Reality of FOSS projects...A conspiracy?

KEY POINTS SUMMARIZED

1. FOSS is NOT necessarily anti-tracking, anti-analytics or anti-surveillance. FOSS isn’t the solution if these things are what you want. FOSS ‘may’ free you from Google, but not necessarily from tracking.

2. FOSS platforms CAN have contributions (in the form of apps) from large corporations (like Google, Facebook, etc.) or intelligence agencies. App developers are often anonymous, and there is no assurance that they aren’t working for a large corporation, intelligence agency or even a hacking group.

3. Apps may be masquerading as open source, when it is quite possible that only some of the libraries used in the app are open source, and there is hidden code within the app that isn’t actually open source.

4. There is no accountability/ audits for FOSS platforms. While they may make the platform available with good intent, there is immense scope for the same to be exploited.

5. If tracking and surveillance is something that you want to seriously avoid, there is ONLY ONE WAY: don’t use gadgets and stay away from the internet.


I guess most users in this forum are those who are looking for ANTI-TRACKING solutions. Some, including myself, are quite happy with Google products and services. The reason being the benefits outweigh the costs, and more importantly the fact that there is no clear understanding of what these costs are, or to put it differently, what risks are associated with so-called costs.

I believe, in the absence of convincing explanations, the risks are overstated and much of the paranoia is based on hypothetical situations/ circumstances. You can’t have meaningful output without an input. A doctor can’t prescribe correct medication if you don’t tell him/ her the problems correctly. You have to let go of privacy if you want to solve a problem.

Having said that, I won’t be surprised if Google, Apple, Microsoft, Qualcomm, Intel, AMD, etc. (who essentially cover the major OSes and hardware all over the world, and are used by more than 90% of the world population) are all companies run/ monitored by intelligence agencies. A country’s military (or surveillance system) is estimated to be about 20 years advanced in terms of technology (I read this somewhere) compared to what is available commercially/ publicly. They have the tools/ technology to bypass security systems known/ available commercially. So while we may think that we have a foolproof security system in place, it could well be just a false sense of comfort. If you are online, you can be tracked, you can be monitored.

Most people in this forum are NOT anti-Google. Instead, they are anti-tracking. Google is just one company that tracks you because of its business model. Going Google-less may actually mean little, if your intent is to avoid surveillance. Open-source projects, VPNs, etc. may just be adding a layer or two to make it difficult to track you, but then none of it is foolproof.

I strongly think that many of the open-source projects could well be products of intelligence agencies or even corporations like Google itself. It is just that they are marketed in a way to make you believe that you are free from tracking/ Google. The reality could be far from it. Even if the code is available for audit, we have to remember:

  1. No one (reputed and reliable) is auditing it CONTINUOUSLY.
  2. The tools and technology known/ available commercially are not enough to track code that is built in using technology that is way more advanced than what is commercially known/ available.

This might sound like a conspiracy theory, but this could well be true.

Also, many apps are often touted as open-source to mislead users. Apps often have closed-source code, but may include a few open-source libraries, and this aspect is misrepresented to give the impression that the app itself is open-source. So this is another thing one must keep in mind.

What do you think?

6 Likes

ARE PRIVACY CONCERNS OVERRATED?

The single most important, most debated subject of being online - privacy and security.

While security is undisputed, the privacy aspect is disputed.

So what exactly is the concern? As normal people in normal professions (which is easily more than 90% of the population), is there a need for worry?

For a long time since I started using smartphones, I had a natural inclination towards remaining anonymous and private online. I would always use incognito browsing for everything I do online, never create an account with a service as much as possible (e.g. I would watch YouTube videos without signing in), etc.

With time, I began realizing that I am actually missing out on so many interesting things that matter to me, and much of the content that would interest me would be made available to me without much effort using machine learning and artificial intelligence, an area where huge investments are being made.

So slowly I started accessing content and using services with my Google account. Over time, everything from Google feed to YouTube videos was showing me content that I am interested in, and sometimes they were so intelligent that I have been amazed with the whole technology that is at work. Surely, you cannot expect a doctor to give you the right prescription without giving him complete details about your problems. You can’t talk privacy there. So unless the system learns what you like and what you don’t, there is no way it will present stuff (including ads) that will be interesting to you.

With that said, why are we overemphasizing this aspect of our lives? Is the privacy lobby inflating the privacy problem more than is necessary? Especially since much of what Google learns (according to them) about you is private, and only you can access/ control it, and also because the open-source alternatives are overrated. I say overrated because there are no audit reports (from trustworthy audit entities) available. Their code may be available for audit, but is there a trustworthy source that is actually auditing them? Are the platforms where they are available being audited? So the issue of privacy and security applies to these platforms too, and more so because they aren’t scrutinized as heavily as Google products and services.

As far as more personal info is concerned, like location, age, gender, searches I perform, accounts, mobile number, etc - Google already has all those because I provided them with much of that info when I created my account. Sure, one can always provide fake info for some of them. But if you use ‘Find my Device’, you are pretty much giving away your location to Google REAL-TIME. While this can potentially be misused, how else is Google supposed to help you if you were to lose your device? Mobile numbers and email addresses are necessarily required to be correct because they are needed when you are locked out of your account. They are the only means to get your account back.

While I am a strong proponent of privacy, I also feel that too much is made out about a lot of stuff that isn’t really something to worry about. That stuff is essential to get the service we expect in return, in other words, putting technology to use.

That said, it is still important not to give anyone a free hand over data, and there have to be several layers of checks and balances, and accountability for safeguarding and using them.

All that said, my current position is this. Make the best use of the technology at hand, because if you don’t provide the necessary inputs, there cannot be a proper output.

As for some things that we do online which we might want to keep completely private, use a non-Google browser (like Firefox Focus or DuckDuckGo) in incognito mode with the DuckDuckGo search engine. An even better alternative would be to use a dedicated device with its own SIM.

2 Likes

The point of free software is “the four freedoms” a.k.a. the freedom to inspect, share, and modify the software running on your hardware. Privacy, security, tracking, ads, etc. are secondary concerns. Anyone who told you free software is “about privacy” is sadly misinformed. The free software movement came about 40 years ago when a man wanted to fix a printer.

Personally I am not “anti-Google” in as much as I am anti proprietary software industry (Google, Apple, Microsoft, etc. included). I’m not so much “anti-tracking” (I actually think there is actual or potential FUD about “tracking” in the privacy community (e.g. people don’t really distinguish between helpful tools like loggers and crash reporters from adware and analytics libraries)) but privacy and security are more complex than “just use privacy-oriented FOO instead of regular FOO” or “just scan FOO with this magic tracker detector.” If an intelligence agency is after you then you need to do far more to protect yourself.

As for your allegations that there may be spyware hidden inside free software, until you name names that is nothing more than FUD. If you have actionable proof of such please show the evidence. As far as I am aware, every time a major free software project has been shown to have spyware (e.g. Audacity) the community has reacted appropriately.

There have been intelligence operations against “privacy conscious” individuals, such as the ANOM operation, but I don’t know if these involved free software. The ANOM device was a locked down Android device with a backdoor that, importantly, none of its users/targets could inspect or modify. I’m also reminded of this analysis of how the FBI infiltrated the plot to kidnap the Michigan Governor in 2020 - they were all using encrypted messengers, right? But they had an FBI mole in their midst the entire time, so no privacy-oriented knick-knacks could save them.

5 Likes

Re. your second post, I think this assumes that such “services” are desirable or necessary for the user or for humanity. You mention the Google/YouTube algorithms for example, and I disagree with that assumption. I don’t trust mysterious algorithms to always provide the best results or to have a positive effect on the community; I am often disturbed when fellow users are advised to “just use Google” to find an answer instead of answering it or even pointing towards an FAQ. You don’t know what the algorithm will give you or the person you are suggesting that to, you are just blindly trusting it.

The YouTube algorithm in particular has been known to be problematic and still is in 2021.

4 Likes

I don’t think one could say the entire open source community is a conspiracy, but I believe it remains true that many of the people governments around the world find, shall we say, troublesome are members of the open source community or otherwise users of open source software. It is therefore obvious that open source software is a target of nation state backed saboteurs working to undermine security in open source projects.

We’re talking about government agencies with near limitless resources at their disposal who have trained agents capable of fooling the most sophisticated counter-intelligence methods in the world. If a Russian agent can infiltrate the CIA or an American agent can infiltrate the BND, what chance does a ragtag band of like-minded open source volunteers have in identifying an intelligence agent in their midst?

As demonstrated by researchers at the University of Minnesota, it is possible to introduce known security vulnerabilities to the Linux kernel by concealing them over a series of submissions and spreading them out over multiple areas of the kernel. Individually the submissions pose no threat, but when combined they produce vulnerabilities.

UMN was banned from contributing to the Linux kernel over this, but the truth is there’s nothing the Linux or open source community can do to combat this type of attack. The resources required to successfully defend yourself from nation state backed saboteurs are astronomical. The wealthiest, most advanced and capable organizations in the world cannot successfully prevent infiltration.

This is hardly limited to the open source community. If they can infiltrate the GRU what makes you think they can’t infiltrate Microsoft or Google?

In conclusion, I do not believe Linux, Windows, Android or iOS are government sponsored trojan horses, but I’d be fooling myself if I thought nation state backed organizations around the world haven’t been meddling with them.

P.S. If I were a betting man I’d guess Google, Apple and Microsoft are positively teeming with nefarious actors. Not all of them playing on the same team either.

That doesn’t mean I think you should throw in the towel. If they’re trying to hang you make them work for it.

3 Likes

The point of free software, as per your link, is a very noble idea. But without a revenue cum profit stream, I don’t see why someone would invest (both time and money) in such solutions.

Personally, I’m neither against paid solutions, nor am I against proprietary solutions. Every maker has the right and freedom to determine the price of his creation. However, I am completely against locking down products after the sale! In other words, I am strongly in support of the Right to Repair movement, which is trying to stop large corporations from owning the products they have already sold. The large corporations should know that they have ‘sold’ the products, and not leased them for a perpetual revenue stream.

I’m not alleging that spyware is hidden inside all free software. I’m saying that such a potential exists and can be easily exploited. Intelligence agencies and large corporations may easily infiltrate FOSS projects and platforms like F-Droid with their own apps disguised as open source, that cannot be audited properly with the ‘dated’ tools and technology that these platforms have.

I’m aware that intelligence agencies may plant their own men among criminals to keep track of what they are planning to do. But that is just one way to do it.

But as I described in the OP, the technology and tools available with intelligence agencies are way superior to what is publicly available, and more importantly much of it is unknown too. So while we may think that the current encryption technologies are fail-safe, they may actually not be so for the intelligence agencies. They may be able to break into the encryption much faster and easier than we think they can.

As for the 2nd post (or 1st comment), it is true that the services are ‘desirable’, though not necessary. Algorithms can be manipulated to feed someone with content that ‘they’ want them to know, or be brainwashed into knowing. I acknowledge that after a point, they have the ability to influence the way one thinks and acts. So it is always advisable to use such services in a very limited way.

3 Likes

I didn’t imply all of the open source community. Maybe I should have worded my post better to remove ambiguity.

The post only refers to the possibility of apps, or even platforms being actually funded or even founded by intelligence agencies or large corporations themselves.

And platforms like these are more of interest to the surveillance systems because those who come here are usually ones who don’t want to be tracked. While there may be completely genuine (or nothing illegal) reasons for doing so, such platforms are often also used by members who are often ‘persons of interest’ for governments/ intelligence agencies.

The open source community isn’t as funded as large corporations. So they are easy to break into.

2 Likes

Any app, corporation, person or organization bears with it the possibility of being more than meets the eye. There are no safe spaces or obvious indicators, you just have to roll the dice and hope for the best.

It’s dangerous out there. Just getting out of bed in the morning you put yourself at risk of tripping over the shoe you left in front of the staircase in your drunken stupor the night before, taking a nasty spill down the stairs and breaking your neck, but you can’t live in fear.

No matter what happens, you’re going to die sooner or later, might as well make the best of the time you have.

“The force, more than ten times the size of the clandestine elements of the CIA, carries out domestic and foreign assignments, both in military uniforms and under civilian cover, in real life and online, sometimes hiding in private businesses and consultancies, some of them household name companies…”

“The newest and fastest growing group is the clandestine army that never leaves their keyboards. These are the cutting-edge cyber fighters and intelligence collectors who assume false personas online, employing “nonattribution” and “misattribution” techniques to hide the who and the where of their online presence while they search for high-value targets and collect what is called “publicly accessible information”—or even engage in campaigns to influence and manipulate social media. Hundreds work in and for the NSA, but over the past five years, every military intelligence and special operations unit has developed some kind of “web” operations cell that both collects intelligence and tends to the operational security of its very activities.”

1 Like

Absolutely. And that is the point of the OP.

Most users seem to think FOSS is the solution. But it could well be the unknown angel that is worse than the known devils.

1 Like

I agree, many people think that FOSS is the solution, but it’s not really any less likely to be compromised. Although I wouldn’t say that commercial is better or worse. My guess is, and this is just a guess, that one may be better in 2021 while the other is better in 2023 only for the whole thing to flip again in 2024.

So, in that respect, you’re probably best using a mixture of FOSS and commercial and, if you don’t mind the hassle, changing it up periodically. Maybe using Windows in December and Debian the following March then Fedora combined with the Brave browser then Firefox followed by Vivaldi.

I guess if you’re being targeted specifically the idea might be that it takes time to find, craft and exploit vulnerabilities. By the time they’re ready to attack your Windows system you’ve moved on to Debian. Of course that’s a pretty big pain in the buns so, you know, how much are you willing to affect your quality of life I suppose.

At any rate, no level of code transparency, secrecy, oversight or security measures will ever keep you safe from prying eyes or nefarious actors. What you want is a world where you don’t need address space layout randomization, 2048-bit encryption or trusted platform modules because no one is trying to steal your information or silence your dissent.

We’re not really allowed to talk about that though.

2 Likes

In my opinion, you are talking about something that you don’t even understand yet, because this point is currently running in the background. You are talking about the benefits being higher than the costs. Yes they are, but only because you do not bear the costs. That will be subsequent generations, which will have to live extremely limited lives due to your views. You completely disregard the consequences that this data collection will bring. You can already see what the future will look like in China, where whole ethnic groups are ethnically excluded by algorithms, just like individuals. And the fact that they want to go in the same direction here shows how envious the West is of China’s digital possibilities. Or also how Western IT companies repeatedly try to act against their users. Taking two steps forward and then one step back. Open source is not perfect but the best way to show alternatives…

Translated by deepL

1 Like

When I surf through online forums, I find that people consider FOSS as synonymous with anti-tracking, anti-analytics, anti-surveillance. This is an incorrect and highly misinformed view…

The point of the OP is just this: FOSS is just as risky, probably even more, than traditional solutions from large corporations like Google. Unless you personally know the developer, the app you have installed is very much capable of doing the very same things that you wanted to avoid by coming to such platforms.

Continuously switching platforms is an impractical suggestion.

If the nature of your work is such that you have to stay away from surveillance, there is only one solution: Don’t use any gadgets or technology. Relying on encryption, TOR, VPNs, etc. won’t save you.

1 Like

You have just done that: a vague comment with no specific, supporting, convincing arguments.

If you had read through the comments, I had said this. Algorithms can be manipulated to influence the way people think and act. So they carry the potential to make one dumb and misinformed. Technology can be used to propagate a false narrative of vested interests.

So people must use them in limited ways and not rely on them completely. Staying away from them isn’t ideal either if you want to be competitive and informed. People must have a clear understanding of risks and must not assume something is safe just because it claims to be ‘free and open source’.

I agree with you there, of course. Blind trust is never good. However, it must be emphasized that open source stands for principles that are generally accepted as good. Certainly, the partial lack of support or manpower carries risks. However, nowadays, as much as I don’t like to say it, we have to weigh which risks have the greater consequences for us. And in this weighing, open source software generally performs better. Because sooner or often later, it comes out that code was compromised. With open source code, you at least have the possibility of control, even if very few are able to do so. With your argumentation, you give up this crucial advantage. If you want the appearance of security, you should generally stick to projects that have a broad community.
Open source software is not used for nothing in almost every aspect that surrounds us. Closed systems have no future. As they are an island built on dependency and pseudo-security in an open sea that will be flooded. This is illustrated by the theory of the metaverse :rofl::rofl::rofl::sunglasses:

Translated by deepL

1 Like

A lot depends on whether you are likely to be a target or not. Did Seth Rich ever believe his cell phone location was being tracked by a hit team? Did you know you can turn location services off all day long because all anyone really needs is your phone’s EMEI number to track you?
Speak publicly about a controversial topic, attend a demonstration, blow the whistle on corruption on Facebook or Twitter and all of a sudden you are a target for surveillance. Does anyone really think that guy in Afghanistan was hit by a drone strike because they thought he had a bomb in his car? Why would anyone fire a Hellfire anti-tank missile at a car parked at a house in a residential neighborhood if they thought there was a bomb in it? Only callous psychopaths who have no regard for human life could do that and they are doing that kind of activity routinely in other countries because they are callous psychopaths. We will never know the real reason why that guy was targeted but you can be sure that he was being tracked by his cellphone. No one believes they would ever do that here. Right.

1 Like

anyone? That statement reads as hyperbole. How/when is one’s EMEI leaked, and to whom?

This crossed my mind when shopping MVNO sites recently. Some of 'em claimed a compatibility lookup was not possible (or was indeterminate) based on a device model number & demanded “To check, enter your EMEI”. Other sites just reported based on model# (after performing a client-side API call to an ultramobile.com database) and offered an XX day no hassle refund in case things (compatibility, local signal strength) don’t work out.

Yes, for a given model#, some devices may be carrier-locked. However, even if schmuck doesn’t sign up, the MVNO and partners gain a fresh (ostensibly salable) EMEI+IPaddress (+HTTPRequest metadata) fingerprint.

my belated, considered, response to this nebulous question:

The loss of, or perceived loss of, personal agency.

(search engine bubbling… discriminatory pricing, based on profiling [amazon]…)

1 Like

That’s true. I made that clear when I said for most people (over 90% of the population).

Didn’t find anything called EMEI. So I guess you meant IMEI.

1 Like

Unsurprisingly, all tech companies that control the hardware (particularly chips) and software are US companies. They like to collect data on everyone. No wonder China built their great internet wall.

1 Like