
I appreciate the intention of this article. Written for people only starting to change their surfing habits in light of Snowden. But the example of the tools they should use are not thought out very well.

First: Freedome by F-Secure is closed source and there is no OpenVPN alternative. Always choose a VPN that has OpenVPN so that users can configure the connection to their needs. No need for this bloated mess.

Second: Whilst disposable Google accounts might seem like a good idea, there are any number of ways for Google to cross-correlate a disposable identity with your actual identity using fingerprinting captchas or even your screen resolution. Google does this to spot serial re-registrations and to stop people gaming Google Plus voting rings and spammers in general.

Third: Be careful of online websites offering fake-name services. Most of this data is generated server-side and logged for the purposes of cross-correlation with your IP address and user-agent string. Quite possibly the vast majority of fake-identity sites are run by LEA.

- I like to write some quick and dirty ruby gems to generate fake identities because then it can't be correlated. (The names are pulled in from disparate sources and I always ensure true-randomness).

- In terms of email, use things like Riseup which use TLS at every hop so that passive dragnets can't sniff the password. 99% of all IMAP and SMTP services can be passively sniffed because they use weak STARTTLS.

- Use 'honeywords' in an email to correlate different emails with different activities. For example:

This way you can whitelist those addresses for the purposes of filtering out spam and phishing attempts.

> Second: Whilst disposable Google accounts might seem like a good idea, there are any number of ways for Google to cross-correlate

In all fairness, the author does mention multiple times that a fake Google account is not meant to protect you from Google, but from the site you're signing up on.

I don't see the point of using honeywords. I mean, I've used them a bit, but any spammer is going to strip them immediately, so they're useless for identifying which provider leaked your address, right? And now to log in, you need to remember the honeyword you used to register, which is a big inconvenience for anyone not using a password manager. (Use a password manager!)

If you primarily use honeywords, then you can filter out anything going to craigds@host.tld as spam. The hard part would be transitioning people you want to communicate with to craigds+{family,friends,correspondence}@host.tld.

Optionally, retain craigds@host.tld for personal and professional communication/correspondence, and move everything else to craigds1+{something}@host.tld (or a different host).

I just bought an entire TLD for signups/spam and made it a catchall. One positive is I know when companies are breached often before they announce it as my pagerduty@domain.com told me a little while ago.

I've used the same strategy for the past few years with great results. Like you said it's really nice to see early on which companies are leaking your info.

It's also nice to be able to kill specific email addresses once a breach has been disclosed and the spam becomes plentiful.

This is a great idea! What's it like viewing email? Which client do you use? Is it easy to see which email address the email was sent to?

Viewing email is as you would expect, the email they sent to is in the header so it's just a single click away in Thunderbird.
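The catch-all strategy above (one address per service, leak spotted when an unexpected sender uses it) can be automated against the delivery header. The following is an added example, not code from anyone in this thread; the registry of handed-out addresses, the sample messages and the domain names are constructed.

```python
"""Triage mail delivered to a catch-all domain where every service was handed its
own address (pagerduty@..., craigds+family@...). A message whose sender is not the
service that address was given to is a leak indicator; an address never handed out
is dictionary spam."""
import email
from email import policy
from email.utils import parseaddr

# Assumed registry (constructed): local part handed out -> sender domains expected to use it.
REGISTRY = {
    "pagerduty": {"pagerduty.example"},
    "craigds+family": {"family.example"},
}

# Constructed sample messages, each with the Delivered-To header the MTA adds.
SAMPLES = [
    "Delivered-To: pagerduty@example.test\nFrom: alerts@pagerduty.example\n\nincident\n",
    "Delivered-To: pagerduty@example.test\nFrom: Deals <deals@cheap-pills.invalid>\n\nbuy now\n",
    "Delivered-To: craigds+family@example.test\nFrom: Mom <mom@family.example>\n\nhi\n",
    "Delivered-To: nobody@example.test\nFrom: x@unknown.invalid\n\n???\n",
]

def recipient_local_part(msg) -> str:
    """Local part of the address the message was actually delivered to."""
    _, addr = parseaddr(msg.get("Delivered-To", ""))
    return addr.split("@", 1)[0].lower()

def sender_domain(msg) -> str:
    """Domain of the From address, ignoring any display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def classify(raw: str) -> tuple:
    """Return (local_part, verdict) with verdict 'expected', 'leaked' or 'unknown'."""
    msg = email.message_from_string(raw, policy=policy.default)
    local = recipient_local_part(msg)
    if local not in REGISTRY:
        return local, "unknown"   # never handed out: guessed or dictionary spam
    if sender_domain(msg) in REGISTRY[local]:
        return local, "expected"
    return local, "leaked"        # someone other than the service now has the address

def leaked_addresses(raws) -> list:
    """Sorted, de-duplicated local parts seen with an unexpected sender."""
    return sorted({local for local, verdict in map(classify, raws) if verdict == "leaked"})
```

A leaked local part is the one to retire, as the thread describes; the sender domain check is only a heuristic, since a legitimate service can also change its sending domain.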

Wait, did you really mean "TLD", or just "domain"?
