• 0 Posts
  • 17 Comments
Joined 1Y ago
Cake day: Jun 03, 2021


I’m going to assume that Twitch implements password hashing and salting correctly

This is not a good idea. Many, many sites, including major companies, have terrible security and don’t spend the slightest effort in protecting user data. They simply face no consequences over it. Countless data breaches show over and over again how badly sensitive information like passwords is protected. Many sites still use ridiculously weak hashing procedures like unsalted MD5 or even store passwords in plaintext. The way many sites handle passwords not only shows that their users’ security is of absolutely no priority to them but can often only be explained with enormous incompetence. Password guidelines are often so ridiculously bad to the point where it would be a lot easier to just do it right, yet someone explicitly programmed nonsensical limitations for the passwords like length limits, limited character sets, the necessity to start with a letter, case-insensitive passwords or whatever idiocy they can think of.

Never trust a site to secure your data. They most likely won’t. Also don’t trust a company’s report on a breach. Breaches are often kept secret until there is no way to hide it anymore. But even then companies usually play it down and admit only to what they really cannot hide. The number and extent of known breaches is already disastrous, but there certainly is a lot of unknown breached data that makes it even worse.

We have to assume the Twitch leak is worse than they admit. The attackers might have had access to much more than we know, perhaps they were able to intercept passwords in plaintext. We also have to assume Twitch did not properly secure the saved passwords. Acting otherwise would be foolish and insecure.

Better safe than sorry: just hit the password generate button in your password manager. If you used the same password on other sites, those should be changed regardless.

And of course if your password is too weak no hashing can protect it from being cracked.


I strongly disagree. That’s a problem for everyone. Everyone needs privacy, not just journalists.


Are you talking about watching or uploading to YouTube?

You can use NewPipe on Android and FreeTube on desktop as free, open source third-party clients. They allow you to create (or import) a list of local subscriptions and a subscription tab where the list of your subscribed channels’ videos gets fetched and ordered into a chronological list, just like on YouTube with an account. They are less responsive and stable than the YouTube app and website, but work well for watching your favorite channels.


Can you define what you mean with supercookies? There are two different technologies under that name: https://en.wikipedia.org/wiki/HTTP_cookie#Supercookie


Tor Browser works decently for web browsing. It’s a trade off in convenience, but its anonymity is pretty strong. If you need even stronger security, you can go with Tails or Whonix.

You can create a ProtonMail account over Tor, but you need to verify it with a phone number or a small payment that you again need to get anonymously. It’s a lot of effort, but it’s possible to operate a ProtonMail account anonymously. Whether you really need this is up to your threat model. Also in this case a simple VPN would have probably been enough.


Don’t make yourself dependent on the hardware of data storage in the first place. Back up, and if you intend to store anything sensitive on it, just encrypt it from the beginning so you don’t have to worry about drive failures or erasing data. The drive itself does not matter much then.


If you are in the EU you can send them a GDPR request and ask them to remove your account and all associated data. Look for a contact email address in their privacy policy.


Looks like a good way to get a bunch of IPs for your botnet.


No. Unless you’re discussing state or corporate secrets, or disclosing personal health information to a patient, Zoom should be fine.

So the average person does not need privacy?


How is this connected to Bromite or GrapheneOS? Do you have anything to back up those claims?


Go with a reputable, highly trustworthy VPN provider like the ones recommended on PrivacyTools.io. That VPN provider was anything but reputable let alone trustworthy. Their marketing with a quadruple hop VPN is a very obvious red flag. Make sure your provider has honest, realistic marketing. Do not trust any providers that market their VPN as a single tool for anonymity and general security like NordVPN, because it is not.

DoubleVPN was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters, Europol said.

This is probably the reason for them being seized. A legitimate VPN provider would never do this.

Anyways if you want anonymity you should use Tor instead of trusting in a single point of failure, your VPN.


GrapheneOS or CalyxOS to give options I recommend more.


Apart from the onion v2 addresses being deprecated, the fix of ‘Bug 40432: Prevent probing installed applications’ is very important. It allowed fingerprinting the system based on the installed applications and has been the topic of the last post here. Update ASAP!


You are right.

Iridium Browser does not download and install updates automatically as it would need to call home which is blocked for maximum privacy.


After all, Chromium is overall a bad option for privacy, control and personal freedom as well as the freedom of the internet. The predominant use of Chromium puts web standards in Google’s hands and thereby threatens the open internet.

I highly recommend against Edge as it is the same as Chrome with Google exchanged by Microsoft as the bad guy.

Ungoogled Chromium does not have automatic updates for Windows as far as I know.

There is always Brave despite its controversy.
But you could also look into Iridium. Make sure to configure it according to your friend’s needs so no privacy feature like automatic cookie clearing bothers him, and add uBlock Origin and HTTPS Everywhere. I have not used Iridium myself though and cannot vouch for it, but it looks worth looking into.

I would find it interesting to know what bugs your friend so much about Firefox. Firefox is much more customizable than Chrome, so maybe that can be resolved. If it has been some time since your friend tried Firefox, it might make sense to look back into it.


I’d recommend against Edge. It is the same evil just with Microsoft as the devil rather than Google.

It is at its core made to spy on the user. I think it connects to the user’s Microsoft account automatically and saves browsing history to the account. It is closed source and can therefore not be trusted, and the security features of “smart screen” look fishy to me as well.