• 6 Posts
  • 14 Comments
Joined 12 days ago
Cake day: June 18th, 2025

  • If the only thing holding you back from NixOS is my Python comment, my issue was with NumPy, which really really demands that you install it globally. Pretty sure you can make it work by using a dev shell, installing it globally in that shell, then doing everything else in that dev environment normally. I was newish to NixOS at the time.

    Otherwise I tend to fall back to Ubuntu Server, but only because it was something I knew. I preferred CentOS 7 back in the day before Red Hat killed CentOS. NixOS was my move from there. Been using Alpine as the OS in my Docker images, but haven't really explored a lot of other recent Linux OSes at the moment.

  • Ton of comments, and I haven't read them all, but I wanted to ask if you really meant popular or if you wanted something for a specific reason. Easy for new people to Linux, good for desktops, etc. etc.

    I don't really use GUIs on Linux, except for when I want to have a fancy pants riced network monitor type situation. I am a big fan of NixOS except for Python dev stuff. Big fan of being able to clone a machine or recover a machine with a single conf file.

  • Everything you do to customize your browser makes your browser fingerprint unique. But you have a mostly unique fingerprint due to things you aren't considering as well: system related stuff that your browser tells about you.

    You have some options. 1) There are addons that limit privacy issues. 2) Use a local web proxy; I'm using Squid proxy for example, just have it running on an old laptop. Optionally, I would also say, from a privacy standpoint look into DNS blackholing (Pi-hole, Unbound, etc.), and there are plenty of other things.

    My favorite addons are uBlock and Privacy Badger. I run NoScript, which is probably more painful than most are willing to put up with, but I have heard that JShelter is a good compromise.

  • Yeah, I am pretty close to that: Pi-hole to Unbound, Unbound DoT to Cloudflare. What I am doing at this point is bypassing the DNS to ISP, but as I stated in my response above, not yet blocking everything on the net from using the regular stuff. Just feasibility testing at the moment.

    Love the dual setup for DNS. I set my primary to this and my secondary to just Cloudflare at the moment, for when I bork my primary DNS while fiddling with it, haha.

  • “Dnsbl is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet.” 100%. I decided to break up my posts into sub components of the total stack, but to your point, currently I'm enforcing a deny all inbound and outbound at the host level, as the network is shared with the fam and they are not ready for that level of learning (pain, lol).

    I just learned about Unbound, didn't realize it had a blocklist capability, so that's great to know. Gotta dig into it.

    I like that last bit, blocking DoT except for the one approved path. Much like TLS 1.3, it offers insider threat protection against inspection. So with that in mind, when you said you are using Unbound instead of using DoT forwarding, you mean instead of allowing clients to DoT forward, right? That's what I am doing now as well, though I am not actively blocking it yet. Just currently enabling and testing feasibility on a single host to see the performance and operational impacts of privacy/security implementations.

    Curious about your IDS solution. I gotta dig into OPNsense. I know about it, it's been around a long time, but haven't touched it in so long I can't remember its capabilities.
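The resolver chain the two comments above describe (Pi-hole forwarding to a local Unbound, Unbound forwarding over DoT to Cloudflare on port 853, and Unbound's own blocklist entries answering NXDOMAIN locally) as an added unbound.conf example. This is not the commenter's configuration: the listen port, the blocked names, and the CA bundle path are assumed placeholders, and the two Cloudflare resolver addresses are the public 1.1.1.1 / 1.0.0.1 service.

```conf
server:
    # Listen only on loopback, on a port that does not collide with Pi-hole's own 53.
    # Pi-hole's upstream is then set to 127.0.0.1#5335 (port chosen here as an example).
    interface: 127.0.0.1@5335
    access-control: 127.0.0.0/8 allow

    # CA bundle used to validate the upstream DoT certificate (path is the Debian/Ubuntu
    # default; adjust for your distribution).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

    # Built-in blocklist: Unbound answers NXDOMAIN for these zones itself, so the query
    # never leaves the host. Names below are constructed placeholders.
    local-zone: "tracker.example" always_nxdomain
    local-zone: "telemetry.example" always_nxdomain

    # Hardening and privacy defaults worth turning on alongside the forwarder.
    harden-dnssec-stripped: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

forward-zone:
    # Forward everything ("."), and only over TLS; the #name after the port is the
    # certificate name Unbound verifies for that upstream.
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Check the file with `unbound-checkconf` before restarting, then confirm the chain end to end with `dig @127.0.0.1 -p 5335 example.com` and `dig @127.0.0.1 -p 5335 tracker.example` (the second should return NXDOMAIN without any upstream traffic). With this in place, the "one approved path" from the comment above is the Unbound host's outbound 853 to those two addresses; an egress rule that allows 853 only from that host is what stops other clients from forwarding DoT around the Pi-hole.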

  • I should mention that DuckDuckGo recently released an Android browser and it is privacy focused. I can't tell you how well it does its job, BUT the important thing is that it has an experimental feature that creates a virtual network interface that routes comms and blocks phone home attempts and tells you what app is doing what.

    I have had it running for a few months and it's crazy to see how much traffic is going on without your knowledge.