> Decline location-sharing or at the very least restrict it to only when the app is open
These seem obvious but I guess need repeating. The last one is only an option for Android 10+ users which apparently only account for ~25% of Android devices out there. So 75% of Android users can't even do this yet. Not sure about iOS but I know they've had it longer at least.
> Reset your phone’s Advertising ID
This one I personally was not aware of
> Don't use iOS and Android's FindMy or FindMyDevice features
What happens if I lose my phone though? I wonder what the numbers are on people who have successfully retrieved their phone using these compared to people who can see where their phones are but never got it back.
> consider using a trusted VPN provider.
I clicked on their link and just skipped straight to their "Advanced User" recommendation, because this is HN, and they recommend Mullvad. Curious to see what HN users think of that one.
I met one of the founders/owners of mullvad at CCC in Germany over 8 years ago.
I gotta say, I've never met someone so happy to talk about how unbelievably paranoid they are about security and how much effort went into not only protecting the VPN endpoints themselves but the team's devices so they can't be used as a point of compromise. Wasn't a sales pitch, just a multi hour long discussion around privacy and tech that enables it.
I learnt a lot from that dude and have been using mullvad ever since, as it's the only VPN provider I've ever personally met.
Oh yeah, decent speeds etc as well :P
> and they recommend Mullvad. Curious to see what HN users think of that one.
There is no signup information when creating an account, and one of the payment options is "cash in an envelope". Even if they're lying and do keep logs, it's as disconnected from your identity as I think is possible (assuming you do use that payment option instead of the others).
> one of the payment options is "cash in an envelope"
I was intrigued by this line in your post, and it turns out it's true. I'm not all that paranoid, but I kinda like that idea.
Also, right now there's a caveat about it:
"Cash payments are delayed due to corona
6 May 2020 NEWS
If sending cash is your preferred method for topping up your Mullvad VPN account, please plan ahead. The coronavirus is causing delays in postal delivery.
To avoid being stuck with no time on your account, send your payment well in advance. Mail coming from the US is taking four weeks longer than usual, and even post from countries in southern Europe and England are delayed."
I recommended Mozilla VPN to my dad due to the clear simple Mozilla user interface, known (to him) and trusted brand, and accessible documentation and explanations. Other than that they use the same servers as far as I can tell.
If you are truly security paranoid, you write it off and get a new one. It will hopefully be secure enough that whoever got it won't be able to access it because they lack the passcodes, biometrics and bluetooth 2fa tokens you use to unlock it. If the cost of this scares you, perhaps the NSA/Mossad/whatever should not be in your threat model.
Years ago now, living in the US Virgin Islands, while drunk, I left the Ritz (great beach and bar) and requested that they get me a cab to my usual local bar that was stumbling distance to home. Upon arrival I realized I didn’t have my phone.
I’d left my laptop at the office, so I ran back there and used Find My iPhone. It was moving, so I assumed it was in the cab I’d been in. I locked it, added a display message, and used the office phone to call the Ritz and tell them... they called the cab company, and within 10 minutes the phone was back at the Ritz.
I’m positive that this was only because I’d used the cab company the Ritz contracts with and their drivers are terrified of losing a lucrative job, but it was a successful recovery in a territory not known for honesty.
Had I not had FMI enabled I probably wouldn’t have connected the dots, assumed I’d lost it on the beach, and lost my phone forever. As it was, I got my phone back and it only cost me an extra cab ride. I’ll never turn off FMI again, though.
Completely anecdotal, but my point is the system can actually work. At the very least I can lock the device and wipe its data.
Even when you turn off all that stuff, shit like iBeacon still makes you locally trackable. Try installing the apple store app for example, turning off everything and walking into a physical apple store, you'll still get an iBeacon induced notification on your phone from that app.
There is no way to turn off iBeacon tracking on iPhones.
At this point you need to walk around with a faraday cage evidence bag to not have your phone stop fucking transmitting & receiving radio waves.
Isn’t iBeacon a passive technology, though? I don’t think the beacons are listening for any incoming client connection, they just blindly broadcast their identifier (UUID+major+minor IDs). Unless you are assuming an app might store the beacon IDs and then report back via the Internet.
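Added example, not from the thread or from Apple: a parser for the advertisement layout described above (a manufacturer-specific AD structure carrying Apple's company ID, the iBeacon type/length bytes, a 16-byte proximity UUID, major, minor and the calibrated 1 m RSSI), plus the textbook log-distance estimate an app would run on the received RSSI. The packet bytes, the UUID and the sample RSSI values are constructed for the example. It shows why the beacon itself never needs to listen: everything an app needs to identify the beacon and guess how close you are is in the broadcast.

```python
import struct
import uuid

APPLE_COMPANY_ID = 0x004C
IBEACON_TYPE, IBEACON_LENGTH = 0x02, 0x15

# Constructed BLE advertising payload (not a capture): flags AD structure followed
# by the manufacturer-specific AD structure an iBeacon broadcasts. Arbitrary UUID/IDs.
SAMPLE_ADV = bytes.fromhex(
    "020106"                            # len 2, type 0x01 (flags): LE general discoverable
    "1aff" "4c00" "0215"                # len 26, type 0xFF (manufacturer), company 0x004C LE, iBeacon 0x02 0x15
    "0102030405060708090a0b0c0d0e0f10"  # 16-byte proximity UUID (constructed)
    "0001"                              # major = 1 (big-endian)
    "0002"                              # minor = 2 (big-endian)
    "c5"                                # measured power at 1 m = -59 dBm (signed byte)
)


def parse_ad_structures(payload):
    """Split an advertising payload into (ad_type, data) pairs: each structure is
    one length byte, one type byte, then length-1 data bytes."""
    structures, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:          # zero-length structure terminates the payload
            break
        ad_type = payload[i + 1]
        structures.append((ad_type, payload[i + 2:i + 1 + length]))
        i += 1 + length
    return structures


def parse_ibeacon(payload):
    """Return the beacon identity if the payload carries an iBeacon frame, else None."""
    for ad_type, data in parse_ad_structures(payload):
        if ad_type != 0xFF or len(data) < 25:
            continue
        company = struct.unpack_from("<H", data, 0)[0]
        if company != APPLE_COMPANY_ID or data[2] != IBEACON_TYPE or data[3] != IBEACON_LENGTH:
            continue
        proximity_uuid = uuid.UUID(bytes=bytes(data[4:20]))
        major, minor, tx_power_1m = struct.unpack_from(">HHb", data, 20)
        return {
            "uuid": str(proximity_uuid),
            "major": major,
            "minor": minor,
            "tx_power_1m_dbm": tx_power_1m,
        }
    return None


def estimate_distance_m(rssi_dbm, tx_power_1m_dbm, path_loss_exponent=2.0):
    """Log-distance path-loss model: d = 10 ** ((txPower - RSSI) / (10 * n)).
    n = 2 is free space; indoors apps typically use a larger, tuned exponent."""
    return 10.0 ** ((tx_power_1m_dbm - rssi_dbm) / (10.0 * path_loss_exponent))


if __name__ == "__main__":
    beacon = parse_ibeacon(SAMPLE_ADV)
    print(beacon)
    # An app that sees this beacon at RSSI -69 dBm would estimate ~3.2 m in free space.
    print(round(estimate_distance_m(-69, beacon["tx_power_1m_dbm"]), 2))
```

The identity the app reports home is the (UUID, major, minor) triple; the store operator already knows which physical spot each triple was installed at, so the "passive" beacon still yields a location fix once any app on the phone forwards the sighting.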
I think the turning off FindMy one really depends on where you fall on the security-usability spectrum. For example if you want to truly harden your Mac there is a ton of steps you can take, but they get gradually more intrusive to the experience of actually using the system: https://github.com/drduh/macOS-Security-and-Privacy-Guide
> I wonder what the numbers are on people who have successfully retrieved their phone using these compared to people who can see where their phones are but never got it back.
When my wife got her iPhone stolen in Rome, we were able to use the Find My Friends feature to watch it move across the country, and eventually end up in Tunisia. This was before you could remotely wipe an iPhone, so there was nothing I could do other than send angry text messages to whomever stole it.
> I clicked on their link and just skipped straight to their "Advanced User" recommendation, because this is HN, and they recommend Mullvad. Curious to see what HN users think of that one.
They're the best VPN provider, hands down. They offer the best privacy protections of any provider at a very reasonable price, and the service itself is excellent.
If you lose your phone, you lose your phone. I've personally done this before, but since I have a secondary low-end device for such contingencies, it wasn't so much a problem. It does require some preparation, though.
The find-your-phone feature is nice, but not necessary. Especially the hassle of getting it back if it's been stolen. First - don't keep nudes on your phone. . .
Then just add your contacts and other files from your phone to a monthly/weekly (depending on your personal preference) backup schedule.
I have all of my home data set to backup automatically monthly. I just make sure my phone is plugged into my desktop the last Saturday of the month. Problem solved.
>Also important to remember is that GPS is not the same as location services. Even if GPS and cellular data are unavailable, a mobile device calculates location using Wi-Fi and/or BT. Apps and websites can also use other sensor data (that does not require user permission) and web browser information to obtain or infer location information.
Wondering what kind of sensory data they meant here, I had a look at the citation[0]. If anyone else is curious:
>We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure and device’s timezone, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off. Unlike previously-proposed attacks, PinMe neither requires any prior knowledge about the user nor a training dataset on specific routes. We demonstrate that PinMe can accurately estimate the user’s location during four activities (walking, traveling on a train, driving, and traveling on a plane).
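Added example, not from the thread or from the PinMe paper, of the air-pressure-plus-elevation-map idea in the abstract above: convert barometer readings to altitude with the standard-atmosphere formula, look up which map cells sit at that elevation, and then use the fact that a walker can only move to a neighbouring cell between samples to prune the candidate positions. The 4x4 elevation grid, the sea-level reference pressure and the readings are all constructed; a real attack would use a public DEM and the sea-level pressure from a weather service, and the barometer permission-free on both platforms is what makes this work.

```python
import math

SEA_LEVEL_HPA = 1013.25   # assumption: reference pressure taken from a public weather report


def pressure_to_altitude_m(p_hpa, p0_hpa=SEA_LEVEL_HPA):
    """International Standard Atmosphere barometric formula for the troposphere."""
    return 44330.0 * (1.0 - (p_hpa / p0_hpa) ** (1.0 / 5.255))


def altitude_to_pressure_hpa(alt_m, p0_hpa=SEA_LEVEL_HPA):
    """Inverse of the above; used here only to construct sample readings."""
    return p0_hpa * (1.0 - alt_m / 44330.0) ** 5.255


# Constructed 4x4 elevation map in metres: a gentle slope on rows 0-2 and a
# steep ridge on row 3. Keys are (row, col) cells, values are elevations.
ELEVATION_GRID = {(r, c): 10.0 * (r + c) for r in range(3) for c in range(4)}
ELEVATION_GRID.update({(3, c): 100.0 + 10.0 * c for c in range(4)})


def candidate_cells(p_hpa, grid, tolerance_m=4.0, p0_hpa=SEA_LEVEL_HPA):
    """All cells whose elevation is within tolerance of the barometric altitude.
    The 4 m tolerance is an assumption about phone barometer accuracy."""
    alt = pressure_to_altitude_m(p_hpa, p0_hpa)
    return sorted(cell for cell, elev in grid.items() if abs(elev - alt) <= tolerance_m)


def adjacent_or_same(a, b):
    """A walker either stays in a cell or moves to a 4-neighbour between samples."""
    return abs(a[0] - b[0]) + abs(a[1] - b[1]) <= 1


def match_track(pressures, grid, tolerance_m=4.0, p0_hpa=SEA_LEVEL_HPA):
    """Every cell sequence whose elevation profile matches the pressure sequence
    and whose consecutive cells are reachable on foot. Fewer surviving paths
    means a tighter location estimate."""
    layers = [candidate_cells(p, grid, tolerance_m, p0_hpa) for p in pressures]
    if not layers or not all(layers):
        return []
    paths = [[cell] for cell in layers[0]]
    for layer in layers[1:]:
        paths = [path + [cell] for path in paths
                 for cell in layer if adjacent_or_same(path[-1], cell)]
    return paths


if __name__ == "__main__":
    # Constructed readings: the phone climbs from 0 m to 10 m to 20 m.
    readings = [altitude_to_pressure_hpa(a) for a in (0.0, 10.0, 20.0)]
    print("cells per reading:", [len(candidate_cells(p, ELEVATION_GRID)) for p in readings])
    for path in match_track(readings, ELEVATION_GRID):
        print(path)
```

On this grid a single reading of 20 m leaves three candidate cells, but the three-sample climb leaves only four consistent paths, all starting at the one 0 m cell; on a real terrain model with a longer trace the same pruning is what lets the paper pin a route without GPS.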
Microphones too. Signage and TVs etc can emit ultrasonic beacons your devices can hear, with applications like tracking your viewing habits and your location.
Ditto the proximity sensor: it's just a photocell and a simple room light could comprise a beacon. Flashing at, say, 30 Hz would be invisible to us.
> We demonstrate that PinMe can accurately estimate the user’s location during four activities (walking, traveling on a train, driving, and traveling on a plane).
Wonder if they can track someone who is "lost in remote area without hope of being rescued."
Even traveling on a plane has a transponder to piggy back on IIRC. Remote area implies a spotty network at best. The best that could be done is noting when and where contact with a network of some sort is lost or regained.
That's the purpose of an IMU[0]. But even the best IMUs have a limited amount of precision, and, as time goes by, these imprecisions can accumulate to a very big margin of error in your location.
With the cheap IMU in phones, you very quickly reach the 100+ meter margin. That is why you usually combine it with other sources of localization to keep the margin down. If no other sources are available, the localization provided by the IMU becomes next to useless.
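Added example, not from the thread, that puts numbers on the drift described above. Dead reckoning integrates acceleration twice, so a constant accelerometer bias b turns into a position error of 0.5*b*t^2; the 0.01 m/s^2 (about 1 mg) bias and the 100 Hz sample rate are assumptions in the range of cheap MEMS parts, and the device is assumed to be sitting still so that any computed displacement is pure error. The optional periodic reset stands in for fusing an external fix (GPS, Wi-Fi) and shows why the error stays bounded only while such fixes keep arriving.

```python
import math


def dead_reckon(accel_samples, dt, fix_every_s=None):
    """Euler double-integration of 1-D acceleration samples (m/s^2) taken every
    dt seconds. The device is assumed to be at rest, so the integrated position
    is entirely error. If fix_every_s is set, velocity and position are reset
    to the truth at that interval, mimicking an external fix fused into the
    estimate. Returns (final_error_m, max_error_m)."""
    velocity = position = 0.0
    max_error = 0.0
    samples_per_fix = int(round(fix_every_s / dt)) if fix_every_s else None
    for i, accel in enumerate(accel_samples, start=1):
        velocity += accel * dt
        position += velocity * dt
        max_error = max(max_error, abs(position))
        if samples_per_fix and i % samples_per_fix == 0:
            velocity = position = 0.0
    return abs(position), max_error


def drift_from_bias(seconds, bias_mps2, dt=0.01, fix_every_s=None):
    """Feed a constant sensor bias (the assumed worst-case systematic error)
    through the integrator for the given duration."""
    samples = [bias_mps2] * int(round(seconds / dt))
    return dead_reckon(samples, dt, fix_every_s)


def seconds_until_error(error_m, bias_mps2):
    """Closed form of the same growth: error = 0.5 * bias * t^2, so
    t = sqrt(2 * error / bias)."""
    return math.sqrt(2.0 * error_m / bias_mps2)


if __name__ == "__main__":
    BIAS = 0.01  # m/s^2, assumed ~1 mg accelerometer bias
    final, _ = drift_from_bias(100, BIAS)
    print(f"after 100 s with no fixes: {final:.1f} m of error")
    print(f"100 m of error reached after {seconds_until_error(100, BIAS):.0f} s")
    final, worst = drift_from_bias(120, BIAS, fix_every_s=30)
    print(f"with a fix every 30 s: worst error {worst:.2f} m, error at last fix {final:.2f} m")
```

Even with an optimistic constant bias the unaided estimate crosses 100 m in under two and a half minutes; with a fix every 30 s the same sensor never drifts beyond about 4.5 m, which is the fusion the comment above describes.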
The NSA invests heavily in its defensive role, providing guidance and awareness training both to the US privately and globally through open recommendations.
It doesn't matter. We've invested so heavily in offense that we can tell people how to defend themselves and we'll still own them.
This is the NSA Chief of Tailored Access Operations telling people how to defend themselves against the NSA (and other similar capabilities organizations), and it's all really valuable. None of it is fancy ML 0day detection or whatever, it's just about understanding your network better than an attacker can.
> The NSA, the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000.
> Last year, Microsoft even hired Ralph Reed, the political consultant who was at the time a senior adviser to the Bush campaign. His job was to urge Mr. Bush to take a softer approach toward the company if elected president.
GWB dropped the antitrust case against Microsoft after being elected President of the USA
The specific point that NSA halted SELinux development at Microsoft's behest (I had never heard of this) is more demanding of citations than Microsoft's general lobbying of the federal government (which they certainly did). There's no mention of NSA or SELinux in that NYT article.
The idea that Microsoft killed NSA work on SELinux is trivially disprovable. There are NSA developers active on the SELinux and Linux Kernel mailing lists... https://lkml.org/lkml/2020/8/5/727
Microsoft was worried that the tech sector would focus on Linux especially for TCO if Linux development was funded using public money. This was all explained years ago in marketing material from Microsoft.
Does Microsoft receive money from the government for Windows licenses? Yes, then MS is funded using public money. You mustn't forget that whenever you point a finger, there are three more pointing back at you.
Sometimes when hackers break into a system or network, they will actually stop and PATCH the systems, to prevent others from using the same vulnerabilities or other vulnerabilities from compromising the device they now own.
Suffice to say, these attackers will already have ensured they maintain persistence even with closing their initial entry points.
Likewise, the NSA has many avenues to get into a device, or (more practically, when it concerns most of the public instead of specific users and devices they need access to) they use mechanisms that aren't affected.
As they've proven, they have a huge catalog of malware and similar, but that's for actual targets. People they already believe to be threats or targets, that they need to directly attack.
But for the majority of the public? The information will come from the companies themselves, not the user devices. Why would you spend thousands or millions on developing and maintaining an application you can put on everyone's devices, and may be removed, or even just disabled due to an upgrade (until you can patch it) when you can find and obtain data from a company that already has common apps on a device, across the public, and the public not only knows they are there, they WANT the app and will take steps to complain if access is rejected? And the companies will gather as much as they legally can (and sometimes more), put it into databases, sort it, categorize it, etc?
Why would you duplicate ALL of that, when you can just take the finished product, the sorted data that's stored, either legally and knowingly, or unknowingly from a company?
And you ensure that while you can maintain that access, either to the company or the device, you direct the users and company on how to protect themselves from random attacks, or other entities that want to target the users, often with automated software that hits the "low hanging fruit".
They're making the tips they're providing to the NSS/DoD publicly available. It's a basic training guide for government employees seemingly based on normal internet research, no reason to make it classified.
It's like the Rick and Morty episode where Scissorshand says "you can run but you can't hide" and the run ends with "since when we take advice from this guy"
They truly do want government employees (and citizens) to be informed about security.
But let's be real, if you truly can evade them, you've probably already received a job offer.
Defense will always be harder than offense. The best you can do is make it extremely EXPENSIVE for an attacker. But can you outspend the NSA on your defense? (the answer is NO)
Not even Snowden thought it wise to reveal secrets related to ongoing operations. That would have been TOO expensive for him. We would not have known his name if he had done that.
Best way not to be tracked is not to carry a mobile phone.
It's also surprisingly good for your mental state.
I broke my phone earlier this year, and when leaving the house to go shopping or whatever, it was absolutely liberating not to feel chained to a device. It was like a weight off my head and shoulders.
Now I'm back to carrying a phone because my wife requires it.
A month ago I built my own android app that automatically switches on airplane mode whenever the display switches off (and vice versa). Made in 10 minutes with Tasker, it's even in the play store.
Since then I really enjoy life again without any notifications, it's just wonderful.
I just use the moderate power saving mode which disables network traffic of the background apps. Now my 2017 Samsung A3's battery lasts about 3.5 - 4.5 days / charge. If I need to be "urgently" contacted people can still call or SMS me but I don't want any realtime notifications from apps.
Your phone? Ha!! Count the connected wireless devices in your home. Cellphones, Amazon Echo, garage door opener, fitness watch, Ring doorbell, cable tv boxes, tv's, computers, printers, tablets, digital pencils, modems, wifi APs, earpods, wireless speakers, cordless phones, ovens, fridges, door locks, light bulbs, automobiles, VR goggles, quadcopters... Are we there yet?
You all probably already knew this, but I recently discovered "airplane mode" does wonders for battery life. Then again, I'm from a generation old enough to feel no qualms about wandering about with no device whatsoever, so YMMV.
Airplane mode will always remind me of traveling with my trusty iPhone 4S or SE, whose batteries always struggled to get through a full day of maps, camera, messaging, and ad-hoc Google and Wikipedia. My workaround was to keep airplane mode on by default, using Google Maps offline data downloaded ahead of time off airport wifi, only occasionally "going loud" for a few seconds at a time to ration the 100 MB/day of roaming data that was cheap and convenient enough that I never bothered buying a local SIM card. The battery life difference was really dramatic.
Do recent phones actually honour the Airplane mode absolutely or do they still allow WiFi/BT to bypass it, or override the user and activate the mobile radio under exceptional conditions?
Airplane mode will disable all radios but will allow the user to enable WiFi and BT. Some older Androids will keep the Wifi and BT on if you're connected to something though :(
I'm interested in this too. Recently I downloaded a podcast locally and turned off cellular on my phone before going for a walk.
About halfway through my walk I looked at my phone screen and noticed that my phone was still showing cellular bars. It wouldn't communicate and the LTE symbol was gone, but the signal bars remained. Made me wonder what turning cellular off actually meant, was it still connected but data was off? Are the bars just a client side thing and no comms were going out? No idea.
Great, thanks. So I guess pressing the clearly designed cellular icon does not turn off cellular and the real action is hidden in a popup.
Very intuitive! /s Glad I wasn't doing it for a more serious reason (in which case I would have just left the phone at home, but still..).
edit:
comment chain got too deep to reply to. But I think the fact that I failed to see a difference is clear evidence that the airplane mode icon is NOT an adequate indicator.
Airplane mode means turn off all wireless, everyone knows that much. But that isn't what I wanted, I still wanted bluetooth with nothing else and as such turned off the unwanted radios individually.
Airplane mode intuitively to me means just a quicker/easier way to toggle them in one swoop, not a completely different action that you can't accomplish with the individual buttons.
For most people, turning off all cellular functionality is a relatively uncommon action, and very strongly associated with the airplane mode icon. The presence of that airplane mode button serves as an adequate indicator that the cellular icon has a different function.
I rarely use airplane mode outside of being on an airplane but I am always impressed with how much battery is saved in airplane mode even with continued use for a long flight.
VPN usage is problematic - my phone provider blocks the major VPN providers so I have to switch it off whenever I'm outside wifi range. About half the financial sites I visit consider VPN usage a threat and the response ranges from CapitalOne's extra authentication to Synchrony's lock out the account for 72 hours to Goldman Sachs' refuse to load and ask you to call a toll free number (where the confused rep just says they block some vpns and has no real advice to offer).
There have been a number of cases where someone was a suspect in a crime because their phone was in the area. I'm thinking it might be better to keep the data service shut off all the time and just use wi-fi calling when I get to where I'm going. Phones don't work on the subway and are a distraction when driving, so maybe solve multiple problems that way.
Between your handset and the base station, when your handset is active the vast majority of RF power going through you is from your own handset.
I'm not sure if it's still the majority on average when your handset is idling, but I suspect it still is on the whole. I also suspect when walking around a dense urban centre that the handsets of other people nearby (in combination) also provide more RF than the base station.
In locations where there is a poorer signal, personal RF exposure is likely to be higher, as the handset transmits at a higher power level to be "heard" by the base station far away.
Counter-intuitively, this means where people successfully campaign to remove a mobile mast in order to reduce RF exposure, people's RF exposure can actually increase in a halo region around where the mast was, though decrease closer to where the mast was.
For people who really want to reduce ambient mobile RF exposure, they need to campaign for all people in their neighbourhood to turn off their handsets (and for the remaining people who don't to not use all the freed up bandwidth). That's a tough thing to achieve though.
Indeed, the thing trying to reach a 2km distant tower 50cm from your head is a bit more powerful than the signal coming from 2km away trying to reach your phone.
Your comment seems intuitively entirely backwards. You think the tiny battery powered device in your bedroom is producing more EMF than the hundred foot tower hardwired to the grid actively sending the same exact type of data to thousands of devices in every direction beyond every wall that surrounds you?
If you're asking about ability then yes: a grid-connected tower will both be able to produce stronger radio waves and last much longer (indefinitely versus some battery), but that's not legal, not what they do in practice, and wouldn't make sense: if the tower is so much stronger, then only your phone would be able to receive the tower. The tower wouldn't hear your phone's reply if the phone were significantly weaker. Since both generally want the maximum possible range, they'll transmit as much as regulations allow. A tower might have bigger and more sensitive antennae, but not so much that the transmissions are significantly different in power output. Both are safe to be nearby, but in case of long phone calls with the cell phone at your literal ear, your brain does heat up a measurable amount (if you have the right equipment), or so I've heard.
To confirm this "both sides need to be roughly equally strong to hear each other" story, do a 30-second search online, or for a practical example you could look at the dBm (decibel-milliwatt) values your WiFi devices output (the access point versus the stations; it's not the same as cellular but in the case of WiFi both are under your control so you might be able to observe both values).
Well that’s sorta uncalled for. When at home I always have airplane mode on. Battery use and radiation reduced. WiFi calling works perfectly on T-Mobile/Mint Mobile
I'm not sure there's any science to back up the vague "radiation" concern. Unless you live in the middle of nowhere, you are awash in EM radiation. I don't think there's any reason to believe that turning off the cellular antenna on your phone while being bathed in all manner of other RF signals is likely to have any heath effects whatsoever.
It would really depend on the specifics. I was somewhat surprised to learn that my girlfriend sleeps with her phone under her pillow. That's pretty close to your head, for a fairly large portion of each day. That said, I was more concerned about battery malfunctions / fires.
EDIT> Inverse square law. Presumably those other emitters aren't right by your head.
https://gs.statcounter.com/os-version-market-share/android
https://source.android.com/devices/tech/config/tristate-perm...
https://mullvad.net/en/