Secure Computing for Journalists (cryptographyengineering.com)
179 points by _pius on March 5, 2017 | 143 comments



A few weeks ago a bunch of us on Slack tried to put together a brief for journalists on why they should prefer iPhones. It's still a work in progress, as you'll see, but here's a draft:

https://gist.github.com/anonymous/9f789aabd7e8681dec0cf5781a...


A few requests/suggestions for similar guides and comparisons:

* As mentioned by codelitt, a guide for securing Android phones and recommended Android devices, especially at lower price points.

* Thoughts on Windows vs Linux vs MacOS from a security perspective.

* For people who are only comfortable using Windows, recommendations to lock down devices.

* (Already existing) Don't use commercial VPNs. Use Algo https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...

* Explain the Tor browser situation and why it's a bad idea to use the Tor browser bundle.

* Recommendations for anonymity from an opsec POV.

* Recommendations on how to cross borders with minimal privacy intrusions. There's lots of bs advice floating around.

If there are existing posts about any of the above, please link them in a comment below.


> Explain the Tor browser situation and why it's a bad idea to use the Tor browser bundle.

Well this is news to me. Can you explain why it is bad?



My only qualm with recommending iPhone only is it doesn't take into account other countries where it's unaffordable for a journalist to own one. I know a group of journalists in Venezuela for whom an iPhone is simply far too expensive. Import controls in many countries make it this way. I know another group in another country where the exchange rate and low wages make even a $50/year VPN unaffordable.

Would be great to see some good guides that take into account the challenges that others outside of the states will face. Perhaps these guides may not have that audience in mind though. Maybe if these guides had a link to a good guide for securing your Android device the best you can, it would help those who are financially constrained.


I appreciate this sentiment but I think that requires a specialized document since it'd be focusing on general encryption and data protection tools.

My limited understanding of the Android ecosystem is also that the fragmentation makes it very difficult to have a comprehensive guide for Android, since what is applicable on device A may not be applicable for device B, whereas with iOS, "turn on these settings" is applicable across the entire ecosystem.

I think it's just the difficulty of having a comprehensive and simple reference document for Android, regardless of cost. The same regional difficulties even for specific device recommendations makes such a comparable document difficult, as not all phones are easily purchasable in all regions.

So it's definitely something that needs attention, but the low-cost-secure doc may be more difficult than it seems at first blush.


Why would someone whose threat model includes the US government possibly want to trust a totally closed OS made by a US company?? Do you still not see the US government as a threat to journalists? If not, how do you justify this position?


There are clueful people who disagree about Android vs. iOS for security (they're a minority, to be sure). But at this point: people who express shock, surprise, or outrage that security people are recommending iOS are demonstrating cluelessness.

The clueful people who argue in favor of Android start not by saying "you can't trust anything that isn't open source" (that would be especially silly if you're arguing for Google's Android phones, which are the only trustworthy phones), but by acknowledging the consensus that iOS is more secure and then challenging it.

On this thread alone, you've:

* Suggested that reverse engineering is a kind of arms race between the NSA and the "good guys", which it is not.

* Suggested that Tor is inextricable from Tor Browser.

* Complained about the suggestion that you might learn how reverse engineering works, because you're just a software developer.

I'm sorry, but comments like the one upthread I'm replying to are indistinguishable from trolling to me. I know that's a bit of an aggro thing to say. But: do you honestly believe that the people who write advice like Matt Green in the story we're commenting on, or in the brief we're commenting on here, don't understand what open source is?


Please keep the personal attacks away from this forum. There is no place for them here.

EDIT > "I'm sorry, but comments the one upthread I'm replying to are indistinguishable from trolling to me. I know that's a bit of an aggro thing to say."

If that's not a personal attack, I don't know what is.

Oh, and would you have time to address any of my questions? (In terms other than iOS vs. Android?)


Wow just wow.


1) Apple has shown substantial backbone in fighting against the US government when pressed to exploit a phone.

2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.

3) Either device will have a totally closed baseband chip.

4) Deploying and maintaining a secure Linux environment on a laptop is a full-time job that requires expertise journalists don't have.

5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.


>2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.

All iPhones are made in China by a Chinese company.


What are the options for someone who wants a fully trusted supply chain? Is there a modern smartphone made with provably secure hardware (and which I can verify is actually running that hardware and not some behave-alike SOC)?

From my somewhat-naive perspective, it seems like the alternative is an Android phone made in China by a Chinese company, which seems not obviously superior.


They are made by Foxconn, which is a Taiwanese company.


Does that make it meaningfully better?


Hum...

> 1) Apple has shown substantial backbone in fighting against the US government when pressed to exploit a phone.

And the phone was exploited anyway. The only thing that was established is that Apple must not be forced to help.

> 2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.

That makes both alike.

> 3) Either device will have a totally closed baseband chip.

This is the one the iPhone got right. On the iPhones, it is insulated by a closed interface.

> 4) Deploying and maintaining secure Linux environment on a Laptop is a full time job that requires expertise journalists don't have.

Ditto for Android, iOS, Windows, OS/2, AIX, GNU/Hurd... And anything else you may think about.

> 5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.

Open source is a necessary condition for securing against any targeted attack. It's just far from sufficient. Also, pre-compiled binaries can help you.

Anyway, both platforms are pretty much closed.


No, open source is not a necessary condition for security. But we agree that it's insufficient, which is progress.


> 5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.

With a very salutary trend toward reproducible builds, which will help prove a connection between the source and binaries. (Though it's taking years to get there.)


> Why would someone who's threat model includes the US government possibly want to trust a totally closed OS made by a US company?? Do you still not see the US government as a threat to journalists? If not how do you justify this position?

Let's be honest, if your adversary is the US government, I suspect that there is no electronic equipment you can use.

Most journalists, however, are more in fear of their lives or communications when outside the US. For that, an iPhone is provably a much better choice.


> Most journalists, however, are more in fear of their lives or communications when outside the US.

I've upvoted you because of the first sentence but the second one leaves me a bit puzzled. There are plenty of places where the threat level against journalists is equivalent to the US and quite a few where it is actually less.

In fact, the current 'head-of-state' of the United States is on the record for saying the press is the enemy of his administration.


> There are plenty of places where the threat level against journalists is equivalent to the US and quite a few where it is actually less.

While your point is well taken, I haven't seen any US administration execute a journalist for quite a while.

Russia and China don't have quite so much restraint. And most of the petty dictatorships and theocracies make Russia and China look perfectly reasonable.

The fact that the US is not a bastion of moral rectitude does not automatically grant moral equivalence to bad or worse actors.

I am perfectly capable of condemning the actions of the US government and working to make it better even while acknowledging that it is better than most and worse than some.

"But he does it, too!" is not a valid argument for justification. But neither is it a valid reason to refrain from reasoned comparison.


> For that, an iPhone is provably a much better choice.

Where can I get some citations for this?


The FBI / iPhone controversy shows that US government access to those devices is clearly limited to certain agencies.

This is increasingly important as it's now really obvious that the different agencies have different politics and may end up investigating each other to see who's been compromised to the Russians.

(also, you have to pick something: telling a journalist not to use a phone is a total non-starter)


I wonder if the FBI/iPhone event was a psychological operation to make everyone think the Fed couldn't get into an iPhone.


At the end of the day, the FBI has to win cases in court. What are they going to do with this elaborately orchestrated secret? "Your honour, everyone thought we could not extract evidence from an iPhone but... Psych! We totally can!"


What you described is Standard Operating Procedure for the FBI, DEA, and intelligence services if the method is too good to give up. What they do in those situations is try to come up with alternative methods that can justify how they obtained the information. That process is called parallel construction. The FBI and local departments have even been intentionally losing cases to avoid light being shed on some of their tools, esp. stingrays.

Not saying it's happening here. Just reminding you they do this.


I understand that but my point is that the FBI is not like an intelligence service - fundamentally, their endgame takes place in the public sphere and under public scrutiny. Yes, they have legal means at their disposal to protect their methods and sources. The operative term being 'legal'. They can't lie to a federal judge to try to compel Apple to help them do something they can already do. If they did, and it came out (which it certainly would), it would be at a massive political shitstorm with fired directors and congressional investigations as an absolute minimum. It would make their actual job a zillion times harder to do. It's just not in their interest at all.


"They can't lie to a federal judge to try to compel Apple to help them do something they can already do. "

You must have missed the whole Snowden leaks where they were all lying to Congress, courts, and so on. As far as the FBI, here's what they say: "That pertains to highly classified matters of national security. I'm afraid I can't discuss that here." (Keep repeating.)

They've also been lying about their counterterrorism cases. That one exposé showed they're paying undercovers $100,000 or so to convince harmless people to try something. Even financing, equipping, and training them. They sell it in court as them stopping what was already going on. Despite one informant recording them, nobody leading the FBI is fired or doing time. Deception is business as usual.


This manages to be both condescending and to avoid engaging what I'm saying in any substantive way. Good place to stop.


You said they don't lie about their capabilities in courts. Snowden leaks showed they partnered with the NSA on backdooring US companies' crypto while lying in court about how they could do nothing about crypto. Esp. in the Apple case. It is a good time to modify your claims to fit that data or quit.


specific case -> 'Snowden leaks' -> NSA ->? is not really an argument, it's rhetoric. I don't have to modify my claims in the face of the apparent impossibility to pin yours down to anything specific.


You still on this? The Snowden leaks revealed the FBI lied about tons of things they could do. So did the NSA. Piles of them. If you need specifics, start with "Core Secrets" by The Intercept as it includes the slides saying the FBI "compelled" companies to "SIGINT-enable" their products/networks. Which means forced backdoors through secret means.

So, in courts, FBI said that targets using encryption by U.S. companies was impossible to do anything about. They needed expanded powers under things such as All Writs Act to get at the information in such devices. In secret, they were backdooring U.S. companies' products with NSA. They and the DEA were getting actionable information from those programs that they had to hide from courts under a process called parallel construction. They had to create a second trail of evidence that made it look like they found the person another way. Then, get the conviction through that second trail of evidence. The FBI was also willing to dismiss cases any time its claims were tested in court presumably because the claims were lies and methods unconstitutional.

So, the Snowden leaks, the San Bernardino case, and activity around things such as Stingrays show the FBI will lie to courts to achieve political or legal ends. They'll even sacrifice their own court cases to protect their illegal methods. So, your claim that they won't lie in court or that the court has some power over their corrupt activities is false. They consistently mislead everyone they can about both encryption and backdoors. They even exit courts when caught without any criminal penalties whatsoever. James Comey is in fact still free and directing the FBI despite being caught in tons of lies from Congress to courts to media.

FBI will lie about these topics in court. They've done it consistently for over a decade now and nobody there has been imprisoned for it. QED.


Well, part of their job is a national police force where the endgame takes place in the public sphere.

The FBI does also have a significant counter-intelligence function where the endgame is often "foreign diplomat declared persona non grata".


This detail does not support 'FBI lies to federal judiciary in psyop to mislead everyone about their iPhone-cracking capabilities' in any meaningful way.


Well, no. That's a bit of a silly position.


I agree that's a silly scenario. That didn't stop it from being their exact position in San Bernardino. They were using it to prop up the All Writs Act as a tool to force any telecom to provide backdoors or exploits for them. They wanted it as a precedent. It would make their job so much easier. They bullshitted the courts saying they needed Apple's help, Apple resisted well, they backed off, and then they suddenly could crack it anyway. Tada!


If I were to bet, it was the other way around. They said they got into it when they actually couldn't.


Unlikely. First, we know what they paid for the hack, and secondly, the iPhone involved was an old model without a secure enclave; multiple researchers suggested different attacks.


Smartphones shouldn't be trusted in such a scenario. Many journalists will use them anyway. In that scenario, Apple is probably better since they're not a surveillance company and it's harder to load malware.


So a journalist should use a dumbphone, where every text and call is transmitted in the clear, and the contents of the address book is stored unencrypted, rather than buy an iPhone and leave it at home when attending sensitive meetings?


The policy of most domestic TLAs is to watch for encrypted calls. Those targeting journalists will likely have the journalist's main number in their system. Disposable, dumb phones on both sides are safer. Although the NSA can detect that, I haven't heard that many others do, or easily.

Typical advice applies, too. Keep batteries out. Drive away from normal location to somewhere with plenty of people in cell radius but off camera. Batteries in, make call. Prearranged times or periods.


Who could possibly do their job like that?


Lots of executives and lay people that value privacy. I've met many. In this scenario, the journalist really just needs to be able to receive the call. The need for the OPSEC is mostly on the person leaking stories. They can do less if they don't mind consequences, though.


The difference is that the dumb phone can be thrown away and replaced; not many people can afford to use iPhones as burners.


If your threat model includes an adversarial nation-state that is known to engage in passive mass surveillance, using burner phones while transmitting all communication unencrypted is a terrible idea.


But the OP doesn't go around saying one branch of smartphones is the best of a bad bunch; he goes around saying that they are good. How does he know? Is he better at reverse engineering than everyone at the NSA put together? (And that's not even taking into account all the potential wrench-attack targets at a large US company.)


This doesn't even make sense. "Better reverse engineer than the NSA"? What would that mean here?


It means: on what basis can you stand and say to people whose lives may be at risk that you trust Apple's press releases?

Please don't respond with the strawman you keep using of iPhone vs. Android. I am not arguing that Android is more secure. I am saying that taking either to meet an at-risk source is bad. Your advice on this forum will contribute to journalists feeling comfortable doing this.


Non sequitur.


So we should just trust you?


I want to preface this with an apology, because I don't think there's a way to say this without sounding cliquish. For that, I apologize in advance, but because your account appears to be relatively new, I feel like this is somewhat necessary. If this account is a re-roll of a previous one, then I doubly apologize.

Things you probably don't know (whether based on account age or admissions within this thread):

* tptacek has been an exceedingly active member of this forum for many, many years

* tptacek has been giving us all free security advice for as long as I can recall

* tptacek has founded at least two successful companies primarily dealing with security

* tptacek has, in the past, given much advice that I've considered questionable at the time, but which has proven to be right to me after I've learned enough to realize my errors

And because that all sounds very much like an appeal to authority, I apologize again, but here's the thing -- the comments he made that you object to, and consider to be trolling? They're spot on. I'm not saying that you should believe him because he has a history of making believable claims. What I am saying is that you should believe him because he's far more versed on the subject at hand than you are, and that's by your own admissions within this thread.

It's worth taking a step back here and asking yourself how well you actually know the things you think you know in regards to this thread. I am honestly not savvy enough on mobile security anywhere near capably enough to suggest that he's right and that you're wrong, so please don't assume that's what I'm doing here -- but many of the people you're arguing with in this thread are people who have the requisite bona fides to make their claims with confidence, and while you are boldly asserting the opposite, you acknowledge that this is not your field of expertise, and that you haven't bothered to learn reverse engineering.

Again, if this seems harsh, please know that it isn't intended to. Language is clumsy, and I'm not its best handler on the best of days, but while you might be 100% correct in every one of the claims you've made, the consensus seems to be otherwise, and you haven't done a good job of convincing me that you should be believed over someone who literally pays their bills through the dispensation of their subject matter expertise on this type of material.

Because of the fantastic community, it's obvious that HN is a great place to teach and to learn. Knowing which to do, and when, isn't always so obvious. Most of us have made that mistake at some time. Consider whether or not you may be making it now, or figure out how to better support your claims so as to teach more effectively, but cat-pawing at each other throughout the entire thread isn't doing anyone any favors.


Thanks, but I'm not even asking him to trust me in this particular subthread. The point he made, about the NSA having better reverse engineers than everyone else, really does seem to me to be a non-sequitur.

Reverse engineering isn't zero sum. The benefit you get from reverse-engineering a closed platform doesn't vanish when someone else reverse-engineers the platform, just like your ability to read open source code isn't damaged by NSA's ability to read it faster.


Please provide some references to back up any of your claims in this or other threads. By references I mean articles by other reputable researchers (preferably peer reviewed). Blog posts and summaries of your chat logs do not count. As you are a researcher this will not be hard (a quick search in your reference manager software should suffice) - or a link to one of your articles from which I can follow the citations.


It was more of a meta-comment for the whole thread to attempt to end the "nuh unh" "yeah huh" back and forth.

As I said, I don't know who's right and who's wrong, but the argument seemed to involve a lot of effort for being so unproductive.


I've been on here for years. I just don't tend to remember my passwords very well :).

I am very familiar with the OP's posts. I do not want this to become personal. If you re-read this thread (and others in this discussion) you might notice that.


Which phone do you use that's too secure for the NSA to hack?


A strong, domestic TLA should be assumed to hack or intercept all of them if companies are local. Then the game changes to the caller hiding their identity. Text-to-speech and burner phones can do that. However, messaging and email over WiFi on devices bought with cash hides voice, has better clarity, allows file transfers, and can still do voice as an attachment.


If Uber can figure out which burner phones are used by cops, global adversaries aren't going to have trouble with it.


Good for people I told to keep their burners off unless transmitting from semi-anonymous locations. That's their best privacy technique if they're non-technical.


And how well did they follow this advice? Would you know if they didn't turn their burner off, or even bother with a burner? "They didn't die in a prison camp, so they must have done things right"? Lay people who value privacy can fuck up their opsec pretty badly without noticing consequences. This is getting into tiger-repelling-rock territory, where it's no measure of one's stealth skills to hide when nobody's looking.


It boils down to two areas of trust: a computer that's potentially malicious against a nation-state with stuff like QUANTUM; their ability to go somewhere remote/crowded and make calls. I'm thinking lay people can do the latter because they have for ages. The latter also takes HUMINT to counter, which is a precious resource they can't throw at all the reporters simultaneously like electronic attacks.


Given that Apple spent a lot of money last year resisting USG efforts to decrypt their smartphones, it would seem they're an especially trustworthy steward.


Except the part where they immediately agreed to help the US Government, only to find that incompetence had made the problem much harder than it should have been. They then resisted having to do a large amount of unpaid labor to continue to help. Plus, a PRISM member.


> a PRISM member

To avoid confusion for any readers, you should clarify what this means: Apple has an automated process for serving data in response to any approved FISA court orders from the FBI.


It's not even clear that PRISM implies an automated process. It appears to just be the NSA's internal name for the process of using the FBI to request stored data from service providers.

And to make this clear: U.S. companies must comply with valid court orders. Being a "PRISM member" is not optional.


As people seem to think I am wrong, here's a source

http://www.latimes.com/business/la-fi-tn-apple-fbi-call-2016...


Thanks for doing this. As much as the conclusion may be unpalatable to me, I think that's where any honest evaluation will end up.

Worst case, this will make people with sensitive information and without technical expertise more secure. Best case, it will compel Google and Android device manufacturers to step up.


Please recommend Silent Circle's Blackphone. We need to promote phones that secure the second operating system in every phone (baseband radio processors). We need to encourage open source and security hardened by people dedicated to making it completely secure.

https://www.silentcircle.com/products-and-solutions/devices/


There is probably no better hardware and platform security team in the world than the one that works at Apple (and no software platform security team in the world better than the one employed by Google).

Pretty much the only thing Silent Circle has going for it is a commitment to open source. All else being equal, open source is better than closed source. But all else is nowhere close to equal in this case.

I recommend against Silent Circle's phone.


Can you put some citations in the final version? I'd love to read that.

EDIT: Rate limited :( so replying here. Any ideas on where one can get started with a literature review on this? There is so much misinformation and so many big egos in this field that it would be nice to know from an expert where to start.


No, we are unlikely to do that.


Thanks; the public needs more of this.


I have a security review for a news room coming up, and I plan on sharing this blog post with them. Thanks for writing it Matt! I'm definitely behind all of the points you made.

If anything, I worry that non-technical users will still not understand that desktop programs can do anything you can do with your computer even after reading your post. I'm not sure the description is "in your face" enough to translate for the intended audience. In their minds, "reading files" may be better expressed as "copy of every email I've ever sent" or "operate my webcam and grab nudes of me."


> I have a security review for a news room coming up, and I plan on sharing this blog post with them

Isn't there something more professional and accurate available? I fear there is not.


There are plenty of alternative sources I could list, but Matt's blog post is 1) accessible 2) correct 3) short. That's a winner in my book!


This piece is professional, accurate, and written in a way human beings can read.

I also recommend you show them the Teen Vogue article.


I've been trying to secure investigative journalists for about a year and a half, and this article kind of covers two of the points that I make on all of the security trainings. They usually go like this:

* Do not have work-related emails on your Android (unless it's Google-made). iOS (9+) is okay.

* Do not open random attachments on a Windows machine. (We always do our best to convince them to switch to a Ubuntu station with an AppArmor profile for LibreOffice set.)

This is a good start. I think this article would be even better if it included some phishing tips (like HTTPS doesn't automatically mean "secure", and if you're suddenly logged out of Google for no apparent reason, don't just log into the webpage displayed to you, but instead, open Google by typing the address bar manually and log in there).

Interesting side-note: Asshats spend days crafting phishing emails specifically targeted to our journalists, and they never get Google's postal address right in the footer.
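As an added illustration of the phishing tip in the comment above (this is example code written for this page, not code from the thread or from the trainer quoted): a Python check that flags the kind of lure described, a link whose visible text says accounts.google.com while its href goes somewhere else, plus any link whose host is not actually under the impersonated service's domain. The sample email body and the trusted-suffix list are constructed for illustration.

```python
"""Added example: flag phishing-style links in an HTML email body.

Two checks, matching the lure described above: the visible link text names one
host while the href points to another, and the href host is not a real host of
the service the message claims to come from. SAMPLE_EMAIL and TRUSTED_SUFFIXES
are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed legitimate domain suffixes for the impersonated service.
TRUSTED_SUFFIXES = ("google.com",)

# Constructed sample: the first link uses the real hostname as a prefix of an
# attacker-controlled domain; the second is a genuine link.
SAMPLE_EMAIL = """
<p>You have been signed out of your Google Account. Visit
<a href="http://accounts.google.com.security-check.example/login">accounts.google.com</a>
to sign in again.</p>
<p><a href="https://myaccount.google.com/">Manage your account</a></p>
"""

# Visible link text that looks like a URL or bare domain.
_DOMAINISH = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lowercase hostname of a URL or bare domain; '' if none."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def is_trusted(host):
    """True only for the suffix itself or a real subdomain of it, so a host
    like 'accounts.google.com.evil.example' does not pass."""
    return any(host == suf or host.endswith("." + suf) for suf in TRUSTED_SUFFIXES)


def find_suspicious_links(html):
    """Return [(href, text, [reasons])] for links that fail either check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if _DOMAINISH.match(text) and host_of(text) != target:
            reasons.append(f"visible text names {host_of(text)} but link goes to {target}")
        if not is_trusted(target):
            reasons.append(f"{target} is not under {TRUSTED_SUFFIXES}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href!r} shown as {text!r}: {'; '.join(reasons)}")
```

The suffix test deliberately requires a leading dot, which is what defeats the common "real-hostname-as-prefix" trick; a plain substring check on "google.com" would pass the lure.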


I'm not sure I understand how switching someone from Windows+Office to Ubuntu+LibreOffice is a security win. LibreOffice is not an especially safe piece of software.


I hope I'm not saying anything wrong here, but from what I'm aware there are two major problems with MS Office that LibreOffice doesn't have:

* It doesn't have all that macro bundling stuff in normal documents that's the source of the whole macrovirus issue.

* It doesn't have any OLE-object-can-run-embedded-EXE-files-on-click-feature.

I'd say that's a huge win.


It takes seconds to turn macros off in Office, far less time than it takes to convert someone to LibreOffice. Meanwhile, straightforward fuzzing is still producing RCEs in LibreOffice.


I imagine AppArmor is configured to minimize the access that LibreOffice has to the rest of the system. Otherwise yeah, vanilla LO is probably not any better than MS Office.

VServer or similar could also work well but might be harder to configure correctly.


If 90+% of a journalist's job is to open documents from sources in an office program, what good does it do to cage exploits in to LibreOffice? Those exploits still get virtually all the data an attacker wants from the journalist.


The data still has to get out though. If LibreOffice doesn't have network access then that can't happen, at least not without an attack on some other systems as well. This protects against generic sort of "drive-by" attacks but if someone is being targeted then yeah, sandboxing the office suite isn't enough.


The AppArmor profile provided by Ubuntu/Distro is likely not going to be very restrictive.

Also modern versions of Office already run in a sandbox on Windows (AppContainer?) so how much are you really gaining?
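The two comments above hinge on a question that can be checked rather than guessed: does the AppArmor profile actually in place grant LibreOffice network access, and is it enforcing at all? Below is an added Python audit of a profile text, written for this page; it is not code from the thread and not Ubuntu's real profile. Both profile texts are constructed for illustration (Ubuntu's shipped profile is larger), the soffice.bin path is an assumption, and deny precedence is modelled only for a bare `deny network,` covering all socket families.

```python
"""Added example: audit an AppArmor profile for network access and enforcement.

The profile texts are constructed (the real Ubuntu LibreOffice profile lives in
/etc/apparmor.d and is larger); the soffice.bin path is assumed. Deny precedence
is modelled only for a bare 'deny network,' (all socket families).
"""
import re

# Constructed: a permissive profile in complain mode, so it logs but never blocks.
WEAK_PROFILE = """\
#include <tunables/global>

/usr/lib/libreoffice/program/soffice.bin flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # explicit socket grants
  network inet stream,
  network inet6 stream,

  owner @{HOME}/** rw,
}
"""

# Constructed: enforcing, every socket family denied, home access narrowed.
HARDENED_PROFILE = """\
#include <tunables/global>

/usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  deny network,

  owner @{HOME}/Documents/** rw,
  owner @{HOME}/.config/libreoffice/** rw,
}
"""

# Abstractions that themselves grant sockets (nameservice allows DNS lookups).
NETWORK_ABSTRACTIONS = {"abstractions/nameservice"}

_HEADER = re.compile(r"^\s*(?:profile\s+\S+\s+)?(\S+)\s*(?:flags=\(([^)]*)\))?\s*\{", re.M)
_NET_ALLOW = re.compile(r"^\s*(?:audit\s+)?network\b([^,]*),", re.M)
_NET_DENY = re.compile(r"^\s*(?:audit\s+)?deny\s+network\b([^,]*),", re.M)
_INCLUDE = re.compile(r"^\s*#?include\s+(?:if\s+exists\s+)?<([^>]+)>", re.M)


def _strip_comments(text):
    """Drop '# ...' comment lines but keep '#include' directives."""
    return re.sub(r"^\s*#(?!include\b).*$", "", text, flags=re.M)


def audit_profile(text):
    """Summarise what a profile allows; raises if no profile header is present."""
    text = _strip_comments(text)
    header = _HEADER.search(text)
    if not header:
        raise ValueError("no profile header found")
    flags = header.group(2) or ""
    allows = [("network" + a).strip() for a in _NET_ALLOW.findall(text)]
    denies = [("deny network" + d).strip() for d in _NET_DENY.findall(text)]
    net_includes = sorted(set(_INCLUDE.findall(text)) & NETWORK_ABSTRACTIONS)
    denies_all = "deny network" in denies
    return {
        "program": header.group(1),
        "enforcing": "complain" not in flags,
        "network_rules": allows,
        "network_includes": net_includes,
        "denies_all_network": denies_all,
        # deny rules win in AppArmor, so a bare 'deny network,' overrides grants
        "network_capable": bool(allows or net_includes) and not denies_all,
    }


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_profile(profile))
```

To audit a real machine, read the profile from /etc/apparmor.d/ and cross-check with `aa-status`, which reports whether each loaded profile is in enforce or complain mode; a profile in complain mode, like the weak sample, only logs what it would have blocked.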


This advice makes sense given the threat model. However, it might not make sense for someone in Edward Snowden's role. If I were a military agency with a big budget, I would backdoor the shit out of every phone, enforce cultures of secrecy inside companies like google, apple, facebook, intel, qualcomm, at&t, and off any executive that interfered with the mission. Then I would pay experts to spend their lives on internet forums asserting that devices with two cameras, two microphones, wifi that can function as radar, an unremovable battery, a closed-source operating system and root access only available to a major US corporation via ssh, are the most secure computing platforms in the universe. That's just me though, if I had a lot of money and lust for world domination, neither of which I possess :)

Edit: removed sentence "Most mobile devices have baseband chips with DMA"


No, iPhone basebands do not have direct memory access. This is a myth that will not die. The baseband on an iPhone (and on modern Android phones) is connected via a serial bus, as a peripheral. Both Google's and Apple's security teams consider the baseband an adversarial device. This has been true for many years, just as for many years people have been popping onto message boards to confidently inform us that basebands have direct access to memory.


> The baseband on ... on modern Android phones ... is connected via a serial bus, as a peripheral

Doesn't that depend on the manufacturer, or does Google somehow make that a requirement?


> This is a myth that will not die.

Linking to some sources would help, please.


I never used the word iPhone in my comment. Thanks for dropping the knowledge, though.


It would be a para-military agency.

{edit: And it would use a slush-fund}


But if a journalist is going to use a secure desktop Operating System, he/she/they should investigate the current trio of recommendations which are as follows, and have different threat models baked into each:

Subgraph. Currently in Alpha version, so be careful using this. Still has to be vetted by the wider infosec community, but worth downloading and playing around with.

TailsOS. Very useful for journalists, but since it heavily relies on Tor it can be tricky dealing with mixed-anonymity workflows where sometimes you just need a Windows environment (preferably an airgapped Windows sandbox you can use to code / play around with files using Windows freeware).

Qubes. Heavily reliant on compartmentalization, and this can sometimes prove too cumbersome if you typically do one type of activity on the web like chat / email / hang out on slack. Typically for when you need to insulate different activities from each other and to avoid contaminating different contextual environments / tasks.


I like Subgraph. I know a lot of people like Qubes (I have no opinions about it, but the people I know who like it are quite smart). I don't think I know anyone who recommends Tails.

But none of these are reasonable suggestions for journalists and activists. We're not talking about people who are running conspiracies and can organize their working lives around opsec. You can barely get these people to the point where they aren't blindly clicking on attachments (and the attachments they open need to open in office software that is compatible with their existing workflows). They're simply not going to use Linux on their desktops.

This is why security people like phones so much: they run secure operating systems that laypeople have accepted and can work with.


> that laypeople have accepted and can work with

There is the caveat that it's hard to get things done in a timely manner on phones, or even tablets/phablets. If I need to crank out a lengthy blogpost, then I need a full desktop environment where I can do cross referencing, wikipedia lookups, file selection, photo editing, and all the other things that a desktop affords. I have tried writing a blogpost on an iPad and it took up my whole day when it should have taken 2-3 hours.

I know people who have developed super-fast methods for working on iOS but they are such a rare creature, and I'm not so sure their workflow is even teachable enough to be widely adopted by journalists or professional bloggers. From my experience they're relying on all sorts of hacks to get a blogpost out the door like using some perfectly curated mix of apps, and being able to pass files to and from different apps with ease. Hardly the stuff of laypeople.


This is a great article but only really covers half the issue. The other half is why journalists should use secure messaging applications, and not email.

Sometimes the most successful attacks are phishing attacks that no device will protect against. As an example, it is rumored that John Podesta used an iPad.


Great point, but this sounds like a topic for another blog post. I'm so glad that FIDO U2F is starting to catch on. I keep a drawer full of keys at work and hand them out to all our office visitors. The next generation of Bluetooth, NFC, and software tokens are exciting and a bright spot for the security industry.


Use iOS with a privacy proxy they said...

http://www.falseconnect.com/

The first point being, software flaws and particularly those in low level networking libraries can expose secrets and the key I suppose as covered in the article is to ensure your OS is always up to date. The second point, and Dan covers it elsewhere in this thread, be very cautious about insecure hosted VPNs & you should really never trust proxies which some VPN providers are offering.


Yes, definitely always keep your OS up to date! Even in 2017, this is still a major advantage that iPhones have over Android phones. There will be bugs in any device, and iPhones have a better plan for dealing with them than Android phones. There is a vast amount of empirical data that shows patch adoption rates are far faster on iOS.

iOS patches are:

1) available, directly from the vendor

2) come with new features

3) required for certain apps

4) nag you

etc


"There is a vast amount of empirical data that shows patch adoption rates are far faster on iOS."

Is that still true for the Google reference models? The Pixel, Nexus and other reference devices tend to get updates in a much timelier fashion than, say, the Galaxies, Xperias, and Notes of the world, and because the reference models aren't laden with proprietary bloatware, they tend to work more reliably after upgrading as well.


A number of years ago I found a crypto flaw in a Samsung component they shipped on their Android phones. Due to carrier update delays it took nearly two years for all the patches to roll out. Apple on the other hand can go from notice to patch available in weeks.


Apple's not perfect about this stuff. Google and Apple both have strengths when it comes to systems security, including on mobile platforms.

The key advantage Apple has is vertical integration. Google has to coordinate with third party vendors to ensure that an OS patch reaches Android users. Apple can just flip a switch.


I wonder how helpful these sort of posts are for actual journalists or whistle blowers. It's one thing to tell a casual user to get an iphone as a reasonably secure choice compared to Android's fragmented mess, but for someone whose job and/or life is on the line, you need a more thorough coverage. You may even need like a mini course of sorts that covers basics of CS and infosec. Short of that, such cavalier advice can be misleading.


This was written as a response to a question from an actual journalist. It's quoted right at the top. What do you find 'cavalier' about it?


Because it fails to mention any downsides of running an ios based phone, and I'm sure that a balanced discussion would find many. Security is complex, and paraphrasing it this way may be fine as casual advice, but when you add "journalists" in the title of your post, it falls short.


It outlines many of the limits of the advice, describes a specific case in which an activist was targeted by multiple iOS zero days, etc. What are the downsides you think it omits and in what ways does Matthew Green misunderstand the complexities of security?


Not so much about misunderstanding as it is about omitting other details. For one, IOS is a completely closed box whereas AOSP is completely open. You can argue for or against security by obscurity v/s security in open software, but at the very least it needs a mention in any fair comparison. Secondly, most of the blog focuses on average case behaviour. In Apple's case the average, best and worst case are all the same since they make only one device and one OS. In contrast, android is a vast spectrum. Now if you were to give out advice to people with sensitive data, you should compare the best case for both of them, which he briefly does, but not quite as detailed as it warrants. For instance, is iphone necessarily better than a Pixel running AOSP or something like CopperheadOS? I'm not so sure. IOS's centralized behaviour also makes it an easier target in some ways. Want to attack all browsers on an iphone? Attack webkit. There are other security fails such as relying on either itunes or icloud for getting data in and out of the phone. Much fuss was made over Cloudflare's lack of a bug bounty program. Apple didn't have one either until quite recently.


I'll just take the bit with the highest inaccuracy density:

IOS is a completely closed box whereas AOSP is completely open. You can argue for or against security by obscurity v/s security in open software, but at the very least it needs a mention in any fair comparison.

This gets addressed by people working in security on every single HN thread, including this one. Assessments of the security of iOS are not dependent on its 'openness'. There is also nobody seriously arguing 'security by obscurity' vs 'open software'. That's not what 'security by obscurity' means nor does the security of iOS depend on 'obscurity'. None of this needs a mention in a 'fair comparison' because it's simply wrong.


IOS more secure than android? Joke ready. IOS is closed source. You can not tell whether Apple, the CIA, or the NSA are spying on you.


Open source doesn't mean it's secure either, and you have no proof that Google isn't doing the same via its Google Play Services on top of Android, nor do you have any proof that the Android manufacturers are not modifying the Android code without your knowledge. Recall this security issue: http://www.prnewswire.com/news-releases/kryptowire-discovere...

and not to mention the nasty Heartbleed that's still affecting us.

Open source only means the code at some "point" may have been vetted and secured but it will not remain secure forever.

At this point, there is no secure anything, as long as it is man-made, it can be broken by another man.

Apple has incentives to protect your data and it has enough money to not have to rely on sharing the data unlike Google and other Android companies. But this is not to say Apple isn't evil. They all are by default as in the nature of for-profit business they're in.


Do you own a disassembler? I do. Also, a decompiler, debugger, and other analysis tools. Closed source does not mean "black box."

And besides, open source doesn't mean anyone has reviewed the code. Reviewing a program for security takes work, regardless of whether it is open or closed.


Hello! Have you seen the CIA's leaks? It does not matter, because you should already be aware of all the vulnerabilities in IOS.


I really do not understand any of this. I am in the 1st period of the Information Systems course. But I know one thing, it's much easier to find a backdoor with the open code than the other way around. Besides that nothing guarantees that with these techniques you do not miss something.


One of my perennial favorite HN comments: you, the professional reverse engineer, could not possibly do what you do. I've never tried to do it, but I know you can't.


More like I the lowly software developer can read code but I can't reverse engineer - and why should I learn?


It's fine not to learn. What's less fine is stridently asserting, as you have all over this thread, that security advice from experts is flawed while at the same time huffing about how little time you have to learn about the details.


I have repeatedly asked you to actually provide some citations for your claims. Please do so.


Whether it's open or closed source, you have to examine the actual binary code to see what's running on the device. And the tools for this are very good. Both Android and iOS have been very heavily vetted.


Given enough googly eyes, all bugs are hilarious.


Explicit backdoors are a tiny part of the risk you are exposed to, so even if the risk of a undiscovered backdoor in a product is higher than in another, it can still be more secure overall. The article we are commenting on explains quite a few points counting in favor of iOS. An adversary doesn't care about backdoors if the thing you use has plain old unplanned vulnerabilities they can exploit instead.


If you don't understand this, then you're in the wrong business. I hope your school teaches that even vetted security code can be turned against you.


Many people who find bugs for a living would argue the opposite.


To be safe see this site. It has everything you need. Https://www.privacytools.io/


Hi, my name is Dan, and I don't recommend anything on the privacytools website.

Above all the many problems it has, it recommends using insecure hosted VPNs and advocates an app-centric approach to restoring your privacy (e.g., Install this app and you'll be safe!). This is no better than believing you can eat unhealthy food and fix it with weight loss pills.

If you're looking for a better solution to a communications security problem, you're welcome to check out Algo, a self-hosted VPN that I support:

https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...


Thanks for the link to Algo. First time coming across it.

I was under the impression that PrivateInternetAccess was well regarded, but this link [1] which is in the blog post linked above was an eye opener.

[1] https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa


Private Tools recommends using VPN for privacy rather than anonymity. For anonymity the page recommends Tor, Tails ...


EDIT: If this was crowd-funded (to help pay for the expert's time), I'd be happy to contribute.

The reputation of this page emphasizes (epitomizes?) a need the public has: An authoritative, accurate, comprehensive, usable security guide for non-technical end-users.

* Authoritative: There are too many pages, apps, and too much advice like the parent. Most end users - even most IT professionals, IMHO - have no good way to differentiate between good advice and bad. The solution is for one source of advice to become authoritative; i.e., it needs to be endorsed by people respected in the IT security industry and by names the public recognizes (e.g., the NY Times, ACLU, NRA, etc.). Its authority must stand out from the rest, and in a way the general public recognizes (endorsements on HN don't work), or it becomes just another voice among many.

* Accurate: Written by true IT security professionals who do real homework for it. Not IT pros or devs who read about security and have some sense of it. Not even by cryptographers who don't know the implementation side.

* Comprehensive: A one-stop shop. Otherwise, it loses authority and usefulness.

* Usable: Something non-technical end users can grasp and implement, as easily as possible. The harder it is, the fewer people will use it and the more people will misuse it (i.e., misunderstand it and make mistakes). 'Easily' also means affordably; telling everyone to buy iPhones may not be realistic.

Personally I wouldn't mind a guide for technical users, but that is a very secondary concern.


This page is batshit crazy. The very first thing it asks you to do is sign up with a random VPN vendor. Then it recommends Firefox or Tor Browser --- Tor Browser is the single least safe browser of all possible browsers you can install.


Why is that?


Because it's based on, and thus only ever asymptotically as secure as, Firefox, which is not the most secure browser architecture, and because of the economics of browser exploit development, and the fact that Tor Browser Bundle collapses a whole set of valuable targets down to a single release train, we can be sure that pretty much anyone who uses browser exploits as standard operating procedure has a stockpile of TBB exploits.


I've seen this advice before, but people need a better option:

1) Chrome over Tor? I've read that they don't integrate well (but I know very little about it).

2) Chrome to a (secure) VPN? How does a typical end user find a secure VPN?

3) ?


Re-evaluate whether the kind of privacy offered by tor is your number one priority. A lot of journalists have notes and work product and contact info they need to protect, but they're not living deep undercover. The information stored on their computer is far more sensitive than the list of sites they visit.


> Re-evaluate whether the kind of privacy offered by tor is your number one priority

A good point. Though in fairness, that's why I included Chrome over a VPN as an option.

> The information stored on their computer is far more sensitive than the list of sites they visit.

Not that it invalidates your points, but I wonder how true this one statement is. First, remember that in addition to metadata Tor hides content (which may be redundant in the case of HTTPS-secured websites, but that's not a bad thing). Also, a journalists' metadata could tell you a lot about the who, what, when, where, why and how they are researching, and expose sources.

What is more valuable, knowing who a journalist is talking to and when, or knowing what was said? IM very HO, I think the former.


So how would you suggest browsing privately then?


I would start by learning the difference between Tor and Tor Browser.


OK this advice is dangerous. The reason Tor Browser exists is because configuring Tor for safe use is difficult...


I'm confident that it's the opposite of dangerous advice.


Interesting please tell me more.


Using Tor Browser as your primary browser is a bad idea because it's way behind on security features and you mark yourself out as an interesting target. Using Chrome over Tor is strictly better from a privacy viewpoint than using Chrome on its own. So it depends what you're optimising for. If privacy is your absolute priority, the Tor Browser reduces the number of cases of information leakage but still requires you to have the discipline to avoid any other methods of leaking your identity. If you understand all the issues around that then you probably also understand enough to ignore Tptacek and use it anyway. But if you don't, using the Tor Browser leaves you in a worse position than you'd otherwise be in - you're less secure and you're probably leaking PII anyway.

There are cases where using the Tor Browser makes sense, but it's a terrible blanket recommendation. If you're not actively trying to hide your identity, using it will make you less secure than you would otherwise be.


> Using Tor Browser as your primary browser is a bad idea because it's way behind on security features

Is it? Please provide references.

> and you mark yourself out as an interesting target

Yeah that seems likely.

> Using Chrome over Tor is strictly better from a privacy viewpoint than using Chrome on its own.

Is it? If Chrome leaks any local information this is not true. NB I do not know if Chrome does so but please refer to https://blog.torproject.org/blog/bittorrent-over-tor-isnt-go... for an example of what I am getting at.

> If privacy is your absolute priority, the Tor Browser reduces the number of cases of information leakage but still requires you to have the discipline to avoid any other methods of leaking your identity.

Yes. But Tor Browser is released specifically to help you manage this. Information leakage through the web browser is amazingly easy - and it doesn't take logging onto a website to be fingerprinted (Chrome over Tor is probably a fairly unique fingerprint on its own). Why not find out for yourself how unique at https://panopticlick.eff.org/

> If you understand all the issues around that then you probably also understand enough to ignore Tptacek and use it anyway.

No comment.

> But if you don't, using the Tor Browser leaves you in a worse position than you'd otherwise be in - you're less secure and you're probably leaking PII anyway.

Doubt it but again citations needed.

> There are cases where using the Tor Browser makes sense,

agreed.

> but it's a terrible blanket recommendation.

Citation needed.

> using it will make you less secure than you would otherwise be.

Citation needed.


> Is it? Please provide references.

Sandboxing alone justifies this.

> If Chrome leaks any local information this is not true.

Leaking information over Tor is no worse than leaking it over non-Tor, and in general cases Chrome isn't directly sending information that allows a single site to identify you.

> Chrome over Tor is probably a fairly unique fingerprint on its own

What's your threat model? That's a serious question.


Sandboxing does not have to be provided at application level. The OS or a virtual machine can take care of confinement.

> Leaking information over Tor is no worse than leaking it over non-Tor, and in general cases Chrome isn't directly sending information that allows a single site to identify you.

More like: Leaking local information over Tor is equivalent to not using Tor, and in general cases the user has no control over what data Chrome is sending.


> Sandboxing does not have to be provided at application level. The OS or a virtual machine can take care of confinement.

The OS is in no position to sandbox multiple tabs running in the same browser good grief

> More like: Leaking local information over Tor is equivalent to not using Tor

This isn't even slightly true

> in general cases the user has no control over what data Chrome is sending.

Nor do they have any control over what data the Tor Browser is sending. At some point you have to trust that your software is doing what it's supposed to do.

If privacy is an absolute priority for you, then yes, run Tor Browser. But be aware that in return for privacy you're giving up security. For most people that tradeoff will result in less privacy in the long run. If someone isn't in a position to make an informed choice, a blanket "Use Tor" recommendation may do much more harm than good.


> The OS is in no position to sandbox multiple tabs running in the same browser

Who said anything about tabs?

>> More like: Leaking local information over Tor is equivalent to not using Tor

> This isn't even slightly true

There is no middle ground. There are two states here. Anonymous and not anonymous. Once one is not anonymous they are not anonymous. If one leaks one's local IP one is not anonymous. If one leaks one's voice data one is not anonymous.

> At some point you have to trust that your software is doing what it's supposed to do.

I agree. The thing is that Tor Browser is supposed to be limiting data leakage whilst Chrome is supposed to be sending data to Google.


> Who said anything about tabs?

If all your tabs run in the same process, any vulnerability triggered by malicious content in one tab has access to all the content in any other tab. Sandboxing the browser process makes it more difficult for that to result in taking over your entire system, but in this case merely taking over the browser is sufficient.

So no, OS-level sandboxing isn't sufficient. And if you don't understand that, you should not be making assertions about security.

