cross-posted from: https://hexbear.net/post/2646239

Many of you may or may not wonder what software to use. People may provide walls of text as a response, but you may just want something to reference without having to look into how the software works. I hope this can be that reference for all of you and anybody else who stumbles upon it. This is up for discussion and change, but I hope this can be a good baseline, as I myself have been making the changes to FOSS for a long time now, and it would be a good idea to have a recommended software/services page on Hexbear.

(The [*] marks the better option)

Workstations:

  • OS: Linux, I recommend Fedora with GNOME (for a new, but efficient and simple feel) or KDE (similar to Windows with more customization), but I know some people like Mint for new users. Install as much software as possible as Flatpaks.

For maximum anonymity and safety, use Tails. It runs from USB and wipes its data when removed.

  • Browser: Firefox with Arkenfox, Tor Browser (for reliable anonymity; DO NOT ADD EXTENSIONS TO TOR BROWSER)

Mull can also be a good browser option with better content blocking. It is also not Chromium, which, while avoiding the monopoly, does leave it without site isolation (a security feature), like other Firefox mobile browsers.

  • Browser Extensions: uBlock Origin (add the AdGuard URL Tracking Protection and EasyList Cookie blocklists), LibRedirect.
  • Office Suite: LibreOffice, OnlyOffice
  • Password Management: Secrets on GNOME, KeePassDX on KDE. DO NOT REUSE PASSWORDS OR IGNORE THIS STEP!!!
  • Music Downloading: Nicotine+ (Soulseek client), make sure to use a VPN
  • Music Listening: GNOME Music (GNOME), Elisa (KDE)
  • Network Permissions: Flatseal on GNOME, System Settings on KDE (search for “flatpak”).
  • BitTorrent: Fragments (GNOME), qBittorrent (KDE)

Mobile Devices:

  • Phone: Google Pixel + GrapheneOS*, DivestOS
  • Browser: Vanadium* (only on GrapheneOS), Mulch, Tor Browser* (for reliable anonymity; DO NOT ADD EXTENSIONS TO TOR BROWSER)
  • App Stores: F-Droid Basic*, Aurora Store (Google Play replacement, use as needed)
  • Password Management: KeePassDX. DO NOT REUSE PASSWORDS OR IGNORE THIS STEP!!!
  • 2-Factor Authentication: Aegis (Android, 6-digit codes), hardware keys ($$$). SMS verification is better than nothing, but avoid it if you can. DO NOT USE GOOGLE AUTHENTICATOR OR THE MICROSOFT EQUIVALENT
  • Music Streaming: Harmony Music
  • Music Listening: Auxio, Fossify Music
  • Network Permission: GrapheneOS is the only OS that has this functionality; find it in the permission settings.
  • Camera: GrapheneOS Secure Camera*, OpenCamera
  • Notes/To Do: Fossify Notes
  • Weather: Breezy Weather (F-Droid version)
  • Navigation: Organic Maps
  • Voice Recordings: Fossify Voice Recorder
  • Keyboard: HeliBoard
  • Lemmy: Jerboa
  • YouTube Front End: LibreTube, PokeTube (web app)

Proprietary Apps (Social Media, Banking, etc.) are best used as Web Apps, as privacy and security benefit from the browser sandboxing.

General:

  • Search Engine: DuckDuckGo (more consistent, proprietary), SearXNG (open-source, less consistent).
  • Chats:
    • Large Groups (Like Discord, DO NOT USE DISCORD): Jami, Matrix
    • Small Groups/Individuals: Briar* (only on Android), Signal (Struggle Session on Signal, I know there might be something wrong but at the same time Signal seems to encrypt everything)
  • Email: Proton Mail + SimpleLogin Aliasing, try to avoid email as much as possible, Chat options are more private and secure.
  • File Sharing and Syncing: Syncthing, but don’t forget that you can directly transfer files from devices with usb-c and usb-a cables.
  • File Storage: Store files locally, sync between devices with Syncthing as needed. If you really need cloud storage, use Proton Drive.
  • Password Management: Bitwarden, more convenient than KeePass, while eliminating the risk of losing the file or having to sync manually. The only downside is that data is stored on their servers if not self-hosting, meaning it’s a bit more vulnerable to data breaches.
  • VPN: Proton VPN for free (keep an account for each device, as the free tier is limited to one device); Mullvad VPN* at a premium for reduced hassle and faster speeds (5 Euros per month)
  • Social Media: Cut down on big social media as much as possible. Relocate to the fediverse, and be careful with what you post; it’s still public. Do not post too much identifiable information, do not dox yourself.
  • Front Ends: Invidious (YouTube), PokeTube (YouTube), Redlib (Reddit), and many others for a ton of different websites, all available with the LibRedirect extension. I feel like the “datura.network” instances are pretty private and reliable, with a rotating IP to bypass blocking.

I got a lot of my info from privacyguides.org, though some of this is based on my own experiences and suspicions.

If anything can be added, let me know! Love you all meow-hug

UPDATE: I’m bad at titles, so that’s up for a struggle session.

    • dead [he/him]@hexbear.net · 5 months ago (edited)

      2006 was a date from my own personal experience. However, here is a document from the National Institute of Standards and Technology (NIST), a US government agency. The document is called 800-147 BIOS Protection Guidelines, published in April 2011. I am not positive that every manufacturer follows these guidelines, but I did see that Dell and ASUS say on their website that all products comply with this document. It is at the very least an industry standard.

      https://www.nist.gov/publications/bios-protection-guidelines

      If you go to page 6 of the document, it says “Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. A malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service (if the BIOS is corrupted) or a persistent malware presence (if the BIOS is implanted with malware).”

      The document then recommends the following guidelines for computer manufacturers to secure the BIOS, which as I mentioned in my previous post, prevents the installation of bios files which do not match the manufacturer’s digital signature.

      Security guidelines are specified for four system BIOS features:
      • The authenticated BIOS update mechanism, where digital signatures prevent the installation of BIOS update images that are not authentic.
      • An optional secure local update mechanism, where physical presence authorizes installation of BIOS update images.
      • Integrity protection features, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.
      • Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the authenticated update mechanism.

      So yes, I am claiming that it is impossible to flash a third-party BIOS without an external programmer on most computers. Considering this was the industry standard in 2011, many computers had this protection before 2011, and even more protections have been added since then.
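As an added illustration of the “authenticated BIOS update mechanism” in the NIST guidelines quoted above (example code written for this page, not from the NIST document or any vendor’s firmware), this Go model has the device hold only the vendor’s public key and refuse to write any image whose Ed25519 signature does not verify over the whole payload. The key pairs, image contents, and the `Device`/`FirmwareImage` names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage: a BIOS update package, payload plus detached signature (constructed).
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// Device models the 800-147 authenticated update mechanism: it holds only the
// vendor's public key; Flash is a simulated firmware region (constructed).
type Device struct {
	VendorPub ed25519.PublicKey
	Flash     []byte
}

var ErrNotAuthentic = errors.New("update rejected: signature does not verify against the vendor key")

// Apply is the only path that writes Flash. Because the signature covers the
// whole payload, a modified image or one signed with a non-vendor key is rejected.
func (d *Device) Apply(img FirmwareImage) error {
	if len(img.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(d.VendorPub, img.Payload, img.Signature) {
		return ErrNotAuthentic
	}
	d.Flash = append([]byte(nil), img.Payload...)
	return nil
}

// SignImage is the manufacturer-side step; the private key never reaches the device.
func SignImage(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a non-vendor key
	dev := &Device{VendorPub: vendorPub, Flash: []byte("BIOS v1 (constructed)")}
	genuine := SignImage(vendorPriv, []byte("BIOS v2 (constructed)"))
	fmt.Println("vendor-signed:", dev.Apply(genuine))
	genuine.Payload = []byte("BIOS v2 (constructed), one byte changed") // old signature no longer covers it
	fmt.Println("tampered:     ", dev.Apply(genuine))
	fmt.Println("non-vendor:   ", dev.Apply(SignImage(otherPriv, []byte("third-party BIOS"))))
}
```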

      • your argument wasn’t that it was impossible on most computers (I’ve already agreed that it’s only possible on certain devices released after the point where BIOS flashing protection became widespread), it was that

        it has not been possible to overwrite a bios chip without an external programmer since like 2006

        and even if you update that to 2011, it’s entirely possible to do on certain systems manufactured after that date using exploits

        • dead [he/him]@hexbear.net · 5 months ago

          your argument wasn’t that it was impossible on most computers

          No. This is not at all what I have been speaking about. In my original post I said that most computers have hardware backdoors and that IME is one example. You said that IME can be neutered. I have been describing to you why that is impractical. I also said that we don’t know if the ME neuter is even safe. I have been speaking in terms of practicality. My post from the very start describes how difficult it is to use me_cleaner. I mentioned that it was something that I have actually done myself using an external flasher. I spoke from my own personal experience to say how impractical it would be to expect any other person to use me_cleaner. It is extremely difficult to use me_cleaner with an external flasher. It is extremely difficult or impossible in most circumstances to use me_cleaner with an internal flasher. I would be surprised if there was 1 other person on hexbear who has actually used me_cleaner. I hope you try it.

          • No. This is not at all what I have been speaking about.

            I quoted you directly claiming that it was impossible; I’m not sure how else to interpret “it has not been possible to overwrite a bios chip without an external programmer since like 2006”

            we don’t know if the ME neuter is even safe

            no, but it’s certainly worth noting that various US three-letter agencies seem to think so, considering they told Intel to include a hidden kill switch

            I hope you try it

            I have, without using an external programmer, on a computer released after 2011