Security & Privacy with technology in (2016-2019, depreciated and needs updating)


Moderators: valis, garyb

valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Security & Privacy with technology in (2016-2019, depreciated and needs updating)

Post by valis »

This thread originally started when Ronnie mentioned Google in another thread and this subject was expanding. I have edited this first post since and will continue to try to keep this one updated and as coherent as I can.

In addition, when this thread started much of what we have discussed was NOT visible to anyone that wasn't involved in security related concerns. So if this seems redundant now, well that's because the direction our discussion was headed seems to have had some legitimacy.

Lastly, this is NOT meant to be an exhaustive list or resource, but rather intended for a lay-person to have some awareness of what is going on with our online platforms and what we expose here. In other words, info that you might leverage as a musician who uses computers, rather than a computer expert who also does music. Which seems in line with the target audience here.


---------------------------------

This is mostly about Privacy, and what information we expose. In the past when we might discuss technology and security it was virii and worms, then malware and phishing scams, and over time things have evolved and expanded; certain actors have migrated into those who create fake profiles and aggregate data about users not just to exploit their passwords and banking info, but also to act as gatekeepers of what can be seen where (shape public perception and consensual reality) and tune that with the psychometric data that's collected by your platform interactions (likes) and "what kind of donut am I" mini-games.

A quick glance at The EFF's Privacy Page will show the many ways that everyone from the NSA and government agencies to Ad Networks (this is the primary business for Google & Facebook both) down to the browser extension makers are busy data-mining all of us.

For those who are truly concerned about their privacy and data exposure, I would first suggest a usage model that limits your exposure as the primary focus. Whether this is based on just sandboxing the things you do, or multiple browsers, faking (or hiding) browser fingerprints and digital identities so that online activities remain somewhat segregated, well this is up to you. I do the latter, and also do what I can for those around me within what I think they can handle.

Better yet, here's an article from the EFF written in late 2019 that may be of some use, it's a description of their repository of information at https://ssd.eff.org/en for self-defense from online surveillance (added 01/03/20).

Personally, I have always used the practice of segregating personas across browsers & computers, and use different logins entirely to access various services on each (vary your nicknames & handles). I like separating my workflows anyway, so this was always a logical extension of that, only now there's more cause to improve my model. In some cases it might be wise to segregate to entirely different networks, for things that really should be secure (think: business versus personal, then financial & medical).

For all of the above in additional detail, WITH a 7-day walkthrough to help cover the basics, I *highly* recommend going through a data detox at least once: https://datadetox.myshadow.org/detox. You don't need to finish a full Facebook cleanup if you don't care, but I do suggest at least giving it enough of a go to understand what this process covers.

Next, here's a great article from ProtonMail on creating strong passwords and the use of password managers (added 01/21/20)

Since we're on the subject of passwords, many password management apps can generate as well as store your passwords. But before we get to that, we should also be aware that there are resources out there for tracking our account information to see if we've been caught up in any large data breaches. I've seen offers for monitoring & protection services from financial organizations (banks, credit monitoring services, online accounting software) so you might wish to see if any services you use already provide a service and whether it's worth using. In the meantime, you can always use this free resource:

haveibeenpwned.com

Now back to the password security discussion...


-----------------------------


Password Managers & 2FA / 2 Factor Authentication Apps

Closed Source Password Managers

Lastpass

1Password

Open Source Password Managers

Both of these support self hosting and implement client side encryption:

Bitwarden (has a more modern looking interface and multi-platform apps and add-ons.)

Keepass (has a number of versions like Keepass 2 original, and forks like KeepassXC and KeePassDroid etc.)

PasswordSafe (again many forks, clones and even java based versions)

Arstechnica.com article on 2 Factor Authentication apps (2FA)

Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to

I largely agree with what is written here, though the article didn't make it clear that if you use Lastpass the 2FA app they offer actually backs your 2FA account up to your main password account. And they ignored 2 other open source password manager apps that also come with their own 2FA app similar to lastpass. In any case, this is still an information article with some good options for most people and adequate explanation over the threat models and how security is accounted for with each app discussed.



-----------------------------

Facebook & Social Media

Facebook should be fairly well covered already in the Data Detox above, but as these platforms are already evolving, you should be aware that Facebook has an "Off Facebook activity" section under your Facebook settings. It's being reported that facebook will aggregate not just your browsing habits by tracking you anywhere they have a facebook pixel or 'like' extension installed and their ads being run, but they are also purchasing banking information and email/google information. They are also tracking this information for people who do NOT have facebook accounts, so this is one advantage to actually keeping an account active BECAUSE...

Go into your settings in Facebook, scroll down to "Off Facebook activity" and then click "Clear History" (this may show you everything that was being tracked depending on where you are viewing the settings page--desktop or mobile etc). Next click "Manage your off Facebook Activity" and then "Future Off-Facebook Activity" and turn off future activity (the blue slider).

Note that this will log you out of services where you're using your Facebook account as your login/authentication method, so resolve this FIRST.


-----------------------------

The Real Cost of Free Email, Web Browsers & Search Engines

Clearly we are in a world where "free" means "give up some marketing and limited personal info in exchange" is the very best view on the nature of these products and platforms. When we consider what that data's existence on a company's IT infrastructure also makes us vulnerable to, however, both in terms of data mining and potential 3rd party exploitation (personal or otherwise, as with malware and compromised logins) then one hopes that we begin to lock down our footprint a bit.

For our first steps, users typically run some form of adblocker. Adblock and uBlock Origin (Firefox & Chrome versions here) are a good place to start, and it would make sense to deploy one of those along with Decentraleyes, Privacy Badger & HTTPS Everywhere and so on. Now you've begun to limit what your browsing sessions expose to data aggregators and tracking networks.

Next many would suggest that moving away from relying on Google's (Alphabet's?) services as your sole provider is probably a good idea. Keep your account(s) so you can go in and disable the data you don't wish to be retained, and set other settings as appropriate (Google now does a fairly good job at documenting this). For the record I still maintain Google accounts, but I limit what they expose. There are plenty of other free email providers out there and some even have a specific focus on security like Tutanota, Protonmail, Countermail or Hushmail and so on.

Hey.com has come along as a non-free alternative which might be interesting to some, both because it has a new attempt at updating your workflow with your inbox and also because it focuses more on simplicity rather than end-to-end encryption but is still reasonably secure.

Consider moving away from Chrome as much as possible as well (Opera, Brave, Vivaldi and many other forks from Opera Chrome now exist) and we switch browsers over to search engines that don't track like duckduckgo (01/01/20, duckduckgo has been reported to have stronger google ties than it did when this was written) or startpage.com.

On Firefox there are now built-in security container features with browser extensions that will extend this, both in terms of limiting Facebook tracking you and separating out different privacy windows. To do this Firefox uses a combination of containers and fake fingerprinting (which can be used to identify a browser even when it doesn't declare specific things), which you can extend with browser addons to create custom containers to isolate sessions running in the same browser process from each other.

If you're using Chrome, you should consider removing Chrome Software Reporter Tool (added 01/08/20) as it monitors all running processes and may have access to other data as well, including the system's clipboard. It can also remove software that Chrome deems to be 'impeding the performance of Chrome'. Ostensibly this is to remove malware, but I'll let you evaluate that claim for yourself and make the choice appropriately.


-----------------------------

DNS lookups & your ISP

For ISP-level protection beyond that, we have OpenDNS (and Google DNS, but that doesn't help us move away from their services), Cloudflare's new DNS or local solutions like Pi-hole (local DNS relay running on Raspberry Pi that will block malware & ads for your whole network) and/or Simple DNSCrypt (windows client that can do ipv4, ipv6 & a large number of open secured DNS servers or your specific choice).

However that still means placing your trust in the hands of corporations and potentially oligarchs, so I've implemented Pi-hole solutions for friends as it's easier than the services that run on MacOS & Linux locally, this replaced using hosts file based lists for blocking ad tracking, social media tracking & Win10 analytics stuff...for those who need more security there's also VPN's. For Windows Simple DNSCrypt is pretty 'simple', but I have found it flakier than the Pi-hole solution at times.


-----------------------------

This is a rough starting list and far from fool-proof, as there's plenty about your personally identifying mouse movements, reading speed, computer identifiers and more that can be gleaned by the top level data aggregators. And yet it does mean that if an account gets compromised somewhere, there's a lot less that's vulnerable to individuals who may seek to exploit that compromise.

--------------------------------

Throttle the Windows (10/11/?) privacy footprint

I might recommend some of the following to anyone using Windows. I am giving links that give manual processes to secure Win10 first, but I will also recommend some simple applications that automate these things as well:

O&O ShutUp10 is the app that I prefer to use to tweak Windows telemetry, Cortana, One Drive and more. It encapsulates the above lists and I like it because it's a simple toggle on a case by case basis so I feel like it's still fairly manual, it covers all of the above and more, and it doesn't make changes I don't want or understand:

O&O ShutUp10: https://www.oo-software.com/en/shutup10


The tool below was created to remove a lot of the added telemetry/voice/etc technology in Windows, this is more of a 'one stop' utility that does everything automatically and is probably a better option for a 1-click 'clean' DAW install where you don't want ANYTHING else running, but since it's not as manual as the O&O version above I don't use this personally (I like to leave Live Tiles and a few other things running, you may not):

https://github.com/Nummer/Destroy-Windo ... g/releases


Even if you choose to not use the above tools, I like to disable One Drive completely unless you're already tied strongly to it (ie, if you have a lot of data stored on Onedrive, *don't do this*!!)
https://www.howtogeek.com/225973/how-to ... indows-10/

https://www.bleepingcomputer.com/forums ... r-privacy/
(above link dates back to 2015)

https://www.geckoandfly.com/25083/free- ... cking-you/
(more recent list, last updated June 5, 2019)

Disable Windows 10 basic telemetry:
https://winaero.com/blog/how-to-disable ... indows-10/

Comprehensive Windows 10 telemetry tweaks:
https://docs.google.com/document/d/1wDk ... 23icqvs76v


Most of you are probably already on top of this, but for more general computer cleaning you should also consider a tool similar to one of these:


Avira Privacy Pal may be worth a look:
https://liliputing.com/2018/04/avira-re ... ndows.html

Though it has some overlap with another cleaner tool I also recommend:
https://www.ccleaner.com/ccleaner

--------------------------------

Keep windows updated!
This goes without saying, but did you know there are a variety of tools available to help keep your windows applications, drivers and even windows updates current in ways that might also improve privacy and security?

When it comes to apps, I used to use a tool called Secunia Personal Software Inspector to speed up maintaining a Windows installation, but this was discontinued in 2018 (for personal use). Initially, I tried using a combo called SUMo (Software Update Monitor) and DUMo (Drivers Update Monitor) but shortly afterwards (likely because so many migrated from Secunia PSI) they stopped the automatic processes in the free version(s) and all you could basically do was double click an entry to spawn a web browser and download the update from a given vendor. The issue with this is that the links sometimes didn't work, and given my thorough nature I would then spend too much time hunting down said update. So it wound up being LESS efficient (because of my habits) than simply keeping things up to date the old fashioned way. A notification or two, followed by a broken download link, followed by time wasted, and repeated every day or so as the notifications were constant. Still, the paid versions work well, so they're still recommended.

Other alternatives given in a search at the time would have been:
uCheck & Patch My PC Home Updater, but since then a few more interesting options have come along (or evolved, in the case of the last recommendation):

First up is Ninite which is free to use and covers a fair number of commercial and free applications. The Pro version has the added bonus of a web interface that allows you to manage all your windows machines from a single browser.

Second (and I believe more comprehensive) is Chocolatey which is open source and makes installation of updates on Windows as simple as on linux. This is worth a look, imho.

And then of course CCleaner (https://www.ccleaner.com/) has added a built in driver update process (this might be Pro only, I subscribe to Pro) and will notify you of application updates as well.

In the commercial space, there is enterprise level software that sysadmins can use to remotely manage (install patches) and take inventory of a company or network's machines from companies like SolarWinds and Spiceworks (and many others). I've actually used Spiceworks in the studio, it also uses a webmin interface but it's not the simplest tool to get running so I'm simply mentioning it here for reference.


------------------


Lastly, while this isn't strictly privacy related, this may also be of interest to Windows 10 users who prefer to know their machines more intimately:

Announcing Windows Admin Center: Our reimagined management experience
https://cloudblogs.microsoft.com/window ... xperience/

https://docs.microsoft.com/en-us/window ... min-center
t_tangent
Posts: 970
Joined: Sun Dec 28, 2003 4:00 pm
Location: UK

Re: Privacy in 2018

Post by t_tangent »

Thanks for starting this thread, some really useful info already, so I look forward to reading other posts as this thread grows.

Yes I use Ublock for adblocking which seems to work pretty well, but will check out the others you mention, and the different search engines.

VPN is certainly a good idea. NordVPN has a great offer on at the moment, https://nordvpn.com/special/deal/?gclid ... s2EALw_wcB

I use Windscribe VPN sometimes as it has a free service up to 10GB/month for those who only need light usage or just want to try it out. https://windscribe.com/upgrade
ronnie
Posts: 788
Joined: Thu Jul 17, 2003 4:00 pm
Location: Varies Between 30Hz & 20KHz

Re: Privacy in 2018

Post by ronnie »

Great stuff. Cloudflare DNS, NordVPN, DuckDuckGo, I would add Orbot. And Orfox browser (Android Only). For Windows you would need a dual boot or USB boot into the Tails OS where they are built in. You will then be invisible. So now you can guess my day gig but I deny everything. 8)
"I’ve come to the conclusion that synths are like potatoes, they’re no good raw—you’ve got to cook ‘em, and I cooked these sounds for months before I got them to the point where they sounded musical to me." Lyle Mays
dawman
Posts: 14368
Joined: Sun Jul 24, 2005 4:00 pm
Location: PROJECT WINDOW

Re: Privacy in 2018

Post by dawman »

I was relieved when COO Sandberg said I could keep my privacy for a set price.
Privacy is a pipe dream.
People should know when everything is free, it’s like drug dealers giving you the good stuff at cheap prices to get you hooked.
Then the price goes up and the shit is cut.

To believe your privacy is in their best interests is a joke.
Has anyone read the recent EULAs Micro$oft sent you?

Read it, you’ll see your privacy is their legal piracy...
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Privacy in 2018

Post by valis »

Always the cynicist :D B
dawman
Posts: 14368
Joined: Sun Jul 24, 2005 4:00 pm
Location: PROJECT WINDOW

Re: Privacy in 2018

Post by dawman »

Me, I just continue to lie about the gear I own, and how I want the massive Central Government, and love Hillary.
They’ll think they succeeded in my re education and leave me be.
dawman
Posts: 14368
Joined: Sun Jul 24, 2005 4:00 pm
Location: PROJECT WINDOW

Re: Privacy in 2018

Post by dawman »

Registering at the DMV what political your you’re affiliated with will be kept private too....
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Privacy in 2018

Post by valis »

:lol:
garyb
Moderator
Posts: 23248
Joined: Sun Apr 15, 2001 4:00 pm
Location: ghetto by the sea

Re: Security & Privacy with technology in 2018

Post by garyb »

thanks for taking the time to write this.
this is good info for everyone.
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Security & Privacy with technology in 2018

Post by valis »

Certainly. And thanks for all you do again 8)
t_tangent
Posts: 970
Joined: Sun Dec 28, 2003 4:00 pm
Location: UK

Re: Security & Privacy with technology in 2018

Post by t_tangent »

Yes. Very useful links. Thanks Valis and to both yourself and the O.G. (Original Gary) for all your help on the forum :)
Nestor
Posts: 6686
Joined: Tue Mar 27, 2001 4:00 pm
Location: Fourth Dimension Paradise, Cloud Nine!

Re: Security & Privacy with technology in 2018

Post by Nestor »

It is sad to see how complicated our lives have become due to this crap... it is amazing to witness it, and it is not a Hollywood movie, it is reality. We are surrounded by eyes watching us all the time..., it is insane. If it was only the internet that would be already pretty bad, but it is all over the place: supermarket, bank accounts, car, travels, money exchange, purchases, titles, phone calls, WhatsApp, pet shops records, credit cards, airports, customs controls and face recognition, hospitals, medical care, cameras recording you all over the place, and the list goes on…

I am in a middle position, that is, between Valis and Dawman. I think it is worth to take care and avoid for this octopus to follow you that much, and at the same time, I also believe that it is somehow impossible to totally hide yourself from this extremely persistent world control.

We are facing dreadful dark times! Everything is ready for the fall of our civilization, we are in key days right now.
*MUSIC* The most Powerful Language in the world! *INDEED*
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Security & Privacy with technology in 2018

Post by valis »

I'm certainly not trying to fear-monger, I just think it's good to be mindful of the things I've addressed above.
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Security & Privacy with technology in 2018

Post by valis »

At least we don't run casinos (though jimmy might work at them):
http://www.businessinsider.com/hackers- ... ?r=UK&IR=T
Sounddesigner
Posts: 1063
Joined: Sat Jun 02, 2007 11:06 pm

Re: Security & Privacy with technology in 2018

Post by Sounddesigner »

What I hate about corporate abuse like this privacy issue is it ends up harming us in multiple ways. First our Privacy is destroyed cause Facebook and others don't know where to draw the line and go overboard doing things like watching all of your internet activities even after you leave their website; but secondly the Government uses this type of stuff as an excuse to over-regulate businesses which ultimately cost us the users/consumers in some way, and makes it harder for new and small companies to compete with giants like Facebook, Google, etc. Over-regulation and over-taxation hurts the most customers and small businesses. Many politicians want a lot more changes to the internet in regards to regulations and taxation and financial-penalties. The EU passed legislation called GDPR that will be in effect in a few days which puts extreme limitations on consumers' personal data which I'm sure will seriously harm EU consumers/Social-Media-Users in the longrun. Government often does more harm than good when it tries to solve problems like this and use issues like this as an excuse to implement more Government control/political-agenda. If one does not like what Facebook and other companies are doing it's best to just not use their services and products and generally keep Uncle-Sam out of it or else citizens might end up harmed in multiple ways. Sometimes the fix is worse than the problem.
borg
Posts: 1516
Joined: Tue Oct 23, 2001 4:00 pm
Location: antwerp, belgium

Re: Security & Privacy with technology in 2018

Post by borg »

This is preposterous! I haven't got a single clue what is being discussed here... I don't mean the threats, I've read the news, but all these measures to be taken. I've been using Macs for almost twenty years now, only one issue with malware, but I do realize I'm vulnerable and ignorant, and probably lucky/uninteresting. What is this? Will, in two years time, only IT specialists be able to use the internet safely?

But this is child's play really. I recently saw a documentary about the next generation of cities that are being built at the moment in China and Persian Gulf states... Heading for disaster, I guess! Everything is being run by computers, everything! And I mean Every Thing!
A few months ago, a teenager in his bedroom brought the entire Dutch banking world on its knees (quite innocently), if you walk through a red light in China, it's camera registered and the government will shut you out/make you lose your civil rights. Everyone is being watched, and villains apparently have no trouble getting hold of all this info... What if some badass can get into the framework of such a city?

Dystopian, Orwellian, short sighted... call it what you want, but as long as governments don't really feel the need to protect its citizens, but rather keep them under its thumb in favour of the industry...
andy
the lunatics are in the hall
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Security & Privacy with technology in 2018

Post by valis »

Not sure I understand, but I'll attempt a clear response:

When it comes to abuses of power, imo concern is often not the faceless side of power wielded by organizations, oligarchies, governments and other organizations but rather the individuals who can wield that power in some way. The obvious case in point with Facebook is the Cambridge Analytica 'scandal', but the real issue there is that those resources are being used to mine you for a lot more reasons than just showing ads. And that singular company is just the tip of the iceberg...

Not to mention what happens when that data aggregates into the hands of a single player who can be exploited: https://www.wired.com/story/exactis-dat ... n-records/

A good example of abuse of power via access at the individual level: https://arstechnica.com/information-tec ... alk-women/

--------------------

So I agree with Sounddesigner in regards to voting with our dollars and attention, and simply avoiding the 'use' of services where possible. Since visiting a website first relies on DNS to resolve the web address, the DNS 'use' case outlined here is a case of 'knowing what websites you visit' and mining that data, and options are given for that. Similarly, browser plugins to block ads and such are not new, so I have also mentioned how you can do this via DNS redirection (pi-hole, DNSCrypt etc) which also avoids ISPs injecting their own ads in place of well known ad-networks.

And since our operating systems also collect data on you, and provide default services (like Onedrive) which may also tie in a lot of your data, there are options provided here as well. I would have provided more Mac specific discussions here but I was operating with the presumption that more of our forum users are non-Mac, and know this is true from being here for so long. If you're interested borg I can provide more options there, or you can as well so we can include that into the conversation.
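
How a network-wide DNS filter of the kind discussed in the post above and in the "DNS lookups & your ISP" part of the first post makes its decision, as an added example that is not part of any post in this thread and is not Pi-hole's or Simple DNSCrypt's code. All names and addresses are constructed, the upstream resolver is a stand-in dictionary, and treating a listed name as covering its subdomains is an assumption of this sketch.

```python
"""Simplified model of a network-wide DNS sinkhole (added illustration)."""
import ipaddress
from collections import defaultdict

# Constructed sample in hosts-file format; every name and address is made up.
SAMPLE_BLOCKLIST = """\
# constructed sample entries
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # inline comment
127.0.0.1 localhost
telemetry.example.com
"""

# Constructed stand-in for the upstream resolver, so the example runs offline.
SAMPLE_UPSTREAM = {
    "news.example.com": "192.0.2.10",
    "cdn.tracker.example.org": "192.0.2.66",
    "ads.example.net": "192.0.2.77",
}

SINKHOLE_IP = "0.0.0.0"          # unroutable answer handed back for blocked names
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    """Return the set of blocked names from hosts-style or bare-domain lines."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        for token in line.split():
            name = normalise(token)
            if name and not _is_ip(token) and name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


class Sinkhole:
    def __init__(self, blocked, upstream, match_subdomains=True):
        self.blocked = blocked
        self.upstream = upstream
        # Assumption of this example: a listed name also covers its subdomains.
        # A plain hosts file only ever matches the exact name.
        self.match_subdomains = match_subdomains
        self.query_log = defaultdict(list)       # client -> [(name, verdict)]

    def is_blocked(self, name):
        name = normalise(name)
        if name in self.blocked:
            return True
        if not self.match_subdomains:
            return False
        labels = name.split(".")
        return any(".".join(labels[i:]) in self.blocked
                   for i in range(1, len(labels)))

    def resolve(self, client, name):
        """Answer one query and record it; the log is what the operator sees."""
        name = normalise(name)
        if self.is_blocked(name):
            verdict, answer = "blocked", SINKHOLE_IP
        else:
            answer = self.upstream.get(name)
            verdict = "forwarded" if answer else "nxdomain"
        self.query_log[client].append((name, verdict))
        return answer


if __name__ == "__main__":
    hole = Sinkhole(parse_blocklist(SAMPLE_BLOCKLIST), SAMPLE_UPSTREAM)
    for client, qname in [("laptop", "News.Example.com."),
                          ("phone", "ads.example.net"),
                          ("smart-tv", "cdn.tracker.example.org")]:
        print(client, qname, "->", hole.resolve(client, qname))
    print(dict(hole.query_log))
```

The per-client `query_log` is the same record of visited names that any resolver operator can keep, which is why the choice of who runs the resolver matters as much as the blocklist.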
borg
Posts: 1516
Joined: Tue Oct 23, 2001 4:00 pm
Location: antwerp, belgium

Re: Security & Privacy with technology in 2018

Post by borg »

hi Valis,

if it was unclear, 'this is preposterous' wasn't aimed at this thread at all, on the contrary, it was aimed at the situation where you need a degree or at least deeper knowledge to do what seems so innocent: looking for innocent info, connecting to friends,... Personally, I only check Z, and a few other music technology sites, and our national (unbiased?) news site, and some youtube, not interested in social media. I don't mind the 5 sec Native Instruments ads before my clip starts. So basically, I only use computers to make music and check soccer results, and try to keep my human interactions as 'live' as possible.
So, thanks for the offer to give some Mac based advice! My ignorant self says "don't need it", but yeah, it could be too late some time soon.

What I would like to ask you, has to do with something totally different: One of those other sites I frequent is the Subsekt techno forum, and the admins are having some trouble with phpBB, seems like they need a transition like Z went through a few years ago, but they haven't got a clue. The guy that built the site is no longer part of the team. I directed them to Z, and mentioned your name... So not really a question, more of a warning that some dude may knock on your door...
andy
the lunatics are in the hall
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Security & Privacy with technology in 2018

Post by valis »

Ok, thank you for the heads up. If I can help within my schedule, will do so.

And thank you for the clarification as well.
valis
Posts: 7306
Joined: Sun Sep 23, 2001 4:00 pm
Location: West Coast USA

Re: Security & Privacy with technology in 2018

Post by valis »

How to find and delete where Google knows you’ve been
https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494