@semitones Will, I'm not a security spod, but I am an experienced IT professional of nearly 40 years. I've advised multinational banks in their security holes. (They ignored me and were very badly hacked a year later.)

I do both these things all the time. Don't worry. I don't.

My email sig contains my real name, 3 real phone numbers, and it has since 1991 when I signed up for my first personal email address. Which still works today, incidentally.

I have never been hacked.

I once wrote a story about an Israeli security firm whose claims for their anti malware violated the Halting Problem and were literally and specifically impossible.

My editor wouldn't run it. He wrote a fair more dilute one.

A year or so later the vendor was discovered to be unknowingly hosting the largest single pr0n archive on the internet. Terabytes of it, in the 1990s. Rooms full of racks of servers for all the smut, because they'd been pwned very early on and didn't check what types or contents of files they were buying storage to hold. They just bought more.

The more smug the security vendor, the less competent.

@piero "Solded"?

I don't think it is, no. I don't think these are real general threats that are out there in the wider world, even to those using older devices.

I think the point of this open letter is trying to tell people to focus on the real threats, ones that matter, not distract them with imaginary ones that are not really in use.

Solded should have been soldered.

I used to work exposed at this vast user base, and even looking at the devices of my friends and family, I can see a confirmation of what I said.

The primary target of the campaign shall be management boards of mobile OEMs and not ordinary people, who have no technical bases to assess risks or classify which of their devices are critical. And since they are told to use a random VPN in every Youtube video, they will sadly do so.

I am not in principle against this message but the way of its promulgation, which ie. ignores economic barriers to the message application.

@piero

Aha. "Soldered" is a strange way to talk about upgradable firmware that _could_ be updated if the OEM bothered to offer an update... but OK.

> The primary target of the campaign shall be management boards of mobile OEMs

No, I do not think it is. I think it is right there spelled out in the opening lines:

«
To the public, employers, journalists, and policymakers
»

Those are who it is aimed at, not who you seem to be saying.

@piero I am very well aware. I like cheap Chinese phones. I've been using them for a decade, as I have written publicly:

theregister.com/2022/06/02/mur…

«
This reporter is a fan of cheapo Chinese smartphones. In recent years, I've had an iRulu Victory V3, a PPTV King 7, an Umidigi F2 and most recently an Umidigi Bison.
»

All of them got 1 update _ever_, when 1st turned on, and I then used them for the next 2-3 years with zero additional updates to the OS.

And, as I keep saying, I've _never_ got hacked. It's now 40 years since I first got an Internet email address, in 1985.

Murena and /e/ Foundation launch privacy-centric smartphones

De-Googled Android phone does the job, has a few rough edges

^{Liam Proven (The Register)}

>How does something access your device Bluetooth without permitting connection first?
The way demon rectangles are designed is to have the bluetooth card regularly announce its hardware MAC address, so the device is in the "discoverable" state and can quickly pair with bluetooth devices like speakers or headphones - only if bluetooth is in the "off" state that such announcement is not made.

The result is that anyone walking past with f-droid.org/en/packages/net.wi… running can store the MAC address, location and time, but more relevantly, there are bluetooth stingrays in stores that collects such metadata and exploits it.

Later bluetooth versions are meant to have privacy MAC's, with a random MAC being announced generally, but I guess that the current random MAC would need to be stored if you decided to pair with a device, with that MAC needing to persist for as long as that device is to be paired to.

I'm not sure if MAC's are encrypted and if not, having bluetooth headphones that only support a static MAC would allow for long term identification for any listener that intercepts the packets containing the static MAC (bluetooth devices inherently receive all bluetooth packets in range, but are designed by default to drop any packets that don't have a relevant MAC).

Often the privacy MAC implementation is intentionally or mistakenly screwed up; news.osu.edu/study-uncovers-ne… (unfortunately the article refers to the boring exploiting of devices as to "hack", when hacking is playful cleverness)

>Don't you need to "allow" a device to connect by Bluetooth?
No - for demon rectangles in the default "discoverable" state, external devices can connect and request paring; simplymac.com/accessories/why-… (LLM slop, but the first few sentences are relevant).

The "allow" permits the current connection to finish the pairing handshake, while disallow rejects the pairing handshake until the asking device tries again.

The handshake is extremely complicated and when implemented with garbage proprietary software, there are always protocol vulnerabilities.

One example of a possible vulnerability is; wiibrew.org/wiki/BlueBomb#How_… - often with these proprietary bluetooth stacks, an exploit can consist of starting the pairing handshake, inserting a stage0 executable of the correct architecture into one of the data packets of the handshake (which makes the bluetooth stack load the executable data into memory) and then sends an invalidly encoded packet that exploits the bs and causes it to jump execution to the stage0 executable in memory (whoops, the data is executable), which can then be used to do anything - for example to upload a larger executable via bluetooth that does a lot of things - all without even a connection request popping up (the bluetooth will stop working as a side effect, but nobody will notice due to how often bluetooth stops working).

For some Android devices, I guess that sometimes the bluetooth stack is run as root and also is excepted from SELinux (as it's hard enough to get it working without SELinux), meaning a successful exploit would allow for full device compromise.

Why Am I Getting Unwanted Bluetooth Pairing Attempts? - SimplyMac

Unwanted Bluetooth pairing attempts often stem from nearby devices actively searching for connections. Devices in pairing mode, such as headphones, speakers,

^{Alex Westby (SimplyMac)}

There you go. If you think of them as demon rectangles, if you know what the difference is between a Mac and a MAC, then this advice is not aimed at you.

And TBH if your answer involves terms like MACs then your advice will go over the heads of the people who need it -- at the height of an intercontinental 747.

You're not wrong in any way. I am not disagreeing!

But turning off your Bluetooth doesn't stop _Them_ tracking you. It barely even slows Them down.

It does stop your smartwatch working, though. It stops you listening to music, because the "demon rectangles" for the masses don't have headphone ports any more.

So they won't, making it pointless advice.

Don't give pointless advice. Work out what the advice could be that will in fact help.

I'm riding a international GNUKE (I'm as high as space).

>But turning off your Bluetooth doesn't stop _Them_ tracking you.
If it actually turns bluetooth off, it stops bluetooth tracking (of course it doesn't actually turn off bluetooth anymore for some devices), but it doesn't stop gps and mobile location spying.

>It does stop your smartwatch working
The smartwatch isn't yours - it serves another master.

It is highly important to get rid of such surveillance device and get a practical watch that doesn't need to be charged.

>It stops you listening to music, because the "demon rectangles" for the masses don't have headphone ports any more.
If you just want to listen to music, you can get one of these devices dirt cheap if you know where to loop; replicant.us/supported-devices…

>Don't give pointless advice. Work out what the advice could be that will in fact help.
People would regard advise to get rid of the demon rectangle and to cease using as much proprietary software as possible as too extreme.

@number6 I feel we should have a public name-and-shame list of sites that impose restrictions on password choice.

I don't use such long ones but I have a system for generating my own which means no sharing or reuse... But a few banking sites and things break it.

I feel like all these sites borrowed code from one central, early source that was written in the 80s, and never double-checked.

Lots of websites I've been on don't tell you what the naming rules are. So you use "John" and it says "That name has been taken". You say "Rumpelstiltskin" and get the same response. You say "AbracadabraIsMyName" and the same response. What it wants (usually) is a numeral, but it doesn't tell you that.