Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.


much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
301
 
 

You may have heard about a lawsuit filed regarding a data breach concerning social security numbers. I encourage you to read at least the first few pages of the linked class action complaint to see how massive a violation of privacy this is.

The data breach concerns National Public Data, a company which offers background checks. They collect personally identifiable information (PII) as a part of their business. The defendant claims that NPD scraped PII from non-public sources (¶11). NPD then stored the data in an insecure manner and did not adequately protect this personal information (¶25). Consequently, a hacking group by the name of "USDoD" stole records of 2.9 billion individuals from NPD. According to the document, the data was independently reviewed by VX-underground, the cybersecurity company. They confirmed the breach included full names, address and address history, and social security numbers. They were also able to identify familial connections, both living and deceased (¶ 22-24).

Based on this class action complaint, NPD's conduct was grossly negligent, leading to potential identity theft for almost anyone in the United States. It was also a massive privacy violation by scraping data from non-public sources. Even after they took millions of Americans' personal information, they failed to secure the data from hackers.

Criminals can ruin your life if they target you with this information. They can open lines of credit without you knowing. You might only find out when creditors call you, demanding that you pay them back (¶60).

So, yeah. I am very concerned. I'll have to figure out how to defend against this identity theft. Overall, I'm new to the privacy community, but I'm feeling like "privacy" in the United States is an absolute mess. If your data wasn't somewhere on the dark web, it might be now. Protect your data. Stay safe.

302
303
 
 

Google's campaign against ad blockers across its services just got more aggressive. According to a report by PC World, the company has made some alterations to its extension support on Google Chrome.

Google Chrome recently changed its extension support from the Manifest V2 framework to the new Manifest V3 framework. The browser policy changes will impact one of the most popular adblockers (arguably), uBlock Origin.

The transition to the Manifest V3 framework means extensions like uBlock Origin can't use remotely hosted code. According to Google, it "presents security risks by allowing unreviewed code to be executed in extensions." The new policy changes will only allow an extension to execute JavaScript as part of its package.

Over 30 million Google Chrome users use uBlock Origin, but the tool will be automatically disabled soon via an update. Google will let users enable the feature via the settings for a limited period before it's completely scrapped. From this point, users will be forced to switch to another browser or choose another ad blocker.

Archive link

304
305
 
 

It is truly upsetting to see how few people use password managers. I have witnessed people who always use the same password (and even tell me what it is), people who try to log in to accounts but constantly can't remember which credentials they used, people who store all of their passwords on a text file on their desktop, people who use a password manager but store the master password on Discord, entire tech sectors in companies locked to LastPass, and so much more. One person even told me they were upset that websites wouldn't tell you password requirements after you create your account, and so they screenshot the requirements every time so they could remember which characters to add to their reused password.

Use a password manager. Whatever solution you think you can come up with is most likely not secure. Computers store a lot of temporary files in places you might not even know how to check, so don't just stick it in a text file. Use a properly made password manager, such as Bitwarden or KeePassXC. They're not going to steal your passwords. Store your master password in a safe place or use a passphrase that you can remember. Even using your browser's password storage is better than nothing. Don't reuse passwords, use long randomly generated ones.

It's free, it's convenient, it takes a few minutes to set up, and it's a massive boost in security. No needing to remember passwords. No needing to come up with new passwords. No manually typing passwords. I know I'm preaching to the choir, but if even one of you decides to use a password manager after this then it's an easy win.

Please, don't wait. If you aren't using a password manager right now, take a few minutes. You'll thank yourself later.

306
 
 

I am looking for an auto toggle feature for the swipe down menu. Sometimes I forget to turn off Bluetooth, location, or other toggles on the drop down menu. Is there such a way to have Bluetooth shut off after 15 mins of inactivity? Or say Mic, camera toggle off after X time of no use, location toggle, etc. Pixel 6 Pro.

307
26
submitted 1 year ago* (last edited 1 year ago) by cmgvd3lw@discuss.tchncs.de to c/privacy@lemmy.ml
 
 

I began using Invidious after all Piped instances refused to play videos lately. But what I read from their docs is that my IP might get exposed to Google servers while loading videos from Invidious. I use the Rethink DNS app, and in that I can see all the domains that are getting called by my browser.

I tested about five instances and none are calling the googlevideo domain as mentioned in the doc. Are they proxying my requests by default or am I missing something?

No, I don't have the option proxy video turned on. I use yewtu.be as my main Invidious instance.

308
 
 

A cookie notice that seeks permission to share your details with "848 of our partners" and "actively scan device details for identification".

309
310
 
 

Hi folks,

I'm seeing there are multiple services which externalise the task of "identity provider" (e.g. login with Facebook, google or what not).

In my case, I am curious about Tailscale, a VPN service which allows one to choose an identity provider/SSO between Google, Microsoft, GitHub, Apple and OIDC.

How can I find out what data it actually communicates to the identity provider? Their task should simply be to decide whether I am who I claim to be, nothing more. But I'm guessing there may be some subtleties.

In the case of Tailscale, would the identity provider know where I'm trying to connect? Or more?

Answers and insights much appreciated! The topic does not seem to have much information online.

311
 
 

Rather peeved about all of this. Been waiting for this game for ages and was excited about the F2P aspect, then found out a lot of elements of the game are locked behind paywalls, making the full game cost way over most AAA games. OK, let's roll on anyways and see what the game has to offer. Then I get to the privacy policy and realize they're using anti-cheat services to monitor your game. I continued reading the user agreement and then had to find their actual privacy policy page because they have it listed under a different URL than what they have posted. Some highlights from the user agreement:

You may not host, provide or develop matchmaking services for the Product, or intercept, emulate or redirect the communication protocols used by Frost Giant in any way, for any purpose, including without limitation unauthorized play over the internet, network play (except as expressly authorized by Frost Giant), or as part of content aggregation networks.

You may not organize, promote or participate in an esports competition for the Product which has not been licensed by Frost Giant.

You may not play on another user's Account

In order to safeguard its licensing rights, when you are using the Product, Frost Giant may monitor your hardware random access memory (RAM)

You understand that the mere presence of unauthorized cheat software on your device, whether or not you use that unauthorized software while playing the Game, may result in Frost Giant exercising its full rights under this Agreement.

Acknowledgments. You acknowledge that:

  • The Game which is the object of the Alpha or Beta Test is a work in progress and may contain bugs which may cause loss of data and/or damage to your computer system;
  • You have, or will, back-up your hard drive prior to installation of the Beta;
  • You have the resources necessary to easily reinstall the operating system for the computer system that you will use to take part in the Alpha or Beta Test as well as to restore any and all data that may be lost;

It just goes on and on with some really sketchy stuff, then I get to the privacy policy:

Your contact information/identifiers, such as your name, your gamer id, mailing address, email address, employer, primary language, country, social media credentials. preferred games and date of birth. If you contact us by telephone, we will also retain your telephone number.

Your geolocation data, if your device settings allow us to collect such information.

Your account preference information, such as your contact, communication and marketing preferences.

Your device and browsing information, including non-personally identifiable information about your phone, tablet, computer or device and online browsing activity, which may be automatically collected. This may include IP addresses, unique identifiers, cookie identifiers, browser language, device and browser settings and broad location-based information, and internet service provider information. It may also include information about when and how you accessed and used our Sites, how you navigated to our Sites (such as the date and time of your visit), the links you clicked, the websites you visited before and after our Sites, and what you searched for while on our Sites.

Analytics & Interest-Based Ads. We partner with third parties (like sponsors, content providers, and analytics companies) to help us improve our Services and better understand how you interact with them, as well as to support our marketing initiatives and ad campaigns. These companies may collect info from you automatically in connection with your visit.

And the really scary part

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

  • A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
  • A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
  • Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
  • Physical location or movements.

Third party service providers. - From time to time, Frost Giant may need to transmit your personal data to vendors or service providers that enable us to market, sell, or deliver our services. These service providers may require certain personal information in order to perform specific services on our behalf, such as cloud service and data storage, beta testing, tech support to enhance game operations, chat, customer support, social login, fulfillment and shipping, email and newsletter delivery, conducting surveys, payment processing, tournament operation, anti-cheat and fraud prevention, web hosting or web analytics. Such partners include:

Steam
Epic Online Services
RallyCry
Hathora
Brevo
Eventbrite
AWS
Sentry.io 
Google
Easy Anti-Cheat 
GGWP
Untapped
Kakao Games
ModSquad

I've stopped playing previous games that use these tactics and programs because there's just too many other games that don't require these that are available. This was a game I was hoping to get back into with some RTS friends I've made along the way. Is this just the way of the world or something to avoid?

312
 
 

I've not seen this before but it was strange.

An ad loaded at the end of a video, so I paused it. What caught my eye was the background was moving when I moved my phone, which turned out to be the room I was in. The ad was overlaid on whatever my camera was looking at, but the ad appeared stretched from a single point in the middle of the screen, which was even weirder.

Edit: The ad was using the rear camera, not the front facing one.

I've looked through my phone's settings and there are no options to toggle YouTube's camera access either, so I feel like it's safe to say this is being forced on users (surprise /s).

Needless to say, that app is no longer on any of my devices :)

313
 
 

So I've been in the rabbit hole of Android privacy for some time. Last, I joined the GrapheneOS community, but let's just say that they don't have a "healthy" opinion about other projects like F-Droid.

So I am looking for generic communities that focus on mobile privacy that don't have drama or toxicity or "extreme opinions". Any suggestions? I prefer chat based communities like Matrix or SimpleX instead of like Reddit or Lemmy.

314
315
 
 

For the last two weeks, every time I use Piped I am getting the error "Sign in to confirm you are not a bot". It happens on every instance and videos work very rarely. It seems like Google forces you to log in if you try to watch a lot of videos from one IP. I hope this will not be the end of Piped and there will be a solution for this problem.

Upd. I got a similar problem on Invidious recently

316
 
 

Do I need to wipe the private volume for the template VM? If so, how?

EDIT: I figured it out: it was because the template VM changes don't take effect until the template is shut down. Took me way too long to figure that out.

317
 
 

A lot of services support passkeys. Microsoft even has an option to make my account "passwordless". Since they are more secure than passwords, will you be switching some / most of your accounts to passkeys any time soon? Interested to hear everyone's thoughts on passkeys. 🔑

318
 
 

Did you know? Despite claiming to block all cross-site cookies out of the box, Firefox automatically allows Google to use them in your browser should you log in to one of their services.

The browser only lets you know about this once it happens, and it's on you to notice the permissions icon appearing in the URL bar. There is a link to a paragraph on a help page explaining this behaviour, but it seemingly goes unmentioned pretty much everywhere else on the internet.

This surprised me, especially considering Firefox's stance on privacy. I was even more surprised that this is done without consent. If this is for usability, Firefox should at least warn the user before this happens.

319
 
 

I highly recommend disabling JavaScript by default in your browser and then whitelisting the websites that you use frequently and need JavaScript to function.

The privacy benefit of this is that when you read articles online or visit new websites, most of the time it will not need JavaScript to function which will stop loading a lot of ads and tracking scripts.

The security benefit here is massive: first, if you visited a bad link that contains malware that is dependent on JavaScript, it would not work; secondly, if you visited a link for a service that you use and JavaScript did not work there, then you can see in real time that this is a fake page and not the real website you intended to visit.

Bonus tip: try to replace the unnecessary websites that can't work without JavaScript and you need by JavaScript free websites or open source apps.

Disclaimer: Stay cautious. This recommendation will improve your privacy and security, but it does not protect you from everything.

320
 
 

Yesterday I purchased a custom .eu domain, only to find out that EURid does not redact the owner's email address. Obviously I'm not comfortable with using an actual email address on a secondary domain.

Any opinions on using an alias as the domain owner's email address? Or should I simply switch to another TLD which does support full whois privacy?

Thanks for feedback.

321
322
 
 

It seems like Michael Bazzell's new book edition was released without much fanfare. I like the reorganization but have to say there isn't a lot that is "new" for me in the first half (computer, mobile device, firewall, virtual machines)--although, full disclosure, I already had all of the topic-specific supplements for these chapters, which were released over the last year. I am just getting to chapter 20 now and found the sections on mailing addresses and trust / estate management much improved. I really hope the podcast comes back. I am curious for the thoughts of others.

323
 
 

Hi,

anyone come across and used the Polycentric + Harbour option for managing digital ID? What do you think about it? Does it really manage IDs in a private and secure way? I came across FLUTO who seem to be great promoters of "software for the benefit of humanity" but you always wonder how much you can trust these third parties ... when they decide to sell your data?

324
 
 

https://content.govdelivery.com/accounts/USDODDC3/bulletins/2e03518

Molly has at rest encryption with a password

325
 
 

A little old but interesting nonetheless
