How to Boost Your Data Privacy With a Virtual Private Network

“Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.”

—Eric Jeffrey, “How to Boost Your Data Privacy With a Virtual Private Network.” Security Intelligence. November 2, 2018.

A layman’s explanation of VPNs and why you should be using them. I’ve mentioned VPNs before. If interested in using one, check this website for a comparison of different services.

Click Here to Kill Everybody – Bruce Schneier

“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.

This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals’ safe houses would be more secure, but it’s pretty clear that this downside would be worth the tradeoff of protecting everyone’s house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.

Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won’t make it impossible for law enforcement to solve crimes; I’ll get to that later in this chapter.) Regardless, it’s worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We’ve got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.”

—Bruce Schneier. “Five-Eyes Intelligence Services Choose Surveillance Over Security.” Schneier.com. September 8, 2018.

WireGuard VPN review: A new type of VPN offers serious advantages | Ars Technica

“WireGuard is a new type of VPN that aims to be simpler to set up and maintain than current VPNs and to offer a higher degree of security. The software is free and open source—it’s licensed GPLv2, the same license as the Linux kernel—which is always a big plus in my book. It’s also designed to be easily portable between operating systems. All of that might lead you to ask: in a world that already has IPSEC, PPTP, L2TP, OpenVPN, and a bewildering array of proprietary SSL VPNs, do we need yet another type of VPN?”

—Jim Salter. “WireGuard VPN review: A new type of VPN offers serious advantages.” Ars Technica. August 26, 2018.

Do we need yet another type of VPN? Why, yes. Yes, we do.

OpenBSD: Configuring mutt & gpg/gpg2

After spending some time configuring the mutt email client to use gpg2 in OpenBSD 6.1 and not finding a straightforward explanation online, I thought I would document my process so other novice OpenBSD users would not have the same difficulties I had. I have used these same instructions with some modification to configure mutt on Debian, Arch and other Linuxes, and it has helped me get to a working configuration.

  • Install mutt and gnupg.

# pkg_add -i mutt gnupg [add cyrus-sasl to your package manager on linuxes without it baked in]

A series of options will display. Pick the current version of mutt-1.8.0v3-gpgme-sasl and gnupg-2.1.15p2.

  • Copy the system example gpg.conf file to your home directory.

$ cp /usr/local/share/gnupg/options.skel /home/bedouin/.gnupg/gpg.conf

  • Add this text to the gpg.conf file [seemed necessary on OpenBSD, not on some varieties of Linux sans gnome]

# Enable gpg-agent
use-agent
pinentry-mode loopback

  • Start the gpg-connect-agent daemon.

$ gpg-connect-agent

  • Import your secret and public keys into your keyring (see man if you need to make them new).

$ gpg2 --decrypt file.sec.gpg | gpg2 --import --batch

  • After import, check to make sure the secret keys imported.

$ gpg2 -K

  • Create a file /home/bedouin/.gnupg/email-password.gpg with this text.

set imap_pass = "yourpassword"
set smtp_pass = "yourpassword"

  • Encrypt email password file.

$ gpg2 --encrypt /home/bedouin/.gnupg/email-password.gpg

  • Finally, create a .muttrc configuration file and add a line to decrypt your password, which also has the benefit of launching gpg-agent and saves your password for use in mutt. Example:

# email configuration
set ssl_starttls = yes
set ssl_force_tls = yes
set folder = imaps://user@emailprovider.com:993
set spoolfile = imaps://user@emailprovider.com/INBOX
set postponed = +Drafts
set record = +Sent
set trash = +Trash
# "mailboxes" is a command, not a variable, so no "=" here
mailboxes +INBOX
set hostname = emailprovider.com
set from = user@emailprovider.com
set smtp_url = smtp://user@emailprovider.com:587
set postpone = ask-yes
set delete = ask-no
set editor = "emacs"
set visual = "emacs"
set noconfirmappend

# Email password (decrypting it at startup also launches gpg-agent)
source "gpg2 -dq /home/bedouin/.gnupg/email-password.gpg |"

# GPG
set pgp_sign_as = user@emailprovider.com
set pgp_use_gpg_agent = yes
set pgp_timeout = 3600

# Reduce polling frequency to a sane level
set mail_check=60

# keep a cache of headers
set header_cache=~/.hcache

# Display download progress
set net_inc=10

This should get you to a working set-up to read and write email. This discussion helps make explicit a few points that took me a few hours to figure out, e.g., without gpg-connect-agent started, I had not imported my secret key into my key ring despite thinking I had.
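Before trusting a muttrc built this way, it is worth linting it for the mistakes the steps above are meant to avoid. The POSIX shell script below is an added example, not part of the original post: it checks that no imap_pass/smtp_pass sits in the file in the clear, that the password is sourced from a gpg pipe, that the encrypted password file is not group- or world-readable, that ssl_force_tls is on, and that "mailboxes" is used as a command; the two sample muttrc files and the placeholder password file it writes under mktemp are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: lint a muttrc for the
# pitfalls the walkthrough above runs into. Sample files are constructed.
check_muttrc() {
    f="$1"; rc=0
    # 1. Credentials must not sit in the muttrc in the clear.
    if grep -Eq '^[[:space:]]*set[[:space:]]+(imap|smtp)_pass[[:space:]]*=' "$f"; then
        echo "FAIL: plaintext imap_pass/smtp_pass in $f"; rc=1
    fi
    # 2. The password must come from a gpg-decrypted pipe (gpg -d / gpg2 -dq).
    p=$(sed -n 's/^[[:space:]]*source[[:space:]]*"gpg2\{0,1\} *-dq\{0,1\} *\([^"|]*[^ "|]\) *|"/\1/p' "$f")
    if [ -z "$p" ]; then
        echo "FAIL: password is not sourced from a gpg pipe"; rc=1
    # 3. ...and the encrypted password file must not be group/world readable.
    elif [ -e "$p" ] && ls -ld "$p" | cut -c5-10 | grep -q '[rwx]'; then
        echo "FAIL: $p is readable by group or others"; rc=1
    fi
    # 4. Never talk to the mail server without TLS.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+ssl_force_tls[[:space:]]*=[[:space:]]*yes' "$f"; then
        echo "FAIL: ssl_force_tls is not set to yes"; rc=1
    fi
    # 5. "mailboxes" is a mutt command, not a variable: "mailboxes = +INBOX"
    #    also registers "=" (shorthand for $folder) as an extra mailbox.
    if grep -Eq '^[[:space:]]*mailboxes[[:space:]]*=' "$f"; then
        echo "FAIL: use 'mailboxes +INBOX', not 'mailboxes = +INBOX'"; rc=1
    fi
    return $rc
}

# Constructed samples: a muttrc following the post, and a broken one.
DIR=$(mktemp -d)
printf 'constructed placeholder, not real ciphertext\n' > "$DIR/email-password.gpg"
chmod 600 "$DIR/email-password.gpg"
GOOD="$DIR/good.muttrc"; BAD="$DIR/bad.muttrc"
cat > "$GOOD" <<EOF
set ssl_starttls = yes
set ssl_force_tls = yes
mailboxes +INBOX
source "gpg2 -dq $DIR/email-password.gpg |"
EOF
cat > "$BAD" <<EOF
set ssl_starttls = yes
mailboxes = +INBOX
set imap_pass = "hunter2"
EOF
check_muttrc "$GOOD" && echo "good.muttrc: OK"
check_muttrc "$BAD" || echo "bad.muttrc: problems found"
```

Run it against your real ~/.muttrc with check_muttrc "$HOME/.muttrc"; a non-zero exit means at least one of the five checks printed a FAIL line.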

Also, I tried to indicate where gpg-connect-agent and some of these other steps were unnecessary on Linux distros in an update a year later.

Good luck!