• Re: Texting annoyance

    From VanguardLH@21:1/5 to dieterhansbritz@gmail.com on Sat Jan 20 08:24:03 2024
    db <dieterhansbritz@gmail.com> wrote:

    Sometimes the autosubstitution feature when I text a message
    is helpful, but often it is very annoying, when it
    repeatedly wants to substitute something I don't want to
    write.
    How do I turn it off?

    Depends on brand of phone, and perhaps model, and which keyboard you
    selected. Searching on "android undo auto correct" finds lots of online articles to help you, like:

    https://www.google.com/search?client=firefox-b-1-d&q=android+undo+auto+correct

    One match, but may not be the nav path on your particular phone, was:

    https://www.mail.com/blog/posts/turn-off-autocorrect/113/

    Another match was:

    https://www.twintel.net/how-to/how-can-you-improve-your-android-devices-autocorrect/

    Auto-correct rarely gets in my way, so I still leave it on. I think
    hitting backspace (the back arrow nav button in the virtual keyboard)
    undoes the auto-correct. Auto-correct just lists suggestions. If I
    continue to type to the end of a word, what I typed in gets accepted,
    so, for me, it's more of auto-suggest than auto-correct. However, I'm
    using the included keyboard that came with my phone (LG) instead of
    Google's keyboard (Gboard). From what I can tell from my settings, looks
    like the Gboard is only used when speaking (speech to text) into a voice-capable input. Possibly Gboard is more aggressive than LG.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to dieterhansbritz@gmail.com on Sat Jan 20 15:23:10 2024
    db <dieterhansbritz@gmail.com> wrote:
    Sometimes the autosubstitution feature when I text a message
    is helpful, but often it is very annoying, when it
    repeatedly wants to substitute something I don't want to
    write.
    How do I turn it off?

    As VanguardLH indicates, it's a *keyboard* setting, not something in
    the app in question (in this case the Messages app).

    On my (Samsung) phone, the keyboard settings are under Settings ->
    General management (Language and keyboard * Date and time) -> <type of keyboard> Keyboard settings -> Predictive text -> On/Off switch. (Note
    that your phone might have several different software keyboards, with
    one of them the currently selected/enabled one.)

    Note that VanguardLH searched on 'auto-correct', but that on my phone
    it's called 'Predictive text' (because it's more than just auto-correct).

    If and when you respond, please mention the brand, model and Android
    version of your phone.

    Phone settings are nearly always brand dependent and often also model
    or/and Android version dependent, so when asking questions which
    probably involve phone settings (instead of settings of *add-on* (i.e.
    not pre-installed) apps), always mention brand, model and Android
    version.

  • From Carlos E. R.@21:1/5 to All on Sat Jan 20 16:25:33 2024
    On 2024-01-20 10:13, db wrote:
    Sometimes the autosubstitution feature when I text a message
    is helpful, but often it is very annoying, when it
    repeatedly wants to substitute something I don't want to
    write.
    How do I turn it off?

    Repeatedly?

    If I delete and retype what it corrected, it holds. In theory, your type
    should be one of the options in the dictionary offerings, unless you
    type fast and away.

    --
    Cheers,
    Carlos E.R.

  • From Bill Powell@21:1/5 to VanguardLH on Sat Jan 20 23:23:58 2024
    On Sat, 20 Jan 2024 08:24:03 -0600, VanguardLH wrote:

    From what I can tell from my settings, looks
    like the Gboard is only used when speaking (speech to text) into a voice-capable input. Possibly Gboard is more aggressive than LG.

    Good news.
    You do NOT need Gboard to get speech to text microphone on the keyboard.

    You can use Openboard instead. That's what I use for privacy reasons.
    Plus I'm told it handles typographic misspellings in many languages.

    Checking the URL for you, it used to be here but no longer is there.
    https://play.google.com/store/apps/details?id=org.dslul.openboard.inputmethod.latin

    Luckily when I checked the box for other sources, the search found this.
    https://github.com/openboard-team/openboard

    I'm not sure what the difference is between "Openboard" & "Openboard
    Valencia" (if someone cares more they can let everyone else know) but I
    think they may be the same because that site showed both.
    https://f-droid.org/packages/org.dslul.openboard.inputmethod.latin/

    Since Google hates any app competing with it, that might be why it has been removed from the Google Play store (usually that means it's too good).

  • From VanguardLH@21:1/5 to dieterhansbritz@gmail.com on Sun Jan 21 10:41:23 2024
    db <dieterhansbritz@gmail.com> wrote:

    That's how it has been on my Moto 100, but the other day I had to
    repeat a word three times before I got my wish, and it sometimes
    substitutes nonsense. Lately, it adds "ng" as a new word.

    You might try resetting the learned/history predictions to start afresh.

    https://www.google.com/search?q=android+reset+prediction+keyboard+moto+100

  • From Carlos E. R.@21:1/5 to VanguardLH on Sun Jan 21 18:48:58 2024
    On 2024-01-21 17:41, VanguardLH wrote:
    db <dieterhansbritz@gmail.com> wrote:

    That's how it has been on my Moto 100, but the other day I had to
    repeat a word three times before I got my wish, and it sometimes
    substitutes nonsense. Lately, it adds "ng" as a new word.

    You might try resetting the learned/history predictions to start afresh.

    https://www.google.com/search?q=android+reset+prediction+keyboard+moto+100

    And remove words. Probably a long press on the offending word when it
    appears.

    --
    Cheers,
    Carlos E.R.

  • From Larry Wolff@21:1/5 to The Real Bev on Sun Jan 21 18:14:23 2024
    On 1/21/2024 1:33 PM, The Real Bev wrote:

    ai.type is free

    Has ads though.
    https://play.google.com/store/apps/details?id=com.aitype.android.f

    How bad are the ads?

    And where do its ads show up when the app is a keyboard which underlies
    almost everything you type on the phone, including your email and messages?

  • From VanguardLH@21:1/5 to Larry Wolff on Sun Jan 21 18:49:18 2024
    Larry Wolff <larrywolff@larrywolff.net> wrote:

    The Real Bev wrote:

    ai.type is free

    Has ads though.
    https://play.google.com/store/apps/details?id=com.aitype.android.f

    How bad are the ads?

    And where do its ads show up when the app is a keyboard which
    underlies almost everything you type on the phone, including your
    email and messages?

    The first and second screenshots look like fullscreen ads which means
    they interfere with the use of both the app and your phone. Apps that
    shove fullscreen ads onto the phone screen are malware. Seems its big "feature" is the support of emojis which appears to the kiddies;
    however, it also says "To get the new emojis, You must download latest
    "ai.type Emoji Keyboard plugin". The app's title is "ai.type Keyboard &
    Emoji 2022". Geez, what a bunch of childish shit.

    The plus version costs $3, but is older (May 2020) than the non-paid
    version (Sep 2023). No info on how the plus version is more than the
    non-paid version, like if ads are removed in the paid version. The
    download links at their web site (http://aitype.com/) point to 2018 web.archive.org copies of the iOS and Android pages.

  • From Larry Wolff@21:1/5 to All on Mon Jan 22 02:51:23 2024
    On Sun, 21 Jan 2024 19:48:39 -0800, The Real Bev <bashley101@gmail.com>
    wrote

    I'd never identified ai. as the source of the occasional ads == which
    seem to be for some game. Hunt for the x, make it go away, get on with
    life.

    I can't imagine what an app does that would make me want to see full-screen ads, as the only ads I'll tolerate are those at the bottom of an app while
    in use but no others.

    For a keyboard, I can't think of ads being worth it given how many good
    free keyboards are already available out there that do not have any ads.

  • From VanguardLH@21:1/5 to The Real Bev on Mon Jan 22 11:19:42 2024
    The Real Bev <bashley101@gmail.com> wrote:

    VanguardLH wrote:

    Larry Wolff <larrywolff@larrywolff.net> wrote:

    The Real Bev wrote:

    ai.type is free

    Has ads though.
    https://play.google.com/store/apps/details?id=com.aitype.android.f

    How bad are the ads?

    And where do its ads show up when the app is a keyboard which
    underlies almost everything you type on the phone, including your
    email and messages?

    The first and second screenshots look like fullscreen ads which means
    they interfere with the use of both the app and your phone. Apps that
    shove fullscreen ads onto the phone screen are malware. Seems its big
    "feature" is the support of emojis which appears to the kiddies;
    appeals ___/
    however, it also says "To get the new emojis, You must download latest
    "ai.type Emoji Keyboard plugin". The app's title is "ai.type Keyboard &
    Emoji 2022". Geez, what a bunch of childish shit.

    The plus version costs $3, but is older (May 2020) than the non-paid
    version (Sep 2023). No info on how the plus version is more than the
    non-paid version, like if ads are removed in the paid version. The
    download links at their web site (http://aitype.com/) point to 2018
    web.archive.org copies of the iOS and Android pages.

    The free version offers more options than I want to even think about.
    You can add rows of special keys and/or make the rows offer different
    sets of characters. You can add keys. I especially like the
    unobtrusive spellcheck function.

    The highly stressed emoji feature is inane. I use my phone, not play
    with it, but a lot of folks apparently have lots of free time to waste
    playing on their phones. Once all the emoji features are discarded,
    there isn't much about this keyboard app that other trimmed versions
    provide. However, the customizable key rows sound nice, but not really essential.

    I'd never identified ai. as the source of the occasional ads == which
    seem to be for some game. Hunt for the x, make it go away, get on with
    life.

    http://aitype.com/

    The GDPR fucked up domain registrations. They are so redacted that
    domain registrars might as well eliminate providing any info about them. However, in this case, aitype.com is paying extra to hide behind a
    privatized domain registration: domainsbyproxy.com operated by GoDaddy
    for domain registration, Wildwestdomains (secureserver.net) for site
    content, and leech from web.archive.org also for content. Their last
    renewal was for only a year. One of their contact links points to
    Google+ which died in 2019, so using their link drops you at a
    web.archive.org page (which they cannot forge by pretending it's their content).

    Looks like all of their content is at web.archive.org. Click on the
    About Us, Support, or other links, and wait for the content from web.archive.org while pretending it came from aitype.com. Seems an inappropriate use of the web archive site to offload your content. Go
    to their Support page (well, web.archive.org's web page presented as
    their own), and clicking on anything there gets a "page not found". The
    site was first registered in 2009, and they have not fleshed out their
    web site.

    "ai.type's cloud based engine is a unique approach that enables the
    market most accurate next word prediction and auto-correction
    experience." So, what happens when you can't reach a cell tower, and
    there is no nearby open wifi hotspot? Everything you type goes to them.

    Data of 31 million users of iPhone add-on keyboard ai.type potentially
    leaks (c.2017)
    https://forums.appleinsider.com/discussion/203091/data-of-31-million-users-of-iphone-add-on-keyboard-ai-type-potentially-leaks

    Android users beware: This keyboard app may help scammers steal money,
    delete it now (c.2019)
    https://www.indiatoday.in/technology/news/story/android-users-beware-this-keyboard-app-may-help-scammers-steal-money-delete-it-now-1616232-2019-11-06

    How can they leak user data if they didn't have it? Because they do
    have it. You're using a keyboard app that spies on what you enter.

    It is abandonware. It is spyware. It is crapware. It appeals to the
    inane. I wouldn't trust them with a vial of my piss.

    Emojis are a sign of the collapse of civilization. Exception for
    these, called SMILEYs, of course: :-( and :-)

    We've spent 3000 years moving from hieroglyphics to having far more sophisticated languages. With smartphones, we're back to hieroglyphics.

  • From Andrew@21:1/5 to VanguardLH on Tue Jan 23 23:39:13 2024
    VanguardLH wrote on Mon, 22 Jan 2024 11:19:42 -0600 :
    https://forums.appleinsider.com/discussion/203091/data-of-31-million-users-of-iphone-add-on-keyboard-ai-type-potentially-leaks

    You did a good job showing WHY you do not want to have your contacts
    exposed because apps that don't even need them are storing them on the net.

    https://forums.appleinsider.com/discussion/203091/data-of-31-million-users-of-iphone-add-on-keyboard-ai-type-potentially-leaks
    "Conflicting accounts have emerged about a security breach involving the ai.type add-on keyboard for iOS and Android, with researchers claiming that
    31 million people's data has been compromised -- with a user's contacts
    also potentially included in the leak."

    That is why you should keep your default Android contacts completely empty. Each app you use should be chosen to maintain its own private contacts db.

  • From Peter@21:1/5 to VanguardLH on Tue Jan 23 23:34:24 2024
    VanguardLH <V@nguard.LH> wrote:
    It is abandonware. It is spyware. It is crapware. It appeals to the
    inane. I wouldn't trust them with a vial of my piss.

    There are far better & privacy aware keyboards out there that are free and don't have ads, and most are open source so the code can be looked at.

  • From Carlos E. R.@21:1/5 to Andrew on Wed Jan 24 12:31:13 2024
    On 2024-01-24 00:39, Andrew wrote:
    VanguardLH wrote on Mon, 22 Jan 2024 11:19:42 -0600 :
    https://forums.appleinsider.com/discussion/203091/data-of-31-million-users-of-iphone-add-on-keyboard-ai-type-potentially-leaks

    You did a good job showing WHY you do not want to have your contacts
    exposed because apps that don't even need them are storing them on the net.

    https://forums.appleinsider.com/discussion/203091/data-of-31-million-users-of-iphone-add-on-keyboard-ai-type-potentially-leaks
    "Conflicting accounts have emerged about a security breach involving the ai.type add-on keyboard for iOS and Android, with researchers claiming that 31 million people's data has been compromised -- with a user's contacts
    also potentially included in the leak."

    That is why you should keep your default Android contacts completely empty. Each app you use should be chosen to maintain its own private contacts db.

    Bollocks.

    That's nuts.

    Very inconvenient and cumbersome.

    --
    Cheers,
    Carlos E.R.

  • From Andrew@21:1/5 to Carlos E. R. on Wed Jan 24 17:23:26 2024
    Carlos E. R. wrote on Wed, 24 Jan 2024 12:31:13 +0100 :

    That is why you should keep your default Android contacts completely empty.
    Each app you use should be chosen to maintain its own private contacts db.

    Bollocks.

    That's nuts.

    Very inconvenient and cumbersome.

    Nobody ever said staying private wasn't "very inconvenient & cumbersome".
    So your feeling it's too hard for you to remain private is likely correct.

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

  • From VanguardLH@21:1/5 to Andrew on Wed Jan 24 12:13:47 2024
    Andrew <andrew@spam.net> wrote:

    Carlos E. R. wrote on Wed, 24 Jan 2024 12:31:13 +0100 :

    Andrew:

    That is why you should keep your default Android contacts completely
    empty. Each app you use should be chosen to maintain its own
    private contacts db.

    Bollocks. That's nuts. Very inconvenient and cumbersome.

    Nobody ever said staying private wasn't "very inconvenient &
    cumbersome". So your feeling it's too hard for you to remain private
    is likely correct.

    The people who take your contacts make it very convenient to upload
    them. Did you ever stop to wonder why they make it so easy to get
    your contacts?

    To satisfy both viewpoints, make damn sure you use a STRONG password on
    your online account. And don't reuse passwords. Every domain gets its
    own unique password. That resists frontend hacking. Backend hacking
    (finding vulnerabilities in the service, employee theft) is another
    matter, like data breaches you hear of. That's where in-transit and
    in-situ encryption are important, so not even the provider or a hacker thereinto can see your data.

    Although Gmail has come out with end-to-end (in-situ) and in-transit
    encryption (for Workspace accounts), that still doesn't protect your
    data from breaches. Frontend protection depends on how well you defined
    the password for access, and it being unique at EVERY domain (i.e., do
    not reuse any passwords). Just remember that data breaches are not only
    up on servers. They include whatever local storage you are using to
    store your contacts. Breaches can be online or local.

    No e-mail provider needs to bother culling email addresses from your
    contact records stored on their service. Besides, not everyone to whom
    you send an e-mail is in your contact records. They already have your
    e-mails, so they can cull from there everyone to whom you send e-mail.
    You can go to whatever extreme you want to protect your contact records,
    but how are you going to bar an e-mail provider from looking at the To
    and CC headers in your outgoing e-mails, and the From and Sender headers
    in incoming e-mails? You do all that paranoid protection of your
    contacts, but leave wide open the interrogation of your e-mails. You
    use their service to send e-mails. They have your e-mails. That means
    they can, if they so choose, cull all addresses from your e-mails
    (incoming and outgoing). Like putting a dozen deadbolts on your house
    door, but you leave open the windows.

    Andrew, what is YOUR method of toting contact records between hosts? Or
    are you a hermit that has only 1 computer at home, so that is the only
    place where you ever need contact records? If you're toting around a
    USB drive with contact records, how do you protect that data the moment
    you happen to plug the USB drive into a possible infected host that
    would immediately read and store the data on the USB drive?
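
VanguardLH's point about the To, CC, From and Sender headers, shown as an added example that is not part of the original post: the script compares a deliberately small address book with the addresses recoverable from message headers alone. The mailbox, the addresses and the function names are constructed for illustration.

```python
"""What message headers reveal about correspondents, independent of any address book."""
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail); every address here is made up.
OWNER = "me@example.org"
SAMPLE_MAILBOX = [
    # Outgoing message with two recipients and one CC.
    "From: me@example.org\n"
    "To: Alice <alice@example.com>, bob@example.net\n"
    "Cc: carol@example.com\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n",
    # Incoming message; note the mixed-case sender address.
    "From: Dave <DAVE@example.net>\n"
    "To: me@example.org\n"
    "Cc: alice@example.com\n"
    "Subject: re: lunch\n"
    "\n"
    "Count me in.\n",
    # Second outgoing message to an address that was never stored as a contact.
    "From: me@example.org\n"
    "To: bob@example.net\n"
    "Subject: invoice\n"
    "\n"
    "Attached.\n",
]
# The only contacts the user chose to store (constructed).
ADDRESS_BOOK = {"alice@example.com", "erin@example.org"}


def _addresses(msg, header_names):
    """Collect lower-cased addresses from the named headers of one message."""
    values = []
    for name in header_names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def correspondents(raw_messages, owner):
    """Return {address: {"sent": n, "received": n}} built from headers only."""
    owner = owner.lower()
    graph = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        senders = _addresses(msg, ("From", "Sender"))
        recipients = _addresses(msg, ("To", "Cc"))
        outgoing = owner in senders
        # Outgoing mail exposes its recipients; incoming mail exposes the
        # sender and everyone else who was addressed alongside the owner.
        others = (recipients if outgoing else senders | recipients) - {owner}
        for addr in others:
            entry = graph.setdefault(addr, {"sent": 0, "received": 0})
            entry["sent" if outgoing else "received"] += 1
    return graph


def exposure_report(raw_messages, owner, address_book):
    """Compare what the headers reveal with what the address book holds."""
    seen = set(correspondents(raw_messages, owner))
    book = {a.lower() for a in address_book}
    return {
        "in_headers": sorted(seen),
        "only_in_headers": sorted(seen - book),  # exposed despite not being stored
        "only_in_book": sorted(book - seen),     # protected only while never mailed
    }


if __name__ == "__main__":
    for key, value in exposure_report(SAMPLE_MAILBOX, OWNER, ADDRESS_BOOK).items():
        print(f"{key}: {value}")
```
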

  • From Alan@21:1/5 to Andrew on Wed Jan 24 10:42:52 2024
    On 2024-01-24 09:23, Andrew wrote:
    Carlos E. R. wrote on Wed, 24 Jan 2024 12:31:13 +0100 :

    That is why you should keep your default Android contacts completely empty.
    Each app you use should be chosen to maintain its own private contacts db.

    Bollocks.

    That's nuts.

    Very inconvenient and cumbersome.

    Nobody ever said staying private wasn't "very inconvenient & cumbersome".
    So your feeling it's too hard for you to remain private is likely correct.

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

    Apple lets you upload your contacts...

    ...but they're encrypted:

    'End-to-end encrypted data can be decrypted only on your trusted devices
    where you’re signed in with your Apple ID. No one else can access your end-to-end encrypted data — not even Apple'

    <https://support.apple.com/en-us/102651>

  • From Andrew@21:1/5 to VanguardLH on Wed Jan 24 22:45:48 2024
    VanguardLH wrote on Wed, 24 Jan 2024 12:13:47 -0600 :

    Andrew, what is YOUR method of toting contact records between hosts?

    It's so simple that it's obvious. Elegant. Efficient. Private. Secure.

    My master contacts database file has over three hundred entries.
    Yet Windows 10 Thunderbird handles it (import/export).
    And Android handles it (import/export).
    Microsoft Office handles it too (Excel merges fields & removes duplicates).

    I keep one master contacts database, which all the other applications use. Oddly enough, it's called contacts.vcs <https://fileinfo.com/extension/vcf>

  • From VanguardLH@21:1/5 to Andrew on Wed Jan 24 17:58:40 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Wed, 24 Jan 2024 12:13:47 -0600 :

    Andrew, what is YOUR method of toting contact records between hosts?

    It's so simple that it's obvious. Elegant. Efficient. Private. Secure.

    My master contacts database file has over three hundred entries.
    Yet Windows 10 Thunderbird handles it (import/export).
    And Android handles it (import/export).
    Microsoft Office handles it too (Excel merges fields & removes duplicates).

    I keep one master contacts database, which all the other applications use. Oddly enough, it's called contacts.vcs <https://fileinfo.com/extension/vcf>

    When you import the .vcs file to get all your contact records into your
    e-mail client, doesn't that mean those contacts are then synchronized to
    your online account? Maybe not with Thunderbird since I don't think it synchronizes anywhere, even if you have a Mozilla account to use when synchronizing config data in Firefox across multiple instances of
    Firefox. However, which Android contacts apps are you using that don't
    use an online account? If they are just VCS viewers, how does seeing a
    contact let you use it to initiate, say, writing an e-mail?

    Which Android e-mail apps [that you use] have no sync function to an
    online account? Or, which Android contacts apps [that you use] have to
    option to sync to an online account?

    Sounds like you employ sneakernet: toting around a USB drive from
    computer to computer expecting each computer to have USB ports (and they
    are enabled in BIOS rather than locked out, like at schools, libraries,
    cafes, etc) where you can then import a .vsc file into some non-web
    centric contacts app.

    Why do you even need to import anywhere? The .vcs file is a text file.
    You could open it with a text editor, copy an e-mail address for a
    contact, and then paste in a new compose window when sending e-mail.

    However, as noted, that doesn't prevent data breaches or hacking to get
    at your sent e-mails, or those you received, to harvest e-mail address
    from those sources. Instead of a list of contacts, you still have a
    list of messages with all those e-mail addresses.

  • From Alan@21:1/5 to Andrew on Wed Jan 24 15:29:10 2024
    On 2024-01-24 14:45, Andrew wrote:
    VanguardLH wrote on Wed, 24 Jan 2024 12:13:47 -0600 :

    Andrew, what is YOUR method of toting contact records between hosts?

    It's so simple that it's obvious. Elegant. Efficient. Private. Secure.

    My master contacts database file has over three hundred entries.
    Yet Windows 10 Thunderbird handles it (import/export).
    And Android handles it (import/export).
    Microsoft Office handles it too (Excel merges fields & removes duplicates).

    I keep one master contacts database, which all the other applications use. Oddly enough, it's called contacts.vcs <https://fileinfo.com/extension/vcf>

    You have a computer...

    ...and you manually import/export contacts between different applications?

    LOL!

  • From Andrew@21:1/5 to VanguardLH on Thu Jan 25 03:13:39 2024
    VanguardLH wrote on Wed, 24 Jan 2024 17:58:40 -0600 :

    I keep one master contacts database, which all the other applications use.
    Oddly enough, it's called contacts.vcs <https://fileinfo.com/extension/vcf>

    When you import the .vcs file

    I made a typo by typing "vcs". It's "vcf". VCARD file. My bad.

    Keep in mind that my main premise wasn't to explain how I manage contacts.
    It was just to let people know they should choose good privacy-aware apps.

    Any app that uploads your contacts is, by definition, NOT privacy aware.

    To the person who said it was too hard for him to NOT upload his contacts, sure, it's EASY to upload your contact to every app that asks for them,
    even if they have no need for them (even Google Maps asks for them!).

    I ask those people who allow that to simply ask themselves this question.
    Why do you think they make it so easy for you to upload contacts to them?

    to get all your contact records into your
    e-mail client, doesn't that mean those contacts are then synchronized to
    your online account? Maybe not with Thunderbird since I don't think it synchronizes anywhere, even if you have a Mozilla account to use when synchronizing config data in Firefox across multiple instances of
    Firefox.

    Thunderbird doesn't have a problem with keeping it on my local machine.
    The master is in Excel though.

    However, which Android contacts apps are you using that don't
    use an online account?

    I use the last known good version of the Simple Mobile Tools contacts.
    https://simplemobiletools.com/

    But there are plenty of private contacts apps that don't upload them.

    If they are just VCS viewers, how does seeing a
    contact let you use it to initiate, say, writing an e-mail?

    The answer is going to be the same for every question that you will ask.
    You choose a privacy-aware mail user agent that doesn't upload contacts.

    They import & export contacts into a private database instead.
    All the good apps will do that. All the bad apps won't do that.

    It's really that simple, so it was odd that a person said it was too hard
    for him because all he needed to do was use good apps instead of bad ones.

    Which Android e-mail apps [that you use] have no sync function to an
    online account?

    FairEmail, privacy aware email
    https://play.google.com/store/apps/details?id=eu.faircode.email

    Or, which Android contacts apps [that you use] have to
    option to sync to an online account?

    This has been discussed on this newsgroup like a thousand times.
    There are plenty of private contacts apps that don't upload them.

    Most of them are named "Private Contacts" which gives you a cluebyfour.

    Here are just some of them already discussed on this newsgroup in the past.
    https://play.google.com/store/apps/details?id=ch.abwesend.privatecontacts
    https://play.google.com/store/apps/details?id=ml.bluelinestudio.privatecontact
    https://apkpure.com/private-contacts-private-call-sms/hazar.studio.privatecontacts
    https://play.google.com/store/apps/details?id=ch.abwesend.privatecontacts

    Sounds like you employ sneakernet: toting around a USB drive from
    computer to computer expecting each computer to have USB ports (and they
    are enabled in BIOS rather than locked out, like at schools, libraries, cafes, etc) where you can then import a .vsc file into some non-web
    centric contacts app.

    Are you crazy?

    What do you think a LAN does?
    Have you never heard of Wi-Fi? Routers? APs? NAS?
    What century are you living in anyway when you speak of sneakernet?

    Your questions have a negative tone much like that other guy who said his
    brain hurt him because it was too hard for him to think about his contacts.

    I'm not forcing you to set up your Android phone using only good apps.
    If you want to use lousy apps that steal all your privacy, have fun at it.

    Just remember everyone in your contacts list also loses their privacy.

    Why do you even need to import anywhere? The .vcs file is a text file.
    You could open it with a text editor, copy an e-mail address for a
    contact, and then paste in a new compose window when sending e-mail.

    The guy who said his brain hurt, I think, complained that some apps require
    you to manually enter the contacts, one by one, which is a valid concern.

    So don't use those apps. Use the ones that import & export VCARD files.

    However, as noted, that doesn't prevent data breaches or hacking to get
    at your sent e-mails, or those you received, to harvest e-mail address
    from those sources. Instead of a list of contacts, you still have a
    list of messages with all those e-mail addresses.

    Based on your questions, the amount that you do not know about this topic
    is so huge that there's no way I'm going to teach you what you can't learn.

    You can either accept the point that the safest way to keep your contacts
    out of the hands of the harvesters is to not store them in the default db.

    Or you can reject that premise.

    If you're the type of person like that other guy who said his brain hurt
    when he had to think, then you're going to reject privacy every time.

    Why do you think all the default Google apps don't respect your privacy?
    Why do you think the good apps respect your privacy and the bad apps don't?

    The way to keep your contacts out of their hands is two simple steps.
    The first step is not to put anything in there that you care about.
    The second step is to use privacy aware contacts & dialers & the like.

    If that concept is too difficult for you, then I can't fix that problem.

  • From VanguardLH@21:1/5 to Andrew on Wed Jan 24 22:41:26 2024
    Andrew <andrew@spam.net> wrote:

    It's really that simple, so it was odd that a person said it was too
    hard for him because all he needed to do was use good apps instead of
    bad ones.

    Yeah, I get simple. I understand why many users want convenience.
    Security and convenience are the antithesis of each other: get more of
    one, lose more of the other.

    Sounds like you employ sneakernet: toting around a USB drive from
    computer to computer expecting each computer to have USB ports (and they
    are enabled in BIOS rather than locked out, like at schools, libraries,
    cafes, etc) where you can then import a .vsc file into some non-web
    centric contacts app.

    Are you crazy?

    Nope. Apparently you've never left home to do e-mail, even when on
    vacation. Maybe you tote along a laptop or netbook, and I have also,
    but sometimes they don't work when on vacation. I've also lost my
    smartphone both literally and via damage. When those personal devices
    aren't available, I have to use someone else's host, so I use the
    webmail clients to my accounts, and I need my contacts there (unless I'm
    only replying to e-mails and not originating them).

    What do you think a LAN does?

    That only works on your intranet hosts. You never need to do e-mail
    away from home?

    Have you never heard of Wi-Fi? Routers? APs? NAS?

    Yeah, still all part of your LAN. Unavailable when away from home.

    What century are you living in anyway when you speak of sneakernet?

    Because I wanted to find out how *you* were transporting your contact
    records from host to host.

    I'm not forcing you to set up your Android phone using only good apps.
    If you want to use lousy apps that steal all your privacy, have fun at it.

    So me asking what you use that is privacy oriented is me being rude,
    crazy, or whatever insult you wish to apply to me. Didn't know
    defending your stance, and telling us how would be so strenuous.

    I'll look at your suggestions, but I suspect they'll be onerous when
    away from home. At home, I use an e-mail client on my desktop, and it
    doesn't sync contacts anywhere. I hate using my phone for anything
    regarding docs, e-mail, or anything I have to read with my old eyes, but
    that may be the device I'm stuck using when away from home. So knowing
    what would be more private on the smartphone is interesting.

    Just remember everyone in your contacts list also loses their privacy.

    Just where is this privacy being intruded? Not on my phone. Would have
    to be with the e-mail service. Any hacking into my account, or data
    breach, or employee data theft would render availability of all my
    e-mails with all those e-mail addresses in From, To, and CC headers (and others, too, like Sender). Even if my online account had no contact
    records, all my e-mails do.

    Why do you even need to import anywhere? The .vcs file is a text file.
    You could open it with a text editor, copy an e-mail address for a
    contact, and then paste in a new compose window when sending e-mail.

    The guy who said his brain hurt, I think, complained that some apps require you to manually enter the contacts, one by one, which is a valid concern.

    If I was using text files to carry contact records, I'd probably have
    them on encrypt-protected USB drives (hoping that USB ports were
    available at other hosts). Yes, I'd have to copy e-mail addresses, but
    I don't originate that many e-mails. Most of my e-mails are replies, and
    the sender's e-mail address gets used for the reply.

    Based on your questions, the amount that you do not know about this topic
    is so huge that there's no way I'm going to teach you what you can't learn.

    Ah, so I ask must mean I am stupid. You don't know me very well. I
    won't bother reciting my resume here. Your lambaste makes you stupid.
    Also remember that we do not learn by agreeing. We learn by contrast.

    You can either accept the point that the safest way to keep your contacts
    out of the hands of the harvesters is to not store them in the default db.

    I wanted to see how *you* do it. Apparently, to you, that makes me
    stupid. Uh huh. I was not rejecting your premise, but I was contending
    its level of privacy, especially since all your e-mails stored in your
    online account have addresses to which you sent, and addresses from
    received e-mails. You also don't keep any e-mails on the server? I
    quit using POP decades ago, because IMAP lets me keep multiple local
    e-mail clients in sync with each other.

    If you're the type of person like that other guy who said his brain hurt
    when he had to think, then you're going to reject privacy every time.

    Why do you think all the default Google apps don't respect your privacy?
    Why do you think the good apps respect your privacy and the bad apps don't?

    Well, I'm really not going to get into philosophical or logistical
    arguments over what is good versus what is bad. Bad for you is good for someone else. Just reflect on how you protect your privacy without
    condemning others doing it differently.

    If that concept is too difficult for you, then I can't fix that problem.

    Besides your intranet hosts at home using a LAN to pass around a text
    file with contact records, how do you use those contact records
    elsewhere? You mention using a .vcf file, but not how that keeps its
    content private when importing into apps. Your generic advice is don't
    import into an e-mail app that syncs online. Okay, I'll look at some of
    those, but still how am I going to get all e-mail clients I use on
    different hosts all sync'ed on contacts? For my own mobile devices,
    that's doable although perhaps not desirable.

    When I'm not using hosts under my control to configure how I want, how
    do I get my contacts for use there? You have limited access to specify
    hosts under your control. Not everyone does e-mail that way.

  • From Andrew@21:1/5 to VanguardLH on Thu Jan 25 07:02:41 2024
    VanguardLH wrote on Wed, 24 Jan 2024 22:41:26 -0600 :

    It's really that simple, so it was odd that a person said it was too
    hard for him because all he needed to do was use good apps instead of
    bad ones.

    Yeah, I get simple. I understand why many users want convenience.
    Security and convenience are the antithesis of each other: get more of
    one, lose more of the other.

    I agree with you, and I think everyone would agree with what you said.

    People who don't want to think because it hurts their brain to think will always use whatever apps Google and the carrier or phone maker give them.

    Not only will those (bad) apps store all your contacts in the default
    Android database, but they'll also upload your contacts to their servers.

    The good apps won't do either of those two things.

    Are you crazy?

    Nope. Apparently you've never left home to do e-mail, even when on
    vacation. Maybe you tote along a laptop or netbook, and I have also,
    but sometimes they don't work when on vacation. I've also lost my
    smartphone both literally and via damage. When those personal devices
    aren't available, I have to use someone else's host, so I use the
    webmail clients to my accounts, and I need my contacts there (unless I'm
    only replying to e-mails and not originating them).

    Let's agree to stop talking about sneakernet and USB sticks, OK?

    The only difference between the privacy aware setup I had patiently
    explained to you & your setup is I use good apps that don't expect contacts
    to be in the default contacts database and you use bad apps that do.

    What do you think a LAN does?

    That only works on your intranet hosts. You never need to do e-mail
    away from home?

    With the setup I explained, I can do email from the middle of Antarctica.
    Why would you think just because your contacts are private that you can't?

    Have you never heard of Wi-Fi? Routers? APs? NAS?

    Yeah, still all part of your LAN. Unavailable when away from home.

    My contacts are on my phone just like yours are on your phone.
    They're just not in the default contacts database. Yours are.

    What century are you living in anyway when you speak of sneakernet?

    Because I wanted to find out how *you* were transporting your contact
    records from host to host.

    The only difference between what you do and what I do is you upload your contacts to servers and you use bad apps which expect the contacts to be in
    the default database - whereas I don't do either of those two things.

    You update your contacts any time you want to update your contacts.
    So do I.

    I just don't put them in the default Android database, and I don't upload
    them to the Google or WhatsApp servers, that's all.

    If I wanted to, don't you think I could access my NAS drive on my router?

    I'll look at your suggestions, but I suspect they'll be onerous when
    away from home. At home, I use an e-mail client on my desktop, and it doesn't sync contacts anywhere. I hate using my phone for anything
    regarding docs, e-mail, or anything I have to read with my old eyes, but
    that may be the device I'm stuck using when away from home. So knowing
    what would be more private on the smartphone is interesting.

    There really isn't any difference in use between what you do & what I do.
    For both of us, our contacts are on our phone 100% of the time.
    No matter where we travel.

    The difference is you upload contacts to Google servers. I don't.
    And you store contacts in the default contacts database. I don't.

    Just remember everyone in your contacts list also loses their privacy.

    Just where is this privacy being intruded? Not on my phone. Would have
    to be with the e-mail service. Any hacking into my account, or data
    breach, or employee data theft would render availability of all my
    e-mails with all those e-mail addresses in From, To, and CC headers (and others, too, like Sender). Even if my online account had no contact
    records, all my e-mails do.

    Did you hear about the huge privacy breach that was reported just today?
    https://9to5mac.com/2024/01/23/trello-data-breach/

    That breach isn't important other than to point out that EVERYTHING you
    upload to the Internet WILL BE HACKED INTO bar none. Accept that concept.

    If you upload all your contacts, they will be obtained by the hackers.
    The solution to that problem is not to upload your contacts at all.

    The best (easiest, simplest, most secure) way to do that, is to make sure
    that your default contacts database is empty & then use privacy aware apps.

    Why do you even need to import anywhere? The .vcs file is a text file.
    You could open it with a text editor, copy an e-mail address for a
    contact, and then paste in a new compose window when sending e-mail.

    The guy who said his brain hurt, I think, complained that some apps require
    you to manually enter the contacts, one by one, which is a valid concern.

    If I was using text files to carry contact records, I'd probably have
    them on encrypt-protected USB drives (hoping that USB ports were
    available at other hosts). Yes, I'd have to copy e-mail addresses, but
    I don't originate that many e-mails. Most of my e-mails are replies, and
    the sender's e-mail address gets used for the reply.

    You have a valid concern that the VCARD *.vcf files are, essentially, text.

    But they're already imported/exported into/out of your privacy aware dialer,
    so they act exactly the same as they do in the non-privacy aware dialers.

    Do you even know where your contacts are stored on your Android phone?
    Likely you don't. I know where they're stored but most people do not.

    It's magic to most people.
    They're "somewhere" but most people have no idea where they are.

    So what's the difference if you put them inside the apps that need them?

    You can either accept the point that the safest way to keep your contacts
    out of the hands of the harvesters is to not store them in the default db.

    I wanted to see how *you* do it.

    It's simple. Elegant. Private.

    I do not store any contacts in the Android default contacts database
    (actually I do, but they're all fake contacts for spoofing purposes).

    And I use apps that import/export from/to a VCARD contacts.vcf file.
    I maintain the master on Windows in Excel but that is a minor detail.

    I was not rejecting your premise, but I was contending
    its level of privacy, especially since all your e-mails stored in your
    online account have addresses to which you sent, and addresses from
    received e-mails. You also don't keep any e-mails on the server? I
    quit using POP decades ago, because IMAP lets me keep multiple local
    e-mail clients in sync with each other.

    The only difference between the method you use and the method I use is that
    you store the contacts in the default location and I don't - and - you
    upload those contacts to a Google server and I don't - where you use the
    apps that Google or the carrier or manufacturer gave you and I don't.

    Everything else is the same.

    Besides your intranet hosts at home using a LAN to pass around a text
    file with contact records, how do you use those contact records
    elsewhere? You mention using a .vcf file, but not how that keeps its
    content private when importing into apps.

    You have the same problem since your apps have your contacts too.
    The main difference is you upload them to Google servers & I don't.

    My contacts don't change every minute of the day so I don't need to put
    them on my flash drive stuck into the back of my router which is available anywhere in the world over a static IP address - but I could if I want.

    In that case, I'd put the contacts.vcf in an encrypted container file.

    Your generic advice is don't
    import into an e-mail app that syncs online. Okay, I'll look at some of those, but still how am I going to get all e-mail clients I use on
    different hosts all sync'ed on contacts? For my own mobile devices,
    that's doable although perhaps not desirable.

    How often do your contacts change so drastically that this matters to you?

    When I'm not using hosts under my control to configure how I want, how
    do I get my contacts for use there? You have limited access to specify
    hosts under your control. Not everyone does e-mail that way.

    I do not understand what you mean by "hosts not under your control" because
    all the machines in the world are "hosts not under your control" except
    for whatever is in your house and in your hand.

    You seem to think your system is drastically different from mine.
    It's not.

    The difference is only three things but the use model is exactly the same.
    1. You store contacts in the default Android database. I don't.
    2. You upload contacts to the Google servers. I don't.
    3. You use bad apps that can't import/export from a VCARD file. I don't.

    But in the end, my contacts app works exactly the same as yours does.
    Only mine is private. Yours is not.

  • From Frank Slootweg@21:1/5 to VanguardLH on Thu Jan 25 15:07:13 2024
    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:
    [...]

    However, which Android contacts apps are you using that don't
    use an online account?

    The default Contacts apps I've used so far, always had an option to
    store each individual contact on the phone (and - with less capability -
    on the SIM). Of course this isn't good enough for 'Arlen', but probably
    good enough for most people.

    [...]

  • From Frank Slootweg@21:1/5 to VanguardLH on Thu Jan 25 15:17:28 2024
    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:
    [...]
    Are you crazy?

    Nope. Apparently you've never left home to do e-mail, even when on
    vacation. Maybe you tote along a laptop or netbook, and I have also,
    but sometimes they don't work when on vacation. I've also lost my
    smartphone both literally and via damage. When those personal devices
    aren't available, I have to use someone else's host, so I use the
    webmail clients to my accounts, and I need my contacts there (unless I'm
    only replying to e-mails and not originating them).

    I've never needed to use "someone else's host", but if I needed that contingency plan, I would store my contacts in encrypted form in 'the
    cloud' (which I do anyway for some important files).

    But if "someone else's host" only gives you web access, you probably
    have no way to decrypt the contacts (or use some on-line decrypting
    service, which needs you to trust that service).

    If you have a mail provider which you trust, you could store your
    contacts there, not necessarily in their contacts facility, but just in
    a file.

    [...]

  • From Andrew@21:1/5 to Frank Slootweg on Thu Jan 25 17:06:32 2024
    Frank Slootweg wrote on 25 Jan 2024 15:17:28 GMT :

    I've never needed to use "someone else's host", but if I needed that contingency plan, I would store my contacts in encrypted form in 'the
    cloud' (which I do anyway for some important files).

    It's not hard to store contacts in a plain file in an encrypted container.
    https://play.google.com/store/apps/details?id=com.sovworks.edslite

    But if "someone else's host" only gives you web access, you probably
    have no way to decrypt the contacts (or use some on-line decrypting
    service, which needs you to trust that service).

    If they're in an encrypted container, you decrypt on the Android device.

    If you have a mail provider which you trust, you could store your
    contacts there, not necessarily in their contacts facility, but just in
    a file.

    You could store master contacts in an encrypted container on your LAN.
    https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt/

    If you have a static IP address, you can access a USB stick in your router
    from the middle of Antarctica if you lose your phone & suddenly need them.

  • From VanguardLH@21:1/5 to Frank Slootweg on Thu Jan 25 11:59:28 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:

    However, which Android contacts apps are you using that don't use an
    online account?

    The default Contacts apps I've used so far, always had an option to
    store each individual contact on the phone (and - with less
    capability - on the SIM). Of course this isn't good enough for
    'Arlen', but probably good enough for most people.

    Thanks for the reminder. The default Contacts app that came bundled on
    my phone is the same. I can store contacts in the app which may sync
    with contact lists at e-mail providers *if* so configured, or store my
    contacts on local storage (main or SD card). I don't even need to
    bother with import. The problem with local storage, though, is getting
    those contacts to another device/host. I'm not the norm in that I do
    most e-mail, or wait to do e-mail, on my desktop PC. I use the phone
    when I have to, not because I feel compelled to. I'm too old to be a
    user that has their phone grafted to their ear, or feels nude if they
    discover their phone isn't with them. That's where storing an encrypted
    file in a folder included in sync for OneDrive or Google Drive might
    work, but I'd need a decrypter on each host. I could use cloud file
    storage for transfer between hosts, but I'd want sensitive data
    encrypted which also means it's of no value if there is no means to
    decrypt.

    I like using TrueCrypt on my home desktop for encrypted containers.
    There is no TrueCrypt app for mobile (Android or iOS), so I'd have to
    invest time to research, test, and use a different encryptor for which
    there is a matching app on my mobile devices.

    I have Peazip (a fork of 7-zip) on my home desktop which can encrypt,
    too (and NOT use the vulnerable PKZIP encryption scheme). Again, no
    mobile app version of either Peazip or 7-zip, so I'd have to invest in
    using a different compressible archiver with encryption.

    Probably the easiest cloud sync setup I can think of is using
    Microsoft's OneNote (which uses storage in OneDrive). The desktop
    client is free as are the Android and iOS versions. You can encrypt
    sections in a notebook (although I would prefer an additional option of encrypting an entire notebook), so the data is encrypted locally,
    encrypted in-transit, and encrypted in-situ. Someone could hack my MS
    account login, but they still would have to hack past the different
    password used in OneNote which is /not/ the same password for account
    login. Instead of using cloud file sync service and having encrypter
    and decrypter apps on each end, I just have OneNote on each end. I've
    never had my strong password hacked on my MS account which is unique to
    just that domain, but if it was hacked then the hacker would have
    another hurdle of hacking the encrypted sections in my OneNote up on the
    server under the OneDrive cloud storage.

    However, if the OP is thinking the e-mail provider is stealing contact
    data (I've not seen any reports on this; else, there would be very
    expensive lawsuits to settle), or a hacker gaining access to an account (usually the fault of the user in not using strong passwords that are
    unique to every domain) could steal contact data, or a data breach at
    the e-mail provider that grants access to contact data, that doesn't
    preclude the same abused/hacked/breached access to the e-mails on the
    server which have contact data in the From, To, CC, Sender, and other
    headers. All the effort on protecting contacts is wasted if the e-mails
    are unprotected.

    In-transit encryption is easy. Not many e-mail providers have in-situ encryption aka end-to-end encryption unless you pay for the feature.
    Google has it with Workspace accounts, but those accounts aren't free. ProtonMail has it, and the quota on free accounts is enough to satisfy
    my e-mail volume, but many users have much higher e-mail volume than I,
    and they would have to pay to get more quota. Those are the 2 I can
    think of right now that provide in-situ or end-to-end encryption where
    not even the e-mail provider can see your data on their server for your account. There might be other e-mail providers with similar user data protections, but paid solutions would be ignored by all those
    freeloading users of free services, like me.

  • From VanguardLH@21:1/5 to Andrew on Thu Jan 25 11:26:42 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Wed, 24 Jan 2024 22:41:26 -0600 :

    It's really that simple, so it was odd that a person said it was too
    hard for him because all he needed to do was use good apps instead of
    bad ones.

    Yeah, I get simple. I understand why many users want convenience.
    Security and convenience are the antithesis of each other: get more of
    one, lose more of the other.

    I agree with you, and I think everyone would agree with what you said.

    People who don't want to think because it hurts their brain to think will always use whatever apps Google and the carrier or phone maker give them.

    Not only will those (bad) apps store all your contacts in the default
    Android database, but they'll also upload your contacts to their servers.

    The good apps won't do either of those two things.

    Are you crazy?

    Nope. Apparently you've never left home to do e-mail, even when on
    vacation. Maybe you tote along a laptop or netbook, and I have also,
    but sometimes they don't work when on vacation. I've also lost my
    smartphone both literally and via damage. When those personal devices
    aren't available, I have to use someone else's host, so I use the
    webmail clients to my accounts, and I need my contacts there (unless I'm
    only replying to e-mails and not originating them).

    Let's agree to stop talking about sneakernet and USB sticks, OK?

    The only difference between the privacy aware setup I had patiently
    explained to you & your setup is I use good apps that don't expect contacts to be in the default contacts database and you use bad apps that do.

    Oh, you carefully explained before what you next mention about using a
    NAS drive back in your intranet which means granting external access to
    your home network? Your NAS drive operates within a DMZ, right?
    Explain, without tossing insults, how you access your NAS drive when
    away from home which makes all of its content secure. Is the NAS drive
    itself constrained with a DMZ, and mandates strong login credentials to
    access from outside your home network?

    I just don't put them in the default Android database, and I don't upload them to the Google or WhatsApp servers, that's all.

    Please explain, and actually explain rather than imply, and without
    insult, how you get your contact records synchronized across multiple smartphones, tablets, desktops, etc.

    The difference is you upload contacts to Google servers. I don't.
    And you store contacts in the default contacts database. I don't.

    No, the real difference is between using apps that employ cloud sync
    versus having to set up local resources that are securely accessed from
    outside your home network. That latter is possible, but how many
    smartphone users would go through all that setup, and make it secure?

    Did you hear about the huge privacy breach that was reported just today?
    https://9to5mac.com/2024/01/23/trello-data-breach/

    Just recently my ISP got hacked, and their customer records stolen. I
    use e-mail with them although they are not my primary e-mail service.
    ANY e-mail provider I use can be breached. Please explain how a hacker
    with access to all my e-mails with their From, To, CC, Sender, and other headers with e-mail addresses as value are not just as accessible as my
    contact records at the same e-mail provider? A contacts list would be
    easier to steal, but a hacker can still harvest e-mail addresses from
    e-mails. Once your online account has been compromised, ALL your online
    data is in peril.

    Yes, I could register my own domain, set up my own nameserver, add all
    the SPF, DKIM, and MX records in the DNS table, get the site
    certificates, and run my own IMAP and SMTP server hoping the other
    servers will cooperate with mine in order to ensure that e-mail
    providers that get breached won't have either my contact records nor my
    e-mails from which to harvest e-mail addresses. Um, no thanks. Way too
    much work just to do e-mail.

    That breach isn't important other than to point out that EVERYTHING you upload to the Internet WILL BE HACKED INTO bar none. Accept that concept.

    Will is different than can. Your statement is saying that I will be
    infected by every malware rather than it is vulnerable *if* attacked.
    You've protected your contacts. How are you protecting your e-mails?

    If you upload all your contacts, they will be obtained by the hackers.
    The solution to that problem is not to upload your contacts at all.

    And have all my e-mails both encrypted in-transit and in-situ. The
    first is easy. All e-mail clients and webmail clients can use encrypted traffic between client and server. The second depends on your e-mail
    provider. Not many provide in-situ encryption of your e-mails.

    You can either accept the point that the safest way to keep your contacts
    out of the hands of the harvesters is to not store them in the default db.

    I wanted to see how *you* do it.

    It's simple. Elegant. Private.

    Child asks "Why is the sky blue." Your response is because God made it
    that way. Expect resistance to anything you claim when you don't speak
    to them as adults.

    It's clear that you consider secrecy a primary method for security. At
    this point, I'm no longer interested in how you do it, and I don't think
    you're going to divulge the details for others to actually know how to implement. Somehow you managed to secure your contact records while
    still providing access to multiple hosts and doing it all securely, but
    it seems you closed the barn door but left open the hay loft door.

    My contacts don't change every minute of the day so I don't need to put
    them on my flash drive stuck into the back of my router which is available anywhere in the world over a static IP address - but I could if I want.

    Since, as you claim, everything in Internet is hackable, why can't a
    hacker get at your contact records residing in your home network that
    you opened to the Internet? If you can access your files from outside
    your network, why can't someone else? Regardless of all the security
    you put in accessing that device in your intranetwork, so did all the
    ISPs, e-mail providers, and companies that attempted to secure their
    data, but they got breached, so there is no perfect security. Nothing
    you do cannot be impossible to hack. You opened access to your contact
    records to the outside, so you can access them from the outside.

    In that case, I'd put the contacts.vcf in an encrypted container file.

    Won't protect against keyloggers to get the password. The point is you
    can try to increase security, but it will never be absolute.

    You seem to think your system is drastically different from mine.
    It's not.

    The difference is only three things but the use model is exactly the same.
    1. You store contacts in the default Android database. I don't.
    2. You upload contacts to the Google servers. I don't.
    3. You use bad apps that can't import/export from a VCARD file. I don't.

    Understood. But how is access to the .vcf file obtained to each host
    (phone, tablet, laptop, desktop, netbook, and even hosts you don't own
    but have to use when travelling) while ensuring the records are secure?
    You could encrypt the file, but failing that just how do you get the
    data to each host to share that data? And how is whatever method you
    used completely unhackable or non-breachable?

    You raised the bar to make hackers hurdle higher, so less of them can
    make it over the bar. Understood. Security is about finding a
    comfortable medium between protection and usability.

    No, I'm not wasting time, money, and resources on setting up a NAS drive
    within a DMZ that I have to punch holes in the router's firewall which I
    can access via a DNS lookup on a hostname that I can remember using a
    service that provides the lookup to convert from name to IP address nor
    pay extra to get a static IP address from my ISP where the .vcf file is encrypted, so I can transfer the file to multiple hosts to sync my
    contact records. What I might do, however, is use an encrypted .vcf
    that is stored in a folder sync'ed by OneDrive or Google Drive which
    lets me access the .vcf file on each host where the OneDrive or Google
    Drive clients are installed, but I'd still need the decrypter on each
    host to use the contents of the .vcf file. I can figure out easier machinations on providing remote access to files that are encrypted and
    the means to decrypt on each host. But none of that is going to stop
    theft of e-mail addresses from e-mails I receive and send that are up on
    the mail server that a hacker could get at. I cannot further secure my
    e-mail provider's service.

    Google offers encryption in-transit and in-situ, but requires using
    their Workspace accounts which means you pay for those. Proton Mail
    does in-transit and in-situ encryption, but its quotas might be too
    small on their free accounts for some users. Their quotas are fine for
    my personal use, but it seems most users have far more e-mail volume
    than do I, and a company would have even more e-mail volume. You can
    protect your contact records up the wazoo, but all that effort is wasted
    if your e-mails are unprotected.

    Oh, and as far as storing your contacts online at Google, Microsoft,
    Yahoo, or other e-mail providers, please provide evidence that those
    providers are harvesting e-mail addresses from contacts lists. Google
    settled a $5 billion lawsuit over its non-disclosure regarding its
    incognito web browsing mode. Google is big, but more billion dollar
    lawsuits on user data theft or misuse would eventually mean Google
    disappears. It would be self-destructive for e-mail providers to
    harvest their customers' contacts. I've not seen reports of Google
    stealing contacts from their users, nor of Microsoft, nor of any other
    e-mail provider. There is a huge difference between what they could do
    versus what they actually do. Oh yes, there could be data breaches, and
    hackers can get into accounts, but which is more valuable: the contacts,
    or the content of the e-mails? Not only might there be valuable info in
    the e-mails, those also have all the contacts that sent you e-mail and
    to whom you sent e-mail. Protecting one with protecting the other means
    both are unprotected.

    A padlock on the front door of your house but leaving unlocked your back
    door means you have an insecure home. Protecting contacts is only part
    of protecting your data. It's worthless without protecting the e-mails.
    To me, your privacy scheme(s) handle one side of the coin while ignoring
    the other side. Protecting contacts is a start, but an incomplete
    solution.

  • From Andrew@21:1/5 to VanguardLH on Thu Jan 25 22:12:16 2024
    VanguardLH wrote on Thu, 25 Jan 2024 11:26:42 -0600 :

    The only difference between the privacy aware setup I had patiently
    explained to you & your setup is I use good apps that don't expect contacts
    to be in the default contacts database and you use bad apps that do.

    Oh, you carefully explained before what you next mention about using a
    NAS drive back in your intranet which means granting external access to
    your home network?

    What started this wasn't an attempt by me to explain how networking works,
    but simply to state the best place to keep your contacts is NOT in the
    default contacts database (because bad apps will upload that to servers).

    Your NAS drive operates within a DMZ, right?
    Explain, without tossing insults, how you access your NAS drive when
    away from home which makes all of its content secure. Is the NAS drive
    itself constrained with a DMZ, and mandates strong login credentials to
    access from outside your home network?

    You misunderstood me because I didn't say that I bother to access my master
    contacts.vcf file when I'm in Antarctica. I simply said that you could.

    I just don't put them in the default Android database, and I don't upload
    them to the Google or WhatsApp servers, that's all.

    Please explain, and actually explain rather than imply, and without
    insult, how you get your contact records synchronized across multiple
    smartphones, tablets, desktops, etc.

    It's easy. Simple. Elegant. Private.


    Generally I add contacts on the Windows PC via Thunderbird (actually
    Betterbird) export to the VCARD format and then import into Excel.

    Same with Android. I export to a contacts.vcf VCARD format file.
    Excel has the ability to handle duplicates & merging for the master db.

    Then I import back into the Android apps that need to use contacts.
    I don't need to do it often. Generally only about once a year or so.
    It's not like your contacts change every second of the day.

    But you could do it every moment of every day if that's what you want.
    How often do your contacts change anyway?

    The difference is you upload contacts to Google servers. I don't.
    And you store contacts in the default contacts database. I don't.

    No, the real difference is between using apps that employ cloud sync
    versus having to setup local resources that are securely accessed from
    outside your home network. That latter is possible, but how many
    smartphone users would go through all that setup, and make it secure?

    In one breath you say you're constantly sending all your contacts to
    someone else's server, and in the next breath you ask for security?

    Who does that?

    I get it you're trying to justify your use model, but you don't have to.
    I know what your use model is. It's the one Google told you to use.

    It's the same use model everyone who knows nothing about privacy uses.
    So you don't need to explain to me why you use it. I know all about it.

    Every company would love to have all your contacts.
    And every contact of every contact in your contacts.
    Even Google Maps asks for all your contacts nowadays.

    Don't you think Google has a reason for wanting you to upload contacts?

    If you want security, just put the contacts into an encrypted container.
    https://sovworks.com/eds/

    Did you hear about the huge privacy breach that was reported just today?
    https://9to5mac.com/2024/01/23/trello-data-breach/

    Just recently my ISP got hacked, and their customer records stolen.

    Good. Now you know why I say EVERYTHING you put on the Internet will be
    hacked into, so that's one reason for not putting anything on the net.

    I use e-mail with them although they are not my primary e-mail service.
    ANY e-mail provider I use can be breached. Please explain how a hacker
    with access to all my e-mails with their From, To, CC, Sender, and other
    headers with e-mail addresses as value are not just as accessible as my
    contact records at the same e-mail provider? A contacts list would be
    easier to steal, but a hacker can still harvest e-mail addresses from
    e-mails. Once your online account has been compromised, ALL your online
    data is in peril.

    When you look at what you're doing & what I am doing, our use model is not
    much different from mine except in two critical ways that I've told you.

    1. You store contacts in the default Android contacts database. I don't.
    2. You use (bad) apps which upload those contacts to servers. I don't.

    Other than those two things, what happens to you happens to me.
    Well, not really.

    As I already stated, I periodically seed my Android default contacts
    database with spoofed contacts, which is a minor tweak and not important.
    https://f-droid.org/en/packages/me.billdietrich.fake_contacts/

    And I use encrypted email, which is far less likely to succumb to attacks.
    But I didn't intend for this thread to be an Android User Guide to Privacy.

    My only point was that the best place (for privacy) to store your contacts
    on your phone is NOT in the default contacts sqlite database. That's all.

    Yes, I could register my own domain, setup my own nameserver, add all
    the SPF, DKIM, and MX records in the DNS table, get the site
    certificates, and run my own IMAP and SMTP server hoping the other
    servers will cooperate with mine in order to ensure that e-mail
    providers that get breached won't have either my contact records nor my
    e-mails from which to harvest e-mail addresses. Um, no thanks. Way too
    much work just to do e-mail.

    I am being nice when I say I think you're in the wrong century because
    nowadays you stick a drive on your router and it's "on" the Internet.

    That breach isn't important other than to point out that EVERYTHING you
    upload to the Internet WILL BE HACKED INTO bar none. Accept that concept.

    Will is different than can. Your statement is saying that I will be
    infected by every malware rather than it is vulnerable *if* attacked.
    You've protected your contacts. How are you protecting your e-mails?

    I already said how I'm protecting sensitive emails but the topic of overall
    Internet security is a different topic than keeping Android contacts local.

    If you upload all your contacts, they will be obtained by the hackers.
    The solution to that problem is not to upload your contacts at all.

    And have all my e-mails both encrypted in-transit and in-situ. The
    first is easy. All e-mail clients and webmail clients can use encrypted
    traffic between client and server. The second depends on your e-mail
    provider. Not many provide in-situ encryption of your e-mails.

    Proton Mail: Encrypted Email https://play.google.com/store/apps/details?id=ch.protonmail.android

    Somehow you managed to secure your contact records while
    still providing access to multiple hosts and doing it all securely, but
    it seems you closed the barn door but left open the hay loft door.

    It's not rocket science.
    1. Don't put anything in your default contacts database that you care about
    2. Choose good apps which will import/export the master VCARD contacts.vcf
    3. Maintain that master in Excel (because it merges and removes dups good)

    What's so hard about understanding that?

    My contacts don't change every minute of the day so I don't need to put
    them on my flash drive stuck into the back of my router which is available
    anywhere in the world over a static IP address - but I could if I want.

    Since, as you claim, everything in Internet is hackable, why can't a
    hacker get at your contact records residing in your home network that
    you opened to the Internet?

    All they're going to get is an encrypted file container, that's why.
    https://veracrypt.eu/en/Beginner%27s%20Tutorial.html

    If you can access your files from outside
    your network, why can't someone else?

    I could leave my encrypted file container in the middle of Grand Central
    Station and it would still be secure. That's what encrypted containers do.
    https://www.herts.ac.uk/__data/assets/pdf_file/0020/55460/truecrypt-guide-v7-1a.pdf

    Regardless of all the security
    you put in accessing that device in your intranetwork, so did all the
    ISPs, e-mail providers, and companies that attempted to secure their
    data, but they got breached, so there is no perfect security. Nothing
    you do cannot be impossible to hack.

    Did I say it was?

    The only thing I really said was that it's dumb to use the default Android
    contacts database if what you care about is the privacy of your contacts.

    You opened access to your contact
    records to the outside, so you can access them from the outside.

    I didn't say I put my contacts on the "outside." You made that up.

    I only said if you must force me to put the contacts on the Internet, I'd
    only do it inside of an encrypted file container on a NAS drive hanging off
    the router (which is how everyone would do it so that's no big thing).

    That's why I asked you what century you were living in.
    The way I'd do it is the way anyone would do it in today's day and age.
    You encrypt it.

    Heck, you can doubly encrypt it just in case someone puts a gun to your
    head. You can give them the outer password instead of the inner password.

    This isn't rocket science. This is basic stuff that everyone already does.

    In that case, I'd put the contacts.vcf in an encrypted container file.

    Won't protect against keyloggers to get the password. The point is you
    can try to increase security, but it will never be absolute.

    You're joking, right? You think they're going to spend five, ten, twenty
    million dollars, just to get the password to your encrypted file container?

    And even then, they don't know if they have the inner encrypted file
    container, as they might have only guessed the password to the outer one.
    https://arcanecode.com/2021/05/31/creating-and-using-hidden-containers-in-veracrypt/

    If I was Snowden, they might go to that trouble. But I still have my
    passport so I don't think that they will spend years on one of my files.

    You seem to think your system is drastically different from mine.
    It's not.

    The difference is only three things but the use model is exactly the same.
    1. You store contacts in the default Android database. I don't.
    2. You upload contacts to the Google servers. I don't.
    3. You use bad apps that can't import/export from a VCARD file. I don't.

    Understood. But how is access to the .vcf file obtained to each host
    (phone, tablet, laptop, desktop, netbook, and even hosts you don't own
    but have to use when travelling) while ensuring the records are secure?

    It's simple. I said it already but you seem to want me to repeat it.
    a. You put contacts.vcf inside an encrypted file container
    b. You put that encrypted file container on a USB drive
    c. You stick that USB drive into your router's USB port made for that

    Now you're on the Internet (assuming a static IP address, which I have).
    If not, I'm not sure how you figure out your IP address, but you can.

    That's so simple and also so obvious that maybe I don't understand you.
    Why would you ask me how to walk and chew gum at the same time.

    It's actually hard to answer a question of a process that is so simple.

    Anyone can do this.
    And everyone does.


    You could encrypt the file, but failing that just how do you get the
    data to each host to share that data? And how is whatever method you
    used completely unhackable or non-breachable?

    See above. And you don't generally bother to "encrypt the file".
    Because you usually have more than one file on your WAN-facing drive.

    You put the file (along with other files) into an encrypted container file.
    It's what everyone does so I shouldn't need to explain it further for you.
    https://en.wikipedia.org/wiki/VeraCrypt

    You raised the bar to make hackers hurdle higher, so less of them can
    make it over the bar. Understood. Security is about finding a
    comfortable medium between protection and usability.

    I won't disagree that people say trying to stay private makes their head
    hurt, but the goal of privacy while on the Internet makes my head think.

    No, I'm not wasting time, money, and resources on setting up a NAS drive
    within a DMZ that I have to punch holes in the router's firewall which I
    can access via a DNS lookup on a hostname that I can remember using a
    service that provides the lookup to convert from name to IP address nor
    pay extra to get a static IP address from my ISP where the .vcf file is
    encrypted, so I can transfer the file to multiple hosts to sync my
    contact records. What I might do, however, is use an encrypted .vcf
    that is stored in a folder sync'ed by OneDrive or Google Drive which
    lets me access the .vcf file on each host where the OneDrive or Google
    Drive clients are installed, but I'd still need the decrypter on each
    host to use the contents of the .vcf file. I can figure out easier
    machinations on providing remote access to files that are encrypted and
    the means to decrypt on each host. But none of that is going to stop
    theft of e-mail addresses from e-mails I receive and send that are up on
    the mail server that a hacker could get at. I cannot further secure my
    e-mail provider's service.

    I think you're being overly dramatic on these simple steps everyone does.
    1. You put the encrypted file container onto your USB drive
    2. You plug that USB drive into your router
    3. You flip the switch on the router to make it available on the net

    That's what everyone does so your drama is overblown to the nuclear level.

    Google offers encryption in-transit and in-situ, but requires using
    their Workspace accounts which means you pay for those. Proton Mail
    does in-transit and in-situ encryption, but its quotas might be too
    small on their free accounts for some users.

    What I like about protonmail is the high level of expectation of privacy,
    so it easily allows the Tor browser which Google mail accounts won't allow.

    It also has an onion node, but I'm not really worried about MITM attacks.
    All this isn't rocket science. I'm sure the protonmail site explains it.

    Their quotas are fine for
    my personal use, but it seems most users have far more e-mail volume
    than do I, and a company would have even more e-mail volume. You can
    protect your contact records up the wazoo, but all that effort is wasted
    if your e-mails are unprotected.

    If desired, I'd use protonmail to send sensitive files which themselves are
    ensconced maybe two levels deep in innocuously named encrypted containers.

    Since I don't do it that often the free account limits are fine for me.
    (100 attachments/message, 25 MB/message, 150 messages/day)

    And note, if you have five thousand attachments, you can still do it
    because the encrypted file container is only a single file after all.

    So the only real limitation of the free account is 150 messages per day.
    But again. This isn't rocket science. It's what everyone already does.

    Oh, and as far as storing your contacts online at Google, Microsoft,
    Yahoo, or other e-mail providers, please provide evidence that those
    providers are harvesting e-mail addresses from contacts lists. Google
    settled a $5 billion lawsuit over its non-disclosure regarding its
    incognito web browsing mode. Google is big, but more billion dollar
    lawsuits on user data theft or misuse would eventually mean Google
    disappears. It would be self-destructive for e-mail providers to
    harvest their customers' contacts. I've not seen reports of Google
    stealing contacts from their users, nor of Microsoft, nor of any other
    e-mail provider. There is a huge difference between what they could do
    versus what they actually do. Oh yes, there could be data breaches, and
    hackers can get into accounts, but which is more valuable: the contacts,
    or the content of the e-mails? Not only might there be valuable info in
    the e-mails, those also have all the contacts that sent you e-mail and
    to whom you sent e-mail. Protecting one with protecting the other means
    both are unprotected.

    What does Google do with the contacts that it loads into the Maps app?

    A padlock on the front door of your house but leaving unlocked your back
    door means you have an insecure home. Protecting contacts is only part
    of protecting your data. It's worthless without protecting the e-mails.
    To me, your privacy scheme(s) handle one side of the coin while ignoring
    the other side. Protecting contacts is a start, but an incomplete
    solution.

    You are the one who turned a simple statement about where to store your
    contacts into a treatise on A Complete Guide to Internet security. Not me.

    The only thing I said that set you off apparently was that the best place
    for your contacts' privacy is not in the default Android contacts database.

  • From Frankie@21:1/5 to Andrew on Thu Jan 25 16:23:35 2024
    On 25/1/2024, Andrew wrote:

    Understood. But how is access to the .vcf file obtained to each host
    (phone, tablet, laptop, desktop, netbook, and even hosts you don't own
    but have to use when travelling) while ensuring the records are secure?

    It's simple. I said it already but you seem to want me to repeat it.
    a. You put contacts.vcf inside an encrypted file container
    b. You put that encrypted file container on a USB drive
    c. You stick that USB drive into your router's USB port made for that

    I think you're doing a great job answering the inane questions he's asking
    but I think VanguardLH doesn't realize that all your contacts are always on
    the Android phone all of the time already so there's no need for the
    Internet. VanguardLH thinks there are no contacts on the phone. I think
    VanguardLH doesn't want to understand you when you say you don't put
    contacts in the *default* location. He thinks not putting them in the
    default location means they're not anywhere, when they're clearly there.

    He doesn't understand what "default" means.

  • From VanguardLH@21:1/5 to Frankie on Thu Jan 25 16:39:58 2024
    Frankie <frankie@nospam.usa> wrote:

    On 25/1/2024, Andrew wrote:

    Understood. But how is access to the .vcf file obtained to each host
    (phone, tablet, laptop, desktop, netbook, and even hosts you don't own
    but have to use when travelling) while ensuring the records are secure?

    It's simple. I said it already but you seem to want me to repeat it.
    a. You put contacts.vcf inside an encrypted file container
    b. You put that encrypted file container on a USB drive
    c. You stick that USB drive into your router's USB port made for that

    I think you're doing a great job answering the inane questions he's asking
    but I think VanguardLH doesn't realize that all your contacts are always on
    the Android phone all of the time already so there's no need for the
    Internet. VanguardLH thinks there are no contacts on the phone. I think
    VanguardLH doesn't want to understand you when you say you don't put
    contacts in the *default* location. He thinks not putting them in the
    default location means they're not anywhere, when they're clearly there.

    He doesn't understand what "default" means.

    Thanks for clarifying what I assumed ... but did not.

  • From Frankie@21:1/5 to VanguardLH on Thu Jan 25 17:27:45 2024
    On 25/1/2024, VanguardLH wrote:

    He doesn't understand what "default" means.

    Thanks for clarifying what I assumed ... but did not.

    Then why do you need the net to use contacts already on the phone?

  • From VanguardLH@21:1/5 to Frankie on Fri Jan 26 00:13:06 2024
    Frankie <frankie@nospam.usa> wrote:

    On 25/1/2024, VanguardLH wrote:

    He doesn't understand what "default" means.

    Thanks for clarifying what I assumed ... but did not.

    Then why do you need the net to use contacts already on the phone?

    Guess you completely missed synchronizing contacts between devices, and
    why I wondered how Andrew did it. Here we go again.

  • From Frankie@21:1/5 to VanguardLH on Fri Jan 26 02:44:35 2024
    On 26/1/2024, VanguardLH wrote:

    Then why do you need the net to use contacts already on the phone?

    Guess you completely missed synchronizing contacts between devices, and
    why I wondered how Andrew did it. Here we go again.

    You're making this about a million times harder than it really is.
    Have you never used Microsoft Office not even once in your life?
    How much trouble can you have synchronizing a simple MS Office file?

  • From Frank Slootweg@21:1/5 to Andrew on Fri Jan 26 15:48:39 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 25 Jan 2024 15:17:28 GMT :

    I've never needed to use "someone else's host", but if I needed that
    contingency plan, I would store my contacts in encrypted form in 'the
    cloud' (which I do anyway for some important files).

    It's not hard to store contacts in a plain file in an encrypted container.
    https://play.google.com/store/apps/details?id=com.sovworks.edslite

    But if "someone else's host" only gives you web access, you probably
    have no way to decrypt the contacts (or use some on-line decrypting
    service, which needs you to trust that service).

    If they're in an encrypted container, you decrypt on the Android device.

    Please read the context before snipping it.

    In VanguardLH's scenario there is no Android device, because he's on
    vacation and he lost it, "both literally and via damage".

    If you have a mail provider which you trust, you could store your
    contacts there, not necessarily in their contacts facility, but just in
    a file.

    You could store master contacts in an encrypted container on your LAN.
    https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt/

    If you have a static IP address, you can access a USB stick in your router
    from the middle of Antarctica if you lose your phone & suddenly need them.

    On vacation, hence no LAN.

  • From Frank Slootweg@21:1/5 to VanguardLH on Fri Jan 26 15:46:43 2024
    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:
    [...]
    That's where storing an encrypted
    file in a folder included in sync for OneDrive or Google Drive might
    work, but I'd need a decrypter on each host. I could use cloud file
    storage for transfer between hosts, but I'd want sensitive data
    encrypted which also means it's of no value if there is no means to
    decrypt.

    I like using TrueCrypt on my home desktop for encrypted containers.
    There is no TrueCrypt app for mobile (Android or iOS), so I'd have to
    invest time to research, test, and use a different encryptor for which
    there is a matching app on my mobile devices.

    I have Peazip (a fork of 7-zip) on my home desktop which can encrypt,
    too (and NOT use the vulnerable PKZIP encryption scheme). Again, no
    mobile app version of either Peazip or 7-zip, so I'd have to invest in
    using a different compressible archiver with encryption.

    I indeed also had to do quite some searching to find a decryptor on
    Android. My need was/is for unpacking/decrypting archives, possibly only
    one file from that archive, but possibly more, so my needs are more than
    for a single (contacts) file.

    That said: I use 7-Zip on the Windows side. On the Android side, the
    standard Samsung 'My Files' can extract an encrypted .zip file (I just
    use plain zip archive with ZipCrypto encryption), but it can only
    extract the whole archive, not individual files/folders.

    So I searched Google Play for something better, amongst them
    'SecureZIP Reader' (by PKWARE!) [1] and 'RAR' [2], but ended up with 'FX
    File Explorer' [3]. For decrypting single files, FX is probably over the
    top and probably not very handy, but since I needed a 'better'/other
    file manager anyway, that's what I ended up with.

    Hope this is of use to you (or someone else in the audience).

    [1] <https://play.google.com/store/apps/details?id=com.pkware.android>

    [2] <https://play.google.com/store/apps/details?id=com.rarlab.rar>

    [3] <https://play.google.com/store/apps/details?id=nextapp.fx>

  • From VanguardLH@21:1/5 to Frank Slootweg on Fri Jan 26 12:55:13 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    [1] <https://play.google.com/store/apps/details?id=com.pkware.android>
    "Updated on Jul 28, 2015". Tis possible nothing needs changing in the
    last 8 years over 9 Android versions. Went to:

    https://www.pkware.com/products/securezip

    Where it mentions "Try It Free", but also mentions having to buy it. It
    is 30-day trialware, so it might cripple itself thereafter.

    [2] <https://play.google.com/store/apps/details?id=com.rarlab.rar>

    "Updated on Oct 5, 2023", so better maintained. As I recall, RARlabs
    allowed you to extract for free, but you had to buy it to create .rar
    files. That's why other archivers can read/extract from .rar files, but
    they can't write/create .rar archive files. Despite the app page shows
    a RAR app for Android, https://www.rarlab.com/shoprarlab.php does not.
    I did find a link on their home page (https://www.rarlab.com/) to their
    Android app, but no info at their own site about it.

    [3] <https://play.google.com/store/apps/details?id=nextapp.fx>

    Created a shortcut to the app page to look at this one later.

  • From VanguardLH@21:1/5 to Frank Slootweg on Fri Jan 26 13:30:46 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 25 Jan 2024 15:17:28 GMT :

    I've never needed to use "someone else's host", but if I needed that
    contingency plan, I would store my contacts in encrypted form in 'the
    cloud' (which I do anyway for some important files).

    It's not hard to store contacts in a plain file in an encrypted container.
    https://play.google.com/store/apps/details?id=com.sovworks.edslite

    But if "someone else's host" only gives you web access, you probably
    have no way to decrypt the contacts (or use some on-line decrypting
    service, which needs you to trust that service).

    If they're in an encrypted container, you decrypt on the Android device.

    Please read the context before snipping it.

    In VanguardLH's scenario there is no Android device, because he's on
    vacation and he lost it, "both literally and via damage".

    If you have a mail provider which you trust, you could store your
    contacts there, not necessarily in their contacts facility, but just in
    a file.

    You could store master contacts in an encrypted container on your LAN.
    https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt/

    If you have a static IP address, you can access a USB stick in your router
    from the middle of Antarctica if you lose your phone & suddenly need them.

    On vacation, hence no LAN.

    Sounds like he is toting or transferring a .vcf file. Until I mentioned
    it, encrypting the file wasn't indicated. He mentions using a NAS drive
    in his intranet, but he'd have to punch a hole in his router's firewall
    (point to which host a connection goes without blocking), put the NAS in
    a DMZ, set up something to do the file transfer, like FTPS, and either
    pay for a static IP address, or use a DNS lookup service, like OpenDNS,
    where you run a dynamic IP updater client on a host inside your intranet
    that reports back to the service what is your current WAN-side IP
    address of your router (since most users get dynamically assigned IP
    addresses). You use the hostname that points at OpenDNS which redirects
    to whatever is your current WAN-side IP address with the router
    redirecting the traffic to the appropriate intranet host. Another
    method would be to replace FTPS with VNC for remote access to his
    intranet to get at the file on his NAS drive. I used the above setup
    with the OpenDNS client to access my home computer from home via VNC (I
    forget which variant since I gave up on that long ago to do newsgroups
    from home while on vacation). Another possibility is using TeamViewer,
    but you have to run their server on one of your intranet hosts.

    He gave generalities and possibilities when asked how he did it (get all
    his hosts/devices using the same contact records). Then it was he only
    updates his contacts maybe once per year as though that is typical of
    other users. I probably change (edit, delete, create) contacts about 3
    to 4 times per month, but I recognize that my e-mail volume is very low.
    With such infrequent updates, I mentioned Sneakernet (toting around a
    locked USB drive with the .vcf file) whereupon I was lambasted for the
    old method that still works today, but geez I must be ancient or stupid
    to think of that. I gave up on what might be done versus solid
    instructions on how he did it. There was some description, but nothing
    anyone could replicate except at the client end regarding which apps to
    use where contacts got imported (but no mention of which contact apps he
    uses).

    All his focus is on keeping his contacts private. Okay, that's part of
    securing his contacts. The other part is securing his e-mails, so
    contacts cannot get harvested from there. Even if forcing encryption of
    your e-mails (you always send encrypted, and you don't accept
    non-encrypted) using x.509 or PGP certs, that doesn't secure the headers
    where contacts are defined. Google Workspaces (paid service) makes
    claims about securing your e-mails, but I don't see they are in-situ
    encrypted to prevent theft from breach or employees. ProtonMail claims
    in-situ encryption, but not sure how they handle IMAP clients since I
    don't want to use their webmail client every time I want to do e-mail,
    plus I like getting notifications with a local client of new mails. You
    have to pay ProtonMail to get IMAP access along with using their local
    proxy (bridge) to handle decrypting the retrieved e-mails to view in an
    IMAP client. So, they have a means of keeping e-mails encrypted on
    their server, so even they cannot look at them, and no breach is going
    to expose your contacts specified in e-mails, but IMAP access and the
    bridge costs $4/mo or $48/yr. Too much to pay for peace of mind on a
    nebulous attack vector for personal use with low e-mail volume.

    I'm not wasting my time, effort, and experimentation on various setups
    to protect my contacts when my e-mails remain unprotected. My needs
    would differ for business contacts and e-mails, not for my personal use
    contacts and e-mail services. I could also enclose my home in a
    100-foot reinforced concrete enclosure trying to survive a meteor hit.

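The header exposure described in the post above (PGP or X.509/S-MIME encryption protects the body but leaves the address headers readable), as an added example that is not part of the thread: it parses a constructed PGP/MIME message with Python's standard `email` module and lists the contacts visible without any key. The sample message, its addresses and the function names are made up for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the thread): a PGP/MIME message laid out per
# RFC 3156. The armored block is a placeholder, not real ciphertext.
RAW_MESSAGE = """\
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>, carol@example.com
Cc: "Dave Example" <dave@example.org>
Subject: holiday plans
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="sample-boundary"

--sample-boundary
Content-Type: application/pgp-encrypted

Version: 1

--sample-boundary
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

[constructed placeholder for the encrypted body]
-----END PGP MESSAGE-----
--sample-boundary--
"""

# Header fields that carry correspondents' names and addresses.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc")


def encryption_kind(msg):
    """Classify the message by its top-level Content-Type."""
    ctype = msg.get_content_type()
    if (ctype == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    if (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and msg.get_param("smime-type") == "enveloped-data"):
        return "smime"
    return None


def exposed_contacts(msg):
    """Return {header: [(display name, address), ...]} read without any key."""
    found = {}
    for header in ADDRESS_HEADERS:
        pairs = getaddresses(msg.get_all(header, []))
        if pairs:
            found[header] = pairs
    return found


def report(raw):
    """Summarise what a mail server or anyone holding the stored message can read."""
    msg = message_from_string(raw)
    return {
        "encryption": encryption_kind(msg),
        "subject": msg.get("Subject"),
        "contacts": exposed_contacts(msg),
    }


if __name__ == "__main__":
    result = report(RAW_MESSAGE)
    print("body encryption:", result["encryption"])
    print("subject in clear:", result["subject"])
    for header, pairs in result["contacts"].items():
        for name, addr in pairs:
            print(f"{header}: {name or '(no name)'} <{addr}>")
```
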
  • From Andrew@21:1/5 to VanguardLH on Sat Jan 27 01:23:33 2024
    VanguardLH wrote on Fri, 26 Jan 2024 13:30:46 -0600 :

    If you have a static IP address, you can access a USB stick in your router
    from the middle of Antarctica if you lose your phone & suddenly need them.

    On vacation, hence no LAN.

    Sounds like he is toting or transferring a .vcf file.

    If you think that, then you didn't understand a single word I had said.

    This all started when I stated what is a defensible point of view that the safest place to keep your contacts private is NOT in the default Android contacts database. You're making that into an insurrection against God.

    Until I mentioned it, encrypting the file wasn't indicated.

    Encryption is trivial. So trivial it isn't worth being discussed further.

    He mentions using a NAS drive
    in his intranet, but he'd have to punch a hole in his router's firewall
    (point to which host a connection goes without blocking), put the NAS in
    a DMZ, set up something to do the file transfer, like FTPS, and either
    pay for a static IP address, or use a DNS lookup service, like OpenDNS,
    where you run a dynamic IP updater client on a host inside your intranet
    that reports back to the service what is your current WAN-side IP
    address of your router (since most users get dynamically assigned IP
    addresses). You use the hostname that points at OpenDNS which redirects
    to whatever is your current WAN-side IP address with the router
    redirecting the traffic to the appropriate intranet host. Another
    method would be to replace FTPS with VNC for remote access to his
    intranet to get at the file on his NAS drive. I used the above setup
    with the OpenDNS client to access my home computer from home via VNC (I
    forget which variant since I gave up on that long ago to do newsgroups
    from home while on vacation). Another possibility is using TeamViewer,
    but you have to run their server on one of your intranet hosts.

    It's so simple that the two tasks are copying the file & making it
    available to all devices that you want it to be available to.

    How complex are you trying to make copying a file anyway?
    Hanging a NAS drive on the router is a simple & secure "this century" task.

    He gave generalities and possibilities when asked how he did it (get all
    his hosts/devices using the same contact records).

    I gave you specifics. Even down to the programs used.
    Even down to the name of the file and the encryption tools used.
    I gave you everything but my email login/password & encryption passphrase.

    For you to say I gave you generalities means you didn't understand a single word I said. Let's give up. You are living in the wrong technology century.

    The solution is as simple as copying a file is.

    Then it was he only
    updates his contacts maybe once per year as though that is typical of
    other users. I probably change (edit, delete, create) contacts about 3
    to 4 times per month, but I recognize that my e-mail volume is very low.
    With such infrequent updates, I mentioned Sneakernet (toting around a
    locked USB drive with the .vcf file) whereupon I was lambasted for the
    old method that still works today, but geez I must be ancient or stupid
    to think of that. I gave up on what might be done versus solid
    instructions on how he did it. There was some description, but nothing
    anyone could replicate except at the client end regarding which apps to
    use where contacts got imported (but no mention of which contact apps he
    uses).

    Every time you mention sneakernet I have to respond that you are living in
    the wrong century. It's so simple, it's just copying a single file.

    Have you never copied a file before?

    All his focus is on keeping his contacts private. Okay, that's part of
    securing his contacts. The other part is securing his e-mails, so
    contacts cannot get harvested from there. Even if forcing encryption of
    your e-mails (you always send encrypted, and you don't accept
    non-encrypted) using x.509 or PGP certs, that doesn't secure the headers
    where contacts are defined. Google Workspaces (paid service) makes
    claims about securing your e-mails, but I don't see they are in-situ
    encrypted to prevent theft from breach or employees. ProtonMail claims
    in-situ encryption, but not sure how they handle IMAP clients since I
    don't want to use their webmail client every time I want to do e-mail,
    plus I like getting notifications with a local client of new mails. You
    have to pay ProtonMail to get IMAP access along with using their local
    proxy (bridge) to handle decrypting the retrieved e-mails to view in an
    IMAP client. So, they have a means of keeping e-mails encrypted on
    their server, so even they cannot look at them, and no breach is going
    to expose your contacts specified in e-mails, but IMAP access and the
    bridge costs $4/mo or $48/yr. Too much to pay for peace of mind on a
    nebulous attack vector for personal use with low e-mail volume.

    You're making a simple problem & simple solution harder than it is.
    1. The problem is storing contacts in the default Android location
    2. And using bad software that uploads them to someone else's servers

    The solution is as simple as not doing that - and copying a file.

    I'm not wasting my time, effort, and experimentation on various setups
    to protect my contacts when my e-mails remain unprotected. My needs
    would differ for business contacts and e-mails, not for my personal use
    contacts and e-mail services. I could also enclose my home in a
    100-foot reinforced concrete enclosure trying to survive a meteor hit.

    This all started when I stated what is a defensible point of view that the safest place to keep your contacts private is NOT in the default Android contacts database. And the solution is as simple as copying a file.

    If you can't understand those 2 statements, then let's stop this now.
    You're not capable of comprehending either the problem or the solution.

  • From Andrew@21:1/5 to Frank Slootweg on Sat Jan 27 01:31:44 2024
    Frank Slootweg wrote on 26 Jan 2024 15:46:43 GMT :

    There is no TrueCrypt app for mobile (Android or iOS), so I'd have to
    invest time to research, test, and use a different encryptor for which
    there is a matching app on my mobile devices.

    I indeed also had to do quite some searching to find a decryptor on
    Android. My need was/is for unpacking/decrypting archives, possibly only
    one file from that archive, but possibly more, so my needs are more than
    for a single (contacts) file.

    This has been discussed something like a thousand times on this newsgroup
    so I'll just say that Truecrypt/Veracrypt containers decrypt just fine on Android. It has already been stated in this thread which free app to use.

  • From Andrew@21:1/5 to Frank Slootweg on Sat Jan 27 01:24:57 2024
    Frank Slootweg wrote on 26 Jan 2024 15:48:39 GMT :

    If they're in an encrypted container, you decrypt on the Android device.

    Please read the context before snipping it.

    In VanguardLH's scenario there is no Android device, because he's on vacation and he lost it, "both literally and via damage".

    I understand VanguardLH's use model because that's the default use model.

    Most Android users keep their master contacts on Google servers.
    And most Android users store their local copy in the default Android db.

    Why do you think Google makes that use model so easy?

  • From Andrew@21:1/5 to VanguardLH on Sat Jan 27 01:46:45 2024
    VanguardLH wrote on Fri, 26 Jan 2024 12:55:13 -0600 :

    [1] <https://play.google.com/store/apps/details?id=com.pkware.android>
    "Updated on Jul 28, 2015".
    https://www.pkware.com/products/securezip
    Where it mentions "Try It Free", but also mentions having to buy it.
    [2] <https://play.google.com/store/apps/details?id=com.rarlab.rar>
    "Updated on Oct 5, 2023", so better maintained.

    a. Encryption/decryption
    b. Comes with 10GB free cloud storage
    c. Updated a month ago
    d. Free
    e. Ad free

    Since you seem to like storing things encrypted "on the cloud" and yet you
    want updated free software, what do you think about this encrypted storage?

    "Syndoc supports cloud management and also has its own storage space
    as "My drive" providing 10 GB free space."
    https://play.google.com/store/apps/details?id=com.syndoc.merlin

    Syndoc Cloud File Manager
    Easy and intuitive UI for accessing files and folders across multiple cloud storage providers. Many useful features such as multi-account support,
    *encrypt and decrypt files*, compress multiple files and folders and
    extract functionality and many more new features are included.

    And the best part is it is 100% free (and No Ads)!

    With Syndoc, you can:
    1.Upload/download files to Google Drive, OneDrive, Amazon S3 and DropBox
    2.Copy and move files quickly between multiple accounts and providers
    3.Rename and export files and documents, preview and edit files
    4.Compress and extract folders on the go with quick & easy zipping.
    5.Designed to protect your data whenever you transfer, store, or access it.
    6.Change access permissions for files & folders whenever you need.
    7. Access all the functionality through website : https://syndoc.com.

    SUPPORT:
    1.Refer User's Guide (https://syndoc.com/html/help.html)
    2.Read the FAQ (https://syndoc.com/html/faq.html)
    3.Support forum (http://forum.syndoc.com)
    4.For any other support email us at support@syndoc.com
    Version 1.206
    Updated on Dec 27, 2023
    Requires Android 4.4 and up
    Downloads 10,000+ downloads
    Released on Dec 23, 2019
    Offered by Vedist Systems

  • From VanguardLH@21:1/5 to Andrew on Fri Jan 26 20:37:50 2024
    Andrew <andrew@spam.net> wrote:

    "Syndoc supports cloud management and also has its own storage space
    as "My drive" providing 10 GB free space."
    https://play.google.com/store/apps/details?id=com.syndoc.merlin

    Will manage files on OneDrive, Google Drive, and Dropbox. I have those
    clients on my phones, laptop, netbook, and home desktop. So, here's a
    file manager to help manage all those cloud-sync'ed files. But I have
    to wonder if I need yet another file manager to do that. The OneDrive
    client, for example, will sync files in designated folders. All I have
    to do is put a file in one of those, and it syncs to my MS OneDrive
    cloud storage. Any file manager can look at the folders monitored by
    OneDrive, Google Drive, and Dropbox, so this file manager needs to do
    more. It supports encrypt/decrypt, so that would eliminate needing one
    on my Android phone. I would prefer variations of the same app on
    Windows (and later Linux), Android, iOS, and elsewhere instead of using
    multiple separate apps, but that's somewhat the nature of the beast for
    cross-platform use.

    I'd probably look more into Syndoc if I needed more cloud space. I
    already have 15 GB with MS OneDrive (only 1.1 GB used, so far), 15 GB
    with Google Drive (only 11 MB used), and 2GB with Dropbox (which I only
    use to transfer files to a development collaborator since we can share
    Dropbox spaces). From what I can tell from the app's description,
    perhaps I wouldn't need all those cloud clients on my phone assuming
    Syndoc utilizes the API to each cloud service.

    https://play.google.com/store/apps/details?id=com.syndoc.gem&pli=1
    $29.99
    "Syndoc Lifetime is a paid app and offers all features unlimited for
    lifetime."

    The page for the free version doesn't mention the 10 GB cloud quota.
    The paid version mentions getting 10X more cloud storage, so the free
    version gives you 10 GB, and the paid version gives you 100 GB. No
    subscription thereafter to maintain the 100 GB quota. I wouldn't need
    anywhere that much. Even the 10 GB free quota would be enough, but I've
    already got 15 GB OneDrive + 15 GB Google Drive + 2 GB Dropbox, and I'm
    using only a small partial amount overall.

    I've seen these cloud storage consolidator apps before. Interesting,
    but not enough to make me test them. Adds some convenient aggregate
    management of multiple cloud storage services, but that's more glitz to
    me than required. Didn't see anything about encrypt/decrypt in their
    app pages. Did find mention of encrypt/decrypt at
    https://syndoc.com/html/help.html, but that's me using their web client.

    Thanks for the info on Syndoc. Don't yet need nor want a cloud storage
    consolidator. Encrypt/decrypt looks to be through their web UI. Only
    AES-256 is supported, but that's still pretty good. I'd look more into
    Syndoc if I need another 10 GB of cloud storage to add to my existing
    mix.

  • From Andrew@21:1/5 to Andrew on Sat Jan 27 02:19:46 2024
    Andrew wrote on Sat, 27 Jan 2024 01:46:45 -0000 (UTC) :

    "Syndoc supports cloud management and also has its own storage space
    as "My drive" providing 10 GB free space."
    https://play.google.com/store/apps/details?id=com.syndoc.merlin

    Now that you have an updated free archiver for any cloud storage (for those
    who do that) you might want a powerful archiver for your LOCAL storage.

    What do you think about this free app for encrypting/decrypting archives?
    https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver

    It has been discussed many times on this newsgroup for about a decade.
    Of course it is free and has no ads and it was updated only two days ago.

    ZArchiver is a program for archive management
    (including managing of application backups in archives).

    It has a simple and functional interface.
    The app doesn't have permission to access the internet, so cannot transmit
    any information to other services or persons.

    ZArchiver lets you:
    Create the following archive types: 7z (7zip), zip, bzip2 (bz2), gzip
    (gz), XZ, lz4, tar, zst (zstd);
    Decompress the following archive types: 7z (7zip), zip, rar, rar5, bzip2, gzip, XZ, iso, tar, arj, cab, lzh, lha, lzma, xar, tgz, tbz, Z, deb, rpm,
    zipx, mtz, chm, dmg, cpio, cramfs, img (fat, ntfs, ubf), wim, ecm, lzip,
    zst (zstd), egg, alz;
    View archive contents: 7z (7zip), zip, rar, rar5, bzip2, gzip, XZ, iso,
    tar, arj, cab, lzh, lha, lzma, xar, tgz, tbz, Z, deb, rpm, zipx, mtz, chm,
    dmg, cpio, cramfs, img (fat, ntfs, ubf), wim, ecm, lzip, zst (zstd), egg,
    alz;
    Create and decompress password-protected archives;
    Edit archives: add/remove files to/from the archive (zip, 7zip, tar, apk, mtz);
    Create and decompress multi-part archives: 7z, rar (decompress only);
    Install APK and OBB file from backup (archive);
    Partial archive decompression;
    Open compressed files;
    Open an archive file from mail applications;
    Extract split archives: 7z, zip and rar (7z.001, zip.001, part1.rar, z01);

    Particular properties:
    Start with Android 9 for small files (<10MB). If possible, use direct
    opening without extracting to a temporary folder;
    Multithreading support (useful for multicore processors);
    UTF-8/UTF-16 support for filenames allows you to use national symbols in filenames.

    Updated on Jan 17, 2024
    Downloads 100,000,000+ downloads
    Released on Jan 24, 2012
    Offered by ZDevs

  • From VanguardLH@21:1/5 to Andrew on Fri Jan 26 20:42:12 2024
    Andrew <andrew@spam.net> wrote:

    Frank Slootweg wrote on 26 Jan 2024 15:46:43 GMT :

    There is no TrueCrypt app for mobile (Android or iOS), so I'd have to
    invest time to research, test, and use a different encryptor for which
    there is a matching app on my mobile devices.

    I indeed also had to do quite some searching to find a decryptor on
    Android. My need was/is for unpacking/decrypting archives, possibly only
    one file from that archive, but possibly more, so my needs are more than
    for a single (contacts) file.

    This has been discussed something like a thousand times on this
    newsgroup so I'll just say that Truecrypt/Veracrypt containers
    decrypt just fine on Android. It has already been stated in this
    thread which free app to use.

    Must be in those thousands of other discussions where a TrueCrypt-
    compatible Android app was mentioned. Wasn't mentioned in this thread.

    While TrueCrypt was mentioned (by me), it has been dead for a while.
    Once they published their yellow canary web page alluding to them
    getting an NSL (National Security Letter), they disappeared with their
    last version only reading from TC containers, not writing to them
    anymore. VeraCrypt replaced TrueCrypt. VeraCrypt (and TrueCrypt)
    support not only one hash scheme (SHA-256), but 5 of them, and you can
    use them alone, or combine them to further increase security.

    In those thousands of discussions, was an encrypter/decrypter app
    mentioned that supports .tc files? Do those apps support both regular
    containers, and protected containers? There's a fake partition at the
    beginning holding dummy data that you dole out its password when
    threatened, and a hidden partition using a different password for where
    you really store your sensitive data; see
    https://www.veracrypt.fr/en/Plausible%20Deniability.html. Do they
    support variable sized (dynamic) TC containers, or just fixed ones?

    For these apps that have been so repeatedly discussed regarding support
    of Veracrypt/TrueCrypt containers, do they support:

    - No filetype extension (.tc is not specified) in filename?
    - Support all 5 hash algorithms, and 1 to 3 combinations of them?
    - Support hidden partitions within the TC container file?
    - Support variable sized aka dynamic partition(s) in the TC container?
    - Are passwords and keyfiles both supported? Or just passwords?
    - Do the apps only read TC files, or can they create them, too?

    Considering the robust feature set of VeraCrypt, I doubt any Android app
    will support more than a fixed partition using SHA-256 with no hidden
    partition inside and password only (no keyfiles). That's the simple
    use-case, and likely the one used by most Veracrypt users. For
    everything that VeraCrypt can do, I suspect only a crippled version
    would show up supporting the simple use-case if they ever made an
    Android, iOS, or MS UWP version of their Win32 program. Apps that can
    read TC files have limited use as I would also want to create TC files.

    I haven't participated in those thousands of discussions on Android apps
    that support TrueCrypt/Veracrypt containers. I remember looking at
    AxCrypt a long time ago, but it only supports the AES-256 hash, not the
    others supported by Veracrypt nor combinations of them.

    https://play.google.com/store/apps/details?id=net.axcrypt.axcrypt2x

    It covers the simple use-case for VeraCrypt, so I'll create a shortcut
    to again look into this one a bit more. There are Windows (installed
    and portable), Android, and iOS(*) versions, so I could become
    accustomed to its use on multiple platforms.

    (*) Local storage encryption is only available on Android, not on iOS.
    Should have no problem under Windows.

  • From Andrew@21:1/5 to VanguardLH on Sat Jan 27 03:08:33 2024
    VanguardLH wrote on Fri, 26 Jan 2024 20:37:50 -0600 :

    The page for the free version doesn't mention the 10 GB cloud quota.

    Yes. I noticed that too. But I read their literature before telling you
    about it as I spend time on an app before I tell you anything about it.

    But the free storage was confusing to me too, as it says different things
    about it depending on where you look, but nothing on the main page.

    Here it mentions only 5GB of free storage.
    https://syndoc.com/html/help.html (How to add a Cloud drive to Syndoc?)
    "Syndoc supports cloud management and also has its own storage drive "My
    drive" - providing 5GB free space. "

    And yet in another spot they mention 10GB free storage.
    https://syndoc.com/html/faq.html (Is Syndoc a cloud storage service?)
    "Syndoc supports cloud management and also has its own storage space as
    "My drive" providing 10 GB free space."

    We'd have to test it out for real to find out which it is, 5GB or 10GB.

    Thanks for the info on Syndoc. Don't yet need nor want a cloud storage
    consolidator. Encrypt/decrypt looks to be through their web UI. Only
    AES-256 is supported, but that's still pretty good. I'd look more into
    Syndoc if I need another 10 GB of cloud storage to add to my existing
    mix.

    Thanks for looking at it as the reason I pointed it out is because if you really wanted to store your contacts encrypted on the cloud, that app would
    do it easily for you with more control than you would have otherwise.

    I found it because I use the best Google Play Store search engine in the
    world (which has been discussed many times on this newsgroup in the past).

    If it's out there, it will find it. Since you wanted freeware without ads
    that had been updated recently, I set the search filters on that, plus I noticed you wanted recent updates, so I had it sort by recent updates.

    That's where ZArchiver showed up on top of the list for the encryption and
    decryption of 7-zip archives that Frank Slootweg was discussing with you.

    There were 70 other apps which showed up in my search of a free archiver without ads and without any in-app purchases so there are too many of them.

    Some were special purpose archivers, such as this one which shares files.
    https://play.google.com/store/apps/details?id=shareit.lite

    Others were file managers, such as this one which handles encrypted zips.
    https://play.google.com/store/apps/details?id=com.lenovo.FileBrowser2

    There were quite a few zip decryptors/encryptors but with only a few
    downloads, and sensing you are risk averse, I didn't mention them, such as
    https://play.google.com/store/apps/details?id=com.extractor.easyextractfile.zipper.filezipper

    But that app hasn't been updated in a while, and it isn't downloaded much. That's why I had suggested the ZArchiver as the one you might want to test.

    That app does what I think Frank Slootweg had asked it to do, which is:
    "Easy Unzipper enables archived content display without decompression."

    But I'm just trying to help you, so here's what it says about it.

    KGApps Unzipper is good and an all-in-one free, simple, easy and quick compression application, archiver, backup tool, extractor and even a basic
    file manager for easy to use.

    Unzipper can create rar and zip and unpack RAR, ZIP, TAR, GZ, BZ2, XZ, 7z,
    ISO, ARJ archives easily and professionally. List of functions include
    repairs command for damaged ZIP and RAR files, Unzip is a program for
    archive management tool Application.

    It has a simple and functional interface and very easy to operate.
    The app doesn't have permission to access the internet it is an offline application you can easily access it without internet.

    Easy Unzipper, Unzip & Zip allows you to extract rar and zip files easily.
    It has its own browser to view files on your phone and zip files.

    Supporting different versions of rar files, archives protected by a
    password and multi-part archives.

    *Get simple zip compression, multi-part compression and AES encryption.*
    *Easy Unzipper enables archived content display without decompression.*

    Save time by selecting files and extracting them on your phone storage.
    Then open the files directly in your app.

    Unzipper Master is an app to manage files and extract and compressed, it creates archives in ZIP or 7Z file formats. Unpack numerous archive file formats unZIP (extract ZIP files).

    Unzipper lets you:
    it Converts the following archive types: 7z (7zip), zip, bzip2 (bz2), gzip
    (gz), XZ, lz4, tar, zst (zstd),
    Decompress the following archive types: 7z (7zip), zip, rar, rar5, bzip2,
    gzip, XZ, iso, tar, arj, cab, lzh, lha,
    lzma, xar, tgz, tbz, Z, deb, rpm, zipx, mtz, chm, dmg, cpio, cramfs, img
    (fat, ntfs, ubf), wim, ecm, lzip, zst (zstd), egg, alz. You can view
    archive contents: 7z (7zip), zip, rar, rar5, bzip2, gzip, XZ, iso, tar,
    arj, cab, lzh, lha, lzma, xar, tgz, tbz, Z, deb, rpm, zipx, mtz, chm, dmg, cpio, cramfs, img (fat, ntfs, ubf), wim, ecm, lzip, zst (zstd), egg, alz;

    *Create and decompress password-protected archives;*
    Edit archives: add/remove files to/from the archive (zip, 7zip, tar, apk,
    mtz);
    Create and decompress multi-part archives: 7z, rar(decompress only);
    Partial archive decompression;
    Open compressed files;
    Open an archive file from mail applications;

    Extract split archives: 7z, zip and rar (7z.001, zip.001, part1.rar, z01);

    Easily and efficient fast Zip and Unzip File Extractor File Opener is a Zip
    file opener & Compressor Application. Reduce your all kind of Files Size
    Like Doc,Images, and extract all your Zipped files & Compress them.
    Zip-Unzip-File Extractor-File Opener allows you to protect your files
    before with best encryption. You can Browse your Album and select multiple
    zip and share photo collections. You can compress files and shrink them
    easily. Unzip and view your files. You can Zip Photos & Videos from your
    device and share them Easily.

    Version 1.4
    Updated on May 30, 2022
    Requires Android 5.0 and up
    Downloads 500+ downloads
    Released on May 8, 2022
    Offered by Prep Apps

  • From Andrew@21:1/5 to VanguardLH on Sat Jan 27 03:44:22 2024
    VanguardLH wrote on Fri, 26 Jan 2024 20:42:12 -0600 :

    Must be in those thousands of other discussions where a TrueCrypt-
    compatible Android app was mentioned. Wasn't mentioned in this thread.

    You're wrong, but you're also right, so I'll correct what I said by saying
    the app that decrypts/encrypts TrueCrypt/VeraCrypt container files was
    mentioned twice in this thread:
    Message-ID: <uoumc0$2p9t$1@nnrp.usenet.blueworldhosting.com>
    Message-ID: <uou4en$nd6$1@nnrp.usenet.blueworldhosting.com>

    As I recall, both you and Frank responded to one of those each, so I simply assumed you had understood what was stated - but apparently you didn't.

    Each mentioned encrypted containers.
    You were supposed to know that meant TrueCrypt/VeraCrypt containers.

    So we're both right. And we're both wrong. :)

    Anyway, I don't really like the EDS GUI, but it works as I've been using it ever since it was suggested on this newsgroup many years ago for Veracrypt.

  • From Andrew@21:1/5 to Frank Slootweg on Sat Jan 27 05:04:55 2024
    Frank Slootweg wrote on 26 Jan 2024 15:46:43 GMT :

    I indeed also had to do quite some searching to find a decryptor on Android.

    If it's Android VeraCrypt/TrueCrypt container files you want decrypted/encrypted using a free app then you might want to re-read these.

    Message-ID: <uoumc0$2p9t$1@nnrp.usenet.blueworldhosting.com>
    Message-ID: <uou4en$nd6$1@nnrp.usenet.blueworldhosting.com>
    Message-ID: <up1u6m$jl8$1@nnrp.usenet.blueworldhosting.com>

    My need was/is for unpacking/decrypting archives, possibly only
    one file from that archive, but possibly more, so my needs are more than
    for a single (contacts) file.

    That capability of single file plucking was also discussed in this thread.
    Message-ID: <up1s3g$h9p$1@nnrp.usenet.blueworldhosting.com>

    That said: I use 7-Zip on the Windows side. On the Android side, the
    standard Samsung 'My Files' can extract an encrypted .zip file (I just
    use plain zip archive with ZipCrypto encryption), but it can only
    extract the whole archive, not individual files/folders.

    See if the ZA app will do everything you've ever wanted such an app to do.
    Message-ID: <up1p82$dmq$1@nnrp.usenet.blueworldhosting.com>

    So I searched Google Play for something better, amongst them
    'SecureZIP Reader' (by PKWARE!) [1] and 'RAR' [2], but ended up with 'FX
    File Explorer' [3]. For decrypting single files, FX is probably over the
    top and probably not very handy, but since I needed a 'better'/other
    file manager anyway, that's what I ended up with.

    If it's encryption/decryption inside of a file explorer that you want,
    maybe you might want the Moto app which seems to do it as a file explorer.
    Message-ID: <up1s3g$h9p$1@nnrp.usenet.blueworldhosting.com>

  • From Frank Slootweg@21:1/5 to VanguardLH on Sat Jan 27 16:36:54 2024
    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    [1] <https://play.google.com/store/apps/details?id=com.pkware.android>
    "Updated on Jul 28, 2015". Tis possible nothing needs changing in the
    last 8 years over 9 Android versions. Went to:

    https://www.pkware.com/products/securezip

    Where it mentions "Try It Free", but also mentions having to buy it. It
    is 30-day trialware, so it might cripple itself thereafter.

    Oops! I did post the correct name 'SecureZIP Reader' (note: 'Reader'),
    but I didn't realize that you probably also need writing. My need is
    only for extracting/decrypting zip archives. Sorry about that.

    [2] <https://play.google.com/store/apps/details?id=com.rarlab.rar>

    "Updated on Oct 5, 2023", so better maintained. As I recall, RARlabs
    allowed you to extract for free, but you had to buy it to create .rar
    files. That's why other archivers can read/extract from .rar files, but
    they can't write/create .rar archive files. Although the app page shows
    a RAR app for Android, https://www.rarlab.com/shoprarlab.php does not.
    I did find a link on their home page (https://www.rarlab.com/) to their
    Android app, but no info at their own site about it.

    While the app is *named* "RAR", it can handle many other archive
    formats, including ZIP, which was the topic of this subthread.

    And the 'About this app' pop-in clearly states that it can both
    extract/unpack and create archives. And it mentions "encryption", so I
    assume it can decrypt and encrypt.

    [3] <https://play.google.com/store/apps/details?id=nextapp.fx>

    Created a shortcut to the app page to look at this one later.

    A quick check shows that FX File Explorer can indeed also create
    archives in all kinds of archive formats, BUT - at least so far - I've
    not seen a way to set encryption when creating an archive (I know it can
    decrypt when extracting an archive, because that's what I use it for).

  • From Carlos E.R.@21:1/5 to Andrew on Sat Jan 27 22:30:50 2024
    On 2024-01-24 18:23, Andrew wrote:
    Carlos E. R. wrote on Wed, 24 Jan 2024 12:31:13 +0100 :

    That is why you should keep your default Android contacts completely empty.
    Each app you use should be chosen to maintain its own private contacts db.
    Bollocks.

    That's nuts.

    Very inconvenient and cumbersome.

    Nobody ever said staying private wasn't "very inconvenient & cumbersome".
    So your feeling it's too hard for you to remain private is likely correct.

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

    I don't upload them. And WhatsApp doesn't upload them either, AFAIK.

    I can not have one contact list for phones, another for street
    addresses, another for WhatsApp, another for mail addresses. I don't do
    it, and I refuse to do it, period.

    You have a problem with that, then design some other ecosystem different
    than Android, cheap and popular. Or change the laws, internationally,
    and make them be obeyed.


    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Frankie on Sat Jan 27 22:33:31 2024
    On 2024-01-26 09:44, Frankie wrote:
    On 26/1/2024, VanguardLH wrote:

    Then why do you need the net to use contacts already on the phone?

    Guess you completely missed synchronizing contacts between devices, and
    why I wondered how Andrew did it. Here we go again.

    You're making this about a million times harder than it really is.
    Have you never used Microsoft Office not even once in your life?
    How much trouble can you have synchronizing a simple MS Office file?

    I don't use MS Office, ever.

    --
    Cheers, Carlos.

  • From Andrew@21:1/5 to Carlos E.R. on Sat Jan 27 21:54:26 2024
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

    I don't upload them.

    Google does.

    And WhatsApp doesn't upload them either, AFAIK.

    How does WhatsApp know who in your contacts is a WhatsApp subscriber?

    I can not have one contact list for phones, another for street
    addresses, another for WhatsApp, another for mail addresses. I don't do
    it, and I refuse to do it, period.

    I agreed that it's too much work for people like you to be private.

    You have a problem with that, then design some other ecosystem different
    than Android, cheap and popular. Or change the laws, internationally,
    and make them be obeyed.

    It's easier than that as I've already designed it & explained how.

    1. Don't store your contacts in the default Android contacts database.
    2. Use (good) apps that respect that.

    There are plenty of those apps which we've already discussed in this thread.

  • From Frankie@21:1/5 to Carlos E.R. on Sat Jan 27 15:58:34 2024
    On 27/1/2024, Carlos E.R. wrote:

    You're making this about a million times harder than it really is.
    Have you never used Microsoft Office not even once in your life?
    How much trouble can you have synchronizing a simple MS Office file?

    I don't use MS Office, ever.

    What kind of absurd argument do you have which is that you have to upload
    your contacts to Google servers because you don't know how to sync files?

  • From Carlos E.R.@21:1/5 to Andrew on Sat Jan 27 23:09:00 2024
    On 2024-01-27 22:54, Andrew wrote:
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?
    I don't upload them.

    Google does.

    And WhatsApp doesn't upload them either, AFAIK.

    How does WhatsApp know who in your contacts is a WhatsApp subscriber?

    That has been explained before in this forum.


    For example.

    When somebody registers to WhatsApp, that phone is added at
    headquarters. Only that phone number.

    Later, phone numbers on your contact list are compared to the list at
    headquarters, and it tells you which phones are subscribers. Then your
    query is deleted.

    You don't believe this? Prove it.


    I can not have one contact list for phones, another for street
    addresses, another for WhatsApp, another for mail addresses. I don't do
    it, and I refuse to do it, period.

    I agreed that it's too much work for people like you to be private.

    It is not my problem.


    You have a problem with that, then design some other ecosystem different
    than Android, cheap and popular. Or change the laws, internationally,
    and make them be obeyed.

    It's easier than that as I've already designed it & explained how.

    1. Don't store your contacts in the default Android contacts database.
    2. Use (good) apps that respect that.

    There are plenty of those apps which we've already discussed in this thread.


    No, I will not do it.

    --
    Cheers, Carlos.

  • From VanguardLH@21:1/5 to Frank Slootweg on Sat Jan 27 16:47:16 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    <https://play.google.com/store/apps/details?id=com.rarlab.rar>

    While the app is *named* "RAR", it can handle many other archive
    formats, including ZIP, which was the topic of this subthread.

    Yep. I was surprised it was free since they license their lib/tool to
    create .rar files; however, they don't need to license to themselves.
    That one went on my short list of candidates.

  • From Carlos E.R.@21:1/5 to Frankie on Sat Jan 27 23:29:05 2024
    On 2024-01-27 22:58, Frankie wrote:
    On 27/1/2024, Carlos E.R. wrote:

    You're making this about a million times harder than it really is.
    Have you never used Microsoft Office not even once in your life?
    How much trouble can you have synchronizing a simple MS Office file?

    I don't use MS Office, ever.

    What kind of absurd argument do you have which is that you have to upload
    your contacts to Google servers because you don't know how to sync files?

    I know how to sync files, I have been doing that for decades. I choose
    not to and use the convenience of Google.

    Your arguments are ridiculous to me.

    --
    Cheers, Carlos.

  • From VanguardLH@21:1/5 to Andrew on Sat Jan 27 16:43:41 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Fri, 26 Jan 2024 20:37:50 -0600 :

    Thanks for the info on Syndoc. Don't yet need nor want a cloud
    storage consolidator. Encrypt/decrypt looks to be through their web
    UI. Only AES-256 is supported, but that's still pretty good. I'd
    look more into Syndoc if I need another 10 GB of cloud storage to
    add to my existing mix.

    Thanks for looking at it as the reason I pointed it out is because if
    you really wanted to store your contacts encrypted on the cloud, that
    app would do it easily for you with more control than you would have otherwise.

    I found it because I use the best Google Play Store search engine in
    the world (which has been discussed many times on this newsgroup in
    the past).

    If it's out there, it will find it. Since you wanted freeware without
    ads that had been updated recently, I set the search filters on that,
    plus I noticed you wanted recent updates, so I had it sort by recent
    updates.

    That's where ZArchive showed up on top of the list for the encryption
    and decryption of 7-zip archives that Frank Slootweg was discussing
    with you.

    I was looking at AxCrypt, because it is cross-platform: Windows,
    Android, and iOS. Alas, a bit more reading shows you can view (read)
    encrypted files, but to create them requires a subscription. No thanks.

    Syndoc claims to do both encrypt and decrypt; however, that requires
    using their web site. Yuck! They only have Android and iOS clients, no Windows client. 10 GB of cloud storage is nice, but unneeded in my
    scenario with 32 GB in a OneDrive, GoogleDrive, and Dropbox scenario
    (all free). Syndoc's free version has limited features and throttled
    bandwidth (so there is a lure to pay for their Pro version). No thanks
    to Syndoc mostly from having to use their web site to do
    encrypt/decrypt.

    Zarchiver has no network access, so I would have to incorporate the use
    of the OneDrive, Google Drive, or Dropbox clients to perform cloud sync
    between devices. Zarchiver doesn't list .pea as supported, but .7z is
    supported, so perhaps the TOC can be encrypted, too. I didn't find
    Windows or iOS versions of Zarchiver. I'd be using Peazip on my Windows
    hosts, and Zarchiver on my Android phones.

    .7z (7-Zip) can include encrypting the file and folder names in the
    hierarchy of objects (TOC - Table of Contents) contained in the
    compressed archive file. Filenames often reflect their content. A file
    named "2012-01-27 Bahama vacation" is probably not about you having to
    chainsaw a tree downed from your neighbor's yard during a tornado that
    smashed your fence. A folder named "Credit cards" with files underneath
    named "MasterCharge", "Visa", "Home Depot", etc would be something that
    piques the interest of an attacker. A file named "Contacts" would be
    more interesting than your vacation pics. Showing file and folder names
    (TOC) leaks info to an attacker. The only other archive formats I know
    of that let you encrypt the TOC are .rar and .arc. RAR format requires a
    license to RARlabs to create .rar archives which means free apps won't
    create .rar files. There is a RAR Android app which can read and create
    .rar archives, but then RARlabs doesn't have to license to itself. I
    rarely run across .rar files. Their Android app can read and create
    .rar files, but I'd need a matching archiver on other platforms, and I
    haven't seen an archiver that was free and created .rar files. WinRAR
    costs $30.

    .pea (Peazip) and ZPAQ, by design, have the files and folders (TOC)
    remain hidden until the correct password is used to open them. For that
    added security, you would need a decrypter that supports .7z and .pea
    archives. I've never used ZPAQ (incremental journaling backup utility
    and archiver) which seems more oriented to saving [incremental] backups
    in compressed archives, and never seen anyone using it.

    It's been decades since I last looked at SEA's ARC format, and don't
    relish having to open a command shell to run its SQ and LU programs.
    PKARC and PKXARC from Katz are for Windows: no mobile versions.
    Archivers highly popular on Windows don't seem to have variants
    available on mobile platforms, so I'd likely end up with a mixed app
    setup: using Peazip on Windows, and something else on mobile platforms.

    I do use Microsoft's OneNote which can encrypt sections in a notebook.
    It is available on Windows, Android, and iOS, but not Linux (might be
    usable under WINE, but probably has lots of .NET dependencies), and is
    free. Like Syndoc, I could access OneNote using a web client on any
    platform, but I'd rather not. While it integrates with OneDrive, files
    could also be saved in folders monitored by the Google Drive and Dropbox
    clients for cloud sync. However, OneNote uses AES 128 for encryption.
    AES 128 is still secure, efficient, and fast, but AES 256 is more
    resilient against brute force attacks. I was surprised, though, that
    Microsoft only used AES 128 encryption in their OneNote product.
    Hackers would have to get past my online account's password, and then
    past the encryption of protected sections in a OneNote notebook.

    https://www.clickssl.net/blog/128-bit-ssl-encryption-vs-256-bit-ssl-encryption

    Key size   Time to crack
    56 bit     399 seconds
    128 bit    1.02 x 10^18 years
    192 bit    1.872 x 10^37 years
    256 bit    3.31 x 10^56 years

    Then add the time to crack my account login password (13+ chars with no
    words, just random chars, digits, and punctuation chars to avoid
    dictionary attack), along with sites that throttle access on too many
    failed password attempts. However, remember that the first guess in a
    brute force attack could match the key. It could happen.

    So, with OneNote available on multiple platforms, I have both a note
    organizer (more than just text) and a decrypter on each platform. As
    for my phones, I don't leave them unlocked. I use them, then lock them,
    or rely on the 1-minute timeout to lock.

    There were 70 other apps which showed up in my search of a free
    archiver without ads and without any in-app purchases so there are
    too many of them.

    Some were special purpose archivers, such as this one which shares
    files.
    https://play.google.com/store/apps/details?id=shareit.lite

    "We transfer absolutely without mobile data usage." So what's left?
    Wifi, Bluetooth, and NFC. My phone is configured to prefer wifi over
    data, but that's mostly for when I'm at home and the phone connects to
    the wifi router. While there are lots of open wifi hotspots, I rarely
    use those except when at a resort while on vacation. They say their app doesn't use cellular data, but they don't say what it uses instead.
    Maybe it parallels Tesla's attempt to pass electrical power through the
    Earth. From https://www.ushareit.com/help/, file transfers are by wifi.
    That severely limits when and where I can do transfers. I'd need access
    to an open/public wifi hotspot.

    Others were file managers, such as this one which handles encrypted
    zips.
    https://play.google.com/store/apps/details?id=com.lenovo.FileBrowser2

    Just a file manager that adds .zip support (and only .zip format). No
    network access to do file transfers, so I'd have to incorporate with
    cloud clients (OneDrive, Google Drive, Dropbox). With having to
    integrate parts into a total solution, I'd probably go with Zarchiver
    that supports more archive formats, the cloud clients, and the file
    manager already bundled on the phone.

    There were quite a few zip decryptors/encryptors but with only a few
    downloads, and sensing you are risk averse, I didn't mention them,
    such as
    https://play.google.com/store/apps/details?id=com.extractor.easyextractfile.zipper.filezipper

    Says it is free, but also says it can create .rar files. Either they
    didn't pay the license fee to RARlabs, or they're misleading with a
    claim to create RAR archives. App pages says "Prep Apps" is the author,
    but the description says "KGapps". No web site to get further info.
    Their telephone number is in Pakistan. Calls itself Easy Unzip,
    Unzipper, Easy Unzipper, Unzipper Master. No network access, so another offline app that could be integrated in my cloud setup; however, I don't
    trust this app.

    That app does what I think Frank Slootweg had asked it to do, which is:
    "Easy Unzipper enables archived content display without decompression."

    That could be simply looking at the TOC showing files and folders. Most archive formats don't hide that info. .7z, .pea, and ZPAQ will hide the
    TOC, by design. Some archives add the option to hide/encrypt the TOC,
    but they don't do anything unless one of the above archive formats.

    I'm still looking, so thanks for the suggestions.
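
    An added illustration of the point in the post above that most archive formats leave file and folder names (the TOC) visible; it is not code from any poster in this thread. It builds a small constructed .zip whose members are ZipCrypto-encrypted (the setup Frank Slootweg describes using) and reports what can be read with no password. The function names, sample file names and password are assumptions made for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# Constructed sample data (assumptions for this illustration).
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_FILES = {
    "Credit cards/Visa.txt": b"constructed placeholder text\n",
    "Contacts.vcf": b"BEGIN:VCARD\nFN:Constructed Example\nEND:VCARD\n",
}

# CRC-32 lookup table; the legacy PKWARE stream cipher (ZipCrypto) is built on it.
_CRC = []
for _n in range(256):
    for _ in range(8):
        _n = (_n >> 1) ^ 0xEDB88320 if _n & 1 else _n >> 1
    _CRC.append(_n)


def zipcrypto_encrypt(password, plaintext, crc):
    """Return the 12-byte encryption header plus ciphertext for one member."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(byte):
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRC[(k0 ^ byte) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC[(k2 ^ (k1 >> 24)) & 0xFF]

    for byte in password:
        update(byte)
    out = bytearray()
    # Header: 11 random bytes, then the CRC's high byte as a password check.
    for byte in os.urandom(11) + bytes([crc >> 24]) + plaintext:
        t = k2 | 2
        out.append(byte ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(byte)
    return bytes(out)


def build_sample_zip(password, files):
    """Constructed fixture: stored (uncompressed) members, each encrypted."""
    body, central = bytearray(), bytearray()
    dos_time, dos_date = 0, (44 << 9) | (1 << 5) | 27  # 2024-01-27 00:00
    for name, data in files.items():
        raw = name.encode("ascii")
        crc = zlib.crc32(data)
        enc = zipcrypto_encrypt(password, data, crc)
        # Fields shared by the local header and the central directory entry;
        # general-purpose flag bit 0 marks the member as encrypted.
        common = struct.pack("<HHHHHIIIHH", 20, 0x0001, 0, dos_time, dos_date,
                             crc, len(enc), len(data), len(raw), 0)
        offset = len(body)
        body += b"PK\x03\x04" + common + raw + enc
        central += (b"PK\x01\x02" + struct.pack("<H", 20) + common
                    + struct.pack("<HHHII", 0, 0, 0, 0, offset) + raw)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(files),
                                       len(files), len(central), len(body), 0)
    return bytes(body + central + eocd)


def audit_zip_metadata(blob):
    """List what the central directory discloses without any password."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x0001)
            if info.compress_type == 99:      # WinZip AES marker method
                scheme = "WinZip AES"
            elif info.flag_bits & 0x0040:     # PKWARE strong encryption
                scheme = "PKWARE strong encryption"
            elif encrypted:
                scheme = "ZipCrypto"
            else:
                scheme = "none"
            report.append({"name": info.filename, "size": info.file_size,
                           "encrypted": encrypted, "scheme": scheme})
    return report


def read_member(blob, name, password=None):
    """Return a member's plaintext, or None if zipfile refuses without a valid password."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            return zf.read(name, pwd=password)
        except RuntimeError:  # "password required" or "Bad password"
            return None


if __name__ == "__main__":
    archive = build_sample_zip(SAMPLE_PASSWORD, SAMPLE_FILES)
    for entry in audit_zip_metadata(archive):
        print(entry)  # names and sizes are listed although no password was given
    print(read_member(archive, "Contacts.vcf"))  # content stays unreadable
```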

  • From Carlos E.R.@21:1/5 to Andrew on Sat Jan 27 23:27:39 2024
    On 2024-01-27 22:54, Andrew wrote:
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?
    I don't upload them.

    Google does.

    So?

    --
    Cheers, Carlos.

  • From VanguardLH@21:1/5 to Alan on Sat Jan 27 17:05:00 2024
    Alan <nuh-uh@nope.com> wrote:

    Apple lets you upload your contacts...

    This is an Android newsgroup.

    ...but they're encrypted:

    'End-to-end encrypted data can be decrypted only on your trusted devices where you’re signed in with your Apple ID. No one else can access your end-to-end encrypted data — not even Apple'

    <https://support.apple.com/en-us/102651>

    The only Apple product I have is an iPad that was free from my HMO with
    tons of pre-loaded health apps. It's locked down (managed by HMO), so
    of little other use. I can use it for more than the health stuff, but I
    really don't care for Apple stuff. It does have an Apple ID assigned to
    it (that I created for myself), but I don't do e-mails from it. Not
    much point in having contacts there for now, but maybe I can unlock the
    iPad so it is no longer managed. It mostly sits around collecting dust.
    I've asked them about returning the iPad to them to eliminate wasting
    it. It's probably getting trashed.

    Can contacts from an Apple ID account (assuming contacts are stored
    there in the cloud) be accessed by non-Apple products? I would think
    without an Apple ID assigned to the device that end-to-end encryption
    was not available.

  • From VanguardLH@21:1/5 to Andrew on Sat Jan 27 17:25:27 2024
    Andrew <andrew@spam.net> wrote:

    Carlos E.R. wrote:

    And WhatsApp doesn't upload them either, AFAIK.

    How does WhatsApp know who in your contacts is a WhatsApp subscriber?

    WhatsApp claims end-to-end encryption: from client to client, and what's
    on the server remains encrypted (in-situ on server). However, while
    they do end-to-end encryption on messages, I cannot find specific
    reference to encrypting contacts at the server. Also, even with
    end-to-end encryption, that doesn't mean the data is encrypted at an
    endpoint (client device). Malware or a hacker can still get at your
    data if they get on your phone. End-to-end encryption is in-transit protection, not necessarily in-situ protection at the clients, but it
    looks like the WhatsApp server sees only encrypted data.

    There is the Whatsapp.com web site, but you cannot log into an account
    to look at your contacts. I didn't see a Login button or web form to
    enter login credentials. Seems you must use their apps which employ
    end-to-end (in-transit) encryption. The server would have the encrypted
    data. However, I don't know their clients keep the data encrypted
    in-situ. In-transit encryption, and no means to decrypt at the server
    using a web site, means your data is as secure as how well you secure
    your phone.

  • From Andrew@21:1/5 to VanguardLH on Sun Jan 28 06:45:49 2024
    VanguardLH wrote on Sat, 27 Jan 2024 17:25:27 -0600 :

    How does WhatsApp know who in your contacts is a WhatsApp subscriber?

    WhatsApp claims end-to-end encryption: from client to client, and what's
    on the server remains encrypted (in-situ on server).

    I know how WhatsApp says they do it but that wasn't his (Carlos) objection.
    He said "And WhatsApp doesn't upload them either, AFAIK", which is wrong.

    If you store your contacts in the default location, WhatsApp uploads them.
    So do plenty of other apps (probably thousands but I don't know them all).

    Just like you were doing, he was trying to find objections to why he was
    doing exactly what Google told him to do (store contacts in the default location and let any server that wants to upload them, upload them).

    Privacy makes his brain hurt to even think about.
    And he's like most people are.

    You do the same things he does too.

    The difference is his objections were absurd (and his statements wrong).
    Your objections were based on you just being lazy (which is different).

    However, while
    they do end-to-end encryption on messages, I cannot find specific
    reference to encrypting contacts at the server. Also, even with
    end-to-end encryption, that doesn't mean the data is encrypted at an
    endpoint (client device). Malware or a hacker can still get at your
    data if they get on your phone. End-to-end encryption is in-transit protection, not necessarily in-situ protection at the clients, but it
    looks like the WhatsApp server sees only encrypted data.

    As I understand how it works, unless you set the phone up like I do,
    every time you run WhatsApp, it uploads your contacts to its servers.

    Those contacts are encrypted & WhatsApp compares the hash to known hashes
    of WhatsApp subscribers, which is the answer to the question I asked him.

    "How does WhatsApp know who in your contacts is a WhatsApp subscriber?"

    I knew the answer.
    He didn't.

    Your objections are because you don't want to do the work to remain
    private. His objections are absurd as it made his brain hurt to think.

    Specifically, he thinks his contacts are safe from WhatsApp but what he
    doesn't know is there's a Venn-Diagram overlap going on that he missed.

    So not only are his arguments absurd. They're wrong.

    What he's trying to find a flaw in is my statement that started all this:
    a. The safest place to store your contacts is NOT in the default location
    b. And then to use (good) apps that respect that choice.

    He can't find the flaw.
    Neither can you.

    All your objections were simply that you didn't want to have to think.
    Because for every hurdle that you threw up, I gave you a simple solution.

    There is the Whatsapp.com web site, but you cannot log into an account
    to look at your contacts. I didn't see a Login button or web form to
    enter login credentials. Seems you must use their apps which employ
    end-to-end (in-transit) encryption. The server would have the encrypted
    data. However, I don't know their clients keep the data encrypted
    in-situ.

    It's encrypted. And hashed. But why do you need to tell WhatsApp exactly
    the Venn-Diagram overlap between their databases and _all_ your contacts?

    In-transit encryption, and no means to decrypt at the server
    using a web site, means your data is as secure as how well you secure
    your phone.

    Most people store their contacts unencrypted in the default database.
    And many (bad) apps habitually upload those contacts to their servers.

    You lost control over them the instant that happened.

    My statement still stands true that the safest way to prevent that (since
    you won't know when it's happening) is to NOT store your contacts there.

    That way there's nothing for misbehaving apps to upload to their server.

  • From Andrew@21:1/5 to VanguardLH on Sun Jan 28 06:22:00 2024
    VanguardLH wrote on Sat, 27 Jan 2024 16:43:41 -0600 :

    I was looking at AxCrypt, because it is cross-platform: Windows,
    Android, and iOS. Alas, a bit more reading shows you can view (read) encrypted files, but to create them requires a subscription. No thanks.

    I was about to test AxCrypt when you mentioned it, but not if it's that.
    https://play.google.com/store/apps/details?id=net.axcrypt.axcrypt2x

    Syndoc claims to do both encrypt and decrypt; however, that requires
    using their web site. Yuck!

    Yes. But. You said you wanted your contacts even if you lose the phone.
    And you wanted contacts stored encrypted plus decrypted on the phone.
    Plus you said you didn't want to have to set up the NAS drive to do that.

    They only have Android and iOS clients, no Windows client.
    10 GB of cloud storage is nice, but unneeded in my
    scenario with 32 GB in a OneDrive, GoogleDrive, and Dropbox scenario
    (all free). Syndoc's free version has limited features and throttled bandwidth (so there is a lure to pay for their Pro version). No thanks
    to Syndoc mostly from having to use their web site to do encrypt/decrypt.

    Yes. But. You said you wanted access to contacts if you lose the phone.
    And you wanted contacts decrypted on the phone while stored encrypted.
    Plus you said setting up your own NAS drive to do that was too much work.

    You kept throwing up hurdles and I kept solving them in an easy way.
    I'm not expecting you to all of a sudden start NOT storing your contacts in
    the default Android database, nor to all of a sudden NOT be uploading them
    to every server out there that asks for them.

    I'm just expecting you to understand my point of view which is simple:
    1. It's simple not to store your contacts in the default location.
    2. And it's simple to do whatever it is you want to do with them afterward.

    A person only needs 2 things, which, unfortunately, most people don't have.
    A. They have to be wise enough to know _why_ they don't want to store
    their contacts in the default Android database & uploaded to servers.
    B. They have to be intelligent enough to create their own solution
    when they don't store their contacts in the default Android location.

    That other guy who said that doing anything that Google didn't tell him to
    do hurt his brain, for example - won't have either one of those two things.

    Zarchiver has no network access, so I would have to incorporate the use
    of the OneDrive, Google Drive, or Dropbox clients to perform cloud sync between devices.

    I did give you a few other apps that do both archival and network access,
    but ZArchiver solves a _different_ problem set. I mentioned ZArchiver
    mostly to solve all the problems that Frank Slootweg said he wanted solved.

    Frank hasn't responded, but I think ZArchiver solved all his stated needs.
    https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver

    Zarchiver doesn't list .pea as supported, but .7z is
    supported, so perhaps the TOC can be encrypted, too.

    What does "TOC" mean in this context? I see you mean "Table of Contents",
    so I guess you mean what Frank meant by looking inside the
    password-protected encrypted archive but without decompressing it first?

    I didn't find
    Windows or iOS versions of Zarchiver. I'd be using Peazip on my Windows hosts, and Zarchiver on my Android phones.

    That's a completely different problem set, which wasn't stated, AFAIK,
    until now, where cross-platform tools will mostly be the open source apps.

    That's a completely different set of search filters which I didn't run.

    .7z (7-Zip) can include encrypting the file and folder names in the
    hierarchy of objects (TOC - Table of Contents) contained in the
    compressed archive file. Filenames often reflect their content. A file
    named "2012-01-27 Bahama vacation" is probably not about you having to
    chainsaw a tree downed from your neighbor's yard during a tornado that
    smashed your fence. A folder named "Credit cards" with files underneath
    named "MasterCharge", "Visa", "Home Depot", etc would be something that
    piques the interest of an attacker. A file named "Contacts" would be
    more interesting than your vacation pics. Showing file and folder names
    (TOC) leaks info to an attacker. The only other archive formats I know
    of that let you encrypt the TOC are .rar and .arc. RAR format requires a
    license to RARlabs to create .rar archives which means free apps won't
    create .rar files. There is a RAR Android app which can read and create
    .rar archives, but then RARlabs doesn't have to license to itself. I
    rarely run across .rar files. Their Android app can read and create
    .rar files, but I'd need a matching archiver on other platforms, and I haven't seen an archiver that was free and created .rar files. WinRAR
    costs $30.

    .pea (Peazip) and ZPAQ, by design, have the files and folders (TOC)
    remain hidden until the correct password is used to open them. For that
    added security, you would need a decrypter that supports .7z and .pea
    archives. I've never used ZPAQ (incremental journaling backup utility
    and archiver) which seems more oriented to saving [incremental] backups
    in compressed archives, and never seen anyone using it.

    It's been decades since I last looked at SEA's ARC format, and don't
    relish having to open a command shell to run its SQ and LU programs.
    PKARC and PKXARC from Katz are for Windows: no mobile versions.
    Archivers highly popular on Windows don't seem to have variants
    available on mobile platforms, so I'd likely end up with a mixed app
    setup: using Peazip on Windows, and something else on mobile platforms.

    I do use Microsoft's OneNote which can encrypt sections in a notebook.
    It is available on Windows, Android, and iOS, but not Linux (might be
    usable under WINE, but probably has lots of .NET dependencies), and is
    free. Like Syndoc, I could access OneNote using a web client on any
    platform, but I'd rather not. While it integrates with OneDrive, files
    could also be saved in folders monitored by the Google Drive and Dropbox
    clients for cloud sync. However, OneNote uses AES 128 for encryption.
    AES 128 is still secure, efficient, and fast, but AES 256 is more
    resilient against brute force attacks. I was surprised, though, that
    Microsoft only used AES 128 encryption in their OneNote product.
    Hackers would have to get past my online account's password, and then
    past the encryption of protected sections in a OneNote notebook.

    https://www.clickssl.net/blog/128-bit-ssl-encryption-vs-256-bit-ssl-encryption
    Key size   Time to crack
    56 bit     399 seconds
    128 bit    1.02 x 10^18 years
    192 bit    1.872 x 10^37 years
    256 bit    3.31 x 10^56 years

    Then add the time to crack my account login password (13+ chars with no words, just random chars, digits, and punctuation chars to avoid
    dictionary attack), along with sites that throttle access on too many
    failed password attempts. However, remember that the first guess in a
    brute force attack could match the key. It could happen.

    So, with OneNote available on multiple platforms, I have both a note organizer (more than just text) and a decrypter on each platform. As
    for my phones, I don't leave them unlocked. I use them, then lock them,
    or rely on the 1-minute timeout to lock.

    That's all very good information. Thanks for describing the issues.
    You know this better than I do. I'm just trying to help you & Frank.

    There were 70 other apps which showed up in my search of a free
    archiver without ads and without any in-app purchases so there are
    too many of them.

    Some were special purpose archivers, such as this one which shares
    files.
    https://play.google.com/store/apps/details?id=shareit.lite

    "We transfer absolutely without mobile data usage." So what's left?
    Wifi, Bluetooth, and NFC. My phone is configured to prefer wifi over
    data, but that's mostly for when I'm at home and the phone connects to
    the wifi router. While there are lots of open wifi hotspots, I rarely
    use those except when at a resort while on vacation. They say their app doesn't use cellular data, but they don't say what it uses instead.
    Maybe it parallels Tesla's attempt to pass electrical power through the Earth. From https://www.ushareit.com/help/, file transfers are by wifi.
    That severely limits when and where I can do transfers. I'd need access
    to an open/public wifi hotspot.

    This special-purpose archiver was simply suggested to solve another hurdle
    that you threw up which is how to transfer the encrypted files from one
    place to another when you're not at home. That's all. It's another way.

    For every need you state, there will be an app that solves that need.

    You might not find one app that solves all of your stated needs like we did
    for Frank Slootweg with the ZArchiver app - but a collection of apps will.

    I'm just trying to help you and Frank.

    Others were file managers, such as this one which handles encrypted
    zips.
    https://play.google.com/store/apps/details?id=com.lenovo.FileBrowser2

    Just a file manager that adds .zip support (and only .zip format). No network access to do file transfers, so I'd have to incorporate with
    cloud clients (OneDrive, Google Drive, Dropbox). With having to
    integrate parts into a total solution, I'd probably go with Zarchiver
    that supports more archive formats, the cloud clients, and the file
    manager already bundled on the phone.

    I understand your objections and I agree with your resolution above.

    This was suggested only to help Frank who was the one who had mentioned
    file managers that handle encrypted files.

    It wasn't to solve your objections to not storing contacts in the default location on Android which always ends up being uploaded to many servers.

    There were quite a few zip decryptors/encryptors but with only a few
    downloads, and sensing you are risk averse, I didn't mention them,
    such as
    https://play.google.com/store/apps/details?id=com.extractor.easyextractfile.zipper.filezipper

    Says it is free, but also says it can create .rar files. Either they
    didn't pay the license fee to RARlabs, or they're misleading with a
    claim to create RAR archives.

    Good catch. You also caught Syndoc 10GB/5GB limitations so it's good you're checking my recommendations. I don't know enough about RAR to help though.

    Anyway, that was for Frank more than for you since he was looking for a
    good free zip archiver that did the things that Frank had wanted them to.

    App page says "Prep Apps" is the author,
    but the description says "KGapps". No web site to get further info.
    Their telephone number is in Pakistan. Calls itself Easy Unzip,
    Unzipper, Easy Unzipper, Unzipper Master. No network access, so another offline app that could be integrated in my cloud setup; however, I don't trust this app.

    You found good information about this app, which is probably why it had
    only a few downloads, where here is a bit more information about them. https://easyunzipper124.blogspot.com/p/unzipperprivacy.html

    Based on what you found out about them, I apologize for suggesting it.

    I'd stick with ZArchiver instead - unless you find something wrong with it. https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver&hl=en_US&gl=US

    That app does what I think Frank Slootweg had asked it to do, which is:
    "Easy Unzipper enables archived content display without decompression."

    That could be simply looking at the TOC showing files and folders. Most archive formats don't hide that info. .7z, .pea, and ZPAQ will hide the
    TOC, by design. Some archives add the option to hide/encrypt the TOC,
    but they don't do anything unless one of the above archive formats.

    I'm still looking, so thanks for the suggestions.

    I was just trying to help where my strength is I have the best app search engines in the world on my side - which most people don't know how to use.

  • From Frank Slootweg@21:1/5 to Andrew on Sun Jan 28 15:16:29 2024
    Andrew <andrew@spam.net> wrote:
    [...]

    I did give you a few other apps that do both archival and network access,
    but ZArchiver solves a _different_ problem set. I mentioned ZArchiver
    mostly to solve all the problems that Frank Slootweg said he wanted solved.

    Frank hasn't responded, but I think ZArchiver solved all his stated needs. https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver

    For once, try to follow the discussion and try to read for
    comprehension!

    I don't have any problem. I was only giving information/suggestions to *VanguardLH*, for encrypting/decrypting a contacts file *if* he wanted
    to do that, which is *not* (yet) a given.

    [...]

  • From Frank Slootweg@21:1/5 to VanguardLH on Sun Jan 28 15:19:55 2024
    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    <https://play.google.com/store/apps/details?id=com.rarlab.rar>

    While the app is *named* "RAR", it can handle many other archive
    formats, including ZIP, which was the topic of this subthread.

    Yep. I was surprised it was free since they license their lib/tool to
    create .rar files; however, they don't need to license to themselves.
    That one went on my short list of candidates.

    And - according to the 'About this app' pop-in - the "RAR" Android app
    can also handle 7z archives, which you seem to prefer because it can
    encrypt the TOC.

  • From Frank Slootweg@21:1/5 to Carlos E.R. on Sun Jan 28 15:32:26 2024
    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2024-01-27 22:54, Andrew wrote:
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

    I don't upload them.

    Google does.

    So?

    Indeed. And "Google does" [upload your contacts] is also misleading,
    because Google only does that if you - implicitly or explicitly -
    tell/ask them to do so. You can select to not sync contacts or/and other
    parts of your Google Accounts.

    The wording also - dishonestly - implies that you give your contacts
    to Google and that 'hence' Google can and does abuse/misuse/spread that information. That's of course nonsense, because Google would be sued to
    bits.

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

  • From Frank Slootweg@21:1/5 to VanguardLH on Sun Jan 28 15:43:33 2024
    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:

    Carlos E.R. wrote:

    And WhatsApp doesn't upload them either, AFAIK.

    How does WhatsApp know who in your contacts is a WhatsApp subscriber?

    WhatsApp claims end-to-end encryption: from client to client, and what's
    on the server remains encrypted (in-situ on server). However, while
    they do end-to-end encryption on messages, I cannot find specific
    reference to encrypting contacts at the server.

    Probably because WhatsApp does not store "contacts at the server"! :-)

    I/we could point for the umpteenth time to what WhatsApp *does* do,
    but where's the fun in *that*!? Better let 'Arlen' (or one of his
    look-alikes?) dance around some more with all his urban legends, FUD,
    innuendo, etc..

    So far he's disparaged Google and WhatsApp without providing any
    substance, proof, etc.. Why should he stop there!?

    [...]

  • From Frank Slootweg@21:1/5 to Andrew on Sun Jan 28 15:52:21 2024
    Andrew <andrew@spam.net> wrote:
    VanguardLH wrote on Sat, 27 Jan 2024 17:25:27 -0600 :

    How does WhatsApp know who in your contacts is a WhatsApp subscriber?

    WhatsApp claims end-to-end encryption: from client to client, and what's
    on the server remains encrypted (in-situ on server).

    I know how WhatsApp says they do it but that wasn't his (Carlos) objection. He said "And WhatsApp doesn't upload them either, AFAIK", which is wrong.

    If you store your contacts in the default location, WhatsApp uploads them.

    Nope, as Carlos correctly said, WhatsApp does *not* upload your
    contacts! (Umpteenth repeat of clue-by-four: WhatsApp Legal)

    If you think otherwise, *prove* it, with a cite from a *reputable*
    source (complete with URL).

    [...]

  • From Carlos E.R.@21:1/5 to Frank Slootweg on Sun Jan 28 20:16:11 2024
    On 2024-01-28 16:32, Frank Slootweg wrote:
    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2024-01-27 22:54, Andrew wrote:
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

    I don't upload them.

    Google does.

    So?

    Indeed. And "Google does" [upload your contacts] is also misleading, because Google only does that if you - implicitly or explicitly -
    tell/ask them to do so. You can select to not sync contacts or/and other parts of your Google Accounts.

    The wording also - dishonestly - implies that you give your contacts
    to Google and that 'hence' Google can and does abuse/misuse/spread that information. That's of course nonsense, because Google would be sued to
    bits.

    Indeed!

    *Fact* is that *if* you choose to upload your contacts to 'Google', it only gets into *your* Google Account storage. Duh!

    Exactly.

    And to the NSA and the CIA, but such is life. My Google Account is
    backed up on the cloud, but that doesn't mean that Google gives or sells
    it to Meta, for instance.

    Proof being that when I get a call from some new phone number, Google
    doesn't display the name unless it is in *my* phone book. Google may
    show the business name of some phone numbers, but that is a different information that google gets by different methods. Not by reading phone
    books of clients, and this is an information that could be found there
    easily.

    --
    Cheers, Carlos.

  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 14:08:12 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sat, 27 Jan 2024 16:43:41 -0600 :

    Syndoc claims to do both encrypt and decrypt; however, that requires
    using their web site. Yuck!

    Yes. But. You said you wanted your contacts even if you lose the
    phone. And you wanted contacts stored encrypted plus decrypted on the
    phone.

    Web site access to contacts is a backup method. Be nice to get them
    from there as a last resort, like if I lost my phone (lost, damaged,
    stolen). However, my statement wasn't about whether or not the
    contacts, or any file, was available at the server, but that you were
    stuck using their web site to encrypt/decrypt rather than using their
    client app. It was about where I could do the encrypt/decrypt that
    dropped Syndoc as a candidate. Not even their $3/mo Syndoc Pro has encrypt/decrypt in their client. Encrypt/decrypt at the client end is mandatory for me, and web site encrypt/decrypt would be a backup feature
    should I not have my client devices available.

    Plus you said you didn't want to have to set up the NAS drive to do that.

    Not as easy as you mention. I've setup other servers on my intranet,
    like VNC. The setup is not intuitive.

    - Run the NAS or VNC server inside a DMZ (often a subnet off the
    router).
    - Punch a hole in the router's firewall to allow inbound connections. You define
    a rule to point at the server for inbound connections on a designated
    port.
    - Get an account with a DNS provider who supplies a DDNS (Dynamic DNS)
    redirect service, like OpenDNS (they make finding their free service
    hard to find).
    - Install their IP updater client (*) which reports to your account with
    the DNS provider what is your current IP address. I get a dynamic IP
    from my ISP. A static IP would cost me money.
    - In my OpenDNS account, define a hostname. I use that hostname to
    reach OpenDNS who then looks up my account to see what is my current
    IP address, and OpenDNS then redirects the connection to the WAN-side
    of my router, which has a rule to punch through its firewall to
    connect to the intranet server host (NAS or VNC).
    - Obviously the intranet server host must be left powered on 24x7, and
    the same for the router.
    - Hope you aren't discovered violating your ISP's TOS on a personal-use
    (non-business) service tier regarding operation of publicly accessible
    servers on your intranet.

    https://en.wikipedia.org/wiki/Dynamic_DNS
    https://support.opendns.com/hc/en-us/articles/227987767-Using-Dynamic-DNS-with-OpenDNS
    https://support.opendns.com/hc/en-us/articles/227987867-What-is-the-OpenDNS-Dynamic-IP-updater-client

    I recall No-IP (https://www.noip.com/) was another similar DDNS service.
    Been too long to remember why I chose OpenDNS over No-IP. Perhaps
    because OpenDNS has categories (of censoring) of who would get blocked
    through their redirection service.

    Wouldn't need DDNS if I got a static IP address assigned to the WAN-side
    of my router from my ISP's DHCP server, but that costs money. There are
    free methods of transferring or accessing files across hosts or networks without having to pay for a static IP address, like cloud sync.

    Yes, for always-on cable Internet setups, IP addresses do not often
    change. In fact, after the bind's expiration, and after losing the bind (powering down your router, or resetting it), often the ISP's DHCP
    server will assign a new bind using the same IP address. It's held in
    limbo for a while. But once you lose the bind, there's no guarantee
    you'll get the same IP address. That's why it's called dynamic IP.
    Dynamic IP addressing is included in my service tier with my ISP. I
    would have to upgrade to and pay for a business account to get a static
    IP address. A business account would also allow me to run publicly
    accessible servers on my intranet hosts. Doing so with a personal-use
    service tier violates their TOS.

    Note when you speak of NAS, I assumed you mean a NAS drive sitting on
    your intranet, not cloud NAS storage which, for me, would provide
    nothing more than cloud storage services already provide to me (e.g.,
    OneDrive, Google Drive, Dropbox) and which can be accessed via web browser
    or, more preferable, local sync clients.

    They only have Android and iOS clients, no Windows client.
    10 GB of cloud storage is nice, but unneeded in my
    scenario with 32 GB in a OneDrive, GoogleDrive, and Dropbox scenario
    (all free). Syndoc's free version has limited features and throttled
    bandwidth (so there is a lure to pay for their Pro version). No thanks
    to Syndoc mostly from having to use their web site to do encrypt/decrypt.

    Yes. But. You said you wanted access to contacts if you lose the phone.

    Again, the statement was about having to use their web site to do encrypt/decrypt. Granted I would have access without an endpoint
    device, but remember we were discussing how to protect those contacts.
    You mention using apps that don't upload contacts anywhere, but mention
    somehow toting or transferring a file full of contact records, so then
    it became how to protect those contacts wherever they are stored. That
    the apps don't upload them still meant you had to protect wherever you
    had them.

    I'm just expecting you to understand my point of view which is simple:
    1. It's simple not to store your contacts in the default location.

    True. As noted by someone else, I can save contacts on the phone in its storage which is still accessible by pointing the app there. They don't
    get synchronized from there. Works okay for a single device, but
    cumbersome when managing multiple devices. Then you mentioned importing
    into the app (which presumably means the app is configured to save
    contacts in local storage only). Then 2 points came up: how to protect
    the contact records you import (via encrypt/decrypt), and how protecting
    your contacts list protects all your contacts defined in your e-mails.
    Got some info on how to supply encrypters/decrypters on each device, but keeping the e-mails protected in-situ on the mail server was never
    addressed (and I've only found 1 solution, so far, using ProtonMail,
    that will still work with local e-mail clients).

    2. And it's simple to do whatever it is you want to do with them afterward.

    A person only needs 2 things, which, unfortunately, most people don't have.
    A. They have to be wise enough to know _why_ they don't want to store
    their contacts in the default Android database & uploaded to servers.
    B. They have to be intelligent enough to create their own solution
    when they don't store their contacts in the default Android location.

    Yep, increased security is often not easy. However, I'm not wasting
    time protecting my contacts if the e-mails are not protected. I might
    consider the scenario where I transport an encrypted file to my devices, decrypt it on the device, and import into an app configured to store
    contacts on local-only storage. However, as ancient as it sounds to
    you, however the mode of transport (file transfers, cloud storage, USB
    drive), we're still back to the old Sneakernet scenario. Instead of
    toting around a drive, you're toting around a file. In fact, since I
    have to be physically present with the device to do the import into an
    app that stores local-only, all that setup with cloud storage, NAS, FTP,
    or whatever other electronic means is more difficult than toting around
    a USB drive. After all, you claim you only modify your contacts maybe
    once per year. All other setups take more effort than bringing a USB
    drive to each device. You can have a smart-door on your house where you
    wave your hands around to gesture an opening action, or you can just
    stick a key in the lock to open. Sometimes folks come up with the most convoluted (Rube Goldberg) schemes to perform a simple task.

    Zarchiver has no network access, so I would have to incorporate the use
    of the OneDrive, Google Drive, or Dropbox clients to perform cloud sync
    between devices.

    I did give you a few other apps that do both archival and network access,
    but ZArchiver solves a _different_ problem set. I mentioned ZArchiver
    mostly to solve all the problems that Frank Slootweg said he wanted solved.

    Frank hasn't responded, but I think ZArchiver solved all his stated needs. https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver

    Since I already have the cloud sync clients (OneDrive, Google Drive,
    Dropbox) on my devices, that solves the deficiency of Zarchiver, or any
    other archive app, of not having network access. So I'd get the
    convenience of cloud sync across devices, the security of encrypted data transfer, but I could also tote along a USB drive without anything going
    across a network or stored online. No network solution is going to be
    as secure as requiring a physical device.

    Zarchiver doesn't list .pea as supported, but .7z is
    supported, so perhaps the TOC can be encrypted, too.

    What does "TOC" mean in this context? I see you mean "Table of Contents",
    so I guess you mean what Frank meant by looking inside the
    password-protected encrypted archive but without decompressing it first?

    Yep. The TOC (Table of Contents) in an archive is the list of folders
    and files. Most archive formats do not protect the TOC, so anyone can
    get a list of what is inside the archive. Often folder and file names
    provide a hint of what is inside. .pea, .7z, and .rar allow including
    the TOC when the archive is encrypted. .zip, and other archive formats,
    do not. If you don't want anyone to snoop inside your encrypted archive
    to get at its contents, perhaps you don't want them to snoop at the
    folder and file names, either. Just because you can include the TOC in encryption with some archive formats doesn't mean you must. It's a
    security option.

    Say you're trying to hide in a house. Someone rings the bell. You go
    to the door and say "Andrew here. What do you want?" You identified
    you're in the house where you were trying to hide.

    I didn't find Windows or iOS versions of Zarchiver. I'd be using
    Peazip on my Windows hosts, and Zarchiver on my Android phones.

    That's a completely different problem set, which wasn't stated, AFAIK,
    until now, where cross-platform tools will mostly be the open source
    apps.

    I mentioned cross-platform when I first mentioned AxCrypt. I thought I
    found a cross-platform client app for encrypt/decrypt on Windows,
    Android, and iOS. Nope, it will decrypt on all those platforms, but not encrypt (unless you pay for their subscriptionware). What you get is
    their archive viewer (decrypt only). To add encryption costs $4/mo.

    I'll probably continue using the cloud sync clients (OneDrive, Google
    Drive, Dropbox) which are available for Windows, Android, and iOS. If
    and when I add Linux into the mix, I'll have to find what to use there.
    Since all those cloud services provide an API to use them, some Linux
    app probably utilizes the APIs to access the cloud services. I'll
    figure that out when I get there.

    For now, I have Peazip (7-zip fork with more features and better GUI) on
    my Windows hosts, and installed Zarchiver on Android. I only have 1 iOS device, it's locked down by my HMO that gave it to me for free, so not important to get contacts there in encrypted form since I don't yet use
    it for e-mails. Plus, as you mention, decide to use apps that keep
    contacts local.

    I already have a working setup, though. I have the cloud sync clients
    on my devices. Any file manager can use the cloud sync folders. I have OneNote on my Windows and Android devices, and it supports AES-128
    encryption. If I'm without access to my devices, I can still get at my
    OneNote data using a web browser. For the encrypted sections, I have to provide my password (which is different than for my account login). So,
    I already have transport of my contacts, or any file, across multiple
    devices using cloud sync.

    I need to look further into closing both doors into the barn. As you
    state, I can close one door by not saving my contacts where they would
    get synchronized to my e-mail accounts online. Before I do that, I need
    to determine how to close the other door into the barn: access to the
    e-mails with all those contacts in the headers. I found one solution (ProtonMail), but that's not free, and requires running their "bridge"
    (local proxy) to decrypt all my e-mails that remain encrypted while on
    their server. I'll keep looking for an in-situ encrypted scenario for
    the e-mails.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
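
The TOC exposure discussed in the post above, as an added example that is not part of the thread: it builds a ZipCrypto-encrypted ZIP (ZipCrypto only because Python's standard `zipfile` module can read it back), then lists the file names from the central directory without any password. The file names, contents, password and helper names are all constructed for illustration.

```python
import io
import os
import struct
import zipfile
import zlib

# Constructed sample data (not from the thread).
SAMPLE_PASSWORD = b"constructed-sample-password"
SAMPLE_FILES = {
    "contacts/family.vcf": b"BEGIN:VCARD\nFN:Sample Person\nEND:VCARD\n",
    "contacts/work.vcf": b"BEGIN:VCARD\nFN:Sample Colleague\nEND:VCARD\n",
}

# CRC-32 lookup table used by the ZipCrypto key schedule.
_TABLE = []
for _i in range(256):
    _c = _i
    for _bit in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _TABLE.append(_c)


def zipcrypto_encrypt(password, data):
    """Legacy PKZIP stream cipher, used only to build a genuinely encrypted sample."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(byte):
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _TABLE[(k0 ^ byte) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _TABLE[(k2 ^ (k1 >> 24)) & 0xFF]

    for byte in password:
        update(byte)
    out = bytearray()
    for plain in data:
        t = k2 | 2
        out.append(plain ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(plain)
    return bytes(out)


def build_encrypted_zip(files, password):
    """Write local headers, encrypted data, central directory and end record."""
    body, central = bytearray(), bytearray()
    dos_time, dos_date = 0, (44 << 9) | (1 << 5) | 28  # 2024-01-28 00:00
    flags, method = 0x0001, 0  # flag bit 0 = encrypted, method 0 = stored
    for name, plain in files.items():
        raw_name = name.encode("ascii")
        crc = zlib.crc32(plain) & 0xFFFFFFFF
        # 12-byte encryption header; its last byte is the password check byte.
        header = os.urandom(11) + bytes([crc >> 24])
        enc = zipcrypto_encrypt(password, header + plain)
        offset = len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, method,
                            dos_time, dos_date, crc, len(enc), len(plain),
                            len(raw_name), 0) + raw_name + enc
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20,
                               flags, method, dos_time, dos_date, crc, len(enc),
                               len(plain), len(raw_name), 0, 0, 0, 0, 0,
                               offset) + raw_name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(files),
                       len(files), len(central), len(body), 0)
    return bytes(body + central + eocd)


def list_toc(blob):
    """Parse the central directory directly; no password is involved at any point."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", blob, eocd + 10)
    entries = []
    for _ in range(count):
        (sig, _made, _need, flags, _method, _time, _date, _crc, _csize, usize,
         nlen, xlen, clen) = struct.unpack_from("<4sHHHHHHIIIHHH", blob, pos)
        if sig != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "size": usize, "encrypted": bool(flags & 1)})
        pos += 46 + nlen + xlen + clen
    return entries


def read_member(blob, name, password=None):
    """Return a member's content, or None if it is encrypted and no password is given."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        try:
            return zf.read(name, pwd=password)
        except RuntimeError:  # raised for an encrypted member read without a password
            return None


if __name__ == "__main__":
    archive = build_encrypted_zip(SAMPLE_FILES, SAMPLE_PASSWORD)
    for entry in list_toc(archive):
        print(entry)
    print("content without password:", read_member(archive, "contacts/work.vcf"))
```

The names and sizes come back in full while the content stays unreadable, which is the gap that encrypting the TOC in a .7z archive closes.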
  • From VanguardLH@21:1/5 to Frank Slootweg on Sun Jan 28 14:39:12 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    <https://play.google.com/store/apps/details?id=com.rarlab.rar>

    While the app is *named* "RAR", it can handle many other archive
    formats, including ZIP, which was the topic of this subthread.

    Yep. I was surprised it was free since they license their lib/tool to
    create .rar files; however, they don't need to license to themselves.
    That one went on my short list of candidates.

    And - according to the 'About this app' pop-in - the "RAR" Android app
    can also handle 7z archives, which you seem to prefer because it can
    encrypt the TOC.

    It can create .rar and .zip archives. It can only read/extract from .7z archives, and others. I've decided to use Zarchiver on Android which can
    create .7z, .zip, and read other archive formats. Although I've run
    into .rar files from which I needed to extract, I've never needed to
    create .rar files. The cloud sync clients (OneDrive, Google Drive,
    Dropbox) overcome Zarchiver's lack of network support.

    While encrypt/decrypt is mentioned for the Zarchiver app, the algorithm
    is not mentioned, like if AES 128, 256, TwoFish, Whirlpool, Serpent, or
    what. From a screenshot (http://zdevs.ru/en/za/user_guide.html), looks
    like AES 256, but there is a down chevron indicating there are other
    choices; however, the other choices might only be ZipCrypto which is the
    old PKZIP encryption algorithm that has long been vulnerable, but is
    compatible across all Zip archivers.

    I already have OneNote on my Android and Windows hosts, and it can
    encrypt (AES 128) sections of a notebook, and each page in a section can
    have attachments, like files, images, etc, so I could use the setup I
    already have for transferring contacts, or any other data across
    devices. Funny to see how some users so negatively react to Sneakernet.
    I don't need to use all that cloud sync setup with a USB drive. I can
    use whichever transport method that's most convenient or available at
    the time (what, never heard of Internet outages?).

    I still remember the age-old analogy of a truckload of magnetic tapes
    having a far higher bandwidth than any electronic communication
    technology. A truckload of 1000 16-TB magnetic tape media hurtling down
    a highway that takes 30 minutes to move from the vault to onsite is 7.1
    Tb/s bandwidth. I only have 945 Mb/s downstream, and 18 Mb/s upstream
    for my always-on cable Internet connection at home. An encrypted file
    on a USB flash drive in my pocket is far more secure than the encrypted
    file accessible on any network or server.

  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 15:01:52 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH:

    How does WhatsApp know who in your contacts is a WhatsApp
    subscriber?

    WhatsApp claims end-to-end encryption: from client to client, and
    what's on the server remains encrypted (in-situ on server).

    If you store your contacts in the default location, WhatsApp uploads
    them.

    To where? Everything on the server is encrypted. It was encrypted by
    the clients, some of it is stored on the server, but the majority of
    traffic is end-to-end encrypted between the clients. I have not yet
    found out where WhatsApp stores contact data.

    That a service operates over a server in the cloud does not mandate
    anything is stored in the cloud. Take Team Viewer for example. It
    facilitates connections between clients. They do not participate in the
    data transfer and that is client to client.

    Since the WhatsApp clients are connecting to each other facilitated by a server, why does anything need to be stored on the server? In the same
    way you mention using clients that do not upload their contacts to a
    server, but keep them local, why can't WhatsApp clients store contacts
    local only? This would be exactly your scheme where the contacts app on
    the phone stores contacts in a local file (that is not synchronized to
    any server). Those in-storage contacts are available ONLY to the app on
    the phone. They aren't up on the server. In fact, if you configure
    your Contacts app to store local only, none of those contacts are
    visible when you use the web browser to your online account. Those
    local-only contacts remain hidden on the phone. Well, if you claim
    contact apps can store contacts local only, why can't WhatsApp, too?

    I'd have to see a technical paper describing just where contacts are
    stored when using the WhatsApp service. Are they local only, or are
    they up on the server? What would be the point of storing them on the
    server if you cannot log into an account to look at them? I didn't see
    a way to log into the whatsapp.com web site to look at an account. From
    what I've read so far, WhatsApp doesn't maintain a contacts list. It
    gets that list from your phone's address book. Well, we've already been
    over how contacts can be kept local instead of synchronized to a server.

    https://faq.whatsapp.com/345939311073077

    As I understand how it works, unless you set the phone up like I do,
    every time you run WhatsApp, it uploads your contacts to its servers.

    Not what I read on how the WhatsApp operates.

    So not only are his arguments absurd. They're wrong.

    So far, I think you're wrong about how WhatsApp handles contacts.

    It's encrypted. And hashed. But why do you need to tell WhatsApp
    exactly the Venn-Diagram overlap between their databases and _all_
    your contacts?

    Because you register your phone number with WhatsApp, and so do other
    WhatsApp users, and the WhatsApp client checks your contacts in your
    phone's address book (wherever it might be stored locally) to see if
    another WhatsApp client is online with that phone number.

    Uploading your contacts to WhatsApp is *optional* to have them validate
    your list against those who have registered with their service.

    https://faq.whatsapp.com/1191526044909364/?helpref=hc_fnav

    Well, just like you chose to store your contacts local only, you could
    choose NOT to upload your contacts to have WhatsApp verify them.

    I don't think either of us has full knowledge regarding the security of contacts used with WhatsApp. Are you a WhatsApp user? I'm not. You're
    making guesses based on how other apps operate, and I'm guessing from
    what they say.

  • From VanguardLH@21:1/5 to Frank Slootweg on Sun Jan 28 15:10:31 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2024-01-27 22:54, Andrew wrote:
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to upload them.
    Did you ever stop to wonder why they make it so easy to get your contacts?

    I don't upload them.

    Google does.

    So?

    Indeed. And "Google does" [upload your contacts] is also misleading, because Google only does that if you - implicitly or explicitly -
    tell/ask them to do so. You can select to not sync contacts or/and other parts of your Google Accounts.

    The wording also - dishonestly - implies that you give your contacts
    to Google and that 'hence' Google can and does abuse/misuse/spread that information. That's of course nonsense, because Google would be sued to
    bits.

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    Android settings -> General -> Accounts
    (navpath on my LG V20 smartphone)

    You can store your contacts, and other info, anywhere on your phone, but
    they won't get sync'ed anywhere unless you added a sync account. The
    whole point of managing accounts in Android was to have one
    place to manage them. In fact, when you install or configure an app,
    you may be asked to select an account already defined. Instead of
    having to go through all the settings to get an app to connect online,
    you reuse an account already defined.

    If you delete a sync account, no more sync'ing to it. Most of mine are
    for e-mail accounts. However, that's a list of accounts, not what app
    or sync is involved with that account. My Hotmail account, for example,
    is used for: dropbox, Exchange and IMAP apps (e-mail), and OneDrive.
    Deleting a sync account, or not creating it, means no sync with that
    account. I have done this accidentally where I deleted an account for
    e-mail sync that I didn't realize that account was used for other
    purposes. Oops.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 00:13:05 2024
    VanguardLH wrote on Sun, 28 Jan 2024 15:10:31 -0600 :

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    All three of you are always dead wrong because you've never tested it.
    I have.

    Try this simple test _before_ you respond and say Google doesn't get your contacts the very first time you log into your Google account to get email.

    1. (Optional) Wipe out every vestige of your Google Account on your phone
    2. Create a new contact "Frank Carlos Vanguard, +1-234-567-8910" & save it
    3. Simply tap on the default GMail app, get your mail & close the app

    Guess what.
    Google got your contacts.

    Note it doesn't matter *how* you set up GMail to *not* get your contacts. Google got them. (I have tested this many times, but not recently.)

    Do not respond to this until you've tried it.

    Android settings -> General -> Accounts
    (navpath on my LG V20 smartphone)

    It doesn't matter if you don't have a Google account on the phone.
    Google will *create* that Google account if you use some of their apps.

    In the test above, notice it doesn't matter that you wiped out every
    vestige of the google account on your phone. Google will _create_ it.

    Without even asking you.
    Again, don't respond until you've tested it out.

    I speak from real world experience.
    You do not.

    You're all just guessing.
    And you're all guessing wrong.

    And it's not just Google that does this as many apps have access to your contacts. Any one of them can do this. Are you going to test every one?

    The safest way to prevent your contacts from being uploaded to Internet
    servers is simply to not store your contacts into the default database.

    You can store your contacts, and other info, anywhere on your phone, but
    they won't get sync'ed anywhere unless you added a sync account. The
    whole point of managing accounts in Android was to have one
    place to manage them. In fact, when you install or configure an app,
    you may be asked to select an account already defined. Instead of
    having to go through all the settings to get an app to connect online,
    you reuse an account already defined.


    No wonder every statement from the three of you has been wrong on it.
    Syncing isn't rocket science, Vanguard.

    Syncing contacts is as simple as copying a file & merging contents.
    There are plenty of apps which will sync & merge & clean your contacts.

    That the three of you think it's complicated means that the three of you
    don't have any clue how to use a file system, a file editor, or Android.

    Each of you have these fundamental learning problems that are in common.
    1. You don't understand what you're talking about because you're guessing
    2. You're guessing wrong every time
    3. You think copying a file is the most complicated thing in the world

    If you delete a sync account, no more sync'ing to it.

    See above. If you use certain Google apps, then the account is created for
    you even if you deleted it. Why don't you try this before guessing wrong?

    Most of mine are
    for e-mail accounts. However, that's a list of accounts, not what app
    or sync is involved with that account. My Hotmail account, for example,
    is used for: dropbox, Exchange and IMAP apps (e-mail), and OneDrive.
    Deleting a sync account, or not creating it, means no sync with that
    account. I have done this accidentally where I deleted an account for
    e-mail sync that I didn't realize that account was used for other
    purposes. Oops.

    If it's a Google account on the phone (which is different from just having
    a Google account that is not set up on the phone), and if you use certain Google apps on Android (such as Google Voice or Google Maps with a login),
    then guess what. You will have that Google account back on your phone.

    You can't stop Google.
    That you think you can is a problem.

    Not because I can't.
    But because you can't.

    You can't stop what you don't even understand.
    And you can't stop what you think is happening - but something else is.

    All of you are uploading your contacts to Google every time you use their
    apps (such as GMail, Google Voice, logging into Google Maps, etc).

    The only way to stop it (if you use those apps) is to not put anything into
    the Android default contacts database (because that's where they look).

    Please do not respond until you've run the simple tests I ask of you above. It's discouraging to hear people be as confident as you are in being wrong.

    I will no longer respond in this thread until you've shown you ran the
    tests asked of you because otherwise, everything you say, is dead wrong.

    Worse, until you prove it to yourself, you'll guess that I'm dead wrong.
    And we'll just go around in circles until you realize what I said is true.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to Frank Slootweg on Mon Jan 29 01:03:39 2024
    Frank Slootweg wrote on 28 Jan 2024 15:52:21 GMT :

    If you store your contacts in the default location, WhatsApp uploads them.

    Nope, as Carlos correctly said, WhatsApp does *not* upload your
    contacts! (Umpteenth repeat of clue-by-four: WhatsApp Legal)

    If you think otherwise, *prove* it, with a cite from a *reputable*
    source (complete with URL).

    You're not as stupid as Carlos is so bear in mind I dumbed it down because people like Carlos & Vanguard already told me a file copy is too hard.

    If they can't handle how to copy a file, then they can't handle hashes.
    Plus they can't handle common WhatsApp switches like "Contact Upload."

    Since this was covered long ago (I think it may have even been you who
    found all this out) so from my memory, this is how it works for WhatsApp.

    When you use the built-in WhatsApp contact upload feature, for example, WhatsApp will upload your phone numbers *daily* from your default contacts database (frequency depends on how often you use the WhatsApp app).

    They only save the hash of the phone numbers on their servers & they say
    they will disregard the other data like real addresses and real names.
    That's what they say so you have to just trust them on it.

    Notice I said "all" your contacts and not just the ones that use WhatsApp.

    I'm going to repeat this for effect because they say that they do save the
    hash of *every* contact even *before* that contact has joined WhatsApp!

    When they create a hash of each phone number in your address book, they say they delete the original so the only thing they say they store is the hash.

    Notice they link it to you. That is important. It's not wholly anonymous.
    They do that to make it faster when that contact eventually joins WhatsApp.

    So it's not a completely anonymous hash so much as every one of your
    contacts is forever linked to you by an anonymous hash - which isn't the
    same thing as being anonymous because they know who you are exactly.

    All those phone-number hashes are stored on WhatsApp servers.
    That is, you are linked, on WhatsApp servers, to everyone in your contacts.

    They will even track what they call unusual changes in your address book.
    So you have to wonder what kind of "activity" they consider suspicious.

    As a nefarious example, let's say you live in a non-abortion state and you contact numerous abortion doctors - maybe they'd consider that suspicious.
    I'm not accusing them of that. I'm just telling you what they say they do,
    and from that, I'm surmising what they can do with the info that they have.

    If you don't use "Contact Upload" then you'll have limited functionality.

    Bear in mind, Frank, that I dumbed this down greatly for Carlos because he already said that copying a file was too difficult for him so it wouldn't
    have been worth my time to explain it with more than a single sentence.

    Yet he immediately wrongly objected to my single sentence explanation.
    So he wasn't worth even that much of my time trying to help him understand.

    Let me know if you are.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
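
Added example, not part of any post in the thread and not WhatsApp's code: a toy model of the hashed contact upload as the post above describes it, showing that a server holding only phone-number hashes still keeps each hash tied to the uploading account and resolves it once that number registers. SHA-256, the `DiscoveryServer` class and all account names and numbers are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict


def normalize(number):
    """Strip formatting so '+1 (555) 0101' and '+15550101' hash alike."""
    return "+" + "".join(ch for ch in number if ch.isdigit())


def hash_number(number):
    # SHA-256 is an assumption; the post only says "hash".
    return hashlib.sha256(normalize(number).encode("ascii")).hexdigest()


class DiscoveryServer:
    """Hypothetical server side of a hashed contact-upload feature."""

    def __init__(self):
        self.members = {}                 # number hash -> registered account
        self.pending = defaultdict(set)   # non-member hash -> uploading accounts

    def register(self, account, number):
        """Register a number; return the accounts that uploaded it earlier."""
        h = hash_number(number)
        self.members[h] = account
        # The stored link is what lets the server match a newcomer at once.
        return self.pending.pop(h, set())

    def upload_contacts(self, account, numbers):
        """Keep only hashes, tied to the uploader; return contacts already registered."""
        found = []
        for number in numbers:
            h = hash_number(number)       # the plaintext number is not kept
            if h in self.members:
                found.append(self.members[h])
            else:
                self.pending[h].add(account)
        return found

    def links_for(self, account):
        """Count the not-yet-registered numbers still tied to this account."""
        return sum(1 for who in self.pending.values() if account in who)


def demo():
    """Constructed scenario: alice uploads two non-members, then one joins."""
    server = DiscoveryServer()
    server.register("alice", "+1 555 0100")
    already = server.upload_contacts("alice", ["+1-555-0101", "+1 (555) 0102"])
    before = server.links_for("alice")
    notified = server.register("bob", "+15550101")
    after = server.links_for("alice")
    # An account that uploads nothing (the direct-dial approach) leaves no links.
    server.register("dave", "+1 555 0199")
    empty = server.links_for("dave")
    return already, before, notified, after, empty


if __name__ == "__main__":
    print(demo())
```

The server never stores a plaintext number for a non-member, yet `pending` records which account knows which hash, and `register` turns that hash into a known number the moment its owner joins.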
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 19:36:15 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 15:10:31 -0600 :

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    All three of you are always dead wrong because you've never tested it.
    I have.

    Try this simple test _before_ you respond and say Google doesn't get your contacts the very first time you log into your Google account to get email.

    1. (Optional) Wipe out every vestige of your Google Account on your phone
    2. Create a new contact "Frank Carlos Vanguard, +1-234-567-8910" & save it
    3. Simply tap on the default GMail app, get your mail & close the app

    How does the Gmail app on your phone know to what Google account to
    connect to poll for e-mail or to synchronize its local data if there is
    no Google account on your phone? The Gmail app does not store accounts.
    It gets them from the account manager in Android.

    Somehow in your above test you are still connecting to a Google account
    despite your claim you wiped it off your phone. Since the Google account
    is gone, how is any app going to connect to a non-existing account? I
    think your process is flawed, because once signed out of your Google
    account, and with none available from the Android account manager, the
    app doesn't know where to connect. You got prompted to re-add your
    Google account, you did, so then the app knew where to connect. There
    is no master directory with all our names, e-mail addresses, phone
    numbers, and so on that the Gmail app could somehow detect who was using
    the phone to then match up with a master directory.

    You reveal the flaw in your above procedure with "get your mail". Not
    possible without logging into your Google account, but you don't have
    one defined anymore on your phone. To "get your mail" meant you
    reauthorized the app to connect to your Google account, and that meant
    you were prompted as to WHICH Google account your phone should connect.

    Removing your Google account (and others) is what you do before gifting, selling, or trading your phone. You don't want to grant access to
    someone else to get into your accounts.

    Removing a Google account from your phone signs you out of Google's
    apps, like Gmail, Maps, and Calendar. Some Google apps still retain
    some functionality, like Maps and Search, but they cannot use a Google
    account that no longer exists on your phone.

    No Google account on your phone. How does the phone know you are using
    it, and what, if any, Google account is yours? It knows that by the
    account you created in Android's account manager.

    Even after deleting the Google account on your phone, or even resetting
    it, there is still one place that retains records on which device you
    used with Google: up in your online Google account. Go to Your Devices
    to delete them. However, that is information in your Google account
    that apps on your phone no longer know about because you deleted the
    account on your phone. They don't know where to connect.

    Guess what.
    Google got your contacts.

    And this is verified how? By going online into your Google account to
    look at contacts?

    Android settings -> General -> Accounts
    (navpath on my LG V20 smartphone)

    It doesn't matter if you don't have a Google account on the phone.
    Google will *create* that Google account if you use some of their apps.

    No, you get prompted to enter that information. Your choice to add the
    account or not. You slipped up by re-entering the Google account on
    your phone.

    In the test above, notice it doesn't matter that you wiped out every
    vestige of the google account on your phone. Google will _create_ it.

    Only in your world. No accounts get created on your phone without your
    say-so. Ignoring the prompts doesn't change that you added the account. I
    have never owned a phone where I wanted to do e-mail without having to
    specify the account to poll. That could be Google, Microsoft, or
    whomever is operating the e-mail service. At best, when setting up a
    new app, I get prompted which account to reuse that is already defined;
    else, I have to provide specifics on how to log into my account.

    At this point, it's obvious you're just spreading FUD about Google's
    control over Android phones. You gave them your account, so they knew
    where to connect. Delete all accounts, and you go through the setup
    again. And, yes, I have been through that scenario.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 19:39:40 2024
    Andrew <andrew@spam.net> wrote:

    Start with this simple explanation first and then tell me I'm wrong. https://faq.whatsapp.com/1191526044909364

    Start with the first sentence that reads "Contact upload is an optional feature".

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to Frank Slootweg on Mon Jan 29 01:43:32 2024
    Frank Slootweg wrote on 28 Jan 2024 15:43:33 GMT :

    WhatsApp claims end-to-end encryption: from client to client, and what's
    on the server remains encrypted (in-situ on server). However, while
    they do end-to-end encryption on messages, I cannot find specific
    reference to encrypting contacts at the server.

    Probably because WhatsApp does not store "contacts at the server"! :-)

    I drastically dumbed it down for Vanguard & Carlos, Frank. Remember, Carlos said that Microsoft Excel was far too complicated for him, and in fact
    Carlos even ridiculed the use of any Microsoft Office tool ever on a PC.

    So it wouldn't have been worth any energy not to dumb it down for him.
    Even so, he disputed what he doesn't even understand, as do you & Vanguard.

    See this post to you which still dumbs it down for you, but not as much. Message-ID: <up6th9$25lj$1@nnrp.usenet.blueworldhosting.com>

    And if you go down the hole that it's optional if you are willing to put up with loss of basic functionality, then you're missing what most people do.

    So far he's disparaged Google and WhatsApp without providing any
    substance, proof, etc.. Why should he stop there!?

    This conversation is over until and unless you grow up and understand the
    GMail example I gave to Vanguard is something you have never even tried. Message-ID: <up6qig$2h2$1@nnrp.usenet.blueworldhosting.com>

    Because you have never tried it, you're just guessing how it works.
    And you're guessing wrong.

    Stop that.
    Try it.

    Then tell me it doesn't work the way it works.
    When you tell me it doesn't work the way it works, you sound no different
    than Carlos when he ridiculed the use of Microsoft Office tools on a PC.

    Who is that stupid, Frank?
    Carlos is.

    Don't you be that stupid.

    When you tell me that WhatsApp doesn't save the hashes on their servers,
    then you sound stupid Frank - just as stupid as Vanguard did when he
    brought up a million desperate hurdles for why he can't copy a file.

    He sounded stupid.
    Because he vehemently complained about something as simple as a file copy.

    He threw up inane hurdle after asinine hurdle, Frank.
    Like what if he's on vacation or what happens if he loses his phone.
    He demanded to know my MUA. And my contacts manager. And what encryption.

    He went on and on about his last century sneaker net frustrations, Frank.
    And then he complained endlessly about how much he hates mail servers.

    All because he's too lazy to think about how to copy & merge a file.
    Don't be like that Frank.

    You are smarter than Carlos & Vanguard combined and multiplied by ten.
    Don't just guess.

    Remember, I can use WhatsApp with a direct dialer.
    They can't.
    Can you?

    I don't know, but most people are too stupid to understand the implications
    of not feeding any app that asks for it their default Android contacts DB.

    Until you understand the concepts, I've wasted already hours on you.
    In your response, please don't refute what you are just guessing about.

    For example, if you've never used the GMail app, then don't tell me it
    doesn't create an Android account on your phone the moment you use it.

    I'm trying to help you (and Vanguard and Carlos) understand what you don't.

    I don't guess.
    You shouldn't either.

    I don't guess. I test.
    You should too.

    After you test what I've said, then YOU tell me that I was right all along. Until then, good bye.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 01:23:31 2024
    VanguardLH wrote on Sun, 28 Jan 2024 15:01:52 -0600 :

    How does WhatsApp know who in your contacts is a WhatsApp
    subscriber?

    WhatsApp claims end-to-end encryption: from client to client, and
    what's on the server remains encrypted (in-situ on server).

    If you store your contacts in the default location, WhatsApp uploads
    them.

    To where? Everything on the server is encrypted.

    Encrypted or not, each contact is linked to you on WhatsApp servers. (Specifically the hash of the phone number but I'm dumbing it down for you)

    I'd have to see a technical paper describing just where contacts are
    stored when using the WhatsApp service.

    Start with this simple explanation first and then tell me I'm wrong. https://faq.whatsapp.com/1191526044909364

    As I understand how it works, unless you set the phone up like I do,
    every time you run WhatsApp, it uploads your contacts to its servers.

    Not what I read on how WhatsApp operates.

    I'm going to stop this conversation soon because it's frustrating trying to have a sensible conversation with people like you, Carlos & Frank because
    you guess at everything. And you're constantly guessing wrong.

    Look at the reference I just gave you.
    They say they upload your contacts as frequently as daily.

    Please stop guessing.
    Every one of your guesses is dead wrong.


    So not only are his arguments absurd. They're wrong.

    So far, I think you're wrong about how WhatsApp handles contacts.

    I don't guess.
    You do.

    So I'm not wrong.
    You may misunderstand me.
    I might make a typo.
    Or a mistake.

    But if I say it, that's what is happening.

    Did you look at the reference I gave you? https://faq.whatsapp.com/1191526044909364

    You tell me what you think it says.

    And no, don't go down a million extra asinine needless hurdles that you did when I told you how easy it was to NOT put your contacts into a database.

    You spent oodles of time telling me all about how much you hate email.
    That had NOTHING to do with it. You were just desperate for an excuse.

    You demanded I tell you what contacts app I use.
    You demanded to know my MUA.
    And you demanded to know my master editing tool (merging & unduplicating).
    You demanded to know how I encrypted them in storage and transit.
    And then you went on for multiple tirades about copying a simple file.
    You threw in all sorts of absurd hurdles like losing the phone.
    And on and on and on, you demanded information from me and I responded.

    And then in the end you told me that thinking was too hard for you to do.
    So did Carlos. He insulted me saying nobody uses Microsoft Excel on a PC.

    WTF?

    Stop that.
    Assume I know what I'm talking about.

    Not because I'm smart.
    And not even because I'm not stupid.

    But because I don't guess.
    And because I've done it.

    You guess.
    And you've never done it.

    So you guess wrong.
    Every time.

    Uploading your contacts to WhatsApp is *optional* to have them validate
    your list against those who have registered with their service.

    I never said it wasn't.
    If you think I said that, then you guessed at that.

    What I did say was that even WhatsApp will say that WhatsApp functionality
    will be limited if you don't do that. So it's only optional if you don't
    want full functionality (which makes it not really optional in my book).

    BTW, this isn't a problem for me.
    I'm not stupid. And I'm not lazy.

    This is a problem for everyone else who is.

    I've got nothing (that's real) in my contacts database.
    So none of this applies to me.

    But it applies to you (if you use WhatsApp).
    And to Carlos (if he does).
    And Frank too.

    And to just about everyone else who uses WhatsApp.
    Just not me.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 01:50:16 2024
    VanguardLH wrote on Sun, 28 Jan 2024 19:39:40 -0600 :

    Start with this simple explanation first and then tell me I'm wrong.
    https://faq.whatsapp.com/1191526044909364

    Start with the first sentence that reads "Contact upload is an optional feature".

    I never said it wasn't and, let's be clear, I use the WhatsApp direct
    dialer so they only get the contact that I'm communicating directly with.

    And, let's end with the sentence that says something to the effect of if
    you don't do this, you won't get the functionality that you expect of the
    app (which you don't understand as you've probably never used the app).

    With those two statements in mind, I expect an apology before I respond any further because you wasted hours of my time when you were wrong all along.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 01:56:12 2024
    VanguardLH wrote on Sun, 28 Jan 2024 19:36:15 -0600 :

    How does the Gmail app on your phone know to what Google account to
    connect to poll for e-mail or to synchronize its local data if there is
    no Google account on your phone?

    Idiot. Now you're just wasting my time. I'm not reading further.

    I was sincerely trying to help you understand what you just guess at.
    I gave you a simple test case.
    And you stubbornly refuse to test it.

    You just want to guess.
    And you always guess wrong.

    Which is fine.
    But don't tell me I'm wrong when you're only guessing that I'm wrong.

    I'm completely different from you.
    I don't guess.
    I test.

    Without even testing it for a single second, you throw up absurd hurdles
    which show you didn't even read what I wrote, let alone understood it.

    Until you test it, stop guessing that it doesn't work how it does.

    Give me some credit.
    Nothing I've ever said in this thread has been wrong.

    Almost everything you said was.
    Think about that.

    If/when you apologize, I can teach you what you clearly do not know.

    If you remain an obstinate idiot objecting to the simplest things like
    Carlos did when he claimed nobody uses Microsoft Office on a PC (in effect, because _he_ doesn't) then you're only proving to not be worth my energy.

    Try it first.
    Then respond.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to Frank Slootweg on Mon Jan 29 02:06:30 2024
    Frank Slootweg wrote on 28 Jan 2024 15:16:29 GMT :

    For once, try to follow the discussion and try to read for
    comprehension!

    I don't have any problem. I was only giving information/suggestions to *VanguardLH*, for encrypting/decrypting a contacts file *if* he wanted
    to do that, which is *not* (yet) a given.

    I was trying to help you Frank, because you typically choose dumb apps.

    The apps I provided are (IMHO) much better for what _you_ said you wanted
    to do than the apps you listed (I searched for them to help you, Frank).

    In fact, I'd like to ask you what, of what you expressed you needed in this thread, do you NOT get with that ZArchiver that I helpfully found for you?

    As for Vanguard, simply copying a file he said is too much work for him.
    I spent hours trying to address each and every one of his concerns.

    And in the end, like Carlos when he ridiculed the use of Microsoft Office
    on a PC, Vanguard ridiculed the concept of copying a file as a master db.

    Who throws up so many hurdles such that their hurdles are these two things?
    a. Who ridicules the use of Microsoft Office on a PC (but Carlos)?
    b. Who ridicules copy & sync to maintain a Master DB (but Vanguard)?

    The objections you three are throwing up are simply absurd.
    I'm wasting my time trying to explain to you what you can't comprehend.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 02:08:56 2024
    VanguardLH wrote on Sun, 28 Jan 2024 14:08:12 -0600 :

    I need to look further into closing both doors into the barn.

    It's a simple file copy-&-merge process (removing dups) for Christ's sake.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 02:15:30 2024
    VanguardLH wrote on Sun, 28 Jan 2024 14:39:12 -0600 :

    From a screenshot (http://zdevs.ru/en/za/user_guide.html), looks
    like AES 256, but there is a down chevron indicating there are other
    choices; however, the other choices might only be ZipCrypto which is the
    old PKZIP encryption algorithm that has long been vulnerable, but is compatible across all Zip archivers.

    I don't mention an app that I don't install unless it's to solve a problem
    that you have which I don't have the energy or equipment or time to test.

    I installed ZArchiver though, after spending my valuable time and energy to find it to solve the problems that I thought that Frank & you wanted
    solved.

    If you can present to me a simple quick way to test ZArchiver for you, I
    can do that, but if it's something you can test, you should do that first.

    Keep in mind a thank you wouldn't be out of place given I listened to every
    one of your objections (many of which were absurd) and I responded to every one. Likewise with Frank. And Carlos (although Carlos' objection that using Microsoft Office on a PC has to take the cake as he ridiculed that and in effect, he ridiculed me).

    I get ridiculed for trying to help people, which is fine, but Carlos
    ridiculed me for using Microsoft Office on a PC, which is absurd.

    Don't you think?
    That's what I'm dealing with here.

    Until I get a thank you or an apology (actually both are due) I've wasted
    my time trying to help you understand how Android & contacts work.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 23:21:54 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 14:39:12 -0600 :

    From a screenshot (http://zdevs.ru/en/za/user_guide.html), looks
    like AES 256, but there is a down chevron indicating there are other
    choices; however, the other choices might only be ZipCrypto which is the
    old PKZIP encryption algorithm that has long been vulnerable, but is
    compatible across all Zip archivers.

    I installed ZArchiver though, after spending my valuable time and energy to find it to solve the problems that I thought that Frank & you wanted
    solved.

    If you can present to me a simple quick way to test ZArchiver for you,
    I can do that, but if it's something you can test, you should do that
    first.

    Zarchiver has no network access, so you'll need another way to test
    across devices. My simple and most often scenario would be to encrypt a
    file on my Windows host to transfer to my Android device (I tend to say
    host for both since both are networked endpoints). On Windows, I use
    Peazip, a variant of 7-zip (I started with that one before Peazip).
    That's where I'd create the encrypted file, like one with my contact
    records.

    Then I transfer/transport the file to my Android phone where I need to
    decrypt it. AxCrypt would work in that scenario on the Android phone
    since it is an archive viewer/extractor, but I wanted the option to
    encrypt on Android if I wanted to migrate data the other way back to my
    Windows hosts. As long as Zarchiver can encrypt and decrypt an AES 256
    file then that covers the major scenario.

    I installed Zarchiver on my smartphone, and will go forward with that on
    the Android end. However, OneNote gives me AES 128, too, and it has
    apps for Windows, Android, and iOS. So, I have 2 choices. I do save
    sensitive data in sections in my OneNote notebooks, and those sections
    are encrypted, and a password is required to open those sections whether
    it be on my Windows or Android hosts, or when using the MS web UI to my
    OneNote account. I figured on adding Zarchiver on Android, and continue
    using Peazip on Windows, for when I don't want to employ OneNote to do
    both transport and encryption.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 23:36:11 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 14:08:12 -0600 :

    I need to look further into closing both doors into the barn.

    It's a simple file copy-&-merge process (removing dups) for Christ sake.

    Don't know where you are going there. You argue that protecting the
    contact records is better security. I agree, but that's only half the protection. Not securing the e-mails with their contact info is the
    other half. Once I figure out how to secure BOTH is when I'll bother to implement both.

    Think of the cops chasing a perp. The perp is dressed all in black, the
    cops are chasing the perp at night, but the perp is wearing those
    sneakers that light up at the heel with every step. He's hiding while
    visually broadcasting his location. All the blackout clothes were a
    waste with those blinking sneakers.

    I think we've pretty much hashed out how to protect the contact records.
    I've been hunting around for where the e-mails are protected not just in-transit (end-to-end encryption), but also in-situ (residing on the
    server). I found one solution, but it isn't free unless I restrict
    myself to using only HTTPS to access my account. For cooperation with a
    local IMAP client, I'd have to use a local proxy that decrypts the
    e-mails on my end on incoming, and encrypts e-mails on my end for
    outgoing. That's ProtonMail with their bridge (proxy). However, that
    is about $48/year. A bit pricey for my low volume of e-mail.

    I'm not talking about using PGP or x.509/SMIME certs and key pairs to
    send encrypted e-mails. That encrypts the body, not the headers where
    is the contact info. Used to be there were a few places you could get
    free e-mail certificates. They're almost gone now. Comodo was the
    last, but now they want $12/yr via their InstantSSL CA. The only one
    I've found, so far, is at:

    https://shop.actalis.com/store/it-en/certificati-s-mime

    My local e-mail client also supports PGP, but the problem there is the
    cert doesn't identify a CA server, and recipients have to guess which
    PGP repository to query to verify a PGP cert. It was created as a free alternative to using x.509 certs from CA (which required payment).
    Sometimes you see someone here in Usenet adding their PGP signature as
    though that really helps to secure their identity, but no one is going
    to bother looking it up at various PGP repositories to find a match. I
    use eM client which supports X.509/SMIME and PGP encryption. They offer
    their own key repository for others to look you up to verify your
    identity with your public key, but, again, that's yet another PGP
    repository to check. x.509/SMIME certs say who is the CA (Certificate Authority) that issued the cert.

    E-mail encryption doesn't cover encrypting the headers, so the contact
    records are still vulnerable to breaches, hacking, theft, abuse, etc.
    You're protecting the body of the message, not the headers (which are
    required for routing and tracing). I'm checking where the e-mails
    remain encrypted in-situ at the e-mail provider to ensure no one can get
    at the contact headers in them. ProtonMail is too expensive for me. I
    haven't yet found a cheaper or free alternative.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 23:38:51 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 19:36:15 -0600 :

    How does the Gmail app on your phone know to what Google account to
    connect to poll for e-mail or to synchronize its local data if there
    is no Google account on your phone?

    Idiot. Now you're just wasting my time. I'm not reading further.

    Everyone else knows who is the idiot here. You have been deemed a
    troll. Not the obnoxious and obvious type, but the original type that
    was subtle.

    No app can connect to an account it is not told about. No phone is sold
    that comes pre-bundled with YOUR Google account defined on it.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 23:44:38 2024
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 19:39:40 -0600 :

    Start with this simple explanation first and then tell me I'm wrong.
    https://faq.whatsapp.com/1191526044909364

    Start with the first sentence that reads "Contact upload is an optional
    feature".

    I never said it wasn't and, let's be clear, I use the WhatsApp direct
    dialer so they only get the contact that I'm communicating directly with.

    And, let's end with the sentence that says something to the effect of if
    you don't do this, you won't get the functionality that you expect of the
    app (which you don't understand as you've probably never used the app).

    Yep, not uploading your contacts doesn't let others see your online
    status (online, away, offline, whatever) same as when others don't
    upload their contacts then you don't get to see their status. For me,
    and I'm probably not typical, I don't give a gnat's fart about someone's
    status with a service. When I call them, and there is no answer, I call
    back. I don't need to be told they are on the phone, taking a dump, out
    at a restaurant, or anything why they didn't answer the call. They
    didn't answer, I'll try later.

    I'm sure there are other features available with WhatsApp when you upload
    your contacts, but WhatsApp still works in its basic mode when you keep
    private your contacts (don't let WhatsApp app read your phone's address
    book). Often lots of glitz gets added to a product or service that I
    don't care about.

    With those two statements in mind, I expect an apology before I
    respond any further because you wasted hours of my time when you were
    wrong all along.

    And I say you were wrong, so you apologize first. This is Usenet, not
    some uber-friends club where Mom tells us to play nice together. We
    don't learn by agreeing to what we think we already know. We learn
    through contrast or contention.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Andrew on Sun Jan 28 23:45:57 2024
    Andrew <andrew@spam.net> wrote:

    Frank Slootweg wrote on 28 Jan 2024 15:43:33 GMT :

    WhatsApp claims end-to-end encryption: from client to client, and what's
    on the server remains encrypted (in-situ on server). However, while
    they do end-to-end encryption on messages, I cannot find specific
    reference to encrypting contacts at the server.

    Probably because WhatsApp does not store "contacts at the server"! :-)

    I drastically dumbed it down for Vanguard & Carlos, Frank. Remember, Carlos said that Microsoft Excel was far too complicated for him, and in fact
    Carlos even ridiculed the use of any Microsoft Office tool ever on a PC.

    So it wouldn't have been worth any energy not to dumb it down for him.
    Even so, he disputed what he doesn't even understand, as do you & Vanguard.

    See this post to you which still dumbs it down for you, but not as much.
    Message-ID: <up6th9$25lj$1@nnrp.usenet.blueworldhosting.com>

    And if you go down the hole that it's optional if you are willing to put up with loss of basic functionality, then you're missing what most people do.

    So far he's disparaged Google and WhatsApp without providing any
    substance, proof, etc. Why should he stop there!?

    This conversation is over until and unless you grow up and understand the GMail example I gave to Vanguard is something you have never even tried.
    Message-ID: <up6qig$2h2$1@nnrp.usenet.blueworldhosting.com>

    Because you have never tried it, you're just guessing how it works.
    And you're guessing wrong.

    Stop that.
    Try it.

    Then tell me it doesn't work the way it works.
    When you tell me it doesn't work the way it works, you sound no different than Carlos when he ridiculed the use of Microsoft Office tools on a PC.

    Who is that stupid, Frank?
    Carlos is.

    Don't you be that stupid.

    When you tell me that WhatsApp doesn't save the hashes on their servers,
    then you sound stupid Frank - just as stupid as Vanguard did when he
    brought up a million desperate hurdles for why he can't copy a file.

    He sounded stupid.
    Because he vehemently complained about something as simple as a file copy.

    He threw up inane hurdle after asinine hurdle, Frank.
    Like what if he's on vacation or what happens if he loses his phone.
    He demanded to know my MUA. And my contacts manager. And what encryption.

    He went on and on about his last century sneaker net frustrations, Frank.
    And then he complained endlessly about how much he hates mail servers.

    All because he's too lazy to think about how to copy & merge a file.
    Don't be like that Frank.

    You are smarter than Carlos & Vanguard combined and multiplied by ten.
    Don't just guess.

    Remember, I can use WhatsApp with a direct dialer.
    They can't.
    Can you?

    I don't know, but most people are too stupid to understand the implications of not feeding any app that asks for it their default Android contacts DB.

    Until you understand the concepts, I've wasted already hours on you.
    In your response, please don't refute what you are just guessing about.

    For example, if you've never used the GMail app, then don't tell me it doesn't create an Android account on your phone the moment you use it.

    I'm trying to help you (and Vanguard and Carlos) understand what you don't.

    I don't guess.
    You shouldn't either.

    I don't guess. I test.
    You should too.

    After you test what I've said, then YOU tell me that I was right all along. Until then, good bye.

    Why does this guy remind me of Alan Connor?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to VanguardLH on Mon Jan 29 15:06:43 2024
    On 2024-01-29 06:36, VanguardLH wrote:
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 14:08:12 -0600 :

    ...

    E-mail encryption doesn't cover encrypting the headers, so the contact records are still vulnerable to breaches, hacking, theft, abuse, etc.
    You're protecting the body of the message, not the headers (which are required for routing and tracing). I'm checking where the e-mails
    remain encrypted in-situ at the e-mail provider to ensure no one can get
    at the contact headers in them. ProtonMail is too expensive for me. I haven't yet found a cheaper or free alternative.

    Contact information in email can not be encrypted: the software server
    needs to be able to read it in order to route the email to the proper destination.

    Once archived, the storage might be encrypted in full, but you probably
    will not be able to get this for free.

    And this means that further processing is not possible. Email would be impossible to display on webmail or available via imap, so the server
    needs to have the key.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to Andrew on Mon Jan 29 14:55:43 2024
    On 2024-01-29 03:06, Andrew wrote:
    Frank Slootweg wrote on 28 Jan 2024 15:16:29 GMT :

    For once, try to follow the discussion and try to read for
    comprehension!

    I don't have any problem. I was only giving information/suggestions to
    *VanguardLH*, for encrypting/decrypting a contacts file *if* he wanted
    to do that, which is *not* (yet) a given.

    I was trying to help you Frank, because you typically choose dumb apps.

    The apps I provided are (IMHO) much better for what _you_ said you wanted
    to do than the apps you listed (I searched for them to help you, Frank).

    In fact, I'd like to ask you what, of what you expressed you needed in this thread, do you NOT get with that ZArchiver that I helpfully found for you?

    As for Vanguard, simply copying a file he said is too much work for him.
    I spent hours trying to address each and every one of his concerns.

    And in the end, like Carlos when he ridiculed the use of Microsoft Office
    on a PC, Vanguard ridiculed the concept of copying a file as a master db.

    Who throws up so many hurdles such that their hurdles are these two things?
    a. Who ridicules the use of Microsoft Office on a PC (but Carlos)?

    Hi, Arlen!

    I did not ridicule the use of Microsoft Office.

    I simply said I never use it, in decades.

    b. Who ridicules copy & sync to maintain a Master DB (but Vanguard)?

    The objections you three are throwing up are simply absurd.
    I'm wasting my time trying to explain to you what you can't comprehend.

    I'm not throwing objections. You can do what you please, and I will keep
    doing what I please, in this case, using the Android default Address
    Book. To each his own.

    Don't try to teach me how to sync things differently. I know how to sync
    things since computers came with RS232 ports.

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to Andrew on Mon Jan 29 14:57:19 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 28 Jan 2024 15:52:21 GMT :

    If you store your contacts in the default location, WhatsApp uploads them.

    Nope, as Carlos correctly said, WhatsApp does *not* upload your
    contacts! (Umpteenth repeat of clue-by-four: WhatsApp Legal)

    If you think otherwise, *prove* it, with a cite from a *reputable*
    source (complete with URL).

    You're not as stupid as Carlos is so bear in mind I dumbed it down because people like Carlos & Vanguard already told me a file copy is too hard.

    If they can't handle how to copy a file, then they can't handle hashes.
    Plus they can't handle common WhatsApp switches like "Contact Upload."

    Since this was covered long ago (I think it may have even been you who
    found all this out)

    Yes, I pointed to this information several times.

    so from my memory, this is how it works for WhatsApp.

    When you use the built-in WhatsApp contact upload feature, for example, WhatsApp will upload your phone numbers *daily* from your default contacts database (frequency depends on how often you use the WhatsApp app).

    They only save the hash of the phone numbers on their servers & they say
    they will disregard the other data like real addresses and real names.
    That's what they say so you have to just trust them on it.

    They will not "disregard the other data ...", they will not retrieve
    it in the first place! "disregard" is already misleading and FUD.

    Notice I said "all" your contacts and not just the ones that use WhatsApp.

    I'm going to repeat this for effect because they say that they do save the hash of *every* contact even *before* that contact has joined WhatsApp!

    Now - and later - you're mixing up "contact" and "phone number". They
    do *not* retrieve, upload, collect, store, save, <whatever> "contact"s.
    They only retrieve/store *phone number*s. And for non WhatsApp users,
    they store only a cryptographic hash value, not the phone number itself.

    And *because* they only store *phone numbers*, not contacts, they
    *can not* do the dreadful things which you and others say/imply do /
    might do.

    So now try to remember the difference between a phone number and a
    contact, so we will not have to do this silly dance over and over again.

    [...]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to VanguardLH on Mon Jan 29 15:14:31 2024
    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:

    Start with this simple explanation first and then tell me I'm wrong.
    https://faq.whatsapp.com/1191526044909364

    Start with the first sentence that reads "Contact upload is an optional feature".

    The main problem, is that "Contact upload" is a misnomer. WhatsApp
    does *not* upload your "contact"s. What they do and do not do, I have
    explained in the response to 'Arlen', which I posted a little while ago.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Carlos E.R.@21:1/5 to VanguardLH on Mon Jan 29 15:14:12 2024
    On 2024-01-29 06:45, VanguardLH wrote:
    Andrew <andrew@spam.net> wrote:

    Frank Slootweg wrote on 28 Jan 2024 15:43:33 GMT :

    ...

    After you test what I've said, then YOU tell me that I was right all along.
    Until then, good bye.

    Why does this guy remind me of Alan Connor?

    Who is that one? Another name of Arlen, perhaps?

    --
    Cheers, Carlos.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to VanguardLH on Mon Jan 29 15:25:48 2024
    VanguardLH <V@nguard.lh> wrote:
    [...]

    Why does this guy remind me of Alan Connor?

    You asked yourself that in December 2021 as well about 'Joel' in the
    Windows 10/11 groups.

    This was my response:

    Message-ID: <sqn87q.qgg.1@ID-201911.user.individual.net>

    Can't be bothered to back-track that to see if 'Joel' was 'Arlen'.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to Andrew on Mon Jan 29 15:36:20 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 28 Jan 2024 15:16:29 GMT :

    For once, try to follow the discussion and try to read for
    comprehension!

    I don't have any problem. I was only giving information/suggestions to *VanguardLH*, for encrypting/decrypting a contacts file *if* he wanted
    to do that, which is *not* (yet) a given.

    I was trying to help you Frank, because you typically choose dumb apps.

    <barf!>

    The apps I provided are (IMHO) much better for what _you_ said you wanted
    to do than the apps you listed (I searched for them to help you, Frank).

    In fact, I'd like to ask you what, of what you expressed you needed in this thread, do you NOT get with that ZArchiver that I helpfully found for you?

    FX File Explorer is - as the name says - a file explorer *and* it has *integrated* *selective* archive (decryption and) extraction
    functionality. *That* suits *my* needs better than any standalone archiver/extractor.

    Moral: Try to learn the difference between people asking for help and
    people trying to help/advise other people.

    [...]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to VanguardLH on Mon Jan 29 16:23:56 2024
    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 15:10:31 -0600 :

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    All three of you are always dead wrong because you've never tested it.
    I have.

    Try this simple test _before_ you respond and say Google doesn't get your contacts the very first time you log into your Google account to get email.

    1. (Optional) Wipe out every vestige of your Google Account on your phone
    2. Create a new contact "Frank Carlos Vanguard, +1-234-567-8910 & save it
    3. Simply tap on the default GMail app, get your mail & close the app

    How does the Gmail app on your phone know to what Google account to
    connect to poll for e-mail or to synchronize its local data if there is
    no Google account on your phone? The Gmail app does not store accounts.
    It gets them from the account manager in Android.

    Somehow in your above test you are still connecting to a Google account despite you claim you wiped it off your phone. Since the Google account
    is gone, how is any app going to connect to a non-existing account? I
    think your process is flawed, because once signed out of your Google
    account, and with none available from the Android account manager, the
    app doesn't know where to connect.
    [...]
    Guess what.
    Google got your contacts.

    His flaw is that he says "Wipe out every vestige of your Google
    Account on your phone", but that does not delete the Google Account
    *itself*, it only wipes out *references (from the phone) to* the Google Account. The Google Account still lives happily ever after and the 'Your devices' list is still there and kept for 28 days, so also logging out
    on your Android device probably still allows Google to re-connect your
    Android device to your (non-deleted) Google Account.

    So 'Arlen' hasn't actually proven anything.

    As to "Guess what. Google got your contacts.", as I said, it's not
    "Google" - i.e. FUD - which got your contacts, but <FS>"*your* Google
    Account storage"</FS> has got your contacts. Duh!

    [...]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to VanguardLH on Mon Jan 29 19:06:35 2024
    [Disclaimer: This might be (partly) a duplicate.]

    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2024-01-27 22:54, Andrew wrote:
    Carlos E.R. wrote on Sat, 27 Jan 2024 22:30:50 +0100 :

    The people who take your contacts make it very convenient to
    upload them. Did you ever stop to wonder why they make it so
    easy to get your contacts?

    I don't upload them.

    Google does.

    So?

    Indeed. And "Google does" [upload your contacts] is also misleading, because Google only does that if you - implicitly or explicitly -
    tell/ask them to do so. You can select to not sync contacts or/and other parts of your Google Accounts.

    The wording also - dishonestly - implies that you give your contacts
    to Google and that 'hence' Google can and does abuse/misuse/spread that information. That's of course nonsense, because Google would be sued to bits.

    *Fact* is that *if* you choose to upload your contacts to 'Google', it only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    Android settings -> General -> Accounts
    (navpath on my LG V20 smartphone)

    You can store your contacts, and other info, anywhere on your phone, but
    they won't get sync'ed anywhere unless you added a sync account. That
    was the whole point of managing accounts in Android was to have one
    place to manage them. In fact, when you install or configure an app,
    you may be asked to select an account already defined. Instead of
    having to go through all the settings to get an app to connect online,
    you reuse an account already defined.

    If you delete a sync account, no more sync'ing to it.

    Yes, but my point was/is, that even if you *do* have a Google Account
    for syncing, "You can select to *NOT* sync contacts or/and other
    parts of your Google Accounts.".

    So Arlen's '"Google does" [upload your contacts]' is false from any
    angle. First - and most importantly - it's not 'uploading' and hence not
    the innuendo implied by that term - and secondly, as I wrote, <FS> it
    only gets into *your* Google Account storage. Duh! </FS>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From VanguardLH@21:1/5 to Frank Slootweg on Mon Jan 29 14:20:13 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    [...]

    Why does this guy remind me of Alan Connor?

    You asked yourself that in December 2021 as well about 'Joel' in the Windows 10/11 groups.

    This was my response:

    Message-ID: <sqn87q.qgg.1@ID-201911.user.individual.net>

    Can't be bothered to back-track that to see if 'Joel' was 'Arlen'.

    I need to retract that. With Alan Connor, if you agreed with him you
    were God's right hand, but if you disagreed or even asked for more
    information you became Satan. Andrew seems familiar due to his style,
    but I can't place him yet. Perhaps your NNTP client's (tin) retention
    is longer than mine. How long has Andrew been here? More than 3
    months? Maybe he nymshifted. I previously purged messages older than 2
    months since the older the thread then the less interesting it is. I
    upped retention to a year, but that change was in the last month.

    Claims an app can connect to an undefined account. I've experienced the opposite. I suspect eventually he would suggest I reset my phone, and
    load the bundled Gmail app which will divine my Google account. Says
    there have been thousands of posts here about hiding contacts. "It's so
    simple that it's obvious. Elegant. Efficient. Private. Secure." as that
    must be so detailed as to help others ... not. Needs prodding to give
    details (similar to micky). Thinks his setup on a LAN is of any
    importance regarding a solution across devices over the Internet. Makes statements about WhatsApp that refutes info by WhatsApp and elsewhere. Belittles others, but he wants apologies from those who contend his
    statements ... in Usenet, no less. Claims Internet access to a NAS
    device on his intranet is easy, yet doesn't describe how he manages that
    so easily compared to how I describe a possible setup. Focuses on
    contact lists, but never addresses why unprotected e-mails on the server
    with all those contact headers doesn't obviate his solution on
    protecting contact lists.

    Not everything Andrew says is bogus. There's enough content to keep
    interest in reading him, whether I agree with him or not, but it can
    take some prodding to get specifics rather than his sweeping claims.
    Yes, for some users, keeping their contacts private is very important,
    and some methods have been mentioned here, but it's only been about
    protecting contact lists, not about the e-mails that contain the
    contacts. If a breach can get at your contacts, it can also get at your e-mails with contact headers.

    I'm still looking into how to keep everything encrypted on the server, including the headers. ProtonMail is too expensive for my very low
    e-mail volume. I prefer to use a local e-mail client, not their web
    app, and that requires using their bridge (local proxy) that locally
    decrypts the e-mail traffic to then handed to the local e-mail client,
    but their bridge requires a paid service tier with them. They do
    encrypt all content (body and headers) in-situ on their server, so a
    breach won't get at my contacts or e-mails (and their headers with
    contact info). Their free service tier has me using their web site
    instead of a local e-mail account; however, there is an option to send notifications of new mails in a Proton account to another account, so I
    can get notification by my local e-mail account of new mails at
    ProtonMail, but I would still have to use a web browser to see the new
    mail. I've found other ProtonMail wannabes, but they don't have the
    e-mails themselves fully encrypted, including headers, so a breach could
    expose contacts via e-mail headers.

    PGP or x.509/SMIME certificates with public/private key pairs encrypt
    only the bodies of e-mails, but not the other headers in an e-mail
    containing the contact info needed to route and track transfer of
    e-mails. Plus, you cannot force your senders to always encrypt their
    e-mails to you (after you've given them your public key). The headers
    aren't encrypted, because they're needed for routing the message until deposited into your account, but once in your account the headers could
    be encrypted, too.

    E2EE server-to-client doesn't protect your e-mails on the server from
    hacking or breaches. E2EE client-to-client can protect better, but
    that's a scenario hard to do with e-mail built on a trust model with
    some security tacked on (PGP/SMIME, SPF/DKIM/DMARC/MX DNS records).
    E-mail is intrinsically "open". For users that want their contacts and messages protected wherever they reside, E2EE client-to-client works,
    and easier to implement. E2EE client-to-client for e-mail (with headers
    also encrypted) is hard, the solutions a bit clumsy, and may require
    getting stuck with HTTPS to a web app at a free service tier.

    For now, I use ProtonMail to keep e-mail data (whole messages, so
    headers included) protected in-situ on the server. It's configured to
    notify my Hotmail account when new messages arrive at ProtonMail. That
    gives a URL back to their web site to securely read the new mail. I can protect my e-mails to others with a passphrase: the recipient has to
    enter the passphrase after they are redirected from their e-mail client
    to ProtonMail's web app (they don't need to login, just give the
    passphrase). Unlike doling out a public key, you need to somehow get
    the passphrase to the sender. I configured my ProtonMail account to
    always add a PGP public key to my outbound messages to let the recipient
    use it to encrypt their message back, but not all e-mail clients support
    PGP (or x.509/SMIME), webmail apps typically don't support digital
    signing or encryption (lots of users use webmail instead of local
    clients), and recipients may not know how to implement encryption in
    whatever client they use. Getting a message taking them to ProtonMail's
    web site (no login required) to enter a passphrase is much easier for
    them to figure out. But separately getting them the passphrase is a
    nuisance unless you can allude to the string value by a combination of
    info only they would know.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
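The point made in the post above and in the 28 Jan post (PGP and S/MIME protect the body while the address headers stay readable wherever the message is stored) can be checked from a message's structure alone. This is an added example, not code from any poster in this thread; the sample messages, addresses and function names are constructed for illustration.

```python
"""Report what stays readable in a stored e-mail whose body is encrypted."""
from email import message_from_string
from email.utils import getaddresses

# Headers that carry correspondents' addresses.
ADDRESS_HEADERS = ("From", "To", "Cc", "Reply-To", "Sender")

# Constructed sample: PGP/MIME layout (RFC 3156). The armored block is a
# placeholder, not real ciphertext; every address is made up.
PGP_MIME_SAMPLE = """\
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Cc: carol@example.com
Subject: Q1 numbers
Date: Mon, 29 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder for ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: S/MIME enveloped-data layout; "AAAA" stands in for
# the base64 CMS blob.
SMIME_SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data;
 name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""

# Constructed sample: ordinary unencrypted message.
PLAIN_SAMPLE = """\
From: dave@example.org
To: alice@example.org
Subject: lunch
Content-Type: text/plain

See you at noon.
"""


def body_protection(msg):
    """Classify how the body is protected, judging only by MIME structure."""
    ctype = msg.get_content_type()
    if (ctype == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    if (ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")
            and msg.get_param("smime-type") == "enveloped-data"):
        return "smime"
    return "none"


def exposure_report(raw):
    """Return what anyone holding the stored message can read without a key."""
    msg = message_from_string(raw)
    header_values = [v for h in ADDRESS_HEADERS for v in msg.get_all(h, [])]
    addresses = sorted({addr.lower()
                        for _name, addr in getaddresses(header_values) if addr})
    return {
        "body": body_protection(msg),      # how the body is protected
        "addresses": addresses,            # contact data still in clear
        "subject": msg.get("Subject"),     # also an ordinary header
    }


def contacts_visible_in_mailbox(raw_messages):
    """Union of addresses readable from headers across stored messages."""
    seen = set()
    for raw in raw_messages:
        seen.update(exposure_report(raw)["addresses"])
    return sorted(seen)


if __name__ == "__main__":
    for sample in (PGP_MIME_SAMPLE, SMIME_SAMPLE, PLAIN_SAMPLE):
        print(exposure_report(sample))
    print(contacts_visible_in_mailbox(
        [PGP_MIME_SAMPLE, SMIME_SAMPLE, PLAIN_SAMPLE]))
```
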
  • From VanguardLH@21:1/5 to Frank Slootweg on Mon Jan 29 14:42:59 2024
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 15:10:31 -0600 :

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    All three of you are always dead wrong because you've never tested it.
    I have.

    Try this simple test _before_ you respond and say Google doesn't get your
    contacts the very first time you log into your Google account to get email.

    1. (Optional) Wipe out every vestige of your Google Account on your phone
    2. Create a new contact "Frank Carlos Vanguard, +1-234-567-8910 & save it
    3. Simply tap on the default GMail app, get your mail & close the app

    How does the Gmail app on your phone know to what Google account to
    connect to poll for e-mail or to synchronize its local data if there is
    no Google account on your phone? The Gmail app does not store accounts.
    It gets them from the account manager in Android.

    Somehow in your above test you are still connecting to a Google account
    despite your claim you wiped it off your phone. Since the Google account
    is gone, how is any app going to connect to a non-existing account? I
    think your process is flawed, because once signed out of your Google
    account, and with none available from the Android account manager, the
    app doesn't know where to connect.
    [...]
    Guess what.
    Google got your contacts.

    His flaw is that he says "Wipe out every vestige of your Google
    Account on your phone", but that does not delete the Google Account
    *itself*, it only wipes out *references (from the phone) to* the Google
    Account. The Google Account still lives happily ever after and the 'Your
    devices' list is still there and kept for 28 days, so also logging out
    on your Android device probably still allows Google to re-connect your
    Android device to your (non-deleted) Google Account.

    So 'Arlen' hasn't actually proven anything.

    I do see in my online (web) Google account, as part of security showing
    which device has connected to your account, it will list those devices.
    This is for history, not a reverse connection setup where Google
    connects to your phone to reinstate an account definition for Google.

    The Google FindMyDevice service runs on your phone. However, without a
    Google account online, you don't get that feature. The service has
    nowhere to report the phone's location. The service connecting to
    Google's servers is of no use if the service on your phone doesn't know
    to where it reports the phone's location. You still need to tell the
    service on the phone where to report.

    Andrew's claim is deleting the Google account defined on the phone will
    still have the Gmail app find your Google account. Opposite happened to
    me: when I deleted the Google account defined on the phone, the Gmail
    app didn't know where to connect.

    There are Google apps that still access Google services, like Maps, but
    those don't need a Google account to perform basic functions. It won't
    connect to your Google account, because you didn't define one, but it
    still uses Google's Maps API to access their maps service.

  • From Andrew@21:1/5 to Carlos E.R. on Mon Jan 29 21:22:18 2024
    Carlos E.R. wrote on Mon, 29 Jan 2024 14:55:43 +0100 :

    I did not ridicule the use of Microsoft Office.
    I simply said I never use it, in decades.

    Microsoft Excel is a perfectly good way to sort, merge & remove dups.
    The only better MS Office tool would be Access (but that's overkill).

    b. Who ridicules copy & sync to maintain a Master DB (but Vanguard)?

    The objections you three are throwing up are simply absurd.
    I'm wasting my time trying to explain to you what you can't comprehend.

    I'm not throwing objections.

    All you had to do was say that you understood the concept of NOT storing
    the contacts in the default contact database and that would have been
    better.

    By throwing up objections (such as the fact that you're the only one on the
    planet who doesn't use Microsoft Office on their PC), you were objecting to
    the concept.

    Simply state you understand the concept.
    And then you can say but it's too much work for you to think.

    Mice don't think. They can't put 2 & 2 together. They can't learn anything. Don't be a mouse.

    You can do what you please, and I will keep
    doing what I please, in this case, using the Android default Address
    Book. To each his own.

    As I said, you'd have to think in order not to do exactly what the
    well-funded marketing people told you to do - just like this mouse should
    have thought before it ate the peanut butter next to this other mouse.
    https://i.postimg.cc/dVzTCbvz/mouse1.jpg

    Don't try to teach me how to sync things differently. I know how to sync things since computers came with RS232 ports.

    I'm trying to help you NOT be that mouse you see above as tomorrow there
    will be more (and more after that). Try not to be that mouse, Carlos.

    The safest way to not be that mouse is to NOT eat that peanut butter.
    The safest place for your contacts is NOT to put them in the default db.

  • From Andrew@21:1/5 to Frank Slootweg on Mon Jan 29 21:19:32 2024
    Frank Slootweg wrote on 29 Jan 2024 15:36:20 GMT :

    I was trying to help you Frank, because you typically choose dumb apps.

    <barf!>

    Of what ZArchiver claims it does, what isn't to your liking?
    https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver

  • From Carlos E.R.@21:1/5 to VanguardLH on Mon Jan 29 22:25:02 2024
    On 2024-01-29 21:20, VanguardLH wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    [...]

    Why does this guy remind me of Alan Connor?

    You asked yourself that in December 2021 as well about 'Joel' in the
    Windows 10/11 groups.

    This was my response:

    Message-ID: <sqn87q.qgg.1@ID-201911.user.individual.net>

    Can't be bothered to back-track that to see if 'Joel' was 'Arlen'.

    I need to retract that. With Alan Connor, if you agreed with him you
    were God's right hand, but if you disagreed or even asked for more information you became Satan. Andrew seems familiar due to his style,
    but I can't place him yet. Perhaps your NNTP client's (tin) retention
    is longer than mine. How long has Andrew been here? More than 3
    months? Maybe he nymshifted. I previously purged messages older than 2 months since the older the thread then the less interesting it is. I
    upped retention to a year, but that change was in the last month.

    Andrew's first message appeared on 2023-12-21.
    Wally J aka Arlen's last message was on 2024-01-01

    Arlen has also that trait, he insults you if you contradict him. Past
    month he was praising me, today I'm stupid.

    ...

    Not everything Andrew says is bogus. There's enough content to keep
    interest in reading him, whether I agree with him or not, but it can
    take some prodding to get specifics rather than his sweeping claims.
    Yes, for some users, keeping their contacts private is very important,
    and some methods have been mentioned here, but it's only been about protecting contact lists, not about the e-mails that contain the
    contacts. If a breach can get at your contacts, it can also get at your e-mails with contact headers.

    Right.


    I'm still looking into how to keep everything encrypted on the server, including the headers.

    I don't think you can.

    ProtonMail is too expensive for my very low
    e-mail volume. I prefer to use a local e-mail client, not their web
    app, and that requires using their bridge (local proxy) that locally
    decrypts the e-mail traffic to then hand it to the local e-mail client,
    but their bridge requires a paid service tier with them. They do
    encrypt all content (body and headers) in-situ on their server, so a
    breach won't get at my contacts or e-mails (and their headers with
    contact info). Their free service tier has me using their web site
    instead of a local e-mail account; however, there is an option to send
    notifications of new mails in a Proton account to another account, so I
    can get notification by my local e-mail account of new mails at
    ProtonMail, but I would still have to use a web browser to see the new
    mail. I've found other ProtonMail wannabees, but they don't have the
    e-mails themselves fully encrypted, including headers, so a breach could
    expose contacts via e-mail headers.

    PGP or x.509/SMIME certificates with public/private key pairs encrypt
    only the bodies of e-mails, but not the other headers in an e-mail
    containing the contact info needed to route and track transfer of
    e-mails.

    That can not be done, it breaks transport.

    Plus, you cannot force your senders to always encrypt their
    e-mails to you (after you've given them your public key). The headers
    aren't encrypted, because they're needed for routing the message until deposited into your account, but once in your account the headers could
    be encrypted, too.

    Maybe. I have my doubts. If they have webmail and you can read email
    there, they have the key too.


    E2EE server-to-client doesn't protect your e-mails on the server from
    hacking or breaches. E2EE client-to-client can protect better, but
    that's a scenario hard to do with e-mail built on a trust model with
    some security tacked on (PGP/SMIME, SPF/DKIM/DMARC/MX DNS records).
    E-mail is intrinsically "open". For users that want their contacts and messages protected wherever they reside, E2EE client-to-client works,
    and easier to implement. E2EE client-to-client for e-mail (with headers
    also encrypted) is hard, the solutions a bit clumsy, and may require
    getting stuck with HTTPS to a web app at a free service tier.

    For now, I use ProtonMail to keep e-mail data (whole messages, so
    headers included) protected in-situ on the server. It's configured to
    notify my Hotmail account when new messages arrive at ProtonMail. That
    gives a URL back to their web site to securely read the new mail. I can protect my e-mails to others with a passphrase: the recipient has to
    enter the passphrase after they are redirected from their e-mail client
    to ProtonMail's web app (they don't need to login, just give the
    passphrase). Unlike doling out a public key, you need to somehow get
    the passphrase to the sender. I configured my ProtonMail account to
    always add a PGP public key to my outbound messages to let the recipient
    use it to encrypt their message back, but not all e-mail clients support
    PGP (or x.509/SMIME), webmail apps typically don't support digital
    signing or encryption (lots of users use webmail instead of local
    clients), and recipients may not know how to implement encryption in
    whatever client they use. Getting a message taking them to ProtonMail's
    web site (no login required) to enter a passphrase is much easier for
    them to figure out. But separately getting them the passphrase is a
    nuisance unless you can allude to the string value by a combination of
    info only they would know.

    --
    Cheers, Carlos.
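
The point made in the post above, that PGP or S/MIME protects only the body while the routing headers stay readable, shown as an added example that is not part of the original thread. The sample messages, addresses and function names are constructed for illustration; it rebuilds a contact list from stored messages without decrypting anything.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers that carry contact data and stay in cleartext for delivery.
ADDRESS_HEADERS = ("From", "To", "Cc", "Reply-To")
ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample mailbox (not real mail, not real ciphertext).
SAMPLE_MAILBOX = [
    # 1: PGP/MIME (RFC 3156) message
    """\
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>, "Carol Example" <carol@example.com>
Cc: dave@example.net
Subject: Q1 numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder standing in for ciphertext)
-----END PGP MESSAGE-----
--b1--
""",
    # 2: inline-armored reply
    """\
From: bob@example.net
To: Alice Example <alice@example.org>
Subject: Re: Q1 numbers

-----BEGIN PGP MESSAGE-----

(constructed placeholder standing in for ciphertext)
-----END PGP MESSAGE-----
""",
]


def is_pgp_encrypted(msg):
    """True for a PGP/MIME container or an inline-armored single-part body."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if not msg.is_multipart():
        return ARMOR in msg.get_payload()
    return False


def exposed_metadata(raw):
    """Return what is readable in one stored message without any key."""
    msg = message_from_string(raw)
    contacts = set()
    for header in ADDRESS_HEADERS:
        for name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                contacts.add((name, addr.lower()))
    return {
        "body_encrypted": is_pgp_encrypted(msg),
        "subject": msg.get("Subject"),
        "contacts": contacts,
    }


def contact_graph(mailbox):
    """Map address -> display names and message count, using only the
    headers of messages whose bodies are encrypted."""
    graph = {}
    for raw in mailbox:
        meta = exposed_metadata(raw)
        if not meta["body_encrypted"]:
            continue
        for addr in {a for _, a in meta["contacts"]}:
            graph.setdefault(addr, {"names": set(), "messages": 0})
            graph[addr]["messages"] += 1
        for name, addr in meta["contacts"]:
            if name:
                graph[addr]["names"].add(name)
    return graph


if __name__ == "__main__":
    for addr, info in sorted(contact_graph(SAMPLE_MAILBOX).items()):
        print(addr, sorted(info["names"]), info["messages"])
```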

  • From Carlos E.R.@21:1/5 to Andrew on Mon Jan 29 22:39:20 2024
    On 2024-01-29 22:22, Andrew wrote:
    Carlos E.R. wrote on Mon, 29 Jan 2024 14:55:43 +0100 :

    I did not ridicule the use of Microsoft Office.
    I simply said I never use it, in decades.

    Microsoft Excel is a perfectly good way to sort, merge & remove dups.
    The only better MS Office tool would be Access (but that's overkill).

    Did I say otherwise?


    b. Who ridicules copy & sync to maintain a Master DB (but Vanguard)?

    The objections you three are throwing up are simply absurd.
    I'm wasting my time trying to explain to you what you can't comprehend.

    I'm not throwing objections.

    All you had to do was say that you understood the concept of NOT storing
    the contacts in the default contact database and that would have been
    better.

    It is fine for you if you want to do that. I don't.


    By throwing up objections (such as the fact that you're the only one on the
    planet who doesn't use Microsoft Office on their PC), you were objecting to
    the concept.

    There are millions that do not use M$ Office. All Linux users, and then
    some more.

    Should I call you names for you ignoring their existence?

    Simply state you understand the concept.
    And then you can say but it's too much work for you to think.

    Arlen, I simply hold a different opinion than you, and I'm not stupid.
    You have the trait that if someone doesn't agree with you, you call us
    stupid.

    So I stop reading here.

    --
    Cheers, Carlos.

  • From Andrew@21:1/5 to Carlos E.R. on Mon Jan 29 23:02:10 2024
    Carlos E.R. wrote on Mon, 29 Jan 2024 22:39:20 +0100 :

    You have the trait that if someone doesn't agree with you, you call us stupid.

    You're wrong. I love to learn from others. I've always loved to learn.

    If you gave me a rational sensible & logical reason for telling me the moon
    was made of cheese, I'd believe you (if it made any real sense, that is).

    But your sole objection to privacy was that you don't use Microsoft Office.
    As if Microsoft Office had anything whatsoever to do with the concept.

    Any file editor would have worked as well.

    What kind of person exists that doesn't know how to use any file editors?
    You and who else?

    Nobody else.
    Just you.

    If your objection to privacy made sense, I'd think differently about you.

  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 22:29:20 2024
    VanguardLH wrote on Sun, 28 Jan 2024 23:36:11 -0600 :

    It's a simple file copy-&-merge process (removing dups) for Christ's sake.

    Don't know where you are going there. You argue that protecting the
    contact records is better security. I agree, but that's only half the protection. Not securing the e-mails with their contact info is the
    other half. Once I figure out how to secure BOTH is when I'll bother to implement both.

    Good apps import & export of the standard-format contacts vcf vcard file.
    https://i.postimg.cc/Rh89RMHc/contactsexportimport.jpg

    I snapped this picture in my wood shop which shows what you're planning.
    https://i.postimg.cc/dVzTCbvz/mouse1.jpg

    Those are two different mice. One certainly knew about the other.
    And yet one fell into the small trap. And one fell into the large trap.

    Yet the small trap and the large trap ended up the same for each mouse.
    What you're speaking about is the same two similar but different traps.

    1. There is the contacts database (which is the big trap).
    2. There is the contacts in your email (which is a smaller trap).

    It's clear there is much more data in your contacts database than in the
    email header since the contacts database contains extra information such as
    the name and address and cell phone versus home phone and maybe even a
    photo or birthday or other information which the email header doesn't have.

    The email header is the small trap.
    I'm not denying both traps exist.

    I'm just explaining to you (and more to others reading this) the simplest
    most effective way to avoid the big trap is to not take the bait in it.

    Don't store your contacts in the default Android database & you're fine.
    Simply use apps that respect your wishes (via import/export of vcf files).

    To avoid the big trap, all you have to do is click the buttons shown below.
    https://i.postimg.cc/Rh89RMHc/contactsexportimport.jpg

    All good apps that deal with contacts should have both those two buttons.
    (Note some apps have only one - which is always import - which is sneaky.)

    Good apps import & export of the standard-format contacts vcf vcard file.

  • From Andrew@21:1/5 to Frank Slootweg on Mon Jan 29 23:28:17 2024
    Frank Slootweg wrote on 29 Jan 2024 16:23:56 GMT :

    His flaw is that he says "Wipe out every vestige of your Google
    Account on your phone"...

    I never once said that. So stop guessing (always wrong) at what I said.
    I said the best place to put contacts is NOT in the default location.

    but that does not delete the Google Account
    *itself*, it only wipes out *references (from the phone) to* the Google Account.

    Frank. You are smarter than ten Vanguards & a hundred Carloses so you must understand that if you've never once set up a Google Account on the phone,
    then that Google Account isn't on the phone. Period.

    That you claim it is, is simply absurd.

    The Google Account still lives happily ever after and the 'Your
    devices' list is still there and kept for 28 days, so also logging out
    on your Android device probably still allows Google to re-connect your Android device to your (non-deleted) Google Account.

    Frank - I have so many Google Accounts I can't count them; but I don't have
    any of them set up on the phone.

    For you to confuse the two concepts is something you're either doing on
    purpose or if you can't figure out the difference, then that's just sad.

    As to "Guess what. Google got your contacts.", as I said, it's not
    "Google" - i.e. FUD - which got your contacts, but <FS>"*your* Google
    Account storage"</FS> has got your contacts. Duh!

    Frank. I may have been wrong when I said you were smarter than Vanguard and
    Carlos because even you show no comprehension that an email address is not
    the only thing that is stored in a typical Android user's contact database.

    Names. Addresses. Phone numbers. Birthdays are stored too.

    Lots of personally identifiable data is stored in a contacts database, most
    of which has absolutely nothing to do with sending those contacts an email.

    That you don't understand that means you're just guessing.
    And you're guessing wrong.

    Please do not respond to this message until you can say that you understand
    the difference between an email address and a phone number for God's sake.

  • From Andrew@21:1/5 to VanguardLH on Mon Jan 29 23:15:41 2024
    VanguardLH wrote on Sun, 28 Jan 2024 23:38:51 -0600 :

    No app can connect to an account it is not told about. No phone is sold
    that comes pre-bundled with YOUR Google account defined on it.

    Do you realize what you just said?
    Probably you do not.

    I think you don't understand the concepts.
    They're simple.
    But you guess at what they mean.
    Instead of understanding them.

    For example, there's the concept of having a google account.
    And then there's a DIFFERENT concept of having it set up on the phone.

    Those are two different things that you guess are the same.
    They're not.

    They're different.

    That's the whole point here with you.
    You know absolutely nothing about what you're talking about.

    Yet you guess.
    And you guess wrong.
    Every single time.

    I said it so many times I'm sick of saying it.
    Your brain does not process words.

    Let me say it one more time, because you are guessing wrong every time.
    1. Even if you never had a Google Account set up on the phone.
    2. The instant you get your mail with the Android GMail app...
    3. ...that account gets created on the phone...

    What part of that simple concept do you still not understand?
    Since I've been right in everything I've said, and you've been wrong in
    every guess you made, you can easily check what I say (but you won't).

    The reason you won't check that what I've said is correct is you prefer to
    just guess that I'm wrong (even though I am almost never wrong).

    I'm almost never wrong because I don't guess.
    I know how it works.
    I tested it.

    A. Check that there are no accounts set up on your phone.
    B. Then do what I just said - log into a Google account (any account)
    (It doesn't even have to be your account - but you need the passwd.)
    C. The Google GMail app will _create_ that account on your phone.

    Worse, it will upload your contacts.
    Without you having a chance to tell it not to.

    Which is, after all, the concept you most don't understand.

    Because if your default Android contacts database is empty,
    then there will be nothing for Google to automatically get.

    BTW, Vanguard. Because you don't understand basic concepts does not make me
    a troll. Just stop that nonsense. I've never once been wrong in this
    thread.

    That you think because you don't understand the concepts makes me a troll
    tells me a lot about how your brain works Vanguard. You blame me.

    You blame me for you not understanding the basic concepts of how Android
    works - and the way you blame me is you call me a troll for explaining
    those basic concepts of how Android works to you.

    Explaining how Android works does not make me a troll Vanguard.
    You call me a troll because it's how you handle your lack of understanding.

    I expect two things from you if you are a normal adult.
    a. You will apologize for calling me a troll simply for explaining
    to you what you don't seem to comprehend even after something like
    twenty or thirty posts - where the concepts are super simple things.

    b. You will run the test and then say I'm correct - or - if you do not
    want to run the test, I understand - but then don't say I'm wrong.

    You're just guessing.
    And every guess you've made in this thread has been dead wrong.

    I tested it.
    I know how it works.

    You do not.

  • From Andrew@21:1/5 to VanguardLH on Tue Jan 30 00:01:02 2024
    VanguardLH wrote on Mon, 29 Jan 2024 14:42:59 -0600 :

    Andrew's claim is deleting the Google account defined on the phone will
    still have the Gmail app find your Google account. Opposite happened to
    me: when I deleted the Google account defined on the phone, the Gmail
    app didn't know where to connect.

    A few simple questions you MUST answer for you to learn anything at all.
    1. Do you understand the difference between an email address
    and the much more comprehensive personally identifying data
    that is typically stored in a typical contacts database entry?

    2. Do you understand the difference between owning any number of
    Google Accounts and setting up an Android phone to have one or
    more of them (or none of them) in the Android "Settings > Accounts"?
    https://i.postimg.cc/dQHx4SgW/accounts.jpg

    3. Do you understand the difference between the privacy inherent in
    storing all your contacts entries in the one-and-only default Android
    contacts database, versus storing those very same contacts in a
    plain (or encrypted) file (and using good apps which import/export it)?
    https://i.postimg.cc/yxHpSwGj/importexport.jpg

    If you can't say an emphatic YES! to all of those questions,
    then that is the fundamental reason you constantly are guessing wrong.

    Don't guess what I said because you are guessing wrong.
    I never said in this thread to "delete the Google Account".

    Not the Google Account that is on Google's Internet servers.
    Not the Google Account that is set up in the Accounts settings.

    Notice those two things are different beasts.
    Completely different beasts.

    So stop copying what Frank said that was wrong.
    Frank was just guessing.

    What I said was that the best place for your contacts is NOT in the default location on the Android phone (where there is only _one_ default location).

    There are Google apps that still access Google services, like Maps, but
    those don't need a Google account to perform basic functions.

    This is true and I said as much, but be careful extending that statement.

    It's not as simple as what you just said because when you _log into_ Google apps on Android - funny things happen on your phone that you don't know.

    Bear in mind that the fact you can't figure out the difference between
    owning any number of Google Accounts and setting them up as an account on a phone means you won't be able to understand a thing I'm telling you about
    what happens when you log into some of the badly behaved Android Google
    apps.

    Some Google apps _create_ the Google Account on the phone when you log in. Others do not.

    You do not yet understand that simple concept.

    I already know that you're confused because you don't know the difference between having a Google Account and having one set up on your phone.

    Those are two different beasts.
    You MUST think of them separately if you're going to understand privacy.

    connect to your Google account, because you didn't define one, but it
    still uses Google's Maps API to access their maps service.

    You and Frank don't know the difference between a contact and an email
    address (they're different, even if there is a tiny bit of overlap).

    A contact, for example, typically contains phone numbers, addresses,
    birthdays, and other identifiable data (even a photo perhaps).

    An email address does not.

    But you and Frank think they're exactly the same, which is why you called
    me a troll. You don't understand anything - so when I tell you something
    that you don't understand - you immediately call me a troll for that.

    Likewise, having a Google Account (hell, I have so many I can't count them)
    and having that Google Account set up on your phone are also two different things.

    But you and Frank think they're exactly the same, which is why you called
    me a troll. You don't understand anything - so when I tell you something
    that you don't understand - you immediately call me a troll for that.

    Before you apologize for calling me a troll, you need to think about what
    I'm trying to very patiently explain to you - because it's important.

    1. A typical contact entry is not the same as an email address.
    Nor are the people you email the same people stored in your contacts db.
    They're DIFFERENT things. That you don't understand that is a problem.

    2. Having a dozen Google Accounts is not the same as setting one or more
    of them up on your phone in Android "Settings > Accounts".
    They're DIFFERENT things. That you don't understand that is a problem.

    All of this started when I purposefully helpfully explained rather
    patiently to you that the best place (for privacy) to store your contacts
    is NOT in the one-and-only Android location for the contacts database.

    You've been wrong in almost everything you've said.
    Frank & Carlos also.

    None of you understand the difference between a contact and an email
    address, and none of you understand the difference between setting up a
    Google Account on your phone versus owning any number of Google Accounts.

    Until you understand the DIFFERENCE between those simple concepts,
    you're just guessing. And you're constantly guessing wrong.

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 00:37:09 2024
    Frank Slootweg wrote on 29 Jan 2024 19:06:35 GMT :

    If you delete a sync account, no more sync'ing to it.

    Yes, but my point was/is, that even if you *do* have a Google Account
    for syncing, "You can select to *NOT* sync contacts or/and other
    parts of your Google Accounts.".


    You're just guessing, Frank.
    And you're guessing wrong.

    I too, would have agreed with what you're saying had I not tested it out.

    That's the difference between you and me.
    You just guess. I don't. I test.

    Last I tested this thoroughly (and yes, I reported on it at the time, so
    another thing different between you and me is your memory is lacking), the
    instant you log into "some" Google apps on Android, that account is
    automatically created whether or not you want that account to be created.

    Worse... and this is the important part, Frank...

    When I last tested this, and I reported on this so you should already know
    this to be the case, not only did the first login into the Google GMail app
    on the Android phone create the google account on the phone - but it _also_ sucked up your contacts (giving you no advanced warning it would do that!).

    Apparently, as I had surmised at the time, the _default_ GMail app setting
    is to suck up your contacts - which you can change - but after the fact.

    So they got your contacts.
    You can change that. So they won't get them again.

    But they already got that.
    Remember, I ran those tests and I reported on it.

    I test.
    You just guess.

    And that's why you guess wrong.

    Frank - the problem with you is you don't understand things to the level
    that someone should who is going to say that it doesn't work how it does.

    Test it first.
    a. Set up your contacts database in a way that you can identify it.
    b. Wipe out the Google Account on your phone (if you have one set up).
    c. Log into ANY Google Account (it doesn't even have to be yours, but
    of course you'll need the password) and that account will be _created_
    on your Android phone (check "Settings > Accounts and backup").

    Two things happened when I last tested this (and I reported it to you).
    1. If you log into an account named "foo", that account is now set up
    on your phone in the Android "Settings > Accounts and backup" area).
    2. All your contacts are uploaded automatically - you can change that
    but it already happened - so you have to know it will happen - which
    is one of the reasons I'm explaining this to those who don't know it).

    Try it first, before you guess that it doesn't work the way it does.

    I test.
    You guess.

  • From Andrew@21:1/5 to Andrew on Tue Jan 30 00:56:46 2024
    Andrew wrote on Tue, 30 Jan 2024 00:37:09 -0000 (UTC) :

    Frank - the problem with you is you don't understand things to the level
    that someone should who is going to say that it doesn't work how it does.

    Test it first.
    a. Set up your contacts database in a way that you can identify it.
    b. Wipe out the Google Account on your phone (if you have one set up).
    c. Log into ANY Google Account (it doesn't even have to be yours, but
    of course you'll need the password) and that account will be _created_
    on your Android phone (check "Settings > Accounts and backup").

    Two things happened when I last tested this (and I reported it to you).
    1. If you log into an account named "foo", that account is now set up
    on your phone in the Android "Settings > Accounts and backup" area).
    2. All your contacts are uploaded automatically - you can change that
    but it already happened - so you have to know it will happen - which
    is one of the reasons I'm explaining this to those who don't know it).

    Try it first, before you guess that it doesn't work the way it does.

    I test.
    You guess.

    At the risk of treating you like the children you act like,
    when I say "log in" for that test, I mean log into the Google GMail app
    (which I had clearly said prior but you children are so desperate to find
    a flaw in what really happens that you'll claim I said to log into
    the phone or whatever you kiddies do to protect your fragile egos).

    1. No account is set up on the phone but you have an account
    (it could be your wife's account as whose account doesn't matter)

    2. Choose some of the Google apps that do what I claim they do.
    Pick Google Voice if you like. Or GMail. Or even logging into Google
    Maps last I had tested it out (although Maps changes a lot over time).

    Log into _that_ app (the GMail app is the one I had tested the most).

    3. Bingo. You now already have a Google Account set up on your phone under
    Android "Settings > Accounts and backup" whether you know it or not.

    And it has default settings too!

    Guess what those settings are (last I checked)?
    Yup. You guessed right for once.

    They upload your contacts.
    Whether you like it or not.

    You can _change_ that setting of course.
    But they _already got them_ because _they_ created the account so they
    got to say what the default account settings were.

    The fact you dispute this without testing it first is disconcerting.

    It means you want to tell me I'm a troll and that I'm wrong simply because
    you don't think it works the way I tested (and reported) it to work.

    The main reason you've been wrong in every guess you've made is partly
    because you don't understand simple concepts (like the difference between a contact entry and an email address or the difference between owning a dozen Google Accounts and having none of them set up as an account on the phone).

    But the other part is you're just guessing.
    And you're guessing wrong.

    All this is simply because I had recommended (based on my tests) that the safest place to store your contacts is NOT in the default Android database.

  • From Andrew@21:1/5 to VanguardLH on Tue Jan 30 01:50:17 2024
    VanguardLH wrote on Sun, 28 Jan 2024 23:44:38 -0600 :

    WhatsApp still works in its basic mode when you keep
    private your contacts (don't let WhatsApp app read your phone's address book).

    I use WhatsApp to call people who are in Germany when I'm in Germany and
    when I'm in the USA because they use WhatsApp and because it's free as a
    result of both of us using WhatsApp over the Internet (as you are aware).

    However... two things are very different between how I use WhatsApp and how
    the normal average idiot uses WhatsApp in terms of basic human privacy.

    1. I use a WhatsApp direct dialer.
    2. I don't have my contacts stored in the default Android location.

    But most people don't do either of those two things.

    So this happens, as described in the WhatsApp web page I referred you to. https://faq.whatsapp.com/1191526044909364

    "Each cryptographic hash value is stored on WhatsApp's servers,
    *linked to the WhatsApp users* who uploaded the corresponding
    phone numbers *before they were hashed* so that we can more efficiently
    *connect you with these contacts when they join WhatsApp*."

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 01:25:27 2024
    Frank Slootweg wrote on 29 Jan 2024 14:57:19 GMT :

    Since this was covered long ago (I think it may have even been you who
    found all this out)

    Yes, I pointed to this information several times.

    BTW, when I use WhatsApp, they don't get anything but the one phone number
    that I'm contacting - which you have to admit - is the right way to do it.

    I have a good memory. Nobody could be as highly trained in extremely
    technical pursuits as I am if they didn't. Which is why it's so frustrating trying to explain simple things to people like you, Carlos & Vanguard.

    You can't figure out the difference between an email address and what's in
    a typical contact, nor can you fathom the difference between having a
    hundred GMail Accounts and setting one of them up on the phone.

    Everything is dumbed down for you people - and you can't get it even then.

    Frank - remember when Alan Baker vehemently disagreed that the X-Newsreader
    (or was it User-Agent) couldn't possibly be changed - and he went on for something like two weeks insisting that was the case and I told him that
    the headers could be changed - and then you jumped all over me for that?

    I remember it.
    We discussed it three times (once then, once later & then again).

    "We do this by creating a cryptographic hash value of their
    phone number, and then delete the number."

    "Each cryptographic hash value is stored on WhatsApp's servers,
    linked to the WhatsApp users who uploaded the corresponding
    phone numbers *before* they were hashed" (emphasis mine)

    Alan Baker has an IQ of a moron, Frank. I dumb things down for him.
    I dumb them down for Carlos like you can't believe. Vanguard too.

    Neither of them has an IQ even close to approaching normal so even dumbed
    down I get arguments from Carlos about no process ever working because he doesn't know how to use a file editor - and arguments from Vanguard that
    span the gamut from sneakernet to culling email addresses out of email.

    None of the three of you understand the simple concept of the power
    inherent in NOT storing your contacts in the default Android location.

    They only save the hash of the phone numbers on their servers & they say
    they will disregard the other data like real addresses and real names.
    That's what they say so you have to just trust them on it.

    They will not "disregard the other data ...", they will not retrieve
    it in the first place! "disregard" is already misleading and FUD.

    Say that sentence again _after_ you read this, which I didn't have at the
    time I wrote what I had written from memory - but which supports what I had remembered. https://faq.whatsapp.com/1191526044909364

    "We don't *collect* any of the other information that could appear
    in your device address book including names, email addresses, etc."

    We have to discuss what WhatsApp means exactly by "collect".
    I presume it means "save" but you can presume otherwise.

    But we'd both be guessing.

    If we guess they meant "We don't upload", that would be what you're saying.
    If we guess they meant "We don't save", that would be what I was saying.

    And don't go down the optional crap because putting a battery in a phone is also optional. You don't get what you expect if you don't do what they say.

    Notice I said "all" your contacts and not just the ones that use WhatsApp.
    I'm going to repeat this for effect because they say that they do save the
    hash of *every* contact even *before* that contact has joined WhatsApp!

    Now - and later - you're mixing up "contact" and "phone number".

    I was dumbing it down (but I do heartily agree with you, especially salient since Vanguard doesn't know the difference between a contact and an email address) - so sometimes it's important for both of us to be clear. I agree.

    We have to be clear, moving forward, between what WhatsApp does with the
    phone number versus the (presumably one-way) hash of that phone number.

    Maybe not so much with Carlos or Vanguard who can't figure out the
    difference (as would be the case with Alan Baker) but at least with you.

    They do *not* retrieve, upload, collect, store, save, <whatever> "contact"s. They only retrieve/store *phone number*s. And for non WhatsApp users,
    they store only a cryptographic hash value, not the phone number itself.

    But they tie every one of your contacts to you, Frank. They say it clearly.
    "Each cryptographic hash value is stored on WhatsApp's servers,
    *linked to the WhatsApp users* who uploaded the corresponding phone
    numbers *before they were hashed* so that we can more efficiently
    *connect you with these contacts when they join WhatsApp*."

    And *because* they only store *phone numbers*, not contacts, they
    *can not* do the dreadful things which you and others say/imply do /
    might do.

    With my use model, they don't know if I know my own Aunt Bessie
    and if that same Aunt Bessie just joined WhatsApp tomorrow,
    but with the use model of most people, they know both instantly.

    "Each cryptographic hash value is stored on WhatsApp's servers,
    *linked to the WhatsApp users* who uploaded the corresponding phone
    numbers *before they were hashed* so that we can more efficiently
    *connect you with these contacts when they join WhatsApp*."

    What if my Aunt Bessie runs an abortion clinic in a state where it's
    illegal? WhatsApp can tell the police that information instantly.

    Without me doing a single thing.

    All because they hashed the phone numbers in my contacts (assuming
    her phone number is in my contacts and assuming I store my contacts
    in the default Android location - which is one reason why I don't).

    So now try to remember the difference between a phone number and a
    contact, so we will not have to do this silly dance over and over again.

    I agree with you we're using the terms too loosely so moving forward let's
    be clear that what's stored in a contacts database is more than phone
    numbers (and for Vanguard, what's sent in email is usually just an email address and not what's typically stored in a contacts database).

    However, you need to read this before you respond further, Frank. https://faq.whatsapp.com/1191526044909364

    Don't go down the road of optional because the first line says it's
    optional and the last line says if you don't do it you're screwed.

    Read that, and tell me where my memory was faulty (as I didn't have that at
    the time that I was remembering how _you_ had said it worked - long ago).

    BTW, when I use WhatsApp, they don't get anything but the one phone number
    that I'm calling - which you have to admit - is the best way to do it.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
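The bookkeeping that the FAQ sentences quoted in the post above describe, as an added example (not part of any post in this thread and not WhatsApp's code): a toy server that hashes uploaded numbers of non-users, links each hash to the uploader, and resolves that link when the number later joins. SHA-256, every class and function name, and all phone numbers and address-book entries are assumptions constructed for illustration.

```python
"""Toy model of the contact-upload bookkeeping in the quoted FAQ sentences.

Assumptions (not WhatsApp's code): SHA-256 as the hash, all names in this
file, and every phone number and address-book entry (constructed samples).
"""
import hashlib
from collections import defaultdict

# Constructed sample data; none of these are real subscribers.
ALICE, BOB = "+1 555 010 0001", "+1-555-010-0002"
BESSIE, DAVE = "+1 (555) 010-0003", "+15550100004"
ALICE_BOOK = [
    {"name": "Aunt Bessie", "phone": BESSIE, "email": "bessie@example.invalid"},
    {"name": "Bob", "phone": BOB, "email": "bob@example.invalid"},
]


def normalize(number):
    """Reduce a number to '+digits' so every spelling of it hashes alike."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if not digits:
        raise ValueError(f"no digits in {number!r}")
    return "+" + digits


def number_hash(number):
    """Hash of the normalized number (SHA-256 is an assumption)."""
    return hashlib.sha256(normalize(number).encode("ascii")).hexdigest()


class DiscoveryServer:
    """Hypothetical server state: registered users plus hash -> uploaders."""

    def __init__(self):
        self.registered = set()           # numbers of users who have joined
        self.pending = defaultdict(set)   # hash of a non-user number -> uploaders

    def join(self, number):
        """Register a user; return the uploaders already linked to the number."""
        own = normalize(number)
        self.registered.add(own)
        return sorted(self.pending.pop(number_hash(own), set()))

    def upload_address_book(self, uploader, entries):
        """Process an address book; only the 'phone' field is ever read."""
        me = normalize(uploader)
        already_users = []
        for entry in entries:
            number = normalize(entry["phone"])
            if number in self.registered:
                already_users.append(number)
            else:
                # The number is hashed and dropped; the hash stays linked to
                # the uploader until the owner of the number joins.
                self.pending[number_hash(number)].add(me)
        return sorted(already_users)

    def snapshot(self):
        """Everything the server holds, as text, for inspection."""
        links = {h: sorted(u) for h, u in self.pending.items()}
        return repr((sorted(self.registered), links))


def demo():
    server = DiscoveryServer()
    for user in (ALICE, BOB, DAVE):
        server.join(user)
    # Alice grants address-book access. Dave knows Bessie too but uploads
    # nothing (the "one number at a time" use model from the thread).
    matches = server.upload_address_book(ALICE, ALICE_BOOK)
    before = server.snapshot()
    linked = server.join(BESSIE)          # Bessie signs up later
    return {"matches": matches, "stored_before_join": before,
            "linked_on_join": linked}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Before Bessie joins, the server holds neither her name nor her number, only a hash tied to Alice; once she joins, the Alice-to-Bessie link resolves, while nothing ever ties Dave to her.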
  • From VanguardLH@21:1/5 to Carlos E.R. on Mon Jan 29 19:22:47 2024
    "Carlos E.R." <robin_listas@es.invalid> wrote:

    VanguardLH wrote:

    I'm still looking into how to keep everything encrypted on the server,
    including the headers.

    I don't think you can.

    There is no further transport when the message reaches the target server (unless an option to forward from there is enabled). Once in my
    ProtonMail account, the entire message can be encrypted, including
    headers. Using their web app will decrypt to view. For an IMAP client retrieving messages, their proxy (bridge) is needed to decrypt before delivering to the mail client (something akin to how sTunnel handles
    encrypted login between inept client to server).

    ProtonMail is too expensive for my very low
    e-mail volume. I prefer to use a local e-mail client, not their web
    app, and that requires using their bridge (local proxy) that locally
    decrypts the e-mail traffic to then handed to the local e-mail client,
    but their bridge requires a paid service tier with them. They do
    encrypt all content (body and headers) in-situ on their server, so a
    breach won't get at my contacts or e-mails (and their headers with
    contact info). Their free service tier has me using their web site
    instead of a local e-mail account; however, there is an option to send
    notifications of new mails in a Proton account to another account, so I
    can get notification by my local e-mail account of new mails at
    ProtonMail, but I would still have to use a web browser to see the new
    mail. I've found other ProtonMail wannabees, but they don't have the
    e-mails themselves fully encrypted, including headers, so a breach could
    expose contacts via e-mail headers.

    PGP or x.509/SMIME certificates with public/private key pairs encrypt
    only the bodies of e-mails, but not the other headers in an e-mail
    containing the contact info needed to route and track transfer of
    e-mails.

    That can not be done, it breaks transport.

    No further transport. Communication at the target server is to client.
    The client is polling their account, not a server receiving a message to further transport to another server. However, their local proxy is
    needed to decrypt before delivering to the local client.

    Also, encrypting an encrypted document and decrypting the first time
    leaves the previously encrypted document. If you encrypt 7 times, you
    need to decrypt 7 times to get the original document which might've
    already been encrypted with PGP or SMIME.

    Their local proxy is not to handle PGP or SMIME encrypted messages.
    Those pass through their bridge to get decrypted from the in-situ copy
    on their server to deliver to your local client with the original
    PGP/SMIME encrypted message.

    Without their bridge, you would end up getting gobbledygook in the
    messages retrieved from their server.

    https://proton.me/mail/bridge

    You can't just connect your local mail client to their server to get
    your messages. The key for the bridge is different than in your
    account, and only you know that key (similar to you having the private
    key in a PGP/SMIME key pair). If you don't use their bridge, I'm not
    sure how a local mail client is going to handle messages with no
    discernable Subject, From, or other headers.

    Plus, you cannot force your senders to always encrypt their
    e-mails to you (after you've given them your public key). The headers
    aren't encrypted, because they're needed for routing the message until
    deposited into your account, but once in your account the headers could
    be encrypted, too.

    Maybe. I have my doubts. If they have webmail and you can read email
    there, they have the key too.

    Not if the encryption is using your login password. Similarly, you can
    encrypt a document to send and the recipient uses a passphrase to
    decrypt. Yep, they probably have that (password or key), but their
    claim is they cannot or will not look into your e-mails on their server.
    They are not in a 5-Eyes country, so not subject to an NSL (National
    Security Letter) forcing them to divulge e-mails, logging, or any info
    about their accounts. I'm sure they are still subject to Swiss laws.

    I'm sure they still do have the key (password) for my account for their
    web app to decrypt the messages when viewing them there. However, my
    concern is not with my e-mail provider looking at my e-mails. It is
    with hacking and breaches. If you don't trust an e-mail with your
    messages, you shouldn't be using them. However, as you noted for
    transport, e-mail was built on a trust model. Making it secure, even
    from the e-mail provider, is difficult, but necessarily from hackers and breaches. Hopefully they have processes in place regarding trust in
    using keys/passwords against disgruntled employees stealing data (ever
    heard of a gruntled employee?). They claim they cannot recover or read
    your e-mails, because they don't have the key/password. If the password
    you enter for login is encrypted, and compared against an encrypted
    password database, then it's harder for them to peek, but not
    impossible.

    One of the options in a ProtonMail account is the user can change the
    account key (RSA 2048). So, for the super paranoid, the user can keep
    changing the key. That still doesn't make it necessarily impossible for
    them to get.

  • From VanguardLH@21:1/5 to All on Mon Jan 29 19:57:48 2024
    *IF* I decide to pay for their next service tier that includes their
    bridge, I'll do a test to ensure what they say is what happens. I'll
    have my IMAP client connect directly to their e-mail server, and also
    through their bridge. I can then see if the headers were encrypted in
    the direct connection to their servers.

    Oh wait, they don't allow direct connections to their mail servers. You
    must use their bridge. Their bridge (proxy) is currently available for Windows, Linux, and MacOS. For Android and iOS, you need to use their
    mobile apps where they could incorporate their bridge to encrypt all
    traffic.

    When I needed my sister's social security number to complete a title
    transfer of my mother's house after she died, I sent you a message via ProtonMail with a passphrase. She didn't have any clients that support
    PGP or SMIME for encrypting messages between clients. When she got my
    PM message, she clicks a link to go to PM's web app, and enters the
    passphrase. Then she could reply securely regardless of her inept mail
    client.

    I rarely need someone to send me sensitive info or for me to send it.
    In some cases, SMIME gets used to encrypt messages to or from me. In
    other cases, I've used PM to emulate PGP/SMIME: the other party doesn't
    need a capable client, just a web browser capable of HTTPS. The gov't
    is the stupidest of all. They want faxes. Those aren't secure because
    they aren't encrypted. There are encrypting fax machines, but you need
    a pair setup to communicate with each other. However, even that doesn't
    secure a printout sitting in a fax machine's output tray for view by
    anyone passing by. Most fax machines are shared, not locked in
    someone's private office. If I can convince them to use e-mail, I use
    PM to initiate communication with them. They don't need to know
    anything about PGP/SMIME, or how to configure their clients, if capable,
    to support PGP/SMIME.

    Since I must use their bridge to get e-mails from their server, and I
    cannot directly connect my IMAP client to get messages from them,
    there's no way for me to verify their claim that all content is
    encrypted on their server. Possible I could use a packet sniffer (e.g., Wireshark, Nirsoft Sniffer) before their bridge to see what the traffic
    looked like that was delivered to the bridge. However, to do any of
    that requires a minimum $48/yr subscription. Too pricey for a
    freeloader, like me, for low e-mail traffic and even much lower need for encrypted messaging.

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 02:16:38 2024
    Frank Slootweg wrote on 29 Jan 2024 15:14:31 GMT :

    Start with the first sentence that reads "Contact upload is an optional
    feature".

    The main problem, is that "Contact upload" is a misnomer. WhatsApp
    does *not* upload your "contact"s.

    Frank - you're the only one whose IQ even approaches normal so I'm going to
    try to get you to clarify what they do say and what they leave us to guess.

    "We don't *collect* any of the other information
    that could appear in your device address book
    including names, email addresses, etc."

    First off, as we discussed, they do call it "contacts" and they certainly
    know the difference between a phone number and a contact (which is more
    than just a phone number in most cases, as both of us are well aware). https://faq.whatsapp.com/1191526044909364

    First off, (as you're aware), it's titled "About contact upload" for a
    reason. We can only guess that reason. But they know what a contact is.

    Secondly, they use it to compare you to other people when they clearly say:
    "allows us to check *which of your contacts* in your device's
    address book are also WhatsApp users"

    What "address book" is that (notice they also call it an "ADDRESS" book)?
    It's clearly your default Android contacts sqlite database, right?

    What's in that default contacts sqlite database, Frank?
    Yup. You guessed right for once. Names. Numbers. Addresses.

    They say that they "update your contact list" again, Frank, when you and I
    both know they know the difference between a contact & a phone number.

    "It also means *we can update your WhatsApp contact list*
    when *your contacts* who aren't using WhatsApp yet sign up later."

    Again and again and again they use the word "contacts" Frank.
    "We care about your privacy and we don't share your contact list"

    And certainly they KNOW the difference between a phone number and a
    contact, Frank, so you guessing that they have no clue must be wrong.

    They know EXACTLY what they're saying, Frank.
    It's a legally binding document.

    "Each cryptographic hash value is stored on WhatsApp's servers,
    *linked to the WhatsApp users* who uploaded the corresponding phone
    numbers *before they were hashed* so that we can more efficiently
    *connect you with these contacts when they join WhatsApp*."

    While both you and I know that a "contact" and a "phone number" are not the same thing (although they overlap), we're forced to guess what "COLLECT"
    means in their document when they say:
    "We don't collect any of the other information
    that could appear in your device address book
    including names, email addresses, etc."

    We have to guess what "collect" means, Frank.
    a. You seem to think it means "upload", as in:
    "We don't _upload_ any of the other information..."
    b. But I see it could mean "save" just as well, as in:
    "We don't _save_ any of the other information..."

    The fact they keep discussing the "address book" and that they keep calling
    it "contacts" leads me to tend to lean toward the latter, & not the former.

    The problem you and I have here is we are forced to "GUESS" what the word collect means, but given they constantly talk about the contacts and the
    full address book, I lean toward they saying they disregard it.

  • From Frank Slootweg@21:1/5 to Andrew on Tue Jan 30 09:57:57 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 29 Jan 2024 15:36:20 GMT :

    I was trying to help you Frank, because you typically choose dumb apps.

    <barf!>

    Of what ZArchiver claims it does, what isn't to your liking? https://play.google.com/store/apps/details?id=ru.zdevs.zarchiver

    If you had read - for comprehension - what you snipped, you would have
    known why, for *me*, my tool is better than ZArchiver.

    But that has been your problem in *all* these - now six - scenarios in
    these sub-threads, you don't manage to follow the discussions and you
    fail to read for comprehension.

  • From Frank Slootweg@21:1/5 to Andrew on Tue Jan 30 10:05:50 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 29 Jan 2024 16:23:56 GMT :

    His flaw is that he says "Wipe out every vestige of your Google
    Account on your phone"...

    I never once said that. So stop guessing (always wrong) at what I said.

    Earth to Arlen: Guess what the double quotes mean? It was an exact
    verbatim quote of what you *did* say.

    [The usual dodges, diversions and yet another army of straw men deleted.]

  • From Frank Slootweg@21:1/5 to VanguardLH on Tue Jan 30 10:57:16 2024
    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    [...]

    Why does this guy remind me of Alan Connor?

    You asked yourself that in December 2021 as well about 'Joel' in the Windows 10/11 groups.

    This was my response:

    Message-ID: <sqn87q.qgg.1@ID-201911.user.individual.net>

    Can't be bothered to back-track that to see if 'Joel' was 'Arlen'.

    I need to retract that. With Alan Connor, if you agreed with him you
    were God's right hand, but if you disagreed or even asked for more information you became Satan. Andrew seems familiar due to his style,
    but I can't place him yet.

    It's blatantly obvious that he's 'Arlen Holder'. Carlos and I have
    been calling him "Arlen" and he has not objected, so ...

    Perhaps your NNTP client's (tin) retention
    is longer than mine. How long has Andrew been here? More than 3
    months? Maybe he nymshifted. I previously purged messages older than 2 months since the older the thread then the less interesting it is. I
    upped retention to a year, but that change was in the last month.

    I could find out since when this nym popped up, but it doesn't matter.
    It's just one of many, probably getting close to a hundred. Just
    recently he seems to be recycling yet another old nym.

    Claims an app can connect to an undefined account. I've experienced the opposite. I suspect eventually he would suggest I reset my phone, and
    load the bundled Gmail app which will divine my Google account. Says
    there have been thousands of posts here about hiding contacts. "It's so
    simple that it's obvious. Elegant. Efficient. Private. Secure." as that
    must be so detailed as to help others ... not. Needs prodding to give details (similar to micky). Thinks his setup on a LAN is of any
    importance regarding a solution across devices over the Internet. Makes statements about WhatsApp that refutes info by WhatsApp and elsewhere. Belittles others, but he wants apologies from those who contend his statements ... in Usenet, no less. Claims Internet access to a NAS
    device on his intranet is easy, yet doesn't describe how he manages that
    so easily compared to how I describe a possible setup. Focuses on
    contact lists, but never addresses why unprotected e-mails on the server
    with all those contact headers doesn't obviate his solution on
    protecting contact lists.

    Good summary and that's only of this thread! :-)

    Not everything Andrew says is bogus. There's enough content to keep
    interest in reading him, whether I agree with him or not, but it can
    take some prodding to get specifics rather than his sweeping claims.

    For me, there's way too much noise and hardly any signal, so I filter
    most of his nyms. This one not yet, mainly because of his
    misrepresentations about me, what I did (not) say, etc.. But it has -
    again - gone way beyond ridiculous, so I'm limiting my responses to the minimum.

    Yes, for some users, keeping their contacts private is very important,
    and some methods have been mentioned here, but it's only been about protecting contact lists, not about the e-mails that contain the
    contacts. If a breach can get at your contacts, it can also get at your e-mails with contact headers.

    Indeed. That aspect, which you raised repeatedly, seems to escape :-)
    him completely. He's very careful about keeping *other* people's contact information in his safe, locks all the windows and doors in his house to
    keep the thieves out, but while doing all that, he sends his *own*
    contact information out the front door, ready to be (ab)used by others!

    The mind boggles!

    [...]

  • From Frank Slootweg@21:1/5 to All on Tue Jan 30 11:26:01 2024
    Andrew <andrew@spam.net> wrote:

    [Very long-winded series of dodges, diversions and straw men deleted.]

    BUT, you finally seem to grasp and acknowledge the only *relevant* bit:

    So now try to remember the difference between a phone number and a contact, so we will not have to do this silly dance over and over again.

  • From Frank Slootweg@21:1/5 to VanguardLH on Tue Jan 30 11:15:26 2024
    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    Andrew <andrew@spam.net> wrote:

    VanguardLH wrote on Sun, 28 Jan 2024 15:10:31 -0600 :

    *Fact* is that *if* you choose to upload your contacts to 'Google', it
    only gets into *your* Google Account storage. Duh!

    Yep. If you do not create a Google account, or assign your phone to
    one, then your phone has no Google account to which it can sync
    anything.

    All three of you are always dead wrong because you've never tested it.
    I have.

    Try this simple test _before_ you respond and say Google doesn't get your
    contacts the very first time you log into your Google account to get email.

    1. (Optional) Wipe out every vestige of your Google Account on your phone
    2. Create a new contact "Frank Carlos Vanguard, +1-234-567-8910 & save it
    3. Simply tap on the default GMail app, get your mail & close the app

    How does the Gmail app on your phone know to what Google account to
    connect to poll for e-mail or to synchronize its local data if there is
    no Google account on your phone? The Gmail app does not store accounts.
    It gets them from the account manager in Android.

    Somehow in your above test you are still connecting to a Google account
    despite you claim you wiped it off your phone. Since the Google account
    is gone, how is any app going to connect to a non-existing account? I
    think your process is flawed, because once signed out of your Google
    account, and with none available from the Android account manager, the
    app doesn't know where to connect.
    [...]
    Guess what.
    Google got your contacts.

    His flaw is that he says "Wipe out every vestige of your Google
    Account on your phone", but that does not delete the Google Account *itself*, it only wipes out *references (from the phone) to* the Google Account. The Google Account still lives happily ever after and the 'Your devices' list is still there and kept for 28 days, so also logging out
    on your Android device probably still allows Google to re-connect your Android device to your (non-deleted) Google Account.

    So 'Arlen' hasn't actually proven anything.

    I do see in my online (web) Google account, as part of security showing
    which device has connected to your account, it will list those devices.
    This is for history, not a reverse connection setup where Google
    connects to your phone to reinstate an account definition for Google.

    You're right. This path, while technically possible, isn't very
    likely.

    In the meantime it has become clear that 'Arlen' re-entered the login credentials of his Google Account into the Gmail app on his so, so the (reference to) his Google Account got re-created on his phone. Duh!

    [...]

  • From Carlos E.R.@21:1/5 to Andrew on Tue Jan 30 13:59:38 2024
    On 2024-01-30 00:02, Andrew wrote:
    Carlos E.R. wrote on Mon, 29 Jan 2024 22:39:20 +0100 :

    You have the trait that if someone doesn't agree with you, you call us
    stupid.

    You're wrong. I love to learn from others. I've always loved to learn.

    If you gave me a rational sensible & logical reason for telling me the moon was made of cheese, I'd believe you (if it made any real sense, that is).

    But your sole objection to privacy was that you don't use Microsoft Office. As if Microsoft Office had anything whatsoever to do with the concept.

    I objected to the method offered, because it used M$O, which I don't
    even have nor can use, and you know that. You know I use Linux.

    You can, if you wish, explain some other method, for curiosity's sake,
    but you must know I will not use it. This is a conscious and meditated decision.


    On 2024-01-24 23:45, Andrew wrote:
    My master contacts database file has over three hundred entries.
    Yet Windows 10 Thunderbird handles it (import/export).
    And Android handles it (import/export).
    Microsoft Office handles it too (Excel merges fields & removes duplicates).

    On 2024-01-26 09:44, Frankie wrote:
    You're making this about a million times harder than it really is.
    Have you never used Microsoft Office not even once in your life?
    How much trouble can you have synchronizing a simple MS Office file?

    To which I replied:

    On 2024-01-27 22:33, Carlos E.R. wrote:
    I don't use MS Office, ever.

    That's all.



    Any file editor would have worked as well.

    What kind of person exists that doesn't know how to use any file editors?
    You and who else?

    Nobody else.
    Just you.

    Really, Arlen?


    If your objection to privacy made sense, I'd think differently about you.

    Really?


    I'm simply not interested in your method of "syncing contacts". I'm not interested in adhering to your view of privacy. I'm happy with using
    Google Contacts, and I'm satisfied with their Privacy Policy inside the European Union. I have to do nothing. This is a conscious and meditated decision.

    I am not going to even consider your methods.

    And please remember that I do know how to sync files, and did so, since
    the computers came with RS232 ports several decades ago.


    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Andrew on Tue Jan 30 14:13:56 2024
    On 2024-01-30 01:01, Andrew wrote:
    But you and Frank think they're exactly the same, which is why you called
    me a troll. You don't understand anything - so when I tell you something
    that you don't understand - you immediately call me a troll for that.

    Arlen, you are a troll because anybody that nymshifts is a troll. It is
    a definition and you fit it. It is not an insult.

    https://en.wiktionary.org/wiki/nymshift

    https://www.urbandictionary.com/define.php?term=nymshift




    And you do so in order to avoid our filters. As we learn your new name,
    we update our filters, and when it becomes too well known you change it
    again, trying to evade the filters.

    You claim it is for privacy, but that is false. A person changes his/her
    name here once, using a pseudonym, for privacy. We do not know his name
    or home, and we respect that. If you do it more than once, you become a nymshifter and thus a troll.

    Sorry about that.


    https://en.wiktionary.org/wiki/nymshifter

    nymshifter (plural nymshifters)

    (Internet) One who deceptively posts messages under several
    different pseudonyms.

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to VanguardLH on Tue Jan 30 14:40:54 2024
    On 2024-01-30 02:57, VanguardLH wrote:
    *IF* I decide to pay for their next service tier that includes their
    bridge, I'll do a test to ensure what they say is what happens. I'll
    have my IMAP client connect directly to their e-mail server, and also
    through their bridge. I can then see if the headers were encrypted in
    the direct connection to their servers.

    Oh wait, they don't allow direct connections to their mail servers. You
    must use their bridge. Their bridge (proxy) is currently available for Windows, Linux, and MacOS. For Android and iOS, you need to use their
    mobile apps where they could incorporate their bridge to encrypt all
    traffic.

    When I needed my sister's social security number to complete a title
    transfer of my mother's house after she died, I sent you a message via ProtonMail with a passphrase. She didn't have any clients that support
    PGP or SMIME for encrypting messages between clients. When she got my
    PM message, she clicks a link to go to PM's web app, and enters the passphrase. Then she could reply securely regardless of her inept mail client.

    Interesting.

    Me, I do not need to encrypt headers; content is enough. Maybe the
    subject: Thunderbird can encrypt it.

    This method you mention, is interesting.

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Frank Slootweg on Tue Jan 30 14:30:33 2024
    On 2024-01-30 11:57, Frank Slootweg wrote:
    VanguardLH <V@nguard.lh> wrote:
    Frank Slootweg <this@ddress.is.invalid> wrote:

    VanguardLH <V@nguard.lh> wrote:
    [...]

    Why does this guy remind me of Alan Connor?

    You asked yourself that in December 2021 as well about 'Joel' in the
    Windows 10/11 groups.

    This was my response:

    Message-ID: <sqn87q.qgg.1@ID-201911.user.individual.net>

    Can't be bothered to back-track that to see if 'Joel' was 'Arlen'.

    I need to retract that. With Alan Connor, if you agreed with him you
    were God's right hand, but if you disagreed or even asked for more
    information you became Satan. Andrew seems familiar due to his style,
    but I can't place him yet.

    It's blatantly obvious that he's 'Arlen Holder'. Carlos and I have
    been calling him "Arlen" and he has not objected, so ...

    And today he mentioned using wasap to talk with German relatives or
    friends, something he said before under another name.

    I have doubts about Frankie, who appeared 2023-11-02.


    Perhaps your NNTP client's (tin) retention
    is longer than mine. How long has Andrew been here? More than 3
    months? Maybe he nymshifted. I previously purged messages older than 2
    months since the older the thread then the less interesting it is. I
    upped retention to a year, but that change was in the last month.

    I could find out since when this nym popped up, but it doesn't matter. It's just one of many, probably getting close to a hundred. Just
    recently he seems to be recycling yet another old nym.

    Claims an app can connect to an undefined account. I've experienced the
    opposite. I suspect eventually he would suggest I reset my phone, and
    load the bundled Gmail app which will divine my Google account. Says
    there have been thousands of posts here about hiding contacts. "It's so
    simple that it's obvious. Elegant. Efficient. Private. Secure." as that
    must be so detailed as to help others ... not. Needs prodding to give
    details (similar to micky). Thinks his setup on a LAN is of any
    importance regarding a solution across devices over the Internet. Makes
    statements about WhatsApp that refutes info by WhatsApp and elsewhere.
    Belittles others, but he wants apologies from those who contend his
    statements ... in Usenet, no less. Claims Internet access to a NAS
    device on his intranet is easy, yet doesn't describe how he manages that
    so easily compared to how I describe a possible setup. Focuses on
    contact lists, but never addresses why unprotected e-mails on the server
    with all those contact headers doesn't obviate his solution on
    protecting contact lists.

    Good summary and that's only of this thread! :-)

    Not everything Andrew says is bogus. There's enough content to keep
    interest in reading him, whether I agree with him or not, but it can
    take some prodding to get specifics rather than his sweeping claims.

    For me, there's way too much noise and hardly any signal, so I filter
    most of his nyms. This one not yet, mainly because of his
    misrepresentations about me, what I did (not) say, etc.. But it has -
    again - gone way beyond ridiculous, so I'm limiting my responses to the minimum.

    I only tag his posts, not delete them, so that I am aware of whom I'm
    talking to. It is a nuisance keeping track (and in several computers).


    Yes, for some users, keeping their contacts private is very important,
    and some methods have been mentioned here, but it's only been about
    protecting contact lists, not about the e-mails that contain the
    contacts. If a breach can get at your contacts, it can also get at your
    e-mails with contact headers.

    Indeed. That aspect, which you raised repeatedly, seems to escape :-)
    him completely. He's very careful about keeping *other* people's contact information in his safe, locks all the windows and doors in his house to
    keep the thieves out, but while doing all that, he sends his *own*
    contact information out the front door, ready to be (ab)used by others!

    The mind boggles!

    [...]

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to VanguardLH on Tue Jan 30 14:22:11 2024
    On 2024-01-30 02:22, VanguardLH wrote:
    "Carlos E.R." <robin_listas@es.invalid> wrote:

    VanguardLH wrote:

    I'm still looking into how to keep everything encrypted on the server,
    including the headers.

    I don't think you can.

    There is no further transport when the message reaches the target server (unless an option to forward from there is enabled). Once in my
    ProtonMail account, the entire message can be encrypted, including
    headers. Using their web app will decrypt to view.

    So they have the decryption key.

    For an IMAP client
    retrieving messages, their proxy (bridge) is needed to decrypt before delivering to the mail client (something akin to how sTunnel handles encrypted login between inept client to server).

    ProtonMail is too expensive for my very low
    e-mail volume. I prefer to use a local e-mail client, not their web
    app, and that requires using their bridge (local proxy) that locally
    decrypts the e-mail traffic to then handed to the local e-mail client,
    but their bridge requires a paid service tier with them. They do
    encrypt all content (body and headers) in-situ on their server, so a
    breach won't get at my contacts or e-mails (and their headers with
    contact info). Their free service tier has me using their web site
    instead of a local e-mail account; however, there is an option to send
    notifications of new mails in a Proton account to another account, so I
    can get notification by my local e-mail account of new mails at
    ProtonMail, but I would still have to use a web browser to see the new
    mail. I've found other ProtonMail wannabees, but they don't have the
    e-mails themselves fully encrypted, including headers, so a breach could
    expose contacts via e-mail headers.

    PGP or x.509/SMIME certificates with public/private key pairs encrypt
    only the bodies of e-mails, but not the other headers in an e-mail
    containing the contact info needed to route and track transfer of
    e-mails.

    That can not be done, it breaks transport.

    No further transport. Communication at the target server is to client.
    The client is polling their account, not a server receiving a message to further transport to another server. However, their local proxy is
    needed to decrypt before delivering to the local client.

    Also, encrypting an encrypted document and decrypting the first time
    leaves the previously encrypted document. If you encrypt 7 times, you
    need to decrypt 7 times to get the original document which might've
    already been encrypted with PGP or SMIME.

    Their local proxy is not to handle PGP or SMIME encrypted messages.
    Those pass through their bridge to get decrypted from the in-situ copy
    on their server to deliver to your local client with the original
    PGP/SMIME encrypted message.

    Without their bridge, you would end up getting gobbledygook in the
    messages retrieved from their server.

    https://proton.me/mail/bridge

    You can't just connect your local mail client to their server to get
    your messages. The key for the bridge is different than in your
    account, and only you know that key (similar to you having the private
    key in a PGP/SMIME key pair). If you don't use their bridge, I'm not
    sure how a local mail client is going to handle messages with no
    discernable Subject, From, or other headers.

    Plus, you cannot force your senders to always encrypt their
    e-mails to you (after you've given them your public key). The headers
    aren't encrypted, because they're needed for routing the message until
    deposited into your account, but once in your account the headers could
    be encrypted, too.

    Maybe. I have my doubts. If they have webmail and you can read email
    there, they have the key too.

    Not if the encryption is using your login password. Similarly, you can encrypt a document to send and the recipient uses a passphrase to
    decrypt. Yep, they probably have that (password or key), but their
    claim is they cannot or will not look into your e-mails on their server.
    They are not in a 5-Eyes country, so not subject to an NSL (National
    Security Letter) forcing them to divulge e-mails, logging, or any info
    about their accounts. I'm sure they are still subject to Swiss laws.

    Hum. I remember a case at least in which Protonmail handled email from
    one client to the authorities demanding it.



    I'm sure they still do have the key (password) for my account for their
    web app to decrypt the messages when viewing them there. However, my
    concern is not with my e-mail provider looking at my e-mails. It is
    with hacking and breaches. If you don't trust an e-mail with your
    messages, you shouldn't be using them. However, as you noted for
    transport, e-mail was built on a trust model. Making it secure, even
    from the e-mail provider, is difficult, but necessarily from hackers and breaches. Hopefully they have processes in place regarding trust in
    using keys/passwords against disgruntled employees stealing data (ever
    heard of a gruntled employee?). They claim they cannot recover or read
    your e-mails, because they don't have the key/password. If the password
    you enter for login is encrypted, and compared against an encrypted
    password database, then it's harder for them to peek, but not
    impossible.

    One of the options in a ProtonMail account is the user can change the
    account key (RSA 2048). So, for the super paranoid, the user can keep changing the key. That still doesn't make it necessarily impossible for
    them to get.

    --
    Cheers, Carlos.

  • From Frank Slootweg@21:1/5 to Carlos E.R. on Tue Jan 30 15:08:56 2024
    Carlos E.R. <robin_listas@es.invalid> wrote:
    On 2024-01-30 11:57, Frank Slootweg wrote:
    [...]
    It's blatantly obvious that he's 'Arlen Holder'. Carlos and I have
    been calling him "Arlen" and he has not objected, so ...

    And today he mentioned using wasap to talk with German relatives or
    friends, something he said before under another name.

    I have doubts about Frankie, who appeared 2023-11-02.

    I'm quite sure 'Frankie' (Frankie <frankie@nospam.usa>) is 'Arlen'. He appeared on/before 01OCT2023 in the Windows 10 group, knows that
    'Newyana2' is the old 'Mayayana' and he used (uses?) yet another troll/
    rogue server, Neodome.

    Just FYI, should not be a problem in or by itself, 'Arlen' is (as he mentioned himself [1]) in his late 80s.

    [1] Message-ID: <ukj1od$mlgf$1@paganini.bofh.team>

  • From Frank Slootweg@21:1/5 to Carlos E.R. on Tue Jan 30 15:12:34 2024
    Carlos E.R. <robin_listas@es.invalid> wrote:
    [...]

    And please remember that I do know how to sync files, and did so, since
    the computers came with RS232 ports several decades ago.

    I can beat that! I synced files via papertape in the late 60s!

    [Well, there's hardly anything serious in these subthreads, so why
    should I spoil things!? :-)]

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 17:41:19 2024
    Frank Slootweg wrote on 30 Jan 2024 11:15:26 GMT :

    credentials of his Google Account into the Gmail app on his so, so the (reference to) his Google Account got re-created on his phone.

    Frank - you missed the important part. The important part is NOT that the account is automatically created by the GMail app (and other apps) when you
    log into the account - that's not what's important, silly.

    What's important is the account is simultaneously created with the default settings which at that same time will upload your contacts - without you
    having any say in the matter.

    As I said to the racist Carlos, Google can't upload your contacts if you do
    not put them in the default Android contacts database.

    I don't know why you can't understand a concept _that_ simple, Frank.

  • From Andrew@21:1/5 to Carlos E.R. on Tue Jan 30 17:37:47 2024
    Carlos E.R. wrote on Tue, 30 Jan 2024 14:13:56 +0100 :

    anybody that nymshifts is a troll.

    You're racist, Carlos.
    All you clearly racist people can see, is the color of someone's skin.

    You've said that before that everyone who is Black is a criminal even if they've never committed a crime and you also said that everyone who wears a facemask is planning to rob a bank also - even though they've never robbed
    a bank. You've said that anyone who is tall & blond is a Nazi too.

    You own the limited-input wrong-output perfect mind of a racist, Carlos.

    And because you're a racist, you never will understand why I said the best place to store your contacts (for privacy) is NOT in the default database.

    HINT: It doesn't matter the color of someone's skin, Carlos, when they try
    to explain to you something that you're incapable of understanding.

  • From Andrew@21:1/5 to Carlos E.R. on Tue Jan 30 17:48:57 2024
    Carlos E.R. wrote on Tue, 30 Jan 2024 13:59:38 +0100 :

    You can, if you wish, explain some other method, for curiosity's sake,
    but you must know I will not use it. This is a conscious and meditated decision.

    Carlos,

    You're not the only one on this newsgroup.
    You have no education. No comprehension. No understanding.

    Hell, you repeatedly ridiculed the use of Microsoft Office on a PC.
    Who does that?

    Anyway, the astute sage comment I made that started this is still valid.

    The best place (for privacy) to store contacts is NOT in the default db.
    The reason is you have no idea which programs are uploading them en masse.

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 17:45:24 2024
    Frank Slootweg wrote on 30 Jan 2024 10:05:50 GMT :

    Guess what the double quotes mean? It was an exact
    verbatim quote of what you *did* say.

    Idiot. Carlos is a racist and you're an idiot.
    *I was explaining how to _test_ it you idiot.*

    For you to claim a simple test procedure is something everyone should do is
    an example of why I said your IQ doesn't even approach that of normal yet.

    Who on earth would run a test procedure every single day of their lives?
    You Frank.

    But nobody else who isn't an idiot.

    I wasn't recommending it in general use.
    Even I don't do that, you idiot.

    The last time I wiped out the Google account not in testing was way back in Android 4.4 when I first learned about the Google Account, Frank.

    Earth to Frank-the-idiot. Learn to read for comprehension, Frank.

  • From Alan@21:1/5 to Andrew on Tue Jan 30 09:48:58 2024
    On 2024-01-30 09:37, Andrew wrote:
    Carlos E.R. wrote on Tue, 30 Jan 2024 14:13:56 +0100 :

    anybody that nymshifts is a troll.

    You're racist, Carlos.
    All you clearly racist people can see, is the color of someone's skin.

    How can he see the colour of anyone's skin here, Arlen?


    You've said that before that everyone who is Black is a criminal even if they've never committed a crime and you also said that everyone who wears a facemask is planning to rob a bank also - even though they've never robbed
    a bank. You've said that anyone who is tall & blond is a Nazi too.

    You own the limited-input wrong-output perfect mind of a racist, Carlos.

    And because you're a racist, you never will understand why I said the best place to store your contacts (for privacy) is NOT in the default database.

    HINT: It doesn't matter the color of someone's skin, Carlos, when they try
    to explain to you something that you're incapable of understanding.


    What is the point of all your blather?

  • From Frank Slootweg@21:1/5 to Andrew on Tue Jan 30 18:40:31 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 30 Jan 2024 10:05:50 GMT :

    Guess what the double quotes mean? It was an exact
    verbatim quote of what you *did* say.

    Idiot. Carlos is a racist and you're an idiot.
    *I was explaining how to _test_ it you idiot.*

    For you to claim a simple test procedure is something everyone should do is an example of why I said your IQ doesn't even approach that of normal yet.

    Then it's a good thing that I did *NOT* claim any such thing, isn't it!?

    What I wrote, was of course in the context of your test procedure.
    What else could it *possibly* have been!? Hence I said - and you
    dishonestly silently snipped (I wonder why that is) - "His flaw". See
    "His"!? That "His" is *you* and the "flaw" is indeed in *your* test, not "everyone"s test. Duh!

    Again, as you have such severe problems following the discussion(s)
    and with reading for comprehension, you shouldn't snip so much context.
    But you do snip too much (for you) and every time fall into your own
    trap.

    So once more, we've again established that there is indeed an idiot
    with a sub-normal IQ and once more it's not me.

    [More foaming at the mouth deleted.]

  • From Frank Slootweg@21:1/5 to Andrew on Tue Jan 30 18:25:40 2024
    Andrew <andrew@spam.net> wrote:
    Frank Slootweg wrote on 30 Jan 2024 11:15:26 GMT :

    credentials of his Google Account into the Gmail app on his so, so the (reference to) his Google Account got re-created on his phone.

    Frank - you missed the important part. The important part is NOT that the account is automatically created by the GMail app (and other apps) when you log into the account - that's not what's important, silly.

    Backpedal duly noted.

    What's important is the account is simultaneously created with the default settings which at that same time will upload your contacts - without you having any say in the matter.

    That's what you get for removing the (reference to the) account for
    no good reason. You did something silly, you live with the consequences
    (which, mind you, can easily be fixed, so molehole->mountain).

    As I said to the racist Carlos, Google can't upload your contacts if you do not put them in the default Android contacts database.

    Calling someone a racist for absolutely no reason, is an extreme low,
    even for you. Don't want to be called a troll and a nymshifter, then
    don't troll and don't nymshift. Rather simple really.

    As you've been told a zillion times, your 'privacy' excuse for
    your nymshifting is utter BS. Nymshifting is abuse on the net and even
    abuse of the net. No amount of your foot-stamping will change that.

    Don't like it, bring it up in the abuse and admin groups, if you dare,
    but I advise you to exchange your tinfoil hat for some sturdier armour,
    you'll need it.

    I don't know why you can't understand a concept _that_ simple, Frank.

    Yet another misrepresentation/straw-man, not only about my position,
    but also about what "Google" 'does'.

    But indeed, if you don't put your contacts in the default Android
    contacts database, *Backup by Google One* - i.e. not "Google", but
    *software* on *your* *phone* - can not *sync* - i.e. not "upload" - your contacts to the contacts area in *your* Google *Account*.

    Now that your urban legends, FUD and innuendo have been translated to
    factual English, there's nothing left other than a gigantic "DUH!".
    Bummer that, hey!?

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 19:23:19 2024
    Frank Slootweg wrote on 30 Jan 2024 18:25:40 GMT :

    Backpedal duly noted.

    Idiot. You confuse a test sequence with the real world, Frank.
    And I said it was optional, so you're a double idiot.

    I had to simplify the test case because Vanguard is stupid.
    But I don't consider you stupid, Frank.

    Your IQ is probably only about 10 or 20% below normal.
    That's not great. But it's not stupid.

    Get this fact into your head, Frank.
    *Never once did I advocate it EXCEPT in the context of a testcase.*

    Just like Carlos is a racist because he says that I'm a criminal because
    I'm Black (no other reason than that) - you claim that an illustrative test case is the real world.

    All because I had explained why the safest place (for privacy) to keep your Android contacts database is NOT in the default Android contacts location.

    As I said to the racist Carlos, Google can't upload your contacts if you do
    not put them in the default Android contacts database.

    Calling someone a racist for absolutely no reason, is an extreme low,
    even for you.

    No. You're wrong Frank. Carlos uses one attribute of a person to label them another. That's racist. It's racist to the core.

    Don't want to be called a troll and a nymshifter, then
    don't troll and don't nymshift. Rather simple really.

    First off, you're an idiot if you can't figure out my posts in five
    seconds. Seriously. Who is _that_ stupid? Carlos is. Vanguard is.

    But I didn't think _you_ were, Frank.

    Secondly, if you can't figure out the difference between the header and the body of a message, then you are even less intelligent than I think you are.

    The gift of the knowledge in a Usenet post is NOT in the header Frank.
    I know more than all of you combined (at least the three of you).

    Sure, Andy Burns and a couple of others know more than I do. A lot more.
    But the three of you don't know one tenth of what I know about Android.

    Carlos has an IQ of about 60. Vanguard about 70. You about 80 Frank.
    It's easy to tell because none of you can understand simple concepts.

    Part of the reason is you only see the wrapping paper in the gift.
    Not the gift of the knowledge that was given to you freely.

    As you've been told a zillion times, your 'privacy' excuse for
    your nymshifting is utter BS.

    I posted my classic screenshots for God's sake, Frank.
    How _stupid_ are you that you can't comprehend that?

    You calling me a troll when I do not troll, is a classic racist attitude.
    I didn't say you were racist - but you are if that's how you think.

    HINT: You have to rob a bank to be a bank robber, Frank.
    You can't just be wearing a ski mask.

    I think the simplest way to solve this problem is to put you and Carlos and Vanguard in my killfiles (which is a PITA actually, given my setup).

    Then you learn nothing from me.
    Which, I have to admit with a smile, you'd be perfectly happy doing.

    As you have no intention of understanding why I said the safest place (for privacy) for your contacts is NOT in the default Android contacts database.

    I don't know why you can't understand a concept _that_ simple, Frank.

    Yet another misrepresentation/straw-man, not only about my position,
    but also about what "Google" 'does'.

    I told you how to reproduce what Google does, Frank.
    And then you went to the ludicrous levels of confusing a simple test case
    with what I recommend people do.

    If I would recommend you reboot your router, Frank, to test something out, would you likewise make the ludicrous claim that I'm advocating rebooting
    the router every moment of your life? Idiot.

    You're an idiot, Frank - because you confuse a simple testcase with
    reality. That you can't separate the two is how I know your IQ is below
    normal, but I assess it as not too far below normal. Just 10 or 20 points.

    Seriously. Learn to comprehend the difference between a test case and
    reality and then I will assess your innate IQ at closer to what is normal.

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 19:29:23 2024
    Frank Slootweg wrote on 30 Jan 2024 18:40:31 GMT :

    Then it's a good thing that I did *NOT* claim any such thing, isn't it!?

    If I suggest a test case of adding fake contacts and then testing those
    fake contacts, you'd claim I am promoting everyone use fake contacts.

    You can't separate the concept of testing a situation.
    And the normal setup.

    You're an idiot because you can't separate a test-case sequence with the
    real world - and you _still_ don't understand it was a test case, Frank.

    Even I said I haven't done it in years, Frank.
    I realize you can't read for comprehension, but I said that many times.

    It was a test case.
    Nothing more.
    Nothing less.

    A test case.

    Anyway, it's clear you do not understand why I helpfully suggested the
    safest place (for privacy) to store contacts is NOT in the default
    location.

    I had never expected Carlos or Vanguard to understand that simple concept.
    But it's disappointing you have no idea whatsoever why I had suggested it.

    You don't know how Android works.
    Because you never ran that test case which proved how it works.

  • From VanguardLH@21:1/5 to Carlos E.R. on Tue Jan 30 13:30:13 2024
    "Carlos E.R." <robin_listas@es.invalid> wrote:

    On 2024-01-30 02:57, VanguardLH wrote:
    *IF* I decide to pay for their next service tier that includes their
    bridge, I'll do a test to ensure what they say is what happens. I'll
    have my IMAP client connect directly to their e-mail server, and also
    through their bridge. I can then see if the headers were encrypted in
    the direct connection to their servers.

    Oh wait, they don't allow direct connections to their mail servers. You
    must use their bridge. Their bridge (proxy) is currently available for
    Windows, Linux, and MacOS. For Android and iOS, you need to use their
    mobile apps where they could incorporate their bridge to encrypt all
    traffic.

    When I needed my sister's social security number to complete a title
    transfer of my mother's house after she died, I sent you a message via
    ProtonMail with a passphrase. She didn't have any clients that support
    PGP or SMIME for encrypting messages between clients. When she got my
    PM message, she clicks a link to go to PM's web app, and enters the
    passphrase. Then she could reply securely regardless of her inept mail
    client.

    Interesting.

    Me, I do not need to encrypt headers; content is enough. Maybe the
    subject: Thunderbird can encrypt it.

    This method you mention, is interesting.

    Andrew's objective was to protect your contacts by not uploading them.
    Well, your contacts are also in the headers of your e-mails. I'm not
    concerned my e-mail provider will steal my contacts. At worst, Google
    creates profiles, not sell individual account data. Well, I go to the
    airport, and they profile all the time without knowing who they chose to
    pass through the fluoroscope (or whatever that thing is called). My
    counter to Andrew was that protecting contact lists was insufficient as contacts can also be culled from e-mails, and anyone that hacked or
    breached the e-mail provider would have access to BOTH.

    Because ProtonMail uses its own local proxy to interface between IMAP
    client and their servers, their proxy doesn't have to use any of the
    e-mail protocols (that would include non-encrypted headers) to get
    messages from their server. Their proxy only needs to support e-mail
    protocols on the client-side after decrypting the message retrieved from
    the server.

    For myself, using PGP/SMIME encryption (when usable with someone else
    whose client supports those), or sending passphrase encrypted e-mails is
    sufficient protection. I'm not paranoid about an e-mail provider
    stealing my contacts from a contacts list or culled from my e-mails.
    Even if my contacts were stolen or culled, it's not my responsibility to
    protect others from spam. Each does their own spam filtering. That's
    why the Challenge-Response anti-spam scheme is so stupid: it has others
    filtering out your spam. Not their responsibility. It's your
    responsibility. If at a party and I call out to John, it's not my fault
    when the whole room of party-goers starts chanting "John John John".

    Problem nowadays is getting a free e-mail certificate for SMIME. Comodo
    stopped in 2022. Others died before that. Actalis still has them, but
    asks unknown data during registration that prevents getting an account
    to get the free certs (almost as though they expect companies to get
    them, not end users). So, I use ProtonMail to send passphrase encrypted
    e-mails (and any replies have senders go through their web app).
    ProtonMail also supports PGP. My local client also supports PGP, but
    that whole web of trust stupidity and key ring lookups (assuming you
    know which to use to look up the public key) is junk, and doesn't satisfy
    privacy requirements of many gov't agencies or institutions where a CA
    (Certificate Authority) is required for validating a cert. Also, even
    when there were free e-mail certs from CAs, all they did was verify the
    sender's e-mail address versus the one they used to send their message.
    There was no other identifying info in the e-mail cert unless you paid
    to add more info into their cert they issued to you.

  • From Andrew@21:1/5 to Frank Slootweg on Tue Jan 30 19:35:47 2024
    Frank Slootweg wrote on 30 Jan 2024 15:12:34 GMT :

    Well, there's hardly anything serious in these subthread

    And yet, there is.

    You just can't comprehend the concept as it's foreign to you to think.

    To wit:

    The best place (for privacy) to store contacts is NOT in the default db.
    The reason is you have no idea which programs are uploading them en masse.

    That's a valuable hint.
    You're welcome.

  • From VanguardLH@21:1/5 to Carlos E.R. on Tue Jan 30 14:02:41 2024
    "Carlos E.R." <robin_listas@es.invalid> wrote:

    Hum. I remember a case at least in which Protonmail handled email from
    one client to the authorities demanding it.

    https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/

    Not sure where any e-mail provider could be headquartered that would
    obviate it from responsibility of the laws in that region.

    Google gets tons of FBI requests to hold logs. These are not
    court-ordered. They are requests where Google must keep the logs, but
    doesn't hand them over until there is a court order.

    https://www.statista.com/statistics/273501/global-data-requests-from-google-by-federal-agencies-and-governments/

    This is a nuisance to Google, because the vast majority of those data
    hold requests are never followed up with a court order. These are
    different than NSLs (National Security Letters) that can force user data
    disclosure, and the victim is, by law, not allowed to disclose they ever
    got an NSL until a court dismisses it (which takes about 5 years).

    https://www.zdnet.com/article/google-lifts-lid-on-fbi-data-requests-now-you-can-read-actual-letters-online/
    https://blog.google/outreach-initiatives/public-policy/new-government-removals-and-national-security-letter-data/
    https://blog.google/outreach-initiatives/public-policy/sharing-national-security-letters-public/

    Most are old since getting an NSL cannot be disclosed until resolution
    via "litigation or legislation", so figure you won't hear about any NSLs
    until about 5 years later. The courts are slow, and NSLs presume guilt
    putting the onus of innocence on the victim.

    I don't know the Swiss have access to the hand grenades of NSLs. So,
    ProtonMail, after the above user data disclosure court case, reinforced
    the need to use Tor web browsers to visit their web app.

    https://proton.me/tor

    I do nothing that would make me a POI (Person Of Internet) to any
    government to get my e-mail provider targeted to get at my e-mails, or
    my IP address. An investigative branch (e.g., FBI) can issue requests
    which requires holding the user data (so the data cannot be erased in
    the interim awaiting court decision), but still requires a court order
    to decide to force disclosure.

    Or use ProtonMail's VPN (or some other VPN) to connect to their web app.
    "ProtonMail also operates a VPN service called ProtonVPN and points out
    that Swiss law prohibits the country's courts from compelling a VPN
    service to log IP addresses." Even their free service tier includes
    their medium-speed VPN service. No max bandwidth measure is mentioned
    for "medium", but I can't see getting and sending e-mails as bandwidth
    expensive.

    https://protonvpn.com/
    https://protonvpn.com/pricing?ref=pricing_mail
    (free tier: no ads, no logs, unlimited, free forever)

    I suppose if I became an activist or in any way might trigger some gov't
    agency to consider me a POI then I might bother with Tor to ProtonMail.
    However, remember that Tor was invented by the FBI, and the FBI operates
    many entry and exit nodes, and those have been mapped, so it's still
    possible to track you through the Tor network.

    If I were more paranoid, I'd probably start using free ProtonVPN to
    access my free ProtonMail account using their web app via HTTPS. You
    can layer more security atop security, but you need to decide at what
    point you are comfortable. Security and ease-of-use are the antithesis
    of each other.

  • From Carlos E.R.@21:1/5 to Frank Slootweg on Tue Jan 30 21:51:27 2024
    On 2024-01-30 16:12, Frank Slootweg wrote:
    Carlos E.R. <robin_listas@es.invalid> wrote:
    [...]

    And please remember that I do know how to sync files, and did so, since
    the computers came with RS232 ports several decades ago.

    I can beat that! I synced files via papertape in the late 60s!

    :-D


    [Well, there's hardly anything serious in these subthreads, so why
    should I spoil things!? :-)]

    :-)

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Andrew on Tue Jan 30 21:52:44 2024
    On 2024-01-30 18:48, Andrew wrote:
    Carlos E.R. wrote on Tue, 30 Jan 2024 13:59:38 +0100 :

    You can, if you wish, explain some other method, for curiosity's sake,
    but you must know I will not use it. This is a conscious and meditated
    decision.

    Carlos,

    You're not the only one on this newsgroup.
    You have no education. No comprehension. No understanding.

    You are resorting to insults, as usual when contradicted.

    Not reading.

    Get a doctor. Seriously.

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Andrew on Tue Jan 30 21:54:37 2024
    On 2024-01-30 18:37, Andrew wrote:
    Carlos E.R. wrote on Tue, 30 Jan 2024 14:13:56 +0100 :

    anybody that nymshifts is a troll.

    You're racist, Carlos.
    All you clearly racist people can see, is the color of someone's skin.

    You've said that before that everyone who is Black is a criminal even if
    they've never committed a crime and you also said that everyone who wears
    a facemask is planning to rob a bank also - even though they've never
    robbed a bank. You've said that anyone who is tall & blond is a Nazi too.

    Cite?

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Andrew on Tue Jan 30 21:53:43 2024
    On 2024-01-30 18:37, Andrew wrote:
    Carlos E.R. wrote on Tue, 30 Jan 2024 14:13:56 +0100 :

    anybody that nymshifts is a troll.

    You're racist, Carlos.
    All you clearly racist people can see, is the color of someone's skin.

    Wow.

    Get a doctor, Arlen.

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to Andrew on Tue Jan 30 21:56:46 2024
    On 2024-01-30 20:23, Andrew wrote:
    Frank Slootweg wrote on 30 Jan 2024 18:25:40 GMT :

    Backpedal duly noted.

    Idiot. You confuse a test sequence with the real world, Frank.
    And I said it was optional, so you're a double idiot.

    I had to simplify the test case because Vanguard is stupid.
    But I don't consider you stupid, Frank.

    Your IQ is probably only about 10 or 20% below normal.
    That's not great. But it's not stupid.

    Get this fact into your head, Frank.
    *Never once did I advocate it EXCEPT in the context of a testcase.*

    Just like Carlos is a racist because he says that I'm a criminal because
    I'm Black (no other reason than that) - you claim that an illustrative
    test case is the real world.

    Cite?

    Message-ID?

    I could sue for this...

    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to VanguardLH on Tue Jan 30 22:04:34 2024
    On 2024-01-30 20:30, VanguardLH wrote:
    "Carlos E.R." <robin_listas@es.invalid> wrote:

    On 2024-01-30 02:57, VanguardLH wrote:
    *IF* I decide to pay for their next service tier that includes their
    bridge, I'll do a test to ensure what they say is what happens. I'll
    have my IMAP client connect directly to their e-mail server, and also
    through their bridge. I can then see if the headers were encrypted in
    the direct connection to their servers.

    Oh wait, they don't allow direct connections to their mail servers. You
    must use their bridge. Their bridge (proxy) is currently available for
    Windows, Linux, and MacOS. For Android and iOS, you need to use their
    mobile apps where they could incorporate their bridge to encrypt all
    traffic.

    When I needed my sister's social security number to complete a title
    transfer of my mother's house after she died, I sent you a message via
    ProtonMail with a passphrase. She didn't have any clients that support
    PGP or SMIME for encrypting messages between clients. When she got my
    PM message, she clicks a link to go to PM's web app, and enters the
    passphrase. Then she could reply securely regardless of her inept mail
    client.

    Interesting.

    Me, I do not need to encrypt headers; content is enough. Maybe the
    subject: Thunderbird can encrypt it.

    This method you mention, is interesting.

    Andrew's objective was to protect your contacts by not uploading them.
    Well, your contacts are also in the headers of your e-mails. I'm not
    concerned my e-mail provider will steal my contacts. At worst, Google
    creates profiles, not sell individual account data. Well, I go to the
    airport, and they profile all the time without knowing who they chose to
    pass through the fluoroscope (or whatever that thing is called). My
    counter to Andrew was that protecting contact lists was insufficient as
    contacts can also be culled from e-mails, and anyone that hacked or
    breached the e-mail provider would have access to BOTH.

    I know for certain that the spammers that bother me have not got my name
    and data from the Google Address Book from me or others. It is obvious.
    So I am not worried about having my address book backed up in the Google
    cloud.

    They are getting them from other sources who sell them. It is visible in
    the spelling errors or the amount of data they have, which is not in the
    Google Contact List.


    Because ProtonMail uses its own local proxy to interface between IMAP
    client and their servers, their proxy doesn't have to use any of the
    e-mail protocols (that would include non-encrypted headers) to get
    messages from their server. Their proxy only needs to support e-mail
    protocols on the client-side after decrypting the message retrieved from
    the server.

    For myself, using PGP/SMIME encryption (when usable with someone else
    whose client supports those), or sending passphrase encrypted e-mails is
    sufficient protection. I'm not paranoid about an e-mail provider
    stealing my contacts from a contacts list or culled from my e-mails.
    Even if my contacts were stolen or culled, it's not my responsibility to
    protect others from spam. Each does their own spam filtering. That's
    why the Challenge-Response anti-spam scheme is so stupid: it has others
    filtering out your spam. Not their responsibility. It's your
    responsibility. If at a party and I call out to John, it's not my fault
    when the whole room of party-goers starts chanting "John John John".

    Problem nowadays is getting a free e-mail certificate for SMIME. Comodo
    stopped in 2022. Others died before that. Actalis still has them, but
    asks unknown data during registration that prevents getting an account
    to get the free certs (almost as though they expect companies to get
    them, not end users). So, I use ProtonMail to send passphrase encrypted
    e-mails (and any replies have senders go through their web app).
    ProtonMail also supports PGP. My local client also supports PGP, but
    that whole web of trust stupidity and key ring lookups (assuming you
    know which to use to look up the public key) is junk, and doesn't satisfy
    privacy requirements of many gov't agencies or institutions where a CA
    (Certificate Authority) is required for validating a cert. Also, even
    when there were free e-mail certs from CAs, all they did was verify the
    sender's e-mail address versus the one they used to send their message.
    There was no other identifying info in the e-mail cert unless you paid
    to add more info into their cert they issued to you.

    Yep, that's so.


    --
    Cheers, Carlos.

  • From Frank Slootweg@21:1/5 to Carlos E.R. on Wed Jan 31 18:29:01 2024
    Carlos E.R. <robin_listas@es.invalid> wrote:
    [...]

    I know for certain that the spammers that bother me have not got my name
    and data from the Google Address Book from me or others. It is obvious.
    So I am not worried about having my address book backed up in the Google
    cloud.

    Indeed. My contact details (including e-mail) are in my (Google)
    Contacts (<https://contacts.google.com>), but I do get no [1] spam on
    that - or any other - address. So one's Google Contacts are indeed *not*
    a source for spam.

    [1] Well, maybe one message per month, if that much.

    They are getting them from other sources who sell them. It is visible in
    the spelling errors or the amount of data they have, which is not in the
    Google Contact List.

    Yes, and sometimes some of one's - somewhat - legit suppliers seem to
    share your e-mail address with their partners without asking/telling you
    and backtracking to the source is often not possible, so you don't know
    who to blame. But even those are included in my about one message per
    month, so nothing to get worked up about.

    [...]

  • From Carlos E.R.@21:1/5 to Frank Slootweg on Wed Jan 31 20:24:06 2024
    On 2024-01-31 19:29, Frank Slootweg wrote:
    Carlos E.R. <robin_listas@es.invalid> wrote:
    [...]

    I know for certain that the spammers that bother me have not got my name
    and data from the Google Address Book from me or others. It is obvious.
    So I am not worried about having my address book backed up in the Google
    cloud.

    Indeed. My contact details (including e-mail) are in my (Google)
    Contacts (<https://contacts.google.com>), but I do get no [1] spam on
    that - or any other - address. So one's Google Contacts are indeed *not*
    a source for spam.

    [1] Well, maybe one message per month, if that much.

    They are getting them from other sources who sell them. It is visible in
    the spelling errors or the amount of data they have, which is not in the
    Google Contact List.

    Yes, and sometimes some of one's - somewhat - legit suppliers seem to
    share your e-mail address with their partners without asking/telling you
    and backtracking to the source is often not possible, so you don't know
    who to blame. But even those are included in my about one message per
    month, so nothing to get worked up about.

    I get phone calls trying to sell me this or that, or to donate to this
    or other charity or NGO. I must have said to one or two that I did not
    have a job (something I have only told charities, because one is shamed
    of not donating to them, so one tends to explain why), and now I'm
    getting spam on one of my mail addresses about jobs. Not the address
    that I have reserved for "jobs".

    This is an address that since many years I only give to friends, but may
    have used it initially for registration at some site or other or when
    buying something. And this is the address they are using, and they use
    my name with a peculiar spelling error.

    This is not coming from Google sharing my contact book.


    [...]

    --
    Cheers, Carlos.

  • From Andrew@21:1/5 to VanguardLH on Wed Jan 31 22:12:29 2024
    VanguardLH wrote on Tue, 30 Jan 2024 13:30:13 -0600 :

    Andrew's objective was to protect your contacts by not uploading them.
    Well, your contacts are also in the headers of your e-mails.

    Frank was pretty clear that he was sure of the fact that a "contact"
    typically contains a name & address & phone number(s). Email does not.

    I'm not concerned my e-mail provider will steal my contacts.

    Unless that e-mail provider uploads your Android default contacts database
    (or unless you upload it to them), how are they going to get phone numbers?

    My counter to Andrew was that protecting contact lists was insufficient
    as contacts can also be culled from e-mails, and anyone that hacked or
    breached the e-mail provider would have access to BOTH.

    How are they going to get phone numbers from the header of your emails?

    Problem nowadays is getting a free e-mail certificate for SMIME.

    The problem is you are vehemently arguing against not storing contacts in
    the default contact database, but you don't understand a thing about it.

    You don't even seem to realize the astounding difference between the data
    that is in a typical contact entry and that of a typical email address.

    You're never going to comprehend a word I've said until you understand
    that an email address isn't the same thing (at all!) from a contact entry.

  • From Andrew@21:1/5 to Carlos E.R. on Wed Jan 31 22:21:38 2024
    Carlos E.R. wrote on Wed, 31 Jan 2024 20:24:06 +0100 :

    This is not coming from Google sharing my contact book.

    When you have people like Carlos arguing against something because he
    ridiculed the use of Microsoft Office on a PC, that's a clear sign of a
    cognitive impasse such that he'll never understand something complex.

    When you have people like Vanguard arguing vehemently against something
    when it's clear he thinks that an email address is exactly the same as
    what's in a contact entry, then that cognitive impasse is unfathomable.

    When you have people like Frank who make the claim that Google is spamming
    people based on their contacts, again, there is no way to get thru to you.

    None of you have even the slightest capacity to understand the situation.
    And yet, you vehemently argue against what you can't possibly fathom.

    Why?

    Luckily Alan Baker & Joerg Lorenz didn't weigh in on the topic when the
    three of you ridiculed what is a basic privacy measure for Android.

    IMHO, the safest way to ensure no app is accessing your contacts without
    your knowledge is simply to not store them in the default Android location.

    What's different about my assessment and yours, is I understand the facts.
    You do not.
