Having posted about my COVID travails the other day, the usual suspects have been stirred to action - thanks, people. Among them are the curious sect that insist I have Apple gear I’d never pay for out of pocket. I admitted to needing a phone for a new thing I am going to do, and the iPhone fairy promptly did THIS:
While I’m thrilled to get a device that will let me use the 5G features of my current prepaid plan, there is a twinge of buyer’s remorse, and it brings up some other stuff we should be watching more closely.
Attention Conservation Notice:
The best thing to do is Throw Away Your Cell Phone. The second best thing is to have a whole box of ‘em and mindfully mess with trackers. Herein you will learn to despise “consumer behavior tracking” as thinly disguised spying, and perhaps develop a bit more professional paranoia in this area. Do, or do not, but you might die …
Proxy Buyer’s Remorse:
So this was not a discretionary expense, it was a “get thee to that new type of work, and give me interesting reading as a side benefit” order, which I’m bound to obey. Even so, I’ve been lusting for a Google Pixel with GrapheneOS for the last year. iPhone 12 Mini is about the same price as a Google Pixel 8a, and I was comparing the 8/8a when I noticed what you see below.
I still have some browsers that are running ScriptSafe and I greatly do not like that it’ll no longer load from the Play Store. What you see here is GSM Arena, a decent site for details and reviews of phones. I let the main site load its JavaScript, then holy shit FORTY TWO additional domains want in? It’s reasonable to find some sort of image CDN, maybe a JavaScript CDN provider, then perhaps a media player, or a customer chat app. Finding 10x that much is a site that gets paid tracking what you do, and pushing you to buy! buy! BUY!
Understand that I’m all in favor of people doing things that pay, I’m legit trying to do much more of that myself these days. But the problem here is the entities that are buying that data for purposes other than marketing.
ADINT:
The industry term ADINT is defined as “Using Targeted Advertising for Personal Surveillance”.
Now I know a guy who does this, he’ll send personalized birthday cards to people via the Facebook ads system. That’s nice.
I worked for some other guys a while back, we were using SNMP OIDs to get cell phone MAC addresses from shopping mall infrastructure, then correlating that with other things known about a specific phone. The end result was that companies would pay $20 - $40 to get an image in front of an executive who was in the market for their particular gadget or service. That’s just business.
But if you wander down to the dirty end of the field, you can start correlating data about all the phones within a geofenced area, say an OBGYN clinic, and then you can serve targeted ads that address the receptionist’s shopping habits. Those ads could contain a clickless exploit to plant Pegasus on her phone, and then the doctor’s network is their network, and the patient data starts to flow to anti-abortion nutters.
And this is how a gang gets paid to do a home invasion wherein they beat someone else’s idea of “sense” into you.
Basic Countermeasures:
So what do you do about this?
First, I have a very pedestrian presence. There are two dozen devices besides mine that pass through my hut’s firewall. Some phones, some personal computers, too many IoT gadgets for my taste. It’s a very normal sort of California household, people play games, they stream sportsball, they watch movies, it’s all a quintessential muggle hotspot. The residents are multilingual, and they avoid geographic restrictions to get content in other languages using the VPN(s) I helped them to master.
And in that nest of normality, additional traffic will pass unnoticed.
The only thing I do that’s out of the ordinary is keep separate VLANs. The household traffic is one kingdom, mine is another, and they don’t mix. The edge device will only take instruction from a single ethernet port, so the path from getting one device on either side of the line to seeing the whole network is not impossible, but things are done to make it steeper and slipperier.
The other ways one could manage this without being so invasive have been covered here in recent days. Building A $54 Fail Closed Firewall is the right thing, but not with the Orange Pi hardware, unless you’re a glutton for punishment. Since there’s this new MikroTik RB941 sitting here that I have yet to power on, I imagine there will be a story about how to employ it.
These are lower level measures, well down the network stack from where ADINT plays, but you need them for the next step.
Shut Your Pi-hole:
One of the things I’ve done in the past is put Pi-hole on home networks. This subjected me to temper tantrums every time something broke. Since I was all Linux during those years, I simply installed it on every system. Soon one of the periodic outbursts ensued, and I got to respond with “not on the network, hasn’t been for some time, good luck with whatever is wrong with your stuff”. That triggered another tantrum, of course, but I was firmly out of the technology tantrum remediation business at that point.
So Pi-hole is nothing specific to do with Raspberry single board computers, it’s a very slick DNS server that comes with a curated block list of ADINT facilitating stuff. When your devices use it for name resolution, requests to things like the three dozen unwanted domains up above just quietly fail.
Your mobile devices will need an external source of DNS, but computers can run Docker and use a local install of Pi-hole for their name resolution. That’s a tiny bit tinkery, but once it’s done it’s just there, fending off unwanted traffic.
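As an added illustration (my own code, not anything from the post or from the Pi-hole project) of the two checks described here and in the GSM Arena section: which hosts a page pulls in from outside the first-party domain, which is roughly what ScriptSafe lists, and which of those a Pi-hole style block list would quietly sink. The sample page, host names and block list are all constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party site plus a handful of third-party
# hosts standing in for the dozens a tracker-heavy site pulls in.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example-phone-site.test/site.css">
<script src="https://cdn.example-phone-site.test/app.js"></script>
<script src="https://js.tracker-one.test/pixel.js"></script>
<script src="https://tag.analytics-two.test/tag.js"></script>
<img src="https://beacon.tracker-one.test/1x1.gif">
<iframe src="https://chat.widget-three.test/embed"></iframe>
</head></html>
"""
# Constructed block list (real Pi-hole lists hold tens of thousands of entries).
BLOCKLIST = {"tracker-one.test", "analytics-two.test"}

class SourceCollector(HTMLParser):
    """Collect the hosts that script/img/iframe/link tags would fetch from."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in ("script", "img", "iframe") else a.get("href") if tag == "link" else None
        host = urlparse(url).hostname if url else None
        if host:
            self.hosts.add(host.lower())

def registrable(host):
    """Crude eTLD+1 (last two labels); a real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def third_party_hosts(html, first_party):
    """Hosts outside the site's own registrable domain, as ScriptSafe would list them."""
    p = SourceCollector()
    p.feed(html)
    return sorted(h for h in p.hosts if registrable(h) != registrable(first_party))

def blocked(hosts, blocklist):
    """Pi-hole style match: blocked if the host or any parent domain is listed."""
    return sorted(h for h in hosts
                  if any(".".join(h.split(".")[i:]) in blocklist for i in range(h.count("."))))

def report(html=SAMPLE_HTML, first_party="www.example-phone-site.test", blocklist=BLOCKLIST):
    tp = third_party_hosts(html, first_party)
    return {"third_party": tp, "blocked": blocked(tp, blocklist)}
```

Anything in `third_party` but not in `blocked` is the residue a block list misses and a per-site script control like ScriptSafe still catches.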
Get Brave:
As I mentioned, ScriptSafe is dying. This is a surgically precise tool for shutting down network bullshit, but it is NOT a fire and forget sort of thing. Each time you come to a site, you get a new burst of script sources to examine. Having used it for a very long time, I can mostly go by memory anymore. It’s REALLY unusual for me to hit a site with half a dozen unknowns, let alone the 42 found on GSM Arena. I’d never noticed them before because I had previously not even permitted the main site to load, it just wasn’t necessary to see the information I wanted.
I haven’t found a good replacement for ScriptSafe, but YouTube’s new subscription push a year or two ago infuriated me, whacking both my ad blocker and my terrible channel ban tool. After a couple months of fiddling and refreshing, I switched to Brave and I’ve never looked back. I haven’t seen a YouTube ad in a very long time, it just works on both computers and mobile devices, and if you aren’t willing (or able) to focus on script interdiction, this is a fine incremental improvement.
Conclusion:
Are you keeping a list of things you can’t trust?
Despite that previous item, concealing your carrier number using Google Voice is still a good safety move, so long as you get yourself to Signal posthaste, but I am seeking safer alternatives.
Passwords are DEAD, get yourself a 2FA solution, like Authy.
Android phones prior to the ARM8 chip are less secure.
Apple phones prior to the A11 Bionic chipset are less secure.
Single devices for all things, either computer, or mobile, are cause for concern.
I know this is a lot to digest, but you are literally sitting in the midst of a digital panopticon. That’s been a bad thing for a good long time, but now with AI rising in so many places, what are the chances that some network of corporate AIs is going to 1) track you, 2) create an influence campaign that reaches you, and 3) do it in such a way that not even their owners will be able to describe the methods or the motivations at work?
Don’t think Skynet, with its sledgehammer ending of civilization in the third installment. The first episode in The Matrix series offers better allegory, but the reality is liable to hew more closely to Huxley’s Brave New World. Things will just be wrong, and you’ll have nowhere to stand to even begin to set them right.
There are a number of songs about paranoia that come to mind, but I think Rockwell said it best …