TrickJarrett.com

Posts Tagged: security

PrivacyGuides.org

Privacy Guides is a not-for-profit, volunteer-run project that hosts online communities and publishes news and recommendations surrounding privacy and security tools, services, and knowledge.

This is a fantastic resource with lots of recommended tools and information on how they work.

My Firefox Addons & Plugins

I think it's perhaps a good time for me to share my current Firefox plugins. You don't have to use these, but I'm sharing it as a reference in case others need them. (Also, it's useful if I get a new machine and need to find my plugins quickly.)

Bitwarden - My password manager of choice. Please, use a password manager. I wrote about them in "Hacked 101," an older post about security.

Privacy

I have a set of plugins which I use to try and minimize trackers and other 3rd-party data gatherers. They can be annoying sometimes as they will sometimes interfere with page functionality, but if you regularly visit new pages and corners of the internet, this sort of privacy is excellent.

Decentraleyes - This tool is dedicated to trying to prevent tracking from sites which utilize data-gathering content delivery networks for things like JavaScript, etc.

Privacy Badger - Run by the EFF, it blocks invisible trackers on pages.

uBlock Origin - Again, it blocks problematic elements on pages, as well as ads.

While not a Firefox extension, and thus not part of this post's central theme, I do utilize a Pi-hole for the house which also blocks ads and trackers for our entire network.

Extra Functionality

Containers - Containers is a functionality offered in both Firefox and Chrome. I don't know if Edge provides it. But essentially it lets you segment your internet usage. I do the vast majority of my web usage in the primary container, but sometimes I will open a new container, or as you'll see, some sites are cordoned off.

Container Bookmarks - Allow me to set bookmarks to open in specific containers.

Facebook Container - This extension puts all of Meta's properties into their own container, greatly hampering Meta's ability to track me across the web.

Sticky Window Containers - With Containers, my primary use-case is for differentiating work and personal web browsing. This plugin opens new tabs in the same container as the first tab in the window.

Tampermonkey - Once upon a time there was a plugin called Greasemonkey. It allowed you to write scripts which were executed on pages which matched settings. So you could automatically hide things on websites, or add additional functionality, etc. Greasemonkey is no longer maintained, but there are a number of forks, such as this one.

MarkDownload - Markdown is a text-only syntax which provides formatting of text, such as bold, etc. The back end of this blog is written in Markdown, and I maintain a personal library of Markdown text in an Obsidian MD vault. This plugin makes it easier for me to pull text from the web into this blog, or into Obsidian.

Reddit Enhancement Suite - Yes, I still use Reddit. Yes, I still use the old template on Reddit. RES provides a multitude of functions on Reddit which make the site usable for me. I hate the redesign and rely on RES.

Simple Translate - A quick in-browser context menu-based translation plugin.

Unpaywall - If I come across an academic paper I want to read but which is pay-gated, this tool quickly checks to see if that paper is available for free elsewhere on the web.

Media

BetterTTV - A staple for many who watch Twitch. It adds functions and emoji to Twitch chat.

Return YouTube Dislikes - YouTube now hides the dislikes of a video within their API. This plugin re-adds it to the videos (when able).

Save WebP as PNG or JPG - WebP has a lot of upside for websites, but it is not yet fully embedded and useful when downloaded on desktops. This plugin allows me to easily download a WebP into a more usable format.

Tags: browser, personal technology, privacy, security, firefox

Apple does passwords smarter

Daring Fireball turned me onto this blog post about some of the password generation tools iOS uses to make passwords easier to type, but no less strong.

To make these passwords easier to type on suboptimal keyboard layouts like my colleague's game controller, where the mode switching might be difficult, these new passwords are actually dominated by lowercase characters. And to make it easier to short-term have in your head little chunks of it to bring over to the other device, the passwords are based on syllables. That's consonant, vowel, consonant patterns. With these considerations put together, in our experience, these passwords are actually a lot easier to type on a foreign, weird keyboard, in the rare instances where that might be needed for some of our users.

And we weren't going to make any changes to our password format unless we can guarantee that it was as strong or stronger than our old format. So if you want to talk in terms of Shannon entropy once again, these new passwords have 71 bits of entropy, up from the 69 from the previous format. And a little tidbit for folks who are trying to match our math — [note that] we actually have a dictionary of offensive terms on device that we filter these generated passwords against and we'll skip over passwords that we generate that contain those offensive substrings.

So these new passwords are 20 characters long. They contain the standard stuff, an uppercase character. They're dominated by lowercase. We chose a symbol to use, which is hyphen. We put two of them in there, and a single [digit]. We picked this length and the mix of characters to be compatible with a good mix of existing websites.

And a few more details: These aren't real syllables as defined by any language. We have a certain number of characters we consider to be consonants, which is 19. Another set we consider to be vowels, which is six. And we pick them at random. There are five positions for where the digit can go, which is on either side of the hyphen or at the end of the password.
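The format quoted above is concrete enough to implement, so here is an added example in Python. It is not Apple's code and not from the quoted post: it builds 20-character passwords in the described shape (three six-letter consonant-vowel-consonant groups joined by two hyphens, one digit at one of the five positions named, and one uppercase letter) and computes the Shannon entropy of that construction. The particular 19 consonants and 6 vowels, the rule that the uppercase letter may land on any letter, and the omission of the offensive-word filter are assumptions. Under them the entropy comes out at about 72 bits, close to but not exactly the 71 bits the post cites, which suggests Apple's exact placement rules differ slightly from these assumptions.

```python
import math
import secrets
import string

# Alphabet sizes come from the quoted description: 19 consonants and 6 vowels.
# Which letters Apple actually uses is not stated, so this split is an assumption
# (l and y are treated as the two letters left out of the consonant set).
CONSONANTS = "bcdfghjkmnpqrstvwxz"   # 19 letters
VOWELS = "aeiouy"                   # 6 letters

LENGTH = 20
HYPHEN_POSITIONS = (6, 13)          # "cvccvc-cvccvc-cvccvc"
# The digit may sit on either side of each hyphen or at the very end: five positions.
# Every one of these indices is a consonant slot in the pattern above.
DIGIT_POSITIONS = (5, 7, 12, 14, 19)


def _syllable(rng):
    """One consonant-vowel-consonant chunk, each letter drawn uniformly."""
    return rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CONSONANTS)


def generate(rng=None):
    """Build one password in the assumed Apple-style format.

    rng defaults to a CSPRNG; a seeded random.Random may be passed for tests.
    """
    if rng is None:
        rng = secrets.SystemRandom()
    groups = [_syllable(rng) + _syllable(rng) for _ in range(3)]
    chars = list("-".join(groups))                 # 6 + 1 + 6 + 1 + 6 = 20 characters
    chars[rng.choice(DIGIT_POSITIONS)] = rng.choice(string.digits)
    letter_slots = [i for i, c in enumerate(chars) if c.isalpha()]   # 17 letters remain
    upper_at = rng.choice(letter_slots)
    chars[upper_at] = chars[upper_at].upper()
    return "".join(chars)


def is_valid(pw):
    """Check that a string matches the assumed format exactly."""
    if len(pw) != LENGTH:
        return False
    if any(pw[i] != "-" for i in HYPHEN_POSITIONS):
        return False
    digit_at = [i for i, c in enumerate(pw) if c.isdigit()]
    if len(digit_at) != 1 or digit_at[0] not in DIGIT_POSITIONS:
        return False
    if sum(c.isupper() for c in pw) != 1:
        return False
    for i, c in enumerate(pw):
        if i in HYPHEN_POSITIONS or i in digit_at:
            continue
        # Map the index back to its 0..5 slot inside its six-letter group.
        slot = i if i < 6 else (i - 7 if i < 13 else i - 14)
        pool = VOWELS if slot % 3 == 1 else CONSONANTS   # pattern is C V C C V C
        if c.lower() not in pool:
            return False
    return True


def entropy_bits():
    """Shannon entropy of generate(), assuming every choice is uniform and independent.

    Each choice is recoverable from the output string, so the entropy is simply the
    log2 of the number of distinct choice combinations.
    """
    consonant_slots = 12 - 1   # twelve consonant slots, one is overwritten by the digit
    vowel_slots = 6
    bits = consonant_slots * math.log2(len(CONSONANTS))
    bits += vowel_slots * math.log2(len(VOWELS))
    bits += math.log2(len(DIGIT_POSITIONS) * len(string.digits))   # digit position and value
    bits += math.log2(LENGTH - len(HYPHEN_POSITIONS) - 1)          # which of 17 letters is uppercased
    return bits


if __name__ == "__main__":
    for _ in range(3):
        print(generate())
    print(f"entropy under these assumptions: {entropy_bits():.2f} bits")
```

The entropy function is the useful part for anyone checking a password policy: it shows that dropping the symbol and digit requirements down to one hyphen pair and a single digit costs very little, because almost all of the strength comes from the 17 random letters. The `rng` parameter exists only so the generator can be driven deterministically in a test; production callers should leave it at the `SystemRandom` default.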

Tags: password, security

Facebook rolling out end-to-end encryption on messenger chats and calls

Tags: facebook, privacy, encryption, security

My Firefox Extensions

It struck me this morning that it may be useful or, perhaps interesting, to archive the Extensions I currently use in Firefox. The extensibility of browsers today is fantastic.

  1. Bitwarden - Password Manager
  2. Decentraleyes - Privacy tool which works by attempting to block unnecessary calls to content distribution networks.
  3. Easy Screenshot - Tool to easily snag screenshots of pages. I primarily use it to snag photos of complete pages, where it scrolls down, screencaps, and then stitches them together.
  4. Facebook Container - Forces Facebook and Instagram pages into their own container, which blocks them from tracking you across the web.
  5. Feed Preview - It returns and enhances the ability to preview RSS feeds.
  6. Firefox Multi-Account Containers - I live and die by multi-containers in Firefox. The majority of it is so that I can easily differentiate Work and Personal credentials, etc. But I use it for all sorts of things.
  7. Firefox Translations - Mostly so I can test and experiment with Mozilla's local translation tool, meaning it doesn't interface with Google etc. Overall it's good, but not perfect.
  8. GIPHY for Firefox - Honestly, I use it largely to enable quick and easy gif access for posting on Mastodon.
  9. Privacy Badger - Privacy tool from EFF. It's not as good as it used to be, but it still blocks some tracking tools.
  10. Reddit Enhancement Suite - As a longtime Redditor who still uses the old layout, I rely on it; it enables and enhances a bunch of functions on Reddit.
  11. Return YouTube Dislike - Using the API, it allows me to see the dislikes on YouTube videos.
  12. Simple Translate - Integrates with Google's Translate for easy on-the-fly translation.
  13. Soundfixer - It allows me to manage volumes for individual tabs in Firefox, very useful for my laptop, which has dinky speakers, when I want to boost a tab's volume over 100%.
  14. Sticky Window Containers - Another tool for the account containers; this one has tabs in a window open in the same container as the first tab in the window. This also lets me easily do the work/home split.
  15. uBlock Origin - The best ad blocker ever.
  16. Unpaywall - Legally find free access to academic articles.

Tags: firefox, browser, security, privacy

Bitwarden enables passwordless authentication on the desktop / laptop

If you aren't using a password manager, please reconsider. Seriously.

This feature for Bitwarden is super cool and super important. It means you can make your passwords that much more secure while also having the convenience of not having to type a very long password, instead relying on your mobile phone to act as your key.

Tags: security, password manager, digital security

"The Quiet Invasion of 'Big Information'"

I recently removed Twitter and TikTok from my phone, primarily because of productivity and not feeling I was getting the value I wanted from them, but also, partly, out of a concern for privacy.

I don't think removing those apps will make a substantial change in my digital footprint, and the reality is, I hardly make an effort to be anonymous online. I willingly answer questions from Google about my behaviors, both online and offline, for pennies ("When were you at Fred Meyer last?" or "Do you remember this YouTube video?").

This article, which is an excerpt from "Data Cartels" by Sarah Lamdan, is a grim reminder of what I largely already knew. These massive businesses, which do what people just 30 years ago would have considered obscene observation and stalking, make huge profits because of it.

Despite being a billion-dollar data and information business—just one of RELX's brands, alone, has profit margins that rival Apple, Google, and Amazon's—RELX doesn't get the same level of public scrutiny that those other companies do.

We regularly hear, most recently in conjunction with Musk's Twitter moves, that if you're not paying for it, you, yourself, are the product. But the truth is you are already the product. No matter what we do, where we go, we are being tracked.

My mother-in-law was frustrated about getting texts for political candidates in Washington state even though she lives in Florida. She has a very small online footprint, but I suspect it's big enough. I didn't want to make her worried, so I glided over some of the details, but I noted that I suspect her phone was registered on a tower or network here in Washington and that that was recorded and then sold to the political marketers for this campaign.

I truly think we are approaching an epoch change in regards to online privacy and data, though it will be messy and, honestly, likely Sisyphean with too much already being out there and too many freedoms already lost.

I'm adding the book to my steadily growing pile of "things I need to read eventually."

Data Cartels by Sarah Lamdan

Tags: privacy, security, digital security, digital life

ATM skimmers are insane, a look at some ultra thin card skimmers in use

Security Researchers can use a SATA cable inside a computer to transmit data wirelessly to a nearby receiver

Dubbed the 'SATAn' attack, this is not an attack normal people need to be worried about, but it's pretty wild technology. Bolding for emphasis is mine:

This paper introduces a new type of attack on isolated, air-gapped workstations. Although air-gap computers have no wireless connectivity, we show that attackers can use the SATA cable as a wireless antenna to transfer radio signals at the 6 GHz frequency band. The Serial ATA (SATA) is a bus interface widely used in modern computers and connects the host bus to mass storage devices such as hard disk drives, optical drives, and solid-state drives. The prevalence of the SATA interface makes this attack highly available to attackers in a wide range of computer systems and IT environments. We discuss related work on this topic and provide technical background. We show the design of the transmitter and receiver and present the implementation of these components. We also demonstrate the attack on different computers and provide the evaluation. The results show that attackers can use the SATA cable to transfer a brief amount of sensitive information from highly secured, air-gap computers wirelessly to a nearby receiver. Furthermore, we show that the attack can operate from user mode, is effective even from inside a Virtual Machine (VM), and can successfully work with other running workloads in the background. Finally, we discuss defense and mitigation techniques for this new air-gap attack.

Tags: security, hacking

Axie Infinity was taken down by a fake job offer

Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, lost $540 million in crypto to an exploit in March. While the US government later tied the incident to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed.

The Block can now reveal that a fake job ad was Ronin’s undoing.

According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist.

[...]

The fake “offer” was delivered in the form of a PDF document, which the engineer downloaded — allowing spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and take over four out of nine validators on the Ronin network — leaving them just one validator short of total control.

In a post-mortem blog post on the hack, published April 27, Sky Mavis said: “Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”

The hackers are reportedly out of North Korea. The article highlights this article which notes that they have used similar tactics with aerospace and defense contractors. It's hard to blame anyone for falling for these. This isn't a Nigerian prince emailing, this is a company that looks legit and puts you through many rounds of interviews, just to get you to download a PDF.

Tags: security, hacking, cryptocurrency

I’ve locked myself out of my digital life

This is the stuff of nightmares. I'll have to think hard about how I can take steps to overcome the worst case scenario. Definitely going to put some steps in place in case something like this ever happens to me.

Tags: technology, security, nightmare

Hello Google. Yes, I appreciate you encrypting every search. You've told me about it every search I've made for the last several days. Please stop.

Tags: google, security

Common NFT scams and how to avoid them

Tags: scams, security, nft, cryptocurrency

Aegis - 2-factor Authentication App

Yesterday I moved my 2-factor authentication from FreeOTP to Aegis. I did this because Aegis can make encrypted backups, so in case something happens to my phone, I can download the backup and have Aegis set up again, rather than using backup codes or going through hoops to recover my accounts.

It's Android only, but is open source, and available on F-Droid as well as the Google App Store.

Tags: android, open source, security