Lots of this reads as just hyper-paranoia and just flat out ignorance.
systemd is pretty much an attempt at a takeover of Linux (archive) by big corporations
I think this is the farthest reach on “systemd bad” I’ve ever seen. I’m not an expert, but I don’t think Facebook, Amazon, Google, Microsoft, or Apple are pushing hard to get systemd in literally every damn distro out there. Maybe people just use systemd because it’s useful? Maybe modern software requirements are much more complicated than the unix philosophy allows, and having some standards makes developing higher-level software that much easier?
However they are dependent on the evil giants Google and Mozilla
Okay since when was Mozilla, of all companies, an “evil giant”?
Don’t venture out without this [VPNs]!
No, you really should. A VPN does nothing except move your attack vector. Sure, my ISP probably won’t be able to spy on my traffic, but anyone between my VPN provider (including them!) and the server still can. What has this solved, exactly?
And you’re telling me that Mozilla is a big bad, but some random small business that specializes in being a middle-man for all my internet traffic is a-okay?
To be fair, the “systemd is corporate” is one thing I heard early on in the discussion, and one of the things that made me very systemd-wary. There are basically just two main argument-types against systemd: this is one, and the other one is the design/unix philosophy point, which I don’t think the author would want to agree with, seeing his other posts.
Now let’s be clear here - this addon [LibreJS] has nothing whatsoever to do with privacy, functionality, convenience, or anything benefiting the user. It only serves to satisfy a particular brand of autism called freetardism.
*sigh* So much problematic packed into one sentence; I’m curious whether the concept of “freetardism”, or the use of “autism” as an insult, would get more lobsters up in arms. This post also makes a point of referring to companies as “Evil”. It’s obvious enough that the writer is intentionally using charged language, so I would like to downvote the OP as troll for it.
I additionally take issue with this mindset:
By using them, you are also relying on someone else to provide you with the lists, instead of taking your web browsing into your own hands.
Besides the obvious fact that this is false (you can write custom blocklists in most ad blockers, including uBlock Origin), it’s also ineffective for a fairly obvious reason: custom blocklists are a terrific way to fingerprint someone’s browser. You are making yourself easier to track when you use non-standard blocklists, and you’re putting in a lot more work to do it. That’s why Tor Browser doesn’t include an ad blocker.
Probably the best way to protect your privacy, assuming that Apple isn’t blatantly lying about what their software does, is to use Mobile Safari on a fairly-recent iPhone, constantly be clearing your cookies, don’t install any third-party apps, and don’t take the iPhone out of your house (don’t want it to track your location, after all, while the location where you live is already known to Apple and your LTE provider for billing and warranty purposes). Since iPhones are super-popular, basically identical to each other, and don’t make any active effort to tie themselves in with Google’s tracking system, they’re really hard to fingerprint.
I’d put Tor Browser in a distant second. If it’s a niche website, you might be the only visitor who uses it, which itself is a fingerprintable fact, though obviously it’s hard to figure out if you’re actually an individual or not.
I looked through his page before posting the link, and while I didn’t like articles such as “Refuting Freetardism”, I think the page as a collection of links and references had a greater value than the particular opinions the author holds on these issues. Other than that, the language he uses seems like pretty standard /g/-speak, for whatever that’s worth.
Yeah, but on the other hand, this guy’s recommendations are probably a bad idea. Online anonymity is a statistical problem; what you want is to make it as hard as possible to sort online browsers into buckets. If I can recognize someone as that one guy browsing Lobsters using Pale Moon on a computer with a hidpi display, then you’ve failed. By this logic, clearing your cookies is a good idea because we need as many people to have identical sets of cookies as possible, and none makes a convenient Schelling point. Similarly, blocking tracking scripts is mostly a performance optimization, not a privacy enhancement, though you can minimize the induced harm by trying to make sure people block the same set of tracking scripts, either by having some fixed rule about third-party scripts or a shared “artificial Schelling point” like EasyList. Also, webmasters and ad companies are not perfectly-colluding Rational Actors with no motives other than tracking you, so blocking these scripts can help with your anonymity by depriving the adtech companies of a way to track you sans cooperation from the content provider. But since websites are already known to do work to detect ad blockers, and will in some cases allow ad providers to proxy their site, custom blocklists are at best a mixed bag, and if you want to pick from a mixed bag, you might as well pick the one that doesn’t require tons of work on your part.
p.s. This also means that privacy is not opposed to ease-of-use. Ease of use is required for privacy, in order to ensure that your configuration doesn’t reveal your technical expertise.
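To put numbers on the “sort browsers into buckets” argument in the comment above, here is an added Python example that is not from the thread or any commenter; the visitor population, attribute names and counts are constructed for illustration, not measured data.

```python
"""Anonymity sets for browser fingerprints, on a constructed visitor population.

Each record is the tuple a site might derive for one visitor:
(browser family, device pixel ratio, ad blocklist in use).
The counts below are made up for illustration, not measured data.
"""
from collections import Counter
from math import log2

BROWSER, DPR, BLOCKLIST = 0, 1, 2  # attribute positions in a fingerprint tuple

POPULATION = (
    [("Mobile Safari", 3, "none")] * 60      # one big, identical-looking crowd
    + [("Chrome", 1, "none")] * 25
    + [("Firefox", 1, "EasyList")] * 10      # shared "artificial Schelling point"
    + [("Firefox", 2, "EasyList")] * 3
    + [("Pale Moon", 2, "EasyList")] * 1     # rare browser: a bucket of one
    + [("Firefox", 1, "custom-list")] * 1    # hand-written blocklist: also alone
)


def anonymity_set(population, fingerprint, attrs=(BROWSER, DPR, BLOCKLIST)):
    """Visitors that look identical to `fingerprint` on the chosen attributes."""
    key = tuple(fingerprint[i] for i in attrs)
    return sum(1 for fp in population if tuple(fp[i] for i in attrs) == key)


def bits_revealed(population, fingerprint, attrs=(BROWSER, DPR, BLOCKLIST)):
    """Surprisal of a fingerprint: log2(N / bucket size). Higher = easier to single out."""
    return log2(len(population) / anonymity_set(population, fingerprint, attrs))


def attribute_entropy(population, attr):
    """Shannon entropy (bits) that one attribute alone leaks across the population."""
    n = len(population)
    counts = Counter(fp[attr] for fp in population)
    return -sum(c / n * log2(c / n) for c in counts.values())


def bucket_after_switch(population, fingerprint, new_blocklist):
    """Bucket size if one visitor with `fingerprint` adopts `new_blocklist`.

    The mover leaves its old bucket and joins the existing bucket for the new
    configuration (everyone else is unchanged), so the result counts the mover.
    """
    moved = fingerprint[:BLOCKLIST] + (new_blocklist,)
    return anonymity_set(population, moved) + 1


if __name__ == "__main__":
    for fp in sorted(set(POPULATION)):
        print(f"{fp!s:40} bucket={anonymity_set(POPULATION, fp):3d} "
              f"bits={bits_revealed(POPULATION, fp):.2f}")
    for name, attr in (("browser", BROWSER), ("dpr", DPR), ("blocklist", BLOCKLIST)):
        print(f"entropy of {name}: {attribute_entropy(POPULATION, attr):.2f} bits")
    lone = ("Firefox", 1, "custom-list")
    print("custom-list user switching to EasyList joins a bucket of",
          bucket_after_switch(POPULATION, lone, "EasyList"))
```

On this population the two lone configurations (Pale Moon, and the hand-written blocklist) each leak the full log2(100) bits while the Safari crowd leaks under one bit, and adopting the shared list moves the custom-list user into a bucket of eleven.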
sigh So much problematic packed into one sentence, I’m curious whether the concept of “freetardism”, or the use of “autism” as an insult, would get more lobsters up in arms. This post also makes a point of referring to companies as “Evil”. It’s obvious enough that the writer is intentionally using charged language, so I would like to downvote the OP as troll for it.
The definition of what language counts as charged is political, and characterizing the entire post as trolling for using word choices you don’t approve of is an attempt to use the formal structure of the troll downvote mechanism to suppress the entire post for not adhering to your speech code, which I disapprove of.
I’m pretty sure the BSDs enjoy a similar level of corporate contribution, FreeBSD especially, receiving mountains of code and cash from the likes of Netflix and Apple.
I’m pretty suspect of the actual improvements in privacy Pale Moon affords over a mainstream browser reconfigured to disable telemetry and ‘bonus features’, coupled with privacy extensions. Pale Moon is itself uncommon enough to be a fingerprint all of its own (not to mention that I’m not very confident in the resilience to tracking hijinks or exploitation of a Gecko fork maintained by an extremely low number of people; taming it with a large group of devs seems hard enough).
Stop recommending to stop recommending GPG. GPG is difficult and absolutely has its sharp edges, but it is also “standard”. I use it every single day in a corporate environment, for personal use, and in a ton of places in between. The article you link fundamentally misses one of the main reasons almost everyone uses GPG: encrypted email. I do a ton of vulnerability disclosures, and mailing security@COMPANY.WEBSITE with a GPG key and a vulnerability notification is the only consistent way to safely get my communications across. I’ve dealt with S/MIME, home-brewed crap, third-party web portals, and a ton of other things. GPG is the only usable thing in the space that I have, and I’ve never seen a successful migration away.
Stop recommending to stop recommending to stop recommending GPG.
For one thing, it’s not as simple as whether the tool is “a good thing” or not. If your goal is to use an existing email address with cryptography, there’s probably no better way to go about authenticating a message than what GPG does. If you really do need it, then obviously you should use it. If you’re able to employ it with enough success that getting error messages is actually a sign of intrusion, rather than being seen as a sign that you messed something up, then it’s doing its job.
The question, of course, is whether running cryptographically secure communications over existing email infrastructure, or something very much like it, is actually a requirement that most people have. It is for you, because you’re constantly sending unsolicited messages to people you have no preexisting connection with. So the value of using “standard” communication channels is greatly heightened, compared to people who mostly communicate with friends, family, and coworkers, and probably prefer using communication channels where both sides have to open a gateway to contact each other (look ma! no spam!). If you’re using a communication channel that requires such an explicit opt-in, then that opt-in stage is the perfect place to perform key exchange while you’re at it.
Also, a lot of use cases where PGP is currently employed would be better served with other tools. For example, if I was God King of Debian and had the chance to redesign their package management system, I’d probably build their package signing on top of libsodium instead. It’s actually intended to be embedded in other applications: it has a far better API, a far simpler design, and there’s really no point in using a “swiss army knife” CLI when it’s being invoked through Debian-developed wrapper tools approximately 100% of the time anyhow.
There is a difference between categorically saying “stop recommending GPG” versus “check to make sure GPG is what you need and that there isn’t an alternative”. I stand by my first negation: GPG has its place.
Whether you or I like it or not, the vast majority of the corporate world in the US (and outside) uses e-mail as its primary form of communication, and because of that I have to do things like deliver reports, exploit PoCs, breach notifications, etc. that are absolutely sensitive. If my only form of contact with those organizations is e-mail, then what exactly are my options? Because GPG is “standard” for all of those use cases. Any mature organization I work with has had at least one security point of contact with a GPG key that can be used for further confidential conversations. I’d love to get rid of email, but let me tell you, if you try to force your preferences onto another organization you are going to have a bad time.
I’m in total agreement about package management signatures being a not-so-great place for GPG, but that’s why I mention sharp edges. It’s not a swiss army knife, but I think much of that is as much the fault of apt/dpkg as it is GPG’s.
It’s one of only a few tools NSA said they couldn’t break. They were breaking many other things people are using. Using a subset of it to just encrypt and decrypt files containing messages is easy enough for even lay people. Can be scripted, too.
Given NSA > most other threat, using GPG will probably handle them, too. So, I prefer it for proven effectiveness. The attackers will probably get me via Firefox before it.
Using a subset of it to just encrypt and decrypt files containing messages is easy enough for even lay people
This is misleading; the gpg interface is notorious for ease of misuse.
Given NSA > most other threat
If this is your threat model, then it’s more about opsec than specific tools. Check out the grugq’s guide on operational GPG for email, for example; it’s quite tricky to get it right every time.
People have been repeating that for years instead of mitigating it. I wonder why, given how easy it is. You create a cheat sheet with just a few items on that one, add the good options for the key gen phase, and do something about the painful encrypt command. A shell script or something so they can type less stuff in. Then, you’re good.
“If this is your threat model”
My threat model is people breaking crypto. I also prefer vetted solutions. The NSA vetted this one in Snowden leaks. Most others they broke. If it causes them problems, it should work well against the lesser attackers most people are concerned with.
I did. Still, in today’s world where you can’t really trust any company with your data, and it’s only getting worse, I believe it’s better to be a bit paranoid than naive. Though I use Firefox on all my devices, it pains me that they are phoning home by default etc. It shouldn’t be like that.
Insults are not covered by free speech.
Does anybody have the heart to show this person the commit log of a recent Linux release? They might have to install a BSD afterwards…
Isn’t it the other way around? If something is unpopular it’s easier to fingerprint. Not harder.
That’s what I was trying to say, sorry if it wasn’t clear!
Stop recommending GPG.
What do you recommend in place of it?
Check this list out; it seems pretty good: https://blog.gtank.cc/modern-alternatives-to-pgp/
I hope saltpack gets more attention. It seems like the perfect drop-in replacement.
I don’t like that keybase seems to be the only thing developing/pushing it. Also:
Wow, a lot of stuff there I didn’t know about. Great site.
Please read the other comments. There’s lots of stuff but also lots of bad stuff.