patrick.net

clambo says

I was looking at Ubuntu touch which can run on my Pixel.

Ubuntu is less privacy focused than they used to be. Started when they introduced their new app store, wanna say it's called Unity back in lts16 I believe.

Hircus says

2FA is becoming popular, especially for those who work in tech companies, and they seem to want their employees to use their personal phones to either install the 2FA app, or to receive text messages. A 2nd dummy device can work well for this use case too.

For this I signed up for 1Password using an email not associated to me. Works well, and if my employer removes that option, will insist they send me a fob.

WineHorror1 says

Is there any truth to a new Tesla phone coming out? It is supposed to be 100% private.

I would trust Tesla anything as much as Windows anything. Musk is a wolf in sheeps clothing, and possible the first AI human due to his neural net implants.

Could anyone explain what 2FA is please?

Simplest explanation, it's bullshit. A lazy man's excuse for not making a good password.

Longer explanation, it's a second authentication method meant to verify only you have access to that site/account/data. First method is your password, second can be a text, push notification, or randomly generated code sent to your fob or password manager.

But if you use a password manager to create unique passwords of 20+ characters for every account you have, that is WAY better security than any secondary authentication.

My opinion, and I think there's a strong case, is dual auth/2fa was created to track us. 99% of people who use 2FA do it from a personal cellphone.

2FA = Two Factor Authentication.

NuttBoxer says

But if you use a password manager to create unique passwords of 20+ characters for every account you have, that is WAY better security than any secondary authentication.

I dont see how one could backup such an argument. 2FA clearly offers meaningful security benefits that you cannot get by just making your password stronger. Whatever strong password you use, will always be improved upon by adding 2FA to it.

A strong password ONLY defends against attackers who try to guess your password. It does nothing to prevent them from copying your password. 2FA adds strong protection against both. 2FA defends against a different category of attacks that using only a strong password cannot help with. It's a fact.

Here's an example: a strong password is easily copied and successfully reused by an attacker some minutes/hours/days in the future. If the account had 2FA enabled, the attacker could not succeed merely by copying attacks, because they cannot copy a 2FA token, because they're 1 time use and expire in a short period of time.

The typical setup where people use a laptop/desktop with a password manager program locally installed as their main computer / web browser benefits by using 2FA on a separate device. There's many cases where an attack / compromise may be made on the laptop, even if just temporarily, or partially, but the attackers ability to gain access to their online accounts is still not successful because they have not also compromised the separate 2FA device.

Even power users, like us software engineers, benefit from 2FA. There's so many attacks that a keen eye just cannot avoid, much less realize they have even occurred.

Using 2FA on a physically separate device is a significant security boost.

Ok, I understand what 2FA is now. I have a Stripe account for my business. Every time I log in, I get a text with a code which I then have to enter in order to complete the log in. How could a person defeat that? No one else has my phone.

Hircus says

It does nothing to prevent them from copying your password. 2FA adds strong protection against both. 2FA defends against a different category of attacks that using only a strong password cannot help with. It's a fact.

How will they copy my password? You're talking about a key logger? Or physically stealing my device? Neither of those would work since I copy my password from a password manager that's set to wipe it from clipboard five seconds after I copy it. My password manager password you say? I don't have one. USB key. And my laptop is encrypted. So unless they jack my laptop while I'm on it, and make sure to get my usb card, they won't have shit.

But what about 2FA, you think it's fullproof? Texts can't be intercepted? Apps can't be spoofed? Any good security expert will tell you another layer of complexity, poorly implemented is actually providing a bigger attack surface, not making you more secure. And if you're not using a password manager(offline preferably), I fucking guarantee your 2FA implementation will leave you exposed.

WineHorror1 says

How could a person defeat that? No one else has my phone.

You are aware cellphones get hacked just like any other computer right? Texts are not a secure method of communication. You are now dependent on Stripe, AND your mobile carrier to keep things patched and up to date.

Also, most hacking is social, or contains huge social components. Years ago I was able to get concert tickets sent to a new email just by calling ticketmaster, without providing any proof I had purchased them, or owned the existing email.

NuttBoxer says

How will they copy my password? You're talking about a key logger? Or physically stealing my device? Neither of those would work since I copy my password from a password manager that's set to wipe it from clipboard five seconds after I copy it. My password manager password you say? I don't have one. USB key. And my laptop is encrypted. So unless they jack my laptop while I'm on it, and make sure to get my usb card, they won't have shit.

Sounds like you put some good effort and thought into it, and have a good setup that reduces the number of attack vectors. But your password can still be copied, and 2FA would help in many of those scenarios. Exploits have existed in the past, and will exist in the future for your OS, browser, extensions, and other software. Every bit of software is a potential vector. Sometimes they allow an attacker root access, but more often they dont - they allow some limited access that lets them read or write a file, or trigger an action, and they get clever and combine things to manipulate other software on the system to do their dirt for them. This is the magic of additional security layers - it makes it more difficult for someone w/ non root to do these things, and often still helps even when they get root. Additional security layers are the safety net for when something goes wrong, and things do go wrong.

Even if the copying doesn't occur on your computer, it can happen in transit, or on the remote server.

Anyway, I don't think were really talking about you specifically, are we? Were talking about users and 2FA in general.

NuttBoxer says

2FA, you think it's fullproof?

I never said that, nor did I imply it. I always used relative improvement terms like "security boost".

NuttBoxer says

Any good security expert will tell you another layer of complexity, poorly implemented is actually providing a bigger attac...

Ya, poorly implemented. I would bet BIG BUCKS that the vast majority of users of the vast majority of 2FA implementations significantly enhance security. And I bet security experts would bet with me, not against me on that.



NuttBoxer says

I fucking guarantee your 2FA implementation will leave you exposed.

How? The benefit of using 2FA is they need both the password and the 2FA token. Exploiting 2FA alone buys you nothing.

Hircus says

Ya, poorly implemented. I would bet BIG BUCKS that the vast majority of users of the vast majority of 2FA implementations significantly enhance security. And I bet security experts would bet with me, not against me on that.

When I used to post on reddit in the subs concerning privacy/security, I usually got support for my outlook on 2FA being BS. 2FA users are unlikely to use a password manager, because they will think as you say, that the additional prompt will protect them, and thus they are more likely to-reuse passwords, or use shitty passwords. And that exposes them to more security risk than if they simply used good passwords, and NEVER re-used them.

Hircus says

Exploiting 2FA alone buys you nothing.

Session hijacking? XSS? I don't need your password, I just need to access your account once and I can change it. Worse, if I steal your mobile device(more likely since you probably take it everywhere), I now have access to all your 2FA codes. I simply go to your sites, click the forgot password link, and easily gain access.

And you haven't addressed the HUGE loss of privacy 2FA entails. I don't see enough advantages over the method I've proposed that would ever justify giving up my privacy/freedom.

https://notthebee.com/article/oh-canada-canadian-government-admits-they-secretly-tracked-87-of-canadians-cellphones-without-consent-during-the-covid-19-pandemic?source=patrick.net

Oh, Canada! Canuck Government Admits It Secretly Tracked 33 MILLION Cellphones Without Consent Due to Covid, Representing 87% of The Population 👀

https://notthebee.com/article/bombshell-new-documents-show-that-the-cdc-tracked-millions-of-phones-to-see-if-americans-obeyed-lockdown-orders?source=patrick.net

CDC Tracked Millions of Phones to See If Americans Followed COVID Lockdown Orders
Newly released documents showed the CDC planned to use phone location data to monitor schools and churches, and wanted to use the data for many non-COVID-19 purposes too.
WWW.VICE.COM

https://www.vice.com/en/article/m7vymn/cdc-tracked-phones-location-data-curfews?source=patrick.net

2FA is bullshit, it's about getting mobile phone numbers (or at least emails) from PC users, and passwords to match with the phone from Phone Users.

They push it way to hard for it to be otherwise.

AmericanKulak says

2FA is bullshit, it's about getting mobile phone numbers (or at least emails) from PC users, and passwords to match with the phone from Phone Users.

Woah, good point. I had not considered it, but it makes sense.

https://reclaimthenet.org/cdc-caught-purchasing-cell-phone-tracking-data/?source=patrick.net

Patrick says

AmericanKulak says

2FA is bullshit, it's about getting mobile phone numbers (or at least emails) from PC users, and passwords to match with the phone from Phone Users.

Woah, good point. I had not considered it, but it makes sense.

They're also pushing people to apps instead of the Website. I don't put financial shit on my phone, period.

Apps are definitely evil.

If they don't want to spy on you then a web page is perfectly fine.

With the push for global digital ID's, regardless of what they are labeled, not sure how more people are not seeing 2FA for what it is, an early form of global ID. 2FA requires you tie your personal cellphone(in almost all cases), to an account. What do we know about cellphones? They track you, they record you, they listen to you. And they export reams of data about you back to the cellphone company, OS company, and app companies. And now you've joined that to additional data points at your work, where you spend the majority of your life.

An ankle monitor isn't this good.

https://armysurpluswarehouse.com/vintage-kellogg-switchboard-supply-co-5812-mx-wall-phone-box-army-signal-corp/?source=patrick.net

https://notthebee.com/article/have-a-laugh-with-this-commercial-for-the-nokia-brick-made-in-the-style-of-an-overwrought-iphone-advertisement

NuttBoxer says

Hircus says

Exploiting 2FA alone buys you nothing.

Session hijacking? XSS? I don't need your password, I just need to access your account once and I can change it. Worse, if I steal your mobile device(more likely since you probably take it everywhere), I now have access to all your 2FA codes. I simply go to your sites, click the

forgot password

link, and easily gain access.

Ok, I interpreted what you said differently. I thought you meant that the usage of 2FA would introduce a new vulnerability in itself, allowing one to defeat 2fa, guaranteed to cause a security problem. What you meant was that 2FA would not solve all possible security problems, which it obviously cant.

NuttBoxer says

And you haven't addressed the HUGE loss of privacy 2FA entails. I don't see enough advantages over the method I've proposed that would ever justify giving up my privacy/freedom.

I don't need to address this. This, like so many of your "counter arguments" are just strawmen. Advancing / debating things I never said to make it sound like youre right and I'm wrong. This all started when you made the claim that 2fa has zero security benefits/applications, which is just so blatantly false. Whether or not you or other people wish to use it is an entirely different discussion. The use of anything always has pros and cons, and I never said that I think you or others need 2fa or anything like that.

For the record though, I don't disagree with your point about 2fa being a privacy issue. I think its a great point actually, and I can think of plenty of other issues with it, as I'm sure you have.

DooDahMan says

Hackers can break into your iPhone even when it's switched off. Cybersecurity researchers have discovered a way to run malware on Apple's iPhones, even when the device is switched off.

I always hated how they prevented removal of the battery. Preventing users from physical control, even if their original intention was for planned obsolescence for moar profit, and not big brother shit, but removal of control seems to lead to malicious shit later.

I suppose even with a removable battery, they could have added an extra internal battery like a desktop CMOS battery to accomplish this, but people would question that much more - why add an extra battery for the scenario when a user wants the battery removed?

This is why hardware switches on some of these new privacy phones is such a win. Well, assuming there's not some way to subvert the switch via software...

DooDahMan says

For instance, upon user-initiated shutdown, the iPhone remains locatable via the Find My network.

Bullshit: I switched my phone off and all I could get from the Find My app on another device was my phone's last location.

https://reclaimthenet.org/russia-fines-threema-app-for-not-collecting-user-data/

June 28, 2022
Russia fines Threema app for not collecting user data
Fined under "anti-terror" laws.
By Ken Macon

A court in Moscow fined Switzerland based messenger service Threema for refusing to comply with the Russian “anti-terror” law.

Threema competes with Telegram and Signal.

Threema was found guilty of non-compliance with rules under the anti-terror law. The law requires tech companies to store data, such as calls, messages, emails, photos, and videos, on their servers for at least six months, and allow the government access to that data if requested.

Speaking to German news outlet Welt am Sonntag, a spokesperson for Threema said that Russian authorities “apparently launched an investigation in March 2022 probably to make an example.”

“Of course, under no circumstances will we hand over any data to Russian authorities,” Threema added, arguing it is governed by Swiss law, which does not allow the transfer of user data to other countries, much less authoritarian countries like Russia.

The company will also not pay the fine.

https://reclaimthenet.org/eu-vehicles-to-have-a-surveillance-based-speed-limiter/

July 4, 2022
From this week, all new vehicles in the EU with have to have a surveillance-based speed limiter
GPS is the most common method.

Tracking and surveillance tech is finding its use in yet another segment of public life in the West – road traffic. ...

For the moment, they are “opt-in,” since drivers can still turn them off. But, the plan is to remove this option completely.

Your car is also spying on you.

https://summit.news/2022/07/05/from-tomorrow-all-new-vehicles-in-the-eu-will-have-surveillance-black-boxes/

You always have the choice to buy used. I'm also pretty sure that unlike cellphones, you have the freedom to identify and remove tracking SW and HW if you own the vehicle.

Patrick says

https://summit.news/2022/07/05/from-tomorrow-all-new-vehicles-in-the-eu-will-have-surveillance-black-boxes/

I thought about this a few days ago when watching a high speed chase - soon they will start pushing to give the govt a button to turn off any car. A series of very deadly high speed chases will all magically occur within 1 week, and it will be the week before some elite group meets to "discuss things". They will run over little girls so they can guilt trip people into "hating children" if you dare not support "the button".

https://instapundit.com/529918/

US carriers want to bring ‘screen zero’ lock screen ads to smartphones.

https://reclaimthenet.org/rcmp-used-smartphone-malware-to-spy-on-targets/

July 8, 2022
Royal Canadian Mounted Police used smartphone malware to spy on targets
A breach of rules.

Members of the Royal Canadian Mounted Police (RCMP) have been using malware in their investigations since 2018 that can secretly turn phones and laptops into full-fledged spying devices, with the news, and some, but not all details about the program only just emerging now.

Traditionally unwilling to “share” what types of surveillance technology it uses unless it has to, mostly pressed during inquiries, this time once again the public is becoming aware of the facts a full four years after the software was first deployed.

https://reclaimthenet.org/tim-hortons-privacy-settlement/

July 30, 2022
Tim Hortons offers customers a free coffee and baked item in settlement for spying on people
The company's invasive tracking was revealed this year.

As settlement in class action lawsuits, Canadian coffee giant Tim Hortons will offer a free hot beverage and a baked good as an apology for tracking the location of users of its app. The app tracked users when they left or entered a Tim Hortons competitor such as Starbucks, their home or workplace, and more.

In June, regulators said that the data collection was in violation of the law.

“Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance.

No one should ever install any app. Anything an app does can also be done by a web page these days. The only reason the want you to install an app is to do exactly this kind of spying on your every movement.

https://notthebee.com/article/amazon-just-bought-roomba-which-means-the-company-will-soon-have-an-extremely-valuable-map-of-your-entire-home

Amazon just bought Roomba, which means if you have one Amazon will soon have an extremely valuable map of the inside of your home

I was working for an AI company that gave moving quotes by having users video the inside of their homes. They were also working on spacial recognition for a insurance offering.

https://unherd.com/2021/06/big-techs-threat-to-democracy/

The Sleep Number Bed is typical of smart home devices, as Harvard business school Professor Shoshana Zuboff describes in The Age of Surveillance Capitalism. It comes with an app, of course, which you’ll need to install to get the full benefits. Benefits for whom? Well, to know that you would need to spend some time with the 16-page privacy policy that comes with the bed. There you’ll read about third-party sharing, analytics partners, targeted advertising, and much else. Meanwhile, the User Agreement specifies that the company can share or exploit your personal information even “after you deactivate or cancel … your Sleep Number account.” You are unilaterally informed that the firm does not honor “Do Not Track” notifications. By the way, the bed also transmits the audio signals in your bedroom. (I am not making this up.)

A bed which spies on you.

Patrick says

No one should ever install any app. Anything an app does can also be done by a web page these days. The only reason the want you to install an app is to do exactly this kind of spying on your every movement.

Yeah, no webpage ever tracks your every move. Websites never install Google scripts to track and market to you across different sites.

Plus, I think there are still plenty of APIs accessible via code on the iPhone that are not accessible from html and javascript. The speed is massively different as well.

Apps from the iPhone web store are authenticated, so you know who to sue. Plus, Apps have a history there and can also be terminated very quickly if something is discovered. Apps (like websites) are pretty well sandboxed these days. You can control which apps have access to photos, addressbook, gps, camera, microphone, etc.

Google's store and sideloading on either platform... well, you're on your own.

https://spectatorworld.com/topic/chinese-tyranny-american-surveillance-is-scary-too/

SunnyvaleCA says

Yeah, no webpage ever tracks your every move. Websites never install Google scripts to track and market to you across different sites.

Have you not heard of Brave or Tor? But really, it sounds like you aren't familiar with the lack of control most smartphones allow their users, which prevents you from blocking tracking. Plus cellphones ping off a tower.

SunnyvaleCA says

Plus, I think there are still plenty of APIs accessible via code on the iPhone that are not accessible from html and javascript. The speed is massively different as well.

Might have more to do with their internal DNS servers that they attempt to force ALL traffic over, giving up even more data.

SunnyvaleCA says

You can control which apps have access to photos, addressbook, gps, camera, microphone, etc.

Except for the ones that block you from exercising any controls, and the ones that ignore your selections, and collect the data anyway. On a laptop you can add HW shut-offs not available on most cellphones.
Right before the scamdemic, google installed a "health" app that I am unable to remove, or clear data from. That's never happened on my laptop or headless servers.

https://www.unplugged.com/upphone

https://babylonbee.com/news/new-breakthrough-treatment-for-depression-just-hammer-you-smash-with-your-phone

NEW YORK, NY — Pfizer has announced the launch of a new breakthrough treatment for depression, Thorovil, a pharmaceutical that consists of a heavy metal head mounted at a right angle at the end of a handle. Patients prescribed Thorovil can use the object to smash their cell phones into tiny pieces, instantly curing all depression.

"We found that when patients smashed their smartphones into tiny bits with a claw hammer, 100% of them saw an immediate and lasting decrease in depression symptoms," said Pfizer researcher Fritz Von Schlegelsteinhausen. "We don't yet understand the connection between smashing your phone and being instantly cured of depression, but you can't argue with those results."

Thorovil has already been authorized by the FDA and has been approved for all ages. It's currently available with a doctor's prescription for only $12,000 per unit from Pfizer or $12 at the local hardware store.

"This is a giant leap forward in the field of mental health, and medicine more broadly," said Dean of Harvard Medical School George Q. Daley, MD, PhD. "We're not sure why none of us thought of this before."