----------------------------------------
       Data Security Ratings
       August 10th, 2018
       ----------------------------------------
       
       Christina has been posting about data security [0][1] with some
       engagement from others [2].
       
 (TXT) [0] Christina - Infosec And Data Privacy Part 1
 (TXT) [1] Christina - Infosec And Data Privacy Part 2
 (TXT) [2] Solderpunk - Data Security Ratings
       
       It's very interesting stuff which started on Mastodon and
       continued in gopherspace. It's worth a read.
       
       I had one last thought I wanted to share based on an exchange on
       IRC. Some people have brought up threat levels and planning your
       security for the type of danger you really face, not ridiculous
       levels of paranoia. We're not all Snowden, after all. That being
       said, I wanted to share my email system so you can see what
       happens when you go off the deep end with no real reason.
       
       First of all, I use Neomailbox for my mail provider. They're
       pretty great, in a country with better data privacy laws than the
       US, and have solid privacy policies and encryption measures in
       place to protect their users. They offer a unique feature that
       I've not found in other providers: they will auto-sign incoming
       mail with your public key if you request it. While mail that
       wasn't encrypted at the source may still be vulnerable in
       transmission, after it hits their servers its safety just took
       a major step up.
       
       Next, I only connect to Neomailbox over a VPN & Tor. Outgoing mail
       relayed through their servers wipes metadata anyway, but it's just
       another stupid thing to do in protecting the connection itself.
       How do I connect? Good old POP3, baby. I don't leave anything on
       the server.
       
       Mail is fetched locally and the system auto-disconnects from the
       internet. When browsing messages I remain offline. I reply and
       queue up my outgoing mail. When ready to send, browsing shuts down
       and the machine reconnects safely to send it on its way.
       
       The local maildir is backed up over SpiderOak, encrypting the
       mailboxes of already encrypted messages offsite to another machine
       in case of calamity.
       
       That's it! Fun, right?
       
       I want to reiterate, this is completely unnecessary for my threat
       level and it was done more as a hobby project to see how far
       I could push it. Airgapping, redundant encryption, it's too much
       for people to bother with. It's a great illustration of why other
       people give up and just settle for whatever.
       
       If you're new to infosec, do yourself a favor and get a ProtonMail
       account. That's about as good as you're going to do without
       putting in a bunch of work. Is it as good as what Snowden does? Oh
       hells no. But you're not on the run from the US government, are
       you? It'll keep Google off your back, and you're less likely to
       fall victim to simple scams.