- cross-posted to:
- [email protected]
This is original content. AI was not used anywhere except for the bottom right image, simply because I could not find one similar enough to what I needed. This took around 6 hours to make.
Transcription (for the visually impaired)
(I tried my best)
The background is an iceberg with 6 levels, denoting 6 different levels of privacy.
The tip of the iceberg is titled “The Brainwashed” with a quote beside it that says “I have nothing to hide”. The logos depicted in this section are:
- Apple
- TikTok
- PayPal
- Google Chrome
- CashApp
- Samsung
- Steam
- Microsoft Windows
- Ring (Security Camera)
- YouTube
- Amazon
- Discord
- Gmail
- ChatGPT
The surface section of the iceberg is titled “As seen on TV” with a quote beside it that says “This video is sponsored by…”. The logos depicted in this section are:
An underwater section of the iceberg is titled “The Beginner” with a quote beside it that says “I don’t like hackers and spying”. The logos depicted in this section are:
- Telegram
- Authy
- Brave Browser
- Privacy.com (Virtual Cards)
- DuckDuckGo
- iMessage
- Proton Mail
- AdBlock (Browser Extension)
A lower section of the iceberg is titled “The Privacy Enthusiast” with a quote beside it that says “I have nothing I want to show”. The logos depicted in this section are:
An even lower section of the iceberg is titled “The Privacy Activist” with a quote beside it that says “Privacy is a human right”. The logos depicted in this section are:
- Monero
- GrapheneOS
- Vanadium (Web Browser)
- KeePassDX
- SimpleX Chat
- Accrescent
- SearXNG
- Aegis Authenticator
- OpenWrt
- Mullvad VPN
- An illustration of physical cash
The lowest portion of the iceberg is titled “The Ghost”. There is a quote beside it that has been intentionally redacted. The images depicted in this section are:
- A cancel sign over a mobile phone, symbolizing “no electronics”
- An illustration of a log cabin, symbolizing “living in a log cabin in the woods”
- A picture of gold bars, symbolizing “paying only in gold”
- A picture of a death certificate, symbolizing “faking your own death”
- An AI generated picture of a person wearing a black hoodie, a baseball cap, a face mask, and reflective sunglasses, symbolizing “hiding ones identity in public”
End of transcription.
sexy chart!
Could use some anti-malware/AV for beginners and privacy enthusiast level.
Not everyone in there is running a secured OS.
Beautiful and I love it Thank you
Where’s GOG.com?
Not sure if GOG has anything to do with privacy. Although if it was on the list I imagine it’d be up there with Steam (not sure why that one’s on the list either).
I’d argue that gog might be a bit better, since you can download executables from their website, and then use them offline, without telemetry. But still, I think neither are necessarily all that relevant here.
Well that sounds like a malware poisoned well
They are a relatively established game storefront, and have been at it for over a decade. Same Corp that’s also behind CD Projekt Red.
In the end, any storefront that distributes executables could in theory distribute malware, but I’d honestly be more worried about steam, since their publishing process seems a lot more automated, with less oversight.
Android missing?
Hi from near the top of the iceberg. I have five from the top and two from the next level down, plus two from level four. A balanced diet?
Depends what they are, I think a fair amount of people might be in the same boat, with a few services from different tiers.
Android missing?
I wasn’t able to fit everything, but I specifically excluded Android, because it isn’t inherently bad. GrapheneOS is based on the Android Open Source Project (AOSP), for example, so I didn’t want to give the wrong idea.
I’d put Android/iOS on top layer then AOSP on the 2nd layer then deGoogled Androids on 3rd layer then PostMarketOS on 4th or 5th layer.
What’s open wrt for?
Malwarebytes is good in my opinion and ads didn’t tell me about it. I discovered it by myself. And nowadays ads can’t really tell me much because I block every single ad I possibly can.
Yeah I’ve also heard Malwarebytes is good. I heard it from thenewoil.org.
Yeah Tor is just straight up unusable for most sites.
My experience is it does work with most sites. And the minority of sites where it doesn’t work are evil sites that I don’t want to visit anyway
In my experience, most sites are broken not by Tor, but rather by Javascript turned off. But I do it in my normal browser as well, and it breaks just as much, with the exception that there I whitelist a lot.
Maybe email the site admin and let them know
I usually tell them to test their site in Tor Browser on Strict mode to reproduce the issue.
Sadly, using small niche VPNs that might be more trusted makes you stand out more. It’s pretty unusual to have a Mullvad user on your server
They don’t rotate IPs as well so a lot of them are blacklisted… and don’t offer port forwarding anymore
I wish they could change IPs regularly and add port forwarding back :-( - I would happily pay for their service again
Because 5€ for their current service is overpriced
What do you use instead of Mullvad now?
https://airvpn.org/ is a great option that is still privacy friendly and allows port forwarding. Still niche if you care about that, so may not be for you.
Interesting option as well, but some problems :
- Not audited iirc
- Port forwarding leads to identification of the individual account, and facts about this aren’t really explained. They admitted that in case they receive a legal order against someone who has port forwarding, they must give the identity because they can get it.
- Sure, changing ports frequently is a way around this but meh, I’d like to know what they will provide if that happens
I’ll add that their servers are a bit slow (I have a gigabit connection) and they don’t have a server in my country
Going to get hate for it (justified), but NordVPN
Reasons: low price, and someone I know already had an account.
Could switch but most VPNs don’t have what I’m looking for (port forwarding), as well as IPs that often change and a solid userbase to mask traffic in smaller websites
Tested mullvad a few years ago and had some small connection problems, but the main issue was that it wasn’t usable in many websites due to their IPs being really abused (+ blocked from streaming services).
I don’t get why the second layer of OP’s iceberg is solutions with strong marketing budgets. As far as I know (correct me if I’m wrong) NordVPN has been audited by 3rd parties which confirmed its no-log policy. Also I feel more anonymous when using a mainstream VPN because many users share the same IP. On the contrary, if you use a VPN where only 2 users are on the same IP, it seems easier to track you. Maybe I’m wrong but the hate for NordVPN does not seem justified.
The hate is mainly because they run anti-consumer techniques, such as:
- infinite fake sales (illegal in most countries)
- misleading fear mongering (VPNs don’t bring much security at all, and aren’t the only tool you need to achieve anonymity at all. Most people don’t need a VPN.) but this has some positive impacts: normies use VPNs so they become more accepted
- ultra aggressive misleading marketing: occasionally, false claims are made through sponsorships
They are also in a country where they can legally not provide any info to anyone (also in case of legal problem I believe), but it is a double edged sword, as it also means they can lie and sell our info and will never get sued over it
Such things make it hard to trust, but the reality is they’re most likely fine to use because they already make a ton of money. They probably won’t risk losing a business over this.
Sadly, using small niche VPNs that might be more trusted makes you stand out more.
This probably doesn’t matter, does it? Because being spotted as a Mullvad, AirVPN, etc. user doesn’t make you more of a target for anything.
It just means that if they try to trace your connection back to you, they won’t find anything out, because you have a trusted zero-logging VPN.
Only thing I could see is it could potentially be easier to track usage through the IP and assume it’s one person, but idk, you could do that with anything if you look at the request timings, etc. It’s still just guesses.
Am i missing something?
It’s pretty unusual to have a Mullvad user on your server
Probably not on the usual sites people visit (youtube, etc, the big sites 99% of ppl go to exclusively), but I can see your point for any smaller site.
Because 5€ for their current service is overpriced
Airvpn provide a discount for each extra month you sign up for in bulk which is nice. It’s a great service in my opinion.
Sadly, using small niche VPNs that might be more trusted makes you stand out more.
This probably doesn’t matter does it? Because being spotted as a mulvad, airvpn, etc user doesn’t make you more of a target for anything.
I’m just taking a stab at this since I’m not entirely certain, but I would think that this would weaken you against fingerprinting since it depends on having many different semi-unique characteristics as you browse?
This ^
If you have 2 accounts on a website for example, you can be easily exposed if using a niche VPN. If on a more popular VPN, it’s not as likely as some other users probably use those as well
Realistically, on bigger websites it doesn’t matter as much - it would really depend on your config. You’re bound to be fingerprinted at some point anyways. It’s just too hard and too annoying to blend in.
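The point made in the comments above (two accounts behind a rarely shared exit IP are easy to link, while accounts behind a busy exit are not) can be shown with a small log-correlation script. This is an added example, not code from the original thread or from any VPN provider. The log lines, IPs and usernames are constructed for illustration, and the scoring rule (one over the number of distinct accounts seen on an exit IP) is an assumption chosen to make the effect visible, not a formula from the discussion.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample access log (hypothetical; not from any real site).
# Format per line: "<timestamp> <client IP> <username>".
# 203.0.113.7 plays a niche VPN exit used by only two accounts;
# 198.51.100.9 plays a busy exit shared by many accounts.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice_main
2024-05-01T10:02:11Z 203.0.113.7 alice_alt
2024-05-01T10:03:40Z 203.0.113.7 alice_main
2024-05-01T11:00:00Z 198.51.100.9 bob
2024-05-01T11:00:05Z 198.51.100.9 carol
2024-05-01T11:00:09Z 198.51.100.9 dave
2024-05-01T11:00:12Z 198.51.100.9 erin
2024-05-01T11:00:20Z 198.51.100.9 frank
2024-05-01T11:01:00Z 198.51.100.9 grace
2024-05-01T11:01:30Z 198.51.100.9 heidi
2024-05-01T11:02:00Z 198.51.100.9 bob_alt
2024-05-01T12:00:00Z 192.0.2.55 ivan
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def parse_log(text):
    """Yield (ip, user) pairs; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def users_by_ip(text):
    """Map each client IP to the set of distinct accounts seen from it."""
    table = defaultdict(set)
    for ip, user in parse_log(text):
        table[ip].add(user)
    return table


def link_accounts(text):
    """Score every pair of accounts that share an exit IP.

    Assumed rule: score = 1 / (number of distinct accounts on that IP).
    Two accounts alone on an IP score 0.5; eight accounts on a busy exit
    give each pair only 0.125. A pair seen on several IPs keeps its
    strongest (rarest-IP) score. IPs with a single account yield no pairs.
    """
    scores = {}
    for users in users_by_ip(text).values():
        if len(users) < 2:
            continue
        weight = 1.0 / len(users)
        for a, b in combinations(sorted(users), 2):
            key = frozenset((a, b))
            scores[key] = max(scores.get(key, 0.0), weight)
    return scores


def ranked_links(text, threshold=0.3):
    """Return [(score, user_a, user_b), ...] at or above threshold, strongest first."""
    out = []
    for pair, score in link_accounts(text).items():
        if score >= threshold:
            a, b = sorted(pair)
            out.append((score, a, b))
    return sorted(out, reverse=True)


if __name__ == "__main__":
    # Show every shared-IP pair; only the niche-exit pair clears the default threshold.
    for score, a, b in ranked_links(SAMPLE_LOG, threshold=0.0):
        print(f"{score:.3f}  {a} <-> {b}")
```

With the default threshold only alice_main and alice_alt are reported; bob and bob_alt share an IP just as much, but that IP carries six other accounts, so the link is no stronger than any other pair on it. Timing-based correlation, which the comment also mentions, is deliberately left out here.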
At this point I believe we should just aim at randomizing our fingerprint every few seconds by sending BS rather than aiming to all have the same one
I don’t get how that’s relevant to what I said. That’s still something else
Your last sentence?
Mullvad is one of the most popular VPNs with loads of other users wtf
Compared to other options like mainstream VPNs and Proton, they don’t have many servers, so not many users either
I’m not confident that’s a valid assumption
Check out IVPN, I find the service very similar but they also offer reverse split tunneling (choosing what programs go through the VPN).
Mullvad has that now. It usually works.
I can’t find the announcement and this issue is still open, can you share your source? https://github.com/mullvad/mullvadvpn-app/issues/2808
That’s not port forwarding though 🤔 but still a nice thing to have I guess
I use Keepass but mostly for convenience and I don’t understand why it’s in the 5th category. If I have 50 different accounts with 50 different passwords but they can all be had with one keepass password, how is that different than having 50 different accounts all using the same password?
I love this! May I share on my blog and with my newsletter subscribers at Punching Up Press? We’re probably in boxes #2 and #3, with a lot of readers starting off in box #1.
Cash and Monero being on the same tier is very funny
What’s the issue with steam? I thought the epic game store was the one actively spying on your device
Steam has telemetry. They gather a ton of data on you. What details, how they use it, and how secure it is I can’t answer, but it’s clear that it’s happening.
Does that happen only when you use Steam or is it gathering data at all times?
I don’t know. I’m sure it only transmits when active, but that doesn’t mean it’s not collecting data at all times. If you’re on Windows you can turn it off with a script, but it might turn back on after major updates.
I’m on Linux, actually. I installed Steam with great reluctance because everything else I’m running is privacy-friendly FOSS stuff but one of my best friends wanted to play something and there was no other way. As it always happens, we ended up never playing together and I just did stuff on my own, so I should probably just uninstall it at this point.
Thanks!
They also have so many security breaches that it won’t even make the news anymore.
Many of those are caused by people having insecure accounts without enabling 2FA etc. And there is a lot of money involved; even the top TF2 accounts are worth tens of thousands of euros.
I am now paranoid about someone getting in and deleting my gibus
It collects and stores information about your system and also has your identity tied to your purchases.
I don’t think it’s a big privacy concern as far as tracking and spying on you.
But realize any device you install steam on then is tied to your real identity if you purchased games on that account. And can be used with data gained from other parties to determine your online activity if a government were to be able to obtain both.
I could also imagine DRM, though not directly privacy related, being a thing. Like the issues of freedom and openness are probably also important to many people who value privacy and might therefore prefer GOG or something over Steam.
Edit: I see someone else mentioned this already: https://lemmy.world/comment/16903223
Until recently, your steam activity and games played are public and your relationship with other steam users can be traced even if you have a private profile.
Good to know, thanks
I guess I’m in the privacy enthusiast section. Although I do use SearXNG. And I will admit I do use some things from the top layer, like YouTube and Steam. Also I don’t like how Proton is a section above Tuta; aside from quantum-safe encryption, which is meaningless at the current state of technology (I agree that could change soon), Proton Mail is just as good as Tuta.
I use everything from the privacy enthusiast section on a daily basis except for addy.io and Tuta, since I use Proton for email and email aliasing.
Maybe I am wrong, but I think proton doesn’t encrypt headers and some metadata, Tuta encrypts everything or almost everything. Also, proton mail is not available in F-Droid
Personally, I don’t like Proton, it doesn’t follow the separation of powers principle: what happens if Proton suddenly changes their policy? That is why truly free and open software tends to be decentralized, for example Mastodon vs Bluesky. The only way I can really trust you is if you can’t “betray” me, even if you really want to.
Tuta is located in Germany, which has more power to look into your data than the Swiss government, but it’s meh.
Also what separation of power do you mean? Proton is also owned by a non profit and Tuta is just a Gmbh which is owned by two individuals it seems. Changing something regarding the non profit or the structure is pretty hard to do
Tuta is however more open with that you can find their annual report or at least part of it if you want.
Sorry, I took for granted that you had to buy a pack with VPN, cloud storage, etc. That would have meant that you would have to change a lot of services again in case the Proton company let you down. I still think that Tuta is a little more private for the reasons I mentioned.
You might be right I searched it up and found that protonmail doesn’t encrypt header lines which isn’t great. The f-droid point is also valid. But unfortunately there is no decentralised email providers, even tuta is still centralised. I would be interested if there are any options for decentralised mail.
On another note regardless of whether I’m using proton or tuta it’s hardly ever end to end encrypted since everyone I’m sending the mail to uses Gmail.
I just switched from Android to iOS, and while I have many complaints, I’m pleasantly surprised by how “walled off” the apps mostly are. Unlike Android, they have to comply to function for the general public.
It feels a lot more like tier two, where it isn’t like a spyware implant but your banking app or whatever will still function. And yes I know it’s far from good, just talking degrees here…
I just switched from iOS to deGoogled Android (e/OS set up by Murena) and, as discussed with a friend yesterday, the biggest trade-off is arguably security, namely that iOS and AOSP are relatively secure (even though far from perfect) and applications both have permissions to explicitly request and are also containerized (e.g. limited file system access) … yet you do not need a security flaw to exist if your data is being exfiltrated periodically by the OS or apps. So arguably, depending on your threat model (e.g. voluntarily offering your data vs spam/scam vs private malicious actors like NSO vs state-level espionage) and your needs (banking apps vs Web equivalent), one can be more appropriate than the other.
I agree that Apple, while not entirely private, is still a decent choice compared to Android. They both have their flaws though.
Even before I cared about privacy, I think Apple would’ve been unacceptable to me due to how tightly locked down it is. Like… I’d have to go through hoops and pay some money for a cert (not much if you know where to look, but still) to get something as basic as an adless Youtube client.
I have no clue why Telegram is often mentioned when it comes to “privacy focused messaging”. They don’t even have e2e encrypted group chats. Only 1:1 chats may be encrypted as an opt-in. Even WhatsApp is more secure than that, since they use Signal’s encryption.
Also the “we don’t give out even a byte of data to anyone” statements made by Telegram have been thoroughly debunked as lies. When Telegram’s bottom line is in danger, they have and will give out your data.
Just curious, does Telegram keep a log of our messages? I’m guessing right now MITM attacks don’t work since TLS exists, but Telegram can still read the messages because they’re not e2e?
Yea, telegram being advertised as a privacy messenger is a joke. If people want to have group chats like in discord and don’t care about privacy, whatever. But to try and flaunt how privacy focused you are while using your own home-brewed encryption is a joke. Not to mention the fact you have to turn it on for every chat you want end to end encrypted.
The whole thing about not giving out data is really only accomplished by spreading user data across several countries. So you would have to get a search warrant from every country to get the data, relying on some countries not wanting to cooperate with other countries. That is not real security. Real security would be encrypting it so you literally couldn’t give them the data, even if they had a search warrant. Ya know, like signal.
WhatsApp claim to use this. They do not show their code nor did they do any kind of audit. Therefore we have to assume that there is no encryption.
or that some part of the encryption, like key handling is flawed. also, considering they have an RCE vulnerability every year, I wouldn’t be surprised if the encryption keys could just be stolen remotely.
we also don’t know if facebook has implemented some kind of analytics for message content, sent files and media.
well that section has a few not so effective services, like authy, and imo brave and adblock, to depict what people believe at that point. and telegram probably gets to be there because it’s not the usual big tech companies, and it seems fine, even if unencrypted.
Only 1:1 chats may be encrypted as an opt-in.
and only on the phone app
well that section has a few not so effective services, like authy, and imo brave and adblock, to depict what people believe at that point.
Yes, this is the exact reason Telegram was put there. I even see Telegram recommended alongside Signal, despite the privacy risks.