What "pointers" would you provide to someone who asks what they should consider doing for privacy/security?

What "pointers" would you provide to someone who asks what they should
consider learning about to improve their desktop/mobile privacy/security?

The topic is huge, so all I would do, for an adult, is provide a bunch of
head-start keyword/URL pointers to any adult who asks that question.

But which keyword pointers would you provide to start with?
o Can you help flesh out this list I just created for them?

In no particular order (yet)...
o Browser fingerprinting (https://panopticlick.eff.org)
o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)
o IP address privacy (vpn(*), killswitches)
o IP address check (curl icanhazip.com, http://whatismyipaddress.com)
o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)
o Domain blocking (http://winhelp2002.mvps.org & acrylic DNS)
o DNS leaks & encryption (dnscrypt, https://www.dnsleaktest.com)
o OS (copperOS, tails)
o WiFi (wireshark, tcpdump, _nomap, _optout)
o ???

*What other keywords would point to basic privacy/security concepts?*

(*) Just mentioning the three letters V-P-N will normally induce a hail of
vpn trolls, so let's keep this high level please, where we're just looking
for keywords as we all know the zillions of caveats surrounding VPNs.
--
Usenet is a public potluck where purposefully hellpful people help each
other learn more about the technical topics that they discuss on this ng.

On 27/12/2019 05:56, Arlen Holder wrote:
What "pointers" would you provide to someone who asks what they should
consider learning about to improve their desktop/mobile privacy/security?

o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)

There is always the risk of your data will be used for tracking you or
profiling you, never trust a free service.


o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)

Always avoid applications that lets you store your data online, as you
never know if they will have the key to decrypt your data (stored or in
transit)


o Domain blocking (http://winhelp2002.mvps.org & acrylic DNS)

I would recommend pihole with dnsproxy, also router iptables to redirect
all outgoing traffic over port 53 to the pihole.


o WiFi (wireshark, tcpdump, _nomap, _optout)

Avoid wifi, it's insecure and slow compared to a cable.


--

//Aho

In article , J.O. Aho
wrote:

o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)

Always avoid applications that lets you store your data online, as you
never know if they will have the key to decrypt your data (stored or in
transit)

it's very easy to know if they have the keys or not.



o WiFi (wireshark, tcpdump, _nomap, _optout)

Avoid wifi, it's insecure and slow compared to a cable.

no to both and a cable is not an option most of the time.

"J.O. Aho" wrote

|
| o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)
|
| There is always the risk of your data will be used for tracking you or
| profiling you, never trust a free service.
|

Good tips for general security online, but for anything
resembling privacy you need to:

* Turn off cellphones whenever possible and avoid apps.

* Use a HOSTS file and block numerous domains from the
likes of Google and Facebook.

* Avoid enabling javascript except where absolutely
necessary.

That's just for starters. Those are just the most obvious
issues involving constant tracking both online and in terms
of physical location. The third is absolutely necessary for
anyone who hopes to have protection from online attacks.
Nearly every online security risk requires javascript. The
rest generally require other executable code, such as Flash,
Java, Silverlight, etc.

If those steps seem unreasonable then the next best
thing would be to admit to yourself that you value convenience
and Instagram so much that you've decided to accept
wearing a tracking collar at all times and risking malware.
If you're going to be a sucker you can at least not fool
yourself about it.

On 27/12/19 10:42, J.O. Aho wrote:
On 27/12/2019 05:56, Arlen Holder wrote:
What "pointers" would you provide to someone who asks what
they should
consider learning about to improve their desktop/mobile
privacy/security?

o Browser proxy (Epic, Opera, TBB, Aloha, & Brave
proxy/tor browsers)

There is always the risk of your data will be used for
tracking you or profiling you, never trust a free service.

I have no objection with this, but ... why does this not
hold for paid services too ?
As long as they are able enough to get away with it and have
you not even know, even them might profile you.
Or not ? And if not, why not ?
Explain pls



o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)

Always avoid applications that lets you store your data
online, as you never know if they will have the key to
decrypt your data (stored or in transit)

totally agree, even if ones with self-discipline strong
enough to cript stuff manually before uploading could be
sufficiente to workaround the trust



o Domain blocking (http://winhelp2002.mvps.org & acrylic DNS)

I would recommend pihole with dnsproxy, also router iptables
to redirect all outgoing traffic over port 53 to the pihole.


o WiFi (wireshark, tcpdump, _nomap, _optout)

Avoid wifi, it's insecure and slow compared to a cable.




--
1) Resistere, resistere, resistere.
2) Se tutti pagano le tasse, le tasse le pagano tutti
Soviet_Mario - (aka Gatto_Vizzato)

On 27/12/19 05:56, Arlen Holder wrote:
What "pointers" would you provide to someone who asks what they should
consider learning about to improve their desktop/mobile privacy/security?

The topic is huge, so all I would do, for an adult, is provide a bunch of
head-start keyword/URL pointers to any adult who asks that question.

But which keyword pointers would you provide to start with?
o Can you help flesh out this list I just created for them?

In no particular order (yet)...
o Browser fingerprinting (https://panopticlick.eff.org)
o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)
o IP address privacy (vpn(*), killswitches)
o IP address check (curl icanhazip.com, http://whatismyipaddress.com)
o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)
o Domain blocking (http://winhelp2002.mvps.org & acrylic DNS)
o DNS leaks & encryption (dnscrypt, https://www.dnsleaktest.com)
o OS (copperOS, tails)
o WiFi (wireshark, tcpdump, _nomap, _optout)
o ???

*What other keywords would point to basic privacy/security concepts?*

(*) Just mentioning the three letters V-P-N will normally induce a hail of
vpn trolls, so let's keep this high level please, where we're just looking
for keywords as we all know the zillions of caveats surrounding VPNs.



you're one of the few that raises general topics, and
intresting ones.
Tnx


--
1) Resistere, resistere, resistere.
2) Se tutti pagano le tasse, le tasse le pagano tutti
Soviet_Mario - (aka Gatto_Vizzato)

On 27/12/2019 16.41, Soviet_Mario wrote:
On 27/12/19 10:42, J.O. Aho wrote:
On 27/12/2019 05:56, Arlen Holder wrote:
What "pointers" would you provide to someone who asks what they should
consider learning about to improve their desktop/mobile
privacy/security?

o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)

There is always the risk of your data will be used for tracking you or
profiling you, never trust a free service.

I have no objection with this, but ... why does this not hold for paid
services too ?

A paid service don't automatically mean they won't profit from your data
too, so you have still be careful when picking which service to use.


--

//Aho

On 27/12/2019 12.48, nospam wrote:
In article , J.O. Aho
wrote:

o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)

Always avoid applications that lets you store your data online, as you
never know if they will have the key to decrypt your data (stored or in
transit)

it's very easy to know if they have the keys or not.

Not that easy, specially on a mobile phone where you have less control
of things, it make is more difficult to for you to know if your private
key has been shared.

--

//Aho

On 27/12/2019 14.21, Mayayana wrote:
"J.O. Aho" wrote

|
| o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)
|
| There is always the risk of your data will be used for tracking you or
| profiling you, never trust a free service.
|

* Use a HOSTS file and block numerous domains from the
likes of Google and Facebook.

That's what you have pihole to, no point in editing things on each
device you have on your network, do it on one instance.

--

//Aho

On Fri, 27 Dec 2019 10:42:31 +0100, J.O. Aho wrote:

o Browser proxy (Epic, Opera, TBB, Aloha, & Brave proxy/tor browsers)

There is always the risk of your data will be used for tracking you or
profiling you, never trust a free service.


Hi J.O. Aho,

I realize instantly that you're trying to be helpful, which I appreciate,
but it's too easy on Usenet to say why something "can't work" where the
point of this thread is simply to come up with "ideas" via keywords, that
can be made to work.

For example, you can make proxies work simply by adding a VPN (for example)
to the front end of the proxy, where my intent of this thread wasn't to
discuss what "will work", but what "can work".

Nonetheless, we all know the flaws of _every_ keyworded topic I listed, all
of which we can ameliorate to some extent (which isn't the point of this
thread, since the ameliortion discussion can go on, easily, forever).

As an example of amelioration of your objection, it's easy to "add another
proxy" to the existing proxy, where, of course, there's always a "first
proxy", which even itself can be ameliorated by using someone elses' WiFi
connection (for example).

Since I like to make my threads "actionable" (i.e., real, & not bull****)
as a _simple_ example, you can do this quite easily by way of amelioration:
a. Sit away from Starbuck's cameras with a WiFi enabled iPad on your lap
b. Start any public VPN service on that iPad, so now you're "on VPN".
e.g., https://apps.apple.com/us/app/hide-me-vpn/id953040671
c. Start any "proxy browser" on that iPad, so now you're on a proxy.
e.g., https://alohabrowser.com/
etc.

Sure, there is browser fingerprinting, and dns leaks, and hidden cameras
galore, along with government-sponsored license-plate readers and FBI
Cessnas flying overhead capturing your IMEI that can nab you as you travel
to the Starbucks or sit at home alone... but we have to keep in mind the
basic "threat model" in the situation above, where I was advising a group
of college-age boys on how to better be "private" while on the university
computer system.

Likewise, for example, torrenting amelioration steps could be:
a. Obtain a magnet URL via vpn/proxy/tor & sit on it for increased latency
b. Utilize a killswitch when the torrent begins & set the seed to 2.0
c. Ensure a reliable public VPN service to keep the DCMA notification away
etc.

In summary, we all already know of all these reasons why you "can't have
privacy" on the Internet - but - for a group of college aged kids - there
is still merit in giving them a select set of about a dozen to a score of
privacy/security based "keywords", that they can look up.

Hence, the question here is simply one of privacy-based keywords...
*What other keywords would point to basic privacy/security concepts?*

o Password privacy (keepass & mobile phone equivalents)
o Data privacy (veracrypt & mobile phone equivalents)

Always avoid applications that lets you store your data online, as you
never know if they will have the key to decrypt your data (stored or in
transit)

Again, for _every_ topic above, there are reasons why someone will say it
"can't work"; when the truth of the matter is that you "can make it work"
by putting in place amelioration steps.

For example, I already told these boys to try as much as possible when
they're at the university to only use their USB cable, where you'll note
that the password solution of using "keypass" works on their desktop
(there's never a need to put a password database on the Internet or even on
the university LAN).

In addition, the same USB-cable amelioration applies to their truecrypt
database, and to their calendar ics file, where I showed them my Android
phone doesn't even have a Google Account, where I can easily maintain my
calendar & passwords & encrypted data over a USB cable from PC to phone.

But the point of this thread is NOT why you "can't have privacy", but why
you "can have privacy", if you know a few keywords to look up for details.

*What other keywords would point to basic privacy/security concepts?*

o WiFi (wireshark, tcpdump, _nomap, _optout)

Avoid wifi, it's insecure and slow compared to a cable.

I told the freshman boys to keep their passwords, calendars, and truecrypt
databases only on their computers & phones (merging via USB cable).

Nonetheless, Wi-Fi is a reality, where I showed them, for example, how to
torrent a bit more safely by simply taking amelioration steps into account.

For example, WiFi amelioration steps could be:
a. Be aware of butterfly hash tables by using unique SSID & passphrases
b. Be aware of Wi-Fi Sense (e.g., _optout) & SSID naming (e.g., _nomap)
c. Be aware of WiGle & Google SSID databases (i.e., SSIDs are geolocated)
etc.

NOTE: Even Android tells people nowadays (at least Android 9 does on my new
$100 Moto G7 for example) that your SSID/BSSID _is_ your geolocation (in
essence) given there are WiGle WiFi wardriving databases which list your
geolocation and that there are freely available Google databases too.
o WiGle SSID/BSSID geolocator https://wigle.net/
o Google SSID/BSSID geolocator https://www.mylnikov.org/archives/1170
o *Any other sites do people know of that geolocate your BSSID/SSID?*

o Domain blocking (http://winhelp2002.mvps.org & acrylic DNS)

I would recommend pihole with dnsproxy, also router iptables to redirect
all outgoing traffic over port 53 to the pihole.

Ah, _this_ suggestion is in keeping with the spirit of this thread!
Thank you for adding those "domain blocking" keywords, where I'm wholly
unfamiliar with the keyword "pihole" for example (which I've added to the
list above based on your helpful suggestion).

Googling, it seems all three go together (piholes, iptables, firewalls)
https://docs.pi-hole.net/guides/vpn/firewall/

My goal, much later, for each keyword, is to have a canonical site, e.g.,
o DNSCRYPT https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0
o IPTABLES https://www.leaseweb.com/labs/2013/12/setup-linux-gateway-using-iptables/
o FIREWALL https://opensourceforu.com/2015/04/iptables-the-default-linux-firewall/
o SSID/BSSID https://www.maketecheasier.com/google-know-where-wifi-router/
etc.

Hence, I repeat the question, in that tack, where I ask for more keywords!
o WiFi setup (e.g., WPA2/PSK butterfly hash tables, & wifi sense _optout)
o Wardriving amelioration (e.g., hidden broadcast, _nomap, & BSSID cloning)
o Network firewalls (e.g., router iptables firewalls, wireshark, & tcpdump)
o Privacy smtp/imap servers (e.g., mailinator, & protonmail)
o Browser fingerprinting (e.g., panopticlick.eff.org)
o Browser proxies (e.g., Epic, Opera, TBB, Aloha, & Brave web browsers)
o IP address privacy (e.g., VPNs, web proxy servers, & cmd-line killswitches)
o IP address checks (e.g., curl icanhazip.com, & whatismyipaddress.com)
o Password privacy (e.g., keepass & mobile device equivalents)
o Data privacy (e.g., truecrypt/veracrypt & mobile device equivalents)
o Domain blocking (e.g., HOSTS, pihole, router iptables, MVPhosts & acrylic DNS)
o DNS leaks & encryption (e.g., dnscrypt, dnsproxy, & dnsleaktest.com)
o Privacy-based OS's (e.g., tails, & copperOS)
o ???

*What other keywords would point to basic privacy/security concepts?*

--
Usenet is a wonderful public potluck where ideas can be fleshed out better.

On Fri, 27 Dec 2019 16:42:48 +0100, Soviet_Mario wrote:

you're one of the few that raises general topics, and
intresting ones.

Hi Soviet_Mario,
Thanks for that accolade where I'm always trying to find "actionable"
advice, e.g., the advice of "don't use Wi-Fi" isn't really actionable in
today's world, but the advice of "use USB cable for passwords" is
actionable (as previously explained in my prior post to A. J. Aho.

What most people posted is why we "can't have privacy", but I'm trying to
help a group of college freshman in "improving their privacy" while on the
university network.

*The goal of this thread is to come up with meaningfully "actionable" keywords.*

Hence, the intent is to have a canonical site attached to every keyword,
such that they can look up the details on their own; but that's for later.

*Right now I need the score of keywords*, where this is what I've gleaned
from the posts to date by way of basic privacy/security keywords so far:
1. WiFi setup (e.g., WPA2/PSK butterfly hash tables, & wifi sense _optout)
2. Wardriving amelioration (e.g., hidden broadcast, _nomap, & BSSID cloning)
3. Network firewalls (e.g., router iptables firewalls, wireshark, & tcpdump)
4. Privacy smtp/imap servers (e.g., mailinator, & protonmail)
5. Browser fingerprinting (e.g., panopticlick.eff.org)
6. Browser proxies (e.g., Epic, Opera, TBB, Aloha, & Brave web browsers)
7. IP address privacy (e.g., VPNs, web proxy servers, & cmd-line killswitches)
8. IP address checks (e.g., curl icanhazip.com, & whatismyipaddress.com)
9. Password privacy (e.g., keepass & mobile device equivalents)
10. Data privacy (e.g., truecrypt/veracrypt & mobile device equivalents)
11. Domain blocking (e.g., HOSTS, pihole, router iptables, MVPhosts & acrylic DNS)
12. DNS leaks & encryption (e.g., dnscrypt, dnsproxy, & dnsleaktest.com)
13. Privacy-based OS's (e.g., tails, & copperOS)
14-20. ???

*What other keywords would point to basic privacy/security concepts?*

--
Usenet is a wonderful public potluck where ideas can be fleshed out better.

In article , J.O. Aho
wrote:


There is always the risk of your data will be used for tracking you or
profiling you, never trust a free service.

I have no objection with this, but ... why does this not hold for paid
services too ?

A paid service don't automatically mean they won't profit from your data
too, so you have still be careful when picking which service to use.

a free service doesn't automatically mean they will datamine.

many times, there's a free tier with limited functionality, with the
hopes that the user will upgrade to a paid tier and additional
features.

In article , J.O. Aho
wrote:

* Use a HOSTS file and block numerous domains from the
likes of Google and Facebook.

That's what you have pihole to, no point in editing things on each
device you have on your network, do it on one instance.

carrying a pihole around everywhere is incredibly impractical.

In article , J.O. Aho
wrote:

Always avoid applications that lets you store your data online, as you
never know if they will have the key to decrypt your data (stored or in
transit)

it's very easy to know if they have the keys or not.

Not that easy, specially on a mobile phone where you have less control
of things, it make is more difficult to for you to know if your private
key has been shared.

not true.

On Fri, 27 Dec 2019 17:48:56 +0100, J.O. Aho wrote:

Not that easy, specially on a mobile phone where you have less control
of things, it make is more difficult to for you to know if your private
key has been shared.

Hi J.O. Aho,

You bring up a good point about "private keys", which hasn't been covered.
(And which is useful because this thread is intended to be "actionable".)

Bear in mind the ultimate goal is a canonical URL for each keyword, e.g.,
o PRIVATE KEY https://www.namecheap.com/support/knowledgebase/article.aspx/9834/69/how-can-i-find-the-private-key-for-my-ssl-certificate
But we still don't yet have the full score of privacy-based keywords yet.

I understand (and appreciate) you're being helpful where this thread wasn't
supposed to be about 'amelioration', as that would extend the thread out to
an infinite number of posts, but partially to your point, I did address
'amelioration' with this gang of college-age freshman boys with respect to
"keyboard privacy".

For example, while it's not about "private keys", this recent thread goes
into gory detail on how to easily switch to privacy-based keyboards on a
mobile device for the purpose of opening the master keepass kdbx passwd
database, which is to be maintained over USB cable wholly outside the
university LAN or the Internet.
o If not the default, what free Android keyboard are you using & why do you like it?
https://groups.google.com/forum/#!topic/comp.mobile.android/CmZAI0OsXDs

Notice that passwords on mobile devices 'can' be somewhat protected simply
by switching, ad hoc, when typing passwords, to a "protective keyboard":
https://i.postimg.cc/NMjf6fGd/keyboard00.jpg

As long as the students use a database _designed_ to be used offline:
https://i.postimg.cc/wvD8RCLw/keypass01.jpg

And which works on all mobile devices, even these budget devices I own:
https://i.postimg.cc/136096sR/motog700.jpg

To the point you and nospam bring up about a "private key", other than PGP
and GnuPGP, I haven't any experience with "private keys".

Should we add PGP private keys to the existing keyword listing to help
flesh it out to the approximately score of keywords all kids should know?
o Private keys (e.g., pgp/gnupgp, & SSL Certificates)
o Privacy keyboards (e.g., non-Google keyboards such as keepass2android keyboard)
o Wi-Fi setup (e.g., WPA2/PSK butterfly hash tables, & wifi sense _optout)
o Wardriving amelioration (e.g., hidden broadcast, _nomap, & BSSID cloning)
o Network firewalls (e.g., router iptables firewalls, wireshark, & tcpdump)
o Privacy smtp/imap servers (e.g., mailinator, & protonmail)
o Browser fingerprinting (e.g., panopticlick.eff.org)
o Browser proxies (e.g., Epic, Opera, TBB, Aloha, & Brave web browsers)
o IP address privacy (e.g., VPNs, web proxy servers, & cmd-line killswitches)
o IP address checks (e.g., curl icanhazip.com, & whatismyipaddress.com)
o Password privacy (e.g., keepass & mobile device equivalents)
o Data privacy (e.g., truecrypt/veracrypt & mobile device equivalents)
o Domain blocking (e.g., HOSTS, pihole, router iptables, MVPhosts & acrylic DNS)
o DNS leaks & encryption (e.g., dnscrypt, dnsproxy, & dnsleaktest.com)
o Privacy-based OS's (e.g., tails, & copperOS)
o ???

*What other keywords would point to basic privacy/security concepts?*

--
Usenet is a potluck where people from all backgrounds mix & share ideas.