🙂‍↔️
Yes, it’s real, and have times and threat models ever changed.

I’ll spell it out for you guys - CBP provides open free WiFi in the immigration line at the airport where the typical person with no mobile service is on a visa.

This is a very different consideration now in the era of wiping phones than three years ago.

@hacks4pancakes So even without MITM, they can work out what your device has been accessing.

So if you say you don't use Twitter, they can catch on a lie and send you back.

What else?

@xconde undesirable pages and private messaging apps. VPN. News sites.
@hacks4pancakes this is borderline entrapment. Pun intended.
@xconde it was there before, but now…
@xconde @hacks4pancakes it's also in that legal no-persons land that is immigration, where human rights seem to cease to exist.
@hacks4pancakes @xconde it also is baiting people into having their phones conveniently unlocked when grabbed out of the line.
@xconde @hacks4pancakes know your email/drive/calendar/... providers so they know who to contact to get your info. And can say when and from what IP you did connect so they don't need your username and can discover covert accounts.

@hacks4pancakes It took me this post to realize that CBP meant Customs and Border Patrol rather than Citizens Bank Park.

(And how those two in contrast feel very uncomfortable.)

@hacks4pancakes

I'll assume US Customs and Border Control... and where they could slurp up anything datawise they want - even phone calls themselves, for those using phones/providers capable of WiFi calling. That might only be the tip of the iceberg.

Social engineering at its worst.

@lumiworx @hacks4pancakes Encryption is ubiquitous nowadays; certificate pinning and elliptic curves make MITM attacks not only unlikely but almost entirely impossible. Add E2EE to the mix and, yeah, CBP isn't eavesdropping on your calls anytime soon.

Let's stop spreading FUD: The Internet has never been safer before for consumers. Anyone trying to do weird MITM in the WiFi you're connected to will have your phone show endless scary red warnings.
@ulveon@derg.social @lumiworx this is incredibly dangerous misinformation, and I will be blocking you for sharing it. Encryption protects data sent once connections are established. It does not, in many cases, protect metadata on services and protocols used, such as social media, VPN devices, and websites which may be deemed unpatriotic.
@hacks4pancakes @lumiworx
And police and intelligence agencies have repeatedly said metadata can be more useful than the message content.
@hacks4pancakes @lumiworx big yikes on that one. Like other than any attacks they may be performing for data in transit, the metadata is the juicy bit to examine before they even dig deep into what you’re doing on those services

@hacks4pancakes @lumiworx every FW in the history of ever uses the 1st few unencrypted bits of TLS to make security choices. How do ppl think DPI works? Luckily only trust worthy orgs know this.

So no, we are not living in the golden age of secure channels.

Maybe one day when ECH is deployed and browsers correctly handle HTTPS records and unicorns fart rainbows we will get there.
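As an added illustration of the point above (example code, not from anyone in this thread), a small Python parser that pulls the cleartext server name out of a TLS ClientHello; the record is constructed inline and the hostname is a placeholder. Until ECH is deployed, this field is what an access point or firewall reads to learn which service a device is contacting, which is why checking your own captures for it is a useful audit; the parser also handles hellos that carry no SNI at all.

```python
import struct

def build_client_hello(server_name):
    """Constructed, minimal TLS ClientHello record; server_name=None omits the SNI extension."""
    ext = b""
    if server_name is not None:
        name = server_name.encode()
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type 0
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    body = (
        b"\x03\x03"                              # client version (TLS 1.2 wire value)
        + bytes(32)                              # random (zeros, constructed)
        + b"\x00"                                # session id length 0
        + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
        + b"\x01\x00"                            # one compression method (null)
        + struct.pack("!H", len(ext)) + ext      # extensions length + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the cleartext SNI hostname from a TLS ClientHello record, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a handshake record / not a ClientHello
    pos = 43  # record header (5) + handshake header (4) + version (2) + random (32)
    pos += 1 + record[pos]                                          # skip session id
    (cs_len,) = struct.unpack_from("!H", record, pos); pos += 2 + cs_len   # skip cipher suites
    pos += 1 + record[pos]                                          # skip compression methods
    if pos + 2 > len(record):
        return None  # no extensions block
    (ext_len,) = struct.unpack_from("!H", record, pos); pos += 2
    end = min(pos + ext_len, len(record))
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", record, pos); pos += 4
        if ext_type == 0x0000:
            q = pos + 2  # skip server_name list length
            while q + 3 <= pos + length:
                ntype, (nlen,) = record[q], struct.unpack_from("!H", record, q + 1)
                if ntype == 0:
                    return record[q + 3 : q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        pos += length
    return None
```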

@hacks4pancakes @lumiworx there is also the issue of how the end user would handle these warnings, should they exist

A lot of end users have endless notifications that they have been ignoring, and security is unlikely to rank higher than any of those in their mind

Especially in a situation where they are probably stressed out and just trying to get through this

@GuillaumeRossolini @hacks4pancakes

A valid and interesting point. My gut tells me it might come down to the users themselves always having to be preemptive about any nonsense from outside sources, long before it would be needed. Phone providers - much like internet providers - aren't providing much security that I've seen so far. Aside from Android 16 giving alerts to StingRay switching to 2G/3G.

Users are left to protect their own devices. Does FairPhone or Nothing load anything by default?

@hacks4pancakes @lumiworx
Step 1: Have an organization with access to a widely used CA (to avoid having to install the CA on client devices)
Step 2: Have a TLS MITM configuration on the router for the public wifi
Step 3: Profit?

I believe I remember something like that for enterprise "security"...

This was something like a certificate rewrite, so that the router infra could decrypt/re-encrypt transparently and sniff the packets...

@phoenixgee Certificate transparency prevents issuing rogue certs without getting caught. https://en.m.wikipedia.org/wiki/Certificate_Transparency

@GrantJoseph Yeah that would put an end to that. Wonder if FF caught up to it meanwhile...

@ulveon @hacks4pancakes

I will never make assumptions about the capability of superpower governments to do what others call impossible.

I also won't make assumptions about the technical savvy of each and every potential user in line at CBP check points or that they use the latest and greatest hardware/OS and the security features they may have or lack.

@ulveon @hacks4pancakes @lumiworx tell me you don't know the deep magic without telling me

@somebody @ulveon @hacks4pancakes

I'm too old and too damn grumpy to give a shit anymore, so if I knew magic, I'd be holding classes 3 days a week. 😃

@lumiworx @ulveon @hacks4pancakes you are wise enough at least to err on the side of caution. I was addressing the authoritative-sounding and extremely misleading handwave I directly replied to. A protip is that you cannot and should not ever connect to a random stranger's plug or wifi hotspot. Exfiltration is trivial in a shocking number of cases you might take for granted. Arguing that layer seven sniffing and man-in-the-middle stuff isn't going on at hotspots provided courtesy of the gestapo, let alone the feds, is best case a childish effort to flex something you heard in the little leagues, worst case active and deliberate disinformation. There's a reason the big dogs only trust air gap (and even then I could show you some side channel stuff that'd make you shit).

@ulveon @hacks4pancakes @lumiworx if you connect your phone to this it's almost certainly possible to build a profile that the phone with MAC xxyyzz is being used with a Google account, Apple, Facebook, WhatsApp, Instagram, Signal, Telegram, X, Bluesky, Truth Social, TikTok, reddit, Microsoft personal, Microsoft business, and a variety of other services because all of those will connect automatically behind the scenes for updates. Boom, there's your checklist of services for an agent to check for thoughtcrime.

Some Android devices automatically randomize MACs but not all (and may not randomize device names), and it looks like Apple devices don't default to randomizing AND it's an option that you have to set for each network you connect to. So, even if some users are using everything they can (or simply not connecting) this could impact many or most.

Heck, take the next step: while checking your device, they connect to that network with MAC randomization and Private Relay or VPN disabled. Didn't get a list of services before? You have one now.

@ulveon @hacks4pancakes @lumiworx Yeah, this isn't even correct. The fact you can even try to say this as confidently as you just did is sort of amazing.

Just too ignorant of how it works to know better, hopefully.

@NosirrahSec @hacks4pancakes
@somebody

Well, if I've learned nothing more - today has certainly shown that I truly may be grateful that toot quotes will soon be available, so I can at least tell who's yelling at who.

@lumiworx @NosirrahSec @hacks4pancakes I think the way you typically tell is by seeing which post is being replied to in the thread. If they were yelling at you they'd reply directly to you, and not to the reply to your post. The tags only tell you who's CC'd, not the thread relationship.
@lumiworx @hacks4pancakes @somebody Sorry was not directing this at you.

@NosirrahSec @hacks4pancakes @somebody

No worries... Hopefully I can still 'read the room', and I certainly didn't think it was directed toward me, anyway.

I would much prefer for things to get steered openly into a discussion stage when it could be relevant, and it is far more than a little relevant right now.

@lumiworx @hacks4pancakes

What do you know, the pocket fisherman and the chop-o-matic of surveillance.

@hacks4pancakes I mean I wouldn’t be surprised if they started deploying stingrays too, just to make sure they capture everyone they can
@hacks4pancakes My guess is that this isn't intended for broad surreptitious surveillance (which would run into Title III problems), but rather to have a network available for when they tell you to unlock your phone and log in to your social media accounts.
@mattblaze @hacks4pancakes Need citizens going thru with flippers doing deauth attacks (even just dropping one under a trashcan or chair).

@dalias @mattblaze @hacks4pancakes

It's an Open network. Why perform deauths when you can (absentmindedly) run an AP with the same SSID that drops all packets!

@mattblaze @hacks4pancakes more benignly, there’s also the Mobile Passport Control app.
@_dm @mattblaze there were plenty of reasons to install it, and now plenty of ways to horribly abuse it.
@mattblaze @hacks4pancakes
Probably also for when they ask you for the address of your hotel
@hacks4pancakes Throwback to that free phone charging courtesy of the NSA meme pic 😂 😬

@somebody @hacks4pancakes

"Free phone charging, from the NSA" is always a good one.

@hacks4pancakes they got that trick from the Israelis

@kc Defeated by a power-only cable.

Are their APs also listening to the phones as they scan for other APs the phones already had connected to? That could be interesting.

@hacks4pancakes

@sasutina13 @hacks4pancakes that is a very good question, the only part I know is that they actively offer you the WiFi and sniff what your phone is up to.

I imagine there is some kind of other device tracking hiding somewhere, wouldn’t at all surprise me if they were also running a mobile phone relay to catch those pesky non-WiFi users

@hacks4pancakes did....did you join it?
@reverseics my shit posting would set off 1990s bro and then I would be disappeared