Win11 VM (encrypted + MAC spoofed and IPv6 disabled), Windows itself is debloated and running a local account with all telemetry off (using O&O ShutUp)
Browser: Brave (WebRTC routed through Mullvad) + Mullvad Browser
VPN: Mullvad, lockdown mode, kill switch, DAITA WireGuard, quantum res, and auto connect
Host OS:
Windows debloated and telemetry disabled
Emails:
Pissmail, CTemplar
Passwords:
KeePass
Numbers:
SMSPool
Hi
Sorry, I just wanna ask a question before actually offering suggestions: do you have a threat model?
PS: hope I’m not sounding rude by asking just like that, but you offered a list of steps without even specifying what the issue/goal is.
Eh, my threat model is just wanting to have as much opsec as possible. For hypothetical purposes let's just say a highly intelligent / top-tier OSINTer / investigator.
Your email service choice is questionable to say the least.
What would you recommend?
Proton or Tuta.
Proton forked over information to Swedish feds, no?
No.
Proton is a Swiss company, not Swedish, and they are only allowed to comply with Swiss law enforcement.
Also breaking news, companies have to comply with the law. This should not surprise anyone, and you shouldn’t expect a company to go to prison for you just because you pay them 5 bucks a month.
Fair, anything else I can improve besides email?
I would use KeePassXC over KeePass.
You can also configure using a Mullvad SOCKS5 proxy for your browsers as an extra layer of leak protection beyond lockdown mode.
Alrighty, I'm assuming KeePassXC has a note feature like the normal KeePass does.
UI seems to be the major difference. KeePassXC also supports passkeys, which KeePass doesn’t (if I’m not mistaken).
And if using macOS, Strongbox is a better client for KeePass but some features are paid. Well worth it, but paid.
I personally wouldn’t trust Strongbox after they lied about being open-source but that’s for you to decide. Should be aware of it before making a decision though:
TIL.
Thanks!
Since your threat model only concerns itself with third-party adversaries utilising publicly available resources through OSINT to obtain sensitive information, I would argue that the mentioned tools are not relevant. Given the difference between your stated threat model and your applied countermeasures, I would recommend revisiting your threat model.
Regarding the mentioned threat model, the relevant threat category on Privacy Guides is Public Exposure. See Account Deletion in the knowledge base; Data Removal Services, Email Aliasing and Payment Masking under providers; Data and Metadata Redaction under software. Generally be wary of what you say and share. Tiny details add up to a detailed profile, and especially images can unknowingly contain a lot of details in their contents. Of course, security is required for privacy, so basic security such as best practices for passwords is still recommended.
A very brief summary is to not share data in the first place, and to delete/reduce/pollute with false info/limit visibility and accessibility/redact unnecessary (meta-)data/disconnect it from your identity, for data you do share.
More advanced adversaries require defenses against deanonymisation. But this is getting complex, so you’ll need to do the research yourself. Similarly, you should figure out what threats apply to you. There are threat modeling, OPSEC, and OSINT methodologies you can apply to yourself or from the perspective of an adversary.
Regarding your tool choices, did you read the main site? Most of it is extensively covered…
It seems more and more the tools are 10% of the solution; the main problem is people not being able to shut up about personal info. Or stupid slip-ups, i.e. dread pirates rob, LulzSec owner, etc.