🆕 Software Suggestion | Add OOSU10 #926
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#926
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Basic Information
Name: OOSU10
Category: https://www.privacytools.io/operating-systems/#win10
URL: https://www.oo-software.com/en/shutup10
Description
O&O ShutUp10 means you have full control over which comfort functions under Windows 10 you wish to use, and you decide when the passing on of your data goes too far. Using a very simple interface, you decide how Windows 10 should respect your privacy by deciding which unwanted functions should be deactivated.
Could you describe in your own words what is it and why it should be added?
I'm against such tools
Better make the settings (registry + GPOs) by yourself
Also using PiHole helps a lot against tracking & telemetry
IMO we should be strongly discouraging Windows 10 use in the first place rather than provide recommendations on how to manage it, which ultimately seems like a flawed concept given that Microsoft could change/add things at any time via Windows Update in the future that breaks these protections.
my translation...
IMO we should be strongly discouraging Windows
it's proprietary and so cannot be trusted to protect privacy... then again, there are be bigger problems than the OS (proprietary hardware and firmware)
@atomGit Tbh, the threat of a closed source os is more dangerous then closed source hardware.
i'm no authority on this stuff by any means, but i'm curious whether you'd say the same for smartphones (or any device with a cellular radio in it)?
the reason i ask is because it is my understanding that the base-band/radio firmware is a) proprietary (and there's only 2 companies making it primarily), b) full of security holes, c) has low-level access to various hardware (radio, sensors, mic, cam, keyboard) and d) shares RAM with the user facing OS ... and apparently this is true for essentially every semi-modern cellular device in at least the west if not the world
while apps can harvest all sorts of personal data, it appears that the base-band firmware (perhaps more correctly called an OS in its own right) can potentially harvest everything and there's little or nothing users can do about it since it operates at a lower level than the user OS
i've seen some Defcon talks and read a little about this issue, and i'm aware of some smaller open architecture/software projects trying to rectify this by at least isolating the base-band to its own physical memory
when i wrote that "there are be bigger problems than the OS", i generalized it because afaik essentially the same issue exists with PCs and proprietary firmware and hardware - we just witnessed the fallout of the Spectre thing (Intel CPUs) and before that the Trusted Platform Module circus, then there's the APIs that allow, for instance, a web page direct access to the video hardware/memory/whatever, built-in backdoors and on and on, which leads me to wonder if the OS really is more important than the proprietary boat it's riding in
thoughts?
Thing is, is that we hardly hear about things like baseband expliots in the wild, they are certainly possible, but those are very, very rare. But attacks on your os however are a lot more common.
well, there's what we hear and what we don't hear - we know how highly the NSA regards our phones, as well as that they certainly aren't going to be the ones sharing their exploits which we can obviously surmise exist
and we also know (i believe) that the baseband is less secure than the user-facing OS - if there are less in-the-wild exploits directed at the baseband, i would guess that's because the code isn't published, or the exploits aren't published, but that doesn't mean the NSA doesn't have access to the code - frankly i'd be more surprised if they didn't ("national security" and all)
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks Ralf-Philipp Weinmann University of Luxembourg
abstract..
Baseband fears were definitely the big thing, but that was before ARM processors had widespread deployment of SMMU (System Memory Management Unit) which was drafted at the turn of last decade and was specifically designed to guard against the attack you've mentioned. Provided the driver is written sanely (I've been told that Google of all people, Google open source their device drivers, and make their firmware sources available under NDA), this provides the operating system with the means to limit DMA access from a malicious device, whether that is the cellular modem, the wireless card, the SSD, your sound card, or even your GPU. Take note that this is not at all a modern thing: the Samsung Galaxy S2 has had a means to limit DMA access from a malicious modem and it was released way way back in mid-2011.
Looks like your reply made it while I was still typing mine. I looked at your paper you had posted. It is pretty old at this point and discusses baseband attacks against the iPhone 4 and HTC Dream. The HTC Dream was released to market more that a decade ago by this point and the iPhone 4 follows closely behind.
Devices have changed significantly over the past ten years.
i appreciate your comments Peter and i started to feel a little warmer at first, but when i poke around on the interwebs i find more recent things that are very worrying
this article is from 2017 and is about research by the same guy that wrote the paper referenced earlier...
Baseband Zero Day Exposes Millions of Mobile Phones to Attack | Threatpost (2017)
Baseband vulnerability could mean undetectable, unblockable attacks on mobile phones / Boing Boing (2016) - this was patched, but i think the point is that regardless of what is done to isolate baseband memory sharing, there are still vulnerabilities
0-Days Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones | Hack News (2018)
Tackling Cellular Vulnerabilities (2017)
there's a lot more scary stuff in that article
Software flaw puts mobile phones and networks at risk of complete takeover | Ars Technica (2016) - i assume this was patched, but it serves as another example of vulnerabilities even after the implementation of SMMU
...and that's the result of less than an hour of looking at what is publicly available
given that we know a little more now about the NSA and the utterly illegal and unconstitutional bullshit these jackasses pull, i think it a super-safe bet that they've developed a whole armory full of tools that no one outside the NSA knows a damn thing about and obviously they cannot be trusted in any way shape or form
i don't particularly like peddling a lot of doom here, but i'm not going to pretend it doesn't exist either (not saying you or anyone else here is)
I use this tool on my Windows VM just to shutdown/disable unnecessary features to speed up the system. As for privacy well the software itself says it needs to be run after each update or boot as Windows will revert things. So far when you boot Windows re-enables automatic updates. That being the case and the fact both are closed source it's not really a proper solution for privacy.
I want this reevaluated, along with https://github.com/privacytools/privacytools.io/issues/1624 as a part of the updated Windows 10 page.
The I'm not a fan of using windows firewalls to disable telemetry (what W10Privacy does, https://github.com/privacytools/privacytools.io/issues/938) based features when there are ways within windows to do this that involve disabling the components directly.
I have not tested this tool myself, but am told that it can disable telemetry in ways similar to: https://docs.microsoft.com/en-us/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services
We have given exemptions in some cases to things being proprietary when no other alternative exists. Pragmatically I'm not really bothered by this tool being licensed under a proprietary license, when Windows itself is anyway.
Additionally since Windows 10 build 2004 Cortana can actually be removed ie
Get-AppxPackage -allusers Microsoft.549981C3F5F10 | Remove-AppxPackage
On the argument of "not using windows" this might be all well and good, but we should still maintain a up to date page with best practices for maintaining privacy on the Windows platform regardless. With some usecases it is unavoidable.