Google and privacy, sharing my case

Ok, when the talk is about Google and privacy, everybody knows the answers and has more or less the same opinion,
but today I want to share what happened to me yesterday, and you guys judge for yourselves.
(I use the translator from Google to change from Spanish to English.)

On Sunday, a mail arrived from the Google app on my Android phone.

The subject was "Take steps to protect your compromised passwords".
I said, ok, this is normal, it comes to me from time to time.

I opened it, and the main header is "Change your compromised passwords"
and below:
Google has found some of your passwords on the Internet. Anyone who finds them can access your accounts.
Your Google account is still safe. This leak has occurred elsewhere on the web. Now you can protect saved passwords with the password manager.

The word "compromised" sounds bad from the beginning, so I went to the "check security" button.
The first problem says "your saved passwords" and below:
Some of your passwords have been exposed in a non-Google data security breach. You must change them immediately. Recently made password changes may take a while to appear here.

and I went to the "password check" link.

The first tab says "2 broken passwords"
with 2 items:
1 HTTP site (tplinkwifi.net) used when I configured a wifi repeater from Chrome on the phone,
and the other one was a dating app (closed some months ago).

The second tab says "there are 4 passwords reused"
with 2 dating apps, closed months ago too,
1 app ("Gimme Metal: Free Metal Music", I listen to Mustaine podcasts 🤘),
and the other one was 1 web site, freebsd.org (now I have changed the password, of course).


And that is all. Now I try to link the relation between the Gmail account, the apps and the passwords saved in Chrome on my phone,
and I come to one answer: little by little, replace the Gmail accounts with, for example, Yandex or Protonmail
and disappear from the Google world!!!!
This shows me that Google reads the passwords from my phone (this time "to protect me"), but wtf???
I don't want to think about my encrypted notepad app where I save all my passwords, old and new,
when I connect through ssh to my servers from the app on my phone.
 
Option I: Common Sense

#! By now, I think it's obvious we shouldn't hand over our life to BigTech -- at least it's obvious for some of us, and that's a lot, and enough.
0. Dump the Googly eyes, as I did.
1. GOTO 0

Option II: Go Full Bunker

* Disable browser password managers.
* Wipe out all web-based password manager data (Google, etc).
* Don't use browser built-in sign-in facilities, i.e. Chromium to Google and/or Firefox to Mozilla, etc.

* Use an offline password manager. e.g. security/keepass
* Use a 32-64 character password. e.g. This: "GLMEZVVQPNCRBUNBAUJISZEXLOJGLSGA" is better than this: "Gr(kt$97t,lo_A".
* If you want to back up your password manager DB on web storage, AES-128 it first!

* Disable "Deceptive Content and Dangerous Software Protection" in Firefox. It sends your data to Google.
* If you want to use a Google service, don't log in -- if it's possible, e.g. YouTube.
* Don't use "save preferences/settings on web" on your phone and/or desktop.

Option III: Heuristics matter

* These companies have no respect for nation states, e.g. Australia vs. Facebook. To them, you and I are just dudes!
* First encrypt, then send on the web-storage.
* Easiness is a red-flag.

Footnote
All of my arguments are based on heuristics. Every single one of them can be and will be rejected by at least one or more counterarguments.
I won't dismiss potential objections, e.g. yes, passwords in Firefox are encrypted. But despite all of that, I'm sticking to my guns on these issues.
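As an added example (not the post's own code, and not from KeePass or any project named here): a Python script that generates a password the way the post recommends, using the operating system's random source, and estimates the entropy of a password from its length and the character classes it contains, applied to the two sample strings quoted in the post. The estimate assumes every character was chosen uniformly at random from the detected alphabet; that holds for the output of the generator, not for a password a human picked.

```python
import math
import secrets
import string

# Character classes used to estimate the alphabet a password was drawn from.
CLASSES = (
    string.ascii_lowercase,   # 26 symbols
    string.ascii_uppercase,   # 26 symbols
    string.digits,            # 10 symbols
    string.punctuation,       # 32 symbols
)


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in the password."""
    size = 0
    for cls in CLASSES:
        if any(ch in cls for ch in password):
            size += len(cls)
    # Anything outside the four classes (a space, a non-ASCII letter) counts as
    # one extra symbol each, so the alphabet is never empty for a non-empty input.
    extra = {ch for ch in password if not any(ch in cls for cls in CLASSES)}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """Entropy in bits under the uniform-choice assumption:
    length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def generate(length: int = 32, alphabet: str = string.ascii_uppercase) -> str:
    """Generate a password with the secrets module (CSPRNG), never random.random."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def stronger(a: str, b: str) -> str:
    """Return whichever of two passwords has the higher estimated entropy."""
    return a if entropy_bits(a) >= entropy_bits(b) else b


if __name__ == "__main__":
    # The two example strings quoted in the post above.
    long_upper = "GLMEZVVQPNCRBUNBAUJISZEXLOJGLSGA"
    short_mixed = "Gr(kt$97t,lo_A"
    for pw in (long_upper, short_mixed, generate(64)):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits")
    print("stronger:", stronger(long_upper, short_mixed))
```

The 32 uppercase letters come out at roughly 150 bits against roughly 92 for the 14-character mixed string, which is the point the post makes: length beats symbol variety once the characters are actually random.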
 
There are modded Android versions.
Some of them claim to reduce Google eavesdropping.
It is a little bit of work but it pays off to root the cellphone.

I block all trackers etc. at DNS level.
Already months ago I blocked facebook.com and all subdomains.
I am using alternative search engines, only resorting to Google if I don't get good results for a particular query.

Dropping the googlemail account is the most difficult to do.
I plan to move to Protonmail, leaving Gmail only for spam, mailing lists etc.
 
It is a little bit of work but it pays off to root the cellphone.
In some jurisdictions the cellphone companies are legally obliged to keep track of your cellphone movements/usage for 6 months, e.g. in the UK:


Article actually says a year, so looks like I was wrong there.

Lots of CCTV usage around the world, including facial recognition, including in "benign" countries.

I understand the concerns but privacy these days is very near impossible. Doesn't mean you don't have to try, but realistically if you are using a cellphone you are being tracked.
 
Yes this is true, but imho there is a big difference between state-mandated tracking and tracking by Google, Apple, FB, Twitter etc.
It is unlikely that this data is going to be sold freely or passed through to foreign services (at least not directly).
The bigger you make the information gaps, the better for you.
 
The bigger you make the information gaps, the better for you.
Oh, I don't know, it probably marks you out as trying to hide, and therefore being of interest and more of a challenge! 😁

I try and make so much noise that it will be too much for them to scan/read, but then it's probably all "AI" these days anyway.

Try to avoid FB but they track you even if not a member on there (and helpful family members have tagged me in photos anyway), and have WhatsApp so got sucked in anyway.
 
I have let my Whatsapp account expire gracefully.
Regarding Telegram, I just find it interesting to remember the Russian government's threats a while ago and to see RT.com advertising a lot for Telegram for a few months now. Anyway, for my part, I'd trust the FSB more in keeping my privacy than any of the big US tech corporations.
 
Always check the headers of such emails to verify the actual sender. Use two-factor authentication. Google doesn't store your actual password; only the password hash is stored, which is hard to reverse back to a string.
 
Always check the headers of such emails to verify the actual sender. Use two-factor authentication. Google doesn't store your actual password; only the password hash is stored, which is hard to reverse back to a string.
It is good to know that, thanks.
Yes, two-factor authentication always (except for this forum, but now it is enabled),
and yes again, before anything I check the headers and the links.
 
There are modded Android versions.
Some of them claim to reduce Google eavesdropping.
It is a little bit of work but it pays off to root the cellphone.

I block all trackers etc. at DNS level.
Already months ago I blocked facebook.com and all subdomains.
I am using alternative search engines, only resorting to Google if I don't get good results for a particular query.

Dropping the googlemail account is the most difficult to do.
I plan to move to Protonmail, leaving Gmail only for spam, mailing lists etc.

I have always rooted my phones, from the Motorola 1200 🥲 until today; I am still waiting for the warranty to expire to root the current one.

I block all trackers etc. at DNS level.
Already months ago I blocked facebook.com and all subdomains.

Me too, and you get rid of some ads (I blocked these things at my work with BIND pointing to a blackhole).

And yes, it is hard to drop Googlemail because it is so integrated into the lives of users that it has become normal to everyone:
sharing Google Drives, work sheets, etc.
 
This is why it is time to challenge modern technology and instead rely on the ancient wisdom of the spiritual leaders from long ago.

I already started by setting up some huge freedom fires which I'm using to create smoke signals so that my ISP can interpret those and work as a proxy to send those e-mails for me. But unfortunately you will always have the trouble of non-believers, they just don't understand the importance... It took me a lot of effort to even get on the roof of my apartment building, let alone setting up those fires, and how do they thank me? Yeah, some nitpicker told me I was "endangering other tenants", I was "a danger to the environment because of mass polluting" and on top of that I was treated as some kind of criminal because they told me I wasn't supposed to be up there. But how else are you going to send smoke signals if not from a high area?

Those naysayers even try to silence and oppress me and fined me, hoping that I will pay. Yah right.

I'll show them! In the meantime I bought myself 2 carrier pigeons and wrote a message. I just released them outside and with a little luck one of them will find their way to my lawyer's firm, after which they'll show those dictators who's boss. The odds are obviously in my favor because I got smart and got two pigeons, as I mentioned, so there's a 50% chance that they'll succeed.

Now let's see who will have the last laugh!

There, time to take off this tinfoil hat and start grinding some Java beans to make myself a coffee.....

</vent>

(don't mind me... I don't know what came over me 😂)
 
Why is it bad that Google informs you that you have compromised passwords floating around the internet?
Because I never gave them to Google to be managed, and it is supposed that nobody can read your personal passwords without your
consent (some of the big companies do it of course, but never tell you to your face).
It is the ultimate invasion of privacy (besides, if I use 1234 or whatever as a password and some guy hacks my account).
The next will be "hey, in the ssh app you typed a weak password for firewall number 3".
 
Yes this is true, but imho there is a big difference between state-mandated tracking and tracking by Google, Apple, FB, Twitter etc.
It is unlikely that this data is going to be sold freely or passed through to foreign services (at least not directly).
The bigger you make the information gaps, the better for you.
Ha ha ha. Take e.g. the recent scandal about this Swiss encryption box sold for top-level governmental use (embassies). And it has been leaked several times that the German secret services are even more the CIA & NSA's lapdog than the UK or Australia & NZ's. If they're the 51st state of the USA (live@TV show), then what is my country? Ditto with the Pacific region: keyword: five eyes.
 
Google doesn't store your actual password, the password hash is only stored which is hard to reverse back to string
Before, I thought that's true, but now that I got the same email as the OP, I'm doubting: how does Google know that the compromised password is the same password if it doesn't store strings?
 
Before, I thought that's true, but now that I got the same email as the OP, I'm doubting: how does Google know that the compromised password is the same password if it doesn't store strings?
If the hash of your password, which is stored on their system, appears in one of the lists of compromised password hashes, or can be generated from one password of a list of compromised clear-text passwords, then it is not a far stretch to assume that the actual password is compromised, even without knowing the actual clear string.

PS: In this respect a compromised password does not mean that one of your accounts is compromised. It could well be that somebody else used the same password and it was revealed by one of the many data breaches in the past. These breached passwords amount to many hundreds of thousands, and you can be sure that criminals use these listed ones before any arbitrary passwords in their hacking efforts. So it is indeed a good idea to change the password.

For example see: https://haveibeenpwned.com/Passwords
 
If the hash of your password which is stored on their system appears in one of the lists of compromised password hashes
I understand that, but isn't it very unlikely that the compromised password used the same hash mechanism that Google does?
 
Before, I thought that's true, but now that I got the same email as the OP, I'm doubting: how does Google know that the compromised password is the same password if it doesn't store strings?
They can check it on login (in addition to the usual comparison with the hash). Don't forget that you always send them your password in plaintext. The point of hashing stored passwords is preventing entities other than Google from acquiring them. There's no way to hide passwords from Google itself.
 
I understand that, but isn't it very unlikely that namely the compromised password used the same hash mechanism that Google does?
Read the first line of the page I linked to:
Pwned Passwords
Pwned Passwords are 613,584,246 real world passwords previously exposed in data breaches.
Then enter your password there and tell us the result. Here they explain how it works, and for sure Google does something alike.
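As an added example that is not part of any post in this thread (and not Google's or Have I Been Pwned's own code): a Python sketch of the two mechanisms discussed above. `is_breached` models the prefix-based ("k-anonymity") lookup that the Pwned Passwords service documents: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix under that prefix, and compares locally, so the checking service never sees the password or even its full hash. `register` and `login` then show the point made two posts up: a service that stores only a salted, stretched hash still has the plaintext in hand at the moment of login and can run that breach check then. The breach corpus is a constructed list of a few strings, not real breach data, and the service side is simulated in-process rather than over HTTP.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed stand-in for a breach corpus (NOT real data): plaintexts that have
# turned up in leaks, as aggregated by services like Pwned Passwords. "hunter2"
# is listed twice to show that the lookup returns a count, not just yes/no.
BREACHED_PLAINTEXTS = ["123456", "password", "qwerty", "letmein", "hunter2", "hunter2"]

PREFIX_LEN = 5  # hex chars sent to the lookup service: 20 bits of a 160-bit hash


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Service side: group SHA-1 hashes by prefix -> {suffix: times seen}."""
    index = defaultdict(dict)
    for pw in plaintexts:
        h = sha1_hex(pw)
        prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


BREACH_INDEX = build_range_index(BREACHED_PLAINTEXTS)


def range_query(prefix: str) -> dict:
    """Service side: answer a prefix with every suffix it knows under it.
    The service learns only the prefix, never the password or the full hash."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range queries take exactly the hash prefix")
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


def is_breached(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password was seen in the corpus (0 = never)."""
    h = sha1_hex(password)
    return range_query(h[:PREFIX_LEN]).get(h[PREFIX_LEN:], 0)


# --- login-time check on a service that stores only salted, stretched hashes ---

ITERATIONS = 100_000


def register(password: str) -> dict:
    """Store a random salt and a PBKDF2-HMAC-SHA256 hash; the plaintext is not kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def login(record: dict, password: str) -> tuple:
    """Verify the password against the stored hash in constant time; if it
    matches, use the plaintext that was just submitted to check it against the
    breach corpus. Returns (authenticated, password_is_breached)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    if not hmac.compare_digest(digest, record["hash"]):
        return False, False
    return True, is_breached(password) > 0


if __name__ == "__main__":
    print("hunter2 seen in corpus:", is_breached("hunter2"))
    acct = register("hunter2")
    print("login with breached password:", login(acct, "hunter2"))
```

The breach check never needs the stored hash to match the breach list's hash algorithm, which answers the objection above: the comparison happens on the freshly submitted plaintext, and the stored PBKDF2 hash only decides whether the login succeeds.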
 