So, I’m not allowed to ask you for proof of your statement? And if its unrelated, then why did you post it? Its unrelated. Also, you’re saying you have an absence of evidence, ergo you have no evidence. Having no evidence does not qualify as evidence

Asking for evidence wasn’t the issue, believing that the truth relies solely upon a discussion providing such evidence is.

I think you are confusing having an option with something being mandatory.

You misunderstood. Some of your own statements say it matters and is used. Mandatory wasn’t mentioned nor implied.

And Tor nodes are not the same thing as VPN multi-hop.

I just realized you think that Tor is built using multi-hop.

I didn’t state they were the same. Tor uses “multiple hops” (you can find that string the the link I posted earlier). It is critical to the limiting of information seen by any single entity.

And again, if you connected your Firefox browser to Tor, we could still track you. You’d get cookied or localStorage() tracked. When you disconnect from Tor, that stuff is still present in your browser. Almost like the number of hops you take or the IP address used doesn’t seem to really matter, huh?

All that state can be removed. And the server might not be tracking that. Situations vary, adversaries vary. If you cannot imagine a scenario in which hops or IP address would matter, I would suggest doing some research.

Its a real life Dunning-Kruger effect! I’ve never encountered this. You are going to do something really stupid and end up in prison.

Personal swipes mark the end of this discussion. I would suggest you to leave those out next time as It detracts focus from constructive learning.

This will be my last reply. You can also reply if you want (but I won’t see it).

Evidence, or it isn’t true.

Unrelated, but absence of evidence is not evidence of absence.

Anyways, your own statement:

Adtech relies on the OpenRTB 2.5/2.6 spec for tracking, you would have removed 1 identifier out of a hundred (one that isn’t really used anyway given SSAI is so popular).

Removing an identifier that is used. (1/100 = matters, “isn’t really used” != unused). This contradicts your other statements:

Yeah, multi-hop is pointless for tracking.

…IP addresses and multi-hop don’t matter…

Broad statements that don’t take into consideration the threat model of other users. Servers you connect to might not be using source IP in any way to track. You might be leaking so many other identifiers, that its completely useless to worry about multi-hop. But this is not true for everyone in every situation.

If its worth anything to you, the Tor Project seems to think multi-hop and IP addresses matter for protecting against tracking.

I’m unsure what evidence you are referring to.

I’m unsure what evidence you are referring to.

What specifically about multi-hop makes you think it improves your security?

I haven’t mentioned security.

1. You giving some marketing crap you read from a VPN provider site on their multi-hop service.

I’m sorry, but that isn’t correct.

You almost had the rest of the sentence there:

That doesn’t change the contradiction.

Yeah, multi-hop is pointless for tracking.

The logic to it is crazy too. People think VPNs make them anonymous (they don’t), but they also think multi-hop makes them MORE anonymous.

Whether multi-hop matters to tracking is far and away a different discussion than whether multi-hop “makes you anonymous”.

I too disagree with the original comment, but also believe the pendulum swung too far the other direction in your replies.

Situations differ. Threat models differ. More hops can, from direct personal experience, make the difference in tracking. Your claim of “…multi-hop is pointless for tracking.” has too broad of a scope to be correct.

Remember to read the rest of that sentence:

It doesn’t change the contradiction.

…specifics about WHY IP addresses and multi-hop don’t matter.

…you would have removed 1 identifier…

So it can matter.

VPNs don’t prevent tracking, they just make sure the tracking is done through a secure tunnel.

The extra hop adds a significant barrier for the website in knowing the actual source IP. The fake source IP is likely used by many other users, and the user you are trying to track can easily rotate VPN IPs.

Its one less identifier for them to use.

The solution is to have stronger privacy laws.

Many people have the power to make certain privacy attacks impossible right now. I consider making that change better for those people than adding a law which can’t stop the behavior, but just adds a negative incentive.

I wouldn’t wait around for the law to prosecute MITM attacks, I would use end to end encryption.

Choosing an esoteric system for yourself is a good way for a free people to protect their privacy, but it won’t scale.

If this is referencing using a barely-used system as a privacy or security protection, then I would regard that as bad protection.

Everyone using GrapheneOS would be a net security upgrade. All the protections in place wouldn’t just fade away now that Facebook wants to spy on that OS. They’re still in place; Facebook’s job is still harder than it otherwise would be.

Same could’ve once been said about a free OS like Linux. Now it is absolutely possible, with the downsides shrinking bit by bit.

The goal of 100% free is one I support. And these people are working to make it possible.

A threat model in which you don’t trust the Linux Foundation and volunteers but do trust Microsoft.

Its all about what you want to protect. If a security breach is worse for you on Linux than it is on Windows because of which party has the data, then for you, Windows might be more secure.

Some people get confused because they think there is some objective measurable security rating one can apply to a system for every person. There isn’t. We may use the same systems but have different threat models and thus rate the security different.

Privilege escalations always have to be granted by an upper-privilege process to a lower-privilege process.

There is one general way this happens.

Ex: root opens up a line of communication between it and a user, the user sends input to root, root mishandles it, it causes undesired behavior within the root process and can lead to bad things happening.

All privilege escalation is two different privilege levels having some form of interaction. Crossing the security boundary. If you wish to limit this, you need to find the parts of the system that cross that boundary, like sudo[1], and remove those from your system.

[1]: sudo is an SUID binary. That means, when you run it, it runs as root. This is a problem, because you as a process have some influence on code that executes within the program (code running as root).

secureblue is about as secure as Linux can get…

Unless you have an unusual threat model, this statement is utter nonsense. I can run a kconfig stripped kernel with zero kernel modules and one userspace process that is completely audited and trusted, without the ability to spawn even other processes or talk to network (because the kernel lacks support for the IP stack).

Secureblue might offer something significant when compared to other popular and easily usable tools, but if you compare it to the theoretical limit of Linux security, its not even comparable.

I examined Secureblue’s kernel parameters and turned multiple of them off because some were mitigations for something that was unnecessary. IE: The kernel would make the analysis that your hardware is not affected by a vulnerability, and thus there is no need to enable a specific mitigation. But they would override this and force the mitigation, so you take a performance hit, for what I understand to be, no security gain. Not sure why they did that, a mistake? Or did they simply not trust the kernel’s analysis for some reason? Who knows.

Is desktop linux more insecure than Windows?

This is an impossible question to answer without more information. Depends on your threat model, how you use the computer, your distro, etc.

…if someone nefarious gets to the point they can read this stuff then they’ll already be able to record your screen, log keystrokes, etc.

No screenshots -> less data. Less data -> lower breach severity.

(Unless you have an unusual threat model)

All this can be gutted by an advanced user.

Talk is cheap. Show me the code.

Nothing™ lost just about all of its credibility with me when they released a disaster of a messenger and then proceeded to downplay it on social media.[1][2]

[1] [2]