Post AV2cFSEqv5LVM1gabw by cryptgoat@digitalcourage.social
(DIR) Post #AV1aTW2JCd2M7WR5Xc by atoponce@fosstodon.org
2023-04-25T20:20:02Z
0 likes, 1 repeats
If your phone has a Qualcomm chipset, it might be spying on you. Unfortunately, this is happening at the firmware level, beneath iOS and Android. #privacy https://www.nitrokey.com/news/2023/smartphones-popular-qualcomm-chip-secretly-share-private-information-us-chip-maker
(DIR) Post #AV2cDlgBfTp14OfR8i by Orca@nya.one
2023-04-25T21:28:54.888Z
1 likes, 0 repeats
@atoponce@fosstodon.org Can we please stop spreading this bullsxxt? That's not happening at the firmware level, and that's not circumventing the host firewall or VPN (if it exists). It's just AGPS and is a part of the vendor image; for privacy-focused people this probably should be disabled, but this is by no means spying at all.
(DIR) Post #AV2cFSEqv5LVM1gabw by cryptgoat@digitalcourage.social
2023-04-25T20:37:50Z
0 likes, 0 repeats
@atoponce The article is terrible and cheap marketing.
(DIR) Post #AV2cFZtATakn55bNvE by atoponce@fosstodon.org
2023-04-25T20:38:42Z
1 likes, 0 repeats
@cryptgoat Yeah. It reads like an advertisement for Nitrophone. For the time being, I'm willing to give them the benefit of the doubt, but I'm also holding the article at arm's length. I'm curious to see if the domain shows up in my DNS logs.
(DIR) Post #AV2cFdOpQKrTy9RDBg by cryptgoat@digitalcourage.social
2023-04-25T20:43:15Z
1 likes, 0 repeats
@atoponce Here is another take on it: https://blog.brixit.nl/nitrokey-dissapoints-me/ The #DivestOS dev was very critical as well, saying it is not even firmware related. #DivestOS has Qualcomm NLP removed btw.
(DIR) Post #AV2cJnSHyiveJb2cOu by dcz@fosstodon.org
2023-04-25T21:02:02Z
0 likes, 0 repeats
@cryptgoat @atoponce This blog overlooks the massive breach of trust and security if the HTTP requests are actually being sent from the hypervisor on the CPU. The other thing missed here is the breach of privacy by leaking IP addresses, "phone’s unique ID and serial number". If that is true, then they must obtain permission from the user. Otherwise it's both unethical and unlawful under GDPR.
(DIR) Post #AV2cJoAxIeeqY7wI1Q by WPalant@infosec.exchange
2023-04-26T07:46:17Z
1 likes, 0 repeats
@dcz @cryptgoat @atoponce That’s assuming that any data is actually being transmitted, which I’m somewhat doubtful of. I mean, the article doesn’t show the data but instead quotes the privacy policy. List of installed software, seriously? How is firmware even supposed to get this?
(DIR) Post #AV2cLVSzpYTh6UBgDg by dcz@fosstodon.org
2023-04-26T10:22:50Z
0 likes, 0 repeats
@WPalant @cryptgoat @atoponce A privacy policy that takes effect even if you did not agree to it is enough to ring the alarm bells. If the hidden software can make HTTP requests, then it can modify its own behaviour to exfiltrate whatever data it has on hand.
(DIR) Post #AV2cLWAbDRM9HiaVBQ by WPalant@infosec.exchange
2023-04-26T10:25:09Z
1 likes, 0 repeats
@dcz @cryptgoat @atoponce Assuming that this hidden software even makes HTTP requests. But judging by what GrapheneOS developers say, it is actually the operating system which does it, in order to download A-GPS files. Meaning: that privacy policy doesn’t even apply, the OS privacy policy does.