#information security

I've been helping friends who host NSFW content on Google Docs with backing up and migrating off it, so I figured I could share that here.

1: Facts about Google Docs banning/removing NSFW content

They've always done this, actually. It isn't new, although they do go through periods where they get more stinky about it. If you really look at their terms and conditions, they tell you that while they won't interfere with NSFW content in private files, they do reserve the right to meddle when you make that file public/share the link. The words are "you may not DISTRIBUTEadult content via GoogleDocs."

So when you enable a shared link on a file, like below, you're considered to be 'distributing' it. 

As a side note, this also makes that file fair game to be fed into their AI training. 

As far as I understand, sharing a file with a specific other account or several--such as editors or co-authors--does not count as public distribution.

More on how to protect yourself, back up your files and alternative services under the cut.

A thing a lot of information security teams do is Table Top exercises. Basically get a bunch of people into a room and say "Okay what if [insert security incident here] happened, what would you do? What's the plan?"

These can vary from just a conversation to "hey lets actually implement a multi-phased attack on the company and make fake phone-calls and emails from fake customers or partners". We did a variety of levels through the year.

Anyways the main difference between these and a penetration test is that these are usually more considerate of other areas that a breach would impact. It's not just 'is there a vulnerability?, it's 'your customers are calling you because they read about it on some social media, how do you respond?', and 'The security exec just recommended shutting down the website, but Sales Lead you're in the middle of on-boarding a $$$$$$$$$ customer and contract negotiations were already shaky', and 'Okay you said you'd call in the FBI. Do you even have a number for that?'

Been awhile since I've had one of these posts but I figure with all that's going on in the world it's time to make another one of these posts and get some stuff out there for people. A lot of the information I'm going to go over you can find here:

So if you'd like to just click the link and ignore the rest of the post that's fine, I strongly recommend checking out the Privacy Guides.

Browsers:

There's a number to go with but for this post going forward I'm going to recommend Firefox. I know that the Privacy Guides lists Brave and Safari as possible options but Brave is Chrome based now and Safari has ties to Apple. Mullvad is also an option but that's for your more experienced users so I'll leave that up to them to work out.

Browser Extensions:

uBlock Origin: content blocker that blocks ads, trackers, and fingerprinting scripts. Notable for being the only ad blocker that still works on Youtube.

Privacy Badger: Content blocker that specifically blocks trackers and fingerprinting scripts. This one will catch things that uBlock doesn't catch but does not work for ads.

Facebook Container: "but I don't have facebook" you might say. Doesn't matter, Meta/Facebook still has trackers out there in EVERYTHING and this containerizes them off away from everything else.

Bitwarden: Password vaulting software, don't trust the password saving features of your browsers, this has multiple layers of security to prevent your passwords from being stolen.

ClearURLs: Allows you to copy and paste URL's without any trackers attached to them.

VPN:

Note: VPN software doesn't make you anonymous, no matter what your favorite youtuber tells you, but it does make it harder for your data to be tracked and it makes it less open for whatever network you're presently connected to.

Mozilla VPN: If you get the annual subscription it's ~$60/year and it comes with an extension that you can install into Firefox.

Proton VPN: Has easily the most amount of countries serviced, can take cash payments, and does offer port forwarding.

Email Provider:

Note: By now you've probably realized that Gmail, Outlook, and basically all of the major "free" e-mail service providers are scraping your e-mail data to use for ad data. There are more secure services that can get you away from that but if you'd like the same storage levels you have on Gmail/Outlook.com you'll need to pay.

Proton Mail: Secure, end-to-end encrypted, and fairly easy to setup and use. Offers a free option up to 1gb

Tuta: Secure, end-to-end encrypted, been around a very long time, and offers a free option up to 1gb.

Email Client:

Thunderbird if you're on Windows or Linux

Apple Mail if you're on macOS

Cloud Storage:

Proton Drive: Encrypted cloud storage from the same people as Proton Mail.

Tresorit: Encrypted cloud storage owned by the national postal service of Switzerland. Received MULTIPLE awards for their security stats.

Peergos: decentralized and open-source, allows for you to set up your own cloud storage, but will require a certain level of expertise.

Microsoft Office Replacements:

LibreOffice: free and open-source, updates regularly, and has the majority of the same functions as base level Microsoft Office.

OnlyOffice: cloud-based, free, and open source.

Chat Clients:

Note: As you've heard SMS and even WhatsApp and some other popular chat clients are basically open season right now. These are a couple of options to replace those.

Signal: Provides IM and calling securely and encrypted, has multiple layers of data hardening to prevent intrusion and exfil of data.

Molly (Android OS only): Alternative client to Signal. Routes communications through the TOR Network.

Briar: Encrypted IM client that connects to other clients through the TOR Network, can also chat via wifi or bluetooth.

Now for the last bit, I know that the majority of people are on Windows or macOS, but if you can get on Linux I would strongly recommend it. pop_OS, Ubuntu, and Mint are super easy distros to use and install. They all have very easy to follow instructions on how to install them on your PC and if you'd like to just test them out all you need is a thumb drive to boot off of to run in demo mode.

If you game through Steam their Proton emulator in compatibility mode works wonders, I'm presently playing a major studio game that released in 2024 with no Linux support on it and once I got my drivers installed it's looked great. There are some learning curves to get around, but the benefit of the Linux community is that there's always people out there willing to help.

I hope some of this information helps you and look out for yourself, it's starting to look scarier than normal out there.

Online age verification checks (that are now required for some websites in half of all US states) frequently share highly-sensitive personal data with third parties, and are ineffective at actually protecting minors. This has been confirmed in a study by researchers from Georgia Tech and UC Irvine.

These checks tout the high value they place on the privacy of those whose data collect... but they're fucking liars.

Stay woke.

Just a little tip if you see a website asking you to enter information to register for a rally, do not. If you see a number listed to call to report things, *make sure it's correct before sharing it and that it helps actually helps people* know who you are reporting it to, and it's not a random number used to keep a record who is reporting .

Gosh, who could have possibly predicted this????

Or, like, any online rando.

I ran into a server that wanted to make sure that members are over 18 years old. They wanted to avoid the other thing I've heard of, which is asking you to verify your age by sending pictures of your ID card to a moderator. Good! Don't do that!

However, ALSO don't do this other thing, which is using a discord bot that would "automatically verify" you from a selfie and a photo of your ID card showing your birthday. The one they used is ageifybot.com. There's a little more information on its top.gg page. Don't like that! Not using that!

Why not? It's automatic! Well, let me count the ways this service skeeves me out:

How does the verification process work? There is no information on this. Well, okay, if you had more info on what kind of algorithms etc were being used here, that might make it easier for people to cheat it. Fair enough. But we need something to count on.

Who's making it? Like, if I can't understand the mechanics, at least I'd like to know who creates it - ideally they'd be a security professional, or at least a security hobbyist, or an AI expert, or at least someone with some kind of reputation they could lose if this turns out to not be very good, or god forbid, a data-stealing operation. However, the website contains nothing about the creators.

The privacy policy says they store information sent to them, such as your selfie and photo of an ID card, for up to 90 days, or a year if they suspect you're misleading them. It sure seems like even if they're truly abiding by their privacy policy, there's nothing to stop human people from looking at your photos.

The terms of service say they can use, store, process, etc, any information you send them. And that they can't be held accountable for mistakes, misuse, etc. And that they can change the bot and the ToS at any times without telling you. The terms of service also cut off midway through a sentence, so like, that's reassuring:

In conclusion, DO NOT SEND PICTURES OF YOUR ID CARD TO RANDOM DISCORD BOTS.

Yes, keeping minors out of (say) NSFW spaces is a difficult problem, but this "solution" sucks shit and is bad.