>I realized that Signal is located in Mountain View, Calif. So I downloaded Burner...
So, Signal is compromised because it's physically near Google? Okay.
>and went to Amazon.com
A company you can't shop at without leaving a digital trail? Okay.
>seeing the 7-Eleven location listed there along with almost everywhere else I’d been in the last seven years
You didn't turn off location services before trying a Faraday bag? You're still using your Android smartphone?
I guess I can give the author credit for looking around and trying, but most of the privacy benefits likely come from things like: using Signal (or similar end-to-end encryption), using privacy-focused email (or a private email server), not logging into social media, turning off location services, using a privacy-focused search engine like DuckDuckGo or StartPage, and blocking ads (and possibly JS if you're that bold).
If it's still not enough for the non-technically-minded, then I'd suggest doing some more research into more advanced techniques like network adblocking, Tor, VPN, or virtual machines.
I thought it was a great read & enjoyed the writing style. I took it to be very tongue in cheek. It was a good overview of a number of cool products I was unaware of, while also being very funny and entertaining.
Pretty silly ending, he just went back to doing the same old stuff he used to do. Fun read!
I take my privacy seriously, but it shouldn't have to be so complicated/ time consuming to defend yourself.
And no, it shouldn't. But it is.
There are startup opportunities, perhaps. Something like Tails, but more comprehensive. And even more intuitive and user-friendly. Maybe using some lighter type of OS compartmentalization.
I try to protect my privacy more than anyone else I know in my personal life.
Doesn't mean I can't laugh at myself.
I dropped Chrome for Firefox. I only search on DuckDuckGo. I run my own WireGuard VPN server with Streisand https://github.com/StreisandEffect/streisand. I use Proton mail e-mail almost exclusively. I try my darnedest to not log into google if at all possible & lock down as many settings that I know of. I keep my activity cleared out https://myactivity.google.com/. Same for Facebook. I won't even consider using an Alexa/ Google home/ etc. I'm sure I'm forgetting some things, also I know there is more I could do.
I'm always preaching the privacy gospel to my friends, and I think they are sick of hearing about it at this point. And therein lies the problem. Many people just don't care, or are not willing to put in the work to defend themselves.
Look at all the steps I had to take. I don't have to tell you folks. Trying to protect privacy in this day and age is no trivial task. Especially for non tech people.
I wonder why you thought the author was dismissive? It's okay if you didn't like the style/ tone. But the bulk of the article was promoting tools for protecting privacy. That's a good thing, no?
I learned of a number of products I was unaware of. I plan on trying out Anonyome labs/ MySudo, Burner & the Abine.com products.
The author seems to care and be excited about privacy. But in the end, he resigns to the difficulty and amount of work it requires. I think the point is it shouldn't have to be so hard.
The article makes a good point at the end about laws and legislation. Until we convince our lawmakers to make privacy a requirement, nothing much will change. A small minority of people like us will continue the good fight, but the privacy landscape as a whole will keep eroding.
I don't think this article was aimed at hardcore tech people like you find on HN. I think it is aimed at a more casual internet user. A good way to get normal folks to read an article is to keep it fun & entertaining.
If it is too dense or feels brow beating, it will turn people off. Just like I have with preaching to my friends. My hope is that casual articles like this will make people more aware & get more people/ lawmakers on board.
Some of the stuff that he recommended strikes me as ~useless. That rubber mask. The glasses. The silly personal assistant. And so on.
And he totally didn't consider how pointless it is for most people to focus on obfuscating activities in meatspace. Unless you're cheating on your spouse, organizing a revolution, dealing drugs, or whatever, it just doesn't accomplish much. And indeed, it flags you as someone who may be up to something.
Online is really the only place where you can claw back some privacy. But you gotta make sure that your uplink doesn't flag you. Using numerous VPNs. Using Tor, I2P or Freenet. Lurking around public WiFi hotspots. Those will all raise flags about you.
And the focus has gotta be on compartmentalization. You have your meatspace life. Your family, your friends, your career, your hobbies, and so on. And that's gotta look totally uninteresting, from the perspective of adversaries. You gotta blend into the crowd.
And then you have your online personas, and their friends, careers, hobbies, etc. Which must be entirely distinct from each other, and from your meatspace life. They must seem like entirely different people.
So adversaries can track you all they like in meatspace. And they can track your personas all they like online. But as long as they don't correlate any of that, you're safe.
Looking at it from the VPN provider's perspective, it's actually simpler not to log. Logs are like radioactive waste. They aren't necessary for management. You can do that in real time, and log nothing. All they can do is implicate you in legal bullshit, which hurts users and damages your reputation.
And even if there's a legal requirement to log, you can just ignore it. At least, if you have no legal presence in the country, beyond running a VPN server.
But more generally, users can use nested VPN chains to distribute trust among providers. That is, connect to VPN A. Then connect to VPN B through VPN A. Then connect to VPN C through VPN B. And so on. I do that using virtual networks of pfSense VMs. But you could do it in one machine, using routing and iptables.
It's the same strategy that Tor uses, routing circuits through multiple relays. With three nodes in a nested chain, no one node knows both who you are, and what you're doing. So adversaries would need to obtain data from multiple nodes.
In my case, I'm my own host. I'm using the WireGuard protocol, running on a Digital Ocean droplet I own. The Streisand project does the heavy lifting of creating/ configuring the server, then I can easily tunnel into it using my computers or mobile phone.
Streisand also supports OpenVPN & other common flavors of VPN, you can even run your own Tor bridge relay if you're into that.
Even if this didn't happen, Big Tech would still know since you probably took your smartphone with you...
1. Privacy denied.
2. Privacy forfeited.
OP, I think, is complaining about the former. Though both forms could either be consensual or not. The latter is usually, in spirit, non-consensual: You agreed to the terms in good faith but wouldn't if you knew the unprecedented scale of the exploit.
Big Tech knows all about you personally, including your name, address, phone number, locations you've been to, people you've met, things you've bought or considered buying. And guess what: they will sell it to anyone who pays enough.
Mirimir is totally trackable. And if you could (not likely) get data from Riseup and Keybase, you could find all his contacts.
But even then, none of that is linked to me in meatspace. Nobody I know in meatspace knows about Mirimir.
Hiding is not so hard if you just compartmentalize.
I was lots sloppier, when I started going dark, in the late 90s. I even talked about it in meatspace. But gradually, I compartmentalized more and more.
Anyone can do that. Just gradually disappear as your meatspace identity. Or restrict it totally to career, and friends and family. Ideally, keeping those separate, so your friends don't hose your career.
And then create and develop an ~anonymous persona. Or a few of them, one for each ~defined set of interests. And just don't talk about it in meatspace. Or mix stuff among personas.
And because I use nested VPN chains, no individual VPN provider can correlate stuff from different personas. It's the same distribution of trust thing that Tor does. Albeit far weaker, because I'm only using several VPNs, and not thousands of Tor relays. But still, it'd take some effort to obtain logs from enough VPN providers.
If I care more about keeping personas unlinked, I make sure to use different VM OS, given the risk of WebGL fingerprinting. Because using the same virtual graphics driver and physical GPU gives the same fingerprint.
If I care even more, I use Whonix via nested VPN chains. With a different Whonix instance for each persona, or group of somewhat linked personas.
If I care lots more, I do all of that, using a different host machine, on a different LAN, with different nested VPN chains.
Apart from the privacy benefits, however, I feel that it is a net negative, because it prevents me from sharing here a lot of interesting stuff that happens in FOSS projects I am a part of, or at work.
A good social network should allow you to post under a different identity, while still tying-in some attributes of your other identity to the new one.
For instance you could easily share your real life experience under another name, while still proving you have between 1000 and 1500 karma on another account. This fixes the problems of traditional throwaway accounts (lack of credibility).
The only places I see this idea explored are in crypto(currency) projects. This is great because it will be robust and reliable, but the patterns could already easily be applied to today's centralized social networks.
Like this: https://www.ivpn.net/blog/wp-content/img/Chains.png
VPN4 is OpenVPN via Tor.
Not that I've used it myself but has this been established as fact now?
(I looked around and the only 'built in' solution I could find for adblocking is in Eero WiFi's paid subscription, which blocks ads on their wifi router)
It's not built in per se, but it's arguably less complicated than replacing a router (or worse, putting one router behind another, as would be required for the many people whose cable/fiber/etc modem is all in one with their router).
Reading through Adguard's GitHub page I can't help not noticing some disingenuous feature comparison there. Like how PiHole doesn't support "Blocking phishing and malware domains" or "Parental control (blocking adult domains)". Although they both do it in the exact same way: blacklists. Does it block YouTube ads?
I'd like better reports and stats on PiHole, not just top sites, top clients, etc. Adguard seems to do better here from the screenshots. But I'll take it with a grain of salt.
It's pretty handy on Android (I think requires 9 or later), you can set dns.adguard.com as your "Private DNS" server and it will work system wide, with no Apps or VPNs to install, and on every network you connect to. I believe it uses DNS over TLS as well.
 https://adguard.com/en/adguard-home/overview.html which takes you to: https://github.com/AdguardTeam/AdGuardHome
I think the same reason some people find Google's advertising-based business model problematic, they find Brave's advertising-based business model problematic.
Not that I'm advocating for ads that track and profile you and everything that you do. We should be making an effort to create an infrastructure for ads where they can't track and profile us. That's what Brave is trying to do, and I don't understand why people are against it. Like, how do they expect sites to be financed?
Lots of people on HN make money with ad networks or are otherwise invested in the concept of harvesting user data.
Same thing happens with GDPR.
I visit some sites that sell their ad spaces directly to advertisers and create and host all creative themselves. I have no issue with those ads.
Windows will still connect to quite a few even if they are in the hosts file.
Both of them, however, allow you to manually specify the IP of a DNS server in advanced network settings.
For ex: Pihole + Unbound
Then when your browser tries to load content from annoying.adserver.com it connects to the pihole, which returns dummy content (a blank image or html page)
I would imagine hardcoded ip addresses in trackers/ads might bypass pihole.
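An added illustration of the two comments above (not part of the thread, and not Pi-hole's own code): a minimal model of how a DNS-level filter decides what to sinkhole, and why a URL with a hardcoded IP address never reaches that decision. The blocklist entries and URLs are constructed samples, and exact-name matching is a simplifying assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample blocklist in hosts-file format (not a real list).
SAMPLE_BLOCKLIST = """\
# constructed entries for illustration
0.0.0.0 annoying.adserver.com
0.0.0.0 tracker.example.net   # inline comment
metrics.example.org
"""


def _is_ip(text):
    """True if text is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    """Collect blocked hostnames from hosts-format or bare-domain lines."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        # hosts format is "<sink address> <name>..."; bare lists carry only names
        names = fields[1:] if _is_ip(fields[0]) else fields
        blocked.update(n.lower().rstrip(".") for n in names)
    return blocked


def classify(url, blocked):
    """What a DNS-level filter can do about a request for this URL.

    Assumption: exact-name matching only (no wildcard or regex rules).
    """
    host = urlsplit(url).hostname
    if host is None:
        return "invalid"
    if _is_ip(host):
        # No name to look up, so the filtering resolver is never asked.
        return "bypasses-dns"
    name = host.lower().rstrip(".")
    return "sinkholed" if name in blocked else "resolved"


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    for url in ("http://annoying.adserver.com/banner.gif",
                "https://203.0.113.7/pixel.gif",       # constructed IP-literal URL
                "https://news.example.com/"):
        print(f"{classify(url, blocked):13} {url}")
```

Requests in the "bypasses-dns" class can only be stopped further down the stack, for example by a firewall rule or a browser-side blocker.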
They fight back, with dark patterns. A ruleset that works today may not work the next; you can update the rules; they can make your update break things. I can see that on some major Chinese e-commerce sites, blocking tracking scripts may cause the search function to stop working, or you cannot comment because the submit button failed to load.
It's difficult to know, I use uMatrix, and often run into questions like what is this <cryptic.cloudfront.net> domain doing? Sometimes it's almost 'first-party'; sometimes it can be something else.
Domain names are too broad because I don't see why a site owner can not add trackers under the domain, or some related domain names that were 'trusted'.
There's an option to do this the way anti-virus software does: have a database of hashes of the scripts and CSS, and audit them. But you know how rapidly things are changing on the web; it is next to impossible to keep track of those. Eventually, we'll run out of passion and energy, just unplug it already.
Gradually going fully F-Droid on my devices.
umatrix prevents loading of a lot of stuff. I have configured umatrix to only load first-party content (I can always add 3rd party content back in using the menu and save it).
Also, umatrix can be used first, then you can use reader mode. Weirdly I notice reader sometimes bypasses some umatrix protections.
Beyond rfid wallets, these glasses, and the clothing/jacket the author mentioned in the article, are there any other cool apparel-related gadgets out there, which a privacy-conscious person could look into (without spending the equivalent of a 3-letter agency budget)???
https://www.reflectacles.com
The more bizarre tricks you try to stay hidden, the more identifiable you (probably) are.
It's like the scenarios that weren't explored in the https://xkcd.com/1105/ strip: yeah, if it's just one guy with the 1lIl11l license plate, it might attract police attention, but if the guy collaborated with ten others who got similar license plates for similar-looking cars, then that could work to confuse and divert the police.
One thing I've found is that it's already clearly impossible to do perfectly, and looks like it will be getting even more difficult and limited in what privacy one can have.
(Obviously, were my own privacy the biggest concern, I wouldn't be talking online in places where creepy companies scrape. I mainly dabble in privacy exercises out of a vague sense of public-interest obligation as a techie.)
I do a pretty good job of hiding from everyone. And I don't use any "gadgets". Indeed, not using smartphones is a major boost to privacy. Otherwise, it's just multiple VMs, nested VPN chains, and Tor. All running on ~old i5 boxes that I bought used, for cash.
This condescension is so common and petty. It's like a real-estate broker laughing at someone for overpaying for a property, or a lawyer laughing that someone missed a court deadline they didn't know about.
Experts of complex systems generally know how to get what they want out of those systems. Finding ways for non-experts to do the same should not be sneered at.
There's a product/market/founder fit in there somewhere.
Like you say, most people I spoke to said they wouldn't pay. The folks who were serious abt privacy are happy to root their phones and use XPrivacyMod and Adguard, which are as comprehensive a solution as you can get on Android short of flashing a ROM like GrapheneOS.
We do plan to charge however, a nominal fee, as low as 50¢ a year. Haven't figured out that yet, but a long way to go. The product needs to be built first.
Arguably a lot simpler than TFA goes on about.
The majority wouldn't know what VirtualBox and Whonix are, and that's before we start discussing what the benefits of privacy even are.
This is the disconnect we have with our peers who don't work in software/IT and why the right to privacy is being lost to jargon and technical expertise.
Privacy now is only a right to those who know how to employ it.
Except that now the technology has packed the entire world into a single "global village".
The AirVPN and IVPN clients for Windows are pretty much leak free. And dead simple. Buy account, download client, install, and run.
And for Whonix, it's just download and install VirtualBox. And then download Whonix, import into VirtualBox, and run.
Whonix / VM:
* Figuring out which version of virtual box is appropriate for her setup. The download page is not at all noob-friendly and there is no big "click this button to download for this OS" button. What does windows host mean? Does that mean windows? What's an SDK? Do I need the extension pack?
* Figuring out which version of Whonix is appropriate for the same reason. Download securely without verification? Is that ok? What's a signing key? Open pgp? What if she downloads the wrong one? Will it fuck something up?
* Feeling comfortable employing a VM. She has never used a VM and would have no idea what was going on when a different OS appeared within her OS. This could be very unnerving because it seems incorrect. The idea of importing an image would be so foreign that she might not be able to figure out how to do it using the virtualbox interface.
* Trivial tasks on Whonix. She wouldn't know how to do trivial things on Whonix because it has a totally different UI than Mac or Windows. Most non-technical people memorize what they have to do to accomplish tasks without actually understanding what they are doing so they can't port that knowledge to another platform.
* Troubleshooting. She would not be able to use Google for help because she can't form the queries correctly to ask what she wants.
* Determining which VPN(s) to use and signing up. There are about 100 options and she has no way to evaluate the quality.
* Determining whether the VPN was set up correctly. Leak tests? Checking external IP? What's an IP?
* Understanding why certain things don't work anymore. Why can't she print documents anymore? Why are certain sites going to the Canadian page instead of the regular .com page? Why isn't Netflix working anymore? Why is she constantly dealing with captcha?
* Understanding why everything is so slow
She would quickly realize she is in over her head, get frustrated, and then feel embarrassed because she would have to call me for help with what you described as a "trivial task". She would probably just not do it to save herself from the embarrassment / "wasting my time".
That's what's so good about Tails. You just boot it, and have a secure Debian system with Tor. But there are some vulnerabilities. Especially because the Tor daemon and userland are not isolated.
At one point, I experimented with packing VirtualBox, a pfSense VPN gateway, and Whonix, in a LiveDVD. It required 8GB RAM, and took minutes to boot. But once it was up, it was quite snappy, because it was all in RAM.
Anyway, it would be cool if someone could pack all of that in an app.
And if you really haven't heard of Whonix, I find it hard to believe that you've looked seriously into privacy protection. But maybe I'm just biased.
> Within three weeks, I got tired of being careful. My faraday bag is somewhere in the back of my car, because I like to use my phone for GPS and playing podcasts. I stopped wearing my Reflectacles in public. I haven’t scrubbed my old tweets away with Jumbo in a while. I use my Visa to buy stuff from Amazon, which it delivers to my house. I plugged Alexa back in. Daniel Gillmor of the American Civil Liberties Union wasn’t surprised. “I don’t think the fix to privacy is something that can be done by an individual alone, in the same way I can’t solve the pollution problem by recycling on my own,” he says.
> Until people demand a law that makes privacy the default, I’m going to try to remember, each time I click on something, that free things aren’t free. That when I send an email or a text outside of Signal or MySudo, I should expect those messages to one day be seen. And that if I ever really need privacy, I should feel a little badly about what is going to happen to Leo Selvaggio.
So basically, he's just poking fun at people who try being private. And he doesn't even mention compartmentalization. You know, the first rule of Fight Club?
I mean, I have a phone. Admittedly, not a smartphone. But I do call people. Mainly my wife and medical services, but whatever. And I do get tracked, at least by cell towers. But none of that matters, because I don't talk about Mirimir and my other personas.
I use a credit card for Amazon too. But I just don't buy anything that's linked to anything that Mirimir or my other personas are up to. Including the box that I'm typing this on, just in case some jerks are tracking firmware codes.
And the part about "demanding a law" is just foolish. We already have laws, but they're ignored all the time.