Tagged as: Privacy

On forums like r/privacy people often discuss the role of open source software when it comes to privacy and end-to-end encrypted messaging applications. The general consensus is: a privacy focused app must be open source so that people can get their eyes on the source code and audit it for security vulnerabilities, verify it's doing what it says in the tin and without any secret government backdoors built in that would undermine the security and reveal peoples' private chats.

These are all well and good: if the source code is not open, you can't verify the code isn't doing something sneaky like uploading your encryption keys to the service provider or whatever. But, open source alone isn't a silver bullet to help guarantee the security of the app:

• Just because the code is readable and somebody could audit it for bugs, doesn't actually mean anybody does. Some vendors of such software may hire security firms to deliberately audit their code, but for random small projects that haven't been formally audited, "open source != automatically secure" -- but still, it is better than closed source where nobody can audit the code.
• Just because the source code is available doesn't mean the program you download from the App Store is built on exactly the same code. Google Chrome, for example, is built on top of the open source Chromium browser but after Google injects a few proprietary services and features; the Chrome program released by Google has features not found in the Chromium source code. This can be helped by so-called "reproducible builds" and I'll cover that below, but reproducible builds do not come "for free."

In this post I'll address a few common tired things I hear people on r/privacy say in regards to this topic and how it's never quite that simple.

Read more...

Signal is an end-to-end encrypted messenger app for smartphones that has been recommended by the likes of Edward Snowden and has seen an especially large influx of new users in recent months who are suddenly more concerned about Facebook or other tech companies reading or censoring their chat messages.

It's a fairly good app for what it does and it would probably fit the needs of your "average user" very well, but it doesn't work well for my needs and I still use Telegram in its place.

Now, I would like to use Signal instead of Telegram, because Signal's technology is more sound and the chats are truly end-to-end encrypted (where Signal Co. would be incapable of reading my chats even if they wanted to). Telegram in comparison uses some home-made cryptography (and you should never roll your own crypto) and their chats are not end-to-end encrypted by default, but Telegram does have some good quality-of-life usability features that makes it more appealing to me than Signal for now.

Read more...

A couple of years ago I started the progress of slowly de-googling my life: lessening my reliance on Google services, moving my data to my own servers and limiting what data Google can collect about me going forward as well as deleting the data they already have.

In this blog post I'll talk about the Google services I used to use and the solutions I found for replacing them. The full list of Google services I used to use and have found alternatives for include:

• Gmail: hosting my @kirsle.net email addresses elsewhere.
• Contacts & Calendar: Nextcloud provides my cross-device sync for these.
• Drive: Nextcloud holds my files in the "cloud" (my home PC available on the go).
• Photos: I moved all mine to my Nextcloud.
• Search: DuckDuckGo.

Also check out some of my personal notes I've been taking as I went:

• Degoogle
• Android App Compatibility w/o Play Services
• Self-Hosting

Read more...

Today I finally migrated away from using LastPass as my password manager and am instead going to use KeePass. My reasons were the following:

1. I don't want a browser extension being responsible for my password manager, as the security surface area of a browser extension is unknown.
2. The usability of LastPass's extension for Firefox has been declining. They removed the ability to "Copy Password" which makes logging in to some sites, like Amazon AWS, a royal pain in the ass.
3. LastPass is closed source and is a black box and it does weird things, like not ask me for my password often enough, and I have no idea what it keeps available in memory for malicious apps to get into.
4. I want to keep my things off the cloud where I can.

In this post I'll share my experience with migration, complaints about LastPass and how my current setup looks for syncing my passwords between my phone and computers.

Updated (6/1/18): Syncthing is a good way to synchronize a KeePass DB between my phone and computers.

Read more...

This has been a rough week for Facebook with all the Cambridge Analytica drama, and it's as good a time as ever for me to start withdrawing from Facebook and other social media.

Announcing that you're going to #DeleteFacebook, on Facebook, is cliche af so I'm not going to do it there. This week I've been wiping my Facebook profile clean (not that deleting posts actually deletes anything from their database) and all that remains, currently, is one profile picture, a cover picture, and a Keybase verification post that, of course, I don't mind being public. After I find out alternative messaging options for some of the friends I enjoyed chatting with on Messenger, I'll delete the account.

Facebook's drama isn't the only crazy thing I heard about this week, though: there's also the CLOUD Act, and it is far worse.

Read more...

I was reading this ACLU blog post about how DreamHost was served with a warrant to hand over IP addresses of some 1.3 million visitors to a website they host, and it got me thinking: do websites really need to store IP addresses of their visitors?

There are a lot of VPN companies such as Private Internet Access that advertise far and wide that they explicitly chose not to keep any logs. The idea is that if the VPN provider is served with a warrant for user activity, they would have no data to hand over, because they never stored anything in the first place. Why don't websites do that?

Read more...