. Given the LA Governor quietly granting the National Guard authority to act during a declared state of emergency involving cyber security, I admit I'm a little on the paranoid side lately especially about things like government surveillance.

I flipped out when I saw the message bc I'm paranoid and kind of dumb like that, but a friend of mine let me know all businesses are registered with LA secretary of state.

So I definitely overreacted, and don't want to contribute to any disinformation/misinformation, but maintain:

  1. Whatever the fuck cyber logistics inc/cyber transport ltd is, it's fucking sheisty.

  2. If Landry can blame George Soros for voters in Louisiana not voting the way he wanted and still be Governor, I can at least ask questions about his power grabs and granting authority to the National Guard

Original Post: https://www.reddit.com/r/NewOrleans/comments/1jogla7/anybody_know_anything_about_cyber_logistics_inc/#lightbox

Corrected Update: https://www.reddit.com/r/NewOrleans/comments/1jovxn1/til_that_while_cyber_logistics_inc_is_registered/

Landry EO and GOHSEP State of Emergency Cyber: https://pimento-mori.ghost.io/comparing-edwards-original-state-of-emergency-cybersecurity-incident-with-landrys-renewal-2/

143
156
submitted 1 month ago by doodledup@lemmy.world to c/privacy@lemmy.ml
144
41
submitted 1 month ago* (last edited 1 month ago) by Achsonaja@sh.itjust.works to c/privacy@lemmy.ml

Is there an open source solution that lets you record from your phone to an offsite location? Preferably something self hosted, but not crucial I guess.

Just thinking about scenarios where people in the US are stopped by cops and need to record their interactions, but want to make sure that the local info isn't destroyed. I've tried the Mobile Justice app for my state but it's not very reliable and I have no insight into the data after it's left my device.

145
483
submitted 1 month ago* (last edited 1 month ago) by compostgoblin@slrpnk.net to c/privacy@lemmy.ml

A prominent computer scientist who has spent 20 years publishing academic papers on cryptography, privacy, and cybersecurity has gone incommunicado, had his professor profile, email account, and phone number removed by his employer Indiana University, and had his homes raided by the FBI. No one knows why.

Xiaofeng Wang has a long list of prestigious titles. He was the associate dean for research at Indiana University's Luddy School of Informatics, Computing and Engineering, a fellow at the Institute of Electrical and Electronics Engineers and the American Association for the Advancement of Science, and a tenured professor at Indiana University at Bloomington. According to his employer, he has served as principal investigator on research projects totaling nearly $23 million over his 21 years there.

He has also co-authored scores of academic papers on a diverse range of research fields, including cryptography, systems security, and data privacy, including the protection of human genomic data. I have personally spoken to him on three occasions for articles here, here, and here.

"None of this is in any way normal"

In recent weeks, Wang's email account, phone number, and profile page at the Luddy School were quietly erased by his employer. Over the same time, Indiana University also removed a profile for his wife, Nianli Ma, who was listed as a Lead Systems Analyst and Programmer at the university's Library Technologies division.

According to the Herald-Times in Bloomington, a small fleet of unmarked cars driven by government agents descended on the Bloomington home of Wang and Ma on Friday. They spent most of the day going in and out of the house and occasionally transferred boxes from their vehicles. TV station WTHR, meanwhile, reported that a second home owned by Wang and Ma and located in Carmel, Indiana, was also searched. The station said that both a resident and an attorney for the resident were on scene during at least part of the search.

Attempts to locate Wang and Ma have so far been unsuccessful. An Indiana University spokesman didn't answer emailed questions asking if the couple was still employed by the university and why their profile pages, email addresses and phone numbers had been removed. The spokesman provided the contact information for a spokeswoman at the FBI's field office in Indianapolis. In an email, the spokeswoman wrote: "The FBI conducted court authorized law enforcement activity at homes in Bloomington and Carmel Friday. We have no further comment at this time."

Searches of federal court dockets turned up no documents related to Wang, Ma, or any searches of their residences. The FBI spokeswoman didn't answer questions seeking which US district court issued the warrant and when, and whether either Wang or Ma is being detained by authorities. Justice Department representatives didn't return an email seeking the same information. An email sent to a personal email address belonging to Wang went unanswered at the time this post went live. Their resident status (e.g. US citizens or green card holders) is currently unknown.

Fellow researchers took to social media over the weekend to register their concern over the series of events.

"None of this is in any way normal," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, wrote on Mastodon. He continued: "Has anyone been in contact? I hear he’s been missing for two weeks and his students can’t reach him. How does this not get noticed for two weeks???"

In the same thread, Matt Blaze, a McDevitt Professor of Computer Science and Law at Georgetown University said: "It's hard to imagine what reason there could be for the university to scrub its website as if he never worked there. And while there's a process for removing tenured faculty, it takes more than an afternoon to do it."

Local news outlets reported the agents spent several hours moving boxes in and out of the residences. WTHR provided the following details about the raid on the Carmel home:

Neighbors say the agents announced "FBI, come out!" over a megaphone.

A woman came out of the house holding a phone. A video from a neighbor shows an agent taking that phone from her. She was then questioned in the driveway before agents began searching the home, collecting evidence and taking photos.

A car was pulled out of the garage slightly to allow investigators to access the attic.

The woman left the house before 13News arrived. She returned just after noon accompanied by a lawyer. The group of ten or so investigators left a few minutes later.

The FBI would not say what they were looking for or who is under investigation. A bureau spokesperson issued a statement: “I can confirm we conducted court-authorized activity at the address in Carmel today. We have no further comment at this time.”

Investigators were at the house for about four hours before leaving with several boxes of evidence. 13News rang the doorbell when the agents were gone. A lawyer representing the family who answered the door told us they're not sure yet what the investigation is about.

This post will be updated if new details become available. Anyone with first-hand knowledge of events involving Wang, Ma, or the investigation into either is encouraged to contact me, preferably over Signal at DanArs.82. The email address is: dan.goodin@arstechnica.com.

146
39
submitted 1 month ago by agile_squirrel@lemmy.ml to c/privacy@lemmy.ml

I was thinking about how all of my passwords are compromised if I have malware on my system. It made me wonder, does Vaultwarden or KeePassXC/KeePassDX offer better protection on a malware infected system?

Vaultwarden

  • Only accessed locally via LAN/VPN
  • Set up for 2 factor authentication using WebAuthn (FIDO)

KeePassXC/KeePassDX

  • Synced locally via syncthing
  • Set up for 2 factor authentication using HMAC-SHA1 Challenge-Response
  • All clients blocked from internet access

I don't use browser extensions and I manually copy/paste my passwords to fill in entries.

KeePass has good memory protection, but the 2FA can be read from USB and doesn't change every time the database is decrypted. Vaultwarden enables the more secure FIDO2 2FA, but to my knowledge has less secure memory management as the entire database is decrypted on unlock.

147
22
submitted 1 month ago by ProtozoanDusk@lemm.ee to c/privacy@lemmy.ml

I was thinking about personal data security and let my mind wander. I decided that if you were exceptionally paranoid then........

When thinking about personal data it may occur to you that, once you have implemented an adequate 3 stage backup system to avoid data loss, your main risk is the exfiltration and use of that data for nefarious purposes.

Personal data, e.g. the pictures or messages on your phone or pc, can imply many different things such as religion, sexual orientation, health details, political views etc. that could potentially be used against you by a bad actor.

As such, it would seem rather inadvisable to hold any data on any device that is not encrypted in a fashion whereby only you hold the encryption key.

Further, if you are going online using the device then, even if the device has a trusted OS that implements full disk encryption, then it would also seem inadvisable to hold any data on the device that isn't separately encrypted within the operating system. The data would be protected before first unlock by the OS encryption and after first unlock by the separate encryption.

As the password for this separate encryption would necessarily need to be complex you would be best storing this within a trusted password manager that employs zero-knowledge encryption or even better one that does not employ cloud-based syncing. You would also probably want to pepper the password with memorised additional digits.

You might then consider that, as encrypted data, while not especially useful now, may be seen as potentially more valuable should it be exfiltrated and stored for future decryption once technology allows, it may not be the best idea to store this encrypted personal data on any device that connects to the internet or even in a zero knowledge encrypted cloud-based storage solution.

You would then presumably decide that it is best to carry all the data you may wish to access at short notice encrypted on a portable simple data storage device that you could connect to any devices you wish to access the data on. You make the assumption that whoever mugs/holds you up/pickpockets and takes the data device is less likely to hold onto the encrypted data than an online attacker.

It is possible that you would then adjust your 3 stage backup system to be based on 3 non-internet-connected simple data storage devices kept in 3 separate locations, one of which you carry around with you.

It was at this point that I decided to stop thinking about it. Lol. As noted, this train of thought would probably only occur if you were exceptionally paranoid and it could be theorised that at that point it is debatable whether you are more at danger from data exfiltration and exploitation or the very angry rabbits that want to know why you are so far down the rabbit hole. Lol.

148
12
submitted 1 month ago by Wolfie@lemm.ee to c/privacy@lemmy.ml

I tend to play Team Fortress 2. It's a rather old game. The server I play on used to allow anyone to connect. Later on, it kicked me (sometimes) because it detected me originating from one of MullvadVPN's IP addresses. They seem to have updated the blacklist list so it always seems to detect me using a VPN. I just don't want to share my public IP with them.

Is there a clever way around this? I feel like all the residential proxies tend to be quite pricey compared to a normal VPN

149
22
submitted 1 month ago by root@lemmy.world to c/privacy@lemmy.ml

I am looking for a simple to use VoIP provider that I mainly plan to use for 2FA (when a cell number is required). I know there are checks that sometimes prevent VoIP from being used but I figure it's worth a shot.

MySudo looks nice but they require Google play services to be installed, VoIP.ms looks nice too but I've had a hard time getting a hold of anyone there to help with activating my account.

Anyone have any recommendations?

150
22
submitted 1 month ago by Gangly3090@lemmy.ml to c/privacy@lemmy.ml

Hey all, so I randomly decided to check over Windscribe's VPN relationship chart again to look over some stuff on various providers. I always make sure to check the sources rather than just taking what it says and I already use Mullvad so it was really just mindless reading more than anything.

But going through Surfshark's entry, there was this

[3] SurfShark's TrustDNS app is used to collect data on the user for advertising and marketing purposes.

Advertising. We may receive certain information about you (cookie id, mobile device id, when you use our Trust DNS app – advertising IDs, in app events, such as in-app purchase or amount and type of ads watched, information about what browser, network, or device is used to access and use Trust DNS) from certain advertisers and advertising partners for advertising purposes. Our advertising partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising and account-based advertising." Legal basis for the processing of personal information is our legitimate interest to deliver relevant ads and promotional messages to you." 

The source they provided to find the privacy policy was: https://surfshark.com/trust-dns

Obviously a VPN company ever making something that does all this is... Pretty bad? From what I can tell looking up stuff it was launched in September 2019. For how long it lasted I have no real clue. Best I can find was this GitHub repo developed by someone who has like no other commit or repository history that only hosts DNS servers and was last updated in 2020??? Archive.org and other sites on cachedview provide nothing when I use the URL above, and it just goes to the normal Surfshark homepage now.

https://github.com/TrustDNS https://github.com/SharonBarcia

This whole thing just feels very strange overall. So if someone could shed some light on this I'd be pleased!


Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago