|    alt.internet.wireless    |    Fun with wireless Internet access    |    55,960 messages    |
|    Message 55,613 of 55,960    |
|    Marian to All    |
|    Discussion: How to set up your mobile de    |
|    01 Dec 25 11:50:18    |
XPost: alt.comp.os.windows-10, comp.mobile.android, misc.phone.mobile.iphone
From: marianjones@helpfulpeople.com

Discussion:
How to set up your mobile devices & home router for privacy/security.

For those wishing to know more about this topic, most people have their
router Wi-Fi AP set to broadcast the SSID, which means it's uploaded to
world-wide publicly accessible databases whether they like it or not.
 a. The (unique) GPS location (of the phone uploading it) is uploaded
 b. The signal strength (of the signal to the phone) is uploaded
 c. The (unique) BSSID (MAC address) is uploaded - which is essentially you
 d. The (normally non-unique) SSID is uploaded (with or without _nomap)

Every mobile device owned by ignorant/rude people is uploading that privacy
to the world-wide publicly accessible databases (which have been abused).

That means my mobile devices don't ever upload your privacy.
But your mobile device almost certainly tries to upload mine.

What I do to prevent the upload is I set my SSID to not broadcast.
 a. This prevents a passive upload by rude/ignorant people.
I also opt out by adding _optout_ & _nomap to the SSID.
 b. This (supposedly) removes my privacy information from the servers
In addition, I set the mobile device to not connect automatically.
 c. This stops the mobile device from shouting out "are you there?"

In addition, due to the ubiquitous existence of WPA2 SSID-salted rainbow
hash tables (& reusable butterfly WPA2-handshake hashcat tables), I use a
(hopefully) unique SSID (since it's the WPA2 encryption salt) in addition
to a (hopefully) non-dictionary passphrase (both of which are required to
stay out of those pre-computed and re-used cryptographic hash tables).
 1. Rainbow tables: Precomputed WPA2 hash databases based on SSID
 2. Butterfly hash tables: Optimization structures used in WPA2 cracking

Furthermore, iOS mobile devices can be set to randomize the MAC per SSID,
while Android mobile devices can be set to randomize the MAC per instance.

If you own a new'ish router, you can upgrade to WPA3, which replaces WPA2's
vulnerable handshake with SAE (so it's resistant to dictionary attacks).

Of course, you should always disable Wi-Fi Protected Setup (WPS). Duh.
And, keep your firmware updated (duh), & isolate the guest network (duh).
Disable remote administration to your router (duh) & use HTTPS for login.

You "can" restrict connections by MAC, but if you're randomizing the MAC
address, it's going to be impossible (as is static IP addresses set at the
router level - they now have to be set at the mobile device level instead).

Also enable and check the router log (duh) for intrusions, but if you've
ever done that, you'll know already you're being attacked constantly.

Disable UPnP (duh), and firewall inbound traffic (duh) and enable DNS
encryption (DoH/DoT), which seems easy, but I've found it to be a PITA.
 A. DoH (DNS over HTTPS) wraps DNS queries inside HTTPS traffic
 B. DoT (DNS over TLS) sends DNS queries over a TLS-encrypted channel

You enable iOS 14 & up DoH using Settings > Wi-Fi > DNS & you enable
Android 9+ DoT with Settings > Network & Internet > Advanced > Private DNS.

You enable DoH on Windows in Settings > Network & Internet > Change adapter
options > DNS settings where Windows 11 is still DoH but the GUI is better.

On Android devices, you can add a system-wide firewall such as NetGuard.
It can block Wi-Fi/CellularData access per app. Not available on iOS.

I don't have much experience with RethinkDNS, but it's a FOSS Android app
that combines encrypted DNS (DoH/DoT/DNSCrypt) with a system-wide firewall.
 i. RethinkDNS = firewall + encrypted DNS (DoH/DoT/DNSCrypt) + blocklists
 ii. NetGuard = firewall + per-app blocking + ad/tracker blocklists

You'll never have any privacy/security on iOS, which sucks at both (and
anyone thinking it doesn't suck, clearly doesn't know anything about iOS).

While we're at it, it's probably a good idea to put smart TVs, cameras, and
IoT gadgets on a separate VLAN or guest SSID, and it goes without saying
further that you should change the rude/ignorant default iOS/Android setup.

If your neighbor's Wi-Fi is open, Windows can BLOCK accidental connections:
 @echo off
 netsh wlan show filters
 echo Blocking unwanted Wi-Fi networks...
 REM Replace these with the SSIDs you want to hide
 netsh wlan add filter permission=block ssid="SSID1" networktype=infrastructure
 netsh wlan add filter permission=block ssid="SSID2" networktype=infrastructure
 netsh wlan add filter permission=block ssid="SSID3" networktype=infrastructure
 echo Done! The specified SSIDs are now blocked.
 netsh wlan show filters
 pause

What did I miss?
--
I invest energy in responding to Usenet posts because I care about people
getting full & complete information so we move tribal knowledge forward.

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)
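
Added example, not part of the post above: the post's point that the SSID is the WPA2 salt, shown with the standard WPA2-Personal key derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output). The SSIDs, passphrases and wordlist are constructed samples, and the helper names are hypothetical.

```python
import hashlib

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096, 32 bytes)."""
    salt = ssid.encode("utf-8")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), salt, 4096, 32)

def precomputed_table(table_ssid: str, words) -> set:
    """The PMKs that can be computed ahead of time for ONE SSID and a wordlist."""
    return {wpa2_pmk(w, table_ssid) for w in words}

def covered_by_table(ssid: str, passphrase: str, table_ssid: str, words) -> bool:
    """True if a table built for table_ssid over words already holds this network's PMK."""
    return wpa2_pmk(passphrase, ssid) in precomputed_table(table_ssid, words)

# Constructed sample data (assumptions for illustration only).
WORDS = ["password", "letmein123", "sunshine2024"]
SHARED_SSID = "default-ap"        # stands in for a factory-default SSID many routers share
UNIQUE_SSID = "kq7x-home_nomap"   # stands in for a one-of-a-kind SSID

def report() -> dict:
    """Which configurations fall inside a table precomputed for SHARED_SSID."""
    cases = [
        ("shared SSID + dictionary passphrase", SHARED_SSID, "password"),
        ("unique SSID + dictionary passphrase", UNIQUE_SSID, "password"),
        ("shared SSID + non-dictionary passphrase", SHARED_SSID, "vq3!Lm0z-tR8#wy2"),
    ]
    return {label: covered_by_table(ssid, pw, SHARED_SSID, WORDS)
            for label, ssid, pw in cases}

if __name__ == "__main__":
    for label, hit in report().items():
        print(f"{label:42} in precomputed table: {hit}")
```

Only the first case is in the table. A unique SSID defeats precomputation only; a dictionary passphrase can still be guessed against that one network, which is why the post asks for both.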
(c) 1994, bbs@darkrealms.ca