Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Privacy Handhelds Microsoft Security

Ask Slashdot: How Do I Reduce Information Leakage From My Personal Devices? 261

Mattcelt writes: I find that using an ad-blocking hosts file has been one of the most effective way to secure my devices against malware for the past few years. But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own. And finding out today that Microsoft is, once again, bollocks at privacy (no surprise there) made me think I need to add a new strategic purpose to my hosts solution — specifically, preventing my devices from 'phoning home'. Knowing that my very Operating Systems are working against me in this regard incenses me, and I want more control over who collects my data and how. Does anyone here know of a place that maintains a list of the servers to block if I don't want Google/Apple/Microsoft to receive information about my usage and habits? It likely needs to be documented so certain services can be enabled or disabled on an as-needed basis, but as a starting point, I'll gladly take a raw list for now.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: How Do I Reduce Information Leakage From My Personal Devices?

Comments Filter:
  • Simple (Score:4, Informative)

    by NEDHead ( 1651195 ) on Monday February 01, 2016 @02:13PM (#51415549)

    Never use an internet connected device

    • It's rather shocking that APK wasn't the first to post in this discussion.

      • by ihtoit ( 3393327 )

        I think it was APK who did the submission.

        • Re:Simple (Score:5, Insightful)

          by omnichad ( 1198475 ) on Monday February 01, 2016 @03:14PM (#51416053) Homepage

          No, it appears to be reverse-trolling aimed at APK. For one, it links to a competing HOSTS file engine.

          And then the most telling, is this quote:

          But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own.

          • by jafiwam ( 310805 )

            No, it appears to be reverse-trolling aimed at APK. For one, it links to a competing HOSTS file engine.

            And then the most telling, is this quote:

            But the sheer number of constantly-shifting server DNs to block means I couldn't possibly manage such a list on my own.

            "Managing" the list isn't needed.

            I use the same one linked in the submission, and I update it about once a year when I start to see stuff I don't want.

            Sometimes I add things I want, and sometimes I have to search through it to take something off. But, both of those things are pretty rare.

            For most stuff, the HOSTS file lists are 99.9995% effective at blocking ads, and slightly less effective at preventing malware attempts.

            Some day I am going to figure out how to pull that list into a script and load

            • "Managing" the list isn't needed.

              Never said that it was. Just saying that this fact wouldn't be brought up if it was APK doing the submission.

    • Never have information.

    • Re:Simple (Score:5, Interesting)

      by Anonymous Coward on Monday February 01, 2016 @03:01PM (#51415957)

      Yesterday, I was waiting while sitting in an airplane. I hadn't put my iPhone yet in "airplane" mode. The cell reception was next to non-existent. I turn on the music player and it gets stuck on the startup screen. Nothing I can do. I turn on airplane more, then it works immediately. It's not the first time I noticed this happen. Even just trying to listen to your own tunes Apple still makes your devices connect "home", regardless of how you disable any limited settings that may have an effect on this. Therefore,

      > Never use an internet connected device

      is accurate.

      That's just an example. Almost every program by Apple does that, as seen in the Activity Monitor on OS X. People like to rant on Windows 10 calling home, but MS is just learning from the experts ;)

      • At least they could make phoning home asynchronous. It would at least hide it better.

        • If that is the case, then shouldn't it be possible to create a program that pre-cashes all outgoing streams prior to their being sent and then inject meaningless random signals into the stream so that the receiving end simply gets garbled data?

          This way one could conceivably "randomize" data except that you specifically wish to transmit. Presumably, such an algorithm would intercept all interrupts, trace their source, and randomize as required. No doubt it would greatly slow the system, but would it not i

          • I have no idea what you are saying.

            • by mikael ( 484 )

              turkeyfish is suggesting that the TCP/IP sockets layer attempts to cache all the data being sent. Unfortunately, this isn't going to work because the reason the application stalls is because the TCP/IP layer is attempting to request a DHCP address from the network (which isn't going to happen), look up the address of a particular hostname (which isn't going to happen either), then stalling again when it tries to open a synchronised two-way connection with the desired host (which isn't going to happen as wel

              • My subthread was about this tracking being better (or at least unnoticeable) if performed asynchronously to the main program thread (it works offline just fine). They likely use the word cache (or cash) when they meant buffer. And changing the outgoing data is just going to cause an error response from Apple and still put the app on hold . Why not just block the request or simulate a dead connection (airplane mode) instead? There's no point interpreting his post, it's worse technobabble than you'd find

            • "I have no idea what you are saying."

              Proof that the scheme works.

          • by rtb61 ( 674572 )

            Best bet is for a fire wall router to block all undesirable IPs out and in and this updated from the internet, with user interaction required. Trying to secure an OS from perv http://www.urbandictionary.com... [urbandictionary.com] OS manufacturer, is impossible, the can straight up go around any software blocks you put in and redo them every single update. So either drop the OS or upgrade to a secure modem router designed with the express purpose of blocking pervert corporations. Windows anal probe 10, specifically requires a

    • Re:Simple (Score:5, Informative)

      by Aighearach ( 97333 ) on Monday February 01, 2016 @03:13PM (#51416043) Homepage

      Never say yes to an app permission your use of the app doesn't require. Generally this requires only using open source apps, and downloading the source and turning off extra permissions.

      Never require networking from apps that you don't want to phone home.

      Assume everything that can phone home, does.

      As to the complaint that MS's "privacy mode" isn't as private as some people wanted, it reminds me of Richard Feynman at Los Alamos complaining that otherwise-intelligent people thought that secrets were safe because they were stored in devices called "safes." Had they been called "locking cabinets that reduce the likelihood of access a little bit, especially by honest folks" or something else literal, they might have had less problems with secrets being stolen. "Privacy mode" isn't intended to make everything "private," it is intended to mask your pr0n access from casual examination of your browser history. But that isn't actually private in most cases, it is just web traffic and they could unmask you at the router anyways. Internet doesn't have a "private" option, if you want private you'll need a "private network." Internet is a "public network." It is like wanting privacy on the sidewalk; you can't have it. You can usually keep people from touching you, though.

      Ultimately if you want a private mobile device, you should be buying hardware, replacing the OS with something FL/OSS and only using a private network.

  • Freedome VPN claims to help with this:
    https://www.f-secure.com/en_US... [f-secure.com]

    • by beelsebob ( 529313 ) on Monday February 01, 2016 @02:25PM (#51415657)

      Right - then you just leak information to the VPN host.

  • by Actually, I do RTFA ( 1058596 ) on Monday February 01, 2016 @02:18PM (#51415605)

    Is there a way to use some things (E.g. Google Maps) with known leaks, without exposing every activity to Google all the time on unrelated sites. It seems like limiting some domains make sense, but I'm thinking of things like cloudfront.net

    Also, is there some way to prevent the CDN-style spying/extra downloads?

    • cloudfront, as far as I am aware, usually operates via per-distribution subdomains.

      But then, based on your follow-up, "CDN-style spying", I might simply have no idea what you're talking about. Do you consider CDNs to be a form of spying?

      • To my understanding, some CDNs server a unique datafile to every response, instead of using cached files. This can be done by introducing meaningless arguments into the URL that resolve to the same location, but do not need to. It's similar to the 1 px transparent gifs.

        Unlike the gifs, blackholeing the CDNs doesn't work, because the JS is required by the main page.

        So, it's more expensive, but also more reliable.

    • by amicusNYCL ( 1538833 ) on Monday February 01, 2016 @02:27PM (#51415677)

      There's a curated hosts file here that contains a section for blocking domains used for Windows 10 reporting, if that's your thing:

      http://someonewhocares.org/hos... [someonewhocares.org]

      There are also several domains relating to Google and Apple.

      If you have a small list of several domains you want to block, you can probably just search for hosts files and include several of those domains as additional keywords.

    • Google maps doesn't have a leak; actually, google is the data provider! They're not providing a pipe to some other map, or putting a tollbooth in front of a public map, it is actually their map stored on their server, and when you use google maps you explicitly ask them for that data. Asking somebody for something isn't the same as leaking your identity to them. You're telling them who you are when you show them your face to ask to look at their stuff. ;)

      • Right, I want to use some Google services (e.g. Maps) while preventing a data-leak when not using their service (e.g. being on /.)

        I get that I cannot use G.maps without telling Google things. I just want to only tell Google what I want to tell them explicitly.

        • If you're worried about a data-leak "when not using their service," it sounds like you're a bit confused about what you want. If it is some other thing that is leaking, like slashdot, then why are you even talking about maps?

          Try to describe your complaint in such a way that your words are literally true. Whatever stylistic form you're attempting may be great, but your complaint is not at all clear.

          It may be that you don't have a specific complaint, and just heard some people on the internet say some non-spe

          • I want to use Google maps. This means not blackholing all of Google to

            I want to use /. and other sites, without Google tracking me. Normally this means blackholing all of Google to

            Sure, it's technically /. that put the tracking on their site, but the solution is normally to violently kill Google's IP.

            Similar to how I typically keep FB from getting any requests, which means I could not log into FB if I want to.

            • I presume you use google maps on a mobile device, and firefox on non-mobile device, so uMatrix cannot help you, right? Or am I mistaken?

              For mobile devices, where google maps is most useful, I try blocking all access from it using Xprivacy / firewall when I am not using. This includes contacts, GPS, internet and some other. When using, I only enable GPS and internet, and disable again once I am done.

              Not sure how good this is.

  • How the hell are you someone that's been on slashdot EVER and haven't been bombarded by "APK" posts.
    Google "APK Hosts File Engine".

    • In his quest to block ads that he doesn't want to see, maybe he's just looking for a piece of software that isn't advertised via spamming Slashdot.

      • Then how about a piece of software advertised via the "Third Party Misc Tools" section of a site operated by Malwarebytes [hosts-file.net]?

        Also watch for the "ad spaminem" fallacy.

        • by amicusNYCL ( 1538833 ) on Monday February 01, 2016 @02:50PM (#51415863)

          You know as well as I do that his software would be better received if he maintained a web site for it and didn't treat Slashdot as his personal advertising site. When he posts 30+ wall-of-text advertisements in certain threads then his reputation gets diminished a bit. He is, by definition, a spammer, so people can be excused if they don't want to use a piece of "security software" advertised by a spammer, regardless of who else hosts or recommends it.

        • Re: (Score:2, Flamebait)

          by gstoddart ( 321705 )

          OK, what's the "crazy, strident, screeching nut job" fallacy one?

          Sorry, I've seen the posts, and you don't get to be taken seriously by being a ranting idiot who is only a half a degree of crazy away from the time cube guy. At that point you should just accept that nobody is ever going to decide to try your "product" or listen to what you say.

          Crazy internet troll posting isn't a criteria for ever trusting the crap you keep claiming is awesome.

    • You can't install it as an APK on your Android device because only root can write to the hosts file, and by default, only an Android device's manufacturer (not its owner) is root.

    • I've been here for a long time, and active that whole time, and that doesn't really ring a bell to me. Probably seen it, but probably ignored it too. When was the last time I heard some neckbeard pining for hot grits? I don't know, I never paid much attention to that sort of idiocy. The idiocy itself sometimes rises to a level that feels like a bombardment, but it is generally a wide range of idiocy rather than a specific meme being the bomb.

      When I think of slashdot and hosts files, I actually think of the

      • Who is responsible for that strobing set of web pages? Seriously, that's not cool.

        • Kinda silly to complain about the strobing when I put a warning right on the link.

          It is by some famous artist, you'll have done well in life if you die half as famous as him. If it doesn't speak to you, well that is art. Nobody asked it to speak to you. Go and choose something else. Be strong, little newbie. You can do it. Find some kittens or something.

  • Good luck ... (Score:4, Interesting)

    by gstoddart ( 321705 ) on Monday February 01, 2016 @02:31PM (#51415707) Homepage

    How Do I Reduce Information Leakage From My Personal Devices?

    You haven't been given the same tools on your mobile device as we have on desktops, because the ad revenue from mobile devices is what everybody most wants.

    The OS, and every app largely exist to track you and serve you ads.

    I'd be surprised if there was an easy mechanism, which worked on multiple devices, and didn't require a rooted device. Because this is precisely the kind of thing which isn't nearly as available as it should be.

    Me, I'm betting the OS makers have pretty much decided no way in hell you're getting that kind of control, and if they gave it to you malicious apps would use it to take over where your device really goes.

    Being able to control that is a two way street, and the potable devices don't surrender as much control.

    • Re:Good luck ... (Score:4, Informative)

      by tepples ( 727027 ) <tepples@gm a i l . c om> on Monday February 01, 2016 @02:54PM (#51415893) Homepage Journal

      Disable Google Play Services and obtain free apps through F-Droid instead of proprietary apps through Google Play Store. Better yet, if your phone is supported, install a third-party Android Open Source Project (AOSP) ROM such as CyanogenMod or Replicant. I can't guarantee it'll plug all leaks, but it should stop the big one.

      • Re:Good luck ... (Score:5, Insightful)

        by gstoddart ( 321705 ) on Monday February 01, 2016 @03:23PM (#51416131) Homepage

        So, root it, built it from a kit, forego the apps you really wanted, and hope you can trust these 3rd parties.

        While technically correct, people generally don't wish to build their phone from a kit and have to take that level of control. Because it's a pain in the ass.

        I've pretty much decided I'll use Firefox with no javascript or cookies enbaled for most of my browsing, I'll uninstall any app which is just a wrapper around content I can get from the web or which can't run in airplane mode, I'll mostly leave my wifi off, and when I used the native Google apps I just go "la la la". But for most people, that's not going to be acceptable either.

        Your solution? I'd probably just stop using the device altogether ... at a certain point in one's life, endlessly fiddling with technology ceases to be fun, and just becomes a chore.

        • There is a balance, but it isn't easy for most:

          1: Start with a decent phone that has an unlockable bootloader. HTC devices come to mind, as well as Google Nexus offerings.
          2: Install CyanogenMod, or a good base ROM with support. It doesn't hurt to donate some as well to said project. Gapps after that.
          3: Install XPrivacy if possible. This does an excellent job at stopping nosy apps cold.
          4: Install AFWall+. This is a last resort, but a solid defense at keeping apps that phone home from doing so.
          5: En

        • I'll mostly leave my wifi off

          Good practice, since (for example) a given grocery store can start correlating your media access address with your presence, even if they don't (initially) know your identity. Ditto anyone scanning for wifi pings on the highway.

          So here's an elaboration on keeping wifi mostly off: I have an event managing app (in my case, Llama, there are others) that I've configured to shut off wifi every time I disconnect from any network. I manually re-enable whenever I get to my destination (e.g. home); for whatever

      • CyanogenMod and Microsoft are getting a little too close for comfort. http://www.androidcentral.com/... [androidcentral.com]

        However, the last version I used (6 mo. ago) was very nice if you didn't want to tie your device to Google. At this point for security conscious people, Apple might be the least horrible solution. I've also started to be less critical of Microsoft lately.

  • I've gone the route of using VPN to my home network, and using a DNS Server with the Hosts file installed, effectively destroying many advertising links on my mobile devices. Unfortunately, it's not perfect, but I have ad-block in nearly ever application on my iDevice now.

  • by Nonesuch ( 90847 ) on Monday February 01, 2016 @02:45PM (#51415829) Homepage Journal

    If you don't want to root your device and don't want to tunnel all your traffic to a VPN server (adds latency) , you can use one of the Android "NoRoot" firewalls that routes app traffic through a local VPN for inspection and filtering. This uses more CPU and battery, but all protection is done within your mobile device. It takes a lot of manual effort to build a policy that blocks undesirable traffic and still lets apps work.

    You can tunnel your traffic to a commercial VPN provider, but now you are trusting them to maintain performance and not invade your privacy, and they won't have any visibility to the contents of traffic that is inside SSL/TLS encryption, for better or for worse (e.g. cannot inspect Android apps downloaded as APKs from SSL websites).

    Better yet, you can root the device and add your own Certificate Authority and firewall settings. Now you can use your own VPN to ensure all traffic from all applications goes to a remote VPN headend for inspection/modification, even traffic the device thinks is encrypted with SSL. If you have many users going through the same VPN, you can do things with packets and headers to make it difficult for CDNs and ad networks to identify individual users who are all behind the same gateway.

    If you have more time than money, you can build up a VPN headend with open source tools (e.g. Squid+SSLbump)., and write policy to block traffic that doesn't meet your security policy, and to log what your device tries to send. You can use header modification to strip out identifying information and cookies.

    If you are a business or otherwise have more money than time, the expensive approach is to use a commercial firewall appliance that has a client VPN and URL filtering service (e.g. Checkpoint, Palo Alto, Juniper, F5, etc). You set up the VPN to send all your mobile device traffic through the firewall, and use firewall policy to decrypt SSL, inspect APKs, and block ads. This solution is very effective at blocking ads and undesirable network traffic, and can often detect or block malicious APKs and other attacks.

  • by snarfies ( 115214 ) on Monday February 01, 2016 @02:48PM (#51415855) Homepage

    1) Root your phone. If you don't have full control over your device, you have no chance.

    2) Install Xposed Framework (http://repo.xposed.info/)

    3) Install Xprivacy (http://repo.xposed.info/module/biz.bokhorst.xprivacy)

    Xprivacy doesn't block your programs from sending whatever they want to send - if you try to do that, most programs will crash. Instead, it feeds your programs completely false information. Boom, you win.

    • Does Xposed stuff work on Android 5/Lollipop? At least when I upgraded from 4.4 to 5.1, most of the Xposed plugins that I had stopped working.

  • Two things...

    1. VPN your network connection.

    2. Don't put anything on your device you wouldn't want to publish on line.

    Apart from that, who cares? IF you do, you are either worried about stuff you shouldn't for health reasons, or stupid to put information into that portable computer you call a Smartphone/Tablet..

  • I prevent leakage by using those little plastic bags with the two rows of ziplock. Especially the ones with the yellow and blue making green (even though it’s actually magenta and cyan that make green).

  • Here's how to do it (Score:5, Informative)

    by Artem Tashkinov ( 764309 ) on Monday February 01, 2016 @03:03PM (#51415975) Homepage

    Here's my old comment verbatim:

    First of all there are immortal cookies (infinite cache entries created specifically for your unique PC). Secondly, there's a unique combination of your web browser + OS + fonts + plug ins: https://panopticlick.eff.org/ [eff.org] Thirdly, there are unique patterns in your behaviour (websites that you visit and how frequently you do that) and other wonderful metrics to trace you.

    If you want to avoid being traced and tracked there's just one way:

    • You buy a single time anonymous SIM card with Internet.
    • You go to some public place where there no web cameras installed or you're not under their monitoring.
    • You browse the web using at least TOR, or even better a combination of VPN + TOR.
    • You use the most common computer OS (Windows 7 64), the most common web browser (IE11/Google Chrome or Mozilla Firefox) and the least number of browser plugins and extensions.
    • You do NOT login using Facebook/Google/Microsoft/Yahoo/etc. services, because these companies trace your presence on unrelated websites using various "Share Me" options.
    • You do NOT use Skype/WhatsApp/Vibe other apps.
    • You completely destroy your browser profile and this SIM card after you're finished.

    This is actually a recipe for browsing the web anonymously however this is the reality of the modern web - not to be traced means to be anonymous as much as possible.

    All other ways are only half measures. Or, like people have suggested, you may stop using the Internet completely. It should have long been renamed to a "Trackingnetwork".

  • If you really want to start limiting info gathering, I would suggest a 2nd phone for digital work.

    Your first phone might just be analog voice only, or at least you don't do digital on it.

    Move the digital phone from ATT to Verizon every month back and forth with a new SIM card and disposable email addresses & new phone numbers if you really want to limit access.

    Connecting through your lapto through a cell phone hotspot connection isolates it from WIFI snooping.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Monday February 01, 2016 @03:13PM (#51416049)

    Brave [brave.com] beta is just out. A project from the former CEO of Mozilla.
    AFAICT out of the box one of the safest and most private browsers around.
    Definitely a leg up from the usual suspects.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      The last I read, Brave will inject it's own ads. No thanks.

  • Personally trying to set up a Ubiquity EdgeRouter to do the same. In my case, there are just a few devices I don't want to have any external access, so I will have a dedicated SSID for them and provide local network access but no routing. Other things I will have to manually switch a network port for a device to give access to the Internet.

    Haven't hit the point yet where I feel a need to do a transparent proxy; my goal is mainly to strip "cloud" functionality off devices that I don't want to have it.

    Try to

  • Trust no one.

  • If it can keep crap out, it can keep crap in right?
  • For Computers - OS X and Little Snitch https://www.obdev.at/products/... [obdev.at]
    A bit costly but it does the job you want.
    Also, OS X being a UNIX machine, you can use your hosts file.

  • About 18 years ago, well before our current models of internet, social media and data collection were even born I had an interesting experience.

    I applied for a high end insurance package with a lot of umbrella/liability protection that came at a very low cost. The cost was low because as my insurance agent put it "They're going to crawl up your with a microscope the size of a small country". Since I've held top secret and nuclear q clearances, this didn't really bother me.

    About 3 weeks later I get a call

  • If a smart TV has ethernet and wifi, never use it. Use the USB or that data connections to "sneaker net" any files to the device.
    Buy a camera thats a camera and not a networked database device with a good lens. Select the images you like and upload them later or from an OS.
    Sort the images on a computer and select only the images you want to share. Understand that any free cloud, hosting, advertizing network or OS uploads will have all images examined for facial recognition, for images of interest of th
  • To stop leakage, buy an Ipad with wings.

"I prefer the blunted cudgels of the followers of the Serpent God." -- Sean Doran the Younger