help-guix

Re: Guidance required, Using guix or GNU/Linux, for secrecy, privacy.


From: Aniket Patil
Subject: Re: Guidance required, Using guix or GNU/Linux, for secrecy, privacy.
Date: Sat, 7 Nov 2020 06:45:54 +0530

Thank you very much Gary. This is very helpful.

On Sat, 7 Nov 2020 at 12:09 AM, Gary Johnson <lambdatronic@disroot.org>
wrote:

> Aniket Patil <aniket112.patil@gmail.com> writes:
>
> > I don't know whether this mailing list is appropriate to talk about
> > this subject or not, but I am going forward, please don't get me wrong.
>
> Hi Aniket,
>
>   While computer security and data privacy are topics that I imagine a
> number of Guix users are interested in, I imagine the full breadth of
> this conversation may be beyond the scope of the help-guix mailing list.
> However, insofar as Guix may be able to alleviate some of your concerns,
> I would think that's something that folks here could help you with.
>
> > I have been following Richard M. Stallman, Eric S. Raymond, Aaron Swartz
> > for a long time. I know how to use and secure myself pretty much I would
> > say. But I don't feel secure and have that reliance on the internet while
> > using it. So I got X200 librebooted it, still using some proprietary wifi
> > card, hence non-free distro like arch is my main OS.
>
> Okay, stop right there. You can buy an inexpensive, fully
> libre-compliant USB wifi card from ThinkPenguin. Here's the link:
>
>
> https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb
>
> Plug it into your X200, and you should hopefully be all set to install a
> fully free OS like GNU Guix, which uses the linux-libre kernel and
> therefore contains no proprietary firmware or binary blobs.
>
> > I want to get rid of this Google thing, I do have protonmail account,
> > but I don't think that is reliable either.
>
> Google mines your data for profit. If this bothers you, don't use their
> services. Perform a web search for "degoogle" and get to it.
>
> Protonmail has well-documented security practices. However, their email
> servers don't allow access over IMAP or POP3, which means you have to
> use their Javascript-based webmail interface. If you want to access your
> email locally, you have to install their proprietary protonmail-bridge
> application. There is no Guix package for this as its code is not free
> software.
>
> There are better free software and privacy-respecting alternatives for
> email hosting, such as disroot.org and riseup.net. Or you can install
> and administrate your own email server using Guix!
>
> > Recently, I read zimoun's vlog
> >
> > " right, Google is evil, but the storage and the search features are
> > really useful. So, I am thinking to switch to notmuch
> > <https://notmuchmail.org/>, but not enough time to configure it, yet. "
> >
> > So, is notmuch reliable?
>
> For a good free software solution on Guix that gives you control of your
> data, I would recommend pairing offlineimap (which stores a local copy
> of all your IMAP-accessible emails on your machine in case you lose
> access to your email server or decide to bulk migrate your emails to a
> new email server) with a local mail indexer like mu or notmuch. I'm
> personally a big fan of mu and its Emacs interface mu4e. Of course,
> everyone has their favorite email client, so go with whatever makes you
> happiest when reading your mail.
>
> > I get paranoid after reading RMS, or Snowden. I think a lot about my
> > privacy and others as well. Hence I am asking this, and participating in
> > GNU projects and Free Software Projects. So coming to the point.
> >
> > How to or which email client shall I use or email service?
>
> I provided my suggestion above, but Guix comes with a wide variety of
> free software CLI, TUI, and GUI email clients. Pick your favorite and
> have fun.
>
> In terms of email security, there are a few simple rules to follow when
> setting yourself up:
>
> 1. Always connect to your email servers (IMAP, POP, SMTP) with SSL/TLS
>    encryption enabled. This will ensure that no one between you and your
>    email server can read your messages.
>
> 2. Whenever possible (and particularly with any sensitive content), it
>    is good practice to encrypt your emails with GPG. This ensures that
>    anyone administrating your email server can't read your emails while
>    they are sitting in your remote folders. Unfortunately, in order to
>    do this, you have to encrypt each such message with the GPG key of
>    the person(s) you are sending it to. That means you have to invest
>    some effort in collecting other people's GPG keys, and often in
>    educating them about the purpose of email security as well. The FSF
>    provides a nice introduction to this here:
>    https://emailselfdefense.fsf.org
>
> > Recently I was browsing on TOR but I guess even TOR exposes my IP address
> > on the internet. So shall I use it with a VPN? If So Which VPN? I know
> > about WireGuard but it has a GPL2 license, not GPL3.
>
> TOR routes your network requests through a randomized series of
> intermediate servers, which can make it somewhere between very hard and
> impossible for your true IP address to be identified by the server you
> are connecting to. The first TOR node that you connect through will know
> your IP address, of course.
>
> Guix provides the tor, tor-client, and torsocks packages.
>
> Connecting to a VPN allows you to make network connections to remote
> servers using an IP address originating from the VPN rather than from
> your personal computer. You can think of VPNs as being similar to TOR
> with just one intermediate node.
>
> Guix provides the openvpn package and service definitions for this.
>
> > What else can I do to secure myself?
>
> Just installing a fully free OS like GNU Guix is probably the most
> impactful thing you can do to take control of your computing.
>
> Using local file encryption with GPG (or even encrypting your entire
> hard drive) are tools you can use if you are concerned about hackers
> getting direct access to your computer.
>
> Using SSL/TLS + TOR/VPN to encrypt and anonymize your network
> connections should go a long way towards preserving your privacy while
> online.
>
> Beyond these steps, the main thing to watch out for is running untrusted
> files you downloaded from the internet.
>
> If you download a large file (such as an executable, ISO image, or zip
> file), verify the file hash (e.g., md5sum, sha*sum) and/or GPG signature
> if they are provided by the remote server.
>
> When you are reading emails, always use a plaintext-only email client to
> reduce your risk from phishing attacks via spoofed links, mail tracking
> via inline images, and a variety of security exploits that are made
> possible by using a web browser engine within your email client to
> render HTML emails. See https://useplaintext.email/ for more info.
>
> When browsing the web, use a privacy respecting search engine like
> DuckDuckGo or Searx, use HTTPS whenever possible (try the HTTPS
> Everywhere plugin for Icecat), and either disable Javascript or run with
> the LibreJS browser plugin enabled. Guix provides the icecat browser
> with these features enabled by default. Alternatively, feel free to
> browse the web using a Javascript-free, text-mode web browser like lynx,
> links, w3m (or emacs-w3m), or eww (the Emacs Web Wowser, which has an
> awesome Readable mode that strips many sites down to their content with
> a single key press). Fewer websites will work as normal in these modes,
> but using them can teach you a great deal about which sites are doing more to
> protect user freedom and security and which aren't.
>
> Another awesome project that I participate in is Gemini. This community
> has been working for just over one year now to create an alternative
> web-like space running over the new Gemini protocol that is:
>
> - Encrypted: TLS is mandatory
>
> - Private: no tracking information other than your IP address is ever
>   sent to a server, and no cookies exist within the protocol
>
> - Authenticated: user logins and sessions are created using user-managed
>   TLS client certificates rather than traditional user/password systems
>   + cookies
>
> - Predictable: one request = one document returned, and no pages trigger
>   unpredictable multi-file download cascades as in HTML (i.e., for CSS,
>   JS, fonts, images, etc.) which can lead to slow page loads and open
>   you up to numerous privacy-violating tracking and analytics software
>   packages.
>
> - Fully Libre-compliant: The Gemini protocol and its associated text
>   markup format (text/gemini, a.k.a. "gemtext") are simple enough that
>   any moderately talented programmer should be able to write their own
>   client or server with a few days of work. (I wrote a full-featured
>   Gemini server in just 200 lines of Clojure that supports both file
>   sharing and arbitrary CGI-style applications.) The simplicity of this
>   protocol and markup format ensures that users can remain in total
>   control of their computing without being forced to use one of a half
>   dozen corporate created web browsers that employ enough programmers to
>   implement enough of the specs for HTTP, HTML, CSS, JS, EME, etc. to
>   actually render most websites correctly.
>
> Guix currently provides the Gemini server, gmnisrv, and the Gemini
> clients, bombadillo and emacs-elpher.
>
> Keep on hacking in the Free world,
>   Gary
>
> P.S. My apologies to any Guix mailing list members who felt this
>      conversation was off topic. I did my best to loop each conversation
>      point back to the relevant Guix packages or services that could
>      fulfill the OP's needs.
>
> --
> GPG Key ID: 7BC158ED
> Use `gpg --search-keys lambdatronic' to find me
> Protect yourself from surveillance: https://emailselfdefense.fsf.org
> =======================================================================
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
> Why is HTML email a security nightmare? See https://useplaintext.email/
>
> Please avoid sending me MS-Office attachments.
> See http://www.gnu.org/philosophy/no-word-attachments.html
>
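
The "one request = one document" exchange over mandatory TLS that Gary's message describes for Gemini, sketched as an added Python example; it is not part of the original thread and is not code from Gary's server or from any Guix package. The function names are hypothetical, the port (1965), the 1024-byte URL limit and the `<status> <meta>` header layout are taken from the Gemini specification, and the fingerprint pinning (trust on first use) is the usual Gemini client convention rather than something stated in the message.

```python
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

def build_request(url: str) -> bytes:
    """A Gemini request is the absolute URL plus CRLF: no headers, no cookies."""
    parts = urlsplit(url)
    if parts.scheme != "gemini" or not parts.hostname:
        raise ValueError("not an absolute gemini:// URL")
    raw = url.encode("utf-8")
    if len(raw) > 1024:  # spec limit on the request URL
        raise ValueError("URL longer than 1024 bytes")
    return raw + b"\r\n"

def parse_response(data: bytes):
    """Split '<2-digit status> <meta>CRLF<body>' into (status, meta, body)."""
    header, sep, body = data.partition(b"\r\n")
    if not sep or not header[:2].isdigit() or header[2:3] != b" ":
        raise ValueError("malformed Gemini response header")
    status, meta = int(header[:2]), header[3:].decode("utf-8")
    # Only 2x (success) responses carry a document; discard anything else.
    return status, meta, (body if status // 10 == 2 else b"")

def fetch(url: str, pinned_sha256=None, timeout: float = 10.0):
    """One TLS connection, one request, one document.

    Self-signed certificates are normal on Gemini, so the CA check is
    replaced by a pinned SHA-256 fingerprint. On first contact pass None
    and store the returned fingerprint for later calls.
    """
    request = build_request(url)
    parts = urlsplit(url)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False       # identity comes from the pin below,
    ctx.verify_mode = ssl.CERT_NONE  # not from a certificate authority
    with socket.create_connection((parts.hostname, parts.port or 1965), timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
            seen = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
            if pinned_sha256 is not None and seen != pinned_sha256:
                raise ssl.SSLError("server certificate does not match the pin")
            tls.sendall(request)
            chunks = []
            while chunk := tls.recv(4096):  # the server closes after one document
                chunks.append(chunk)
    return seen, parse_response(b"".join(chunks))

# Constructed sample response (not captured from a real server).
SAMPLE = b"20 text/gemini; charset=utf-8\r\n# Constructed capsule page\n"
```
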

