Use a fork of Firefox (librewolf), or a different open source browser
even if you modify Firefox to remove all telemetry, Mozilla are bad actors, and will update to add new telemetry like Anonym or Cliqz by default after an update. Unless you really trust your package maintainer, use a fork or a different browser
Disable javascript everywhere, or use a browser without javascript, whenever possible
trying to defend against fingerprinting with javascript enabled is futile, even things like your number of cpu threads (navigator.hardwareConcurrency), list of fonts, webgl support, supported codecs, browser permissions, and variations in canvas rendering can be used in fingerprinting
tor browser is the only project I know of that can come close to avoiding fingerprinting with javascript, but even then you’re advised to avoid using javascript with tor browser
use 3rd party clients for things like youtube that would normally need javascript
Set your system-wide DNS to a provider in a country with better privacy laws. I use quad9. Disable DNS over HTTPS (DoH) in Firefox if you have it enabled, as it sends DNS queries to cloudflare, which may be even worse than sending your DNS queries to your default ISP servers (also disable DNS prefetch). If you’re hosting a DNS server, you can also set up a DNS blocklist if you use something like unbound or unwind.
I would get away from proton, they’re too popular and too much of a target, and most critically they fucked over a climate protestor, and then removed “we do not keep any IP logs” from their privacy policy. If they’re willing to lie about that, what else are they willing to lie about? If you want a fun project, set up your own mail server. Easy (relatively speaking) to do on OpenBSD with a cheap VPS provider like buyvm. Password manager is easy enough to write yourself with an openssl script, or you can use some other open source password manager if you hate scripting. Storage should be cheaper on a VPS than whatever proton is providing, and you can even host your own VPN (though this has potential to be easily routed back to you unless you serve multiple users with your VPN).
Disable javascript everywhere you don’t need it. I use qutebrowser, and javascript is disabled by default, and I only reluctantly enable it per-domain when I absolutely have to.
Use 3rd party open source clients for propietary apps, or move to open source ecosystems (like lemmy!).
I would get off of Android all together, and switch to a real Linux phone, if you can tolerate the jank. I don’t trust Google not to put a backdoor in the Android kernel (which forked all the way back at Linux 2.something). You could also try switching to a dumb phone, but those still run some amount of spooky blackbox software and I wouldn’t totally trust it from any major phone manufacturer.
It will contain software that is also centrally licenced so that your boss doesn’t have to figure out how to pay for thousands of dollars of software, they can just tell IT to bill a licence for software X to your cost centre at $13.75 a month.
To think they could be paying nothing for better software instead.
It will contain company sensitive data which will usually be encrypted by bitlocker, whose keys are stored with your domain account.
As soon as you need to decrypt that data, you’re at best trusting that data to the NT kernel if you use a memory filesystem.
It will have a domain login that is your corporate identity which will usually require multi factor authentication.
I’ve never heard the terminology domain account. Does it prevent you from using a different OS?
It will have the usual Teams/Outlook/SharePoint stuff with a centralised calendar and contacts for your company, and likely security classifications for all the communications you do through it, allowing you to join groups, accept invites to restricted groups, and limit access, all linked to your domain account.
I’d be surprised if there wasn’t some way to get some of these to work on not-windows / not-macos. Either a webclient or Pidgin, the everything client :)
If you’re on Linux, the company may have even released a proprietary native client, but I’d consider that a last resort as it compromises security and privacy.
It will probably have OneDrive, synced to a corporate server, again, linked to your domain account.
And finally, your work laptop does not belong to you. Wiping it and installing Linux plus Wine and keeping company sensitive data on an unmanaged device will attract the ire of HR.
If your HR is that cancer I’d try looking for a different company. If they are scared of “unmanaged” devices why are they using a spyware OS.
Your IT department won’t give a crap. But they also won’t help if anything doesn’t work, such as trying to join a domain to access allllll those domain-linked features with an unauthorised device.
You shouldn’t be using Unix in production unless you know how to use Unix, I agree.
Just make the file root owned and readable by no one. An unreadable file can’t be copied. You can use chattr to add some flags like immutability if you desire (shouldn’t really need to). Use a command like find /some/path -type f -exec chattr whatever {} ; if you need to do this recursively. Root account should need a password, and should (hopefully) not be accessable with an unprivileged user’s password through sudo/doas, but on its own account with it’s own password using su or login.
Note that without encrypting the file, this does not protect you from someone just grabbing your storage device and mounting it with root permissions and then they can do whatever they want with your data. It also doesn’t protect you if someone gets root access to your device through other remote means. If you want to encrypt the file, use something like openssl some-cipher -k ‘your password’ -in file -out file.cipher_ext. If you want to encrypt multiple files, put them in a tarball and encrypt the tarball. You can again also use find with openssl to encrypt/decrypt recursively if you don’t want to use a tarball, which may be better with ciphers like blowfish that aren’t secure at large file sizes; but if you do that, you expose your encrypted file system structure to attackers.
I am not a fan of full disk encryption, because it usually means leaving all your data decrypted during runtime with how most people use it. If you only decrypt a block device when you need to, there’s nothing wrong with that, and can work as an alternative to encrypting a tarball.
Telemetry you can’t easily disable (requires modifying about:config, can change on update), Glean (nastier than anything in chrome), DoH to cloudflare, pocket (adware), Anonym.
Chrome being worse than Firefox doesn’t make Firefox’s default telemetry, adware, and DoH to cloudflare good. When the bar is Chrome, essentially any browser passes.