SomeLemmyUser
- 2 Posts
- 46 Comments
My setup is similar. Graphene differences: Shelter instead oft Island Fenec instead of iron fox (mainly cause its available in fdroid and I’m to stupid to do code reviews of “random.” Github apps myself Mulvad instead of next DNS Neostore+fdroid
For home I use Debian as my arch broke to often. (But sadly still one Microsoft gaming PC for vive wireless and league)
Freetube instead of YouTube
OPNsense router with ET blacklists, VPN for everything non gaming related and an u6 pro as AP so I can have different wifis for direct/VPN/(maybe home assistant in the future)
Also no arr setup and nothing at all opened to the outside
Well opressivs governments dont work by serving good policys to the people, they work by blaming a part of the people for all problems and then promsing to get rid of them/punish them. A scapegoat basically. The opressors don’t make it better for the people, but the people are happy because the ones they think causing their suffering get punished.
Historically this has been the communists in Nazi Germany, or faschist italy, modern faschists try to make gay people and people from the far east this scapegoat atm.
The problem is: the scapegoat is never the real cause of the problem. After taking them all to the kz, and life for people still not getting better you need a new one. For Nazi Germany those where Jewish people, just because of their religion, has Hitler proposed the “kommunistisch-jüdische-weltverschwörung” (world conspiracy of Jews and communists) When after the pogromes stuff still would get better, they would blame everyone not arian. (Not blonde, blue eyed, northern heritage)
If a fascist government tries to exclude you or not is just a matter of time, at some point they will rum out of scapegoats and come for you.
You never know which aspect someone picks to exclude you (gender, political view, haircolor, Parents, lastname, sexual preferences, religion, mental health, physical health etcpp.) So it’s better to not have someone gather all that info about you in the first place.
You keep referring to concepts like “Keys encrypted with itself” “Tpm are by design encrypted”
When you don’t really say anything from value.
Not every “encryption” is the same.
When we talk about safe encryption we talk about file system level encryption of a system with safe algorithms like aes and a long enough random password (the key). this is safe.
If you store the key unencrypted on your phone, this encryption is no longer safe.
If you don’t know the 16 random digit key it HAS to be on the phone and it CAN’T be encrypted “by itself” because you would no longer have any means to decrypt it.
It could be encrypted with a pin, but again, then its only as strong as the pin, and I don’t know how long an only numeric pin would need to be to withstand modern brute forcing, but I doubt a relevant percentage of people have that kind of pin.
You can’t explain how this would be safe, so you just come at me with russels teapot and say “well you can’t prove its not safe” (which is true because I’m no security expert, but someone with enough knowledge could certainly) and lash out at me “acting in bad faith” because I don’t jump through your hoops of passive aggressive misunderstanding.
All I can do is refer to experts, who found things like CVE-2022-20465 - a bug which allowed lockscreen bypass.
As you could have googled that yourself, but you ask this just to throw me off.
But if you want to keep using your google android and bitlocker win and feel safe, its not my problem.
The device needs to be physically accessed and modified and then unlocked in order to exploit it.
Exactly the service the company offers
Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.
This is not a hot take at all!
Sure thing, it is equally hard to confiscate/steal a device (if the user notices you just shrug) and open it no user input required And Stealing the device without the user noticing Solder a keylogger, get it back to the user without them noticing and having them put in their password, then steal the device again so you can use said passwort
I totally agree
You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure. You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data
in reality the data can easily be accessed, which could be considered as “cracking the device/bypassing the encryption” because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.
I don’t want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)
My point isn’t that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low
Dude what encryption are you talking about? Hardware storage encryption is just by now getting more widely adapted, the phone I used till a year ago didn’t even support any encryption.
Sure, aes-256 with secure password only stored in your mind is quasi 100℅ safe, but that is not how most devices handle their “encryption”.
If the key for the encryption is on the device, and either stored in an unencrypted TPM or unencrypted storage, its not a matter if breaking the encryption (quite impossible) but breaking the software/hardware (quite possible for someone with good enough forensics and skilled programmers)
Also also: encryption only helps if the device is off, which is seldom the case with phones.
Yeah TPM chip encryption is mostly not secure (at least not by simply existing, as an encryption with with a strong password that only exists in your head is) I’ve seen a german youtuber crack the bitlocker TPM encryption of a windows think pad, I have no doubt big companies can do this for the 3-4 most used TPM chips in android phones
And if you got the device and can damage it, even if you couldn’t crack the chip, putting the silicia under an electron microscope is always an option (lots of actual manhours of actual experts needed, but you could charge the client heavily to compensate)
I am aware that there are secure encryptions, but android isn’t hardware encrypted isn’t it? Haven’t used google android for a while, but no encryption was one of the reasons I moved away from it.
No idea about apple, but longer startup times for storage encryption doesn’t seem like a very apple thing to do
Also phones are so seldom turned off, and if the system is running storage encryption becomes less of a concern as the key is somewhere in the ram
I did read this part, and while this is generally true, there are use cases of such large models. Some of them require the input of personal data (find bugs in my code, formalize this email, scan this picture for text and translate it, draw an anime version of this picture of my friend tom)
So people being weary of security implications of such large models are certainly not
in a huge circle jerk that never ends, but refuses to understand how it all works.
Sure you can just call them all dumb using ai like the mainstream (putting in personal data) and attribute it to an unwillingness to understand, but this doesn’t match the reality. Most people don’t even understand how an operating system functions, which components work online and which offline and who can access which of their information, let alone know how “AI” works and what the security implications are.
So If people ask those questions, hoping there are alternatives they can use safely your answer “no, u just dumb, machine can’t harm you, its not magic, just don’t put in data in”
Is not only rude but also missing the point. Most usefull/fun/mainstream ways DO in fact, put in data.
You explaining basic models also doesn’t help, as the concern here is not mainly/only the model, but american spy institution to access all prompts you did put in, maybe categorizing you in personality clusters dependent on your usage of language or assigning tags on which political stance a users has (and with entities like the NSA I could imagine far worse)
Also “A model is a model” Is not very accurate in such cases. When someone has control and secrecy over each aspect of the model, it would be very well possible for entities like the NSA to manipulate the content the models puts out in arbitrary directions. A government controlling and manipulating information the public receives is a red flag for a lot of people (rightfully so IMHO)
How are people supposed to get better in digital privacy topics if you just tell them to shut up and insult them when they aks questions trying to learn? You acting like you are in your Elfenbeinturm of genius isn’t helping anyone.
There is a difference between a general scare about the AI buzzword and legitimate distrust in online services which are closely connected to american spying institutions (regardless if they are ai or not)
If my calories tracker app would apoint a (former) NSA official on their board, I would be looking for alternatives too. This is not about AI, this is about a company with huge sets of private data being closely interconnected with american spy institutions.
Sad that you don’t seem to be able to distinguished between legitimate security questions and badly informed hypes/scares ass soon as a buzzword like AI occurs
Dude, that is literally what I did! to quote my original comment:
If you want to be sure you cant be tracked, monitored, spyed on, and calls can’t be intersepted:
Don’t ever connect it to WiFi and don’t insert a sim card.
[Reasons why this is the case]
If you just want to decrease spying by companies and less powerful people:
[Things you can to anyway to increase privacy]
I don’t know what your problem is honestly. Maybe my tone was off, if so thats on me, I am not a native speaker, but I really don’t know why you are targeting me now with your quite harsh stellvertreterkrieg… You are not even op, why are you so offended and talk me down?
Exactly. If you want to be 100℅ sure you don’t get tracked AT ALL you can’t use the internet.
The second you connect metadata is gained by ISP and all the servers which get called. This can be enough to track you down for powerful entities like the government.
If only your aunt may with a evening school IT course is your threat, a pin and graphene os is probably enough
Also OP mentioned his sim card is registered on his real life name, so having that connected to cellphones is enough to track you if you have a warrant to force your internet service provider to share the information
You always need to ask: which data do you want to protect.
If its position data and calls: nothing, it really doesn’t matter what phone you use if the connection is not secure.
If its communication via messenger like matrix: you are already quite good protected with graphene os and matrix from a safe source.
If its Trojans from the police: don’t download any software/apps/services that are not open source and widely reputable. (Most rich western states can probably still get full control if they want to because of zerodays)
If you want privacy for calls: get a simcard without your name/Iban/PayPal/creditcard etc attached to it in any way (prepaid with cash), Reset the phone, drive somewhere where you don’t work or live with phone off Insert simcard and turn on phone. Wait Turn off phone and disable sim card Use only WiFi until you really need sim service (best not at your home or work).
If you want to protect data on phone: don’t have biometric login (you can be forced to put your finger on the sensor, you can’t be forced to type in a password as easily)
Netguard, shelter, only FOSS software, regular updates, no cloud, no google is never a bad idea, also only communicate via safe encrypted protocols (matrix, xmpp, pgp, https, etc., NOT WhatsApp, Facebook, unencrypted mail, http, SMS, calls)
EDIT: people here mentioned that graphene has a build in firewall, which you can use instead of netguard. I have netguard running though as I know the interface and options, have separate profiles for shelter and normal and don’t use a VPN anyway.
To be honest, if kyc means what I think it does (I am not from the states) so that your provider knows your real identity, this phone with this sim will not be private, especially not when constantly connected to cell service.
With a warrant the local police could force your provider to tell them to which cell phone tower you are connected to, effectively giving them live position data. They can also read all unencrypted trafic this way (calls, SMS, telegram, http traffic etc.)
If your thread level is the police, you already f’d up, sry :/
Plus: its google/us hardware. They could always hide something in lower level software like drivers or bios.
(Cant find the arricle i was thinking of, maybe false): It was recently discovered that snapdragons pinged their home server when turning on, which was not noticeable in android as it was on a deeper software level
If you want to be sure you cant be tracked, monitored, spyed on, and calls can’t be intersepted:
Don’t ever connect it to WiFi and don’t insert a sim card.
Graphene or not, your ISP can still share your position or other meta data with government and stuff (in the us they can also be forced to not tell you) - in some countries they legally sell to third party’s, in some probably illegaly
Calls are normally not encrypted so the os doesn’t matter as much if its the government who can force your ISP or if someone is skilled enough for a Man in the middle attack.
Android is a highly complex system, it will never be 100% safe.
If you just want to decrease spying by companies and less powerful people:
Use neo store or fdroid (no google play or aurora) as all apps there are Foss
Don’t install gapps or any other google services/packages
Use shelter for less trusted apps
Use netguard to block apps from accessing the internet
Physically block your cameras
If you want to be absolutely sure no one is recording audio: destroy mics with a needle and connect headset only when you need it
To only use communication apps which are encrypted and you hold the keys should be not needed to be said: matrix, signal, element, xmpp are good, (telegram (normal chats), Facebook, WhatsApp etc is a no go)
It was, that was the kind of information I needed, as it helps to differentiate what kind/level of privacy I have and what kind/level of privacy different actors can circumvent etc.
As I am mostly looking at not generating useful data for shitcompanies like amazon, google, Microsoft etc. The always onvpn and no cookies except YouTube should be more than sufficient. If my country decides that my political opinion is no longer permitted I should nevertheless be using Tor and check if I’m unique (fingerprint wise).
Thanks for the detailed response. I’m sure my IP is most relevant in tracking me, but if I’m tracked while visiting Lemmy/YouTube it would do no harm, while correlating my YouTube activity with my e.g. me reading websites the government doesn’t like would do harm.
I use mullvad, and previously read using tor through a VPN doesn’t really make sense. I have Firefox set to not save cookies, but I have made an exception for YouTube as it is to troublesome to log in with 2fa all the time.
My thought was that it may be easier to match up the fingerprint of @somelemmyuser accessing lemmy with the fingerprint of @somelemmyuser downloading capitalist propaganda while living in China if they come from the same VPN in a similar timeframe, while it would be harder to match the fingerprint of @somelemmyuser acsessing Lemmy from an normal ISP to the fingerprint of @somelemmyuser accsessing capitalist propaganda from a VPN, as you would need both datasets to find matches.
And since me accessing Lemmy is not a problem but my lemmy account could be tracked back to me as a physical person, it could be smart to not do it with the same VPN.
Any suggestions about checking leaks etc? I have done this one check, but I’m not that deep in the matter to know if its enough.
So you say to keep it running - any (technical) reasoning or just that you think my YouTube connection exiting the vpn and the connection to the website the government doesn’t like exiting the VPN can not be correlated that easy?
- SomeLemmyUser to
- •
- 1Y
- •
Imagine trusting a sharepic made by the company itself.
For real though - its a chromium, those are there as long as google let’s them (still provides the source code for the newest version). There are obvious concerns regarding manifest v3 and the possibility (being discussed/implemented right now) to remove of adblockers, tracking blockers etc. In the matter of one update - the company deciding to roll out the update being the same making most money from advertising with google AdSense.
Also they build a monopoly and will slowly transform it I to a cash cow once all competition is whipped (same what is happening with YouTube at the moment).
Don’t use chrome or chrome clones boys.
As a wise german saying goes: Egal ob die tütensuppe von Maggi oder die tütensuppe von Knorr, am Ende is eh alles nestle
öffi is really good.
[https://f-droid.org/packages/de.schildbach.oeffi/](öffis on f-droid)
You can select the source of the info (for example set to your local provider api or just use default) and I like the schedule view very much.
I am not a software expert, but it is Foss and doesn’t require strange permissions.