Online Security

rockymountaindog said:
Lot of good advice here in this thread. The only thing I would add is check your DNS! For those that don't know what this or does, its the service that looks up web addresses. So when you type Zoovilleforumn.net your computer sends the request off to the server which then tells your computer the IP address. Some VPN's are know for not masking your DNS, so even with a VPN running, your ISP will have record of you visiting this site.
Click to expand...
This used to be the case. Browser makers are in the process of converting to DNS-over-HTTPS. This means your browser is ignoring the settings from your router/ISP and connects to a service like CloudFlare. If enabled, your ISP does not see the DNS request, nor can it be filtered, blocked or logged. The downside : CloudFlare knows where you are going.

The other option is to run your own DNS server (Pi-hole is a good one) and use unbound or cloudflared. Cloudflared does the same as your browser, it sends almost every DNS request over HTTPS. This means every device in your network is protected if they use the Pi-hole. I deliberately state almost, as Android (Google) will sometimes just ignore everything and go directly to 8.8.8.8.

Unbound is a different way to obscure your actions. Unbound uses port 53 (DNS) and can therefor be seen. The difference is the split search. It will first go to the .COM DNS servers to ask where zooville is hosted. Then it wil go to the DNS server hosting Zooville and asks for the location of a server called www. This is more "security by obscurity" as it is difficult to know where you are going, especially if you use a VPN.

The Pi-hole has more advantages. First, it is local. Meaning it is fast. Requests are cached so your browser does not need to wait for an answer. Secondly, it blocks advertisements and other bad things. This means every device in your home has a built in add blocker.
 
memyself said:
This used to be the case. Browser makers are in the process of converting to DNS-over-HTTPS. This means your browser is ignoring the settings from your router/ISP and connects to a service like CloudFlare. If enabled, your ISP does not see the DNS request, nor can it be filtered, blocked or logged. The downside : CloudFlare knows where you are going.

The other option is to run your own DNS server (Pi-hole is a good one) and use unbound or cloudflared. Cloudflared does the same as your browser, it sends almost every DNS request over HTTPS. This means every device in your network is protected if they use the Pi-hole. I deliberately state almost, as Android (Google) will sometimes just ignore everything and go directly to 8.8.8.8.

Unbound is a different way to obscure your actions. Unbound uses port 53 (DNS) and can therefor be seen. The difference is the split search. It will first go to the .COM DNS servers to ask where zooville is hosted. Then it wil go to the DNS server hosting Zooville and asks for the location of a server called www. This is more "security by obscurity" as it is difficult to know where you are going, especially if you use a VPN.

The Pi-hole has more advantages. First, it is local. Meaning it is fast. Requests are cached so your browser does not need to wait for an answer. Secondly, it blocks advertisements and other bad things. This means every device in your home has a built in add blocker.
Click to expand...
I have heard of the Pi-hole and even considered running it. I also have the option of setting my router up to send all internet traffic through my VPN but that seems a bit excessive when I use mostly for this site.
 
rockymountaindog said:
I have heard of the Pi-hole and even considered running it. I also have the option of setting my router up to send all internet traffic through my VPN but that seems a bit excessive when I use mostly for this site.
Click to expand...

It is worth considering, the security and obscurity is more or less a bonus. Let me explain.

Each time you want to visit a website, your browser needs to know the IP address. It does this by asking the DNS servers provided by your ISP, or the one you entered in the settings. You can use Ping to see how long it takes for the DNS server to reply to your request. Mine does it in about 10ms. The website itself usualy contains links and scripts to other places. Each of those needs a DNS request to get to know where they are. Each request takes about 10ms. I logged the DNS requests to my Pi-Hole whilst going to xvideos.com. 104 requests were made just to open it's front page. You'd think 100 times 10ms isn't too bad but your DNS server needs to go get it if it doesn't know. It takes some more time than a ping.

You could asume you need to wait an extra 2-3 seconds for a page to load because of the DNS requests. Bringing them local solves that issue. Results are cached so the next time you go there, you don't have to wait.

Secondly, I've seen providers being DDOSed. Usualy customers report their internet is no longer working. Their internet is fine, the DNS servers are under attack and won't reply. Switching to 8.8.8.8 immediately solves the issue. But then Google knows. Running a Pi-Hole with unbound or cloudflared combined with a backup DNS server fixes that issue. If some kid harasses your provider with an attack, you won't even notice it.

Thirdly, Pi-Hole works with lists to block malicious sites, advertisements and other stuff you couldn't be bothered about. I see a lot of popups following links (advertisements hidden in iframes etc), and although they open, they are blank. The end result : I do not see all the advertisement banners, popups, rollovers and whatnot. Since Pi-Hole reports 0.0.0.0 as an address it has no loading time speeding up my internet experience.

There are a few browser extensions who can do the same, but it's only on that device. Pi-Hole takes care of all devices.
 
Does anyone know how private are the Two-Step authentication apps? I prefer them instead of having a code sent to my email every time, but I don't know if they keep track for what we use their apps
 
Oldman said:
GENERAL POSTING

1. Do not use an identifiable avatar. This includes faces, tattoos, fursuits (especially if they are not yours)

2. Review every picture, every video you post multiple times. Look for identifiable things; houses, barns, unique saddles, collars with or without tags, pictures, furniture, mail, packages, collectibles, mirrors or anything can reflect your face or body, absolutely anything that can be used as identification.

3. If you have a unique pet, be very, very careful. If you have posted normal pictures anywhere, like facebook, twitter, ect., do not post him here or anywhere zoo themed. Even if you delete the social media pics, it's too late. ( Familiarize yourself with Reverse Image Search, what it is, and how it can be used against you )

4. Be careful with the information you post. Anyone with enough patience can piece together little things through pictures, descriptions, email addresses, anything to pinpoint who you are.

5. Use an email that is not attached to anything. Do not use real name, and do not setup a password recovery phone number or alternate email. Make yourself an absolute stand alone free email account and do not use it for anything else but zoo. Not even furry or fursuit related sites or accounts.




ONLINE SECURITY

1. Public IP addresses can be used to track your general location. We Recommend a VPN service like Nord VPN to mask your IP. ALWAYS USE VPN!

2. Use Strong Passwords on your ZooVille Account.

3. Whatsapp and Discord are NOT recommended services for private off-site chat. They have been known to be leaked and report info on users.

4. Telegram and Signal are considered safe in of themselves, however always used a VPN when logging onto telegram and also be wary of phishing for your IP address with external HTML links. This has been used before to catch users NOT using VPN on telegram or Signal.

5. Public telegram links to group chats are allowed here on zooville if you own a group (see site rules), however be aware that bestiality is illegal in many countries. Law enforcement can phish users out into private chats is a common way to trace and doxx your identity. TRUST and RESPONSIBILITY is on your hands for whomever private chats you join.
Click to expand...
I use incognito modes for these sorts
 
NexusTheDergVR said:
I use incognito modes for these sorts
Click to expand...
All incognito mode does it prevent the browser from storing cookies locally and deletes your browser history from your computer when you close the window. While a good practice it provides no protection from people tracking your IP address and your ISP from seeing what you're doing
 
rockymountaindog said:
All incognito mode does it prevent the browser from storing cookies locally and deletes your browser history from your computer when you close the window. While a good practice it provides no protection from people tracking your IP address and your ISP from seeing what you're doing
Click to expand...
I use incognito with a special browser. Not just a standard browser lmao.
 
koldo said:
Does anyone know how private are the Two-Step authentication apps? I prefer them instead of having a code sent to my email every time, but I don't know if they keep track for what we use their apps
Click to expand...
Without a code-review it's hard to say for certain, but the ones like Google Authenticator and various other RSA token generators use standard methods of derriving a shared secret from an initial starting point (defined when you set up the 2FA). Without going into the weeds, the server and client (you) can use that initial setup and feed it through crptographic functions so they can both calculate a code and use that to verify independently without the client or server applications communicating directly. There's typically no need for network access to generate the code, there are even little keychain gadgets that can do it.


For the truly paranoid, it's possible to run most of the common vpns over tor...just expect it to be very, very slow; I've done it for amusement and I can see some very obscure corner cases where it could be useful, but it's not practical or useful in general.

CyberHorse said:
Use a virtual machine with tor and javascript disabled.
Click to expand...
For advanced users, if you setup your firewall rules to deny all non-tor traffic except the bits necessary to setup tor and redirect all non-tor traffic through tor as a transparent proxy you can use non-tor aware applications with tor relatively safely. Due to some protocols embedding IP information in packets, I don't recommend doing so with a computer having a public IP though. You can do the same with vpns too, but in both cases you need a firm grasp of IP and be very familiar with your firewall of choice.
This allows you to get around the problems of javascript and other methods bypassing proxy settings. This is, admittedly, likely more effort than most are going to want or need.
 
Last edited by a moderator:
aqua said:
Tor Browser is the safest available method. It is built on Firefox ESR and highly customized to protect you in ways a standard browser can't. But web browsers all have flaws, so it's still possible to find and exploit those flaws to escape the browser to the host operating system and reveal who you are. The way to mitigate that possibility is to increase the security level in Tor Browser from 'Standard' to 'Safer' or 'Safest' and try to put up with websites being kind of messed up. It varies from site to site.

If you're really concerned about that kind of intrusion, you have to run Tor Browser in a disposable environment like TAILS or Qubes-whonix. TAILS is easy, Qubes is hard. Try TAILS sometime if you haven't, it's pretty nice.

It's more nuanced than that. Combining Tor with a VPN hurts performance, offers little to no extra protection, and is only useful in rare circumstances. There are two combinations. The "X" marks a connection that is outside the Tor network and not protected by Tor:


(You) <---> (VPN) <---> (Tor) <-x-> (Website)

In this case, the VPN provider is not able to read your Tor traffic. Your connection to Tor is highly resistant to man-in-the-middle attacks. This is one of Tor's most important features because it enables you to use internet connections you don't trust.

Maybe do this if your local network is blocking Tor traffic but not VPN connections, and only after trying to connect to Tor directly with an unpublished Tor Bridge first.

Maybe do this if you're unable to turn off WebRTC without breaking a website you want to use. Certain functions in WebRTC can leak your real IP, so in that case a VPN could offer a little bit of protection. This only applies other browsers you are connecting to Tor by proxy, which you should never do unless absolutely forced, and to Tor Browsers on iOS which all have to use Apple's Safari browser underneath.


(You) <---> (Tor) <-x-> (VPN) <-x-> (Website)

In this case, the VPN provider is able to read your Tor traffic, because it has already left the Tor network. However, the VPN will only see that it is traffic coming from a Tor exit node, and the VPN will know who you are because you subscribed to them. Some VPNs like Mullvad allow anonymous signup and payment. The content of your traffic could reveal enough personal information for others to deanonymize you.

Doing this is a bad idea and the need for it is very rare. Basically it's a way to hide the fact you're using Tor from a website that blanket blocks connections from Tor exit nodes, since exit nodes are well known. However you lose some anonymity because your traffic is more unique and interesting. To an outside observer, you are no longer a Tor user with traffic coming from a Tor exit node like all the others, you're a VPN user with regular traffic on one side and Tor traffic on the other. That's not great.

In either case you are creating nested TCP connections, which can be very finicky and slow.

?
Click to expand...
This is the most clear explanation I've read. Thank you for posting this!
 
Oldman said:
GENERAL POSTING

1. Do not use an identifiable avatar. This includes faces, tattoos, fursuits (especially if they are not yours)

2. Review every picture, every video you post multiple times. Look for identifiable things; houses, barns, unique saddles, collars with or without tags, pictures, furniture, mail, packages, collectibles, mirrors or anything can reflect your face or body, absolutely anything that can be used as identification.

3. If you have a unique pet, be very, very careful. If you have posted normal pictures anywhere, like facebook, twitter, ect., do not post him here or anywhere zoo themed. Even if you delete the social media pics, it's too late. ( Familiarize yourself with Reverse Image Search, what it is, and how it can be used against you )

4. Be careful with the information you post. Anyone with enough patience can piece together little things through pictures, descriptions, email addresses, anything to pinpoint who you are.

5. Use an email that is not attached to anything. Do not use real name, and do not setup a password recovery phone number or alternate email. Make yourself an absolute stand alone free email account and do not use it for anything else but zoo. Not even furry or fursuit related sites or accounts.




ONLINE SECURITY

1. Public IP addresses can be used to track your general location. We Recommend a VPN service like Nord VPN to mask your IP. ALWAYS USE VPN!

2. Use Strong Passwords on your ZooVille Account.

3. Whatsapp and Discord are NOT recommended services for private off-site chat. They have been known to be leaked and report info on users.

4. Telegram and Signal are considered safe in of themselves, however always used a VPN when logging onto telegram and also be wary of phishing for your IP address with external HTML links. This has been used before to catch users NOT using VPN on telegram or Signal.

5. Public telegram links to group chats are allowed here on zooville if you own a group (see site rules), however be aware that bestiality is illegal in many countries. Law enforcement can phish users out into private chats is a common way to trace and doxx your identity. TRUST and RESPONSIBILITY is on your hands for whomever private chats you join.
Click to expand...
Thanks for the info!
 
MypupandI69 said:
In certain states it's illegal to discuss or advocate for bestiality/zoophilia I live in one of those.😕
Click to expand...

Don't suppose you can name it and/or cite the law as that seems like it would be a complete violation of one's constitutional rights.
 
Hi,
If you make a post with a picture, can you edit/remove it after it's been posted? A little nervous to make my first post, that's all. Thank you.
 
Anon7000 said:
Hi,
If you make a post with a picture, can you edit/remove it after it's been posted? A little nervous to make my first post, that's all. Thank you.
Click to expand...
Lower tier users have a limited time to remove old messages. Ask a mod to remove it for you by reporting your own post for example.
 
Loving all of this information, I'm pretty new at all of this....that said, did anyone else have issues with Proton shutting down your email because of "potential policy violation"? I'm not too worried since I don't think I'll need password recovery anytime soon, but I do find it odd
 
Before I became savvy about online security I visited some zoo sites for about a month without any VPN or software to anonymize my activity. I noticed that I started to receive frequent robocalls on my cell phone, probably at least five per day at the exact time I visited the sites without a VPN. I had never had frequent robocalls before. What organization do you think is the source of the robocalls? Law enforcement? Maybe it's the ISP selling my info to third party sources which then gets made available to predatory robocall scammers. Anyone have any input? It makes me sound a little paranoid but I swear this happened and I think it would quickly happen again if I stopped using my VPN.
 
IcerMora said:
Loving all of this information, I'm pretty new at all of this....that said, did anyone else have issues with Proton shutting down your email because of "potential policy violation"? I'm not too worried since I don't think I'll need password recovery anytime soon, but I do find it odd
Click to expand...

I have not and communicate with others who's accounts appear to be functioning as expected. Don't know what policy violation you're suspected of, but anonymous != unreadable. If you're doing things that are against policy and want to persist at such, might I recommend encrypting your communications (a-la pgp) so the provider has no idea what you are communicating? Alternatively, if Proton is concerned, perhaps reexamine what you're doing and ask yourself if maybe it's you that's gone astray? Don't know the details (and I'm not asking) so not judging, just offering an answer and some commentary that some might find useful.
 
pab665 said:
Before I became savvy about online security I visited some zoo sites for about a month without any VPN or software to anonymize my activity. I noticed that I started to receive frequent robocalls on my cell phone, probably at least five per day at the exact time I visited the sites without a VPN. I had never had frequent robocalls before. What organization do you think is the source of the robocalls? Law enforcement? Maybe it's the ISP selling my info to third party sources which then gets made available to predatory robocall scammers. Anyone have any input? It makes me sound a little paranoid but I swear this happened and I think it would quickly happen again if I stopped using my VPN.
Click to expand...

Likely an unrelated event, the usual term is "post hoc egro propter hoc", or "post hoc" for short, it's a logical fallacy that two events which are close together in time seem related, but are not. Not saying they aren't, but most robocalls are spam/scam and there's no reason for a gov to tip their hand if they were interested in you.
 
Well I may try to login for a few days to zoo sites without a VPN then a few days with VPN and record the number of robocalls. Logical fallacy or not I have enough experience with statistics to compare the values and determine if there is likely a difference between VPN vs. no VPN.
 
pab665 said:
Well I may try to login for a few days to zoo sites without a VPN then a few days with VPN and record the number of robocalls. Logical fallacy or not I have enough experience with statistics to compare the values and determine if there is likely a difference between VPN vs. no VPN.
Click to expand...
I suggest you just login to a ‘normal’ site to measure. No need to get your IP caught.
 
You must log in or register to reply here.
Back
Top