Re: windows mail
I’ve successfully used Evolution (free) on my Linux Mint install for a number of years. Worth a look?
Later - found this link (review)
https://www.zdnet.com/article/finally-this-is-the-linux-email-client-ive-been-hoping-for/
40 publicly visible posts • joined 22 Jan 2020
It's not just Microsoft that I don't trust with my information, and at home I have blocked by default, via my pfSense firewall, the ASNs associated with the likes of Google, Microsoft, Facebook, Oracle, Telegram, Twitter, Yahoo, Adobe et al (obviously this breaks a lot of things, but it allows me to approve access on a device-by-device basis).
Interested to learn which Microsoft ASNs have been blocked by your employer, to see whether I need to add more to my (lengthy) list.
Inevitably there will be leakage to the data harvesters, but short of not going online at all, I aim to lose by the smallest possible margin.
Now where did I leave my tinfoil hat?
I recall many years ago being caught out by this. Having set up voicemail on a new mobile (Vodafone?), attempting to retrieve a message I inadvertently dialled 112 instead of 121 and was most surprised to be talking to a (fortuitously sympathetic) operator …
At the time I was unaware that 112 was a valid emergency number within the UK. I’m still unclear as to whether 911 will work, but I don’t intend to test it!
Unfortunately (if, like me, one is relatively unsophisticated) you are reliant upon the skill of others to protect your cloud-based data (either that or don't use the cloud, but that is difficult to avoid these days).
That said, in my experience, people frequently don't (hassle/convenience preferred?) avail themselves of the additional security that is available, say 2FA for your email or (in the case of iOS) activating Advanced Data Protection. Every little bit helps.
As an iOS user, have you activated Advanced Data Protection?
https://support.apple.com/en-gb/102651
Whilst LMS and PiCorePlayer can be controlled via a web browser, for those on iOS, iPeng IMHO is money (one-off, about £10) well spent. A mature application for controlling LMS (and multiple PiCorePlayers) with a very responsive and helpful developer. It's upgraded when necessary to support evolving versions of iOS, otherwise the app is left alone (it already has superb functionality; if it's not broke, don't fix it!)
See here
https://apps.apple.com/gb/app/ipeng/id767266886
Support forum here
https://forums.slimdevices.com/forum/user-forums/3rd-party-software/51576-ipeng-support-thread
Methinks it's time to investigate the PiCorePlayer ecosystem (hardware using a Raspberry Pi with a potential amplifier HAT add-on), which is based upon the former Squeezebox/Logitech Media Server, now renamed Lyrion. Although Logitech no longer support LMS, it has an active developer base expanding its functionality.
Michael Herger (a Logitech employee) still supports it, and there is a mini army of reactive developers supporting a multitude of plugins enhancing its functionality (e.g. Tidal, BBC Sounds). I have found them streets ahead in responding in a timely manner to external changes that break functionality (e.g. when the BBC changed their streaming model and broke a lot of commercial digital radios, LMS had a working solution up in hours, whereas it was months before others caught up; some never did and left punters with junked systems).
I've been using the ecosystem to stream synchronised music around my home for years (this includes locally ripped music, as well as internet streams from a wide variety of sources). Its most compelling points are that it's open source, the hardware can be easily replaced and the software support is superb. IMHO it's open source software at its best.
Links
Software site https://www.picoreplayer.org/
Hardware https://thepihut.com/collections/raspberry-pi-audio-hats
Support forum https://forums.slimdevices.com/forum/user-forums?20-User-Forums=
Whilst I am yet to use the WireGuard facility on my pfSense router, I do widely utilise OpenVPN, both as a server (for secure inbound connections to my local network) and also for outbound client connections to route traffic of choice via my external VPN provider.
pfSense is essentially an enterprise-level firewall available for free. As you may have gathered, it's quite a handful to configure (albeit there is a lot of information available online). Just about any scenario can be covered and I would encourage you to explore. I have been "playing" with it for a few years and still feel like a "newbie". The more you play the more you learn!
If you want to further your knowledge, check out Lawrence Systems on YouTube (advert-free via Invidious). Tom, the owner, is a fan and has created quite a few videos highlighting its potential.
BTW, if you are looking for something straightforward to set up (perhaps as an interim measure whilst you explore pfSense) try Pi-hole
https://pi-hole.net/
Comparison here
https://www.virtualizationhowto.com/2022/04/pfsense-pfblockerng-vs-pihole-pros-and-cons/
If you want to try going full on at the network/gateway level rather than just the browser, look to install pfSense as your firewall and then load a package called pfBlockerNG. Utilising the latter it is possible to block both by way of DNS and by IP. It is also possible to block sites by way of geographical location.
So you could (by way of example) block via DNS e.g. facebook.com, or any combination e.g. facebook.co.uk, or even by TLD e.g. *.ru *.adult *.aero
Alternatively via IP you could block access to any ASNs associated with Facebook e.g.
AS11917
AS32934
AS54115
AS63293
AS395291
(or anybody else e.g. Google, Yahoo, Microsoft, Amazon etc.)
The nice thing about pfBlockerNG is that all the associated firewall rules are generated automatically and can be auto-updated as often as you wish. Ditto the IPs associated with ASNs.
I use it to block vast swathes of the internet, e.g. all of Google, Microsoft, Adobe etc., only allowing outbound access at an individual device level as appropriate. You can subscribe to (free) lists of malware sites and compromised sites, also known ad servers. The list is almost endless.
I find it does provide more granular control, albeit at the expense of breaking things, e.g. Apple's iCloud is not exclusively hosted on Apple's infrastructure. You may find yourself the subject of family complaints and need to spend time unblocking (or just allow the other half whitelist access to everything, whilst protecting your own devices).
I’ll whisper this, but I never see any adverts when browsing a certain “biting the hand that feeds IT” site.
Of course your level of paranoia may be less than mine (now where did I leave my tin hat?)
Bottom line, only way to be totally invisible is to be offline, otherwise we aim to lose by the smallest possible margin.
BTW did I mention this is all available for free? (Note you want the pfSense CE edition, Community Edition, not the paid-for Plus edition.)
https://www.pfsense.org/download
https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
Have fun!
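The three rule shapes the post describes (a domain such as facebook.com, a second-level name such as facebook.co.uk, and a TLD wildcard such as *.ru) behave differently in a DNS sinkhole, and the difference matters for what slips through. The following is an added example, not code from the post and not pfBlockerNG's own matching logic; the rule list, the sinkhole address and the query names are constructed for illustration.

```python
# Added example (not code from the post or from pfBlockerNG): how a DNS
# sinkhole decides whether a queried name falls under a domain rule, a
# second-level rule or a TLD wildcard, the three rule shapes the post lists.
# The rule list, the sinkhole address and the query names are constructed.

SINKHOLE_RULES = [
    "facebook.com",     # the name itself and every subdomain
    "facebook.co.uk",
    "*.ru",             # any name whose top-level label is 'ru'
    "*.adult",
    "*.aero",
]

SINKHOLE_ADDRESS = "10.10.10.1"  # assumed address returned for blocked names


def normalise(name):
    """Lower-case and drop the trailing dot so 'WWW.Facebook.COM.' compares cleanly."""
    return name.strip().lower().rstrip(".")


def matches_rule(name, rule):
    """True if the query name is covered by one sinkhole rule."""
    name, rule = normalise(name), normalise(rule)
    if rule.startswith("*."):
        # TLD wildcard: only the last label counts, so '*.ru' must not catch 'ru.com'.
        return name.rsplit(".", 1)[-1] == rule[2:]
    # Domain rule: exact match or a label-aligned suffix, so 'facebook.com'
    # catches 'www.facebook.com' but not 'notfacebook.com'.
    return name == rule or name.endswith("." + rule)


def resolve(name, rules=SINKHOLE_RULES):
    """Return ('sinkhole', address, rule) or ('forward', None, None)."""
    for rule in rules:
        if matches_rule(name, rule):
            return ("sinkhole", SINKHOLE_ADDRESS, rule)
    return ("forward", None, None)


# Constructed query log: what the resolver might see from one client.
CONSTRUCTED_QUERIES = [
    "www.facebook.com",
    "graph.facebook.co.uk",
    "mail.example.ru.",
    "ru.com",
    "notfacebook.com",
    "static.xx.fbcdn.net",
]


def classify(names=CONSTRUCTED_QUERIES, rules=SINKHOLE_RULES):
    """Map each normalised name to the decision the sinkhole would make."""
    return {normalise(n): resolve(n, rules)[0] for n in names}


if __name__ == "__main__":
    for name, decision in classify().items():
        print(f"{name:25s} {decision}")
```

The last constructed query is the instructive one: static.xx.fbcdn.net is forwarded because no rule names it, even though it belongs to the same operator. That is the gap a name-based sinkhole always leaves and the reason the post pairs it with IP blocking by ASN.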
I've long ago reached that conclusion … I won't even apply for my bus pass entitlement, on the basis that I don't trust the council idiots to safely secure my identification data and photograph.
Now if I could just get the DVLA to delete my driving licence photo … Oh, forgot about the idiots at HMRC & NHS and the Electoral Commission (but as to the latter, I seem to recall it's already all gone to some foreign entity, them having been hacked).
My personal data is very important to me, but only post-hacking does security become top priority to these numpties (or was that posterior/bonus covering?)
Horse, door, stable, bolts, shut, methinks
God help us all if they introduce a mandatory biometric national ID card
Whilst I share the outrage of the many, I think the ultimate unaccountable public body is HMRC.
They don't answer the phone efficiently (if at all), they have no local offices and take months (in my experience) to answer correspondence, and then frequently ineptly. They have inherited (via Customs/Excise) forcible powers of entry; they effectively write their own search warrants.
They are judge, jury and executioner all rolled into one, with draconian levels of powers, able to impose "assessments", the ultimate steamroller … Essentially you are guilty until proven innocent.
Don't think it will ever happen to you?
Read this woeful tale of a business destroyed by HMRC and the tortuous route the victims had to follow in order to try and obtain some form of redress. It's positively "Orwellian". To the very end HMRC were attempting to avoid any financial liability for their outrageous conduct.
https://www.rpc.co.uk/perspectives/tax-take/high-court-criticises-hmrcs-conduct-and-compels-it-to-honour-its-undertakings/
Shortcut to the full (2015) judgement on Bailii.org (for those with time on their hands to digest)
https://www.bailii.org/cgi-bin/format.cgi?doc=/ew/cases/EWHC/Ch/2015/225.html&query=(Abbey)+AND+(Forwarding)+AND+(Ltd)+AND+((in)+AND+(liquidation))+AND+(v)+AND+(HMRC)+AND+(.2015.)+AND+(EWHC)+AND+(225)+AND+((Ch))
Yes indeed, and you can also add to the list the scandal surrounding the NHS and those unfortunate enough to suffer from haemophilia, who decades later are still awaiting meaningful compensation (a significant number having died from HIV)
https://en.wikipedia.org/wiki/Contaminated_blood_scandal_in_the_United_Kingdom
Oh, A&A do put their prices up!
I seem to recall them increasing their monthly line rental on VOIP lines (SIP Number service) from £1.00 to £1.20 per month.
Mind you it was their first price increase in over ten years and if you contrast them with the grasping main players (BT/Virgin et al) I consider their SIP services a bargain.
My experience is similar: complex passwords (> 25 characters) accepted, only to find that the password is later rejected as incorrect.
Experimentation finds that the site (although not mentioned) only actually accepted/recorded (say) the first 20 characters of the input password. Doesn't say much for their capture/error checking/sanitation code …
My other bugbear (as I use a password manager) is constantly being hassled to rotate passwords. If it's a site that I don't visit frequently, the first 5 minutes of any return are spent messing around updating/resetting passwords.
Naturally the sites that seem to insist on frequent changes are the ones that often don't offer proper 2FA, only the inadequate SMS version, and perhaps I don't want them to know my phone number (no, I am not referring to "cough" smut sites …)
You may indeed; it's VMware Player, which is free for personal, non-commercial use.
See here
https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
I migrated to Mint about 5 years ago and it's been subject to multiple OS updates (all seamless so far). Just as well really, as I am no Linux geek!
It's been such a long time I can no longer recall how I installed Player, but it seems reliable and stable.
Windows has become a tool to allow Microsoft to poke its nose into our lives (the OS equivalent of Google Chrome). Oh for the happy days of Windows 7, when the OS (mainly) did what it was asked and nothing more.
When I noticed I seemed to be spending more time fighting Windows than using it, I gave up and migrated to Linux Mint. An Apple OS initially appealed (because of greater software choices) before I recognised I would likewise be forced into not infrequent hardware purchases to keep current with macOS, so another financial treadmill to avoid.
I decided, because of security concerns, to give the Linux Wine Windows emulator a miss and instead use a locked-down Windows 10 VM running within Linux for some local Windows-specific scanning software, Microsoft Money and MailStore (to archive/backup my external email).
As regards Windows talking to the mothership, I blocked every Microsoft ASN I could find at my home firewall (as I likewise do for Google, Amazon, Facebook, Adobe, Yahoo and Oracle). I do allow access, but only on a device-specific, as-needed basis.
My approach does break things: a lot of firms utilise Azure for instance, so web browsing can be intermittent, and it does highlight that Apple seems to avail itself of cloud competitors' storage when hosting iCloud et al …. but everything in life comes at a cost.
More recently my Win 10 VM seems to be talking to the mothership once again, so I have taken the nuclear approach of blocking all outbound connections from the VM except specific AV updates and access to MailStore.
I feel more in control and I have learned a lot trying to repair what my restrictions break. We aim to lose by the smallest possible margin.
Now where’s my tin foil hat gone ?
I believe it was called the Zen “lifetime price guarantee”
It was withdrawn for new customers, or existing customers moving to a new plan, but continues for those (like me) who do not change their out-of-contract plans. That said, I am sufficiently old in the tooth to know that ultimately it's likely my plan will be withdrawn by Zen when they decide it's uneconomical to maintain, and the offered "improved" plan will come without.
Whilst Zen no longer offer the lifetime guarantee, they do guarantee a fixed price for the term of your contract, a much more ethical approach than a lot of the big boys'. It's hard work saving money, which is why the big boys with their automated systems have a field day with the busy and apathetic.
I always review my options (your electronic diary is your friend) - as my late father used to observe “we aim to lose by the smallest possible margin” …
As a person who went to a comprehensive school (unlike my mother, who was grammar school educated) it's a delight to be educated by the learned readers of the Register, not only in technical IT matters, but also the history of England and its grammar.
Embarrassingly I often feel that my multilingual friends have a considerably better grasp of the subject (I fear I might be demonstrating my inadequacies in this written response).
That said, I do know it's "similar to" and "different from" …
Many years ago, on logging onto a website and being advised that I was required to change my password (and as a recent convert to the joys of the password database), I rather smugly decided to update my password to a super secure (so I thought) 30-character one (the system specified a minimum length of 10 characters).
Auto-generated a new password and cut/pasted it into the requisite field, which was duly accepted and confirmed updated. Completed my business on the site, logged out and happily went on my way.
Next time I came to log on my password was rejected as invalid; impossible, I thought, as it's recorded in a database and was copied/pasted.
So I used the reset password link and updated my password once again; however, next time I came to log on history repeated itself: updated password invalid.
It was only much later I discovered that said system not only had a minimum length but also a maximum field length ... which I consistently exceeded, it presumably arbitrarily shortening my input.
That will teach me to be smug (would still wish to shoot the developer; where was the error checking?)
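Both this post and the earlier one about 25-plus-character passwords being accepted and then rejected describe the same defect: the registration path silently cuts the password to the column width while the login path hashes what was typed. The following is an added example, not code from any of the sites the posts describe; it puts the truncating register/login pair beside a hardened pair that states its limit, refuses over-long input instead of cutting it, and stores a fixed-size salted hash so the column width no longer depends on password length. The 20-character limit, the in-memory "database" and the sample password are assumptions.

```python
# Added example (not code from any site the posts describe): a register/login
# pair that silently truncates the stored password, which is the behaviour the
# posts observed, beside a hardened pair that states its limit, rejects
# over-long input up front and hashes the full string. The 20-character limit,
# the in-memory "database" and the sample password are assumptions.

import hashlib
import hmac
import os

MAX_LEN = 20  # assumed width of the site's password column

# --- Vulnerable: the store cuts to MAX_LEN, login does not -----------------
_truncating_store = {}


def register_truncating(user, password):
    """Models an INSERT into a VARCHAR(20) column under a lenient SQL mode:
    the value is cut to 20 characters and no error reaches the caller."""
    stored = password[:MAX_LEN]
    _truncating_store[user] = hashlib.sha256(stored.encode()).hexdigest()
    return True  # reported to the user as "password updated"


def login_truncating(user, password):
    """Hashes the full string typed in, so anything past MAX_LEN never matches."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_truncating_store.get(user, ""), digest)


# --- Hardened: explicit limit, salted stretching, no silent truncation -------
_hardened_store = {}
MIN_LEN, HARD_MAX_LEN = 10, 128  # the post's minimum, plus an assumed generous maximum


class PasswordPolicyError(ValueError):
    """Raised so the UI can tell the user the limit instead of truncating."""


def _stretch(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register_hardened(user, password):
    if not MIN_LEN <= len(password) <= HARD_MAX_LEN:
        raise PasswordPolicyError(
            f"password must be between {MIN_LEN} and {HARD_MAX_LEN} characters")
    salt = os.urandom(16)
    # A fixed-size hash goes into the column, so its width no longer depends
    # on the password length and there is nothing left to truncate.
    _hardened_store[user] = (salt, _stretch(password, salt))
    return True


def login_hardened(user, password):
    record = _hardened_store.get(user)
    if record is None:
        _stretch(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt, expected = record
    return hmac.compare_digest(_stretch(password, salt), expected)
```

With the truncating pair, a 31-character password registers "successfully" and then fails to log in, while its first 20 characters log in fine, which is exactly the experiment the earlier post describes. The hardened pair either accepts the whole string or tells the user why not.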
I basically block anything Microsoft-related at my pfSense firewall until such time as I need to update my Windows VM, at which point I temporarily enable access.
Note there are wider implications in blocking Microsoft, e.g. Azure-hosted websites etc. This can be overcome by segmenting your network devices into access lists. I appreciate I am a bit of a tinfoil hat in this regard. Unfortunately privacy requires some effort (and occasional inconvenience).
ASNs listed for Microsoft are shown here
https://whois.arin.net/rest/org/MSFT/asns
If you are using the pfSense firewall, this article describes how to block by ASN
https://dannyda.com/2021/04/22/how-to-block-asn-autonomous-system-number-with-pfsense-firewall-how-to-block-an-organization-using-pfsense/
I run a Windows 10 VM (to cater for a few necessary programs, e.g. Microsoft Money) within a Linux Mint desktop. I also run pfSense with the pfBlockerNG add-on; this provides a DNS sinkhole capability as well as IP blocking.
Originally I just added every combination of Microsoft-associated DNS names to the sinkhole, but still there appeared to be a lot of data being extracted.
I eventually (as far as I can tell) blocked this by adding every Microsoft ASN I could find (currently 29 in my list) to the IP blocker within pfBlockerNG.
Every time I boot the VM my firewall logs fill up with attempted connections to Microsoft-allocated IP addresses.
Moral of the story: if you want to block Microsoft, do it at the IP level.
As my eyes descended through Kieren's latest update the more my eyebrows rose ... shortly thereafter my jaw joined in and descended, ultimately hitting the floor when I reached the bit about Eleanor Bradley (recently removed from the board) now being appointed as interim CEO. Talk about waving two fingers at the membership!
I wonder if this might act as a catalyst for EGM number 2 (similar to the way the shutdown of the Nominet forum during the AGM seemed to have been the final straw last time).
Of course, where money is involved, those currently in control are unlikely to depart voluntarily ... I fear this may be a long slog to drain the swamp; let us hope Public Benefit are up for a further fight.
@Binraider
If I have understood your intentions correctly, I think that blocking individual Microsoft IP addresses will be akin to "whack-a-mole"; much better to block at the ASN level.
As indicated in my original post, one of the third-party packages I use in pfSense is called pfBlockerNG (pfBlockerNG-devel v2.2.5_33), which allows DNS and ASN blocking. Amongst its killer features is that it will automatically check and update ASN lists, so as additional subnets are added to/removed from an ASN it will update the firewall block lists without any further intervention.
Looking at my firewall logs this morning (post Windows 10 VM boot) I can see the following IP addresses (all Microshaft) on port 443 blocked:
52.114.75.79
13.69.68.25
13.80.7.77
52.114.132.73
These are different from those I listed yesterday and would not be blocked via DNS (no entries listed for IPs).
Personally, if you can, I would recommend switching to pfSense full stop. It is very sophisticated and also free, open source software! While Pi-hole is good (and has a very low hardware requirement), pfSense is IMHO streets ahead in functionality.
For pfSense higher-specification hardware will be required, but it's still relatively modest. I use an Intel NUC (see here https://www.mini-itx.com/~JBC313) which is powered by a 36 W supply. Whatever hardware you use for pfSense, it's strongly recommended that it has Intel NICs and AES-NI on the chipset.
Frankly (whilst I am only a home user) I would feel naked without pfSense. It's also excellent for configuring VPN inbound/outbound connections.
Going off at a tangent: I run a Windows 10 Pro (2004) VM on my Linux Mint desktop. I also run a pfSense firewall with the pfBlockerNG package installed.
Obviously I have blocked Microsoft at a DNS level but have also blocked all the Microsoft ASNs I can find (25 so far). I will allow access to Microshaft but only when I decide it's appropriate (e.g. a Windows Update check); otherwise the Win 10 VM client is blocked.
As soon as I booted the Windows 10 VM this afternoon pfSense reported that it tried to establish a connection (443) to these IPs:
52.114.128.43
52.114.77.33
Whois shows they are both Microshaft
NetRange: 52.96.0.0 - 52.115.255.255
CIDR: 52.96.0.0/12, 52.112.0.0/14
NetName: MSFT
NetHandle: NET-52-96-0-0-1
Parent: NET52 (NET-52-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Microsoft Corporation (MSFT)
RegDate: 2015-11-24
Updated: 2015-11-24
Ref: https://rdap.arin.net/registry/ip/52.96.0.0
Conclusion
You may block Microshaft at a DNS level but it appears to have some hard-coded IP addresses to circumvent this.
As I am somewhat neurotic I operate a similar ASN policy for Facebook, Google, Oracle, Adobe, Yahoo, Twitter, Telegram and Amazon. It can be a bit wearing at times, but at least I decide who has access to what.
Whilst I am only a home user, I also operate a default-block outbound policy on pfSense; it stops any IoT devices phoning home unless specifically authorised.
Think I'll go for a lie down now ....
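The post's reasoning is an IP-level check: does a logged destination fall inside a netblock you hold, and if not, which block is missing? The following is an added example, not code from the post, that does that check with the standard library. The two CIDRs are the MSFT netblocks from the whois output quoted above; the log lines are constructed in an assumed `action,interface,src,dst,dport` layout from the destination addresses reported in this post and in the earlier reply to @Binraider, plus one unrelated documentation address. It shows that one whois lookup covers the 52.114.x.x hits but not the 13.x.x.x ones, which is the case for aggregating by ASN rather than by individual netblock.

```python
# Added example (not code from the post): the IP-level check the post is
# reasoning about, using only the standard library. The two CIDRs are the MSFT
# netblocks from the whois output quoted above; the log lines are constructed
# in an assumed 'action,interface,src,dst,dport' layout from the destination
# addresses this post and the earlier reply to @Binraider reported, plus one
# unrelated documentation address (203.0.113.10, TEST-NET-3).

import ipaddress

MSFT_WHOIS_CIDRS = ["52.96.0.0/12", "52.112.0.0/14"]

CONSTRUCTED_LOG = """\
block,WAN,192.168.1.50,52.114.75.79,443
block,WAN,192.168.1.50,13.69.68.25,443
block,WAN,192.168.1.50,13.80.7.77,443
block,WAN,192.168.1.50,52.114.132.73,443
block,WAN,192.168.1.50,52.114.128.43,443
block,WAN,192.168.1.50,52.114.77.33,443
pass,WAN,192.168.1.50,203.0.113.10,443
"""


def build_networks(cidrs):
    """Parse CIDRs and merge any that overlap or nest, as a refreshed ASN feed would."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def covering_prefix(ip, networks):
    """Longest-prefix match: the most specific block containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net in networks:
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def audit_log(log_text=CONSTRUCTED_LOG, cidrs=MSFT_WHOIS_CIDRS):
    """Split logged destinations into those the prefix list covers and those it misses."""
    networks = build_networks(cidrs)
    covered, uncovered = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _action, _iface, _src, dst, _dport = line.split(",")
        if covering_prefix(dst, networks) is not None:
            covered.append(dst)
        else:
            uncovered.append(dst)
    return covered, uncovered


if __name__ == "__main__":
    hit, miss = audit_log()
    print("covered by the two whois netblocks:", hit)
    print("not covered (need further prefixes):", miss)
```

The uncovered list is the whack-a-mole the earlier reply warns about: each new destination would mean another whois lookup and another alias entry. Feeding the same check from an ASN's full prefix list, refreshed automatically, is what pfBlockerNG does for you; `collapse_addresses` is there because such feeds routinely contain nested blocks that should become a single rule.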
Interesting article entitled "A New Needle and Haystack: Detecting DNS over HTTPS Usage" on the SANS Institute site here
https://www.sans.org/reading-room/whitepapers/dns/needle-haystack-detecting-dns-https-usage-39160
IMHO, for those who like to see what's going through their networks and the security-conscious, it does not make for happy reading ...
Going "off topic": if you are already using pfSense, I would highly recommend that you investigate using its inbuilt DNS server (DNS Resolver) along with a superb third-party add-on package (installed from its package manager) called pfBlockerNG-devel (current version 2.2.5_33), which has massively more functionality than Pi-hole, e.g. it can also block IPs by ASN (auto-updating).
Handy when you block certain domains, the owners of which then hard-code IPs in their code to circumvent DNS blocking; yes, Microshaft, I am looking at you.
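The unhappy reading is that a client using DNS over HTTPS never touches the DNS Resolver, so the sinkhole sees nothing. The following is an added example, not code from the post and not the method of the SANS paper it links; it is a first-pass detector run over constructed flow records that checks three things a practitioner would look at before anything cleverer: a TLS SNI naming a public DoH endpoint, port-443 traffic to a public resolver address with no SNI at all, and a host that talks on 443 but never on 53 while the rest of the LAN still uses the local resolver. The endpoint list is a short assumed sample, the resolver address is assumed, and the record layout and traffic are constructed.

```python
# Added example (not code from the post, and not the SANS paper's method): a
# first-pass detector for DNS-over-HTTPS use, run over constructed flow
# records. The endpoint list is a short assumed sample; the local resolver
# address, the record layout and the traffic are constructed.

from collections import defaultdict

# Assumed sample of public DoH endpoints: hostnames seen in TLS SNI, and the
# resolver addresses a client might reach without sending any SNI.
DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

LOCAL_RESOLVER = "192.168.1.1"  # assumed address of the pfSense DNS Resolver

# Constructed flow records: (src, dst, proto, dport, sni). An empty sni means
# the ClientHello carried none, or the flow was not TLS at all.
CONSTRUCTED_FLOWS = [
    ("192.168.1.20", "8.8.8.8",     "tcp", 443, "dns.google"),      # DoH by name
    ("192.168.1.20", "203.0.113.7", "tcp", 443, "theregister.com"),
    ("192.168.1.21", "1.1.1.1",     "tcp", 443, ""),                # DoH by IP, no SNI
    ("192.168.1.21", "203.0.113.7", "tcp", 443, "theregister.com"),
    ("192.168.1.22", "192.168.1.1", "udp", 53,  ""),                # normal client
    ("192.168.1.22", "203.0.113.7", "tcp", 443, "theregister.com"),
]


def detect_doh(flows=CONSTRUCTED_FLOWS, local_resolver=LOCAL_RESOLVER):
    """Return {src: sorted indicator strings} for every host that trips a check."""
    findings = defaultdict(set)
    saw_53, saw_443 = set(), set()
    for src, dst, proto, dport, sni in flows:
        if dport == 53:
            saw_53.add(src)
        if proto == "tcp" and dport == 443:
            saw_443.add(src)
            name = sni.lower()
            if name in DOH_SNI:
                findings[src].add(f"doh-sni:{name}")
            elif not name and dst in DOH_IPS:
                findings[src].add(f"no-sni-to-resolver:{dst}")
    # A host that browses over HTTPS but never asks the local resolver anything
    # is resolving names some other way.
    for src in saw_443 - saw_53:
        findings[src].add("https-without-plain-dns")
    return {src: sorted(v) for src, v in findings.items()}


if __name__ == "__main__":
    for host, indicators in detect_doh().items():
        print(host, ", ".join(indicators))
```

Each check has an obvious blind spot on its own (SNI can be absent or encrypted, resolver address lists go stale, a host can be quiet on 53 simply because it cached everything), which is why the function reports all three and leaves the judgement to the reader of the output. On a network run the way the post describes, with outbound default-deny and per-device allow rules, the no-SNI case is already dropped at the firewall and shows up in the block log instead.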
I recently disposed of my longstanding .com domain of 20 years' standing and moved to a .uk domain on the basis of its much cheaper annual charge (£6 v £12). Then there is 20% VAT on top as well, which is not insignificant. As I recall, when I started with the .com it was £4.50 pa.
The way I see it, the wider trend is for domain registration to be monetised, hence the only way is up. On acquiring my .uk, for this very reason, I paid 10 years up front.
As an aside, I was originally with the 123reg.co.uk registrar, but IMHO found their behaviour unethical. Their hard sell of the associated .uk domain to match my (then) .co.uk was the final straw. I have been much happier since I migrated out to my new registrar. I hope the reader will forgive a personal recommendation for a private company run by proper techs; yes, I'm talking about you https://www.mythic-beasts.com/article/about
Whilst I do not disagree with the sentiments of the previous poster, to provide some balance, at least as regards Logitech Media Server, I would observe that they still maintain the infrastructure to support the associated mysqueezebox.com.
Also (as I understand it), on discontinuing their hardware products they released the Logitech Media Server (aka SlimServer) software under a GNU Public Licence. Then of course we still have the indefatigable support of Logitech developer Michael Herger in their forums, who also works on the open source side as well.
Logitech Media Server software IMHO is a peach of a product. The outcome could have been worse ... and all is not bad as regards Logitech.
Worried about your privacy? There are suggestions that Startpage is no longer "clean" ... sort of gamekeeper turned poacher.
"Recently there has been lots of talk about Startpage being acquired (or at least partially acquired) by a US company called Privacy One Group, which is a division of System1, a “data science” company that specializes in targeted advertising"
More here
https://restoreprivacy.com/startpage-system1-privacy-one-group/ and here https://blog.privacytools.io/delisting-startpage/
When there are excellent open source solutions available, I have always struggled to see what the attraction of Sonos equipment was (beyond its supposed plug-and-play setup), but that is unlikely to be a concern for the techies here. An earlier poster has commented about the continuing availability of the excellent SqueezeServer (aka Logitech Media Server) and I would likewise highly recommend the software and its underlying ecosystem.
My home music system runs on multiple Raspberry Pi 3 Model Bs with an added combined DAC/AMP HAT running PiCorePlayer OS, with Logitech Media Server on my NAS. Add in iPeng running on any Apple device (and a set of loudspeakers) and you have a fully functional system that can play synchronised music across my whole house.
Added highlights
Multiple plugins available for added functionality, e.g. Tidal, BBC iPlayer, Spotify etc ...
Active and incredibly responsive developers (donating their time for free)
For anyone interested in exploring further I have posted some links below to various sites (this is only really scratching the surface as the possibilities are almost infinite)
(A) Logitech Media Server (LMS) https://forums.slimdevices.com/forumdisplay.php?27-Logitech-Media-Server
(B) LMS Plugins https://forums.slimdevices.com/forumdisplay.php?4-3rd-Party-Software - a particular shout out for Michael Herger (LMS & Spotify) and BPA (BBC iPlayer and iPlayExtra)
(C) PiCore Player OS download https://www.picoreplayer.org/ plus wider explanation of your multiple options
(D) PiCore Player support https://forums.slimdevices.com/forumdisplay.php?3-Linux-Unix
(E) iPeng http://penguinlovesmusic.de/ipeng-8/ (check out the iPeng support thread within forum link B above). This is NOT free but well worth the modest charge; my only connection is as a happy user.
(F) DAC and AMP HAT http://iqaudio.co.uk/hats/9-pi-digiamp.html (other suppliers are available eg https://www.hifiberry.com/shop/)