Portfolio Archive Categories About Contact Tip

Walking in the dark

Ashpex  included in  category privacy
     3373 words   16 minutes   cc-by-nc-sa-4.0   
/2020/02/walking-in-the-dark/walking-in-the-dark.jpg
Warning
This article was last updated on 2022-05-03, the content may be out of date.

Surveillance, advertisements, tracking,.. are everywhere. Have you ever wonder how to cut those nasty sneakers from your digital life? Wonder how you could go reading some news, listening to music, shopping while keeping your privacy and personal interest from prying eyes? I’m no professional but I’m mindful enough to care about my privacy and this is how I do while trying to achieve it.

First thing first, to achive something we always need specific tools (or softwares in this case) for it. But the most important question: “Which one?”. Surely you can’t dumbly trust ISP or Facebook for your messages, right? I mean it’s so obvious.

Kevin Mitnick
To mask our online identities—to enjoy the Internet anonymously— we will need to trust some software and software services. That trust is hard to verify. In general, open-source and nonprofit organizations provide perhaps the most secure software and services because there are literally thousands of eyes poring over the code and flagging anything that looks suspicious or vulnerable. When you use proprietary software, you more or less have to take the vendor’s word.

Check out recommended softwares on PrivacyTools.

Threat
Smartphones are horrible for security and privacy. They constantly broadcast your location (to all cell-towers, not just those of your provider), they constantly look for known Wi-Fi networks, the cell-service provider knows your location and calls and messages, they’re pre-loaded with apps you can’t remove, all apps have a lot of access to your data, some apps have terrible security, etc.

  • Of course, do the basics right: have a PIN or password on your phone, turn on encryption, write your email address on the outside so it can be returned if lost, do backups, use a case to protect it if dropped, record serial numbers and model number so you can report them in case of theft or loss.

  • Have a PIN or password on your carrier’s Support account for your SIM/number/account, so any change to your SIM or number or account requires a password, even if you’re calling Support on the phone.

  • Carry your phone as little as possible. Leave it at home when you can.

  • Keep your phone turned off as much as possible.

  • If your phone is turned on, keep it in a Faraday bag as much as possible. That way you can pull it out when you need it and it will be ready to use right away.

  • Keep the phone’s camera pointed at something uninteresting when you’re not using the phone. Or put a piece of tape over the lens.

  • If you need to plug the USB cable into a USB charging station (such as in an airport), use a data-only USB cable or a “data blocker” USB connector. Better yet, plug into AC instead using your AC adapter. Don’t reply to SMS’s or call back to calls from unknown numbers. They could be premium-charge services.

  • Each time you change to a new phone or phone number for some reason is an opportunity to create a new Apple or Google account, separate from past accounts you used. Unless you need to bring across lots of info from iCloud or Google’s cloud, keep new separate from old.

  • Use as few apps as possible; each additional app installed means a greater chance of getting a malicious app or a security hole. Use browser access to web pages as a safer alternative to apps. ClassyShark3xodus (app to scan other apps for trackers)

  • Many apps harvest data from your Contacts list. Maybe keep only essential contacts in there, not everybody. And for those contacts, keep only essential data (name and phone number) in there. Maybe even abbreviate the names a bit.

  • Review the permissions given to each app, in Settings / Apps. But expect some tweaking; I found my Camera app refuses to run unless given permissions for recording audio and making phone calls.

  • Keep as little data as possible on your phone, and backed up into the phone’s cloud account. I sweep pictures from my phone to my laptop via USB cable within hours of taking the photos. Don’t save a lot of downloaded documents and cached data on your phone. Check to see if apps such as WhatsApp are doing backups (thus retaining deleted photos).

  • Some apps demand a huge list of permissions, to everything in your phone. Maybe don’t install those apps; choose other apps that take fewer permissions, or access the services through a browser instead.

  • Install a Custom ROM if your Android device support it. I recommend GrapheneOS if you have a Pixel phone and LineagOS for the rest. There are many custom rom but LineagOS is likely the most popular so there is a high chance it supports your device.

  • Blokada(not in Google Play Store, have to download and install it specially; doesn’t need rooted phone; can’t use with a VPN ?)
  • AdAway (requires rooted phone)
  • DNS66 (acts as a VPN, does DNS filtering)
  • personalDNSfilter (acts as a VPN, does DNS filtering)
  • In Firefox browser, use uBlock Origin add-on.

Apparently, non-root ad-blockers appear as a VPN to the phone, so you can’t use them together with a real VPN.

Threat
Facebook is a special case, because they know so much about you, and they have code on many other web sites, and they sell login services to many sites, and they buy data about you from other services.

  • On phones, the Facebook app requires a huge set of permissions, and certainly harvests your Contacts list. Use m.facebook.com or mbasic.facebook.com through a browser instead of the Facebook app (or, some people say use apps like Frost for Facebook or FaceSlim).

  • Don’t fill in all of those “profile” fields. Or put in fake data. Why tell Facebook where you’ve worked, where you went to school, who your family members are ?

  • Don’t post really private things about yourself, and be even more careful about what you post about your family and friends.

  • In the browser, use blockers such as: Disconnect for Facebook Or: in uBlock Origin, add and activate “Fanboy’s Social Blocking list”.

  • Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does it let everything get tracked and shared, but if Facebook or Google ever deactivates your account for some reason, you’ve lost access to those other sites too.

  • Do NOT use Google’s online password manager (holding passwords you’ve saved in Chrome or Android). If Google ever deactivates your account for some reason, maybe you’ve lost access to those other sites too, I’m not sure.

  • Do NOT use Facebook or Google (or Pinterest, or Amazon, etc) as the sole, critical host of your business, if you can avoid it. They give the “appearance of ownership”, but in fact you do not own the platform. If the service ever deactivates your account for some reason, your business is dead. If you absolutely must use them as your critical host, plan for the possibility that they may drop you. Keep backups, have a separate web site and email, have pages on other services, etc.

  • Do NOT rely on a high page-rank in Facebook or Google (or a high rating in Amazon or iTunes or YouTube or AirBNB or something) as the critical asset of your business, if you can avoid it. The algorithms behind those can change at any time. A couple of bad reviews from users can harm you.

Your computer or browser or ISP may reveal your physical location to web sites.

Ways your location can be determined
  • GPS, in smartphone.
  • Cell towers that your smartphone can see.
  • Adapters (networks) that your Wi-Fi can see.
  • Adapters or devices that your Bluetooth can see.
  • Adapters or devices that your device can see through a mesh network.
  • Location set by the owner of the LAN’s router ?
  • Location set by the ISP that connects to the router.
  • Small clues set in your OS, such as system time-zone and language and country-code.
  • Location you set in your browser or other application (VoIP?) or OS.
  • Location you set in your online accounts (social media, etc).
  • Location set or known in other devices on your LAN or Bluetooth, such as TV or game consoles or car’s GPS ?
  • Location set or calculated in body-devices on Bluetooth, such as watch or fitness-tracker ?
  • Location acquired from connected nearby devices not owned by you, through hookup apps ?
Defense

 Operating system:

Windows 10 gives a setting to turn off location and set a “predetermined location” to give to apps. I think you get to it through “Diagnostic Settings”. It seems Linux does not have a similar facility.

 Set location in your browser:

  • Location Guard

  • In Firefox, do about:config and look at “geo.” entries. Someone says set something like:

    `geo.wifi.uri = data:,{"location":{"lat": 51.50,"lng":-0.12},"accuracy":1000}`

  • In Chrome, maybe “Manual Geolocation” extension.

 Smartphone:

  • Go through app permissions and disable Location wherever possible.
  • Facing your location with Private Location (Android only; fake GPS location)

  • Pick a simple, neutral name, such as “John Doe”.

  • Create an email address that fits, such as J.Doe at gmail.

  • Get a pay-as-you-go SIM phone and use it for this person.

  • Get a Privacy.com virtual credit-card in their name.

  • Use one set of fake data (phone number, email address, gender, DOB, SSN, photo [not a stock photo from the internet; maybe from This Person Does Not Exist], school history, work history) for this persona, and stick with it. Write it all down, print it out for easy use.

  • Create an email address that fits, such as J.Doe at gmail.

  • Subscribe to a couple of cheap or free magazine trials (Forbes, Wired) in their name.

  • Subscribe the email address to a couple of newsletters, so there’s activity in the account. Set the account to forward the newsletters to some other junk account, so there’s outgoing traffic too.

  • Use this persona when ordering things online.

What Google harvests from your accounts (mainly GMail), from someone on reddit 12/2018:

… I downloaded what supposedly is all the data Google keeps about me … In my Takeout archive, there is a folder called “Purchases and reservations”, which contains many files with all the data that Google collected from my e-mails. This includes my purchases on all sorts of websites (Amazon, etc.), shipping updates and my flight/train reservations. … My location data file freaked me out a little bit too, with all of its “ON_FOOT”, “STILL” and “IN_ROAD_VEHICLE” strings, but I had my location history on, so that was to be expected. That text file alone is 82.7 megabytes - not bad, huh? If you have a Google account, I suggest you download all of your data from Google Takeout and check what it looks like with your own eyes.

  • It may be a good idea to have separate email addresses for family, work, financial, social, shopping:Hiding From The Internet’s Compartmentalization

  • Encrypting email with PGP whenever possible.

  • You can get a disposable email address, which exists just long enough to finish registering somewhere: 10 Minute Mail, Mailinator, others.

  • In your email client, turn off automatic display of HTML, images, and Javascript. It’s dangerous to let some random person send you a piece of software that executes in your client.

  • Some security guys say it’s safer to use browser-based email instead of a client application (such as Thunderbird). The browser is somewhat of a sandbox, and highly tested, and you need it for other reasons too. A mail client application is an additional complex piece of software that probably is less secure.

  • On the other hand, if you use an email client application (such as Thunderbird), your email is not stored on the email provider’s server for very long, it’s stored on your personal machine. Maybe you can find a provider that promises to erase your messages completely from their server after you retrieve them to your machine.

    Nitrous’s “The Easy Way to Use PGP for Encrypting Emails on Windows, Mac & Linux” (if using Thunderbird)

Caution
Email is broken in security by nature. Trying to secure it is the same as trying to mend a broken glass. The best solution is only using instant messenger for private communication.

The biggest threat of all. You accidentally post something private in the wrong place, expose a password, mis-configure your device or account, drop your device, lose your device, accidentally delete your data, trust a scammer.

They post about you, snoop on you, accidentally leave your house or car unlocked, mis-configure their device, use their infected device on your LAN, sit next to you with their unprotected phone running, drop your device, accidentally delete your data, trust a scammer. They expose their phone or email Contacts list, which contains your name and email and address and phone number and birthday. They put your info into Amazon or EBay when buying a gift for you. They tag you in Facebook photographs, or mention that you were with them at some wild party.

They may be highly motivated, but probably don’t have access or skill to cause high-tech harm. Unless you forgot to change the passwords they know. But they may have private info they could post.

Some application or web site you use may be sending your data to somewhere else that you don’t know about (some apps harvest your email address book or phone contact list or Friends list). Or storing your data in an unsafe way in a server.

Corporations reading your data to enforce their contract rights (terms of service) and maybe look for criminal activity.

Organizations accidentally exposing data you’ve entrusted to them, through careless practices or by getting hacked.

Identity thieves, credit-card thieves, blackmailers, ransomware, etc. Hackers who want to use your device as part of a botnet or crypto-coin-mining network. Criminals who want to make your phone call their $3/hour phone service repeatedly, running up a $10K phone bill that you have to pay. And you may be a special target if you have something valuable on your computer.

Although with snooping software, “casual” capabilities are increasing.

Recording everyone’s activity, such as cell-phone locations and car license plates, and then selling it to police and repo men and bounty-hunters

Recording everyone’s activity, such as cell-phone locations and car license plates.

(E.g. someone decides a picture shows you mistreating your dog, and whips up a mob to punish you.)

Highest technical ability, but no legal authority.

NSA, DHS, etc. Highest technical ability, PLUS legal authority.

Naked pictures of yourself or your spouse ? Personal embarrassments ? Dark secrets ? Something illegal ? Something embarrassing about your friends or family ? Just don’t put it online, or transmit it over the internet. Maybe don’t even put it on your computer or phone or camera.

Either stop using social media, or use it more carefully.

You have lots of data about your friends and family and employer and coworkers and neighbors. Treat it carefully.

Don’t fill in all of those “profile” fields. Why tell Facebook where you’ve worked, where you went to school, who your family members are ? Why tell LinkedIn everyone you’ve worked with ?

Registering for professional conferences is particularly bad; those directly give your data to all 500 vendors at the conference.

If you use Google Apps, Google Docs, Google Sites, Chrome browser, GMail, Google search, Google Maps, and Google Drive, then of course Google is going to know a lot about you. Instead, compartmentalize it: ProtonMail, some free web hosting service, Firefox browser, DuckDuckGo search, etc. Use Google only where you have to.

Do you really need email accounts at N different providers ? Each one has to be secured. Really need accounts at Twitter, LinkedIn, Facebook, Snapchat, Instagram, Flickr, YouTube, 20 different online stores, etc ? Each one is a possible security or privacy problem. Really need 5 credit cards and accounts at 5 banks ? Reduce, simplify.

  • Don’t give them your real birthday, or real mailing address, or real phone number. Misspell your name slightly. (But: if Facebook or whoever later challenges you to produce real ID to verify your account, and your info doesn’t match, you’ll lose the account.)

  • Set Facebook profile fields for school, work, places lived to real, big places that have no actual connection to you. Let them sell misinformation.

  • For map/GPS applications, set home and work addresses to nearby addresses, not your exact addresses.

  • But you can’t give fake data to police or government or schools or insurance or banks. That may be illegal, or may come back to bite you later in some way.

  • When installing an OS, or using a brand-new PC for the first time: Give your PC a generic name such as “laptop2”. Create a user account with a generic name such as “user3” or your pseudo-name, instead of using your real full name. Those names will appear on networks and other places.

  • They may post about you on social networks, put pictures of you online, mention you in emails. They may widely repost something that you posted to a small audience.

  • Your family may submit their DNA (which is partly your DNA) to testing services. Their family medical history is your family medical history.

  • Push back, calmly, if they post something you wish they wouldn’t.

  • Don’t give them information that you don’t want them to put in Contacts lists in email or phone.

If the government or a spy agency or law enforcement really wants to get your data, they can get it. The software we use is extremely complex and has lots of bugs and vulnerabilities. If an agency seizes all your devices and really digs into them, they’ll probably get your data. Do your best to protect yourself, but be realistic about the limits.

For example: If you are in the US then you are done for. Somebody in the third-world country is laughing right now? Don’t get your hope too high. Probably there is no basic privacy law to protect you from government. Have your computer encrypted? They will beat you in the ass until you are so fuck up. You may have some luck with Switzerland though, they have the best privacy law to ensure that there is no government that can envade your personal information.

Scenario
Your friend comes over to your place, and asks for the Wi-Fi password to connect their phone to your LAN.

You have no idea what malware is on their device, or who else they may give that password to, or what traffic they may do through your internet connection. Suppose malware on their device starts spamming people on the internet, and your ISP shuts down your service ? Suppose your internet has a monthly data-cap, and their device starts torrenting or something ?

It would be best to have a “guest” network defined in your router, but I think few ISP-supplied routers support that.

Do you really need to use:

  • Each add-on you have installed in your browser ?
  • Each app you have installed on your phone ?
  • Each app you have installed on your computer ?
  • Each app you have allowed to access your Facebook account ?
  • Each app you have allowed to access your email account ?
  • Each social media site you use ?

Every one of these is potential point of failure, a thing that could be stealing and selling your data, or accidentally having a security vulnerability.

Updated on 2022-05-03
cc-by-nc-sa-4.0
 privacy
Back | Home