So, you know commercial spyware? No, I’m not referring to ads or things like Pegasus. Talking about those weird providers that market to schools, employers and shitty partners.
What measures could be taken to mitigate these threats? When physical access can be assumed but the attacker isn’t skilled, just using one of said tools? How would this vary between phones and laptops, for example?
Thoughts?
No, I’m not in danger, just get curious about this subject once in a while.
As someone who deals with Windows software and mobile apps of dubious provenance at a BYOD workplace:
- Get a separate device with sufficient horsepower to handle whatever work, school, etc. throws at it. Used ThinkPads and unlocked Google Pixels are a good bet.
- Pick a small and light laptop if you also need to have your primary one on hand. Preferably, both can use the same USB-C charger.
- Use that device for work-related things and nothing else. Assume it is compromised.
- Connect to a separate access point if you need to use it at home.
If a phone or tablet (preferably with GrapheneOS) will suffice, go for it:
- Recent Android and iOS versions have much stronger sandboxing than PCs and laptops in general. Spyware can still do a lot on mobile devices, but not nearly as comprehensively as on PCs and laptops.
- i.e. Commercial spyware can easily plant rootkits and kernel-level trackers on a laptop, but this would be much harder on an up-to-date mobile device.
- For Android devices that support it, limit work and MDM apps to a secondary profile and close that profile when not actively using the phone.
- Turn off cellular, Wi-Fi, Bluetooth, and location when not actively in use.
If the offender is your partner, practice good digital hygiene, never let them touch your devices, and good luck.
If your school or employer has an MDM solution on their laptop that they issue to you, you have 0% privacy. You could use DNS over HTTPS, which will prevent your DNS queries from being picked up, but the MDM could issue their own CA and even intercept HTTPS traffic. They can also record your keystrokes and screen. It would be wise to think of the machine as compromised, just not by a threat actor.
For maximum privacy, only use the devices for the minimal work necessary. Don’t log into anything for personal use, and use a separate device you’ve purchased yourself.
Yea. We don’t have school devices, but this is basically how I would treat my Windows partition in my old dual boot (said Windows was for school).
Just don’t use devices controlled by the school or company for sensitive purposes. That’s the easiest and most effective mitigation.
School: buy a cheap used laptop and use that instead.
Abusive Partner: idk bottle of bleach or sth
I somewhat get around this by insisting that I use a KVM/Linux-based virtual machine, but I doubt that it’s very effective given that I’m still using my employer’s VPN connection and software.