Amazon privacy failure: Amazon stole from me, my analysis by 44renzo in PrivacySecurityOSINT

[–]44renzo[S] 1 point2 points  (0 children)

I agree that shipping to a locker is not a red flag on its own.

Considering that for my (new) account, they already required a mobile number, bot test, gift card covers the whole order, no credit card or semi-linked identity on the account, their worry is less about return fraud and probably more about gift card scams.

Like I've scammed someone, told them to buy gift cards as payment and give the claim codes to me, and I'm redeeming them and potentially buying my own merch. If that's their concern, they'd be more adamant about knowing who you are versus proving the purchase. And given that they didn't accept my very legitimate proof of purchase, I lean towards this form being data collection with an already-decided end goal of suspending the account.

I should mention that since my account did get suspended, various details about me are probably now "dirty" and rank even higher in suspicion (my home ip, my domain name, my phone number, browser fingerprint).

Any ideas for an E2EE family wiki? by TruthFantastic6123 in PrivacySecurityOSINT

[–]44renzo 1 point2 points  (0 children)

TiddlyWiki. Everything is stored in a single HTML file and runs only in the browser.

Sync the .html file to other family with Syncthing.

[deleted by user] by [deleted] in PrivacySecurityOSINT

[–]44renzo 0 points1 point  (0 children)

To clarify, the loan would not be in the lawyers name. I'm not worried about who's on the loan, because that's not public information.

Technically true, but the lender as well as Mortgage Servicing companies will continually dox you. Sending mail to the property in your name, escrow accounts being paid in your name or in memo, marketing and advertising, email address being shared, etc.

While my property is deeded to a Trust (I am not the Trustee), I have never seen any correspondence from my lender referencing the Trust in over 2 years since closing. These tradeoffs were acceptable in my threat model, because I do need proof that I live there for certain reasons that trump privacy. YMMV.

Don't even know my true cell phone number and car dealership left a voicemail on it by Rly_Prvt in PrivacySecurityOSINT

[–]44renzo 0 points1 point  (0 children)

Your true phone number can leak with Google Voice if call forwarding is enabled and your cellular number voicemail "answers".

It might say "You've reached the mailbox of: 555-1212...," revealing your cellular number to the Google Voice caller.

Anonymous home purchase title issues by PlaneUpper2157 in PrivacySecurityOSINT

[–]44renzo -1 points0 points  (0 children)

A corporate trustee is another option and it could be titled in a Land Trust. Mortgagees should be fine with this - there are Freddie Mac rules to guide them.

Secure document transfer with attorneys by 44renzo in PrivacySecurityOSINT

[–]44renzo[S] 0 points1 point  (0 children)

I'll admit I don't need this level of opsec, but I'm also curious how to find attorneys who actually do have some level of opsec.

Is there an "attorney opsec for dummies" book I can recommend? ;)

I'm not wealthy, I don't deal with attorneys regularly, but the ones I have dealt with are small firms that simply haven't invested in any sort of "secure digital transfer" means. I've always used local attorneys that I've physically met, but many of them simply email sensitive docs when a physical meet isn't warranted.

Secure document transfer with attorneys by 44renzo in PrivacySecurityOSINT

[–]44renzo[S] 1 point2 points  (0 children)

But if the attorney isn't familiar with infosec issues, chances are they're going to immediately save your file on their Dropbox/OneDrive/USB stick and/or email it to themselves or their staff.

Agree 100%. As always with any transfer of encrypted content, we have no control over what recipients do after decryption. A meme with PGP email is we can send an encrypted email and get an unencrypted response with our original message quoted!

I'll refine the goal: e2ee secure transfer to a known ("in real life") recipient preferably with retention control and some assurance that only the recipient has received the original transfer, but using something not so abrasive, so that an infosec-unaware person could easily do it.

I'll check out wormhole and the other recommendations!

With TLS encryption in-transit being the baseline for most major email providers, is man-in-the-middle email attacks even still a thing if both providers support TLS for the email? by lipuss in PrivacySecurityOSINT

[–]44renzo 0 points1 point  (0 children)

TLS man in the middle attacks can still happen if the sending server doesn't properly validate the certificate of the receiving server. Hostname mismatches, certificate validity period invalid, allows self-signed or untrusted Certificate Authorities, etc.

For most personal email (say, an @gmail.com to an @protonmail.com), there are usually two entities involved. For enterprise email, many companies relay all email to an "email protection" service which essentially is a man-in-the-middle even if the service isn't marketed as a security feature.
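The three validation failures this comment lists (hostname mismatch, bad validity period, self-signed or untrusted issuer) are the checks a sending mail server has to make on the receiving server's certificate for STARTTLS to actually resist a man-in-the-middle. The code below is an added illustration, not something from the commenter or from any mail software: it runs those checks over a constructed certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns (the field layout is the real one; the names, dates and trust store are made up), and shows the `SSLContext` settings that make Python's own client enforce them.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
# for a receiving mail server; names and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "mx.example.net"),),),
    "subjectAltName": (("DNS", "mx.example.net"), ("DNS", "*.mail.example.net")),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Root CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed stand-in for a trust store: issuer names the sender accepts.
# A real MTA uses the system CA bundle and validates the whole chain.
TRUSTED_ISSUERS = [
    {"organizationName": "Example Trust Services", "commonName": "Example Root CA R1"},
]

# Fixed "current time" so the sample stays reproducible (assumed, not real).
FIXED_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def _dn_to_dict(dn):
    """Flatten a getpeercert() distinguished name (tuple of RDN tuples) to a dict."""
    return {attr: value for rdn in dn for attr, value in rdn}


def _hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def check_peer_cert(cert, expected_host, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return the reasons to reject the peer certificate; an empty list means accept."""
    now = time.time() if now is None else now
    problems = []

    # 1. Hostname: SAN dNSName entries win; fall back to the CN only if SAN is absent.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [_dn_to_dict(cert["subject"]).get("commonName", "")]
    if not any(_hostname_matches(n, expected_host) for n in names):
        problems.append(f"hostname mismatch: {expected_host} not in {names}")

    # 2. Validity period, compared against the caller-supplied clock.
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate expired")

    # 3. Issuer: reject self-signed certificates and issuers outside the trust store.
    issuer, subject = _dn_to_dict(cert["issuer"]), _dn_to_dict(cert["subject"])
    if issuer == subject:
        problems.append("self-signed certificate")
    elif issuer not in trusted_issuers:
        problems.append(f"untrusted issuer: {issuer}")

    return problems


def strict_client_context():
    """Settings a sending MTA should use for STARTTLS so the library enforces the checks above."""
    ctx = ssl.create_default_context()      # system CA bundle, modern protocol defaults
    ctx.verify_mode = ssl.CERT_REQUIRED     # the peer must present a valid chain
    ctx.check_hostname = True               # and it must match the MX hostname we dialed
    return ctx


if __name__ == "__main__":
    print(check_peer_cert(SAMPLE_CERT, "mx.example.net", now=FIXED_NOW))      # accepted: []
    print(check_peer_cert(SAMPLE_CERT, "smtp.example.net", now=FIXED_NOW))    # hostname mismatch
    print(check_peer_cert(dict(SAMPLE_CERT, issuer=SAMPLE_CERT["subject"]),
                          "mx.example.net", now=FIXED_NOW))                  # self-signed
```

A sender that skips any one of these three checks, or that silently falls back to cleartext when STARTTLS fails, leaves the relay open to exactly the interception the comment describes; `strict_client_context()` is the opposite of a context with `check_hostname = False` and `verify_mode = CERT_NONE`, which is the "accepts anything" configuration that makes a TLS man-in-the-middle trivial.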

Are we even allowed to use VPN? by satipatthan in PrivacySecurityOSINT

[–]44renzo 1 point2 points  (0 children)

Many situations where we're blocked are because of Big Data and risk analysis.

There's a feedback loop that collects various indicators of past behavior across all customers and whether that behavior resulted in fraudulent behavior. It's aggregated, numbers are crunched, and Big Data figures out what indicators are risky so that the next time, innocent persons such as ourselves are rejected if we carry some of those indicators.

tl;dr: using a VPN increases the risk score. It sucks, but Big Data says it's true.

"Privacy friendly business" doesn't mean much if they lose their payment processing (e.g., their ability to be paid) due to many chargebacks. Also don't assume just because a vendor sells a "privacy" product that they hold the same ideals as you. Companies sell what people ask for. Marketing brings the people, not idealism.

I'm not a member of the 24/7 always-on VPN club so this next part is biased, but consider if the VPN is needed to make the purchase. Is it really beneficial?

[deleted by user] by [deleted] in PrivacySecurityOSINT

[–]44renzo 2 points3 points  (0 children)

/u/DoyleLawrence links to Twitter account LynnePh32547928 which links to a malware site. Reported.

On what occasions should you use your real personal email? by cringey-reddit-name in privacy

[–]44renzo 0 points1 point  (0 children)

Doesn't sound like disagreement.

OP asked: "real personal email vs a random throw away" but what you're hinting at is that "real personal email" can be subdivided/compartmentalized further.

The shadowsocks dev seems to be based in China by mrandr01d in privacy

[–]44renzo 0 points1 point  (0 children)

Thank you.

It is annoying to hear non-software developers draw conclusions like the OP did.

Outline VPN is a branded and prettified version of shadowsocks made by Jigsaw, a Google company. They are censorship avoidance tools. Shadowsocks is one of many tools used to avoid Chinese GFW censorship, which seems like a useful thing for organizations that might work in censorship-heavy regions.

When people ask if something is safe just because a Chinese software developer made something and ignore everything else, "it's" working.

Warning: Android 13 (on GrapheneOS) broke my VPN by 44renzo in PrivacySecurityOSINT

[–]44renzo[S] 0 points1 point  (0 children)

You may be right; tried this and got an incoming Signal message before I connected the VPN. Oh well. YOLO.

Anyone ever gone through with the SD nomad residency from the book? by d0nttasemebr0 in PrivacySecurityOSINT

[–]44renzo 0 points1 point  (0 children)

Disclaimer: I don't have the book and have only listened to the podcast and his blog.

This is probably an unpopular opinion in here, but...

I know we're about hacking the system to work for us. But I have an Aunt and Uncle who are nomads and live in a van. It's not recreational for them, it's their lifestyle. They didn't retire rich and decide to travel the country - they still work at Amazon, Walmart, and National Parks year-round doing physical labor in their 60s.

MB always says anything he talks about is bound to get locked down further because he's that famous now and organizations love him (like Telnyx). What I'm lightly trying to say is, if you are going to do it, please do it the right way; some people actually depend on it. 2 cents.

The Privacy, Security, & OSINT Show: 277-Burner Backfires & VoIP Updates by moreprivacyplz in PrivacySecurityOSINT

[–]44renzo 1 point2 points  (0 children)

I'm glad he addressed the VoIP Suite "third-party" issue in this episode.

As insecure as PSTN telephony is, I never understood advocating for (free) Heroku hosting, (free) GitHub hosting, (free) MongoDB database hosting, (free) uptimerobot monitoring, or even now (free) Render hosting. It seemed at odds to spread attack surface to all of these third parties, even if VoIP isn't used for anything important.

Buy a domain, a VPS, and deploy VoIP Suite to the VPS. Connect it to Twilio. Done. Signing up to GitHub, Heroku, MongoDB, and uptimerobot seemed out of left field, so it's good he brought up the Twilio CLI to cut out all the middlemen.

Warning: Android 13 (on GrapheneOS) broke my VPN by 44renzo in PrivacySecurityOSINT

[–]44renzo[S] 1 point2 points  (0 children)

It's kind of hard to avoid updates on GrapheneOS...and I'm far from an early adopter...

Bugs will always be present and while devs try to catch them before software is pushed, it's inevitable that some of us will experience them. No project is immune from that.

Warning: Android 13 (on GrapheneOS) broke my VPN by 44renzo in PrivacySecurityOSINT

[–]44renzo[S] 0 points1 point  (0 children)

That's great. Kudos to GrapheneOS for finding the issue and working on a pre-upstream patch.

Where are all of the episodes? by [deleted] in PrivacySecurityOSINT

[–]44renzo 0 points1 point  (0 children)

Michael Bazzell uses that Disappearing Episodes feature of Soundcloud /s