Glenn Meder: Achieving Online Security and Privacy

Mentioned this in the thread I posted on GOS, but I just realized that I didn’t include one of the primary forensic issues pertaining to my recommendation for this caveat. The Pixel devices that are officially supported by GrapheneOS have a static identifier that persists across user profiles and factory resets. The ID is called Media DRM ID. This ID is unique to each physical device and thus can be used for device fingerprinting by Android and apps.

This unique ID resides in some low-level component that is non-writable by end users (may be burned into an EEPROM or some other chip with data persistence). The GOS developers have said that they would like to introduce a permission toggle to gate access to this identifier, and/or implement per-app and profile identifiers, but there are no current workarounds.

1 Like

Most systems are theoretically hackable/capable of snooping or doing so already. To try to avoid that 100% is nearly impossible unless you can build your own circuits. How many of us have those skills?

I say: Don’t let the perfect get in the way of the good.

Your personal sense of good isn’t one-size-fits-all. Everyone has their own unique threat model.

The vast majority of people who gravitate towards de-Googled smartphones do so with the assertions of privacy and anonymity from Google. In other words, they prefer that Google fuck off from their smartphones.

These are the folks who should consider the technical caveats that I took my personal time to convey. By not taking the up front precautions to enable the carrier OEM lock toggle, the users are compromising their personal identities to Google, and their personal identities will be forever associated with the unique media DRM ID.

The devil is in the details. Capisce?

It is important to distinguish the 4 objectives and not conflate them together:

  • Cybersecurity
  • Scams
  • Privacy
  • Anonymity

Cybersecurity is the protection of your fort (devices and online accounts) to ensure that no one breaks into it. Consequences of having someone break into your fort include loss of privacy (e.g. spyware), anonymity, money (e.g. unauthorised banking transactions) and damage & destruction (e.g. ransomware).

Scams - Nowadays, with sophisticated scams running amok, this is a whole new category. The big difference between scams and cybersecurity is that in cybersecurity, you are protecting against unauthorised transactions (e.g. malware running on your phone, hackers guessing your passwords). In general, banks will cover you in case of unauthorised transactions.

In scams, you are protecting yourself from yourself making authorised transactions to scammers. This is a big problem in Australia because banks are not obligated to recompense you against authorised transactions. So, Australia is a magnet for scammers.

Privacy is basically keeping information about yourself and your business confidential.

Anonymity is basically to keep your identity private while you conduct conversations and business openly on the Internet.

Who is your adversary?
And then, when you consider the 3 objectives, you need to define who the adversary you want to protect against is.

In cybersecurity, if you are primarily concerned about hackers and cybercriminals, it is relatively easy. If you are concerned about state-sponsored hackers, then it is very difficult.

In privacy, if you are primarily concerned about Big Tech, then it is relatively easy. If you are concerned about Big Brother, then it is very difficult.

In anonymity, if you are concerned about keeping your anonymity from fellow citizens, then it is easy. Against Big Tech, it is much harder, but still possible. But if you want to be anonymous from the government, then it is extremely hard, in fact impossible.

What are the capabilities of Big Brother?
I recommend people watch the reality-TV series called Hunted, which is shown in Australia. In this show, a group of ‘fugitives’ (reality TV show contestants) were released in Melbourne’s Docklands. They were given 21 days to evade capture by an elite team of investigators (working for governments and elite companies used by governments) called the Hunters. At the end of 21 days, the ‘fugitives’ who can beat the ‘Hunters’ will win big prize money.

I casually know one of the Hunters.

I’m not sure whether this show can be streamed to the US, but if it can’t, you need to VPN to Australia.

This show gives you a glimpse of the capabilities of Big Brother. It is chilling!!!

P.S. In one of the episodes, it shows that the Hunters can see what the fugitive was searching on Google. I asked one of the Hunters how that could be possible, since all Google searches are encrypted with TLS nowadays. I couldn’t get an answer from him that comports with the publicly known security architecture of TLS. My only conclusion is that this is only technically possible if Google is in cahoots with the government by sharing the private key of their cryptographic certificates with them.

3 Likes

Just wait until more of the Rockefeller Clever Together doctrine plays out with the accelerationism pulling us into the AI-driven cyber-physical hellscape backed by (centralized) global blockchain (which RFK Jr. is also pushing). The government surveillance that people can imagine is nothing compared to the panoptic sousveillance that accompanies the nano-bio-digi-cogno (NBIC) technologies being rolled out to control every facet of human, animal, and organic life.

This isn’t science fiction 5-10-20 years from now, it is happening in real-time. The human race has no idea what is hitting us given the speed with which they are shoving these technologies into our lives, our bodies and our DNA - and that undoubtedly by design. Tristan Harris said that these entities should slow-roll the next 2 years’ worth of AI-related tech over the course of 20 years to allow the human race time to decide whether they want them or at least to adapt. Instead, they will force assimilation onto the human race, because they believe that if they don’t do it - their competitors will.

Like I’ve mentioned, they are starting to off-load the on-prem processing power onto the end-user devices in this “de-centralized” sousveillance architecture. Something that regular folks can do is opt-out of these new AI-embedded technologies and all of the other devices and interventions like wearable cameras that will cater to the hyper-neurotic (likewise for anything that will contain or be suspected of containing nanosensors). People gravitate to the newest and most powerful shiny toys when those with minimal processing power are far less capable of feeding their control grid.

2 Likes

We can thank the Clinton administration for the clipper chip!

1 Like

Will this presentation be available for viewing at a later time?

Thought I’d toss this here. Keep in mind, I’m no pro, but the premise is possible!

4 Likes

This is a test; only a test. It’s because I’m having a peevish morning so far. Why does an apostrophe appear in COMMA’S and not PASSWORDS?

2 Likes

Good eye, dead eye!

Good for you. I am in the same camp and I have an IT background.

I have never owned a smartphone and never will. My little flip phone works just fine, and rarely do I carry it on my person. Imho it is foolish to carry around a sophisticated spying device whose purpose for spying is to manipulate you.

I loathe smartphones, they are ruining society. I know, I know, there are almost countless factors right now ruining society. I apologize if I offended anyone.

1 Like

I’d like to see a couple of videos discussing email privacy and security. I’m leaning towards switching from one of the large (Read: surveilling) services.

So far, I’ve learned a lot from Rob Braxman’s videos, but he often covers a ton of ground in a short time and his explanations are sometimes brief.

Heads up, the webinar basically introduces the topic, pitches the paid course, explains several purchase options and offers a strong promotional offer to this community. There is no option to increase the speed of the nearly 2-hour video. Some people may find it helpful, but if you are time sensitive like I am you may just want to purchase the course and get right to it. The offer is available when 59 minutes remain. Hope this helps people.