Removed by mod

Here is my setup:

Web browsing

• I try to stay in Tor, but it doesn’t work everywhere.

• For general browsing I switch up using Brave, LibreWolf, Mullvad Browser, and (semi-hardened) Firefox. Working on shortcut(script) to randomly select my browser for me. Theory: Rotating browsers because fingerprinting and mitigating currently unknown security risks.

• I wrote a program I call the Browser Condom. It’s a separate application because extensions increase fingerprinting. It’s a clear window so I can still see the browser underneath, but the mouse movements aren’t sent to the DOM because the OS thinks I’m in another application. Working on adding the ability to pass text through at random intervals to prevent both mouse and keyboard tracking. Still a WIP
• Copy and paste all text into the browser until the browser condom is finished.

• I Host a SearXNG instance and Adguard DNS... Working on improvements to my DNS, I haven’t gotten it as secured as I’d like

Desktop

• QubesOS, Kali, Tails, Debian

• “More firewalls than the devil’s bedroom.” 

• Application specific firewalls and VMs for all banking/financial needs.

• Full disk encryption

• For files that need encryption I use 2 different programs to encrypt just in case there’s a vuln in one. Files are on air-gaped machine. I also have lots of encryption programs installed onto that computer so you’d have to try lots of programs to find the right combo.

Servers (too much to list but here’s some random stuff)

• SearXNG

• AdguardDNS

• NextCloud

• Calibre

• pfSense, OPNSense, combine with Software Firewalls

• Intrusion prevention and detection

• Proxmox

• Kali – Custom web scraping, pen testing, misc scripts running.

• Nginx

• A Reverse Proxy

• Traefik, tinyproxy, and HAProxy

• AWS, Linode, Some dark web services

Mobile

• LineageOS + GraphineOS + Kali NetHunter + Android (multiple phones + Sims)

• No GApps

• For my daily carry I have VPN on work profile and TOR on main profile

• I use InviZible Pro for main profile for  Tor + DNSCRYPT + Firewall So I can selectively block apps from the internet and route everything else through tor or VPN depending on the profile.

• Faraday bag

• Privacy screen protector

• Developer mode enable so I can disable mic and other phone sensors

• Headphones both with and without microphone

• Opened phones and removed: cameras, some mics to eliminate triangulation, and fingerprint sensors. 

• Change number, provider, and phone every year.

Messenger

• Signal

• Telegram

Online accounts

• Bitwarden for passwords but all emails are incorrect so if it’s compromised they still can’t login. I use their cloud sync service because with how many time I brick my machines/servers, I don’t trust my backups. I have physically lost 3 different backup external HDDs in the last 2 years. 

• Have to go to email forwarding services to get login email address. 

• Yubikey

** Video streaming**

• Invidious

• NewPipe

• GrayJay

• Torrents

AI

• GPT4All on air-gaped computer.

**Social Media **

• Lemmy  - always rotating accounts, post both what I believe and what I don't

Email

• ProtonMail + Addy.io + SimpleLogin.io + IronVest + DoNotPay

Shopping/Finance

• Gift cards

• Pay friends to purchase.

• IronVest (used to also have Privacy.com, when they worked they were great)

• Cash

• P.O. Box with a name as the 'business name'.

Music streaming

• Nope. Downloaded files or nothing.

Programming

• VSCodium (VSCode with Microsoft telemetry stripped)

• Personal Git server

Misc • I don’t have a smart watch

• I don’t have a smart car

• I don’t have a TV

• Reflectacles for glasses

• Custom Firmware on multiple routers so I can have networks that route through VPN/Tor/AdGuard/etc… depending on the needs for my device at the time

• I physically remove webcams from all devices and use USB webcam if needed.

• I don’t use Docker, I build my servers up from scratch. Takes a lot longer with many more headaches, but I learn so so much more. Also Docker is so easy it’s just boring. 

• Tinfoil hat wasn’t good enough, melted down pop cans and forged my own just in case tinfoil comes with spyware preinstalled. 

I feel like I’m missing a bunch of stuff and I probably am, but that’s all I’m going to include or I’d probably have to self-publish as a novel.-

Very nice read, I look forward to posts with detailed explanations of realistic privacy setups!

With that said, here we go:

1. TOR has been compromised. It likely doesn’t matter if you’re not doing anything that nations would be interested in, but something to keep in mind.
2. True nerds/privacy hobbyists always have multiple browsers for different use-cases. Bravo! I need to take a look at Mullvad myself, I really don’t like Brave anymore.
3. Do you host your SearXNG instance? It should not be very hard to do on the cloud.
4. Which DNS resolver? I’m assuming this is upstream to your Adguard setup, which means the latter acts as the recursive resolver in your setup, if I understand correctly.
5. Didn’t hear about SecureBlue before this, good distro in theory. Thanks.
6. Ever thought of getting a 10-year old Thinkpad yet to get rid of that pesky BIOS? \s
7. Do you have DoT and DNSSEC set up for your “private” DNS? Also, is this something like Quad9?
8. With the combination of flight mode and a Faraday bag along with not having a SIM, I’m assuming that people don’t reach you using traditional means (calling). How do you stay in contact with others?
9. Define “locking down” of public accounts.
10. I have been thinking of AI for a bit, and you can get a P40 with 24GB VRAM for about $100-$150 on Ebay. Put that in an old computer and fight with licensing for a bit (Craft Computing has a good video on getting VFIO working on Nvidia cards by tricking the software) and you’ll have a great setup for AI.
11. I’d stop with the subscriptions and start sailing the high seas, personally, but I understand if the sentiment does not sit well with people here. Piracy simply gives you more control and privacy. Look at LocalMonero to try and get monero without leaving a trace (directly converting fiat to XMR and exchanging for gift cards online after churning).
12. You must be using an old TV, but if you really need to purchase a new TV at some point (and it’s very likely to be “smart”), you can simply disconnect the WiFi antenna from the back of the device. If you’re really good at embedded systems, you could find the flash chip that holds the BIOS/OS of the TV and remove it (and edit the boot sequence) or flash it with something else. This is true for everyone who has a smart TV.
13. Holy shit this guy programs games to play them what a chad.
14. Please switch to Codeberg, Gitlab is annoying.
15. How do you coordinate local time with other people if your clocks are set to UTC?

That was a lot. Thanks for reading!

Do bitwarden and KeePassX share the database or do you have it separated for some reason? Why don’t you use something keepassx compatible on the phone?

Few recommendations from the top of my head, from skimming the post.

I’d recommend checking out QubesOS (https://www.qubes-os.org/), especially since it seems you switch between ToR and already use Silverblue, which is AFAIK similar, but why not go all the way in?

Also for VPN - I’ve switched Proton for Mullvad VPN, because I really like the idea they are going for - if you pair Mullvad browser, that is designed to have the same fingerprint for all users, with a VPN that’s from the same company, you can kind of expect that most of the Mullvad VPN users will also be users of Mullvad Browser. Which means you will not be one of the few Proton VPN users with Mullvad fingerprint, but will have the same fingerprint as most of other users of Mullvad VPN. This will make it harder to fingerprint you based on your browser. One word of warning, though - don’t install extensions to Mullvad. If you do, you break the “same fingerprint” premise, and the more extensions you install, the more identifiable you are. Mullvad should be used without any extensions.

Another thing I see is music streaming - I think that in general I’d recommend just getting a cheap laptop/NAS and run your own Jellyfin, and slowly start building your own music collection. You can also run Matrix server as a bonus, and bridge all your communication (including Signal, even though that may not help that much) - but it does help if you need to use some kind of service, i.e Messenger, for group or work related purposes.

My approach to music was to cancel my subscription, and then use the money I save to spend on albums on Bandcamp, so I still support the artists I want. I make sure to do that every month. Since there’s just wast amount of music to get, I use Headphones with an account on redacted.ch to fill my library, but I still make sure to buy albums I like even if I already have them downloaded. The added bonus is that you actually don’t loose any of your music, if the artist decides to pull it off the streaming service, which has aready happened to me several time.

If you want hosting your own LLM, take a look at https://refact.ai. But note that it’s not really cheap, I’ve recently upgraded my computer and decided to use my NVIDIA 1060 to run refact, and it still didn’t work well - 8Gb of GPU memory is borderline usable, and I couldn’t do the finetuning.

Thanks for the post!

Here’s some of the things I do:

• browser - Firefox w/ uBlock Origin and container tabs; I’m not worried about my ISP since it only operates in my city, so it’s unlikely they’re selling my data
• desktop/laptop - OpenSUSE Tumbleweed w/ full disk encryption, basic firewall, etc
• mobile - currently Motorola Android, will be getting a Pixel soonish to get GrapheneOS
• messenger - rarely use, but when I do, it’s just SMS w/ my wife and family; work is Slack/Teams; I’d like a replacement, but it’s hard getting people to switch
• online accounts - Bitwarden; will be self-hosting the data soon
• video streaming - NewPipe on Android, YouTube and Twitch with ad blocking on desktop
• music - mostly FM radio in my car, YouTube with ad blocking occasionally at work
• AI - hard no
• social media - lemmy
• email - Gmail (gasp!); switching to ProtonMail on my own domain soon (have an account, just haven’t gotten my contacts switched over
• shopping - occasionally Amazon (no Prime) and Newegg, mostly at Costco and the local grocery; mostly on credit card because dealing with change sucks
• TV shows - Netflix and Disney+ subscription; been using DVDs and digital backups more recently
• gaming - Steam and Heroic (for GOG and EGS)
• programming - neovim for Python, JavaScript, and Rust, VSCode at work for Typescript (our codebase is a massive mess); been using Gitlab mostly for personal stuff, on-prem Github at work
• misc - I use an Enterprise router, and have played with putting a subnet on a VPN (soon) and DMZ; I use a lot of Google Sheets, so need an alternative

So I still have a ways to go. Current priorities:

• eliminate Gmail - mostly just need to ask my family to use my new email, and set up some forwarding rules
• alternative to Google Sheets - probably LibreOffice Online with NextCloud or something; it’s going to be tricky because I use it for stock quotes (GOOGLEFINANCE() rocks) and transaction tracking (Tiller integration)
• home automation - I want an Alexa alternative for playing music; my kids have been asking a lot, and it seems willow might be good enough; if I can get that working, I’ll try automating other things too

I also want to play with mobile Linux, so I might pick up a Pinephone to mess around with. It’s not quite ready to replace Android for me, but maybe I can help get it there.

My own setup from the top of my head would be:

• Browser: Mullvad with Mullvad VPN, LibreWolf for stuff that breaks. Brave if I really have no other choice.
• Phone: Pixel with Graphene, main profile is Google-less, second profile with Sandboxed GServices for apps that don’t work without it but I need them, downloaded through fresh gmail profile. Third profile linked to my old gmail with credit card for the two apps I bought and sometimes need to use.
• Mail: I use Protonmail, with my own domain that sounds vaguely corporate. I have a catch-all address, and generate random name.surename@mycorpdomain.com addresses for each service.
• File storage: I have a NAS, that I use for most file sharing I need.
• Music: Jellyfin server with Headphones and redacted.ch account, and I also make sure to support artists every month by spending what would be my Spotify subscription price on Bandcamp albums
• Desktop: I run Nobara, too lazy to run QubesOS - plus I game a lot, so it would be infeasible. I mostly try to get stuff on GoG and back it up on my own NAS. I have a ZeroTier network set up for streaming through Sunshine/Moonlight when I need to game from a laptop.
• VPN: I use Mullvad paid for with Monero, because it plays nicely with the Mullvad Browser fingerprint.
• Home automation: I have a few basic stuff made for Home Assistant that is running on RockPI I have at home, everything local and without any cloud, mostly through ESP32s.
• Messaging: This is the one I hate the most - most of the groups I’m working with or volunteering for use Messenger, so I have a Matrix server hosted that bridges it and Discord. It’s not ideal, but better than having anything Meta on my phone.
• Payments: This one is the one I’m struggling with the most. I pay by card almost everywhere, because cash is so much effort. I’ve tried looking into crypto or prepaid cards, but it’s really hard to find anything without KYC in Europe, so I’ve given up. I’m looking for advice regarding this, but I’m afraid that aside from switching to cash I’m out of luck.
• Passwords: I just use Bitwarden with YubiKey setup, same as using YubiKey for every important MFA I can. I have two backup keys stored at home, so I don’t need to use other recovery methods that would render it useless.

Check out Yattee on the App Store for a YouTube front end utilizing Invidious and Newpipe instances. Can even self host those if you want

What is hardened iOS?

What is the logic beging UTC clocks (assuming you aren’t in a UTC time zone)? Less fingerprinting?

I stream from ethical services for some movies

What are these ethical movie streaming sources?

Is there an easy way to blur/censor my house without giving up my soul?

Have you tried this process? https://mashable.com/article/how-to-blur-your-house-on-google-street-view

Nice setup! I think I’ll maybe make one of my own!

I have a few questions, though:

• How did you set up your firewall? What did you use and what rules do you have in place?
• How did you harden iOS? I have read up and implemented a number of basic settings to reduce tracking, and NextDNS blocks the rest, but I wouldn’t consider my current iPhone “hardened”, per se.

If you’re reading this and on ios, go do the safety check.

It whips ass and makes a lot of stuff easier to understand.

Tip, FreeTube is fine, but as you say, certain difficults with some Videos. Because of this, I have specified SMplayer (MPlayer engine) as an external player in FreeTube, this way, if a video does not work in FreeTube, just click on the small rectangle at the bottom left of the thumbnail, so that the Video opens in SMplayer, which practically works always.

If you visit YouTube directly, there is a simple trick to convert the Video into embedded, that is, the video is opened as such in a tab, without going through the YT page. This also avoids a lot of trackers and ads, as well as unnecessary loads (thumbnails, comments, suggestions and other crap).

Simply edit the URL

https://www.youtube.com/watch?v=xxxxxxxx

to

https://www.youtube.com/embed/xxxxxxxx

“My BIOS is password locked but proprietary (due to compatibility issues).”

“I use full disk encryption, multiple disks, and a second layer of encryption for specific important files (NSA style)”

I recommend switching to Libreboot, I’ve recently helped add support for the Dell Optiplex 9020 MT, and will soon add support for the Dell Precision T1700 MT. Libreboot allows for full disk encryption, including the automatically encrypting the /boot partition during installation of an OS. I use RAID 0 with 3 disks (LUKS and LVM) on my desktop, with my /boot unencrypted stored on a SD card so I can easily toss it whenever.

For gaming, I’ve had success using Proxmox to play games like GTA V and Rainbow Six Siege through a VM, even passing through NVIDIA drivers (though I plan to switch to AMD). Although, currently the Haswell boards (9020MT and T1700MT) can’t use IOMMU correctly so I recommend using the T1650 for passing through your games to a VM. Beware though, the T1650 board can’t be freed entirely in the BIOS I believe.

Also, updating your CPU microcode can help avoid potential performance issues. If you’re concerned about security, consider GPG signing your kernel with Libreboot GRUB for an additional layer of verification at boot.