this post was submitted on 26 Feb 2024
28 points (67.9% liked)

Asklemmy

43826 readers
856 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy πŸ”

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

This maybe a dumb question but i became paranoid all of a sudden and wanted some answers because i can't find it anywhere else nor can i sleep without it. Like even if i did flash linux on a lets say amd laptop couldn't the chip itself be spying on me ? Also i understand bootloaders are stored or rom is there a way to know what else is stored on it are roms open source ? Are cpu's open source and companies like asus store their logos and shit on their mother boards so what else could they be storing ? Are there open source alternatives for these parts ? Are we all being privacy cautios for nothing ? I know we can use firewall but wouldn't the chip integrated have the ability to bye pass it ?

I know there are linux laptops but having a pre installed linux and some switches isn't gonna solve the problem do they use open source roms and motherboard ? Are there any fully open source chipsets ? I want to know the same about smartphones too ?

IMPORTANT EDIT : Please don't suggest alternatives like dumb phone i wanna know if there is any way to know or ensure we are not spied upon while using smartphones or laptop . And i don't care about my os spying on me or the apps apps or web spying on me all i wanna know is if the hardware i use are spying on me and if not how do you know ? . Also which is better in terms of open source and privacy intel or amd ?

ANOTHER IMPORTANT EDIT : I am also not concerned by my isp tracking me or someon hacking me as i said all i care about is the hardware doing me in .

LAST EDIT I HOPE : AS I SAID MULTIPLE TIMES AND STILL PEOPLE UNDERSTAND IS I DON'T CARE IF ANYTHING OTHER THAN THE HARDWARE IS SPYING ON ME . LIKE ARE YOU TELLING ME THAT TOP CYBERSECURITY WORKERS OR ELITE HACKERS ARE JUST HOPING THEIR HARDWARE IS NOT SPYING ON THEM AND THERE IS NO WAY FOR AN ELITE HACKER OR CYBERSECURTY WORKER TO ENSURE THEY ARE NOT BEING SPIED BY THEIR HARDWARE OR IS THERE NO OTHER FULLY OPEN SOURCE HARDWARE THEY CAN BUY ?I'M NOT INTERNET SHOUTING OR WANTING TO BE RUDE I JUST WANNA GET THE POINT ACROSS ALSO PLEASE DON'T AVOID THIS AND ANSWER SOMETHING ELSE I JUST WANNA KNOW THIS SPECIFIC THING.

EDIT: LET ME MAKE IT VERY CLEAR I'M JUST A RUN OF THE MILL GUY BYING RUN OF THE MILL LAP AND PHONE AND USING IT I AM NOT BEING TRACKED BY NSA I'M SURE OF THAT BECAUSE I AM NOT THAT INTERESTING EVEN IF I WERE ITS NOT THE QUESTION UNLESS THE CIA OR NSA IS MAKING 1000 OF LAPS TO CATCH ME . YOU HAVE NO OBLIGATION TI ANSWER ME AND I AM GRATEFULL FOR YOUR ANSWERS BUT PLEASE ANSWER WHAT I WANT TO KNOW I FEEL LIKE YOU GUYS AND GALS DON'T EVEN COME CLOSE TO THE SUBJECT.

all 42 comments
sorted by: hot top controversial new old
[–] [email protected] 77 points 8 months ago (2 children)

What's with the unhinged edits

[–] [email protected] 40 points 8 months ago (1 children)
[–] [email protected] 10 points 8 months ago

OP has gone batty. I get it. I'm nuts too, just in a different way. Hope OP figures out what he wants to know.

[–] [email protected] 62 points 8 months ago (1 children)

There’s a chance, OP, that you might have carbon monoxide poisoning if it’s true that you β€œbecame paranoid all of a sudden”. For anyone with gas appliances, regularly check that your CO detectors are working.

I don’t mean this as a diss or to invalidate your (totally valid) concerns about data privacy.

[–] [email protected] 40 points 8 months ago (1 children)

I’ll always remember that Reddit (it feels awkward typing that name here…) post where a user discerned from a post that the OP was likely suffering from carbon monoxide poisoning. OP checked it out and there were high levels in his house, random internet stranger basically saved the guy’s life.

[–] [email protected] 7 points 8 months ago

I hope lemmy gets some super interesting posts that become core lore for the entire user base like this one was for reddit.

[–] [email protected] 47 points 8 months ago (2 children)

You don't. It's possible that the firmware or bootloader is doing evil things. They have access to hardware in a way your OS may not detect.

The seminal paper in this area is On Trusting Trust. That link isn't to the original, but it has a nice overview.

The best way to prevent this kind of spying is through air gaps: ie, no network. Realistically, most of us don't want to do that.

At some point, you need to ask yourself what your threat model is. If you're going to have severe consequences from doing something in range of the device, maybe you wanna do it elsewhere.

[–] [email protected] 47 points 8 months ago

"I’M NOT INTERNET SHOUTING", he internet shouted.

[–] [email protected] 27 points 8 months ago

Bro lost his shit in the edits section

[–] [email protected] 22 points 8 months ago

LIKE ARE YOU TELLING ME THAT TOP CYBERSECURITY WORKERS OR ELITE HACKERS ARE JUST HOPING THEIR HARDWARE IS NOT SPYING ON THEM AND THERE IS NO WAY FOR AN ELITE HACKER OR CYBERSECURTY WORKER TO ENSURE THEY ARE NOT BEING SPIED BY THEIR HARDWARE

Yes.

Professional ELITE HACKERS who work for governments need to leave their electronic devices outside secure facilities for precisely this reason.

Similarly, government networks that are air gapped have their hardware physically destroyed when it's decommissioned because it's impossible to be sure that it's secure.

[–] [email protected] 18 points 8 months ago* (last edited 8 months ago) (1 children)

Why did you suddenly become paranoid about specifically your hardware chips spying on you?

If you're trolling that's okay. If not: Please talk to someone. A real person who can check if you're alright.

[–] [email protected] 13 points 8 months ago (1 children)
[–] [email protected] 9 points 8 months ago* (last edited 8 months ago)

Or took the wrong substance...

Anyways, the "spying" is probably not OP's most pressing issue.

[–] [email protected] 14 points 8 months ago* (last edited 8 months ago)

Easy. It's far too expensive to implement, both in money and man-hours. Especially man-hours.

The amount of people required to personally surveil the general populace is way too exorbitant, AND they have to monitor their own people to prevent leaks. The logistics explodes well before this becomes feasible.

Then there's discoverability. Once such hardware is out there, it's only a matter of time before it falls into the hands of someone capable of dissecting it. Given that such spying methods would be 'sold' to federal management on the grounds of national security, there's an interest in not having it fall into such hands. Therefore, these methods are reserved for high-profile targets. Not the average Joe citizen.

To summarize: Too expensive (money), too expensive (logistics), and too expensive (R&D). Unless you're on Interpol's most wanted list or something, you don't need to worry about this.

[–] [email protected] 13 points 8 months ago

If you want to be absolutely sure, the only way is to unplug all the network cables and physically break or disconnect all the wireless equipment. If you have a SIM card, the carrier can automatically install spyware. On the computer you can get malware or the bootloader/UEFI can be compromised. There are many other ways to spy as well, especially if it's a targeted attack (done by the local law enforcement or your own enemy). The Internet was never meant to be private. It's really hard to keep any data secure on a machine that has access to it. You can minimize the risk and decrease it by 1000000% but you can't completely mitigate it unfortunately

[–] [email protected] 10 points 8 months ago (1 children)

I am also quite interested in this. It is not something that keeps me awake at night, and I am not particularly paranoid about it. But I find that working towards answering this question is a fun frame from which to learn about electronics, radio communications, and networking.

Since this appears to be something that is causing you some anxiety, I think it is better if I start by giving you some reassurance in that I have not yet managed to prove that any electronic device is spying on me via a hidden chip. I don't think it is worth being paranoid about this.

I can explain some things that could be done to test whether a Linux computer spying. I am not suggesting that you try any of this. I am explaining this to you so that you can get some reassurance in the fact that, if devices were spying on us in this manner, it is likely that someone would have noticed by now.

The "spy" chip needs some way to communicate. One way a chip might communicate is via radio waves. So, the first step would be to remove the WiFi and Bluetooth dongles and any other pieces of hardware that may emit radio waves during normal operation. There is a tool called a "Spectrum Analyzer" that can be used to capture the presence of specific radio frequencies. These devices are now relatively affordable, like the tinySA, which can measure the presence of radio frequencies of up to 6 GHz.

One can make a Faraday cage, for example, by wrapping the PC with a copper-nickel coated polyester fabric to isolate the PC from the radio waves that are coming from the environment. The spectrum analyzer antennas can be placed right next to the PC and the device is left to measure continuously over several days. A script can monitor the output and keep a record of any RF signals.

Since phones are small, it is even easier to wrap them in the copper-nickel polyester fabric alongside with the spectrum analyzer antenna to check whether they emit any RF when they are off or in airplane mode with the WiFi and Bluetooth turned off.

What this experiment may allow you to conclude is that the spy chip is not communicating frequently with the external world via radio frequencies, at least not with frequencies <= 6 GHz.

Using frequencies higher 6 GHz for a low-power chip is not going be an effective method of transmitting a signal very far away. The chip could remain hidden and only emit the signal under certain rare conditions, or in response to a trigger. We can't rule that out with this experiment, but it is unlikely.

A next step would be to test a wired connection. It could be that the spy chip can transmit the data over the internet. One can place a VPN Gateway in between their PC and the router, and use that gateway to route all the traffic to their own server using WireGuard. All network packets that leave through the PC's ethernet connection can be captured and examined this way using Wireshark or tcpdump.

If one can show that the device is not secretly communicating via RF nor via the internet, I think it is unlikely that the device is spying on them.

[–] [email protected] 4 points 8 months ago

If one can show that the device is not secretly communicating via RF nor via the internet, I think it is unlikely that the device is spying on them.

The best you can learn is that you didn't detect communication while you were listening.

Security researchers typically assume that attackers know the systems that will be used against them.

An attacker could evade this trap by waiting to phone home.

Or the hardware could encode information in timing by subtly delaying data leaving the device.

Or it could sneak information out in the pseudorandom data that it uses to set up secure connections.

Or it could use stenography to encode data in your photos.

[–] [email protected] 10 points 8 months ago (1 children)

You can use Wireshark to monitor all network traffic. It's not a simple task though. But if you take the time to set it up and learn how to use it, you can know everything that leaves your computer.

[–] [email protected] 10 points 8 months ago (1 children)

Throw it on pihole, you can see all traffic coming and going through your house. Also a great anti-advertise option.

In my experience, theres a lot less spying and a lot more BS/bad scripts checking in, but you do you.

[–] [email protected] 1 points 8 months ago

One thing to note, pihole also blocks ads in you're using wifi from your phone. If I'm playing a game or whatever that has "watch this ad for..." half the time I have to switch off wifi or else it'll claim the ad failed and won't give the item.

[–] [email protected] 8 points 8 months ago* (last edited 8 months ago)

Being privacy-conscious can protect your information from being passively collected by mainly corporate entities that track your buying habits, life events, and health.

If you think you're being actively targeted for surveillance, then you need security that is proportional to the resources that the people who are spying on you have. In the case of say, the NSA, they could have a backdoor in a various location in your hardware or software stack. If you have privacy tools like tor, they're liable to target you and collect your data just for that. Most android/IOS phones are thoroughly bugged and tracked, to the point where if the battery is still attached and the phone is switched off you can still be tracked. If the NSA does collect your data, there's a 99% chance no human will look at your data unless they have a reason to search for you.

If you are being spied on, odds are you won't catch it. You might be able to isolate abnormal outbound network traffic if you're really good about tracking that kind of thing on your network. Your phone could connect to a fake Stingray cell station and you wouldn't know.

If you're being stalked by a person with less resources than the NSA, it becomes a lot easier and common-sense privacy protections can help you keep a low enough profile.

It's also worth noting that if private companies get a hold of your data, they'll sell it to any government or private organization who'll pay them. There's scant regulation about what they can't collect and what they can't do with it.

I think the simplest rule of thumb is if you have something sensitive, don't say it near an android or ios phone and don't put it on a computer that's plugged into the internet. Criminals have their own OPSEC, as do people in the intelligence industry, and usually the answer is an "air gap".

[–] [email protected] 5 points 8 months ago

System76, Tuxedo computers and Framework may be close to what you are looking for.

But you need to think about your threat model and decide how much work/study you need to consider yourself "safe", because the only way to be absolutely sure that your hardware is trustworthy, is too build it from the scratch.

[–] [email protected] 4 points 8 months ago

So here's the brief take, you don't know. Firmware is a very opaque thing that will never be truly visible without outright scanning the chip structures and relevant exchange mechanisms. A recent article demonstrated bypassing the Windows full disk encryption through a hardware hack using consumer available SOCs even.

What you can do is control the environment. Data can be extracted through a mess of crazy ways. ICMP and DNS calls can be used to tunnel traffic even. The goal for the end user is mitigation. There has been research where data was pulled via the sounds a spinning disk made even off an air-gapped device. Layering the controls makes it that much less likely that anything can compromise all the controls at once. There is no silver bullet solution however. High security systems are often custom fabricated and even then it's possible a supply chain injection can compromise the product.

Your best bet as a consumer is to trust in the math (crypto) and ensure your data is encrypted at rest and in flight. Keeping keys on a separate vault, generated away from the protected system where possible is a more extreme but possible solution when you control all parts of the communications.

[–] [email protected] 4 points 8 months ago

Short answer. Do you have a computer or smartphone? If yes, it is spying on you.

[–] [email protected] 3 points 8 months ago

You know that it is. Simple as that. Especially phones. Thing is, most of what you do isn't interesting enough to spy on. Don't bring your phone when you do illegal activity. Otherwise don't worry about it.

[–] [email protected] 2 points 8 months ago

You can't know. There's no possible way to verify what any of it is doing.

Unless you've built your own hardware out of discrete components and know personally what every byte in the code does, you absolutely cannot know what's actually going on in there.

And honestly, a large chunk of both consumer harware and networking certainly is spying on people.Every ISP and major datacentre has a TLA room that mere mortals aren't allowed to go into or ask questions about, every phone or motherboard chipset is an absolute rats nest of backdoors and telemetry - and unless you sand the lid off every single chip and go over it with an electron microscope, there's no good reason to assume any component only does what it claims to. But then the data from that will need to be stored on something likely-pwned anyway.

Various governments all have the ability to count your nose hairs if they wanted to - and if you're sufficiently anomalous, you may as well assume they have.

to all of which I say meh. It's evil and hideous of course, but so many things are evil and hideous that you just have to triage.

[–] [email protected] 2 points 8 months ago

Bypass*

If you filtered your data through enough servers, or even better, split your outgoing data through multiple servers, encrypting and bouncing each of the packets multiple times, maybe have a couple filters.... Your shit could still be spying on you because you are attracted to the network, and you need to talk out somehow, and unless you watched the chips be manufactured put together yourself you can't be sure they aren't corrupted.

That said, are you a foreign dignitary? Are you someone worth investing millions into taking down? Any minute a ninja could take you down in your day to day life, there just aren't that many ninjas, and you aren't worth taking down.

I can't find the article because Google is the enshittiest now, but a couple years ago a tech journalist paid 2 different hackers to infiltrate his home system (him taking slightly more precaution than he normally would), he had no chance in keeping them out, he closed the article with a quote similar to the warning above.

[–] [email protected] 1 points 8 months ago

iirc the intel management engine can be disabled through some weird fuckery, not sure if the same can be done for amd’s equivalent. if you custom flash a bios and run an open source os compiled by a trusted source, i think you got most potential backdoors covered (although the cpu microcode might still be an issue).

[–] [email protected] 0 points 8 months ago

You can use wireshark to see every packet that goes through your router. Any weird unauthorized packets? Probably spying.

[–] [email protected] -1 points 8 months ago (1 children)

V2.0: if you don't want your hardware spying on you, get a device that has fully FOSS drivers and an open architecture (neither AMD nor Intel have that cuz they use x86_64 which is proprietary). I think Raspberry Pi and PinePhone have that. Not sure though. And if you meant microphone and camera spying on you then apps, ISP and everything else do matter. Just unplug that devices when you want to stay private and that's it

[–] [email protected] 5 points 8 months ago

ARM isn't any better than x86, and can actually be more restrictive at times (secure boot keys baked onto the CPU, and not being able to disable it). RISC-V is promising, but just because the ISA is open source doesn't necessarilly mean the implementation is, and I'm not aware of any 100% open source implementation being sold.

[–] [email protected] -5 points 8 months ago (1 children)

Well here is my take: there are only like, 35 personalities that exist in the world with slight individual variations. You posting this tells any data scraper which one you fall under. People are in general extremely predictable. So once the algo has sorted you, they dont have to actively listen to you at all. The algo already knows what choices you perceive yourself as having in your life and when you are likely to make those decisions

Heck, the utility company knows if your going through a divorce based on changes in when and how the bill is paid.

Google knows if your getting laid based off location data

If you dont want to be spied on there is only one way my friend. Only lurk the web from one place, never post, only lurk. And just leave your phone in the closet or wherever when your not using it, turned off. The algo's et al will still draw conclusions from this, but at least they will be incorrect