Wording / formatting
All checks were successful
continuous-integration/drone/push Build is passing

This commit is contained in:
Sam A. 2023-04-23 19:37:42 +02:00
parent 27ac107f9c
commit 5e557a141f
Signed by: samsapti
GPG key ID: CBBBE7371E81C4EA
5 changed files with 161 additions and 178 deletions

View file

@ -4,19 +4,17 @@ title: About Me
## Overview
My name is Sam Al-Sapti. I'm a 6th semester Software Development B.Sc.
student at the IT-University of Copenhagen. My main interests are
backend development, DevOps, DevSecOps, IT security, open-source and
Linux.
My name is Sam Al-Sapti. I'm a 6th semester Software Development B.Sc. student
at the IT-University of Copenhagen. My main interests are backend development,
DevOps, DevSecOps, IT security, open-source and Linux.
Furthermore, I'm an advocate for online privacy, I'm against attention
economy and surveillance capitalism, I'm a big supporter of the Free
Software movement, I'm a digital minimalist, and I'm a member of
[data.coop](https://data.coop) (I'm also one of the system
administrators). Also, you won't find me on
[Facebook](https://fsf.org/fb) or any other social media platform
(except for [LinkedIn](https://www.linkedin.com/in/sam-a-dev/), but
that's not really a social media platform).
Furthermore, I'm an advocate for online privacy, I'm against attention economy
and surveillance capitalism, I'm a big supporter of the Free Software movement,
I'm a digital minimalist, and I'm a member of [data.coop](https://data.coop)
(I'm also one of the system administrators). Also, you won't find me on
[Facebook](https://fsf.org/fb) or any other social media platform (except for
[LinkedIn](https://www.linkedin.com/in/sam-a-dev/), but that's not really a
social media platform).
## My skills
@ -41,17 +39,16 @@ Some technologies and tech concepts I'm familiar with are:
I host some online services that you're welcome to use free of charge.
* [Lingva](https://translate.sapti.me)
- [Lingva](https://translate.sapti.me)
([onion service](http://22qfd63ax4zt5arctpfh62kvjekap7yrdfzwq5kv5jvhew5hcpq6vgyd.onion)) -
An alternative way of accessing Google Translate without being
tracked.
* [SearXNG](https://search.sapti.me)
An alternative way of accessing Google Translate without being tracked.
- [SearXNG](https://search.sapti.me)
([onion service](http://gbat2pbpg7ys3fi3pbp64667tt5x66mg45xok35bxdw7v55brm7a27yd.onion)) -
A metasearch engine that gets its results from other search engines
while protecting your privacy.
* [An SMP server](smp://PUDVvQiNbsYG6gXYC2-GYUIQnNICi3BoxKGDKWX55uM=@smp01.simplex.sapti.me,pcexmrs4eod35vdvidq47jce7mnsfm26j27anttoy4zprc25pulkcfyd.onion) -
A server used by [SimpleX Chat](https://simplex.chat)
to relay messages between users. Server address:
A metasearch engine that gets its results from other search engines while
protecting your privacy.
- [An SMP server](smp://PUDVvQiNbsYG6gXYC2-GYUIQnNICi3BoxKGDKWX55uM=@smp01.simplex.sapti.me,pcexmrs4eod35vdvidq47jce7mnsfm26j27anttoy4zprc25pulkcfyd.onion) -
A server used by [SimpleX Chat](https://simplex.chat) to relay messages
between users. Server address:
```txt
smp://PUDVvQiNbsYG6gXYC2-GYUIQnNICi3BoxKGDKWX55uM=@smp01.simplex.sapti.me,pcexmrs4eod35vdvidq47jce7mnsfm26j27anttoy4zprc25pulkcfyd.onion
```
@ -59,8 +56,8 @@ I host some online services that you're welcome to use free of charge.
## Want to know more?
Feel free to contact me if you want to know more about me. As I'll be
completing my bachelor's degree this summer, I'm currently on the
lookout for a full-time job. As such, if you're a recruiter, you're more
than welcome to contact me as well.
completing my bachelor's degree this summer, I'm currently on the lookout for a
full-time job. As such, if you're a recruiter, you're more than welcome to
contact me as well.
Find my contact information [here]({{< relref "contact.md" >}}).

View file

@ -40,7 +40,7 @@ matrix_sessions:
## Signal
I use Signal for messaging as well. If you have my number, feel free to message
me there. If not, you can get it by contacting me via one of the above contact
me there. If not, you can get it by contacting me via one of the other contact
methods.
## SimpleX Chat

View file

@ -20,8 +20,7 @@ sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2023-05-18]
Key fingerprint = FA9B 317E D1D3 4906 46CC D154 899C 7CF4 B526 656F
```
You can download it [here](/pgp.asc), via WKD or from your preferred
keyserver.
You can download it [here](/pgp.asc), via WKD or from your preferred keyserver.
<details>
<summary>
@ -37,30 +36,29 @@ keyserver.
- Change expiry for subkeys or the master key itself
- Sign other keys
My private master key is only ever accessed on an airgapped machine,
with no internet or wireless communication capabilities (all wireless
components physically removed), no camera or microphone and no
persistent storage. This airgapped machine is booted with the latest
version of [Tails OS](https://tails.boum.org). The master key is
protected by a long and secure passphrase and stored on an encrypted
storage medium, which itself is stored in a safe place.
My private master key is only ever accessed on an airgapped machine, with no
internet or wireless communication capabilities (all wireless components
physically removed), no camera or microphone and no persistent storage. This
airgapped machine is booted with the latest version of [Tails
OS](https://tails.boum.org). The master key is protected by a long and secure
passphrase and stored on an encrypted storage medium, which itself is stored
in a safe place.
### Subkeys
My subkeys are stored on an OpenPGP smartcard for daily use. The
smartcard makes sure that the local machine never has direct access to
the keys. It is protected by a pin-code and requires a physical touch
on every cryptographic operation.
My subkeys are stored on an OpenPGP smartcard for daily use. The smartcard
makes sure that the local machine never has direct access to the keys. It is
protected by a pin-code and requires a physical touch on every cryptographic
operation.
### Revocation and expiry
I usually set my master key to be valid for 2 years at a time. I will
always extend it at least 1 week prior to the expiry date. The same
goes for my subkeys, which are set to be valid for 6 months at a time.
I usually set my master key to be valid for 2 years at a time. I will always
extend it before the expiry date. The same goes for my subkeys, which are set
to be valid for 6 months at a time.
If my keys are ever compromised, I have a revocation certificate,
stored in a safe place, that I will publish to this website and
various keyservers.
If my keys are ever compromised, I have a revocation certificate, stored in a
safe place, that I will publish to this website and various keyservers.
</details>
@ -76,58 +74,54 @@ keyserver.
#### Level 0: Generic verification (`sig`/`0x10`)
This certification level is used if I have somehow verified that you
are in control of the email address(es) of the UID(s) to be signed.
No assertions are made about your identity.
This certification level is used if I have somehow verified that you are in
control of the email address(es) of the UID(s) to be signed. No assertions
are made about your identity.
#### Level 1: No verification (`sig1`/`0x11`)
This certification level is used when I have not safely verified you
as the keyholder, but I merely _believe_ that you own the key in
question.
This certification level is used when I have not safely verified you as the
keyholder, but I merely *believe* that you own the key in question.
#### Level 2: Casual verification (`sig2`/`0x12`)
This certification level is used when I have verified your identity
with at least one form of photo ID (government-issued or equally
secure), that your identity matches that of the UID(s) to be signed,
and that you are in control of the email address(es) of the UID(s) to
be signed.
This certification level is used when I have verified your identity with at
least one form of photo ID (government-issued or equally secure), that your
identity matches that of the UID(s) to be signed, and that you are in control
of the email address(es) of the UID(s) to be signed.
#### Level 3: Extensive verification (`sig3`/`0x13`)
This certification level is used when I am _absolutely sure_ that you
are in fact the keyholder. This means that either you are someone I
know personally and trust, or that someone I ultimately trust have
notified me that you want a signature and have given me your key
fingerprint in a secure manner.
This certification level is used when I am *absolutely sure* that you are in
fact the keyholder. This means that either you are someone I know personally
and trust, or that someone I ultimately trust have notified me that you want
a signature and have given me your key fingerprint in a secure manner.
### Signing process
The signing process consists of 2 steps:
1) Verification will take place either in person or over video call.
If we meet in person, you will give me a physical copy of your key
fingerprint. If verification takes place over video call, you will
give me your key fingerprint verbally.
2) You will have to send me your public key from the email address
associated with one of the UIDs to be signed. The email has to be
signed. I will then sign the key and send it back to the same
email address in encrypted form.
1) Verification will take place either in person or over video call. If we
meet in person, you will give me a physical copy of your key fingerprint. If
verification takes place over video call, you will give me your key
fingerprint verbally.
2) You will have to send me your public key from the email address associated
with one of the UIDs to be signed. The email has to be signed. I will then
sign the key and send it back to the same email address in encrypted form.
</details>
## SSH key
If you need to give me shell access to your server or similar, please
use the following public SSH key:
If you need to give me shell access to your server or similar, please use the
following public SSH key:
```txt
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti
```
If your SSH server does not support FIDO2-protected SSH keys, use this
fallback key instead:
If your SSH server does not support FIDO2-protected SSH keys, use this fallback
key instead:
```txt
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332

View file

@ -13,95 +13,90 @@ tags:
series: []
---
I wanted to write this blog post (and by the way, this is my first) to
shed some light on my recent choice of email provider. You see, Proton
Mail is a great email service, and I've used them for years, but it just
doesn't fit my needs anymore. This is due to a number of reasons, but
it's primarily due to some issues with external PGP handling (I'll talk
more about this later on) and their recent change of direction.
I wanted to write this blog post (and by the way, this is my first) to shed
some light on my recent choice of email provider. You see, Proton Mail is a
great email service, and I've used them for years, but it just doesn't fit my
needs anymore. This is due to a number of reasons, but it's primarily due to
some issues with external PGP handling (I'll talk more about this later on) and
their recent change of direction.
## Centralization and Proton's new direction
One of the main reasons I chose to switch, is the new direction Proton
is going in. Recently, they've revamped all of their products and their
website, to make it more clear that both Proton Mail, Proton VPN, Proton
Calendar and Proton Drive is under the same family/suite (notice how
there's a space now in their product names, that's one of the changes).
All of this is great for many reasons, now it actually feels like an
alternative all-in-one solution to something like Google's, and I'm sure
this will benefit them in the long run and appeal to more people. A lot
of people like these kinds of ecosystems, because it usually increases
ease of use and convenience. In fact, this change now allows Proton to
better integrate their products together. For example, you can now
easily send large attachments via email, by letting Proton Mail
automatically upload the file to Proton Drive and send a share link in
the email, instead of attaching it in the email itself. All of the
changes are outlined in
[this article](https://proton.me/news/updated-proton) by Proton's CEO,
Andy Yen.
One of the main reasons I chose to switch, is the new direction Proton is going
in. Recently, they've revamped all of their products and their website, to make
it more clear that both Proton Mail, Proton VPN, Proton Calendar and Proton
Drive is under the same family/suite (notice how there's a space now in their
product names, that's one of the changes). All of this is great for many
reasons, now it actually feels like an alternative all-in-one solution to
something like Google's, and I'm sure this will benefit them in the long run
and appeal to more people. A lot of people like these kinds of ecosystems,
because it usually increases ease of use and convenience. In fact, this change
now allows Proton to better integrate their products together. For example, you
can now easily send large attachments via email, by letting Proton Mail
automatically upload the file to Proton Drive and send a share link in the
email, instead of attaching it in the email itself. All of the changes are
outlined in [this article](https://proton.me/news/updated-proton) by Proton's
CEO, Andy Yen.
Personally though, this does not appeal to me. I'm not a fan of
ecosystems and having all my eggs in one basket, and I'm a huge fan of
self-hosting. You see, I'm a big proponent of decentralization. One
aspect of decentralization is to not have everything in one place, when
you don't control that place. For example, I wouldn't have both my
email, calendar, contacts and cloud storage with Google, and neither
would I with Proton. Instead, I self-host my cloud storage, calendar,
contacts, to-do lists, and notes with the help of
[Nextcloud](https://nextcloud.com) at home on a Raspberry Pi. This way,
even though it's all in one place, I'm the one in control of the server
hosting it and what happens with it.
Personally though, this does not appeal to me. I'm not a fan of ecosystems and
having all my eggs in one basket, and I'm a huge fan of self-hosting. You see,
I'm a big proponent of decentralization. One aspect of decentralization is to
not have everything in one place, when you don't control that place. For
example, I wouldn't have both my email, calendar, contacts and cloud storage
with Google, and neither would I with Proton. Instead, I self-host my cloud
storage, calendar, contacts, to-do lists, and notes with the help of
[Nextcloud](https://nextcloud.com) at home on a Raspberry Pi. This way, even
though it's all in one place, I'm the one in control of the server hosting it
and what happens with it.
I can definitely see why Proton chose to go in this direction, and I
fully support them. But they should also expect, and I'm sure they did,
that some of their customers wouldn't want this change of direction. I
have nothing against Proton as a company, but having my digital life
centralized with one company is just not my cup of tea.
I can definitely see why Proton chose to go in this direction, and I fully
support them. But they should also expect, and I'm sure they did, that some of
their customers wouldn't want this change of direction. I have nothing against
Proton as a company, but having my digital life centralized with one company is
just not my cup of tea.
## The way Proton Mail handles PGP
Proton Mail offers zero-access encryption of your inbox, meaning all of
your emails are encrypted, and only you have access to read them after
unlocking them with your password. Behind the scenes, this works by each
customer having a PGP key pair stored on their servers, with the private
key being encrypted by the customer's password. This means that not even
Proton themselves can read your emails, and this is great for privacy.
Proton Mail offers zero-access encryption of your inbox, meaning all of your
emails are encrypted, and only you have access to read them after unlocking
them with your password. Behind the scenes, this works by each customer having
a PGP key pair stored on their servers, with the private key being encrypted by
the customer's password. This means that not even Proton themselves can read
your emails, and this is great for privacy.
PGP has been a standard for email encryption for many years, and it's
widely used for sensitive communication via email. Proton has taken PGP
and integrated it into their email service, automatically providing
end-to-end encrypted emails between Proton Mail users (it also works
with other email providers, but it requires some setup by the
communicating parties). The thing is though, that you're not in control
of the private PGP key when using Proton Mail's PGP integration. Even
though it is encrypted on their servers, and only I can decrypt it, I
want to be in control of my private key myself. This also relates to the
centralization problem I described above. By using Proton Mail, I
PGP has been a standard for email encryption for many years, and it's widely
used for sensitive communication via email. Proton has taken PGP and integrated
it into their email service, automatically providing end-to-end encrypted
emails between Proton Mail users (it also works with other email providers, but
it requires some setup by the communicating parties). The thing is though, that
you're not in control of the private PGP key when using Proton Mail's PGP
integration. Even though it is encrypted on their servers, and only I can
decrypt it, I want to be in control of my private key myself. This also relates
to the centralization problem I described above. By using Proton Mail, I
entrust my email security with a central entity.
This one is more on the technical side of things. I've had some not so
great experiences when trying to use my own PGP key on top of Proton
Mail's encryption. For example, my signatures wouldn't be recognized by
the recipient's email client, due to the second layer of encryption that
is Proton Mail's PGP integration. Because I want to use my own PGP key,
that I'm in control of myself, this doesn't work for me.
This one is more on the technical side of things. I've had some not so great
experiences when trying to use my own PGP key on top of Proton Mail's
encryption. For example, my signatures wouldn't be recognized by the
recipient's email client, due to the second layer of encryption that is Proton
Mail's PGP integration. Because I want to use my own PGP key, that I'm in
control of myself, this doesn't work for me.
## Conclusion
With all that said, I want to end this blog post by saying this: Don't
go ahead and delete your Proton account solely based on what I'm saying.
This is my own personal opinion. If you're someone who's not very
technical and/or are satisfied with what Proton is offering, then stay.
I'm not here to trash talk Proton and tell everyone to abandon them. I
think Proton offers some great privacy preserving services and their
line of products is perfectly suitable for a lot of people, and their
work is important in the privacy world. I'm just someone who's a bit
more technical than the average person, and because of that, Proton Mail
is just not a fit for me personally. For the average person, Proton is
fantastic, and I can only recommend them if you're wondering which
With all that said, I want to end this blog post by saying this: Don't go ahead
and delete your Proton account solely based on what I'm saying. This is my own
personal opinion. If you're someone who's not very technical and/or are
satisfied with what Proton is offering, then stay. I'm not here to trash talk
Proton and tell everyone to abandon them. I think Proton offers some great
privacy preserving services and their line of products is perfectly suitable
for a lot of people, and their work is important in the privacy world. I'm just
someone who's a bit more technical than the average person, and because of
that, Proton Mail is just not a fit for me personally. For the average person,
Proton is fantastic, and I can only recommend them if you're wondering which
email, VPN, calendar or cloud storage provider to use.
You might be asking, what am I using now then? I'm now a happy customer
over at [mailbox.org](https://mailbox.org), and if you're like me, you
should totally check them out. If not, go ahead and keep your Proton
account (you have one, right?).
You might be asking, what am I using now then? I'm now a happy customer over at
[mailbox.org](https://mailbox.org), and if you're like me, you should totally
check them out. If not, go ahead and keep your Proton account (you have one,
right?).

View file

@ -13,36 +13,34 @@ This website and the free services are owned and hosted by Sam Al-Sapti.
## What data is collected
No data is collected about the site's visitors. The webserver's access
logs are discarded immediately, so the server doesn't persist any IP
addresses or other personally identifiable information. Moreover, if
you access this site over a VPN or Tor connection (`.onion` link
available at the bottom of the page), the site won't even be able to
learn your IP address in case of a compromise.
No data is collected about the site's visitors. The webserver's access logs are
discarded immediately, so the server doesn't persist any IP addresses or other
personally identifiable information. Moreover, if you access this site over a
VPN or Tor connection (`.onion` link available at the bottom of the page), the
site won't even be able to learn your IP address in case of a compromise.
Furthermore, the hosting provider of this site is
[Hetzner Online GmbH](https://www.hetzner.com/). According to their
privacy policy, they do not store any log data either. Please refer to
their privacy policy for further information.
Furthermore, the hosting provider of this site is [Hetzner Online
GmbH](https://www.hetzner.com/). According to their privacy policy, they do not
store any log data either. Please refer to their privacy policy for further
information.
If you use my SearXNG instance however, the built-in limiter plugin will
collect your IP address in hashed form. Hashing is a one-way encryption
method that allows data to be encrypted, but not decrypted. This means
that the server does not learn your real IP address, but only a one-way
encrypted version of it so that it can detect IP addresses that behave
maliciously and rate limit connections from those. Furthermore, this
database of hashed IP addresses is stored in memory only, and is not
used for any other purpose than rate limiting. A single hashed IP
address is stored for a maximum of 10 minutes after the last request
from it.
collect your IP address in hashed form. Hashing is a one-way encryption method
that allows data to be encrypted, but not decrypted. This means that the server
does not learn your real IP address, but only a one-way encrypted version of it
so that it can detect IP addresses that behave maliciously and rate limit
connections from those. Furthermore, this database of hashed IP addresses is
stored in memory only, and is not used for any other purpose than rate
limiting. A single hashed IP address is stored for a maximum of 10 minutes
after the last request from it.
## Cookies
No cookies are used on this website. However, your browser's local
storage is used to save your color scheme preference if you ever change
it manually. SearXNG can optionally use cookies to store settings if you
choose to change them from the default. Your settings can alternatively
be stored in a custom URL instead.
No cookies are used on this website. However, your browser's local storage is
used to save your color scheme preference if you ever change it manually.
SearXNG can optionally use cookies to store settings if you choose to change
them from the default. Your settings can alternatively be stored in a custom
URL instead.
## Embedded third party content
@ -50,13 +48,12 @@ Currently no third party content is embedded on this site.
## Analytics
No analytics are used on this site. SearXNG measures aggregate
statistics on how upstream search engines perform, but this does not
include any user data.
No analytics are used on this site. SearXNG measures aggregate statistics on
how upstream search engines perform, but this does not include any user data.
## Changes to this privacy policy
I reserve the right to update this privacy policy from time to time. I
constantly keep it up to date with the latest changes. If this policy
is changed substantially, I will put a clear notice on the front page
for at least 7 days.
constantly keep it up to date with the latest changes. If this policy is
changed substantially, I will put a clear notice on the front page for at least
7 days.