My privacy toolkit

As someone who always has an eye on protecting private data, not only for our company's customers, partners and employees but also for myself, I've looked at some tools over the years and some of them I made part of my daily workflows. But before I talk about some of them, I want to make clear some points.

First of all, I'm an Apple user. And I am by conviction. I'm not an Apple fanboy who needs always the newest iPhone, iPad, Watch and Mac and sleeps in front of an Apple store to be the first one who can by the newest models. But I work with macOS (and former OSX) for around 10 years now without ever regretting the switch from Linux. Of course my smartphone is an iPhone and my tablet is an iPad Pro. To be honest, I never had so few problems on a Linux machine or an Android device as I have on my Apple devices. Of course, there was never a problem on Linux that I couldn't solve by myself, but if I look back to that times when I used Linux as a desktop system, I see a lot of lost hours that I spent with fixing errors and unwanted behaviors. Since I'm using Macs I never faced similar problems again. And therefore I'm a convinced Apple user. In general macOS is a BSD-like system and I like how smooth the different Apple devices work together. However, for this reason the software I’ll talk about here will be mostly for Apple devices. But some of them are also available on other systems and platforms.

Secondly, I would like to note that my software recommendations are purely subjective. I don't claim that this is actually the best software available for specific tasks. There may be better ones, but the ones I'm going to write about here I just particularly like. Therefore comments like "But XYZ is much better than ABC, because ..." are completely useless. If you want to recommend some software to me, give me facts to compare, not opinions.

And last but not least, I'm fully aware of that I'm using paid software where I could use OSS alternatives. But there are reasons why I prefer the commercial software to open source software. In my experience, software that you have to pay for is mostly better than available OSS alternatives, at least on macOS. 

But now... let's begin...

Email Encryption

I couldn't live without email encryption. Unfortunately this is a task that most Linux machines can do better with free / open-source software than a Mac can do. But there is a solution, that is called GPG Suite. It's not free but worth every cent. It adds GPG / PGP encryption to the Apple Mail application and as soon as you created (or imported) a key for your email address(es), you can use encryption and email signing with a simple click. Your keys and the public keys of your contacts can be easily managed in a keychain-like interface, the GPG Keychain. Also importing keys for specific recipients is easy with the keyserver search that is integrated in the GPG Keychain tool. In addition I'm also using an email provider who provides GPG / PGP even in their webmailer. If you ever thought that email encryption is complicated, try Apple Mail with GPG Suite. You only need to understand: The public key is used to encrypt a message, the private key is used to decrypt it. That's basically all you need to know. Of course, this also results in the fact that you never give your private key to another person, because only you should be able to decrypt a message that was encrypted by somebody with your public key.

Taking Notes

Before I found Standard Notes, I used Evernote. And whenever I wanted to secure some data / notes, for example serials, I encrypted it with the GPG CLI tools before I added them to a note. I simply couldn't trust the builtin function for encrypting notes and I wanted to make sure that Evernote wasn't able to read my private stuff. I'm all the happier to have found Standard Notes. With this tool my life became easier, even if I still miss some features and some of them may never be implemented. But in general I like the idea of Open Source, and for me it's also ok if an open-source projects provides paid features. Good work should give a good income, in my opinion. And therefore I pay to be able to use the available extensions. In addition I also added a sponsorship for the project on Github. It's only 5$ per month, but if more people would do it, such projects could develop faster and their developers would have an easier life. I also support other projects and some artists in a similar way.

2-Factor / Multi-Factor Authentication

What I expect from my colleagues at work I also use in my private life, at least if it's related to information security. This also means, that I also use 2FA/MFA authentication wherever it is possible. But I'm not a fan of purely software-based solutions like the Google Authenticator app, Authy or the builtin 2FA from 1password and similar tools. I'm using a Yubikey from Yubico. Yes, I know the controversial discussions around Yubico. But in general I don't think that you can trust any piece of computer hardware on our planet. Especially U.S. intelligence manipulated hardware too often in the past (what was leaked later by whistleblowers) and by that we should always be skeptical if we buy new hardware, no matter what type of hardware it is. 

In the end my Yubikeys make my life easier and they prevent at least that hackers can log into my accounts even if they get my username and password. What I especially like is the availability of an authenticator app, that reads and stores your account informations on the Yubikey. By that I can use the same authenticator OTP, no matter which device I'm currently working on. As soon as I insert my key or use NFC to connect it to the app on my computer/smartphone/tablet, I see the same accounts in the authenticator app. This app is especially helpful because not all platforms with 2FA also support hardware tokens. Often they provide only an authenticator app interface. In addition I can use my Ubikeys to unlock my computers without entering my password. It needs a little tinkering to make it work on macOS, but the looks I get if I unlock my laptop with a key like other people unlock their cars are priceless. 

Collecting Informations

Anyone who has ever had to do more complex research work knows how quickly you have large amounts of unstructured data that you can quickly lose track of. And sometimes you have to do research work that shouldn't be shared with other people like the employees from your service provider. For that reason I'm using a tool called Yojimbo from Barebones (who also provide the popular BBEdit). It's not the newest piece of software on the market, but I like the idea, that you have a kind of drawer on the side of your desktop where you can simply drop data that you want to preserve. Such data can be a document, an URL, a serial number, a piece of text and so on. Later you can give the data tags to make them easier to search but the builtin search is also very good in finding informations based on their content. However, tags allow to create topic-specific lists of your collected data that can be easily accessed from the left side of the Yojimbo window or from the drawer. If you have any sensitive information, you can encrypt (and decrypt) it with a simple click. Yojimbo is not using any central server to sync data between devices. The data always stays on your computer or your iCloud. And by that you keep control over the data you organize in this tool. 

Translations

If you do research work in the WWW, you'll often find informations in languages you cannot speak or understand. Online translators like Google Translate are helpful to extract at least the essence of a text. A little insider tip is a new translation tool from Germany, DeepL.com. Currently, new languages are added from time to time. But what is particularly striking is that the translations provided by DeepL are far better than the translations provided by other providers. What does this have to do with privacy? If you have a Pro account for DeepL, they don't store your inputs, if you don't allow it in your account settings. And because it's a Germany-based company, it's not so easy for them to store PII that users may input. Our privacy laws are very restrictive and the penalties companies must pay if they process data for purposes to which the user hasn't consented can be very painful, even for bigger companies. So if you need to translate a private text that nobody should have except yourself, use a Pro account on DeepL. The translations may be not perfect (for example the German word "Datenträger" is wrongly translated as "data carrier" instead of "storage device/s" or "medium / media"), but they are much better than the results from Google for example.  And Google will always store your input for further purposes that you'll never know. 

Communication

A lot of digital communication is done via instant messengers today. Unfortunately this means, that the providers of such messengers are mostly able to read your conversations. There are only some exceptions like Signal, but even they have not the best privacy, because they can connect data about you with your user account. A new solutions comes from Switzerland. It's called TeleGuard. Even if the functionalities are very basic until now, the company behind this messenger (Swisscows) is following a very strict privacy policy. They don't store any informations about your chats on their servers, except you allow them to store backups from your conversations, that you can use to restore them on new devices you want to use. But even that backups are encrypted and decrypted only on your devices. The belonging key never leaves you. However, this also means that you can lose your data completely if you forget the password you used to encrypt the data or to access your account. In this case, even Swisscows will not be able to recover your data.

Btw, Swisscows also provides a search engine that is also focussing on privacy (in addition to child protection, why you cannot find stuff like porn with it). If you need a child-friendly search engine with privacy focus, give it a try. 

Data Storage

Data storage is, in my opinion, one of the most critical infrastructure that we use in our daily life today. Of course we can rely on solutions like Dropbox, Google Drive or iCloud, but in the end we don't know what the providers really do with the data we store on their platforms. An easy solution is to use your own servers. You can either host them at home (an old laptop with an additional external harddisk does fine for most requirements for private use) or you can rent servers in a datacenter that are fully controlled by you. But be careful: never try to operate a server if you don't know anything about system administration. If you rent a server you're also responsible for what is done with that machine. And if a bot is injected to your server and you don't notice it, it can become very expensive if the bot causes any harm to other IT infrastructure. In such a case you should ask somebody with the respective knowledge to setup and manage the server for you. 

Another alternative comes from my ISP, the German Telekom. They provide a cloud storage called "MagentaCloud" with a moderate pricing (500 GB for 5 € / month, for example). And because it's a Germany-based company with their data centers only in Germany, they can provide a very good privacy, because even German intelligence services cannot access the data without the consent of a German court. And also the options for accessing the storage - rsync, scp, SFTP, WebDAV and their apps and the web interface - are good and sufficient for my purposes. An additional security layer can be added by using a tool like Boxcryptor to encrypt all files. 

And all the other stuff

Sometimes I reach points in my work, where available software is not meeting my requirements at all. In such cases I often write small scripts or tools with Python, Go or Perl, that do exactly what I need. If you have the time, I can only recommend to learn any programming language. This enables you to write your own software, if you have specific requirements or special tasks. For example, I built a small software in the past that helps me to analyze the compliance of cloud environments used by our company. I can simply add the required access keys and the software can run in the background until it creates a final report for me, that I can use in different security management tools. But often it are simply one-liners. For example you can Base64-encode the content of a file with a simple: perl -MMIME::Base64=encode_base64 -e 'print encode_base64 join"",<>' < myfile.txt 

And before you ask... my preferred editors for programming are Sublime Text and Emacs with Spacemacs

So that's basically my privacy toolkit for my private life. At work I have, of course, much more privacy-related tools, like software for risk management, to create a data processing activities index, manage security incidents and much more. Maybe I'll write something about my "CISO toolkit" sometime in the future. In the meantime... live long and prosper! 


You'll only receive email when they publish something new.

More from FF-Sec