low priced devices which surveillance you

11 respostas [Última entrada]
tonlee
Desconectado
Joined: 09/08/2014

In a broadcast a person spoke about the possibility, you buy a device and it will have built in surveillance software. A person could buy several hundred devices. Put surveillance or botnet software on them. Then sell them lowpriced. He spoke about governments doing it. A chinese government entity could order thousands of manipulated devices. Then have them sold low priced in nord america or europe acting as botnets. He mentioned, he had noticed chinese devices being that low priced, he would not rule out they were state paid surveillance or botnet devices targeting people in the west.
There is no protection against such practices?
If I buy a camera, usb memory stick, wifi card, they can have a chip with surveillance or botnet software and still run on debian main?
Thanks.

Soon.to.be.Free
Desconectado
Joined: 07/03/2016

It doesn't take the Chinese government to do that- the NSA can turn most cell phones into such surveillance devices (and probably botnets if they wanted to) pretty easily already. The Chinese government, I suspect, wouldn't even need to bother with loading the malware remotely.

Apart from whatever weak legal protections are in place to ban this, there's little stopping this. A cell phone has two computers- the main processor, and a 'baseband modem' which is used in communicating with the phone towers. It is illegal in most jurisdictions to modify the proprietary software running on this modem- and, unless you count the rather obscure and convoluted OsmocomBB firmware, quite impossible at present- such that there's no way to even determine the presence of backdoors besides observing their use.

Edward Snowden at one point commented that such backdoors exist. Furthermore, even if you can get Debian main running on the main processor, that wouldn't rule out the possibility of the modem being a problem- although I don't know whether or not the modem needs the main processor to load the firmware anyway, which would mean this isn't a problem.

Unfortunately, this dystopian state of affairs is quite plausible.

chaosmonk

I am a member!

I am a translator!

Desconectado
Joined: 07/07/2017

I hadn't heard of OsmocomBB. I was under the impression that no one has liberated a modem. It's hard to tell from their website how complete or active the project is. Is a free/libre mobile phone in fact feasible? RMS seems to think not.

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

As far as I understand rms criticizes the way the technology was designed: by triangulation, the phone operators can quite precisely locate its customers. If the code running on the modem was free, that problem would persist.

@tonless: summing up what Soon.to.be.Free explained, Debian would not know the mere existence of the chip it does not run on (and that would be the real "master" of the device).

Mangy Dog

I am a member!

I am a translator!

Desconectado
Joined: 03/15/2015

Aside from the phone actually spying on it's users, metadata correlation, network, cell tower tringulation, isp..

Invisible Infrastructures : Surveillance Architecture
https://labs.rs/en/invisible-infrastructures-surveillance-achitecture/

let’s start from the beginning and explain the way a device connects to a network, or rather how it authenticates itself on the network. For the purpose of authentication the device uses 2 ID numbers, the first one is the device’s IMEI number (International Mobile Station Equipment Identity), and the SIM card’s IMSI number (International Mobile Subscriber Identity). Both numbers are unique and predefined for every device/SIM card. The mobile carriers have an infrastructures of Base Stations (BS) that are geographically distributed throughout the area that’s being served by the operator

Soon.to.be.Free
Desconectado
Joined: 07/03/2016

As Magic Banana said, Stallman's concern is more to do with the network structure than the freedom of the device itself- and indeed, a fully free phone is (theoretically) possible.

In regards to OsmocomBB, I'm honestly not sure how complete or active it is either. I suspect it is in a working state, but the whole thing is likely too complex, convoluted, and questionably legal to attract significant attention.

SuperTramp83

I am a translator!

Desconectado
Joined: 10/31/2014

All Your Baseband Are Belong To Us!

http://www.youtube.com/embed/fQqv0v14KKY

tonlee
Desconectado
Joined: 09/08/2014

My post was about devices to be connected to debian main and other libre gnulinux
systems. The argument on this forum is, your best option is to buy hardware
devices which run entirely on libre software.
The person I mentioned says, criminals and governments may put devices on
the market having botnet or surveillance software integrated. They will work
with debian main. Disclosing the botnet or surveillance software is difficult.
He has not been able to display cases.

If you buy a device which supposedly works on libre software, I see no
practices in place to counter the mentioned botnet and surveillance
software. Likely there are no simple counter measures available to disclose
the botnet or surveillance software. Maybe wireshark and other pieces of
software I do not know about, are relevant in order to disclose the
botnet and surveillance software should it be there.

Mangy Dog

I am a member!

I am a translator!

Desconectado
Joined: 03/15/2015

Maybe wireshark and other pieces of software I do not know about, are relevant in order to disclose the
botnet and surveillance software should it be there.

Yes, you can monitor your network with a network sniffer (like with tcpdump) (Wireshark) Zenmap, EtherApe is a nice friendly gui's.
http://www.aboutdebian.com/monitor.htm

Magic Banana

I am a member!

Desconectado
Joined: 07/24/2010

My understanding is that you will not sniff anything if a tiny secret computer (the real master on all peripherals), inside the same box, runs the malware. You need another computer sniffing what is going in/out of the monitored machine.

Mangy Dog

I am a member!

I am a translator!

Desconectado
Joined: 03/15/2015

Yes, that's what i meant.

ie : i meant with another pc one would have to monitor all that machines incoming/outgoing packets/connections ;-).

SuperTramp83

I am a translator!

Desconectado
Joined: 10/31/2014

Yeah.. Watch the vid I linked and hammerdatphoon.jpg :)