Privacy Guides

r/PrivacyGuides

Privacy means being in control of ones own personal information. It does not mean secrecy but deciding on your own what you share and with whom and what you do not share.
On computers you can only have this control over your data when you have control over your computer. You should be the one deciding what your computer does, what software runs on its processor, what it does with your hardware and what it does with your data.

That is your personal freedom. Software should respect this freedom. That means you have to be in control of the software. This requires the following things:

• You should have the freedom to use the software for any purpose. Only you should decide and control what you do with your hardware and data.
• You should have the freedom to see what the software does. The software should be transparent and open source. To be in control of your data and your hardware, to be able to freely decide over it software should be open source so that you and anyone else who obtains a copy of it can freely check and see for themselves what the software does.
• You should be allowed to freely modify the software. To be in control of the software and in extent your device and data you need to have the right to modify the software to your liking: to remove any features that you dislike, that handle your hardware or data in a way you do not approve of, to modify features to your liking so that they suit your use case and use your hardware and data in the way you choose and to add new features so that you can do with your hardware and data what you choose to.
• You should be allowed to freely redistribute and publish the software and your modifications to it. You should not be forced to keep your copy of the software and your changes to it to yourself. Others should have the ability to profit of them as well if you want them to and you should have the ability to profit of the work and modifications of others if they want you to be able to. Your freedoms over your device are only effective if you can run the software developed and published by anyone. You should not need to develop all changes to the software yourself. Everyone including people who cannot develop software themselves should have freedom over their device and data and people developing and modifying software should have the freedom to collaborate and to build upon another. Innovation, peace, human culture and progress depend on people working together and building on the work of others.

Software that adheres to these freedoms is called free software. Free as in freedom.

You can only own a device if it runs free software.
You can only have privacy if your personal information is processed by free software.

This work is licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/

You might have old accounts especially cloud accounts that are just idling abandoned while still holding personal information. They might have old weak passwords just waiting to get compromised. Same goes for old email addresses that you do not use anymore but are still linked to other accounts. This is a reminder to check those, delete your data from them or to delete them altogether (delete private information manually first before deleting the account as many companies do not actually delete the data from deleted accounts and just mark the account as deleted).

Some examples of this could be:

• old Google accounts from old devices
• old iCloud accounts
• old Microsoft accounts
• old Aol or similar email accounts
• old accounts from smartphone vendors like Samsung, Huawei etc. that often have their own cloud services

Make sure to set a strong passwords on accounts you want to keep and of course use a password manager. Besides the security password managers have the great side effect of giving you an overview over all your accounts so that you cannot just forget old ones.

just that the TV commercial looks back at you through the TV and the TV follows you around everywhere, wherever you go, whatever you do, taking note of everything to get to know every single detail about you, every interest, every prejudice, every weakness of yours, to get to know you like no person, no matter how close to you does, like not even yourself do to use that information to influence you most effectively to the TV channel's and the advertiser's advantage, to manipulate you, to sell this information about you to other companies like insurances who use the power that this knowledge provides over you to extract every last cent of money from you, to sell you.

##Some general background

Discord is a privacy and security disaster. They do not make their money through ads and tracking (as of now) but they do not care about privacy or security just the slightest bit either. Discord messages are not end to end encrypted. Discord, their employees and their infrastructure partners like Google Cloud Messaging have access to your messages at all time. Do not ever send anything sensitive over Discord! Discord also does not delete your messages when you delete your account, leave a server or delete a channel or group. When you delete a channel or group or get removed from one your messages still stay on their server. You just lose access to them and have no way to delete them anymore. If you delete your account without deleting your messages first they will stay on their servers forever without you having any way to access or delete them. There is no official way for deleting all your messages. I am not a lawyer, but I am very sure that is a violation of the GDPR and highly illegal. They claim they anonymize that data when you delete your account, but all your messages are still tied to an account ID and there is no way to anonymize private messages that can contain personal information. Using client mods to automate deleting messages is even against their TOS. They do not comply with laws that require them to delete your data and reserve the right to ban you when you try to do that yourself. You should absolutely regularly delete your messages anyways. Make sure to have another mean of contact for your Discord friends so you do not rely on Discord as they can and do of course ban you for any or no reason whatsoever.

Discord also has extremely extensive telemetry that is not anonymized. They basically log every click you make in the app: when you click on a profile, when you join a voice channel etc. You can see this data when you do a GDPR request. Included in this logs is your IP address, your rough location and device information for every single event. You can block some of this with uBo in a browser or with client mods.

##Settings in Discord

• Opt out of personalization and other data sharing.
• Set yourself to invisible/offline. Everyone on every server can see when you are online otherwise and there are bots collecting this information.

##Modifications

• If you can, use Discord in a browser with uBlock Origin.
• Regularly use a script like this to delete your messages.
• Consider using a VPN to hide your IP address and location.
• If you use their mobile app do not grant it storage permission and instead share files from your gallery or file manager with Discord.

##Usage

Assume that absolutely everything you do on Discord – every message you send every word you say in a voice channel, every click you make – gets permanently recorded by Discord and secrete services, gets sold to advertisers either right away or in the future and breached to the public in the future. That is exactly what you risk when using Discord. Use it accordingly and do not share anything sensitive. If you need to discuss something private shift to another platform.

Note:

At their website, the author said they're using Microsoft App Center, so you might want to disable the app's access to the internet.

Introduction:

I've used UntrackMe for some time, but I felt that it misses some sites that I frequently using. So after searching a bit, I ran into Tarnhelm, which one of it's feature let the user to kinda mimic UntrackMe manually. It will copy the changed URL when you Tarnhelm-copy at the copy menu (or when you copy if you use LSposed or background monitor features).

Guide:

1. Download Tarnhelm (F-droid / LSposed)
2. Go to "Rules" -> "Regexes"
3. There are two options to go from here

• Copy one of the followed codes on the list below, then click on add and then click on the paste (note that you might need to change some of the instances).
• Add a rule manually.

4. Profit!

Feel free to add rules at the comment section. Actually, please do lol. Hope you'll find it as useful as I did :)

The list:

YouTube -> invidious.snopyta.org:

eyJhIjoiWW91VHViZSAtPiBpbnZpZGlvdXMuc25vcHl0YS5vcmciLCJiIjpbIihodHRwfGh0dHBzKTpcL1wvKHd3d3xtKS55b3V0dWJlLmNvbVwvIl0sImMiOlsiaHR0cHM6XC9cL2ludmlkaW91cy5zbm9weXRhLm9yZ1wvIl0sImQiOiJYcGVlTiJ9

reddit -> teddit:

eyJhIjoicmVkZGl0IC0%2BIHRlZGRpdCIsImIiOlsiaHR0cHM6XC9cLyh3d3cuKT9yZWRkaXQuY29tXC8iXSwiYyI6WyJodHRwczpcL1wvdGVkZGl0Lm5ldFwvIl0sImQiOiJYcGVlTiJ9

Medium -> Scribe

eyJhIjoiTWVkaXVtIC0%2BIFNjcmliZSIsImIiOlsiKGh0dHB8aHR0cHMpOlwvXC9tZWRpdW0uY29tXC8iXSwiYyI6WyJodHRwczpcL1wvc2NyaWJlLnJpcFwvIl0sImQiOiJYcGVlTiJ9

imgur -> rimgo

eyJhIjoiaW1ndXIgLT4gcmltZ28iLCJiIjpbImh0dHBzPzpcL1wvaT8uP2ltZ3VyLihjb218aW8pXC8iXSwiYyI6WyJodHRwczpcL1wvcmltLm9keXNzZXkzNDYuZGV2XC8iXSwiZCI6IlhwZWVOIn0%3D

Quora -> quetre

eyJhIjoiUXVvcmEgLT4gcXVldHJlIiwiYiI6WyJodHRwczpcL1wvKHd3dyk%2FLnF1b3JhLmNvbVwvIl0sImMiOlsiaHR0cHM6XC9cL3F1ZXRyZS5ibGFja2RyZ24ubmxcLyJdLCJkIjoiWHBlZU4ifQ%3D%3D

Twitter -> Nitter

eyJhIjoiVHdpdHRlciAtPiBOaXR0ZXIiLCJiIjpbIihodHRwfGh0dHBzKTpcL1wvdHdpdHRlci5jb21cLyJdLCJjIjpbImh0dHBzOlwvXC9uaXR0ZXIubmV0XC8iXSwiZCI6IlhwZWVOIn0%3D

The last two paragraphs can be seen as a brief Tl;Dr.

As you have probably already read a critical vulnerability in Android has been found by a researcher accidentally that allows to bypass the Android lock screen and to unlock the phone without the password on Pixel devices and potentially also many other devices. Here is his original post: https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/

Tl;Dr: When the phone is locked an attacker can swap the SIM card to their own while on the password entry screen. The device will then show the unlock SIM screen on top of the lockscreen password entry screen. Now the attacker can intentionally enter an incorrect PIN to their SIM card three times causing the SIM card to get locked and requiring the PUK code. When the attacker enters their PUK to unlock the SIM card again and then sets any new SIM pin the phone will unlock without requiring the lockscreen password. All the attacker needs is access to the locked phone, that just needs to have been unlocked once since the last boot and any SIM card they know the PUK of.

The vulnerability is in AOSP and could therefore also affect other non Pixel devices depending on whether the OS uses the AOSP or a customized variant of the lock screen and PIN screen. The vulnerability has been fixed in the November Android security update. So if you are on a Pixel make sure to update your phone quickly and check that you have the November security patch. I read somewhere that the vulnerability got introduced with Android 12, but I cannot verify this. All Android devices without the November 2022 security patch are potentially vulnerable until confirmed otherwise. Even if they are not vulnerable the unlock system before that security patch had significant security issues that made this vulnerability possible and could lead to other similar vulnerabilities being found.

I can personally confirm that the exploit is working on GraphneOS prior to the November security patch.

What to do know

The most important thing is of course to update the OS to get the patch. But there is one huge catch: many manufacturers take very long to incorporate the Android security updates into their custom Android variants and to publish security updates. Even worse many Android devices are no longer supported by the manufacturer and do not get security updates anymore at all. This means many potentially vulnerable Android devices are unpatched and there is no patch available. If your device is still supported you should pay especial close attention to updates in the next time and install them timely. Devices no longer officially supported might have custom ROMs with newer AOSP security updates available (e.g. GrapheneOS has the November security patch for the Pixel 4 and Pixel 4 XL). However custom ROMs can come with their own issues and are not a solution for the huge number of average users.

Mitigations and general advice

Since some time Android encrypts user data with filesystem encryption. When you boot your phone the data is encrypted and not accessible until your enter the password so it can get decrypted. A lockscreen bypass cannot bypass encryption. There is a huge difference whether your device is freshly booted and all user data is at rest and encrypted or whether it is just locked. Once you enter the password Android stores the encryption keys in memory and loads data to memory. Now your user data is accessible to Android and only the lockscreen protects it against someone with physical access. A lockscreen is generally much less secure than encryption. There is significantly more attack surface once you unlock your device after boot as this vulnerability shows. Also biometric authentication is only available after the first unlock which is more vulnerable to different attacks like forced unlocking or tampering and faked biometrics.

What this means is that when you shutdown your device or reboot it, it is invulnerable to this lockscreen bypass as it is protected by something much stronger: encryption. Only once you enter the password again it becomes vulnerable.

The following is good advice in general but especially important now for people with unpatched devices:

(Tl;Dr:)

If you get into a situation where your device is more susceptible to physical access by others such as border control, a police control, anything like that or you let your device unsupervised somewhere or store it somewhere without using it for some time, turn off or reboot your device beforehand. This will make sure all user data is encrypted at rest and significantly reduces attack surface for a physical attacker.

Of course every encryption and every lock screen is just as secure as the password. This is also a good example of why security update support is important. When buying a device, pay attention to the time frame for guaranteed security updates. Also be careful about how long different Android manufacturers take to publish security updates. Generally Android variants closer to AOSP like Pixel stock Android or Graphene OS get security updates quickly while heavily modified manufacturer variants like Samsung's One UI, Huawei's EMUI or Xiaomi's MIUI take much longer.

The surveillance state in one sentence

You are guilty until you prove otherwise by every part of your private life being surveiled. If you have any issue with this that is just proof of your guilt. What would you have to hide otherwise?

r/PrivacyGuides

Do you remember the movie Minority Report, the eye scan in the Mall for personalized advertisings? Now it's real 🥶

Most COM domains are blocked in China.

Protect your device from dangerous sites, get rid of annoying ads and tracking, get access to blocked resources in your country!

InviZible Pro includes the well known modules DNSCrypt, Tor and Purple I2P. These modules are used to achieve maximum security, privacy and ease of use of the Internet.

InviZible Pro can use root, if your device has root privileges, or uses a local VPN to deliver Internet traffic to Tor, DNSCrypt and I2P networks.

Features:

• No root required
• Hides location and IP
• Unblocks the restricted web content
• Prevents tracking
• Allows access to hidden networks
• ARP spoofing detection
• Built-in firewall
• Tethering supported
• Material design theme

If you want, there is also a Premium version for $5

• 1 A smartphone isn't a secure dispositive
• 2 It's not a good idea to store sensitive data in a smartphone or using it for banking or with pay apps
• 3 Disconnect the GPS, if you don't need it
• 4 Use a good AV , p.Exmpl. BitDefender (Free version is enough), because Google Play Protect is only a better placebo
• 5 Review the permissions of the apps and remove those which are not needed for the app (Candy Crush don't need access to your camara or mic, f.Exmpl.)
• 6 Prefer apps from F-Droid
• 7 Use Exodus Privacy to check the apps before download or using.
• 8 Use a VPN if you are on a public WiFi, but be aware of the most free VPN, there are few exceptions of thrustworth free VPN, you can use
• Proton VPN (no logs, no data limit, encrypted end2end, developed by Suiss CERN scientifics. -Windscribe (same as Proton, but only 10 Gb/month)
• Calyx VPN (No logs, encrypted, no data limit, but only one server from the Calyx Institute)

What do you think about this?