Secure PDF Viewer app version 27 released:

- us gov coordinates the yemen bombings on signal

- accidentally adds the editor in chief of the atlantic to the group

full write up below, crazy read

I used to post a lot more about privacy and security, but it tends to attract a lot of paranoid people—many of which probably have mental issues, and probably shouldn't be on the internet if they actually have the threat model they think they have. Many of which seem to have a penchant for attacking other privacy tech and users of that tech for not being completely anonymous.

I still post about it, just not as much as I used to because I want to keep things in their proper perspective, and the scene can be quite toxic to interact with on the regular—especially on platforms and protocols one doesn't have the ability to moderate.

For example: Just mentioning that you use GrapheneOS (because they use Pixels) or Proton and not Mulvad, etc. is enough to get you called a spook or worse in some circles. I once got harassed daily for promoting GrapheneOS by some anon who thought everyone should use LineageOS. This went on for months.

I used GrapheneOS for years, now I am back on Google OS for Android as my daily driver. I know my threat model and I practice privacy and security through isolation and compartmentalization, but this alone has been enough for people to throw ad hominem attacks my way.

Know your threat model in the various areas of your life—both online and off, and act accordingly. Don't let perfect be the enemy of good. Don't let paranoid nyms online deter you from practicing threat model appropriate OPSEC for YOUR unique situation.

Not everyone needs to act like Edward Snowden when he was on the lam with gov secrets. Even he says he's not as hardcore as he used to be because he's in a different place in his life. Lots of privacy advocates will try to tell you that you have one threat model MOST EXTREME. That is not the correct approach, and as I said in the post, you will burn out.

A trusted no logs VPN is great for privacy (Proton/Mullvad) is great for privacy, but it will not keep you anonymous, Tor is better for anonymity. Both will be a pain with financial services. I used to keep my VPN on ALWAYS, and it was more of a pain than it was worth trying to do legitimate business online.

I mean, even some private torrent sites disallow VPN use, so they can keep users from abusing their services.

One very valid usecase for a VPN is that clearnet Nostr relays have access to your IP address, and some of them are maliciously scraping user data. If you use a VPN or something like Orbot/Tor on mobile that comes with Amethyst, then relays will not have access to your IP.

Another is that if you are using Chrome, then all of your Internet searches are tracked by Google. If you use a VPN, but you are logged into Gmail, a VPN will be of little use. If you use a VPN and are not logged in, then your activity will be more private when it comes to Google.

Just know that the VPN you use will have access to your IP and must comply with local gov law. They will hand over any data they have if the gov demands they do so. They will not risk going to jail over a $5 a month service. This is why using a no-logs VPN is so important—but you have to trust that they are actually not logging.

A quality VPN is one that reduces the amount of data they have access to, so if the powers that be force them to hand it over, they have nothing to hand over. Proton has handed over user data in the past, but that is because the user added a "backup email" to their user account. This information IS visible to Proton (so they can help restore compromised access to accounts) and therefore they will have to hand it over in the event of a gov subpoena.

The user did not follow proper OPSEC and did not follow Proton's explicit warnings about adding a backup email.

No privacy tool or service can prevent users from shooting themselves in the foot with bad OPSEC.

Definitely check out the Techlore video and the other links I posted. Bazzell's books and training are technical in nature and will give you step-by-step instructions to get things set up. Check them out when you are ready.

I recommend using a browser like LibreWolf or Brave that is not Google. They both have protections against browser fingerprinting (look this up), and Brave has a built-in site tracker blocker.

Use Tor browser where you need/want more anonymity. Use offline conversations wherever possible for the most sensitive conversations.

Bitcoin is not private, lightning is better, but it can also be traced. Monero is more anonymous.

Use a quality VPN like Proton or Mullvad when you don't want sites or relays to have access to your IP or browsing habits.

Host your own cloud to store your photos and data—a Synology NAS is a good starting point (Synology is not open source, but they are good for beginners) or use Proton Drive since it has E2EE.

Use a password manager. A cloud-based service like Proton Pass or Bitwarden is great for most people—much safer than reusing memorable passwords. For usecases where cloud-based is not trusted, use KeePass (preferably on an air-gapped device or VM).

Use a private messenger for sensitive conversations like Signal or SimpleX.

Go for services that use E2EE wherever possible (just note that all encryption is not created equal).

Be mindful of the websites you visit.

Be mindful of the mobile keyboards you use—some of them "phone home." Turning off G-Board access to the Internet is a good practice to keep it from phoning home, but it will limit functionality. You make the call based on your threat model.

Windows and Mac collect a lot of user data, look into Linux, just know that Linux is not as secure out of the box—but you can harden it. QubesOS is way more private and secure, but it is not as user-friendly. Use Tails on a USB when you need an OS that you can plug in and burn—maybe with a hidden volume to hide things with plausible deniability etc. (it's not meant for daily driving).

Look into a hardware firewall for your home network like a Protectli, both Bazzell and Brockwell (below) have guides on setting it up.

Use a private DNS service like OpenDNS or Control D, don't trust Google DNS.

Study social engineering, etc...

Again, I could go on, but I don't want to overwhelm you. Once you get the concept of OPSEC down, you will be able to make these judgement calls for yourself and your situation based on your threat model.

Another good channel for the basics is:

This seems like an ominous development:

"A new executive order from President Donald Trump aims to expand information-sharing across federal agencies as well as between federal and state governments, but civil libertarians and other experts are warning that the main purpose is to help normalize how the Department of Government Efficiency is handling government data."

"The order, issued Thursday, directs all federal agency heads to modify or rescind any regulations preventing the sharing of unclassified data and records between federal agencies."

"Agency heads also must ensure that the U.S. government has “unfettered access” to comprehensive data from all state programs that receive federal funding. The order extends to all such data even when stored in third-party databases."

"The stated goal is “eliminating bureaucratic duplication and inefficiency while enhancing the Government’s ability to detect overpayments and fraud” — the supposed core of DOGE’s mission. The order does not mention DOGE by name."

"Civil libertarians and other experts, however, call the new EO an alarming development, and say it is meant to give cover to DOGE, which has been the subject of numerous lawsuits as its workers continue to root through government records and disrupt federal agencies. Trump also has previously sought to consolidate data for reasons that would infringe on civil liberties, the experts say."

"While the new EO asserts that the removal of data “silos” is designed to eliminate fraud, waste and abuse, disturbing mission creep is very possible, said Elizabeth Laird, director of equity and civic technology at the nonprofit Center for Democracy and Technology."

"There are no assurances that the data won’t be used for “targeting people who the administration has separately said are a priority for them,” Laird said. “That can include immigrants, it can include people who are transgender, it can include people that speak up” against the administration. "

More here:

Follower counts don't mean much on Nostr, because #Nostr still has a significant adoption and retention problem. Nostr needs better onboarding and user-adoption campaigns, period—the numbers don't lie, and they haven't changed much in over a year (+ ~10k weekly users).

Nostr Real Time Statistics over the past two months: