
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.internet.wireless      Fun with wireless Internet access      55,960 messages   


   Message 55,614 of 55,960   
   Carlos E.R. to Marian   
   Re: Discussion: How to set up your mobil   
   02 Dec 25 13:01:00   
   
   XPost: alt.comp.os.windows-10, comp.mobile.android, misc.phone.mobile.iphone   
   From: robin_listas@es.invalid   
      
   On 2025-12-01 19:50, Marian wrote:   
   > Discussion:   
   > How to set up your mobile devices & home router for privacy/security.   
   >   
   > For those wishing to know more about this topic, most people have their   
   > router Wi-Fi AP set to broadcast the SSID, which means it's uploaded to   
   > world-wide publicly accessible databases whether they like it or not.   
   >   a. The (unique) GPS location (of the phone uploading it) is uploaded   
      
   Not a problem.   
      
   >   b. The signal strength (of the signal to the phone) is uploaded   
      
   Not a problem.   
      
   >   c. The (unique) BSSID (MAC address) is uploaded - which is essentially you   
      
   Not a problem.   
      
   >   d. The (normally non-unique) SSID is uploaded (with or without _nomap)   
      
   Not a problem.   
      
   Next.   
      
   ...   
      
      
   > Of course, you should always disable Wi-Fi Protected Setup (WPS). Duh.   
      
   Okay. Basically the same as not using it.   
      
   > And, keep your firmware updated (duh),   
      
   My ISP does it automatically if there is a new firmware, which there is not.   
      
   > & isolate the guest network (duh).   
      
   Not all routers can, or do it partially.   
      
   > Disable remote administration to your router (duh) & use HTTPS for login.   
      
   That removes the warranty. Seriously. My router is remotely managed by   
   my ISP. Not via plain ssh login, they have their own dedicated channel.   
      
      
   >   
   > You "can" restrict connections by MAC, but if you're randomizing the MAC   
   > address, it's going to be impossible (as is static IP addresses set at the   
   > router level - they now have to be set at the mobile device level instead).   
   >   
   > Also enable and check the router log (duh) for intrusions, but if you've   
   > ever done that, you'll know already you're being attacked constantly.   
      
   The very verbose log in my router does not appear to include external   
   intrusions, or hits on the firewall.   
      
      
      
   > Disable UPnP (duh), and firewall inbound traffic (duh) and enable DNS   
   > encryption (DoH/DoT), which seems easy, but I've found it to be a PITA.   
   >   A. DoH (DNS over HTTPS) wraps DNS queries inside HTTPS traffic   
   >   B. DoT (DNS over TLS) sends DNS queries over a TLS-encrypted channel   
      
      
   Pse.   
      
   >   
   > You enable iOS 14 & up DoH using Settings > Wi-Fi > DNS & you enable   
   > Android 9+ DoT with Settings > Network & Internet > Advanced > Private DNS.   
   >   
   > You enable DoH on Windows in Settings > Network & Internet > Change adapter   
   > options > DNS settings where Windows 11 is still DoH but the GUI is better.   
   >   
   > On Android devices, you can add a system-wide firewall such as NetGuard.   
   > It can block Wi-Fi/CellularData access per app. Not available on iOS.   
   >   
   > I don't have much experience with RethinkDNS, but it's a FOSS Android app   
   > that combines encrypted DNS (DoH/DoT/DNSCrypt) with a system-wide firewall.   
   >   i. RethinkDNS = firewall + encrypted DNS (DoH/DoT/DNSCrypt) + blocklists   
   >   ii. NetGuard = firewall + per-app blocking + ad/tracker blocklists   
   >   
   > You'll never have any privacy/security on iOS, which sucks at both (and   
   > anyone thinking it doesn't suck, clearly doesn't know anything about iOS).   
   >   
   > While we're at it, it's probably a good idea to put smart TVs, cameras, and   
   > IoT gadgets on a separate VLAN or guest SSID, and it goes without saying   
   > further that you should change the rude/ignorant default iOS/Android setup.   
      
   Not viable.   
      
   >   
   > If your neighbor's Wi-Fi is open, Windows can BLOCK accidental connections:   
   >   @echo off   
   >   netsh wlan show filters   
   >   echo Blocking unwanted Wi-Fi networks...   
   >   REM Replace these with the SSIDs you want to hide   
   >   netsh wlan add filter permission=block ssid="SSID1" networktype=infrastructure   
   >   netsh wlan add filter permission=block ssid="SSID2" networktype=infrastructure   
   >   netsh wlan add filter permission=block ssid="SSID3" networktype=infrastructure   
   >   echo Done! The specified SSIDs are now blocked.   
   >   netsh wlan show filters   
   >   pause   
   >   
   > What did I miss?   
      
      
   --   
   Cheers, Carlos.   
   ES🇪🇸, EU🇪🇺;   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
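
The two transports named in items A and B of the quoted post, as an added example that is not part of the original message: the same DNS query encoded as a DoH GET request target (RFC 8484) and as a DoT frame (RFC 7858). The name `www.example.com` and the `/dns-query` path are sample values, and the function names are made up for this illustration.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Minimal DNS query in RFC 1035 wire format (one question, class IN)."""
    # Flags 0x0100 = recursion desired. RFC 8484 suggests ID 0 for DoH so
    # that identical queries produce identical, cacheable requests.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes: %r" % label)
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_target(query, path="/dns-query"):
    """DoH GET form: the whole DNS message, base64url without padding,
    carried in the ?dns= parameter of an ordinary HTTPS request (port 443)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return path + "?dns=" + b64

def dot_frame(query):
    """DoT form: the DNS-over-TCP framing (two-byte big-endian length, then
    the message), written into a TLS session on the dedicated port 853."""
    if len(query) > 0xFFFF:
        raise ValueError("DNS message too large for a two-byte length")
    return struct.pack("!H", len(query)) + query

def dot_unframe(stream):
    """Split decrypted DoT bytes into complete messages plus any partial tail."""
    messages = []
    while len(stream) >= 2:
        (length,) = struct.unpack("!H", stream[:2])
        if len(stream) < 2 + length:
            break  # incomplete message: wait for more bytes
        messages.append(stream[2:2 + length])
        stream = stream[2 + length:]
    return messages, stream

if __name__ == "__main__":
    q = build_query("www.example.com")  # constructed sample query
    print("DoH:", doh_get_target(q))
    print("DoT:", dot_frame(q).hex())
```

On the wire, DoT is recognisable by its port even though the query is encrypted, while DoH looks like any other HTTPS request to the resolver's address.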



(c) 1994,  bbs@darkrealms.ca