monovergent 🛠️

  • 7 Posts
  • 60 Comments
Joined 1 year ago
Cake day: November 27th, 2023

  • The Pixel Tablet with GrapheneOS is the gold standard, but there’s even more than just the tablets with LineageOS support if you are adventurous.

    I was gifted a Samsung Tab A7 Lite, which is without LineageOS support. However, I’ve been able to flash TrebleDroid Generic System Images (GSI), which are vanilla AOSP images modified to support as many devices as possible. They come with no Google apps or services.

    Nearly everything works as expected, performance is much better, and battery life is unchanged. I can even run Android 15 smoothly when Samsung will end support for my tablet with Android 14. If anyone wants a writeup to the best of my memory, feel free to reply.




  • Organic Maps. Living in a somewhat walkable area, it gives me good walking directions. I might be a bit out of touch though since I just commit routes to memory if I’m driving.

    For the occasional satellite map, Google Maps unfortunately. If anyone knows of a privacy-respecting map with satellite views, I’d be interested.


  • In my personal life and in communicating with family, there are few compromises. Most of my compromises come from work.

    Phone: Pixel with GrapheneOS and FOSS apps only as my primary. Old Pixel 4a with GrapheneOS as my secondary, with the main profile as testing grounds for various apps and a second profile holding work apps. WhatsApp seems to be the lowest common denominator for practical communication with colleagues.

    My workplace is BYOD, with MDM only for software licensing. Alongside my customary X230, I carry my lightweight, secondhand X1 Nano, where I have Windows, software licensed alongside said MDM, and Firefox logged into my work Google account.

    Key aspect for me is having work and personal life on separate devices. Not completely airtight, but as good as I can get it without making work any harder than it needs to be.

    Banking: Fortunately everything my bank has to offer can be done through a browser. My plan if a mobile app with Play Integrity ever becomes necessary is to buy a regular Android with a removable battery just to host that app.

    Transport: If I’m on a business trip without access to my car (no spyware, it’s from the 90s) and there is no public transport, I’ll get a friend or colleague to call an Uber for me. I haven’t gone out drinking at night since college and I’m not inclined to do so in the future.

    Maps: Usually Organic Maps suffices, I generally commit routes to memory before going out. For the occasional satellite map, Google Maps in a browser. I have gotten my family to use Magic Earth though.

    Fitness: no actual stats, just a handwritten entry in my daily journal as to whether I followed through with my exercise routine.






  • I wish I found a guide like that back when I first made the move to FDE. Regardless, I was adamantly against reinstalling and painstakingly replicating my customizations, so I came up with a hacky way of tacking on FDE.

    It went something along the lines of:

    1. Shrinking the root partition as much as possible
    2. From Live CD, dd root partition to external drive
    3. Perform minimal encrypted install of Debian
    4. From Live CD, open LUKS container of the newly-installed Debian and overwrite the root partition within with my old root partition.
    5. Update fstab, crypttab, initramfs, and grub
    6. Cross my fingers and reboot
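
A pre-reboot check for step 5 of the list above, as an added example that is not the commenter's own script. It assumes the restored root still carries the `/etc/fstab` and (empty) `/etc/crypttab` of the old unencrypted install, and that `blkid` output was saved to a file from the live CD with the LUKS container open; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: compare crypttab and fstab on the restored root against
# saved `blkid` output before rebooting. Function names are illustrative.

# uuid_type BLKID_FILE UUID: print the TYPE that the blkid output gives a UUID.
uuid_type() {
    sed -n "s/.* UUID=\"$2\".* TYPE=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_boot_config CRYPTTAB FSTAB BLKID_FILE
# Prints one line per problem and returns 0 only when none were found.
check_boot_config() {
    problems=0
    mappings=0
    if [ -r "$1" ]; then
        while read -r name source rest; do
            case $name in '' | '#'*) continue ;; esac
            mappings=$((mappings + 1))
            case $source in UUID=*) ;; *) continue ;; esac
            if [ "$(uuid_type "$3" "${source#UUID=}")" != crypto_LUKS ]; then
                echo "crypttab: $name: $source is not a LUKS container"
                problems=$((problems + 1))
            fi
        done < "$1"
    fi
    if [ "$mappings" -eq 0 ]; then
        echo "crypttab: no mappings, the initramfs will not unlock the root"
        problems=$((problems + 1))
    fi
    while read -r spec mnt rest; do
        case $spec in UUID=*) ;; *) continue ;; esac
        t=$(uuid_type "$3" "${spec#UUID=}")
        if [ -z "$t" ]; then
            echo "fstab: $mnt: $spec does not exist on this machine"
            problems=$((problems + 1))
        elif [ "$t" = crypto_LUKS ]; then
            echo "fstab: $mnt: $spec is the LUKS container, not the filesystem in it"
            problems=$((problems + 1))
        fi
    done < "$2"
    [ "$problems" -eq 0 ]
}

# Usage: sh check.sh /mnt/etc/crypttab /mnt/etc/fstab blkid.txt
if [ "$#" -eq 3 ]; then
    check_boot_config "$@"
fi
```

A clean result only covers the two tables; the initramfs and GRUB configuration still have to be regenerated from a chroot into the restored root.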

  • It’s been quite a journey:

    • Posting accurate personal info to my Google+ account when I first signed up
    • Signing in to Google on my phone and browser
    • Using an Android phone from eBay of dubious origin
    • Sending confidential info via email
    • Using the same Gmail address for everything
    • Signing up for things with my real info when it wasn’t necessary
    • Handing out my phone number to loyalty programs
    • Running hacked game APKs without checking for malware
    • Using the User Agent Switcher extension on MS Edge, which was subsequently updated to include an infostealer
    • Using browser extensions of unknown provenance

    How to avoid:

    • Ironically, Windows 10 started me on my privacy journey. Microsoft was in my face enough with privacy offenses that I began moving to Linux and investing time into my privacy.
    • Don’t post unnecessary info to social media.
    • Never email confidential info.
    • Use a password manager, or at least some organized text file if you have an encrypted disk.
    • FOSS software is more available and user-friendly than ever; always look for a FOSS alternative.



  • The text editor shortcut on my taskbar runs a sort of autosave script in ~/.drafts. I wanted my text editor to function more like the one on my phone so I can just jot down random thoughts without going through the whole ritual of naming and saving. It creates YYYYMMDD_text in ~/.drafts (or YYYYMMDD_text_1 etc. if it already exists) and launches Pluma, which I also have configured to autosave every 10 minutes.

    The other thing extends beyond Linux itself a bit. I like to joke that I have the most secure NT 4 / Windows 95 lookalike ever put together. Aside from the encrypted and hardened Debian base (/boot is also encrypted), I was in part inspired by Apple’s parts pairing (yikes!). So my coreboot is configured to only accept my boot disk. If it’s swapped out or missing, or if I want to boot something else, it will ask for a password. In the unlikely event my machine gets stolen, the thief must at a minimum reflash the BIOS or replace the motherboard to make it useful again. Idk, it amuses me every time I think about it.



  • As someone who deals with Windows software and mobile apps of dubious provenance at a BYOD workplace:

    • Get a separate device with sufficient horsepower to handle whatever work, school, etc. throws at it. Used ThinkPads and unlocked Google Pixels are a good bet.
    • Pick a small and light laptop if you also need to have your primary one on hand. Preferably, both can use the same USB-C charger.
    • Use that device for work-related things and nothing else. Assume it is compromised.
    • Connect to a separate access point if you need to use it at home.

    If a phone or tablet (preferably with GrapheneOS) will suffice, go for it:

    • Recent Android and iOS versions have much stronger sandboxing than PCs and laptops in general. Spyware can still do a lot on mobile devices, but not nearly as comprehensively as on PCs and laptops.
    • i.e. Commercial spyware can easily plant rootkits and kernel-level trackers on a laptop, but this would be much harder on an up-to-date mobile device.
    • For Android devices that support it, limit work and MDM apps to a secondary profile and close that profile when not actively using the phone.
    • Turn off cellular, Wi-Fi, Bluetooth, and location when not actively in use.

    If the offender is your partner, practice good digital hygiene, never let them touch your devices, and good luck.






  • Agree with most of the other posts here. Some of the cheaper faucets I’ve come across have these miserable plastic valves that set you back $15 a pop and last only a year until they break. Then it either jams or water starts dripping.

    That said, an Ikea faucet I got on sale for $20 five years ago still works like it did on day one. In fact, I got two more while it was still on sale, fearing it would break like the other cheap ones, but they’re still sitting in their boxes under the sink.