Recent comments in /f/Privacy

Reply to comment by zddy in Tor Browser and Orbot Questions by zddy

zddy OP wrote

So if one were to build social media accounts solely through Tor and only accessed them through Tor then it would go towards concealing my personal identity from the one being created.

As for Orbot as VPN, what I meant was - does it act more generally and not as a specific browser application like the Tor Browser? For instance: if I have Orbot enabled, and I access a social media app, would all of the app's data be transferred through the Tor network?

If I can ask you another question (you have been too generous already): what would the danger be in downloading a file from Tor? I have read some stuff online and AFAIK, the real danger lies in the file "calling home." Would putting your device in airplane mode and then opening the file eliminate that danger, or is there something else that needs to be done? I am specifically looking to d/l stuff from the anarchist library to print and hand out if that makes a difference.

Sorry and thanks again for helping this noob out!

1

stoned_chief wrote (edited )

I read that Orbot is used more as a VPN and will route all data through the Tor network not just internet traffic.

Not sure what you mean by "not just internet traffic" because something like SMS or calls aren't routed over Tor because they don't use the internet. Did you mean browser traffic? Also small correction but Tor does not work like a VPN, it just uses a VPN connection on Android to make the initial connection, but it's still the same old Tor.

If one were to have Orbot active and then you sign into Snapchat or FB, wouldn't that deanonymize(sp?) you?

You wouldn't be deanonymized because you're using Orbot, but you'd be deanonymized because you're using social media tied to your phone and identity.

With Orbot active does it matter which browser you use? Would there be any advantage to using Tor Browser in conjunction with Orbot, or would it just be redundant?

You would still be connected to Tor no matter what browser you use, but the Tor Browser is safer for many reasons. Mainly because you'll blend in with other Tor users which improves anonymity.

1

Reply to comment by stoned_chief in Is Riot safe(r) ? by vandemic

stoned_chief wrote

You don't have to manually perform the encryption, you're only advised to verify each device which can only really properly be done in person or over another secure channel. You don't actually have to verify anything to use encryption, it's just a way to ensure that the Matrix server you're using isn't providing you a fake encryption key to spy on your communications.

2

stoned_chief wrote (edited )

Yes, Riot is pretty safe so long as you make sure you're using encryption. I'd recommend you avoid the main Matrix homeserver because they have notoriously bad security and privacy, plus they're based in the UK.

EDIT: I forgot to mention that calls are not encrypted on Riot... Or at least the group calls aren't, I'm not sure about 1-to-1 calls. If you need encrypted calls use Signal, Wire, or maybe Tox if you're okay with trusting experimental encryption.

1

Reply to comment by celebratedrecluse in Is Riot safe(r) ? by vandemic

celebratedrecluse wrote

all encryption is time-sensitive. anything can be broken with enough time.

the UK does not have statutes of limitations on criminal prosecutions, a unique feature of its legal system. So anyone can be prosecuted at any time for any crime they allegedly committed, even if it was a misdemeanor like 20 years ago lol

theoretically, anything you talk about on a default Riot encrypted chat is a conversation occurring in UK, because the matrix.org server is hosted there. They have had data breaches in the past, too. UK is part of five eyes, which shares info with US Australia etc. So all of it could be considered "Conspiracy to X", if it relates to anything illegal under UK law. Conspiracy is usually a felony charge, which makes it eligible for extradition.

So the question is, do you live in a country that extradites to UK, or who UK shares info with? If so, might want to self-host Riot, and not rely on this suspicious server, which has a giant target on its back and is in the worst possible jurisdiction.

2

celebratedrecluse wrote

yes, but the default Matrix.org server is in UK, which has terrible data laws and a massive surveillance infrastructure which is contracted to USA very closely. This server also had a data breach recently, within a year ago iirc. So the matrix.org web service, I would avoid.

The integrations are also not open source, so avoid using or installing those sticker packs etc.

Theoretically, however, your encrypted messages are end to end, so the server does not have access. Nonetheless, the server can interpret certain metadata regardless of encryption, so it is good to run your own if you can.

Every affinity group should have at least one server admin! Helps a lot with opsec.

2

cute wrote (edited )

1) Yes because Facebook, Snapchat and such would already know who you are along with them now knowing you use Tor.

2a) No, you can use whatever you'd like

2b) No, it's better to use the official Tor Browser because it will allow you to blend in with other Tor users and be anonymous.

If you just need to hide your IP, riseup (dot) net has a free VPN that is public and is run by fellow radicals. With a VPN you aren't as suspicious and it isn't as slow.

2

Reply to comment by vandemic in Is Riot safe(r) ? by vandemic

vandemic OP wrote

Right, but if I set all conversations to e2ee, then even if they, the Riot ppl, store my data on their servers, none of it is in plaintext or otherwise accessible to their engineers, so it's fine?

2

Reply to comment by mofongo in Is Riot safe(r) ? by vandemic

mofongo wrote

After setting up the encryption, it remains as the default from that point forward and cannot be turned off. Riot does store information, it asked for elevated storing permission on the webapp and surely the app does as well. However, you can look for another matrix client that does not.

I'm unsure about iOS, but you can download Riot from F-Droid without requiring a phone number or being associated with an account.

Here's the list of supported matrix clients, there's also a feature comparison list on the same page.

https://matrix.org/clients/

3

Reply to comment by vandemic in Is Riot safe(r) ? by vandemic

vandemic OP wrote

If I configure an encrypted chat with a friend, do our comms remain e2ee as the default from that point forward or do I have to configure it every time? Also, does Riot store metadata as far as you know? One more thing, if I buy a smartphone off someone on CL without a SIM card, what's the procedure to download and install the app? I've noticed that it can be very difficult to work around needing a phone number to even access things like the iOS app store...

2

Reply to comment by mofongo in Is Riot safe(r) ? by vandemic

mofongo wrote

Yep, it must be set up manually on each room per device. It can be a pain in the ass if you have lots of people in a room, and a fantastic way to boycott a group if you have the permissions to do so.

Lately, I've been asked to verify my device for encryption using Riotx and the web app, but it's not working despite being connected on both using the same network.

2

Reply to comment by vandemic in Is Riot safe(r) ? by vandemic

vandemic OP wrote

Looking over their site, correct me if I'm wrong, but implementing encryption doesn't appear to be automatic the way it is with Signal and WhatsApp, but instead something that must be manually configured, PGP-email style?

2

mofongo wrote

Riot is the official messaging service for Raddle, we use it for the same reasons you listed while being easy to set up. There are still considerations, like the web app requiring JavaScript; luckily there are other Matrix clients to choose from.

6

vandemic OP wrote

Oh damn, I just realized I can set up an account with Riot.im using a bogus email and connect from there to Telegram and WhatsApp! At least in theory, as I've only just now read about it and haven't tried to implement it yet. Too bad Signal isn't on their list of potential bridges.

2

celebratedrecluse wrote

verification codes

SIM verification codes are codes which are sent to a phone number as a text message, usually six numbers. They are required for 2FA logins, and registering a Signal Private Messenger number, etc.

meta datas

So I am referring to the purchase of the SIM card, not the method of transmitting the info, although both are relevant. If your friend purchases a SIM card, and then you use numbers associated with it, it will be connected to you. It is best to do this through someone you don't know as well, for this reason. It obscures the social networks you are part of.

process for setting up anonymous phone number

This will not provide cell phone service. If you are using a SIM card, you need to just pay someone to buy one and either mail or give it to you, like you say.

The method I gave, on the other hand, is for setting up a VOIP number, which many providers require an existing phone number to do. This VOIP can be used to register encrypted messaging applications like Signal Private Messenger, or other purposes you may need a cell phone number for, and it will work over the internet (you can use a MAC address randomization application like macchanger to anonymize your MAC address and then just use it on public wifi, or use macchanger and a VPN to mask your IP).

2