“Standard Notes is a safe place for your notes, thoughts, and life’s work.
Free, open-source, and completely encrypted.”
“Data privacy matters, and we all deserve respect and consideration from those we visit on the internet. As shown by the numerous data breaches that have affected companies and individual users around the world, individuals and governments, however, we must also look out for our own personal data and privacy. Using a VPN to obfuscate your location and encrypt data is a powerful way to prevent the tracking, stalking and theft of personal and private data.”
—Eric Jeffrey, “How to Boost Your Data Privacy With a Virtual Private Network.” Security Intelligence. November 2, 2018.
“Intra protects you from DNS manipulation, a cyber attack used to block access to news sites, social media platforms and messaging apps.”
An app from Google’s Jigsaw team that brings the encrypted DNS lookups that come stock in Android 9 to older versions of Android. Not as good as using a VPN, but better than nothing.
“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There’s no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.
This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It’s actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals. Fixing those locks would also mean that criminals’ safe houses would be more secure, but it’s pretty clear that this downside would be worth the tradeoff of protecting everyone’s house. With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.
Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won’t make it impossible for law enforcement to solve crimes; I’ll get to that later in this chapter.) Regardless, it’s worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects. We’ve got more to lose through our Internet+ vulnerabilities than our adversaries do, and more to gain through Internet+ security. We need to recognize that the security benefits of a secure Internet+ greatly outweigh the security benefits of a vulnerable one.”
—Bruce Schneier. “Five-Eyes Intelligence Services Choose Surveillance Over Security.” Schneier.com. September 8, 2018.
“WireGuard is a new type of VPN that aims to be simpler to set up and maintain than current VPNs and to offer a higher degree of security. The software is free and open source—it’s licensed GPLv2, the same license as the Linux kernel—which is always a big plus in my book. It’s also designed to be easily portable between operating systems. All of that might lead you to ask: in a world that already has IPSEC, PPTP, L2TP, OpenVPN, and a bewildering array of proprietary SSL VPNs, do we need yet another type of VPN?”
—Jim Salter. “WireGuard VPN review: A new type of VPN offers serious advantages.” Ars Technica. August 26, 2018.
Do we need yet another type of VPN? Why, yes. Yes, we do.
After spending some time configuring the mutt email client to use gpg2 in OpenBSD 6.1 and not finding a straightforward explanation online, I thought I would document my process so other novice OpenBSD users would not have the same difficulties I had. I have used these same instructions, with some modification, to configure mutt on Debian, Arch and other Linuxes, and they have helped me get to a working configuration.
- Install mutt and gnupg.
# pkg_add -i mutt gnupg [add cyrus-sasl to your package manager on linuxes without it baked in]
A series of options will be displayed. Pick the current versions, mutt-1.8.0v3-gpgme-sasl and gnupg-2.1.15p2.
- Copy the system example gpg.conf file to your home directory.
$ cp /usr/local/share/gnupg/options.skel /home/bedouin/.gnupg/gpg.conf
- Add this text to the gpg.conf file [seemed necessary on OpenBSD, not on some varieties of Linux sans gnome]
# Enable gpg-agent
- Start the gpg-connect-agent daemon.
- Import your secret and public keys into your keyring (see man if you need to make them new).
$ gpg2 --decrypt file.sec.gpg | gpg2 --import --batch
- After import, check to make sure the secret keys imported.
$ gpg2 -K
- Create a file /home/bedouin/.gnupg/email-password.gpg with this text.
set imap_pass = "yourpassword"
set smtp_pass = "yourpassword"
- Encrypt email password file.
$ gpg2 --encrypt /home/bedouin/.gnupg/email-password.gpg
- Finally, create a .muttrc configuration file and add a line that decrypts your password file. This also has the benefit of launching gpg-agent, and it makes the password available to mutt without keeping it in plain text. Example:
# email configuration
set ssl_starttls = yes
set ssl_force_tls = yes
set folder = imaps://email@example.com:993
set spoolfile = imaps://firstname.lastname@example.org/INBOX
set postponed = +Drafts
set record = +Sent
set trash = +Trash
mailboxes +INBOX
set hostname = emailprovider.com
set from = email@example.com
set smtp_url = smtp://firstname.lastname@example.org:587
set postpone = ask-yes
set delete = ask-no
set editor = "emacs"
set visual = "emacs"
# Email password
source "gpg2 -dq /home/bedouin/.gnupg/email-password.gpg |"
set pgp_sign_as = email@example.com
set pgp_use_gpg_agent = yes
set pgp_timeout = 3600
# Reduce polling frequency to a sane level
# keep a cache of headers
# Display download progress
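The password-file steps above, wrapped in a script with the checks I wish I had run the first time: that the decrypted output contains only the two set lines mutt expects (with straight ASCII quotes, which is what breaks when a curly-quoted snippet is pasted), that the .gpg file is owner-readable only, and that the plaintext copy is removed after encryption. This is an added example, not code from the original post; it assumes gpg2 is on PATH, and the key id, password and file paths are parameters you supply.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes gpg2 is on PATH;
# the key id, password and output path are placeholders passed by the caller.

# Validate what mutt's 'source "gpg2 -dq ... |"' line will read: only the
# two 'set ... = "..."' lines with straight ASCII double quotes. Any other
# line would be handed to mutt as a command. Reads stdin; returns 0 on success.
mutt_pass_lines_ok() {
    seen_imap=0; seen_smtp=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '') ;;                                  # blank lines are harmless
            'set imap_pass = "'*'"') seen_imap=1 ;;
            'set smtp_pass = "'*'"') seen_smtp=1 ;;
            *) return 1 ;;                          # curly quotes, typos, stray text
        esac
    done
    [ "$seen_imap" -eq 1 ] && [ "$seen_smtp" -eq 1 ]
}

# The encrypted file must not be group- or world-readable (mode 600 or 400).
owner_only() {
    [ -n "$(find "$1" -prune \( -perm 600 -o -perm 400 \) -print 2>/dev/null)" ]
}

# Build the encrypted file: write the plaintext under a private umask, encrypt
# it to your own key (-r supplies the recipient a bare 'gpg2 --encrypt' would
# prompt for), then delete the plaintext so only the .gpg copy remains.
make_password_file() {           # usage: make_password_file KEYID PASSWORD OUTFILE.gpg
    keyid=$1; password=$2; out=$3
    plain=${out%.gpg}
    (
        umask 077
        printf 'set imap_pass = "%s"\nset smtp_pass = "%s"\n' "$password" "$password" > "$plain"
    ) && gpg2 --batch --yes --encrypt -r "$keyid" -o "$out" "$plain"
    status=$?
    rm -P "$plain" 2>/dev/null || rm -f "$plain"    # rm -P overwrites before unlinking on OpenBSD
    return $status
}

# Re-run the exact pipeline .muttrc uses and check both the mode and the content.
verify_password_file() {         # usage: verify_password_file OUTFILE.gpg
    owner_only "$1" && gpg2 -dq "$1" | mutt_pass_lines_ok
}
```

Run verify_password_file on the finished file before pointing .muttrc at it; a non-zero exit means mutt would have failed to source it or the file is readable by other users.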
This should get you to a working set-up to read and write email. This discussion helps make explicit a few points that took me a few hours to figure out, e.g., without gpg-connect-agent started, I had not imported my secret key into my key ring despite thinking I had.
Also, I tried to indicate where gpg-connect-agent and some of these other steps were unnecessary on Linux distros in an update a year later.