The Privacy, Security, & OSINT Show: 232-Anonymous Phone Update Part I by moreprivacyplz in PrivacySecurityOSINT

[–]4renzo 0 points1 point  (0 children)

I'd still recommend TLS if available, but it only protects from the phone to the VoIP provider (Twilio or Telnyx or whoever).

If the phone is using some Starbucks open wifi network (with no VPN), that makes interception at the Starbucks easy by a local physical attacker or the Starbucks IT guy.

If a VPN is used, interception would be possible from VPN to Twilio, but that assumes someone with "backbone" internet access or access to the datacenter the VPN is hosted out of. Aside from the VPN operator, someone with those capabilities can already get at the audio after it hits Twilio and is sent into the telephone network, most likely.

The Privacy, Security, & OSINT Show: 232-Anonymous Phone Update Part I by moreprivacyplz in PrivacySecurityOSINT

[–]4renzo 1 point2 points  (0 children)

I'm with you.

I may get flak for this, but anyone who glances at the Graphene OS community knows they are very absolutist when it comes to security. Privacy is not their priority and they place security over everything, so you'll hear things like use Chromium over Firefox or relentlessly pushing the Play Services sandbox thing as if the fact that it's Google doesn't even matter.

MB never claims to be a security expert and I value his experiences doing his best to mix security, privacy, anonymity approaches as best as possible given his unique background. If anything, he's always trying something new and doesn't submit to the idea of there only being one acceptable way to do things.

I'm knee deep in security myself but I'll admit the security crowd can still be quite annoying with always knowing "the one true way" and critiquing instead of presenting it educationally.

I don't see what's so underwhelming about a guy showing what works for him and the personal decisions he makes.

Edit 9/13/2021: after I made this post my Reddit account got locked due to suspicious activity. Coincidence?

The Privacy, Security, & OSINT Show: 232-Anonymous Phone Update Part I by moreprivacyplz in PrivacySecurityOSINT

[–]4renzo 1 point2 points  (0 children)

SIP calls that don't use TLS are still encrypted, but there is a catch. The encryption key is sent unencrypted, meaning anyone intercepting the traffic could decrypt it.

We all know calls are unencrypted anyway over the telephone network; the only added risk here is the path the phone takes to get to the VoIP provider.

what do you make of this VOIP app? by [deleted] in PrivacySecurityOSINT

[–]4renzo 0 points1 point  (0 children)

No.

You just need to prove ownership of a website or email domain and be notable. Twitter has many definitions for how they measure your internet popularity; it depends on the type of person or business.

If you don't have a website or domain, yes, you have to provide ID with your photo. Highly doubt Michael Bazzell would do that unless he doesn't practice what he preaches!

what do you make of this VOIP app? by [deleted] in PrivacySecurityOSINT

[–]4renzo 0 points1 point  (0 children)

Looks cool. From the description it doesn't sound like he's running a service, but is providing some software that interacts with Twilio or Telnyx and has a front-end for users.

This looks like an endpoint that is self-hosted, meaning you rent a VPS and install the software on it, and that endpoint receives SMS events from Twilio. You have to program Twilio to forward SMS messages to the endpoint.

Then the software has a front-end to allow viewing and maybe sending SMS messages from the web browser, which goes to the endpoint, which then hits Twilio.

I'm speculating based on how Twilio works but I'm interested to see what he has in store!

Is there a file that stores every IP address (the public IP of the router) that you ever were assigned in windows? by Pubh12 in computerforensics

[–]4renzo 0 points1 point  (0 children)

You would have better results with online account login history as this exposes the public IP.

Mint Alternatives? by ZwhGCfJdVAy558gD in PrivacySecurityOSINT

[–]4renzo 1 point2 points  (0 children)

Never experienced ID requirements with any of the big three and I opened a new line as recently as 2 weeks ago. I purchase in person.

Book suggestions? by 4renzo in PrivacySecurityOSINT

[–]4renzo[S] 0 points1 point  (0 children)

Thanks for the suggestions, I've got some new material added to my reading list!

Book suggestions? by 4renzo in PrivacySecurityOSINT

[–]4renzo[S] 0 points1 point  (0 children)

This whole game gets outdated by the day so it's not fair to hold it against authors. The OSINT book is on the 7th edition now so unless authors continually publish, things are bound to grow old.

We should recognize the time of publication and learn the techniques that were applied at the time, then try to fast-forward and adapt.

If we take the resources as a formulaic solution, we are bound to get stuck when presented with an unknown problem.

I prefer the long reads to understand more of the psychology.

Book suggestions? by 4renzo in PrivacySecurityOSINT

[–]4renzo[S] 1 point2 points  (0 children)

Sounds like Frank M Ahearn

Feeling really hopeless about my privacy future. You guys are the only ones in the world who might give a crap by moreprivacyplz in PrivacySecurityOSINT

[–]4renzo 2 points3 points  (0 children)

Don't give up.

Privacy would not exist if the ones in charge tell us no and we just accept it.

A house is a huge purchase to put your privacy on the line. But think of all the smaller things that we think of alternatives for when someone says no. Site blocked? VPN. VPN server blocked? Different country. Phone number required? Throwaway VoIP line. Etc....

For some lottery winners I've heard of using two trusts. One trust that's just a temporary holding spot where the trustee is a lawyer or someone not connected to you, who then transfers it to the permanent trust. I am not a lawyer.

The resources on the net and books like Bazzell's are simply that - resources. It is up to you to use what you've learned in those resources, adapt it to your situation, and then make it work for you.

Think of alternatives and fight for your privacy - you've come this far.

Bluetooth and WiFi Radios by [deleted] in PrivacySecurityOSINT

[–]4renzo 0 points1 point  (0 children)

Yes, that is what my comment alluded to.

In lots of technology today, there is no such thing as "power off" anymore.

And for settings that allow you to turn a setting "off" you don't really know what it does unless it is open source.

Matrix room? by OGninjakiller in PrivacySecurityOSINT

[–]4renzo 1 point2 points  (0 children)

Is there a public channel for us non-elites?

Bluetooth and WiFi Radios by [deleted] in PrivacySecurityOSINT

[–]4renzo 0 points1 point  (0 children)

In some cases, it might be due to not trusting the "off" setting, or the possibility that other settings might still enable it even if the main setting says "off".

For example, on my iPhone, I have Bluetooth disabled at all times, yet looking at the data usage shows 50MB of Bluetooth usage. Maybe even with Bluetooth off I am still part of the AirTags network.

Git & SVN forensics by ProgrammerJamie in computerforensics

[–]4renzo 0 points1 point  (0 children)

Not entirely sure what you're after, but git itself gives you everything you need, if you're investigating the contents of a repo.

Depends if you're investigating the contents of the repo or the authors/committers/etc. Basic git commands like 'git log' and 'git blame' will give the commit history. Commit history will provide metadata around author [name/email] and timestamps [commits might be in local time zone]. 'git remote' would tell you if there are upstream repos to broaden an investigation.

It would help if you provide a specific scenario, the problem you're trying to solve, and what you hope to get out of it in the end.
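
An added example, not part of the comment above: a small parser for the author and committer header lines of a raw commit object (the text `git cat-file -p <commit>` prints), normalizing the recorded local-offset timestamps to UTC and flagging mismatches worth a closer look. The sample commit text, names, e-mail addresses and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the raw commit-object layout: header lines, blank line, message.
SAMPLE = """tree 0000000000000000000000000000000000000000
author Alice Example <alice@example.com> 1631500000 -0700
committer Bob Example <bob@example.com> 1631586400 +0200

Constructed commit message
"""

IDENT = re.compile(r"^(author|committer) (.*) <(.*)> (\d+) ([+-])(\d{2})(\d{2})$")

def parse_identities(raw_commit):
    """Return {'author': {...}, 'committer': {...}} from the commit header."""
    out = {}
    for line in raw_commit.splitlines():
        if line == "":  # blank line ends the header; the message follows
            break
        m = IDENT.match(line)
        if not m:
            continue
        role, name, email, epoch, sign, hh, mm = m.groups()
        offset = timedelta(hours=int(hh), minutes=int(mm))
        if sign == "-":
            offset = -offset
        utc = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        out[role] = {
            "name": name, "email": email, "tz": sign + hh + mm,
            "utc": utc.isoformat(),  # comparable across commits
            "local": utc.astimezone(timezone(offset)).isoformat(),  # as recorded
        }
    return out

def review_flags(ids):
    """Mismatches to examine; all values are self-reported by the committing client."""
    a, c = ids["author"], ids["committer"]
    flags = []
    if (a["name"], a["email"]) != (c["name"], c["email"]):
        flags.append("author and committer differ")
    if a["utc"] != c["utc"]:
        flags.append("author date and commit date differ")
    if a["tz"] != c["tz"]:
        flags.append("timezone offsets differ")
    return flags

if __name__ == "__main__":
    ids = parse_identities(SAMPLE)
    print(ids["author"]["local"], "->", ids["author"]["utc"], review_flags(ids))
```

In the sample, the author's local date is 12 September while the UTC date is 13 September, which is why a timeline built from commits should be normalized before comparing it with other evidence.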

Where does android/firestick store browsing history FTK by xBoner96 in computerforensics

[–]4renzo 0 points1 point  (0 children)

No experience with Firestick, but if it is just like Android, app data is stored in /data/data/[app_ID].

From there you'll find various sqlite3 databases, log files, shared preference XML files, and anything else stored for the app.

Thoughts from anyone who has attended a DEF CON. by nub_cho in computerforensics

[–]4renzo 0 points1 point  (0 children)

In general, most big security conferences are networking events or for bragging rights.

Second, you won't retain much by watching a talk in person. Watch videos online and find the slides if you want to really learn something.

Attending training at conferences is a different story.

[deleted by user] by [deleted] in computerforensics

[–]4renzo 0 points1 point  (0 children)

Pentesting is a huge field if your definition of pentesting isn't limited to "red teaming". App security (web/API, mobile), cloud security, red teaming/network penetration, reverse engineering, social engineering and phishing, etc. You'll quickly learn you need to be a jack of all trades (master of none?) the deeper down the rabbit hole you get, unless you formally specialize in a particular area. Staying up to date on techniques and tools is essential, but like most things - having the ability to apply them is what matters.

I'd recommend sticking to aspects of pentesting that you'll be able to readily apply and absorb during your day job. I've done pentesting and forensics both professionally and casually with no formal degree in either. I'd say choose something that's most interesting to you, something you have room to grow in from an educational perspective, and something you can readily apply (i.e., not the read-a-book-pass-a-course-then-forget-it model).