Conversation

Notices

1. Embed this notice
   Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 04:02:02 JST Håkan Geijer

   Every time I log into Fedi, I see another post with a guide called something like "Activist's Guide to Smartphones" or "Phone Security Guide for Protesters," and every single one of these assumes that the threat model is the kind of police force that exists under liberal democracy where legal protections will afford significant protections. The world is changing, and these guides not only fail to address the threat of an actively hostile fascistic anti-democratic occupying force (I refer here to the police), but such guides generally are limited to "what" and "how" but not miss the more critical "why."

   If you believe that you are facing fascism (or even something close to it), can I please please please convince you to read something written by anarchists who have faced serious repression and are trying to convey just how much phones can lead to the imprisonment of you and your friends for even things that are allegedly "legal."

   https://opsec.riotmedicine.net/downloads#mobile-phone-security

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 04:05:22 JST Håkan Geijer

     in reply to

     Overwhelmingly these guides seem to come from InfoSec or civil liberties focused individuals, groups, or NGOs, but bloody hell, the danger they face tends to pale in comparison to what radicals face, and the level of concern they have is likely far lower than it should be. Watching across the pond at this advice circulating, all I can think is that such liberal notions of rights are security are going to get activists killed or imprisoned for life.

     (not that my advice is perfect. always get a second source. compare what we/i have written to these liberal guides, and diligently study where and how they diverge.)

   • Embed this notice
     Jimmy Havok (jhavok@mastodon.social)'s status on Sunday, 26-Jan-2025 05:10:35 JST Jimmy Havok

     in reply to

     @hakan_geijer Buy a road atlas to travel to demonstrations instead of using your phone to navigate.

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 05:10:35 JST Håkan Geijer

     in reply to

     • Jimmy Havok

     @jhavok Many modern cars have mobile capabilities, and automatic license plate readers capture and incredible amount of data.

     https://www.securityweek.com/eff-issues-new-warning-after-discovery-of-automated-license-plate-reader-vulnerabilities/

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 06:27:11 JST Håkan Geijer

     in reply to

     • Qybat

     @Qybat Why do you think something like Debian or Qubes is significantly different than something like LineageOS or GrapheneOS? (ignoring macOS, Windows, and stock Android for now)

   • Embed this notice
     Qybat (qybat@batchats.net)'s status on Sunday, 26-Jan-2025 06:27:12 JST Qybat

     in reply to

     @hakan_geijer I know enough tech to say that there is one fundamental rule of avoiding surveillance on your phone: Don't. There are too many different ways it can be compromised, if you are a person of sufficient importance that someone in government actually cares to try. If you want secure communications, the first rule is to get a Real Computer which runs a software environment you and you alone can control.

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 06:40:08 JST Håkan Geijer

     in reply to

     • Hard Left News

     @hardleft That may be true, but we still have tried to characterized what the profiles look like and why. Many are still accurate for most of Europe which is my primary audience.

   • Embed this notice
     Hard Left News (hardleft@mastodon.social)'s status on Sunday, 26-Jan-2025 06:40:09 JST Hard Left News

     in reply to

     @hakan_geijer and with the techbroligarchy showing their true colors, a lot of these lower risk profile options are outdated. Most important are the tools of assessing risks & staying disciplined. We're not going to get press releases telling us when to be more careful.

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 08:02:51 JST Håkan Geijer

     in reply to

     • Tariq

     @rzeta0 This always comes down to "what's your threat model." For most people, a cloud-based password manager is the best solution. I use an offline one I manually sync between devices. Pen and paper can be your password manager, but unless you're super human, most people can't come up with sufficiently random and different passwords for their hundreds of sites they have to log in to. I don't use anti-virus, but I also use Linux so it's a slightly different model there too. VPNs protect against a narrow set of threats and for those they are useful. When people treat VPNs like Tor, they're gonna have a bad time.

   • Embed this notice
     Tariq (rzeta0@mastodon.social)'s status on Sunday, 26-Jan-2025 08:02:52 JST Tariq

     in reply to

     @hakan_geijer

     I'm not an expert but I've always thought things like consumer VPNs, password management software and anti-virus software as increasing your risk, not decreasing it.

     The central point is they aggregate your information into the hands of one agent, and agent you don't know - making it easier for them, or those that attack them to get at your data.

     This is a question - I'd welcome comments.

   • Embed this notice
     Chris Real (_chris_real@kolektiva.social)'s status on Sunday, 26-Jan-2025 08:32:22 JST Chris Real

     in reply to

     @hakan_geijer

     Nothing said on surveilled social media is meaningful. The more bold and defying, the more subject to corruption and coopting.

     The revolution will not be televised. Or elevated by the status quo. Or given the win by the referee.

     And the pundits will bicker with the winners. Because that's their bread and butter.

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 08:39:31 JST Håkan Geijer

     in reply to

     • Tariq

     @rzeta0

     > All your passwords in one online service means adversaries (eg the state) have only one place to get your passwords.

     Yes, but a well-designed service will not be able to turn it over. For example, 1Password and BitWarden (don't trust LastPass, fuck 'em for their repeated bad security) claim that they cannot hand this data over to cops.

     https://1password.com/legal/law-enforcement

     https://bitwarden.com/help/bitwarden-security-white-paper/

     The cloud is just a relay to sync things effectively. There's a lot of trust yes, but trust always ends somewhere. For most people and most activists even, this is acceptable. I think the pool of those who need security above what a cloud service can offer is growing because of increasing repression, but it's still a fine solution for many.

     > Isn't Tor a massive honeypot?

     No. It's open source and too many anarchists and libertarians and just plain cryptography nerds can analyze the code and assert that it's not backdoored. Go to the right places and you can meet devs and relay operators yourselves.

     > If it truly is as effective as people say it is, then it would already be banned already, surely?

     Plenty of things that are effective aren't banned, like even basic e2e encryption for chat. Plus the State still benefits from it working as advertised as it undermines other governments and gives dissidents a means of communication and anti-censorship.

   • Embed this notice
     Tariq (rzeta0@mastodon.social)'s status on Sunday, 26-Jan-2025 08:39:32 JST Tariq

     in reply to

     @hakan_geijer

     Thanks for taking the time to reply. I have two follow on questions if you or anyone else has the patience to reply.

     1. All your passwords in one online service means adversaries (eg the state) have only one place to get your passwords. Perhaps this comes down to threat model as you say

     2. Isn't Tor a massive honeypot? It emerged from the US military. If it truly is as effective as people say it is, then it would already be banned already, surely?

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 08:47:19 JST Håkan Geijer

     in reply to

     • Chris Real

     @_chris_real

     > Nothing said on surveilled social media is meaningful.

     Social media is real life. We're real people talking to each other. We might both right now understand the limits to what we can say without attracting attention, but that doesn't mean that we can't exchange ideas.

     > The revolution will not be televised.

     That phrase doesn't mean what most people think it does.

     https://www.youtube.com/watch?v=kZvWt29OG0s

   • Embed this notice
     Chris Real (_chris_real@kolektiva.social)'s status on Sunday, 26-Jan-2025 10:30:08 JST Chris Real

     in reply to

     @hakan_geijer

     "Real life" means actions that have consequences.

     Opinions on social media are the result of moderators, who monetize the drama of conflict.

     Nahhh . . . it's play-acting without consequences. "Social media is reality" is a selling-point for advertisers. Actions have consequences, not content in a medium controlled by algorithms.

   • Embed this notice
     undead enby of the apocalypse (enby_of_the_apocalypse@kolektiva.social)'s status on Sunday, 26-Jan-2025 13:00:16 JST undead enby of the apocalypse

     in reply to

     • Tariq

     @hakan_geijer @rzeta0 one thing I’ve been thinking about a lot, pen and paper might actually be a lot less secure when a significant threat is house searches by cops and stuff like that, since you can’t really encrypt it. (But also, paper can’t be hacked, paper doesn’t track your location and stuff)

   • Embed this notice
     undead enby of the apocalypse (enby_of_the_apocalypse@kolektiva.social)'s status on Sunday, 26-Jan-2025 13:04:02 JST undead enby of the apocalypse

     in reply to

     • Tariq

     @hakan_geijer @rzeta0 what about keepassxc?

   • Embed this notice
     Ozzie D, NP-hard :bikepump: :vegan: (ozdreaming@infosec.exchange)'s status on Sunday, 26-Jan-2025 16:24:12 JST Ozzie D, NP-hard :bikepump: :vegan:

     in reply to

     • MrTHF
     • Soatok

     @MrTHF SimpleX had a security design review last year (https://github.com/simplex-chat/simplex-chat/blob/stable/docs/SimpleX_Design_Review_2024_Summary_Report_12_08_2024.pdf), although I don't know if it addresses your concerns. And if you haven't already read them, @soatok looked at several messaging apps that get promoted as signal competitors:
     https://soatok.blog/encrypted-messaging-apps/
     (They're probably qualified to answer your questions if you wanted to hire them, but I don't know if they're taking clients.)

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 16:24:12 JST Håkan Geijer

     in reply to

     • Ozzie D, NP-hard :bikepump: :vegan:
     • MrTHF
     • Soatok

     @ozdreaming @MrTHF @soatok I am not a cryptographer so the best I can do is parrot what actual experts say.

   • Embed this notice
     MrTHF (mrthf@ohai.social)'s status on Sunday, 26-Jan-2025 16:24:14 JST MrTHF

     in reply to

     @hakan_geijer I've read the entire English text & I wanted to consult some things

     Are you or do know someone qualified to check & compare decentralizable msg softwares like Matrix & SimpleX? I'm more interested in knowing the validity of "post quantum encryption" claims from SimpleX +possible backdoors, but I'm not tech savy

     Orbot & Riseup VPN would still be a good fit in a threat model that could include them?

     Not for comms, but are Tuta pqe and privacy claims also reliable, unlike Proton?

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 16:25:40 JST Håkan Geijer

     in reply to

     • undead enby of the apocalypse
     • Tariq

     @enby_of_the_apocalypse @rzeta0 sure but for most people that's not through threat they face. Like one of our parents using that is better than having two passwords they share everywhere.

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 16:28:31 JST Håkan Geijer

     in reply to

     • undead enby of the apocalypse
     • Tariq

     @enby_of_the_apocalypse @rzeta0 it's what I use and I do manual syncs between devices

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Sunday, 26-Jan-2025 16:29:42 JST Håkan Geijer

     • Nils Skirnir

     @nilsskirnir why do you believe signal is suspect?

   • Embed this notice
     Håkan Geijer (hakan_geijer@kolektiva.social)'s status on Saturday, 08-Mar-2025 04:06:49 JST Håkan Geijer

     in reply to

     • The Sleight Doctor 🃏

     @ApostateEnglishman Can you describe what specific threat it is would be addressing? I feel like this is covered by the distinction between demo and burner phones

   • Embed this notice
     The Sleight Doctor 🃏 (apostateenglishman@mastodon.world)'s status on Saturday, 08-Mar-2025 04:06:50 JST The Sleight Doctor 🃏

     in reply to

     @hakan_geijer This a great guide, however, it's worth mentioning that if you're going to some protest or direct action, it's a good idea to buy an unregistered SIM and take a decoy handset with location settings turned off and a VPN turned on.

     You don't have to be a cybersecurity expert to just not use your everyday comms tech. Way easier and probably safer.