Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: How Do I Reduce Information Leakage From My Personal Devices?

Posted by timothy on from the lead-lined-bag-and-a-memory-wipe dept.

Mattcelt writes: I find that using an ad-blocking hosts file has been one of the most effective way to secure my devices against malware for the past few years. But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own. And finding out today that Microsoft is, once again, bollocks at privacy (no surprise there) made me think I need to add a new strategic purpose to my hosts solution — specifically, preventing my devices from 'phoning home'. Knowing that my very Operating Systems are working against me in this regard incenses me, and I want more control over who collects my data and how. Does anyone here know of a place that maintains a list of the servers to block if I don't want Google/Apple/Microsoft to receive information about my usage and habits? It likely needs to be documented so certain services can be enabled or disabled on an as-needed basis, but as a starting point, I'll gladly take a raw list for now.

9 of 261 comments (clear)

  1. Simple by NEDHead · · Score: 4, Informative

    Never use an internet connected device

    1. Re:Simple by Anonymous Coward · · Score: 5, Interesting

      Yesterday, I was waiting while sitting in an airplane. I hadn't put my iPhone yet in "airplane" mode. The cell reception was next to non-existent. I turn on the music player and it gets stuck on the startup screen. Nothing I can do. I turn on airplane more, then it works immediately. It's not the first time I noticed this happen. Even just trying to listen to your own tunes Apple still makes your devices connect "home", regardless of how you disable any limited settings that may have an effect on this. Therefore,

      > Never use an internet connected device

      is accurate.

      That's just an example. Almost every program by Apple does that, as seen in the Activity Monitor on OS X. People like to rant on Windows 10 calling home, but MS is just learning from the experts ;)

    2. Re:Simple by Aighearach · · Score: 4, Informative

      Never say yes to an app permission your use of the app doesn't require. Generally this requires only using open source apps, and downloading the source and turning off extra permissions.

      Never require networking from apps that you don't want to phone home.

      Assume everything that can phone home, does.

      As to the complaint that MS's "privacy mode" isn't as private as some people wanted, it reminds me of Richard Feynman at Los Alamos complaining that otherwise-intelligent people thought that secrets were safe because they were stored in devices called "safes." Had they been called "locking cabinets that reduce the likelihood of access a little bit, especially by honest folks" or something else literal, they might have had less problems with secrets being stolen. "Privacy mode" isn't intended to make everything "private," it is intended to mask your pr0n access from casual examination of your browser history. But that isn't actually private in most cases, it is just web traffic and they could unmask you at the router anyways. Internet doesn't have a "private" option, if you want private you'll need a "private network." Internet is a "public network." It is like wanting privacy on the sidewalk; you can't have it. You can usually keep people from touching you, though.

      Ultimately if you want a private mobile device, you should be buying hardware, replacing the OS with something FL/OSS and only using a private network.

    3. Re:Simple by omnichad · · Score: 4, Insightful

      No, it appears to be reverse-trolling aimed at APK. For one, it links to a competing HOSTS file engine.

      And then the most telling, is this quote:

      But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own.

  2. Re:Freedome VPN claims to do this by beelsebob · · Score: 4, Insightful

    Right - then you just leak information to the VPN host.

  3. It comes down to VPN settings and tuning effort by Nonesuch · · Score: 5, Informative

    If you don't want to root your device and don't want to tunnel all your traffic to a VPN server (adds latency) , you can use one of the Android "NoRoot" firewalls that routes app traffic through a local VPN for inspection and filtering. This uses more CPU and battery, but all protection is done within your mobile device. It takes a lot of manual effort to build a policy that blocks undesirable traffic and still lets apps work.

    You can tunnel your traffic to a commercial VPN provider, but now you are trusting them to maintain performance and not invade your privacy, and they won't have any visibility to the contents of traffic that is inside SSL/TLS encryption, for better or for worse (e.g. cannot inspect Android apps downloaded as APKs from SSL websites).

    Better yet, you can root the device and add your own Certificate Authority and firewall settings. Now you can use your own VPN to ensure all traffic from all applications goes to a remote VPN headend for inspection/modification, even traffic the device thinks is encrypted with SSL. If you have many users going through the same VPN, you can do things with packets and headers to make it difficult for CDNs and ad networks to identify individual users who are all behind the same gateway.

    If you have more time than money, you can build up a VPN headend with open source tools (e.g. Squid+SSLbump)., and write policy to block traffic that doesn't meet your security policy, and to log what your device tries to send. You can use header modification to strip out identifying information and cookies.

    If you are a business or otherwise have more money than time, the expensive approach is to use a commercial firewall appliance that has a client VPN and URL filtering service (e.g. Checkpoint, Palo Alto, Juniper, F5, etc). You set up the VPN to send all your mobile device traffic through the firewall, and use firewall policy to decrypt SSL, inspect APKs, and block ads. This solution is very effective at blocking ads and undesirable network traffic, and can often detect or block malicious APKs and other attacks.

    --

    I do not deploy Linux. Ever.
  4. Re:Recommended by Malwarebytes by amicusNYCL · · Score: 4, Insightful

    You know as well as I do that his software would be better received if he maintained a web site for it and didn't treat Slashdot as his personal advertising site. When he posts 30+ wall-of-text advertisements in certain threads then his reputation gets diminished a bit. He is, by definition, a spammer, so people can be excused if they don't want to use a piece of "security software" advertised by a spammer, regardless of who else hosts or recommends it.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  5. Here's how to do it by Artem+S.+Tashkinov · · Score: 5, Informative

    Here's my old comment verbatim:

    First of all there are immortal cookies (infinite cache entries created specifically for your unique PC). Secondly, there's a unique combination of your web browser + OS + fonts + plug ins: https://panopticlick.eff.org/ Thirdly, there are unique patterns in your behaviour (websites that you visit and how frequently you do that) and other wonderful metrics to trace you.

    If you want to avoid being traced and tracked there's just one way:

    • You buy a single time anonymous SIM card with Internet.
    • You go to some public place where there no web cameras installed or you're not under their monitoring.
    • You browse the web using at least TOR, or even better a combination of VPN + TOR.
    • You use the most common computer OS (Windows 7 64), the most common web browser (IE11/Google Chrome or Mozilla Firefox) and the least number of browser plugins and extensions.
    • You do NOT login using Facebook/Google/Microsoft/Yahoo/etc. services, because these companies trace your presence on unrelated websites using various "Share Me" options.
    • You do NOT use Skype/WhatsApp/Vibe other apps.
    • You completely destroy your browser profile and this SIM card after you're finished.

    This is actually a recipe for browsing the web anonymously however this is the reality of the modern web - not to be traced means to be anonymous as much as possible.

    All other ways are only half measures. Or, like people have suggested, you may stop using the Internet completely. It should have long been renamed to a "Trackingnetwork".

  6. Re:Good luck ... by gstoddart · · Score: 4, Insightful

    So, root it, built it from a kit, forego the apps you really wanted, and hope you can trust these 3rd parties.

    While technically correct, people generally don't wish to build their phone from a kit and have to take that level of control. Because it's a pain in the ass.

    I've pretty much decided I'll use Firefox with no javascript or cookies enbaled for most of my browsing, I'll uninstall any app which is just a wrapper around content I can get from the web or which can't run in airplane mode, I'll mostly leave my wifi off, and when I used the native Google apps I just go "la la la". But for most people, that's not going to be acceptable either.

    Your solution? I'd probably just stop using the device altogether ... at a certain point in one's life, endlessly fiddling with technology ceases to be fun, and just becomes a chore.

    --
    Lost at C:>. Found at C.