White-list mode:
Only selected apps (with a check mark) may use WLAN, mobile data or another interface for communication in order to establish a data connection. As a result, all apps that you have not checked will not be allowed to communicate "outside".
Black-List Mode:
Here it's the other way round. Here you have to select (check) all apps that are not allowed to communicate "outside" via the corresponding interface.
When delivered, the AFWall+ works according to the white-list principle, which I also keep and recommend to everyone. The basic functionality is thus quickly explained: All apps that you tick are allowed to establish a connection to the Internet or from the device to the "outside".
3.2 Basic Configuration
Via the three dots in the upper right corner of the AFWall+, you get to another options menu, where you reach the "Settings". My suggested settings are as follows:
Change language:
If the AFWall+ is still running in English, you can change the language to German under "Languages/Plugins".
APP-UID:
With Android, each app is assigned a unique ID (UID) by the system, which you can use to track the "behavior" of an app. To make the assignment via the firewall log easier, you should check the box "User interface" -> APP-UID display.
Interfaces | IPv6:
Under the entry "Rule/Connection" you should check if the check mark is set for Active rules. If yes, the rules defined in AFWall+ will be reloaded each time the network state changes (e.g. WLAN On / Off). Furthermore you can activate or deactivate network interfaces, which will be used by the apps to communicate later. For example, I set a check mark for VPN control, because I often establish a VPN connection and certain apps are allowed to communicate with the outside world via it. If you want to keep the IPv6 support active you have to decide for yourself - personally I deactivate the IPv6 support.
Prevent data leaks at startup:
This is a useful feature to prevent apps from establishing connections to the outside during the boot process. To do this, an AFWall+ script is integrated into the system as a systemd script in an early boot phase, where it can prevent the data leak. To activate it, set the start directory for the script to /data/adb/service.d/ under "Experimental". Afterwards, do not forget to check the box Fix Start Data Leak.
DNS requests:
In order for AFWall+ to assign all DNS requests to the corresponding apps correctly, you should deactivate DNS via netd. Open the menu "Binary Files" and choose DNS-Proxy and deactivate DNS via netd.
3.3 Recommended rule sets
After an initial installation of AFWall+, you are faced with the challenge of deciding which apps actually need or should get Internet access. Furthermore, it is necessary to resolve supposed dependencies between apps and their "helper apps" in order to allow them access to the "outside" if necessary. As a general rule, you should only allow Internet access to apps that are really necessary.
Based on a "fresh" LineageOS installation, I suggest the following whitelist rules for your AFWall+:
(Root) - Apps with root privileges:
A check at this system rule is mandatory. It is needed for DNS name resolution, among other things.
(NTP) - Internet time server:
Enables time synchronization, if you have activated the function "Get automatic date/time".
Updater:
For LineageOS, updates usually appear continuously. Whitelisting the "Updater" app lets it inform us about new updates, which we will install if necessary.
Media storage, download manager [...]:
You should also check this rule. Otherwise you can't download files via the browser. This entry is a "helper app". Some of your apps will only work correctly if you identify such helper apps and unlock them accordingly.
After that you can activate the firewall for the first time. Tap on the three dots and select Activate firewall. After the initial configuration (without additional checkmark for VPN interface) you will see the following picture...(kuketz website)
In individual cases, it may be necessary to allow further "helper apps" access to the Internet. For "normal use", however, the rule sets shown above should be sufficient for the time being. However, experience has shown that you will encounter initial difficulties especially with apps with video or audio content, as many Android apps require the system component "(Media) - Media Server" for this. Only after this app is also allowed Internet access, the display or playback of video and audio content can succeed with some apps.
3.4 Logging function
The firewall protocol is a useful tool to identify dependencies between apps and their helper apps or simply to visualize which requests for "outside" are blocked by the AFWall+. By default, this logging is not active in the AFWall+. Therefore you have to activate it via "Settings -> Protocol". To do this, simply check the box Switch on protocol service. If you also want a message window to show you in real time what the firewall is blocking, you can also check the box Show messages.
You can then view the log by selecting Settings -> View log. Via the menu I selected Switch to old view to see the IP addresses.
As we can see from the picture (kuketz website), the newly installed LineageOS system tries to connect to Google addresses via the FM radio app and the Chrome browser. This is questionable because the apps were not even started. So let me remind you again: simply switching to an alternative operating system like LineageOS does not necessarily protect us from the unwanted outflow of information or contact with data collectors like Google.
Don't worry, in another part of the article series we will identify and deactivate these data slingshots. With the AFWall+ you now have a first "basic immunization" against such unpleasant connections.
❗️Advice:
Another tool for identifying network connections is the App Net Monitor. https://f-droid.org/packages/org.secuso.privacyfriendlynetmonitor/
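To make the helper-app hunt from section 3.4 concrete, here is an added example (not part of the original article or of AFWall+) that groups blocked connections by UID, which is why the APP-UID display from section 3.2 is useful. The sample lines are constructed in the kernel's netfilter LOG key=value layout, the `{AFL}` tag is an assumption about how the lines are marked, and the 10000 threshold is where Android starts numbering app UIDs.

```shell
#!/bin/sh
# Added example: per-UID summary of blocked connections from firewall log lines.

LOG_TAG='{AFL}'   # assumption: marker in front of the firewall's log lines

# Constructed sample input (documentation address ranges, not real captures).
sample_log() {
  cat <<'EOF'
[  101.10] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=40112 DPT=443 UID=10073 GID=10073
[  101.35] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=198.51.100.53 LEN=71 TTL=64 PROTO=UDP SPT=51820 DPT=53 UID=0 GID=0
[  102.02] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=40114 DPT=443 UID=10073 GID=10073
[  102.40] wlan0: link becomes ready
[  103.77] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=40120 DPT=80 UID=1013 GID=1013
[  104.11] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=203.0.113.10 LEN=60 TTL=64 PROTO=TCP SPT=40116 DPT=443 UID=10073 GID=10073
[  104.90] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=198.51.100.53 LEN=71 TTL=64 PROTO=UDP SPT=51822 DPT=53 UID=0 GID=0
[  105.20] {AFL}IN= OUT=wlan0 SRC=192.168.150.23 DST=203.0.113.99 LEN=84 TTL=64 PROTO=ICMP TYPE=8
EOF
}

# summarize_blocked: reads log lines on stdin and prints one line per
# (UID, protocol, destination) as "count uid class proto dst:dport",
# most frequent first. Lines without the tag or without a UID are skipped.
summarize_blocked() {
  awk -v tag="$LOG_TAG" '
    index($0, tag) == 0 { next }            # not a firewall log line
    {
      uid = ""; dst = ""; dpt = "-"; proto = "?"
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        k = substr($i, 1, n - 1)
        v = substr($i, n + 1)
        if (k == "UID")        uid = v
        else if (k == "DST")   dst = v
        else if (k == "DPT")   dpt = v
        else if (k == "PROTO") proto = v
      }
      if (uid == "" || dst == "") next      # cannot be attributed to an app
      count[uid " " proto " " dst ":" dpt]++
    }
    END {
      for (key in count) {
        split(key, p, " ")
        # UIDs from 10000 upwards belong to installed apps, lower ones to the system
        cls = (p[1] + 0 >= 10000) ? "app" : "system"
        printf "%d %s %s %s %s\n", count[key], p[1], cls, p[2], p[3]
      }
    }
  ' | LC_ALL=C sort -k1,1nr -k2,2n
}

# Demo run on the constructed sample.
sample_log | summarize_blocked
```

A system UID that shows up as blocked right after you use an app is a candidate for one of the helper apps described above.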
3.5 Deactivating Captive Portal Check
You may have noticed that the WLAN icon in the Android menu bar shows a small cross. Each time your Android device connects to a WLAN, the system performs a Captive Portal Check. Android wants to make sure that your device is not only connected to a WLAN access point, but can actually reach destinations on the Internet. Usually, the Captive Portal Check is useful whenever you are in a hotel and access to the Internet must first be activated via a coupon or similar. You can now tell that the check failed by a small exclamation mark or "X" directly at the bottom of the WLAN symbol - AFWall+ simply blocks the corresponding packets.
Android sends a request to the address "http://clients3.google.com" for verification. If the request is successful or answered with the HTTP response code 204 (The request was successful, but the response deliberately contains no data), you have access to the Internet. With this request, the system transmits information to Google about the IP address of the connection, the time of Internet access and which browser is currently being used.
To prevent this under Android Oreo, you need root rights for the ADB. So first open Magisk, navigate to the settings and select Apps and ADB for superuser access. Then open the system settings of Android and navigate to System -> Developer Options. Then check the box Local Terminal. Then open the terminal app, authorize root access (on request) and enter the following commands:
su
su
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
reboot
The command "su" (substitute user identity - change to user root) probably has to be entered twice due to SELinux. Only then will the commands be accepted or executed. After a restart the Captive Portal Check will be deactivated and the small cross at the WLAN symbol will disappear.
❗️Advice:
Deactivation of the Captive Portal Check can lead to the fact that the login page for WiFi is no longer displayed in hotels. So far I haven't been able to solve this problem - maybe someone has a solution how to log in anyway.
4. Custom scripts: For nerds only!
Experienced users can use the CustomScripts of the AFWall+ to access the full functionality of the iptables firewall. But before you experiment wildly, you should inform yourself in detail about iptables and its possibilities, because this undertaking is not uncomplicated. A good source of information is the Wikipedia article and also the official introduction to the CustomScripts in the AFWall+ Wiki.
❗️Advice:
A wrong handling of iptables or CustomScripts can lock your smartphone completely for all network connections from now on. A removal of this block is not so easy or only possible if you have informed yourself sufficiently in advance. The following explanations will show you how to use CustomScripts effectively.
4.1 Startup and shutdown script
The script "iptables.sh" is always executed when the firewall is started or the rule sets are reloaded. All commands are commented - please don't just copy and paste the rules into your system, but first take a close look at iptables and customize it to your needs:
## iptables.sh
## AFWall+ CustomScript & some tweaks
## Mike Kuketz
## www.kuketz-blog.de
## Changes: 25.09.2018
##
## iptables -L
## iptables -S
## iptables -L -t nat
####################
# Tweaks #
####################
## Kernel
# Disable IPv6
echo 0 > /proc/sys/net/ipv6/conf/wlan0/accept_ra
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
# Privacy IPv6 Address
echo 2 > /proc/sys/net/ipv6/conf/all/use_tempaddr
echo 2 > /proc/sys/net/ipv6/conf/default/use_tempaddr
## System
# Disable Captive Portal - Android Oreo 8
pm disable com.android.captiveportallogin
settings put global captive_portal_detection_enabled 0
settings put global captive_portal_server localhost
settings put global captive_portal_mode 0
# Disable Global NTP Server
settings put global ntp_server 127.0.0.1
####################
# iptables #
####################
IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables
####################
# Defaults #
####################
# IPv4 connections
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# IPv6 connections
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP
#####################
# Special Rules #
#####################
# Allow loopback interface lo
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A "afwall" -o lo -j ACCEPT
# Set a specific DNS-Server (dismail.de AdBlocking DNS-Server) for all networks except home WiFi (192.168.150.0/24)
$IPTABLES -t nat -I OUTPUT ! -s 192.168.150.0/24 -p tcp --dport 53 -j DNAT --to-destination 80.241.218.68:53
$IPTABLES -t nat -I OUTPUT ! -s 192.168.150.0/24 -p udp --dport 53 -j DNAT --to-destination 80.241.218.68:53
# Force a specific NTP (ntp0.fau.de), Location: University Erlangen-Nuernberg
$IPTABLES -t nat -A OUTPUT -p tcp --dport 123 -j DNAT --to-destination 131.188.3.222:123
$IPTABLES -t nat -A OUTPUT -p udp --dport 123 -j DNAT --to-destination 131.188.3.222:123
#####################
# Incoming Traffic #
#####################
# Allow all traffic from an established connection
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Reject all packets properly
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
And the shutdown script to disable / shut down the firewall:
## iptables_off.sh
## AFWall+ shutdown actions
## Mike Kuketz
## www.kuketz-blog.de
####################
# iptables #
####################
IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables
####################
# Purge/Flush #
####################
# Flush/Purge all rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IP6TABLES -F
$IP6TABLES -t nat -F
$IP6TABLES -t mangle -F
# Flush/Purge all chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
$IP6TABLES -X
$IP6TABLES -t nat -X
$IP6TABLES -t mangle -X
####################
# Defaults #
####################
# Allow IPv4 connections
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# Deny IPv6 connections
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
$IP6TABLES -P OUTPUT DROP
❗️Advice:
The path "/data/local/" is suitable as storage location for your CustomScripts.
4.2 Effectively blocking data collectors
With the option "Set script" I can add more scripts. Among other things I block all outgoing connections to Google and Facebook with the help of the ASN script:
bash asn_ipfire.sh --afwall "Google,Facebook"
The scripts are each entered as a separate line under Specify Scripts:
The content of block_google.sh:
#####################
# Block Google #
#####################
/system/bin/iptables -A "afwall" -d 8.8.4.0/24 -j REJECT
/system/bin/iptables -A "afwall" -d 8.8.8.0/24 -j REJECT
/system/bin/iptables -A "afwall" -d 8.34.208.0/20 -j REJECT
/system/bin/iptables -A "afwall" -d 8.35.192.0/20 -j REJECT
/system/bin/iptables -A "afwall" -d 23.236.48.0/20 -j REJECT
/system/bin/iptables -A "afwall" -d 23.251.128.0/19 -j REJECT
/system/bin/iptables -A "afwall" -d 35.184.0.0/12 -j REJECT
/system/bin/iptables -A "afwall" -d 35.200.0.0/14 -j REJECT
/system/bin/iptables -A "afwall" -d 35.204.0.0/15 -j REJECT
/system/bin/iptables -A "afwall" -d 63.88.73.0/24 -j REJECT
[...]
And the content of block_facebook.sh:
#####################
# Block Facebook #
#####################
/system/bin/iptables -A "afwall" -d 31.13.24.0/21 -j REJECT
/system/bin/iptables -A "afwall" -d 31.13.64.0/18 -j REJECT
/system/bin/iptables -A "afwall" -d 45.64.40.0/22 -j REJECT
/system/bin/iptables -A "afwall" -d 66.220.144.0/20 -j REJECT
/system/bin/iptables -A "afwall" -d 69.63.176.0/20 -j REJECT
/system/bin/iptables -A "afwall" -d 69.171.224.0/19 -j REJECT
/system/bin/iptables -A "afwall" -d 74.119.76.0/22 -j REJECT
/system/bin/iptables -A "afwall" -d 103.4.96.0/22 -j REJECT
/system/bin/iptables -A "afwall" -d 157.240.0.0/17 -j REJECT
/system/bin/iptables -A "afwall" -d 173.252.64.0/18 -j REJECT
/system/bin/iptables -A "afwall" -d 179.60.192.0/22 -j REJECT
/system/bin/iptables -A "afwall" -d 185.60.216.0/22 -j REJECT
/system/bin/iptables -A "afwall" -d 204.15.20.0/22 -j REJECT
As soon as the new rule sets are loaded, the following happens: Whenever your browser or other (system) app is instructed to download content from the external IP addresses (Google, Facebook), the connection is discarded by the AFWall+ or the requesting app gets a "-j REJECT". Technically, the requesting app receives a so-called ICMP destination-unreachable packet and knows that no connection can be established. External content on websites or apps that originate from Google or Facebook or are hosted there are "victims" of the CustomScripts. As a positive side effect, websites are loaded somewhat faster and the data volume is relieved.
❗️Advice:
As soon as you block all Google IP addresses, you will of course no longer be able to use the Google service or you will no longer be shown captchas on websites - this may lead to the situation that you will no longer be able to solve the Google captchas. If you block all Google IP addresses, you should be aware that this will not work via mobile browsers, especially when registering websites. Alternatively, you can use the Tor desktop browser or Tor Android browser. https://blog.torproject.org/new-release-tor-browser-android-10a2
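If you maintain your own prefix list, block scripts in the layout of block_google.sh can be generated with a check in front. The following is an added example, not the ASN script mentioned above and not code from the article: it validates each IPv4 CIDR, drops duplicates and refuses very broad prefixes, since a single wrong entry such as 0.0.0.0/0 would cause the lockout warned about in section 4. The MIN_PREFIX limit and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: turn a list of IPv4 CIDR prefixes into rules for the
# "afwall" chain, rejecting malformed or dangerously broad entries.

IPT=/system/bin/iptables   # binary path as used by the scripts on this page
MIN_PREFIX=8               # assumption: anything broader than /8 is treated as a mistake

# valid_cidr CIDR: succeeds only for a.b.c.d/len with octets 0-255
# and MIN_PREFIX <= len <= 32.
valid_cidr() {
  case "$1" in
    ''|*[!0-9./]*) return 1 ;;   # empty, or characters other than digits, dot, slash
    */*/*)         return 1 ;;   # more than one slash
    */*)           ;;            # exactly one slash: continue
    *)             return 1 ;;   # no prefix length given
  esac
  _addr=${1%/*}
  _len=${1#*/}
  case "$_len" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$_len" -ge "$MIN_PREFIX" ] && [ "$_len" -le 32 ] || return 1
  case "$_addr" in .*|*.|*..*) return 1 ;; esac
  _old_ifs=$IFS
  IFS=.
  set -- $_addr                  # split the address into octets
  IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case "$_o" in ''|????*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# gen_block_rules LABEL: reads one CIDR per line on stdin (blank lines and
# "#" comments allowed) and writes the rule lines to stdout. Rejected entries
# go to stderr; the return code is 1 if anything was rejected.
gen_block_rules() {
  _label=$1
  _seen=' '
  _bad=0
  printf '# Block %s\n' "$_label"
  while IFS= read -r _line || [ -n "$_line" ]; do
    _cidr=${_line%%#*}                                  # strip comment
    _cidr=$(printf '%s' "$_cidr" | tr -d ' \t\r')       # strip whitespace
    [ -n "$_cidr" ] || continue
    if ! valid_cidr "$_cidr"; then
      printf 'rejected: %s\n' "$_line" >&2
      _bad=1
      continue
    fi
    case "$_seen" in *" $_cidr "*) continue ;; esac     # duplicate
    _seen="$_seen$_cidr "
    printf '%s -A "afwall" -d %s -j REJECT\n' "$IPT" "$_cidr"
  done
  return "$_bad"
}

# Constructed sample input: three usable prefixes, one duplicate, two bad entries.
sample_prefixes() {
  cat <<'EOF'
# constructed sample list
8.8.8.0/24
8.8.4.0/24   # trailing comment
8.8.8.0/24
0.0.0.0/0
192.168.300.0/24
31.13.24.0/21
EOF
}

# Demo run: prints the header and three rules, reports two rejected entries.
sample_prefixes | gen_block_rules "Example" || echo "some entries were rejected" >&2
```

Review the generated file before adding it under Specify Scripts, and keep the shutdown script from section 4.1 at hand in case a rule blocks more than intended.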
5. Conclusion
What's the saying?
"Trust is good - control is better."
AFWall+ is an indispensable tool for the article series "Take back control!". It was therefore a special concern of mine to present the iptables firewall interface in detail. It should become clear from the above explanations that even an alternative or "free" system like LineageOS does not protect us per se from the establishment of data connections to the "outside" or to Google and Co.
Even in the standard configuration, AFWall+ provides valuable services. But only the CustomScripts and the additional small tweaks, such as redirecting all (mobile) DNS requests to the provider I trust or blocking the IP address spaces of known data collectors, are the icing on the cake.
In the following article of the article series we will put the alternative App-Store F-Droid into operation. A Mecca for critical users who value free and open source applications or FOSS apps.
Source and more info (German):
https://www.kuketz-blog.de/afwall-digitaler-tuervorsteher-take-back-control-teil4/
#android #NoGoogle #guide #part1 #part2 #part4 #AFWall #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
How healthy is the internet?
Our 2019 compilation of research and stories explains what’s key to a healthier internet across five issues, from personal experience to global concerns.
https://internethealthreport.org/2019/
#report #pdf #internet #healthy #research
🎧 As Amazon Gets Bigger, Sellers Feel the Squeeze
Jason Boyce built a successful business selling sports equipment on Amazon. As the platform has grown, Amazon has pushed sellers to lower prices, shorten delivery times and compete harder for every sale. This week on Decrypted, we explore whether entrepreneurs like Jason have reached a breaking point. They now face a competitor who’s potentially unbeatable: Amazon itself.
📻 https://www.bloomberg.com/news/audio/2019-04-22/as-amazon-gets-bigger-sellers-feel-the-squeeze-podcast
#Amazon #DeleteAmazon #Bloomberg #Podcast
📺 Crashes of Convenience: Michael Hastings
Michael Hastings was that rarest of breeds: a mainstream reporter who wasn’t afraid to rail against the system, kick back against the establishment, and bite the hand that feeds him. On the morning of June 18, 2013, he died in a fiery car crash. But now details are emerging that he was on the verge of breaking an important new story about the CIA, and believed he was being investigated by the FBI. Now even a former counter-terrorism czar is admitting Hastings’ car may have been cyber-hijacked. Join us this week on The Corbett Report as we explore the strange details surrounding the untimely death of Michael Hastings. https://en.wikipedia.org/wiki/Michael_Hastings_(journalist)
📺 https://www.corbettreport.com/crashes-of-convenience-michael-hastings-video/
#Hastings #corbettreport #carcrash #convenience #video #podcast
🎧 The 31st Human Right
This week, on a riveting edition of Down the Security Rabbithole Podcast Raf sits down with Richie Etwaru, a human data ethicist and Founder and CEO of Hu-manity.co.
What's a human data ethicist, you ask? Listen to the podcast, and find out.
Highlights from this week's show include...
👉 Richie walks us through data ownership as a fundamental human right, including why now is the right time in history
👉 Raf and Richie discuss the principles of data ownership and how they're different from privacy or security
👉 Richie discusses data ownership as a great leveling factor for society
👉 SO much more...
📻 #DtSR Episode 343 #podcast
http://podcast.wh1t3rabbit.net/dtsr-episode-343-the-31st-human-right
And the Net forgets: The Utopia of the Eternal Memory
The Internet offers undreamt-of possibilities. But it is not permanent. What can be found online today will disappear tomorrow in digital nirvana - with serious consequences, especially for journalism.
The Internet forgets nothing, or so the widespread belief goes. But appearances are deceptive. While we type, scroll, swipe, like and post and drive the digital knowledge store to new, dizzying heights day after day, its foundations rot faster than they can be saved from decay. Old websites disappear, links lead nowhere after just a few years. This will have dramatic consequences for journalism and public memory in particular. Digital journalism is a fine thing. However, it is not constant in time.
To understand why, it is worth taking a look into the past. The mass loss of information is not a phenomenon of modernity, it can be found again and again in history. The cause does not lie in a lack of knowledge about correct archiving, but in our attitude. The reliable protection of information over long periods of time is a deliberate act. It requires the awareness that something should be preserved and decisions about what should be preserved and how.
The beginning of book printing in the West in the 15th century is a good example of this. Many early books were on paper, a medium that, compared to parchment, does not necessarily stand for longevity - and they were often not considered valuable enough to be preserved due to their mass availability. Accordingly, little has been preserved of them. Even in monastery libraries, for many the ultimate repository of knowledge, not everything was preserved. Old manuscripts or early printed books were often exchanged for newer ones and the old copies were then misused, for example as basic material for book covers or inner book covers.
The drama was repeated in modern times. Large parts of the American film stock from the first four decades of cinema are now considered lost. In particular, films made before the beginning of the sound film era around 1928 have hardly survived - some estimates speak of just 10 percent that have survived. Here, too, an insecure carrier medium is to blame. The nitrate film used was highly flammable and often went up in flames by itself. But here, too, the well-known lack of interest in preservation is to be found. The studios needed space in their storerooms, and silent films were considered almost worthless in the age of sound film. What one could get rid of was wasted, the rest destroyed.
Paper lives longer
So it seems we've made the same mistakes over and over again. The web is no exception. Digital data may be tempting at first glance - they can be copied endlessly, are machine-readable, can be stored in large quantities in the smallest space - but what is lost here is usually irretrievable. Even paper beats the longevity of a server hard disk by several hundred years.
Added to this is the short life cycle of the file formats used. Adobe Flash, the dominant software for displaying multimedia content on the World Wide Web at the turn of the millennium, has long since retreated two decades later and will no longer be supported by Adobe from 2020. Other software formats and operating systems are also constantly changing, with serious consequences. Within a few years, old files can no longer be used on new devices, and if so, then often only with considerable restrictions. In the digital world, archiving is becoming more complicated than ever due to the combination of carrier media and software environment.
On the web, too, we repeatedly face the question of whether there is the will to preserve what exists. All too often we forget that the structure of the Internet has not been designed to store information. There was never an exact plan, an executing instance, let alone a clearly defined goal. There was never any talk of a long-term archive.
And just as the net and its contents do not belong to anyone alone, there is also no central place for archiving the contents. Even if initiatives like Archive.org try to store as many websites as possible, they fail with their limited means because of the sheer mass. In 1994, three years after the invention of the World Wide Web, there were only about 2700 websites. In 2019 there are more than 1.6 billion, and the trend is rising. It is hardly possible to conserve such a living organism, especially not while it is running and especially not when more and more content is being created within the walled gardens of the major platforms or within encrypted messaging services.
When journalism is suddenly gone
"Why should we care?" one might ask, of course. But it is impossible for us to predict which of the many pieces of information we produce will help future generations better understand our time. After all, some have recognized the danger. Vinton Cerf, one of the developers of the Internet, warned that if you rely on the durability of digital data and the everlasting existence of the web, mankind is heading for a "forgotten century".
But nowhere is the danger of digital memory loss more evident than in journalism. Even if print is holding its own bravely, the journalism of the early 21st century takes place predominantly online and digitally. But in view of the dazzling new world, hardly anyone asks whether the beautiful products of the new era will still be accessible in the future. A newspaper page is comparatively easy to archive, a website with elaborate multimedia content is not.
Without prior warning, older websites and web content from some newspapers can no longer be correctly displayed with newer browsers, or will disappear completely at noon. One should actually expect media houses to give sufficient thought to this problem. But far from it, as a new study by the Tow Center at Columbia University in New York shows: The scientists Sharon Ringel and Angela Woodall found that out of 21 American newspapers and news organizations surveyed, 19 had no guidelines or routines, not even informal archiving practices, to present their digital material to posterity.
Apart from the fact that organizations surveyed failed to archive the articles on their own websites, no publications were stored on social media platforms - all virtual places where journalism happens today. Responding to these omissions, respondents repeatedly replied that the focus of journalism for them was on "what's new" and "what's happening now" - and there are still some back-ups and Internet archives in need. But a back-up is not archiving. Backup copies are useless if the technology around them changes. And the Internet Archive doesn't back everything up for a long time and only conserves it irregularly. It does not have access to platforms.
Ultimately, however, the long-term preservation of digital journalistic content fails not only because of a lack of will, but also because of the effort and costs involved. Not every media company can (and wants to) afford archivists who are constantly developing new methods for safeguarding its content and keeping it accessible in the future. Local and small media houses in particular often do not have the financial leeway to do so. And even if the necessary measures are taken: If a media house closes, it is far from guaranteed that the digital archive will continue to exist elsewhere. If the associated websites are also no longer operated, sooner or later nothing will remain of the fruits of journalistic work - a more than painful loss for journalists, scientists and not least the public of the future.
What should be archived?
Many questions will inevitably arise in this process. Which media content should be archived, by whom and how often? And are we only interested in the articles? Or videos, graphics and interactive applications? And what about readers' comments and discussions on articles in social networks? They are uncomfortable questions without simple answers, but they have to be asked.
The idea of archives may not be as "sexy" as ideas of the beautiful new world of digital possibilities. At a time when the press is struggling with completely different problems, it is not high on the agenda. But without reliable archives, not only do we risk certain versions of history gaining the upper hand later if there is nothing to correct them - we also risk the historical gaps in knowledge that will inevitably open up in the future being even greater than those of the past. But if we want to learn from history, journalism owes it to future generations to counteract it with all their might.
Source and original text:
https://www.nzz.ch/feuilleton/internet-und-datenspeicher-das-nerz-vergisst-doch-ld.1476987
#report #thinkabout #eternal #memory
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Android Captive Portal Check: 204-HTTP response from captiveportal.kuketz.de
Each time your Android device connects to a WLAN, the system performs a Captive Portal Check. Android wants to ensure that your device has not only received an IP address from the access point, but that it can also actually reach destinations on the Internet.
Android sends a request for verification to the address "connectivitycheck.gstatic.com". If the request is successful or answered with the HTTP response code 204, access to the Internet is available. With this request, the system transmits information to Google about the IP address of the connection, the time of Internet access and which browser is currently being used.
If you block this request to Google via AFWall+ or anywhere else on your network, a small cross will appear in the WLAN icon in the Android menu bar. Depending on the Android version, you will also see a message saying that there is no Internet available. Especially data protection-conscious users don't want to send a "ping" to Google every time they go online. There is now a solution for this for all users with root access on their devices.
👉 Android Nougat (7.x) | Oreo (8.x)
You open a terminal and enter the following:
su
settings put global captive_portal_http_url "http://captiveportal.kuketz.de"
settings put global captive_portal_https_url "http://captiveportal.kuketz.de"
Please note that in the third line at the URL you have to consciously omit the s of https.
👉 Android Pie (9.x)
You open a terminal and enter the following:
su
settings put global captive_portal_http_url "http://captiveportal.kuketz.de"
settings put global captive_portal_https_url "https://captiveportal.kuketz.de"
settings put global captive_portal_fallback_url "http://captiveportal.kuketz.de"
settings put global captive_portal_other_fallback_urls "http://captiveportal.kuketz.de"
Then we can query the URL via curl (from a computer):
curl -I http://captiveportal.kuketz.de
As an answer, you get:
HTTP/1.1 204 No Content
[...]
This is exactly the answer your Android phone expects. One or the other will wonder why the HTTPS URL does not work. Let's have a look at the output:
curl -I https://captiveportal.kuketz.de
As an answer you will then receive:
HTTP/2 204
Android Nougat and Oreo cannot cope with this - Android Pie, on the other hand, uses the HTTPS URL. Either the "No Content" at the end is missing or Android expects a HTTP 1.x response. On port 443 my nginx webserver generally responds with HTTP/2 - unfortunately this cannot be changed because at least one other virtual host is listening via HTTP/2.
Temporarily (until Android 9) you can either use the HTTP URL or you can use HTTP/1 to host yourself. Via nginx this is relatively simple. Here is my configuration:
## SITE HANDLING HTTP ##
server {
    ## INIT ##
    listen 80;
    server_name captiveportal.kuketz.de;
    root /var/www/sites/captiveportal.kuketz.de;

    ## LOGS ##
    access_log off;
    # "error_log off;" would write errors to a file named "off"; discard them instead
    error_log /dev/null crit;

    ## SECURITY HEADER ##
    include /etc/nginx/conf/headers.conf;
    add_header Content-Security-Policy "default-src 'none'";

    ## ENTER HERE ##
    location / {
        # Let's encrypt location
        location ^~ /.well-known/acme-challenge {
            default_type text/plain;
        }
        location = /.well-known/acme-challenge/ {
            return 444;
        }

        ## CAPTIVE PORTAL RESPONSE
        location / {
            return 204;
        }
    }
}

## SITE HANDLING HTTPS ##
server {
    ## INIT ##
    listen 443 ssl;
    server_name captiveportal.kuketz.de;
    root /var/www/sites/captiveportal.kuketz.de;

    ## LOGS ##
    access_log off;
    # "error_log off;" would write errors to a file named "off"; discard them instead
    error_log /dev/null crit;

    ## SECURITY HEADER ##
    include /etc/nginx/conf/headers-ssl.conf;
    add_header Content-Security-Policy "default-src 'none'";

    ## SSL ##
    # Redundant with "listen 443 ssl"; the directive is deprecated in newer nginx releases
    ssl on;
    ssl_certificate /etc/ssl/certs/captiveportal.kuketz_ecdsa.pem;
    ssl_certificate_key /etc/ssl/private/captiveportal.kuketz_ecdsa.key;

    # OCSP-Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_stapling_file /etc/ssl/certs/captiveportal.kuketz_ocspresponse.der;

    ## CAPTIVE PORTAL RESPONSE
    location / {
        return 204;
    }
}
The decisive thing is actually only this small part:
## CAPTIVE PORTAL RESPONSE
location / {
    return 204;
}
This makes nginx respond to requests on the domain "captiveportal.kuketz.de" with an HTTP 204 status code. This should also work with Apache (not verified):
RewriteEngine On
RewriteCond %{REQUEST_URI} /
RewriteRule $ / [R=204,L]
Conclusion: Now you can use my service or host the Connectivity-Check yourself. Google won't get any more data via this function.
Source and more info (German):
https://www.kuketz-blog.de/android-captive-portal-check-204-http-antwort-von-captiveportal-kuketz-de/
#android #captiveportal #check #HTTP #guide #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
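For anyone hosting the check endpoint themselves as the captive portal post above suggests, this added example (not part of the original post or of the author's server setup) runs a local Python stand-in for the `return 204;` rule and probes it the same way the curl test does. The class and function names, the portal URL and the three-way verdict, which is a simplified model of how a check result is read, are assumptions of this example.

```python
"""Local stand-in for a self-hosted connectivity-check endpoint, plus a probe."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class NoContentHandler(BaseHTTPRequestHandler):
    """Answers every GET/HEAD with an empty 204, like `return 204;` in nginx."""
    protocol_version = "HTTP/1.1"  # status line: "HTTP/1.1 204 No Content"

    def _reply(self):
        self.send_response(204)  # a 204 carries no body and no Content-Length
        self.end_headers()

    do_GET = do_HEAD = _reply

    def log_message(self, fmt, *args):
        pass  # counterpart of `access_log off;`: no client IP or time is recorded


class PortalHandler(BaseHTTPRequestHandler):
    """Constructed counter-example: a hotspot that redirects to its login page."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://portal.example/login")  # made-up URL
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass


def start_server(handler, host="127.0.0.1"):
    """Start a server on a free port in a background thread and return it."""
    server = ThreadingHTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, path="/", timeout=5.0):
    """Send one plain-HTTP GET (redirects are not followed) and summarise the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        body = resp.read()
        return {
            "version": {10: "HTTP/1.0", 11: "HTTP/1.1"}.get(resp.version, "other"),
            "status": resp.status,
            "reason": resp.reason,
            "body_len": len(body),
            "location": resp.getheader("Location"),
        }
    finally:
        conn.close()


def verdict(result):
    """Simplified reading of a check result (assumption of this example)."""
    if result["status"] == 204 and result["body_len"] == 0:
        return "internet"   # the answer the post says the phone expects
    if result["status"] == 200 or 300 <= result["status"] < 400:
        return "portal"     # something answered in place of the check endpoint
    return "failed"


if __name__ == "__main__":
    for name, handler in (("204 endpoint", NoContentHandler),
                          ("login portal", PortalHandler)):
        srv = start_server(handler)
        res = probe("127.0.0.1", srv.server_address[1])
        print(f"{name}: {res} -> {verdict(res)}")
        srv.shutdown()
        srv.server_close()
```

To test a real deployment, call `probe()` with your own host name and port 80 instead of the local stand-in.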
DCA_Fishing_in_the_Piracy_Stream_v6.pdf
1.4 MB
Fishing in the Piracy Stream: How the Dark Web of Entertainment is Exposing Consumers to Harm
https://www.digitalcitizensalliance.org/clientuploads/directory/Reports/DCA_Fishing_in_the_Piracy_Stream_v6.pdf
#piracy #stream #malware
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🇪🇸 British police require alleged rape victims to hand over their mobile phone data
The Prosecutor's Office defends the measure as a way to avoid acquittals caused by lack of access to evidence
At first glance it is a dilemma between the guarantee of a fair trial and the right to privacy. Only apparently, because associations defending women who are victims of sexual offences complain that the real aim is to question the attitude or morality of those assaulted, instead of focusing on the objective facts of criminal relevance. In rape cases, UK police are already working with a digital form in which alleged victims are asked to allow investigators access to the data on their mobile phones. The case of Liam Allan changed the way the public prosecution proceeds. This university student was charged in 2017 with 12 sexual offences and ended up being acquitted after the Prosecutor's Office handed the defence the content of messages from the victims that apparently exonerated him. A year later, the number of alleged rapists formally charged had fallen by 23% in the United Kingdom.
"We have an extremely serious problem with the prosecution of rape cases in this country, and it is a proven fact that most rapists manage to escape punishment. Part of the cause is that investigations too often focus on the women's personality, their honesty or their sexual history (despite all the rules designed precisely to prevent this from happening), instead of focusing on the actions or behaviour of the accused," complained Rachel Krys, deputy director of the End Violence Against Women Coalition.
More than 90,000 police officers and administrative staff have taken part in training courses that stress the obligation to hand over to the defence lawyers of anyone accused of rape the evidence that may be relevant to their strategy, and to do so as soon as possible. The form now given to alleged victims makes it clear that they are not obliged to hand over their phones, but accompanies this information with the following warning: "If you do not give your consent for the police to access the data on your phone, you will have the opportunity to explain the reasons for your refusal. If you refuse to give the police permission to investigate, or to allow the Prosecutor's Office to disclose material that would allow the accused to have a fair trial, it is possible that the investigation or the formal charge cannot go ahead," the form says.
The police justify the need for the form on the grounds that it is the only way to obtain general consent from the victim (consent remains mandatory in order to make use of that information) given a volume of information that can be enormous. If the average content of a conventional smartphone were printed on A4 sheets, explains the Metropolitan Police adviser Nick Ephgrave, the end result would be millions of pages. That is why security forces are currently using Artificial Intelligence methods to search the information more selectively.
Supporters and critics of the new method agree on the need to give greater legal cover and clarity to an investigation into such personal details of the victim. "With the form, victims get more precise indications of how their data will be used. Because the accumulation of such a volume of personal data, without a consistent and clear method for determining its relevance, is a problem that worries us," said Katie Russell, co-founder of Rape Crisis England and Wales. This organisation, however, shares the fear that access to all that personal information will be turned against the alleged victim. "Statistics constantly show us that rape or sexual abuse offences have historically recorded a lower number of reports compared with other serious crimes. Among the reasons for this, according to what victims tell us at Rape Crisis support centres, are the distrust they have of the justice system and the fear that they will end up being the ones who feel investigated or judged," it said in a statement.
https://elpais.com/sociedad/2019/04/29/actualidad/1556544192_229884.html
#justicia #privacidad
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Forwarded from cRyPtHoN™ INFOSEC (DE)
Mein Grundeinkommen
Raffle & reading on 13.05.2019 in Berlin
https://www.mein-grundeinkommen.de/
#Grundeinkommen
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
RFID keys can be cloned
The Secvest alarm system from Abus can be conveniently activated and deactivated using an RFID key. But the keys can be copied within seconds. A solution to the security problem is not in sight.
Vulnerability Details:
SySS GmbH found out that the RFID technology used by the ABUS Secvest
wireless alarm system and its ABUS proximity keys (MIFARE Classic RFID
tags) is vulnerable to RFID cloning attacks.
The information stored on the used proximity keys can be read easily in
a very short time from distances up to 1 meter, depending on the used
RFID reader. A working cloned RFID token is ready for use within a
couple of seconds using freely available tools.
Thus, an attacker with one-time access to the information of an ABUS
proximity key for an ABUS Secvest wireless alarm system is able to
create a rogue RFID token that can be used to deactivate the alarm
system in an unauthorized manner.
PoC:
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-005.txt
Video:
https://t.me/BlackBox_Archiv/344
#ABUS #Alarmsystem #RFID #cloned #security #risk #poc
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📺 ABUS Secvest Proximity Key Cloning PoC Attack Proof of Concept (PoC)
https://youtu.be/sPyXTQXTEcQ
#ABUS #Alarmsystem #RFID #cloned #security #risk #poc #video
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🇪🇸 Half of Amazon shoppers would rather hand their data to Bezos than to the Government
A survey reveals that fast shipping is customers' main reason for subscribing to the Prime service.
If Amazon users had to choose whom to trust with their personal data, 55.5% would choose Jeff Bezos. 48.1% would entrust it to their workplace, 25% to the Government and only 9.3% to Facebook. These figures come from a multiple-response survey conducted by Investing.com among more than 1,000 Amazon shoppers in the United States.
Another sign of the trust Amazon users place in the tech company is the Amazon Key service, launched in the United States, which allows packages to be delivered to the home even when nobody is there. Investing.com notes that "that level of trust is hard to earn and highly valued in the retail sector in general".
The survey results reveal that the millennial generation is the one that opts for the Prime service to the greatest extent. Fast shipping is what 73% of respondents value most, followed by 48.2% who choose this option for the television service the marketplace offers.
From a customer retention standpoint, the benefits of being a Prime member can foster shopper loyalty, according to the report. More than 80% of users were subscribed to the service for at least a year, and more than a third (37%) have been Prime members for four years or more.
Changes in consumer habits
E-commerce has taken its toll on large retail outlets. In Spain, up to the month of April, shopping centres have lost 5% of their visitors. This trend is leading large retail outlets to try to become experience centres that go beyond shopping.
Amazon users contribute to this visitor deficit. According to the survey, 43% have stopped shopping at shopping centres. In addition, almost one in three shoppers say they place orders on Amazon at least once a month.
Monthly spending stands at 120 dollars and, although the range of products on Amazon keeps growing, books remain its star product. 49% of respondents "looked for books and audiobooks through the retailer's website, and 48% did the same for their electronics purchases".
Investing.com notes that "as a result of extremely competitive prices and its relationship with small independent publishers, some analysts have gone so far as to say that Amazon has created a monopoly in the book industry".
Shoppers also feel less inclined to look elsewhere for films, music and games (37%), beauty and health products (30%) and clothing, shoes and jewellery (26%).
Continued growth
Most shoppers do not believe Amazon has peaked either. 88% of respondents believe it will keep growing, diversifying into other industries. One in 4 shoppers expects the company to break next into the delivery services sector, followed by pharmaceuticals (19%), artificial intelligence (13%) and health (9%).
Investors agree that Amazon will keep growing. The company's shares are up around 30% since the beginning of the year. The first quarter of 2019 brought revenues above 59,700 million dollars for this e-commerce giant.
https://www.elespanol.com/economia/empresas/20190505/mitad-compradores-amazon-prefiere-ceder-bezos-gobierno/394711521_0.html
#amazon #privacidad
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
El Español
Half of Amazon shoppers would rather hand their data to Bezos than to the Government
OBSERVATORIO DIGITAL. A survey reveals that fast shipping is customers' main reason for subscribing to the Prime service.