Reality of FOSS projects...A conspiracy?

As a custom ROM developer, what is your motivation behind developing AND maintaining a free software? This is not a question specifically to you, but one directed at developers in general.

Also, it is one thing to note/ discover something by chance, and completely another to do a thorough audit, more importantly a continuous one since we have many instances in the past on how either developers had gone rogue, or they sold their product to a rogue, or their platforms were compromised, etc.

“to break away from Google tracking just buy google hardware, signaling Google that tracking is fine and users want more tracking”
“sandbox, security, etc etc etc, they are great…no, you can’t use them since you can’t control the software”
“netguard, afwall - don’t work, don’t try”

Great article, useless article.

What is your suggestion then?

A conspiracy?

Words and communication become worthless if we use words carelessly. “Conspiracy” should be changed to something else in your OP.

(Conspiracy legal definition of conspiracy)

None of your “Key Points” alleges any sort of illegality AFAIK. Therefore, you should change the title of your OP.

The real privacy conspiracy: I wanted to link you to an interview of Nicholas Merrill where he explains how the US government’s Patriot Act was unconstitutional, and would be found to be so by US’ courts, if not for legal maneuvering to keep any cases from getting to the Supreme Court (and because few people are willing to stand up for their constitutional “rights”).

However, Youtube/Google again would not grant me access, without surrendering my anonymity (Tor Browser).

So it’s up to you to get G’s help finding it if you wish.

As with some things that we do online which we might want to keep completely private, use a non-google browser (like Firefox Focus or Duck Duck Go) in incognito mode with Duck Duck Go search engine. An even better alternative would be to use a dedicated device with its own SIM.

You are mistaken if you think “incognito mode” is all it takes to be private. It’s obvious you have not even read (or understood) what mozilla says about what incognito mode does and does not do. From everything else (TL;DR), it’s surprising you don’t think DDG is a fake front for Google. It could be… As for another device with another SIM, are you actually trying to give bad advice here?

1 Like

Dunno, better advice in line with reality (or Pixel availability, or price)?

Solutions for users that can’t unlock?

Solutions for users that don’t have one of the supported 6 (six!) devices, but can unlock?

You already know what I mean…

Key points that were summarised are about the post itself, which was subsequently elaborated and discussed. Therefore, there is no need to change the title.

That’s true, but incomplete. Words and communication can appear worthless when the reader isn’t understanding them too.

In your own words:

It could be. Just as F-Droid could also be one such front…In which case, this is indeed a ‘conspiracy’. So by definition (including the link you quoted), the term has indeed been used correctly.

I’m not. I’m fully aware of the limitations of incognito browsing. The reason I mentioned it is to keep that particular activity separate from the normal stuff, to minimize tracking. Also, all that is for people who have hardly anything to lose if those activities were to be actually discovered by someone else, which in other words mean that there is nothing ‘illegal’ about it.

No. Why is that bad advice? That suggestion is indeed a way to beat device fingerprinting.

1 Like

Thanks. Sorry for being abrasive. My interactions ever since that merge-request with the community have been bitter-sweet. For ex: https://archive.is/H7BPd (on reddit, albeit)

Interesting. For what reasons, if I may so ask, especially when PrivacyInternational and ExodusPrivacy continue to endorse it? (:

Apps downloading stuff is as much a threat, since most 0day exploits are “downloaded” onto the device.

Android’s sandbox is as good as its permission model (TOFU aka trust on first use), which has been repeatedly exposed and abused. At least it isn’t the nightmare that Windows once was, especially given Android is installed on 3B+ devices world-wide, a scale Windows never reached.

Exfiltration of data (aka uploading without consent) is a concern, but you’d need a good firewall in place and continuously monitor traffic. For me, app-level monitoring doesn’t work. What works is blocking all TCP/UDP outgoing connections by default except the ones I allow (note: Exfiltration could also happen over IPSec/ESP, ICMP, and DNS; so the attack surface is really beyond the scope of most firewall implementations).

Yes, and you do not even need root, I believe. AppManager on F-Droid can help “firewall” intents and exported components in various apps (like activities, receivers, services, and content resolvers).

Depends on your threat model, really. Just because apps can bypass a firewall doesn’t mean they do. It is a lot of work and the app would need to be built like a literal malware. Of course, user-space firewalls cannot defend against a determined attacker who’s willing to put in the time and resources to compromise various defenses (think: NSO’s Pegasus) but that does not mean you do not use one. Discarding credible defenses is like reasoning: since my password can be stolen if my browser is compromised, I’d rather not keep a password at all. What’s needed is both a password and a secure browser.

Not sure why one NEEDS to NOT block Download manager. I actually find that it’s rarer for apps to use it as opposed to straight connecting.

Too bad there’s no “INTERNET permission revoke” without a full system recompile, eg. Use custom ROM
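The post above makes the point that a default-deny egress firewall still has to let DNS through to some resolver, and that DNS is therefore a channel an app can use to exfiltrate data that the firewall never sees as a blocked connection. The following is an added example, not code from the original thread or from any firewall or ReThink DNS product, showing the kind of monitoring that covers that gap: it parses resolver query logs and flags base domains whose subdomains look like encoded payload (long, high-entropy, rarely repeated labels). The log format (`timestamp client qname`), the sample lines, the domain names and the thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<unix ts> <client ip> <queried name>".
# The names below are made up; "exfil.example" plays the role of a domain
# whose subdomains carry hex/base64-encoded chunks of data.
SAMPLE_LOG = """\
1700000000 10.0.0.7 f-droid.org
1700000001 10.0.0.7 api.example-app.com
1700000002 10.0.0.7 4a6f686e20446f65.3c7365637265743e.t.exfil.example
1700000003 10.0.0.7 7061737377643132.3334353637383930.t.exfil.example
1700000004 10.0.0.7 ZGF0YSBjaHVuayB0aHJlZQ.t.exfil.example
1700000005 10.0.0.7 f-droid.org
1700000006 10.0.0.7 cdn.example-app.com
1700000007 10.0.0.7 img.example-app.com
1700000008 10.0.0.7 MjAyMy0xMS0xNCBsb2NhdGlvbg.t.exfil.example
"""


def shannon_entropy(s):
    """Bits per character; encoded payload sits well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, base_labels=2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Using the last two labels as the base is an assumption for this example;
    a real deployment would use the public suffix list."""
    labels = qname.strip(".").lower().split(".")
    if len(labels) <= base_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        rows.append((int(ts), client, qname))
    return rows


def find_dns_exfil(rows, min_queries=3, min_avg_len=20,
                   min_entropy=3.0, min_unique_ratio=0.8):
    """Return {base_domain: metrics} for domains whose subdomain labels look
    like data being smuggled out one query at a time.

    Thresholds are illustrative; tune them against your own benign baseline."""
    per_base = defaultdict(list)
    for _, _, qname in rows:
        sub, base = split_qname(qname)
        per_base[base].append(sub)

    findings = {}
    for base, subs in per_base.items():
        data = [s for s in subs if s]  # apex-only queries carry no payload
        if len(data) < min_queries:
            continue
        avg_len = sum(len(s) for s in data) / len(data)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in data) / len(data)
        unique_ratio = len(set(data)) / len(data)
        if (avg_len >= min_avg_len and avg_ent >= min_entropy
                and unique_ratio >= min_unique_ratio):
            findings[base] = {
                "queries": len(data),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
                "unique_ratio": round(unique_ratio, 2),
            }
    return findings


if __name__ == "__main__":
    for base, m in find_dns_exfil(parse_log(SAMPLE_LOG)).items():
        print(f"suspicious: {base} {m}")
```

The three signals are deliberately combined: CDN hostnames are short, wildcard API hosts repeat, and only an encoding channel produces labels that are long, high-entropy and almost never seen twice. This only works if the device's DNS actually goes through a resolver you log, so the allowlist firewall has to force that too (block UDP/TCP 53 and DoH/DoT to anything but your resolver).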

This is a breakdown of the hidden post made by hunterOpsec10rules. The post makes references to people in the Newsweek article about an undercover army employed by the pentagon I linked to earlier; namely humint, short for human intelligence; and opsec, short for operation security.

The post is written in a strange manner for several reasons. To people other than the target, they’re not sure what to make of it and just ignore the post entirely. The target has already been conditioned to believe he’s been contacted by a higher intelligence, in this case probably aliens. The odd language used serves to reinforce the target’s belief that this message is otherworldly.

[Zero day] is the day the target believes he is supposed to make his big move. It is not likely that the target has ever been given a date, instead vague references, such as zero day, are made to give the target a sense that there is a day in which he is supposed to make his big move, however, unbeknownst to the target, it is up to him to come up with this date on his own.

The target likely believes he’s been able to piece together bits of information left for him here and there to reveal the date, but actually he just came up with it himself. A date was not supplied because it doesn’t matter when the target makes his big move, he hasn’t actually been contacted by aliens and zero day is not the day he makes his big move against, probably what he believes to be the Illuminati in this case, but the day he gets shot and killed by the police as an active shooter in what everyone else will see as just another lunatic mass shooting.

Additionally, not supplying a date serves to sever any evidence trail. Supplying the date would link the post to the crime. As it is, to everyone else, it just looks like some weirdo posted some weirdo shit.

The target is being instructed to kill humint, human intelligence agents. I’m not sure about the Osint, possibly operation security agents, or smartphoting, but it probably makes sense to the target and his handlers.

Where can the target find human intelligence agents? Everywhere. The target believes spies are virtually everywhere. He’s being instructed to go on a shooting spree killing random people, although he believes these people are spies employed by:

Even the username is part of the trigger “hunterOpsec10rules.” Operation Security hunter. I don’t know what the 10 rules is in reference to, but I’m sure it makes sense to the target.

This post is a trigger meant to instruct someone to initiate a mass shooting event, although the target believes he will be killing Illuminati spies at the behest of a higher intelligence. The target probably believes this higher intelligence will protect him during his mission, but will, in fact, just be shot dead or otherwise jailed as a madman.

I couldn’t say why this person has been targeted for elimination, I don’t know who the target is, but I hope he’s reading this.

1 Like

What the fuck dude. I really didn’t understand it all. Please I need more elaboration or context.

It seems trolling to me, idk

Custom ROM doesn’t account for the fact that OEM has many firmware bits running with higher privileges outside of Android itself.

I wrote about it on Hacker News here: Replacing OEM Android is only one part of the equation. There are many component... | Hacker News

Custom ROM cannot offer privacy… Far from it. Hopefully, PINE64 and Librem become serious enough alternatives.

1 Like

I would like to have a PinePhone, I don’t care about hardware performance in general, but battery life is a no-go for me, sadly.
I hope they eventually add a 4000mAh battery with a similar price.

1 Like

@TheMystic

what is your motivation behind developing AND maintaining a free software?

Personally:
I do it for myself first because nothing provides what I want the way I want it.
Further I already benefit on the mountains of FOSS, why not make it available the same? Why should it sit on my hard drive only to be used by myself?
Lastly, I myself always try to use FOSS whenever/wherever possible, why would I make something proprietary?

@ignoramous

Custom ROM doesn’t account for the fact that OEM has many firmware bits running with higher privileges outside of Android itself.

It is an issue, but can be managed given reasonable expectations.
I’d far rather see PinePhone and Librem support AOSP first.
Linux on mobile is too far away to be usable and F-Droid already has over 3,000 FOSS designed-for-mobile apps.
And Linux desktop security is currently far behind what AOSP provides, such as extensive compile time hardening and aggressive isolation of all services and apps.

Custom ROM cannot offer privacy… Far from it.

Strong disagree. That is too defeatist.

I say this as someone who both maintains a “deblobbed” ROM and helps support the leading Linux desktop sandbox utility.

1 Like

Integrated firewall to revoke INTERNET is a step forward, why keep on moving the goalposts for every answer? Yes, you are right…but…

Can mere downloading of something be a threat? I thought, on Android, as long as ‘unknown sources’ are disabled, there is very little a downloaded file can do.

How does the average user configure this?

I tried this app. For most apps (actually almost all of them) that I tried to block trackers, it gave me the error ‘Could not disable trackers’. I am using OnePlus device with OOS 11.0.9.9, not rooted.

I also checked ReThink DNS. It is a little complicated and time consuming to setup.

Here is my requirement:

1. Block all sorts of trackers and ads from all apps.
2. Block internet access to apps I choose.
3. Block intents for apps I choose (e.g. a gallery app should just show me the pictures and videos on my device. There is absolutely nothing more it should do or be allowed to do)

Is there really a solution? Preferably a non-root solution.

For the sake of simplicity, we can ignore the possibility of a determined hacker, and therefore a super-hardened security solution is unnecessary in my case (also true for most users too).

1 Like

I guess it is impossible to use technology without being tracked.

"Replacing OEM Android is only one part of the equation. There are many components that run with full privileges (EL2/EL3?) outside of Android and never subject to Android’s sandbox. Well, at least until Google can force OEMs to stricter standards with their effort to KVMize those privileged executables [0].

If you do not trust the OEM, replacing its ROM with GrapheneOS / CalyxOS / LineageOS isn’t going to help much anyway.

One right answer to this is fully open-source (hardware and software) phones like the PINE64 and Librem, among others."

Even if you take care of the software/ firmware, you still are using the same hardware (e.g. the chips used in the device) that can spy on you. For example, how iPhones can keep track of location even when switched off.

Appreciate that. I also read through some of the comments in your OS post where you made it clear that you do not want obligations (which happens when you put a price for your product).

I don’t know why, but I am increasingly suspicious of everything free (since there are no free lunches). I am more inclined to think that going anti-Google is basically handing over your data to another entity, who can do pretty much the exact same things that you wanted to get away from. Besides, it is very much a possibility that the new entity is actually the same old entity in a disguised form.

I think most apps rely on the system download manager. So blocking it will prevent the downloads too.

Depends on your apps, yes.

Browser? Email client? Chat app? Osmand? None use it…

Looking at my allowed hosts: organicmaps (not using it), trekarta (for a bug test) and radiocells (if I remember to update it once a year)…nothing else

How might a person come to believe that a higher power is communicating with them? Take the religious type as an example. Religious people tend to think that god might communicate with people through “signs,” which is to say events in a person’s everyday life.

As an example, let’s say someone was thinking about proposing to his girlfriend. As he’s thinking about this on his daily commute he passes a bus with an ad for a wedding chapel and thinks to himself that this was a sign from god that he should pop the question.

Now, if you wanted someone to think that you were god all you have to do is communicate with them in this manner. So let’s return to our marriage example and say you’re a well funded, well connected organization and you wanted the guy from the above example to get married so you bought ad space on a bus you knew he would pass on his way to work.

To really hit the message home you also bought ad space on a park bench near his apartment. On his way home the guy contemplating marriage was also cut-off by a car with the license plate “gotspouse,” that might be too many characters for a license plate, and maybe a few other things.

Of course you knew he was thinking about getting married because you had access to his internet search records and browsing history and knew that he had recently searched about marriage failure rates and the cost of engagement rings. You also had access to his location history, call history, contacts, social media presence, etcetera so it’s not too hard to develop a picture of the things going through his mind.

Once the subject is under the belief that a higher power is communicating with him he’s basically putty in your hands. He’ll do anything you say without question. So if you want finer control over his actions you can start communicating with him more directly.

For instance, you might pay an actor or social media influencer to say something on Facebook then share that message to the target’s social media feed. To the social media influencer the message looks like a plug for some product, but to the target it’s part of a broader campaign to steer his world view.

Maybe the plug says something like “so good even the Illuminati can’t resist.” The influencer thinks it’s just a stupid crack about conspiracy theorists, but the target sees it and thinks “man I’m seeing Illuminati stuff everywhere I go lately.”

You write articles and pay to have them published on websites the target is known to frequent. And finally you start indirectly posting cryptic messages to him on forums he’s known to frequent.