I have my personal blog, made with Hugo and hosted on GitHub pages. Initially I did not turn on any kind of web tracking / web analytics, because I do not like tracking at all. But I want to make my blog better and to achieve it, I need a feedback loop about traffic. For example, what are the most popular publications, or how many people view my blog from mobile devices, etc.

So, my question is, what is the most appropriate (ot the less evil) way to track a web traffic?

An answer "there is no good way to do it without breaking user's privacy" is acceptable too, I did not decide yet turning on the analytics. Instead I'm interested in an opinion of the community.

Thanks in advance!

Title says it all--a fellow bricoleur just turned me on to the No Trace Project and I'm curious to know if anyone else here has looked into it and the quality of the information therein. Thanks in advance!

Is it just me or do Instagram videos loaded via Pixwox always buffer for you too?

I miss the days of VHS and DVD shelfs in homes, for example. If you bought the tapes and had them in your home, no corporate entity could alter those tapes without your consent, monitor how many times you watch them, sell your data to whomever they please without your knowledge, roll out new mandatory conditions to a 'user agreement,' or remove them from your library if/when they like.

I noticed some dumb change in how Dictionary definitions are shown in the Spotlight (ie, overall search my computer function) in MacOS this week. I've turned off all auto-updates, and I didn't make that change or consent to it. But despite paying the full price all by myself for this machine, I clearly don't have 100% control over it. It seems very clearly to me that consumers having control and privacy over their Internet-connected devices is a bygone era.

After Blizzard, the video game company, replaced copies of Warcraft 3 that I and others had paid for in full and installed on our computers that we could play without connecting to the Internet with a lower-quality copy that prohibited offline play - I swore I'd never pay for a video game again*, and 3 years later I haven't backslid on that. I felt so angry, cheated, and robbed by that. (*Edit: my criticism and frustration is really more with larger developers/companies/creators - I appreciate and am happy to support smaller, more independent and libre ones.)

Many people probably won't be bothered by these things, but I am. I don't want to pay full price for something that I don't truly own. I miss the familiarity. I miss the reliability. I miss feeling like it's mine. Dependable. Trustworthy.

Picking my old guitar up again has never looked so appealing. I think I want to go back to investing more time, money, and energy into things that aren't connected to the internet

cross-posted from: https://beehaw.org/post/13793778

Fake WhatsApp and Instagram apps that can steal personal data

Happy Net Box is an experimental internet social experience based on the arcane and near-forgotten retro internet protocol known as FINGER.

Finger is a command line tool that comes pre-installed on Macs and Windows and most Unix systems. It allows you to retrieve information about a "user" on "the internet" -- but it doesn't use the web!

This is probably not the right community but I haven't found a better one.

So I watched a video from Seytonic where he mentiond that some malware creates a windows link with the name of the usb on a usb. So I checked my usb because I remembered that I had to click 2 times on my usb to opened it. I found a link that contained cmd.exe and a name of a file next to it. Upload to the virustotal showed Raspberry Roblin worm.

I use Linux but my familly uses windows so I will have to go through all familly computers and remove the worm. Where can I find info how to remove this specific worm - Raspberry Roblin? On google I found a description about how the worm works but not specific files it creates and how to remove it.

The first page that shows up is microsoft.com and it says that windows defender detects the worm, but clearly it doesnt.

Edit: The worm was on one computer and it did not have windows defender installed. Seems like malware removed it and also disabled automatic updates. I installed MalwareBytes and sucessfully removed the worm :)

I have been pro privacy and anti data harvesting for many years now, however it is becoming increasingly more difficult staying off some platforms. Mostly Meta.

Over the years I have convinced most of my friends and family to use Signal instead of WhatsApp. However, there are still chat groups that I am missing from, and trying to keep up to date with local events seems next to impossible without Facebook or Instagram.

Additionally, I am finding it more and more tiring to have the awkward "No I don't have WhatsApp. No I don't have Facebook either. Or Instagram, sorry. Do you want to try an app that you've never heard of to stay in contact with me?" every time I meet someone new.

I saddens me that it feels like the multi-billion dollar data harvesting companies are winning, but I no longer know if this is a hill that I'm willing to die on.

What are your thoughts on what we have to give up in our lives just to stay in control of our personal information?

Hi, I was planning to encrypt my files with GPG for safety before uploading them to the cloud. However, from what I understand GPG doesn't pad files/do much to prevent file fingerprinting. I was looking around for a way to reliably pad files and encrypt metadata for them but couldn't find anything. Haven't found any recommendations on the privacyguides website either. Any help would be appreciated!

Thanks

Please write the 3 phone brands (in order please) which you think they bring the least number of third-party apps.

Notes:

• 1- PrivacyGuides recommends Google Pixel. But it is not selling on my country. I can not bring it from other countries because it will not have warrant.

• 2- We also don't have fair-phone and nothing-phone (i can not bring it from another country).

• 3- we only have: general-mobile, huawei, samsung, asus, tcl, htc, xiaomi, vivo, infinix, oneplus.

• 4- please dont recomend custom ROM. Its technically difficult for me. Also I will recommend the device to my friend (they don't have even an idead what is custom-rom)

Welp I guess this is the perfect example of companies not deleting your credentials and account info when asking for it... I deleted my Notion account several years ago. And completely randomly today got an email from them about data retention, assuming this is one of those "important" emails they have to send out. Sadly, years ago I wasnt using email-aliases like I am today, so still stuck with them having my email. Fuck I hate this so much. Thought I'd just share this lesson, use alises my friends!

I wanted to degoogle since Google has been most annoying so far with S21FE. Was thinking of getting Pixel 8a but due to mixed reivews I was looking for other phones. Thoughts on this? Would be also nice if I can get some opinions from people who have the phone as well.

Wht would be people's recommendation between using Molly, Langis and Signal-FOSS? I have always used Molly for years but I'm oen to sometuhing else.

I've been a social media hermit for the past 3 years but recently I've given up and created a few accounts across different apps again. It's unreal how strict the requirements are now.

1. Give e-mail (ok)
2. Give phone number (.... eeh, ok)
3. Use the new account for a while
4. Account suspended, please upload selfie to continue (no thanks xi). There are also some verification promps where you have to record a video and rotate your face left to right

If this isn't a message to move to indie web I don't know what is

I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?

Two sentence summary of the vulnerability

When you use a commercial VPN like Mullvad or NordVPN, the VPN client tells your system to redirect all traffic through the VPN. This recent vulnerability shows that a malicious device on the network can trick your system into redirecting traffic to their device instead.

Claim: just don't connect to hostile networks!

This is hard in practice. For most people, the only "trusted" networks are your home network and your workplace. So you still have to worry about coffee shops, airports, hotels, restaurants, etc. And if you are using cellular data, the cellular tower can perform this attack to snoop on your traffic.

Claim: but I trust the hotel owner, restaurant owner, etc

This attack allows any device on the network to impersonate a DHCP server and attack your system, not just the router. And while there are router settings that can prevent devices on the network from talking to each other, afaik they are rarely used. So even if you trust the owner of the cafe, you have to also trust everybody else in the cafe.

Claim: if you use HTTPS you are safe!

If the attacker redirects traffic to their machine, then even if you use HTTPS, the attacker can still see what websites you connect to, they just can't see what you are sending or receiving. So basically they can steal your browsing history, which defeats the purpose of a commercial VPN for many users.

Claim: Linux users are safe!

Not quite. The report says that Linux has a feature that is able to fully defend against this vulnerability, called network namespaces. So if your VPN uses that, congratulations. Afaik most VPNs do not use this, and instead use a kill-switch or a firewall. In which case Linux, Mac, and Windows users are all affected the same way, and I go into it more in the next claim.

Claim: if you use a kill-switch you are safe!

The term "kill switch" gets thrown around a lot but there's actually two major ways that a kill-switch can be implemented. The first way is a more literal "kill switch" - when the VPN connection drops, the kill switch is triggered and blocks leaks. The other way is a persistent firewall, which blocks leaks all the time.

If your VPN client uses the first kind, then bad news, it won't protect you against this attack. This is because the VPN connection is never dropped, so the kill switch is never triggered. NordVPN was caught using this poor practice, to nobody's surprise (more info here).

If your VPN uses the second kind, then you should be safe. For example, Mullvad published a statement about how they are not vulnerable here. I would hope that any competent VPN would also use a persistent firewall, but if your VPN provider hasn't published a statement yet, unfortunately your only other option is to inspect the VPN client yourself.

That being said, even if your VPN uses a persistent firewall, you may have read in the report that there's a "side-channel" attack still possible...

Claim: even if you use a firewall, there's a side-channel attack

This is true, but from what I read the side-channel is actually very hard to pull off and gain any useful information from. You can read some discussion about it here. My takeaway is that if you're a regular user, you don't have to worry about it. But we should still push VPN providers and network engineers to use network namespaces in their applications, since they are more resistant to these kinds of attacks.

Claim: you shouldn't trust commercial VPN providers anyways

This is not really about the vulnerability but I've seen it a lot in the discussions. I think it's a mischaracterization of why people use VPNs. If you are using the internet, somebody has to send that traffic to your destination. The three major options are your ISP, a VPN provider, or Tor. Depending on your location and your circumstances, you will trust these three differently. In the EU, ISPs are not allowed to sell data. In the US, ISPs are allowed to, and have been caught doing so. VPNs can sell data too but they risk losing their entire business. Tor is much harder to judge, but the bigger issue with Tor is that many websites block it.

Further reading:

• Official Report
• Official TLDR and FAQ
• Arstechnica article
• Hacker News discussion
  • one of the original researchers is active in this discussion, see comments by @morattisec

Hey all,

I've been using a commercial VPN for years on my mobile devices and home PCs. Recently I've started to use Tailscale and realized I can easily create a self-hosted VPN on a cheap VPS with unlimited traffic.

But I'm not really sure if that's what I need. BTW, I'm not doing anything dangerous, no torrents, no illegal stuff, no journalism or whistleblowing, not even looking up abortion clinics. I just hate mass surveillance and I don't want to be constantly profiled.

Commercial VPN allows to "hide in a crowd" by sharing IP with thousands of other clients. But there are a few issues:

1. Often sites blacklist VPN IPs, so I can't get in or pass captcha
2. Performance is not very good
3. I have to trust VPN to not keep the logs and not sell data. I used Mullvad and they are considered reliable, but you never know until it's too late

With self-hosted VPN, I'm losing benefit of "hiding in crowd" as my VPN will be used only by me and maybe a couple of other people. My understanding is that my VPS outgoing traffic is from static server IP. So if I login to Facebook once, the address is associated with me. I'll also have to trust VPS provider to not analyze my traffic and sell it. On other hand, I'm still protected from my ISP spying, from exposing my real IP address to web sites, from dangers of public WiFi networks. And I might get better performance for about the same price.

What's your take on VPNs? Tell me if you are using self-hosted VPN and why.

cross-posted from: https://leminal.space/post/6433881