non qubes
jer...@disroot.org
for example i need to know if enabling java script to watch youtube in tor will compromise anonimity or anything like that, or enabling java script in other websites, if it's a risk.. and how i should tell where i can enable java script, etc.. also if it's recommended to buy stuff through tor, and how, etc and what its benefits, etc...
Yuraeitha
> where do i find support for security, privacy? (some place where i can post with anonimity too, reddit privacy requires java script i think, doesn't it compromise anonimity? also i would like to ask how things are recommended in doing, like a guide, etc...
>
> for example i need to know if enabling java script to watch youtube in tor will compromise anonimity or anything like that, or enabling java script in other websites, if it's a risk.. and how i should tell where i can enable java script, etc.. also if it's recommended to buy stuff through tor, and how, etc and what its benefits, etc...
I'll answer to your mentioned issue first, but in addition to that there are some extra, but related, information below it.
As for support, you found the best place. You can indeed avoid javascript, and this is where to hang-out for feedback/questions/help/support if you want to be as close to the developers as possible (they don't always post but they do drop by every now and then), and probably also the best place to find help too given the people who gather here. But remember, when you ask for support, you must remember that it is volunteer driven "support". I'm not doing it my self, but you should be able to use for example the open-source Thunderbird mail-client over the Tor network, to post on these e-mail threads, and then use the Tor plugin's to Thunderbird to ensure you're anonymous (remember the plugin). This way, you bypass the java-script for google mails, and you can even use mail encryption if both parties have & use the keys (as you might have seen, some people have their encryption keys below their posts here, so you can send encryption messages to them).
As for the extra information, it's a good timing of you to ask a question like this, as some of us are currently trying to get a discussion going today, exactly about issues like this. It could be helpful if you throw a comment over here (@ link below) to help putting focus on issues which are not covered in the Qubes docs, and come from the bottom-up (by Communuty for Community). This will over time help increase the availability of extra guides and solutions for all sorts of different things. It'd be helpful to have backing as to why we need more focus on less or unofficial guides/scripts/etc. https://groups.google.com/forum/#!topic/qubes-users/dZNWxBOqa08
The better this can be done, the quicker we can get more helpful content coordinated, checked for errors/mistakes/security/easy-of-use/help-finish and make both the unfinished and finished work more visible for the rest of the community. Some of it, if good enough, could maybe end up in the Qubes docs at some point as well. To clarify, instead of top-down, this is a bottom-up approach.
Disclaimer, I don't plan to take any leadership in this, I'm only pushing to get it going, and then afterwards help where I can help as a regular user. It might even be that there won't be a leadership, but things like these are for the discussion to discuss as well.
Basically, if you could post your point of view, entirely what you think, what you would like to see, your own opinion, related to the subject of course.
Tim W
> where do i find support for security, privacy? (some place where i can post with anonimity too, reddit privacy requires java script i think, doesn't it compromise anonimity? also i would like to ask how things are recommended in doing, like a guide, etc...
>
> for example i need to know if enabling java script to watch youtube in tor will compromise anonimity or anything like that, or enabling java script in other websites, if it's a risk.. and how i should tell where i can enable java script, etc.. also if it's recommended to buy stuff through tor, and how, etc and what its benefits, etc...
Javascript itself will not reveal your IP over Tor ie break tor. But javascriptt has always had security issues that could be used to run code that could itself reveal ip etc. This is more an issue with emails and small or spoofed sites etc not a large offical site like youtube.
Honestly I do not understand people using gmail etc if privacy is critical. Even using pgp for all text etc so much can be learned from your habits email accounts contacted time of use etc... Its sad they own so much of the Internet data and portal activity these days such as youtube. I wish this list was not hosted but its so hard to avoid the carrot when its a opensource project.
Use tor to setup a protonmail etc if you need a webmail account.
Yuraeitha
While I in general agree, some e-mails are created specifically for a specific purpose. People who use gmail on these websites for example, may not specifically use that e-mail for anything else. Since we're already posting on gmail mailing lists, it shouldn't make any difference anyway, google will know irregardless of which mail is used here. Though perhaps there is a legal difference, maybe? But as long it isn't used outside google systems, then having a gmail here shouldn't make much difference. Unless I overlooked something? legal element maybe?
It won't be long before A.I. can just scan and analyze the way how people write to profile people and identify them. It's essentially the same tech as face-recognition software, which many laughed off just a few years back, but today is very real. So too is happening to A.I.'s that can identify people by how they write. Google is likely no exception here, and irregardless of which mail you use, they would probably be able to identify you one way or another if you only once slip up and publicize your writing style. It's like a fingerprint. The future is scary.
awokd
> On Thursday, March 1, 2018 at 9:30:52 AM UTC+1, jer...@disroot.org wrote:
>
>> where do i find support for security, privacy? (some place where i can
>> post with anonimity too, reddit privacy requires java script i think,
>> doesn't it compromise anonimity? also i would like to ask how things
>> are recommended in doing, like a guide, etc...
>>
>> for example i need to know if enabling java script to watch youtube in
>> tor will compromise anonimity or anything like that, or enabling java
>> script in other websites, if it's a risk.. and how i should tell where
>> i can enable java script, etc.. also if it's recommended to buy stuff
>> through tor, and how, etc and what its benefits, etc...
tor-users mailing list. Enabling Javascript anywhere is a risk because it
opens up attack vectors to your computer, but by itself it will not
automatically compromise anonymity. Someone would have to be using an
exploit delivered over Javascript to do that. This is pretty unlikely in
the case of large sites such as Youtube or Reddit, unless state agencies
are targeting you specifically (which Tor makes more difficult).
Qubes is designed to contain exploits to a single VM. If you use it with a
disposable VM for browsing, even if you do get compromised in a browsing
session such as by a Javascript virus in Google ads on Youtube, closing
that Tor Browser and opening a new one will result in it using a fresh,
non-compromised disposable VM.
Buying items through Tor means using your real identity through Tor. Some
people use Tor for everything including banking. Some use Tor for all
browsing except anything involving their real identity. Others just use
Tor occasionally for some sites. Try searching tor-users mailing list for
questions similar to yours; you'll need to develop your own answer.
Tim W
That is how 99.9% of those caught using tor are found. Its from bad opsec not actually breaking of tor itself. Tech even the way silk road was brought down was via a spoof more than 100% of breaking tor. but like anything layers. Whats great about qubes is it helps in numerous ways from being resistant to the spread of malware its easy integration oh whonix. It ability to string numerous network tunneling chains together to creating multiple layers if done correctly have the effect of indecent cells working to a common goal with only the end user knowing all parts. Qubes is but one part but its configuration allows for numerous ways and layer for security and or if done with proper opsec anonymity
awokd
failure". In the case of someone using Tor in conjunction with their real
identity, for example, they aren't worried about the site or any third
party trackers knowing WHO they are during that particular session. Their
primary concern (aka a security failure for them) might be revealing their
location by their real IP (or in the third party trackers case,
link-ability across sessions/other sites by super cookies etc.). The trade
off, though, is their traffic may get routed through network path that is
less trusted than user -> ISP -> ISP -> site; would be user -> Tor ->
random exit node -> random exit node's ISP -> ISP -> site. That's why
there is no comprehensive, simple answer on the "right" way to use Tor. It
varies by what you are trying to accomplish. See
https://www.torproject.org/docs/faq.html.en#WhatProtectionsDoesTorProvide
, or https://www.torproject.org/docs/documentation.html.en for more
details and support options.
Tim W
I could not agree more. Also very well put and easy to understand example. You always have to define the use and what you are protecting and from who. No one way for everything.