The Privacy, Security, & OSINT Show – Episode 178

EPISODE 178-Privacy Crash Course 05: Listener Questions

This week I tackle 50 listener submitted questions about the Privacy Crash Course episodes.

Support for this show comes directly from my new book Extreme Privacy-Second Edition. More details can be found at



Listener Question Report


What Little-Snitch like software do you recommend for Linux?

Do you have any alternatives to MySudo? Twilio often lacks any SMS functionality for virtual numbers, and in some countries charges 14-50$ per number.

What VeraCrypt Encryption option should I use? (AES, Serpent, Twofish, ect.)

we want to download photos from our phones (which as of now are in a faraday bag when they are at or near our house) and we aren't sure how we will do this. Do we make an exception and turn the phone on in airplane mode at our home so that we can connect a wire to our computer purchased for this purpose? Or do we need to take that new computer to a different location outside of the house everyone time we want to download photos?

It seems that using both ProtonVPN and NetGuard on my Android phone is mutually exclusive (there can be only one VPN app at a given time). Is it so? and if it is, what is the more important app.

What is/are the best method(s) for purchasing a phone as anonymously as possible?

Does Apple have a way of tracking from where I download my OS X iso ? The IP address from where I downloaded it, and from which account? If so, how would you go about obtaining a copy that will not be traced back to you.

Thoughts on Keeper?

What are your recommondation/considerations in regard to FileVault2 keys being retained in memory while the MAC is in the "Sleep" mode? How vulnarable is the MAC in such a situation?
(sudo pmset 'hibernatemode' 25)
(sudo pmset destroyfvkeyonstandby 1)

Can you explain the difference between 'encryption' when it comes to privacy friendly platforms such as Signal & Wire VS more commonly adopted platforms such as iMessage & WhatsApp?

On your most recent show, you stressed the importance of full disk encryption. I have read on various forums that due to the design and function of SSD, the encryption task should be done first. What should be the proper procedure of encryption for SSD vs HDD?

how would you approach adopting a 2nd android device as a media player/web browser device that will use wifi often and bluetooth occasionally?

I wanted to see your thoughts about: Syncthing / NextCloud / Brew

You've said that your iPhone stays in a faraday bag and doesn't enter your home. At home you use an iPod Touch (I think) via wifi. I'm curious how you utilize the same communication apps on both devices without sharing an Apple ID. For example, if you have MySudo on your iPhone, how do you get the same MySudo data onto your iPod Touch? If, as you say, the devices are never in the same room together, this would prevent the use of a QR code. Wouldn't it?

Did you go to college and if so what was your major? Also, do you make good money doing privacy stuff.

Once I've hardened my iMac and iPhone, how do I harden an iPad?

Were you aware that virustotal is owned by google? I was surprised to hear you recommend knockknock to send executables to virustotal in the latest show. That is a good chunk of unique data to be giving to google.

When creating accounts that require text verification and doesn't accept VoIP, do you recommend using a paid text verification service

My idea is to buy a crappy, basic phone that just calls and texts, and buy a new SIM card that is in no way identified with my current cell plan. Then, I'll use that new number, which will NEVER be given out or used for anything else, as the phone number/SMS 2FA for those accounts. I use Google Auth or Yubikey where available, but for example my crypto accounts trace back to a proton mail which cannot be 2FA protected.

You suggest using simple login to avoid having to use your main email address. I have a paid protonmail account. Can I achieve the same thing by creating multiple email addresses in protonmail and using them instead of simple login?

I plan on moving from Android to iPhone. What is the best way to start clean and private? Also what should I do if I plan on purchasing some apps through the app store as well.

is CripText mail a good alternative for ProtonMail.

What is the least stupid way to log into a Google account to both keep it active or do limited things? Email/text forwarding works to get messages from it, but I learned the hard way if you don't log into the account after a period of time, google will take back your phone number.

My daily driver is a Windows 10 home laptop, I can't replace my Windows OS with Ubuntu at the moment but I do have Ubuntu set up inside of a virtual machine in Windows 10. Does that set-up provide me with any amount of security or does Windows see everything I do inside of VM Ubuntu and send all that data back to Microsoft?

Where to get a Windows LTSC License? Would you recommend it to install on device or in a vm?

You've spoken quite a bit about controlling inflow / outflow of data to various telemetry collectors from Microsoft, Apple, etc. I have found using a service like, or a Pi-hole, or a Winston privacy devie can accomplish the same without needing to configuration individual machines - they simply block DNS resolution to undesirable sites. Thoughts on the two approaches (individual machine config vs. a DNS blocker)?

You recommend Protonmail but admit you use fastmail for your business. What gives? Why don't you trust PM for your business?

If I want to put Music on my iPhone, I have to import the music into iTunes first, then send to the phone. I also can't copy music onto multiple phones. There must be a better way?

I recently heard you talk about your Apple laptops. What happened to using Linux? WTF?

You said to be wary of Tutanota since they are in a 14 eyed country but then said not to worry about wire being in the US. WTF?

In episode 177 you indicated that OneDrive was not a good product for those who are privacy conscious. What cloud storage product, if any, would you recommend instead of OneDrive?

SIMPLELOGIN: Is it zero knowledge i.e. if subjected to a court order could they reveal the protonmail forwarding email and all the aliases?

Are you certain (and how) you can trust people that are building LibeageOS or GrapheneOS to not put backdoors in them?

does having multiple separate gmail (or icloud) accounts, including, for example, one dedicated to each important financial account, materially increase security?

If I do Full Disk Encryption for my current Mac computer, all files get wiped out?

What do you think about syncing Keepass' db with Dropbox on different devices?

Phone numbers that are used in mySudo app-- are those vulnerable to SIM swap attacks?

What are your thoughts about the recent negative reviews of Signal due to cloud storage of the PIN protected profile?

How do you configure your uBlock Origin?

You mentioned several mail providers in the email and messengers crash course, but I noticed you never really discuss using MySudo. Is there a reason you don’t really mention using the MySudo email address and instead opt for recommending Anonaddy and Simple Login?

What are your thoughts on sophisticated fingerprinting techniques?

What is best practice for using ones real name in an email address? Should anyone ever consider creating an email address that contains ones real name?

Is there anything in Extreme Privacy that you would not recommend to someone with a security clearance?

How do you pay for mysudo on android when they only accept payment from google play? Also, any way to DL to LineageOS?

Recommendation for Linux laptop?

Recommended email Client if you are in a Windows Environment and want to POP or IMAP your email.

Can you explain the benefit of keeping your files in a Veracrypt container when the computer is already encrypted? Is this just to mitigate your exposure if someone has access to your computer when it is unlocked?

In India we cannot buy a sim card without providing some form of ID card, what to do?

If you use Firefox, but you still Google services (youtube or Maps), how would you recommend to block Google from gathering your info? You brought up a way to "fence in" sites in Firefox, is that the only thing? Would you recommend something else?

Do you recommend the Librem or Pinephone at this point?

Since only one laptop, POP over IMAP? Workaround for lack of POP support with ProtonMail bridge?


Extreme Privacy 2nd Edition:


Next week I dive into all of the Privacy, Security, and OSINT topics which I missed while completing the first Privacy Crash Course.

Data Removal Workbook:

Affiliate Links (products we use):
VPN Considerations:
Silent Pocket:
Amazon (Extreme Privacy Book):