
DONOTREADME.md


This is my own collection I gathered over the years, written down into one single file which anyone can freely access. I do claim that the listed tools are good enough alternatives to e.g. Google, Microsoft etc. products. I believe it's an important piece of democracy that we have the right to be anonymous and free of tracking in our personal life; this is why I've created this list in the first place. I do not believe in any competition, which means listed tools/products are not in any competition with one another, and I do not get paid or sponsored for showing them on my page.

I decided to go with the name - Privacy Tools - not to bait someone or under the false premise that those make you automatically more private; moreover, I decided to use that name for people who are interested in alternative programs that are overall designed - for the user - and not entirely for profit only. This does not mean you should stop supporting open source developers, but listed tools are hand-picked with the best intentions and research behind them.

Please keep in mind that open source depends on funding.

I do not want to have anything to do with PrivacyGuides, PrismBreak or any other "privacy clown community". Especially PrivacyClowns have a huge history of stealing donations and other shady stuff.

Please do not link me or my guides into such communities. The reason is simple: I want to stay unbiased and objective. I do not advertise tools to gain money / reputation, or to get any benefit out of it. I fully stand behind listed products because I tested or reviewed them and can suggest them without hesitation; if new findings occur I will update entries as soon as possible.

I, among others, depend on evidence - findings and sources - from third parties, unless we do and inspect it ourselves. But are external links to claims + statements which you cannot verify yourself real evidence? NO.

  • GitHub itself has a bug which you can abuse; they refuse to fix it because it is, according to them, not critical and part of another feature.
  • Sources are often protected, or obfuscated, renamed to protect individual people. Some reporters do not even bother to link to a specific source at all.
  • Screenshots can be faked easily, the same as text and timestamps. Everyone can access e.g. Adobe Photoshop, Gimp, online tools etc. You do not have to be skilled to do such things. ‘Evidence’ means and includes All documents including electronic records produced for the inspection of the Court.
  • You cannot, in most cases, contact the FBI etc. to verify statements because they do not answer you directly even if you are an actual reporter; getting in touch takes lots of time and effort. Writing an email to feds, Google and Co. only results in you getting an automated bot answer back.
  • External links, content and claims by others are by no means ultimate proof, but they give someone a glimpse that there is something wrong or revealed. Absence of evidence theory still can have meaning.
  • Verification and credibility of some statements are impossible to reproduce unless you have access, or are skilled enough e.g. to do an audit yourself, or hire a professional. Most people have no time and no skill to audit a program or review something on a professional level because it consumes time, and you need coding skills and the understanding of how to spot certain patterns, which you only obtain if you are deeply involved in such topics. Professionals usually take money for the time they spend auditing software.
  • Things can change in the meantime or the media forgot to include some stuff in their reports; it happens all the time. Newspapers and news have almost no trust these days.
  • Some news and articles spread misinformation on purpose; there is political motivation, there are feds that give reporters wrong information on purpose or leave parts out, and so on.
  • There is bias, there always is. This can be a problem for credibility and objectiveness.
  • You can misinterpret something based on your own bias, based on someone's reputation, e.g. the author of the article, or because you simply do not understand the source because it is simply beyond your horizon. The Snowden leaks often got misinterpreted by people that are no network or cloud experts, deliberately speculating something more into given pictures or slides without asking any necessary questions or doing some research. Proof without words must be so good that there is no room for misinterpretation.
  • Claims, even from reputable sources, e.g. that Monero is cracked, are spread like wildfire and re-shared dozens of times; the reality looks entirely different. In fact such news often helps to make such networks even more secure, because people want money.

This is a huge dilemma because the user - you - simply needs to trust that the reporter, author, blogger, dev etc. or a normal user who wrote the article with such findings really shows the truth, without actually knowing their motivation or the real person behind it. If you accuse someone, you bear the burden of proof; if it comes out that you wrongfully accused someone, charges can be made against you, e.g. to prevent and suppress slander.

I try to work around this issue by linking to articles and sources that can be verified or recreated by you, or that make the most logical sense. I am absolutely not responsible for third-party links, nor do I claim that every given article is the entire truth; in fact I say that the sources should be questioned and inspected no matter if it is from the FBI, Washington Post or any other source.

I plan to split this list once I have collected enough apps for those closed source platforms. Until then I keep them until I know how I am going to split the list exactly.

In case you have some questions, you can ask them directly on our official Matrix Server. In case you want RSS based news/feeds for mostly FOSS tools only, you can follow my community on Reddit if you want.


  1. Fedpots – Potential honeypots and/or services/tools behind feds/police. If it is clear that the network, service or app is directly involved in such activity it will get unlisted.
  2. Criminal stuff – If the creator/inventor, CEO, whatever, was once involved in criminal activities, their products get unlisted. No matter how good their products are. I also see software with dark patterns as criminal e.g. KC Softwares SUMo.
  3. Controversial tools or services which cannot be fully verified or reviewed because of e.g. lack of transparency or because they are proprietary, see 5.
  4. Cracked software/services, if I see that a service cannot handle leaks or there are mass uploads with cracked accounts on e.g. Telegram it is automatically a no-go, no matter how good the service/tool is. I also do not list illegal tools/services.
  5. Closed source software – Unless verified, tested and proven "worthy" – Can you lift Mjölnir to be worthy? Closed source must be labeled as such and should be the exceptions on my list. Trackers in software or websites of any kind are not allowed unless approved.
  6. I do not give much 💩 about ethical aspects in software or for that matter in ethics in general unless we hit the criminal section and then there is a morality aspect. You can abuse almost every legitimate software and do shady stuff with it, repack it with malware etc. I am not the one who can control every aspect nor the people who plan to do such malicious things.
  7. The persons behind software/service have their own life and I do not care/judge them if they come from Mars or have two waifus, as long as they play by our current laws. Everyone can pretend to be a good guy, it is not up to us to be judge and executive in one person. However, if I see the interest is mainly to make only money out of it, I will most likely not list them unless there are absolutely no other usable alternatives.
  8. Every (popular) software or service might leak at some point; good software and developers are defined by how fast they handle/react to such things and if they disclose everything in public or not. Trying to hide something is a no-go.
  9. I am not a criminal and my goal here is not to list tools for criminals which they can use/abuse for shady stuff like doxing others and getting away with it. – I kneel before society's laws even if I do not fully agree with or like all of them; this is called living in a democracy and the reason more than one tool in the same category is listed, simply to give you a choice (if possible).
  10. I am not red nor blue pilled. – This means that I change my mind considerably often when I see it fits (software/services evolve, so do attacks & leaks). Example: I currently use Brave Browser but if I see Browser X is better, then I switch and do not aggressively try to get people on my side with made-up arguments or try finding excuses in order to get others following my "opinion". That being said, fanboyism is not welcome here. The things here are listed because they are reliable, secure and privacy-friendly; anonymity is just a "bonus".

Please keep in mind that there will always be leaks, software is never perfect and privacy/security is more a concept/idea which is defined by people with "high" standards/expectations.

  • Closed source or OSS.
  • Connections to AWS, Google, Azure even if encryption is strong enough. Example why this is not wanted is explained over here.
  • Contains Google Fonts. There are some products listed with Google Fonts, but in that case I made sure they can be self-hosted to eliminate the exposure of possible backtracking. Google collects some data; they say it is to improve the service - whatever that means.
  • Ethical right is by no means a subject, most people mean moral anyway. However, if the status of the software and its involvement in X are unclear then this also results automatically in a controversial tag. Besides criminal involvement this extends to harassment, doxing and behavior which is not tolerated by society's terms.
  • Possibly outdated without a statement from maintainers or developers.
  • Weak or broken encryption.

  1. FOSS / closed source – Closed source automatically ranks lowest and should only be listed as an exception if no alternative is usable/available.
  2. Maintained – I will not add software or services that are not actively maintained. Everything that has not gotten any updates within 1 year is considered dead. This is rather a personal preference than a real argument, because if something is perfect nothing needs to be added or changed; therefore commit activity is no real indicator that someone is working or not working on their program, it only indicates when the last commit was. I chose 1 year as the overall measurement here because in the meantime other alternatives could have been created or the maintainer decided to work on more important things. However, the argument alone - is dead - is a subjective term, which I am aware of. In the best case scenario there is an official statement, or the repository is visibly labeled as closed or archived, or there are otherwise other tags that directly indicate the project status e.g. Readme.md files or other documents.
  3. Reviewed / evidence / audited – An audit is only a snapshot review, which does not mean that nothing could go wrong in the near future, but it shows how transparent the software/developer is and what third parties had to say about the product. It also can reveal how they handle possible revealed problems and how they communicate this to the public.
  4. Usability – The best software is useless if I or others cannot really use it. Listed products and solutions must be usable beyond any made-up criteria. There is no definition of what is usable, so this is a subjective point.
  5. Criminal background check – Or connections to advertising companies which also includes bias/interest checks to ensure that in the future nothing "bad" happens with product/service x. Software regarding criminal activities never gets listed.
  6. Malware/tracking check – If it contains any sort of malware it will get reported. Tracking depends on how severe it is and if the included trackers/analytics are FOSS and explained or not e.g. Kiwi Browser.
  7. Self-host – Software which can get self-hosted ranks automatically higher since you can then control every aspect of the software.
  8. Rumor check – I personally give nothing about rumors from unknown sources, but there will be a background check regarding the software or service itself.
  9. Paid – I am not against paid software in general because every developer needs to pay bills – like the rest of us – but I will check what payment system they use to obtain donations/money. If I see that the developer uses non-privacy-friendly services like PayPal I might not list the product at all, unless there are other friendlier options like e.g. Monero listed.
  10. It is my list and not yours – I will have the last word what I list here because at the end of the day I vouch with my name for listed products.

Software audits are often overrated and play more of a role for business reasons, e.g. to provide your assurance company with plausible information in case something went wrong: data breach, hacks and so on. They usually do background checks like if things were known, and then cross-reference how the business cooperation actually handled it. The assurance company typically checks if audit concerns have been addressed or not, among a bunch of other things that are unrelated to audits. An independent review of your code can help in such cases to show evidence that at that time everything was secure and private or that absolutely no severe hole was discovered in the first place.

Software audits are in general no certificate or approval indicator on how good software overall is, rather it is a snapshot - at that time - from a third-party inspecting your source code. This is no absolute statement because the ones that inspected that piece of code only check things against known best practices as well as known security vulnerabilities as well as doing some leak checks, among lots of other things...

This does not overall mean anything at all because you can address possible flaws afterwards even if something was discovered. The security relies here on how you actually respond to possible found flaws.

Also, not every flaw that exists gets directly exploited. Just because there were theoretically some issues revealed does not necessarily mean it was actively abused in the world. This argument goes vice-versa: just because some expert did not find a flaw does not mean there is no way to attack the software or to exploit other weaknesses such as social engineering.

Assuming your product constantly evolves by adding new features and fixing known issues, your code dramatically changes; in theory you need to have your product audited after each major release or big change in the code. Since an independent audit is expensive, this is simply impossible for normal developers to pay for. Usually developers try to work around possible flaws by reviewing each pull request as well as code changes they make themselves against certain security and privacy best practices; this is however not the same as an independent audit from a third party.

Note

The myth that if you pay someone external to audit your code and then this company approves everything just because you paid money for it is absolute nonsense. The audit usually shows all findings, and usually explains in a document how they did it and what they used. Assuming your source code is accessible in public, people with enough knowledge could reproduce such findings and inspect the code.

Usually professionals always release a review paper to a public database, see below, to summarize the entire audit and to debunk or confirm if the piece of code, or the whole product, has severe or small flaws.

The reputation damage here would be so big that no one can seriously risk that, because that would be a death sentence for the audit company; no one would do business with you again in the security scene. There is also no known case where professionals actually knowingly approved code that had flaws and went public saying that everything was okay, faking the review. Especially in open source, where everyone can reproduce or review specific practices and samples, this would not be possible, assuming the software source code is publicly visible and accessible.


  1. Listing 5 to 10 solid alternatives for every service/app/platform. Alphabetically sorting content sections is low-priority.
  2. All proprietary software should be removed (there are only a handful listed currently). Only FOSS products must be listed.
  3. Remove/replace controversial stuff and find more evidence why they are controversial/removed.
  4. Address CDN controversies that violate GDPR, which includes hosting aggregators like Cloudflare among others. For example, Cloudflare logs user IP addresses for 24 hours and permanently logs data about the DNS requests that are sent to their custom resolver for e.g. Firefox indefinitely. You can easily get some background information about a server with some online tools like Serverhunter.
  5. Keep this list up-to-date and remove/tag or label outdated/important stuff.

  • Add icons or emoji indicators for controversial or stuff which is not audited or reviewed.
  • Automatically remove software which got no update within 365 days or add a warning emoji, hint.
  • Color blindness tweaking to this page, assuming it is possible.
