
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers, and organizers.

Awesome. Well, let's get into it. My name is Tim, and we're gonna be talking about going dark with consumer electronics today. So a little bit about me: I'm a father, I'm a husband, I'm a Gen Xer, for one. To represent: Pittsburgh's the best city in the world. By day I'm a security engineer, and at night I'm the co-founder of Black Bear InfoSec. We do personal privacy management. We used to be a pen testing company; that doesn't work out so well sometimes.

So let's talk about what we're gonna be talking about today. We're going to talk about the privacy problem. We're gonna go over some essential tools you can use to take back some of your privacy. We're gonna go through a practical example of how using those tools looks, some "try harder" steps, some things you can do to go the extra mile to really take back some of what you're giving away, and then hopefully, if I get through this in time, we should have plenty of time for some Q&A questions. Last time I gave this talk we did Q&A for almost a half an hour. Don't worry, organizers, I hope that doesn't happen. But let's just jump into it.

So let me ask a question: how many of you have googled yourself? Okay, all of you narcissists, every single one of you, man. But no, what did you find when you googled yourself? Probably, you know, an old high school yearbook, your social media profile, your picture. Did anyone find their address? You don't have to raise your hands for that one. Did anyone find their address? Anyone find their phone number? Did anyone find information that they didn't think they gave out, but it somehow magically is on the web? I can tell you that I absolutely did. You can find my address, my social, all this information that I thought was kept safe, and apparently it's not. So let's talk about something real quick. We have you, right? And then we have
everything you use to live your life, right? So your devices, your credit cards, your address. And then you have services: so places you're buying items from, software subscriptions. You probably have Netflix; if you don't have Netflix, Stranger Things season three is something you're absolutely missing out on. But you're buying all this stuff constantly, and what that is doing is creating a unique profile of you. And, we're gonna put our tinfoil hats on, these companies are selling your data. That's a fact. It's winding up in databases like LexisNexis, it's winding up on Spokeo, MyLife, and that's how all this information is winding up online. And what they're doing is they're using what I call primary keys. So primary keys are things like your phone number, your email address, your name, your address, your IP address, the IMEI of your phone, your browser fingerprint. They're taking all of this information from disparate sources and putting it all together and compiling it to make a nice, beautiful profile of who you are.

All right, so these companies are selling your information. But if you're sitting in this room, I'm assuming you're somewhat into gadgets, right? That's where you say "yes," and how, right? Okay, cool. So, like, I love stuff like this. I adore this. I love that my washing machine will email me when the dryer is done. I love that I can check the temperature in my house from Washington, DC. I want to be able to use all this, but all these devices require an account, and that is how they're getting your information. That's how you're providing these companies with your name, your address, that they're then going on to sell.

So what can we do to take back our privacy, to take back the information we're giving them, or at least mask it a little bit, right? Well, it's very, very simple: don't use it. Questions? I got... we should have 40 minutes for questions, right? No? Okay. Oh, that's a farce. That's not actually the case, right? We want to be able to use these things, so we're gonna do something that's called going dark.

So this is what your life probably looks like right now. Well, what if I told you we could actually make it look like this? You would be able to set up firebreaks in your life, so that every service and every login that you're using has information that is kind of about you, in that you know the information, but it's not really you. New phone numbers, one-time-use credit cards, even one-time-use computers. That's all possible. So we just need some essentials.

Okay, the first thing we need is a phone. I hate to say it, because phones are the bane of my existence, but we need a phone. Right now it's gonna come down to a question of iPhone and Android. How many Android users do we have in the audience? You're gonna hate me. Okay, I hate to say it. It's not that Android is not secure, but there is a big difference between being secure and being private, and that's what we're talking about here. Android, if you look at the phone calls home that it makes when you're not doing anything, it is sending a whole lot of information about you back to Google. Thankfully, and I say that reluctantly, Apple has somewhat taken a stance for privacy. I don't mean that to say that they're good people; what I mean to say is they've found that as a financially viable option for their company right now.

If you want to use Android, I would honestly tell you to take a look at a project called GrapheneOS. It's a fork of CopperheadOS; it's by the original dev. I say this with no amount of reluctance: don't use CopperheadOS. There's a whole lot of drama around the original business owner and the developer, and I cannot guarantee that CopperheadOS is actually as secure as they claim it to be. But GrapheneOS is private by design. It has all the hooks into Google pulled out of it for you, and you can use it. It's not usable in most instances, because you have to have a specific set of hardware. It's only supported on, I believe it's only Pixels right now. But my point is, if I can't give this to a layperson and have them know what to do with it, and how to make sure that the image hasn't been tampered with, and then I have to explain bootloaders and their eyes glaze over and they're in a coma by the time I'm done explaining it, that's not going to work for a privacy model, right? We need to make sure that these tools are easy to use, not just for people who are technically minded, but also for people who don't care about this on a day-to-day basis, right?

So you're probably thinking that Apple is expensive. It is, depending on what you buy, right? You don't need the latest and greatest in order to be private. And I'm going to be talking a lot about things you're going to need to buy or pay for or what-have-you. You shouldn't skimp when it comes to privacy, but this is one corner you can cut. The iPhone 6s is still supported under Apple's latest operating system, iOS 13, and you can usually pick it up for about, depending on the deal, a hundred to two hundred dollars, which I would say is a fairly low entry point to take back some of your privacy, right?

Next we need cell service, right? Because a phone is useless unless we have a phone number attached to it. So we need a SIM card. I'm gonna mention a lot of companies. I am not sponsored by any of them; I want to make that disclaimer clear from the get-go. But I cannot say enough good things about Mint SIM. They do not ask for a whole lot of information upon activation, and they don't require any of that information to be validated. So you don't actually have to provide your real name and address; you can provide someone else's name, or a fake name, and maybe the address of a hotel as your address when activating. You'll need a SIM card, but don't worry, all we're really concerned about is the data usage on the SIM card. We're honestly never going to hand out the phone number attached to that SIM card. We want to avoid SIM swapping attacks, and you avoid that by not using the phone number that's attached to the SIM card. It also allows you the option to swap out your SIM cards regularly without having to hand out your phone number again to a bunch of your friends and family, right?

There is another option, and that is to actually buy, I would've said an iPod touch, I almost said iPhone 5s. If you buy an iPod touch, there's a group called the Calyx Institute that will sell you a semi-anonymized hotspot for 600 bucks a year, and all of the apps that I'm going to be talking about today you can use on the iPod touch and just pair it to the hotspot. It'll accomplish essentially the same thing without ever having to go through a cell carrier, which, if you can avoid them, please do.

So we have a phone. Let's go through a toolkit, which is really a series of apps and services that we're going to be using in order to maintain some level of privacy, right? So the first thing we need is a private email. So I'm assuming that everyone here has an email that they use for everything, right? You're giving your email out like it's candy on Halloween, right? Well, we need a new private email address. So the one thing we want to do is make sure that the private email provider is privacy-focused. So don't go out and create a Gmail account, please don't do that. Don't go out and... does Yahoo even provide email accounts anymore? I don't know. They do? No, I'm not even touching that one. Okay, blows my mind. What we're gonna do is we're gonna go find a new private email provider and we're gonna create a new email address. Make sure you lock it down like you would a primary email address: strong password, two-factor authentication. But more importantly, don't use it. Don't give it out. Don't let anyone know what it is.
We're gonna get to how you're actually gonna access email with that account later, but don't give it out, right? Because that's one of the keys, the primary keys we talked about earlier, that companies are pinging on and then selling your information with, right? As far as recommendations, if you go to privacytools.io, and I'll have a list of references in the slides at the end, you'll be able to find a list of privacy-focused email providers, and I can recommend personally the top three. I'm a big fan of ProtonMail, I'm a big fan of disroot.org, and Tutanota, I think is how you pronounce it. They're fantastic.

So we have our email. All right, now we actually need to be able to receive email, right? Because we need to be able to sign up to services, and we need to be able to receive activation emails. So we're gonna use a tool called Blur, and what Blur allows you to do is create masked emails that are one-time use. So now every time you sign up for a new service, you're able to generate a one-time-use email and have that email forward everything to that primary email we just created. This is how you avoid giving out your primary email. This is how you avoid creating that primary key. The other tool that you could use is called 33mail. The only reason why I don't mention this as the primary tool is because it allows you to create a 33mail subdomain that can be tracked. So instead of a unique identifying email for every service, you would create, like, spotify@tim.33mail.com, and that subdomain, that tim.33mail.com, can be used as a primary key because it looks so unique.

So we're able to send and receive email. Now we need to be able to pay for stuff, right? Because a lot of these services cost money, right? Or, I guess you could sign up for Netflix with a new email every single month, but that's tedious, right? We're gonna pay for stuff, so we're gonna use Privacy. Privacy allows you to create single-use or single-service credit cards. It's legal, believe it or not, and it allows you to provide fake information to these companies. So when you sign up for Netflix, you don't have to use your name. You can be John Doe, use your Blur email address and a privacy.com card, and they'll never know who you actually are. Not only does it prevent you from having to provide any real information to the company you're buying from, it also doesn't allow your bank to see anything that you bought with those credit cards, right? So as far as my bank is concerned, I shop at the NSA gift shop for everything. I get phone calls about that regularly.

Great, so we can make purchases with privacy.com. Next is probably the most critical part, right? We haven't talked about a phone number yet, and we needed a phone. So what we're gonna use is a tool by a company called MySudo. MySudo allows you to create multiple identities with phone numbers and emails attached to them, so this is another way you can mask your email. It does allow for communication with non-Sudo users; you do have to pay for that. But it allows you to replace your primary phone number. It also allows you to replace all your phone numbers. For example, I have it set up so that I have a personal phone number, as well as a phone number for shopping, as well as a phone number that I provide for two-factor authentication. You can use it with Twitter, so that when Twitter gets hacked, invariably, your number isn't leaked out into the ether, right?

I will say this, though: you will still need to keep ahold of your old phone number. You don't want to just let that go, because you've been living your life up to this point. Phone calls are going to that old number: insurance companies, debt collectors, credit card companies are still calling that phone number. You don't want to release that phone number back into the pool to have someone else get it and potentially receive phone calls about you, and not that, right? And this is the only time I'll recommend a Google service, because Google Voice is fantastic for this. Google Voice will allow you to port your phone number to Google Voice for 25 bucks and then forward your Google Voice messages wherever you want. So what I do is, I had an old Gmail account, and you're gonna want to do this with an account you already have. If you open up a new Gmail account and try to port a phone number into it, they're gonna think it's for spam, and the last thing you want to do is go through all this trouble and then still lose access to your phone number. So if you have a Gmail account, which you probably do, you can go ahead and port your phone number to Gmail and forward your message notifications to your new phone number, and then be able to reach out, out of band of Google Voice, to those phone numbers and let them know that your information has changed.

Okay, so we have our toolkit, and this is the bare essentials. So let's walk through what this all looks like in usage, right? So remember, this is what we have before: this messy web of blah that anyone can identify because it's wildly fingerprintable. And we're going to this. Okay.
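The toolkit above rests on one idea: brokers join records from unrelated sources on the "primary keys" (email, phone, and so on), a random alias per service breaks that join, and a 33mail-style alias under a personal subdomain does not, because every alias shares the subdomain. The following Python script is an added illustration of that linkage, not code from the talk or from any of the products it mentions. The records, the masked.example domain, and the phone numbers are constructed placeholders, and the subdomain rule is a simplified model of how a broker could normalize such aliases.

```python
import re
from collections import defaultdict

# Providers whose aliases live under a per-user subdomain (user.33mail.com),
# so every alias of one user shares the same linkable subdomain.
SUBDOMAIN_ALIAS_PROVIDERS = {"33mail.com"}


def email_key(address):
    """Reduce an email address to the identifier a data broker can join on.

    A normal address (or a random per-service alias) is its own key.
    A 33mail-style alias such as spotify@tim.33mail.com shares the
    subdomain tim.33mail.com with every other alias of that user, so the
    subdomain, not the full address, is the real primary key.
    """
    local, _, domain = address.strip().lower().partition("@")
    labels = domain.split(".")
    if len(labels) == 3 and ".".join(labels[1:]) in SUBDOMAIN_ALIAS_PROVIDERS:
        return "email-subdomain:" + domain
    return "email:" + local + "@" + domain


def phone_key(number):
    """Normalize a North American number to ten digits so formatting
    differences ((412) 555-0101 vs +1 412 555 0101) still collide."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return "phone:" + digits


def record_keys(record):
    keys = set()
    if record.get("email"):
        keys.add(email_key(record["email"]))
    if record.get("phone"):
        keys.add(phone_key(record["phone"]))
    return keys


def link_profiles(records):
    """Union-find over records: any shared key merges two records into one
    profile. Returns the sources grouped per profile, sorted for stable output."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}  # key -> first record index that carried it
    for i, record in enumerate(records):
        for key in record_keys(record):
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i

    groups = defaultdict(list)
    for i, record in enumerate(records):
        groups[find(i)].append(record["source"])
    return sorted(sorted(g) for g in groups.values())


# Constructed sample data: three unrelated sources a broker might buy.
# One real email and one real phone given to everyone: everything links.
REAL_EVERYWHERE = [
    {"source": "retailer",  "email": "tim@example.com", "phone": "(412) 555-0101"},
    {"source": "streaming", "email": "TIM@example.com", "phone": None},
    {"source": "breach",    "email": None,              "phone": "+1 412 555 0101"},
]
# One 33mail alias per service, but all under tim.33mail.com: still links.
SUBDOMAIN_ALIASES = [
    {"source": "retailer",  "email": "shop@tim.33mail.com",    "phone": None},
    {"source": "streaming", "email": "spotify@tim.33mail.com", "phone": None},
    {"source": "breach",    "email": "forum@tim.33mail.com",   "phone": None},
]
# Random masked alias (masked.example is a placeholder domain) plus a
# separate per-service number, as with Blur and MySudo: nothing links.
MASKED_PER_SERVICE = [
    {"source": "retailer",  "email": "k3q9xw@masked.example", "phone": "412-555-0102"},
    {"source": "streaming", "email": "p0v2nm@masked.example", "phone": "412-555-0103"},
    {"source": "breach",    "email": "z8hh41@masked.example", "phone": "412-555-0104"},
]

if __name__ == "__main__":
    for name, data in [("real email everywhere", REAL_EVERYWHERE),
                       ("33mail subdomain aliases", SUBDOMAIN_ALIASES),
                       ("masked alias + Sudo number per service", MASKED_PER_SERVICE)]:
        print(f"{name}: {link_profiles(data)}")
```

Running it shows the first two datasets collapsing into a single profile and the third staying as three unrelated records. The only difference between the second and third dataset is the normalization step in `email_key`: an alias whose structure reveals its owner is still one key, which is exactly the caveat the talk raises about 33mail subdomains, and the same reasoning is why a separate MySudo number per service matters more than simply having a number that is not your carrier's.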
So you get, or win at one of the vendors, a new Echo Plus, right? You're super excited, but you're like, but that records me, right? You don't want to give it any of your real information, but you want to set it up, because you want to get those live weather updates and stream Baby Shark, you know, and be able to speak to that thing in your kitchen, right? Okay, so here's what we do. The Echo is tied to an Amazon account, so we need to create a new private Amazon account, and we do that with an email address from Blur. So we go to sign up, we punch in a bunch of fake information and give it a strong password, and then Blur is going to go ahead and forward that email to our private email, in ProtonMail in this case. So we need to be able to verify that email, so we'll go to, plug in to ProtonMail, get the verification code, and now we have an email account set up and verified inside of Amazon with not our real information.

Now we need to give it a phone number, because now Amazon's texting you when its packages are on their way, and they need to verify your... I don't know, whatever. The point is, they're going to want to text you, so you need to give them a phone number. So that's where we're going to use MySudo. Now, MySudo, we're gonna go in, we're gonna create a phone number, create a new identity, and Amazon will happily pass along the second-factor code. So now we have two-factor auth enabled on our Amazon account. Amazon doesn't know any real information about us, but we want to be able to make purchases with this Amazon Echo. I want to be able to yell across the room that I need more diapers, and I want Amazon to know to buy more diapers and send them to my house. That's where Privacy comes in. So we'll create a new privacy.com card. That is an actual card; that's live. If you use it, you get ten bucks. Go ahead, take a picture of that. But you can see Amazon is more than happy to accept it as well. So now we have a fully configured Amazon Echo that we can use to make purchases, to query Alexa, and it doesn't have any actual real information about me. Unless, of course, you say something identifying in front of Alexa, but that's a whole other scenario, right?

And that's it, right? Now you're private, right? That should be it. I'm sure some of you are already going, "Well, wait a minute." You're right, you're not done yet, and these are the insane extra steps that you can take, right? So first things first: your ISP, your IP address is identifiable. That's one of the primary keys we identified at the beginning, right? So you're gonna want to use a VPN. Now, I know that Nord is the largest VPN provider on here; this was before everything happened over the weekend. Now, you'll hear a bunch of people give recommendations for VPNs, right? If you listen to Wirecutter, they recommend TunnelBear. If you listen to privacytools.io, they're gonna recommend Mullvad. There's a list of IP addresses as long as your arm, right? My criteria for VPN providers is: I don't want to provide them with any information. Not that I have to, because of the steps we outlined earlier, but the less information they know about me, the better. The ones I really like are ExpressVPN and, I think it's on here down in the corner, Private Internet Access. They are tested in court as not actually having any information about you. The US government has come in and raided their offices and said, "Give us information," and they said, "My guy, I ain't got anything." They've got payment information, maybe, but that's about it. They do not have connection logs, which is key. The one thing I will say about VPNs: pay for it. They're not making money by selling your data; you need to pay for it. Otherwise they will make money by selling your data, right?

So you have a VPN, great. You can install the app everywhere, but what if you just want everything from your home network going out over that VPN all the time? Because there's not a VPN app for the Amazon Echo or the Google Home devices or the Nest device in your house. There's not a VPN service for that, right? So that's where we get into a little home networking. As far as software is concerned, I'm a big fan of OPNsense and pfSense. Pick your poison; they're functionally the same thing. But you're gonna need some, not specialized, but it's not going to be hardware that you can buy off the shelf at Best Buy or Micro Center. Actually, maybe Micro Center, now that I think about it. The brands you're gonna want to look at as far as hardware is Protectli. They design router hardware specifically for pfSense and OPNsense. I've also run this off of an Intel NUC, like the real bare-bones one, and a USB 3 adapter. The speeds are terrible, but it's doable. eBay hardware: this is the only time I'll recommend buying used eBay hardware. You can pick up an old server for 50 bucks and it'll run pfSense like a dream. Basically you need two NICs and four gigs of RAM and some storage space for logs. So, like, you could run this with an old, like, Fireball 2 gig plugged into a computer, if anyone remembers those. But that will allow you to route all of your traffic on your network over a VPN. So now, instead of calling home from your IP address, your Echo, your Google software, your Apple stuff is all phoning home from a private VPN, right?

We talked about browser fingerprinting. You're gonna need a new laptop, probably. The one that you have currently, you've already leaked data about it by logging into your accounts that have already leaked. You're gonna need a new laptop. My recommendations are, here we go again, the PC/Mac battle. You're gonna want to look at old Lenovos, or brand new MacBooks, rather Macs, if you want the latest and greatest hardware. Lenovos is if you want to cheap out, right? You can pick up a Lenovo X220 anywhere between 100 to 200 bucks and get rid of all the proprietary software on it, including the BIOS. There's a great tool called coreboot, that's a whole other talk entirely, that will remove all the proprietary software. You can have a true free laptop. Or just a Mac; it'll work.

OS: this is something we need to be very careful about, right? Windows 10 is a privacy nightmare. Just don't use it, don't even bother. And I don't have a whole lot of great things to say about macOS either. It's not deliberately evil, it just is stupid. So really the option is, we're gonna probably be installing a flavor of Linux. For you day-to-day users, the ones that are kind of interested in taking back your privacy but don't want to go overboard, Debian is the way to go, 110 percent. You can get a hardened Debian instance in minutes. If you want to be a freak like me, Qubes is the way to go. Qubes allows you to do with VMs the same thing we just did with, what, five or six different tools. You would have a VM for each vertical in your life. So you'd have your personal VM, you would have a business VM, a secure VM where all your passwords are. It's fantastic, and it allows you to route traffic, for different VMs, over different VPNs. It's nuts, and also warrants its own talk. But that's if you really, really, really are concerned about being private. I do not recommend Tails, because of the ephemerality of it, right? It's supposed to be used as a one-and-done sort of deal; it's nothing maintainable in the long term.

And finally, let's talk about services, right? Because this is where they really, really get you, right? Netflix, you're using Dropbox, you're using Mint, you're using Google Drive, you're using Todoist. You got all this stuff you want to manage and share, and I get that. This stuff is awesome too.
I can't recommend this enough: just self-host it. Don't even bother giving them fake information. Don't give them any information, because you are the product, and if you leave, these companies have to find another viable business model, and hopefully, like Apple, they will do that by investing in privacy and changing their terms of service. There are plenty of options out there for you to self-host and replace almost all of these services, and they're all active, and this is one of the areas where you don't have to put a lot in to get a whole lot out. I want to pimp one project that I've no affiliation with, but I just absolutely adore: HomelabOS. It's by Nick Busey; you can find it on GitLab. It allows you to spin up a self-hosted environment with most of these services in minutes, and it allows you to run it on a Raspberry Pi. It's incredible, and just doing that alone allows you to take back so much stuff from all of these services. You can rip all of these out of your life and really own your data, truly.

Let's take some time real quick, though, to talk about cons, because there are some big ones. First of all, not all services are gonna like your disposable phone numbers. That's why I recommend self-hosting. They identify them as temporary and they'll kick them back real quick, which I think Facebook is starting to do. Not all companies are gonna like those prepaid credit cards from Privacy. They'll kick them back, they'll think it's fraud, you'll have to upload your ID. That defeats the entire purpose of what you're doing in the first place. There is an added complexity to your life, because now instead of having to remember your name, you have to remember your name and the fake name you gave Netflix and the fake name you gave your ISP and the fake name you gave the grocery store. If I die today, my wife will have no idea what to do. She's gonna lose the house, because there's no way she's going to be able to pay the bills. And to one of my final points: it doesn't account for anyone else. You can be as private as you want, but if you're not on Facebook and your grandma still uploads a photo of you and puts your whole name in the photo description, that blows this out completely, right?

But there's really two big things I want to talk about, and that's privacy fatigue and money. I'm sure that you guys probably all think that this is probably a good idea, right? But it is complex, and it's hard to remember all of this all the time. Especially, I have three kids; I'm not going to remember this all the time, and I have screwed up. But I guess what I'm trying to say here is I shouldn't have to remember all of this, right? I shouldn't have to do all this work in order to maintain my privacy. The other thing is money. You know, we've been talking about a lot of services, we've been talking about a lot of things that I'm recommending you pay for. I don't want to do that. I don't think privacy should be kept behind a paywall. This graphic is produced by the lovely Rachel Lamp. She works with a group called BADASS, that is not related to this conversation at all; they help women fight revenge porn. Neither here nor there, but she created this wonderful graphic. You shouldn't have to pay for this, and more importantly, the fact that you do have to pay for this: we all here have the means and ability to do that, but some of the more vulnerable members of our society don't. Think about the people that are in low-income homes, right? They're not going to have the availability to just go out and buy new devices. They're going and buying, you know, the Android phone that they can find and afford. Think about your grandma, your grandparents, you know, they're not going to be able to spin up a server. It's unfortunate this is where we've landed with these services, and hopefully, if enough of us have conversations about this with loved ones, or, like, I self-host a ton of stuff for my family, I'm slowly working on getting my mom to let go of her stranglehold on Snapchat, but it's doable. You just have to have a conversation, and I encourage you to.

But that's where I'm gonna leave it. Here are all my resources that I provided. I know, if you want to take pictures, go ahead. Otherwise I'll put these up on my Twitter for you guys to download. I also want to give a shout-out to the Privacy, Security, and OSINT podcast. If you think that this was not enough, if you think you want to make your lives even more difficult than they already are, give this guy a listen. You'll be putting the tinfoil hat on with me after one episode. The guy's name is Michael Bazzell. He's fantastic; I can't recommend him enough. And that's my time. I think that leaves us with 20 minutes for questions. Thank you.

All right, if you've got questions, I'm gonna come back with the mic, because we're recording this; please use the mic. I do have one quick recommendation: if we could alternate between people who identify as male or non-binary and people who identify as female and non-binary, otherwise it's gonna be a sausagefest. But anyway, I think we have a question in the back.

Audience: Real quick, absolutely, like, what address did you use, your shipping address, at Amazon?

Tim: Pardon?

Audience: What address did you have Amazon ship your stuff to?

Tim: I'm so... I'm having trouble hearing.

Audience: When you create the Amazon account...

Tim: Yes.

Audience: Where do they ship your products?

Tim: Oh, okay, this is a fun one, because this is a whole other topic completely. I can talk about privacy in the digital world; in the physical world it's even more difficult, right? Because while you are giving them fake information, if you want stuff to get to you, you have to give them an address, right? So that is something I'm actually working on, the follow-up to this talk. There's a way to be declared a digital nomad, sort of like truck drivers, and move your permanent address to South Dakota, put your house in a trust so no one can find your actual address, and then forward your mail from your primary address in South Dakota to a P.O. box that then forwards to a UPS box. It's complicated, and I don't have all the details yet, but it is something... you're absolutely right, that is a problem. If you want to receive, like, the packages that you ordered, you're still gonna have to give out your home address until I come up with a better alternative.

Is there a female with a question? Now go. That's fine, keep going.

Audience: Okay, I'm late, so that's okay. Okay, do you have your presentation online somewhere?

Tim: You know what, I will have it pinned on my Twitter. Let me pull... let's go, let's read... I know there's probably a faster way to do this. Plot... oh, there's... nice, playing video games finally paying off. There we go. I'll pin it on my Twitter. It'll be a pinned tweet after the conference ends, so you'll be able to find it on my Twitter at Timmy Doomsday.

Audience: Hey, yeah, I got a comment and a question.

Tim: Sure.

Audience: I've read that book from that Michael Bazzell. He's got a couple of different books, but the one I've read was on how to reclaim your life and disappear, something like that, in digital America. I just got it from Amazon a couple of days ago.

Tim: Yeah.

Audience: I was gonna, actually, if you can go back to the links and everything you're gonna show, that was my question. And the comment also is, I know the guy Michael Bazzell, he refers back to J.J. Luna, who also wrote a book, I don't know how many people are familiar with them, How to Be Invisible. So in that book he talked about having ghost drop addresses.

Tim: Yes.

Audience: What you do essentially is, I don't know if you're good and you're close with a church, but if you go down to the church, you say, "Hey, I got to go out of town for a few weeks, can you just accept some packages for me?" and basically have the packages mailed to the church. That's how you do it.

Tim: That is awesome. I will absolutely have to put that in my back pocket. Oh, back to my, yep, let me see here, and... all right, boom, resources. Any other questions? Any females, it's your turn? No? Okay. Nope.

Audience: Do you recommend any, like, opt-out sources for your home address? Like you mentioned, like, you know, everything's on Spokeo, LexisNexis, etc.

Tim: I mean, I've done it manually. Yeah, it does take forever, and it is something that, this is the other thing, you shouldn't have to pay to have this stuff removed, but that's honestly the easiest way. The company that produces Blur, it's a company called Abine. They also have another privacy product called DeleteMe. I think it's two hundred and fifty bucks a year, and it will do exactly what you're looking for. You give them your personal information and they will go through and start removing it from all of these websites. As far as I know, no, not yet. The other thing I will say, and I forgot to mention this during my presentation, is please, please, please, please, please, please, please, please, please, with sugar on top, read everyone's privacy policy. I've read all the services that I've recommended, I've read all their privacy policies. I know that they're making money somehow, and I know that it's not by selling my information. But I don't expect you to just blindly trust some dude you heard at a talk and go and use these services. Please, I encourage you to read their privacy policy.

Audience: So you mentioned, like, Blur, Privacy, MySudo, and then I was wondering, you know, it seems like in order to do this effort you're placing a lot of trust in third-party services and things like that. I was wondering what the privacy model is in regards to those types of services.

Tim: So let's put it this way. If it's companies or motivated individuals, like if you're worried about getting swatted, most of this stuff is in your wheelhouse. This will help you a lot. If you're the target of any three-letter organizations, some of which may or may not be in the lobby or have employees in this room, I can't help you. I'm sorry, that's outside of the privacy model for this. This is more for people who aren't actively committing crimes. If you're the target of a nation-state, don't talk to me; I don't want any connection. Yep?

Audience: Are those services completely anonymous? You know, how are they sort of, you know, right?

Tim: So, yeah, right, so that's why I say read the privacy policy. But the other thing is that these are companies that have built their business model on making sure that you stay private. So yes, you do have to provide them with information. I know Privacy, if you want to make payments with Privacy, you do have to give them your bank information, right? If you want to be able to make payments, they need some sort of funding source, and it's usually your bank account. I would argue that these companies are better positioned to take care of your privacy because that is their selling point. That is the entirety of their existence: it's not to help you make payments, it's to help you make payments privately. That isn't to say that they can't be hacked or they haven't been breached. I'm just saying that these companies are more likely to take the extra steps needed to ensure their security, as opposed to just checking a box. Does that answer your question? Cool.

Audience: I don't know if you went over this during the presentation, but do you have any recommendations for text messaging apps, like Tor, Signal versus Telegram versus iMessage?

Tim: So here's what I will say regarding messaging apps: use the best method that you can. MySudo will allow you to do text messages and MMS. You will, though, be aware, it is still sending over text message, right? So it's not encrypted. The thing I don't like about Signal is you do have to provide them with a phone number to activate, which allows them to create a pivot point on who that phone number is contacting. The one I will recommend is Wire. If you go to wire.com and actually sign up on wire.com, not on the app, they do not require a phone number for you to sign up for that service, and that will allow you to communicate with people without having to give out your phone number. But honestly, like, if you can get your mom using Telegram, use Telegram. If you can get your friends using WhatsApp, it's better than using plain old text messages. It really comes down to whatever you can get people using, and move that conversation forward. You know, if you can get your family and friends using Signal for a little bit, maybe you can then have a conversation saying, "Hey, you know what, Signal isn't really working anymore, it's not as secure as it used to be, here's this new platform." But honestly, if you can get people using anything other than the stock apps, you're better off. Do we have any other questions? If not, okay.

Host: Thank you very much, Tim.

Tim: Thank you.

[Applause]