-
• #2952
Fresh information about how a backdoor forced on Juniper Networks by the NSA/DoD was exploited by Chinese hackers for maximum pwnage.
-
• #2953
I thought this was a nicely explained article
-
• #2954
even if it were somehow possible to create a magic back door to encryption that only the good guys could use (which it isn’t)
Lol. Which is worse: politicians who don't believe in dinosaurs or ones who don't believe in prime numbers
-
• #2956
This is probably the best place to say it...
From January 2023 ad-blockers on Chrome will no longer work https://www.theregister.com/2021/09/27/google_chrome_manifest_v2_extensions/
You have 15 months to fully migrate your browser to something else if you want to not be constantly tracked and under surveillance by the ad industry on the web.
There's only one viable alternative, and that is Firefox.
Example of why your choice does not include Safari: https://caniuse.com/ping . The ping attribute on anchors sends a tracking ping back to a source when the link is clicked. Only Firefox refused to add this.
That kind of thing spans every bit of the philosophy of Chrome, Safari and Firefox... Firefox being the only one that actually seeks to protect privacy.
How I use browsers:
- I use Chrome as a sandbox for only Google things. I.e. Gmail, Gsuite, etc. Nothing else.
- I use Firefox for all other browsing. It is set as the default browser.
Additionally with Firefox I use NoScript... I browse the internet with JavaScript disabled, only enabling it if a site is broken and I really want to view the site. It's rare that I need to, most sites are improved by JS being disabled, i.e. something like a news site works great with JS disabled but is unreadable with it enabled.
When JS is enabled, then on Firefox I also use uBlock.
Below all of this is NextDNS and network level blocking. Some things like Facebook are 100% blocked on my network (including all of the companies they own).
The internet is wonderful without advertising.
-
• #2957
Thanks for this.
There's only one viable alternative, and that is Firefox.
What about Brave?
-
• #2958
What about Duckduckgo VB?
-
• #2959
What about Brave?
Weird business model with crypto currency adverts... and based on Chromium. So... cannot guarantee ad-blockers work in future, no dedicated security team to keep Chromium base updated independent of the Google stuff, and it's fundamentally still limited to the same privacy boundaries Chrome has... i.e. not that many.
Firefox is the best browser there is, and the old issues of memory use are no longer an issue.
That said, if you like Brave and want something like it, there's the Dot browser which is similar though based on Firefox. I'd recommend that if Firefox isn't the UX you want. https://www.dothq.co/en
-
• #2960
What about Duckduckgo VB?
It's not really a browser, it's a search engine. What they offer via Android store isn't really equivalent.
I have DDG in Firefox as the default search, but I'd be fibbing if I said I wasn't using hashbang to search via Google a lot. Google's UK results are pretty good.
But this is about browsers rather than search engines, etc. I'm not saying to people that they should purge Google 100% from their lives... just that Google, Facebook, etc shouldn't have full surveillance capability over your lives, and the simplest way to avoid that is to use Firefox.
-
• #2961
Cheers. 👍
-
• #2962
Interesting... Thanks. Will reorganise my browsers. I think I use FF on my desktop and DDG browser on my phone. I avoid Chrome like the plague but really should be using it for Gmail.
-
• #2963
Is there a forum approved password manager?
And a VPN while we're at it.
I have a surfshark VPN, and another before that, but found the speed sucked so I use them less and less stupidly.
-
• #2964
BitWarden https://bitwarden.com/ is the one I swear by currently. Open source, all platforms.
For 2FA apps, on Android I now swear by Aegis https://getaegis.app/ ... but mostly because it works and it enables import / export and my 2FA secrets would be hellish to reproduce so being able to back them up within my control is great.
For VPN it depends what you want one for... but if privacy / security then https://mullvad.net/en/ are the only game in town (that has actively stood up for the principles by which they claim to operate). If it's for pure geolocation detection avoidance for things like Netflix... I dunno, I don't do that so I'm not sure if this is a fit for that.
-
• #2965
Thanks, very helpful.
So for personal use you would use basic Bitwarden plus a separate 2FA?
Why not Bitwarden 2FA?
-
• #2966
Why not Bitwarden 2FA?
Putting both passwords and 2FA in one place creates a single thing that if compromised now provides access to everything.
At least keeping them separate means if you have Bitwarden installed and logged in and you've left your device unattended, that the 2FA isn't also compromised at the same time.
So I use different apps, and set the security of the 2FA to need biometric on every occasion.
-
• #2967
If you want a VPN for Netflix and suchlike that works on iOS, Android, Firestick etc then IPVanish is great
-
• #2968
Duckduckgo are offering a .duck email address that forwards to your regular email for use in online forms. Also offers a onetime random email function. They remove email trackers before forwarding.
Seems like a good idea (?) rather than have a real email address stored on a company's server.
-
• #2969
https://signal.org/bigbrother/cd-california-grand-jury/
Gotta love it. Also the format in which the data is presented.
-
• #2970
I seem to remember you used to use Authy but had some issues. How did you export from Authy to Aegis, I can't see an option and I assume setting them all up again would be an absolute ballache (or is that what prompted the move)?
-
• #2971
How did you export from Authy
I researched a load of approaches and it can be reduced to this:
- You need to export the secrets behind the tokens
- You can either do this via JavaScript within the web based version of Authy (the extension) or by communicating with Authy and unlocking and reading the vault of secrets.
I found the web based extension never listed all of my accounts... so whilst this is the most documented approach it didn't work for me.
But... I stumbled upon this https://github.com/alexzorin/authy which is written in Go and was effortless to run, and it perfectly exported every secret from the Authy vault (by communicating with the Authy servers).
Once I had the export, I had to then test whether the secret worked in Aegis... when I proved a couple produced the same value (by manually importing them via taking the secret and dropping it into a QR generator... the secret looks like a URL)... then I did an export from Aegis, looked at the differences between what was exported by the tool and what Aegis expects... I edited the export to match Aegis (very minor changes), and then imported the entire export as if Aegis had exported it.
The import / export file is basically a single secret (looks like a URL) per line. So it's really simple.
This entire thing took about an hour, and most of that was me choosing to manually verify every TOTP token that was generated.
At the end... I uninstalled (but didn't close the account) Authy. If you have any Authy 7-digit codes you need to not close your account as it will invalidate the token on their side. If you only have 6-digit codes then feel free to close the Authy account.
But that's it... and now, whenever I add a new TOTP to Aegis, I export afterwards and I keep the export safe.
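The verification step described in #2971 (confirming that each exported secret produces the expected code before relying on the new app), as an added example that is not part of the original post or of the linked Go tool. It assumes the export holds one `otpauth://totp/...` URI per line; the sample lines are constructed and use the RFC 6238 test secret, not a real account.

```python
import base64
import hmac
from urllib.parse import parse_qs, unquote, urlparse

def parse_otpauth(line):
    """Parse one otpauth://totp/... line; unspecified fields take RFC 6238 defaults."""
    u = urlparse(line.strip())
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    entry = {
        "label": unquote(u.path.lstrip("/")),
        "secret": q.get("secret", "").replace(" ", "").rstrip("=").upper(),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }
    if (not entry["secret"] or entry["period"] <= 0 or not 6 <= entry["digits"] <= 8
            or entry["algorithm"] not in ("SHA1", "SHA256", "SHA512")):
        raise ValueError("missing secret or unsupported digits/period/algorithm")
    return entry

def totp(entry, at):
    """RFC 6238 code for `entry` at Unix time `at`."""
    s = entry["secret"]
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore base32 padding
    counter = (int(at) // entry["period"]).to_bytes(8, "big")
    digest = hmac.new(key, counter, entry["algorithm"].lower()).digest()
    off = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = int.from_bytes(digest[off:off + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** entry["digits"]).zfill(entry["digits"])

def check_export(text, at):
    """One (label, code) per line; a line that fails to parse is reported, not skipped."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            e = parse_otpauth(line)
            out.append((e["label"], totp(e, at)))
        except ValueError as err:  # includes base32 decoding errors
            out.append((f"line {n}", f"ERROR: {err}"))
    return out

# Constructed sample export (RFC 6238 test secret; the third line is deliberately broken).
SAMPLE = """otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example
otpauth://totp/Example:bob?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&digits=7&period=10
otpauth://totp/Broken:carol?secret=not-base32!
"""
```

Calling `check_export(text, time.time())` on a real export gives codes to compare against what the authenticator app shows at the same moment; treat the export file itself as a credential store, since every line is a live secret.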
-
• #2972
Cheers, much easier than the other options of Chrome developer consoles and the like.
Only one of my codes didn't import correctly and I have no idea what that was for as I can't find a matching login. No editing was needed. All my codes are 6 digit (bar the one that didn't import correctly) so I'll give it a brief test but think I should be good to move.
-
• #2973
Friend accidentally clicked on a link on a Facebook message on their mobile.
They closed it almost immediately. They've changed their FB Password.
No apps installed, nothing in the downloads folder.
What's the worst case, and is there anything else they should do?
Cheers.
-
• #2974
I've noticed a large number of hacked accounts recently.
-
• #2975
It was such an easy mistake, done instinctively. They are selling some stuff and someone msg to ask if this [link] was what they were selling. The link looked like a Google search link.
TBH it might have actually been a legit link.
@hugo7 thank you