From: Aniket Patil
Date: Sat, 7 Nov 2020 06:45:54 +0530
Subject: Re: Guidance required, Using guix or GNU/Linux, for secrecy, privacy.
To: Gary Johnson
In-Reply-To: <87zh3u5nzp.fsf@disroot.org>
Cc: help-guix@gnu.org

Thank you very much Gary. This is very helpful.

On Sat, 7 Nov 2020 at 12:09 AM, Gary Johnson wrote:

> Aniket Patil writes:
>
> > I don't know whether this mailing list is appropriate to talk about this
> > subject or not, but I am going forward, please don't get me wrong.
>
> Hi Aniket,
>
> While computer security and data privacy are topics that I imagine a
> number of Guix users are interested in, I imagine the full breadth of
> this conversation may be beyond the scope of the help-guix mailing list.
> However, insofar as Guix may be able to alleviate some of your concerns,
> I would think that's something that folks here could help you with.
>
> > I have been following Richard M. Stallman, Eric S. Raymond, Aaron Swartz
> > for a long time. I know how to use and secure myself pretty much I would
> > say.
> > But I don't feel secure and have that reliance on the internet while
> > using it. So I got X200 librebooted it, still using some proprietary wifi
> > card, hence non-free distro like arch is my main OS.
>
> Okay, stop right there. You can buy an inexpensive, fully
> libre-compliant USB wifi card from ThinkPenguin. Here's the link:
>
> https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb
>
> Plug it into your X200, and you should hopefully be all set to install a
> fully free OS like GNU Guix, which uses the linux-libre kernel and
> therefore contains no proprietary firmware or binary blobs.
>
> > I want to get rid of this Google thing, I do have protonmail account,
> > but I don't think that is reliable either.
>
> Google mines your data for profit. If this bothers you, don't use their
> services. Perform a web search for "degoogle" and get to it.
>
> Protonmail has well-documented security practices. However, their email
> servers don't allow access over IMAP or POP3, which means you have to
> use their Javascript-based webmail interface. If you want to access your
> email locally, you have to install their proprietary protonmail-bridge
> application. There is no Guix package for this as its code is not free
> software.
>
> There are better free software and privacy-respecting alternatives for
> email hosting, such as disroot.org and riseup.net. Or you can install
> and administrate your own email server using Guix!
>
> > Recently, I read zimouns vlog
> >
> > " right, Google is evil, but the storage and the search features are really
> > useful. So, I am thinking to switch to notmuch,
> > but not enough time to configure it, yet. "
> >
> > So, is notmuch reliable?
>
> For a good free software solution on Guix that gives you control of your
> data, I would recommend pairing offlineimap (which stores a local copy
> of all your IMAP-accessible emails on your machine in case you lose
> access to your email server or decide to bulk migrate your emails to a
> new email server) with a local mail indexer like mu or notmuch. I'm
> personally a big fan of mu and its Emacs interface mu4e. Of course,
> everyone has their favorite email client, so go with whatever makes you
> happiest when reading your mail.
>
> > I get paranoid after reading RMS, or Snowden. I think a lot about my
> > privacy and others as well. Hence I am asking this, and participating in
> > GNU projects and Free Software Projects. So coming to the point.
> >
> > How to or which email client shall I use or email service?
>
> I provided my suggestion above, but Guix comes with a wide variety of
> free software CLI, TUI, and GUI email clients. Pick your favorite and
> have fun.
>
> In terms of email security, there are a few simple rules to follow when
> setting yourself up:
>
> 1. Always connect to your email servers (IMAP, POP, SMTP) with SSL/TLS
>    encryption enabled. This will ensure that no one between you and your
>    email server can read your messages.
>
> 2. Whenever possible (and particularly with any sensitive content), it
>    is good practice to encrypt your emails with GPG. This ensures that
>    anyone administrating your email server can't read your emails while
>    they are sitting in your remote folders. Unfortunately, in order to
>    do this, you have to encrypt each such message with the GPG key of
>    the person(s) you are sending it to. That means you have to invest
>    some effort in collecting other people's GPG keys, and often in
>    educating them about the purpose of email security as well.
>    The FSF provides a nice introduction to this here:
>    https://emailselfdefense.fsf.org
>
> > Recently I was browsing on TOR but I guess even TOR exposes my IP address
> > on the internet. So shall I use it with a VPN? If So Which VPN? I know
> > about WireGuard but it has a GPL2 license, not GPL3.
>
> TOR routes your network requests through a randomized series of
> intermediate servers, which can make it somewhere between very hard and
> impossible for your true IP address to be identified by the server you
> are connecting to. The first TOR node that you connect through will know
> your IP address, of course.
>
> Guix provides the tor, tor-client, and torsocks packages.
>
> Connecting to a VPN allows you to make network connections to remote
> servers using an IP address originating from the VPN rather than from
> your personal computer. You can think of VPNs as being similar to TOR
> with just one intermediate node.
>
> Guix provides the openvpn package and service definitions for this.
>
> > What else can I do to secure myself?
>
> Just installing a fully free OS like GNU Guix is probably the most
> impactful thing you can do to take control of your computing.
>
> Using local file encryption with GPG (or even encrypting your entire
> hard drive) are tools you can use if you are concerned about hackers
> getting direct access to your computer.
>
> Using SSL/TLS + TOR/VPN to encrypt and anonymize your network
> connections should go a long way towards preserving your privacy while
> online.
>
> Beyond these steps, the main thing to watch out for is running untrusted
> files you downloaded from the internet.
>
> If you download a large file (such as an executable, ISO image, or zip
> file), verify the file hash (e.g., md5sum, sha*sum) and/or GPG signature
> if they are provided by the remote server.
>
> When you are reading emails, always use a plaintext-only email client to
> reduce your risk from phishing attacks via spoofed links, mail tracking
> via inline images, and a variety of security exploits that are made
> possible by using a web browser engine within your email client to
> render HTML emails. See https://useplaintext.email/ for more info.
>
> When browsing the web, use a privacy respecting search engine like
> DuckDuckGo or Searx, use HTTPS whenever possible (try the HTTPS
> Everywhere plugin for Icecat), and either disable Javascript or run with
> the LibreJS browser plugin enabled. Guix provides the icecat browser
> with these features enabled by default. Alternatively, feel free to
> browse the web using a Javascript-free, text-mode web browser like lynx,
> links, w3m (or emacs-w3m), or eww (the Emacs Web Wowser, which has an
> awesome Readable mode that strips many sites down to their content with
> a single key press). Fewer websites will work as normal in these modes,
> but using them can teach you a great deal about which sites are doing
> more to protect user freedom and security and which aren't.
>
> Another awesome project that I participate in is Gemini. This community
> has been working for just over one year now to create an alternative
> web-like space running over the new Gemini protocol that is:
>
> - Encrypted: TLS is mandatory
>
> - Private: no tracking information other than your IP address is ever
>   sent to a server, and no cookies exist within the protocol
>
> - Authenticated: user logins and sessions are created using user-managed
>   TLS client certificates rather than traditional user/password systems
>   + cookies
>
> - Predictable: one request = one document returned, and no pages trigger
>   unpredictable multi-file download cascades as in HTML (i.e., for CSS,
>   JS, fonts, images, etc.) which can lead to slow page loads and open
>   you up to numerous privacy-violating tracking and analytics software
>   packages.
>
> - Fully Libre-compliant: The Gemini protocol and its associated text
>   markup format (text/gemini, a.k.a. "gemtext") are simple enough that
>   any moderately talented programmer should be able to write their own
>   client or server with a few days of work. (I wrote a full-featured
>   Gemini server in just 200 lines of Clojure that supports both file
>   sharing and arbitrary CGI-style applications.) The simplicity of this
>   protocol and markup format ensure that users can remain in total
>   control of their computing without being forced to use one of a half
>   dozen corporate created web browsers that employ enough programmers to
>   implement enough of the specs for HTTP, HTML, CSS, JS, EME, etc. to
>   actually render most websites correctly.
>
> Guix currently provides the Gemini server, gmnisrv, and the Gemini
> clients, bombadillo and emacs-elpher.
>
> Keep on hacking in the Free world,
> Gary
>
> P.S. My apologies to any Guix mailing list members who felt this
> conversation was off topic. I did my best to loop each conversation
> point back to the relevant Guix packages or services that could
> fulfill the OP's needs.
>
> --
> GPG Key ID: 7BC158ED
> Use `gpg --search-keys lambdatronic' to find me
> Protect yourself from surveillance: https://emailselfdefense.fsf.org
> =======================================================================
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
> Why is HTML email a security nightmare? See https://useplaintext.email/
>
> Please avoid sending me MS-Office attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
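
The hash check recommended in the quoted message for downloaded files can be scripted so that it fails closed when the file is missing from the published list. This is an added example, not part of the original thread; it assumes GNU coreutils `sha256sum`, and the function name `verify_download`, the file names and the file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed SHA-256 check of a download.
# Assumes GNU coreutils sha256sum; all file names and contents are constructed.

# verify_download FILE SUMS
# SUMS uses sha256sum's format: 64 hex digits, two separator chars, file name.
# Returns 0 only when FILE's name is listed in SUMS and its digest matches.
verify_download() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || { echo "missing input" >&2; return 2; }
    name=$(basename -- "$file")
    # Published digest for this exact name; the name starts at column 67.
    want=$(NAME=$name awk 'substr($0, 67) == ENVIRON["NAME"] {
               print tolower(substr($0, 1, 64)); exit }' "$sums")
    # No entry means nothing was verified, so treat it as a failure.
    [ -n "$want" ] || { echo "no checksum listed for $name" >&2; return 3; }
    have=$(sha256sum -- "$file" | cut -c1-64)
    if [ "$have" = "$want" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $want, got $have)" >&2
    return 1
}

# Constructed demo: a stand-in "ISO", the checksum list a mirror would
# publish for it, the same file after one appended byte, and an unlisted file.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed image contents\n' > "$dir/guix demo.iso"
    (cd "$dir" && sha256sum -- "guix demo.iso" > SHA256SUMS)
    good=0; verify_download "$dir/guix demo.iso" "$dir/SHA256SUMS" || good=$?
    printf 'x' >> "$dir/guix demo.iso"
    bad=0; verify_download "$dir/guix demo.iso" "$dir/SHA256SUMS" 2>/dev/null || bad=$?
    : > "$dir/unlisted.iso"
    none=0; verify_download "$dir/unlisted.iso" "$dir/SHA256SUMS" 2>/dev/null || none=$?
    rm -rf -- "$dir"
    echo "intact=$good tampered=$bad unlisted=$none"
}

demo
```

A checksum list fetched from the same server as the file only detects corruption in transit or on disk; checking the GPG signature on that list, where one is published, is what ties the digest to the publisher.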