Privacy

Duke_Nukem_1990 , in Safest way of using WeChat on Android?

To answer the question: GrapheneOS and a separate profile would be the safest but still...

If you are both outside of China there really is zero reason (other than preference) to use that piece of spyware.

bionicjoey OP ,

To answer the question: GrapheneOS and a separate profile would be the safest

I appreciate the suggestion, but maybe I should add that I'd like to not have to change up my phone too much. It's a Fairphone 4 running the OEM Android and my preference would be to keep it that way. Are separate profiles like that a thing on stock Android?

If you are both outside of China there really is zero reason (other than preference) to use that piece of spyware.

She travels back to China sometimes, uses it to contact friends and family back home, and uses it to chat with lots of mainlanders here in Canada. For her it's not weird at all.

In fact, she expressed to me that she's perfectly comfortable with the fact that they use WeChat combined with facial recognition technology in China for payment processing. When you get on public transit, you can have them scan your face and it will automatically charge you the bus fare. It really skeeves me out, but it's simply not the hill I want to die on in this relationship. I'm crazy about her in so many ways, it's okay with me if we don't see eye-to-eye on digital privacy.

xarexyouxmadx ,

Personally I'd be way more concerned with using OEM Android in the West than using wechat anywhere but if it's really an issue for you then I'd say insist on trying session or signal.. One of those are probably your best options if you're worried about being spied on..

If she's unwilling to try them or doesn't like them then I guess you have to settle for wechat or traditional SMS (although without RCS I find SMS to be a trip to a previous decade lol)

LWD ,

If you're in the US and mostly worried about one app, you can probably devote a Work folder via an app like Shelter to a GF.

bionicjoey OP ,

I'm not in the US, but what is this Shelter you speak of?

Neuromatic ,

https://f-droid.org/packages/net.typeblog.shelter/

Shelter is an app that takes advantage of the work profile in Android to install apps in that profile and makes shortcuts for that app in the normal profile. So it feels like you're just using an app as usual but the app is pretty much sandboxed away from all your info.

huginn ,

Android 15 solves your issues -

https://www.androidauthority.com/android-15-private-space-hands-on-3432113/

Private Spaces when they come to Fairphone will be perfect for this.

chezjoeong , in Safest way of using WeChat on Android?

And you're not concerned about Alphabet, Microsoft, Meta or even the NSA?

viking , (edited ) in Safest way of using WeChat on Android?
@viking@infosec.pub avatar

I'm in China and have to use that piece of crap. So here's how I locked it down:

  1. Root your phone with Magisk. There's no way around it.
  2. Install Storage Isolation (https://play.google.com/store/apps/details?id=moe.shizuku.redirectstorage) and deny access to all folders.
  3. Install App Ops (https://play.google.com/store/apps/details?id=rikka.appops) and set pretty much everything to deny or ignore (ignore means the app receives the information "permission granted", but no data is provided, in case some permissions are "mandatory"). If you intend to use wechat to exchange voice messages or make video calls/send photos, the "use microphone" and "use camera" functions would be required. In a similar fashion the location access if you intend to use the location sharing feature.
  4. Be acutely aware that wechat is not encrypting messages, neither end to end nor in the server communication. Everything you say can (and probably will) be read and archived. Don't say anything confidential or critical there.

And yeah really, try to convince your wife girlfriend to use signal instead. Or hell, even whatsapp is miles ahead.

My wife is Chinese as well, so even after we leave here she'll be using wechat to stay in touch with family, no way around it, but using messengers more commonplace in other countries is definitely better. Personally I will move wechat to another phone once we're out. For now that's not feasible as it's too much integrated into every function of life here.
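One way to check the result of step 3 from a computer, as an added example that is not part of viking's post: the function below reads `appops get` output and lists every operation that is still granted outside a short allow-list. The sample output, the allow-list and the assumed line format are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit App Ops modes for one app against a short allow-list.
# Assumption: `appops get <package>` prints lines shaped like
#   "OP_NAME: mode; time=..."   (optionally prefixed with "Uid mode: ").

# Ops deliberately left enabled (voice messages and photos, as in step 3).
ALLOWED_OPS="RECORD_AUDIO CAMERA"

# Read `appops get` output on stdin and print "OP mode" for every op that is
# still granted (allow or foreground) and is not listed in ALLOWED_OPS.
audit_appops() {
    awk -v allowed="$ALLOWED_OPS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]*Uid mode:[ \t]*/, "", line)
            if (line !~ /^[A-Z0-9_]+:[ \t]*[a-z]+/) next
            op = line;   sub(/:.*/, "", op)
            mode = line; sub(/^[^:]*:[ \t]*/, "", mode); sub(/[^a-z].*/, "", mode)
            if ((mode == "allow" || mode == "foreground") && !(op in ok)) print op, mode
        }'
}

# Constructed sample of `appops get` output (not captured from a real device).
sample_output() {
    cat <<'EOF'
Uid mode: COARSE_LOCATION: foreground
RECORD_AUDIO: allow; time=+3m12s ago; duration=+8s
CAMERA: allow; time=+1d2h ago
FINE_LOCATION: ignore; rejectTime=+2h ago
READ_CONTACTS: allow; time=+5h ago
READ_CLIPBOARD: ignore
GET_ACCOUNTS: deny
EOF
}

# Offline run on the constructed sample; lists the ops that still need attention.
sample_output | audit_appops

# Live use over USB debugging (com.tencent.mm is WeChat's Android package
# name; it does not appear in the post above):
#   adb shell appops get com.tencent.mm | audit_appops
```

An empty result means every operation outside the allow-list is set to ignore, deny or default.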

umbrella ,
@umbrella@lemmy.ml avatar

+1 for signal but i doubt whatsapp is ahead at all

umami_wasbi ,

At least WhatsApp has the content encrypted

viking ,
@viking@infosec.pub avatar

Whatsapp uses end to end encryption and is far from as intrusive as wechat.

EngineerGaming ,
@EngineerGaming@feddit.nl avatar

Can it be used without a smartphone, like in an Android VM?

lud , in How do you trust a U2F key?

Where do you get a key for the price of a cup of coffee?
The ones I found are quite expensive.

TurtleTourParty ,

Maybe coffee is very expensive where OP lives

uzi , in Why don't people here love SimpleXChat more?

In F-Droid, after disabling all anti-features, SimpleX still is listed. Signal never will be due to connecting to GCM or Firebase. Molly is an improvement for Signal but not for untrackable privacy like SimpleX from using a different ID with each individual SimpleX contact.

malean ,
@malean@lemmy.world avatar

I hoped Molly had left the SMS feature in; that is the only thing I can use as bait to get my friends to switch to Signal.

uzi ,

No, because SMS code was removed from Signal, I believe Molly would have to fork the code if they try to put it back in.

adespoton ,

Not to mention, SMS was removed because it’s inherently insecure at every level. Keeping it would mean there’d be an insecure side channel into the protocol. While it’s a useful onboarding mechanism, it can also be abused — and was. So eventually it got removed to prefer privacy and security over convenience.

uzi ,

That's a valid reason, prioritizing security over convenience. I forgot about the fact that texting is plain text communication.

Charger8232 , in Why don't people here love SimpleXChat more?

I've been a fan of SimpleX for a while now. Privacy comes at the cost of convenience, and SimpleX is the most private messaging platform according to this spreadsheet.

SolarPunker OP ,

Thanks for this report.

lemmyreader ,

Beware https://privacyspreadsheet.com/messaging-apps uses Google fonts. So much for privacy.

moreeni , (edited ) in Why don't people here love SimpleXChat more?

They do. I absolutely love it

NegativeLookBehind , in How privacy on the web is mostly a myth
@NegativeLookBehind@lemmy.world avatar

The article says privacy is a myth and then suggests you use PIA VPN. Nice

ghewl OP ,
@ghewl@lemmy.world avatar

What is wrong with PIA?

NegativeLookBehind ,
@NegativeLookBehind@lemmy.world avatar

It’s more an issue with their parent company, Kape technologies

ghewl OP ,
@ghewl@lemmy.world avatar

Thank you for the feedback. I will remove PIA.

NegativeLookBehind ,
@NegativeLookBehind@lemmy.world avatar

You’re welcome. Thanks for writing the article!

electro1 , in Reddit started blocking VPN users on old.reddit.com
@electro1@infosec.pub avatar

Reddit taught me to never trust a silicon valley, centralized, proprietary service on the internet with my data and/or content

Tb0n3 ,

Could have learned that a long time ago. Everybody learns it somehow from some greedy company. Luckily you've learned it now.

sturlabragason ,

Same.

I’m switching everything over to federated, self-hosted, decentralized, open source…

It’s a brave new old school world!

cyborganism ,

Well you shouldn't trust a public, decentralized, open source personally hosted service either.

I don't really know who's hosting the Lemmy or other fediverse services I use and what access they have to the data that we post on there.

Basically, you shouldn't trust any online service with your data and your posts.

RagnarokOnline ,

Off the grid it is, then

pennomi ,

Or just use e2e encrypted services. They can be trustless and still useful.

LemmyHead ,

Depends on how they're implemented. Signal and WhatsApp are e2e encrypted, but they track your phone number, your contacts and IP address. Maybe even metadata

dumpsterlid , (edited )

Of course you shouldn’t but there is a categorical difference between the risk of a corporation exploiting you because of a power imbalance (you want to use Reddit, there aren’t alternatives in this hypothetical scenario) and the rando running your fediverse instance abandoning the project or being weird about your data.

The second category can definitely be problematic, but it just isn’t the same level of awfulness and systematic exploitation that corporations wield every day to extract a profit.

It sounds like a weird statement because we have been trained to think the average “other” we will encounter in society as dangerous, but if you actually think about the statistics then yes absolutely it makes way more sense to trust a random person or handful of people to run your instance than a corporation. Publicly traded corporations are legally required to be assholes in the pursuit of profit, on the other hand most of the time randos usually aren’t assholes, though to be safe you should always be cautious as you say.

Windhover ,

What’s to stop a data broker from running an instance?

dumpsterlid ,

Sure it could happen, but I don’t understand what relevance that has when you compare it to the fact that you KNOW without a shadow of a doubt corporations are going to sell your data to the maximal amount they can, even if it is illegal.

Besides this isn’t about our data being sold or not being sold really (our data will be mined and sold by somebody so long as it is publicly available on social networks), it is about who has the power and who doesn’t. Does a single corporation run by a billionaire fascist-baby have the power or an imperfect constellation of developers, instance maintainers and moderators?

JoMiran ,
@JoMiran@lemmy.ml avatar

I went the other route. I am very noisy online. I post and comment all over the place but I treat all of that as what it is, content I have given away freely and publicly. Now, when I need to do something privately, you are going to need serious mojo to be able to dig it out. Plus, who would assume that I do certain things privately when almost everything I do is out in the open.

tetris11 ,
@tetris11@lemmy.ml avatar
SELECT 'ipaddress', 'username' FROM tables
WHERE (username.normalize() == "jomiran" 
OR post.links CONTAIN "jomiran") 
FILTER content IN _blacklist_keywords;

Or some such. Data is easy to mine if you have a target. It's finding unknown targets that is hard.

JoMiran ,
@JoMiran@lemmy.ml avatar

Exactly. Do a search for my username and get flooded with shitposts. IP? MAC? Same, plus some porn watching and way too much YouTube. Everything I want to keep private is done with as many degrees of separation as possible.

pressanykeynow ,

IP? MAC? Same

Unique fingerprint? Most likely the same with your "private" stuff.

JoMiran ,
@JoMiran@lemmy.ml avatar

I use disposable hardware (one time use) and unique, pre-configured remote access points from third party locations for my work. In other words, many little headless Raspberry Pis everywhere.

delirious_owl ,
@delirious_owl@discuss.online avatar

I have 10 Facebook accounts, a few with my real name and about 20 google accounts.

The real accounts that I use are created and destroyed frequently.

Reverendender ,
@Reverendender@sh.itjust.works avatar

You...you realize you just posted right?

Live_your_lives ,

Just because you shouldn't trust them doesn't mean you're not allowed to interact with them. It just means you need to be careful.

electro1 ,
@electro1@infosec.pub avatar

I guess what I mean by not trusting is : I'm not going anywhere near that website, since I use Lemmy this means I put some trust in it..

But ultimately yeah, self-hosting is the way to go and that's what I'm planning to do, it's just not as simple as people make it seem to be

Crackhappy ,
@Crackhappy@lemmy.world avatar

What about a whiteboard?

delirious_owl ,
@delirious_owl@discuss.online avatar

You could message the instance admin on matrix and get to know them...

TheAnonymouseJoker Mod ,
@TheAnonymouseJoker@lemmy.ml avatar

...and this is how "rational" people act more irrational than irrational people. Arguments that are reductionist tautological absurdities.

Open source culture is far more transparent and trustworthy than the 100 headed monster Hydra that is Western Big Tech companies, fully armed with neuro scientists and western capitalist media machinery. There are a few bad apples in FOSS culture, but they can be easy to spot for a few people, and that works as long as people actually listen to those few people.

cyborganism ,

Take a chill pill.

All I'm saying is whatever the service, be careful what you post online. We assume the people hosting fediverse services have a code of ethics or that they have our best interests or privacy at heart. Or even that they have the time and know how to protect our data.

But we should still consider the opposite and take the necessary precautions.

TheAnonymouseJoker Mod ,
@TheAnonymouseJoker@lemmy.ml avatar

I am good, it just sounded very absurd. There is no "both sides" in credibility of open source vs closed source ecosystems.

I think we can judge Lemmy instances dependingly, for example I trust the dev instance and Lemmygrad instance quite a lot and stick to them. I distrust instances like Lemmyworld, lemmy.one and some others. All instances that connect to the ones I use will be able to scrape my comment data, which is public and which is fine (well not but AHs gonna AH) because I teach and advise on OPSEC, stylometry and other stuff.

A much better way to spread the message is telling people how they can be mindful of firstly judging how "public" a space is, and then how and what you type/record and share.

Artyom ,

You can trust that the service will persist. The fediverse is practically speaking unkillable since no one group holds all the strings. The trade off is that any data you post is shared freely with all. At least it's clear from the start and no one is profiting off of it. Unlike Reddit, you know exactly what's going on as soon as you sign up.

Ultragigagigantic , (edited )
@Ultragigagigantic@lemmy.world avatar

True, I am safest alone in my dank basement

CaptDust ,

Internet 101 if you want control, self host.

electro1 ,
@electro1@infosec.pub avatar

If it was easy, I would have done it by now

CaptDust ,

Hmmm, from a tech perspective there's lots of VPS hosts that provide dashboards to deploy a CMS in one click (Ghost, WordPress, etc.), in that way it's never been easier to get started. The hard part though is gaining visibility and publishing enough content to give people a reason to visit.

electro1 ,
@electro1@infosec.pub avatar

In my opinion, one of the main benefits of selfhosting ( aside from controlling your data,) is that you don't have to pay for the VPS/CMS service, of course you pay for the infrastructure.. As someone who HATES monthly subscriptions it's one of the main reasons I don't have an online presence yet

I tried to run Ubuntu server and slapped something on top of it ( CasaOS ), which i didn't like, then I tried Ghost ( and failed miserably )..

It's not easy and YouTubers are full of shit ( they skip so many details )

CaptDust , (edited )

To each their own, that can be a benefit but you'll still need to buy hardware, maintain the server software and maybe rent rack space (if you need bandwidth).

My tiny slice of the web hosts a private image gallery for my family to upload and share photos. Going into it I wasn't really interested in administering yet another server. Instead I threw $6 at a VPS and had a publicly accessible, user friendly site with backups up and running in about 15 minutes.. and I haven't had to think about it again since. And Google/Meta isn't training their AI on my niece's birthday pictures. That monthly sub is worth it for reclaiming my time.

electro1 ,
@electro1@infosec.pub avatar

That monthly sub is worth it for reclaiming my time

Yeah definitely, it's a small price for the benefit, but also to add to how I feel about subscriptions, I think their major flaw is they don't consider poor parts of the world like Africa where I live, while 6 $ is reasonable or even cheap for some people, here it's a lot of money ( x200 which means 1$ = 200 ), so it's not accessible..

Only few, very few websites change their pricing based on my IP address, or send me to a different domain, but for the most part it's not affordable

You might ask, do your ISPs have VPS plans ? Yes they do,

waaaay more expensive than European VPSs combined ... LoL...

There's also politics and agenda involved but won't get into it, it's just bad news, and we have enough of that already

CaptDust ,

The currency situation makes sense and I apologize-- I realize now I had a very western-centric perspective while writing my thoughts. I can absolutely understand hosting on your own hardware, as the opportunity cost in that situation is hugely different. I think the next best option is a good server OS and the ghost docker container but you are right it is not as straight forward or easy. Best of luck friend, trust documentation not youtubers :)

electro1 ,
@electro1@infosec.pub avatar

Best of luck friend

Thank you

trust documentation not youtubers :)

yeah, I learned my lesson.. (´・ᴗ・ ` )

Sunny , in A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers - An FTC Staff Report
@Sunny@slrpnk.net avatar

Thanks for sharing! This is highly relevant to my master thesis, appreciate it 🌻

technomad ,

What is your master thesis on, if you don't mind me asking?

Sunny ,
@Sunny@slrpnk.net avatar

All good!
It's about the use of free VPNs and how they may impact user privacy and security. But I do mention that VPNs are one of the reasons as to why some people choose to use them in the first place. And this is a good source to have as it shows exactly the reasons as to why people flee to VPNs (be it paid or free).

Spoiler, in the majority of the cases free VPNs are not good to use, but there aren't too many documented articles on the topic, only some. So wanted to contribute on that field :)

technomad ,

That is really cool, and super interesting! Thanks for sharing!

MediaSensationalism OP , (edited ) in A Look at What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers - An FTC Staff Report
@MediaSensationalism@covert.nexus avatar

This information, although not new, sheds light on the misconception prevalent even amongst industry professionals today that ISPs only retain customer usage data related to IP address assignment.

taladar ,

However VPNs are exactly the same as ISPs, especially when it comes to actions forced by the government in the jurisdiction they are in.

Scolding0513 ,

you're doing blanket statements. this highly depends on the provider

taladar ,

If you think your VPN provider is more immune to legal authorities than your ISP you are deluding yourself.

Scolding0513 ,

if you think that every VPN in the world handles legal situations the same way regardless of jurisdiction then you are a total nonce

fishos ,
@fishos@lemmy.world avatar

Which is why good vpns are hosted in countries with extremely high privacy laws. And some can even be bought and used without giving any personal info. And why most vpns are RAM only and literally can't log any records.

But you knew this before you spouted off, right?

possiblylinux127 , in Meta gave Netflix and Spotify access to users private messages
@possiblylinux127@lemmy.zip avatar

I love that thumbnail

Also it cracks me up that WhatsApp is still popular

over_clox , in Family photo sharing?

Maybe don't share online?

We have a printing center in my area that prints high quality full color photos for 75 cents a page.

dubyakay ,

Photo development booths, printing centres and later phone repair shops (before phones regularly got encrypted) used to be the number one avenue for getting photos leaked.

over_clox ,

As true as that is, we're talking about photos of a newborn infant. Like for real, who would intentionally leak photos of a newborn?

Oh yeah, that's right, artificial intelligence!

Don't feed the online machine, take the photos into a print shop via USB flash drive, and I'm pretty sure anyone with a soul will have respect for family privacy.

Not so with online cloud services though ☹️

kbal , in [es] Spanish government is working in a digital certificate to identify adults and avoid minors to access porn sites

When you phrase it that way, it becomes all the more obvious that it's not really about the porn.

kbal , in The Irish government wants to pass a law that could see you or your loved ones jailed for possession of memes, cartoons or any content that could be deemed "hateful".

It's too bad you couldn't find a link to somewhere other than x.com. Just going by the headline though, this could lead to great new career opportunities for Irish black market contraband meme dealers.

SheeEttin ,
Kissaki ,
@Kissaki@feddit.de avatar

Freedom of expression is a protected right under both the Irish constitution and the European Convention on Human Rights.

So not at all what the post title claims?

SecurityPro OP ,
@SecurityPro@lemmy.ml avatar

Freedom of expression?

https://extra.ie/2021/02/21/news/irish-news/gardai-tell-woman-to-take-down-social-media-post-after-she-identifies-herself-as-child-abuse-victim

FfaerieOxide ,
@FfaerieOxide@kbin.social avatar

404 Error

Sorry we could not locate the page you are looking for please try again or return to the homepage

Is that what you were trying to "express"?

otp ,

Freedom of expression generally doesn't mean you can say anything without limitation

SecurityPro OP ,
@SecurityPro@lemmy.ml avatar

So an adult victim of a crime can't admit that they were the victim of a crime?

otp ,

I'm not familiar with the laws of Ireland, but considering that article you linked, I guess in that specific instance, the answer is "No".

They still have freedom of expression.

AutomaticJack ,

That's a completely different scenario and frankly, you're being dishonest putting that forward as an example of freedom of expression being blocked.

SecurityPro OP ,
@SecurityPro@lemmy.ml avatar

There is not freedom of expression if the police can demand that you take down or alter a social media post.

AutomaticJack ,

It's a well intentioned law to protect child sex abuse victims and the law needs updating to cover this scenario. I think it's more an example of the ineptitude of the Irish government than anything.

FfaerieOxide ,
@FfaerieOxide@kbin.social avatar

Critics - including Donald Trump Jr and Mr Musk

Some of these amendments are being put forward by Senator Sharon Keogan, who has been very vocal in her opposition to the bill.

She claims the bill "seeks to codify the prevailing narratives and restricts the free exchange of ideas" and has urged her colleagues "to be brave and speak up".

In September 2021 Keogan was criticised after she stated that there is "an organised takeover at every level in our society" by the LGBT community

So this is just about hating Queers, then?
