On various privacy/security websites

Written by Theundercoverman on 2022-04-04

Before I start I’d like to talk about how the privacy community is so divided. Everyone wants to do their own thing, create their own guides, and use their own software. You have people like Dig Deeper who take privacy very seriously, people from /r/privacy and other mainstream privacy communities that know nothing about GNU/Linux and whine about muh convenience, and privacy/security “experts” who shill proprietary, corporate software like Google Chrome and Windows. The spyware group chat is just a tiny minority within a tiny minority. Most people do not care about their privacy, and even the ones that do would rather use shit like Firefox, Signal, and their mobile devices, as opposed to a more lightweight browser (such as Links or Pale Moon), XMPP, and either GNU/Linux or one of the BSDs.

Nothing will ever come close to being perfect. All of the websites I’m reviewing have their problems, whether it be awful recommendations, poor website design, or lack of activity (by this I mean the content rarely gets updated). This doesn’t mean we shouldn’t try at all. How else would we convince normies to stop using Google Chrome and Windows?

Privacy Guides

Privacy Guides (formerly known as PrivacyTools.io) used to be a decent website for those new to privacy but not anymore. Instead of writing about how governments and corporations are spying on people, and how mainstream software like Windows and Google Chrome is spyware, they instead just list a bunch of software recommendations (a lot of which are shit) and write about threat modeling without even explaining why large corporations are bad.

The biggest problem with Privacy Guides is that they pander to casuals/non-technical users by shilling software and services that are normie-friendly as opposed to ones that actually are secure and don’t spy on you. They’ve recently gone as far as recommending proprietary software (which could possibly result in them no longer caring about FOSS, shilling shit like MacOS and Google Chrome, and even recommending against using GNU/Linux). I’m going to list some of their recommendations and why they’re so bad:

Honestly, I like having a central resource for privacy and security with lots of software recommendations, but Privacy Guides recommends too much shit. Now what if I made another website similar to Privacy Guides?

First off, I would write the website in XHTML instead of HTML5. All of the content would be written in markdown (which is what PrivacyGuides does now) making it easy for anyone to contribute. Unlike PrivacyGuides, it’d be targeted towards more technical users and would not pander to casuals (at least not as much). I would only recommend free and open source software (which means no Safari). I’d provide information about how programs, governments, and corporations are spying on you as well as how to harden operating systems, web browsers, and other software. Finally, the website would be available on the clearnet, Tor, and I2P at the very minimum.

The reason I haven’t done this is because it takes a lot of work maintaining a website like that, keeping everything up to date, and adding new content. Nobody could do this on their own. It would take an entire community, preferably an active one, to maintain something like that. Also, considering what I did to my old website, I should be the last person to start something like this.

Restore Privacy

There are so many product review sites like this one that always show up on search engines. If I were to look up “what is the most secure GNU/Linux distro”, I’d get results like “The 7 most secure Linux distros” and most of the distros listed there would be penetration testing distros like Kali Linux and not distros which are actually secure. Restore Privacy is your typical review site/blog, and just like all the others, it’s full of shit.

The way they earn money is by promoting VPN providers. They tell you to use shitty VPN services like NordVPN and offer you 70% off or something so people will pay for VPNs and they will earn an affiliate commission. They also recommend using a VPN with Tor, something which the Tor Project, the Whonix developers, and Matt Traudt all recommend against. Speaking of Tor, they are spreading FUD to scare people into not using Tor.

I won’t get into all their recommendations since I don’t need to. It’s clear to me that they’re even worse than Privacy Guides.

Madaidan’s Insecurities

Madaidan is a popular “security expert” who shills corporate software like Chromium and Windows. He’s part of the reason why some mainstream privacy communities no longer care about software freedom as much and are becoming more tolerant of proprietary software. While I do agree with some of the things he says, like encrypted DNS and VPNs being useless, the fact that he even shills shit like Windows and MacOS while shitting on Linux (without even mentioning any of the good things about Linux, meaning he just picks and chooses to make Linux look worse than it actually is) is enough to convince me that his website is bullshit.

He recommends Signal despite it requiring your phone number and being centralized. He doesn’t even mention any decentralized messengers like XMPP, Matrix, Briar, or Session (though he’d likely shit on all of those except maybe Briar, which I’ve never used).

In his Browser Tracking article, he talks about how ad blockers such as uBlock Origin are completely useless. uBlock Origin is better than nothing at all because it blocks most, but not all, ads, and I don’t want a bunch of ads on the screen. As for hardening the browser…

"You cannot configure your browser to prevent tracking either. Everyone will configure their browser differently, so when you change a bunch of about:config settings, such as privacy.resistFingerprinting, and pile on browser extensions like Privacy Badger, you’re making yourself stand out and are effectively reducing privacy."

Ah yes, the typical excuse to use Google Chrome. You’re better off reducing attack surface by disabling JS and other things, as well as using anonymizers such as Tor, than using Google Chrome with the default settings and no browser extensions. Moonchild, the main Pale Moon dev, makes his fingerprint unique on purpose and randomizes it each time to generate a unique identity. I don’t know whether that’s effective or not, but regardless, blocking all JavaScript, disabling all telemetry and other spyware, and using Tor, will give you more privacy than using vanilla Chrome on Windows.

"Additionally, just disabling JavaScript, while preventing large vectors for fingerprinting, does not prevent fingerprinting entirely. Fingerprinting can be done with only CSS and HTML."

CSS can be used to track you, but so can images. Ever heard of tracking pixels? This is why you disable all of this, or even better, use a browser that doesn’t even support JavaScript, CSS, or images, such as Lynx or Links. These browsers, with their small attack surfaces, are more secure and better for privacy than Google Chrome and Firefox. On to his Security and Privacy advice…

"stay away from desktop and stick to mobile devices."

Wrong. Completely wrong. You cannot have privacy on a mobile device, since they include more advanced tracking capabilities than a desktop computer (including cell tower triangulation), and the mobile OS situation is even worse than the desktop because in order to install certain forks of Android (like GrapheneOS), you need a Google Pixel device. Linux phones exist but as expected he shits on those. Stay away from mobile devices and stick to the desktop!

"Use Windows 11 (preferably in S mode and on a Secured-Core PC), macOS, ChromeOS or QubesOS."

Do I even need to explain? You shouldn’t be using Windows (which now requires a Microsoft account to install), macOS, or ChromeOS at all. They are all locked down and loaded with spyware, most of which can’t be disabled. He wrote a guide on hardening GNU/Linux (which I’ll get into later). You’re better off following that than using proprietary operating systems.

"use a reputable email provider with a strong focus on security, such as ProtonMail or Tutanota."

Yet he advises you to use native email clients, which I agree with. Email clients like Claws Mail are better than webmail because no JavaScript is required to use them. Neither ProtonMail nor Tutanota support email clients and should be avoided. Read DigDeeper’s reviews on email providers and Email Comparison - Shadow Wiki for more information on email providers and why ProtonMail and Tutanota are shit.

"Use a different password on each website, and enable two-factor authentication (2FA) for every website. Do not use SMS for 2FA, as it is vulnerable to simjacking and man-in-the-middle attacks. Use an authenticator app like Aegis."

I agree that authenticator apps are better than SMS or Email for 2FA, but all the authenticator apps only work on mobile devices and not desktops. Also, a lot of websites that have 2FA don’t even support OTP, meaning you can only use SMS or Email, in which case, you’re better off not using 2FA at all. Generate strong passwords and use a local password manager. KeePassXC and pass are two good ones.

Finally, in his GNU/Linux hardening guide, he recommends using distros which use LibreSSL instead of OpenSSL, except there aren’t any distros that use it anymore. Alpine, Gentoo, and Void all used to support it but ended up switching back to OpenSSL (though Gentoo never really switched to begin with).

The New Oil

Yet another shitty privacy guide. The New Oil, just like PrivacyGuides, panders to casuals/non-technical users way too much. For starters, he shills iOS despite it being a closed source blackbox, and he fails to mention any other mobile operating systems like GrapheneOS and CalyxOS. His main browser recommendations are the usual: Firefox and Brave, both of which spy on you (at least he talks about some of the shit both Mozilla and Brave have done, but he still recommends them).

For email, he shills ProtonMail, Tutanota, and CTemplar, all of which are shit (which I’ve already talked about). He doesn’t even go over third-party email clients like Claws Mail, and in his visual email chart, he is obviously biased towards CTemplar. Notice how all of the desktop operating systems are separate (when they should be together)? This is done to make ProtonMail look bad (which they are) by giving them more “No”s than the other two providers. How stupid does he think we are?

The website’s repository is hosted on Gitlab, which is not only Cloudflared, but it also won’t load at all without JavaScript. The New Oil is a joke. Do not listen to them.

Dig Deeper

A much better website than any of the ones above. Most of his tech articles are pretty good and he talks about stuff and recommends software that most other privacy websites don’t. There are a few things I disagree with though:

"The idea that a software needs constant updates to stay useful really needs to die. It is what has got us into this whole privacy and bloat mess in the first place. My clock or drawer have not needed updates for decades, why would a program?"

Because programs have security vulnerabilities. A clock and a drawer don’t need security updates because there’s no way some guy online is going to show up and destroy them. Now I still use uMatrix because he is right about uBlock Origin not having nearly as much functionality (and it’s not like uMatrix is completely dead, as it did receive a security patch months after it got deprecated), but imagine using a version of Firefox that is over 10 years old and has all of the vulnerabilities discovered since then, or imagine still using Windows XP in 2022.

He does recommend other addons but a lot of them, including Decentraleyes, Linkification, and I don’t care about cookies, are pretty much useless, and Vimium is outclassed by both Pentadactyl (for Pale Moon) and Tridactyl (for Firefox).

In his Ninja’s guide to the internet, he talks about Freenet being the best anonymizing network since it allows hosting a site 24/7 without being online, but fails to mention that Freenet’s website runs on Amazon servers (a big red flag, but at least it isn’t Cloudflared) and that Freenet is barely even active. I think that was written years ago, and we are all better off using I2P.

He also wrote an article on the Salix GNU/Linux distro, which has been dormant for years and he no longer recommends it. I’m still writing about this since he wrote:

"Salix is a carefully crafted distribution that satisfies the following:

Really any distro that doesn’t include a lot of bloat can satisfy the requirement of having one application per task, and in some cases there is no program installed by default, leaving it up to the user to decide which browser, text editor, or whatever he or she wants to use. Lots of GNU/Linux distros still support 32-bit processors, including Debian/Devuan, Gentoo, and Void. There isn’t anything wrong with having a text-based installer (Void has an ncurses-based installer which kinda sucks since it didn’t have an option for LUKS encryption), and the convenience tools by default aren’t really necessary (why do we need a GUI for package management?). Also, Salix’s documentation isn’t that good (at least compared to Arch and Void). On to what Linux struggles with (or rather, what Windows did right)…

"In Linux, “help” means reading barely intelligible man pages - and even then, you have to know what you’re looking for. Though some distros do have real help, it’s online and usually low quality anyway. What remains for a newbie user are elitist internet forums that will tell him to RTFM (which doesn’t exist). On the other hand - Windows, since at least 98, has included a great, interactive help tool that can diagnose and fix problems with audio, graphics, internet, everything."

A tool which, from my personal experience, never permanently fixes things. This honestly sounds like a non-technical user whining about muh customer support rather than an actual issue with Linux.

"Repos are a fine system in general if you know what you’re doing and can afford to spend some time - but the Windows system of just running install.exe has its advantages as well (which Linux is now realizing with the inclusion of AppImages and such - but again, had to screw it up by also making certain packages exclusive to Snap, Flatpak, etc. that aren’t even available for many distros)."

Advantages like having to deal with bundleware that ends up getting installed alongside the programs you want to install, and removing the bundleware is even more difficult because it could install even more bundleware or insert popups begging you not to uninstall or even scaring you into not uninstalling? Yeah no thanks. Also, a lot of proprietary software on Windows doesn’t even have an updater so you have to manually install the new version each time a new update comes out (which is very often). At least with GNU/Linux you can easily update all your software with just one command.

"Now I don’t know too much about this, but Linux does lack suitable replacements for certain programs, according to the people who use them."

Because the people who use them have never tried LibreOffice, Krita (which can replace Adobe Photoshop and Animate/Flash), and other free and open source software. From my personal experience, LibreOffice and Microsoft Office are pretty much the same thing, except one is FOSS and the other is proprietary and requires a subscription to use. Also, how the fuck is Microsoft Paint glorious?

He also talks about how GNU/Linux is hard to rice, but at least GTK and Qt allow for customization, whereas with every version of Windows since Windows 8, you are limited to changing the titlebar and taskbar color. FFS if you want the classic Windows 9x customization, install Redmond97 (not really maintained but it still works) which not only includes a lot of different color themes, but also a script to create your own themes.

A lot of what he wrote probably hasn’t been updated in a while and could be rewritten. Despite all this, DigDeeper’s website is still good.

Spyware Watchdog

A good website but the scope is very small. It only focuses on web browsers and not other software that could be spyware. A lot of the articles haven’t been updated in years but remain relevant. Some programs I’d like to see rated: Links (I remember testing this one a while ago and it didn’t make any unsolicited requests, so it’s probably not spyware), Claws Mail, Gajim, Pidgin, Lutris, Minigalaxy (lightweight GOG client for Linux), MPV, and GIMP. I don’t expect them to ever rate any of these (except maybe the first two), but it’d be good if they rated other programs and not just browsers.

Another thing about the website is that it only focuses on how much spyware a program has. Some of the browsers rated “not spyware” might not be as good for privacy as Tor Browser (rated “low”) or a properly configured Pale Moon (rated “medium”). Maybe at some point I’ll write a guide on how to harden browsers, something I was planning on doing for my old site.

I kinda wish they’d bring back the browser comparison, since I liked it and it gave people an idea of which browsers were the best. Instead of a tier list, they could separate all the browsers into three categories (browsers which have no spyware, browsers whose spyware can be mitigated, and browsers with spyware that can’t be mitigated), then make three separate tables comparing each of the browsers, including information like the logo, browser name, links to the articles (and mitigation guides), and possibly some other things like whether or not the browser works with Tor, the browser license, the rendering engine, and a short description of the browser.

The website doesn’t appear to be very active, just maintained, but it remains a good resource for which browsers spy on you and how to mitigate it.