Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk
You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."
Today's Topics:
1. Privacy ethics of smartphone manufacturers (Y Martin)
2. Re: Privacy ethics of smartphone manufacturers (Nigel Sollars)
3. Re: Privacy ethics of smartphone manufacturers (Y Martin)
4. Re: Privacy ethics of smartphone manufacturers (Martin)
5. Re: Security of LUG (David Smith)
----------------------------------------------------------------------
Message: 1
Date: Sat, 05 Sep 2015 15:13:41 +0100
From: Y Martin <ym2013@riseup.net>
To: bristol@mailman.lug.org.uk
Subject: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <55EAF895.9010002@riseup.net>
Content-Type: text/plain; charset=utf-8
Hi
I am interested in buying a smartphone and flashing it with Cyanogen Mod
(an open source firmware). When I heard in the Snowden cables
about how Apple actively collaborates with the NSA in installing
backdoors into iPhones it made me not want to touch Apple hardware.
I also read about a report of China being up to the same misdeeds with
Huawei and ZTE:
http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/
Google are a bit too creepy for my liking.
Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
manufacturers out so far. The remaining seem to be:
Samsung
Sony
HTC
LG
Motorola
It would be good to get a clearer picture of the smartphone market from
the perspective of privacy ethics. Can anyone provide any further
information about the privacy ethics of these or any further companies?
There must be some existing reviews or good articles out there about
this topic.
Sincerely,
Yousef
P.S. I know that the idea of 'smartphone-security' is a bit of a
contradiction, but I would prefer to give my money to companies that do
not sell out on their consumers' rights to privacy.
P.P.S. No I dont have the money for a Blackphone2!
------------------------------
Message: 2
Date: Sat, 5 Sep 2015 10:54:44 -0400
From: Nigel Sollars <nsollars@gmail.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID:
<CAG6aBkVjiKYtB-9EG+7vT7nDpf+EirBVA0zKHTNY01yyUKjDpg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
With regards to Mobile, your gunna be SOL for anything thats not NSA / GCHQ
centric tbh, unless of course you totally role your own.
Cyanogen is in league with the M$ crowd also iirc..
Nige
On Sat, Sep 5, 2015 at 10:13 AM, Y Martin <ym2013@riseup.net> wrote:
> Hi
>
> I am interested in buying a smartphone and flashing it with Cyanogen Mod
> (an open source firmware). When I heard in the Snowden cables
> about how Apple actively collaborates with the NSA in installing
> backdoors into iPhones it made me not want to touch Apple hardware.
>
> I also read about a report of China being up to the same misdeeds with
> Huawei and ZTE:
> http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/
>
> Google are a bit too creepy for my liking.
>
> Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
> manufacturers out so far. The remaining seem to be:
> Samsung
> Sony
> HTC
> LG
> Motorola
>
> It would be good to get a clearer picture of the smartphone market from
> the perspective of privacy ethics. Can anyone provide any further
> information about the privacy ethics of these or any further companies?
> There must be some existing reviews or good articles out there about
> this topic.
>
> Sincerely,
>
> Yousef
>
> P.S. I know that the idea of 'smartphone-security' is a bit of a
> contradiction, but I would prefer to give my money to companies that do
> not sell out on their consumers' rights to privacy.
>
> P.P.S. No I dont have the money for a Blackphone2!
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
--
?Science is a differential equation. Religion is a boundary condition.?
Alan Turing
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.lug.org.uk/mailman/private/bristol/attachments/20150905/bcd43a63/attachment-0001.html>
------------------------------
Message: 3
Date: Sat, 05 Sep 2015 16:52:38 +0100
From: Y Martin <ym2013@riseup.net>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <55EB0FC6.2060208@riseup.net>
Content-Type: text/plain; charset=windows-1252
Wow..so the Cyanogen Mod and M$ partnership wasnt just some April fools
day joke afterall!
Perhaps the Nokia N900 with Maemo is the way to go. But there are hardly
any apps with Maemo.
Though expensive, the Neo900 project looks pretty interesting.
Yousef
On 05/09/15 15:54, Nigel Sollars wrote:
> With regards to Mobile, your gunna be SOL for anything thats not NSA / GCHQ
> centric tbh, unless of course you totally role your own.
>
> Cyanogen is in league with the M$ crowd also iirc..
>
> Nige
>
> On Sat, Sep 5, 2015 at 10:13 AM, Y Martin <ym2013@riseup.net> wrote:
>
>> Hi
>>
>> I am interested in buying a smartphone and flashing it with Cyanogen Mod
>> (an open source firmware). When I heard in the Snowden cables
>> about how Apple actively collaborates with the NSA in installing
>> backdoors into iPhones it made me not want to touch Apple hardware.
>>
>> I also read about a report of China being up to the same misdeeds with
>> Huawei and ZTE:
>> http://www.cnet.com/news/lawmakers-to-u-s-companies-dont-buy-huawei-zte/
>>
>> Google are a bit too creepy for my liking.
>>
>> Given that Cyanogen Mod is not supported on Nokia phones, that rules 5
>> manufacturers out so far. The remaining seem to be:
>> Samsung
>> Sony
>> HTC
>> LG
>> Motorola
>>
>> It would be good to get a clearer picture of the smartphone market from
>> the perspective of privacy ethics. Can anyone provide any further
>> information about the privacy ethics of these or any further companies?
>> There must be some existing reviews or good articles out there about
>> this topic.
>>
>> Sincerely,
>>
>> Yousef
>>
>> P.S. I know that the idea of 'smartphone-security' is a bit of a
>> contradiction, but I would prefer to give my money to companies that do
>> not sell out on their consumers' rights to privacy.
>>
>> P.P.S. No I dont have the money for a Blackphone2!
>>
>> _______________________________________________
>> Bristol mailing list
>> Bristol@mailman.lug.org.uk
>> https://mailman.lug.org.uk/mailman/listinfo/bristol
>>
>
>
>
>
>
> _______________________________________________
> Bristol mailing list
> Bristol@mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bristol
>
------------------------------
Message: 4
Date: Sat, 05 Sep 2015 22:29:05 +0100
From: Martin <inkubus@interalpha.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Privacy ethics of smartphone manufacturers
Message-ID: <1441488545.25977.223.camel@raphael>
Content-Type: text/plain; charset="UTF-8"
On Sat, 2015-09-05 at 16:52 +0100, Y Martin wrote:
> Wow..so the Cyanogen Mod and M$ partnership wasnt just some April fools
> day joke afterall!
>
> Perhaps the Nokia N900 with Maemo is the way to go. But there are hardly
> any apps with Maemo.
>
> Though expensive, the Neo900 project looks pretty interesting.
Also possibly relevant to your interests:
http://www.theregister.co.uk/2015/08/25/wileyfox_phones_tick_reg_readers_boxes/
http://www.ubuntu.com/phone/devices
https://www.silentcircle.com/products-and-solutions/devices/
http://wiki.openmoko.org/wiki/Main_Page
http://neo900.org/
I think the really key areas of question about trustworthy-ness that it
is hard to get around are 1. it will be assembled in China and 2. the
baseband processor will be running some kind of binary blob.
Unless you have an FPGA and a decent open hardware system (some of the
Open Cores projects look quite promising and it is an area where free
software style commoditisation really could become a thing), you are
really going to have to trust the hardware manufacture and assembly
chain (and even then what about the FPGA etc. etc. although it is much
harder to come up with a generic, hardware exploit for a system running
on an FPGA), so, for now, I think you'll have to live with 1.
[ As an aside, I used to think that CPU level backdoors were largely a
theoretical issue. Some of the more recent "features" of Intel
processors have somewhat changed my mind. AMT seems to create a
back-channel from the network to full control of the processor, via
non-user accessible, proprietary software which has already been shown
to have security bugs. If you are concerned about BIOS freedom, this is
much much worse. Then there is SGX, which give a *completely* new
security architecture for the entire chip, unlike *anything* currently
or previously available. For a change this sweeping and radical it has
been kept remarkably quiet. Although I can see it has positive uses, it
also has the capacity to be ALL of the things people feared when
"trusted computing" was first proposed. Disturbingly when I spoke to
some of the designers they didn't seem to realise that it would
effectively make malware analysis impossible for these processors. All
of which makes the statement:
?It doesn?t matter what state the system will be in, it will be
listening all the time,?
http://www.technologyreview.com/news/530491/hello-computer-intels-new-mobile-chips-are-always-listening/
just that bit more sinister. ]
A free software baseband and a system to run it on would be
*interesting* and more achievable. Osmocom's work on this is amazing
( http://bb.osmocom.org/trac/ ) but is only really for research use
(free software baseband + software radio = fun ?). There was a baseband
implementation of one phone which may have been released at one point
and you can still get the code if you know who to ask but it's copyright
status is ... questionable and the hardware is long gone. Given that a
baseband that supports GSM, GPRS, EDGE, LTE, etc. is likely to be in the
millions of lines of code this is a non-trivial project (and a
non-trivial attack surface) but one can hope. [It could be an
interesting strategy for someone like Blackberry, who have control of
the whole stack and the need for some interesting strategies. ] Given
all of this I think the thing to do is to treat the baseband / modem as
an untrusted blob and use the architecture of the system to prevent its
compromise being escalated to a full system compromise. To my
understanding this is beginning to happen on some of the more secure
phone designs but one can mimic this with a USB "mobile internet" dongle
and a linux box. You keep as much compute as you can on Linux and just
use the modem (hooked over the (hopefully secure) USB serial device) to
send and receive SMS and hook up to the Internet. Voice is a pain to do
like this though.
ANYWAY, please forgive me for rambling, as this is something I have been
thinking about and allow me to finish on a question : do people have any
good recommendations for the most minimal feature phone that can be
effectively used as a peripheral for a Linux box? Basically a 3G or 4G
USB dongle with battery, screen, keyboard, mic and speaker and nothing
else.
Cheers,
- Martin
------------------------------
Message: 5
Date: Sun, 06 Sep 2015 07:53:33 +0100
From: David Smith <David.Smith@ds-electronics.co.uk>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] Security of LUG
Message-ID: <1441522413.16742.39.camel@ubuntu>
Content-Type: text/plain; charset=utf-8
On Tue, 2015-09-01 at 12:43 +0100, Andrzej Jarz?bowski wrote:
> Linux User Group mailing list is place for professionals to exchange
> their knowledge about usage and security of Linux systems. It's safe
> to assume that place like that has been build by professionals with
> experience in systems security.
>
>
> If that is the case why LUG is storing passwords of all their users in
> clear text and why those passwords are sent to us every month in clear
> text as an email?
>
>
> Can this by changed? It's highly insecure especially for people that
> may use same password for other services. I understand that each
> password should be different but there is al lot of people that don't
> follow that rule. I would be happy to help fix that issue.
Firstly, as has previously mentioned, there is little difference between
storing information in plaintext, and storing it encrypted with the
decryption key. Therefore, if I say that something is stored in
plaintext, I am including the possibility that it could be stored
encrypted with the decryption key on the same server. This is also
because I suspect that the server actually *will* be storing it in
plaintext.
On Wed, 2015-09-02 at 01:34 +0100, Allen Coates wrote:
> Don't forget it's not just my data being stored. If someone
> compromises the server, they will have a complete list of all the
> subscribers.
> Depending on how things are organised, perhaps of all the subscribers
> to all the LUGs in the country.
Well, by definition, the server needs to have a list of the email
addresses of all of the subscribers in a plaintext format. Otherwise,
it's going to be pretty useless as a mailing list server.
OK, so what is the password actually protecting?
1. Your email address? No, since your password is only useful to
someone who already knows your email address.
2. Everyone else's email address? No, it doesn't give you access to the
complete subscriber list; it does give you access to the email address
of everyone that has ever posted (by downloading the archives), but an
attacker could just subscribe to the list and download that information
themselves.
So, all it's really protecting is your subscription settings - whether
you want digest versions, whether you want a mail at all, etc.
Given the low value of the information it's protecting, I don't consider
it to be much of an issue. The BBLUG list is hosted on a server that
serves most of the LUGs in the UK, and we are simply a customer of that
service. If you can persuade the SysOps of that server that it is worth
their time and effort to upgrade to a newer version of Mailman, then
feel free, but I doubt they'll be bothered.
There are clear warnings given about sharing passwords between the
mailing list and other places; people shouldn't be stupid enough to
ignore those warnings.
It's quite simple - don't use your LUG password for anything else; if
you're still worried, turn off the reminder mails, and if you're
completely paranoid, unsubscribe from the list.
------------------------------
Subject: Digest Footer
_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol
------------------------------
End of Bristol Digest, Vol 616, Issue 11
****************************************
Tidak ada komentar:
Posting Komentar