That information is easily linked to a phone number or to personal data with first and last names, not to anonymizing identification numbers. The phone knows who its owner is. The SIM card and dozens of apps linked to e-mail or social media accounts easily reveal the origin of the data.
Governments and industry have known about this web for years. US federal agencies order their mobile phones with operating systems free of this preinstalled software and adapted to their needs. And citizens? They can fend for themselves. Their data is not as secret as a ministry's.
"Exercising regulatory control over all possible versions of Android on the market is almost unmanageable. It would require a very extensive and costly analysis," explains Vallina. That chaos out there allows sophisticated mass-surveillance machines to live in our pockets.
https://elpais.com/tecnologia/2019/03/17/actualidad/1552777491_649804.html
#privacidad #telefonos
📡@cRyPtHoN_INFOSEC_ES
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
EL PAÍS
How Android phones watch you without your knowing
A study of more than 1,700 devices from 214 manufacturers, led by two Spanish academics, uncovers the sophisticated tracking methods of the preinstalled software in this ecosystem
🇬🇧 Ad Tech Surveillance on the Public Sector Web
EU citizens being tracked on sensitive government sites
Even on government sites one is not safe from tracking by the advertising industry. According to a report by the Danish company Cookiebot with European Digital Rights (EDRi), 89 percent of all government sites in EU member states use cookies and other advertising trackers. Governments thus help the advertising industry to collect sensitive data about their citizens. According to the report, the website of the authorities with the most tracking cookies in Europe is a website of the Hamburg city government on parental leave and maternity protection.
https://www.ft.com/content/6dbacf74-471b-11e9-b168-96a37d002cd3
https://www.cookiebot.com/media/1121/cookiebot-report-2019-medium-size.pdf
#survilance #EU #citizens #government #why
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🎧 The CyberWire Daily Podcast (March 18, 2019)
Online content and terrorism. Huawei’s shifting strategy. Venezuela’s blackouts
In today’s podcast we hear about content moderation in the aftermath of the New Zealand mosque shootings.
A shift in Huawei’s strategy in the face of Five Eyes--and especially US--sanctions: the US doesn’t like us because we’re a threat to their ability to conduct untrammeled surveillance.
Corruption, neglect, and replacement of experts by politically reliable operators seem to have caused Venezuela’s blackouts. Gnosticplayers are back, with more commodity data.
And AI has no monopoly on evil--natural intelligence has that market cornered.
Joe Carrigan from JHU ISI on the recently announced DARPA-funded effort to develop an open-source voting system.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-03-18.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🎧 🇬🇧 EU Confidential
POLITICO EU Confidential - Sort of sorry — Twitter strategy — Measuring equality
EU WTF?!
It has now been clarified who was responsible on behalf of the EU Commission for a later withdrawn article on the protests against Article 13, in which the EU Commission described the critics as a "mob". It is Commission staff member Joe Lynam, who previously worked as a journalist for the BBC and whose Twitter description states that he is now fighting disinformation. No kidding! Hallelujah.
📻 #EU #Confidential #podcast
https://www.politico.eu/newsletter/eu-confidential/politico-eu-confidential-presented-by-naftogaz-of-ukraine-sort-of-sorry-twitter-strategy-measuring-equality/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🎧 Cloak of Invisibility
On the Internet no one knows you’re a dog, as the old joke goes. But does anonymity truly exist on the web anymore? And when it’s taken from us, what else do we lose? So Sad Today talks about the value of anonymity for women and self-care. Jonathan Hirshon shares his personal battle to keep his face off Facebook. New Yorker cartoonists Peter Steiner and Kaamran Hafeez discuss the evolution of memes and digital anonymity, in dog years. And Alison Macrina and Morgan Taylor reveal what’s underneath the surface of the searchable web.
📻 #IRL - Online Life Is Real Life - Cloak of Invisibility #podcast
https://irlpodcast.org/season2/episode4/
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📺 🇬🇧 The Dirty TRUTH About Amazon's Empire
If you needed more proof Amazon is trying to take over the world, then their acquisition of the popular supermarket chain Whole Foods is a good sign.
It's also a sign that Amazon CEO Jeff Bezos will extend his one-click tentacles into even more parts of our lives, a gut punch to your conscience when you realize that Amazon doesn't exactly have a great track record when it comes to valuing its employees. Remember that your ability to get your favorite face wash shipped to your house in 24 hours as you sit in your underwear comes at the price of an underpaid, overworked employee competing for a private space in a huge warehouse to cry during the workday.
📺 The #dirty #truth About #Amazon #Empire #why #video #podcast
https://www.youtube.com/watch?v=h2fxTISrJnU
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🇪🇸 Analog courts vs. digital criminals.
In 2017 Spain suffered 122,000 cyberattacks; in 2014 there were only 18,000.
The opportunities that new technologies offer in the hands of criminals have become a major challenge for the courts, which cannot compete with the speed and the means available to an increasingly sophisticated and globalized cybercrime. The reality of the courts, where paper case files still pile up, and legislation designed for the analog era undermine the effectiveness of the fight against new forms of crime. “Criminals are in the 21st century and the justice system is in the 19th,” says Juan Gonzalo Ospina, criminal lawyer and partner at Ospina Abogados. It is an opinion shared by those who, day after day, see how the slow processing of judicial proceedings favors the destruction of evidence and facilitates impunity.
Criminal activity on the internet is broad and constantly reinventing itself. Identities are impersonated, computer systems are broken into, and money is laundered. Other very fashionable misdeeds are online scams, botnets and keyloggers, hacking, cracking, phishing, credit card fraud and espionage. To this must be added the phenomenon of encryption, cloud computing and artificial intelligence. Is the judicial system prepared to combat all of this?
The problem is not a minor one, because these cases are increasingly numerous in our country's courts. All the more so when one of the main objectives of our justice system is to compensate for that damage, and it is often practically impossible.
According to Moisés Barrio, counsel at the Council of State and author of the book Delitos 2.0, the economic impact of internet-related offences was 0.8% of world GDP. In Spain, he explains, we have gone from some 18,000 cyberattacks in 2014 to more than 122,000 in 2017, 95% of which affected companies and citizens. The expert therefore stresses the importance of their consequences and of curbing them. “The economic impact of cybercrime exceeds that of drug trafficking,” he asserts.
For his part, Ospina focuses on the Ley de Enjuiciamiento Criminal (Criminal Procedure Act), which dates from 1882, since it produces dysfunctions for victims and strengthens the offender's impunity. In his view, reforms such as that of 2015 to strengthen the investigation of these offences “are worth nothing because the mechanisms to safeguard citizens from crime arrive late”. The reason? “An archaic reporting mechanism,” the lawyer explains.
When a person realizes that their identity has been impersonated through a social network, or that they have been scammed, they go to their lawyer, who has to file a complaint through the Oficina de Atención al Ciudadano (OAC, Citizen Service Office) at any police station. Once processed, it is sent to the court, but three or four months can pass before a judge issues an order to block intimate images or shut down web pages. “For the victim it is sad, disappointing and frustrating that a fundamental right is violated so flagrantly because of such an old law that nobody improves,” Ospina criticizes. He even acknowledges that it is often easier to get a more effective response from the social media companies themselves than from the Spanish justice system.
The lawyer proposes making it easier for the attorney to report the case directly to a specialized judicial police unit in order to avoid impunity for the crime. “By the time the case reaches the judge, the money from the internet scam is already in Hong Kong, Panama or Switzerland,” he says. Thus, the slowness of the proceedings causes our country to be perceived as an ideal place to commit crime and degrades the image of our justice system: “Thanks to the crime-investigation mechanisms, everything is paid for.”
Technological evidence
For lawyers, getting, for example, a WhatsApp screenshot accepted as evidence when their client's identity has been impersonated, and proving it, is often an odyssey. To do so, the lawyer has to request it from a computer crimes squad of the judicial police, and the judge has to approve it: “In 90% of cases they do not grant it, so we submit WhatsApp images or party-commissioned reports that can later be challenged at the oral trial as false or unsuitable, and the criminals go unpunished.” “There are innocent people in prison because of the limitations on evidence,” he says.
Another option is to bring a computer forensic expert into the proceedings: an expert in computer engineering who knows what they are talking about and whose judgment judges trust a great deal. “When such a technical report is submitted, the judges do not question it,” says Cristina Carrascosa, of counsel at Pinsent Masons.
However, taking this route makes the proceedings much more expensive, but it is an alternative that lawyers are being forced to resort to if they want to guarantee their client a quality prosecution or defense, given how difficult it is for digital evidence to be accepted through the ordinary route. “It is justice for the rich, because hiring a computer forensic expert costs from 500 to 3,000 euros, plus the lawyer's fees,” Ospina warns. At the same time, he complains that, in practice, “justice is not equal for everyone, since it depends on the lawyer who defends you and on the financial resources you have to defend yourself”.
Training of judges
For her part, Carrascosa questions whether judges' training is kept up to date enough to understand the digital reality. “It is possible that the judiciary is not keeping up to date at the level it should, given that they are judges. For example, if the tax rules are changed every year, they do know them; but if you come with a problem of a computer virus in a smart contract, they have no idea what you are talking about,” she asserts.
For the lawyer, the main challenge of the contrast between traditional justice and digital crime is ensuring that whoever has committed a crime pays for it. “It seems extremely complicated to me to end up suing the person who infects your computer with a virus, because they ask you for the reward in cryptocurrencies that cannot be traced, and perhaps it is a group of young people in Russia,” she explains. On this point, she detects in Spain a kind of “procedural laziness” about going all the way: “In the US this does not happen. As soon as the defendant sets foot in the country, he is arrested.”
For his part, Moisés Barrio, an expert in digital law, opens the door to creating a specific jurisdictional order to fight cybercrime in the virtual space. In the meantime, he proposes the immediate adoption of precautionary measures “to prevent the effects of the crime on the citizen from persisting”. Finally, he recalls that the differentiating factor we should aim for is “having more human and material resources, for the judicial police and in the public prosecutor's office”, in order to confront cybercrime.
https://cincodias.elpais.com/cincodias/2019/03/15/legal/1552651361_922938.html
#ciberataques
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Cinco Días
Analog courts vs. digital criminals
🇬🇧 Attacking the internal network from the public Internet using a browser as a proxy
JavaScript loaded from a malicious site can connect to services running on the user’s local computer (localhost) or on other internal hosts in many circumstances.
Malicious actors are aware of these attacks, but defenders need to be informed as well. In addition to describing the technical details of the attacks, we will discuss means of detecting and protecting against them.
🖨 https://www.forcepoint.com/sites/default/files/resources/files/report-attacking-internal-network-en_0.pdf
#pdf #report #attack #internal #network #browser #java #noscript
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🎧 🇬🇧 The CyberWire Daily Podcast - March 19, 2019
In today’s podcast, we hear that an aluminum manufacturing giant in Norway has suffered a major ransomware attack.
A new version of the Mirai botnet malware is targeting enterprise systems.
The US Homeland Security Secretary says the private sector and the government in the United States need to work together against cyber threats.
Europol has a new cyber incident response strategy.
And cybersecurity executives say some vendors’ marketing tactics are having a detrimental effect on the security industry. Johannes Ullrich from SANS and the ISC Stormcast Podcast on hardware security issues at the perimeter.
Guest is Nathan Burke from Axonius, winners of the 2019 RSAC Innovation Sandbox competition.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-03-19.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🇪🇸 Android users in Europe will be able to choose their default browser and search engine.
Google has announced on its blog that it will allow Android users in Europe to choose their default browser and search engine.
This announcement comes after the company was fined 5 billion dollars last year by the European Commission over its practice of preinstalling Google apps on third-party phones.
“This involves asking users of new and existing Android devices in Europe which browser and search app they would like to use,” the company explained.
It is not clear whether this will apply only during the initial setup process or whether all current smartphones will receive an update that forces the question to be put to users.
A few months ago Google also announced new licensing models for its apps on third-party smartphones, including three separate agreements for Chrome, Play Store and Search. This means that manufacturers can include Play Store without being obliged to include Chrome and Search.
https://www.teknofilo.com/los-usuarios-de-android-en-europa-podran-elegir-su-navegador-y-buscador-por-defecto/
#android #navegadores #buscadores
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Teknófilo
European Android users will be able to choose their browser and search engine
LineageOS - Take back control! Part2
1. Release from the embrace
With the article series "Take back control!" you as a user should regain control over your Android device and your data step by step. A first step towards independence is replacing the manufacturer's own Android system. This not only gets rid of the manufacturer's bloatware, such as pre-installed apps and services, but also frees us from Google's close embrace.
We manage this liberation with the free Android operating system LineageOS, a modification of Google's Android and the direct successor of the successful CyanogenMod. With such a custom ROM, or alternative system, we disconnect ourselves from the manufacturer's own Android systems. Using LineageOS should bring us one step closer to our goal of regaining data sovereignty on Android.
2. Foreword: Should I or should I not?
The regaining of data sovereignty in the Android universe is not a goal that can be achieved on a free weekend. So before you think about putting the series of articles into practice or installing LineageOS, you should be fairly aware of the possible side effects:
Loss of warranty of the device
Unsolvable technical difficulties
Bricking the device
Certain apps may not run under certain circumstances
Reduced camera quality
Limitation of functionality
Loss of any data
[…]
The road to more self-determination is rocky and full of unpredictable stumbling blocks. So before you embark on the Take back control! adventure, ask yourself if you have the skills you need:
Endurance and/or patience and sufficient time
Willingness to say goodbye to one's own convenience
Basic technical understanding or willingness to read it
Do not regard setbacks as defeat
The willingness (always) to want to learn
If you have doubts about one or more of these points, you had better refrain from going ahead: it is not a walk in the park. With the article series I can of course take you by the hand and show you the direction, but you have to walk the path alone.
(Ask for help @ https://news.1rj.ru/str/joinchat/FyFlS0X2D7f6YNvdxhEsfw)
3. LineageOS
Officially, Android smartphones are delivered with a so-called stock ROM, which is pre-installed at the factory and usually contains various modifications and extensions by the device manufacturer. Many manufacturers neglect most Android devices and their stock ROMs, especially with regard to security updates, and at some point abandon them completely. This inevitably creates a "vacuum" in the Android world that leaves many or most devices exposed to critical security vulnerabilities. Such vulnerabilities enable attackers to gain control of the device, spy on the user or siphon off data unnoticed. The discovery of a single critical vulnerability would be enough to make millions of devices vulnerable in one fell swoop. Such serious vulnerabilities are not rare, but occur at regular intervals. In 2018 alone, 611 vulnerabilities were identified in Android - in 2017 even 842.
But in the Android world there is a way out of this security and data protection dilemma: so-called custom ROMs. These ROMs are usually provided by private developers, not driven by commercially motivated interests, for a wide variety of (old) devices.
The most prominent custom ROM is LineageOS, the direct successor of the well-known CyanogenMod, which was discontinued at the end of 2016. The big advantage of custom ROMs and LineageOS in particular is the timely provision of security updates for many older devices and thus also for devices that have long since ceased to be supplied with updates by the manufacturers. A custom ROM such as LineageOS therefore offers the possibility of providing aging devices with current security updates and new Android versions.
3.1 Why LineageOS?
With nearly 2 million installations worldwide, LineageOS is the most widely used custom ROM. However, you should not be "blinded" by the list of officially supported devices - only some of the 250 devices listed there are actively maintained. To find out if your device is not only supported by LineageOS, but also actively maintained by a maintainer, you can click on the device. If you encounter the following warning in a red box:
"The <Device> is no longer maintained. A build guide is available for developers that would like to make private builds, or even restart official support."
the installation is not recommended. Alternatively you can have a look at the XDA forum to see if developers there provide actively maintained custom ROMs for your device - personally I would only want to use LineageOS.
What ultimately decided the choice of LineageOS was, and still is, its availability for a reasonably wide range of about 60 Android devices. This is the only way to reach as many users as possible who want to regain "data control" on their device.
3.2 Device selection
I would like to demonstrate the unlock process and the installation of LineageOS using the BQ Aquaris X Pro. For the following reasons I decided to use the device:
It is officially supported by LineageOS (Aquaris X Pro) - and in my opinion it will stay that way for quite some time, because the LineageOS supporters for the BQ devices are reliable and active.
At 5.2 inches, the device is rather compact by today's standards.
The price is about 230 €. If you are willing to buy used, you can find the device for under 200 €.
The manufacturer BQ does not put any obstacles in the user's way when unlocking the boot loader.
The hardware dates from mid-2017 and, with 3 or 4 GB RAM, has enough reserves for future Android versions.
The hardware components can be replaced comparatively "easily".
Of course you can follow the article series even if you don't have a BQ Aquaris X Pro. However, I will demonstrate the unlock process explicitly on this model - and it differs from manufacturer to manufacturer. The LineageOS project provides a manual for each officially supported device, which covers all steps up to the installation of LineageOS.
When purchasing a new device, unfortunately nobody can tell you how long it will be maintained by the LineageOS maintainers. Of course you want a device to receive (security) updates for as long as possible - but nobody can give you a guarantee. In this context, here is a tip: follow the list of "Most active devices" and buy a device from the top 10. However, this is no more than an indication, as some of the devices listed there are only available second-hand. Furthermore, it is not guaranteed that the top 10 will continue to be maintained.
All in all, the choice of device is a difficult topic - if you have any tips on this, please feel free to place them in the comments section.
(https://news.1rj.ru/str/joinchat/FyFlS0X2D7f6YNvdxhEsfw #TakeBackControll)
4. Guarantee and warranty
Almost all device manufacturers explicitly warn against unlocking the boot loader. You should always follow these device- or manufacturer-specific instructions. For example, the manufacturers point out that the unlocking process completely deletes all data - which is correct and should be observed.
Many manufacturers additionally garnish their warning notices with formulations such as:
"When you "unlock" your device, you automatically lose the warranty"
Some manufacturers go even further and write that when you unlock the device, you also lose the warranty. Naturally, the user is initially unsettled by this and distances himself from unlocking the device.
Unfortunately, I can't give you any information about how manufacturers / dealers react when they receive a device that is still under warranty but has a custom ROM installed. Depending on the manufacturer / dealer, the procedure is probably quite different. The following applies in this context:
"If you install a custom ROM, you lose (depending on the manufacturer and manufacturer's declaration) your rights to the manufacturer's voluntary guarantees. However, this must be strictly separated from the warranty, which you simply don't lose. Because basically unlocking the bootloader has no effect on the hardware for which the warranty primarily applies."
One hint in this regard, however: there are reportedly devices (Samsung Knox) on which the unlock process burns through a few diodes / contacts of the device. In such a case it is very much open to argument whether the user does lose the warranty after all, because a (verifiable) hardware change of some kind has then occurred.
How courts would judge these cases is not known to me. So far, the topic or the "practice of some manufacturers" has not been discussed in court.
5. Unlock bootloader | Custom recovery system
Before the installation of LineageOS is even possible, the boot loader must be unlocked, a firmware update performed and a custom recovery system installed. All steps are explained below. The starting point is a freshly unpacked BQ Aquaris X Pro.
5.1 Preparatory work (fastboot)
First you should check if fastboot is already installed on your computer. Fastboot allows you to write images directly to the partitions of a device's internal memory - we will switch to fastboot mode later. A quick guide to installing fastboot for Windows and Linux:
Windows: In the XDA forum a minimal version (2 MB) with adb and fastboot is offered for Windows. Additionally you need the device-specific drivers (scroll down to "Drivers USB") for the BQ Aquaris X Pro.
Linux: For almost every known Linux distribution, ready-made packages for the tools adb and fastboot are available. On Debian GNU/Linux, for example, the following command is sufficient to install the corresponding package including tools:
sudo apt-get install android-tools-fastboot
Detailed instructions for Windows, macOS and Linux can be found in the LineageOS Wiki: https://wiki.lineageos.org/adb_fastboot_guide.html
As soon as fastboot is ready for operation, we can put the BQ Aquaris X Pro into operation for the first time. After switching on for the first time, the device must first be set up via an assistant. We proceed as follows:
Set language to your language
We do not insert the SIM card for the time being, but skip the process
We select Set up as new device
No network
The further queries are not relevant, there you can choose as you like
After completion, the system starts for the first time in the user interface.
5.2 Unlock the Bootloader
The bootloader is special software that is directly integrated into the firmware of the Android device. After switching on, the bootloader takes control of the Android system's boot process - comparable to a BIOS on a PC. Many manufacturers implement software and hardware restrictions (so-called locks) to protect the bootloader from manipulation or changes.
Since it is not possible to perform system-relevant modifications with a locked boot loader, the boot loader must first be unlocked. Only with an unlocked bootloader are we able to install a custom recovery system, which can then be used to install an alternative operating system such as LineageOS.
In order to unlock the bootloader of the BQ Aquaris X Pro, the developer options must first be enabled. Open "Settings", then select "About phone" and tap the build number several times in a row. Afterwards, a message box will appear confirming that the developer options have been unlocked:
"You're a developer now!"
If you prefer an illustrated manual for this process, you will find it here. (https://www.heise.de/tipps-tricks/Android-Entwickleroptionen-aktivieren-deaktivieren-4041510.html)
Then the new entry "Developer options" appears in the settings under "System". Open it and activate the OEM Unlock slider - confirm the warning with OK. Then switch off the device completely.
Now hold down the volume button "Quieter" (volume down) and the on/off button simultaneously until a screen with a white background appears. You are now in fastboot mode, where some information about the bootloader version etc. is displayed. Now connect your device to the computer via a USB cable and check if the device can be accessed via fastboot:
fastboot devices
After successful feedback (e.g. BL087003 fastboot) you can unlock the bootloader with fastboot:
fastboot flashing unlock
A warning will appear on the display - all (user) data on the device will be deleted during the process. Use the volume buttons to navigate to Yes and then press the On/Off button to confirm. As soon as the process is completed, you boot into the fast boot mode again and issue another command:
fastboot flashing unlock_critical
With the second command we allow the flashing / writing of critical partitions (modem, OEM, bootloader etc.). You also have to confirm this warning again with a Yes and finish the process.
Your bootloader should now be unlocked. Restart the fast boot mode (press volume key "Quieter" and on/off key simultaneously) and issue the following command:
fastboot oem device-info
As output you should then receive:
(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: true
(bootloader) Display panel:
OKAY [ 0.058s]
finished. total time: 0.058s
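An added example (not from the original article): a small shell check that parses the "fastboot oem device-info" output shown above and reports the device ready only when both unlock flags are true. The function names and the two shorter sample outputs are assumptions constructed for illustration; on a real device the text would come from "fastboot oem device-info 2>&1", because fastboot prints these lines on stderr.

```shell
#!/bin/sh
# Added example, not part of the original article.

# Constructed sample 1: the output printed in the article (both unlock steps done).
SAMPLE_BOTH='(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: true
(bootloader) Charger screen enabled: true
(bootloader) Display panel:
OKAY [ 0.058s]
finished. total time: 0.058s'

# Constructed sample 2: assumed state after "fastboot flashing unlock" only.
SAMPLE_FIRST_ONLY='(bootloader) Device tampered: false
(bootloader) Device unlocked: true
(bootloader) Device critical unlocked: false'

# Constructed sample 3: assumed state of a factory-fresh, locked device.
SAMPLE_LOCKED='(bootloader) Device tampered: false
(bootloader) Device unlocked: false
(bootloader) Device critical unlocked: false'

# device_info_field TEXT KEY
# Prints the value of the line "(bootloader) KEY: value"; prints nothing if absent.
# The match is anchored at the start of the line, so "Device unlocked" cannot
# accidentally match "Device critical unlocked".
device_info_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        {
            sub(/\r$/, "")                      # tolerate CRLF line endings
            prefix = "(bootloader) " key ":"
            if (index($0, prefix) == 1) {
                val = substr($0, length(prefix) + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }'
}

# unlock_state TEXT -> prints locked | unlocked | critical-unlocked | unknown
unlock_state() {
    unlocked=$(device_info_field "$1" "Device unlocked")
    critical=$(device_info_field "$1" "Device critical unlocked")
    case "$unlocked/$critical" in
        true/true)  echo critical-unlocked ;;
        true/false) echo unlocked ;;           # second unlock command still missing
        false/*)    echo locked ;;
        *)          echo unknown ;;            # unexpected or empty output
    esac
}

# ready_to_flash TEXT -> exit status 0 only if both unlock flags are true
ready_to_flash() {
    [ "$(unlock_state "$1")" = "critical-unlocked" ]
}

# Demo on the constructed samples. With a device attached one would instead run:
#   ready_to_flash "$(fastboot oem device-info 2>&1)" || echo "not ready"
for sample in "$SAMPLE_BOTH" "$SAMPLE_FIRST_ONLY" "$SAMPLE_LOCKED"; do
    printf 'state: %s\n' "$(unlock_state "$sample")"
done
```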
5.3 Firmware Update
In order for LineageOS (15.x / Android Oreo) to run properly on the BQ Aquaris X Pro, we must first update the firmware version (at least 2.x). If you paid attention earlier, you could read the firmware version in fast boot mode. The version Build Number: 1.6.0_20180130-1827 was pre-installed on my device.
First we download the latest firmware for the BQ Aquaris X Pro directly from the BQ website. For this article I installed version 2.5.1 (Android 8.1.0 Oreo). After the download you should check the MD5 hash sum and make sure that the firmware file has not been damaged or modified:
md5sum /Downloads/Image.zip
The output should then match the information on the website:
MD5: 13c8e419eb539f5678dad162e2db1cfa
Afterwards you have to unzip the zip file and set your device to fastboot mode again. Change to the unzipped folder and execute the corresponding script for your operating system:
Windows:
Right click on the file "8953_fastboot_all_images.bat" and select Run as administrator. Then a command line will open and the flash process will be started. If you already have administration rights, you should omit "Run as administrator".
Linux:
On the console you can simply execute the following script to start the flash process:
./8953_fastboot_all_images.sh
The process only takes a short time, and all data on the device will be deleted again. To verify the result, you can switch back to fastboot mode and check the firmware version.
5.4 Team Win Recovery Project (TWRP)
For the installation of an alternative operating system we need a custom recovery system. We use the Team Win Recovery Project (TWRP). Since the bootloader is already unlocked, we can write TWRP to the existing recovery partition. Afterwards TWRP is available parallel to the fast boot mode and allows the installation of LineageOS or other custom ROMs.
First we download the latest TWRP version for the BQ Aquaris X Pro (twrp-3.2.3-0-bardock_pro.img) and set our device to fastboot mode again. The custom recovery system will then be flashed:
fastboot flash recovery twrp-3.2.3-0-bardock_pro.img
The process is quickly completed and is confirmed with an "OKAY" after successful completion:
sending 'recovery' (35104 KB)...
OKAY [ 0.973s]
writing 'recovery'...
OKAY [ 0.180s]
finished. total time: 1.153s
6. Installation of LineageOS
Bootloader unlocked: Check
Firmware updated: Check
Custom Recovery System installed: Check
Now all requirements for the installation of LineageOS are fulfilled. As the saying goes: "Many roads lead to Rome". The same applies to the installation of LineageOS. In the following I follow the description in the LineageOS Wiki: https://wiki.lineageos.org/devices/bardockpro/install
6.1 Step by Step to the Custom ROM
The steps below may vary depending on the version of TWRP and Co. used. For the installation I used the LineageOS image "lineage-15.1-20190309-nightly-bardockpro-signed.zip" from 09.03.2019. It is the LineageOS version 15.1 or Android Oreo. We do not install the optionally available Google Apps - after all, we want to regain control over our data:
Download LineageOS:
First download the latest LineageOS build for the BQ Aquaris X Pro. It's a zip file and you should check its integrity with the SHA256 hash sum on the website:
sha256sum /Downloads/LineageOS-Build.zip
Recovery:
Afterwards you boot into the custom recovery mode, i.e. TWRP. First turn off the device completely. Now hold down the volume key "Louder" (volume up) and the on/off key simultaneously until a white message appears - wait briefly, after 5 seconds the device will boot into TWRP.
Delete:
Our system is actually still pristine, but we will delete or format everything again anyway. Select Wipe and then Format Data. Confirm the process by typing yes. Then we open Wipe again and choose Advanced Wipe. Select the cache and system partitions and confirm with a swipe to the right.
Sideload LineageOS:
ADB Sideload copies the LineageOS image to the device and installs it. Reconnect your device to your computer via USB cable and select Advanced -> ADB Sideload in TWRP. Confirm with a swipe to the right. The device is then in sideload mode and is waiting for the transfer of an image. On your computer the transfer is started via the console / command input:
adb sideload /Downloads/lineage-15.1-20190309-nightly-bardockpro-signed.zip
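The hash checks from sections 5.3 (MD5 of the firmware) and 6.1 (SHA256 of the LineageOS build) as one added example, not code from the original article: a shell function that compares a file against the digest published on the website and stops on a mismatch or a malformed digest. The function names are assumptions, and the demo file is a constructed stand-in that contains only "abc".

```shell
#!/bin/sh
# Added example, not part of the original article.
# Note: a digest published next to the download detects a damaged transfer.
# It cannot help if the site serves a modified file with a matching digest,
# and MD5 in particular is no longer collision-resistant.

# digest_of ALGO FILE -> prints the lowercase hex digest (ALGO: md5 | sha256)
digest_of() {
    case "$1" in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *)      return 2 ;;
    esac
    [ -r "$2" ] || return 3
    # Read via stdin so odd file names cannot change the output format.
    out=$("$tool" < "$2") || return 3
    printf '%s\n' "${out%% *}" | tr 'A-F' 'a-f'
}

# verify_download ALGO FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 on a malformed request, 3 if unreadable.
verify_download() {
    case "$1" in
        md5)    want_len=32 ;;
        sha256) want_len=64 ;;
        *)      return 2 ;;
    esac
    # Normalise what was copied from the website: drop whitespace, lowercase.
    expected=$(printf '%s' "$3" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    # A truncated or mistyped digest must be rejected, never compared.
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq "$want_len" ] || return 2
    actual=$(digest_of "$1" "$2") || return 3
    [ "$actual" = "$expected" ]
}

# flash_gate ALGO FILE EXPECTED -> prints a verdict, returns verify_download's status
flash_gate() {
    rc=0
    verify_download "$1" "$2" "$3" || rc=$?
    case "$rc" in
        0) echo "OK: $2 matches the published $1 digest" ;;
        1) echo "STOP: $2 does not match - download again, do not flash" ;;
        2) echo "STOP: expected $1 digest is malformed" ;;
        *) echo "STOP: cannot read $2" ;;
    esac
    return "$rc"
}

# Constructed stand-in for a download: a file containing the three bytes "abc",
# whose MD5 and SHA-256 digests are the standard published test vectors.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
DEMO_FILE="$DEMO_DIR/Image.zip"
printf 'abc' > "$DEMO_FILE"
ABC_MD5=900150983cd24fb0d6963f7d28e17f72
ABC_SHA256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

flash_gate sha256 "$DEMO_FILE" "$ABC_SHA256"
flash_gate md5    "$DEMO_FILE" "$ABC_MD5"
# The article's firmware MD5 cannot match the stand-in file: reported as a mismatch.
flash_gate md5    "$DEMO_FILE" "13c8e419eb539f5678dad162e2db1cfa" || true
```

In practice the call would be, for example, flash_gate sha256 /Downloads/LineageOS-Build.zip followed by the digest copied from the download page, with adb sideload run only if it returns 0.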
Congratulations - that concludes the installation of LineageOS.
6.2 Keeping LineageOS up to date
Of course, switching to LineageOS is not enough. It is much more important to keep the system up to date. At the moment we don't want to install an update, because ideally you already have the latest version installed. Nevertheless I will briefly describe the process:
Start LineageOS (LOS) Updater:
Navigate to "Settings -> System -> About the phone -> LineageOS updates".
Tap on the refresh button in the upper right corner of the display.
Then download the latest update or image.
After the successful download the system will ask you if you want to boot the recovery mode (TWRP). You should say yes.
Your device will restart, call TWRP and perform the update automatically.
After that the system will restart itself and you can log in as usual.
6.3 Other system settings | Google: Root of all evil
The installation of LineageOS is now complete - we have not inserted a SIM card yet. Even if we don't install Google Apps, LineageOS is still connected to Google via certain interfaces or mechanisms (e.g. Captive Portal Check). These dependencies have to be resolved so that, in the ideal case, Google does not receive a single data packet from our device. In the further course of the article series I will go into this in detail.
7. Conclusion
The first big step towards independence and data sovereignty has been taken. The alternative Android system LineageOS is now working on your device. But beware: not all that glitters is gold here either and we have to make some improvements. For example, the phone app of LineageOS transmits the phone number / name to Google by default during a search - from a data protection perspective this is of course more than unattractive.
So that we can control the outgoing data traffic of the system and the apps, we will install the firewall AFWall+. But before we can use AFWall+, we must first obtain root rights on our device. In the next part of the article series I will highlight the differences between LineageOS SU and Magisk - both root solutions have their advantages and disadvantages. For the series Magisk will be used in the end.
(Part1: https://news.1rj.ru/str/BlackBox_Archiv/156)
#android #NoGoogle #guide #part1 #part2 #LineageOS #kuketz
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
Source and more info / read in German: https://www.kuketz-blog.de/lineageos-take-back-control-teil2/
🎧 🇬🇧 The CyberWire Daily Podcast March 20, 2019
In today’s podcast, we hear that Norsk Hydro’s recovery continues, with high marks for transparency.
Some notes on the challenges of deterrence in cyberspace from yesterday’s CYBERSEC DC conference, along with context for US skepticism about Huawei hardware.
Cookiebot says the EU is out of compliance with GDPR, its sites infested with data-scraping adtech.
Google and Facebook get, if not a haircut, at least a trim, in EU and US courts.
And some animadversions concerning digital courtship displays.
Dr. Charles Clancy from VA Tech’s Hume Center on updates to the GPS system.
Guest is Landon Lewis from Pondurance on balancing AI and human intelligence.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-03-20.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🎧 🇬🇧 The CyberWire Daily Podcast March 21, 2019
Fancy Bear and Sandworm are launching cyberespionage campaigns against European governments before the EU parliamentary elections.
The FIN7 cybercrime group is still active, and it’s using new malware.
A scammer stole more than $100 million from Google and Facebook.
Facebook stored hundreds of millions of passwords in plaintext for years.
And chatbots can learn to impersonate you based on your texts.
Ben Yelin from UMD CHHS on rumors of NSA shutting down the Section 215 program.
Guest is Jadee Hanson from Code 42 on insider threats.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-03-21.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📺 Ransomware to provide PewDiePie 100 million followers
The more recent ransomware, called PewCrypt, which has been in widespread use since January, allows AES-256-encrypted data to be decrypted. The programmer does not, however, demand an amount of money to release the key for decryption; instead, PewCrypt only decrypts the data when PewDiePie has 100 million followers on YouTube. At the same time the ransomware tries to get its victims to follow PewDiePie on YouTube.
📺 https://mobile.twitter.com/demonslay335/status/1098975600700780545
https://www.youtube.com/watch?v=KzOM31dhrbU
#PewDiePie #Ransomware #YouTube #video #podcast
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
🎧 🇬🇧 The CyberWire Daily Podcast - March 22, 2019
In today’s podcast, we hear that Finland’s data protection authority is investigating reports that Nokia 7 Plus smartphones are sending data to a Chinese telecom server.
Thousands of API tokens and cryptographic keys are exposed in public GitHub repositories.
The US government warns that certain cardiac devices can be hacked from close range.
A North Carolina county government is dealing with its third ransomware attack.
And Magecart groups go after bedding companies.
Malek Ben Salem from Accenture Labs with thoughts on securing the digital economy.
Guest is Adam Isles from the Chertoff Group on supply chain risks.
📻 The #CyberWire Daily #podcast
https://www.thecyberwire.com/podcasts/cw-podcasts-daily-2019-03-22.html
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES