Internet Privacy - Everyone Edition

It's five o'clock somewhere, time for the Security Cocktail Hour. I'm Joe Patti. For over 20 years, I've been working in information security and knocking back martinis all over New York.

I am Adam Rohr from Staten Island. Locksmith, EMT, love to box, and on rare occasions, I've been known to engage in cybersecurity. Let's go!

All right. Hello, Adam. How are you doing this time around?

Hello, Joe. I'm doing great. I'm doing incredible. A lot of rain yesterday, but hey, I'll have to drain the top of my pool next week too.

You know, you don't have to rub it in that you got a pool and I don't, you know, that is totally on this.

That's not, that's how we're starting things. Well, that's how our cybersecurity experts roll.

Okay, so anyway, getting onto the topic at hand, we did an episode on VPNs, if you recall, which was very interesting, at least I thought it was interesting. And, you know, one of the things we talked about that was very important, we said, look, we're focusing on VPNs, we're talking about VPNs here, and they are a useful tool like many other things. But if you want to protect your privacy, your anonymity, your whatever on the internet, The VPN is just one tool that you need. You actually have to put together a whole package, a holistic look and understand what you're doing. Wouldn't you agree? No.

Let me, let me, let me, let me, let me, let me, let me, let me add to that. I've given this great thought. If you really want to remain anonymous, what you really need to do is dress up, go to a Best Buy store, use money, all in cash, while being disguised, buying a laptop that's no longer, that's not registered to you, walk out, set it up, connect to somebody else's Wi-Fi, Uh, don't be near any cameras and don't transmit any personal data using a browser that's already probably incognito while, um, uh, doing it while, uh, traversing to another country and somebody else's machine that's already been compromised. That might work.

That might work. But yes, you could also go to the cemetery or whatever and like, you know, assume the identity of like some infant who died, you know, 30 years ago, however old you are. Like, you know, I think that's what the spies call it.

Were you watching me?

Yeah, I've been watching you.

No, but what I'm getting at is yes, there are steps you can take to mitigate using these anonymous browsers and incognito. But what I'm saying is nothing's ever foolproof. Well, that's right.

And we're going to talk about that a lot. You know, the context is really important to this. This episode is about giving yourself a level of protection and a level of comfort against scammers, marketers, overreaching and aggressive tech companies, big tech and otherwise, if you're concerned about that. And you probably should be. This is not about this is not gonna be about protecting yourself, you know becoming a spy Protecting yourself from like, you know the high-level, you know nation-state sort of law enforcement or anything like that That's a whole separate topic that we're going to deal with in an upcoming podcast nor do we advocate that you take any illegal steps to

disguise yourself to do anything illegal. I mean, I understand there are times when you want to make an anonymous complaint or something, which is fine, but please don't use any of the information contained within this podcast to perform any illegal activity. Insert disclaimer here.

Yes. And if you do certainly say you learned, don't say you learned how to do it on this podcast. But now what we're talking about here again is, is talking about protecting, controlling your own data, your identity, and protecting yourself from overreach by big tech with capital B and capital T and others. You may not realize it. In fact, you probably do. But everything you do on the internet, absolutely everything you do, every site you visit, every video you watch, every email you send, et cetera. Every breath you take. Every breath you take. I'll be watching you. I love that song. Don't sing it. I don't want a copyright strike. We talked about this. Sorry. But everything you do is being recorded. Recorded, repackaged, resold, mixed up, and used to sell things to you, which you may not like. Very aggressive things like that. And potentially being used to manipulate you. in ways that you might not anticipate and that you might not agree with.

It's something called surveillance capitalism. Isn't that cool? Oh, it's really cool. It's like if I went to a site and I by mistake typed in, say, something that brought up, I don't know, let's say a porn site. And then later on, I closed all my stuff and they opened up a browser again. I went to go to Amazon and embedded in the corner was it was a was an advertisement for adult toys, that wouldn't be good, right?

Well, unless you really did want adult toys. But yes, well, it would also be bad if someone else used your machine. You know, gotta look at that. Yeah, that's a problem for a lot of people. But really, it's, you know, it's more than that. They're little jokes and little things that can work out. But I read a book. I read a book. I've heard a few. It's called The Age of Surveillance Capitalism by Shoshana Zuboff. And I think she's a professor at Harvard. So, you know, she must know what's going on. This thing is at home. It's like endless. And it is like the most frightening book you will read. Because whatever you think is going on with this surveillance stuff, how you're being tracked, it's like 20 times worse. And it is being used for, you know, very, uh, you know, very aggressive marketing and frankly, very aggressive, you know, straddling that line into manipulation, which you might have a problem with.

I would think most of us do live in a certain world of, um, ignorance bliss, because if we, let's say for example, any one of us, which I haven't worked for a government agency, let's say the NSA, I'm sure you would see things that would make you, your stomach turn. And, you know, what we know, even at the surface is crazy. I mean, everything is collected on you. You know, when you're doing, you know, Google searches that DNS is given to your, um, to your, uh, cable provider or, or internet provider, assume that you're using their cable, their, their DNS, um, lookups. So everything is collected on you and it's all about money. But what you need to worry about I just want to bring up this one point is everyone's like, oh i'm not doing anything illegal I don't need to worry about anything But what if you're that person? Who has a disease? And that disease you don't want your employer to know and you don't want your employer to know because they might find a risk In hiring you they might say, okay If this person has this disease, they might be out 22 days, six days a year based on a table. So you'd be surprised how much information is sold and collected on you and people have access to it when they're looking to hire you or to insure you.

Yes. And that is illegal for them to do that in many cases, but they do it anyway. And you know, There is nothing immoral or unethical about protecting yourself from other unethical behavior. That is a human right, basically. And like you say, Adam, it is much worse than you think. One of the things we've learned in the last 10 years or so, first with Snowden, that all the things we thought the government might be doing, they actually were doing. In fact, it was much worse. And recently in the past few years, we've learned about the same thing from big tech and all this marketing and behavioral analysis and everything, everything that you thought the tech industry might be doing. They're doing it 10, 20 times worse. I mean, it's unbelievable. If you, if you just go and search for surveillance capitalism, or read this very lengthy book or others like it or the cliff notes, or I have chat GPT, summarize it for you.

if that's your thing.

Um, yeah, there is quite a bit there and it might give you some pause and think, you know what? I want to take some power back and I want to control what places, what people who I don't know who have unknown motives know about me.

But you know that this is really an issue, right? I'm going to be the Debbie Downer and I'm going to tell you, yeah, you can take steps, but I have my cell phone sitting right next to me on my desk. My cell phone's listening to everything I do. You know, when I'm going to the bathroom, whatever sounds I'm making are being recorded, you know.

So while they'll take, I can guarantee you, I'm not listening to that.

I actually sent you the recording. But anyway, in all seriousness, what I'm getting at, yes, take steps, absolutely take steps to mitigate. But at the end of the day, unless you're living under a rock, without a cell phone. And there are cell phones out there that supposedly don't capture your data. But guess what? When you're connected to your provider like Verizon or AT&T, they know where you are, they know how fast you're traveling, they know everything about you. But your phone, whether it's an Apple flavor, or iOS flavor Apple or Google or maybe another brand. It's still capturing a lot of data about you. So yes, you can take some steps of your browser and you can protect yourself, but just keep in mind, there's no way to completely isolate yourself unless you get a gas power generator, live on an island and, you know, bring water there. So.

Well, I'd say you, if you're going to live in this modern world of ours, like it or not, you're going to have to accept certain things and you have to live your life. But what we'd like you to do here is understand better what's going on, know what things you can do to ease it a bit, and you can make some decisions for yourself. And you will also find that one of the really important points is that there are a lot of things you say, oh, it's so easy to do this. They made it convenient. They made it easy for you and stuff. They've given me something for free. Believe me. They're not doing it out of the goodness of their hearts. They're doing it so they can collect more data, tie things to you, and sell that, and sell what they've learned about you. I mean, there are a lot of philosophical arguments about this, but at the end of the day, too, it is just kind of, to most people, creepy and uncomfortable. And I think that's a normal human sentiment.

Well, I think if anybody here listening to this takes the time to read any of these EULAs, these end-user licensing agreements for any of these apps, even if it's a browser, even if it's an anonymous browser, take the time to read what's going on with that browser and what it collects on you. and what it sends, because just because it says, you know, I'm buying a product with zero sugar, and then you look on the label and say, wow, there really is two grams of sugar in it, even though it says zero sugar. That might be within the specifications. And by the way, I don't know if that's how it works with zero sugar, but I'm just saying the label doesn't necessarily translate to what you're really getting.

Well, here's what they do. It's interesting you bring that up, because we're not gonna get into health and nutrition too much, but you know, somewhat of a fanatic about having too much sugar. One of the ways they deal with that is that on the labels, like the devil, sugar has many names. And even if you go and look at the ingredients, you'll find a lot of different words. There are many different types of sugar and different names for it that they will put in there. Very much like the Euless, if you actually go and read them, You'll find a lot of stuff, a lot of boilerplate.

It's boring.

It's tedious. It's covers all these conditions, all this stuff. You don't even know what it is. But if you distill it down, you will eventually find a line in there hidden in there somewhere. Or a few lines that basically boils down to we're collecting whatever we want and doing whatever we want with it. That's what always boils down to it.

You know, nobody ever reads a Euler, including me sometimes. Right. You know, like I don't sit there and read every single page and nor do I have the legal capability to fully understand what that EULA really means. I mean, I can get the basics of it, but EULAs are written in such a way, unless you really are a EULA expert, and I'd be willing to bet you, if there's any attorneys listening to this, you tell me if you can understand every single EULA, because if you're a person that handles medical malpractice, do you really understand technology EULAs? I mean, It's not easy. It's very, very complicated, you lose. And usually they're about seven or eight pages, you know, to really kind of break you down to not wanting to read it.

That's right. If you try to read those things and understand them, you will lose the will to live. It's better to just look at it and say, ah, it says I'm screwed. And they're going to do whatever they want because that's pretty much what it boils down to.

And then what's the alternative? If you're using a free thing, a free browser, a free anonymous browser, I mean, I also understand we're using Google and we're using other browsers out there that have incognito, which is another thing I'm sure we're going to pick up on. But if you're using one of those anonymous browsers to help protect you, you might not be protected.

Well, there are different levels of all these things. And that's what we're going to talk about. What these things do and what you can do to, you know, minimize them or control it to the extent you can and You know, and if not to at least understand it and know what you're getting into again, you know Like like you said Adam you can just opt out and to go live in a metaphorical or literal cave But that's not an option for most of us.

So for example, like if I if I didn't want to be tracked I I might, let's just say I was going over at your house, Joe, and you went to the bathroom. I would use your browser to do my research while you were in there and not put any personal information in there and none would be the wiser.

Are you taunting me? Do you think you're going to be able to walk up to my computer in my house and use a browser?

Come on.

If anything, it's going to be rigged to give you inaccurate information just to mess with you. No problem. I'm not going to see you the next day and you're going to be like, you know, covered in, I don't know, some kind of rash. Be like, oh, you should have looked up that shampoo formula on my computer, should you?

So I shouldn't use one of those USBs that bypass a Mac or a PC and boot into it and it removes the password?

Well, you know, it kind of all depends on who your adversary is. That's what we get back to.

Yes, sir.

All right, so one of the things that's inherent to all of this is fingerprinting. These guys, they need to figure out who you are and be able to preferably identify you personally.

Not literal fingerprints, by the way.

Surprisingly. Yes, not literal. It's surprisingly easy, but from your patterns, figure out who you are. The first stage is kind of they want to know, are you the same person? Can they connect you like this person doing a Google search to this person on Amazon and this person doing that? That's the first thing. But then they want to figure out who you are also, which is not that difficult. So what do they do? They use a number of different things. And this is not new, but let's run through it. The first is your IP address. That's where you are on the internet, which, you know, can really be surprised. The geolocation of this, it can be easily spoofed with VPNs and changed and proxies and things. But when you're using the actual IP address, it is remarkably accurate how close it can get to where you are. Can you tell you which floor you're on? You know, possibly, eventually, because it can be tied. If you're in a company and you are, you know, coming from that company's address, they can maybe not only know where

where you are, but say, Hey, your company is on these floors. So I was kind of being funny about that, but I know that I know you are, and you were trying to embarrass me and it didn't work. No, but I know that if you're, if your machine has a GPS chip in capable of doing three dimensional, it's possible. It can tell you. And they, they use it for geofencing also, but yeah.

Yes, that is true. And there's also some interesting 3D technology going on with that, which again, hopefully is being used for good for things like finding, you know, fire victims and stuff in a building and not following stalking people. Okay. So they do that, your DNS queries. Adam, why don't you explain DNS queries?

Well, as humans, we, so the world is all about IP addresses and an IP address is a number. Let's make up a number. Let's say that number is your IP address is 1.2.3.4. That's kind of like a sample IP address, but your website might be 5.6.7.8. And as humans, we don't really remember what IP addresses are we can barely remember our phone numbers but we do remember words and stuff so if you wanted to go let's say to www.google.com It's a whole complicated system, but I'm not going to get into it. But basically when you look up Google, it goes through something called a DNS server or domain name server. And what that basically does is says the IP address for google.com is this, this, this, and this. And that will direct you to that website. Kind of like if I said, I want to call, um, dad. uh dad would translate on my phone maybe to his real phone number and call him so that's what a dns or domain name service lookup is is that is that a good answer that's a great answer and that's very interesting because that is extremely valuable data because

You know, it's, it's, it's like Adam said, it's like a phone number lookup and you know, it, it doesn't let someone who's listening to it. See what, you know, what you're doing. You can't see the traffic. If you're going to Google and you know, whoever's giving you the DNS can't see what you're Googling, but they can see that you went to Google. They can see you went to Facebook. They can see that you went to a certain health site, to certain stores. You were looking up certain, uh, certain things. Um, so that, so that alone. can give a lot of information. Builds up a profile. Right, builds up a profile of you and of your traffic. And who gets your DNS queries? Well, with all your traffic, obviously your ISP sees all that stuff and they sell that. Your ISP also typically provides DNS. And it's just automatic. When you hook up your router, you do whatever, they're like, oh, it all sets up. And that's one of the things that they set up and they track all that. Google also has a famous DNS server called 8.8.8.8. If you go to that anywhere in the internet, it's, you know, it's a lot of redirection and stuff for it, but you know, that will give you free DNS out of the goodness of Google's heart. They're so good. They're so good. Aren't they good? Of course, they're collecting every single thing that you do, including where you made that query from. So they know where you're going and they're working to tie that to the searches you made too. Um, so interesting stuff there.

It's targeted marketing basically. So if you're looking up, you know, cookies and you're on Belgium and they know your IP address and they know your GPS location, they might direct you to a store that's close by that sells cookies.

That's right. And, and these things are, you know, we gotta be clear too. These things are much more sophisticated than some, some of the obvious things. That's like, you know, they say, oh, I looked up. you know, I Google a pair of shoes and I'm getting shoe ads on Amazon or here and there. It is much, much more sophisticated than that.

Or I'm using AIs. Or I'm Googling flamethrowers and then the United States Marshals or Secret Service shows up or something like that, FBI.

Yeah, but also, you know, they have a much higher level of sophistication using predictive AIs, behavioral algorithms. behavioral algorithms and things like that, where they can say, hey, someone in this area who's looking up this is also interested in this and interested in this. And that's where a lot of the creepiness that you find, like, how do they know I'm interested in this? That's like, well, they have ways of figuring it out that you don't even realize. So that's some of the DNS stuff.

The other thing is in your browsers.

You know, we talk a lot and we're going to talk more about browsers and like, you know, deleting your cookies. Everyone says, use the private mode, delete your cookies. That's not all they can do. They can still fingerprint you based on your browser, based on the browser you're using. They probably know the operating system that you're coming from. There are even things where based on if you're always using the same browser and you have the window size set the same, they will record that. and try to figure out, hey, this is probably the same person who's using this exact same size window. And they have a lot of algorithms for that, too. And there are ways around it as well. And then there's mobile. Mobile is the best. It's my favorite, because if you've ever gone to a website, and I'm sure you have many times, on your phone, and it conveniently says, hey, download the app. You'll get a better experience. Well, maybe you will. but so will the company providing it. Those apps are designed to scoop up data off your phone like you cannot believe. They go and grab everything, and there are companies that sell the software to do that, that make it so easy for anyone developing an app. It's ridiculous.

What I enjoy is watching. I only have one real social media, and that's basically LinkedIn, but When you download these apps, they sync your telephone numbers from your directory, and then they try to figure out who you know and who else you know, and it's like, oh, may I make a suggestion? You might know Joe Patti. Would you like to add him? Sure. Meanwhile, you have like ex-girlfriends and old bosses and people you haven't spoken to in 22 years ago, because they have your phone number and you have theirs, and it's a match.

Yeah, and it's funny because it's so powerful and it's so useful that, you know, Apple put some restrictions on there. I mean, first they started doing things like, you know, before you can access contacts or access your location through the phone. They will, uh, you know, you have to get asked.

It's like, okay, you have to opt into that.

Then Apple did the thing where you could opt out of a lot of the tracking through the apps. And I mean, it ended up Facebook stock. They ended up losing a ton of money because of it, because they're, and if you ever wondered if this stuff is real, that without, as people started opting out that without all that data, they couldn't, they didn't have as much data and they couldn't sell it as much. So that alone is kind of the proof that this stuff is for real. But yeah, the browsers hoover up everything. And even the stuff you're not asked about explicitly, remember there's a lot of data there still. Like Adam was saying, your phone company knows where you are at all times. That's how cellular technology works. They know where you are, but even an app, they're going to look at things like what phone is it? What version of software? From your IP address, what's your location? When you know one of those things, is 100%, but when you start putting them all together, you can narrow it down in a person. And in fact, there's some really interesting research that the big tech companies have known for a long time that, you know, people on the outside have figured out that you would also be shocked at the small number of data points it takes to narrow in and identify you.

Well, I mean, look at it this way, right? You know, if you watch the news, unfortunately, with all these shootings and stabbings and killings and mass murdering, when they look to investigate the individual that they think was involved, they typically grab that person's phone. They typically do forensics on that phone, because they know that those browser and those apps collect. Well, he or she was here at 3.57 PM at coordinates this, this, this, and this. This person searched this, and this, and this in their browser. This person purchased this, and this, and this possibly from this, because your app would store that information directly on your phone. So while your data is encrypted from Endpoint to to the server they might be able just to get that data or subpoena it directly from the Organizations that they're looking for that data. So your phone it used to be that like your phone was a all about calling, but a lot of law enforcement agencies recognize that your phone has a lot of valuable and personal data on you, and it becomes an issue when it's admissible in court sometimes as well. Did that officer have the right to confiscate your phone? Was there a warrant? Was there not a warrant? So yes, all your data you're surfing, especially in your browser, it's there for the picking.

That's right. It's there for the picking. And you need to understand that, you know, even if you do have the protection of subpoenas and things, um, they're not both the tech companies and law enforcement, um, don't always follow their own rules. And even the rules themselves, when they do follow them are extremely lax, which is a very big topic.

Um, yeah, there's stuff all over the internet now another time.

Yeah. But just be aware that, you know, yeah. Yeah, your data is out there. And if it's out there, it's going to be used. And remember, it's not going to be used for you. It's not there for your benefit.

Well, actually, it could be. And I'll tell you why I say that. When I was doing one of my papers for school, one of the gentlemen was accused of a crime. And I forgot which organization, whoever's American whatever it was, it was an organization of free attorneys. And they actually subpoenaed this person's data to show he was never physically at that location, but they claimed he was. So most of the time, it works against you. Rarely, it can work for you. But, you know, you got to be careful.

I think there was a case a couple of years ago after the Snowden thing, where I think some guy, I don't know, I think it was a divorce case. It was something, I forget what it was. But his lawyer tried like subpoenaing me an essay to like prove his innocence. Yeah, that's not happening. It's like that. Yeah, that's not happening. Which, you know, it's kind of crazy though, because when you think about it, it's like, yeah, well, why not? If the government has that data, it is theoretically ours, right?

Yeah. I've had this, I've had this conversation and I said, if the NSA ever gave up a lot of the data that they mined, they can probably solve so many local cases. It would be insane, but they don't do that. And they, and they, and they have to have an anonymity in order to do what they do. at the level they need to do it. Because once people start realizing what is out there, and if one case has a precedence where they're getting that data, it changes things.

Okay. Well, let's get a little... Serious? Yes. Let's divert a bit into civil rights. All this data out there is tempting. It is something that is powerful, And it is, you know, and can benefit you. You're right. It can benefit you when used correctly. It's supposed to benefit us. And it theoretically is no harm to anyone. However, there is the potential for abuse with a lot of it. It's that powerful, both by, you know, private entities, by companies and by the government. And there have been plenty of instances of that. You don't have to, knock yourself out searching for those kinds of things. It is very prevalent. And it's not about the, if you have, you know, nothing to hide, don't worry about it. It's like, well, you know what? I do have a lot to hide. I have a lot to hide from people who might use my information to hurt me, you know? And there's nothing wrong with that. No, nothing that says you have to make it easy for bad intentioned people to harm you.

And that's interesting too, right? You know, at the end of the day, when when an organization, while an organization might be... uh, non malicious, the agent acting for that organization might have their own ideas. And what do I mean by that is this, and I know this is not specifically that browsers, you can walk into a store, give your credit card information to somebody in order to buy something or do a credit card lookup. And I know these days it's a little, it's a little bit more secure, but not always that person takes your credit card information and starts buying new shoes for the kids. So it's the same thing with your browser.

You go to a great, right? There's a great Dilbert cartoon. I think it's from like the early or mid nineties from like the early days of the commercial internet. I remember it where Dilbert is out on a date and he's saying to his date, he goes, Oh, I would never buy it on buy anything on the internet. It's too unsafe, you'll get robbed. And as he's having this conversation, he hands his credit card to the waitress and the waitress comes back wearing a fur coat. And that applies to so many things. You're right. You're talking about trust in the organization, but also trust in the individuals. And does that place you're giving the data to have good controls? Do they have trustworthy people? Are they selling it and giving it away? And what are they doing it? Who are they giving it to?

Let's say you have a laptop. It doesn't matter what flavor. And you do a lot of browsing. You lose your laptop. And that password is like capital P-A-S-S-W-O-R-D-1-2-3-4. Somebody finds your laptop. They have all your browsing history. They have everything. They can find a lot of data on you. You might even have your passwords cached. You don't know. So the point I'm making is just because you have nothing to hide doesn't mean you have nothing to lose.

Dude, we got to trademark that. All right. That's excellent.

Hold on. Let me go on the website, trademark it.

Please don't tell me you scarfed that off someone else. No, I didn't. Okay. All right. So we've had a lot of doom and gloom here on how terrible things are. Let's talk a little bit about understanding some more of the details and maybe what you can do about it, or at least give you the ability to make some choices. Because a lot of this is really not about completely preventing everything if you want to live your life, but understanding your risk and making some choices. And even making some choices with, you know, specific companies or specific things. You know, you might say with some of them, I'm just not comfortable with this, or I just don't like it, or I'm going to be a little more careful with what I do for them.

So Joe, tell me, what does an incognito browser do?

An incognito browser, I like this quizzing each other. Okay. What an incognito browser will do is it's usually a mode in the browser that brings up a separate window and they call it private browsing or incognito or whatever it is. And what it does is it says it will, while you're browsing, it will not save any history and it will not save any cookies. Which is nice. So you go somewhere, you're like, okay, when I go to this site, then they're not gonna remember me. I can do whatever I want and I won't leave a trace. Well, I think we've already learned that that's only a piece of it. That's one part. So what do they still know there? Well, they still know your IP address that you came from. If you're using a VPN, that could help to trip them up a bit, so maybe you can't be tied to something. Whoever you did the DNS query to, they'll know you're going there. So you have that. Your ISP knows you're going there, at the very least, again, unless you're using a VPN. But also they're going to use all those fingerprinting techniques we're talking about. And also remember that just because you are not storing the data on what you've done, they're storing the data on what you've done and probably selling it. So even though you've wiped your cookies, and use the private browser, the site that you're going to may recognize, hey, there's someone here coming from Chrome, this version, from the same IP address, or the same area, with a window size like this, and maybe with these options turned on, or whatever it is. And they're like, yeah. It's probably the same person. So be aware.

I have another quick question for you. I have another quiz. I hope you pass. Did I pass that one? Yes, you did. Actually, I gave you an A. Are there browsers, other than the popular browsers, that I'm not talking about on Linux, on those Tor type of things, are there browsers that any regular person can use on their machine? that really does not capture all your data. They claim that they're better than others and don't track you as much.

Well, it's kind of a mixed bag, in my opinion. There are privacy-focused browsers. Like, I think the most notable one is Brave, where they say they put a lot of limits on what they do, track you. They call it a privacy browser. And there are some others also that are more niche types of things. But with them, you need to be really careful and you do need, you know, again, to look and understand exactly what you're getting in terms of privacy because they have, you know, different uses, different niches. A lot of them will, I shouldn't say a lot of them, but there have been cases where, you know, they will limit what's sent, but maybe they do have arrangements, they'll say with a trusted advertising network or, you know, and that's how they fund themselves. So you need, you need to, When you look at them, understand just what it is that they're not doing and also that they're doing. Now there's another piece too. The other option is to take your existing browser. And one of the things here is that a lot of the browsers keep getting more and more privacy tossed into them, more features here and there. So you can look at the features that you have in your existing browser, in a mainstream browser. There are also plugins that you can get. that can enhance the privacy of them.

And to disclaim here, make sure when you download a plugin that you download it from a reputable place. Thank you.

Yes. So why don't we run down the big browsers and talk about what we think in terms of security. We'll start with the easy one, Chrome. Never heard of it.

Never heard of it.

It is my vote for the worst browser in terms of privacy?

So one of the reasons why people use Chrome constantly, it's one of the more compatible browsers for certain software as a service apps. So when you're going to certain sites and you want to do certain things, or if you're even working for a company and you have to connect to one of your servers internally that has a service, Typically people like use Chrome use Chrome because it's the most compatible people write their apps geared around Chrome. Why? Because it's one of the most popular apps.

We are recording this on Chrome. I tried using something else and it wasn't working right and they said, oh, you should use Chrome. It works better. Okay, that's gonna happen. The thing with Chrome is that It is made by Google and Google's business is data collection. And in fact, when you, uh, you know, especially when you go to Google and they say, Oh, sign into Google. Well, they want to know what you're doing. And it links to your browser. They know you're coming from Chrome. That helps them, um, attract stuff. And also Google has a whole ad network and basically a whole surveillance network. Um, so that even when you go to other sites, um, they, you know, they can track you and know what you're doing. And you know, it's not an accident that Google came out with a browser. Again, this wasn't out of the goodness of their heart. It was for this reason. So they could collect data. In fact, you know, the current CEO of Google, I only heard this a couple of weeks ago. Apparently the current CEO was the guy who started Chrome. So this was so important to them. They made the creator of the CEO.

What do you think of that? I think that's incredible. I also like to remind you. Um, in 1998, if I remember, I'm looking it up. Uh, there was a lawsuit of the United States versus I think Microsoft Corp. And it was about Microsoft having the, um, what's the word, uh, the monopoly on only allowing their browser and had to be sued to allow other browsers into the operating system. So that goes to show you how big of a deal it is to have a browser integrated And Microsoft has come out with plenty of browsers over the years. I mean, some more popular and more known than others, whether it's IE or Edge, right?

Well, my number two pick for the second worst browser in terms of security is Microsoft Edge. Now, Microsoft Edge is interesting. It is not Internet Explorer anymore. It is actually totally different. The underlying core of it that draws the web pages and everything, um, sort of the browser itself, so to speak, is actually the same engine that Chrome uses because it's open source. Microsoft decided to use that, but they add a bunch of stuff to make it Microsofty. You know, the first thing is they, they add it so that you can log in.

I want to get ice cream. I said, it's.

We'll have ice cream later after work is done. Okay. Um, but no, you know, Microsoft does a lot of stuff to edge to, you know, extend its functionality and give you a good experience, including logging into Microsoft, to office, to. Azure, whatever you call it. And just like Google, it's nice and integrated and everything works very well. And it's optimized for them. It's also optimized for all their services and their tracking and their ad networks and all that sort of thing. And Microsoft was recently caught. doing something very, very naughty in terms of privacy. I don't know if you heard about this one, but they had the Edge default settings set up and they were obscure. If you read them, you would never think that, you know, this is what they were doing, but a bunch of the settings buried down there somewhere would by default send Microsoft every URL you were visiting when you use Edge.

So very nice. Can I test you? Can I ask you a question? Very nice. What was the first browser called?

The first browser that I know of was Mosaic.

Yes, that was the first browser that allowed images embedded into text. I believe the first browser before that, yes, Mosaic is considered the first browser overall because it had graphics. I believe the first browser was actually called World Wide Web. WWW that's how they got it.

Supposedly. I remember when Mosaic came out and then the people who started it, sort of with some tech people, yeah, found it Netscape and became rich. And that's where Andreessen got his start. Anyway. Um, so a little browser history for you.

We've come a very long way since then.

Okay. So be careful with edge and take a look. at those settings, they're pretty important to be changing if you care about your privacy. The next one is Safari. And Safari is kind of interesting. This only applies, well, this only applies on the desktop side if you use a Mac, but also if you're, you know, it is the default browser still on iPhones and iPads, which a lot of people use. You know, Safari is interesting because Apple, when it comes to privacy, is probably the best of the big tech companies, probably, because they've always traditionally been, you know, a hardware company for the most part, you know, they weren't so into the You know, they're not like, you know, Microsoft, they don't really, they give a lot of software away for free. Not so into the software, it was just that sell the machines, you know, they're not a search engine like Google and search is where Google makes, and the ads are where Google makes most of their money. Um, you know, so they didn't do that and Apple, you know, they have the reputation for privacy. That's kind of deserved. And actually Safari has a bunch of features that do give you a lot more privacy that are, that are really useful. However, you know, Apple has had their gaffes in the past and, um, they are getting more and more into services. And again, you got all the, they got all this data. And, you know, even if they say we're not an ad network, we're not doing this, we're not going to use it. They got all this data. And when it comes around that they need money, they need to grow. Apple doesn't need money, but they need to grow their revenues. They need to make the shareholders happy. What are they going to do? They're going to look around and say, we got all this stuff and they are growing in the services business. Very much so. So, you know, Safari. Yeah. Use Safari if you got a Mac, but keep an eye on it. Be aware and definitely look at all those fancy schmancy things that they have and understand what it's really... What's that browser?

I heard of a browser called Opera.

Opera is another one that I don't know well. I mean, I used like version two of it years and years ago, but... You know, it's an alternate browser. Um, I think it's on a par with a lot of the features. It's not as far as I know, a privacy's, um, centric browser. It's just another also ran and apologies to anyone who loves opera. I'm sure it's wonderful.

Do you know what the best opera or the best web browser is?

I'll tell you what links. That's the one you don't use. Yes. Well, unfortunately you need to use something and I'll tell you what I use. And this kind of gets to my philosophy. And this is not so people can hack me. I use Chrome for things like this. I use Chrome when I have to use Chrome. Basically for Google because you realistically have to have a Google account these days for a lot of things. I need it for my kids because Google runs our school district essentially. Yeah, Google Classroom, that whole thing. And it's like every time they send something, like, oh, it's on Google Drive. It's on Google Drive. Like, you got to fill out a form. Use your Google account, which I'm not too thrilled about. So I use Chrome for that. And for YouTube, got to watch YouTube. What are you going to do? And for my Apple stuff, for my Mac, and I know, Adam, you don't have a Mac. So just bear with me. I will use Safari to connect to the Apple stuff, um, for all those Apple-y things you need to do, like logging into your account and all. And, uh, you know, for everything else, I do not use a privacy browser. I do use Mozilla Firefox with privacy plugins, and that's it. You can enhance your browser, even, even Chrome and Edge to a certain extent with plugins. Nice. And you know, Firefox. is not a privacy-specific browser, but they are very much about a free internet. They're from a nonprofit corporation. And they have one thing that's really nice is that, assuming it's working the way they say it does, the whole thing that syncs your bookmarks and your history and everything across all your devices, and let's be honest, we've all got a bunch of devices and stuff at this point, is they say that it has client-side encryption and that they can't read all that. I like that, assuming it actually works. So that's cool. So you can get some privacy. That is my current favorite. What's your current favorite? You just use Chrome, don't you?

I just use Chrome, but I... You're not as paranoid as me. No, I'm absolutely paranoid. But I have acquiesced. I realize that while I'm sitting here, Any of the Google devices in my house are listening to my podcast as I record it, as well as Alexa is sitting on the other side of my wall from my daughter's room, while I know that the two phones on my desk are also recording me. And I realized that a lot of our data that traverses out will give an idea of what I'm doing right now. But you know what I wanted to ask you? Let me ask you this. How do I know whether or not my data is being intercepted by my browser?

I mean, whether it's being intercepted by if you're using the browser, it's being intercepted.

No, I mean, in other words, if I type www.chase.com into my browser, is there a way for me to know whether or not somebody's in the middle?

That is, well, you know the answer to this. That is extremely, extremely difficult. The only way to be absolutely sure with that is using something called PIN certificates, which are not, they're not used because they're not realistic and they're actually not considered a good practice because they're completely unmanaged. It's, it's where, it's where Chase, like, you know, sends you something that says, this is Chase, you know, put this in your machine. And, you know, you're only talking to us if you're using this, if you scale that up to tens of millions of people, you can understand.

I was just trying to get an idea. I'm paranoid. I know like, I know when you work for a company, if you go to a website and they have a proxy, there's a possibility that they're going to intercept your data to make sure you're not exfiltrating or doing something that you shouldn't be doing.

But there's also... Well, the other thing you can do with that is protect yourself with a VPN, which that's another good reason to use a VPN, even though... Well, not at work. Well, yeah. Well, at work typically, yeah, something to be aware of. You know, at work, first of all, we'll talk about work. You have no privacy, none whatsoever. Give it up. Your boss sees everything they do. And they, you know, one of the things that we do as security professionals is track and filter everyone's websites. So we can control the malware and phishing, but also so that you can do investigations of people. So they are looking at everything that you do. I'm sure it's in the policy. I'm sure you signed off on it, but regardless, you are. And they are also breaking your encryption to sites. So when you go to websites, yes, there they can do it. And Adam is right. The technique that's used, you know, we've operated these systems and we often have trouble with them. They can be glitchy and they require a lot of tuning because you're basically doing what's called a man-in-the-middle attack to make it work. So yes, your boss is listening to everything, including the encrypted web traffic. That's what I was alluding to.

So in other words, when you were my boss, you were looking at everything I was doing.

Adam, I can tell you that as your boss, I could not think of anything less interesting for me to do than be looking at your web traffic.

That was kind of a backhanded compliment.

I guess so.

Don't choke on the water.

I was also too busy because I was carrying you the whole time. Your back must really hurt. Oh, yeah. My back is killing me. okay so another thing all right wow we got we've gone so long we got so much more stuff to cover a little more a couple things up but yeah so use uh you know you can utilize you got to trust your browser to a certain extent or know how much or how little to trust it interesting point plugins can only download your browser from

the vendor or manufacturer site, do not decide to download the browser like, oh, Google, I want to download Chrome, and you're downloading it from www.anysite.ru, you know, something like that. Yeah, be careful.

And the same thing for the plug-ins that I was just about to talk about. Only get them from the official proper store for your browser or your machine, whatever it is. You can get great plug-ins. Plug-ins are kind of the laboratory where a lot of the new privacy things come from. Before they're baked into the browsers, often they come from you know, they're going to come from a plugin. So EFF makes some great plugins, the Electronic Frontier Foundation, including things like Privacy Badger that will block tracking cookies. It's very helpful. You know, again, it's not going to, cookies are not the end all be all, but it certainly helps with that. There's that. There are some other ones. There are also ad blockers, which are nice, which will not only block you from seeing the ads, but very often will block the ability to track, which may be inserted in ads too.

People are very clever.

So there's all that, but yes, it is incredibly important to make sure that they're coming from trusted sites because those plugins in particular, One of the things they'll ask you is for permission to see all your traffic because they need that to work for them to, you know, block a cookie. They need to be able to see the cookie and know what it is. So, you know, be really, really careful with them, but they can be useful. So Adam, what do you think of email?

I think that most people don't realize that every single one of your emails, um, is in clear text. The caveat to that is that when email servers talk to each other, they talk to each other most of the time encrypted. But what I'm getting at is that your email is sitting on a server and that server gets compromised. All those emails are available for you to see. Or if your email is being transmitted to a server where there's no encryption between the two servers, then your email is also being transmitted in clear text.

That's right. Email is not secure. Email is Unless you're using a very special version that we're not going to talk about here. Email is never secure. Don't put anything sensitive in it and don't put anything in it that you don't want the world to read. and especially your email provider. Here's one of the other fun things. I don't know if they still do it, but Gmail at one point was like reading your email to serve you ads, right? So hey, I'm looking to buy something like that. You suddenly get ads for it.

That goes for every single one of their products, I believe, including their Google voice numbers. They're not giving you a Google voice number because they're great people. What they do is they have bots or whatever listening to your conversations, and they can also solicit ads to you and other things based on that. They could.

Yeah. The other thing in the email is watch out for the email that you get. Um, there are also often, you know, the graphics tracking pixels, all that kind of stuff. Basically when people are sending you mail very often, it's not really just plain text. It's really HTML. It's essentially a webpage and all the things they can do in webpages to track you can be done in an email. Also. Um, there are a lot of email clients that are very good to use. I mean, the regular one on the Mac that I use, we'll do things like, not load images or say block remote content. That's what that means. It means it's going to show you just the text and not everything else. There are some other nice things like where if you're using the web-based email, which it sounds kind of anachronistic, kind of old school to use web-based email, but you know what? that can keep some of the email readers that they have will do things like proxy those connections or apply some tracking protection to those connections so you can read things safely.

So I was going to say so so to give you a quick 30 second overview to the audience if somebody sends you something called a one by one hidden pixel that pixel that you don't even see it in your in your email it's completely not visible to the naked eye. If you're rendering HTML or pictures, if I sent you that one by one pixel and I had a way of rendering to a server that pixel, like I put an IP address in there or URL, I now have your IP address. And if I put your IP address into one of those geotrackers, I can probably figure out to what block you are providing that, you know, your IP address or location is not obfuscated by your ISP. So what Joe was alluding to earlier is if I have Joe's IP, I might know what block he lives on depending on how accurate his ISP is. So be careful.

Right. And they can, yes. And they can get that by sending you an email, not just by getting you to go to a webpage. Another thing that's really useful you might want to use are burner email addresses where you get a temporary email address. That's some God awful thing at something.com. When basically you don't want to give away your real email. You know, it sounds, it may sound kind of dodgy and kind of, you know, spy or whatever, but you know, it does have some uses because, you know, sometimes You know, you wanna communicate with someone and say you send it to them and you know, having an interaction, I sound so corporate, you know. You need to send something, you got a question, you wanna do something. I love doing this with used car dealers. You know what? I wanna talk to the guy. I really don't wanna give him my phone number and I really don't wanna be getting email from him for the rest of my life. You know, you just wanna have a conversation.

And that's exactly right. It doesn't have to be so nefarious. And I'll give you a comparison or analogy. When you go online to buy things, a lot of your credit card companies allow you to give you a burner credit card number. It's a one time use. Yeah. And it's not nefarious. You're not doing anything illegal. What you're doing is you're saying, I'm using this one time credit card number, a virtual number to purchase something. So God forbid, if that ever gets leaked out, one, it's no longer useful. Or two, if it is also a functioning number until you kill it, You'll know who leaked it and it's very similar to what joe is saying you go to uh, you go to an event They say can we have your email address? You might use a certain email address for not important things like, you know, what functions Whereas when you're doing your banking or dealing with family, you might want to have a different email address There are people who have four or five six email addresses And you can even sometimes send it to the same account so, um It's not nefarious. It's just a way of making sure that God forbid, you don't need to keep a relationship with that individual, you no longer have to keep it. So it's not as bad as it sounds.

Yeah, that's right. Because, you know, like I say, you want to get a quote on a car, you want to look into something, you know, that doesn't necessarily, I'll put it this way. If you want to have an interaction like that, you want to do a little business, you want to do something. I don't think you're morally obligated to give that person the right to bomb you with an AI or their auto mailer or basically sell to you for the rest of your life. I think that's getting a little out of hand. And unfortunately, in the past, we didn't have to worry about that because we not only had you know, didn't have the automated systems, but we had a bit more civility. And it's so unfortunate that that's broken down and we have to do these things, but... Well, I'll give you an example of one other thing. Make your own decision.

If I gave you my email address, and I had Facebook, and I had LinkedIn, and I had all these other things, do I want to start getting invites from people? based on my email address. Oh, Adam Roth. Oh, okay. Let's go send him an email, invite him to LinkedIn, Facebook, other social media. But if you give somebody else a different email address, that's not connected to your social media, you're in essence had prevented them from intruding on the rest of your life.

Oh yeah. Well, you mentioned Facebook too. We'll take a little aside here. Facebook is, let's be honest, Facebook is not a social network. Facebook is a surveillance machine. That is all it is. It is a suit and it is not just Facebook itself. It is an entire network devoted to surveillance and serving ads. That is really what Facebook is. So be aware of that. Um, and that's my, my sermon for the day. Okay. So, you know, we got into it and, you know, one of the things that Adam alluded to was, you know, one of the good ways you can protect yourself is with a bit of, you know, isolation, a bit of segmentation. You know, not just using, you know, one browser for one aspect of your life for certain things, but, you know, also an email address. And it's not about creating an identity. It's about, you know, showing something. It's just like you do with your life. You know, you You don't show everyone you meet or everyone you do something with or do business with every part of your life or every part of your being. Like I say, Google I need it for my kids and to watch TV, YouTube. I don't feel like I'm ethically or morally obligated to tell them everything about my life and myself so that we can do that. you know, and the same thing for a lot of other stuff. So a little bit of segmentation can give you a bit of protection and also a bit of peace of mind, I think. But, you know, again, when it comes to tying these things and tracking God, they're ruthless. It is impressive what they can do with even the tiniest bit of information. And again, You may think you've sent information out to a lot of different places, but you don't know how it's being sold and stitched together on the backend. So don't be surprised when seemingly impossible things happen. They're not that impossible at all.

Nice.

I know you're depressed.

I can't be any more depressed than I was a couple of years ago knowing this. All you're doing is just reinforcing what we already knew.

Yes, that's right. And it's not getting better. I don't know if it's getting worse, but it's not getting better. I was going to say, people might be thinking, oh, well, it's going to get much worse with all this AI stuff. The truth is, the AIs that do this have been around for a long time. In fact, this is one place where AI has been used extensively already for a number of years. you don't have to worry about it getting worse because it's already horrible.

That's a plus. Let me give you an example really quick and I know we're probably we'll run over we're over time than we would be in a normal episode but when you work in an organization in essence that organization again it doesn't necessarily mean nefarious because this is what we do for a living that organization is collecting data on you all day long It's not like they're doing the same. We want to investigate, you know, Jane Doe. But what we do for a living in our organizations is protect the intellectual property and the overall safety of the organization's data. And in essence, that's what some of these government agencies are supposed to be doing, right? So when you're surfing, we have your email data. When you're sending emails to your friends, we know that. When you're browsing certain sites it shouldn't be, we probably get alerted to it. When you're sending data over a certain size, again, we get an alert. It's only because we know what normal activity is, And we know what not normal activity is. And that's why we get alerted to that. So there's nothing new that's going on here. This has been going on for many years.

Yes, it has. And you know what? I think that's another topic we can do surveillance at work. And by your security team, you know, as you know, as security professionals, we do need to protect the company. But you know, there are ethical lines too. In practical lines also, so You know what? That should be really interesting but yeah pretty much You know at work you probably have a little banner or something that says you have no expectation of privacy or whatever It's like they mean it you have no privacy give up on it. You know use your phone. Yeah, use your phone It'll be much better. It's scary to say that using your phone can give you more privacy but maybe it's just different set of people watching. Look at it that way.

Is that kind of how it works with when we talk about cloud? You're just using somebody else's machine?

You're using someone else's machine. And you know what? When it comes to the privacy aspect of it, it ain't rocket science or some deep theory. You got all your stuff sitting on someone's server, guess what? They can see. In fact, I'll tell you, here is Joe's immutable rule of privacy.

You have none.

Stuff. Yeah, well, besides you have none. If the company you're dealing with can change your password, if you could do a password reset, they can read your stuff. Think about it.

And there's a lot of cryptography and stuff behind it, but just thinking about it. If they can change your password. Yeah, I'm gonna say to you, every company can change your password. The main thing to remember is most likely they don't have your current password. That's the difference. Possibly, but sometimes they can change it. and then change it back.

The point is, things are not always as tough as you think. Understand what's being offered. And there are some services that we can talk about at some point. Really, when they say, if you lose your password or you lose this key, we can't recover this stuff. We really mean it. Well, then you've got a possibility that it's actually true if they're telling the truth and if they've done a good job. So we are not ending on such a high note.

This is kind of kind of depressing Uh, you know joe If I can make a recommendation to you as soon as you're done with this episode as long as I will as well We'll just have a couple drinks This is one of those security podcasts.

This is for it This is the security cocktail hour. So, you know, we say you might need a drink for this. So you're right. Yeah. All right. Please do a couple of shots. Maybe we'll put the description. You might want to be drinking while you watch this. It's just not going on the expense account. That's all you. All right. Okay. Then that, I suppose, well, you know what, for once I usually say that brings us to last call. But, you know, after this, I recommend that you just keep, keep, keep going on to do shots till you pass out. It's cool. No, no, this, this isn't, this is important because you know, whether you realize it or not, this is affecting your life. And it is important to understand these things. And if you're not comfortable with some of them, do what you can. within the limitations that you have and make some decisions.

One thing I will add is please, please send us feedback. Did you not like what we said? Did we scare you? Did you already know this? Is there more that you want to know? Whatever feedback you can provide, we're looking forward to seeing your emails so we can follow up on this. Thank you.

That's right. And besides feedback, we can also help you with your security or privacy challenges. If you'd like, reach out to us at feedback at securitycocktailhour.com. And we're available for speaking engagements, clown shows, magic shows. Bar mitzvahs. Bar mitzvahs. I did bar mitzvahs. Bar mitzvahs and bot mitzvahs.

I'm actually going to go take a class on being a mohel, but I haven't done it yet.

Well, you know what, Adam, if you do that, you're going to have to handle that job yourself. That one I'll leave to you. Sure. All right. Thanks everyone. We're done.

Take care.