Micah Lee - Saturday Keynote

BSides PDX 2025 | 56:54 | 41 views | Published 2025-12
Category: Policy
Style: Keynote
About this talk
Micah Lee examines the rise of technofascism in the Trump era and the tech industry's complicity, focusing on three immediate threats: mercenary spyware, device searches, and app censorship. The talk offers practical, actionable defenses for journalists, activists, and ordinary people—from device hardening and encryption practices to secondary phones and cell-site simulator detection—while emphasizing that security must be collective, not individual.
Micah (“my-kah”, he/him) is an information security engineer, a software engineer, an investigative data journalist, and an author. He started the Lockdown Systems Collective and helped develop an open source app called Cyd that helps people claw back their data from Big Tech. Micah worked for The Intercept for a decade as director of information security. He also worked as a staff technologist at Electronic Frontier Foundation, and helped co-found Freedom of the Press Foundation. Micah did opsec for journalists while Edward Snowden was leaking NSA docs to them. Micah is the author of “Hacks, Leaks, and Revelations: The Art of Analyzing Hacked and Leaked Data”, a hands-on book that teaches journalists, researchers, and activists how to download, research, analyze, and report on datasets. He also developed the open source security tools OnionShare and Dangerzone. --- BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. bsidespdx.org
Transcript [en]

[music]

[music] [applause] So, I've worked in journalism for over a decade, but this is the first time that I've ever traveled to an active war zone. [clears throat] It's hard to believe that we're not even one year into Trump's fascist takeover of the government. The onslaught of horrifying news is happening too fast to keep track of. But what's clear to me is that the Trump administration uh and ICE in particular is tooling up for technological repression that Americans have never been subject to before. Today, I'll go over the disturbing signs of the coming age of technofascism along with practical ways to defend yourself and your communities against it. I'm Micah Lee. I'm an independent security researcher, a journalist, and a software

engineer. I spent the last decade and a half reporting on classified documents, helping journalists protect their sources, building open source privacy tools, and teaching people how to analyze leaked data sets. These days, I work closely with journalists, researchers, and activists, doing what I can to keep them safe and productive. The views I'm expressing in this talk are entirely my own and not the views of any of the organizations that I'm working with. Since Trump's inauguration, the US has slid into technofascism. So, fascism is a slippery ideology that's kind of difficult to define, and sometimes it borrows from conservatives or from liberals or even from leftists. But in the end, none of the beliefs are actually genuine. It's

all about accumulating unlimited power for an ingroup at the expense of everyone else. One common definition of fascism is imperialism turned inward. So here's a bit of recent uh US imperialism history since September 11th, 2001. We launched wars of aggression based on lies in Afghanistan and Iraq. We ran a covert torture program and imprisoned and tortured innocent people for decades at Guantanamo Bay. We built a global surveillance system and spied on entire populations, all without probable cause. We ran a massive drone assassination program, bombing weddings across the Middle East and Africa and countries we weren't at war with in the name of American freedom. And right now, we're funding and arming Israel while it commits a genocide in Gaza. Huge swaths

of the world are subject to intense state repression, violence, surveillance, and censorship. And in many places, this repression is explicitly supported by the US government and by US companies. The thing that makes the Trump era different is fascism. Under Trump, this complete disregard for human rights is now pointed inwards at the enemies within, as Trump calls Americans that he doesn't like. What we've been seeing on the streets of the US with ICE kidnappings and military invasions of cities is the normal American disregard for human rights, but this time targeted inwards towards us. And the American tech industry is totally on board with it. Elon Musk, the richest and most divorced person in the world, donated hundreds of millions of dollars

to make sure that Trump got elected. He then bought Twitter and turned it into X, a cesspool of propaganda, disinformation, and hate. Mark Zuckerberg got a haircut, went on Joe Rogan, and shut down Meta's diversity program. Jeff Bezos, the owner of Amazon and of Washington Post, personally intervened to prevent the Post from endorsing Kamala Harris, and he restructured its opinion page to make it friendly to fascism. Tim Cook personally donated $1 million to Trump's inauguration committee. You know how right now while the government is shut down and food stamps for millions of Americans are set to expire in about a week, um Trump is tearing down the east wing of the White House and uh building himself a

privately funded ballroom. So, some of the companies who are funding Trump's ballroom include Amazon, Apple, Coinbase, Google, Meta, Microsoft. This talk mostly isn't about the reactionary tech billionaires and their complicit companies. Instead, it's about attacks that we should be prepared for during the age of technofascism and the ways to defend against them. In this talk, I'm going to give some specific actionable advice about three topics: mercenary spyware, device searches, and app censorship. But I don't think uh but don't think of this as a checklist that all you have to do is finish and then you're good. Ultimately, what we need to do is build an intentional and forgiving security culture. These are things to talk over

with your friends, your colleagues, your family members, uh and start doing them as shared practices. Fascists are targeting everyone outside of their in-group. If we want to keep our community safe, our defenses need to be collective and not individual. I'm also going to quickly go through a lot of slides and show my sources. So rather than trying to take a photo of each slide you're interested in, you can uh find links to all of my sources here. Um, and I also want to warn you that this talk is pretty intense. So just to lighten the mood a bit, [applause] I'm going to put on some frog ears. Um, and so I'm not going to sugarcoat the

awful reality of the current situation, but at least I'll be somewhat dressed up like a frog while I'm giving you all anxiety. So, it used to be that government spy agencies like the NSA developed the most sophisticated hacking tools in the world in-house. But over the last decade or so, this has shifted to the private sector. Now, private companies make the world's most sophisticated hacking tools, and they sell them basically as a subscription service to government agencies and police departments around the world. Uh, many of which would never have been able to build these capabilities in-house themselves. Americans have largely been shielded from this type of attack. NSO Group's Pegasus spyware is typically configured

to not be able to target US phone numbers, though they could easily disable this setting if they decided to target US phone numbers. Mercenary spyware firms are on US sanctions lists. And in 2023, Biden published an executive order prohibiting mercenary spyware use by the US government without first going through a review process. Those days are over. Mercenary spyware is officially welcome in America. Last year during the Biden administration, ICE tried to sign a contract with Paragon Solutions, another sketchy Israeli firm that makes spyware called Graphite. But the Biden administration blocked this contract from going through. But a few months ago, the stop work order was dismissed and ICE's contract with Paragon officially

began. According to this reporting by Jack Poulson, the US company REDLattice acquired Paragon Solutions. So now that Paragon is American-owned, ICE is allowed to use Graphite spyware. Paragon bills Graphite as the ethical alternative to Pegasus. The difference between Graphite and Pegasus is that Pegasus takes over the entire phone. It does location tracking. It listens through the microphone. It steals all of the data it can get and so on. While Graphite is narrowly targeted at spying on encrypted messaging apps like Signal, WhatsApp and iMessage. But obviously, government abuse uh governments abuse it to violate human rights too. So here's a recent report from the Citizen Lab published in June where they caught Graphite being used

against prominent journalists in Europe. In this case, Graphite relied on a zero-click vulnerability in iOS that exploited a bug in iMessage. And here's an earlier report uh from Citizen Lab published in March. And in this one, they helped fix a uh zero-click exploit in WhatsApp that targeted dozens of people in Italy, including journalists and the founder of an Italian organization that rescues migrants from the Mediterranean Sea. So, it's not a very ethical alternative. Um, 404 Media launched a Freedom of Information Act lawsuit against ICE demanding documents related to its contract with Paragon. In this post, the journalist mentioned Paragon's stance that it's an ethical alternative in the spyware industry. It says, quote, "Selling to ICE, an agency that has

flaunted due process, accountability, and transparency, may complicate that stance for Paragon. ICE has arrested people who were following the steps necessary for illegal immigration, waited outside courtrooms to immediately detain people after their immigration cases were dismissed to rush them out of the country, documented people who had valid work permits in order to deport them, and continues to pick up people around the country while masking their faces and declining to provide their names." There's nothing ethical about anything that ICE does, and there is no way that ICE will use Graphite in a way that isn't abusing human rights. But hey, at least the Trump administration isn't using Pegasus, right? Earlier this month, news broke that American investors appear to have

purchased NSO Group. Right now, NSO Group is still on the US sanctions list. Biden's executive order making it harder for governments to use mercenary spyware is still in effect. And there's a trail of dozens of US officials that were hacked with Pegasus, which normally wouldn't be a good sign for NSO Group doing business with Americans. But in the age of technofascism, I really don't see those old rules lasting much longer. I wouldn't be surprised at all if we started to find Pegasus infections on the phones of immigrant defense activists or advocates for trans healthcare or even just people trying to get an abortion. Also, just to add to the absurdity of this, the main investor uh that of of

the group of investors that purchased NSO Group is Robert Simonds, a Hollywood producer of B-movie films. So, if you haven't heard of Robert Simonds before, perhaps you've heard of this 1996 Adam Sandler film. Uh, Robert Simonds produced Happy Gilmore along with a bunch of other Adam Sandler films. His entire experience is in the entertainment industry, not in tech or cyber security. He also has a bunch of business dealings with Chinese companies. According to the Israeli tech site Calcalist, for some reason he's been on the board of NSA NSO Group's parent company for a few years, and in 2023, he tried to purchase NSO Group and failed. It appears that he just tried again and was successful.

And also in this article, it mentions that in 2018, Sophie Watts, the president of his production company STX Entertainment, complained of harassment and called him obsessive. So quite likely this guy is the new owner of the most notorious mercenary spyware firm in the world. And quite likely he's going to be selling Pegasus to fascist law enforcement agencies under Trump. But even if the current rules against Pegasus stick, uh there are plenty of American technofascists who don't have any qualms with violating human rights. Remember how I said that the most sophisticated hacking tools used to be developed in-house by agencies like the NSA? This was a big story back in 2019 when Reuters exposed that over a dozen

former NSA operatives went to work for the United Arab Emirates royal family helping them spy on dissident royal uh dissident journalists and activists. It's a bad sign that the US government is embracing mercenary spyware from sketchy Israeli firms and the US companies are buying up these firms presumably to make it easier to sell to the government. But I honestly think that there's enough homegrown and talented American technofascists to support a domestic spyware industry anyway even without the Israeli technology. Last month, Bruce Schneier blogged about digital threat modeling under authoritarianism. It's worth a read. In it, he described the shifting risks of decentralization, which is something that I hadn't really considered before. Spyware is targeted

surveillance, not mass surveillance, which means that it doesn't scale easily. If all you have to worry about is staying off the radar of high-level fascists like JD Vance and Kash Patel, then most people probably don't need to worry too much about it themselves. But if repression is decentralized with every state and city having its own local fascists in charge of picking targets they don't like, then everyone needs to fear it. It's too early to know how mercenary spyware will be abused by the Trump administration, but it's prudent for everyone to get prepared for it now. So this is bad, but it's not hopeless. There's a lot that we can do to defend ourselves against mercenary spyware.

Zero-click exploits, which can hack your device without any interaction from you, can feel like magic and like it's hopeless to even try to defend against them. But it's not magic. Exploits are only possible because of bugs. And these bugs are routinely fixed in software updates. Zero-day exploits cost attackers millions of dollars to purchase, which means it's very expensive to hack a fully updated phone or laptop. Exploits for bugs that are already patched though are basically free. So, you should never put off installing updates. And you should not only always install updates, but you should also get everyone that you know to always install updates as well. Apple added lockdown mode to iOS in 2022. If you enable it, it prevents your phone

from using certain features that are frequently exploited. Basically, it reduces your attack surface. For example, it blocks fonts in Safari, which might make some websites look worse and the icons might be missing, but it cuts out an entire attack vector. I've been using lockdown mode in iOS since it came out, and it's actually really usable. A few things are broken, but otherwise, it's fine. Um, in the age of technofascism, you should not only turn on lockdown mode, but get everyone you know who uses an iPhone or a Mac to do the same. To my knowledge, no researchers have found a successful infection of a device while lockdown mode was turned on. Um, and you and everyone you know who

uses an iPhone should also enable advanced data protection in your iCloud account. Without it, iCloud is basically a government backdoor into your phone. If your phone gets backed up to iCloud, including your messages, photos, and all of the data in all of your apps, Apple can give this data to the police, the FBI, ICE, or whoever else asks. If you use advanced data protection, most of this data is encrypted with a key that only you control. The recovery key is a long sequence of random characters. So, everyone who enables it either needs to keep this key on a piece of paper or store it in a password manager. And so while you're at it, if you're helping

people in your community enable advanced data protection for iCloud, it might be a good idea to also get them set up with a password manager. And earlier this year, Google launched Android advanced data protection, which works in similar ways. So if you use Android, um you need to update to Android 16. Uh enable this and you'll be far less vulnerable to mercenary spyware. So, I don't have much love for Apple, and as I'll talk about soon, they recently categorized ICE officers as a targeted group in order to comply with Trump's censorship demands. Um, but I am excited about memory integrity enforcement, which is built into the hardware of the new iPhone 17. Basically, if you're using the new

hardware, every time software allocates a block of memory, this memory is tagged with a secret. If the software ever tries accessing that block of memory again without the correct tag, the request is blocked and the process is killed. So this should effectively eliminate entire classes of memory corruption bugs including buffer overflows, use-after-free, and out-of-bounds bugs. So this diagram shows an analysis of real exploit chains. These were ex these are exploits that were actually included in real mercenary spyware and how each class of bug would perform against an iPhone with memory integrity enforcement. It will prevent all of them from fully hacking the device. So, if [snorts] you could afford it, this is one of the few reasons I'd recommend

considering buying a new iPhone. Of course, if you do get a new iPhone, you should also enable lockdown mode on it and enable iCloud advanced data protection. Mercenary spyware relies on exploits to hack your devices remotely. But there's a whole different set of local attacks against devices, too. Device searches have been a risk for as long as people have carried computers around with personal data. But in the age of technofascism, we should prepare for device searches way more frequently. Cellebrite, another Israeli surveillance company, is the most notorious firm that does device searches. They make products that are currently already used by law enforcement across the US, but they're aiming for a much bigger slice of the

market. Last year, Cellebrite announced that it formed a US-based subsidiary specifically for selling to the federal government. Cellebrite hardware and software used to break into locked phones and extract all of the data from them. It works by exploiting vulnerabilities in lock screens, by brute forcing passcodes, including using exploits to bypass any rate limits, and by rooting devices to get access to all of the data in them. This phone is from or this photo is from a 2021 blog post on the Signal blog by Moxie Marlinspike. He said, quote, "By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me." Um, it turns out it was Cellebrite

equipment. Um, and this was actually right after the Cellebrite UFED software started supporting extracting Signal messages. Um, [snorts] specifically, uh, this was just the software to extract data from phones, not actually the hardware and a bunch of cables. Um, but it didn't include the hardware that that like hacked into locked phones. Um, Moxie wrote about the security about security vulnerabilities that he actually discovered in the Cellebrite UFED software. He discovered that quote, "It's possible to execute arbitrary code on a Cellebrite machine simply by including a specially formatted but otherwise innocuous file in any app on a device that is subsequently plugged into a Cellebrite and scanned." And then he also just announced that Signal would start

downloading random files just in the file storage. But don't worry, Signal doesn't do anything with this. Um, so like other Israeli surveillance firms, Cellebrite has a history of being abused to violate human rights. In 2020, police in the African country Botswana used Cellebrite to break into the phones of detained journalists, according to the Committee to Protect Journalists. In 2021 during protests in Hong Kong, Chinese police used Cellebrite to hack into the phones of pro-democracy protesters, according to reporting in The Intercept. In 2022, Russia used Cellebrite to hack into the phones of anti-Putin opposition activists, according to reporting in Haaretz. Last month, ICE entered into a new $1 million contract with Cellebrite. But ICE already has a long history of working

with them. In 2017, they first spent $2.2 million on a Cellebrite contract immediately after Trump's travel ban. Um, in 2019, they spent somewhere between 30 and $35 million on um another contract, and now they're starting a new 11 million contract. So, it's fair to assume that ICE is using Cellebrite to hack the phones and steal the data from every single person that they arrest, regardless of immigration status. And when your device is searched, authorities stealing your data is only one of the risks that you face. Another is that they might install spyware and then hope that you keep using it. Here's an article from last year about a pro-Ukraine activist in Russia named Kirill

Parubets. Armed FSB agents violently raided his home early in the morning. One of them picked up his Android phone and said, "What's your [ __ ] password?" And Parubets told them. Then they threatened to imprison him unless he agreed to spy on Ukrainians for them. So he agreed, even though he says he didn't plan on actually doing it. And when they released him, they gave him back his phone and it had spyware on it. According to analysis of Parubets's Android phone by the Citizen Lab and the legal assistance group, First Department, the spyware they found allows the operator to track a target device's location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other

capabilities. And the report also points out any person whose device was confiscated and later returned by a security service should assume that the device can no longer be trusted without detailed expert analysis. So in the age of technofascism, this applies to when your device is seized by DHS, ICE, CBP, the FBI, and in many situations probably local police. Also, sometimes it's legal for authorities to search your device and sometimes it's illegal, but all of that is pretty abstract when it's clear that the Trump administration doesn't care about breaking laws and gets away with it all the time. So, whenever you cross a border or go to a protest, you should be prepared for the fact that authorities

might try to search your devices. It's still important to know your rights even if the fascist authorities are likely to violate them. You should consult actual lawyers for legal advice. But here are just some quick tips. You have the right to remain silent, so don't talk to the police except to assert your rights. Police are kind of like vampires. They can only uh legally enter your home if you invite them in. Uh, so if police or federal agents show up at your house or your business, do not invite them in. If they say they have a warrant, it needs to be a valid warrant signed by a real judge. ICE tries to use their own

fake warrants, and those aren't legally binding. If they try to search you, tell them you do not consent. If they want you to unlock your phone or your computer, don't comply and don't share your passwords. There's a good chance that this will result in them stealing your devices, but at least they'll be encrypted. Before I go into the defenses against device searches, I want to take a minute to plug the Access Now digital security helpline. Researchers at places like the Citizen Lab, Amnesty International, and Access Now have done an amazing job exposing spyware firms and their flagrant abuse of human rights. Detecting spyware is hard and none of this research is possible without the cooperation of spyware victims. So if

you think your device has been hacked by the Trump administration or if there is anyone in your community who might have been hacked, please reach out to the Access Now helpline for help. If anyone you know has had their phone seized by federal agents and then later given back to them, they should definitely not trust that phone and contact the Access Now helpline. They could actually like try and get spyware samples, try and do the research and confirm if it was actually hacked or not. While I can't give legal advice, I can give you technical advice on defenses against device searches. These mostly revolve around disk encryption. If someone gains access to your phone or

computer and you aren't using disk encryption, nothing stops them from accessing all of your data. But even with disk encryption, your data is only as secure as how you're able to unlock your device, as well as your lock screen settings. So, for example, let's say you have an iPhone and a strong passcode, but you unlock your phone with your face. This means that when you get arrested at a protest, the cop can also unlock your phone with your face and then access all of the data in your phone. Because of tools like Cellebrite, your phone's passcode is also really important. It's orders of magnitude harder to hack into a 10-digit passcode than a six-digit passcode.

You should also harden your devices. [snorts] Um, if these defenses against device searches look familiar, it's because they're also defenses against mercenary spyware. Cellebrite and similar tools that attack computers rely on vulnerabilities to help them bypass your lock screen or brute force your password without rate limiting. Install updates. When you're using the latest version of your OS, there are fewer vulnerabilities in your lock screen that can be exploited. And again, enable lockdown mode in iOS and macOS and enable advanced protection in Android. When your device is seized but in a locked state, you should also be careful about what information is on your lock screen. They can access that data without even needing to hack your

device. So, make sure that sensitive notifications like the content of your Signal messages don't get displayed on your lock screen. This applies to both computers and phones. If you have disk encryption, the very best thing you can do to keep your devices secure is to completely power off your device when you're not using it. A powered off device before you've entered any password to unlock the encryption is much harder to hack into than one that's powered on but locked. So, when you're going through a security checkpoint at the airport, completely power off your phone and your computer first. Don't just suspend it. When you're going to a protest, if it looks like you're about to get arrested

imminently, power off your phone before you get detained. You could always power it back on if you find yourself to be safe. And finally, turn off all of your computers every night when you're not using them. Most police raids often happen in the middle of the night or in the early morning. So, powering off your computers every night means that if you get raided, your devices will be harder to hack into and they'll give your disk encryption a fighting chance. People often talk about anonymous burner phones. Except in very specific situations, truly anonymous burner phones aren't that useful. Using a secondary phone though that you don't even try to keep anonymous on the other hand, it's easy to maintain and it has

some major benefits. If you get detained at an airport or arrested at a protest, the authorities either already know who you are or they're about to. So anonymity isn't really important here. When you set up a secondary device, use a separate Google or Apple account so it can't access any data in your main account. Make a separate Signal account and just add the contacts or groups that you'll need. And if authorities hack into your second device, there won't be much data to extract. It won't have your messaging apps, your contacts, your browser history, your photos, your documents, or anything else. Since secondary devices are just for temporary use to take an international trip or to

bring to a protest, you should factory reset them between uses. This should protect you in case they install spyware on your device and give it back to you. Also, although ideally you should contact the Access Now helpline and uh let researchers get a sample of that spyware first. Even on your main devices, minimize the data that you retain. They can't steal data if you don't have anything to steal. So, we'll all be better off if we start treating most online communication as ephemeral and delete it after we've read it. If you want to retain anything, take a screenshot, but delete everything else. If you go into the Signal app, you can go to settings, privacy,

disappearing messages, and set Signal to use disappearing messages by default for every chat. And while you're at it, get everyone you know to stop sending you messages in iMessage, WhatsApp, Instagram DMs, or anything else and switch to Signal. You should minimize other data, too, and not just messaging apps. Basically, think about what data you have on your phone uh and on your computers and regularly take steps to reduce your risk if those devices are ever searched. This isn't really about mercenary spyware or device searches, but I wanted to slip this into my talk, too. Um, we've known for years that ICE and local police departments across the US use cell-site simulators. Here's the

recent reporting from earlier this month about yet another ICE contract for these street level surveillance devices. If you're not familiar with cell-site simulators, they're also called IMSI catchers or stingrays. They're devices that pretend to be legitimate cell phone towers, tricking nearby phones into connecting directly to them rather than to real towers. We know that they're in use across the US, but uh there's a real challenge in detecting them. Rayhunter is open source custom firmware for cheap mobile hotspots that can detect cell-site simulators. It's developed by Cooper Quintin and others at EFF. Um, here's a little 4G hotspot that's running Rayhunter and I can see there's a green bar at the top. So it's not

detecting any cell-site simulators. Um, you need to plug a SIM card into it. Uh, but you don't need to actually pay for service. Um, so it's a cheap one-time cost and it's incredibly easy to flash the firmware on these. Um, so if you're interested in trying to detect cell-site simulators, uh, check out the Rayhunter project. A different way that technofascism is expressing itself is app censorship. Apple and Google, the companies that control exactly what software anyone is allowed to install on their phones, are actively collaborating with the Trump administration by censoring their app stores without even a fight. A few weeks ago, at the request of the Trump administration, Apple kicked the ICEBlock app off of the App Store. This

was an iPhone app that allowed users to anonymously report ICE sightings within a 5 mile radius and get notifications when other report when others reported ICE sightings near them. The developer Joshua Aaron points out that ICEBlock is no different from crowdsourcing speed traps, which every notable mapping app uh application including Apple's own maps app implements as part of its core services. To justify its decision, Apple has decided to treat ICE officers as a targeted group and to treat apps that help inform the public about abuses by ICE, whose job is racial profiling and violence against people based on their national or ethnic origin, as the same as discriminating against people for their religion, race, sexual orientation,

gender, or national or ethnic origin. To be clear, the government didn't send a court order to Apple demanding that they do this. The Justice Department asked Apple and Apple simply agreed without a fight. Here's a quick video of Attorney General Pam Bondi lying to the Senate about ICEBlock. >> Senator Lee, our our federal agents have been doxed and many of you know what that means. It has happened to you on both sides of the aisle. Our federal agents' lives have been threatened. We fought while we spoke with Apple and Google to get the ICEBlock app taken down. That was reckless and criminal in that people were posting where ICE officers lived. We worked with both Apple and Google to

take that down. >> Threatening. >> It's stunning. I would add here that it took it took as much work as it did by you to >> so first ICEBlock did not post where officers live. They just posted ICE sightings and which automatically got deleted after a few hours. And also ICEBlock was never actually available for Android. It was only for iPhone. [snorts] But don't worry, Google also voluntarily chose to collaborate with the fascists at the request of the Trump administration. And in fact, they use pretty much the same justification. Apple and Google both removed the Red Dot app from their app stores. Red Dot is an app that's similar to ICEBlock in that it lets people report

ICE sightings and get alerts when they're nearby. Since it's been banned by both Apple and Google, it's now only available for Android as an APK that you can sideload. Google claims that the Justice Department didn't ask them to ban Red Dot, but I kind of find that hard to believe considering Pam Bondi keeps giving interviews saying she asked Google to ban these apps. But even more disturbingly, Google's justification for banning Red Dot is that working at ICE makes you part of a vulnerable group that is quote associated with systemic discrimination or marginalization. This is just offensive. And even worse, Apple banned an app called Eyes Up from the App Store. Unlike ICEBlock and Red

Dot, Eyes Up doesn't do any real-time tracking or alerting of ICE sightings. It simply archives verified videos of ICE abuse and puts them on a map to preserve evidence of their crimes. Also, unlike ICEBlock or Red Dot, Eyes Up is a web application. So, it's still online at eyesupapp.com. Here's a screenshot of zoomed into a part of Portland. Apple is voluntarily helping fascists censor videos of violence from DHS officers like this one.

>> BACK UP. BACK UP. BACK UP. BACK UP. Back up. >> That's [ __ ] EXPECT THE [ __ ] FORCE. >> BACK UP. >> NO, we are. This is >> [ __ ] >> He does not [laughter] need to be tackled like that. HE >> IS A VETERAN. A VETERAN OF THIS COUNTRY. >> What the [ __ ] is wrong with this guy? >> It's not just Apple and Google, though. Last week, Facebook deleted a group called ICE Sighting Chicagoland with over 80,000 members in it at the request of Attorney General Pam Bondi. Just like Apple and Google, uh just like their excuses, Meta claimed that this Facebook group was violating policies against

coordinated harm. On a recent episode of the podcast On the Media, the 404 Media reporter Joseph Cox spoke about this Facebook group. Attorney General Pam Bondi last week posted on X saying that DOJ had successfully gotten Facebook to take down a group page that she said was quote being used to dox and target ICEgov agents in Chicago. I have seen a limited archive of that Facebook page. It's difficult to access now of course because it has been taken offline. But the section that I scrolled through, I did not see any evidence of ICE officials being doxed or specifically targeted. It was more just reporting. Hey, there are ICE officials at this location. Very much in the same sort of

way that apps like ICEBlock were doing. So in other words, in the age of technofascism, American tech companies are collaborators. Uh before going on to solutions, I want to share one final story from earlier this week. This article describes a search warrant that ICE sent to Meta demanding real-time metadata about who a WhatsApp user was communicating with. WhatsApp messages are end-to-end encrypted, but Meta freely gives law enforcement all of the metadata. So, if you're using WhatsApp for any sort of anti-fascist activism, stop and switch to Signal. Signal has features like sealed sender that prevent them from even accessing the metadata themselves and so they can't be forced to hand it over to ICE. Um, and this warrant also

specifically allows the government to unlock the suspect's phone using their biometrics. So again, don't use biometrics for unlocking your phone or computer. I actually think it's fine to use biometrics to have it enabled. Just uncheck the unlock the phone with this. So of these four instances of censorship, ICEBlock, Red Dot, Eyes Up, and the ICE Sightings Chicagoland Facebook group, Eyes Up is the only one that's still online. And the reason is because it's a website. What this censorship tells me is that companies like Apple, Google, and Meta cannot be trusted or relied on. So, if you want to make an app that the Trump administration won't like, unfortunately, you should make it with

censorship in mind. Just like Eyes Up, make it a website that works without a native app. So, when Apple and Google turn on you, your tool can still be useful. And the internet is a global network. There are domain name registrars and hosting providers all over the world, and many of them won't cooperate with US authorities. There isn't much internet censorship in the United States yet. But if that changes, uh like if they want to start blocking eyesupapp.com, um uh thanks to activists in places like China and Iran and Russia, we have decades of experience circumventing online censorship. We can use the same techniques here if we need to. Finally, we should all step back from

our computers, put down our phones, and devote real energy into strengthening our communities. Things are really bad right now, and it's easy to feel isolated and alone. Whenever possible, talk to people in person instead of in group chats or video calls. People are facing harassment from Trump-supporting fascists. Their loved ones are getting disappeared by secret police. The state is making examples out of people who are trying to get gender affirming health care or reproductive health care or for protesting genocide. When they come after you, your friends or your neighbors, the worst thing you can do is keep staring at your phone. We need real community ties with people who have our backs. And we need to have

solidarity with everyone else that they're going after. People living under oppressive regimes have learned throughout history the importance of security culture. A security culture is a set of customs and measures shared by a community to keep everyone safe. So as [ __ ] gets more real, keeping your community safe is everyone's responsibility. Don't panic if you haven't done all the things that I proposed in this talk. And don't judge others who haven't done them either. It takes time to incorporate these practices into communities as a security culture. But we're all better off if we commit to them. The fascists are probably going to start hacking our phones. They're going to plug them into Cellebrite and try to see exactly who

we're talking to and what we're saying. They might want to plant spyware on your phone and hope that you keep using it. They're going to pressure tech platforms to prevent us from organizing. They're already doing this. They're going to uh use data from companies like Google and Meta to decide who to target. So, it's not enough to just lock down your own devices. If we want to stay safe and productive in the age of fascism, we all need to work together. Um, and here are a few other resources that you might want to check out. Thank you so much. [applause]

[applause]

Yeah. Uh I I got what do we have like 15 minutes or 10 minutes or something? Yeah, we have time for questions if anyone has any. And I hope you like the uh frog ears. Uh to the point about using Signal, I can speak from experience that if you're using social media apps for communication, do not sync your contacts. They pull those into the cloud and then those can be used internally. So don't don't sync contacts people. >> Good advice. I think that um I know Graphene has, GrapheneOS, the Android ROM, has a uh a contacts scope that lets you choose exactly which contacts. So like you know WhatsApp or whatever thinks that you're syncing all the contacts but

you're only choosing a few limited numbers. And I think the new iOS supports this too. So you can still use those apps without giving it access to your contacts. >> So total Sophie's choice, I know, but um given the state of things right now today, iPhone, Android, which if you know, which would you say is least worst? Um yeah, I mean, I don't know. I think it depends. I think that like it really sucks that there's a duopoly and that like, you know, the Trump administration gets to decide what anyone is allowed to install on any phone at all. I think that that I'm I'm kind of excited about the like new iPhone 17 secure like memory corruption

stuff. Um uh and I've been using an iPhone for a while, so I'm using an iPhone 17 right now. Um but I don't know. I think it's fine to use an Android phone, too. Uh, I think Android phones probably like spy on you more, but iPhones kind of spy on you a lot, too. So, I I mean, I think that as long as you um install all of your updates, try and, you know, use best practices, disable all of the like bad settings, it doesn't make that much of a difference. Um, one one thing actually though is that uh in terms of security, I don't know. Basically, it's easier to detect spyware on iOS than it is to

detect spyware on Android. And the reason is because iOS has like much more verbose logs. Um, everything you're doing on your phone every time you like reboot, every time you do anything, it records all of this in something called the sysdiagnose log file and you can like extract the sysdiagnose and then like look back in time in history. Android doesn't have like a verbose log file that like gets to hundreds of megabytes. Instead, it's just like you can take a snap, you can do a bug report, so you can take a snapshot and so it's easier to detect malware on iOS. But that doesn't mean that you should use it necessarily. >> Hi Micah, nice to see you. Um, I try to

have these conversations with friends, family, etc. Um, but often get push back like, you know, it doesn't have to be this hard to use your phone, right? Or I'm not an Antifa super soldier. Do I really need to? And a lot of the conversations tend to trail off because uh the people I talk to, my friends, my family, people who are in my circle don't think that this level of security hygiene applies to them. Are there any trainings that you've come across or any way to bring this to my community in a way that might be more persuasive? >> Um that's a good question. I mean, one thing is most of this stuff actually isn't hard. It does. It doesn't make

things much like like lockdown mode um like makes your phone slightly more annoying to use, but like honestly you should just use your phone less anyway and you'll be happier. So, so I find that to be a feature of lockdown mode. Um uh but I mean I don't know. I I kind of think that like just tell people like yeah like maybe you feel like you're not directly threatened right now but but like imagine that this is you know 1938 Germany and you know you don't really need to worry about anyone raiding your house because you're not Jewish or something like that like like I think that it's prudent for us to be prepared. Hi. Uh, do you think a duress passphrase

is helpful for dealing with device searches? Um, I don't know. Like I I don't know of any like empirical data about this, you know. So, so I mean I think that what I would say is that there's a lot of like you know theoretical stuff that you can think about things like duress passwords or things but in the moment especially if like someone is like assaulting you and like threatening you with prison time and stuff like um you know you might not remember your duress passphrase. You might you know decide to just give them your password cuz if you give them the duress passphrase and it wipes the device that they might beat you even more. like there's like a lot

of real world stuff that doesn't really apply. So, um I don't know if it's helpful or not, but I think that if you're interested in that sort of thing, go ahead and do it. And um uh yeah, I mean I think that really that just requires more research, but I also think that it's not usable. Like I don't think I think that it might work for you, but it's not going to work for everyone, you know? >> Hi. Uh uh so with mercenary spyware or I guess spyware manufacturers being um moved to companies and in particular companies that are now US-owned. Do you think that there are uh going to be any [clears throat] for security

researchers that are like analyzing or pulling apart this malware? Is it are copyright protections or intellectual property protections going to start I guess coming into play as a way to maybe silence researchers do you think or uh is it >> basically the same as when it was done in-house by government entities? >> Um that's a good that's an interesting question. I mean, like the flip side of that, like there's a big lawsuit that uh where Meta sued NSO Group over um exploiting WhatsApp and they actually won a huge like it was something like $230 million settlement that the NSO group has to pay uh Meta. Um but yeah, in terms of like US, I don't know. I

mean, I think that the good news is that Citizen Lab is not American. It's Canadian. it's a and it's also associated with the research university. Um and uh then like Amnesty International and Access Now are like global NGOs. So I think that there's a bit more leeway for researchers like even if you're American you can like work with groups and there's actually another thing if you're interested in this sort of thing. Um there's a lot of of demand right now uh uh for researchers to find spyware. So, like if if you live in Portland and you know and like a bunch of people just got arrested by ICE and their phones were taken from

them and then they were given back like yeah, you should contact Access Now um the helpline and and get help and stuff. But also like you as like a security nerd like volunteer to help, try and get a copy of that sysdiagnose, try and dig through it and and um you know like I think that this could be a really good way to contribute to your community. >> Hi. Um, I've got a challenge for you. Downtown here, there's building after building of low-income people living that are not tech-savvy that are worried. You'll see them out on the street corners smoking. They're all over the place. They don't know how to keep themselves safe. I would like to ask you to look out for

your neighbors down here downtown. do what you can because they're very vulnerable. They've already lived through regret the regimes. I mean, these are immigrants, people that um relatives immigrated. Uh and they need help, but they can't help themselves. And I know you're all smart enough to figure out ways to help your neighbors downtown here. this would be a good time to like plug any sort of Portland mutual aid groups that do stuff like this, but I'm not from here, so I don't actually know what groups to plug. >> Uh, thank you. This has been really interesting. Um, you mentioned on one of your slides, if you're a US citizen, um, it was on your know your rights slide

about, um, that they have to let you into the country, but they can confiscate your device. >> Can they like hold you for an indefinite period of time? Can they charge you with anything like failing to cooperate? Um >> um >> if you have you heard of any instances of anything like that? >> So I'm not a lawyer, but I have but I have like kind of recently talked to a lawyer who basically said that for US citizens um they can't hold you indefinitely without charging you with something. I don't know about charging you with failing to cooperate. Like I don't know if if if that would be enough of a crime. Um, but basically that like

the like what this lawyer what a lawyer from ACLU thought that uh the biggest worries for US citizens are um they're going to confiscate your devices and try to hack into them. Um uh but I think they can't hold you for more than something like 2 days or 3 days or something like that. ly they might hold you for a few days, but then they have to let you go. Unless they like maybe they break into your phone and find some excuse to charge you with a crime or something, then they could hold you for longer. Um, but yeah, I haven't heard of instances of US citizens uh like just getting disappeared while traveling. Um, doesn't mean it hasn't

happened. Maybe it happened and they weren't able to contact anyone, so no one knows. >> What's next for you? Or is are you working on anything interesting? I'm so currently I'm doing um a bunch of research. Uh so I'm I'm I'm basically like a consultant now. I just I'm self-employed. Um so I'm do I'm actually working with Citizen Lab. Um and I'm working with Freedom of the Press Foundation like doing a bunch of software development. Um and other other people. So I mean I don't know. I feel like it's really hard to do any sort of planning [laughter] when when there's when everything's crumbling around us. Um, but I'm just going to try and uh,

you know, survive and keep people safe. >> Yeah. What makes you trust lockdown mode if you don't trust Apple? >> Like, so I don't think that lockdown mode is necessarily going to mean that you're safe. Like I don't think that it means that the the device is secure, but I think but basically like what it does is it cuts off um common attack surfaces. So like okay, so like one of the things that it does is it disables a bunch of features in iMessage. Um, so when people try and send you um, uh, like documents over iMessage, it like doesn't work anymore. And when people send you links, it makes those links not clickable. So, it's a lot easier to like

it's a lot harder to accidentally like click on a phishing link and then exploit something in Safari or whatever. So, it's not that I like trust it. It's just that there's um uh like the way that the way that the that modern spyware to hack a phone works is it relies on like a whole chain of exploits. So, first maybe it exploits something in iMessage, then maybe it exploits something in like a font renderer or it exploits something in Safari or whatever. And what lockdown mode does is it just cuts off a bunch of stuff. So like like okay so one of the things that it does it turns off uh JIT just in time or just in just in time

compilation in um the browser and so uh instead it so it makes JavaScript a lot slower to run so JavaScript only applications are slower but it's not actually but like it uh prevents you know like memory corruption bugs from happening in JavaScript anymore where before they would happen. So, I don't know if if that answers the question, but basically it's like, yeah, [ __ ] Apple, but it reduces features that are commonly exploited. >> It was more referred to >> I find it hard to not have a phone. Um, it I think that what would be great is if the Apple Google phone duopoly was like crushed and I can get like, you know, a completely different phone with

a completely different operating system from like, you know, Brazil or the EU or something, but that doesn't exist yet. I think that, you know, Trump is trying really hard to make sure that that that sort of competition is gonna happen. >> I guess uh somewhat related to that, I'm curious on your opinion around big tech like ignoring Zuckerberg and Meta and craziness. I mean, right now it's basically, you know, capitalism and self-preservation. Do you see there be a tipping point where leaders of those companies would essentially become actual fascists, not just collaborators out of money? Uh, incentives. >> I mean, it's like like what's the difference [laughter] like like like because so like another common definition of fascism is like

merging corporations in the state. And so, and I think that like really what's going on right now is we have these huge massive monopolies in the United States that realize that they're going to, you know, they're going to not have like Lina Khan, they're not going to have like their monopolies broken up if they, you know, just like flatter Trump. And so that's what they're doing. And now they're and they're like, you know, getting paid. They're they're making a lot of money from it. And so I mean, I kind of feel like that means they're fascists, right? What type of evidence do people look for when they're conducting a device search? >> Um, uh, so like like the like cops look for?

>> Yeah. Like what what might be on someone's phone that they might get flagged for? >> Um, so I mean I So Cellebrite uh the like so Cellebrite UFED is their universal forensic extraction device uh uh system. And so what it does is it really it so the first thing it does is it um uh if the assuming the device is unlocked it tries to jailbreak the phone or root the phone. So it tries to use exploits to get root which then gives it full access to the file system. And I think that it will and then at that point it could access the private app data for every app. But I think that basically they um

support uh they have a bunch of custom like plugins basically for different apps. And so I think they probably copy all of the data off of the phone, but then also they like specifically are looking for messaging apps and then for photos and then for uh they probably have like um you know like a custom module for like the Facebook app and then you know they they put it into their database so they have a nice way of reading your entire Facebook uh like message history and everything else. Um, but yeah, I mean I think that like messaging apps are probably like really high priority, but but I mean they'll take all of your contacts. They'll take

uh, you know, they'll take whatever they can get and then I think it's just a matter of the, you know, law enforcement investigators deciding what's useful to prosecute you. >> Let's give Micah a round of applause. Thank you so much for coming. [applause]

>> [music]