Privacy Checkup 2021

Status
Not open for further replies.
Kinda glad I got @'ed for this because I have indeed been slacking on my privacy stuff. Maybe I got cocky 'cause my dumbass thinks I'll be fine always and only accessing the Farms in Private Mode (retarded as hell, I know), but I really should be taking steps to secure myself more. I may live in 'Merica, but it's been utter Clown Land for a while and shows no sign of stopping.

Also, how hard or demanding would it be to set up your own VPN? (Wireguard, OpenVPN, Strong Swan, etc.)
 
Your Email
You should use a permanent email not tied to your real ID.

Only admins can view your email address. However, we have had a security breach in the past which leaked the email addresses of active users.

...

They are not disposable / temporary email addresses. We do not allow those because they are used by spammers and abusive accounts suicide bombing the forum. Any legitimate users with a disposable email will eventually forget their password and be permanently locked out, so it's seriously against our interests to allow it.
Why not hash them?

Store KDF(email || salt) and salt in DB. To do password reset:
- user inputs username and email
- server gets salt for username, computes hash = KDF(email || salt)
- if hash matches hash on file, send email
- if it doesn't match, do nothing
- "If that was your email address, we've sent you a password reset. If you didn't get anything, try another one."

You could use username as salt.

If you get hacked, it would still be possible to get the emails, but it'd take a lot of cracking effort and be far from 100% effective.

(If you're really worried, it's also possible to use a hardware pepper, but that's almost schizo-tier paranoia)
 
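The reset flow proposed in the post above, written out as an added example; this is not code from the thread or the forum's software. It stores only KDF(email || salt) per user, answers every reset request with the same message, and then runs the offline guess that someone holding a copy of the table can still make (the "far from 100% effective" caveat), plus the pepper variant the post mentions, modelled here as an HMAC key kept outside the database. The usernames, addresses, candidate list and scrypt parameters are all assumptions made for the demo.

```python
"""
Added example, not code from the thread: password reset against a table that
holds KDF(email || salt) instead of the address, the offline attack that is
still possible with a copied table, and a pepper kept outside the database.
Usernames, emails and the candidate list below are constructed test data.
"""
import hashlib
import hmac
import secrets

# scrypt work factor: ~16 MiB and tens of ms per call; raise n for production.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
_DUMMY_SALT = bytes(16)  # used for unknown usernames so timing does not reveal them
RESET_MSG = ("If that was your email address, we've sent you a password reset. "
             "If you didn't get anything, try another one.")


def kdf(email: str, salt: bytes, pepper: bytes = b"") -> bytes:
    """KDF(email || salt). The address is trimmed and lower-cased first so the
    same mailbox always yields the same hash. With a pepper, the address is
    first keyed through HMAC; because the key is not in the database, a copied
    table alone cannot be cracked offline."""
    addr = email.strip().lower().encode("utf-8")
    if pepper:
        addr = hmac.new(pepper, addr, hashlib.sha256).digest()
    return hashlib.scrypt(addr, salt=salt, **SCRYPT)


def register(db: dict, username: str, email: str, pepper: bytes = b"") -> None:
    """Write only (salt, hash); the plaintext address never reaches the DB.
    A random salt is used here; the post notes the username would do too, as
    long as it is unique and the hash is recomputed if it ever changes."""
    salt = secrets.token_bytes(16)
    db[username] = {"salt": salt, "hash": kdf(email, salt, pepper)}


def request_reset(db: dict, username: str, email: str, pepper: bytes = b""):
    """Return (message, address_to_mail). The message is identical whether or
    not the pair matched; address_to_mail is None on a miss so the caller sends
    nothing and the response leaks nothing about the stored value."""
    rec = db.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    stored = rec["hash"] if rec else bytes(SCRYPT["dklen"])
    if hmac.compare_digest(kdf(email, salt, pepper), stored):
        return RESET_MSG, email.strip().lower()
    return RESET_MSG, None


def offline_attack(stolen: dict, candidates, pepper: bytes = b"") -> dict:
    """What an attacker holding a copy of the table can do: try each candidate
    address (say, from another site's breach dump) against every user's salt.
    Cost is users x candidates KDF calls, and only addresses already in the
    candidate list are ever recovered."""
    recovered = {}
    for username, rec in stolen.items():
        for cand in candidates:
            if hmac.compare_digest(kdf(cand, rec["salt"], pepper), rec["hash"]):
                recovered[username] = cand
                break
    return recovered


def demo() -> dict:
    """Run the flow end to end and return the observable results."""
    db = {}
    register(db, "lolyne", "Lolyne@Example.net")   # constructed test data
    register(db, "tim", "tim@example.org")

    _, hit = request_reset(db, "lolyne", "lolyne@example.net")
    msg_miss, miss = request_reset(db, "lolyne", "wrong@example.com")
    _, unknown = request_reset(db, "nobody", "lolyne@example.net")

    # Attacker has the table plus a list of addresses seen elsewhere; tim's
    # address is not on that list and so is not recovered.
    dump = ["alice@example.com", "lolyne@example.net"]
    cracked = offline_attack(db, dump)

    # Same attack against a peppered table: the attacker copied the DB but not
    # the key, so every guess is keyed wrongly and nothing matches.
    pepper = secrets.token_bytes(32)
    db_peppered = {}
    register(db_peppered, "lolyne", "lolyne@example.net", pepper)
    cracked_peppered = offline_attack(db_peppered, dump)  # no pepper available

    return {
        "reset_to": hit,
        "miss_message_same": msg_miss == RESET_MSG,
        "miss": miss,
        "unknown_user": unknown,
        "cracked": cracked,
        "cracked_peppered": cracked_peppered,
    }


if __name__ == "__main__":
    print(demo())
```

The per-user salt is what makes the attack cost scale with the number of users rather than with one precomputed table, but it does nothing against a short list of likely addresses: anyone who already has your address from another breach can confirm it in one KDF call per user. Only the pepper turns "a lot of cracking effort" into "not possible from the database alone", which is why it is the step that matters if the threat is a copied table rather than a fully rooted server.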
Also, how hard or demanding would it be to set up your own VPN? (Wireguard, OpenVPN, Strong Swan, etc.)
Not that hard, but you'll need a server to host it on, and the VPN will uniquely identify you ("oh hey, that's the digitalocean IP lolyne always uses"). A big VPN provider will rotate your IP addresses among other users.
 
I still feel safer uploading a KeePass database to a cloud like Dropbox rather than using a cloud based password manager, since I know the file is actually encrypted and useless without the password, while I cannot be fully sure of that in case of services like Bitwarden or LastPass.
Bitwarden also has an open-source Docker application which allows users to run their own server to store passwords on.
This is great if you want to avoid being the victim of a data leak.
 
This is great if you want to avoid being the victim of a data leak.
These applications use your password as an encryption key, so even if shit gets hacked they only get encrypted payloads.

Why not hash them?

Store KDF(email || salt) and salt in DB. To do password reset:
- user inputs username and email
- server gets salt for username, computes hash = KDF(email || salt)
- if hash matches hash on file, send email
- if it doesn't match, do nothing
- "If that was your email address, we've sent you a password reset. If you didn't get anything, try another one."

You could use username as salt.

If you get hacked, it would still be possible to get the emails, but it'd take a lot of cracking effort and be far from 100% effective.

(If you're really worried, it's also possible to use a hardware pepper, but that's almost schizo-tier paranoia)
We've never had a database leak. The email leak came from using Redis-stored hashes to log in to every recently active account and download their account information page, which includes the email address. This is security through obscurity.
 
We've never had a database leak. The email leak came from using Redis-stored hashes to log in to every recently active account and download their account information page, which includes the email address. This is security through obscurity.
No. The accounts would not be able to see their email address either, even if logged in. The server simply wouldn't store that information, just as there's no way to see your password even if you're logged in.
 
No. The accounts would not be able to see their email address either, even if logged in. The server simply wouldn't store that information, just as there's no way to see your password even if you're logged in.
I mean you might as well just suggest not showing people their own email addresses. That'd solve the problem with a single template change and without a hashing system that'd amount to nothing if the system got rooted. Gimmicks like that wouldn't matter if the database was being copied.
 
If you want to increase security, wouldn't holding onto IPs for a shorter amount of time help? I've heard it's held up to 6 months, that seems like awhile particularly considering that 2 factor authentication (which everybody really should be using) only lasts for a month.
 
If you want to increase security, wouldn't holding onto IPs for a shorter amount of time help? I've heard it's held up to 6 months, that seems like awhile particularly considering that 2 factor authentication (which everybody really should be using) only lasts for a month.
7 days currently. Changes based on current threat.

I accidentally logged in without my VPN one time. Do I go make another account now?
(Also hive mind opinions on Mullvad?)
no.
 
I mean you might as well just suggest not showing people their own email addresses. That'd solve the problem with a single template change and without a hashing system that'd amount to nothing if the system got rooted. Gimmicks like that wouldn't matter if the database was being copied.
The hashing system would help you if the database got rooted. The database would not contain any email addresses, just as it doesn't contain any unsalted passwords.
 
I was always a bit confused that Firefox is still on privacytools.io, but nowadays other places are saying it uses your data or isn't safe? Not sure what I should believe. Tried getting Brave, and that thing runs as slow as molasses for some reason.
 
Not that hard, but you'll need a server to host it on, and the VPN will uniquely identify you ("oh hey, that's the digitalocean IP lolyne always uses"). A big VPN provider will rotate your IP addresses among other users.
Ahh, I see now. I'm kind of a cheap fuck and thought this would be better than the monthly subscriptions to VPNs but I guess privacy costs something, no matter what.

Or I can just go with Tor for browsing KF and all that. Dunno which option is better at this point 'cause they both have their ups and downs.
 