• 49 Posts
  • 673 Comments
Joined 2 years ago
Cake day: June 17th, 2023


  • I use Librewolf and TBB. Both have NoScript enabled and JS turned off by default. I never turn on JS on TBB obviously, and for the few sites that I frequent on Librewolf, I tweaked it by hand. It’s not that hard.

    I will look to also use Mullvad browser alongside Librewolf maybe, not sure which one of them is more private since Mullvad browser comes straight from the TOR project and has their security settings.



  • Very nice read, I look forward to posts with detailed explanations of realistic privacy setups!

    With that said, here we go:

    1. TOR has been compromised. It likely doesn’t matter if you’re not doing anything that nations would be interested in, but something to keep in mind.
    2. True nerds/privacy hobbyists always have multiple browsers for different use-cases. Bravo! I need to take a look at Mullvad myself, I really don’t like Brave anymore.
    3. Do you host your SearXNG instance? It should not be very hard to do on the cloud.
    4. Which DNS resolver? I’m assuming this is upstream to your Adguard setup, which means the latter acts as the recursive resolver in your setup, if I understand correctly.
    5. Didn’t hear about SecureBlue before this, good distro in theory. Thanks.
    6. Ever thought of getting a 10-year-old ThinkPad yet to get rid of that pesky BIOS? \s
    7. Do you have DoT and DNSSEC set up for your “private” DNS? Also, is this something like Quad9?
    8. With the combination of flight mode and a Faraday bag along with not having a SIM, I’m assuming that people don’t reach you using traditional means (calling). How do you stay in contact with others?
    9. Define “locking down” of public accounts.
    10. I have been thinking of AI for a bit, and you can get a P40 with 24GB VRAM for about $100-$150 on eBay. Put that in an old computer and fight with licensing for a bit (Craft Computing has a good video on getting VFIO working on Nvidia cards by tricking the software) and you’ll have a great setup for AI.
    11. I’d stop with the subscriptions and start sailing the high seas, personally, but I understand if the sentiment does not sit well with people here. Piracy simply gives you more control and privacy. Look at LocalMonero to try and get Monero without leaving a trace (directly converting fiat to XMR and exchanging for gift cards online after churning).
    12. You must be using an old TV, but if you really need to purchase a new TV at some point (and it’s very likely to be “smart”), you can simply disconnect the WiFi antenna from the back of the device. If you’re really good at embedded systems, you could find the flash chip that holds the BIOS/OS of the TV and remove it (and edit the boot sequence) or flash it with something else. This is true for everyone who has a smart TV.
    13. Holy shit, this guy programs games to play them, what a chad.
    14. Please switch to Codeberg, Gitlab is annoying.
    15. How do you coordinate local time with other people if your clocks are set to UTC?

    That was a lot. Thanks for reading!


  • Would you have to compromise on your security according to your threat model if you ran VMs rather than dedicated devices? I’m no security engineer and I don’t know if KVM/QEMU can fit everyone’s needs, but AWS uses XCP-ng, and unless they’re using a custom version of it, all changes are pushed upstream. I’d definitely trust AWS’ underlying virtualisation layer for my VMs, but I wonder if I should go with XCP or KVM or bhyve.

    This is my personal opinion, but podman’s networking seems less difficult to understand than Docker’s. Docker was a pain the first time I was reading about the networking in it.

    Really like your setup. Do you have any plans to make it more private/secure?



  • You seem to have a great setup. Since this comment touches on slightly advanced topics, I’ll ask this here:

    1. What use do you have for a WAF?
    2. How did you get your Android clients to trust your certificate? Do you use an MDM? Did you root your devices to access the trusted root store?
    3. Segmenting stuff with VLANs, subnetting and ACLs is a great idea, but do you also make sure that the firmware of the device is somewhat robust? Although I suppose you don’t have to worry about it if Sophos sends out regular updates, however I hate the idea of my switches and routers having to connect to the Internet, pass along credentials and the sort to be able to get updates.

    Your measures seem to be focused more on security than privacy, which is great! It’s my fault for not specifying it in the post, but I’d definitely like to know if you have done anything specific to keep your network private as well as secure.

    Thanks for your wonderful comment, saved!