Paranoia? (?)

It’s not paranoia if they’re really watching you.

Okay, random statement, no context, thrown out on the internet to nobody in particular. Not really any reason. It’s got a nice ring to it though.

Same way that a truly crazy person doesn’t know that they’re crazy. Doesn’t know, can’t tell, doesn’t cross their mind.

When paranoia becomes the question or a potential possible factor in something, an action, reaction, or explanation, you have to get really careful.

Take internet scammers. Pretty easy to spot, butt of jokes all over the places. Doesn’t take a genius to tell that a random Nigerian doesn’t want to send you $30 million dollars that you just inherited (bro,you’re fucking white as Eminem’s ass.)

But what when somebody(s) really want to do you in, and they set their eyes on it, or a goal (maybe just stealing as much money from plebs on the internet as possible without being caught.) What happens then? This is the internet, a website is not hard to make, and with experience, and then if you add talent on top of that, you can get trouble.

I can turn out a realistic site or copy, with or without magic tricks behind the curtains doing magical things, in about thirty minutes.Don’t care how hard you try to track and trace, if somebody truly doesn’t want to be identified on the internet, then they can wreck havoc whilst doing just that.

It’s a big place out there.

Don’t talk to strangers. 😉

Too Many Friends

What a problem for a man to have.

Not mine exactly, but it made for a more catchy title. Too many ways to talk to friends, enemies, random people. Too many different messaging systems, incompatible with each other, with different operating systems and devices, accounts, some can be used on one device, some on two, some five, some you need to remember to sign out. Some are encrypted well, like Signal, some claim end to end encryption (like Facebook Messenger’s “Secret” mode), but are actually either flawed or have a backdoor in them (yes, that’s aimed directly at Facebook, I’ll follow up a little later.)

Firstly: me. Want to contact me? In a bit of a state of flux and upgrading at the moment, but as of July 12, 2019, until likely July 31, 2019, use these contact details:

Phone: 0432 342 584 (+61 432 342 584 from outside Australia) – since 2003

Signal encrypted messenger: 0432342584 (same as phone, preferred over SMS)

Wickr: michael131991 (not checked as often)

Email: [email protected]

Website with this and PGP key: (PGP also at bottom of this page)

As of July 13, , main official homepage is online just fine.

What else is out there?

Well, you can phone people over a cellular network. Insecure. SMS and MMS over cellular is similar but easy. Signal and in some cases, WhatsApp, are tied to a phone number which may or may not be tied to your identity. WhatsApp is owned by Facebook and THEIR PRIVACY RECORD SUCKS. Facebook Messenger is insecure and even their “encrypted” “secret” chats can be unlocked by Facebook via a backdoor or sorts if law enforcement asks nicely (or maybe a skilled cracker, or a jealous Mark Zuckerberg.)

Email has many points of failure. PGP encrypted based email services like Tutanota and specifically Hushmail have proven to not be trustworthy – Hushmail was at the centre of a case where they used a key of their own to unlock a customer’s past emails for law enforcement. PGP/GPG itself is great; just type the password in yourself on your local computer. That cuts out probably 95% of the weaknesses. Most of the remaining 5% involves your kneecaps and a hammer.

Speaking of that, steganography. Veracrypt is the best encryption software out there, hands down. Found better? Show me. Veracrypt started as Truecrypt, and runs on Mac, Linux, and Windows. Supports encrypted file containers, disks, partitions, and full disk boot encryption on Windows (please bring it to Mac!) It supports many ciphers and hash functions to protect the password, as well as multiple key files or phyislcal USB keys that must be present and plugged in in conjunction with the password to grant access. The encryption algorithms used, at least AES, Twofish, and Serpent, are currently unbreakable (save torture), are currently unbreakable with a long password (long means a minimum of 30 characters.) Click here to go to the Veracrypt website, and if you’re running an oldschool computer, Mac OS X 10.6.8 32-bit for example, the original Truecrypt 7.1a can be dowloaded from this site (click.) Both Truecrypt and it’s successor, Veracrypt, can create hidden files or paratitions or drives within hidden partitions or drives and can use layers of decoy passwords. So follow that rabbit hole…

Continue reading

VPNs: AVOID “Hotspot Shield” and “Hotspot Shield Elite”

OK, a piece of advice regarding VPNs: AVOID Hotspot Shield, that means every version, the “free”, “elite”, “VPN”, and “proxy” version. It’s hard enough to find concensus on which commercial VPN is best or which are safe or not, but this one has had some bad press, some damning evidence, and I’ve personally caught it injecting advertising data into my web traffic when I used it a year or so ago. I saved the proof somewhere, it’ll be published when I come across it again or take another in depth look. I observed this happening by analysing a long capture of traffic with Wireshark.

Hotspot Shield interferes with and modifies your web traffic.

Take a quick read of this, too:

Hotspot Shield was named in a research paper for “actively injecting JavaScript codes using iframes for advertising and tracking purposes” with their Android VPN app. Furthermore, analysis of Hotspot Shield VPN’s source code revealed that they “actively use more than 5 different third-party tracking libraries.” Hotspot Shield was also found to be redirecting user traffic to e-commerce domains, such as and through partner networks.

In 2017, Hotspot Shield was officially named in an FTC complaint for alleged traffic interception. In 2018, Hotspot Shield was again in the news for a security flaw that revealed user locations. The company behind Hotspot Shield is AnchorFree, which runs other free VPN services as well.


One link is to this slightly more in depth article and also this one here.

And I thought Facebook scored badly for privacy

After seeing Facebook scoring a C for privacy, which actually was surprisingly high, I just saw a D; in the web interface for Gmail. Yeah, Google is bad too, shame they got the best webmail out there.

The rating comes from an extension called ‘DuckDuckGo Privacy Essentials” for the Firefox browser.

What I find most disturbing is the way it’s worded there, and because it’s a very accurate way of wording what is going on and the possible ramifications of it. Google will keep records of you visiting, from where, what computer, etc, FOREVER. They track, or try to track, you across most of the internet, and can use content that you have created in their own products without a second thought; and they can keep doing it into the future with whatever new widgets they come up with.

Bye bye privacy, welcome to 2019.

Are You Safe Online ? (Online privacy & security tests)

A partial copy from my page here:

How safe is it for you to be online right now? (Online 10 second tests!)

This easy to remember site is a quick way to check your IP address. Or at least, what is showing to the public as your IP address. DNSLytics is a more in depth service that analyses the structure of the internet.

BadSSL gives you a quick overview of how much modern security your web browser supports and is implementing.The more green on the screen, the safer you are. More red, less safe.

SSL Labs has a similar test. They also can test the security supported by a web server/website itself, just enter the address and let it go. And a third choice is How’s My SSL?

More tests (more specific or expert-oriented):

DNS Leak Check checks for DNS leaks, which can give away your identity even if you’re using a VPN. IP Leak also checks for them, as well as WebRTC leaks.

Can you see this site? Is your browser loading it? If so, your browser is being fooled by a forged security certificate/digital signature. You’re open to having your information stolen by phishing sites and other nasty things, and will be none the wiser. If you’re getting a security error, you’re safe.

More links to browse (tests, writing, and advice):

SSL Labs Projects & Homepage and their full list of (expert) assessment tools

G-Sec list of downloadable tools (mostly Windows)

Cipher List’s of downloadable tools and a test or two

SSL Decoder lets you check to security configuration of a website or server, just enter the address

Ivan Ristic’s writing about web security and encryption

Bruce Schnier’s writing, well known encryption expert

COMODO’s online server/site tester, just enter the address (currently not working)

Website reputation checker URLVoid is here. Close friend IP void which checks the server IP address is here.

Webmaster Tips has a list of site checking tools (like safety and reputation), same story with Google’s Transparency Report, the McAfee Site Advisor, whereas VirusTotal checks sites and downloaded files for viruses and threats.

DNSLytics is a great site, server, or IP address research and investigation tool. MXToolbox is similar and quite good too, as is Talos Intelligence.

More tools you can use to keep yourself safe and protect your privacy are over on this page:

Shame on Facebook, Shame, Shame, Shame

These three following screenshots sum it up; they’re from the Firefox browser privacy extension DuckDuckGo Privacy Essentials. This is the tip of the iceberg, and I’m dropping it off here without much explanation (for now.) Facebook does not care about your privacy of security whatsoever. Even their so called “secret messaging” which they claim is encrypted, actually has a backdoor in it that allows Facebook to access messages from the past when asked by law enforcement.