Thread

Yo nostr:npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka ! You got pinged. Love that you’re a hardcore meditator and someone’s tagging you with privacy/computer stuff. Multidimensional being you are. nostr:note10ghr23sc9anyptqga2uzhhtdn7p2ttzrpg87x9g6nkaazxc04tuqrq3346 Any thoughts?
2025-03-23 03:43:06 from 1 relay(s) 2 replies ↓

Replies (22)

Thank you. When you say "on privacy and security," what do you mean exactly? There are many really good books and resources.
If you want to learn how to disappear, more about OSINT, and general overall high-quality OPSEC with all the details from recommended burner/travel/main devices and essential apps to Faraday bags, hardening your home network etc., then I recommend Michael Bazzell's IntelTechniques books. They are a little pricey for the set, but well worth it, and are frequently updated. I have gotten much use from his training and books. https://inteltechniques.com/
Here's his bio:
About the author
Michael Bazzell investigated computer crimes on behalf of the government for over 20 years. During the majority of that time, he was assigned to the FBI's Cyber Crimes Task Force where he focused on various online investigations and open source intelligence (OSINT) collection. As an investigator and sworn federal officer through the U.S. Marshals Service, he was involved in numerous major criminal investigations including online child solicitation, child abduction, kidnapping, cold-case homicide, terrorist threats, and advanced computer intrusions. He has trained thousands of individuals in the use of his investigative techniques and privacy control strategies. After leaving government work, he served as the technical advisor for the first season of the television hacker drama Mr. Robot. His books Open Source Intelligence Techniques and Extreme Privacy are used by several government agencies as training manuals for intelligence gathering and privacy hardening. He now hosts the weekly Privacy, Security, and OSINT Show, and assists individual clients in achieving ultimate privacy, both proactively and as a response to an undesired situation. Details about his company's services can be found online at IntelTechniques.com.
I have many others I could recommend, but if you could only choose one set to give you a solid grasp on the basics, this would be it.
I also recommend regularly checking out: https://www.privacyguides.org/en/ They have a wonderful "tools" section that is updated frequently.
I recommend you also read up on hacking and hackers, and study some on pen-testing to better understand the mindset of an attacker—whether it be social engineering or hardware/software. The most vulnerable point of failure in any system is humans. To that, I would say, check out Kevin Mitnick's books. Start with "Ghost in the Wires." No Starch Press has some wonderful books on hacking. "Linux Basics for Hackers" is a good starting point. Then there are others like "Black Hat Python".
It really depends on what your threat model is. The more privacy you want/need, and in what areas, will determine how far down the rabbit hole you need to go. If you try to be the most hardcore in areas where it's not really necessary or needed, it is common for people to burn out.
Here is a great short introductory video from Henry at TechLore to help you better understand threat models, the difference between privacy, security, and anonymity, how they impact time and convenience, and hopefully help you to identify yours. https://youtu.be/DHZRhboZhfI
The TechLore forum is also a good resource: https://discuss.techlore.tech/
Another suggestion is to get into the scene, read articles on eff.org etc. and learn from others. Get into matrix rooms on privacy apps, and learn from the community. I could keep going, but just off the top of my head, this should be helpful to get you started.
2025-03-23 04:34:03 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
That will get me started! Thank you so much for your time Ava. What am I looking for? Just the basics so far. I have ‘nothing to hide’, but am becoming more conscious that individuals need to stand up and push back against privacy/data invasion. Anonymity: I just started using a VPN on my computer (but for example not here on my iPad). Why is a VPN helpful? I kinda know but then again, do I? I’m just looking for the basic beginner understanding what is online and digital privacy/anonymity/security. What you posted is a great start. Thank you so much!
2025-03-23 12:51:09 from 1 relay(s) ↑ Parent 2 replies ↓ Reply
I used to post a lot more about privacy and security, but it tends to attract a lot of paranoid people—many of whom probably have mental issues, and probably shouldn't be on the internet if they actually have the threat model they think they have. Many of them seem to have a penchant for attacking other privacy tech and users of that tech for not being completely anonymous. I still post about it, just not as much as I used to because I want to keep things in their proper perspective, and the scene can be quite toxic to interact with on the regular—especially on platforms and protocols one doesn't have the ability to moderate.
For example: Just mentioning that you use GrapheneOS (because they use Pixels) or Proton and not Mullvad, etc. is enough to get you called a spook or worse in some circles. I once got harassed daily for promoting GrapheneOS by some anon who thought everyone should use LineageOS. This went on for months. I used GrapheneOS for years, now I am back on Google OS for Android as my daily driver. I know my threat model and I practice privacy and security through isolation and compartmentalization, but this alone has been enough for people to throw ad hominem attacks my way.
Know your threat model in the various areas of your life—both online and off, and act accordingly. Don't let perfect be the enemy of good. Don't let paranoid nyms online deter you from practicing threat-model-appropriate OPSEC for YOUR unique situation. Not everyone needs to act like Edward Snowden when he was on the lam with gov secrets. Even he says he's not as hardcore as he used to be because he's in a different place in his life. Lots of privacy advocates will try to tell you that you have one threat model: MOST EXTREME. That is not the correct approach, and as I said in the post, you will burn out.
A trusted no-logs VPN (Proton/Mullvad) is great for privacy, but it will not keep you anonymous; Tor is better for anonymity.
Both will be a pain with financial services. I used to keep my VPN on ALWAYS, and it was more of a pain than it was worth trying to do legitimate business online. I mean, even some private torrent sites disallow VPN use, so they can keep users from abusing their services.
One very valid use case for a VPN is that clearnet Nostr relays have access to your IP address, and some of them are maliciously scraping user data. If you use a VPN or something like Orbot/Tor on mobile that comes with Amethyst, then relays will not have access to your IP. Another is that if you are using Chrome, then all of your Internet searches are tracked by Google. If you use a VPN, but you are logged into Gmail, a VPN will be of little use. If you use a VPN and are not logged in, then your activity will be more private when it comes to Google.
Just know that the VPN you use will have access to your IP and must comply with local gov law. They will hand over any data they have if the gov demands they do so. They will not risk going to jail over a $5 a month service. This is why using a no-logs VPN is so important—but you have to trust that they are actually not logging. A quality VPN is one that reduces the amount of data they have access to, so if the powers that be force them to hand it over, they have nothing to hand over.
Proton has handed over user data in the past, but that is because the user added a "backup email" to their user account. This information IS visible to Proton (so they can help restore compromised access to accounts) and therefore they will have to hand it over in the event of a gov subpoena. The user did not follow proper OPSEC and did not follow Proton's explicit warnings about adding a backup email. No privacy tool or service can prevent users from shooting themselves in the foot with bad OPSEC.
Definitely check out the TechLore video and the other links I posted.
Bazzell's books and training are technical in nature and will give you step-by-step instructions to get things set up. Check them out when you are ready.
I recommend using a browser like LibreWolf or Brave that is not Google. They both have protections against browser fingerprinting (look this up), and Brave has a built-in site tracker blocker. Use Tor browser where you need/want more anonymity. Use offline conversations wherever possible for the most sensitive conversations.
Bitcoin is not private, Lightning is better, but it can also be traced. Monero is more anonymous.
Use a quality VPN like Proton or Mullvad when you don't want sites or relays to have access to your IP or browsing habits.
Host your own cloud to store your photos and data—a Synology NAS is a good starting point (Synology is not open source, but they are good for beginners) or use Proton Drive since it has E2EE.
Use a password manager. A cloud-based service like Proton Pass or Bitwarden is great for most people—much safer than reusing memorable passwords. For use cases where cloud-based is not trusted, use KeePass (preferably on an air-gapped device or VM).
Use a private messenger for sensitive conversations like Signal or SimpleX. Go for services that use E2EE wherever possible (just note that all encryption is not created equal).
Be mindful of the websites you visit. Be mindful of the mobile keyboards you use—some of them "phone home." Turning off Gboard access to the Internet is a good practice to keep it from phoning home, but it will limit functionality. You make the call based on your threat model.
Windows and Mac collect a lot of user data; look into Linux, just know that Linux is not as secure out of the box—but you can harden it. QubesOS is way more private and secure, but it is not as user-friendly. Use Tails on a USB when you need an OS that you can plug in and burn—maybe with a hidden volume to hide things with plausible deniability etc. (it's not meant for daily driving).
Look into a hardware firewall for your home network like a Protectli; both Bazzell and Brockwell (below) have guides on setting it up. Use a private DNS service like OpenDNS or Control D; don't trust Google DNS. Study social engineering, etc...
Again, I could go on, but I don't want to overwhelm you. Once you get the concept of OPSEC down, you will be able to make these judgement calls for yourself and your situation based on your threat model.
Another good channel for the basics is: https://m.youtube.com/@NaomiBrockwellTV
Best wishes to you on your journey.
2025-03-23 21:42:09 from 1 relay(s) ↑ Parent 8 replies ↓ Reply
Agree. My biggest aha moment was listening to an Opt Out podcast episode that talked about keeping a check on your threat model, mostly from a mental health standpoint. You only have to browse the Graphene forums for a few mins to realize that so many folks are taking INSANE steps in the name of privacy, and probably making their tech lives absolute hell!
2025-03-23 22:26:58 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
Well said. There’s a fine line between “I like privacy” and “My neighbors are CIA spooks and using the microwaves to cook my balls through the apartment walls because I discovered the truth on 4chan and am now just like Jason Bourne”
2025-03-24 12:05:34 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
I use Chrome as my daily driver because it establishes an electronic footprint just like every other pleb on the internet. I just blend in with the herd, and when I want to communicate securely, then I use a different system for that purpose.
2025-03-24 16:35:37 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
I am a big proponent of most people having a front-facing identity online. Nowadays, it is often more suspicious if you don't have one. Privacy and security through isolation and compartmentalization is a very effective OPSEC strategy.
2025-03-24 19:13:36 from 1 relay(s) ↑ Parent Reply
I think you're probably right. And even though it's hard to stay completely offline these days, definitely making your footprint smaller is a good idea (aka not signing up for every service under the sun)
2025-03-25 22:07:55 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
Maybe late. But I hope I can add some short post here for easy privacy steps:
1. VPN (great to hide your real IP)
2. When just starting, maybe switch to Brave browser (great privacy by default, and ad blocker and tracking blocker active by default)
3. Switch to a privacy-focused web search (search.brave.com was the best for me until now); when you really love Google, startpage.com offers Google search with privacy.
I think these three steps are real no-brainers, which are set up once and life goes on in just the same rhythm with a little more privacy. Therefore I would consider those (even without VPN, since VPN you already have to set up) steps the first to start a privacy journey.
And a short take on "nothing to hide". Privacy is not about hiding stuff. It is rather about having control of what information you want to show of yourself. When you decide to have the door to the toilet open while downloading, this is your decision. But what Google and Facebook do is they let you decide if you want the door to be open or not. But they already installed cameras within the toilet so they can see your actions independent from the door. Privacy-focused tools empower you to decide what others can see.
2025-03-30 18:02:18 from 1 relay(s) ↑ Parent Reply