Feeling ready to take more steps. Any recommendations?

So currently I stopped using ISP DNS and im using Adguard’s as the primary and cloudfare as the second

My iPhone and Macbook are both running Adguard so trackers are out and VPN is running 24/7 (not sure how this one works, all i know is theres a vpn logo but idk how adguard’s vpn works).

I use Safari and DDG for web surfing - i sometimes use Tor if I can be bothered, Firefox feels like shit to use on Apple hardware, personally.

I’ve got little snitch on my Macbook but have zero clue on how to utilize it properly. Its the demo though I dont know if its worth paying for the full version

I use Tutanota for my primary email, slowly moving away from outlook for my others.

I use QTox to chat with online friends, unfortunately very hard to move away from Telegram on mobile.

Jumbo is on my phone if that matters at all. The Plus version.

Lastly I use 1password to store my passwords and cards, thinking about using Privacy’s virtual card, the joint thing they have with 1password

So I’ve got no idea how much is covered based on wht Im doing and im wondering what other things can I do to basically be more safe or anonymous whatever. I know that I have to figure out my threat model too but I havent got an idea what a single one is so itd be nice to have an explanation

You write the essential part at the end of your question: You need a threat model and define your use cases.

Why?
Because you obviously can’t protect yourself against every type of attacker. Quoting from one of our posts on PTIO:

Many people ask for the “best,” “most secure,” or “most private” products and service while forgetting that they need to define their own use cases and threat models before asking these questions.
Imagine that you go to a car dealer to buy a new car. You ask her for the best car she offers. Ultimately, she sells a sports car to you, while you needed a van (you didn’t define your use case).
Or you (classic example) want to build the most secure castle: You complete your work, the enemy attacks. You lose after 10 minutes since you never considered that your enemy has 21st century battle tanks and soldiers (you didn’t define your threat model).

So, who is your “enemy”? Your neighbor? Your partner? Your best friend? Your classmate? Your co-worker? Law enforcement? The state?

Depending on this, you can estimate four properties:

Time of the attacker
Money of the attacker
Motivation of the attacker
Skills of the attacker

After you did this, you should define what you need to protect yourself against them. Keep in mind that you can never achieve 100% security/anonymity, etc.

Also, keep in mind that information security consists of much more than some technical countermeasures, see Let's talk about security.

Without a threat model, you just deploy arbitrary (mostly technical) controls and hope for the best.

Thanks. Well I guess my threat model would then be to stay away from the sights of the government. My country has zero laws on privacy or consumer protection so pretty much anything to do with technology, the internet, we are downright fucked. But in the event that this threat model requires me to do too much, im fine with just protecting myself against companies as they are the main ones who would hold my data

And you use adguard vpn and cloudflare dns how about using nextdns and protonvpn?

Not sure what nextDNS does so I haven’t thought about that yet. As for ProtonVPN I rarely use VPNs for anything but if I do need it I use Tor to browse my stuff. Still not too knowledgeable on these VPN things so I guess you could try to convince me to use VPNs more often

oh my god, oh my god.

  • Do not use adguard dns, use any community driven DNS, like open nic or dnscrypt-proxy
  • VPN is not that good as you think (https://yewtu.be/watch?v=gTS17WzsZz8) so understand it’s limits first then run VPN because otherwise it’s really useless because other trackers and stuff already there
  • Why safari? Firefox with tweaks is really good (yes its shit but as always privacy is hard and not convenient)
  • tell me more about I’ve got little snitch on my Macbook but have zero clue on how to utilize it properly. Its the demo though I dont know if its worth paying for the full version because i don’t get it
  • Good move, and if you want more emails remember you got protonmail too
  • Telegram sucks (really) so at least give a try for stuff like signal
  • what is jumbo ?
  • nope, i know 1password joined privacy.com but nope, BIG NOPE! (NOPE NOPE) use trusted stuff like bitwarden (if you want cloud based) or keepass (if you want local database)
  • Getting thread model is easy, just tell me (or us) from who you want to hide your data? companies like google or gov or who ?

Nextdns is like adguard dns but with much more privacy

Do you mean the AdguardVPN or just adguard adblocker

Just some thoughts …

This looks like there is a “universal truth” in InfoSec/privacy, which doesn’t exist as all of us have different use cases, etc. As written before, deploying random technical controls is basically “hoping for the best.”

Furthermore, “OMG! OMG!” can be easily considered “Oh, I’m so dumb” and scare away anybody who wants to ask some questions on this forum.

This is a good example:
Most people change some Firefox settings without knowing what they are changing, only to feel better about being “anonymous” on the internet. Several examples of people broke most websites in their browser on this forum, and a Mozilla developer warned users against changing settings in Firefox for Android because many people don’t know what they are changing.

On the other hand, why is Safari worse in this particular scenario?

So, who trusts KeePass/Bitwarden? Some websites warn against Bitwarden due to relying on web technologies. Then, there is the KeePass 2 vs. KeePassXC “war.” (Similar to the infamous “What is the best instant messenger?” wars.) Some people say that you shouldn’t use a password manager because it is a “single point of failure.” As written before, there is no universal truth.

In our experience, threat modeling is anything but easy. Defining your “enemy” is only one tiny fragment of this.

2 Likes

There is no truth, all i did was saying my point of view. my personal experience trying to help the op


because privacytools made the tweaks on firefox which i feel firefox more advanced so it protects more ?

also ptio have brief bio of each setting sooooo??


Because it’s open source and if you don’t trust it you always have option to self host and keepass is already offline so only single point of failure is your master key


yeah, i was just making it easy for the OP like moving step by step. you want the real work? alright, here let op read this: https://ssd.eff.org/en/module/your-security-plan

Whats wrong with Adguard. Blocks trackers and ads pretty good and the filters and DNS is amazing

I use Safari instead of Firefox mainly due to comfort of use. Its a no brainer using anything except for Safari feels whack on Apple hardware but yes no doubt Firefox would be a better option to be safer, but im not ready to use it fully yet

As for Little Snitch what I meant was I don’t know if its worth paying for the license? People recommend it a lot but well yeah idk

I do use Signal for a few friends. A ton of others dont wanna move away from Telegram so im forced to stick with it

Jumbo is some sorta scanning app for iOS. Scans social media accounts, the dark web for ur credit cards if any leaks or ur email.

As for threat model, mainly the government

Not too sure lmao. My adguard is the premium so its using the DNS and safari blocker thingy and shit

the wrong with adguard that it’s company and to be honest with you, i do hate companies thats why i recommended open nic dns or dnscrypt-proxy servers.

It’s fine after some time you would feel yourself more ready to use firefox so dont stress out i was just pointing to that firefox more good :stuck_out_tongue:

buy license for ?.. if it’s paid app i would tell yo first search on open source apps and for donate the money to those open source apps (I really hate compaines :joy:)

in that case i would suggest telling them to watch the great hack and the social dilemma (it really worked with me)

how does sort of app scanning the whole dark web? its interesting to see, i mean dark web itself got no index (i know some search websites but it’s hard to monitor all of them) so i would really love to see such app in action and if you want to see if your email leaked try haveibeenpwned

oh the gov, its hard one but not impossible. (i wanted to do that too but my country blocked prepaid sim cards so its like impossible for me) so as all say, try to get prepaid sim card

NOTE: yes those dns i recommend does block ads and trackers too :stuck_out_tongue: (and free so you can move the money you pay to adguard to those open source projects and support them)

So how do i choose what password manager to use.

Why do you think that Firefox is “safer”?

As written before: Understand your use cases, define your threat model.
Examples: If you only need your password database on a single device, there is likely no need for any cloud functionality. If you want to share some passwords out of your database, then KeePassXC has such functionality. If you need a managed service for your family, a cloud-based commercial password manager could be best.

It really depends on what you need.


For the rest:
Ask 10 people to get 11 opinions. See The war of recommendations.

1 Like

Are you using Google Drive and/or Google Photos? You are using the Mac ecosystem, have you checked how much files/photos you have on iCloud?

Consider self hosting it at home with your own server if you are tech savvy enough. A lot can be done with a NAS and server to keep you busy.