cross-posted from: https://lemmy.ml/post/74540
Hello! I think it is a nice time to re-mention some 101 tips of IT security for folks here, that I also practice. Pegasus malware investigation will be big news for a good while, so the more awareness it helps spread, the better.
RULE 1
DO NOT CLICK ON RANDOM SMS AND EMAIL LINKS. Please, do not do this, ever. Just do not do it. Do not do it. Do not do it. Do not do it.
Yes, that is how many times I repeated that line. That is how important this rule is.
Also, do not download random email attachments.
Phishing is such a common tactic that one would think this problem has been solved by now, but it has not.
RULE 2
Keep OFF auto download of photos, videos, documents and so on on WhatsApp, Signal and such apps.
Drive by downloads being self executable surprise bombs is not a new thing. Basically, this rule is similar to keeping off AutoPlay for external USB sticks on Windows computers.
RULE 3
Avoid using popular software too much.
I get it, this is a hard rule to workaround considering how much we need to use WhatsApp, Signal, Telegram and so on, so it is a lot better to compartmentalise your activities among multiple messengers.
Pegasus and a lot of specialised malware uses zero-days to be able to design zero click deployment tricks, which is what these government surveillance tools are good at reserving. They use their millions of dollars of funding and R&D properly, so you have to be careful.
As an example, try to keep WhatsApp internet turned off most of the times via NetGuard, and turn it on only when needed, a good method I have earlier suggested as well in my smartphone hardening guide.
CONCLUSION
Those were some thoughts on the top of my head, before I go to sleep. Stay safe against surveillance! And feel free to ask whatever you want to!
Seeing this post again made me think, apart from my previous reply, about something else.
I think your “popularity of software” argument is great because it probably holds true, in that an investment in finding an exploit has larger returns if the exploitable software is widely used. But rather than thinking in terms of apps, we could think in terms of operating systems. What if the vector of infection is not an app and rather is an OS? This is perfectly possible and there are massive incentives to find such exploits since this is not app-dependent.
This means that merely using iOS or Android in any capacity (either through Lineage OS or perhaps even Replicant) could be enough for infection. And so far, not knowing what the vectors of infection are for Pegasus, this is perfectly possible.
Perhaps using Linux OS is a good idea, given it’s not as popular.
deleted by creator
Yes, I agree, but Android is sufficiently secure as Google has incentives (now even more with grifter Apple blocking others’ spying to allow just theirs) to make more and more users get trapped in Google’s ecosystem, plus the development is open source, due to which zero days are extremely costlier to find on Android than for iOS: https://www.wired.com/story/android-zero-day-more-than-ios-zerodium/. This also shows us closed source obscure security model failed with Apple, and even for Windows.
Also, Android is a lot easier to be able to exercise control on and lockdown, and use trusted FOSS software on.
Moreover, if you are doing mission critical work like dissent, journalism, whistleblowing and so on, phones should exclusively be used as communication tools and to click photos and so on. I have covered this in my Activist and Protestors Handbook: https://lemmy.ml/post/34220
One should definitely try and use Linux based distribution, tweaked for your own security needs, for as much work as possible in such cases.
I am having trouble with creating my Linux Hardening Guide currently, which I definitely want to try completing in its entirety like I did the Smartphone Hardening Guide. This is essential because no such guide for Linux exists that is as easy, digestible and considers a lot of things that all current guides lack. And I definitely would love to intertwine it with a new version of the Activists and Protestors Handbook.