Posted on November 20th, 2017
A recent forum post started a conversation about Black Friday and Cyber Monday deals on the privacy related goods and services that we use. This launched a series of messages asking for recommendations, and the following post contains my suggested items as gifts for others (or yourself). Please note that while most of these are affiliate links, I use the following products constantly.
VPN: Private Internet Access (PIA): This is by far the most important item on the list. If you are not using a VPN to protect your internet traffic, please consider doing so. If you have people in your life that have contemplated using a VPN, this is a great $39 gift that will remind them of you all year. If you would like to read why I choose PIA as my primary VPN, go here: https://privacy-training.com/pia.html.
Yubikey: I always prefer a hardware-based two-factor authentication (2FA) option over a text message or software token. These tiny devices require participating services to verify that the USB device is present before access to the online account can be granted. My email and financial services all require my Yubikey be pressed before I can log into my accounts. You can also use these for GMail, KeePassXC, and many other options. While there are more affordable options such as the Yubikey Fido, I recommend the Yubikey 4 Nano for most cross-site usability and small form-factor.
Books: Books always make great gifts. Selfishly, I will first promote The Complete Privacy & Security Desk Reference Volume I (Digital). While we prepare to release Volume II (Physical) early next year, this book might convince others in your life that they should be concerned with digital privacy and security. They might even apply the techniques in the book toward their own lives. I also rely heavily on two books by Nolo and gift them several times every year. Their latest Make Your Own Living Trust (Direct Link / Amazon Link) is an absolute must-have for anyone considering the creation of a will or trust. Living trusts provide a great layer of privacy when dealing with an estate or titling a home (helps keep you off of those people search websites). This book convinced me to make my own living trust and saved me thousands of dollars in legal fees. Finally, their Form Your Own LLC book (Direct Link / Amazon Link) is perfect for any entrepreneur or privacy advocate looking to use LLCs as a layer of privacy for their assets. I recently used this book to properly title a new home in a new LLC created for a client.
Microphone Lock: This $6 gadget (or $20 5-pack) can be fun, quirky, and unique. It also provides a legitimate value to privacy enthusiasts. It enables the external microphone option on a phone or computer, and then blocks it. If you encounter any malicious software that attempts to listen to you through your microphone, this device prohibits the action. I currently use the BungaJungle version (test unit) on my phone and laptop at all times, but their kickstarter is over and has not been fulfilled yet. Until then, this is the next best thing.
Protectli Vault: We hosted the creator of this device on our podcast, and it is now my most valued possession on my home network. It acts as a high powered router that is capable of running pfSense 24 hours a day. It is low power with great specs. I have mine configured to run my PIA VPN with an absolute kill switch. This small box now protects every device on my network (even guests’ mobile devices). It blocks all incoming connections and forces a VPN on all outgoing internet traffic. I will never be without one in the future (I travel with mine).
Prepaid Gift Card: There are many options, but I always recommend the Vanilla Visa. It does NOT require activation for in-store use. Privacy seekers should always have a prepaid option in their possession, for use when cash is not an option.
Silent Pocket Faraday Bag: Signal-blocking bags are not all created equal. I have tested many that did not work at all. The Silent Pocket is a premium option that has worked 100% of the time for me. It also has a magnetic enclosure to prevent those embarrassing velcro releases that get attention from anyone nearby. They have a medium for most phones and a large for the latest oversized devices.
SanDisk UltraFit Flash Drives: You can never have enough USB drives. I prefer these fast and small devices because they are affordable and reliable. Make sure you have backups of your KeePassXC password databases (You did create a password vault, correct?) and any other valuable data, encrypted on USB devices. These also work great for bootable Linux systems as described in my OSINT book.
I am sure there will be many more gift ideas that come up, especially from the users on my forum. An updated page can always be found at https://privacy-training.com/gift.
Posted on November 20th, 2017
On November 14, 2017, Firefox released version 57 of its browser. While a huge upgrade in terms of speed and overall usage, it killed many of the Add-ons (extensions) that we rely on as internet (OSINT) investigators. In order to bypass this restriction, some users have stopped all updates to Firefox after version 56, which presents a new concern. Outdated browsers are more vulnerable to online attacks since they are not receiving security updates. The more appropriate solution to all of this is to install Firefox ESR (Extended Support Release). This official Firefox browser, which can be installed separately from an official updated version of Firefox, will still receive security updates. More importantly, all of those legacy Firefox extensions will work just fine.
For those of you using the Buscador OSINT Virtual Machine, type the following commands into Terminal (black box, upper left):
sudo sudo add-apt-repository ppa:mozillateam/ppa
sudo apt-get update
sudo apt-get install firefox-esr
Note that I needed to reboot my machine before typing the last command, but your may not need to. After installation, click on the nine small dots in the upper left of your Buscador screen. You should see Firefox-ESR in the applications list. Drag this icon onto your dock, and you are ready to go. The image below displays Firefox ESR on my Buscador VM available along with Firefox 57. You can see the legacy extensions available at the top of the browser and two Firefox icons in the dock.
Windows and MacOS users can download Firefox ESR from HERE. Installation should be straight forward. If you installed Firefox-ESR on a machine that already had Firefox with legacy extensions (such as Buscador), those Add-ons should migrate to this new release automatically. Since official Firefox installs all share the same profiles, you should be able to switch back and forth between Firefox versions and maintain your extension customizations. If you did not have any extensions prior to installation, you can install any of the legacy Firefox extensions from the previous online repositories.
NOTE: Many of the legacy extensions may have been updated by your version of Firefox 57 (and will show disabled in Firefox ESR). If so, simply re-install any of the desired extensions within Firefox ESR and make it your default browser.
Posted on November 1st, 2017
During my Online OSINT Training course, I demonstrate many ways to investigate and collect online content from YouTube profiles. Some of the advanced techniques allow bulk collection of videos and ways to bypass various restrictions from YouTube. However, the majority of the questions that I receive about YouTube involve the easiest ways of collecting the data without the need for special software on your computer. Currently, the following are my preferred ways to collect screen captures, video files, and comments from YouTube profiles.
Screen Captures: It is vital to collect an overall screen capture of the target YouTube page. This will display the standard view of the page, but will not display the video content. Be sure to expand all of the comments before attempting a capture. I currently use Hunchly ($) for this, but Fireshot (Free) is sufficient for most YouTube pages. Hunchly works effortlessly behind the scenes while Fireshot must be activated on each capture.
Video Files: Yout.com provides a slick interface for quickly downloading YouTube videos without the need for special software. Unfortunately, entering a YouTube address on yout.com does not provide the download options. However, yout.com/video/VIDEOID immediately allows for download of the video. As an example, the YouTube video at https://www.youtube.com/watch?v=u0zHRa4AUGU can be downloaded at https://yout.com/video/u0zHRa4AUGU. You can choose to download the video with audio or only the audio from the video file. High definition (720) versions of most videos are available.
Comment Extraction: A screen capture and file download of a video on YouTube may be a great start, but the comments attached to a video page can be more valuable. Screen captures can capture all of this data, but the capture is basically an image, and is not searchable. You may want to extract the comments and attach them to a report. The online service YouTube Comment Scraper at http://ytcomments.klostermann.ca has everything you need for this. The results page received after providing a YouTube video address displays the comments and metadata asociated with them. However, the download option provides a CSV spreadsheet with all of the data. This includes ID, User, Date, Time, Comment, Likes, and Replies associated with the video. This spreadsheet can be extremely valuable when dealing with hundreds or thousands of comments.
These methods only represent the “easy” stuff that can be done online. The video training explains the more advanced options such as bulk download.
Posted on November 1st, 2017
Signal is a secure, end-to-end encrypted, zero-knowledge messaging service that offers voice, video, and text communication that cannot be intercepted. This is far superior to standard communication techniques such as SMS texting or cell/VOIP telephone calls. The vast majority of my communications to friends and family is through Signal, while I use Sudo for all of my standard telephone calls to traditional phone numbers. My biggest complaint about Signal has been the reliance on the Google Chrome Browser for those that want a desktop option. Since I try to avoid Chrome due to privacy concerns, I am always cautious when using Chrome Apps, such as Signal and Authy. Fortunately, the Signal standalone desktop app is now available, and I no longer need Chrome at all. Below are the links you may find of interest.
Release Information: https://signal.org/blog/standalone-signal-desktop/
Further, Authy also now has a desktop app. Authy is my chosen option for Two-Factor Authentication (2FA) when a physical Yubikey is not an option. Authy generates one-time use codes every 30 seconds that allow you to secure your online accounts from unauthorized intrusion. Until recently, Authy also required the Chrome browser in order to be used on the desktop. Fortunately, they now offer a standalone desktop app, which can be downloaded at the following link.
Filed under Security | Comments Off on Signal and Authy are now available as desktop apps
Posted on October 20th, 2017
EPISODE 050: FIFTIETH EPISODE PRIVACY ROUND TABLE
This week we sit down with Drew, Jason, and Jesse for a round-table discussion of privacy and security issues.
Play below or Subscribe at:
Listen to previous episodes at https://privacy-training.com/podcast.html
Intro to guests
In the last year what was THE most important privacy and security issues impacting our community?
Privacy fatigue – who has it?
Could we switch to Linux? What do we NEED a computer/phone to do?
What are our predictions for the coming year in privacy and security?
Sites with difficult or non-existant opt-outs are becoming more common. How do you deal with these?
How do you handle saving “contacts” on an anonymous phone?
If you are aware of a crime is there any way to submit evidence to the police without compromising your own identity/privacy?
OFFENSE & DEFENSE:
Offense: Using Google services to uncover GVoice owners
The Complete Privacy and Security Desk Reference
Please submit your listener questions to us at https://privacy-training.com/podcast.html