 Jameson brother, how are you doing man? Not bad keeping busy. Yeah, especially now. It's like this like mini bull markets back That's always good for business when you're in the business of security, of course security is always a good business Which is the reason why you and I are talking today Because there's two things number one I've been noticing lately that a lot of people have been getting fished and specifically getting fish from social engineering and having Their login or so-called security feature as a text message And I know you've had personal experience and you wrote an excellent medium post about this going through what happened to you and And what you took in order to make sure that your privacy stays intact and Obviously privacy means security and safety for for your well-being however What I want to talk about today is what are things That people have to look out for and what are things that people can do today? Like what are some small simple security measures? Obviously not bulletproof, but it can greatly help them out And keeping their their safety Well, it depends on how much do you want to focus on the crypto side of things versus just cyber security in general I think we can do it like a little bit both. I think you know since You know, we're both in a crypto space I think a lot of people like I mentioned earlier having issues are getting fishing on exchanges or they're getting Manipulated or people are doing social engineering with their cell phone providers So we can touch base on that and I think it's a great overlap into This general security. It's you know, your web browsing history or Gmail Chrome, etc Yeah, I mean, it's all kind of related basically the advent of these crypto assets have Exposed flaws in these systems that have been there all along but there was never quite the same level of incentive for people to exploit them and And so, you know, we're especially we're seeing these Issues with the various mobile phone providers at least in the United States Where it's very easy for someone to take over your account with very little information Apparently, this is not a big issue at least in Europe because they have More strict lockdown on your mobile accounts for whatever reason And so If people are familiar can you kind of just briefly describe how people are Porting or getting other people's access to their cell phone Basically the issue seems to be that We are, you know, very customer service oriented in the United States and the Customer service agents at all these telephone companies are more than happy to help people Move their phone numbers around, you know, transition between different providers and as a result they they make it very easy for an attacker to do the same thing But of course pose as a user give a little bit of personal information which in many cases can be easily found online and then they Transport the number over to the attacker's phone and now the attacker can basically Assume the mobile phone identity of that person and that becomes an issue if you're using your mobile phone as a Two-factor authentication for various online services. It's actually it's even worse than that Because many services use your mobile phone for account recovery So basically the the attacker may not even have your username and password or or much other Information on you, but if they can get your phone number, there's usually several services They can go around to including your email service in many cases and they can say hey I am I am you but I forgot my my login information But I can do it an account recovery because I have my my phone here, right? And so the the service will then send a link or some other information to that phone number The attacker can then take over your email and other accounts and then little by little work their way through your entire online life and and try to get as much information as much valuable Assets out of you as possible And so basically one I just want kind of recap so once they have your phone They'll go to your whatever Gmail say I've lost my stuff and most people have their phones as like their backup and I guess they send a code to the phone which they use to access your Gmail And I'm pretty sure then they can do the same process for a crypto exchange where they can go to the crypto exchange They say hey, I forgot my password, but now they have access to your email and your phone. Yep Yeah, and and really The best way to to figure out if you're susceptible to this is to just try it yourself Log out of your email account log out of your your exchange accounts And then go through their processes of account recovery and see, you know What would it actually take for a random attacker to get into your account? And so what are kind of some simple strategies people can do today? To kind of mitigate. What's with the security flaws? Well, the most important thing is to not have phone based account recovery enabled on any services specifically talking about text-based recovery Correct anything that is is sending information to a phone number. Okay It's also a generally good idea not to do two-factor authentication Via SMS, you know sending those rotating codes basically If you're gonna do stuff with your phone, then you should be using what's called Time-based one-time passwords, which is like Google Authenticator, which is just an app that's running on your phone And it's not actually tied to your phone number that way, you know Someone can take over your phone number, but they don't actually have the private information That's inside of that app that creates those rolling codes Mm-hmm Other than that, you know, like I said if you're if you're not in America You might not have to worry about the phone porting option But the two things that you can do to really try to secure your mobile phone The first would be to not have a phone number that's actually tied to your name This can be a little tricky But basically if you can go buy SIM cards, you know anonymously and then use That SIM as your phone number, you know, then it's not tied to your name There's there's if the phone company doesn't know that you are this SIM card user Then there's no way for an attacker to call the phone company and say hey I need to change the you know SIM For this phone number tied to this person's name. So There's that and then there is just trying to find Mobile phone companies that don't have these gaping holes where they're getting socially engineered all the time The only one at least That's available to americans that i'm aware of that has not had these attacks would be a google fi And that's because it's basically a google voice number and they don't have you know stores They don't even really have a whole lot in the way of customer service for you to be able to port a phone number It basically has a very hard requirement on every google fi account that you have to know the pin That you put in when you set up the account in order to be able to transfer the number over so there's there's no Means of socially engineering your way through that process And then would you recommend for example your social media profiles and everything you're using online to use Obviously if you can get this uh, you know separated burner phone, let's call it But to implement a 2fa within a google auth system as opposed to sms Almost anything is better than sms the the best thing about of course a lot of services don't support it The best thing is to have hardware based authentication. So, uh, u2f The ube keys Even actually trezor and ledger devices support u2f So you can you can use those as well as two factor authentication But uh, if if the service you're using doesn't support that and really it's it's usually only the extremely popular services Or the extremely sensitive services like crypto exchanges Then you'd probably end up having to go with uh, something like the more More popular totp standard, which is what google authenticator does And beyond that, you know beyond just getting a burner phone and doing 2fa, which is a massive upgrade than existing systems and security Do you have any recommendations when it comes to like vpns and browsers like what are things people can do to protect their privacy? online Yeah, just from a really high level of you day to day internet use I recommend installing a number of browser extensions like ublock origin and privacy badger And https everywhere that will Uh, you know help lock down your browser usage and help keep you more secure and help keep you from leaking too much data um Also, you want to use a password manager Something like one password or last pass. I mean there's a number of different password managers out there And almost you know, they all have pros and cons But almost anything is going to be better than using your brain If you're using your brain, you're going to be reusing the same password all over the place And it's basically guaranteed that over a long enough period of time your your passwords are going to get leaked You're going to be putting a password into some service that has terrible Practices on their back end and they're going to get hacked and your password is going to get leaked at some point so you can at least minimize the damage of of The fallout when that does happen because every time this happens and some Major provider gets all of its usernames and passwords compromised Then these dumps of of databases start being passed around on the dark web And inevitably what we would see when we're running security services is um We see all these bots start hitting our login endpoints on you know popular web based services And they're just going through a list alphabetically of all of these usernames and passwords that got leaked and trying to see if any any of them got reused and and so It's it's Basically an inevitability and if you want to protect yourself from it then you can ensure that If your password does get leaked then it's not going to result in people being able to get into your other Accounts as well as the one that actually got compromised Do you have any recommendations when it comes to stuff like proton mail? I mean, I am a fan of proton mail. Um You're going to be giving up some Usability as a result. I mean, uh, this is something I was just talking about recently Is you know google as as terrible as it is because it's sucking up all our data and and uh compromising our privacy It is extremely user-friendly and it's great how like all the services integrate with one another, you know, like you get an email with A calendar Invite that's like embedded in it and it automatically shows up on your calendar as soon as you accept it and And you know integrates with their mapping system all this other stuff. Um, and proton mail on the other hand you know much more secure and Theoretically they don't even have access to your data because it's all getting encrypted On the back end and only decrypted when you're accessing it But um, you know, even like the search function inside of proton mail is not very good And so it's even hard to like navigate through some of your old emails and figure out what was going on So like for me, I I tend Not to use proton mail for everything But I just use it for the the more sensitive thing is that I would care more about if they got leaked And what's your recommendations for like vpns? For what again vpns Ah, yes, there is um There's no like one size fits all vpn um Because there's so many different factors that are involved. Uh, if I can remember uh, I haven't linked off of The epic post that I made but there's this website Uh, I think it's called that that one privacy site dot net And if you go on there, they have this epic vpn comparison And I think it's got you know, probably 100 plus you know, it looks like 180 different vpns on it And it shows you this breakdown of like all the different types of threat vectors that you might want to care about And long story short, there's there's no like one single vpn that is Perfect with regard to all of these different privacy and security considerations. So, you know, it depends a lot on like what Uh jurisdiction you're in What jurisdiction you would prefer the vpn company to be in and like who you think They may be sharing data with how trustworthy they may be with regard to logging, you know, what type of Of payments do they accept and you know, how private are those and so Uh, I I generally I don't go around and tell people. Hey, you should use this one vpn because there are just so many considerations If anything you probably want to have multiple vpns available Um Actually, I I have tried out, you know proton mail actually has proton vpn now and uh, that seems to work pretty well Nice, what's your take on uh oprah and I've been hearing a lot of people talking about it And I know they have a built-in vpn as well Yeah, the the browser. Yeah. Yeah You know, I actually haven't used it in a number of years. So I'm not as is up to date on what they're doing I have noticed that um I think brave browser started having A tour option as well Yeah, because I use brave on a number of computers and and that Is a pretty user-friendly way, I guess to to get on the tour just opening up a special tab in the brave browser Mm-hmm And so when you were Yeah, actually on that topic What do you like about the brave browser? Is it the ui ux is the simplicity like what would you say it stood out to you when You first used it Just how fast it was because it has this native ad blocking built into it Um, I was also using it early on because they were integrating like automatic bitcoin payments to to various entities that signed up And I thought that I was a novel idea of yeah, sure, you know, I'm I'm interested in blocking ads, but I would be interested in you know making automatic micro payments to certain providers um to try to offset the fact that I'm Trying to protect my privacy by blocking all these ads I know they have their own token, but be pretty cool if they had the option of like I can switch their token into Into satoshis instantaneously Yeah, well, I mean it started out as bitcoin and then they went with their own token and then I actually saw um Just in the past few days an announcement that sounds like they are going to be adding support for a number of different cryptocurrency So not sure how that's going to relate to their token if it really will be something where you can just swap out Uh, whatever your favorite, uh cryptocurrency is Hmm interesting. So besides what you mentioned with getting a burner phone To a fe with google auth or even better if you can use a hardware device such as a A ub or even a trezor and a ledger And uh vpns. Is there anything else people should be looking at? well, the one thing that I tried to get by on the post that I made was that um If you're going with the vpn route you need to make sure that you're using your vpn all the time Otherwise you're going to be leaking data some of the time And when I started out with vpns and I was just using them like configured on each computer it um It became a pain because I would like sometimes forget to turn on the vpn or like I would restart I can relate and so Ultimately what I did was some experiments where I uh, I tried setting the vpn actually at my router level So that everything that was going through my home network would be on the vpn And that worked pretty well But it also became a bit of a pain because then sometimes the vpn would screw up And the vpn connection would drop and I wouldn't know Um, I would notice, you know days or weeks later that I wasn't getting the same amount of like Are you human, you know pop up questions and other types of? um Of like blocking that some services do uh for vpns because of the abuse that they see through them And so then I realized well I need to go even Further down the configuration hole and I need to change my router so that it blocks all traffic if the vpn client screws up Uh, and then after doing that for a while I started realizing how often the vpn was screwing up at least, you know Like every few weeks I had to go like yet another step and figure out how to set up multiple vpn clients That would like automatically fail over and so like it became a bit of a chore to set up And I imagine that you know people who don't have a lot of networking knowledge would give up on it pretty easily No, I don't think so. I you know, that's why I'm a firm believer in What are like small steps like Getting to a fade at google aught. That's a small step. You can do that within one minute, right? Uh Getting a vpn. That's a small step. You can log in and you know choose one or two vpn providers Even like other stuff like talking for privacy is uh, you know, a lot of people use more and more messaging apps is you know For me, I personally use Signal there's other ones, you know people like telegram. I don't really use what's up for any Talk, you know security talking, but uh, what's your take on like the messaging apps Well, there's also you know considerations there You definitely want to use one that is end-to-end encrypted so that there's no third party sitting in the middle snooping on everything But even like like you said with like what's happens and encrypted But there are privacy considerations there because you know that facebook is sucking up all of the metadata They may not be able to see what you're actually saying But yeah, they can see what other phone numbers you're talking to and what times you're talking to them and how often You know can extrapolate other things as a result of that and adding it in with other information and interestingly enough i'm I was actually a big fan of signal, but I don't really use it anymore because it still it requires you to expose your phone number And yeah one of the things that i've gotten Into as a result of all this privacy stuff is using proxies for everything So I don't even I don't even hand out my burner phone number anymore I hand out proxy phone numbers that forward to my phone number And the problem with signal is I can't I can't hand out those proxy phone numbers. It just won't work You have to have the actual phone number that the the messages are final like ending up at their final destination So from from that perspective I actually like uh stuff like telegram more because you can just have a username You don't actually have to give someone your phone number or a key base is another good example. Key base is good But their uiux is horrendous Oh my god If they can fix that I would use key base. Yeah But I mean the the ultimate Messaging app unfortunately is not that user friendly. I'm a big fan of a riot and matrix But um these in order to use them Really well, you basically have to be connecting to your own custom identity server and you have to be uh Manually, you know checking public keys as you're adding people to your list Of contacts and and so once again, it's that privacy and convenience trade-off. But um, that's what I think All of the the decent security companies and the space moved away from slack a while ago because it's just wide open And there there's too much risk there and have taken their communications in-house with stuff like riot matrix and uh spider oak is another one that that has Some and encrypted apps, but it's not quite as user friendly in my experience Cool. Um any last words? I think we wrapped everything up pretty good. You know, I want to kind of make a summary is Get your if you're using sms remove that asap used to a fey google auth or a hardware key Ideally if you can get a burner phone a phone and attach your identity get that You know pick certain vpm vpns that you like um, you can use opera you can use brave for the browsers And the proton mail has its pros and cons as you mentioned Um, are we missing anything else? Um, I mean the the main thing is you can You can learn a fair amount If you just do a few hours of research or if you read that that article that I wrote I'll leave a search cut you off. I make sure for everyone listening I'm going to leave that in the show notes and I highly recommend you read that piece because You really go into detail of what happened and the measures that you took Yeah, and the hard thing though is that what we're really talking about here Is a lifestyle change like you have to get into new habits and so What I found is it you know Getting a new habit going can be a pain. It can take you like a few months basically But once you get into that habit then it just becomes second nature Um, you know another thing for example, we didn't even really start to talk about financial privacy, but another simple way to get a lot of your financial privacy back is to just carry cash and not use Cards that are creating more data trails that can get sucked up and analyzed Yeah, hence why my uh I'm interested to see what happens in Libra as I know everything that you do Well, we won't know for at least another year. I think uh people are getting upset prematurely about that Yeah, yeah, I just look at like your actions speak louder than words and we've seen what facebook has been doing and for me it's I understand why they're doing it. I get it. I'm not hating for them on doing it. It's just like I just don't trust them enough. Let me put it that way Well, yeah, and of course, you know facebook has become so huge Uh, once again, like we we mentioned whatsapp. Uh, there's also I guess instagram um, they're they're just uh their their tendrils are reaching out all over the place and and They've become a lot like google in that sense where it's just really hard to avoid them Mm-hmm cool, man. All right, so if people want to find more information Uh guys, please check out the uh, blog posts. It's in the show notes And jameson if they want to follow you and get to know more information about what you're doing What's the best resource? Well, you can find pretty much everything about me on my website, which is lop dot net lopp dot net Awesome. Well, thanks, brother. Always a pleasure and I'll talk to you soon Thanks. Talk to you later