[Off-Topic] Privacy Tips and Tricks

[bbbhltz]

One of my major concerns, or even obsessions, is digital privacy.

I have read plenty of advice from self-appointed experts on this topic. I would rather have your personal tips and tricks with regards to everyday digital privacy for desktop users.

I'm not looking for tips on hardening talking about encryption or links to blogs. I'm more concerned with things that wouldn't scare off a new user.

For example:

• Flatpak: yay or nay?

• Browser or DE/Shell Extensions?

• One-liners for the CLI?

• etc.

Thanks and have a nice, private, day!

[lindi]

I have separate commands for starting browsers for the sites that make their money from tracking their users. Something like

Code: Select all

$ cat bin/facebook
#!/bin/bash

exec chromium --proxy-server=socks://localhost:9052 --user-data-dir=$HOME/.chromium-facebook https://facebook.com/

$ cat .ssh/config
host shellserver.example.com
    dynamicforward 9052

This ensures that my traffic towards the company always comes from the same IP address and the same browser is not used to browse other sites.

[Hetzer]

I would rather have your personal tips and tricks with regards to everyday digital privacy for desktop users.

So let's start with what to avoid:
- Avoid commercial social networks, especially these known for intensive infiltrating - Facebook, Twitter, et cetera
- Avoid mainstream "privacy-first" companies / "organisations" like Mozilla and especially avoid their "services"
- Avoid using non-free programs with network access - and if ye must run them (Like I have to run AutoCAD for me school) - run them isolated or in virtual machines (Example from me life, I run mentioned AutoCAD on Tiny10 (stripped-down Windows10) on virtual machine with no networking enabled)
- Avoid web-based pseudo-software - or simply avoid anything company server-based (or so-called "cloud"-based). Ye never really know what's done with that data ye give them

And now, in terms of desktop environments / web browsers:
In matter of DEs there's no problem what to choose: We have XFCE, MATE, LXDE && LXQT. I'd avoid GNOME and KDE since they are heavyweight, bloated and somewhat hard to operate.
In terms of web browsers, well, we have only firefox(-derived), plus to that which is only somewhat bearable - Not only it's heavy as hell, it's also unreliable and by default is configured to leak a lot of data.
Though unlike chromium (not sure actually), firefox can be configured to be privacy-respecting by:
- Disabling cookies (and allowing to place them only sites specified in exceptions) / Disabling all tertiary cookies
- Setting firefox to clear everything but "site settings" on close
- Disabling telemetry in about:config, changing every telemetry server to localhost
- Installing NoScript, uBlock, et cetera
- Disabling interaction data sending (as I rebember, it's disabled by default on Debian-packaged firefox-esr)
- Not using "pocket" or anything (anti)service-based from Mozilla
In terms of search engine - As for now, we have only free (as in freedom) front-ends to these commercial ones - SearX(NG), Whoogle, LibreY, etc. Still better than using a commercial one like Goolag, Yandex...

Flatpak: yay or nay?

I have no opinion on Flatpak since I don't use it - I use either debian-packaged or tarballs

[bbbhltz]

@lindi:

love it, I've seen this mentioned elsewhere but this is the first time someone actually shared a little script.

@Hetzer:

Some of those might not be easy for someone just starting out. I would have no problem implementing them, but explaining the reasoning might take more time than setting it up. All good advice though. I do think that many users would benefit from using the arkenfox or betterfox user.js which can get rid of the Pocket integration which I suspect lots of users dont really use (wallabag anyone?).

[Hetzer]

Some of those might not be easy for someone just starting out

Well, being private nowadays ain't easy, sadly - especially in times of commercial Web and JS-driven everything

I do think that many users would benefit from using the arkenfox or betterfox user.js which can get rid of the Pocket integration which I suspect lots of users dont really use (wallabag anyone?).

Or install a pre-configured privacy-first firefox derivative like LibreWolf

[Uptorn]

I'm not looking for tips on hardening talking about encryption or links to blogs. I'm more concerned with things that wouldn't scare off a new user.

I happen to know quite a few good resources, if ever you're interested.

Flatpak: yay or nay?

libraries that are packaged with flatpack do not get updated with the rest of your system. And many simply are allowed to languish on old versions by their packagers. So using anything like flat for snap becomes a detriment to security.

Browser or DE/Shell Extensions?

Somebody above mentioned big DEs being a concern. But there is another angle to consider: big DEs (and all "big" software projects) enjoy a lot of dev time. Smaller DEs can have long standing bugs and issues that take long to address simply because they are at a manpower disadvantage. As to which is better for one's privacy, I am unsure. Just endeavor to disable/remove components that you will not be using in order to minimize attack surface.

The same holds true for web browsers. There are dozens of Firefox forks. And many fall by the wayside, just look at GNU Icecat. One is left to decide between the monumental task of de-clawing upstream Firefox, or relying on some downstream spin that has sane defaults but is inevitably behind on security patches and can languish or die due to sudden onset lack of developer interest.

One-liners for the CLI?

Before sharing or uploading any file to anyone, run it through mat2 to remove all metadata.

Code: Select all

mat2 --inplace file.jpeg

Or shove just about anything through the tor network.

Code: Select all

torsocks some-networked-applicaiton

etc.

For new users, the most immediate benefit will be seen in the cessation of using privacy-hating services and products. Only then will explicitly seeking out privacy friendly solutions begin to yield aggregate benefits. It's mentioned above but, avoid all commercial proprietary nonsense.

If you must interface with web-facing proprietary nonsense, do so through sanitizing front ends like Invidious and Nitter. Static pages can be proxied through web.archive.org and archive.today.

Many things can be done without going through the internet at all; translation with apertium, unit conversion with gnu units, maps with KDE marble, for example.

[Hetzer]

Many things can be done without going through the internet at all

Plus to that, one can always get a cheap machine and set up a self-hosted alternative

[bbbhltz]

I happen to know quite a few good resources, if ever you're interested.

...

Before sharing or uploading any file to anyone, run it through mat2 to remove all metadata.

Code: Select all

mat2 --inplace file.jpeg

...

For new users, the most immediate benefit will be seen in the cessation of using privacy-hating services and products. Only then will explicitly seeking out privacy friendly solutions begin to yield aggregate benefits. It's mentioned above but, avoid all commercial proprietary nonsense.

If you must interface with web-facing proprietary nonsense, do so through sanitizing front ends like Invidious and Nitter. Static pages can be proxied through web.archive.org and archive.today.

...

I am personally interested in those resources, I may have already seen some of them. But, the scope of my question is limited to things I could suggest to a friend or colleague without leading them down a rabbit hole that doesn't apply to their threat model.

Removing metadata is something I try to show my students. They have a bad habit of putting their CV or résumé on LinkedIn without removing things like their birthday, phone number and home address (which they should just edit out) and also sometimes the PDF includes metadata about Canva, OS, screen size, etc. They consider that to be harmless, but now someone has their phone number and can contact them and say they are from Apple support and their device has been compromised which is a common scam now.

I never used Twitter, and I am quite upset that nitter has stopped functioning as well as it used to. I did manage to get my campus to unblock the Invidious instances I use (why they blocked them is a mystery).

[Uptorn]

I am personally interested in those resources, I may have already seen some of them. But, the scope of my question is limited to things I could suggest to a friend or colleague without leading them down a rabbit hole that doesn't apply to their threat model.

Before I go posting anything, I guess I must ask: what is their threat model?

[bbbhltz]

@Uptorn "they" are hypothetical people that don't exist, but in general I don't know any investigative journalists or people who work in sensitive areas. Nobody I know needs hardening, they just need to be eased into things and shown that protecting yourself online does not need to lead to friction and annoyances. They are the people that don't have ubo installed, that use Google Chrome to save their passwords, that think "Private Mode" is a magic invisibility cloak from hackers and the government, and so on.

Your idea about removing metadata is the exact kind of suggestion I am looking for. Digital privacy for the person who says, "I have nothing to hide" is a better way of putting it.

[Hetzer]

Nobody I know needs hardening, they just need to be eased into things and shown that protecting yourself online does not need to lead to friction and annoyances

I think that in the end it's more convenient than "convenient" rejecting of privacy - browsin' throught sites without any ads, pop-up "privacy" settings and not having gigabytes of tracking cookies on disk sound good, doesn't it?

They are the people that don't have ubo installed, that use Google Chrome to save their passwords, that think "Private Mode" is a magic invisibility cloak from hackers and the government, and so on.

Digital privacy for the person who says, "I have nothing to hide" is a better way of putting it

Well, good luck with such people then...
Literally nothing gets into these people. I'm not joking, I've tried to convince a lot of people with such mentality how all of this "convenient" crap works against them, that there are solutions to avoid it... I always get one of the below:
- "But I have nothing to hide" ("nothing to hide" but closes blinds 'cause they "don't want other people to see what they do"... Logic at it's finest)
- "They already have something on me" ("They stole me 20€, so I'll just give 'em my entire savings")
- "Yes I know but I can't do anything with that" (Free alternatives don't exist? I'm using a non-existent system then, don't I?)
- "Shut up ya paranoid" (Ye, I'm "paranoid" because I know what's written in Facebook "privacy" policy...)
Even better, I tell them how their response makes no sense - they still repeat it all over again... I feel like I'm talking with a mental /dev/null's
So well um, all I can tell ya is it's going to be a real pain to change anything in their mentality...
I'm not trying to discourage ya (Actually I think we shall insist on it no matter what, there's always a chance that one in thousand may understand that and therefore - join the world of freedom) - just know what it may take

[Uptorn]

@Uptorn "they" are hypothetical people that don't exist, but in general I don't know any investigative journalists or people who work in sensitive areas. Nobody I know needs hardening, they just need to be eased into things and shown that protecting yourself online does not need to lead to friction and annoyances. They are the people that don't have ubo installed, that use Google Chrome to save their passwords, that think "Private Mode" is a magic invisibility cloak from hackers and the government, and so on.

Your idea about removing metadata is the exact kind of suggestion I am looking for. Digital privacy for the person who says, "I have nothing to hide" is a better way of putting it.

I suppose there is no getting around the fact that one cannot make others care about an issue, however important it may be. I'm with you in spirit and wish you luck. That said, I'm not sure how I would go about sharing such a dialogue with a stock Chrome using average "normie" who probably just wants to access facebook and youtube. Your thread is an interesting exercise for me as it's forcing me to confront a hypothetical exchange!

So I guess you would want passive "set-and-forget" tools that can work quietly in the background. The moment such a user has to think about the tool, it becomes a deal breaker for them. A hosts blacklist using very relaxed blocklists? Or point their DNS so that their ISP can no longer hijack pages? Addons like SmartHTTPS?

It can really be broken down into two different things; we are either trying to persuade the hypothetical people as to the importance of digital security, or we are trying to deploy tools to their hypothetical devices that won't impact their "work"flow.

[bbbhltz]

I agree with a lot of what you're saying. Perhaps I should have approached this differently and prepared a sort of guide or list and then asked for feedback on it.

[Trihexagonal]

Never use your real name online for anything that isn't positively necessary.

Never, ever, post your photo online. If someone pisses me off in a major way the first thing I want to do is look for a photo to see what this person looks like.

In 2000 some people were talked into paying me a surprise visit with bad intent and made a 5 car fun weekend road trip out of driving approx 300 miles to get here. They knew my name, where I lived and everything they needed to carry out a plan to beat me to death with baseball bats. But they had never seen my photo and must have thought I was some pimply faced teenager living in Mommy's basement.

They were without a doubt my Superiors online.
IRL I was me and one of me is all it takes.

All I will say is it must have been a long, solemn ride home with much to think about nobody wanted to talk about. Because nothing went right for anyone but me that weekend and in a big way.

But they could Sub7 my Mighty Win98SE box at will in chat and if i was going to survive online I had to up my game by learning to use to Linux and I owe it all to them. The torture never stops. :p

[Uptorn]

Never use your real name online for anything that isn't positively necessary.

It is distressing how much this has been normalized. And the more people that cave and do it, the more it "legitimizes" this expectation that one uses PII without question.