Are there any tamper-evident shipping services available to the public?

I really need such a service (similar to Purism’s anti-interdiction) to protect me when shopping online. And I would prefer that it work globally. Does that exist?
Thank you.

It depends on what your threat model is. The best anti-interdiction is end-to-end but that means that it can’t really be offered as a shipping service.

Wanting it to work globally is a very big ask, as you are basically expecting one of the major global shippers (like DHL) to provide this. It depends on what “globally” means. Does “globally” mean … the source country can be any country (wherever you shop online) but the destination country is one specific country (where you are physically located)? or does “globally” mean any-to-any?

To bypass customs? Smuggling or shipped by an embassy?

Easy then. Create fictitious country, establish diplomatic relations with the destination country and the source country, and use the diplomatic shipping container. Ha ha.

Technically there is a difference between bypassing Customs (smuggling) and tamper-evident. The goal of the latter is not to deny access to Customs but merely to detect access by Customs. For that purpose, the outer surface may deliberately not detect tampering while the inner, important, surface does.

Can’t the NSA get into any phone anyhow?

The original question may go way beyond phones.

Again, the point isn’t necessarily to stop the NSA getting into the phone (may be impossible) but to ensure that the NSA can’t get into the phone without being detected.

sure they can … if it’s the kind of situation that requires it they simply do it the old fashioned way … black-bag-over head then drive to abandoned location where a spoon is shown to the person being interrogated and then “please unlock your phone or else …”

Except we are talking about interdiction, where the owner of the phone hasn’t yet even taken custody of it, and may not yet be able to unlock it.

So the NSA has hooks into the shipping company, diverts the parcel temporarily, tampers with it, and then allows the parcel to resume its journey. No need for old-fashioned thuggery.

would such a short window allow for hw implants or malware only or both ?

Who said it’s a short window? Both.

The original question talked about shipping globally. That can easily take weeks anyway. So if the NSA holds the parcel for 48 hours while they do sw and/or hw “implants”, would you even notice the delay? Add an extra week to the expected delivery date for “unexplained reasons” (bad weather at source or destination location / transport accident / industrial action / backlog (sheer volume of parcels) / global pandemic) and the NSA has a heap of time to do their worst.

so by that logic what would you estimate to be their current MAXIMUM “infection” rate potential ? would 1 in 4 people who order anything gadgety-techy online have a possible “infected” “toy” ? what would you say has the LEAST chance of this type of malware being installed ? proprietary things or open-source things ?

since the 3 letter agency came up again i’d like to not miss the chance to link to another AV-docu

it has some US military intelligence propaganda in it but overall i think it helps to keep the paranoia level just right :sweat: :grimacing: :mask:

I would just be guessing but I think destination country would be a significant factor in attracting 3 letter agency attention. Another significant factor would be a person or company on a “watch list” (and that applies at both ends). For tech companies that are under effective agency control and where the toy has internet access, the malware could be implanted retrospectively.

I would just be guessing but I wouldn’t think that the agencies have resources anywhere near enough to tackle 1 in 4 gadgets, nor would there be much point. Amazon alone delivers a few billion parcels a year. Admittedly, not all of those are gadgets.

the point of the above linked AV-docu was to let people know that there are OTHER players in the world who are actively involved in this so it’s not just US, China, Iran, Russia but others as well. they talk about some infrastructure that already suffered the power of these attacks (mainly financial damage but rather SEVERE)

also they insisted on the fact that carrying out these types of attacks is usually cheaper than the expected damage. what i didn’t understand very clearly is what kind of collateral are we talking about here ?

There are some issues with this. Mainly, tamper-evident packaging is not a silver bullet, and tamper-evident packaging at scale is easy to fake.

Think of it this way. DHL starts offering tamper-evident packing tomorrow, where they encase your packages in shrink wrap with their logo and a seal of some kind being repeatedly printed on the shrink wrap (this and packing devices in permanently sealed plastic bags are common tamper-evident solutions).

Now, the NSA decides that they want to break into [insert whistle-blower, journalist, or other person/org that is on “the list”/they just generally dislike]'s new phone from [insert tech company]. The phone is being shipped via DHL.

The NSA has 2 very easy options after intercepting the package.

  1. Make a clone of the already-on-the-device tamper-evident packaging to re-seal the device after opening and breaking/compromising it.

  2. Pay (or steal from) DHL for a sheet of their wrap, or pay/steal from their supplier (assuming they aren’t making it themselves).

The more packages that are shipped this way, the easier it is for the tamper-evident packaging to just be opened, pried through, and re-sealed without anyone knowing.

There are really no easy ways to make it obvious that a package has been tampered with. For the really paranoid, the best way to have a reasonable chance of finding something is to verify internals with pictures provided by the OEM, and reinstalling everything to ensure software tampering is removed.

If you want to be really paranoid, I have a new question for you. How do you know that the pictures that you get from the company are the real pics, and haven’t been swapped out? How do you know that the NSA hasn’t replaced the pictures with ones showing their bug so you think it is normal?

Even if you drive down to [insert phone company]'s office to pick up your phone, how do you know that they aren’t a front for the NSA as a company and their computers are bugged by default? How do you know that their supply chain has not been compromised by the NSA?

IMO, life is too short to worry about such things. You can take precautions (buy from small companies, reinstall firmware), but I don’t bother doing much else. At that point, you’ve earned it in my opinion. At the same time, I am not an active target but rather one of many, so simply changing my habits can severely limit the amount of data being collected with minimal effort. I can 100% understand a target taking additional precautions.

My point is that if an adversary wants to, they can (relatively) easily make you think that something has not been tampered with when it really has been. I don’t think that major shipping carriers providing tamper-evident packaging would be very helpful.

(I am using NSA here, but it can be swapped out for anyone who is your enemy or is a bad government/agency and also has lots of money and/or power)

Didn’t Snowden(sp) say the government or others don’t need to intercept phone/computers/etc to spy on anyone they want to after we have said devices? ISPs are obliged to give them access and others too? Google is a major funding source for Firefox. And on and on.
Have parts/components shipped separately directly to you and assemble it yourself? Almost a losing battle sadly to say. I just want my cool Linux Librem 5. There's been some disturbing movies about the government/corporations spying on us. Our government collaborates with other governments too sharing back and forth our phone conversations and such. Sorry to kill a dead horse.

but democracy still lives right ?

That’s what my cat Feefee tells me

This, and the bull**** “nothing to hide” argument are the same tactics the Chinese government loves to use on their citizens. Basically, it goes like this…the nothing to hide argument is for those who are fine with a false sense of security, and the hopelessness is designed to make you give up. Both of those things are wanted by intelligence agencies.

There are still reasons to be optimistic, but keep this in mind. Governmental reform does not happen when everyone is complicit, and does not happen when we are all seen as the “crazy tinfoil bunch” that won’t join Facebook because we think they are spying or something.

Education has been the biggest issue in explaining mass surveillance (not to mention getting people to believe in it), and we have an extreme lack of it.

In addition to all of that, we have people repeating these arguments about how they have nothing to hide or are giving up, and that just furthers this idea that Privacy is impossible to reach, further destroying the message. By posting things like that, all you are doing is helping the 3-letters spread their message.

I never said give up. You got to have some hope. Government reform? That is a complete fantasy. You cannot legislate thinking. Like what is going on currently.

is Snowden still in Russia ? that’s where the book stopped anyway …