Latest revision |
Your text |
Line 1: |
Line 1: |
| == First Disclaimers ==
| |
|
| |
| * Proprietary vs Open Source Code - While Open Source Code is not necessarily more secure than proprietary code, one thing is clear: You as a user can't know whether proprietary code is secure, because unless you sign a Non-Disclosure Agreement, all you can do is to trust the promises of the developer/manufacturer. In addition, proprietary code is obsolete the moment the manufacturer abandons it: open source code can at least be updated by volunteers afterwards.
| |
| * Driver Backdoors - Unfortunately, most ARM devices use proprietary drivers which not only hold the system back from updated Linux kernels, but also could hide backdoors within.
| |
| * ARM Trustzone - Even without a baseband, this piece of proprietary system inside every modern ARM smartphone can be a threat.
| |
| * Hardware Backdoors - If a high level hostile actor (a government or a corporation) gets direct hardware access to your device through various means, don't expect your protections to hold up for long.
| |
|
| |
| This is why you should avoid smartphones entirely if you are under scrutiny from a powerful targeted threat, from a government to even a wealthy corporation or hacking group.
| |
|
| |
| == Before you start == | | == Before you start == |
|
| |
|
Line 36: |
Line 27: |
|
| |
|
| If none of the above apply to you, you're still at threat of random attack events, whereby an attacker from anywhere on the internet obtains or hijacks your machine, identity, or accounts after achieving an exploit in your network, device, or service provider. | | If none of the above apply to you, you're still at threat of random attack events, whereby an attacker from anywhere on the internet obtains or hijacks your machine, identity, or accounts after achieving an exploit in your network, device, or service provider. |
|
| |
| == Devices to Use ==
| |
|
| |
| There are three levels of classification that we abide by for information, as inspired by US Government information protocols.
| |
|
| |
| * Top Secret - Grave danger to your person, your livelihood, or that of your friends and family.
| |
| ** Public/private keypairs - HTTPS certificates, SSH/GPG signing and authentication keys, cryptocurrency wallets
| |
| * Secret - Possibility of harm to your person, your livelihood, or that of your friends and family. Generally, information that the government knows (such as financial information) is considered Secret rather than Top Secret.
| |
| ** Your location, your address.
| |
| ** Account passwords.
| |
| * Confidential - Embarassment, deanonymization, or possible risks to your person, your livelihood, or that of your friends and family.
| |
| ** Contact information, usernames
| |
| ** Unfortunately, if your personal data has been publicly leaked online, consider it only confidential.
| |
|
| |
| Due to the prior possibility of backdoors, you should not consider smartphones to be suitable for Top Secret information. If you have no other choice (such as an emergency situation), try to mitigate your risks by sharing data only through means and services your adversary might not have or be able to compromise in time.
| |
|
| |
| === Top Secret ===
| |
|
| |
| * Devices: Open Source Hardware only: Libreboot laptops, Beagleboard, Raspberry Pi without VGA Blob.
| |
| ** No smartphones are allowed. The proprietary baseband and unlocked bootloader could have unlimited access to your RAM and your storage.
| |
| ** They're not going to be the best devices ever, and maybe not even the ones you use each day, but at least they're something you can trust.
| |
| * Operating Systems: G. Reproducible builds if at all possible.
| |
| * Networking: Onion Networks, i2p or Tor (hidden services only!!!)
| |
|
| |
| === Secret ===
| |
|
| |
| * Chat: Encrypted chat and email.
| |
| * Networking: HTTPS encryption
| |
|
| |
| === Confidential ===
| |
|
| |
| * Chat: Normal chat and email.
| |
| * Networking: HTTPS encryption
| |
|
| |
|
| [[Category:Draft]] | | [[Category:Draft]] |