Episode 80 General Full Transcript

Stalkerware: When Surveillance Gets Personal | Eva Galperin

Eva Galperin  ·  July 7, 2026  ·  54:59

Back to Episode
◆ ◆ ◆
SpeakersEva Galperin — GuestJoe Patti — HostAdam Roth — Host
Eva Galperin00:00

when you have full access to ⁓ all of the information off of somebody's phone, that's the next best thing to having access to the contents of their brain. You know where they're going. You have their passwords for their other accounts. You have their photos. You have their phone calls. You have their contact list. ⁓

You have their social media posts that they may have made private or locked. You have all of the most intimate things about them. And it's extremely common in tech-enabled abuse for the abuser to leverage that as a form of coercive control

Joe Patti00:59

Welcome to the Security Cocktail Hour. I'm Joe Patti

Adam Roth01:02

I'm Adam Roth.

Joe Patti01:04

Adam, we have yet another exciting guest today. We have Eva Galperin Eva, welcome.

Eva Galperin01:11

Thank you so much for having me.

Joe Patti01:13

we're glad you could make it. You know, I think for us you're a kindred spirit. Or at least for Adam, I know he wishes he was as good of a hacker as you are at that level.

Adam Roth01:24

I wish I was a hacker at my son's level so I fire lower and go up higher. But hey, I've used EFF in the past myself when I got into a situation.

Eva Galperin01:36

Fantastic. Our lawyers are very powerful.

Joe Patti01:40

So Eva, you're the director of cybersecurity for the EFF, the Electronic Frontier Foundation. ⁓

Eva Galperin01:47

Indeed I am.

Joe Patti01:47

I always find as a former security director myself, it's always interesting to talk to someone like yourself because

You're doing it for an organization that, how do I put it delicately, really pisses off a lot of people and really pisses off a lot of people who have some significant offensive capability,

Eva Galperin02:08

Yes, sometimes. And occasionally, we have even been targeted by ⁓ state actors. But the few times that that's happened, we've actually ⁓ done an analysis and then written up a report and published it, which is a little bit like if an attacker comes, take their head, put it on a spike so that others might be too scared to come at you.

Joe Patti02:09

haha

Adam Roth02:34

Oof.

Joe Patti02:36

Wow, now that's a new level of defense. Very cool.

Eva Galperin02:41

I don't mind ruling through fear.

Adam Roth02:43

Yeah, I'll say this ⁓ Eva when when when I was younger I I ⁓ I played around with smart cards and when I played around with smart cards I was automatically targeted by a company because he said that the tools that I had among others Were hacker tools and they sent their attorneys after me. I never directly used EFF attorneys, but EFF

was instrumental in defending people from afar, saying that a lot of this happened. I ended up getting an attorney and I settled for no contest because I didn't do anything, but I also knew that this company was going to target me for another three or four weeks, which they did to others. So the EFF also does protect the rights of people that are very, I think sometimes, broadly attacked.

They're broadly, you know, they lump everybody into if you are in possession of something or if you're doing something then you're definitely a bad person. But we also know hackers is used as a bad word and hacker does not mean black hat or it means that somebody knows how to tinker with things to see how they work. And then automatically those people are targeted as criminals and it's horrible.

Eva Galperin04:05

Absolutely. We even have a group of attorneys, our coders rights attorneys, who directly advise security researchers, often before they're about to give a presentation about their security research, about how they might present their security research, both to whatever company it is that they are researching, it makes whatever product it is that they are taking apart or whatever platform they're taking apart in such a way that will be constructive rather than

than getting them sued.

Adam Roth04:36

And that's an important distinction because what people don't realize is that a lot of people who hack, who find these vulnerabilities in things are actually protecting people by, ⁓ you know, through, if you present the exploits correctly and rightfully, you might even get a bounty out of it, but some companies don't want that. They want to be able to go after those people because it's going to cost them money.

to patch a lot of this stuff. That's how I've seen it. And I don't want to, there are a lot of responsible companies, but there are also companies that are not so responsible. If I can say that, Eva.

Eva Galperin05:14

Well,

Katie Maceris, who is also a very ⁓ old school member of the hacker community, was really one of the pioneers of the entire concept of having a bug bounty and a bug bounty program. And really bringing hackers over to your side and rewarding them for doing security research ⁓ and having them help you to secure your product.

Joe Patti05:22

You

Eva Galperin05:40

⁓ instead of having them make your product more insecure and allowing people to exploit it. One of the downsides of the golden age of bug bounties and bug bounty programs is that a lot of ⁓ companies instituted bug bounties and bug bounty programs when they weren't really ready to do things with that information. They weren't ready to deal with the ⁓ deluge of claims that

came in, they didn't necessarily know how to test them or how to treat them or how to triage them. And this has become an even bigger problem ⁓ in the last year or so when we've seen just like a huge number of, ⁓ know, LLM generated ⁓ exploits being ⁓ found and sent into bug bounty programs and reported as vulnerabilities.

And some of those are legitimate and some of them are noticeably less so, but learning how to tell one from the other takes an enormous amount of time and skill that most companies don't have. even if they did have it, choose not to apply in this area.

Adam Roth06:37

Yeah.

Joe Patti06:55

I forget who it was, but I remember there was one very popular project where ⁓ the maintainer said, we're just not taking these anymore. We're closing it down because I think he said he was being so inundated with AI slop that most of it was nothing or inaccurate or innocuous things. just, he was spending all his time filtering down to the few real things that there were that he said it's just untenable.

That's unfortunate.

Eva Galperin07:23

Absolutely, and this is also a big problem for people running open source projects. You get a lot of contributions that are essentially written by LLMs and written by AI and the people who are submitting those contributions can't explain what they are or how they work, which makes them slop. The general rule at EFF is that if you're going to use

and LLM in order to help yourself write code, you need to be able to explain everything that that code does and how it does it. Like, we shouldn't notice.

Adam Roth08:03

So.

Joe Patti08:03

Yeah, and it's funny because

if you don't understand it, you can just get the LLM to explain it to you. It's like laziness not doing it, you know?

Eva Galperin08:11

To be fair, the LLM is frequently wrong.

Adam Roth08:14

Yeah, I'll say this right I go to a university where some of my colleagues my cohorts They actually are coders and they said we're even writing using LLM. However As a coder who's using LLMs to code at least we understand what we're doing and why we're doing it and we use it as an aid Not as the primary source But one of the things that i'm writing about now is cyber warfare and the reason why I bring that up

There's a lack of a framework really in cyber warfare lack of treaties lack of everything and that's really no different than AI AI does not have frameworks It does not have the level and correct me if I'm wrong evil because you might know a lot more I don't think I know you know a lot more than me about this but there's not really a large level of frameworks and understanding and things to adhere by and because there isn't these frameworks People are all over the place and you have no structure

Eva Galperin09:10

Well, actually there is a lot of work that has been done on ⁓ sort of what is and is not allowed in cyber warfare. ⁓ Specifically, I'm guessing that you have already read the Talon Manual, but that's sort of like your main document for this sort of thing.

Adam Roth09:29

I'm going to Thailand next week, two weeks. Yeah, so it's not a legally binding document. That's the issue. Yeah.

Eva Galperin09:31

fantastic.

No.

Yes, there are a lot of frameworks, there are a lot of suggestions, but trying to get everybody to abide by international law, honestly, about anything is very difficult, up to and including cyber warfare and also the behavior of LLMs.

Joe Patti09:55

Well, let me ask you this, Adam, have you seen this? We never talked about this aspect of your research. It's like, yes, getting people to follow international law is tough. But when the treaties are put together, aren't they usually put together for things that are kind of well understood? And I wonder if people are backing off making the treaties, making the agreements and following them simply because they're not quite sure what they want to do or cynically how they're going to get around them.

Adam Roth10:23

So I can tell you this, I just found a person I can interview for my dissertation and that's Eva, because she seems to be extremely well known. But one of the things that I lowered, you know, they tell us not to boil the ocean. So I'm specifically doing it about NATO. And with NATO, the nation states themselves, Article 5 does not have a structured threshold. Everyone votes on that threshold. However, there are treaties on biological, radiological, chemical.

kinetic warfare and all treaties in place. again, Article 5 is about voting at that one time. Did this person rise to that level? NATO Article 4 is, does my sovereignty, am I risk for my security of my nation? ⁓ Article 5 is about, let's vote on it and see whether or not this rises to the threshold. Each country has its own interpretation, even in NATO, of what that is in their own minds, their own set.

So and it's actually strategically done on purpose they say so that no one nation can in NATO can say I went to 69 % of that threshold am I hitting I'm making that number up 70 so there is some truth to what what is there however the level of treaties with with with with even AI in cyber warfare there's almost and there's this discussions the Talim manual it was written by a lot of people and actually I'm going to

That convention in two weeks, which I can't believe I'm going I feel like I'm special ⁓ But there's a lot to learn and I think there's a similar Understanding that we need to also rein AI in we do have proposed frameworks We have some structures, but a lot of people have are doing their own and not following this but we can safely say not perfect at all no mean, but

biological, radiological, and chemical, there's a structure. There isn't for the others really adhere to yet.

Eva Galperin12:26

Often, even if we do get structure, we don't get consequences. ⁓ We don't end up with agreements with teeth ⁓ because no one wants to face consequences for violating the agreements. Everybody wants to maintain their ability to do whatever the hell they want, however the hell they want to do it. But if someone does it to them, they would like to be able to complain. And this is one of the, you know,

Adam Roth12:29

Correct.

Eva Galperin12:51

wicked problems at the center of all international agreements and attempts at making frameworks.

Adam Roth12:58

And that's an important distinction. just want to say this. So Eva, from your point of view with EFF, I'm sure it's hard enough in the US alone, but I guess because she's spanned outside the borders of the US, dealing and protecting those, you know, we have our own problems in the US, but I can imagine some other countries that are a little bit more harsh, it must be hard to protect them or we just do the US. How does EFF work?

I would love to hear that. Yes.

Eva Galperin13:28

EFF is international, the internet

is global, and so are we. So we have ⁓ members all over the world and we have ⁓ employees in a number of different regions. We have a number of people who work strictly on international work, know, just like both international treaties and with the UN and ⁓ partnering with digital rights groups in specific countries and regions.

because often we have like only one person to do a work in a region or work in a country. And so it's really important that we partner with grassroots organizations because honestly, having a bunch of Americans come in and tell you how your internet should be and then just like go, my work here is done and then fly off is not a good look. Like this is not the way you actually help people. This is just how you, you know.

Joe Patti14:12

I'm

Adam Roth14:16

You

Eva Galperin14:25

spraying your arm padding yourself on the back over your good works. And we're not interested in doing that. We would like to actually work with the people who are affected by these things. And I work with survivors of domestic abuse all over the world. One of the other organizations that I ⁓ help run is the Coalition Against Stalkerware. And it has ⁓ member organizations all over the world. So we have ⁓ people in Australia and

India and Germany and Ireland and all over. And we're always looking to expand it as well, which I'm very excited about. I just talked to an organization in New Zealand. And the idea is that if the work that you are doing only protects Americans, this is a very, very small slice of the pie. ⁓ Additionally, we need to think about how to protect people

in places where there is no rule of law. Not that it's anarchy, but that there is authoritarianism, where you have sort of a rule by law, which honestly is a little bit America right now. And as a result, you can't just vote your way out of your problems. You can't regulate your way out of your problems. So you need to think about structural ways for

platforms and services and infrastructure to protect all of its users by default.

Adam Roth15:56

Can you expand on stalkerware? Because I think a lot of people would want to know more about that. How it's harmful and what it does to individuals and how they're using it, if you don't mind me asking that.

Eva Galperin16:09

Sure, so StockAware is the class of apps that are commercially available that are designed to be installed on someone else's device for the purpose of exfiltrating data from that device. So the thing that makes it different from a remote admin tool is that the remote admin tool is supposed to be installed on your device, on a device that you control. And whoever it is that is using it has proved

presumably read an entire handbook that they have then signed saying, hey, I know this is a device controlled by another person and therefore all this information is being ⁓ exfiltrated from it. The purpose of Stalkerware is to ⁓ be installed on someone else's device in such a way that does not let them know that they are being spied on and then exfiltrate data from that device. So the most important thing is that it needs to hide. It needs to be sort of circumventing

Joe Patti16:59

you

Eva Galperin17:08

the active consent of a user. And often this stuff is framed as an app to ⁓ catch your partner cheating ⁓ or to ⁓ spy on your two timing employees who are taking breaks when they shouldn't, ⁓ because you're the boss. ⁓ Or, my personal favorite is for protecting the children.

Joe Patti17:27

you

Eva Galperin17:39

We need to ⁓ spy on the kids' devices because otherwise how can we possibly protect them? And we definitely need to do it using apps that don't notify them that they're being spied on and that hide from them and that they can't remove. Because that's really wholesome and great.

Joe Patti17:39

yes, always the children, we can do anything if it's for the children.

Okay, so what that immediately makes me think of are things like the NSO group stuff and the things that the governments are buying to put on, you know, to get after, the dissidents, the journalists, that kind of thing. What's the line between this and stalkerware? ⁓ I mean, obviously.

Adam Roth18:14

TURN ALOUS!

Eva Galperin18:23

Who can buy

it? The only difference is...

Joe Patti18:25

You can buy it. That's

the only difference, that it's available. Really. That's it. Wow.

Eva Galperin18:28

Yes, yeah, that's it. Also,

the kind of apps that are being, or ⁓ the kind of technology that is being sold to governments ⁓ by companies like NSO Group are ⁓ also often come with exploits that allow them to remotely install

Joe Patti18:52

Yeah, they crack it, yeah.

Eva Galperin18:57

the software on somebody else's device with very little or no interaction at all, which is very different from the kind of commercially available stalkerware that I work on, where usually you need physical access to the device and often you also need ⁓ the username and the password, or if it's an iOS device, you need like the Apple ID.

Joe Patti19:20

so it's usually put on, like you say, a friend, significant other. It's put on by someone who trusts you, who's got your password and access to it. ⁓ that's it. But it does the same thing.

Eva Galperin19:25

Yes? Yes. That's... Yeah. And yeah.

It does all the same stuff. The functionality is the same. The only difference is that you need to be in the room. You need to have physical access to the device. You need to have the username. You need to have the password. And the makers of these products often say like...

Joe Patti19:35

Wow, that's crazy.

Eva Galperin19:50

Listen, if you have physical access to the device and you have the username and you ⁓ have the password, ⁓ then that's legitimate access to the device, right? And I have news for them about how domestic abuse works. It is incredibly common ⁓ for the abuser to have ⁓ both physical access to the device of the person that they're abusing and their username and their password, either because they've shoulder surfed it or because they've stolen it somehow.

Joe Patti20:05

Yeah

Eva Galperin20:19

but often because they've simply coerced it out ⁓ of the survival.

Joe Patti20:25

Wait, do you mean that you have cases where the abuse is so deep that the abuser said that the person is being actively abused and the abuser says put this on your phone I'm going to follow you.

Eva Galperin20:37

⁓ even worse than that. ⁓ They will simply put it on their phone behind their back using the password that they have been given by the survivor. Don't you trust me? If you trusted me, you would give me the password to your phone. I need you to give me the password to your phone. Otherwise, how do we know? You can't possibly love me. And also, I need to know where you are at all times in all of your text messages.

Joe Patti20:39

Okay.

Adam Roth21:09

For your safety, of course.

Eva Galperin21:11

Well, sometimes to terrorize them. Sometimes they know that ⁓ they're being watched, but often they don't. And one of the ways in which this sort of tech-enabled abuse works is that

when you have full access to ⁓ all of the information off of somebody's phone, that's the next best thing to having access to the contents of their brain. You know where they're going. You have their passwords for their other accounts. You have their photos. You have their phone calls. You have their contact list. ⁓

You have their social media posts that they may have made private or locked. You have all of the most intimate things about them. And it's extremely common in tech-enabled abuse for the abuser to leverage that as a form of coercive control

and also to essentially carry out a reign of terror. Frequently, the survivors that come to me come away with the impression that their abuser is a

is a computer genius, that they control everything, that they're omniscient and they are omnipotent. Whereas it's just some asshole who's downloaded this app and installed it on their phone behind their back.

Joe Patti22:23

Well, you know, that's, that's so interesting because, you know, we just talk about nation state stuff and, you know, we're always worried about, know, like I started off by asking you about, know, whether you've been targeted by some very powerful organizations and whatnot, where we was talking about our privacy and things. But, ⁓ one of the other things we're going into is we talk a lot about on the show, because Adam's into it is the, how cybersecurity is now and kinetic security.

how they're enabling each other. And we talk about all this nation-state stuff, the armies, the hacking, all that. And you've been seeing it for quite a while at such a simpler level. Put it that way, not a nation-state, just a very nasty and manipulative person who's been able to exploit it.

Eva Galperin23:13

only difference between an authoritarian state and an ⁓ abusive partner is scale.

Adam Roth23:21

So let me ask you this, when you're doing the stalker where, you know, we always talk about things in the stores, whether it's the Apple Store or the Google Play Store, and you shouldn't be able to do it, people are sideloading it or they're able to normally install it right from the store?

Eva Galperin23:38

Most of it is sideloaded. Nearly all of it is sideloaded. There are a couple of apps that slip through the cracks, and so it's really important to continue monitoring the stores and to alert ⁓ both Apple and Google, but I would really prefer that Apple and Google did a better job of enforcing their own TOS and watching these products. The ones that make it through the cracks are usually the ones that avoid framing their product as catch-your-partner cheating.

and that frame their product more as ⁓ keep an eye on your employees or do a child's safety.

Adam Roth24:17

Yeah, for those who don't know, sideloading basically means you're loading it as a third-party app, not trusted, and you're not going through the store. You're able to do it other means, download it directly, open the package on the phone, and install it. you know, there's nothing wrong with third-party apps, providing that you understand where it's coming from and what it's being done, as long as it's not for malicious use. Sometimes apps are not in the store. Sometimes, you know, people don't have the ability to do that, but...

You gotta be very cognizant and very aware of what apps you're installing on your phone because once you install them, especially as a third party, they have access to microphones, access to your cameras, access to your speaker, access to your data, access to your browsing, Bluetooth, they can even connect remotely to somebody else and hop over to somebody. yeah.

Joe Patti25:02

Yeah, but

the nasty thing about it though is that like Apple, I know they go and look for things when they have certain tools and things when they evaluate the apps and they go and look and say, oh, this could be awful. This looks at your data. This wants your camera. This wants your microphone. This wants this and that and all these other things. Well, guess what? That's Facebook and Instagram.

and all these. now I'm curious to go and check, to find some of these and see how different the privacy profile for them is from some of these social media apps, which is frightening in and of itself. Yeah, it's consent, guess, and intent.

Eva Galperin25:38

Well, the difference is consent. ⁓

privacy is not ⁓ living by yourself as a hermit on a mountain, having flung all of your devices into the ocean. ⁓ Privacy is deciding what you're going to share and who you're going to share it with. And that is the difference between ⁓ posting a picture of your birthday party on Instagram

Adam Roth26:00

Cheers.

Eva Galperin26:08

and having your abusive ex see a picture of your birthday party by having broken into your phone.

Adam Roth26:14

What I find Eva is that a lot of people, and I'm not gonna lie, I'm not perfect either, a lot of people don't ever go and sit there and break down the end user licensing agreement. And I remember back in the day when everyone was using their phones and they had their phones and then they wanted to use the flashlight, but there was no flashlight and they downloaded the flashlight app and everyone was like, this is so cool, look at this flashlight app. And I'm like, wait, if you're getting an app for free,

You're paying for it somehow. That app is probably harvesting your contacts, knowing your GPS locations and things like that. And people don't realize it's nothing for free. If you're downloading an app and it has a function and they're not asking you to pay, they're either one of two things. One, they're hoping that you expand it into the paid function. Or two, it's doing something to your phone and it's taking your data and you sign yes.

Eva Galperin27:07

Well, there are ways to check. The good news is that both Apple and ⁓ Google for the Android ⁓ releases that it controls, as well as some other versions of Android, as Graphene OS, ⁓ may give you a granular breakdown of all of the permissions that your different apps are using. And that is worth revisiting, especially if something, you know,

suspicious is happening with your devices or something suspicious is happening with your data. Apple, for example, has like an entire sort of control panel called Safety Check that will walk you through all of your data sharing, ⁓ sort of all the devices with which you are sharing data, all the profiles with which you're sharing data, and all of the different ways in which your different apps are sharing data so that you can control them.

Joe Patti28:01

what drives me crazy is sometimes the cases where it's like you almost have to have it like with WhatsApp. I I avoided that for years. Didn't want to use it. Don't trust their encryption. Certainly don't trust Facebook with my data, but I started traveling to Europe and ⁓ my God, it's virtually impossible. You're like in the stone age if you're not using WhatsApp. Everybody uses it. Yeah.

Eva Galperin28:26

Yeah. Network effects are Network

Adam Roth28:29

I saw

Eva Galperin28:29

effects

Adam Roth28:30

it.

Eva Galperin28:30

are absolutely real. And whenever somebody tells me like, well, I would simply not use blah, blah, blah. I'm like, well, there are, think, like 2 billion, 3 billion WhatsApp users in the world. And if you go to like many parts of Asia, ⁓ most like day-to-day communication, like with stores, is done via WhatsApp. And so, yeah.

Joe Patti28:36

Yeah.

Yeah.

Adam Roth28:51

Yeah, the WhatsApp Business app, yeah.

Joe Patti28:53

Yeah.

Eva Galperin28:53

So what happens when you're like, ⁓ but I, ⁓ a privacy and security purist, have chosen not to use WhatsApp? Like, ⁓ good luck going to a store and buying something, or renting a room somewhere, or paying a tour service.

Joe Patti29:07

You

Well, it's funny because, you know, I've always been very big on privacy and these things and probably a little more, you know, rabid than the average person. And so I teach my kids this stuff too. I'm like, be careful, whatever. And so my, my son is now 19, actually listened to me and, and he started catching me with stuff. He's like, well, you'll be like, what do mean we're using WhatsApp?

or I'll do something else. goes, what do mean you're giving him your number for this? you know, we've we've had it, after I, you know, got them all wound up, I had to unwind them a bit and say, you know, we have to live our lives too. And, and these things do have, there's risk, but there's benefit too. And you need to understand those things.

Adam Roth29:57

Sometimes the shoemaker

has the worst shoes. at the same time, tell you this. I saw an article today. RCS, which is the next generation of texting, for those who don't know, is moving into encryption from phone to phone. So that's a great thing. SMS is plain text. However, Instagram and other apps,

I'm removing the encryption from device to device because it said it's very rarely used. I'm like, wow, you're going five steps ahead with one and then 10 steps back with the other.

Eva Galperin30:37

Like it costs them nothing to keep it. ⁓ So I'm deeply, deeply suspicious and I'm really disappointed in Meta for taking a step back when it comes to protecting their users.

Joe Patti30:52

I'll tell you though,

it doesn't bother me that much and this is why. Because I frankly have very little trust in anything they put in anyway. ⁓ No, seriously, I think the trust is important. mean, that's why if I want something, you know, know WhatsApp is end-to-end encrypted, but if I really want something to be private, I use Signal. I just have more trust in it.

Adam Roth31:02

Yeah

Eva Galperin31:15

I think that people have different levels of trust, but also it is good practice for the people who are making platforms and services to make them maximally secure and maximally privacy protective for everyone every time by default so that you don't have to turn on a special, ⁓ I'm having a particularly secure or private conversation setting in order to have your secure or private conversation.

Joe Patti31:29

That's true.

Eva Galperin31:44

Everything should just be private all the time.

Joe Patti31:47

Point taken.

Adam Roth31:48

So the other thing is what people don't realize is like, my God, I have end to end encryption. No one can listen to me. They do exactly what you're talking about. They use stalkerware or they compromise the endpoint. You don't have to see the tunnel. You just need to get to the endpoint. And sometimes getting to the endpoint is easy enough. Oh, how are doing? This is Verizon. We want to look at your phone to make sure we got to some. think your phone is compromised. Install this thing.

Meanwhile you install an app and now you're back door your whole entire phone I'm not saying that's how it's done by nation-state and threat actors But I'm saying sometimes it's easy as that you perpetuate you somebody else But you're not really them in here now you now you put on a like a Rootkit on somebody's phone and they got everything anyway, so Yeah

Eva Galperin32:36

End-to-end encryption is not magic. ⁓

And one of the big problems that we've had with the way that end-to-end encryption is discussed in sort of ⁓ ordinary life among non-technical people is that it is treated like magic. And so every time somebody manages to get their hands on a signal conversation, what they say is signal can't be trusted, signal has been backdoored. Like man, there is only so much I could do for you.

Joe Patti32:50

It's not.

Eva Galperin33:02

if you add an editor from the Atlantic to our Let's Bomb Yemen chat.

Adam Roth33:05

yeah yeah yeah

yeah yeah yeah that's the point it was this is human this is human failure but also let me ask you this if you had to give five core tips to our listeners every day how to protect yourself what would you say to that like what would you bring up

Joe Patti33:06

Exactly, that's right. It didn't break. It didn't break. ⁓

Eva Galperin33:10

Yes, this is on you, my dude!

All right,

⁓ basic, no, no, I got you. Basic digital hygiene, like the easiest, lowest hanging fruit, the stuff that everybody should be doing, like washing your hands, is ⁓ use a password manager. The best password manager is the password manager you will actually use, ⁓ but also do a little bit of web searching with the name of your password manager and.

Joe Patti33:27

That's tough. Wow. Okay. You got it? Okay.

Eva Galperin33:54

privacy or security vulnerability to get some idea of whether or not they have a history of being trustworthy.

Adam Roth34:02

I know where you're going with that already. I've used them, but you know it's funny Maybe I'm wrong, but that one company you're talking about I think you're talking about They even though they got compromised Did they ever really see any of that in the wild those those passwords? There's there's three of them. There's three big ones

Joe Patti34:16

It's more than one, but...

Eva Galperin34:17

It has, yes. But rather

than making a recommendation or a negative recommendation, I would just say before you choose a company, do a little bit of web searching about their privacy and security history and then make your choices. Yes.

Adam Roth34:30

Sure.

Joe Patti34:35

Yeah, I will, I will make another, ⁓ suggestion. ⁓ I was

in Manhattan once and saw a big billboard for a, ⁓ a VPN and password manager, whatever that I had never heard of. Don't trust the billboards. Definitely go and look them up. So yeah, you agree.

Eva Galperin34:47

Bye.

Adam Roth34:54

And then.

Eva Galperin34:54

Absolutely,

so just when you're making your decisions, do a little bit of searching. ⁓ EFF has a privacy and security guide that you may wish to use. ⁓ You can find it at ssd.eff.org. That stands for Surveillance Self-Defense. And it includes some posts about how do you think about your privacy and security, what kind of stuff is useful for everybody, and also an entire section on password managers.

Adam Roth35:04

Ooh.

Eva Galperin35:24

Number one, password manager. ⁓ Number two, make sure the password for your password manager is a strong and secure passphrase. So usually I go with like six randomly chosen words. And the reason why you want a longer passphrase rather than a shorter password passphrase is because that is stronger. It gets you more entropy. It becomes harder to break. All that stuff about ⁓

Joe Patti35:36

Yeah.

Eva Galperin35:52

letters and numbers and special characters and mixing everything up. This is ⁓ this is bullshit. Ignore it. ⁓ What you want is a password that is long and that cannot be easily guessed even by somebody who knows you. So that's number two. ⁓ Number three is ⁓ keep, keep your stuff up to date. Take your security patches. ⁓ Occasionally this goes wrong, but for the most part,

Joe Patti35:56

That's obsolete. Yeah.

Eva Galperin36:21

When people are compromised, they are not compromised using fancy O-Day. They are compromised using security vulnerabilities that people already know about, that the companies have already patched, and that people simply have not ⁓ installed the patches for. So this leaves you extremely vulnerable. Eat your vegetables and patch your stuff. ⁓ Possibly with one hand, eat your vegetables, and with the other half, click.

Adam Roth36:45

Okay, at the same time.

Eva Galperin36:51

⁓ click yes install. Absolutely.

Joe Patti36:53

If that's what it takes to get you to patch, go for it.

Adam Roth36:56

Or eat vegetables.

Eva Galperin37:01

⁓ I'm sure we could find a vegetable that you will like. Perhaps a french fry. ⁓ If you fry a vegetable, it becomes very delicious. So that is number three. Okay, so we've got passwords, ⁓ password manager, ⁓ update your stuff, or take your security updates. And then also, there is a lot of sort of lore.

Joe Patti37:13

That's three.

Eva Galperin37:30

about VPNs and most of it is wrong. So a VPN is not a magical talisman that protects you from hackers. A VPN is just a tunnel that makes it look like you are coming from somewhere else. And there are things for which a VPN is useful. Like if you are traveling outside of the United States and you want Netflix to work, that's a great, great time. That's when you break out the VPN.

Joe Patti37:54

Yes, that's essential. Absolutely.

Eva Galperin37:59

But if you think that you need to use a VPN before you get on like a cafe Wi-Fi ⁓ It's probably not not getting you much so take some time learn about what a VPN does and does not do and don't install like a bunch of products from people who are planning who are selling you a bunch of you know privacy and security snake oil ⁓ and then finally what you want to do with your password manager now that you have it all installed and it's got a blog and secure password

Joe Patti38:00

Yeah.

Eva Galperin38:30

In addition to backing it up, what you want to do is you want to make sure that every single one of your passwords for all of your accounts is different, that it is different and it is strong. That is what the password manager is for. And then lastly, the very last thing, number five. All right, number five. Number five, back your stuff up.

Adam Roth38:38

It's different.

Joe Patti38:40

different yes

Yeah.

Wait, this is a bonus. This is an x-lot.

Eva Galperin38:55

You need to have backups. Also, if you have not tried restoring from backups, you don't have a backup.

Joe Patti38:56

awesome.

Adam Roth39:01

That's the thing with Joe and I always just I used to work for Joe and Joe loved the fact that I worked for him told everybody he never hired me I was like he inherited me but one of the things that Joe and I always spoke about was that just because you have a backup plan doesn't mean anything if you don't quarterly or at least by yearly try to restore your data then you don't know that your equipment is working so just having a plan is not enough executing the plan and testing the plan

is equally if not more important than having the plane itself. So that's my feeling on that.

Eva Galperin39:34

it's a back things up, like keep them if you feel comfortable keeping them like in your home on an encrypted drive. That's always a good idea. If you're going to be storing it ⁓ on somebody else's computer or as we call it the cloud, ⁓ then you are probably going to want to encrypt that. And in addition to encrypting it, you're going to want to make sure that only you have the keys. And then you want to make sure

Joe Patti39:34

totally. ⁓

Yes, the real encryption,

yes.

Eva Galperin40:04

Yes,

it is not encryption if someone else has your keys.

Adam Roth40:05

So...

Joe Patti40:07

Right,

right.

Adam Roth40:08

yeah, yeah. Joe and I went through that whole exercise of bring your own key, have your own key, silence subpoenas, because you don't know whether or not your keys are being subpoenaed, having a hybrid. Your keys on premise, but your stuff in the cloud. We went through an exercise that many times. But here's the funny part. I... ⁓ Make fun of me. I'm a big believer. If you have a plan, you probably should print it out.

That's the one time I say you should print something out put it in a fireproof safe because if you don't have access to the power wherever your stuff is stored Then you pretty much don't have a plan now I get it if you have no power for anything Then you can't do anything anyway, but sometimes it's nice to have the plan in writing But I want to segue to something you just said something really important something about privacy and something about you know nation-states

What are your feelings about this whole thing about foreign-made routers and the whole thing about being bricked or maybe Someone having access to that data if you don't mind me asking that too

Eva Galperin41:12

Sure, so at least some of the discussion around foreign-made routers is just like, sinophobia It is, hey, let's blame the Chinese for everything bad, and say that ⁓ everything has to be made in the United States in a situation in which almost nothing is made in the United States, and almost everything is made in China, including most of the stuff that you think is American. ⁓

Having said that, ⁓ supply chain attacks are real. And ⁓ government-sponsored supply chain attacks are real. so, yeah, no, yeah, no, Absolutely, governments do this. This is not like some sort of special Chinese government trick that nobody else knows how to do. And so, I would be more careful if I was say,

Joe Patti41:46

Yes.

And the US has done it against US companies. We have to remember that piece too. Yeah.

Yeah

Eva Galperin42:09

choosing the routers that I was going to go put into a US government building full of top secret information. But if your home is not a US government building full of top secret information, then I am not sure you're getting some sort of great advantage by ⁓ being told that you cannot buy a Chinese-made router.

Adam Roth42:29

the the thought process is obviously they worry about the snooping on the data but snooping on data can happen even from being hijacked DNS people don't realize that either but the other part to it is is that the thought is hey at one time a foreign company can just brick every router that they have access to and boom you no longer have the ability to perform any functionality now I don't think any

country is going to do that unless we're in World War 17 but you know we still have to maintain a certain level of decency. mean countries always do espionage to each other but that level of espionage is probably like you might as well just go into a shelter and kiss yourself goodbye I think at that point but maybe I'm sensationalizing that.

Eva Galperin43:24

I mean, I think that there is definitely a danger to ⁓ filling your home or indeed your country with a bunch of surveillance gear that you don't necessarily control. As the Iranians learned earlier this year, ⁓ the Iranian government responded to a ⁓ series of ⁓ really ⁓ serious and prolonged protests ⁓ in Iran

by turning off the internet. And in addition to turning off the internet, they also turned on a lot of surveillance cameras. So like Tehran completely covered in surveillance cameras all of a sudden. And it turned out that the Israeli government had backdoored all those surveillance cameras and was using them to spy on the Iranian leadership. And that was one of the ways in which ⁓ they targeted Iranian politicians for assassination.

Joe Patti44:10

Haha

Eva Galperin44:22

and they were extremely upfront about it. And so that is an important lesson when it comes to building a surveillance state. Your surveillance state can be used against you. And it doesn't matter where the cameras are made. What matters is that you built this system.

Joe Patti44:41

Oh yeah, you know, even our government has made some dangerous stuff

Eva Galperin44:45

just the once?

Joe Patti44:49

thinking of one in particular, but it's not the only one. So Eva, we're going to run out of time soon, but before we do, I have to say you had one other tip for us that was very important, that you have seen me going here. And for us here on the East Coast, it's a little bit later. So we have been having your preferred cocktail from what you told us, an aviator that, I'll tell you what, I not only never heard of it,

Eva Galperin45:11

I'm so pleased.

Joe Patti45:18

and have never seen it in any of the fancy cocktail bars that I've been to. never even heard of the ingredients like maraschino liquor and creme de, what was it? Violette. Yeah. I haven't even heard of the ingredients. like, and it's good. I have to say.

Eva Galperin45:29

Violet. Crimped Violet.

And it matches my hair!

Adam Roth45:41

Bye,

Joe Patti45:41

I've been thinking

that the whole show, but I wasn't going to bring it up unless you did.

Eva Galperin45:47

No, that's totally why I drink them.

Adam Roth45:47

So...

Nice.

Joe Patti45:49

Well, you know, ⁓ if your hair changes green, we'll know you've switched to like apple martinis or something.

Eva Galperin45:54

Yes.

Adam Roth45:58

Well, what type of drink do I drink if I'm bald?

Eva Galperin46:01

Well, that's obviously vodka shots.

Joe Patti46:04

Yeah!

⁓ That's great!

Adam Roth46:09

So Eva, now that we've covered the foreign-made routers and things of that, ⁓ I wanted to just touch back on one more thing that we spoke about with AI. Now obviously when we have issues on your computer, back in the day we had anti-virus, now we have EDRs or endpoint detection and response, more like, you know, whatever you want to call it, it's like next generation. Do you see a time

or is it just ridiculous where there might be some kind of way to kind of put a little bit of guardrails on AI, whatever it's Claude or Chachi PT or Cursor or any of those, or you think it's just that each of these respective companies have to come up with their own framework and their own controls.

Eva Galperin47:01

think you're going to see ⁓ a lot of action from, you're going to see legislation, you're going to see regulation. ⁓ Whether or not you're going to see legislation and regulation at the American federal level is extremely questionable because I think that ⁓ honestly, ⁓ the people who are making legislation and regulation in the United States right now are not very technically adept. ⁓

but they sure do love taking money from AI companies.

Adam Roth47:33

But now, one thing you didn't say was litigation. And the reason why I bring up litigation now is because some of these people, actually, just recently, I don't remember the whole entire aspects of the case. I'm sure that you do. That woman that had, a young woman that had attorneys to sue, that she, the AI caused a lot of issues for her. You know, this is the things that happen. Like people will end up, unfortunately, where AI tells them, you know, you should end your life.

⁓ or you should do this to yourself or harm yourself. That litigation does drive change, does it not?

Eva Galperin48:12

⁓ One hopes so. ⁓ Right now, I don't think any of those cases have actually finished. So I will be keeping an eye on them, but I do know that there is a whole new bunch of cases that have been brought by the families ⁓ of children that have committed s*****e after talking to various chatbots. And that's really tragic.

Adam Roth48:18

Paid off, yeah, correct,

Eva Galperin48:38

whether or not it ends up changing the way that the makers of these chatbots behave, I don't know. But I can tell you that shouldn't be happening.

Adam Roth48:46

I agree, yeah.

Joe Patti48:47

No, it

shouldn't be happening. believe me, I have ⁓ no love for some of the things that AI and other tech companies do, particularly when they're not really thinking through it and the consequences. ⁓ But typically, those things happen to people, I think, who really needed some help and who didn't get it. And maybe that's why they turned to AI. And that is very.

very tragic and something non-technical we need to deal with in this country.

Eva Galperin49:21

Yeah, well, there's a lot of argument that because our mental health systems are so overloaded and honestly not very good and extremely expensive, that this is why we need AI chatbots for health. And I think that this is absolutely not the right conclusion to draw from this. Incorrect.

Joe Patti49:40

Yes, that's the wrong message.

Adam Roth49:42

I

Joe Patti49:45

Yeah.

Adam Roth49:46

I'm 100 % sure that AI is going to be, without a doubt, something that's going to be in everyday life for every single person that's in the business world. ⁓ But the problem is that people are talking about like, my god, these kids are now cheating. We used to have these codes of honors that you didn't have to be monitored. Now we're going to start monitoring people. Yeah, I get it. But like anything, like anything in this world, things that could be used for good could be used for bad.

What's that whole Spidey thing? You know, ⁓

Joe Patti50:18

⁓ god, he

Eva Galperin50:20

With great power

Joe Patti50:20

loves

Eva Galperin50:20

comes great responsibility.

Joe Patti50:20

this. He loves that.

Adam Roth50:22

Yeah, I don't want Joe to say that's why I got him to say it, but the point I'm making is... You just did!

Joe Patti50:25

You can't get me to say it, but

now Eva said it. You've been drinking?

Eva Galperin50:30

I did it.

Adam Roth50:30

I'm sorry even said it. Yeah, I have actually thank you

But no, yeah, so yeah, right. Thank you. So the point I'm making is like anything else You have to have some great responsibility, but let's be honest some of these kids that are younger They don't necessarily have the direction or the understanding of what they're doing and it's unfortunate and I kind of feel like especially

Like if you check a box maybe maybe I'm wrong if you're under 18 or you check that box or you know And we should not be doing actual Validation by uploading your driver's license or ID. Yeah But but the point I'm making is there should be a certain level like if you're a kid You should be treated a little bit gentler than getting this crazy crap hurled at you

Eva Galperin51:12

Hell no.

Joe Patti51:12

Yeah.

we don't have enough time to get into that. I know that's a whole other show.

Adam Roth51:26

you know like you have no friends it's horrible no i don't think any chap should ever say that no matter what the age but wow you know wow i don't know i feel like you have something to say about that i'm i'm i'm i'm waiting for it but you know

Eva Galperin51:43

I mean, we have a limited amount of time. ⁓ But I do think there's a great crisis in schools right now about how to use AI tools. There's a big rush to insert AI tools into every aspect ⁓ of teaching ⁓ and learning and into doing the work. And so you end up having ⁓ students who are using AI tools to do the work, followed by teachers who are using AI tools to grade the work.

Adam Roth51:46

Yes.

Eva Galperin52:10

And so no one is writing it and also nobody is reading it, which does not seem like a situation in which people are learning things. And it's time to really, I think, pull back on this whole thing and try to figure out a way to use technologies that facilitates critical thought and learning. Because I don't think that the existence of AI or the use of AI

necessarily means you cannot have critical thinking or learning, but you have to do it in a very different way.

Adam Roth52:43

And it's ironic because what's happening now is that some of these professors or some of these teachers, run it through these AI detectors and like, you definitely committed a crime. You're in trouble. And meanwhile, some of these kids did not do it. And if I remember correctly, I didn't see it written, but someone told me like the Declaration of Independence is 100 % AI. So it's kind of funny about it, right? Yeah, yeah. So my point I'm making is obviously it's not AI, but...

Joe Patti52:44

Yeah.

Eva Galperin53:05

Okay. ⁓

Adam Roth53:11

Some things will come up if you write a certain way or do it. I mean You and I spoke about this Joe right if you see dashes in somebody's regular writing most likely it is AI right, but but but

Joe Patti53:22

Well, there is some,

yeah, some cliche clues.

Eva Galperin53:24

They will take my dashes from my cold

dead hand.

Adam Roth53:27

HAHAHAHA ⁓

Joe Patti53:28

I've had to

eliminate them completely because I'm like, and although I have to admit, I have abused ⁓ dashes in the past. So maybe it's a good thing in the long run. I don't know.

Adam Roth53:42

Do you- you- Eva, do you write with dashes seriously?

Eva Galperin53:45

⁓ less than I used to since I would not want people to mistake my writing for my eye, but let me tell you, I have engaged in very serious dash abuse over the course of my writing.

Adam Roth53:48

because you don't- and that's the funny part about it.

Joe Patti53:49

That's great.

Adam Roth53:53

That... Yeah.

Joe Patti53:57

Hahaha

Adam Roth53:58

that that's definitely for another episode i want to go and dash another episode yet quit stuff because the point of making is so it has an asset that you did you would have been accused of doing a i when you all absolutely did not as well i removed the a i remove any of the issues from anything because i don't want to be accused you know bob obosso whatever

Eva Galperin54:01

The dash and the Oxford comma,

Joe Patti54:20

All right, well, Eva, we've had a great time. And you know what? There are so many other things we could get into. know. This is a huge field, and you've been very active in it. know. And it means a lot to us, ⁓ So thank you so much for taking the time to join us.

Eva Galperin54:39

Thank you so much

for having me.

Adam Roth54:40

Thank you so much.

Joe Patti54:41

Okay, and everyone, thanks for listening. We'll see you next time.

Eva Galperin54:42

Take care.