RFI: Personal information security - Apps, devices and practices

[RJ]

I did a quick google and it looks like you can just set NetworkManager to autoconnect your VPN, assuming Mint uses NetworkManager. You could use systemd too I guess but that would be more involved.

EDIT: in case you don't want to click the link, run the command 'nm-connection-editor.' There will be an option for your connection called "Automatically connect to VPN."

cron is for running tasks periodically (like every hour or every day), not for making sure they happen on startup.

Thanks. Linux Mint Cinammon seems to have a "Startup Apps" capability, so for now I've put the startup here:

If you do configure your laptop to autostart the VPN upon connecting your network interface, realize that many public Wifi APs require that you authenticate through some web page before you're granted access to the internet, even if just to click a checkbox saying that you're agreeing to the ToS of whoever's running that AP. If properly set up, your VPN would block access to that page, so it'd probably be easier to set up your VPN to not connect automatically, and then manually connect the VPN as soon as you're authenticated, but before you do anything else.

Understood, and thanks.

This particular laptop is more like my "desktop". It's an older Dell E6530 I bought surplus from work when they had a "get rid of the old equipment" sale to the empoyees. The battery is no good anymore and it just sits on my desk, serving as my main "I need a real keyboard" machine for web surfing or using LibreOffice capabilities to design paper targets, spreadsheets, etc.

So it's pretty much on my home network, all the time; I don't really plan to travel with it.

[RJ]

Well, I never could get the VPN started, either through the network "add VPN" interface mentioned by @perlslacker, or anything else I tried. What I eventually did was execute a start script for my box into my /etc/rc.local, and then have it run from my $HOME directory. Crude, but seems to work, and I don't have to fat finger a start up of the VPN every time I log in. Gotta say it was fun re-learning my (fairly rudimentary) bash script skills.

[perlslacker]

Well, I never could get the VPN started, either through the network "add VPN" interface mentioned by @perlslacker, or anything else I tried. What I eventually did was execute a start script for my box into my /etc/rc.local, and then have it run from my $HOME directory. Crude, but seems to work, and I don't have to fat finger a start up of the VPN every time I log in. Gotta say it was fun re-learning my (fairly rudimentary) bash script skills.

Glad you got something going!

Fighting NetworkManager isn't for the faint of heart.

[RJ]

So, one negative comment on ProtonMail so far.

I opted to purchase the "Proton Plus" package for around $135 or so annual fee. This is touted as having up to "five email addresses" as part of the package.

Well I was mentally thinking, ok, five email addresses, that will work; I need an address for me, one for Mrs. RJ, and we use one for common accounts or other things where we need to pool the info. I've set up this pooled address on several clients so we each have access to it. This approach works very well for us.

Protonmail doesn't operate that way. In fact, what they really should say is they have "five email aliases", which you can use with your (single) primary account. Yes, you can send email to "appear" as another email address@protonmail.com, but they don't have a concept of an individual email account and storage for user 1, another for user 2, and so on. They just have one big pool of email for the "one" user.

So it's not like you are buying five separate emails. You really are buying one, with the option to "appear" or alias yourself with another email address.

I was not very happy with this. But since I've gone ahead and bought the package, what I ended up doing was to set up three incoming email filters. If the email filter contains "user 1" as the recipient, I moved the email to a folder called "user 1". Same for "user 2" and same for "user 3".

After setting up these filters, I installed the Protonmail Client on my wife's iPhone, and confirmed with some back and forth to gmail that this indeed does work. She has the same client I have, meaning she can see all "my" email, as I can see all "her" as well, and we can both see the "shared" email, each in their respective folders.

We are ok with this, as our relationship is transparent; we don't have a me/your financial relationship so everything is in one pot anyway (ok actually well I tell a lie: we share the money 50:50: I put it in, she takes it out ).

But if you were looking to get true "multi user" with the basic Proton Plus package, it won't do it.

After discussing options, with my wife, I feel like this feature (“5” email addresses is actually “5” email “aliases”) will not meet my needs, so I’m going to cancel my ProtonMail account and request a refund.

Aside from what’s been mentioned so far, are there any additional paid secure email/VPN services you’d recommend?

[2xAGM114]

Tons of great info here:

https://inteltechniques.com/podcast.html

Bazzell is former military and does this type of work as a professional consultant for celebrities. His podcast and books are great, very informative.

Since listening to the podcast two years ago I've done/have:

Frozen credit w/ all six credit agencies
Password manager
Protonmail
ProtonVPN
New Wi-Fi router setup
No Script installed
Disconnect installed
Cookie Auto-delete installed
Many tweaks for "zero knowledge" browsing, MAC OS settings
TTPs for when/how/where to use cell phone/laptop in public
PO Box
Alias name/phone number for ordering online
more TTPs for use of credit/debit cards

Now we get almost zero credit card offers, most addressed to the dog.

[Guerrero]

Welcome to 2017, Guerrero: I finally started using a password manager (KeePassXC on Windows and KeePass2Android on my phone). I wasn't sure how to securely share the database across platforms. It finally hit me that with the beta of ProtonDrive, I had a secure, encrypted place to drop some files, so I'm set now. We'll see how it goes.

[RoyGBiv]

Welcome to 2017, Guerrero: I finally started using a password manager (KeePassXC on Windows and KeePass2Android on my phone). I wasn't sure how to securely share the database across platforms. It finally hit me that with the beta of ProtonDrive, I had a secure, encrypted place to drop some files, so I'm set now. We'll see how it goes.

I'm not familiar with that app... I've used LastPass and BitWarden... IIRC, the database resides in their cloud, you install the app, log in from whatever device and the database is synched to the device. Then you authenticate on that device and the database is decrypted for use locally. The cloud version remains encrypted and you hold the only key. Or something like that.

No?

[Guerrero]

I'm not familiar with that app... I've used LastPass and BitWarden... IIRC, the database resides in their cloud, you install the app, log in from whatever device and the database is synched to the device. Then you authenticate on that device and the database is decrypted for use locally. The cloud version remains encrypted and you hold the only key. Or something like that.

No?

I used KeePassXC on my Windows machine(s) to create an encrypted database. I then uploaded it to my ProtonDrive, and the "manually" synced it across my other devices. This way the database is always(-ish) under my control; i.e. I don't have to rely on someone else's cloud (much). I also didn't need to make any additional accounts or pay any additional money.

[Sig_Fiend]

KeePass is a locally-hosted, encrypted, password manager. The value prop there is not having a cloud-based password manager that could be hacked. An attacker would need access to your machine or device. Even then, if you have a password on your KeePass database, it's encrypted and they'd have to crack your password before they could access the login/password files in the database.

The other nice thing about KeePass is, there are variants available for mobile devices. You can also keep copies of the database anywhere; encrypted USB stick, a CD, pretty much anything. Only issue with copies is dealing with trying to keep things up to date. The downside of KeePass is the added inconvenience of having to manually copy login info from the program into login forms on sites and apps you use. I highly recommend accepting that inconvenience, as it benefits you with significantly improved security. Cloud-based solutions like Lastpass or 1Password generally seem "okay", but anything cloud-based is always going to be high-risk for exploitation. When it comes to digital security, pretty much anything that adds convenience is a vulnerability.

[Erik]

Those of you using protonmail, would you still recommend it? I am looking at it because, if I understand the services offered correctly, it will:

• allow me to sync across multiple devices (I use two laptops and a phone);
• give me a secure email that I can transition to over time;
• aggregate and allow me to send and receive from my gmail and local carrier accounts;
• give me a decent calendar app; and
• give me a reasonably user-friendly interface for all of that.

If it can do all that for me and sync with and run well on my de-googled phone, I will be a happy camper.