Episode: 3715
Title: HPR3715: Secret hat conversations, Part 2.
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3715/hpr3715.mp3
Transcribed: 2025-10-25 04:36:46
---
This is Hacker Public Radio Episode 3,715 for Friday the 28th of October 2022.
Today's show is entitled Secret Hat Conversations Part 2.
It is hosted by some guy on the internet and is about 65 minutes long.
It carries an explicit flag.
The summary is: Twin Tin Hats, featuring Archer 72.
Hello and welcome to another episode of Hacker Public Radio.
I'm your host, some guy on the internet and I'm joined by...
Archer 72.
Alright Archer.
Today you brought up an interesting topic in the chat and I thought it would be a good idea.
Let's get together and lay down a couple of words on the track about it.
I got my tin foil hat on nice and tight.
How about you?
Not as tight as yours, but we'll see.
Alright, so you want to go ahead and kick it off?
So I'm trying...
I have it in a different window and I'm trying to reword how it is.
But someone I know thinks that there is all enough of...
I can't think of the word now.
A lot of computing, they're using surveillance with tons of quantum computing to actually break everybody's passwords.
Oh, well, as I mentioned in the chat, I believe they have had the ability to break certain levels of encryption that we currently believe to be safe for a long time; it's just that it takes a considerable amount of time and energy to do each attempt.
If they were to go wide scale with it, breaking just, you know, untold amounts of accounts, the security behind them, it would draw too much attention.
At least that's my belief.
Alright, and I feel like I'm such a little guy, who would even bother?
Most of my passwords, I use a password generator, pwgen, and I use a dash y and do 50 characters, and I believe that's enough.
Yeah, see, that's the thing.
For most of us, I believe that yes, we're not exactly the target today.
But a time will come when maybe just looking for the individual is too hard, so they'll just, you know, basically like you run a web scraper over dozens of pages to gather information.
Well, if they can just break into numerous accounts on one platform and then scrape information from the accounts after they've been accessed, they could basically use machine learning to find whatever they were looking for.
And a point there, I was hoping to use machine learning for something else, but that's another day.
Oh, trust me, I got plenty of tin for you for that.
It actually helped me take some of my episodes and use learning to make a few for when my voice isn't feeling so well.
A little under the weather.
We were just talking about that with Dave.
Do you see that conversation?
No, I've been hopping in and out.
I missed about, I don't know, six hours worth of chat.
So let me ask you this, for people like you that think that, you know, you're not a large enough target to have someone point an expensive piece of machinery at and begin to research your life by breaking in to, you know, accounts or whatever.
What do you think it'll take for them to aim the machine at you?
Maybe the wrong political views.
That's a big one.
I was thinking of that myself.
It can be something as simple as, you know, something said on social media, maybe a neighbor overheard something and reported you, you know, there's a whole lot of that kind of thing that can happen.
Maybe kids have something in school and then the school marks it down as a major concern and they want to know what's going on, but you're a little too private to reveal it, so they aim the machine at you to gain more insight.
That could be.
Honestly, I think all it really takes is a human being that's just curious about what other people are doing.
If he's left with access to the machine, to the technology, I don't think anybody in government is, you know, an angel.
No, I don't trust very many people there.
So I imagine the same way, all sorts of technology gets abused and if you go looking for it, they'll tell you it's national security, they can't talk about it.
In reality, it's, yeah, one of our guys is, you know, we've been a little rogue with it and we don't want to face the embarrassment of the issue, so hide it all behind national security.
In some ways it's like what Lurking Prion and I were saying: I'd just try to be a little, or not be the low-hanging fruit, and have levels of security.
Well, see, that's the thing.
When it comes to an individual like a hacker out there, you know, script kiddie trying to pick off the low-hanging fruit, sure we will put ourselves out of reach of that.
However, the government knows that, you know, we're above the low-hanging fruit as well.
So are the so-called bad guys.
You know, the bad guys also understand the same technology that we do and employ a lot of these security measures to keep themselves out of the low-hanging fruit category.
So we're all in that same area on the tree, if you will.
We're below the major corporations who can spend tons of money on corporate level security or whatever, enterprise grade security, but we're above the low-hanging fruit.
So we're like right in that middle, we're like the middle class of technology and security.
I see that.
We got just enough knowledge not to be weak, but not enough money to defend ourselves.
So when the government decides that they're going to come after you, I mean, they've pretty much got a target range of what they want to look for anyway.
You know, the guys who are so-called careless, you know, don't use password managers or anything, and just kind of use the same password all over the place, they're...
I'm pretty sure they know not to even waste their time with those guys.
It's the guys like us who are constantly, you know, searching on the internet for different ways to remain secure and things like that.
All right.
Like you're using the alternative emails?
Yeah.
Alternative emails.
I mean, just think about it now.
We're on Mumble instead of Teams or any of the other wide open platforms where they wouldn't even need a warrant to come get information on you.
No, and I'm on Mastodon too, and that's not your usual platform.
Exactly.
But that's what I'm saying.
They can just easily figure out where the, you know, quote, bad guys, close quote, are simply because they're going to be using decentralized platforms and things to kind of keep their activities secret.
All right, I see.
Now, we'll get swept up in it because, I mean, I think of the whole, you know, term bad guy aside from the obvious, you know, if you're out there killing people or anything like that, you're on your own.
You can't defend that.
But when it comes to learning, understanding, having different political views and things like that, I think of it a lot like medicine.
You know, there's that old saying, what's the difference between medicine and toxin?
What's that?
Dosage.
All right.
Yeah, same thing with the information, the technology that we use.
I mean, what's the difference between us and the bad guys?
It's all about what you happen to stumble across.
The bad guys are only really the bad guys because of what they happen to find out or how they use it.
Well, yeah.
Yeah, I mean, it's already bad that you found out a certain thing.
But if you go running your mouth about it on top of finding out about it, I mean, I'm pretty sure that can call on some very severe actions against you.
So if you ever found yourself in a position where you thought some agency or just, yeah, an agency, an alphabet agency may have targeted you for some reason or maybe not you specifically, but somebody in your household, what steps would you take?
Would you try and prevent it?
Would you try and get out in front of it?
Or, you know, what would you do about that?
No, I never thought about that because I always thought I was kind of in the backdrop.
We are until we're not.
I mean, you got a kid, right?
What if your kid one day decides, you know, when they're older, they're going to run for office and try to change things, try to promote more free software or whatever the case is.
And, you know, the big power players in the software world decide that's bad for business.
So they fund the opposite campaign, but your kid is making a lot of headway.
Like, they're, you know, drawing too much attention.
And well, one way of trying to stop somebody who's gaining a lot of ground in politics is to release some sort of unflattering information about their background.
In order to do that, you got to gain access to, you know, their private information.
So even though your kid is not a criminal or a, quote, bad guy, because they're in politics and going against the people with a lot of money, they can be seen as the bad guy, at least in the political sense.
I can see that happening.
It's happening a lot now.
Yeah, that's what I'm telling you.
A lot of you can become the bad guy.
You want to make a change in the world.
You want to bring software freedom to the masses and inform people about their privacy and have them understand that.
Why give away all that data for free and, on top of which, have this, this, uh, this very restrictive environment in which they just want to hold you to data mine your life?
Why not just choose freedom?
The problem is when the companies find out about that kind of thing.
If they can't just drown you out with more promotional ads in their own business, well, they'll, they'll find another way to get you out of the game.
I guess so.
I think it was, um, was it Germany before when they wanted to switch away from Microsoft Office to using a more freedom platform?
I think it was LibreOffice or one of the other open office platforms.
I think they were able to switch for a little while, but then Microsoft, you know, installed some new money in their pockets.
And then, oh, yeah, I heard about that.
Yeah, you see what I mean?
I'm imagining if there was a guy there that really, really pushed for it.
Said, no, no, no, we're not going to take the money.
We're going to stand up and we're going to choose freedom over any check you can write.
What do you think would happen to somebody like that?
No.
I'm pretty sure some nasty divorce records or, or some unflattering health condition would be surfaced or, or some private information that was believed to be protected behind encryption would somehow come to light and that person would have to, you know, fall back and keep quiet in order to make it go away.
Oh, yeah, of course.
Yeah, of course.
Sorry, you have it.
You just have a lot better things to say about this than I do.
But it is making a lot of sense, though.
I'm the guy that told you to make sure you keep that tinfoil around.
Yeah, I guess I do, I need some tinfoil now.
I mean, I think we gave everybody a lot to think about, though, right?
Yeah.
And I think Lurking Prion would have a few comments to say about this one, too.
He's a security guy.
And, you know, I like his approaches to things.
I think he makes a lot of sense in his, in his episodes.
One of the things that he brought up earlier: I left a comment on one of his shows and it was about telling people that security doesn't exist.
He's 100% right.
Security doesn't exist.
And in the real world, or let's say the enterprise world, they just call it, was it called a risk analysis or a threat?
A threat, threat factors?
Yeah, threat factors.
So they understand that this has never gone away.
We just have to buy more time, constantly delaying the attack, basically.
But it never actually stops.
The only problem is they're able to do that because of the amount of money these corporations bring in.
But if you or I were to like, if we were to have somebody targeting us, like spearphishing us or whatever the case is, focusing on us alone, threatening to get our data, there's virtually no chance in hell we could possibly even delay that for more than, I'd say, a year or two.
You'll eventually fall in some area because I mean, think about it.
If you want to secure your own home network to the max, I mean, air-gapped computers and everything, just to kind of make sure that your information is as secure as it could possibly be.
You couldn't be married, first of all, because I'm pretty sure whatever system you set up, your spousal approval factor will go, it will fall right through the floor.
Oh, yeah, that's the hard thing to get through is the approval.
Yeah.
And the same thing with the kids and everybody else.
I mean, you try to tell your family, your loved ones, that hey, this is the most secure we could possibly be at least for the next month.
And then I'm going to have to employ something different because, you know, we're under attack.
They're just not going to buy it. They're not going to follow it.
And they'll eventually find a way around it.
And that's where the problem, that's where you're going to get caught.
And you can't even get your friends off Facebook or anything like that.
Let alone some of your family members.
Exactly.
And I mean, stop and think about this.
We hear about all these wonderful companies like Proton, Tutanota and all these others that have these encrypted email services.
What's the benefit of using them if the person you're emailing is on Google?
There's none.
Exactly.
And they hold like, I think the largest platform in the email world.
Them or any of the other ones that are just as bad, Yahoo, and all the other ones.
I mean, they're all peeking at your data anyway.
So unless somebody's self-hosting their email, which is less and less likely these days, or on the same platform of Proton, Tutanota and the rest of them, well, I mean, there's really no point in using it.
No.
One other thing I want to bring up to you.
We have these secure networks like VPNs and things like that.
And we also have the onion network.
But we're also hearing about, well, from our perspective, the security focused privacy group, in our minds the bad guys, other people who are going out trying to buy as many of these onion nodes so that way they can intercept the traffic that's flowing through them and try to decode and trace that traffic.
What do you think about security and how it can be defeated as far as the VPNs and onion networks?
I never thought about defeating the VPN.
What do you think about the email of Proton Mail?
I like Proton as a company.
I like what they're doing.
Same thing with Tutanota.
All of them, I think, what they're doing is valuable for journalists and others who need to communicate and they don't know how to set up all these different measures to communicate securely.
You know, like setting up a WireGuard or anything like that.
Being able to just use something that's familiar, like email with Proton provides, is super valuable.
You can just go sign up, get an account and communicate and inform the person you want to communicate with to also use Proton.
And it's just a simple way to get signed up and begin using security nice and easily.
And it's familiar to the masses.
And is that good enough security?
No, it's not good enough security because eventually, say, for instance, as it gains adoption, as it becomes bigger and it grows, it will also gain a larger attack surface.
And the scariest attacker is the government.
You know, a bunch of script kiddies aren't who they're really worried about.
They have enough funds and things to hold them off.
But when it comes to state level actors, that's the real threat.
I mean, what attack is scarier than a guy walking up with a subpoena and telling you, you have to do what we tell you.
You have to collect logs now.
You have to trace that user.
Wow.
Yeah, and I don't have enough money behind me.
I don't have much at all.
I'll be able to fix that.
Exactly.
So right now, where they are right now, I think it's great for, you know, the normies, if they learn about how to become secure and they learn about Proton.
I think it's valuable for them because they don't have to do a lot of reading through, you know, blogs and other documentation and self-host and all of that.
And just sign up like they've always done, get a secure channel and begin communicating.
And I also like their VPN, their VPN is really good as well.
And it's easy to use.
It's on all the platforms.
So what they've done is good.
But I just imagine that especially after their past incident with that last guy they had to give up, that just shows you even though it's pretty secure against the script kiddies who go after the low-hanging fruit, it's still not enough to stop the state-level actors.
Even if you pay for it and you're not the product, because they do have a paid tier for Proton.
Yeah. Well, that's the thing.
Even though it's paid, you're still in a country that can change its laws at any moment.
Well, what was the thing that they used?
I think that they were saying that their VPN service was not a form of communication or something like that.
So under the laws there, I'm probably getting them mixed up with something else.
But if I remember correctly, they weren't able to trace through the VPN service because their VPN is technically not a means of communicating or something like that.
It's not like a telephone where it's meant for communicating to someone else.
It's just a tunneling service or something like that.
So the VPN part was safe.
However, the government can simply change the rules at any moment.
So sure, today the law says you're safe with this product that you have and we cannot legally force you to give us the information today.
But we can simply convince everybody to be afraid because, ah, look, bad guy, you know, mean bad guy over there is going to do bad things unless we gain access to that information.
Or convince them it's for the children.
Yeah, that's definitely an easy one.
That's the one that's used a lot.
Yeah, because I mean, it's easy to flip the table on you with that, right?
You can easily become the bad guy if you're not for the children.
No.
Do you think you could find the article and post it in the show notes?
That'd be interesting to see.
Yeah, I'm going to go search it.
I remember hearing about it and I went and looked for it.
I'm sure it was something they had to do with the VPN.
But I can't remember if it was, um, if it was Proton's VPN, or I remember there was a Swiss based company that was going through this.
And that's why I think it, I think it was Proton, but I'll dig it up.
And I can't say for positive it was Proton or not, but it was outside the United States.
Yeah, it was definitely outside of the United States.
Because here in the US, I think that honestly, with most companies, they really just have to threaten the audit.
You know, they don't have to even change the laws.
They're just threatening to audit the hell out of you.
And most companies are fooled from that alone.
Like you heard about that thing that happened when Facebook handed over the private communications of the young, the young teen girl and her mother.
They were seeking medical treatment.
No, I missed that one.
Yeah, she, um, it was on Mastodon for a while.
The young girl was seeking reproductive health care.
And she went and she found somebody that could provide this service for her.
It was an abortion.
And when they found out it was a ill, no, it wasn't ill.
I can search my Mastodon.
Yeah, what I heard is ill.
No, yeah.
It was on.
People were saying screw Facebook for this and that Facebook could have fought harder to protect the young girl's privacy.
But the problem is, one, Facebook is not in the game of privacy.
They don't, I don't even think they even try to pretend like they're the most private platform or anything.
They data mine the hell out of you.
You know, they invade more privacy than anything.
And two, the young girl and her mother seeking the medical services, they wanted to do the right thing.
They wanted to use privacy and be secure in their communications.
They just didn't know which platform to use.
So if they had access to something like Proton, that would have been a lot safer for them to use.
Yeah, so we found the article on Vice and I'll make sure to link it in the show notes, of the prosecutor who got information from Facebook to prosecute a teen for getting medical treatment.
Now, regardless of whether or not you like Facebook because of their business practices or whatever.
In this particular sense, I don't fault Facebook because they're not a privacy centric company and who's going to really stand up to the government?
I mean, sure, we can say they got a lot of money and they can afford to fight.
But for one user, would you really bring down the wrath of the government on you when you're not even that type of company to begin with?
I wouldn't if I were a company.
Well, that's why most of us aren't really those type of companies.
I think in order for you to get to the size of a Leviathan like Facebook, you really got to step on a lot of people, just really just be a shady individual willing to do anything.
Yeah, you know, people like Zuckerberg, I've heard stories about how he double crossed a lot of the people who helped him found Facebook.
I still haven't seen that social media movie.
Have you seen anything about that?
No, part of the reason I didn't bother to watch it is because I'm pretty disgusted with it now and I do my best to stay away from it.
I have a Facebook account and I log on like once a year to look and see what the family's doing because a lot of my family members are still there.
But here's the weird thing.
Ever since I started using Linux and hanging out with you people, I became this weirdo to all of my friends and family where it's like try to remind them of, you know, just some simple things.
You know, remember when Dave did that show about the EXIF data?
I was trying to tell a family member of mine like, hey, you know, I understand you guys want to show all these lovely photos.
That's cool, but maybe you should probably run that through an app or something real quick, clean out some of that location data, and just bringing it up.
It didn't open their eyes in a sense of, oh, you're right.
We should try and be more secure.
It became more of, what sort of person would know that anyway?
You know, like, like, who are you now that you even knew that, that kind of thing, right?
You know, it's like, we don't even know you anymore.
And it's like, see, this is what I get for opening my mouth.
I don't know.
I feel like the outsider too, when it comes up.
I don't want to mention a word hacker to certain family members.
It's like, what?
Why would you want to have anything to do with hackers?
Yeah.
And a lot of it's what the media has done to the term, right?
Because if they actually talked about what a hacker really was, then it wouldn't be that interesting.
So you got to make the image of hacker be the black hat, you know, wearing a hoodie with a mask on, breaking into the government or the banks or whatever and stealing tons of money and all this other crap.
Basically, Mr. Robot.
I didn't watch a lot of that, but what I did, like, what I saw.
I watched, I think, two seasons of it.
It started going into it.
Actually, I don't know how many seasons I watched.
Now I think about it.
The last episode I watched disgusted me and I stopped.
They went to a, what they call a hacker party or something like that or a hacker, the hacker Olympics, yeah, that's what it was.
And the hacker Olympics was basically, you know, like 100 people in like a warehouse type building.
And they were apparently all hacking into stuff at the same time from the same location.
And it was just, and of course they got all this dubstep in the background, with strobe lights and people yelling and screaming, going nuts while looking at monitors all over the place.
And it's like, wait a minute.
I understand it's done for entertainment purposes, but there is only so much I can take personally.
Maybe I'll watch just a couple of seasons.
Did you get up to that part that I just described because I hope I didn't spoil it for you if you were going to continue?
No, I just watched the first five episodes or so.
Yeah, you ain't missing much, because after that they hacked into Iron Mountain or whatever that was.
I didn't get to that part.
That's in the beginning.
That's in the beginning, hacked in Iron Mountain.
Or something like that.
I'm sorry.
They were using Raspberry Pis to control the heating system.
Yeah, I remember that part.
And even that, I mean, stop and think about it now.
This guy just sort of reached into a wall and there is apparently like just raw wire hanging there.
They didn't shut off any electricity or anything.
At least not that I can remember.
And he's just like twisting wires to GPIO pins on a Raspberry Pi.
And it's like, yeah, there's just going to, you know, it's stuff like that.
It just kind of makes me go a little bit nuts.
So I can't watch it.
Maybe I'll skip it then.
Yeah, and you know, don't get me wrong.
There are some times I can kind of turn the other way.
But with technology, I'm a little too passionate about it.
I can't, I can't just watch that level of BS.
I want you to imagine somebody going like, yeah, I'm going to hack into the government.
And he just takes a Raspberry Pi, some wire he just snatched out of the wall and a piece of, you know, duct tape, and just stuck the wire to the top of the Pi somewhere.
And they were like, okay, we're in.
You know what I mean?
It's just like, you know, come on, man.
When it comes to the hacker type stuff.
What about Criminal Minds?
I liked that setup they had.
I don't, I don't think, yeah, no, I don't think I watched much of that at all.
I should check it out.
It's a good show and the guy that plays the 20-something year old is a really smart guy on there.
I like him.
The part, the thing that always gets me with these shows is that they just touch the keyboard for like 10 seconds, you know, okay, I got his entire life right here.
Now, let me do a couple more taps on the keyboard.
Several windows open up.
And here's like his most recent photo along with like his date of birth, social security number,
and everything about this guy.
I don't think you hacked that.
I think you just used your badge and got into the database.
That's not how it works, right?
Yeah, right.
And again, with other things, I can look the other way, you know, enjoy it for what it is, but with technology, I can't, I just can't.
At least on Criminal Minds, it was a little more realistic than some other, sorry, my cat's getting me.
Wondering why you're wearing that tinfoil hat.
Yeah, he's just, he just gets in the mood sometimes.
So anything else you want to introduce on the topic of security and tinfoil hat goodness?
I mean, whether VPNs, whether alternative emails, I wonder if there are more alternative emails besides Proton that we didn't bring up.
There's Tutanota, and what, you know, I do like the idea of self-hosting email, it's just, I've heard on other podcasts, they're talking about how most self-hosters usually end up on a block list.
And because the block list is, I guess, centralized or whatever, and most companies pull from that repository, they don't ever change the block list.
Once you end up on it, you're just there forever now.
So self-hosting is slowly dying for email.
Yeah, I kind of heard that too.
And it just sounds like it's more pain than it's worth.
I'd rather pay a few dollars to have somebody else do it, like Proton.
Yeah, I agree, especially for email.
So let me ask you this then.
What about the phone?
To me, the phone is our biggest attack surface as individuals.
It's how we communicate with the open world.
And we basically cannot leave the house without these devices these days.
So having a device that you virtually have no control over, especially if you have something like an iPhone, you don't even own the hardware.
You got this device that you have virtually no control over.
You got to have it with you all the time.
Yet the way that it functions is still back from like when cell phones were first introduced, with SMS and all that crap from back in the day.
Everybody's able to spoof, you know, phone numbers, perform these socially engineered attacks on individuals, yet the system itself has not evolved to combat any of these.
Do you have any ideas on what can be done to help with individuals getting more security on those platforms?
I mean, I'd start using the Fairphone, which is priced way too much for me.
You think the Fairphone would help with a lot of the socially engineered attacks?
I don't even remember that.
Meaning you have a phone number and that phone number is sort of like your IP address in the phone world.
So people who want to contact you and scam you or whatever can easily pretend to be, you know, from your bank or from any of the other places that you deal with.
And they can just clone those numbers or whatever and contact you, or spoof.
That's where I would hang up and actually call the bank and ask if they called me.
Yeah, see, that's the thing I'm talking about right there.
See, you're an informed individual, you're skeptical, and you're less likely to fall for it.
So you're not in the low-hanging fruit category.
However, these types of attacks bring in millions of dollars for these scammers because there are too many people out there that just aren't aware of the attacks to begin with.
Yet the system is not built in a way to protect them.
If they're not in my contact list, I just block them and get back to them later because I have work to do.
Yeah, for you, you know to do that.
But think about all the millions out there that don't know.
When they see, like say for instance, your bank's phone number is like 55555555 or whatever, right?
The scammer spoofs that number and contacts you.
So on your caller ID, it shows the correct number from the bank.
But it's not actual bank personnel.
Oh, right, so I've never had that done to me.
Yeah, they do it all the time around here at least.
You get spoof calls from someone pretending to be from an agency.
But here's the thing.
If you don't pick up the phone and it goes to voicemail, you can't call them back on that number because that is the actual number for the agency.
So what they tell you to do in the voicemail is, don't call the number that they called you from.
Call this alternative number if you want to resolve the issue.
And then I just ignore it after that.
See, that's where I'm not the normal person.
Exactly.
You're the skeptical person.
You're never going to just do it.
You're going to think first.
And that's where you defeat their systems.
You're aware that there are these malicious individuals out there and you're not going to fall for it.
However, there are plenty that do fall for it.
And for those who just answer the phone on the first ring or whatever, I mean, it is the actual number that's calling them.
I mean, it's their bank calling them and the person is saying they're from the bank.
The person's telling them that, look, there's an issue with your account, et cetera, et cetera.
I'm going to send you a code for you to verify that it's you.
I need you to repeat that code back to me.
And when they do that, they just hand over the TOTP code to gain access to their account.
Oh, okay.
So this phone system, it's too outdated.
My idea is rather than using phone numbers to begin with, that can be easily spoof.
Say, for instance, like on element, nobody can actually come into the element chat pretending to be you because they can't fake your username.
Now part of it, part of the issue is if you change your username, like I've seen several of the people doing what they changed their username, like two or three times a day or something crazy.
Then that's another problem.
But outside of that, the newer technology that's built into the different chat applications, they don't allow you to simply pretend to be someone else, except for like Facebook as well.
Because Ahuka brought up account cloning for Facebook where the accounts have an actual name.
But the alias is what most people see so that alias can be designed to look like anything.
So my family members have seen that and they just say they've been hacked.
Yeah, exactly.
So with systems like that in place, it's too outdated.
That's part of the reason why I don't even do email on the phone. It's too insecure.
The phone isn't designed for security; it's designed for convenience.
So what they do is they don't even allow you to view the addresses a lot of the time.
Only the alias shows up and the alias can be manipulated to look like anything.
You don't even need skill to change the alias.
You can change your alias to Bank of America and just email somebody.
I never thought about that way because I have email on my phone.
Can I email?
Yeah, I never do email on the phone.
The phone is just too insecure for that level of communication.
Email, even though it is technically a little outdated, it's still very valuable.
Means of communicating and before authenticator apps and things like that came along.
That's where I had a lot of my security codes come through the email because you can lock it down.
And I check my email only on PC.
I use security focused fonts like the Ubuntu font that has no indistinguishable characters.
So with all the characters, you can't do that typosquatting.
What's that? What's typosquatting?
Most phones, they use a font where they have a lot of characters that are indistinguishable.
Like say a lowercase L looks just like a capital I, which also looks just like a one.
So the character values are different, but the character model looks exactly the same.
You know, say if you were calling from some organization that started with an L,
they would just replace that L with a capital I because the model looks exactly the same.
And most people look at it and think it's from that legitimate source,
but it's typosquatting.
If you were using a security focused font, it will reveal that it's actually not an L.
It's an I or it's a one or something.
The same thing happened with a very popular Python package not too long ago.
Somebody created a package that was similarly named,
but they replaced the L with a one and it actually got a lot of people.
I remember back during that time as well, they were talking about the benefits of going through distros for your packages
versus using PPAs and things of that nature as well because your distro maintainers,
they'll catch it and then they can revert packages or remove the packages from the repository,
you know, the malicious ones.
Whereas if you just got it from a PPA or wherever else, then I mean,
you may not even be alerted that there's an issue.
You'd still be running the malicious package.
I haven't used Ubuntu in a while, so I don't... I do remember PPAs a little bit.
I don't remember the malicious attacks over that.
Yeah, I'm pretty sure they happen a lot.
It's just that most of them get caught, but from time to time,
I think Rust even had one not too long ago, like somebody attempted to do a typosquatting attack
on one of those Rust core libraries or whatever, and they caught it.
But it raised a lot of questions about, you know, how are these libraries being maintained
that somebody was able to do that blah, blah, blah.
So the phone is comfortable as it is to have this device run around with it in your pocket and communicate.
I would limit the amount of communications I have on it.
So things like Element and stuff like that.
Fine, because I don't do any banking on Element or anything, you know, private like that.
But my actual private life that I deal with, you know, with email or whatever,
I would never do that on my phone.
Oh, well, to think about.
Yeah, convenience is nice, but you got to give up some of that for security and the phone.
I don't, I don't think that it's all that they don't want you to have security.
I think some of it is, it's just a super small screen.
If they wanted to pack all of those nice security features that Thunderbird and everything else would provide for you,
you would definitely need to be walking around with a 24 inch monitor.
I think there is something else, but I...
Oh, the microphone... on the microphones on the...
Do you think the microphones are always on these Android and Apple phones?
Yeah, I think they even verified that. It was Google that allows you to download the data from that,
because the way the dictation works is it has to always be on for you to use it.
So for you to be able to go, hey, digital lady or hey, digital person call so-and-so,
or what is this?
For you to use dictation, the mic has to always be listening, and a lot of that data is recorded.
Well, I have that turned off.
Somebody to be funny, they say, oh, just so they don't set it off, they say, okay, smugle.
And the same thing is true for all those other devices in the home too,
like the Alexa devices and things of that nature.
All of them, they're always on.
The Amazon Fire TV and Fire Stick, well, not the stick itself,
the stick could have a microphone in it, but if you got the Fire TV box that comes with the remote,
the remote has a microphone in it, and it's always listening.
Today, me and my wife were talking about some show.
I can't remember what it is now, but I remember the feeling of when I decided to turn on the,
switch the source on the TV to the Amazon Fire TV box.
That show was in the top listing, and I had never actually searched it on that device.
My wife had brought it up, and that's all we were talking about it,
but I had never actually searched it myself.
So is that work on the stick too?
If it's got a microphone in it, it probably does,
because the Fire TV that we have, it comes with that remote that has the microphone in it,
and the same thing, but if you have Comcast, Comcast is now giving everybody these Xfinity boxes
and the remote for the Xfinity box has a microphone in it, and it's always on.
So if you want to be able to use that fancy feature of just talking and having your device do,
the only way it's capable of doing that is because it will always record your surroundings.
It'll always be listening, and the recordings from what the companies have said
was to train the models or whatever to make it more refined,
but regardless, if you're sitting in your home holding,
imagine if you're sitting in your home holding very private talks about finances
and things of that nature, and you're giving out some pretty serious numbers
about account numbers and things of that nature.
Who's to say any of those individuals that Google or wherever you have this device from
isn't just writing that down?
They don't have to use it themselves,
to sell it to somebody they would.
Yeah, I got to wonder, if my mic, if you have to press the microphone on mine before it does anything,
I think I do have, I'm going to take a look at it, hold on.
So if I remember right, it looks like you have to push down on the microphone button
for this one particular one to listen.
Best practice, I treat it like it's always on,
just like with the laptop, cams, and things of that nature.
I treat them like they're always on.
Since we're using the systems we are, I just turn it off in the hardware,
and I test it with Cheese, the little webcam application,
and it doesn't show anything, so I assume it's off.
Yeah, if it's the mic on your PC or something, that would be different.
Because especially using Linux, I'm pretty sure you would definitely learn
if your device was on and you weren't aware of it.
So with the devices, we don't control that firmware, that software that's running on there,
like phones and things of that nature.
I treat them like they're always on.
Oh, that's right.
Yeah, it's kind of funny.
I get bothered by when I go to my parents,
and they tell me to put the phone in the other room.
And I can always give them grief over that.
You give them grief for telling you to be more secure?
Yeah, kind of, yeah.
I guess I didn't think about the phone listening too much.
That's the way it is.
And think about it.
You heard about those stories where it was on another podcast
where the guy was talking with his doctor about his kid
and sent some images to the doctor of the kid.
And the images got flagged as, you know, the naughty stuff
and the guy lost his Google account and everything over it.
No, I think I missed that one.
Yeah, that was on a few different podcasts.
If you listen to Jupiter Broadcasting or any of the others,
the Linux and open source focused podcasts.
They were talking about it over the last,
so I say two weeks or something like that,
it came up like three or four times.
So the guy, his kid had a problem.
And, you know, they do the video chatting or whatever.
And the doctor asked to see the affected area.
The guy took the photos and everything and sent them over.
And Google flagged those photos as being the naughty stuff.
They alerted the police.
They sent the police.
The guy's entire history.
Everything he ever did with that account.
Every place he's ever been with his Google device or whatever.
So they got this guy's entire history.
The police came and talked to him about it.
He was able to prove that those photos were only taken
for medical purposes and his doctor was able to verify it.
So he was not charged by the police.
However, Google refused to restore the guy's account.
So all of his photos and everything that's in Google photos,
all of his family photos and everything he got locked out of.
That's a good reason to use Takeout once in a while.
And not the food.
Yeah, I use Nextcloud for all of my backup needs.
Same thing with even sending documents.
When I'm going to send documents back and forth to my job,
I upload them to Nextcloud.
And then I send the link from Nextcloud.
Give it a 24 hour expiration with the password.
And then that way, you know, once they get the images and they let me know they got them.
Either I can disable the link right then and there.
Or just wait to 24 hours and let it disable itself.
Another alternative on a different server would be using Mega.
It used to be called Megaupload, now it's Mega.nz.
What do you think about that?
I think you told me about them once before I had not tried them yet.
Can you self-host them?
I don't believe so.
All right. Well, no.
It's got to be self-hostable.
I would say no.
Yeah, because with self-hosting, I mean, I've got the ability to encrypt and lock
everything down.
I feel more secure with self-hosting.
I can do my backups however I want.
And I have full control.
Now it does mean I also have the headache when things go wrong.
But I don't have to worry about somebody else going,
we think you did something bad so you no longer have access to any of your stuff.
You mean self-hosting as in on your own hardware at home?
Correct.
So now you're using a virtual cloud provider?
No, I am using a virtual cloud provider as well, but not for the personal stuff.
I'm using them just to test.
Because before self-hosting at home, I didn't know how difficult it would be.
I think I talked about it in a previous show.
So I set it up on a node and just let it run for a while and start going through the logs.
And as I went through the logs, seeing people attack the hell out of my server,
it gave me an idea on, you know, if I did this on my home network, this is the risk.
This is what would happen to my device on my network.
Learning how to secure the one in the node is practice for doing it on my network.
Do you have any notes on that, or did you really do that?
Did I have notes on the show?
On the security and how to secure it down?
Oh no, I don't have any notes written up on it.
Aside from the scripts and everything that I've written for my own personal needs.
But no, I didn't take any notes I need to though, because I was supposed to do a show on it.
But it's tough going through the logs alone.
I need time to, you know, focus and go through all of that stuff.
I went with fail2ban for a little while and I set up the tightest fail2ban
I could possibly set up, where basically one failed login attempt gets you banned.
Because with the server, I'm the only one that should ever be logging into the server, especially through SSH.
So if I've disabled root login, I always do that every time I do no pie.
Yeah, disabled, disabled root login, set up the key authorization, SSH key authorization.
With the, with the Linode one though, I did it through the, what do you call it, the Lish or whatever.
It's that little online web terminal that they give you.
I did it through that because I wanted to test it just in case I locked myself out of the SSH session on my system.
I would still be logged in as root through the Linode terminal and then I can unban myself.
Because when you're doing it from a, um, from a residential IP and you don't have a static IP, you know,
if my IP were to change and then I can't SSH back into my, into my instance or whatever,
which I don't have to worry about that on my home network because I have physical access to the box.
I can just, you know, plug in the HDMI cable and keyboard mouse.
I have a, um, with this keyboard right here.
The Logitech, I think it's the K10 keyboard.
It's the one that has, no, K400 Plus.
It's the keyboard that has the little mouse trackpad on the side of it.
And I, I plugged that one in.
It's a wireless keyboard, plugged the dongle into the box.
And that way I got KVM, you know, if anything weird is happening, I can just hop in right there without even SSH and run through the logs, take a look.
And I've been setting up grep commands and things, just building little scripts to help me quickly, you know,
filter through the logs, looking for anybody besides myself running sudo,
just learning a lot about what the system is doing when it's idle, just doing regular stuff.
Was it called PAM or something like that, those PAM processes?
Something access module.
Yeah, so just, you know, finding out about all that stuff and making sure that nobody else has gotten in,
at least not through SSH and also playing with another reason Linode is good to test this out on.
I was running Ubuntu on my Linode instance, running Ubuntu 20.04 instead of the latest because it still runs iptables.
And I have a book for iptables.
So I was playing around with rather than using fail2ban or the other systems that are built on iptables,
just using the built-in kernel routing technology itself.
So just using iptables to filter out and deny everybody.
Oh, that's another thing in the sshd config.
I put allow only one login, which is myself.
So that also helps to limit anybody else being able to log in.
It's, oh crap, I had to look at it now and I had to SSH back into it to look in it.
I think it's AllowUsers, that's the command.
One of them is AllowUsers and the other one is DenyUsers.
So you can allow specific users to be able to log in using SSH.
And you can deny specific users.
You can drop that in the chat here or in Element because I'd like to add that.
One second, I'm going to go ahead and grab that.
Hopefully, I should probably be putting this in a text pad as well so that way I can have it for the show now.
I open that in Firefox so I could look later.
It's getting late here.
Yeah, I copy the specific session there as well, put that in there.
So that's the AllowUsers command and the description for it.
And the other one is DenyUsers.
And you can drop that right in there and you're a config.
I need to actually clean my config up or privatize it because I even,
I put a lot of different things in there and I don't know exactly what I want to be public.
So I'm going to clean it up and make it look, make it less, less private information.
And then I'll try to dump it into the show notes of this episode.
That's what I keep thinking about doing to another episode.
I keep putting off.
I actually did do a little cleanup of it.
I'm trying to do something on i3 and then I just keep never finding the time.
Yeah, I was using awesome window manager for a while,
but I had to keep dividing my time between configuring that
and all the other stuff I'm trying to learn at the same time.
And when I only have a limited amount of time to learn anything,
it's kind of tough.
So I just stuck with the regular regular desktop environment.
But I do like tiling window managers.
I like the tabs you that awesome gives.
And I just bounced through the tabs using the HTML.
And it does improve the workflow, especially for coding.
But for other things,
I didn't notice any sort of real improvement for anything graphical.
Like working in Inkscape or anything like that.
I didn't notice anything different there.
But writing, coding, doing kind of documentation.
That showed a serious improvement.
Because you really never have to take your hands off the keyboard.
You can bounce between multiple documents quick, especially when you got them layered up.
Right.
I never used it for coding,
but I like that I can open up a terminal quickly and do something
and then close it right back again.
Yet normally with any desktop environment I'm using right now.
I'm using Pop!_OS.
I was thinking about going back to Linux Mint,
but I'm going to stick with Pop for a while.
I learned the keyboard shortcuts almost immediately
because just being able to stick with just the keyboard
as far as long as possible,
especially when you're coding.
Bouncing between different terminals
and the tabs and the terminals to be able to,
you know, I had the man pages up on one
and then bouncing in between kind of going as I'm dealing with scripts
and things of that nature so much easier.
And then the tiling window manager is even easier
because I mean, you can have multiple terminals opened up
and flop between them much quicker
without the visual on the desktop environment.
You can switch between them,
but there's going to be a lot more of that visual confirmation
where like if I use Alt-Tab,
it'll pull up that little thing on the screen
and then you got a tab in between the different windows
to get to the one you want.
Windows almost has something like that.
I can Super+1, 2, 3 between windows.
I didn't think that they had,
I think that with windows, I thought that,
but then again, I never actually tried with windows.
I thought that the last time I tried that,
it opened up a new thing.
So like I think I did Super+1
and it opened up like a new Firefox instance or something like that
whatever was down there on the taskbar.
Yeah, it has it in order,
whatever is first, it opens up.
Yeah, I was trying to bounce between
the different applications that I have opened,
like you could on Linux with just using the keyboard shortcuts.
And again, you have to go through more of that visual verification
that you're moving to the correct window
versus the tiling window manager setup.
And I go back to GNOME
and I start trying to use Super+1 or Super+2
and it starts bringing up other apps.
Yeah, that is the GUIs are like that.
I mean, I do like the GUIs because of how convenient they are
and GUIs also give you the exploration feature.
So if you didn't know what all features and applications have,
a lot of them are visible right up there in the toolbar.
You can click on the menu bar, whatever you call it,
where you can click on the menu option
and it will drop down revealing the options visually to you
versus if you were in the terminal dealing with commands
and things of that nature.
Unless you jumped into the man pages
or read the documentation ahead of time,
a lot of that stuff really isn't there.
Is anything with a tiling window manager?
Unless you read the documentation
to learn how to use it first,
you're really not just going to be clicking around
in the random tiling
window manager trying to get to use it.
I checked out KDE and you're right,
it was easy to find a few,
like I started typing in,
I can't think, I'm getting tired.
Um, ham radio.
It starts stuff for ham radio.
I find a few programs.
That's another thing I want to bring up to you.
I see a lot of you guys talk about ham radio
on going out and getting your licenses and everything
and I think you brought up software-defined radio
a couple of times over the past couple of days.
Yeah, but I would say I'm a lurker
or just trying to see what's out there
and what kind of channels I could bring in.
What would you think?
Go ahead and make sure you got that tinfoil hat on
again for this right here now.
But what would you think if I told you
the old way of using ham radio
is going to become the new security?
I might agree.
Because I really do believe it
in order to communicate securely
with others that you want to talk with these days.
Everything you do on the phone
is either recorded
or monitored in some way.
It's all, especially with the whole Web3 technology coming out.
One of the things that I don't point out real quick,
in Minecraft,
they're planning on,
or not planning on,
I think they've already added it.
They've basically built in blockchain
into the messaging system
so that every single message you send
is basically in this blockchain.
So they can always know
whatever you say on any server.
And only the server administrator
has the ability to disable that feature.
But if they don't disable it,
it is automatically enabled.
So you can be banned at any time
for something you said at any moment.
Just because.
And there's no way to deny it or anything
because it's all in the blockchain.
So imagine that technology coming
to your telephone,
a text message you sent.
You know, say it's 2022 right now.
You sent something today.
Six, seven years ago,
when you got a different phone
and everything,
somebody can still pull up that message
that you sent way back here in 2022
and said,
you're a problem because of that message.
Because it's in the chain,
an employer,
and then anybody.
X.
I don't know what I was gonna say.
That sounds like it's trouble.
Now imagine them trying to do
that with ham radio.
You can't.
You can record it if you have an SDR
and the right antenna,
but it would be kind of hard to go back in the logs.
Yeah, it'd be very hard.
And I'm pretty sure they're not
gonna waste the time right now
because not most of the people
that are going to go for that level
of technology and security
is just not enough of them
to monitor it right now.
There's the channels I did catch
and I repeat,
there is only a handful of people,
maybe six people on that.
I've been actually looking at a different technology.
I'm trying to study it
before I actually start making purchases.
But the problem is, again,
the limited time.
But it's called LoRa.
Have you heard of it?
Yeah, it's a couple miles
for radios.
I've been looking into that.
Some of the boards that they have with it
and the ability to connect a battery to it
and basically set up your own nodes,
repeat your nodes around,
and try to communicate that way.
I'm not exactly sure
how it will work with newer technology,
like with a phone trying to communicate
over what sort of records the phone
would try to still maintain
over that frequency or that technology.
So before I purchase anything,
because it's not crazy expensive
to get involved
and you don't need licenses
or anything to actually run this.
So it's easy to get into.
I don't know if it's worth it yet.
I need to dig into it more.
I don't know enough.
Yeah, I'm doing some research on it.
From what I see, you can send text messages
and things on it.
Now, the problem is I wouldn't...
If I was going to go that far,
I would not use an iPhone
or a standard Android phone or anything like that.
It would have to be something
like a PinePhone
or something that I know is secure
if I was going to do that.
And then the other problem is
would I be communicating with?
And that's the thing there.
Not that enough people would be.
Yeah.
But I'm thinking as the technology evolves,
like once I learn a little bit more about it
and understand
if more people got involved
and build on to it,
it could become viable,
especially if we can set up our own antennas
like repeat nodes,
almost like in a Tor network,
how you can host your own repeater or whatever,
your own onion node or whatever,
if you can repeat other signals.
I think it might be worth it,
but again,
a lot of research has to be done on it.
And you have to find out
what your audience,
so to speak, was...
I'm in the union down here,
dealing with a lot of the people in our union.
They're a bit up there in age,
so they're not really familiar with technology.
So when you try to introduce them to these
more secure platforms,
it's like trying to squeeze water out of a rock.
I understand that.
Well, ladies and gentlemen,
it's been fun having you all here.
I'm your host,
some guy on the internet here with...
Archer 72.
And now's the time for you to go ahead and fold up
that tinfoil hat
and put it away for the next episode.
See you later.
See you.
You have been listening to Hacker Public Radio
at HackerPublicRadio.org.
Today's show was contributed
by an HPR listener like yourself.
If you ever thought of recording a podcast,
then click on our contribute link
to find out how easy it really is.
Hosting for HPR has been kindly provided by
AnHonestHost.com,
the Internet Archive, and rsync.net.
Unless otherwise stated,
today's show is released
under Creative Commons,
Attribution 4.0 International License.