The New Oil

Privacy is Not Political

August 7, 2021

You would think this goes without saying. Pedos are bad. Breathing is good. Water is wet. Yet here we are. Every week on Surveillance Report, we have a “politics” section. This is where we discuss privacy news directly related to politics: the Pegasus scandal, laws that were passed or proposed, or pretty much anything privacy and security related that involves a political official or decision. And yet, without fail, there’s always political opinions in the comments. “Capitalism is what made this possible, capitalism is bad.” “You’re not being tough enough on Trump for this decision, you’re placating the Alt Right.” This is a big problem with the community, and a major reason my Matrix room has a “no irrelevant politics” rule. So this week, I want to talk about why I personally choose to be apolitical on The New Oil, and why I believe privacy is a non-partisan issue.

Privacy is a human right (see Article 12). Period. Full stop. End of story. A human right, by definition, is a “moral principle” that is “commonly understood as [an] inalienable, fundamental right ‘to which a person is inherently entitled simply because they are a human being.” (Source) You don’t have to earn human rights, and they don’t change based on your skin color, country, preferred language, or what you had for breakfast that day. You can be an a**hole and still deserve human rights. We can disagree on who should be president or what the tax rate should be, but you still deserve human rights regardless of how much I think you’re wrong. That’s how human rights work. That’s it. End of blog. Go home.

Now, of course, there are certain rights that actually can be suspended depending on the context. For example, your right to freedom can be largely suspended if you’re a criminal. In the US convicted felons can’t vote or own guns despite both of those things being mandated in our Constitution. The right to free assembly and protest was temporarily suspended at the initial onset of the pandemic here in the US. This is a highly controversial subject, but it’s worth noting as we have this discussion: some rights can be revoked or suspended based on certain criteria.

The problem I’ve been encountering in the privacy community is that many of us seem to be wanting to drag irrelevant ideas into the privacy space. Now to be clear: I’m not telling you what to think or how to behave. Some of you may find this hard to believe, but I am an incredibly political person in my personal life. I vote in local elections, I read the news (lots of different news sources with lots of different biases), and I frequently engage in discussions with people from all across the political spectrum to understand why they think the way they do. But the fact is that even the people I dislike on the other side of the aisle deserve privacy. I may think that my mayor is a clown or that more than one of our past presidents deserves to be in prison for various things they’ve done, but that doesn’t mean that I don’t think that the people who voted for them don’t deserve privacy. And that’s why, as The New Oil, I choose to be apolitical. Because privacy doesn’t care how you voted.

Let me pause again for a second to say that personally, I don’t believe “apolitical” is a real thing. I think it’s a lie people tell themselves so they can avoid thinking about the hard and frustrating dilemmas facing us in the political arena, and I think anyone who truly lives an “apolitical” life is either in denial about how politics affects them or so privileged that they can minimize the effect to the point of ignoring it (or both). My move to be apolitical as The New Oil is, itself, a political statement. The statement that I hope I’m making is that privacy is for everyone regardless of your political affiliation. It is owed to Republicans, Democrats, Tea Party members, Libertarians, and Independents.

Having said that, there’s a time and a place. Politics is an unavoidable part of privacy because there are laws that either protect privacy or weaken it and may or may not give the average person control over their data. Those laws also get broken – both by corporations and the governments who pass those laws – and therefore there are punishments (that are usually weak, symbolic, and ineffective). That’s not even touching on things like cyberespionage, the ability to effectively crack down on cybercrime, the Five Eyes, and more. Politics plays an important role in privacy whether you like it or not and whether you care about politics or not. Whether you like the person who’s in office right now or absolutely hate them, sometimes they do good legal/privacy things and sometimes they do bad legal/privacy things and both the good and the bad deserve to be talked about.

This brings us back around to the beginning. Am I telling you not to talk about politics in privacy spaces? No. Well, keep it out of my room, but otherwise no. People are still people. I’ve said before that I have a lot of interests besides privacy. I’m super into scifi, true crime, video games, etc. The person you’re talking to on Matrix or Mastodon is still a human being, and just because they’re into privacy doesn’t mean that they can’t also be an intelligent, educated person who’s also interested in politics. Political conversations are important to have, and if you want to have them you should. The problem is that people seem to think that those of us on a pedestal – like me and Techlore and Michael Bazzell – should somehow also weigh in politically, that we should go on record to condemn or endorse certain politicians, but that’s not what privacy is about. Sure, we can – and do – say that a politician has done some good or bad things for privacy, but to take an unnecessary political stance alienates half of the humans who might watch or read our content – humans who deserve human rights like privacy.

This is about reaching people with a message they need. If I was more vocal about my political opinions on Surveillance Report or this blog, there would definitely be a lot of people who say “I don’t appreciate this guy always bashing on my political opinions, it bugs me too much and I’m done listening.” Again, just because I don’t agree with someone doesn’t mean they don’t deserve privacy. That person deserves privacy even if I don’t share their views. By taking a political stance, I’ve pushed away someone who might’ve otherwise heard about privacy and started valuing it and protecting it.

Being political also does a massive disservice to fairness. Recently on Surveillance Report, we talked about how Trump was attempting to use legal pressure to get the New York Times to reveal their sources in a certain story, but even after Trump left office the Biden administration continued the lawsuit for another three months. By taking a side and saying “well of course [Politician] was suing the news, it’s because he’s a piece of crap and he’s an enemy of democracy and freedom and privacy and blah blah blah,” I’m completely ignoring the fact that it’s not just [Politician] doing these things. It’s every president, both parties, and a large number of senators and representatives. Privacy is not a partisan issue. It’s under attack by every political side and nearly every politician, from local to federal laws. Back in the 1960s, the government was surveilling both the KKK and the civil rights movement. Privacy invasions don't take sides, why should I?

I didn’t plan for this blog to be a defense of my actions, but it seemed the best example. I don’t like using hypotheticals when concrete examples exist. The goal here was not to defend myself, the goal was to defend privacy. Privacy is truly non-partisan. And again, that doesn’t mean you can’t talk politics. People are allowed to have opinions and expertise about more than one thing. That also doesn’t mean I won’t talk about how laws and politicians are shaping privacy in the world today, cause that intersection certainly exists and needs to be discussed. What it does mean is you need to remember that privacy is for everyone, and sometimes there’s an appropriate time and place to just stick to that message. I personally have found in my own political experience that one-on-one, in-person conversations are the best kind of political discussions to have. Nobody feels attacked or ganged-up-on, it tends to be more civil and more intelligent, and frequently both sides – both myself and the person I’m talking to – tend to walk away going “oh, I learned something new” or “I hadn’t considered that opinion before.” Doesn’t mean you’ll change anyone’s mind, you should never go into a discussion attempting to change someone’s mind because that’s when it turns into a competition and that’s when people get heated and angry. When someone like me is blasting out privacy-specific information to hundreds or even thousands of people, that’s not the time for me to be injecting my personal political opinions. It’s too easy for someone to misconstrue what I meant and take it as an attack, or for the nuance of the discussion to be lost. It’s too one-sided, and it’s too easy for someone to go “oh, this is just another libtard/MAGA-head, no point in listening to what they have to say” even though what I have to say may actually be extremely relevant and important to them. There’s no use making things overly political when they don’t have to be. Because privacy is a human right, and human rights don’t care about your political leaning. Human rights are for all humans.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Sanity Check: People Don’t Spy Just Because

July 31, 2021

Once, I saw a Reddit post where someone asked something along the lines of “I’m moving into a new apartment soon, how can I check for hidden cameras?” While hidden cameras and sextortion are a real thing to be worried about, the nature of this particular concern raised a red flag in my head and I thought this might be a good topic for a sanity check. For those who are new, “sanity check” is a term coined by Michael Bazzell that basically means “step back, take a deep breath, and make sure you aren’t going too far overboard and negatively impacting yourself.”

Why Do People Spy?

In a world where your washing machine wants to know your contacts and your TV wants to know your neighbor's WiFi SSID, it’s easy to fall into the idea of thinking that everyone is out to collect every single piece of information about you just because, but the fact is that these stories are the exception rather than the norm. News, by definition, is news because it’s unusual. We don’t print stories about the hundreds, thousands, or millions of commuters who made it home each night on their way home from work, only about the ones who didn’t (and honestly traffic collisions after work have become so common those don’t even really make it to print anymore).

That’s not to say that data collection itself is unusual. Just a quick look through the privacy labels on the top apps for Apple’s App Store show that excessive data collection is quite the norm. What I am saying is that none of these apps are collecting all that data “just because.” They have a reason. In some cases, the reason is justified: it’s to know what features are popular or detect and fix crashes. In most cases, the reasons are not: it’s to know more about you to serve you ads. But the point is that these apps aren’t sucking up every piece of information about you just because they have the technical ability, they’re doing it to because they plan to use that data in some form or fashion.

Deep Dive: Examining the Redditor’s Question

This brings us to the apartment question. “How can I check my new apartment for hidden cameras?” The Original Poster (OP) made no indication that they had any reason to suspect hidden cameras – they didn’t cite any sort of clause in the lease or any odd behavior out of the landlord. They simply took it as a given that because they were moving into a new apartment that there was a risk of hidden cameras. Now, as I said, there is certainly a risk here just as I risk getting struck by a car every time I go near a road, but the fallacy here is that OP was making the assertion that the risk existed simply because the capability was there. “I did not have access to this space prior, and everybody is spying all the time just because, therefore there might be cameras here.” The question OP failed to address was why there might be hidden cameras.

Let’s start by examining a common myth: most hidden cameras don’t transmit data unless they’re specially designed and relatively pricier. The key word here is “relatively.” A quick search on Amazon (I plan to shower after this post simply for even looking there) for “cloud cam” shows nanny cams that look like smoke detectors, external hard drives, or even ones that are the size of your fingernail and meant to be concealed that all can connect to your phone in real time or transmit data to a cloud server for review later and range in price from $40 to $200 USD. This is not terribly expensive. However, another search for “hidden camera SD card” shows the most expensive option at $40, and most of these are designed to be completely invisible and hidden inside something like an existing fire alarm or air vent. As a busy and underpaid housekeeping staff at a hotel, it would be faster and cheaper for me to buy one of these $20 cameras and stick it in a hidden place, then in between guest stays I can simply dump the footage and put it back, ready to record the next guest. Plus since most camera services wouldn’t be self-hosted or zero-knowledge, that means by using a cloud-based camera you run the risk of getting in trouble if the company sees your content – or more likely, having your data deleted because of violation of the Terms of Service. If you get caught and reported, the company could have copies of the evidence.

More important even than the cost is the scale. At a hotel, I can expect to see a new guest at a frequency ranging from every night to every week (on average), and I have dozens if not hundreds of rooms to pick from. I’m CERTAIN to get footage of an attractive, naked woman who checked in under her real name who I can then blackmail for money, which is almost always what these particular scams are about. And with dozens or even hundreds of hotel employees, even if you report the incident that’s a lot of time and resources spent trying to pin down exactly which employee planted the camera and took the footage. I don’t mean to inject my personal political opinions here but point blank: the cops don’t care and neither does the hotel. The cops don’t have the resources to investigate one rando’s grainy nudes and the hotel will simply fire the person they suspect – who can quickly move onto another job because of the high turnover of entry-level positions – and issue a stern warning to everyone else. Ultimately, the risk is worth it to some.

Now here’s the most important part, the question OP didn’t ask: “why would I find hidden cameras?” All that scale of a hotel scam falls apart when we’re talking about renting an apartment. Even putting aside the price of hidden cameras, you have one “room” with one (or a small few number of) guest(s) who stay for months or possibly years at a time. Not to mention you have a very limited number of people who have access to the space: the office staff and a couple maintenance guys if we’re talking about a corporate property. If we’re talking a private landlord, they’re probably the only person with consistent access. This means you’ve got one person (or a very small number of people) who can be easily blamed and reasonably sued and the odds of renting to that one person who’s worth blackmailing is almost nonexistent. You might get a dude (male nudes aren't typically highly sought after) or someone considered unattractive by conventional standards. Even if they are attractive, part of the effectiveness of the scam comes from the idea that I'll publish this footage attached to your real name, and if you're traveling you're likely a professional who doesn't want that showing up on a Google search. Renting a home to randos, your odds of finding that professional are also less common. If any landlord actually tried this scam, I’d laugh hysterically reading the article about their trial.

I’m not saying it doesn’t happen. I’ve read the Florida Man stories. Epic stupidity certainly exists. I’m just saying that we’ve now gone from the likelihood of “I might get hit by a car every time I get near a road” to “I might get attacked by a shark while visiting the aquarium.” The answer to the question “why would I find cameras” is “you probably wouldn’t.” You might argue that the landlord might place cameras to prove property damage, and sure that’s possible, but the risk just doesn’t seem worth it. They already have a lease saying you’re responsible for anything that happens to the property between the date you move in and the date you move out, there’s no need for cameras. Again, people don’t spy just because they can. That’s just time and money wasted on buying a camera, placing it, making the paperwork legal (or risking a lawsuit if they don’t), recovering and managing the data, etc. It’s easier just to take you to court and go “here’s the lease with their signature.”

The Larger Picture

Let me be clear: I don’t think OP was stupid to ask that question. I’m glad that they think outside the box and consider the possibilities and ask when they’re not sure. But the bigger idea I wanted to share with this story – and what I hope OP learned that day – was the title of this post: people don’t spy just because. There’s always a reason. Again, often that reason is invasive, but the moral I wanted to impart here is that next time you find yourself thinking some extreme threat model thoughts – like “what if a hacker takes over my car while it’s on the highway?” for example – take a moment to ask yourself “why would they go through all the trouble?” Sometimes the answer is “because there’s money to be made and it’s easy.” But sometimes, the risk and the work just isn’t worth it. Again, surveillance is real and common and ubiquitous and far too overreaching. But when it comes to the high-level stuff, remember: people don’t spy just because.

iOS 2FA Apps Review 2021 (or Raivo OTP: The Only iOS 2FA App Worth Recommending in 2021)

July 24, 2021

Software two-factor apps are a funny thing. They all kind of do the same thing. Having said that, I managed to find one that shines above all the others for iOS: Raivo. So this week, I’ll review that and explain why I recommend it.

2FA: What to Use?

First off, let me remind all my readers that if you’re using SMS two-factor authentication, you need to stop. Go check your account right now and see if you have a better option. In some cases you don’t, and in those cases SMS is better than nothing. But the vast majority of sites these days offer app-based or even hardware-based two-factor, and if the site you’re using does you should use that without a second thought. In a perfect world, hardware 2FA is ideal, but this isn’t always feasible for everyone. For example, you may not have the spare USB space, or the token you want may not be something you can leave plugged in 24/7 meaning you might forget it. Most people don’t forget their phones, so for most people a software 2FA app is the sweet spot.

Why Raivo?

As I said before, there’s a ton of two-factor apps out there and most of them are very similar. In some ways, that makes picking the right one easy. While I have three criteria that apply to iOS 2FA apps, we only need two to really isolate Raivo as the best choice. First, we want something open source. I’ve preached time and time again on why open source is superior even if it’s not perfect. That automatically rules out a ton of apps. Second, Raivo offers local backups without using Apple’s built-in backup feature. A few years ago, my at-the-time 2FA app crashed while I was attempting to add a new account, and it wouldn’t open back up, meaning I had lost all my 2FA codes. For the most part I was able to get these reset, but in a couple cases I was unable to meaning I lost those accounts forever. As such, backups are very important to me now and I want everyone to have that feature. Thus, the only winner left standing: Raivo. (The third criteria, for those who care, is to be actively maintained. Raivo was last updated last month as I write this, so it is maintained.)

The Good

One thing that sets Raivo apart in my opinion was the wealth of icons in the library. Rather than phoning home to pull a Favicon or picking a predetermined icon for you, Raivo appears to respect your privacy by letting you pick an icon. This is actually even more helpful because some sites have multiple icons, and sometimes you have to have multiple accounts. For example, I have a personal Gmail account (I’ve had it for almost ten years and it’s in my real name, so even though I don’t use it I keep it just in case) AND a work email that’s managed by Google, so I can assign them each different Google icons to help me more easily keep track of them. They even have a pretty extensive library of icons for popular privacy respecting services like Proton, Brave, Cryptomater, Mastodon, SimpleLogin, and more. Another cool feature is that your vault is password-protected, so that can give you a second layer of security for your accounts by making a password or PIN that’s separate from your phone’s login PIN or password.

The Bad

Personally my biggest complaint is the fact that the password protection is mandatory. I have the mentality that if my phone has been unlocked, I’m already in trouble and using different passwords for different apps will probably not do me any significant good at that point, so the password lock is more inconvenient to me than helpful. There’s also some privacy services that I’m a little surprised not to see present, like CTemplar. But other than that I honestly don’t really have any complaints. It’s a nice-looking app that works great and I’ve yet to have any issues with it.

Conclusion

I don’t have much to say this week. As I’ve said, 2FA apps are all pretty similar. The main thing that really sets Raivo apart for iOS is the backup feature, but as I said that’s not the only thing. The password-protection and icon selection also make for a pleasant experience that makes it very user-friendly. If you’re an iOS user, I strongly encourage you to check it out if for no other reason than that you can make those backups. Learn from my mistakes.

You can download Raivo for free in the Apple App Store here.

Critical Thinking 101

July 17, 2021

In life – and the privacy and security communities – we are constantly assaulted with a variety of conflicting information. I’m sure there’s no need to give examples, you can find plenty of them just by reading the news or cruising the Privacy subreddit. This week, I want to write possibly my most important blog topic: Critical Think 101, or “how to evaluate a claim.” Don’t let the title fool you, this is not going to be a condescending, partisan politics post about how [insert group here] is dumb and you just need to use common sense. Instead I’m going to give you real, practical steps that you can use in almost any situation to help determine if a person and their claim are worth considering. Please note that this process may not always give you a definite “yes” or “no” on whether a claim is true or not, but it will help you weed out a lot of low-hanging fruit and can be part of your process when deciding whether or not to believe something.

Step 0: Solipsism, Certainty, & Standards of Proof

We need to get something out of the way right now: it is literally impossible to ever be 100%, truly, “come down off a mountain and found a religion” positive about anything. Have you ever heard the famous phrase “I think therefore I am?” It was said by Rene Descartes while he was attempting to determine the nature of reality. Suppose you sat down and decided “I want to prove beyond any doubt what is real.” Am I [Nate Bartram of The New Oil] real to you, the reader? Maybe not. Maybe I’m a VERY well programmed AI, complete with deepfake videos on Surveillance Report and all. Is this blog post real? Maybe not, it could be a glitch on your device. Is your device that you’re reading this on real? Surely, right? After all, you’re holding it in your hand, you can feel it. Not necessarily. Maybe you’re hallucinating. Maybe your home is a hallucination, and your loved ones. You could be in a coma right now, or a brain in a jar being stimulated with electricity by researchers to see what happens. At the end of the day, the only thing you can truly be certain is 100% real is your sense of self, the fact you are perceiving something and that you are conscious. What you are perceiving may be a hallucination, it may not be real, but the fact that you are conscious at all shows that if nothing else, you are real. This is called solipsism. I apologize if I just gave anyone an existential crisis. At the end of the day, I personally do not believe in solipsism and I don’t think it matters either, but the point is that in the most extreme sense of the word, we can never be certain that anything is real.

When it comes to deciding if you believe something, you base that on the “standard of proof,” which could also be called the evidence, the argument, or any number of things. The standard of proof is the level at which someone has presented enough evidence or logic that you say “okay, I believe that.” The standard of proof for a claim should vary depending on the claim. Again, there are some people who demand unrealistic standards of proof, like the infamous “if X is open source, how do we know the-company-behind-X isn’t running a different version on their servers?” At the end of day, a person can always raise their standard of proof to unrealistic levels to the point where you can never meet it and therefore never convince them otherwise. This is a common meme both in media and real life: someone admits they made something up, the believers respond by saying that person was paid off or intimidated into a false confession. The standard of proof is too high to ever be met.

I encourage you to find a balance between the fact that you can never be truly certain and the severity of the claim. It’s a lot like threat modeling: if you tell me that you’re a professional plumber, I’m not going to demand a lot of proof given that the stakes aren’t very high. If you tell me that Matrix has a backdoor, I’m going to demand a higher standard of proof. It is with these two important points in mind – the lack of achieving true certainty and the fact that standards of proof rightfully shift – that we can now move forward. Remember these as I go.

Step 1: The Claim

The Earth is flat. The Moon is made of green cheese. The CIA can read my thoughts. These are all claims that are blatantly ridiculous, and we know this because they are proven, scientific facts. Now look, I know that to some, science itself is suspect these days but as I said above we have to accept that we can never truly be 100% certain of anything. That said, when someone is making a claim, the first place to start is the claim itself. Does this claim contradict proven, repeated evidence? Let me cite a common example: “Signal is a honeypot because it’s an American company.” This claim rests on the idea that because Signal is based in America – a country that is openly hostile towards end-to-end encryption – and because it’s centralized that it therefore must secretly be spyware and that using it is no better (or arguably worse) than just using regular SMS. However, baring any new evidence (which we’ll discuss in a second), this claim is easily disproven. Signal is open source and wildly popular, meaning that many, many experts have laid eyes on it. Numerous experts from across a variety of fields, companies, and levels of experience (this will also be covered later) have all stated that there is no indication in the source code of Signal’s client app that there is any kind of vulnerability. This means that even if the servers were compromised, the messages are still secure. The only way the message could be compromised would be at the device level – if your phone had a keylogger or something like that. This is a claim that has been tested and proven many times over during the course of many years. In fact, we can even go a step further and look at the infamous Vault 7 CIA document leaks and see that the US intelligence community has spent considerable effort attempting (and failing) to crack Signal and find workarounds to circumvent their encryption. If Signal was a honeypot, why would they do that?

Now of course, as I said, there will always be the people with a standard of proof that’s unreachable. Those people will say “maybe all those researchers were paid off” or “maybe Vault 7 was disinformation.” Personally I find that these suggestions make the security of Signal even more likely because of the additional unlikeliness and assumptions required: you have to assume that not a single one of those researchers is ethical, that the ones who were have somehow been COMPLETELY silenced or overlooked, and not to mention this is all stuff that can be verified by any given individual who cares to learn the programming language and examine the Signal code themselves.

This blog post is not meant to be a defense of Signal, but this is a good example: the claim itself can’t stand up scrutiny. There is years of evidence from multiple credible sources that disprove it right off the bat. Unless the person making the claim is presenting new evidence, then the claim itself is probably safe to discredit and ignore. On that note:

Step 2: The Evidence

Suppose, in the Signal example, that the person is presenting new evidence. In fact, they kind of already presented some in the claim: “because Signal is an American company.” Not all evidence is equal or valid. In this case, the person’s evidence is that American companies all inevitably have encryption backdoors. While that specific claim is untrue, it’s a valid concern and it has precedent. Popular messaging platforms like Clubhouse, Facebook Messenger, Skype, Reddit, SMS, and others are not end-to-end encrypted and the providers frequently keep message content for at least a certain period of time. All it takes is one court case and a subpoena for Verizon to turn over all your SMS messages – plus content – to the court to be read aloud in public. But then there’s also the hidden programs like the infamous PRISM program in which the US intelligence community paid companies like Apple, Google, and AT&T for direct, backdoor access into their databases to pop in any time they wanted to collect whatever data they desired. The UK had their own version, TEMPORA, which involved physically splicing into the country’s main internet cables so the government could make a copy of every single piece of internet traffic that passed through the country. And recently, several western countries teamed up to make an “encrypted” messenger with the sole purpose of infiltration criminal groups, all the while it was backdoored and submitted decrypted message content back to authorities. With evidence like this, it’s not hard to see why someone who say that any American-based service is compromised by default.

This brings us the importance of evaluating multiple parts of the claim. While Signal is indeed an American company and that does warrant scrutiny, further evidence has shown that despite Signal’s country of origin, it is likely safe and secure. Suppose the evidence for the claim was new. Suppose the claimant said “because Signal is a UK-based company” or “because Signal sold to Amazon.” These are not true, and if the person is making this claim then they need to provide new evidence to back up that claim such as reputable articles, a company blog, or some sort of public record documents that were filed like a transfer of ownership document with the state. So just to sum up and be clear: sometimes a claim may seem outright ridiculous (“the medical community killed black people just to see what would happen”), but that doesn’t mean you should dismiss it on that alone. You should also examine the other factors, like the person making the claim or the evidence.

The Claimant

The final piece of critical thinking that must be examined is the person making the claim. Now let me be clear: this is NOT the same as an “ad hominem” attack, which is Latin for “to the person.” You’ve likely seen this, and if we’re all being honest we’ve all probably done it in fits of emotional outburst. Let’s keep rolling with the Signal example and let’s pretend I’m the one making the claim that Signal is compromised on account of its American origins. An ad hominem attack might be to point out that I’m openly critical of the federal government and therefore I’m biased. Or to cite my recent interview with Session as proof that I’m trying to knock Signal down a peg to promote Session instead. Or, since in reality I do encourage the use of Signal, you might argue the opposite: because I’m an American I would be loyal to my country and refuse to admit the possibility that Signal might be compromised on that grounds alone.

An ad hominem attack in common usage refers to attacking the person without validity. It’s the fancy equivalent of calling someone a buttface because you didn’t like what they said. But there is, in fact, a way to evaluate a person in a valid, ethical way. Technically this can be broken up in a number of different categories, but in my opinion it all comes down to one broad factor: qualifications. Qualifications are made up of a number of factors that aren’t always necessarily equal or important. For example, education is one. If I’m making the claim that Signal is broken, do I have any education as a cryptographer? A programmer? Did I go to college for it? Did I graduate from MIT or community college? Of course, education alone is not the end-all-be-all. There are many incredibly talented individuals in a variety of fields that are self-taught, and there’s also tons of Harvard and MIT graduates who barely scraped by with C’s and never really did anything exceptional (or at all) in their field of study. This is why I say that qualifications are made up of several factors and that they’re not always equally important. I want my doctor to not be self taught. My app developer, on the other hand, I’m less concerned about. Other factors in the “qualifications” category include things like experience – have they been in this field for ten years or ten months? – and reputation – is this person generally regarded as someone who knows what they’re talking about or are they widely considered a crackpot who’s good for little more than entertainment? It’s also worth considering the person’s possible conflicts of interest, like employer. If ProtonMail releases a study touting the efficacy of PGP, Proton is based on and heavily uses PGP so they have a conflict of interest. Of course they want to say why PGP is good and downplay (or ignore) any evidence that it’s bad. As discussed before, this doesn’t mean they’re wrong and you shouldn’t ignore the claim on this alone, but it’s worth keeping in mind when researching the claim.

Personally I also find it important to separate information about a person based on relevance. For example, let’s say the person making the claim that Signal is bad is an alcoholic. Does that matter? In my opinion, not really. As long as they were sober when they did the research and presented their findings, what they do in their free time is none of my business. Personally I think that’s about as relevant as their sexuality or gender. On the other hand vices like alcohol, drug use, sexual lifestyle or interests, these could potentially (“potentially” being the key word) indicate things like blackmail or sloppiness (hence my “was the person sober when they did the research” caveat), and they tend to be used to smear a person even if it has no bearing on the claim (ad hominem). This is why intelligence communities often look into things like sexual orientation or history of addiction in potential applicants – they want to know if you can be blackmailed by the enemy for things like cheating on your wife or gambling away your kid’s Christmas budget in Vegas.

Caveats

Toward the beginning of this post, I mentioned that the standard of proof can vary, but so can your level of belief in something. For example, I said in my recent interview with Opt-Out Podcast that I firmly believe that Apple can see everything I do on my phone despite having no evidence. Well, that’s not entirely true. I base that claim on the 2014 Documentary “Terms And Conditions May Apply,” in which they demonstrate how digital forensics tools can in certain cases be able to recover the exact keystrokes from your device. If third-party tools can do that after the fact, why wouldn’t Apple be able to in real time? It is for this reason that I don’t trust my phone, but honestly other than this single documentary I don’t have any real proof. I don’t have any leaked Apple memos, any news stories about this, or anything like that. I’m basing all of that off a single story from a person who I know almost nothing about. I believe this claim, but I’m also willing to admit that I’m wrong. My level of belief, if I had to put it on a scale of 1-10 (1 being I don’t believe it at all and 10 being I’m certain of it), I’d say I’m about at a 7.

The point is that you can think something is likely without being convinced of it, and vice versa. You can always change your views as more information comes to light later, and in fact you should. You don’t have to be totally certain of something. You can evaluate a claim, the evidence, and the person making the claim and still walk away going “I’m not really sure, honestly.” As I said at the beginning, the point of this post is not to tell you what to think or how to be certain of something, but rather it’s to give you some tools to help with that process. I see far too many people in all areas of life believing claims at face value. There’s never anything wrong with critical thinking. Now go forth and think great thoughts.

The Best Password Manager in 2021

July 10, 2021

Password managers are – thankfully – becoming a mainstream topic. In addition to seeing commercials for certain ones from time to time, it’s becoming more common for me to attempt to spread the word about good passwords only to be met with something like “oh I already use LastPass/Dashlane/1Password/etc.” While it’s good for consumers that there are more of them available, that also makes it rather difficult for people to know what’s best. This week, I’d like to weigh in on this subject. While I will admit that I purposely formatted this blog title for SEO, I am writing this blog on the assumption that you understand the basics of what a password manager is, what it does, and why it matters. If you’re not sure, I encourage you to skim this page of my website quickly and come back.

Criteria

I’ll cut right to the chase: the only two password managers I recommend are Bitwarden and KeePassXC. The first criteria I use to recommend password managers is that they are open source. See this page on my website all about what open source is and why it matters to me. This automatically rules out most of the “mainstream” providers like LastPass, Dashlane, etc. My second criteria that rules out many of the other open-source projects it that they must be cross-platform – that is, they must be available on Windows, Mac, Debian-based Linux, Android, and iPhone. There are some other criteria, which you can view in full here if you care, but those main two will likely answer the inevitable “Why isn’t X listed here?”

Privacy Policy

Bitwarden

Bitwarden’s privacy policy is admittedly not great. This actually serves an excellent example of having security without privacy (I’ll get to Bitwarden’s security in a moment). Visiting the website will automatically result in standard data collection like IP address, cookies, and other automatic identifiers (and needless to say, any other information you knowingly submit like contact forms). They do admit to third-party sharing for the purposes of improving the product, processing payment information, and other such services. The website is also riddled with Google fonts, Cloudflare, and other services that are generally frowned up on in the privacy community for their poor privacy practices, meaning there’s a possibility that those sites may be tracking users even though Bitwarden themselves do not. The policy does not explicitly state but does suggest that app usage is also collected. According to the Apple privacy label, this appears to be limited to crash data.

On the plus side, it does appear that Bitwarden's tracking is limited to their site – in other words, they don’t try to aggregate information about you from other sources to identify you specifically. While this is probably more data about you than they really need, it does seem to be primarily limited to data they want for the purpose of improving the service. They explicitly say in the policy that they ignore Do Not Track signals as they don’t track you anyways. Their mobile app also appears to collect limited data according to the Apple Privacy Label, but unfortunately this “limited data” does include unique identifiers, specifically your Device ID. While I understand the value of this data in regards to security, I suspect they could ignore this information to better preserve privacy if they wanted to.

KeePassXC

KeePassXC’s privacy policy is a lot better. Visiting the website will collect information like partial IP address, browser data, referrer data (if any), and location determined by IP address. On the plus side, the policy explicitly states it will never be shared with third parties (I assume this does not apply to valid law enforcement requests) and is deleted after 90 days. Additionally, they admit to respecting Do Not Track headlines, meaning that if you have that box checked in your browser, no data will be collected in the first place. And even furthermore, KeepassXC only ever contacts the internet on two occasions: to check for new updates, and to pull a website’s favicon (if you request it). No usage analytics are ever submitted (one could argue that auto-checking for updates creates a usage pattern, though personally I view this as a very small, worthwhile risk for most people). For mobile, forks of KeePassXC are used instead of actual Keepass XC. I recommend KeePassDX for Android and Strongbox for iOS. Strongbox explicitly states they collect no information, while KeePassDX’s privacy policy redirects to the official GNU GPL 3.0 license, which tells me they likely have similar practices.

Security

Bitwarden

Bitwarden is cloud-based, which means that you’re automatically opening up some degree of risk by default. However, the database is protected with AES-256 encryption – currently one of the standards that at this time has no known weaknesses – and your password is salted and hashed with bcrypt, which is also considered the current strongest hash algorithm for passwords. For my non-techy readers: they take your security really freaking seriously. The only known weakness at this time would be the master password you use, so make sure you’re using a strong passphrase and two-factor authentication. While it is important to note that nothing is unhackable and keeping your vault in the cloud with Bitwarden is inherently a risk no matter what, at this point in time I would argue that if you’re using a strong master passphrase and two-factor, the average person has nothing to fear on the security front from using Bitwarden.

KeePassXC

KeePassXC’s vault is also encrypted using AES-256. KeePassXC has the advantage of being locally stored, entirely independent of the internet. This means that unless you choose to upload your vault to a cloud service, you have virtually no risk of vault compromise. However, it is important to note that you should keep secure backups as you still run the risk of having your vault get corrupted, being lost if your computer dies, and of course having locally-stored files won’t save you from a compromised device so be sure to take proper and appropriate device security measures overall. I would also encourage the use of a strong passphrase with KeePassXC simply as a precaution, though the odds of needing it are much lower than with Bitwarden (depending on your situation).

Other Features

Quite frankly, Bitwarden and KeePassXC are almost identical in terms of features and functionality. For that reason, I’ll just go ahead and list all the major features and differences here in one section. Both allow you to generate random passwords or passphrases, both allow you to specify the criteria for those passwords (length, special characters, etc), and both will allow you to store your two-factor keys in the app for a more convenient login experience (for Bitwarden this is a paid feature and for KeePassXC this does require a small degree of manual expertise from the user. Regardless, be aware that this does make your password vault a “single point of failure” and therefore this feature should be used cautiously). Bitwarden does have a secure file send feature they recently rolled out for premium users, but I personally have never used it as this isn't something I expect of my password manager and I already have other methods for doing that anyways. I would say the only difference between the two in terms of features and function is the user interface: Bitwarden is very sleek, very modern, very pleasing to the eye, and very easy to navigate. KeePassXC looks a bit more outdated, a bit older, a bit more rough, and some of the more advanced features can be confusing and intimidating (fortunately most users don’t have to worry about these features and can safely ignore them). Both services also allow for a browser extension to easily login to websites. I recommend keeping your browser extensions to a minimum, but that’s useful for those who have come to rely on such features. It's also worth mentioning that Bitwarden does have a paid teams feature, so if you run a company then Bitwarden would be the clear winner here as they make it incredibly easy to integrate multiple users into the same shared vault so that you can use strong passwords at work while still giving access to everyone who needs those sites or accounts.

Ultimately, for individuals, you can’t go wrong with either of these options and which one you should pick depends on your threat model and your lifestyle. If you have a low threat model – that is, you are unlikely to be specifically targeted by an individual or organization – and you value convenience, Bitwarden is probably the right choice for you with their single app, synchronization across all devices, and sleek user interface. If you have a higher threat model (or you simply distrust the cloud), you’re willing to do a little extra work, you don’t mind a slightly outdated design, and/or you’re more techy, then KeepassXC is right for you. Whichever one you use, remember to use a strong passphrase (and two-factor for Bitwarden), keep good backups, and you should be pretty well protected. Now go forth and create strong, unique passwords everywhere.

Staying Informed Without Big Tech

July 3, 2021

A 2019 study from Stanford University challenged a random sampling of Facebook users to quit the site for a month. The results were mostly positive: people felt happier, interacted with friends and family more, and were less polarized in terms of news and politics. I often encourage my readers to ditch mainstream social media like Facebook, Twitter, TikTok, and similar sites if at all possible, as I have also felt those same effects. Particularly I noticed that my conversations with friends and family became significantly more meaningful and felt more genuine and sincere. But there was one major downside the study found that I also noticed: people felt less informed. While we all know that Big Tech is feeding us selective headlines based on our algorithms, it can still be helpful to get even a few major, biased headlines to help us know generally what’s going on in the world. When you give up social media, that information is no longer fed to you, and it becomes your job to find out how to stay informed. So this week, I want to share what works for me to help stay informed without sacrificing my privacy so much.

Newsletters

An obvious method we often forget about is newsletters. Most organizations that you may want to follow – like non-profits and companies – offer newsletters. If your first reaction to that was “ugh, my inbox is already cluttered,” then you will have to go through and start unsubscribing to stuff. Once you do that, I encourage you to use an email masking service (so that you can burn the address if it gets breached or starts spamming you) and start signing up to newsletters you care about. Feel free to unsubscribe to any of them if you stop caring. The companies won’t hound you, I promise. They’re focused on other stuff.

Bonus tip: most email providers offer folders and rules that allow you to keep your inbox organized. For example, as a freelancer I have certain recurring client emails automatically drop into a freelance folder. That way I can open that folder and see ONLY emails pertaining to work, clients, contracts, upcoming events, etc. I don’t have to see that folder interspersed with a bunch of newsletters, personal emails, etc. Likewise, you can create a folder and have all your newsletters go straight there so you can check them at your leisure and/or keep them out of your main inbox so it doesn’t get cluttered.

Please note that many emails of all kinds – not just newsletters – come with tracking pixels and analytics built into them. Make sure you have your email client or inbox set to not load remote content automatically and instead load it manually. This will prevent much of this tracking and give you a much more private experience.

I’m a big fan of Mastodon. It’s like a privacy-respecting Twitter. I’ve met some really cool people, seen some neat ideas, and overall had a positive experience. One cool thing about Mastodon is that many people have created mirrors which basically just copy and repost content from Twitter. There’s several BBC News mirrors, for example, so I can still subscribe to BBC if I wanted to and get their tweets. Some privacy-conscious companies even manage their Mastodon directly, like Tutanota and Nextcloud. This is not limited to Mastodon. For videos, some people cross-post or mirror their content from YouTube to PeerTube. This isn’t always a guarantee, but it’s worth looking into. You’d be surprised sometimes what has been mirrored or has a fediverse account.

RSS

Alright, this is the power-user option where you’ll probably get the best results. It sounds harder than it is, so don’t panic. RSS stands for Really Simple Syndication, and it used to be all the rage back in the mid 2000s. These days it’s less common, but still widely supported. First, you’ll need an RSS reader. Unfortunately there’s not a lot of open source, privacy respecting options here. As far as I know, there’s only two: Tiny Tiny RSS and Thunderbird. I personally lean toward Thunderbird as I tend to use it for email as well, so it kills two birds with one stone, but admittedly it’s not the prettiest solution. At any rate, for most websites I simply search “[website name] rss” and that usually pops up a direct link to their feed. For example, here’s a Brave Search for “Wired RSS”. Most websites don’t advertise their RSS feeds anymore, so I’ve found this to be the most direct and least-frustrating way of finding it. From there, you can add that link to your RSS reader of choice and set the options to your liking: how often to check for new stories, how far back to keep old stories, etc.

But wait, there’s more! You don’t need to limit your RSS experience to just news sites. I also use RSS to keep up with Twitter accounts, subreddits, and even YouTube channels. Let's start with Reddit because that one is easiest. Simply go to the subreddit you wish to follow, such as the Privacy subreddit, and add “/.rss” to the end and add it to your reader: https://www.reddit.com/r/privacy/.rss. There are additional tips you can add here, such as to only pull the top posts each day if you’d like to filter out some of the lower-level content. Michael Bazzell talks about some of these configurations in his own podcast episode about RSS here.

For Twitter, you’ll need to pick a Nitter instance. Any instance will do so long as it’s reliable. Then you find the account you wish to follow. In this case, we’ll use mine as an example. Then you’ll add “/rss” to the end and add it to your RSS reader: https://nitter.nixnet.services/thenewoil1/rss. Bam! You are now following my Twitter account without needing an account of your own! (Note: I encourage you to follow me on Mastodon, instead. It’s the same content. I only use Twitter so I can schedule posts and mirror them to Mastodon.)

YouTube was a little trickier and took me some time to track down. In this scenario, we’ll use The Hated One, a popular YouTuber who produces content about Big Tech and privacy. After a lot of searching, I found the following code that seems to work for me: https://www.youtube.com/feeds/videos.xml?channel_id=Channel_ID. Where it says “Channel_ID,” we’ll replace that with the link at the end of The Hated One’s channel from above. It now becomes https://www.youtube.com/feeds/videos.xml?channel_id=UCjr2bPAyPV7t35MvcgT3W8Q. So that means to make that link work with any channel, simply copy the channel ID. For example, Techlore’s YouTube channel is https://www.youtube.com/channel/UCs6KfncB4OV6Vug4o_bzijg, so the new RSS link becomes https://www.youtube.com/feeds/videos.xml?channel_id=UCs6KfncB4OV6Vug4o_bzijg. My own channel is https://www.youtube.com/channel/UCH5DsMZAgdx5Fkk9wwMNwCA, so my RSS link would become https://www.youtube.com/feeds/videos.xml?channel_id=UCH5DsMZAgdx5Fkk9wwMNwCA. (Alternately, you can just get the RSS link directly from my PeerTube channel with no trickery or fuss.)

Podcasts

Last but not least, let’s not ignore podcasts. Many news outlets – and a variety of other creators and brands – offer regular podcasts, ranging from twice a day to once every other week, where they share top stories. This can also be a great place for you to get your information, especially if you’re on the go and rarely have time to sit down and sort through an RSS feed. Unfortunately the podcast landscape is getting invasive. Spotify and Apple are the two biggest podcast apps, and both of those are already quite invasive (with Spotify becoming more and more so each year). Spotify is even going a step further by offering many podcast series contracts to become “Spotify exclusive,” further locking listeners into their data-sucking monopoly. Many privacy-respecting podcasts share RSS links so you can listen to them without the invasive tracking, but again we’re now back in that same position of using an RSS reader. Of course, you could always download the episode and upload it to your media player of choice for listening on the go, but that may be more than some readers are willing to do. The point is: podcasts are an option, but they are not without privacy risks. Beware.

Conclusion

That’s all there is to it, honestly. Those are all the tricks I personally use to stay educated. RSS is my main option, as it gives me the chance to sort through things on a protected desktop environment at my own pace, but as with everything in privacy that may not be right for everyone. If I missed any tricks (or RSS readers), feel free to let me know. Good luck out there and stay safe!

I Was Supposed to Review Mailbox.org This Week.

June 26, 2021

I ended up delisting them. So instead, I want to take this week to remind both my readers and myself about the mission behind The New Oil and to make sure I'm staying true to that.

Why Delist Mailbox.org?

Mailbox.org is a perfectly fine service. In fact, I’ve even had some readers argue that Mailbox is a better choice than Proton or Tutanota for… reasons? I didn’t really get their argument, it was confusing and circular, but the point is there is nothing wrong with Mailbox.org. So why delist them? Because zero-knowledge and PGP were not activated by default and actually required some intentional setup on behalf of the user. Just as how many critics say that Telegram not enabling end-to-end encryption by default lulls inexperienced users into a false sense of security, I think this falls into the same category. This is not a problem for my more advanced readers, but it can very confusing and overwhelming for newbies, and while I welcome advanced readers and value your feedback, frankly The New Oil isn’t aimed at you.

The Vision

I’ve once heard it described as “The Grandparent Test.” This doesn’t appear to be a popular phrase, but I think it should be. The Grandparent Test asks “can your grandparents get started and continue using it with little or no help?” I think most of us have at least some firsthand experience with helping someone who is not tech-savvy get started on something. Maybe you had to help fix Excel for your coworker or show your grandma how to send an email. As someone who’s been moderately techy my entire life, I have had many of these experiences. It only got more common as I became a privacy advocate: helping people find Signal in the app store, helping my mom try Matrix, etc.

My goal for The New Oil was and is, ultimately, to pass The Grandparent Test. I mentioned in a recent Decentralize Today blog post that at the time I started TNO, I was not aware of any websites that offered comprehensive, user-friendly information. PrivacyTools.io was – and largely is – a list of tools with no instruction or context. Michael Bazzell is at times too hardcore and makes his money from book sales so the information wasn’t freely available (you can learn a lot from his podcast but it’s still not comprehensive). I couldn’t direct my mother, grandmother, brother, or anyone to any of these sites and say “here’s a starting point to learn at your own pace.” They needed me to translate, which was inconvenient for both them and me. I wanted to create a website that said “hey, you know nothing? Cool. Here’s what you need to know to get started” and people could move at their own pace.

I also wanted to stop there. I know firsthand – and I’m sure many of my readers do, too – that if you try to create a tool that does everything, you end up creating a tool that does almost everything but really poorly. It’s best to create something that focuses on solving one specific problem, and refine that tool until it solves that one problem really well. This is why The New Oil doesn’t offer tips on how to adjust the about:config of your Firefox browser, how to use uBlock’s advanced mode, how to use virtual machines, or any of that stuff (although I would look to create an “advanced tips & tricks” series of videos on PeerTube in the future that covers this sort of stuff). I want to help people who don’t understand digital privacy to understand it and get started and that’s it, no extra information or overwhelming optional stuff. Personally I think I do that well. If you disagree, I recently open sourced the website. Feel free to submit an issue for suggested improvement. So why did I delist Mailbox.org? Because it wasn’t user-friendly. It’s a fine service, and I see no reason that my more advanced readers shouldn’t use it or should switch, but I wouldn’t feel comfortable telling my mother to use it because it would be too easy for her to overlook changing the PGP settings and then having a false sense of security.

Reviews

This also brings up an issue I’ve been tossing around in my head for quite some time: consistency and criteria. During a discussion with one of the community managers of PrivacyTools, they pointed out that I didn’t have any kind of publicly listed criteria for how to I decide what tools to list and what tools not to. They made a really good point, and that’s been on my mind ever since. And to their defense, I didn’t really have a criteria. I knew I wanted to go with open source whenever possible (the VoIP section is pretty much the only one that doesn’t meet this criteria), and I mainly base my recommendations on tools that have been vetted and have a good reputation in the privacy community. Of course I did my own research, too, but there was no hard and fast “here’s the rules.” So, thanks in no small part to the feedback from my wonderful Matrix community, I’ve decided to remedy that. I have added a Wiki on GitLab explaining the criteria I use to judge each section and what allows an app to be listed on my site. Furthermore, the review criteria for my twice-monthly reviews are in the process of being standardized and will be posted in each review, as well as being available on the GitLab Wiki. As always, if you have any suggestions, feel free to share.

Cool Privacy & Security Toys for Father’s Day

June 19, 2021

I apologize. Last month for Mother’s Day I wrote “Mom’s Guide to Online Child Safety,” a post meant to capitalize on the holiday (as I often do). This of course meant that in order to be equal, I had to do something for Father’s Day. While fathers of course love their children just as much as mothers do, I had already done that topic. So instead my mind went straight into the cliché of “cool toys for dad.” I’m sorry. I hate the stereotype of of the manly dad who tinkers with tech and power tools and all that crap while mom just makes breakfast and cleans. Women can be techy, too. Nonbinary people can be techy. (And men can cook and clean.) I’ve met girls who know more about tech than I’ll ever forget. All that to say: I apologize for perpetuating stereotypes and gender roles. Gender roles suck and they’re dumb. Moms can enjoy these items as much as dads. I’m sorry for not thinking ahead and playing into the stereotypes. Having said that, I still think this is a cool blog idea worth sharing, so I’m gonna lean into it.

As my long-time readers probably already know, I don’t believe that privacy is an app, product, or service. I think privacy is a lifestyle. It’s about making decisions that protect your data, like “I want to protect my messages” or “I’m going to pay in cash.” It’s not about the app: it’s about the reason for using the app and how you execute the usage. Having said that, apps are fun. Toys are fun. Gadgets are fun. And they’re not always mutually exclusive. There are plenty of apps, toys, gadgets, gizmos, whosits, whatsits, kerjiggers and more that can help enhance your privacy and/or security. Here’s a few such toys that aren’t necessarily “must haves,” but they’re cool and fun and can take your journey to the next level. Many of them will require some work to set up, but if you like a challenge, consider these for your next purchase or gift. As usual, these are in no particular order.

Flashing a Custom OS

Most of our lives are dominated by two or three choices of operating system: Mac or Windows, iPhone or Android. But almost all of your electronic devices can actually be modified with custom, open-source operating systems (OS’s) that open up a world of privacy, security, and new features. I will list these in order of easiest to hardest based on my experience.

Desktop

Unless you use highly specialized software, Linux can do everything that a mainstream OS can do: save and open pictures, save and open movies, access the web for streaming, emailing, word processing, you name it. For most people, I recommend Debian as it has the easiest support for common programs like Discord, Slack, and gaming. However, Fedora does offer better security, so if you’re feeling up to the challenge, definitely look into that. It should still be able to support all the common programs, but it may require a little more work. (Even if you do use specialized software, I encourage you to consider dual-booting. I'll discuss that another day.)

Router

There are a few variations of Linux available for various routers. My personal favorite is DD-WRT. According to my research, it has the most support both from the community and the number of routers it can work with. DD-WRT can take even a relatively inexpensive home router and turn it into a pretty powerful enterprise-grade router with pages upon pages of settings and features. You can create a powerful firewall, segment your whole network into VLANs, load up a VPN to cover the network (or certain parts of it), and much more. I’ve had mine since Christmas and I’m honestly still learning my way around it. This should keep you occupied for a while unless you have an extensive background in networking.

Mobile

This is the holy grail of privacy for many. Putting a custom ROM on your phone will remove all the tracking from companies like Apple and Google (unless of course you choose to download their apps afterward) and will remove the “bloatware” of preinstalled apps. My recommended ROM is Calyx OS, which offers a blend of high security and usability. Keep in mind that this won’t make your phone untrackable – your cell carrier will still track your phone via location data – but it will reduce the amount of tracking and telemetry by A LOT.

Honorable Mention: Pine64 Devices

If you like the idea of de-Googled/de-Appled devices but want something a little less risky or involved, consider Pine 64 devices. Pine64 sells the PinePhone, PineBook, PineTab, and PineTime for a complete Linux ecosystem replacement for your current smart devices. As an added bonus, there are several community-driven projects that cater specifically to Pine64, meaning that if one operating system isn’t your cup of tea, there’s about half a dozen others to choose from. And they’re all made specifically for Pine64 devices, so they’re almost guaranteed to work and if they don’t, there’s a thriving community ready to help.

Hardware 2FA Tokens

If you’re ready to take your account security to the max and you don’t mind tinkering a bit with configuration, hardware keys are top of the line. You may be familiar with the brand Yubikey, but there’s also three open source options called OnlyKey Nitrokey and SoloKey. These will take some work to set up, and I always recommend buying them in pairs to keep the second as a backup (configured, of course), but once you have these configured your accounts will be about as secure as you can possibly make them. In fact, this is one way that Google has managed to avoid any major data breaches in all their years: all employees are required to use a Yubikey on company accounts. You can even program your computer to require a hardware key to unlock for the ultimate in device security (and with the OnlyKey, you can do considerably more than with a typical hardware key). You can’t get much more secure than this.

Raspberry Pi

This one is fun. For anywhere between $35 – $100, you can get a microcomputer known as a Raspberry Pi. “What does it do?” you may ask, to which I would reply with “what do you want it to do?” Raspberry Pis are designed to be full-featured computers – they won’t do any video editing or gaming or anything super hardcore like that, but they can do just about anything else a regular computer can do. Do you want your own custom DNS for maximum ad and tracker blocking? Raspberry Pi. Want to self-host your own Nextcloud, Matrix, XMPP, Mastodon, PeerTube, etc instance? Raspberry Pi. Maybe a travel router? Raspberry Pi. If a computer can do it, so can a Raspberry Pi, and the possibilities are limited only to your imagination. This is is a MUST consider device for any tinkerer, especially those who want more control over their home network or are interested in self hosting.

This is just the tip of the iceberg. Whatever particular part of technology interests you, I encourage you to go out looking for privacy-respecting and open-source alternatives and sink your energy into that. In fact, you may find that a project already exists but needs some help improving and that’s where you can come in. We can all make the world a better place in terms of privacy and security, sometimes just by using these projects instead of their Big Tech counterparts, and sometimes by actively contributing to them. Whatever role you choose to play in that world, I encourage you to go looking. You may be pleasantly surprised at what you find.

2021 Review: Signal

June 12, 2021

Even if you’re not big into privacy or security, you’ve likely at least heard of Signal. The WhatsApp/Telegram competitor rose to mainstream prominence earlier this year, when WhatsApp announced planned changes to their privacy policy and Elon Musk almost immediately tweeted “Use Signal.” Though the app had been around for years, these two factors combined to catapult Signal into the mainstream consciousness overnight, hitting the number one spot in multiple countries’ app stores and even crashing the servers for a weekend. So what is Signal, should you use it (and why, if yes), and how does it rank for those who value their privacy and security?

The Service

Signal is an end-to-end encrypted messenger, similar to WhatsApp or (arguably) Telegram. Based in the US, it was founded by Moxie Marlinspike around July 2014. It allows voice, text, or video chat to any other user (one-to-one or up to five at once) and has a variety of features that might appeal to mainstream users like stickers and GIFs. Signal is based on the Signal Protocol encryption, which I will discuss more in a moment.

The Good

Actually, let’s just go ahead and start there. Signal’s encryption is good. Like, really good. So good that according to the Vault 7 leaks, the CIA has considered pretty much every insane idea to circumvent it because they can’t actually crack it. While Signal has its fair share of detractors and criticisms (some of them valid, many of them not), you can’t knock them for their encryption. It is world-class, and is even used by WhatsApp, Facebook Secret Messages, Skype, and even Google (they know a thing or two about security). The app itself is used by the EU Commission, numerous politicians, journalists, whistleblowers, and law enforcement. Unarguably, you can’t get much better security than Signal.

Setup is – as I like to call it – insultingly easy. Seriously. If you’ve never tried Signal before, go do it right now just so you can see how ridiculously easy set up is. You download it, you basically hit “next” three or four times, and you’re ready to go. On Android, you can even make Signal your default messenger so that if you text another Signal user but don’t know they use Signal, it will automatically make use of the encryption. Actually using the app is also incredibly easy, with very intuitive and plain-English buttons, menus, and options.

Signal is fast, stable, and if you don’t want to use your SIM number (I’ll mention that in a second), you can use a VoIP number with no additional work except that you have to manually enter the verification code rather than Signal pulling it automatically. Messages are end-to-end encrypted by default, unlike services such as Telegram which require you to enable encryption. Perhaps most importantly, Signal as a company has a proven track record of not logging any user data and having virtually nothing to turn over to police when requested.

The Bad

Signal’s downsides are, in my opinion, far and few between. However, they are legitimate and worth noting. One “bad thing” that some people note is that Signal is based in the US. Given that Signal is open source, audited, and has proven themselves to respect user privacy, I personally don’t think this is a big deal. However, the US government is a notorious enemy of privacy. For the vast majority of people, I wouldn’t consider this a reason not to use Signal, but it is worth being aware of what laws Signal is subject to and the hostility the company faces from the government.

The next most obvious flaw is that Signal requires a phone number to use. Phone numbers are as good as social security numbers these days and a quick web search of a phone number can turn up tons of identifying information. While one can use a VoIP number (as I mentioned above), most people won’t (not to mention that this alienates people who don’t have a valid phone number and can’t get a VoIP number). This is a realistic potential privacy and security risk for every user, and while Signal has said they plan to roll out usernames in the future, they’re not here yet and last time I checked there was no real word on when “the future” would arrive.

Let’s address the elephant in the room: the Mobilecoin incident. For those who don’t know, Signal went almost a year between Spring 2020 – Spring 2021 without publicly posting the source code for their server. They continued to share the client source code, and those who examined it found it was still secure, however the client very obviously was contacting an updated server version than the one that was posted and Signal refused to say why they hadn’t updated it. Speculation ran rampant about malicious backdoors, government gag orders, and more. It turned out that Signal was laying the groundwork to integrate a privacy-respecting payment platform with a cryptocurrency called Mobilecoin. This move was considered highly controversial for a number of reasons. Among some of the most valid and popular reasons: it was considered highly unethical and shady to keep users in the dark about the server code updates, integrating cryptocurrency can attract unwanted attention from government regulators like the IRS and FTC, and many users expressed concerns about what impact this would have on the security of Signal and the possibility that this was all a “pump and dump” financing scheme. You can find my take on this story here and you can find a (in my opinion somewhat sensational but factually correct) deep dive here. Here’s the takeway from all this: while this incident – at this time – does not indicate any sort of technical compromise with Signal’s privacy or security, it definitely cast a lot of doubt on them as an organization ethically.

Last but not least, there’s also been a lot of rightful accusations and concerns about Signal’s infrastructure, such as using services like AWS and Google to support their cloud. While – again – there’s no reason to suspect that Amazon or Google have any access to user messages or data, it is understandably troubling that using Signal also means supporting some of the biggest enemies of privacy on the planet by proxy. One could consider this the necessary evil of making Signal reliably available to the masses, but it’s still not comforting. Moxie has also been very strict about refusing to allow Signal to be decentralized or federated, even going so far as to legally pursue and shut down forks that attempt to be interoperable with Signal. Once again, this is done in the name of keeping Signal scalable and reliably secure (if everyone can run their own server, some servers will inevitably fall out of date due to lack of administrative maintenance which will create security risks for everyone involved) but it’s still a ding for people who value decentralization.

Final Verdict

I’ll be honest: I like Signal. The stability, the ease of use, it can’t be matched. I use Signal for 90% of my conversations with friends, family, and even a good chunk of The New Oil conversations. There’s never any issues with key exchange, the messages arrive quickly, the call quality is clear, communication is reliable, and it’s just so freaking easy. There’s no easier messenger out there. However, I’m not a Signal fanboy who will defend them to the ends of the Earth. Their opacity during the Mobilecoin incident was inexcusable, and I’ve already gotten all my close family to sign up for Matrix in the event that we ever have to jump ship on Signal (if Session rolls out voice calls any time soon then I’ll move them all to that instead, Session is also easy to set up). I like Signal, but as soon as I see any reasonable indication that they've been compromised, I'm out.

The moral is this: Signal is not a perfect company. To their defense, I’ve yet to find a “perfect” company or “perfect” anything really. They've made some ethically questionable business decisions and they could check more privacy-enthusiast boxes if they did things differently. But they are reputable, proven, and perfect for the masses. If you have a high threat model or like to go to the extreme for your privacy, Signal may not be for you (at least not yet). But for 95% of people reading this, Signal is just fine. They take user privacy and security seriously and they’re easy to use with a plethora of features. I whole-heartedly recommend Signal to most people. If you’re still looking for a messenger, I think this one is worthy of your consideration.

You can download Signal here.

Prime Day is This Month. Here’s Why You Should Stop Using Amazon

June 5, 2021

Amazon’s now-legendary “Prime Day” was just announced this week: June 21-22. Much like Black Friday or Cyber Monday, this means sales on lots of items on Amazon’s vast marketplace, and as such many people flock to the giant’s website to get sweet deals on everything from computers to small kitchen appliances and more. But this year, I urge you to resist the allure. Far be it from me to tell you what to spend your money on or where, but in this week’s post I hope to lay out a compelling case for everyone for why Amazon is full-stop evil, no caveats, and is undeserving of your money on a moral and ethical level. Amazon needs to be stopped, and legislation will not do so. Only its loyal consumers – who keep the beast alive – can do that by taking their money elsewhere.

Here are five reasons that you should stop supporting Amazon with your money and purchases.

Amazon Is An Enemy of Black Lives Matter

Do you believe that black lives matter? Do you think police have too much funding, too little oversight, are a tool of an oppressive regime, and/or are a private police force for the rich to keep the poor and minorities in line? Well guess what: up until last year Amazon proudly sold their Rekognition facial recognition software to law enforcement agencies all cross the country. Like every other facial recognition software out there, this system was notoriously bad at accurately identifying minorities, including people of color and women. Amazon only stopped for PR reasons at the start of the George Floyd protests, and even then they only issued a “one-year moratorium.” This has since been extended indefinitely, but frankly that doesn’t matter. It’s still just PR. Why do I say that? Because for one, that ban only applies to the US. Amazon is still free to sell their faulty facial recognition services to other countries and industries. Second, Amazon still gives police across the nation unfettered access to Ring doorbells, allowing police to have vast real-time surveillance networks paid for by private citizens who may not even know law enforcement has this sort of access. Amazon is actively helping police spy on and identify – poorly – everyone, even peaceful protesters.

Amazon Is An Enemy of Small Businesses

“Well I think all lives matter,” you may say to yourself, “and I support our law enforcement officers.” That’s cool. If you’re more right-leaning, you probably believe in the free market and you’ll likely be furious to know that Amazon actively crushes small businesses. Amazon has been repeatedly proven to use data gathered from small merchants who use their marketplace to create competing products, avoiding the financial hit of the mistakes that those smaller businesses may have already made in marketing, pricing, or production. Not that it matters, because Amazon can also just use their massive empire to undercut the competition, selling products at a massive loss until the competitor is eventually driven out of business, then bouncing prices back up to profit-making levels once there’s no alternatives to compete with. The use of this data in the first place isn’t just free market sorting itself out, it’s straight up corporate espionage. It’s one thing if I left my job to work for a competitor and said “we learned that our customers respond better to blue than red.” It would be completely different for me to take a copy of all our business records, marketing documents, and passwords with me. That’s basically what Amazon does. They leverage their highly-invasive platform (which is so ubiquitous that to NOT sell on Amazon is practically a death sentence) to harvest sensitive business data and then use their resources to take the hit until the smaller guys can’t anymore and fold. In any other scenario, this would be corporate spying and illegal monopolizing. Even if it wasn’t illegal, I’d have a hard time believing any free-market enthusiast actually has no problem with this.

Amazon Is An Enemy of Human Rights

Maybe you’re an apolitical person (there’s really no such thing and that’s actually a very “privileged” stance to take, but I digress). In this situation, you can probably agree that we’re all human beings. We all deserve to be treated with respect, no matter what. Well, Amazon is unbelievably hostile to worker’s rights. For years, Amazon Prime delivery drivers have been reporting unrealistic expectations like being expected to deliver 200 packages in a 9-hour shift (that’s about 1 package every 3 minutes), missing pay, intimidation, favoritism, and buggy AI tracking their “performance” (even off the clock). Many of them have reported having to pee in bottles to try to stay on schedule. One reported a hospital-worthy injury where he was advised to finish his deliveries (several hours’ worth) before seeking medical treatment. Warehouse workers report timed bathroom breaks and not being allowed sit down for a few minutes outside of breaks (I’m all about hard work ethic, but you’ve seriously never had a day where you just needed five minutes to gather yourself?). Amazon took it one step further with patented wearables in the workplace to spy on employees and make them work even harder. (For the record, there’s no evidence they plan to roll this out yet but the fact that they expressed an interest in controlling the rights to this technology is unsettling.) When workers expressed an interest in unionizing so they could force more humane working conditions (aren’t there already supposed to be labor laws in the first place?) Amazon used their powerful surveillance network to spy on and infiltrate those groups and even attempted to put cameras over the ballot boxes to “ensure integrity.” Amazon doesn’t give a crap about their employees, it’s all about the bottom line and quite frankly I’m surprised they haven’t just moved overseas to sweat shops.

Amazon Is An Enemy of Democracy

“Wow, we really need some regulation on Amazon!” you might be thinking. Yeah, that’d be cool, except that at this point Amazon is more powerful than the US government. Amazon spent $18 million in 2020 on lobbying – for those who live outside the US, “lobbying” is a fancy word for “legal bribery.” I’m not making that up. It started off with good intentions and it does make sense, but it gets abused constantly and in laughably transparent ways that make every American citizen wonder how the hell this practice is legal. Anyways, that’s not the point. Have you ever wondered why the “settlement” amounts in corporate lawsuits are always so obnoxiously low? It’s because corporations hire GOOD lawyers. They can afford to hire lawyers who are field experts and can pay them to focus all their time and attention only on that one company and that one subject/department. Then they can pour even more resources into filing new paperwork, doing research, fighting the case, etc. Eventually the court costs start to pile up and the idea of dragging this out for years and spending millions of dollars becomes arduous, frustrating, and impractical. Look at the recent Home Depot data breach settlement – 10 years later! This is compounded even more when you’re an elected official. “You’ve spent HOW MUCH taxpayer money on fighting over some silly case that doesn’t even concern me – the voter – in a way I can comprehend when that money could’ve gone to better roads, schools, healthcare, national defense, etc?” The fact is that these cases do matter and do concern everyone, but it’s hard to care when you’re buying new rims because you damaged the old one on a pothole, or when your kid brings home a history book from 1989, or when you work 60 hours a week and still don’t qualify for basic healthcare coverage. Amazon can’t be reigned in by regulation because they can outspend the government in time, fines, lobbying, and any other area that they need to. The government has to answer for their tax money spent (in theory). Amazon only has to answer to shareholders and only one question: “how much more money did you make me this quarter?” They can afford to hire lobbyists who shape the laws, and if they fail that they can always drag the court case into oblivion until it just gets settled.

You Are Part of The Problem

Do you remember when Chris Brown beat Rihanna? When that was still top news and I met people who listened to his music I’d always ask them “don’t have you an issue with him beating up Rihanna?” and without fail they’d always answer “Of course! But I just like his music, I don't support what he did.” Here’s the thing though: it’s impossible in situations like that to benefit without supporting the person in question. Every album purchase, every stream, every shirt purchased, every YouTube view, these are all metrics he can use to justify his popularity and book large venues with large guarantees. Honestly I’d even leverage illegal downloads if I was his booking agent. “They can download a song, they can’t download a concert. Those are potentially paying fans.” The same is true with Amazon. In no way can you give any money to Amazon and NOT be directly contributing to these problems I’ve listed above. Every penny you spend can be directed towards developing new surveillance tech or hiring new sales people to score new government contracts. Every purchase you make says that you’re okay with how things are currently working at Amazon and shows them that you’re willing to spend money there. Even using Alexa is sharing your data, which Amazon then uses to refine their products or serve you more ads (which they get paid for). There is absolutely no way for you to use Amazon that doesn’t tell their shareholders “I’m okay with this. Keep the course.” The only way that we can ever hope to affect change is to force their hand by taking your money elsewhere.

Reality and Next Steps

Look, I’m a realist, okay? I know that sometimes there are things that you absolutely cannot get anywhere else except Amazon (or if you can, it costs significantly more). First off, I’d ask you to weigh your definition of “significantly.” Paying $5 more on a $100 product is not “significant.” Furthermore, depending on your financial situation, paying $5 more on a $20 product may also not be much for you. In these cases, I urge you to take the ethical path and not give into Amazon. It’s worth paying a little extra for a good cause. Having said that, paying $50 more for a $10 product, that’s understandably different. If you must use Amazon, here’s my suggestions: First off, if you already have an account, you’re probably fine to leave it active. Your history will stay there, but frankly if you create a new account, it’s likely to get flagged and suspended or if you do it wrong Amazon will still trace it back to you anyways. Feel free to keep your current account, but go ahead and make sure you use good practices like 2FA, strong passwords, and forwarding e-mail addresses.

If you’re making a new account, I recommend using a forwarding email address or an old, already very-publicly exposed email address for credibility purposes (like an old Gmail address). I’ve had good success with buying pre-paid Amazon gift cards in cash at 7/11 and using those to make my purchases, however I’ve heard some people have still had their accounts flagged regardless in those situations, so don’t put too much money in right away in case that happens. You can attempt to make new accounts for every purchase (since ideally this should be rare for you anyways), or you can attempt to make one account and just keep topping it up as needed. Michael Bazzell offers more details on what's worked for him on this podcast episode.

Last but not least, I encourage you not only to avoid Amazon itself, but avoid their subsidiaries as using them will still contribute to Amazon’s unethical empire. Unfortunately this includes popular brands like Twitch, Audible, IMDB, GoodReads, Zappos, and over 100 others. I know it’s a lot and it can be hard, but as I outlined before we can’t keep hoping someone else will reign them in. It’s going to take a collective, serious effort to hit them where it hurts (the wallet) and force them to start being a more ethical company.

Prime Day is later this month. Please, avoid it.

Why Do People Spy?

Deep Dive: Examining the Redditor’s Question

The Larger Picture

2FA: What to Use?

Why Raivo?

The Good

The Bad

Conclusion

Step 0: Solipsism, Certainty, & Standards of Proof

Step 1: The Claim

Step 2: The Evidence

The Claimant

Caveats

Criteria

Privacy Policy

Bitwarden

KeePassXC

Security

Bitwarden

KeePassXC

Other Features

Newsletters

Alternate Social Media

RSS

Podcasts

Conclusion

Why Delist Mailbox.org?

The Vision

Reviews

Flashing a Custom OS

Desktop

Router

Mobile

Honorable Mention: Pine64 Devices

Hardware 2FA Tokens

Raspberry Pi

The Service

The Good

The Bad

Final Verdict

Amazon Is An Enemy of Black Lives Matter

Amazon Is An Enemy of Small Businesses

Amazon Is An Enemy of Human Rights

Amazon Is An Enemy of Democracy

You Are Part of The Problem

Reality and Next Steps