Drop #552 (2024-11-08): One. Step. Forward.

Trust No ☁ <input type='text'> or <textarea>; Signal > Mastodon || Bluesky ; Non-Comprehensive Resource List (v0.1.0)

I posted three words — “Hang. In. There.” — to both Mastodon and Bluesky as the shadow of darkness began to loom over the election results, this week. That was at a point where there was a sliver of hope left for the POTUS part of this election cycle (there is still hope on the side of the House, but it’ll be a razor-thin majority for the Democrats if the hope is met).

Your arms will get tired hanging, though, and — despite requiring strength — it’s a pretty passive activity. So, drop down, shake it off, and — when you’re done absorbing and processing what just happened — take one step forward, then another (etc.).

Despite all the warnings, a bunch of folks decided they wanted cheaper eggs, a mollified working-class, and a marginalized group of “others” to bully for 20-40 years (yes, that’s a woefully incomplete reduction), so we’ve got what we got.

As a result, many of my online and IRL mates are now in real, impending danger; or, at least more so than they were already.

The Drop isn’t turning into a “resistance” blog, but I will be, more often, dropping resources related to online safety/privacy/etc. We’re also going to double down on how to preserve online resources, as a mind-boggling number of them are about to just disappear.

I’ll be reloading Bluesky and Mastodon apps on my desktops and phones, today. The “griefscrolling” was hard to absorb Tue/Wed, but I have no right, privilege, or business to “wallow”. I’m in one of the safest demographics and could easily just put the hoodie up, and go along to get along, and have me and mine be just fine. But that’s not how I/we roll.

So, today is an unplanned, hastily drafted Drop on some things to be aware of in your online world, and some tech resources to look into, today, as evil takes the reins again.

No TL;DR today.

No section header images today.


Trust No ☁ <input type='text'> or <textarea>

This is short, but — as we saw over the past weeks and months — the gazillionaires who run apps and services you or I may rely on cannot be trusted with, well, anything. That means any text box you put any information into should be treated as hostile unless you own it, or have some semblance of trust in whomever does.

So, be mindful of what information you put where. More mindful than you have ever been before in your life.

I’d also suggest decoupling yourself from as many unnecessary online services, apps, sites as you can.

And, if you’ve been ignoring “your password was in a breach from this site” warnings from your password manager (you do use a password manager, right?) please fix that, even if you’re not going to use that service anymore. Delete the account or set up a better password, preferably with app-based 2FA/MFA.


Signal > Mastodon || Bluesky

I joke with a good friend about how upset I am at how we got to “HTTPS Everywhere”. It’s a fun shtick, and I’m still upset with the Let’s Encrypt do-gooders for all the harm they’ve caused to get here, but the joke’s over.

Please, if you do anything as a result of getting this far in today’s Drop, use Signal for non-public comms. I’ll cover how to do secure, out-of-band, contacts exchange in some other Drop.

Neither Mastodon nor Bluesky is good for anything but “social”-social stuff, now (unless you are in a position to speak truth-to-power publicly or fully understand the real consequences of doing so). Most Mastodon instance admins aren’t security experts and the U.S. government can get into whatever they want on whatever instance they want, so don’t think your “mentioned people only” or “block” usage is going to have any impact on an org with those kinds of resources.

And, just to be clear, who you follow and who follows you is public info:

$ curl -s "https://mastodon.social/api/v1/accounts/$(curl -s "https://mastodon.social/api/v1/accounts/lookup?acct=hrbrmstr" | jq -r .id)/following" | jq -r '.[]|.acct' | head -3
bees@infosec.exchange
davidgasquez.com@bsky.brid.gy
threatresearch@infosec.exchange
$ curl -s "https://mastodon.social/api/v1/accounts/$(curl -s "https://mastodon.social/api/v1/accounts/lookup?acct=hrbrmstr" | jq -r .id)/followers" | jq -r '.[]|.acct' | head -3
hobs@mstdn.social
vulnerability_collector@social.circl.lu
Gbemzzy

(This uses https://github.com/mattn/bsky.)

$ bsky follows --handle wyden.senate.gov | head -3
404media.co [404 Media] did:plc:vcepp6trx4vpe5ourxso4tjl
joshuajfriedman.com [Joshua J. Friedman] did:plc:qrllvid7s54k4hnwtqxwetrf
kamalahqrepeater.bsky.social [KamalaHQ (automated mirror)] did:plc:2nkztwlaqopwokupbumpou7f
$ bsky followers --handle wyden.senate.gov | head -3
profrog.bsky.social [] did:plc:p6tuxnb3hjbplssgfrlgyn3p
botterud.bsky.social [Carl Botterud] did:plc:kblrz6kdv2jnoz34zlmduqvn
staceykiser.bsky.social [] did:plc:tk4uzi4slbcpimvo4usfoat4

So, we’re handing over our “graphs” to them without them even needing to rely on data from third-party trackers. (Just be clear-eyed about that.)
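If you want to audit what your own account exposes this way, here is an added example (not from the original post) that does in Python what the curl/jq pipeline above does, with one addition the `| head -3` hides: the Mastodon API pages these lists (at most 40 accounts per response) and signals the next page in a `Link` header with `rel="next"`, so a full audit has to walk that chain. The JSON page and `Link` header below are constructed samples so the parsing runs offline; `fetch_all` is the only part that touches the network.

```python
"""Audit a Mastodon account's public following/followers lists, with paging.

Added example, not code from the original post. Assumes Mastodon's documented
GET /api/v1/accounts/:id/following and /followers endpoints, which return a
JSON array of accounts plus a Link header pointing at the next page.
"""
import json
import re
import urllib.request
from typing import Optional

# Constructed sample of one JSON page from /api/v1/accounts/:id/following
SAMPLE_PAGE = json.dumps([
    {"id": "1", "acct": "bees@infosec.exchange", "locked": False},
    {"id": "2", "acct": "davidgasquez.com@bsky.brid.gy", "locked": False},
    {"id": "3", "acct": "localuser", "locked": True},
])

# Constructed sample Link header in the shape Mastodon uses for pagination
SAMPLE_LINK = (
    '<https://mastodon.social/api/v1/accounts/1/following?max_id=3>; rel="next", '
    '<https://mastodon.social/api/v1/accounts/1/following?since_id=1>; rel="prev"'
)


def next_page_url(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None


def accts_from_page(body: str) -> list[str]:
    """Pull the acct handles out of one JSON page (what `jq -r '.[]|.acct'` does)."""
    return [account["acct"] for account in json.loads(body)]


def fetch_all(url: str) -> list[str]:
    """Walk every page of a following/followers endpoint (network; not used by tests)."""
    accts: list[str] = []
    while url:
        with urllib.request.urlopen(url) as resp:  # public endpoint, no auth needed
            accts += accts_from_page(resp.read().decode("utf-8"))
            url = next_page_url(resp.headers.get("Link"))  # None ends the loop
    return accts
```

Point `fetch_all` at `https://<instance>/api/v1/accounts/<id>/following` (or `/followers`) for the id returned by the `lookup` call in the post, and you get the complete list rather than the first page.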


Non-Comprehensive Resource List (v0.1.0)

For having my online actions appear to be coming from somewhere else, I use Tailscale with randomly spun-up exit nodes or Mullvad VPN. Since Tailscale is a venture-backed company, we’ll take one of the upcoming Drops to show you how to do something similar with just WireGuard (the underlying protocol Tailscale uses).

Pi-hole with a DNS-over-HTTPS server you control is one of the safest ways to avoid as much tracking/ads as you can without installing anything in your browsers. That’s a lot to ask for someone who just needs to get stuff done and doesn’t want to be a server/service admin. For an easier setup that works everywhere, I also use NextDNS. No VCs, but they are a U.S. company subject to the whims of whichever dear leader is in charge. DNS0 is a fine DNS alternative and also a DNS-over-HTTPS (et al.) service. It doesn’t have the built-in blocklist bits, so either use a Pi-hole with it or see below.

While Pi-hole and NextDNS add some level of protection, you will need something in-browser to get some real protection. The U.S. government (and, let’s be real, all governments) buy the tracking data that comes from ads and apps, and know how to use it. Covering how to do content/tracking blocking is really a “whole Drop” sort of topic, and we’re kind of screwed when it comes to browsers in general (don’t. trust. Mozilla.).

uBlock Origin where Manifest v2 is still enabled (on Chromium), or the lite version (for Chromium) when that isn’t possible.

The current state of WebKit / Apple browsers is pretty sad, unfortunately, and I don’t really trust any of the extensions I’ve tried to do a good job. And, let’s be clear, Apple, Google, Microsoft, and — very likely — Arc will all gladly turn over any and all data they have on you if you use their browsers (so, yes, I’m likely switching back to Vivaldi in the very near future, and praying some of the budding alternatives manifest themselves sooner-than-later).

The apps on your mobile devices are all pretty horrible. Consider investing a bit of time into Tracker Control so you can see just how horrible.


FIN

Today was a very non-comprehensive bit of things you can do and be aware of, but they are some things you can do, right now. Without leaving your desk, chair, couch, bed. They’re small, tiny acts of defiance and safety, but we’re going to need thousands of small acts as the years and decades (yes, decades) move on.

Finally, I know how some folks feel about White/Nichols, but these two posts helped me this week, and they may help you:

They are very likely the reason I stopped wallowing and got my head back into the fight.

Ping me on Mastodon or Bluesky with a “🦇?” request (public or faux-private) and I’ll out-of-band connect us on Signal.

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️
