The Freedom Phone – A Response

My post on the Freedom Phone received more views than any other post ever on this blog (link).

One longtime reader of the blog chimed in with some actual technical concerns regarding cell phones in general. Another reader left a comment about not doing bad things with certain body parts, essentially saying (I assume) that I was bashing the Freedom Phone. What I said was that I was taking a “wait and see” attitude. I am hopeful this new option provides exactly what they say they do. I responded to the commenter with some more specific concerns about the platform which I think bear mentioning in a post.

So here you go:

The offering is interesting but before I make a decision I would like more information. The company selling this phone offers VERY LITTLE in the way of technical specs for either the hardware or software. Before I give anything a thumbs up from a security perspective I want to see more than marketing blurbs.

While the Android OS is open source and based on Linux, the vast majority of the code is developed privately by Google employees and contractors. Google is also the major sponsor and funding source for the open source community around Android OS. Many components necessary for the operating system to be used on a phone are still proprietary and closed software maintained by Google. It would be extremely easy for Google to insert code that could be used to spy on those running Android-based systems without anyone being aware. In fact, it is proven that they do exactly this. One of Google’s operating units, Jigsaw, is a government contractor assisting the NSA and other agencies in their spy efforts. So, there is not only a political incentive but also a financial incentive for Google to plant spyware in the Android OS stack.

The hardware for the phone is sourced from China. It is a phone designed for the Chinese market by a Chinese company with ties to the CCP. Now, pretty much all phones are manufactured in China or from Chinese made parts. However, Apple, Google, Intel, etc. go to great lengths to ensure that the phones or components are free of embedded spyware (they hate competition). They have not always been successful with Intel being the most visible victim of this activity. If you buy ANY Chinese made electronics not under contract by a major US, Japanese, Korean or Taiwanese company it is almost guaranteed to have spyware embedded.

With all that said, it is POSSIBLE that the folks selling the Freedom Phone have overcome these obstacles and provided exactly what they advertise. But before I accept that as fact I want a lot more information and independent verification especially considering the recent history of even cybersecurity companies being compromised (supposedly by the Russians but more likely by the Chinese).

I certainly hope the folks at Freedom Phone have or can accomplish what their marketing claims.

With that said, cell phone technology as a whole has some critical security gaps which no vendor can bypass (technically or legally):

    • Every cell device is required to have a unique identifier in order to access cellular networks. These numbers are tied to your account with a provider. Legally, retailers of so-called “burner phones” are supposed to record personal data and tie it to the phone’s identifier (some may not if cash is used).
    • When that device is powered on it connects to multiple cell towers providing a location (through triangulation) of the device. This information is tracked by the carrier and is available to the government, in most cases without a warrant. Just ask the folks who were in Washington DC on January 6th.
    • Apps like Signal, ProtonMail and VPNs that encrypt communications are a good idea (I highly recommend using them). However, if the device itself is compromised/spyware installed, the data on the device can easily be accessed, including that sent over encrypted channels.

Another good point to consider and plan for is how you will communicate if cell service/Internet access is shut off. We are seeing that today in Cuba and have seen it in Hong Kong and other places recently.

Stay alert, stay prepared and stay safe.

God bless.

Freedom Phone

Several blog sites and Conservative blogs are sharing the news that the Freedom Phone is here.

What’s the Freedom Phone?

According to the web site (link) it is:

The Freedom Phone is a free speech and privacy first focused phone. With features like tracking blockers and an uncensorable app store.

Sounds like a noble goal.

It is based on the Android phone platform and runs a variant of the Android OS called “FreedomOS.” For me, that’s the rub. See, Google is the driving force behind Android and Android OS. Yes, technically it is an Open Source project but it is primarily driven and supported by Google who are most definitely not pro-freedom (unless you agree with their social and political views, then you’re free to burn cities down, assault those you don’t control, and commit murder and mayhem). I am not an expert on Android but from what my friends who are say, they could have accomplished most of this simply by creating an alternate app store.

I will be needing a new phone before too long, but for now, I’m taking a wait and see attitude on the Freedom Phone.

If you are more inclined to jump on this new offering there is a $50 discount from The Gateway Pundit on them. Just use the code TGP at checkout.

Stay alert, stay prepared and stay safe.

God bless.

Colonial Pipeline: Something Smells Fishy…

After non-committal answers from the current administration during the Colonial Pipeline incident the Department of Justice has announced that they have recovered much of the money (Bitcoin) paid in ransom.

A couple of things I have been able to determine from the press coverage of this “win” for the justice department.

First, the bad actor in question was (supposedly) smart enough to infiltrate and bring down a critical component of national infrastructure (more on this in a moment) but dumb as all get out by having the Bitcoin transferred into an online wallet maintained by a US-based company with its servers in the US. Basically, said bad actor gave them his personal bank account info to deposit money into…

Second, the DoJ shared that the bad actors involved (the ones dumb enough to give out easily traced info for the payment) were not in fact the Russian (oh, the scary Russians again!) DarkSide hackers. They were the one (or ones) who contracted with DarkSide to perform the hack (yes, Ransomware as a Service (RaaS) is actually a real thing).

Something doesn’t pass the smell test on this whole thing. It may have been an inside job by a Colonial employee wanting a quick payout when he/she recognized the security lapses. It may have been a government sting that actually failed but they are spinning it as a win. I don’t know but I know.

For a good analysis of the facts check out this article:

https://dossier.substack.com/p/the-colonial-pipeline-hack-the-russians

Stay alert, stay prepared and stay safe.

God bless.

New Diversions: Raspberry Pi and Kali Linux

Over the past few weeks I have been indulging my TechNerd self. I have been spending more time thinking about privacy and security from a personal perspective and that effort led to a couple of new areas of interest: Single Board Computers, specifically the Raspberry Pi, and Kali Linux.

While researching personal security and privacy I came across a post detailing how this particular person used the Raspberry Pi (and other single board computers) to help ensure his own data privacy. I have looked at these devices before and although I thought they were cool I never really saw a need for one, but after reading that I was interested enough to go ahead and spend the $90 to get a full set up: board, case, power supply and MicroSD card preloaded with the Raspberry version of Linux. It was cool and all but became even cooler when I bought a second MicroSD and loaded it up with Kali Linux.

Kali is a Linux distribution geared towards security professionals and is loaded up with tools for penetration testing, security auditing and forensic analysis. It’s a “one stop shop” for a ton of hacking tools geared towards the “white hat” hacking community.

Now, to be honest, this really isn’t just a diversion. I work in the cyber-security industry helping customers secure their environments from the bad guys. I know our product pretty well and I know the threats it is designed to counter but I really don’t know the other side of the story at any more than a conceptual level. I know the attacks we deal with and how we deal with them but I really don’t know how those attacks are performed. I have depended on other teams within the organization to research and educate us on them. Working with Kali will help me learn the attack side of things in addition to the defense since many of those tools are there to work with.

That will help make me better at my job. It also builds another marketable skill set. I doubt most penetration testers (pentesters) need to go onsite for their work very often so it is a skill set I could easily utilize remotely even after the COVID nightmare is over.

Hopefully, some of what I learn will make it into the blog in order to help others keep their data private and secure.

Stay alert, stay prepared and stay safe.

God bless.

Cyber Security/Privacy Suggestions

In these strange and dangerous times it would probably be a good idea to pay a little more attention to ensuring your privacy in electronic communications. Here are a few suggestions:

Instant Messaging/Texting – Although the security on most of the texting/Instant Messaging platforms is getting better, it would be a good idea to make certain conversations a little more secure. Telegram and Signal are both pretty good solutions for the average person. Both offer end-to-end encryption of messages, the ability to set messages to expire and to actually delete messages without them being archived on servers. Both assure their users that they are not tracking usage.

Do you need to encrypt the latest pictures of the kids or grandkids? No, but given the fact that The New Regime (AmSoc) qualifies support of the Constitution, questioning the validity of the last elections, support for Trump or opposition to the new order as being seditious, white supremacist, domestic terrorism, just about any political talk should probably happen in a secure manner. There are other options that are both more secure and more technically challenging to configure but these are fine for most of us.

Personal VPN – Again, it should be no surprise that your Internet browsing history is no secret. Various businesses and government organizations habitually track where you go, what you search for, what time you search for them, etc. Using a personal VPN can help. Personal VPNs create a secure (encrypted) “tunnel” to keep your passwords and confidential data safe, even over public or un-trusted Internet connections. They help keep your browsing history private. I recommend ProtonVPN; if you decide to choose another vendor, do your homework before selecting a VPN provider, especially for your mobile devices. A number of those in the two main app stores are based in China and do the opposite of securing your data…

Secure Email – Sometimes text messaging is not enough but you still want to be secure. There are a number of secure email services out there (hint: Gmail, Outlook, and Apple mail are not among them). I recommend ProtonMail for many of the same reasons as I recommend their VPN solution: secure, based in Switzerland, relatively easy to use, and anonymous.

Social Media – Always assume anything you post on social media is being read by The New Regime (AmSoc), their Thought Police, and their street thugs. Even if you are on one of the “free speech” sites and seem to be surrounded by like-minded folks be cautious of what you post/share. Nothing posted on social media should be considered secure. Period. Always assume that those on the other side are watching and taking notes. While it may be your right to question the election results or express dissatisfaction with life under The New Regime it could also put you and your family at risk. If you attend an event or protest do not post photos that include others who attended without their explicit approval. Just being photographed at pro-Trump events has cost people their jobs.

That’s enough for now, we’ll have more suggestions in the future.

Take care and God bless.

What About Four Or More?

If Ian Fleming was right and Once is happenstance. Twice is coincidence. Three times is enemy action. I don’t know how to count these:

SolarWinds was a partner with a company named Huawei. Huawei is the largest telecommunications equipment manufacturer in the world, second largest cell phone maker and a network storage vendor. IT guys have been warned for years about Huawei including back doors for Chinese spying. As a partner and solution provider SolarWinds would have had to maintain Huawei equipment at least on their development network (which is part of what was compromised).

Silver Lake is one of the major investors in SolarWinds. They are also tied to Huawei and other Chinese government owned tech companies. Kenneth Hao spearheaded the Silver Lake investments in China and opened the offices there. He is on the board of directors for SolarWinds…

Two more victims of this breach were announced today. One is Comcast, a major network provider to businesses and government agencies. More interesting is the local government of Pima County, Arizona. Why would the most advanced cyber attack on the planet target a local government instead of a large oil or insurance company? I can’t answer that for sure but oil and insurance companies don’t run elections.

Repeat after Ian Fleming:

Once is happenstance. Twice is coincidence. Three times is enemy action.

Take care and God bless.

Once is happenstance. Twice is coincidence. Three times is enemy action

If Ian Fleming was right we could be seeing the indications of an incredible enemy action.

The WuFlu hit (got loose/was released) in October 2019. The initial attacks linked to the Sunburst data breach started in October 2019.

The WuFlu hit the US around March of 2020. The code for the Sunburst breach was injected into the supply chain in March 2020.

In December 2020 a new and more virulent strain of the WuFlu is discovered just weeks after the Sunburst breach was discovered.

Repeat after Ian Fleming:

Once is happenstance. Twice is coincidence. Three times is enemy action.

By the way, despite what is being spun in the media there is nothing conclusive to show that this was the work of the Russians. The techniques are similar to those the Russian intelligence service uses but there is no hard evidence that this was a Russian operation.

Take care and God bless.

Seven VPN Apps Exposed Private Browsing Data

A group of seven VPN providers (all leveraging the same underlying infrastructure) was found by an independent lab to be exposing the personal browsing data of the services’ users, despite claiming none of that data was even being collected (link).

The exposed data included browsing history of the users, personally identifiable information (such as name, address, phone number, Social Security numbers, etc.), user IDs and passwords for online services and even payment information including credit card data.

Research these apps and security providers before trusting them with your personal data.

Take care and God bless.