Once you’ve had the PIN scramble turned on for a while, it becomes second nature. I enter my GrapheneOS scrambled PIN about as quickly as the unscrambled PIN on my non‐GrapheneOS work phone. But it’s more of a defense against figuring out my PIN from the finger marks on my screen.
In environments where shoulder surfing is a concern, I prefer to use the multiple profiles feature: log out of my main profile (which is actually a secondary profile) to completely evict its keys from memory, and switch to a burner secondary profile containing no personal data, which unlocks with my fingerprint for convenience.
Second nature or not, I’m not sure how this protects you against the security camera watching you enter the passcode. I guess you’re hoping it can’t read the digit on each key?
How does one “demand better” from a handful of giant corporations? Did you personally negotiate that plan with your phone operator?
Besides that, neither tethering (for reasons other than cost, mentioned above) nor international roaming (increased latency) are a perfect replacement for fast local Wi-Fi at this point.
Cell signal is terrible for privacy, uniquely identifying each individual’s location at all times. Though Wifi can also be tracked, it at least is possible to use anonymously with MAC randomization as is the default on many phones. (Leaving aside countries like Switzerland which outlaw wifi without mandatory registration.)
I browse social media sites like Facebook and Reddit using their onion services. I was sick of seeing ads pop up that were clearly based on tracking my general browsing activity through IP correlation, tracking pixels and embedded “like” buttons. So now I block all cleartext Facebook/Reddit traffic completely.
Using Tor this way doesn’t anonymize me—on Facebook at least, I’m logged in under my own account—but it limits the profile Meta builds on me to the union of what it directly observes on Facebook and what it can purchase through data brokers. Ever since I started doing this, I’ve noticed a huge drop in relevance in my Facebook ads, so apparently it’s working. When the ads become suddenly relevant again (which has happened a few times), it exposes an information leak: usually a credit card purchase that Meta must have obtained from either my bank or the shop vendor and tied to my identity.
Using a VPN could theoretically provide the same benefit, but in practice Facebook tended to temporarily lock my account when using a VPN and Reddit blocks VPN traffic completely. So I stick to the onion services, which are run by the websites themselves and so are less likely to be treated as malicious traffic.
If you use these platforms, I recommend bookmarking their onion sites in Tor Browser and using it as your primary interface to them for a while. Then, if you don’t find it too inconvenient, start blocking the non‐onion versions of the sites on your network.
(P.S.: You shouldn’t trust the links I just posted; I could have posted fake ones! I recommend double‐checking against https://github.com/alecmuffett/real-world-onion-sites which links to proofs of onion site ownership under their usual domain names.)
For games, the equivalent level of ownership comes from DRM‐free digital purchases. That means buying games from platforms like GOG, Itch, and Zoom Platform, and then backing them up. Steam is distantly behind in terms of user ownership—their installers are always DRM‐locked, but some games can be run DRM‐free after that—and Xbox, PlayStation and Nintendo aren’t even on the same planet due to their hideous DRM and online service tie‐ins.
An SSH key can be freely reused to log in to multiple SSH servers without compromise. Passwords should never be reused between multiple servers, because the other end could log it.
An SSH key can be stored in an agent, which provides some minor security benefits, and more importantly, adds a whole lot of convenience.
An SSH key can be tied to a Yubikey out of the box, providing strong 2FA.
I recently bought a 2024 Toyota RAV4. Throughout the purchasing process, I kept an eagle eye out for any data collection that I might accidentally opt into. This way I avoided a free trial of Toyota Safety Connect, which tracks the location of your vehicle at all times (with the justification that it can thus be located if stolen).
Incidentally, I took a peek at my sales rep’s computer screen and saw that Toyota kept a log of every interaction with me, whether initiated by me or the sales rep, including recordings and transcriptions of every phone call. This isn’t really surprising but it was certainly interesting to see. (The rep also surreptitiously looked through my own paperwork folder when I was distracted, and later made some innocuous remarks based on financial information I kept there.)
Per the instructions, I pressed the SOS button to turn off the data transmission. The voice on the other end agreed to do so, but the necessary first step was to install the Toyota app. This, apparently, is how Toyota verifies that I own the vehicle and have permission to disable data collection.
I didn’t have or want the app, so I asked if there was some other way to prove that I owned the vehicle. Could the dealership do this? The agent said yes. So I went back to the dealership, and asked the receptionist whom I could talk to to disable data collection without using the app. After expressing visible surprise and confusion and asking other people for help, she concluded that she had no idea who could do that, and gave me a Toyota phone number to call.
I called this line, and after explaining, was redirected to the multimedia unit team. The rep seemed helpful, and after thirty minutes of him researching, he said he might have some instructions I could follow, and only needed to confirm that he was authorized to give them to me. After a five minute wait, he backtracked, and said I had no other option except to install the app.
Defeated, I installed the app. My phone number was a mandatory field; I tried using a fake one, but linking the app to my car required entering the same phone number on the car’s entertainment system, which would text me a code that authenticated me to the car, so I had to use a real number. I believe the app also checked my physical location against the physical location transmitted to the car before finally granting access.
Finally, I opted out of data collection through the app. I was met with a notice: if I ever removed my VIN number from my Toyota app, the vehicle would automatically begin transmitting data again. So obviously the car is still constantly connected to Toyota!
The article suggests pulling the fuse of the Data Communication Module (which contains the cell modem used for transmission). This is a good idea, but there are some extra complications. First, as the article mentions, the microphone is routed through the DCM and pulling the fuse kills it—but the passenger‐side speakers are also routed through the DCM, and lose sound if the fuse is pulled. Second, the DCM has its own internal battery, and will continue to transmit data until the battery dies, even with the fuse pulled.
So my recommendation is not to pull the fuse, but to disconnect the DCM completely, and jump the audio wires to restore your passenger‐side speakers.
Soon enough, I expect the DCM will be integrated rather than an independent module. Who knows how we’ll disable data transmission then.
> This is a good idea, but there are some extra complications. First, as the article mentions, the microphone is routed through the DCM and pulling the fuse kills it—but the passenger‐side speakers are also routed through the DCM, and lose sound if the fuse is pulled.
Is that something a custom wiring hardness could solve?
> Second, the DCM has its own internal battery, and will continue to transmit data until the battery dies, even with the fuse pulled.
Holy crap. How is there any legitimate justification for designing it that way?
> How is there any legitimate justification for designing it that way?
Without such an internal battery, automotive thieves could instantly mask the car's location by merely pulling the fuse or disconnecting the main battery. I imagine that is their justification (not that I agree with it).
In environments where shoulder surfing is a concern, I prefer to use the multiple profiles feature: log out of my main profile (which is actually a secondary profile) to completely evict its keys from memory, and switch to a burner secondary profile containing no personal data, which unlocks with my fingerprint for convenience.