Trusting your data to MSFT -- ideas?

[blueskull]

As I'm moving back to China, I need to cope with the unavailability of Google services.

I know I can use VPN to access Google services in China, but then accessing local contents would be slow, so I would like to use VPN only for YouTube.

So far, I've shifted from Google search to Bing, Google Drive to OneDrive, Google Suite to Office 2016, and just today, Chrome to Edge Canary, which opens a new question.

Since it manages autofill, should I trust my passwords (banking, PayPal, etc.) to MSFT? I know I can trust Google, not because it doesn't watch me, but because it watches too many people and I'm not of special interest. But since this Edge Canary is a new thing, should I be worried?

BTW, Edge Canary works really well. I can't see it being any slower than Chrome, and it works fine on macOS.

[maginnovision]

What makes you think Microsoft cares any more than Google? Realistically I don't think it should be a concern. Is canary on GitHub?

[thm_w]

I personally wouldn't use the browser for autofill, use lastpass or similar instead. Been around longer and won't auto-sync to some other device by accident if you log in to your MS account (I assume thats what its based on).

https://www.lastpass.com/
https://alternativeto.net/software/lastpass/

[Mr. Scram]

Using autofill in browsers has been proven to be unsafe a couple of times in the past and is generally recommended against from a security point of view. Use a proper password manager if you must.

[BravoV]

If you're nobody, I mean sort of like not working with Chinese military or other geo-political sensitive areas, don't think you should worry too much.

For sure, if someday you've been offered to do say some power electronics for Iranian, then you should start to worry, I mean really-really seriously worry. 

[NiHaoMike]

Why not use DuckDuckGo, Libreoffice, and Chromium?

[maginnovision]

Yea, I never save my passwords anywhere. I just keep them in my head and use 2 factor where available.

[BravoV]

Since my project with DOE, and then with DOD, despite both are non-classified, I got checked every single time when I reenter US.

With that only, a Chinese worked for US govt., I guess you're now carry a "tag" on you, either in US or Chinese agency, especially when crossing borders. 

[BravoV]

And many of us have troubles coming back to US, so I will just save the disgrace.

Yeah, wise move, especially for the upcoming US presidential election, pretty sure the incumbent may will exploit and treat these current "oriental" relationships and matters as commodity in his upcoming campaign, not a good place to stay, imho.

[magic]

I don't think there is much difference between Microsoft and Google.

In fact, Microsoft started out in times when it wouldn't have been acceptable to do what tech companies are doing nowadays to their customers. Microsoft jumped on that stupid cloud and telemetry fad only to stay relevant against competitors like Google and Apple.

IMO it's the Silicon Valley which is the real cancer destroying computer industry and the Internet. Microsoft merely produced software which happened to be of dubious quality and fucked their competitors to sell it anyway, Google started out with the aim to know everything about you.

I wouldn't expect any of those companies to deliberately disclose your bank password to anyone. Unless they are forced by the US government, then both will. I don't know what's the state of Microsoft's cooperation with Chinese government on that matter. I would expect both of them to implement password storage professionally and make it hard or impossible for third parties to hack.

The most secure password manager is one which encrypts your passwords with a secret master password that no one knows before sending anything outside your machine.

[lordium]

From my experience, ANYTHING that is located outside china is subject to the firewall and therefore not guaranteed to work. Only option if you really want reliable services and backups is to use services that provide servers located inside china.
Usually evenings and weekends etc the firewall gets loaded down more and stuff that usually works sometimes don't (depending on area where you live and which ISP).
Me, I just use baidu for online storage/backup, and a VPN for google/youtube/whatever else (there really is no good substitute for googles services if you ask me).

[bd139]

Use Microsoft software, don’t use a Microsoft account and keep your passwords in keepassx or something. I never use the sync services as it’s dead easy for malware to lift all your saved passwords from the browser regardless if it’s synced or not. 

New chrome based edge is actually pretty good. I’ve been running it for a couple of weeks.

[lordium]

Just tried microsoft (aka outlook), still waiting for the mailbox to load in fully(loaded half the icons etc). Onedrive, can't even reach, traffic only goes to firewall then blank after that.

[magic]

Not really surveillance on everyone, otherwise Chinese government would be a reader's club.

Most likely just voluntary censorship, aka search result filtering and regex matching and sanitizing kind of stuff.

I meant the regulations which require companies to enable Chinese government to hack individual customers in special circumstances. I don't know how Microsoft complies with them, whether online password managers are affected and how it affects security of Microsoft's password storage services in China.

[Nominal Animal]

If I were you, I'd use one browser configured to use VPN (via a local proxy that blackholes certain sites), and the other configured for direct access.

I might test a virtual machine (whose network connection is restricted to the VPN via the host network config), but I suspect it would not feel as seamless as two separate browsers would.

Note that I'm a Linux user, and don't know how hard implementing that on other OSes is; I only know that it'd be straightforward to do those in Linux.

[MT]

I know I can trust Google, not because it doesn't watch me, but because it watches too many people and I'm not of special interest.

If an agency finds you an asset for a purpose you can become an asset without knowing it.

[Mr. Scram]

If an agency finds you an asset for a purpose you can become an asset without knowing it.

It's actually one of the most common mistakes people and companies make, thinking you're not interesting enough. In reality people and companies from all walks of life pique more interest than they'd like or would have thought.

[technix]

If you use a Mac, and only if you use a Mac, you can still trust Apple as iCloud on US servers is not banned from China. The Chinese servers of iCloud is only used if your Apple ID is registered with a Chinese payment method, otherwise it goes to the US servers.

Also Apple has a better track record with user data privacy AFAIK.

[technix]

I certainly hope not, but who knows.

*video removed*

I have my doubts if Apple is to be subjected in China. While Huawei don't employ a lot of people in the US, Apple has a lot of employees in China and the last thing China want to see is a huge unemployment wave. The employment issue in China is already problematic with the 996.icu protests.

However I do have the feeling that some other companies might be targeted, as they have way less of a presence here, have a proven track record of spying, and has a product lineup entirely fungible by Huawei products.

[dnwheeler]

Most of Microsoft's telemetry data really seems to be used for improving their products. They use that data to see how people use their products, and which features they use. I haven't seen much evidence of that data being misused (yes, they put some personalized "ads" and downloads on your system). If you follow any of their development groups (in blogs, conferences, etc.) they discuss what they learn from the telemetry and how that guides them as they update/improve their products.

Google and Facebook, on the other hand, make their money almost exclusively from user data.

[Red Squirrel]

For file storage, just setup a local file server, for email, you can use a VPS and host your own.  Or heck even most shared hosting packages will also have email and probably arn't that likely to spy like the free email providers.   For search, use duckduckgo.    For browser use Firefox with an adblocker and privacy badger.

That should at least help in terms of privacy.  Of course Google, Facebook, government etc still know everything you do online, but the more you do offline, the less they know.

[Mr. Scram]

For file storage, just setup a local file server, for email, you can use a VPS and host your own.  Or heck even most shared hosting packages will also have email and probably arn't that likely to spy like the free email providers.   For search, use duckduckgo.    For browser use Firefox with an adblocker and privacy badger.

That should at least help in terms of privacy.  Of course Google, Facebook, government etc still know everything you do online, but the more you do offline, the less they know.

If you set up a server, make sure you know what you're doing. Bumbling about yourself isn't going to lead to safer data than having a big party hosting it securely.

[bd139]

If you set up a server, make sure you know what you're doing. Bumbling about yourself isn't going to lead to safer data than having a big party hosting it securely.

100% that. Best advice on the Internet in this space.

[Electro Detective]

Why intelligent people apply for work with these suss organizations to do the real work for them,

and then whinge later about getting shafted or put on some frenemy 'watch list' escapes me 

This is why these corporatons become too big and out of control, eventually taken over and run by suited psychos in ivory towers, where the air is thinner.

Who needs all that cloak and dagger crap anyway just for a wage,

or does working for rich creeps they know nothing about give some dudes woodies, and or bragging rights ammo at upnose parties or something. 


FWIW: how hard is it to have all your passwords in a text file or some digi note thing, 
and copy and paste manually ?
What's more important in a security situation?  ease and speed or 'security' ?

My browser does what I command it to, and only that,

no autoshyte anything! 

[bd139]

Most people don’t give a shit however intelligent they are and just look at the pay cheque. And for everyone else there is comfortable entrapment. I actually interviewed at google in 2012 for a permanent SRE position and the place was like a Scientologists lair and I was undergoing a psychometric audit not an interview. Despite an offer, I decided to go solo contract instead which I don’t regret.

One thing you have to consider with large companies and your data is bad people float to the top of the septic tank.