107 comments

[ 4.5 ms ] story [ 147 ms ] thread
"Don't read paywalled articles."

They missed that one off.

Step 1 - do not create a free account or logging to read The Times
> A few more suggestions:

> “Create a different email address for every service you use,” wrote Matt McHenry. “Then you can tell which one has shared your info, and create filters to silence them if necessary.”

Obligatory mention - for gmail you can suffix your email address with a service name by using +, e.g., johndoe+adobe@gmail.com will be delivered to johndoe@gmail.com. So if a service leaks your data or sells your email, you’ll know who to blame.

Although the article recommends not to use gmail, it’s a neat trick if you’re stuck with it.

"Forget password" becomes unusable though, since you’ll probably forget what suffix you used for each service.

Outlook.com supports this as well, and so does Fastmail.
Oh companies have become smarter about it! Even the scammers I suspect! Many won’t accept + in the email address and I think now it’s well known enough that most scammers will run a regex to detect and remove the + sign.

Useful workaround is to have unique aliases on a domain name you control. Can’t get around that with a minute of work!

If you control your email, you can do slightly better with the ‘+’. Share addresses of the form ‘me+my-tag@’, strip on ‘-’ to deliver these to ‘me+my@’, and have ‘me@’ immediately block the sender.
If you control your own email, why not just have company@ ?
fastmail supports a variation of this: if my email is me@mydomain.com, then I can use service+me@mydomain.com, or better service@me.mydomain.com (or anything@me.mydomain.com). It seems like it'd be a little less obvious to scammers.
With fastmail you can just make a alias. My address is me@mydomain.com and in the settings you can make a alias where you can just use something like garbage@mydomain.com

https://i.imgur.com/UWoU4NA.png

Fastmail also lets you use wildcards and catchall addresses, giving you infinite email addresses whenever you need them, with no way to tell what “base address” they resolve to internally.

For example, my Twitter address might be twitter@mydomain.com, my Google address google@mydomain.com and so on. All of those go straight to my inbox unless I decide to set up individual filters for them.

The downside is that I can’t easily migrate to a service that doesn’t support this.

Shout-out to my new mail provider Migadu [0] whose model is “pay for the number of emails you send, not the number of mailboxes you have”. This opens up all sorts of interesting opportunities.

Not affiliated, just a happy customer.

[0]: https://www.migadu.com/en/index.html

I have been using this system for about a year, and it works great. I generally use the pattern yourdomain.com@accounts.mydomain.net. However, I have found from time to time that I never get account signup/confirmation emails to these addresses. It seems like they're being silently rejected. Does anyone know if there's some kind of email validation service that might be filtering these?

I guess I could use a hash of the domain (eg asdffdsa@accounts.mydomain.net) to make my strategy less visible, but that feels like I'm probably overthinking it.

I use <random>@mydomain.com. My password manager remembers which I used.
Yes, it’s a great feature! They also have many non-fastmail.com domains available on the basic plan.
"." works the same way.
Not the same way. The dot would be filtered out, but the part after the dot won't get removed, so john.smith@gmail.com is equivalent to johnsmith@gmail.com.
Ah, you're right of course. I was too quick to reply. Sorry.
Well, another problem is that if you reuse email addresses, then a social engineering attacker has an easy starting place across all services.
Or set up a mail server and add as many aliases as you with, one for each service.
>since you’ll probably forget what suffix you used for each service

You can put that in a safe wallet. OneDrive provides that now

> If you’re in that category, Ms. Winterton recommended Ghostery, a free plug-in for most web browsers that “blocks the trackers and lists them by category,” she wrote.

I’m not sure I can recommend Ghostery, as their business model is a bit suspicious: https://en.wikipedia.org/wiki/Ghostery#Criticism

> Using websites whose addresses begin with https are also safe; they, too, encrypt their data before it’s sent to your browser (and vice versa).

Safe from your public Wi-Fi operator. Not from the company with a tracking script on the page.

> You don’t sign into Apple Maps or Safari (Apple’s web browser)

You sign into the OS, though.

> You never want to tell Facebook where you were born and your date of birth. That’s 98 percent of someone stealing your identity!

I can literally Google this information. We need to stop treating knowledge of public data like this as some sort of identity metric.

I would suggest Privacy Badger nowadays (as a complement to the irreplaceable uBlock origin).
Add to that Cookie Autodelete and uMatrix
Does Privacy Badger do something that uBlock Origin does not?
Instead of having built in lists, it dynamically tries to track the trackers and block domains/cookies it thinks are trying to track you.
Been wondering this for a while even though I have both installed
Not really. uBo devs recommend having only one blocker in place to reduce chances of issues/breakage occurring.
They have different purposes. Privacy Badger is not there to block all ads; it exists to block trackers.

For websites I like, I turn off uBlock Origin but leave Privacy Badger enabled.

Have you been able to compare that with latest Firefox's native tracker blocker?

So far to me that's been pretty good to the point I stopped using Privacy Badger (which I agree is pretty good too!).

Consider using Privacy Possum instead of Privacy Badger. It's a bit more thorough.
Anyone can got your phone number from fb, which fb "use" for 2fa

You should stop printing nonsense

After Apple destroyed safari extensions and forced everyone to use declarative net requests, there are few options. I’m pretty sure Ghostery is now unable to perform the analytics or data collection from previous versions. KaBlock and others are worth trying. There are few options, so I’ve settled on Ghostery for safari on macOS
> We need to stop treating knowledge of public data like this as some sort of identity metric.

And one step further, such public data should not be used by corporations / governments to validate (or inform much, beyond "details") the identity of someone. It's just too unreliable and can't be verified.

Maybe PGP or similar, hashed from some source biometric data, to allow multiple 'IDs' over a lifetime but 100% verifiable.

> We need to stop treating knowledge of public data like this as some sort of identity metric.

I love how it's easier to steal my identity than to intercept my encrypted web traffic.

Society really could do with a cryptographically sane method of authentication - think an PKI-type verification but in replacement for '100 points of id' / Social Security Number / Tax File Number etc.

Surely the cost of implementation wouldn't outweigh the cost of identity theft and other types of fraud which can occur due to the current flawed system?

Maybe the costs are/would be paid for by different parties, but indirectly we all pay for them through insurance premiums and taxes which cover the (preventable) financial damage anyway.

Nothing new go away paywall
> Apple’s privacy website reveals many examples: You don’t sign into Apple Maps or Safari (Apple’s web browser), so your searches and trips aren’t linked to you.

Not linked... in a way visible to you.

I think there are different categories of "tracks". One category is marketing tracks, which include cookies, browser profiling, tracking scripts, etc. This is the one most discussion on HN is aimed at and most people find personally offensive but aren't materially harmed by. The second is legal tracks, which is exposure to harm from legal authorities for activities such as piracy, political activism, and various types of forbidden speech under different legal/national regimes. The third type is personal tracks, which I categorize as the ability for private individuals or groups to connect your online presence to your real self. That is the one I'm most concerned with, as internet users seem almost entirely unconcerned about it but it has far more potential to harm you than Google knowing your sexual fetishes. Nobody cares that they're exposing their real name and face to millions of people and it only takes one lunatic who decides your activities or opinions are worth trying to ruin your life to cause you a world of hurt.
-Use a private cloud, so that your data is in your control.

We've actually developed a self-hosted private cloud solution as a substitute to Dropbox for exactly these reasons. Basically a private Dropbox at home (no complicated installation and no server needed)

We're currently in beta, could interest a few in this thread! https://www.duple.io/en/

The point is to have a product that works just like a Dropbox, as simple and straightforward, but that is actually private with no one interfering, playing, accessing or reading your data.

You know, ipfs helps a lot with this. If I can pay for someone to mirror whatever I host on my ipfs and tie it to some account it would be neat.

Good luck on your product. Seems promising. But I didn't like how your site loaded slowly (just a subjective feedback)

Somehow I don't understand how you say Syncthing's disadvantage in comparison is that it's a P2P system[1], but at the same time your website says duple doesn't need a server.

Maybe I've misunderstood, but this sounds just like Syncthing with an always-on client - except for the file versioning, that sounds like an interesting feature to me.

[1] https://blog.duple.io/what-is-the-point-of-duple/

Syncthing does file versioning, although a bit noobishly. It just keeps n copies of the old file in a hidden folder with DATE_MODIFED appended to each copy.
Agreed.

I've been using SyncThing for over 4 years and while it has a few rough edges (synced/shared/global file ignore would be great) still it's been fully reliable and a generally great user experience. So if you're trying to cater to existing SyncThing users don't mince words to make it appear that something which you claim is a negative with SyncThing doesn't exist in your product - which it clearly does.

SyncThing has a huge advantage: years of trust. They have been around since 2013 and continue to crank out features and builds consistently. Duple hasn't been around for one year at the time of this writing. Beyond that it's clear from the Duple site that it's main goal is to take my data and file replication hostage via licensing fees. I'm curious how or why I'd donate before I've even installed the Beta (based on your click flow to even reach the downloads page)? No thanks.

Also, let's clarify something Duple has wrong...

Duple states: "Syncthing is P2P, so you get the disadvantages along with it e.g. all your devices need to be turned on at the same time. If not, you get a desynchronisation between your devices and create conflict." - This is wrong. You do not need all your devices on at the same time with SyncThing. Yes, it is true that it's good to have a device with a consistent state, however it's not required. The second part of the statement is FUD. When conflicts happen it's generally around odd permissions or file updates with regard to versioning. This was more problematic in versions prior to 1.0. At this point in time I haven't run into this issue other than because of disparate problems caused by file permissions which SyncThing does a great job preserving.

Duple also states SyncThing has no IOS support and yet, itself, has neither IOS or Android. Or Windows... Or an open source repo of what I'm supposedly using.

In my mind Duple doesn't compete with SyncThing and, really, never will. But here's the thing... Don't pretend to compete where you don't. SyncThing users aren't looking for Duple. You'd do yourself a better service to take that verbiage out because all it did for me was give me the impression that Duple is lying about competitors that they simply didn't take the time to understand. That leaves a bad impression in my mind.

I'm sure what they mean by all devices needing to be on and connected, is that if only one device is connected, there will be nothing to sync to. So if I take some photos while on vacation, but my desktop at home is asleep, then I can't sync my photos to it. So if I lose my phone before then, I'm sunk.

Of course this is fixed by simply having the desktop on all the time, which would then make it similar to a client server setup.

Well, they don't say that so it doesn't really matter what they mean. And they imply that by not having a device on all the time it is the cause for synchronization issues which is completely incorrect.

If I take photos on vacation and throw them in a sync'd folder the next time both devices are online they will resolve the new file delta between that shared folder. That doesn't imply I always need one or the other device online. The more devices syncing the less likely it is that only one would be online at a time, but again there's no requirement there for an always on device.

Anyway... SyncThing is fantastic for users who are willing to invest some time learning how the software works. Every paid for product seems to cater to the "it just works" mentality thereby sacrificing control to me, the user, to handle situations that can't be handled by overly simplified, cloud-first, lock the user into our licensing model solutions. And don't get me wrong, those are fine for many people. For users who want more control via more responsibility - then SyncThing is great. But I don't like how they are spreading FUD about it just to get some name association.

I know this is a late reply,but maybe you'll see it.

Regarding the synced/shared/global file ignore, there's an imperfect but usable work-around:

You can use #include statements in your .stignore, so you can include another file that contains the global ignore list, then sync that file. You have to set up the .stignore with the include statement for all of your devices/folders, but after that, it's essentially a global ignore list.

Hope that helps.

How implemented E2E encryption?

Where is link to github with ALL code?

Is this the level of technical competency needed to work at the New York Times? How much do they pay?
if you look up some info on this writer, I think you'll find competency was not considered
Hey now, there's no need to attack the author like this.
this is not a technical position managing security. most tech writers at major news institutions are likely not tested with technical interviews - they are writers with domain knowledge, and there is nothing inherently wrong with that.
"Safari’s “don’t track me” features are turned on as the factory setting."
I'm not sure where you're going with that comment.
Oh the irony. Reading this article requires me to give away my e-mail address...
Or click the "Reader Mode" in Firefox? (YMMV).
Yes, if you do it fast enough, before the paywall loads.
I was able to read the article by opening it on a browser I rarely use. But even then, an email ask isn't "tracking", and you can always use a throwaway account if you want. As the article itself suggests, use a different email for each service you sign up for.

The NYT is a content website in a sea of content websites. Getting you on their email list is valuable in the way that getting you to install their app is valuable; they can send you notifications and a few free articles that can maybe upsell you into a subscription.

They have no choice but to do this because we still think text and pictures on the internet should be free. We've come around to paying for music and videos, but it still seems too much of a hurdle for traditional news outlets.

What about fingerprinting? Fingerprinting allows to track browser even in private mode or if you anonymize your IP address. You should disable WebGL right now because it is absolutely unnecessary, almost never used and its only purpose is to collect information about your video card.
> Avoid unnecessary web tracking

Google is just one of 100+ ad networks that show you personalized ads. You can turn off ads personalization from Google or any of the other participating ad networks here at http://optout.aboutads.info/

Source: https://adssettings.google.com

Just because they no longer show you personalised ads doesn't mean they have stopped tracking you...
In fact I’d argue it means they have to track you. And telling them your preference gives them another data point on you.
Yeah

Evil corporation never lies to you

As others have said, there's a huge difference between "not showing you personalized ads" and "not tracking you".

But I really wanted to opine about the optout.aboutads.info link. I suppose that using that can't hurt, but I didn't find it to be particularly helpful. I gave up on it entirely quite a while back.

The New York Times: a former newspaper.
In the long run, they're all former newspapers, aren't they?
I had to clear my NY Times cookies to read the article. The irony.
(comment deleted)
> Nearby patrons, using their phones or laptops, can easily see everything you’re sending or receiving — email and website contents, for example — using free “sniffer” programs.

Is the author assuming the absence of https encryption here, or is there some widely available exploit I don't know about?

mitm for weak https exists

All "antiviruses" use it

Install uMatrix and block all 3rd party JavaScript. It breaks functionality in some sites that embed social networks' widgets, but other than that works like a charm. As a bonus sites load at least 30% faster.
This is bare minimum
Exactly my experience, going on 3 to 4 years now. Spend the time to learn uMatrix. It's an incredible investment into yourself and your web experience. I barely browse on mobile anymore since I don't have uMatrix, although Brave does allow blocking scripts and some stuff quite easily. Highly recommend Brave on mobile.
I have Firefox and uMatrix on mobile. It is not a s seamless as desktop but bearable.
Nice, thanks for the tip! I'll have to give it a try
I use uMatrix lazy style - if go to page and it works without changes I use it - if it breaks but I need to use it allow all - if it breaks but I don't care that much close the tab.
You can do that in uBlock Origin too.
That what looks like when someone gives advises when know nothing about industry and tech

And that is not even funny

We should rename hacker news to the New York Times reader.
Unreadable . Does it mention E2E? It's way past time for tech to get serious about E2E , ignoring warnings and pleas from greedy governments. People have a right to communicate without being constantly surveilled, and it's the most serious track they leave.
The omission of "Disable third party cookies" is fairly shocking. From my understanding, it might be the single most effective thing you can reduce tracking. Whenever I get the chance, I recommend the following pieces of Internet hygiene to anyone and everyone I can:

* Disable 3rd party cookies

* uBlock Origin

* Privacy Badger

* HTTPS Everywhere

These things are all dead simple and will significantly reduce your trackability. Of course they are far from comprehensive or perfect, but it's the Internet equivalent of washing your hands after you go to the bathroom.

Won’t disabling third-party cookies render certain payment gateways unusable? While such advice may be very welcome among savvy computer users who know when they should temporarily turn third-party cookies back on, the NYT is unlikely to give advice that will break online shopping for large numbers of people.
I've had 3p cookies disabled for years and never experienced an issue with payments. But, it may be that I don't pay for things as often as others. My recommendations will slightly break some things like embedded Twitter posts but it's rare that I experience a site being functionally impacted in ways I care about.
I don't think I've ever run into an issue with a payment gateway. The one major site I've had issues with has been playstation.com. Sony seems to use a bunch of different domains for managing its various PSN websites, and I've never found the right set of rules in uMatrix without also enabling third-party cookies.
With the latest macOS it is no longer possible to install uBlock Origin in Safari. Do you have a different recommendation that works with Catalina?
you're limited to what Apple has allowed you to have. Search app store for content blockers. This "story" [1] by Apple contains most popular, and I've used Ka-Block! and Ghostery Lite. I would go with either or both.

[1] https://apps.apple.com/us/story/id1377753262

they forgot the best tip nowadays which is:

* declare you are from EU even if you are not

then any provider is damned scared of messing with your privacy