Free Your Android (roussos.cc)
242 points by comzeradd on May 8, 2014 | 167 comments



I think this whole exercise gives you a false sense of security. The thing is, there's a closed-source firmware running on the baseband processor which can do rather nefarious things: https://www.fsf.org/blogs/community/replicant-developers-fin...

So if you really want to be 'free', get rid of the cellphone.


More to the point, the FCC will not approve open source radio drivers. Your baseband will either be closed and under the control of your carrier and various government spies or it will be illegal in the USA.

The official reason is that open source radio firmware would be too easy to alter to violate FCC regulations on power, frequency band, and such. It's the same reason that non-proprietary antenna connectors are mostly prohibited.


Is this actually true? I've seen this repeated in many comments over a decade, and whenever it's researched it turns out there is no basis for it.

The usual conclusion is that the manufacturer claims that they cannot allow open access to their radio because of licensing restrictions, but that no restriction actually exists. It's a lazy way for them not to bother.


No it isn't, well not in the US anyway.

You can buy a board from Ettus Research and write your own baseband software. The trick is that you need a license to operate a radio at those frequencies, if you buy a phone you get to tag along on the phone company's license because they have made sure that you can't do anything that they didn't show the FCC they could do. If you have an Ettus board and you want to run a base station or an edge device you need to get a license from the FCC to use it.

Strictly speaking, the phone company could have an "open source"[0] baseband stack and they would need to provide some way for the phone to know that it is running the approved version. And that is where it gets tricky, how do you do that? You could provide some sort of EFI type signature on the baseband bits that proved they were the right bits, and you could provide instructions on how to compile to exactly those bits, and while that would help folks understand what could and could not be done with the firmware it wouldn't help them fix problems. And of course people would scour it for vulnerabilities. So we're left with the current situation.

If you're interested in playing around with radio stuff though it is pretty straightforward to get an amateur operator's license and a GNU Radio kit and start exploring.

[0] -- Not 'freely licensed' so much as 'you can read the source code, and it is compilable from source'.


You would still have to trust the manufacturer that it didn't implement fake reporting of a well-known signature while in fact using something different. Pointless.


Well there ARE FCC restrictions on what frequencies you're allowed to transmit on. Most frequencies are "owned" by someone that has the right to transmit cell phone, radio, television, or other data across them. You may recall, for example, that there was a big bidding war several years ago when some of the old UHF bands were sold off. There are some open frequencies which you're allowed to broadcast without a license on, these are the ones that your cordless house phone and such will transmit on. Whether or not this is a legitimate reason for the closed source antenna code is beyond my scope of knowledge.


Maybe it is, maybe it isn't, but it certainly seems like the very first thing anybody who installs dd-wrt does is increase the Tx power tenfold.


That's funny. One of the first things I did was turn mine way down.


What good is such an increase, if client (un-altered, standard Tx power) devices will hear the router from afar, but the router will not hear their replies from the same distance?


I think the truth lies somewhere in between, so you'll never find an explicit 'basis' - manufacturers are worried that publishing radio source code and encouraging open access will subject them to FCC requirements for any possible "end user modification" rather than just for the straightforward simple behavior they've programmed.


If they don't approve, could we still use them? I mean, they could hardly check people for proper radio driver if they behave, or could they?


We will never know, as the baseband driver is not free ;)


I believe in you creative, skilled guys to find a way someday ;)


Yeap. BUT between trashing your phone and filling it with proprietary apps there is a huge gap. This is what this post is about. I don't claim you'll get ultimate privacy. I'm sure that most people reading my post or commenting here are using a smartphone.


Well the post mentioned NSA several times as a motivation for those privacy changes. But the NSA can "talk" to cell operators, and cell operators can talk to baseband chips, and baseband chips can "talk" (DMA) to the rest of your phone, so let's be explicit here: this will not protect you from intelligence agencies / state actors. This only might protect you from overly targeted ads.


True, but NSA is mentioned just because it made these discussions more vivid and relevant over the last months. The post doesn't claim that you get an NSA-proof phone. I don't think such a thing exists.


Not sure if you really did this by accident, or if you're playing dumb, but the article does sound like claiming it'll make a phone NSA-safe. Yeah, now that you said so, I notice that it doesn't explicitly claim so, but first paragraphs are sure sprinkled with the name; if you really cared about the reader's safety, it would be responsible then to explicitly state that this advice does not protect against NSA.


So I have to explicitly state what this article is not about. Interesting approach...


Well, if you already mention the NSA to make discussion "more relevant" to recent events (which were about... NSA surveillance), then it would be also good to mention that the advice from your article is not meant to secure you from the NSA :).

It's good for people to know exactly how much security they get by following particular advice :).


Just like Private Browsing Modes in Chrome/Firefox tell you that they won't protect from agents.


I mention NSA to point out that you should at least avoid Companies that cooperate with them. Nothing more, nothing less.


What, like your phone company? Hmmmmm...


Agree, but when discussing privacy/anonymity it would be good if people talked more explicitly about the end result. Because most of the solutions that "will improve your privacy" and/or "security" will do so only against targeted ads and technically inept stalkers. Without calling out limits to which the solution improves our "privacy", we're just creating a false sense of security in people.


The real question is, would there be demand for it?


Is there any reason in particular that Twitter is one of the apps that you're putting on your ideal privacy-phone? I would've imagined that stuff like http://dcurt.is/twitter-is-tracking-you-on-the-web would put them in the same boat as the other services that were rejected.


In theory, for phones with a Cortex-A15 CPU, one could use ARMORED[1], which encrypts the content of RAM, with keys saved outside the reach of the baseband, inside registers. But still, CPU backdoors are a possibility.

[1] http://www1.informatik.uni-erlangen.de/filepool/projects/arm...


I agree, but I think the value of such initiatives is the awareness it brings to the table _and_ the implications of that to manufacturers, that is, the fact that an increasing number of people may care for privacy. Your point certainly adds to the discussion, but we have to start somewhere.


Free-restricted is a spectrum. You shouldn't dismiss people's effort to move toward the free end. Rome was not built in a day. Maybe one day grid will help us get rid of carriers.


There's a closed-source firmware running on your PC mainboard, HDD/SSD/SD card, mouse, keyboard, GPU, Ethernet card...

All of it can be rather nefarious. Get rid of the PC? (or simply use phones which connect their modems as peripherals and implement monitoring, like Neo900, not as a master with DMA as most phones today do)


Same goes for your computer. You'd be surprised at what's running in your North & South bridges


Even if you had open source baseband firmware, the NSA is still willing and able to impersonate and/or infiltrate cellular operators sufficiently to listen to just about any cellphone conversation it wants to.


It's still useful for tablets. There could be other back doors, but, without a PLMN-connected radio it will be harder to find you in order to backdoor you.


Exactly my thought!


> The good thing is that these parts are firmware, thus non-executable code.

What? Firmware is definitively executable, it just doesn't run on the CPU.

And besides, if you look at the list of proprietary files being copied, there are plenty of normal libraries: https://github.com/CyanogenMod/android_device_semc_iyokan/bl...


With statements like this, the author is doing the community a disservice. It is very important to understand that a modern smartphone contains enough CPUs to be used against you, even if you only run Open Source on the primary one.

This might not matter for most users, but it can decide about life and death for some, like journalists in crisis zones.


There is so much proprietary firmware everywhere that can fuck you over.

Your mainboards almost always have proprietary firmware. Coreboot is woefully underutilized and underfunded in this regard.

All hard drives have proprietary firmware, and often have proprietary processors on board. They are for all intents and purposes isolated computers in and of themselves, and nobody talks about how closed they are.

Graphics hardware is predominantly proprietary, even the most open discrete cards (AMD's) which have technical documentation have proprietary firmware blobs. I can only barely trust myself using these on the pretense that others have already decompiled the blobs and found nothing particularly malignant on a few older model cards. Every other manufacturer except Intel and very recently Broadcom with a single model of GPU are whole stack proprietary.

Network radios, as mentioned in this article, are almost always either wholly proprietary or have a firmware blob like GPUs.

CD drives also have proprietary firmwares like hard drives.

All TVs are running proprietary whole stack firmware on internal computers.

Dumbphones also are computers, just whole stack proprietary.

Your fridge, toaster, many ovens, and microwaves, if digital, are also whole stack proprietary computers.

This stuff is everywhere. There is literally no way to liberate yourself. Even Richard Stallman is driving a car with a proprietary on board computer, and probably cooks food in a proprietary Microwave.


The example that I found most amusing was that SD Cards have proprietary firmware -- turns out buying old SD Cards may be the cheapest way to get a single-board programmable microcontroller. [1]

[1] http://gizmodo.com/sd-cards-are-tiny-hackable-computers-for-...


> Your mainboards almost always have proprietary firmware. Coreboot is woefully underutilized and underfunded in this regard.

If you care about this, buy a Chromebook. The new ones have Coreboot. Of course, Google blah blah evil, but you can put your own OS in so the stack goes Coreboot->Uboot->(preferred Linux distro)


Or this, which is AFAIK the only 100% blob-free PC-compatible:

http://shop.gluglug.org.uk/product/ibm-lenovo-thinkpad-x60-c...

https://www.fsf.org/news/gluglug-x60-laptop-now-certified-to...

If the FSF likes it, I think you can be pretty sure it's as free as it gets...


The real problem with many chromebooks is how they use firmware blobs Intel provides as injectors in Coreboot. They aren't really open firmware at all.

AMD is pretty much the only company doing anything in this regard. Many of their recent chipsets are supported, like fm1 and fm2.


And I thought "coreboot" meant really 100% free software. Depressing.


There's a fork of it that is 100% free software: http://libreboot.org/ . Unfortunately it only supports one computer, the Thinkpad X60.

(They even removed the CPU microcode updates, which IMHO is going a bit too far; there's already microcode in the CPU, and Intel issues those updates to fix various errata in the hardware. Maybe it was done more as an ideological thing.)


And of course having different firmware for different OSes defeats the point of firmware standards. I think it is possible to run UEFI as a payload in coreboot.


It's not just firmware, although that stuff is a risk, but the threat from mobile basebands is very real.


I'm talking about drivers. Can you provide an example? How the firmware needed for your camera can be executed on its own?


There is usually little or no security boundary between the AP and complex peripherals (like the baseband, cameras, GPU, audio subsystem, etc.) Usually these will have direct access to main memory (like having a DMA channel given to them), and will have firmware loaded into them by the AP at boot. After which, they can damage the integrity and privacy of your 100%-OSS AP software.

The baseband, particularly, is of concern because it's connected to the outside world, and is powerful and complex. And almost always closed, and provided by an American company (Qualcomm).


The firmware that runs the baseband processor manages communication via the radio (and sometimes wifi and bluetooth as well)[0]. Once loaded, that firmware will have plenty of opportunities to phone home or otherwise provide information about your location, activities, etc.

[0]: http://en.wikipedia.org/wiki/Baseband_processor


Why would anybody ever write code that isn't intended to be executed?

The camera executes its firmware, and it has direct access to the memory, flash, network, etc.


e.g. The camera firmware blob could be tagging all your pictures with some kind of hidden watermark. Who knows?

EDIT: Just to clarify, firmware blobs are not executed "on their own", they are normally executed on a micro-controller that is embedded in the baseband / power management / gpu / any other chip.


That was exactly my point.


That may have been what you meant, but it wasn't what you wrote in the blog post. And besides, it's irrelevant if it runs "on its own" or not; in fact, technically, only the bootloader runs on its own, everything else has to be loaded by some piece of software, including the OS itself.


FYI the cameras in most phones (at least the ones I've played around with) contain no firmware. It's just a relatively dumb image sensor connected via a MIPI interface to the main SoC, and is under control of it. It cannot access memory on its own.


Do you have any blogs/articles about that? Free software video hardware is still hard to get afaik.


Don't know of any particular blogs/articles but you can e.g. Google "OV5647 datasheet" and read the datasheet for the RPi's camera chip. There's not much that could be a security concern on the camera module itself, since it's relatively dumb; it's what controls it that's a different issue.


This is more of a rant, but still, mildly relevant.

I tried to free my Android. I did, I really, really did. I overcame the "your version is not supported by Cyanogenmod" message with a custom build that took forever to find. I overcame the "download the Windows and Windows only installer". I managed to find the Windows-only instructions for unlocking the Bootloader. I managed to install custom drivers for the phone, despite the fact that Windows doesn't really want you to do that anymore.

And then I got stuck, because my phone and Windows 7 are not on speaking terms, so the fastboot tool does nothing.

I spent a couple hours on the task, and yet I haven't even managed to complete step 1. The dead links, the contradicting instructions, the forums full of unanswered questions, it just proved to be too much for me. I'm down to the magic advice now - advice along the lines of "try a different USB port", "change your USB cable" or "restart your computer" (of course). Should I succeed in my task, I may or may not have access to Bluetooth, video and/or tethering - there are contradictory accounts, so I won't really know until I'm done.

"Very detailed instructions"? Yeah, right. How about useful instructions instead?


I've definitely been there. For probably a majority of the phone models, the modding community is a loosely-organized collection of barely-tested hacks and vague tales of something that worked for somebody once. Use anything you find there, and you will probably run into lots of strange problems that nobody available has any idea how to solve, so you're on your own to debug it and get your device back into a usable state.

If you manage to get it working in some modified state, it's entirely possible that some random thing will cause it to go completely off the rails at some random moment, whether or not you need it then, or have access to alternate hardware, troubleshooting tools, or anybody who could help.

If you really want to have a modified phone, it's probably best to check out the community first and choose a phone model based on what is best supported. Even then, you probably shouldn't mess with it much if you aren't in a position to troubleshoot any problems that come up.


This is factually true; however I found that you presented it in a surprisingly negative light, for a contributor of a site called "hacker" news.


It is both true and practically useful advice... what's negative about that?

Speaking from years of experience (and as someone whose day job is Android app development) for every Android phone that has high quality developer support for 3rd party OS builds in the custom build "scene" there are dozens with really crappy half-ass amateur hour "support", and this tends to happen more on the phones that most non-hacker-types want to mod (because their carrier/vendor has stuck them on an old version of the OS for no good technical reason, etc).

If you aren't on the latest flagship phone from a big vendor or on a Nexus device, you probably shouldn't bother with custom builds unless you are prepared to deal with a lot of random issues.


I'd say that a necessary part of being a hacker includes considering the purpose and importance of things that you're hacking on. Hack on your hobby Raspberry Pi or the side project you're working on at home to your heart's content. Don't hack around on the production servers for your multi-million dollar business.

The phone that you use to organize your real-life events, keep in touch with the people in your life, get important alerts, etc. is more towards the production server level of importance than the toy gadget. I recommend thinking twice before putting some hacked-up barely-supported ROM on it.


I feel the complete opposite: the phone I use everyday and has become more important in my digital life than my pc, must be hacked (owned) by me even more.

Hacking means making it work to your needs, despite all the limitations some clever suits have decided on your behalf.

For example my phone carries some immigrant files and I need them stored as files, therefore I am not able to use non hacked Apple devices.


There are a few steps that are usually needed that you didn't list. You may have done them, but I figure I better check.

1) Your phone must be in developer mode. This is achieved by going to Settings >> About Phone >> and tapping the Build Number item 5 or 10 times (you will see a notification that developer mode is active).

2) You must go into developer mode and check the "Enable USB Debugging" menu. After that, you can plug in your phone (while powered on) and after a few seconds you should see a notification on your phone asking for confirmation to allow debugging from the computer.

3) The "fastboot" command only works from the bootloader screen. "adb" is the tool you can use when the phone is on with debugging enabled. You can run "adb reboot-bootloader" and should be able to use fastboot from there.
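The three steps in the comment above map onto distinct states in the output of `adb devices` and `fastboot devices`. The following is an added example, not part of the thread: it classifies that output so you can tell which step is still missing. The serial number and sample outputs are constructed, and the result codes are this example's own names.

```python
import subprocess


def parse_devices(output):
    """Return {serial: state} from `adb devices` or `fastboot devices` output."""
    devices = {}
    for line in output.splitlines():
        line = line.strip()
        # Skip the header and adb's "* daemon ..." status lines.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            devices[parts[0]] = parts[1].strip()
    return devices


def run(cmd):
    """Run a tool and return its stdout; empty string if it is missing or hangs."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""


# Result code -> what to check next (wording follows the steps in the comment).
HINTS = {
    "fastboot-ready": "Phone is on the bootloader screen; fastboot commands will work.",
    "adb-ready": "Debugging is authorized; run `adb reboot-bootloader`, then use fastboot.",
    "unauthorized": "Accept the debugging confirmation shown on the phone (step 2).",
    "adb-other": "Device is listed but not usable yet; replug it and check the state.",
    "not-detected": "Nothing listed: enable developer mode and USB debugging "
                    "(steps 1-2), then check cable and driver.",
}


def diagnose(adb_out, fastboot_out):
    """Map the two tools' output to one of the HINTS keys."""
    if parse_devices(fastboot_out):
        return "fastboot-ready"
    states = set(parse_devices(adb_out).values())
    if "device" in states:
        return "adb-ready"
    if "unauthorized" in states:
        return "unauthorized"
    if states:
        return "adb-other"      # e.g. "offline" or "no permissions ..."
    return "not-detected"


# Constructed sample outputs (the serial number is made up).
ADB_EMPTY = ("* daemon not running; starting now at tcp:5037\n"
             "* daemon started successfully\nList of devices attached\n\n")
ADB_UNAUTHORIZED = "List of devices attached\n0123456789ABCDEF\tunauthorized\n\n"
ADB_READY = "List of devices attached\n0123456789ABCDEF\tdevice\n\n"
FASTBOOT_READY = "0123456789ABCDEF\tfastboot\n"

if __name__ == "__main__":
    # Against a real phone: diagnose(run(["adb", "devices"]), run(["fastboot", "devices"]))
    for adb_out, fb_out in [(ADB_EMPTY, ""), (ADB_UNAUTHORIZED, ""),
                            (ADB_READY, ""), (ADB_EMPTY, FASTBOOT_READY)]:
        code = diagnose(adb_out, fb_out)
        print(f"{code}: {HINTS[code]}")
```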


I used to have a Nexus device where unlocking the boot loader and flashing a custom ROM is easiest. It took me several tries and reading of several tutorials, that were all omitting different crucial steps or assuming domain specific knowledge. If you have an HTC phone and have to worry about S-On and stuff like that it's even harder.

The forums (especially xda) are full of voodoo (wipe cache three times!!!11!) and ridiculous claims (so fast! much battery life! very scheduler!). It's really hard to get at the useful information.

Let me outline the general steps to installing Cyanogen.

1. Unlock bootloader (this involves downloading at least one piece of software)
2. Flash custom bootloader
3. Flash custom ROM
4. Wipe and start over

Once you have managed to install Cyanogenmod, it's a really nice experience.

Using Cyanogen with only free software is a pain for die hard RMS fans and other masochists. It makes your phone a lot less useful and a lot more high maintenance. Central app installation and automatic updating? Not really.

If you want a fully Open Source or Google free phone there two several alternatives: Jolla, Firefox OS. If you don't need the latest and greatest check out the N800, N900 and N9 Nokia phones.


One of my criteria when buying phones is "Must support Cyanogenmod". It hasn't been a problem; frankly speaking, there are enough good phones that are fully supported that I don't need to mess around with the semi-working ones.


Same here, I had to choose the European edition of the galaxy note 3 N9005. The most difficult part was to buy this exact piece of hardware. Then I played two days with the Samsung oily os, and got the real android with CM11.


Yeah. I want to install Cyanogenmod on my phone, a T-Mobile Moto X. But their wiki page for this device[1] lists only nightly builds, no stable builds whatsoever. I'm sorry, I'm not going to install an automated nightly onto my phone.

Their installation instructions are pretty worthless as well, as they're clearly built from a template with the device name swapped in.

Shambles.

[1] http://wiki.cyanogenmod.org/w/Xt1053_Info


If you're serious about wanting to install CM (or another distribution) on your device I'd first read through the relevant development thread on the forum or mailing list used for the distribution. This is where you'll find out which version to install, which problems you're likely to encounter and - if you're lucky - even ways to solve those problems. You'll find loads and loads of opinionated posts by people who often don't have a clue what they're talking about but that should come as no surprise given the subject matter and the medium. There'll probably be some good posts by the original developer(s) and a core of knowledgeable people, just focus on those and ignore the noise.

For the Motorola X you could have a look at the relevant XDA forum (http://forum.xda-developers.com/moto-x), there might be something worth your while there. Not having one of those devices I can't tell.


Just look at the last few pages in the XDA development forum for the ROM you're trying to install to figure out which NIGHTLY is the most STABLE. :/ You shouldn't run into very many issues.


It takes time for a stable build to be released. Be patient or help out.


I had a similar experience with my last phone. After nearly bricking it, I found an image that sort of worked. There would always be some feature that crashed or some other annoyance I'd have to live with. Once I found myself flashing my phone on a subway because it wouldn't turn on. I thought I'd be free once rooted, but it felt more like I was owned. Thanks to being gainfully employed at 60hrs/week I just want a working dependable smart phone.

All that said I'm itching to do it again because my HTC One is on 4.3 and I can't get the latest lens blur camera onto it!


If I remember my encounter with fastboot and a Windows 7 machine correctly, W7+ does not allow unsigned drivers, but, unlike XP, which asked you to confirm installation of unsigned drivers, W7 silently skips it. Your fastboot drivers may be installed but not loaded, until you allow unsigned drivers in W7 as such, via a special "testing" reboot. Google "permanently disable driver signature enforcement". Or use XP inside VirtualBox. That actually works.


Freeing your Android device is nothing on whatever the massive 20GB of code running under Windows might be doing at any moment's notice. I'd never tell someone to try to run a secure and privacy preserving version of Android while they were still using Windows as their primary productivity OS.


Why are people downvoting this? Just because you don't like it doesn't make it not true. You may be able to argue that Windows is necessary (ha! for rooting Android? why is that?), but that doesn't make the most insecure and malware-ridden platform out there exempt or immune from criticism, especially since you can't see the code. Same goes for OSX.


Just spin up a VM with the OS that everyone else that was successful was running. :/ It's really not that hard to set up an environment to use tools or execute exploits.


As a small "experiment", I've been trying to use only free software for a while (firmware/driver blobs excluded) on my Nexus 7 (2012).

I can say that it's definitively doable, but it really depends on what one needs. If what you need is a browser (Firefox), an email client (K9 & the standard KitKat client) and a Terminal (ConnectBot, Hacker's keyboard), then you won't miss the Play store at all. There are also some good clients for social/media consumption (Tinfoil for Facebook, Twidere, TT-RSS...).

If you need something more, then it's hit or miss. For maps, OsmAnd+ is nice, but not nearly as good/user friendly as Google Maps. Forget about the latest/cool apps. Forget games, unless you want to emulate some console (and also, running closed games on top of an open emulator is "ethically right"?).

It gets better if you're a little more lenient. For example, I have some Humble Bundle games installed. Those come drm-free, and (usually) don't depend on the Google services. One can also get applications from the Play Store, and install just the .apk for it (I can't remember if one can buy applications with the web interface, or has to do it from the mobile store). In the end, the choice is "I want to avoid Google" or "I don't want proprietary applications on my phone". In the first case, there are many alternative stores (SlideMe, AndroidPit, Amazon...).

Another problem is that F-Droid is small, and doesn't even have all the (F)OSS applications available for Android. For many, the only way to get them is either the Play Store or compile the source. I'm not blaming the F-Droid project, they're doing a terrific work for their size, but it seems that there's little interest in a completely open store, even from the developers.

That said, I'm still running this setup, but I'm considering just giving up and installing the Play Store/Google services because after a while seeing new cool applications but not being able to try them is kinda painful.

On a side note, I haven't noticed any increase in battery life/speed of my device. So it seems that Google's applications aren't a huge battery/resource hog.


> So it seems that Google's applications aren't a huge battery/resource hog.

Tried Google+? Just opening it by mistake (and immediately closing it) is enough to start glgps and kill my battery in a couple of hours, until I reboot.


That!! I now completely disable Google+ and advise all my friends to do the same. I actually enjoyed some of its features like automatic Photos Backup.

But then I would find out my phone's battery died overnight, while it was almost full before I went to sleep, like what the hell? After a few weeks of keeping an eye, I found out it was Google+. Hundreds of complaints on Android emailing list, 0 comments from developers.

Google+ is a single Google's project driving me away from being their slave for life.


I'm not a huge Google+ user, so no, sorry. My usage of it is limited to a few bored moments where I just open the website.

Anyway, I'd install one of those "minimal" packages that contains only the Play services and the Play store, and eventually install the various Google apps (Maps, maybe Keep) from the Play Store.


I actually prefer OsmAnd to Google Maps. Although that's mostly because I can download the maps for offline navigation.


Personally I find OsmAnd to be truly awful. The interface is stuck in the Android 1.6 era and I can't even get the online maps to show anything. Offline maps are nice but not that useful unless I am travelling overseas and don't buy a data enabled SIM card.


Google Maps on Android has had offline support for a while, and they just put out a new version of it: http://google-latlong.blogspot.ca/2014/05/get-on-road-go-off...


Yes, but OsmAnd lets me download a map for my entire country. This is important to me because I don't have a large data plan or access to Wi-Fi when I'm on the road. I also might not necessarily know exactly where I'm going to be going when I'm away.


I've noticed a significant battery life increase after getting rid of all the Google apps from my phone. I generally get two days of normal usage with my free software apps (F-Droid stuff) while other owners of this phone report getting a single day of battery life.


> "...stops using Google's DNS servers, that has a permanent log policy."

This is misleading. Google's DNS privacy policy is very reasonable. The only permanent logs are at the city/metro level. I trust their servers far more than I trust Comcast's or Verizon's. https://developers.google.com/speed/public-dns/privacy


> I trust their servers far more than I trust Comcast's or Verizon's

I agree with you, but if Comcast or Verizon are your ISP, they can already see/log which sites you browse (Unless you use Tor or a VPN, that's it) without the need to log your dns requests.

So, as funny as it sounds, I use my ISP dns server for "privacy" (the right term would be "for not telling even more third parties which sites I browse").


They'd also be able to see the queries their customers do on the Google DNS servers.


The better way would be to install a dns resolver on the phone, and stop sending log entries to other companies in order to save a few milliseconds. On Debian (PC), it's about as complicated as answering a couple of install questions.


Wait what? Surely your PC has to use some other authoritative name server? How are you getting this list updated?


DNS name resolving works by having a resolver traverse the domain name from right to left, starting in theory (but not in practice) by contacting the dot servers, then going to a TLD (com, org, net) server, and last to the domain's name servers.

However, this is not how things are commonly done. Most client machines simply send this work over to their ISP (or Google), and wait for the third party to do it for them. The third party then datamines this traffic in order to get revenue.

In general, what you willingly give to a third party can never be seen as inherently private. Additionally, an intruder that wants this information would have to hack, tap or steal the information rather than just leaning on the ISP/Google.
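The difference the comment above describes, worked through as a small offline simulation: which party can tie which query names to the device's address when a stub forwards everything to one third-party resolver, versus when the device runs its own recursive resolver with a delegation cache. This is an added example, not part of the thread; the server names, zones and addresses are constructed, the full query name is sent at every step (no QNAME minimisation), and on-path observers such as the access network are not modelled.

```python
from collections import defaultdict

# Constructed name-server tree for illustration; not real DNS data.
SERVERS = {
    "root": {"refer": {"org.": "org-tld", "net.": "net-tld"}},
    "org-tld": {"refer": {"example.org.": "ns.example.org"}},
    "net-tld": {"refer": {"example.net.": "ns.example.net"}},
    "ns.example.org": {"answer": {"www.example.org.": "192.0.2.10",
                                  "mail.example.org.": "192.0.2.11"}},
    "ns.example.net": {"answer": {"www.example.net.": "198.51.100.7"}},
}
DEVICE = "203.0.113.5"   # constructed address of the phone
NAMES = ["www.example.org.", "mail.example.org.", "www.example.net."]


def in_zone(qname, zone):
    """True if the fully qualified qname is at or below zone."""
    return qname == zone or qname.endswith("." + zone)


class RecursiveResolver:
    """Walks the tree right to left from the root, caching delegations."""

    def __init__(self, source, log):
        self.source = source   # address the name servers see
        self.log = log         # party -> [(source, qname), ...]
        self.cuts = {}         # cached delegations: zone -> server
        self.answers = {}      # cached final answers

    def _closest_server(self, qname):
        zones = [z for z in self.cuts if in_zone(qname, z)]
        return self.cuts[max(zones, key=len)] if zones else "root"

    def resolve(self, qname):
        if qname in self.answers:
            return self.answers[qname]
        server = self._closest_server(qname)
        while True:
            # Every server contacted learns (source address, full qname).
            self.log[server].append((self.source, qname))
            node = SERVERS[server]
            if "answer" in node:
                addr = node["answer"].get(qname)   # None models "no such name"
                self.answers[qname] = addr
                return addr
            match = [z for z in node["refer"] if in_zone(qname, z)]
            if not match:
                return None                        # no delegation for this name
            zone = max(match, key=len)
            server = self.cuts[zone] = node["refer"][zone]


def forwarded(device, names):
    """Stub on the device hands every query to one third-party resolver."""
    log = defaultdict(list)
    upstream = RecursiveResolver("public-resolver", log)
    for name in names:
        log["public-resolver"].append((device, name))
        upstream.resolve(name)
    return log


def local(device, names):
    """The device runs its own recursive resolver."""
    log = defaultdict(list)
    resolver = RecursiveResolver(device, log)
    for name in names:
        resolver.resolve(name)
    return log


def seen_from(log, device):
    """party -> sorted query names that party can tie to the device's address."""
    seen = {}
    for party, entries in log.items():
        names = sorted({q for src, q in entries if src == device})
        if names:
            seen[party] = names
    return seen


if __name__ == "__main__":
    for label, log in (("forwarded", forwarded(DEVICE, NAMES)),
                       ("local", local(DEVICE, NAMES))):
        print(label)
        for party, names in seen_from(log, DEVICE).items():
            print(f"  {party}: {', '.join(names)}")
```

With forwarding, one party holds the device's complete query history; with the local resolver the names are spread across the root, TLD and authoritative servers, and the delegation cache means the root is only asked once per TLD.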


Can you elaborate on this? I'm not sure if I fully understand


" ISP, and location information (kept permanently) are stored on the servers." https://en.wikipedia.org/wiki/Google_DNS#Privacy


Right, so Google ends up with the IP address of the NAT gateway that my mobile provider puts me through. Hundreds, if not thousands, of other people will be sharing the same gateway.

In addition, DNS doesn't send my GPS co-ordinates along with the request, so it will just be IP geolocation data which Google will collate for their own stats on their DNS servers (So they can see/log what regions people access from, etc.).

Just because it mentions storing location doesn't mean they are trying to monitor every step you take when using their DNS.


True, but let me prefer DNS providers with "no log" policy.


Any particular recommendations?


I prefer OpenNIC, but check out here for a couple more: https://prism-break.org/en/categories/gnu-linux/#dns


I just submitted a blogpost from the Tor Project (Mission Impossible: Hardening Android for Security and Privacy) which covers everything between removing the microphone (from a Nexus 7) and baseband software to recommended apps and configurations.

On HN: https://news.ycombinator.com/item?id=7715041

Original: https://blog.torproject.org/blog/mission-impossible-hardenin...


Wow! The OP here barely scratches the surface of this resource. Thanks.


I find it quite interesting that a blog post about such a topic uses Google API JavaScript which can track you, and link to your Google account that you are reading it and mark that you are interested in such stuff.


Citation needed (I guess you are talking about the Google webfonts).


Yes. It makes three requests to googleusercontent.com and one to fonts.googleapis.com.

It's interesting because the site has gone to some length to host jQuery, Bootstrap and other stuff you could see referenced in HTML source, but the CSS file requires stuff from Google servers. So maybe they simply missed that one.


I see only Google fonts on my console, but I'll look into that. Thanks


This is silly. There's two types of people in the world: people who are not of interest to the NSA, and people who are.

FOR PEOPLE WHO AREN'T OF INTEREST TO THE NSA (THIS IS MOST PEOPLE): You're putting massive amounts of effort into keeping the NSA from getting your data, which, let's be honest, is just chaff they're collecting so they can pick through it for wheat. You really want to do something against the NSA? Start sending your data directly to them so they have to waste time sifting through the logs of what cat photos your friends want you to look at.

IF YOU ACTUALLY ARE A TARGET OF INTEREST TO THE NSA: Everything in here is completely inadequate to secure you against the NSA. In fact, you are probably increasing your own inconvenience more than you are theirs.


> Remove Google analytics from CyanogenMod by flashing freecygn.

> Stop CyanogenMod from reporting tethering usage to your provider

I get why they are using Analytics, but why is a ROM like CyanogenMod reporting tethering usage to the carriers?

> Change DNS settings so that CyanogenMod stops using Google's DNS servers

This is probably something "nice" they thought to do for their users, but I'd rather not have that enabled by default in CM. If they're still trying to be a "privacy ROM" and whatnot, they should be using an OpenNIC DNS or set up their own encrypted DNSChain (https://github.com/okTurtles/dnschain).


The idea of freeing your phone is cute, however, there are some considerable dangers.

* The software that you give access to your phone (be it drivers or the recovery images themselves) isn't signed by anyone. Some of the software isn't even available via HTTPS. I think it's a bad idea to trust some HTTP and unsigned executable more than Google, who are doing all they can to ensure the integrity of anything that runs on your phone.

* Unlocking your bootloader is a bad idea. Google erases all your data whenever you unlock your phone[1]. They don't hate you, they've just realized the security issues that come from having an unlocked phone. Take this for example: You're at the airport and ready to leave. However, TSA stops you for a "random" check. They have your phone for about 5 minutes and there's nothing you can do about it. Now, they could ask you for your passcode but then you'd know something's wrong. Now, your bootloader is unlocked, which means they can see your device at firmware level and alter it to their liking. Nothing can stop them from planting a backdoor in there or just making a copy of all your files and you wouldn't know. That's why Google does [1].

[1]: http://wiki.cyanogenmod.org/w/Install_CM_for_maguro#Unlockin...


* I claim no such thing. Apps installed through F-Droid come from a secure channel, not HTTP.

* There is a way to lock your bootloader again.


* I'm not talking about F-Droid. I'm talking about CM as a whole and the recovery someone may use.

* There is a way, however it's common practice to leave it unlocked and I'm not sure you mention that in your article.


A good few steps for people looking for alternatives. You still have a proprietary radio chip in your phone though. That is where the bad stuff likely hides.

I guess you have to ask yourself - who are you competing with? Do you just not want to be used as an advertising product? Or are you hiding from the NSA?


And what's more - modem often has full access to the main RAM without CPU control. It has the ability to read or even manipulate every bit of any executable or data you run on CPU without you knowing anything about it. And even if someone doesn't care about NSA and stuff, modem firmwares are often ridiculously buggy and easy to exploit, so go figure...

While producing a free radio chip is practically impossible due to both economical and legal reasons (the closest you can get to it is OsmocomBB running on the old 2G TI Calypso modem, and the only reason it exists is that TI Calypso has mysteriously disabled checking of firmware signature even though the functionality for it is present...), there are devices that mitigate the risks by connecting the modem as a "slave" (for instance via USB - this might impact the performance and battery life, as the CPU is busy copying data from/to the modem, but it's way more safe than DMA access) or even implement "modem firewalls" that monitor any modem activity and alarm if it does something when it wasn't supposed to do it. Neo900 (http://neo900.org/) is such a project and soon there should be a longer article about this modem firewall solution published.


You seem like you would know - has anyone had any luck pulling the chip firmware and reversing it in order to sterilise it?


Neither. Just better privacy than NSA special friends offer me.


Looking at the Replicant status, I'm surprised that they managed to get Telephony/3G working without non-free firmware (presumably) but not WiFi/Bluetooth/GPS, since the telephony protocols from what I understand are far more "closed" than the rest.


This list of FOSS alternatives to popular proprietary Android apps is longer and more usable than a simple blog post: http://droid-break.info/.


What I would really like, is just to be able to install a bare-bones linux on my phone. Android (even Cyanogenmod) is just so limiting and 'user friendly' (i.e. as few configuration options as possible so as not to confuse the masses). I feel like I'm being hand-held by my hand-held.


You can install Linux in a chroot, it's not perfect but it should work in every phone.

Otherwise if you have a Nexus phone/tablet, you can install MultiROM (http://forum.xda-developers.com/showthread.php?t=2011403) and have both Android and something else installed.



My approach is different. I still use a completely Google tied Moto G with everything turned on. Hiding in plain sight (the grey man principle) is a better tactic.

If privacy is required, I leave the handset at home and get on my bike. There is no hiding unless you turn it all off.


> If privacy is required, I leave the handset at home and get on my bike. There is no hiding unless you turn it all off.

What you do on your bike may be inferred from what you do without your bike. So, your sense of privacy when you are not carrying a phone is an illusion too.


I always require privacy, and leaving my phone at home all the time is not a solution.


The two are entirely incompatible.


Nope. Privacy is not a black/white thing.


In this case it is. Privacy is about control and unless you have absolute control you cannot guarantee any privacy at all. And you don't control your phone's operating system, the GSM module OS/firmware, the carrier, the client applications and even the radio signals.

What you want is an illusion of privacy. The two are vastly different.


This is like saying there is no privacy for email so here I post my password on pastebin.

I control the software I run on my phone, so I have a better privacy. It's not perfect I know. But doing nothing because it's not perfect is the biggest illusion of all.


Your article is almost cargo-culty.

1) You do not control the software you run on your phone. You control almost none of the firmware, which if malicious could easily steal all of your data with impunity.

2) Simply controlling the software is not enough. Cell towers are programmed to track your every move and accessing this information is easy for the government.

3) Even if you did control the software you run on your phone, it implies nothing. The trivial example would be that clearly even when you bought the phone you controlled the software you ran on your phone.

3) Detecting usage of tethering is trivial. Stopping the reporting of the use of tethering just makes it easier for them.

4) DNS settings do not matter. Google's DNS logging policy is fine - and in any case they get no information since your phone provider will be using NAT so they'll have no way of differentiating between your phone and any other. There's no large benefit to privacy by not using Google DNS, but there is a performance cost.

5) You say that you feel safer - this is exactly the problem. All of these apps you've specified could easily have security problems in. They're not widely used, and likely are not widely reviewed. Following this guide gives a brilliant false sense of privacy, but likely little real additional privacy.


Actually as far as google is concerned, your first sentence is completely valid


  - Remove Google analytics from CyanogenMod by flashing freecygn.
  - Stop CyanogenMod from reporting tethering usage to your 
    provider, by changing the "tether dun required" setting.
How is that not default in Cyanogenmod ?


1) Analytics are disabled by default

2) To pass the tests required to be carrier/google certified you must report tethering


Nice read. I too highly encourage people to use CyanogenMod.

One thing that was worth being mentioned is one of the very best features of CyanogenMod: Privacy Guard.

It basically allows fine-grained control over what permissions an application can have (read/write contacts, phone logs, location, etc). It's of course possible to allow an access all the time, or just when it needs it.

Thanks to privacy guard, one can use applications that might compromise privacy, without compromising privacy.

When using the "ask every time", I've been surprised how many applications try to access my info for no obvious reason, sometimes even when your phone's idle.


Actually, Cyanogenmod is going in a not-so-free direction and the better option now is OmniROM.

Also, the best reference for all these issues is http://prism-break.org/


More than anything I would like to use open protocol for chatting. Personal communication is a mess. I currently have Hangouts, Facebook Messenger, Skype, Viber and Whatsapp on my phone. General folks use whatever is popular and XMPP is not really a choice. Moreover I looked into Jabber and the account sign-up page's certificate has expired and account sign-up has been inactive for close to a year. It is hard to establish trust over such a network.


Hangouts chat uses Jabber, Facebook Messenger uses XMPP. Skype uses a proprietary protocol, and licensing restrictions prohibit any unofficial client from connecting to the Microsoft servers. I don't know much about Viber or Whatsapp internals, but I would hazard that Viber is similar to Skype.

Chances are that you can connect with most people over Google or Facebook, but it's not perfect. If you are still using their servers, then it might defeat the purpose of avoiding their clients. You can use Off The Record (OTR) to avoid the privacy implications of using the servers with both of them, but none of the official clients support it, so they would have to use an alternative client as well, which defeats the purpose of using existing networks.


Hangouts doesn't actually really totally use Jabber. It supports it if a Jabber client is involved, but between Hangouts sessions they use some proprietary bullshit. That is why my chat history on, say, telepathy won't show up if I was using the Android hangouts app to message someone.

Also, there is literally no good foss voip and conferencing options. Jitsi videobridge is the closest thing I've found, and that isn't an XMPP standard and isn't supported by my preferred IM tools. Also, Jitsi is an ugly as sin Java app....

I'm definitely going to try putting aside a week this summer to see how hard it would be to implement videobridge in telepathy. If we could get that and group OTR encryption in it, there would finally be a FOSS communication alternative...


Jabber and XMPP are the same thing. WhatsApp uses a version of XMPP with just enough encryption to stop anyone from creating their own WhatsApp compatible client.


" CyanogenMod is not perfect. It contains scripts that extract proprietary code necessary for some phone components (eg. camera) to work. The good thing is that these parts are firmware, thus non-executable code."

I'm either misunderstanding what is being said, or the author has no idea what they are talking about if they think firmware does not execute...


Well dude, that's exactly what I've done on my phone some months ago, but you know what? After Heartbleed I installed back gapps and some other non free (as in freedom) apps. Heartbleed has been a lightening to me. It statistically says a lot about software.


Please don't consider F-Droid to be secure. See Moxie Marlinspike's comments here: https://github.com/WhisperSystems/RedPhone/issues/143


Huh? He claims F-Droid is insecure but doesn't even give a single point to back his claim.



I don't care about NSA or privacy. Is there still a reason for me to choose Replicant instead of CyanogenMod? I want my device to be fast.


The main problem with Replicant seems to be wifi support.


Replicant is free software, unlike CyanogenMod.


"So if you are using Iphone or Windows Phone, let me remind you that both of these companies are in the infamous NSA slides for giving access to users private data." I checked the link he refers to and it shows Google is also a Prism company, am I wrong? Oops, I see now he mentions this.


That's why you shouldn't use Google's android builds. Keep reading the post.


I think Android will never be a 100% real free system but Firefox OS is the true open source and free system :)


Firefox OS has exactly the same problem that Android has.

Android is open and free and all, but most of the devices out there don't give the user this freedom at all. Firefox OS has exactly the same problem - Mozilla does not enforce in any way that the officially branded FxOS implementation should be open. Most of FxOS phones to date, maybe except Geeksphone, are simply closed and need some ridiculous rooting or unlocking in order to just reflash them with a newer version of FxOS.

Just look at GTA04/Neo900 (and possibly Freerunner too, but it would probably be massively underpowered) - you could run both Android (Replicant) and Firefox OS there without using a single line of closed source code - but that doesn't represent the usual customer experience for Android and FxOS branded phones. So where's the difference?


Anything is nice as a concept. In real world you have to make compromises. When the ball goes to proprietary-chip-maker's court you don't get to play with your rules.


But you still don't know what modifications a vendor made to original source code.


That's why there are devices like Neo900, where technically you're a software vendor - just like on your PC.


The baseband firmware of the Neo is still proprietary, though not having DMA is certainly a plus.


Just like in any 3G USB dongle you attach to your PC (in fact, Neo900's modem operates in exactly the same way). For something as close to "free baseband" as possible, get a Neo Freerunner (or some other phone with TI Calypso) and install OsmocomBB - however, you won't be allowed to use it legally on public networks in most jurisdictions in the world.


Cryptocat is nice for messaging: https://crypto.cat


The article, and other comments in this thread (mentioning "baseband" etc.) suggest that encryption on the phone can not possibly work.

Closed-source code on a lower abstraction level could read the plaintext I type on the keyboard before it reaches your app. That code can apparently also "phone home" on its own terms.

Thoughts?


It's much too late for all of us. What's done is done. You can't reverse it.


How does the 'freedom' of Android compare with iOS and Windows Phone?


It is much better. iOS and Windows Phone are actively antagonistic to user freedom. Android is just potentially threatening.


Ditch Your Android.


I stopped skimming at "Firefox".


Wow, sounds like you really dedicated yourself to the task.


The article is a list of what you'll be limited to using if you want to steer clear of the NSA, right? Firefox has less than half percent of mobile market share for a reason. Maybe I should get out my flip-phone to stay safe instead.


When was the last time you used Firefox for Android? It was completely redesigned two years ago, and currently has higher ratings than Chrome.


I realize data might shift, but it had less than half a percent of market share at last look. Let me emphasize: LESS THAN HALF A PERCENT.

I used it last week for testing purposes.


Since when is privacy necessary for freedom? For all I know, privacy actually is what keeps us away from freedom.

When is this meme going to stop? When are people going to realize that there's no point in glorifying and seeking privacy?

This article is a perfect example of everything you lose when you get into this craze. Why would anyone actively limit their opportunities and disconnect themselves from others? For an imaginary reward?

Privacy is not a trade-off. It's plain loss.


> Why would anyone actively limit their opportunities and disconnect themselves from others? ... It's plain loss

I don't think you understand the meaning of freedom. Some people choose to do what you question because they want to. The nature of freedom is that people can do what they believe (so long as it hurts no one else), even if you think it's stupid.


First, people seek privacy because they take it for granted (they always had it) and because they're being told that they should value it. In reality, I'm sure most people would prefer to be able to live in a world without privacy.

Second, the whole quest for privacy ultimately hurts the freedom of everybody. How you ask? By leading to the creation of arbitrary laws that limit non-coercive access to information.

A right to privacy gives people an exclusive right over anything that's a product of their existence. "That photon bounces off of me and gets into your camera lenses? Well, I guess you'll have to hand over that tape if you don't want to get into trouble."

No information should ever be made private by legal means. Only physical privacy must be allowed.


Go move to Pakistan or Egypt as an agnostic or atheist, or Jew. Or move to China as a dissenter to their government. Let us see how "no privacy" works for you.

Or hell, just live in the US. There is plenty of prosecution of ideologies people don't agree with - have a pedophile who doesn't practice it express their physical attraction to children and see how people like that. Or maybe you like polygamy. Or hell, in many towns it is as bad as the Middle Eastern countries - profess your agnosticism or atheism and you get denied service at establishments and mugged.

Privacy is an essential guard when people with power don't like what you think. The ability to hide information you don't want them to know can keep you alive.


Privacy is like wearing an air-pollution mask in China. It might be a wise thing to do right now, but this is not something we want to be doing forever. This is only meant to be temporary.

When people talk about privacy, they don't think about it as a tool. They don't talk about it like people in China talk about an air-pollution mask. Do you often hear about how air-pollution masks should be a right and why we need them to preserve a freer future?


There will never be a utopia so flawless that freedom becomes entirely unnecessary.


I'm sure you have the best intentions, but if privacy has no downsides for you, please tell us your phone number and street address.


Ad targeting is not similar to publicly posting your personal data. Stop parroting this tired, broken meme - they are not equivalent.



