Surveillance Report


Q&A: Is F-Droid Safe?

Q&A214: Is F-Droid safe to use? Is using a custom DNS with a VPN a good idea? Can lawyers be helpful in your privacy journey?

Welcome to the Surveillance Report Q&A - featuring Techlore & The New Oil answering your questions about privacy and security.

Video Version: https://youtu.be/yda8l6DLxYo

(00:00) Introduction

(00:17) Is F-Droid Safe?

(06:12) Custom DNS + VPNs

(11:29) Lawyers & Privacy

---

🙋 Go ahead and leave some questions below for us to look at for SR211 this weekend! (Note: We record on Friday nights in the US, so it's highly recommended to leave all questions by noon on Friday in the US) 

It can be about a specific story, a general question about privacy/security, a question about the world, a question you tried last week, or anything else. Due to time constraints we can't promise that we'll get to yours, but we appreciate all of them!

To receive these posts via RSS, get your own custom link using these instructions.



Comments

Thought you might find this funny (or sad) to read on the show, but I was alerted just recently of the Change Healthcare breach and my data being affected a year later today. This shows the importance of the show and keeping up with the latest information because companies sure won't inform you.

Ken

I'm throwing some curveballs into the Q&A for a bit of fun haha Q1. If you were a cryptid - What kind of cryptid would you be? Q2. What do you think about the simulation hypothesis?

Brandon

How do you guys (as more advanced users) approach deciding the optimal password strength across various use cases? The typical password advice appears to be aimed at people new to cybersecurity awareness: (1) do not reuse passwords for different sites, (2) use a password manager, (3) do not use guessable passwords like "123456", "password", "letmein", keyboard patterns like "1q2w3e4r5t", or personal information like your child's name or "maga2020!" (the latter per Darknet Diaries), (4) use long passwords that include uppercase, lowercase, numbers and special characters. However, there seem to be a number of other factors to consider besides password strength against pure brute-force cracks or checks against rainbow tables, HIBP-type sets, or dictionary words plus common character $ub$titution$ and some OSINT/"spear" guesses where applicable. In addition, being fixated on having the strongest possible password from an absolute cryptographic standpoint may result in misdirected effort in some cases. Here are a few factors against conventional advice:

(1) Pure password strength beyond the basics may not be super relevant when logging in to an online account that throttles the number of login attempts (and if it doesn't do that, maybe it's not a service you ought to be using, because that likely means more security holes you can't see). (2) The same would seem to apply to the password for unlocking a smartphone. In particular, there was research that machine learning can reliably guess a numerical PIN entry from footage of a person entering it, and since a phone throttles login attempts, using even a cryptographically somewhat weak password with letters, numbers and punctuation may be superior to a 16-digit PIN. (3) Having an analogue of "network segmentation", where individual apps require their own password to access them (with a limit on brute-forcing attempts), seems more important than the strongest possible unlock password, so that if someone bypasses it, that will still restrict their horizontal movement on your phone. (4) Keyloggers/infostealers/phishing make password strength rather irrelevant (see the recent addition of stealer log data to HIBP); so having 2FA may be far more bang for your buck than a 24- instead of 14-character password. (5) Passphrases are often recommended as a better alternative to passwords, but once you get decent at remembering and typing gibberish, typing out passphrases of equivalent entropy to shorter random passwords gets rather tedious. What do you think about these points?

A brief question for Nate: do you know of a good resource for suggested workflows on how to accomplish common tasks efficiently on Qubes that do not needlessly nullify the protections that Qubes offers for the sake of convenience? "Switched to Linux" has Qubes tutorials, but they mostly focus on setting up and maintaining the OS, not on doing daily tasks that people buy computers for: generating new content, storing relevant data, working on it with multiple applications, pulling some data from the web and uploading other data from the web, communicating with others, etc.

David Johnson
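The comment above makes two quantitative points: that a throttled login (point 1 and point 2) changes how much raw entropy matters, and that a passphrase needs many more characters than a random password of equal entropy (point 5). The following added example is not from the show or the commenter; it puts numbers on both claims. The alphabet size (94 printable ASCII symbols), the word-list size (7776, a diceware-style list), and the two guess rates (an online service throttled to about one guess per second versus an offline attack on a leaked hash at ten billion guesses per second) are all constructed assumptions chosen for illustration.

```python
import math

# Constructed assumptions for the comparison; none of these figures come from the page.
PRINTABLE_ASCII = 94      # letters, digits and punctuation typeable on a US keyboard
DICEWARE_WORDS = 7776     # 6^5 entries, the size of a standard diceware-style list
DIGITS = 10
SECONDS_PER_YEAR = 31_557_600


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random string of `length` symbols from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Entropy of `word_count` words drawn uniformly (with replacement) from the list."""
    return word_count * math.log2(wordlist_size)


def words_for_bits(target_bits, wordlist_size=DICEWARE_WORDS):
    """Fewest random words needed to reach at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a secret with `bits` of entropy: on average half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def scenarios():
    """Compare the same secrets against a throttled online login and an offline hash attack."""
    online_rate = 1.0      # assumption: lockout/backoff holds the attacker to ~1 guess per second
    offline_rate = 1e10    # assumption: GPU cracking of a leaked, weakly hashed password
    secrets = {
        "6-digit PIN": random_password_bits(6, DIGITS),
        "14-char random": random_password_bits(14),
        "24-char random": random_password_bits(24),
        "8-word passphrase": passphrase_bits(8),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "online_years": expected_crack_seconds(bits, online_rate) / SECONDS_PER_YEAR,
            "offline_years": expected_crack_seconds(bits, offline_rate) / SECONDS_PER_YEAR,
        }
        for name, bits in secrets.items()
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name:18s} {r['bits']:6.1f} bits   online ~{r['online_years']:.3g} y"
              f"   offline ~{r['offline_years']:.3g} y")
    # How many diceware words it takes to match a 14-character random password.
    print("words matching a 14-char random password:",
          words_for_bits(random_password_bits(14)))
```

Under these assumptions a 6-digit PIN survives only days against a throttled login and is instant offline, while a 14-character random password is already out of reach offline, which is the commenter's point that the extra 10 characters buy little compared with 2FA against stealer logs. The same 14-character password needs 8 random words to match, roughly three times as many keystrokes, which is the tedium described in point (5).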

