287-Listener Questions, UNREDACTED 5, & OSINT 10

Released Friday, 6th January 2023

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:00

The personal computer revolution was beginning

0:02

in nineteen seventy five. Let's go

0:04

back to August seventeenth nineteen seventy

0:07

five. Let's

0:10

listen to senator Frank

0:12

Church on NBC's meet

0:15

the press. But let me tell you this.

0:19

In the need

0:21

to develop a capacity

0:23

to know what potential enemies are doing.

0:27

The United States government has

0:30

perfected a technological capability

0:34

that enables us to monitor

0:36

the messages that go through the air.

0:39

We have a very extensive capability.

0:43

Of intercepting

0:45

messages wherever they may

0:47

be in the airwaves. At the same

0:49

time, that capability at any time could

0:51

be turned around on the American people.

0:55

And no American would have any privacy

0:58

left, such is the capability to monitor

1:00

everything. Telephone conversations, telegrams,

1:02

it doesn't matter. There

1:05

would be no place to hide. The

1:07

technological capacity that the intelligence

1:10

community has given the government could

1:13

enable it to impose

1:16

total tyranny. You

1:27

are listening to the Privacy, Security, and OSINT

1:29

Show episode two eighty seven released on

1:31

January sixth of twenty twenty

1:33

three. This week, I present the latest

1:36

issue of unredacted magazine, published

1:38

my new book and tackle a

1:40

slew of listener questions. Direct

1:42

support for this podcast comes from our services

1:45

training and my new book for twenty twenty three,

1:48

techniques, tenth edition. More details

1:50

can be found at inteltechniques dot

1:52

com. Welcome back everyone and happy

1:54

New Year. I predict this

1:57

could be one of the longest, if

1:59

not, the longest shows we've ever

2:01

done. That's because I have two big announcements

2:03

to make and I know we have a bunch of listener

2:05

questions to get through. So let's start

2:08

with some maintenance and some releases.

2:10

First and foremost, unredacted magazine

2:13

issue number 005 is now

2:15

available. It came out to fifty one

2:17

pages. It's a digital PDF. It had

2:19

fifteen articles and some

2:21

q and a and some letters from

2:24

Most importantly, it's free.

2:26

The reason it is free is because

2:28

we had five sponsors pick up

2:30

the tab and I'd like to publicly

2:33

thank them now. We had two returning

2:35

sponsors, long time sponsors the

2:37

first is Fortify twenty four seven

2:39

over at fortify twenty 4X7

2:41

dot They provide cybersecurity solutions.

2:44

If you have any need for cybersecurity

2:47

solutions, please go check them out and see

2:49

if they have something that you need, especially take a

2:51

look at the Fortify 10 Detection

2:53

and Response, the XDR, Fortify

2:56

twenty four seven been a supporter for quite

2:58

some time. Additionally, MySudo

3:00

came back to sponsor another issue. They've

3:02

been with us since issue number one.

3:04

And I think that MySudo was probably

3:06

I've said before, it's a household name

3:08

to this audience. But if you have not

3:11

tried MySudo, if you have not tried

3:13

to add one to or nine additional

3:15

VoIP numbers to your mobile device, please

3:17

go check them out. I rely on their service

3:20

every day. We also had three

3:22

new sponsors. The first is Bitwarden, which

3:24

is another household name to this community.

3:26

If you have not established a

3:29

password manager solution, please go check

3:31

out Bitwarden. I've been recommending them

3:33

for years, so it was exciting when they reached out

3:35

wanting to sponsor the magazine. Also,

3:37

we have investigators toolbox

3:39

over at investigators toolbox

3:41

dot com. It is an exclusive community

3:44

for investigative professionals. I know that a

3:46

lot of this audience are private investigators.

3:49

If you are looking for that community to

3:51

share ideas and communicate with other people in

3:53

your field, please go check out the investigators toolbox.

3:56

And finally, a new sponsor with

3:58

this issue is social links. Social

4:00

links provides an all in one solution.

4:03

Please go check them out at social links.

4:05

Io. Also, there are ads

4:07

in this issue from all of those sponsors.

4:09

And those ads link directly to them, and those

4:12

links are links letting them

4:14

know that you heard about their product

4:16

through the magazine. They are not affiliate

4:18

links. I don't get a kickback. I don't get

4:20

paid whether you click or not. But clicking

4:22

through those links, let those

4:24

sponsors know that it might be

4:26

justified to continue sponsoring magazines

4:28

like this. I offer a huge thank you to

4:30

our sponsors for this issue. I'm excited

4:32

about this issue. Again, Nick

4:35

over at ASTRO Post did a great

4:37

job putting it all together. The layout looks amazing.

4:39

My anonymous cover designer did a

4:41

great job making a cover for us. As I had

4:43

said before, the production value

4:45

of this is something that I'd I just

4:47

never thought we would have. I thought it would be a

4:49

text file or a Microsoft Word file

4:51

I didn't realize that the magazine would look this

4:54

professional so I sincerely thank all of the

4:56

people involved with that. Please download

4:58

a copy. I will put a link in the show

5:00

notes You can go to unredacted magazine

5:02

dot com that's actually going to forward

5:04

you to Intel techniques because I've

5:06

decided it doesn't really make sense to have

5:08

an entire website dedicated just

5:10

to the magazine. It probably I

5:12

could have bypassed that and just put it on my site.

5:14

So we moved everything back over to Intel Tech but

5:16

unredactedmagazine dot com will forward you

5:18

to the right place. All of the past issues

5:20

are there. If you have any interest in privacy

5:22

security and OSINT or this show or

5:24

all the topics we talk about, then I

5:26

think unredacted magazine is for you.

5:29

Again, completely free. Next,

5:31

the tenth edition of my OSINT book

5:33

is now available. I've been

5:35

talking about this for several months now.

5:37

We did get it done ahead of time. I want

5:39

to talk a bit about the details

5:42

of the book, who it's for, who not for all

5:44

those things we do every time I release a new

5:46

book. The ninth edition of the OSINT

5:48

book was released in January of

5:50

twenty twenty two. This is the new

5:52

tenth edition, which overrides

5:54

the ninth edition. It overrides every

5:56

previous edition, and now it is

5:58

available in twenty twenty three. You go to

6:00

my site, inteltechniques dot com and click on the

6:02

books tab, you will get right to it. It is

6:04

available right now in

6:06

several countries through Amazon,

6:08

but we also have that option you can pay

6:10

via Bitcoin if you don't want to

6:12

use your Amazon account or create an

6:14

Amazon account. I get that. We

6:16

do have options for people who don't want

6:18

to go that route. Most people still buy

6:20

it through Amazon even when we were offering

6:22

other options. Let's talk details. Price.

6:25

I know it's usually the first question. There

6:27

was a slight increase in the

6:29

price this year. I don't have the exact number

6:31

because I don't have the retail number

6:33

ahead of me right now. But I

6:35

was told there was a slight increase due

6:37

to two things. One, it's a

6:39

bigger book. We'll talk about that in just a moment. It has

6:41

more pages. And two, overall

6:43

price increases for printing and everything related

6:46

to making this book. When Amazon

6:48

applies their discount, it should

6:50

be about the same price as the ninth

6:52

edition, but there might be

6:54

it might be a buck more. Let's get into the

6:56

details. It came out at five hundred and

6:58

fifty pages, eight and a half by eleven.

7:01

We kept that same size,

7:03

the full page size because I like

7:05

that better than what we were doing in the past. It allows

7:07

us to get in more content per page

7:10

which makes for a more affordable price

7:12

to buy the book. We are still, even at

7:14

this tenth edition with the larger pages,

7:17

less. We are under the price what

7:19

we had to charge for the eighth edition because we

7:21

used a smaller page. So the larger pages

7:23

are making sense from a financial perspective. I

7:25

also just like the size. It's a large

7:27

book. My rough estimate is that

7:30

twenty percent of this book is brand new

7:32

content, twenty percent is updated

7:34

content and sixty percent is

7:36

recycled from the previous editions.

7:38

As with every new edition, we don't

7:40

rewrite the book from scratch. We go through

7:42

find out what's wrong, fix anything we can,

7:45

remove anything we need to remove, and then start

7:47

adding new things we've encountered over the past

7:49

year. So you're going to have some stuff

7:51

from the previous editions, but I don't

7:53

think that's any more than sixty percent.

7:55

Forty percent of it is basically new. When

7:57

I released the ninth edition, I

7:59

think I downplayed a bit

8:01

how different it was from the

8:03

eighth edition. I actually even said on the show that

8:05

for people who have the eighth edition, you've

8:08

kept up with everything, you've listened to

8:10

the show, you've applied the tools, you've applied

8:12

the updates, you might not need that

8:14

ninth edition. I can say

8:16

with great honesty, the

8:18

tenth edition of this OSINT book is

8:21

more different from the ninth edition

8:23

than the ninth edition was different

8:25

from the eighth edition. I think this

8:27

is a justified upgrade

8:29

for most people. There's quite

8:31

a bit new. We're going to talk about that in just a

8:33

moment. We also went with a new cover

8:35

design, which is very similar to the extreme

8:37

privacy book because I do believe that

8:39

privacy and OSINT are very

8:41

closely related. You can't

8:44

have one without the other. If you know

8:46

nothing about privacy, then

8:48

OSINT, you might be missing a bit of your with your

8:50

investigations. If you know nothing about OSINT,

8:52

you're probably missing a bit when you're trying to make yourself

8:54

more private. So we

8:56

tried to embrace this idea

8:59

that that redacted style cover

9:01

fits both books. With

9:03

privacy, you're constantly trying to

9:05

redact things and make yourself harder

9:07

to find. With OSINT, you're constantly trying

9:09

to uncover things. So

9:11

we went with a different cover, which is

9:13

basically the reverse of the extreme

9:15

privacy book. We also went with a

9:17

slightly different title. The past books were always

9:19

called open source intelligence

9:21

techniques. I've been writing this book

9:23

since twenty eleven, maybe twenty

9:25

ten, when OSINT wasn't

9:28

really a well known thing. The acronym

9:30

existed, but no one was really talking about

9:32

OSINT. OSINT is now very, very

9:34

popular, very common. Anyone

9:36

in cybersecurity knows OSINT. So

9:38

we decided to embrace that and

9:40

actually put the word

9:42

OSINT in the title instead of open source

9:44

intelligence. We wanted to shorten that up. And we

9:46

changed the subtitle just a little bit. We

9:48

wanted to kind of modernize the

9:50

overall concept of the book

9:52

and maybe make it less formal. The

9:54

official title of the book now is OSINT

9:57

with a subtitle of resources for

9:59

uncovering online information and

10:01

it is now in the tenth edition available

10:04

online. Let's talk about specific

10:06

changes from the ninth edition. A

10:08

lot of the changes are from

10:10

feedback we received. So for example,

10:12

some people had feedback of

10:15

when I talk about cleaning up computers or

10:17

preparing your computers, I into bundle

10:19

together a lot of things and maybe that

10:21

wasn't as clear as it could be for each operating

10:23

system. We corrected that in this edition to

10:25

say, okay, if you have a

10:27

Linux host, here's what we recommend you 10. If you have

10:29

an Apple host, if you have a Windows host, we really tried

10:31

to break that out to say, if you

10:33

fit in this situation, here's what

10:35

we recommend. And we don't recommend all this other stuff

10:37

if that's not your situation. So we try to make

10:39

that a bit more clear. Next,

10:41

big changes in virtualization. The

10:43

previous edition really focused heavily on

10:46

Virtual Box, which is a great program.

10:48

I still use it in some situations,

10:50

but not for OSINT anymore.

10:53

Virtual Box, the biggest issue is for

10:55

Mac users. If you have one of those new Mac

10:57

machines, an m one machine, which is a great

10:59

machine for then you have

11:01

problems with virtual box. You probably also

11:03

have problems with even VMware Fusion and

11:05

other things like that. So the

11:07

book focuses a lot more on alternatives

11:10

to virtualization instead

11:12

of pushing virtual box down everyone's

11:14

throat. In the ninth edition, I

11:17

stated quite clearly that I don't

11:19

recommend Apple Silicon

11:21

machines. If you had that new MacBook Pro

11:23

with that m one or that m two chip, you're

11:25

probably going to have a bad time with OSINT. I

11:27

don't feel that way anymore. When

11:29

I was first starting to prepare for this

11:31

book and starting to write it, I

11:33

bought an m one MacBook Pro

11:35

in order to really

11:38

dive into any problems that a

11:40

person having that machine would have if they were trying to

11:42

replicate some stuff, especially with

11:44

virtualization and Linux virtual machines.

11:46

And what happened was

11:48

unexpected. I now believe,

11:50

and this is going to upset

11:52

some people. I believe that

11:54

the Apple m one MacBook

11:56

Pros might be the

11:58

best OSINT machine you can have.

12:00

The reason is the virtualization is so

12:02

much better when you're using the right software in the

12:04

right settings. I on my m

12:06

one MacBook Pro, I can launch

12:08

a macOS virtual

12:10

machine in a few seconds. A Linux virtual

12:12

machine in five seconds. I can then launch a

12:14

Windows virtual machine in less than ten 10. And

12:16

I can shut them all down in a second

12:18

or two. I can't replicate that with

12:20

Virtual Box on a Linux or Windows

12:22

host. I can also launch

12:24

Android virtual machines in their own native

12:26

environment without using Virtual Box

12:28

or Genymotion in about a second or

12:30

two. And it's so fluid, it's

12:32

so much better. I didn't

12:34

expect this, but I really like

12:36

doing OSINT on a MacBook m

12:38

one. Now, don't get me wrong. I don't

12:40

use MacBooks for personal machines.

12:42

I would not use them for my daily

12:45

that I do, but I think they're great OSINT

12:47

machines, so I do get into that quite a bit in

12:49

this new book. And I recommend them, I

12:51

think they work great if you have the right

12:53

programs in the right settings. The book

12:55

still offers guidance for Linux

12:57

and Windows hosts, but

13:00

I do put a lot of emphasis on

13:02

the MacBook Pro with an m one, it's

13:04

gonna be much quicker, much smoother, and you're going to

13:06

have less problems, which is something that just

13:08

I I still don't believe I'm saying that. The

13:10

book gets into a brand new

13:13

Linux virtual machine that has

13:15

been built from scratch, lots of changes, new

13:17

applications, new scripts, lots

13:19

of changes to the way we install the

13:21

software and maintain and update

13:23

the software. It's overall just

13:25

much more stable than the previous

13:27

version. Now, If you have the ninth

13:29

edition, you still have access to all those

13:31

resources, but we will no longer be updating the

13:33

ninth edition resources because there's a new

13:35

edition out. However, that content

13:37

will stay online. You will always have access to the

13:39

digital assets. We don't remove anything.

13:41

We just stop updating it. We are now

13:43

updating the tenth edition resources. The

13:45

new Linux VM in the tenth

13:47

edition is just much cleaner

13:49

and more reliable. We went

13:52

through each script and clean things up. We also added

13:54

new things and added entire new scripts,

13:56

which I'm very excited about as well. We

13:58

also make sure that you can run this new

14:00

Linux on any machine, Mac

14:02

Windows Linux, and regardless

14:04

of what your processor is, whether it's an Apple

14:06

processor or an Intel processor. It'll work

14:08

on anything we just talk a lot

14:10

about how some things will work much

14:12

better. This new tenth edition presents

14:14

six brand new chapters. That's

14:16

probably what I'm most excited about. I

14:18

did a chapter on broadcast streams, which

14:20

I've talked about on the show before, but I really wanted

14:22

to sit down and write out a lot of details about

14:24

how to take advantage of all these different live broadcast

14:27

streams. And then a new

14:29

chapter on application programming

14:31

interfaces, APIs. Now that's a bit

14:33

misleading because in the sixth

14:35

and seventh edition. I had a chapter on

14:37

APIs, but I removed that in the

14:39

eighth and ninth edition and just really

14:41

started to combine some of

14:43

that into some of the other

14:45

chapters. The other reason is a lot of the APIs

14:47

we were using in the sixth and seventh

14:49

edition, they would allow you to run the API

14:51

through a web browser, through a URL

14:53

And those services are starting to disappear. It's

14:55

not as easy to run those APIs. Now you have

14:57

to run them all through terminal. You have to

15:00

have maybe some kind of bash script

15:02

made for it. So we brought back the

15:04

API chapter and spent a lot

15:06

of time explaining how the

15:08

APIs work and then offer a script

15:10

which automates the process of all

15:12

the API stuff. This is

15:14

important because there are some new

15:16

extremely robust API

15:18

services, which will give you

15:20

results for your investigation, you

15:22

cannot get from a web page. So I think we

15:24

need to reintroduce APIs back

15:26

in, not just doing them through URLs or

15:28

through my search tools online, but the

15:30

option of let's have scripts

15:32

ready to go to where we can

15:34

we could put in our API keys. A lot of

15:36

them are free or at least offer a free trial, and we

15:38

can get details about our investigations

15:41

that you simply can't get anywhere else, but

15:43

you have to have that script. So the book

15:45

explains the APIs, manually

15:47

how to do it, and then here you go. Here's an

15:49

automated script. Also, the API script

15:51

is already embedded into the

15:53

Linux VM so you have it ready to go anyway.

15:55

Next, and this is probably what I'm most

15:57

excited about I added a new section

15:59

which contains four

16:01

chapters all about data leaks,

16:03

data breaches, stealer logs,

16:05

and ransomware. This is brand new

16:07

content which tries to tackle

16:09

two areas. First, how

16:11

do we find all this stuff? How do

16:13

we get all this stuff? But also

16:15

what do we do with it? So I added

16:17

a lot of new resources of how to go

16:19

find breaches and leaks and all

16:21

this different stuff. Find it

16:23

for free. Don't pay for it. Here's how we get

16:25

it. Here's how we bring it in. Here's how we

16:27

store it. But then here's how we search

16:29

it. Here's how we maintain it. Here's how we how we

16:31

clean it. And I came up with some new

16:33

ideas for people who are

16:35

struggling with how do you search through

16:37

four terabytes of stealer

16:40

logs and data breaches and data leaks. I

16:42

talk about a script I

16:44

use that helps me isolate what I'm

16:46

looking for and it really minimizes

16:48

my search time. I can typically

16:50

do a search with this method

16:52

in less than a minute and get back some

16:54

pretty good results versus if you try

16:56

to query four terabytes of

16:58

data on a spinning disk drive, you're going

17:00

to it's gonna be hours before you get results

17:02

back. So we try to really fix that problem. And

17:04

I don't I don't wanna claim that we

17:07

fixed I wanna say that we may have helped it.

17:09

The ideal solution, of course, is always to

17:11

build your own database, which quickly

17:13

exceeds the scope of this book and

17:15

of my abilities.

17:18

So we try to come up with some alternative

17:20

ways of for the average

17:22

person who's diving into breach data,

17:24

here's how to go get it, here's to store it, here's how to search it

17:26

and here's how to maintain it. A lot of the

17:28

things I've talked about on the show or at least

17:30

mentioned are explained in detail in

17:32

the book. About those topics.

17:34

Finally, we updated our search tools

17:36

quite a bit. These are the free online search

17:38

tools over at intel techniques dot com.

17:40

Click on the tools tab we updated

17:42

all of the tools in that tool

17:44

set in order to reflect the changes in the

17:46

book. So they we have those free

17:48

publicly. If you wanna just access

17:50

the tools. Those are up right now. I'll put a link in the show notes.

17:52

You can go play with them. The book

17:54

dives more into here's what each thing does

17:56

and here's why we care about those results.

17:59

I'm sure I say that I'm excited

18:01

about every book release, but this one

18:03

feels a bit different. I feel like

18:05

this tenth edition of the

18:07

OSINT book is breaking some new ground. It's

18:09

getting into some new things that no one else is

18:11

talking about that even I haven't talked about

18:13

on the show. So that excites me when we

18:15

get to enter that next

18:17

layer. The OSINT always

18:19

evolving. We've been dealing with OSINT for over a

18:21

decade. The things we talked about in twenty

18:23

ten and twenty eleven and twenty twelve

18:25

probably don't matter much today. I'm excited

18:27

about the things we can talk about in twenty

18:29

twenty three and apply those to our

18:31

twenty twenty three investigations

18:34

and constantly evolve with this

18:36

changing landscape. If you are interested in this

18:38

new OSINT book, go to my website inteltechniques dot

18:41

com. Click on the books tab. You'll get a ton more information there. I

18:43

won't waste any more of your time with that. Please

18:45

remember that book sales is what

18:48

drives this show. We don't have

18:50

ads on the show because book

18:52

sales help pay the bills. I sincerely

18:54

thank everybody who's had any interest

18:56

in this dumb little OSINT thing we've been talking

18:58

about for so long, I never thought it would

19:00

get as big as it has, and I am delighted

19:03

to play a small role in this. Alright.

19:05

Enough of all that. Let's get to the real

19:07

reason we are having this show this week and

19:09

that is the listener questions. As I

19:11

have said before, this is my favorite show to

19:13

do because I do absolutely zero preparation

19:15

for this. I get to sit back.

19:17

I get to dispute my opinions for

19:20

better or worse. But I can't do an episode like

19:22

this alone because no one wants to hear me

19:24

ask myself questions. So this year, I

19:26

asked my friend Naomi to come on the show.

19:28

Naomi Brockwell is a tech journalist

19:31

and she's the creator of NBTV media. She hosts

19:33

some of the largest blockchain and economics

19:35

conferences around the world, interviews

19:37

big names in tech and she can be found

19:39

on national television talking about privacy

19:42

and

19:42

cryptocurrency. Naomi, welcome to

19:44

the show.

19:44

Thanks so much for having me. I'm delighted to

19:47

be here. Alright. It's my understanding that

19:49

you have some overall stats

19:51

about the submissions. What can you

19:53

share about what

19:55

we

19:55

received? I can share that you received

19:57

a lot of questions. There

19:59

were one thousand eight hundred and sixty

20:01

three questions submitted, and we can either

20:03

do all of those or we can go with the

20:05

subset of those, which is thirty that have

20:07

been chosen. So it's up to you. We could go

20:09

for days. So we've got

20:12

thirty questions, two are show

20:14

related. We've got twelve that are privacy

20:16

related, twelve that are security related,

20:18

and then four that are OSINT. So

20:20

shall we dive into it? Okay.

20:22

The most asked question. We'll start with

20:24

that. And this is a question that is

20:26

dear to my heart. Where are

20:28

all the old podcast

20:29

episodes? I actually emailed you

20:32

about this when they disappeared. Where are

20:34

they? Are there some missing?

20:36

There are all of them missing. There

20:38

are all of them missing about from about

20:40

a year ago onwards. Yeah.

20:43

We we've been purging

20:45

old episodes for a couple of years

20:47

now. Typically, what we do is

20:49

once or twice a year, we go in and

20:51

purge everything over

20:53

one year old. And the reason for that is

20:55

is twofold. First, we wanna

20:57

be responsible. We don't want to have bad

20:59

information out there and there was some bad

21:01

information. We've been doing the show for many years,

21:03

so things that we've talked about in twenty sixteen,

21:05

twenty seventeen they not only might

21:07

not apply to today, they might be wrong. And

21:09

what was happening was, when this is the second

21:11

part of that, we were getting a lot of complaints from people

21:13

saying, hey, I listened to your show

21:15

episode four whatever from twenty

21:17

seventeen, I did the thing you

21:19

said. And then two years later, I listened to another

21:21

show or, you know, I listened to the show from two years later

21:23

after that, you said, that you shouldn't

21:25

do that anymore and basically you gave me bad

21:27

advice. I'm mad. So what we

21:29

found was easiest was

21:32

let's just prune old shows because a lot of

21:34

people are they're

21:35

taking old advice, which is now bad advice. It might have

21:37

been good advice at the time, but now it's bad advice.

21:40

Now they're applying these techniques, which I shouldn't

21:42

be applying. And we just want to be responsible

21:44

and say, let's don't allow bad information

21:46

to be out there because a lot of

21:48

people are following old stuff

21:50

thinking that still apply. Now I think

21:52

most people listening to the show know that if you

21:54

listen to a tech podcast from five or six

21:56

years ago, you don't put

21:58

faith in everything you hear

22:00

but a lot of people were doing

22:01

that. So we

22:02

pruned them and we will continue to prune them. So I

22:04

think right now, the oldest show is October of

22:06

twenty twenty one. I would anticipate by

22:09

spring we will probably go in again

22:11

and we basically prune everything over

22:13

a year

22:13

old. I realized people don't like that,

22:15

but we felt like it was the right thing to do.

22:17

So I I understand the

22:20

reasoning and it still breaks my heart,

22:22

but we'll go on to question number

22:24

two. This one made me giggle

22:26

when I read it, also because I have

22:28

exactly two favorite podcasts that

22:30

I listen to religiously. Never miss an episode.

22:32

One is this one, and the other is Darknet

22:34

Diaries. And the

22:36

the question I have here

22:38

is has your employee, Jason Edison and

22:40

Jack Rhysider from Darknet Diaries, have

22:42

they ever been in the same room at the

22:45

same time? That's

22:46

good. I can

22:49

say, with great honesty, I have

22:51

never seen Jason Edison

22:53

and Jack Rhysider in the same room at the

22:55

same

22:55

time, I will leave it that. Let the conspiracies

22:58

play. Excellent. Let's go

23:00

on to privacy questions. So we

23:02

got a bunch of questions that

23:04

are very similar. I'm gonna

23:06

read two at once and you can kind of deal

23:08

with them at the same time. Privacy dot

23:10

com, all of a sudden, wants

23:12

my social security number. I am not comfortable giving

23:14

that out. What should I do? And another

23:16

one was I tried to make a privacy dot com

23:18

account and they want a selfie

23:20

with ID sent to a company

23:22

called

23:22

Onfido. What's up with that?

23:25

Yeah. These are common. And I have

23:27

my frustrations too, but let's tackle both.

23:29

First of all, all banks in the

23:31

United States require what they what

23:33

they call KYC laws, know

23:36

your customer. Banks have to know who you are, your date of birth, your

23:38

social security number. There's no getting around that. Just

23:40

like if you went to

23:42

the local brick and mortar bank down

23:44

the road, and said, I want a checking account, but

23:46

I'm not going to give you my ID, my

23:48

name, my date of birth, my social security number. They will

23:50

tell you to get out. So as

23:52

far as them wanting your SSN,

23:54

that's pretty standard today. There are some legacy

23:56

accounts where you didn't have to give that, but they

23:58

were still doing a hard pull based on

24:00

your name and date of birth. So

24:02

either way, they probably have your Social Security number.

24:05

There's just nothing you can do about that. They're

24:07

technically a bank or at least a financial institution.

24:09

They have to do that. Now,

24:11

the second part I

24:13

understand the frustration, and I would

24:15

be frustrated too. I've heard a lot of people they

24:17

make a privacy dot com account,

24:19

and then something fails. Something goes

24:21

wrong and now privacy dot com wants verification and that verification

24:23

goes through a third party company, that third party company

24:25

wants you to take a selfie with your

24:28

ID. There's no way I would do that. And

24:30

I think this is all just simply a response to

24:32

fraud. A lot of fraud comes into

24:34

privacy dot com, so they have to be really careful

24:36

They have to protect their assets. I get

24:38

that. What I don't like is the

24:41

the relationship with this third party vendor

24:43

because it's not like you're even sending your

24:45

selfies to privacy dot com and they they

24:48

might try to protect it. You're going to a third party

24:50

vendor. You don't know what they're doing with

24:52

this. So I hate

24:53

that. What I would say

24:56

is,

24:56

first of all, I would never upload a

24:58

selfie of myself holding my ID. I would also never

25:00

send a copy of my ID. So if

25:02

that was the demand, I wouldn't do it, so I don't blame the

25:04

person for being hesitant there. The other

25:06

thing I will say is typically

25:09

if you are sent to third party verification, it's because there's been

25:11

some kind of trigger. You've you've triggered

25:13

something in their settings or in their system to say

25:16

something's wrong with this. And that could

25:18

be you were on a known VPN. You were using

25:20

a masked email address to create your account. You

25:22

were using some brand new VoIP number you

25:24

just got from from a

25:26

third party service, etcetera, etcetera. So in my

25:29

experience, if you don't trigger

25:31

those things, you probably won't

25:33

be asked to complete things like

25:35

third party verification. What

25:37

does that mean for how you do it

25:39

then? I would maybe try from public

25:41

WiFi when that's not behind VPN. That

25:43

could be one way. I wouldn't

25:45

use masked email services. Those look

25:47

suspicious. I would use a true email

25:49

address, whatever you determine that to be, and I

25:51

would be careful providing VoIP

25:53

numbers. All those things trigger.

25:55

If you trigger, you get sent to the third

25:57

party verification and then you find yourself in a

25:59

situation. I have done it before. I'm guilty

26:01

of it. So that's my best advice.

26:03

One is I would not upload

26:05

selfie and

26:05

two, be careful about what you do to

26:08

trigger those things.

26:09

I have like a question. You're you're

26:11

free to edit this out if you want. But

26:13

I have a question about privacy dot com

26:16

because I have a lot of questions around

26:18

financial data and how

26:20

much data banks versus

26:22

payment processors versus credit card companies

26:24

get access to. And so when I'm using

26:26

privacy dot com and they're giving

26:28

me a Visa card, is Visa

26:30

still getting access to this? Like, do they know who

26:32

I am? And do they know what I'm purchasing? Or

26:35

is there some sort of filter there? Do you know how that

26:37

works?

26:37

Everything's going to be a bit different. But

26:40

overall, no, Visa does not necessarily know who

26:42

you are, privacy dot com knows who you are, but

26:44

Visa obviously knows where you spent the money, how

26:46

much you spent. They could even

26:48

maybe get some IP address information. I don't know

26:50

that for sure. Privacy dot com, and a lot of

26:52

people confuse this with it's an

26:54

anonymous way to make purchases. It's not

26:56

an anonymous way to make purchases. It's

26:58

a way to mask information about your purchase.

27:00

For me, the benefit of privacy dot com

27:02

is I can buy things without my credit

27:04

card or my bank knowing what I bought

27:06

or where I bought them. But the real

27:08

benefit is I can use alias names. So when I use

27:10

a privacy dot com card, I can say my name

27:12

is John Smith to the vendor and the vendor can't

27:14

confirm whether or not my name is really John Smith.

27:16

I'm card privacy dot com just says, yep, that's John

27:18

Smith. We don't care what name he gives. So

27:21

it's masking. It is not anonymity.

27:23

It's not perfect. There's still a digital

27:25

trail. A court order to

27:27

privacy dot com or whatever bank they're

27:29

using would absolutely unravel all of

27:31

it. So it's really just masking and I think

27:33

that's an important distinction to make. Got

27:36

it. Next question. Are you aware that

27:38

South Dakota changed their

27:40

nomad form

27:41

requirements? If so, does that change things?

27:44

Oh, yeah. That's Well, I'm very

27:46

aware. I'm not sure how much it changes things.

27:48

So I'm going to paraphrase here because I

27:50

wasn't prepared for this, but

27:52

the old form, the nomad

27:54

form for South Dakota basically had two

27:56

questions, something like, are you declaring South

27:58

Dakota your state? Yes or no. Are you going to

28:00

ever return to South Dakota? Yes or no? And it was

28:02

pretty easy to say yes to both of those.

28:05

Now, they ask additional

28:07

questions such as again,

28:10

paraphrasing, do you have any

28:12

other connection to another state? But the big one they

28:14

say is, do you own a home in the other state?

28:16

And if your answer is yes to either

28:18

of those, you cannot be a nomad. There

28:21

are loopholes there. If

28:23

your trust owns your home, then technically you don't,

28:25

but let's get past that. That's probably

28:27

bad advice. Overall,

28:29

it does not impact people

28:31

truly following the book by the letter of the

28:33

law. When we talk about nomad stuff, we talk about

28:35

people who travel a lot, people who maybe don't have

28:37

that permanent home maybe don't declare

28:40

that permanent home. So is

28:42

this a hiccup? Of course. It's definitely going

28:44

to weed out the people who are

28:46

probably pushing the boundaries a

28:49

bit anyway. Which might not be a bad

28:51

thing. I have not had

28:53

it be an issue for me or my clients

28:55

yet because we're

28:57

very careful to make sure we are obeying the law when we do these

28:59

things. But for the person who you

29:01

own that home in California and you're trying to

29:03

be a South Dakota nomad, this is going to

29:05

be an extra block to prevent

29:07

you from doing that, which is responsible and

29:10

appropriate. We don't want those situations. We don't

29:12

want to abuse these privileges. We

29:14

want to make sure we're following the

29:15

law. Got it. Alright. Next

29:17

question is about Twilio. I

29:20

recently or I wanted to ask about a

29:22

Twilio email that I received last month

29:24

regarding registering 10DLC

29:26

numbers. Just wanted to check if you guys had seen

29:28

it and whether we need to do something about it.

29:30

I have to confess, I had to look up what

29:32

10DLC numbers were. This

29:35

is basically just a response to new regulation.

29:37

There's new regulation that's trying to prevent

29:40

spam calls, spam text

29:42

messages. Which is great. It won't work,

29:44

but kudos for trying. So what happens

29:46

is, like, with most of things, when

29:48

we have prevent people from doing bad

29:50

things, the people who aren't doing the bad things get caught up

29:53

more than the people who are doing the bad

29:55

things. This will not stop spam texts.

29:57

But anyway, Twilio

29:59

is basically saying and so are a lot of the

30:01

VoIP places. If you want to send text messages

30:03

through our service, we need to know who you are and we

30:05

need to have an EIN number for

30:08

your business. I think this is another reason

30:10

that Twilio is really pushing

30:12

away from individuals. A lot of times

30:14

when you apply for a Twilio account and say you are

30:16

an individual, they say we don't

30:18

want you. We want businesses. So Twilio is now

30:20

saying if you want to send text messages, we

30:22

need your business name and your EIN

30:24

number from the IRS. That,

30:26

of course, throws a bit of a

30:28

roadblock. So my advice is, first of all,

30:30

you have to do nothing right now.

30:32

Even Twilio's saying, if you are a sole

30:35

proprietor we're going to give you an

30:37

option later this year to do that. So

30:39

Twilio is not going to cut you off tomorrow if you

30:41

don't respond to this, but eventually you will have

30:43

to respond to it. If you send text

30:45

messages from a standard number through Twilio,

30:47

you could get a sole proprietorship through the

30:49

IRS, you could get a DBA, a doing business

30:51

as name, and you could provide that number, keep

30:53

going on and you'd be fine.

30:55

I don't send texts through Twilio.

30:57

That's not how I use it. I use Twilio for

30:59

incoming calls and outgoing phone calls. I

31:01

use Twilio for incoming texts. I don't send

31:04

messages. Therefore,

31:06

because I don't do that, Twilio has not told me

31:08

I have to register with this new regulation.

31:11

So that's one thing. Just don't send

31:13

texts, which may be not applied. The

31:15

other option you can do is you can get a toll

31:17

free number. For whatever reason, if you had a

31:19

toll free number through Twilio, you do

31:21

not have to respond to this and you do

31:23

not have to declare your EIN. That

31:25

makes zero sense to me

31:27

whatsoever because you can scam from

31:29

a toll free number probably better than a

31:31

regular number. So advice number one is wait.

31:33

Let's see what they come up with. Advice number two is if you

31:35

need to send messages,

31:37

get a sole

31:38

proprietorship, and advice number three would be

31:41

consider toll free number and just avoid all of it.

31:43

So let's dive into MySudo because

31:45

there were lots of questions about that.

31:49

People want to know, can you provide any updates on MySudo

31:51

for GrapheneOS and Graphene

31:53

OS push services in

31:55

general? Also, could you please explain your

31:57

usage of MySudo plus Graphene

32:00

OS since currently MySudo

32:02

doesn't work with push

32:03

notifications. Can you just overall tell us what

32:06

you've changed since the book in regard to

32:08

mobile

32:08

devices. Loaded

32:10

questions. What happened to yes or no questions?

32:12

Not like that. They

32:14

prefer run on questions with, like, five

32:16

bundled together.

32:17

Yeah. Okay. Alright. Well,

32:21

first, MySudo

32:23

works fine on GrapheneOS as

32:25

is, and it works one hundred percent if you

32:27

have push services enabled.

32:29

So saying that MySudo doesn't work with push

32:31

notifications is not accurate. You would just

32:33

have to enable if you're using GrapheneOS, you'd

32:35

have to enable within the GrapheneOS

32:38

apps. The Google Push services,

32:40

which are sandboxed, those

32:43

aren't the same as typical Google

32:45

Push services, which have complete

32:47

access to your entire phone, your entire operating system.

32:49

These are very limited. They

32:51

are sandboxed. And if you enable those

32:54

Google Play services, then

32:56

MySudo works a hundred percent, well, maybe not

32:58

a hundred percent, but you get you get notifications

33:00

of incoming text and you can answer phone

33:02

calls on your

33:04

device. Now, let's revisit some

33:06

of that though

33:07

because in the past, I've always

33:09

said I don't enable the Google push services,

33:11

and that's still true. I don't.

33:14

I don't enable Google push services within

33:16

GrapheneOS because I don't need it. I don't

33:18

want my phone dinging, buzzing, ringing all

33:20

the time and interrupting me.

33:22

I check my messages on my terms,

33:25

I pull, I don't push.

33:28

Now, that being said, the

33:30

push services within GrapheneOS, sandboxed,

33:32

are actually done quite well

33:35

and I don't have a big objection

33:37

if you use them.

33:40

So if you need push

33:42

services and you're just worried

33:44

about turning on Google, I would revisit

33:46

that. And the reason

33:48

is Google, GrapheneOS-wise, you don't have an account.

33:50

You're not putting in a Google account. Google's

33:52

not creating a dossier on you like Apple

33:54

does when you put your account for an

33:56

Apple ID. Basically, you're you're

33:58

giving very minimal information to Google. You're giving

34:00

them your IP address. There's no way around

34:02

that. You're giving them some kind of unique

34:04

identifier from the sandboxed services,

34:06

there's no way around that. But it's not like Google can build

34:08

a big dossier on everything you're doing

34:10

and who you are. Now

34:13

again, extreme people, I don't

34:15

blame you for not wanting to connect to Google. That's the

34:18

camp I fit in. But I'm seeing

34:20

more and more clients adopt GrapheneOS

34:22

phones. Great. But of

34:24

those, a large majority are saying, I need

34:26

push services. Fine. No objection. I

34:28

would much rather you have push services

34:30

through sandboxed Google Play and a

34:32

GrapheneOS device than go back to the

34:34

iPhone or go to a stock

34:36

Android device, which is doing all

34:38

kinds of nefarious things in the background. I

34:40

also believe push services

34:42

sandboxed within GrapheneOS is better

34:45

better than a custom

34:47

ROM that has microG. I don't like

34:49

microG that much. So you know, there's

34:51

a lot of things to consider. I know I'm maybe not

34:53

completely answering the question. As far as I think

34:55

they asked, what what are

34:57

we doing different? A

35:00

lot. We're looking at eSIMs

35:02

over physical SIMs now. We're looking at a lot of

35:04

WiFi calling options. We

35:06

are considering creating a full

35:08

digital PDF guide probably seventy five

35:10

to a hundred pages that will

35:12

walk through everything we

35:14

do when we create a GrapheneOS device

35:16

for

35:17

a client.

35:18

That's not going to happen tomorrow. It's just something we're throwing around that we can

35:20

make a digital only type of thing. I don't know

35:22

what's going to happen with that. If there's enough demand,

35:25

we'll do it. Did I answer

35:27

that question? What am I missing

35:29

here? Well, I mean, I think you covered everything there,

35:31

but I have an additional question to

35:33

tack on because MySudo,

35:35

I know historically you haven't been

35:37

able to purchase plans on

35:40

GrapheneOS because you

35:42

need to either use, like, Apple Pay or Google Pay

35:44

or something. So is that still the case that you need a separate device in

35:46

order to pay for a plan and then you just

35:48

port it over to Graphene

35:50

OS? Yes,

35:52

that's absolutely still the case. And that's because you have to not only

35:54

have Google services, you have to have Google Play, and

35:56

you also have to have a Google account signed

35:59

in to make that. And it's

36:01

a pain, but a lot of that is due to regulation by these carriers, so like

36:03

Apple and Google might say, look, if

36:05

you have this app in our store, that's great, but

36:07

you can't go

36:10

out and sell it yourself through your site, you have to sell it through us. Now I don't know the state

36:12

of that right now. I know that there's some

36:14

regulation coming down on that, but that's always been the case

36:16

for a

36:18

long time. So for me, what I do is I

36:20

keep my an old

36:22

iPhone. I have an old iPhone original

36:24

SE old. I don't

36:26

use it. The only

36:28

purpose for it is it has a

36:30

backup of or a connection association with

36:32

my MySudo account on it. When

36:35

I need to up the annual whatever, I from that device, from

36:37

another network, whatever I wanna do

36:39

to be super secret. And

36:41

I can pay for it that way. I can also pay for it

36:44

with Apple card. I can add an

36:46

amount to my my

36:48

account. So that device serves two purposes. One, I turn on

36:50

once a year to renew

36:52

and two, it's a backup if I lose

36:54

my primary device because

36:56

MySudo doesn't know who I am. I never registered

36:58

with MySudo. That's not how they work. They don't care

37:00

what your email address is. They don't care what your cellphone

37:02

number is. So it it's not only

37:04

the backup. It's also the

37:06

way I make purchases. Now, if you don't

37:08

have that, I have set up

37:10

an Android emulator before

37:12

with full Google apps and Google Play

37:15

Services logged into a Gmail account and in the emulator could

37:17

make the purchase and then just connect

37:19

it to my

37:22

MySudo account on the GrapheneOS device. So you have a couple of options there.

37:24

Having the second device

37:26

works much

37:27

better, also that serves

37:29

as your backup in case you ever

37:32

lose

37:32

your device. So

37:32

I like that option a bit better than doing the VM. Got

37:34

it. Let's talk about

37:37

Authy Authenticator and Bitwarden have

37:40

a question here that says at least the versions I see on

37:42

Aurora store require GSF. It

37:45

won't function correctly without GSF.

37:47

Is there any

37:49

way to install or use these apps on

37:51

Graphene without using GSF, meaning Google's

37:54

services framework. Yeah.

37:55

When you go to

37:58

Aurora store, and you look up an app, it tells you whether or not it needs

38:00

the GSF, the Google Services

38:02

Framework. Both of those applications work

38:04

fine without

38:06

it. So first, I would

38:08

encourage you to explore,

38:10

experiment, and test. If it says it requires

38:12

GSF, don't run away without trying

38:14

it. Both of those apps work fine

38:16

without GSF. The reason it

38:18

says you need GSF

38:20

on Aurora Store is because if you want full

38:22

functionality, then yes, you'd have to have it. So

38:24

for example, if you want push notifications about something

38:27

through Authy or Bitwarden, then you

38:29

would have to have GSF. But if you don't need

38:31

that, which I don't think anyone would,

38:33

then you don't need it. Much like if you want to

38:35

buy Bitwarden through the Google Play Store, then you

38:37

would need access to GSF.

38:40

So short answer is both of those applications and most applications

38:42

on Aurora store that say they need

38:44

GSF to work, work fine

38:46

without it. That typically means that

38:49

some functions require GSF. Another example

38:52

is I bet pro I haven't looked. I bet

38:54

ProtonMail on Aurora Store says

38:56

it needs GSF. fine

38:58

it. You just won't get push services

39:00

if you don't have that

39:01

installed. So, play around and, you know,

39:03

test it yourself. Can I ask

39:05

a tangential question

39:07

about diving into the world of different

39:10

password managers and the difference

39:12

between them and browser password

39:14

managers. Like, the ones

39:16

in built to the browser. Do like, I I understand there

39:18

is security trade offs for each,

39:20

and I know that you recommend

39:22

KeePassXC for offline use or Bitwarden

39:24

for online

39:25

use, but can you walk me through some of the trade-offs?

39:28

Well, I would never recommend using your

39:29

browser's built in

39:32

password manager. If

39:34

you get hit with a virus that has

39:36

a stealer log in it, then

39:38

it's going to grab that from you. So if you're

39:40

just using your browser to store your passwords,

39:43

and you get hit with a stealer log, you're done. All of

39:45

your passwords that are stored in your browser just

39:47

went off to bad guy and bad guy just shared

39:49

them with a bunch of other bad guys. So that's

39:52

completely out. I

39:54

like a desktop version of my

39:56

password manager because that can give me

39:58

one hundred percent offline use. A lot of

40:00

the browser-based ones

40:03

either connect to your desktop or connect

40:05

to the servers online. I don't want to require an

40:07

Internet connection if I need to see

40:09

if I need to see something in my password manager, so it's

40:12

important for me to have complete offline access. And

40:14

typically, the only way to do that is to have

40:16

a desktop application. There

40:18

are exceptions, there are caveats

40:20

there, but I don't want to

40:22

rely one hundred percent on anything in the

40:24

browser because offline I might be in

40:25

trouble. That is tremendously

40:28

helpful. Thank you. Let's talk about

40:30

mobile routers. So have you considered

40:32

using a mobile router instead of

40:34

placing a

40:36

SIM card inside the phone. This way, it would eliminate the need

40:38

for a second mobile device for home

40:40

use only as the only device that

40:42

should sit inside a Faraday bag

40:45

would be the mobile

40:46

router. This is particularly interesting to me

40:48

because I'm about to dive into the world of

40:51

like CalyxOS hotspots and I'm

40:53

very interested in the for security trade

40:55

offs? I I get the allure

40:57

of and if I'm understanding this

40:59

right, you just put

41:02

a hotspot and that provides access to your phone.

41:04

Your phone never has a cell

41:06

phone, SIM card, or eSIM in it.

41:08

So therefore,

41:09

you don't have to Faraday the

41:12

phone. Okay. I get that. But the

41:14

answer is no. I don't

41:15

consider doing that. First, if you have

41:17

a hot spot and that's providing your

41:19

access wireless to your phone. Your hotspot is

41:21

constantly announcing your SSID. Yeah. You

41:24

can hide it, but no, it doesn't truly hide

41:26

it. But basically, now that

41:28

hotspot is not just tracking everywhere

41:30

it goes through cell towers, but

41:32

also WiFi could pick up

41:34

that device. So I don't

41:36

like that. I think there are some battery concerns. I think the hotspots could

41:38

drain on you and now you have problems with charging and

41:40

getting keeping those up.

41:42

You're still carrying

41:44

two devices that way. So I'm not sure what that's helping.

41:46

The same cell location tracking

41:48

is going to happen to the hot spot

41:51

as it would your phone. I guess my answer is,

41:53

if that works for you, great. Not I'm

41:55

not objecting. I'm not dissing that.

41:58

That wouldn't work for me and I don't

42:00

think it my clients. So for

42:02

me, that's a

42:02

no, but if it works for you, great. Cool. Let's

42:04

talk about Mint Mobile. Can

42:08

Mint Mobile or, I guess, any carrier actually, see hardware

42:10

identifiers when activating a Mint trial

42:12

card and potentially link numbers activated

42:14

on the same device.

42:17

Oh, absolutely. Any carrier is going to get some kind of

42:20

identifiers, at least the IMEI at the

42:22

minimum to

42:24

operate. So if you have that one

42:26

phone and you're doing eighteen Mint

42:28

Mobile trials, you're actually probably

42:30

going to do one because they're not going to let you do a

42:32

second one or a third one. Absolutely.

42:34

Any carrier is going to see

42:36

something hardware wise about your

42:38

phone in order to

42:39

function. That was

42:40

a big shock to me when I first

42:42

learned that and I interviewed a guy who talked

42:45

about the messages that your SIM card

42:47

sends out without you even realizing because

42:49

it's just talking with the baseband

42:51

processor, not actual OS. And I was like, oh my god. Like, it was

42:53

it was pretty shocking to me, actually. Well, not just

42:56

your carrier, but all cell phone

42:58

towers. You know? So if you know, if you think,

43:00

oh, well, I don't have coverage with AT and T

43:02

here, so I'm good. Well, if you have your if

43:04

you can reach a Verizon tower, they're collecting the

43:06

same type of information about you anyway.

43:08

And again, that's why I like Faraday bags. That's why for me a

43:10

cell phone is a very intentional thing. When I

43:13

need it, I will use it. When I don't need

43:15

it, it's not in use and it's it's

43:17

being blocked by a Faraday bag. Got

43:19

it. So we've got a question here

43:21

about name changes. Someone says getting

43:23

married soon and plan to change my

43:25

name to my husband's. Any issues with leaving

43:27

bills and other subscriptions in my current name for

43:30

an extra layer of

43:32

privacy?

43:33

No issues. No objection,

43:36

no concerns. It might offer

43:38

you a small layer. If you

43:40

change your name to your spouse's name,

43:43

that's going to, of course, get in all

43:45

the systems. So if hunting not help you a whole

43:47

lot. But if you have a very if

43:49

your last name is Smith

43:52

now, and you're marrying someone and taking their last name which is much more unique.

43:54

Yeah. I'd say leave them in the leave them

43:56

in the old name. You're going to create a slight

44:00

distance for your new identity from your old

44:02

identity, but just know that that can always be

44:04

connected back later if you become

44:06

a target.

44:08

And then so from a privacy perspective,

44:10

that could provide help.

44:12

But is there any issue with

44:15

being able to access your accounts if that's

44:17

no longer your legal

44:17

name? Shouldn't be. I've had numerous clients

44:20

who still today after

44:22

ten years of marriage use their

44:24

maiden names. And if something

44:26

ever happens, they can show proof. Oh, well,

44:28

that was my maiden name. And then I got married. Oh,

44:30

did I forget to call you and tell you I got

44:32

married? I've never had an issue because

44:34

even with a name change

44:36

from an old name to a spouse's name. You have

44:38

the same social security number. You have the same date of

44:40

birth. And your credit report is going to merge the

44:42

two almost immediately. And if you have a

44:44

true problem, company's going to

44:46

have access to a credit report and they will be able

44:48

to see, oh, yeah, you got married. Okay.

44:50

So, no, I've never had an issue with that. If you

44:52

were just if you decided to change your name just because that

44:54

could be an

44:54

issue, but even then we've gotten away with that

44:57

too. Right.

44:58

Next question. In UNREDACTED

45:00

magazine 001, pages

45:02

ten to twelve, discuss obtaining a

45:05

Massachusetts liquor ID in

45:07

an alias name. Can you confirm if the method presented

45:09

is effective? Any other comments you would

45:12

add regarding this

45:14

general approach?

45:15

I can confirm it works. I

45:17

won't go any deeper than

45:20

that. However, it is

45:22

a lot of hassle for

45:24

a small

45:24

reward. And I would That's my big caution. Do you need

45:26

it? And that's

45:27

really the question we ask a lot is, before you do

45:29

anything, ask yourself, do I need to do this? And if the answer is

45:31

no, then why do

45:33

it. So, but the answer is yes. Okay. Well, let's talk about

45:36

ways to get this done. So, could you get

45:38

an official state ID from

45:40

Massachusetts in an alias name? Yes. That

45:42

does work. What does that

45:44

get you? What are you gonna use it for?

45:46

And could it get you in trouble? So

45:48

if if you have

45:50

that state ID in one

45:52

pouch of your wallet and your real ID in the other pouch and you get arrested for whatever

45:54

and the cop finds

45:54

that, that's going to be a

45:56

problem. Now you might be able to explain all

46:00

day about UNREDACTED Magazine, which

46:02

they won't know about and they won't care about. And

46:04

you might be able to explain all day that no, that's a

46:06

legal ID in an alias name. They won't care

46:08

about that

46:10

either. So a lot of times, it's not whether something's legal

46:12

or illegal. It's whether

46:14

is the risk of that

46:16

worth the justification to use

46:19

it. So I like to push the

46:21

limits

46:21

for me. It's kind of fun. I don't

46:23

mind that, but I also feel like I

46:26

could maybe talk my way out of that if I

46:28

got caught. So what I

46:30

encourage people to do is

46:32

only go the route of those types of things

46:34

if you truly need it for some reason,

46:36

if it's truly going to help you, okay,

46:38

consider it. If you're doing it

46:40

for

46:40

novelty, I would say don't do it.

46:41

Got it. I have questions about LLCs

46:43

versus trusts. So the maximum

46:45

privacy with real

46:48

estate ownership. Is it best to have a home owned by a

46:50

New Mexico LLC managed by

46:52

a trust or a home owned by

46:54

a trust managed by a New Mexico

46:57

LLC? Alright.

46:58

I'm doing the

46:59

math of that.

47:00

I'm gonna not

47:03

answer and say neither. We

47:06

are moving away from LLCs

47:08

because of new rules and

47:10

laws requiring disclosure of

47:12

LLC beneficiaries. We

47:14

have a couple of years before we are really

47:16

forced. It starts now. It's in effect now

47:18

for new LLCs, but we have

47:20

until twenty twenty four

47:22

for LLCs created for twenty twenty, and we have until twenty twenty five for LLCs we

47:24

UNREDACTED before twenty twenty. But

47:26

anytime you add

47:30

an LLC to some ownership, no matter if it's the owner of

47:32

something or the beneficiary of something, you are

47:34

now adding a layer which could be

47:37

unraveled. So for me, we

47:40

don't encourage the use of LLCs

47:42

for homeownership or the

47:44

use of LLCs for ownerships of

47:48

trusts which buy homes. And the real reason is

47:50

the trust has more power than the LLC today.

47:52

The trust doesn't have any regulation about

47:54

reporting. The trust, we can keep anonymous.

47:58

The other thing is I see all these companies online that are

48:00

pushing we will create this thing

48:02

for you where we have five

48:05

LLCs, three trusts, they all own

48:07

each other and no one will ever track them back down

48:09

to you.

48:10

That I have a problem with

48:12

that because now I only have to

48:14

unravel one piece of that. So if

48:16

you have a trust I'm sorry, if you have a home owned by

48:19

a trust and that's it, you have one

48:21

layer of unraveling. You only have to

48:23

protect that one trust. If

48:25

you have three LLCs which own trusts and

48:27

do all this weird stuff, if I can

48:29

unravel any of them, if I can poke a hole in any of them,

48:31

if I can find a state which will give me information

48:33

about any of them, Now I can unravel

48:36

everything about you without knowing the other details. So

48:38

for me, I like to

48:40

reduce the layers and I would much

48:42

rather own a home in the name of a trust and

48:44

that's it. Versus incorporate a bunch of LLCs into the mix, I

48:46

think you're asking for trouble after

48:48

January first of twenty twenty four.

48:50

And it

48:51

was also interesting that they specified New Mexico

48:54

LLC. Because my understanding and maybe I'm

48:56

wrong, but my understanding was that,

48:58

like, sure some states have

49:00

better rules for LLCs,

49:02

but it depends which state you're in

49:04

and you have to abide by the rules of

49:06

other states, LLCs. Or there's like some some

49:08

weird things that kind of make it silly

49:10

to have an LLC

49:12

in another state

49:13

anyway. Yeah. The New Mexico LLC

49:15

has its long tradition of being the private LLC,

49:17

which it has

49:19

been. That ship has sailed because if you try to buy a home

49:22

in California with the New Mexico LLC,

49:24

the title company is going to mandate

49:26

that you register that New Mexico LLC

49:28

as a foreign LLC within the State

49:30

of California and provide the trustee

49:32

and the ownership and the beneficiary and all that

49:34

stuff. So you lose all

49:36

your privacy. Do I have New Mexico Of I

49:38

have some aged ones that maybe will serve

49:40

me some purpose someday. I if I

49:42

had to open an LLC today, it would not

49:44

be a New

49:46

Mexico LLC. See because it doesn't really matter the state anymore, it's

49:48

not totally true. It matters where you're

49:50

going to use it. Howard Bauchner: Right.

49:53

And question related to LLCs,

49:56

which maybe you've partially already

49:58

answered, but I'll ask it anyway. I've

50:00

had awful luck

50:02

opening business checking accounts at small local credit unions and

50:04

banks for a New Mexico LLC.

50:06

Many straight out refused to open the account

50:08

due to the fact that the LLC is out of state and

50:10

not registered

50:12

as a foreign LLC. A PMB, as my home business

50:14

address, only provides for further suspicion

50:16

and risk of being

50:18

declined. How do you get past

50:20

these roadblocks when opening a business checking

50:22

account? Yeah.

50:23

I think we just we talked about that a little bit.

50:25

Well but let's revisit. One,

50:27

I'm not surprised. Again, the the New Mexico

50:29

LLC ten years ago was kind of 10 secret

50:32

thing. Now, it makes everyone raise an

50:34

eyebrow at, well, what's this guy doing?

50:36

Why is Why is he in this

50:38

bank in this state bringing a New Mexico

50:40

LLC? We don't like this get out of here. So not

50:42

surprised at all. You're going to have those

50:44

issues. This is

50:46

why we are very

50:48

careful about how we do this. So for example, as

50:50

I said previously, most

50:52

states require foreign LLCs to

50:55

be registered in that state in order to

50:57

do things like open a bank account. So

50:59

for us, if I needed

51:01

a bank account and it need to be

51:03

in a foreign or an LLC, let's say, through South Dakota or New Mexico,

51:05

whatever, I would open it in that state. So for example,

51:08

with South Dakota LLCs, I can create

51:10

those online in

51:12

a matter of seconds. I can get my number right away. I can go to the IRS. I can

51:14

register that right away. No issue

51:16

there. If I go to a bank in the

51:18

county of my PMB in South

51:20

Dakota and show them my Dakota

51:22

LLC, my South Dakota driver's license. I

51:24

show them all those things. I've never had

51:26

an issue opening a bank account. If I

51:28

take that South Dakota LLC and go

51:31

to California, of course, I'm going to have an issue. So is that

51:33

expensive? Yeah. But we pay that cost to say,

51:35

alright. Well, paper rock scissors,

51:38

who's going to South Dakota to open this bank account

51:40

and we just do it that

51:41

way? Yeah.

51:42

That sounds like quite an adventure. We're

51:44

going to open a bank account in another state.

51:46

I maybe one day, I'll tackle

51:49

that. We've got a question

51:51

about custom domains for

51:54

emails. So regarding the generic custom

51:56

domain, suggested for email

51:58

strategy, I have two questions. Taking

52:00

into account that as I'm the only person

52:02

this generic custom domain, how can I avoid

52:04

being tracked? And the second part

52:06

is, are there any tips on out

52:08

of better compartmentalized

52:09

addresses, for example, banks, government, utility services,

52:12

etcetera, on the generic

52:14

custom domain.

52:15

Well, the first thing I will say is all email

52:17

is tracked. Don't think of it as private. Now,

52:19

of course, there are exceptions. If

52:22

I email from my

52:24

Proton Mail to Naomi's Proton Mail,

52:26

okay, there's some privacy or from my Tutanota

52:28

to her

52:28

Tutanota. There's some privacy. However, once you

52:31

leave that ecosystem, you're

52:33

done. I got the most secure private email in

52:35

the world. If I email a Gmail account,

52:37

it's done. So the idea for me

52:39

is all email is tracked except

52:41

that and understand why and how

52:43

you use email knowing that information.

52:46

So for me,

52:47

nothing sensitive has ever sent over email

52:49

from any provider. Period. Now

52:51

that being said.

52:52

As far as your question specifically

52:54

about the domains, first, make sure you

52:56

have a catch all assigned so that you can create

52:59

email addresses on the fly and have them

53:01

sent. For me though, the big piece is

53:03

if you're going to use

53:05

a custom domain for

53:06

personal stuff in your name

53:09

and for alias stuff, then you really need

53:11

two domains at minimum. So for me, I have a

53:13

domain I use for all my personal stuff, not all of it,

53:15

but a lot of it. And I don't ever use it for

53:17

alias. I don't use it for signing up

53:19

for questionable

53:20

stuff. It's all stuff related to my name, so

53:22

who cares?

53:22

And I don't mind that all of that can

53:25

be associated with the same domain. Now, if I wanna

53:27

do something a little more sneaky, and I need

53:29

a custom domain because whatever service is blocking all the free ones, then I

53:31

have a different domain for that kind of stuff.

53:33

I consider it dirty, I

53:35

consider it burnt, but it's never attached

53:37

to my name. So for me, it's a matter

53:40

of isolating real name

53:42

stuff versus non real name

53:44

stuff. That's the priority. And

53:46

then from there, you can create addresses on the fly.

53:48

So if I want if my bank

53:50

demands an email address, I might

53:52

give them the name of that bank

53:54

at whatever domain I'm using for my real name, but I would never give them the domain

53:56

I'm using for alias stuff. So for compartmentalization,

53:59

that's my rule.

54:02

Name, non name. Everything else is kind of secondary

54:04

and there's really no there's

54:06

no privacy

54:06

from tracking in

54:07

the long run anyway

54:10

with email. That's the strategy

54:12

that I used and I actually got it from

54:14

your book. So thank you. But yeah, I

54:16

have a bunch of different domains

54:18

that don't have any association with my

54:20

name really helpful just to set up countless catch

54:22

all addresses on the fly or

54:24

set up a catch all so I can create

54:26

more addresses on the fly. And that's

54:28

been, yeah, it's been really helpful. And now

54:30

I've kind of siloed different

54:32

things to different OSINT. And I guess it's

54:34

just something you kind of evolve over

54:36

time, but Do you have like, do are there certain categories that silo?

54:38

Like, all government things with one

54:40

domain or shopping things with another?

54:42

Or is it kind of a

54:44

mixed

54:45

bag. I used to I used to get crazy with it. I

54:47

don't anymore because there is so many things that

54:49

can tie together. So

54:52

I'm not going to buy a premium protonmail account for

54:54

every little thing and have twenty premium accounts I'm

54:56

paying for. I'm going to use one account and I'm probably

54:58

going to add several addresses to it.

55:01

So, really, if I was doing something

55:03

super nefarious and proton

55:06

mail received a Swiss court order, it would

55:08

tell that anyway So I I

55:10

remind myself, who am I hiding

55:12

from? Am I hiding

55:14

from just the typical data aggregators

55:15

online? Yeah. Pretty much. I'm not trying to from not to

55:18

US marshals. So I don't get

55:20

carried away like

55:20

I used to I used to do it for

55:22

sport and that just gets exhausting, but

55:26

also I really try to replicate what I recommend my clients do so

55:28

that I can understand what they're going

55:29

through, and I would never ask them to go

55:32

that far.

55:34

So we're gonna move into security

55:36

now. This this first question

55:38

that I have is kind of hilarious

55:41

they word it. So I'll just I I kind of wanna read it in,

55:43

like, a dramatic comment 10

55:46

voice. So in the password

55:48

managers episode you failed

55:50

to mention that browser extensions for

55:52

password managers prevent phishing attacks

55:54

since they won't populate passwords on

55:56

a different domain. Why was this not part

55:58

of the show. I just that that

56:00

question made me go, because the person is they're

56:02

so angry at

56:03

you, Michael. Why did you

56:04

do this? Well, first of all, that

56:07

is the common tone I get. And eat.

56:09

So I don't know what what you're getting at.

56:11

So okay.

56:14

First, Why

56:16

didn't I cover it? Because it's not true. And this

56:18

is going to boy, it's gonna upset some people.

56:20

That's okay. That's what we're here for.

56:24

If I if I hear it correctly, what I'm

56:26

hearing is they're mad that I didn't talk about

56:28

how if you're using a password

56:30

manager and you've got the

56:32

the

56:32

browser, application or the

56:34

browser extension in your browser, then

56:36

if you go to

56:37

a phishing site like bank of america

56:39

two dot com, then it won't

56:41

populate your password. Very valid point, but

56:43

to say that that prevents phishing

56:46

attacks, that's just not true.

56:48

That's naive. Auto

56:50

population does not prevent phishing attacks. It

56:52

might slow it down. It might make someone

56:54

pause and say, wait a minute. Why did that

56:56

not populate? But it doesn't prevent

56:58

it. It prevents

57:00

passwords from automatically being

57:02

populated on an incorrect

57:04

domain. Maybe you're being To go

57:06

somewhere else. Okay. I get that and I I respect that.

57:09

But many websites, especially

57:12

banks, they block

57:14

the entry of passwords from

57:17

password extensions. I have a

57:19

couple of my own where you

57:21

can have password manager extension in your browser,

57:23

when you go to that website, they block it

57:25

and they do not let you auto populate it.

57:27

I even have one bank that doesn't let you

57:29

copy and paste. You have to type

57:32

So anyone who's going

57:34

to fall victim to a phishing

57:36

attack likely has some websites they

57:38

already have to manually populate their passwords

57:40

into anyway, it's not going to be huge

57:42

stretch that they have to go copy and paste

57:44

it from their password manager. It might slow

57:46

things down. It might make them question, but

57:49

it doesn't prevent it. A good attack,

57:51

a really good phishing attack is going to

57:53

scare the victim anyway. Their guard's going to be down. They're

57:55

going to be worried. They're going to

57:57

be upset, and they're going to not question

57:59

about why their password manager browser extension stopped

58:01

working. They're going to go get that password and

58:03

log in. So I think it's

58:05

naive to say that auto population would

58:08

prevent this. I think it's fair to say it might

58:10

slow it down and it might stop it for

58:12

some people. But let's look at the typical victim of a phishing

58:14

attack. Do you think the lack of auto

58:16

population is going to make them

58:18

truly stop and

58:20

not fall for the attack and my belief is no. Most

58:22

people are still going to fall for the attack and

58:24

they're still probably going to become a victim and

58:26

that's why I didn't get into

58:28

that. Yeah. I also I had your instincts

58:30

that this is incorrect. I had done

58:32

some research into different studies on this, and

58:34

yes, it is possible for things to

58:36

be happening in the background where

58:38

you think you're on a specific site, but there's something else running and is

58:41

actually collecting that password whether it's autofilling on

58:43

the correct site or not. So it's like there's a

58:45

lot going on there and it

58:48

seems that passwordless seems like the future

58:50

of being that hopefully eventually everyone

58:52

will will start to become

58:54

compatible with

58:56

But as long as you are transmitting a password over the Internet,

58:58

there can be a man in the middle,

59:00

there can be phishing attacks. And suddenly when

59:03

you have, like, public, private key, cryptography

59:05

that you kind of get rid of

59:07

that attack

59:07

vector. Is that your understanding?

59:10

Yeah. Well, that's

59:10

why we practice good OPSEC. That's why we do

59:12

everything we can do. And that's why we

59:14

all should say we're not

59:16

bulletproof. I don't ever for a minute

59:18

think I'm hack proof. I worry about it all

59:21

the time. We all are

59:23

not hack proof, bad things happen, new

59:26

attacks, new zero day things with software.

59:28

So you do the best you

59:30

can. You have unique passwords for everything. So that if

59:32

one does get hijacked, okay, well, we just have one

59:34

problem to deal with, not a thousand problems to

59:36

deal with. So for me, it's doing

59:38

the best we can. For me, I

59:40

don't use a browser password extension because I don't

59:42

need it. I'm fine copy and pasting.

59:44

I'm fine making deliberate

59:46

actions to log in to things. My clients, most of

59:48

them have a password manager browser extension.

59:50

I'm okay with that too. I'm only

59:52

not okay with storing your passwords

59:54

in the browser

59:55

itself. That's what's asking for

59:57

trouble. Got it. The next

1:00:00

question is about Apple, and I'm interested

1:00:02

in your answer because I know that you don't

1:00:04

use any Apple products anymore. So they ask, what do you think

1:00:06

about Apple's new advanced data

1:00:08

protection? Is it the best option

1:00:10

now for Apple users

1:00:12

for secure

1:00:13

backups. You said data. I said data,

1:00:15

and you're

1:00:16

gonna be one of those people that's gonna be like,

1:00:18

she doesn't have an American accent. Why

1:00:20

are you pronouncing

1:00:21

it correctly?

1:00:21

Get off my show. Alright.

1:00:24

Alright. Apple's new advanced data protection.

1:00:27

No reason not to use

1:00:29

it. I have nothing against

1:00:31

it. But you should know what it does and more importantly what

1:00:33

it does not do.

1:00:36

Again, I don't use it, but I I

1:00:38

can speak to it. It only applies. First of all,

1:00:40

if you're using iCloud, and I never recommend using iCloud.

1:00:42

So if you're if you have an IOS device

1:00:44

and you don't use iCloud, then

1:00:46

this does nothing for you. Anyway, If

1:00:48

you use an iCloud, I would question that decision. It

1:00:52

encrypts some things, not

1:00:54

everything. So for example, If

1:00:57

you store backups of your device to your

1:00:59

iCloud, it provides end to end encryption for

1:01:01

that, great. You're protected. If you

1:01:04

upload notes, I believe, and I

1:01:06

believe all of your photos are now

1:01:07

encrypted. Great. But it does nothing for

1:01:09

your email, your contacts,

1:01:12

your calendar, that

1:01:14

most vital data that you don't want people nosing around in. It

1:01:16

does not provide end to end encryption for that.

1:01:18

And Apple employees would still have access

1:01:20

to your email, contacts, and calendar So

1:01:23

for me, the much, much, much better solution is to

1:01:26

save iCloud and just don't upload anything to

1:01:28

Apple servers be responsible for your

1:01:30

own data. Does

1:01:32

that are you making fun of me, Michael?

1:01:34

Never. Never. Small

1:01:37

anecdote about Apple's bad because, like,

1:01:39

again, following your own suggestions in your book,

1:01:42

I logged out of iCloud and then

1:01:44

logged in with my Apple ID through

1:01:46

the app.

1:01:48

So that it doesn't automatically turn on iCloud.

1:01:50

And that was all great until I

1:01:52

realized that because I I support

1:01:55

I pay to support Signal and you get this little badge and all this.

1:01:57

As soon as I turned off

1:02:00

iCloud in the main

1:02:02

settings, it doesn't matter whether I was logged in

1:02:04

under the applications.

1:02:06

It didn't register. I could no longer

1:02:08

use Apple Pay, which meant that it took

1:02:10

away any 10- -- realization that

1:02:12

I paid for Signal and, like, it was really annoying. I'm like, I

1:02:14

want I want that badge. I want that

1:02:16

on my profile. And as have

1:02:20

to choose the badge or iCloud. And I'm sorry, Signal.

1:02:22

I I've taken away

1:02:24

that signaling device now, mind the

1:02:26

pun, and I've opted to stay away

1:02:29

from iCloud. I'm I'm annoyed that they do

1:02:31

that. And and, really, that's

1:02:32

it goes so much deeper than that, of all the other

1:02:34

things that they're doing and preventing and blocking because

1:02:37

you don't play with them. I

1:02:39

had someone just the other day who says, hey, I did

1:02:41

your thing with a Mac laptop and I don't use

1:02:43

an Apple ID because I use Brew,

1:02:45

Homebrew to install my applications,

1:02:47

but now my laptop's telling me

1:02:50

every day I gotta log in with an Apple ID and it

1:02:52

puts that red notification badge on these

1:02:54

system settings. Tell me I have to log in.

1:02:56

And as of right now, there's no way to disable it. I'm sure

1:02:58

that'll come up. It'll we'll find a

1:03:00

solution. So it's it's all those little

1:03:02

things of the Apple ecosystem

1:03:04

that says, wait a minute, you are straying from what

1:03:06

we tell you to do. We're going to

1:03:08

annoy you with little things until you

1:03:10

fall back in line and do things the way we tell

1:03:12

you

1:03:13

to. And I just don't buy into that.

1:03:15

Yeah. No. I completely agree, and I've started moving

1:03:17

into Linux as well. I've I there are some

1:03:19

apps that I need to use on Mac just

1:03:22

editing software and

1:03:23

stuff. But, yeah, it definitely makes

1:03:24

it more Linux as well. So

1:03:28

talking still about cloud

1:03:30

storage. This next question says, I know

1:03:32

you don't recommend cloud storage. So what do I do for long term storage

1:03:34

of important things like family

1:03:36

photos? I think you do

1:03:38

the same thing we've been doing for decades.

1:03:42

Especially when online storage was not an option. You have

1:03:44

your own local backups. You have your

1:03:46

own off-site backup and you encrypt them.

1:03:50

When you back up on the cloud, you're just trusting your data

1:03:52

to someone else's servers. I'll stop.

1:03:54

That

1:03:54

was my

1:03:55

last one. Right? That's the last

1:03:56

slide. I'm I'm out of thing up.

1:04:00

So when you do that, I mean, you're

1:04:02

just relying on someone else's servers. If

1:04:04

they go down, you're in trouble anyway. So

1:04:06

I just I don't like this concept of let's allow another company to

1:04:08

be responsible for all the most important things in my

1:04:10

life. I will be responsible for me

1:04:12

that means

1:04:14

numerous local backups. So I have

1:04:16

a lot of valuable data on my devices. Those

1:04:18

are backed up to an external device.

1:04:21

It might be an external USB-C

1:04:24

SSD drive. I also back up to

1:04:26

external spinning disks that are kind of like

1:04:28

the the longer term backup and in case

1:04:30

something else fails, I can go back to those. I

1:04:34

also copied my most important data on micro SD cards and they are embedded

1:04:36

into my phone case and with me all the time in

1:04:38

case my house blows up. I've talked about that

1:04:40

before. They're all encrypted. I also

1:04:42

have an off-site backup of everything I

1:04:44

need completely encrypted hidden at a friend's house. And

1:04:46

if I have a true problem, I can call that

1:04:48

friend and say, hey, you're gonna think this is weird, but go

1:04:50

get this box and I'm gonna tell you what

1:04:53

to do with this. So for me, it's

1:04:55

the same thing we did ten years

1:04:57

ago. We do it ourselves. Storage

1:04:59

is

1:04:59

cheap, provide reliable good

1:05:02

storage, and have redundant backups, and you'll never have to

1:05:04

worry about

1:05:04

it. Got

1:05:05

it. And there's another question that's is

1:05:07

very related. What are your thoughts about

1:05:09

using encrypted M-DISC optical media to

1:05:12

archive data?

1:05:14

I think M-DISC are a

1:05:17

great medium. I come from

1:05:19

an optical disc world many years ago and that's

1:05:21

what we relied on. I'm

1:05:24

not

1:05:24

worried about the archive quality. I'm not

1:05:27

worried about the the

1:05:28

the long storage of an

1:05:30

M-DISC. My worry is

1:05:34

Will you have a device to access that

1:05:36

data when you need it in the future?

1:05:38

Right now, I have a

1:05:40

box of MiniDiscs, DVD-RAM cartridges,

1:05:44

Betamax, etcetera. And I have nothing to play them on.

1:05:46

There's some stuff on there that I might want one day.

1:05:48

I'd have to go find a device to get

1:05:50

that. Now right now, you can find a

1:05:52

way to read M-DISC. Will you be able to

1:05:54

find a way to read

1:05:55

M-DISC twenty years from now? And I don't have the

1:05:58

answer to that, that's my concern. So

1:06:00

for me, Well, for

1:06:02

you, if that works for you, great. And

1:06:04

if your data fits on it and you

1:06:06

have enough room and that that's

1:06:08

that's your need, great. Sure you have long term access to a

1:06:10

device, which can read those. For me,

1:06:13

I still prefer drives, SSD

1:06:15

drives, spinning drives, micro SD,

1:06:18

whatever. That's better for me because I'm

1:06:20

confident that wherever I am in

1:06:22

the

1:06:22

world, I can find a way to extract that

1:06:24

data. Howard Bauchner:

1:06:25

And then the next question is,

1:06:27

I like you've already answered it, but I'll just ask it

1:06:29

again anyway. Do you back up your

1:06:31

GrapheneOS

1:06:32

device? If so, how much do you

1:06:34

use?

1:06:34

I do. I've never needed it. I've never, like, went

1:06:37

back to it and accessed anything. I use

1:06:39

the internal app, so which

1:06:42

I I believe is still called Seedvault. If you go to your GrapheneOS

1:06:44

device, go to settings. I

1:06:46

don't wanna screw this up. Just search the

1:06:48

word backup. You'll get to it.

1:06:50

You can create a backup. What I do is I connect external USB

1:06:53

10 SSD drive and I back

1:06:56

up my device to

1:06:58

that drive and

1:07:00

then I have it on that drive. It's it's encrypted. They give

1:07:02

you a pass phrase you have to keep. And then it's

1:07:04

in a it's in a folder called dot

1:07:07

seed vault, so that will be a hidden

1:07:09

folder, then I just store it. I've

1:07:11

never needed it. The reason I have

1:07:13

it really, it's not to restore my phone. If I have

1:07:15

a problem, it's it's another

1:07:17

backup of MySudo. Again,

1:07:20

because MySudo doesn't have a username and

1:07:22

password, you have to set a

1:07:24

password to your account and then

1:07:26

back up that data somehow. So if I were in some real trouble

1:07:28

and I needed to restore an

1:07:30

account, I could do it through my backup and my

1:07:32

passwords. That's my

1:07:34

main reason. I've

1:07:36

never really needed it. I don't know that everyone needs to do it. I will say though, if you

1:07:38

do it, be sure to disable

1:07:41

the app backup

1:07:44

toggle after you have your backup because if you don't, I

1:07:46

believe it'll still try to

1:07:48

do a backup every day to either

1:07:51

the original external source or an internal source that takes a lot

1:07:53

of resources. So once I've made my backup, I

1:07:56

disable the backup option so it's not

1:07:58

constantly trying to refresh that

1:08:00

backup. I

1:08:02

do not keep sensitive information on my phone. I don't keep documents on my

1:08:04

phone, so I don't

1:08:06

need don't need a a weekly

1:08:08

backup or anything like

1:08:09

that. Got it. Now I've got

1:08:11

a bunch of questions about vehicle

1:08:14

privacy and security. I I feel like I'm asking the

1:08:16

same question but three different ways. So bear

1:08:18

with me. I'm just gonna read them all

1:08:20

at once. First one, a

1:08:22

modern car has well over three thousand sensors, some of which include Bluetooth, WiFi,

1:08:24

GPS, weight sensors that

1:08:27

can't be turned off. Does

1:08:29

one remain private when the car's geolocation is always turned on even when the car is parked? The next one

1:08:32

very similar. Are there

1:08:34

any ways to disable the

1:08:37

telemetry transmission on your vehicles without disabling the vehicle. And if you can

1:08:39

disable the what if what if any

1:08:42

vehicular features would you lose

1:08:47

And then the final one, how do handle privacy for cars in regard to

1:08:50

the technologies which are built into modern

1:08:52

cars like

1:08:54

building sim ads for emergency call systems or entertainment

1:08:56

systems which also send a lot of

1:08:58

data to the car

1:08:59

manufacturers. So a lot a

1:09:02

lot there, but basically the same

1:09:04

essence Again, what

1:09:05

happened? Yes, no questions. So what happened to them? Alright.

1:09:07

These

1:09:07

are loaded. I'm going

1:09:09

to start by saying I don't

1:09:11

have any great answers.

1:09:13

However, many cars, you can still buy many cars which

1:09:16

don't have

1:09:19

OnStar. So that's deal breaker for

1:09:21

me. If a car has OnStar, no, thank you. I don't want that in my system. So there are many cars that don't have that.

1:09:23

Sometimes you to go down to the

1:09:26

base

1:09:26

models. Can I ask what is

1:09:30

OnStar? I'm foreign.

1:09:32

I'm sorry. OnStar is basically that

1:09:34

system that you might see the

1:09:36

button in your rearview mirror. That

1:09:38

allows you to call for help. So you have a cellular connection, you have

1:09:40

a data connection. And if you get an accident

1:09:42

and you're sitting there bleeding, someone from OnStar is

1:09:45

gonna come on your speakers and say, we

1:09:47

detected an accident. Are you hey, do you need

1:09:49

help? We see your location is whatever, and we're going

1:09:51

to send the police. It's it's for emergencies,

1:09:55

mostly. I don't like it because it's always connected and

1:09:57

it's been abused in the past. OnStar

1:09:59

employees have abused it in the past by accessing

1:10:01

they can access a microphone in your car anytime and

1:10:04

hear you. Without notifying you.

1:10:06

So they can turn on the microphone in your car, see where you're at and listen to what you're doing and eavesdrop on you,

1:10:09

and you wouldn't

1:10:12

know it. So for me,

1:10:14

no way, deal breaker. Now, which means I can't buy fancy fancy cars because a lot of them

1:10:20

have it. There are other versions. It's not

1:10:22

just OnStar. There are other things like it out there, but there are still many cars which

1:10:24

don't have that.

1:10:27

But again, you sometimes have to go for those

1:10:29

base model cars. And I I think that's okay. Twenty years ago, a base model

1:10:31

car was something

1:10:34

you kinda snubbed your nose at today, they're not that bad and upgrade things yourself

1:10:36

if you want things upgraded. There are

1:10:38

also still

1:10:39

many cars which don't have

1:10:41

cellular and or

1:10:44

WiFi built into them. They're

1:10:46

probably all going to have Bluetooth of some sort in the in but

1:10:48

they don't all

1:10:51

have cellular. How think

1:10:54

it was Toyota not too long ago, a client

1:10:56

wanted a Toyota.

1:10:57

And at

1:10:58

the dealership, there was not one

1:11:00

Toyota on the lot, which did not

1:11:02

have an embedded cell connection on all the time, which you

1:11:04

could not disable in the entertainment

1:11:06

system. So we had to get

1:11:10

a different car. So Toyota you might not be able to find one, but Ford, you can

1:11:12

find plenty. So you just have to look, you have to

1:11:14

find out, and a lot of times you have to just

1:11:18

read the manuals, look at reviews, and just ask them, how do I how do I use

1:11:20

this infotainment system to make a call?

1:11:22

Is it got something in it? And

1:11:24

if it if it does, the salesperson

1:11:26

will be all about showing you how cool

1:11:28

the cellular

1:11:29

is, and now you know to avoid that model. So

1:11:31

those are the first

1:11:31

two. I'd say next is never connect your

1:11:33

phone via USB or Bluetooth

1:11:36

because now you're

1:11:38

giving your car a cellular signal,

1:11:40

those are kind of the basics. Now telemetry, you

1:11:42

can't disable it completely.

1:11:43

Well, maybe that's not fair.

1:11:47

You're going to have tons of transmissions occurring in your car at

1:11:49

all time, but the majority of those

1:11:52

transmissions are

1:11:54

locally They are happening in your system. They are

1:11:57

only accessible if you have

1:11:59

physical wired access to a

1:12:01

plug underneath your steering

1:12:04

wheel. That's So a lot of the

1:12:06

sensors I don't really care about. Now there are some that are wireless. So chances are your car, your

1:12:11

newer car has a sensor telling you if

1:12:13

your tires are low. That's probably a wireless sensor which I

1:12:15

can read from the side of

1:12:18

the road while you drive by

1:12:20

me get a unique identifier and track you

1:12:22

that

1:12:22

way. Realistically, is anyone

1:12:22

doing that? I don't think so. I don't think they're doing it

1:12:25

to me, so I don't worry as

1:12:27

much about that. But my

1:12:29

point is you'll never get rid of

1:12:31

everything without really severely reducing the

1:12:34

function of the car.

1:12:36

So it's gonna be hard to find

1:12:38

a car that doesn't have some type of

1:12:41

wireless sensor connection, etcetera, but you can find

1:12:43

them with minimal entertainment systems I'm

1:12:45

going to speak out of school a bit here. We are talking

1:12:47

with a large auto shop about adding a bay to their

1:12:49

place in Los Angeles,

1:12:52

which will that

1:12:54

bay will be solely used for bringing your car

1:12:56

in and disabling everything possible that we

1:12:59

can without doing damage. Right now, we're

1:13:01

just looking the liability of that and whether or

1:13:03

not it's justified to try to do it. It's probably going to be a problem. It might never happen, but talking about

1:13:08

that. Can you disable a lot

1:13:10

of this? Absolutely. If you don't know what you're doing, you're probably going to really hurt your car. So

1:13:15

it's it's tough. That's why I still drive my eighty

1:13:18

two cabero. Right. I I feel like

1:13:18

I didn't know about some of those features because my

1:13:22

car is way too old. But just think I mean, so we'll have driverless

1:13:24

cars. And the bad news is is that

1:13:26

they're like three to five years out.

1:13:29

But the good news is is that they always

1:13:31

three to five years out, so I'm not sure we'll ever get there. So we'll see what

1:13:33

happens when

1:13:34

Yeah. I drove a Tesla for a weekend

1:13:36

once. Never again.

1:13:39

Just the amount of stuff

1:13:41

going on on a data level and that

1:13:43

thing. It I felt icky, I believe. I have such a a love hate relationship with Tesla

1:13:45

because I I too feel

1:13:47

icky about the data,

1:13:51

but also just the self driving. I mean,

1:13:53

I'm I'm probably gonna be one of the first people in one of

1:13:55

those. It's just I mean, it feels like

1:13:57

I'm living in the future. You know? I I love

1:13:59

tech for all the privacy it gives me, but all the

1:14:01

cool gadgets as well. It's just a shame that they

1:14:03

always collect my data.

1:14:05

So it's concept battle. Concept battle. Alright. Next one,

1:14:08

we've got a question about Android

1:14:10

apps. It says here many Android

1:14:12

apps these days, especially the

1:14:14

banking and video streaming apps detect

1:14:16

if you were using VPN and force you to turn it

1:14:19

off in order to use the service. However, the

1:14:22

same bank or streaming service usually works when you

1:14:25

connect it via a laptop browser

1:14:27

with an established VPN

1:14:29

connection. How do these apps detect the VPN running

1:14:31

on an Android app, and how can

1:14:34

we circumvent this on an Android

1:14:36

device? I

1:14:39

can confirm that that happens. I see it a

1:14:41

lot, so it's not just you.

1:14:43

Let's let's take this in a

1:14:45

couple of levels. First, When you connect to a service

1:14:48

online, they can absolutely see the type of

1:14:50

device you are using, whether that be an

1:14:52

Android iPhone,

1:14:54

Linux, Mac, Firefox, Chrome, whatever. Now there are

1:14:56

ways to spoof that, of course. But for the most part,

1:14:58

if you're not taking any action, they can see that.

1:15:01

So a company knows if you're

1:15:03

connecting from a mobile device, versus

1:15:05

say your desktop. They can also just tell that that probably by the

1:15:07

resolution of your screen, which they can also typically see.

1:15:12

So they

1:15:12

They see that. We know that. But also,

1:15:14

they see your IP address. When you connect to

1:15:15

a service, they see the IP address you're coming from.

1:15:17

They often have

1:15:19

block lists of VPN IP addresses, they

1:15:21

can block it that way. They can also determine if you're on a VPN just based on

1:15:24

the

1:15:27

of your data. So we know that they

1:15:30

can see all that stuff. That's nothing new. The question, what do we do about that?

1:15:32

It depends. It depends on

1:15:33

what they're blocking. So I I have

1:15:36

a bank that

1:15:39

I can go online on

1:15:41

my browser, connect, do everything I want. If

1:15:43

I try the exact same thing

1:15:45

for my mobile device, kicks me out.

1:15:47

And because I'm I'm behind a

1:15:49

VPN on both. What I do

1:15:51

typically is if I

1:15:53

connect to a dedicated IP VPN, which is probably not blacklisted because it's

1:15:55

only one using it because I'm paying

1:15:59

for that feature. And

1:16:01

I changed my protocol to OpenVPN TCP on port 443. It helps

1:16:04

me almost

1:16:08

every time. I'm not fooling

1:16:10

anyone. They can probably still tell I'm on a VPN. But I'm not

1:16:12

triggering a handful

1:16:15

of things which causes So

1:16:17

I've got my own dedicated IP. I'm coming through a TCP.

1:16:19

And I just look a little less nefarious maybe. Now, I don't pretend to

1:16:22

know why that works or exactly what they

1:16:24

see. 10 I

1:16:27

can tell you from a vast experience that that does work for me,

1:16:29

for some places. Whenever a website tells

1:16:31

me or even an

1:16:33

app that you can't do that, You can't log in because you're

1:16:35

behind a VPN or whatever, change to a dedicated

1:16:37

IP and typically I can get through with

1:16:40

those settings. Now,

1:16:42

again, you can't fool everything, so

1:16:44

it really just depends on what they're

1:16:47

doing. But for me, I typically

1:16:50

just try to never do any of those things

1:16:52

on a mobile device. That's what my computer's for. That's what my my

1:16:54

desktop is for. That's what my browser's for. That's what my controlled

1:16:58

area where I have a keyboard and a mouse and I can sit

1:17:00

down and focus on

1:17:01

something. Maybe that's just the old man in me

1:17:03

talking, but that's what I care about more. I

1:17:05

just try to avoid doing all that stuff from

1:17:07

a mobile

1:17:08

device because I don't like it, but also

1:17:10

you're typically going to get blocked more. So you'll never fool them completely, but

1:17:14

those things could help.

1:17:15

Okay. The next question is about 2FA. So what

1:17:18

standalone desktop software 2FA

1:17:20

solutions are

1:17:22

available or amended under the scenario where a user does not

1:17:24

have a smartphone to utilize a 2FA

1:17:27

app and the service

1:17:29

does not support hardware based

1:17:31

2FA. You could use either Bitwarden or Standard Notes. If you don't want to

1:17:33

put all your eggs in one basket, you don't want

1:17:36

to put your passwords and your 2FA

1:17:38

into one password manager like Bitwarden, you could

1:17:40

use Standard Notes

1:17:42

for that. You do have to have the

1:17:44

premium version of Standard Notes. You don't have to have the premium version of Bitwarden,

1:17:46

but you have to have the premium version of Bitwarden to secure

1:17:51

with a hardware token, which my book is required if you wanna put 2FA

1:17:54

and your passwords into one thing, you should have

1:17:56

that secured with a physical token.

1:17:58

So those are your two options.

1:18:01

I see all kinds of recommendations for this

1:18:03

app or this app, but very, very few of them are truly that that

1:18:05

very few of them

1:18:08

have true cross

1:18:10

platform support and you need to put

1:18:12

on anything and you can access them offline. Those

1:18:14

are my two mandates. So for me right now,

1:18:18

I'm using Standard Notes for my 2FA

1:18:20

tokens. Interesting. And also, I

1:18:22

mean, 2FA security keys

1:18:24

have also evolved to where they're

1:18:27

not just FIDO anymore. You can they have all kinds of bells and

1:18:29

whistles and you can actually add OTP

1:18:31

codes in there.

1:18:33

Right? For some of them, I'm you

1:18:35

could actually do it through that. I

1:18:36

don't know if you've tried that. I I don't use

1:18:38

it for that. Yeah. You can. I don't recommend

1:18:42

it I don't I only like to

1:18:44

use a hardware token as it's meant to be used.

1:18:46

It's meant to be used as a challenge response

1:18:48

to whatever I'm trying to log into. That's what

1:18:50

I wanna save it for. prefer have software token separate.

1:18:52

I prefer them to be again, I

1:18:54

don't log into things from my

1:18:57

phone. I log into them from my laptop.

1:18:59

As long as I have a couple of ways to access that. So maybe I've got Bitwarden with

1:19:02

all my stuff in it secured with the

1:19:04

hardware key or maybe I've got Standard Notes where I can

1:19:06

get access to that token or maybe I've got a third

1:19:08

OSINT in case to

1:19:10

break. And if all goes to hell, I've got the seed code in my password manager I could get out and

1:19:12

I could recreate that if

1:19:15

I needed to. So Yeah.

1:19:18

I don't

1:19:19

I know you can do it that way with

1:19:21

the hardware key. It's just it's not my

1:19:23

thing. Got it. Next question, I'm getting

1:19:25

ready to launch my blog. Is there

1:19:28

a better platform to use instead

1:19:30

of WordPress. Do you have a preference to another platform and why?

1:19:35

That's subjective. Let's talk

1:19:38

about WordPress. WordPress, the good thing is it could be very secure.

1:19:41

They get patches

1:19:44

very rapidly They

1:19:46

they do have good security. They care about

1:19:48

their security. You're getting updates more often than a lot

1:19:50

of platforms. So as long as you're keeping

1:19:54

your WordPress blog updated, I think you have fine security.

1:19:56

That being said, WordPress

1:19:58

is targeted with automated

1:20:01

attacks like crazy just random. There'll

1:20:03

be some system scanning every domain, every

1:20:05

port, whatever. And when they find

1:20:07

a WordPress instance, now

1:20:10

they start trying to try some default

1:20:13

passwords, and they try to look for any

1:20:15

plugins, which are known to have a vulnerability. So WordPress is

1:20:17

highly, highly targeted with

1:20:20

automated

1:20:20

attacks. Because

1:20:22

of that,

1:20:23

I think it depends. Are you putting a

1:20:25

lot of users into this thing? Are you having

1:20:27

people log in and create

1:20:28

accounts? Then I tend to tend to worry

1:20:31

a bit about WordPress. I have

1:20:33

a WordPress

1:20:33

blog. It has one account, mine.

1:20:36

And if you hack it, Alright?

1:20:38

Put up something cool. You don't get any user content. You don't get any customer

1:20:39

content. That's what I

1:20:43

worry most about.

1:20:45

The other thing I would say is if

1:20:47

you're going to use WordPress, move your login page to a different URL,

1:20:49

which you can get an extension for. There's lots of extensions which will

1:20:52

do that. 10

1:20:55

prevents a lot of the automated attacks where they just start brute forcing

1:20:57

logins to see if they can get in and under

1:20:59

an admin account. That

1:21:01

will help a bit keep your extensions

1:21:04

minimal, only install what you really

1:21:06

really need, keep everything updated, that's

1:21:08

gonna stop the majority. Now, is

1:21:10

there something better? I think it depends on

1:21:13

what you're going to do. Are you putting up

1:21:15

an article once a month, then learn

1:21:17

HTML, throw up a static HTML page. It's

1:21:19

kind of a pain. But if you have nothing but static HTML, there's

1:21:21

really nothing to hack. And I

1:21:23

like that. If you don't wanna

1:21:25

win in that, you wanna learn WordPress and you wanna do that,

1:21:27

fine. Just keep it as secure as you can. Keep as many

1:21:30

people off of it as you can. Keep as many accounts

1:21:32

off of it as you can. Have good

1:21:34

backups and by a WordPress backup, I mean, you export it from within WordPress. You also

1:21:36

clone the files from

1:21:39

your server to your computer

1:21:42

and you export your SQL from PHP

1:21:44

admin. If you have all three of those and

1:21:46

you have a problem, you can restore pretty

1:21:49

easily. I see so many people who have

1:21:52

WordPress. They don't secure them properly. They get hacked. They

1:21:54

don't have a backup and they just have to start

1:21:56

all over. That would be my concern. Other other

1:21:58

platforms, I don't really have an experience, so unfortunately I had nothing to offer. What about you? You you do a lot stuff

1:22:00

you recommend. Oh, gosh. I

1:22:03

don't have recommendations when comes

1:22:07

to the privacy of of that stuff or or

1:22:09

the security of that stuff. I would say that

1:22:11

whatever you do use,

1:22:13

if they offer like, 2FA, make sure that

1:22:15

you're doing that. I I generally just try

1:22:17

to obscure it. I know that security

1:22:19

through obscurity isn't great but

1:22:21

just having email addresses that I've never associated with me and any other website,

1:22:23

I think, is helpful because, you know,

1:22:26

if they're trying to attack me, if

1:22:28

they particular,

1:22:31

they're not necessarily gonna know which credentials

1:22:33

to use, but it's it's

1:22:35

really difficult. You know, and if you're just using

1:22:37

a blog, you I mean, what do you think of

1:22:39

something like sub

1:22:40

stack?

1:22:40

I just don't like

1:22:41

third parties. I like everything I can't control. I like also, with third parties, you can't

1:22:43

control analytics and

1:22:46

tracking. So if that third

1:22:48

party decides to start tracking what's happening with their visitors, you can't control it.

1:22:50

Whereas on my site, if anyone goes to my site right now, you'll see that

1:22:53

ninety nine percent of it is

1:22:55

all HTML static pages. Hackaway.

1:22:57

No. No. No. I don't mean that. Don't don't do that. No. Don't do that. The only other thing I have is a a

1:22:59

blog. If you look at my blog, I've

1:23:02

eliminated all tracking, all analytics. I've

1:23:04

really try

1:23:06

to be careful to say, if you go through my entire site, uBlock

1:23:09

Origin will not pop up once and warn you

1:23:11

about anything. So that's important to me.

1:23:13

It might not be important to the person question, but that's

1:23:15

why I don't rely on third parties. I want everything on my

1:23:17

domain and I want it so minimal that if I

1:23:19

do get

1:23:19

hacked, which has happened,

1:23:22

Alright. Well, it's it's a pain, but

1:23:24

I don't ever lose any

1:23:26

customer information. Right. Well, let's

1:23:29

move on to APFS. So is

1:23:31

an encrypted APFS external volume

1:23:33

with a complex passphrase

1:23:35

sufficient for data protection

1:23:37

or an additional layer such as

1:23:40

Cryptomator be

1:23:40

used. Oh, I think that's plenty sufficient.

1:23:42

APFS is gonna be your Mac. So

1:23:44

if you have MacBook Pro, and you've

1:23:47

taken an external drive, and you've formatted it APFS from your MacBook Pro, and you encrypted it.

1:23:49

And I think

1:23:52

you're fine. There's

1:23:54

no harm adding other layers, but I don't think it's necessary for ninety nine point nine percent

1:23:56

of the people. I think

1:23:58

I think that encryption's fine.

1:24:02

Got it. Talking about emails

1:24:04

again, Proton Mail and

1:24:06

Tutanota both offer the option to

1:24:08

register several email addresses within one

1:24:11

account. Is this a good to do

1:24:13

for creating isolated email aliases? Or do you imagine the connection between

1:24:15

the addresses within one account could be discovered by

1:24:19

a third party? Actually, I already know the answer

1:24:21

to this because you've spoken about this that you have you have

1:24:23

both. You have distinct accounts and you

1:24:25

have some within the same

1:24:28

account. Right?

1:24:29

Sure. And if you have multiple accounts within I'm sorry. If

1:24:31

you have multiple email addresses with one email account,

1:24:33

could a third provider third party

1:24:35

ever identify that, of

1:24:39

course, the third party being your email provider. So if you

1:24:41

have Tutanota and you've got five email

1:24:43

addresses in 5 account and Tutanota

1:24:45

was served a German court order to

1:24:47

tell you which other four addresses were

1:24:49

associated with this address, they would have to disclose that and they could disclose

1:24:51

that. So could it

1:24:55

be discovered by of course.

1:24:57

Could it be discovered

1:25:00

easily and publicly by any other third

1:25:02

providers? Probably not. You would need some type

1:25:04

of court

1:25:06

order or cooperation from email provider you do to expose So if

1:25:12

you, through bad OPSEC, you

1:25:14

expose it because you used them both in the same place under the same name or the same terminology,

1:25:17

then that

1:25:20

could happen there's always a possibility, but for most

1:25:22

people who are doing things properly, if you have twenty accounts and one of those

1:25:24

providers, no one's going to

1:25:26

by default, be able to put

1:25:29

those together unless you do something

1:25:32

to disclose that or a court order

1:25:34

or malicious employee at the service does

1:25:36

something.

1:25:37

Got it. And this next question about security as well, I don't I

1:25:39

don't know how you're you're gonna answer

1:25:41

this one, but try

1:25:44

your best. How

1:25:46

do you make sure that

1:25:48

none of your calls are getting recorded or

1:25:50

getting listened

1:25:51

to? You don't. It's possible. You

1:25:55

know, we talk about secure calls like you and I right now are on

1:25:57

a Signal. So we have a secure call. It's

1:26:00

end to end

1:26:02

encrypted. No one at Signal,

1:26:04

at their headquarters, has their headphones on and a computer

1:26:06

listening to us talk.

1:26:07

Great. I there's nothing I can do to

1:26:09

stop you from recording. It's actually I

1:26:11

know you are a record this

1:26:13

and I'm recording this and there's no

1:26:15

way to know. So I look at all calls the same way I look at email and

1:26:17

text messages and things

1:26:19

like that. Anyone

1:26:22

malicious, can record them on the other

1:26:24

end, and you wouldn't know

1:26:26

that. I remember an old secure

1:26:30

messenger, Wickr, back when it wasn't owned by Amazon. They had a thing whereas if someone took

1:26:32

a screenshot of your text message

1:26:34

back and forth, it sent that screen

1:26:38

after the other person to tell on you. Alright. But that doesn't

1:26:40

stop you from taking another phone and taking a

1:26:42

picture of the

1:26:43

screen. So there's no way to

1:26:45

know. And I treat

1:26:47

everything like

1:26:48

this as if it's being recorded. And that's why when

1:26:50

I do meet face to face with all my clients, we meet in

1:26:52

the middle of an Olympic seismic

1:26:54

pool. That's just my my rule and

1:26:57

you know, they get used to it. It's awkward

1:26:59

at

1:27:00

first, but they get used to it after a while. Okay. Good

1:27:02

good to know. But one thing, I mean, you and I haven't

1:27:04

exchanged secure numbers

1:27:06

on Signal. So who knows? Maybe this has been man in the middle, and someone is going

1:27:08

to hear a very private

1:27:10

conversation that is only getting broadcast

1:27:15

to your hundreds of thousands of listeners. Howard Bauchner: Exactly. So it's

1:27:17

all you have to look at the

1:27:19

perspective of what are

1:27:21

you worried about. You worried that other person's gonna do something

1:27:23

bad and maybe should be talking them in the

1:27:25

first place, but also just I treat my words

1:27:28

carefully. That's why I

1:27:30

watch what I say at all times in

1:27:32

any any communication, any type of

1:27:34

format that we're talking with because as

1:27:37

much as I trust this Signal call,

1:27:39

we don't know what happened this morning to the Signal servers, so there's always

1:27:41

something that could that could happen.

1:27:43

So you just kinda you you start to live,

1:27:45

you start to have your life, you start to do things,

1:27:47

you start to work, you stop

1:27:49

to make calls, just always on the back of your mind. You can't

1:27:51

control that. Yeah. So OSINT

1:27:54

moving into the final stretch

1:27:56

here. We've got the OSINT questions. This

1:27:58

first question. So when I when I first read

1:28:00

it, I cackled out loud,

1:28:03

but then I thought Is

1:28:06

he? So here's the question. Mister Bazzell, I have been doing some OSINT on you and I would like

1:28:08

some confirmation to

1:28:11

what I have found. Is

1:28:14

it true that you were the drummer

1:28:16

for the band and that

1:28:18

you once toured with Is

1:28:21

it true? I am

1:28:25

speechless. First,

1:28:28

kudos.

1:28:30

That is all absolutely true.

1:28:33

That has

1:28:35

been heavily scrubbed. Are

1:28:38

you

1:28:39

for

1:28:39

real? Is this We'll edit this out

1:28:42

of the show, but, yeah, that's absolutely true.

1:28:45

I know of one

1:28:46

place. That person would have

1:28:48

found that and you had to know

1:28:51

a lot of background details before

1:28:53

you would get to it I'm

1:28:55

impressed. It's true.

1:28:56

Moving on. What's number two? Wait. So you're

1:28:58

scrubbing that. I

1:28:59

I and my head just exploded.

1:29:01

As I said, I cackled when

1:29:03

I read it. And then I

1:29:05

thought,

1:29:06

wait. Yeah. It's true. I just it's

1:29:08

a past life,

1:29:11

so I don't I'm gonna be doing some elephant

1:29:13

on me

1:29:14

tonight. That's awesome. I'm a drummer as well, so that's

1:29:16

kind of cool to

1:29:18

hear. But Interesting. Yeah. So

1:29:20

keep going. Next question. Can you provide any interesting

1:29:23

OSINT challenges for us? I already completed

1:29:25

the ones in

1:29:28

the

1:29:28

book. Person is very studious

1:29:30

and well

1:29:31

done. Well, I do have new OSINT challenges in

1:29:33

the latest book which

1:29:35

just came out. I

1:29:38

don't wanna spoil those here, so let's what else we can do. Something I about

1:29:41

this before. Anytime

1:29:44

I'm in like

1:29:47

a tractor supply or any kind of store

1:29:49

which sells large gun safes, a

1:29:51

Bass Pro Shop,

1:29:54

etcetera. Every time I'm in one of these stores, there's always a tag

1:29:56

on one of the safes, one of the large safes

1:29:58

on the floor that says sold. And there'll

1:30:01

be some information about the buyer.

1:30:03

I will take that and see

1:30:05

what I can find out, which is usually

1:30:07

everything including the home where they're going to put this big gun safe, which is such a bad practice. So

1:30:12

that's one. The other one, this

1:30:14

one's gonna be creepy, but when I'm in line at say the grocery store and the person

1:30:16

ahead of me reads out loud their

1:30:18

cell phone number for the rewards points,

1:30:23

That's my next urgent challenge. Like, where do they

1:30:25

live? What do you drive? Like, I

1:30:27

start from that one key

1:30:29

point, what can I find out about

1:30:31

you? out don't creepy like that, but that's that's a pretty easy one

1:30:33

because you get a full cell phone number and that can be

1:30:35

a great starting point. So that that would

1:30:38

be the two I will give you for

1:30:40

homework. That's so creepy. I

1:30:42

hope that I mean, that's why I love this show is because I hear all of these things. It's like this half

1:30:44

the show is privacy techniques, half

1:30:46

the show is how do you

1:30:51

find that information about people's techniques, and it's always

1:30:53

so helpful and terrifying

1:30:55

to hear all these things that

1:30:57

people

1:30:57

do. So Well, thank you, and

1:31:00

I'm sorry. Thank

1:31:01

you. Well, I'm your apology is

1:31:03

accepted. Next question, I have been downloading

1:31:05

stealer logs, but they are huge.

1:31:07

It seems like I

1:31:10

am downloading ninety nine percent of stuff that I

1:31:13

do not

1:31:13

need, what is the ratio of

1:31:15

credentials size to

1:31:17

total size? Yeah. That's welcome

1:31:20

to the world of stealer

1:31:22

logs and a wasted

1:31:23

bandwidth. When you

1:31:26

download large stealer logs, you might

1:31:28

see, hey, here's four hundred gigabytes of stealer logs

1:31:31

and you get excited because that's a huge chunk of

1:31:33

data and then you find out that most of it

1:31:35

is screen captures and cookies

1:31:38

and all these things you don't need,

1:31:40

they're not helpful to you at all.

1:31:42

And now

1:31:43

you're just searching through terabytes

1:31:45

of information when

1:31:47

only gigabytes are helpful. So I can I'll

1:31:50

throw out some really rough numbers, which don't always apply, but this could help you.

1:31:52

If you find

1:31:55

a ten gigabyte compressed let's

1:31:58

say, a zip file of stealer logs online. When

1:32:00

you decompress that, that's probably going to

1:32:02

be fifty to one hundred gigabytes of

1:32:05

data. That same ten gigabytes of compressed

1:32:07

stealer logs probably only has about five hundred megabytes

1:32:12

of actual credentials. Those those will be your passwords dot txt files.

1:32:14

And I go through this a lot in the new book talking about

1:32:16

how to do all of this and what to do

1:32:19

with it. And then of those five

1:32:22

hundred megabytes of actual credentials. If you

1:32:25

clean them up, remove all the

1:32:27

junk that doesn't apply, remove

1:32:30

the the line about what browser they're using. If you remove

1:32:32

all that, it might be a hundred and

1:32:34

fifty megabytes. So that ten gigabytes of compressed

1:32:36

stealer logs, which is maybe hundred gigabytes

1:32:39

decompressed of data might only

1:32:41

be a hundred and fifty megabytes

1:32:43

of valuable data which could help

1:32:45

your investigations. So in the book, one thing I offer is if you do download

1:32:47

stealer logs, how to clean them and how

1:32:50

to extract only the

1:32:52

passwords, get

1:32:54

rid of the rest, and that way you're not searching through, you know,

1:32:56

I think we're at forty terabytes now of stealer

1:32:58

logs. You're not searching through forty terabytes. You're

1:33:01

searching through, alright, eighty gigabytes, which is much easier to

1:33:04

do. But I will say, you're not alone.

1:33:06

You're not doing anything wrong and you're absolutely

1:33:08

right. Ninety nine percent

1:33:10

of the junk and stealer

1:33:12

log files is useless to an

1:33:14

investigator. It's only useful to people doing bad things. And we've got the final question

1:33:16

now. If you're ready for it,

1:33:19

what are the best places

1:33:22

to get leaked data dumps for free.

1:33:25

Telegram, that's probably it. again,

1:33:28

I'll I'll promote the

1:33:30

book again shameless In the book, I talk a lot about specifics.

1:33:32

I'm a little hesitant to say them

1:33:34

on the air here, but Telegram will

1:33:36

get you more stealer logs

1:33:38

and you can do anything with

1:33:41

Telegram will get you most of the

1:33:43

popular database breaches and a lot of the old ones too because rooms often

1:33:47

go back months. And you

1:33:49

can go back through all these files and just get get more data than you want to store. I'll put it that way. Is that

1:33:51

really we done?

1:33:53

We're done. That

1:33:56

was it.

1:33:57

Go and and relax and

1:33:58

put your

1:33:58

feet up. Have a drink of water. What's the one question you

1:34:01

think should have

1:34:03

been asked, which wasn't? OSINT,

1:34:06

that's Okay. That's really good.

1:34:09

Well, I'm currently I'm working on a

1:34:11

piece about DNS right now, and I have

1:34:13

a lot of questions about DNS. So here's

1:34:15

my question about that that I'll throw to you.

1:34:17

If you're talking your book about

1:34:19

configuring more private

1:34:22

DNS settings, But then we're also talking

1:34:24

about how, you know, all of our devices

1:34:26

have VPNs, and our entire network has a

1:34:28

VPN as well. And generally, when

1:34:31

you use a VPN, they resolving

1:34:33

your DNS queries for you. So is, like,

1:34:35

is adding a more private DNS

1:34:40

resolver in something like pfSense.

1:34:42

Is that only really useful if your VPN drops? Is that the idea? No. It

1:34:44

would be useful with that.

1:34:46

So in my configurations for my

1:34:50

pfSense boxes. I have a VPN

1:34:52

using the OpenVPN protocol and

1:34:54

that's only providing the tunnel traffic.

1:34:56

pfSense is also providing the DNS

1:34:58

service, which I do not use my VPN's DNS service.

1:35:00

So if you are on my home

1:35:02

network, you'll be using a different

1:35:05

DNS. You will not be using the VPN's

1:35:07

DNS, and I typically apply that to everything

1:35:09

I do. So my mobile device is

1:35:11

using a specific DNS I want to

1:35:13

use. My computers are using a specific

1:35:15

DNS I want use. So if you tell

1:35:17

your device's operating system to use a specific DNS, it's going to use

1:35:19

that before it relies

1:35:23

on your firewall. Now if you have a VPN application running,

1:35:25

by default, it is going to

1:35:27

use its DNS unless

1:35:29

you disable that, and then it will use your device's

1:35:32

DNS. And if there's no DNS specified there, it

1:35:34

will use your router's DNS. And if there's no

1:35:36

DNS specified there, it will use your

1:35:38

Internet service provider's DNS if you're not using a VPN.

1:35:40

So there's many opinions. I don't claim for mine to

1:35:42

be right. It's just what works for me. I prefer to

1:35:47

always use my own DNS provider. I use

1:35:49

NextDNS because I have it set

1:35:51

up very advanced I mean, not advanced,

1:35:53

but I've really put a lot of time in

1:35:55

setting up 10 DNS rules with

1:35:57

NextDNS to where I can really control some stuff not being sent

1:36:00

out at all because

1:36:02

I can say, hey, if

1:36:04

connection comes through. Just don't just block it. Don't let it go out

1:36:06

at all. I don't want to connect to that domain. I don't want it to ever connect to any Facebook dot com domain. So

1:36:08

block all those even if it's an

1:36:10

app that tries to use

1:36:12

it. That's my

1:36:14

preference, and it it may not be the listener's preference, which is completely okay. Interesting. So

1:36:16

if I'm configuring my

1:36:18

DNS settings on

1:36:22

pfSense. It's one thing, but if I have

1:36:24

my device configuring certain DNS

1:36:26

settings and that overrides -- Yep.

1:36:28

-- things like an app Will

1:36:31

that override VPN app on my phone? Or would I have

1:36:33

to disable the VPN app on my

1:36:34

phone? Well, it depends. I'll go

1:36:35

one step further. You can go into

1:36:38

your Firefox browser and specify DNS. So if you go

1:36:40

to a webpage in your Firefox browser with a

1:36:42

specified DNS, it's going to use that before

1:36:45

it relies on anything else anyway. So It's

1:36:47

really whatever's closest. That's what it's going to

1:36:49

try to use. And once the DNS is done,

1:36:51

it's looked up that DNS. It's looked up that domain.

1:36:53

It's got the IP address. It doesn't need to keep doing

1:36:55

that over and over. So it's not

1:36:57

like it's going to keep trying. You've now you've now set that up. So it

1:36:59

really depends. It depends

1:37:02

on what browser you're

1:37:04

using. What does your operating system

1:37:06

allow you to use? What is your VPN using? Are you using a VPN app or are you using a firewall? all

1:37:08

play into it? And

1:37:11

the best advice is test.

1:37:15

Go to DNS leak and

1:37:16

say, alright. I think I did everything

1:37:18

right. You tell me what DNS you

1:37:20

see and you'll find out real

1:37:22

quick if

1:37:23

you messed up somewhere.

1:37:24

So what is the one question

1:37:26

that you

1:37:27

wish people asked they didn't. The

1:37:31

one you're redacting. Yeah. No.

1:37:33

I think this was good. Again, I love these

1:37:35

shows because I

1:37:40

don't engage. Online. And I'm I'm often criticized for that. I don't go

1:37:42

back and forth on Twitter. I don't engage on LinkedIn. It's just not my thing. I don't

1:37:46

go to Reddit at all. So I often don't

1:37:48

know a, if people

1:37:50

are listening, or what

1:37:52

am I doing wrong or what can I

1:37:54

be doing better or what am I not saying. So

1:37:56

these help me gauge either what did I screw up and not do enough

1:37:58

or where do we need to go in the future. And

1:38:00

that's something we're talking about

1:38:03

with my staff of what

1:38:05

are we doing with the future of this

1:38:07

show? Are we doing more? Are we doing less? Are we starting over? Are we diving And these

1:38:10

shows help me

1:38:13

understand a bit more about the audience because I don't

1:38:15

really have that engagement. I know that you engage much more. You're

1:38:19

better at that. You know, how

1:38:22

do you use feedback from your audience to decide what you do? Oh

1:38:24

goodness.

1:38:25

Well, my audience is

1:38:27

very different from yours. I

1:38:29

feel like my audience is the audience that needs the trainer wheels before they're allowed to pick up your book.

1:38:32

So I always and

1:38:34

basically every video I'm like,

1:38:37

Here is a very basic thing you

1:38:40

can do. And if you want something that's

1:38:42

actually secure, go and read Michael Bazzell. But

1:38:44

it's tough because some people just

1:38:46

don't get it at all and they'll just fight you and say, well,

1:38:48

I haven't seen any

1:38:51

evidence that Google is getting

1:38:54

my data and I can't help those

1:38:56

people, but I try. So I feel like you probably

1:38:58

have more productive hours in your day because you're not

1:39:02

trying to battle with people who kind of just don't really

1:39:04

see the point of any of this.

1:39:07

But, yeah, it

1:39:10

is helpful just to hear what people are

1:39:12

interested in. Sometimes, I'll do a video and

1:39:14

they'll actually, can you just really

1:39:17

go into detail about one section, you really

1:39:19

skipped over that. And I realized, oh, gosh.

1:39:21

Yeah. That's something I took for granted,

1:39:23

but I didn't go to explain. But

1:39:25

I mean, what I love about your books

1:39:27

is that you literally explain everything in detail.

1:39:29

I feel like you never miss a step,

1:39:32

so it's so thorough and honestly has

1:39:34

been such an amazing resource for me personally. You're the first go-to

1:39:36

for any of my videos. I'm a

1:39:38

journalist, not a tech expert, as you mentioned,

1:39:42

and so my whole

1:39:44

shtick is interviewing experts on tech subjects, and

1:39:46

you're the first stop for everything. It's

1:39:48

like, what has Michael Bazzell said

1:39:50

about

1:39:51

this? So I thank you for, you know, all the super thorough research you

1:39:53

put out there. It's so tremendously helpful.

1:39:55

Well, that's very kind, and

1:39:57

I thank you for saying that. Where know, you talked

1:39:59

a bit for people who don't know you, where do people

1:40:01

find more information about you and what you're

1:40:03

doing? Yeah. So

1:40:06

on all of the really insecure websites

1:40:08

that are gonna steal your data. So you'll find me on all of those.

1:40:10

You'll also find me on a bunch of really obscure

1:40:13

ones that try to

1:40:15

be more privacy preserving. So if you don't wanna go

1:40:17

on to YouTube where I have, like, my main channel, you can go on to Odysee or LBRY and just

1:40:19

use a desktop client and peer to peer

1:40:21

protocol. You know, you can do all

1:40:24

of that. But I'm I

1:40:26

if you look up Naomi Brockwell or NBTV dot media, you'll find a lot of information about

1:40:32

different types of content we put

1:40:34

out. It's mainly either long-form videos, or it's super short, ridiculous

1:40:36

things where I

1:40:39

choose one privacy fact for

1:40:41

people who don't care about privacy and do a

1:40:43

lot of accents and wear weird costumes in the hope that I can get them And you

1:40:46

know what? It works. Lot

1:40:48

of people who are like, I never knew

1:40:50

Gmail was bad, and I'm like, I don't know where you've been living, but listen, I'm

1:40:53

glad you finally

1:40:56

got here.

1:40:57

Good stuff. I will put a link to NBTV

1:40:59

dot media so that people can go check out what you're thanks for doing this. You

1:41:02

made the show better without a

1:41:04

doubt. Well,

1:41:06

thank

1:41:06

you so much for having me on. It was

1:41:08

an absolute delight. Alright. Well, that'll wrap it

1:41:11

up. And just as one last promotion, if

1:41:13

you want to learn more, please go check

1:41:15

out my new book, tenth edition, just

1:41:17

released in twenty twenty three, five hundred fifty pages of all

1:41:19

new stuff about OSINT. OSINT

1:41:22

if you have more interest in me, things we talked about with Ocean, I do go into much more detail, especially about the data breaches, leaks,

1:41:25

etcetera, in

1:41:28

that book. And also

1:41:30

sales of that book directly support the show because we don't have ads. So thank you for listening and happy New Year,

1:41:32

everyone.
