Suppose your smartphone was infected via a zero-click exploit - so location, camera, mic, and everything else compromised - well, getting an old dumb phone is not a perfect solution but helps! Now suppose also your Mac was infected the same way with everything compromised - I was wondering what recommendation I should follow (I mostly just use email and visit normal websites like X, Reddit) in order to mitigate the spyware risk as much as I could while not being a super technical person. Any ideas would be appreciated!
I’m confused. Are you asking what to do if your computer is actively compromised with spyware?
No, an ancient and extremely insecure device does not help. This is exceptionally poor advice.
I’m asking what would be recommended to mitigate the risk of getting such spyware on a PC - like some creative idea that I’m not aware of.
But if my smartphone was compromised, what would you do? How would you go without a SIM card and only WiFi? Do you recommend any VoIP?
Use a modern, secure device like a Pixel with GrapheneOS or an iPhone with Lockdown mode. Keep your device in aeroplane mode and use Signal over WiFi to communicate.
Restarting your device is an effective method for preventing malware/spyware persistence.
Appreciate it a lot! Do you have a must-go recommendation for the laptop now that we touched on the phone side?
I’m not 100% sure what we are talking about, so I’ll just go with the thought experiment that you’re a high-level target, security is dead and every device is compromised, and try for maximum effort on privacy and anonymity without going total Ted Kaczynski, only 95%.
If you are a target like that you shouldn’t be using a phone. You’re shooting yourself in the foot. No matter the phone, especially a dumb phone, it is a bad idea. Your best bet is a Pixel with GrapheneOS and with microphones, sensors and cameras physically removed. But it can easily be tracked, so a Faraday bag is probably a good idea.
For desktop and laptop, only use an operating system that only runs in memory, like QubesOS+Whonix+Kicksecure in disposable VMs, or Kicksecure+Whonix only in live mode, or TailsOS.
For hardware, ideally use a desktop or laptop with Coreboot+HeadsOS firmware.
Something like an MSI PRO Z790-P DDR5 motherboard with HeadsOS firmware for desktop, or a laptop from NovaCustom with HeadsOS firmware. Or a laptop with HSI:4; the main reason is encrypted RAM, because you should be using an OS that only runs in memory.
And of course microphones, cameras, WiFi/Bluetooth card, SSD removed, etc.
Thank you!
You shouldn’t be using a traditional desktop OS / hardware. Use a GrapheneOS device in desktop mode or an iPad.
Keep up with having hardware firmware and software up to date.
Listen to news podcasts, or subscribe to mailing lists and such, or follow security people on Twitter/X or on relevant Mastodon instances (infosec.exchange) for the latest on IOCs (indicators of compromise).
Oftentimes regular people aren’t really targeted so keeping devices up to date is oftentimes sufficient.
If you’re a low-level target on the run, I’ll agree with you. It’s better for a non-technical person to use a phone/tablet with GOS; I’ll drop the iPad.
But no, GrapheneOS isn’t a magic box without exploits; same goes for the iPad.
You don’t following
And
I’ll be using the Israel and Iran war as an example of high-level targets.
I was reading about how Israel and the USA were killing Iranian government officials left and right. If I were an Iranian official I wouldn’t be using a phone, GOS or not. There are too many points of failure in a phone; same goes for things like cell towers, cars, etc.
Why would you, as an Iranian official, trust Google or Apple hardware/software when they are American companies and when Middle East America is known to buy, sell, use and plant zero days in mobile devices?
Are you just betting that Israel and the USA have no zero days for Pixels and iPads? When they can get/have access to Apple’s and Google’s source code.
I think your best bet is a little bit of security by obscurity in the short term, by using odd software and firmware with amnesia that are reasonably secure operating systems.
But no idea. Nothing is perfect.
Even Hezbollah’s pagers were vulnerable to supply-chain attacks!
There comes a point where what type of phone or how you configure it won’t help you against targeted attacks. The question should be geared towards: “How and when should I use my phone”.
If you’re a government official being targeted by foreign airstrikes, you may want to ditch your family WhatsApp group chat and focus on physical safety (i.e. relocating to a bunker and throwing away your phone). If you’re a journalist in a decently safe country, your usage case must involve computers in some way. No getting around that. Therefore, Qubes OS and GrapheneOS are reasonably secure enough for 99% of people.
I’m a little disappointed: when we finally get something that isn’t just the same old boring browser vs browser, OS vs OS, it’s pretty much a dead thread.
I was hoping to see some theory crafting on low/med/high threat modeling.
This is a good point.
To go back to @alex7865’s point, cellphones are just SigInt, one of the many branches of intelligence gathering that state-level actors can use to find you. There is still good ol’ HumInt, the same way Osama was found. He was pretty much living like a hermit in a fortress with very limited access to gadgets and pretty much good OpSec.
If you are targeted by state-level actors, it’s pretty much game over for you unless you have the equivalent state-level resources to protect yourself.
No amount of hiding can get you away from a determined state level actor. Being constantly on the move is even worse because you will eventually come in contact with people.