The New Oil

2022 Review: Bitwarden & KeePass

September 10, 2022

In this review, I’ve decided to lump both Bitwarden and KeePass into the same review because of their vast similarities. However, there are some key differences that I will outline below. I don’t think of this blog as “Bitwarden vs KeePass.” In fact, I use both myself for different purposes. I hope that discussing this below will help you decide which is right for you, or if both are – like in my case – how to use them to their maximum potential.

A quick note, in this review I am using “KeePass” as a general term to refer to any KeePass client. Personally I use KeePassXC and therefore will base all my information on that experience, but the same general trends should hold true for other forks as well.

The Products

Bitwarden and KeePass are both password managers. A password manager is a critical piece of technology that I would argue is mandatory in today’s world, as they give a secure place to store your login (and other) information. This serves several purposes. The first and most obvious is account security. Modern cybersecurity advice says that passwords should be at least 8 characters (more, depending on who’s advice you listen to); contain a mix of uppercase and lowercase letters, numbers, and special characters; and should not be reused anywhere. This makes the idea of remembering your passwords laughable – even those with the best memory would struggle after a few accounts, and less-used accounts would be quickly forgotten. A good password manager will help you adhere to best password practices and keep track of all your accounts with zero effort on your end. It is a commonly held piece of wisdom that if you know your passwords, they aren’t strong enough (with the exception of passphrases used to log into your password manager and devices). Password managers can also serve numerous other purposes like help preventing phishing and keeping track of other critical information like 2FA seeds, security answers, and more.

The Good

Bitwarden and KeePass both start off with a lot of positives in common, like being open source and free. Bitwarden has a premium tier we’ll get to later, but even their free tier should offer all the functionality an average user would need. Both allow unlimited entries, multiple devices, folders, and much more. Both also feature browser plugins, which can help prevent you from falling prey to a phishing attack. (This works because if you click a link and it’s not accurate, the plugin won’t offer to auto-fill your login details, tipping you off that something’s not right.) Bitwarden can also be self-hosted if you like the product itself but want a little more control over your data.

In terms of functionality, KeePass is the clear winner. Because KeePass is fully free in every sense of the word, there is no functionality hidden behind a paywall. You can add your 2FA seeds, unlock your password vault with a hardware token, and more.

In terms of look, Bitwarden outdoes KeePass by a long shot. KeePass works, but it’s not the prettiest program ever. Bitwarden, meanwhile, looks much more modern and sleek, and even has different entry types so you can easily store common information like names, credit cards, and notes. KeePass can technically be made to do all this stuff, but you’re really using a password entry while Bitwarden has these entries already modified to look right. For example, I store my emergency credit card information in Bitwarden in case I ever need it while I’m not home. In KeePass, this would require me to enter the credit card number in a field normally used for logins, like “Password,” “Username,” or maybe the “Notes” field if I want. While there’s no real issue with this, it does bug my perfectionist nature a little bit. In Bitwarden, there’s an actual credit card entry that has fields like “Cardholder Name” and “Number” and “Expiration.” Same with Notes, and Identity. (Pro Tip: you can use the “Identity” entries to keep track of your various disinformation identities, like how Nathan Bartram lives at 350 West Wolf Point Plaza in Chicago.) Bitwarden also automatically pulls login icons for websites, while KeePass must be made to do this. Admittedly, this is either a pro or a con depending on your threat model and preferences, which brings me to my next point.

Let’s get to the elephant in the room: cloud syncing. Depending on your threat model and/or level of caution, cloud syncing is either a pro or a con for you. If you have a low threat model and value convenience, Bitwarden is the clear winner here. They are cloud based, with apps on Android and iOS, as well as Mac, Windows, Linux, and the aforementioned browser extension. Bitwarden is password security on easy mode. If you don’t trust the cloud – or you don’t trust Bitwarden for whatever reason – KeePass is going to be the best choice for you. You can manually sync your vault between devices by either plugging them in and uploading them, or by using a cloud service like Nextcloud or Filen.

The Bad

Let’s start with KeePass’s drawbacks because I think there are fewer of them. The most obvious, I already noted, is the UI. However, there’s also the cloud sync and plethora of forks. Because KeePass is not cloud-based, it’s up to you to make sure that you’re keeping good backups in case your device ever dies, becomes corrupted, gets stolen, etc. I discuss this on the site, but it can never be overstated. Losing your passwords is hard to bounce back from. It can also be tedious syncing your database, even if you have a good system in place. At one point, I was keeping my database in a cloud folder so it would always sync up automatically, then using Strongbox/KeePassDX on my mobile devices. Even with this near-realtime-cloud setup, I would still have to routinely import the newest version of my vault into the mobile apps to ensure I had the latest entries, and I would also have to be careful not to save over them. And on that note, KeePass is mostly a community-driven project in that sense that there is no universal KeePass client that works everywhere. KeePassXC is the closest you’ll get, as it works on Linux, Mac, and Windows, but for mobile you’ll need to find another client such as Strongbox for iOS or KeePassDX for Android. It’s definitely not as smooth and seamless of an experience. KeePass also doesn’t come with any sort of automatic sharing features like Bitwarden. If I wanted to share a login with someone, I’d have to export it somehow and send it to them over a secure channel.

Now let’s talk about Bitwarden. I’ll start by addressing the cloud part, since that’s a double-edged sword. Bitwarden is cloud-based. If you value convenience, this is great. But it also comes with some risks. For example, since Bitwarden is centralized, that means if they ever suffer a data breach, your vault could be at risk since they store it for you. Now just to be clear, if Bitwarden is encrypting your vault properly – and personally believe they are – then you have nothing to fear in the event of this happening. Still, it’s a very unsettling thought. Your vault has the keys to your entire digital life – which could include things like bank logins, logins for sensitive accounts and communications, and more. Even if it is practically unhackable, I still wouldn’t exactly be comfortable handing out a copy of that to just anyone. And of course, again, this is predicated on the assumption that they’ve implemented their encryption correctly. Bitwarden is very popular, meaning a lot of experts have no doubt laid eyes on the code, and they’ve even been audited, but all it takes is one slip up to create a vulnerability. It’s a lot of trust you’re placing in someone.

On that note, let me address a complaint I’ve seen float around a few times: there’s allegations that Bitwarden’s website is not properly protected against a possible malicious Javascript hijacking, which could allow an attacker to steal your login credentials. This is concerning, for sure, because as the end user you’d really have no way of knowing. However, in my experience, people love apps. I suspect that most people who use Bitwarden won’t be using the website except to make serious changes to their account like buying a premium plan or changing their password. I know that’s my use case. This seriously reduces the risk of this attack, and between that fact and my belief that the gains from using a password manager outweigh the risks in this usage model, I would still strongly encourage people who are considering Bitwarden to go ahead and use it. I preach Bitwarden to everyone I know without reservation, and as far as I know nobody I’ve convinced to use it uses the website. They all download the app and the browser plugin. Having said that, if you’re reading this and you work for Bitwarden, I strongly urge you to consider addressing this attack. It’s only a matter of time before it gets abused, and when you does you guys are gonna look pretty stupid for brushing it off all these years. Surely you can afford it now.

Finally, I should address that some of Bitwarden’s features are premium only. As I said earlier, the core functionality of Bitwarden is free – unlimited entries, unlimited devices, etc – and there’s really no reason that this shouldn’t work just fine for the vast majority of people. However, there are some paid features that would either increase user security or make life a lot easier for users. For example, being able to lock your vault with a hardware token is a paid feature. Such a feature increases your vault security exponentially. Another paid feature is the ability to store your 2FA seeds in your password vault. While this is potentially risky as it creates a single point of failure, it also makes using 2FA nearly effortless, and it’s something I would encourage if it’ll make the user more likely to use 2FA (assuming they also have a strong vault passphrase and 2FA enabled on the vault, too, for maximum protection). It’s a bummer to see such powerful features locked behind a paywall, but I suppose it’s somewhat fair. TOTP 2FA (the kind where you get a new code every thirty seconds) is still supported on the free account, and Bitwarden has to make money somehow, and also you could always just self-host it if you really want those features for “free” (in quotations because we’re not counting the cost of the server/VPS, time spent, etc). Again, the important functionalities are free, and that’s what matters.

As a last note, it should be noted that Bitwarden offers an emergency access feature. I can set another Bitwarden user – like my spouse – to be the emergency contact. If she requests access and I don’t respond within a certain time frame (I think it’s 7 days), she’ll automatically be given access to my vault. This is to ensure that if anything happens to me, she’ll be able to login to stuff like the bank, my email, and whatever other accounts she needs to handle our affairs. KeePass, being offline, does not offer such a feature. In either case, I encourage you to think about this kind of stuff and have a plan in place should the worst happen. I discussed this more in my blog post here.

Final Verdict

As I said above, I use both password managers. For those curious, here’s a quick explanation of how I do it (quick piece of context: I dualboot both Linux and Windows. I use Windows for gaming and for producing videos and music): I use KeePassXC for all of my passwords, even the ones I also have in Bitwarden. This is the vault I export regularly as part of my routine backup schedule. Anything that I need to access on a different device – like Windows or mobile – or anything that I need to share with my wife, I put in Bitwarden. So for example, my Discord and Matrix logins are saved in both KeePassXC and Bitwarden, because I like being logged into my communities on Windows so that I can keep an eye on them and respond if necessary even when I’m doing stuff on Windows. I also have things like Proton in there so I can access Drive or my email when on Windows to transfer files between my two OS’s easily. Then there’s the stuff I share with my wife, like the electric company login, the emergency credit card, and Netflix. Bitwarden makes it easy to sync logins between operating systems and to share them, but for the extra sensitive stuff like bank logins or accounts I don’t need immediate 24/7 access to, there’s always KeePass, where I can ensure more control over my vault and more easily integrate the backups into my workflow (for the record, Bitwarden does backups just as easily as KeePass, KeePass just works better for my personal workflow). I trust Bitwarden, but personally I also err on the side of “why take unecessary risks?” If I don’t need regular, sudden access to the account, then I prefer to keep it offline just in case. But that’s just me.

In the end, I believe that both password managers are excellent choices, and really the deciding factor is your preferences. If you prefer not to trust the cloud, you have good backup procedures in place, and you don’t mind some inconvenience when it comes to syncing your passwords across devices or sharing them with others, KeePass is the clear winner for you. If you want something easy that looks sharp and syncs across devices with no effort on your end but also has a strong reputation and good security, Bitwarden is the right choice. Regardless of which one you pick, I hope I’ve helped lay out the differences of each and helped make the choice a little bit easier for you. Remember to keep your vault secure. Password managers are game changers in making your digital life safer and more convenient, but they’re also putting all your eggs in one basket if you don’t take securing them seriously. With that said, be sure to check out these two password managers if you still haven’t adopted one yet.

You can check out Bitwarden here and KeePass here.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...

Your Loved Ones Are Betraying Your Privacy

September 3, 2022

Privacy can be overwhelming. It seems like every company out there is intent on collecting as much data as possible. For example, this morning I noticed that GasBuddy – the app that helps you find the cheapest gas for your car – wants permissions to access your Apple Health fitness data. Because apparently I plan to run to the gas station and carry the fuel back to my car, I guess? On top of that, we’re routinely subject to companies flat-out lying about their data collection and use policies – like when Twitter claimed they’ll only use your phone number for 2FA (spoiler alert: they used it for advertising) or when TikTok claimed they don’t send user data to China (spoiler alert: that was also a lie). And it’s only getting worse.

It’s for that reason (that privacy can be overwhelming at times) that I strongly emphasize a focus on mental health. The surveillance state wasn’t built in a day, and odds are that the mistakes you made in feeding data into it didn’t happen all at once either. It’s going to take time to climb back out of that hole, to erase any data you want to and find the right tools and techniques to protect yourself going forward. One technique I strongly preach to help manage the deluge of options and rabbit holes to study is to take it step by step. I also strongly encourage people to focus on yourselves. I’m not sure I’ve ever publicly issued this statement before except in response to forum posts and the like – such as the infamous “I can’t get my family to switch to Signal” (I’ve address that specific one before) – but this is one of those “more art than science” delicate balances we each have to find in our own lives. There’s nothing wrong with asking friends and family to use things like Signal or ProtonMail to contact you – maybe even offer to help get them set up with it – but at the end of the day we can’t force them to do anything. You may have heard the popular “Serenity Prayer”: “Grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference.” Good words to live by in almost any area of life.

Unfortunately, accepting that we are not in control of the actions of others (unless you’re in some sort of BDSM power dynamic) means that we are frequently faced with a choice: to accept it, or to walk away. (Technically “fighting it” is also an option, but I’m assuming you already did that in the form of asking people to make a certain privacy-oriented change, and if you push the issue too hard you end up pushing people away, ultimately resulting in the “walk away” option being chosen for you.) The real friction arises here when we realize that nothing happens in a vacuum. I strongly believe that everything is intersectional and causal. In other words: I don’t believe anyone just wakes up and does anything without reason, and in nearly every situation, whatever they do impacts someone else. Those impacts may be positive or they may be negative, but they’re still impacting someone somewhere to some degree.

And this brings us to privacy: when the people around you refuse to use encrypted messaging, or choose to use social media, or pretty much any other privacy-adjacent choice is made by them, this impacts you. Here’s an easy example: if someone you know downloads TrueCaller (or a similar robocaller-blocking app), your name and number will get caught up in that database without your consent. If my mom refuses to use Signal, I have two choices: I can accept that and text her anyways using insecure SMS, or I can simply stop talking to her. Now for the record, I am a huge believer that “family” is an overrated concept – the fact that you share some DNA with a group of people due to complete coincidence that was beyond your control or choice does not give those people the right to take advantage of you. If someone’s a toxic person who doesn’t belong in your life, you should cut them out like the malignant tumor they are regardless if they’re family, coworker, or other. But that’s not privacy related, that’s just called self-respect and knowing your worth. In my case, my mom is not a toxic person. She’s supportive, caring, and enriches my life by being part of it. So I don’t want to stop talking to her. But her choices are impacting my privacy. Her refusal to use Signal is leaving some of my communications exposed.

For the record, my mother is actually a consistent Signal user, she even got some of my other family members on it without me being involved. This was just a thought experiment. But these are the kinds of real choices we will all face as we try to protect our privacy in this world. And the extent of these risks vary. Most of the privacy enthusiasts I meet – likely including you reading this – generally have pretty good practices. We use strong passwords, we 2FA everything we can, we encrypt every text and email we can as well as our devices, we’re mindful of what we post and what we put online. Most of the people I talk to are either in a good spot or are on the way to getting where they want to be. Which is great! But you’re only as strong as your weakest link, and for many of us that means our family members. In some cases, this weakness may be trivial: maybe your boss doesn’t use Signal, but you guys pretty much only ever text to say “hey the meeting tomorrow got rescheduled for Friday” and other non-sensitive stuff like that. In more extreme cases, maybe your parents are posting pictures of your kids on Facebook despite you expressing your wishes that they wouldn’t. That’s a lot bigger of a problem, in my opinion.

This is one of my more “philosophical” posts in that I won’t be leaving you with any specific recommendations. That’s because the exact nature of your threat varies, as well as your threat model. I’m very fortunate. Last time my mother visited, she didn’t just visit me, she visited a lot of other family and friends in the state. Later when she sent the pics to the rest of the family, she explicitly wrote in her email “please don’t upload any pictures with Nate to Facebook or any other sites.” I didn’t even ask, I had no idea she was going to send photos to people. I’m lucky to have people in my life who respect my craziness, even if they don’t understand it or don’t care as much as I do. But I’m the exception. I’ve heard lots of people say things like “my parents uploaded pictures of my kids even though I explicitly asked them not to.” That’s rough. On the one hand, that’s a blatant disrespect for your wishes. But on the other hand, maybe they’re not actually “toxic” people and you don’t want to cut them off from their grandkids. These are choices you have to weigh. First off, what is your threat model? A lot of people – in my experience – don’t start there often enough. They seem to go straight to “this is a problem, how can I fix it?” Is it though? Maybe it is. Maybe you don’t want your kid’s face on Meta’s servers for the rest of eternity. That’s fair. If I had kids, I wouldn’t either. But as with any privacy hiccup, the threat model is a good place to start: “is this really an actual problem?” If it is, maybe you have to do the hard thing and say “you can’t take pictures of the kids at all anymore.” If it’s not that big of a deal – more of a preference – maybe a serious talk is in order. Or maybe some sort of compromise, like “you can upload pics but only if their face is obscured.”

This is all a hypothetical scenario for me, but I’m sure it’s not for many of the parents reading this. I’m sure you’ve all at one point or another had to sit down and explain to your family why you don’t want to post pictures of the kids on FB, or why you’ll only send pics via Signal or Proton or something like that (sorry I’m shilling those two so hard today, just using them as shorthand for “secure services”). There’s no easy answers here. Again, if someone’s toxic and only bringing negativity into your life, just cut them out. That’s a pretty straightforward, easy answer in my opinion. It may cause a drama storm, but eventually the storm will pass and your life will be better off for it. But if it’s someone you love who’s causing these vulnerabilities out of ignorance rather than malice, it’s a tough line to walk. Maybe you’ll need to be firm. “If you don’t start using Signal, I won’t reply to your texts.” Maybe you need to frame the problem in a way they’ll understand. “Hey, you know how the internet is a dangerous place and we want to keep the kids safe, right? That’s why I want you to keep pictures of the kids off social media.” There’s no easy answers here. But my goal was not to provide answers, instead it was to bring to your attention a weakness in our defenses that frequently doesn’t get properly addressed. These may not be pleasant conversations to have, but if you want to put yourself in the best privacy and security position possible, they need to happen.

Before I go, I want to reiterate two things. First off, your mental health matters. Do not cut off loving, supportive, well-meaning family members if your threat model doesn’t call for it. Second, and related, be sure to threat model. One mistake doesn’t mean you need to go nuclear, burn down the house, and move the family into witness protection (not for most of us, at any rate). Be patient with your loved ones if they’re trying, but be firm with your boundaries. Boundaries are really important, and people should respect them. Make them clear. I hope this has helped spark some thoughts.

2022 Review: Threema

August 27, 2022

What is Threema & Why Do You Need It?

Threema is an end-to-end encrypted messenger available on Android, and iOS. Linux, Mac, Windows, and web clients also exist, but you’ll have to create an account on mobile first before connecting them (like Signal). I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.

The Good

Threema has a lot of strong attributes to like. Starting at the top, the company is based in Switzerland, which is well known for having strong consumer data privacy laws. They follow this up by having been audited by Cure53 – a well-reputed security company with a history of audits like this. Finally, Threema offers a lot to their users in the way of privacy and anonymity. You can sign up without ever entering any personal information, like a phone number or username. Instead, they assign you a randomly-generated username – a short, easy-to-share one, unlike some other messengers which can be just as easily shared as a QR code. You can also pay for a license via the website, using a masked payment option (such as a privacy.com card or a prepaid gift card) and an alias or masked email address for near total anonymity.

The online payment option is particularly valuable for people with De-Googled devices, and on that topic Threema has been a champion of open source and free software ever since they open sourced their code in late 2020. Some of their recent privacy-first moves include things like trying to raise awareness for data privacy week, running an ice cream truck where they asked people to pay with their data to point out how invasive and ridiculous it is, and moving away from Google services for push notifications on Android, which later evolved into Threema Libre, a fully open-source version that does not have any proprietary dependencies and can be downloaded via F-Droid (or a similar front-end like Neo Store). It should be noted, this is the version I tested for this review.

On that note, from an end-user perspective, Threema worked very well. Signing up – even with a key purchased from the site – was a pretty straightforward process. Certainly not as “insultingly easy” as something like Signal or Session, but also nothing out of the ordinary that would be confusing to anyone who’s ever signed up for another service like email or social media. Adding people was pretty straightforward: just go to “Start a Chat” then click “New contact” and either paste their username or scan the QR code. Syncing to the desktop was similar to Signal in that you scan a QR code, except that you have to also enter your password for persistence, and every time you start the desktop app you have to enable the session on your mobile device so that’s a little annoying. Messages sent and arrived quickly with no issues, and voice chats were received with perfect, impressive clarity. I unfortunately didn’t make any time for voice or video calls, but based on my other experiences I assume they would’ve worked with perfect clarity and reliability.

The Bad

As with every service, Threema is not without flaws. The most prominent of these is that Threema is not financially free. The fee to use the service is one time, and it is only about $5, but not everyone has $5 to spare and some people aren’t willing to pay for a messenger even if they do have it, thanks to years of getting things for free (as well the availability of options like Signal, which are more secure – more on that next – and still free). Threema accurately argues that you’re always paying somewhere – if not with cash then with data – but this can still be a hard pill to swallow for some.

More importantly, Threema’s security is not on par with Signal’s. Now regarding this particular post I just shared, I want to make two notes. First, it’s nearly a year old. I would hope Threema has fixed any serious issues by now. I did reach out to them asking them about this post and they dismissed the criticisms as “valid but well-known and non-essential,” saying they were “based on misconception or not relevant in regards to Threema’s practical use case.” In other words: the people at Threema disagree that these are security vulnerabilities at all on the grounds that it’s either a misunderstanding of how Threema works, or it’s not within the scope of problems Threema is aimed at solving. That brings me to my second point: I want it to be noted that I personally have some issues with this post. I really don’t want to get into it too much and derail the review, but the short version is “I think it’s obvious the author went into this research with some kind of bias.” That’s not me trying to attack them, for the record. I know nothing about this author or the work they do. I just wanted to say that in case anyone else reads that post and notices the same things I did. Having said that, I have no reason to suspect that the conclusions and findings were fabricated or invalid. Does this make Threema not worth using? Not in my opinion. But I do think it’s worth knowing the shortcomings of a messenger. Between the article itself and Threema’s rebuttal, I personally land on the belief that Threema’s security is probably fine for general, day-to-day talk with family and friends. Would I trust it if I were Edward Snowden fleeing the CIA? Probably not. Asking my wife if she needs me to grab anything from the grocery store? Sure.

There are some other downsides beyond questionable cryptographic choices, some of which may be more impactful for daily users. For one, Threema is centralized. We’ve seen this become a problem in the past with other messengers like WhatsApp and Signal, both of whom have had outages. That’s really the main concern with centralized messengers, in my opinion, is risk of an outage for one reason or another. But theoretically there can also be risks of censorship and compromise, depending on the app in question.

The aforementioned audit is also getting pretty old, having last been done in October 2020. At the time of publication, that’s nearly two years old. A lot can change in the digital landscape in just two years. Finally, Threema offers no form of multifactor authentication. The only thing standing between your account and an attacker who wishes to take over your account and pose as you is your password. We can only hope all their users are using good password practices and that Threema is storing those passswords with a strong hashing algorithm.

Conclusion

There are lots of options out there for encrypted messaging these days. Threema has long been a popular option, and it’s got some features worth considering: usernames, audits, strong jurisdiction, and a responsive and pleasant user experience. Getting your friends and family to fork over the $5 may be a challenge, but if they are willing to do so, Threema certainly doesn’t seem like the worst choice you can make when it comes to picking a private messenger. If some of the other popular recommendations – like Signal, Session, or Matrix – aren’t right for you, Threema would be worth checking out.

You can check out Threema here.

The New Oil Has a Merch Store Now

August 6, 2022

The New Oil now has a merch store. If you have no interest in such things, feel free to ignore this. But if you’re interested in possibly helping support The New Oil and picking up some swag in return (we do ship globally), I’d like to take some time talk about this newest support method, because quite frankly, it’s not perfect and some of you are not going to be happy about it, but I think if I explain it you’ll find that it’s actually not too bad.

Why a Merch Store?

When I started The New Oil, I never actually expected it to take off. It was really more of a “getting it off my chest” or “being the change I wanted to see” kind of thing, but I truthfully didn’t expect a lot of people to care. I figured it would get a few hundred hits, attract a few fans, and maybe get a small handful of die-hard donors. I was very wrong. In just a few years, The New Oil has just had shy of 10,000 visitors per month (we actually broke 10,000 for the first time last month) and last year made over $2,000 USD in donations, not including things like affiliate links where I get a credit on my account, and we're on track to make significantly more this year. Once I realized the project was growing so much, I began to look for ways to ethically monetize it. I like my day job, but truthfully I like working on The New Oil a whole lot more, so if possible I’d love to make enough money off of it do do this full time. I decided to aim for this with things like affiliate links, sponsorships, and donations. But of course, money is not the goal here, so we have very strict guidelines about sponsorships that you can view here, and we only implement affiliate links from projects we have vetted and trust and we deploy them in a transparent and optional way. Adding a merch store is merely the latest step in this side goal of ethical income. Donations are appreciated, but I hate asking for handouts and free money. I much prefer to give people something in return. (One could argue that I’m already giving you content, but still.)

Why This Particular Setup?

Let’s talk about how the store itself works. The best way would’ve been to order merch upfront and then sell it via an open-source, self-hosted platform such as OpenCart or WooCommerce. It would’ve meant less parties involved, more control over the content of the store (like third party trackers), the trust of open source, and more profit in my pocket (buying merch in bulk up front results in a lower per-item cost). However, there are several reasons I chose not to go this route. The first and foremost is time. Running a store this way requires me to sink a considerable amount of time into ordering merch, monitoring inventory, restocking, and – most importantly – taking items to the post office and mailing them. I have a full time day job, The New Oil (which is basically a part time job at this point, I easily sink double digit hours into it every week and that’s just to maintain stuff like running the communities, posting articles, and correcting errors on the website), Surveillance Report, a wife, a band, and friends and other family all asking for my time. I can’t afford to put more workload on myself. The idea of putting more work onto my already crowded plate was – quite frankly – ludicrous and I don’t think anyone in my life, supportive as they are, would’ve appreciated me cutting into my precious free time anymore than I already do.

Additionally, I am not comfortable hosting your payment data. Running a self-hosted store would’ve meant that I was responsible for securing your data, and storing it for four years in compliance with the laws in my state. That meant four years of having your name, address, and possibly card details in my possession. This coming from the guy who can’t even spell in his own native language most days, are you sure you want to trust me to have that database set up correctly? To have all the security features enabled? To have all the vulnerabilities patched? I’d like to take this second to remind you that I have absolutely no formal training in this stuff at all. I am not a sysadmin, I was not any kind of comms guy in the military. Everything I know about hosting and cybersecurity has been self taught. That’s fine when it comes to stuff like “use a password manager” and “keep apps off your phone when possible,” but it’s begging for trouble when it comes to stuff like securing your payment data.

How Does it Work?

Instead, I opted to use BigCartel with Printful. Here’s where things start to get sticky. BigCartel is an ecommerce plaftorm with a freemium business model: the free plan (which I’m currently using) allows me to post up to 5 items with a single image to display. Printful is a back-end “on demand” manufacturing platform. In other words, here’s what happens: you buy the item, BigCartel pays me, BigCartel sends your order to Printful, Printful charges me, Printful manufactures the item, and then finally Printful ships the item to you. (Remember that sequence, it’ll come up again shortly.) This does have several drawbacks. For one, the prices are significantly higher. I only make a few dollars from each purchase (I set the profit margin to 15%, well below the retail clothing industry average of 36-43%), whereas with pre-printed and self-shipped products I’d make about $10 or more, easily. I also have very little control over the content of these websites, including things like tracking scripts. But the plus side is that this service is entirely, 100% automated. I don’t have to lift a finger. See my earlier rant about not wanting to add more work to myself.

That said, I stated earlier that making money was not the primary goal of The New Oil. It’s a secondary bonus. Therefore it was imperative to me that I ensure I that whatever platform I use is at least “not god-awful” for privacy. And I think I’ve accomplished that. The following information was gathered over several weeks of studying the privacy polices of both BigCartel and Printful, as well as numerous back-and-forth conversations with both asking for clarifications. First, the easy one: Printful never sees any information about you except what you ordered and your shipping address to fulfill the order. They never see any payment information, and they never get any kind of data that typically gets collected when you visit a website directly, like cookies, tracking beacons, and other fingerprinting techniques. Remember earlier I said “BigCartel pays me, BigCartel sends the order information to Printful, and Printful charges me”? That’s how Printful charges for orders. If you pay $20 for a shirt and the cost for them to print it is $15, then upon receiving that order they charge me $15, leaving me with $5 left over from the order. Your payment info is never involved in that equation.

BigCartel is a little less great. They collect a lot of information like browser type, IP address, “the page you visited before navigating to our services,” device information like hardware model, operating system and version, mobile network information, etc. (You can view their privacy policy here). Now, I do want to clarify something: a lot of websites these days have this trend of writing a privacy policy for users and not visitors. In other words: not everything in this privacy policy applies to you as the shopper. Some of it I have no doubt they do to you, like reading cookies and device information. But you’ll notice some other, more worrying stuff in that privacy policy such as aggregating data from identity verification services. It’s much more likely that this only applies to me, because I have to give them legal information for tax reasons. So don’t read that privacy policy and instantly go into panic mode. This actually leads into my next section about recommendations.

How Can I Use it Safely?

So BigCartel is a little invasive. But as I said earlier, I think it’s pretty reasonable to use it despite that because frankly, to defend against BigCartel’s tracking is to use the exact same stuff I recommend on the website anyways. For starters, you should be visiting with a browser that respects and defends your privacy, such as Brave, Firefox, LibreWolf, or Tor browser if they’ll allow it. You should be using plugins like uBlock Origin that block trackers. I also encourage using a VPN (or Tor browser if you can’t/prefer not to use a VPN for whatever reason) to hide your IP address. That takes care of almost all the automated stuff like fingerprinting and cookie tracking. For payment and shipping, I’ve long advocated for the use of payment masking strategies such as privacy.com and the use of PO Boxes to mail things to instead of your real home. And finally, use a masked email address to protect yourself from both data breaches and tracking when placing the order and a Voice-over-IP phone number if they require a number. Between all of these strategies, you run virtually no risk in using BigCartel’s service to order merchandise.

Having said that, there is one use-case in which I am willing to put in a little extra work (assuming it doesn’t become overwhelmingly popular). BigCartel does not support cryptocurrency, and even if they did it would probably not include privacycoins like Monero. If you’d like to place an order in cryptocurrency, contact us directly at thenewoil@protomail.com (or thenewoil@tutanota.com) and we’ll either send you an invoice or make a new one-time address you can use for the transaction. Then we’ll order the product on your behalf and ship it to the address you provide. (If you have a better suggestions on how to handle crypto transactions, feel free to let me know. I’m not a crypto expert, I’m just trying to ensure a way for us to verify that you have paid the amount while still respecting your privacy).

Where is the Store?

Hopefully this covers everything and has made a decent case for why this particular setup is not as evil as it first seems and explains why I went this route as opposed to other routes. If you know of a better way to accomplish a merch store that doesn’t add more work to my plate but also better respects user privacy and doesn’t rely on my incompetence to protect user payment data, don’t hesitate to let me know. But at this time, I think this is going to be the best compromise. If you’ve read all this and you’re interested in supporting The New Oil and getting some merch in return, you can check out the store here. If the store does well and there’s a high demand, I’ll invest in a paid plan so I can add more items.

Thank you guys for your continued support. I look forward to bringing you more helpful content as The New Oil continues to grow.

2022 Review: ProtonMail

July 16, 2022

Disclaimer/Disclosure of Interest: The New Oil has a ProtonMail affiliate link. If you sign up for a paid plan using this link, we get a small financial payment. As always, a non-affiliate link will also be shared.

What is Zero-Knowledge/End-to-End Encrypted Email & Why Do You Need It?

Encrypted email is a bit of a misnomer. Technically all emails are “encrypted” using technologies such as TLS but in this context I'm specifically referring to “end to end” encrypted (sometimes called “zero knowledge”) email providers. This means that the provider can’t read your inbox, which is – in my opinion – a must-have for any person who values their privacy and security. Many people argue that zero knowledge email providers are overhyped – or worse – because you’re only securing half of the chain. If I’m emailing someone at a Gmail address, the contents are still exposed on Google’s servers. However, in my opinion, that’s still cutting your attack surface in half. If we’re both using Gmail – or if one of us is using another provider like Yahoo – that’s just twice the opportunity for a data breach, warrants, or an insider threat. Sure, you may not get the full benefit without both parties using encryption, but it still counts for something. See my past post about how privacy is a spectrum for more on that logic. With that said, let's look at one of the most popular encrypted email providers out there: ProtonMail.

The Good

Proton has a lot to like. The company is based in Switzerland, a land notorious for having pretty strong user data privacy laws. Signup starts off strong by offering an Onion site (we’ll get to the downsides of this later) which allows you to access the site anonymously via the Tor network, and offering anonymous payment options like cash and Bitcoin (which can be made anonymous with the right work). So far, so good.

On the technical side, Proton has been repeatedly audited and repeatedly found to be secure and sound. They are also based on PGP, which in my opinion is great because it allows non-Proton users to initiate encrypted communications with you (otherwise you would have to email them first with a password-protected email). To be clear, PGP itself is not without drawbacks, but again – privacy is a spectrum, and it's better than not using it at all.

Finally, Proton is an ecosystem. With your account you get access to their VPN service, encrypted calendar, and encrypted cloud. Now of course, this is optional. Some users may not want to put all their eggs in one basket, others may simply find another solution superior for their needs, however I know I personally have met resistance in the past when trying to get people to care about privacy with responses like “Google just makes it so easy, they have email, calendar, Drive, etc.” Well now we’ve got something that can compete with Google, an all-in-one solution that those who want such an ecosystem-type experience may find just what they needed.

The Bad

Proton is not without flaws, and unfortunately in this case they are few but significant. For example, Proton’s Onion link sign-up is broken. Originally it simply redirected you to the “clearnet” version of the site. They fixed this, except now you may be asked to provide additional verification when you try to sign up. They say that this data is not linked to you, but personally this still makes me uncomfortable for people who are actually trying to be anonymous. Most people probably don’t need anonymity but some do. I hope to see Proton find a better solution for this sooner than later.

Speaking of sooner and later, Proton’s app experience is incredibly inconsistent. For example, there’s a Calendar app for Android but not iOS. For the VPN, my iOS and Windows apps updated within a few days of Proton’s branding update, but the Android app took several weeks to follow suit. Proton Drive doesn’t even have an app, requiring the web browser exclusively for use. This can be maddening, especially for customers of a company attempting to create an all-in-one ecosystem. How can I be part of your ecosystem when it’s only accessible under specific conditions? What good does a Drive do me that’s only accessible via the browser? What if I want to use Calendar but I’m an iOS user? This all stems from Proton’s philosophy of “if a feature is ready to roll out, why wait?” which makes sense but it creates a hodgepodge of inconsistent experiences for users.

Conclusion

Email is not secure. I think that’s always worth pointing out. Email was never designed to be 100% secure. You never know who might print it or forward it, and there’s also a bunch of super-technical issues with both email itself and PGP that literally cannot be fixed. Society would have to adopt an entirely new protocol to fix them. You should never trust your life to email (which is one reason why Snowden didn’t just email his documents to people). Yet email is still a widely-used tool that permeates almost every service we use in some way, shape, or form. For that reason alone, it’s worth trying to get a secure email provider to mitigate the risks as much as possible. ProtonMail is a solid choice of email provider with multiple layers of data protection (both legal and technical), PGP-based encryption for interoperability, a free tier that should work for most users, and some great bonuses like green energy, the above-mentioned VPN/Calendar/Drive, and a number of other features that set them apart from even established, mainstream competition like Gmail. I strongly encourage you to check them out, maybe sign up for a free tier, and see how you like it.

You can learn more and sign up for ProtonMail here. If you do decide to sign up, consider using our affiliate link to help support us in the process at no extra cost to you.

Prime Day is This Week. Here’s Why You Should Stop Using Amazon

July 10, 2022

Amazon’s now-legendary “Prime Day” is July 12-13. Boy that sneaks up on you fast when you avoid them and don't have ads in your life. Much like Black Friday or Cyber Monday, this means sales on lots of items on Amazon’s vast marketplace, and as such many people flock to the giant’s website to get sweet deals on everything from computers to small kitchen appliances and more. But this year – as with all years, hence why this repost – I urge you to resist the allure. Far be it from me to tell you what to spend your money on or where, but in this week’s post I hope to lay out a compelling case for everyone for why Amazon is full-stop evil, no caveats, and is undeserving of your money on a moral and ethical level. Amazon needs to be stopped, and legislation will not do so. Only its loyal consumers – who keep the beast alive – can do that by taking their money elsewhere. No matter your political or ethical beliefs, I'm certain Amazon violates them in one way or another, and you should vote with your dollar by buying from other places whenever possible.

Here are five reasons that you should stop supporting Amazon with your money and purchases.

Amazon Is An Enemy of Black Lives Matter

Do you believe that black lives matter? Do you think police have too much funding, too little oversight, are a tool of an oppressive regime, and/or are a private police force for the rich to keep the poor and minorities in line? Well guess what: up until 2020 Amazon proudly sold their facial recognition software (called “Rekognition”) to law enforcement agencies all cross the country. Like every other facial recognition software out there, this system was notoriously bad at accurately identifying minorities, mainly people of color and women (if you have Netflix, there's a whole movie about this called Coded Bias, I highly recommend it). Amazon only stopped for PR reasons at the start of the George Floyd protests, and even then they only issued a “one-year moratorium.” This has since been extended indefinitely, but frankly that doesn’t matter. It’s still just PR. Why do I say that? Because for one, that ban only applies to the US. Amazon is still free to sell their faulty facial recognition services to other countries and industries. Second, Amazon still gives police across the nation unfettered access to Ring doorbells, allowing police to have vast real-time surveillance networks paid for by private citizens who may not even know law enforcement has this sort of access. Amazon is actively helping police spy on and identify – poorly – everyone, even peaceful protesters.

Amazon Is An Enemy of Small Businesses

“Well I think all lives matter,” you may say to yourself, “and I support our law enforcement officers.” That’s cool. If you’re more right-leaning, you probably believe in the free market and you’ll likely be furious to know that Amazon actively crushes small businesses. To be clear, I'm not talking about the free market where they simply provide a better product/service and win over customers from the other guys. Amazon has been repeatedly proven to use data gathered from small merchants who use their marketplace to create competing products, avoiding the financial hit of the mistakes that those smaller businesses may have already made in marketing, pricing, or production. (I believe this is the exact sort of data that would be covered by nearly every standard non-disclosure agreement that nearly every company uses these days.) Not that it matters, because Amazon can also just use their massive empire to undercut the competition, selling products at a massive loss until the competitor is eventually driven out of business, then bouncing prices back up to profit-making levels once there’s no alternatives to compete with. The use of this data in the first place isn’t just free market sorting itself out, it’s straight up corporate espionage. It’s one thing if I left my job to work for a competitor and said “we learned that our customers respond better to blue than red.” It would be completely different for me to take a copy of all our business records, marketing documents, and passwords with me. That’s basically what Amazon does. They leverage their highly-invasive platform (which is so ubiquitous that to NOT sell on Amazon is practically a death sentence) to harvest sensitive business data and then use their resources to take the hit until the smaller guys can’t anymore and fold. In any other scenario, this would be corporate spying and illegal monopolizing. Even if it wasn’t illegal, I’d have a hard time believing any free-market enthusiast actually has no problem with this.

Amazon Is An Enemy of Human Rights

Maybe you’re an apolitical person (there’s really no such thing and that’s actually a very “privileged” stance to take, but I digress). In this situation, you can probably agree that we’re all human beings. We all deserve to be treated with respect, no matter what. Well, Amazon is unbelievably hostile to worker’s rights. For years, Amazon Prime delivery drivers have been reporting unrealistic expectations like being expected to deliver 200 packages in a 9-hour shift (that’s about 1 package every 3 minutes), missing pay, intimidation, favoritism, and buggy AI tracking their “performance” (even off the clock). Many of them have reported having to pee in bottles to try to stay on schedule. One reported a hospital-worthy injury where he was advised to finish his deliveries (several hours’ worth) before seeking medical treatment. Warehouse workers report timed bathroom breaks and not being allowed sit down for a few minutes outside of breaks. I’m all about hard work ethic, but you’ve seriously never had a day where you just needed five minutes to gather yourself? Amazon took it one step further with patented wearables in the workplace to spy on employees and make them work even harder. (For the record, there’s no evidence they plan to roll this out yet but the fact that they expressed an interest in controlling the rights to this technology is unsettling.) When workers expressed an interest in unionizing so they could force more humane working conditions (aren’t there already supposed to be labor laws in the first place?) Amazon used their powerful surveillance network to spy on and infiltrate those groups and even attempted to put cameras over the ballot boxes during a union vote to “ensure integrity.” Amazon doesn’t give a crap about their employees, it’s all about the bottom line and quite frankly I’m surprised they haven’t just moved overseas to sweat shops.

Amazon Is An Enemy of Democracy

“Wow, we really need some regulation on Amazon!” you might be thinking. Yeah, that’d be cool, except that at this point Amazon is more powerful than the US government. Amazon spent $18 million in 2020 on lobbying, and then increased it to $20.3 million in 2021 – for those who live outside the US, “lobbying” is a fancy word for “legal bribery.” I’m not making that up. It started off with good intentions and it does make sense, but it gets abused constantly and in laughably transparent ways that make every American citizen wonder how the hell this practice is legal. Anyways, that’s not the point. Have you ever wondered why the “settlement” amounts in corporate lawsuits are always so obnoxiously low? It’s because corporations hire GOOD lawyers. They can afford to hire lawyers who are field experts and can pay them to focus all their time and attention only on that one company and that one subject/department. Then they can pour even more resources into filing new paperwork, doing research, fighting the case, etc. Eventually the court costs start to pile up and the idea of dragging this out for years and spending millions of dollars becomes arduous, frustrating, and impractical. Look at the recent Home Depot data breach settlement – 10 years later! This is compounded even more when you’re an elected official. “You’ve spent HOW MUCH taxpayer money on fighting over some silly case that doesn’t even concern me – the voter – in a way I can tangibly see and understand when that money could’ve gone to better roads, schools, healthcare, national defense, etc?” The fact is that these cases do matter and do concern everyone, but it’s hard to care when you’re buying new rims multiple times per year because you damaged the old ones on a pothole, or when your kid brings home a history book from 1989, or when you work 60 hours a week and still can't afford basic healthcare coverage (the fact that we're the only developed nation that doesn't have free healthcare is a completely separate issue). Amazon can’t be reigned in by regulation because they can outspend the government in time, fines, lobbying, and any other area that they need to. The government has to answer for their tax money spent (in theory). Amazon only has to answer to shareholders and only one question: “how much more money did you make me this quarter?” They can afford to hire lobbyists who shape the laws – literally – and if they fail that they can always drag the court case into oblivion until it just gets settled.

You Are Part of The Problem

Do you remember when Chris Brown beat Rihanna? When that was still top news and I met people who listened to his music I’d always ask them “don’t have you an issue with him beating up Rihanna?” and without fail they’d always answer “Of course! But I just like his music, I don't support what he did.” Here’s the thing though: it’s impossible in situations like that to benefit without supporting the person in question. Every album purchase, every stream, every shirt purchased, every YouTube view, these are all metrics he can use to justify his popularity and book large venues with large guarantees. Honestly I’d even leverage illegal downloads if I was his booking agent. “They can download a song, they can’t download a concert. Those are potentially paying fans.” The same is true with Amazon. In no way can you give any money to Amazon and NOT be directly contributing to these problems I’ve listed above. Every penny you spend can be directed towards developing new surveillance tech or hiring new sales people to score new government contracts. Every purchase you make says that you’re okay with how things are currently working at Amazon and shows them that you’re willing to spend money there. Even using Alexa is sharing your data, which Amazon then uses to refine their products or serve you more ads (which they get paid for). There is absolutely no way for you to use Amazon that doesn’t tell their shareholders “I’m okay with this. Keep the course.” The only way that we can ever hope to affect change is to force their hand by taking your money elsewhere.

Reality and Next Steps

Look, I’m a realist, okay? I know that sometimes there are things that you absolutely cannot get anywhere else except Amazon (or if you can, it costs significantly more). First off, I’d ask you to weigh your definition of “significantly.” Paying $5 more on a $100 product – especially a luxury you can live without – is not “significant.” Furthermore, depending on your financial situation, paying $5 more on a $20 product may also not be much for you. In these cases, I urge you to take the ethical path and not give into Amazon. It’s worth paying a little extra for a good cause. Having said that, paying $50 more for a $10 product, that’s understandably different. If you must use Amazon, here’s my suggestions: First off, if you already have an account, you’re probably fine to leave it active. Your history will stay there, but frankly if you create a new account, it’s likely to get flagged and suspended or if you do it wrong Amazon will still trace it back to you anyways. Feel free to keep your current account, but go ahead and make sure you use good practices like 2FA, strong passwords, and masked e-mail addresses.

If you’re making a new account, I recommend using a masked email address or an old, already very-publicly exposed email address for credibility purposes (like an old Gmail address). I’ve had good success with buying pre-paid Amazon gift cards in cash at 7/11 and using those to make my purchases, however I’ve heard some people have still had their accounts flagged regardless in those situations, so don’t put too much money in right away in case that happens. You can attempt to make new accounts for every purchase (since ideally this should be rare for you anyways), or you can attempt to make one account and just keep topping it up as needed. Michael Bazzell offers more details on what's worked for him on this podcast episode.

Last but not least, I encourage you not only to avoid Amazon itself, but avoid their subsidiaries as using them will still contribute to Amazon’s unethical empire. Unfortunately this includes popular brands like Twitch, Audible, IMDB, GoodReads, Zappos, and over 100 others. I know it’s a lot and it can be hard, but as I outlined before we can’t keep hoping someone else will reign them in. It’s going to take a collective, serious effort to hit them where it hurts (the wallet) and force them to start being a more ethical company.

Prime Day is this week. Please, avoid it. Be the change you want to see in the world. A drop of water alone isn't much, but together it can make an ocean.

2022 Review: Signal Messenger

July 3, 2022

What is Signal & Why Do You Need It?

Even if you’re not big into privacy or security, you’ve likely at least heard of Signal. The WhatsApp/Telegram competitor rose to mainstream prominence in 2021, largely thanks to Elon Musk’s timely “Use Signal” tweet that came on the heels of several unpopular WhatsApp changes. The app promptly skyrocketed to the number one spot in multiple countries’ app stores and even crashed the servers for a weekend.

Signal is an end-to-end encrypted messenger available on Linux, Mac, Windows, Android, and iOS. I have long touted the need for E2EE in your daily communications for both practical and philosophical reasons. For practical reasons, it can protect sensitive communications like financial discussions, upcoming plans, and NSFW pics/texts if that’s your thing. For philosophical reasons, I think that everyone should use encryption whenever possible to normalize it and make mass surveillance less feasible/practical/economical.

The Good

Signal has a lot to like. Let’s start at the top with installation: I like to call Signal “insultingly easy” to setup. You basically just download it and keep clicking through the prompts. The only way this gets even remotely complex is if you decide to sign up using a phone number other than your SIM card number, but even then “complex” simply means “you have to enter the number yourself instead of letting Signal read it from your messages automatically.” Side note: Signal allows you to register with a Voice-over-IP number. This is fantastic for privacy, which I’ll talk about in the next section.

Next, let’s talk about Signal’s encryption. You really can’t beat it, it’s some of the best in the world. It’s so good that allegedly even the CIA can’t crack it and companies like WhatsApp, Skype, Google, and Facebook Secret Messages all use it for encryption. Signal itself has been used by the EU Comission, numerous politicians and their cabinets, journalists, whistleblowers, and law enforcement.

Signal if fast, reliable, and as a plus Android users can set it to be their default messenger app. This means that both your encrypted Signal messages and your unencrypted SMS messages will both funnel into the same app. This has two advantages: for one, you don’t have to switch between apps (a common complaint for iOS users), and for another, if you message someone new who already has Signal, it will automatically send as an encrypted Signal message. If they don’t have Signal, it will automatically send as a regular SMS. Very convenient. Speaking of convenience, Signal also offers a huge array of mainstream features that are sure to reel in even those who don’t care about privacy, like GIPHY support, stickers, and virtually unlimited attachment sizes (I’ve heard rumors of people sending 20-minute voice messages. Horrifying, but impressive). They also offer group chat and video calls of nearly any size you could want – including up to 40 people in a video call. Oh, and Signal is audited. That’s always a plus.

The Bad

Signal is not without flaws. The biggest one for most people (myself included) is the phone number requirement. Signal must have an active phone number to work. For those of you who like to use temporary verification number services, that means “don’t.” Once your burner number goes away, Signal will likely stop working a few days after. You’ll have to find a number that you control completely and use that. I prefer to have a number dedicated only to Signal and nothing else – this can be done with MySudo or Google Voice or pretty much any VoIP service that allows you to create multiple numbers – but that’s a pain for minimalists. Signal has been promising usernames for years, but at the time of this writing there’s still no sign of it coming any time soon. I think this is where we should note that Signal is not anonymous. While they make no effort to correlate or determine your identity, the fact is that most people won’t use VoIP numbers with Signal, and even those who do can still be traced back to the provider. Signal is very private and very secure, but anonymity really depends on you and the measures you take.

My other complaint with Signal is somewhat personal, but I think understandable even if you disagree: the “MobileCoin” incident. I gave a more detailed explanation of this in last year’s review as well as this blog post I wrote for Decentralize Today, but the short version is that Signal went nearly a year without publicly updating their server source code so that they could work out the kinks and introduce a new feature of sending and receiving money to friends and family via “MobileCoin,” a Monero variant. I personally am one of the people who’s not a fan of MobileCoin, but more importantly I don’t like that Signal felt the need to be so secretive about this. I understand they wanted to surprise everyone with what they thought was good news, but I wish they hadn’t. Save the surprises parties for my friends and family, not my encrypted messenger. It was a poor decision that they never really addressed, we all just sort of moved on cause we had no choice.

Signal’s other lesser flaws include being based in the United States, which I believe doesn’t really impact the efficacy of the service itself but it does call into question the future of the service as the United States becomes increasingly anti-encryption (though in the past, Signal did say that any laws banning encryption would simply result in the organization moving overseas to an encryption-friendly country). Signal is also centralized, and many of those central servers include ones owned by Google and Amazon. Signal goes to great lengths to create a zero-trust service where the server’s compromise means nothing, but it’s still sad to see yet another place where escaping the clutches of Big Tech isn’t possible. It’d be nice to see them invest in alternative infrastructure that doesn’t enable enemies of privacy.

Conclusion

Signal is one of the best messengers on the market. It is incredibly secure, very private (remember: not anonymous, but private), easy to use, and has very wide adoption. In fact, it was even casually featured in this year’s Google IO event during a feature demonstration. For the vast majority of people, Signal is without a doubt the best messenger because of the wide array of features, adoption, and user-friendliness. However, Signal does have drawbacks that make it not right for every situation. For those who don’t want to hand out a phone number or don’t want a phone at all, Signal presents serious challenges. Still, for a daily messenger I strongly encourage readers to look into Signal. It may be the gateway app that gets your friends and family deeper into encrypted messengers down the road.

You can check out Signal here.

Let’s Talk About Roe v Wade

June 25, 2022

This week, the US Supreme Court overturned a landmark decision from 1973. “Jane Roe” had filed a lawsuit against the state of Texas, claiming that banning abortions was unconstitutional. Regardless of your opinions of abortion, this is a discussion we need to have because the Supreme Court ultimately ruled 7-2 that the 14th Amendment of the US Constitution guaranteed a right to privacy, which included privacy over a woman’s body. In fact, the exact quote was “This right of privacy….is broad enough to encompass a woman's decision whether to terminate her pregnancy.” (Source). So this isn’t just about abortion, this decision has the possibility (probability, I would argue) to impact privacy on a long-term, national level. And that’s why I want to talk about it today. So put aside your political opinions for just a moment, and let’s talk about the impact of this decision.

The Direct Privacy Connection

With the overturning of Roe v Wade, abortion decisions must now be made at the state level. This means that in about half the US, abortions are now essentially illegal unless the life of the mother is at risk (many of these states do not provide exceptions for cases of rape or incest). This has thrown much of the US into a state of panic because of mass surveillance: it’s long been no secret among groups like Privacy International, EFF, and even a horde of mainstream news outlets that “period trackers” – like pretty much every other mainstream app on earth – collect vast amounts of data (more than they actually need) and submit it back to third party advertisers and data brokers who track people. Couple this with the US government’s long standing penchant of simply buying data from third parties to circumvent the red tape of court orders and due process and we have now entered a dystopian but 100% possible (and I would argue “likely”) scenario: the weaponization of data to hunt down and persecute people.

I have long said that if the data you collect would be dangerous in the wrong hands, you shouldn’t collect it. Likewise, I have also long said that “I have nothing to hide” is an absolutely insane argument because laws change. What’s legal today is not tomorrow. Unfortunately, I was ahead of my time. The data we’re collecting today can be weaponized in the future. Data that didn’t matter last week – like where you went – matters now. The Supreme Court has decided to weaken protections, and this case isn’t just about abortion. The decision was directly predicated on privacy: “you have a right to privacy from the government.” With that decision no longer valid, privacy protections in the US have taken a hit, and every blow that weakens privacy makes room for further losses in the future. Maybe you’re anti-abortion. In this case, I don’t think that matters. You may think this case was a win, but that trophy comes with heavy strings attached. Go ahead and quote me: the reduction in privacy protections that occurred this week will go beyond reproductive rights and be used to weaken other rights in other areas, probably in some that affect you negatively. This was not what you wanted. With the rampant, obscene overcollection and sharing of sensitive data, the price will be paid in other areas, and it will be expensive.

Practical Advice

It is with this in mind that I urge us all, now more than ever, to take our data seriously regardless of if or how this ruling has directly impacted you. Last week, researching abortion for any reason didn’t matter legally, and now it might. In the future, wanting to understand a particular medical or mental health issue could cost you health insurance or certain rights. The BDSM community has long struggled with the fear of having their children taken away because of their lifestyles. I personally could easily see a future where a quick Google search to better understand depression could be used to deny you a firearms license, or where researching Russia’s narrative of the war in Ukraine could be used to restrict your travel or financial purchases. Maybe today that sounds insane. The idea that abortion rights were going to be rolled back sounded insane to most a year ago. Maybe I’m wrong, but are you willing to take that risk? Your innocent data today can be used against you tomorrow. Why risk it?

Regardless of what you’re searching or why, I have some practical tips for everyone moving forward in a world where your data can be weaponized against you at some point in the future.

1. Encrypt and erase everything. You’ve got to stop using unprotected communications like SMS and things that identify and track you like Chrome. Use the Tor Browser (or Brave/Firefox with a VPN). Use Signal, Session, or Wire to communicate. Furthermore, set your browser to never save history or cookies, and set your messenger to automatically erase messages (hence why I suggested those three specifically). You should also switch to a privacy-respecting search engine that doesn’t try to track you. I personally use Brave, but DuckDuckGo, and Startpage are popular options, as well as Whoogle and SearX. Some of these even have onion versions for Tor users that can provide additional protection.

2. Check app permissions. It’s unrealistic to ask people not to have phones at all (if you can swing that, kudos to you). However, you should absolutely check all the apps on your phone right now. First off, delete the ones you don’t actually need or use regularly. For the ones you decide to keep, be sure to check the permissions. Does Tinder need location data access all the time, or only when using it? Does that game really need access to your contacts? Disable any permissions the app doesn’t actually need. I have some additional suggestions and information here. It should also go without saying that you should probably start checking the privacy policies and look for apps that either don’t collect data, or only collect data they actually need (for example, not location data). A great place to start is AlternativeTo.

3. Ditch the phone altogether. Of course, the best option is to simply not have a phone. While this is not feasible for most 24/7, it can easily be done in specific scenarios and there are two I want to highlight. First, research. Do not research sensitive stuff on your phone. Phones are incredibly locked down for security reasons, and they are very invasive by their nature. For these reasons, it’s best to use a computer where you can restrict the data collected easier and have stronger protections from your browser and VPN. Tor browser on a hardened computer will always be more private than Tor browser on an iPhone, in my opinion. Second, travel. If you’re going somewhere sensitive, leave the phone at home. If you take it with you, there will be a record of you going to that place. Trust me, you can live without it for a few hours. I am not convinced that airplane mode is enough for this purpose, I’d leave it altogether. (Note: this applies to anyone around you. If your friend or partner gives you a ride to your appointment, they could be tracked, too.)

4. Communications. Most places require you to make an appointment. For this, I recommend using an encrypted email provider as they will not be able to disclose your email contents even with a court order. Certain sensitive, one-time appointments may warrant making a new inbox altogether.

5. Payments Digital payments – like your debit/credit card, Venmo, PayPal, Cash App, etc – all leave a trail. Instead, you should always opt for cash. If for some reason your provider accepts cryptocurrency, please also note that Bitcoin is not private by default. I recommend Monero instead. If none of these are accepted, try to buy prepaid cards using cash.

While this information – at the time of writing – may be most relevant to those seeking certain forms of healthcare, I urge you not to ignore it if this doesn’t affect you. Like I said earlier, the Roe v Wade decision is about more than abortion. Our privacy rights in America have been weakened, and right now the only thing protecting most of us from data abuse as it is are some flimsy laws and empty promises from companies who value profit above privacy. This particular decision may not impact you right now, but I’m willing to bet that in the future others stemming from this will. So again, even if you’re anti-abortion or unaffected, I encourage you to heed this as a wake-up call and start valuing your privacy. Your data may be weaponized next. Protecting yourself is easier than you think.

Upping Your Privacy Game

June 18, 2022

Lately I’ve been seeing a big trend among a lot of privacy content creators for wider acceptance of wherever people are in their privacy journeys. To be clear, this is a good trend. I think it’s vital that we accept that everyone is in a different place with different circumstances. Sometimes people just started their journey and haven’t decided to switch to Linux yet (or which distro to switch to), or maybe people are still filling in gaps in their technical knowledge before making a decision about something. Nobody is born knowing everything, and everything we do is a journey.

Having said that, pendulums can swing too far in either direction. Just as it’s possible to be too aggressive, too unforgiving, too dogmatic about forcing everyone to go to the maximum in privacy, it’s also possible to be too forgiving, too patient, and never push yourself (or those around you) to go further.

I’m a big believer in constant growth. My father once said that the day you wake up, watch TV, and go to bed without ever doing anything to grow or better yourself is the day you start to die. While I think everyone needs days off, I do believe in his overall message. You either grow or die. If your life is a chart, the general trend should be up and to the right. The day you stop trying to grow in any way, shape, or form is the day you’re just wasting air. Now before anyone thinks I’m being too harsh or discriminatory, let me be clear that growth comes in multiple forms. “Growth” doesn’t necessarily mean going to the gym, learning a language, or taking a college class. Growth could – in my opinion – mean reading a new book. Checking the news (assuming your mental health allows for that regularly). Going for a walk. Checking on a friend you haven’t chatted with in a while. “Growth” could also encompass “maintenance” – keeping your garden alive, keeping your friendship alive, keeping your mind sharp. The day you stop doing that – the day you wake and go to bed without having done anything to improve or maintain at least one thing in your life, and you make that the new norm – you may as well go lie down in the grave. Again, days off are fine. At the time of this writing, I took a day off yesterday. I watched TV, I played video games, I drank, and it was amazing. I needed that so badly. But today I’m back in action: writing, reading, running The New Oil, etc. The overall trend is upward and to the right.

I believe that our privacy journey should also be like this. For most people, privacy is not their passion. I don’t expect everyone to wake up every day and go “how can I improve my privacy and/or security?” For most people, privacy is – at best – an interest. It’s something they want to take seriously, but they also have to balance jobs, relationships, parent-teacher meetings, classes, emergencies, the usual gamut of things that we all struggle with. I accept that. But the day you say “okay, I’ve hit my privacy goal, I can quit now” is the day you start losing your privacy.

There’s two reasons I believe this. The first is the most practical: privacy is an ever-evolving field. Suppose a couple years ago I had signed up for CTemplar and said “okay, I’m good now. I’ve got privacy.” For those who don’t know, CTemplar shut down last month, which means if I wanted to stay private, I had to find a new email provider. Wickr was once a great choice for privacy – personally, Wickr was my favorite. No personal data required for signup, mobile and desktop clients, usernames. Man, Wickr had it all. But now they’re owned by Amazon, and quite frankly if you think that Amazon isn’t collecting metadata, you’re delusional.

The second reason I believe this is because our situations change. I’ve met numerous people in the privacy community who say things like “I have to use WhatsApp for class, but as soon as I graduate I’m deleting it.” I’ve mentioned myself how in the past, I had a job that required the use of Facebook to communicate schedules and other bulletins. These days I could easily find another job that doesn’t require me to use Facebook, but back then I was just starting my career and had no choice. News flash: none of us are the same person or in the same situations we were ten years ago – and frankly, if you are, that’s very concerning. I don’t mean to judge, but you should probably examine yourself and your life and make sure you aren’t stagnating. I think we should all always be striving to be better than we were yesterday.

This is why we should never settle. Maybe you’re using a Mac right now because it’s functional and you don’t have the money to justify just going out and buying a new PC to put Linux on it. That’s fine. I respect that. I’m a frugal person myself, and I would never condone discarding a perfectly good device if your threat model allows you to get the most usage out of it. But in a few years when your device gets outdated, maybe go ahead and take the leap into Linux. Maybe you can’t, perhaps your career field requires Mac-specific software. I also respect that. I’m an audio guy, and I do a lot of work in Pro Tools. But I dualboot. I run Linux for 90% of my day, and Windows only when I need to do production work (or gaming). Imagine if I had said “well I need Pro Tools, so I’ll just say with Windows full time.” I would be losing out on that privacy for 90% of my life.

In the past, I’ve mentioned threat modeling and not overloading yourself. That stuff still applies. It’s still critical that you don’t burn yourself out or run yourself into a mental hospital (no stigma intended) because you tried to emigrate to a country with better privacy laws when you didn’t have to. At the same time, however, I believe it’s critical to recognize when you can do better and do so. Suppose my partner asked me to put up a shelf as high as I could reach to store some of our lesser-used kitchen utensils. I’m 5’10” (that’s 178 cm, for my readers in literally every other country on Earth). If I put the shelf five feet off the ground, I think we can all agree that I could do better. Sure, five feet is better than three, but the goal was “as high as possible” and I can easily do more than that. We should approach privacy and security the same way. Sure, Google has good security, but we can do better. Sure, SMS 2FA is better than none at all, but we can do better.

We all have a set amount of stuff we can deal with in a day. Some people call it “spoons,” I call it “emotional bandwidth,” but at the end of the day it’s the same thing: we have a limit on what we’re capable of. This is usually a combination of decisions, physical effort, emotional attention, etc. but once we’re out, we’re out. Sometimes, taking our privacy to the next level involves waiting until we have a day when we can do more. “I don’t have the energy to set up my own Nextcloud server today, but next week is a three-day weekend and I can set aside a few hours to do it then.” That’s perfectly okay. But my point is that I believe it’s worthwhile to see where you can improve and try to. Maybe you’ll try out Nextcloud and go “wow this sucks.” But maybe Proton Calendar works for you. Or Tutanota’s calendar. If you’re still using Google or iCloud for a calendar, I believe it’s worth looking into these solutions and trying them. Maybe none of them will work. But you owe it to yourself to spot room for improvement and look for solutions. In some cases, there may not be room for improvement. But again, things change. Maybe last year there weren’t any good options for your problem, but maybe this year there’s a new service to try. If something is just too much, it’s okay to dial it back and admit that the particular service or solution isn’t right for you. But remember to circle back around when things are different, and look for other areas of improvement. It’s always important to check in regularly and see what we can do better.

Remember: never stop growing. Slow, incremental growth is still growth. Let’s all strive to always grow. A tiny sprout today could be a nearly-indestructible Redwood in the future.

Daily Driving the Pinephone Pro

June 4, 2022

by Uncover

Pine64 has been known for their affordable GNU/Linux based devices for a while now. They released a Linux based phone called the PinePhone in early 2020, complete with switches to disable the camera, microphone, radios, and other sensitive hardware. I unfortunately didn’t get one at the time, but since then the Pinephone has become pretty decently stable (depending on what operating system – or “OS” – you use on it).

In Oct of 2021, the Pinephone Pro was announced and shipped early the following year. I preordered a Developer Edition, which is only intended for developers or people with extensive Linux knowledge, since I know the software will eventually mature and the higher hardware specs will be much better then the original PinePhone and I want to be along for the journey. I received it about one month ago and have been “daily driving” it as much as possible since, though I am unable to use it full time due to required work software I need to use and being available via phone is crucial (I did use it as much as possible besides required work needs).

I mostly used the default Manjaro KDE Plasma OS that it ships with, but I also tried Manjaro Phosh (the Gnome-based distribution that the Librem 5 also uses) and PostmarketOS with Plasma briefly. I have managed to put a sim card in it and test the calls and SMS/MMS.

What I Found

Plasma

Plasma is my personal favorite in terms of look and layout. Unfortunately I had to reinstall the OS on three separate occasions because sometimes the lock screen would say the PIN was wrong which I’m sure it wasn’t. I also had some issues with the screen getting stuck when rotating where part of the screen was black.

Voice calls were mostly reliable but sounded far away and muffled. It was manageable, but clearly lower quality than what I was used to on my usual phone. SMS and MMS, on the other hand, were spotty and unreliable. I usually received them, but not always. Overall I’d give that experience an 8/10 if I had to rate it.

The overall speed was actually faster then my iPhone when it came to browsing on the Angelfish browser that is included (Firefox also ran faster than my main cellphone but not as significantly as Angelfish).

Finally, the biggest issue I had was when using Discover (the app software “store”). When updating, there was an error of “1 offline update failed” where it offers an option to repair or open Discover, but neither option solved the problem. It should be noted this has already been brought up to the developers and they are working on a solution last I checked.

Phosh

Phosh is the smoothest and least bug-filled OS I tried, likely due to Phosh being in use for a while now on other devices such as the Librem 5. Personally I didn’t care for the icons or the way it vibrates every time you swipe down on the notification bar. However, that’s personal preference. If you want the most functionality and reliability, that seems to be what Phosh offers.

Phosh’s native SMS/MMS and phone calls also suffered the same issues as Plasma (low quality, hit-or-miss reception rates) but because of the rest of the phone’s factors it was a slightly more pleasant experience, maybe a 9/10.

Overall I encountered almost no bugs except for some YouTube playback issues on Firefox, where it buffered endlessly until I restarted the browser. Thankfully a quick fix.

PostmarketOS

I wanted to love PostmarketOS so much. It has also been in development for a long time and is focused on replacing the Android-like experience with Linux on phones. Unfortunately I couldn’t manage to update it or do much of anything. I couldn’t even get native SMS or voice calls to work at all. However, it should be noted that PostmarketOS does not officially support the Pinephone Pro at the time of this writing. I was able to find a developer who was willing to build a custom image for me to try. This is almost certainly why I ran into so many issues. I’m sure that by the time it’s officially released most of these bugs will be fixed.

Conclusion

The Pinephone experience varies wildly. Some people report a smooth, daily-drivable experience while others find it nearly unusable. I think this largely comes down to your daily lifestyle and what you need it to do for you. Pine64 has made it clear on the Pinephone Pro’s page who the product is and isn’t for at this stage (see the image above). I personally got one because I love FOSS and wanted to support a great company. I’m also impatient and would rather be along for the “software maturity” ride than wait until the final product is ready. I’m willing to risk some bugs in exchange for early adoption. If this sounds interesting to you and you are knowledgeable (very knowledgeable) in Linux, then I completely recommend checking out the Pinephone Pro. If you’re more of a casual user, then you may be more interested in a custom Android ROM until the software is more stable. But once it develops a little more, I bet it will be a powerful third option for those wishing to take back control of their data.

Stay safe and stay private.