Privacy Guides


In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.


You can subscribe to this community from any Kbin or Lemmy instance:



Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!


This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.


Moderation Rules:

  1. We prefer posting about open-source software whenever possible.
  2. This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
  3. No soliciting engagement: Don't ask for upvotes, follows, etc.
  4. Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
  5. Be civil, no violence, hate speech. Assume people here are posting in good faith.
  6. Don't repost topics which have already been covered here.
  7. News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
  8. Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
  9. No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
  10. No misinformation: Extraordinary claims must be matched with evidence.
  11. Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
  12. General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

626
 
 

Never rely on any cloud service! A good cloud-based password manager is end-to-end encrypted, meaning the password manager provider cannot access your passwords and they are secured from the provider and any compromise of the provider. But you need not only confidentiality but also reliability. The cloud is just someone else's computer that you store your data on. They can cease their service or stop providing you access to it at any time. Always have a local backup of anything important saved in a cloud.

With Bitwarden, for example, you can export your vault in unencrypted JSON and CSV format. Those are widely compatible and allow you to easily access and import your passwords.

Do not save your exported passwords unencrypted. I strongly recommend creating a dedicated VeraCrypt or LUKS container or similar and saving the export directly into that without saving it to disk unencrypted in the first place.

Note that shared organizations are not included in the standard vault export and need to be exported separately.

Edit: Someone mentioned that Bitwarden's export feature does not export attachments. So export them manually if you need to.

627
 
 

628
 
 

You can't have privacy without security

This tool does its best to determine where your system stands on each of the collectively named transient execution vulnerabilities (also sometimes called "speculative execution" vulnerabilities) that were made public since early 2018.

Check your distro is resilient to CVEs & provide guidance on how to mitigate them.

629
630
 
 

I am still new to privacy, please steer me. I see that many use RSS feeds to get their news. I was trying to use neuters as a front end to get my RSS feed started and cannot get it going.

Is a front-end even necessary for an RSS feed? Does it help with tracking? Am I approaching my news aggregator the wrong way?

I tried searching RSS generator websites for neuters since I couldn't just load the webpage into the app, but many are paid or require accounts. I have steered away from that at the moment. I just assumed every website could enroll in RSS... I was completely wrong.

I wanted to set up with NetNewsWire on iOS.

I am willing to go an entire new direction with the collective knowledge from this community.

631
 
 

I’m a firm believer that inching towards a more private life and future is a good thing in and of itself. However, I also believe that striving for a healthy social life and finding individual happiness is very important.

One area that I’m a bit lost on how to achieve better privacy is gaming. I also believe this is an area that is often overlooked. Do you all have any tips, tricks, or guides on how to game while retaining some level of privacy?

Specifically I’m referring to privacy from corporations, governments, and to a lesser extent friends. I’m also thinking about all types of games, from MMOs, to competitive FPSs, to RTS Games, to RPGs.

With Linux gaming becoming increasingly viable in conjunction with the mainstream success of the Steam Deck, I would imagine one idea for most people is kicking Windows to the curb.

632
 
 
  • Why do you use Crowdin (proprietary, bad for privacy) instead of Weblate (libre, privacy-friendly)?
  • Why do you host the project on GitHub (proprietary, bad for privacy, developers located in Crimea, Cuba, Iran, North Korea and Syria can't contribute)?
  • Why don't you mention any of the FSF-endorsed GNU/Linux distributions?
  • Why do you use a Creative Commons non-free license?
  • Why don't you recommend Libreboot or Coreboot?
633
 
 

Just because software is open source does not mean someone is actually looking at the code. But depending on the software there are incentives to do so. Some people might be technologically interested in the way a piece of software does something and look at the source code for that. Some people might want to check the benignity for themselves and actively check the source code for malicious features. With community-maintained software there are often many different independent people working on the software. Also, many open source software projects allow code commits to the software. Many eyes on the software due to many people working on it increases the chance of malicious features or vulnerabilities being discovered. A great thing about FOSS is the possibility to fork it or to use the FOS software of someone else in your software. FOSS allows and even encourages everyone to work with the software of others for one's own purpose and to modify, adapt or embed it. This leads to more people having an eye on the source code just for purely practical purposes. Open source just means publishing the source code, but FOSS is about actively reusing, improving and adapting other people's work in your own work. Security researchers might also have a look at open source software purely for their own research. Another important aspect is bug bounties. Many developers pay bounties to people who report vulnerabilities to them. That creates an incentive to audit the code. But obviously not every project, especially smaller ones, has a bug bounty program. But you could probably sponsor one for some software you like.
Lastly, there are independent third-party audits. Those can be done for a number of reasons. There can be community-paid audits through donations. VeraCrypt had one, for example. Then there might also be other organizations who want to use the software and have an interest in its security. VeraCrypt is also an example of that. The German government paid the Fraunhofer Institute for an audit of VeraCrypt.

In the end it comes down to the specific software. If someone implements a malicious feature in their software it is not necessarily going to be found just because the source code is open. If you find some random unknown software it is not secure just for being open source, but the chance of malicious features or vulnerabilities being discovered is definitely higher if it is possible to look for them in the first place.

Security critical software should be open source and audited.

This work is licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/

634
 
 

You might have old accounts, especially cloud accounts, that are just idling abandoned while still holding personal information. They might have old weak passwords just waiting to get compromised. The same goes for old email addresses that you do not use anymore but are still linked to other accounts. This is a reminder to check those, delete your data from them or to delete them altogether (delete private information manually first before deleting the account, as many companies do not actually delete the data from deleted accounts and just mark the account as deleted).

Some examples of this could be:

  • old Google accounts from old devices
  • old iCloud accounts
  • old Microsoft accounts
  • old Aol or similar email accounts
  • old accounts from smartphone vendors like Samsung, Huawei etc. that often have their own cloud services

Make sure to set strong passwords on accounts you want to keep and of course use a password manager. Besides the security, password managers have the great side effect of giving you an overview of all your accounts so that you cannot just forget old ones.

This work is licensed under CC BY-SA 4.0. To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/4.0/

635
 
 

I vaguely remember reading something about leaking your private network setup if you used Let's Encrypt to generate your certificates.
Because of this, when I installed my reverse proxy with Caddy to handle my self-hosted home network, I configured it to generate the certificates locally.
But this comes with the issue of the annoying browser warnings, plus being unable to connect to those devices/services which can't ignore them.

Am I being too paranoid? Is there any real concern about generating the certificates with Let's Encrypt for addresses which I don't intend to have outside my private network?

636
 
 

Kickstarting this community; let's discuss our favorite apps on Android & iOS.

637
 
 

I saw a post on r/privacy from the founder, and it caught my attention. What do you guys think of it?

638
 
 
639
 
 

I've seen the post saying that the lead developer is stepping down, I've seen his accusations of abuse. I've seen enormous write-ups which make questionable claims about how he's the devil himself. I've seen a lot of rumour and hearsay, and now I've got no idea what to think.

Is anyone able to give a short, unbiased summary of what's going on? (Ultimately, from a selfish point of view, I want to know if the project is likely to fall apart or if this is just bickering between egos!)

640
 
 

For a while now I've been quite happy running LibreWolf, with Bitwarden and some other privacy extensions. I've also switched over from Google to Kagi as a search engine; doesn't keep me anonymous, but I do love not being the product for once.

641
642
 
 

cross-posted from: https://feddit.de/post/721048

"While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard’s firmware updated, researchers found that it’s implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte’s intended program."

643
 
 

Links to a hopefully growing list of lemmy clients.

There is an official FOSS Lemmy app for Android called Jerboa that I'm using to create this post and it seems to work pretty well, but that's not all: there's an iOS app, some BBS-looking thing and some libraries that interact with Reddit.

Wonder how useful those will be once the API changes happen in July, maybe worth trying them while you can.

What app are you using? Any thoughts about how they work? Just the website on your phone seems way more usable than any official Reddit anything, which is nice.

Man, I can't find the submit post button. 😅 Edit: I had to select a community first

644
 
 

cross-posted from: https://beehaw.org/post/411763

...to keep running as is.

Creator of Apollo, a popular Reddit client for iOS, relays his talks with Reddit about upcoming ridiculous API pricing.

645