Hi, I was planning to encrypt my files with GPG for safety before uploading them to the cloud. However, from what I understand GPG doesn't pad files/do much to prevent file fingerprinting. I was looking around for a way to reliably pad files and encrypt metadata for them but couldn't find anything. Haven't found any recommendations on the privacyguides website either. Any help would be appreciated!

Thanks

Please write the 3 phone brands (in order please) which you think they bring the least number of third-party apps.

Notes:

• 1- PrivacyGuides recommends Google Pixel. But it is not selling on my country. I can not bring it from other countries because it will not have warrant.

• 2- We also don't have fair-phone and nothing-phone (i can not bring it from another country).

• 3- we only have: general-mobile, huawei, samsung, asus, tcl, htc, xiaomi, vivo, infinix, oneplus.

• 4- please dont recomend custom ROM. Its technically difficult for me. Also I will recommend the device to my friend (they don't have even an idead what is custom-rom)

I've been feeling uneasy about the privacy implications of using Lemmy and similar platforms. The ability for anyone to view your entire posting history feels to me like publicly sharing my browser history. In contrast, most other social media platforms allow you to limit your feed visibility to just friends or followers.

I'm curious to hear from the community - what are the most private social media platforms you've come across? I vaguely remember stumbling upon one that automatically removed content after six months and had some other interesting privacy features. Can anyone refresh my memory or recommend some other private alternatives?

Welp I guess this is the perfect example of companies not deleting your credentials and account info when asking for it... I deleted my Notion account several years ago. And completely randomly today got an email from them about data retention, assuming this is one of those "important" emails they have to send out. Sadly, years ago I wasnt using email-aliases like I am today, so still stuck with them having my email. Fuck I hate this so much. Thought I'd just share this lesson, use alises my friends!

I've been a social media hermit for the past 3 years but recently I've given up and created a few accounts across different apps again. It's unreal how strict the requirements are now.

1. Give e-mail (ok)
2. Give phone number (.... eeh, ok)
3. Use the new account for a while
4. Account suspended, please upload selfie to continue (no thanks xi). There are also some verification promps where you have to record a video and rotate your face left to right

If this isn't a message to move to indie web I don't know what is

• Mullvad VPN's blog post: DNS traffic can leak outside the VPN tunnel on Android

Identified scenarios where the Android OS can leak DNS traffic:

• If a VPN is active without any DNS server configured.
• For a short period of time while a VPN app is re-configuring the tunnel or is being force stopped/crashes.

The leaks seem to be limited to direct calls to the C function getaddrinfo.

The above applies regardless of whether Always-on VPN and Block connections without VPN is enabled or not, which is not expected OS behavior and should therefore be fixed upstream in the OS.

We’ve been able to confirm that these leaks occur in multiple versions of Android, including the latest version (Android 14).

We have reported the issues and suggested improvements to Google and hope that they will address this quickly.

• GrapheneOS 2024050900 release changelog announcement:

prevent app-based VPN implementations from leaking DNS requests when the VPN is down/connecting (this is a preliminary defense against this issue and more research is required, along with apps preventing the leaks on their end or they'll still have leaks outside of GrapheneOS)

I wanted to degoogle since Google has been most annoying so far with S21FE. Was thinking of getting Pixel 8a but due to mixed reivews I was looking for other phones. Thoughts on this? Would be also nice if I can get some opinions from people who have the phone as well.

I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?

Two sentence summary of the vulnerability

When you use a commercial VPN like Mullvad or NordVPN, the VPN client tells your system to redirect all traffic through the VPN. This recent vulnerability shows that a malicious device on the network can trick your system into redirecting traffic to their device instead.

Claim: just don't connect to hostile networks!

This is hard in practice. For most people, the only "trusted" networks are your home network and your workplace. So you still have to worry about coffee shops, airports, hotels, restaurants, etc. And if you are using cellular data, the cellular tower can perform this attack to snoop on your traffic.

Claim: but I trust the hotel owner, restaurant owner, etc

This attack allows any device on the network to impersonate a DHCP server and attack your system, not just the router. And while there are router settings that can prevent devices on the network from talking to each other, afaik they are rarely used. So even if you trust the owner of the cafe, you have to also trust everybody else in the cafe.

Claim: if you use HTTPS you are safe!

If the attacker redirects traffic to their machine, then even if you use HTTPS, the attacker can still see what websites you connect to, they just can't see what you are sending or receiving. So basically they can steal your browsing history, which defeats the purpose of a commercial VPN for many users.

Claim: Linux users are safe!

Not quite. The report says that Linux has a feature that is able to fully defend against this vulnerability, called network namespaces. So if your VPN uses that, congratulations. Afaik most VPNs do not use this, and instead use a kill-switch or a firewall. In which case Linux, Mac, and Windows users are all affected the same way, and I go into it more in the next claim.

Claim: if you use a kill-switch you are safe!

The term "kill switch" gets thrown around a lot but there's actually two major ways that a kill-switch can be implemented. The first way is a more literal "kill switch" - when the VPN connection drops, the kill switch is triggered and blocks leaks. The other way is a persistent firewall, which blocks leaks all the time.

If your VPN client uses the first kind, then bad news, it won't protect you against this attack. This is because the VPN connection is never dropped, so the kill switch is never triggered. NordVPN was caught using this poor practice, to nobody's surprise (more info here).

If your VPN uses the second kind, then you should be safe. For example, Mullvad published a statement about how they are not vulnerable here. I would hope that any competent VPN would also use a persistent firewall, but if your VPN provider hasn't published a statement yet, unfortunately your only other option is to inspect the VPN client yourself.

That being said, even if your VPN uses a persistent firewall, you may have read in the report that there's a "side-channel" attack still possible...

Claim: even if you use a firewall, there's a side-channel attack

This is true, but from what I read the side-channel is actually very hard to pull off and gain any useful information from. You can read some discussion about it here. My takeaway is that if you're a regular user, you don't have to worry about it. But we should still push VPN providers and network engineers to use network namespaces in their applications, since they are more resistant to these kinds of attacks.

Claim: you shouldn't trust commercial VPN providers anyways

This is not really about the vulnerability but I've seen it a lot in the discussions. I think it's a mischaracterization of why people use VPNs. If you are using the internet, somebody has to send that traffic to your destination. The three major options are your ISP, a VPN provider, or Tor. Depending on your location and your circumstances, you will trust these three differently. In the EU, ISPs are not allowed to sell data. In the US, ISPs are allowed to, and have been caught doing so. VPNs can sell data too but they risk losing their entire business. Tor is much harder to judge, but the bigger issue with Tor is that many websites block it.

Further reading:

• Official Report
• Official TLDR and FAQ
• Arstechnica article
• Hacker News discussion
  • one of the original researchers is active in this discussion, see comments by @morattisec

cross-posted from: https://leminal.space/post/6433881

By the way, the earlier posted article https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain had an update starting at the paragraph with title Update: Statement from Proton and additional commentary

Hey all,

I've been using a commercial VPN for years on my mobile devices and home PCs. Recently I've started to use Tailscale and realized I can easily create a self-hosted VPN on a cheap VPS with unlimited traffic.

But I'm not really sure if that's what I need. BTW, I'm not doing anything dangerous, no torrents, no illegal stuff, no journalism or whistleblowing, not even looking up abortion clinics. I just hate mass surveillance and I don't want to be constantly profiled.

Commercial VPN allows to "hide in a crowd" by sharing IP with thousands of other clients. But there are a few issues:

1. Often sites blacklist VPN IPs, so I can't get in or pass captcha
2. Performance is not very good
3. I have to trust VPN to not keep the logs and not sell data. I used Mullvad and they are considered reliable, but you never know until it's too late

With self-hosted VPN, I'm losing benefit of "hiding in crowd" as my VPN will be used only by me and maybe a couple of other people. My understanding is that my VPS outgoing traffic is from static server IP. So if I login to Facebook once, the address is associated with me. I'll also have to trust VPS provider to not analyze my traffic and sell it. On other hand, I'm still protected from my ISP spying, from exposing my real IP address to web sites, from dangers of public WiFi networks. And I might get better performance for about the same price.

What's your take on VPNs? Tell me if you are using self-hosted VPN and why.

ordered a new phone so I wanted a new SIM for a clean slate. My country require KYC for SIM cards. So i ordered this https://www.ebay.com/itm/295938085941 I see now that the card is being shipped from Israel.

(I'm in another EU country)

Cloning, swapping etc , how bad idea was this on a scale from 1-10? Even if the package is unbroken , I assume someone with physical access (and resources) can do a lot of stuff?

Miss being able to go get one from the corner store. But idea was to load it up by cash bought giftcards.

Also played with the idea of getting a gl-inet portable router and skip SIM card in phone but it is quite a bit of hassle to have another device to maintain and carry...

Recently I just hit by stolen card detail and makes me searching a virtual card service. Anyone knows any works in the UK and EU region? Apparently Privacy.com needs SSN to work now. Thanks.

• Make a screen shot of your desktop
• Check with a viewer and see no EXIF data
• Load it in gThumb to use its crop feature, crop and save
• Check again with a viewer and see that gThumb added EXIF data including the gThumb version

In the mean time I've started to use other software to crop screen shots but I am still puzzled why gThumb always adds EXIF data ?

Here's what he said in a post on his telegram channel:

🤫 A story shared by Jack Dorsey, the founder of Twitter, uncovered that the current leaders of Signal, an allegedly “secure” messaging app, are activists used by the US state department for regime change abroad 🥷

🥸 The US government spent $3M to build Signal’s encryption, and today the exact same encryption is implemented in WhatsApp, Facebook Messenger, Google Messages and even Skype. It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕‍🦺

🕵️‍♂️ An alarming number of important people I’ve spoken to remarked that their “private” Signal messages had been exploited against them in US courts or media. But whenever somebody raises doubt about their encryption, Signal’s typical response is “we are open source so anyone can verify that everything is all right”. That, however, is a trick 🤡

🕵️‍♂️ Unlike Telegram, Signal doesn’t allow researchers to make sure that their GitHub code is the same code that is used in the Signal app run on users’ iPhones. Signal refused to add reproducible builds for iOS, closing a GitHub request from the community. And WhatsApp doesn’t even publish the code of its apps, so all their talk about “privacy” is an even more obvious circus trick 💤

🛡 Telegram is the only massively popular messaging service that allows everyone to make sure that all of its apps indeed use the same open source code that is published on Github. For the past ten years, Telegram Secret Chats have remained the only popular method of communication that is verifiably private 💪

Original post: https://t.me/durov/274

I have a LinkedIn account which is

• 5 years old.
• both SMS and Gmail verified (via code).
• all information filled (experience, personal, jobs, profile photo etc).
• all information are real.
• I logged-in million times to account from my home (without virtual-private-network).
• My account is cached by Google.

The Gmail account which verified by LinkedIn:

• I also have buy with my personal credit card a google-service (its not important which service).
• my phone number and Gmail is already verified by my government's national-digital-system (I am legally the responsible of this gmail and mobile number).

Depending on the above information

• A- I think my account is already linked with me by big-brothers.
• B- If something bad happens legally, I can never say that "this account does not belong to me". I already talked this topic with different lawyers.

Therefore I don't see any reason to do not verify the account.

My questions

I would like to hear your thoughts about below questions:

• 1- should I have privacy concerns if I verify my account via national-identity card?
• 2- should I have privacy concerns if I verify only "workplace verification". Because it only sends a code to my company email. No identity card needed. No additional steps.

cross-posted from: https://lemmings.world/post/8926396

In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won't need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I'm a noob and I couldn't find any scripts or tools to do it that way.

Received notice of a change to the service in my inbox today. Seems icky to me.

Devices in the network use Bluetooth to scan for nearby items. If other devices detect your items, they’ll securely send the locations where the items were detected to Find My Device. Your Android devices will do the same to help others find their offline items when detected nearby

Your devices’ locations will be encrypted using the PIN, pattern, or password for your Android devices. They can only be seen by you and those you share your devices with in Find My Device. They will not be visible to Google or used for other purposes.

ETA: here's the link to opt out: opt out of the network

cross-posted from: https://lemmy.world/post/15187027

cross-posted from: https://lemmy.world/post/15187023