r/theprivacymachine

What’s in your privacy stack right now? Looking to improve mine

Been slowly trying to take my privacy more seriously over the past few months and figured I’d share what I’m currently using to see where I can improve.

Right now my “stack” looks something like this:

- Password manager with unique passwords everywhere

- Authy for 2FA

- Firefox + uBlock Origin for browsing

- Mullvad VPN when I’m on public networks

- DuckDuckGo as a secondary browser sometimes

- Signal for messaging

- Cloaked for alias emails and phone numbers, plus data broker cleanup

I feel like I’ve covered the basics, but at the same time it still feels like there’s a lot I’m missing, especially on the data exposure side and long term footprint.

reddit.com
u/Inside-Cod6350 — 8 hours ago

Your AI Agent isn't your friend, it’s a data exfiltration goldmine.

With the 2026 push for "Agentic AI" (autonomous agents that can book flights, manage emails, and handle bank transfers), we’ve officially opened the final door. Google’s new "Agent Identities" are supposed to secure this, but let’s be real: giving a model a unique ID and the power to operate "autonomously" is just a high-tech way to centralize your entire life for a single point of failure. If one prompt injection can hijack an agent with financial permissions, your "digital twin" becomes your digital assassin. Is anyone actually sandboxing their agents, or are we just hoping for the best?

u/RentNRegret — 17 hours ago

Is it normal that you can not sign up for anything without a phone number anymore?

I ran into this again today and it made me notice something.

Almost every time I try a new service now, I get stuck at the same step: phone number required. Not optional, just required.

I know it is helpful for security in some situations but it looks like it is becoming the ideal everywhere even for things that do not really need it.

What has been bothering me is that there is usually no way around it. If you do not want to give your number, you just can not continue.

I have been trying to be a bit more careful about what personal info I share so this keeps coming up as a problem.

At this point it feels like I can not even try something new without linking it to my number.

Not sure if I am just noticing it more now or if it is actually getting more common.

Are you guys seeing the same thing? Do you usually just give your number or try to avoid it?

u/Capable_Friend_7729 — 20 hours ago

Unlock pdf situation. Need help.

dealing with a locked pdf from my kids school and not sure what to do because they password protected the report card but forgot to send the password

searched unlock pdf and every site wants me to upload the document... that seems sketchy right? its my kids grades and personal info. dont really want that on some random website

I asked the school for password (theyre closed for break), tried common passwords like the school name, my usual pdf reader just says enter password

wife says just wait until school reopens but i want to see the grades now... been getting emails about missing assignments all semester and need to know whats going on

found some free sites that say they can unlock pdf files but they all want you to upload first... is that safe? just seems weird to send personal documents to random websites

anyone know a way to unlock pdf without uploading it somewhere? preferably something simple because im not great with complicated computer stuff

worst part is this happens every semester... youd think the school would figure out a better system by now

u/awesomedude32992 — 23 hours ago

Might be dealing with a social catfish

First of all, please dont give me dating advice or relationship advice... I know EVERYTHING and this post is not about that topic... But I got a little problem with trust issues, and meeting this girl on an app that primarily is focused on sharing photos of yourself for those good shallow first impressions. She is a match in terms of how she speaks with me, and overall seems like a really kind woman.

Just she has no photos apart from memes... I liked the memes so I swiped yes on her. I saw like the corner of her face on her profile picture in her Instagram after we left the dating app bubble... I know it might sound weird but I even started checking who she follows to see if it happens to be fake random people from India or something... I kinda been catfished in the past, and I developed some nasty trust issues...

What other ways are there to check if the person is..well real? I dont want to seem pushy but straight up asking seems to be bad in any form. I dont mind OSINT investigations though... Take that one up with Zuck for making it happen not me though

u/supersonic555 — 21 hours ago

How Two Belgian Cryptographers Changed the Way the World Keeps Secrets

I wanted to learn more about the ubiquitous encryption standard AES-256-GCM, so I forced myself to dig into its history. I learned quite a few interesting bits that I thought were worth putting into a blog.

Did you know that one of the founders of the field of math behind GCM was killed in a legit duel? Me neither!

mediaden.ca
u/wtphrack — 22 hours ago

How is Google seeing my real location on a Chromebook despite a VPN and all privacy settings being off??

I’m looking for a technical explanation and some security advice. I am using a Chromebook with Chrome browser with a VPN (ProtonVPN extension) set to the Netherlands. Google search shows "Google offered in: Nederlands" and my search results are in Netherlands but it's all in English and my Google device history (where I'm signed in) shows my real location and city.

  • Web & App Activity is OFF, Location History is OFF, and Play Store is disabled (I have gone through every Google account setting everything is basically off including all syncs and backups and permissions in device and chrome browser)
  • All site permissions (Chrome browser settings) are BLOCKED as well as all other site settings.
  • Using metered Wi-Fi. (device setting)
  • Time zone is manually set to near my country (not in it) and language and keyboard is set to my country
  • Using "Use secure connections to look up sites make it harder for people with access to your Internet traffic to see which sites you visit. ChromeOS uses a secure connection to look up a site's IP address in the DNS (Domain Name System)." I've set this to Cloudflare (device setting)

My VPN works perfectly and there is no DNS or WebRTC leak as confirmed on 'Browser Leaks'. I also use uBlock Origin Lite set to 'complete'.

I do have "Safe Browsing Real-time, AI-powered protection against dangerous sites, downloads and extensions that's based on your browsing data getting sent to Google" set to on but that's just for personal reasons and security.

Preload pages is off

I have done everything I can in the settings (device and browser). Is there anything else I can do to hide from Google? I suspect it could be fingerprinting however I'm no expert I could be wrong? I'm not too worried about it but I'd still like to know why as I mainly focus on security.

Thanks

u/Stunning-Leg-5736 — 1 day ago

Fictional writing-security and privacy

Hi.

First post here. I am doing some research for a fictional story.

The main character is a person in exile from a repressive regime. They need to stay in contact and connect with others from the same regime and do so virtually. Protecting identities is the most important part.

So far tools and strategies I have put down are:

Proton w preshared pw.

Signal use

Security questions (in the interpersonal interactions)

Use of vpn.

2factor authentication

Remove location services, no public WiFi.

No facial recognition and no fingerprint logins.

Are disappearing messages as good and thorough as they are made out to be?

What else could I be missing?

Would also be interested in more privacy aspects for activism, like information splits, analogue and tech mixed strategies.

Anyone having any interesting input or resources that would be appropriate? Have done a fair few googles.

English is not my first language in case something above is not making sense.

u/Hapthestai — 12 hours ago

People worry about encryption but ignore the simplest leak: screenshots

You can build the most secure system in the world:

– end-to-end encryption
– no logs
– no server access
– client-side processing

And it all breaks because someone takes a screenshot.
Or shares a screen.
Or copies content into another app.

We spend insane effort protecting data in transit, but almost none protecting it at the human layer.

Security people know this, but product people ignore it.

The weakest point isn’t the algorithm.
It’s the user.

Always has been.

u/Encrypt_1010 — 1 day ago

cult of the dead cow from back in the day

I was cleaning out my old tech stuff and found a cd with "back orifice" written on it, took me a minute to remember what that was. suddenly feeling ancient remembering when cult of the dead cow was all over the news

for those too young to remember, cult of the dead cow was this hacker group from the 80s... started in 1984 in texas by some kids who wanted to improve their hacking skills. they basically invented hacktivism before that was even a word lol.

the thing that made them famous (or infamous) was releasing back orifice in 1998 at def con... it was supposed to be a remote administration tool but everyone knew it was basically a way to control windows computers and microsoft was NOT happy about it

they named it "back orifice" as a joke on microsofts "back office" software... teenage me thought that was hilarious. still kinda do tbh. these guys went from being underground hackers to actually influencing modern tech... some members contributed to tor and fought against electoral misinformation. they called themselves "white hat" hackers, the good guys

found out theyre STILL AROUND... oldest surviving hacker group in the US apparently. they even released some privacy framework called veilid recently.. meanwhile i can barely remember my email password

anyone else remember downloading back orifice and thinking you were some elite hacker? or those text files they used to release? feels like a completely different internet back then

makes me wonder what happened to all those old hacker groups... everything seems so corporate now. miss when the internet felt more like the wild west and less like a shopping mall

u/Peppyyyy — 2 days ago

chrome listening to me??

I’m not sure if this is the right place; this is my 1st reddit post.

I was using Chrome on my Macbook today, and as I was talking to a friend, I realized there was a light red box in the top right, typing out what I was saying in real-time.

I was not touching anything and I didn’t say anything that could’ve triggered a command or anything like that. As far as I know I don’t have anything of that sort even turned on.

In every other situation, my Macbook will show an icon on the top bar if my mic is being used by anything, and that was not showing. But I was watching my words pop up on my screen as I spoke.

And as soon as I realized what was happening, it disappeared.

This has never happened to me before. I’m 24 and use Chrome literally 24/7 between university, work, and personal things. I can’t find anything about this online but I can’t lie, it’s freaking me out a bit. If anyone knows what this was, how I can make sure it doesn’t happen again, or anything of the sort please let me know.

u/briizy8888 — 23 hours ago

File rockyou.txt is too large for me. Any solutions?

I have an old laptop that I use for network security and general computer hacking. The problem is that rockyou.txt is too bulky for some specific cases, and my old CPU is running so hot during these sessions, that it's no better than a shrimp being cooked in a Thai street food stand.

I'm new to this, so I was wondering if there are smaller or more targeted wordlists I can get. I'm talking about lists that are specific to a region or just smaller lists that won't destroy my computer.

I know Kali has some built-in word lists, and I've heard there are shortened versions of rockyou.txt and others. Do you have any suggestions for where I can find smaller wordlists that won't overheat my laptop or make it unbearably slow?

u/Vlp3rking — 2 days ago

how to block a website for family wifi?

I'm in the US and just trying to block a website on our home Wi-Fi. Thought this would take five minutes. It did not. My Router is TP-Link, I have iPhone, iPad and Windows laptop and my goal is to block one website for everyone. I’ve tried router blacklist, OpenDNS. I’ve restarted router, cleared browser history and turned Wi-Fi off and back on AND laptop blocks it, iPhone still opens it, iPad blocks it sometimes, sometimes not and now I'm standing in the kitchen doing network tests for no reason. I don't get why one device blocks it and another doesn't on the same Wi-Fi. What actually works if you want to block a website for the whole house?

u/deadguy4 — 7 days ago

Re-evaluating Secure Messengers

I've spent years doing deep dives into messengers, evals, white papers, third-party audits. It was my passion at one point.

Signal: some things are not reassuring me about it. A few years ago they added a closed-source applet to it, to examine messages, their blog saying it's "to fight spam". But what else can that be used for? Remember they fall under US laws. Not reassuring. What's more, they're not exactly transparent on what metadata they can actually see (I found a vague reference to "and other metadata", without specifying what, on their website, as a sidenote). Many on the internet claim they can't hand over any metadata and that is simply not true. At all. And they admit it while working hard to redirect. There's also the spoofing vulnerability issue. And the fact that it's tied to your phone number (even if you use an alias). My pet peeve about it is that as with Whatsapp, you only have one day to recall a message.

Wire: allows you to use an anonymous zero-knowledge email (like Mailum) for registration, if you don't want it tied to your number. They are more transparent, admitting they can know your contacts and groups (signal too but they don't advertise that). Both can know your IP. Wire is registered in Switzerland with servers in Germany, offering a bit more protection than if they were based out of the US. So I'd say Wire is a bit more deserving of trust. The free account lets you have a few profiles to separate work, friends&family, fun. And there's no delay to recall a message.

Skred: this one was a surprise discovery. It's been used by operatives in Europe for over a decade and a half now. There is no server. It's peer-to-peer. Because of the absence of a server, sometimes you get disconnected and a message might deliver with many seconds delay, occasionally a minute. But it leaves no trace in the cloud. I hate the emojis that are antiquated, but I love that there's no time limit to recall messages, and you can even nuke entire conversations from both ends with one press (see "reset" under the (+) beside the message compose box). It also allows to have many different concurrent profiles, and you can reset (change) your add code at any time. Sounds like something the population in Iran could use right now. Because it's P2P, group chats are limited to under 20 participants.

I've mentioned these 3 because one is the more popular, one is better, and the last addresses some of their shortcomings.

But I'd like to hear if anyone knows of a server-based one that offers as much privacy as Skred, that I may have missed. Reason being a possibility of group chats and more tolerance for when someone has internet issues.

Which brings me to one that some might think to mention, Session. The shortcomings with that are that the calls are of dismal quality even with encryption scaled back. Message recall is unreliable (not guaranteed to work). And what they don't advertise is that all file transfers actually use a server (!) contrary to claims, and those servers are in Canada where there's not much hope of privacy protection regarding logging you and your IP. All those problems (as well as having to ditch pfs) are all limitations coming from using a blockchain. You can also not change your ID-code without deleting and reinstalling a new one, having to rebuild your contacts from scratch.

u/Meister-T — 7 days ago

Best endpoint security for a homelab?

I'm bringing my home lab back online after a break and adding some new hardware. Now I need to lock it down properly. I'm looking for a good endpoint security solution for several computers, a couple of laptops, and one server rack.

Most of this hardware is old, but it should work for what I'm planning. These devices will be connected to the internet, so I need them to be very well protected. The endpoint security market is very confusing right now. There are too many options.

Can anyone recommend something? Any software that doesn't cost a fortune or anything that would be open source, but wouldn't require advanced knowledge how to operate it?

u/Supercalifragilsthic — 7 days ago