
Every time I log into Fedi, I see another post with a guide called something like "Activist's Guide to Smartphones" or "Phone Security Guide for Protesters," and every single one of these assumes that the threat model is the kind of police force that exists under liberal democracy where the law will afford significant protections to protesters. The world is changing, and these guides not only fail to address the threat of an actively hostile fascistic anti-democratic occupying force (I refer here to the police), but such guides generally are limited to "what" and "how" but miss the more critical "why."

If you believe that you are facing fascism (or even something close to it), can I please please please convince you to read something written by anarchists who have faced serious repression and are trying to convey just how much phones can lead to the imprisonment of you and your friends for even things that are allegedly "legal."

opsec.riotmedicine.net/downloa

Tariq

@hakan_geijer

I'm not an expert but I've always thought things like consumer VPNs, password management software and anti-virus software as increasing your risk, not decreasing it.

The central point is they aggregate your information into the hands of one agent, an agent you don't know - making it easier for them, or those that attack them, to get at your data.

This is a question - I'd welcome comments.

@rzeta0 This always comes down to "what's your threat model." For most people, a cloud-based password manager is the best solution. I use an offline one I manually sync between devices. Pen and paper can be your password manager, but unless you're super human, most people can't come up with sufficiently random and different passwords for their hundreds of sites they have to log in to. I don't use anti-virus, but I also use Linux so it's a slightly different model there too. VPNs protect against a narrow set of threats and for those they are useful. When people treat VPNs like Tor, they're gonna have a bad time.

@hakan_geijer

Thanks for taking the time to reply. I have two follow-on questions if you or anyone else has the patience to reply.

1. All your passwords in one online service means adversaries (e.g. the state) have only one place to get your passwords. Perhaps this comes down to threat model as you say.

2. Isn't Tor a massive honeypot? It emerged from the US military. If it truly is as effective as people say it is, then it would already be banned, surely?

@rzeta0

> All your passwords in one online service means adversaries (eg the state) have only one place to get your passwords.

Yes, but a well-designed service will not be able to turn it over. For example, 1Password and BitWarden (don't trust LastPass, fuck 'em for their repeated bad security) claim that they cannot hand this data over to cops.

1password.com/legal/law-enforc

bitwarden.com/help/bitwarden-s

The cloud is just a relay to sync things effectively. There's a lot of trust yes, but trust always ends somewhere. For most people and most activists even, this is acceptable. I think the pool of those who need security above what a cloud service can offer is growing because of increasing repression, but it's still a fine solution for many.

> Isn't Tor a massive honeypot?

No. It's open source and too many anarchists and libertarians and just plain cryptography nerds can analyze the code and assert that it's not backdoored. Go to the right places and you can meet devs and relay operators yourselves.

> If it truly is as effective as people say it is, then it would already be banned, surely?

Plenty of things that are effective aren't banned, like even basic e2e encryption for chat. Plus the State still benefits from it working as advertised as it undermines other governments and gives dissidents a means of communication and anti-censorship.


@hakan_geijer @rzeta0 one thing I’ve been thinking about a lot, pen and paper might actually be a lot less secure when a significant threat is house searches by cops and stuff like that, since you can’t really encrypt it. (But also, paper can’t be hacked, paper doesn’t track your location and stuff)

@enby_of_the_apocalypse @rzeta0 sure, but for most people that's not the threat they face. Like one of our parents using that is better than having two passwords they share everywhere.

@rzeta0 @hakan_geijer Specifically password managers are there to improve the entropy of your passwords and gain insights on when a password was leaked (through haveibeenpwned or similar) automatically. If (and that’s a big if) you manage to create good, long, unique passwords and very regularly check such services… you may as well not use one.

Concerning the attack on password managers: You don’t upload your passwords anywhere, but an encrypted blob. Any cryptographic encryption is indistinguishable from random data – you could’ve literally uploaded a random.zip with random bytes to GDrive and it would give the Feds as much knowledge about your passwords as your password manager.

The good thing about them is that they are local first software. Everything crucial already happens on your device: En-/Decryption, deduplication, generation of passwords etc. It’s much easier for feds to just demand the services you are registered at to give them access to your data too.
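A small model of the "local first, encrypted blob in the cloud" point above, as an added illustration (not code from 1Password, Bitwarden, or anyone in this thread). It generates a password with the OS CSPRNG, derives a key from a master password with scrypt, seals the vault on the device, and lets a simulated sync service hold only the sealed bytes. The cipher is a stand-in: encrypt-then-MAC built from HMAC-SHA256 in counter mode, chosen only because it runs with the Python standard library; real managers use AES-GCM or XChaCha20-Poly1305. The sample vault contents and the printable-byte randomness check are constructed for this example.

```python
"""Local-first vault model: only an authenticated, encrypted blob ever leaves the device."""
import hashlib
import hmac
import json
import math
import os
import secrets
import string
from typing import Optional, Tuple

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 24) -> str:
    """Uniformly random password drawn from ALPHABET with the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password with scrypt; split into encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 as a PRF over (nonce || counter)."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def seal_vault(master_password: str, vault: dict) -> bytes:
    """Encrypt and authenticate on the device: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> Optional[dict]:
    """Decrypt on the device; None if the tag fails (wrong password or tampered blob)."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def looks_random(blob: bytes) -> bool:
    """Crude sanity check (constructed for this example): random bytes are ~37%
    printable ASCII, a JSON vault is ~100%. Not a substitute for real analysis."""
    printable = sum(1 for b in blob if 32 <= b <= 126)
    return printable / len(blob) < 0.6


def sync_roundtrip(master_password: str, vault: dict) -> dict:
    """Device -> cloud relay -> second device; reports what each party can see."""
    cloud = {}  # the sync service holds only this
    cloud["vault.bin"] = seal_vault(master_password, vault)
    return {
        "server_sees_plaintext": b"example.org" in cloud["vault.bin"],
        "server_blob_looks_random": looks_random(cloud["vault.bin"]),
        "second_device_decrypts": open_vault(master_password, cloud["vault.bin"]) == vault,
        "wrong_password_fails": open_vault(master_password + "x", cloud["vault.bin"]) is None,
    }


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated {len(pw)}-char password, ~{entropy_bits(len(pw)):.0f} bits of entropy")
    print(sync_roundtrip("correct horse battery staple", {"example.org": pw}))
```

The point the thread makes falls out of `sync_roundtrip`: the relay never sees a site name or password, the blob has no structure to inspect, and a wrong master password fails the tag check instead of yielding garbage. Everything that touches secrets (key derivation, encryption, password generation) runs on the device, so the place to attack such a design is the device or the master password, not the sync service.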

@ljrk @hakan_geijer

Thanks - that is helpful, especially the part about uploading encrypted data.

So what remains is the risk of the app on your local device being compromised or backdoored - a much smaller risk, I guess -

so it goes back to "what's the threat model" again.

@rzeta0 @hakan_geijer Gladly!

Of course backdooring your device always is an option, but smartphones have great app integrity protection and will refuse to run apps with invalid signatures. It’s quite hard to remotely bring up a forged version of your password manager and make it run. It’s probably much easier to attack you elsewhere and get the passwords in-flight or anywhere else.

For phone security, run GrapheneOS on a modern Pixel or at least iOS with Lockdown and Advanced Protection enabled.

@ljrk @hakan_geijer

Isn't it more likely that the app provider themselves will release "official updates" with the backdoors ... as a result of direction from the state?

I seem to recall some infosec work I did ages ago and we were very alive to the fact that a day-1 device is not the same as an updated day-2 device.

@ljrk @hakan_geijer

I would love to use GrapheneOS just to get rid of the commercial-grade ads/tracking and generally lower resource consumption ... but sadly I'm told banking apps don't run.