Privacy

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
976
 
 

TL;DR there was a backdoor found in the XZ program. All major distros have been updated but it is recommended that you do a fresh install on systems that are exposed to the internet and that had the bad version of the program. Only upstream distros were affected.

977
978
 
 

Within minutes of walking through an Israeli military checkpoint along Gaza’s central highway on Nov. 19, the Palestinian poet Mosab Abu Toha was asked to step out of the crowd. He put down his 3-year-old son, whom he was carrying, and sat in front of a military jeep.

Half an hour later, Mr. Abu Toha heard his name called. Then he was blindfolded and led away for interrogation.

979
 
 

Hi everyone :)

For those interested, I share my just finished personal Firefox user.js. It's based on the latest arkenfox and has the same privacy features, with some personal tweaks to fit my workflow. And also easier to read 😅.

https://github.com/KalyaSc/fictional-sniffle/blob/main/user.js


KEEP IN MIND

Except for the privacy focused entries, some are personal choices for an easy drop-in Firefox preferences backup. This is what I consider a good privacy model and some entries could break YOUR workflow, especially if you don't have self-hosted alternatives (Vaultwarden, Linkding, Wallabag).

I'm not an expert, but most of those entries are the same as Arkenfox's user.js. I really encourage you to read their file for a better understanding of what each entry does. While my file is easier to read, one downside is the lack of documentation for each entry.

Also, this is not just a COPY/PASTE. It took a lot of effort, time, reading, testing and understanding. I kept a similar naming scheme for cross referencing.

I learned a few things and hope that you also will enjoy, edit, read and learn new interesting things.

Happy hardening!


Features

  • Automatic dark mode theme (Keep in mind you still need Dark Reader or similar plugin for web pages in dark mode.)
  • Deep clean history on every Firefox quit. Only cookies as exception are kept. I need them for my self hosted services.
  • Disable password/auto-fill/breach. Vaultwarden takes care of everything.
  • All telemetry disabled by default except for the crash reports. To also disable the crash reports, comment the beginning of the following lines with //:

    user_pref("breakpad.reportURL", "");
    user_pref("browser.tabs.crashReporting.sendReport", false);
    user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
    user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);

  • DoH disabled (got my personal VPN with DoH enabled)

    user_pref("network.trr.mode", 5);

  • Disable WebRTC. If you need it for video calling, meetings, video chats:

    Comment the following line:

    user_pref("media.peerconnection.enabled", false);

    Uncomment the following (arkenfox default, it will force WebRTC inside your configured proxy):

    //user_pref("media.peerconnection.ice.default_address_only", true);
    //user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);

  • Fixed width and height (1600x900) (fingerprint resistant), arkenfox's default
  • Resist Fingerprinting (RFP), which overrides fingerprint protection (FPP)
  • A lot of other tweaks you can discover while reading through the file.

How to use/test this file?

Open Firefox, type about:profiles and create a test profile. Open the corresponding root folder, put in the user.js and launch the profile in a new browser.

After testing, and once you are happy with the result, BACKUP your main Firefox profile somewhere safe and put the user.js in your main profile to see if it fits your workflow.

Room for improvement / TODO.

A lot of the settings in the 5000 range from arkenfox's user.js need further testing and investigation, because they could break and cause performance/stability issues.

  • JS exploits:
- javascript.options.baselinejit
- javascript.options.ion
- javascript.options.wasm
- javascript.options.asmjs
  • Disable webAssembly
  • ...

TODO

  • Disable non-modern cipher suites
  • Control TLS versions
  • Disable SSL session IDs [FF36+]

Also those settings are another beast that needs further testing/investigation on how they work.

The user.js file

https://github.com/KalyaSc/fictional-sniffle/blob/main/user.js

WARNING

Arkenfox advises against add-ons that scramble and randomize your fingerprint characteristics (like Chameleon).

WHY? Because resist fingerprint takes care of most things. See 4500: RFP (resistFingerprinting) in arkenfox user.js.

[WARNING] DO NOT USE extensions to alter RFP protected metrics

    418986 - limit window.screen & CSS media queries (FF41)
   1281949 - spoof screen orientation (FF50)
   1330890 - spoof timezone as UTC0 (FF55)
   1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
 FF56
   1333651 - spoof User Agent & Navigator API
      version: android version spoofed as ESR (FF119 or lower)
      OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
   1369319 - disable device sensor API
   1369357 - disable site specific zoom
   1337161 - hide gamepads from content
....

Very long list!

Final words

I'm open for any constructive criticism or any constructive comment that could help me out to improve or understand something new or something I misunderstood. Sure that's not 100% my work, but as I said it took a lot of time, testing, searching, reading... Please don't be a crazy Panda...

Credits

https://github.com/arkenfox/user.js

https://github.com/pyllyukko/user.js/

https://wiki.archlinux.org/title/Firefox/Privacy
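
An added example, not part of the post above or of arkenfox: a small Node.js check that parses a user.js and reports which of the WebRTC states the post describes is actually active, since a pref on a commented line has no effect. The helper names `parseUserJs` and `webrtcState` and the sample file contents are constructed for illustration.

```javascript
// Added example, not from the post or arkenfox. parseUserJs and webrtcState are
// hypothetical helpers; only double-quoted strings, booleans and integers are handled.
const PREF = /user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/y;

function parseUserJs(text) {
  const prefs = new Map();
  let i = 0;
  while (i < text.length) {
    if (text.startsWith("//", i)) {          // line comment: a pref on it is inactive
      const nl = text.indexOf("\n", i);
      i = nl === -1 ? text.length : nl + 1;
    } else if (text.startsWith("/*", i)) {   // block comment
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      PREF.lastIndex = i;                    // sticky regex: match only at position i
      const m = PREF.exec(text);             // consumes the whole call, so "//" in a value is safe
      if (m) prefs.set(m[1], JSON.parse(m[2])); // a later entry overrides an earlier one
      i = m ? PREF.lastIndex : i + 1;
    }
  }
  return prefs;
}

// "unrestricted" means the file itself neither disables nor proxy-confines WebRTC.
function webrtcState(prefs) {
  if (prefs.get("media.peerconnection.enabled") === false) return "disabled";
  const confined =
    prefs.get("media.peerconnection.ice.default_address_only") === true &&
    prefs.get("media.peerconnection.ice.proxy_only_if_behind_proxy") === true;
  return confined ? "proxy-only" : "unrestricted";
}

// Constructed sample: WebRTC off, plus a string value that contains "//".
const STRICT = `
user_pref("browser.startup.homepage", "https://example.org/"); // constructed value
user_pref("media.peerconnection.enabled", false);
//user_pref("media.peerconnection.ice.default_address_only", true);
//user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
`;
// Constructed sample: the enabled line was commented, the two ICE lines were forgotten.
const HALF_EDITED = STRICT.replace('\nuser_pref("media.peer', '\n//user_pref("media.peer');
// Constructed sample: both steps of the video-calling instructions were carried out.
const VIDEO_CALLS = HALF_EDITED.replace(/\/\/(user_pref\("media\.peerconnection\.ice)/g, "$1");

for (const [name, text] of Object.entries({ STRICT, HALF_EDITED, VIDEO_CALLS })) {
  console.log(name, "->", webrtcState(parseUserJs(text)));
}
```

The half-edited case is the one worth checking for after switching a profile to video calling: the file then says nothing about WebRTC at all.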

980
96
submitted 6 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
 
 

I'm running the latest GrapheneOS with no VPN and yesterday it was failing and saying "if you're using one, try disconnecting from proxy/VPN" and today it's saying server not found. This happens regardless of whether I click on Anonymous, or Anonymous (insecure).

Is anyone else having this issue? I have another phone without Graphene on the same network and it's working fine.

Edit: via @[email protected]

Rahul Patel:

Quick update:

  • We had to get new VPS for Aurora.
  • Server was up all night but due to change in location accounts were not able to generate auth sessions.
  • Working on it! We'll be back soon.

Happy Friday ❤️

Source: https://t.me/AuroraSupport/390621

981
 
 

Today most Invidious instances are experiencing very harsh IP address rate limiting; it is becoming very, very hard to watch YT videos through

982
 
 

cross-posted from: https://covert.nexus/post/27235

The FTC released a staff report in 2021 analyzing the privacy practices of six major U.S. Internet Service Providers. The report found that these ISPs collect as much, if not more, data on their customers' browsing habits than popular advertisers like Google and Facebook. Additionally, some of these ISPs either operate their own advertising businesses or sell the data to third parties, such as the NSA.

983
984
 
 

In 2018, Facebook told Vox that it doesn't use private messages for ad targeting. But a few months later, The New York Times, citing "hundreds of pages of Facebook documents," reported that Facebook "gave Netflix and Spotify the ability to read Facebook users’ private messages."

Surprising? No. Appalling? Yes.

985
986
 
 

cross-posted from: https://lemmygrad.ml/post/4108287

ACTUALLY! Android is more private than the iPhone! (Disclaimer: The YouTuber is anti-China, but his analysis on Apple is very good)

987
988
 
 

This is the problem with using VPN services in general, you have to have complete trust in the service provider.

989
 
 

Due to work I need to use Microsoft Outlook mail on a daily basis. What I would like to know is the privacy and security concerns of various options:

  1. Login and use Outlook on a browser for general purposes
  2. Use a tailored third party client from Flatpak such as https://flathub.org/en-GB/apps/io.github.mahmoudbahaa.outlook_for_linux
  3. Use Thunderbird
  4. Any other possibilities
990
 
 

(In the case that someone in Lemmy still uses Google)

991
 
 

My son was just born, and while a few photos will go on the likes of Facebook and Instagram, overall my partner and I are wanting to keep our shared photos private from the EULA abuses that we all know and hate.

Does anyone here have any good suggestions? I would create my own front end, but I can't swing hosting or a static IP to do it from my local box. Are there any companies out there who aren't total shit bags who claim immediate irrevocable license to all of my photos to do with whatever the fuck they please?

992
 
 

A client of mine is getting harassed, we think by her former attorney who she's suing for embezzlement.

Someone is posting fake resumes for her and applying for jobs and she gets daily emails and call backs. Is there anything to do short of either ignoring it or playing whack-a-mole?

She's a very sweet old lady who is freaked out by this and doesn't deserve it.

993
994
 
 

cross-posted from: https://covert.nexus/post/20450

Summary:

Federal investigators have requested Google to provide information on all users who watched specific YouTube videos within a certain timeframe, sparking privacy concerns from civil rights groups. The videos had collectively been watched over 30,000 times.

The case involves undercover agents sending tutorial links for mapping via drones and augmented reality software to an individual, “elonmuskwhm,” who is suspected of violating money laundering laws and unlicensed money transmitting.

Court orders obtained by Forbes show that the government instructed Google to disclose user data, including names, addresses, telephone numbers, account activity for Google account holders, and IP addresses for non-account holders who watched the videos. The government argues that this data collection was relevant to their criminal investigation.

995
 
 

Telegram is giving away FREE Premium subscriptions! All they need from you is to use your cell phone as a relay to text out their OTP codes! And the recipient of the OTP sees your phone number! What could POSSIBLY go wrong with this deal?

PLEASE don't use Telegram! I personally recommend Matrix as it's totally FOSS, you can self host, there are tons of front end clients to choose from. Or even use Signal. I have my own issues with Signal, the fact they don't allow third party clients, you can't self-host, they have a proprietary shim in their stack that only they know what it does, they were pushing crypto, etc, but at least Signal is better than this garbage.

996
 
 

Link is in French: a data leak on 200 million accounts on X.

997
 
 

This link is in French, but as a summary: a technical report shows that M365 Word and PPT contents leak to US servers (augloop.office.com) as soon as you open a document on a local installation of PowerPoint or Word, unbeknownst to users.

This is potentially huge!

998
 
 

Finally deleted my LinkedIn account!

After putting my account into "hibernation" for the past few weeks, I finally closed it. But I'm still looking for work. Thankfully I can still find positions (SRE and software dev) by just going directly to the company's site and finding a Jobs page.

Good luck to everyone else out there looking for work!

#privacy @privacy

999
38
submitted 7 months ago* (last edited 6 months ago) by [email protected] to c/[email protected]
 
 

If the link preview above displays an ad, ignore it.

Article

1000
107
submitted 7 months ago* (last edited 7 months ago) by [email protected] to c/[email protected]
 
 

Hey there,

I've been using Firefox for ages now, and I was completely satisfied with it... until very recently, that is. For space-saving reasons, I started to convert my media library to H265, since all devices in my network support it now. Or so I thought. One very noticeable omission is my desktop PC with Firefox. Now, if I watch something from my local media server, the server has to waste resources to convert to H264, which is a noticeable performance hit to all other things running on the server. The GPU in my Desktop PC (or the CPU for that matter) could have displayed H265 without even changing clock speed from idle. So I tried to use the native Plex App for Windows for that, but that one does not support RTX Super Resolution which was really nice when watching old DVD stuff.

From what I can see, to get both, I need a Chromium browser. Since I would rather not have two browsers open all the time: Is there any browser based on the latest Chromium Builds that is not a massive insult to one's privacy?
