How do you protect yourself online?

It’s kind of eerie how similar this is to my current situation and my situation going forward. My intention is to flip over to Arch this year, but I will have to keep the MacBook about because of the very same - with AE and AI being replaced in my case by PR. I dislike Adobe the company a lot, but I’ve built up too much familiarity and skill within their products to switch.

As with above, this was also my issue, (near) all of my messaging has been put through Signal, so when I found various PinePhone distros unable to handle it, it kind of knocked my ability to use it. I keep checking back though.

Thanks for all the great feedback. There are many new and interesting things here.

@gnome Do you use an online service to manage your e-mail aliases?


I use Manjaro with XFCE. I recommend Ubuntu if you can’t use a terminal to troubleshoot.

Asahi Linux has been making progress on allowing Linux to run on Apple M1 chips. Don’t forget about virtual machines. There might be some combination of hardware, OS, and VM which makes life easier.

I store documents in a virtual encrypted disc before I synchronize with my online file service.

I use RSS daily. But I don’t associate RSS with privacy. Instead, it is a much better way to organize and deduplicate news. I use Mozilla Thunderbird where the keyboard shortcut n will show the next unread message. Vivaldi also supports RSS in its “Fully Loaded” configuration.

One nice thing about Gemini is it uses TLS client certificates for authentication. So I get FIDO-level of security but the software keys are disposable. I can create as many as I need locally. I can use different keys with different services. And if I want to end a relationship with a server, I can delete my key.

1 Like
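
The per-service, disposable client identities described in the post above can be sketched with the openssl CLI. This is an added example, not part of the original post or of any Gemini client; the directory layout, the function names and the host names passed to them are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): one throwaway TLS client identity per
# Gemini capsule. Directory layout and function names are assumptions.
IDENT_DIR=${IDENT_DIR:-$HOME/.gemini-identities}

# Reject empty names and anything that could escape IDENT_DIR.
valid_host() {
    case $1 in ''|*/*|.*) return 1 ;; esac
}

# new_identity HOST: self-signed cert and key used for HOST and nothing else.
new_identity() {
    valid_host "$1" || return 2
    d="$IDENT_DIR/$1"
    if [ -e "$d/key.pem" ]; then
        echo "identity for $1 already exists" >&2
        return 1
    fi
    ( umask 077                      # key and directory readable by owner only
      mkdir -p "$d" &&
      openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
          -nodes -days 365 -subj "/CN=disposable" \
          -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null )
}

# fingerprint HOST: SHA-256 of the certificate; a server can recognise a
# returning client by it, so two capsules never see the same value.
fingerprint() {
    valid_host "$1" || return 2
    openssl x509 -in "$IDENT_DIR/$1/cert.pem" -noout -fingerprint -sha256 |
        cut -d= -f2
}

# drop_identity HOST: delete key and cert; the account cannot be used again.
drop_identity() {
    valid_host "$1" || return 2
    rm -rf -- "$IDENT_DIR/$1"
}
```

Every identity carries the same non-identifying subject (`CN=disposable`), so the only thing that distinguishes one from another is its key.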

<Data_Dump>
My default browser is Tor Browser, then Firefox as the fallback. I am tracking arkenfox for extensions (4.1 Extensions · arkenfox/user.js Wiki · GitHub) and using the user.js from GitHub - arkenfox/user.js: Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening, with the hard mode settings for uBlock Origin. Using KeePassXC as a password manager, and I use unique, complex, long passwords everywhere.

Transitioning from an old iPhone to a new Murena phone and exploring /e/. (Would like to figure out how to get GrapheneOS on the Murena phone.) Plan on getting a SIM from Purism and porting my current phone number to the new SIM and using that on the Murena phone. Minimum apps loaded on the phone. Keep Bluetooth and WiFi turned off except on those rare occasions when I am actively using them. Keep Location Services turned off except when I need it, then turn it off the minute I stop needing it.

Using ProtonMail for email.

Don’t use Google, Facebook, Twitter, LinkedIn, cancelled and closed the Amazon account. I will look up and research stuff on Amazon but then I go to the manufacturer’s site or EggHead.com to buy it there.

Currently using Devuan on the Purism laptop with apt-get, etc routed over Tor for system updates.

The only Big Tech that I am using right now is my ISP, Netflix, and Apple (Phone, laptop & tablet), and I am working on getting off Apple and using only Linux and BSD.

At home, I mostly avoid WiFi and prefer a wired connection. My ISP is Big Tech so I, also, use a VPN, by default, so they can do all the deep-packet inspection they like. :stuck_out_tongue_closed_eyes:
</Data_Dump>

2 Likes

@mike I use a self-hosted Microsoft Exchange server that has been in place for ~20 years for my aliases. Eventually, I’d like to self-host an email server with free software, but it’s low on my list of priorities. I’m not an advanced user of Microsoft Exchange; it’s more inertia than anything else.

My reason for using RSS isn’t privacy-related either, but the reason I discovered it was because I was looking for new and different software than what I used before. I use Newsboat with Vim keys as my RSS reader, and it’s quite nice. Very easy to move to a new computer.

I tried out Gemini with the Lagrange client you recommended a few days ago, and it’s quite neat. The only gemlog I find myself frequenting is gemini://drewdevault.com. I’d like to use it more. Unfortunately, though perhaps I’m misunderstanding something, there doesn’t seem to be an easy way to find Japanese sites in geminispace. gemini://geminispace.info, for instance, doesn’t allow me to input 日本語 characters to search.

Related to macOS, the Mac I use is the ill-fated iMac Pro (2017), so it’s not an M1. The nice thing about macOS is that you get access to most of the software available for GNU/Linux because of POSIX, as well as access to proprietary applications like Adobe and Affinity Creative Suite not on GNU/Linux, without any of the badgering Windows is known for. But GNOME is a much nicer desktop for various reasons.

It’s not so much the applications, however, that keep me there—it’s the file formats. As I collaborate with people who use .PSD, .INDD, and .AEP files, there’s no good alternative to Adobe software. Given that Adobe wants to bring their applications to the web, maybe I won’t need to use macOS or Windows just for these programs in the future.

1 Like

but I will have to keep the MacBook about because of the very same - with AE and AI being replaced in my case by PR. I dislike Adobe the company a lot, but I’ve built up too much familiarity and skill within their products to switch.

I was a previous user of Premiere Pro, but I actually ended up learning DaVinci Resolve and liking it much more. It’s a workflow I really appreciate now that I’ve gotten used to it, but yes, there unfortunately is a learning curve. I learned it originally because I thought I’d be able to use it on GNU/Linux, but I didn’t yet know that DR doesn’t support H.264 decoding/encoding on ONLY GNU/Linux, and that it’s something that will be unlikely to change in the future. I only work with H.264 generally, as that’s what my clients provide me. But I’m still glad I learned it, at least for use on macOS.

Affinity Creative Suite is a great alternative to Adobe PS, AI, inDesign that is very familiar, is very cheap for a lifetime license, with none of the same invasive DRM. Many of the keyboard shortcuts are the same, although the interface is a bit different. .PSD import/export support is pretty good, but unfortunately text layers will be rasterised. It’s something that’s too complicated to support well.

Affinity makes sense as an alternative if only you are using it, or everyone you’re collaborating with uses it too. I actually like AFPhoto more than Photoshop and use it for some projects. Vector graphics, thankfully, have a much better transport file format in .eps, so it’s probably workable as a replacement for Illustrator. For inDesign, Affinity Publisher doesn’t offer great compatibility, I’ve heard. I’m not a big inDesign user.

Of course, this is just as an alternative to Adobe. Affinity isn’t supported on GNU/Linux, or through WINE/CrossOver. But it would probably be a privacy improvement, given how much monitoring Adobe does.

As with above, this was also my issue, (near) all of my messaging has been put through Signal, so when I found various PinePhone distros unable to handle it, it kind of knocked my ability to use it. I keep checking back though.

I’ve heard Ubuntu Touch (which was my favorite) works with Axolotl (Signal implementation), but I couldn’t get Axolotl working at the time. Even if I could, I’d probably need to have two Signal accounts and set up a group chat with everyone I direct message (them and my 2 Signal accounts) because you can’t have more than one phone with the same Signal account. I’ll have to give it another shot sometime.

1 Like

Unlikely to happen. The makers of Graphene are not going to make ROMs for too many devices. They focus on the Pixel phones, which is one of the things they are criticised for. But, I guess it is all free and open source, so not fully impossible. I think they released 2 of their apps and you can get them through the appstore (forget what /e/os calls their appstore).

1 Like

I have made it a habit to do most, if not all browsing that does not require an account, in Tor Browser. Overkill? Maybe, but it’s a quick and easy solution to mitigate pretty much all forms of tracking. I do the rest of my browsing in Firefox with the privacy.firstparty.isolate flag in about:config set to true, and uBlock Origin on top of that. I have also switched from Windows to Linux.

1 Like

I PM’d gnome about this issue and wanted to share the result.

From the Lagrange capsule:

Prior to version 1.8, Lagrange’s font library was hardcoded and all the fonts were bundled together with the binaries. The number of fonts was limited by needing to keep the packages suitably small for distribution.

gemini://skyjake.fi/fonts/classic/

In our private thread, I was able to demonstrate searching with Japanese characters because I inherited the classic font pack from Lagrange v1.7 and earlier. And gnome fixed the issue by installing the CJK font set.

If you have an issue with input or missing characters, visit the URL above and try the ‘Classic set’ of fonts.

Lagrange manages these fonts via

about:fonts

Mike

2 Likes

sorry, i can’t post more than 2 links so i’ll add them as code…

if one cares about privacy, that eliminates Windows, Google services, Facebook, Twitter, Instagram, YouTube and all the other mainstream platforms i’m forgetting

at the PC level i personally moved to Manjaro or, as i affectionately call it, Arch for Dummies! - it’s a rolling release that’s easy to install

mobile i no longer use, though if i did, it’d have to be an open-source phone like PINE64, Librem, WiPhone or something along those lines - the baseband needs to be isolated else i don’t think there can be any expectation of privacy regardless of the user-facing OS/ROM

at the browser level i use the normal Firefox release version with a “few” tweaks https://12bytes.org/articles/tech/firefox/ - in my personal opinion there is (unfortunately) no other mainstream browser that is as well suited for privacy tweaking - if you want to keep it a little simpler, check out LibreWolf https://librewolf.net/

email is Thunderbird, again with a “few” tweaks https://12bytes.org/articles/tech/the-thunderbird-privacy-guide-for-dummies/ - i want my mail stored locally where i have control over it, so no web-only services and certainly no “free” services such as hotmail, gmail, etc. - personally i use runbox https://runbox.com/ primarily - there are better providers if privacy/security is paramount, but runbox has a decent privacy policy, they’re cheap and the service has been stellar for me

@mike - if you want you can dump all of the add-ons you mentioned by using the arkenfox https://github.com/arkenfox/user.js user.js and uBlock Origin - some additional privacy add-ons may very well decrease privacy - for example, with the newer versions of Firefox, Privacy Badger is not needed, nor are container add-ons

absent arkenfox, i might suggest installing uBO, enabling Strict Enhanced Tracking Protection in Firefox settings, and resist fingerprinting ( privacy.resistFingerprinting in about:config ), OR you could simply go with LibreWolf which does all this for you, and much more, including installing uBO

also see personal-security-checklist, Privacy Guides and my site, https://12bytes.org/articles/tech/, which also has Firefox privacy and uBO setup guides

2 Likes
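
A quick way to confirm that the two about:config prefs mentioned in this thread, privacy.firstparty.isolate and privacy.resistFingerprinting, are actually in effect for a profile. This is an added example, not from any poster or from arkenfox; the function names and the constructed sample profile are assumptions, and block comments (`/* */`) are not parsed.

```sh
#!/bin/sh
# Added example (not from the thread): report the effective value of the two
# about:config prefs named above. Firefox applies user.js over prefs.js at
# startup, and within one file the last user_pref() line for a name wins.

# pref_in_file FILE NAME: print the last active value, or nothing if unset.
pref_in_file() {
    [ -f "$1" ] || return 0
    awk -v name="$2" '
        /^[ \t]*\/\// { next }               # commented-out pref, ignore
        {
            key = "user_pref(\"" name "\","
            i = index($0, key)               # literal match: dots stay dots
            if (i == 0) next
            val = substr($0, i + length(key))
            sub(/\);.*$/, "", val)           # drop ");" and trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# effective_pref PROFILE_DIR NAME: user.js value if set, else prefs.js value.
effective_pref() {
    v=$(pref_in_file "$1/user.js" "$2")
    [ -n "$v" ] || v=$(pref_in_file "$1/prefs.js" "$2")
    printf '%s\n' "${v:-unset}"
}

# audit_profile PROFILE_DIR: one line per pref; status 1 if any is not true.
audit_profile() {
    rc=0
    for p in privacy.firstparty.isolate privacy.resistFingerprinting; do
        v=$(effective_pref "$1" "$p")
        [ "$v" = "true" ] || rc=1
        printf '%-30s %s\n' "$p" "$v"
    done
    return "$rc"
}

# Constructed sample profile, so the script runs without a real Firefox.
demo=$(mktemp -d)
printf '%s\n' 'user_pref("privacy.resistFingerprinting", false);' \
    'user_pref("privacy.firstparty.isolate", true);' > "$demo/prefs.js"
printf '%s\n' '// user_pref("privacy.resistFingerprinting", false);' \
    'user_pref("privacy.resistFingerprinting", true); // set by user.js' \
    > "$demo/user.js"
audit_profile "$demo" || echo "at least one pref is not enabled"
```

Point `audit_profile` at a real profile directory to check it; a pref reported as `unset` is at Firefox's built-in default rather than explicitly enabled.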

To avoid personalizations, I try to do search engine evaluations in a disposable Whonix VM. I disable JIT compilation, WebGL, WebRTC, the Battery and Peripherals API, Graphite rendering, and a bunch of other stuff in my “main” non-anonymous browsers for security; I stick to defaults in the Tor Browser’s “safest” setting when possible for anonymity.

I’ve written some bubblewrap scripts to provide rudimentary sandboxing. Unfortunately, I’ve been using the Firefox bwrap script less often because it breaks screen reader support.

I keep my addon/extension usage to a minimum since even the best-intentioned addons significantly weaken the isolation-based browser security model. I make JavaScript, cookies, and localstorage disabled by default in my day-to-day browsers.

Since Linux doesn’t provide robust sandboxing of its own (you’d have to rebuild userspace a la Android to do it properly), I’ve been experimenting with ways to run programs like the browser in little disposable VMs. Qubes-lite, if you will.

2 Likes

I have amended your trust level so that this one shouldn’t be a problem anymore. We’ve kept it pretty similar to the initial setup in that respect, but wherever anyone flags it’s an issue for them I’m more than happy to adjust it. Most of the earlier parts of that are to protect against bots (I believe) which you patently are not :smile:

good to know - i was starting to worry about myself :slight_smile:

off-topic - i didn’t see any Mojeek beta test stuff on the forum - i was invited to test the next beta and i’m wondering if there’s a place where that’s being discussed

thanks Josh!

This is 100% on the way, and a good part of the reason behind setting this up. In terms of the when I don’t have any specific date, but we are working on it. I’m also eager to hear your thoughts.

DivestOS (divestos.org) is an interesting looking replacement for GrapheneOS for non-Pixel devices. DivestOS applies as many of the GrapheneOS patches as it can to a bunch of devices from Lineage. But the Murena phone is not currently supported :frowning:

In related news, I was using OPNSense on a 4-port Protectli (protectli.com) box for my in-home router, but am switching that back to a bare-bones OpenBSD setup. I’m a tech-control freak (strong GUIs make weak minds).

1 Like

I have actually used this on my testing phone (Pixel 4a) and it works well. If I’m honest I haven’t dug into it too much, the device is currently only used to have a way of checking things on Android/another AOSP operating system and was purchased at a sizeable discount due to its broken SIM slot. As you say, there are a lot of non-Pixel supported devices: Devices - DivestOS Mobile

Yes, I saw that. I like their site, it is full of great information even if you don’t have a supported device.

I don’t plan on getting any of the supported devices in the future though.

ProPublica published some basic tips for protecting yourself online. The complete story has additional details like how to check your privacy settings on iOS and Android.

Note: In the United States, you will likely also need to unfreeze your credit reports if you are applying for a job.

  • Stop reusing passwords
  • Delete unused accounts
  • Add an additional layer of security (MFA)
  • Manage your apps’ privacy settings
  • Think before you click
  • Keep your software up to date
  • Limit what you’re sharing online
  • Secure your SIM
  • Freeze your credit reports
  • Back up your data
2 Likes

Naomi Brockwell

Home | Avoid the Hack (avoidthehack!)

Dig Deeper

GitHub - arkenfox/user.js: Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening

GitHub - HorlogeSkynet/thunderbird-user.js: Thunderbird privacy, security and anti-fingerprinting: a comprehensive user.js template for configuration and hardening

GitHub - Lissy93/awesome-privacy: :unicorn: A curated list of privacy & security-focused software and services

GitHub - Lissy93/personal-security-checklist: :lock: A compiled checklist of 300+ tips for protecting digital security and privacy in 2023

Opt out of global data surveillance programs like PRISM, XKeyscore, and Tempora - PRISM Break

Raptor Computing Systems::Talos™ II

Libre Silicon

Home » Open Compute Project

Beautiful, Secure, Privacy-Respecting Devices - Purism

Vikings Store

coreboot

Libreboot - Libreboot project

1 Like

Would not recommend Dig Deeper. The author is a conspiracy theorist, not an expert.

RYF hardware with Libreboot and the Linux-Libre kernel will hurt your security, as this involves disabling microcode security updates (!!). Microcode is a proprietary black box whether or not you update it. I’ve written about why FOSS != Secure before. Secure and insecure FOSS exists; Libreboot and the Linux-Libre kernel fall into the latter category.

2 Likes

that term carries with it negative connotations that were attached to it by the CIA, despite the fact that conspiracies happen every day, and it gets bandied around constantly in an attempt to discredit creditable people

granted, the author of Dig Deeper may not have all his ducks in a row, but to simply discredit all of his work by applying the “conspiracy theorist” label is rather disingenuous in my respectful opinion

regarding “experts”, none should be blindly trusted

that said, i’m a bit familiar with your work and do regard you as very knowledgeable

1 Like