Hello, Lemmy!
It may be difficult to spend time actively improving some of the services you use to have a more privacy conscious presence, and so this thread is dedicated to help people learn and grow in their privacy journeys! Start by stating which services you currently use, and which ones you may be looking for/want to improve. This thread is entirely optional to participate in, because a lot of people understandably feel uncomfortable listing which services they use. Writing those out can be a lot of work, but the payoff is huge!
Remember these rules:
-
Be respectful! Some people are early on in their privacy journey, or have a lax threat model. Just because it doesn’t align with yours, or uses some anti-privacy software, doesn’t mean you can downvote them! Help them improve by giving suggestions on alternatives.
-
Don’t promote proprietary software! Proprietary software, no matter how good it may seem, is against the community rules, and generally frowned upon. If you aren’t sure, you can always ask! This is a place to learn. Don’t downvote people just because they don’t know!
-
Don’t focus solely on me! Since this happened in another one of my posts, I want to mention that this thread is not designed to pick apart only my setup. The point is to contribute your own and help others. That doesn’t mean you can’t still give suggestions for mine, but don’t prioritize mine over another.
-
Be polite! This falls under “Be respectful”, but be kind to everyone! Say please, thank you, and sorry. Lemmy is really good about this, but there will always be someone.
Here is my setup:
Web browsing
-
I use Tor for using online accounts (such as Lemmy, etc.)
-
I use Mullvad Browser for general browsing
-
I use Librewolf for functionality that Mullvad Browser doesn’t have (security keys, etc.)
-
I use Firefox + uBlock Origin for streaming videos that break on Librewolf and Mullvad Browser.
-
I always use a SearXNG instance for web searches. I always use ProtonVPN (free tier). I use a private DNS resolver.
Desktop
-
I use Secureblue (yes, I’m that guy from a post a couple weeks ago)
-
I sit behind a firewall.
-
I only use FOSS Flatpaks with Flatseal.
-
My BIOS is password locked but proprietary (due to compatibility issues).
-
I occasionally use Tails because I think it’s fun.
-
I use full disk encryption, multiple disks, and a second layer of encryption for specific important files (NSA style)
Mobile
-
I currently use hardened iOS until I can scrape together some money for a Pixel to use GrapheneOS
-
Again, I constantly use ProtonVPN (free tier)
-
I use a private DNS when ProtonVPN is turned off
-
I use AdGuard, but I browse the internet with the DuckDuckGo app (I can’t sideload)
-
I use a very strong passcode
-
Airplane mode is constantly enabled, I don’t have a SIM
-
I use a Faraday bag to store my device when I’m in public
-
I use a privacy screen protector
Messenger
- I mainly use Signal with a borrowed phone number, because SimpleX is still buggy on iOS, and Signal is the easiest to switch friends to. I rarely use iMessage, but there are times when I have to.
Online accounts
-
Passwords are stored in Bitwarden for mobile accounts, and KeePassXC for desktop accounts.
-
Yubikey is placed on any account I can, otherwise 2FAS is used
-
I keep public accounts (Lemmy, etc.) as locked down as I can.
Video streaming
-
I use the native YouTube app on iOS, simply because any of the others I’ve tried either don’t actually work or require a Mac to install. I don’t have a Mac, obviously.
-
I use FreeTube on desktop, but as I was writing this I was informed that FreeTube has a few issues I may want to look into (Electron).
AI
-
I would love to know if there are any Flatpaks that run local LLMs well, but I currently use GPT4All (since that’s what I used a year ago).
-
On mobile, I use an app made by a friend that gives access to GPT-4 and Gemini. Because it’s running off of his own money, I’m not going to share the project until he has a stable source of income.
Social Media
- I don’t use any social media besides Lemmy.
-
I use ProtonMail
-
I have addy.io as an alias service
Shopping/Finance
-
I currently either proxy my online purchases through someone else (have them buy it for me and I pay them back), or use a gift card
-
For physical purchases I use cash
-
I only use my bank account for subscriptions (Spotify, etc.)
-
I am working on using Monero and privacy.com
Music streaming
-
I use Spotify on my phone
-
I use Spotube or locally downloaded files on my computer
-
I have multiple AM/FM receivers with some yard long antennas and direct metal connectors
TV shows
-
I stream from ethical services for some movies
-
I go to a theater or buy a DVD for other movies. I am the proud owner of a USB DVD player.
-
I also have an antenna hooked up to my TV
-
There are certain IPTV services I have used in the past
-
I do not use a smart TV.
Gaming
- I download local games, plain and simple. Or I code my own game.
Programming
-
I code in Python using PyCharm. I’m looking for alternatives.
-
I will use GitLab when I decide to publish some of my work.
Productivity
- LibreOffice, although the UI is iffy
Misc
-
I don’t use any location services
-
All my clocks are set to UTC
-
I don’t have a smart watch
-
I don’t have a smart car
-
I use Bluetooth earbuds
-
I cover my webcams with paper and tape. Reason: It’s worth taking a couple seconds to peel tape off when you use the webcam than to risk a massive breach.
Thanks for reading!
Note here: I found out the other day that a Google Streetview car passed by my house, and my blinds being shut were the only thing keeping my room away from prying eyes. Is there an easy way to blur/censor my house without giving up my soul?
Special thanks
Lots of people kindly contributed their personal setups in the comments, and some even made their own posts! I’m really glad I could spark inspiration and start a way for people to learn and grow in their privacy journeys. To think, just this morning, I was stressing on if people would even enjoy the post at all! Thank you all again, and please go forward to inspire others. I am not the person who made this happen, all of you are!
Glad to see you use cash. It’s often forgotten in privacy advice, despite being one of the most importants.
My main issue is with change. Sales tax means I get funky prices, like $2.37, so I get lots of small change. If prices were rounded to the nearest quarter, I’d use cash a lot more.
I keep a jar in my glovebox. My local grocery store has cash-based self checkout registers with a spot to input change. Whenever I go, I grab a handful of change and dump the lot into there. It usually takes like $3-6 off my purchase with some change left over. But it’s an easy way to keep the collection low.
Keeping change in the car is a decent option. If I only need to carry change to/from the store, that’s really not so bad. I’ll consider it.
Most of my money is spent at Costco (they obviously have my data anyway) and online (virtual cards FTW). So it’s really just my grocery store and a handful of other local stores that I’d need to worry about, all totaling ~$100/month (Costco is ~10x that). It would still be nice, especially now that my local grocery store has been bought out by a statewide chain.
deleted by creator
When I say Costco already has my data anyway, the only way around that is to not use Costco. To buy anything there, I have to either scan my membership card or use a Costco gift card, paying with cash just limits the info my credit card company has since Costco would have it linked to my account. To get a Costco gift card, I need to use my membership card, so it’s already linked. I suppose I could use the gift card to reduce the likelihood that they associate the purchases with my account, but they could assume I’m using the cash card myself if I establish a pattern.
So I just accept that Costco knows my spending patterns. I think that’s reasonable, given the benefits that Costco provides:
- awesome return and warranty policies
- great prices
- high quality products
Costco has also never given me a reason to distrust them, so I make don’t see a reason to go out of my way to limit what they have access to. If I didn’t trust them, I wouldn’t shop at their warehouse.
The grocery store is different though. I don’t trust my local grocery store because they have no obligation to keep me happy aside from my going to their competitor, who is part of an even larger chain. That said, I spend very little at the local grocery store, so it’s not a lot of information.
The old jar full of change at home is how most people handle this.
It’s normal to have some change. Theres a famous movie, reservoir dogs maybe, where a cop has to blend in and scoops some change up off his nightstand and considers its weight before he stuffs it in his pocket.
Part of privacy is anonymity and one aspect of security is obscurity. Look normal, carry change.
Carrying change isn’t normal these days, at least in the US. And it’s not something I want to do anyway.
If we had a law that advertised prices must include sales tax, I’d probably use cash again because stores like to advertise simple prices. In the current situation, a $1 item would actually cost $1.08, so I would get $0.92 in change. I rarely go to multiple stores in a given day, and I’m not going to carry change just in case I happen to buy something that day. I do have a change jar, but I almost never use it because change is a hassle.
I’ve considered using gift cards, but the reloadable ones still require your name and the non-reloadable ones are too much of a hassle and too expensive. I do have one reloadable store gift card for a grocery store, but that’s it. Unfortunately, the only options for in-person digital payments are Google Pay, Samsung Pay, and Apple Pay, and I think those are each worse than paying with a credit card (now Google, Samsung, or Apple have all my payment information).
So, I just live with stores being able to track my purchases at their store. It’s not ideal, but at least there’s no one central institution with all of that data (and I use and rotate multiple cards).
That’s weird. I’m in the us and it’s normal to use change or cash. The vending machines all take it, stores all take it. You gotta prepay for gas but whatever. There’s special self checkout registers festooned with cameras that you can’t use but idk if you’d want to go through one of those anyway.
No worries if you don’t want to, but I haven’t seen any weirdness around it.
What are you worried about with the existing cashless payment options?
The vending machines all take it, stores all take it.
Vending machines are reasonable because they’re almost all in increments of $0.25, except a handful of weird ones.
And yeah, I could pay in cash at most stores, but then I’d have a pocketful of change. Much of the time, I’m riding my bike when I go to stores, so now I’d need to carry change as well on my bike, which is really uncomfortable.
What are you worried about with the existing cashless payment options?
- Google Pay - Google would know my transaction history, and I don’t trust an ad company to have that info
- credit cards - my name is transferred along with my credit card number, so they can track me across cards and look up my address (I own my house, so my name is associated with my house as public record)
- Samsung/Apple Pay - only available on Samsung/Apple phones, which I’m not getting
- PayPal - I’m apparently banned (I think my account was compromised, since I’ve never sold anything and haven’t made a purchase in 15+ years)
- Venmo - have to use their physical card, which likely has the same problems as credit cards
I’d really like to switch to a Linux phone once they are daily driveable (just need MMS, decent audio, and all day battery life), and Google Pay et al aren’t compatible with that.
I really wish virtual credit cards were usable at the POS, which would allow me to change the name and switch the card number periodically.
That said, credit cards have a decent trade-off. I spend relatively little at physical stores (except Costco, but they track everything anyway), and I can use virtual cards numbers online, so my exposure is relatively small, and I get purchase protection and chargebacks as an option.
If cryptocurrencies weren’t so volatile and we’re accepted in more places, I’d totally use it.
If you’re worried about your name being given at checkout and being stored and indexed by the merchant or the processor, you’re on the money about credit cards. They have a name associated with them every time like clockwork, it’s how the system is designed and it’s absurdly hard to get gift cards without receiving them as gifts or having people make straw purchases (yes, when pursuing financial crime the police use the same terminology as guns).
Some kind of device tied nfc might work, but the merchant still gets your id along with the transaction.
If you could get okay with apple devices id say that’s the contactless option that helps you the most in the situation you’re describing. But it doesn’t do you any good if you’re not on the devices.
There is an unexpected solution though…
You could always set up a corporate structure that you use to make purchases through. I’m not a lawyer, but something with a principal agent that’s not you but has you and or others as officers would let you buy stuff with a card and not have your name exposed to merchants and processors.
Now there are paperwork requirements and you’re opening yourself up to investigation by your state and federal authorities, but there are often enough kinds of local pass through entities that you can do a low key fake sort of money laundering through them.
Such a thing might seem antithetical to a privacy focused person, but consider that the wealthy use different corporate structures to hide the origin and disposition of their funds all the time. If it didn’t work it wouldn’t take incredible amounts of resources to prosecute.
corporate structure
I actually had something like this when I was contracting, and I know you can legally set up a trust for a family, just not sure if that’s enough to justify funneling expenses through.
Good idea though, I’ll have to think about it. I’d like to keep things legal because, unlike a rich person, I don’t have the resources to drag things out in court if someone (say, the IRS) wants to investigate me.
My local gas station charges extra for using a credit card
I like to use cash. Used it all the time. But now I’ve fallen for the bank-card convenience… (especially self-checkout counters).
I’ve been considering to start using cash more again, but also I’ve noticed a bunch of places that don’t take cash anymore :/
I stream from ethical services for some movies
What are these ethical movie streaming sources?
Is there an easy way to blur/censor my house without giving up my soul?
Have you tried this process? https://mashable.com/article/how-to-blur-your-house-on-google-street-view
Don’t do this or your house will become part of a conspiracy
deleted by creator
What are these ethical movie streaming sources?
Netflix, Amazon Prime, places that host copyright free movies, etc.
Have you tried this process? https://mashable.com/article/how-to-blur-your-house-on-google-street-view
I have not, thank you!
I’m curious what makes Netflix or Amazon “ethical”, and what you’re comparing them to? Are you just meaning not piracy?
Are you just meaning not piracy?
Yes.
Removed by mod
Very nice read, I look forward to posts with detailed explanations of realistic privacy setups!
With that said, here we go:
- TOR has been compromised. It likely doesn’t matter if you’re not doing anything that nations would be interested in, but something to keep in mind.
- True nerds/privacy hobbyists always have multiple browsers for different use-cases. Bravo! I need to take a look at Mullvad myself, I really don’t like Brave anymore.
- Do you host your SearXNG instance? It should not be very hard to do on the cloud.
- Which DNS resolver? I’m assuming this is upstream to your Adguard setup, which means the latter acts as the recursive resolver in your setup, if I understand correctly.
- Didn’t hear about SecureBlue before this, good distro in theory. Thanks.
- Ever thought of getting a 10-year old Thinkpad yet to get rid of that pesky BIOS? \s
- Do you have DoT and DNSSEC set up for your “private” DNS? Also, is this something like Quad9?
- With the combination of flight mode and a Faraday bag along with not having a SIM, I’m assuming that people don’t reach you using traditional means (calling). How do you stay in contact with others?
- Define “locking down” of public accounts.
- I have been thinking of AI for a bit, and you can get a P40 with 24GB VRAM for about $100-$150 on Ebay. Put that in an old computer and fight with licensing for a bit (Craft Computing has a good video on getting VFIO working on Nvidia cards by tricking the software) and you’ll have a great setup for AI.
- I’d stop with the subscriptions and start sailing the high seas, personally, but I understand if the sentiment does not sit well with people here. Piracy simply gives you more control and privacy. Look at LocalMonero to try and get monero without leaving a trace (directly converting fiat to XMR and exchanging for gift cards online after churning).
- You must be using an old TV, but if you really need to purchase a new TV at some point (and it’s very likely to be “smart”), you can simply disconnect the WiFi antenna from the back of the device. If you’re really good at embedded systems, you could find the flash chip that holds the BIOS/OS of the TV and remove it (and edit the boot sequence) or flash it with something else. This is true for everyone who has a smart TV.
- Holy shit this guy programs games to play them what a chad.
- Please switch to Codeberg, Gitlab is annoying.
- How do you coordinate local time with other people if your clocks are set to UTC?
That was a lot. Thanks for reading!
Please proof for “tor is compromised”
Here’s a good document that goes over most of the issues with Tor and provides some tips at the end for how to mitigate issues.
- Yup, here’s a good article about it - TL;DR - it can be useful, but you need to be careful
- I use Brave for testing my work stuff on Chrome; Firefox w/ Container Tabs for pretty much everything else
Piracy simply gives you more control and privacy
True, but I’m also morally against it. I’m not too worried about a game platform knowing what games I buy though, so I just stay away from cloud-based games and call it good.
disconnect the WiFi antenna from the back of the device
I’ve been thinking of putting mine on a DMZ. Do you think that’s sufficient, or is there documented evidence of TVs connecting to free Wi-Fi automatically? I suppose I could run a cable, but I will need some way to connect my streaming server to my TV (I suppose I could throw a Raspberry Pi behind it).
Codeberg
I’ve heard about it, good call-out.
A few notes on the article
-
The article is 3 years old
-
One type of attack, for example, would identify users by minute differences in the clock times on their computers.
This is unreliable, I would like to see how exactly it was done.
-
It references some exploits that have been patched
-
One of the points mentioned is simply “He was the only one using Tor on the network at the time”, which still didn’t deanonymize him from Tor’s perspective.
-
Anybody can operate Tor nodes and collect your data and IP address
Anyone can operate a node, nobody can collect your decrypted data, because of E2EE. Guards can see your IP address, which is why you can use a VPN behind Tor.
I stopped skimming after that. Anyone who wants to continue can, but I’d say the article is mostly stale.
I believe the exploit was done at scale; the government had bought massive compute power from cloud providers to run TOR nodes and thus were able to track information flow (if you have the majority of nodes under your control, you can mathematically trace connections with their metadata across the TOR network).
I haven’t kept up with the news but it’s a safe assumption that they have the funds to keep doing this for perpetuity.
This is unreliable, I would like to see how exactly it was done.
As would I, but the FBI is unwilling to release details. They also can’t be trusted, but I have to assume that there is a legitimate attack here.
exploits that have been patched
The point of this article is to make it clear that just using Tor isn’t a solution in itself, you need to be aware that using it makes you stick out, and that there are attacks that can make you more vulnerable.
If you pair a VPN with Tor, you avoid a lot of the issues.
stale
Do you know if the funding issue is resolved? The article claims Tor is funded 90-100% by US Intel agencies. That’s a pretty massive conflict of interest, and the article points out specific incidents where authorities were notified of bugs before the public. That’s pretty normal security procedure, so the concern is if state level actors are able to delay fixes to get their exploits updated first.
If their funding is more diversified now, I’d be much less worried.
The document does not make clear using Tor is not a solution itself. It uses wrong statements, things that aren’t related to the topic and so on but on the other hand, they state (and so did you) Tor ‘is compromised’. That is not a ‘good’ document. It had some vibes of beging written by a competitor.
(And I do not say using Tor is safe or not I simply do criticize your source)
What’s not related? I thought that document was pretty clear and detailed. For example:
- Tor is largely funded by the US government - this has gotten better and is down to 38%, but they’re still the largest donor - not a big problem, but there may be a conflict of interest here
- FBI doesn’t need a warrant to monitor Tor, whereas the do to monitor sites/ISPs
- many exit and relay nodes are run by state actors
So you can’t just blindly use it and expect to stay anonymous, you need to take certain precautions. I think “compromised” may be a bit strong, but it does get the point across.
Do you know if the funding issue is resolved?
I do not.
I checked, and it seems the US State Department is 38% of funding as of 2021 fiscal year, which is a lot better, but they’re still the biggest donor. So the direction the project is going is good.
-
Agreed on stopping subscriptions. Don’t use Spotify.
Do you host your SearXNG instance? It should not be very hard to do on the cloud.
No, that’s fingerprintable (i.e. Google can see which API key you use to correlate traffic)
Which DNS resolver?
Currently NextDNS, may switch to Mullvad DNS soon
Didn’t hear about SecureBlue before this, good distro in theory. Thanks.
It’s certainly different from others, I would read up on what Atomic distros are
Ever thought of getting a 10-year old Thinkpad yet to get rid of that pesky BIOS? \s
I know that was sarcastic, but when I have the money I will be purchasing a QubesOS certified laptop.
Do you have DoT and DNSSEC set up for your “private” DNS? Also, is this something like Quad9?
I don’t know how. And no.
With the combination of flight mode and a Faraday bag along with not having a SIM, I’m assuming that people don’t reach you using traditional means (calling). How do you stay in contact with others?
Through Wi-Fi (messaging apps). NBTV has a video on how to “survive” without cellular
Define “locking down” of public accounts.
Turning as much as I can private, using fake emails, disabling telemetry, etc.
I have been thinking of AI for a bit, and you can get a P40 with 24GB VRAM for about $100-$150 on Ebay. Put that in an old computer and fight with licensing for a bit (Craft Computing has a good video on getting VFIO working on Nvidia cards by tricking the software) and you’ll have a great setup for AI.
Thank you! My GPU runs AI fine, I’m more interested in certain apps that provide open source models.
I’d stop with the subscriptions and start sailing the high seas, personally, but I understand if the sentiment does not sit well with people here. Piracy simply gives you more control and privacy. Look at LocalMonero to try and get monero without leaving a trace (directly converting fiat to XMR and exchanging for gift cards online after churning).
I plan to move away from Spotify (my only subscription) when I get GrapheneOS
You must be using an old TV, but if you really need to purchase a new TV at some point (and it’s very likely to be “smart”), you can simply disconnect the WiFi antenna from the back of the device. If you’re really good at embedded systems, you could find the flash chip that holds the BIOS/OS of the TV and remove it (and edit the boot sequence) or flash it with something else. This is true for everyone who has a smart TV
Something I will deal with when laws force me to upgrade ;)
Holy shit this guy programs games to play them what a chad.
😅
Please switch to Codeberg, Gitlab is annoying.
Why?
How do you coordinate local time with other people if your clocks are set to UTC?
Math. Add or subtract the offset. Or ask what time it is. My (non-smart) watch is set to the correct time, however.
Tor has very much not been compromised. Don’t believe what the glowies tell you
Do bitwarden and KeePassX share the database or do you have it separated for some reason? Why don’t you use something keepassx compatible on the phone?
Does iOS have a good KeePass option?
I have them separated to reduce attack surface (and because I’m lazy)
Strongbox or in your case probably Strongbox Zero. Costs a pretty penny but well worth it in my book.
Thank you, I’ll check it out!
I use KeePassium
Strongbox (OSS, but paid) is pretty good
Thank you, I’ll check it out!
Thanks for the post!
Here’s some of the things I do:
- browser - Firefox w/ uBlock Origin and container tabs; I’m not worried about my ISP since it only operates in my city, so it’s unlikely they’re selling my data
- desktop/laptop - OpenSUSE Tumbleweed w/ full disk encryption, basic firewall, etc
- mobile - currently Motorola Android, will be getting a Pixel soonish to get GrapheneOS
- messenger - rarely use, but when I do, it’s just SMS w/ my wife and family; work is Slack/Teams; I’d like a replacement, but it’s hard getting people to switch
- online accounts - Bitwarden; will be self-hosting the data soon
- video streaming - NewPipe on Android, YouTube and Twitch with ad blocking on desktop
- music - mostly FM radio in my car, YouTube with ad blocking occasionally at work
- AI - hard no
- social media - lemmy
- email - Gmail (gasp!); switching to ProtonMail on my own domain soon (have an account, just haven’t gotten my contacts switched over
- shopping - occasionally Amazon (no Prime) and Newegg, mostly at Costco and the local grocery; mostly on credit card because dealing with change sucks
- TV shows - Netflix and Disney+ subscription; been using DVDs and digital backups more recently
- gaming - Steam and Heroic (for GOG and EGS)
- programming - neovim for Python, JavaScript, and Rust, VSCode at work for Typescript (our codebase is a massive mess); been using Gitlab mostly for personal stuff, on-prem Github at work
- misc - I use an Enterprise router, and have played with putting a subnet on a VPN (soon) and DMZ; I use a lot of Google Sheets, so need an alternative
So I still have a ways to go. Current priorities:
- eliminate Gmail - mostly just need to ask my family to use my new email, and set up some forwarding rules
- alternative to Google Sheets - probably LibreOffice Online with NextCloud or something; it’s going to be tricky because I use it for stock quotes (
GOOGLEFINANCE()
rocks) and transaction tracking (Tiller integration) - home automation - I want an Alexa alternative for playing music; my kids have been asking a lot, and it seems willow might be good enough; if I can get that working, I’ll try automating other things too
I also want to play with mobile Linux, so I might pick up a Pinephone to mess around with. It’s not quite ready to replace Android for me, but maybe I can help get it there.
I’m not worried about my ISP since it only operates in my city, so it’s unlikely they’re selling my data
Websites can see what your ISP (or IP address) is, and geolocate you based on that. Also, even small ISPs sell data, and being small is all the more reason to do some sketchy things to grow the business.
I’d like a replacement, but it’s hard getting people to switch
I hear that. The easiest thing you can do is try to convince people closest to you to move to something at least a little more privacy respecting. Signal (Molly is a hardened version) has been easiest for me to convince people with.
YouTube and Twitch with ad blocking on desktop
Try Invidious or Piped! It’s not for everyone, but it’s worth trying! Also, you should think about adding SponsorBlock to your setup, in case you didn’t know about it.
AI - hard no
Fair.
Gmail (gasp!)
😱 B-But!!1 /s
I want an Alexa alternative for playing music
Would love to hear the alternatives people have! Keep me posted :)
Yeah, the geolocation thing by websites is an issue, but most sites just guess the region (from the IP range) and not my specific city, so I don’t think most associate the two. I’m behind a NAT at my ISP, so there’s nothing to uniquely identify my house.
That said, we’re getting municipal fiber installed soon (next year or two), and I don’t know if I’ll be behind NAT. I’m guessing I won’t (which is good), but that also means I’ll need to put most of our traffic through a VPN or something. I’ll probably pick one in my metro area, at least until I get replacements for all of the creepy sites I use (e.g. I don’t want restaurant search results for New York or California if I don’t live in either).
Signal
Yeah, just need to get my wife to switch. Getting my parents and siblings on as well may be difficult, but I’ll see what I can do.
SponsorBlock
Honestly, sponsorships don’t bother me. They don’t violate my privacy like ads do, and the people I watch are very respectful with how and when they do it (e.g. one is always at the end, others are always at the start). I would rather just drop channels that don’t respect my time than block their nonsense.
I’m considering moving to Nebula and Odysee, but only a few of my favorite channels are there, though maybe there are decent alternatives.
Alexa alternative
Keep me posted!
Absolutely! I’ll probably make a post once I have time to mess with it and get something working. The intent is to play music on-demand, and here’s my plan:
- Willow for speech to text
- Script on my NAS to turn commands into actions (maybe Home Assistant can help?)
- Some hacks to play YouTube video audio for whatever the song is on some audio output
- Stereo system per room that streams audio from Home Assistant (stuff from YouTube)
The first two should be pretty straightforward, the third is a bit tricky, and the fourth will require some hardware. But once I have things working (assuming it gets to that point), I’ll post about it here. Step 3 would be easy to replace with any other audio source, like a private collection or some other web service.
Thanks for sharing! Most IP addresses are specific enough to locate cities by themselves, just a note.
Yes, but the likelihood of a service doing that is relatively low. Even in the worst case scenario, they’d know my city and ISP, but not be able to track that to my house.
So it’s bad, but not “uniquely identify me” bad. I do sometimes see “local stories in <city>” nonsense in news articles, so it’s certainly something I need to fix.
Alright, so:
When you visit a website without using a VPN/Proxy/Tor, the website can see your public IP address. That public IP address is unique (with exceptions I’ll get to in a moment) to your home router. NAT means that each device connected to your router (Wi-Fi) has a local IP address, hidden to the website, but your routers IP is still unique to the website. That means that, even if you switch devices, if you visit a website using your home network the website knows that it is your Wi-Fi and not somebody else’s. That means that you can get tracked across websites just by correlating public IP addresses. Ads can see this IP address too. The public IP address by itself is enough to narrow down your location to the exact city, in most cases. So, when you visit a website, the website knows
- The city you live in
- Can correlate your public IP address (ad networks usually do this, not the website itself) to all the other websites you’ve ever visited
If your ISP uses dynamic IP addresses, that means your public IP address changes every month or so, so that #2 only has a history of about a month. CGNAT (Carrier-Grade NAT) means that multiple routers share the same public IP address, which removes #2 altogether. This still lets websites know the city you live in, but it reduces mass internet surveilling.
I may have gotten a few minute details a bit off, but that’s a basic shake down of how it works. TL;DR: Your IP can uniquely identify each of your devices if you don’t have NAT, your router if you do have NAT but not CGNAT, and the city you live in. Find an ISP that uses IPv6, dynamic IP addresses, and CGNAT, and use a elite proxy, free VPN, and Tor with a private DNS for maximum privacy.
I’m familiar with networking, with not an expert.
Here’s how my network is:
- ISP - static public address (doesn’t change)
- Router - static 10/8 addr (Ethernet at the curb); no DHCP
- Computers - 192.168 subnets with DHCP
So websites would only get that public address for the ISP. They can still get my city through my ISP’s address, but they can’t uniquely identify me from the address alone.
So yeah, sites will know the city I’m in, but they can’t uniquely identify me. So while I feel like I should use a VPN, I’m not that worried about it.
We’re getting municipal fiber soon (sometime in the next two years), so I’m guessing this setup will change. I’ve already played with configuring a VPN on my network (failed at tunneling IPv6 over IPv4), so I’ll probably work on that sometime this year as I’m preparing for the upgrade (also running cable, reconfiguring VLANs, etc).
I need to read up on NAT and CGNAT, I’ll reply again tomorrow. Cheers!
“My BIOS is password locked but proprietary (due to compatibility issues).”
“I use full disk encryption, multiple disks, and a second layer of encryption for specific important files (NSA style)”
I recommend switching to Libreboot, I’ve recently helped add support for the Dell Optiplex 9020 MT, and will soon add support for the Dell Precision T1700 MT. Libreboot allows for full disk encryption, including the automatically encrypting the /boot partition during installation of an OS. I use RAID 0 with 3 disks (LUKS and LVM) on my desktop, with my /boot unencrypted stored on a SD card so I can easily toss it whenever.
For gaming, I’ve had success using Proxmox to play games like GTA V and Rainbow Six Siege through a VM, even passing through NVIDIA drivers (though I plan to switch to AMD). Although, currently the Haswell boards (9020MT and T1700MT) can’t use IOMMU correctly so I recommend using the T1650 for passing through your GPU to a VM. Beware though, the T1650 board can’t be freed entirely in the BIOS I believe.
Also, updating your CPU microcode can help avoid potential performance issues. If you’re concerned about security, consider GPG signing your kernel with Libreboot GRUB for an additional layer of verification at boot.
If you’re concerned about security, consider GPG signing your kernel with Libreboot GRUB for an additional layer of verification at boot.
Hey! I had no idea that was possible. I usually encrypt everything but /boot, because it’s easy that way.
I don’t have a “threat model” of someone puting malware in /boot while I’m away of the computer. But it would be nice to know how to prevent that.
Do you have a link of a guide or tutorial for that?
I am currently in the process of researching Libreboot. Have you had any concerns or problems when using it? Thanks!
I will use GitLab when I decide to publish some of my work.
I’ve used GitLab for my own stuff (such as it is…) too, but I’ve heard that lately it’s fallen out of favor and… Codeberg, I think…? is the new hotness.
Also, the gold standard is probably a self-hosted Gitea.
deleted by creator
Ouch! Sorry that happened. I will take that into consideration. Thank you!
My own setup from the top of my head would be:
- Browser: Mullvad with Mullvad VPN, LibreWolf for stuff that breaks. Brave if I really have no other choice.
- Phone: Pixel with Graphene, main profile is Google-less, second profile with Sandboxed GServices for apps that don’t work without it but I need them, downloaded through fresh gmail profile. Third profile linked to my old gmail with credit card for the two apps I bought and sometimes need to use.
- Mail: I use Protonmail, with my own domain that sounds vaguely corporate. I have a catch-all address, and generate random [email protected] addresses for each service.
- File storage: I have a NAS, that I use for most file sharing I need.
- Music: Jellyfin server with Headphones and redacted.ch account, and I also make sure to support artists every month by spending what would be my Spotify subscription price on Bandcamp albums
- Desktop: I run Nobara, too lazy to run QubesOS - plus I game a lot, so it would be infeasible. I mostly try to get stuff on GoG and back it up on my own NAS. I have a ZeroTier network set up for streaming through Sunshine/Moonlight when I need to game from a laptop.
- VPN: I use Mullvad paid for with Monero, because it plays nicely with the Mullvad Browser fingerprint.
- Home automation: I have a few basic stuff made for Home Assistant that is running on RockPI I have at home, everything local and without any cloud, mostly through ESP32s.
- Messaging: This is the one I hate the most - most of the groups I’m working with or volunteering for use Messenger, so I have a Matrix server hosted that bridges it and Discord. It’s not ideal, but better than having anything Meta on my phone.
- Payments: This one is the one I’m struggling with the most. I pay by card almost everywhere, because cash is so much effort. I’ve tried looking into crypto or prepaid cards, but it’s really hard to find anything without KYC in Europe, so I’ve given up. I’m looking for advice regarding this, but I’m afraid that aside from switching to cash I’m out of luck.
- Passwords: I just use Bitwarden with YubiKey setup, same as using YubiKey for every important MFA I can. I have two backup keys stored at home, so I don’t need to use other recovery methods that would render it useless.
Nice setup! I think I’ll maybe make one of my own!
I have a few questions, though:
- How did you set up your firewall? What did you use and what rules do you have in place?
- How did you harden iOS? I have read up and implemented a number of basic settings to reduce tracking, and NextDNS blocks the rest, but I wouldn’t consider my current iPhone “hardened”, per se.
-
Since this is a fresh install of Secureblue, I have the default rules in place. I will eventually take a day to crack down and find out what rules I want.
-
This explains now to harden iOS
-
Thanks for letting this inspire you to make your own!
- I see. Guess I’d better load up a guide and get ready to break my internet!
- Lovely. Running on Lockdown Mode now, and it’s actually not that bad!
- Thank you! You can find my post here.
Running on Lockdown Mode now, and it’s actually not that bad!
I have only had issues with it twice, been using it for a year
-
Images on a website wouldn’t load (for security reasons)
-
Some apps break, but you can disable it per-app
-
-
What is the logic beging UTC clocks (assuming you aren’t in a UTC time zone)? Less fingerprinting?
Yes, the purpose is for less fingerprinting in case my browser doesn’t spoof it properly.
spoiler
asdfasdfsadfasfasdf
This is a good guide on how to harden iOS. Basically iOS made as private as possible.
spoiler
asdfasdfsadfasfasdf
Tip, FreeTube is fine, but as you say, certain difficults with some Videos. Because of this, I have specified SMplayer (MPlayer engine) as an external player in FreeTube, this way, if a video does not work in FreeTube, just click on the small rectangle at the bottom left of the thumbnail, so that the Video opens in SMplayer, which practically works always.
If you visit YouTube directly, there is a simple trick to convert the Video into embedded, that is, the video is opened as such in a tab, without going through the YT page. This also avoids a lot of trackers and ads, as well as unnecessary loads (thumbnails, comments, suggestions and other crap).
Simply edit the URL
https://www.youtube.com/watch?v=xxxxxxxx
to
https://www.youtube.com/embed/xxxxxxxx
Simply edit the URL
Thanks for this! It’s a trick I learned a long while back but have since forgotten. Good reminder!
It can be done automaticly with a small script of few lines, like this one (use with Violentmonkey or Greasymonkey). The only drawback is, that are some (few) videos in YT have desactivated embedding, in this case appears a message to watch the video in YT
Thanks! I’ll check that out
Few recommendations from the top of my head, from skimming the post.
I’d recommend checking out QubesOS (https://www.qubes-os.org/), especially since it seems you switch between ToR and already use Silverblue, which is AFAIK similar, but why not go all the way in?
Also for VPN - I’ve switched Proton for Mullvad VPN, because I really like the idea they are going for - if you pair Mullvad browser, that is designed to have the same fingerprint for all users, with a VPN that’s from the same company, you can kind of expect that most of the Mullvad VPN users will also be users of Mullvad Browser. Which means you will not be one of the few Proton VPN users with Mullvad fingerprint, but will have the same fingerprint as most of other users of Mullvad VPN. This will make it harder to fingerprint you based on your browser. One word of warning, though - don’t install extensions to Mullvad. If you do, you break the “same fingerprint” premise, and the more extensions you install, the more identifiable you are. Mullvad should be used without any extensions.
Another thing I see is music streaming - I think that in general I’d recommend just getting a cheap laptop/NAS and run your own Jellyfin, and slowly start building your own music collection. You can also run Matrix server as a bonus, and bridge all your communication (including Signal, even though that may not help that much) - but it does help if you need to use some kind of service, i.e Messenger, for group or work related purposes.
My approach to music was to cancel my subscription, and then use the money I save to spend on albums on Bandcamp, so I still support the artists I want. I make sure to do that every month. Since there’s just wast amount of music to get, I use Headphones with an account on redacted.ch to fill my library, but I still make sure to buy albums I like even if I already have them downloaded. The added bonus is that you actually don’t loose any of your music, if the artist decides to pull it off the streaming service, which has aready happened to me several time.
If you want hosting your own LLM, take a look at https://refact.ai. But note that it’s not really cheap, I’ve recently upgraded my computer and decided to use my NVIDIA 1060 to run refact, and it still didn’t work well - 8Gb of GPU memory is borderline usable, and I couldn’t do the finetuning.
Thanks for these recommendations!
but why not go all the way in?
I’ve tried Qubes in the past, and I’m not ready to tackle the learning curve yet. I want Secureblue to be the bridge to learning Qubes first.
I’ve switched Proton for Mullvad VPN, because I really like the idea they are going for
I’ve considered using it from a fingerprinting perspective, but I don’t have the finances to switch yet.
I think that in general I’d recommend just getting a cheap laptop/NAS and run your own Jellyfin, and slowly start building your own music collection.
Oh?
If you’re reading this and on ios, go do the safety check.
It whips ass and makes a lot of stuff easier to understand.