First it was a huge backdoor, then it turned out not to be a big deal. Whatever is the case with this issue with Samsung phones – it only serves to highlight what I wrote about several months ago:
It’s kind of a sobering thought that mobile communications, the cornerstone of the modern world in both developed and developing regions, pivots around software that is of dubious quality, poorly understood, entirely proprietary, and wholly insecure by design.
Whether or not this is actually a huge security issue, I don’t care – it just further highlights the dire need for a properly and truly open baseband firmware.
And it won’t come from Android, iOS, or Windows phones or Blackberry or … well who is left? Non smart phones? Nope.
Jolla and Ubuntu. And no, they won’t have open basebands.
Then again, any mobile phone can and will be location tracked from the towers, so anyone pretending some brand of phone guarantees your privacy is just a shill.
AFAIK, it’s illegal in most countries to use a device with a cellular connection without providing adequate identification, so unless you have forged credentials, you’re always being tracked by the mobile provider anyway – otherwise, they can’t know where to send calls/data responses.
Obviously it’d be much better if the tracking/etc. ended there, but Stallman’s right about this one: if you *really* care about privacy, don’t use a mobile.
TBH, that would also mean not using the internet either, since you need an ISP, and *they* need to know where to send data, so…
Really, the only way to “guarantee privacy” is to go off-grid completely and live in the forest, off on-site solar/wind power and farming.
Edited 2014-03-14 02:34 UTC
woegiub,
It’s not quite the same though. An IP address doesn’t identify you to the same level as a cell phone IMEI & Sim card.
If you really want to, you can go to a coffee shop and clear your cookies, that gives you moderate security right there. If you need more privacy, you’d need to modify your MAC address. and then modify your browser’s fingerprint such that it does not point back to you.
https://panopticlick.eff.org/
At this point you are pretty safe on the computer side assuming you don’t give yourself away online. However if you still wanted even more privacy from the most sophisticated adversaries, then you should probably turn off your cell phone BEFORE going to the coffee shop (otherwise your cell phone trivially proves you were there at that time).
On the other hand, it might be best to leave your phone on and leave it at home. The NSA already correlates disparate network events in order to identify “co travelers”. (Turning off one phone, then turning on another, will flag both phones to the NSA as “co-travellers”). This correlation could conceivably exist also between phones and other activities. In other words, leaving your phone on and not moving it makes “them” think you stayed at home. There is no event data to correlate against.
http://leaksource.info/2013/12/05/co-traveler-analytics-nsa-collect…
Most people would balk at going to such lengths to protect their privacy. However in this day and age of government agencies who indiscriminately collect our data without regards to privacy rights or suspicion of crime, it’s what you’d have to do.
My point was that although your IP doesn’t identify you, your ISP still needs to know where to route your data.
Using anonymous wifi/public access points would work though, you are right. I actually totally forgot those existed.
IEMI is pretty much enough – a GSM mobile phone without SIM card can still call 112, so it still must be tracked by the cellular network.
If you did that over here you’d have the government knocking on your door as soon as they found your solar panels on satellite images (I’m not sure about that qualifying as “guarantee privacy”).
Yes, we are charged extra taxes for producing our own energy. How fun is that?
And yes, they actually spend time looking at satellite images to find things to charge for. A friend of mine got a notification saying he had to pay for the swimming pool he had built… which wasn’t a swimming pool but a shed with a blue roof.
That is insane. Which country do you live in?
It’s something I can easily see mine wanting to do, but being unable to (Australia is freaking *huge*).
The sunny and windy Spain, a place were you’d expect renowable energies being fostered instead of punished.
AFAIK, that’s fairly standard throughout the EU – the idea being, I think, that you’re just another energy producer.
Not quite so simple – remember, a GSM mobile phone without SIM card can still call the 112 emergency number.
Small scale water power is also pretty straightforward in many places.
No it isnt,
#1. Rosenberg has a valid point, having proprietary code running in the modem isn’t proof in and of itself that it’s exploitable. It’s nevertheless alarming that the application processor would allow the modem to access user files.
#2. Rosenberg’s statement failed to debunk any claims with this one. In fact he even echos the original claims that the daemon can run as either root or as under a limited account with access to /sdcard.
#3. So what? A hacker who’s gotten this far would not be phased by “../../”. It doesn’t much matter (to hackers) whether the vulnerability is intentional or not. In fact the best backdoors are made to look accidental:
https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt…
So, we know that the application processor is vulnerable. Whether the Modem is will have to remain an open question. It’s not even clear to me that the binary machine code for the modem is accessible for reverse engineering? Lots of micro-controllers offer code protection that makes it near impossible to access the binary code:
http://www.stmcu.org/download/index.php?act=down&id=4207
Q: Does anyone know if the modem’s firmware can be flashed over the air (like a cable modem)? If so, then it doesn’t even matter what’s in the firmware. An entity such as the NSA could just flash a new firmware at will to do whatever it wants, like exploiting the application processor’s vulnerabilities.
I know someone that writes some of that software. For some reason, he doesn’t like carrying or using a cell phone ….
Hmm….
I used to work at Maccy Ds, I don’t like burgers from there either.
Does one exist? Even an in development one? If there was I’m sure some people would go out of there way to get compatible hardware to achieve this kind of assurance.
An ideal opportunity for the Firefox phones?
Edited 2014-03-13 21:05 UTC
There is an ongoing effort:
http://lists.openmoko.org/pipermail/community/2013-February/068280….
and here:
http://bitbucket.org/falconian/freecalypso-sw
but that’s only targeting one specific hardware.
Edited 2014-03-13 21:31 UTC
Make your own phone. From easy to make Arduino phone http://www.instructables.com/id/ArduinoPhone/
to a more advanced Rasberry Pi phone.
You can even make your own cell tower with a Rasberry Pi (though it’s shit for range). http://www.phonearena.com/news/DIY-enthusiasts-make-their-own-cell-…
with these you still have a binary-blob inside the gsm-module
“the cornerstone of the modern world” Hahaha bullshit. if it had said “a cornerstone” it might have been more truthful. Words matter.
How about “no”?
Well, if you refeer to the Babylonian mythology, phones… and the Internet, allows people to communicate broadly worldwide, without much limit (if being spyed by the NSA).
So, in a sense, “cornerstone” would quite fit the description, whenever you agree or not.
Travelling fast is another “cornerstone”.
Kochise
“the” cornerstone is very different from “a” cornerstone though. It’s even more dubious that it would be the cornerstone in a developing country.
Edited 2014-03-14 09:51 UTC
Nutella is obviously the cornerstone.
Nope, lolcats…
Kochise
The airwaves are controlled by the government and big corps that are in bed with the government so having a 100% FOSS phone wouldn’t help you one single bit.
As we saw here in the USA a few years back with the AT&T whistleblower they control the backbone…game over,you lose. Once you have control of the backbone a MITM is beyond trivial and even if you encrypt the call they can still gleam enough from the metadata to build a scarily accurate portrait of your life.
The only thing we can really do is accept the fact that anything broadcast, be it over the net or the airwaves, might as well be considered blasted over a megaphone in the town square and treat it as such. The founder of Google wa right, privacy IS dead, we just didn’t realize HOW dead it was until all the whistleblowing.
bassbeast,
“What would be the point of open firmware?”
That’s simple, the point of open source in such circumstances would be to increase our confidence that the software running our devices does not have a backdoor.
I disagree, open source would help security researchers find vulnerabilities regardless of WHO was responsible for them. Heck, having big corps in bed with the government is even more of a reason to have open source because it logically follows that their binary blobs would be even less likely to be trustworthy.
Of significant historical relevance, Microsoft’s NSAKEY key was only discovered when MS accidentally released a debug build of their cryptographic code. This “NSAKEY” was allegedly a key the NSA could use to sign their own code and get windows to accept it as a trusted component of windows. MS officially rejected this allegation, however they’ve never provided any good reason for having named it “NSAKEY”, which doesn’t leave much to the imagination. In hindsight it seems even more likely that it was a key for the NSA. Regardless of our thoughts on this conspiracy, I think the incident itself makes a pretty compelling case for open source over proprietary blobs. It enables the public to discover what’s lurking in the software.
http://www.cnn.com/TECH/computing/9909/03/windows.nsa.02/index.html…
Maybe, yet it makes google’s response to the NSA leaks even more ironic:
http://money.cnn.com/2013/11/04/technology/google-nsa-snowden/index…
Perhaps there’s an element of hypocrisy at google…
Edited 2014-03-16 07:22 UTC
1
Browser: Mozilla/4.0 (compatible; Synapse)
1
Browser: Mozilla/4.0 (compatible; Synapse)