Phone Security and Surveillance Renegade Cut


Nobody goes anywhere without their phone. Our phones are our address books, computers, watches, and calculators – but there is one other thing, one other feature of our phones that we try not to think about. Because if we think about it too much, we'll never stop thinking about it.

Our phones are also tracking devices. Even if we turn off the Wifi, turn off mobile data, and stop using Google Maps, there are ways for our phones to be tracked and monitored. Through a combination of cell towers, Wifi, mobile data, apps, and other electronic methods, our phones can easily be tracked, and since we always bring our phones with us when we leave the home, we ourselves can also be tracked.

As explained in Security and Counter-Surveillance, “Cell phones, because they operate through satellite and transmission tower networks, can be used to track a person’s movements and location. Cell phones can also be made into active listening devices, even when not in use. Many also have built-in digital cameras and video capability. The proliferation of cell phones and their capabilities greatly expands the potential for surveillance...”

We have given up privacy for convenience. We have given up our personal space and security for devices that have made addicts of us. It's a remarkable addiction because contemporary society has made owning a smart phone so necessary that the addiction becomes mandatory. We can always turn them off, but now that everything is set up to be accessed by smart phone, permanently turning off our phones would be the same as permanently cutting ourselves off from the world.

We are being tracked at all times, but we also can't stop ourselves from this tracking, this loss of privacy, any more than we can simply decide to live in the woods or stay off the grid completely. Such an option technically exists but is not feasible or practical for comfortable living. Some people don't care about this and have simply accepted this as the new normal of the 21st century, but other people have more cause to be concerned about their privacy – namely activists, journalists, and others who might be doing important work that is nonetheless frowned upon by the state. Some people, understandably, feel the need to take greater precautions.

When Black Lives Matter protesters took to the streets, the United States Department of Justice contacted the US Marshals and DEA to provide support to local law enforcement. The DOJ saw this as an opportunity to collect data from activists under the guise of public safety.

As explained by Kim Zetter of The Intercept, “...it’s likely that the two agencies were being asked to assist police for a particular reason. Both the DEA and the Marshals possess airplanes outfitted with so-called stingrays or dirtboxes: powerful technologies capable of tracking mobile phones or, depending on how they’re configured, collecting data and communications from mobile phones in bulk. Stingrays have been used on the ground and in the air by law enforcement for years but are highly controversial because they don’t just collect data from targeted phones; they collect data from any phone in the vicinity of a device. That data can be used to identify people — protesters, for example — and track their movements during and after demonstrations, as well as to identify others who associate with them. They also can inject spying software onto specific phones or direct the browser of a phone to a website where malware can be loaded onto it ...”

Smart phones generally have a location service feature that uses signals received from GPS, Global Positioning System, or GLONASS, Global Navigation Satellite System. GPS is operated by the United States Department of Defense, and GLONASS is operated by Roscosmos, the Russian space program.

I'm sorry, but our smart phones really are subject to tracking by world superpowers, and their tracking is highly accurate. We lost the rights to our private lives a long time ago. Remember when the United States Congress passed the PATRIOT Act and said it was just about catching Osama bin Laden, and then it was reauthorized over and over again until everyone kinda got used to it? Well, now it's the new normal, and 20 years ago feels like a million years ago. Thanks a lot, everyone who got caught up in post-9/11 fear-mongering and propaganda.

How closely can the federal government pinpoint our location? Well, remember those cell towers? The greater the number of towers, the more accurately a smart phone can be tracked. In urban areas, there are a lot of cell towers whereas in the suburbs or especially in rural areas, there are fewer cell towers. When a phone enters the range of a cell tower, the network operators have some raw data because they know from which sector the phone arrived. When the distance is measured by multiple towers, they can effectively triangulate that phone's position in a process called uplink multilateration. 5G networks can triangulate your position within a few meters – basically right on top of you.

Remember back in 2013 when leaked documents proved that the NSA was spying on millions of Americans without their knowledge? The spy program continues to this day. This isn't like the movies where the bad guy is found out, and everything goes back to normal. Instead, the bad guy was found out, but since the bad guy is the state, the bad guy just kept doing roughly the same thing.

As explained by Ellen Nakashima of The Washington Post, “An extensive surveillance program first revealed by former National Security Agency contractor Edward Snowden in 2013 continues to operate with no judicial and limited congressional oversight despite its potential to capture Americans’ communications … According to documents leaked by Snowden, the program has existed for more than a decade.”

The data in our phones is of particular interest to the state. Our computers are always in our home, but our phones come with us, and our phones contain an abundance of communication. Phone calls, text messages, and so forth.

So, what can we do? Simply abandon our phones? Again, that does not seem entirely practical. We can be a little safer, though. We can adopt practices that limit our exposure, that limit our ability to be tracked at a moment's notice. There is no foolproof plan, but that doesn't mean accepting this loss of privacy altogether.

Let's go through some practical advice from experts and see what we can do.

Malware is not just software from sketchy websites looking for your credit card information. It's also utilized by the state to dig deeper into your smart phone, to spy on journalists, to sabotage activists, and really to do whatever the state deems necessary. Mexico, India, Saudi Arabia and other nations have used Pegasus software to this end. Some nations like Italy, Syria and Kazakhstan have used spyware called Hermit. Greece and Madagascar are using software called Predator. The list goes on and on. Spying on citizens has become big business.

Much of this malicious software is the “no-click” variety, meaning we don't have to be tricked into clicking on some dodgy link to have it lodged into our devices. One method is abusing certificates so that the spyware can be sideloaded from outside of the app store.

This level of spyware is not something easily avoided by a simple antivirus app.

The United States, for example, spends millions of dollars on its malware, and it's sophisticated enough that common, free anti-malware apps probably won't cut it.

One bit of good news is that while this malicious software is powerful, it's also subject to the ever-changing world of internet software. Malware is often attuned to particular operating systems, and when the OS updates, the state must update its malware as well. If we update our OS frequently, we lessen our chances of being infected by state malware.

The Pegasus software, for example, has some weaknesses in this area. The infection chain has no “persistence”, which means a normal reboot helps clean the device. The problem is most people don't reboot their mobile devices too often. Start making a habit of that. Reboot daily. Multiple times daily. It will force Pegasus to find your device again and try to re-infect it.

Some apps like iMessage and FaceTime on iOS and default apps on Android are commonly exploited because they are always on the devices. Disable default apps and replace them with more secure and less common apps instead. Speaking of which...

Some applications share more of your information than others. Some have access to your location, and that location can potentially be shared with the federal government, law enforcement agencies, private corporations and a number of other entities that you did not consent to share that information with.

As explained in the book Mobile Security and Privacy, “Apps such as Facebook, Foursquare, Swarm, Tinder, Twitter, Uber, and similar hold and share information about where you are exactly at what moment, not to mention a history of where you were. … One of the greater issues for privacy relates to continuing consumer trust in the digital economy. In the span of a few short years, social networking on the Internet has become the platform for communication among many mobile device users using apps like Twitter, Instagram, Facebook, or WhatsApp. Just because people are much more public in the nature and extent of information they share online does not mean privacy is dead.”

What apps and operating systems should you download? Apple iOS and Android's OS are well-known enough to be abused, but there are other operating systems that could offer better security. Android has a public source code, and those with security in mind have created alternate operating systems from it, such as LineageOS, GrapheneOS, and CalyxOS.

Some people believe that iOS is the most secure operating system available because Apple only releases its source code privately, but if your concern is state-sponsored malware, simply having an iPhone is not going to help. You think these huge corporations that supply governments with spy software don't have access to the iOS source code? Another downside of iOS is that while there may be fewer vulnerabilities than vanilla Android OS, that also means that vulnerabilities do not get flagged as quickly.

To further mask our presence, we can always use a combination of a VPN and Tor browser, which masks our footprint through multiple layers of encryption. As explained by Costin Raiu, “Some exploits are delivered through GSM operator MitM attacks, when browsing HTTP sites or by DNS hijack. Using a VPN to mask the traffic makes it difficult for your GSM operator to target you directly over the Internet. It also complicates the targeting process if the attackers have control over your data stream, such as while in roaming.”

By the way, do not rely on a free VPN. They are usually garbage. Tor browser is free, but it is not garbage. It is essential.

Turn on Encryption in your phone security settings, but for added security, use an encryption app like ZenCrypt, Crypt4All, or iDrive. Don't use your phone's SMS messenger. Use an encrypted messenger like Signal, Telegram, or Wire. Don't use Twitter or Facebook direct messenger for anything you wouldn't want the government to see, because they absolutely will get access to it if they want to.

Delete Google Maps from your phone and download an alternative like NavMii or OpenStreetMap.

What about email? I remember when email blew up in the '90s and effectively replaced snail mail by the turn of the century. Email had been around for a long time, but not many people were really on the internet until the second half of the '90s. It felt more secure, less physical than envelopes that leave a literal paper trail. But here we are, it's 2023, and email is not secure at all. For email, do not use Gmail. Again, don't trust Google. Use a more secure, encrypted email service, or just bounce from email altogether and message through one of the aforementioned encrypted message apps. Never use an email account provided by your internet service provider, and never use your work email to discuss anything you don't want someone to see. Your boss will sell you out at the slightest hint of trouble.

As explained in the book The Art of Invisibility by Kevin D. Mitnick, “If you’re like me, one of the first things you do in the morning is check your e-mail. And, if you’re like me, you also wonder who else has read your e-mail. That’s not a paranoid concern. If you use a Web-based e-mail service such as Gmail or Outlook 365, the answer is kind of obvious and frightening. Even if you delete an e-mail the moment you read it on your computer or mobile phone, that doesn’t necessarily erase the content. There’s still a copy of it somewhere. Web mail is cloud-based, so in order to be able to access it from any device anywhere, at any time, there have to be redundant copies. If you use Gmail, for example, a copy of every e-mail sent and received through your Gmail account is retained on various servers worldwide at Google. This is also true if you use e-mail systems provided by Yahoo, Apple, AT&T, Comcast, Microsoft, or even your workplace. Any e-mails you send can also be inspected, at any time, by the hosting company. Allegedly this is to filter out malware, but the reality is that third parties can and do access our e-mails for other, more sinister and self-serving, reasons.”

The federal government contacts big corporations and asks them for access to your accounts all the time. You think AT&T has your back? You think Comcast is run by activists? Always put several layers of security between yourself and a major corporation if you plan on staying safe from the NSA, FBI, CIA and other three-letter government goon squads. Imagine a gang sneaking onto your driveway or apartment building and rifling through your mail box. That's what the state is doing all the time – in your email inbox.

So, what else can we do?

Get yourself a Faraday bag to protect your phone from receiving signals. A Faraday bag is a shield for your phone. It blocks electromagnetic fields. If you're worried that you're being tracked and you don't want to wrap your phone in aluminum foil all the time, a Faraday bag is what you want. Be sure to get one with good online reviews or you're just buying an expensive purse.

Some people mistakenly believe that removing the SIM card from the phone will prevent the phone from being tracked, but that is not true. Removing your SIM does not safeguard your phone from tracking. Here is why. When a phone connects to a cellular network, it sends a unique device identifier called the International Mobile Equipment Identity (IMEI) and a subscriber identity called the International Mobile Subscriber Identity (IMSI). The latter is generally stored on a physical SIM card or Subscriber Identity Module. However, a phone can operate without a valid SIM card or IMSI. These just authenticate the device to the carrier. That's why a phone can typically make emergency calls without a SIM card.

In other words, a phone is still active and still trackable without that card. In fact, switching multiple SIM cards in one device or one SIM card in multiple devices can create a trackable link between device ID and the subscriber ID.

Lock your smart phone with a password. I'm not a lawyer, but according to lawyers, the current law is that a police officer can force you to unlock your phone with facial recognition, but the officer cannot force you to give up your password. So, if you think locking your phone with facial recognition is safer, that's not necessarily true, at least in this situation. Don't use a fingerprint lock unless you like the idea of your fingerprints being stored in your phone. Also, delete old data from your phone as much as possible.

Some people also mistakenly believe that using an old phone with 2G or lower instead of a smart phone is more secure, but that is not exactly true.

According to Håkan Geijer, author of Mobile Phone Security for Activists and Agitators, “Because a phone without GPS or location service can still be geolocated, simple phones do not offer significant protection from location tracking. Feature phones typically lack widely available text or voice chat apps, and by definition basic phones have no such capabilities. This means that only unencrypted SMS and telephone calls are available, and these are susceptible to interception in more ways than if they had client-server or end-to-end encryption. Basic phones ... may only have 2G capabilities which means that calls and SMS are trivially interceptable with only about €25 worth of consumer-grade equipment. Further, many of these devices may have hidden internet capabilities that send telemetry data back to manufacturers without users being aware.”
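
The earlier point about SIM cards, that moving SIMs between devices links the device ID to the subscriber ID, can be seen in a short added example (not part of the original video or its transcript). The attach log, the identifier values and the function names are constructed for illustration; real IMEI and IMSI values are numeric.

```python
# Added illustration: constructed data, hypothetical names throughout.
from collections import defaultdict

# Constructed network-attach records as a carrier might log them:
# (device identifier IMEI, subscriber identifier IMSI). Values are fake.
ATTACH_LOG = [
    ("IMEI-A", "IMSI-1"),  # everyday phone with everyday SIM
    ("IMEI-A", "IMSI-2"),  # second SIM swapped into the same phone
    ("IMEI-B", "IMSI-2"),  # that second SIM later moved to another phone
    ("IMEI-C", "IMSI-3"),  # unrelated phone and SIM, never mixed
    ("IMEI-A", "IMSI-1"),  # repeat attach, adds nothing new
]


def link_identities(records):
    """Group identifiers that are connected through any shared attach."""
    parent = {}

    def find(x):
        # Union-find lookup with path halving.
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for imei, imsi in records:
        a, b = find(imei), find(imsi)
        if a != b:
            parent[b] = a  # one shared attach merges two groups

    clusters = defaultdict(set)
    for ident in list(parent):
        clusters[find(ident)].add(ident)
    # Stable output: largest cluster first, then alphabetical.
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


def linked_to(records, ident):
    """Every other identifier that lands in the same cluster as `ident`."""
    for cluster in link_identities(records):
        if ident in cluster:
            return [i for i in cluster if i != ident]
    return []


if __name__ == "__main__":
    for cluster in link_identities(ATTACH_LOG):
        print(cluster)
```

The second phone never held the first SIM, yet it ends up in the same group because one swapped SIM bridges the two devices; only the phone and SIM that were never mixed stay separate.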

Do not pay for a burner phone with a credit card. That would defeat the purpose. Go to a convenience store or retailer, and pay with cash. Don't tie your burner phone to anything you do on your smart phone.

There are far more secure smart phones out there, designed from the ground up for cyber security, but the prices are pretty steep. Hard to recommend for the average person, but something from Sirin Labs or Bittium might be worth it if you have serious security concerns.

Even if you do all of this and more, your privacy and safety are not guaranteed. Nothing will completely prevent your phone from being monitored, but there are methods to potentially reduce that possibility. Use them. Use all of them, stay updated on new technology, both to utilize and to avoid. Our private lives have been bought by corporations, and our safety is maintained by the state, and they will take it away if you prove yourself to be an agitator, or even if you're not. If your response to this is “I don't have anything to hide!”, that is the attitude that put us all in this situation in the first place.

Be careful out there.

2023-04-30
