From Smartphones to Smart Fridges: Navigating the Modern Age of Surveillance with a Wink and a WiFi Password!

[sergeylim88]

i think you guys are making some things far more complicated then actually needed.
sure, all that makes sense to a certain extent, but then again you are using their silicone and all that stuff won't actually help.
for reference check Elbrus-8S - Wikipedia
i am sure it won't outperform Intel/AMD in any way or form, and develop cost a fortune. there was a reason why they did it, guess what was it

using linux distro is def.. good thing for privacy(in term statistics wont be shared, there will be no update sharing...like with Windows OS), but linux is not bulletproof (like any other OS) when it comes to security.

actually, i find MacOS to be fairly private, no matter how strange that sound.
privacy leak vectors in a lot of cases have nothing to do with the actual os, but with cookies, temp files, browser fingerprinting (guess why they don't recommend you running tor in full screen mode )

i am not an expert like our friend @0xDEADBEEF
so i would appreciate his comment on what i am saying here, so far i think our opinions were fairly similar

also i would love to read that pdf too, but i am not a gold member, so if possible to get it, it would be great, if not no problem.
speaking of PDF, Office documents...huge vector for attack. running them in isolated systems (virtual machine) could be a good choice (or disabling macros, and using something like SumatraPDF)

 

[JohnLocke]

actually, i find MacOS to be fairly private, no matter how strange that sound.
privacy leak vectors in a lot of cases have nothing to do with the actual os, but with cookies, temp files, browser fingerprinting (guess why they don't recommend you running tor in full screen mode )

With all due respect, I would not put my trust in MacOS - you may be right, and if you are, I will think differently, but Apple is known for selling all the data they have and/or using it for promotional purposes.

 

[sergeylim88]

i fully understand your concern.
question is what kind of privacy are we talking here, are we talking about sharing some anonymized data, or actually sharing your personal data/files.
also, most of my recommendations are not privacy oriented, but security oriented.
those 2 things are not the same, but you can't be private unless you are secure.
infected/compromised device is just one step away from being someone that tells a lot about you to even lower level attacker (ex. other competitor business).

am I right or wrong it is hard to tell, and being right today doesn't mean you will be right tomorrow (and vice versa).
please keep in mind I am not a professional at this, and my knowledge probably has a lot holes.
we do have some smart people here who will tell me.

 

[0xDEADBEEF]

actually, i find MacOS to be fairly private, no matter how strange that sound.
privacy leak vectors in a lot of cases have nothing to do with the actual os, but with cookies, temp files, browser fingerprinting (guess why they don't recommend you running tor in full screen mode )

Based on collection of diagnostic data, it's safe to say that macOS reports less information than Windows, and most settings are centralized on macOS. This makes it easier to control access to private data. What really annoys me about Windows is that if you have an internet connection during setup, you're forced to create a Microsoft account. In my opinion, this is a nasty dark pattern and further proof that they want to tie your "anonymized" data to an identity. Also, Apple is pretty strict about data collection and sharing. Sure, this came after they tried monetizing user data but failed, so now they've ended up disrupting tracking via ads on their devices for competitors without really doing anything with the data (yet).

I run most flavors of operating systems on different hardware (a versatile person is a survivor), but I choose my MacBook as my daily driver because it's incredibly powerful, has amazing battery life, fits in my bag, and is easy to configure. Regarding the other options, there are various levels of privacy and security you can choose, from casual user to keeping all your data local, to full-on tinfoil mode if you're paranoid about Phig Barma stealing your cancer research. So again it is really a personal choice. You can obtain a posture that is objectively secure, but still it does not mean that this is tailored to the threats that are applicable to you.

Security equals control, so if it's true security you want, I'd suggest choosing a Linux distro based on your requirements. For personal use, a MacBook is a great choice. For enterprises, Windows is a practical option if your goal is to manage devices collectively. However, if you have a threat model that requires greater control, you should definitely customize a Linux distro and harden it to your liking.

There's much more to discuss on this topic, but the above is the tl;dr I have in mind.

am I right or wrong it is hard to tell, and being right today doesn't mean you will be right tomorrow (and vice versa).
please keep in mind I am not a professional at this, and my knowledge probably has a lot holes.

You hit the nail on the head. Security is a continuous process where you need to validate, reevaluate, and improve the strategies and controls you've put in place to protect your critical data.

This brings us to the CIA triad, a fundamental concept in security that stands for Confidentiality, Integrity, and Availability. Confidentiality ensures sensitive information remains protected from unauthorized access, maintaining privacy. Integrity safeguards the accuracy and consistency of data, preventing unauthorized changes. Availability guarantees that authorized users have reliable access to information.

I can guarantee that if you implement your controls effectively to uphold the CIA Triad, you'll automatically maintain a sufficient level of privacy.

also i would love to read that pdf too, but i am not a gold member, so if possible to get it, it would be great, if not no problem.

Not sure when, but I will invest some time into making this guide and I will also share it with you.

 

[JohnLocke]

So the only thing missing to do this is to have the technical knowledge yourself, know someone (which poses a security risk), or hire a company, which again can lead to a security breach - what do you do if you don't have the technical skills?

 

[0xDEADBEEF]

Segmented networks are quite good. I assume that @0xDEADBEEF set-up complete physical isolation without bandwidht sharing. In SOHO set-up I would recommend slightly different option - WAN fail-over with VLAN segment isolation and edge VPN (Wireguard is decent; the optimal is with PSK). That would achieve network redundancy. In DC or corporate set-up we use multi-homed network with at least 3 different peers (IP transit providers so you must have your own ASN) - could be SOHO (for home and office) option as well, depending on provider's resources.

I did see this post but forgot to give a proper response. My 'home network' uses a mesh network for WiFi, while my 'office' network is physically segregated with all connections via UTP. The critical data is stored in my 'office' network, so by gatekeeping these segments, I maintain a sufficient level of security. Yes, I have considered using multi-WAN and putting it all behind the same perimeter device, but for multiple reasons, I decided against it. However, I'm thinking about setting up additional logging and monitoring for the 'home' network, though I'm still figuring out how to implement this. So, I might take your suggestion and have the networks share the gateway. That would also mean I need to upgrade the firewall hardware to support IDPS + DPI to handle the full bandwidth.

Hardware - not cloud - firewall is mandatory where OPNSense will suffice with pfSense as alternative. Corporate options such as Palo Alto products are over-kill in SOHO.

I agree that it's overkill, but I'd be lying if I said I wasn't considering getting PAN gear for home use. It would be more for experimenting in a lab setting than a real necessity. However, the price point for PAN equipment is a dealbreaker for me and most organizations. You seem to know your stuff when it comes to networking. Beyond OPNsense/pfSense, what other solutions would you recommend for SOHO/SMEs? I've looked into FortiGate, Ubiquiti, and Sophos. And let's keep vulnerability management for these devices out of scope for now and just focus on functionality and price.

So the only thing missing to do this is to have the technical knowledge yourself, know someone (which poses a security risk), or hire a company, which again can lead to a security breach - what do you do if you don't have the technical skills?

Security controls generally fall into three categories: administrative, physical, and technical controls. If your company lacks the tools or knowledge for technical configurations, it's wise to start with administrative controls. This means documenting everything, outlining potential threats, preparing for worst-case scenarios, and viewing your company from a comprehensive 360-degree perspective. Begin by exploring available policy templates, this can help you understand how to initiate high-level implementations.

The first actionable step is to inventory all your assets to understand what needs protection—this is both an eye-opener and a requirement (know thyself and know thy network). Keeping this inventory current ensures you’re always aware of what you own and can help identify potential attack vectors, thus pinpointing vulnerabilities in your operational security.

The market is increasingly accessible for smaller organizations and entrepreneurs, so there's likely a security solution that fits your budget and threat model. You can opt to upskill yourself and your team or hire a specialist or company for technical and physical implementations. Many SMEs use a managed service provider for IT services, and you might consider expanding this to include a managed security service provider (MSSP).

Managed Detection & Response (MDR) services can set up tools and strategies within your network to enhance visibility, detect anomalies, and respond swiftly. However, selecting the right MSSP can be challenging; many serve diverse clients and may not have deep expertise, especially at non-premium levels. Your data will likely be stored on the provider’s infrastructure, since managing this in-house requires significant expenses and knowledge. So when you engage with other parties, make sure you have ironclad agreements in place (data processing, SOPs, SLAs) with a reputable firm to mitigate the risks of being screwed by/through them.

I agree that bringing an additional party into your operational security adds a layer of risk, but in most cases if you value the security of your operations you have not a lot of alternatives. Therefore, choose a partner that is well-regarded within the (local) security community and has a proven track record. Opting for a provider who values their reputation means they are more likely to maintain high standards of service and security.

 

[mraleph]

So the only thing missing to do this is to have the technical knowledge yourself, know someone (which poses a security risk), or hire a company, which again can lead to a security breach - what do you do if you don't have the technical skills?

A service model. It's a matter of trust - towards lawyers, accountants, bankers, MDs etc. and nowadays engineers.

We are technology dependent but we live in society; hence, boundaries of security model don't end with technology as hostile actors defined by your threat model are always physical persons - the analogous concept to UBO and usufruct.

Optimum is to know the logic and perhaps certain procedures in order to be able to make informed decision - what do you need and from whom to procure and above else, whom to trust - and control performance. Every service provider is bound by means but not performance. Those means are a metric of trust.

The best is that you are competent and able to establish, maintain and develop your own infrastructure and OPSEC.

The key is redundancy and resilience - don't put all eggs in the same basket - analogous to have a holding with plethora of operational companies in different jurisdictions that have multiple accounts with multi-currency option.

I did see this post but forgot to give a proper response. My 'home network' uses a mesh network for WiFi, while my 'office' network is physically segregated with all connections via UTP. The critical data is stored in my 'office' network, so by gatekeeping these segments, I maintain a sufficient level of security. Yes, I have considered using multi-WAN and putting it all behind the same perimeter device, but for multiple reasons, I decided against it. However, I'm thinking about setting up additional logging and monitoring for the 'home' network, though I'm still figuring out how to implement this. So, I might take your suggestion and have the networks share the gateway. That would also mean I need to upgrade the firewall hardware to support IDPS + DPI to handle the full bandwidth.

@0xDEADBEEF approach differs only in matters of operational aspects, not the concepts - we can discuss operationals, but it will always be related to preferences and conditions I would comment two things though.

WLAN and it's mesh set-up is acceptable for any network where no protected information with above private classification are exchanged between users in cleartext; in your case "home" designation with obvious meaning. In this context, I certainly assume that WLAN has appropiate encryption WPA3/WPA2 but the actuall protected information are separately encrypted.

Shielded network cables should be used whenever possible, not just because of TEMPEST.

As for proposition about HW firewall, I'll send a DM so we don't "spam" the thread - I was already "accused" by some satellite bot of spamming

Logging It's somewhat misunderstood topic, good that you mentioned it as that is actually the core of OP's topic.

Beware of marketing about encryption and logging. There is symetric and asymetric encryption - hybrid, zero-knowledge and any other fancy wordings are just that - wordings. As for logging, depends what is assumed as logging. Every POSIX O/S deployed as server has logging capabilities. Those capabilities called daemons register and store attributes for different system and network components - user, kernel etc.

There is no need for those inherent system logging capabilities in POSIX O/S, but they are actually usefull when diagnostics is required as problems are real - there is no failure free design and operational system in the wild.

There are commands that can be executed within shell scripts as cron job and their output piped thru network or stored locally. This is how Wireguard was invented - it was used as a root-kit network capability that was never uncovered on infected/targeted systems.

Hence, logging is quite an ambiguous word. Never believe service providers - perhaps, they themselves don't know or can't comment about the logging, but that is entirely different topic and not a public one.

Regarding OP's topic, I would quote myself, by logging and locating, end users are denied of anonymity, privacy and confidentiality thru persistence of their antipods.

i think you guys are making some things far more complicated then actually needed.
sure, all that makes sense to a certain extent, but then again you are using their silicone and all that stuff won't actually help.
for reference check Elbrus-8S - Wikipedia
i am sure it won't outperform Intel/AMD in any way or form, and develop cost a fortune. there was a reason why they did it, guess what was it

@sergeylim88 mentioned sillicone which is even more related to OP's topic.

Every server machine is controlled via out-of-band management interface (IPMI, iDRAC, iLo etc.) that has it's own SoC - in server machines' case, BMC. Whether smart objects communicate with their vendors and operators thru in-bound or out-bound channels, they must - in order to provide a designed service.

Those smart object are designed with ergonomy and life comfort aims - which they mostly achieve or I would be doing house and air cleaning, but their design concepts allow the misuse.

Personaly, I don't use or disable MIC if smart objects have it - don't use any voice assistant - or CAM.

i fully understand your concern.
question is what kind of privacy are we talking here, are we talking about sharing some anonymized data, or actually sharing your personal data/files.

Good point, but it all depends on you threat model. The bottom line is whether you are protecting yourself and associated data-sets from corporate vultures or highly qualified adversary with destructive interests.

This brings us to the CIA triad, a fundamental concept in security that stands for Confidentiality, Integrity, and Availability. Confidentiality ensures sensitive information remains protected from unauthorized access, maintaining privacy. Integrity safeguards the accuracy and consistency of data, preventing unauthorized changes. Availability guarantees that authorized users have reliable access to information.

View attachment 6768

I can guarantee that if you implement your controls effectively to uphold the CIA Triad, you'll automatically maintain a sufficient level of privacy.

Those concepts require high knowledge, budget and infrastructure which brings back the @JohnLocke question quoted first.

 

[boomy]

Optimum is to know the logic and perhaps certain procedures in order to be able to make informed decision - what do you need and from whom to procure and above else, whom to trust - and control performance. Every service provider is bound by means but not performance. Those means are a metric of trust

They are as much worth as the agreement I have with my dog who should not eat from my plate when I look away!

 

[mraleph]

They are as much worth as the agreement I have with my dog who should not eat from my plate when I look away!

Couldn't agree more but any service provider and vendor's solution is better for regular people then they miserably try-and-fail in today's world. No second chances due to KYC They should at least know the concepts but that's like a life vest in a failing airplane

 

[boomy]

So you can choose between a good deal with the dog or a life vest in an airplane that's about to crash... what should I choose... It's scary that we ordinary people have become so trapped in technology.

The only option for a short-term top security solution is to hire a company or a man and once he has completed the task, encase him in concrete and throw him in the harbor... then the problem is solved for the next 4 - 5 months.

 

[JohnLocke]

The only option for a short-term top security solution is to hire a company or a man and once he has completed the task, encase him in concrete and throw him in the harbor... then the problem is solved for the next 4 - 5 months.

That might be a bit too extreme; there must be other alternatives.

 

[mraleph]

So you can choose between a good deal with the dog or a life vest in an airplane that's about to crash... what should I choose... It's scary that we ordinary people have become so trapped in technology.

The only option for a short-term top security solution is to hire a company or a man and once he has completed the task, encase him in concrete and throw him in the harbor... then the problem is solved for the next 4 - 5 months.

Well, that can't be public proposal and this post shouldn't be considered as endorsement.

So you can choose between a good deal with the dog or a life vest in an airplane that's about to crash... what should I choose... It's scary that we ordinary people have become so trapped in technology.

The only option for a short-term top security solution is to hire a company or a man and once he has completed the task, encase him in concrete and throw him in the harbor... then the problem is solved for the next 4 - 5 months.

A side note about service providers and lifevests.

I consider myself, my employees, business associates and partners and friends as smart, experienced and highly qualified in every business we did or are doing. But, bad things happen. Trully bad. We also made mistakes.

Thru my companies, I was referred to - by a sharky friend who gor robbed by bellow persons - and acquainted to a rising star in international lawyers, fiduciaries and intermediaries world. I knew/know the poor soul as a lawyer and notary just to uncover thru my dd that he obtained one year MLaw which he didn't attend and two PhDs that he didn't write. A reprisal of Dr Ticiano Sudaro
Guess what, that happened in Switzerland and a poor soul got his Swiss citizenship even he wasn't 10y in the country - he is Deutscher Staatsbürger and he had a permit in Austria during that time.
Another one was an Uzbekistani-Afganistani muslim that got his Swiss citizenship thru marriage. Hates Switzerland and all West but tries to ripp anybody. Never paid a bill for lunch. Petty soul and a loser.
Those pests because your life vest will fail are everywhere and are seeking anybody that has a wealth to rip them off. So, your lack of confidence is quite legitimate.
Never had any issue with lawyers, accountants and bankers in Switzerland till I met those two pricks.
So, eyes open - do due diligence always and ask questions - they will fail to satisfy if they are not genuine, without connections and knowledgeable - identify their means and whether they are sincere.

That might be a bit too extreme; there must be other alternatives.

There is. Knowing the tools of the trade and using third parties that you control for everything as you know it perfectly and explained it brilliantly. Anything else is a risk. Can be calculated and legitimate, but still risk. You always need to have a leverage over service providers.

 

[wellington]

View attachment 6761​

I would like to hear from our fellow members here on OffshoreCorpTalk about how they deal with all the new technology surrounding us!

How do you cope with today's cars packed with computers and GPS trackers, smartphones and smartwatches that all keep an eye on you as an individual and sell your data to the highest bidder, be it a company or government?

What do you do in your homes, with intelligent refrigerators, locks, and heating devices controlled by an app?

Are you all living in a cave with cash buried beneath you, only emerging in the darkness?

Remember getting excited when my wife ordered echo for my office then one day I realized in my Amazon account it had all the conversations on it - it went in the bin. From that point I don’t have Facebook, and don’t allow remote access or backups for absolutely everything.

Apart from that there is very little you can do - except remove technology - something I’ve gradually been doing.