Kev

Kev

HomeArchives

Common Misconceptions

#隐私#安全#secure#privacy107
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The article discusses common myths about the security of open-source and proprietary software, the concept of trust transfer in privacy solutions, and the importance of considering technical guarantees over privacy policies and business practices. It also provides tips for finding the best privacy solutions without overly complex threat models and discusses different identity scenarios and the use of VPNs and Tor for privacy protection.

"Open source software is always secure" or "proprietary software is more secure"¶
These myths stem from many biases, but whether the source code is available and the licensing of the software does not inherently affect its security in any way. Open source software may be more secure than proprietary software, but it cannot be guaranteed. When evaluating software, you should individually examine the reputation and security of each tool.

Open source software can be audited by third parties and is often more transparent than proprietary software regarding potential vulnerabilities. It also allows you to inspect the code and disable any suspicious features you discover. However, unless you do so, there is no guarantee that the code has been evaluated, especially for smaller software projects. The open development process is sometimes exploited to introduce new vulnerabilities, even in large projects.1

On the other hand, proprietary software has lower transparency, but that does not mean it is insecure. Major proprietary software projects can undergo audits by internal and third-party organizations, and independent security researchers can still discover vulnerabilities through techniques like reverse engineering.

To avoid making biased decisions, it is crucial to evaluate the privacy and security standards of the software you use.

"Transferring trust can increase privacy"#

When discussing solutions like VPNs, we often talk about "transferring trust" (which transfers your trust from your ISP to the VPN provider). While this specifically protects your browsing data from your ISP, your chosen VPN provider still has access to your browsing data: your data is not fully protected from all parties. This means:

You must be cautious when choosing a provider to transfer trust to.
You should still use other technologies like E2EE to fully protect your data. Not trusting one provider and trusting another does not protect your data.

"Privacy-centric solutions are inherently trustworthy"#

Focusing solely on the privacy policies and marketing of a tool or provider may blind you to its weaknesses. When looking for a more private solution, you should identify the potential issues and find technical solutions to address them. For example, you may want to avoid using Google Drive because it allows Google to access all your data. In this case, the underlying issue is the lack of E2EE, so you should ensure that the provider you switch to actually implements E2EE or use a tool like Cryptomator that provides E2EE on any cloud provider. Switching to a "privacy-centric" provider that does not implement E2EE does not solve your problem; it simply transfers trust from Google to that provider.

The privacy policies and business practices of the provider you choose are important, but they should be seen as secondary to the technical guarantees of your privacy: you should not transfer trust to another provider when it is not necessary.

"Complexity is better"#

We often see people describing overly complex threat models. These solutions often involve multiple different email accounts or complex setups with numerous moving parts and conditions. The response is usually an answer to "what is the best way to do X?"

Finding the "best" solution for yourself does not necessarily mean searching for an absolutely reliable solution with dozens of conditions—it is often difficult to use such solutions in practice. As we discussed earlier, security is often traded for convenience. Here are some tips:

Actions should serve a specific purpose: Think about how to accomplish what you want to do with the fewest actions.
Eliminate human failure points: We fail, get tired, forget things. To maintain security, avoid relying on manual conditions and processes that you have to remember.
Use the right level of protection for your intent: We often see recommendations for so-called law enforcement or subpoena-proof solutions. These often require expertise and are usually not what people want. If you can easily de-anonymize yourself with simple surveillance, building complex threat models for anonymity makes no sense.
So, how does this look?

One of the clearest threat models is when people know who you are, and another is when they don't. In some cases, you must disclose your legal name, while in others, you don't need to.

  1. Known identity - Known identity is used for things where you must declare your name. Many legal documents and contracts require a legal identity. This may include opening a bank account, signing property leases, obtaining a passport, customs declarations when importing goods, or any interaction with your government in general. These things often lead to credentials such as credit cards, credit checks, accounts, and potentially physical addresses.
    We do not recommend using a VPN or Tor for these things because your identity is already known through other means.

Tip
Using parcel lockers when shopping online can help protect the privacy of your actual address.

  1. Pseudonymous identity - Pseudonymous identity can be a fixed pseudonym that you frequently use. It is not anonymous because it does not change. If you are a member of an online community, you may want to maintain a role that others know. This pseudonym is not anonymous because—if monitored for long enough—more information about the owner can be revealed, such as their writing style, general knowledge of topics they are interested in, etc.
    You may want to use a VPN for this to hide your IP address. Financial transactions are harder to conceal: you may consider using anonymous cryptocurrencies like Monero. Using privacy coins for transfers may also help conceal your source of funds. Usually, exchanges require completing KYC (Know Your Customer) before you can convert fiat currency into any type of cryptocurrency. Local meetup options may also be a solution; however, these are often more expensive and sometimes require KYC.

  2. Anonymous identity - Even with experience, anonymous identities are difficult to maintain in the long term. They should be short-term and periodically rotated.
    Using Tor can help address this issue. It is also worth noting that greater anonymity can be achieved through asynchronous communication: real-time communication is susceptible to input pattern analysis (i.e., exceeding a certain length of text, being distributed across forums, via email, etc.)
    Source: privacyguides

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.