From: Gary Johnson
To: Aniket Patil
Cc: help-guix@gnu.org
Subject: Re: Guidance required, Using guix or GNU/Linux, for secrecy, privacy.
Date: Fri, 06 Nov 2020 13:39:06 -0500
Message-ID: <87zh3u5nzp.fsf@disroot.org>

Aniket Patil writes:

> I don't know whether this mailing list is appropriate to talk about this
> subject or not, but I am going forward, please don't get me wrong.
Hi Aniket,

While computer security and data privacy are topics that I imagine a number of Guix users are interested in, I imagine the full breadth of this conversation may be beyond the scope of the help-guix mailing list. However, insofar as Guix may be able to alleviate some of your concerns, I would think that's something that folks here could help you with.

> I have been following Richard M. Stallman, Eric S. Raymond, Aaron Swartz
> for a long time. I know how to use and secure myself pretty much, I would
> say. But I don't feel secure and have that reliance on the internet while
> using it. So I got an X200 and librebooted it, still using some proprietary
> wifi card, hence a non-free distro like Arch is my main OS.

Okay, stop right there. You can buy an inexpensive, fully libre-compliant USB wifi card from ThinkPenguin. Here's the link:

https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb

Plug it into your X200, and you should hopefully be all set to install a fully free OS like GNU Guix, which uses the linux-libre kernel and therefore contains no proprietary firmware or binary blobs.

> I want to get rid of this Google thing, I do have protonmail account,
> but I don't think that is reliable either.

Google mines your data for profit. If this bothers you, don't use their services. Perform a web search for "degoogle" and get to it.

Protonmail has well-documented security practices. However, their email servers don't allow access over IMAP or POP3, which means you have to use their Javascript-based webmail interface. If you want to access your email locally, you have to install their proprietary protonmail-bridge application. There is no Guix package for this as its code is not free software.

There are better free software and privacy-respecting alternatives for email hosting, such as disroot.org and riseup.net. Or you can install and administrate your own email server using Guix!
> Recently, I read zimoun's vlog
>
> "right, Google is evil, but the storage and the search features are really
> useful. So, I am thinking to switch to notmuch, but not enough time to
> configure it, yet."
>
> So, is notmuch reliable?

For a good free software solution on Guix that gives you control of your data, I would recommend pairing offlineimap (which stores a local copy of all your IMAP-accessible emails on your machine in case you lose access to your email server or decide to bulk migrate your emails to a new email server) with a local mail indexer like mu or notmuch. I'm personally a big fan of mu and its Emacs interface mu4e. Of course, everyone has their favorite email client, so go with whatever makes you happiest when reading your mail.

> I get paranoid after reading RMS, or Snowden. I think a lot about my
> privacy and others as well. Hence I am asking this, and participating in
> GNU projects and Free Software Projects. So coming to the point.
>
> How to or which email client shall I use or email service?

I provided my suggestion above, but Guix comes with a wide variety of free software CLI, TUI, and GUI email clients. Pick your favorite and have fun.

In terms of email security, there are a few simple rules to follow when setting yourself up:

1. Always connect to your email servers (IMAP, POP, SMTP) with SSL/TLS encryption enabled. This will ensure that no one between you and your email server can read your messages.

2. Whenever possible (and particularly with any sensitive content), it is good practice to encrypt your emails with GPG. This ensures that anyone administrating your email server can't read your emails while they are sitting in your remote folders. Unfortunately, in order to do this, you have to encrypt each such message with the GPG key of the person(s) you are sending it to. That means you have to invest some effort in collecting other people's GPG keys, and often in educating them about the purpose of email security as well.
The FSF provides a nice introduction to this here: https://emailselfdefense.fsf.org

> Recently I was browsing on TOR but I guess even TOR exposes my IP address
> on the internet. So shall I use it with a VPN? If so, which VPN? I know
> about WireGuard but it has a GPL2 license, not GPL3.

TOR routes your network requests through a randomized series of intermediate servers, which can make it somewhere between very hard and impossible for your true IP address to be identified by the server you are connecting to. The first TOR node that you connect through will know your IP address, of course. Guix provides the tor, tor-client, and torsocks packages.

Connecting to a VPN allows you to make network connections to remote servers using an IP address originating from the VPN rather than from your personal computer. You can think of VPNs as being similar to TOR with just one intermediate node. Guix provides the openvpn package and service definitions for this.

> What else can I do to secure myself?

Just installing a fully free OS like GNU Guix is probably the most impactful thing you can do to take control of your computing. Using local file encryption with GPG (or even encrypting your entire hard drive) is something you can do if you are concerned about hackers getting direct access to your computer. Using SSL/TLS + TOR/VPN to encrypt and anonymize your network connections should go a long way towards preserving your privacy while online.

Beyond these steps, the main thing to watch out for is running untrusted files you downloaded from the internet. If you download a large file (such as an executable, ISO image, or zip file), verify the file hash (e.g., md5sum, sha*sum) and/or GPG signature if they are provided by the remote server.
When you are reading emails, always use a plaintext-only email client to reduce your risk from phishing attacks via spoofed links, mail tracking via inline images, and a variety of security exploits that are made possible by using a web browser engine within your email client to render HTML emails. See https://useplaintext.email/ for more info.

When browsing the web, use a privacy-respecting search engine like DuckDuckGo or Searx, use HTTPS whenever possible (try the HTTPS Everywhere plugin for Icecat), and either disable Javascript or run with the LibreJS browser plugin enabled. Guix provides the icecat browser with these features enabled by default.

Alternatively, feel free to browse the web using a Javascript-free, text-mode web browser like lynx, links, w3m (or emacs-w3m), or eww (the Emacs Web Wowser, which has an awesome Readable mode that strips many sites down to their content with a single key press). Fewer websites will work as normal in these modes, but using them can teach you a great deal about which sites are doing more to protect user freedom and security and which aren't.

Another awesome project that I participate in is Gemini. This community has been working for just over one year now to create an alternative web-like space running over the new Gemini protocol that is:

- Encrypted: TLS is mandatory

- Private: no tracking information other than your IP address is ever sent to a server, and no cookies exist within the protocol

- Authenticated: user logins and sessions are created using user-managed TLS client certificates rather than traditional user/password systems + cookies

- Predictable: one request = one document returned, and no pages trigger unpredictable multi-file download cascades as in HTML (i.e., for CSS, JS, fonts, images, etc.) which can lead to slow page loads and open you up to numerous privacy-violating tracking and analytics software packages.
- Fully Libre-compliant: The Gemini protocol and its associated text markup format (text/gemini, a.k.a. "gemtext") are simple enough that any moderately talented programmer should be able to write their own client or server with a few days of work. (I wrote a full-featured Gemini server in just 200 lines of Clojure that supports both file sharing and arbitrary CGI-style applications.) The simplicity of this protocol and markup format ensures that users can remain in total control of their computing without being forced to use one of a half dozen corporate-created web browsers that employ enough programmers to implement enough of the specs for HTTP, HTML, CSS, JS, EME, etc. to actually render most websites correctly.

Guix currently provides the Gemini server, gmnisrv, and the Gemini clients, bombadillo and emacs-elpher.

Keep on hacking in the Free world,
Gary

P.S. My apologies to any Guix mailing list members who felt this conversation was off topic. I did my best to loop each conversation point back to the relevant Guix packages or services that could fulfill the OP's needs.

--
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
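As an added example (not code from Gary's message, nor from gmnisrv, bombadillo or emacs-elpher), here is the client-side half of the "one request = one document" exchange described above: a parser for the single Gemini response header and for the `=>` link lines of a gemtext body. The two-digit status ranges and the gemtext line syntax are taken from the Gemini protocol specification rather than from the email, and the sample responses are constructed.

```python
# Added example (not from the message above, nor from gmnisrv/bombadillo/elpher):
# client-side parsing for Gemini, where one request yields one header + one document.
# Status ranges and gemtext link syntax follow the Gemini spec; samples are constructed.
import re
from typing import NamedTuple

# Response header is "<STATUS><SPACE><META><CR><LF>": two digits, META <= 1024 bytes.
HEADER_RE = re.compile(rb"\A(\d{2}) ?([^\r\n]{0,1024})\r\n")

class GeminiResponse(NamedTuple):
    status: int
    meta: str    # MIME type for 2x, redirect URL for 3x, prompt/reason otherwise
    body: bytes  # only 2x (success) responses carry a body

def parse_response(raw: bytes) -> GeminiResponse:
    """Split the single header line from the body and validate the status code."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("malformed Gemini response header")
    status = int(m.group(1))
    # 1x input, 2x success, 3x redirect, 4x/5x failure, 6x client certificate required
    if not 10 <= status <= 69:
        raise ValueError(f"status {status} is outside the defined ranges")
    body = raw[m.end():] if 20 <= status <= 29 else b""
    return GeminiResponse(status, m.group(2).decode("utf-8"), body)

def gemtext_links(body: str) -> list:
    """Return (url, label) pairs from '=>' link lines, ignoring preformatted blocks."""
    links, preformatted = [], False
    for line in body.splitlines():
        if line.startswith("`" * 3):  # toggle line: preformatted block starts or ends
            preformatted = not preformatted
            continue
        if preformatted or not line.startswith("=>"):
            continue
        parts = line[2:].strip().split(maxsplit=1)
        if parts:  # a link with no label is shown by its URL
            links.append((parts[0], parts[1] if len(parts) > 1 else parts[0]))
    return links

# Constructed sample responses, not captured from a real server.
PRE = b"`" * 3 + b"\r\n"  # a gemtext preformat toggle line
SUCCESS = (b"20 text/gemini\r\n"
           b"# Welcome\r\n"
           b"=> gemini://example.org/docs Documentation\r\n"
           + PRE + b"=> not-a-link inside preformatted text\r\n" + PRE +
           b"=> /about\r\n")
CERT_REQUIRED = b"60 Client certificate required\r\n"
```

A 6x status carries no body: it is the server asking for the user-managed TLS client certificate the message describes, which the client would present on a repeated request.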