Re: Guidance required, Using guix or GNU/Linux, for secrecy, privacy.


From: Gary Johnson
Subject: Re: Guidance required, Using guix or GNU/Linux, for secrecy, privacy.
Date: Fri, 06 Nov 2020 13:39:06 -0500

Aniket Patil <aniket112.patil@gmail.com> writes:

> I don't know whether this mailing list is appropriate to talk about this
> subject or not, but I am going forward, please don't get me wrong.

Hi Aniket,

  While computer security and data privacy are topics that I imagine a
number of Guix users are interested in, I imagine the full breadth of
this conversation may be beyond the scope of the help-guix mailing list.
However, insofar as Guix may be able to alleviate some of your concerns,
I would think that's something that folks here could help you with.

> I have been following Richard M. Stallman, Eric S. Raymond, Aaron Swartz
> for a long time. I know how to use and secure myself pretty much I would
> say. But I don't feel secure and have that reliance on the internet while
> using it. So I got X200 librebooted it, still using some proprietary wifi
> card, hence non-free distro like arch is my main OS.

Okay, stop right there. You can buy an inexpensive, fully
libre-compliant USB wifi card from ThinkPenguin. Here's the link:

https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-usb-adapter-gnu-linux-tpe-n150usb

Plug it into your X200, and you should hopefully be all set to install a
fully free OS like GNU Guix, which uses the linux-libre kernel and
therefore contains no proprietary firmware or binary blobs.

> I want to get rid of this Google thing, I do have protonmail account,
> but I don't think that is reliable either.

Google mines your data for profit. If this bothers you, don't use their
services. Perform a web search for "degoogle" and get to it.

Protonmail has well-documented security practices. However, their email
servers don't allow access over IMAP or POP3, which means you have to
use their Javascript-based webmail interface. If you want to access your
email locally, you have to install their proprietary protonmail-bridge
application. There is no Guix package for this as its code is not free
software.

There are better free software and privacy-respecting alternatives for
email hosting, such as disroot.org and riseup.net. Or you can install
and administrate your own email server using Guix!

> Recently, I read zimoun's vlog
>
> " right, Google is evil, but the storage and the search features are really
> useful. So, I am thinking to switch to notmuch <https://notmuchmail.org/>,
> but not enough time to configure it, yet. "
>
> So, is notmuch reliable?

For a good free software solution on Guix that gives you control of your
data, I would recommend pairing offlineimap (which stores a local copy
of all your IMAP-accessible emails on your machine in case you lose
access to your email server or decide to bulk migrate your emails to a
new email server) with a local mail indexer like mu or notmuch. I'm
personally a big fan of mu and its Emacs interface mu4e. Of course,
everyone has their favorite email client, so go with whatever makes you
happiest when reading your mail.

> I get paranoid after reading RMS, or Snowden. I think a lot about my
> privacy and others as well. Hence I am asking this, and participating in
> GNU projects and Free Software Projects. So coming to the point.
>
> How to or which email client shall I use or email service?

I provided my suggestion above, but Guix comes with a wide variety of
free software CLI, TUI, and GUI email clients. Pick your favorite and
have fun.

In terms of email security, there are a few simple rules to follow when
setting yourself up:

1. Always connect to your email servers (IMAP, POP, SMTP) with SSL/TLS
   encryption enabled. This will ensure that no one between you and your
   email server can read your messages.

2. Whenever possible (and particularly with any sensitive content), it
   is good practice to encrypt your emails with GPG. This ensures that
   anyone administrating your email server can't read your emails while
   they are sitting in your remote folders. Unfortunately, in order to
   do this, you have to encrypt each such message with the GPG key of
   the person(s) you are sending it to. That means you have to invest
   some effort in collecting other people's GPG keys, and often in
   educating them about the purpose of email security as well. The FSF
   provides a nice introduction to this here:
   https://emailselfdefense.fsf.org

> Recently I was browsing on TOR but I guess even TOR exposes my IP address
> on the internet. So shall I use it with a VPN? If so, which VPN? I know
> about WireGuard but it has a GPL2 license, not GPL3.

TOR routes your network requests through a randomized series of
intermediate servers, which can make it somewhere between very hard and
impossible for your true IP address to be identified by the server you
are connecting to. The first TOR node that you connect through will know
your IP address, of course.

Guix provides the tor, tor-client, and torsocks packages.

Connecting to a VPN allows you to make network connections to remote
servers using an IP address originating from the VPN rather than from
your personal computer. You can think of VPNs as being similar to TOR
with just one intermediate node.

Guix provides the openvpn package and service definitions for this.

> What else can I do to secure myself?

Just installing a fully free OS like GNU Guix is probably the most
impactful thing you can do to take control of your computing.

Using local file encryption with GPG (or even encrypting your entire
hard drive) are tools you can use if you are concerned about hackers
getting direct access to your computer.

Using SSL/TLS + TOR/VPN to encrypt and anonymize your network
connections should go a long way towards preserving your privacy while
online.

Beyond these steps, the main thing to watch out for is running untrusted
files you downloaded from the internet.

If you download a large file (such as an executable, ISO image, or zip
file), verify the file hash (e.g., md5sum, sha*sum) and/or GPG signature
if they are provided by the remote server.

When you are reading emails, always use a plaintext-only email client to
reduce your risk from phishing attacks via spoofed links, mail tracking
via inline images, and a variety of security exploits that are made
possible by using a web browser engine within your email client to
render HTML emails. See https://useplaintext.email/ for more info.

When browsing the web, use a privacy respecting search engine like
DuckDuckGo or Searx, use HTTPS whenever possible (try the HTTPS
Everywhere plugin for Icecat), and either disable Javascript or run with
the LibreJS browser plugin enabled. Guix provides the icecat browser
with these features enabled by default. Alternatively, feel free to
browse the web using a Javascript-free, text-mode web browser like lynx,
links, w3m (or emacs-w3m), or eww (the Emacs Web Wowser, which has an
awesome Readable mode that strips many sites down to their content with
a single key press). Fewer websites will work as normal in these modes,
but using them can teach you a great deal about which sites are doing
more to protect user freedom and security and which aren't.

Another awesome project that I participate in is Gemini. This community
has been working for just over one year now to create an alternative
web-like space running over the new Gemini protocol that is:

- Encrypted: TLS is mandatory

- Private: no tracking information other than your IP address is ever
  sent to a server, and no cookies exist within the protocol

- Authenticated: user logins and sessions are created using user-managed
  TLS client certificates rather than traditional user/password systems
  + cookies

- Predictable: one request = one document returned, and no pages trigger
  unpredictable multi-file download cascades as in HTML (i.e., for CSS,
  JS, fonts, images, etc.) which can lead to slow page loads and open
  you up to numerous privacy-violating tracking and analytics software
  packages.

- Fully Libre-compliant: The Gemini protocol and its associated text
  markup format (text/gemini, a.k.a. "gemtext") are simple enough that
  any moderately talented programmer should be able to write their own
  client or server with a few days of work. (I wrote a full-featured
  Gemini server in just 200 lines of Clojure that supports both file
  sharing and arbitrary CGI-style applications.) The simplicity of this
  protocol and markup format ensures that users can remain in total
  control of their computing without being forced to use one of a half
  dozen corporate-created web browsers that employ enough programmers to
  implement enough of the specs for HTTP, HTML, CSS, JS, EME, etc. to
  actually render most websites correctly.

Guix currently provides the Gemini server, gmnisrv, and the Gemini
clients, bombadillo and emacs-elpher.

Keep on hacking in the Free world,
  Gary

P.S. My apologies to any Guix mailing list members who felt this
     conversation was off topic. I did my best to loop each conversation
     point back to the relevant Guix packages or services that could
     fulfill the OP's needs.

-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Why is HTML email a security nightmare? See https://useplaintext.email/

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
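Added example (not from Gary's message or any Guix tool): POSIX shell functions for the download check described in the message, comparing a file's SHA-256 against a checksum you obtained from a source you trust, plus a wrapper for a detached GPG signature check that uses a dedicated keyring directory; the function names and the sample file are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: verify a downloaded file before installing or running it.
# sha256_of FILE prints the hex digest, using GNU coreutils or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX: returns 0 only on an exact match
# (case-insensitive), and prints both digests on a mismatch.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_signature FILE SIG KEYRING_DIR: returns 0 only if gpg accepts the
# detached signature with the keys imported into KEYRING_DIR (a separate
# GNUPGHOME, so only keys you deliberately fetched are trusted here).
verify_signature() {
    GNUPGHOME=$3 gpg --batch --verify "$2" "$1"
}

# Demo on a constructed file whose SHA-256 is known in advance.
tmp=$(mktemp)
printf 'hello\n' > "$tmp"
good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_sha256 "$tmp" "$good"
printf 'hell0\n' > "$tmp"       # simulate a tampered download
verify_sha256 "$tmp" "$good" || echo "refusing to use tampered file"
rm -f "$tmp"
```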


