RFI: Personal information security - Apps, devices and practices



schüler
05-07-2018, 05:11 PM
I am interested in any tool, device and best practice suggestions regarding security of Internet and personal communication. Best bang for the buck for the layman.

I'm under no illusion of being able to completely step away from popular Operating Systems, Google, social media, etc. Nor am I looking to sandbox 'n darknet all the things. However I'd like to limit Terms Of Service-defined spying, e-mail mining, etc. Just because I can.

I've made changes to the services and tools I use for Internet and other communication. E-mail provider, browser, search engine, VPN availability, cloud storage/backup, device encryption, firewalls, phone service provider, etc.

Give me your boilerplate or your special sauce like Purism (https://puri.sm/) devices and Silent Circle (https://www.silentcircle.com/) applications.

Gracias.

Guerrero
05-07-2018, 08:37 PM
Proton VPN, maybe as a start.

schüler
05-07-2018, 09:49 PM
Proton VPN, maybe as a start.

Aye, I am using ProtonMail and VPN. Side benefit is a workaround for "this content is blocked in your country".

Chance
05-07-2018, 10:09 PM
It sounds like you've already hit all the considerations that are practical for most folks.

I'd have to do serious research into hardened hardware before dropping money on something like that. When you hear a company claim they have the most secure phone in the world, then you learn the company is based in the UAE, you think, "...Right."

holmes168
05-07-2018, 10:11 PM
I use the Signal app for text - from what I read it’s still remaining secure.
I use Dashlane to pick out random passwords.

Grey
05-07-2018, 10:12 PM
Run signal for messaging


overton
05-08-2018, 01:10 AM
Listen to the "complete privacy & security podcast" and knock yourself out.

schüler
05-08-2018, 09:47 AM
Thanks guys, that's good stuff.

I need to get my phone security in order. If I needed a new phone I would entertain a new "clean" OS device but my Android is fine for now.

Rooting is a given. My rooting options for the AT&T-branded and -bloated phone were nil until someone recently figured a way to retrograde to get around the AT&T blocks. I'll practice the basics on an older Android phone.

In the interim I'm using NetGuard to restrict communication. On AT&T it would cause me to run over a 15GB limit in less than a week; the AT&T config calculated blocked/retry data as sent data and appeared to double-count actual sent data. I moved to MVNOs recently (thanks, Tom_Jones) and NetGuard works just fine now.

Clusterfrack
05-08-2018, 06:06 PM
I use LastPass.

Radar Love
05-09-2018, 10:07 AM
I use LastPass.

Password managers are a good idea, I'm currently using KeePass (though I'm not technical enough to compare the two)

My school has no concept of infosec (they don't even encrypt wifi...) so to get some degree of security there I have a subscription to a VPN that I chose because it was the lowest price option that integrates well with my phone and laptop. It's not the most secure service out there but it's all about trade offs.

I also spent some time searching for myself and found a bunch of my personal info listed on whitepages even though I thought I had it removed. I was cross listed with some other family members and whitepages made it unnervingly easy to figure out where we all lived. Something to keep in mind also.

schüler
05-09-2018, 11:25 PM
TL;DR - if you read nothing else, please visit thatoneprivacysite.net (https://thatoneprivacysite.net/) and look at their VPN (https://thatoneprivacysite.net/vpn-comparison-chart/) and e-mail (https://thatoneprivacysite.net/email-comparison-chart/) service comparison pages. The Excel spreadsheet link lower on the page is HIGHLY recommended. Not only is it easier to view... it lists the specific reasons for the good/bad ratings.

-------------

When it comes to privacy you can pay twice. You get what you pay for... and you pay the price for not researching what you pay for.

My subjective goals: I want services that have decent compatibility and reasonable inconvenience. I am not looking for Cheyenne Mountain Complex-level protection for black hat activities. Just a good privacy plan and tools worth the learning curve and hassle. At this point I am only running Android and Windows on a daily basis.

Here are my notes and choices.

E-mail provider


Best comparison of alternative/privacy e-mail providers is this e-mail comparison (https://thatoneprivacysite.net/email-comparison-chart/). Stellar.

My choice
ProtonMail (https://protonmail.com/) paid account. A simple, direct user interface. One web login for all e-mail addresses. Ability to use 3rd party e-mail client and separately access each Proton e-mail address. Dedicated apps or “bridge” for Windows, MacOS, iOS and Android. Encryption keys can be retrieved. Available dual authentication for online login - requires your choice of one of several 3rd party apps running on a separate device (such as your phone) to receive a second, generated authentication code.

Inconveniences
1. Thunderbird, MS Outlook and Apple Mail are the only supported desktop OS e-mail clients.
2. Desktop OS requires a background process “bridge” from Proton. Step-by-step instructions on website.
3. Calendar sync works if you use Tbird/Outlook/Apple Mail. However there is NO external calendar support (Google Calendar, Outlook Calendar, CalDAV, WebDAV, etc.) if you only use the web interface.


Web Browser


Desktop computers
Firefox (https://www.mozilla.org/en-US/firefox/new/) for daily use convenience. While it is not ultra secure, privacy is one of the developers' core considerations. Firefox is widely supported by major add-ons and extensions such as LastPass, AdBlock, etc. Open source allows quick patches from a huge community. Default settings require tweaking for best privacy.

Epic (https://www.epicbrowser.com/) browser is arguably the most secure mainstream option. However it completely deletes history and browsing trails on app exit. There is a limited range of add-ons and extensions but LastPass is supported. You may gain some browsing speed due to blocked data mining scripts. You will have issues with sites that require ads and data mining to display content.

Android devices
Firefox Android for standard use. Chrome is disabled unless I can’t view content on Firefox.

Firefox Focus is the Android version of Epic desktop browser – except it doesn’t even store login info. Everything is erased on app exit.

Compatibility Note
I have found some of my work and home network-connected devices (new and legacy) require Internet Explorer, Edge or Chrome in order for me to access them directly or configure them for the first time. You can make these browsers a great deal safer by running them inside the Sandboxie (https://www.sandboxie.com/FrequentlyAskedQuestions) app.

Search engines
Not as good as Google, but good alternatives are DuckDuckGo (https://duckduckgo.com/) and Qwant (https://www.qwant.com/).


VPN


The premier VPN comparison resource is this VPN chart (https://thatoneprivacysite.net/vpn-comparison-chart/). Excel sheet link is best. Interesting to see how the zdnet, pcmag, etc. top recommendations stack up (or don’t and why they don’t).

Choice
Proton VPN (https://protonvpn.com/) is OK (not great), chosen for bundled billing with my Proton e-mail. Higher rated are IVPN and Mullvad but they have similar jurisdiction notes (they are operated in Five Eyes or Fourteen Eyes (https://www.privacytools.io/#ukusa) territories).

Cloud storage/backup


SpiderOak (https://spideroak.com/) is still my secure choice. They were one of the first to offer desktop and mobile apps for end-to-end encrypted data. There is no server-side encryption so they don't even have the encryption keys/password to hand over if court ordered. I don't use it for complete drive backup. Just online/offsite backup of personal work product, insurance inventory, legal, etc. 2GB free account.

I still use DropBox for ease of sharing between all computer and mobile devices. However I don’t store any privacy risk material there. I refuse to use Google Drive on personal devices.


Device encryption


Computers
VeraCrypt (https://www.veracrypt.fr/en/Home.html). While Bitlocker is a good, easy option I don’t have 100% faith in Microsoft.

VeraCrypt is the newer version of TrueCrypt. However some of my computers work better with old TrueCrypt, e.g., one Win7Pro laptop took 12 minutes to boot VeraCrypt to the Windows login prompt. With TrueCrypt it takes 10 seconds to the same login. TrueCrypt was rumored to have a backdoor for FedGod but it was eventually proven not to have one. However it is no longer supported.

Mobile devices
For now I use native encryption. SD card storage slows down if you are copying mass large files from a computer or from the phone to inserted encrypted SD card. But otherwise zero lag for app usage.

Inconveniences
1. With VeraCrypt I cannot log in on a Microsoft Surface tablet without a keyboard attached. Don’t leave the keyboard at home…
2. Noticed larger (4TB) USB 3.0 encrypted drives transfer data at 20% of the speed of their non-encrypted selves, but still fast enough for most work. *Note: there are no noticeable speed issues with encrypted system hard drives, just the USB-connected drives.
3. Vera/TrueCrypt’d USB drives require the respective app running on the host computer. Good idea to have your encryption software on thumb drive or in a DropBox folder.


Android phone/tablet OS


Sad to say the alternative/secure mobile OS scene for individuals is still fractured. There is no turnkey solution and some of the best options are limited to certain phones and tablets.

Lineage (https://www.lineageos.org/) is an option but not without possibly giving up favorite apps… and learning enough to make it work and minimize security risks. Not every single Android device is supported; mostly phones and some tablets. The online Google Play store alternatives Apkpure (https://apkpure.com/app) and F-Droid (https://f-droid.org/en/packages/) do feature a lot of common apps. Even Strelok and other ballistic apps.


eelo (https://www.eelo.io/) seems to be the best developing attempt to completely replace Google-type architecture. It is no small feat to recreate the comprehensive modular system.

Rooting is an option and gives freedom to remove bloatware. However it requires the end user to be security savvy to help close resulting vulnerabilities.

schüler
05-12-2018, 11:00 PM
Interesting article on a physical ad blocker built on a Raspberry Pi. It also touches on some unexpected devices found to be communicating:
https://www.bloomberg.com/news/features/2018-05-10/inside-the-brotherhood-of-pi-hole-ad-blockers


"...Pi-hole is installed on only 140,000 networks. Unlike more popular ad-blocking browsers (Brave, which claims 2 million users) or browser extensions (Adblock Plus, 105 million), it requires a dedicated computer and some tech savvy to set up. Still, it has assumed an outsize role in the ad-blocking movement. Its 22,000 true believers on Reddit help a lot, says Drobnak, who’s spending 5 hours to 20 hours a week working on Pi-hole between computer science classes. The developers have discovered spying by internet-connected TVs (which collect data for ad targeting), lightbulbs (users have reported some LED bulbs mysteriously connecting with the manufacturer’s server every 2 seconds), and printers (including one that sent out 34 million queries in a day)..."

holmes168
05-27-2018, 07:06 AM
Pretty good place to start research

https://ssd.eff.org/en#index

RJ
05-27-2018, 07:32 AM
Interesting thread.

I've gotten as far as enabling SPI and MAC address filtering on my router. But then again my VCR was always blinking 00:00. :cool:

Kidding. Good info here. Appreciate the info even though I might not be tracking all of it.

I recently inactivated my FB account because of privacy concerns. I prefer FF as a web browser, so I'm glad it is mentioned here. We are about to dump our current sticks and bricks bank because of yet another data exposure from a former employer.

mtnbkr
05-27-2018, 08:08 AM
I use Pi-Hole at home. By doing so and monitoring what is blocked, I discovered a very stealthy bit of malware that virtually no antivirus apps detect (and fewer still can clean). I ultimately re-imaged the machine because I couldn't clean it to my satisfaction. The only IOC I had was it repeatedly connecting to an otherwise legitimate domain (one that I've visited in the past). It was connecting every 2min or so. Unfortunately, I was too lazy to do a packet capture to see what it was sending. I used Pi-Hole to block the DNS lookup and my router to drop the packets to the domain AND the IP it resolved to.

I run Pi-Hole on a Pi Zero W.

ETA: One downside of Pi-Hole is many link aggregators and "deal sites" like Slickdeals use domains that harvest data before sending you to your destination. Pi-Hole blocks most of these, making those sites mostly broken.

Chris

Jaywalker
05-27-2018, 06:07 PM
Wow. This is great.

We've hardened our privacy, but not as much as that, so far. We've pretty much moved away from email and over to text messaging. I can't think of anything more secure than Signal Private Messenger; we use that for issues dealing with money, health, or other topics we consider private, but unless you install Signal Desktop (still evaluating it), it's limited to keying on mobile phones. Apple Messages by keyboard gets the rest among my family of Apple users. We use Private Internet Access, desktop and phones, using Tunnelblick OpenVPN open source VPN tunnels, even with its limitations, as all we hope to avoid is ISP data-mining. Passwords have all changed to pass phrases, using six- or seven-word Diceware keys. Pass phrases are all kept in KeePassXC, an open source password manager, and backed up regularly with hard drives, half of which are kept at home in the gun safe and the other half in a bank safety deposit box, and swapped regularly. I can see I need to up my game.

schüler
05-29-2018, 10:01 AM
This made me laugh - this is the NoScript content list for an REI webpage:


schüler
06-01-2018, 05:17 PM
TL;DR Android "package disabler" apps allow you to kill persistent software and bloatware. When used in conjunction with a firewall app* they seem to be the best combo option for most normal smartphones: you retain normal phone security and updates and preserve normal app/store convenience... all without the hassle and risk (for newbs like me) of rooting a phone.

I was recommended an Android package disabler (PD) app to target nuisance bloatware apps I could not seem to control. The phones in question cannot be rooted directly**. I found the PD app to be very useful in limiting unnecessary and unwanted outgoing server connections from my phone.

In a nutshell: The PD app is given Admin privileges and provides a way to pick and choose which apps are allowed to run. This is different from my firewall - which simply offers a way to block outgoing communication. The PD keeps the app or process from running in the first place.

Before using the package disabler app I had already chosen "disable" for all unneeded apps in Android. However some elements of these apps were still frequently attempting to communicate with outside servers. Some apps did not have a disable switch in Android. I could see the comm attempts blocked in my firewall log.

The app is relatively new, not widely used so trustworthiness is unknown. I still run the NetGuard no-root firewall to block the PD app from communicating to the outside if it ever tries. To date there are no comm attempts logged by the firewall.

I was stoked to be able to finally disable bloatware Amazon Shopping, Flipboard and other OEM carrier apps. I was aggressive in the initial application and had to tweak it a bit to get Waze and Google Maps working again.

PDP blocking also significantly reduced the load on my NetGuard no-root firewall.

I've only used the apps with this logo and built for Samsung and LG devices but there are other apps in the Play store:


*Be careful with firewall apps. My original attempt to use one on the AT&T network ended up with me running over 15GB in 4 days. AT&T was somehow calculating all blocked traffic as double traffic or worse. Looking at the firewall logs it looked like apps not able to connect were making multiple, serial attempts to connect. I had to remove the firewall. When I moved to Cricket I found the firewall app worked without a hitch. Have not been able to test the Verizon MVNO yet.

**PDP is working well on a locked Samsung Note 5 and a locked LG Stylo 3. The Samsung is an AT&T OEM phone and not able to be rooted without attempting to revert updates and OS first and then try a workaround root solution. The LG cannot be unlocked for a while per carrier agreement. PDP thus far is a big win on both phones.

Chance
06-06-2018, 06:24 PM
Listen to the "complete privacy & security podcast" and knock yourself out.

I've listened to six episodes of this at the moment, and I've got to say, I like it overall and will recommend it to anyone interested in the topic.

They go off the deep end periodically, which isn't to say that they're wrong, just that some of what they recommend could end up creating as many problems as it solves. They're pretty transparent about that though, and will include "user beware" notices whenever appropriate.

Their detailed technical understanding is a scooch off every once in a while, but that's me being a computer science pedant. I've yet to hear a technical misunderstanding invalidate their recommendation.

I've picked up two of their (ugh... printed edition) books, and I'm learning a lot about practical OSINT and privacy techniques. Very cool. I appreciate overton pointing this out, and I think anyone interested in this topic would like this material.

brockb
06-08-2018, 12:23 PM
Thanks, I've downloaded a bunch to listen to in the car. I used to be really big on security, but have definitely been lax lately...

schüler
06-14-2018, 09:32 AM
If anyone is interested I can share a zip file of all S&P podcasts in 128k mp3. It would be a 5GB download. PM for a link, I should have it up this eve.

In other news...
Something I've always wondered about... can a web browser's auto-fill fields be captured by a 3rd party? A lot of browsers auto-fill your saved login, address, etc. info. This article says most browsers failed the test in Dec 2017.

I would think browsers now have that secured. The article lists this website (https://senglehardt.com/demo/no_boundaries/loginmanager/) to test your browser; you enter a FAKE login ID/password, let your browser remember it for you and then click to the next page to find the results. Test with your password manager if you use one.

Keep those browsers updated!

https://www.bleepingcomputer.com/news/security/web-trackers-exploit-flaw-in-browser-login-managers-to-steal-usernames/


Princeton privacy experts are warning that advertising and analytics firms can secretly extract site usernames from browsers using hidden login fields and tie non-authenticated users visiting a site with their profiles or emails on that domain.

This type of abusive behavior is possible because of a design flaw in the login managers included with all browsers, login managers that allow browsers to remember a user's username and password for specific sites and auto-insert it in login fields when the user visits that site again.
...
The trick is an old one, known for more than a decade but until now it's only been used by hackers trying to collect login information during XSS (cross-site scripting) attacks.

Princeton researchers say they recently found two web tracking services that utilize hidden login forms to collect login information.

Fortunately, neither of the two services collected password information, only the user's username or email address, depending on what each domain uses for the login process.

The two services are Adthink (audienceinsights.net) and OnAudience (behavioralengine.com), and Princeton researchers said they identified scripts from these two that collected login info on 1,110 sites found on the Alexa Top 1 Million sites list.
...
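
The hidden-login-field trick described in the article can be checked for in a page's own markup. The following is an added example (not from the thread, the article or the Princeton researchers) that walks static HTML with Python's html.parser and flags password or username inputs concealed by inline style or the hidden attribute; the sample page is constructed, and a form injected by a script at run time would only show up in the rendered DOM.

```python
"""Flag login-type inputs that a page hides from the user but not from autofill.

Added example, not from the thread or the cited article. Standard library only;
it audits the HTML a page ships, not what scripts build after load.
"""
import re
from html.parser import HTMLParser

# Inline styles that hide an element while leaving it eligible for autofill.
# (type="hidden" inputs are not autofilled, so they are deliberately ignored.)
HIDING_STYLES = [
    ("display:none", re.compile(r"display\s*:\s*none")),
    ("visibility:hidden", re.compile(r"visibility\s*:\s*hidden")),
    ("opacity:0", re.compile(r"opacity\s*:\s*0(?![.\d]*[1-9])")),
    ("off-screen", re.compile(r"(?:left|top)\s*:\s*-\d{3,}px")),
    ("zero-size", re.compile(r"(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)")),
]
USERNAME_HINT = re.compile(r"user|login|email|e-mail", re.IGNORECASE)
VOID_TAGS = {"input", "br", "img", "meta", "link", "hr"}


def hiding_reason(attrs):
    """Return why an element is concealed, or None if it is visible."""
    a = dict(attrs)
    if "hidden" in a:                      # bare `hidden` attribute
        return "hidden attribute"
    style = (a.get("style") or "").lower()
    for label, pattern in HIDING_STYLES:
        if pattern.search(style):
            return label
    return None


def is_login_input(a):
    """Password fields, plus text/email fields that look like a username slot."""
    itype = (a.get("type") or "text").lower()
    if itype == "password":
        return True
    if itype in ("text", "email"):
        hint = " ".join(a.get(k) or "" for k in ("name", "id", "autocomplete"))
        return bool(USERNAME_HINT.search(hint))
    return False


class HiddenLoginFinder(HTMLParser):
    """Tracks whether any open ancestor is hidden and records concealed inputs."""

    def __init__(self):
        super().__init__()
        self.hidden_stack = []   # one entry per open non-void element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        reason = hiding_reason(attrs)
        if tag == "input":
            a = dict(attrs)
            inherited = next((r for r in reversed(self.hidden_stack) if r), None)
            why = reason or inherited
            if why and is_login_input(a):
                self.findings.append({
                    "line": self.getpos()[0],
                    "type": (a.get("type") or "text").lower(),
                    "name": a.get("name") or a.get("id") or "",
                    "reason": why,
                })
        elif tag not in VOID_TAGS:
            self.hidden_stack.append(reason)

    def handle_endtag(self, tag):
        # Approximate for badly nested HTML, good enough for an audit pass.
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()


def find_hidden_login_fields(html):
    parser = HiddenLoginFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: a normal login form, a newsletter form with a concealed
# e-mail field, and an off-screen credential form of the kind the article
# attributes to third-party tracking scripts.
SAMPLE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed">
</form>
<form action="/newsletter">
  <input type="email" name="email" style="display:none">
  <input type="email" name="newsletter_email">
</form>
<div style="position:absolute; left:-9999px; top:0">
  <form id="probe"><input type="text" name="login" autocomplete="username">
  <input type="password" name="pwd"></form>
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_login_fields(SAMPLE_PAGE):
        print(f"line {f['line']}: <input type={f['type']} name={f['name']}> "
              f"hidden via {f['reason']}")
```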

holmes168
06-14-2018, 08:43 PM
thanks for keeping this thread going...

schüler
08-20-2018, 09:26 AM
A post initiated from another thread -

The NetGuard firewall I use is an Android firewall app. I don't have extensive iOS experience or personal recommendation but Firewall iP7 for iOS looks similar in capability.

One of the benefits of a phone firewall app is the ability to better control outgoing network communication. I don't think you'll ever get total network traffic control with commercial OSs like iOS and Android. But you can really cut down on the non-core OS apps you add.

Two caveats from my experience:
1) Some service providers may calculate data that your firewall blocks as actual sent data. It may affect your data usage. When I first tried NetGuard on an AT&T phone I found the blocked data was counted and applied against my data plan in a MULTIPLE amount. In one week I blew through a 15GB data plan.

I moved to Cricket unlimited and tried NetGuard again. NetGuard works 100%. I have an AT&T work phone and have verified (using the apps Net Monitor, Network Cell Info and LTE Discovery) that my Cricket phone uses the same towers and bands as my AT&T work phone. To boot, for half the price of my former AT&T account I get unlimited data and a separate basic Verizon MVNO phone as well.

2) The firewall may affect your logins to fraud-sensitive sites like Amazon, Summit Racing, etc. I live in Texas but NetGuard seems to consistently connect me through Michigan. You may get some extra CAPTCHA hassle.

On a related note there was a recent article on what became California bill AB 375 (https://www.nytimes.com/2018/08/14/magazine/facebook-google-privacy-data.html). It is a long but interesting read. The meat of it is the latter half of the article.

In a nutshell, a non-tech guy became actively interested in privacy legislation. Google and Facebook met with him while trying an end-around behind his back by forming and financing a counter organization ("Committee to Protect California Jobs") that started pulling the usual dirty tricks in the state community and in state government. The Facebook/Cambridge Analytica exposure helped the privacy legislation effort. Not long before the legislative vote a harmful, subtle change to the bill was realized and addressed. The law passed in June and now it's a lot like the Euro GDPR - let's see what worked and didn't work.

Chance
08-30-2018, 03:05 PM
Just FYI for those interested: NordVPN (https://nordvpn.com/), which consistently receives good rankings (https://www.pcmag.com/article2/0,2817,2403388,00.asp) from various places, has a three year sale on - $99 for three years, which is worth about $2.70 a month. Worth taking a peek at if you've been considering a VPN.

Chance
09-01-2018, 11:19 AM
Well, I've been using NordVPN for the past few days, and overall, I like it. The issue I'm seeing is that a lot of sites seem to block it, which is a common problem for VPNs.

While I could just turn it off to access those sites, some of the sites that are blocked are finance stuff, like my bank. If I can't use it to securely access my bank, it largely defeats the purpose. It also doesn't work with Amazon, which I'm on pretty much constantly.

I'm trying TorGuard at the moment, and it seems to be accepted in places NordVPN is blocked. The speed isn't great though, and the app is terrible (although I should note their customer service rocks). So I'm not sure if I'll switch to TorGuard, keep using NordVPN, or try something else.

What are y'all using for VPNs?

axon
09-01-2018, 05:17 PM
Well, I've been using NordVPN for the past few days, and overall, I like it. The issue I'm seeing is that a lot of sites seem to block it, which is a common problem for VPNs.

While I could just turn it off to access those sites, some of the sites that are blocked are finance stuff, like my bank. If I can't use it to securely access my bank, it largely defeats the purpose. It also doesn't work with Amazon, which I'm on pretty much constantly.

I'm trying TorGuard at the moment, and it seems to be accepted in places NordVPN is blocked. The speed isn't great though, and the app is terrible (although I should note their customer service rocks). So I'm not sure if I'll switch to TorGuard, keep using NordVPN, or try something else.

What are y'all using for VPNs?

Thanks for the heads up regarding NordVPN being blocked by some websites. I was about to jump on the 3 year deal but if it's going to have issues then never mind. I'm currently using encrypt.me, it's $10/month but I got it due to the ease of use on mobile devices. Only issue I've had is with amazon prime video, it won't play anything unless you turn it off, but it otherwise works with everything else.

Chance
09-01-2018, 05:44 PM
Thanks for the heads up regarding NordVPN being blocked by some websites. I was about to jump on the 3 year deal but if it's going to have issues then never mind. I'm currently using encrypt.me, it's $10/month but I got it due to the ease of use on mobile devices. Only issue I've had is with amazon prime video, it won't play anything unless you turn it off, but it otherwise works with everything else.

I wouldn't disregard NordVPN just for that, as a lot of VPNs face identical issues. At $2.70 a month for three years, I'm just going to keep it. If it doesn't work in situ, I'll switch to something else. It has solid speeds, the app is very user friendly, and I'm told it supports Netflix/Hulu/Amazon Prime, though I haven't tried it personally.

No one privacy tool is going to do everything, unfortunately. Just the nature of the gig.

Chance
09-01-2018, 05:52 PM
I noticed about a year or so ago that bot (spam/seo/whatever) networks started using VPNs to, presumably, get around geo-location based IP bans.

That's becoming more and more common. Age-old conundrum: you can use a tool for something constructive or you can use it to make a mess. I've seen services reject entire Autonomous System Numbers to restrict VPNs. That's pretty drastic, but it's a sign of the times.

We can't have anything nice.... :(

Jaywalker
09-01-2018, 05:57 PM
I noticed about a year or so ago that bot (spam/seo/whatever) networks started using VPNs to, presumably, get around geo-location based IP bans. PF doesn't currently have any location based bans in place as we are using a combo of a crowd-sourced spam database pre-registration filter and post-registration moderation queue for new members.
Up until a year or so ago I'd get frequent blocks by P-F of my VPN server. That hasn't been the case lately.

I recently changed from Private Internet Access VPN to IVPN, but that's been very recent. "Normal" price for IVPN used to be $100 a year but I got it for $70. I understand it's now available for $40 (much like my recent too-soon purchase of an HK P30). Still, if I were buying a VPN today I'd look very hard at Mullvad, as they use the new WireGuard VPN technology. That's just another way of suggesting there's more to finding a good VPN than looking at price; always check for reviews of "DNS leaks," or otherwise whatever money you're spending has been wasted. FWIW.

perlslacker
09-01-2018, 06:34 PM
This is very concise advice that will get most regular people started (https://gist.github.com/grugq/353b6fc9b094d5700c70). If you're the kind of person who gets offended by the advice to not root/jailbreak your phone, just remember that you're probably not the target audience. Also remember that sideloading shady APKs on your daily use phone is monumentally boneheaded.

Here's the highest-priority and lowest-effort stuff in my opinion:

- Opsec opsec opsec. Nerds get hot and bothered about technical controls but red teamers have a lot of success through social engineering (i.e. being con men), and they do a lot of recon on social media. Be careful what you post to social media and what your privacy/sharing settings are. Be especially careful about sites like LinkedIn where you're financially incentivized to share a lot of information.

- Use a password manager. Passwords are a garbage authentication mechanism, but there isn't really anything better in wide use. A password manager allows you to use passwords securely with minimal fuss. I use LastPass; I know cloud-based managers aren't the best but it's a usability tradeoff for me. Use a different password for every website, make sure they're strong, blah blah blah.

- Turn on 2-factor authentication whenever possible, especially on high-value accounts like your primary email and password manager. Use TOTP (Google Authenticator, etc) when possible. Hardware tokens (https://www.yubico.com/) are great if you want to buy them. SMS/telephone 2-factor where a service calls/texts you to deliver a security code is garbage, but for many services (like most banks lol) it's all you have. If you need to use SMS 2-factor, at the very least take some steps to protect yourself from port-out scams (https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/), because that's a major way that SMS 2FA gets broken.

- If you can, use virtual credit cards when you buy things online. For example, CapitalOne's Eno (https://www.capitalone.com/applications/eno/virtualnumbers/) app lets you come up with one-off credit card numbers that will only work for a single vendor, which limits the impact of a credit card number breach. Privacy.com is another service that I've heard of but I've never used it. This is an especially big deal for shooters because it seems like the good gun/ammo vendors use fly-by-night payment processors who get owned all the time.

- In my opinion, VPNs aren't as big of a deal as they used to be because everyone's pretty good about using HTTPS now, but I still use one anyway. Make sure you use one that you pay for; anyone who provides a free VPN has an ulterior motive for doing so. I use Mullvad (https://mullvad.net/en/) because they're reliable and they're in a jurisdiction that has strong privacy guarantees.

Jaywalker
09-01-2018, 11:38 PM
This is very concise advice that will get most regular people started (https://gist.github.com/grugq/353b6fc9b094d5700c70). If you're the kind of person who gets offended by the advice to not root/jailbreak your phone, just remember that you're probably not the target audience. Also remember that sideloading shady APKs on your daily use phone is monumentally boneheaded.

Here's the highest-priority and lowest-effort stuff in my opinion:

- Opsec opsec opsec. Nerds get hot and bothered about technical controls but red teamers have a lot of success through social engineering (i.e. being con men), and they do a lot of recon on social media. Be careful what you post to social media and what your privacy/sharing settings are. Be especially careful about sites like LinkedIn where you're financially incentivized to share a lot of information.

- Use a password manager. Passwords are a garbage authentication mechanism, but there isn't really anything better in wide use. A password manager allows you to use passwords securely with minimal fuss. I use LastPass; I know cloud-based managers aren't the best but it's a usability tradeoff for me. Use a different password for every website, make sure they're strong, blah blah blah.

- Turn on 2-factor authentication whenever possible, especially on high-value accounts like your primary email and password manager. Use TOTP (Google Authenticator, etc) when possible. Hardware tokens (https://www.yubico.com/) are great if you want to buy them. SMS/telephone 2-factor where a service calls/texts you to deliver a security code is garbage, but for many services (like most banks lol) it's all you have. If you need to use SMS 2-factor, at the very least take some steps to protect yourself from port-out scams (https://krebsonsecurity.com/2018/02/how-to-fight-mobile-number-port-out-scams/), because that's a major way that SMS 2FA gets broken.

- If you can, use virtual credit cards when you buy things online. For example, CapitalOne's Eno (https://www.capitalone.com/applications/eno/virtualnumbers/) app lets you come up with one-off credit card numbers that will only work for a single vendor, which limits the impact of a credit card number breach. Privacy.com is another service that I've heard of but I've never used it. This is an especially big deal for shooters because it seems like the good gun/ammo vendors use fly-by-night payment processors who get owned all the time.

- In my opinion, VPNs aren't as big of a deal as they used to be because everyone's pretty good about using HTTPS now, but I still use one anyway. Make sure you use one that you pay for; anyone who provides a free VPN has an ulterior motive for doing so. I use Mullvad (https://mullvad.net/en/) because they're reliable and they're in a jurisdiction that has strong privacy guarantees.
I agree, with very minor quibbles. I use Apple Pay as a virtual credit card - it works, but while it's growing, not enough merchants accept such things. Encouraging use is a good idea. I'd say VPNs are still a good idea, particularly for people using coffee shop and motel WiFi, and for those who feel their ISP is running its metaphorical fingers through the underwear drawer of their web use in order to package and sell it to some other pervert.

Erik
09-02-2018, 12:58 AM
Well, I've been using NordVPN for the past few days, and overall, I like it. The issue I'm seeing is that a lot of sites seem to block it, which is a common problem for VPNs.



If you go to settings, click on advanced settings and check "obfuscated servers", that will clear up most of those issues. It still won't play well with amazon, though. I'm OK with that because I'm trying to use amazon less for bad corporate citizen reasons, but yeah, it's a pain in the ass. Also, I've found that when connecting through the US I periodically experience connectivity issues. No idea why. When that happens, I switch to another country; typically Sweden for no particular reason.

Shellback
11-17-2018, 07:09 AM
Is ProtonMail the best option for a private email service? Any other recommendations for a paid for private email service?

What happens if they close the doors? Do you back everything up locally on a hard drive?

Chance
11-17-2018, 09:39 AM
Are you looking for something encrypted, or throw-away addresses, or what?

For encryption, ProtonMail is the name that will usually come up. I've used their service for a few months now and it seems pretty capable. I haven't checked, but they almost certainly support POP3, which would allow you to download everything locally.

For throw-away addresses, 33mail is something I'm playing around with. They're not totally anonymous though. Blur is a name I've heard for anonymous emails, but I don't know anything about them.

perlslacker
11-17-2018, 12:25 PM
Is ProtonMail the best option for a private email service? Any other recommendations for a paid for private email service?

What happens if they close the doors? Do you back everything up locally on a hard drive?

I use lavabit (https://lavabit.com/). You have to use an email client like a caveman, but that allows you to back up your emails locally.

perlslacker
11-17-2018, 12:30 PM
I agree, with very minor quibbles. I use Apple Pay as a virtual credit card - it works, but while it's growing, not enough merchants accept such things. Encouraging use is a good idea. I'd say VPNs are still a good idea, particularly for people using coffee shop and motel WiFi, and for those who feel their ISP is running its metaphorical fingers through the underwear drawer of their web use in order to package and sell it to some other pervert.

agreed RE: VPNs. That's why I use one.

Apple Pay is a different thing from ENO/privacy.com, unless they let you generate one-off credit card numbers.

Shellback
11-17-2018, 05:18 PM
Are you looking for something encrypted, or throw-away addresses, or what?

For encryption, ProtonMail is the name that will usually come up. I've used their service for a few months now and it seems pretty capable. I haven't checked, but they almost certainly support POP3, which would allow you to download everything locally.

For throw-away addresses, 33mail is something I'm playing around with. They're not totally anonymous though. Blur is a name I've heard for anonymous emails, but I don't know anything about them.
Just getting away from Gmail and other "free" email accounts that aren't private. I don't need a throw away address or anything top secret. I just appreciate having a small amount of anonymity and privacy.

For the web I use Safari or Firefox along with Duckduckgo. I'm not going crazy but want a bit more security.


I use lavabit (https://lavabit.com/). You have to use an email client like a caveman, but that allows you to back up your emails locally.

I'll compare this with Proton as well, thanks.

RJ
11-17-2018, 05:43 PM
Thanks, good tips in this thread.

I am pondering trying to extract myself from google tentacles in all respects; gmail, google earth, google search, etc. etc.

Contemplating first trying out different email servers, but I am also pondering building my own server using a Linux distribution etc. Maybe Mint, perhaps Ubuntu.

What are the parameters of a good email server using Linux?

I can likely source an older Windoze box cheap, and install Linux, no problem. Also I would get a UPS, and some kind of ideally redundant NAS to store critical (well, critical to me anyway) data.

Problem is it is just me, and I don't want some Hillary-level of clown shoes security, I want something that is (reasonably) bullet proof. Plus world wide access on various clients that I control and are in my physical possession. Oh and I would also like the ability to set up and nuke additional email addresses on my domain that I can give out to various businesses so that once the transaction is concluded I can dump that account and poof have them without my "real" email address.

Is something like this possible under Linux?

perlslacker
11-17-2018, 07:33 PM
Thanks, good tips in this thread.

I am pondering trying to extract myself from google tentacles in all respects; gmail, google earth, google search, etc. etc.

Contemplating first trying out different email servers, but I am also pondering building my own server using a Linux distribution etc. Maybe Mint, perhaps Ubuntu.

What are the parameters of a good email server using Linux?

I can likely source an older Windoze box cheap, and install Linux, no problem. Also I would get a UPS, and some kind of ideally redundant NAS to store critical (well, critical to me anyway) data.

Problem is it is just me, and I don't want some Hillary-level of clown shoes security, I want something that is (reasonably) bullet proof. Plus world wide access on various clients that I control and are in my physical possession. Oh and I would also like the ability to set up and nuke additional email addresses on my domain that I can give out to various businesses so that once the transaction is concluded I can dump that account and poof have them without my "real" email address.

Is something like this possible under Linux?

I mean yeah it's possible but I'd rather pay someone like lavabit $30/yr to handle all that sysadmin shit for me.

Chance
11-17-2018, 08:02 PM
Is something like this possible under Linux?

Possible, sure. But doing so competently and securely is getting into serious IT territory. Like, for cereal serious IT.


I'd strongly recommend forking over a few bucks to go with an established service. If you have no other ideas, ProtonMail and 33mail are decent places to start. They both have free versions for a test drive.

RJ
11-17-2018, 08:24 PM
Possible, sure. But doing so competently and securely is getting into serious IT territory. Like, for cereal serious IT.


I'd strongly recommend forking over a few bucks to go with an established service. If you have no other ideas, ProtonMail and 33mail are decent places to start. They both have free versions for a test drive.

It’s ok. I’m like a professional and stuff. I used to work for a National Political Party. I set up the email server for a high level hush hush VIP at her estate in New York. I think maybe she was associated with the State Department or something.

I mean, Hell, what could go wrong?

:cool:

RJ
11-17-2018, 08:27 PM
Just kidding.

Thanks for the tips. I’ll look into Proton Mail.

Chance
11-17-2018, 08:59 PM
I'm giving Abine DeleteMe (https://abine.com/deleteme/) a try. While I'm prepared to remove all of my data from aggregators (https://www.schneier.com/essays/archives/2018/03/its_not_just_faceboo.html) by hand, that's more of a hobbyist project for the sake of my own enlightenment. I'm hoping having specialists look over my shoulder is worth the cost, but we'll see.

I'm averaging 1,100 computer science students a year going through my classes, and I piss off a non-trivial percentage of them. I'm going to get doxxed eventually, it's just a matter of time. Hopefully, this reduces the damage.

I'll report back in a few months to let y'all know what my experiences are.


I mean, Hell, what could go wrong?

When Hillary murders you, do you want us to delete your browser history? It's the privacy-conscious thing to do.

schüler
11-17-2018, 10:07 PM
Is ProtonMail the best option for a private email service? Any other recommendations for a paid for private email service?

What happens if they close the doors? Do you back everything up locally on a hard drive?

Did you see the email comparison page at thatoneprivacysite?

https://thatoneprivacysite.net/email-comparison-chart/

I like to download the spreadsheet version because it's easier for me to scroll through and visualize.

I am still using paid ProtonMail and their VPN service, the $40/mo one. I think there's only been one time where there was a brief email outage. They had a serious coordinated attack on their sites at the time... and took steps to prevent that mode of vulnerability. Happens.

Remember that their Windows interface is via a dedicated ProtonMail bridge application that works with a limited number of email clients. I use Thunderbird on the Windows machines and their Android app on phones. I still use mozbackup to backup any email. It has all been pretty painless once set up, and the setup wasn't bad. I know one member here had an issue with getting their VPN to work on his router. I'm not sure if it was ever resolved.

Very happy with the VPN access. I use the preferred / premium servers. It's been a help getting around geographically-restricted content and also YouTube downloading apps I have set up to watch and automatically download certain channels. For some reason choosing a Netherlands-based ProtonMail VPN server will allow me to get around a lot of stuff.

I often use their web interface. I like the optional availability of two-factor authentication.

***They just rolled out their long-awaited iOS (phone) app!

RJ
11-18-2018, 10:23 AM
Just kidding.

Thanks for the tips. I’ll look into Proton Mail.

Ok I may try the free service.

In practical terms, what does the €8 a month for the VPN add on give you?


Sent from my iPhone using Tapatalk

Shoresy
11-18-2018, 02:48 PM
Ok I may try the free service.

In practical terms, what does the €8 a month for the VPN add on give you?


Sent from my iPhone using Tapatalk

ProtonVPN has a free option as well. It's billed as low speed, one device... though I haven't noticed speed issues. To be fair, I'm also not streaming copious amounts of HD video through it, either.

schüler
11-18-2018, 03:54 PM
Ok I may try the free service.

In practical terms, what does the €8 a month for the VPN add on give you?


Sent from my iPhone using Tapatalk

Depends if you will use the Tor/P2P/SecureCore/Plus server/secure streaming features.

Secure Core is their extra "layer" of network obscurity. Makes sense if you want reduced "attack surface" to dedicated, intensive scrutiny of your online activity. I don't have a need for it.

"Plus" servers are reserved for the higher tier subscribers and nice to have during periods of higher network traffic - evenings, etc. Especially if you need to use VPN servers in countries that don't have many servers to begin with.

I personally have more than 2 devices being used at the same time... So the 5 device expansion is good.

I don't do any Tor/Peer 2 peer/secure streaming stuff, so that's lost on me.

Chance
11-18-2018, 03:54 PM
Ok I may try the free service.

In practical terms, what does the €8 a month for the VPN add on give you?

It's €8 a month just for the VPN? That's kind of pricey. NordVPN is back on sale for $3 a month. Other than the fact it blocks my bank, I've been pretty pleased with it. PIA also gets consistent good reviews, and they're on sale for about the same price.

RJ
11-18-2018, 03:54 PM
ProtonVPN has a free option as well. It's billed as low speed, one device... though I haven't noticed speed issues. To be fair, I'm also not streaming copious amounts of HD video through it, either.

Ok...but...VPN = Virtual Private Network, right?

As in, an encrypted tunnel between client and server?

What does paying €8 for a ‘VPN’ from Proton give you as Joe Schmoe?


Sent from my iPhone using Tapatalk

RJ
11-18-2018, 04:00 PM
Depends if you will use the Tor/P2P/SecureCore/Plus server/secure streaming features.

Secure Core is their extra "layer" of network obscurity. Makes sense if you want reduced "attack surface" to dedicated, intensive scrutiny of your online activity. I don't have a need for it.

"Plus" servers are reserved for the higher tier subscribers and nice to have during periods of higher network traffic - evenings, etc. Especially if you need to use VPN servers in countries that don't have many servers to begin with.

I personally have more than 2 devices being used at the same time... So the 5 device expansion is good.

I don't do any Tor/Peer 2 peer/secure streaming stuff, so that's lost on me.

No clue what those are so I’d say...no.

Just me and the wife. We’d like two ‘real’ emails for family and close friends. Email traffic is low, less than 25 a day, less than 2-3Mb each and only once in a while sending a photo to grandkids.

Plus, the ability to set up temporary emails we can delete at a moments notice. No streaming, we have a 100Mbs land modem and cable company/Amazon Prime for that.




Sent from my iPhone using Tapatalk

Shoresy
11-18-2018, 04:09 PM
Ok...but...VPN = Virtual Private Network, right?

As in, an encrypted tunnel between client and server?

What does paying €8 for a ‘VPN’ from Proton give you as Joe Schmoe?


Sent from my iPhone using Tapatalk

I'm sure someone else on this board is smarter than me on the topic, but the 30,000 foot view is this...

VPNs make your internet usage (generally) anonymous. It routes your traffic through their servers - if someone who knows what they're doing looks at the incoming traffic, they can see the VPN's IP address etc, but they can't see past it to see where it came from and where the return traffic is going back to. Rather than asking Brazzers for your latest midget amputee porn, you ask the VPN to ask Brazzers for said naughty material, and Brazzers doesn't get to know who asked the VPN. And almost everyone using a VPN is doing so for a reason connected to privacy, so most-if-not-all VPNs take the privacy factor (who actually routed that specific traffic through their server) seriously.

The other advantage is geographic ambiguity. You can make it look like you're coming from somewhere else (e.g. Canada, Netherlands, Switzerland, etc). Let's say you travel overseas and want to catch up on a Netflix series while killing time in a foreign airport... but Netflix doesn't have [title] in [foreign country]. Use a VPN with US server and problem solved (note that many streaming services have started trying to detect if you're using a VPN and will block it based on that...). Can also be a problem on some websites if they trade in arms and you happen to pick an overseas server (and they block anything not coming from the US).

RJ
11-18-2018, 04:12 PM
I'm sure someone else on this board is smarter than me on the topic, but the 30,000 foot view is this...

VPNs make your internet usage (generally) anonymous. It routes your traffic through their servers - if someone who knows what they're doing looks at the incoming traffic, they can see the VPN's IP address etc, but they can't see past it to see where it came from and where the return traffic is going back to. Rather than asking Brazzers for your latest midget amputee porn, you ask the VPN to ask Brazzers for said naughty material, and Brazzers doesn't get to know who asked the VPN. And almost everyone using a VPN is doing so for a reason connected to privacy, so most-if-not-all VPNs take the privacy factor (who actually routed that specific traffic through their server) seriously.

The other advantage is geographic ambiguity. You can make it look like you're coming from somewhere else (e.g. Canada, Netherlands, Switzerland, etc). Let's say you travel overseas and want to catch up on a Netflix series while killing time in a foreign airport... but Netflix doesn't have [title] in [foreign country]. Use a VPN with US server and problem solved (note that many streaming services have started trying to detect if you're using a VPN and will block it based on that...). Can also be a problem on some websites if they trade in arms and you happen to pick an overseas server (and they block anything not coming from the US).

Perfect, thanks.

I know what ip2location is.

Yes, no weird stuff between wife and I; I’m just a regular guy looking for more anonymity in this crazy and complex digital world.

Thanks again.


Sent from my iPhone using Tapatalk

schüler
11-23-2018, 09:59 AM
Black Friday deal:

"For those of you that celebrate it, we hope you had a great Thanksgiving. Traditionally, the Friday after Thanksgiving is a major shopping event known as Black Friday, followed by Cyber Monday the following Monday.

This year, for our Black Friday sale, we are offering special two-year plans which offer up to a 45% discount compared to the regular monthly pricing.

This promotion is available through the web version of ProtonMail as a special Black Friday/Cyber Monday sale button in the upper right menu bar (if you don't see it, try refreshing your inbox on or after Nov 23). You can also access additional 2-year plans by going to Settings --> Dashboard."

https://uploads.tapatalk-cdn.com/20181123/839dae2d7067b75845ff7aa495406e5c.jpg

Jaywalker
11-24-2018, 09:34 PM
Based upon the thatoneprivacysite I chose Tutanota email. They were among the top three on that site for privacy.

Tutanota has several advantages.

- It has a free service, but if you upgrade to "Premium" it's only $12 a year - pretty much still "free."

- Anything you send between your account and another Tutanota account is automatically encrypted - no PGP ("Pretty Good Privacy") encryption complications.

- You can also send an encrypted email to a non-Tutanota member. You send an encrypted email to "Joe" and your email stays on Tutanota's server. Joe gets an email link and clicks it. That leads Joe to your email to him, and the channel is encrypted with Joe's own SSL/TLS-encryption - not a complete encryption solution, but a pretty slick workaround.

- Finally, I like their lost account/password recovery better than ProtonMail. Sure, both can use software two-factor authentication (2FA) tokens (e.g., Google Authenticator and Authy), but Tutanota also can use hardware tokens, e.g., Yubikey. I need a few different recovery methods in addition to normal passwords and master passwords - Yubikey is my choice.

Jaywalker
11-24-2018, 09:38 PM
agreed RE: VPNs. That's why I use one.

Apple Pay is a different thing from ENO/privacy.com, unless they let you generate one-off credit card numbers.

ApplePay generates a unique approval to pay for the merchant and the merchant never sees my credit card number.

Sorry for the delay - my wife and I were out of the country.

perlslacker
11-25-2018, 01:48 AM
ApplePay generates a unique approval to pay for the merchant and the merchant never sees my credit card number.


That is a very cool, but different, thing. It's better but it requires the merchant to support ApplePay.

Generating one-off credit card numbers isn't foolproof, in that the number can be used at that merchant if it's stolen, but it doesn't require the merchant to support any fancy payment technologies.

Shellback
11-25-2018, 10:01 AM
Black Friday deal:

"For those of you that celebrate it, we hope you had a great Thanksgiving. Traditionally, the Friday after Thanksgiving is a major shopping event known as Black Friday, followed by Cyber Monday the following Monday.

This year, for our Black Friday sale, we are offering special two-year plans which offer up to a 45% discount compared to the regular monthly pricing.

Thanks! Just signed up for their email service with the BF deal.

Erik
12-16-2019, 05:36 PM
Cloud storage/backup
SpiderOak (https://spideroak.com/) is still my secure choice. They were one of the first to offer desktop and mobile apps for end-to-end encrypted data. There is no server-side encryption so they don't even have the encryption keys/password to hand over if court ordered. I don't use it for complete drive backup. Just online/offsite backup of personal work product, insurance inventory, legal, etc. 2GB free account.

I still use DropBox for ease of sharing between all computer and mobile devices. However I don’t store any privacy risk material there. I refuse to use Google Drive on personal devices.

Is this still a valid choice? I got a new laptop and I need to backup the old one and transfer files. I'd like to backup to the cloud and then make that an ongoing practice (something I should have been doing all along) and would like to do that without compromising privacy. Thanks.

ETA: IDrive is offering a deal at $6.95 for the first year and also says they don't store encryption keys, etc. Plus, it allows mobile device backup. This seems like an obvious choice to try. Is it? https://www.idrive.com/

Chance
12-16-2019, 06:41 PM
If I were looking for secure backup, Spider Oak would still be my first choice. I'm afraid I'm not familiar with IDrive, but they sound like they're worth a try.

I'm just talking out loud, but it's worth keeping in mind that if you encrypt the entire backup, it's going to limit the company's ability to help you in the event you find yourself completely hosed locally (i.e., house fire, et cetera). For me personally, backup is about redundancy - if I'm concerned about privacy, I can encrypt it locally, then upload it.

Erik
12-16-2019, 06:46 PM
Thanks. That's basically what IDrive says too: If you select a private encryption key, don't lose it because if you do, you're screwed.

schüler
12-16-2019, 11:57 PM
Is this still a valid choice? I got a new laptop and I need to back up the old one and transfer files. I'd like to back up to the cloud and then make that an ongoing practice (something I should have been doing all along) and would like to do that without compromising privacy. Thanks.

ETA: IDrive is offering a deal at $6.95 for the first year and also says they don't store encryption keys, etc. Plus, it allows mobile device backup. This seems like an obvious choice to try. Is it? https://www.idrive.com/

I would look at the big picture for yourself - storage size, use across several different platforms, easy setup, easy interface, etc. If you're not already using things like end-to-end encrypted email, VPN and so forth... then IDrive is a decent choice. There are a lot of helpful "X" vs. "Y" reviews of online storage services.

I still use a SpiderOak paid account for its privacy/simplicity. I don't need to back up terabytes of data, I don't need to sync a bazillion files between several devices and I'm fine with the slightly kludgy Windows app. I actually appreciate the granular aspect. The Android app is a far cry from polished products like DropBox/Sync but it's OK for my infrequent use. The Hive hot sync directory across my devices works fine. And it's just me saving the data for myself. I no longer use DropBox, Sync, etc. for anything.

IN OTHER NEWS,

Purism is shipping development models of their Linux-based phone, the Librem 5 (https://puri.sm/posts/librem-5-usa/). VERY basic functionality and they're still working on basics such as call audio quality, power efficiency and way more. But it's ALIVE! A phone built with zero closed-source chipsets, 100% their own code (open source - they're uploading all their code to the public as they develop it), discrete baseband module and of course discrete hardware kill switches for baseband, wifi/bluetooth, mic, etc. They were made from the start to act as portable workstations - support for a full-size monitor/keyboard.

Blocky size due to modular separation of the wireless modem, storage... and no aftermarket support (yet?).

Their regular phone (https://puri.sm/products/librem-5/) is $700. They offer an all-USA-assembly (https://puri.sm/products/librem-5-usa/) pre-order for $2k. Pretty freakin' neat.

I think the closest competitor is still the Pinephone, but that is built on closed-source chips.

Erik
12-17-2019, 12:06 AM
Thanks. I appreciate it. This has been a really useful thread for me.

RJ
11-03-2020, 12:36 PM
Whelp, today seemed as good a day as any to start this.

I've had a free Proton Mail account for a couple months, seems to work ok. Today I upgraded to the Plus package, and added the VPN service. I have five email addresses, and can protect five devices with Proton VPN. I went ahead and bought an annual package, which brought the price to 115 EUR / 134 USD one-time charge.

I added the Proton VPN client to my iPhone, and activated it. I used Speedtest to check download here at the Apt. Normally I see 115M up, 11 down, and with the VPN active it seems to be about 48M up /8 down. I think for the protection of having VPN all the time, especially when we are traveling, it's worth it. I've activated the ProtonMail VPN widget off the home screen to keep an eye on it while it's running. Hopefully it will do its thing in the background with no further interaction (which is kinda how I envision this working.)

I'll continue to monitor. I have to add Mrs. RJ's phone as well as our Windows and Linux boxes, and an iPad Mini to the account. Will report back any additional observations.


RJ
11-04-2020, 08:30 AM
Got the iOS client downloaded and running on my iPad Mini.

I did some investigating on what the "Use Secure Core" slider button meant. Apparently this adds security with a double hop through the Proton servers:

https://protonvpn.com/support/secure-core-vpn/

I am not sure I need that, so I disabled it for now.


I think disabling this feature should speed up the connection. I did the same on my iPhone 12, and noticed speeds went way up; they are now around 102 M down, 10 M up, or almost back to what's "normal" for my internet connection. I did notice that my Spectrum TV app (I watch TV sometimes from a device) doesn't work with the VPN connection enabled. But not sure I'll need that, since this is primarily a security enhancement for me at least when we are traveling or on the road.

RJ
11-05-2020, 04:34 PM
So, one negative comment on ProtonMail so far.

I opted to purchase the "Proton Plus" package for around $135 or so annual fee. This is touted as having up to "five email addresses" as part of the package.

Well I was mentally thinking, ok, five email addresses, that will work; I need an address for me, one for Mrs. RJ, and we use one for common accounts or other things where we need to pool the info. I've set up this pooled address on several clients so we each have access to it. This approach works very well for us.

Protonmail doesn't operate that way. In fact, what they really should say is they have "five email aliases", which you can use with your (single) primary account. Yes, you can send email to "appear" as another email address@protonmail.com, but they don't have a concept of an individual email account and storage for user 1, another for user 2, and so on. They just have one big pool of email for the "one" user.

So it's not like you are buying five separate emails. You really are buying one, with the option to "appear" or alias yourself with another email address.

I was not very happy with this. But since I've gone ahead and bought the package, what I ended up doing was to set up three incoming email filters. If the email filter contains "user 1" as the recipient, I moved the email to a folder called "user 1". Same for "user 2" and same for "user 3".

After setting up these filters, I installed the Protonmail Client on my wife's iPhone, and confirmed with some back and forth to gmail that this indeed does work. She has the same client I have, meaning she can see all "my" email, as I can see all "her" as well, and we can both see the "shared" email, each in their respective folders.

We are ok with this, as our relationship is transparent; we don't have a me/your financial relationship so everything is in one pot anyway (ok actually well I tell a lie: we share the money 50:50: I put it in, she takes it out :cool:).

But if you were looking to get true "multi user" with the basic Proton Plus package, it won't do it.

RJ
11-05-2020, 06:29 PM
Ok, I got the VPN installed on both our Windoze box and my Linux Mint laptop.

Windows was easy; just log in to Proton VPN, go to the download area, download the app, then open it and follow the install prompts. Once the app is unpacked and started, you log in with your credentials, select "start with windows" and it starts. I picked the "fastest connection" standard profile, and it connected to a server in Miami. And that should be it.

Linux was a bit trickier. I followed their instructions for Linux/Mint here:

https://protonvpn.com/support/linux-vpn-tool/

One tricky bit was I had to go figure out what my "openVPN" credentials were. They are obvious, but over in the Account settings area. They are both like 26 character strings automagically generated by the Proton people. Thankfully they give you a "copy" box, so you can just copy and paste them into the Linux text window when you need to login to setup your profile.

To install, I followed the command line "sudo" commands listed at the link for Mint. I had created a GitHub account for a WiFi driver I needed, but I didn't need it to install this package. In Mint, Proton VPN is controlled by a command line interface. I got it running, but I will have to remember how to include a process to start it automatically when Linux starts; like a cron job or something.

Interestingly, there's no Proton VPN package available in the "software" manager that's available; so yeah you have to follow their guidelines.


RJ
11-06-2020, 10:38 AM
One minor comment on ProtonVPN; with my iPad Mini running through the VPN, I can no longer connect the YouTube app on the iPad to the YouTube App on my Samsung (Android based?) TV. I would imagine that, even though they are on the "same" network (the iPad Mini is on the 5G side of my WiFi network, the TV is wired direct to a 4 port switch, along with my Sonos sound bar, then via a 10/100 ethernet cable to a port on the back of the router), since packets out of the iPad through the VPN are encrypted, it can't see the TV. If I disconnect the iPad from the VPN temporarily the YouTube app will connect to the TV fine.

It's not a yuge deal; but I do find it useful to control the TV from my iPad for watching random videos at night.

Chance
11-06-2020, 01:52 PM
I would imagine that, even though they are on the "same" network (the iPad Mini is on the 5G side of my WiFi network, the TV is wired direct to a 4 port switch, along with my Sonos sound bar, then via a 10/100 ethernet cable to a port on the back of the router), since packets out of the iPad through the VPN are encrypted, it can't see the TV.

When you run a VPN on an end-system, it isolates that end-system from the rest of the network. That's the whole idea. You can check to see if your router will connect to the VPN so your external traffic is protected and your internal traffic works as usual, but that can create issues everyone on your network has to deal with.

perlslacker
11-08-2020, 11:07 PM
I got it running, but I will have to remember how to include a process to start it automatically when Linux starts; like a cron job or something.

I did a quick google and it looks like you can just set NetworkManager to autoconnect your VPN (https://askubuntu.com/questions/1048352/bionic-how-can-i-automatically-enable-vpn-on-a-network-connection?noredirect=1), assuming Mint uses NetworkManager. You could use systemd too I guess but that would be more involved.

EDIT: in case you don't want to click the link, run the command 'nm-connection-editor'. There will be an option for your connection called "Automatically connect to VPN."

cron is for running tasks periodically (like every hour or every day), not for making sure they happen on startup.

CleverNickname
11-09-2020, 01:27 AM
If you do configure your laptop to autostart the VPN upon connecting your network interface, realize that many public Wifi APs require that you authenticate through some web page before you're granted access to the internet, even if just to click a checkbox saying that you're agreeing to the ToS of whoever's running that AP. If properly set up, your VPN would block access to that page, so it'd probably be easier to set up your VPN to not connect automatically, and then manually connect the VPN as soon as you're authenticated, but before you do anything else.

RJ
11-09-2020, 07:13 AM
I did a quick google and it looks like you can just set NetworkManager to autoconnect your VPN (https://askubuntu.com/questions/1048352/bionic-how-can-i-automatically-enable-vpn-on-a-network-connection?noredirect=1), assuming Mint uses NetworkManager. You could use systemd too I guess but that would be more involved.

EDIT: in case you don't want to click the link, run the command 'nm-connection-editor'. There will be an option for your connection called "Automatically connect to VPN."

cron is for running tasks periodically (like every hour or every day), not for making sure they happen on startup.

Thanks. Linux Mint Cinnamon seems to have a "Startup Apps" capability, so for now I've put the startup here:



If you do configure your laptop to autostart the VPN upon connecting your network interface, realize that many public Wifi APs require that you authenticate through some web page before you're granted access to the internet, even if just to click a checkbox saying that you're agreeing to the ToS of whoever's running that AP. If properly set up, your VPN would block access to that page, so it'd probably be easier to set up your VPN to not connect automatically, and then manually connect the VPN as soon as you're authenticated, but before you do anything else.

Understood, and thanks.

This particular laptop is more like my "desktop". It's an older Dell E6530 I bought surplus from work when they had a "get rid of the old equipment" sale to the employees. The battery is no good anymore and it just sits on my desk, serving as my main "I need a real keyboard" machine for web surfing or using LibreOffice capabilities to design paper targets, spreadsheets, etc.

So it's pretty much on my home network, all the time; I don't really plan to travel with it.

RJ
11-22-2020, 05:03 PM
Well, I never could get the VPN started, either through the network "add VPN" interface mentioned by perlslacker, or anything else I tried. What I eventually did was execute a start script for my box into my /etc/rc.local, and then have it run from my $HOME directory. Crude, but seems to work, and I don't have to fat finger a start up of the VPN every time I log in. Gotta say it was fun re-learning my (fairly rudimentary) bash script skills.
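The captive-portal caveat raised a few posts up and the rc.local start script described here, as an added example that is not RJ's script or anything else from this thread: a bash startup script that probes for real internet access before bringing the VPN up, so a portal's login page is never blocked by the tunnel. VPN_UP_CMD is a placeholder, not a real ProtonVPN command, and the probe URL is Firefox's public portal-detection endpoint; curl is assumed to be installed.

```shell
#!/bin/bash
# Added example, not code from this thread. Start a VPN from /etc/rc.local or
# "Startup Apps" only after real internet access exists, so a captive portal's
# login page is not blocked by the tunnel.
# Assumptions: curl is installed; VPN_UP_CMD is a PLACEHOLDER for whatever
# command your VPN client uses to connect (it is NOT a real ProtonVPN command).

PROBE_URL="http://detectportal.firefox.com/success.txt"  # Firefox's own portal probe
EXPECTED_BODY="success"                                   # plain-text body when online
VPN_UP_CMD="${VPN_UP_CMD:-echo PLACEHOLDER: put your VPN connect command here}"
MAX_WAIT="${MAX_WAIT:-120}"   # seconds to wait for a usable network before giving up

# classify_probe STATUS BODY -> prints online | captive | offline
# A portal usually answers with a redirect (30x) or a 200 carrying its own login
# HTML instead of the expected body; no HTTP answer at all (000) means offline.
classify_probe() {
  local status="$1" body="$2"
  if [ "$status" = "200" ] && [ "$body" = "$EXPECTED_BODY" ]; then
    echo online
  elif [ -z "$status" ] || [ "$status" = "000" ]; then
    echo offline
  else
    echo captive
  fi
}

# probe_network -> prints the classification of one live probe request
probe_network() {
  local tmp status body
  tmp=$(mktemp)
  status=$(curl -s -m 5 -o "$tmp" -w '%{http_code}' "$PROBE_URL" 2>/dev/null) \
    || status="000"
  body=$(tr -d '\r\n' < "$tmp")
  rm -f "$tmp"
  classify_probe "$status" "$body"
}

# wait_then_connect: poll until online, then bring the tunnel up. Never connect
# while a portal is in the way, since the tunnel would hide its login page.
wait_then_connect() {
  local waited=0 state
  while [ "$waited" -lt "$MAX_WAIT" ]; do
    state=$(probe_network)
    case "$state" in
      online)
        echo "network is up, starting VPN"
        sh -c "$VPN_UP_CMD"
        return 0 ;;
      captive)
        echo "captive portal detected; log in through the browser, then rerun" >&2
        return 2 ;;
      *)
        sleep 5
        waited=$((waited + 5)) ;;
    esac
  done
  echo "no usable network after ${MAX_WAIT}s, giving up" >&2
  return 1
}

# Only act when invoked with "run", e.g. from /etc/rc.local:
#   /home/you/vpn-autostart.sh run &
case "${1:-}" in
  run) wait_then_connect ;;
esac
```

Without the "run" argument the script only defines its functions, which keeps it safe to source or inspect on a machine with no network.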

perlslacker
11-22-2020, 09:03 PM
Well, I never could get the VPN started, either through the network "add VPN" interface mentioned by perlslacker, or anything else I tried. What I eventually did was execute a start script for my box into my /etc/rc.local, and then have it run from my $HOME directory. Crude, but seems to work, and I don't have to fat finger a start up of the VPN every time I log in. Gotta say it was fun re-learning my (fairly rudimentary) bash script skills.

Glad you got something going!

Fighting NetworkManager isn't for the faint of heart.

RJ
12-21-2020, 06:54 AM
So, one negative comment on ProtonMail so far.

I opted to purchase the "Proton Plus" package for around $135 or so annual fee. This is touted as having up to "five email addresses" as part of the package.

Well I was mentally thinking, ok, five email addresses, that will work; I need an address for me, one for Mrs. RJ, and we use one for common accounts or other things where we need to pool the info. I've set up this pooled address on several clients so we each have access to it. This approach works very well for us.

Protonmail doesn't operate that way. In fact, what they really should say is they have "five email aliases", which you can use with your (single) primary account. Yes, you can send email to "appear" as another email address@protonmail.com, but they don't have a concept of an individual email account and storage for user 1, another for user 2, and so on. They just have one big pool of email for the "one" user.

So it's not like you are buying five separate emails. You really are buying one, with the option to "appear" or alias yourself with another email address.

I was not very happy with this. But since I've gone ahead and bought the package, what I ended up doing was to set up three incoming email filters. If the email filter contains "user 1" as the recipient, I moved the email to a folder called "user 1". Same for "user 2" and same for "user 3".

After setting up these filters, I installed the Protonmail Client on my wife's iPhone, and confirmed with some back and forth to gmail that this indeed does work. She has the same client I have, meaning she can see all "my" email, as I can see all "her" as well, and we can both see the "shared" email, each in their respective folders.

We are ok with this, as our relationship is transparent; we don't have a me/your financial relationship so everything is in one pot anyway (ok actually well I tell a lie: we share the money 50:50: I put it in, she takes it out :cool:).

But if you were looking to get true "multi user" with the basic Proton Plus package, it won't do it.

After discussing options, with my wife, I feel like this feature (“5” email addresses is actually “5” email “aliases”) will not meet my needs, so I’m going to cancel my ProtonMail account and request a refund.

Aside from what’s been mentioned so far, are there any additional paid secure email/VPN services you’d recommend?

2xAGM114
12-22-2020, 06:58 AM
Tons of great info here:

https://inteltechniques.com/podcast.html

Bazzell is former military and does this type of work as a professional consultant for celebrities. His podcast and books are great, very informative.

Since listening to the podcast two years ago I've done/have:

Frozen credit w/ all six credit agencies
Password manager
Protonmail
ProtonVPN
New Wi-Fi router setup
NoScript installed
Disconnect installed
Cookie Auto-delete installed
Many tweaks for "zero knowledge" browsing, macOS settings
TTPs for when/how/where to use cell phone/laptop in public
PO Box
Alias name/phone number for ordering online
more TTPs for use of credit/debit cards

Now we get almost zero credit card offers, most addressed to the dog.

Guerrero
09-21-2021, 03:51 PM
Welcome to 2017, Guerrero: I finally started using a password manager (KeePassXC on Windows and KeePass2Android on my phone). I wasn't sure how to securely share the database across platforms. It finally hit me that with the beta of ProtonDrive, I had a secure, encrypted place to drop some files, so I'm set now. We'll see how it goes.

RoyGBiv
09-21-2021, 04:17 PM
Welcome to 2017, Guerrero: I finally started using a password manager (KeePassXC on Windows and KeePass2Android on my phone). I wasn't sure how to securely share the database across platforms. It finally hit me that with the beta of ProtonDrive, I had a secure, encrypted place to drop some files, so I'm set now. We'll see how it goes.

I'm not familiar with that app... I've used LastPass and BitWarden... IIRC, the database resides in their cloud, you install the app, log in from whatever device and the database is synched to the device. Then you authenticate on that device and the database is decrypted for use locally. The cloud version remains encrypted and you hold the only key. Or something like that.

No?

Guerrero
09-21-2021, 04:23 PM
I'm not familiar with that app... I've used LastPass and BitWarden... IIRC, the database resides in their cloud, you install the app, log in from whatever device and the database is synched to the device. Then you authenticate on that device and the database is decrypted for use locally. The cloud version remains encrypted and you hold the only key. Or something like that.

No?

I used KeePassXC on my Windows machine(s) to create an encrypted database. I then uploaded it to my ProtonDrive, and then "manually" synced it across my other devices. This way the database is always(-ish) under my control; i.e. I don't have to rely on someone else's cloud (much). I also didn't need to make any additional accounts or pay any additional money.

Sig_Fiend
09-21-2021, 06:07 PM
KeePass (https://keepass.info/download.html) is a locally hosted, encrypted password manager. The value prop there is not having a cloud-based password manager that could be hacked. An attacker would need access to your machine or device. Even then, if you have a password on your KeePass database, it's encrypted and they'd have to crack your password before they could access the login/password files in the database.

The other nice thing about KeePass is, there are variants available for mobile devices. You can also keep copies of the database anywhere; encrypted USB stick, a CD, pretty much anything. Only issue with copies is dealing with trying to keep things up to date. The downside of KeePass is the added inconvenience of having to manually copy login info from the program into login forms on sites and apps you use. I highly recommend accepting that inconvenience, as it benefits you with significantly improved security. Cloud-based solutions like LastPass or 1Password generally seem "okay", but anything cloud-based is always going to be high-risk for exploitation. When it comes to digital security, pretty much anything that adds convenience is a vulnerability.

Erik
11-18-2021, 09:18 PM
Those of you using protonmail, would you still recommend it? I am looking at it because, if I understand the services offered correctly, it will:

allow me to sync across multiple devices (I use two laptops and a phone);
give me a secure email that I can transition to over time;
aggregate and allow me to send and receive from my gmail and local carrier accounts;
give me a decent calendar app; and
give me a reasonably user-friendly interface for all of that.

If it can do all that for me and sync with and run well on my de-googled phone, I will be a happy camper.

Sig_Fiend
11-18-2021, 10:49 PM
Those of you using protonmail, would you still recommend it? I am looking at it because, if I understand the services offered correctly, it will:

allow me to sync across multiple devices (I use two laptops and a phone);
give me a secure email that I can transition to over time;
aggregate and allow me to send and receive from my gmail and local carrier accounts;
give me a decent calendar app; and
give me a reasonably user-friendly interface for all of that.

If it can do all that for me and sync with and run well on my de-googled phone, I will be a happy camper.

The main issue I see is that the Android app is only available through Google Play. Even with the open source code repo, for anyone with the technical skills to do it, the app still relies on Google Firebase for push notifications. So it sounds like even trying to install and build from source code, it may not function completely, but I'm just guessing at this point. I started to go down that route a while back and decided it just wasn't worth the hassle and I'll just deal with evil Google Play for now.

I've used the app, installed through Google Play, for a while now and haven't had any issues. They continue enhancing the UI and features, so no real complaints there. The calendar app is also decent and has most of the functionality you'd expect.

BTW, ProtonVPN is available through the F-Droid app store, for those that want to avoid Google Play.

Erik
11-19-2021, 12:03 AM
The main issue I see is that the Android app is only available through Google Play. Even with the open source code repo, for anyone with the technical skills to do it, the app still relies on Google Firebase for push notifications. So it sounds like even trying to install and build from source code, it may not function completely, but I'm just guessing at this point. I started to go down that route a while back and decided it just wasn't worth the hassle and I'll just deal with evil Google Play for now.

I've used the app, installed through Google Play, for a while now and haven't had any issues. They continue enhancing the UI and features, so no real complaints there. The calendar app is also decent and has most of the functionality you'd expect.

BTW, ProtonVPN is available through the F-Droid app store, for those that want to avoid Google Play.

Thanks. That's very helpful. The email and calendar apps are available through Aurora Store, so you don't have to go through Google Play to get them. My understanding is that makes a difference even where apps rely on Google for push notifications but that understanding is based entirely on reading what Calyx OS has to say about it on their website.