Slashdot Mirror


Ask Slashdot: How Do I Reduce Information Leakage From My Personal Devices?

Mattcelt writes: I find that using an ad-blocking hosts file has been one of the most effective ways to secure my devices against malware for the past few years. But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own. And finding out today that Microsoft is, once again, bollocks at privacy (no surprise there) made me think I need to add a new strategic purpose to my hosts solution — specifically, preventing my devices from 'phoning home'. Knowing that my very Operating Systems are working against me in this regard incenses me, and I want more control over who collects my data and how. Does anyone here know of a place that maintains a list of the servers to block if I don't want Google/Apple/Microsoft to receive information about my usage and habits? It likely needs to be documented so certain services can be enabled or disabled on an as-needed basis, but as a starting point, I'll gladly take a raw list for now.

9 of 261 comments

  1. Simple by NEDHead · · Score: 4, Informative

    Never use an internet connected device

    1. Re:Simple by Aighearach · · Score: 4, Informative

      Never say yes to an app permission your use of the app doesn't require. Generally this requires only using open source apps, and downloading the source and turning off extra permissions.

      Never require networking from apps that you don't want to phone home.

      Assume everything that can phone home, does.

      As to the complaint that MS's "privacy mode" isn't as private as some people wanted, it reminds me of Richard Feynman at Los Alamos complaining that otherwise-intelligent people thought that secrets were safe because they were stored in devices called "safes." Had they been called "locking cabinets that reduce the likelihood of access a little bit, especially by honest folks" or something else literal, they might have had less problems with secrets being stolen. "Privacy mode" isn't intended to make everything "private," it is intended to mask your pr0n access from casual examination of your browser history. But that isn't actually private in most cases, it is just web traffic and they could unmask you at the router anyways. Internet doesn't have a "private" option, if you want private you'll need a "private network." Internet is a "public network." It is like wanting privacy on the sidewalk; you can't have it. You can usually keep people from touching you, though.

      Ultimately if you want a private mobile device, you should be buying hardware, replacing the OS with something FL/OSS and only using a private network.

  2. Don't Use One by Anonymous Coward · · Score: 1, Informative

    Forget a smart phone. Use a simple prepaid phone and don't link it to anything.

  3. Re:To refine the question, with subquestions by amicusNYCL · · Score: 3, Informative

    There's a curated hosts file here that contains a section for blocking domains used for Windows 10 reporting, if that's your thing:

    http://someonewhocares.org/hos...

    There are also several domains relating to Google and Apple.

    If you have a small list of several domains you want to block, you can probably just search for hosts files and include several of those domains as additional keywords.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. It comes down to VPN settings and tuning effort by Nonesuch · · Score: 5, Informative

    If you don't want to root your device and don't want to tunnel all your traffic to a VPN server (adds latency), you can use one of the Android "NoRoot" firewalls that routes app traffic through a local VPN for inspection and filtering. This uses more CPU and battery, but all protection is done within your mobile device. It takes a lot of manual effort to build a policy that blocks undesirable traffic and still lets apps work.

    You can tunnel your traffic to a commercial VPN provider, but now you are trusting them to maintain performance and not invade your privacy, and they won't have any visibility to the contents of traffic that is inside SSL/TLS encryption, for better or for worse (e.g. cannot inspect Android apps downloaded as APKs from SSL websites).

    Better yet, you can root the device and add your own Certificate Authority and firewall settings. Now you can use your own VPN to ensure all traffic from all applications goes to a remote VPN headend for inspection/modification, even traffic the device thinks is encrypted with SSL. If you have many users going through the same VPN, you can do things with packets and headers to make it difficult for CDNs and ad networks to identify individual users who are all behind the same gateway.

    If you have more time than money, you can build up a VPN headend with open source tools (e.g. Squid+SSLbump), and write policy to block traffic that doesn't meet your security policy, and to log what your device tries to send. You can use header modification to strip out identifying information and cookies.

    If you are a business or otherwise have more money than time, the expensive approach is to use a commercial firewall appliance that has a client VPN and URL filtering service (e.g. Checkpoint, Palo Alto, Juniper, F5, etc). You set up the VPN to send all your mobile device traffic through the firewall, and use firewall policy to decrypt SSL, inspect APKs, and block ads. This solution is very effective at blocking ads and undesirable network traffic, and can often detect or block malicious APKs and other attacks.

  5. Re:Good luck ... by tepples · · Score: 3, Informative

    Disable Google Play Services and obtain free apps through F-Droid instead of proprietary apps through Google Play Store. Better yet, if your phone is supported, install a third-party Android Open Source Project (AOSP) ROM such as CyanogenMod or Replicant. I can't guarantee it'll plug all leaks, but it should stop the big one.

  6. Here's how to do it by Artem+S.+Tashkinov · · Score: 5, Informative

    Here's my old comment verbatim:

    First of all there are immortal cookies (infinite cache entries created specifically for your unique PC). Secondly, there's a unique combination of your web browser + OS + fonts + plug ins: https://panopticlick.eff.org/ Thirdly, there are unique patterns in your behaviour (websites that you visit and how frequently you do that) and other wonderful metrics to trace you.

    If you want to avoid being traced and tracked there's just one way:

    • You buy a single time anonymous SIM card with Internet.
    • You go to some public place where there are no web cameras installed or you're not under their monitoring.
    • You browse the web using at least TOR, or even better a combination of VPN + TOR.
    • You use the most common computer OS (Windows 7 64), the most common web browser (IE11/Google Chrome or Mozilla Firefox) and the least number of browser plugins and extensions.
    • You do NOT login using Facebook/Google/Microsoft/Yahoo/etc. services, because these companies trace your presence on unrelated websites using various "Share Me" options.
    • You do NOT use Skype/WhatsApp/Vibe or other apps.
    • You completely destroy your browser profile and this SIM card after you're finished.

    This is actually a recipe for browsing the web anonymously; however, this is the reality of the modern web - not to be traced means to be anonymous as much as possible.

    All other ways are only half measures. Or, like people have suggested, you may stop using the Internet completely. It should have long been renamed to a "Trackingnetwork".

  7. Re:To refine the question, with subquestions by niftymitch · · Score: 3, Informative

    This is getting harder and harder to do.

    If you do want to make progress invest in a Raspberry Pi
    and a WiFi USB thing. Perhaps two....

    Run the Pi and the laptop network hardwired together.
    Have the Pi connect to the WiFi of the coffee shop.
    A Pi can run a decent firewall and Squid proxy with one of many Linux
    distro packages. It is easy to reload the uSD card with a clean
    OS install. It is easy to remove the uSD card and inspect the
    system for anomalies.

    The second one... Install it as a VPN access point at your home network
    connection. The Pi in your home and the Pi in the coffee shop can contain
    shared secrets for a secure link that is harder to man in the middle attack.

    There are cooperating groups sharing curated lists of addresses and host
    domains that the Pi at home can slurp up and maintain.

    The mobile Pi WiFi USB thing can be replaced for ten bucks and
    some can have their MAC address randomized to look like yet
    another iPhone.

    I would love to see a product packaged like the Airport Express
    that would manage a firewall and VPN.

    It is also important to explore VM. A virtual machine
    can operate as a sacrificial OS. Copy the image
    start it, get work done, stop it and trash it.

    This is astoundingly difficult to do correctly.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
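
Added example, not part of the thread or any commenter's code: merging several hosts-format blocklists of the kind mentioned above (the curated hosts file in amicusNYCL's comment, the shared curated lists in niftymitch's) into one deduplicated file, with named sections that can be switched off when a service is needed. The `# section:` marker, the function names and the example.* hostnames are assumptions constructed for this example.

```python
import re
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}  # keep resolving
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
HOST_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}$")

def parse_hosts(text):
    """Return {section: set(hostnames)} from hosts-format text."""
    sections, current = {}, "unsorted"
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\s*section:\s*(\S+)", line, re.I)
        if m:                       # assumed marker: "# section: <name>"
            current = m.group(1).lower()
            continue
        fields = line.split("#", 1)[0].split()   # drop inline comments
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue                # blank, comment, or a real address mapping
        for name in fields[1:]:     # one line may carry several hostnames
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES and HOST_RE.match(name):
                sections.setdefault(current, set()).add(name)
    return sections

def build_blocklist(sources, disabled=()):
    """Merge several lists, skip disabled sections, return sorted hosts lines."""
    off = {d.lower() for d in disabled}
    merged = set()
    for text in sources:
        for section, names in parse_hosts(text).items():
            merged |= names if section not in off else set()
    return ["0.0.0.0 " + n for n in sorted(merged)]

# Constructed sample input (example.* names are placeholders, not real endpoints).
LIST_A = """\
127.0.0.1 localhost
# section: os-telemetry
0.0.0.0 telemetry.example.com  Stats.Example.com   # two names, mixed case
# section: ads
127.0.0.1 ads.example.net
10.0.0.5 nas.example.org
"""
LIST_B = """\
# section: ads
0.0.0.0 ads.example.net.
0.0.0.0 bad_host..example
# section: store
0.0.0.0 store.example.org
"""
if __name__ == "__main__": print("\n".join(build_blocklist([LIST_A, LIST_B], disabled=["store"])))
```

A hosts file matches exact names only, so every subdomain a service uses needs its own entry in the source lists.
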
  8. Re:Brave might suffice your browsing privacy needs by Anonymous Coward · · Score: 2, Informative

    The last I read, Brave will inject its own ads. No thanks.