Every time I log into Fedi, I see another post with a guide called something like "Activist's Guide to Smartphones" or "Phone Security Guide for Protesters," and every single one of these assumes that the threat model is the kind of police force that exists under liberal democracy where the law will afford significant protections to protesters. The world is changing, and these guides not only fail to address the threat of an actively hostile fascistic anti-democratic occupying force (I refer here to the police), but such guides generally are limited to "what" and "how" but miss the more critical "why."

If you believe that you are facing fascism (or even something close to it), can I please please please convince you to read something written by anarchists who have faced serious repression and are trying to convey just how much phones can lead to the imprisonment of you and your friends for even things that are allegedly "legal."

https://opsec.riotmedicine.net/downloads#mobile-phone-security

@hakan_geijer I know enough tech to say that there is one fundamental rule of avoiding surveillance on your phone: Don't. There are too many different ways it can be compromised, if you are a person of sufficient importance that someone in government actually cares to try. If you want secure communications, the first rule is to get a Real Computer which runs a software environment you and you alone can control.

@Qybat @hakan_geijer sorry but this is a really wild take.

While I love Linux desktop, it is nowhere close to the security you can have on mobile devices (mainly by using Graphene).

If (big if) you can really control the whole software environment, you also need to audit that. And then we completely disregard physical attack vectors and, of course, as OP mentioned, non-technical vectors.

You can't use general advice in these cases anyway; assess your threat model and act based on that.

@hakan_geijer and with the techbroligarchy showing their true colors, a lot of these lower risk profile options are outdated. Most important are the tools of assessing risks & staying disciplined. We're not going to get press releases telling us when to be more careful.

@hakan_geijer

Agreed. Everyone ought to be getting clued-up on operational security (op-sec) and communications security (com-sec).

Top tip - for #2, try Signal - bloody works, does voice, vid, text, and even Signal can never learn what was discussed. For #1, never talk about what you may or may not be about to do online. Ever.

@hakan_geijer Nicely put together document. I think western people might care more about opsec in these situations if they acted less like the police are held to some rule of law, and acted instead as the state actors could be a legitimate threat to the activist's life.

More like they're the teens that killed Nazis in the Dutch and French woods in the 40s, keeping secrets, planning and effecting direct action.

@hakan_geijer for people who know us: this is good advice and we endorse it

@hakan_geijer

are computers that I installed Linux on better?

@sour @hakan_geijer Better than smart phones? No way. It’s why the text begins with “use a smart phone”. Mobile security is *way* ahead of general computer security and covers many more threat scenarios. Basically, if your laptop is in the hands of any decent adversary it’s over. At worst they can directly read out anything, at best (for you) they can only modify it in a way that’s not recognizable by you but will effectively covertly give them full access. Modern MacBooks may be the only exception here.

Disregarding physical access, things become a lot more tricky. With Linux you usually don’t download a .exe from a website and run it. That closes a big attack vector. You can lock it down quite well to also restrict execution of other binaries – if you know your way about. But in the end, the security model of a PC is very leaky.

My recommendation is to get a Pixel phone with GrapheneOS or an iOS device with Lockdown and Advanced Protection enabled. For your laptop, use Fedora or ChromeOS (beware, the latter might get discontinued soon), or an ARM macOS with Lockdown etc. enabled, or at least Windows Pro and enable complete BitLocker on there. You can run Qubes for specific tasks if you want to.

@ljrk @hakan_geijer

is Tails good?

@sour @hakan_geijer Absolutely! Security focused live systems are neat for some throwaway work, just do recognize that if the hardware is tampered with, it's hard for the OS to defend against that.

But most attacks that work well against Linux but not so against modern Windows/macOS are attacks targeting the installed OS. With a live system you circumvent that. In theory, you can harden a Linux to a similar degree as Windows BitLocker (i.e., measuring Secure Boot state + long password or fido2 stick, using signed UKIs, etc.) or perhaps even more than that, but it's not the default and requires quite some knowledge.
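A read-only audit of the hardened-Linux setup described in the reply above, added here as an example; it is not code from that poster, from GrapheneOS, or from any project. It checks the three things the reply names: whether Secure Boot is on, whether the LUKS volume carries a TPM2 or FIDO2 unlock token, and whether the TPM2 policy actually measures the Secure Boot state (PCR 7). The EFI variable path and the systemd-cryptenroll token names are real; the exact `cryptsetup luksDump` line shapes are an assumption, reproduced in a constructed sample so the script runs without root or a TPM.

```sh
#!/bin/sh
# Added example for this thread, not code from the post above or from any
# project: a read-only audit of the hardened-Linux setup ljrk describes
# (Secure Boot on, LUKS unlocked via a TPM2 policy that measures the Secure
# Boot state, or via a FIDO2 token). Assumptions: LUKS2 with systemd-cryptenroll
# tokens, and the `cryptsetup luksDump` line shapes used in the constructed
# sample below (older systemd prints "tpm2-pcrs:" rather than "tpm2-hash-pcrs:",
# so both spellings are accepted).

# secureboot_enabled [FILE]: FILE is an EFI variable image (4 attribute bytes,
# then the data). Returns 0 when the data byte is 1 (Secure Boot on), 1 when it
# is off, 2 when the variable cannot be read (legacy BIOS boot, or no efivarfs).
secureboot_enabled() {
  var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || return 2
  state=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
  [ "$state" = "1" ]
}

# luks_token_types < DUMP: prints the token type of every entry in the
# "Tokens:" section, one per line. The Keyslots and Digests sections also
# number their entries, so they are skipped explicitly.
luks_token_types() {
  awk '/^Tokens:/ { t = 1; next }
       /^[A-Za-z]/  { t = 0 }
       t && /^[ \t]*[0-9]+:/ { print $2 }'
}

# tpm2_measures_secureboot < DUMP: returns 0 if a systemd-tpm2 token binds
# PCR 7, the register that records the Secure Boot policy. Without PCR 7 in
# the policy, turning Secure Boot off or swapping the bootloader does not
# stop the TPM from unsealing the disk key.
tpm2_measures_secureboot() {
  awk '/^[ \t]*[0-9]+: systemd-tpm2/ { tok = 1; next }
       /^[ \t]*[0-9]+:/             { tok = 0 }
       tok && /tpm2-(hash-)?pcrs:/ {
         s = $0; sub(/^[^:]*:[ \t]*/, "", s); gsub(/[+,]/, " ", s)
         n = split(s, p, /[ \t]+/)
         for (i = 1; i <= n; i++) if (p[i] == "7") found = 1
       }
       END { if (found) exit 0; exit 1 }'
}

# Constructed sample in the shape of `cryptsetup luksDump` output; it is not
# captured from a real device.
luks_dump_sample() {
  cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
  1: luks2
        Key:        512 bits
Tokens:
  0: systemd-tpm2
        tpm2-hash-pcrs:   7
        tpm2-pcr-bank:    sha256
        tpm2-pin:         false
        Keyslot:          1
  1: systemd-fido2
        fido2-rp:         io.systemd.cryptsetup
        fido2-up-required: true
        Keyslot:          0
Digests:
  0: pbkdf2
        Hash:       sha256
EOF
}

# Stand-alone run: report on this machine's firmware, and on the sample dump.
secureboot_enabled; sb=$?
case $sb in
  0) echo "Secure Boot: enabled" ;;
  2) echo "Secure Boot: EFI variable not readable (legacy boot or no efivarfs)" ;;
  *) echo "Secure Boot: DISABLED" ;;
esac
echo "Sample LUKS tokens: $(luks_dump_sample | luks_token_types | tr '\n' ' ')"
if luks_dump_sample | tpm2_measures_secureboot; then
  echo "Sample: TPM2 token binds PCR 7 (Secure Boot state is measured)"
else
  echo "Sample: TPM2 token does not bind PCR 7"
fi
```

On a real machine, feed the functions the live header instead of the sample, e.g. `sudo cryptsetup luksDump /dev/PLACEHOLDER_ROOT_PARTITION | tpm2_measures_secureboot` (the device path is a placeholder). A TPM2 token that passes this check still relies on whatever PIN or passphrase policy was enrolled alongside it; the script only confirms that the measurement the reply calls out is part of the unlock policy.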

@hakan_geijer Determining your threat model is always the number one thing new privacy people should do.

@hakan_geijer

Nothing said on surveilled social media is meaningful. The more bold and defying, the more subject to corruption and coopting.

The revolution will not be televised. Or elevated by the status quo. Or given the win by the referee.

And the pundits will bicker with the winners. Because that's their bread and butter.

@hakan_geijer excellent work, thanks much for writing and sharing it!

@hakan_geijer I've been saying similar for weeks, but I don't have the expertise to point out exactly why the advice is bad.

I grew up under totalitarian governments in the global south, and it was only diplomatic immunity that stopped my family from being under the thumb.

Even then, dad's phone was bugged. We knew this, as Cambodian government officials would mention stuff we'd discussed in calls home. They just don't care about the rule of law, at all.

@hakan_geijer I've also come to realize that a ton of things we figured out how to do during the Anti-Globalization protests have been lost.

A lot of modern advice for protesters is... not good.

There's no cultural and intellectual legacy.

@hakan_geijer Great guide. FWIW Apple do now offer E2EE backups to iCloud https://support.apple.com/en-gb/guide/iphone/iph584ea27f5/ios
@hakan_geijer A lot of these guides also forget about smartphone XLs, also known as "cars". Your Tesla is on AT&T IoT, your Kia is on Verizon IoT solutions... If it has an LCD screen or has OnStar, it has a SIM card. Removing the SIM card isn't enough, as the car will still transmit its IMEI and MEID to the tower, which can be tracked back to a VIN and thus you. Learn how to remove the telematics unit, and be prepared to drive in silence if it's a part of your radio. You may have to arrange different transportation, as some cars won't start without the radio or telematics unit on the CAN bus.

@hakan_geijer This is a great guide; however, it's worth mentioning that if you're going to some protest or direct action, it's a good idea to buy an unregistered SIM and take a decoy handset with location settings turned off and a VPN turned on.

You don't have to be a cybersecurity expert to just not use your everyday comms tech. Way easier and probably safer.