Internet Privacy - Hardcore Edition
May 23, 2023 · 49:39
It's five o'clock somewhere, time for the security cocktail hour. I'm Joe Patti. For over 20 years, I've been working in information security and knocking back martinis all over New York.
I am Adam Rohr from Staten Island. Locksmith, EMT, love to box, and on rare occasions, I've been known to engage in cybersecurity. Let's go!
All right, last time we talked about protecting your identity from marketers and companies, mainly trying to extract money from you, for the most part. That seems to be their motivation, without being too paranoid. Today, we're going to talk about playing in the big leagues. This is when you're trying to protect yourself from law enforcement, government, and the most sophisticated nation state attackers. How does that sound?
Well, just to let everybody know, this is the second podcast we're recording today. Joe is a slave driver, and I want to let everyone know I'm doing this under duress.
Wow. OK. So we started off with, we're talking about privacy, and Joe's a tyrant. Good. OK. So from there, all right, let's get it out here. All right? I'm ready to get it out. You're ready to get it out? Oh, wait.
Is this a therapy session?
You know, this show is, in a sense, a form of group therapy when you think about it. Don't you think? I think. All right. So what we're going to talk about today is really, when you think about it, it's about tools that criminals use to hide their activity, basically. This is used by a lot of criminals and it's used for nefarious purposes, which we don't support. However, in the unfortunate state of the world and society, there are a lot of governments out there that like to label things that they just don't want people doing as criminal, even if many of us would not regard them as criminal. And very often the main crime is really people fighting back against an oppressive or dishonest government. And these are tools used by dissidents, whistleblowers, journalists, and other people in that category. Those are the legitimate purposes of these. You can use them, you know, for general privacy, too, if you want to take things up a level from what we used last time. But they're a bit overkill, and they're frankly a bit inconvenient for those uses. But really, these are for people who really need a lot more protection than your standard stuff is going to give you. So the big leagues, as we say.
Don't we call that tradecraft?
Tradecraft to a certain extent, and you know, if you're gonna do this, you need to remember that these tools are just tools. You also, if you're playing there, you know, gets to a lot of stuff that's beyond even what we know, but it is tradecraft. There's a lot of operational security or OPSEC you need to be dealing with, and you gotta be real, real careful. And let's be clear about something else. You know, hiding from law enforcement is not easy. It's actually very difficult. And from nation states, is even harder. I mean, once they target someone, look, they have all the resources and the smartest people in the world working on this. So don't, don't think you're clever because you found some piece of software or because you're using the thing that, you know, Snowden or some other guy endorsed. You know, there's a lot more to it than that.
I mean, yeah, exactly that, right? It's not just about the tools, it's about the individuals using those tools. It's about the team using those tools. And yes, some of these organizations, governments, whatever they are, have such deep pockets and disposable income that it's not money. It's really about, it's not about, when I say it's not about money, they have so much money that they can get whatever resources, contractors or people, that are capable of doing those tactics.
That's right. So we're going to talk here about, you know, the, uh, I don't know, speaking purely metaphorically, the James Bond gadgets that people who do this use. Um, but don't think that just cause you can download or get some of these things that all of a sudden you are, you are a spy. You're going to be able to play in this. Um, you know, this is, these are really, let's say even beyond professional grade things that people use, uh, to protect themselves and sometimes to protect their lives. And, uh, you know, this is really, really, uh, serious stuff for this guy. It is kind of cool. But for those who really count on it, it's serious. And if you're in that league, if you need to protect yourself at that level, if you're doing something that's really irritating some people who do not like being irritated and have the ability to strike back, don't count on just this podcast. You got a lot of research to do and you need some help too from someone you can trust, which in itself is a very difficult thing to come by. So this is, you know, we do joke around a lot and we do talk about a lot of things, but for a lot of people, this is very serious. So we want to acknowledge that and make sure you know it too.
So Adam, go ahead. Yeah, I was going to say, keep in mind, when people are using these tools, not you, but the audience, keep in mind, when people are using these types of tools and these types of tactics, they're doing things that are part of that. And whether it's exercising a zero day to get access to certain equipment or to a browser or to exfiltrate your data from your tools, they can do that as well. And one of the things I was always taught is don't hack back. And it's funny because hacking back, which is basically saying if somebody you think is trying to compromise you or get data on you or use tools to get information on you, and then you decide to do the same to them, it's illegal in the United States. Though I saw a senator recently wanting to change that law to allow private corporations to hack back, which is kind of crazy in itself, too.
That's such a bad idea. It's amazing. I mean, you may have your problems with some of the things the government does and everything, but I want to see things done better. But, you know, basically, look, government endorsed vigilantism. If you read history, it does not have a great track record, whether it's cyber or anything else.
And that leads me to my next point. When you're using these tools, you don't know who's on the other end or who's monitoring what you're doing. So if you're doing something nefarious, something illegal, and you're using these tools that you know are not for good, just because somebody didn't respond to the same day or tomorrow or the next day, doesn't mean that you're not being tracked as well. So it works both ways.
Yeah, that's fine. I don't think you're invincible. I mean, don't ever think you're invincible. You know, nothing that we talk about is 100% is perfect. You know, all these things that we talk about, too, on the show, everything is hardware and software. They're all machines. And they all themselves can have vulnerabilities also, and have been found to have vulnerabilities. All the things we're going to talk about regularly come out with updates. You know, there have even been, you know, we're going to be talking about Tor in a moment. You know, there are people who think it's, there are places where it's been compromised by governments, where it's been seeded and, you know, infiltrated, so to speak. So this is complicated stuff, but this is a little bit of a little different world that many of us usually have to deal with. So we thought you'd find it interesting. So let's break out the computers, go in the dark web, and start doing it. No, I'll get the edge. There you go. Oh, please don't go in the dark web. It'll only cause yourself pain. All right, so Tor. Tell us about Tor, Adam. It is fundamentally, I think, a networking technology, and you're the network guy.
Well, I took a tour the other day of this warehouse. It was really cool. Oh, wow. That's painful. OK, so it is the Onion Routing Network. Yes. And for those of you who don't know, the websites typically end in .onion, which is people don't even realize that, that they think they can go start browsing regular websites as well, which you can't. Tor, if I understand Tor, it derived from a government source project. Does that sound right or no?
Yeah, it did. It was actually originally a government thing.
And Tor has then translated into more of what people think is nefarious. But let's also keep in mind that there's a lot of private organizations besides government that have a presence on Tor to collect data and to do reconnaissance in order to protect their clients as well. So when you think of Tor, just don't think that there's these hackers in little hoodies. Let me clarify, because I know hacker is a bad word for a lot of good people. Bad hackers or black hat hackers are on the internet doing bad things. That's the only people on there. There are a lot of good people on the dark web or using Tor in order to gain information to protect their clients. So I just want to bring that up as well.
Yeah, and you know, it's one of those things that can be used for good or for evil. And unfortunately, there are a lot of people who are not using it for good. I mean, it's basically a networking technology. It's kind of like a VPN. And I mean, to describe it really simply, it uses, they call it the Onion Routing Network, because it basically uses multiple layers of encryption. It keeps kind of wrapping and rewrapping and things so that and it sends things out from different places so that it's very difficult to know where the origin of something is, where even if one part of it gets compromised, you know, the rest, there's still multiple layers of encryption for it. And it is, you know, pretty private. It is pretty secure. It's tough. I mean, I really, I think I referred to it before as sort of the gold standard of VPNs. If you're using Tor, it is really difficult for someone to tell where you're coming from. Difficult, not impossible for places with certain virtually unlimited resources, but very, very difficult.
And Tor doesn't work like a typical TCP/IP routing, sends multiple packets different ways, and they all end up arriving at its destination through its onion routing. So it's not like you're like doing a traceroute. For those who don't know what a traceroute is, you're saying, oh, it comes from this source to this destination. And the reason why people believe that Tor can be compromised is that either government actors or threat actors compromise the entry and exit nodes to the onion or to the Tor or onion routing. So when you enter, it's like almost like saying, hey, I'm going to watch the front of this building. And I saw Adam walk in the building. We don't know where we went in the building, but we know he's in the building. So if we're surveilling the front door, we know that he entered into that Tor network. And then when you exit, it's kind of the same too. Does that sound right?
Yeah, I mean Tor is very much, it's like the VPNs we talked about where you enter it, your packets go in and your ISP or anyone in that clear part of it can see what you're doing. And then you exit somewhere else and go to your ultimate destination. And it's much more private than a VPN because the VPN, we talked about, one company is probably running your VPN, and they may or may not, some do, some don't, some say they do, have logs. And the VPN company knows where you're going, because they're running the thing. And maybe they're throwing out the data, not logging it, maybe not. But here Tor is decentralized, and so you can't tell, but it still has those qualities of the VPN that people can see you going in and tie it to you going in, and they see something going out. Now, what does that mean? Well, as Adam said, if everyone's watching all the entry doors, then, you know, well, they know when you go in. And it is theoretically possible if you had a massive amount of surveillance and computing power to then see, oh, right when someone went in here, all the people who exited to tie that together. And, you know, the other thing too, is that you have to make sure that that entry point is secure so they don't know who you are. You also need to make sure that the exit point is secure so they don't know who you are. And of course whoever you're eventually talking to is going to know who you are. So it removes one of the big vulnerabilities of VPNs in terms of there's no single person operating the VPN. And as far as one single entity, you know, telling what you're doing on the VPN, it is significantly more difficult and unrealistic for all but the most heavily resourced entities to even try to figure it out. That's the theory.
And let's also remember that there are plenty of people even recently that have gotten arrested running illegal onion sites because the government has surveilled them. So this is the point. It's not impossible to get caught. But eventually, depending on the level of threat actor, whether it's government or not, if they are able to eventually compromise the machine that you're using to enter into that network, they'll be able to surveil everything that you're doing. So just because you're entering into a private network doesn't mean that eventually you yourself will not be compromised, though people typically who use Tor browsing are more savvy than most. It's not beyond the realm of reality of getting caught. And this goes back to anything you're using, whether you're using your cell phone, whether you're using your laptop or any other electronic device, it's always, you can always get compromised on the device itself, which will provide all the data that anybody needs to get it back.
Yeah, that's right. A couple things can cause you to have your identity revealed. And this actually applies to a lot of things, including VPNs. One is just you make a mistake, you forget to turn it on. There have been cases where people have essentially, you know, decloaked and have accidentally revealed themselves. So you need to be careful with that. You can make mistakes, not set it up correctly. You can do something on the other end, and this gets more into operational security that you say something in the clear out there that reveals your own identity or ties something to you. But what Adam's talking about is really important and this applies to a lot of things. You need to be thinking about your security from an end-to-end perspective. Not just, I have this super VPN and I'm invincible. Well, no. Something attackers figured out a long time ago is like, well, if someone has a really tough network, what do you do? Well, you don't attack the network. You attack their endpoint. That's why we have all this malware now and stuff. It used to be people tried to break networks. They couldn't do it anymore. So they started attacking your endpoint, your laptop, your machine. So you need to make sure that you have a secure machine. And what a lot of people use, you know, who do need that level of security are actually special purpose operating systems that are integrated with Tor and other security tools. In fact, Adam, have you used Tails? I have.
Yes, I have. I have two types of Tails. Though, theoretically, you're not supposed to really put it on a laptop because it's supposed to be disposable. I've done that, and I've also used it on a USB. But, you know, Tails slash Tor,
In my experience- Let me talk about what it is first.
Okay, okay, I'm sorry. You want me to talk about it? It's a self-inclusive, I guess the word is inclusive, operating system that also has Tor on it. So when you boot into the USB, it loads the operating system, Linux-based, and it allows you to execute Tor, do your surfing, and then when you shut down, all your attributes or anything that you use is no longer there, especially if you put write-only on the USB drive. logical onto memory.
Right, it's essentially a special purpose Linux distribution with a bunch of security tools, and the operating system, it's very heavily hardened. It's set up so that it only uses Tor. It has no networking besides Tor and it has a special browser called the Tor Browser, which you can actually get on other operating systems too, but it comes with that, and that's a special one where, if you remember from the last podcast, we talked about how browsers can be fingerprinted and machines. It actually has some techniques for trying to, you know, the attempt to defeat those, which are pretty cool. So it kind of puts all that in a package where, you know, since it's all set up and packaged and tested, you don't have to build it yourself. So there's less chance you're going to make a mistake. Of course, the guys building it might make a mistake, but the idea is it lessens that. And it also runs off a USB, so it is, got a word for you, Adam. It is non-persistent.
That's what I'm trying to say. That was the word I was looking for, but I, you know, I should have asked my son. He's 13. He probably couldn't find that word for me. Two things I want to add here. One...
So anyway, I just want to say, so if you turn it off, everything you did is gone. It doesn't save it. You can put some data on an encrypted partition with it. It has some tools with that for like your keys and stuff. But basically, it's like every time you boot it up off the USB, it's like you're getting a fresh machine. That's the idea.
And what I want to add to that is don't try to start logging into other sites. Don't put any personal information on there. I wouldn't even breathe on the PC because I'm afraid that the machine will be able to pick up the DNA in my breath. So yeah, be careful what you do. And then the other thing I was going to add to this, I had something else to add. I think my agent for cop was going to say, I think, oh, we know somebody, you and I, that know somebody that was involved in an investigation where an individual was doing something they shouldn't have done and they were using a VPN and in one second, that VPN failed and allowed for the identity of that IP address unbeknownst to that individual and that's how they got caught. So my point I'm making is, yeah, you can keep the VPN on, but there's nothing promised that that connection will stay completely connected. And if you drop your tunnel, there's a good chance that you can start browsing directly from your machine.
Yeah, well, I think that's one of the benefits of Tails is that I think it pretty much requires you to always be connected to Tor in order to work. But you're right. Yeah, and that's something to think about with other VPNs, too. Some of them have like a kill switch functionality, where if the VPN drops, it'll tell you or it'll disable your networking and stuff. But, you know, it's pretty tricky. And, you know, that's one of the reasons you want to use something like Tails also, because it gives you more security, secures your machine from a lot of things. We'll talk about some of the things they don't. You can use Tor, like a VPN, where you can get it almost like the regular VPN software, where it'll run on Windows or macOS or whatever. Separately, you can turn it on and off. I think there's also a browser plugin. Yes. Yeah, and you know, those are good. Those are convenient, particularly if you're using Tor, you know, in more of the consumer role where it's like you just want to do something very privately. You want to keep it from your ISP, that kind of thing. It is free, which is nice. You don't have to pay for it. But you're taking a much greater risk there in terms of a mistake, a misconfiguration, and you better make sure your PC is secure. I mean, if that's a machine that you're using for, you know, regular browsing, and even if you're using your regular browser with the Tor plug-in, remember, that's got all your stuff in there. So you gotta be, you know, it's not the preferred scenario.
I was kind of joking in the past episode, but I was kind of serious. When you do Tor browsing, you need a clean machine. You need a machine you've never used before. You need a machine that you're never going to put anything else on it. I mean, even if you took the SSD and you installed one of the other flavors of Linux and you use Tor, I would never use that, that, that SSD again, other than for that, because you don't know what people are capable of doing when you're, when you're browsing. You don't want anything personal. I wouldn't even put, you know, a text file with my name on it in that machine.
Well, the thing about the machine is, you know, ideally you want to use a machine dedicated to it. You want it to be clean. You know, you want to build it from bare metal. And, you know, like Adam is saying, if you say, well, I'm just going to boot off the USB and have it not touch the hard drive. Well, it is possible to get access to the hard drive from it. Either someone should get onto the, you know, onto the machine. So there's that. And remember, they're not going to just use what's there. They're going to try to hack into the machine to get it, drop malware, do whatever. You have that. The other thing is you have to remember that if you're running, you know, say you're running Windows and you have your regular machine and you're doing all this stuff and everything.
You're like, well, it may be infected. So let me boot to a clean USB drive.
It's a clean read-only USB drive. This is clean. Well, that doesn't machine actually doesn't mean that the machine you're using is clean. There are firmware, you know, malware that goes into firmware and infections and the way that ways that machines can be compromised through that. And remember here, that sounds kind of crazy, but we're talking about the big leagues here. We're talking about protecting against the big guys who have these capabilities. So you really want to have a machine, if you're going to be, if you just want to use Tor as a free VPN or for some occasional use or whatever, and it's not high stakes, sure. Actually, booting off Tails is frankly more secure and more convenient than using your regular operating system. So you do that. But if you really need to protect your identity, you need a clean machine, and there are even more specialized machines you can get, you know, take steps to make sure that, you know, it hasn't been, you know, compromised by the time it gets to you. That's called a supply chain attack. When the thing comes from the store, comes from the vendor already, you know, already compromised.
And that's another interesting thing, right? A lot of companies that are actually still using physical equipment will, depending on the level of what they're doing and whether they're connected to government contractors or anything, will literally not even use the drives that come with it. They'll buy new drives and hope that those drives have never been used and sealed and they use special vendors and other things. So, you know, you want to be extremely, extremely careful. You don't know everything that's in there unless you're literally ripping apart these machines and reflashing the firmware and you just don't know, so you gotta be really careful. You want your supply to be 100% clean.
And that stuff has happened, and we're in ultra-paranoid mode.
Well, because we know people that are former nation-state threat actors who were never told specific details, but their conversations are usually interesting. Yeah, that's something that could definitely be done. Yes, on the iLO, on those machines where the firmware is for managing that server, the Linux firmware.
Yeah, that can be compromised.
Yes, it can be. And it can be used for living off the land.
Yeah, iLO is something, it's a management system that's put on usually corporate machines, not what you get from Best Buy. And it actually is almost a separate computer built into the computer that's used to manage it. You know, reload drives and stuff like that. So yeah, anything that's on there can be exploited.
Well, let's do a comparison really quick. If you have a car and your car has a management system or entertainment system, that's the firmware in there. If somebody compromises that, they can report all day long through that cellular chip. Everything you're doing, even your conversations, if they're able to enable a microphone on the Google part or the Apple part. So yes, again, even your car could be compromised, dude. Give every personal detail that's going on.
That's why I drive a 1982 car with an AM radio. And you know, that's not a joke. Cause like, you know, you can be tracked. Well, first of all, if you're carrying your phone, it doesn't matter, but you know, you can be tracked in your car. That's all right. So we talked about Tor or Tails for running Tor. There is another option for running Tor that I haven't used that much. I've used a little bit. It's called Whonix, W-h-o-n-i-x, and it's a very similar concept. You, you know, you boot it, you know, live, I mean, or at least preferably, preferably boot it live so it's not persistent. But it's got something really cool where it actually uses virtual machines, and we'll talk about that in a minute, but basically it splits your computer into two computers and one of them runs the Tor piece and one of them runs everything else. So it makes it harder to compromise it and do some of the shenanigans that Adam was talking about. I haven't read much about just how tough it is and how its track record is, but the concept is actually very, it may sound new, but it's actually very old school and a very effective concept in general.
Joe, I won't even put a Tails USB in a computer in the same room as my other computer. I'm afraid that threat actors are going to use near-frequency communication and Bluetooth to jump from it. I don't know. They can go on to the oxygen molecules and transmit it. I'm not doing it. Wow.
Okay, I got another thing for you. Tell me if you trust this. This is one of my personal fears.
Before you answer, the answer is no.
Okay. Go ahead. Let's see if I can convince you. So one of my things, I have always had a penchant for separation. I mean, back in the day, whatever day that was, you know, we used to have separate machines and separate networks and everything was separate when you wanted to protect stuff. And of course, that was quite expensive.
That was the same year Kennedy was shot, right? It might have been the week before. Sorry, go ahead. I'm not that old, God. We were actually the same age.
So anyway, having separate machines is great because, you know, if you have stuff totally separate, it obviously becomes much harder to hack from one to another, even separate networks. But that is inconvenient. So there's virtualization, where you can run a virtual machine. It's like another copy of it on a machine. If you have a Mac, and you've run Parallels or VMware to run Windows on it, that's what's happening. That's not Boot Camp, that's something else. Parallels or VMware is that. If you've used, what's the one that Oracle makes? What do they call that one? Oh, you're talking about VirtualBox? Virtual Machine. VirtualBox, that's right. If you run VirtualBox, it does that. And it's actually, it gives you a lot of protection because it can simulate the isolation of having a separate machine. You can rig it so that the two, you know, your main machine and your virtual machines, if you have more than one virtual machine, you can rig it so they're not allowed to talk. Unfortunately, very often they're rigged so they can for convenience, but you can rig it so that they can't talk. So if one gets compromised, it's isolated, or what's going on and one can't leak to the other one.
So let me, if you don't mind, let me add doom and gloom here. Please. Because both operating systems fall under the same main machine, if a threat actor exercises a zero-day or even something less than that, they can allow the lateral movement from one machine to another. So it is entirely possible, though I know they go out of their way to make sure it doesn't happen, it can.
That is true. And in fact, any vulnerability in the virtualization software is going to be an issue or in the host, like the main operating system. You know, if someone's capturing your keystrokes, like Adam was saying, on the main operating system, they can see everything you're doing in the virtual machine. But I'm glad you mentioned it, because there is something which is one of my favorite things, which is called Qubes OS, it's Q-u-b-e-s, where it's specifically built for this. It basically almost isn't a virtual, it's actually in a sense, and you may not, may not know what this means, but it's less like a piece of desktop software, and it's actually more like what's called a hypervisor, the thing that's used in the cloud and that's used in big data centers to run multiple virtual machines. When you say you're connecting to a server in the cloud or wherever, you're usually not connecting to separate machines. There's usually a lot of them virtually running on one machine. Well, this is one that's built for desktops, and it's built specifically for security that provides a lot of that protection. It's a bit much to get into here. We should probably do a whole episode on it, but take a look. And it has Tor integrated, and the idea is you can run your personal stuff. You can have a personal vault on there with no networking whatsoever. You can run Tor in something. You can run a different VPN in something. Have different machines in different roles all in the same machine that, you know, have a very, very limited ability to talk to each other. It's not easy. I know. You don't like it. It's not safe.
I don't trust anything. Physical hardware has to be separate. Physical network has to be separate. You should be in a separate country with both machines.
Well, here's the thing, though, with that. You bring up a very good point. You should. But it's tough. And remember, part of the audience we're talking about here, I shouldn't say our audience, but the users are people who, you know what, maybe they can't travel so easily. Maybe they've got to be in some dodgy places. Maybe they do need to look like someone else. That's the thing. There is risk. I mean, it's not like you're still taking a lot of risk with this stuff.
I said, I, I, um, look, um, I get it. I understand. And don't get me wrong. Everything in life is about mitigating risk. You might not have enough of a budget to buy two separate machines, or you might only be able to carry one machine based on something that you're doing, or you've tried, true and tested, the separate virtual machines to a point where you're confident that you can't not move laterally between them. But like I said, and like you said, and like we said, we know threat actors, and we know that they have their unlimited budgets to test and find ways to compromise things. The amount of time that we put in podcasts, they put 75,000 more times in to find out how to compromise that one host.
So that's my point. No, that's very true, that they will always find a way, especially the ones with unlimited resources. It doesn't mean they're talking to you.
It doesn't mean they're going after you. I'm just saying that, you know, like he goes back to this other, this other, what's the word? Analogy or antidote, whatever you want to call it. If you were eating bubblegum, and in the bubblegum machine, where they had those machines where they had the bubblegum balls, and out of a thousand of those bubblegum balls, you had the possibility, if one bubblegum ball in that machine would kill you instantly, would you still be eating that bubblegum?
Well, do you get anything? If you live, I mean, is there a prize? Is this a lottery? Is there a prize?
Or is it just like a death lottery? What I'm getting at is, we know that, we know, like, it's like, you have one in 1,000 chance of being compromised and dying by eating that bubblegum. Would you do it? I wouldn't do it.
I wouldn't be eating it. Yeah, but we're talking about situations here where, you know, people are, you know, maybe very committed to a cause and they're willing to take some risks.
Depends on the use case, of course. But if I was working for you, and it was a corporate laptop, and we had the merger and acquisition data of a $20 billion acquisition, and I said, can I use my machine to browse the internet and use Tor on the dark web, and we had that isolation, would you say yes?
Not likely.
Exactly.
But then again, Adam, if you were working for me, you probably would eat the bubble gum, or I'd make you wish you did.
I'm eating it now.
I'm kidding, you're eating it now, all right. Okay, so, well, here's something we can agree on. Mobile phones. If you need to communicate securely on a mobile phone, I mean, there's not a lot of controversy here. Don't use a smartphone. Use a smart old dumb phone and use a burner phone and don't use it more than once, like Breaking Bad style. There's no way around it.
Oh, so I should use those burner numbers that will never show up and won't compromise my phone?
Oh, yeah, OK. Well, what do you think?
I know the answer to that, you know, the answer to that, but this was phones can be tracked.
So ridiculous tracked intercepted. I mean, you know, like I say, if you know cellular, it's simple cellular technology. If you think about it, the basics are how does it find you because it keeps telling the network where you are and that it's you. It's that simple.
So you're going to call somebody, you know, or you have or somebody you're connected to and you're going to buy a burner phone. I the stories are okay. You buy the burner phone cash, but then you have to walk into a store and there's no cameras in there and you have to wear a disguise and you have to stand on one leg and eat bubblegum. Hopefully not one that's compromised. But then, you know, depends on what you're really doing and how far you why you're buying a burner phone. Is it because you're going to a Black Hat or DEF CON convention and you don't want to have your proprietary data there, or is it because you're involved in something nefarious? And if you're involved in something nefarious, okay, well, does the burner phone only take cash or you can enable it or do you have to actually sign up for an account? So you have to actually plan this whole thing through. Like same thing with buying a prepaid credit card. Do you have to really give your name and address or can you just buy it cash and that's it?
Yeah, that's true. That's very true.
I thought about these things by the way.
I can tell you've given it a lot of thought. I've never done it though. It is important if you need to do it. Secure messaging is really important, and this does require a smartphone. And, you know, secure messaging, there is a lot, a lot of, not even, you know, wanting to defeat nation-state kind of stuff with it. Secure messaging is like, you know, you have your usual text messages and yes, now they say WhatsApp is end-to-end encrypted and iMessage is end-to-end encrypted, you know. But whenever you hear that, there are many different levels of that in terms of what they're really providing. Remember my rule, if they can change your password, then they can get your data.
Well, let me tell you this also. This is the other thing. I wrote a paper on this too. If I'm able to compromise your phone and your backup to your WhatsApp is on your phone and it's being done every day, I can pretty much get all your messages anyway, assuming I'm able to reverse engineer that WhatsApp backup.
Yeah. And if you're putting it somewhere, iCloud, your PC, wherever, yeah, you know, those things are all over the place.
I mean, those pictures of me, in that two-piece bathing suit when I went to Europe. Those are already out on the internet. I don't know how they got them off my phone.
Yeah, but pretty much the, I would say the most favored one right now, or at least with us, I think the most favored secure messaging thing is Signal, which is very, very well done, very well regarded, done by people who really know what they're doing. And we in the secure, many people in the security field actually use it to communicate during security incidents. When you think you can't trust your phone and you can't trust your email, you'll often use Signal.
So in other words, if I might be flying out soon, right? Should I not use the USB juice jacking stations in the airport? And maybe even the cables they provide for you to plug into your phone. And then that data gets exfiltrated off my phone, like my WhatsApp backup or my Signal backup with all my messages.
You know what? I mean, we already talked about this and they say this whole juice jacking thing, where plugging into power, you know, that it's not real, that it's overblown. I'll tell you, for a long time, I have really not been comfortable with it. I bring my own little charging block. I guess I'm too...
I have a USB condom. I don't know.
Oh, God.
You know what I'm talking about, right? It only allows the power.
I can visualize it.
No, no, not you. No, I'm kidding.
I have heard of that, yeah.
Yeah, I mean, just in case, I really, really, really, really gotta do it, and I have no other choice, but usually I bring my own power blocks and I charge two or three of them.
Yeah, just bring the little block. It's not a big deal. I mean, I always like that too, how some of the simplest things can protect you, like a little block like that. We've all got them. It costs nothing. Your camera, put a piece of tape over it. Same thing with a microphone. It's amazing how things can...
Put a piece of tape over the microphone?
Yeah.
I use a null 1 1⁄8 inch stereo jack to stop it.
Really? Or you could just put a piece of duct tape over your mouth, that works too.
Oh. Ouch. Man, I can't wait till the after party when you and I get in the ring with that guy Sal.
Oh God, I'm not getting in the ring with you. That's all you. That's all you. Okay, so, uh, last thing is, you know, we're going to repeat something that we've talked about before. At least I'm going to repeat it. It's, you know, whatever you're using, especially, like I say, if you're playing in the big leagues or doing all this, it becomes even more important that you really understand what you're doing. And you know what? You're going to have to get a little technical. In fact, you're going to have to get very technical and really understand how the stuff works, what it does, what it's promising you, and what it doesn't work. I mean, you know, there was a great case a little while ago with Proton. They make a secure mail service, you know, some other stuff, they're actually very good, secure VPN, where, you know, they say we're Swiss, we're private, we do all this stuff, and then they actually turn some information over to the US government on a user, and people felt like that was a big betrayal, and they said, look... You know, they kind of fell back to their terms of service, which isn't that cool, but they said, look, we are a Swiss company and Swiss privacy is very strong, better than in other places, but it's not impenetrable. And I think it was that the U.S. law enforcement actually got an international subpoena from the Swiss that they served on Proton in Switzerland and they had to give it up. And I said, look, that's it. That's the law. You got to do it. So understand how things work, what you're getting, what you're being provided for, and Adam, maybe you can agree with us, and we're going to go both ways. If the U.S. government wants you, they're going to get you.
If the Chinese want you, they're going to get you. Well, this goes back to the whole thing about, you know, being able to do tradecraft and espionage and all those other things. While we might think on the surface, and I don't know either way, that it was all about the legal power that we exercise. Sometimes a government might say, look, if you don't help me, you're not getting this money that you get for this. Or if you don't do this, we're going to cut off your trading system. So they leverage other ways to manipulate people to give up data. And I'm sure it wasn't just, I shouldn't say I'm sure, I'm guessing it wasn't just, hey, we have this international subpoena. You have to listen to it, otherwise we're going to get upset. They probably had something in their back pocket that said, if you don't do it, this is what we're going to do. And it doesn't mean that they're going to, you know, bomb or use military. It could be sanctions. It could be anything.
Oh, that's true. And then, you know, with that, we are getting beyond the technical capabilities into other forms of... No, that's really important. It's other forms of leverage. Also, have no illusions. Before they get to that, the big players have a tremendous amount of technical capabilities. And I think that we've seen over and over again that a lot of the things we might have thought are like, oh, that would be too hard, or that would be impossible, or that's just theoretical. Yeah, it's happening. At least that's been the track record on it. So be advised. Be careful if you're playing in this world. It is some very, very serious stuff.
Yeah. So, and that's, and when you start doing so many things, you've already started raising the stakes. It doesn't mean you can't just browse, you know, using Tor or Tails on the, on the, on the dark web because you have an interest. But I know what I was going to say before. There's usually three reasons why you're on the dark web. Usually three. One, you're a nefarious actor. Two, you're somebody that's on the good side, just trying to learn and understand and maybe do it as part of your career and work role. Or three, you're a journalist or somebody else researching this to write something or produce something or do something. So if you're one of three, that's fine. I'm sorry, if you're not nefarious, I got confused. Counting to three is a hard thing for me. If you're not nefarious, you're OK. But when you start acting nefarious, you step up your game and you better be ready for the repercussions.
Yeah. And also a little warning or advice on the dark web. You know, we didn't talk about that much. You know, we mentioned earlier, you know, Onion sites were, you know, within Tor, there are, the Tor network, there are sites being hosted. You know, they're criminals. That's where the bad guys are. And, you know, going, like I said, unless you're a cop, you know, unless you are in law enforcement or a journalist, or there are a lot of, well, a lot of commercial intelligence services that are in there, that's where, that's how we get our information on the dark web to protect ourselves, uh, you know, unless you're a defender, um, going into a, you know, it's like going into a bad neighborhood. Unless you're one of the good guys there to fight the bad guys, um, I would not advise spending any time there. No good will come of it. Put it that way. You may be curious. Don't be that curious. You're just going to get yourself a heap of trouble.
I mean, admittedly, I used to browse the dark web. You know, I used a machine. I used Tails, but it's not even like it's something that's super fast. It's really slow.
Well, that's the other thing. Well, that's it. Like I say, you can use, you know, Tor as kind of a free VPN, whatever. It's slow. You know, it's not built for that. It's not for general use. It's for, you know, more industrial strength protection. Put it that way.
Yeah. So does that mean that we're going to get a free laptop with Tails and a USB from one of our sponsors? How many sponsors do we have now?
Uh, let's see, I think we're up to zero. All right.
All right. And by the way, if you are listening to this podcast, not only should you download the podcast and listen to it, you should follow us. Let's bring those numbers up. Joe and I want to buy a new Porsche.
I think we need a lot of followers for that, but we definitely want to encourage everyone to, yes, please follow, please send us your feedback at feedback at securitycocktailhour.com. We'd love to hear from you. And if you have any needs in terms of privacy or security, we'd love to help you out with them. We are not going to tell you how to use the dark web, that much I can guarantee you, but just about anything else that's legitimate, we're happy to have a talk about.
And if you utilize us for any of your cybersecurity or IT needs, we'll throw in a free CPR training for one individual.
That's right. And Adam might even give you his hair care tips.
That's true.
You got to watch the after party on video to get that joke. If you haven't guessed it yet.
Well, it's been very enlightening. I enjoyed this, and I'm looking forward to the next podcast.
All right, we'll see you all then. Adam, take it easy. Take it easy.
