This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
I hate the antichrist!
Modern technology is in dire need of modern solutions
Our story starts a few days ago when I changed the IP address of the VPN I use to connect to my BurdensomeCount accounts and identity. This is a fairly regular thing I do for Opsec reasons. I also scramble the MAC address of my devices every once in a while, same reason. Normally this is all fine and dandy except that last time I decided to do both of these things together. Looking back this was a very bad idea indeed. While minor minutae of misfortunes I've had to face in my daily life aren't worth making a mottepost on my struggles over those pained few hours, if only for didactic reasons about the current state of modern large technology companies and the decay of the anonymous free internet, are well worth writing about.
On Saturday I tried to log into my discord account for a voice game of Blood on the Clocktower (on a server that originally sprung up from The Motte so populated by smart people, it's quite a fun way to spend an afternoon if you have nothing better to do). After inputting my email address and password and solving the captcha- these days they're using one with a picture containing multiple objects, all but one of which are in pairs, so like 2 trucks in the image, 2 lions in the image, one rabbit and you have to click on the unpaired object to pass- Discord did the whole "new login location detected, please check your email address" thing, all well and expected because of my VPN reset.
At this point I went to Gmail to log in. Email address, check; Password, check; no issues here. Since I was using a new IP and MAC Gmail asked for an extra security check before they let me in: they wanted a mobile phone number to send me a 6 digit code. This was the first sign that something was wrong: I didn't even have a mobile phone associated to this account so why was Gmail asking for a phone number? Like seriously, why do you need me to associate a phone number before you let me into my own account? I tried to see if there was a way around this but apparently not, Google wanted a phone number or it was no dice for me.
Obviously I didn't want to provide my registered phone number linked to me in real life but fortunately I have a burner phone. I gave Gmail one of my burner numbers and got the code from Google. Note that since I didn't have any associated phone numbers with the account anyone could have used literally any phone they had lying around for this so it's not like this was providing any real security benefit to my account against intruders, it was all a charade for Google to get its hand on a phone number. I was medium annoyed at this but I had a voice game to play so let it slide. I got my six digit code and put it in, only to be told:
No shit you couldn't verify this account belongs to me when I don't even have a phone number associated with the account? What possible reason related to identity verification could you have to ask me for a phone number in the first place?
It was off to Account Recovery for me. Google again wanted my email address and password, which I provided. I also had some security questions registered to my account that I knew the answers to but Google didn't even bother asking me about them, instead taking me straight to:
and leaving me at a complete blank wall. My only reaction at this point was WTF?? Locking people out of their accounts when they've forgotten their ID details is one thing, but doing it to someone who remembers literally every single piece of identity information associated with their account is a whole new level of bastardry. Do no evil indeed.
All this meant I needed a new Discord account, which meant a new disposable email account as well, and I needed it fast, the games were starting in less than half an hour. I wasn't gonna create another Gmail account after their recent treatment so I went to what I thought was the provider most open to anonymous accounts and least likely to pull another Google on me: Protonmail.
Fortunately making a new account with Protonmail was fast and without issue. I took this new email and tried to use it to create a Discord account. Discord though was much less nice. Firstly it wanted all the standard details: username, email, date of birth (1st Jan 1984 in case anyone is curious) and password. Before making the account it wanted me to verify I was human: it was time for another captcha but that wasn't enough to sate Eris, she also wanted me to verify my phone number to create an account, which as usual I didn't want to provide for Opsec reasons.
At this point I was already feeling some burnout so tabbed over to other stuff for a few minuets. When I came back it was to the landing page Discord has for all new accounts where they tell you about how they are a worse IRC clone and try to upsell you into buying Nitro (but hey, at least it's still better than Slack). Thinking I had lucked through somehow and wouldn't need to go through the whole phone number charade and was home safe I closed these popups but instead of the expected stuff I was presented with the login screen again. It looked like I had timed out instead on the previous screen and would need to login again into the new account.
No matter, at least I was getting somewhere. I put in my new email and password and hit "Log in", only to be rewarded with "Wait! Are you human?". It was captcha time again. I got my burner phone ready and clicked on the rabbit, just about having had it with Discord. Time was ticking, the game was about to start soon and I didn't want to miss out on the first round.
Fuck me with a pointed stick. Why has this account been disabled when it's never been properly logged into ever in the first place? What possible reason could you have for disabling the account? No phone number? In that case why not just ask for one instead of nixing the account straight up? I hadn't got the time to seethe here so I went straight back to the account creation screen. Since the previous attempt had failed to create a working account I tried to create another one only to be told "Email is already registered", but not before going through another round of captchas.
Great, because I had the temerity to switch over to another tab for a few minutes you've now basically made it impossible to use my email address with discord forever. Normally at this point I'd have gone outside and touched grass to cool off a bit but there wasn't any time for that right now. I immediately went back to Protonmail and created a new account then returned to Discord signing up for another shiny new account with my shiny new email. One more captcha later I was back to the "verify your phone number page". This time I had my burner in hand and gave Eris my number post haste prior to her fickle nature banishing me again only to be met with another "Wait! Are you human?" before she'd send me the six digit code needed to gain access to her inner valuables.
I got the code and typed the digits in one by one, then hit enter. My reward for this was, yep, you guessed it, another captcha. These newfangled automatic registration bots must be getting really good now at inserting themselves directly into the middle of the process given that you need to verify your humanity basically every other click.
Even this was not enough to satisfy her, she wanted me to verify my email as well before letting me in. I clicked on the button to send a verification email only to be presented with yet another captcha. This was too much, I was one sliver away from going full REEEEEE now: Verification can was supposed to be a meme you guys, not an accurate description of reality! Nevertheless I kept my composure, clicked on the rabbit and waited for the fated email to arrive.
Instead of the signup email from Discord I was expecting I got one from Protonmail instead:
WTF???????? The fact that you knew this was a registration email from Discord implies that you have scanned my email. I thought one of the unique selling points of Protonmail was that you were so privacy focused to the point that everything was encrypted and if governments served you a warrant you wouldn't ever have any info about your customer's emails beyond their encrypted inbox you couldn't do anything about. Scanning their emails is about the biggest breach of trust possible here. And it turns out you aren't just doing it when your hand is forced by the government (understandable) but willingly to make some extra pieces of lucre.
What's even the point of Protonmail then if you're going to be just as bad as the big providers when it comes to privacy but also provide a paltry amount of free storage compared to what they give, and we haven't even started talking about how you gimp new accounts or your sketchy and misleading advertising (they say new free accounts get 1GB storage but it's actually only 500MB by default with the rest requiring you to set up autoforwarding from your gmail account to use their UI and also download their app; oh and to create a sense of FOMO you only have 15 days to do this or you're forever stuck at 500MB).
I remember the days when you used to have two passwords for protonmail, one to download your encrypted mailbox from the site and then the other to decrypt the mailbox locally on your own machine. Oh how you people have fallen. I used to be highly supportive of them in the past but after seeing this I would't piss on them if their servers were on fire.
And of course by now Discord had timed out again and my fledgling account had been disabled. I would have to start the process from the beginning and go through the captcha gauntlet one more time. I was legit malding now, why did they have to make it so fucking hard to create a usable discord account? I was close to giving up by now, no clocktower game was worth this much strife.
Eventually I had to go to Microsoft and create an Outlook email to be able to create a functioning Discord account. I had just about given up and didn't expect much from them but surprisingly the process with them was completely smooth. All those capchas by the end though had me channelling my inner Elmer Fudd and I was just about ready to kill that damn rabbit. I noticed quite wryly that in the year 2024 AD Microsoft, that old bogeyman of the 90s, was somehow more OK with completely anonymous accounts than services which a few short years ago were loudly trumpeting how pro-anonymity they were.
But even now I was not home safe. I may finally have had a working Discord account but still needed an invite to the BOTC server because surprise surprise my last link had expired. Even though we're an open fun server that's happy to welcome pretty much anyone from rdrama/themotte in 2022 Discord got rid of permanent non-expiring invitation links unless the owner designates it as a "community server" which means giving Discord full rights to scan all content as well as getting it listed on a public directory on the discord website (not a good thing for us, the server's culture risks getting run over). This means we are forced to rely on invite links that expire every seven days...
This change by Discord making user experience worse sounds completely nonsensical until you realize that Discord wants to compete with other established social media sites like Twitter. That means they're trying to incentivise people to spend as much time as possible on their site and pushing community servers that people can self discover is one way of doing it (same reason they switched to fixed usernames). These incentives also have a side effect of Discord cannibalizing other smaller discussion sites like drama where Aevann who runs rdrama.net now hardblocks links to them because they very noticeably siphon off conversations and people; I can't say this policy is wrong either, something like it is probably necessary for the long term health of the site.
In the end I ended up messaging multiple different people I knew to be on the server and very obliquely asking them for an invite link (because I didn't want my messages to get filtered), hoping one of them would respond so I could join my game. Fortunately @everyone saw my message and I was able to join the game, but not before he got his drama account temp shadowbanned for falling afoul of the Discord filter. After wandering the modern technological desert I had eventually made it to the promised land, but not without half a headache and an intense burning hatred inside of me for the way these big companies operate...
Shattered the screen of my Google pixel and tried to get a new one. Even with being logged into Gmail on my personal laptop, even with having a phone number associated, even with having backup codes, Google told me that because the "safest" option was clicking numbers on my broken pixel, I would be unable to log in to the new phone. I ended up returning the new phone and replacing the screen on the old one (which turned out to be more expensive than buying a new phone). There is no way to turn off the "numbers on a screen" function for verifying the Google account for me either.
Now imagine you'd lost the old phone or it got stolen. You'd basically have lost your Google account there and then. It's one big reason why I'm not a fan of TOTP methods that don't allow me to register on multiple devices as a backup plan in case my main one becomes unusable for whatever reason.
More options
Context Copy link
More options
Context Copy link
Wait, how would GMail know your MAC? IMHO, their server should not have access to that. Nor should your browser tell them the MAC of your device. Of course, some proprietary spyware app from them could extract your MAC and sent it to the server, but even then it would be unsuitable for authentication purposes because your device could just lie about it.
Google and other sites don’t have to know the MAC itself to know of a device change (eg a hash can be used).
You can read about device and browser fingerprinting to find out more.
More options
Context Copy link
More options
Context Copy link
Having worked internally at bigcorp with the team that handles this, they are incompetent and inhuman. Their only care is keeping the spam rate "acceptable" while also keeping the rate of false bans "acceptable" too. They will leave useless rules in place while refusing to add new rules as long as their metrics are good. Of course there is no feedback loop so they never know what the actual rate of false bans is. Thankfully bigcorp only bans when you try to do something spammy, unlike google and discord, which ban you on login, which seems retarded in my imo. (The trick being if you never log in, you never get the discord verificationwall, so back up your cookies and auth tokens and never log into discord again since they don't ever log you off)
The problem you're facing is due to two things, new account spam, and account takeover.
Spammers use new accounts because it's the most obvious route, so this is the first thing they need to address. That's why you get screwed when signing up with a vpn. (though residential proxies exist, at not much higher cost then vpn, so this is likely a dumb rule anyways.)
Once spammers have their main route blocked, some will try to take over aged accounts. Of course all of the spam rules for 1. don't work anymore on aged accounts, so the anti spam teams have to make a whole new set of rules, with much less data to boot. You can blame the suckers who got hacked for subjecting you to this struggle. But on google you can mostly avoid this by pre-emptively setting up 2fa with totp, y2f or sms burner on your aged accounts to prevent them from being banned.
Since all of these services are past their hyper growth phase and have a moat, they don't care about impeding your signup, because as you've seen, you'll sign up anyways no matter how much bullshit they put you through. So if you have an aged account, you should take steps to protect it, because getting another one is going to be difficult. And if a new service is on the rise, you should start aging a personal account just in case, even if you don't want to use it right now.
Appendix
Elon vindicated? I'm guessing this is coming soon to Reddit as well, given the number of subs that died after the mods posted a discord in the sidebar.
You might want to just pay for data on that phone. Most phone providers use NAT so you'll have a shared ip with others, giving you an intermediate level of anonymity between vpn and a residential line. This also means an intermediate level of scrutiny when signing up for services online.
Matrix is shit garbage. I could destroy Matrix overnight with an attack over federation, but no attackers have ever tried because Matrix's defenses are so weak that spammers (and worse) don't bother - they just sign up for infinite regular accounts.
More options
Context Copy link
Protonmail uses PGP for their encryption, which doesn't encrypt subject headers or the sender. They don't know your contents, but those should be enough for them to realize what it was, even if discord had encrypted their email, which I assume they didn't.
More options
Context Copy link
If you want your tech providers to work for you, use a paid service.
Is there any reason why Google, Discord, or Protonmail should care about their services being unusable to a non-paying, uncooperative customer?
More options
Context Copy link
Yes, it is providing an excellent security benefit -- that from here on out the account will be protected by association to an additional factor.
Obviously it's not retroactively possible to add that as a factor for this specific login. But that doesn't mean it's of no benefit.
You have as much information as a well-motivated attacker might have. In fact, you went to great efforts to make yourself so uncorrelated with the original login, that you are indistinguishable from an attacker.
On some level, sure, this is a failure of the technology to have more factors that the real count has that an attacker wouldn't (although see above -- you got mad when they tried to add more factors)
Please, I don't want to look like abuse but I'm going to do everything I can to look like abuse!
Obviously. You made the account just to get past various other registrations. Of course that's gonna flag you.
Think of the alternative: if ProtonMail (or whoever) allowed this shit, then Discord (et al) wouldn't accept a ProtonMail account as a verification.
No, they don't scan. Discord and others explicitly insert metadata into the email header saying "this is a service registration request, please ensure that only established accounts can read it". No scanning necessary, because Discord actively tags it. You can read it yourself in the SMTP headers.
This is maybe understandable, but at the same time this is niche-of-a-niche kind of user behavior.
The social question of whether the systems that we put in place need to accommodate the needs of tiny minorities of people rather than being aligned to the larger majorities is well trod.
Privacy is incompatible with Gattaca's "Valid world" or Shadowrun's SIN. If we still believe it's a right - as it has been for most of history and is official policy in most Western countries - SINs as a prerequisite of existing in society can't be allowed. If we don't, we should go the whole hog, abandoning all restrictions on government surveillance (there is a lot more social good in police surveillance than corporate surveillance!), ripping out the "three felonies a day" from the criminal code*, and possibly going the full Geodesica-Bedlam route of "privacy is against the law; everyone gets to access the telescreen cameras and run spy drones".
*Laws that everyone breaks + no privacy = police state, since everyone is always provably guilty and thus prosecutorial discretion is ultimate power. And, indeed, we're sliding in that direction at the moment.
What about zero knowledge proofs?
What is to be zero-knowledge proven?
The current ideas around the application of the technology are precisely that you could use it to build a digital identity system that still retains privacy.
The usual example involves medical records: instead of having some centralized authority store all of your information and reveal select parts of it to people of interest, which has the properties you decry, you could hold this information encrypted (and even public to some degree) and require the signature of the individual to verify any property of this shared encrypted data without ever even exposing the data itself.
You could have your pharmacy check that a doctor prescribed a particular drug to you without knowing what your illness is, who the doctor is or any other information about you and none of that information be handled in the clear by any state authority.
Whether it's realistic that such a system would be made is another question, but the raw technical impossibility you speak of is, at least, being questioned right now.
OP's usecase doesn't seem amenable to zero-knowledge-proof, though; you could certainly prove that you have access to a SIN, but everyone has such access (including spammers) so there's not much point.
Maybe i'm being too literal, but SR SINs are specifically about what social categories you're part of in the RPG, not mere individual identification.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
That assumes that the phone number is there for security. It's actually there so that Google can collect information about you and correlate it with other information about you that uses the phone number. The claim that it's there for security is a lie.
Why would it not just be both? They make money on it and it also improves security for most people most of the time. They're willing to take the hit of angering a few weirdos that want to spoof and aren't actually doing anything sketchy if it makes them money and improves the user experience for people that don't care to hide their location or identity. Being able to correctly identify the owner of the account seems like an almost perfect alignment of interests between security and profit.
More options
Context Copy link
More options
Context Copy link
Seconded and endorsed across the board.
More options
Context Copy link
More options
Context Copy link
I take some limited precautions against a random stalker or curious individual, but I assume that if somebody really wants to track me down, they can. This is before we even get into stuff like bulk AI fingerprinting via stylistic analysis of crawled text samples, which is either incoming or already in use anyway and which, combined with LLMs looking for shared interests/hobbies/tics/references will probably be able to link anonymous users to each other and to information published under real names pretty easily.
More options
Context Copy link
I wonder if providers are in paranoid election mode now. In 2020 Facebook had a huge election security effort, maybe other companies are Doing Their Part to Secure The Election.
There's the problem that this time, Twitter (X) isn't fully on-board. I'm sure there's still loyalists there, but they're much less powerful, and if they come to Musk's attention they may get shut down.
More options
Context Copy link
Maybe, maybe not.
More effort, please. This comment literally conveys nothing.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
I used to work at a 3 letter agency hiding my identity on the internet. Two points jump out to me from your post:
I don't think your change of MAC address caused you this hastle. The MAC address is a physical layer id and won't get transferred beyond your router in the TCP/IP packets. Something you install (like a game) could use the MAC address to uniquely identify you, but I don't see how something like gmail could do that. Is there some sort of new javascript black magic that lets gmail access the MAC address? It seems much more likely to me that you triggered additional "security" measures via some other path.
Your burner phones also uniquely identify you. If two phones are in the same location (or connected to the same wifi networks) for extended periods of time, the borg can link them together as belonging to the same person pretty easily. These burners are probably a waste of money unless you are literally throwing them on a train after buying them and using them once.
If anything the OP's active efforts to appear untrustworthy as documented by @anon_ and @confuciuscorndog may themselves have triggered the scrutiny.
My guess would be that as a general rule, people who are seriously concerned about security don't maintain consistent pseudonyminous identities on public forums, and if they do, they try to blend in with the background rather than advertise thier presence.
More options
Context Copy link
I can say with some definitude that your phone's individual identifiers are trivially available to anyone who cares to know. So, triangulating you based on using multiple burner phones in close sequence is easier, not harder, than using one phone in sequence across a few discrete locations and then using a different one.
More options
Context Copy link
I guess it really depends who you're trying to hide from. In my mind, the layers roughly go like this: low-effort spammers, higher-effort spammers, a casual stalker, a dedicated investigator, government agencies in general, and then last a specific government investigation. There's a little bit of overlap between some of the layers and your ISP itself is in a bit of a unique spot as well. Even a very poor opsec burner phone number is pretty effective for at least the first 3 categories, and arguably that's all most people care about, though it sounds like OP is probably most concerned about levels 1-4 (up to and including a dedicated investigator/stalker/etc).
Nah, I'm not that concerned about government agencies, I've already made peace with the fact that if they come after me there's nothing I can do. I'm more concerned about your average journ*list etc. wanting to gather info on me.
More options
Context Copy link
What does opsec have to do with spammers?
A lot of web vendors resell personal information to third parties, who in turn sell to third parties, which often sell to spammers at best and scammers more often. This includes places you'd expect to know better: QuinnyPig has gotten contact points he's only given to Amazon resold to spammers. Mostly e-mail in his case, but I've personally gotten phone calls from vendors trying to use one of my online identities.
((Which is funny, but in a morbid way.))
If all they have is an e-mail or phone, without even a real name, there are upper limits to how credible their spam or scams can be. You might, maybe, get generic stuff like "your car's extended warranty has expired". The more personal details you have available connected to the same account, the more those people can start more aggressive tactics. Just standard purchase info is enough to make a pretty compelling-looking fake invoice, for one of the more common scammer tricks. And this can scale up pretty dramatically as more information leaks.
((And it's just annoying to get ten thousand spam phone calls or e-mails, even with tools to block them. Yes, in theory CAN SPAM and the national Do Not Call list should help, but they're limited in effectiveness.))
Opsec's not the only way to have problems, here, but it's a non-trivial way for many attacks to come in.
I don't know. I have never used a VPN in my life. Gmail filters out just about all the spam emails. My phone filters out the spam texts. Maybe I get a spam call every now and again, but by simple virtue of never picking up a call from anyone I don't know and never listening to voicemail I'm pretty insulated from most scams. I'm skeptical that there is much benefit to being super anal about logging into discord.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
Some scattered thoughts about what you posted from somebody who browses the Web almost entirely via Tor:
Use Matrix at a minimum people, seriously. Discord is shit garbage.
Always set up a TOTP 2FA key (assuming the service supports it, which most big ones do nowadays) on any burner account immediately, the very first moment you're registered, logged in, and can access the settings panel, before you do anything else. This will in many cases serve as a valid alternative to providing a phone number (can't say about Google though as they truly might be the Antichrist and you definitely should avoid their products entirely if possible). (PS: If you didn't do this on your Outlook account, you're going to get blocked with a request for a phone number the next time you log in with a different IP.)
You're doing Proton dirty here. They've only ever claimed to encrypt the bodies of your emails; the subjects (which are all they need to figure out that you're receiving registration e-mails) have never been claimed to be encrypted and aren't (otherwise it'd be very difficult for them to do spam/phishing/etc. filtering). And given that they're providing a free service where according to all known information they don't sell off your data to finance it (that is, solely using it as a free trial/advertisement for their paid offerings), why do you think you deserve infinite, unmetered use of it in violation of their clear ToS which says one free account per person only? Hard to feel sorry for you here. (Further, while I know you were in a rush at the moment, if you ever want to use an account to chain to registering another account, if you have the time and want to avoid any hassle, it is always a good idea to let the first account in the process age at least 24 hours. Proton is hardly the only service with a system to detect making throwaway accounts to register other accounts.)
Facebook makes it pretty easy (or at least easier than normal) to register a truly anonymous account via their Tor .onion hidden service, though it's been spotty at times. (Be sure to set a plausibly real profile picture that is edited slightly enough to not be reverse image searchable or ideally one that's AI-generated entirely, plus a plausibly real name that doesn't at all resemble any celebrity's.) After you wait at least a day with the account registered (as Facebook has similar measures in this area as Proton, though they just tell you to wait longer instead of putting permanent restrictions on your account), then you can often use this anonymous account to get a foot in the door on websites that allow you to sign up with Facebook. (However, the key is that you must only ever log in to the account via Facebook's hidden service. If the cookies for the account ever hit actual plain old Facebook.com itself, it will be permanently disabled. This means if you're using a "Sign in With Facebook" authentication link, you must modify the URL manually to the .onion version before going to it. Also this doesn't really work nearly as well for Instagram. You'd think having a Facebook account in good standing would guarantee its attached IG account, but nope. They'll often disable you quickly, especially if the account is unaged.)
If you ever use an app or locally-installed/program version of a service, they're probably already able to fingerprint you and your device enough that nothing else matters. If you're ever "pleasantly surprised" that a service doesn't give you crap for signing in via a VPN or something, it's because they already know who you are anyway based on your device characteristics. At a minimum probably every app you use on your phone (unless you use Graphene or something similar) can be connected via fingerprinting to every other app.
External services don't receive your MAC address (unless you use IPv6 without privacy extensions, but if you're using a VPN you're not showing off your real IP in the first place). Changing it has nothing to do with what happened.
There doesn't seem to be any particular reason to go out of your way change the IP you use to connect to a singular account. All of the IPs will be automatically connected by that account anyway. Opsec-wise, what's the point? You were hoping Discord might end up confused about whether the person still using the account now is the one who registered it? I guess you got what you wanted... (Yet any human or moderately-smart LLM looking at the account now probably still wouldn't question that it was the same person the whole time anyway.)
Is Matrix actually not garbage these days? I tried to set it up a few years ago and gave up when I couldn't get the default Android app to make a voice call without crashing. As I said, that was a few years ago, so hopefully it's gotten better, but I skim their weekly blog posts and it still sounds pretty beta-quality. Moving off Discord to something open sounds great, but it has to be to something that actually works.
Well, voice calls still suck in my experience, but that's never been what I've used Matrix or Discord for.
For encrypted voice calls, I suggest Wire.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
I do greatly miss irc. I know it hasn't gone anywhere, but the last few irc servers I used to hang out on all moved to discord because memes and emojis and reactions and integrated twitter links. I wonder what would happen if I set up another one... except I wouldn't be able to host it locally. My Starlink connection doesn't support stuff like that unless I upgrade to commercial with a static IP. Normies get to use ip sharing. I can't host most games either.
Can't you use ddns to set up a static server on a changing IP?
It's not so much that the IP is changing, it's that Starlink has multiple customers sharing a single IP at the same time, with some routing involved to send the right traffic to the right customer. But they explicitly do not support any sort of port forwarding unless you upgrade to commercial service.
Oh God one of those setups, that's awful. Literally no workarounds short of relaying everything through an outside server, and at that point you might as well host it with them in the first place.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
This is probably not helpful but the problems you list in your post is why I have almost completely given up on opsec precautions. It's just too inconvenient and stressful.
I've come to the conclusion that these big companies have won and if they want to know details about your internet life there's little you can do to stop them.
The best way I know of coping is to tell myself that there are people who are much more interesting to government/big tech than me. Now I simply go with the flow.
I agree entirely. I give it maybe 2 years before AI makes it trivial for even small players to dox anyone with any substantial amount of online writing. My twitter account is just my real name now.
More options
Context Copy link
More options
Context Copy link
Where do you get your burners? I need to get one for a new identity.
I never could make a Twitter account through protonmail and vpn, totally locked down.
The UK doesn't require SIM card registration. Just get a cheap physical SIM from your nearest small scale mobile phone store and go to another one of them and get a £25 dumb Nokia. Put SIM card inside Nokia and you're good to go.
More options
Context Copy link
More options
Context Copy link
Apparently it was not even a temp shadowban as such, Carp manually unbanned me as he does to most victims of Aevann's rslurration that catch his eye.
More options
Context Copy link
I feel your pain. It reminds me of the Please Drink Verification Can copypasta. The new captcha's I've been facing have been particularly annoying, requiring me to click images that slowwwwwly reappear in a way designed to infuriate humans more than to ward away bots.
The problem with online anonymity is that it's only valued by a handful of libertarians, and millions of bots, pirates, scammers, and other unsavory individuals. Since most normies don't care about being anonymous, the vast majority of companies don't care either, and only see it as problem.
They care about the exactly proper odds ratios -- out of X people that do action Y, Z% are bad actors.
More options
Context Copy link
One of the simplest and easiest ways to ward off bots, scammers, and trolls is to institute an minor inconvenience that disproportionately effects bad-faith-actors. Most normal users will think nothing of an enforced 30 second delay between login attempts or captcha inputs because they're only logging in so often anyway.
In contrast the scammer running a bot-net or the tumblr-troll hopping between multiple sock-puppets is definitely going to notice.
More options
Context Copy link
On the upside, this stuff hits people who aren't that focused on anonymity. The SO is an absolute normie for anonymity purposes, and is driven absolutely up the walls by a lot of the constant push for 'human verification' that doesn't work, and running normies at work through gov 2FA setups have made me and them want to strangle people.
It's a rather shitty silver lining to The Cloud, but I think there's a bigger alliance of People Pissed Off By Bullshit than one of Libertarians and Scammers.
((I've also been getting questions that are weirdly philosophical. Nothing quite at the level of 'what is good', but 'what counts as a sign' sorta way.))
These are the product of trying to use captchas as ai training data which i find both terrifying and weirdly reassuring in a way.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link