# Are you trusting Google with all of your online life?



## Jose (Mar 8, 2021)

I suggest using more than one account.









						Terraria developer cancels Google Stadia port after YouTube account ban
					

Hit indie game developer tells Google, "Doing business with you is a liability."




					arstechnica.com


----------



## unitrunker (Mar 9, 2021)

Make self hosted email administration easy and this sh$t goes away.

Meanwhile, there's protonmail.


----------



## ralphbsz (Mar 9, 2021)

This is one month old. Some of the details in that article aren't correct to begin with. For example, that guy's youtube channel remained accessible at all times (which is not compatible with statements such as "had all their accounts closed"). And the situation seems to have been resolved. I don't know any details, other than what the press has been reporting.

Old joke from a divorce attorney: There are always three sides to a story: his, hers, and the truth.


----------



## Jose (Mar 9, 2021)

ralphbsz said:


> This is one month old. Some of the details in that article aren't correct to begin with. For example, that guy's youtube channel remained accessible at all times (which is not compatible with statements such as "had all their accounts closed").


TFA explicitly mentions that the channel is up


> Re-Logic's YouTube channel, which is still up here, (with a disabled profile picture) appears to be nothing but trailers of the company's games.


Problem was, they couldn't add any new content because their Google account was disabled. TFA does not contain the word "closed" in it at all.


ralphbsz said:


> And the situation seems to have been resolved. I don't know any details, other than what the press has been reporting.


Do you have a source for this? I could find no information on what has happened since February 10th,


----------



## richardtoohey2 (Mar 9, 2021)

I think that was just an example of what might happen, so no point getting too bogged down in the specifics of that case?

The point still stands - our choices are getting more limited.

Between Google, Facebook, Amazon, Apple etc. etc. we're all doomed anyway.

Putting my tinfoil hat back on and scuttling back under the bed.


----------



## a6h (Mar 9, 2021)

richardtoohey2 said:


> we're all doomed anyway.


What's an alternative to the X? The rest of the Internet.


----------



## ralphbsz (Mar 9, 2021)

Jose said:


> Do you have a source for this? I could find no information on what has happened since February 10th,


First hit when you web search for "terraria account google" is this:








						Terraria Now Coming to Stadia After Co-Creator Has Google Accounts Restored [Updated] - IGN
					

Update: Terraria will be coming to Stadia after all, after the game's co-creator had access to their Google accounts restored.




					www.ign.com
				



It has links at the top to official communication from Terraria that everything is good again.



richardtoohey2 said:


> The point still stands - our choices are getting more limited.
> 
> Between Google, Facebook, Amazon, Apple etc. etc. we're all doomed anyway.


There are many other providers of hosting and e-mail service. 

Where it gets difficult is this: people want for example a free e-mail service. But they also want that e-mail service to remain up and running when the company hosting the e-mail is served with a legal order against that account, of when they e-mail provider catches the user performing illegal actions. And they want easy-to-reach fully staffed human tech support for when things go wrong (like: I lost my password, or my account was closed because I was caught sending pictures that are illegal, or my account was hacked by criminals from Elbonia, or the court ordered you to close my account but my lawyer sees it should stay open). And they want the hosting company's lawyers go fight for them.

I pay $10 per month for my e-mail and hosting. I know that I can reach my e-mail provider by phone, 24x7, and someone will answer the phone. I know their address, so if I need to personally deliver paperwork (like legal documents), I can get there by car in about 3 hours. I know that if I need to meet with the CEO of that company on an important issue, I can make an appointment, and he will talk to me. I know that their lawyers will try to defend me if they are served with an order shutting me down. All this is from personal experience (been there, done that, got the T-shirt). All that for $10 per month? Pretty good deal if you ask me. To be honest, the fact that I had to give my personal lawyers about $3000 to help defend me made the whole thing quite a bit more expensive, but the hosting company did pay for their own lawyer on my behalf.

Now, if someone wants to have all that service, but not pay for it? Sorry, that's unrealistic. If you need a business-critical or hosting service, a free one is unlikely to be a good choice.


----------



## richardtoohey2 (Mar 9, 2021)

ralphbsz said:


> There are many other providers of hosting and e-mail service.


You make good points, but how much longer will we have these other providers for?

Google has lost ~US$13 billion on Google Cloud over the last three years (I was going to paste a link but they are all auto-playing video nightmares) - how is that fair on other players, especially the smaller ones?  You will have to have very deep pockets to play in this game.

Guess that is how things work (and always have worked).


----------



## Jose (Mar 9, 2021)

ralphbsz said:


> First hit when you web search for "terraria account google" is this:
> 
> 
> 
> ...


This is what they said


> ...we had a ton of issues to kick off the year stemming from the locking-down of Redigit's entire Google account in early January. After a month of pushing (and with the immense support of our fans), Google finally reached out and was able to provide a lot of transparency around the situation and to restore access to all of our accounts.


It took two full months and an Ars Technica article  for an indie developer with a hit game and 69k Twitter followers to get Google to react. What chance do you have if you're a regular Joe?


----------



## Mjölnir (Mar 9, 2021)

unitrunker said:


> Make self hosted email administration easy and this sh$t goes away.


On my laptop?


unitrunker said:


> Meanwhile, there's protonmail.


And posteo.de (.net .mx .info ._younameit_) or mailbox.org and many others.  _You get what you pay for._


----------



## Mjölnir (Mar 9, 2021)

vigole said:


> What's an alternative to the X? The rest of the Internet.


??? What is X in your question?


----------



## a6h (Mar 9, 2021)

Mjölnir said:


> ??? What is X in your question?


Somebody specifically asked me: "_what's the alternative to Wikipedia_". I answered: "_the rest of the internet, and libraries_".
To prevent mass hysteria, I redacted the "wikipedia". But you can think of X as a set: X={..., Google, Facebook, Twitter, ...}.


----------



## Mjölnir (Mar 9, 2021)

richardtoohey2 said:


> You make good points, but how much longer will we have these other providers for?
> 
> Google has lost ~US$13 billion on Google Cloud over the last three years (I was going to paste a link but they are all auto-playing video nightmares) - how is that fair on other players, especially the smaller ones?  You will have to have very deep pockets to play in this game.


I'm paying 1.20 €/month for an e-mail+ service, 100% anonymous (if I really wanted),  incl. cloud storage (2 or 5 or 10 GB? dunno 'cause I don't use that).  That's 1/3 drink in a pub.  IOW I invite one of the people driving that service for a drink every season.  Is it worth it?  I think so, and if not, how many others did I invite in that season?
_*You get what you pay for*_, that's not too complex to understand for anone with an IQ > 85, right?  If a commercial company offers you a so-called _"free"_ service, damn what'd ya think that _"free"_ means?  You pay with your privacy instead of money.  If you go _FreezeBook_, _WhatsApe_, _Giggle_, _Ape'le_, well, *it's your free decision...*


----------



## Deleted member 66267 (Mar 9, 2021)

Just know that gmx.com and mail.com banned my country from registering.


----------



## a6h (Mar 9, 2021)

also-ran said:


> Just know that gmx.com and mail.com banned my country from registering.


Use a VPN. Generally it's better to have some type of "VPN Kill Switch" too.
VPN crashes, connection drops, and you don't want to expose your IP addr.
Some VPN clients (windows & mac) have kill switch. Built in the client itself.
But I don't know (never done that!) how to run or implement it on FreeBSD.

Related threats on implementing "Kill Switch":
Thread ipfw-killswitch-for-vpn.66813
Thread restarting-network.76075


----------



## ralphbsz (Mar 9, 2021)

richardtoohey2 said:


> You will have to have very deep pockets to play in this game.


Or provide a service that customers find valuable, and that is unique.

For the last ~22-something years, I've had the same "ISP" serving my mail and hosting needs (I put ISP in quotes, because they're not the provider of last-mile bandwidth). About 22 years ago, they were a larger company than Google: they probably had 50 people, when Google had 5, and Facebook didn't even exist yet. Today, they still exist, they continue to grow, they're probably at nearly 1000 employees, and I know they're hiring. I have no fear that they'll go under any time soon, at least not due to competition. They don't compete with IaaS companies such as AWS, Azure or Google Cloud.

Don't get me wrong: I'm not claiming that the FAANG don't have good products. This message is being typed on a computer made by Apple, worth every penny. If it were twice as expensive, I would still have bought it. But that doesn't mean that the FAANG will wipe out all the computing industry.


----------



## ShelLuser (Mar 9, 2021)

I definitely wouldn't trust Google with anything, but it does go to show you how little people investigate before putting their business somewhere. I mean... I don't know how long ago it was when those Android developers started complaining because they suddenly didn't get any revenue from Google even though their apps had been sold a couple of times.


----------



## Snurg (Mar 9, 2021)

Jose said:


> I suggest using more than one account.


Umm...
does anybody know whether this actually helps?
I mean, FAANG associates you with all your accounts.
Who can give you any certainty they won't block all and lock you out anyway?

Regarding usage of paid email hosters, it is extremely important to make sure to choose a provider who allows you to downgrade your email subscription package.
For example, from personal experience I urgently warn against using gmx.com/.de, as your email account will get closed if you want to go back to the free plan, for example if you aren't satisfied for whatever reason.
(This is many years ago, I don't know whether they have changed this. But I won't ever give gmx a try again.)


----------



## drhowarddrfine (Mar 9, 2021)

I've read a few tech people I consider normal losing access to their Google accounts and losing all their documents and they have no clue why. I'm at the point where I'm uncomfortable with that and have transferred everything to my own storage. I've always had my own email server but still use GMail. I'll still use GDrive and Photos but only as temporary storage to transfer to my own. I've paid $20/year for extra storage but I'm canceling that while still retaining the free 20GB.


----------



## a6h (Mar 9, 2021)

I have not a lot of choices. I have to use some free services. It's not just about free services. There's also paid software/service and hardware. I can't build them at home! I don't have any rational justification, but when I have to choose between FAANG and the Big Boys, I choose the Big Boys, aka IBM, Intel, and Microsoft. I think they'll stay with us for a long time, similar to the East India Company (EIC).
FAANG? I doubt it. That's just my personal observation (==feeling) on the whole shebang.


----------



## Deleted member 30996 (Mar 9, 2021)

I had to get a google account to get my site listed correctly but I never used the gmail account or did anything but login to the website owner area and log back out when finished.

My hosting package ends next month so I'll lose my roundmail account that comes with it and that's the one I use most.

I have a yahoo account for registering and such but I seem to remember hearing about them scanning emails for keywords to target ads or something on the order.

I had a Tutanota account with a server in Germany, by choice, and it's free for up to 1GB of storage. I hadn't used it in 6 months so it went dead but will probably get another one there.


----------



## Mjölnir (Mar 9, 2021)

I presented my research results in this thread, fast-forward down, you'll find it quickly.


----------



## Jose (Mar 9, 2021)

Snurg said:


> Umm...
> does anybody know whether this actually helps?
> I mean, FAANG associates you with all your accounts.
> Who can give you any certainty they won't block all and lock you out anyway?


I don't know for sure and perhaps am being naive. What I do is create a new Google account whenever I need one for whatever reason. They're free. I use it for whatever purpose made me get it and nothing else. I abandon them silently when they're no longer of use.


----------



## Mjölnir (Mar 9, 2021)

Delete their cookies often, IIUC that's their main method to identify the user, plus CPUID?  Can a browser access the cpuid?  Can they identify me by reading (from a .js running in my browser) a SSL seed or such that's pinned by my SSL/TLS library?  I.e. today it's the same like last week?  I'm a total _noob_ when it comes to this crypto stuff...
EDIT I cited none, but just do some wild guessing.  See above: I'm a _noob_...


----------



## Jose (Mar 9, 2021)

I run most things in a private window (deletes all cookies on closing) and have Firefox set to do the same to third-party cookies globally. Dunno about the ones you cite, but I worry about these:


			Fingerprintjs by Valve
		









						Anatomy of a browser dilemma – how HSTS ‘supercookies’ make you choose between privacy or security
					

HTTP Strict Transport Security (HSTS) is supposed to keep you more secure online, but it could be used to track you against your will. Mark Stockley explains…




					nakedsecurity.sophos.com
				




I figure a custom-compiled Firefox on Freebsd is pretty darn unique.


----------



## unitrunker (Mar 9, 2021)

Browsers can pull your hardware MAC address - even when you've set a different one (thanks Google).


----------



## Alain De Vos (Mar 9, 2021)

In rc.conf I use,
### IPv6 options: ###
ipv6_privacy="YES"               # Use privacy address on RA-receiving IFs


----------



## Mjölnir (Mar 9, 2021)

unitrunker said:


> Browsers can pull your hardware MAC address - even when you've set a different one


It should be possible to send a faked one? I could patch the browser to generate a new one hourly/daily/weekly, according to the appropriate rules how a MAC address is made?


unitrunker said:


> (thanks Google).


Why's that?


----------



## Mjölnir (Mar 9, 2021)

Alain De Vos said:


> In rc.conf I use,
> ### IPv6 options: ###
> ipv6_privacy="YES"               # Use privacy address on RA-receiving IFs


What is _RA-receiving_?  I'm fetching that RFC 4941, but maybe you can explain quicker than I can read the RFC...


----------



## unitrunker (Mar 10, 2021)

I'll explain. On a different OS, I hop on to wifi at the local Starbucks. Google is the provider. I see my physical MAC address in the location bar URL of the sign-in page.

I clear cache and cookies, change MAC to a fake one, and try to login again.

Physical MAC re-appears in the location bar. The browser extracts it somehow.

Yes my traffic over WiFi uses the fake MAC but doesn't prevent Google from tracking me.

I should do some experiments with different browsers but you get my point.


----------



## Mjölnir (Mar 10, 2021)

unitrunker said:


> I'll explain. On a different OS, I hop on to wifi at the local Starbucks. Google is the provider. I see my physical MAC address in the location bar URL of the sign-in page.


You mean the sign-in page of that WLAN access point?  You have to sign-in in that _Stubbucks_ café to get internet access via their WLAN?  Ok, then it's not your browser that's extracting your MAC address, but the WLAN router you're connecting to, tells that the web interface where you sign in.  No matter who's their ISP.  If OTOH you mean the sign-in page of any _Giggle_ service like _YouTube_, then that's probably another story.


unitrunker said:


> I clear cache and cookies, change MAC to a fake one, and try to login again.  Physical MAC re-appears in the location bar. The browser extracts it somehow.


Only very few carrier-grade commercial network hw allows the user/admin to fake the MAC address.  I strongly doubt you have such.  The driver may allow you to set the MAC address; but the average consumer hw will not take that, it uses the burned in MAC address, and rightly so.  There's just too many things an non-expert user could misconfigure.  I had a 4-port Sun QFE in a UltraSPARC box that allowed me to set the MAC adress.  The manpage read s/th like this: hme(4) (FreeBSD)
	
	



```
On sparc64 the hme driver respects the local-mac-address? system
     configuration variable which can be set in the Open Firmware boot monitor
     using the setenv command or by eeprom(8).  If set to “false” (the
     default), the hme driver will use the system's default MAC address for
     all of its devices.  If set to “true”, the unique MAC address of each
     interface is used if present rather than the system's default MAC
     address.
```
 IIRC that feature could be used for HA failover scenarios or such?  Dark fuzzy memories...


unitrunker said:


> Yes my traffic over WiFi uses the fake MAC


How do you know that?  Are you sure?  See above: I strongly doubt you can set the MAC address that goes out to the wire or antenna.  The driver's: yes.  The HW doesn't give a sh(1)t.


unitrunker said:


> but doesn't prevent Google from tracking me.


IMHO that's not so clear.  They track you, yes, but probably not by your MAC address.


----------



## Deleted member 30996 (Mar 10, 2021)

unitrunker said:


> I'll explain. On a different OS, I hop on to wifi at the local Starbucks. Google is the provider. I see my physical MAC address in the location bar URL of the sign-in page.



I have a box dedicated to the Goddess for use with our wi-fi hotspot and spoof my MAC.

Here's how to spoof the ether MAC on FreeBSD showing before and after the command:


```
root@jigoku:/ # ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether b0:0b:de:ad:b0:0b
    inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog

root@jigoku:/ # ifconfig bge0 ether DE:AD:B0:0B:DE:AD
root@jigoku:/ # ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether de:ad:b0:0b:de:ad
    hwaddr 1c:75:08:22:06:65
    inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog
```

And since my router will not allow it to have Internet access by my instructions, changed it back to what it was originally before being able to post this:


```
root@jigoku:/ # ifconfig bge0 ether b0:0b:de:ad:b0:0b
root@jigoku:/ # ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=c019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO,LINKSTATE>
    ether b0:0b:de:ad:b0:0b
    inet 192.168.1.7 netmask 0xffffff00 broadcast 192.168.1.255
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    inet 127.0.0.1 netmask 0xff000000
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog
```


----------



## Mjölnir (Mar 10, 2021)

And you connect to your WiFi with that bge(4)?  I knew you're _magic_!


----------



## Deleted member 30996 (Mar 10, 2021)

Mjölnir said:


> And you connect to your WiFi with that bge(4)?  I knew you're _magic_!



Sheer Black Sheep Sorcery to you.

I've never looked at the MAN page you cited until now or done one thing listed on it before.

Not compiling the driver into the kernel as suggested. Not with any tweaking to tunables or sysctl variables. Yet here I am.

View attachment 9347

Nothing but choose bge0 from the wi-fi and ethernet network interfaces  presented during installation of the base system.

I've passed on my Black Sheep Sorcery Skills in the obscure guise of a Beginners Tutorial for those Birthday Party Level Magicians who wish to become FreeBSD Daemon Level Sorcerers.

If it's not in there I don't do it to get online, or to the x11=wm/fluxbox desktop. Maybe you'd like to critique it. I'm always open to suggestions and constructive criticism.

Don't count on me making any changes due to it unless it's needed to make it do something it doesn't already or better it somehow. Or from using ports, just so you know.


----------



## Snurg (Mar 10, 2021)

Mjölnir said:


> Delete their cookies often, IIUC that's their main method to identify the user, plus CPUID?  Can a browser access the cpuid?  Can they identify me by reading (from a .js running in my browser) a SSL seed or such that's pinned by my SSL/TLS library?  I.e. today it's the same like last week?  I'm a total _noob_ when it comes to this crypto stuff...
> EDIT I cited none, but just do some wild guessing.  See above: I'm a _noob_...


Just look at what data they actually use and see how unique you are 



Jose said:


> I figure a custom-compiled Firefox on Freebsd is pretty darn unique.


You don't need to custom build the browser to become uniquely identifiable.



unitrunker said:


> Browsers can pull your hardware MAC address - even when you've set a different one (thanks Google).


Another reason why using only IP4+NAT might have some (small) advantages.

I wish there were a browser which allows you choose what data is been shown to the javascript etc.
If all share an identical (or a small set of) "John Doe" profile, this would imply some loss of functionality while becoming less recognizable.


----------



## Mjölnir (Mar 10, 2021)

Trihexagonal said:


> Sheer Black Sheep Sorcery to you.


Thank you, you're very generous.


Trihexagonal said:


> View attachment 9347


Oops! We ran into some problems.
You do not have permission to view this page or perform this action.


Trihexagonal said:


> I've passed on my Black Sheep Sorcery Skills in the obscure guise of a Beginners Tutorial for those Birthday Party Level Magicians who wish to become FreeBSD Daemon Level Sorcerers.


I do like that Tutorial.  It's is very contemplative.


Trihexagonal said:


> Don't count on me making any changes due to it unless it's needed to make it do something it doesn't already or better it somehow.


No, but how about Devilene?


----------



## Deleted member 30996 (Mar 10, 2021)

Snurg said:


> Just look at what data they actually use and see how unique you are


I just blend in with the crowd as long as JS isn't enabled for a site. It's denied globally and enabled on a site by site basis. Not that one:


```
User agent 
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
```


----------



## Snurg (Mar 10, 2021)

Trihexagonal said:


> I just blend in with the crowd as long as JS isn't enabled for a site. It's denied globally and enabled on a site by site basis. Not that one:
> 
> 
> ```
> ...


Yes, there remain some data that can be extracted from what remains.
Sadly, the statistics of the site I mentioned doesn't go into much detail there.
How unique does it say you are?


----------



## Deleted member 30996 (Mar 10, 2021)

It needed JS enabled for the Am I Unique page to work at all, and once enabled that blew my cover:


----------



## Snurg (Mar 10, 2021)

Yes, I wish there were a link to the details on every percentage shown on the main page.
At least you can see the most common John Doe values for each entry if you click the "Similiarity ratio" button at the top of the "Javascript attributes" section.
With a specially hacked/patched browser, one could compose a "John Doe" profile that is as non-unique as possible.
I wonder whether such a plugin exists or even can be made at all.


----------



## Deleted member 30996 (Mar 10, 2021)

Snurg, I use the Firefox Toggle Referrer extension and it has an additional Referrer Spoofing feature for "problematic websites" you can enable that allows you to do custom editing of the Profile sent outlined in detail here if that meets your needs. You can make out the other extensions I use from the image provided.

I'm not all that worried about it beyond the things I already have covered. Google can tell exactly where I'm located on the Search page even when I don't have JS enabled and geo location disabled in about:config.

What bogus personal/unique information they collect from me now should be of any real privacy or security concern to me? And what accurate information they collect now should be of concern to me personally?

I don't allow JS to run globally through the use of NoScript and that's by far the most important security measure for Internet browsing that can be taken IMO.

It shuts down Meltdown and Spectre and pops a cap in malicious drive-by downloads before they get a shot off. Having NoScript to handle scripting and the fact very little malware targets FreeBSD, which I spoof to Windows, does it's fair share of what I think needs done to make browsing a thing with very little consideration given to being exploited no matter where I go.

I wouldn't get that Oh So Delightful Out-Of-The_Box Windows Experience feeling I hear spoken of on my Win10Pro box at_all and it never does online.


In the interest of transparency and full disclosure, when I was a Win98 user and full-time Agent of Chaos at large MultiProxy was standard issue equipment for all of us. With the click of a button you could switch from one to any proxy world-wide that was in my pre-loaded list and change my location to another Country and IP# instantly.

In the interest of Privacy, if at all possible, IMO it should be ported to FreeBSD by someone with smarts beyond mine to do it with my overwhelming everlasting gratitude if they would. It's freeware and the guy who ran the site was active in communication with users, very friendly and might be happy to see it done.

However, in the interest of Privacy and Security I would never enter a password to an account while using it. Those lists came from scanning the net and might unknowingly include a trap MITM open port in the list compiled and any of them could be sniffing.


----------



## Deleted member 30996 (Mar 10, 2021)

Mjölnir said:


> Thank you, you're very generous.


I called it Black Sheep Sorcery because not long after joining the PC-BSD forums as beta tester I found x11-wm/fluxbox and abandoned KDE3. Then dumped their .pbi Push Button Installer that reminded me of a Windows .exe in favor of learning ports.

One of the Moore Bros. asked me what I wasn't following the direction of the rest of the flock,
instead of bleating "baa" I said "bah" and the Black Sheep was born.

I never looked at the Handbook thinking because I was using PC-BSD it did not apply (that's how green my grass was at the time) and figured out how to use it on my own. Nobody would tell me `portsnap` was a command when I asked where it could be found in ports, lest lamb chops be listed on the menu.

Then the Shepard devotion towards the safety of their flock that followed them faithfully changed to love of money with Xsystems in the picture and they knowingly and purposely failed to protect the little lambs that followed them.

On April 4th 2012 I found a bug in the Firewall Manager GUI that broke pf, report it to the Shepard in charge, provided demonstrations of it along with a simple user level fix with example of how it was done. They became aware of the situation April 6th 2012 but ignored the black sheep of the flock, who did the black sheep thing and spoke out loudly in the PC-BSD forums to make the Shepard aware.

After being totally ignored for 2 months I shed my wool disguise in disgust, did a cougar catflip over the fence and bounded to Wilders Security Forums where I knew I would not be ignored and made their failure to the flock Public Knowledge. I knew the flock were being screwed and said get away from that little lamb when you've got those rubber boots on!

Then donned the disguise of a normal noob geek and headed for Freedom and FreeBSD. Only recently after returning letting my true form be known to drhowarddfine (for shock value), ILLUXA and Sir Dice to share with mods. I was telling the truth when I said I wasn't what you'd expect your average geek to look like. When I feel the time is right I'll post it here myself for the benefit of all.

You weren't here then back then or around to hear if before so I don't want you to misunderstand the meaning of Black Sheep Sorcery. I've told it many times before but being able to repeat the story as a means of contiuned negative reinforcement was part of my Lesson Plan.


Mjölnir said:


> Oops! We ran into some problems.
> You do not have permission to view this page or perform this action.


Forum related problem to correctly display uploaded images.


Mjölnir said:


> I do like that Tutorial.  It's is very contemplative.


Thank you. It's what's known in my circles as a Task Analysis. Not everyone can do it.

It began as notes to myself so I wouldn't forget how to do it when I terminated my Internet and cable service for a year. I should have written my login passwords down because I forgot that and lost all my account passwords but one.

After going back online I posted it to the only forum I belonged to I had written the password down for on paper under the name of my bot Siseneg.

That was picked in an article by freebsd.news and their article featured on the English and Arabic Facebook pages of bsdmag.com. After posting it here in the forums it was picked up again in another article by freebsdnews.com featuring a screenshot of the desktop of ILUXA.


Mjölnir said:


> No, but how about Devilene?



Abandon all hope of Devilene undergoing Graphic Image Breast Reduction done by me. She said so.


----------



## Mjölnir (Mar 10, 2021)

Trihexagonal said:


> Abandon all hope of Devilene undergoing Graphic Image Breast Reduction done by me. She said so.


Ok.  But I have to make sure about copyrights before I can copy & paste her to a shirtprinter.company
Can you provide me with serious input on that issue?  I didn't try yet, but I could imagine they'll ask me for a real name & address & all that.  EU legal stuff, copyrights violations are punished harder than if I started a hooligan-like fight with real blood & broken bones... seriously, not kidding.


----------



## Deleted member 30996 (Mar 10, 2021)

Yes, that image already appears on a T-shirt somewhere. I had the file named t-shit.png and the artists name still appears on the image. If you can make it out contact him.

I took Law of the Sea liberty to alter in into a full-sized image from original format because I didn't think they would mind. If they ask me I'll take it down but once in my files it's mine.


----------



## Jose (Mar 10, 2021)

Snurg said:


> Just look at what data they actually use and see how unique you are


Unfortunately I am quite unique. One of the things that was really annoying is that my list of fonts is one of the most unique things about me. That led me to find this Firefox addon








						Font Fingerprint Defender – Get this Extension for 🦊 Firefox (en-US)
					

Download Font Fingerprint Defender for Firefox. Defending against Font fingerprinting by reporting a fake value.




					addons.mozilla.org
				




Now I'm unique every time I load the page, which is exactly what I want.


----------



## Snurg (Mar 10, 2021)

Jose said:


> Now I'm unique every time I load the page, which is exactly what I want.


Good to see there exist "fingerprint defender" plugins already.

But, can mere reshuffling of the font list really work?
If I were a bad guy, I'd just try to null the plugins' effect by _first_ sorting and stripping the font list, and _then_ checksumming it.
I guess it would be worth to take a look at the plugin source to make sure it works in a way that rules out such workarounds.

Maybe it is best to provide a set of indiscernible, partly fake information?
Maybe having a set of essential fonts that are always there, and another set of fonts that are randomized, at the cost of sometimes slightly varying page display?


----------



## unitrunker (Mar 11, 2021)

Mjölnir said:


> You know that?  Are you sure?  See above: I strongly doubt you can set the MAC address that goes out to the wire or antenna.



Yes I'm sure. Wireshark confirms it.

As an aside, Android has the option to randomize its mac address. Ironically Google thinks this has some benefit to privacy.


----------



## Mjölnir (Mar 11, 2021)

I have to refresh my knowledge of the topics networking basics & privacy...  You're sniffing the WLAN traffic with another box, and your FreeBSD box sends out a fake MAC address out in the air?  BTW you didn't tell on my 1st question:  did you mean the sign-in of the WiFi AP or the sign-in of a public Giggle service?  IMHO that makes an important difference concerning the issue.


----------



## wolffnx (Mar 11, 2021)

sorry for change the talk, but even if you change your email provider  @gmail.com to another
they can read your emails?
whow? is you use chrome, today I read this,an had sense

Si usas ProtonMail, Google está leyendo igualmente tus correos a través de Chrome

use google translator


----------



## Deleted member 30996 (Mar 11, 2021)

Mjölnir said:


> I have to refresh my knowledge of the topics networking basics & privacy...  You're sniffing the WLAN traffic with another box, and your FreeBSD box sends out a fake MAC address out in the air?


I have an Ethernet LAN hooked into a router that goes into the cable box out the cable into the Internet.

Mine sends the spoofed MAC down the Ethernet cable and my router blocked it from Internet access as per my instructions. I had to set it back to the MAC it recognized before I could post that command, even though I still had the browser window open.

What would be the difference in wi-fi?


----------



## avgijbsd (Mar 11, 2021)

I use custom ROMs from XDA website. They are wonderful and open-source as they are based on Android which is also open-source. All you need to do is avoid flashing GApps (google apps package) or use MicroG (alternate to google service framework).
I currently have no google apps on my phone and it saves battery life much better.

Just stay away from google. Use ProtonMail or Tutanota Mail instead of gmail. And various other google apps alternatives can found on internet if you search "de-google Android". And also switch to DuckDuckGo search engine (they dont track you).
The only service I use is Youtube but I use it using a different client (get it on FossDroid or F-Droid).


----------



## Mjölnir (Mar 11, 2021)

No difference.  But there is a difference if you (intro-) inspect the traffic of a box from that box itself.  Because AFAIK there are NICs that let the driver set the MAC, but the HW refuses to use that, instead still sends out the hardcoded MAC out to the wire or antenna.  Then what your sniffer tools shows you, could be what the driver thinks is the faked MAC address, not that what really goes over the wire/antenna.  That's what I mean.


----------



## Jose (Mar 11, 2021)

wolffnx said:


> use google translator


The irony! Fortunately it's not necessary. This is the meat of the matter:


			https://www.redeszone.net/app/uploads/2018/11/Reddit-ProtonMail-Google-Chrome.jpg
		


So Chrome will send the contents of every Web page you visit, including your email inbox to some translation engine in its cloud if you have certain options set. I don't use Chrome so I can't verify this.


----------



## wolffnx (Mar 11, 2021)

Jose said:


> The irony! Fortunately it's not necessary. This is the meat of the matter:
> 
> 
> https://www.redeszone.net/app/uploads/2018/11/Reddit-ProtonMail-Google-Chrome.jpg
> ...



I hate the ugly that interface is, but firefox seems to be the "solution" of this


----------



## Mjölnir (Mar 11, 2021)

wolffnx said:


> I hate the ugly that interface is, but firefox seems to be the "solution" of this


Which pills are you taking?  One web search on _"firefox+security"_ and you'll avoid that evil crap like the plague.


----------



## wolffnx (Mar 11, 2021)

Mjölnir said:


> Which pills are you taking?  One web search on _"firefox+security"_ and you'll avoid that evil crap like the plague.


are you serious? you like the interface?


----------



## Mjölnir (Mar 11, 2021)

No no no. It's not about the interface.  That's quite modern & good BTW.  It's about the engine & it's security open doors; add "+history" to the search.  Just use any other browser than (firefox|chrome), and everything's all right.


----------



## Snurg (Mar 12, 2021)

Jose said:


> So Chrome will send the contents of every Web page you visit, including your email inbox to some translation engine in its cloud if you have certain options set. I don't use Chrome so I can't verify this.


What about Chromium?
Does it do that, too?


----------



## wolffnx (Mar 12, 2021)

Mjölnir said:


> No no no. It's not about the interface.  That's quite modern & good BTW.  It's about the engine & it's security open doors; add "+history" to the search.  Just use any other browser than (firefox|chrome), and everything's all right.


 you scare me  , I dont know is any human like that interface


----------



## wolffnx (Mar 12, 2021)

Snurg said:


> What about Chromium?
> Does it do that, too?


iridium was in the ports and packages but not anymore, btw , at the end was become slower and slower compared to chromium
and I think that they send information just like chrome


----------



## Jose (Mar 12, 2021)

Snurg said:


> What about Chromium?
> Does it do that, too?


I don't use Chromium either, sorry. I use Firefox.


----------



## Snurg (Mar 12, 2021)

Jose said:


> I don't use Chromium either, sorry. I use Firefox.


Just curiously wanted to know about the behavior of Chromium, whether this code has been removed which sends Google what you read.

Other things I don't understand is, why people don't deactivate that browser warning about malicious sites.
This sends your page requests to another (unknown) server, and waits until that site gave its OK for you to see that site.
Apparently a lucrative business model of browser and antivirus manufacturers, who try to grab a portion of the privacy sale market from the usual bad guys.

Or DoH.
There are already some DNS providers in the boat, skimming the browsing data.
I wonder how many $$$ Mozilla Foundation cashed in for this "feature".
Luckily in the FreeBSD port DoH is deactivated by default.


----------



## Jose (Mar 12, 2021)

I couldn't believe the DOH thing when it came out... Reminded me of the Verisign Site Finder thing





						Site Finder - Wikipedia
					






					en.wikipedia.org
				




I guess there are a lot of people drooling over how that juicy DNS data could be used to monetize advertising.


----------



## Snurg (Mar 12, 2021)

Jose said:


> Reminded me of the Verisign Site Finder thing


What bewilders me most that these <politely censored> are still in business, being "trusted" as .com TLD chieftains.
That their "license" hadn't been revoked by the ICANN shows the decline of ethics.


----------



## avgijbsd (Mar 16, 2021)

wolffnx said:


> iridium was in the ports and packages but not anymore, btw , at the end was become slower and slower compared to chromium
> and I think that they send information just like chrome


What about Brave browser? I'm using it for a long time with DDG search engine.


----------



## Snurg (Mar 16, 2021)

avgijbsd said:


> What about Brave browser?


They have interesting approaches and apparently actually care about what is done with the users' data.
When I got time to play with the Linuxulator, I'll try installing Brave and Vivaldi, too.

Regarding sending information, one has to remember that all that "protection" against malicious sites etc only can work by calling home at the browser company or its affiliates and telling them what you are going to visit. Basically this is worse than any DoH imho.


----------



## wolffnx (Mar 16, 2021)

Snurg said:


> They have interesting approaches and apparently actually care about what is done with the users' data.
> When I got time to play with the Linuxulator, I'll try installing Brave and Vivaldi, too.
> 
> Regarding sending information, one has to remember that all that "protection" against malicious sites etc only can work by calling home at the browser company or its affiliates and telling them what you are going to visit. Basically this is worse than any DoH imho.


I see it but not call my atencion,maybe in future
for the desktop I use falkon
and in my cell phone (yeah yeah..I complain before  I know it)
a firewall and firefox with sync,
I look the "master password" option im firefox but not apear
I read that when using firefox sync the passwords travels encrypted side to side

and the mayority of keyboards in playstore call to the outside sending data,
thanks god for the firewalls

sorry the answer was for avgijbsd


----------



## Deleted member 30996 (Mar 18, 2021)

Mjölnir said:


> Which pills are you taking?  One web search on _"firefox+security"_ and you'll avoid that evil crap like the plague.


I did as you suggested and searched google for _firefox+security+history._

I didn't see anything that concerned me. Exactly what do you see that will convince me to "avoid it like the Plague"?

I disable JavaScript globally and enable it on a site-by-site basis with the NoScript browser extension as I browse. I'm very familiar with the process and can tell by looking at a list of scripts which ones need enabled for minimal functionality and the site still work.

I use the Firefox extensions HTTPS Everywhere, uBlock Origin, Privacy Badger, Toggle Referrer, User-Agent Switcher and Shodan.io.

I delve into about:config and set things right in there, including to enable it to show punycode.

I opened www/firefox-esr last night and watched it sit there inactive several minutes while running `pftop` and amazonaws was the only thing that didn't time out, but I never see any ads.


----------

