Recent comments in /f/Tech

Strangeways wrote (edited)

Very illuminating. Great research. Time to leave ProtonMail, I think. The immediate alternatives aren't that great.

Tutanota: I've had massive problems with them in the past. I've actually lost accounts there because of their so-called 2FA security. The Belgian company Mailfence appears to be security-oriented, but it comes at a small nominal cost. What about Rise Up? That is, if you can get an account there.

2

GadgeteerZA wrote

Are there, say, three or four links you can give us? I fully realise they have to permanently scan for a face to keep the screen alive, to unlock, etc., but it sounds like you have some evidence in links about them actually storing and using those photos elsewhere, in other words that zero of the AI is present on the device?

1

GadgeteerZA wrote

Many people were listed with this, but what does it actually tell us? He may have been a target, but we are not even sure if his phone was actually penetrated, or whether they found Telegram's secret decryption key. It seems really all conjecture at this point until we know anything definite.

Telegram is supposedly not in the business of selling user data or metadata (no hint of evidence to that effect yet) and does at least allow you to hide your phone number from all contacts. The problem is that mainstream users otherwise only use WhatsApp (which knowingly leaks metadata, including location, to Facebook, whom we all know about with their dropped balls on user privacy and advertising), and Signal, which requires a phone number to register, which can't be hidden, and which is hosted in the USA.

Again we sit with the problem: which is the lesser of all evils that mainstream users actually 'can' use?

1

GadgeteerZA wrote

Exactly the same question I was thinking, and I'm looking forward to the answer. I know of Tutanota, but what's the point of doing a massive mail migration, only to find that Tutanota is worse than ProtonMail?

You can use your own OpenPGP key with Gmail (then Google cannot see the content), but 99% of your contacts receiving it (including businesses etc.) are clueless about how to decrypt it.

1

Rambler wrote

The question is, then, who do you trust for secure email? Is email, by design, inherently 'bad' or 'flawed'?

What options does your average Joe have, outside of setting up his own mail server and expecting his contacts to use PGP encryption, which may or may not be crackable by the big agencies?

3

Hitler_Was_Right OP wrote

Protonmail’s False Claim List

Lie: “Protonmail obeys the law”

In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspected phishing server. You can see the tweet and read about it here. They soon deleted the tweet and said: “We cannot confirm nor deny if anything happened.” In 2013 the European Union parliament voted to make hacking a crime that carried a prison sentence of 2 years. “Hacking back” is also illegal under Swiss law.

Lie: Protonmail offers “Zero Access” or “End to End Encryption”

Nadim Kobeissi, a professor who teaches computer science and cryptography, proved that Protonmail does not provide End to End Encryption. Protonmail has since publicly acknowledged that they can decrypt anyone’s encrypted content by obtaining their password/passphrase.

Lie: Protonmail protects free speech

Protonmail has stated on Reddit that they are “controlled by the politics of the community that dominates the ProtonMail userbase”. So if a majority of their users wanted to ban an innocent minority group, Protonmail has stated they would “yield to community pressure” and ban all those users from their platform even if their terms of service are not broken. So Protonmail protects free speech as long as it agrees with the majority of their users. Protonmail is not safe for any minority group including Jews, activists or missionaries. If Protonmail has a majority group ask them to ban a minority group of users then Protonmail has stated explicitly that they will do it even if no terms of service are broken. Read Protonmail’s statements here.

Lie: “Protonmail is open source code.”

Their front-end code is open source. Their back-end code and mobile code are kept private. This can be confirmed by reviewing their open-source code here.

Lie: “By default, we do not keep any IP logs”

Protonmail’s Privacy Policy states: “This includes the sender & receivers, the IP addresses where emails originated from, message subject, messages sent & received times, storage space, total emails and login times.” Protonmail is also legally required to store all users' data for 6 months in Switzerland.

Lie: ProtonMail does not require any personally identifiable information to register.

If a user tries to sign up without personal information, via VPN or Tor, they detect it and require a “donation” with a credit/debit card or a confirmation with your personal phone.

Lie: “When a ProtonMail account is closed, data and emails are immediately deleted from production servers”

By Swiss law, Protonmail is required to record all data for 6 months. When a user deletes an email, the email and all metadata must legally be retained for 6 months.

Protonmail claims to be “Independently Audited”.

There is only one company listed as conducting an audit of Protonmail, Cyberkov.com. Cyberkov’s website says it’s connected to Harvard, MIT & CERN, and their team is full of Harvard and MIT grads, exactly like Protonmail. So Protonmail’s audit was probably done by Protonmail’s college friends or colleagues. Protonmail also shows a list of people who’ve audited their code, but anyone can email Protonmail to add their name to the list. Years later Professor Kobeissi did a real independent audit and proved Protonmail doesn’t provide “end to end encryption”.

Privacy Watchdog

https://privacy-watchdog.io/protonmails-false-claims/

3

Wahaha wrote (edited)

I've already been using that one for a long time, since WebP generally sucks. But it only works if there's a choice between WebP and JPG; if there is no choice, I'll get to see WebP.

2

smartypants OP wrote (edited)

No time to go through all solutions, but this plugin from 12 months ago should do the trick in a perfect brute-force way, though I don't know if a bad actor can use browser fingerprinting to shove it in anyway.

https://addons.mozilla.org/en-US/firefox/addon/dont-accept-webp/

This extension monitors and edits request headers using the onBeforeSendHeaders API.

TRY THAT PLUGIN.

If it works, vile web sites like youtube should show blank white squares for video previews.

Many HTTP web development tools, including free ones, can do ANYTHING with any data sent or received by Firefox and have persistent scripts. "ModHeader" is one fun one.

2
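Added example, not taken from the thread or from the extension linked above: the kind of Accept-header rewrite a "don't accept WebP" WebExtension performs in a webRequest.onBeforeSendHeaders listener. The header-rewriting logic is a pure function so it can be exercised outside a browser; the listener registration at the end only runs inside an extension context. The sample request headers and the manifest permissions named in the comments are assumptions for illustration.

```javascript
// Added example (not the extension's own code): strip "image/webp" from the
// Accept request header inside a webRequest.onBeforeSendHeaders listener.

// Remove WebP from an Accept header value, keeping the other media ranges and
// their q-values intact. Returns null when the header did not mention WebP.
function stripWebpFromAccept(value) {
  const parts = value.split(',').map(s => s.trim()).filter(Boolean);
  const kept = parts.filter(p => !/^image\/webp\b/i.test(p));
  if (kept.length === parts.length) return null; // nothing to change
  // An Accept header that listed only WebP would become empty; fall back to a
  // generic image Accept so the request stays well-formed.
  return kept.length ? kept.join(', ') : 'image/*;q=0.8, */*;q=0.5';
}

// details.requestHeaders arrives as an array of {name, value}. Returns a
// BlockingResponse: {requestHeaders} with Accept rewritten, or {} if untouched.
function onBeforeSendHeaders(details) {
  const headers = details.requestHeaders || [];
  let changed = false;
  const out = headers.map(h => {
    if (h.name.toLowerCase() !== 'accept') return h;
    const v = stripWebpFromAccept(h.value);
    if (v === null) return h;
    changed = true;
    return { name: h.name, value: v };
  });
  return changed ? { requestHeaders: out } : {};
}

// Register the listener when running as a Firefox extension (assumed
// manifest.json permissions: "webRequest", "webRequestBlocking", "<all_urls>").
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    onBeforeSendHeaders,
    { urls: ['<all_urls>'] },
    ['blocking', 'requestHeaders']
  );
}

// Constructed sample request (Firefox's default Accept for image loads).
const sampleRequest = {
  requestHeaders: [
    { name: 'Host', value: 'example.invalid' },
    { name: 'Accept', value: 'image/webp,*/*' },
  ],
};
const rewritten = onBeforeSendHeaders(sampleRequest);
console.log(JSON.stringify(rewritten)); // Accept becomes "*/*"
```

Editing Accept only states a preference: a server that serves WebP unconditionally can still return image/webp no matter what the client advertised, which is the "shove it in anyway" case and why sites that do so would show blank tiles rather than JPG previews.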

smartypants OP wrote

Apple did, often since 2017, scan faces for 30,000 data points in 3D FOR EMOTION TRACKING in Animojis in 2017 and later, but now in 2021 they do it on the home screen and measure the pupil and study gaze direction.

Learn and read. Lots of links support all I just typed.

1

Wingless wrote

It's been true a long time. The ideal was an "encyclopedia anyone could edit" with "the sum of all human knowledge". Now it is 1,000,000 times more important to leave out what needs to be left out than to include what needs to be included, so they use unlimited, creepy, secret means to track users, which necessitates blocking proxies. We have no idea what kind of tactics they really use, but what leaks from their vague descriptions of "behavioral characteristics" on their so-called "AN/I" board is that they are probably using (at least) browser fingerprinting tactics. But they also supplement that with a strong dose of simply banning anything they're not sure about or don't understand.

Every for-profit is corrupt, every non-profit is corrupt, and a cabal of spies rules over them all.

4

BlackWinnerYoshi wrote

You would have to make the browser engine run through the Tor proxy (socks5://127.0.0.1:9050), including DNS requests to resolve onions. But why has no one forked Tor? It's probably because Firefox and its Gecko browser engine aren't dead yet, but they might be in the future, so it's probably a good idea to use Pale Moon as a replacement, especially with the Proxy Privacy Ruler, which allows for applying the proxy only to private windows and/or certain domains. But they'll probably not do that and just accept using Chromium and its Blink browser engine (I mean, Pale Moon is bad... but it's still better than what Chromium is trying to do).

3
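Added example, not part of the comment above: what "DNS requests through the Tor proxy" means on the wire. A SOCKS5 CONNECT request (RFC 1928) can carry the destination as a domain name (address type 0x03), so the client never resolves it locally and the proxy on 127.0.0.1:9050 does the lookup, which is the only way a .onion name can resolve at all. A client that resolves first and sends a literal IPv4 address (type 0x01) has already leaked the lookup to the system resolver. The hostname and reply bytes below are constructed for illustration.

```javascript
// Added example (not from the thread): build and parse SOCKS5 CONNECT messages
// to show the difference between proxy-side DNS (hostname in the request) and a
// local-resolution leak (IPv4 literal in the request). Node.js, no network I/O.

const SOCKS_VERSION = 0x05;
const CMD_CONNECT = 0x01;
const ATYP_IPV4 = 0x01;
const ATYP_DOMAIN = 0x03;
const ATYP_IPV6 = 0x04;

// Client greeting offering "no authentication" only.
function buildGreeting() {
  return Buffer.from([SOCKS_VERSION, 0x01, 0x00]);
}

// CONNECT addressed by hostname: the name travels inside the request and the
// proxy (Tor) resolves it. This is what Firefox sends when
// network.proxy.socks_remote_dns is true.
function buildConnectByHostname(host, port) {
  const name = Buffer.from(host, 'ascii');
  if (name.length > 255) throw new Error('hostname too long for SOCKS5');
  const header = Buffer.from([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, name.length]);
  const portBuf = Buffer.alloc(2);
  portBuf.writeUInt16BE(port, 0);
  return Buffer.concat([header, name, portBuf]);
}

// CONNECT addressed by IPv4 literal: only possible if the client already
// resolved the name itself, i.e. the DNS query bypassed the proxy.
function buildConnectByIPv4(ip, port) {
  const octets = ip.split('.').map(Number);
  const portBuf = Buffer.alloc(2);
  portBuf.writeUInt16BE(port, 0);
  return Buffer.concat([Buffer.from([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_IPV4, ...octets]), portBuf]);
}

// A CONNECT request is a leak indicator when it carries a resolved address
// for a destination the browser was given as a name.
function leaksDns(connectRequest) {
  return connectRequest[3] !== ATYP_DOMAIN;
}

// Parse the proxy's reply. REP 0x00 is success; anything else is a failure.
function parseReply(buf) {
  if (buf.length < 4 || buf[0] !== SOCKS_VERSION) throw new Error('not a SOCKS5 reply');
  const rep = buf[1];
  const atyp = buf[3];
  let bindAddr, off;
  if (atyp === ATYP_IPV4) {
    bindAddr = Array.from(buf.subarray(4, 8)).join('.');
    off = 8;
  } else if (atyp === ATYP_DOMAIN) {
    const len = buf[4];
    bindAddr = buf.subarray(5, 5 + len).toString('ascii');
    off = 5 + len;
  } else if (atyp === ATYP_IPV6) {
    bindAddr = buf.subarray(4, 20).toString('hex');
    off = 20;
  } else {
    throw new Error('unknown address type');
  }
  return { ok: rep === 0x00, code: rep, bindAddr, bindPort: buf.readUInt16BE(off) };
}

// Constructed exchange: hostname-addressed CONNECT to a placeholder onion name
// and a success reply with a zero bind address, as a SOCKS proxy may return.
const request = buildConnectByHostname('example.onion', 80);
const reply = parseReply(Buffer.from([0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0]));
console.log('greeting', buildGreeting().toString('hex'));
console.log('connect ', request.toString('hex'), 'leaks DNS:', leaksDns(request));
console.log('reply   ', reply);
```

In Firefox the equivalent settings are network.proxy.type = 1, network.proxy.socks = 127.0.0.1, network.proxy.socks_port = 9050, network.proxy.socks_version = 5 and, crucially, network.proxy.socks_remote_dns = true; without the last one the browser resolves names through the system resolver and only then hands the proxy an IP, so .onion lookups fail and every other lookup is visible to the local network.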