Apologies, I didn’t want to assume you knew how hibp works based only on your verbiage. I think I misread your comment and assumed you were implying they werent trustworthy or something.

Out of curiosity, what do you think the vector of attack would be if someone had a honeypot of tokens they were offering people a look at?

Get the browsers unique id and tie it to the token they’re asking about? How would that not be defeated by naming a bunch of queries about extant tokens?

The problem I see is that there’s this public knowledge thing, the license tag number, and it requires monitored access to a restricted system in order to correlate that public piece of information to a human being. So would just fuzzing requests with tags in the db work?

What would you say is a better way to allow users to check if their password is in, last time I looked, over a petabyte of data breaches than to have them enter it?

They are waiting for a new jurisprudence that has decided how police are expected to respond to information from the panopticon.

If the new decisions end up painting a picture where it’s okay to be shown hearsay by the panopticon then as long as there’s a sound investigation and solid evidence they’ll be able to keep using these systems, now with codified policies.

If it comes down that cops aren’t supposed to look at the panopticon then they will just sell them off to people who can (the prison system) and cover up everything they did as best as is possible.

Everything works fine. Stop worrying.

If you want to be 100% sure (and this is smart in general in all of life!), open a bank account and get a credit card tied to it for payments. Go to taobao or AliExpress or something where Alipay or WeChat are used and try them out with your new financial details.

It doesn’t matter what credit card you get because credit cards are an incredibly not private method of paying for stuff and merchants, processors and everyone else are strongly incentivized to collect and sell user transaction data.

This is going to sound counterintuitive, but don’t get a vpn to bypass the firewall if you don’t have a non-espionage reason to do so. The reason I say that is you’re pitting yourself against a nations cybersecurity people and there’s a good chance they’re smarter than you. It would be better to be able to say “I saw on reddit that I could use this vpn to access this forum for a game I play” and then show the cops all your cringey posts and your hundreds of hours of playtime than to say “I wasn’t doing anything!” or “I just value my privacy!”.