Your Privacy Online by Alex McGeorge

Version 5.0 - Presented at Black Rose Tuesday Education 10/Nov/2020

License

Who am I?

My name is Alex McGeorge. For 11+ years I broke into things for a living with Immunity, Inc.

What kinds of things?

  • Websites, applications and networks
  • Other people's software
  • Other people (social engineering)

I also used to teach some of these things to others and occasionally I would put on a suit and talk into a camera

Disclaimer!

  • I do the same job but for a different company so ....
  • I am speaking to you today in my capacity as a private citizen, the views, opinions and information I present herein do not necessarily represent those of my employer
  • I am not an employee of: Facebook, Google, FetLife, Recon, DropBox, Microsoft, etc.
  • I can not comment on what they actually do with your data only what is possible
  • You may ask me a question I am not allowed to answer, I'll just say I can't answer it and that will be the end of it

Why am I here?

  • I'm here to be a resource, to give you straight answers in plain English and to dispel bullshit
  • We have a ton of content to cover

There are some limitations...

  • Unfortunately I am not here to fix your computer
  • I'm not here to recommend specific products or services
  • I'd really prefer not to get into a technical dick showing competition

Who is this class for?

  1. Non IT professionals
  2. We will also cover only personal privacy and security
  3. This is not a tutorial on breaking the law

A note on choosing your enemies

Nothing I say here will prepare you for a nation state level adversary

Allow me to save you some time: if the NSA is your enemy, you're fucked

As promised there will be porn

A brief note on why I include porn


A non-technical introduction to threat modeling!

  • For a non-technical audience this allows us to order our thinking a bit and more easily ask for outside help
  • Allows us to identify the risks we are afraid of
  • Allows us to prioritize those risks by impact or likelihood
  • Allows us to identify mitigations for those risks

The curious case of the connected chastity device

Premise: two people wish to engage in long distance chastity play, they have chosen a device which allows the key holder to lock and unlock the device remotely at their whim

Given: we have increased the number of people who may interact with the chastity device

  • Risk: An attacker can unlock the device when the real keeper does not want it unlocked
    • Mitigation: The person in chastity re-locks the device on their honor
  • Risk: An attacker can render the device permanently locked
    • Mitigation: A physical override key that manipulates the lock
    • Mitigation: Home Depot and a friend
  • Risk: An attacker may be able to unmask the identities of the users of the device
    • Mitigation: Can we rely on compartmentation of identities?
    • Mitigation: Can we force a VPN from all users of the device?

The Looking Glass War

Premise: you are concerned with people near you spying on your internet traffic

Given: the people you're afraid of do not have physical access to your device

  • Risk: folks on the same network as you can be tricky and spy on your traffic

A Most Wanted Kinkster

Premise: you want to keep your kink and vanilla identities separate

Question: who are you worried about finding out? Are they actively looking? This will inform what capabilities are at their disposal

  • Risk: a third party will connect your vanilla and kink identities
    • Mitigation: physical compartmentation of identities
    • Mitigation: digital compartmentation of identities
    • Mitigation: logical compartmentation of identities

Compartmentation

Physical Compartmentation

  • Devices are cheap(er), if you are able to, purchase dedicated mobile and/or laptop (ex: a Chromebook or tablet)
  • These are now the only devices you will conduct kink business from

Note: The security of many devices is much weaker when the attacker has physical access to them, keep your devices to yourself

Digital Compartmentation

  • Always connect via a VPN, explore configurations on your device which will enforce connections via a VPN
  • This includes your phone!

Logical compartmentation

  • Create a distinct kinky email address, only access from your kink phone
  • Use a service like Google voice to create a distinct phone number
  • Create unique kink user names AND PASSWORDS for the sites you wish to use
    • Do not follow vanilla or kinky accounts you follow with your non-kinky social networking
    • Use a password manager, let it create and store the passwords for you

What is a VPN and how does it work?

  • A Virtual Private Network is a technology that establishes an encrypted connection between your computer and another
    • All your network traffic that would go outside your home network will now go through the VPN
  • Someone snooping on your traffic as it leaves your home will only see a few things:
    • That you're talking to a VPN server, and what IP that server is at
    • How much data you've sent for the period they have been observing
  • They will not be able to
    • Know what data you've passed
    • Insert data pretending it's from you
    • Know where the data is going after it is received by the VPN*

Let's visualize


  • The top image is logically what happens when you visit a website, the bottom is closer to what happens in reality

Let's visualize but with SSL


  • Now we add SSL, this encrypts our connection to our destination
  • BUT! Someone snooping on our traffic will know we visited Google (or Fetlife)

Let's visualize but with SSL and a VPN


  • We add a VPN, so anyone snooping between our home network and the VPN server is in the dark (sorta)
  • Now we add SSL, this encrypts our connection to our destination through the tunnel
  • BUT! Unencrypted traffic going INTO the tunnel will be unencrypted going OUT of the tunnel

Questions of the day!

What precautions do I need to take now that I'm working from home?

  • Risk: my work computer may expose me to spying on my home network by my employer, or vice versa
    • Mitigation: Network compartmentation!
    • Option 1: You can buy a second wireless router, connect it to the ethernet port on your main router, connect your personal equipment to the new router and your work equipment to the top router, use VPNs
    • Option 2: Some wireless routers allow you to create guest networks, connect your work computer to the guest network

Should I be doing work for my employer on my home PC?

Opinion: Not if you can avoid it

  • Risk: My employer may spy on me or I may inadvertently expose personal information from my home PC
    • Mitigation: Your employer may provide you with a solution like Citrix which allows you to have a virtual remote desktop without installing something on your computer which would give them access
    • Advice: Prioritize solutions from your employer that allow you to install little or no software
    • Mitigation: If you are able to use a dedicated system (which you provide) for work, use it strictly for work (tax writeoff?)

What's a deepfake?

  • Given a target photo or video, and a large library of photos or videos of the person I want to insert into the target media, I can do that with a high degree of believability
  • How is this possible? Math! (which is beyond my abilities)
  • How can you detect if an image is deepfaked?
    • Most fakes available to the general public look good, but don't pass the 'this looks kinda off tho' test
    • Our pal Jane Lytvynenko has a good twitter thread
    • More advanced fakes require help from our friends at DARPA

I am worried about photos connecting my two lives

This is going to be a rabbit hole

  • Risk: Someone may recognize my face
    • Mitigation: You can cover your face or turn around
      • Sub-risk: someone can remove a person from a photo and search for other photos with similar backgrounds
        • Sub-mitigation: I will choose innocuous backgrounds or backgrounds that can not be linked to me
  • Risk: the image metadata (lat/long, type of phone, camera details) may connect me
    • Mitigation: You can scrub metadata from images: bring the image up on the screen, take a screenshot, crop the screenshot, and you now have a new image with no metadata

More about photos

  • Risk: Fixed-pattern noise (FPN) or PRNU may be used to connect my photos
    • Mitigations: I will only take kinky photos with my kinky phone, I will never post photos from my kinky phone anywhere other than kinky sites
    • Question: Can I mask or alter these? Yes, but I am unaware of a user friendly way to do that
      • Good deepfakes already do this
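The screenshot trick above works because it produces a brand-new file. For the curious, here is what "scrubbing metadata" means at the byte level: a JPEG is a chain of tagged segments, and EXIF (GPS, phone model, camera settings) and XMP ride in APP1 segments that can simply be dropped while the picture data is copied through untouched. This is an added example for this write-up, not from the original talk; it uses only the Python standard library and a constructed tiny JPEG. Note what it does not do: it removes the metadata tags, but the sensor-noise fingerprint (PRNU/FPN) from the slide above lives in the pixels themselves and survives this, which is why the slide's real mitigation is the separate kinky phone.

```python
"""Strip EXIF/XMP metadata from a JPEG by walking its marker segments.

Added example, not part of the original talk. Standard library only.
The JPEG used for the demo is a constructed minimal file, not a real photo.
"""
import struct

SOS = 0xDA    # Start Of Scan: entropy-coded image data follows, unframed
APP0 = 0xE0   # JFIF header, harmless, kept
APP1 = 0xE1   # where EXIF and XMP live
DQT = 0xDB    # quantization table, needed to decode the image

# Payload signatures of the APP1 segments that carry metadata.
METADATA_SIGNATURES = (b"Exif\x00\x00", b"http://ns.adobe.com/xap/1.0/\x00")


def iter_segments(data: bytes):
    """Yield (marker, segment_bytes, offset) for each segment through SOS.

    Every segment before SOS is 0xFF, marker, 2-byte big-endian length
    (which counts itself), payload. After SOS the scan data is not framed
    this way, so the walker stops and the caller copies the rest verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]
        yield marker, segment, pos
        if marker == SOS:
            return
        pos += 2 + length
    raise ValueError("truncated JPEG (no SOS segment found)")


def is_metadata_segment(marker: int, segment: bytes) -> bool:
    """True for APP1 segments whose payload is EXIF or XMP."""
    payload = segment[4:]  # skip marker (2 bytes) and length (2 bytes)
    return marker == APP1 and payload.startswith(METADATA_SIGNATURES)


def has_metadata(data: bytes) -> bool:
    return any(is_metadata_segment(m, s) for m, s, _ in iter_segments(data))


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with EXIF/XMP APP1 segments removed."""
    out = bytearray(b"\xff\xd8")
    end = 2
    for marker, segment, offset in iter_segments(data):
        if not is_metadata_segment(marker, segment):
            out += segment
        end = offset + len(segment)
    out += data[end:]  # scan data and EOI, copied through untouched
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one framed segment (helper for the constructed sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: structurally a JPEG, but the scan data is junk bytes.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08"
               b"GPS 12.34,-56.78 PhoneModel=Example (constructed)")
    + _segment(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _segment(DQT, b"\x00" + bytes(64))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"   # fake entropy-coded data
    + b"\xff\xd9"       # EOI
)

if __name__ == "__main__":
    clean = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", len(SAMPLE_JPEG), "bytes, metadata:", has_metadata(SAMPLE_JPEG))
    print("after: ", len(clean), "bytes, metadata:", has_metadata(clean))
```

On a real photo you would read the file with `open(path, "rb")`, run `strip_jpeg_metadata` on the bytes, and write the result to a new file; the image decodes identically because only the APP1 tags were removed.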

Which meeting software is best?

Opinion: They are all a pile of garbage

  • Risk: I am concerned about the meeting software negatively impacting the security of my computer
    • Mitigation: Use a private/incognito session in your browser to connect to the meeting, close the browser when done
    • Mitigation: Several cloud providers allow you to 'rent' a virtual desktop, use one of those and then destroy it
    • Advanced Mitigation: you can explore virtualization (VMware, VirtualBox, Hyper-V) or containerization (Docker)
  • Risk: I am concerned about the meeting software knowing my IP address
    • Mitigation: Use a VPN to connect to the meeting
  • Risk: I am concerned about going to the meeting revealing my identity
    • Mitigation: Only join meetings where you trust all participants
    • Mitigation: Only join a meeting from your kinky device
    • Mitigation: Do not allow the meeting access to your camera or mic

Do I trust covid tracking apps?

  • Risk: I am concerned about the COVID tracking software impacting the security of my phone
    • Mitigation: Allow the app to auto update
  • Risk: I am concerned about someone using this to track my movements
    • Mitigation: Understand what data is collected and how
    • Fact: without a lot of configuration, your phone is constantly using its radios to beacon for other devices already
  • Risk: I am concerned about someone figuring out I specifically have covid
    • There is not a mitigation I am aware of here, you trust how they handle your data or you don't

Verdict for Alex: Worth the risk

How deep does the opsec rabbit hole go?


Start here

Questions?

This presentation has been made with Flowtime.js