OTI OPSEC

Sicklick

kiwifarms.net
Joined
Jun 25, 2020
I need an expert opinion on this. I keep seeing these "privacy" tutorials on YouTube, but what I find so ironic about them is that if you were truly concerned about privacy, chances are you wouldn't have an account on YouTube. Any sane person would've already jumped ship back in 2008 the moment after Google bought it and ruined it. But what if you want to watch an age restricted video or watch a video without giving it views or avoid giving them money through ad revenue? Either Hooktube or uBlock Origin / AdNauseam (for the last one, that is). Since YouTube has changed a lot of shit in their embedding code, Hooktube doesn't work that well anymore, but I have heard that some people have improvised their own versions; for a while it was like the archive.is of YouTube.

Another thing is: avoid Google products like a bag of dirty needles. They are nothing but trouble and in essence are all backdoors to your privacy and data. Including smartphones. Android is compromised by default through Google voice. Unless you're jailbroken and running a custom ROM, you're pretty much fucked. And even then, the higher acclaimed ones (like GrapheneOS / LineageOS) only work for certain models of Android phones; they won't work for just any. Avoid Samsung also, especially their later models that are US releases, because they have KG / RMM state enabled on them that will in essence make it impossible to root your phone in the first place without bricking it. Same with Huawei. iPhones have decent security, but shit privacy, so it's one trade-off for another. And they're (((closed source))), making them even more suspect. Really, the only ideal smartphone I can think of would be a Linux-based one, but the only problem is, Linux phone technology is still in its infancy and hasn't hit the general market yet (and probably never will), and the phones that are out there currently that are Linux-based and have all kinds of privacy features (like the PinePhone and the Librem 5) aren't that superior in terms of general usability. But other than that, use a PC; smartphones are generally trash anyways.

As for mail, avoid Gmail at all costs. Self-host your email, do not put your trust in some third party for handling your private conversations (especially nothing that revolves around a cloud server), just host your own.

Also, avoid social media. Do not put your real name out there, never use the same username in other places, et cetera. Also, use unique, sophisticated passwords for each website you visit. See xkpasswd, Bitwarden, KeePassXC or masterpassword.app. And as for your IP address, do not use NordVPN. It is insecure trash (and it gets hacked all the time). Use Cryptostorm or a VPS. As for your web browser, avoid Chrome at all costs. Even Brave is trash from what I know. Use Firefox (with all of the commonly recommended privacy plug-ins of course, like Privacy Badger, Cookie AutoDelete, Multi-Account Containers, NoScript and so on). And also, trying to remain anonymous and use OPSEC will never be complete if you're still using Windows or Mac. Use Linux, and in particular Qubes, Arch or Manjaro (which I would highly recommend over the other two, since it is so simple that literally anybody can use it and, unlike Arch, isn't a pain in the ass to install). Hardware should be either something like System76 / Purism or a good ol' fashioned Lenovo ThinkPad to scrub the firmware using Coreboot / Libreboot.

Anything I'm missing?
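The OP points at xkpasswd-style passphrases. As an added example (not the poster's code, not xkpasswd's), here is the core of such a generator in Python: words drawn with a CSPRNG (`secrets`, never `random`) and an entropy estimate that assumes the attacker already knows the wordlist, word count and layout, so only the random choices count. The wordlist and separator set are constructed for the demo; the numbers it prints show why a 25-word list is useless and a 7776-word list (the size of the EFF long list) is not.

```python
"""Generate xkpasswd-style passphrases with a CSPRNG and estimate their entropy.

Assumption (Kerckhoffs): the attacker knows the wordlist, the word count and
the layout; only the random choices contribute entropy.
"""
import math
import secrets
import string

# Constructed, deliberately tiny wordlist so the example runs offline.
# A real generator needs thousands of words; passphrase_entropy_bits() shows why.
DEMO_WORDLIST = (
    "anvil", "bishop", "cobalt", "donkey", "ember", "falcon", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "marble", "nickel",
    "orchid", "pepper", "quartz", "radish", "saddle", "timber", "umpire",
    "velvet", "walnut", "yonder", "zipper",
)
SEPARATORS = "-_.+!"   # one of these is picked at random per passphrase


def passphrase_entropy_bits(num_words, wordlist_size, num_digits=0,
                            num_separators=1):
    """Entropy in bits of a passphrase laid out like generate_passphrase().

    Words are drawn with replacement, so each adds log2(wordlist_size) bits,
    each digit log2(10), and the separator choice log2(num_separators).
    """
    if num_words < 1 or wordlist_size < 2:
        raise ValueError("need at least one word drawn from at least two")
    bits = num_words * math.log2(wordlist_size)
    bits += num_digits * math.log2(10)
    if num_separators > 1:
        bits += math.log2(num_separators)
    return bits


def generate_passphrase(num_words=4, num_digits=2, wordlist=DEMO_WORDLIST,
                        separators=SEPARATORS):
    """Return e.g. 'cobalt-falcon-marble-radish-47'."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words make the entropy estimate too high")
    sep = secrets.choice(separators)
    # secrets.choice draws with replacement: repeats are allowed, which is
    # exactly what the entropy formula above assumes.
    parts = [secrets.choice(wordlist) for _ in range(num_words)]
    if num_digits:
        parts.append("".join(secrets.choice(string.digits)
                             for _ in range(num_digits)))
    return sep.join(parts)


def check_passphrase(phrase, num_words=4, num_digits=2, wordlist=DEMO_WORDLIST,
                     separators=SEPARATORS):
    """True if phrase has the layout generate_passphrase() produces."""
    sep = next((c for c in phrase if c in separators), None)
    if sep is None:
        return num_words == 1 and num_digits == 0 and phrase in wordlist
    parts = phrase.split(sep)
    words, digits = parts[:num_words], parts[num_words:]
    if len(words) != num_words or any(w not in wordlist for w in words):
        return False
    if num_digits == 0:
        return digits == []
    return len(digits) == 1 and len(digits[0]) == num_digits and digits[0].isdigit()


if __name__ == "__main__":
    print(generate_passphrase())
    for size in (len(DEMO_WORDLIST), 7776):
        bits = passphrase_entropy_bits(4, size, 2, len(SEPARATORS))
        print(f"{size:>5}-word list, 4 words + 2 digits: {bits:.1f} bits")
```

Four words from a 7776-word list plus two digits and a random separator come to about 60 bits, which is fine for anything behind a password manager and a rate limiter; the same layout over the 25-word demo list is under 30 bits, so the list size, not the word count, is what you tune.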
 
What's OTI? What's the point of this thread?
Your OP is kinda hard to follow for me.

if you were truly concerned about privacy, chances are you wouldn't have an account on YouTube.
Most privacy channels will acknowledge the irony but justify it as the target audience is almost certainly on YouTube to begin with. I'm not aware of any privacy-oriented channels that don't also use Odysee and/or PeerTube. I'm sure some exist.

what if you want to watch an age restricted video or watch a video without giving it views or avoid giving them money through ad revenue?
yt-dlp or invidious should do the trick. I use yt-dlp for that.

Unless you're jailbroken and running a custom ROM, you're pretty much fucked. And even then, the higher acclaimed ones (like GrapheneOS / LineageOS) only works for certain models of Android phones,
Buy one of the supported phones. Ironically Pixels are great for this and supported by all the privacy-oriented ROMs to my knowledge. If you won't do that then that's on you.
That said, there are steps you can take to improve privacy otherwise that are worth doing as you progress into improving your own privacy.

Really, the only ideal smartphone I can think of would be a Linux-based one, but the only problem is, Linux phone technology is still in its infancy and hasn't hit the general market yet
2022 is the year of the Linux phone!

Self-host your email
This can backfire. There is literally nothing indicating you can't trust Protonmail or Tutanota. They cannot see your emails. Anyone can see the email metadata, which is a basic requirement of the protocol.
Managing your own email server does come with risks and is certainly not for everyone. One middle-ground thing to do is use a custom domain for email forwarding to mask your actual email and use a trusted provider.

avoid social media.
As much as possible. I personally go so far as to block most social media domains outright on my home network. It goes without saying I don't invite many people over but if I did it regularly enough they'd be on a guest VLAN anyway and I'd probably still block it out of autism.

not put your real name out there
Situational, but generally yes. Your name gets out there from other records that can be skimmed and that are unavoidable for many, e.g. leases and utility bills.

never use the same username in other places
Most usernames now are emails so hit/miss imo. Definitely don't use the same password anywhere whether you're a privacy nut or not.

and as for your IP address, do not use NordVPN. It is insecure trash (and it gets hacked all the time). Use Cryptostorm or VPS.
Not aware of NordVPN being hacked all that often but yeah it's not a great option for privacy. Using a VPS wouldn't really be very private but can be used situationally with good effect. There are highly regarded privacy-respecting VPN services to use and blending in with their traffic is beneficial. Right now it seems Mullvad is the most respected and I got nothing bad to say about them.
Not familiar with Cryptostorm so no comment.

Use Firefox (with all of the commonly recommended privacy plug-ins of course, like Privacy Badger, Cookie Autodelete, Multi-Account Containers, No Script and so on).
Another double edged sword due to browser fingerprinting. I personally stick with Firefox, uBlock, and noscript. Technically noscript is redundant as uBlock can do the same but I am just so used to that combination at this point.

Hardened Firefox is still one of the most private and secure browser options, unfortunately. Annoying though as Firefox messes with settings so you have to double check each update.

use Linux, and in particular Qubes, Arch or Manjaro
Agreed, though Qubes is for the enthusiasts in my opinion. I don't see a need for an arch-based distro, I know for a fact Mint and Debian respect your opt out and don't do shady one-offs before you get the chance to opt out. Haven't personally tested others but in general even the least privacy-respecting Linux distro will inherently be more privacy-respecting than Windows and Mac.

Hardware should be either something like System76 / Purism or a good ole' fashion Lenovo ThinkPad to scrub the firmware using Coreboot / Libreboot.
From a strict privacy angle, I don't see how this is relevant. I'm not aware of common firmwares on consumer devices phoning home by default but could be wrong. You could very easily block it, if so.
 
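The reply above notes that Firefox "messes with settings so you have to double check each update". As an added example (my code, not the poster's), here is a small Python checker that parses the `user_pref("name", value);` lines of a hardened `user.js` and of the profile's `prefs.js` and lists every hardened pref that is missing or set differently. The pref names are real Firefox prefs, but the two files below are constructed samples, and the handful of prefs is illustrative, not a complete hardening set.

```python
"""Diff a Firefox profile's prefs.js against the hardened prefs in user.js.

Firefox rewrites prefs.js itself; user.js is re-applied at startup. After an
update a pref may be renamed, reset or silently overridden, so compare them.
"""
import json
import re

# Matches   user_pref("name", value);   and   pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def parse_prefs(text):
    """Return {pref_name: value} from user.js / prefs.js text.

    Values are JS literals (true/false, integers, "strings"); json.loads
    handles all three. Anything else is kept as raw text.
    """
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, junk
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)
        except json.JSONDecodeError:
            prefs[name] = raw
    return prefs


def find_drift(desired, actual):
    """List (name, wanted, found) for every desired pref that is absent from
    actual or set to a different value/type. found is None when absent.
    The type check stops Python treating 1 and True as the same pref value."""
    drift = []
    for name, wanted in desired.items():
        if name not in actual:
            drift.append((name, wanted, None))
            continue
        found = actual[name]
        if found != wanted or type(found) is not type(wanted):
            drift.append((name, wanted, found))
    return drift


# Constructed sample user.js: real pref names, illustrative values only.
USER_JS = """
// hardened prefs (illustrative, not a full hardening set)
user_pref("privacy.resistFingerprinting", true);
user_pref("toolkit.telemetry.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("media.peerconnection.enabled", false);
user_pref("general.useragent.override", "Mozilla/5.0 (example)");
"""

# Constructed prefs.js as it might look after an update: telemetry back on,
# the WebRTC pref gone, cookie behaviour changed, plus unrelated noise.
PREFS_JS = """
user_pref("privacy.resistFingerprinting", true);
user_pref("toolkit.telemetry.enabled", true);
user_pref("network.cookie.cookieBehavior", 4);
user_pref("general.useragent.override", "Mozilla/5.0 (example)");
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
"""


def report(desired_text=USER_JS, actual_text=PREFS_JS):
    """Print and return the drift between two pref files."""
    drift = find_drift(parse_prefs(desired_text), parse_prefs(actual_text))
    for name, wanted, found in drift:
        state = "MISSING" if found is None else f"is {found!r}"
        print(f"{name}: want {wanted!r}, {state}")
    return drift


if __name__ == "__main__":
    report()   # replace the constants with open(path).read() for a real profile
```

Run it against the profile directory after each update (prefs.js is only rewritten on exit, so close Firefox first). A pref that keeps reverting is usually one that was renamed or locked upstream, and the drift list is where you find out.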
There is literally nothing indicating you can't trust Protonmail or Tutanota.
I don't know why you wrote this in bold letters, I would not put what I consider "trust" in them.

If I remember correctly there was a thread here on Protonmail's surveillance of users:
https://kiwifarms.net/threads/protonmail-rats-users-out-to-les-feds.99735/
The main article was about the disclosure of someone's IP when the authorities required it, but there seems to be more to it.

In any case, if you're not engaging in illegal activities when using the service it should be relatively fine, but one of the reasons I don't like or trust Protonmail is because they started to ask for phone numbers in order to create an account.

And I know that the "reason" is to verify that you're a human, I'd rather do 1 hour of Captcha solving than trusting the service with a phone number.
 
As for mail, avoid Gmail at all costs
A level-headed approach is to treat it like your government documents. Have one around for anything official, but use anything else when you don't absolutely need it. Really, if you need that level of privacy, don't use email. Its only use is to have a paper trail.

Also something I've been meaning to do but never get around to: get a burner phone for sites that require 2FA or whatever.
 
There is literally nothing indicating you can't trust Protonmail or Tutanota.
Nigger what?
[image: Protonmail.png]
[image: Tutanota.png]

if you wanna use these as throw-aways, be my guest, but to use these as normal emails is NOT a good idea.
 
Sicklick said:
I keep seeing these "privacy" tutorials on YouTube, but what I find so ironic about them is that if you were truly concerned about privacy,
I think it's somewhat ironic to discuss privacy techniques on Youtube, but overall this is not hypocritical. Spreading the message on the most popular platforms helps it reach a wider audience and you can be private as a viewer with yt-dlp/age restriction bypass userscripts. One of the points of good OpSec is compartmentalization. An official, "clean" identity tied to your real life and a private, Internet-only identity (or identities).

For example, reading KF via VPN or proxy is good OpSec. Using them when authenticating to a government website is not; if anything it's a red flag. The government already knows who you are and has your IRL credentials, so barebacking their websites is perfectly fine. On the same note, you can keep social media and Gmail for basic networking and nothing else. People are going to assume you have them, whether it be for meeting prospective clients and connections or work in general. Keep them minimal and tidy, have a separate browser instance for anything related to official business, and your OpSec is maintained.
 
I don't know why you wrote this in bold letters, I would not put what I consider "trust" in them.

If I remember correctly there was a thread here on Protonmail's surveillance of users:
https://kiwifarms.net/threads/protonmail-rats-users-out-to-les-feds.99735/
The main article was about the disclosure of someone's IP when the authorities required it, but there seems to be more to it.

In any case, if you're not engaging in illegal activities when using the service it should be relatively fine, but one of the reasons I don't like or trust Protonmail is because they started to ask for phone numbers in order to create an account.

And I know that the "reason" is to verify that you're a human, I'd rather do 1 hour of Captcha solving than trusting the service with a phone number.
Nigger what?
[images: Protonmail.png, Tutanota.png]
if you wanna use these as throw-aways, be my guest, but to use these as normal emails is NOT a good idea.
There isn't an internet service in the world you can use that won't have its users' IPs accessible, or that can resist its national law enforcement making such a request. It's bullshit, but if you think your IP isn't known to any email provider then you need to review how email/the internet works. It is nonsense that Protonmail heavily implied they will never keep such logs, but the truth is when big daddy government makes a request like that, not complying can ruin a business. This is why Telegram has had to move a few times and is now headquartered in Dubai. Telegram is not secure anyway but has had to move to avoid government compliance.
People who say Protonmail is compromised are saying it without any evidence or they don't understand what "compromised" means. Same with Tor.

I don't care what people use, but hosting your own email is almost always worse than using something like Protonmail which is the most private mainstream provider. If those things are problematic, there is virtually no email provider you can trust and you should host your own or not use it. Email is inherently not private and not secure.

I've never had to provide my phone number to make an account and I have quite a few Proton accounts but if you're privacy-focused then an anonymous burner phone is a must anyway. There are online services for this as well such as MySudo.
 
Nigger what?
View attachment 2857242View attachment 2857244
if you wanna use these as throw-aways, be my guest, but to use these as normal emails is NOT a good idea.
This.
If your "private" email is not 100% tor-friendly, it's shit and run by CIAniggers.

Also, PGP integration/support from your email provider is just a gimmick, and it is more likely to compromise security than protect it. Encryption should always be handled client-side without any assistance from the email provider. If your email provider generates your private PGP keys for you; your email provider can give your private PGP keys to the feds later.

You can use PGP with any and all email services; just use a PGP client, and copy/paste the encrypted messages between your PGP client and your email client. This way all the encryption/decryption is handled client-side and your email provider has no part in it.

For desktop: GnuPG / GPA
For phone: OpenKeychain
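The workflow above, copy/pasting armored PGP blocks between a standalone client and the mail client, has one practical failure mode: a mail client or webmail editor that re-wraps lines or eats a character produces a block that no longer decrypts, and the error you get from the PGP client is rarely informative. OpenPGP ASCII armor (RFC 4880 section 6) ends with a CRC24 of the binary payload for exactly this reason. As an added example (my code, not GnuPG's or the poster's), the Python below implements that armor: `armor()` wraps a payload, `dearmor()` strips it and verifies the CRC, and `corrupt_first_body_char()` simulates a paste that changed one character. The payload is a constructed byte string standing in for an encrypted packet; the CRC is a transport check only, not integrity protection against an attacker, who would simply recompute it. That job belongs to the MDC/AEAD inside the encrypted packet.

```python
"""ASCII armor for copy/pasted OpenPGP messages (RFC 4880 section 6).

The trailing "=XXXX" line is a base64 CRC24 of the binary payload. It catches
a mangled paste (re-wrapped line, dropped character) before decryption is even
attempted. It is NOT integrity protection: an attacker recomputes it.
"""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
_B64_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz0123456789+/")


def crc24(data):
    """CRC-24 exactly as given in RFC 4880 section 6.1 (crc24(b'') == 0xB704CE)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, kind="PGP MESSAGE", width=64):
    """Wrap data in the BEGIN/END lines, 64-column base64 body and CRC line."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {kind}-----", ""]          # no armor headers
    lines += [b64[i:i + width] for i in range(0, len(b64), width)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    lines += [f"={crc_b64}", f"-----END {kind}-----", ""]
    return "\n".join(lines)


def dearmor(text):
    """Return (payload, crc_checked). Raises ValueError on damaged armor."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("missing armor header line")
    i = 1
    # Armor headers ("Version: ...", "Comment: ...") end at a blank line.
    while i < len(lines) and lines[i]:
        if ":" not in lines[i]:
            break                   # tolerate armor with no blank line
        i += 1
    else:
        i += 1                      # skip the blank line
    body, crc_line = [], None
    while i < len(lines) and not lines[i].startswith("-----END "):
        if lines[i].startswith("="):
            crc_line = lines[i][1:]
        elif lines[i]:
            body.append(lines[i])
        i += 1
    if i >= len(lines):
        raise ValueError("missing armor tail line: paste was cut short")
    try:
        payload = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if crc_line is None:
        return payload, False       # newer implementations may omit the CRC
    expected = int.from_bytes(base64.b64decode(crc_line, validate=True), "big")
    if crc24(payload) != expected:
        raise ValueError("CRC24 mismatch: armored text was damaged in transit")
    return payload, True


def paste_is_intact(text):
    """True if the armored text parses and its CRC (when present) matches."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def corrupt_first_body_char(text):
    """Simulate a paste error: flip one bit of the first base64 body character.
    A single-bit payload error is always caught by a CRC whose polynomial has
    an x^0 term, which 0x1864CFB does."""
    lines = text.splitlines()
    for n, ln in enumerate(lines):
        if n > 1 and ln and not ln.startswith(("=", "-----")):
            lines[n] = _B64_ALPHABET[_B64_ALPHABET.index(ln[0]) ^ 1] + ln[1:]
            break
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed payload standing in for an encrypted OpenPGP packet.
    good = armor(b"constructed payload, not a real OpenPGP packet")
    print(good)
    print("intact:", paste_is_intact(good))
    print("after one mangled character:",
          paste_is_intact(corrupt_first_body_char(good)))
```

The useful habit this buys you: before blaming keys or the other party's client, run the pasted block through a CRC check (`gpg --dearmor` does the same thing) and you know whether the mail path damaged it. A block that passes the CRC but still fails to decrypt is a key or packet problem, not a transport one.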
 