Badness Enumeration

Badness enumeration is the concept of making a list of known bad actors and attempting to block them. While it seems intuitive at first glance, badness enumeration should not be relied upon for privacy or security. In many cases, it actually does the exact opposite and directly harms the user. This post will attempt to explain why badness enumeration as a concept is flawed and give some examples of its failings in practice....

July 27, 2022 · 5 min · 1011 words · Tommy
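The post’s central claim, that a list of known-bad things cannot keep up with inputs nobody thought to list, as an added example that is not from the post or this site: a blocklist HTML filter of the kind found in many web applications, three constructed inputs that each slip past it in a different way, and an allowlist filter built on Python’s standard `html.parser` that emits only what it positively knows to be safe. The tag sets, the attribute rules and every sample input below are constructed for illustration.

```python
"""Blocklist ("badness enumeration") vs allowlist input filtering.

Added example, not from the original post. All tag sets and sample
inputs below are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# --- Blocklist approach: strip the tags we happen to know are dangerous.
BLOCKED_TAGS = ("script", "iframe", "object")


def blocklist_sanitize(markup: str) -> str:
    """Remove the literal <tag> / </tag> strings for each known-bad tag."""
    for tag in BLOCKED_TAGS:
        markup = markup.replace(f"<{tag}>", "").replace(f"</{tag}>", "")
    return markup


# Constructed inputs; each defeats the blocklist in a different way.
BYPASSES = {
    # 1. Case: the filter only knows the lower-case spelling.
    "case": "<SCRIPT>alert(1)</SCRIPT>",
    # 2. Nesting: removing the inner <script> reassembles the outer one.
    "nesting": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    # 3. Omission: an event handler on a tag nobody thought to list.
    "handler": "<img src=x onerror=alert(1)>",
}


def blocklist_survivors() -> dict:
    """Return the bypass inputs that still carry active content after filtering."""
    survivors = {}
    for name, payload in BYPASSES.items():
        filtered = blocklist_sanitize(payload)
        if "<script" in filtered.lower() or "onerror" in filtered.lower():
            survivors[name] = filtered
    return survivors


# --- Allowlist approach: emit only tags and attributes known to be safe.
# Anything else, including things that do not exist yet, is dropped.
ALLOWED = {
    "p": set(), "b": set(), "i": set(), "ul": set(), "li": set(),
    "a": {"href"},
}
RAW_TEXT_TAGS = {"script", "style"}  # their body is code, not text: drop it


def _safe_href(value: str) -> bool:
    """Absolute http(s) URLs or same-origin paths only; no javascript:, data:, //host."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return True
    return v.startswith("/") and not v.startswith("//")


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self._raw = None  # raw-text element we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw = tag
        if tag not in ALLOWED:
            return  # unknown tag is dropped; its text content is kept, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.parts.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._raw:
            self._raw = None
        if tag in ALLOWED:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        if self._raw is None:
            self.parts.append(html.escape(data))


def allowlist_sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts)
```

The difference that matters is what happens to the input nobody anticipated: the blocklist passes it through untouched, while the allowlist drops it, because the allowlist never had to know it was bad. Adding `SCRIPT`, `img` and `onerror` to `BLOCKED_TAGS` would only move the problem to the next spelling, tag or attribute.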

Commercial VPN Use Cases

A Virtual Private Network (VPN) is a way of creating a protected and private network over the open Internet. It was originally designed to provide remote access to an internal corporate network. However, in recent years it has also been used by commercial VPN companies to hide their clients’ real IP addresses from third-party websites and services. Should I use a VPN? Yes, unless you are already using Tor. A VPN does two things: it shifts the risks from your Internet Service Provider to itself, and it hides your IP address from a third-party service....

July 19, 2022 · 5 min · 896 words · Tommy

FLOSS Security

While source code is critical for user autonomy, it isn’t required to evaluate software security or understand run-time behavior. One of the biggest parts of the Free and Open Source Software definitions is the freedom to study a program and modify it; in other words, access to editable source code. I agree that such access is essential; however, far too many people support source availability for the wrong reasons. One such reason is that source code is necessary to have any degree of transparency into how a piece of software operates, and is therefore necessary to determine if it is at all secure or trustworthy....

February 2, 2022 · 20 min · 4160 words · Rohan Kumar

Multi-factor Authentication

Multi-factor authentication is a security mechanism that requires additional verification beyond your username (or email) and password. This usually comes in the form of a one-time passcode, a push notification, or plugging in and tapping a hardware security key. Common protocols: Email and SMS MFA. Email and SMS MFA are examples of the weaker MFA protocols. Email MFA is not great, as whoever controls your email account can typically both reset your password and receive your MFA verification....

July 16, 2022 · 6 min · 1219 words · Tommy
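How the “one-time passcode” mentioned above is actually derived and checked, as an added example that is not from the post or this site. The post does not name an algorithm; TOTP (RFC 6238, built on RFC 4226 HOTP) is assumed here because it is what authenticator apps implement. The shared secret `12345678901234567890` is the RFC 6238 test-vector secret, used so the output can be checked against the RFC.

```python
"""TOTP one-time passcode derivation and verification (RFC 6238 / RFC 4226).

Added example, not from the original post. TOTP is assumed as the
passcode algorithm; the post does not specify one.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals since epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side (clock drift).

    Every candidate is compared with hmac.compare_digest so that a wrong
    digit does not leak through timing, and the loop always runs to the end.
    """
    ok = False
    for window in range(-skew, skew + 1):
        candidate = totp(secret, unix_time + window * step, step, len(code))
        ok |= hmac.compare_digest(candidate, code)
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print(totp(secret, 59, digits=8))  # RFC 6238 vector: 94287082
```

The code is a function of the shared secret and the clock only, so a verifier needs nothing but the secret it enrolled and a clock within a window or two of the client’s. Note the `skew` parameter: it is the sole tolerance for drift, and widening it directly widens the set of codes an attacker may guess.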

PrivacyTools.io

PrivacyTools.io is a fairly popular website recommending software and providers to the privacy community. However, the website lacks any sort of quality control, recommending many products that lack technical merit or have severe vulnerabilities, ultimately harming user privacy. This post will go over a non-exhaustive list of bad recommendations from PrivacyTools.io. Web Browsers: DuckDuckGo. The DuckDuckGo Browser on Android is a WebView-based browser. It does not support Site Isolation, in contrast with standalone or Trichrome browsers, which support this feature and come preinstalled out of the box with most Android-based operating systems....

July 28, 2022 · 6 min · 1107 words · Tommy

Threat Modeling

The first task a person should do when taking steps to protect their privacy and security is to make a threat model. Defining a threat: To make a threat model, we must first define a threat. A common mistake made by people who are just getting into the privacy space is to define the threat as “big-tech companies.” There is a fundamental problem with this definition: why do we not trust “big-tech companies,” yet shift our trust to “small-tech companies”?...

July 18, 2022 · 9 min · 1916 words · Tommy