Just leave your phone at home, and bring a Digital camera, and few SD Cards ... Oh, wait.. < insert company name here > makes Cameras that spy on you... nevermind...
maybe we should hire a fast sketching artist to draw police brutality ... What.!... your pencil can track you now... come...ooooonnn
Burner phones are a strange concept. If you want to store sensitive data on it, you shouldnt use some cheap android phone or even a dumbphone without encryption support.
All Android phones have Google malware installed by default, as system apps, which means those apps can do whatever they want.
So every piece of data you put on there is possibly tracked and collected.
Then there are 2 more problems
the software is proprietary and cannot be externally wiped clean
the software is outdated
This makes it vulnerable to Pegasus attacks and others. There are tons of secure practices to avoid getting it, like LTE-only, HTTPS only, encrypted and trustworthy DNS, sandboxed processes, blocked javascript execution from unknown websites...
But still if the phone is outdated there are unpatched and publicly known security issues. Just spamming them at all phones is likely to succeed as so many people run vulnerable versions, as vendors suck.
Then if you have pegasus, the only way for security is to reflash the A/B partitions, both. Factory reset is not secure as it will keep what is already in the system partitions.
The firmware is protected and signed by the vendors, so it is likely clean.
But Pegasus installs itself to the phone storage.
If you A cant obtain factory images or B cant flash the phone at all, you cannot wipe it clean.
So a good activism phone needs
trustworthy and minimal system apps / stock software
modern software updates
possible to reflash whole device externally
nice to have: ability to verify checksum of system partition, like GrapheneOS Attestation
This makes them poorly pretty expensive. I think a slightly outdated GrapheneOS phone is okay though.
Yes I know, and I want to try DivestOS one time. But they do incomplete patches.
They cannot update the kernel themselves or even worse the firmware. The kernel needs to be built and patched for the specific hardware, GrapheneOS relies completely on Google here. And the firmware needs to be signed by the vendors, so no chance either.
And especially baseband, cellular stuff has extremely many vulnerabilities in the code.
Most of that is solved by installing a ROM that's not user hostile, keeping it updated of course, and using the phone strictly as a purpose specific device.
That means you run a trusted VPN on it so HTTP/S and DNS concerns go out the window.
Sandboxed processes, blocked JS? Fine if you only install what's necessary and don't use the web browser. JS blocking is not a huge hurdle though, ublock does it with just 2 clicks.
Then if you have pegasus, the only way for security is to reflash the A/B partitions, both. Factory reset is not secure as it will keep what is already in the system partitions.
That's right but I don't think that this is enough. If the Pegasus malware (package) really is able to do that many things, it's a walk in the park for it to modify any of the partitions, including that which contains the modem, or just data like the modem's IMEI and MAC addresses.
In the cause I would either restore a backup of all partitions, or throw the phone away (not literally).
The firmware is protected and signed by the vendors, so it is likely clean.
Except if they patched the verification mechanisms of the OS.
Also, the firmware may be protected, but what about data partitions which are read by vulnerable software.
This makes them poorly pretty expensive. I think a slightly outdated GrapheneOS phone is okay though.
Are you sure? My 6 years old phone still receives LOS updates
Not sure if VPN eliminates all risks with 2G and 3G, maybe it does.
Sandboxing, javascript
Vanadium has sandboxing but its javascript blocking is useless (no granular control)
Mull has no process isolation at all, but support for UBO and Noscript. Bad situation
it's a walk in the park for it to modify any of the partitions
These cannot be written without TPM verification or stuff, ask GrapheneOS devs about that, I dont know. The firmware signing is required, the verification will not be done inside the OS, that would be totally flawed.
If they have the firmware signing keys, they can fuck you. If they dont, they can only write to the system partition, and Attestation can see that.
Reading data has nothing to do with that. They likely can, but that doesnt matter.
My 6 years old phone still receives LOS updates
This will not include firmware and likely even the kernel.
Not sure if VPN eliminates all risks with 2G and 3G, maybe it does.
It doesn't, but probably even on modern phones it only does if you explicitly set it to only use 4G but nothing below that.
Mull has no process isolation at all, but support for UBO and Noscript. Bad situation
If you only visit known reputable websites it's probably not really a problem, but also, I think there are chromium browsers that have addons. Not sure though if there's one that besides that also has the security patches.
These cannot be written without TPM verification or stuff
I doubt that it couldn't be written, I believe TPM can only verify its contents and make the phone refuse to boot if it doesn't agree on the authenticity of the partition contents.
However it's also a question which partitions are checked that way: only the system partition? Or more? Probably not all, because they can't verify e.g. the main user data partition, because it's ever changing contents were never signed by the manufacturer. There's a few dozens of partitions usually so this is not trivial to answer.
the verification will not be done inside the OS, that would be totally flawed.
Yes, verification is done by one of the bootloaders. At least partly, the OS and maybe other layers must be doing it too, just remember why Magisk had a feature to hide it's processes and the controlling app itself from select system services and other apps.
Reading data has nothing to do with that. They likely can, but that doesnt matter.
Didn't mean that. I meant writing data that is later being read by other important system software that is vulnerable to specially crafted quirks in that data.
Not sure but GrapheneOS has an "LTE only" mode, stock Android only has preferred Network afaik.
visiting only known websites is not a scaleable option, a browser needs to be secure. Kiwix is the browser that basically runs desktop Chromium on Android, so it has Addon support. But that is also soon manifest v3 restricted, and likely pretty insecure.
of course the user data partition is not checked, but every other important one. I have not tested what would happen when it is modified though.
I dont know what magisk did, but I think that is only about Google Play adding their "safety" scanning to the OS. Nothing regarding boot. But yes, likely there could, can or should be OS components scanning things too.
Googles stuff is pretty insecure, for example the latest SafetyNetFix simply disabled hardware cryptography, as they still support insecure phones.
For sure this is very complex and there are always vulnerabilities found in Android and GrapheneOS.
The point is not cheapness but that you don't care about the future of that phone. It's only a tool for the protest, if it lasts longer that's good but you expect it to get confiscated and never given back, you don't care what cops did with it if you get it back, it does not have data you need in your daily life or anything irreplaceable, and you're not really afraid that it gets destroyed by accident or maliciously.
But what if you get it back? Or if you just keep it?
There is a chance that you have Pegasus on there, and I wouldnt want a phone without the detection of this.
You attempt to flash your full backup to it. And maybe then read it back if you can for verification that it was actually written to memory, but that probably won't be possible when using fastboot. That's all you can do that's reliable, to some extent.
No, its better to have a smart device that syncs photos to your encrypted cloud in case you're attacked and your attacker breaks your SD card to destroy the evidence
Maybe also just consider any email insecure by default ? Like it's fcking email, having privacy, let alone security or anonymity is just like trying to mod a skateboard into a secure highway vehicule imho
Good for Mullvad. Long overdue, as they say. Wish I could still be a customer. Whoever induced them to turn off port forwarding did the world a disservice.
The possibility that some of those bad customers might've had the specific objective of permanently crippling the service as they successfully did is often under-appreciated.
Layer one: "front line": folks should be acting on passive listen/pushed information from folks far back that will not get kettled or trapped. Media they collect should be Livestreamed for safe storage... But they should be focused on non violent protest, emit the protest message and find/eject bad actors. Equipment should be "burner" quality, wiped and purpose setup with the expectation of seizure.
Layer 2: "observe, document, report": folks should be using encrypted apps to communicate, and should intend to not be arrested, and to collect as much quality content as possible. These folks should be ready to be arrested, but avoid as possible.
Layer 3: "coordinate": these folks should be digesting all possible data about risks, police activity, lawful orders, movements, etc. They should be feeding information about proper actions. They should use encrypted tools but plan to avoid arrest.
Ror this one I think they advertised somewhere that the groups would still be available if you download the apk from their website, I did this and I can still see the hamas group
Say, if I run only OpenBSD, carefully selecting non-base applications, with tightened setup and so on, the baddies may just come when I'm not at home and flash a trojan into my laptop's UEFI.
Well, it's easier with phones because these likely already have plenty of backdoors to do this remotely, available only for nation-states.
I'm starting to like the taste of this "conspiracy theorist" thing.
There's been enough zero day remote exploits that there's bound to be more.
Pretty sure there's more than 1 about receiving an SMS and the payload rooting the phone and you not even knowing it happened. At least 1 but I think 2 or more.
Something about a malicious image also rooting a phone.
It goes on and on and phones don't always get security updates.
You can do your best, but then longer you use a given phone the higher the risk. That's why people switch out phones frequently when doing shady or important shit
Language Transfer is much, much better than Duolingo for learning a language.
I am learning Spanish using language transfer after having learned four other languages in more traditional ways. Obviously, immersion is the best way to learn. But if you have to learn any other way, this is the one. Far, far better than Duolingo.
It's made up of MP3s, usually about 10 minutes each. You just listen to them and respond to the instructor.
You can use SoundCloud, or YouTube, or the simple but practical smartphone app. The whole thing is run by one guy, and there is no charge but he asks for donations. I have been paying $10 per month on Patreon for several years now, and consider it well worth it.
You can learn French, Spanish, Italian, German, Greek, Turkish, and Swahili.
The problem with Language Transfer is its very limited language selection and its format.
Duolingo allows reading, writing, listening and speech (last two can be disabled if unsuitable in your context), and it does not impose daily limits. I've yet to find an alternative app that does all 5 of those things.
Yes, Language Transfer doesn't have as many languages as Duolingo. Hardly surprising, since the entire system and all the language lessons were created by one man!
For me, the most important thing is to learn to think in the other language. Everything else follows from that.
Language Transfer makes a conscious effort not to get you to memorize things, but to internalize them and understand the system. That works perfectly with my own way of learning.
The US government / CIA did in fact develop the protocol back in the day, with the goal of helping people in China and other countries message securely, probably with ulterior motives.
But the protocol itself is open source, and you can use it without any affiliation with the US government.
The claim " It looks almost as if big tech in the US is not allowed to build its own encryption protocols that would be independent of government interference 🐕🦺" is therefore so stupid it almost invalidates everything else being said because the person writing is either an idiot or purposely misrepresenting the facts.
Not having reproducible builds is definitely weird though. Does anybody have more information on that?
My theory is that apple wont let the developer share there code for IOS because of "security"
I remember an emulator (retro arch i think?) Got on ios at one point and was later removed because it showed apples file system layout. Which apples reason was "because it could be used to make malware for IOS"
I feel like there is some similar thing with signal IOS
Not having reproducible builds is definitely weird though. Does anybody have more information on that?
They boast this as a feature, but on the instructions for how to do this for iOS, even Telegram admits "As things stand now, you'll need a jailbroken device, at least 1,5 hours and approximately 90GB of free space to properly set up a virtual machine for the verification process". Browsing the steps, it's extremely complex, and doesn't seem like something that is very user friendly and that you'd do weekly or monthly when a new version is released.
On the GitHub issue linked to in the body, it's disingenuous to claim they refused to implement this, and that the technical hurdles Apple has in place make this extremely difficult which halted progress. In the community forums where the conversation was moved to, someone pointed out that even if you were to reproduce it on a jailbroken iPhone, that there's no way to confirm that non-jailbroken iPhones aren't receiving a version with a backdoor.
And even if you are using a jailbroken device exclusively and can confirm the reproducibility of the iOS app, then the risk becomes the latest available jailbroken iOS could be outdated from the real versions, and you'd have other issues with not receiving timely security updates. This same issue applies to Telegram also.
have you considered using alternatives front ends for some of the major social platforms?
I use libreddit/redlib to browse reddit. you can run an instance locally or connect to remote ones. this way your IP isn't logged by reddit in the first place & no JavaScript is required to be run for the website to function properly.
there is even an extension called libredirect which can automatically swap clicked reddit (& other platforms) links to the same page on public frontends, which removes the hasstle of manually changing the URL.
Yeah I used to do that before they broke all of them. Used the Stealth app every day but it stopped working a few months ago. Possibly due to VPN, don't really know exactly how that service works.
redlib is the updated version of libreddit & it seems to have circumvented the issues reddit caused so maybe consider giving it another try.
I think stealth also broke when they removed free API access. although, you can still use the webscraping mode by changing it in the settings I believe. if u want another option maybe try out RedReader or Geddit.
I would avoid trying to make sure you use the "official instance" as it kind of works against the projects purpose of decentralizing web requests. pinging around instances helps with avoiding outages as well. you can find active instances here on the uptime monitor.
otherwise, stealth should work just fine if u turn on webscraping mode. I have been using it since the reddit changes with only very occasional issues, as similar to you I have some quams with alternative reddit clients.1000018448
oh damn I see sorry u can't get the apps to work I guess I'll do a little digging on my side. in the mean time I hope I've been at least somewhat helpful haha 🙏
LibRedirect automates most of that for you. Also, I've been using safereddit.com for over 6 months and never had any issues. Just try it out and see if it works for you :)
It fetches an updated list of working instances. It also has a built-in tool that let's you ping all instances and remove the broken ones. I'm pretty sure this will work well, even if you remove all instances except for safereddit.com. That's another way you can use it: Just find one working instance and remove all the others.
Btw you can also use normal third-party clients with your custom developer API key, there's a patched version of Apollo for iOS/iPadOS (you can download it from AltStore using their custom repository, it's explained on the website) and ReVanced offers a patch for Infinity on Android. The patched Apollo version has a quick guide on how to get an API Key, it works with all apps that support these custom keys though:
Sign into your Reddit account and go to the link above (reddit.com/prefs/apps)
Click the "are you a developer? create an app..." button
Fill in the fields
Name: anything
Choose "Installed App"
Description: anything
About url: anything
Redirect uri: apollo://reddit-oauth
Click "create app"
After creating the app you'll get a client identifier which will be a bunch of random characters.
Yeah, well, they couldn’t “shut it down” before E2E encryption, either, so, obviously, the problem isn’t necessarily the encryption, but that the cops suck at their jobs.
“We couldn’t really catch them before, but now we can’t real their text messages! Merde!”
Nah, I'm good. I'm fine with services being limited to what information they can convince my browser to give them, rather than what they can convince my phone to give them. Or try and convince me to give them permission to access.
I started hosting this when 12ft wasn't working for many things. I told a friend and they said "what about 1ft?" Which I hadn't seen before. Now that other commenters said 1ft is shutting down, I'm glad I went ahead with self hosting Ladder
Also might check out /c/selfhosted for more self hosting info.
Privacy
Top
This magazine is not receiving updates (last activity 54 day(s) ago).