openmw.org

Ravenwing wrote: ↑27 Oct 2017, 04:34Anywayyyyy, this is a way to add on an extra layer of security to make it just a bit harder for someone who isn't determined to steal my stuff specifically.

So I am far from a computer security expert, but here's a few of the things I do. Others should add theirs, and critique mine as needed.

• Run Linux on all of my computers, always running the latest release with the latest security updates
• Use http://www.duckduckgo.com for search as much as possible
• Run a discrete device for my router, which runs pfSense, which is kept up to date
• I actually run a separate wireless AP for my home network, a separate device from my router. When Krack was announced, there was a firmware update already available to address the issue. I have a Unifi AP because that's what the hardware vendor for my router recommended, but you may find something better
• Run a Nexus 5X for my phone, which allows me to get bleeding edge updates directly from google. I may be replacing this with LineageOS soon to get more open source in my life, and because I am sick of some of Google's UI decisions...
• If you're in the US, here's a one stop shop for your payment privacy info: https://www.privacyrights.org/consumer- ... h-and-more It looks like this hasn't been updated since chip cards became way more common here, but still good info

I've definitely thought about getting a VPN for the same reasons as you, but haven't yet, probably for the same reasons as you. Years ago a friend of mine had a VPS that I would route my web traffic through when I was on unsecured wifi networks, and you may look into that, but it's only going to protect your traffic from your ISP, everything coming out of the VPS will be just as insecure as before.

I linked PRC above but between them ( https://www.privacyrights.org/learn ), the EFF ( https://www.eff.org/issues/privacy ), and lately DuckDuckGo ( https://spreadprivacy.com/ ) there's a lot of info available for you.

You use duckduckgo to avoid using google.com, but use a google phone and OS (android) and praise their security updates?

Never, ever, trust a mobile phone. Even IF you can guarantee that the software you are running is completely under your control (linageOS or others), the RIL is firmware not under your control.

If you're willing to pay and you trust the company behind it:
https://en.wikipedia.org/wiki/Blackphone

psi29a wrote: ↑27 Oct 2017, 09:11 You use duckduckgo to avoid using google.com, but use a google phone and OS (android) and praise their security updates?

Yep, I definitely understand the hypocrisy there. But the google updates are more for security against viruses and malware, and security updates against thinks like Krack. Definitely understand that my privacy against google is completely compromised there haha.

Yeah... you have a google account.

Again, try the blackphone, get your updates from security minded people. Not sure if that puts your mind at ease or not, but even three letter agencies prefer the blackphone over apple and google. Their reasoning is that if a phone is left behind by accident or stolen, that the data inside would stay inside or self destruct.

If you really want to make sure that nobody spies on you, first you have to ensure that each subsystem of your computing device is controlled by you. If there is a possible weakness in even one subsystem, such as the Intel Management Engine, which allows to completely undermine any userland/kernel security mechanism, your complete chain of trust is broken. You need security on all layers:

- The applications running on your operating systems
- Your operating system and device drivers
- Device firmware such a processor microcode control software
- Your devices, the logical design of the circuits in all the chips

Beginning from the ground:

You are pretty much dependent on the goodwill of Intel/AMD/IBM/ARM if you want to operate a computing device which is able to run demanding applications. It is very much possible for a chip manufacturer to hide backdoors in a chip's design, for example by storing all the data associated with hardwired cryptographic operations and transmitting them via the network interface to a web service. Even if there is no intended weakness in the design of a chip, The Intel Management Engine is very much exploitable as recently proven;
https://www.ssh.com/vulnerability/intel-amt/
Manufacturing microchips is expensive, you cannot do it by yourself without spending large amounts of money for photo-lithographic tools or contract a provider to assemble your chips. This option is most likely out of question. If you lower you expectations in terms of computational power you could however build a 16 bit computer on your own using XOR, AND, OR, NAND, NOR, ADD,... gates (In theory, you only need NAND). You would have to think about everything essential on your own: Memory management, Pipelining, Cache, Instruction Set, ... It is a enormous task but very much possible https://www.youtube.com/watch?v=0jRgpTp8pR8 to even compile Minix on top of it. You would know every component of your device and could be certain, that there is no hidden mechanics in the hardware. To run it properly, you would however need an operating system. You can either develop it from scratch or more conveniently, adapt a compiler (for example small ones like TCC or LCC) to generate code for your
computers instruction set and compile your operating system.

Still, there a a bit more convenient options to build your own chip. You could also utilize the flexibility of an FPGA. You would also design your own architecture (or use a prebuild one from https://opencores.org/) but you don't have to braze all those circuits and wires together. You would describe the chips functionality on a regular computer using either schematics or more conveniently a hardware descriptor language such as VHDL. You could use the ZET x86 implementation and try to compile tinylinux or minux for it.

Let's say you trust in the hardware's integrity, but not in the firmware. Then you have the option to use free firmware implementations such as Libreboot or the Talos (No, not the Elder Scrolls God) IBM PowerPC Computer. You would know the firmware running on your device and could compile your operating system to run on it. Indeed, it would not make much sense to go through all the hassle of getting open hardware
just to run a closed source operating systems on it. It's like tuning your car motor to only drive using the first gear. If your hardware is completely under your control and you can trust its integrity only to run Windows on it, you would gain nothing in return. The huge majority of exploits is hidden above firmware level. Thus you really would want to use a free operating system such as Linux.

Once you have ensured, that you can trust your device, firmware and operating system are to be trusted, you can actually go ahead and build up your userspace.
So an optimal setup would be something like:

- Your own chip implementation
- Your own operating system (with publicy proven cryptographic methods like AES in its API)
- Your own applications

Requiering a good part of your lifetime to construct.

A reasonable setup would be something like:

- A Intel/AMD chip running open source firmware
- An open source operating system such as Linux
- An bunch of open source applications with OpenVPN, SELINUX, Chromium or Firefox, ... and of course OpenMW

And all of this does not guarantee that nobody could break into your system, only that your system has no integrated weaknesses (Assuming you trust the Linux kernel if you use it). Although knowing all of this, I am the worst kind of security adviser, running a closed up operating system, with closed up drivers and firmware and an design wise convoluted x64 processor with Intel Management Inside.

I'm a materials engineer and actually learned a lot about how semiconductor devices are made and there is no way a single person would ever have the technical know-how to design a microprocessor and construct it that actually ran at reasonable speeds by today's standards. But it does sound like a fun thing to do for a hobby if you had the money. There are too many things that are required by simply living in society that are completely out of one's control to warrant going to all that effort. I've used a couple linux distros in the past but I'm just too dependent on standard software to really make the switch. You all sound much more concerned about maintaining your privacy than I am haha. Is there much point in using a VPN if I'm not willing to do most of these other things? I'm mostly just trying to make it harder for a hacker to choose me as a target at random. I have no delusions that if someone was heavily motivated that I'd be able to stop them.

psi29a wrote: ↑27 Oct 2017, 09:25Again, try the blackphone, get your updates from security minded people.

I read a little about the company, did they get their finances sorted out? Also wikipedia says the OS is closed source, but discontinued? Did they switch to an open one?