cross-posted from: https://links.hackliberty.org/post/2005038

I know this is an outrageously bad idea, I don't need convincing. I am just looking for some more information and discussion on what exactly the exposure and surveillance risk is.

I'm asking both for my own education (I am still very green to networking), and to better explain to people in my life if and why they should care.

1. Is it true that traffic can be tracked and logged by ISP through DNS lookups, as these routers are preconfigured to use their internal dns service?

2. If this is changed (like base.dns.mullvad.net), how much does this actually mitigate the risk here?

3. What about when a VPN (mullvad) is also being used at all times? Would it then be "overly paranoid" to fear this untrusted box all the traffic goes through?

I personally take a conservative approach to things like this and assume it's an unacceptable risk, but I don't really understand what the truth is.

Thank you in advance for your time and thoughts.

EDIT: I'm asking about US and US adjacent areas

Isn't the value of two factor auth that it requires a physical device (your phone or computer) with the auth key to authenticate you? Then why don't many two factor auth apps seem to support syncing? If it's fine to do so, are there any open source cross platform apps that sync keys?

Death Note Anonymity analysis by Gwern.

I think it would be valuable to read for people here, especially newbies and "privacy bros" to understand how ~~privacy~~ (anonymity) actually works.

Given a perfect weapon, can you commit a perfect crime?

The answer is surprisingly close to no.

Everything you do bleeds information.

A perfect crime is one that wasn't even noticed. If a perfect crime gets noticed it immediately reveals the following: you are smart and you have the knowledge and weapons to commit a perfect crime, and in a murder you must have had a motive, instantly ruling out 99% of the human population.

On the web you can be tracked using almost anything: browser window size, word choice, times you are online, internet connection delay, negative qualities like not giving your language will exclude the majority of people who do.

In fact, just this post alone is sufficient to narrow me down to less than a million (maybe even a few thousand) people.

Edit: This is actually about anonymity, privacy is slightly different, but I think this is still relevant to privacy.

https://reddit.com/r/privacy/comments/v624di/apple_tracks_you_even_if_you_dont_have_apple/

We investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.

https://www.scss.tcd.ie/doug.leith/apple_google.pdf

Fingerprinting works by collecting bits of information about the browser and device to identify users. Couldn't browsers see when a website gets such info with JS and either prevent or ask permission from the user for the website to make HTTP requests to upload such information to the website. Idk if they do something like this already.

iOS is very good about sandboxing and only letting apps run things while the app is open and focused on. It shows green and orange dots when the camera or mic is being used, and none of my use them without saying so and they only do so when they actually need them. If that is the case, are there any potential privacy issues with it?

I've been looking at using email aliases services, and right now I'm thinking of using Simplelogin for all my online accounts and accounts where I can change my email easily, and getting my own domain to share with people and where I can't easily update my email. It seems like I shouldn't use my own domain for online services because it would be unique and can be tracked.

I did lots of reading about this and am still wondering why someone would want to opt for catch-all domains over aliases. Catch-alls seem highly susceptible to spam and while I haven't actually done any email aliasing yet, it doesn't seem to take much effort to make a new alias if you have a plan with unlimited aliases.

All I found was this comment about the difference.

Premium domain is only available when you have premium, because fewer people pay and fewer people use it, so there is less abuse and the domain name has better reputation, so when you public domain is not working, using the premium domain may be able to register.

I did the tests on fingerprint.com/demo/ and https://coveryourtracks.eff.org/ and they both said I have a unique fingerprint, even when I enabled privacy.resistFingerprinting to True.

https://themarkup.org/blacklight, I put in a few sites, including a full Reddit post URL and it reported 0 trackers. Does this site work well, are there other sites for seeing trackers on websites that work well?

"Google has announced plans to store Maps Timeline data locally on users' devices instead of their Google account effective December 1, 2024."

"The development is part of a series of changes the company has enacted in response to allegations that it misled consumers and illegally tracked their movements despite turning off Location History from the account settings by taking advantage of the non-obvious Web & App Activity setting."

I don't want to sound like a "aluminum foil hat" guy but I'm concerned about CCTV cameras (private and public) around our towns.

All of these cameras do not send the stream to private servers (as the closed circuit would imply) but it's sent to the manufacturers' servers, usually in countries unfriendly to privacy regulations, let alone to human rights. I don't think I'm in immediate danger, but I personally think they likely flow into some AI models and into some government-controlled hands in order to do whatever they want with it.

Another risk is the fact they're very insecure.

I don't know how to battle this. I try not to look directly into a camera when I see one, but that's it. I wish more people would be aware of such risks.