monovergent 🛠️

  • 0 Posts
  • 3 Comments
Joined 1 year ago
Cake day: November 27th, 2023

  • Limitations

    • Debian with XFCE: I want all of my Linux machines, both older and newer, fast and slow, to be consistent, with the GUI customized to my taste. I accept that I will miss out on whatever security benefits Wayland or distros like secureblue may provide.

    • Networking: In the grand scheme of things, I know jack shit about networking. OPNsense, Pi-Hole, VPN, etc. would probably help my cause but I have yet to implement many network-based measures.

    • Corporate conveniences: There are colleagues I need to reach with WhatsApp or SMS and there is software for my job that requires Windows. I try to sequester all of this among my work devices.

    All of my frequently-used computers on Linux have “hardened Debian”:

    • hardened to the best of my ability according to Madaidan, with compromises to avoid obstructing day-to-day work
    • LUKS encryption
    • MAC randomization
    • Mullvad DNS
    • Hyper-threading disabled
    • Rootless Xorg
    • Firewall defaulting to deny
    • unattended-upgrades
    • LibreWolf
    • Passwords in KeePass

    Personal devices

    • Desktop: The usual software. Non-FOSS components are mostly gaming-related.

    • Server: Jellyfin, NAS, Local LLM / Stable Diffusion, and secondary workstation, each hosted on LAN in their own VMs. SSH password authentication disabled. Would like to set up a VPN so I can access it away from home someday.

    • Backups: weekly to server, which is pulled to an offline encrypted 8TB disk about monthly. Repeat for the off-site disk that I store in a drawer at work.

    Phone:

    • Pixel with GrapheneOS and FOSS apps only
    • Messaging primarily using Molly (Signal client)
    • Email from important work and family contacts forwarded to my inbox on PurelyMail
    • Looking to get a non-KYC eSIM once I learn how to pay in Monero
    • Mullvad DNS

    The “DMZ”

    • Tablet: Samsung Tab A7 Lite received as a gift. Installed an AOSP GSI ROM (no Google Play services or GApps), mostly used as a NewPipe and travel device.

    • Laptop: ThinkPad X230 with Coreboot and soft-disabled Intel ME. Also hardened Debian with the usual software, nearly all FOSS components with the exception of intel-microcode and the VGA option BIOS. I say it’s the DMZ since personal stuff resides here, but most of my work also ends up here. Logged in to work-related websites and email in a separate user profile for LibreWolf.

    “Work” devices (for context, work has BYOD policy and does not provide devices for us to bring home)

    • Laptop: can’t be bothered anymore to fuss with Windows VMs or debloating that go stale twice a year, so I just bring a separate lightweight ThinkPad with full-fat Windows for everything that requires it. While some proprietary software packages support Linux, I’ll also just throw the Windows versions on this laptop.

    • Backup Phone (unused for now): Samsung XCover Pro with removable battery, waiting for the day I encounter apps that demand a stock version of Android. When not in use, the battery is removed.

    • Occasional check of social media also takes place on one of these devices, though through the browser rather than an app.

    Phone:

    • Old Pixel with GrapheneOS
    • Nothing I use really needs Google Play services
    • One user profile for work apps, including proprietary 2FA and Slack
    • Another user profile for various proprietary apps that aren’t necessarily work-related, but that I’m not entirely comfortable having on my personal phone.