OP's question was about coping with surveilance but OPSEC plays important part of those coping mechanisms.
What you want in terms of safety is defined by your threat model.
The safety though doesn't come without costs and discomfort.
My approach is to identify for which data-sets data, information and intelligence can be gathered and thru which vectors. Whether disruption or distortion is applied entirely depends upon assumed threat model.
We should not forget that majority of compromising data is gathered when we are spontanious
To tackle new technology and maintain control over my data, I prioritize keeping as much of it on my own hardware. Some smart devices, like Sonos speakers, are incredibly useful and I haven't found replacements that match their quality. For such devices, I've made peace with the trade-offs.
To ensure secure segmentation at home, I have two different ISPs: one for family and friends, and another exclusively for my work. OPNsense sits at the edge of my network with VPN enabled, and for accessing my network remotely, I rely on WireGuard.
My home setup includes a couple of servers running multiple workloads and tools, virtualized on bare-metal machines. Backups are stored on a local NAS and also sent off-site to an object storage provider. I encrypt everything beforehand for security. While I'm currently using Backblaze B2 for off-site storage, I'm considering a switch to Cloudflare R2.
For businesses, I always recommend a combination of tools like XDR/EDR/NDR for comprehensive monitoring. Cloud-based solutions are often suitable, but for my personal use, I prefer not sharing telemetry with big companies like Microsoft or CrowdStrike. Instead, I run local agents forwarding data to a local SIEM, built on an open-source ELK stack that also collects firewall data. This helps me monitor my network for any signs of intruders.
When it comes to minimizing tracking, I recognize it's impossible to eliminate your digital footprint entirely. The level of risk depends on the threats you're facing. Personally, I don't mind intelligence agencies tracking me, so my car has GPS, and I carry two phones everywhere. I also use smartwatches strictly for exercise, so they're usually just charging at home.
However, in situations where I don't want anyone tracking me, I use a combination of physical and digital precautions to make it more challenging for potential adversaries to follow my trail. These occasions are rare but crucial.
If anyone is interested, I'm happy to write a guide on the first steps to gaining more visibility and control over your digital life. While my current setup is pretty technical and sometimes a pain to maintain, there are plenty of easier-to-use tools available for improving security.
I second this as well, your tools can definitely be used to spy on you, but you still need to wake adversaries up in order for them to take an interest in you.
Owning - controlling
infrastructure is a key for everything else.
Segmented networks are quite good. I assume that
@0xDEADBEEF set-up complete physical isolation without bandwidht sharing. In SOHO set-up I would recommend slightly different option - WAN fail-over with VLAN segment isolation and edge VPN (Wireguard is decent; the optimal is with PSK). That would achieve network redundancy. In DC or corporate set-up we use multi-homed network with at least 3 different peers (IP transit providers so you must have your own ASN) - could be SOHO (for home and office) option as well, depending on provider's resources.
Hardware - not cloud - firewall is mandatory where OPNSense will suffice with pfSense as alternative. Corporate options such as Palo Alto products are over-kill in SOHO.
Quoted backup strategy is quite okay; I wouldn't use any Cloudflare service though. Corporate and personal preference is that backup is performed with rsync via ssh towards dedicated location - we use RAID6+0 with ZFS and btrfs for storage.
Just keep in mind the old Italian saying “anche i muri hanno le orecchie” (“walls have ears”). It’s from a time when the internet didn’t exist. Don’t ever do or say anything that can be used against you. Whenever you really have to, do that outdoors, which is also good for your health.
I have also learnt from experience that being completely spotless can be counterproductive, as it will lead to suspects that you are hiding something, and therefore that you are a big criminal. So it can be wise to create a small criminal background, just enough to be considered a loser and not worth investigative efforts.
Exquisitely good point. If you are not visible then you are quite visible - particularly in modern era when plethora of data sets can be fetched, cross compared and analyzed faster then you can call your barister - with IBM i2 Analyst for instance. What happens when some duty officer sees that you exist yet there is no associated data sets
The old Latins - Romans had a proverb "Silentium est aureum". Today's world require you have a script for any possible situation so you don't became suspicious.
It's so funny when you google the SMART part of SMART HOME, and the results that google gives you are all wrong.
The term "smart" in "smart home" is an abbreviation for "Self-Monitoring Analysis and Reporting Technology", AKA Surveillance.
Power: There are few ways you can fight it, but if you got a smart meter in your house you can only make it malfunction so many times before they catch on, and no, they wont give you that analog power meter back. But you could solve it with solar or wind turbines.
Phone: Old Nokia for $10 or a degoogled Pixel6a. I know it's hilarious to buy a google phone to remove the google software, but it's the easiest option.
VPN: Don't touch that 'free' VPNs from China or US, they are free for a reason. Go for MULLVAD if you want to be safe.
Browser: If you are too stingy for a VPN, at least use Brave.
PC: There is only one way for privacy, it's to keep it off the net. Have a notebook that you never connect to the net. And if you are running any windows after version 7, then I don't know what to tell you. Get a nice linux instead, at least on the second computer.
WIFI: Use LAN cables instead. Even I can wreak havoc and steal your data with KALI LINUX and an external antenna. If you still use WIFI, at least be conscious about the danger (and I am not thinking about radiation here).
Lots of issues you can solve buy buying appliances and cars that were made before they bugged everything.
Nowadays you can't trust even the chips inside anymore, your Intel chip is numbered and has backdoors, as has all communication equipment. Your cleaning robot is sending data to China, as does my headset, and all the security cameras.
Depending on a threat model, LAN cables - copper wires could be more jeopardizing then WLAN with WEP
due to TEMPEST. Also, electric connectivity is susceptible to interference, no matter what shielding it has.
We use almost exclusively optical connectivity but it adds a requirement for media conversion in SOHO. (Un)Fortunatelly, we must use CAT6 and above standard cables for terminal part in SOHO.
But, under threat model of a person not involved in international terrorism, sanctions violation and espionage, shielded copper network cables will be more than sufficient
This is an excellent recommendation that will improve your privacy. Enabling DoH in modern browsers prevents your ISP or other intermediaries from seeing your DNS queries, adding an extra layer of privacy.
For MacOS, I recommend VMware Fusion, UTM, or Parallels if you're looking for easy Windows virtualization.
For this, you can use
What is it? - NoScript: Own Your Browser!. Alternatively in Firefox, you can head to about:config, search for javascript.enabled, and set it to false. On MacOS, enabling Lockdown Mode in Safari achieves a similar effect by limiting website features and blocking JavaScript execution on non-trusted sites.
The easiest thing I can recommend to anyone is using either Little Snitch or Safing. I've used Little Snitch for as long as I've had a Mac:
Little Snitch.
For Windows/Linux check out Safing, which offers cross-platform network privacy and control:
Safing. Both applications can be purchased using Monero through
ProxyStore.
I use both terms synonymously too, but yeah, TLS is the secure one.
Whatever DNS solution that isn't in cleartext should be used as a lack of it could easily destroy whole security model.
Whenever you can, you should have your own VPN server backend - preferably with blend of different upstream network providers and LAG - with fail-over in different locations. Wireguard tunnels traffic thru UDP which may be blocked so an agnostic backup VPN server backend should be available - OpenVPN.
For utmost redundancy and reliability, different L2 and L3 VPN agnostic (to downstream network set-up) server backends with their fail-overs should be established.
I always disable everything what is considered factory and try to use tailored made and solution controlled by me. That's especialy for items that function as CAM, MIC and for positioning.
Isolation thru different virtual instances with separated networking and VPN credentials is a way to protect yourself from cyber threats and possibly even highly qualified threat actors.
