Read the latest posts from write.privacytools.io.

from Privacy Simplified

Security is the Basis of Privacy

According to wikipedia:

“Security is freedom from, or resilience against, potential harm (or other unwanted coercive change) caused by others.”
“Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.”

So what are the differences? Which is more important? And why how are they related?

Well a high security mansion with the latest systems would be very secure, but it would not be very private, while a shack in the woods in the middle of no-where may not be very secure, it is very private.

Bracack Obama once said “You can't have 100% privacy and 100% security at the same time.”. Now while I'd love to disagree this is probably quite accurate. You are (on the whole) more secure as a group of people than on your own, and by being with other people you are less private than you are on own.

Finding the gap between privacy and security can be hard, and so I am going to try to make it a bit easier.

Encrypt everything. Never visit a page that is unencrypted (i.e. does not have https), it would be a good idea to install HTTPS Everywhere. Make sure all you files are encrypted using a reliable encryption software. Make sure all communications are end to end encrypted by using an reliable encrypted messenger. Not only is encryption good practice for privacy it is also good for security.

Make a conscious effort to replace your everyday online services with open source alternatives. However just because something is open source this does not always mean it is more secure. Rather it means you are (probably) relying on other people (this could be literally anyone) to have checked the code. This may sound bad but its better than relying on a few developers from a huge company not known for privacy. If you are struggling to find alternatives use one of these tools.

It is also important when choosing hardware to look at the security chips etc... The Google Pixel 3a has the Titan M security chip, and if you installed GrapheneOS then it would also become very privacy respecting.

At the end of the day, privacy and security are equally important as they pretty much go hand in hand. However the challenge is to find the right balance.


from WorldWideWebWizard

Secure Online Shopping

In an ever-growing world of eCommerce, there is an ever-growing threat of malicious people looking to stealing your information, and using your financial data for their means. Today I will be discussing about the many methods of keeping your data safe against these malicious people.

  1. Avoid Emails: Although emails are a way for businesses to promote deals, and exclusive merchandise, phishers will use target your inbox, attempting to pose as a business. Therefore its best to avoid looking in your inbox, this will prevent one vector of having of having your financial information stolen.

  2. Don't answer unknown calls: Companies normally don't call you, so you can be certain its a phishing attempt. Avoid calls and SMS text from unknown numbers at all costs.

  3. Use websites with good encryption: A website that has a good content security policy is always recommended. HTTPS-Strict-Transport-Security, ensures that your browser connects through HTTPS only by default.

  4. Install HTTPS Everywhere: HTTPS Everywhere is an extension for Chromium and Firefox. The extension forces encrypted connections with websites that are known to support it. I recommend using the default settings.

  5. Use an Ad-Blocker: Ads can pose a problem by tracking your visits and some are malicious, by installing malware without having to interact with the advertisement at all. I recommend Ublock Origin, which is light on resources and is very effective.

  6. Avoid phishing sites: Some sites attempt to look like a legitimate version of a website, look at the URL address, check to see if their is anything different compared to the real address. Also, don't click on advertised search results, these results are a prime vector for abuse.

  7. Use Private Browsing Mode/Incognito Mode: When using private browsing mode, your cookies, history, and session won't be saved, this is an effective way at preventing access to your account, since your login sessions won't be saved.

  8. Look over your shoulder frequently: Shoulder surfing is when a person looks over your shoulder to get information, counter this by looking over your shoulder at a frequent rate.

That's all for now, use these practices, and you will have a much safer shopping experience, thanks for reading!


from it's all personal

A nota mental é a seguinte: eu tenho um conto e preciso terminá-lo. É sobre as “coisas da vida”, mas um verdadeiro escritor não tem a necessidade de explicar as coisas que escreve, certo? As histórias apenas saem da cabeça, formam palavras, organizam-se em parágrafos, ideias, blocos de capítulos até se tornarem um monumento completo. Mas posso dizer que sempre quis escrever um texto cujo personagem principal se chamasse Tomas. A vida é difícil para ele. Principalmente quando se trata do coração. Vive na bolha virtual criada por ele próprio — e quando essa bolha estoura, fica perdido. Ele vai em um encontro e descobre o último amor.

Leia mais...

from tari-alfaro

It's imperative that we protect credentials with great care, such as properly hashing the low entropy secrets with algorithms like Argon2 or Scrypt.

Multiple factors of authentication is important to protecting accounts. Such as having knowledge of a secret and in possession of something.

Despite properly implementing cryptography and management of credentials, there are still issues such as malicious third-parties attempting to gain access to accounts. And it's hard stopping that all together.

Just use CAPTCHAs! Hold your thought on that.

Usually it's still possible to attack a lot of services by trying well known “secrets” against a bunch of accounts. Some services attempt to prevent this with CAPTCHAs(official site).

One thing I've noticed is that CAPTCHAs are either accessible or sufficiently resistant to automated actions. Often it's not both. Sometimes it's neither! Even though I don't have any disabilities, I still have a hard time completing them.

Google's reCAPTCHA a lot of the time doesn't like Tor network activity often rejecting valid CAPTCHA answers due to “possible automated queries”. Usually the solution I found is to switch up the exit node. It's an issue with popular proxies and VPNs, not just Tor users. More information here.

Unfortunately I don't know of any decent free open-source privacy respecting alternatives to Google's CAPTCHAs.

So CAPTCHAs may not be the best choice.

My solution.

The foreign account.

For each set of credentials that is stored, there is also a unique foreign account associated with it, this could be a email, XMPP or phone number that the authentic individual is in possession of.

The data.

There has to be some sort of data sent to the foreign account to prove they have access to it. The data MUST be ephemeral and random. This could be a software token attached to a link where a few authentication attempts are permitted. Or a secret(e.g: 8 digit code) that can easily be typed in.

To securely store the data, and verify the foreign account access data, it must be hashed properly. Generally the secret is low entropy, so we should store it with Argon2 or Scrypt.

However if the data comes from a CSPRNG output with >= 128 bits of entropy, we use an easy to compute hashing function. Take the BLAKE2 hashing algorithm for example.

For defense in depth or as an alternative strategy: Use asymmetric cryptography to ensure only the authentic individual may access the data. This could be sent to the associated foreign account or given right away.

Example secret(easy to type in):

8 1 7 1 5 9 4 6

Example link(far less guessable):


The locking mechanism.

Now that there are two very important pieces to the puzzle gathered, that being the foreign account and the data. We have one final piece to gather.

What are we going to do with those two pieces? They can be used as a form of two-factor authentication.

By definition “locking” means to apply that 2FA. Of course we could constantly apply it(preventing nearly all malicious authentication attempts), however ... we can try to make educated guesses to only apply the 2FA when it's possible there is an attack on the account.

Which means it's possible to make the accounts a lot more secure while retaining usability.

What do we lock, when and for how long?

We can lock an IP that attempted to authenticate and failed a certain number of times within a certain time period. If we lock an IP, it's global. Meaning that IP is not allowed to attempt to authenticate on any accounts without verifying foreign account access. This goes for whitelisted IPs as well.

There is one other way to handle IPs. Each account could have whitelisted IPs that avoid the lock(only if the whitelisted IPs aren't locked), while any unrecognized IPs are automatically required to go through lock, even if the IPs themselves aren't locked. This could provide some better security while still retaining some usability.

Another method is locking by account. If a certain number of authentication attempts fail within a certain time period, it'll be locked. Meaning no IPs may attempt to authenticate on this account. That includes whitelisted IPs.

The only effective way of defending against attacks is to use both methods. Locking by IP and account, preferably with the same allowed authentication fail attempts before locking.

We can't completely rely on the first method because most experienced attackers know that they can just switch up their IP with a proxy.

We also can't completely rely on the second method because one IP could just attack all of the accounts. Instead we use both methods to prevent both issues.

However it's better to only have the second method than to only have the first. And it's best to have both.

  1. If an account is allowed 3 failed attempts within 24 hours, and an IP is allowed 6 failed attempts within 24 hours ... they can use one IP to attack two accounts.

  2. If an account is allowed 6 invalid authentication attempts within 24 hours, and an IP is allowed 3 failed attempts within 24 hours, we can use two IPs to attack one account. This can be worse than 1) because more attempts are available to each account.

For how long the account or IP is locked could fixed, incremental(depending on how many times it was previously locked), or randomized.

There are a few other things to take into consideration. You could make accurate educated guesses by determining how many requests there are to authenticate with which IP, and which account. Monitor and automatically lock all accounts for a certain period of time if you're 99% sure there is a possible attack on a bunch of accounts and warn the users that there is probably an attack that was prevented.

It's one area I'm still exploring, how to accurately determine whether there are attacks ongoing. (Although from my understanding it's extremely hard, it would require a lot of math, possibly even an AI.)

This was my alternative for authentication forms. This isn't meant to replace CAPTCHAs, it's meant to avoid them as much as possible and provide a more secure and accessible solution when authenticating.

The most secure solution is to always apply the 2FA, use asymmetric cryptography and a high entropy piece of data, such as the software token attached to a link. But this is too inconvenient for average users.

Take note that if you're not already logged into your email assuming that's what you use for the foreign account, then the email service could require CAPTCHAs during the sign in process.

If you have any questions or you'd like to discuss anything, contact me via email, Mastodon, the forum, DEV.to or XMPP.


from aisyk's thinking

Article publié le 23 janvier 2007

En allant me promener dans un magasin, je suis tombé par hasard sur ce produit : http://www.amazon.fr/Charango-cl%C3%A9-USB-512-Mo/dp/B000IFRXAC

Une clé USB de 512Mo, avec afficheur numérique, écouteurs... compatibilité annoncée : Windows, Mac, Linux 2.4 (!). Les fichiers sont “transférables et copiables” et la durée de vie estimée à 10 ans avec une limite d'heures (je ne m'en souviens plus). Des albums sur clé USB avec des morceaux librement copiables ? Ceci pour linux, windows et mac ? Tout ceci sur des baladeurs “sony-bmg”, “universal”...

Les choses seraient-elles en train de changer ? Les artistes présents sont ceux qui vendent pas mal, par exemple, on peut citer Mickael Jackson (best of), Lorie, Laurent Voulzy, Yannick Noah, Jamiroquai... Bref que des pointures des charts des majors. Ces clés sont vendues entre 25 et 33 euros, ce qui nous donne grâce à notre comparateur de prix...

Un baladeur entre 15 et 19 euros (en enlevant la tva et autres marges supposées), et un album d'artiste entre 5 et 10 euros... Les majors baissent leurs prix !!! Oh joie ! Maintenant reste à savoir si ce genre d'opérations marketing va se poursuivre sur d'autres supports, même si je vois mal les gens s'emmerder avec 15 clés usb (qui ne se rangent pas comme des disques) pour 15 albums. Dans tous les cas que peuvent répondre les artistes indépendants, les semi-pros qui n'ont forcément pas les mêmes moyens pour baisser les prix ? Le “marché” du disque change, des opérations sont tentées, dans quel but ? Se faire encore plus d'argent sur le dos des consommateurs, ou tout simplement montrer à ses actionnaires que l'entreprise “réagit”, “entreprends”,“innove”, se “modernise”...

Je crois qu'avec ces clés, les artistes vont toucher encore moins d'argent qu'avec le “revenue share” de Jamendo...

En savoir plus...

from WorldWideWebWizard

Apple Is Not Your Friend

Recently, Apple has been putting out many commercials with the slogan “privacy, that's iPhone”. While Apple can say they're for privacy, you really can't trust that they really are. You also can't rely that Apple cares about your freedom. I'm here to explain why.

First off MacOS and iOS are both proprietary/closed-source systems. Apple doesn't want you to view the source code of their software. This affects privacy, because if you can't view the source code, then you can't determine what Apple is really doing behind the scenes is good or bad. Another reason is, you are already making connections to services such as iCloud, and since these services are proprietary, you can't trust Apple to handle your data.

Apple also doesn't respect your freedom, Apple has does this by embracing DRM. DRM stands for Digital Rights Management, DRM restricts your ability to use your product, how you like, wherever, whenever. Apple forces people to use their store on iOS for security reasons. Except, this isn't security, this is really control. Apple has put themselves as the gatekeeper of your system, they want you to use it how they want you to use it. Apple also solders their ram in the latest MacBooks, this is not okay. The consumer has the right to make a decision regarding their product. It isn't Apple's choice of how I upgrade my system.

If Apple wants to be respected, here is what they need to do.

  1. Let the user upgrade their hardware from other vendors without penalty

  2. Let the user review the source code

  3. Let the user install from other software sources on iOS

  4. Stop using DRM through iTunes

  5. Give better freedom towards experimenting with their system

Sources: https://gizmodo.com/apples-war-on-upgrades-continues-with-the-new-touch-bar-1789002979, https://www.defectivebydesign.org/apple


from hook

People sometimes claim that they have control over their content after they have published it, this provides a false sense of privacy. The only way to ensure that something isn't redistributed is by not publishing it. With the recent rise in popularity in federated software, it's even more important to make sure that users understand that deleting content is only done as a best effort attempt. Mastodon (and most other software in the fediverse) seems to give users the impression that they're able to delete their posts from the entire fediverse, what actually happens is a request is sent to other instances in the fediverse asking them to delete it from their servers, they're not forced to.

Something else people oftentimes claim is that you can keep content private by asking crawlers to not touch certain pages through the robots.txt standard. This is oftentimes portrayed as “banning” crawlers from your site, this couldn't be further from the truth. It's essentially politely requesting that the crawler not go to those pages.

What I hear when people say they want to be able to control their publicly published content is that they want what would essentially be DRM for social media, which would be ineffective, just like any form of DRM.

By posting something publicly, you need to acknowledge that there's a chance it may be crawled, archived, or indexed. Not acknowledging this will lead to you being disappointed when you find out that you can't delete your content off of the internet completely. If you don't want your content to be redistributed, you should think twice about publishing it. Anyone claiming that there's a good way to control the distribution of content after it has been published is misinformed.

In order to improve people's privacy, we need to focus on educating them about the importance of being cautious about what you post publicly online.

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.


from Privacy Simplified

Privacy by Compartmentalisation

According to wikipedia:

“Compartmentalisation is the limiting of access to information to persons or other entities on a need-to-know basis to perform certain tasks.”

It was originally used by the Greeks to keep the secret of Greek fire, but now it is used by people all around the world for lots of different reasons.

I like to think of it as a floor of a house. You have different rooms for different purposes, and you don't mix things up. For example, you wouldn't sleep in the kitchen, nor would you cook in the bedroom. This is a good attitude to have when it comes to privacy.

The simplest way to do compartmentalisation is by having 3 parts:

  1. Professional
  2. Personal
  3. Other

Let's start with professional. This should contain your work email, all of your files/documents (preferably on Libre Office), potentially your LinkedIn etc...

The best browser for all your needs will probably be FireFox with these add-ons:

Be careful when adding extra add-ons. Always make sure its open source and that it actually respects your privacy.
This is a collection of privacy-related about:config tweaks that will enhance the privacy of your Firefox browser. Enter “about:config” in the FireFox address bar and press enter. Press the button “I'll be careful, I promise!” Then follow the instructions and hey presto! The last thing you need to do is choose a search engine, I'd recommend SearX.

Next we are going to want a browser for personal stuff, like emailing friends and family or watching YouTube. For this we are going to use Brave . While it is based on Chromium, it has built in “shields” which are a combination of “Ad Control', “Cookie Control”, “Fingerprinting protection”, HTTPS Everywhere and Script blocking. Another thing to note is that its open source, which is a must have. I would advise setting your default browser to startpage.

Brave requires very little set up, however if you want some extra privacy there is a tutorial on it here (it starts at around 1:34) There is also a list of all the config tweaks you can make here in the Brave section. This is pretty much it for your personal section.

Brave also has an interesting ad feature which allows you to earn BAT. If you are interested in this then there are ways that you can earn BAT just by downloading the browser.

Finally we have other. This is for anything else that doesn't fit into one of the other categories. The best browser for this is Tor. Before installing Tor their are a few things you need to know. Never log in to anything on Tor. I'd watch this video. For search engine I'd use DuckDuckGo. If you want more info on Tor then this article will help!

But what Operating System should I use?

You should use Qubes. Its endorsed by Ed Snowden the NSA whistleblower and is focused on compartmentalisation. They even have a sub-reddit devoted to helping you set it up! And if you are wondering what operating systems to run in your Qubes I'd use debian for your professional and personal and have tails or whonix for other.

You may be thinking that this all sounds rather complicated, but after a while, like everything, it gets easier. If you are stuck there are lots of great tutorials and sub-reddits on the matter, so don't feel you have to suffer in silence.


from My thoughts on security.

When I explained the myths surrounding Tor in my last post, I realized that in addition to outright myths about the protocol, inaccurate suggestions about how to use Tor properly are everywhere. This often includes worrying advice on connecting to Tor via VPN services, proxies, or other anonymity systems. So in this part of the “Slicing onions” series, I will attempt to clarify why you should not combine Tor with such networks and techniques and highlight the negative consequences if you do.

How This Technology Works

To help illustrate why combining Tor with other services is sub-optimal, here’s a recap of how Tor, VPNs and proxies work. Those who read the first blog in the series or are familiar with the protocols may skip this.

Tor Tor works by sending your traffic though a network of voluntarily run nodes (also called “servers” and “relays”) that bounce your traffic around three random nodes spread across the planet before reaching its final destination, a website for example. See below for a simple visualization:

To protect your traffic, Tor will encrypt your packets three times. Each node only has the key to remove its own layer. Once a node removes its encryption layer, it will be able to see which node the packets should go to next, and this continues until your traffic is decrypted at the last node, which forwards it to its final destination. The exact reverse process happens for return traffic, as shown in the graphic below:

So what do we learn from this? Well we learn that Tor allows us to connect to a website without any single party knowing the entire path. The first node knows who you are, but not where you are going; the second node doesn’t know who you are OR where you are going; and the last node knows where you are going, but not who you are. Because the last node makes the connection, the destination website will never know who you are (the IP address of the originating device).

Proxies A proxy is a server that acts as an intermediary for requests from your device to other devices or services (websites etc.). An anonymous proxy will not forward your email address to the destination site, so it can protect your privacy. It will always be possible for the proxy owner to know both where you connect from (your IP) and what you connect to (the destination website/server). Proxies do not necessarily protect your traffic with SSL/TLS encryption so unless you connect to the destination via HTTPS they can see your content too.

This shows a simple proxy server without encryption:

VPN Services Strictly a VPN (Virtual Private Network) is the extension of a private network across a public one. The best example of this is connecting to a corporate network over the internet to access applications and files at your workplace. VPNs are encrypted to protect the content in the private network from being accessible outside of the VPN.

VPN services that we may use as consumers are a little different. These are really just groups of encrypted proxies that we can pick from instead of connecting directly to destination sites. This hides your IP from the destination site as described above, and the encryption hides your content and destination from your local network and ISP (anything between your device and your VPN provider’s server).

VPNs suffer from the same weakness as proxy servers, in that the VPN provider will always know your IP and destination and HTTPS is still required to hide your content from them.

Here is a VPN server in action, note the connection from you to the VPN server is encrypted, but not the connection from there to the destination:

The Issue With Centralized Trust

Now that we understand how these technologies work I will explain why the last two are problematic in the context of anonymity. With VPNs and proxies, the entire path is known to the provider of the service. Therefore, your anonymity is only as strong as the providers promise.

Imagine letting someone you don’t know put a gun against your head and being fine with it, because for $5 a month they will promise not to pull the trigger. That would be crazy now wouldn’t it? What if someone else offers them $500 to break their promise? $5000? $5000000?

With Tor, the entire path will never be known, and the user will be safe; trust is distributed across all the nodes you use. It’s like giving one person the gun, another the bullet, letting the third hold a rubber chicken to your head, and not paying any of them any money!

Another benefit of Tor is that with more then 6000+ nodes spread across the globe, watching all traffic going in, and all traffic going out, is much harder and more expensive than watching the servers of a VPN provider (most have tens or low hundreds). If your threat model includes capable adversaries working to de-anonymize you, Tor will make that much less likely.

Why 3 is better than 1

Now that you understand the issue you should start to see why a VPN is not an option for anonymity. It can make tracking harder, but you still have to trust one single party. With Tor, you don’t need to trust any single party. So lets spell out the pros and cons:

  1. Tor Pros: Hides your IP address; encrypts traffic, preventing local network or ISP snooping; and when using Tor browser, intelligently separates streams to avoid traffic correlation; free to use, which is a double benefit as it leaves no financial trail; easy to use with a simply app on Android or any desktop OS; most censorship can be evaded using bridges; fast enough to watch 720p and sometimes 1080p videos (nowadays!). Cons: Speed is often slower than a single hop VPN as depends upon all 3 nodes in your current circuit and is probably not going to play 4k video; some services block Tor nodes in a misguided attempt to deny access to bad actors, refreshing your circuit may find an unblocked node; exit nodes could snoop http traffic; torrenting will be slow and is strongly discouraged as it hurts Tor and breaks anonymity; no udp support (Signal requires this for VoIP calls).

  2. VPN services Pros: Generally fast and low latency; most are easy to use with apps for any OS; hides your IP address and encrypts traffic to the VPN server, preventing local network or ISP snooping; usually fast enough to watch high res 4k videos; torrents will work; UDP is possible. Cons: Absolute trust placed in a single point of failure. Your VPN provider can see who you are and where you are going, and when not using HTTPS, the content of your traffic; leaves a money trail unless paid for with cash or cryptocurrency; provider sees your real IP address and could be pressured in cooperation by the local government to hand over data; VPN server can be hacked to retrieve all data; anonymity depends on policies and the security of a single server.

Why 2 is not better than 1

The worst piece of advice I commonly see is to use both Tor and a VPN. Tor is not intended to be run with VPN or in combination with other services. I absolutely do not recommend you to ever run Tor with a VPN. By doing so you essentially create either a permanent entry or exit node, which often also has a money trail. You also create more attack surface for near zero theoretical benefit. The two commonly proposed configurations are:

Tor over VPN. Here a user will first connect to the VPN server, and then connect to Tor. The most common rationale behind this setup is to hide Tor usage from an ISP or circumvent censorship of the Tor network. This is unnecessary as you can hide Tor usage and circumvent censorship by using bridges. You can either use the bridges that are included in Tor Browser for this, or request other bridges from in any of the ways described here. A bonus of bridges is that they don’t leave a money trail, which VPNs often do. The last blog explained that even if you were to end up on a watch list, it would be a uselessly large list as Tor has more then 2 million daily users. It strikes me as very naive to imagine that someone powerful enough to trace you over the Tor network will be stopped by a $5 a month VPN service.

VPN over Tor. Here a user will first establish a connection to the Tor network before connecting to the VPN service. The purpose of this is to reach services that are blocking Tor nodes. This setup may succeed in making access to such services easier, but it is terrible for anonymity for two reasons: VPN providers often know you from the money trail; and Tor splits all data streams across different circuits to prevent correlation of traffic as a means to de-anonymize users, but all of your traffic will come from the VPN provider’s IP, making correlation a LOT easier.


As you can see, in the vast majority cases where a VPN could be used, Tor would easily suffice. Not only is it free to use, it actually allows you to browse anonymously. This is impossible with a VPN service by design. A VPN is privacy by policy, Tor is privacy by design. This isn’t to say VPNs are completely useless; they do protect your IP address from the websites you visit; protect you from local network adversaries; and they also allow you to watch 4k footage.

Generally, you should be using Tor if anonymity and privacy are your goals, or indeed if you just want to help improve the availability of anonymity to others who need it and make mass surveillance harder. There is more to consider though: your IP address is just one of the many ways you can be tracked. Another threat comes in the form of browser fingerprinting, which is the topic of my next blog post: [Slicing onions: part 3 – Don't leave your fingerprint!]()

If you have feedback on this article, or would like to debate the topic with me, then you can reach me in any of the ways listed on my About page


from Freddy's Blog

A Brief Insight into the Scary world of AI

As AI progresses it becomes more and more of an everyday thing, and more of a norm.

A few years ago people would have never believed that major companies would be putting loads of Money into smart speakers such as ‘Alexa’ and ‘Google Home’.

Being someone who is working to help create a new virtual assistant, I find it scary to think that we use AI on a regular basis and we probably aren’t even aware of it. Every time we say ‘Hey Siri’ we are using it.

This is alarming because in a lot of cases the AI is listening even when its meant to be off. This a huge privacy risk, and why many people are sceptical about bringing AI into their homes.

The big benefit of AI is that there is no limit to what it can do, beyond battery life. All you have to do for it to be able to do something is tell it the rules.

Take teaching a robot chess for an example: Scientists wanted to make a robot that could beat the best chess player in the world. At first they taught it the best moves that the top players used and knew, the robot was rubbish. Then they tried a different approach. They taught it the rules of chess, and let it figure out the best moves it self. It was unbeatable. It made moves that no-one had ever made before.

This is when people started to realise that all you have to do to make a robot do something, is teach it the basic rules.

This correlates to AI. When you have a conversation with ‘Siri’ it may not feel 100% normal, but that is because it is learning. Siri by now must have had billions of conversations, and that’s why overtime they have got more realistic.

Of course this is also down to the devs, but the software is learning.

This is the future of AI. This is what we are going to see more and more of in the future. AI can already do a lot, such as creating the coldest things know to man from scratch in under a hour, but they are going to be major scientific advances in the future due to AI.

Now I am defiantly not saying the world will be run by Robots, but AI is going to mean an awful lot in the future.


from Privacy Simplified

Should you use a VPN?

A common thing that people say is that a VPN is enough for privacy. I could download a free one from my app store and I’m as good as gone, right?

This isn’t the case.

To be private online isn’t that easy, it requires a lot of thought and time. For instance, to be private online you should not be running Windows or MacOS rather a version of GNU/Linux. And thats just your operating system, to be private online you need to switch browser, search engine, email, your habits — the list goes on and on. Using a VPN on its own doesn’t make you private.

What it actually does is direct all your internet traffic through a virtual private network, rather than your Internet Service Provider (ISP). You are doing this with an app, which owns multiple servers around the world, through which you connect to avoid restrictions where you live.

What you are also doing is placing trust in that VPN provider to not keep logs, to not sell your data and so on. You may ask why a VPN provider would do such a thing, and the answer is money. VPN servers cost lots of money to maintain. How else do you think they provide a “free” service. After all: “If the product is free, you are the product!”. You may say: “I pay for my VPN so they would never do this!”, well unless they are listed on privacytools.io they probably are.

The VPN industry is not a nice place. Companies use cut-throat tactics to get ahead of the competition, with you, the customer, being directly affected.

Is there an alternative?

Yes. It's called Tor. Instead of routing all of your traffic through a VPN, you are routing it all through a series of nodes (or servers). From that explanation it seems similar, but it's not.

The deep-web contains billions of webpages that you can’t access via clearnet. Tor also provides the only form of anonymity online. By routing all your internet traffic through servers that only know where they are going, but not where they came from, you are making yourself anonymous online. And the best part is it's all free.

Isn’t Tor the dark web?

No. Thats a common misconception. Tor is simply a gateway to the deep-web, which in itself is not a bad thing. However it can be used to get to the dark-web.

Tor was actually set up so whistle-blowers or people with content restrictions could access a non censored internet. However now Tor is used by a much larger variety of people.

If you want more info on Tor then this article will help!

Which is better?

This all depends on your threat model and also what you want. For privacy Tor is better, but I wouldn’t use any form of social media on Tor like how I would on a VPN. They both have advantages and disadvantages.

Can I use both?

I wouldn’t, unless you have complete trust in your VPN provider.

At the end of the day everyone is different. For an average user a VPN on the list bellow will bypass restrictions perfectly well. IF, however you really care about your privacy, and are prepared to change some habits, Tor is the best way to go.

Sources and acknowledgements:

Inspiration — https://matt.traudt.xyz/posts/vpn-tor-not-mRikAa4h.html

Great privacy website — https://www.privacytools.io/

VPN Comparison chart — https://thatoneprivacysite.net/#detailed-vpn-comparison


from Jonah

If you run servers for public services, like I do with privacytools.io, you definitely want to monitor them for any successful logins to user accounts (via SSH, et cetera). The way I plan to accomplish this is to setup an automatic notification to the Pushover app on my phone in the event of any login. I'm going to implement this as part of PAM authentication, and configure it to fail any logins if the notification script fails for whatever reason.

If you want to implement this on your own server, I'll assume you already have a Pushover account and device setup, and an API key.

Create login-notify.sh, where we will store the actual script. I put it in /etc/ssh/ for example but you could put it anywhere:


# Change these variables

if [ "$PAM_TYPE" != "close_session" ]; then
  TITLE="SSH: ${PAM_USER}@$(hostname -f) (${PAM_RHOST})"

  curl -s \
  -F "token=$API_TOKEN" \
  -F "user=$API_USER" \
  -F "title=$TITLE" \
  -F "message=$TEXT" \
  -F "priority=0" \
  https://api.pushover.net/1/messages.json >/dev/null 2>&1

Just change API_TOKEN and API_USER to your own account's values. You can also change priority=0 to another value if you'd prefer more or less intrusive notifications.

Make your script executable:

chmod +x login-notify.sh

And add the following line to the end of /etc/pam.d/sshd:

session optional pam_exec.so seteuid /path/to/login-notify.sh

We made this optional mainly for testing purposes. You can leave it as it is, or change it to required after you've made sure it works to prevent logins entirely unless the script runs, if that is what you want.

Try logging in to SSH and it should send you a notification!

In theory, this method can also be applied to essentially any /etc/pam.d/ module. For example, you could add that last line to /etc/pam.d/login for notifications on TTY logins.

Thanks to this answer from Fritz on Ask Ubuntu and this post on Nology for guidance with the script.

Discuss this post on the Privacy Forum



from WorldWideWebWizard

Family Privacy: Part 2

In our last discussion, I discussed about using Firefox to protect your privacy. Now, I will be talking about GNU/Linux, and how to you can get started.

What is GNU/Linux?, GNU, was started by Richard Stallman, and is run by the Free Software Foundation. Linux is a kernel, created by Linus Torvalds. The Linux kernel helped fill in the gap, that the Free Software Foundation had yet to fulfill. That is why any system using GNU software, and the Linux kernel, is called GNU/Linux. Many People just call it Linux, but this isn't technically correct, as Linux is just the kernel.

You may be asking. Why should I use GNU/Linux over Windows? Here are my reasons on why you should make the switch.

  1. Windows does not respect your freedom:

When you use Windows, you are using an operating system that is controlled by a software giant. Microsoft has many examples of not respecting the freedom of its users. Like when Microsoft employed DRM in Windows Vista, that controls what people can do with their media.

  1. Windows is closed source:

Windows is a proprietary operating system. Microsoft does not want you to know what Windows is doing behind the scenes. Because of that, you cannot trust what Windows is doing.

  1. Windows invades your privacy:

With the release of Windows 10, Microsoft has added many privacy invading functions in the operating system. There is location tracking, native advertising, and more. With Windows 10, you have become a prime target for tracking.

Here is a list of the benefits of GNU/Linux.

  1. Your freedom is respected:

With GNU/Linux, its your system. You can do whatever you wish with it.

  1. GNU/Linux respects your privacy:

You shouldn't have to worry about user tracking. With GNU/Linux you are free from tracking.

  1. Open-Source:

GNU/Linux is open-source, so you can look and see what is happening with your operating system.

Now on to getting started. My recommended distribution is Linux Mint. Mint provides a familiar desktop, for people who use Windows. Mint comes with support for multi-media out of the box. Mint is based on Ubuntu Long Term Support Release, so you get a stable experience with Mint. To get started download a ISO file from https://linuxmint.com. Next, write that image to a disk, or USB drive. I recommend balena etcher for writing to a USB drive. Then, boot into the live environment. Select what how you want to install Mint. If your family member won't be missing Windows, then select erase disk and install Mint. If your family member still needs Windows for some applications, then select install Mint alongside Windows. Follow the instructions in the install prompt. After that, you should be ready to go.

Note: For laptops, make sure you check “install third-party components”. The third-party components contain software and firmware, that allow your laptop to connect to Wi-Fi, and more.

Thanks for reading, I hope this was informative for you. Stick around for part 3!

Resources: https://fsf.org/, https://linuxmint.com/, https://www.fsf.org/windows/upgrade-from-windows#abuses, https://www.balena.io/etcher/, https://fossbytes.com/install-linux-mint-19-tara-guide/, https://www.fsf.org/about/what-is-free-software


from My thoughts on security.

The Tor network is an anonymity system designed to protect the privacy and anonymity of its users. Unlike a VPN service, Tor is both free to use and decentralized. Sadly, there is plenty of misinformation around about Tor. This post aims to clearly explain Tor and to debunk various myths surrounding it.

How does Tor work?

The Path Tor works by sending your traffic over a network of thousands of voluntarily run nodes (sometimes referred to as relays). Each node is a server that is run by volunteers to help you improve your privacy and anonymity. Every time you connect to Tor, it will choose three nodes to build a path to the internet; this is called a circuit. Each of these nodes has its own function:

  • The Entry Node: often called the guard node, this is the first node your computer connects to. The entry node sees your IP address, but does not see what you are connecting to. Unlike the other nodes, the Tor client will randomly select an entry node, and stick with it for 2 to 3 months. I’ll expand on the reasons for this in a future blog.

  • The Middle Node: the second node to which your Tor client connects. This node can see which node traffic came from (the entry node) and which it goes to next. It does not, however, see your IP address, or the domain you are connecting to. This node is randomly picked from all Tor nodes for each circuit.

  • The Exit Node: is where your traffic leaves the Tor network and is forwarded to the destination domain. The exit node does not know your IP (who you are) but it knows what you are connecting to. The exit node will, like the middle node, be chosen at random from the Tor nodes(if it runs with an exit flag).

A quick visualization:

The Encryption Tor will encrypt each packet three times, with each key in turn from the exit, middle and entry node in that order. Once Tor has built a circuit, browsing is done as follows:

1. When the packet arrives at the entry node the first layer of encryption is removed. In this encrypted packet it will find another encrypted packet with the middle node’s address. The entry node will then forward that to the middle node.

2. When the middle node receives the packet from the entry node, it too will remove a layer of encryption with its key, and find an encrypted packet with the exit nodes address. The middle node will then forward the packet to exit node.

3. When the exit node receives its packet, it will remove the last layer of encryption with its key, and find the destination address that the user wanted to connect to, and forward the packet to that address.

Here is an alternative visualization of the process. Note how each node removes its own layer of encryption, and when the destination website returns data, the same process happens entirely in reverse. For example, the exit node does not know who you are, but it DOES know which node it came from, so it adds his own layer of encryption, and sends it back.

So what do we learn from this? Well we learn that Tor allows us to connect to a website without any single party knowing the entire path. The entry node knows who you are, but not where you are going; the middle node doesn’t know who you are OR where you are going; and the exit node knows where you are going, but not who you are. Because the exit node makes the connection, the destination website will never know who you are (the IP address of the originating device).

Myths and facts.

Although Tor is one of the best ways out there to protect your privacy and security these days, it sadly suffers from a bad reputation. This is the result of a number of myths which we’ll now attempt to debunk:

  1. But Tor was created by the US government, it must have a backdoor! Tor was not written by the government. Tor was written by Roger Dingledine, later on joined by Nick Matthewson, with the funding from the Naval research lab through Paul Syverson. The claim that that it must therefore contain a backdoor does not hold up for the following reasons: First of all, the US government uses Tor to hide its own activities online; if it had a backdoor, it would not be safe for them to use. One could argue that they could make their own anonymity systems, but this wouldn’t be effective. If the government would build their own system, and only let themselves use it, then ALL traffic is known to be automatically CIA/NSA/FBI traffic, making it pointless to use in the first place. One must not forget that you cannot be anonymous alone, you need similarly anonymous peers to form a crowd for you to blend into. The more people you throw into the mix, the harder any individual is to find.

  2. Tor will get me on a watch list! The claim that using Tor gets you on a watch list in a western society makes no sense at all. Not because it won't ever happen, but because it would be useless in the case they did it. Analysis shows that the Tor network gets as many as 2 million users a day. That’s a huge list, big enough that targeted surveillance is no longer possible, and governments would have to rely on mass surveillance. Hey, mass surveillance, wasn’t that already happening somewhere? Oh yeah, it's called the internet! The only place where using Tor could be dangerous is in nations with an oppressive government, but in that case a VPN is just as likely to arouse suspicion and get you on “the list”. Also with Tor, one can try to avoid detection by using bridge relays, which are entry nodes that are not publicly listed. Finally, it is worth considering what use of Tor protects you from, and whether that is more important than what the theoretical list would expose you to. It’s a little like thinking that using HTTPS will get you on a list, so you will no longer use HTTPS to protect yourself.

  3. But exit nodes can do spooky stuff with my traffic! This one is partially true, although your traffic is encrypted while entering and traveling through the Tor network, the connection between the website and your exit node is not. If I were to login into a webpage using HTTP, an exit node could intercept my password. And while this was a big issue in the past, the massive adoption of HTTPS, which went from 67% of all websites in 2017 to 77% in 2018 , has made most manipulation done by the exit node impossible, as the exit node will only see an encrypted HTTPS packet that it has to forward, so even it does not know what the packet contains.

  4. But the government can set up a lot of nodes to de-anonymize people! While Tor is indeed not a silver bullet, setting up a lot of nodes is a very unlikely attack, that can either be fairly trivially detected, or become VERY expensive, depending on how it is done. First of all to really DE-anonymize someone this way, you need to at least have the entry node and exit node of a Tor user. Remember when I explained above that entry nodes are chosen once, and are kept for 2/3 months? This is exactly why: if the government wants to become your entry node it has N% chance to be picked by you out of 6000+ nodes. If I am lucky, and pick a non-government node, the government will have to keep all their nodes running (costing lots of money) for at least two months before they get another chance of becoming your entry. Also it takes At least 8 days, maximum of 68 days before it gets up to full speed, to become a Guard node, as you see, this is slow, expensive, and generally a very unattractive way of finding a Tor user. While yes, they COULD do it, it wouldn't make sense for them to do it as there are a lot of attacks out there that are a lot cheaper to execute and try out. In the Tor stinks slides that were leaked in the Snowden documents, it was stated that they could de-anonymize a very small fraction of people, but it can not be used to target specific people on demand. which makes this expensive attack, not worth it in a real life scenario.

  5. But Tor is only used by criminals on this thing called the dark web, we should not support it! Firstly, while Tor can be used to reach websites anonymously on the “dark web”, the VAST majority of Tor traffic is used to reach normal websites. While some people are convinced Tor is enabling pedophiles and should be taken down, this is not a solution and will not help anything. If you take away Tor, all that would happen is that criminals will use another (illegal) medium to conduct their business, where an activist in Iran may be killed and tortured without the protection of Tor. Tor may be a two edged sword, but the side of the benefits to society cuts a whole lot sharper then the criminal side.

  6. I heard attack XYZ can break Tor! As I said above, Tor is no silver bullet, there can be attacks out there that could be used to try and de-anonymize Tor users. But it is currently the best we have, and as Tor grows, with each user and each new node, attacks become harder and more expensive to execute. All we currently know is that in 2013, as part of the Snowden leaks, the NSA was not able to reliably trace Tor users.

  7. But what about this drug market that got busted? It was hosted on Tor! It is true that there are certain individuals that abuse Tor to hide illegal websites, and many have been caught doing it. However, in each and every one public case of a take down, Tor was not the cause. One has to understand that even if your connection is anonymous, other things might be not. Tor is not magic security dust, it will not make your server “unhackable”. Software bugs are still a thing, government infiltration is still a thing, and simply user error is still a thing. These tactics are WAY cheaper, and also often a lot easier, to execute then any attacks directed at Tor itself.

  8. But Tor is funded by the US government! This one is partially true. While most current funding of the Tor project comes from the US government, people first have to realize that again, the government uses Tor themselves, so it makes sense for them to fund its development. Secondly, the US government is enormous, and it makes perfect sense that one part of the government is trying to improve it, while the other part wants to break it. Furthermore it's worth mentioning that the Tor project is actively trying to diversify their funding sources, with success. In 2015 85% of Tor's funding came from the US government, it went down to 76% in 2016, and even 51% in 2017. Do you want to help out diversifying Tor's funding even further? You can do so by heading to their webpage, by donating you will help their important work. It is also worth mentioning that all Tor code is completely FOSS, all discussions and meetings, all research, everything the Tor project does is transparent and available for anyone online to crawl through and investigate; meaning that if the Tor project were to do something sketchy, people can see it.

So you are saying Tor is unbreakable?

No, Tor is, like I mentioned above, not a silver bullet. While it is currently the best option we have, there are certain attacks that could be used against Tor (like traffic confirmation attacks) to try and de-anonymize its users. For this however, other technical measures can be taken to protect yourself further. What Tor is though, is a way to make mass surveillance so expensive, so hard, that governments will now have to scale down, and focus their resources on specific targets, essentially dumping mass surveillance. And that is the power of Tor.

Where to next?

Now that we got most Tor myths out of the way, we can move on to the next post in the Slicing onions series. Here I will explain how Tor relates to VPNs, what their use cases are, and when you should use one above the other: Slicing onions: part 2 – Onion recipes; VPN not required

About the author Other articles by this author


from Privacy Simplified

The Darkest Side of VPN's

Over the past week there has been a lot of stuff going on in the VPN world. It started off with The Hated One (THO) getting called out by another YouTuber called Tom Spark. In Tom's video he called out THO for being “another NordVPN shill”. This video was then posted on THO's sub-reddit, where Tom was quick to reply to all the comments this post was getting.

To give some Context, Tom Spark is a small YouTuber who reviews VPN's, amongst other things, and has 5k subscribers. He owns multiple VPN review website including best10VPN.com and vpntierlist.com . This is not the first time Tom has called THO out, as he made a video on him titled “Does The Hated One Know Anything about VPNs?”.

The Hated One is a rather bigger YouTuber with 90K subscribers, who makes videos and tutorials on the topics of privacy and anonymity. He is affiliated with NordVPN.

The premise of the Tom's video was that THO was saying don't use a VPN, and then having an affiliate code in his description. The claim he made was that “The Hated One is just a cheap Nord VPN sell-out” For the record Tom too has affiliate links in his description.

The argument was taken to reddit, where Tom argued that THO had no right to have affiliates. When questioned why he used affiliates he said he had “the right to” because he was a VPN reviewer. Sadly, I can't link these quotes as his reddit account has had most of its posts deleted.

Either way I and a fellow redditor argued about this subject for a good hour, going back and forth over and over again. We were getting nowhere. So I looked into his websites and was surprised to find TorGaurdVPN at the top of all his lists. Seemed rather odd.

For a while the reddit thread was silent, until THO made his official statement on the matter on his account.

If you follow the links through the article you can see the “Tom Spark” also goes by the name of Kevin Vadala, who also just so happens to work for TorGaurd (which is not disclosed on any of his sites or YouTube reviews). He also appears to have links with Windscribe (although this source can't be verifiable).

All in all, this entire calling out is just a massive attack on THO for publicity. Wether you can still trust THO is up to you, but “Tom” certainly can't be.


from WorldWideWebWizard

Pointing Your Family In A Private Direction

Many of our family members use online services such as Facebook, Twitter, and Instagram. Today I'm going to give a brief rundown about taking your family in a better direction. I'm going to start with web browsing. In a second part, I will discuss about private messengers. So lets get right down to it.

Web Browser: A web browser, is an application that displays content on the world wide web. Many browsers have come and gone, but the popular ones active today are, Firefox, Google Chrome, Internet Explorer, Opera, Safari, and Microsoft Edge.

Many people in your family may use Google Chrome as their primary browser. However, many people are unaware that Google Chrome employs tracking to know more about you such as, your location, what you've recently visited, and your favorite things. Talk to your family about these concerns, and talk to them about trying out Firefox. Firefox is a web browser from Mozilla, an organization that has many people who strive for an open, and private web. Firefox supports a wide range of add-ons that can be used to help protect their privacy. Facebook container can restrict Facebook from tracking you around the web. Ublock Origin, can help block trackers and ads while you browse. Firefox also offers their own tracking protection in the browser. Firefox offers sync, to allow your family member to use their profile across their devices.

There are many more add-ons out there, visit addons.mozilla.org to get started. You can also visit support.mozilla.org, and walk your family member through the basics.

Stick around for part two!