As we've learned over the last few weeks, it is important to understand and to have figured out your personal threat level. From the point you have one, you can begin to pick and adjust how you set up your devices.

Everyone has their own threat level, and you should not just blindly follow suggestions. A great example is on our Samsung list and how to make your Samsung device more private, because, at the same time, you might need some of the apps already there and others might be useful for your specific use case.


That brings us to today's problem, which I call 'badness enumeration'.

You might have made a list of bad actors and found ways to remove apps on your phone or block them at the DNS level. Perhaps you even run a VPN on your router/phone or device and have added a DNS with blocklists. However, not all solutions combined are a great idea, and some can even give you weakened privacy or security.

Let's imagine you did the latter and blocked all Google servers, malware, and threats that you found out there. Maybe you did that with the new AdGuard-DNS (oh we will review this new goody soon), with a Pi-hole, AdGuard Home and/or with a blocklist. You need to make sure you always have the newest updates and lists on hand, and you would need to research these regularly, as many new bad actors join by the day. So while DNS level blocking with NextDNS or AdGuard is great, it won't keep bad actors out of your life.

The next issue arises when you combine this with a VPN. At first, this sounds like a great idea: you have an IP address from a VPN provider and you block bad actors via the DNS of your system. That's a 100% win, right? False! It may look like a win with this setup, but you have just made yourself a unique fingerprint: most people will be using the VPN's DNS service, and by using someone else's you stand out. On top of this, you now have two third parties you need to trust not to log your browsing.

Consider also that while the website you visit might not be able to log you with Google Analytics when you block Google, you still have your fingerprint, IP address etc., and the website itself could log and share your data with Google.

I would still recommend using either a VPN or a DNS with blocklists. If you do so, however, you need to trust the DNS provider to update the third party blocklists regularly and not log your browsing habits.

The very best way to stay private and secure is to find a trustworthy VPN provider (iVPN, Mullvad and Proton.me come to mind) and use their DNS with their own published blocklist.

Amazingly, the article 'The Six Dumbest Ideas in Computer Security', published nearly 20 years ago, remains valid even today. It describes the issue with Default Permit: in short, when setting up a firewall or similar, it is a good idea to start by blocking everything and then permitting only the traffic you want or need. This means you don't have to worry about applications that you didn't bother to block becoming a vulnerability.

Sometimes, 'goodness enumeration' is the answer!
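To make the difference concrete, here is an added example (not from the article it cites) that runs the same DNS queries through a blocklist with default permit and an allowlist with default deny. All domain names and both lists are constructed for illustration.

```python
# Added example: badness enumeration (blocklist, default permit) versus
# goodness enumeration (allowlist, default deny) applied to DNS names.
# Every domain below is constructed; none refers to a real service.

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")

def matches(name, rules):
    """True if name equals a rule or is a subdomain of one.

    Suffixes are compared on label boundaries, so 'notbank.example'
    does not match a rule for 'bank.example'.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in rules for i in range(len(labels)))

def default_permit(name, blocklist):
    """Anything not listed as bad is resolved."""
    return "block" if matches(name, blocklist) else "allow"

def default_deny(name, allowlist):
    """Anything not listed as good is refused."""
    return "allow" if matches(name, allowlist) else "block"

BLOCKLIST = {"tracker.example", "ads.example"}
ALLOWLIST = {"bank.example", "mail.example"}

QUERIES = [
    "login.bank.example",   # wanted service
    "cdn.tracker.example",  # known bad, already on the blocklist
    "new-tracker.example",  # appeared after the blocklist was last updated
    "notbank.example",      # lookalike of an allowed name
    "Mail.Example.",        # same name as a rule, different case, trailing dot
]

def compare(queries=QUERIES):
    """Return (query, default-permit verdict, default-deny verdict) rows."""
    return [(q, default_permit(q, BLOCKLIST), default_deny(q, ALLOWLIST))
            for q in queries]

if __name__ == "__main__":
    for q, permit, deny in compare():
        print(f"{q:22} default-permit={permit:5} default-deny={deny}")
```

The blocklist lets `new-tracker.example` and `notbank.example` through because nobody has listed them yet, while the allowlist refuses both without needing an update.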


The next point applies if you use iOS and are considering, or already use, Brave, Firefox etc. on it. In the end, they all need to use the web engine Safari provides, and again you have a unique fingerprint. Safari itself on iOS is actually pretty good and you will not stand out by using it, as the iPhone and iPad will have you appear like millions or even billions of other iOS users.

GrapheneOS has Vanadium, which is not just hardened but is also the best solution on GrapheneOS phones. I wouldn't mess around using any other browser such as the pre-installed.

https://github.com/GrapheneOS/Vanadium

On desktop, it's a different story. Personally, I chose Librewolf or Firefox, even on macOS.

Your main goal after determining the threat level is to find a balance between privacy and security that works for you. Do not mix too many services, and don't use too many browser add-ons. All these things give you a unique fingerprint, and every extension you add could be an additional security weakness in your setup.

When it comes to antivirus, you have your next privacy nightmare! Yes, they can protect you, but they can also scan every file you have on your device. On iOS and Android, each app is sandboxed, so apps should be isolated and you don't need any antivirus. On a desktop, you should only install trusted apps, verify the download and only install from those you trust. On macOS, install via the Apple Store; on Linux, always check the hash to confirm that it matches. This is not a guarantee, but you'll be better off than when you allow a third party to scan your machine.

Sometimes, the biggest issue can be due to people overthinking things and trying to be overly protected. Find the right balance and most of all have your threat level sorted out. Go from there and take it one step at a time. Privacy is not a race, but a destination. Security is important and even more so than privacy, as without security you will lose your privacy.

Stay safe, stay secure

The Privacy Advocate
