Slashdot Mirror


Snowden's Tough Advice For Guarding Privacy

While urging policy reform as more important than per-person safeguards, Edward Snowden had a few pieces of advice on maintaining online privacy for attendees at Saturday's New Yorker Festival. As reported by TechCrunch, Snowden's ideas for avoiding online intrusions (delivered via video link) sound simple enough, but may not be easy for anyone who relies on Google, Facebook, or Dropbox, since those are three companies he names as ones to drop. A small slice: He also suggested that while Facebook and Google have improved their security, they remain “dangerous services” that people should avoid. (Somewhat amusingly, anyone watching the interview via Google Hangout or YouTube saw a Google logo above Snowden’s face as he said this.) His final piece of advice on this front: Don’t send unencrypted text messages, but instead use services like RedPhone and Silent Circle. Earlier in the interview, Snowden dismissed claims that increased encryption on iOS will hurt crime-fighting efforts. Even with that encryption, he said law enforcement officials can still ask for warrants that will give them complete access to a suspect’s phone, which will include the key to the encrypted data. Plus, companies like Apple, AT&T, and Verizon can be subpoenaed for their data.


  1. Don't avoid them by Anonymous Coward · · Score: 3, Insightful

    Google and Facebook make our lives easier in many ways. Just understand that what you say is not truly private and use common sense about what you post there.

    1. Re:Don't avoid them by Seumas · · Score: 3, Interesting

      Wait... what?

      Okay, I get how Google makes our lives easier (as far as searching and maps go). I get how CamelCamelCamel telling us where the cheapest thing to buy is and when makes our lives easier. I get how that little thing that helps you find the cheapest local gas station makes our lives easier. I totally get how email does. But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

    2. Re:Don't avoid them by scum-e-bag · · Score: 4, Insightful

      But Facebook? In what possible way does it even remotely offer any service that makes people's lives easier?!

      Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed. For the hoi polloi, it's an effective "one stop shop" to communicate with each other.

      --
      Does it go on forever?
    3. Re:Don't avoid them by Pumpkin+Tuna · · Score: 2

      You see, there are these things called friends. They are other humans we like to interact with. Some of these "friends" no longer live close to us so we like to see pictures of them, their families, and their activities. Facebook allows us to do these things.

    4. Re:Don't avoid them by jader3rd · · Score: 1

      Some of these "friends" no longer live close to us so we like to see pictures of them, their families, and their activities. Facebook allows us to do these things.

      There were many solutions to that problem before Facebook, and there are still many solutions to solve that same problem today.

    5. Re:Don't avoid them by tqk · · Score: 1

      Do you actually have something to add to the conversation, like why what I said is a terrible idea?

      If you insist. It's been common knowledge for a long time that FB is not your friend in any way. Their product is their users' data (sold to advertisers & etc.). Now, we even have Snowden's insider view of the NSA confirming they're in no way protecting their users' data. With all the !@#$ that's been going on with NSLs and AT&T (et al) coughing it up for nothing more than a demand written on a Post-It note, everyone on-line world-wide ought to be horrified.

      Most of us didn't need Snowden to confirm this. EFF (among others) have been screaming about this for years. You been living under a rock or something?

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    6. Re:Don't avoid them by tqk · · Score: 1

      Any grandmother with an account on facebook could tell you how much easier it is to see what's up with their grandkids via facebook.

      My mother (a grandmother) would argue that with you. She was quite happy with email and despised FB. When lazy brats like you decided a spam email or two a day was too much to deal with and gave up on email in favour of FB, she was disgusted.

      It's hard to believe that we're *still* arguing about this on /.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    7. Re:Don't avoid them by tqk · · Score: 1

      Facebook is arguably an aggregation of some of the best online/telephonic communication mediums ever developed.

      When you use the word "arguably", it means both sides of the argument may have validity. Are you really going to try to argue that FB ranks *anywhere* near TCP/IP (and tools like SMTP, NNTP, FTP, ...)?

      Kids these days.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    8. Re:Don't avoid them by tqk · · Score: 1

      And you're still a fucking idiot. People like simplicity, and ease of use. Facebook/G+ make that REALLY simple for them.

      No, they're not (still a fucking idiot). You're delusional. What's hard about email, for instance (from the user's point of view)? Okay, if you're stuck using Win*, it's a !@#$%, but that's not email's fault. *Everything* on Win* is a !@#$%.

      You're on /. how long, yet you've not bothered to listen to (read) the *many* discussions *many* forums have been reporting on this over the years, or bothered to research this ancient (in "Computer/Software Years") topic?

      Correct me if I'm wrong but /. has a search function built into it, yes? I just checked. At the bottom of the /. home page, see "Story Archive". In there is a link to view by "Topic." In the resultant list, find "Facebook."

      Have fun.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  2. Re:Is this counting Apple's new encryption scheme? by wiredlogic · · Score: 2

    The key is on the phone. Easy enough for any TLA to get unauthorized access to without the owner's knowledge. Apple's new policy changes nothing.

    --
    I am becoming gerund, destroyer of verbs.
  3. Re:Is this counting Apple's new encryption scheme? by the_B0fh · · Score: 1

    They never had the keys in the first place. What they have done is to enable more things to be covered by encryption.

  4. Re:Is this counting Apple's new encryption scheme? by gronofer · · Score: 1

    I'm not sure what "key" means in this context. If I encrypt a file archive, I need to enter a pass phrase, preferably over 20 characters and not easily brute forceable. This pass phrase is the key, as far as I know. What is the equivalent on Apple's devices? Are they encrypting with a 4 digit pin?

  5. Re:No Google by Noah+Haders · · Score: 1

    Search: duckduckgo
    Email: numerous options
    App Store: isn't a benefit of android that there can be many app stores? Alternatively, use iOS.

    It's not that hard to get away from goog (or fb, for that matter).

  6. No technical solution for a social problem by iamacat · · Score: 4, Interesting

    Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.

    1. Re:No technical solution for a social problem by Anonymous Coward · · Score: 1

      Of course government can read my e-mail. All they have to be is waterboard me.

      But, but, Obama, he promised change, man!</whiny-hippie-greybeard>

    2. Re:No technical solution for a social problem by The+Ickle+Jones · · Score: 2

      Of course government can read my e-mail. All they have to be is waterboard me.

      "All they have to do"? Doing that to everyone would take forever. The point is to make sure they have more trouble automatically gathering everyone's emails.

      Or install enough camera in public places to capture my unlock pattern.

      Nice pseudoscience. And this would still be more difficult than what they're doing now.

      There are indeed technical solutions to some social problems.

    3. Re:No technical solution for a social problem by itzly · · Score: 1

      The question is what we allow the government to do

      Or maybe the question is what the government allows you to do. In the US, they won't allow a 3rd party, for starters. And the two remaining parties have a great deal of overlap regarding surveillance.

    4. Re:No technical solution for a social problem by DigiShaman · · Score: 1

      "More than one-third of Americans cannot name a single branch of the United States government"

      The nation is lost! How do you think we got the assholes - we have in office - in the first place?! People are just fucking ignorant and dumb!!! Ideas of how to govern is useless if people don't even understand the basics fundamentals of the existing government they have already.

      --
      Life is not for the lazy.
    5. Re:No technical solution for a social problem by The+Ickle+Jones · · Score: 1

      And yet even if they could, it wouldn't change a damn thing. People have been voting for the 'lesser' of two evils since the beginning. It's partly because our system is poorly designed, but that doesn't mean that people are worthless idiots for going along with it.

    6. Re:No technical solution for a social problem by Livius · · Score: 3, Insightful

      Of course government can read my e-mail. All they have to be is waterboard me.

      Wrong.

      I can't understand why people are so confused about this. It has nothing to do with government needing to resort to extreme measures to get its way.

      All it takes is a warrant. People have been getting warrants for close to a thousand years. Getting a warrant is not hard. Getting a warrant is a routine part of professional law enforcement. Nowadays getting the warrant is actually easier than all the theatrics they're doing instead. All these efforts to circumvent constitution guarantees (in multiple countries) are about making the political statement that the government is above the law. It is intimidation with no constructive purpose. Citizens are worse off not just because it violates their rights, but also because it encourages sloppy police work.

    7. Re:No technical solution for a social problem by The+Ickle+Jones · · Score: 1

      Um, I never said it did.

      I meant to say, "but that doesn't mean that people aren't worthless idiots for going along with it." Well, I guess they are worthwhile to someone, so you have a point there.

    8. Re:No technical solution for a social problem by iamacat · · Score: 1

      Forever? Just round up people based on nationality, participation in a protest or a house of worship. Then carry out waterboarding in public view, giving each person in line a choice to spill the beans or experience waterboarding and then spill the beans. Should take no time at all. Regimes far less wealthy than US have been doing great job keeping tabs on their citizens with good old secret police work rather than tech. Whether we allow that, or Prism, or consequences of no secret surveillance at all is really up to us.

    9. Re:No technical solution for a social problem by the_B0fh · · Score: 1

      Sure. But, encryption of in-flight and at-rest data thwarts both passive and dragnet surveillance. This is *exactly* the thing that we've been screaming about for the past year or so.

      Uh, no. What has been screamed about is that meta data collection is happening on a broad scale

      Methinks someone doesn't understand what dragnet means.

    10. Re:No technical solution for a social problem by lsatenstein · · Score: 1

      Of course government can read my e-mail. All they have to be is waterboard me. Or install enough camera in public places to capture my unlock pattern. The question is what we allow the government to do, and in democracy we deserve what we get. No amount of encryption is going to solve this problem. We should have a direct popular vote for a commission of constitutional enforcement and then if majority of them rule that some secret agency is in violation, they will be able to disclose it legally.

      After a mental debate about the pros and cons of NSA surveillance, I have reached some conclusions.
      With total secured data and transmissions, businesses have the confidence that what is private to them remains so.
      With total secured data and transmissions, criminals have the confidence that what is private to them remains so.
      With total secured data and transmissions, NSA have the confidence that what is private to them remains so.
      With total secured data and transmissions, terrorists have the confidence that what is private to them remains so.
      So what?
      As a citizen of a multi-cultural democratic country, can I obtain all my information about criminals and terrorists only by infiltrating their organizations? Can the NSA, in proactive mode, be able to do so before an illegal act occurs, or only after the bodies are buried. When do you want them to do the searching?

      A positive point to consider:
      If the NSA surveys the transmissions with sophisticated search engines, looking for illegal activities, and from the algorithms within the search engines, obtain a list of messages and meta data about the sender/recipient, can they protect us better?

      A negative point to ponder.
      Can the NSA search engine software be audited by some authority to insure that the searches are against legitimate use are not done, what would be your stance?

      I don't feel threatened by NSA and its probing, as all my uses of email, web browsing, encryption, and purchasing of crap through the internet is for legal purposes.

      So, draw your conclusions from my ponderings. Where do my thoughts lie?

         

      --
      Leslie Satenstein Montreal Quebec Canada
  7. Re:Is this counting Apple's new encryption scheme? by NotInHere · · Score: 1

    This encryption is only useful when the phone was never unlocked after authorities got suspicious of you. The moment you unlock, it connects to the carrier, the baseband downloads the rootkit (or they use one of the various other backdoors they have), and the authorities get the key, and any other phone content they wish.

  8. Re:No Google by whereiswaldo · · Score: 5, Insightful

    Google analytics and ads are everywhere so even if you don't directly use their services like Search and GMail, you are still being tracked by them.
    Also, your browser sends referrer headers which tells whatever site you're visiting where you came from. Your browser + browser plugin profile can be used to narrow down who you are even behind Tor. Browser plugins like Adobe Flash save their own set of cookies separate from regular browser cookies.
    If you use the Internet, you're being tracked. You may be able to help yourself be tracked _less_ by taking some precautions, but that's about it, I think, for the average person.
    I used FB for years before finally closing my account down. No doubt that data will stay in their system forever. Like a drug, better to not start at all than to have to quit.
    Basically it boils down to: law enforcement are going to do what they're going to do. I know I'm being tracked, I try and keep my nose clean, and whatever happens happens. I'm not going to live my life all paranoid.

  9. Taking it a step further by Opportunist · · Score: 4, Insightful

    Simply avoiding Facebook, Google and the rest isn't going to serve much. Because that makes you stand out, too. Use them. Fill them with enough goody-two-shoes garbage that you're uninteresting enough. Invent some innocent hobby or two for you to have so you can fill that page with something. Invite friends (whoever you run across will do, just make sure that they're not in some way "odd").

    The important bit is just to keep your real life apart from your official one. And yes, before you ask, your work belongs on the "official" side. Along with your official family and everything else that can easily be connected to you with existing data. Don't try to hide what can be proven to belong to you.

    And yes, 10 years ago I would have agreed that doing something like this means your tinfoil hat is sitting too tight. Today, I ain't so sure anymore...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Taking it a step further by SternisheFan · · Score: 1

      So we've basically told several generations that they aren't trustable, and everything that they do will be monitored, and they cannot trust anyone. I feel a darkness has encroached on the population.

    2. Re:Taking it a step further by rtb61 · · Score: 1

      The abandoning privacy argument. If you believe the government already consider you very suspect better that they can find out everything about you, which is nothing and make it easy for them. Rather than protecting your privacy and making it very difficult for them, so they end up wildly overreacting and place you in the life threatening situation of a search warrant swat team.

      The catch with that, is they want to believe. They will believe that all the information they easily find about you is fake and that you are in fact very dangerous and hiding something and the life threatening search warrant swat team descend upon you anyhow.

      So you take some security precautions but you remain generally open, you control your communications (no drunk or angry or let alone drunk and angry communications) and you generally directly take the piss out of them as you also don't want to appear to be crafting a low profile. Take up a harmless but unusual pastime. Say, convince them you believe in psychic abilities and aliens and they'll consider you a harmless nutter, although both types of forums remain useful places to conceal communications as they are very global in nature on the internet ;).

      --
      Chaos - everything, everywhere, everywhen
    3. Re:Taking it a step further by ArcadeMan · · Score: 4, Funny

      I'm not so sure about psychic abilities, but statistically aliens are almost a certainty. The real question is: are they amongst us?

      Am I flagged as a harmless nutter yet?

    4. Re:Taking it a step further by The+Ickle+Jones · · Score: 1

      Because that makes you stand out, too.

      Not using Facebook and such just means that you're not a fucking idiot. Are people who aren't fucking idiots that rare, and would the NSA and friends actually say, "Wow! We've somehow determined that this specific person is not using Facebook! Get him!"?

    5. Re:Taking it a step further by Anonymous Coward · · Score: 1

      The GP didn't make the abandoning privacy argument. They made the very same argument you're making--which is to act innocuous in one capacity and do everything else in another. You didn't read very closely. You're talking past each other, despite agreeing with each other.

    6. Re:Taking it a step further by Opportunist · · Score: 1

      Since governments prefer fucking idiots since they're easier to control, I prefer them to see me as a fucking idiot.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Taking it a step further by operator_error · · Score: 1

      This is an interesting premise, especially for I.T. workers. For everyone else, there's enough computer illiteracy and lack of access, (and apathy) that such a diversion isn't necessary. I think you can also draw a sort of curve, given to the age of people and what is expected of them in terms of computer literacy. That age curve also provides a relative form of plausible deniability. But IT workers are screwed in this way.

    8. Re:Taking it a step further by FuzzNugget · · Score: 1

      Isn't it incredulously absurd that engaging in this spy-game double life nonsense has actually become a completely rational behavior?

      Fer crissake I just wanna live my life with a reasonable expectation of privacy.

    9. Re:Taking it a step further by Opportunist · · Score: 1

      Especially if you're an IT worker in the area of security. You needn't wonder if there is a file about you. There near certainly is. You're after all potentially dangerous, you know how "it" works.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    10. Re:Taking it a step further by Opportunist · · Score: 1

      The price of privacy is eternal vigilance...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. gpg by mrflash818 · · Score: 4, Informative

    gpg, when you can.

    To encrypt, but have the encrypted output be encoded as text (so can be put copy/paste into an email)
    gpg --symmetric --cipher-algo AES256 --armor example.txt

    (gpg will then ask for a passphrase, make it long, as random as possible, upper and lower case, a punctuation, and a number)

    TO DECRYPT
    gpg example.txt.asc

    Steve Gibson has a very cool Internet resource for helping people learn about password strength: https://www.grc.com/haystack.h...

    Per the haystack page:

    Example passphrase = search space size

    64 characters of hex = 4.13 x 10^99

    63 characters of hex, plus adding a punctuation symbol = 4.93 x 10^117

    62 characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126

    --
    Uh, Linux geek since 1999.
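
An added example, not part of the comment above and not GRC's code: it reproduces the three search-space figures quoted from the haystack page and compares them with what a random hex generator can actually emit. It assumes the calculator counts every string of length 1..n over the character classes present (26 lower, 26 upper, 10 digits, 33 symbols), an assumption that matches the quoted numbers; the sample passphrases are constructed.

```python
import math
import string

# Assumed class sizes: 26 + 26 + 10 + 33 = 95 printable ASCII characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation) | {" "},  # 32 punctuation marks + space
}


def class_alphabet(passphrase):
    """Alphabet size implied by the character classes that appear at all."""
    return sum(len(members) for members in CLASSES.values()
               if any(ch in members for ch in passphrase))


def class_search_space(passphrase):
    """Count of all strings of length 1..len(passphrase) over that alphabet."""
    a = class_alphabet(passphrase)
    return sum(a ** k for k in range(1, len(passphrase) + 1))


def generator_space(symbols, length):
    """Count of strings a uniform generator over `symbols` can really emit."""
    return symbols ** length


def sci(n):
    """Format a large integer as 'm.mm x 10^e'."""
    mantissa, exponent = f"{n:.2e}".split("e")
    return f"{mantissa} x 10^{int(exponent)}"


def bits(n):
    """Size of a search space expressed in bits."""
    return math.log2(n)


# Constructed sample passphrases, all 64 characters long.
HEX64 = "0123456789abcdef" * 4
HEX63_SYMBOL = HEX64[:63] + "!"
HEX62_SYMBOL_UPPER = HEX64[:62] + "!" + "Q"


def report():
    """Rows of (label, class-based figure, class-based size in bits)."""
    rows = []
    for label, p in (("64 hex", HEX64),
                     ("63 hex + symbol", HEX63_SYMBOL),
                     ("62 hex + symbol + upper", HEX62_SYMBOL_UPPER)):
        space = class_search_space(p)
        rows.append((label, sci(space), round(bits(space), 1)))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    # A hex string is treated as "lowercase + digits" (36 symbols), but a
    # generator that only emits 0-9a-f has 16 choices per character.
    real = generator_space(16, 64)
    print("random 64 hex chars:", sci(real), f"= {bits(real):.0f} bits")
```

The class-based figure for 64 hex characters corresponds to about 331 bits, while 64 characters drawn uniformly from 0-9a-f carry exactly 256 bits. The figure describes a search over the implied alphabet, not the randomness of the generator that produced the passphrase.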
    1. Re:gpg by tqk · · Score: 1

      62characters of hex, plus adding a punctuation symbol, plus adding an upper case letter = 3.79 x 10^126

      Nice. However, the devil's in the details. We're often told that strength of the algo won't out anyone. Social engineering or stuff we haven't considered will, and the latter's complicated. My key mentions an ISP (email addy) I haven't used in a couple of decades. How to fix? Revoke old key then release a new one. Er, how, exactly?

      If this's non-simple for a geek like me, how's my (late) mom going to handle it?

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    2. Re:gpg by antdude · · Score: 1

      Tell that to computer illiterates who don't know command lines. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    3. Re:gpg by CronoCloud · · Score: 1

      To encrypt, but have the encrypted output be encoded as text (so can be put copy/paste into an email)
      gpg --symmetric --cipher-algo AES256 --armor example.txt

      There's no need to go to the command line to encrypt an e-mail. Just use a proper e-mail client that supports GPG/MIME.

    4. Re:gpg by CronoCloud · · Score: 3, Informative

      My key mentions an ISP (email addy) I haven't used in a couple of decades. How to fix? Revoke old key then release a new one. Er, how, exactly?

      Via some quick googling:

      Generate the revoke certificate (you can keep this stored until you need it)

      gpg --output revoke.asc --gen-revoke KEYID

      Import the revoke certificate when you want to revoke the key.

      gpg --import revoke.asc

      Send the updated pubkey to the keyservers.

      gpg --keyserver KEYSERVER_ADDRESS --send-keys KEYID

    5. Re: gpg by CronoCloud · · Score: 1

      I get mail from Navy friends signed with a DOD-issued cert, and we can communicate securely with no difficulty at all. I got my 70-year-old mother using it on her iPad, no problems. I'm astounded that it isn't more popular.

      The cert thing is the problem, because the cert is usually installed into the web browser and then you have to export it from there and then import into the client. Then there is getting the pubkeys. S/MIME doesn't use keyservers so basically to send someone an encrypted mail, they have to send you a signed mail first.

    6. Re:gpg by CronoCloud · · Score: 1

      You can use gpg without command lines. In fact I created my key using "GPA" (Gnu Privacy Assistant), because I couldn't get enough entropy on the command line for some reason.

    7. Re:gpg by CronoCloud · · Score: 1

      I know it's bad form to reply to self...but you can do all of the above in a GUI like Seahorse too.

  11. on phone, passphrase. on iCloud, not really encry by raymorris · · Score: 4, Interesting

    On the device, the data that is encrypted uses a key derived from the password or pin. This is very similar to how you'd encrypt any local file. Anything you can still get to after forgetting your password and resetting it obviously was not encrypted with that forgotten password.

    On their cloud, some things are technically encrypted, but the encryption isn't very effective. Anything you can access via their website or apps, including email and photos, they have access to. Email is a good example- their web site shows you the To, From, and Subject lines of the messages, so obviously their server has access to read the emails.

    In general, encryption of live, working data on a server is _often_ largely security theatre. Sure, if a bad guy physically broke into the datacenter and walked out with the server, the encryption of the disk would make it hard for him to access the data. As long as the server is up and running, any data the server can access can also be accessed by a hacker with a presence on that server. In these cases, the key is for one of the server's disks, so it's generated by Apple and probably sitting on the same server where the data is. With tens of thousands of servers, you don't have human beings walking around typing in passwords, so the key needs to be on the server. If the hacker is in the server ...

    The data is encrypted in transit via ssl/tls. For that time period, it's encrypted via tls/ ssl. First Apple's ssl key is used, then a per-connection key is generated.

    Holes, where the data is not encrypted at all, and there is no key, occur at transition points. The web server takes the ssl encrypted data, decrypts it, and hands it off to the storage layer to be "encrypted" on disk. Quotes are on the disk encryption because as discussed above the encryption on disk is largely illusory. Similarly with the transition from your phone to the upload to the server. Your phone decrypts it with your key, encrypts it with the ssl key, and then sends it to the server.

    Those transition points in which the data is unencrypted are vulnerable points which are targeted for attack. I've confirmed at least one case where I've seen the transition point on the server compromised. Fortunately, I _think_ I may be the one who tapped the data and logged it at that point, for debugging and recovery purposes. I forgot to turn off the logging when we went into full production, I think.
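
An added example, not part of the comment above and not Apple's scheme: it contrasts a store whose data key is derived from the user's password with one whose key is generated and held by the server, to show the "still readable after a password reset" test the comment describes. The seal/unseal helper is a toy HMAC-based construction used so the example runs on the standard library alone; all names, the work factor and the sample data are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # constructed work factor for the example
NOTE = b"constructed sample note"


def derive_key(password, salt):
    """Password-based key: same password and salt always give the same key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _subkey(key, label):
    """Separate keys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    """Toy keystream: HMAC-SHA256 over nonce || counter."""
    blocks = [hmac.new(key, nonce + c.to_bytes(8, "big"), hashlib.sha256).digest()
              for c in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Return the plaintext, or None when the key does not match the blob."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def password_keyed_store(old_password, new_password):
    """Data key comes from the password, so a reset cannot open old data."""
    salt = os.urandom(16)
    blob = seal(derive_key(old_password, salt), NOTE)
    before_reset = unseal(derive_key(old_password, salt), blob)
    after_reset = unseal(derive_key(new_password, salt), blob)
    return before_reset, after_reset


def provider_keyed_store(old_password, new_password):
    """Data key lives on the server; the password only gates login."""
    server_key = os.urandom(32)
    salt = os.urandom(16)
    blob = seal(server_key, NOTE)
    verifier = derive_key(old_password, salt)   # stored to check logins
    verifier = derive_key(new_password, salt)   # a reset replaces only this
    # No password is involved in reading the data: whoever holds server_key,
    # including anyone with a presence on that server, can open the blob.
    return unseal(server_key, blob)


if __name__ == "__main__":
    print("password-keyed:", password_keyed_store("old passphrase", "new passphrase"))
    print("provider-keyed:", provider_keyed_store("old passphrase", "new passphrase"))
```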

  12. Re:Is this counting Apple's new encryption scheme? by ShanghaiBill · · Score: 1

    The key is on the phone. Easy enough for any TLA to get unauthorized access to without the owner's knowledge.

    I fail to see how it would be "easy" for a third party to access a file on my cellphone without my knowledge. If they do it with my knowledge, then they need a warrant, and have to go through proper legal channels.

    Apple's new policy changes nothing.

    It seems to me that Apple's policy, along with the policy changes by other big tech corps, change everything. Pervasive encryption is coming, and coming fast. These companies no longer have any reason to voluntarily cooperate with the NSA. The NSA screwed them, and that screwage is costing them billions.

  13. can be subpoenaed for their data by fustakrakich · · Score: 1

    Um, so what was the encryption for again?

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:can be subpoenaed for their data by Anonymous Coward · · Score: 2, Insightful

      Mainly to make the authorities go through the front door, you know, as the constitution says they should.

      They hate having to follow that old rag's commandments though.

    2. Re:can be subpoenaed for their data by The+Ickle+Jones · · Score: 1

      You shouldn't be using phones that other people can control in the first place.

    3. Re:can be subpoenaed for their data by kualla · · Score: 2

      Too bad any long-distance wireless frequencies are regulated and would result in breaking the law with very stiff fines and possible jail sentences. Plus you could be sued from the big telcos for interfering with their paid-for air-waves. Even HAM radio does not allow noise or encryption to be transmitted over the radio waves.

      You can always use an encrypted VOIP service I suppose, but technically that is controlled as well, not to mention that the NSA is also developing/buying 0-day exploits so they can break into your computer/router/modem/etc and spy on you that way so even the encryption will not be secure... A bit tin-foil paranoia on that level, but not impossible as it is already being done here in the USA, and who knows how many other things that they are doing that the public is unaware of or how bad it will get into the future.

    4. Re:can be subpoenaed for their data by fustakrakich · · Score: 1

      Mainly to make the authorities go through the front door...

      Yeah, with one of these....

      Believe me, until you elect people with a conscience that will appoint people with a conscience, your constitution isn't going to mean squat, just a little tidbit from the history books...

      --
      “He’s not deformed, he’s just drunk!”
  14. Re:Edward Snowden by the_Bionic_lemming · · Score: 1

    Thanks Ed!

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  15. Re:Is this counting Apple's new encryption scheme? by Anonymous Coward · · Score: 4, Insightful

    Here is the rub:

    A company breaks up a key into pieces and says that no single division or part can decrypt data.

    However, with the proper "encouragement" via a government (similar to how India "encouraged" RIM to give them access to BIS servers), the data can still be obtained. iPhones are quite closed devices, and in theory (mind you, this is theory), Apple could push some code to the phone belonging to a person of interest that would either install a backup key, pull the key out, or download data in the background.

    Android, similar... but with Android, there are so many different ROMs, phones, and configurations out there that it would take some doing and not just typing an IMEI number, click "spy", and be done with it. It is quite possible, but not as easy.

    Do I trust Apple? There are other big companies who have started to play policeman and actively sift through their subscriber data and hand things over without being told to do so. Apple doesn't actively do the virtual equivalent of going through one's belongings with a fine tooth comb, then bringing in the police if something illegal is found under a couch. There is already enough fighting to keep government powers at bay. Having private companies act as another police force is unacceptable, no matter how noble their aim.

    Would I stay at a hotel knowing that my stuff there will be sifted through for anything illegal, and my phone calls taped and actively listened to for any activity? Nope. I'm sure the "do you have anything to hide" argument will be brought to bear, but if the company storing my data is now someone actively trying to find a way to cause me legal issues, I'll take my business to another place that doesn't do that. I feel that Apple hasn't tossed anyone to the wolves, so they are probably a lesser evil in this department, although who knows where their data ends up, as their devices are made in China, and the Chinese government has just as much say in what goes into them as Tim Cook does.

    Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.

    Another example is Thailand's lese majeste laws. A US citizen who poked fun at Thailand's leaders can be deported there, even though the person never was in the country. Having a private company look for these types of things, items that people never thought of, then they get arrested and shipped overseas to stand trial in a country they have never even seen is something that is inevitable. Someone may be a 100% law abiding person in the US and have nothing to hide... but with extradition treaties, they might be breaking laws in a country they have never heard of and can be hauled off for that (Kim Dotcom, anyone?). So, privacy is a must.

    Do I trust Facebook? Rule 1 of the Net. Don't put it up unless you want the local DA, Feds, and your worst enemies seeing it. With that in mind, plus common sense partitioning (run your FB Web browser in a sandbox or container separate from everything else), FB is tamable. It is a must these days (I've been turned down for jobs because I didn't have a FB ID, as an IT worker without a FB or Twitter account is considered a "fossil".)

    Do I trust Google? I use their services, and have found that Android is well written. Even the disk encryption is decent, especially if you separate the dm-crypt partition passphrase from your unlock PIN, making your /data partition extremely tough to brute force open. I'm not really worried, as they are not any worse or any better than other places.

    Do I trust Dropbox? Similar to above. Neither worse nor better. However, I do pack my own parachute and use Boxcryptor (not 10

  16. Re:No Google by Noah+Haders · · Score: 1, Interesting

    Apple isn't any better than google.

    [citation needed].

    1) All iOS devices are encrypted such that even Apple can't access.
    2) After #Celebgate Apple rolled out 2 factor authentication throughout the OS and services.
    3) iMessages and Facetime are encrypted end-to-end, so even Apple can't access them when they're on the server.
    4) Apple's business model is not to spy on their users in order to make more money from them.
    5) If you look through all the NSA leaks and all the hacker actions, none of them have been able to penetrate an iOS device that is not jailbroken.

  17. Re:No Google by Famak1994 · · Score: 4, Interesting

    Well, that's why you use throwaway identities: http://www.fakenamegenerator.c... It may not be 100% foolproof, but it certainly makes it harder for others to build an exact profile of you. Most especially use something like Lastpass to import 3000 generated identities that you can randomly pick from to auto fill forms.

  18. Re:No Google by Famak1994 · · Score: 1, Informative

    Neither are more secure than the other and that's a fact and will always remain a fact so long as humans are using these devices. Nevertheless, everything you've listed is also available on android devices so I fail to see what point you're trying to make?

  19. Re:No Google by Noah+Haders · · Score: 1

    that's actually a really cool site, thanks for this. the user sets his name set. the name sets are what you expect: american, hispanic, german, etc. but they also have hobbit. My new name is Tomburän Mugwort.

  20. Re:No Google by ArmoredDragon · · Score: 2, Informative

    Try startpage.com. It uses results from Google, but isn't Google. As far as I can determine, they don't log anything you do.

    It also happens to be the default search engine of the Tor browser, which should say something as it goes way out of the way to make sure your activity is completely anonymous.

  21. Welcome to the world of the social by Anonymous Coward · · Score: 1

    Keep your communications limited.
    Only talk to people you need to talk to.
    PGP, Encrypt, Key-pass, everything, I mean everything.
    Hide it all from any networked service

    Once a security hack that worked for his former employer, my takeaways from his recommendations are:
    a. hide your cash in your mattress--then again cash has serial numbers (even bitcoin sort of...). Convert to gold.
    b. put on your tin foil hat.
    c. don't talk to anyone.

    BUT what he doesn't realize is... if you want to be a part of any society:
    a. Communications is a 2 way street, I see you, you see me. There's no privacy, just trust. Big Data and the Internet just exposed what's been known by the affluent for what, 300 or so yrs.
    b. "Security" in Snowden terms is a pipe dream, and stuff like PGP is nothing but security by obscurity [philosophically] via Math (it's a key no one knows...)--TRUST is the key factor in making communication work.
    TRUST, TRUST, TRUST. If you don't have it the system WILL breakdown and no one's going to be happy.
    c. want to be useful in society? talk to someone, anyone.

    Just vote. And tell your congressman what you want. As for the non-US citizens voicing their opinion on here about how the US should handle their affairs, thank you and your opinions will be considered.

    Every movie needs a PR angle--they obviously are playing the fiddle in TFA. Gotta love the Internet.

  22. Re:No Google by tqk · · Score: 2

    ... it would be like having to constantly avoid highways and grinding your way through crumbly outback routes.

    Really? Other than youtube, I don't think I've bothered with google in years. ixquick is a reasonable search engine (and there are others as good). It even has a google gateway, and it's https. mail.com (among others) offer free email.

    Other than the wonderful feature of NSA slurping everything you do, what's google really do for you?

    I've nothing really against google. I just prefer not to go that way.

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  23. Re:Is this counting Apple's new encryption scheme? by sexconker · · Score: 3, Insightful

    they need a warrant, and have to go through proper legal channels.

    I take it you've been living under a rock for the past decade.

  24. Re:Is this counting Apple's new encryption scheme? by bigfinger76 · · Score: 1

    Don't forget -- "illegal" applies globally. The US has extradition agreements with Saudi Arabia and Turkey, so technically, a US citizen can be extradited to KSA for something anti-Islamic (giving a church flyer to a Muslim), and then beheaded even though the person never set foot outside the US. So, what may be something one doesn't worry about now may be something (and their families) that one might be killed over in a few years.

    I don't think that's what extradition agreements are for.

  25. Re:No Google by Anonymous Coward · · Score: 1

    What Google analytics? What ads? I don't even see them, haven't since before they were there. Privacy Badger, ABP and noscript take care of that and of facefuck also. As a bonus, you don't see any stupid aggregators that rely on Google for their javascript trinkets.

  26. Re:No Google by Famak1994 · · Score: 1

    Listen dude, I'm not trying to get into a pissing match, but your fanboism is starting to reek. "Of the five things I listed, number 2 -- 2-factor authentication -- is on android as well. But numbers 1, 3, 4, and 5 are all iOS or apple specific and definitely not on android." Yeah they are, it's called using a custom rom that Google has no control over and avoiding the use of specific services. If you really believe that Apple is some Angel from heaven that's here for the good of humanity then you are insanely naive. Most especially if you consider the fact that their OS is not open source thus closed to in-depth scrutiny.

  27. Re:Is this counting Apple's new encryption scheme? by tqk · · Score: 1

    These companies no longer have any reason to voluntarily cooperate with the NSA. The NSA screwed them, and that screwage is costing them billions.

    *Golf Clap*.

    You pathetic moron. You think Apple or Google umbrage is going to stop NSA suckage? Ho. Ly. ...

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  28. No Google by Seumas · · Score: 1

    "No Google" from the guy who does seemingly every interview over Google Hangouts (and, yet, supposedly, we remain absolutely clueless of his whereabouts - oh my!).

    The simple fact is that there is no security and there is no privacy. At best, we can take what we think are the wisest and most conservative precautions, but once something leaves our head or our mouth, there is no guarantee. There are only protocols and services and mechanisms which we do not yet know are compromised. If the last two years have taught us anything, it's that anything we rely on probably *actually is* compromised.

    Hell, even anything in our head isn't confirmed safe, anymore. Not in a world where we have observation systems that determine your intention by your gait or your facial expression or your body's thermal signature. Not in a world where we're just starting to be able to visually represent actual thoughts from a brain, onto a screen. And not in a world where conclusions are drawn from assumptions of your collective data where you have far less control over it -- from borrowed library books to your database of grocery purchases to your Amazon shopping history and Netflix viewing history.

    Worse, I don't see any indication that any truly guaranteed modes of encryption and security and privacy would not simply be outlawed. It is amazingly simple to coerce the American people into accepting any desired infringement upon their rights. If they're not willing to give them up "just because", then tell them that it'll help us protect ISIL from cutting off your head in your living room or will help protect your children from getting Ebola at school. Maybe get a few religious leaders on-board to help spread the propaganda that it's the "Christian/whatever thing to do".

  29. factually false by raymorris · · Score: 1

    The US does not have an extradition treaty with Saudi Arabia.
    http://en.m.wikipedia.org/wiki...

    The US treaty with Turkey is first limited to crimes which BOTH countries consider felonies. That requirement is on page 1.
    Then there's another 20 pages of requirements for it to apply.

  30. Re:No Google by Anonymous Coward · · Score: 5, Interesting

    As far as I can determine

    But what's that worth? They're pretty much silent on their internal operations. Who owns them? Who runs them? What does their infrastructure look like? How about their business model?

    I don't trust any of the search providers as far as I can throw them. If you've got to make a search and you're worried, do it over a public network somewhere else with a spoofed mac and/or over Tor (for starters). Start by locking down your box and then lock down your habits.

  31. Re:No Google by Anonymous Coward · · Score: 5, Insightful

    You need to take Apple at their word for most of those. There's proprietary hardware and binaries in the mix. There's no independent outside audit. Your level of trust is disturbingly naive in an era where corporations and governments lying to citizens is the norm.

    Apple may well be telling the truth about all of them. But to put actual trust in it is fanboiism itself. Right now, you can't trust much of anything. In short, we're stuck between a rock and a hard place. We need to get work done, to interact with others, to be productive in general--but the best options available to us are lousy.

    Trust comes at a high premium and isn't given lightly.

  32. stupid by Anonymous Coward · · Score: 4, Insightful

    His advice is so stupid that I'm really beginning to wonder whether he is still working for the NSA. It's not only inconvenient, it actually puts you at a greater risk.

    Computer security is really not that different from physical security: locking up everything from everybody is a lot of work, inconvenient, and expensive.

    For most things, Google and Facebook are perfectly fine. Hysterical avoidance of them is not only inconvenient, but switching to supposedly more secure services will either make you appear suspicious, or you may simply be running into the open arms of some intelligence service that is using those services as a front.

    Information you don't want to fall into the hands of criminals, you should encrypt; online storage may be fine for some if you are good about encryption and it's not that critical. For really critical information, use local USB drives or paper.

    Is there information you don't want to fall into the hands of government? Yes, even if you are law-abiding. You want to avoid being a false positive on some witch hunt for terrorists or drug offenders, and you don't want to give corrupt prosecutors the ability to blackmail or pressure you into admitting things you didn't do. So, keep your Magic Pony gay porn collection off the Internet and encrypt it, keep your medical information on paper, and purchase your fertilizer and cold medication with cash when you can.

    1. Re:stupid by The+Ickle+Jones · · Score: 1

      or you may simply be running into the open arms of some intelligence service that is using those services as a front.

      Like Google and Facebook, which just give the government whatever they want, while sometimes putting on a show of fighting back but really accomplishing nothing? I'll take unknowns over knowns any day. Besides the government, both Google and Facebook are scummy companies that I want nothing to do with. I'm not going to hand my information over on a silver fucking platter to companies proven to be scumbags merely because there's a chance (however small) that the government controls every service in existence and everything is actually a honeypot. That's incredibly dumb.

    2. Re:stupid by g4sy · · Score: 1

      Ok I don't know why I should believe AC's theory of hiding in plain sight vs. Edward Snowden (who is pretty vetted, and shown to be a smart cookie and trustworthy to boot). Further, he's not asking paranoid people only to avoid these services, he's using the time period when non-nerds around the world are shocked and horrified to encourage a move to better tools and more privacy. Perhaps even starting a move to federated and decentralized, multi-company, multi-platform communication tools. Think email, IRC, BBS and USEnet for the 21st century. And for everyone.

      TL;DR: Hopefully using better, more "real internet" communications with encryption won't be a hallmark of people with things to hide, but all of us. It's about good citizenry.

      --
      somewhere, on a Big Red Sign:
      if(color==blue){speed--;}
  33. hardly new by silfen · · Score: 1

    People have always been suspicious of people who were different. And people have always had to keep some things secret from their neighbors.

    Despite all the beating of chests, I think we are probably better off today than ever before. Many things people used to be able to blackmail you with (homosexuality, extramarital affairs, illegitimate children, bankruptcy, atheism, whatever), people don't give a f*ck about anymore. Furthermore, none of the NSA or CIA bullshit is new, but finally, people are finding out about it and getting upset. I expect these agencies will face more serious restrictions on their operations than ever in their history.

    Yes, we need to be vigilant and take action. No, the sky isn't falling.

  34. Re:Is this counting Apple's new encryption scheme? by mtempsch · · Score: 1

    Burn it. In Russia in the 90s they used to sell kit that could destroy a computer remotely in case the mob or the police visited. Maybe they have the same for the iphone?

    Ooooh, I sense a business opportunity - thermite cases! Shouldn't be any less safe to walk around with than the phones themselves, given the batteries. Must just not make the trigger too sensitive...

  35. Re:Is this counting Apple's new encryption scheme? by Anonymous Coward · · Score: 1

    the mob or the police

    B-

    Too wordy. Suggest cutting redundant nouns.

    Please revise for your final draft next Tue.

    I want to give you an A so you can get into a good [0] college [1] and can participate [2] in the planned Russian-style
    global economy [3], but work with me here.

    My hands are tied. They will cut my funding if enough of you little angels don't pass [4]!

    Good day, Sir/Madam [5].

    You WILL like my newsletter and you WILL subscribe to it.

    Love, the Department of Education/Labour

    [0] controlled
    [1] indoctrination camp
    [2] subjugate
    [3] taxpayer-funded bailout/bribe bonanza
    [4] do as you are told
    [5] Sir/Madam

  36. Re:No Google by Anonymous Coward · · Score: 1, Interesting

    Actually, I do read source code, you imbecile. I and many others. You think I'm the only one?

    The point is that you *can* read the source code. *Anyone* has that ability, or can learn to do so. Many people do so. You're safer in such a scenario than in a scenario where the company is doing who knows what with the software. It's not perfect safety, but it's better.

  37. Re:Is this counting Apple's new encryption scheme? by Famak1994 · · Score: 1

    Disturbing news tonight on the 9 O' clock news. A father accidentally blows his own son's head off after remotely triggering his cell phone case to detonate. Ironically, his son was trying to call his father at his office to let him know that he found his phone.

  38. Re:No Google by Anonymous Coward · · Score: 2, Interesting

    Actually, I do read source code, you imbecile.

    Careful who you're calling "imbecile" there. Reading source code doesn't do a damned bit of good unless every line of code on your machine was built *by you* from the same source you audited, using a known good compiler. Every executable, every driver, every library, every damned line of code that executes on your hardware.

  39. How about all of them? by antdude · · Score: 1

    Everyone seems to be collecting data even /.. :(

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  40. Standardize one-time pads by poodlediagram · · Score: 1

    Given the amount of data we can store on memory cards (now up to 512 GB), now would be a good time to standardize the one-time pad.

    For example, Alice and Bob meet in person. They plug their credit-card-sized one-time pads into each other and exchange gigabytes of truly random numbers generated on-card. Then when Alice wishes to send Bob a message over an untrusted channel (i.e. the internet), she adds a section of the random numbers to her message (modulo 256). Bob then decrypts with his matching set of numbers.

    The used numbers are then deleted on both Alice and Bob's cards.

    A single meeting between A & B would be enough to encrypt every text message they send for ever after. All that is needed is an international set of standards for doing this and the associated hardware. For example, you could take your OTPad to your bank and plug it into a socket and exchange random numbers, and use them for secure banking at home. No CAs required.

    This is future-proof and unhackable (assuming A & B's computers are not compromised).

    You could even exchange the random numbers over an untrusted channel. Just make sure there's a huge number. If everyone does this, it would overwhelm the storage capacity of the NSA and friends.
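
The scheme in the comment above (add pad bytes modulo 256, subtract to decrypt, erase used bytes on both sides), as an added example that is not part of the original thread. The class and function names and the sample messages are constructed for illustration, and it covers one direction only (Alice sends, Bob receives); the last part of `demo()` shows why erasing used pad bytes matters.

```python
import secrets
from typing import Tuple


class PadError(Exception):
    """Raised when a request would reuse pad bytes or run past the end of the pad."""


class OneTimePad:
    """One party's copy of the shared pad. Pad bytes are erased as they are consumed."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._next = 0  # index of the first pad byte that has never been used

    def remaining(self) -> int:
        return len(self._pad) - self._next

    def _consume(self, offset: int, length: int) -> bytes:
        if offset < self._next:
            raise PadError("pad bytes at offset %d were already used and erased" % offset)
        if offset + length > len(self._pad):
            raise PadError("message needs more pad than is left")
        key = bytes(self._pad[offset:offset + length])
        # Erase everything up to the end of this chunk, including bytes skipped
        # because an earlier message never arrived.
        for i in range(self._next, offset + length):
            self._pad[i] = 0
        self._next = offset + length
        return key

    def encrypt(self, message: bytes) -> Tuple[int, bytes]:
        """Return (pad offset, ciphertext); the offset travels with the message."""
        offset = self._next
        key = self._consume(offset, len(message))
        return offset, bytes((m + k) % 256 for m, k in zip(message, key))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        key = self._consume(offset, len(ciphertext))
        return bytes((c - k) % 256 for c, k in zip(ciphertext, key))


def difference(a: bytes, b: bytes) -> bytes:
    """Byte-wise (a - b) mod 256."""
    return bytes((x - y) % 256 for x, y in zip(a, b))


def demo() -> dict:
    pad = secrets.token_bytes(64)  # constructed sample pad (exchanged in person in the post)
    alice, bob = OneTimePad(pad), OneTimePad(pad)

    offset, ciphertext = alice.encrypt(b"meet at noon")
    plaintext = bob.decrypt(offset, ciphertext)

    try:
        bob.decrypt(offset, ciphertext)  # replayed message: those pad bytes are gone
        replay_rejected = False
    except PadError:
        replay_rejected = True

    # If the same pad bytes ever encrypt two messages, the key cancels out and the
    # two ciphertexts reveal the difference of the two plaintexts.
    m1, m2 = b"PAY BOB  100", b"PAY EVE  900"  # constructed sample messages
    key = secrets.token_bytes(len(m1))
    c1 = bytes((m + k) % 256 for m, k in zip(m1, key))
    c2 = bytes((m + k) % 256 for m, k in zip(m2, key))

    return {
        "plaintext": plaintext,
        "replay_rejected": replay_rejected,
        "reuse_leaks_difference": difference(c1, c2) == difference(m1, m2),
        "alice_remaining": alice.remaining(),
        "bob_remaining": bob.remaining(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

The pad is consumed one byte per message byte, so the security of the whole arrangement rests on the pad bytes being random, secret, and used once.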

  41. Re:No Google by SigmundFloyd · · Score: 2

    Google analytics and ads are everywhere

    Blocked in my 'hosts' file. See: http://winhelp2002.mvps.org/ho...

    --
    Knowledge is power; knowledge shared is power lost.
  42. Re: No Google by Anonymous Coward · · Score: 1

    And you have to trust the compiler too

  43. Re:No Google by allo · · Score: 3, Insightful

    But I know that there are people working with the source code. An obvious backdoor would have been found i.e. by the cyanogenmod people, so it needs at least to be more subtle.

  44. Oh hell ya by AndyKron · · Score: 1

    Oh hell ya he's a hero, and fuck the government for not saying so. Come to think of it, just fuck the government in general because it's generally fucked up. Thanks for voting!

  45. Re:No Google by allo · · Score: 1

    irony: to login you should use a google account.

  46. Is this where they dangle a puppet? by HnT · · Score: 4, Insightful

    Is this where "the man" dangles a puppet in front of your eyes so you forget about everything else? Say I never used facebook, dropbox and google and steer clear. Now "they" only have phones, credit cards, bank statements, anything I get shipped, plane stubs, hotel reservations, car license plates, cell- and/or smartphones and a bazillion other things to know exactly what I ate last Tuesday and to violate my privacy which, judging by the attention wh**ing online, nobody cares all that much about anyway it seems.

    --
    "Only one thing is impossible for God: To find any sense in any copyright law on the planet." - Mark Twain
    1. Re:Is this where they dangle a puppet? by Spectra72 · · Score: 1

      Spot on. Social apps are the least of the problems.

      Add in databases of criminal records, medical records, etc, etc.

      As people are wont to say about the TSA, dropping out of social media is just security theater.

  47. Re:No Google by Anonymous Coward · · Score: 2, Informative

    That only has a limited effect. https://panopticlick.eff.org/ This is one of the SIGNIFICANT downsides of being a geek. Running Linux, alternate browsers, having unusual plugins, etc. all make it very easy to identify your particular machine on the 'Net.

  48. Re:No Google by jones_supa · · Score: 1

    The point is that you *can* read the source code. *Anyone* has that ability, or can learn to do so. Many people do so.

    Almost no one but the actual developers of the project read the source code. Software projects are so large these days that people seldom wade through the multiple thousands of lines of code just for fun.

    Here's an experiment people here can do: download the source code of some small project and read it thoroughly. Just try what it feels like. Understanding how the program actually works can take a surprisingly big amount of time.

    Do that experiment now.

  49. Re:Is this counting Apple's new encryption scheme? by countach · · Score: 1

    Hmm... the key is NOT on the phone. I don't understand Snowden's comments or yours. The iOS file system is encrypted, and if you use a decent length pass phrase it should be unhackable. No?

  50. Re:No Google by Anonymous Coward · · Score: 1

    I will just tell you this.
    Somewhere in the internet, there is a forum dedicated to a group of people that spend all of their time injecting backdoors into open source projects.
    There is a whole tricky art of how to design malicious code that seems innocent enough to pass peer review. Every single time the malicious code is committed along a useful commit, and in many cases even spread out over multiple commits/months for obfuscation.
    While most of them target not-so-popular open source projects, I know of at least 2 very big projects that have backdoors injected in them and no one has a clue.

    Every single time I see a guy saying they trust open source more I just laugh. Who really spends a huge time studying the codebase of an open source project before installing it?
    Both open and closed source methods are insecure, and even if you're writing the whole software yourself you're still vulnerable due to the compiler that you did not write yourself (hint hint) or the OS itself, or the drivers, or every single fucking thing that you did not write and did not properly audit.

  51. Re:Is this counting Apple's new encryption scheme? by countach · · Score: 1

    I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.

  52. Re:No Google by The+Ickle+Jones · · Score: 2

    I know of at least 2 very big projects that have backdoors injected in them and no one has a clue.

    Really? Well, it's free software, so either inform someone or get cracking. I see you're being very vague about this.

  53. Re:No Google by NoZart · · Score: 1

    Sadly, Opera 12.x breaks more and more pages these days :(

  54. Re:Is this counting Apple's new encryption scheme? by Anonymous Coward · · Score: 1

    It is a must these days (I've been turned down for jobs because I didn't have a FB ID, as an IT worker without a FB or Twitter account is considered a "fossil".)

    This is probably the dumbest thing I've read today (and I've read other articles on slashdot). How does having a narcissistic "me-too" account help you do anything better in any tech job?

    The answer is, they don't. Would you want to work for anyone who thought otherwise?

  55. Re:Is this counting Apple's new encryption scheme? by Anonymous Coward · · Score: 1

    These companies no longer have any reason to voluntarily cooperate with the NSA.

    Until when they invoke those pesky compulsory NSL letters.

  56. Re:No Google by allo · · Score: 1

    And in closed source software, you do not even have the chance to see the backdoor.

  57. Re:No Google by worf_mo · · Score: 1

    For chrissake, talk about waking a sleeping bear...

  58. Re: Is this counting Apple's new encryption scheme by Applehu+Akbar · · Score: 1

    US extradition treaties only cover actions that are crimes in both countries, which means that the only crimes you could be extradited to Saudi and beheaded for are drug offenses.

  59. Re: No Google by Ronin+Developer · · Score: 1

    Exactly how does that custom ROM get installed??? Does it require modification of a device? Hardware modifications are not stock, are they? Are these devices readily available from a major supplier or must they be custom ordered?

    There has been no reported successful hack of iOS devices to install malware where the device wasn't jailbroken. If you know otherwise, please provide relevant links? This can not be said of Android.

    Now, what happens on the backend is open to interpretation and subject to debate.

    You called the other poster a fanboi. He might be, but you are clearly a FAndroid with a chip on his shoulder and something to prove.

  60. Re:Is this counting Apple's new encryption scheme? by Famak1994 · · Score: 1

    The thermite would cause the battery to explode...

  61. Re:Is this counting Apple's new encryption scheme? by wiredlogic · · Score: 1

    if you use a decent length pass phrase it should be unhackable. No?

    Only if you're naive enough to believe that a keylogger can't be installed surreptitiously.

    --
    I am becoming gerund, destroyer of verbs.
  62. The matrix has you by markus.neifer · · Score: 1

    Like it or not, there's no escape. We've chosen this way.

  63. Not that tough by jader3rd · · Score: 1

    Given that I don't use two of those services, and occasionally use the other, that advice is not that tough.

  64. Re:Is this counting Apple's new encryption scheme? by ColdWetDog · · Score: 1

    In the interim, while you crazies are arguing the difference between deflagration and detonation, the kid's head falls off.

    I hope you are happy with yourselves.....

    --
    Faster! Faster! Faster would be better!
  65. Re: No Google by Famak1994 · · Score: 1

    "Exactly how does that custom ROM get installed??? "

    http://www.android.gs/install-...

    "Does it require modification of a device? "

    Absolutely!

    "Hardware modifications are not stock, are they? "

    I think you mean software modifications, but no they're not stock. But you can make a stock backup of the original rom.

    "There has been no reported successful hack of iOS devices to install malware where the device wasn't jailbroken. "

    http://www.theverge.com/2014/9...

    "Now, what happens on the backend is open to interpretation and subject to debate."

    No it's not, because the information is not publicly available.

    "Now, what happens on the backend is open to interpretation and subject to debate."

    A fanboi of what exactly? If you recall, I'm treating both Apple and Google exactly the same...Using an Android device does not always mean you're a fan of Google.

    Show me an iPhone that I can install a custom rom on while avoiding all of their services and I'll buy it.

  66. Re:No Google by lgw · · Score: 1

    It's not about the obvious backdoor. It's often about the random number generator used for generating keys. Maybe that keyspace is smaller than you think.

    How many of the e.g. cyanogenmod people collect a paycheck from the NSA? We've seen very subtle flaws in open source code that looked plausibly like a typo, but weakens security just enough for a powerful attacker while remaining secure from a script kiddy.

    Not like it's just open source. Trust was lost for the hardware RNG in Intel CPUs (I'm not sure there was ever any evidence of tampering, only evidence of how subtly it could be done: only one guy messing with a mask at the last minute, and the RNG output would still look random).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  67. No Google by tom229 · · Score: 1

    Living without [a google account] is certainly possible. I've been doing it for years. I would agree that "app" developers seem obsessed with publishing their offerings through a single medium, that takes 30%, and requires their users to buy into the google/apple ecosystem. However, I blame this on the typical "app" developer being a mindless dullard, addicted to the status quo. The entire IT spectrum has been infested with these types of late. It's been frustrating.

    --
    If it ain't broke, don't fix it.
  68. New Zealand has treaty, money laundering, racketee by raymorris · · Score: 1

    New Zealand does have an extradition treaty with the US, and recognizes money laundering and racketeering as felonies.
    The precise opposite set of facts vs GGP's imagination.

  69. Re: Is this counting Apple's new encryption scheme by bigfinger76 · · Score: 1

    I don't think committing the crime in the US is grounds for extradition.

  70. Re:No Google by allo · · Score: 1

    Security is just not black and white.
    For opensource you have the chance to see something, with closed source you do not have it.

    The only argument could be, that flaws in opensource can be found easier by the bad guys, because of the open source. But I doubt it. At least for these not-so-obvious ones.

    I think stuff like the debian ssl bug was known by the nsa. But not because they read the source, but because they collected A LOT of ssl keys. So it's like blackbox testing.
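
The point made in this comment and in lgw's earlier one (a key generator with a smaller keyspace than expected, noticeable from the keys alone), shown from the auditing side as an added example that is not part of the original thread. The toy generator, its 15-bit seed, the host names and the function names are all assumptions made for illustration; the blocklist step goes slightly beyond what the comments describe.

```python
import hashlib
import math
import secrets
from collections import defaultdict

SEED_BITS = 15  # assumption: the weak generator's only entropy is a 15-bit value


def toy_keygen(seed: int) -> bytes:
    """Stand-in for a key generator whose output depends only on `seed` (not a real cipher)."""
    return hashlib.sha256(b"toy-keygen:" + seed.to_bytes(4, "big")).digest()


def fingerprint(public_key: bytes) -> str:
    """Short fingerprint used to compare keys across hosts."""
    return hashlib.sha256(public_key).hexdigest()[:16]


def find_shared_keys(inventory):
    """Black-box check: fingerprints that appear on more than one host."""
    by_fp = defaultdict(list)
    for host, key in inventory:
        by_fp[fingerprint(key)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


def weak_key_blocklist():
    """Every fingerprint the weak generator can produce; feasible only because the keyspace is tiny."""
    return {fingerprint(toy_keygen(seed)) for seed in range(2 ** SEED_BITS)}


def flag_weak_hosts(inventory, blocklist):
    """Hosts whose key is on the blocklist, whether or not another host shares it."""
    return sorted(host for host, key in inventory if fingerprint(key) in blocklist)


def collision_probability(n_keys: int, keyspace_bits: int) -> float:
    """Birthday approximation: chance that at least two of n independently drawn keys coincide."""
    exponent = math.ldexp(n_keys * (n_keys - 1) / 2.0, -keyspace_bits)
    return -math.expm1(-exponent)


def sample_inventory():
    """Constructed inventory: six hosts keyed by the weak generator, one by a real CSPRNG."""
    return [
        ("web-01", toy_keygen(4121)),
        ("web-02", toy_keygen(977)),
        ("mail-01", toy_keygen(4121)),
        ("vpn-01", toy_keygen(31002)),
        ("db-01", toy_keygen(977)),
        ("build-01", toy_keygen(15)),
        ("bastion-01", secrets.token_bytes(32)),
    ]


if __name__ == "__main__":
    inventory = sample_inventory()
    for fp, hosts in find_shared_keys(inventory).items():
        print("shared key", fp, "on", ", ".join(hosts))
    print("on blocklist:", flag_weak_hosts(inventory, weak_key_blocklist()))
    print("P(collision), 500 keys, 15-bit space: %.3f" % collision_probability(500, 15))
    print("P(collision), 500 keys, 128-bit space: %.3g" % collision_probability(500, 128))
```

Duplicate grouping only catches keys that happen to collide within the sample; the blocklist also catches `vpn-01` and `build-01`, whose weak keys are unique in this inventory.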

  71. Free is not free by theshowmecanuck · · Score: 2

    People use Gmail because it is generally reliable, they abstract them from whatever ISP they may have at the moment, and appear to be free. But mostly because they appear to be free, because the other two can be had elsewhere. But we all know it isn't free. They have your data. I personally don't believe they don't mine your data. The cost is your personal information not really being personal. But cash money is a powerful thing. And with new job creation tending towards "would you like fries with that," saving cash is more important to most than saving privacy.

    --
    -- I ignore anonymous replies to my comments and postings.
  72. Re:No Google by lgw · · Score: 1

    Are you looking at the code? I don't think that's relevant.

    Companies like Google, Apple, and yes Microsoft have plenty of smart people looking at their closed code for security flaws - well-trained people whose day job is to do just that.

    The once-believed advantage of open-source was that companies might be in bed with the NSA, putting flaws in deliberately, but open-source projects wouldn't be. Turns out, not so much. Both groups are just as vulnerable to malicious insiders, and both are filled with techies who would be quite angry to discover a flaw deliberately hidden in their codebase.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  73. Re:No Google by allo · · Score: 1

    > Google, Apple, and yes Microsoft have plenty of smart people looking at their closed code for security flaws
    Same for big open source projects.

    And now show me a case of a malicious insider in an open source project.

  74. Re:No Google by The+Ickle+Jones · · Score: 1

    > The once-believed advantage of open-source was that companies might be in bed with the NSA, putting flaws in deliberately, but open-source projects wouldn't be.

    With open source, you can start making your own version and modifications. If there is an apparent conflict of interest, someone will start a new project, possibly using the source code. Or you can hire people to work on it for you. You're not beholden to a single company.

    > Both groups are just as vulnerable to malicious insiders

    No, they're not. It's much easier to spot when everything is out in the open. Not only do professionals often look at big open source projects, but 'normal' people also do so; there are more prying eyes.

    We already have countless pieces of evidence of companies being in bed with the government, but with open source, there's a greater chance any such malicious activity will be spotted. Not 100%, but then again, who has ever claimed that?

  75. Re:No Google by lgw · · Score: 1

    > With open source, you can start making your own version and modifications

    That is the one real advantage. It's not cheap or easy. It's not going to be a hobby project. But it's possible.

    The replacement of OpenSSL, the TrueCrypt audit and fork. That's where you see open source step ahead.

    > We already have countless pieces of evidence of companies being in bed with the government

    There's a big difference between a company giving data to the government -- security doesn't enter into that -- and adding deliberate flaws to security products. There hasn't been much evidence of the latter, though wasn't RSA tainted? The bigger worry with proprietary security products is that they're scams, and that happens a lot, but that's a different issue.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  76. Re:No Google by Anonymous Coward · · Score: 1

    mail.com / email.com got bought out by AOL years ago (remember the godawful improvements to the interface?), and require google to be unblocked when you need your password back

    They were compromised directly somewhere around 2008, check the helpful infographic on the NSA's "signup" program that was one of Greenwald's first releases, I forget the name of the program

    So that's 2 large companies with cross-scripted access to your password/data, and two points of agency entry - catch22 when you forget your password

  77. Re:No Google by lgw · · Score: 1

    It's hard to google pre-heartbleed OpenSSL flaws, but there were some serious, subtle flaws in OpenSSL that looked remarkably like typos. After the NSA leaks, there's no doubt: someone committed those flaws deliberately. And the NSA leaks showed a large and well-funded program to do just that: to subvert every public cryptographic tool and standard in subtle ways, vulnerabilities that left tools secure unless you knew about the backdoor (which is particularly pernicious, as when the backdoor is inevitably discovered, the tools are in widespread use).

    The open/closed source debate is like a school yard brawl when the Marines land - entirely trumped by vastly more resources spent subverting the tools than went into writing them. What a damn waste.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  78. Re: No Google by Ronin+Developer · · Score: 1

    The hack you posted is not an exploit of the phone - it was a hack against one of the services provided by iCloud. The phone, itself, was not compromised.

    There was a report of spyware that could be installed on an iPhone - it required a jailbreak to install. It could not be done OTA and without physical access to the device.

    Replacing a ROM chip is both a software and hardware modification. It is not stock, is it? So, out of the box, which platform is more secure at this time?

    Now, once you modify the device as you have indicated, it's possible to make the Android more secure. But, as a stock device, it still lags, doesn't it?

    And, you are right...you can't insert a custom ROM in an iOS device - best you can do is jailbreak - something I would never do because of the inherent risks.

    Why do I refer to you as a "Fandroid"? You attacked the original poster's arguments where they stated that all but one of the items they listed were iPhone only. You said the features were available on Android as well. They aren't without custom, hardware and software modifications as you noted. You ignored their original point and called them a "fanbois". I called you on it.

  79. Re: No Google by Famak1994 · · Score: 1

    Well, apparently it's officially a pissing contest now. But to clarify my reasoning behind my previous posts: I was merely promoting freedom of choice over blind trust. It's a double-edged sword since the more freedom you give up the more susceptible you become to the fat cats; while the more freedom you have, ultimately, makes you more susceptible to black hats. Either way, I could give two shits less which is more secure for the 'general populace' nor how many retards get themselves hacked due to poor decisions SO LONG as I have FULL control over my devices and am able to implement my own security protocols. Which currently, Apple does not offer...End of debate.

  80. Re: No Google by Famak1994 · · Score: 1

    In good conscience, I have to reply to you twice since...

    > The hack you posted is not an exploit of the phone

    Then what is it?

    > Replacing a ROM chip is both a software and hardware modification. It is not stock, is it? So, out of the box, which platform is more secure at this time?

    Do you even know what you're talking about?

    > Now, once you modify the device as you have indicated, it's possible to make the Android more secure. But, as a stock device, it still lags, doesn't it?

    No, it doesn't since everyone involved works closely together in improving whichever device is in question. A most notable case is CPalmar, who not only did it for his wife and his own personal enjoyment, but has done it all for free and has continuously refused donations! Even the creators of Cyanogen (the most popular custom ROM) have refused to sell themselves out, even in the face of a billion dollar acquisition offered by Google: http://www.droid-life.com/2014...

    > And, you are right...you can't insert a custom ROM in an iOS device - best you can do is jailbreak - something I would never do because of the inherent risks.

    The only risk that's involved is your naivety. People don't just get malware from doing nothing, they download pirated copies of apps and single-handedly fuck themselves. And you know what, I'd rather people have the freedom to go fuck themselves than no freedom at all since I could care less about these rejects.

  81. Re:No Google by Famak1994 · · Score: 1

    I believe you have no idea what constitutes a logical fallacy. So I'll point you to a site that makes it easy for you to print and/or purchase a board that clarifies all of this for you: https://yourlogicalfallacyis.c...

  82. Re:No Google by brantondaveperson · · Score: 1

    Recent major security blunders with open source software beg to differ.

  83. Re:No Google by AHuxley · · Score: 1

    FBI quietly forms secretive Net-surveillance unit (May 22, 2012)
    http://www.cnet.com/news/fbi-q...
    Somewhere between a tame telco, tame hardware, tame software and the "Communications Assistance for Law Enforcement Act" https://en.wikipedia.org/wiki/...
    an average user's GPS, voice, text, images, voice print and all other cell related data will be as easy to get as always.
    An average user might be sold on the idea that some user data is protected from wider outside network man in the middle efforts but that will not help with CALEA and a tame brand having to sell compliant telco products in the USA over generations.
    Staff often then move into the private sector and then contract methods and skill sets back at a city and state level. That's a lot of people with the keys to consumer grade telco standards.

    --
    Domestic spying is now "Benign Information Gathering"
  84. Re:No Google by tqk · · Score: 1

    > mail.com / email.com got bought out by AOL years ago ...

    I don't much care about that. Yeah, AOL in its day was pretty silly, but mail.com seems not bad. Anything I've talked to them about seemed handled professionally. Yeah, I tend to edit my replies in emacs, then attach that to an otherwise empty email (to preserve formatting), but that's the way of the world (Microsoft and its related apps' embrace & extend corruption) that I've come to expect to have to work with in many ways. They didn't invent that. FTP need[ed|s] to be told explicitly when it was handling binary data too.

    > ... and require google to be unblocked when you need your password back

    Didn't know that, but I won't forget my email provider account's pword, barring senility or ethyl alcohol (feature! :-). I don't bother going out of my way to block G. I just try not to use them/it, other than Youtube. I don't have much to hide, and I assume something's always been grepping what's been going through the main network nodes. Now, they're just better (more capable, technically speaking) of doing it.

    > They were compromised directly somewhere around 2008 ...

    ty, but that was a long time ago, yes?

    > So that's 2 large companies with cross-scripted access to your password/data, and two points of agency entry - catch22 when you forget your password

    So don't do that. I'm looking forward to getting IMAP access with them. $20/a. IMAP would eliminate my need to use their (IMHO) icky webmail interface. All webmail interfaces blow chunks (imho).

    --
    "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  85. Standardize one-time pads by AHuxley · · Score: 1

    The problem is text is decrypted back to plain text looking for advertising on the free email services after they offer their free new https all the way.
    The message is then seen as classic random numbers and is then flagged at some stage as using encryption and further sorting by gov/mil.
    The gov/mil does not care what is in your message but the slightest hint that any person is using crypto-like numbers or letters in bulk would ensure any ip, user, isp is noted.
    That message glows.
    Expect 3-4 levels of hops to all other communications to be looked at retroactively and users listed for future tracking. Friends of friends going back. "Collect it all" gets it all and can then be given a sorting task.
    The good news is the one time pad works. The fun part is getting the format to look very normal and be machine readable for advertizing.
    The bad news is random numbers stand out, the path of the message stands out and will ensure a lot of interest from gov/mil with global reach and years of storage.

    --
    Domestic spying is now "Benign Information Gathering"
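
The comment above says a one-time pad works but its output stands out as random data. As an added illustration (not part of the thread or any poster's code), this Python sketch encrypts a constructed sample message with a one-time pad and compares two simple statistics a traffic classifier can use, byte entropy and printable-byte ratio; the function names and sample text are assumptions made for this example.

```python
import math
import secrets
from collections import Counter

# Constructed sample message (not from the thread).
SAMPLE = (
    b"Meeting moved to Thursday at ten. Bring the quarterly figures and the "
    b"draft contract; legal wants another look before we sign. Lunch is on "
    b"me if the numbers hold up. Let me know whether the train or the car "
    b"works better for you, and tell Sam the projector is still broken."
)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR each byte with a pad byte. The pad must be truly
    random, at least as long as the data, and never reused."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ p for d, p in zip(data, pad))


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (space through tilde)."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data) if data else 0.0


def profile(data: bytes) -> dict:
    return {"entropy": shannon_entropy(data), "printable": printable_ratio(data)}


def demo() -> tuple:
    pad = secrets.token_bytes(len(SAMPLE))      # fresh pad, used once
    ciphertext = otp_xor(SAMPLE, pad)
    assert otp_xor(ciphertext, pad) == SAMPLE   # the same XOR decrypts
    return profile(SAMPLE), profile(ciphertext)


if __name__ == "__main__":
    plain, cipher = demo()
    # English text: low entropy, all printable. Pad output: near-uniform bytes.
    print("plaintext :", plain, "\nciphertext:", cipher)
```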
  86. Re:No Google by Famak1994 · · Score: 1

    A single word does not make a sentence. But thanks grammar cop for correcting something that doesn't matter in the slightest bit.

  87. Re:Is this counting Apple's new encryption scheme? by sexconker · · Score: 1

    I think his point is that while the NSA has been able to sniff around the internet with impunity, to actually take your phone and examine it, they would need a warrant.

    Step 1: You are pulled over while driving for .
    Step 2: Cop determines that you are acting suspicious and refusing to comply with his orders.
    Step 3: Cop tells you to step out of the car, puts you in handcuffs, empties your pockets, and searches your vehicle.
    Step 4: Cop takes your phone and plugs in AutoFascist 3.0 device while you watch, pressed up against the hood of your own car.
    Step 5: "Thank you, Officer."

  88. Re:No Google by allo · · Score: 1

    Yeah, I suspect the NSA to infiltrate BIG projects like OpenSSL as well. But I fear closed source the same. The only difference is that commercial (!= closed source) software can easily be affected by an NSL and that open source (which may be commercial as well) software can be read if something is suspected. And you can patch as soon as possible without waiting for a patch day.