That is not what they were asking. They were suggesting you use someone else’s ID (say, your parent’s) and a picture or video of the person the ID belongs to.
@CrypticCoffee
As for me, I will never, ever use any site that demands a drivers license or a face scan to get on. I'd sooner totally disconnect from the open Internet and move all my work to the darknet only.
I don’t think so. Porn is very much a mental thing too, not just a visual one. Knowing none of the subjects of the pictures and videos exist will ruin it for a lot of people.
Um, so, pretend you didn’t hear this from me, but there are LoRas you can use and even train yourself from a handful of sample images, for anyone in the world that you want to see.
@CrypticCoffee Counter to that is obvious: DO NOT USE legal access modes, use Tor instead and access only sites that "block" the UK instead of complying.
Hopefully most porn sites will do exactly that, like Pornhub already did to US states that demand driver's license uploads (including Utah and Arkansa). When they attempted to comply with such a demand from Louisiana, open traffic from there dropped 80% and presumably VPN and Tor access jumped.
This told all porn sites that it's not worth the programmer time to even attempt to service legal traffic from such jurisdictions. Block non-Tor/non-VPN connections and enjoy immunity.
Best of all, it only takes ONE jurisdiction on the whole planet that won't censor porn to make these measures globally ineffective. Crack anywhere, play everywhere. This gives new meaning to saying "fuck you" to the government.
Any attempt by the UK to block Tor will fail: China can't reliably block it, and the Great Firewall of China has far more resources than "Hadrian's Firewall." Trying to jail people for using Tor would be nearly as difficult and would also face the legal obstacle of jury nullification. This will go the way of the failed 21 drinking age and 55 mph speed limits in the US.
As governments try to crack down on porn, on dissent, and on criticism of their Great Leaders, the clearnet will be of declining importance (possibly used only for shopping) and the darknet will become more important. Embrace the power of the darknet...
Tor can be compromised though, you just need someone watching a good portion of the end nodes and hosting the fastest intermediate nodes, then run a viterbi trace back to a source. Tor is also very slow.
I’m looking at IPFS and FreeNet as viable alternatives
@tetris11 Slow yes, but if you download videos rather than stream them, slow is much less of an issue.
Even the US is not capable of watching all Tor exit and guard nodes. The UK sure as hell is not. The Torproject by the way is always looking for and decommissioning malicious Tor nodes, so the risk to any one user is low.
The usual way to attack a Tor user is to get them to connect to Tor to destination site you have compromised with javascript ON, then send a malware installer to the real target's computer. The installer then downloads a rather standard payload that tells the computer to phone home on a non-Tor connection. The widely reported 2013 incident used a Windows-only payload, today they probably add iOS and Android. Stock android that is. If it was reasonably practical for cops to see through Tor they would not put so much effort in seeing around it instead.
Things like the Silk Road takedown were very time consuming and labor-intensive, and required a lot of old fashioned exploits and unskilled admins at the targets. In other words, Tor, Signal, anything else running on an untrusted device also become untrusted. Silk Road was still brutally difficult for the cops, and that was a major, motivated investigation that unlike UK or Utah porn cops wasn't going to run into a stone wall of non-extraditability or lack of jurisidiction on someone with zero local "business presence."
BTW, do not use Google Fiber to connect to Tor to use Google privately, because if you do, Google can see your device directly(being your ISP), and see the one exit node they are talking to, allowing a confirmation attack.
Why not looking for distributed mechanism, which don’t depend on trusting central servers or particular instances on decentralized mechanisms, like jami, or similar?
What Distro are you on? I use Firefox and Brave, both as RPM now. I actually switched for convenience (keepassxc extension works, plasma extension works etc) but they are actually more secure.
Native Chromium is poorly way more secure than Firefox. When using the Browsers through Flatpak you need to remove the sandbox, so process isolation and memory stuff is gone, and replace the specific sandbox with bubblewrap.
Bubblewrap is good, but doesnt support isolated Tabs.
There are CSS exploits, but to my understanding just using Noscript in “block all by default” mode is best for security AND privacy.
I would like to like Brave, as it is more secure, but it sucks a lot. Very bloated, tab management worse, missing extensions, damn Chromium webstore and the addon not working so no updates. It is not bad, and I want to write a hardening config soon, to remove and disable all that bloat permanently.
I would not recommend Librewolf if you are advanced. For one it is a Flatpak, ironically (didnt know this a few weeks ago too) less secure. Also it lacks behind in updates a bit, not much, but this may become a problem.
I am working on this tool, should work, that keeps your Arkenfox config up to date and sets a few switches to soften it. So you add that to Firefox and dont need Librewolf anymore.
On Fedora all you need is libavcodec-freworld from rpmfusion to get everything working. But ublue.it images work best out of the box.
Edit
Why are you downvoting this? Doesnt it fit your opinion? I also dont like Chromium, but its more secure. I also didnt know that Flatpak browsers are less secure, but thats a fact.
I mean sandboxes are just pretty complex. Chromium relies on user namespaces for process isolation. Flatpak browsers are isolated but have no internal isolation of processes (one tab could attack another tab). At the same time the Flatpak sandbox itself relies on user namespaces, while the flatpakked browser cannot use the namespaces internally.
Then there is the hardened kernel which disables user namespaces for security reasons, on the other hand people say running the Sandbox as suid means if there is a vulnerability processes get root access.
Flatpak browsers put less trust in the code, but more in the maintainer that has to keep them as updated as possible.
Even though pretty old and probably outdated, some points are for sure true. Some apps like Onionshare are horribly outdated, and unless every app has at least one packager responsible for it, best official and paid, its a total mess.
These where not the sources I refer to, and it is pretty complex. Secureblue disables user namespaces and uses bubblewrap-suid for security, but after madaidans statement that would mean a hole in bubblewrap allows the app root privileges.
Thanks for the additional reading and information. Maybe it’s just me, but I feel like I hear about a security vulnerability in “processor microcode” or packages or other software basically every day. As a relatively non-technical user, it’s always very difficult to tell how much these things actually matter for normal users. Flatpaks are incredibly convenient because they “just work” and are easily compatible with immutable distributions. For better or worse, I suspect many people are not going to be dissuaded from using them by hypothetical/abstract security risks.
Flatpaks are more and less secure. Their Sandbox improves 99% of apps security as other sandboxes are hard to setup and thus nearly nonexistent.
Browsers have their own, so just dont use Flatpaks there.
I am not sure about microcode, but processes running as root are maybe more critical, but it sounds like any process could have exploits if microcode is a problem. Also, RiscV or even ARM will be waaay better here, as their instruction set is not dozens of years old and extremely bloated.
As we get our apps from secure repos, with projects keeping track of every Git commit etc, we just had no malware really.
The only problem is that Flatpaks, like appimages, “just work” and dont have to evolve like the rest of the OS will. Their main goal is to work everywhere, and Devs always choose convenience over security.
For example Portals are not implemented in most old big projects like Libreoffice, Gimp, Inkscape etc. Scribus is even X11 only. But developers will not remove the filesystem=host permission and replace it with “just all the media locations”. This will still be a problem, but at least apps could not read Kernel logs etc anymore.
Also as they “just work” its easy to abandon them and dont update. The “outdated Runtime” Warning is a veeery good indicator of a project using old and probably insecure libraries. But afaik there is no automatic CVE patching in flatpak-builder which is a huge problem.
I’ve thought about this for a long time. Nice to see it getting attention.
this is why I don’t really appreciate Graphene’s sandboxed google play services as much as I appreciate MicroG. MicroG allows you to control which GPS-compatible apps get registered to your random ID on google’s servers.
It’s also worth studying your individual apps and how exactly they handle google push notifications. I know that there are various configurations, some which allow Google to see the content of the notification and some which done. of course, regardless of that, metadata such as who it gets delivered to and when, is still there.
Years ago, I worked for a company that provided phone location for emergency services (fire, police, medical) to the big 3 cellular companies in the US. It required cell providers to install special hardware; back then, GPS was less ubiquitous, but it (still) suffers from accuracy in urban environments; it doesn’t take much to block GPS signals. Also, you don’t need access to anything more than the service provider’s logs to do trilateration; it’s harder to get GPS data from a phone without having software on the phone. In any case, Google pioneered getting around that by mapping wifi signals and supplementing poor GPS with trilateration, and it was good enough. Even back then, our lunch was being eaten by the cost of our systems, and work-arounds like wifi mapping.
Anyway, fast forward a decade and I’m working for a company that provides emergency support for customers who are traveling, and we’re looking at ways to locate customers’ business phones to provide relevant notifications. One of the issues was that there are places in the world where data connections are not great, and it was not acceptable for us to just ignore clients without data connections. One of the things we explored was called zero-length SMS. It’s what it sounds like: an SMS message with zero-length does not alert the phone, but it does cause a ping to the phone. It was an idea that didn’t pan out, but that’s not relevant.
Cell phones have a lot of power-saving algorithms that try to reduce the amount of chatter – both to reduce load on cell towers, but because all that cellular traffic is battery-intensive. So, if you’re a government trying to track a phone, and you’re working with a cell provider, and you don’t have a backdoor in the phone, then you will be able to see which cell tower the phone last spoke with, but that probably won’t give you very good location data and it may not update frequently. This is especially true in rural environments, where there’s low density and a single cell tower might have a service radius of 3 miles – that’s a lot of area.
If you’re tracking someone by phone, a normal cell connection may not be granular enough. Sending SMSes to a phone can force the phone to ping the tower and give you more data points about where the phone may be, how it’s moving, and so on.If you’re lucky, you can get pings from multiple towers, which might allow you to trilaterate to within a dozen meters.
Push notifications use data, but I wouldn’t be surprised if there’s some of that going on, too. It says “through Apple and Google’s servers” which means they’re talking about the push notification servers and not the phones. Android phones are constantly sending telemetry back to Google, so if that is what they’re doing sending push notifications is probably more useful to them for Apple phones.
The article is light on details, but that’d be my guess. Forcing traffic to get more frequent cell tower pings and more data points for trilateration.
Just been reading up on this, they’re basically using the push device ID to see when certain devices are receiving data and from what apps. It sounds like more work than its worth, but it’s clearly something that’s being used widely.
privacy
Hot
This magazine is from a federated server and may be incomplete. Browse more on the original instance.