Slashdot Mirror


Ask Slashdot: How Do I Reduce Information Leakage From My Personal Devices?

Mattcelt writes: I find that using an ad-blocking hosts file has been one of the most effective ways to secure my devices against malware for the past few years. But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own. And finding out today that Microsoft is, once again, bollocks at privacy (no surprise there) made me think I need to add a new strategic purpose to my hosts solution — specifically, preventing my devices from 'phoning home'. Knowing that my very Operating Systems are working against me in this regard incenses me, and I want more control over who collects my data and how. Does anyone here know of a place that maintains a list of the servers to block if I don't want Google/Apple/Microsoft to receive information about my usage and habits? It likely needs to be documented so certain services can be enabled or disabled on an as-needed basis, but as a starting point, I'll gladly take a raw list for now.

28 of 261 comments

  1. Simple by NEDHead · · Score: 4, Informative

    Never use an internet connected device

    1. Re:Simple by ihtoit · · Score: 2

      I think it was APK who did the submission.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    2. Re:Simple by Anonymous Coward · · Score: 5, Interesting

      Yesterday, I was waiting while sitting in an airplane. I hadn't put my iPhone yet in "airplane" mode. The cell reception was next to non-existent. I turn on the music player and it gets stuck on the startup screen. Nothing I can do. I turn on airplane mode, then it works immediately. It's not the first time I noticed this happen. Even just trying to listen to your own tunes Apple still makes your devices connect "home", regardless of how you disable any limited settings that may have an effect on this. Therefore,

      > Never use an internet connected device

      is accurate.

      That's just an example. Almost every program by Apple does that, as seen in the Activity Monitor on OS X. People like to rant on Windows 10 calling home, but MS is just learning from the experts ;)

    3. Re:Simple by Aighearach · · Score: 4, Informative

      Never say yes to an app permission your use of the app doesn't require. Generally this requires only using open source apps, and downloading the source and turning off extra permissions.

      Never require networking from apps that you don't want to phone home.

      Assume everything that can phone home, does.

      As to the complaint that MS's "privacy mode" isn't as private as some people wanted, it reminds me of Richard Feynman at Los Alamos complaining that otherwise-intelligent people thought that secrets were safe because they were stored in devices called "safes." Had they been called "locking cabinets that reduce the likelihood of access a little bit, especially by honest folks" or something else literal, they might have had less problems with secrets being stolen. "Privacy mode" isn't intended to make everything "private," it is intended to mask your pr0n access from casual examination of your browser history. But that isn't actually private in most cases, it is just web traffic and they could unmask you at the router anyways. Internet doesn't have a "private" option, if you want private you'll need a "private network." Internet is a "public network." It is like wanting privacy on the sidewalk; you can't have it. You can usually keep people from touching you, though.

      Ultimately if you want a private mobile device, you should be buying hardware, replacing the OS with something FL/OSS and only using a private network.

    4. Re:Simple by omnichad · · Score: 4, Insightful

      No, it appears to be reverse-trolling aimed at APK. For one, it links to a competing HOSTS file engine.

      And then the most telling, is this quote:

      > But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own.

    5. Re:Simple by Anonymous Coward · · Score: 2, Funny

      > Almost all apps, even a basic fleshlight app

      That was an interesting error.

  2. To refine the question, with subquestions by Actually,+I+do+RTFA · · Score: 2

    Is there a way to use some things (e.g. Google Maps) with known leaks, without exposing every activity to Google all the time on unrelated sites? It seems like limiting some domains makes sense, but I'm thinking of things like cloudfront.net

    Also, is there some way to prevent the CDN-style spying/extra downloads?

    --
    Your ad here. Ask me how!
    1. Re:To refine the question, with subquestions by amicusNYCL · · Score: 3, Informative

      There's a curated hosts file here that contains a section for blocking domains used for Windows 10 reporting, if that's your thing:

      http://someonewhocares.org/hos...

      There are also several domains relating to Google and Apple.

      If you have a small list of several domains you want to block, you can probably just search for hosts files and include several of those domains as additional keywords.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
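An added example, not part of the thread and not code from the linked hosts project: one way to keep a merged hosts blocklist documented in sections that can be switched on or off as needed, which is what the submission asks for. The `# [section: NAME]` marker, the section names and all sample domains are constructed for illustration; lines that point a name at a real IP are dropped, so a third-party list can only sinkhole a host, never redirect it.

```python
import re

# Constructed sample input. The "# [section: NAME]" marker is this example's
# own convention (an assumption), not the format of any published hosts list.
SAMPLE = """\
127.0.0.1 localhost
# [section: ads]
0.0.0.0 ads.example.com
0.0.0.0 ADS.example.com        # duplicate, different case
127.0.0.1 tracker.example.net
203.0.113.7 bank.example.com   # redirect to a real IP, not a sinkhole
# [section: os-telemetry]
0.0.0.0 telemetry.example.org
0.0.0.0 update.example.org     # still wanted for patches
0.0.0.0 not_a_valid_host!
0.0.0.0 localhost
"""

SECTION = re.compile(r"#\s*\[section:\s*([\w-]+)\s*\]")
LABEL = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME = re.compile(rf"^{LABEL}(\.{LABEL})+$")
SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_sections(text):
    """Return {section: [hostnames]}, keeping only well-formed sinkhole entries."""
    sections, current = {}, "unsorted"
    for raw in text.splitlines():
        marker = SECTION.match(raw.strip())
        if marker:
            current = marker.group(1)
            continue
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKS:
            continue  # blank line, comment, or a redirect to a non-sinkhole IP
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host in PROTECTED or not HOSTNAME.match(host):
                continue  # never re-map localhost; skip malformed names
            sections.setdefault(current, []).append(host)
    return sections


def build_hosts(text, disabled=(), allow=()):
    """Render a deduplicated hosts file, skipping disabled sections and allowed hosts."""
    seen, out = set(allow), ["127.0.0.1 localhost"]
    for name, hosts in parse_sections(text).items():
        if name in disabled:
            out.append(f"# [section: {name}] disabled")
            continue
        out.append(f"# [section: {name}]")
        for host in hosts:
            if host not in seen:
                seen.add(host)
                out.append(f"0.0.0.0 {host}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_hosts(SAMPLE, allow={"update.example.org"}))
```
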
    2. Re:To refine the question, with subquestions by niftymitch · · Score: 3, Informative

      This is getting harder and harder to do.

      If you do want to make progress invest in a Raspberry Pi
      and a WiFi USB thing. Perhaps two....

      Run the Pi and the laptop network hardwired together.
      Have the Pi connect to the WiFi of the coffee shop.
      A Pi can run a decent firewall and Squid proxy with one of many Linux
      distro packages. It is easy to reload the uSD card with a clean
      OS install. It is easy to remove the uSD card and inspect the
      system for anomalies.

      The second one... Install it as a VPN access point at your home network
      connection. The Pi in your home and the Pi in the coffee shop can contain
      shared secrets for a secure link that is harder to man in the middle attack.

      There are cooperating groups sharing curated lists of addresses and host
      domains that the Pi at home can slurp up and maintain.

      The mobile Pi WiFi USB thing can be replaced for ten bucks and
      some can have their MAC address randomized to look like yet
      another iPhone.

      I would love to see a product packaged like the Airport Express
      that would manage a firewall and VPN.

      It is also important to explore VM. A virtual machine
      can operate as a sacrificial OS. Copy the image
      start it, get work done, stop it and trash it.

      This is astoundingly difficult to do correctly.

      --
      Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  3. Re:Freedome VPN claims to do this by beelsebob · · Score: 4, Insightful

    Right - then you just leak information to the VPN host.

  4. Good luck ... by gstoddart · · Score: 3, Interesting

    > How Do I Reduce Information Leakage From My Personal Devices?

    You haven't been given the same tools on your mobile device as we have on desktops, because the ad revenue from mobile devices is what everybody most wants.

    The OS, and every app largely exist to track you and serve you ads.

    I'd be surprised if there was an easy mechanism, which worked on multiple devices, and didn't require a rooted device. Because this is precisely the kind of thing which isn't nearly as available as it should be.

    Me, I'm betting the OS makers have pretty much decided no way in hell you're getting that kind of control, and if they gave it to you malicious apps would use it to take over where your device really goes.

    Being able to control that is a two way street, and the portable devices don't surrender as much control.

    --
    Lost at C:>. Found at C.
    1. Re:Good luck ... by tepples · · Score: 3, Informative

      Disable Google Play Services and obtain free apps through F-Droid instead of proprietary apps through Google Play Store. Better yet, if your phone is supported, install a third-party Android Open Source Project (AOSP) ROM such as CyanogenMod or Replicant. I can't guarantee it'll plug all leaks, but it should stop the big one.

    2. Re:Good luck ... by gstoddart · · Score: 4, Insightful

      So, root it, build it from a kit, forego the apps you really wanted, and hope you can trust these 3rd parties.

      While technically correct, people generally don't wish to build their phone from a kit and have to take that level of control. Because it's a pain in the ass.

      I've pretty much decided I'll use Firefox with no javascript or cookies enabled for most of my browsing, I'll uninstall any app which is just a wrapper around content I can get from the web or which can't run in airplane mode, I'll mostly leave my wifi off, and when I used the native Google apps I just go "la la la". But for most people, that's not going to be acceptable either.

      Your solution? I'd probably just stop using the device altogether ... at a certain point in one's life, endlessly fiddling with technology ceases to be fun, and just becomes a chore.

      --
      Lost at C:>. Found at C.
    3. Re:Good luck ... by AlanBDee · · Score: 2

      CyanogenMod and Microsoft are getting a little too close for comfort. http://www.androidcentral.com/...

      However, the last version I used (6 mo. ago) was very nice if you didn't want to tie your device to Google. At this point for security conscious people, Apple might be the least horrible solution. I've also started to be less critical of Microsoft lately.

    4. Re:Good luck ... by castionsosa · · Score: 2

      There is a balance, but it isn't easy for most:

      1: Start with a decent phone that has an unlockable bootloader. HTC devices come to mind, as well as Google Nexus offerings.
      2: Install CyanogenMod, or a good base ROM with support. It doesn't hurt to donate some as well to said project. Gapps after that.
      3: Install XPrivacy if possible. This does an excellent job at stopping nosy apps cold.
      4: Install AFWall+. This is a last resort, but a solid defense at keeping apps that phone home from doing so.
      5: Enable mock locations, and set your GPS when on long trips.
      6: Get a good VPN service. I am a fan of VyprVPN because they had a good Linux booth at a recent convention in Austin. There are others as well. Or, you can set up one yourself on a remote virtual machine hosting service.
      7: Install F-droid and Ad-Away.
      8: For a web browser, I have found Dolphin pretty decent, and good at stopping some of the nastier stuff.
      9: Install Titanium Backup to back up apps and their data encrypted, then push them off to a cloud provider.

      Yes, this takes time to set up, but it works well, and takes very little fussing or upkeep to keep things working.

  5. Self Controlled VPN + DNS Forward with Hosts by xanie · · Score: 2

    I've gone the route of using VPN to my home network, and using a DNS Server with the Hosts file installed, effectively destroying many advertising links on my mobile devices. Unfortunately, it's not perfect, but I have ad-block in nearly every application on my iDevice now.

    --
    Fundamentalism stops a thinking mind.
  6. It comes down to VPN settings and tuning effort by Nonesuch · · Score: 5, Informative

    If you don't want to root your device and don't want to tunnel all your traffic to a VPN server (adds latency), you can use one of the Android "NoRoot" firewalls that routes app traffic through a local VPN for inspection and filtering. This uses more CPU and battery, but all protection is done within your mobile device. It takes a lot of manual effort to build a policy that blocks undesirable traffic and still lets apps work.

    You can tunnel your traffic to a commercial VPN provider, but now you are trusting them to maintain performance and not invade your privacy, and they won't have any visibility to the contents of traffic that is inside SSL/TLS encryption, for better or for worse (e.g. cannot inspect Android apps downloaded as APKs from SSL websites).

    Better yet, you can root the device and add your own Certificate Authority and firewall settings. Now you can use your own VPN to ensure all traffic from all applications goes to a remote VPN headend for inspection/modification, even traffic the device thinks is encrypted with SSL. If you have many users going through the same VPN, you can do things with packets and headers to make it difficult for CDNs and ad networks to identify individual users who are all behind the same gateway.

    If you have more time than money, you can build up a VPN headend with open source tools (e.g. Squid+SSLbump), and write policy to block traffic that doesn't meet your security policy, and to log what your device tries to send. You can use header modification to strip out identifying information and cookies.

    If you are a business or otherwise have more money than time, the expensive approach is to use a commercial firewall appliance that has a client VPN and URL filtering service (e.g. Checkpoint, Palo Alto, Juniper, F5, etc). You set up the VPN to send all your mobile device traffic through the firewall, and use firewall policy to decrypt SSL, inspect APKs, and block ads. This solution is very effective at blocking ads and undesirable network traffic, and can often detect or block malicious APKs and other attacks.

  7. Re:HHG reference by ihtoit · · Score: 2

    you've been to my house, clearly. Please turn off the light next time, hm?

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  8. got root? by tepples · · Score: 2

    You can't install it as an APK on your Android device because only root can write to the hosts file, and by default, only an Android device's manufacturer (not its owner) is root.

  9. Xprivacy by snarfies · · Score: 2

    1) Root your phone. If you don't have full control over your device, you have no chance.

    2) Install Xposed Framework (http://repo.xposed.info/)

    3) Install Xprivacy (http://repo.xposed.info/module/biz.bokhorst.xprivacy)

    Xprivacy doesn't block your programs from sending whatever they want to send - if you try to do that, most programs will crash. Instead, it feeds your programs completely false information. Boom, you win.

  10. Re:Recommended by Malwarebytes by amicusNYCL · · Score: 4, Insightful

    You know as well as I do that his software would be better received if he maintained a web site for it and didn't treat Slashdot as his personal advertising site. When he posts 30+ wall-of-text advertisements in certain threads then his reputation gets diminished a bit. He is, by definition, a spammer, so people can be excused if they don't want to use a piece of "security software" advertised by a spammer, regardless of who else hosts or recommends it.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  11. Re:My thoughts exactly by tepples · · Score: 2

    > Just install FC23 or whatever and be done with it.

    That's fine if you either A. own hardware compatible with Fedora (or whatever X11/Linux distribution for PCs) or B. were planning on replacing your PC anyway. Desktop compatibility is pretty good, I'm told, but laptop compatibility is not guaranteed unless it's from an explicitly Linux-friendly manufacturer such as System76.

  12. Here's how to do it by Artem+S.+Tashkinov · · Score: 5, Informative

    Here's my old comment verbatim:

    First of all there are immortal cookies (infinite cache entries created specifically for your unique PC). Secondly, there's a unique combination of your web browser + OS + fonts + plug ins: https://panopticlick.eff.org/ Thirdly, there are unique patterns in your behaviour (websites that you visit and how frequently you do that) and other wonderful metrics to trace you.

    If you want to avoid being traced and tracked there's just one way:

    • You buy a single time anonymous SIM card with Internet.
    • You go to some public place where there are no web cameras installed or you're not under their monitoring.
    • You browse the web using at least TOR, or even better a combination of VPN + TOR.
    • You use the most common computer OS (Windows 7 64), the most common web browser (IE11/Google Chrome or Mozilla Firefox) and the least number of browser plugins and extensions.
    • You do NOT login using Facebook/Google/Microsoft/Yahoo/etc. services, because these companies trace your presence on unrelated websites using various "Share Me" options.
    • You do NOT use Skype/WhatsApp/Vibe other apps.
    • You completely destroy your browser profile and this SIM card after you're finished.

    This is actually a recipe for browsing the web anonymously however this is the reality of the modern web - not to be traced means to be anonymous as much as possible.

    All other ways are only half measures. Or, like people have suggested, you may stop using the Internet completely. It should have long been renamed to a "Trackingnetwork".

  13. Brave might suffice your browsing privacy needs. by Qbertino · · Score: 2, Interesting

    Brave beta is just out. A project from the former CEO of Mozilla.
    AFAICT out of the box one of the safest and most private browsers around.
    Definitely a leg up from the usual suspects.

    --
    We suffer more in our imagination than in reality. - Seneca
  14. Re:Perhaps Not Simple but ? by omnichad · · Score: 2

    I have no idea what you are saying.

  15. Re:Brave might suffice your browsing privacy needs by Anonymous Coward · · Score: 2, Informative

    The last I read, Brave will inject its own ads. No thanks.

  16. Re:APK - hosts file engine by Hognoxious · · Score: 2

    You should have put the warning before the link. His finger got cramp before he reached it.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  17. Re:Perhaps Not Simple but ? by rtb61 · · Score: 2

    Best bet is for a firewall router to block all undesirable IPs out and in and this updated from the internet, with user interaction required. Trying to secure an OS from perv http://www.urbandictionary.com... OS manufacturer, is impossible, they can straight up go around any software blocks you put in and redo them every single update. So either drop the OS or upgrade to a secure modem router designed with the express purpose of blocking pervert corporations. Windows anal probe 10, specifically requires a redesign of the firewall router to keep M$'s prying eyes out of your system. You might very well need to check and approve or disapprove every single IP address the router firewall attempts to access. So the firewall reports back with a delivered page for each new IP access with a request for temporarily approve, allow or block, with details gathered about the site and presented, before access to the site is allowed.

    --
    Chaos - everything, everywhere, everywhen