Internet scary much?

Discussion in 'The Pub' started by brownyy, Apr 10, 2011.

  1. Ok, the random girl thread aside, this kind of scared me and I wasn't even trying, honest!!

    I got bored the other day and started pondering track bikes to buy, and did a search on bike sales. I found one I wanted to ask the seller some questions about, but all you could do on the site was send them a message via the site, no contact details were given.

    So I sent him a message with questions about the bike and one of my write-off email addresses, and he replied to my email address - with his email - of course, no biggy, right?

    Fukn wrong.

    I got bored tonight (3am sunday morning) and did some sniffing around on the interwebs to see if this bike had any interesting history.

    I found out the following in 30 minutes from just his email address;

    --His full name
    --He is originally from an Asian country
    --His username on a specific non-national bike forum, and all associated posts
    --His myspace page
    --He was in a foreign country's navy and obtained the rank of sergeant
    --He has been trying to sell this bike since december
    --He likes cats
    --He plays guitar
    --Which university he studies at (haven't researched what he studied in yet)
    --His mobile phone number

    All, from a ****ing email address.

    Think about how exposed you may be... kinda scared myself with that one...

    flamesuit on?
  2. Nice, it's interesting, isn't it? You can find out most things about just about anyone with some basic information, and it's not illegal at all, as they were the ones that threw the information about the place in the first place.
  3. Don't let Hornet see this.
  4. sercurity? hehe nice tag :p
  5. коннор, Apr 10, 2011 (last edited by a moderator: Jul 13, 2015)
    Here's a post from another forum; it's a good writeup by a bloke who knows his stuff:

    Today, Jan 28th, is Data Privacy Day (also known as Data Protection Day in some places), and as such I decided to create a fairly comprehensive thread in the hopes that it will help you, maybe by making you a bit scared, secure your own privacy status today -- both online and in reality (security does not start and stop with the computer, after all, though all I talk about is computer-related security). One thing you must realize: security and privacy are at odds with ease-of-use. Securing up everything as tight as a bottle will hamper your ability to move around freely. However, if you take all the advice given in here to heart and choose the options you feel best, you will find yourself in a much more secure situation with little-to-no impact on your movement in the digital world. I apologize for the length; this ended up being significantly longer than I imagined, but there isn't anything I feel can be cut out.

    Special thanks to Exorince and Veeno for their help!

    Important definitions:
    • Two-factor/multi-factor authentication: The use of two (or more) forms of authentication. They must be different forms; using two items of the same form does not qualify (so two passwords is still considered single-factor authentication). There are three forms of authentication:
      1. Something you know (Password is most common, followed by a PIN, and in smartphones: a swipe pattern)
      2. Something you have: A keyfile, ID card, or a token
      3. Something you are: Anything biometric such as a fingerprint or iris scanner
    • Brute-force attack: A hacking attack where the hacker systematically tries every possible combination to gain access to your account
    • Dictionary Attack: A hacking attack where the hacker systematically goes through every word in the dictionary, followed by every name, followed by any personal information they know about you


    Passwords are the most common form of security around, and the most important. This issue will not be covered in its entirety here because of how prevalent it is, but rather this will be the starting point for strong passwords and other password-related things that apply to everything. Password-related content for specific services and products can be found in their own appropriate section.

    Here are some basic questions to start off with:

    1. Do you use the same password everywhere or almost everywhere?
    2. Are your passwords less than 12 characters in length?
    3. Do your passwords contain a word from the dictionary or a name properly spelled?
    4. Is one (or more) of the following missing from your passwords: a lower-case letter, an upper-case letter, a number, or a special character?

    If you answered "Yes" to any of the above questions, your password is probably weak, and if you see your password here, then you definitely have a weak password.

    So, what is wrong with the above things? Let's see:

    1. When you use the same password everywhere or almost everywhere, if any site gets hacked or you slip up and give out the password just once, all or almost all your accounts are compromised. -- XKCD on using the same password everywhere
    2. The shorter the password, the easier it is to crack. In some instances, short passwords use weaker encryption in general than longer ones (for example, Windows passwords under 15 characters use LM Hash, which is extremely weak, passwords with 15+ characters use NTLM)
    3. Words and names are extremely easy to crack with a modern PC by just doing a dictionary attack. It's all the easier if you have a botnet or supercomputer trying all the possibilities.
    4. The more variance in your password, the better. Having at least one of each character type significantly boosts your password strength compared to not.

    So, just how secure is your current password? Test it out here. If you are paranoid (which in this case is NOT a bad thing), you can view the source. It all runs locally and sends nothing back, it even works fine in offline mode. Still a little anxious about entering your password? Do what he says here and just type in something that is similar to your password

    Further reading: How I'd Hack Your Weak Passwords -- a bit on the old side, but still a great read.

    Remembering your Passwords

    But remembering a bunch of 12+ random character passwords is hard, right? Well, it doesn't have to be.

    To start, you can create a system to help you remember your complex passwords. The Mozilla team did a great job describing it, including a video. See here. Such a system can create very strong passwords and be quite memorable. I currently use a variation of it.

    Maybe you are still afraid you will forget your password. For this there are four options that I will discuss here. These are: KeePass, LastPass, TrueCrypt, and keeping them on you at all times. The first two are password managers, TrueCrypt is obviously a file encryption tool (which I will give more attention to in the future), and keeping them on you at all times, while counter-intuitive, does work. Each of these tools has its own distinct advantages and disadvantages, so I leave it up to you to choose the one you feel is best. First, though, let me address a question you are probably wondering about right now:

    So what is wrong with my browser's password manager?

    Quite simply: it is incredibly insecure, especially the way it is right now. Firstly the encryption on the password database isn't very strong (I can't even find information on Chrome's password database being encrypted). Are you using Google Chrome's password manager? All your usernames and passwords are just a click away and there is no way to fix that (don't believe me? See here). It's the same on Firefox unless you use a master password. Opera is a step up in that it will never show you the passwords, just the username, but the encryption is still weak. I really cannot recommend Chrome's password manager at all as there is NOTHING you can do at the current time to secure it. If using Chrome, you really do need to use a third-party password manager. Both Firefox and Opera aren't much better off, but if you are going to use them, you do have some options.

    Firefox's built-in password manager:

    First download Master Password+ and set a master password. A quality meter will tell you how strong it is. Set up an auto-logout time. You will never be prompted for your master password so long as you don't time out, but if you do you'll need to re-enter it again. Either leave it on a short time but only when inactive or set it to a long time (an hour or so) but always times out. Which to choose depends on your browsing habits and how easily you are annoyed.

    Opera's built-in password manager:

    Opera's password manager is a bit more feature-rich than Firefox's and so is its master password, which is good since there is no extension for it. Tools -> Preferences -> Advanced -> Security -> Set Master Password... and set your password. Set your timeout interval (right underneath it, called "Ask for password") as you feel appropriate. Setting it to "Every time needed", the default setting, will probably drive you mad; an hour is good. Finally make sure to check the box for "Use master password to protect saved passwords". If you don't, the master password only applies to client certificates.

    As I said, Firefox and Opera's password manager are only marginally better than Chrome's even with the master password, so a third-party password manager is still best as the encryption is many times better. If you do use them, at least think twice about giving them important passwords for things like your bank account. Please consider one of these good password managers instead.

    The Good Password Managers

    KeePass: KeePass is a password manager for Windows. It can run on Mac OS X and Linux through Mono if that is something acceptable to you (alternatively there is KeePassX, but it only works with 1.0 databases. Ports to other platforms also exist). You give it a master password, and, optionally, you can create a keyfile (this is known as two-factor authentication. See "Important Definitions" at the beginning of the post). Now you only need to remember one password and all your passwords are secure. KeePass has a plugin for Firefox called KeeFox, but really all programs (not just browsers!) are supported through the auto-type feature. Just minimize KeePass (to the tray even), press the hotkey auto-type combo, and KeePass will automatically enter your username/password into the active program/website. There are also various tools to import your existing password list into KeePass.

    Pros: Open Source, you control it, portable, highly secure, will tell you the strength of your passwords, can generate random passwords, works with any program. Works on Android/iPhone too.
    Cons: The auto-type feature takes a little getting used to, while it works with any program the overall integration suffers to allow this (Except in Firefox where KeeFox creates seamless integration).

    LastPass: LastPass is a browser-based password manager that works in all major browsers and is cross-platform. Binary versions exist, but they still only work with browsers and the passwords are still synced online. On Windows an application password manager (works with any program, like KeePass) is in the works, currently in beta, but only available to Premium members. It is free for home use, but to use it with your phone you must pay ($1 a month). Your passwords are encrypted with a local encryption key and synced across browsers. When on a network you don't feel 100% secure accessing your LastPass database, you can use one-time passwords that expire after use, so you don't have to worry about them falling into enemy hands.

    Pros: always with you so long as you have Internet Access, instantly syncs, highly integrated, audits your passwords, can generate random passwords, one-time passwords, very secure (before you ask: It's been verified that LastPass NEVER gets your encryption key -- see here)
    Cons: You must trust that they will stay around, if your Master LastPass password is compromised, all your passwords are compromised*

    *Note: LastPass Premium offers two-factor authentication (see here). The Free version has grid authentication, which I don't quite consider unique enough of "something you have" to be two-factor authentication, as if someone knows what your card looks like, they can access your account without actually having your card, but still a significant security boost.

    TrueCrypt: TrueCrypt is an on-the-fly encryption tool. So how does it work as a password manager? Well, it isn't as elegant as the other two options, but if you create a small encrypted file container in which you put a document containing all your passwords, then it is a highly effective, encrypted, password database. This way if you forget any password you have a fallback to rely on.

    Pros: Extremely secure, offering many options for creating your encrypted file container (including a hidden volume).
    Cons: Obviously not integrated at all with any application, so you must do everything manually. Must use a third-party tool (such as Dropbox) to sync it.

    Keeping a list always on you: Obviously no software is involved, you just simply keep a list on you at all times, say in your wallet (or anywhere else, so long as you always remember to keep it on you). This method, while once frowned upon, has been gaining popularity in recent years among security experts. Why? Because it is always on you, so you know it is safe. If it isn't on you, then you know it is time to change all your passwords. For extra security you can do a trick to the list that only you know. For example: inject a random number in every password at a specific spot (or in a pattern that you know). If the list falls into the wrong hands, they can't tell those numbers aren't part of the actual password and as such cannot use your passwords right away or at all. This gives you more than enough time to verify you didn't just leave the list at home and to change your passwords to something secure again.

    Pros: Pretty secure, you are instantly aware if your password database is compromised since it is always on your person. Always with you in all circumstances.
    Cons: You must diligently keep it always on you for the security aspect, obviously if you do no trick and lose the list, all your passwords are potentially compromised, likewise it is obviously 100% manual.

    Passwords - the remaining stuff

    At this point your passwords are nice and complex, secure, and easy to remember/access, but that is not all there is to say on password security. Remember those password hints and pesky security questions you set up for most services? Those can be an Achilles' heel for your accounts if you are not careful.

    For password hints there are a few things you can do: You can do away with them completely, typing in gibberish when forced to have one (what I currently do), or you can use things you know you know to help you remember the pattern you use for your passwords, something along the lines of this (see here). My advice is to do that, but also make sure to include a special character at the beginning or end.

    If you follow through with everything, your passwords will be very secure and any backdoors effectively shut to anyone but you.

    Smart Phones

    Smart Phones are all the rage these days, and as they grow more feature-rich we store more and more of our lives on them. Combining that with their high-mobility means they are a huge potential security risk and privacy hole if you lose them. Thankfully there are a decent amount of options for security on them.

    Locking your phone

    Android: Android 2.2 enabled PIN and password locking, prior to that you could only do a swipe pattern*. How to enable a Password, PIN, or Pattern on Android
    *Note: If using a swipe pattern, make sure to have at least one part of the pattern trace over itself. If you do not, someone can tell your pattern by looking at your smudge marks.

    For Apps there are two tools: Android Protector and Tasker:

    Android Protector - free up to 10 locked apps, $0.99 for unlimited locks.

    Tasker - $5-7 (out of market version is cheaper and recommended for file encryption). How to lock an app with Tasker

    Why lock an app? Let's say you are letting a friend borrow your phone, but don't want them "accidentally" reading your emails or posting something from your Facebook account. Now you can lend them your phone without watching over their every move like a hawk.

    iPhone: with iOS 4, full password support came to the iPhone. Instructions on setting up a long passcode on iOS 4 -- iPhones not using iOS 4 or later:

    KeePassDroid - Free. The Dropbox app on Android being very full-featured means easy syncing from the safety of your private Dropbox folders. It's still a bit cumbersome, but overall good. Read-only support for KeePass v2 (kdbx) files (you shouldn't be creating accounts on your phone anyway).


    iKeePass - $0.99 and can use your KeePass database file from your Dropbox account -- Note that it must be a KeePass v1 database (kdb), not 2 (kdbx) for iKeePass to work with it. Full instructions

    MyKeePass - $0.99. It, like iKeePass, supports databases on Dropbox; however, it has one very nifty feature: simple importing of database files over wifi. Given that for it to work with Dropbox it must use the public folder, I think over wifi is a very nice implementation. MyKeePass has another feature over iKeePass: it works with KeePass v2 (kdbx) databases (read-only, though). MyKeePass has the edge right now for the iPhone, but that may change in the future.


    LastPass: It's a free app, but having a Premium LastPass plan ($1/month) is needed. Just like on the desktop, on your smartphone LastPass is highly integrated with your browser. It supports both iPhone and Android, supporting Android's browser as well as Dolphin HD and Firefox Mobile (on the iPhone just Mobile Safari).

    Remote Locating/locking/wiping

    I imagine nothing could be worse than losing your smart phone, luckily there are a few ways to try and recover it.

    Android: Android has many ways to recover it after you lost it, each offers its own advantages. Some free, some paid.

    With 2.2 Froyo you have remote wiping built into Android. The only thing is that you must have Exchange set up, and only an administrator can remote wipe it. Really only an option for you if your Android phone is through your work.

    Prey - Free. Well known for their PC tracking software, Prey is now on the Android. Simply send a specific SMS to your android phone to activate it (you can set it up in the app) and another to deactivate it.

    Lookout - Free or Premium version for $30/yr. Not only does it offer remote finding through the website, but also has an antivirus program. The Premium features include the ability to lock your phone until you find it or wipe it clean, as well as even more goodies.

    DIY with Tasker - Free if you have Tasker already, otherwise $5-7.

    WaveSecure - $19.90/yr. You can track your phone, lock it, and back up/wipe the data

    Norton Mobile Security - Free for now. Same as above, but by Norton instead of McAfee

    Mobile Defense - Free (waitlisted). Before getting waitlisted, it was the app to go. Remote location, wiping, locking, and backup. Add yourself now and you might get lucky to get it in the near future.


    Find my iPhone: Free for iPhone 4 users running iOS 4.2. $99/yr otherwise (there is a workaround that may apply to some). It does it all, though. Remote lock, remote finding, remote wipe, displays a message.

    Workaround for non-iPhone 4 owners: You must know an iPhone 4 owner. iPhone 4s can create 3 free MobileMe accounts. If you have a friend who owns an iPhone 4 and not used all their activations, here are the instructions

    TrekTrak - Free for two uses, $5 beyond that. Like Prey for Android, it only locates the phone, but always runs in the background.

    Undercover - $5. Alternative to TrekTrak.

    FoneHome - $3. Another Alternative, more or less the same as Undercover or TrekTrak.

    Encrypting Files on your Phone

    Your phone may contain sensitive data, in which case you may feel the need to encrypt it. Options are fairly limited, but do exist.

    Android: Tasker from the website (but not from the market) offers file encryption. It's the only real good choice out there.

    iPhone: There isn't too much out there, since the iPhone doesn't really offer file storage. Jailbroken phones can get previously mentioned mAdvLock, otherwise there are some options to password protect pictures and videos: Video Lock, Private Pictures, and Picture Safe (other options exist as well).

    One more thing: Apps & Privacy

    Be careful what you install. Here is a list of some of the worst offenders of apps that invade your privacy: What they Know. On Android, always pay attention to what permissions an app asks for on install and make sure it makes sense.

    Web Browsing

    There's not a single person reading this who doesn't do it. We all are doing it right now, in fact. Web browsing is a part of all of our lives, but without proper care it can be quite dangerous.

    When randomly searching for things, you never know if that next search result is going to contain malware. Your antivirus software may have a rating feature, and your browser may have some protections (as does the search engine itself), but for more information a website reputation tool is needed. There are various ones out there, but the one that I feel does the best job is WOT: Web of Trust. Like any web rating site, it is prone to users downrating, but overall I feel it does a very good job. It does collect information on "you", as to get ratings it needs to know the domains you are looking at. This is true for any web rating service, though, so if you want to have this functionality, you'll have to allow the data to be collected. WOT has an extension for Firefox, Google Chrome, IE, Opera, and Safari. Other browsers can use a bookmarklet for the service.

    Recently there has been a rise in intranet sniffing on public wifi networks. The main tool to this end is Firesheep, which can collect passwords sent over non-secure connections. Firesheep in particular can be countered with Blacksheep, but other tools can do a similar job, such as Wireshark. To combat these other tools, the most effective way is to always establish a secure connection. To that end the Tor Project and EFF have teamed up and made an extension called HTTPS Everywhere for Firefox (NoScript can also do it, but it is a bit more complicated. Here is the FAQ). Similar extensions also exist for Chrome and Opera, but they are not as foolproof.


    Currently Gmail is set to always use HTTPS for secure email browsing, which is a good thing, but if you changed this yourself you can fix it under the General tab in Settings. Hotmail recently added this feature, which you can set by going here. Unfortunately Yahoo! has not added this feature. If using Yahoo!, you should request this very important security feature be added.

    Hotmail also has a single-use code system for signing in on computers that are not your own. For information on how to set it up, read Hotmail's FAQ. Gmail does not offer this, but does offer Password recovery over SMS. To add this feature, Go to your Google Account's Password recovery options.

    Gmail offers the ability to remotely log out of any computer (see here), which can be very useful if you leave yourself logged in somewhere by accident.

    Cookies and LSOs

    Cookies are not necessarily bad, in fact there is a cookie keeping you logged in to this forum right now. However, advertisers often use cookies to track you around the web. Given the usefulness of cookies in general, you probably don't want to outright disable them, however blocking third-party cookies will block practically all advertiser cookies without hindering your web experience.

    Firefox: Tools -> Options -> Privacy -> Use Custom Settings for History -> Uncheck "Accept third-party cookies"

    Google Chrome: Wrench/Tools icon -> Options -> Under the Hood -> Content Settings -> Cookies -> Check "Block all third-party cookies without exception"

    Opera: Tools -> Preferences -> Advanced -> Cookies -> Select "Accept cookies only from the site I visit"

    Local Shared Objects (LSOs), also known as flash cookies, are a part of Adobe Flash and are becoming an ever-more prevalent way of storing data on your computer as well as tracking your whereabouts. Note that as before, LSOs do have legitimate uses, so don't think that they are all bad. There are a few things that can be done. The one thing that is the same for everyone is to go to Adobe's Online Flash Settings page and delete/disable the storage for various websites. This has one significant advantage over other options: you can set those websites that do use flash cookies to track you to 0kb. That way they can't store data and you don't have to worry about a new one being created. Firefox and Chrome have addons for flash cookies, those being BetterPrivacy for Firefox and Click&Clean for Google Chrome, both of which can automatically delete LSOs on browser close. Another way to go about this is to block Flash except when needed.

    Firefox: NoScript can block flash perfectly fine. If you are not a fan of NoScript, there is Flashblock (Flashblock and NoScript don't work well together, and since NoScript does what Flashblock does by default, it isn't necessary)

    Google Chrome: FlashBlock is available here as well.

    Opera: Flashblock for Opera -- Even though it doesn't specify Opera 11, it works fine in it.

    One more: The Evercookie. Evercookie is new on the field and is a piece of JavaScript that creates multiple files through multiple methods to store data on your computer. It is not widespread yet, but may be in the future. The only truly effective way to deal with the evercookie is to block the JavaScript.

    Using an ad-blocking feature, add the following entry: */evercookie.js*

    Ad-blockers and Script-blockers

    Ad-blocking does more than just remove annoying ads (though that is the most obvious) -- it also adds security. Ads are not controlled by the website they are displayed on, and there are many cases of malicious ads infecting users; the most recent example I can remember was not even a year ago on SlickDeals.net. I am all for supporting websites you visit, but when the ads don't run on their own server, you are taking a risk. Thankfully whitelists are fairly popular for ad-blockers, so you can get rid of the annoying/dangerous ones while still supporting your favorite websites. For extra privacy, consider adding the track-blocking lists from here.

    Script-blocking is similar. Many scripts from domains other than the one you are on can be dangerous or track you.

    Firefox: Does it really need to be said? Adblock Plus! Undeniably the king of Ad-blockers.

    The Previously mentioned NoScript is the add-on of choice for script-blocking.

    Google Chrome: AdBlock is currently the best one. Adblock Plus was recently officially ported, but is in Beta and VERY unstable.

    For Script Blocking it is NotScript

    Opera: Opera has a built-in Content Blocker that is best used with the Fan-boy filter list. Right-click any page and select "Block Content" to access the blocker. Hold shift while clicking to block specific items. NoAds is another option. The best is to use Content Blocker whenever possible and NoAds' Content Blocker Helper feature for iFrames/javascript and only use NoAds for the auto-updating filter list feature.

    Chrome's NotScript was ported to Opera 11. Here

    URL Unshorteners

    With the advent of microblogging, URL Shorteners have grown in popularity. However, just randomly clicking a shortened link is VERY dangerous, as the site on the other side may be crawling with all sorts of nasties. Luckily, there are ways to unshorten a URL.

    Firefox: Long URL Please

    Google Chrome: LinkPeelr

    Opera: Unshorten

    Private Browsing and Deleting Browser Data

    Private browsing is supported in Firefox, Google Chrome, and Opera. It allows you to browse the web without leaving a trace (not really, but for the most part, yes). It is great for when you occasionally want to browse without leaving a trace, but if you are willing to go further, you can clear all or at least select browser data every time on close. Why would you want to do this? Your browser cache and cookies are insecure. If someone gains access to your computer and you don't clear out your cache and cookies, they will be able to gain access to your accounts since you are still logged in. This can be remedied in Firefox, Chrome, and Opera in different ways by deleting your browser data on browser close.

    Firefox: Tools -> Options -> Privacy -> Check "Clear history when Firefox closes". Proceed to click the "Settings" button. Cookies, Cache, and Active logins should definitely be cleared on close. It does mean you'll have to log in to your sites every time, but that is what password managers are for. For extra security clear your Form & Search History and Download history. If extra paranoid and you won't miss it, clear your Browsing history as well. super-paranoid people may also want to consider clearing offline website data and site preferences to not leave a trace behind.

    Google Chrome: Google Chrome only supports deleting cookies on browser close. To enable this go Wrench/Tools icon -> Options -> Under the Hood -> Content Settings -> Cookies -> Check "Clear Cookies and other site data when I close my browser". You need previously mentioned Click&Clean to completely clear out your private data on browser close. It is an option under the extension options.

    Opera:
    Cache: Tools -> Preferences -> Advanced -> History -> On "Disk Cache" check "Empty on exit".
    Cookies: Tools -> Preferences -> Advanced -> Cookies -> Check "Delete New Cookies when Exiting Opera"
    Download: opera:config#TransferWindow|KeepEntriesDays and set to "0"
    If feeling extra paranoid: Tools -> Preferences -> Advanced -> History -> Set History Addresses to "0" and uncheck "remember content on visited pages" and set opera:config#UserPrefs|SavePasswordProtectedPages to 0

    One more thing: Web domains and extensions

    The single greatest thing you can do to check if you are on a phishing website is to check the domain. Modern web browsers all highlight the actual domain of the site making it all the easier (Firefox users need this add-on). Doing that alone will greatly lower your risk of being a phishing victim.

    The last thing to talk about is plug-ins. Plug-ins are insecure, to put it simply. They aren't updated automatically with your browser, and it is very easy to miss one that is a security risk. The biggest security risks in general to your computer are: Adobe Flash, Adobe Acrobat/Reader, Java, Silverlight, and Quicktime (see here; use it often. It works with Firefox, Google Chrome, and Opera).

    Firefox: NoScript is the closest thing to plug-ins on demand. If you don't want to block javascript, you can set it up so that only plugins are disabled. To do this Go into the Options for NoScript. Under General, select "Scripts Globally Allowed (dangerous)", then on the "Embeddings" tab, forbid java, flash, silverlight and other plugins, select "Apply these restrictions to whitelisted sites too". Plugins are now effectively on-demand.

    Chrome: Plug-ins on Demand

    Opera: Plug-ins on Demand

    Note that running plugins on demand may break some sites.


    I'll be honest with you guys. I've caved. I created a Facebook account...

    ... Well, kinda. I created a dummy account attached to a dummy email address for the sole purpose of perusing Facebook's privacy options.

    Facebook is a social network site, which puts it instantly at odds with privacy, but that isn't to say you can't have your cake and eat it too. Here are some things you can do to improve your privacy without quitting Facebook.

    First things first: set up an email address just for Facebook. You can set your email to private, but that isn't foolproof. Most webmail services offer excellent email forwarding features to make it seem like it isn't even a separate email account.

    Now let's head over to Facebook's privacy settings. Click Account->Privacy settings when logged in on Facebook.

    Recent happening: Recently Facebook announced the option to use HTTPS throughout the site. This will be slowly rolled out over the upcoming weeks. Pay attention to when you can do it, and I HIGHLY recommend enabling it as soon as possible (full details)

    Connecting on Facebook

    I almost missed this at first, being at the top and not highly visible (maybe Facebook did that on purpose :p). This controls what people can see on your public profile. What you should set to what depends on how visible you want to be, but there are three settings you should consider altering:

    Send you messages: Set it to at least "Friends of Friends" if not "Friends Only". This will seriously cut back on the amount of spam messages you receive.

    See your friends list: Does everyone need to be able to see who you've friended? No. Like above, set it to at least "Friends of Friends" if not "Friends Only" (maybe you also have some people on your friends list whom you don't want to be able to see who else you've friended; customize it to keep them from seeing it).

    See your current city and hometown: Maybe you are trying to reconnect with someone from your hometown, but besides that this is nothing but a significant privacy leak that offers no real value to have visible to everyone. Even if you are trying to reconnect with someone, having it visible may not do you any good, rather you are better off trying to track them down than rely on them trying to track you down.

    Sharing on Facebook

    This controls the more private bits you put on Facebook. For the most part there isn't much benefit from letting everyone see everything on here.

    Posts by me: Does the whole world need to see this? If so, use a blog. Facebook is for networking with groups, not for the whole world to read your manifesto. Friends of Friends or Friends only make the most sense. Maybe there are a few "friends" that you don't want to be able to see your posts (like your boss).

    You can also set who can and cannot see an individual post/update, which I will discuss below.

    Family: Does it even make sense to have everyone be able to view this? No. Either have just your friends view it or even just a subset of those, like close friends and actual family members.

    Relationships: Even allowing some family members the ability to see your relationship status can be dangerous for some people. This is one that I definitely think you should have very restricted, unless you want a bunch of people messaging you asking "what happened between you two!" and "I liked him/her" or "you deserve better" mere minutes after changing your status from "in a relationship" to "single" or "it's complicated". An anecdotal bit from just last month: my sister had a horrible break up with a guy my parents never really approved of. She didn't change her status on facebook for some time and I can recall various times when various people, family and friends, talked about her non-status change behind her back. :shakehead:

    "Interested in and looking for" and "Bio and favorite questions" are two that you should set as you feel appropriate: if you are trying to find people who have similar tastes rather than just staying in touch with those you already know, you may want to leave them open (just don't make your favorite questions the same as your security questions, as I mentioned above in the passwords section!).

    Religious and political views: This can be quite volatile for some people, especially if you have never told some family members about your stance on these things, so think carefully about who you let see this.

    "Places I check in to" and "Include me in "people here now" after I check in": once again, this depends on your stance on social networking vs. privacy. Note that the last one is visible to people checked in nearby, NOT just friends. While that may be fine with you for things like conventions, it is a privacy leak at other times that you may or may not want.

    Photos: I highly recommend customizing who can and cannot view what photos and videos. Be aware of what you are posting and apply fitting filters to any and all pictures as you see fit.

    Photos and videos I'm tagged in: Do you want other people to be able to find videos and pictures of you that you did not upload? Like, say, your boss or a family member who doesn't know some of your habits? Or in general maybe you were just stupid one night and did things you normally wouldn't. I highly recommend restricting this one to certain people only, and it doesn't really hurt your social networking (it doesn't stop them from seeing tagged photos from mutual friends, of course).

    Can comment on my post: Maybe you have that one annoying person who just pesters you, use this to keep them from bothering you with comments.

    Suggest photos of me to friends: Same concept as "Photos and videos I'm tagged in"

    Can see Wall posts by friends: This is another one you may wish to restrict quite a bit if you have a friend who often says things you don't want a boss or family member to see and you don't want to disable your Wall.

    Friends can check me in to places: It makes no sense to enable this one in any situation. Disable it.

    Contact information: Set this as you feel appropriate. Remember this, people with a bajillion friends who added those obviously fake accounts to boost their friends list: if you make it visible to those not-really-friends people, they can very easily go ahead and use it in advertising and other things without your knowledge. It might explain your constant spammage.

    Apps, Games, and Websites

    Info accessible through your friends: This is a potentially huge data leak. Look at what you are allowing your friends to leak and see if that makes any sense to you for games. It doesn't a lot of the time. It can undo a lot of the other settings you've set up.

    Instant personalization: A huge privacy leak that offers little to nothing in return other than possibly saving you a little time. On the other hand it can cause other sites to become incredibly annoying (see this to add blocking filters as well). Disable it.

    Public search: You may be ok with some people searching you out on Facebook, but a full search engine is a different matter. It's disabled automatically if you disable everyone being able to search for you on Facebook.

    Account Settings

    **As mentioned above, Facebook is rolling out an HTTPS-everywhere-on-Facebook setting that can be found in your Account Settings. I HIGHLY recommend enabling it as soon as it is available to you**

    Now go to Account Settings to get the last little bit of Privacy and security settings:

    Set up your mobile phone with Facebook, and you can get one-time passwords through SMS for Facebooking anywhere you don't feel 100% safe (like those public wifi networks previously mentioned). In "Account Settings" you can also remotely log out any other active computer connected to your account (see here for full details).

    For the last thing, head over to the "Facebook Ads" tab in your account settings. Set to "No one" both "Allow ads on platform pages to show my information to" and "Show my social actions in Facebook Ads to". With that, your Facebook is now nice and secure, however:

    Some Other Settings

    Per-post/update settings for a post's viewability - I HIGHLY recommend really getting into the habit of using this. In many aspects it is better than setting a universal rule for your posts. A video guide to using this feature -- Also demonstrates a bit of the power of labels (see below reading).

    [Hit Netrider's character limit, splitting post]
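The "check the domain" advice above is harder to apply by eye than it sounds, because phishing URLs put the real brand name exactly where a glance won't catch it: as a subdomain of the attacker's domain, or as userinfo in front of an "@". The script below is an added example, not part of the original post or of any browser: it extracts the registrable domain from a URL the way browser domain highlighting does, using a deliberately tiny constructed stand-in for the Public Suffix List, and flags the common tricks. The `PUBLIC_SUFFIXES` set, the `check_url`/`registrable_domain` names and the sample URLs (on the reserved `.example` TLD) are all constructed for this example.

```python
"""Extract the registrable domain from a URL and flag common phishing tricks.

Added example for the "check the domain" advice; not from the original post.
PUBLIC_SUFFIXES is a tiny constructed stand-in for the real Public Suffix
List (publicsuffix.org); a real tool would load the full list.
"""
from urllib.parse import urlsplit

# Constructed subset of public suffixes (assumption: enough for the samples).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au", "net.au", "org.au"}


def registrable_domain(host: str) -> str:
    """Return the part of HOST a browser highlights: public suffix plus one label.

    'login.facebook.com'            -> 'facebook.com'
    'www.netrider.net.au'           -> 'netrider.net.au'
    'www.facebook.com.evil.example' -> 'evil.example' (the brand is only a subdomain)
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longest tail first so 'co.uk' wins over a bare 'uk'.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:])


def check_url(url: str, expected_domain: str) -> dict:
    """Compare the URL's real registrable domain with the one the user expects.

    Returns the parsed host, the registrable domain, a list of warning strings,
    and 'ok', which is True only when the registrable domain matches.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""      # lower-cased; userinfo and port stripped
    expected = expected_domain.lower()
    warnings = []

    if parts.scheme != "https":
        warnings.append("not HTTPS: the page can be read or altered in transit")
    if parts.username is not None or parts.password is not None:
        # https://www.facebook.com@evil.example/ -- 'www.facebook.com' is a username
        warnings.append("userinfo before '@': the text before '@' is not the host")
    if host.replace(".", "").isdigit():
        warnings.append("host is a bare IP address, not a name")
    if not host.isascii():
        # IDN homoglyphs: a Cyrillic letter makes it a completely different name
        try:
            puny = host.encode("idna").decode("ascii")
        except UnicodeError:
            puny = "<not encodable>"
        warnings.append("non-ASCII host (IDN): encodes as " + puny)

    domain = registrable_domain(host)
    if expected in host and domain != expected:
        warnings.append(f"'{expected}' appears in the host but only as a subdomain of {domain}")

    return {"host": host, "registrable_domain": domain,
            "warnings": warnings, "ok": domain == expected}


# Constructed sample URLs; *.example is reserved and never resolves.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "http://www.facebook.com.account-verify.example/login",
    "https://www.facebook.com@evil.example/",
    "https://www.netrider.net.au/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        expected = "facebook.com" if "facebook" in u else "netrider.net.au"
        r = check_url(u, expected)
        print("OK " if r["ok"] else "BAD", r["registrable_domain"].ljust(24), u)
        for w in r["warnings"]:
            print("     -", w)
```

The fallback for an unknown suffix (last two labels) is the same approximation most people make in their heads, which is exactly why the real Public Suffix List exists: without it, `example.co.uk` and `evil.co.uk` look like subdomains of one site.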
  6. [Continued]

    Also be Aware Of

    As we saw just recently on this very forum (see here), linking to content from your profile IS a leak that can lead to your profile being uncovered. Be aware of this when linking to images you've uploaded to your Facebook account. Likewise be wary of Facebook Connect. If your Facebook login information is compromised, so are these sites. It can also be used to track down your Facebook page if your profile picture is tunneled through FB Connect.

    Some Other Settings

    Google Buzz: Google Buzz is quite a privacy leak. The only way to disable it is to remove your public profile, which can be done here. In all likelihood you probably don't even have a public profile. (Click "My Account" on google, and it will tell you under "Profile")

    Remember: Pretty much every Google product has options on the visibility of your content, just look around and set it appropriately. Creating a document you only want select people to see? Set it appropriately. Even more important are your Google Calendar settings (if using it). Every calendar you create has options on how public it is that can be found in the Calendar settings, same for every event you add to your calendar. Spend some time just looking around at the various privacy settings for Google Products that you use. There isn't much you can do with how much Google collects on you short of stopping your use of Google products, but you can stop anyone else from seeing that Google info.

    Remember that Facebook only uses a secure connection for initial log-in, after which your log-in cookie is transmitted over insecure HTTP. This allows your log-in information to be sniffed out with the previously mentioned Firesheep. Consider forcing HTTPS with the previously mentioned HTTPS Everywhere (and related clones) when on public networks (note: HTTPS Everywhere does break some apps and some other stuff on Facebook). **Note: This is now changing!!! See previous notes about it!**

    A recent development is how much information leaks through to Apps when using them (see here):

    "The apps reviewed by the Journal were sending Facebook ID numbers to at least 25 advertising and data firms, several of which build profiles of Internet users by tracking their online activities."

    Your Facebook ID is always collected, so it isn't fully anonymous, this data is linked directly to you:

    "Defenders of online tracking argue that this kind of surveillance is benign because it is conducted anonymously. In this case, however, the Journal found that one data-gathering firm, RapLeaf Inc., had linked Facebook user ID information obtained from apps to its own database of Internet users, which it sells. RapLeaf also transmitted the Facebook IDs it obtained to a dozen other firms, the Journal found."

    Just another of many things to think about on Facebook.

    Also, a recent development is that Facebook apps and games can request your phone number and street address. Pay extra-close attention when granting permission from now on.

    Further Readings:

    Get Better Privacy on Facebook with Facebook Lists -- It'll make your customization of who gets to view what much simpler.

    A guide to Facebook's new, Simpler Privacy Controls

    The State of Facebook Security -- Facebook scamming is growing, so be careful. This is just another reason to forbid Facebook from communicating with other sites.


    Pretty much all of us use it, and it knows a ton about most of us. Thankfully Google does give you some control.

    Google Privacy Center - Learn it, love it, visit it often. Click on Privacy Tools to get to the settings. The rest is just information. In privacy tools you will see many options.

    Google Dashboard: The important one is Google Dashboard, which will tell you what Google products you are using and what Google knows about you through them. It is a central point of control for all your use of all Google products.

    Ads Preference Manager: this will allow you to control what ads Google will show you. In doing so you tell Google what you like so you get more accurate/relevant ads.

    Data Liberation Front: If you are looking into biting the bullet and leaving Google entirely, head here. This site will tell you how to get any and all your data from all the Google services out so you can switch to different options. It's drastic, but if you are THAT worried about Google, it may be interesting.

    Google Encrypted search: This secures the connection between you and Google for your searches, but it doesn't work for everything. Google still stores your information, so for truly anonymous web searching through Google, you will need to use Scroogle.

    Web History Controls: This is a setting you may have inadvertently enabled. It uses your previous web searches to "help" you in the future as well as potentially storing other web usage information. It doesn't remove your searches from Google's servers, but it may still be useful, especially in a multi-user environment.

    Google Analytics Opt-out: You can opt out of being tracked through Google Analytics. You will need to install a browser extension, and it currently only supports Firefox, Google Chrome, and Internet Explorer. This can, of course, also be done through a content blocker.

    Search Personalization Opt-out: If you are using Web History, this is enabled. Instructions on how to disable it when not signed into a Google Account are also explained.

    File Encryption

    File encryption is the ultimate in data privacy and security. There are many encryption tools out there, but for the purposes of discussion here I will only talk about TrueCrypt. TrueCrypt offers many advantages over other options, including BitLocker. In being cross-platform, it makes recovery in any situation possible. Other encryption schemes may offer advantages over TrueCrypt (for example, if interested in TPM), so it may not necessarily be the right choice for you.

    There are three basic encryption options, as well as the choice between hidden and non-hidden volumes. These options are: an encrypted file container, an encrypted non-system partition or drive, and an encrypted system partition/drive (this last option is currently only available on Windows). Two-factor authentication is also available through the use of keyfiles, though it isn't an option for system encryption (but two-factor authentication still can be achieved).

    Encrypted file container: This option is the simplest to implement. You create a volume that appears to be a normal file (you can make it any filetype you want), but when you mount it with the proper password (and/or keyfile) it reveals the truth. You can make it a hidden volume for even added privacy/security (a would-be attacker may uncover the outer volume in one way or another, but the hidden volume remains secure). The disadvantage to making an encrypted file container is it is relatively simple to just copy the file container to a removable drive where the attacker can try and crack it at their leisure without you being aware of it (a keyfile would drastically lower their ability to succeed, if the keyfile and file container are not stored in the same location).

    Encrypted non-system drive/partition: This option is relatively simple to implement. The advantage is it looks like just unallocated disk space to the untrained eye, and, in the case of removable storage, the user would be prompted to format it before use. Of course in removable storage you must be careful to not format it yourself. Once again the use of a hidden volume and keyfile can be used for increased privacy/security.

    EDIT: There's still more stuff, but the software here is being unhappy even when I break it into chunks that should work :rolleyes:.
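The Firesheep point in the post above (an HTTPS login followed by a session cookie sent in the clear on every later http:// page) comes down to a single cookie attribute. The script below is an added example, not part of the original post and not Facebook's real headers: it parses the Set-Cookie headers out of a constructed HTTP response and reports which cookies a browser would attach to a plain-HTTP request, which is exactly what a sniffer on an open wifi network collects. The cookie names and values in `SAMPLE_RESPONSE` are made up for the example.

```python
"""Audit Set-Cookie headers for the sidejacking risk the post describes.

Added example, not from the original post. SAMPLE_RESPONSE is a constructed
HTTP response with made-up cookie names; the rule it checks is real: a cookie
without the Secure attribute is sent by the browser on http:// requests too,
so an HTTPS login does not protect it once the site falls back to HTTP.
"""

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sessionid=9f86d081884c7d65; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: c_user=100000123; Path=/; Domain=.example.com; Secure; HttpOnly\r\n"
    "Set-Cookie: xs=7a3b; Path=/; Secure\r\n"
    "\r\n"
    "<html><body>logged in</body></html>"
)


def set_cookie_headers(raw_response: str) -> list:
    """Return the values of all Set-Cookie headers in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def parse_set_cookie(header_value: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # bare flags map to True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookies(raw_response: str) -> dict:
    """Per cookie: is it Secure, is it HttpOnly, and would it leave in cleartext."""
    report = {}
    for hv in set_cookie_headers(raw_response):
        cookie = parse_set_cookie(hv)
        attrs = cookie["attrs"]
        report[cookie["name"]] = {
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
            # Without Secure the browser sends the cookie on http:// too: sniffable.
            "sent_in_clear": "secure" not in attrs,
            # Without HttpOnly any script injected into the page can read it.
            "script_readable": "httponly" not in attrs,
        }
    return report


def sidejackable_cookies(raw_response: str) -> list:
    """Names of cookies a passive sniffer sees on the next plain-HTTP page load."""
    return sorted(n for n, r in audit_cookies(raw_response).items() if r["sent_in_clear"])


if __name__ == "__main__":
    for name, r in audit_cookies(SAMPLE_RESPONSE).items():
        flags = ", ".join([
            "Secure" if r["secure"] else "no Secure",
            "HttpOnly" if r["httponly"] else "no HttpOnly",
        ])
        print(f"{name:10} {flags}")
    print("sidejackable:", sidejackable_cookies(SAMPLE_RESPONSE))
```

In the constructed sample, `sessionid` is the one that matters: it is HttpOnly, so page scripts can't read it, but it lacks Secure, so it rides along on the first http:// request and anyone sniffing the same network can replay it. That is the gap HTTPS Everywhere closes on the client side by never letting the browser make that http:// request in the first place.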
  7. Dude...attribute the original author and provide a link to the original post... you really don't need to copy and paste the entire thing...
  8. Pffft, that would be the easy way. And I thought I did include his name? Or maybe I lost it/forgot about it while trying to get things to cooperate :shrug:. DEFRON would care more about people learning the stuff than attaching his name to it, anyway.

    And copying stuff across results in a slight increase in the likelihood that people will read it, in my experience.

    EDIT: On that forum, inactive threads get automatically deleted after a few months, too.
  9. So anyway Browny - you gonna actually ask this guy out on a date seeing you have all his details - compared to random girl that you knew very little about :)
  10. Most of that information you got about him looks like the sort of info that you could find on Facebook and other social media sites. The only information about yourself that is on the internet is there because you have allowed it to be there. If I google my name or my email address there is pretty much nothing there. Stay away from facebook.
  11. Slight problem, I like vaginas, so no.

    I do have random girl's email addy, but I never did the research... due to her replies... :bolt:
  12. A more appropriate title would be "Brownyy, scary much?".
  13. I'm 5'4, hear me roar!!!!

  14. I've seen you squeak. It's quite impressive ;)
  15. Facebook ?

    Someone said I should be on facebook so I can play something called farmville ?

    Sounds shit, after all why would anyone sane want a FACEPLANT ?
  16. Faceplant Tak's new female model??

    Edit; As in faceplant into her...?
  17. I get more than enough social interaction from this and one other bike forum. I don't faceplant, our_space, ICQueer, MSN, YaWhoo? or any of the others. There's already a bit too much compromising personal information of mine up there on the web. I don't need to add to it.
  18. Yes I googled you and am sorry to hear about the extra testicles and what happened to your gerbil.