hetzlemmingsworld

joined 5 months ago
 

When You enable removal of all cookies upon web browser restart, is it wise to exempt tens of sites by adding them to the exception/allowed list:

about:settings#privacy -> Cookies... -> Manage exceptions "You can specify which websites are always or never allowed to use cookies and site data."

i am constantly bothered by the Stack Exchange Network which constantly keep me logged-out and when i login, it redirect me to a homepage instead of a previous page, when i go back, it shows as logged out, so i have to F5 the page. And this constantly repeats.

Am I rendering my attempt to reduce tracking near pointless by allowing many sites like Microsoft's Github, Stack overflow etc. to permanently store the data incl. cookies?

[–] hetzlemmingsworld@lemmings.world 1 points 3 months ago* (last edited 3 months ago)

Please consider clarifying what do you mean by changing identity for the business.

[–] hetzlemmingsworld@lemmings.world 1 points 3 months ago (1 children)

Full-Chain Membership Proofs (FCMP), as a concept, is a replacement for rings within the Monero protocol. ... This means every input goes from an immediate anonymity set of 16 to 100,000,000.

https://ccs.getmonero.org/proposals/fcmp++-development.html shows "Completed 0 of 7 milestones" at my end.

 

cross-posted from: https://lemmings.world/post/12787893

  1. SEPARATE MONERO ACCOUNTS - For privacy reason, organize own funds into accounts like “cash”, “work”, “trading”, “mining”, “donations”, etc.. And in order to later combine these individual accounts funds, sweep/withdraw each of the account balance the way, that you do NOT sweep/withdraw multiple accounts balances in a single transaction, but one transaction per account. Feather wallet may do this thanks to its "Coin control" functions? Source: https://getmonero.dev/public-address/subaddress.html ; https://docs.featherwallet.org/guides/features

  2. WAIT/AGE XMR AFTER RECEIVING IT - After receiving Monero (XMR) from a 3rd party, wait some time (a few hours to a few days)

  3. CHURN/MIX XMR BY SENDING IT TO OTHER OWN ACCOUNT - Churning/mixing means to send your Monero/XMR to a different account/wallet in order to make it harder for others to track you: "So after 1 churn, there is a 1 in 16 chance (6.25%) that this transaction is yours. After 2 churns, it is a 1 in 16x16 = 1/256 = 0.39% chance that the final output of the route is yours. After 3 churns, 1 in 16x16x16 = 1/4096 = 0.0244%".

    A) Send your entire (or part of) your account's balance to a different account/wallet of yours, such secret destination account won't be used for receiving 3rd party XMR (only yours).

    B) Send your entire account's balance to same account (its own address - self). In case you would send partial, you would mix churned outputs with non-churned making your anonymization effort more or less pointless.

  4. WAIT/AGE CHURNED/MIXED XMR AGAIN

  5. CHURN/MIX AGAIN BY SENDING TO SELF OR 3RD PARTY - In order to decrease chance (from above mentioned 6.25% to 0.39%) of output being attributed to you. When having various Monero accounts for various purposes (e.g. "work", "home"), possibly churn 2x before "merging" XMR from multiple accounts of yours, example: KYC'ed 3rd party -> MyWork -> MyWork2nd ......... 3rd party -> MyHome -> MyHome2nd -> MyHome3rd -> MyWork2nd


FAQ: Why it is not pointless to send Monero from/to self, meaning same account? Because sending to same account is effective in decreasing the chance of a transaction being traced (attributed to you), since "there is no way to see the address" and other person says "You can send to yourself as many times as you want, without anyone knowing you're actually doing it. Every such transaction (called "churn") puts you in a bigger crowd of possible senders." and another person claims similar "churn to your own wallet, as it is not possible to link the output to the wallet".

 
  1. SEPARATE MONERO ACCOUNTS - For privacy reason, organize own funds into accounts like “cash”, “work”, “trading”, “mining”, “donations”, etc.. And in order to later combine these individual accounts funds, sweep/withdraw each of the account balance the way, that you do NOT sweep/withdraw multiple accounts balances in a single transaction, but one transaction per account. Feather wallet may do this thanks to its "Coin control" functions? Source: https://getmonero.dev/public-address/subaddress.html ; https://docs.featherwallet.org/guides/features

  2. WAIT/AGE XMR AFTER RECEIVING IT - After receiving Monero (XMR) from a 3rd party, wait some time (a few hours to a few days)

  3. CHURN/MIX XMR BY SENDING IT TO OTHER OWN ACCOUNT - Churning/mixing means to send your Monero/XMR to a different account/wallet in order to make it harder for others to track you: "So after 1 churn, there is a 1 in 16 chance (6.25%) that this transaction is yours. After 2 churns, it is a 1 in 16x16 = 1/256 = 0.39% chance that the final output of the route is yours. After 3 churns, 1 in 16x16x16 = 1/4096 = 0.0244%".

    A) Send your entire (or part of) your account's balance to a different account/wallet of yours, such secret destination account won't be used for receiving 3rd party XMR (only yours).

    B) Send your entire account's balance to same account (its own address - self). In case you would send partial, you would mix churned outputs with non-churned making your anonymization effort more or less pointless.

  4. WAIT/AGE CHURNED/MIXED XMR AGAIN

  5. CHURN/MIX AGAIN BY SENDING TO SELF OR 3RD PARTY - In order to decrease chance (from above mentioned 6.25% to 0.39%) of output being attributed to you. When having various Monero accounts for various purposes (e.g. "work", "home"), possibly churn 2x before "merging" XMR from multiple accounts of yours, example: KYC'ed 3rd party -> MyWork -> MyWork2nd ......... 3rd party -> MyHome -> MyHome2nd -> MyHome3rd -> MyWork2nd


FAQ: Why it is not pointless to send Monero from/to self, meaning same account? Because sending to same account is effective in decreasing the chance of a transaction being traced (attributed to you), since "there is no way to see the address" and other person says "You can send to yourself as many times as you want, without anyone knowing you're actually doing it. Every such transaction (called "churn") puts you in a bigger crowd of possible senders." and another person claims similar "churn to your own wallet, as it is not possible to link the output to the wallet".

 

Some feedback regarding Proton VPN documentation and some confusion regarding Firefox DNS configuration:

https://protonvpn.com/support/browser-extensions#firefox says:

"By default, Firefox does not route DNS queries through the HTTPS connection to our VPN servers" and then is mentioned a workaround to fix it.

That suggest alarming thing, that ProtonVPN Firefox user has to do some custom workaround in order to be private (prevent a DNS leak).

On another hand, https://protonvpn.com/support/dns-leaks-privacy says:

"DNS queries are routed through the VPN tunnel to be resolved on our servers"

these statements are a bit confusing/contradicting (though Proton later explains that this latest statement does not apply on a browser extension VPN apps) and Proton further adds at https://protonvpn.com/support/dns-leaks-privacy/#dns-over-https that the DNS leak can happen also due to enabled DoH feature in web browser.

Solution: ProtonVPN browser extension should (if possible) warn user in case it fails to process DNS and as a result, it is leaked. Vote for this feature request


Another "issue" is with the above mentioned/linked workaround (here I am speaking only about Firefox), this workaround: go to "about:config into the URL bar and hit . At the warning, click Accept the risk and continue → search for network.trr.mode"

In my case I had this set that variable to 5 which means DoH "Off by choice", Proton in said tutorial suggest value 3 instead, which means (According to https://wiki.mozilla.org/Trusted_Recursive_Resolver#DNS-over-HTTPS_Prefs_in_Firefox ) "Only use TRR, never use the native resolver.".

This confuses me since it looks like an opposite to what i have now, while any DNS leak site:

https://www.dnsleaktest.com

https://ipleak.net

does NOT report leak in my case nor in case i set network.trr.mode to 3. A bit weird but i guess no big deal?

Thanks for your feedback in advance.

 

Reposted from: https://lemmings.world/post/10879238

I am talking about some way to report it (without exposing my identity - using Tor browser) or let it be shutdown.

Related Tor FAQ: https://support.torproject.org/abuse/#abuse_remove-content

Report1: https://report.cybertip.org

Report2: https://www.iwf.org.uk/en/uk-report/

Report3: https://www.inhope.org/EN#hotlineReferral

Here is how to report bad site, in case you find any clearnet traces on the .onion site, incl. email address.

In this particular case, I have been able to spot the ODER/BUY NOW link which lead to a clearnet site. Within a second, it then redirected to a onion site, where I have found an e-mail address. So i had 2 ways to report this (clearnet website and an e-mail).

So run whois lookup (for example at https://who.is/whois/ for mentioned clearnet redirect domain name) and inside the output, discover which nameservers/hosting company it is using. Since it has been using Cloudflare, I have submitted the report form on Cloudflare site. Second thing is that e-mail address the paedopile worm provided on the site. I could visit that email service domain to find abuse contact. I have written steps on how i have discovered the initial link and found the e-mail so they can verify the case.

Do you know other way when you do not find any clearnet traces?

6
submitted 4 months ago* (last edited 4 months ago) by hetzlemmingsworld@lemmings.world to c/security@lemmy.ml
 

Reposted from: https://lemmings.world/post/10865023

1. Recognize the common signs

• Urgent or emotionally appealing language • Requests to send personal or financial information • Unexpected attachments • Untrusted shortened URLs • Email addresses that do not match the supposed sender • Poor writing/misspellings (less common)

2. Resist and report Report suspicious messages by using the “report spam” feature. If the message is designed to resemble an organization you trust, report the message by alerting the organization using their contact information found on their webpage.

I have found also these phishing reporting pages:

SITE: https://safebrowsing.google.com/safebrowsing/report_phish/

SITE: https://www.ncsc.gov.uk/section/about-this-website/report-scam-website

SITE: https://www.scamwatcher.com/scam/add?type=fraudulent_website

SITE/EMAIL: https://report.netcraft.com/report ( scam [*AT*] netcraft [*D0T*] com - for a phishing/fraud mail forwarding )

EMAIL: https://www.ncsc.gov.uk/collection/phishing-scams/report-scam-email#section_1 - forward phish mail to report [*AT*] phishing [*D0T*] gov [*D0T*] uk

EMAIL: https://apwg.org/reportphishing/ ( reportphishing [*AT*] apwg [*D0T*] org - forward phishing mail as attachment if possible )

EMAIL: phishing-report [*AT*] us-cert [*D0T*] gov (phishing message should be sent as attachment possibly or its full source code in a message BODY.)

OTHER: https://www.knowbe4.com/free-phish-alert (email client extension)

feedback or new additions are welcome

3. Delete Delete the message. Don’t reply or click on any attachment or link, including any “unsubscribe” link. The unsubscribe button could also carry a link used for phishing. Just delete


Source: https://www.cisa.gov/secure-our-world/recognize-and-report-phishing

Send this to your friends, especially internet beginners.

 

If anyone wants to check, here is a video showing a Firefox dev. console (F12 key) and errors occured on https://www.openstreetmap.org/search?query=Oslo#map=8/59.973/10.723

I would like to find the causing extension without the need of disabling extensions randomly or by disabling half of extensions, then if issue solved, disable half of that half etc..

Sometimes it helps to hover over the link near the error on dev. console (F12 key), Console tab, to see the moz-extension://somestring and find first characters of the string at page about:debugging#/runtime/this-firefox Though this time, it does not show that IMO (per the linked video).

If I should click something particular in a FF dev. console (F12), please guide me. Thank you.

3
submitted 4 months ago* (last edited 4 months ago) by hetzlemmingsworld@lemmings.world to c/law@lemmy.world
 

SPAM companies like DataPacket/DataCamp, 247.ro continuing to SPAM while using IPs from RIPE, which says "RIPE NCC does not have the legal power to investigate these types of issues or take action against ISPs, other organisations or individuals. ... If you require further assistance, we suggest contacting your local law enforcement agency or seeking legal advice." I know that there are many victims of their unsolicited messages, yet why they are allowed to operate for years, law not reaching them? What one can do except submitting their IPs to:

https://www.spamcop.net

https://www.spam.org/report

https://signalants.signal-spam.fr/reportings/new

https://www.abuseipdb.com

https://cleantalk.org/blacklists

I have tried to submit to TrustPilot, but they are protecting SPAMmers.

[–] hetzlemmingsworld@lemmings.world 2 points 5 months ago* (last edited 5 months ago) (1 children)

Ok, so spending received XMR within 15 blocks (block time seems to be 2 minutes, so half a hour) is too early and spending every 6 months incoming payments in one single tx to my secondary wallet i suppose is too long time.. hmm, that is all quite complicated, I can't asses/compare these times (30 minutes vs 1 month vs 6 months) significance of the impact on anonymity. But thank you.

I will need to consolidate/sweep hundreds of transactions maybe once per year and pay it to someone in one big transaction. This big transaction is mandatory, i can not pay them in small amounts. The plan on how to proceed is already mentioned below when you search for "C)" on this page. Please if it is wrong or if you have an improvement idea (anonymity-wise), comment on that below. Thank you

Thx, I have found that the small to medium Lemmy instances are NOT aware about the post, yet most of big instances are. So it fits what has been said: "New posts and comments should always propagate if at least one user is subscribed to the community." - big instances and old instances has higher likelyhood of someone being subscibed to it prior to me posting the post, so the instance could download that post. Related topic: What are the conditions for the Lemmy post to be distributed to other Lemmy instances?

[–] hetzlemmingsworld@lemmings.world 1 points 5 months ago (3 children)

what you meant.

You have not meantioned what you have not understood, so i can tell that my question was if i should be withdrawing my receiving Monero wallet often or if is ok to withdraw it rarely. (when it comes to privacy/anonymity, which way is better, how much better or even if you want to tell why)

 

3 password managers at same time 🧐 :

My older version of a Firefox browser remember most of my passwords (I am ok how it works), but some important passwords are also stored in KEEpass and not in Firefox. Then there is a ProtonPass which can import both Firefox CSV and KeePass XML.

Problem with import and synchronization of these managers is that the

  1. Pass is not made to deduplicate the imported data (some imported logins may already be in vaults), which requires user to delete Pass logins prior importing a .csv file (importing because file contains more up to date logins).

  2. import does not contain 2FA secrets nor aliases (aliases deleted in Pass can not be restored into Pass at the time of writing - June 2024).

Firefox and Proton Pass - PROS and CONS (as of June 2024):

Quality of suggested logins:

⛔️ Firefox (old ver.) suggests all passwords saved across whole website incl. its subdomains which is messy

✅ Pass: suggests only passwords for a present page (not subdomains) = good

⛔️ Pass: does not automaticaly complete/suggest login when typing into username field and the list of saved logins is not alphabetically sorted by the username.

Speed:

✅ Firefox: shows saved logins instantly

⛔️ Pass: 1 second delay of a Proton Pass drop down menu with login username suggestions comparing to Firefox which loads immediately and gives impression that it loads even before login page finished loading. Both password managers loads at same time on user mouse click into the login field. Delay of a ProtonPass happens only when the suggestion menu should appear automatically upon loading a login page.

Registration form suggestions:

✅ Firefox: suggests previously used usernames/emails when typing, which is fine

🆗 Pass: does suggest anything when i type, as already mentioned. When I click, it suggests main ProtonMail address and allows generating unique alias which is very important key feature

🆗 Pass: password generating box shows non-important confirmation of a successfully copied password, which hides after like 2 seconds, making impossible to read the next form field during that time, which is annoying.

Login form suggestions:

⛔️ Pass: does not offer any login suggestion on a Basic HTTP Auth (.htaccess password protection of a directory) forms (popup) of mine (site: ILF admin, C*A/my)

Other:

⛔️ Pass: in Firefox i think it sometimes gets logged out requring to spend time re-login which may require 2FA auth from other device or other password manager.

✅ Pass: editing, grouping of passwords seems a bit better than Firefox

✅ Pass: Integrated 2FA

✅ Pass: Pass monitor in paid plan, password strength/leak indication

PROS vs CONS. What to do?

ProtonPass is a bit slower than Firefox, yet it has its advantages - email alias generating, 2FA....

SimpleLogin browser extension can be used for Proton aliases and if you do not need 2FA, it may be easier to stay with just Firefox, which is enough safe manager since I am already making backups of a Firefox (incl. passwords - which are also synced E2EE to the Mozilla cloud https://support.mozilla.org/en-US/kb/sync#w_is-it-secure).

Other option is to use Pass only for aliases and 2FA and inside its General settings, disable passwords saving and filling, letting Firefox do this job.

Third manager (for example KeePassXC) can serve as a backup, it can also import exports of Pass and Firefox. I guess it would be good to backup any password manager (incl. Pass) data regularly on schedule.

What are your suggestions/feedback regarding this?

 

After removing all passwords under three dots/kebab menu in the top corner of the page "about:logins", i wanted to import passwords from a Proton Pass to see how it works. Yet there is no import menu entry. After researching, I have found a solution that I want to share:

go to "about:config" page, and search for "signon.management.page.fileImport.enabled". Set it to true by double clicking on "false". Reload "about:logins" page to see the import menu entry under three dots corner menu.

 

Firefox 115.12.0esr with Pass 1.17.4

On various pages including https://lemmy.ml/signup when I click 1st time into a email or password field, Pass shows a "suggestion" box, when I click one more time into that form field, the box now fails to hide even i click outside of it. Workaround is to click into different form field.

Anyone is experiencing the same? On which platform/pass version?

https://lemmy.ml sidebar shows "4.49K Communities; 129K Posts; 557K Comments" Maybe only admin can discover accurate number of indexed pages by adding their site into a Google/Bing webmaster tools and verifying the site ownership.

[–] hetzlemmingsworld@lemmings.world 1 points 5 months ago* (last edited 5 months ago) (1 children)

I think that when I am having link like https://lemmings.world/post/10530999 or knowing a title of the post, i can not discover in which community it has been posted... When I check same number of post on different instance: https://lemmy.ml/post/10530999 it does NOT work. Yet the search works: https://lemmy.ml/search?q=10530999 is there no other/easier way than opening one big instance after another (for example from the list https://lemmyverse.net/?order=posts&open=true ) and use search like that?

[–] hetzlemmingsworld@lemmings.world 1 points 5 months ago* (last edited 5 months ago) (2 children)

What are the steps to discover it knowing ONLY lets say "lemmings.world/post/10530999" and nothing else. If that is not possible, then knowing title "Dead Lemmy instance, how/where to find backup of the post that was on the offline instance?" and mentioned URL, while not knowing parent community name or the instance from which the post originated.

 

Reposted from: https://lemmings.world/post/10530999

Please what are the easiest and fastest steps in order to find backup of a currently unavailable post thanks to no longer running Lemmy instance?

Lets say it is this post we are reading, that become offline. I am not asking for the links to instances that hosts it, but for the way on how to discover all the instances myself.

So far I have found only this way:

  1. open largest instances list: https://lemmyverse.net/?order=posts&open=true
  2. open one after another and under magnifier button, search for the same post ID (number) as your dead link has

OF opinion: good not to be adicted to it or to anything actually.

[–] hetzlemmingsworld@lemmings.world 2 points 5 months ago* (last edited 5 months ago) (2 children)

The more outputs you have/use, to more traceable you get

Thanks for your input. ChatGPT says "using more outputs in your transactions can potentially lead to unintentional traceability if those outputs are later used in a larger transaction. This is why it is important to carefully plan and manage how you use outputs in your transactions to maximize privacy." So it confirms what you have said.

So I guess that I should avoid manually adding multiple outputs in aim to decrease chance of a tracking, I am saying that since i am usually getting small transactions and spending in big ones (which would "consolidate" small outputs and more less invalidate my anonymization effort). So I guess i will do just churning with single output to my secondary wallet and in case i want to "join" funds from "home" and "work" accounts, I can do:

C)

3rd party -> work -> work2nd

KYC'ed 3rd party -> home -> home2nd -> home3rd -> work2nd

and then spend big transaction from work2nd (or maybe i can skip the step "home3rd -> work2nd" and source the big transaction from various accounts, yet someone claimed last year "It seems that at the present moment, neither the Monero GUI/RPC/CLI wallets implement the ability to transfer from multiple addresses." and I can confirm I am unable to find it in Monero GUI [btw. it is very slow to sync (even tens of minutes if not ran for 2 weeks+), i am NOT running node and i am using Tor proxy inside it]. Feedback to what I have written is much appreciated.

[–] hetzlemmingsworld@lemmings.world 3 points 5 months ago* (last edited 5 months ago) (1 children)

don’t use a churn output with an unchurned output

You mean that the churning by sending from my wallet to this same wallet(i can also say account or sub account of the wallet) (sending to self) just part of its ballance, will result in churned and non churned outputs in that wallet and these will be joined together if i later (after a week) send a big transaction (or wallet sweep) causing my previous churning be pointless? Maybe in this case is better for simplicity to always churn (part or full balance - i do not know if there is any benefit in sending in parts or in full) to second account within my wallet (instead of sending to self/same address) to prevent this. And i will be sending XMR to a third parties only from that secondary account?

view more: next ›