Privacy Guides

Is it safe to store OTP tokens on the same device? Even if app is encrypted and locked with passcode?

edit: Thanks for all the recommendations!

I wanted to add hardware 2FA to Apple ID, and noticed this particularly strange requirement.

I get that two keys is ideal (one as daily driver and one as a backup), but who actually REGULARLY uses both keys? Seems strange.

Can anyone who has this already setup shed some light?

A bipartisan team of U.S. lawmakers has introduced new legislation intended to curb the FBI's sweeping surveillance powers, saying the bill helps close the loopholes that allow officials to seize Americans' data without a warrant.

The bill follows more than a decade of debate over post-Sept. 11, 2001, surveillance powers that allow domestic law enforcement to warrantlessly scan the vast mountains of data gathered by America's foreign surveillance apparatus.

Clients like Thunderbird are great because you have everything stored locally so you can easily search offline. They also support encrypting and decrypting emails in PGP. However, they seem to have the same limitation as protonmail where you can't search through encrypted emails.

I know that protonmail can't just store your key at their server since that would defeat the purpose, so the emails are all ciphertext to them right? But in Thunderbird, you already have the key and decrypt everything all the time. So why can't you skip the middleman in your local machine and store everything locally in plaintext? It's not less secure since if your local machine is compromised, your private key is also compromised.

Or at the very least give us the option and have a slightly less secure but much more convenient option.

I've been wanting to move away from Dropbox for a long while, but I haven't been able to find a suitable replacement. Dropbox has always been super convenient and has just worked for me.

I've tried Tresoit but the low link sharing limits (2gb) and 10gb limit for files is somewhat of a deal breaker for me. I've been interested in Proton Drive for a while, but until their mac app is ready it's unusable for me.

I've also tried self-hosting a nextcloud instance (multiple times) but I've always just had too many issues with it. It's been inconsistent in actually backing up files from my mac, I've had so many file conflicts, etc. I have a truenas scale server, so if there are other self-hosted methods I should try let me know.

Currently, I'm looking at filen and sync.com, but I've heard both have their issues so I'm curious to hear everyones thoughts on them as well.

Thanks!

When I try using the normal way in Windows 10, it throws an error. I have some videos I uploaded to a YouTube channel a long time ago, and I'd like to share them, but first I need to remove the metadata.

The normal way I do this for images is to right click and select "Remove Properties and Personal Information," but when I try to do this with an mp4, it doesn't succeed. I've checked the security settings to make sure I have full control over this file, which I do, but it seems impossible to remove this metadata. I've tried saving-as using VLC and even tried within different folders, but nothing works.

Surely there must be a tool to remove metadata from a mp4 just as there is with an image, but none of my searches have been helpful. I'd much appreciate it if anyone can help!

The latter has filters to block trackers and fingerprinting scripts.

Originally, I installed NoScript to follow the principle of least privillege and only allow the minimum set of permissions for domains that they require.

At first, it wasn't a problem at all because I don't visit that much websites, but occasionally I'll have to visit some fedi links and it does require giving permissions often.

It's just a good practice I picked up from the days of hardening my Linux system. Sometimes, though, I feel annoyed like in the case described above.

So, does it make any sense to keep using NoScript if my threat model doesn't include dedicated attackers, who would target me precisely with custom-made scripts?

Google has abandoned the “Web Environment Integrity” API that was supposed to allow websites to only allow approved and verified browser environments. The plan would allow websites to reject browser or even OS modifications that were “unattested” for the purpose of supposedly stopping bots, piracy, ad-blocking, and other activity Google deemed to be malicious. However, critics of the plan called it corrupt tyranny in which Google flexes it’s muscles to control the entire internet.

The plan was rejected from Firefox and Brave browsers, and could potentially shut Linux users out of many websites as there would be no telemetry company to “verify” the operating system was not modified. Further, some said it was an outright attempt by Google to force people to submit to the API even if they didn’t want to use Chrome browser.

Now this horrible tyrannical plan from Google was abandoned after severe “community backlash”, however it could see a limited version for Android Chrome only when embedded into apps themselves. Some privacy advocates criticize this move as merely a trial testing ground, where they can prove to websites and services that the concept works and then try to push it to a larger audience. These critics call for a boycott of the apps that use this functionality.

We can only hope these rotten Google executives can abandon their plans for world domination and the submission of all knowledge to pass through their ad tracking software.

https://simplifiedprivacy.com/google-abandons-web-environment-integrity/

Some good tips to preserve a bit of privacy for those who use the Strava platform.

Several suggestions in the article also apply to other fitness tracking platforms.

Police in U.S. say technology is helpful but researchers say Canada should hesitate before using it