> “Create a different email address for every service you use,” wrote Matt McHenry. “Then you can tell which one has shared your info, and create filters to silence them if necessary.”
Obligatory mention - for gmail you can suffix your email address with a service name by using +, e.g., johndoe+adobe@gmail.com will be delivered to johndoe@gmail.com. So if a service leaks your data or sells your email, you’ll know who to blame.
Although the article recommends not to use gmail, it’s a neat trick if you’re stuck with it.
"Forget password" becomes unusable though, since you’ll probably forget what suffix you used for each service.
Oh companies have become smarter about it! Even the scammers I suspect! Many won’t accept + in the email address and I think now it’s well known enough that most scammers will run a regex to detect and remove the + sign.
Useful workaround is to have unique aliases on a domain name you control. Can’t get around that with a minute of work!
If you control your email, you can do slightly better with the ‘+’. Share addresses of the form ‘me+my-tag@’, strip on ‘-’ to deliver these to ‘me+my@’, and have ‘me@’ immediately block the sender.
fastmail supports a variation of this:
if my email is me@mydomain.com, then I can use service+me@mydomain.com, or better service@me.mydomain.com (or anything@me.mydomain.com). It seems like it'd be a little less obvious to scammers.
With fastmail you can just make a alias. My address is me@mydomain.com and in the settings you can make a alias where you can just use something like garbage@mydomain.com
Fastmail also lets you use wildcards and catchall addresses, giving you infinite email addresses whenever you need them, with no way to tell what “base address” they resolve to internally.
For example, my Twitter address might be twitter@mydomain.com, my Google address google@mydomain.com and so on. All of those go straight to my inbox unless I decide to set up individual filters for them.
The downside is that I can’t easily migrate to a service that doesn’t support this.
Shout-out to my new mail provider Migadu [0] whose model is “pay for the number of emails you send, not the number of mailboxes you have”. This opens up all sorts of interesting opportunities.
I have been using this system for about a year, and it works great. I generally use the pattern yourdomain.com@accounts.mydomain.net. However, I have found from time to time that I never get account signup/confirmation emails to these addresses. It seems like they're being silently rejected. Does anyone know if there's some kind of email validation service that might be filtering these?
I guess I could use a hash of the domain (eg asdffdsa@accounts.mydomain.net) to make my strategy less visible, but that feels like I'm probably overthinking it.
Not the same way. The dot would be filtered out, but the part after the dot won't get removed, so john.smith@gmail.com is equivalent to johnsmith@gmail.com.
> If you’re in that category, Ms. Winterton recommended Ghostery, a free plug-in for most web browsers that “blocks the trackers and lists them by category,” she wrote.
After Apple destroyed safari extensions and forced everyone to use declarative net requests, there are few options. I’m pretty sure Ghostery is now unable to perform the analytics or data collection from previous versions. KaBlock and others are worth trying. There are few options, so I’ve settled on Ghostery for safari on macOS
> We need to stop treating knowledge of public data like this as some sort of identity metric.
And one step further, such public data should not be used by corporations / governments to validate (or inform much, beyond "details") the identity of someone. It's just too unreliable and can't be verified.
Maybe PGP or similar, hashed from some source biometric data, to allow multiple 'IDs' over a lifetime but 100% verifiable.
> We need to stop treating knowledge of public data like this as some sort of identity metric.
I love how it's easier to steal my identity than to intercept my encrypted web traffic.
Society really could do with a cryptographically sane method of authentication - think an PKI-type verification but in replacement for '100 points of id' / Social Security Number / Tax File Number etc.
Surely the cost of implementation wouldn't outweigh the cost of identity theft and other types of fraud which can occur due to the current flawed system?
Maybe the costs are/would be paid for by different parties, but indirectly we all pay for them through insurance premiums and taxes which cover the (preventable) financial damage anyway.
> Apple’s privacy website reveals many examples: You don’t sign into Apple Maps or Safari (Apple’s web browser), so your searches and trips aren’t linked to you.
I think there are different categories of "tracks". One category is marketing tracks, which include cookies, browser profiling, tracking scripts, etc. This is the one most discussion on HN is aimed at and most people find personally offensive but aren't materially harmed by. The second is legal tracks, which is exposure to harm from legal authorities for activities such as piracy, political activism, and various types of forbidden speech under different legal/national regimes. The third type is personal tracks, which I categorize as the ability for private individuals or groups to connect your online presence to your real self. That is the one I'm most concerned with, as internet users seem almost entirely unconcerned about it but it has far more potential to harm you than Google knowing your sexual fetishes. Nobody cares that they're exposing their real name and face to millions of people and it only takes one lunatic who decides your activities or opinions are worth trying to ruin your life to cause you a world of hurt.
-Use a private cloud, so that your data is in your control.
We've actually developed a self-hosted private cloud solution as a substitute to Dropbox for exactly these reasons. Basically a private Dropbox at home (no complicated installation and no server needed)
The point is to have a product that works just like a Dropbox, as simple and straightforward, but that is actually private with no one interfering, playing, accessing or reading your data.
Somehow I don't understand how you say Syncthing's disadvantage in comparison is that it's a P2P system[1], but at the same time your website says duple doesn't need a server.
Maybe I've misunderstood, but this sounds just like Syncthing with an always-on client - except for the file versioning, that sounds like an interesting feature to me.
Syncthing does file versioning, although a bit noobishly. It just keeps n copies of the old file in a hidden folder with DATE_MODIFED appended to each copy.
I've been using SyncThing for over 4 years and while it has a few rough edges (synced/shared/global file ignore would be great) still it's been fully reliable and a generally great user experience. So if you're trying to cater to existing SyncThing users don't mince words to make it appear that something which you claim is a negative with SyncThing doesn't exist in your product - which it clearly does.
SyncThing has a huge advantage: years of trust. They have been around since 2013 and continue to crank out features and builds consistently. Duple hasn't been around for one year at the time of this writing. Beyond that it's clear from the Duple site that it's main goal is to take my data and file replication hostage via licensing fees. I'm curious how or why I'd donate before I've even installed the Beta (based on your click flow to even reach the downloads page)? No thanks.
Also, let's clarify something Duple has wrong...
Duple states: "Syncthing is P2P, so you get the disadvantages along with it e.g. all your devices need to be turned on at the same time. If not, you get a desynchronisation between your devices and create conflict." - This is wrong. You do not need all your devices on at the same time with SyncThing. Yes, it is true that it's good to have a device with a consistent state, however it's not required. The second part of the statement is FUD. When conflicts happen it's generally around odd permissions or file updates with regard to versioning. This was more problematic in versions prior to 1.0. At this point in time I haven't run into this issue other than because of disparate problems caused by file permissions which SyncThing does a great job preserving.
Duple also states SyncThing has no IOS support and yet, itself, has neither IOS or Android. Or Windows... Or an open source repo of what I'm supposedly using.
In my mind Duple doesn't compete with SyncThing and, really, never will. But here's the thing... Don't pretend to compete where you don't. SyncThing users aren't looking for Duple. You'd do yourself a better service to take that verbiage out because all it did for me was give me the impression that Duple is lying about competitors that they simply didn't take the time to understand. That leaves a bad impression in my mind.
I'm sure what they mean by all devices needing to be on and connected, is that if only one device is connected, there will be nothing to sync to. So if I take some photos while on vacation, but my desktop at home is asleep, then I can't sync my photos to it. So if I lose my phone before then, I'm sunk.
Of course this is fixed by simply having the desktop on all the time, which would then make it similar to a client server setup.
Well, they don't say that so it doesn't really matter what they mean. And they imply that by not having a device on all the time it is the cause for synchronization issues which is completely incorrect.
If I take photos on vacation and throw them in a sync'd folder the next time both devices are online they will resolve the new file delta between that shared folder. That doesn't imply I always need one or the other device online. The more devices syncing the less likely it is that only one would be online at a time, but again there's no requirement there for an always on device.
Anyway... SyncThing is fantastic for users who are willing to invest some time learning how the software works. Every paid for product seems to cater to the "it just works" mentality thereby sacrificing control to me, the user, to handle situations that can't be handled by overly simplified, cloud-first, lock the user into our licensing model solutions. And don't get me wrong, those are fine for many people. For users who want more control via more responsibility - then SyncThing is great. But I don't like how they are spreading FUD about it just to get some name association.
I know this is a late reply,but maybe you'll see it.
Regarding the synced/shared/global file ignore, there's an imperfect but usable work-around:
You can use #include statements in your .stignore, so you can include another file that contains the global ignore list, then sync that file. You have to set up the .stignore with the include statement for all of your devices/folders, but after that, it's essentially a global ignore list.
this is not a technical position managing security. most tech writers at major news institutions are likely not tested with technical interviews - they are writers with domain knowledge, and there is nothing inherently wrong with that.
I was able to read the article by opening it on a browser I rarely use. But even then, an email ask isn't "tracking", and you can always use a throwaway account if you want. As the article itself suggests, use a different email for each service you sign up for.
The NYT is a content website in a sea of content websites. Getting you on their email list is valuable in the way that getting you to install their app is valuable; they can send you notifications and a few free articles that can maybe upsell you into a subscription.
They have no choice but to do this because we still think text and pictures on the internet should be free. We've come around to paying for music and videos, but it still seems too much of a hurdle for traditional news outlets.
What about fingerprinting? Fingerprinting allows to track browser even in private mode or if you anonymize your IP address. You should disable WebGL right now because it is absolutely unnecessary, almost never used and its only purpose is to collect information about your video card.
Google is just one of 100+ ad networks that show you personalized ads. You can turn off ads personalization from Google or any of the other participating ad networks here at http://optout.aboutads.info/
As others have said, there's a huge difference between "not showing you personalized ads" and "not tracking you".
But I really wanted to opine about the optout.aboutads.info link. I suppose that using that can't hurt, but I didn't find it to be particularly helpful. I gave up on it entirely quite a while back.
> Nearby patrons, using their phones or laptops, can easily see everything you’re sending or receiving — email and website contents, for example — using free “sniffer” programs.
Is the author assuming the absence of https encryption here, or is there some widely available exploit I don't know about?
Install uMatrix and block all 3rd party JavaScript. It breaks functionality in some sites that embed social networks' widgets, but other than that works like a charm. As a bonus sites load at least 30% faster.
Exactly my experience, going on 3 to 4 years now. Spend the time to learn uMatrix. It's an incredible investment into yourself and your web experience. I barely browse on mobile anymore since I don't have uMatrix, although Brave does allow blocking scripts and some stuff quite easily. Highly recommend Brave on mobile.
I use uMatrix lazy style - if go to page and it works without changes I use it - if it breaks but I need to use it allow all - if it breaks but I don't care that much close the tab.
Unreadable . Does it mention E2E? It's way past time for tech to get serious about E2E , ignoring warnings and pleas from greedy governments. People have a right to communicate without being constantly surveilled, and it's the most serious track they leave.
The omission of "Disable third party cookies" is fairly shocking. From my understanding, it might be the single most effective thing you can reduce tracking. Whenever I get the chance, I recommend the following pieces of Internet hygiene to anyone and everyone I can:
* Disable 3rd party cookies
* uBlock Origin
* Privacy Badger
* HTTPS Everywhere
These things are all dead simple and will significantly reduce your trackability. Of course they are far from comprehensive or perfect, but it's the Internet equivalent of washing your hands after you go to the bathroom.
Won’t disabling third-party cookies render certain payment gateways unusable? While such advice may be very welcome among savvy computer users who know when they should temporarily turn third-party cookies back on, the NYT is unlikely to give advice that will break online shopping for large numbers of people.
I've had 3p cookies disabled for years and never experienced an issue with payments. But, it may be that I don't pay for things as often as others. My recommendations will slightly break some things like embedded Twitter posts but it's rare that I experience a site being functionally impacted in ways I care about.
I don't think I've ever run into an issue with a payment gateway. The one major site I've had issues with has been playstation.com. Sony seems to use a bunch of different domains for managing its various PSN websites, and I've never found the right set of rules in uMatrix without also enabling third-party cookies.
you're limited to what Apple has allowed you to have. Search app store for content blockers. This "story" [1] by Apple contains most popular, and I've used Ka-Block! and Ghostery Lite. I would go with either or both.
107 comments
[ 4.5 ms ] story [ 147 ms ] threadThey missed that one off.
> “Create a different email address for every service you use,” wrote Matt McHenry. “Then you can tell which one has shared your info, and create filters to silence them if necessary.”
Obligatory mention - for gmail you can suffix your email address with a service name by using +, e.g., johndoe+adobe@gmail.com will be delivered to johndoe@gmail.com. So if a service leaks your data or sells your email, you’ll know who to blame.
Although the article recommends not to use gmail, it’s a neat trick if you’re stuck with it.
"Forget password" becomes unusable though, since you’ll probably forget what suffix you used for each service.
Useful workaround is to have unique aliases on a domain name you control. Can’t get around that with a minute of work!
https://i.imgur.com/UWoU4NA.png
For example, my Twitter address might be twitter@mydomain.com, my Google address google@mydomain.com and so on. All of those go straight to my inbox unless I decide to set up individual filters for them.
The downside is that I can’t easily migrate to a service that doesn’t support this.
Not affiliated, just a happy customer.
[0]: https://www.migadu.com/en/index.html
I guess I could use a hash of the domain (eg asdffdsa@accounts.mydomain.net) to make my strategy less visible, but that feels like I'm probably overthinking it.
You can put that in a safe wallet. OneDrive provides that now
I’m not sure I can recommend Ghostery, as their business model is a bit suspicious: https://en.wikipedia.org/wiki/Ghostery#Criticism
> Using websites whose addresses begin with https are also safe; they, too, encrypt their data before it’s sent to your browser (and vice versa).
Safe from your public Wi-Fi operator. Not from the company with a tracking script on the page.
> You don’t sign into Apple Maps or Safari (Apple’s web browser)
You sign into the OS, though.
> You never want to tell Facebook where you were born and your date of birth. That’s 98 percent of someone stealing your identity!
I can literally Google this information. We need to stop treating knowledge of public data like this as some sort of identity metric.
For websites I like, I turn off uBlock Origin but leave Privacy Badger enabled.
So far to me that's been pretty good to the point I stopped using Privacy Badger (which I agree is pretty good too!).
You should stop printing nonsense
And one step further, such public data should not be used by corporations / governments to validate (or inform much, beyond "details") the identity of someone. It's just too unreliable and can't be verified.
Maybe PGP or similar, hashed from some source biometric data, to allow multiple 'IDs' over a lifetime but 100% verifiable.
I love how it's easier to steal my identity than to intercept my encrypted web traffic.
Society really could do with a cryptographically sane method of authentication - think an PKI-type verification but in replacement for '100 points of id' / Social Security Number / Tax File Number etc.
Surely the cost of implementation wouldn't outweigh the cost of identity theft and other types of fraud which can occur due to the current flawed system?
Maybe the costs are/would be paid for by different parties, but indirectly we all pay for them through insurance premiums and taxes which cover the (preventable) financial damage anyway.
Not linked... in a way visible to you.
We've actually developed a self-hosted private cloud solution as a substitute to Dropbox for exactly these reasons. Basically a private Dropbox at home (no complicated installation and no server needed)
We're currently in beta, could interest a few in this thread! https://www.duple.io/en/
The point is to have a product that works just like a Dropbox, as simple and straightforward, but that is actually private with no one interfering, playing, accessing or reading your data.
Good luck on your product. Seems promising. But I didn't like how your site loaded slowly (just a subjective feedback)
Maybe I've misunderstood, but this sounds just like Syncthing with an always-on client - except for the file versioning, that sounds like an interesting feature to me.
[1] https://blog.duple.io/what-is-the-point-of-duple/
I've been using SyncThing for over 4 years and while it has a few rough edges (synced/shared/global file ignore would be great) still it's been fully reliable and a generally great user experience. So if you're trying to cater to existing SyncThing users don't mince words to make it appear that something which you claim is a negative with SyncThing doesn't exist in your product - which it clearly does.
SyncThing has a huge advantage: years of trust. They have been around since 2013 and continue to crank out features and builds consistently. Duple hasn't been around for one year at the time of this writing. Beyond that it's clear from the Duple site that it's main goal is to take my data and file replication hostage via licensing fees. I'm curious how or why I'd donate before I've even installed the Beta (based on your click flow to even reach the downloads page)? No thanks.
Also, let's clarify something Duple has wrong...
Duple states: "Syncthing is P2P, so you get the disadvantages along with it e.g. all your devices need to be turned on at the same time. If not, you get a desynchronisation between your devices and create conflict." - This is wrong. You do not need all your devices on at the same time with SyncThing. Yes, it is true that it's good to have a device with a consistent state, however it's not required. The second part of the statement is FUD. When conflicts happen it's generally around odd permissions or file updates with regard to versioning. This was more problematic in versions prior to 1.0. At this point in time I haven't run into this issue other than because of disparate problems caused by file permissions which SyncThing does a great job preserving.
Duple also states SyncThing has no IOS support and yet, itself, has neither IOS or Android. Or Windows... Or an open source repo of what I'm supposedly using.
In my mind Duple doesn't compete with SyncThing and, really, never will. But here's the thing... Don't pretend to compete where you don't. SyncThing users aren't looking for Duple. You'd do yourself a better service to take that verbiage out because all it did for me was give me the impression that Duple is lying about competitors that they simply didn't take the time to understand. That leaves a bad impression in my mind.
Of course this is fixed by simply having the desktop on all the time, which would then make it similar to a client server setup.
If I take photos on vacation and throw them in a sync'd folder the next time both devices are online they will resolve the new file delta between that shared folder. That doesn't imply I always need one or the other device online. The more devices syncing the less likely it is that only one would be online at a time, but again there's no requirement there for an always on device.
Anyway... SyncThing is fantastic for users who are willing to invest some time learning how the software works. Every paid for product seems to cater to the "it just works" mentality thereby sacrificing control to me, the user, to handle situations that can't be handled by overly simplified, cloud-first, lock the user into our licensing model solutions. And don't get me wrong, those are fine for many people. For users who want more control via more responsibility - then SyncThing is great. But I don't like how they are spreading FUD about it just to get some name association.
Regarding the synced/shared/global file ignore, there's an imperfect but usable work-around:
You can use #include statements in your .stignore, so you can include another file that contains the global ignore list, then sync that file. You have to set up the .stignore with the include statement for all of your devices/folders, but after that, it's essentially a global ignore list.
Hope that helps.
Where is link to github with ALL code?
Edit: sorry, my bad, cloudflare 1.1.1.1 resolves it as 127.0.0.5. Someone ought to check that out...
Edit2: apparently this is a deep rabbit hole: https://community.cloudflare.com/t/archive-is-error-1001/182...
https://twitter.com/runasand/status/1186775481615605760?s=20
The NYT is a content website in a sea of content websites. Getting you on their email list is valuable in the way that getting you to install their app is valuable; they can send you notifications and a few free articles that can maybe upsell you into a subscription.
They have no choice but to do this because we still think text and pictures on the internet should be free. We've come around to paying for music and videos, but it still seems too much of a hurdle for traditional news outlets.
Google is just one of 100+ ad networks that show you personalized ads. You can turn off ads personalization from Google or any of the other participating ad networks here at http://optout.aboutads.info/
Source: https://adssettings.google.com
Evil corporation never lies to you
But I really wanted to opine about the optout.aboutads.info link. I suppose that using that can't hurt, but I didn't find it to be particularly helpful. I gave up on it entirely quite a while back.
Is the author assuming the absence of https encryption here, or is there some widely available exploit I don't know about?
All "antiviruses" use it
And that is not even funny
* Disable 3rd party cookies
* uBlock Origin
* Privacy Badger
* HTTPS Everywhere
These things are all dead simple and will significantly reduce your trackability. Of course they are far from comprehensive or perfect, but it's the Internet equivalent of washing your hands after you go to the bathroom.
[1] https://apps.apple.com/us/story/id1377753262
* declare you are from EU even if you are not
then any provider is damned scared of messing with your privacy