Datafication & Technology

Datafication, Phantasmagoria of the 21st Century

Tag: Security

Resources for Digital Privacy

28 June 2024 / / 0 Comments

A hacker friend sent me a number of resources that introduce and clearly but simply explain digital privacy. I am sharing these here without much comment.

General Resource

A good general resource: https://www.privacyguides.org/en

Why Privacy Is Important

Very short description of why privacy is important (I get SO MANY questions about why it’s important!) https://www.privacyguides.org/en/basics/why-privacy-matters

This is a blurb on why privacy is important by Mullvad VPN: https://mullvad.net/en/why-privacy-matters

NB: the pdf version is available here: https://mullvad.net/pdfs/Total_surveillance.pdf

Threat Modelling

These 3 articles explain the concept of threat modelling, to understand your own situation in order to know what to do/not do.

https://www.privacyguides.org/en/basics/threat-modeling
https://privsec.dev/posts/knowledge/threat-modeling
https://opsec101.org

Common Threats

A little bit more detail on what kinds of threats most people think about when threat modelling: https://www.privacyguides.org/en/basics/common-threats

And then, once the person has thought about their threat model and has a rough idea about it, then comes the part about choosing and deploying countermeasures.

Tools

This is a question people often ask me: what tools can I use? Here are some references for tools that can be used, depending on the threat model one has identified: https://www.privacyguides.org/en/tools

it is important to remember that it’s difficult to prescribe a one-size-fits-all solution for everyone, because each person’s threat model will be different.

Someone who is only concerned with surveillance capitalism will need to approach things differently vs. a high net worth individual or celebrity concerned about their physical and digital security vs. a political dissident or whistleblower.

Hope this helps!

Privacy Guides – Restore Your Online Privacy

11 March 2024 / / 0 Comments

Privacy Guides is a cybersecurity resources and privacy-focused tools to protect yourself online.

Start your privacy journey here. Learn why privacy matters, the difference between Privacy, Secrecy, Anonymity and Security and how to determine what is the threat model that corresponds best to your needs.

For example, here are some examples of threats. You may want to protect from some but don’t care much about others.

  • Anonymity – Shielding your online activity from your real identity, protecting you from people who are trying to uncover your identity specifically.
  • Targeted Attacks – Being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically.
  • Passive Attacks – Being protected from things like malware, data breaches, and other attacks that are made against many people at once.
  • Service Providers – Protecting your data from service providers (e.g. with E2EE, which renders your data unreadable to the server).
  • Mass Surveillance – Protection from government agencies, organisations, websites, and services which work together to track your activities.
  • Surveillance Capitalism – Protecting yourself from big advertising networks, like Google and Facebook, as well as a myriad of other third-party data collectors.
  • Public Exposure – Limiting the information about you that is accessible online—to search engines or the general public.
  • Censorship – Avoiding censored access to information or being censored yourself when speaking online.

Here, you can read about Privacy Guides recommendations for a whole range of online privacy tools, from browsers to service providers (cloud storage, email services, email aliasing services, payment, hosting, photo management, VPNs etc), softwares (sync, data redaction, encryption, files sharing, authentication tools, password managers, productivity tools, communication such as messaging platforms etc) and operating systems.

You can also understand some common misconceptions about online privacy (think: “VPN makes my browsing more secure”, “open source is always secure” or “complicated is better” amongst others).

You can also find valuable information about account creation: what happens when you create an account, understanding Terms of Services and Privacy Policies, how to secure an account (password managers, authentication software, email aliases etc). And just as important (maybe more), about account deletion (we leave A LOT of traces in the course of our digital life, and it’s important to become aware of what they are and how to reduce their number).

AND MUCH MORE!

I can’t recommend this website enough. Visit it, revisit it, bookmark it and share it with friends and enemies. 🙂

Leaving Traces Online, Identifiers.

11 February 2024 / / 0 Comments

Visit this website (or copy and paste https://www.deviceinfo.me) and it will show you a long list of all the identifiers that every website you visit can find out about you, your location, your device etc… All these different data points then used to create a “fingerprint” of your web browser, allowing the rest of your web activity on that same browser/device to be trackable.

NB: You can visit this website from any of your devices (mobile or desktop/laptop).

[HOW TO] Manipulate Photos That Can’t be Reversed Engineered Using Signal.

26 March 2023 / / 0 Comments

You want to send or post a photo, but don’t want to show the whole image. Maybe it’s a screenshot and you do not want to tell the world about your mobile provider and other personal visible details on a screenshot, or you may want to blur your background to hide your location, or or or…

Did you know that it is easy to reverse engineer cropped, blurred or manipulated photos back to their original state, thereby revealing what you wanted to hide by manipulating the photo in the first place? It is called an “exploit” (as in exploiting a loophole or weakness in a programme or app). Recently, such a weakness has been found in the built-in cropping feature on Google Pixel phones, but the weakness is also present in iPhones and other Android phones (read this Wired article to know more).

While companies can patch the exploits, all redacted photos already online (and if you use a cloud service, your photos are most likely already online) are vulnerable to it. When you crop a photo, what happens is the process tells the file to pretend that the cropped out section is not there, but it actually is still there.

As we all now know (and if you don’t, you should), if there is anything you do not want to make public, do not post it online. It is safe to consider that anything you have posted online is now in one way or another known to someone. And deleting what you have already posted does not help. You are just removing it from your view. Your photos are probably already in multiple datasets.

One way to really crop photos is to use… SIGNAL! Yes. You may know Signal as one of the most secure and private messaging platform, but it is also a great tool to REALLY crop out stuff from your photos so they can’t be reversed engineered. How to do that? Open Signal, take a photo, open the editing tool, crop, change as needed and save. Then send to “Note To Self” (another great feature of Signal for storing info).

If you have not downloaded Signal yet, you can find it in your app store, or here.

[Podcasts Series] Surveillance Report Podcast

25 March 2023 / / 0 Comments

In the Podcast Series, I am going to start posting links to interesting podcasts that cover topics we are interested in.

One of those is the Surveillance Report Podcast, described on their website as a “weekly security and privacy news – Presented by Techlore & The New Oil”. Every week, you get about 50 minutes of news on topics around privacy and security, including news about data breaches, exploits, new research etc. Each episode presents and analyses a highlight story, usually a piece of news that has gone viral in the privacy and security community. It is quite informative although sometimes a bit technical. Each episode also presents a list of sources for what is discussed.

The Surveillance Report Podcast is available on Youtube, RSS, Apple podcasts and Spotify.

Web3 Analysis by Moxie Marlingspike

10 May 2022 / / 0 Comments

A must-read blog post by Moxie Marlinspike, founder of Signal, sharing his thoughts on Web3.

The basic argument is that although Web3 concept is for decentralization of internet away from platforms, practically it has just reverted back to Web2 (centralized internet) with only superficial trappings of decentralization.

His points:
1) Blockchain and “crypto” (as it’s now commonly referred to meaning blockchain/cryptocurrency rather than the original meaning “cryptography” aka encryption) is discussed in terms of “distributed” and “trustless” and “leaderless”. One might think that this means that every USER involved is a peer in the chain. But practically it’s not about USERS, it’s about SERVERS. The distributed nature is based on SERVERS, not what Moxie calls “clients” (aka YOUR computer, YOUR phone, YOUR device). So the blockchain concept is supposed to follow distributed trustless and leaderless methods between SERVERS. The problem is that your phone is not a server. Your computer is not a server. Your devices are not servers. All of your devices are END-USER devices. Very few people will actually be setting up, running and maintaining their own server. It’s difficult, requires technical knowledge, and time consuming and costs money to maintain.

So what actually ends up happening is that the whole interface of Web3 turns to: Blockchain <-> Servers <-> End-user client devices. And the problem with Web3 so far is that all the end-user interaction with the blockchain has now consolidated to very few servers, aka returned to the phenomenon of platformisation (which describes how Web2 platforms decentralised their API throughout the entire web to centralise data back to their servers in the 2010s). As of now, most of the Web3 “decentralised apps” interact with the blockchain through two companies called Infura and Alchemy. These two companies run the servers in between blockchain and end-user client devices. So if you are using MetaMask and do something with your cryptocurrency wallet in MetaMask, MetaMask will basically communicate to Infura and Alchemy who then communicate with the actual blockchain.

His two sub-complaints to this are:
A) Nobody is verifying the authenticity of information that comes from Infura / Alchemy. There is currently no system in place on the client side (aka MetaMask on user side) to ensure that what information Infura / Alchemy returns to the end-user is actually what is truly on the blockchain. Theoretically if you have 5BTC in your wallet on the blockchain, and you load up MetaMask to query the balance in your wallet, MetaMask might contact Infura / Alchemy requesting your BTC balance and Infura / Alchemy can respond to say you have 0.1BTC. MetaMask won’t verify if that’s actually true, it’s just taken at its word.
B) Privacy concerns with routing all requests via Infura / Alchemy. Moxie’s example is: imagine every single web request you make is first routed through Google before being routed to your actual intended destination.

2) He gives the example of how NFTs are in fact just URLs stored on the blockchain. And these URLs point to servers hosting the actual content. So when you buy an NFT, you only own the URL on the blockchain that DIRECTS to the artwork, NOT the “artwork” itself. He did an exercise where he made an NFT that looks like a picture when viewed through OpenSea, but looks like a poo emoji when accessed via someone’s crypto wallet. Because ultimately the server hosting the image (to which the URL on the actual blockchain points to) is ultimately in control of the artwork.
Even worse, his NFT ended up being deleted by OpenSea. But somehow his NFT ALSO stopped appearing in his wallet. How is this possible? Even if OpenSea deletes the NFT from their website, the NFT should still be on the blockchain, right? Why doesn’t it still show up in his wallet? Well he says that due to this centralisation of supposedly “de-centralised” apps, his wallet is in fact communicating not with the blockchain directly, but through a few centralised platforms (one of which is OpenSea). So because OpenSea deleted his NFT, his wallet also no longer shows the NFT. It doesn’t matter that his NFT still belongs to him on the blockchain if the whole end-user system is totally divorced from the blockchain and instead reliant on the middle servers.

3) Finally, he is saying that Web3 as we know it now is really just Web2 with some fancy “Web3” window dressing. And the window dressing actually makes the whole system run worse than if it just stuck to pure Web2. But why force the window dressing? Simply to sell the whole thing as a next generation Web3 package as part of what he calls a gold rush frenzy over Web3.

© 2024 Datafication & Technology

Theme by Anders NorénUp ↑