Is madaidans-insecurities fake news?

Hi

https://madaidans-insecurities.github.io/firefox-chromium.html -> Firefox
https://madaidans-insecurities.github.io/android.html -> LineageOS
https://madaidans-insecurities.github.io/linux-phones.html -> PostmarketOS

This guy says the products recommended by PrivacyTools are insecure.

I am confused

For the linux phones article, I would advise reading the comments of the lobste.rs post (this one in particular).

1 Like

Technically the article about Firefox and Chromium is correct, but this is a strictly security perspective, in the same vein as saying Google Play is technically more secure than F-Droid. When viewed with a security and privacy perspective, Firefox is better, albeit falling behind Chrome a bit, simply because Google is pretty much dominant in mobile web pages and pretty much sets the standard.

In the desktop browser, Chrome is not good, even security-wise, at least according to Steve Gibson (of Security Now!), especially with regard to how it handles site certificates.


With regards to Android Security:

It does not implement rollback protection so an attacker can downgrade the OS to an old version and exploit already patched vulnerabilities.

If an attacker could gain possession of your phone and/or have access long enough, it's pretty much over regardless of what OS you are using on your phone.


As for the Linux phones, it feels more like opinion than fact. Notice that the most “finished” of the Linux phones is the PinePhone, and it's pretty much a prototype of sorts and not yet ready for primetime. There is a reason why the first batch is codenamed “Braveheart”.

The microphone kill switch is useless since audio can still be gotten via the gyro sensors.

Assuming you can get a good signal to noise ratio with that, this kind of approach to hacking is along the threat level of being hunted by APTs. All known devices will fall to them, given time.


All in all, the user reads like it is written with a one-sided mindset. It is not fake news, per se, more like propaganda. Notice how the site doesn't have bad things to say about Microsoft or Google, the worst offenders of privacy and security.

2 Likes

There are citations littered over the site if you’re wary of it being “fake news”.

That post is full of people making wildly inaccurate claims. You can even see people attempting to argue in the replies to those comments.

Also, when did random people on forums become more credible than real evidence?

The site is mainly about security, not privacy. This is a straw man. When did I ever mention privacy in that article?

This is not just about physical access. Rollback protection also helps greatly from a remote attacker.

Besides, using encryption + verified boot gives great local security and does not make it “pretty much over”.

It’s not at all.

No, it’s not. Sensors are known to be a massive risk, not just to APTs.

This is plain FUD.

The site is mainly about security, not privacy. Stop with the straw men. Microsoft and Google aren’t security offenders.

These replies are exactly why I didn’t try to make posts about my site anywhere. People refuse to believe their favorite software isn’t perfect and then I get attacked with all the “shill” and “propaganda” claims. It’s ridiculous.

3 Likes

thanks @madaidan
very nice that the original author answers.

I am curious what tools/setup do you use?
What about the vendor Apple?

To be fair, what you say is true. Google is more secure overall but then again, this is a privacy first forum. And while you do need good security to maintain privacy - sacrificing privacy for plain security seems like a bad proposition to me, in my opinion.

A prison is extremely secure.

4 Likes

You complain about Linux, heck you even complain about BSDs that were purpose-built to do security, but having no rant for MS or Apple doesn't seem to do an overall justice and fails to give a complete picture. How else am I supposed to perceive this?

1 Like

I’m not the one who posted it here.

Microsoft and Apple are doing a lot of work for security. Whatever privacy concerns you have are irrelevant.

1 Like

Why are they irrelevant?

We’ve already covered the fact that the site is mainly about security, not privacy.

Sure, it’s a privacy forum. But what does that have to do with anything for that matter? The person posted madaidan’s website inquiring whether or not the articles in regards to options which are popular amongst the PrivacyTools echo chamber are actually insecure as the articles prove.

This is madaidan’s website, where he provides a list of insecurities as the title very blatantly and intuitively suggests. He does not even recommend Google (except for the Pixel, which is obviously for GrapheneOS) on his website at all, so why is it relevant here?

Well, I know why. Because you made the strawman that the website is security and privacy focused when it is only the former. What privacy are you sacrificing by using the specific alternatives madaidan gives? While his website is not privacy-oriented he still gives pretty private recommendations…

1 Like

inb4 “but this privacy forum tho!”

Then why this?

Wire
Wire stores all metadata unencrypted and is owned by a US company, a country known for privacy abuses.

I don’t know if Wire has had any security issues so far, so it should be a good option for security-focused users, right? Especially since it has way more features than e.g. Signal (which is also a US company, a country known for privacy abuses. Just like Keybase or Wickr, also good secure messengers)

But I like the site, a lot of useful information there :+1:

Because the context of that page is in regards to secure messaging, where privacy is a factor of “secure messaging”; otherwise, if someone is eavesdropping on your messages, then are they secure?

Sending unencrypted metadata is a concern in itself, as is being based in the US, where the government has been known to secretly backdoor services like these or request user data. A good example of this is Lavabit, look into it.

No, it would not be a good option for security-focused users because their metadata is not secure, nobody has been known to audit the code or protocol, no respected security expert to my knowledge recommends it, and it is based in a calculated-risk country.

I reference this site frequently on PrivacyToolsio Matrix. It is trustworthy. I would like to first address some inaccuracies in posts here and explain why I use this site and why the implications should be considered.

Steve Gibson is not a reliable source. http://attrition.org/errata/charlatan/steve_gibson/

It is a meaningful security feature mainly to protect from remote attacks. None of the advice is for local security. Due to their nature, Android and iOS are extremely restricted at every point. On Android, init does not even have unrestricted root access. This attention to detail is why verified boot is so critical. An exploit maintaining persistence at worst is limited and a chore. At best it is impossible. Factory resets are 99.9% effective at wiping all persistent attacks (assuming your attacker is not an insider with, say, access to Qualcomm signing keys).

Sensor data access is a serious concern. The data leaked has led to voice recognition, location detection, gender, age, and even PIN swiping. Android and iOS have made major strides to protect this. Particularly iOS and GrapheneOS.

Google and Microsoft are all privacy infringers. However they have unmatched security records and are in the top 3 phone makers of all time. Apple supports their phones for 5 years. Microsoft for 4. Google for 3. There’s no debate that these companies will protect you.

The site is about security and informing people of the risks they take running things like Lineage and Firefox instead of GrapheneOS and say Bromite. GrapheneOS and Bromite are accessible and secure. They respect and actively protect your privacy (GrapheneOS has far better protection for your privacy than Lineage).

Security and privacy can be achieved together. I avoid one sided solutions. However, this website is not a solution it is informative for security only. If anything consider it more as a companion to privacytools.io

LineageOS has a lot of very poor implementations. It has no support for a secure and effective firewall. AFWall+ and NetGuard do little to nothing to protect from IPC leaks. XPrivacyLua is running only client-side checks and is bypassable. If you use ExodusPrivacy you’ll see there is a lot of 3rd-party code for tracking built into apps. Even if the app appears to break, it doesn’t mean the trackers did at all. Lineage has worse privacy and security.

BSD for Desktop has no sandboxing available for browsers and everyone knows the issue with jails. BSD is not secure for Desktops in any way.

Not the intent of the site to make recommendations for privacy. It is to inform users of the risks of insecure software. At least that’s how I use it.
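The posts above argue over what rollback protection actually buys you (the original question quoted the site's line that an attacker can downgrade the OS to an already-patched version, and the reply says it matters mostly against remote attackers). The following is an added example, not from the site or from anyone in this thread, that models that mechanism in miniature: a bootloader that checks a vendor signature on an image and, when rollback protection is on, also refuses any image whose version is below a stored minimum. The `VENDOR_KEY`, `Image` and `Device` names and the HMAC stand-in for a real signature are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the OEM signing key. A real bootloader verifies an
# asymmetric signature; HMAC is used here only to keep the example offline.
VENDOR_KEY = b"constructed-demo-vendor-key"


@dataclass(frozen=True)
class Image:
    """A signed OS image: a monotonically increasing version plus its payload."""
    version: int
    payload: bytes
    tag: bytes  # vendor authentication tag over version || payload


def _message(version: int, payload: bytes) -> bytes:
    return version.to_bytes(4, "big") + payload


def sign_image(version: int, payload: bytes, key: bytes = VENDOR_KEY) -> Image:
    """What the vendor does once per release; every release stays validly signed."""
    return Image(version, payload, hmac.new(key, _message(version, payload), hashlib.sha256).digest())


class Device:
    """Toy verified-boot flow with an optional anti-rollback counter."""

    def __init__(self, rollback_protection: bool):
        self.rollback_protection = rollback_protection
        # On real hardware this lives in tamper-resistant storage (e.g. a replay-
        # protected block), so a compromised OS cannot simply lower it.
        self.min_version = 0
        self.installed: Image | None = None

    def boot(self, image: Image) -> str:
        expected = hmac.new(VENDOR_KEY, _message(image.version, image.payload), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, image.tag):
            return "rejected: bad signature"
        # Verified boot alone only proves the vendor signed the image once.
        # Rollback protection additionally pins the minimum acceptable version.
        if self.rollback_protection and image.version < self.min_version:
            return "rejected: rollback"
        if self.rollback_protection:
            self.min_version = max(self.min_version, image.version)
        self.installed = image
        return "booted"


def downgrade_scenario(rollback_protection: bool) -> str:
    """A device runs the patched v2 build; someone who gained code execution on it
    (remotely, no physical access needed) writes the older, still validly signed
    v1 build into the boot slot and reboots. Returns the bootloader's verdict."""
    patched = sign_image(2, b"constructed v2: vulnerability fixed")
    old = sign_image(1, b"constructed v1: vulnerable build")
    device = Device(rollback_protection)
    assert device.boot(patched) == "booted"
    return device.boot(old)


def forged_scenario() -> str:
    """Without the vendor key, a self-built image fails verified boot regardless."""
    forged = sign_image(3, b"constructed attacker build", key=b"not-the-vendor-key")
    return Device(rollback_protection=True).boot(forged)


if __name__ == "__main__":
    print("with rollback protection:   ", downgrade_scenario(True))
    print("without rollback protection:", downgrade_scenario(False))
    print("forged image:               ", forged_scenario())
```

Run stand-alone, the script shows the difference the thread is arguing about: both devices reject a forged image, but only the one with rollback protection rejects the genuine, vendor-signed v1 build. The counter being stored where the OS cannot lower it is what makes the protection hold against a remote compromise rather than only against someone holding the phone.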

There have been security audits; it is mentioned in the article also. And they have a good history and probably a good future as a secure messaging/VoIP service. Messages are secure. I know the confidential message I send to my contact will be seen only by us (unless there are unknown vulnerabilities, but it’s the same with all the others).

https://medium.com/@wireapp/wire-application-level-security-audits-98324d1f211b
https://wire.com/en/blog/bringing-mls-into-the-mainstream/
https://wire.com/en/blog/regular-security-audits
https://wire.com/en/blog/wire_partners_with_fedresults/

Signal, Wickr, Keybase… are also based in the US, where the government has been known to secretly backdoor services like these or request user data.

Signal also had security issues in the past (quickly fixed). Though they might leave the US if EARN IT passes. We’ll see if others will follow if that happens. But until then, from what we know, you can use any of those, or even Skype with private chat (implemented by Signal) for secure (but not so private) communication. You can send your credit card PIN and delete it after some time or set an exploding message. Wire, Keybase, Wickr, etc. might only know you sent something to person B at 3 pm, but that is ok for many people who focus on security first.

One of the reasons for Wire’s metadata collection is in the features they provide. And it will be improved, if it isn’t already (link in the original article is from 2017)

https://github.com/wireapp/wire/issues/214#issuecomment-538499456

I think only WickrPro offers almost as many useful features and remains secure as Wire (external communication is something it doesn’t have, and it’s not open source). But Wire can also be self-hosted (on-premises), so no issues with (meta)data collection.

1 Like

I think the most secure is Tor Browser. However, there are some sites that Tor cannot go to. What browser do you use at that time? I think Firefox is the most common, but I’ve seen information that it’s probably not safe. I heard that Bromite is better for Android. How is it actually? The links below are sources of information. Also, what is the alternative browser to Firefox for the Desktop version?

https://madaidans-insecurities.github.io/firefox-chromium.html

Graphene sounds great but I don't have Pixels to put it on. I'm wondering if they will ever do other devices.

Yes, it’s a lot of fake news that doesn’t look at the bigger picture of things, and instead cherry-picks things, saying “this software has X, while this one doesn’t!”.

The author tries to instill fear to convince people and it spreads a lot of FUD and misinformation.

Also what is with the empty accounts created solely for the purpose of posting on this thread? Are they the same person?

1 Like

You haven’t given a single rebuttal to any point. You’re making blanket claims that directly contradict what the evidence given proves. Extraordinary claims require extraordinary evidence.

You’re really the only one spreading FUD and misinformation here.

No, we aren’t the same person. I have no interest in this forum. I only created an account to counter the misinformation in this thread.

1 Like