127 comments so far with no mention of the partial solution described at the bottom of the article:
> take all the Play stuff and move it out of its tight integration with the low level system and into userland, where it can be sandboxed. That gives you back granular control over all the resources Play Services wants to use, and what data it and the app which use it want to send back. That's the approach GrapheneOS takes, a Pixel-only open source Android distro – OK, ROM – that by many reports hits the sweet spot of maximum control over security with minimal impact on the daily Android experience.
> Teamed with a second-hand last-but-one generation Pixel, GrapheneOS raises the seemingly oxymoronic possibility that the most data-tight and user-configurable mobile platform costs less than $200, has negligible environmental impact, and is powered by the data ogre Google itself.
> It doesn't matter how badly the FBI, NSA, GCHQ or the dictatorships behave, they can't have your data if you never send it. You'll still have to take care of what you do online and how you do it, but at least you can build that castle on a halfway decent rock.
Yes this is the option striking the best balance of function and security which I have been using for over three years. I have tried other custom operating systems and debloated carrier provided devices, but Graphene tops all the options IMO.
The baseband could be exploited for targeted surveillance. First they would need to identify your device. If your device is anonymous and you carefully use your SIM for data only, identification is difficult.
Brave and patient folks are working on Linux handsets such as Librem and Pinephone that have fewer attack vectors. I hope to switch to one of those when my Pixel stops receiving updates.
Don't forget about your cellular provider. They can always easily triangulate your location. And if they know where it is at night, almost every night...
The more important piece highlighted by your comment is "Why should we have to?" They're the one committing crimes, in pursuit of hypothetical crimes we're not committing, and also with very little evidence that what they're doing even helps.
This sounds like the mindset adopted by folks who accuse others of "victim blaming" (not saying that you accuse folks of this!)
"Why should you have to avoid dark alleys? No one should be mugging you"
"Why should she have to dress modestly just because men can't keep it in their pants?"
An ideal world would be great, and it's awesome to fight for an ideal world.
But until that world arrives, it's prudent to take steps to protect yourself. That's why you lock your car after parking it.
Get a phone case that lets you have an NFC-capable credit card in the back? Not exactly the same, but might be good enough. (I do appreciate the advantage phones have; you have to unlock the phone first, NFC is not always active.)
Are there other trustworthy distros for older non-Google Android devices? I remember checking out the space half a decade ago and it was dismal. I.e., may brick your device, may be malware, may have worse security issues, etc.
The problem with older hardware is that all the phone kernels are such piles of kludges, and once the manufacturer stops maintaining the kernel fork and/or binary driver blobs, you get no security updates for wifi/bluetooth/baseband bugs.
I gave one to my sister, mom, and tech challenged partner. They love them. The area that required help was coaching them on operational security by picking better apps/networks and maintaining their firewall settings properly.
Waco is more an example of the FBI doing something it should have been doing, but doing it incompetently. Which is certainly a discussion to have, but intervening against the Branch Davidians seems well within the mandate of law enforcement given what was going on there. It shouldn't have happened the way it did, but that doesn't mean the ATF or FBI were over-reaching.
I think the ATF has a much higher incident rate of over-reach than the FBI, the FBI tends to create their own crimes by "infiltrating" non-violent groups, then making them into extremists, providing them with a plan for a crime, then arresting them before they carry out the FBI informant's plan...
ATF however tends to just rewrite regulation based on political goals, and then use their new regulations to make people felons, then respond to these new felons with extreme violence.
Ruby Ridge, Waco, and many other famous cases like them were all started by the incompetent ATF, not FBI.
ATF routinely violates the civil rights of citizens and business owners, openly and without remorse. Personally I think Waco would have turned out far differently if the FBI was the original agency going after them. The FBI only came in after the ATF royally fucked everything up, as usual.
I'm mad too because, look six weeks ago. The FBI declared "radical-traditionalist Catholics" to be a potential enemy to infiltrate, develop tripwires for, and put under surveillance. Even more ridiculous was that it actually attempted to define the term by internal theological opinions (do they like the Vatican II council from 1965? Do they accept or reject the Pope?).
Now, one doesn't need to be a fan of far-right or "radical-traditionalist" Catholics to think that this is an absurdity. When is the last time you've heard of a Catholic bombing a plane? The memo itself had not one incident listed, but said that it was a preemptive action (literally no history of violence listed, but they could be!!). Merrick Garland announced after the leak that the memo was atrocious and would be deleted immediately and rushed to declare that the memo did not meet FBI standards and that the FBI would not investigate 1st-amendment protected activities - but nobody's going to face consequences.
And to top it all off, it used the SPLC (Southern Poverty Law Center) as a source and got away with it, even though the SPLC is blocked as a source in the FBI due to bias concerns. So it's OK to use blocked sources if it's the right motive. What the heck...
The second you grant government agents rights and privileges not given to the general population, and then on top of that provide them immunity from just about all accountability both systemic, and individual you have the makings of Tyranny...
As the saying goes, the road to hell is paved with good intentions, and we have had plenty of "good intentions" granting both federal and local police ever increasing power, and ever decreasing accountability.
Total armchair hero here, even with accountability tyrannical behavior is still persistent, because at the end of the day you still have to go and actively put your hands on people. It's reminiscent of how DRM is always circumvented because it's inherent that the content must at some point finally be revealed, and how immune cells inevitably kill the occasional normal healthy cells.
The Waco incident obviously had a less than ideal outcome but actually I’m a huge, huge fan of the fact that someone went after a compound of militant child-enslaving rapists.
Kind of weird to put it here as an indictment of the FBI.
I think you can both support going after "militant child-enslaving rapists" and disagree with the methods they chose in Waco...
To move it away from a politically charged event like Waco, generally the police have a habit today of creating more violent situations, often under the guise of "officer safety" when in reality it is "street justice" they are after.
This suggests that "going after" the compound was not really about the welfare of any children. They could have hardly performed worse in said child welfare unless they had made an itty-bitty Dachau and ran the kids through it.
The problem with law enforcement in pretty much any country and with the intelligence services in particular is that they tend to see everyone as a suspect and the group think perspective is that the means justify the end.
And most of the time oversight of these agencies is a joke. Unless a director and its subordinates actually do jail time for what they did, just maybe firing them is a slap in the face of the victims.
The problem I see is, that there is no personal responsibility for anything.
A cop beats someone, plants drugs, FBI does an illegal search, CIA trains a future terrorist and people die, etc...
The "best case" that can happen to victims is, that taxpayers cover some costs, and that's it.
For every action, there is a field worker, a chain of command and someone paid to give commands and take responsibility for that. If those people ended up in jail for everything illegal they do (as do all the other people in other industries), the world would be a lot nicer place.
There are several challenges with this: first, courts have adopted the concept of “sovereign immunity” that shields government personnel in most situations. Next, prosecutors usually have a very close relationship with law enforcement and are generally reluctant to prosecute (although there are some that seem to delight in it, different problem).
Finally, we have a judiciary that in general is very deferential to law enforcement (again there are some exceptions but the rule holds).
I think that there are two cultural aspects to the whole law enforcement apparatus that are undesirable: first, that they are a closed brotherhood and have to always take care of each other, and second, that it’s “us against them”, e.g. that LE is adversarial to the general populace.
For most of US history the armed forces have tried to stamp out these ideas in our officer corps, trying to walk the fine line of encouraging obedience to superiors while emphasizing personal responsibility and ethics. Not always successful but a serious attempt to establish and maintain a culture that avoids the toxic aspects that we see in LE culture.
> If those people ended up in jail for everything illegal they do ...
Are you and I included in "those people"? The problem is the western legal system. People don't understand what's illegal. We can't require people to be lawyers just to have a job.
I’ve got curve 25519 inked on one arm, a stylized “citizen four” on the other, and little else (a Galois quote).
My opinions on this are no secret.
But I don’t see a solution or even mitigation at lower cost than the benefit. It’s just too easy for mediocre technologists with a mandate to do effective surveillance.
I’ve adopted a policy of transparency so extreme that surveillance is a non-issue, and that’s a privilege. I live in a jurisdiction where the authoritarian ambitions of the state are still merely ambitions, and I understand that not everyone has that luxury.
For people really against the wall on this, political dissidents in an authoritarian state, there are ways to be hard as fuck on cryptography and privacy, but it’s a lot of work and you only need to make a mistake once. And that sucks.
The real answer feels like a fantasy but it’s always worth remembering the fantasy: stop capture, the fungibility of wealth into political power, and the ability to inherit legal immunity as well as a mansion.
"Or you can buy a top brand like Samsung, if you're happy with the bloatware and the recent deal with Meta – details not revealed, but it's safe to assume Zuck's hummingbird will be slipping its tongue into your sweet data nectar somewhere along the line. That may not end well."
It doesn't mention Samsung's cloud backup, which is enabled by default. It stores EVERYTHING from your phone on a server in South Korea. (This includes the contents of the removable uSD card, if one is present.) I'm sure the NSA loves this.
Alexander Acosta, the US attorney who let off Jeff Epstein, reportedly did so because he was told Epstein "belonged to intelligence". Turns out Epstein was an FBI informant.
Just yesterday on the pro-cashless WSJ article comments someone mentioned the FBI was a bad actor, and everyone jumped in saying there were so many rules added after JER that something bad would never happen again. Sigh.
My perspective is this, and disclosure: I've been working with the FBI on numerous occasions. The FBI is a large organization of around 35 000 - 40 000 employees with 50+ field offices.
The FBI's mission is to uphold the Constitution and protect the U.S. from foreign intelligence, espionage and terrorism. Note that the U.S. population is ~ 332 million right now.
I think the FBI's dilemma is "damned if you do, damned if you don't", constantly having to find the right balance with regards to "what is too little, what is too much?".
There is also the classic services-dilemma of.. if you get attacked.. everybody will yell "where was the FBI??". If an attack is stopped in its tracks the majority of times you won't even know about it.
Another (equally flawed) take on the FBI is that its main job is serving as the enforcement arm for the organized white-collar crime cartel known as Wall Street. This is supported by the fact that so many FBI executives get lucrative jobs on Wall Street after they retire, and that very few executives are ever prosecuted or investigated for criminal behavior (see 2008 subprime fraud - in contrast, Iceland sent 39 bankers to jail over that).
A nice case example is the HSBC drug cartel laundering scandal, in which HSBC laundered $2 billion in Central/South American drug cartel money and yet no one in that organization ever served prison time for it, due to decisions made by the FBI and the US Justice Department. Indeed, James Comey (later FBI head) got a job as an HSBC consultant.
However, if we didn't have some kind of federal legal enforcement system, then American corporations would start acting like drug cartels, e.g. if Goldman Sachs could steal from JPMorganChase without any consequences, then JPMorganChase might retaliate with violent attacks on GoldmanSachs offices (which is how cartel wars play out in Mexico, and see also alcohol prohibition in the 1920s).
The problem is that the FBI doesn't limit itself to legitimate law enforcement issues, but also tries to manipulate and destroy political movements that are not aligned with the interests of Wall Street, the military-industrial complex, and their corrupt Washington politicians, using illegal surveillance and infiltration tactics, etc., rather like the Gestapo/STASI outfits in German history.
> There are four major classes of threat vector in your phone. Hardware, OS, apps and malware.
I would correct this as hardware, OS, Apps (including malware), and external systems including carrier and destination sites.
In my opinion, when it comes to data flow, there is little to no distinction between apps and malware. On the other hand, the carriers do collect both meta and data about activities, so do the other end of most communications.
I am also uncomfortable with not dwelling in to this vector. It is very much akin to "just use Private/privacy/Incognito mode when browsing". It may take care at the device, but nothing outside of the device is protected. APTs often pick their target based on external data availability.
"A fundamental vulnerability in the Network Processing Unit (NPU) chipset has been uncovered recently, which can be exploited by attackers to eavesdrop on data transmitted over a wireless network, affecting over 89% of real-world Wi-Fi networks." [0]
Yeah, in the discussion about privacy, most of it centers on the social networks and the OS, but dishearteningly leaves out the cell carriers and the internet providers. I'm sure AT&T, Verizon, and Comcast, et al. love this. They're flying under the radar, and I'm convinced that data is a lot of what organizations like the FBI are buying, so that Facebook and Twitter can claim they aren't giving them that data.
They've broken trust and should lose all access.
There's no real alternative to Google Wallet for this that I'm aware of in my part of the world (Australia).
Ruby Ridge. Waco.
The FBI hasn't "gone rotten" recently; they've been like this for quite some time.
The FBI's history of over-reach and wire-tapping goes back to the 40s and was well-known [even in the mid-80s](https://en.wikipedia.org/wiki/List_of_FBI_controversies).
https://www.wsj.com/articles/fbi-catholics-traditionalists-r...
It's a genuinely unsolved problem from antiquity
was the article even remotely suggesting this?
This is all my own opinion.
Nice dream right?
https://technofog.substack.com/p/confirmed-jeffrey-epsteins-...
Or there was that time the FBI found links between the 9/11 hijackers and Saudi government. Which they promptly covered up.
https://archive.is/20230115173049/https://www.nytimes.com/20...
It's more "tutted at if you do, damned if you don't", so they are strongly incentivised to do.
[0] https://blog.apnic.net/2023/05/29/mitm-attacks-in-public-wi-...