A New Anonymous Phone Carrier Lets You Sign Up With Nothing but a Zip Code

Alas Poor Erinaceus@lemmy.ml · edit-2 1 day ago

A New Anonymous Phone Carrier Lets You Sign Up With Nothing but a Zip Code

gwl@lemmy.blahaj.zone · edit-2 2 hours ago

Wait, they ask for your details when setting up a phone in America?

I thought y’all lived in the land of the free!

The most I’ve ever been asked for to setup a phone is my bank details, and that’s it, so they can setup direct debit for my contract

NewNewAugustEast@lemmy.zip · 2 hours ago

ironically that is the last thing i would want to give to a phone company

gwl@lemmy.blahaj.zone · edit-2 2 hours ago

The ability to pay money for your contract?

Edit: they only ask for that if on Contract, if pay-as-you-go they ask for no details at all

NewNewAugustEast@lemmy.zip · 1 hour ago

I like the ability to pay, I just don’t want to allow them access or even knowledge of my bank account.

quick_snail@feddit.nl · 2 hours ago

He’d sometimes come across anti-surveillance hard-liners determined to avoid giving any personal information to cellular carriers, who bought SIM cards with cash and signed up for prepaid plans with false names. Some even avoided cell service altogether, using phones they connected only to Wi-Fi.

So if this is already possible, what is his new company providing that’s new?

What’s the problem he’s trying to solve?

shortwavesurfer@lemmy.zip · edit-2 3 hours ago

It appears as though cloaked wireless might be a better deal.

Phreeli offers #25/mo for unlimited talk and text with zero gigs of data per month. They give you a free 2GB at signup, but once you are done with that, you have to pay $20 for 5GB. That $25 does include government extortion and fees.

Cloped wireless also offers a $25 per month plan, but does not include extortion and fees in the price, so it would be more like $32. They give you unlimited talk and text with 500 megabytes of high-speed data and unlimited low-speed data after that.

You can pay both of them with Monero, which is why I’m definitely going to switch, but so far, I think I’m going to be going with cloaked wireless instead. Because they offer a lot of the same guarantees, but for a lower price (after data is added to phreeli)

favoredponcho@lemmy.zip · 5 hours ago

A few things. If you sign up, don’t then go use the number with things that associate it to your real identity like a bank account or credit card. Also, if you’ve already used your phone with a provider that has your real name, then it’s compromised because you could be linked by the IMEI. Get a fresh phone that you’ve never linked to your identity before. Also, don’t transfer your number to this service. Get a new number provided by them. Additionally, pay with cryptocurrency.

This is all if you want to stay truly anonymous with no traces back to you.

infinitesunrise@slrpnk.net · 4 hours ago

Nick Merrill! This guy is awesome! I met him a few times back around 2014 when I sold him a bunch of old Dell server racks, presumably for use by his organization Calyx. This was a few years after his case against the FBI ended and he was able to talk freely about it. I’d been following the case previously so it was like meeting a personal hero, even though we were just manually humping Dell pizza boxes into his van. Legit guy, really cares.

Arthur Besse@lemmy.ml · 4 hours ago

Much respect to Nick for fighting for eleven years against the gag order he received, but i’m disappointed that he is now selling this service with cryptography theater privacy features.

shortwavesurfer@lemmy.zip · 3 hours ago

I am incredibly interested in this. I was considering a switch to a provider called cloaked wireless and so I’m going to have to do some research to see what the differences are.

delta_fsociety@lemmy.ml · 8 hours ago

TLDR; Nicholas Merrill, a well known privacy activist, launched Phreeli, a phone service that lets you use mobile data and calls without giving your identity. It runs on T Mobiles network but only keeps a ZIP code and uses zero knowledge crypto so even payments are not linked to you. Merrill spent 10 years fighting the FBI over surveillance and now wants to make privacy simple and normal for everyone.

nobluebird@lemmy.org · 6 hours ago

Removed by mod

quick_snail@feddit.nl · 6 hours ago

Can someone with experience doing ZK Proofs please poke holes in this design?

Arthur Besse@lemmy.ml · edit-2 4 hours ago

Can someone with experience doing ZK Proofs please poke holes in this design?

One doesn’t need to know about zero-knowledge proofs to poke holes in this design.

Just read their whitepaper:

You can read the whole thing here but I’ll quote the important part: (emphasis mine)

Double-Blind Armadillo (aka Double Privacy Pass with Commitments) is a privacy-focused system architecture and cryptographic protocol designed around the principle that no single party should be able to link an individual’s real identity, payments, and phone records. Customers should be able to access services, manage payments, and make calls without having their activity tracked across systems. The system achieves this by partitioning critical information related to customer identities, payments, and phone usage into separate service components that communicate only through carefully controlled channels. Each component knows only the information necessary to perform its function and nothing more. For example, the payment service never learns which phone number belongs to a person, and the phone service never learns their name.

Note that parties (as in “no single party”) here are synonymous with service components.

So, if we assume that all of the cryptography does what it says it does, how would an attacker break this system?

By compromising (or simply controlling in the first place) more than one service component.

And:

obi wan "of course i know him, he's me" meme gif

I don’t see any claim that any of the service components are actually run by independent entities. And, even if they were supposedly run by different people, for the privacy of this system to stop being dependent on a single company behind it doing what they say they’re doing, there would also need to be some cryptographic mechanism for customers to verify that the independent entities supposedly operating different parts were in fact doing so.

In conclusion, yes, this is mostly cryptography-washing. Assuming good intentions (eg not being compromised from the start), the cryptographic system here would make it slightly more work for them to become compromised but does not really prevent anything.

The primary thing accomplished by cryptography here over just having a simple understandable “we don’t record the link between payment info and phone numbers, but you’ll just have to trust us on that” policy is to give potential customers a (false) sense of security.

quick_snail@feddit.nl · 2 hours ago

If they use a payment processor, doesn’t that become the second service component?

Arthur Besse@lemmy.ml · edit-2 1 hour ago

If a payment processor implemented this (or some other anonymous payment protocol), and customers paid them on their website instead of on the website of the company selling the phone number, yeah, it could make sense.

But that is not what is happening here: I clicked through on phreeli’s website and they’re loading Stripe js on their own site for credit cards and evidently using their own self-hosted thing for accepting a hilariously large number of cryptocurrencies (though all of the handful of common ones i tried yielded various errors rather than a payment address).

presoak@lazysoci.al · 8 hours ago

Verbose

DornerStan@lemmygrad.ml · 5 hours ago

I used Calyx Institute for internet for a couple years while working online and living in a car. Solid company. Definitely gonna check out his out.

quick_snail@feddit.nl · edit-2 9 hours ago

So he’s created the next best thing: a so-called mobile virtual network operator, or MVNO, a kind of virtual phone carrier that pays one of the big, established ones—in Phreeli’s case, T-Mobile—to use its infrastructure.

The result is something like a cellular prophylactic. The towers are T-Mobile’s…

So T-Mobile sees all of your DNS queries, the numbers of everyone you call, and can read all your SMS messages. And fingerprint your voice. And triangulate your position.

So, unless you avoid all of this with DOH, never making phone calls (and making sure no friends or family or employer or banks call you), never turn the phone on at your home address, and never using SMS: they’ll be able to identity the owner of your plan within the first week of typical usage data collection

PrettyFlyForAFatGuy@feddit.uk · edit-2 8 hours ago

you can configure some phones to encrypt all sms messages.

It’s a bit like PGP email though in that, despite it working, no one seems to use it

quick_snail@feddit.nl · edit-2 8 hours ago

Don’t spread misinformation. SMS cannot have e2ee.

Sure you can wrap it with some other layer of encryption. But, as you say, that doesn’t work because the recipient can’t decrypt it.

PrettyFlyForAFatGuy@feddit.uk · 7 hours ago

It’s not misinformation. SMS can have end to end encryption if the messages exchanged between two people in a conversation are encrypted.

It’s an add on, in much the way PGP encryption works for email. the first handshake is unencrypted and includes each participants public keys, after that you can have it automatically encrypt each message

Arthur Besse@lemmy.ml · edit-2 4 hours ago

SMS can have end to end encryption

in theory it can, but in practice i’m not aware of any software anyone uses today which does that. (are you? which?)

TextSecure, the predecessor to Signal, did actually originally use SMS to transport OTR-encrypted messages, but it stopped doing that and switched to requiring a data connection and using Amazon Web Services as an intermediary long ago (before it was merged with their calling app RedPhone and renamed to Signal).

edit: i forgot, there was also an SMS-encrypting fork of TextSecure called SMSSecure, later renamed Silence. It hasn’t been updated in 5 (on github) or 6 (on f-droid) years but maybe it still works? 🤷

PrettyFlyForAFatGuy@feddit.uk · 3 hours ago

I was thinking of RCS security apparently, but was mainly talking about what’s theoretically possible.

There’s nothing stopping someone creating a E2E encrypted SMS app. The medium doesn’t matter, only the data. You could have end to end encrypted carrier pigeons if you want.

Crozekiel@lemmy.zip · 6 hours ago

Okay, but like, if the carrier sees all your texts, don’t they also receive the public keys and can then also decrypt the messages?? I’m genuinely curious how this works. The more I think about it, the more I am convinced I don’t understand how any encryption works because the intended recipient needs the key to decrypt it, and if I’m giving them that key, but my traffic is also being watched… doesn’t whoever wants to snoop get the key too??

I feel like I have to be missing something because this just sounds like having an encrypted flash drive that you leave out in the open for someone else to grab, but it has the password written on the side of it in sharpie.

PrettyFlyForAFatGuy@feddit.uk · 5 hours ago

don’t they also receive the public keys and can then also decrypt the messages??

A public key is used to encrypt a message, you need the private key to decrypt.

That’s why you have public key servers. it doesn’t matter who has the public key, all they can do with it is encrypt information that only the private key holder can decrypt.

The more I think about it, the more I am convinced I don’t understand how any encryption works because the intended recipient needs the key to decrypt it

The way it was explained to me that finally made it click was so:

Imagine you have a lockable box (public key) and a key (private key), the box is empty so you give it to your friend. it doesn’t matter if anyone sees the open box because there’s nothing in it. your friend puts something private for you in the box and locks it. People see the box as he’s bringing it to you but they can’t see what’s in the box because neither him nor the people watching have the key to the box; only you do. once it gets to you you can open the box with your key

Crozekiel@lemmy.zip · 5 hours ago

OH. So like, it’s a situation where the “lock” has 2 keys, one that locks it and one that unlocks it. You keep the “unlock” key on your person and never let it out of your sight, but let the “lock” key just gets distributed and copied anywhere because all it can do is LOCK the door, and it really doesn’t matter who locks the door so long as only you can unlock it.

That is very interesting. I still don’t quite understand how it technically works, because I thought if you encrypt something with a key, you could basically “do it backwards” to get the original information… This is probably due to getting simplified explanations of encryption though that makes them analogous to a basic cipher (take every letter, assign it to a number, add 10, convert back to new letter - can’t be read unless someone knows or figures out the “key” is 10) and now it is obvious that it is significantly more complex than that…

But I am much more confident that I understand the ‘mechanics’ of it, so thank you for the explanation!

PrettyFlyForAFatGuy@feddit.uk · 3 hours ago

Yep, you lock with the public key and unlock with the private.

You can’t unlock with the public, it’s one way only

Arthur Besse@lemmy.ml · edit-2 14 minutes ago

So like, it’s a situation where the “lock” has 2 keys, one that locks it and one that unlocks it

Precisely :) This is called asymmetric encryption, see https://en.wikipedia.org/wiki/Public-key_cryptography to learn more, or read on for a simple example.

I thought if you encrypt something with a key, you could basically “do it backwards” to get the original information

That is how it works in symmetric encryption.

In many real-world applications, a combination of the two is used: asymmetric encryption is used to encrypt - or to agree upon - a symmetric key which is used for encrypting the actual data.

Here is a simplified version of the Diffie–Hellman key exchange (which is an asymmetric encryption system which can be used to agree on a symmetric key while communicating over a non-confidential communication medium) using small numbers to help you wrap your head around the relationship between public and private keys. The only math you need to do to be able to reproduce this example on paper is exponentiation (which is just repeated multiplication).

Here is the setup:

There is a base number which everyone uses (its part of the protocol), we’ll call it g and say it’s 2
Alice picks a secret key a which we’ll say is 3. Alice’s public key A is g^a (2³, or 2*2*2) which is 8
Bob picks a secret key b which we’ll say is 4. Bob’s public key B is g^b (2⁴, or 2*2*2*2) which is 16
Alice and Bob publish their public keys.

Now, using the other’s public key and their own private key, both Alice and Bob can arrive at a shared secret by using the fact that B^a is equal to A^b (because (g^a)^b is equal to g^(ab), which due to multiplication being commutative is also equal to g^(ba)).

So:

Alice raises Bob’s public key to the power of her private key (16³, or 16*16*16) and gets 4096
Bob raises Alices’s public key to the power of his private key (8⁴, or 8*8*8*8) and gets 4096

The result, which the two parties arrived at via different calculations, is the “shared secret” which can be used as a symmetric key to encrypt messages using some symmetric encryption system.

You can try this with other values for g, a, and b and confirm that Alice and Bob will always arrive at the same shared secret result.

shia labeouf magic gif

Going from the above example to actually-useful cryptography requires a bit of less-simple math, but in summary:

To break this system and learn the shared secret, an adversary would want to learn the private key for one of the parties. To do this, they can simply undo the exponentiation: find the logarithm. With these small numbers, this is not difficult at all: knowing the base (2) and Alice’s public key (8) it is easy to compute the base-2 log of 8 and learn that a is 3.

The difficulty of computing the logarithm is the difficulty of breaking this system.

It turns out you can do arithmetic in a cyclic group (a concept which actually everyone has encountered from the way that we keep time - you’re performing mod 12 when you add 2 hours to 11pm and get 1am). A logarithm in a cyclic group is called a discrete logarithm, and finding it is a computationally hard problem. This means that (when using sufficiently large numbers for the keys and size of the cyclic group) this system can actually be secure. (However, it will break if/when someone builds a big enough quantum computer to run this algorithm…)

ltxrtquq@lemmy.ml · 6 hours ago

public keys

I’m not too sure how cryptography works, but I’m pretty sure it’s fine if other people have your public key. I’m reasonably sure it’s actually required in a system with public and private keys.

ITGuyLevi@programming.dev · 8 hours ago

I think they may have meant it like that, email does not support PGP out of the box, it is just the medium the data is using. In the same way you can send data via SMS that is encrypted when it leaves one device and decryped when it reaches its destination (unless the recipient doesn’t have a way to decrypt it, which I think is both of your points).

quick_snail@feddit.nl · 9 hours ago

Merrill says. “If we were able to set up our own network of cell towers globally, we can set the privacy policies of what those towers see and collect.”

Well that’s ambitious

Another Catgirl@lemmy.blahaj.zone · 9 hours ago

can I use this for safely tormenting linux ISO’s?

DanVctr@sh.itjust.works · 7 hours ago

I make sure to lock my ISOs in a dungeon every night for maximum tormenting speed.

Crozekiel@lemmy.zip · edit-2 6 hours ago

I find the best way to torment Linux ISOs is using the live environment exclusively to:

Bing search “how to burn iso to usb” 1a) immediately change search to “how to burn iso to usb linux”
Bing search “windows 11 install free iso” 2a) download the first link that is an iso
Follow instructions from step 1a 90% to the letter using the iso from step 2a, changing the 10% ignored until it “works”.
3a) bonus points if you try to write the image to the same USB the live environment is on - if the “chosen” method allows this, congratulations secret ending unlocked, skip to step 6.
Bing search “is windows 11 free install safe” 4a) change search to “is windows 11 free install safe reddit”
Either unmount the live USB while it is still running, or just hard power down the computer, without even closing the browser.
Plug USB drive directly into USB power wall adapter and never plug it into a computer again.

Now, before you ask, yes, you absolutely could do all of this in a VM, but I’ve found it is more tormenting if there is real actual hardware wasted and/or at risk of damage. Linux is the natural enemy of consumerism, so buying a 12 pack of flash drives just to do this on a thinkpad over and over until the thinkpad dies really hurts the linux ISO to their core.

youmaynotknow@lemmy.zip · 7 hours ago

And only feed it every 3 days. Oh, and play fucking ‘dembow’ at full blast 24/7, that’ll drive anyone crazy.

krolden@lemmy.ml · 9 hours ago

You can already use a fake address for any prepaid sim

ArmchairAce1944@discuss.online · 10 hours ago

I have to read this all soon. But I hope something like this shows up for Canada.

youmaynotknow@lemmy.zip · 7 hours ago

In Canada? Not happening. Canada is chasing the EU and the UK in everything related to chat control and all that crap.

ArmchairAce1944@discuss.online · 5 hours ago

Unfortunately.