The New Oil

Making data privacy & cybersecurity accessible for everyone.
TheNewOil.org

Disclosure: The New Oil is sponsored by IVPN. Per the terms of this agreement, IVPN does not have any input on our review, but we want to disclose any possible conflicts of interest up front. You can read all of our guidelines for sponsorships here.

What is IVPN?

A VPN – or Virtual Private Network – is a service that creates an encrypted tunnel between the device and the provider's server, protecting all your traffic from prying eyes along the way like your Internet Service Provider (ISP) or whoever owns the router (think public Wi-Fi, for example). After reaching the provider's server, your traffic continues on to your desired destination like normal. IVPN is one such service.

Read more...

It’s a new year, and for most people that means “new beginnings.” Humans are naturally drawn to specific milestones in our lives because they feel like opportunities to start over fresh or rebuild from the ground up. The new year isn’t the only such milestone; it could also be a birthday, holiday, new week, etc. That’s why we get so excited about an – objectively speaking – arbitrary day. It’s a new chapter, a chance to redefine ourselves and do anything we want. In some cases, this could mean getting in shape, finding love, finishing a book, any number of things. But it could – and should – also mean a reevaluation: where are you now? Where do you want to be? What can you do better? In privacy and security, I believe we should always be striving to take the next step and do better, but it’s always wise to check back and make sure you’ve got the basics covered. So in the spirit of new beginnings and reevaluation, I’d like to present a few tips to help you check your privacy and security basics and set yourself up for a successful 2023.

Read more...

What is 2FA and Why Do You Need It?

2FA is an abbreviation for “two-factor authentication,” which is basically what it sounds like. Usernames and passwords are a form of authentication; if you don’t know the username and/or password, you cannot be authenticated, or prove that you are authorized to access whatever it is you’re attempting to access. Of course, that’s not totally true. Data breaches expose usernames and passwords all the time. Hence the need for more than one method of authentication at the same time. When you combine more than one form of authentication, you get “multifactor authentication,” or MFA. All 2FA is MFA, but not all MFA is 2FA.

Read more...

“What a year.” My annual catchphrase. I always say that this project has exploded in ways I never expected, and that never stops being true. So where are we now?

Read more...

About the Author & the Book

Cathy O’Neil is an American mathematician and data scientist. She got a Ph.D. in math from Harvard, and later taught at MIT. In 2007 she left academia to work in the finance industry, an experience she talks about in the book that left her disillusioned with the role of data collection and algorithms and the way that they can harm the outliers. This ultimately led to her publication of Weapons of Math Destruction in 2016.

The saying goes that if you want to cook an omelet, you have to break a few eggs. Weapons of Math Destruction focuses on those eggs that have become casualties on the way to algorithmically modernizing the world, using big data to make decisions that are – on the surface – more objective, fair, and accurate. However, O’Neil explores how this is frequently not the case, along with the flaws in our current approaches to using Big Data to this end.

Read more...

The following is an original piece of journalism from The New Oil

Twitter may be compromised, and nobody's covering it. This is the allegation from security researcher Lucky225.

In order to understand the context of this story, we have to briefly go back to 2010, where Army intelligence specialist Chelsea Manning was becoming disillusioned with – among other things – the actions she was helping to facilitate for the US incursions into Iraq and Afghanistan. This seems to be at least part of what led her to disclose hundreds of thousands of classified documents to whistleblower website WikiLeaks, which detailed everything from American war crimes in Iraq and Afghanistan to diplomatic cables showing China's frustrations with North Korea at the time.

Read more...

Regardless of how you feel about capitalism, there is one aspect of it that – to some extent – I think we can all agree is nice: the free market. Exactly how “free” the market should be is up for debate, but I think it’s safe to assume that most of my readers are in favor of a world where someone can wake up one day and say “I hate my job, I’m gonna go find another one,” or “I don’t like that company (for whatever reason), I want to shop somewhere else,” or “I want to make a website teaching data privacy and cybersecurity to beginners. Oh look, I have a second job now.” I don’t believe it’s perfect by any stretch of the imagination, but I still choose to live my personal life largely by the free market hypothesis. I hate the way Walmart treats their employees, so I shop elsewhere. Earlier this year I left one job largely because I felt I was being underpaid (spoiler: I was). On the other hand, sometimes I choose to buy name brand because the better quality justifies the price increase. Free market in action: voting with your dollars.

This ties into privacy when it comes to the argument of “just don’t use X if you don’t like it.” I get that a lot. “Just don’t use Facebook if you don’t like it.” “I don’t see the problem, just don’t use Amazon if you hate them so much.” “I like Google, but you’re free to use something else.” In the free market, there’s the idea that every company is free to institute whatever rules, policies, and business strategies they feel are best. At The New Oil, for example, I have every right to list whatever tools I want for any reason I want. In theory, the market responds accordingly: if people agree with my reasoning – or the tools I list – then they reward me by visiting, recommending the site, maybe even buying merch, donating money, or using an affiliate link to help support the project. On the other hand, if people disagree with my reasoning or tools, they can choose to go support another project such as Privacy Guides or Privacy International the same way. But what if – hypothetically – all three of those organizations were under the same umbrella company?

Read more...

About the Author & the Book

Shoshana Zuboff is no stranger to technology and the way it impacts our modern life. With a Ph.D. in psychology from Harvard (where she's tenured, by the way, in the Business School), she's written on such topics as the future of work in the digital age (In the Age of the Smart Machine) and somewhat predicted the current state of capitalism in her book The Support Economy (assuming I read the Wikipedia synopsis correctly, truthfully I haven't read any of her other works myself).

The Age of Surveillance Capitalism is arguably Zuboff's best-known book, and has certainly become one of the foundation “must-reads” in the world of privacy. It outlines a brief history of “how we got here” in terms of surveillance, notes the ways that Big Tech and the government often work together, explains how Big Tech encroaches on our privacy, and explains how all of this fits into a larger concept of our individual freedom of choice and a sort of “class struggle” between us as individuals and Big Tech companies as they seek to undermine our freedoms in exchange for profits.

Read more...

Next week, gift-giving season officially begins in the United States (and at least a few other places, I presume) with Black Friday. As such, I figured this would be a great time to discuss safe shopping tactics. In what is becoming my own yearly tradition here at The New Oil, below is my list of online shopping tips, updated to reflect any techniques or strategies I've picked up in the last year. (Note: some of the services I suggest offer affiliate programs which The New Oil has signed up for. Affiliate links are clearly marked and are totally optional.)

  • Pay with cash in person. There’s a large push for credit card usage in the US, and it has some personal finance benefits. Cards often come with cashback and purchase protection, and while the risk of skimming still exists, fintech (financial technology) security has come a long way. However, cards are still a privacy nightmare. Your shopping data will absolutely be sold by your bank to data brokers. As such, cash is king. But if you need some less-paranoid, more practical reasons to use cash: if you’re buying a gift for someone who has access to your bank statements (significant other, parent, etc) it can help shield your purchases – both the site and the amount – and keep the gift a surprise. Furthermore, holiday spending and gift giving is often a source of debt in the new year, so using cash will help you stick to your budget. Personally I think racking up a boatload of new debt is a really crappy way to start the new year.

  • Of course, online shopping has long been popular and even more so during Cyber Monday (not to mention some services are online-only). For online transactions, use pre-paid cards or card-masking services like Privacy.com, MySudo, or ViaBuy (if you live in Europe) to avoid having your real information stolen. If a scammer steals your info, the effects could be as minimal as having to get a new card or as serious as draining your bank account, stealing your identity, or even stalking you. So I definitely encourage you to use a masking service of some kind. Be aware that Privacy.com and MySudo essentially function as banks in this scenario, so they will ask for some personal information that some people may not be comfortable with. If that's the case, call your bank and ask if they offer virtual card services. Some banks do – including large ones – and it's becoming more popular. You won't have the privacy benefit of having your transactions shielded from the bank, but you'll get the security of not having your card number stolen. Personally I’m a fan of Privacy.com for a lot of reasons (I actually have an affiliate link you can use here if you're interested) but this isn’t the time or place. Feel free to check out all of the solutions suggested and see if any of them are right for you.

  • Use HTTPS. HTTPS is a powerful and effective encryption method for data-in-transit (aka web traffic) that helps protect your sensitive information as it shoots across the web. The vast majority of the internet is now securely encrypted so you’re probably covered, but be vigilant anyways. All four of the browsers I recommend on my site – Brave, Firefox, LibreWolf, and Tor Browser – offer some type of “HTTPS-Only Mode” that will automatically upgrade connections when possible and warn you when it's not. On Brave, go to Settings > Privacy and Security > Security and enable Always use secure connections. On Firefox, LibreWolf, and Tor Browser, go to Settings > Privacy & Security and scroll all the way down to HTTPS-Only Mode. Make sure you select Enable HTTPS-Only Mode in all windows.

  • Use a PO Box. PO Boxes can serve tons of great purposes that you didn’t even know you needed. For starters, they start off inexpensive, in some places as little as $20/year. They can be handy because your packages don’t sit unguarded on your porch while you’re at work, they sit safely inside the building of your box. And of course, you don’t have to worry about some stranger on the internet snagging your home address, whether that’s the random person on Etsy, the rogue employee at Amazon, or the cybercriminal who hopefully didn’t steal your information because you already implemented the above bullet points.

  • Use alias email addresses. These are services such as SimpleLogin (affiliate link here) and AnonAddy that offer you email addresses that automatically forward to your inbox. The website you sign up for only ever sees your alias email address, but it all arrives in the same easy-to-manage place. The privacy protection here is that it keeps you from being cyberstalked (there are lots of ways I can find your various other accounts just from an email address) and makes it slightly harder for companies to track you. The security benefit is that it changes your login on each site and makes it harder for credentials caught up in data breaches to be weaponized against you (see credential stuffing). And as a practical benefit, once you've signed up for these sites, they usually spam you with offers, newsletters, and other marketing crap. Usually you can simply click “unsubscribe” but some of the scummier sites don't respect that request. With an alias email address, you simply turn it off and stop getting the spam. Imagine having a peaceful, organized inbox again. Wonderful.

  • On the topic of security benefits, be sure to use strong passwords with a good password manager and use two-factor authentication (2FA) on all accounts that offer it. I know the holidays are a hectic time for most people with travel and family and such, but it also usually means more paid time off for most people. Take advantage of some of that time off and set aside an hour or two to pick a good password manager, change your passwords and password habits, and enable 2FA. This is one of the single most effective things you can do to protect your online accounts, and on top of that it's free and easy, yet still few people do any of this stuff. Doing this step alone is one of the most powerful things you can do to protect yourself year-round. Speaking of year-round...

  • Don’t quit on December 26. The thing about these habits is that they’re great any time, not just around the holidays. Shopping is something we do all the time, all year, and these strategies can be implemented there, too. You can pay cash at the grocery store. HTTPS can protect your Facebook login from a random cybercriminal just as much as your card number. Online data breaches are quickly becoming a daily occurrence, so using card-masking can prevent your card number from getting permanently posted to the dark web (if you’re not worried about that, clearly you’ve never had the hassle of updating EVERY service you use after a card number changed for any reason). Even a PO Box can be a neat thing to have on hand if you rent and move in the same area frequently, if you need an address on file for work (again, data breaches), or freelance and need somewhere to send checks or a return address for merchandise you sell.

Take some time to think about which of these strategies can benefit you most. HTTPS is something that takes just a few seconds to ensure is enforced and you never have to think about it again. A PO Box can be easily added into your routine by renting one nearby or on your way to/from work. Cash can be handy as well to help you stick to a budget. I hope these tips help keep you safer online this holiday season, and good luck finding that perfect gift!

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

What is Wire & Why Do You Need It?

Wire is an end-to-end encrypted (E2EE) messenger available on Linux, Mac, Windows, Android, and iOS. I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.

The Good

Wire has a lot of valuable features. In addition to the obvious things that make it recommended by this site such as being open source and audited, one major advantage of Wire is that it is username based. You can sign up entirely anonymously by signing up on desktop, using a VPN (or Tor), and using a throwaway email. Even without hardcore anonymous signup, you can still retain a great deal of privacy by using a forwarding email address and not submitting a phone number or real name. And because you pick a username, that means you can privately communicate with others without having to provide any personal information like a phone number to that person. You can also have up to three accounts on a single device, allowing you to easily compartmentalize work and personal life.

[Image: Wire on Android]

According to their privacy policy, Wire does not retain any encryption keys, and uses TLS to encrypt metadata when possible. They claim not to retain copies of encrypted data after it has been delivered, and to only keep technical logs for 72 hours for the purposes of troubleshooting and abuse-prevention. Analytics (sending crash reports on iOS and keeping troubleshooting logs on Android) were opt-in (not on by default) when I signed up for an account. Speaking of Android, Wire is available for F-Droid and seems to work just fine without MicroG or Play services, meaning it should work without issue on any degoogled device.

In my review last year, I noted that Wire was slow. This no longer seems to be an issue – or at least, not a Wire-specific one. When I first started testing it – admittedly during a slow stretch at the day job – I noticed right away that my Android device took a little longer to send and receive messages than my iPhone. But once I got home on a different network, they both worked just fine. I also noted last year that Wire was feature-deprived. Specifically I noted a lack of voice messaging and poor GIF support. This also seems to have been fixed. GIFs use GIPHY (probably not proxied like Signal, so use at your own risk), and voice messages have been added. They even have a little drawing board so you can hand-write notes and a “ping” feature to get someone’s attention (if you prefer not to simply say “hey man, you there?”).

Ultimately, I think Wire’s biggest features are the universal availability in terms of devices and the support of usernames. These two features alone make it a powerful choice worth considering.

The Bad

[Image: Wire on Windows 10]

However, Wire is not without its drawbacks, and there are quite a few worth considering. Let’s start with a recent development: who owns Wire? A few years back, Wire took a significant amount of investment from a venture capital firm (who hates VPNs, by the way) called Morpheus Ventures, whose other investments seem to be pretty heavy on the “privacy invasive” side of the spectrum, apps and companies who try to use data to tackle various “problems.” The nature of this relationship was never really fully explained, and it remains that way. Currently Wire is listed under the “Other investments made by Morpheus, our founders or funds previously managed by them.” Pretty vague. Is Wire “previously managed”? Or are they “other investments”? Additionally, around the same time as this investment, Wire had moved their headquarters to the US so they could qualify for said investment (and others), but now their website states they are headquartered in Berlin, Germany. Where is Wire based? Who owns how much of it? The answers to these questions are unclear. I reached out to them for clarification a few weeks back, but never got an answer since I’m not a paying user. (You can read more about the initial investment and move here, but be aware that this article is from 2019.) It’s also important to know what got Wire booted from Privacy Guides in the first place: changing the privacy policy without announcing it. While this is common for many services, it’s troubling for privacy- and security-advocating services in particular.

Finally, it’s worth noting that Wire is centralized. A premium feature does allow it to be federated for enterprises, but for the average free user, the main centralized server is your only choice.

Conclusion

Wire is far from perfect, but to be honest there is no perfect messenger in the privacy space. The ones that are user-friendly usually have glaring flaws, and the ones that are almost perfect are usually nightmarish to implement and/or use. Wire is definitely not for everybody, however I think it offers some powerful advantages – much of the metadata collection can be outsmarted with a simple VPN and a forwarding email address (and by using it on desktop only, if your threat model is that severe) – and the ability to have a username instead of a phone number is something that can’t be discredited. However, I don’t think Wire is right for everyone. Ultimately I think Wire might be a good trade-off between Matrix and Signal: a little more user-friendly than Matrix, but doesn’t require a mobile device like Signal does. Ultimately, as always, it depends on your needs and threat model.

You can learn more and download Wire here.
