
Thread: RFI: Personal information security - Apps, devices and practices

  1. #11 schüler (New Member; Join Date: Apr 2017; Location: TX)
    TL;DR - if you read nothing else, please visit thatoneprivacysite.net and look at their VPN and e-mail service comparison pages. The Excel spreadsheet link lower on the page is HIGHLY recommended. Not only is it easier to view... it lists the specific reasons for the good/bad ratings.

    -------------

    When it comes to privacy you can pay twice. You get what you pay for... and you pay the price for not researching what you pay for.

    My subjective goals: I want services that have decent compatibility and reasonable inconvenience. I am not looking for Cheyenne Mountain Complex-level protection for black hat activities. Just a good privacy plan and tools worth the learning curve and hassle. At this point I am only running Android and Windows on a daily basis.

    Here are my notes and choices.

    E-mail provider

    Best comparison of alternative/privacy e-mail providers is this e-mail comparison. Stellar.

    My choice

    ProtonMail paid account. A simple, direct user interface. One web login for all e-mail addresses. Ability to use 3rd party e-mail client and separately access each Proton e-mail address. Dedicated apps or “bridge” for Windows, MacOS, iOS and Android. Encryption keys can be retrieved. Available dual authentication for online login - requires your choice of one of several 3rd party apps running on a separate device (such as your phone) to receive a second, generated authentication code.

    Inconveniences
    1. Thunderbird, MS Outlook and Apple Mail are the only supported desktop OS e-mail clients.
    2. Desktop OS requires a background process “bridge” from Proton. Step-by-step instructions on website.
    3. Calendar sync works if you use Tbird/Outlook/Apple Mail. However there is NO external calendar support (Google Calendar, Outlook Calendar, CalDAV, WebDAV, etc.) if you only use the web interface.

    Web Browser

    Desktop computers
    Firefox for daily use convenience. While it is not ultra secure, privacy is one of the developer core considerations. Firefox is widely supported by major add-ons and extensions such as LastPass, AdBlock, etc. Open source allows quick patches from a huge community. Default settings require tweaking for best privacy.

    Epic browser is arguably the most secure mainstream option. However it completely deletes history and browsing trails on app exit. There is a limited range of add-ons and extensions but LastPass is supported. You may gain some browsing speed due to blocked data mining scripts. You will have issues with sites that require ads and data mining to display content.

    Android devices
    Firefox Android for standard use. Chrome is disabled unless I can’t view content on Firefox.

    Firefox Focus is the Android version of Epic desktop browser – except it doesn’t even store login info. Everything is erased on app exit.

    Compatibility Note

    I have found some of my work and home network-connected devices (new and legacy) require Internet Explorer, Edge or Chrome in order for me to access them directly or configure them for the first time. You can make these browsers much safer by running the Sandboxie app.

    Search engines
    Not as good as Google, but good alternatives are DuckDuckGo and Qwant.

    VPN

    The premier VPN comparison resource is this VPN chart. Excel sheet link is best. Interesting to see how the zdnet, pcmag, etc. top recommendations stack up (or don’t and why they don’t).

    Choice
    Proton VPN is OK (not great), chosen for bundled billing with my Proton e-mail. Higher rated are IVPN and Mullvad but they have similar jurisdiction notes (they are operated in Five Eyes or Fourteen Eyes territories).

    Cloud storage/backup

    SpiderOak is still my secure choice. They were one of the first to offer desktop and mobile apps for end-to-end encrypted data. There is no server-side encryption so they don't even have the encryption keys/password to hand over if court ordered. I don't use it for complete drive backup. Just online/offsite backup of personal work product, insurance inventory, legal, etc. 2GB free account.

    I still use DropBox for ease of sharing between all computer and mobile devices. However I don’t store any privacy risk material there. I refuse to use Google Drive on personal devices.

    Device encryption

    Computers
    VeraCrypt. While Bitlocker is a good, easy option I don’t have 100% faith in Microsoft.

    VeraCrypt is the newer version of TrueCrypt. However some of my computers work better with old TrueCrypt, e.g., one Win7Pro laptop took 12 minutes to boot VeraCrypt to the Windows login prompt. With TrueCrypt it takes 10 seconds to the same login. TrueCrypt was rumored to have a backdoor for FedGov but it was eventually proven not to have one. However it is no longer supported.

    Mobile devices
    For now I use native encryption. SD card storage slows down if you are copying mass large files from a computer or from the phone to inserted encrypted SD card. But otherwise zero lag for app usage.

    Inconveniences
    1. With VeraCrypt I cannot log in on a Microsoft Surface tablet without a keyboard attached. Don’t leave the keyboard at home…
    2. Noticed larger (4TB) USB 3.0 encrypted drives transfer data at 20% of the speed of their non-encrypted selves, but still fast enough for most work. *Note: there are no noticeable speed issues with encrypted system hard drives, just the USB-connected drives.
    3. Vera/TrueCrypt’d USB drives require the respective app running on the host computer. Good idea to have your encryption software on thumb drive or in a DropBox folder.

    Android phone/tablet OS

    Sad to say the alternative/secure mobile OS scene for individuals is still fractured. There is no turnkey solution and some of the best options are limited to certain phones and tablets.

    Lineage is an option but not without possibly giving up favorite apps… and learning enough to make it work and minimize security risks. Not every single Android device is supported; mostly phones and some tablets. The online Google Play store alternatives Apkpure and F-Droid do feature a lot of common apps. Even Strelok and other ballistic apps.


    eelo seems to be the best developing attempt to completely replace Google-type architecture. It is no small feat to recreate the comprehensive modular system.

    Rooting is an option and gives freedom to remove bloatware. However it requires the end user to be security savvy to help close resulting vulnerabilities.

  2. #12 schüler (New Member; Join Date: Apr 2017; Location: TX)
    Interesting article on a physical ad blocker built on a Raspberry Pi. It also touches on some unexpected devices found to be communicating:
    https://www.bloomberg.com/news/featu...le-ad-blockers

    "...Pi-hole is installed on only 140,000 networks. Unlike more popular ad-blocking browsers (Brave, which claims 2 million users) or browser extensions (Adblock Plus, 105 million), it requires a dedicated computer and some tech savvy to set up. Still, it has assumed an outsize role in the ad-blocking movement. Its 22,000 true believers on Reddit help a lot, says Drobnak, who’s spending 5 hours to 20 hours a week working on Pi-hole between computer science classes. The developers have discovered spying by internet-connected TVs (which collect data for ad targeting), lightbulbs (users have reported some LED bulbs mysteriously connecting with the manufacturer’s server every 2 seconds), and printers (including one that sent out 34 million queries in a day)..."

  3. #13
    Pretty good place to start research

    https://ssd.eff.org/en#index
    This country needs an enema- Blues approved sig line

  4. #14 RJ (Chasing the Horizon; Join Date: Jan 2014; Location: Central FL)
    Interesting thread.

    I've gotten as far as enabling SPI and MAC address filtering on my router. But then again my VCR was always blinking 00:00.

    Kidding. Good info here. Appreciate the info even though I might not be tracking all of it.

    I recently inactivated my FB account because of privacy concerns. I prefer FF as a web browser, so I'm glad it is mentioned here. We are about to dump our current sticks and bricks bank because of yet another data exposure from a former employer.

  5. #15 Site Supporter (Join Date: Aug 2014; Location: Northern Virginia)
    Quote Originally Posted by schüler View Post
    Interesting article on a physical ad blocker built on a Raspberry Pi. It also touches on some unexpected devices found to be communicating:
    https://www.bloomberg.com/news/featu...le-ad-blockers

    ...
    I use Pi-Hole at home. By doing so and monitoring what is blocked, I discovered a very stealthy bit of malware that virtually no antivirus apps detect (and fewer still can clean). I ultimately re-imaged the machine because I couldn't clean it to my satisfaction. The only IOC I had was it repeatedly connecting to an otherwise legitimate domain (one that I've visited in the past). It was connecting every 2min or so. Unfortunately, I was too lazy to do a packet capture to see what it was sending. I used Pi-Hole to block the DNS lookup and my router to drop the packets to the domain AND the IP it resolved to.

    I run Pi-Hole on a Pi Zero W.

    ETA: One downside of Pi-Hole is many link aggregators and "deal sites" like Slickdeals use domains that harvest data before sending you to your destination. Pi-Hole blocks most of these, making those sites mostly broken.

    Chris
    Last edited by mtnbkr; 05-27-2018 at 08:34 AM.
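The beaconing the post above describes (a host resolving the same otherwise-legitimate domain every couple of minutes) can be surfaced from Pi-hole's own query log without a packet capture, by looking for near-constant query intervals rather than for a blocklisted name. The following is an added example, not code from the post or from the Pi-hole project. It assumes the dnsmasq-style line format Pi-hole writes to pihole.log (`query[A] domain from client`) and works on a constructed log excerpt embedded in the block, so it runs offline; the domain, client addresses and timestamps in that excerpt are made up.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line shape of Pi-hole's pihole.log (dnsmasq syslog format):
#   "May 27 08:00:00 dnsmasq[1234]: query[A] example.com from 192.168.1.20"
# Non-query lines (forwarded / reply / cached) do not match and are skipped.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

# Constructed sample log: one client resolves a "legitimate" CDN name every
# ~120 s (the beacon), mixed with irregular browsing lookups and other lines.
SAMPLE_LOG = [
    "May 27 08:00:00 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:00:00 dnsmasq[1234]: forwarded cdn.example-legit.net to 9.9.9.9",
    "May 27 08:00:05 dnsmasq[1234]: query[A] news.example.org from 192.168.1.20",
    "May 27 08:02:01 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:03:59 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:06:02 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:07:40 dnsmasq[1234]: query[AAAA] news.example.org from 192.168.1.20",
    "May 27 08:08:00 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:09:58 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:12:03 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:14:00 dnsmasq[1234]: query[A] cdn.example-legit.net from 192.168.1.20",
    "May 27 08:31:12 dnsmasq[1234]: query[A] news.example.org from 192.168.1.20",
    "May 27 08:33:50 dnsmasq[1234]: query[A] news.example.org from 192.168.1.20",
    "May 27 08:40:10 dnsmasq[1234]: query[A] update.example-vendor.com from 192.168.1.31",
    "May 27 08:59:01 dnsmasq[1234]: query[A] news.example.org from 192.168.1.20",
]


def parse_query(line, year=2018):
    """Return (timestamp, domain, client) for a query line, else None.

    syslog lines carry no year, so the caller supplies it (assumed 2018 here).
    """
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["domain"].lower(), m["client"]


def find_beacons(lines, min_queries=5, max_jitter=0.2):
    """Flag (client, domain) pairs that are queried at a near-constant interval.

    jitter = stddev(gap) / mean(gap). Human browsing is wildly irregular
    (jitter well above the threshold); a sleep-loop implant is tight (near 0).
    """
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_query(line)
        if rec is not None:
            ts, domain, client = rec
            stamps[(client, domain)].append(ts)

    hits = []
    for (client, domain), times in stamps.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({
                "client": client,
                "domain": domain,
                "count": len(times),
                "period_s": round(mean),
                "jitter": round(jitter, 3),
            })
    hits.sort(key=lambda h: h["jitter"])  # tightest periodicity first
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['domain']}: {hit['count']} queries, "
              f"~{hit['period_s']}s apart (jitter {hit['jitter']})")
```

Point it at a real log with `find_beacons(open("/var/log/pihole.log"))`. A tight period on its own is a triage lead, not proof: NTP, mail clients and update checkers poll on schedules too, so the next step is what the post did, check the destination and then block the name at Pi-hole and the resolved address at the router.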

  6. #16
    Quote Originally Posted by schüler View Post
    TL;DR - if you read nothing else, please visit thatoneprivacysite.net and look at their VPN and e-mail service comparison pages. The Excel spreadsheet link lower on the page is HIGHLY recommended. Not only is it easier to view... it lists the specific reasons for the good/bad ratings.
    ...
    Wow. This is great.

    We've hardened our privacy, but not as much as that, so far. We've pretty much moved away from email and over to text messaging. I can't think of anything more secure than Signal Private Messenger; we use that for issues dealing with money, health, or other topics we consider private, but unless you install Signal Desktop (still evaluating it), it's limited to keying on mobile phones. Apple Messages by keyboard gets the rest among my family of Apple users. We use Private Internet Access, desktop and phones, using Tunnelblick OpenVPN open source VPN tunnels, even with its limitations, as all we hope to avoid is ISP data-mining. Passwords have all changed to pass phrases, using six- or seven-word Diceware keys. Pass phrases are all kept in KeePassXC, an open source password manager, and backed up regularly to hard drives, half of which are kept at home in the gun safe and the other half in a bank safety deposit box, and swapped regularly. I can see I need to up my game.
    Last edited by Jaywalker; 05-27-2018 at 06:26 PM.
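On the Diceware pass phrases mentioned in the post above: the strength comes entirely from how the words are chosen, not from the words themselves, so the dice (or a CSPRNG standing in for them) matter more than the list. The following is an added example, not the poster's code or anything from the Diceware or KeePassXC projects. It assumes a wordlist keyed by dice rolls like the real one, uses a constructed 36-word two-dice list so it runs stand-alone, and computes the entropy of the real five-dice, 7776-word list from its size alone.

```python
import math
import secrets

# Constructed demo list keyed by two dice (6**2 = 36 entries). The real Diceware
# list is keyed by five dice (6**5 = 7776 entries); only the size differs below.
DEMO_VOCAB = (
    "acid bale camp dock echo flag gate hawk iron jade kelp lamp "
    "mint node oven pine quay rail sand tide unit vine wolf yarn "
    "zinc apex bolt cove dune elk fern gust hill ivy jolt knot"
).split()
DEMO_WORDS = {
    f"{a}{b}": word
    for (a, b), word in zip(((a, b) for a in range(1, 7) for b in range(1, 7)), DEMO_VOCAB)
}


def roll_dice(n):
    """Roll n fair dice with the OS CSPRNG (secrets), never the random module."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def entropy_bits(list_size, n_words):
    """Entropy of n_words drawn uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits of entropy for this list."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware(wordlist, n_words, sep=" "):
    """Draw n_words by dice roll from a complete dice-keyed wordlist.

    The list must have exactly one entry per dice outcome; a missing or
    duplicated key would bias the draw, so it is rejected outright.
    """
    dice = len(next(iter(wordlist)))
    if len(wordlist) != 6 ** dice:
        raise ValueError("wordlist must have exactly one entry per dice outcome")
    return sep.join(wordlist[roll_dice(dice)] for _ in range(n_words))


if __name__ == "__main__":
    print("demo list :", diceware(DEMO_WORDS, 6))
    print("demo bits :", round(entropy_bits(len(DEMO_WORDS), 6), 1))
    print("real bits :", round(entropy_bits(7776, 6), 1), "(6 words),",
          round(entropy_bits(7776, 7), 1), "(7 words)")
    print("words for 80 bits:", words_needed(7776, 80))
```

With the real list each word is worth about 12.9 bits, so the poster's six words give roughly 77.5 bits and seven give roughly 90.5; the 36-word demo list above is only 5.2 bits per word and exists so the block runs without the full file.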

  7. #17 schüler (New Member; Join Date: Apr 2017; Location: TX)
    This made me laugh - this is the NoScript content list for an REI webpage:

    [attached image: rei-ads.jpg, 61.4 KB]

  8. #18 schüler (New Member; Join Date: Apr 2017; Location: TX)
    TL;DR Android "package disabler" apps allow you to kill persistent software and bloatware. When used in conjunction with a firewall app* they seem to be the best combo option for most normal smartphones: you retain normal phone security and updates and preserve normal app/store convenience... all without the hassle and risk (for newbs like me) of rooting a phone.

    I was recommended an Android package disabler (PD) app to target nuisance bloatware apps I could not seem to control. The phones in question cannot be rooted directly**. I found the PD app to be very useful in limiting unnecessary and unwanted outgoing server connections from my phone.

    In a nutshell: The PD app is given Admin privileges and provides a way to pick and choose which apps are allowed to run. This is different from my firewall - which simply offers a way to block outgoing communication. The PD keeps the app or process from running in the first place.

    Before using the package disabler app I had already chosen "disable" for all unneeded apps in Android. However some elements of these apps were still frequently attempting to communicate with outside servers. Some apps did not have a disable switch in Android. I could see the comm attempts blocked in my firewall log.

    The app is relatively new, not widely used so trustworthiness is unknown. I still run the NetGuard no-root firewall to block the PD app from communicating to the outside if it ever tries. To date there are no comm attempts logged by the firewall.

    I was stoked to be able to finally disable bloatware Amazon Shopping, Flipboard and other OEM carrier apps. I was aggressive in the initial application and had to tweak it a bit to get Waze and Google Maps working again.

    PDP blocking also significantly reduced the load on my NetGuard no-root firewall.

    I've only used the apps with this logo and built for Samsung and LG devices but there are other apps in the Play store:

    [attached image: pdp.PNG, 35.7 KB]

    *Be careful with firewall apps. My original attempt to use one on the AT&T network ended up with me running over 15GB in 4 days. AT&T was somehow calculating all blocked traffic as double traffic or worse. Looking at the firewall logs it looked like apps not able to connect were making multiple, serial attempts to connect. I had to remove the firewall. When I moved to Cricket I found the firewall app worked without a hitch. Have not been able to test the Verizon MVNO yet.

    **PDP is working well on a locked Samsung Note 5 and a locked LG Stylo 3. The Samsung is an AT&T OEM phone and not able to be rooted without attempting to revert updates and OS first and then try a workaround root solution. The LG cannot be unlocked for a while per carrier agreement. PDP thus far is a big win on both phones.
    Last edited by schüler; 06-01-2018 at 05:26 PM.

  9. #19 Chance (Smoke Bomb / Ninja Vanish; Join Date: Nov 2011)
    Quote Originally Posted by overton View Post
    Listen to the "complete privacy & security podcast" and knock yourself out.
    I've listened to six episodes of this at the moment, and I've got to say, I like it overall and will recommend it to anyone interested in the topic.

    They go off the deep end periodically, which isn't to say that they're wrong, just that some of what they recommend could end up creating as many problems as it solves. They're pretty transparent about that though, and will include "user beware" notices whenever appropriate.

    Their detailed technical understanding is a scooch off every once in a while, but that's me being a computer science pedant. I've yet to hear a technical misunderstanding invalidate their recommendation.

    I've picked up two of their (ugh... printed edition) books, and I'm learning a lot about practical OSINT and privacy techniques. Very cool. I appreciate @overton pointing this out, and I think anyone interested in this topic would like this material.
    "Sapiens dicit: 'Ignoscere divinum est, sed noli pretium plenum pro pizza sero allata solvere.'" - Michelangelo

  10. #20
    Quote Originally Posted by Chance View Post
    I've listened to six episodes of this at the moment, and I've got to say, I like it overall and will recommend it to anyone interested in the topic.

    ...
    Thanks, I've downloaded a bunch to listen to in the car. I used to be really big on security, but have definitely been lax lately...
