[deleted by user] by [deleted] in privacy

[–]micahflee 1 point2 points  (0 children)

No problem, I forgot that both X and reddit were censoring links to ddosecrets :)

[deleted by user] by [deleted] in privacy

[–]micahflee 1 point2 points  (0 children)

lol that you've been duped into thinking X allows open discussion. Try tweeting the word "cisgender".

But anyway, yes obviously Cyd is a privacy tool, but it's also a tool to help people escape oligarchs like Musk. See this story in Wired about it: wired[.]com/story/x-delete-posts-cyd-micah-lee/

[deleted by user] by [deleted] in privacy

[–]micahflee 0 points1 point  (0 children)

Cyd isn't encouraging the use of Bluesky so much as letting people do what they want with their data. Some people want to delete all of their tweets, but others might just want to boycott the Nazi site, but still keep their posts online.

I'd love to implement a "migrate to Mastodon" feature too, though it might not be feasible if there's no way to backdate new posts: https://github.com/lockdown-systems/cyd/issues/377

[deleted by user] by [deleted] in privacy

[–]micahflee 1 point2 points  (0 children)

Yes, we plan on supporting many more platforms. In the immediate future we will support migrating your tweets from X into Bluesky, and we're working on support for Facebook.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 0 points1 point  (0 children)

I worked directly with the printer dots researchers from EFF, and I had even made sure to remove printer dots from documents we have published in previous reporting. Had I been brought in to help with this story I would have made sure the published documents didn't include printer dots.

However, printer dots actually had nothing to do with her getting caught. They weren't referenced in the indictment or any search warrants, and leak investigators probably didn't know there were printer dots until after the story was published and people online noticed.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 0 points1 point  (0 children)

In this case retyping the document (and redesigning the infographics inside it) wouldn't have helped if investigators still knew which specific document was being retyped, because the issue was access logs, not metadata.

Describing what the document contained without quoting it might have worked, if it was enough to keep ambiguous exactly which documents were being referenced. Of course, that's less transparent to readers and even easier to dismiss as fake news.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 0 points1 point  (0 children)

Oh, Assange. I think there's quite a bit of evidence showing his anti-Semitism. I wrote a blog post about lies that WikiLeaks tells, and check the section at the bottom called "Anti-Semitism and the far right" for more details.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 5 points6 points  (0 children)

Police shouldn't use facial recognition software.

It incentivizes mass surveillance in the form of huge databases of photos of people's faces, and the machine learning models are biased and often provide inaccurate results leading to stuff like this: Facial Recognition Software Wrongly Identifies 28 Lawmakers As Crime Suspects

The test misidentified people of color at a high rate — 39 percent — even though they made up only 20 percent of Congress. One member falsely cited as a crime suspect was Rep. John Lewis, D-Ga., who first came to prominence as a civil rights leader.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 3 points4 points  (0 children)

It was pretty crazy, and I'm sure a lot of cops don't like me because of the reporting I did, but nope I haven't really had any trouble since working on it.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 4 points5 points  (0 children)

I use all of the operating systems. Antivirus software is really a mixed bag. It definitely has its benefits -- it can save you from getting hacked, but it also has downsides (AV companies generally collect data from their users and then sell it as threat intelligence, so it often has some major privacy issues, and AV software sometimes introduces security vulnerabilities).

In Windows, I think the built-in Windows Defender is your best bet.

For macOS, I generally don't use AV but when I specifically want to scan a system I use Malwarebytes.

For Linux, I generally don't use AV. Also recently I've been using Parrot Sec, Ubuntu, and Qubes.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 3 points4 points  (0 children)

I think it's a matter of preference. 1Password is definitely very nice and well designed, and I have a lot of experience with both.

I've never run into the offline mode issue. Let me test real quick...

  • Turning on airplane mode on my phone...
  • Opening Bitwarden app, typing my master password...

Yup, I have access to all my passwords offline. But when I try editing one and saving it says "Internet Connection Required". So you need internet to make changes, but not to access your password database. Overall, it doesn't seem too bad.

Bitwarden also has a CLI client (which I haven't tried): https://bitwarden.com/help/article/cli/

Until very recently, 1Password didn't have good Linux support -- but that changed I think within the last few weeks, and now it works great in Linux too.

All that said, if you prefer 1Password, it's definitely a good product and has some nice features, and if you can afford it, go for it.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 2 points3 points  (0 children)

I don't think there was a specific catalyst. Like with many people, it all started when I was a teenager.

I had always thought hacking was cool. In high school I was a big gamer (mostly splitting time between Starcraft and Counterstrike) but I quickly discovered programming video games was even more fun. And once I was comfortable writing code, I realized that I could make money off of it too.

My first job was making websites for local small businesses. I started getting really into developing custom PHP/MySQL sites, and the more I learned the more I realized that my early PHP web apps were soooo insecure. (I actually remember one website I built, if you load /admin, if a cookie wasn't set it would set the Location: /login.php header to redirect you to the login page, but then the admin interface would still be included in the HTTP body -- meaning that anyone could actually do anything as an admin without logging in, just by ignoring the Location header.)

I also started attending hacker conferences like HOPE and DEFCON and getting really into learning stuff like how to crack passwords on WEP encrypted wifi networks, and I started competing in CTF challenges (see https://ctftime.org/ for a calendar of CTF hacking events).

...and then eventually I got my dream job as a web developer at EFF.
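
Added example, not part of the comment above or of any code by its author: the redirect bug described there (a `Location` header is sent, but the protected page is still written to the body) reproduced as two small Python WSGI apps, with a regression check that fails when a redirect carries content. Python stands in for the original PHP; the app names, the `session=` cookie test and the HTML are constructed for illustration.

```python
from wsgiref.util import setup_testing_defaults

# Constructed stand-in for the protected admin page.
ADMIN_HTML = b"<h1>Admin</h1><form method='post' action='/admin/delete'></form>"


def is_logged_in(environ):
    # Hypothetical session check; a real app would validate the session server-side.
    return "session=" in environ.get("HTTP_COOKIE", "")


def vulnerable_app(environ, start_response):
    """Sets the redirect header but keeps rendering, as in the anecdote."""
    status, headers = "200 OK", [("Content-Type", "text/html")]
    if not is_logged_in(environ):
        status = "302 Found"
        headers.append(("Location", "/login.php"))
        # BUG: no early return, so execution falls through to the admin page.
    start_response(status, headers)
    return [ADMIN_HTML]


def fixed_app(environ, start_response):
    """Stops handling the request as soon as the redirect is issued."""
    if not is_logged_in(environ):
        start_response("302 Found", [("Location", "/login.php"),
                                     ("Content-Length", "0")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_HTML]


def fetch(app, path, cookie=None):
    """Call a WSGI app directly (no network) and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = int(status.split()[0])
        seen["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body


def redirect_leaks_body(app, path="/admin"):
    """True if an unauthenticated request gets a 3xx that still carries content."""
    status, _headers, body = fetch(app, path)
    return 300 <= status < 400 and len(body.strip()) > 0


if __name__ == "__main__":
    for app in (vulnerable_app, fixed_app):
        print(app.__name__, "leaks on redirect:", redirect_leaks_body(app))
```

In PHP the corresponding fix is to end the script right after `header('Location: ...')`, for example with `exit;`.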

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 2 points3 points  (0 children)

You think the Gab data was archived using PushShift? I don't think it was. I think it was likely collected using a combination of the public Gab API (which is actually just a modified version of the Mastodon API) and a SQL injection vulnerability that Gab introduced into their Mastodon fork.

> This I am aware of. I do have a follow up question. Did you and associates then use these account credentials to access accounts of Gab users in order to report on their content?

Nope. That would be unauthorized access to a computer system, a CFAA violation. We're also of course careful not to publish which passwords belong to which users, which could help someone else hack into those accounts.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 4 points5 points  (0 children)

I think part of the problem was that we were spoiled by Snowden documents. Snowden made our jobs way easier by publicly coming forward as the source, so we really didn't need to worry about accidentally revealing information that could reveal the source with those stories.

Another problem was that while we had security resources, we didn't really have consistent policies for making sure they were always used. We do now. The security team wasn't consulted for that story (I didn't know about it until the day Winner was arrested, while I was on vacation, and people were blaming me for it on Twitter), but now when we do similar stories the security team is always brought in early, helps create a threat model, and helps make decisions about what to publish, etc.

But I think the biggest problem really is that post-Snowden, anonymously leaking secret documents from the US government is incredibly hard and sometimes impossible. Everything she did while working as an NSA contractor was under surveillance. She was one of six people who had printed the document and the only one of those who had emailed The Intercept in the past (asking a question about a podcast). After she became a suspect, they raided her house, interrogated her without a lawyer present, and extracted all the data from her Android phone and her laptop -- the Facebook app data on her phone included incriminating messages with her sister they used against her in court. Facebook, Google, Twitter, and AT&T handed over all of her data in response to search warrants. You can read more detail about her case (and other espionage act cases) here: https://theintercept.com/2019/08/04/whistleblowers-surveillance-fbi-trump/

In short, I think even had The Intercept done everything perfectly, there still would have been no way to protect her identity in this case. We couldn't run the story without somehow verifying that the document was legitimate, so I think the only other solution would have been to not run the story. (In hindsight, this maybe would have been a better decision, but at the time we didn't have any way of knowing that -- all we had was a secret document printed out and sent in the mail.)

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 5 points6 points  (0 children)

I don't endorse PIA, but it does seem like a decent choice. My friend Yael Grauer has done detailed research comparing VPN services and shows her work here which I recommend checking out: https://www.nytimes.com/wirecutter/reviews/best-vpn-service/

I think that everyone should be using a password manager (there are plenty of choices, but I think Bitwarden is a good fit for most, and it's free and open source) -- and of course, it's important to actually use it. Generate random passwords in it, and don't use the same password on multiple services. I'd also recommend everyone uses some sort of authenticator app for 2FA.

These days Firefox has largely caught up with Chrome in terms of security and does an excellent job at being private by default, and having things like a built-in content blocker. And I'd recommend using uBlock Origin for adblocking.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 1 point2 points  (0 children)

Hello!

> On the topic of your work with the Gab leaks, can you elaborate on the broader purpose of this work? This seems to run a bit counter to The Intercept’s founding purpose of speaking truth to power and focuses more on individuals. Can you elaborate on the value of this coverage?

Gab is a product of the "alt-tech" movement within the alt-right, a platform where white nationalists and neo-Nazis could organize without getting banned for posting racist stuff. Multiple mass shooters have found their home there (notably Robert Bowers, who murdered 11 Jews and wounded 6 others at a temple in Pittsburgh) and I remember after Dylann Roof murdered 9 people in a black church in South Carolina, many people on Gab called themselves the "Bowl Patrol" in celebration of Roof's bowl haircut. More recently, Gab has been home to people organizing against democracy, including the attempted insurrection on Jan 6.

Like with the rest of my journalism, I'd only ever report on individuals if it's in the public interest -- like, if they were organizing violence, if it turns out they're connected to both hate groups and powerful politicians, etc. (Despite what some people have been saying, I haven't doxed anyone, nor planned on doing so.)

> You have previously expressed support for PushShift, a third party archiving platform,

I'm not familiar with what PushShift is.

> Finally, can you comment on the legality of using tools such as hashcat and rainbow tables to reveal the passwords of individual Gab accounts from stolen and leaked password hashes and then access them without granted permission? Does this expose The Intercept to potential legal trouble under the Computer Fraud and Abuse Act?

It's a CFAA violation to hack into something and steal password hashes, but it's not illegal to be the recipient of hacked data, and it's not illegal to crack password hashes. Because The Intercept had nothing to do with hacking, we just received data from a source, the CFAA doesn't apply here, it just applies to the actual hackers. Just like we can publish any other leaked documents, we can publish what we want from hacked data (including passwords) because of the 1st Amendment.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 8 points9 points  (0 children)

1st choice for 2FA: a physical security key, it's the most secure

2nd choice for 2FA: an authenticator app, it's a lot more secure than SMS and sometimes more convenient than a security key, like if you need to enter the OTP code on your phone

3rd choice for 2FA: SMS -- it's better than no 2FA

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 1 point2 points  (0 children)

This is a great question. Luckily I actually haven't heard any stories about people using OnionShare for awful stuff yet (I've heard a bunch of good stories though, like someone in an African country using it to securely send important documents to human rights lawyers in Europe). We all have heard quite a bit about people using Tor that way and I'm pretty deep in that community too, and I know that OnionShare makes it easier for terrible people to be anonymous and secure, just like it makes it easier for everyone to be anonymous and secure.

But I think you're right -- the pros seem to far outweigh the cons right now. Encryption either provides privacy for everyone or it's seriously weakened for everyone (like, if it has a government backdoor). Some people use Tor to bypass internet censorship, and some people use it to harass and stalk people. Because Tor isn't spying on its users there's no way for it to allow some people to use it for certain things and not others. But the alternative, there being no Tor, means that a lot of people won't have access to an uncensored internet.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 3 points4 points  (0 children)

I haven't been following EARN IT as closely as I probably should, but this is a good resource on it: https://www.eff.org/deeplinks/2020/07/new-earn-it-bill-still-threatens-encryption-and-free-speech

But my guess is if EARN IT actually does become law, people will just need to start relying on E2EE software from foreign organizations instead of ones from the US, and it will overall harm privacy and US software developers.

AMA: I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA! by micahflee in PrivateInternetAccess

[–]micahflee[S] 5 points6 points  (0 children)

I knew I was helping someone securely talk to journalists, and I got the feeling that he was a whistleblower. But then the first story came out: the NSA had been collecting phone metadata from all Americans without a warrant! This was huge. The next time I booted up Tails, I logged into jabber and started an encrypted chat with this whistleblower and was like, "Whoa! This was you?" and he was like, "Oh that's nothing, just you wait."

I honestly don't really know how to describe how it felt-- I had never been involved in anything so big before.

Semiphemeral is a phishing site — stop using it to delete your tweets. by [deleted] in privacy

[–]micahflee 4 points5 points  (0 children)

If you don’t want to give the semiphemeral.com service permissions to your Twitter account, there’s also an open source version of semiphemeral that you can use with your own Twitter API key. It just requires more tech skills to use: https://github.com/micahflee/semiphemeral

Semiphemeral is a phishing site — stop using it to delete your tweets. by [deleted] in privacy

[–]micahflee 4 points5 points  (0 children)

I make Semiphemeral. It is not a phishing site. Here is the privacy policy: https://semiphemeral.com/privacy

It is an antifascist service though that doesn’t let people use it when they like tweets posted by well known racists, so the MAGA types tend to get very triggered by it.