Here's my 2 cents ramble.
> So I'm trying to prepare a simple but complete todo list.
This reminds me of a joke: "I've read your manuscript and it was original and
clever. However, the parts that were original were not clever and the parts
that were clever were not original!" I.e. you won't succeed in that. Security
is a process, and a very complex process at that.
> I've read about the proper use of Tor, and Snowden's software list.
I don't really know why Tails is worth it (besides being fully torrefied),
but if it's good enough for him, it's good enough for me.
Anonymity is tails' only professed value. Unfortunately freedom takes a
backseat as tails uses e.g. the vanilla kernel. Also if I was a powerful spy
actor I guess the binary blobs in Linux might be quite tempting. Linus really
should man up and kick the blobs from the kernel...
One issue with tor are the web browser extensions, e.g. you're more private
browsing with Noscript, yet that will set you apart from the flock using the
default tor browser without Noscript. Ditto all other security enhancing
extensions...
One horror story is Intel vPro/AMT. If the hardware is compromised no
software can make it secure.
Yet another of the hard challenges is our own behavior online. We can
compromise ourselves in a million different ways online. That combined with
an illusion of privacy can lead to nasty results. Paranoia is good but
self-censorship should be avoided as far as possible...
I guess one thing we all should do it fire up Wireshark and see and actively
keep an eye on exactly what kind of traffic our machines are spewing.
> The hard work is to determine what's truly important.
Indeed. It's a great subject to think about. Look forward to hearing replies
from knowledgeable people.