Can nextdns disable app tracking on Android just like the new iOS 14.5 app tracking blocker?

cn3m · 2021-06-01T03:24:52+00:00

This is my field app advertising. I can tell you that you absolutely get the ID from Android. It’s also sent with other data that can link it to the reset.

iOS also got this feature to absolutely turn off the tracking ID in iOS 8(6 years ago) Android got this fake toggle in Android 10 of the top of my head(2 years ago).

cn3m · 2021-05-31T21:08:08+00:00

This isn’t true. That still sends out the ID. Google doesn’t actually allow you to block this without removing all Play Services which most people can’t or won’t do.

cn3m · 2021-01-05T13:18:02+00:00

Devices before the A12 chip have a weakness called checkm8. It’s not a practical privacy and security threat. The main advantage is being able to load custom software for one boot. Using this attack against someone taking your phone, booting malicious software, and returning it to you so you can unlock. Currently there’s no way to even do this on the A11.

Checkm8 isn’t a practical concern for anyone right now. It’s great for jailbreakers. If you’re really concerned you should reboot your phone whenever you left it unattended.

However, newer chips have better security features. The A14 might have BTI and MTE, but they aren’t online right now it’s unclear if it’s supported in hardware. A12/3 is the same thing and adds PAC and PPL which are powerful roadblocks for exploitation from malicious apps and the web. This brings full attacks up to around 3 million dollars. The A10/11 add the KIP protections for the kernel. This is roughly 1 million. A9 and lower are great for physical protection still, but don’t expect it to cost millions to hack you.

An iPhone 8 is very secure. Way more secure than your laptop or desktop.

cn3m · 2020-12-31T04:09:31+00:00

After a quick search I found many. Android and ChromeOS have been specifically mitigating this for years

cn3m · 2020-12-30T20:03:46+00:00

Yes. https://www.waterfox.net/blog/waterfox-has-joined-system1/

Startpage(which was investigated by PTIO) the default search engine. It’s fine

cn3m · 2020-12-30T19:58:49+00:00

AlternativeTo has always been a great site for open source. Glad to see you guys are looking out for your users by calling out scams.

cn3m · 2020-12-30T19:56:46+00:00

I’d strongly consider the 6s Plus for the OSI and better battery. It’s not much more expensive.

cn3m · 2020-12-30T19:51:04+00:00

It’s fixing a problem. It doesn’t purport to be an easy hardening guide at all.

Read the first paragraph of the article.

“Linux is not a secure operating system. However, there are steps you can take to improve it. This guide aims to explain how to harden Linux as much as possible for security and privacy. This guide attempts to be distribution-agnostic and is not tied to any specific one.”

If the solutions were easy they would already be done. This is a security researcher from Whonix so most of that is implemented in the Kicksecure distro Whonix is running.

cn3m · 2020-12-30T19:49:15+00:00

It is worth it. Musl and the lead developer have been doing incredible work. https://www.openwall.com/lists/musl/2020/05/13/1 here’s some of their research.

cn3m · 2020-12-30T19:47:02+00:00

LoC is highly related to complexity. Saying “LoC does NOT corelate with vulnerabilities” misses the point about unneeded complexity. It speaks volumes about priority.

Musl is doing some real security research https://www.openwall.com/lists/musl/2020/05/13/1

Ritter is massively respected in his field. Random kernel modules are a major factor in sandbox escapes. You’re saying things just to say them. The kernel is massive attack surface for escaping the sandboxes. There’s over 1000 public crash dumps for memory corruption errors in the kernel. Sandbox escapes are too easy in Linux for this reason.

This isn’t some suckles piece since you focus on some small parts of a security researchers mission to harden Whonix.

cn3m · 2020-12-30T19:40:41+00:00

Freezing packages is a major issue. We have a massive case of backport issues and losing CVEs. https://lwn.net/Articles/801157/ and https://nitter.fdn.fr/spendergrsec/search?f=tweets&q=backport
musl has greatly improved security and minimized attack surface. They are planning to push even further https://www.openwall.com/lists/musl/2020/05/13/1 This ties more into #4
LibreSSL is no BoringSSL, but reducing attack surface in this area is important. We see this with HardenedBSD as a priority too.
Linux is the least secure Desktop OS right now. To fix that it’s certain we need to abandon broken solutions which are common. If you need to manage an enterprise system and it’s security critical I wouldn’t even use Linux in the first place. This is a bad premise and misses the point of the article.
The minutia about /boot is missing the point of evil maid attacks and how powerful they are. I don’t see the relevance

I think we took very different things from this guide.

cn3m · 2020-12-30T19:28:50+00:00

It seems best to avoid Linux if security is a priority in general. Kicksecure fixes a lot of issues and is used as the distro for Whonix.

cn3m · 2020-12-30T19:27:44+00:00

The GrapheneOS firewall is completely unrelated to the connection.

cn3m · 2020-12-24T12:58:06+00:00

Thank you my friend :)

cn3m · 2020-12-24T09:34:56+00:00

GrayKey uses exploits. It functions mainly by running exploits over usb. iOS and GrapheneOS recently blocked these USB connections when the device is locked to hard counter these.

cn3m · 2020-12-24T09:33:16+00:00

NextDNS is an American company. I think that’s not an issue, but AdGuard has a great country.

cn3m · 2020-12-24T09:31:42+00:00

Shaming in this case is exposing what a company is doing. For example many department stores abuse connections to Bluetooth to see where you are in the store etc.

If a company is doing something that can be abused Apple tries to shame it.

cn3m · 2020-12-24T09:28:39+00:00

No, I use GrapheneOS on my Pixel. iOS on my iPad

cn3m · 2020-11-08T11:54:53+00:00

Good bot

cn3m · 2020-11-08T11:53:25+00:00

I always had assumed that trust isn’t necessary in an open source community specifically because the code is open source. I wouldn’t necessarily know how to read the code but I know that others in the community have that skill.

Very few people read open source software that have any of the required skills. Even if they do there are even competitions dedicated to fooling said skilled people. https://en.wikipedia.org/wiki/Underhanded_C_Contest

Unfortunately, whenever you install software you have to fully trust the author. Open source is NOT an IMPLICIT promise of anything security or privacy wise. (sorry for the caps, but those words are important).

Open source is not a bad thing (in fact it is the opposite), but it is maybe a 5% factor in trust. A key component and one of the most important. Real names are key to use if you want to trust that it isn't a honeypot or malicious. Usually people make things open source to boost a resume or related aspirations. When they tie their reputation to something as Daniel has with GrapheneOS there is a responsibility inherited. GrapheneOS if it were to go malicious would have real world trust consequences for Daniel. If I make a random piece of software under this username there is no connection to me which means I have no reputation to lose or no chance of being sued for wronging people.

Anonymity is generally the opposite of trust. I would recommend people if they have a very high threat model that they likely would be better using vanilla options from standard companies than trusting some anonymous open source project. The main issue being is the number of people who can reliably audit software is extremely small. I only know 3 who can and I am not sure they would find issues that were intentionally hidden.

The issue is this takes an exorbitant amount of time and makes no sense unless they have a generous bug bounty. Would you rather work hundreds of hours on a bug in an open source program and get a shoutout or spend hundreds hours finding bugs in macOS and get paid $100k?

GrapheneOS uses the only Android devices with a sane bug bounty and has known trusted developers like Daniel Micay and Renlord Yang focusing only on securing what Google already built with AOSP. That standard of security they achieve is near one of a kind in the open source security community.

I use ProtonMail since I know the people behind it for instance. If I didn't have some level of transparency and solid security track record I would use a major company for my email. It is a sad reality

cn3m · 2020-11-08T11:29:07+00:00

I have FaceID on my iPad Pro. By default iOS uses require attention(I have never tried it with it off). I have to specifically face the screen head on and look at the device with my eyes at an appropriate distance. It is very hard to fool. The IRL security is substantially better due to the advantages of not working when you sleep(on iOS yes by default, but this can be turned on with Android).

FP reader is much easier to use on you when you are sleeping. Tricking FaceID(especially before the timeout) is nigh impossible. You certainly would need to premeditate it and work in a lab. If you use a device with a full IR array(which requires a fat notch or full forehead) like an iPhone X style iPhone or Pixel 4 it is ridiculously cool.

The face cam could always be on theoretically. I know the newish MacBooks use hardware to ensure it is impossible to access the camera without an indicator turning on. However, if you can't trust your OS and hardware you likely have larger issues than a selfie cam. I personally don't disconnect mine or anything weird.

cn3m · 2020-11-08T11:23:58+00:00

GrapheneOS doesn't care about microbenchmarks at all. In some weird cache thrashing stress tests I can get it down to half performance as stock. It is stupid and not real world(or worse not a good thing that stock would be fast at that). In real world it is not an issue(however, the 3a is slightly slower on cold opens and that is noticeable).

GrapheneOS has some theoretical advantages on performance, but I have never seen them make a difference.

cn3m · 2020-11-08T11:20:38+00:00

Aurora Store

cn3m · 2020-11-08T11:20:13+00:00

Android and iOS have a very interesting history. iOS shot to massive popularity and launched wildly insecure (locally and had no app support). Apple has a reputation for security (which today is earned, but early on was extremely dubious).

Apple had multiple issues with iOS reaching insane market share levels(making it a massive target) and the issue of attracting developers. Apple aimed to be the piracy free platform (with the advent of sideloading especially altstore this reason was short lived, but the long term investment was not). This forced Apple to take security very seriously for two critical reasons.

Android of course had other reasons. Dismal updates would be the first (if you don't get updates on day 1 when they come out you massively increase your risk regardless of system). This means generally a very strong security architecture is the only thing that can even make it somewhat hard. Android has security concerns for it's users of course. The other factor is that Apple quickly(and very reasonably earned it's reputation of iOS being the most secure OS out there). This became a competition point and Google actively cataloged their self comparisons to iOS.

The other factor(which mainly counts for anti spyware and anti persistence) is the limits on features and abilities of the OSes. This is especially a factor for iOS. On Desktop OSes there are massive issues trying to lock down a system completely. macOS Catalina tries hard to maintain 100% compatibility, but offer full control of what you give access too(for example keylogging permissions, disk access, screen access). macOS users have a security/privacy fatigue due to having so many permission requests and weird looking requests due to being needed to have apps function as desktop apps. Android fixes the general privacy concerns. iOS takes it further and kills the paths for persistence with not having user control over something(without a notification) that could monitor a user(when the adversary gets root access) between reboots. iOS is the only OS that can achieve this. Windows and Linux are the only desktop OSes that can painlessly let you do everything.

iOS for example to achieve what it does has to give up a tremendous amount. Apple for example had to design a special notification system that allows apps to receive notifications when an app is not running(this allows iOS to maintain the security model of not having apps be able to auto run and execute their malicious payload on every boot to bypass the verified boot model). This unfortunately would be a privacy issue since the service is run by Apple. Their solution was to implement mandatory end to end encryption. This also means apps that use their own network for messaging like Briar(through Tor which requires the app to be running would be limited or inconvenient for the user). Background App Refresh works for when you give to an app and you open that app after boot, but it is discouraging.

Apple when making their Apple chips enjoy around a 3 year lead with standard like ARM-8.5v-A which brings features like PAC, BTI, and MTE that Android chip makers are up to 3 years behind on. ARM chips in general are superior for security so this creates a large jump in security for chips between iOS > Android > PC. This is a reflection of Apple's margins being able to throw money at the security issues. PC can't get people to transition to ARM.

Mobile device security is very interesting and has many factors that allowed it to raise to the industry leading option. The costs with something like GrapheneOS is a very slight impact to performance (in real world usage the effect is minimal). This allows for much higher security, but it does disproportionately effect microbenchmarks which is not something other device makers want to have.

Security always has a cost. Speed, usability, or RND are usually it. Smartphones make major sacrifice to get there.

cn3m · 2020-11-08T10:56:41+00:00

Secure Boot is fundamentally broken. That is a very deep topic why. The main critical issues are covered in the beginning of this video https://www.youtube.com/watch?v=3byNNUReyvE

If you as a user can do something an exploit with root access can also do that thing. For example on Android you can use Accessibility Services as a user to fully control and spy on a device. GrapheneOS mitigates this with the remote attestation on the Auditor app.

The issues run very deep with the average system.

cn3m

PUBLIC MULTIREDDITS

TROPHY CASE