Surveillance Report

Q&A: The Best Browser Extensions

Q&A193: What are our recommendations for content-blockers and browser extensions? Why do people accept the lie of "anonymized" telemetry? Do we have any experience with privacy.com cards being blocked?

Video Version: https://youtu.be/1PCmeG79ITs

00:00 Introduction

00:24 Content Blockers & Browser Extensions

04:49 The Myth of Anonymized Data

08:38 Issues Using Privacy.com

---

🙋 Go ahead and leave some questions below for us to look at for SR194 this weekend! (Note: We record on Friday nights in the US, so it's highly recommended to leave all questions by noon on Friday in the US) 

It can be about a specific story, a general question about privacy/security, a question about the world, a question you tried last week, or anything else. Due to time constraints we can't promise that we'll get to yours, but we appreciate all of them!

To receive these posts via RSS, get your own custom link using these instructions.

Comments

What are your favorite options for real-time file-syncing options similar to OneDrive/iCloud/GoogleDrive/Dropbox/Box but ones that respect user privacy, and where only the user holds the keys, and that are compatible with a wide range of operating systems / platforms?

One class of approaches might be Cryptomator/Boxcryptor, which are an improvement over direct usage of "big tech" clouds. However, that approach still requires the use of underlying platforms of data-hungry companies that do not prioritise privacy of their users, and it does not stop the collection of usage metadata and "traffic analysis".

Another class of approaches would be ones more on the DIY side, such as Synology or NextCloud. However, that makes it necessary to ensure that (a) all the configuration options have been gone through, understood, and configured securely and (b) all the security patches are applied ASAP, which takes extra time to both learn and implement, and is difficult for people who are not already doing this type of work for an employer as their main paid occupation.

Finally, there are options from privacy-first companies, but they tend to be limited in platform support. E.g. Cryptee/Peergos seem to be only available as web apps, Proton Drive is yet to release a desktop client for any privacy-respecting desktop OS. Tresorit is the only product that seems to check all the boxes in this product category.

What other options are you aware of in this field in addition to the above, and what do you use for file syncing?

David Johnson

FYI, here is the response Yubico customer support is offering regarding their vulnerability, in case you want to summarize for your next episode.

Advisory summary: A vulnerability was discovered in Infineon’s cryptographic library, which is utilized in all YubiKey Series and Security Key Series with firmware prior to 5.7.0 and YubiHSM 2 with firmware prior to 2.4.0. Yubico has defined this as a moderate vulnerability. To further elaborate, a sophisticated attacker would require physical possession of the YubiKey, knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. More detailed information regarding the vulnerability can be found in the official security advisory: Security Advisory YSA-2024-03

What we recommend: To mitigate any risks related to this vulnerability and as best practice in general, Yubico recommends that users always maintain physical control of their YubiKeys. If a YubiKey is ever lost or stolen users should immediately deregister it from all registered services or accounts and ensure they have backup authentication methods set up. Ideally, you should have 2 or more YubiKeys set up on each service for backup and recovery scenarios.

Replacement policy: Historically, Yubico has only offered replacements for High/Critical severity vulnerabilities. Since YSA-2024-03 is classified as a moderate severity vulnerability, there is no blanket replacement program in place, nor is this vulnerability covered under Yubico’s Warranty Policy. Additionally, it’s important to note that as a security measure, YubiKey firmware is not upgradeable. However, we understand that certain users may face a higher risk of physical attacks depending on their specific environments or roles.

If you believe you are in a high-risk environment and would like to request a replacement, please provide the following information to initiate a case for internal review:
Order number or invoice for your YubiKey(s)
A description of how you’re using YubiKey(s)
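As an added illustration (not Yubico's code and not part of the comment above), here is a small inventory check that reads a device's firmware version from `ykman info`-style output and compares it against the first fixed releases named in the quoted advisory, 5.7.0 for the YubiKey/Security Key series and 2.4.0 for YubiHSM 2. The "Firmware version: X.Y.Z" line format is an assumption about the tool's output, and the sample dump is constructed for the example.

```python
import re
from typing import Optional, Tuple

# First fixed firmware per product line, as stated in the advisory quoted above
# (YSA-2024-03): YubiKey/Security Key series 5.7.0, YubiHSM 2 2.4.0.
FIXED_FIRMWARE = {"yubikey": (5, 7, 0), "yubihsm2": (2, 4, 0)}

# Assumption: `ykman info` prints a line of the form "Firmware version: X.Y.Z".
FW_LINE = re.compile(r"^Firmware version:\s*(\d+)\.(\d+)\.(\d+)\s*$", re.MULTILINE)


def parse_firmware_version(info_text: str) -> Optional[Tuple[int, int, int]]:
    """Return the firmware version as a tuple, or None if no version line is found."""
    match = FW_LINE.search(info_text)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int], product: str = "yubikey") -> bool:
    """Firmware older than the first fixed release falls in the advisory's affected range."""
    return version < FIXED_FIRMWARE[product]


def assess(info_text: str, product: str = "yubikey") -> str:
    """Classify a device from its info dump; 'unknown' when the version cannot be read."""
    version = parse_firmware_version(info_text)
    if version is None:
        return "unknown: no firmware version line found"
    found = ".".join(map(str, version))
    fixed = ".".join(map(str, FIXED_FIRMWARE[product]))
    if is_affected(version, product):
        # Firmware is not upgradeable, so the response is procedural, as the advisory says.
        return (f"affected: firmware {found} < {fixed}; keep physical control, "
                "deregister the key if lost, and enroll a backup key on each service")
    return f"not affected: firmware {found} >= {fixed}"


# Constructed sample output, not a dump from a real device.
SAMPLE_INFO = """Device type: YubiKey 5 NFC
Serial number: 00000000
Firmware version: 5.4.3
Form factor: Keychain (USB-A)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

Run it against the saved output of `ykman info` for each key in an inventory to list which ones fall in the affected range and still need a backup key enrolled.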
