The New Oil

Practical privacy and simple cybersecurity.
TheNewOil.org

A few weeks ago, ProtonMail was forced to turn over the IP address and device information of a user to the Swiss government. A couple months ago, Wickr sold to Amazon. A few months before that, Signal integrated with cryptocurrency MobileCoin. Long before that, Wire moved to the US. So many services out there, none of them perfect, and all of them constantly evolving. How do you know which one to use? Better yet, how do you know when you should abandon one and move on to another after they make a major change?

Every time any critical piece of news comes out regarding a privacy tool, there’s always at least one person saying it’s time to jump ship and go to their competitor. So this week, I want to weigh in on when you really should switch services and replace one for another.

If the Service is Definitely Compromised

Let’s go ahead and get the obvious one out of the way: if a service is definitely compromised, you should jump ship. This begs the obvious question “what is definitely compromised?” Some people say that Signal is now compromised because of their MobileCoin integration. Others say Wire is compromised because of their relocation to the US. I’m not talking about that. I’m talking about “is it unarguable?” For example, Anom is definitely compromised. There is no argument there. If there is 100% credible, unarguable proof that a service has been cracked, sold, or otherwise compromised, you should drop it. Simple as that.

If the Service is Arguably Compromised

Unfortunately, if you’re unsure of whether you should switch or not, that’s likely because it’s unclear if the service is truly compromised or to what extent. In my experience, 90% of the time this is just disinformation and sensationalism spread by YouTubers looking to make ad revenue and perpetuated by haters of the service in question who are either purist/extremists (“anything that isn’t self-hosted is a honeypot”) or loyal to a competitor (“this is why everyone should drop Signal for Session”). However, there is that 10%. In my experience, the 10% of legitimate concerns boil down to two categories: theoretical and unconfirmed.

Theoretical Compromise

Let’s look at the Signal/MobileCoin incident. While the incident was extremely poorly handled, it doesn’t indicate any kind of actual compromise in the integrity of Signal’s encryption or their data handling procedures. However, I think cybersecurity expert Bruce Schneier summed it up best in his own blog post regarding the incident:

It’s that adding a cryptocurrency to an end-to-end encrypted app....invites all sorts of government investigative and regulatory meddling: by the IRS, the SEC, FinCEN, and probably the FBI.

In this case, the potential for regulatory meddling and government investigation opens up new avenues of abuse by governments that previously weren't feasible: for example, demands to log user data in the name of “national security” or “fighting fraud” or some other facade. It offers new tools for the government to exploit that previously didn’t exist. Prior to Signal integrating with MobileCoin, demands to “Know Your Customer” wouldn’t have made any sense because Signal did not handle any financial data. Now those demands suddenly seem more likely. (Signal claims they still don’t handle any user financial data and that it’s all handled by MobileCoin and their own exchanges, but it’s not hard to imagine the government forcing Signal to also log user financial transaction data that can be correlated with MobileCoin's or their exchange's data to unmask the parties involved.)

More often than not, this is the reasoning behind why a service is suddenly “compromised” when it changes hands, teams up with other services, introduces new features, or relocates. When Wire moved to the US, this was the concern. When Wickr was purchased by Amazon, the concern was not that messages suddenly became readable, but that Amazon now had access to all the metadata. In some cases, there is precedent for these concerns (like how Facebook owns WhatsApp and admits to making extensive use of user metadata). In other cases there isn’t, but that doesn’t mean that some of these theoretical abuses aren’t possible and aren’t worth noting. A “theoretical” compromise is not necessarily a current compromise of the service or project itself, but rather an increased potential for the project to become compromised that didn’t exist prior to the change introduced. It's important to be able to tell the difference between a legitimate theoretical abuse – like Schneier's concerns with regulation – and someone who just hates MobileCoin cause it's not Monero or whatever.

Unconfirmed Compromise

When I originally began writing this blog, I wanted to do a quick explanation of critical thinking, but I quickly realized that deserved an entire in-depth blog post itself. So if you haven’t read that yet, please take a few minutes to do so here. I will now assume you’ve read this post as it will be critical to this next section.

There’s an old meme that says “on the internet, nobody knows you’re a dog.” As fun as this meme is, there’s some truth to it. While our online anonymity has been largely stripped by governments and surveillance capitalism, for the average person it’s still alive and well. You have no way of knowing if the person you’re talking to is a world-renowned cybersecurity expert or if they’re a 12-year-old making things up. So when someone posts on Reddit and says “I have found cryptographic weaknesses in Matrix,” it can often be hard to know if they’re telling the truth, especially if the comment goes ignored or is hotly contested in the comments section. This is often compounded by the technical jargon of an explanation. Even the most low-level writing I’ve seen explaining various bugs and vulnerabilities typically has a few sections that leave me unsure if what I just read was actually English and just trusting the author that it made sense to someone. This can often lead to us walking around with questions about not only the validity of something, but also the severity of it. Not all threats are created equal. For example, the now-infamous Pegasus malware is a very serious and severe threat, but the nature of it means that it is often reserved for government targets like journalists, activists, and sometimes terrorists. It’s virtually impossible that the rando you pissed off on Xbox Live is going to hack your phone with Pegasus. Generally speaking, you should not be concerned about the risks of getting targeted with Pegasus. So then where does that leave us? Are iPhones unsafe because of Pegasus? Is Android any safer or harder to crack? Is Matrix’s encryption acceptable, or compromised? You can find no shortage of articles arguing both ways. This is when I think we must fall back on our critical thinking skills. Who is making this claim? What evidence are they offering? Can you confirm the person’s identity or claims? What are the risks if what they’re saying is true? What’s your threat model? Can you afford those risks? Is it worthwhile to switch just to be sure?

I think more often than not, a compromise you can’t confirm comes down to reputation, feasibility, and risk. Signal is widely reputed by experts to be secure, even if those same experts have complaints with the company itself. A single person claiming to have cracked it, to me, doesn’t move the proverbial needle enough to outweigh the reputation of Signal. Likewise, I’ve seen posts that say “hey, do you think r/AskReddit questions are actually scammers attempting to learn information for their scams?” The feasibility isn’t there: too much work to verify people, match up information, record it all individually, etc. There are easier, more feasible ways to steal user data for scams. Last but not least: risk. Is the Matrix protocol cracked? Maybe. But I’ve got some of my friends using it who would otherwise not be using any kind of encryption, and all we really talk about is sharing memes and music videos. The risk level is low, and even if Matrix is cracked we’re not using it to send passwords or credit card numbers. (I know that one is kind of a variation of “nothing to hide,” but I think of it more as “lesser of two evils.”)

Note: Threat Modeling and Compromise

It's worth remembering that your threat model also determines the extent to which a theoretical or unconfirmed compromise matters. Let’s take Wire for example: Wire moved to the US to have more funding opportunities. The US is a Five Eyes country, which means that Wire is likely now more vulnerable to court orders and other US data collection policies. If your goal is simply to protect your SMS messages from your cell carrier and avoid giving out your phone number, Wire is still a solid choice. They log very little metadata and their encryption is still considered secure. But if you’re a whistleblower, Wire may not be the best choice for you anymore because they are beholden to one of the most powerful and invasive governments on Earth. You may wish to look into other choices like Threema or self-hosting an XMPP server. As always, you are free (and I encourage you) to go above and beyond, but it’s important to know what your threat model demands so you don’t neglect important areas or negatively impact yourself by trying to do more than you need to. I mentioned earlier that some of my friends use Matrix. If Matrix is cracked, none of our conversations are sensitive enough to be at risk. For our threat model, it's not worth trying to move them all to something unarguably secure, like a self-hosted XMPP server. Your situation may require that, though.

Conclusion

Sometimes it’s easy to know when to switch services, like when you find out you’ve been doing it wrong this whole time and there’s a better way to do it. Sometimes, it’s less obvious. But hopefully between this breakdown and the critical thinking blog I linked earlier, this post has helped you know when to make that decision. And of course, as I said before, I always encourage you to go as far as you can in your privacy journey. There’s no shame in saying “I want to switch cause I think this service/product does better and I want that better protection.” Just make sure that you’re not negatively impacting your life – emotionally, mentally, or relationally – and that you’re not doing it because of the latest sensationalist headlines.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

With so much of our lives in the cloud these days, backups have become a low priority for many people, but not for us privacy/security minded folks. We know the risks of the cloud, and we value having control of our data. But this can come back to bite us when the unforeseen happens: a stolen, bricked, or otherwise inoperable device. For this reason, it’s important to make sure you have good backup habits in addition to your good privacy and security habits so your life doesn’t get turned upside down.

This post will focus specifically on examining the various services I suggest on my website, so be sure to check out the Backups page for more specific tips on how to develop good backup habits. (Side note, we have added a .org TLD, so you can find the exact same content on TheNewOil.org now!) This list will go in alphabetical order.

Cryptomator

Cryptomator is a popular choice in the privacy community because it gives you the same large amounts of free storage provided by mainstream cloud providers like Google Drive and Dropbox but with the benefit of zero-knowledge encryption. On the website, I talk about how to set up a Veracrypt container inside a mainstream cloud provider. Cryptomator is basically the same principle, but it handles the whole process for you. You set a password, and then it essentially creates an encrypted folder inside your cloud account. The advantage is that it takes all the heavy lifting out of your hands, though it does mean that you have to download an additional app onto each device where you want to use that account. As I say on the site, I discourage the use of mainstream cloud providers for many reasons, but if you have no choice this is a powerful option.

External Device

The classic, tried-and-true solution, I think an external drive is a great solution for everyone. I strictly use offline, external backups, but here’s my personal strategy to comply with the 3-2-1 rule: I have two external hard drives. My main one at home is 4TB and full disk encrypted. It contains every backup I’ve ever made. The second is a large thumb drive that is full disk encrypted and contains only the most recent backup (including copies of my passwords and scans of important documents like IDs and birth certificates). I keep this offsite, but since it’s encrypted I’m not really worried about it getting lost or stolen. I’ll simply buy another drive and keep doing it. I think for most people the ideal backup solution is probably an external drive and one of the other cloud solutions listed here.

Filen

Filen is, honestly, probably going to be the sweet spot for many people. Open source and zero-knowledge, Filen works like Dropbox or Google Drive: create an account, download the app, then it puts a folder on your device that you simply work out of. You can save files directly to that folder and work out of them in real-time. The interface is, admittedly, not the prettiest, but it works smoothly and offers 10 GB of storage for a free account, maxing out at 5 TB.

Nextcloud

Nextcloud is the gold standard for the privacy community. It’s the complete package: calendar, contacts, file storage, photo backup, countless community apps for every purpose you can imagine (my partner and I just downloaded the cookbook today), and even an E2EE messenger, meaning that not only your data but your actual metadata is controlled entirely on your server. Of course, there is one major drawback to Nextcloud: it’s entirely self-hosted. Either you have to invest the time and money into hosting it yourself, or you have to use a server you trust. As far as self-hosted services go, Nextcloud is definitely among the easiest I’ve used, but that doesn’t make it easy or feasible for the average non-techy person. If you have experience with software, I encourage you to give Nextcloud a try. Otherwise, you may want to settle for one of the others on this list. Also keep in mind that if you self-host a Nextcloud server in your home, using that with an external hard drive does not satisfy the 3-2-1 requirements.

ProtonDrive

ProtonDrive is the latest up-and-comer in the encrypted cloud storage game. Honestly, they’re probably the weakest solution here in some ways: no free tier, no mobile app, web only, not open source, and only 5 GB of storage to start. However, what they lack in features currently they make up for in other ways. For starters, ProtonDrive is still in beta, which means there are likely more apps and features to come. They also have explicitly stated that the app will be open sourced once they move out of beta (I don’t understand why not now, but whatever). Not to mention that you’re getting a trusted, reputable behemoth like Proton on your side with this service, and with the paid ProtonDrive service you also get access to the suite that the company is building: contacts, email, VPN, and calendar. They are clearly striving to compete with Google for a user-friendly, managed cloud suite that handles all your needs. This is still in progress, but there is something to be said for having a well funded company handling all the nitty-gritty, leaving you free to not stress the technical details and simply enjoy the product. But until the product develops a bit more, this solution is probably honestly only best for those who wish to pay for the other features anyways. (On that note, if you’re considering using Proton products, consider signing up via my affiliate links: email and VPN.)

Conclusion

Thankfully, we live in a day and age where encrypted cloud storage solutions are becoming more and more plentiful. This list actually leaves off some other services I’ve heard of or used like Sync and Tresorit. There’s a wide variety of good choices out there, each with their own advantages and drawbacks. I encourage you to closely examine all of them and pick the one that best suits your needs. We live in a world of increasing digital reliance: we live online, with family and friends spread across the map, and that often requires us to share files or collaborate digitally. It’s important that we value this model and protect the information we share online with encrypted cloud services. I hope this list can help give you some starting points to investigate which of these tools and services is right for you and your situation.

I once read that experience can be defined as “That thing you get right after you needed it.” Likewise, my dad used to have a sign in the bathroom that read “If you can’t be a good example, be a horrible warning.” I believe it’s very important to learn from others whenever possible, both the successes and failures. Why recreate the light bulb from scratch every time – complete with the failures – when someone already did it? It is with this mentality in mind that I thought I would take some time to look back at my early days of privacy and talk about some of my own successes and failures and things I wish I’d known or done differently.

I Wish I’d Been More Patient

I’m the kind of person that when I get a new obsession, I get really into it. My mother described my early years as “the child of phases.” I went through phases where I would only eat pancakes – breakfast, lunch, and dinner – wear cowboy boots, use a certain word at every opportunity, etc. I was notorious for latching onto something and running with it til the next thing came along. These days I tend to jump around less, but the intensity of my interests still remains. When I got into privacy, I jumped in headfirst, and while there’s absolutely nothing wrong with that, I do wish I had paced myself a little better because many of the things I ended up doing, I ended up rolling back and costing myself money. For example, I deleted Steam – the popular gaming platform. Well, this came back to bite me when I decided that while I don’t consider myself a “gamer,” I do still play casually. That meant that all the games I had previously purchased from Steam, I had to purchase again when I decided to go back. Likewise, I ended up needing Facebook for a short time after deleting it, resulting in me signing back up – and having to give up real information so I could make an account again.

Now it should be noted that there is something to be said for both of those examples. Getting rid of Steam, while it meant paying for things twice in the end, was easily reversible, and likewise getting rid of Facebook once was the stepping stone that made it possible to do it twice (and for good the second time). Often I encourage readers, if they’re unsure, to just do it, since you can always step back later if it proves to be too much. But the opposite is also true: you can start by deleting Facebook off your phone, and then after a week realize “wow, I’m doing just fine without it, may as well go all the way and delete my account entirely.”

I Wish I’d Done More Research

When you first get into privacy and security, you’re probably following the lead of one person. This may be because you don’t know any other resources (which is why I list other resources on my site), or it may be because that person resonates with you and explains stuff in a way you can understand. But this is dangerous. There is no one-size-fits-all privacy/security solution. If there was, there wouldn’t be dozens of products in the same space. (That’s also why my site is organized in “pro/con” format.) On the other hand, in many privacy forums and chat rooms you’ll find no shortage of opinions and while some of them may be valid and fact-based, many of them are still just that – opinions. While I’m fortunate enough to have developed good critical thinking skills that have helped guide me in the right direction, I still wish I had taken more time to evaluate different services myself rather than relying on popular opinion. It took me far longer than I care to admit to realize that all services come with a privacy policy and that’s a good place for me to start vetting things on my own. Or to use the search function (including open web searches) to find more information about a service’s history. Again, I was fortunate enough to not fall for any major missteps, but I could’ve done better if I had taken more time to think for myself and evaluate things on my own instead of taking them at face value because of popular consensus or what my own intro-to-privacy guru thought.

I Wish I’d Been More Fearless

This one kind of runs counter to the first one, but not really. I understand – and suffer from – the fact that life is busy and there’s more to life than just privacy or security. Bills have to get paid, the day job has to be paid attention to, there are social obligations and relationships, and other interests that also typically cost time or money. But in almost every situation where I put off something because of the time and/or money involved, I end up wishing I’d done it sooner. For example: once I FINALLY pulled the trigger and bought a DD-WRT router, that meant I could start experimenting with it sooner and finding a privacy-oriented solution that works. Now, I can rest easy knowing my network is extra secure. Or similarly: recently I came into possession of a PinePhone. After a few weeks of tinkering, I am beyond convinced that this is not a daily driver for me. Previously I had been on the fence – “maybe I can make it work… I’m not sure.” No, definitely not. And now I know I need to invest in another solution of some kind, but I still have a PinePhone to keep an eye on in case it develops further. The point is that more often than not, when I put things off it’s primarily justified due to fear of the unknown: “this will be a lot of work.” “I don’t know what I’m doing.” But more often than not, I end up finally implementing something and going “wow, how did I live without this before?” (Ironically, this is also the reply I often get when I convince people to switch to Bitwarden.) Again, this also varies. Sometimes I put things off because I’ve truly got other stuff to focus on and pay for. With privacy, there’s always more to do. It’s important to prioritize and take care of things correctly: the rent needs to be paid before I buy a Pixel for Calyx, and date night comes before the podcast – it’ll still be there waiting to be edited afterwards. But putting things off because I’m scared of the work or afraid of failure has never been smart, and I wish I’d been more willing to rise to the challenge because the sense of accomplishment and security I get from those can’t be overstated.

Conclusion

When I set out to write this blog, I expected to have a laundry list of things I wished I'd done differently, but I quickly found I didn’t have many regrets. I think this is largely due to my critical thinking skills that I mentioned earlier, but also my social skills. I’ve written a blog post about this before, too. If you’re new to privacy, I hope this blog post is still helpful. Remember: do your research and don’t be afraid to take it slow in some areas or dive in deep in others. Just remember not to go too far to the point of hurting yourself or your relationships, and take it slow to avoid burnout. Privacy is a marathon, not a sprint.

In the past, I’ve talked about how privacy is a sliding scale, and that it’s possible to have some privacy without having maximum privacy and how that’s still an improvement over having little or no privacy. I’ve also talked in the past about some of the techniques I’ve used to make people around me care about privacy. But this week, I want to marry the two ideas and talk about how to recognize progress.

I have a coworker. Let’s call him Ed. Ed is in his early 40s, but honestly could pass for mid or late thirties. He’s got a wife and two kids that he adores. When Ed and I began working together, Ed was aware of privacy concerns but wasn’t really acting on them. He knew about the dangers of manipulation of social media, the fear of his kids growing up in a panopticon world, and the risks of public information from data breaches (especially as they pertained to his kids). That’s not to say that Ed is tech-savvy. He’s never self-hosted anything a day in his life or even so much as installed Linux. I think the most advanced thing he’s ever done was when he made a Windows virtual machine with my help so he could test out some Windows-only software for work (we use Macs at work). But he’s also not tech-illiterate.

You may or may not be surprised to know that in-person, I have a hard time shutting up about privacy. It takes a lot of restraint for me, which I fortunately have come to terms with, but even so I usually still sneak in snarky comments about Facebook or try to remind people that Amazon is evil from time to time. As such, it didn’t take long for Ed to learn about my interest in privacy, and as someone who’s passingly aware of these issues it was something he began to pick my brain about from time to time.

That was about two years ago. And the other day, it occurred to me how much Ed has changed in the time I’ve known him. When we first met, he was using a flip-phone for personal, non-privacy reasons. His first switch was to Bitwarden. For other unrelated personal reasons, he finally decided to get a smartphone recently. After consulting with me, he got a used iPhone. Almost immediately, he texted me to ask what sort of steps he should take to protect it for privacy. (Of course, I sent him this page). During one of our talks about privacy and technology, Ed asked me what browser he should be using. I told him Brave, maybe Snowhaze. Our most recent employee, who joined only a few months ago, was present for that conversation and has remarked several times recently how happy he is with Brave. He said he uses DuckDuckGo cause Brave Search is kind of slow sometimes and the other day he even lamented that his younger brother still uses Google Search in Brave. On desktop, I did get all of our department to willingly switch to Firefox with the two add-ons I recommend. (I can’t afford to risk hardening Firefox or else things might break, which we can’t really have on the job).

Ed still has a long way to go. I haven’t managed to get him on Signal (or Matrix) or ProtonMail yet. He’s aware of both of them, we just haven’t had a slow day to really dig in at the office. I’m not sure if he’s started using two factor authentication. I’m also not sure if he’s frozen his kids’ credit yet, if I’ve ever talked to him about email masking, or any of that. But the other day, while at work, it occurred to me how proud I am of him and how thankful I am that he’s come so far. You have no idea how many times I’ve banged my head against the wall to get people to just TRY literally anything other than Google Chrome. I’ve explained to so many people the risks of bad passwords and the benefits – even the peripheral benefits – of Bitwarden. I’ve even made my own Nextcloud server and offered it to family and friends, plus free tech support. Some people just can’t be bothered to actually take action no matter how hard I plead, try, or overexplain. But people like Ed – and our other new guy who switched to Brave that day – they’re a rare gem. I value those people so, so much because they’re receptive and they act on it. The more people like them who care, the more social pressure it creates for others to care. I think sometimes the reason I forget to bring up privacy stuff with Ed and push him to take the next step is because I’m so scared of pushing him too hard and undoing all that progress, even though I know at this point that’s quite unlikely.

Regardless of how often I (fail to) push Ed, the epiphany I had the other day made me realize that he’s made progress, and that should be appreciated. So many people pay lip service to privacy and security by saying that they worry about the world their kids are growing up in, or they’re scared of Big Tech’s manipulation, or identity theft, but then they continue to post every second of their lives on social media and reuse weak passwords. It’s rare to see someone who actually puts their money where their mouth is and finds time to make the changes, even if it’s slow and piece-by-piece. It’s people like that that give me hope.

It’s not uncommon for me to have people reach out to me and thank me for making The New Oil, Surveillance Report, this blog, or any of the other things I do that make privacy and security accessible to novices. I don’t do this for the thanks, but honestly it still feels good. It’s not about ego, it’s about knowing that I’m making a difference, and that I’m doing my part to make the world a little bit more private and secure each day. So to all the Eds out there – the people who are taking steps forward (even slow baby steps), the people who are changing their ways to make their behavior match their values, and the people who act – thank you. I think the work I do is important, but the steps you take are just as important. You give people like me hope, you keep us motivated to keep up the good fight, and you’re part of that change. I’m rooting for you. Don’t give up.

Why Do You Need Voice-over-IP?

Before we dig into the world of VoIP, I feel it’s important to remind my readers why I recommend it in the first place. The benefits, in my opinion, cannot be overstated. In no particular order, VoIP can be used to compartmentalize your life, set healthy work/life boundaries, protect yourself from spam calls and robotexts, and protect your overall privacy. For example: if you have a VoIP number you use for work, you can disable that number each night when you get off the clock. You can also use a VoIP number for dating or selling things online, which prevents you from being stalked or harassed by a weirdo if things go south. There is no reason I can think of not to use VoIP if it’s available in your country. But are there reasons not to use MySudo specifically?

What is MySudo?

MySudo is a VoIP app for iOS and Android that offers up to nine digital identities. I say “identities” because to say “phone numbers” is to discredit MySudo’s other features: an inbox, a web browser, and virtual cards.

The Good

I think the most obvious advantage of MySudo is the number of identities you can have. I believe most people could get away with three (depending on how many minutes you need): work, personal, other. But you could do work, personal, Signal, shopping, burners, really whatever your heart desires. I do personal, important stuff (banking, medical, etc), work, Signal, The New Oil, and a few others I won’t publicly disclose here. I also have a burner one that I change the number of every month.

When contacting other MySudo users, you get the advantages of group messaging, end-to-end encryption, self-destructing messages, and even video chat. With non-users, you get SMS and voice calling. You also have an email address for each identity that you can customize (ex, nbartram@sudomail.com) which are also E2EE for other MySudo users, and a web browser for each identity that claims to block third party ads and trackers. Each identity can also create masked virtual cards that you can use online to help prevent tracking and card theft. Unlike privacy.com, these cards are not linked to a single merchant but can be reused as many times as you want.

The Bad

I am biased toward MySudo. I personally use it in my daily life and depend on it very heavily, so much so that it’s probably the last thing actually holding me to a mainstream phone OS. Having said that, it’s not without drawbacks.

For starters, there’s that: the whole “dependency” thing. MySudo is only available for iOS and Android. Because of a dependence on Google for notifications, it won’t work on custom ROMs like Calyx or Graphene, which can be a challenge for those who wish to take their privacy to the max and truly get as Big Tech-free as possible. It’s also just an inconvenience for those who prefer to be as phone-free as possible in general. There’s a web app you can use on Desktop, but it has to be synced up manually each time you use it. Sure, I have most of my most important contacts on Signal, Matrix, or some other desktop-ready communication platform but I’m one of those people lucky enough to work a job that generally respects work/life balance. That means that when I get a late-night text, it’s usually kind of important, so I’d like to be able to have a desktop app where I can get this information in real time without depending on my phone.

There’s also the big issue of payment. There is a free tier, but it’s pretty useless. You can’t call or text non-Sudo users. Personally, I think most people can do just fine with SudoPro, which is $5/month ($50/year). This plan gives you 300 messages per month and 200 minutes per month with non-Sudo users, as well as 3 virtual cards and 3 identities. However, I am a firm believer that privacy should not be a luxury and should be available to all. Obviously services like MySudo are not cheap to run and must be paid for somehow, but it still makes me sad that the free level is so restrictive. I think the Pro level is pretty affordable, but I always want to be considerate of people who truly are that tight on money.

Two objective concerns: first, MySudo is only available in the US, Canada, New Zealand, Singapore, South Korea, and the UK. Second, the virtual card feature costs money, too: 2.99% of the purchase price plus $0.31. Two personal concerns I’ve experienced that may or may not be unique to me: text messages can be slow to send, and sometimes my phone rings then hangs up before I have a chance to answer.

Conclusion

It’s important to remember that VoIP is not meant to be a replacement for an end-to-end encrypted messenger. A lot of people bash on MySudo because it’s not open source or zero-knowledge, but that’s missing the point. What VoIP is meant to be is a way to compartmentalize your life, protect you against data breaches and stalkers, and set healthy boundaries in your own life. In that sense, I personally have found MySudo to meet and exceed my needs. Due to the price, messaging restrictions, and operating system restrictions, it may not be for everyone, but I strongly encourage those who still use a stock iOS or Android app to look into it. It’s a powerful tool and it may come in extremely handy to have in your arsenal.

You can learn more and download MySudo here.

You would think this goes without saying. Pedos are bad. Breathing is good. Water is wet. Yet here we are. Every week on Surveillance Report, we have a “politics” section. This is where we discuss privacy news directly related to politics: the Pegasus scandal, laws that were passed or proposed, or pretty much anything privacy and security related that involves a political official or decision. And yet, without fail, there’s always political opinions in the comments. “Capitalism is what made this possible, capitalism is bad.” “You’re not being tough enough on Trump for this decision, you’re placating the Alt Right.” This is a big problem with the community, and a major reason my Matrix room has a “no irrelevant politics” rule. So this week, I want to talk about why I personally choose to be apolitical on The New Oil, and why I believe privacy is a non-partisan issue.

Privacy is a human right (see Article 12). Period. Full stop. End of story. A human right, by definition, is a “moral principle” that is “commonly understood as [an] inalienable, fundamental right ‘to which a person is inherently entitled simply because they are a human being.’” (Source) You don’t have to earn human rights, and they don’t change based on your skin color, country, preferred language, or what you had for breakfast that day. You can be an a**hole and still deserve human rights. We can disagree on who should be president or what the tax rate should be, but you still deserve human rights regardless of how much I think you’re wrong. That’s how human rights work. That’s it. End of blog. Go home.

Now, of course, there are certain rights that actually can be suspended depending on the context. For example, your right to freedom can be largely suspended if you’re a criminal. In the US convicted felons can’t vote or own guns despite both of those things being mandated in our Constitution. The right to free assembly and protest was temporarily suspended at the initial onset of the pandemic here in the US. This is a highly controversial subject, but it’s worth noting as we have this discussion: some rights can be revoked or suspended based on certain criteria.

The problem I’ve been encountering in the privacy community is that many of us seem to want to drag irrelevant ideas into the privacy space. Now to be clear: I’m not telling you what to think or how to behave. Some of you may find this hard to believe, but I am an incredibly political person in my personal life. I vote in local elections, I read the news (lots of different news sources with lots of different biases), and I frequently engage in discussions with people from all across the political spectrum to understand why they think the way they do. But the fact is that even the people I dislike on the other side of the aisle deserve privacy. I may think that my mayor is a clown or that more than one of our past presidents deserves to be in prison for various things they’ve done, but that doesn’t mean that I think the people who voted for them don’t deserve privacy. And that’s why, as The New Oil, I choose to be apolitical. Because privacy doesn’t care how you voted.

Let me pause again for a second to say that personally, I don’t believe “apolitical” is a real thing. I think it’s a lie people tell themselves so they can avoid thinking about the hard and frustrating dilemmas facing us in the political arena, and I think anyone who truly lives an “apolitical” life is either in denial about how politics affects them or so privileged that they can minimize the effect to the point of ignoring it (or both). My move to be apolitical as The New Oil is, itself, a political statement. The statement that I hope I’m making is that privacy is for everyone regardless of your political affiliation. It is owed to Republicans, Democrats, Tea Party members, Libertarians, and Independents.

Having said that, there’s a time and a place. Politics is an unavoidable part of privacy because there are laws that either protect privacy or weaken it and may or may not give the average person control over their data. Those laws also get broken – both by corporations and the governments who pass those laws – and therefore there are punishments (that are usually weak, symbolic, and ineffective). That’s not even touching on things like cyberespionage, the ability to effectively crack down on cybercrime, the Five Eyes, and more. Politics plays an important role in privacy whether you like it or not and whether you care about politics or not. Whether you like the person who’s in office right now or absolutely hate them, sometimes they do good legal/privacy things and sometimes they do bad legal/privacy things and both the good and the bad deserve to be talked about.

This brings us back around to the beginning. Am I telling you not to talk about politics in privacy spaces? No. Well, keep it out of my room, but otherwise no. People are still people. I’ve said before that I have a lot of interests besides privacy. I’m super into scifi, true crime, video games, etc. The person you’re talking to on Matrix or Mastodon is still a human being, and just because they’re into privacy doesn’t mean that they can’t also be an intelligent, educated person who’s also interested in politics. Political conversations are important to have, and if you want to have them you should. The problem is that people seem to think that those of us on a pedestal – like me and Techlore and Michael Bazzell – should somehow also weigh in politically, that we should go on record to condemn or endorse certain politicians, but that’s not what privacy is about. Sure, we can – and do – say that a politician has done some good or bad things for privacy, but to take an unnecessary political stance alienates half of the humans who might watch or read our content – humans who deserve human rights like privacy.

This is about reaching people with a message they need. If I was more vocal about my political opinions on Surveillance Report or this blog, there would definitely be a lot of people who say “I don’t appreciate this guy always bashing on my political opinions, it bugs me too much and I’m done listening.” Again, just because I don’t agree with someone doesn’t mean they don’t deserve privacy. That person deserves privacy even if I don’t share their views. By taking a political stance, I’ve pushed away someone who might’ve otherwise heard about privacy and started valuing it and protecting it.

Being political also does a massive disservice to fairness. Recently on Surveillance Report, we talked about how Trump was attempting to use legal pressure to get the New York Times to reveal their sources in a certain story, but even after Trump left office the Biden administration continued the lawsuit for another three months. By taking a side and saying “well of course [Politician] was suing the news, it’s because he’s a piece of crap and he’s an enemy of democracy and freedom and privacy and blah blah blah,” I’m completely ignoring the fact that it’s not just [Politician] doing these things. It’s every president, both parties, and a large number of senators and representatives. Privacy is not a partisan issue. It’s under attack by every political side and nearly every politician, from local to federal laws. Back in the 1960s, the government was surveilling both the KKK and the civil rights movement. Privacy invasions don't take sides, why should I?

I didn’t plan for this blog to be a defense of my actions, but it seemed the best example. I don’t like using hypotheticals when concrete examples exist. The goal here was not to defend myself, the goal was to defend privacy. Privacy is truly non-partisan. And again, that doesn’t mean you can’t talk politics. People are allowed to have opinions and expertise about more than one thing. That also doesn’t mean I won’t talk about how laws and politicians are shaping privacy in the world today, cause that intersection certainly exists and needs to be discussed. What it does mean is you need to remember that privacy is for everyone, and sometimes there’s an appropriate time and place to just stick to that message. I personally have found in my own political experience that one-on-one, in-person conversations are the best kind of political discussions to have. Nobody feels attacked or ganged-up-on, it tends to be more civil and more intelligent, and frequently both sides – both myself and the person I’m talking to – tend to walk away going “oh, I learned something new” or “I hadn’t considered that opinion before.” Doesn’t mean you’ll change anyone’s mind, you should never go into a discussion attempting to change someone’s mind because that’s when it turns into a competition and that’s when people get heated and angry. When someone like me is blasting out privacy-specific information to hundreds or even thousands of people, that’s not the time for me to be injecting my personal political opinions. It’s too easy for someone to misconstrue what I meant and take it as an attack, or for the nuance of the discussion to be lost. It’s too one-sided, and it’s too easy for someone to go “oh, this is just another libtard/MAGA-head, no point in listening to what they have to say” even though what I have to say may actually be extremely relevant and important to them. There’s no use making things overly political when they don’t have to be. 
Because privacy is a human right, and human rights don’t care about your political leaning. Human rights are for all humans.

Once, I saw a Reddit post where someone asked something along the lines of “I’m moving into a new apartment soon, how can I check for hidden cameras?” While hidden cameras and sextortion are a real thing to be worried about, the nature of this particular concern raised a red flag in my head and I thought this might be a good topic for a sanity check. For those who are new, “sanity check” is a term coined by Michael Bazzell that basically means “step back, take a deep breath, and make sure you aren’t going too far overboard and negatively impacting yourself.”

Why Do People Spy?

In a world where your washing machine wants to know your contacts and your TV wants to know your neighbor's WiFi SSID, it’s easy to fall into the idea of thinking that everyone is out to collect every single piece of information about you just because, but the fact is that these stories are the exception rather than the norm. News, by definition, is news because it’s unusual. We don’t print stories about the hundreds, thousands, or millions of commuters who made it home each night on their way home from work, only about the ones who didn’t (and honestly traffic collisions after work have become so common those don’t even really make it to print anymore).

That’s not to say that data collection itself is unusual. Just a quick look through the privacy labels on the top apps for Apple’s App Store shows that excessive data collection is quite the norm. What I am saying is that none of these apps are collecting all that data “just because.” They have a reason. In some cases, the reason is justified: it’s to know what features are popular or detect and fix crashes. In most cases, the reasons are not: it’s to know more about you to serve you ads. But the point is that these apps aren’t sucking up every piece of information about you just because they have the technical ability, they’re doing it because they plan to use that data in some form or fashion.

Deep Dive: Examining the Redditor’s Question

This brings us to the apartment question. “How can I check my new apartment for hidden cameras?” The Original Poster (OP) made no indication that they had any reason to suspect hidden cameras – they didn’t cite any sort of clause in the lease or any odd behavior out of the landlord. They simply took it as a given that because they were moving into a new apartment that there was a risk of hidden cameras. Now, as I said, there is certainly a risk here just as I risk getting struck by a car every time I go near a road, but the fallacy here is that OP was making the assertion that the risk existed simply because the capability was there. “I did not have access to this space prior, and everybody is spying all the time just because, therefore there might be cameras here.” The question OP failed to address was why there might be hidden cameras.

Let’s start by examining a common myth: most hidden cameras don’t transmit data unless they’re specially designed and relatively pricier. The key word here is “relatively.” A quick search on Amazon (I plan to shower after this post simply for even looking there) for “cloud cam” shows nanny cams that look like smoke detectors, external hard drives, or even ones that are the size of your fingernail and meant to be concealed that all can connect to your phone in real time or transmit data to a cloud server for review later and range in price from $40 to $200 USD. This is not terribly expensive. However, another search for “hidden camera SD card” shows the most expensive option at $40, and most of these are designed to be completely invisible and hidden inside something like an existing fire alarm or air vent. As a busy and underpaid housekeeping staff at a hotel, it would be faster and cheaper for me to buy one of these $20 cameras and stick it in a hidden place, then in between guest stays I can simply dump the footage and put it back, ready to record the next guest. Plus since most camera services wouldn’t be self-hosted or zero-knowledge, that means by using a cloud-based camera you run the risk of getting in trouble if the company sees your content – or more likely, having your data deleted because of violation of the Terms of Service. If you get caught and reported, the company could have copies of the evidence.

More important even than the cost is the scale. At a hotel, I can expect to see a new guest at a frequency ranging from every night to every week (on average), and I have dozens if not hundreds of rooms to pick from. I’m CERTAIN to get footage of an attractive, naked woman who checked in under her real name who I can then blackmail for money, which is almost always what these particular scams are about. And with dozens or even hundreds of hotel employees, even if you report the incident that’s a lot of time and resources spent trying to pin down exactly which employee planted the camera and took the footage. I don’t mean to inject my personal political opinions here but point blank: the cops don’t care and neither does the hotel. The cops don’t have the resources to investigate one rando’s grainy nudes and the hotel will simply fire the person they suspect – who can quickly move onto another job because of the high turnover of entry-level positions – and issue a stern warning to everyone else. Ultimately, the risk is worth it to some.

Now here’s the most important part, the question OP didn’t ask: “why would I find hidden cameras?” All that scale of a hotel scam falls apart when we’re talking about renting an apartment. Even putting aside the price of hidden cameras, you have one “room” with one (or a small number of) guest(s) who stay for months or possibly years at a time. Not to mention you have a very limited number of people who have access to the space: the office staff and a couple maintenance guys if we’re talking about a corporate property. If we’re talking a private landlord, they’re probably the only person with consistent access. This means you’ve got one person (or a very small number of people) who can be easily blamed and reasonably sued, and the odds of renting to that one person who’s worth blackmailing are almost nonexistent. You might get a dude (male nudes aren't typically highly sought after) or someone considered unattractive by conventional standards. Even if they are attractive, part of the effectiveness of the scam comes from the idea that I'll publish this footage attached to your real name, and if you're traveling you're likely a professional who doesn't want that showing up on a Google search. Renting a home to randos, your odds of finding that professional are also lower. If any landlord actually tried this scam, I’d laugh hysterically reading the article about their trial.

I’m not saying it doesn’t happen. I’ve read the Florida Man stories. Epic stupidity certainly exists. I’m just saying that we’ve now gone from the likelihood of “I might get hit by a car every time I get near a road” to “I might get attacked by a shark while visiting the aquarium.” The answer to the question “why would I find cameras” is “you probably wouldn’t.” You might argue that the landlord might place cameras to prove property damage, and sure that’s possible, but the risk just doesn’t seem worth it. They already have a lease saying you’re responsible for anything that happens to the property between the date you move in and the date you move out, there’s no need for cameras. Again, people don’t spy just because they can. That’s just time and money wasted on buying a camera, placing it, making the paperwork legal (or risking a lawsuit if they don’t), recovering and managing the data, etc. It’s easier just to take you to court and go “here’s the lease with their signature.”

The Larger Picture

Let me be clear: I don’t think OP was stupid to ask that question. I’m glad that they think outside the box and consider the possibilities and ask when they’re not sure. But the bigger idea I wanted to share with this story – and what I hope OP learned that day – was the title of this post: people don’t spy just because. There’s always a reason. Again, often that reason is invasive, but the moral I wanted to impart here is that next time you find yourself thinking some extreme threat model thoughts – like “what if a hacker takes over my car while it’s on the highway?” for example – take a moment to ask yourself “why would they go through all the trouble?” Sometimes the answer is “because there’s money to be made and it’s easy.” But sometimes, the risk and the work just isn’t worth it. Again, surveillance is real and common and ubiquitous and far too overreaching. But when it comes to the high-level stuff, remember: people don’t spy just because.

Software two-factor apps are a funny thing. They all kind of do the same thing. Having said that, I managed to find one that shines above all the others for iOS: Raivo. So this week, I’ll review that and explain why I recommend it.

2FA: What to Use?

First off, let me remind all my readers that if you’re using SMS two-factor authentication, you need to stop. Go check your account right now and see if you have a better option. In some cases you don’t, and in those cases SMS is better than nothing. But the vast majority of sites these days offer app-based or even hardware-based two-factor, and if the site you’re using does, you should use that without a second thought. In a perfect world, hardware 2FA is ideal, but this isn’t always feasible for everyone. For example, you may not have the spare USB space, or the token you want may not be something you can leave plugged in 24/7, meaning you might forget it. Most people don’t forget their phones, so for most people a software 2FA app is the sweet spot.

Why Raivo?

As I said before, there’s a ton of two-factor apps out there and most of them are very similar. In some ways, that makes picking the right one easy. While I have three criteria that apply to iOS 2FA apps, we only need two to really isolate Raivo as the best choice. First, we want something open source. I’ve preached time and time again on why open source is superior even if it’s not perfect. That automatically rules out a ton of apps. Second, Raivo offers local backups without using Apple’s built-in backup feature. A few years ago, my at-the-time 2FA app crashed while I was attempting to add a new account, and it wouldn’t open back up, meaning I had lost all my 2FA codes. For the most part I was able to get these reset, but in a couple cases I was unable to, meaning I lost those accounts forever. As such, backups are very important to me now and I want everyone to have that feature. Thus, the only winner left standing: Raivo. (The third criterion, for those who care, is to be actively maintained. Raivo was last updated last month as I write this, so it is maintained.)

The Good

One thing that sets Raivo apart in my opinion is the wealth of icons in the library. Rather than phoning home to pull a favicon or picking a predetermined icon for you, Raivo appears to respect your privacy by letting you pick an icon. This is actually even more helpful because some sites have multiple icons, and sometimes you have to have multiple accounts. For example, I have a personal Gmail account (I’ve had it for almost ten years and it’s in my real name, so even though I don’t use it I keep it just in case) AND a work email that’s managed by Google, so I can assign them each different Google icons to help me more easily keep track of them. They even have a pretty extensive library of icons for popular privacy-respecting services like Proton, Brave, Cryptomator, Mastodon, SimpleLogin, and more. Another cool feature is that your vault is password-protected, so that can give you a second layer of security for your accounts by making a password or PIN that’s separate from your phone’s login PIN or password.

The Bad

Personally my biggest complaint is the fact that the password protection is mandatory. I have the mentality that if my phone has been unlocked, I’m already in trouble and using different passwords for different apps will probably not do me any significant good at that point, so the password lock is more inconvenient to me than helpful. There are also some privacy services that I’m a little surprised not to see present, like CTemplar. But other than that I honestly don’t really have any complaints. It’s a nice-looking app that works great and I’ve yet to have any issues with it.

Conclusion

I don’t have much to say this week. As I’ve said, 2FA apps are all pretty similar. The main thing that really sets Raivo apart for iOS is the backup feature, but as I said that’s not the only thing. The password-protection and icon selection also make for a pleasant experience that makes it very user-friendly. If you’re an iOS user, I strongly encourage you to check it out if for no other reason than that you can make those backups. Learn from my mistakes.

You can download Raivo for free in the Apple App Store here.

In life – and the privacy and security communities – we are constantly assaulted with a variety of conflicting information. I’m sure there’s no need to give examples, you can find plenty of them just by reading the news or cruising the Privacy subreddit. This week, I want to write possibly my most important blog topic: Critical Thinking 101, or “how to evaluate a claim.” Don’t let the title fool you, this is not going to be a condescending, partisan politics post about how [insert group here] is dumb and you just need to use common sense. Instead I’m going to give you real, practical steps that you can use in almost any situation to help determine if a person and their claim are worth considering. Please note that this process may not always give you a definite “yes” or “no” on whether a claim is true or not, but it will help you weed out a lot of low-hanging fruit and can be part of your process when deciding whether or not to believe something.

Step 0: Solipsism, Certainty, & Standards of Proof

We need to get something out of the way right now: it is literally impossible to ever be 100%, truly, “come down off a mountain and found a religion” positive about anything. Have you ever heard the famous phrase “I think therefore I am?” It was said by Rene Descartes while he was attempting to determine the nature of reality. Suppose you sat down and decided “I want to prove beyond any doubt what is real.” Am I [Nate Bartram of The New Oil] real to you, the reader? Maybe not. Maybe I’m a VERY well programmed AI, complete with deepfake videos on Surveillance Report and all. Is this blog post real? Maybe not, it could be a glitch on your device. Is your device that you’re reading this on real? Surely, right? After all, you’re holding it in your hand, you can feel it. Not necessarily. Maybe you’re hallucinating. Maybe your home is a hallucination, and your loved ones. You could be in a coma right now, or a brain in a jar being stimulated with electricity by researchers to see what happens. At the end of the day, the only thing you can truly be certain is 100% real is your sense of self, the fact you are perceiving something and that you are conscious. What you are perceiving may be a hallucination, it may not be real, but the fact that you are conscious at all shows that if nothing else, you are real. This is called solipsism. I apologize if I just gave anyone an existential crisis. At the end of the day, I personally do not believe in solipsism and I don’t think it matters either, but the point is that in the most extreme sense of the word, we can never be certain that anything is real.

When it comes to deciding if you believe something, you base that on the “standard of proof,” which could also be called the evidence, the argument, or any number of things. The standard of proof is the level at which someone has presented enough evidence or logic that you say “okay, I believe that.” The standard of proof for a claim should vary depending on the claim. Again, there are some people who demand unrealistic standards of proof, like the infamous “if X is open source, how do we know the-company-behind-X isn’t running a different version on their servers?” At the end of the day, a person can always raise their standard of proof to unrealistic levels to the point where you can never meet it and therefore never convince them otherwise. This is a common meme both in media and real life: someone admits they made something up, the believers respond by saying that person was paid off or intimidated into a false confession. The standard of proof is too high to ever be met.

I encourage you to find a balance between the fact that you can never be truly certain and the severity of the claim. It’s a lot like threat modeling: if you tell me that you’re a professional plumber, I’m not going to demand a lot of proof given that the stakes aren’t very high. If you tell me that Matrix has a backdoor, I’m going to demand a higher standard of proof. It is with these two important points in mind – the lack of achieving true certainty and the fact that standards of proof rightfully shift – that we can now move forward. Remember these as I go.

Step 1: The Claim

The Earth is flat. The Moon is made of green cheese. The CIA can read my thoughts. These are all claims that are blatantly ridiculous, and we know this because proven, scientific facts contradict them. Now look, I know that to some, science itself is suspect these days but as I said above we have to accept that we can never truly be 100% certain of anything. That said, when someone is making a claim, the first place to start is the claim itself. Does this claim contradict proven, repeated evidence? Let me cite a common example: “Signal is a honeypot because it’s an American company.” This claim rests on the idea that because Signal is based in America – a country that is openly hostile towards end-to-end encryption – and because it’s centralized, it therefore must secretly be spyware and using it is no better (or arguably worse) than just using regular SMS. However, barring any new evidence (which we’ll discuss in a second), this claim is easily disproven. Signal is open source and wildly popular, meaning that many, many experts have laid eyes on it. Numerous experts from across a variety of fields, companies, and levels of experience (this will also be covered later) have all stated that there is no indication in the source code of Signal’s client app that there is any kind of vulnerability. This means that even if the servers were compromised, the messages are still secure. The only way the message could be compromised would be at the device level – if your phone had a keylogger or something like that. This is a claim that has been tested and proven many times over during the course of many years. In fact, we can even go a step further and look at the infamous Vault 7 CIA document leaks and see that the US intelligence community has spent considerable effort attempting (and failing) to crack Signal and find workarounds to circumvent their encryption. If Signal was a honeypot, why would they do that?

Now of course, as I said, there will always be the people with a standard of proof that’s unreachable. Those people will say “maybe all those researchers were paid off” or “maybe Vault 7 was disinformation.” Personally I find that these suggestions make the security of Signal even more likely because of the additional unlikeliness and assumptions required: you have to assume that not a single one of those researchers is ethical, that the ones who were have somehow been COMPLETELY silenced or overlooked, and not to mention this is all stuff that can be verified by any given individual who cares to learn the programming language and examine the Signal code themselves.

This blog post is not meant to be a defense of Signal, but this is a good example: the claim itself can’t stand up to scrutiny. There are years of evidence from multiple credible sources that disprove it right off the bat. Unless the person making the claim is presenting new evidence, then the claim itself is probably safe to discredit and ignore. On that note:

Step 2: The Evidence

Suppose, in the Signal example, that the person is presenting new evidence. In fact, they kind of already presented some in the claim: “because Signal is an American company.” Not all evidence is equal or valid. In this case, the person’s evidence is that American companies all inevitably have encryption backdoors. While that specific claim is untrue, it’s a valid concern and it has precedent. Popular messaging platforms like Clubhouse, Facebook Messenger, Skype, Reddit, SMS, and others are not end-to-end encrypted and the providers frequently keep message content for at least a certain period of time. All it takes is one court case and a subpoena for Verizon to turn over all your SMS messages – plus content – to the court to be read aloud in public. But then there are also the hidden programs like the infamous PRISM program in which the US intelligence community paid companies like Apple, Google, and AT&T for direct, backdoor access into their databases to pop in any time they wanted to collect whatever data they desired. The UK had their own version, TEMPORA, which involved physically splicing into the country’s main internet cables so the government could make a copy of every single piece of internet traffic that passed through the country. And recently, several western countries teamed up to make an “encrypted” messenger with the sole purpose of infiltrating criminal groups, all the while it was backdoored and submitted decrypted message content back to authorities. With evidence like this, it’s not hard to see why someone would say that any American-based service is compromised by default.

This brings us to the importance of evaluating multiple parts of the claim. While Signal is indeed an American company and that does warrant scrutiny, further evidence has shown that despite Signal’s country of origin, it is likely safe and secure. Suppose the evidence for the claim was new. Suppose the claimant said “because Signal is a UK-based company” or “because Signal sold to Amazon.” These are not true, and if the person is making this claim then they need to provide new evidence to back up that claim such as reputable articles, a company blog, or some sort of public record documents that were filed like a transfer of ownership document with the state. So just to sum up and be clear: sometimes a claim may seem outright ridiculous (“the medical community killed black people just to see what would happen”), but that doesn’t mean you should dismiss it on that alone. You should also examine the other factors, like the person making the claim or the evidence.

The Claimant

The final piece of critical thinking that must be examined is the person making the claim. Now let me be clear: this is NOT the same as an “ad hominem” attack, which is Latin for “to the person.” You’ve likely seen this, and if we’re all being honest we’ve all probably done it in fits of emotional outburst. Let’s keep rolling with the Signal example and let’s pretend I’m the one making the claim that Signal is compromised on account of its American origins. An ad hominem attack might be to point out that I’m openly critical of the federal government and therefore I’m biased. Or to cite my recent interview with Session as proof that I’m trying to knock Signal down a peg to promote Session instead. Or, since in reality I do encourage the use of Signal, you might argue the opposite: because I’m an American I would be loyal to my country and refuse to admit the possibility that Signal might be compromised on those grounds alone.

An ad hominem attack in common usage refers to attacking the person without validity. It’s the fancy equivalent of calling someone a buttface because you didn’t like what they said. But there is, in fact, a way to evaluate a person in a valid, ethical way. Technically this can be broken up in a number of different categories, but in my opinion it all comes down to one broad factor: qualifications. Qualifications are made up of a number of factors that aren’t always necessarily equal or important. For example, education is one. If I’m making the claim that Signal is broken, do I have any education as a cryptographer? A programmer? Did I go to college for it? Did I graduate from MIT or community college? Of course, education alone is not the end-all-be-all. There are many incredibly talented individuals in a variety of fields that are self-taught, and there’s also tons of Harvard and MIT graduates who barely scraped by with C’s and never really did anything exceptional (or at all) in their field of study. This is why I say that qualifications are made up of several factors and that they’re not always equally important. I want my doctor to not be self-taught. My app developer, on the other hand, I’m less concerned about. Other factors in the “qualifications” category include things like experience – have they been in this field for ten years or ten months? – and reputation – is this person generally regarded as someone who knows what they’re talking about or are they widely considered a crackpot who’s good for little more than entertainment? It’s also worth considering the person’s possible conflicts of interest, like employer. If ProtonMail releases a study touting the efficacy of PGP, Proton is based on and heavily uses PGP so they have a conflict of interest. Of course they want to say why PGP is good and downplay (or ignore) any evidence that it’s bad. As discussed before, this doesn’t mean they’re wrong and you shouldn’t ignore the claim on this alone, but it’s worth keeping in mind when researching the claim.

Personally I also find it important to separate information about a person based on relevance. For example, let’s say the person making the claim that Signal is bad is an alcoholic. Does that matter? In my opinion, not really. As long as they were sober when they did the research and presented their findings, what they do in their free time is none of my business. Personally I think that’s about as relevant as their sexuality or gender. On the other hand, vices like alcohol, drug use, or sexual lifestyle or interests could potentially (“potentially” being the key word) indicate things like blackmail or sloppiness (hence my “was the person sober when they did the research” caveat), and they tend to be used to smear a person even if it has no bearing on the claim (ad hominem). This is why intelligence communities often look into things like sexual orientation or history of addiction in potential applicants – they want to know if you can be blackmailed by the enemy for things like cheating on your wife or gambling away your kid’s Christmas budget in Vegas.

Caveats

Toward the beginning of this post, I mentioned that the standard of proof can vary, but so can your level of belief in something. For example, I said in my recent interview with Opt-Out Podcast that I firmly believe that Apple can see everything I do on my phone despite having no evidence. Well, that’s not entirely true. I base that claim on the 2014 documentary “Terms And Conditions May Apply,” in which they demonstrate how digital forensics tools can in certain cases recover the exact keystrokes from your device. If third-party tools can do that after the fact, why wouldn’t Apple be able to in real time? It is for this reason that I don’t trust my phone, but honestly other than this single documentary I don’t have any real proof. I don’t have any leaked Apple memos, any news stories about this, or anything like that. I’m basing all of that off a single story from a person who I know almost nothing about. I believe this claim, but I’m also willing to admit that I’m wrong. My level of belief, if I had to put it on a scale of 1-10 (1 being I don’t believe it at all and 10 being I’m certain of it), I’d say I’m about at a 7.

The point is that you can think something is likely without being convinced of it, and vice versa. You can always change your views as more information comes to light later, and in fact you should. You don’t have to be totally certain of something. You can evaluate a claim, the evidence, and the person making the claim and still walk away going “I’m not really sure, honestly.” As I said at the beginning, the point of this post is not to tell you what to think or how to be certain of something, but rather it’s to give you some tools to help with that process. I see far too many people in all areas of life believing claims at face value. There’s never anything wrong with critical thinking. Now go forth and think great thoughts.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Password managers are – thankfully – becoming a mainstream topic. In addition to seeing commercials for certain ones from time to time, it’s becoming more common for me to attempt to spread the word about good passwords only to be met with something like “oh I already use LastPass/Dashlane/1Password/etc.” While it’s good for consumers that there are more of them available, that also makes it rather difficult for people to know what’s best. This week, I’d like to weigh in on this subject. While I will admit that I purposely formatted this blog title for SEO, I am writing this blog on the assumption that you understand the basics of what a password manager is, what it does, and why it matters. If you’re not sure, I encourage you to skim this page of my website quickly and come back.

Criteria

I’ll cut right to the chase: the only two password managers I recommend are Bitwarden and KeePassXC. The first criterion I use to recommend password managers is that they are open source. See this page on my website all about what open source is and why it matters to me. This automatically rules out most of the “mainstream” providers like LastPass, Dashlane, etc. My second criterion, which rules out many of the other open-source projects, is that they must be cross-platform – that is, they must be available on Windows, Mac, Debian-based Linux, Android, and iPhone. There are some other criteria, which you can view in full here if you care, but those main two will likely answer the inevitable “Why isn’t X listed here?”

Privacy Policy

Bitwarden

Bitwarden’s privacy policy is admittedly not great. This actually serves as an excellent example of having security without privacy (I’ll get to Bitwarden’s security in a moment). Visiting the website will automatically result in standard data collection like IP address, cookies, and other automatic identifiers (and needless to say, any other information you knowingly submit like contact forms). They do admit to third-party sharing for the purposes of improving the product, processing payment information, and other such services. The website is also riddled with Google fonts, Cloudflare, and other services that are generally frowned upon in the privacy community for their poor privacy practices, meaning there’s a possibility that those sites may be tracking users even though Bitwarden themselves do not. The policy does not explicitly state but does suggest that app usage is also collected. According to the Apple privacy label, this appears to be limited to crash data.

On the plus side, it does appear that Bitwarden's tracking is limited to their site – in other words, they don’t try to aggregate information about you from other sources to identify you specifically. While this is probably more data about you than they really need, it does seem to be primarily limited to data they want for the purpose of improving the service. They explicitly say in the policy that they ignore Do Not Track signals as they don’t track you anyways. Their mobile app also appears to collect limited data according to the Apple Privacy Label, but unfortunately this “limited data” does include unique identifiers, specifically your Device ID. While I understand the value of this data in regards to security, I suspect they could ignore this information to better preserve privacy if they wanted to.

KeePassXC

KeePassXC’s privacy policy is a lot better. Visiting the website will collect information like partial IP address, browser data, referrer data (if any), and location determined by IP address. On the plus side, the policy explicitly states it will never be shared with third parties (I assume this does not apply to valid law enforcement requests) and is deleted after 90 days. Additionally, they admit to respecting Do Not Track headers, meaning that if you have that box checked in your browser, no data will be collected in the first place. And even furthermore, KeePassXC only ever contacts the internet on two occasions: to check for new updates, and to pull a website’s favicon (if you request it). No usage analytics are ever submitted (one could argue that auto-checking for updates creates a usage pattern, though personally I view this as a very small, worthwhile risk for most people). For mobile, forks of KeePassXC are used instead of actual KeePassXC. I recommend KeePassDX for Android and Strongbox for iOS. Strongbox explicitly states they collect no information, while KeePassDX’s privacy policy redirects to the official GNU GPL 3.0 license, which tells me they likely have similar practices.

Security

Bitwarden

Bitwarden is cloud-based, which means that you’re automatically opening up some degree of risk by default. However, the database is protected with AES-256 encryption – currently one of the standards that at this time has no known weaknesses – and your password is salted and hashed with bcrypt, which is also considered the current strongest hash algorithm for passwords. For my non-techy readers: they take your security really freaking seriously. The only known weakness at this time would be the master password you use, so make sure you’re using a strong passphrase and two-factor authentication. While it is important to note that nothing is unhackable and keeping your vault in the cloud with Bitwarden is inherently a risk no matter what, at this point in time I would argue that if you’re using a strong master passphrase and two-factor, the average person has nothing to fear on the security front from using Bitwarden.

KeePassXC

KeePassXC’s vault is also encrypted using AES-256. KeePassXC has the advantage of being locally stored, entirely independent of the internet. This means that unless you choose to upload your vault to a cloud service, you have virtually no risk of vault compromise. However, it is important to note that you should keep secure backups, as you still run the risk of having your vault get corrupted or lost if your computer dies. And of course, having locally-stored files won’t save you from a compromised device, so be sure to take proper and appropriate device security measures overall. I would also encourage the use of a strong passphrase with KeePassXC simply as a precaution, though the odds of needing it are much lower than with Bitwarden (depending on your situation).
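Both Security subsections above end on the same point: the cipher is not the weak link, the master passphrase is. The added example below (not from the original post, and not Bitwarden’s or KeePassXC’s code) shows what a salt and a slow password hash buy and estimates offline guessing cost; PBKDF2-HMAC-SHA256 from Python’s standard library stands in for the password hash, and the word list, iteration count and hash rate are constructed assumptions.

```python
import hashlib
import math
import secrets

# Constructed 16-word list for illustration; real diceware lists hold 7776 words.
WORDS = ["anchor", "breeze", "copper", "dagger", "ember", "fossil", "garnet",
         "harbor", "island", "jigsaw", "kettle", "lantern", "marble", "nectar",
         "orchid", "pepper"]
ITERATIONS = 200_000  # assumed work factor, not a value taken from either product


def generate_passphrase(n_words, wordlist=WORDS, sep="-"):
    """Choose words with the OS CSPRNG; the random module is not suitable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Entropy of n symbols drawn uniformly and independently from an alphabet."""
    return n_symbols * math.log2(alphabet_size)


def derive_vault_key(passphrase, salt, iterations=ITERATIONS):
    """Stretch a passphrase into a 32-byte key, the size AES-256 needs."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_guess_years(bits, raw_hashes_per_second, iterations=ITERATIONS):
    """Average offline search time: half the keyspace, with every guess
    costing `iterations` hash computations."""
    guesses_per_second = raw_hashes_per_second / iterations
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    # Same passphrase, different salts: unrelated keys, so work precomputed
    # against one vault cannot be reused against another.
    differ = derive_vault_key(phrase, salt_a) != derive_vault_key(phrase, salt_b)
    print("keys differ across salts:", differ)

    rate = 1e10  # constructed raw hash rate used only for the estimate
    for label, bits in [("8 random lowercase letters", entropy_bits(8, 26)),
                        ("6 random diceware words", entropy_bits(6, 7776))]:
        years = expected_guess_years(bits, rate)
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years on average")
```

With these constructed numbers the eight-letter password survives a few weeks on average, while the six-word passphrase survives tens of billions of years under the same assumptions.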

Other Features

Quite frankly, Bitwarden and KeePassXC are almost identical in terms of features and functionality. For that reason, I’ll just go ahead and list all the major features and differences here in one section. Both allow you to generate random passwords or passphrases, both allow you to specify the criteria for those passwords (length, special characters, etc), and both will allow you to store your two-factor keys in the app for a more convenient login experience (for Bitwarden this is a paid feature and for KeePassXC this does require a small degree of manual expertise from the user. Regardless, be aware that this does make your password vault a “single point of failure” and therefore this feature should be used cautiously). Bitwarden does have a secure file send feature they recently rolled out for premium users, but I personally have never used it as this isn't something I expect of my password manager and I already have other methods for doing that anyways. I would say the only difference between the two in terms of features and function is the user interface: Bitwarden is very sleek, very modern, very pleasing to the eye, and very easy to navigate. KeePassXC looks a bit more outdated, a bit older, a bit more rough, and some of the more advanced features can be confusing and intimidating (fortunately most users don’t have to worry about these features and can safely ignore them). Both services also allow for a browser extension to easily log in to websites. I recommend keeping your browser extensions to a minimum, but that’s useful for those who have come to rely on such features. It's also worth mentioning that Bitwarden does have a paid teams feature, so if you run a company then Bitwarden would be the clear winner here as they make it incredibly easy to integrate multiple users into the same shared vault so that you can use strong passwords at work while still giving access to everyone who needs those sites or accounts.

Ultimately, for individuals, you can’t go wrong with either of these options and which one you should pick depends on your threat model and your lifestyle. If you have a low threat model – that is, you are unlikely to be specifically targeted by an individual or organization – and you value convenience, Bitwarden is probably the right choice for you with their single app, synchronization across all devices, and sleek user interface. If you have a higher threat model (or you simply distrust the cloud), you’re willing to do a little extra work, you don’t mind a slightly outdated design, and/or you’re more techy, then KeePassXC is right for you. Whichever one you use, remember to use a strong passphrase (and two-factor for Bitwarden), keep good backups, and you should be pretty well protected. Now go forth and create strong, unique passwords everywhere.
