Threat Model help/suggestions

Mortality6480

Hello, long time lurker. I finally gathered the courage to post. I'm part of a marginalized group that most of society would rather see dead or silenced.

But here I am. In my final moments, I've developed an intense interest in all things related to digital security and privacy in this Orwellian world. I've tried to live as minimalist of a life as I can, and that also goes in regards to technology but I still have parts of the digital world I cannot live without, I.e., banking and such. I'm grateful for this project and its aim for an OS that truly focuses on security and privacy. I can't think of any other mobile OS that comes close. Except for maybe Apple in regards to security but they miss the mark in my opinion in regards to consumer privacy. All of this to say that I'm interested in learning better Opsec in my day to day life, and I would be grateful for any human who can provide tips or suggestions in regards to better Opsec in a digital world. I just want to be free. And to truly have digital sovereignty and autonomy over my life. Thanks in advance for any suggestions or tips. If it helps any, I would consider my threat model to be very high. I would also like to say that I wish to contribute to this project in the future when I have the monetary means to do so. I will end it by saying, spread love. Not hate.

W1zardK1ng

Mortality6480 Owner profile with open source apps installed from Accrescent or obtainium after verifying the source and a private space with gplay services with a throwaway account for apps depending on play servies, apps installed from playstore should be good enough with a vpn on both profiles.

To avoid cell tower tracking use a voip service such as jmp.chat with their own data only sim.
anything more than that is for someone being actively targeted by government.

Finally its all about the apps and services you use which decides you are private or secure.

Mortality6480 I would consider my threat model to be very high.

Could you explain more on this so someone can give you better suggestions.

mr_r0bot

Mortality6480

Greetings,

I've been working with marginalized groups in my local region to try to help them with their digital privacy and digital security. I think your subject is the right place to start. I've been coaching everyone to start by assessing their threat model and going forward from there. Working through the most likely risks you'd encounter and trying to go from easiest to counter down. It means knocking out the biggest risks with the least effort, and not wasting time and frustration where it might not be as important.

Novalissoide

Mortality6480

This may be a reading startkit, together with some of the above answers:
https://discuss.grapheneos.org/d/28682-maximum-security-and-anonymity/4

Mortality6480

Should of also mentioned I'm more interested in good Opsec for my pixel device. As it is my primary device. I don't use social media either. I do have an oldish mastodon account but I have never posted anything on there.

Mortality6480

Thank you for your reply. I use Acrescent and the Aurora store to download my applications. I primarily use open source apps. I'm trying to stay away from any big tech applications/software like Google. My next step in regards to privacy would probably be finding a good VoIP service. Do you know anything about cape? I have heard that they are privacy oriented.

I would consider my threat model to be high since I belong to a marginalized group. I would prefer not to divulge much more than that. I just don't feel comfortable giving out more information.

W1zardK1ng

Mortality6480 Do you know anything about cape?

Cape is a very good service, but they charge $99 per month, if you are willing to pay the amount you can go with it. Cape is targeting business individuals who are ready to pay a high premium for better privacy and security.

In the other hand for a cheaper price you may get a jmp.chat voip number or port your number to them and get a data only sim from them with no identity (Or you can get 3 months prepaid sim like mint and use only for data), they support Monero or you can mail them cash.
You can add additional numbers for $2.45 and could be handy in your case to close the old number and get new numbers once you feel your old number got exposed.

Freedomain

If you search this forum for "rate my setup" (infosec nerd) there is a very good platform for using the OS to its maximum potential.

EverettHitch

My two cents is: if you don't have have to you use an app, don't. If you don't have to web browse for it, don't. Give them as little as you can and stay off grid for as long as you can. Other than that you're screwed. Welcome to the new times.

EverettHitch

mr_r0bot what bloody answer is this? We all have an acute threat model, getting worse by the day. The more you restrict your online activities the better for you. Are you AI?

mr_r0bot

EverettHitch

We don't all have an identical threat model.
Who are the most likely to target you or your community in particular?
What are the tools they are most likely to use?
What mitigations can be used against those tools in particular?

These are important questions to answer. For some of us the answer is do all the hard things because everything needs done. But for some people that is too much to ask. And for some they need somewhere to start, so the question is, where are the big impacts to there highest threats. What will reduce risk fastest while not preventing them from being able to function in their community. If your answer is "well you need to do all the things about everything immediately" then you haven't done the threat modeling or risk ranking correctly.

Novalissoide

EverettHitch We all have an acute threat model

Yes, and we all chose the best basics installing this OS. The rest gets individually differing since people vary.

EverettHitch

Novalissoide just because people are not the same it does not mean that all they do is optimal for their wellbeing.

Novalissoide

EverettHitch does not mean that all they do is optimal for their wellbeing.

Of course not, hence this user asked us for advice. We shouldn't ruin the newcoming users thread in this way, I'm not even sure about what you're arguing about.

EverettHitch

Novalissoide I am not arguing, you replied to my post. Hold your horses now. All I know is this forum is not up to scratch, GrapheneOS (although not perfect) is.

Novalissoide

EverettHitch not arguing

Good, then I'm not either. 🙃

mr_r0bot

"#p210772" @Mortality6480 #25273 I would second what @W1zardK1ng said here. Cape has an interesting service, but is very pricey for what extra protections it layers on to existing GSM.

Something like JMP with a data only SIM is far harder to track and adds as much or more protect from most common risks associated with cell providers as something like Cape would.
JMP will sell you data only SIMs, as will Silent.Link. Neither requires any KYC.

Not related suggestions:
Something simple to verify to start. You noted staying away from Google services, if you do have the GSF installed, you should make sure the Mobile AD ID has been removed in the sandboxed google settings. The majority of tools used by US agencies for tracking rely on CAI that are actually tied to this ID.
Limit or remove location permission from GSF for the same reason.
Be extremely cautious about your own, and your inner circles social media presence. This is another major data source for these agency tools.
(examples for the above: Tangles/Webloc/LocateX)

Onlyfun

@W1zardK1ng zardK1ng"#p210772

Additionally to getting a separate number from jmp you can also keep your old number for convenience. 100% non-kyc, pay monero. Using jmp setup just for communication will cost way less than $99 per year. Achieved easily by utilising wifi where possible.

MineralWater

I would keep it simple.

Data you don't provide can't be taken or observed.

What I mean is, don't do everything on one device. You mentioned banking, do you really need this 24/7 in your pocket? Or can you use it stationary at home through a computer or tablet?

The latter would mean that your bank can't track you and when your phone gets stolen, nobody can access your bank account and history. (this is independent from GrapheneOS).

Do you travel large distance to unknown places or do you stay local in your city or village? If the latter, print out for yourself the local map on old fashioned paper and carry it with you/in your car. So you don't need to use any maps or location services to navigate.

Public transportation etc sadly often does not give out printed tickets anymore. If you want to avoid being tracked by that, buy a very simple android phone or use your old phone (after resetting it and deleting all personal data) for installing the transportation services app and only use it for that purpose and nothing else (you probably will need to connect to a public wifi or something to buy and upload your tickets, but if there's nothing else on the phone, no contacts, no pictures and so on, there's not much to find on it)

Basically, when you can do something without an app, then don't use an app for it!

Things you don't need 24/7 can probably be done stationary at home on a different device or on a device used only for that.

If you need to be accessible for phone calls 24/7, maybe buying a second simple phone (preferred a dumb phone for longer running time) just and only for receiving and making calls will be fine.

We people do too much on an universal device and wonder about privacy and security.

We should keep in mind that nobody forces us to do everything digital and on one single device.