OP's question was about coping with surveillance, but OPSEC plays an important part in those coping mechanisms.
What you want in terms of safety is defined by your threat model.
The safety, though, doesn't come without costs and discomfort.
My approach is to identify for which data sets data, information and intelligence can be gathered, and through which vectors. Whether disruption or distortion is applied depends entirely on the assumed threat model.
We should not forget that the majority of compromising data is gathered when we are spontaneous 🙄
Owning - controlling 😎 infrastructure is the key for everything else.
Segmented networks are quite good. I assume that @0xDEADBEEF set up complete physical isolation without bandwidth sharing. In a SOHO set-up I would recommend a slightly different option - WAN fail-over with VLAN segment isolation and an edge VPN (WireGuard is decent; the optimal is with PSK). That would achieve network redundancy. In a DC or corporate set-up we use a multi-homed network with at least 3 different peers (IP transit providers, so you must have your own ASN) - this could be a SOHO (home and office) option as well, depending on the provider's resources.
A hardware - not cloud - firewall is mandatory; OPNsense will suffice, with pfSense as an alternative. Corporate options such as Palo Alto products are overkill in SOHO.
The quoted backup strategy is quite okay; I wouldn't use any Cloudflare service though. Corporate and personal preference is that backup is performed with rsync via ssh towards a dedicated location - we use RAID6+0 with ZFS and btrfs for storage.
Exquisitely good point. If you are not visible then you are quite visible - particularly in the modern era, when a plethora of data sets can be fetched, cross-compared and analyzed faster than you can call your barrister - with IBM i2 Analyst for instance. What happens when some duty officer sees that you exist yet there are no associated data sets? 😵
The old Latins - Romans - had a proverb: "Silentium est aureum". Today's world requires you to have a script for any possible situation so you don't become suspicious.
Depending on the threat model, LAN cables - copper wires - could be more jeopardizing than WLAN with WEP 😉 due to TEMPEST. Also, electrical connectivity is susceptible to interference, no matter what shielding it has.
We use almost exclusively optical connectivity, but it adds a requirement for media conversion in SOHO. (Un)Fortunately, we must use CAT6 and above standard cables for the terminal part in SOHO.
But, under the threat model of a person not involved in international terrorism, sanctions violation and espionage, shielded copper network cables will be more than sufficient 😉
Whatever DNS solution that isn't in cleartext should be used, as the lack of it could easily destroy the whole security model.
Whenever you can, you should have your own VPN server backend - preferably with a blend of different upstream network providers and LAG - with fail-over in different locations. WireGuard tunnels traffic through UDP, which may be blocked, so an agnostic backup VPN server backend should be available - OpenVPN.
For utmost redundancy and reliability, different L2 and L3 VPN server backends, agnostic to the downstream network set-up, with their fail-overs should be established.
I always disable everything that is considered factory and try to use a tailor-made solution controlled by me. That's especially for items that function as CAM, MIC and for positioning.
Isolation through different virtual instances with separated networking and VPN credentials is a way to protect yourself from cyber threats and possibly even highly qualified threat actors.
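To make the "edge VPN with PSK" recommendation above concrete, here is an added example of a WireGuard point-to-point configuration with a PresharedKey on both ends. This is not the poster's configuration; every key, address and hostname is a placeholder, and the assumed layout (a SOHO edge router peering with one self-hosted backend that fronts a 10.20.0.0/24 segment) is invented for illustration.

```ini
# --- /etc/wireguard/wg0.conf on the SOHO edge router (assumed side A) ---
# Added example, not from the original post. Placeholders in <...> must be
# replaced: private keys from `wg genkey`, public keys from `wg pubkey`,
# and the PSK from `wg genpsk`. The PSK must be identical on both peers and
# distributed out of band; it is mixed into the handshake as a symmetric
# secret in addition to the Curve25519 key exchange.
[Interface]
Address = 10.99.0.1/24
ListenPort = 51820
PrivateKey = <ROUTER_PRIVATE_KEY>

[Peer]
# self-hosted backend (assumed) reachable at a fixed endpoint
PublicKey = <BACKEND_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>
Endpoint = vpn-backend.example.invalid:51820
# only the tunnel address and the remote segment are routed into the tunnel
AllowedIPs = 10.99.0.2/32, 10.20.0.0/24
# keep the NAT mapping alive from behind a SOHO WAN
PersistentKeepalive = 25

# --- /etc/wireguard/wg0.conf on the backend (assumed side B) ---
[Interface]
Address = 10.99.0.2/24
ListenPort = 51820
PrivateKey = <BACKEND_PRIVATE_KEY>

[Peer]
# the SOHO edge router; no Endpoint, it connects inbound from a dynamic WAN
PublicKey = <ROUTER_PUBLIC_KEY>
PresharedKey = <SHARED_PSK>
AllowedIPs = 10.99.0.1/32
```

Bring each side up with `wg-quick up wg0` and confirm with `wg show wg0` that a "preshared key: (hidden)" line appears for the peer; if it is missing on either side, the handshake will fail silently, which is the usual symptom of a PSK typed on only one end. Keep AllowedIPs as narrow as the design needs, since on the receiving side it is also the cryptokey routing table that decides which source addresses a peer is allowed to send.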