Glenn Meder: Achieving Online Security and Privacy

Originally published at: Glenn Meder: Achieving Online Security and Privacy – Peak Prosperity

In today’s Off The Cuff interview, I speak with online/digital security and privacy expert Glenn Meder about the upcoming free webinar he’s hosting for Peak Prosperity followers.

As we learned in the Protecting Your Wealth from the Great Taking webinar, SIPC portfolio insurance doesn’t cover hacking or scams. If you fall victim to those, tough luck.

That’s true for a lot of bank and credit card scams too, which are becoming increasingly sophisticated, including AI generated calls that mimic the voice of a loved one in some sort of desperate trouble with the law or kidnappers.

Glenn takes us through some of the basic steps everyone should consider to increase their security and privacy – which are increasingly related concepts. One can be used to reduce the other.

Be sure to register for the free webinar by clicking this link. In prior years, we’ve received nothing but glowing reviews about Glenn’s offerings and so we’re happy to offer them up once again.

10 Likes

Wednesday, June 26, Central time, 7pm (GMT -5)

Related story that illustrates the threats we face: an aunt & uncle a few months ago fell for one of these sophisticated scams. While elderly, in their 80s, they are not naive dummies by any stretch. But somehow, they did give up a PIN number to the scammers. End result: savings accounts wiped out and their $25,000.00 line of credit was used in its entirety. They are on the hook for it all because they gave out personal info.

I feel so badly for them. How does one recover financially at that age? It certainly is a warning that these things are very real and getting more sophisticated all the time.

6 Likes

The big issue with online security and privacy is that people have no way of knowing if they’ve been hacked. They may be hacked and not know it. And they may feel like they’ve been hacked because suddenly somebody is talking about something that they emailed privately or had in their computer and didn’t share, but that doesn’t mean it was hacked, because fads happen and lots of people may be thinking along the exact same lines.

During the pandemic when everybody was talking about the coronavirus, lots of strange things happened. I’ve written something about it, but let me warn you, it isn’t for everyone and you may not like it one bit, it’s rather spicy:

2 Likes

I don’t understand. When I look on the GrapheneOS website and check which devices are supported, I only see Google Pixel. What is the use of de-googling the OS on Google hardware???

4 Likes

Because the main “intelligence” of a computer/smartphone/tablet/WhateverComputerizedDevice is in the operating system, not in the hardware.

The majority of the spying (that we know of) and privacy issues take place at the app/program/operating system level.
It’s very possible to snoop/hack/breach at lower levels, like firmware or even hardware, but it’s likely that isn’t as common as the easier vectors: operating systems, programs and so on.

And in general, it also takes more skill to be able to write code that does things at the lower levels of firmware/hardware.

Source: I was an IT tech officially for about 12 years, and also as part of my job description for about another 5. I still dabble in various projects.

3 Likes

What were the applications he said again? I thought it was going to be in the description.

Yes, I know but Google should very well be capable of spying on the hardware level.
Why choose Google hardware when there is also Nokia (Finland), FairPhone (The Netherlands), Gigaset (Germany), Purism (US)? Nooooo… They choose…
GOOGLE!

1 Like

Hi, I have just watched the security video and went straight to the Bitwarden website. It is totally daunting just as the speaker said it would be. I have managed to register a free account but will have to find a YouTube video which explains what you have to do to use Bitwarden. I registered for the webinar but unfortunately 7:00 pm Eastern time is 4:00am my time :joy::joy::joy:. I wonder if there will be a recording I can watch :pray:

Bitwarden (or p/w)

Graphene OS (for phone)

Session (for encrypted messaging)

1 Like

Ironically, it turns out the Google Pixels are the easiest phones to DeGoogle. I have one myself.

1 Like

I took his self-paced class a few years ago and found it very helpful. I do use Bitwarden and once I got the hang of it, it works very well. I use Brave browser for personal stuff and MS Edge for work stuff. I still keep a hard copy list of my username/passwords but I’m diligent about keeping it updated and not out in the open. I also use 2 factor authentication for financial stuff and while it is rather a pain sometimes, I feel more protected.

1 Like

And why would that be? :slightly_smiling_face:

Pretty smart stuff.

Castor oil in the navel, though.

Thank you for your reply, much appreciated.

I have found a lot of tutorial videos on YouTube explaining how to use Bitwarden so hopefully over the weekend I will be able to work out what to do.

I am a pensioner in the UK, I watch all the videos that Chris sends out, we live in scary times…

I am not tech savvy and have in the past pressed a wrong button and caused myself lots of problems with computers so tread very carefully now.

I am looking forwards to viewing the great taking video that has been posted.

kind regards

Peter Dawson

2 Likes

I’ve been using BitWarden for around 5 years. I pay the $10/year for the premium service which allows me to upload images of certain documents, for example my passport and my Vietnam Resident card. I also keep images of my credit and bank cards and other ID as well. Safe and secure.

BitWarden is superior to other password managers. It can do everything that other PW managers can do at a free price and as open software any vulnerabilities would be patched quickly.

I haven’t watched the video yet and perhaps I don’t use all the functions of BitWarden but I think it is a very capable program.

Highly recommended.

3 Likes

There’s a big caveat to this that I wrote about here some time ago. The first thing that I would add to this discussion though is that there is a third, mutually-exclusive category that is often neglected or conflated: anonymity.

When you unbox a new Pixel device, you have to give it internet access before the carrier OEM unlock toggle is available. Keep in mind that Google is a data company that was propped up out of the Massive Digital Data Services (MDDS) initiative by CIA and NSA. The device, in factory state right out of the box, begins harvesting data without any hesitation.

So for those who are aiming for any expectations of anonymity from Google in their personal OPSEC modeling with these devices, you should do everything possible for plausible deniability to limit its data collection activities until you have booted into GOS or whatever alternative de-Googled image build that you’re installing onto the device. This means countering for the:

  1. Front and rear facing cameras
  2. Geolocation data (GPS, WLAN, BT, cellular radios)
     • Google also collects and stores indefinitely the MAC addresses of all nearby devices and their signal strengths within proximity of the Pixel (the government is also privy to this data)
  3. Front facing thermal imaging sensor
  4. Fingerprint scanning module on the front display

That’s all required for getting the device reconfigured to allow for a non-factory image to be installed (GrapheneOS, Calyx, whatever).

I’m saying all of this as someone who has a strong and unique background in this arena going back to the early 2000’s with skin in the game. I tell people that in order to take the right corrective measures for their technology posture, they must have an accurate understanding of the true adversarial landscape, and differentiate between security, privacy, and anonymity. We are not only dealing with technical problems, but also human behavioral issues that are challenging to fix, so correcting the overall posture requires a proper understanding of what those problems are in order to develop realistic expectations for the solutions identified.

The adversarial landscape for all of this is orders of magnitude worse than most people could imagine, with big tech-gov at the forefront. There’s a lot of FUD on cyber-criminals, as it’s becoming very difficult for them to operate. The most successful are those who are operated by or in cooperation with state-level actors. Overall, I sense the landscape looks more like this:

[image: adversaries_venn]

The Venn diagram relationship of big tech > daddy gov is represented as a single circle, i.e. they are one and the same adversarially to our privacy, anonymity, and ultimately our security. Similarly for telcos, and now thanks to the recent changes to FISA 702 -

“…any company or individual that provides ANY service whatsoever can be forced to assist in government surveillance, provided that they have access to the equipment on which communications are transmitted or stored”.

What I really want to stress is that it’s technologically impossible to expect perfect privacy, security, and anonymity with any smartphone, given the offensive capabilities in the hands of governments and the private sector partnership. Certainly not over any extended period of time. I’m not at all saying that a Pixel with GrapheneOS is futile, because it’s far worse to do nothing at all and allow Apple, Google, and everyone else making devices to harvest data from you, your thoughts and brainwaves, and those in close proximity to the devices. Rather, it can solve for a specific set of security and privacy-related problems and use cases (i.e., it’s not a magic bullet solution).

You can expect a much higher degree of exploit mitigation using a GrapheneOS Pixel device with the default browser and base applications. The 3rd party apps are what tends to compromise security and privacy. Google Play Services is sandboxed in GrapheneOS, but I would never consider installing it to any device profiles. I just don’t need it, nor do I want it installed.

Session - it’s a fork of Signal that uses the Oxen network. It doesn’t require any phone or email registration. You can run it in “slow” notification mode so that it polls for new messages periodically and doesn’t require Google Play Services for push notifications. Biggest user experience caveat with Session on Android and Linux is the inability to send images or videos larger than 10MB. They somehow managed to implement data chunking in the iOS version, which doesn’t have that sending limitation.

PW managers - Personally not a fan of BW for several reasons. KeePassDX set up with Argon2id and a dedicated vault for the device with biometric unlock (backed by the Titan hardware security module) is solid and usable.

SIM swap attacks and the Efani MVNO - Efani is an MVNO like US Mobile, Cricket Wireless, et al. Their primary value prop is mitigating SIM swap attacks on higher net worth individuals. The background on SIM swap attacks is this - there are many banks that use an absurdly insecure and antiquated 3rd party authentication service as a primary factor for customer identity verification. ALL that this 3rd party service really does behind the scenes is check the bank account holder’s name against the billing name tied to the mobile SIM card / IMSI associated with the phone number that is calling into the bank. They cannot and will not hide the identity of customers from court ordered subpoenas, but in the case of modern authoritarians - FISA grants the gov this visibility.

The reason this is an insecure authentication factor is because there have been instances where an attacker has either tricked the mobile provider, had someone on the inside, or directly breached their system to replace the subscriber’s SIM card with an eSIM on a device that they control - thus stealing your SIM card and mobile number.

An anecdote from my recent past: I opened a new checking account with a local / regional financial institution, and I had an account-related issue that required customer support. The number that I had on my account was a VoIP DID, and the unhelpful robotic overseas customer service rep informed me that I could not be verified because the caller ID in the (CNAM) database did not match my name on the bank account. So I updated the VoIP DID entry and changed the caller ID arbitrarily to match, had them try again and it PASSED the authentication step. This kind of authentication is INEFFECTIVE and should NEVER be used by any financial institutions, and yet they’re somehow permitted to use it.

I’ll stop there!

4 Likes

It is actually the reverse with statecraft, especially with regards to ARM-based phones/tablet architecture. The highly proprietary baseband / firmware sits on a much more privileged exception level than the userland operating systems.

The OS couldn’t even detect when an out-of-band C2 channel is being used (CALEA or any 3GPP surveillance mechanism) on most devices. Very few have true hardware kill switches for the hostile radio hardware (cell, WLAN/BT, satellite modem). Pixels have an IOMMU that’s supposedly controllable in software, but you have to take their word for it (and the manufacturer’s word).

Good to hear you're on Brave.

My husband bought me a nice Apple cell phone six years ago, and is upset that I keep it in a military-grade Faraday cage bag 100% of the time. No apps. No messaging apps. The only time I use it is when my car breaks down, the power goes out and the VOIP-based landline along with it, or I’m in the hospital. Never enabled the link to the Apple iCloud – it keeps prompting me to sign in when I turn the phone on and I hit the reset button twice and it finally stops asking me.

Also deleted my Fascistbook account after January 6th, set up a dummy account on Twitter where I never like, post, or comment on anything so I can monitor the “news” chatter, and even on Gab I almost never post, like or comment, and when I do, I go through and delete everything once a month. That won’t stop the nonstop NSA scrapers from caring that I commented about fermenting goat cheese on Gab, but it will stop the less diligent scrapers from crucifying me for a 20 year old “like” on a saucy meme.

The more intrusive they get, the less time I spend online, and the less I use technology. Now if only I could get my husband and kids on board…

6 Likes