Google has abandoned the “Web Environment Integrity” API that was supposed to allow websites to only allow approved and verified browser environments. The plan would allow websites to reject modifications that were “unattested” for the purpose of supposedly stopping bots, piracy, ad-blocking, and other activity Google deemed to be malicious. However, critics of the plan called it corrupt tyranny in which Google flexes it’s muscles to control the entire internet.
The plan was rejected from Firefox and Brave browsers, and could potentially shut out Linux users out of many websites as there would be no telemetry company to “verify” the operating system was not modified. Further, some said it was an outright attempt by Google to force people to submit to the API even if they didn’t want to use Chrome browser.
Now this horrible tyrannical plan from Google was abandoned after severe “community backlash”, however it could see a limited version for Android Chrome only when embedded into apps themselves. We can only hope these rotten Google executives can abandon their plans for world domination and the submission of all knowledge to pass through their ad tracking software.
Google has abandoned the “Web Environment Integrity” that was supposed to allow websites to only allow approved and verified browser environments to reject modifications that were unattested.
This corrupt and tyrannical plan from Google was abandoned now after severe “community backlash”:
https://www.theregister.com/2023/11/02/google_abandons_web_environment_integrity/
I see a lot of people talking on Twitter about how public opinion is shifting towards NOT supporting Israel this time. It's hard to judge these things on the internet. Do you guys agree with this from your own experience?
WireGuard’s privacy flaws?
WireGuard and OpenVPN are two popular VPN protocols. Many flock to WireGuard because it’s faster, but are unaware that it’s less private than OpenVPN. VPN providers prefer WireGuard because it uses less resources on their end to achieve good results and so it saves them money.
To make it even more biased, most home routers lack the resources to handle OpenVPN without crippling speed, so the VPN router companies heavily push WireGuard in their interface setups and tech support. Because WireGuard is easier for the customer, VPN provider, router provider, and governments trying to do illegal surveillance on the population, it’s rarely discussed what the negatives of it even are.
In this episode, we take a closer look:
https://video.simplifiedprivacy.com/wireguard/
Whonix 101: The Best Way to Use Tor
Tor Browser is one way to use Tor. Another way is through the operating system Whonix in a virtual machine. There are 4 main security advantages of doing this. These are:
1) All Traffic is forced through Tor
2) Malware is contained in a virtual machine, preventing it from infecting the host
3) All of the traffic is routed through a 2nd virtual machine gateway if malware escapes the first virtual machine
4) The virtual machine’s operating system can be run in live mode, which means it erases all the contents after it’s done
_________________________________
Brief Overview
Whonix is an operating system designed to be run in a virtual machine. It is among the most secure options available for browsing on Tor. All traffic by design is forced through Tor, which prevents leaks.
Based on Kicksecure
Whonix is based on Kicksecure, which is a security hardened version of Debian. There are two main differences between the original Kicksecure and Whonix, as follows:
1) On Whonix, all traffic is routed through Tor whereas on Kicksecure, it’s not.
2) Whonix uses two virtual machines – a workstation and a gateway. All internet browsing or activity is done in the workstation, and then this traffic is routed through the gateway before leaving to the internet. This is to prevent leaks.
In constrast, Kicksecure does NOT have a gateway.
_________________________________
How the Gateway Works
Whonix has the following structure:
You → Workstation → Gateway → Internet
The purpose of the gateway is to protect the user if malware escapes the first virtual machine. In addition, it provides a second layer of protection to force traffic through Tor and reduce the possibility of it escaping via clearnet access.
In practice, the chance of malware escaping both the workstation and gateway is incredibly rare. Also, this risk is reduced to virtually zero if JavaScript is completely disabled.
_________________________________
Live Mode
Both Whonix and Kicksecure offer a live mode option. When this is selected at each virtual machine boot up, all data is erased once the virtual machine is shut down. This ensures any malware, cookies, and tracking scripts will be destroyed once the browsing session is done. All internet browsing should be done in Live Mode. (The regular mode should be used only when Whonix or Kicksecure needs to be updated.)
Whonix’s non-persistent mode should ONLY be used for updating the operating system and potentially for updating software. It absolutely should NOT be used for regular internet browsing, as it’s unknown what cookies or scripts could be downloaded.
_________________________________
Downloading Software
Software can be installed on the Whonix virtual machine in regular mode so the software persists between sessions, but only if it is TRUSTED and is needed for every session. However, the user must use extremely good judgment in deciding what software can be trusted enough to persist inside Whonix, as doing so could compromise all browsing if the software is malicious.
We recommend exclusively using free and open source software if it is downloaded in persistent mode.
_________________________________
Make Clones for Software
If the user has enough memory on the direct hard drive or on external USB drives, then additional Whonix virtual machines can be set up as clones — each with unique persistent clone software, which could be configured for different purposes.
What defines Malware
When you say “malware,” people usually think of software that is installed. But malware could exist in a huge variety of forms. For example, a PDF could contain a malicious script to send back your IP address to its creator.
If you were to download a PDF from Tor Browser alone and run it outside of Tor Browser, the PDF could potentially report back your real IP address, whereas with Whonix, all traffic is routed through Tor. The PDF script would not be able to escape the virtual machine and would not be able to avoid being routed through Tor.
_________________________________
Conclusion
You can learn a ton about Tor and open source software by subscribing for free to our new content on Nostr. Are you feeling overwhelmed with the amount of technical knowledge required to properly set up and use virtual machines? At Simplified Privacy, our team is ready to help you with your Whonix and Kicksecure setups and cater advice to your specific needs. Reach out via Nostr DM
Elizabeth Warren blaming cryptocurrency for the Hamas attack on Israel is ludicrous, when Israel funded Hamas to begin with. Government budgets should be on blockchain so we can clearly audit their corruption.
VPN Mistakes to Avoid
VPNs are a great tool for privacy, but they are often misunderstood and misused. Sometimes people believe that they are getting more privacy or anonymity than they actually are. Or other times, a user’s goals are possible, but were not executed correctly.
Who sees traffic?
First of all, there are many different participants who can view different types of information about what you’re doing online. These include, but are not limited to:
1) Your Internet Service Provider (ISP)
2) The website itself
3) The government
4) Microsoft or Apple (unless you’re on Linux)
5) Google if it’s an Android phone or you’re using Chrome Browser
6) Search engines
7) Cross Site Cookies such as Facebook, Google, Twitter, Amazon, and more which can track you even on a different website.
8) Your router manufacturer, unless you specifically put open source firmware on it
9) Database brokers, such as Oracle, which get contracted to fingerprint your device by some websites and services and then resell that data to advertisers
10) Browser Add-ons may report data back
11) Your DNS or Domain Name Service. Often your ISP will pass this off to Cloudflare or Google
12) Many Websites use Denial of Service (DoS) from Cloudflare and Captchas from Google. These can be sources of tracking.
13) Companies such as Silverpush use ultrasonic audio sounds, which are invisible to the human ear, that are emitted from your computer desktop speakers and picked up on your smart phone, to track you across devices.
So now let’s talk about what a VPN does and does not hide (and what other techniques can be used to help).
______________
VPN Basics
A VPN forms an encrypted tunnel between you and the VPN company. Then whatever you do, is executed from the IP address of the VPN company.
A VPN does hide the following:
1) Your IP address from the website
2) Your traffic from the ISP
3) If properly configured, the VPN should have their own DNS, which will also hide your traffic from the DNS provider that the ISP uses, such as Cloudflare
______________
A VPN does NOT hide the following:
1) The Operating System’s company (e.g., Microsoft, Apple, or Google) phones from knowing the traffic and your true location (IP address)
2) Any type of cross site cookie tracking, such as Facebook
3) Any type of browser fingerprinting from the website or from its third party database broker, such as Oracle. Fingerprinting data include your timezone, your screen dimensions, and operating system version.
4) The government forcing a VPN company to track you in real time
How to Mitigate these issues
Now the cookies issue can be solved by properly modifying your browser settings (and using a good browser).
We covered this in this article.
The browser fingerprinting issue can be solved by Virtual Machines, which we covered in this article.
The Operating system issue can be solved by using Linux or degoogled phones. We covered how Linux works in this article. But if you are insistent on using Microsoft Windows or Apple, then a VPN on the router (instead of the computer itself), could help in some ways, such as hiding your real location.
______________
VPN on a Router
Putting a VPN on a router (instead of the computer itself) hides your IP address (and thus your real location) from Microsoft/Apple. But they can still see the traffic.
Now in theory if you never sign in to any account associated with your real name or known nicknames on that device, then it could potentially hide your identity. But in practice, this is highly prone to mistakes in execution, and it’s far better to just use Linux, using Windows or Apple only for specific software you need Windows or Apple for.
Also putting a VPN on most retail routers will slow down the internet connection, since the processing power on a router is less than real PC CPUs. However, there are more expensive ($500+) firewall routers that can match a computer’s speed because they have real CPU chips inside.
No Logs?
Now let’s talk about logs. Most VPN companies advertise a no logs policy.
This may or may not be true in practice. One can evaluate how the logs policy compares to their other policies.
For example does the company accept cryptocurrency? If the traffic data is tied to your real world financial identity, then the company is clearly less committed to keeping you anonymous.
Also, free VPNs that don’t cost anything to use should be avoided. They have no profit motive to protect you and usually store and sell data. Why else would they want you to use the service for free?
Not only should you only go with VPN providers who accept cryptocurrency, but also make sure they allow sign-ups through Tor. Do they process payments themselves or use a third party like Coinbase which blocks Tor?
Even though you may not use Tor to connect to the VPN, you want to see that they allow customers to actually be anonymous while in compliance with their legal department. This makes it much more likely that their legal structure is set up to resist third party attempts to de-anonymoize users because if the customer used Tor and cryptocurrency, then they can’t identify you.
What is the legal history of this VPN company? All of these factors can help you evaluate if you should believe their logging policy.
I hope you learned something, Subscribe on Nostr for more content!
This changes the game for institutions looking to market on Nostr
nostr:nevent1qqszw67emdjz0ewxxkm8cgsfrnuzww3x7pw8acej27fgq64fz93j46gppemhxue69uhkummn9ekx7mp0qgsyvrp9u6p0mfur9dfdru3d853tx9mdjuhkphxuxgfwmryja7zsvhqrqsqqqqqpnn0hgc
Breaking News: The GrapheneOS build for the Pixel 8 is out. This is not the final official version, but it’s making it’s way around their Matrix room, and they’re doing debugs. Our brand-new video is timed to cover the basics behind DeGoogled Phones:
https://video.simplifiedprivacy.com/degoogledphonebasics/
We have brand new Pixel 8s in stock and ready for you. Reach out to us via encrypted messenger if you have any questions.
Make sure to update Tor Browser, their devs just widened the window size which is not only more convenient for search engines with data on the far right side, but you want to blend in with the crowd and not stand out as the "old version" guy.
New animated episode: SimpleX vs Session
These are both partially decentralized privacy messengers that separate identity from IP addresses using encryption. However, there are huge differences between them both in their design goals and flaws. In our brand new animated episode, we discuss important considerations with some tips on using SimpleX or Session:
https://video.simplifiedprivacy.com/simplexsession/
The Session team claims they don't keep the signing keys in Australia. You raise a valid point with this sure.
Regarding the Oxen coin, I disagree with their business model yes and this is valid criticism. However, if they did not rely on the coin, they'd have to actually make money charging for the messages or names. Which they are not profitable doing
Up until now, Shadow Rebel has been doing privacy videos with just his voice. Now after viewers refused to connect even a $0 Ethereum wallet because of a complete lack of trust in an anonymous shadowy figure, he’s come forward to sacrifice his anonymity to advocate for and spread adoption of decentralized social media that is more resistant to censorship.
Yes Ethereum has flaws, and this website is free, so you don’t need to buy it. Yes MetaMask has privacy issues. But if you evaluate the technology we’re presenting, you'll understand why it's better than Google’s Youtube.
In this video he explains “encryption as identity” and how the Ethereum-powered video website works:
https://vid.simplifiedprivacy.com/news/0x81ad645949cb936067f2f90f022e00a45cc75377b16eed0427e9e98c685951d4730bd09ba4f1fb4761d43281db2a8febe7017e304f1626d4bbba163c4a379cba1b
How you can be deanonymized through Tor
Tor is an excellent tool for privacy, and we do not recommend you avoid it. However, there are many limitations to be aware of and ways of using it that can compromise your anonymity on Tor. This article will discuss just a few of the ways, but there may be others that the public is unaware of. For example in 2017, the FBI dropped a case against a school worker accused of downloading child pornography because the FBI would have rather let him go than reveal the source code for how they deanonymitized him through Tor.
The techniques we will cover include:
1) JavaScript based attacks
2) Cookies
3) Compromised Exit Nodes
4) Compromised Middle Relays
5) Compromised Entrance Guards
6) Opening Files Outside Tor
7) Ultrasonic Sounds
JavaScript Attacks
JavaScript is used by many websites to deliver content and perform services. Many sites use it as part of their core functionality. JavaScript also can be used to browser fingerprint and therefore serve content that’s appropriate for the end user’s browser and operating system versions, such as ensuring the content has the correct screen dimensions. While the purpose of JavaScript’s fingerprinting is to properly serve content to benefit the user, it can be used maliciously against the user to identity him or her through Tor.
JavaScript was created by Brendan Eich in 1995. Ironically, Brendan went on in 2015 to become the founder and CEO of Brave Browser, which is promoted as a privacy browser by hiding and confusing your JavaScript fingerprints. In other words, the founder of JavaScript 20 years later became the founder of one of the most popular JavaScript evasion tools!
Brave Browser has Tor functionality and is popular for obscuring fingerprints for everyday casual use, but it isn’t as effective as Tor Browser, which has a fixed smaller screen resolution and better browser isolation. Browser isolation is the ability to prevent different tabs open at the same time and any downloaded files from accessing your main PC.
While JavaScript’s incredibly popular, website developers do not technically have to use it for websites to have interactive experiences or to be properly sized. For example our website, SimplifiedPrivacy.com, uses PHP to allow you to buy services with cryptocurrency, but the overall industry standard has moved towards JavaScript’s use and adoption.
Most large corporate developers are interested in collecting data on users because that data has value in marketing goods and services to those users. Because surveillance data has value to both website owners and third parties, large software developers create tools that utilize the data, and then smaller website creators often are reliant on these pre-existing tools.
JavaScript can be used to identify a user through Tor in a number of different ways. This is why Tor Browser comes pre-bundled with the “NoScript” plugin. This plugin can either reduce or disable JavaScript’s ability. When the plugin is set on the “Safest” setting, JavaScript is completely disabled. This level of security is required to completely stay anonymous and secure on Tor.
The first way that JavaScript can identify a user is if a malicious website were to inject code into Mozilla Firefox (the foundation upon which the Tor Browser bundle is built). An example of this exploit was demonstrated as recently as 2022 by Manfred Paul at a Pwn2Own hacking contest of getting a user’s real IP address through Tor. [4a] [4b]
But this is not a one time bug or incident, as Mozilla Firefox has a history of being vulnerable to these types of malicious JavaScript injections. Malicious script hacks caused Tor to have to patch to correct them in 2019 [5], 2016 [6], and 2013 [8].
Back in 2016, cybersecurity researcher Jose Carlos Norte revealed ways that JavaScript could be used to identify Tor users through its hardware’s limitations. These advanced techniques fingerprinted the user’s mouse movements, which are tied to hardware restrictions and potentially unique operating system settings. Norte additionally warned how running CPU intensive code could potentially identify the user’s PC based on how long it takes to execute. [7]
The point of all of this is that all of these vulnerabilities did not work when NoScript was set to the safest mode of disabling JavaScript.
Browser Alone doesn’t stop cookies
Another security issue with Tor is pre-existing cookies, which could compromise your anonymity. For example, let’s say you previously signed on to your Amazon account from the same computer you are now using Tor Browser in (but using a different browser). If you now visit an Amazon page using Tor Browser (or maybe even receive a forwarded Amazon URL), you could potentially be connected to the Amazon cookie already on your computer and be deanonymized instantly. This would immediately connect the Tor traffic with you.
Remember though that Tor Browser is only one of a few options for using Tor. The way around this cookie issue is to use Tor in a virtual machine with the Whonix operating system or the USB operating system version of Tor called Tails.
Compromised Tor Exit Nodes
Your traffic enters Tor encrypted and stays encrypted through its journey throughout the mixnet until it gets to the final stop, which is the exit node. Here the exit node communicates with the “regular” clearnet without Tor’s onion encryption to access a website on your behalf.
Outside of Tor on the “regular” clearweb internet, most websites use httpS encryption. This is shown with a padlock in the top by the URL. If the website is http, without the “s,” then it’s unencrypted plain text data. Anything you do using an unencrypted http website with a Tor exit node can be snooped on and seen. However, this risk is relatively low because of the high percentage of websites that use httpS.
The biggest risk is that the httpS encryption can be removed using SSL stripping. This is when the Tor Exit node acts as a man in the middle, faking the server with which you’re trying to authenticate and downgrading the connection to httpS. For example in 2020, a malicious actor took control of over 23% of all Tor exit nodes and started doing SSL stripping to steal Bitcoin being sent on mixing websites. [9] [10]
To prevent against these types of attacks, upgrade the Tor security level to safest, which requires the use of HTTPS encryption with “HTTPS-Only”. Also pay attention to the top icon by the URL bar, to make sure there’s always a padlock showing it’s using this encryption.
You can click on the icon to see your Tor connection route and the certificate authority. Certificate authorities are the entities that validate the authenticity of the HTTPS encryption to this IP address. On a side note, these certificate authorities can act as a censor by removing an entry’s IP address, and this is one of the flaws that many cryptocurrency blockchains are actively working to solve.
Another way to prevent malicious Tor exit nodes from stealing your data or cryptocurrency is to avoid using exit nodes by using primarily Onion services. If you only login to Onion websites, then you never exit Tor. This doesn’t mean completely avoiding clearweb sites, but try to only browse them and not login. It’s the login/password credentials that malicious exit nodes steal with SSL stripping.
Malicious Middle Relays
The next type of risk is malicious middle relays — the hop between an entrance guard and an exit node. For example, the malicious group KAX17 had been identified as having run up to 35% of the middle relays and 10% of the overall Tor network before the official Tor project removed 900 of its servers. [15] [16]
While malicious exit nodes often want to steal Bitcoin or data, the goal of malicious middle relays is to deanonymatize users by seeing the path of their traffic. This is especially true on Onion hidden services because it doesn’t even use exit nodes.
There are a few things you can do to reduce this risk. We will go over them in the entrance guard section, because they are the same methods.
Malicious Entrance Guards
Entrance guards can see what IP address is connecting to the Tor network, but can’t see the traffic itself as it’s onion layer encrypted. However, they can gather some information, such as the time, size, and frequency of the data packets.
Researchers from Massachusetts Institute of Technology and Qatar Computing Research Institute wrote in a 2015 paper that if one of their malicious machine learning algorithm servers gets randomly picked to be a user’s entrance guard, then it may be able to figure out what website that user is accessing. The MIT researchers are able to do this by analyzing the patterns of packets from a pre-determined list of websites and seeing if they match the traffic their malicious entrance guard snoops. [17] [18]
According to MIT News, the MIT machine learning algorithm has above an 80% chance to be able to identify what hidden services a given Tor participant is hosting, but there are two conditions. First the host has to be directly connected to its malicious entrance guard and second the hosted site was on MIT’s predetermined list. [18] And finding who is the host of controversial materials is often of more interest to oppressive regimes than just who are the website’s visitors.
How can you avoid this?
There are a few ways you can reduce your risks with malicious entrance guards and middle relays.
First, use your own hosted ob4s bridge as an entrance guard to avoid ever having both a malicious relay and guard. Our company can help you set this up on a cloud server (VPS) or create it for you. See our product page for more details.
And second, you can enter Tor with a VPN first.
Opening Files Outside of Tor
Virtual machines contain and isolate identities
If files are opened outside of Tor Browser, they could have code that executes and reveals back to an adversary your real IP address. To avoid this, one can use a dedicated virtual machine like Whonix, which forces all traffic in the VM through Tor. Another option is the Tails operating system on a USB stick, which automatically erases everything after you’re done.
However, if you want to use a PDF outside of Tor, then you’ll need to convert it to plain text. One great Linux tool to do this inside Whonix’s command line is PDFtoText. You can install it with this command:
sudo apt install poppler-utils
Then use it with this:
pdftotext -layout input.pdf output.txt
The -layout flag keeps the original layout. input.pdf is the original file, and output.txt is what you want the output to be named.
Ultrasonic Cross Device Tracking
As University of California Santa Barbara cybersecurity researchers presented at a BlackHat European conference, malicious websites can identify users through Tor using sounds invisible to the human ear. [20]
The way this works is that many popular phone apps use Silverpush’s ad system, which can receive high frequency audio without the phone’s owner being aware of it. Audio of this type could be broadcast maliciously from a Tor website.
Silverpush enables the sale of your location data
These doctoral researchers warned of the dangers Silverpush presents by being connected to wide-spread platforms such as Google Ads. To demonstrate this, the researchers played video of their lab experiment, which de-anonymatized a laptop through Tor Browser, as a result of an Android’s mic next to the laptop’s speakers, while being signed in to a Google account. [34]
While the researchers presented a Chrome browser app that can stop this, we do not recommend it for Tor use because of fingerprinting (and Tor Browser is Firefox based). The best solution is to turn off the speakers and any phones around you when visiting controversial or private websites. Also consider a degoogled phone with a custom operating system, such as Graphine or Calyx, which would allow you to modify when apps have microphone privileges.
Conclusion
In this article, we covered a variety of different ways your identity can be revealed through Tor. To summarize your best defenses are:
1) Disable JavaScript with Tor’s Safest Setting
2) Use a custom private entrance bridge (ob4s) for an entrance guard that you control. Our company can help you set this up.
3) Use Whonix or Tails when you need JavaScript or for doing anything outside a browser, such as opening unknown software or files
4) Before connecting to Tor, first use a high quality VPN with OpenVPN (Avoid Wireguard)
5) Avoid resizing Tor Browser because of fingerprinting
Reach out to us or find the sources for this post:
https://simplifiedprivacy.com/how-you-can-be-deanonymized-through-tor/
Big Tech Abuses Medical Privacy
In the US, your medical records are protected by HIPAA but your internet medical browsing history on websites like WebMD is NOT. That is the kind of data that is being sold in ways that may hurt or embarrass you.
If you have any kind of medical problem, even if it’s small, then you absolutely need to learn privacy. Medical data is among the highest paid data that’s collected, sold, and put into databases by a huge number of websites. When you go to research your condition, these medical information websites like WebMD will collect and sell your personal browser fingerprint.
Fingerprinting your medical traffic
In our article on browser fingerprinting, we discussed how your PC clock’s time zone, IP address, screen dimensions, operating system version, and more all go into your browsing fingerprint. Combined with cookies, these easily can identify you, especially if you had or are signed into accounts associated with your real name while you browse medical websites.
Your medical browsing history is put into databases. Access to this database is sold to all types of companies, from potential employers to banks deciding whether to give you a personal loan and even to governments trying to track you.
Employers View Medical Data
Medical data isn’t sought out by just insurance companies, but also employers. Employers love this information as a way of screening potential employees to see who might call out sick or take leave. In theory employers need your written permission to access your medical history, but that’s only if the source of the information is the official healthcare records from the provider. [1] There is a huge amount of medical data that is sold by data brokers who get it from phone apps, software, social media scraping, how you navigate online ads, and even the doctor’s websites themselves can leak it to tech firms. [2] [4a] [4b] [6]
To quote The Verge covering a study from The Markup, which later saw congressional overview,
“The Markup found that 33 of the top 100 hospitals in the United States were using a tracker called the Meta Pixel on their websites. Installing the Meta Pixel gives groups access to analytics about Facebook and Instagram ads but also tracks how people are using their websites: the buttons they click, the information they put in forms, and so on.” [4a] [4b]
This study found that in some cases patients conditions, medications, and appointment times were sent to Facebook along with identifying information like an IP address or a Facebook login cookie. [4a] These meta cookies and trackers were built into the sign-up forms or hospital websites themselves so would require elderly patients with severe medical conditions such as Alzheimer’s to have advanced cybersecurity knowledge to avoid having their data leaked.
Data doesn’t stay with Facebook, but is shared with many other technology firms. According to an article from Silicon Republic, Facebook’s own internal documents disclose that it illegally shared user data with dozens of other tech firms long after it had told congress it would discontinue the practice. [3]
In fact, according to Facebook’s own engineers from documents leaked to Vice News in 2021, data spreads so much through Facebook, that it’s not even possible to track it for compliance purposes. This Facebook engineer said quote: “We do not have an adequate level of control and explainability over how our systems use data.” [5] So not only does Facebook violate the law, but compliance would not even be possible. Quote: “We can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’ And yet, this is exactly what regulators expect us to do” [5]
Your dating partners will see it
Google will get this medical search history and then display ads when you’re watching Youtube videos with friends or dates. Now whoever you watch content with will know your medical problems at the start of the videos. It’s well-known in dating that people will discriminate against those with medical conditions out of fear of passing it on genetically and the associated financial burden.
In our previous article, we covered how Google abusively sells your data through a cookie to evade European Union regulations and how third parties can effortlessly tap into their spyware ad system to collect data about you. When your romantic date borrows your phone or laptop to look something up, Google ads will be happy to display related medical advertisements and suggestions.
Google does not respect the law regarding medical records. For example in 2017 in the United Kingdom, Google was fined for illegally using 1.6 million British hospital patients records for its DeepMind AI project.
The DeepMind project was not an isolated incident of HIPAA violations. To quote the New York Post and the non-profit Consumer Watch Dog group: “Google has signed a multiyear deal with HCA, an American for-profit operator of medical facilities with 2,000 health-care sites across 21 different states. The agreement will give Google access to millions more patient records — enabling its advertisers to specifically target even victims of sexual abuse as well as those struggling with severe eating disorders.” [6]
Affects your finances and travel
Also this medical history combined with your browser fingerprint, makes you stand out even more, to track you over some unrelated thing on a different website like your cryptocurrency trades.
Now in the United States, there currently are laws that prohibit insurance companies from denying you medical insurance coverage if you have a pre-existing condition. But if you want to leave the US because the political situation has become so unbearable, then you’re going to need an Expat health insurance plan. These plans do real medical underwriting.
To say you don’t care about medical privacy is essentially saying you will never travel. Forever you will be trapped with whatever some overreaching politicians decide.
The sources for this post can be found here:
https://simplifiedprivacy.com/big-tech-abuses-medical-privacy/
Should you use a VPN with Tor?
There’s a heavy amount of debate over whether you should use a VPN with Tor. We will cover using a VPN either before or after launching Tor, but when people refer to this without explicitly saying which method, they usually mean putting a VPN on BEFORE Tor is used. So:
User → VPN → Tor → Website
VPN before Tor
The use of a VPN with Tor is heavily debated among security experts. We will present both the pros and cons, without taking a side.
Some argue that a VPN provides some benefit because if an entry guard turned out to be the malicious adversary, then instead of directly handing the data packets to you, it yields the VPN’s public IP address.
However, others point out that if the adversary is violent and your use of the same VPN continues, then the adversary will force the VPN to comply with giving up your location.
In addition, critics of the “VPN First + Tor” approach point out that if the VPN is compromised, this is a far greater threat than if a Tor entry guard were compromised because you get a new Tor entry guard at least every 10 minutes. In contrast, most people use the same VPN for all of their traffic.
Proponents of the “VPN First+Tor” strategy argue that the VPN can’t see the Tor traffic and that even if the VPN were compromised, it’s no different than the ISP seeing you’re using Tor. In addition, these proponents point out that by using a VPN first, you’d be hiding that you’re even on Tor, which is in-and-of-itself suspicious.
Our Nostr feed is neutral and does not take sides on the issue. However, the risks of VPN use can be mitigated a little bit (but not fully) by using multiple VPNs instead of trusting a single party. Some security experts suggest having one VPN for Tor and another for regular traffic to reduce the risk of the server recognizing you. Some VPN providers use external third party VPS cloud servers. So if you don’t wish to pay for two VPN accounts, another alternative is to research which VPN locations are on what VPS cloud provider. Then use one cloud provider location for Tor and the other for clearweb traffic.
Make your own Tor Entrance Guard
Since Tor is a decentralized network, anyone can setup a VPS (virtual private server) to enter the network. By setting it up yourself, it reduces the ability of the Tor entrance guard to be malicious. Our company can set this up for you. Please visit the store section of our website.
VPN after Tor
It is also possible to put the VPN AFTER Tor for the purpose of going to websites which ban Tor use.
You → Tor → VPN → Website
There are some risks with this strategy and the main one is that over periods of time longer than ten minutes, the VPN will see all the traffic, whereas if you were just using Tor, then every 10 minutes a different Tor exit node would take over. Having different Tor exit nodes handle your traffic will obfuscate and disconnect each 10-minute session from the previous traffic.
The longer you use the same VPN, the higher the chance of malicious Tor participants (exit nodes, relays, ect) associating all this previous traffic back to your current session. However, this threat assumes the VPN is logging your activity and you’re using the same VPN for a long period of time. Technically the exit node can’t even see the VPN’s traffic, but if the exit node were a malicious violent adversary, then it could force the VPN to give up your traffic. This would be possible since a VPN’s physical location is always known.
The threats from Tor → VPN use are extremely minimal or non-existent if the browsing session is under 10 minutes. Another option is to host your own dedicated VPN on a cloud VPS to ensure it’s operating without a log.
Follow us for more content!
Why Linux is more secure than Windows
Open Source
First, Linux is open source, meaning anyone can view the code. Because of this, Linux does not have malicious tracking or anything that works against you. Because the code is readily available, Linux gives huge numbers of participants the ability to test security flaws. The operating system improves through the contributions of decentralized individuals looking over the code. Decentralized open source initiatives then progress through a merit based system, in which changes are adopted as they are shown to be needed.
Windows has less of an organic feedback loop
Linux is in sharp contrast to Microsoft Windows, for which management dictates what changes will take place. With Windows, only those within the company or those that the company hired can view the source code for security flaws. So by trusting Windows, you are essentially betting that these Microsoft employees are better and smarter than the entire rest of the IT community.
Management dictates Windows. On the other hand with an open source project like Linux, it is a constant feedback loop of the community finding flaws, and then the development teams responding. Linux has good code because it’s stood the test of time of thousands to millions of eyes looking for security flaws in it that were then corrected.
Linux is built by a spontaneous voluntary decentralized ecosystem
It’s unknown what security flaws could be found from looking at Microsoft’s code, but there certainly are many instances of viruses and data breaches in the real world.
Windows is vulnerable to viruses
Linux is more resilient to computer viruses for a number of reasons. In fact, Linux is so secure that you don’t even need anti-virus software. (As an aside, anti-virus software on Windows is another way that you are being spied on. Every file it scans is reported back to the anti-virus company.)
Some say Windows has more viruses because it’s more widely used. This propaganda is only applicable to home users because Linux is actually a LARGER share of the enterprise cloud market. And they don’t get viruses because it’s extremely difficult to compromise.
Windows has a flawed design
Microsoft Windows is vulnerable to viruses by its flawed design of allowing programs either all or nothing access. When you download and run a Windows .exe file, you have to trust the creator because it can do anything once it is run.
In sharp contrast, when you get software from outside the package manager’s approved software, it’s usually an AppImage or Flatpak which are automatically sandboxed only have permissions related to that software itself and not the entire system. However, these sandboxes are relatively weak and not as strong as a full-blown virtual machine for isolation, but it’s still better than Microsoft Windows or nothing.
This AppImage and Flatpak sandbox system helps provide some security but remember it is a weak sandbox so any untrusted software should be run in a full virtual machine. The goal of any sandbox is to stop malicious software from spreading across your entire computer.
Linux software is better vetted
Another way that Linux differs from Microsoft Windows is in how you get applications. Every type of Linux (which is called a distribution) has a centralized free app store. The nerdy technical word for this is “package manager”, but it is very similar to an app store on phones. You can easily and effortless install software from your “app store” package manager. This software installation method will dramatically increase your security, since all software is being vetted by the operating system’s creators as being safe.
The app store (aka package managers) have most of the basic programs that you’d need when you get started, such as an office suite, picture and video editor, and a web browser.
But then is it decentralized?
You might be thinking “But Linux is not really decentralized if the operating system’s creators get to pick which apps are in it’s app store” (aka package manager). There’s a few replies to this.
The first is that different versions of Linux (called distributions) compete with each other. Anyone could make their own version of Linux, so if you don’t like the contents of one app store, you can go to another one. This competition forces Linux developers to want to have desired software and not to censor.
The second reply is that just like Windows, you can download Linux software directly from the website of the creators, if you choose to do so. And if you do this without the app store (aka package manager), then the program itself is sandboxed like we outlined earlier in this article to only be able to modify files related to its own software.
Linux Software Updates Easily
Not only is Linux software more safe when you get it, but it stays safe over time. With flawed systems like Windows, the user has to update each piece of software individually over time. Since this is extremely burdensome, most users don’t do it, and then they are vulnerable to new security bugs.
Updates on Linux are easy
On the other hand, Linux lets you update all your software at once in a single typed command. This easy to apply update ensures you will effortless be able to resist the latest hacking bugs across the whole system effortlessly.
Follow on Nostr for more decentralized security tips!
XMPP is an open source messaging protocol that’s decentralized. It’s what’s called “federated,” which means that anyone can set up their own server, and these servers can all communicate through the same protocol.
This means you can easily talk to your friends on your own hidden social media network, while at the same time talk to strangers on other servers end-to-end encrypted. XMPP is similar to a decentralized version of Signal because you get end-to-end encryption but without trusting the Signal Foundation or Amazon AWS servers with your personal metadata such as who and when is communicating.
Email Analogy
You can understand XMPP with the example of email because they are both structured in a similar standardized, yet decentralized, format. Anyone can set up an email server to communicate with another email account or server using the Standard Messaging Protocol. There are no permissions or centralized authority.
XMPP usernames are called JIDs and are structured like email, with the format of user@server. So if the server is example.com then you would communicate with person@example.com.
Many Servers
There are many different servers worldwide from which you can choose (or even set up your own), although when XMPP first started, Jabber.org was the original popular server that many used. Because of this, people often refer to XMPP as “Jabber.” Someone asking you to “send me your Jabber ID” is probably referring to XMPP in general, and so you could send him or her an account that’s not on the Jabber.org server.
Encryption choices
There are two popular encryption protocols for XMPP. These protocols offer the possibility of end-to-end encryption, but both your server and the client of the person you’re talking to have to allow it. The two types of XMPP encryption are Off the Record messaging (OTR)and OMEMO.
Choices!
Dino video calls
Because XMPP is decentralized, you have to make 3 choices when you first set up an account.
1) What software client you want to use?
2) What server do you want to use?
3) What username will you pick on that server?
Client Software
There are many different choices for what software you should use for XMPP. We recommend you make your decision based on how you will use it.
Dino on Linux
Dino is good for Linux video and audio calls, but it won’t work on Windows or Mac.
Gajim
Gajim works on Windows and has audio calls, but no video. It has a real small user interface.
Pidjin works on many platforms but requires installing an additional plugin for encryption, which you can find here:
https://otr.cypherpunks.ca/index.php#downloads
Servers
You should use an XMPP server that respects your privacy. If you truly want privacy and don’t want to trust any server, we recommend setting up your own server. If this beyond your technical interests then we can setup a server for you and hand over the passwords. If you self-host, then you’d pick the domain name and get complete control over who can use it.
Have you ever heard “you should encrypt your hard drive” on a technology video channel? What does that even mean really? Doesn’t the Linux operating system have a user password? Is that encryption or protection?
Let’s break it down:
User passwords on the operating system, protect you from hackers over the internet. The password provides a safeguard against anyone accessing the operating system or system resources remotely.
But a password for a user on the operating system does NOT protect you against someone in person pulling the hard-drive out and opening the files using a different operating system.
Hard-drive encryption prevents an in-person attack. If an attacker were to pull the hard-drive out and access it with another operating system, then it would still be encrypted and require the password. This type of protection is also referred to as “disc encryption” or “full drive encryption.”
Here at Simplified Privacy we recommend you have both types of protection. It’s easy to setup. Many Linux distributions will ask you (when you first install and set up the operating system) if you want to encrypt the drive. Then they may or may not give you the option to pick a completely separate password for disc encryption vs the operating system user.
For example, on the Linux distribution Debian, they will ask you for 2 separate passwords. But on Linux Mint, when you choose the option to encrypt the drive, it automatically makes your disc encryption password the same as for the user login.
Forgotten passwords
If you forget your operating system password, you can recover from this. You can enter the operating system by other means to reset it. But on the other hand, if you forget your LUKS hard-drive encryption password, then you’re screwed. There would be no alternative way to get in.
Different passwords
On a Linux distribution that does allow for separate passwords for operating system vs disc encryption, you should take advantage of this opportunity and use different passwords. This will make it incredibly difficult for anyone to access your files without your authorization because they’d have to crack 2 passwords.
$5 wrench
In the cybersecurity industry, there is a term for using low tech methods to break into files called the “$5 wrench.” From an academic perspective, a computer system or file encryption may be secure from a technological hack, so the user may get an overly confident sense of security that he or she is invincible. But encryption can’t provide protection from an attacker drugging the user and beating them with a $5 wrench until they confess the password.
Because of the $5 wrench threat, always consider what the effects of someone demanding the password or breaking the full disc encryption are. This is one of the reasons to consider also using Veracrypt for computers and the Duress app for phones for additional protection.
The video website Rumble comes under pressure from the UK government to remove Russell Brand’s monetization or go offline, despite the fact that he has not yet been actually convicted of any crimes. This highlights the need for “encryption as identity” which is the concept that we can communicate without government DNS or IP addresses to reject censorship.
What's the solution?
Simplified Privacy is proud to announce our new Ethereum powered video website featuring our animated shorts on technology, in partnership with DegenRocket. This website allows users to subscribe and comment using any Ethereum wallet, including Rabby and MetaMask. Videos can be upvoted similar to Lemmy/Reddit, and new content is sent to your Ethereum inbox by a framework from push_org to reject Youtube subscriptions. There are no gas fees or Eth costs to use the site, so a “burner” $0 balance wallet can be used for privacy.
We will be teaming up with other video creators in the future to create a more decentralized and free internet.
Enjoy the new site:
vid.simplifiedprivacy.com
Extremist-left woke corporations such as Google and corrupt government thugs sit on the tech throne to rule over the currently very centralized internet, with the wicked goals of censorship and surveillance. This animated 2-minute video explains a new framework to reject their tyranny using a concept we call “encryption as identity”.
What this means is communication and decentralized value systems divorced from traditional domain names, IP addresses, and external control or censorship. Everyone knows the example of Bitcoin as money, but this video goes over some examples of these types of systems replacing Twitter, Telegram, and government-promoted DNS.
Let freedom ring:
https://video.simplifiedprivacy.com/encryptionidentity/
New episode!
Libertarians promote political freedom, but often ignore technology freedom. For example, the main party website LP dot org makes 3rd party JavaScript calls to Google and Facebook, visible with the browser extension uBlock Origin. This JavaScript allows these Big Tech firms to do surveillance on behalf of the government and these are the same organizations that suppress pro-freedom speech.
Most Libertarian groups such as Mises or Cato are reliant on Democrat-controlled big tech platforms to spread their message and do not teach fundamental decentralized tech infrastructure for resilience against oppression.
This video goes over an introduction to Digital Freedom for Libertarians including:
1) Operating systems on the phone and PC
2) Cryptocurrency gift cards & debit cards
3) Decentralized Instant messaging & Email
Enjoy:
https://video.simplifiedprivacy.com/libertarian101/
Google is the government's spyware, masquerading as a private company. While I respect their right to make malicious spyware, that doesn't mean I'm going to use it. Like many things in life, this is a trade-off, of convenience vs time, to find alternatives. But you will still face some adversity as friends or co-workers try to send you a google doc, and look at you like you're nuts for not wanting to be apart of it. Here's an article full of alternatives to try,
https://simplifiedprivacy.com/how-to-reduce-googles-control-over-you/
XMPP and Matrix are two competing federated end-to-end encrypted messengers. XMPP is far better, on server cost decentralization, speed over Tor, degoogled push notifications, multi-identities, and overall privacy. So if Matrix is inferior centralized bloatware, why is it more popular? Especially among techies, who should in theory understand these concepts.
This brand new video gives a quick overview of the technical reasons that XMPP is the gold standard king of federation. And it briefly discusses how Matrix manages to push it’s agenda:
https://video.simplifiedprivacy.com/xmpp-vs-matrix-why-matrix-sucks/
The articles have links. The videos don't . most of the comments made from the video are subjective experience such as synapse load speed. If you want to study this academically and get back to us with numbers please do. The term fraud means we are lying
Oddbean new post about login | logout
Notes by SimplifiedPrivacy.com Podcast | export