It Could Happen Here - Keeping Your Information Secure Online
Episode Date: June 27, 2022
Robert sits down with Karl Kasarda from InRangeTV to discuss information security and protecting yourself and your communications.
Transcript
Ah, welcome to It Could Happen Here, a podcast about things falling apart and how to deal
with that and hopefully take care of yourself and your people.
Today, we have a returning guest, Karl Kasarda from InRangeTV. Now, Karl, every time you and I
have chatted on a show together, it has been about firearms, which is obviously your passion
and specialty. Well, one of your specialties. But today, we're not talking at all about guns.
I mean, maybe here and there. But today we're talking about the thing that has been your career for most of your
working life. Fair to say? That's true. Yep. You want to kind of walk through your background here,
because we're going to be talking about information security and, like, sort of the future of threats
that are going to be, like, coming throughout, like, the next few years of our lives. Obviously this year in
particular there's been a bunch of stories about, like, Russian attacks on digital infrastructure
and vice versa, and that's always, like, pretty much has been something that's on everybody's
back burner since we got the internet, usually through, like, questionable films with Sandra Bullock.
Um, I think The Net, that was The Net, right? Um? Yeah, The Net. The Net.
Yes, exactly.
Yes.
Where they somehow hacked a car in 1998 or something.
Very well.
You got to do that when you're flying through cyberspace with your VR helmet on and your gloves, right?
Yeah.
But yeah, you want to walk everyone through kind of what your actual background is in this industry first.
Yeah, totally.
So if anyone watches InRange, or has watched it for a long time, you'll see this reflected in some of my content, because I do deal with some of this intermittently on the channel,
and it's definitely influenced how I approach my work there with the social media and all that. But
so, way back when, I was, like, one of those kids that was in the hacker space, and I grew up, like,
trying to make computers and technology do what it wasn't designed to do, and learn to make it do
things it shouldn't have done, for my own interests or others around me. Not in any really negative way, but, like,
just a deep curiosity in how does this stuff work, and being part of the, the early online
community. We're talking pre-internet, where you'd have, like, an acoustic coupling jack modem and you
would dial in. Like WarGames. Yeah, literally plug your headset into the... God, I was on boards like
that way back when. We never should have gone past those days.
Doing things wirelessly was such a mistake. Like, I'm so pissed off that when I, like, sit down to
research, I'm not, like, jacking into a gigantic box. Um, like, it, that makes me livid. Like, Shadowrun
promised me that I was going to be, like, using one hand to shoot at the, the approaching corporate
security guards
and have another hand on my, like, keyboard that I wear around my neck
that I, like, plug into the wall to hack buildings.
Well, hey, maybe someday we'll have neurological implants
or wet wire implants brought to us by Monsanto
that will eventually get DRM'd and we'll just get shut off in our own rooms, right?
From your mouth to God's ears, Karl.
Absolutely. Who doesn't want that?
Who doesn't want my neural tissue tied
directly to a corporation? Oh, fuck yes. But anyway, so I grew up in that space, and it actually,
back then, it naturally turned into a career. It wasn't like now. Nowadays you pretty much have to
go get a bunch of certificates and a college degree to even start looking at an infosec career,
but back then, if you kind of had, like, skills with a Z at the
end, you could get a job. And I landed up doing, like, help desk at this one company, and landed up,
they noticed that that's where my interests were. And I landed up becoming their information
security architect over a couple of years. And that turned into a multiple decade career,
pretty much culminating in working at a tier one internet backbone provider,
doing subsea fiber optic, like, routing, networking,
and DDoS mitigation and botnet control, search and destroy.
So it really turned into a really wide career,
not only like when I started off backbone internet,
but like encryption firewalls, application layer controls
across the board for multiple corporations.
So it was a weird and interesting space,
but I don't really do that much
anymore except on the side, but I've had a pretty exciting career with it. So I think probably a
good place to start is just in general, because folks are always interested about this. What is
your recommendation for people who ask, like, what should I be doing to kind of protect myself
as I force my head under the constant stream of sewer water that is social media these
days? Well, yeah, you know, the simplest thing and everything in InfoSec is always controversial,
just like anything in life. Any recommendation you make, someone's going to be like, but otherwise,
or anyways, or there's a better solution. And there always is a better solution. But the
realistic thing is when you talk to the average person, the average person isn't going to sit
there and hack a Linux box to have a better social media experience. That's
not realistic. So the best thing anyone can do, the simplest best thing is to get one of the
trusted password managers. There's a number of them out there. I'm not going to recommend an
individual one right now because anyone I recommend someone's going to go, but there's
another one, but there's a few of them out there. Having a password manager and having a unique, difficult, complex password for every
account you log into on the internet is the first number one thing you can do as an individual
to protect your interests. Because if you're logging in with the same password, "monkey", to
Facebook, Twitter, and your bank account, that is a disaster waiting to happen. So the first thing you can do: password manager, passwords you yourself can't remember as a result. I allow
the password manager to generate like 24 character long alphanumeric crypto nonsense. You put a gun
on my mouth and say, what's your password to your bank? And I don't know. I can't give it to you. I
have no idea. And so that right there is the first thing any basic individual can do to protect themselves on the internet.
That is totally sensible.
I don't, I'm not great at password managers, but I never know what my passwords are and
they're all different.
And so my life is this constant stream of like needing to figure out what my password
was, failing and resetting it.
But it does mean that I change passwords regularly.
Right.
But what's so great about password managers is you can have passwords that you could never
human remember, and you can have unique ones per website.
Every website you log into could be unique.
And by having it in this database that's properly encrypted with a key phrase or even dual factor,
then at that point means you literally just can cut and paste your passwords into things.
You don't yourself know what they are.
And, depending on your privacy
levels, you can do that locally with local solutions, with files like on your own machine.
But frankly, a couple of the cloud-based solutions, as much as the cloud freaks people out,
is the better one because it'll work on your phone. It'll work on your laptop. It'll work
on everything everywhere. That makes total sense. I think another good thing to get into while we're
on this subject, we just started talking
about passwords, and obviously it is important to keep and secure those.
I think one thing folks, especially people who are activists,
who may foresee or have engaged in things that are legally questionable, don't think
about enough is social media networking. And by which I mean having social media
where it is possible to find your other social media
by, like, knowing, you know,
like, having the same name on Twitter
and on Instagram and stuff.
Having social media that, like, can be tracked
across accounts.
Most people would be surprised
at how easy it is to do that.
And at Bellingcat, a huge amount of tracking Nazis,
tracking even, like, a ton of the work I did not do but my colleagues did to, like, dox Russian, like, secret service
agents and stuff, was like, oh, we found them in, you know, somebody, uh, their, their boss's wedding.
Like, they're tagged in this thing on VK, and from that we were able to, like, find their, uh, their
account on this other site, and, like, from that, like, now we have this, like, map of everywhere they've
been for the last, like, three weeks, and we can, like, build this social map of their entire life.
Yeah, no, by just literally existing in modern space you're constantly leaking
some form of metadata, right? You are, you are always leaking metadata, and the more of you you allow
to exist in the world, the more that's the case. So, like, there's also, you got to think about what
the threat is and what the risk is, right? There's the risk of the individual having a
parasocial relationship with the internet. Like I do as a content creator is one thing people,
there's always someone that wants to delve into your private life, but that's a very different
risk than a nation state actor, right? Those are two different things.
And when it comes to a nation state actor, quite honestly, unless you're real good and have been doing it for a long time, the individual bluntly is kind of fucked.
To be honest, as a general rule, your best security as an individual in that situation is the anonymity of the crowd. But also, we're not talking about... most people who are
threatened kind of by the state in that situation are not being threatened by the federal government,
but they may, like, be attending protests and not want the Louisville police
to, like, put together that they're in an affinity group with people. And, like, something you can do
for that is make sure you're not, like... if you have a personal account that's under your name with
your friends, that account shouldn't be liking and sharing things from, like, a political account that you have, or from the account of, like, a group that you're a part of, or something like that.
Like, just try to think about and look at your digital footprint from the outside and think: is it possible to connect me to people I don't want to be publicly connected to through this?
And the minute you've breached that connection once, it's gone forever, right?
This is forever.
Yes.
This is the same thing as like with phones, like someone will have like their regular
phone, which by the way, all these smartphones are just surveillance devices in our pocket,
right?
Let's say you go get a burner so that you don't want to be connected to the device that
you normally use on a level that's one step above the regular individual level.
If you ever have those two devices emanating at the same time, they're now connected in a way that, like, let's say the authorities can associate them together because of triangulation and seeing a burner phone and your phone coming from the same house.
You've breached all the privacy you would have had from your burner phone, for example.
Now, Karl, do you have much to say on the subject of... because I know one thing I have seen people who are, you know, having conversations that they're concerned about do is put phones in Faraday bags.
And I've heard mixed things about how reliable Faraday bags and stuff are for actually stopping signals.
Do you have much to say on that matter?
My experience with that is, not all, not all bags that you can just buy off the internet are made equally.
So what you want to do is test it.
And you can only test it to a certain degree,
but the really simple tests are: you put it in the bag and you try to dial the darn thing, or use any Wi-Fi connections to it. And that's a simple test. Now, is it as good as, like,
is it as good as not having the thing on you? Of course not. Leaving it somewhere else is always
the best answer, but a properly, in my opinion, a properly built Faraday box or cage or bag
that you've put some testing into is a pretty reliable solution.
And, you know, so a problem that you might encounter, or that I have...
So one thing I have heard people talk about is, like, well, in order to have kind of a private conversation, we, like, drove to a specific location and we left our phones off in the car and then went on a walk.
And the problem with that is that now you have both just driven to a location with those phones, and those phones
are associated with each other, right? Right. Well, so first of all, you got to think of a
world where all of this metadata is being collected at all times. So these phones and
their associations and physical proximity to one another is stored somewhere at all times,
whether or not it's going to be resourced or accessible to
the powers that be when they want it to be. It's all there. My phone next to your phone,
next to that guy's phone, those associations all exist. They're all talking to the same cell phone
towers in the same area, giving them not only GPS coordinates, but triangulation data, which by the
way, if you go way back to the hacker, Kevin Mitnick, that stuff was going on back then before
they had GPS triangulation data to get him. Right, right. So that stuff's all still happening, and those associations
occur. In regards to saying, I turned my phone off: how do you know that's off? Most of these
modern phones, what does off mean? And, yeah, okay, pull the battery, maybe, but even then I would not
trust any of these devices in regards to them, quote, being
off, especially things like phones that have unremovable or not removable batteries.
Off is more like sleep than it is... Right, yeah. I mean, I think one of the worst things that's
happened for personal security is the end of the phone where you can remove the battery. Like,
being unable to actually cut power to it
without, you know, disassembling it, is a real issue. One could argue that there was, like, that, that's a
much, much more insidious reason they did that, or one could also argue that it was just one of design
and comfort, and it's, like, hard to say. It doesn't really matter if it was insidious or not; that's
reality. Kind of a por qué no los dos situation, right? Yeah, totally. So now we're talking about phones, here's another thing that's been near and
dear.
And I think you've seen some posts from me about this.
Everybody really likes the convenience of things like biometrics, thumb authentication,
fingerprint ID, facial identification.
And here's the reality of that.
We know this already.
And there's legal, this exists in legal space already.
But the reality is, is that you can be coerced to provide biometric data against your will.
So if your phone is authenticated to you with a fingerprint ID or your facial ID, they can pretty much say, you must give us your thumb to unlock this phone.
Or for that matter, frankly, they could hold the phone in front of your face in certain circumstances, even against your will, and it will unlock the device.
And that is considered not a violation of your rights. So for example, if you had a long, strong password on the phone, they cannot
coerce you to give that up because that would be a violation of your own rights and fifth amendment,
which is interesting. So, but at the same time, one could also argue that in certain circumstances
where there's a lot of cameras, that are not necessarily watching everything you do, but you
could also consider that passphrases could be dangerous, like, say, in an airport, because all those cameras could see you
plugging in your passcode. So it's a matter of if, when, and where, right? So what's the right solution
at the best time? But I would say that if you were going to be in a place that was contentious, um, it
is almost always better to make sure you do not allow for any biometric authentication on device. Yes.
I never, like, never turn on... don't even, like, ever have had it in the... Like, ideally you have never turned on facial recognition on your phone. Like, even if you, like, deactivated... I, I don't know. I don't... I, I really... That was, that was one of the first... I used to be in tech journalism, right? Obviously I'm not an expert on any of this, but, like, the, the, the worst thing in terms
of, like, my personal comfort with devices was when they were like, everything's going to read faces
and fingerprints now. I don't love that. But, you know, it's inevitable, right? Because it is.
And I had in the past, I did a fingerprint unlock earlier in my life, and I do not have any devices
that unlock that way anymore.
But you do like it is more convenient, right?
You miss it when you need to get to your phone quickly and you can't do it.
But like, I don't even I don't even let my phone have just like a four phrase like password anymore.
Like it's eight characters for me.
It's a little bit of a pain in the ass, but it comes with fewer risks.
And one of the things that's challenging to every individual is they have to
look at what their threat profile is. Right. So like, for example,
soccer mom driving her kids to school and stuff,
she might be really good well off with a biometric authentication on her
phone, frankly, because if she didn't use that,
maybe she wouldn't even use a proper four character passphrase.
And if she's not concerned about being at a protest, for example,
and having some authoritarian take her phone away from her and authenticate to it, maybe she doesn't need to worry about that.
But for a lot of us in the worlds we live in, that's a different risk profile, right?
We got to think about what our risks are as individuals and what makes sense.
So if your passphrase is going to be one, two, three, four, or use a thumbprint ID, for most people, they'd be better with the thumbprint ID.
But for someone like myself, no, it's not a good idea.
Yeah, I think that kind of brings us to probably the last part of this,
which is, do you have specific advice on VPNs?
Obviously, I recommend everybody use Signal,
just for messages in general, like, especially stuff that is secure. Don't, if you,
if you, like... Number one, first rule of, of any kind of this sort of security: don't ever put anything
on your phone, ever, that's legally questionable if you can avoid it. Like, conversationally, like,
right, do not, don't send it over a phone if it's something you would not be
able to survive having read to you in a courtroom. So, for the audience, a lot of the audience may not
know what Signal even is, right? So Signal is a, is a text messaging alternative. So, like, for example,
on your phone you've got regular text, or if you've got an iPhone you've got iMessage. Signal is an
end-to-end encrypted solution that you install as an app. And because
it's end-to-end encryption, it means that it passes the wire, in theory, not decryptable by
the parties that are passing the data packets in the middle. So that's a man-in-the-middle
decryption, right? So for example, iMessage is encrypted theoretically end-to-end, but Apple
ultimately has the cryptographic keys. So there is, while they might say one thing,
there is nothing really preventing them from being man in the middle
and being able to read the message in transit
from A to B.
But if the keys are stored on your device,
which are then protected with your passphrase
or whatever your authentication mechanism is,
and those keys are not archived
or kept by some hierarchical man in the middle authority,
if it's done right, which Signal has done pretty well,
it means that your data in transit is probably not decryptable.
And that's why Signal is a good solution.
And it's a good one for the average person.
Install the app.
It works just like text messaging.
But you can have a pretty good level of knowledge
that the data you're passing is not being decrypted
or caught in
transmission or in the path.
So I would say get Signal.
It's, it's your best bet, right? And again, I said you don't want to ever say anything over a phone that is something that could get you in trouble, but also life is life, and that's not always realistic for people in certain situations.
Nothing's perfect. And again, if you're putting it on your phone, there's a number of things that could go wrong every single time you do that. But that's one of your better things that you could do.
And then of course, we talk about VPNs. Yeah. So VPN to those, I'm just going to go with the
basic levels because I don't necessarily know the level of knowledge that people are listening.
VPN is a virtual private network. So what that is, is you connect to this virtual private network and it
passes your data through an encrypted tunnel to an exit point somewhere else on the internet,
in theory, masking the source and origin of your request. So like, for example, let's say you were
looking up something on the internet that you didn't necessarily want people to know you're
looking up. Yeah. Let's say you're researching the truth about the assassination of President John F. Kennedy by Bernard Montgomery Sanders. And you know that the
NSA is looking for truth seekers who are finding out the reality of that situation. You
know, you don't necessarily want them to know that you have become pilled. Right. So if you were
to do this from your computer at home, what would happen is, to
people that don't know how this all works, you would be coming from an IP address that's associated
with your account that you're connecting to, whether it's Verizon or Comcast or whatever,
and you go and search up that truth. And the NSA finds you with a keyword search for JFK
and the truth. And therefore, because of that keyword search, they go to Comcast or to Verizon
and say, hey, we are requesting you tell us who did this search. They will essentially give them
a request, a legal request for information. And then Comcast or Verizon will provide the NSA:
this is the IP address and account of the person that did that. What VPN does is you connect to
the VPN service first. The connection from your machine to the VPN service is then encrypted.
Now, does the VPN service know your IP address?
Yes.
But when you actually type in that information or go to the internet to request that data,
it actually goes through the VPN's private tunneling network and egresses from somewhere
else on the internet, thus masking your actual IP address and in theory, your origin of
source. Now that's not a hundred percent true, but what that does is mean that if someone, if say the
NSA wanted to know who was doing this truth search, they would then find an IP address that actually
came out of, let's say Joe's VPN service. And they would have to go to Joe's VPN service and go,
we noticed this emanated from your network. Who did this? At that point, you have to trust
Joe's VPN service to not disclose their account information about you. So what you've done is
you've changed it. We know that telecoms will communicate with the government or whoever,
if they need to. They always will.
You don't necessarily know if Joe's VPN service will.
You've changed your trust model from your telecom to your VPN service.
So if you're going to pick a VPN, you have to do a little bit of research to know that it's a trustworthy resource that won't just give you up at the lightest form of interrogation. Yeah.
And none of them.
Again, there's nothing perfect. And often like we did find out what was it last year that one popular VPN was like run
by the feds.
Like, yeah, that's not an impossible thing.
I know a lot of folks, particularly journalists, use Proton, which is, I think, based in Switzerland.
And you will get given up if the Swiss government is angry at you, right?
You brought up a very good point.
Services that exist outside of the CONUS, the continental US,
mean that they are under different legal jurisdiction
than ones that exist wholly within the CONUS.
So as a result, if something from the United States government
comes as a request to the Swiss company, there's a much higher chance that a Swiss company would be like, we don't really care about your request.
So that's worth considering.
Also, think about this.
This actually works in reverse, and I don't want to get too deep into this. provider, you should know that sometimes traffic strangely gets pushed offshore and then back to
the United States for analysis that would normally be, let's say, not necessarily constitutionally
legal in the United States. So there's a lot of shenanigans going on. Yeah. And again, like,
I think Proton's generally a pretty good service. I've had no problems with it.
But we should be clear.
None of these are perfect solutions.
There is no perfect solution.
The only perfect method of digital security is not putting things on the Internet or, like, through, you know, mobile networks and stuff like that; it is if it stays between you and someone else.
That is your best bet of it not being intercepted or something. A conversation that you have in the woods without phones anywhere near you is the most secure kind of conversation.
Let me second on Proton.
I agree it's a good service.
There are others out there.
We're not trying to pick on one in particular or pick against anyone in particular.
There's a bunch that work.
Yeah.
Another thing that you need to consider in this sort of thing is also what you're dealing with. Like, so, for example, I put up a post a
while back because there was a bunch of stuff going on in Ukraine with, with people posting
photos that got their locations. Oh, yeah, bad things happen. I mean, that's, and that has been happening
for a decade in that war, like, almost a decade, as long as it's been going on. And I posted something
about it, and one of the recommendations I made on there was a contentious one, but I'm going to back
it up in a minute. As I use, I mentioned Tor, the onion relay. So Tor is essentially a, it was
originally created as a, as a way to deal with the, the dark web, quote unquote, and to also relay
traffic in a way to mask the origins, very much like a VPN service. Now there are a bunch of these.
So what it was is there's these onion relay nodes all over the internet. And when you connect to the onion network,
your traffic bounces through three, four, five, six, seven of these nodes. You can sort of
dictate what you want depending on the client you have. And so let's say you connect to an
onion router network node in Arizona, and then you egress somewhere in France, and you've jumped
through six nodes in the process. Well, one of the things that's a well-known fact is that a number of these onion relay routing nodes
are owned by nation-state actors, whether it's the United States or others.
So one of the things I got taken to task for, and I want to explain this, is people are like,
well, that's a compromised network. It doesn't mean that it's useful. Actually, it does,
because depending on what you're trying to do may matter.
If you're trying to mask the origin of your data source or your upload or your search for a short duration of time, this will still help.
You jump through six nodes.
They've got to relay back six nodes to figure out the origin of the person connecting to the relay network.
And that's assuming that there was a compromised node in the process.
So that means if you're passing data through a compromised node, does that mean the data
in transit is safe?
No.
But is the anonymity of the origin of the poster safer for a longer duration of time?
Yes.
So these things get really complex real fast.
And this is, again, one of the
best things you can do because there's no single perfect solution, but stacking. So not just going
through Tor, but also Tor into VPN at the same time. And I think one of the better ways to think
about security is kind of the way Sebastian Junger describes how insurgent war works, which is it's
all about creating friction
for anybody trying to spy on your shit. There's no perfect answer. But the more things you can
make be a pain in the ass, the better your odds that you will not have an issue, right? Like,
that's all you can do is make it potentially more annoying and more difficult for for whoever might
be looking right, like it, the more friction you can create, broadly speaking,
the more secure you're going to be. Absolutely. Now, another thing to think about, and we're
getting kind of deep in the weeds here. This is above and beyond the average person, right? The
average person, get a password manager. Don't use your same password everywhere. And don't use
biometrics unless you're forced, like pretty much have to, and move on with your life. But once
you're beyond the average person, this is what we're talking about now. So, like, if you're, if you have a computer and you
use it as your normal day-to-day operating system, talking to your friends, doing dot dot dot dot dot,
but then also need to do something else a little more privacy inclined, you should not trust that
device. So at that point your web browser may have all sorts of cookies and metadata and storage in it that, even if you're going through a VPN, still may be able to reveal your identity, as well as MAC addresses and other stuff.
So if you really want to get pretty into the weeds with this, you have to do something like use an ephemeral operating system install that has no legacy data on it.
One example of that is a Linux-based one.
It's called Tails.
You essentially use it like a live USB drive. You boot off of that only, or you use a machine dedicated
for this, and you burn the OS down every time you're done, because there's no legacy information
or data that can be pulled out of your web browser or your cookies or your MAC address
information that can associate it with you, regardless of if you've
done everything right to mask your IP address of origin. God, that's the hot girl shit when you're
doing that kind of stuff. And again, I think at this point, I think up through most of this,
it's been kind of like 50-50 people being like, that's too much. And people being like, okay,
yep, this is exactly what I already am or need to be doing. This is probably... very few people need to be concerned about that sort of thing.
But, you know, it is, I know, like, again, I worked at Bellingcat. I had a number of colleagues who were like personal enemies of the Russian state who had to do stuff like this. And it's, you know, paranoia. I mean, and here's the thing going above. So again, like, if you're a normal person, you probably don't need to be, you know, doing, stacking a VPN, you know, getting Signal and all this stuff. But also, why not? Right? Like there's no harm in the additional security. It is a little bit frustrating.
But here's one of the things I think people don't often think about enough.
You're not engaging in that kind of security stuff purely because there's a threat now, but in part because you don't know what the future is going to bring.
And one of the things that I would point out for that is a lot of people right now have
been having for years conversations about a thing that may soon legally be murder on a federal level,
you know, abortion.
Right.
And so it is possible that overnight an awful lot of conversations a bunch of people have
had legally will suddenly be very illegal conversations.
And then you may be glad that you took greater care with your personal security prior to that point.
Yeah.
I mean, like, so think of the, I mean, I'm not a person that menstruates, but a menstruation tracking app is very useful to a lot of people who do. And those tracking apps now, that metadata in there at some point could be extremely dangerous or incriminating to someone who otherwise was doing nothing more than trying to maintain their natural health. And so that is a really dangerous concept. So at this point, I mean, within the United States, I hate to say this, those apps are probably dangerous to the individual, because that data could be easily used by a government resource to do something bad to someone who's done nothing wrong.
So I think we should move. I mean, at this point, I think we've covered the basics that, you could kind of responsibly, the advice you can responsibly give someone in a podcast, and folks should be able to.
Let me throw one thing out real quick. So you mentioned, like, for example, we don't, you don't necessarily have the risk vector that requires using VPN or Signal, but let me say this: way back when, gosh, when I was doing crypto work decades ago, I was,
By which you mean cryptography and not, we should specify these days.
Oh, yeah. Excuse me. Cryptography, encryption. Yeah, yeah, yeah, yeah.
I had the opportunity to work with Phil Zimmermann of PGP, and actually PGP, Pretty Good Privacy, which was one of the fundamental security project or projects way back when, was actually written for human rights violations. He wrote it because people were doing research of, like, warlords were getting their laptops taken away and then finding out who spoke to them and getting people killed. So PGP was like this human rights thing right from the beginning. And cryptography, back when I was young and naive, I always thought to myself, this is what we need. This is the future. When everyone gets proper crypto, we'll blind the government, we'll blind the corporations. We're going to have this crypto anarchist future where the government and corporations can't get us. And the reality is most of that got usurped. And the truth is cryptography is too hard for most people to use. And as a result, we don't. But here's what I will say. The more people that do something simple, like use Signal or use a VPN just to browse the internet, not because they're doing anything nefarious, just because they're privacy, like, conscious.
Yeah.
Because it makes it normalized. And that means that the person that's using it because they need to, for, like, let's say to protect human rights,
Yeah.
It doesn't stick out like a needle in the haystack, because everybody's already doing something sane in the first place.
Normalizing proper privacy and cryptography is better for everyone.
Yes, yes, absolutely agreed.
This is a nice segue because you were just talking about the past and how beautiful and bright it seemed.
Let's talk about what you see as kind of the future of info security threats.
Well, I mean, so there's so many levels to that.
First of all, if we're talking nation state level, I personally strongly believe that all of the big players have already compromised everyone's network.
Oh, yeah.
Everybody's got everybody. We got Russia. Russia's, there's a million zero, got us. China's got us. We got China. Anybody right now could go in and pretty much fuck up the grid on someone else like that. And there's, it, yeah.
And that's not actually the least, that's, that's safer than other possibilities, like, because there is a level of mutually assured destruction there where it's like, yeah, man, Russia could take down the grid, but like that wouldn't be good for them, and vice versa, you know?
Yeah, no, true.
So the reality is, though, everybody's in everybody's network.
Those days are over.
When it comes to the individual, and I'm going to have the audience, there might be people in the audience who feel differently, and it still doesn't mean that we don't try.
So one of the things I want to say is you're going to hear some skepticism here, because I've been doing this career for a long time and I've seen things go wrong more than right. And so in that regard, this is going to sound kind of cynical, but when it comes to the idea of individual privacy, in my opinion, with the exception of when you're taking a very active effort in something very specific that you want to keep private, because that's something you're working on personally, the reality is individual privacy is dead and gone. And we're just starting to smell that corpse. Whether it is credit card data transactions, your cell phone history, your phone numbers, what you've done on the internet, what you've done on social media or not done on social media, whether you have an account on Facebook or not, it doesn't even matter. The metadata and the trail you're leaving behind you is all aggregated, all of it behind big data corporations, all of it compromised, all of it searchable. Even stuff the government has on you has been sold to large corporations.
Because I can tell you that some of the data that they kept for, like, let's say, DMV or MVD, they decided to sell it off to a corporation, and they themselves access it through a third party when doing research on you. So all of that big data, there's a law of physics. The more you aggregate, the more it'll get compromised.
Jeez.
I'm sorry, that's the truth.
No, no, no.
I mean, yeah, you're, you're, you're like, it's this, uh, there's this frustration. Cause I can remember the days when the, the privacy hounds, and I don't say that in a negative term, were like warning everybody about, hey, you don't want to be aggregating all of these different social media things together. Hey, you don't want to be using all of these services. Hey, there's actually some like real downsides, like all of what's happening. Like part of why things are so cheap on Amazon is, you know, that, that your data there is, is one of the assets that they have. And, um, those people were absolutely right. And they, they lost harder than anyone has ever lost at anything.
That's true.
So when I was back there at that company doing all that cryptography work,
we were trying to give crypto to the average general population in front of the internet.
I had this, like I said, this naive view of the future.
That was going to be this place where we're going to have the internet,
where everyone was connected.
And it was going to be, not only will we have personal privacy through cryptography, but we would be able to transfer information to one another in a way that would make the shenanigans impossible.
Well, to some degree, that's been true. We've seen some of that.
But to another degree, we also have Snowden dropping the bomb on revelations about what the government has done to the individual and how they've broken the law with all of our privacy and data.
And what came of that? A man in exile in Russia and pretty much fucking nothing.
Yeah.
Right? Nothing.
And I was sitting at a DEF CON presentation
where General Alexander was on the screen
talking about what they weren't doing
while Snowden was dropping revelations,
proving him to be lying.
And nothing comes of it, right?
Nothing really comes of it.
And one of the things that's so real. And so whether it's the tribal level, your neighbors across the street, or the internet tribe, we as a people in the aggregate are always willing to give up our rights to something bigger for convenience. And we've done that, and it's called Facebook and Twitter and social media, and in the process what was going to be an amazing resource has become the trap. Uh, it's such a,
It's because, you know, you know, Garrison, I, I, my, my friend who is much younger than me, um, has grown up with the internet being, being what it is now, right? Like this, this kind of like nightmare trap, you know, that that's sucking us all in, this like giant squid that has us in its tentacles. And it's, I get, I sometimes like dissociate talking with them about certain internet things, because in my heart, it's still the promised land.
Yeah.
I wish I, I guess my, I wish I felt that way. It doesn't feel like that way to me anymore, to be honest. I mean, it's not.
Right, like, and what I mean, that in like sort of, I have this, I don't know, I've never entirely been able to like let go of the vision of like, oh, it could have been, there's so many things that could have been.
Uh, well, it's like, you know, it's like all technology, anything can be weaponized, right?
Right.
Like an AR-15 can be used for good or for evil.
A knife can be used to make a beautiful meal or to commit a murder.
And the internet is technology and it has been weaponized.
It's been weaponized against us.
But at the same time, if we just turn a blind eye to it and then not learn how to use this
technology to our advantage, we're allowing them to do that unabated.
And that's where like the kind of hacker mindset comes from, which is like, how do I make this thing do what I want it to do for me while not letting someone else do it for them? And unless we take control of the technology for ourselves, like I said earlier, normalizing using Signal and even basic VPN and cryptography, then we're just giving it up. We're not even making it a challenge. We're just like, here you go, have it. And that's something that I think that's more important as a community. Maybe as people grow up on the internet, versus seeing it becoming something that I saw become something, maybe either A, they'll just accept, which I hope isn't the case, that the reality is privacy is dead. Or maybe they'll approach the internet differently than, say, someone of my age did, where frankly, we kind of messed up and we didn't realize that primrose path was actually a trap. And that was a mistake. And maybe we can kind of evolve beyond that.
But you were asking, where is InfoSec going now?
I don't have good notes for that.
When I first started working in the career, it really felt like a great thing. We were doing important stuff. We were doing DDoS mitigation. We were going into hospitals and making sure that insulin pumps weren't compromised as a DDoS host. Believe it or not, hospitals are infosec nightmares. And we were doing stuff that felt good. And then later in the career, I realized, wait a minute, I'm not doing anything to secure anybody's personal information or make the internet safer. I was just protecting some corporate coffer. And the reality was that the private information that we were supposedly protecting, the debate would turn into calls, which was, what's more expensive, losing the data or the lawsuit for losing the data? Literally, those were the conversations in corporations. And those are the conversations that corporations have now about each and every one of us, our personal information.
I was doing, I had these things that were like sort of the, this kind of attack is going to happen at some point. I feel that very much about, like, drones. There's going to be like a mass killing of civilians, not in a war zone, by a civilian weaponized drone at some point in the not too distant future. It's going to happen. It's going to be done. It's absolutely an inevitability. That kind of stuff. Do you, what are you, when you think about kind of the digital equivalents of that, like what are you looking towards?
Well, I agree with you about the drone.
Like you can see stuff.
Oh God, yes.
You plot the dots and you know it's going to occur, right?
It's not possible to avoid.
We've unleashed that out of the cage and it's going to happen.
Quite honestly, I think we're seeing it already. We're seeing the level of privacy invasion that I don't think people already know has happened. Like I know some of us realize that, and we talk about it and we rant about it. But like, I don't think people realize the level of the incursion that has occurred, to the point where all of this data, aggregated to the point they know what toilet paper you prefer to buy. Like I'm talking like people like Facebook knowing that, um, or the size of the corporate oligarchy that controls the internet, whether it's the small, like Alphabet, court, Facebook, Apple, Microsoft's becoming a smaller player weirdly, but when you think about those big names, they kind of like control everything and every piece of data about you and everything you move and say. That I think, I think, what's the end of that? I don't think we've got to the end game of that, but I don't know how we roll it back, and that's the thing. So what's the prediction? My prediction is it's going to get worse, and we're going to get to the point where there isn't room to move without, that's happening already. And that facial recognition stuff that's going on is happening currently now. We're just not that aware of it happening. The cop car is driving down the road and every license plate is being measured with the cameras being OCR, optical character recognition. And that's coming back and they're tracking every car they're driving by on the highway, even though there's not a GPS unit on your car. The ability to not be tracked will soon be impossible. How's that?
Yeah, I mean, allegedly, when I was younger, there were like certain stupid petty crimes I would commit just because, like, people will not be able
to do this in the future. And I have a moral responsibility to steal the light bulbs from in front of this bar and throw them at my friends. Like, one day that will be a thing that people can't do without getting caught. And so like, I just, I had to, you know, there are like some bright spots. Cause I think you're absolutely right. There's no, on like a broader scale, there's no turning back the clock for stuff like facial recognition and how fucked up it's going to get. There are states, like where I live in Oregon, where like they have passed laws that are just like, public facial recognition is not a thing that is legal in this state. Um, and I definitely support more attempts like that, because again, anything you can do to stymie them, to reduce the spread of the grid, to reduce the profitability of these things, even though it's again overall a doomed cause, right? Um, yeah, I don't know. I mean, I, I obviously, I think that that's a good law, but I don't know that laws stop corporations when corporations have more power than law.
Yes, of course. Um, and it's like, I mean, obviously you can, you can ban it for police to use and stuff, which does something to the extent that, you know, they follow the law. But none of this is, I don't know, like I, that's one of the things that makes me most depressed about the future is the thought that like the, the space for, and this is not like a major issue I guess, but like the space for kids to just like fuck around and do dumb shit when they're 19 is going to get so
much smaller.
I mean, I would say, I mean, I think the thing is, like, as a natural human being, whether you're doing anything wrong, even if you're not doing anything wrong, the nature to feel like you have a private space that's to you, or a private community space, I'm not even talking about wrong or right here. We're just talking about just that feeling that at this moment, this is my space where I'm not being watched, is a natural, healthy need of the human orgasm, or organism.
Interesting.
Yeah. But no, it's a human need.
And I think we're going to find those spaces become smaller and smaller.
And I think when you said, what's your prediction?
I hate to say it, but I think the prediction is it will become impossible to not be tracked.
Now, the bright side of that, maybe.
Maybe there's a bright side.
Maybe at some point when that's the reality, it could somehow also affect the people that are powerful.
And the people that are small and we all realize that humans are humans and therefore the failings that sometimes we have as all human beings, we just kind of acknowledge and be like, oh, yeah, of course, that's just what people do. Like maybe we just realize people are people. But the idea that there's never going to be a space to not get tracked.
I don't know.
To me, I find darkly disturbing.
It is disturbing.
I do think kind of to pivot off of what you were saying, the other aspect of that that is more positive is that all of this stuff, all of this surveillance shit, or at least not all, but quite a bit of it is, you know, in a way, it's like a knife fight.
There's no way that both parties don't get cut.
And, you know, the ones wielding the knife might get cut less, but they're still going to get cut.
And part of what that means in this situation is that the prevalence of all of these different ways to surveil and track also allows us to track that, in the same way that, like, police, law enforcement, watches people through their phones, but also a hell of a lot of cops are getting filmed doing fucked up shit now, right?
No, that's, that's a great, it does cut both ways right now. Again, the, the balance of the cuts I don't think is going to be, work out in our favor, but it's not going to be nothing on them either. And you're right. I think there are, there are some things that we will learn in the future about the people in power in the world that it wouldn't have been possible for us to learn in the past, or may not be possible even right now. And that could be beneficial. And if we learn that about people in power, then they can't weaponize it as much against the people that aren't in power, right?
Yeah. Yeah. You know, one thing that I'm, I'm, I'm thinking a lot about, the fact that a bunch of folks in the
reproductive health care industry have pointed out that right-wingers have started using drones to follow people home from, like, Planned Parenthoods, and followed them to their cars to like build databases of people who are going to places to potentially, like, do that kind of reproductive health care that these folks don't think should exist. The other side of it, though, is that it is also possible to surveil them, and it will be possible to track the people doing that sort of thing. And it will be possible to do that in terms of, like, legal accountability. And it will be possible to do that for the people who embrace questionably legal tactics for, for frustrating those efforts, or illegal tactics for frustrating those efforts. They have access to the same technology. And again, it's, it's, it is a knife that will cut everybody. And I guess that's better than just one person getting cut in this situation. That's, that's the concern I have, right?
I agree with that. Like I said, technology goes, it's a weapon, and it's weaponized in all directions depending on how you use it, for good or for bad. And so this is the same place I come to when it comes to the gun control argument. I mean,
We did get to guns.
No, no, no, no, I, no. No, no, I agree. It's the same problem, right? Because if we allow only one side to have all of the control and power and understanding
of the technology, then we ourselves are at a huge deficit.
We cannot defend ourselves or fight back.
So when it comes to this kind of data and technology, knowing the basic fundamentals
of what you can do to protect yourself, understand the reality of what the surveillance state or corporation is,
and then doing your best to not make it easy for them is at least one step forward.
But if we don't own this technology, if we don't own the tech,
someone else will, and they will use it against us.
It's as simple as that.
And there's super simple stuff.
I was going to bring this up, but you can't see video because it's a podcast. But there's these cool glasses from Doctorow called Reflecticles that I'm showing you, Robert. And it looks like regular sunglasses. But when you put them on, they do, they reflect IR light and actually mess with cameras in a way that turns your face into a ball of light. So you can wear these. You can wear, they're called Reflecticles. You can wear them and just walk around the mall and all the cameras get blown out by your, by your glasses. Like doing that just cause you can, it's kind of fun.
That's the hot shit. That's the shit I was promised that, that at least does exist. It's not everything I had hoped it would be in terms of its ability, but it is like, that kind of stuff rules. And I will be picking up a pair of those. Well, we should probably close out. I did want to note, because I mentioned this, um, I got something a little wrong when I was talking about the facial recognition ban. Um, it is an, an ordinance in the city of Portland itself. Um, it's the first city that has done this, and it prohibits the use of public facial recognition technology by all private businesses in the city. So that is the scope of the ban that exists in Portland. I recommend looking it up. It is the kind of thing that I would support everyone pushing for in their city. Because, again, the more holes you can make in this thing, the better.
Yeah, I don't want to put that down.
That's a good thing.
But the challenge of this is, just like I mentioned earlier, moving the data out of the CONUS and back, the minute photos from, like, I take my iPhone and scan the crowd and then put that picture up on the internet.
Yeah.
It's not under their jurisdiction, and all that facial recognition happens on every face in that.
Yep. And that is again, we'll, we'll do another episode at some point about things that you can do to discuss, like, there, that's a whole different bag of tricks. Um, but this has been really useful and really valuable. Carl, do you want to plug anything before we roll out here?
Uh, not much. That's my normal thing. If you're interested in this kind of content, but with a more firearms-oriented thing, you can find me at InRange.tv, but you'll also find some information security stuff there as well. I cover that intermittently when it applies to both topics. So if you, if you, um, even if you disagree, but appreciate my approach to this, come check me out. I appreciate it.
Awesome. Uh, check out Carl, check out InRangeTV, and continue to listen to podcasts, because the only thing that will save us is podcasts. That didn't seem right, but good for business.
It Could Happen Here is a production of Cool Zone Media.
For more podcasts from Cool Zone Media, visit our website, coolzonemedia.com,
or check us out on the iHeartRadio app, Apple Podcasts, or wherever you listen to podcasts.
You can find sources for It Could Happen Here updated monthly at coolzonemedia.com.
Thanks for listening.