Am I crazy to feel paranoid using closed-source software?

Hello PG community. I have been running Linux for a little bit now, and privacy brings me into this massive rabbit hole very quickly. I have set up a proper threat model.

Over the course of the past couple months now I have been switching away from closed-source software and services. This made me start developing a paranoia against running anything or using anything closed-source on my laptop and phone. Software like Minecraft, which I don’t trust, I much prefer to run in a flatpak. I even get paranoid whether flatpak is good enough for sandboxing and run a separate linux install for gaming (on the same system) because of how invasive this software is. At least to my threat model. This paranoia also strengthened when I started using GOS.

Am I going a bit too overboard? This does certainly impact convenience to a major degree, which I don’t really enjoy, but at the same time, I still don’t like running closed-source software.

I totally understand where you’re coming from with this, but I also think it’s important to not let privacy and source availability interfere with your daily life too much - if you want the very best privacy in the world it’s generally just better to move into the mountains.

I think context is important here. Not all closed-source software is malicious. For instance, I am a huge fan of Obsidian, and while I don’t quite understand why they don’t open source their code, I do trust the company and developers behind it, especially considering it’s local-first. On the other hand, I do feel that your operating systems should always be open source. The operating system is where everything takes place, including all of the traffic that enters and leaves your device, and it’s really important to be able to have that openness and clarity when it comes to something as foundational as an operating system.

The rest is contextual - but if something is starting to eat away at your mental health, it’s usually best to find a balance of convenience, security, and privacy, rather than leaning hard into extremes.

5 Likes

I don’t know where you are in your privacy journey but these sound like symptoms of one who is relatively new.

I think you are indeed going overboard but more in the attitude toward thinking in such a manner than necessarily your behavior. What I am more questioning is where this paranoia is even coming from and is it even warranted thinking about it logically, rationally, and pragmatically. Objectively think about it and evaluate this for yourself as much as possible.

All that said, what you’ve described should not be labeled as paranoia but only that you’re taking steps to better your digital life as much as possible to the extent you can manage. In other words, becoming more privacy conscious and making different choices that are better for your life going forward.

But this is where I think you’re going overboard specifically. One of the points of privacy and security is to find the balance between this and convenience for what you can manage that meets your threat model. If your threat model really warrants all this, then to even think about convenience is illogical because your threat model, privacy, and security are paramount, not convenience.

So ask yourself those questions again and formulate a more balanced and a rational plan for you that doesn’t necessarily make you go this hard and deep just for the sake of it and make your life more difficult than it should be.

To answer your titular question however: not all closed sourced software is bad. If you have enough trust and faith in the tool and the developers, then it’s totally okay using it. You should consider project type, history, software fixes, and reputation before making up your mind on any software.

Those are my views. Feel free to ask follow up questions.

And welcome to the forum!

5 Likes

For what it’s worth, it is possible to play Minecraft offline without having to sign in to Microsoft: https://github.com/antunnitraj/Prism-Launcher-PolyMC-Offline-Bypass?tab=readme-ov-file

Closed source? I avoid it as much as possible, even if it’s open source. Free software as much as possible! c:<

Can you elaborate on this? I am interpreting this in a few different ways.

1 Like

Open source is not free software. I try to use licenses such as BSD and GPL as much as possible. For example, I never use AnyType, but I use Notesnook GPL.

1 Like

The question or the concern from OP’s post is with closed sourced software - not whether it is free and open source necessarily.

Not sure why you prefer it this way particularly but alright.

But thanks for clarifying.

1 Like

What kind of Microsoft stuff are you using from Flatpak? And yes, Flatpak’s isolation is a bit flimsy. You can install software you trust from there and play around with some permissions, which is useful, but if it’s untrustworthy, and especially if it’s closed source and potentially malicious software, it’s easy for it to escape.

For the most part it is fine.

There are security researchers out there wanting to make a name for themselves, looking for the next big exposé, looking to unmask the evils of the closed sourced Big Tech. There are also security teams looking to plug holes in their closed source product, trying their best not to be involved in the next said exposé.

The reality is, closed source is as much a part of life as is open source. While you may have done a good job of insulating yourself with as much open source as possible, the parts adjacent to you will always use some form of closed source. Signal servers are closed source, or at least not widely accessible to the general public. The computer terminal that just received your personal data in the airport when you checked in is also closed source. The hundreds of CCTVs that you passed by yesterday - it’s all closed source unsurprisingly. But the thing is, the bad guys (be it the government, malicious state actors, criminal cybergangs or that petty hacker that you just offended with a post) are also surrounded by the same closed source software adjacent to them.

It just is what it is. Make peace with it. Adapt if change is unlikely. Don’t stress out on the things beyond your immediate control.

3 Likes

Not the answer, but here’s some advice for when you feel a little paranoid.

I think that privacy guides should really add some disclaimers about privacy and mental health.

Sometimes I see certain responses and posts (maybe not your case) that make me think, “This person is living? Or this person is living for privacy?”

5 Likes

Can you clarify your threat model?

Some software is possible to run fully offline. GrapheneOS for example allows you to cut the internet connection for a specific app. It does not really matter what the app can collect if it is unable to send it somewhere.

You can also do network analysis of software to see what kind of data an app actually is sending away. Some people also publish network analysis, for example the German journalist/blogger Mike Kuketz.

Honestly I think that once you have begun to learn how to give yourself a reasonable amount of privacy, it’s normal for the insane level of data collection by most software (and the fact that so much of it is hidden from the user) to feel…insane.

I allow myself certain conveniences/experiences that can’t be had with open source software by doing just what you have been doing: compartmentalization. I have a private space on my GrapheneOS device with all the closed source apps that I could want/need. I don’t need to use it very much but it is nice to have if I’m driving and stuck in traffic and CoMaps isn’t cutting it or I need an Uber or I need to deposit a check to my bank account. I have a linux gaming computer that is only used for gaming and has Steam and Minecraft installed. This works for me because I prefer to do everything else on a thin and light laptop. I feel I haven’t lost much convenience this way. I’m also lucky to have people around me who respect my wishes enough to at least use Signal to communicate with me.

Privacy is a process, and as others have said, your mental health should take priority. If it feels like too much right now or you are becoming isolated, allow yourself to use the proprietary software that is important to you. Consider simply using flatpaks that are not installed system-wide (using the --user flag) in a separate Linux user account rather than an entirely different OS install for gaming, for example (if you haven’t tried Prism Launcher for Minecraft, you should - it’s excellent). I have this setup on my laptop for when I’m traveling. With your phone, I highly recommend using a private space for your proprietary software if you’re not already using it. It’s very convenient and very well isolated from the rest of the phone.

Remember that losing some privacy is still far, far better than having no privacy at all. It may take time, and you may go back and forth more than a few times, but you will find a balance that works for you.

4 Likes

I think it’s a bit overwhelming to know how much corporations & the govt collect your data. I’d suggest maybe apply threat modeling for what you’re using the app for, not just your overall threat model. For example, you probably don’t need to game over Tor. But sandboxing or a vm/emulator might help.

1 Like

To add to what everyone else has said, have you looked for open source alternatives for software? There is a MC clone called Luanti that is open source (I can’t vouch for it myself, as I’ve never used it, but it looks pretty close to MC). After threat modeling and accepting that closed source is all around us (as others have said), finding those alternatives could be a good next step.

I think it’s a reasoned approach to only run closed source software in a sandboxed environment.
If you can’t control the internals of a software, you should at least control the externals like which files or services are accessed.
Flatpak combined with Flatseal is a great solution to accomplish this.
As you mentioned Minecraft: there are actually open source clients for Minecraft on Flathub.

The Microsoft account is not the problem, the problem is that closed source software is a blackbox which should only run in a sandbox.

What do you mean by closed source that is open source?
Sounds like a contradiction in terms.

Closed Source software is much much harder to audit independently than open source software.

The OPEN SOURCE Signal client uses E2EE to ensure that a malicious server can’t read the messages.
If you are worried about metadata, then host your own Matrix server and send messages over it.

Random public things that are closed source are a very bad argument to run closed source software on our own devices.

I would recommend this video to you as a starting point on why open source is important:

1 Like
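
Added example, not part of any post in this thread: a small Python auditor for the Flatpak permission keyfile (the format printed by `flatpak info --show-permissions <app-id>` and edited through Flatseal), flagging the grants tied to the concerns raised here, namely broad file access and microphone capture. The sample metadata and the app ID `org.example.Game` are constructed for illustration.

```python
import configparser

# Filesystem grants that expose large parts of the user's data.
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}

# Other [Context] grants worth reviewing for an untrusted, closed-source app.
RISKY = {
    "sockets": {"pulseaudio": "audio socket, covers playback and microphone capture"},
    "devices": {"all": "all device nodes, including webcams and input devices"},
    "shared": {"network": "unrestricted network access"},
}


def parse_list(value):
    """Flatpak keyfile lists are ';'-separated with a trailing ';'."""
    return [item for item in value.split(";") if item]


def audit_permissions(metadata_text):
    """Return human-readable findings for a Flatpak metadata/override keyfile."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(metadata_text)
    if not parser.has_section("Context"):
        return []
    ctx = parser["Context"]
    findings = []
    for entry in parse_list(ctx.get("filesystems", "")):
        if entry.startswith("!"):  # '!' marks a grant revoked by an override
            continue
        path, _, mode = entry.partition(":")
        if path in BROAD_FILESYSTEMS:
            access = "read-only" if mode == "ro" else "read-write"
            findings.append(f"filesystems: {path} ({access} access to a broad location)")
    for key, risky in RISKY.items():
        for entry in parse_list(ctx.get(key, "")):
            if entry in risky:
                findings.append(f"{key}: {entry} ({risky[entry]})")
    return findings


# Constructed sample, shaped like `flatpak info --show-permissions` output.
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=dri;
filesystems=home:ro;xdg-download;!host;
"""

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_METADATA):
        print(finding)
```

A flagged grant can be revoked for the current user with, for example, `flatpak override --user --nofilesystem=home <app-id>`, or through Flatseal's toggles.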

Thank you all for the kind words.

Thank you!

I have been on my personal privacy journey for almost 2 years. This paranoia I have been having just started hitting me quite recently because of a change of things in my life.

I generally assume most closed software is bad. Most of my experiences with it have always been bad. Windows for the longest time I used, and I did not enjoy it. Photoshop is another one I have used in the past. Adobe and Microsoft are companies I really don’t trust. In my threat model, I try to avoid the software if I can. Sometimes this does impact me however mentally.

Well. I am really just trying to protect myself from surveillance from Big Tech. I am not concerned about any governments coming after me or anything like that. I feel paranoid when I run software such as Minecraft on my system just because it is from Microsoft. I much prefer to use closed source software from smaller teams of people and not big corporations.

This is not something I feel paranoid about. It is the software running on my own systems that I am concerned about. My paranoia comes to this because I am afraid of such a software scanning my file system for example. Or capturing audio from my mic. This is what gives me paranoia. I prefer things to be compartmentalized from one another. I run closed source software on my phone such as my banking app, because I feel that GOS has the necessary protections in place to silo it. Linux doesn’t really offer that. The main application for me at this point is Minecraft. I enjoy playing it with my friends, but I don’t enjoy running it in general. I am always afraid that Microsoft could be messing with something on my system.

True very much true.

I might consider that thank you.

Does this ever feel inconvenient for you? I feel like I have been taking compartmentalization a bit too far.

I haven’t really considered that! Thank you.

2 Likes

It used to, back when I had a million browsers/browser profiles and android profiles for different things, and like you a separate desktop OS install for gaming. I was even playing around with VMs for a while. I gradually simplified things because I decided that the privacy benefit I was getting was likely tiny relative to the amount of effort and time I was spending, so I made my compartments larger and in some cases the walls between them lower. The setup process can still feel a bit inconvenient, but once it’s in use, I don’t really find it inconvenient at all.

I just use a different device and have it outside the network. I play games too, the vast majority of them is closed source. While I think some companies are better than others, some companies cannot help themselves and touch everything on the computer with kernel level anticheat (Valorant).

Sometimes a game is completely owned by a foreign parent company that I wonder if the parent company have instructed to put malware in the games to poke around your computer. Epic Games has been caught doing this, looking around at your Steam files. I wonder too if Path of Exile 2, a game I am currently playing, does this as the game is completely owned by its parent company Tencent, but I am less worried because it is outside of my main network behind a firewall.


Audits are only as good as the version the software is audited. After the software audit you are technically back to the unknown territory. You want ongoing audits, maybe yearly, but the vast majority of open source doesn’t do yearly audits, if any at all.

You do use closed source software in your devices as the firmware in your GrapheneOS isn’t open at all. The cellular modem in them has closed source blobs and yet we are not as puritan about it because we need it for our phone to actually work.

Your computers have several SOC components in them that are self contained that also run their own proprietary blobs.

Also Richard Stallman is a bit of an extreme. You want to go his direction, but not all the way 100%. Stallman does not live normally like a normal human being. He doesn’t have a phone and he doesn’t use anything that he deems has proprietary blobs. Normal people do not live like that.

It’s not paranoia when you know they’re listening. :wink: But seriously, you should just worry less and isolate more. Run games on Windows. Run your private life on Linux. Run your journalist life on Qubes. Run your NSA whistleblower life on Tails. Airgap your diary laptop.

Isolation is so much easier than having to micromanage every package or program of your distro.

1 Like