
Let's begin. Okay, so here's another talk, but we're going to talk about privacy, not so much security, and we're going to explain the relationship between the two. So buckle up, hopefully it's fun. A very loosely held together agenda, but we're going to talk about privacy, some concerns, the current state of affairs, things like that, and talk about the privacy scale, something I made up. It's not patent pending, so go ahead and steal it, or maybe you can make an NFT of it, I don't care, whatever. And other stuff.

A little bit about me. I reused this slide; I was being super private when I first gave this, but: Colin Jackson, I go by Didymus, security engineer. I have hobbies. I've also wanted to get more into the privacy enthusiast type; I'm not there yet, maybe someday, but I'm giving a talk without a mask on, so I get what I get. Anyway, cool.

All right, a lot of the material I used to put this slide together was based on U.S. laws. We're all in this room currently in the U.S., so it's going to be geared towards that, but you can apply it to wherever you may be. Also, I'm not a lawyer, I don't pretend to be one much, and I'm not an expert, so these are my opinions, blah blah blah. You get what you paid for; actually, don't you get less than that? And if you're looking for legal advice, blah blah, disclaimer phase, blah blah blah. Okay.

Here are some of my favorites, either people that I follow or blogs or podcasts or things like that; here are some of my privacy advocates. Michael Bazzell does IntelTechniques; he does a really cool privacy, security and OSINT podcast, and I listen to that almost religiously. Justin Carroll. John Jarvis, he gave a BSides talk and some DEF CON talks, privacy rock star, I like it. A couple of others: Kate Rose, I'm going to talk about that in a second. Honorable mention, The Hated One, that's a really fun YouTube channel that's worth following, very privacy centric, and it also keeps up to date on current affairs privacy-wise, so it's good.

All right, so why privacy? How many of you have had this question before, like, why should I care about privacy, I've got nothing to hide? Just by show of hands, have you ever thought that, or do you have friends or family who say that, "I've got nothing to hide"? Yeah, there you go, friends or family, definitely a lot more hands. This is a link to an academic paper explaining why "I've got nothing to hide" is a horrible argument. I'm not going to click it, but it's by Daniel Solove, I think. Yeah. But it's like, I've got nothing to hide, I'm okay, my life's an open book, I share stuff because I want to feel connected, and especially in 2020, where everyone's at home a lot, it's like I feel even less connected, so I want to post pictures of this, or different things like that. And it's like, who would care about my information? My life is boring anyway. Why would you want to see pictures of my kids on their first day of kindergarten, holding up pictures? Why would you want that? So, some things to think about.
Okay, and then privacy and security: they're different things. Some people say they're the same; they're not. They're definitely really good roommates, and when you have both of them, you have trust. It's really great. When you have one of them, it's better than nothing, but it's important, especially in the workforce, securing our organizations and stuff, to have both, because when you have privacy and security, you have trust.

So yeah, quick poll. We're going to do a live poll, just by raising your hands, because I'm not technical. Who is concerned about tailored advertising? All of a sudden you Google search something, and all of a sudden you start getting ads for that something. It's like, I didn't want that. Data collection: "don't worry, don't worry, we collect your data, but we anonymize it, we replace your name with a GUID." Anyone concerned about that? You should be. Cameras and microphones: every laptop pretty much has a camera and a microphone, I'm staring at a camera, our phones have microphones on them and front- and back-facing cameras. Concerns, right? You can rabble and stuff, this is pretty informal. Facial recognition: who loves this, especially the developments they're making? Yeah, nice, throwing the mask on, I love it. Especially where they're trying to make facial recognition work from just the bridge of the nose up, because everyone's wearing masks now. So these are things that concern me too. Cell phone tracking and location-enabled apps: got this new calculator app, it needs access to my location. Why would... anyway.

EXIF data. First of all, who knows what EXIF data is? Who doesn't know what EXIF data is? I won't judge. Okay, EXIF data, for those that don't know, is data that's embedded within a digital file, often photos or videos, that basically shows metadata. Especially with photos, you can glean things like exposure type, f-stop, and if they have location and GPS tracking enabled, when they took the picture; it'll automatically record that, and it'll say this picture was taken at this location at this time. You can glean that information. So imagine, I don't know, next time you're bored, go to a website or something, download the picture, and then throw it into ExifTool and just see what information is there. This is one of the ways that criminal investigators as well as nefarious people will try to track people down by things they post, like, oh, let's see where this picture was taken; oh, they were here. Creepy, right? My goal at the end of this is to make you all more privacy conscious, and paranoia is a good thing, I guess. We'll see.

Third-party data sharing. Don't you love it when you get that "terms and conditions have been updated, and we're now going to share your data with authorized third parties"? I'm concerned about this third-party data sharing. What about second party? What's that? Can anyone explain second party? I thought about this. I was thinking, okay, first party, that's obviously me; third-party data is like a professional business relationship or co-created agreement or something like that; but what's second party? I was trying to explain this the other day, and I was like, what if you have a partnership or a sister company or something like that and you can share data? For example,
don't quote me on this, don't sue me or anything, but originally there was just Facebook, and then Facebook acquired Instagram. Before, they were kind of siloed, but then they changed the terms and conditions, and now it's the Facebook community of whatever, and now they've got WhatsApp and they've got these others, and now there's Meta, and everything within Meta, they can freely share data across it. They changed the terms and conditions; don't quote me on that, I'm not a lawyer, see slide number one. Anyway, second-party data sharing. Interesting.

So what data is out there? This is a good thing to do for yourself, just to find out what of my data is out there that's freely available, or that, as an authorized user, I have the accounts and can go to. So you can actually go and request your Amazon data, especially with GDPR, the lovely thing where all of a sudden you get the GDPR notification on every website and the cookies notification on every website. Some of the good things that came out of that two-bladed sword: you can request your data, you can request that your data be deleted, if you fall under certain criteria, like you're in the European Union, or, like CCPA, you're in California or you do business in California or something. So these are privacy laws that have been passed that kind of give some of the rights back to you. So you can download your Facebook data, your Google activity; go to people search websites and look yourself up, look up your family and loved ones. If you're privacy conscious and have deleted yourself off these people search websites, have you deleted your significant other, or someone who's associated with your address: spouse, roommate, children, for example? Some things to think about. Wow, words are hard in front of people.

So here's an example. I used to have Facebook; over a year ago I deleted it, but I downloaded all my Facebook data. It's a big zip file, and basically they give it to you, and so I had all this. That first column there is all the folders, everything on Facebook that I've done, which is kind of interesting; you can see all that information. And then the next one over, that was one of my Amazon accounts. I just downloaded it to see anything I'd ever done, so you have Prime Video watch history, search data, image click data, all this stuff that they're collecting. This is analytics that they can then use and mine to find out more stuff. You can get your own data. It's sort of about you; it's not necessarily your data, but it's data about you, and you can request this.
Is anyone freaking out yet? I'll try harder. Okay, so John Jarvis, back at BSides 2017, gave this presentation. He also did a workshop, but he gave a presentation on surveillance capitalism and all the stuff that's been going on, very privacy focused. He actually presented this also at DEF CON, at the Crypto & Privacy Village. It opened my eyes, like, this is cool and terrifying at the same time, and a really good talk. You should go look it up and watch it; it is well worth it. It talks about how privacy equates to secrecy versus privacy equates to control. So I'm going to try to talk about that in an educated fashion, no guarantees.

So privacy is about control. It's not so much that no one's allowed to know anything about me, but I want to be the one in control of what gets shared out about me. Like, yeah, you can know about my professional whatever; I have a LinkedIn, and I work for this company or I work in this industry. I don't want you to know where my kids go to school, because that's creepy. Why would you need to know it? So privacy is about controlling what information you're okay sharing, kind of a thing. There's a quote by Bruce Schneier, "privacy failure is a control failure," stuff like that, more about how being able to control our privacy is important. Privacy is the right to consent to the use of your information, privacy should be a human right, and privacy is constantly evolving. If you follow the news at all, there's always stuff, and if it's interesting, there's a lot of data breaches. It's like, what information can we get, and what customer data is valuable to us hackers, or nefarious people? Not saying I'm one of them. Data is everything. So-called big data is where I kind of imagine us as machines, and the exhaust is data, and they're trying to take all of our data exhaust and see what they can get out of it and reverse engineer what we're interested in, what political views we lean towards, what marketing... you get where I'm going. I'm beating the dead horse.

Okay, so this is a quote from Cosmo, a futurist, innovator, cryptanalyst: it's all about information, there's a war going on out there, it's not about bullets or guns or anything like that, it's about who has the most information. By the way, this is from the movie Sneakers; this isn't actually a real person, it's actually Ben Kingsley. By the way, that's my favorite hacker movie. It's just so good, and it's aged really well; everyone should watch it.

The economic basis of the internet is surveillance. Think of all the marketing analytics that your companies put on their web pages, for example, or what people are tracking. How many people got an email from every single website they ever bought something from on Black Friday? Yeah, that was me. It's like, ah, I guess it's Black Friday, aka unsubscribe day, again. We're going to talk about some tactics to avoid this.

So there is a great documentary on Netflix called The Great Hack. This is just kind of... it's looping through too fast, but it's talking about how all this data is being collected, and it's got some really cool visuals and stuff. Another similar one that I really enjoyed was The Social Dilemma; it talked about the dangers of social media, mental health, kind of the Cambridge Analytica stuff. It's interesting stuff; check them out, they're worth it. This is an old, old picture, but if Zuckerberg puts tape on his camera and microphone, maybe you should too. I don't know, this is very old, but there you go. Kind of interesting; makes you think.

So where do I fit in? This is where you come to the unpatented privacy scale that I made up one time in a notebook
and wrote down, so take it for what you want, whatever. More on the left side you have the "I have nothing to hide," "my life's not that interesting," or "I like sharing, I like being an open book." Then, moving more towards the right, it's more along the lines of privacy aware: when people ask, hey, can we enable all these cookies, it's like, I don't want to enable all those cookies, just the necessary cookies, or I have an ad blocker, kind of thing. Moving more towards the privacy enthusiast: what active things can I do, active steps to help better wrangle in my data that gets stolen. And then off the grid, extreme private. This would be like law enforcement, people who work for the government, undercover people, as well as victims of domestic abuse or different things like that who need to get away from people and reset their life. So that's extreme private. So, the privacy scale. Anyone following it? I kind of made it up, so if it doesn't make sense, it's because I made it up. So we're going to talk about some of that.

Areas of privacy: online presence, we're going to cover that a little bit; our phones, because everyone carries a phone now; things we can do for email, as well as social media, safe social media, whatever you want to call it; and then overall lifestyle.

Open source intelligence, we've talked about it, we call it OSINT. This is publicly available information, or information that anyone can get to, to look up information about people. A lot of this is passive: you don't let the person, or the target, as some people like to call it, know that you're creeping on them. This is just public information that's out there. So your Facebook, LinkedIn, Instagram stalking, whatever. Also going through public records, county records, things like that, people search websites. 100% legal, still creepy. So OSINT, it's a cool skill to have, to be able to do that, because I'm going to challenge everyone to go hack yourself: go look up your information and see what you can request and clean up. Like, am I okay with them having that stuff on their website? I never agreed to it, but it was sold to you as a third party. Anyway, rant. This whole thing's going to be a rant, by the way.

So let's talk about internet browsers. Avoid Chrome, and there's a lot of browsers that are based on Chromium. So I'm a bit of a hypocrite, big surprise, but I do use Brave, which is a Chromium build, but it has a lot of the analytics stuff removed and privacy-focused things baked into it. It is an open source project that uses Chromium, but then they try to lock it down more. Firefox is great, Firefox is getting better; they're doing DNS over HTTPS, they're doing, is it containerized tabs? I think that's what they call it, something like that, where tabs can't talk to each other: you can have a business tab, or you can have personal or shopping or banking or something like that. Search engines: use DuckDuckGo. When I wrote this, they didn't have billboards all over the interstate; now they have billboards, and it's like, I love this, this is cool, honey, look at this, that's great. No, no, this is really cool. And as we learned from a recent security conference here, instead of saying "I googled it," we started saying "I ducked it," so we're going to try to make that a thing. It's like, oh yeah, I ducked that the other day and I read up on that, it was interesting. So DuckDuckGo, "I ducked it," instead of "I googled it" or "I binged it"; I know there's one or two who still Bing.

Plugins. Oh, this is out of date: HTTPS Everywhere has actually gone away, it's no longer supported. The EFF, Electronic Frontier Foundation, makes several plugins and different things to give the end user this privacy ability. Now browsers are offering HTTPS everywhere, so I can actually get rid of that slide. Privacy Badger, that's interesting, because you can see the trackers and the different things that are going on. Same with uBlock Origin, Ghostery, NoScript, which blocks every JavaScript or other script from running. So these are things that you can put in your browser and you can start tweaking it and adjusting it. There's other stuff; this isn't an exhaustive list, this is just to get you thinking, like, I want to try that out, kind of stuff.

Phone. Okay, so most of us have a smartphone, some of us have a dumb phone, some of us have
burner phones. It's fine. So, some of the things that we can do with our phones. One, try to have an alternative number. If you're trying to get away from Google, then don't go get a Google Voice; you can get a third party like MySudo, which is a great one I use. So I have a couple of MySudo email addresses and phone numbers, so it's like, this is the one I give out to vendors when they ask, so only vendors get this number; or when I shop and it needs a phone number, I do this; or Google Voice, I use this. Another thing, Mint Mobile. You can buy a Mint Mobile SIM card on Amazon for five bucks, and it's a really cheap plan, and it's an actual SIM card, because there's some places where you go and you put in a phone number and it's like, you've got to put in a real phone number, that's a VoIP number, they know. Buy a Mint Mobile card and you get an actual physical SIM card with a physical number that isn't a VoIP number, switch your stuff over to that number, and then do forwarding to MySudo or Google Voice. There's stuff out there on the internet; you should duck it and find it. See what I did there? Ah, okay.

Smartphone apps versus progressive web apps, PWAs. So these are things where you can download the LinkedIn app, let's say, and it will have access to your phone, and you can see what permissions it has. It has access to the contacts on your phone; well, maybe I don't want to share that. They want you to use the app, but what if you just use the browser and go that way? You can go to LinkedIn in the browser. So, progressive web apps: you go to a website, and I'll show some screenshots later, where you go to the website, log in on the mobile browser, and then say "save to desktop" or "save to home" or something like that, and it gives a little shortcut icon to that. So instead of using the app, you can use the progressive web app, and it's still contained within that mobile browser. Try it; I'm going to show some pictures later.

You can set a private DNS, you can make sure your phone's encrypted, password protect it. You can put biometrics on your phone, but there's some stuff, I think the EFF wrote about it, or maybe, I can't remember, Citizen Lab, but they say don't use biometrics to unlock your phone, because law enforcement doesn't need a warrant to unlock your phone with biometrics. So use it for apps or two-factor, but don't use it to unlock your phone. Kind of interesting; you can read more about it, you can duck it.

Okay, privacy-focused Android operating systems. There's two big ones out there: there's GrapheneOS and there's LineageOS, open source, no Google services even though they're Android based. GrapheneOS goes on Pixel devices, so I have a Pixel device, and as soon as there's an update, GrapheneOS has an update for it. So they only go on Pixel devices, which is interesting, because they're made by Google, but you completely blow it away and put GrapheneOS on. And then there's alternative stores other than the Google Play store, like F-Droid and Aurora, where you can download open source versions of those apps where they've gone through the APK and removed some of the telemetry and tracking. LineageOS, a competitor I guess, similar, used to be CyanogenMod, I believe; I could be wrong, I'm not a lawyer, slide one. Anyway, it supports a lot more different phone models, so something you could look at.

Okay, phone apps. I use Bouncer. This is an app that I put on Android, and basically as soon as I install an app, or it's like, hey, I'm going to take a picture of this, and as soon as you do, it's like, hey, you just granted access to your camera to this app, do you want to keep it, do you want to remove it, or do you want to schedule me to remove it in five minutes, five seconds, whatever. It's really nice, because as soon as you grant access it's like, hey, did you mean to grant access to your contacts to the calculator app? It's kind of nice. NetGuard, Lockdown, those are two similar things, like a phone-based firewall kind of thing. There's some screenshots of it, but you can block things at the phone level, and some of them don't require a rooted device, so if you don't want to root your device, that's good to know. Run a VPN client on your phone; Tor Browser.

Messaging, secure messaging: there's Signal; Sudo, which is MySudo, that's another messaging one; Wire, Wickr, Keybase. These are more privacy centric and do encryption; they all work a little differently, but they work. Email: I'm sure a lot of people have heard about ProtonMail, but if you haven't, it's an encrypted mail service; they don't have access to it. It's really interesting to go there and actually read their requests by law enforcement, like, hey, we want to know what this person did, and they're like, cool, we can tell you when they got our email, we can't tell you the contents, because we don't have the keys. It's true end to end, zero trust, which is nice.
Browsers. So these are mobile browsers you can use on phones. There's a DuckDuckGo browser; they don't make one for desktop, but they do make one for phones. Brave has a browser, as well as Firefox. Camera and microphone: this is a picture I really like, Silent Pocket. These are little stickers that you can put on your phone, and basically you can cover up your stuff, you can cover up the cameras, and it's nice because they're not really sticky, but they cling pretty well, and you can put them on your webcam, whatever. And this one is called a Mic-Lock, so if you have a headphone jack in your phone, you can actually plug it in and your phone will think, oh, that's the microphone. So those of you who are paranoid that your phone's always listening, you plug that in, it can't listen. Mic-Lock is also making one that works with iPhones and the iPhone's single connector thing, whatever. Online storage: ProtonMail also makes Proton Drive, encrypted storage, so I think like a Dropbox or Google Drive type thing, but, you know, SpiderOak, Proton, yeah.

How am I doing on time? Oh geez. Okay, I'm going to post some of these in the Slack channel, just some of these sites, but there's an email comparison site where you can check different things. You can use PGP; it can take a little bit of a learning curve. Email forwarding, throwaways; you can do the "plus whatever," but some people catch on to that and strip it out.

Okay, social media. I'm not saying don't have social media, but I'm saying if you do do social media, have it for a specific purpose; don't have it be your everything. Don't authenticate to sites with your social media if you can avoid it. Like, hey, log in with your Facebook account to this site that isn't associated with Facebook, but you can log in with your Facebook thing, and then we have a data sharing agreement, we get to see your Facebook profile. Just use email. So for example, LinkedIn: lock it down. This is a picture of one of my LinkedIn profiles; that's from thispersondoesnotexist.com, which auto-generates people's faces every time you refresh the page. So that's on one of my LinkedIn things; that's not a real person. So, fun stuff.

Lifestyle. I'm not a paid sponsor of this sweatshirt, by the way. Home network: think about your home network; is there stuff that you can block from coming in, or telemetry you can block from going out? Dedicated cell phones: we talked about Mint Mobile, or having specific phone numbers for specific things, like one you give out to family, one you give out like a throwaway that you know is going to get spammed by telemarketers, stuff like that. Faraday bags: I don't really have time to go into this, but Silent Pocket, Mission Darkness, they make these Faraday bags where you can drop your phone in and it stops all signals, RFID, all that stuff. It's interesting, because some of the argument now is, even when you power off your phone: it's powered off, yeah, but your battery is still connected, and on newer phones you can't take out batteries. They have little capacitors and batteries, and it can still send little heartbeats or something. This is your tinfoil hat, people. You'd have to take your phone apart to be sure, but Faraday bags, just peace of mind.

Privacy.com: Christmas is coming up, so this is a cool site where you can generate one-time-use credit cards, or specific-use credit cards, so instead of using your one credit card for everything, and then there's a credit card breach and they have access to all that: privacy.com. So when I'm buying gifts for my wife or children, since we have a shared bank account with 2FA, it's like, hey, I'm going to be buying Christmas gifts, but it's going to show up as privacy.com, because I don't want you to know where I was buying your Christmas gift and ruin Christmas. So privacy.com helps Christmas; that's not their slogan. Disinformation campaign: I don't really want to talk about that too much, but that's like getting magazine subscriptions or sending packages to your house under a different name. It can cause problems when the name doesn't match the postal record or things like that, or, like, sign up for a magazine you'll actually read under a different name, and then they're like, oh, Bob Billyson lives here. It's like, there's no Bob Billyson here, sorry. I don't know. Adversarial clothing: this is an example of it. This is designed to throw garbage data into automatic license plate readers. So my brother actually has one of these, a license plate reader, and I went in front of his house and walked in front of it without telling him. He was like, hey, are you messing around by my house? Like, maybe. It's like it just had a bunch of cars drive by. It's like, no, it's this adversarial fashion. It's kind of fun. And then I like the concept of gray man, gray woman. This is hiding in plain sight: when you're out and about and you don't want to be easily recognized, nondescript clothing. Think Jason Bourne: didn't have logos, didn't have things like this. Rather than being in camouflage in a white snowy field, it's more like you blend in with your surrounding people, like you're non-memorable. Rant.

Home network. So there's things you can do at home. pfSense is free, it's open source, you can put this on your home network firewall. If you have a Raspberry Pi, you can do a Pi-hole, which is really fun, blocks a lot of stuff; FalconGate does similar stuff too. You can set up your own VPN so all your connections go through your home ISP. I don't know. The Hated One has some great YouTube videos on this, talking about the differences between privacy versus anonymity
kind of stuff, and true anonymity is very, very, very difficult. Like, unless you have a dedicated machine, you only shop online on that machine, and you have a different machine for this kind of stuff.

All right, demo. I'm not really going to show demos, but I took screenshots in case the demo failed, so we're going to use those instead. You can buy VPNs; Black Friday would have been the best time. I use HMA; I'm probably going to switch, but there's things like Private Internet Access and Proton VPN and different things like this, and you can install them on your phone, so all of your data goes through a VPN and your cell phone provider doesn't know what sites you're going to. Or you can change: I went to Europe this summer, and when I went to a different country I'd switch to that country, so it's like, okay, they're coming out of here. Or I had to call my credit card company; here I switched to a U.S. one and then I did a VoIP call home, so it didn't look suspicious, or things like that. I'm taking control of what I'm allowing to share out. So VPNs: they're good, they're affordable, and I have a link to a VPN comparison chart that I can post in the Slack channel.

So here's an example of some PWAs. I got rid of these things, but, like, I don't have Twitter on my phone. I use Twitter, but I go through this thing and it blocks all these ads. And I do watch YouTube videos, but I watch them through the Brave browser PWA, and I don't ever get ads on my mobile device. It's great, I love it. So basically you go to a website and you just say, hey, add to home, and then it's like, cool, you want to add to your home screen, okay, let me know where it goes. PWAs: way better than putting a bunch of apps that have access to your phone. Setting up private DNS on your phone: this is basically routing your stuff through a private DNS server, so an added measure of privacy. I'm not going to go into that, I don't really have time, but something you can look at; you can set this up on your phones now. So this is Lockdown, this is that iOS firewall sort of app, and basically you can go through and turn it on, like, hey, I want to block Facebook and crypto mining and different things; like, I want to say my phone can't send that home, they can't send that telemetry home. And here over on the right is Bouncer, where basically I can go, hey, what permission, let's look at the camera permission, what are all the apps that have access to my camera right now? And it's a bit better than the native one, because as soon as you add it, it'll bounce and say, hey, did you want to do that? There you go.

So now what? What do we do from here? What's my call to action? So my call to action: figure out where you're currently at on the privacy scale, and it's not like a one, two, three, four; it's a scale, it slides, whatever. Where are you at right now? Go to people search websites, go request your data and see what they have on you from Amazon or Facebook. Go do these data requests. If you're watching TV at night, pull up your laptop and pull your data while you're watching TV, sort of a thing. So find out where you're currently at, and then decide where you want to be. Do I want to request some of my data? Do I want to delete my social media accounts I don't use anymore, but my data's still out there? Where do you want to go? And then make the steps to move in that direction. I have resources and stuff in this slide that I'm going to post in Slack with links and stuff. There's this thing called the Data Detox, this 10-day data detox, I think it's put out by Mozilla, that you can duck and find. Opt-out requests; evaluate accounts you need, close the accounts you don't, kind of stuff.

So that's more or less it. Does anyone have any questions? I'm not an expert. Cool, cool. I'm going to show you the appendix things and then I'm going to post them in the Slack, but anywho, feel free to connect. So: link to the Detox Kit, how to data detox your phone or get off of your phone and stuff; data request links from various things; VPN and email comparison charts, so they take all these different VPN and email providers and compare the different things that they can do, do they log, do they do the stuff. It's really nice. Warrant canaries, we didn't cover this, but several websites have a warrant canary. So if they get served a warrant, it's like, you're not allowed to disclose this; it's like, well, we have a warrant canary page. So it's like, have we ever received a warrant? Yes, we can say yes, we received one. So you can go to websites and look for the warrant canary. It's kind of interesting, because they'll say we can't say who requested it or what it was, but we can tell you if we've been warranted before. So, several other things: resources, podcasts, books, interesting stuff, other stuff. I'm going to post all these links in the Slack channel. So there you have it. That's Michael Bazzell's Extreme Privacy if you want to go clear the way to the right. And then some random memes that I wasn't sure if I was going to use or not, but there you go. That's my presentation. Thanks for coming.
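The EXIF check the talk suggests (throw a downloaded photo into ExifTool and see whether it carries a GPS fix), as an added example that is not part of the talk and not ExifTool's code: a small stdlib-only Python parser that walks a JPEG's marker segments, finds the APP1 Exif block, follows the GPSInfo pointer in IFD0 into the GPS IFD, and turns the degrees/minutes/seconds rationals into signed decimal degrees; strip_exif drops the Exif segment so you can see what posting a cleaned copy would remove. The sample JPEG, its "ExampleCam"-style layout and its coordinates are constructed here for the demonstration; the scan data is a placeholder, not a real image.

```python
import struct

# Tag numbers from the Exif 2.3 / TIFF 6.0 specs
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF field type

def iter_segments(jpeg):
    """Yield (marker, start, end) for each header segment. SOS (0xDA) is yielded as one span
    running to end of file, since only entropy-coded data and EOI follow it."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                 # SOS, or a bare EOI: nothing more to parse
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length covers itself + payload
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def is_exif_app1(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"

def read_ifd(tiff, offset, bo):
    """Return {tag: raw value bytes} for the IFD at `offset` inside the TIFF block."""
    n = struct.unpack(bo + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                                           # value fits inline in the entry
            entries[tag] = tiff[e + 8:e + 8 + size]
        else:                                                   # entry holds an offset instead
            off = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            entries[tag] = tiff[off:off + size]
    return entries

def dms_to_decimal(raw, ref, bo):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref byte -> signed decimal degrees."""
    nums = struct.unpack(bo + "IIIIII", raw)
    if 0 in nums[1::2]:
        raise ValueError("zero denominator in GPS rational")
    deg, mn, sec = (nums[i] / nums[i + 1] for i in (0, 2, 4))
    value = deg + mn / 60 + sec / 3600
    return -value if ref in (b"S", b"W") else value

def exif_gps(jpeg):
    """(latitude, longitude) in decimal degrees from the Exif GPS IFD, or None if there is none."""
    for marker, start, end in iter_segments(jpeg):
        if not is_exif_app1(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        bo = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte order from the TIFF header (KeyError if malformed)
        ifd0 = read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = read_ifd(tiff, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD])[0], bo)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        return (dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF][:1], bo),
                dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF][:1], bo))
    return None

def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment dropped; the image data is untouched."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(jpeg):
        if not is_exif_app1(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)

def build_sample_jpeg():
    """Constructed sample, not a real photo: a JPEG skeleton whose Exif block geotags it at
    38 deg 53' 23\" N, 77 deg 00' 32\" W (made-up coordinates; the scan data is a placeholder)."""
    bo = ">"                                        # big-endian ("MM") TIFF
    ifd0_off = 8                                    # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 1 * 12 + 4             # IFD0 = count + 1 entry + next-IFD link
    rat_off = gps_off + 2 + 4 * 12 + 4              # GPS IFD = count + 4 entries + link

    def entry(tag, typ, count, value):              # one 12-byte IFD entry
        return struct.pack(bo + "HHI", tag, typ, count) + value

    ifd0 = (struct.pack(bo + "H", 1)
            + entry(TAG_GPS_IFD, 4, 1, struct.pack(bo + "I", gps_off))   # GPSInfo pointer
            + struct.pack(bo + "I", 0))
    gps = (struct.pack(bo + "H", 4)
           + entry(GPS_LAT_REF, 2, 2, b"N\x00\x00\x00")
           + entry(GPS_LAT, 5, 3, struct.pack(bo + "I", rat_off))
           + entry(GPS_LON_REF, 2, 2, b"W\x00\x00\x00")
           + entry(GPS_LON, 5, 3, struct.pack(bo + "I", rat_off + 24))
           + struct.pack(bo + "I", 0))
    rationals = struct.pack(bo + "12I", 38, 1, 53, 1, 23, 1, 77, 1, 0, 1, 32, 1)
    tiff = b"MM\x00\x2a" + struct.pack(bo + "I", ifd0_off) + ifd0 + gps + rationals
    app1_body = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"   # minimal SOS header
    return b"\xff\xd8" + app1 + sos + b"\x00\x01\x02\x03" + b"\xff\xd9"
```

Run `exif_gps(build_sample_jpeg())` to get roughly (38.8897, -77.0089), and `exif_gps(strip_exif(build_sample_jpeg()))` to get None. On a real photo, read the file bytes and pass them to exif_gps; the same walk finds the segment ExifTool reports as GPSLatitude/GPSLongitude. Note that stripping APP1 removes the whole Exif block (camera model, timestamps and any embedded thumbnail too), which is usually what you want before posting, and that XMP (APP1 with a different identifier) or IPTC (APP13) can also carry location, so a thorough cleaner checks those as well.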