----------------------------------------
Data Security Ratings
August 10th, 2018
----------------------------------------

Christina has been posting about data security [0][1] with some engagement from others [2].

(TXT) [0] Christina - Infosec And Data Privacy Part 1
(TXT) [1] Christina - Infosec And Data Privacy Part 2
(TXT) [2] Solderpunk - Data Security Ratings

It's very interesting stuff which started on Mastodon and continued in gopherspace. It's worth a read. I had one last thought I wanted to share based on an exchange on IRC.

Some people have brought up threat levels and planning your security for the type of danger you really face, not ridiculous levels of paranoia. We're not all Snowden, after all. That being said, I wanted to share my email system so you can see what happens when you go off the deep end with no real reason.

First of all, I use Neomailbox for my mail provider. They're pretty great, in a country with better data privacy laws than the US, and have solid privacy policies and encryption measures in place to protect their users. They offer a unique feature that I've not found in other providers: they will auto-sign incoming mail with your public key if you request it. While mail that wasn't encrypted at the source may still be vulnerable in transmission, after it hits their servers its safety just took a major step up.

Next, I only connect to Neomailbox over a VPN & Tor. Outgoing mail relayed through their servers wipes metadata anyway, but it's just another stupid thing to do in protecting the connection itself.

How do I connect? Good old POP3, baby. I don't leave anything on the server. Mail is fetched locally and the system auto-disconnects from the internet. When browsing messages I remain offline. I reply and queue up my outgoing mail. When ready to send, browsing shuts down and the machine reconnects safely to send it on its way.
The local maildir is backed up over SpiderOak, encrypting the mailboxes of already encrypted messages offsite to another machine in case of calamity.

That's it! Fun, right?

I want to reiterate, this is completely unnecessary for my threat level and it was done more as a hobby project to see how far I could push it. Airgapping, redundant encryption, it's too much for people to bother with. It's a great illustration of why other people give up and just settle for whatever.

If you're new to infosec, do yourself a favor and get a ProtonMail account. That's about as good as you're going to do without putting in a bunch of work. Is it as good as what Snowden does? Oh hells no. But you're not on the run from the US government, are you? It'll keep Google off your back, and you're less likely to fall victim to simple scams.