Andromxda 🇺🇦🇵🇸🇹🇼

Mastodon: @Andromxda@infosec.exchange

wiki-user: Andromxda

  • 14 Posts
  • 424 Comments
Joined 9 months ago
Cake day: March 22nd, 2024

  • Pros:

    • Websites can’t see your real IP and thus can’t figure out your real location that easily
      • You might also be able to blend in with other users who use the same VPN server
    • Your ISP can’t see what websites you’re connecting to
    • Your network operator (e.g. a coffee shop offering public wifi) and your ISP can’t see your unencrypted connections (e.g. HTTP, Telnet)
    • You can bypass regional censorship or other forms of content unavailability

    Cons:

    • Your VPN provider can see everything you’re connecting to (but not the content if you use HTTPS, which thankfully has become very common), so you need to be able to trust them
    • A good and trustworthy VPN usually costs money
    • Slightly slower connection and higher latency

    Things to look out for when choosing a VPN provider:

    • No-log policy
    • Regular security audits
    • Open source client applications
    • Private/anonymous payment options (cryptocurrency)
      • Monero is the best option if you want to stay fully anonymous
    • Minimal information required for signing up, ideally none (some providers don’t even require an email address, they just give you a randomly generated Account ID)


  • We don’t know everything it can do

    Neither do we know this about any other CPU on the market. All chipsets on the market are proprietary. All of them. And no, despite many people (who don’t know anything about what they are talking about) claiming this, RISC-V won’t actually solve any of these issues. Sure, the ISA is open source, but the ISA would be the worst place for malicious actors to introduce a backdoor. I can guarantee you that despite using the RISC-V ISA, the chips themselves will still be fully proprietary and the IP will be highly protected as trade secrets. You can build a fully RISC-V conformant chip with a backdoor, there’s absolutely nothing in place that could stop this, and it surely won’t change for the foreseeable future.

  • Those conspiracy theories often come up in discussions here on Lemmy, but the TLDR is: Google is a tiny player in the smartphone market, compared to vendors like Apple, Samsung, Huawei, Xiaomi, and others (https://www.statista.com/chart/25463/popularity-of-google-smartphones/). They also serve a much smaller geographical region than most other manufacturers. The Pixel 9 lineup, for example, is only sold in 32 countries. Most of those are wealthy industrial nations. Google doesn’t even try to assume market share in developing countries in Africa and Asia. It can also be assumed that over 97% of Google Pixel users keep the Stock Pixel OS, where Google doesn’t need a hardware backdoor since they can just implement it in software. So that leaves only a tiny fraction of all users: people in some wealthy industrial nation who specifically buy a Pixel to install a custom ROM. GrapheneOS for example has about 300K users. Do you really think Google would put in the effort to create a hardware backdoor and take all the risk associated with it (negative PR, loss of sales, etc.) just to collect some data about this tiny amount of users? Google already controls EVERY Android phone on the market by forcing vendors to include Google Play Services as a system application through their contracts, licensing and monopolistic market position. Be realistic for a second, and you will realize that your backdoor theories make absolutely no sense and that no business in the world would ever take such a huge risk with such little reward.

  • I don’t think it’s a coincidence that the shittiest companies are those who enforce Google’s broken and monopolistic “Play Integrity” API. Revolut has connections to Russia, McDonald’s supports the Israeli genocide in Palestine and Authy has always just been a massive piece of shit, not even allowing users to export their TOTP seeds. These are three companies I would NEVER even consider using anyway.

    And “Play Integrity” API actually does NOTHING, absolutely NOTHING for your security as an end user.
    You use an outdated, unpatched Android version with multiple severe, publicly known exploits on an insecure device?
    Google doesn’t give a single fuck.
    You use the newest version of Android with all the patches applied on Google’s own hardware, with a locked bootloader and a hardened operating system?
    That’s not allowed by the “Play Integrity” API.
    Its only purpose is to serve Google’s monopolistic business interests.