/dev/null

gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

^ Mullvad's DNS filtering is nowhere near enough to neuter mobile devices, particularly Android.

A Linux desktop doesn't 'phone home' every other second, so Mullvad's DNS blocking is good enough since it's only your browser you need to worry about (and we have uBlock Origin for that), but on mobile every app is a voyeur, or closet-voyeur at the very least (meaning they use SDKs or libraries provided by Google, Facebook etc). Domains related to Google's firebase analytics or Facebook's graph only get blocked by the most merciless filterlists, like 1Hosts Pro.

Also, technically, I'm only preferring NextDNS for my non-VPN'd connection. That's why I set it in Android's Private DNS setting. I'm not the best at elucidating stuff, so maybe that's why you were mistaken.

My problem is that setting your preferred DoT provider in Android overrides Mullvad's DNS servers (on iOS, the moment you enable your VPN the system-wide DoH/DoT you set deactivates itself, allowing the VPN's DNS to take over). That's why I mentioned using Bromite's own Secure DNS setting to set Mullvad's own DoH address (the same way you'd override systemwide DNS in Linux using the 'Enable DoH' part of Firefox's Network settings), but as I mentioned, the upstream Chromium bug causes DNS request leakage.

NextDNS is actually pretty useful for catching stuff like this, since you can view its logs (just make sure you set logs to be stored in Switzerland). That's how I caught the DNS requests leaking from Bromite. You can also do the same with something like PiHole or AdGuard Home (which I have running on my router), but I didn't want to connect this particular device to my home network under any circumstance, hence the reliance on NextDNS.

Anyways, if you need some tips on DNS filtering, feel free to ask.

Edit:
I didn't expect you to get a Mullvad account after me mentioning them. I hope you've done some of your own research as well. Don't just rely on word of mouth from a fool on the internet! Fwiw, I do have a couple of complaints about Mullvad, biggest one being their mobile apps, especially the iOS/iPadOS version. For that reason, I actually have an account with another provider called IVPN exclusively for my iDevices. They've got a similar philosophy (also no details required to create account), lose out in server numbers but mobile apps are better finished.
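The leak described in the post (a browser's own Secure DNS setting sending queries past the VPN's resolver) was found by watching the resolver's logs. The other way to catch it is from the device side: with a VPN up, any DNS-looking packet that leaves a non-tunnel interface is a leak. The following is an added example, not from the post and not Mullvad, NextDNS or Bromite tooling. It parses constructed, tcpdump-like packet summaries (IPv4 only) and flags plain DNS (53), DoT (853), and 443 to a known DoH resolver that did not go through the tunnel. The interface name `tun0`, the resolver address set and every address in the capture are assumptions using documentation ranges.

```python
"""Spot DNS traffic that left a non-tunnel interface while a VPN was up.
Added example, not from the forum post.  The packet summaries below are
constructed (tcpdump-like, IPv4 only) and every address in them is a
documentation-range placeholder, not a real resolver or VPN endpoint."""
import re

TUNNEL_IFACE = "tun0"   # assumed name of the VPN tunnel interface

# Assumed set of public encrypted-DNS (DoT/DoH) resolver addresses.  DoH rides
# on 443, so it can only be recognised by destination address.
KNOWN_DNS_RESOLVERS = {"198.51.100.53"}

# Constructed capture: "<iface> <dir> <src-ip>.<src-port> > <dst-ip>.<dst-port> <proto>"
PACKETS = """\
wlan0 Out 192.168.1.10.51234 > 192.168.1.1.53 UDP
tun0 Out 10.0.0.2.41000 > 10.0.0.1.53 UDP
wlan0 Out 192.168.1.10.52000 > 198.51.100.53.853 TCP
wlan0 Out 192.168.1.10.52001 > 203.0.113.9.51820 UDP
wlan0 Out 192.168.1.10.52002 > 198.51.100.53.443 TCP
wlan0 Out 192.168.1.10.52003 > 203.0.113.80.443 TCP
"""

_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<dir>In|Out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+(?P<proto>UDP|TCP)$"
)


def parse_packets(text):
    """Parse the constructed summary lines into dicts; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            rows.append(d)
    return rows


def is_dns(pkt, resolvers=KNOWN_DNS_RESOLVERS):
    """Plain DNS (53), DoT (853), or 443 to a known DoH resolver address."""
    if pkt["dport"] in (53, 853):
        return True
    return pkt["dport"] == 443 and pkt["dst"] in resolvers


def find_dns_leaks(text, tunnel_iface=TUNNEL_IFACE, resolvers=KNOWN_DNS_RESOLVERS):
    """Outbound DNS-looking packets that bypassed the tunnel interface."""
    return [
        f'{p["iface"]} {p["dst"]}:{p["dport"]}'
        for p in parse_packets(text)
        if p["dir"] == "Out" and p["iface"] != tunnel_iface and is_dns(p, resolvers)
    ]


if __name__ == "__main__":
    for leak in find_dns_leaks(PACKETS):
        print("DNS outside tunnel:", leak)
```

The WireGuard transport itself (the UDP packet to port 51820 on the physical interface) is expected and is not flagged. Port 53 and 853 off-tunnel are unambiguous; DoH on 443 is only recognisable by resolver address, which is why checking the resolver's own query log, as the post does, remains the more complete test.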
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

Great, thanks for the clarification.

And yes, I think you're great at elucidating stuff. ;)
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

Just the last 7 days, didn't even use it that much.
Basically: 1Hosts Pro – (oisd + Lightswitch05) = Google and Facebook trackers built into SDKs or libraries used by apps, plus maybe some Google/Samsung location services.

[two images]

Bloody thing should be thrown in jail for sexually harassing me!!

Scariest thing is the numbers don't include callbacks that apps like WhatsApp or Telegram make, because those go straight to IP addresses hardcoded in the apps themselves. You could even try blocking Facebook's ASN and WhatsApp would still work. Ugh!!
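The list arithmetic in the post (strict list minus the union of two broader lists) is a set difference over normalised domain names, which is easy to reproduce once the different list syntaxes are parsed to a common form. The following is an added example, not from the post and not from the 1Hosts, oisd or Lightswitch05 projects. The three sample lists are constructed, a few lines each in the formats published blocklists actually ship in (hosts-file, plain domains, AdGuard syntax); the domain names are placeholders.

```python
"""Which domains does a strict blocklist cover that broader lists miss?
Added example, not from the forum post or from the 1Hosts/oisd/Lightswitch05
projects.  The three sample lists are constructed, a few lines each in the
formats published blocklists actually use; the domain names are placeholders."""
import re

# Constructed: strict list in hosts-file format.
STRICT_LIST = """\
# strict list (constructed)
0.0.0.0 ads.example-net.test
0.0.0.0 firebase-analytics.example-google.test
0.0.0.0 graph.example-facebook.test
0.0.0.0 telemetry.example-vendor.test   # trailing comment
0.0.0.0 0.0.0.0
"""

# Constructed: broad list as plain domains.
BROAD_LIST_A = """\
# broad list A (constructed)
ads.example-net.test
tracker.example-net.test
"""

# Constructed: broad list in AdGuard/ABP syntax.
BROAD_LIST_B = """\
! broad list B (constructed)
||telemetry.example-vendor.test^
||ads.example-net.test^$important
"""

_HOSTS_RE = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1|::)\s+(\S+)$")
_ADGUARD_RE = re.compile(r"^\|\|([^\^/$|]+)\^")
# Stock hosts-file entries that are not block rules.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback", "0.0.0.0"}


def parse_blocklist(text):
    """Return the set of blocked domains from hosts, plain-domain or AdGuard text."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # hosts-style comments
        if not line or line.startswith("!"):      # ABP-style comments
            continue
        m = _HOSTS_RE.match(line) or _ADGUARD_RE.match(line)
        name = (m.group(1) if m else line.split()[0]).lower().rstrip(".")
        if name not in _SKIP:
            domains.add(name)
    return domains


def only_in_strict(strict, *broad):
    """Domains the strict list blocks that none of the broad lists cover."""
    return strict - set().union(*broad)


if __name__ == "__main__":
    strict = parse_blocklist(STRICT_LIST)
    broad = [parse_blocklist(BROAD_LIST_A), parse_blocklist(BROAD_LIST_B)]
    for name in sorted(only_in_strict(strict, *broad)):
        print(name)
```

The comparison is exact-match only. An AdGuard `||parent.example^` rule also blocks every subdomain, so a real diff against lists that use that syntax should treat a name as covered when any parent domain is in the broad set, and exception rules (`@@`) and wildcard rules need their own handling.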
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

gutterslob wrote:
Fri May 13, 2022 11:36 am
Edit:
I didn't expect you to get a Mullvad account after me mentioning them. I hope you've done some of your own research as well. Don't just rely on word of mouth from a fool on the internet! Fwiw, I do have a couple of complaints about Mullvad, biggest one being their mobile apps, especially the iOS/iPadOS version. For that reason, I actually have an account with another provider called IVPN exclusively for my iDevices. They've got a similar philosophy (also no details required to create account), lose out in server numbers but mobile apps are better finished.
No, actually I've been looking around for a while for a new VPN. I started with PrivateVPN some years ago only because I wanted something cheap for torrenting, but Mullvad's philosophy is closer to what I think right now.
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

^ Ah, good to know. Either way, Mullvad's pricing structure doesn't try to sucker you into long term commitments, so you can pay monthly and cancel if it doesn't work for you.

I recall you had some issue (which you sorted) with your uni's Cisco/IPsec network a few weeks back. If you need to use Mullvad on your uni wifi and find all ports outside the IPsec default UDP:4500 blocked or rate-limited, you can work around it with the CLI app:

Code:

mullvad relay set tunnel wireguard --protocol udp --port 4500

...or you can just generate a WireGuard config on their website and use nmcli or systemd-networkd if you prefer that method.
ArchWiki has a Mullvad section, though I'm not sure if it's up-to-date.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

^ Interesting, thanks for the tip.

Speaking of privacy-related tinkering, I flashed DivestOS on my 6-year-old Fairphone 2 yesterday and so far so good. Home banking is going to be a bit trickier, but the little else I need to do with this phone works as fine as before.
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

^ DivestOS is supposed to be one of the better ROMs out there. They follow proper security practices (unlike LineageOS) and generally do a good job with blocking/limiting most of the beacons built into the internal chipsets, according to what I've read.

What's the reason for banking being harder? Bootloader not relockable or lack of Google Play Services or some issue with microG? Banking is one of the reservations I have as well when it comes to deGoogling Android.

I was tempted to get a Pixel and put GrapheneOS or CalyxOS on it, but the issues I've read about with microG on Calyx or Graphene's sandboxing (checking an app on Exodus doesn't really tell you much, frankly) give me pause. The other issue has been the lack of local availability for Pixels (importing doesn't bring warranty coverage). The new 6a that was just announced will be officially available here, so we'll see.

This current Android I'm using is for a temp job. Helping an acquaintance set up a company. No MDM, but required apps like Chanty, Kyte and the revolting WhatsApp for Business, none of which I was willing to put on my own devices, so they got me a number/plan which included this midrange Samsung. Bloody perverted thing! Disabled as many services as I could and limited as many permissions as possible for the remainder, and even when barely used it still averages around a thousand DNS queries a day (with a whopping 40% being blocked) according to NextDNS, and that's with DNS caching enabled. I'm pretty sure those parole ankle bracelets track less than this. Maybe once I'm done with the job I'll attempt that popular Universal Android Debloater script.
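The query count and blocked percentage above come from a resolver's log, and, as noted earlier in the thread, a resolver log cannot see callbacks that go straight to hard-coded IP addresses. The following is an added example, not from the post and not NextDNS's export format or tooling. It runs two checks over constructed, simplified CSV logs: the blocked-query summary a resolver log gives you, and a correlation of outbound connections against logged DNS answers that flags destinations no lookup produced. The column names, the integer timestamps and the `;`-separated answer field are assumptions; all addresses are documentation-range placeholders.

```python
"""Two checks over constructed DNS and connection logs: the blocked-query
summary a resolver log gives you, and the callbacks it cannot see.  Added
example, not from the forum post; the CSV shapes are simplified stand-ins, not
the NextDNS export format or any firewall's log."""
import csv
import io
import ipaddress
from collections import Counter

# Constructed resolver log.  `answer` holds the returned addresses (';'-separated,
# empty when the query was blocked).  Timestamps are simplified to integers.
DNS_LOG = """\
ts,domain,status,answer
1,app.example-vendor.test,allowed,203.0.113.10
2,firebase-analytics.example-google.test,blocked,
3,graph.example-facebook.test,blocked,
4,cdn.example-vendor.test,allowed,203.0.113.11;203.0.113.12
5,firebase-analytics.example-google.test,blocked,
"""

# Constructed outbound-connection log from the same device and window.
CONN_LOG = """\
ts,dst_ip,dst_port
1,203.0.113.10,443
3,198.51.100.7,443
4,203.0.113.12,443
6,198.51.100.8,5222
7,192.168.1.1,53
"""

# Local-network ranges: connections to these are not "callbacks".
_LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def load(text):
    """Parse one of the constructed CSV logs into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(dns_rows):
    """Total queries, blocked count/percentage, and blocked domains by frequency."""
    blocked = [r["domain"] for r in dns_rows if r["status"] == "blocked"]
    total = len(dns_rows)
    return {
        "total": total,
        "blocked": len(blocked),
        "blocked_pct": round(100.0 * len(blocked) / total, 1) if total else 0.0,
        "top_blocked": Counter(blocked).most_common(),
    }


def _is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _LAN_NETS)


def unresolved_destinations(dns_rows, conn_rows):
    """Connections to non-LAN addresses that no earlier logged DNS answer produced.

    These are the candidates for hard-coded endpoints (or for a DNS path the
    resolver log does not see).  A DNS cache warmed before the log window will
    also show up here, so capture from a cold cache."""
    answers = []
    for r in dns_rows:
        for ip in filter(None, r["answer"].split(";")):
            answers.append((int(r["ts"]), ip))
    flagged = []
    for c in conn_rows:
        ts, ip, port = int(c["ts"]), c["dst_ip"], int(c["dst_port"])
        if _is_lan(ip):
            continue
        if any(a_ts <= ts and a_ip == ip for a_ts, a_ip in answers):
            continue
        flagged.append((ts, ip, port))
    return flagged


if __name__ == "__main__":
    dns, conns = load(DNS_LOG), load(CONN_LOG)
    s = summarize(dns)
    print(f'{s["total"]} queries, {s["blocked"]} blocked ({s["blocked_pct"]}%)')
    for ts, ip, port in unresolved_destinations(dns, conns):
        print(f"t={ts} {ip}:{port} reached without a logged DNS answer")
```

The second check needs a connection log from the device or its gateway, which is exactly what a resolver-only setup like the one described (no home-network access) lacks; on a router running PiHole or AdGuard Home it can be fed from the firewall's connection tracking. A flagged address is not proof of a hard-coded endpoint (cached answers, a second resolver, or a VPN-side DNS path all look the same), but it is the shortlist to investigate.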
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

Banking is harder because some of it needs Google Play Services. Also, in Italy we have a thing called SPID (https://www.spid.gov.it/en/) which bafflingly enough requires Google Play Services as well. I don't think DivestOS supports microG (see here), but this is a newbie at smartphone flashing writing, so I need to research more on this.

Edit: microG is listed here, though, so I seriously need to know more.
ivanovnegro
Minister of Truth
Posts: 5341
Joined: Wed Oct 17, 2012 11:12 pm

Re: /dev/null

Unread post by ivanovnegro »

This thread turned into being super interesting.

One thing I will never use my smartphone for and never did and I hope it will stay that way, is online banking. My better half e.g. must use it with her Spanish bank account, there is no way she could manage it outside Spain. It is a fucked up bank anyway like most, but she still has this account in Spain for emergencies.

My question now to you guys that prefer not to use Google Play services. If you take microG, does it not destroy the purpose of not using some of those apps that are exclusive to Google's Android? For me at least de-Googling would also mean not to use e.g. Google Maps or Gmail, even Youtube on my phone and I did that on my old Android. I used F-Droid apps exclusively.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

^ That's the reason I went for DivestOS: complete de-googling (as far as possible, I mean).

Home banking seems to be working just fine, at least the functions I need. I also found a workaround for that SPID thing which lets me use it without the phone app: basically part of the authentication process is through an SMS. There is a 3-month limit of 8 messages, but I need this bloody thing only for taxes so it should be twice or three times a year at most.
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

Preface: I've been away from Android for a long time, so a lot of this is as new to me as it is for you chaps.

@Ivan
If you're using a deGoogled ROM and can do everything you need via F-Droid* then there is no reason for you to install microG.

Reason some people use microG is for apps they need that require Google Play Services (GPS) and all the components it brings with it (like SafetyNet, GMS, etc) for stuff like banking, shopping, and in some cases push notifications for messaging. It's not necessarily Google's own apps, most of which you can replace with stuff like OsmAnd, Newpipe or any privacy respecting email provider, but for those apps that need some sort of Google backend service.

Basically, if that banking, e-hailing or shopping app you need is only available via the Play Store, that's where microG and the Aurora Store come in. With microG enabled in its default mode (meaning no Google/Gmail account) you will give up some anonymity - you won't be tied to a Google account, but your IP address (assuming no VPN used) and device identifier (some ROMs like CalyxOS and DivestOS will randomize this) will be sent. Occasionally, depending on the app, location might be required as well, though some ROMs like CalyxOS use Mozilla's location database as a replacement.

For me, with this Samsung, its sole purpose is for the temp job I mentioned. Stuff like the inventory management app requires location services, while the banking app is needed for invoices and scanning cheques. Most business/current account banking applications nowadays (I suspect personal/savings accounts as well) use their own app for the transaction authentication for amounts exceeding a certain amount. Funny how they deem SMS-based 2FA as insecure but are more than happy to depend on GPS for the in-app notifications, instead of adopting proven OTP standards. Anyway, it's solely for that job and I make sure to disable wifi and location before I'm in the vicinity of my apartment.

* I sincerely hope you're using Neo/Droid-ify as your F-Droid client, because the official F-Droid app is slow as heck and looks like it's from 1643 BC.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

gutterslob wrote:
Sun May 15, 2022 9:01 am
Funny how they deem SMS-based 2FA as insecure but are more than happy to depend on GPS for the in-app notifications, instead of adopting proven OTP standards.
This.

And it's why that SPID thing I mentioned is particularly ridiculous. You want to prove my digital identity when I have to deal with my taxes? Fine, I understand. But why should I use a service which depends on me giving up personal data to another party?
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

^ I suspect it's a combination of 1. technical incompetence, 2. cost and 3. wanting to cover their own asses

1. Because politicians/CEOs/marketing are the ones making the final decision
2. Because politicians/CEOs/marketing are the ones signing the cheques
3. Because it's easier to blame everything on Google and other subcontracted companies when something bad happens

Baffling, as you said earlier, but also completely predictable.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

^ Yes, I think those points pretty much sum it all well.

Although I also suspect the IT department behind SPID preferring the easy solution Google offers (the usual popularity/comfort zone deal) and not caring much about greater concerns. I mean, I am fairly sure they didn't try too much to push for alternatives. Just as Uni has chosen to be locked-in with Google, by the way.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

gutterslob wrote:
Sat May 14, 2022 3:07 pm
I was tempted to get a Pixel and put GrapheneOS or CalyxOS on it, but the issues I've read about with microG on Calyx or Graphene's sandboxing (checking an app on Exodus doesn't really tell you much, frankly) give me pause. The other issue has been the lack of local availability for Pixels (importing doesn't bring warranty coverage). The new 6a that was just announced will be officially available here, so we'll see.
I meant to reply to this and then forgot.

When my FP2 dies, I'll probably move to a phone more reliable on the security/privacy side than this.

Don't get me wrong, I love the fairness and sustainability of the Fairphone. However, beside the external cover and the battery (just once), I didn't play much with its modular upgrades.

DivestOS on the FP2 is a compromise, of course, and being at home most of the time means I should care more about my network here than what's outside. Still, the FP3 and FP4 are not known to be that privacy friendly.
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

GekkoP wrote:
Mon May 16, 2022 11:55 am
When my FP2 dies, I'll probably move to a phone more reliable on the security/privacy side than this.
But is there such a phone though, and would it matter? If you're deGoogling, then wouldn't device compatibility with the ROM you intend to use outweigh whatever privacy/security state the stock phone comes in? That's my understanding, at least.

GekkoP wrote:DivestOS on the FP2 is a compromise, of course, and being at home most of the time means I should care more about my network here than what's outside. Still, the FP3 and FP4 are not known to be that privacy friendly.
According to the DivestOS device downloads section, the FP3 seems to have good compatibility. Bootloader is relockable and Verified Boot state is at 2.0 (I'm not quite sure what that means, tbh), while your FP2 is listed with "Relockable: Unknown / Verified Boot: No". Did you manage to relock the bootloader after install? From what I understand, passing the SafetyNet check in Google Play Services (and its equivalent signature-spoof with microG) is the main factor in whether banking/finance apps will work, and the checks done are mostly bootloader related I believe.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

gutterslob wrote:
Mon May 16, 2022 3:51 pm
But is there such a phone though, and would it matter? If you're deGoogling, then wouldn't device compatibility with the ROM you intend to use outweigh whatever privacy/security state the stock phone comes in? That's my understanding, at least.
They're all good questions, and actually the ones I am asking myself. If DivestOS proves to be enough for my needs, then the next phone will be another FP.
gutterslob wrote:
Mon May 16, 2022 3:51 pm
According to the DivestOS device downloads section, the FP3 seems to have good compatibility. Bootloader is relockable and Verified Boot state is at 2.0 (I'm not quite sure what that means, tbh), while your FP2 is listed with "Relockable: Unknown / Verified Boot: No". Did you manage to relock the bootloader after install? From what I understand, passing the SafetyNet check in Google Play Services (and its equivalent signature-spoof with microG) is the main factor in whether banking/finance apps will work.
I relocked the bootloader with:

Code:

$ fastboot oem lock

Which replied with:

Code:

OKAY [  some milliseconds I don't remember]
Finished. Total time: [  same milliseconds I don't remember]
ivanovnegro
Minister of Truth
Posts: 5341
Joined: Wed Oct 17, 2012 11:12 pm

Re: /dev/null

Unread post by ivanovnegro »

@Gutterslob: Thank you for your thorough explanation. Now I get it.

Basically on my Android, that is now used as some kind of remote or Newpipe music radio for the kitchen, I only use F-Droid apps and as it is not used anymore as a phone, most of the apps were dropped on it and if not in use, the phone is not connected to WiFi or even off.
gutterslob wrote:
Sun May 15, 2022 9:01 am
* I sincerely hope you're using Neo/Droid-ify as your F-Droid client, because the official F-Droid app is slow as heck and looks like it's from 1643 BC.
Damn. I missed that. I will check it out ASAP. Thanks. I always found the official client to be a real turtle and often throwing errors on me when updating programs.
GekkoP
Emacs Sancho Panza
Posts: 5555
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP »

^ I second the Droid-ify advice.

Also, I went to Uni for an exam today (written test, I feel confident about it, but I don't know the mark yet) and no problem whatsoever with DivestOS: I bought train tickets, listened to some music during the travel and encrypted a couple of emails. VPN was alive and rock solid as well. All good. I'm happy.
gutterslob
Resident Tranny
Posts: 997
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob »

@Ivan - in case you're procrastinating:
https://github.com/NeoApplications/Neo-Store
Install and welcome yourself to 2022.

@Gekko - in case you wanna spruce your gnome shell;
https://github.com/Pobega/gnome-shell-e ... -indicator
Good luck with the exam results, btw.