wowana.me

website source


commit 4afd44d55fdc717c1386658e2e3e79e45375eded
parent 6ad08a0e427215c244f5c80700421b72f96e988a
Author: opal hart <opal@wowana.me>
Date:   Tue,  3 Sep 2019 05:34:21 +0000

two blog articles lol

Diffstat:
M out/blog/feed.atom | 263 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
A out/blog/guess-im-done-with-discord.xht | 169 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M out/blog/index.xht | 4 +++-
A out/blog/staying-safe-online.xht | 140 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A src/blog/guess-im-done-with-discord.md | 123 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A src/blog/staying-safe-online.md | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 798 insertions(+), 4 deletions(-)

diff --git a/out/blog/feed.atom b/out/blog/feed.atom @@ -4,7 +4,7 @@ <link href="/blog/" rel="alternate"/> <link href="/blog/feed.atom" rel="self"/> <id>/blog/</id> - <updated>2019-08-02T14:48:04+0000</updated> + <updated>2019-08-29T09:57:46+0000</updated> <entry> <title>a musing on sharing and receiving opinions</title> <link href="/blog/a-musing-on-sharing-and-receiving-opinions.xht" rel="alternate" type="application/xhtml+xml" /> @@ -251,7 +251,7 @@ mechanism.</p> <link href="/blog/federated-social-networking.xht" rel="alternate" type="application/xhtml+xml" /> <id>/blog/federated-social-networking.xht</id> <published>2019-07-12T07:10:27+0000</published> - <updated>2019-07-12T07:10:27+0000</updated> + <updated>2019-08-29T09:41:55+0000</updated> <author><name>opal hart</name></author> <content type="xhtml"> <div xmlns="http://www.w3.org/1999/xhtml"> @@ -288,7 +288,7 @@ goes beyond just one domain, just one company, just one set of policies. <strong>meet the fediverse</strong>: the result of years of collaboration to provide an open protocol and several software implementations, to solve the issues inherent in conventional social platforms. I've personally been -hosting an instance (at <a href="https://anime.website/">anime.website</a> for a +hosting an instance (at <a href="https://anime.website/">anime.website</a>) for a bit over a year now, and I can confidently say it is a suitable twitter replacement for me. my timeline doesn't feel empty, I see many interesting and unadulterated discussions because people feel welcome to 
@@ -426,6 +426,149 @@ policing.</p> </content> </entry> <entry> + <title>guess I&#39;m done with Discord</title> + <link href="/blog/guess-im-done-with-discord.xht" rel="alternate" type="application/xhtml+xml" /> + <id>/blog/guess-im-done-with-discord.xht</id> + <published>2019-08-15T23:57:49+0000</published> + <updated>2019-08-29T09:57:38+0000</updated> + <author><name>opal hart</name></author> + <content type="xhtml"> + <div xmlns="http://www.w3.org/1999/xhtml"> +<p>I'll let the E-mail ticket do most of the talking:</p> + +<blockquote> + <p>Hi,</p> + +<p>Today I received a prompt to verify my account with a phone number [1], +which is the first time I have ever encountered this message in the +entire time I've had my account (created 2017 Jan 09 according to my +password manager). My account opal#6614 has a verified E-mail address +(the one I'm sending this message from) and two-factor authentication. +As I have mentioned in a prior support request, I use Tor to access +Discord, both on my desktop and my phone.</p> + +<p>I refuse to provide phone verification as I believe it is Discord's +fault for flagging my account even though I've never had an issue +following terms of service. I do not spam, I do not upload content +against terms of service (even though I disagree with the list of +banned content), and I have never used this or other accounts to evade +bans or other limitations. The reCAPTCHA upon login was insulting +enough, and now being asked for a phone number is an even bigger spit +in my face. The only thing I can think of that may have triggered +Discord's crappy anti-spam detection, is the invite I sent to a user +for my newly-created guild. That, and the fact I just so happen to be +using Tor when sending the invite. Because, everything else about the +invite was fine: I have been friends with the user I invited, and I did +not spam the user (or any other users for that matter) whatsoever.</p> + +<p>Please make it so: +1. 
Discord's anti-spam isn't so anal, +2. my account (and other accounts in good standing and with proper 2FA) +is exempt from such checks, and +3. I don't have to solve a Google reCAPTCHA for an account I have taken +every step to protect against bruteforcing. Using Tor is not a crime; +don't treat it as such.</p> + +<p>I'm tired of Discord's attitude toward things like this and I'll sooner +abandon my account and uninstall the app if I am unable to access my +account. I will recommend all my friends to migrate to a more suitable +platform if this continues, too. I am not part of Discord Hype Squad +for very good reason; Discord has shown to be hostile toward FOSS and +privacy for a while now.</p> + +<p>[1]&lt;<a href="https://pl.wowana.me/media/0bf9e6e5cb428f89596e9d217f281d4f054895c85a3450a5b7fb2d876e8f6bc1.png">https://pl.wowana.me/media/0bf9e6e5cb428f89596e9d217f281d4f054895c85a3450a5b7fb2d876e8f6bc1.png</a>></p> + +<p>Thanks,</p> + +<p>wowaname &lt;<a href="https://wowana.me/pgp.xht">https://wowana.me/pgp.xht</a>></p> +</blockquote> + +<p>reply:</p> + +<blockquote> + <p>Hi opal,</p> + +<p>Thanks for reaching out!</p> + +<p>Sorry to hear that you're walled out of your account. I just checked with my team, and upon review of your account, it appears that our system's detection system has triggered successfully and we will not be removing the phone verification requirement on your account, and you'll be required to register a phone number to your Discord account in order to continue the use of it.</p> + +<p>It's possible that our system detected that you were using a VPN or proxy that was shared with other bad actors, which is why our system flagged your account. However, for privacy reasons, we're not able to share the specifics of the inner workings of our system.</p> + +<p>I understand that you put privacy above all else, however, we won't be able to remove the phone verification prompt and you really need to use a phone number to get back into the account. 
Just a heads up, if you're currently using a VOIP or landline number, unfortunately, VOIP and landlines are not compatible with our verification system.</p> + +<p>Otherwise, if you have recently attempted to verify this number already, our system will put a timeout on a number from being used again for anti-abuse purposes, and unfortunately, you will need to wait for the end of the timeout to use the number once more or use a different number to verify the account. Sadly, because the system automatically detects and generates a timeout period when a phone number has been used multiple times to verify an account, there is no exact ETA for when the number will be able to used to verify another account.</p> + +<p>If that's not the case, let me know what number you're trying to register and I'll be more than happy to double check in our system.</p> + +<p>Best, +Devemer</p> +</blockquote> + +<p>my reply:</p> + +<blockquote> + <blockquote> + <p>upon review of your account, it appears that our system's detection +system has triggered successfully and we will not be removing the +phone verification requirement on your account, and you'll be required +to register a phone number to your Discord account in order to +continue the use of it.</p> + +<p>It's possible that our system detected that you were using a VPN or +proxy that was shared with other bad actors, which is why our system +flagged your account. However, for privacy reasons, we're not able to +share the specifics of the inner workings of our system. </p> +</blockquote> + +<p>I've been accessing Discord with Tor just fine for several months now. +How in the hell is my account suddenly a threat to Discord?</p> + +<blockquote> + <p>I understand that you put privacy above all else, however </p> +</blockquote> + +<p>No, you don't understand. I will <em>not</em> give any phone number for +verification. I am treated like an abuser of the Discord service, I am +singled out for my use of Tor. I take this personally. 
If Discord blocks +Tor, then clearly you do not want to see me as a user. I will do my best +to find an alternate platform with a user interface my friends and other +peers are comfortable with. Discord has never held a monopoly over chat +and voice, and it never will. An alarming amount of your userbase is +vocally unhappy with Discord just as I am, as I have noted from many +conversations across several guilds.</p> + +<p>I've enabled 2FA, I rotate my passwords at least once a year, I do not +engage in password reuse, I choose strong passphrases, I verified my +E-mail. Discord will not bully me into solving reCAPTCHAs as free labour +for Google, nor will it bully me into providing a phone number. If you +or any other representative/specialist will not override this asinine +"detection system" despite this abundant evidence that I am not a bad +actor, then it's simple, I will leave Discord. I've tolerated all of +Discord's other shortcomings without much protest, but I will not stoop +any lower to remain on the platform.</p> + +<p>Unless you can refer me to someone who can look into this given the +<em>context</em> of my account, this will be my last reply. I will be making +this message thread public, in the interest of other current and +potential Discord users.</p> + +<p></blockquote></p> + +<hr /> + +<p>in a nutshell, unless Discord has a change of heart and allows me access +to my account, I will cease to use its service. 
chances seem slim, +though, especially considering they shot down my suggestion to remove +reCAPTCHA puzzles from the login form, even when 2FA is active on the +account in question.</p> + +<p>I will be communicating with a couple communities with which I'm +involved to explain that I am unable to use Discord, and with any luck, +we can explore user-friendly alternatives together.</p> + </div> + </content> + </entry> + <entry> <title>&#34;Learning how to learn&#34;</title> <link href="/blog/learning-how-to-learn.xht" rel="alternate" type="application/xhtml+xml" /> <id>/blog/learning-how-to-learn.xht</id> 
@@ -553,6 +696,120 @@ policing.</p> </content> </entry> <entry> + <title>staying safe online</title> + <link href="/blog/staying-safe-online.xht" rel="alternate" type="application/xhtml+xml" /> + <id>/blog/staying-safe-online.xht</id> + <published>2019-08-24T00:15:20+0000</published> + <updated>2019-08-24T00:15:20+0000</updated> + <author><name>opal hart</name></author> + <content type="xhtml"> + <div xmlns="http://www.w3.org/1999/xhtml"> +<p>this is an E-mail I typed out and figured it'd be fitting as its own +public post:</p> + +<blockquote> + <p>If you want the closest thing to true anonymity from software +perspective, I'd suggest Tails because it's pre-configured to proxy +everything through Tor. It can be run with a live CD / USB on bare +metal, or it can be used in a virtual machine of the user's choosing +(personally I use qemu for Linux, and I think virt-manager is a GUI +frontend for it, but a lot of people may have heard of VirtualBox +which is cross-platform). Even I use Tails for certain things +although I consider myself to be proficient and able to set up my own +anonymous system; sometimes it isn't worth the trouble when I need to +be sure that my system is safe, though.</p> + +<p>If you want an "everyday setup" where anonymity isn't key, but you +still want security and casual privacy, drop Windows in favour of +Linux, and grab the Tor Browser if you want to browse the Internet +through Tor (not limited to onion websites, which seems to be a +misconception for people "exploring the deep web"). Steam can play a +lot of games in Linux, Wine can run many Windows programs, and as a +last resort, a user can set up a Windows virtual machine or set up +dual-booting (although from my understanding, Windows can fuck with +dualboot partitioning, so this might be an advanced topic. Personally +I don't trust Windows with hardware access at all, anymore). One big +issue (that unfortunately I have to face as well) is NVidia graphics +support in Linux. 
The best solution to any NVidia issues is to replace +the NVidia GPU with AMD, because AMD ships open-source drivers, or, if +the user doesn't do much gaming then it's likely fine to just use the +integrated graphics from the CPU. It's an unfortunate fact that NVidia +is very anti-consumer; if I had other suggestions you'd bet I would +say, but my friend and I (and many other people) have had nothing but +issues with NVidia.</p> + +<p>For additional safety, no matter whether you use Tor Browser in +Tails, or Tor Browser in Linux, or even a normal browser in Linux +like I do: I strongly suggest disabling JavaScript by default for +sites you don't trust. In Tor Browser, it's as simple as clicking the +NoScript icon in the toolbar to whitelist a website. There was a +NoScript bug found not too long ago that allowed sites to bypass +settings regardless, but this has since been fixed and hopefully +there will not be similar incidents in the future. This is why I +strongly dislike modern Web browsers; they're too big to make sure +that they're entirely bug-free. (I personally use uMatrix instead of +NoScript, because it's much more configurable and can block more than +scripts, but it's probably not best to suggest in a "basic tips" +YouTube video.)</p> + +<p>Like I said in my previous E-mail, a VPN does not help with anonymity +in any way. You can still stick in that sponsorship for PIA if you +make clear it's only to keep users' Internet activity away from +<em>their own ISP</em>, and it gives them a different IP address perhaps in +a different country, if they so choose. This can be useful for +accessing region-locked websites, for instance, or for casual privacy +to prevent other people from finding someone's home IP address. The +VPN can still see and track all users' activity, but my opinions of +PIA aside, I believe from a business standpoint they will be very +careful about what they do with user information. 
Just know though, +depending on what country a VPN is based in, they might be forced to +comply with requests for user information by law.</p> + +<p>Enough about software; usually people are able to follow along until +it comes to something scary: they aren't safe until they change their +own behaviours as well. I was taught one thing as a kid, practically +every year in school there was a poster or a computer lab teacher +telling us "don't share your personal information with strangers +online". This seems to have been forgotten with the rise of social +platforms that encourage or require users to use their real info, and +it's really sad that things have taken a turn for the worse in this +regard. Even before I knew what Tor was, I never gave people so much as +my name, and to this day, while I did say some dumb shit in my early +teenage years (who hasn't done things before that seem foolish to them +now?) I can at least say I don't regret how I handled my personal +information during all these years. Nowadays, the Internet is a more +hostile place, with more people understanding the power of "big data" +and keen on collecting user information, with all the serious threats +regarding IoT security vulnerabilities (allowing for large-scale DDoS +attacks for cheap, or potentially worse attacks against the devices +themselves). So, it's more important than ever not to give anyone any +information that one might regret sharing later.</p> + +<p>Keeping a healthy amount of scepticism toward other users and services +online has always been a rule of thumb as well, albeit one that's lesser +talked about. (It's normally brought up by school librarians and English +teachers, who urge students to ensure that their citation sources are +credible.) A lot of people especially on Tor phrase it as "don't trust +anyone" which is an imprecise piece of advice. 
It might be good advice +for people who don't yet know what signs to look out for that tell apart +a normal user from a con artist or a federal agent (and federal agents +are perhaps best-equipped to produce convincing cover identities). I +don't open up to many people online, but I have definitely made at least +a couple real connections with Tor users. A lot of people, I don't +<em>need</em> to trust, such as the people I ask to join the moderation team on +Hidden Answers, or others I ask advice / questions from, for instance. +In the former case, I give moderators just enough access to the site to +do their jobs, and if a rogue moderator happens to slip through, the +damage is normally easily reversible. And we have had some cases of +rogue moderators -- usually just scammers who abused their position for +extra credibility, though. In the latter case, I can use my own logic to +verify whether someone's advice sounds reasonable, or I can cross-verify +with other sources.</p> +</blockquote> + </div> + </content> + </entry> + <entry> <title>testing patches made to bashblog script</title> <link href="/blog/testing-patches-made-to-bashblog-script.xht" rel="alternate" type="application/xhtml+xml" /> <id>/blog/testing-patches-made-to-bashblog-script.xht</id> diff --git a/out/blog/guess-im-done-with-discord.xht b/out/blog/guess-im-done-with-discord.xht 
@@ -0,0 +1,169 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en-GB"> + <head> + <title>guess I'm done with Discord – wowana.me</title> + <link rel="stylesheet" type="text/css" href="/opal.css"/> + <link href="/blog/feed.atom" type="application/atom+xml" rel="alternate" title="Blog Atom feed" /> + </head> + <body> + <div class="sidebar-holder"> + <header class="sidebar"> + <img class="avatar" src="/gravatar" alt="Libravatar"/> + <h1><a class="nolink" href="/">opal</a></h1> + <p class="subheader">wowaname</p> + <nav class="topnav"> + <ul> + <li><a href="/about.xht">about</a></li> + <li><a href="/blog/">blog</a></li> + <li><a href="/contact.xht">contact</a></li> + <li><a href="/donate.xht">donate</a></li> + <li><a href="/git/">git</a></li> + <li><a href="/pgp.xht">PGP</a></li> + <li><a href="/files/">files</a></li> + <li><a href="/permalink.xht">permalink</a></li> + <li>content is <a href="https://creativecommons.org/share-your-work/public-domain/cc0">public domain</a> unless otherwise noted</li> + </ul> + </nav> + </header> + </div> + +<main id='guess-im-done-with-discord'> +<h1>guess I'm done with Discord</h1> + +<time datetime='2019-08-15T23:57:49+0000' title='2019-08-15T23:57:49+0000'>2019 Aug 15</time> + +<p>I'll let the E-mail ticket do most of the talking:</p> + +<blockquote> + <p>Hi,</p> + +<p>Today I received a prompt to verify my account with a phone number [1], +which is the first time I have ever encountered this message in the +entire time I've had my account (created 2017 Jan 09 according to my +password manager). My account opal#6614 has a verified E-mail address +(the one I'm sending this message from) and two-factor authentication. 
+As I have mentioned in a prior support request, I use Tor to access +Discord, both on my desktop and my phone.</p> + +<p>I refuse to provide phone verification as I believe it is Discord's +fault for flagging my account even though I've never had an issue +following terms of service. I do not spam, I do not upload content +against terms of service (even though I disagree with the list of +banned content), and I have never used this or other accounts to evade +bans or other limitations. The reCAPTCHA upon login was insulting +enough, and now being asked for a phone number is an even bigger spit +in my face. The only thing I can think of that may have triggered +Discord's crappy anti-spam detection, is the invite I sent to a user +for my newly-created guild. That, and the fact I just so happen to be +using Tor when sending the invite. Because, everything else about the +invite was fine: I have been friends with the user I invited, and I did +not spam the user (or any other users for that matter) whatsoever.</p> + +<p>Please make it so: +1. Discord's anti-spam isn't so anal, +2. my account (and other accounts in good standing and with proper 2FA) +is exempt from such checks, and +3. I don't have to solve a Google reCAPTCHA for an account I have taken +every step to protect against bruteforcing. Using Tor is not a crime; +don't treat it as such.</p> + +<p>I'm tired of Discord's attitude toward things like this and I'll sooner +abandon my account and uninstall the app if I am unable to access my +account. I will recommend all my friends to migrate to a more suitable +platform if this continues, too. 
I am not part of Discord Hype Squad +for very good reason; Discord has shown to be hostile toward FOSS and +privacy for a while now.</p> + +<p>[1]&lt;<a href="https://pl.wowana.me/media/0bf9e6e5cb428f89596e9d217f281d4f054895c85a3450a5b7fb2d876e8f6bc1.png">https://pl.wowana.me/media/0bf9e6e5cb428f89596e9d217f281d4f054895c85a3450a5b7fb2d876e8f6bc1.png</a>></p> + +<p>Thanks,</p> + +<p>wowaname &lt;<a href="https://wowana.me/pgp.xht">https://wowana.me/pgp.xht</a>></p> +</blockquote> + +<p>reply:</p> + +<blockquote> + <p>Hi opal,</p> + +<p>Thanks for reaching out!</p> + +<p>Sorry to hear that you're walled out of your account. I just checked with my team, and upon review of your account, it appears that our system's detection system has triggered successfully and we will not be removing the phone verification requirement on your account, and you'll be required to register a phone number to your Discord account in order to continue the use of it.</p> + +<p>It's possible that our system detected that you were using a VPN or proxy that was shared with other bad actors, which is why our system flagged your account. However, for privacy reasons, we're not able to share the specifics of the inner workings of our system.</p> + +<p>I understand that you put privacy above all else, however, we won't be able to remove the phone verification prompt and you really need to use a phone number to get back into the account. Just a heads up, if you're currently using a VOIP or landline number, unfortunately, VOIP and landlines are not compatible with our verification system.</p> + +<p>Otherwise, if you have recently attempted to verify this number already, our system will put a timeout on a number from being used again for anti-abuse purposes, and unfortunately, you will need to wait for the end of the timeout to use the number once more or use a different number to verify the account. 
Sadly, because the system automatically detects and generates a timeout period when a phone number has been used multiple times to verify an account, there is no exact ETA for when the number will be able to used to verify another account.</p> + +<p>If that's not the case, let me know what number you're trying to register and I'll be more than happy to double check in our system.</p> + +<p>Best, +Devemer</p> +</blockquote> + +<p>my reply:</p> + +<blockquote> + <blockquote> + <p>upon review of your account, it appears that our system's detection +system has triggered successfully and we will not be removing the +phone verification requirement on your account, and you'll be required +to register a phone number to your Discord account in order to +continue the use of it.</p> + +<p>It's possible that our system detected that you were using a VPN or +proxy that was shared with other bad actors, which is why our system +flagged your account. However, for privacy reasons, we're not able to +share the specifics of the inner workings of our system. </p> +</blockquote> + +<p>I've been accessing Discord with Tor just fine for several months now. +How in the hell is my account suddenly a threat to Discord?</p> + +<blockquote> + <p>I understand that you put privacy above all else, however </p> +</blockquote> + +<p>No, you don't understand. I will <em>not</em> give any phone number for +verification. I am treated like an abuser of the Discord service, I am +singled out for my use of Tor. I take this personally. If Discord blocks +Tor, then clearly you do not want to see me as a user. I will do my best +to find an alternate platform with a user interface my friends and other +peers are comfortable with. Discord has never held a monopoly over chat +and voice, and it never will. 
An alarming amount of your userbase is +vocally unhappy with Discord just as I am, as I have noted from many +conversations across several guilds.</p> + +<p>I've enabled 2FA, I rotate my passwords at least once a year, I do not +engage in password reuse, I choose strong passphrases, I verified my +E-mail. Discord will not bully me into solving reCAPTCHAs as free labour +for Google, nor will it bully me into providing a phone number. If you +or any other representative/specialist will not override this asinine +"detection system" despite this abundant evidence that I am not a bad +actor, then it's simple, I will leave Discord. I've tolerated all of +Discord's other shortcomings without much protest, but I will not stoop +any lower to remain on the platform.</p> + +<p>Unless you can refer me to someone who can look into this given the +<em>context</em> of my account, this will be my last reply. I will be making +this message thread public, in the interest of other current and +potential Discord users.</p> + +</blockquote> + +<hr /> + +<p>in a nutshell, unless Discord has a change of heart and allows me access +to my account, I will cease to use its service. chances seem slim, +though, especially considering they shot down my suggestion to remove +reCAPTCHA puzzles from the login form, even when 2FA is active on the +account in question.</p> + +<p>I will be communicating with a couple communities with which I'm +involved to explain that I am unable to use Discord, and with any luck, +we can explore user-friendly alternatives together.</p> +</main> + </body> +</html> diff --git a/out/blog/index.xht b/out/blog/index.xht 
@@ -34,7 +34,9 @@ <p><a href="/blog/feed.atom">atom feed</a></p> <ul> -<li><a href="federated-social-networking.xht">federated social networking</a> <em>last updated <time datetime='2019-07-12T07:10:27+0000' title='2019-07-12T07:10:27+0000'>2019 Jul 12</time></em></li> +<li><a href="guess-im-done-with-discord.xht">guess I'm done with Discord</a> <em>last updated <time datetime='2019-08-29T09:57:38+0000' title='2019-08-29T09:57:38+0000'>2019 Aug 29</time></em></li> +<li><a href="federated-social-networking.xht">federated social networking</a> <em>last updated <time datetime='2019-08-29T09:41:55+0000' title='2019-08-29T09:41:55+0000'>2019 Aug 29</time></em></li> +<li><a href="staying-safe-online.xht">staying safe online</a> <em>last updated <time datetime='2019-08-24T00:15:20+0000' title='2019-08-24T00:15:20+0000'>2019 Aug 24</time></em></li> <li><a href="why-program-efficiency-and-usability-matters.xht">why program efficiency [and usability] matters</a> <em>last updated <time datetime='2019-06-05T03:41:13+0000' title='2019-06-05T03:41:13+0000'>2019 Jun 05</time></em></li> <li><a href="wowaname-now-on-git-and-hosted-on-my-laptop.xht">wowana.me now on git (and hosted on my laptop)</a> <em>last updated <time datetime='2019-06-05T03:15:47+0000' title='2019-06-05T03:15:47+0000'>2019 Jun 05</time></em></li> <li><a href="a-new-era-for-hidden-answers.xht">a new era for Hidden Answers</a> <em>last updated <time datetime='2019-05-11T03:38:03+0000' title='2019-05-11T03:38:03+0000'>2019 May 11</time></em></li> diff --git a/out/blog/staying-safe-online.xht b/out/blog/staying-safe-online.xht 
@@ -0,0 +1,140 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en-GB"> + <head> + <title>staying safe online – wowana.me</title> + <link rel="stylesheet" type="text/css" href="/opal.css"/> + <link href="/blog/feed.atom" type="application/atom+xml" rel="alternate" title="Blog Atom feed" /> + </head> + <body> + <div class="sidebar-holder"> + <header class="sidebar"> + <img class="avatar" src="/gravatar" alt="Libravatar"/> + <h1><a class="nolink" href="/">opal</a></h1> + <p class="subheader">wowaname</p> + <nav class="topnav"> + <ul> + <li><a href="/about.xht">about</a></li> + <li><a href="/blog/">blog</a></li> + <li><a href="/contact.xht">contact</a></li> + <li><a href="/donate.xht">donate</a></li> + <li><a href="/git/">git</a></li> + <li><a href="/pgp.xht">PGP</a></li> + <li><a href="/files/">files</a></li> + <li><a href="/permalink.xht">permalink</a></li> + <li>content is <a href="https://creativecommons.org/share-your-work/public-domain/cc0">public domain</a> unless otherwise noted</li> + </ul> + </nav> + </header> + </div> + +<main id='staying-safe-online'> +<h1>staying safe online</h1> + +<time datetime='2019-08-24T00:15:20+0000' title='2019-08-24T00:15:20+0000'>2019 Aug 24</time> + +<p>this is an E-mail I typed out and figured it'd be fitting as its own +public post:</p> + +<blockquote> + <p>If you want the closest thing to true anonymity from software +perspective, I'd suggest Tails because it's pre-configured to proxy +everything through Tor. It can be run with a live CD / USB on bare +metal, or it can be used in a virtual machine of the user's choosing +(personally I use qemu for Linux, and I think virt-manager is a GUI +frontend for it, but a lot of people may have heard of VirtualBox +which is cross-platform). 
Even I use Tails for certain things +although I consider myself to be proficient and able to set up my own +anonymous system; sometimes it isn't worth the trouble when I need to +be sure that my system is safe, though.</p> + +<p>If you want an "everyday setup" where anonymity isn't key, but you +still want security and casual privacy, drop Windows in favour of +Linux, and grab the Tor Browser if you want to browse the Internet +through Tor (not limited to onion websites, which seems to be a +misconception for people "exploring the deep web"). Steam can play a +lot of games in Linux, Wine can run many Windows programs, and as a +last resort, a user can set up a Windows virtual machine or set up +dual-booting (although from my understanding, Windows can fuck with +dualboot partitioning, so this might be an advanced topic. Personally +I don't trust Windows with hardware access at all, anymore). One big +issue (that unfortunately I have to face as well) is NVidia graphics +support in Linux. The best solution to any NVidia issues is to replace +the NVidia GPU with AMD, because AMD ships open-source drivers, or, if +the user doesn't do much gaming then it's likely fine to just use the +integrated graphics from the CPU. It's an unfortunate fact that NVidia +is very anti-consumer; if I had other suggestions you'd bet I would +say, but my friend and I (and many other people) have had nothing but +issues with NVidia.</p> + +<p>For additional safety, no matter whether you use Tor Browser in +Tails, or Tor Browser in Linux, or even a normal browser in Linux +like I do: I strongly suggest disabling JavaScript by default for +sites you don't trust. In Tor Browser, it's as simple as clicking the +NoScript icon in the toolbar to whitelist a website. There was a +NoScript bug found not too long ago that allowed sites to bypass +settings regardless, but this has since been fixed and hopefully +there will not be similar incidents in the future. 
This is why I +strongly dislike modern Web browsers; they're too big to make sure +that they're entirely bug-free. (I personally use uMatrix instead of +NoScript, because it's much more configurable and can block more than +scripts, but it's probably not best to suggest in a "basic tips" +YouTube video.)</p> + +<p>Like I said in my previous E-mail, a VPN does not help with anonymity +in any way. You can still stick in that sponsorship for PIA if you +make clear it's only to keep users' Internet activity away from +<em>their own ISP</em>, and it gives them a different IP address perhaps in +a different country, if they so choose. This can be useful for +accessing region-locked websites, for instance, or for casual privacy +to prevent other people from finding someone's home IP address. The +VPN can still see and track all users' activity, but my opinions of +PIA aside, I believe from a business standpoint they will be very +careful about what they do with user information. Just know though, +depending on what country a VPN is based in, they might be forced to +comply with requests for user information by law.</p> + +<p>Enough about software; usually people are able to follow along until +it comes to something scary: they aren't safe until they change their +own behaviours as well. I was taught one thing as a kid, practically +every year in school there was a poster or a computer lab teacher +telling us "don't share your personal information with strangers +online". This seems to have been forgotten with the rise of social +platforms that encourage or require users to use their real info, and +it's really sad that things have taken a turn for the worse in this +regard. Even before I knew what Tor was, I never gave people so much as +my name, and to this day, while I did say some dumb shit in my early +teenage years (who hasn't done things before that seem foolish to them +now?) 
I can at least say I don't regret how I handled my personal +information during all these years. Nowadays, the Internet is a more +hostile place, with more people understanding the power of "big data" +and keen on collecting user information, with all the serious threats +regarding IoT security vulnerabilities (allowing for large-scale DDoS +attacks for cheap, or potentially worse attacks against the devices +themselves). So, it's more important than ever not to give anyone any +information that one might regret sharing later.</p> + +<p>Keeping a healthy amount of scepticism toward other users and services +online has always been a rule of thumb as well, albeit one that's lesser +talked about. (It's normally brought up by school librarians and English +teachers, who urge students to ensure that their citation sources are +credible.) A lot of people especially on Tor phrase it as "don't trust +anyone" which is an imprecise piece of advice. It might be good advice +for people who don't yet know what signs to look out for that tell apart +a normal user from a con artist or a federal agent (and federal agents +are perhaps best-equipped to produce convincing cover identities). I +don't open up to many people online, but I have definitely made at least +a couple real connections with Tor users. A lot of people, I don't +<em>need</em> to trust, such as the people I ask to join the moderation team on +Hidden Answers, or others I ask advice / questions from, for instance. +In the former case, I give moderators just enough access to the site to +do their jobs, and if a rogue moderator happens to slip through, the +damage is normally easily reversible. And we have had some cases of +rogue moderators -- usually just scammers who abused their position for +extra credibility, though. In the latter case, I can use my own logic to +verify whether someone's advice sounds reasonable, or I can cross-verify +with other sources.</p> +</blockquote> +</main> + </body> +</html> 
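Review bot: the generated XHTML in this hunk repeats, paragraph for paragraph, the text that the same commit adds as markdown in src/blog/staying-safe-online.md, so every wording fix has to be made twice and the two copies can drift apart. The closing `</blockquote>`, `</main>`, `</body>` and `</html>` lines look like template output rather than authored content. Suggest regenerating out/ from src/ as the last step before committing, or building it at deploy time and leaving out/ untracked. Typos such as "you'd bet I would say" should then be fixed in the markdown only.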
diff --git a/src/blog/guess-im-done-with-discord.md b/src/blog/guess-im-done-with-discord.md 
@@ -0,0 +1,123 @@ +# guess I'm done with Discord +<!--[time 201908152357.49]--> + +I'll let the E-mail ticket do most of the talking: + +> Hi, +> +> Today I received a prompt to verify my account with a phone number [1], +> which is the first time I have ever encountered this message in the +> entire time I've had my account (created 2017 Jan 09 according to my +> password manager). My account opal#6614 has a verified E-mail address +> (the one I'm sending this message from) and two-factor authentication. +> As I have mentioned in a prior support request, I use Tor to access +> Discord, both on my desktop and my phone. +> +> I refuse to provide phone verification as I believe it is Discord's +> fault for flagging my account even though I've never had an issue +> following terms of service. I do not spam, I do not upload content +> against terms of service (even though I disagree with the list of +> banned content), and I have never used this or other accounts to evade +> bans or other limitations. The reCAPTCHA upon login was insulting +> enough, and now being asked for a phone number is an even bigger spit +> in my face. The only thing I can think of that may have triggered +> Discord's crappy anti-spam detection, is the invite I sent to a user +> for my newly-created guild. That, and the fact I just so happen to be +> using Tor when sending the invite. Because, everything else about the +> invite was fine: I have been friends with the user I invited, and I did +> not spam the user (or any other users for that matter) whatsoever. +> +> Please make it so: +> 1. Discord's anti-spam isn't so anal, +> 2. my account (and other accounts in good standing and with proper 2FA) +> is exempt from such checks, and +> 3. I don't have to solve a Google reCAPTCHA for an account I have taken +> every step to protect against bruteforcing. Using Tor is not a crime; +> don't treat it as such. 
+> +> I'm tired of Discord's attitude toward things like this and I'll sooner +> abandon my account and uninstall the app if I am unable to access my +> account. I will recommend all my friends to migrate to a more suitable +> platform if this continues, too. I am not part of Discord Hype Squad +> for very good reason; Discord has shown to be hostile toward FOSS and +> privacy for a while now. +> +> [1]&lt;<https://pl.wowana.me/media/0bf9e6e5cb428f89596e9d217f281d4f054895c85a3450a5b7fb2d876e8f6bc1.png>> +> +> Thanks, +> +> wowaname &lt;<https://wowana.me/pgp.xht>> + +reply: + +> Hi opal, +> +> Thanks for reaching out! +> +> Sorry to hear that you're walled out of your account. I just checked with my team, and upon review of your account, it appears that our system's detection system has triggered successfully and we will not be removing the phone verification requirement on your account, and you'll be required to register a phone number to your Discord account in order to continue the use of it. +> +> It's possible that our system detected that you were using a VPN or proxy that was shared with other bad actors, which is why our system flagged your account. However, for privacy reasons, we're not able to share the specifics of the inner workings of our system. +> +> I understand that you put privacy above all else, however, we won't be able to remove the phone verification prompt and you really need to use a phone number to get back into the account. Just a heads up, if you're currently using a VOIP or landline number, unfortunately, VOIP and landlines are not compatible with our verification system. +> +> Otherwise, if you have recently attempted to verify this number already, our system will put a timeout on a number from being used again for anti-abuse purposes, and unfortunately, you will need to wait for the end of the timeout to use the number once more or use a different number to verify the account. 
Sadly, because the system automatically detects and generates a timeout period when a phone number has been used multiple times to verify an account, there is no exact ETA for when the number will be able to used to verify another account. +> +> If that's not the case, let me know what number you're trying to register and I'll be more than happy to double check in our system. +> +> Best, +> Devemer + +my reply: + +> > upon review of your account, it appears that our system's detection +> > system has triggered successfully and we will not be removing the +> > phone verification requirement on your account, and you'll be required +> > to register a phone number to your Discord account in order to +> > continue the use of it. +> > +> > It's possible that our system detected that you were using a VPN or +> > proxy that was shared with other bad actors, which is why our system +> > flagged your account. However, for privacy reasons, we're not able to +> > share the specifics of the inner workings of our system. +> +> I've been accessing Discord with Tor just fine for several months now. +> How in the hell is my account suddenly a threat to Discord? +> +> > I understand that you put privacy above all else, however +> +> No, you don't understand. I will *not* give any phone number for +> verification. I am treated like an abuser of the Discord service, I am +> singled out for my use of Tor. I take this personally. If Discord blocks +> Tor, then clearly you do not want to see me as a user. I will do my best +> to find an alternate platform with a user interface my friends and other +> peers are comfortable with. Discord has never held a monopoly over chat +> and voice, and it never will. An alarming amount of your userbase is +> vocally unhappy with Discord just as I am, as I have noted from many +> conversations across several guilds. 
+> +> I've enabled 2FA, I rotate my passwords at least once a year, I do not +> engage in password reuse, I choose strong passphrases, I verified my +> E-mail. Discord will not bully me into solving reCAPTCHAs as free labour +> for Google, nor will it bully me into providing a phone number. If you +> or any other representative/specialist will not override this asinine +> "detection system" despite this abundant evidence that I am not a bad +> actor, then it's simple, I will leave Discord. I've tolerated all of +> Discord's other shortcomings without much protest, but I will not stoop +> any lower to remain on the platform. +> +> Unless you can refer me to someone who can look into this given the +> *context* of my account, this will be my last reply. I will be making +> this message thread public, in the interest of other current and +> potential Discord users. + +---- + +in a nutshell, unless Discord has a change of heart and allows me access +to my account, I will cease to use its service. chances seem slim, +though, especially considering they shot down my suggestion to remove +reCAPTCHA puzzles from the login form, even when 2FA is active on the +account in question. + +I will be communicating with a couple communities with which I'm +involved to explain that I am unable to use Discord, and with any luck, +we can explore user-friendly alternatives together. diff --git a/src/blog/staying-safe-online.md b/src/blog/staying-safe-online.md 
@@ -0,0 +1,103 @@ +# staying safe online +<!--[time 201908240015.20]--> + +this is an E-mail I typed out and figured it'd be fitting as its own +public post: + +> If you want the closest thing to true anonymity from software +> perspective, I'd suggest Tails because it's pre-configured to proxy +> everything through Tor. It can be run with a live CD / USB on bare +> metal, or it can be used in a virtual machine of the user's choosing +> (personally I use qemu for Linux, and I think virt-manager is a GUI +> frontend for it, but a lot of people may have heard of VirtualBox +> which is cross-platform). Even I use Tails for certain things +> although I consider myself to be proficient and able to set up my own +> anonymous system; sometimes it isn't worth the trouble when I need to +> be sure that my system is safe, though. +> +> If you want an "everyday setup" where anonymity isn't key, but you +> still want security and casual privacy, drop Windows in favour of +> Linux, and grab the Tor Browser if you want to browse the Internet +> through Tor (not limited to onion websites, which seems to be a +> misconception for people "exploring the deep web"). Steam can play a +> lot of games in Linux, Wine can run many Windows programs, and as a +> last resort, a user can set up a Windows virtual machine or set up +> dual-booting (although from my understanding, Windows can fuck with +> dualboot partitioning, so this might be an advanced topic. Personally +> I don't trust Windows with hardware access at all, anymore). One big +> issue (that unfortunately I have to face as well) is NVidia graphics +> support in Linux. The best solution to any NVidia issues is to replace +> the NVidia GPU with AMD, because AMD ships open-source drivers, or, if +> the user doesn't do much gaming then it's likely fine to just use the +> integrated graphics from the CPU. 
It's an unfortunate fact that NVidia +> is very anti-consumer; if I had other suggestions you'd bet I would +> say, but my friend and I (and many other people) have had nothing but +> issues with NVidia. +> +> For additional safety, no matter whether you use Tor Browser in +> Tails, or Tor Browser in Linux, or even a normal browser in Linux +> like I do: I strongly suggest disabling JavaScript by default for +> sites you don't trust. In Tor Browser, it's as simple as clicking the +> NoScript icon in the toolbar to whitelist a website. There was a +> NoScript bug found not too long ago that allowed sites to bypass +> settings regardless, but this has since been fixed and hopefully +> there will not be similar incidents in the future. This is why I +> strongly dislike modern Web browsers; they're too big to make sure +> that they're entirely bug-free. (I personally use uMatrix instead of +> NoScript, because it's much more configurable and can block more than +> scripts, but it's probably not best to suggest in a "basic tips" +> YouTube video.) +> +> Like I said in my previous E-mail, a VPN does not help with anonymity +> in any way. You can still stick in that sponsorship for PIA if you +> make clear it's only to keep users' Internet activity away from +> *their own ISP*, and it gives them a different IP address perhaps in +> a different country, if they so choose. This can be useful for +> accessing region-locked websites, for instance, or for casual privacy +> to prevent other people from finding someone's home IP address. The +> VPN can still see and track all users' activity, but my opinions of +> PIA aside, I believe from a business standpoint they will be very +> careful about what they do with user information. Just know though, +> depending on what country a VPN is based in, they might be forced to +> comply with requests for user information by law. 
+> +> Enough about software; usually people are able to follow along until +> it comes to something scary: they aren't safe until they change their +> own behaviours as well. I was taught one thing as a kid, practically +> every year in school there was a poster or a computer lab teacher +> telling us "don't share your personal information with strangers +> online". This seems to have been forgotten with the rise of social +> platforms that encourage or require users to use their real info, and +> it's really sad that things have taken a turn for the worse in this +> regard. Even before I knew what Tor was, I never gave people so much as +> my name, and to this day, while I did say some dumb shit in my early +> teenage years (who hasn't done things before that seem foolish to them +> now?) I can at least say I don't regret how I handled my personal +> information during all these years. Nowadays, the Internet is a more +> hostile place, with more people understanding the power of "big data" +> and keen on collecting user information, with all the serious threats +> regarding IoT security vulnerabilities (allowing for large-scale DDoS +> attacks for cheap, or potentially worse attacks against the devices +> themselves). So, it's more important than ever not to give anyone any +> information that one might regret sharing later. +> +> Keeping a healthy amount of scepticism toward other users and services +> online has always been a rule of thumb as well, albeit one that's lesser +> talked about. (It's normally brought up by school librarians and English +> teachers, who urge students to ensure that their citation sources are +> credible.) A lot of people especially on Tor phrase it as "don't trust +> anyone" which is an imprecise piece of advice. 
It might be good advice +> for people who don't yet know what signs to look out for that tell apart +> a normal user from a con artist or a federal agent (and federal agents +> are perhaps best-equipped to produce convincing cover identities). I +> don't open up to many people online, but I have definitely made at least +> a couple real connections with Tor users. A lot of people, I don't +> *need* to trust, such as the people I ask to join the moderation team on +> Hidden Answers, or others I ask advice / questions from, for instance. +> In the former case, I give moderators just enough access to the site to +> do their jobs, and if a rogue moderator happens to slip through, the +> damage is normally easily reversible. And we have had some cases of +> rogue moderators -- usually just scammers who abused their position for +> extra credibility, though. In the latter case, I can use my own logic to +> verify whether someone's advice sounds reasonable, or I can cross-verify +> with other sources.
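Review bot: in the JavaScript paragraph of src/blog/staying-safe-online.md, the NoScript bypass is described only as "found not too long ago" and "since been fixed", with no link, date or fixed version, so a reader cannot check whether their own Tor Browser carries the fix. Suggest linking the advisory or naming the release that fixed it. Two wording nits in the same file: "you'd bet I would say" in the NVidia paragraph probably wants "you bet I would say so", and "lesser talked about" in the last paragraph wants "less talked about".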
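Review bot: in src/blog/guess-im-done-with-discord.md, the quoted support reply is published with the agent's sign-off name ("Devemer") intact, although the post's argument is with Discord's policy and not with that individual. Suggest replacing the sign-off with a role such as "Discord support" before publishing the thread. A smaller markup point in the first quoted e-mail: the `[1]` screenshot link and the PGP link in the signature each open with an escaped `&lt;` but close with a raw `>`; closing with `&gt;` would keep the two sides consistent and avoid relying on how the markdown renderer treats a bare `>`.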