Elias Griffin

I just happened upon this thread and security of all types is my specialty so I just wanted to say that nothing here is personal. I’m trying to be helpful giving folks “actual security” as in not “better than putting passwords in plain text files”. Lazy idiots will be lazy idiots with Keepass as well. I can’t tell you how many stories I’ve heard from colleagues that those people aforementioned just put the main Keepass password in a plain text file.

I upvoted the OP and your reply for bringing TM novelty and awareness.

I do see what you’re going for, but the mitigations you wrote can be found everywhere on the Internet for over a decade. It’s average commodity information combined with that fact that we are not more secure these days, but less secure in 2024 that ever.

In the case of password databases, this is de facto less secure than paper and pencil, which is not extreme by any measure and actually takes little effort.

Quadhelion Engineering Corrected Mitigation Strategies:

• Never use an electronic password manager, use index cards and an art quality graphite pencil instead
• The loss, hack, crack, or malfunction of a MFA device can be absolutely devastating. Use with caution and sync three of them, 1 of them kept in a firesafe at all times
• Never regurlarly update all software and devices, choose your updates and choose your timing depending on your environment and posture instead
• Never be reliant upon an electronic home security system and lock devices (if they get that far, major damage has occured), use a Rottwieller, Great Dane, Mastiff, German Shepard, or Akita (never Pitbulls or Dobermans) alongside yourself with non-lethal weapons until lethal force is used upon you, instead

You asked and the Non-lethal (Less-Lethal) Weapons Industry has delivered. Pepper ball guns, Radically Improved Tasers, Electrical Stun Devices, Batons, Kubatons, Pellet Guns, ColdSteel Brooklyn Smasher, Slings, and also you may not think unless you played, Paintball Guns, big nasty bruises at medium range if only wearing a T-Shirt.

• Women hide thier skin, lips, and age
• Men hide thier jawline with beards and their insecurities are buried so well, they forget it themselves as a defense mechanism hoping the mental/emotional weakness will “heal” by next confrontation
• Humans hide thier weakness,
• Thier competitive business plans
• Patents until they are published
• Who are you falling in love with at the start
• Exactly how much you are attracted to a person
• Who you have a crush on
• Your answer to a $10,000 competition
• Your lottery ticket
• The location of your gold and gun
• The location of your child when allowed online
• Whether someone is away from home for extended periods of time, you leave the lights and TV on.
• Inventions until it’s marketed
• Science Fair Project until it’s unvieled
• Presents until they are opened
• Your private parts
• Your private thoughts on your marriage

Have you ever grabbed a childs private parts? NO of course not, because you INNATELY UNDERSTAND even though you are not a parent and don’t remember being one yourself. In fact you understand it so well that if you were to do so publcally, you’re putting your life at risk.

CONCLUSION: Privacy is natural and helps give confidence and security to an individual but they want access to your weaknesses and privates anyway.

EVIDENCE: Privacy Violation is a specific tactic meant to break people …IN PRISON…since they begining of time, Gulags.

P.S. Stop showing nude baby pictures at reunions to those that did not raise or grow up with the child in the family who already saw them naked, and only while they are still a child and not a teenager, otherwise that is a serious privacy violation. In fact, just don’t take the picture, where did you even get that you lazy lubricated louse.

Very interesting tip, preciate that.

@PassGAN

Instead of relying on manual password analysis, PassGAN uses a Generative Adversarial Network (GAN) to autonomously learn the distribution of real passwords from actual password leaks, and to generate high-quality password guesses. Our experiments show that this approach is very promising.

Posteo

The name sounds akin to “mass gaslighting”?

Now that you mention that, I say if securing your own 1-chance-only->dead life that is only for you gets you on a list, better double time it. But in reality, there is no one who is not already on a list. Same thing as body armor being illegal or as I’ve experienced, “suspicious”. Suspicious to protect oneself like others do? Hah!

No. In the “Steps to reproduce” turning on Signal setting “Show in Suggetions” was not listed nor any setting of this type.

This is super helpful, I may post this to infosec.exchange. Flathub makes this so much more difficult to find the reason for what looks like a real breach. I don’t use Flathub for security reasons so I don’t know if you can even isolate the PID? Anyone know?

I don’t want you to have to spend a lot of time or troubleshoot over the web but if you see anything that stands out as “wow shouldn’t be there/running” when you run these commands come back to us:

1. ps the PID of Signal or secondarily, Flathub
2. lsof -p PID
3. strace
   • sudo strace -f -t -e trace=file -p PID
4. sysctl kernel.randomize_va_space
   • pkill/killall Flathub/Signal and restart FH/Signal and see if it still presents the vulnerability

What that user is describing is very serious. They are saying iOS can reach into Signal and extract data.

Huge if true! You could conceivably submit your phone to a Cybersecurity company and share in any reward.

Help us with:

• Your OS Version
• OS settings that are possibly related
• How you obtained Signal
• Signal version
• Video proof
• Steps to reproduce

Who knows how to compute a hash for an installed mobile phone app? We need to compare it with legit.

Let’s not go all the way down the rabbit hole in one pill. Steps of one less person so inured (Definition: Made tough by habitual exposure), so hopelessly dependent on Google.

Welcome to the real world.

Yeah, GetPocket App from Aurora store was able to turn on location on GrapheneOS about 4 months back. After reading the AuroraOSS Store Founder’s profile on Gitlab, I no longer trust AuroraOSS and if you are using GrapheneOS I would advise to vet and install your own apks.

I had a CalyxOS phone whose ROM was hacked which should be impossible outside the factory. Yes, I’m sure and if you had access to the phone, you would also be sure. I’m a huge target whereas most people are not so maybe some high end team was run at me and that would not happen to you.

I’m not competent enough about mobile OS security as of yet to vet mobile OS in detail, but thanks for awareness on Lineage/Divest.

Yeah, it’s just that I sponsor envs.net for the contributions they make to the NIX community as well as Nim, Zig, Musl, GhostBSD, NetBSD, and Dragonly BSD - all more secure than the alternative.

The Blacklight results come up exceptional compartively, 1 tracker, 1 cookie, and it’s easy to block Google. It doesn’t do that over accounts or sessions however, and that is a quite positive attribute. Thanks for the awareness on that though, for everyone. I always advise to use a blocking browser. I guess overall I see the best-in-class results to be worth it every once in a while.

You mentioned Cromite for Android, isn’t that conflicting? Cloudflare is the #1 MITM privacy destroyer so that’s great too. I’ll have to check under VPN.

Could I get your recommendation for what you would advise for a private search engine that has acceptable results?

Good info overall, thanks for this comment.

Hah, I didn’t even realize this was you! Great job here, although between us you already know what I think about what it takes to secure TOR ;)

Thanks for the compliment, I had to hack around bad Gogs docs for hours to implement that.

What a superb list! Saved.

I was thinking of writing a guide on how to lead a digitally private and secure “life” since so many bad guides are out there.

I’d like to add that the best private and secure Operating Systems are:

• BSD
• HardenedBSD
• Commercial UNIX (HP-UX, AIX, IRIX)
• Void & Alpine Linux
• Indie Operating Systems

Private Search Engines

• Searx
• Searx.envs.net

Private Browsers

• Lynx
• Librewolf
• Waterfox
• Qutebrowser
• Hardened Firefox (at my repo)

Qubues runs containers yes, but the unique use of a paravirtualized Fedora Linux kernel itself leaves open lots of unique security holes and is therefore extremely hard reviewing the security of it yourself.

GrapheneOS is constantly being showboated by Ed Snowden which is a red flag and I did experience app contamination on it. I would also suggest PostmarketOS. Definite no on CalyxOS.

I’d like to throw in my own Free Open Source, git clone, security repositories for BSD and Firefox available on Bitbucket, Github, and my own self-hosted git server with the latest files. All my software is currently written in Python (my very first Python scripts!) and short so it’s very easy to review.

I tried Kagi and canceled after a week. It’s a reformat of DuckDuckGo, a better format for sure, and lack of sponsored links, yet it adds AI too. In the end, it’s the same old curated unhelpful results that leave millions of high value boutique and indie sources of information out. Also, it’s Orion browser is bad.

Basically ask yourself that knowing all the good writers, content creators went to Substack, yet hardly any search engine gives results from there, why?

Looks like you are using Firefox. Use arkenfox sure, but cut Mozilla off it’s 115 server network it uses to track you via FF by using a host deny list, FOSS git clone harden-firefox. You’ll have to disable to update ublock origin or remove the extensions line, but it’s better to just cut the adverts and tracking by removing it from the networks than by browser interception (slower, loss of performance, still hits your computer). Links included to do that in that repo.

Alternative browers are Librewolf and Qutebrowser. When you really don’t want to be tracked for some things use Lynx.

A great search engine replacement is Grasp. It’s being funded by Paul Graham, the founder of Y Combinator and although you only get 100 free searches a months, it can come in very handy. The search results it gives you, unlike Kagi which is just a reformat of DuckDuckgo yet with AI, it’s results are completely different than any other engine and imo, on point, surely for anything technical.

My general search engine is an envs.net free hosting of Searx. envs.net is a free Linux shell community with many services like blogs, email, matrix hosting, etc etc. If you do end up using their German Searx as main search donate to them, I did.