# Google and privacy, share my case



## wolffnx (Feb 28, 2021)

Ok, when the talk is about Google and privacy, everybody knows the answers and has more or less the same opinion,
but today I want to share what happened to me yesterday and you guys judge for yourselves
(I use the translator from Google to change from Spanish to English).

On Sunday, a mail from the Google app arrived on my Android phone.

The subject was "*Take steps to protect your compromised passwords*".
I said, ok, this is normal, it comes to me from time to time.

I opened it, and the principal header is "*Change your compromised passwords*"
and below:


Spoiler: body

> Google has found some of your passwords on the Internet. Anyone who finds them can access your accounts.
> Your Google account is still safe. This leak has occurred elsewhere on the web. Now you can protect saved passwords with the password manager.



The word "compromised" from the beginning sounds bad, so I went to the "*check security*" button.
The first problem says "*your saved passwords*" and below:


Spoiler: body

> Some of your passwords have been exposed in a non-Google data security breach. You must change them immediately. Recently made password changes may take a while to appear here.



and went to the "*password check*" link.

The first tab says "*2 broken passwords*"
with 2 items:
1 http site (tplinkwifi.net) used when I configured a wifi repeater from Chrome on the phone,
and the other one was a dating app (closed some months ago).

The second tab says "*there are 4 passwords reused*"

with 2 dating apps, closed months ago too,
1 app ("Gimme Metal: Free Metal Music", I listen to Mustaine podcasts),
and the other one was 1 web site, freebsd.org (now I changed the password of course).


And that is all. Now, I try to link the relation between the gmail, the apps and the passwords saved in Chrome on my phone,
and I come to one answer: little by little replace the gmail accounts with, for example, yandex or protonmail,
and disappear from the Google world!!!!
This shows me that Google reads the passwords from my phone (this time "to protect me"), but wtf???
I don't want to think about my encrypted notepad app where I save all my passwords, old and new,
when I connect through ssh to my servers from the app on my phone.


----------



## a6h (Mar 1, 2021)

*Option I: Common Sense*

#! By now, I think it's obvious we shouldn't hand over our life to BigTech -- at least it's obvious for some of us, and that's a lot, and enough.
0. Dump the Googly eyes, as I did.
1. GOTO 0

*Option II: Go Full Bunker*

* Disable browser password managers.
* Wipe out all web-based password manager data (Google, etc.).
* Don't use browser built-in sign-in facilities, i.e. Chromium to Google and/or Firefox to Mozilla, etc.

* Use an offline password manager, e.g. security/keepass.
* Use a 32-64 character password. E.g. this: "_GLMEZVVQPNCRBUNBAUJISZEXLOJGLSGA_" is better than this: "_Gr(kt$97t,lo_A_".
* If you want to back up your password manager DB on web storage, _AES-128_ it first!

* Disable "_Deceptive Content and Dangerous Software Protection_" in Firefox. It sends your data to Google.
* If you want to use a Google service, don't log in -- if it's possible, e.g. YouTube.
* Don't use "save preferences/settings on web" on your phone and/or desktop.

*Option III: Heuristics matter*

* These companies have no respect for nation states, e.g. Australia vs. Facebook. To them, you and I are just dudes!
* First encrypt, then send on the web-storage.
* Easiness is a red-flag.

*Footnote*
All of my arguments are based on heuristics. Every single one of them can be and will be rejected by at least one or more counterarguments.
I won't dismiss potential objections, e.g. yes, passwords in Firefox are encrypted. But despite all of that, I'm sticking to my guns on these issues.


----------



## richardtoohey2 (Mar 1, 2021)

Don't use a cellphone.  Don't use any online services.  Watch out for CCTVs.  And drones.  And spy satellites.


----------



## Snurg (Mar 1, 2021)

There are modded Android versions.
Some of them claim to reduce Google eavesdropping.
It is a little bit of work but it pays off to root the cellphone.

I block all trackers etc on DNS level.
Already months ago I blocked facebook.com and all subdomains.
I am using alternative search engines, only resorting to Google if I don't get good results for a particular query.

Dropping the googlemail account is the most difficult to do.
I plan to move to Protonmail, leaving Gmail only for spam, mailing lists etc.


----------



## richardtoohey2 (Mar 1, 2021)

Snurg said:


> It is a little bit of work but it pays off to root the cellphone.


In some legislations the cellphone companies are legally obliged to keep track of your cellphone movements/usage for 6 months e.g. in the UK:

EE, Vodafone and Three give police mobile call records at click of a mouse
Three of UK’s big four mobile phone networks are providing customer data to police forces automatically through Ripa
www.theguardian.com

Article actually says a year, so looks like I was wrong there.

Lots of CCTV usage around the world, including facial recognition, including in "benign" countries.

I understand the concerns but privacy these days is very near impossible.  Doesn't mean you don't have to try, but realistically if you are using a cellphone you are being tracked.


----------



## Snurg (Mar 1, 2021)

Yes this is true, but imho there is a big difference between state-mandated tracking and tracking by Google, Apple, FB, Twitter etc.
It is unlikely that this data is going to be sold freely or passed through to foreign services (at least not directly).
The bigger you make the information gaps, the better for you.


----------



## richardtoohey2 (Mar 1, 2021)

Snurg said:


> The bigger you make the information gaps, the better for you.


Oh, I don't know, it probably marks you out as trying to hide, and therefore being of interest and more of a challenge!   

I try and make so much noise that it will be too much for them to scan/read, but then it's probably all "AI" these days anyway.

Try to avoid FB but they track you even if not a member on there (and helpful family members have tagged me in photos anyway), and have WhatsApp so got sucked in anyway.


----------



## Snurg (Mar 1, 2021)

I have let my Whatsapp account expire gracefully.
Regarding Telegram, I find it just interesting to remember the Russian government's threats a while ago and to see RT.com advertising a lot for Telegram for a few months now. Anyway, for my part, I'd trust the FSB more in keeping my privacy than any of the big US tech corporations.


----------



## mickey (Mar 1, 2021)

richardtoohey2 said:


> Don't use a cellphone.  Don't use any online services.  Watch out for CCTVs.  And drones.  And spy satellites.


Always wear a tinfoil hat


----------



## VladiBG (Mar 1, 2021)

Always check the headers of such emails to verify the actual sender.  Use two factor authentication.  Google doesn't store your actual password, only the password hash is stored, which is hard to reverse back to a string.


----------



## wolffnx (Mar 1, 2021)

richardtoohey2 said:


> Don't use a cellphone.  Don't use any online services.  Watch out for CCTVs.  And drones.  And spy satellites.


Don't! They are too insecure, instead I build one of these

Red 2, Marvin's untraceable cell phone


----------



## wolffnx (Mar 1, 2021)

VladiBG said:


> Always check the headers of such emails to verify the actual sender.  Use two factor authentication.  *Google doesn't store your actual password, only the password hash is stored, which is hard to reverse back to a string.*


Good to know that, thanks.
Yes, two factor authentication always (except for this forum, but now it is enabled),
and yes again, before anything I check the headers and the links.


----------



## wolffnx (Mar 1, 2021)

Snurg said:


> There are modded Android versions.
> Some of them claim to reduce Google eavesdropping.
> It is a little bit of work but it pays off to root the cellphone.
> 
> ...



I have always rooted my phones, from the Motorola 1200 until today; I am still waiting for the warranty to expire to root the current one.

> I block all trackers etc on DNS level.
> Already months ago I blocked facebook.com and all subdomains.

Me too, and you get rid of some ads (I blocked these things at my work from bind to a blackhole).

And yes, it is hard to drop googlemail because it is so integrated into the lives of users and that has become normal to all:
sharing Google drives, work sheets, etc.


----------



## drhowarddrfine (Mar 1, 2021)

Why is it bad that Google informs you that you have compromised passwords floating around the internet?


----------



## ShelLuser (Mar 1, 2021)

This is why it is time to challenge modern technology and instead rely on the ancient wisdom of the spiritual leaders from long ago.

I already started by setting up some huge freedom fires which I'm using to create smoke signals so that my ISP can interpret those and work as a proxy to send those e-mails for me. But unfortunately you will always have the trouble of non-believers, they just don't understand the importance..  It took me _a lot_ of effort to even get on the roof of my apartment building, let alone setting up those fires and how do they thank me? Yeah, some nitpicker told me I was "endangering other tenants", I was "a danger to the environment because of mass polluting" and on top of that I was treated as some kind of criminal because they told me I wasn't supposed to be up there. But how else are you going to send smoke signals if not from a high area?

Those naysayers even try to silence and oppress me and fined me, hoping that I will pay. Yah right.

I'll show them!  In the meantime I bought myself 2 carrier pigeons and wrote a message. I just released them outside and with a little luck one of them will find their way to my lawyer's firm after which they'll show those dictators who's boss. The odds are obviously in my favor because I got smart and got _two_ pigeons, as I mentioned, so there's a 50% chance that they'll succeed.

Now let's see who will have the last laugh!

There, time to take off this tinfoil hat and start grinding some Java beans to make myself a coffee.....

</vent>

(don't mind me...  I don't know what came over me )


----------



## wolffnx (Mar 1, 2021)

drhowarddrfine said:


> Why is it bad that Google informs you that you have compromised passwords floating around the internet?


Because I never gave them to them to be managed, and it is supposed that nobody can read your personal passwords without your
consent (some of the big companies do it of course, but never tell you in the face).
It is the ultimate invasion of privacy (besides, if I use 1234 or whatever as a password and some guy hacks my account...).
The next will be "hey, in the ssh app you typed a weak password for firewall number 3".


----------



## Mjölnir (Mar 1, 2021)

Snurg said:


> Yes this is true, but imho there is a big difference between state-mandated tracking and tracking by Google, Apple, FB, Twitter etc.
> It is unlikely that this data is going to be sold freely or passed through to foreign services (at least not directly).
> The bigger you make the information gaps, the better for you.


Ha ha ha.  Take e.g. the recent scandal about this Swiss encryption box sold for top level governmental use (embassies).  And it has been leaked several times that the German secret services are even more the CIA & NSA's lapdog than the UK's or Australia & NZ's.  If they're the 51st state of the USA (live@TV show), then what is my country?  Ditto with the Pacific region; keyword: _five eyes_.


----------



## aragats (Mar 12, 2021)

VladiBG said:


> Google doesn't store your actual password, only the password hash is stored, which is hard to reverse back to a string


Before, I thought that's true, but now that I got the same email as the OP, I'm doubting: how does Google know that the compromised password is the same password if it doesn't store strings?


----------



## obsigna (Mar 12, 2021)

aragats said:


> Before, I thought that's true, but now that I got the same email as the OP, I'm doubting: how does Google know that the compromised password is the same password if it doesn't store strings?


If the hash of your password, which is stored on their system, appears in one of the lists of compromised password hashes, or can be generated from one pw of a list of compromised clear text passwords, then it is not a far stretch to assume that the actual password is compromised, even without knowing the actual clear string.

PS: In this respect a compromised password does not mean that one of your accounts is compromised. It could well be that somebody else used the same password and it was revealed by one of the many data breaches in the past. These breached passwords amount to many hundreds of thousands, and you can be sure that criminals use these listed ones before any arbitrary pw's in their hacking efforts. So it is exactly a good idea to change the password.

For example see: https://haveibeenpwned.com/Passwords


----------



## aragats (Mar 12, 2021)

obsigna said:


> If the hash of your password which is stored on their system appears in one of the lists of compromised password hashes


I understand that, but isn't it very unlikely that namely the compromised password used the same hash mechanism that Google does?


----------



## shkhln (Mar 12, 2021)

aragats said:


> Before, I thought that's true, but now that I got the same email as the OP, I'm doubting: how does Google know that the compromised password is the same password if it doesn't store strings?


They can check it on login (in addition to the usual comparison with the hash). Don't forget that you always send them your password in plaintext. The point of hashing stored passwords is preventing entities other than Google from acquiring them. There's no way to hide passwords from Google itself.


----------



## shkhln (Mar 12, 2021)

obsigna said:


> If the hash of your password which is stored on their system appears in one of the lists of compromised password hashes


That won't work with individual salts.


----------
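The three detection paths argued over in the posts above (obsigna's re-hashing of a leaked clear-text list with the user's salt, shkhln's objection that a leaked hash list cannot match per-user salted hashes, and checking the clear text at login time), as an added example in Python; it is not code from the thread or anything Google publishes about its own method, and the breach lists, salts and KDF parameters are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed toy breach corpus: clear-text passwords dumped from some *other* site.
LEAKED_CLEARTEXT = ["123456", "password", "letmein", "hunter2"]
# The same corpus in its common "hash list" form: unsalted SHA-1, upper-case hex.
LEAKED_UNSALTED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED_CLEARTEXT}
KDF_ITERATIONS = 100_000  # constructed parameter; a real service tunes this to its hardware


def store_password(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a password the way the thread recommends: per-user random salt plus a slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], password: str) -> bool:
    """Normal login check: re-derive with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def matches_leaked_hash_list(record: Dict[str, bytes]) -> bool:
    """shkhln's objection: a leaked unsalted hash can never equal a per-user salted hash,
    so comparing stored hashes against a leaked hash list finds nothing, even for 'hunter2'."""
    return record["hash"].hex().upper() in LEAKED_UNSALTED_SHA1


def matches_leaked_cleartext(record: Dict[str, bytes]) -> bool:
    """obsigna's and Snurg's point: given the user's salt, re-hash every leaked clear-text
    password and compare. Works without the service knowing the current password,
    at the cost of one KDF run per leaked candidate per user."""
    return any(verify(record, leaked) for leaked in LEAKED_CLEARTEXT)


def compromised_at_login(password: str) -> bool:
    """shkhln's other point: at login the service holds the clear text, so it can hash it and
    look it up. Shown HIBP-style: SHA-1, queried by the first 5 hex chars so only that
    prefix would leave the service and the suffix comparison happens locally (k-anonymity)."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    # Stand-in for the network range query: all leaked suffixes sharing this prefix.
    range_response = {h[5:] for h in LEAKED_UNSALTED_SHA1 if h.startswith(prefix)}
    return suffix in range_response
```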



## obsigna (Mar 12, 2021)

aragats said:


> I understand that, but isn't it very unlikely that namely the compromised password used the same hash mechanism that Google does?


Read the first line of the page which I gave a link to:


> Pwned Passwords
> Pwned Passwords are 613,584,246 real world passwords previously exposed in data breaches.


Then enter your password there and tell us the result. Here they explain how it works, and for sure, Google does something alike.


----------



## obsigna (Mar 12, 2021)

shkhln said:


> That won't work with individual salts.


You are presuming a lot, which doesn’t mean that you actually know that Google uses individual salts which are unknown to Google.


----------



## shkhln (Mar 12, 2021)

obsigna said:


> Then enter your password


…and it's immediately pwned.



obsigna said:


> You are presuming a lot, which doesn’t mean that you actually know they use individual salts which are unknown to Google.


----------



## obsigna (Mar 12, 2021)

shkhln said:


> …and it's immediately pwned.


This site got many high profile recommendations. Anyhow, I won’t discuss this any further, because we are on the terrain of believing. „Who wants to believe goes to the church, who wants to know does research.“ I am a liberal, and I let you believe anything you want, as long as you don’t force me to believe the same.


----------



## Mjölnir (Mar 12, 2021)

I don't need to do much research to know that when I type in a password on a website, they're able to read my password... because I send it.


----------



## Sevendogsbsd (Mar 12, 2021)

I have to comment on the OPs situation: the email was clearly a phishing attempt. Google and privacy notwithstanding, never ever use links in email, unless it is something you JUST generated and expect, like a password reset link. Only use emails as a notification system. A certain amount of trust has to be in play to use any web site that requires a password because yes, they see it when it is submitted, until it is hashed (hopefully) and stored. To be clearer, the SYSTEM sees it.


----------



## aragats (Mar 12, 2021)

Mjölnir said:


> I don't need to do much research to know that when I type in a password on a website, they're able to read my password... because I send it.


Moreover, they can calculate and store all possible hashes of it to threaten me later ;-)


----------



## Sevendogsbsd (Mar 12, 2021)

I also need to add that password reset phishing attempts are becoming more prevalent so just be aware.


----------



## Snurg (Mar 12, 2021)

aragats said:


> Moreover, they can calculate and store all possible hashes of it to threaten me later ;-)


I have no real knowledge about encryption etc.
But if passwords are published in clear text, I guess Google can easily find out whether they match their customers' one.
What should they do then? Not warn their affected users?


----------



## Sevendogsbsd (Mar 12, 2021)

aragats said:


> Moreover, they can calculate and store all possible hashes of it to threaten me later ;-)


Which is why salted hashes are so important. Besides, they go great with beer


----------



## Sevendogsbsd (Mar 12, 2021)

Snurg said:


> I have no real knowledge about encryption etc.
> But if passwords are published in clear text, I guess Google can easily find out whether they match their customers' one.
> What should they do then? Not warn their affected users?


Passwords should never be in clear text, ever, except at the point of submission and probably during transport to a web server. They should be hashed and salted so the hashes are unique.


----------



## aragats (Mar 12, 2021)

Snurg said:


> Google can easily find out whether they match their customers' one


That's the point: why does Google store my password in clear text to compare with compromised ones?


----------



## Sevendogsbsd (Mar 12, 2021)

aragats said:


> That's the point: why does Google store my password in clear text to compare with compromised ones?


Passwords should NEVER be stored in clear text and also should never be encrypted, they should be hashed and salted at the time of the hash. They are comparing hashes of known compromised passwords. I still maintain that the email OP received was a phishing attempt and was not real.


----------



## aragats (Mar 12, 2021)

Sevendogsbsd said:


> still maintain that the email OP received was a phishing attempt and was not real


No, it's real. I got the same. Many people reported that. It's rather a "phishing attempt" from Google itself. They want you to open your account and confirm/change your info.


----------



## Sevendogsbsd (Mar 12, 2021)

Still should only use the email as a notification and not click any links in any email.


----------



## Snurg (Mar 12, 2021)

Sorry for expressing myself not clearly.

I didn't imply that Google stores passwords in cleartext.
I don't know how they store them, so I have to consider all possibilities.
For example, Facebook did (does?) store them in cleartext.

In lack of details I think it is perfectly plausible to assume that Google just could have verified that the passwords published in clear text match the stored Google accounts' password hashes when hashed with Google's particular hash method. This would be sufficient to check whether a customer's account password is compromised.

And it is known that Google does email its customers to warn them.
A few years ago there was a big password leak, it was high profile news in mass media, and Google said they would warn their gmail customers. I got a corresponding email, verified it, it was completely legit. But nevertheless, I did not use the link in the email (even though it was some .google.com) to change my password anyway.


----------



## Sevendogsbsd (Mar 12, 2021)

Any responsible entity that stores passwords should never store them in clear text. This is a great article about password storage: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html and a bit dated but still good advice: https://nakedsecurity.sophos.com/20...ity-how-to-store-your-users-passwords-safely/


----------



## wolffnx (Mar 12, 2021)

Sevendogsbsd said:


> I have to comment on the OPs situation: the email was clearly a phishing attempt. Google and privacy notwithstanding, never ever use links in email, unless it is something you JUST generated and expect, like a password reset link. Only use emails as a notification system. A certain amount of trust has to be in play to use any web site that requires a password because yes, they see it when it is submitted, until it is hashed (hopefully) and stored. To be clearer, the SYSTEM sees it.


I don't think so. First of all, I double-checked the links and the headers of the mail,
and second, you think that the engine of gmail won't detect a phishing attempt from their own server against their servers?


----------



## Sevendogsbsd (Mar 12, 2021)

I am a web app penetration tester and look at everything from that perspective. Google wouldn't host the servers participating in a phishing attempt. I was merely stating that emails with links asking you to change your password or check your existing passwords are a huge red flag.


----------



## wolffnx (Mar 12, 2021)

Sevendogsbsd said:


> I am a web app penetration tester and look at everything from that perspective. Google wouldn't host the servers participating in a phishing attempt. I was merely stating that emails with links *asking you to change your password or check your existing passwords are a huge red flag*.


Agreed, but whether they host the servers or not, if they don't detect a false sender with a false address passing as gmail... that is a red flag (that is not the case here, this case is real), believe me.


----------

