OpSec Lounge (Security, Privacy, etc.)

Valentine

Kingfisher
Gold Member
A few years back you provided some detailed information on the decentralised (or lack of nature) of a class of application. It may have been messaging devices.

Have you researched Element to be able to give a similar assessment?

I've used it a lot and researched its background, yes. Element is a Discord-like chat app built on Matrix, a decentralised protocol for messaging. It's come a long way and I'd say it's now at a stage where it's a usable replacement for apps like WhatsApp and Discord, but it's just not as private as Signal currently as it comparatively lacks Sealed Sender, Private Contact Discovery, Secure Value Recovery, Private Giphy usage, etc.

However it's better than Signal for communication with people who you don't want knowing your number (although Signal are working on removing the phone number sharing requirement), for managing large groups (they have Spaces for grouping multiple chats together i.e. Discord Servers equivalent) and if you can't tolerate using a centralised platform.
 

TheFinalEpic

Pelican
Gold Member
There have been some interesting developments in the Signal world - namely with payments in app, as well as the fact that they seem to be burning cash now that the adoption doubled overnight from the WhatsApp exodus.

However, it seems Signal is going in the wrong direction:

1. The Signal repository hadn't been updated in nearly a year, and is no longer open source

2. Signal has introduced an in-app payment system - and it's unclear as to who owns what amount of the currency.
https://www.wired.com/story/signal-mobilecoin-payments-messaging-cryptocurrency/

It appears that the Matrix protocol is now the gold standard and what most privacy advocates are pushing as of late.
 

Valentine

Kingfisher
Gold Member
  1. The server repo hadn't been updated in a year due to implementing the cryptocurrency payment system, it was however updated at the same time as the MobileCoin integration got released and now is being updated regularly again.
  2. Other popular chat apps like WhatsApp and WeChat have an in-app payment system, so making a private version of this makes sense to me. I like that they're encouraging the shift to decentralised tech, and I'm especially a fan of blockchain projects. I believe the creators own the majority of the coin, like many cryptocurrencies especially token projects. I'm not especially concerned about accusations that Moxie owns lots of MobileCoin because I don't imagine it remaining the only coin available for payments, it doesn't have to be used as a store of value, and you can simply choose to ignore the payments feature entirely. Until Matrix replicates Signal's privacy features then for me it's not a good enough alternative yet, but I do think it'll be the better app in the long run.
 

Coja Petrus Uscan

Hummingbird
Gold Member
If anyone is skilled in the area of producing browser plugins, an idea -

Archive.is appears to be able to pull out fake news articles without having to pay for them, or go on their site:

e.g. you can read Paul Krugman's latest soon-to-be-proven-horrendously-wrong-opinions on Creppy Joe radical modesty - https://archive.is/kXcE3

Concept: a browser navigates to a fake news site, such as CNN, instead it redirects to archive.is, to either pull out an already archived copy, or save one.
 

Valentine

Kingfisher
Gold Member
There are extensions that can redirect you to an archive page in one click e.g. Web Archives.
 

budoslavic

Owl
Orthodox
Gold Member
TikTok just gave itself permission to collect biometric data on US users, including ‘faceprints and voiceprints’

A change to TikTok’s U.S. privacy policy on Wednesday introduced a new section that says the social video app “may collect biometric identifiers and biometric information” from its users’ content. This includes things like “faceprints and voiceprints,” the policy explained. Reached for comment, TikTok could not confirm what product developments necessitated the addition of biometric data to its list of disclosures about the information it automatically collects from users, but said it would ask for consent in the case such data collection practices began.

The biometric data collection details were introduced in the newly added section, “Image and Audio Information,” found under the heading of “Information we collect automatically” in the policy.

This is the part of TikTok’s Privacy Policy that lists the types of data the app gathers from users, which was already fairly extensive.

The first part of the new section explains that TikTok may collect information about the images and audio that are in users’ content, “such as identifying the objects and scenery that appear, the existence and location within an image of face and body features and attributes, the nature of the audio, and the text of the words spoken in your User Content.”

While that may sound creepy, other social networks do object recognition on images you upload to power accessibility features (like describing what’s in an Instagram photo, for example), as well as for ad targeting purposes. Identifying where a person and the scenery is can help with AR effects, while converting spoken words to text helps with features like TikTok’s automatic captions.

The policy also notes this part of the data collection is for enabling “special video effects, for content moderation, for demographic classification, for content and ad recommendations, and for other non-personally-identifying operations,” it says.

The more concerning part of the new section references a plan to collect biometric data.

It states:

We may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content. Where required by law, we will seek any required permissions from you prior to any such collection.

The statement itself is vague, as it doesn’t specify whether it’s considering federal law, states laws, or both. It also doesn’t explain, as the other part did, why TikTok needs this data. It doesn’t define the terms “faceprints” or “voiceprints.” Nor does it explain how it would go about seeking the “required permissions” from users, or if it would look to either state or federal laws to guide that process of gaining consent.

That’s important because as it stands today, only a handful of U.S. states have biometric privacy laws, including Illinois, Washington, California, Texas and New York. If TikTok only requested consent, “where required by law,” it could mean users in other states would not have to be informed about the data collection.

Reached for comment, a TikTok spokesperson could not offer more details on the company’s plans for biometric data collection or how it may tie in to either current or future products.

“As part of our ongoing commitment to transparency, we recently updated our Privacy Policy to provide more clarity on the information we may collect,” the spokesperson said.

The company also pointed us to an article about its approach to data security, TikTok’s latest Transparency Report and the recently launched privacy and security hub, which is aimed at helping people better understand their privacy choices on the app.

The biometric disclosure comes at a time when TikTok has been working to regain the trust of some U.S. users.

Under the Trump administration, the federal government attempted to ban TikTok from operating in the U.S. entirely, calling the app a national security threat because of its ownership by a Chinese company. TikTok fought back against the ban and went on record to state it only stores TikTok U.S. user data in its U.S. data centers and in Singapore.

It said it has never shared TikTok user data with the Chinese government nor censored content, despite being owned by Beijing-based ByteDance. And it said it would never do so, if asked.

Though the TikTok ban was initially stopped in the courts, the federal government appealed the rulings. But when President Biden took office, his administration put the appeal process on hold as it reviewed the actions taken by his predecessor. And although Biden has, as of today, signed an executive order to restrict U.S. investment in Chinese firms linked to surveillance, his administration’s position on TikTok remains unclear.

It is worth noting, however, that the new disclosure about biometric data collection follows a $92 million settlement in a class action lawsuit against TikTok, originally filed in May 2020, over the social media app’s violation of Illinois’ Biometric Information Privacy Act. The consolidated suit included more than 20 separate cases filed against TikTok over the platform’s collection and sharing of the personal and biometric information without user consent. Specifically, this involved the use of facial filter technology for special effects.

In that context, TikTok’s legal team may have wanted to quickly cover themselves from future lawsuits by adding a clause that permits the app to collect personal biometric data.

The disclosure, we should also point out, has only been added to the U.S. Privacy Policy, as other markets like the EU have stricter data protection and privacy laws.

The new section was part of a broader update to TikTok’s Privacy Policy, which included other changes both large and small, ranging from corrections of earlier typos to revamped or even entirely new sections. Most of these tweaks and changes could be easily explained, though — like new sections that clearly referenced TikTok’s e-commerce ambitions or adjustments aimed at addressing the implications of Apple’s App Tracking Transparency on targeted advertising.

In the grand scheme of things, TikTok still has plenty of data on its users, their content and their devices, even without biometric data.

For example, TikTok policy already stated it automatically collects information about users’ devices, including location data based on your SIM card and IP addresses and GPS, your use of TikTok itself and all the content you create or upload, the data you send in messages on its app, metadata from the content you upload, cookies, the app and file names on your device, battery state and even your keystroke patterns and rhythms, among other things.

This is in addition to the “Information you choose to provide,” which comes from when you register, contact TikTok or upload content. In that case, TikTok collects your registration info (username, age, language, etc.), profile info (name, photo, social media accounts), all your user-generated content on the platform, your phone and social network contacts, payment information, plus the text, images and video found in the device’s clipboard. (TikTok, as you may recall, got busted by Apple’s iOS 14 feature that alerted users to the fact that TikTok and other apps were accessing iOS clipboard content. Now, the policy says TikTok “may collect” clipboard data “with your permission.”)

 

budoslavic

Owl
Orthodox
Gold Member
Site description:
Techxodus Wiki functions mainly as an index that aims to provide alternative platforms and software to people looking to escape the clutches of big tech, while also improving their privacy and security online.

 

epps_1920

Sparrow
Thinking of buying a new router, my TP-LINK Deco Mesh uses Trend Micro for virus network scanning, don't like the feature at all, plus they added smart device/home automation capabilities to it, which I don't want. Thinking of a new one with DD-WRT pre-flashed, maybe through this site https://www.flashrouters.com/ - anyone dealt with them before?
 

Max Roscoe

Pelican
Orthodox Inquirer
Tiktok is probably just being honest about what every other "free" app is doing.
Instagram recently asked me to upload a video of myself to prove my identity to them !!!
(I have an account related to one of my hobbies, that is in no way related to me, my phone, my real name, etc--I guess this bothered them). No way in Hades that will ever happen, Zuckerberg. I will kiss my 10,000 followers goodbye if you persist.

I have some good tech advice. I have in the past run various live Linux distros, especially for accessing certain sites I don't want to be tracked to. I have used, among others, Backtrack, Tails, Kali, and now I can strongly recommend the best one by far, Kodachi.

It has built in DNSCrypt, Tor, and randomized VPN (I am currently in the Czech Republic according to my IP address; yesterday it was the Russian Federation). The background has a bunch of stats, showing your open ports, activity, a security rating from 0 to 100 depending on which services are in operation, the current price of bitcoin, etc.

What's more, it is completely run off a Live USB drive, which remembers nothing on each new boot instance. I have noticed other OSes, even Tails and the others I mentioned above, straying dangerously far from this idea. If you are in need of a security or privacy minded OS, try Kodachi. (I use Windows and Mac regularly; this is just for activities I wish to anonymize.)

Bonus: Google and Youtube treat you as a brand new user on a new machine who has never accessed their services before, and typically with the higher EU privacy standards. Regardless, they can only learn as much about me as can be gained in one browsing session, and then everything is lost when I power down.
 

Zanardi

Woodpecker
Orthodox
Is there any browser plugin that passes the “disable your adblocker” window, which does not let me browse a certain site?
 

Max Roscoe

Pelican
Orthodox Inquirer
One side effect I've noticed from running Kodachi: Some sites give the following warning (I am in USA):

Our European visitors are important to us.


This site is currently unavailable to visitors from the European Economic Area while we work to ensure your data is protected in accordance with applicable EU laws.

This just happened on some fox site. Thank you, Kodachi, for saving me. If a site can't even comply with the EU privacy laws, I certainly don't want to be visiting there at all.
 

Coja Petrus Uscan

Hummingbird
Gold Member
For anyone who is using the plugin PrivacyRedirect that redirects requests to YouTube to a proxy that will pull in the video, here is the list of currently working mirrors.

It has got bad of late, with most of the instances going down:

The list:

https://invidious.snopyta.org,https://invidious.kavin.rocks,https://yewtu.be,https://invidious.tube,https://invidious.silkky.cloud,https://invidious.fdn.fr,https://tube.incognet.io,https://invidious.namazso.eu,https://invidious.exonip.de,https://yt.cyberhost.uk,https://inv.riverside.rocks,https://invidious.moomoo.me,https://ytb.trom.tf,ytprivate.com

Go into the plugin options -> Advanced -> Invidious dropdown : there is a place to enter a list of comma separated instances


For those who are not:


The plugin also handles Nitter, which pulls in Twitter without you having to access Twitter servers. The working (and quick) list for that is:

https://bird.trom.tf,https://birdsite.xanny.family,https://nitter.1d4.us,https://nitter.42l.fr,https://nitter.actionsack.com,https://nitter.cattube.org,https://nitter.cyberhost.uk,https://nitter.dark.fail,https://nitter.database.red,https://nitter.domain.glass,https://nitter.eu,https://nitter.exonip.de,https://nitter.fdn.fr,https://nitter.hu,https://nitter.kavin.rocks,https://nitter.mailstation.de,https://nitter.mha.fi,https://nitter.moomoo.me,https://nitter.namazso.eu,https://nitter.nixnet.services,https://nitter.pussthecat.org,https://nitter.skrep.in,https://nitter.snopyta.org,https://nitter.unixfox.eu

Can be used with the same plugin.

With the fresh lists, it is quite speedy to use these services.
 