Problem is first party tracking. Blocking is just against third parties. For first party tracking you are just going to have to use Tor Browser.
I learned about Cloudflare MITM quickly because when you use Tor Browser you will see how many websites use Cloudflare, because you can't access all those sites. So I did a little research about this problem with Cloudflare and found out how serious and huge a problem it is.
Why do you think it's a low risk? And even if it was a low 0.1% risk, the consequence is your entire digital life compromised and at the attacker's mercy.
I actually had someone who pretended to be a friend do this to me before when I used to be naive and didn't think about this stuff. I think the risk is decent if you go to tech or crypto events or really anywhere there is money there is going to be black hat hackers looking for a naive victim. And it's not too difficult to be a black hat hacker with all the open source hacking tools available. And most people have 0 security, not even disk encryption.
The more you announce yourself as a target the higher the risk. And if you are putting a lot of effort into securing your computer that will make all kinds of adversaries very curious about what you are "hiding" even though you aren't actually hiding anything, you just want privacy which is a human right. But this will make all those adversaries try to gather info on you and look for a way "in" just because you are standing out from everyone by having so much digital security and privacy.
That doesn't delete your data. Now they have the right to keep it forever for their "legitimate" reasons to protect them from a user who breaks their ToS. All you accomplish is give up the little rights you have.
Corporations could actually do this anyway because there are so many vague rules in ToS and they can bend them however they want and without any user knowing you could all be flagged as malicious users just so they have "legitimate" reason to do lots of nasty things with your data such as sharing them with networks who work together to prevent "malicious" users and "russian troll farms" etc. The whole system is rigged and just an illusion of protections for consumers/people.
Lost in the rabbit hole of understanding tamper proof firmware
Let's try to keep this topic around a basic-intermediate level when you try to explain things.
What I mean in the most simple words is a way for me to know if my laptop or any of the accessories such as charger, mouse, keyboard, camera, mic, etc, have been tampered with while I left them in my hotel room while I went out on some tourist attractions.
Adversary could be a local gang with hackers hired as hotel maid, or the adversary could be a corrupt/over reaching authority/intel who thinks citizens and tourists shouldn't have privacy and if they put a lot of effort into privacy then that means they are extremists and must mean they have something to hide.
I know of 3 ways to check for tampering:
- AEM or Trenchboot or Heads.
- Glitter nail polish.
- A device which monitors your room for intrusion.
If there is proof of tampering then the solution is to destroy the hardware and throw it in the trash because it's practically impossible to remove with 100% certainty any tampering that was done. Better to buy new hardware.
Now to elaborate on each of the 3 ways...
1. Trenchboot is better than AEM or at least it will become better when it supports TPM 2. The plan is for it to replace AEM completely. So to make this simpler we can keep this discussion about Trenchboot vs Heads and leave out AEM.
TPM 2 is good and something we should want depending on how important this method of tamper proof is. Because TPM 1.2 is old and weak encryption.
But I've read so many arguments about Trenchboot vs Heads, it's very difficult to understand everything and requires very deep and advanced knowledge and I just don't know, maybe I just have to keep on reading and learning until I eventually begin to understand more of it.
Glitter nail polish is supposed to make it practically impossible to open up the laptop (removing screws) to access the ROM chip and any other hardware. That makes this method of tamper proof perfect and simple and works on all laptops. But there are vulnerabilities:
USB is not protected by glitter nail polish. And if any malware compromises your system it could flash the ROM.
I don't think the malware is much of a threat if we are using QubesOS because it's too unlikely for the malware to escape the Qube, it would mean a 0-day vulnerability in Xen hypervisor.
But an adversary could easily use a bad USB when they have physical access to the computer and glitter nail polish doesn't detect that. I guess that this is why nail polish isn't sufficient on its own and why we need also either Trenchboot or Heads.
One downside of Heads is that it's Static Root of Trust for Measurement (SRTM) which means it only checks for tampering when you boot the computer. But I think if the only threat is a bad usb attack because glitter nail polish protects against everything else that can tamper with the hardware, then this Heads downside of being SRTM doesn't matter.
This could be an app on the smart phone which uses the sensors to check for sound, movement and light changes, vibrations. Or it could be a more professional device as a surveillance camera or motion detector.
This way of tamper proof solves all problems if you assume that someone entering the room means that the hardware has been tampered with. But unfortunately this is not a good assumption to make if you are traveling or sharing accommodation. There are plenty of dumb people who would enter your room even if you told them not to even if they have no malicious intentions and are not an adversary. That means this method would give a lot of false alarms.
But if you are using video surveillance then you would know exactly what they did while in your room and you can clearly see if they even touched your hardware. So, with video surveillance you maybe don't need Trenchboot or Heads and glitter nail polish.
Another reason to have this tamper method is in case they put any camera in your room to watch what you're doing or watch you enter passwords. If you have for example a motion detector giving an alarm, you can spend some time looking for hidden cameras. There are cameras that are good for this, I think they are called infrared cameras, they can find the heat which a hidden camera would give.
Summary: You probably want all 3 methods because they complement each other's weaknesses. Question remains regarding Trenchboot vs Heads. In the scenario I've explained here I suspect Heads is a better choice but I am mostly guessing. Maybe I'm not as lost in this rabbit hole as I feel like I am. I hope the more advanced and experienced people can give some comments and help.
Another point I almost forgot to make: This whole scenario is meant to be practical, a realistic lifestyle. For example, it's not realistic for most people to be able to bring all their hardware with them everywhere they go such as work. It also makes you a big target to be robbed if they get a hint of how much valuable equipment you have in your backpack. So this means we are leaving the hardware at home which could be a hotel room or a shared accommodation.
Also last point which I forgot to make as well: The accessories need to be tamper proof as well. I don't know if Trenchboot or Heads is capable of doing that, such as if they replace the charger or something. Maybe the only way to protect against this is one of two ways:
- Bring the accessories with you but leave the computer at "home". This isn't great though because you might not be able to keep your eyes on your backpack at all times.
- Have a box filled with lentils which you put the accessories inside when you leave your room. Then you can take before and after picture and compare them to see if the lentils have moved around or not. This would mean we actually have to use 4 methods to keep all hardware tamper proof. It's not so fun to have to pack all accessories into a lentils box every time you leave your room, and check pics of both glitter nail polish and lentils. It's a lot of work but maybe that's the only way?
It's normal but people don't like it. Just ask the people you know if they are ok with all the mass surveillance, they don't like it. But it's just too difficult for them to do anything about it. They don't like this "small beginner steps" approach to privacy. They want complete privacy without effort or nothing at all and they don't want to pay for it. It's laughable and sad but that's my experience talking about privacy with people. But the point here I guess is that mass surveillance has been forced on us all. They create a new wonderful technology with lots of use cases but then they also add in some mass surveillance on it as well as a bonus.
You think I'm intentionally spreading misinformation and I think you are a fed. I won't argue more against you but anyone fair and objective can see that the mistake I made was a simple mistake to make. Feds have as a fact been spying on our push notifications in secret and I thought that included Signal's push notifications. Simple mistake which I already admitted to being wrong about. You are making this into a bigger deal than it has to be because you are a fed.
You also are intentionally lying (because you are a fed) about that being the only thing the topic is about. For example, if someone is using Signal on Windows OS then I think there's a high chance the conversation isn't private. But I think you already know all this but you pretend not to.
Privacy is about making effort to protect it. With your logic you should just use Google Chrome browser and be signed in to Google because it makes an easier experience. Then install Alexa in your home and make it a smart home, it also makes life easier.
The Whonix docs are very good to learn about this stuff.
Do you think it's better to use a VPN if you aren't using TOR Browser?
Good suggestion about analyzing network packets. I don't know anything about how to do that except there are tools like Wireshark which can help but I still have no knowledge on doing that. And I think you would need to make a script to monitor it for you because it would probably only (talking theoretically now) phone home very quickly on rare occasions, it wouldn't be continuous. So your script would have to be able to detect these short and rare anomalies. I don't know anything about how to do any of this though but I will add it to my todo list down the road.
Another problem is you might need to get the NSA's attention first and make yourself a target. You also need to make sure there is no other way for them to spy on you, so they are left with only using Intel ME as their last resort.
So because I don't know anything about analyzing network packets I can't say if you're right but it does seem convincing. And it would be great for security in general as well, not only for investigating Intel ME. I will definitely learn more about this later.
I think a big part of it comes down to what threats are there in theory and what threats are there actually. The problem is that the theoretical threats are possible, they're not unrealistic and that's why it doesn't feel good to not be protected against the theoretical threats but we maybe need to try and accept they are too unlikely to be active threats. Trying to protect from theoretical threats is kind of like trying to protect your house from having an airplane fall down from the sky into your house. Or maybe this is just me trying to cope.
And how do we know what threats are theoretical vs active threats? Just have to keep learning and learning, it takes a long time. Talking in privacy and security communities can help speed up the learning.
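The monitoring script described in the post above about short, rare phone-home traffic could look like the following added example (not part of the original posts). It assumes flow records were captured on a separate gateway and exported as CSV; the sample log, field layout, thresholds and function names are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow log (not real traffic): epoch,dst_ip,dst_port,bytes,duration_s
# All addresses are from the reserved documentation ranges.
SAMPLE_FLOWS = """\
1700000000,192.0.2.10,443,48211,12.4
1700000300,192.0.2.10,443,51902,10.9
1700003600,198.51.100.7,993,9120,30.2
1700007200,192.0.2.10,443,47100,11.7
1700090000,192.0.2.10,443,50333,12.0
1700093600,198.51.100.7,993,8800,29.5
1700100000,203.0.113.66,8443,412,0.3
1700180000,192.0.2.10,443,49870,11.1
1700260000,203.0.113.66,8443,398,0.2
1700270000,198.51.100.7,993,9050,31.0
"""

BASELINE_END = 1700086400  # flows before this epoch are treated as known history


def parse_flows(text):
    """Yield (epoch, (dst_ip, dst_port), bytes, duration) tuples from CSV text."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed lines instead of crashing a long-running monitor
        ts, ip, port, size, dur = row
        yield int(ts), (ip, int(port)), int(size), float(dur)


def find_rare_short_flows(text, baseline_end=BASELINE_END,
                          max_count=3, max_duration=1.0, max_bytes=2048):
    """Return destinations unseen in the baseline whose flows are few, brief and small."""
    baseline = set()
    later = defaultdict(list)
    for ts, dest, size, dur in parse_flows(text):
        if ts < baseline_end:
            baseline.add(dest)
        else:
            later[dest].append((ts, size, dur))
    alerts = []
    for dest, flows in later.items():
        if dest in baseline or len(flows) > max_count:
            continue  # known destination, or too chatty to count as a rare event
        if all(d <= max_duration and b <= max_bytes for _, b, d in flows):
            alerts.append({"dest": dest, "count": len(flows),
                           "first_seen": min(t for t, _, _ in flows),
                           "total_bytes": sum(b for _, b, _ in flows)})
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in find_rare_short_flows(SAMPLE_FLOWS):
        print(alert)
```

A longer baseline window lowers false alarms from destinations that are legitimate but only contacted occasionally, such as update servers.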
Yeah, I did use words that express feelings in this topic I created and it was intentional because when people have to deal with something that involves uncertainty or something so advanced they don't understand it entirely then they can become uncomfortable and scared even though maybe there isn't something to be scared about or maybe the fear is justified.
My post was intended to be a discussion starter so we can dig into this, get to the truth and help everyone including myself to understand everything better.
"Spreading misinformation" is a phrase mostly used by feds when they see something they consider to be "wrong think" or not "politically correct". They use this anti-misinformation campaign to support their censorship and mass surveillance system.
When discussing advanced IT topics it would be more appropriate to just correct someone and say they are wrong because it's easy to get a detail wrong in advanced IT topics.
And I am mostly right, I just seem to have been wrong on the detail about Signal push notifications. I admit that I made a mistake on that but otherwise it is official that Apple and Google at least used to share push notification data with governments. This comes from the DOJ senator Wyden saying these corporations can secretly share this data with governments and can include the unencrypted text which is displayed in the notification.
I think this discussion has been very constructive because when we can correct each other and learn that is great.
It was revealed when the feds admitted they had spied on Tucker's Signal messages about planning to interview Putin. You can do some searching on that to find the news sources. You can get more in-depth info on it then.
How good do you feel about your privacy using apps such as Signal?
Convincing people to use apps such as Signal is hard work and most can't be convinced. But with those you manage to convince, do you feel happy to talk to them on Signal?
The problem is these people use Signal on Android/iOS which can't be trusted and iOS has recently been in the news for having a backdoor. And it has also been revealed that American feds are able to read everyone's push notifications and they do this as mass surveillance.
So not only do you have to convince people to use Signal which is an incredibly difficult challenge. You also have to convince them to go into settings to disable message and sender being included in the push notifications. And then there's the big question of whether the Android and iOS operating systems are doing mass surveillance anyway. And many people find it takes a lot of effort to type on the phone so they install Signal on the computer which is a Mac or Windows OS.
So I don't think I feel comfortable sending messages in Signal but it's better than WhatsApp.
These were some thoughts to get the discussion started and set the context.
Why not is the question and that comes down to guessing. Sheep do what they are told so don't need to guess much there. Those who are not sheep have to go through a long journey to gradually keep increasing their privacy and unlearn the sheep habits we've been conditioned to have.
The end goal is to throw away your phone because you can do everything on your computer instead including buying a phone number, using voip and take and make calls. Phones are unnecessary spy devices used by sheep.
You can buy phone numbers online for cents for one time verification purposes or even rent the number for long term if you need. It's better to use these anonymous cheap throwaway numbers if you want privacy instead of your real phone number for everything.
I don't have experience with that yet. Are you talking about a Pi-hole? Can you give a little idea on how to make such firewall rules? Because I want to have a laptop with many VMs or Qubes and each VM has different firewall rules. An email qube would only allow connection to the email server. Maybe one of the safe browsing VMs would only allow connections to the websites I typically visit. The unsafe VM maybe to everything except for known bad IPs/domains.
And NSA and other potential adversaries most likely have access to at least one domain that isn't blocked by firewall.
NSA is infamous for illegal and unconstitutional mass surveillance.
How big a threat do you think Intel ME is in reality, not in theory?
When it comes to Intel Management Engine, I actually think it's not a threat if you neutralize it. I mean to just set the HAP bit on it. Because if that isn't enough then that means all computers in the world which use Intel CPU can be accessed by NSA but if NSA had this much power then it seems obvious that they aren't using it and why wouldn't they use it?
There's a GitHub project to neutralize/disable Intel ME: https://github.com/corna/me_cleaner Disable is overwriting Intel ME as much as possible with zeros, leaving only a little remaining to be able to boot the computer. The newer the Intel chips are, the less likely it is to be able to disable it. But all chip sets can be neutralized which means to set the HAP bit which is an official feature. In theory we can't actually trust the HAP bit to really disable Intel ME permanently. It's more like asking Intel to do what they have promised because it's proprietary. But I think it really does permanently disable it because otherwise NSA would be abusing this power.
That's why I think the newer laptop models are better because it's probably not necessary to disable, it's enough to just neutralize with the HAP bit. And with a newer modern laptop they can have open source Embedded Controller firmware which is better than proprietary Embedded Controller firmware.
I'm interested to hear what you think as well.
They are very cheap, only $1 for 10 aliases and then $0.1/month for any additional aliases. But can't pay with Monero.
Can I open an account with Tor Browser and pay with Monero without having to give any info like a secondary email or phone number?