The Complete Privacy & Security Podcast-Episode 019

Posted on February 22nd, 2017

Episode 019: PIA is here to discuss VPNs

This week we sit down with Caleb Chen from Private Internet Access (PIA) to talk about VPNs.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

ProtonMail Bridge Beta Signup
https://protonmail.com/blog/bridge-beta-signup/

Private Internet Access (PIA-Affiliate Link)
https://www.privateinternetaccess.com/pages/buy-vpn/crimeinfo

PIA FBI Warrant Response
http://bit.ly/1UjK0UW

PIA Warrant Canary Commentary
http://bit.ly/2ek0jkP

LISTENER QUESTIONS:

Veracrypt
https://veracrypt.codeplex.com/

Pipl Optout
mail@pipl.com

OpenDNS
https://www.opendns.com/

OSINT SEGMENT:

Cloudfront Search
https://www.google.com/search?q=site%3Acloudfront.net+test

Document Tools
https://inteltechniques.com/osint/docs.html


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 019

Android Emulation for OSINT (2017 Update)

Posted on February 19th, 2017

A key piece of my Live and Online OSINT training is the use of virtual Android machines in order to create a mobile environment for online investigations. I have always used Genymotion for this, as I believe it is the best and most stable option. The three videos that I have for this instruction were getting a bit outdated, so I created three brand new videos to replace them. I thought it may benefit others to evaluate my current setup.

Genymotion has had several updates recently, and the latest (2.8.1) appears very stable. I encourage others to update their installs, even if that means creating new devices. After installing the latest versions of Genymotion and VirtualBox, launching Genymotion should appear as the image below (without my virtual machines).

Clicking the “Add” button will present a list of potential devices. Officially, I train others to use “Custom Phone 6.0.0 – API 23” because it is the most basic and stable option. However, I personally use “Google Nexus 5x 6.0.0 – API 23” because of the ability to better store apps on the home screen. They both use the same 6.0.0 backbone. The image below displays both acceptable devices that will work with the following instructions.

This will create a new device ready for execution. It will be missing the Google Play store, which is vital for investigative use. The following instructions will restore the Play store, emulate a more appropriate ARM driver (which will make some apps work better), and execute a patch that will eliminate those annoying Google crashes that have plagued this method for years.

  1. Download the 6.0.0 ARM Driver HERE. Drag and Drop the Zip file directly into your running virtual Android device. Agree to the warning, and acknowledge the completion. Close the device and re-start.
  2. Download the GApps 6.0.0 file HERE. Drag and Drop the Zip file directly into your running virtual Android device. Agree to the warning, and acknowledge the completion. Close the device and re-start.
  3. Login to a Google account that you will use to download apps to the device. Close any errors that appear. Close the device and re-start.
  4. Download the Benzo Patch file HERE. Drag and Drop the Zip file directly into your running virtual Android device. Agree to the warning, and acknowledge the completion. Close the device and re-start.

You should now have a fully-functioning Android 6 device with Google Play and no errors. You can now install any apps within the Play store. If any apps refuse to install because of an incompatible device, download the desired app from APK Pure and drag and drop it into the machine.

Once your machine is ready for an investigation, close it (and the Genymotion app) and launch the VirtualBox application. Select your device in the menu, right-click, and choose “Clone”. This will create an exact replica of the virtual mobile device, including your apps and settings, which can be used for the next investigation without contaminating your “Master” machine. Selecting any machine within VirtualBox and choosing File > Export will allow you to create a single-file archive of the current machine. This will include any data preserved in its current state. Below is an image that displays the VirtualBox Clone option.

Below is an example of an investigative device ready to go.

 

 

 

 

Filed under OSINT | Comments Off on Android Emulation for OSINT (2017 Update)

The Complete Privacy & Security Podcast-Episode 018

Posted on February 14th, 2017

Episode 018: Listener Questions Part III

This week we tackle another round of listener questions about digital privacy and security.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

Turtl
http://turtlapp.tumblr.com/

Little Flocker
https://www.littleflocker.com/

Micro Snitch
https://www.obdev.at/products/microsnitch/index.html

Objective-See
https://objective-see.com/products/oversight.html

VeraCrypt
https://veracrypt.codeplex.com/

Blackberry Android Apps
https://play.google.com/store/apps/details?id=com.bbm&hl=en

StartPage
https://www.startpage.com/

Duck Duck Go
https://duckduckgo.com/

OSINT SEGMENT:

Gravatar
https://en.gravatar.com/site/check/


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 018

The Complete Privacy & Security Podcast-Episode 017

Posted on February 7th, 2017

Episode 017: Andy Yen of ProtonMail

This week we sit down with ProtonMail CEO Andy Yen to discuss secure email communications.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

ProtonMail
https://protonmail.com/

Listener Questions:

Sudo App
https://sudoapp.com/

Privacy.com
https://privacy.com/

OSINT SEGMENT:

Searx
https://searx.me/


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 017

The Complete Privacy & Security Podcast-Episode 016

Posted on January 31st, 2017

Episode 016: Catching up from SLC

This week’s episode of The Complete Privacy & Security Podcast is now available. This week, we meet up at Sudo headquarters in Salt Lake City. We apologize for the audio quality, as we had to use a single portable microphone.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

Sudo App
https://sudoapp.com/

Keeping up
https://www.reddit.com
https://arstechnica.com/security/
https://nakedsecurity.sophos.com/
https://www.schneier.com/
http://www.krebsonsecurity.com/

Autofill Vulnerabilities
https://www.bleepingcomputer.com/news/security/browser-autofill-profiles-can-be-abused-for-phishing-attacks/

Family Tree Now Opt-Out
http://www.familytreenow.com/optout

Turtl
http://turtlapp.tumblr.com/

Signal Forwarding
https://whispersystems.org/blog/doodles-stickers-censorship/

OSINT SEGMENT:

Burner Challenge
http://challenge.burnerapp.com/

 


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 016

Internet Search (OSINT) Resource: FindFace

Posted on January 29th, 2017

FindFace is a free online service that claims to analyze images in hopes of identifying additional photos based on facial recognition. This is different from a reverse image search, which only looks for duplicate images on additional pages. While Google Images is great for locating COPIES of photos, it does not search for additional images based on FACIAL FEATURES. I have found FindFace to work sporadically, and fail often. However, I have found a couple of scenarios where FindFace located online evidence when Google Images, Bing, and TinEye failed. The following demo should help explain their free service. Below is the Facebook profile of a volunteer willing to help with an example.

I right-clicked on this photo and saved it to my computer. FindFace requires that you upload a target image, and does not allow submission via URL. I uploaded this photo and received the following response. The first result is the Twitter profile of my target.

I must admit that the first three searches that I conducted failed. This fourth option resulted in a success. Also, these photos are identical, so the facial recognition aspect is still questionable. However, I do know that this tool has helped me take Facebook profile photos and locate Twitter profiles of the same person. Hopefully, this limited scope will expand as the service grows.

 

Filed under Facebook, OSINT, Twitter | Comments Off on Internet Search (OSINT) Resource: FindFace

Internet Search (OSINT) Resource: Visual Site Mapper

Posted on January 29th, 2017

When researching a domain, I am always looking for a visual representation to give me an idea of how massive the website is. Conducting a “Site” search on Google helps, but you are at the mercy of Google’s indexing, which is not always accurate or recent. An alternative to this is to use Visual Site Mapper. This service analyzes the domain in real time, looking for linked pages within that domain. It provides an interactive graph that shows whether a domain has a lot of internal links that you may have missed. The image below shows a portion of my own domain after analysis.

Highlighting any page will display the internal pages that connect to the selected page. This helps identify pages that are most “linked” within a domain, and may lead a researcher toward those important pages. The image below highlights a blog post, and displays other internal pages that possess links to that post.
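To show what a site map of this kind actually computes, here is an added example (my own illustration, not Visual Site Mapper’s code) that crawls a constructed four-page site held in a dictionary, keeps only links that stay on the same domain, and ranks pages by how many internal pages link to them. The domain `example.com`, the page contents and the `fetch` callback are all assumptions for the demo; a real run would replace `SAMPLE_SITE.get` with an HTTP fetch.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed sample site (not a real domain): each page is a small HTML body.
SAMPLE_SITE = {
    "https://example.com/":
        '<a href="/about">About</a> <a href="/blog/post-1">Post 1</a> '
        '<a href="https://other.example.org/">External</a>',
    "https://example.com/about":
        '<a href="/">Home</a> <a href="blog/post-1">Post 1</a>',
    "https://example.com/blog/post-1":
        '<a href="/">Home</a> <a href="/blog/post-2#comments">Next</a>',
    "https://example.com/blog/post-2":
        '<a href="/blog/post-1">Prev</a>',
}

class LinkExtractor(HTMLParser):
    """Collects every href of an <a> tag; ignores scripts, forms, etc."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def internal_links(page_url, html):
    """Absolute, fragment-free URLs on the same host as page_url."""
    parser = LinkExtractor()
    parser.feed(html)
    host = urlparse(page_url).netloc
    links = set()
    for href in parser.hrefs:
        absolute = urldefrag(urljoin(page_url, href)).url   # resolve relative paths, drop #fragments
        if urlparse(absolute).netloc == host:
            links.add(absolute)
    return links

def map_site(start_url, fetch):
    """Breadth-first crawl within one host. fetch(url) returns HTML or None."""
    graph, seen, queue = {}, {start_url}, deque([start_url])
    while queue:
        url = queue.popleft()
        html = fetch(url)
        if html is None:            # missing page: it still appears as a link target
            continue
        graph[url] = internal_links(url, html)
        for link in graph[url]:
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return graph

def in_links(graph):
    """Invert the graph: which internal pages link to each page."""
    incoming = {url: set() for url in graph}
    for source, targets in graph.items():
        for target in targets:
            incoming.setdefault(target, set()).add(source)
    return incoming

def most_linked(graph, n=5):
    """The n pages with the most internal in-links, as (url, count) pairs."""
    counts = ((url, len(srcs)) for url, srcs in in_links(graph).items())
    return sorted(counts, key=lambda pair: (-pair[1], pair[0]))[:n]

if __name__ == "__main__":
    graph = map_site("https://example.com/", SAMPLE_SITE.get)
    for url, count in most_linked(graph):
        print(f"{count:2d} internal links -> {url}")
```

The in-link ranking is what the “most linked” highlighting in the tool’s graph shows; the external `other.example.org` link is dropped because only same-host links describe the site’s own structure.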

Filed under OSINT | Comments Off on Internet Search (OSINT) Resource: Visual Site Mapper

The Complete Privacy & Security Podcast-Episode 015

Posted on January 24th, 2017

Episode 015: Privacy.com CEO Bo Jiang

This week’s episode of The Complete Privacy & Security Podcast is now available. This week, we sit down with Bo Jiang, the CEO of Privacy.com.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

privacy.com
https://privacy.com/

OSINT SEGMENT:

Search Tools
https://inteltechniques.com/menu.html

LISTENER QUESTIONS:

Signal
https://itunes.apple.com/us/app/signal-private-messenger/id874139669?mt=8
https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms&hl=en


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Search, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 015

The Complete Privacy & Security Podcast-Episode 014

Posted on January 17th, 2017

Episode 014: JJ Luna

This week’s episode of The Complete Privacy & Security Podcast is now available. This week, we sit down with J.J. Luna, the original godfather of privacy.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

JJ Luna
http://jjluna.com/

OSINT SEGMENT:

I Search From
http://isearchfrom.com/

LISTENER QUESTIONS:

Email address for Ancestry.com Removal
customersolutions@ancestry.com

Epic
https://www.epicbrowser.com/

Disconnect
https://addons.mozilla.org/en-US/firefox/addon/disconnect/

Self Destructing Cookies
https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/

HTTPS Everywhere
https://www.eff.org/https-everywhere
https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/

No Script
https://addons.mozilla.org/en-US/firefox/addon/noscript/


The Complete Privacy and Security Desk Reference
https://inteltechniques.com/book4.html

Michael’s Website
https://privacy-training.com/

Justin’s Website
https://www.yourultimatesecurity.guide/

Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Search, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 014

The Complete Privacy & Security Podcast-Episode 013

Posted on January 10th, 2017

Episode 013: Blur CTO Andrew Sudbury

This week’s episode of The Complete Privacy & Security Podcast is now available. This week, we sit down with co-founder and CTO of the online privacy company Abine (maker of Blur) to talk about privacy masking.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

Abine

OSINT SEGMENT:

LightShot

LISTENER QUESTIONS:

Twitwipe

Facebook post manager plugin


Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 013

The Complete Privacy & Security Podcast-Episode 012

Posted on January 3rd, 2017

Episode 012: Listener Questions Part II

This week’s episode of The Complete Privacy & Security Podcast is now available. This week, we tackle more listener questions about all things related to privacy and digital security.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

Fastmail

Protonmail

Telegraph

Telegram

Objective-See

TOR

AirVPN

Sudo App

ScanDisk Ultra fit

Davdroid App

Thunderbird

CarbonCopyCloner

Mozy


Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 012

Privacy & Security Video Training is Active Today!

Posted on December 28th, 2016

A few years ago, I started teaching a 2 day course on digital privacy and security. This quickly expanded and became the second most requested training that I offer. The hosts that request this training usually offer it in-house, and do not allow outside registration. In order to get the training out to everyone, I have created an online video training course, very similar to my OSINT training. This new online option currently contains over 18 hours of HD video, with monthly updates as technology changes. This course covers everything from basic computer security and software configuration to completely anonymous purchases and disinformation strategies. While the whole course is not likely applicable to every person, I believe that anyone can benefit from the ideas shared throughout the 20 modules of training. The pricing will be identical to the OSINT training, but we are offering access for half-price while we build up interest. Current members of the OSINT training will receive a further discount. We will not be externally advertising or marketing the course, similar to what we have done with the OSINT training. For complete details, please visit Privacy-Training.com.

Filed under Privacy, Security | Comments Off on Privacy & Security Video Training is Active Today!

The Complete Privacy & Security Podcast-Episode 011

Posted on December 27th, 2016

Episode 011: Nine New Lives with Sudo CEO Steve Shillingford

This week’s episode of The Complete Privacy & Security Podcast is now available. In this episode, we sit down with Steve Shillingford, the CEO and founder of the privacy app Sudo.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


SHOW NOTES:

SudoApp
https://sudoapp.com/


OSINT SEGMENT:

Many Contacts
https://www.manycontacts.com/


The Complete Privacy and Security Desk Reference

Michael’s Website

Justin’s Website


Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under Podcast, Privacy | Comments Off on The Complete Privacy & Security Podcast-Episode 011

Internet Search Resource: Searx

Posted on December 26th, 2016

Meta Search Engines are nothing new, and there are several options that exist. These sites combine search results from multiple engines into one view, removing duplicates. The open-source project Searx allows anyone to take the code and create a personal search engine. Alternatively, you can use any of the pre-built engines such as the following.

https://searx.me/
https://searx.ch/
https://www.opengo.nl/

Each will conduct a standard search across Google, Bing, and Yahoo. The results are quickly combined and most include a direct link to the Wayback Machine’s archive of each. However, my favorite piece of this tool is the “Download Results” option. These allow you to download your search results as a CSV, JSON, or RSS file. This can be beneficial when conducting numerous searches for later review. I have recently included this option in my Search Engines page on the IntelTechniques Search Tool.

 

Filed under OSINT, Search | Comments Off on Internet Search Resource: Searx

Internet Search Resource: Forensically

Posted on December 21st, 2016

Forensically is a robust image analyzer that offers a huge collection of photo forensic tools that can be applied to any uploaded image. This type of analysis can be vital when image manipulation is suspected. Previous tools have offered one or two of the services that Forensically offers, but this new option is an all-in-one solution for image analysis. Loading the page will present a demo image, which is used for this explanation. Clicking the “Open File” link on the upper left will allow upload of an image into your browser for analysis. Images are NOT uploaded to the server of this tool; they are only brought into your browser locally. The following image is the standard view of a digital photo.


The Magnifier allows you to see small hidden details in an image. It does this by magnifying the size of the pixels and the contrast within the window. There are three different enhancements available at the moment: Histogram Equalization, Auto Contrast and Auto Contrast by Channel. Auto Contrast mostly keeps the colors intact; the others can cause color shifts. Histogram Equalization is the most robust option. You can also set this to none.

The Clone Detector highlights copied regions within an image. These can be a good indicator that a picture has been manipulated. Minimal Similarity determines how similar the cloned pixels need to be to the original. Minimal Detail sets a detail threshold: blocks with less detail than this are not considered when searching for clones. Minimal Cluster Size determines how many clones of a similar region need to be found in order for them to show up as results. Blocksize determines how big the blocks used for the clone detection are. You generally don’t want to touch this. Maximal Image Size is the maximal width or height of the image used to perform the clone search. Bigger images take longer to analyze. Show Quantized Image shows the image after it has been compressed. This can be useful to tweak Minimal Similarity and Minimal Detail. Blocks that have been rejected because they do not have enough detail show up as black. Below is a result.
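The knobs described above map onto a simple block-matching algorithm. The following is an added example written for this post, not Forensically’s own code: it slides a window over a grayscale image, rejects windows with too little detail (Minimal Detail), quantizes each window to a few grey levels (the “quantized image” step, standing in for Minimal Similarity), and reports groups of windows whose quantized content is identical (Minimal Cluster Size). The image is a constructed 16×16 array of seeded noise with a flat square and one region copied elsewhere; the function names and defaults are my own.

```python
import random

# Added example, not Forensically's own code: block-matching clone detection.

def block_detail(img, y, x, block):
    """Value range inside the window; flat areas (sky, walls) have little detail."""
    vals = [img[y + i][x + j] for i in range(block) for j in range(block)]
    return max(vals) - min(vals)

def quantize_block(img, y, x, block, levels):
    """Window content reduced to `levels` grey levels, so near-identical copies
    (a JPEG re-save shifts values slightly) still map to the same key."""
    step = 256 // levels
    return tuple(img[y + i][x + j] // step for i in range(block) for j in range(block))

def find_clone_groups(img, block=4, levels=8, min_detail=8, min_cluster=2):
    """Group every block x block window by its quantized content.
    Returns lists of (row, col) positions that share content, largest groups first."""
    h, w = len(img), len(img[0])
    groups = {}
    for y in range(h - block + 1):
        for x in range(w - block + 1):
            if block_detail(img, y, x, block) < min_detail:
                continue                      # Minimal Detail: reject flat windows
            key = quantize_block(img, y, x, block, levels)
            groups.setdefault(key, []).append((y, x))
    hits = [sorted(pos) for pos in groups.values() if len(pos) >= min_cluster]
    return sorted(hits, key=lambda g: (-len(g), g))

def build_sample(seed=3, side=16):
    """Constructed 'photo': seeded noise, a flat 6x6 square, and one 4x4 region
    copied to a second location (the forged clone)."""
    rng = random.Random(seed)
    img = [[rng.randrange(256) for _ in range(side)] for _ in range(side)]
    for y in range(10, 16):                   # flat square: rows 10..15, cols 0..5
        for x in range(0, 6):
            img[y][x] = 128
    patch = [row[2:6] for row in img[2:6]]    # source window at (2, 2)
    for i in range(4):
        img[10 + i][10:14] = patch[i]         # pasted at (10, 10)
    return img

if __name__ == "__main__":
    for group in find_clone_groups(build_sample()):
        print("identical windows at", group)
```

With the defaults the only reported group is the source window and its copy; every window inside the flat square is rejected before matching, which is exactly why the tool paints low-detail blocks black in the quantized view. On real photos the interesting output is a group whose positions are far apart, since overlapping neighbours of one region are expected to look alike.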


Error Level Analysis compares the original image to a recompressed version. This can make manipulated regions stand out in various ways. For example, they can be darker or brighter than similar regions which have not been manipulated. JPEG Quality should match the original quality of the image that has been photoshopped. Error Scale makes the differences between the original and the recompressed image bigger. Magnifier Enhancement offers three different enhancements: Histogram Equalization, Auto Contrast and Auto Contrast by Channel. Auto Contrast mostly keeps the colors intact; the others can cause color shifts. Histogram Equalization is the most robust option. You can also set this to none. Opacity is the opacity of the differences layer. If you lower it, you will see more of the original image. Below is the result.


Noise Analysis is basically a reverse de-noising algorithm. Rather than removing the noise, it removes the rest of the image. It uses a very simple separable median filter to isolate the noise. It can be useful for identifying manipulations to the image like airbrushing, deformations, warping and perspective-corrected cloning. It works best on high-quality images. Smaller images tend to contain too little information for this to work. Noise Amplitude makes the noise brighter. Equalize Histogram applies histogram equalization to the noise. This can reveal things, but it can also hide them. You should try both histogram equalization and scale to analyze the noise. Magnifier Enhancement offers three different enhancements: Histogram Equalization, Auto Contrast and Auto Contrast by Channel. Auto Contrast mostly keeps the colors intact; the others can cause color shifts. Histogram Equalization is the most robust option. You can also set this to none. Opacity is the opacity of the noise layer. If you lower it, you will see more of the original image. The result is below.


Level Sweep allows you to quickly sweep through the histogram of an image. It magnifies the contrast of certain brightness levels. To use this tool, simply move your mouse over the image and scroll with your mouse wheel. Look for interesting discontinuities in the image. Sweep is the position in the histogram to be inspected. You can quickly change this parameter by using the mouse wheel while hovering over the image; this allows you to sweep through the histogram. Width is the number of values (or width of the slice of the histogram) to be inspected. The default should be fine. Opacity is the opacity of the sweep layer. If you lower it, you will see more of the original image. The result is below.


Luminance Gradient analyses the changes in brightness along the x and y axes of the image. Its obvious use is to look at how different parts of the image are illuminated in order to find anomalies. Parts of the image which are at a similar angle (to the light source) and under similar illumination should have a similar color. Another use is to check edges. Similar edges should have similar gradients. If the gradients at one edge are significantly sharper than the rest, it’s a sign that the image could have been copy-pasted. It also reveals noise and compression artifacts quite well.


PCA performs principal component analysis on the image. This provides a different angle from which to view the image data, which makes discovering certain manipulations and details easier. This tool is currently single-threaded and quite slow when running on big images. Choose a Mode: projection of the value in the image onto the principal component; difference between the input and the closest point on the selected principal component; distance between the input and the closest point on the selected principal component; or the closest point on the selected principal component. There are three different enhancements available: Histogram Equalization, Auto Contrast and Auto Contrast by Channel. Auto Contrast mostly keeps the colors intact; the others can cause color shifts. Histogram Equalization is the most robust option. You can also set this to none. Opacity is the opacity of the result layer. If you lower it, you will see more of the original image. Below is the result.


MetaData displays the hidden EXIF metadata in the image, if there is any. Below is the result.


Geo Tags shows the GPS location where the image was taken, if it is stored in the image. Below is the result.


Thumbnail Analysis shows the hidden preview image inside of the original image if there is one. The preview can reveal details of the original image or the camera it was taken with. Below is the result.
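The MetaData, Geo Tags and Thumbnail Analysis views all read the same structure: an APP1 segment carrying EXIF data laid out as TIFF image file directories, where IFD1 describes the embedded preview. As an added example (not Forensically’s code), the following stand-alone parser walks the JPEG marker segments, follows IFD0 to IFD1 and pulls out the preview bytes via the JPEGInterchangeFormat (0x0201) and JPEGInterchangeFormatLength (0x0202) tags. Since no real photo can ship inline, `build_sample_jpeg` constructs a minimal JPEG whose “thumbnail” is just an SOI/EOI pair; that sample, and the helper names, are assumptions for the demo.

```python
import struct

# Added example, not Forensically's own code: locate the EXIF preview image.

def iter_segments(data):
    """Yield (marker, payload) for each JPEG segment after the SOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break                                   # corrupt stream: stop rather than guess
        marker = data[pos + 1]
        if marker == 0xD9:                          # EOI: end of image
            yield marker, b""
            break
        if marker == 0xDA:                          # SOS: entropy-coded data runs to EOI
            yield marker, data[pos + 2:]
            break
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def read_ifd(tiff, offset, endian):
    """Return ({tag: value}, next_ifd_offset) for SHORT/LONG entries with count 1,
    whose value is stored inline in the 4-byte value field."""
    count = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    tags = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        if n == 1 and typ == 3:                     # SHORT
            tags[tag] = struct.unpack(endian + "H", tiff[entry + 8:entry + 10])[0]
        elif n == 1 and typ == 4:                   # LONG
            tags[tag] = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
    link = offset + 2 + 12 * count
    return tags, struct.unpack(endian + "I", tiff[link:link + 4])[0]

def extract_exif_thumbnail(data):
    """Bytes of the IFD1 preview image, or None when the JPEG carries none."""
    for marker, payload in iter_segments(data):
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]                          # TIFF header: byte order, 0x2A, IFD0 offset
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        _, ifd1 = read_ifd(tiff, ifd0, endian)
        if ifd1 == 0:
            return None
        tags, _ = read_ifd(tiff, ifd1, endian)
        off, length = tags.get(0x0201), tags.get(0x0202)
        if off is None or length is None or off + length > len(tiff):
            return None                             # no preview, or offsets outside the segment
        return tiff[off:off + length]
    return None

THUMB = b"\xff\xd8\xff\xd9"   # constructed stand-in for a preview JPEG (SOI + EOI only)

def build_sample_jpeg(thumb=THUMB):
    """Constructed JPEG: SOI, one APP1/Exif segment (IFD0, IFD1, thumbnail), EOI."""
    ifd0 = (struct.pack(">H", 1)
            + struct.pack(">HHI", 0x0110, 2, 4) + b"test"   # Model = "test", ASCII inline
            + struct.pack(">I", 26))                          # IFD1 follows IFD0 directly
    thumb_off = 8 + 18 + 30                                   # header + IFD0 + IFD1
    ifd1 = (struct.pack(">H", 2)
            + struct.pack(">HHII", 0x0201, 4, 1, thumb_off)   # JPEGInterchangeFormat
            + struct.pack(">HHII", 0x0202, 4, 1, len(thumb))  # JPEGInterchangeFormatLength
            + struct.pack(">I", 0))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + ifd1 + thumb
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"

if __name__ == "__main__":
    preview = extract_exif_thumbnail(build_sample_jpeg())
    print("embedded preview:", preview.hex() if preview else "none")
```

Forensically’s thumbnail view is valuable precisely because many editors re-encode the main image but leave IFD1 untouched, so the preview can still show the scene before the edit; the same parser, given a real file, is also where the GPS IFD pointer (tag 0x8825 in IFD0) would be followed for the Geo Tags view.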


The next time you identify a digital image as part of your online investigation, these tools will peek behind the scenes and may display evidence of tampering.

Filed under Law Enforcement, OSINT | Comments Off on Internet Search Resource: Forensically

Internet Search Resource: Many Contacts

Posted on December 21st, 2016

Many Contacts is a web-based email search site that leverages undisclosed APIs in order to deliver social networks associated with an email address. It appears similar to services such as Full Contact, but works within a website and does not require a user account. The result includes direct interactive links to each social network profile. This will usually include Facebook, Twitter and other networks.


Filed under Facebook, OSINT, Twitter | Comments Off on Internet Search Resource: Many Contacts

The Complete Privacy & Security Podcast-Episode 010

Posted on December 20th, 2016

Episode 010: Your Questions – Part One

This week’s episode of The Complete Privacy & Security Podcast is now available. In this episode, we tackle the questions that you have recently sent in.

Listen now at https://privacy-training.com/podcast.html

Subscribe at:

RSS
iTunes
Google
Stitcher


Show Notes:

Disconnect: https://addons.mozilla.org/en-US/firefox/addon/disconnect/

Self Destructing Cookies: https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/

HTTPS Everywhere: https://www.eff.org/https-everywhere

No Script: https://addons.mozilla.org/en-US/firefox/addon/noscript/

Fastmail: https://fastmail.com

Protonmail: https://protonmail.com

Faraday Bags:

Edec

https://www.edecdf.com/

https://www.edecdf.com/product-category/faraday-bags/

Disklabs

http://www.disklabs.com/faraday-bags/

Banktivity: https://www.iggsoftware.com/blog/2016/01/banktivity-is-the-new-ibank/

Turtl: https://turtlapp.com/

Note: Justin mentioned that Turtl shares only text notes. This was in error; Turtl can be used to share files.

Yubikey: https://www.yubico.com/start/

SnowHaze: https://www.snowhaze.com/en/


OSINT Segment

ScreenShots: https://www.screenshots.com/


The Complete Privacy and Security Desk Reference

Michael’s Website

Justin’s Website


Please submit your listener questions to us at https://privacy-training.com/podcast.html



Filed under OSINT, Podcast, Privacy, Security | Comments Off on The Complete Privacy & Security Podcast-Episode 010

How to Completely Leave Evernote

Posted on December 19th, 2016

I have been watching the drama unfold for Evernote. This extremely popular note-taking application is used by millions of people to organize their lives and thoughts. I used Evernote for many years. I had the app installed on all of my computers and devices. My notes synced perfectly everywhere, and I could add text from anywhere and know my thoughts would be available to me later. I planned several books with full outlines on Evernote. For a while, my travel itineraries were stored on Evernote. It was convenient and reliable. I no longer use Evernote.

Earlier in 2016, Evernote announced some changes that would impact many users. First, they limited the number of devices that a free user could connect to an account. This decision limited my access to only my laptop and one mobile device. This was fair. I was not paying them, and they had the right to encourage users to purchase their services. This is when I started relying much less on Evernote, and began seeking other solutions. I tried SimpleNote for a while, but it just did not replace Evernote completely. I still desired some of the more robust features. This month, Evernote announced that employees would start reading users’ content, and there was no way to opt out. The change was proposed as a push towards machine learning to “help you get the most out of your Evernote experience.” It allowed Evernote employees to read through users’ notes in order to ensure that the machine learning technology was working as promised. Users could opt out of machine learning, but there was no way to get out of having notes made available for potentially being read by staff. This seemed very invasive.

The public responded harshly, and Evernote retracted. Evernote CEO Chris O’Neill stated “After receiving a lot of customer feedback expressing concerns about our upcoming Privacy Policy changes over the past few days, Evernote is reaffirming its commitment to keep privacy at the center of what we do. As a result, we will not implement the previously announced Privacy Policy changes that were scheduled to go into effect January 23, 2017.” So, all is good, right? I don’t think so.

I believe that this type of activity will be repeated. Evernote is not upset that they tried to compromise your privacy, they are upset that they were caught. If the public had not noticed this change in the privacy policy, they would not have voluntarily backed down. Further, any content that you store in Evernote is still not secure. It is not encrypted internally, and employees can still access your data. I have seen law enforcement personnel document criminal case activity in Evernote. I also know people that store other sensitive data within the application. This is not appropriate. In today’s climate of data breaches occurring daily, you should not store your life or work in any cloud-based environment without encryption. The following is what I did.

First, I wanted to collect my data from Evernote and populate it into another system. Temporarily, I copied and pasted every note into the default Mac Notes on my laptop. This took some time, but it was nice having my data in a local app that did not connect to the cloud (I do not use iCloud). I then used Evernote’s export option to have the entire notes content in one file that I could always import back into Evernote if desperate.

Next, I wanted to erase all of my content from Evernote. I deleted each note from within the application on my laptop, allowed it to sync, and confirmed that the data was gone from my mobile device. I then properly uninstalled both applications. After, I logged into the Evernote account through a web browser and confirmed my data was gone. Surprisingly, I saw that the content was still present in the “Trash”. We know that services such as email do not permanently delete your content when you click the trash icon, and that you must also remove the data from the trash folder. This applies to Evernote as well. Shockingly, I observed hundreds of deleted notes and revisions dating back to 2010. This content was visible to any Evernote employee that chose to look. I emptied the trash, and clicked on the accounts options. In small text at the bottom of this page is a link to “Deactivate Account”. I pressed this and confirmed my actions. I was notified that I was now logged out of my account, and that it was deactivated. Enough? No.

Evernote still has your account on file. It is still associated with (and searchable by) your email address or user name. There is no online option to completely remove your account. To do this, you must submit a support ticket from the main support page. I chose the drop-down options of “Account”, and then “Deactivated Account”. I submitted the following message:


Hello. I have deactivated my account, and I would like to permanently delete it. I have already emptied the content. Please advise when this is complete.


Within 24 hours, I received the following message:

Thank you for contacting Evernote Support.

We take your privacy seriously. That’s why, when submitting a ticket as a guest, we need to verify who we’re communicating with. Before we can share any potentially private information concerning your Evernote account, please reply to this message to verify that you have access to the email address on file. If you didn’t submit a ticket with Evernote Support, please let us know. If you don’t reply, this ticket will be closed automatically.


I replied to the email confirming my access to the email address on file. Within 12 hours, I received the following message from Evernote:

Hello there, thank you for contacting Evernote Support. My name is Haas and I will be happy to help you sort through this issue.

I’ve verified your account has been deactivated, however, we need to clarify you have removed your account data as we do not provide anyone on our Customer Support team the right to delete your content.

After removing your account data, please reply to this email from the email address on file with the account requesting that we remove your username, name, and email address from our system. If the account has been reactivated in order to delete the content, please ensure the account is deactivated prior to sending the confirmation.


I immediately responded with:

Yes, I have removed my account data. Please remove my username, name, and email address from your system.


Within 24 hours, I received the following from Evernote:

Thank you for sending the confirmation. Your Evernote account linked to the email address REDACTED is now closed and your credentials have been removed.


I still have a need for a note-capturing system that syncs to other devices. There are many popular alternatives to Evernote, but none of them encrypt the content that you store on their servers. The only free solution that I found was Turtl. This open-source Evernote-like application encrypts your content end-to-end. This means that no one, not even employees of Turtl, can see your content. It is only visible on your devices when you supply the decryption password. Currently, Justin Carroll and I use it for our weekly podcast notes. I can share notes with others, and they can modify them in real time. My only concern is that Turtl is new to the game, and people are flocking to it. This will cause expenses to rise, and I worry about the longevity of the service. They advertise an upcoming premium business plan, which will hopefully remedy any concerns. It is not without bugs. I have had the app crash on me a few times, but data loss was minimal. The flow of creating and accessing notes takes a bit of time to adjust to. There is also no way of sorting alphabetically within a “board”, which is similar to a “notebook”. I still recommend it highly. I keep everything sensitive in it, such as my travel details and upcoming book notes. If you use it, please consider a donation to them.

I hope that you consider encrypting anything that you store in the cloud.

Filed under Privacy | Comments Off on How to Completely Leave Evernote

Create Nine New Lives with Sudo

Posted on December 17th, 2016

A few weeks ago, one of my forum users posted about the privacy app Sudo. I had never heard of it, and he swore that it was an amazing new product. It appeared too good to be true. Sudo is a free app that gives you up to nine aliases (or Sudos), each with its own email address, username, and phone number. The phone numbers support incoming and outgoing calls and SMS messages. Further, it provides credit card masking for private purchases. It turns out that this app (limited to iOS only) is outstanding. I wanted to know more about the business model, privacy policies, and security practices of the company and app, so Justin Carroll and I interviewed Steve Shillingford (CEO of Sudo parent company Anonyome Labs) for our podcast, which will be released on December 27, 2016. Until then, here is a quick review of the app. A much more detailed explanation will be created for my online Privacy Video Training (January 2017).

Installing the app is automated from the App Store. Creating a new Sudo is painless. Supply any name and create an email address based on the name. Select an area code and be issued a phone number that is attached to the Sudo. Further customization such as photos and colors are also allowed. You can now make calls from this number within the app. Incoming calls will ring through the app if you enable notifications.


You can now create up to nine Sudos. The lower left image displays the view within the app. Notice the message notifications and icons to access the chat, phone, and email of each Sudo. Communications are encrypted end-to-end. Sudo does not know who you are. The lower right image displays an outgoing call and the Sudo that is making the call. This is very helpful to remind users of the identity being used. This also appears on incoming calls to remind you of how to answer.


Finally, SudoPay can be used to make more private purchases. Similar to Blur, add a real credit card as the confirmed payment within Sudo, and SudoPay will create masked card numbers that you can use for purchases associated with any name desired. There are fees associated with each purchase based on the dollar amount of the balance. The image below left displays a card number ready for use, while the below right displays a SudoPay card associated with a Sudo. This allows you to tie one private card number to a specific name under Sudo to isolate purchases to one alias.


There are many possible scenarios for using Sudo. Uber, dating, and online shopping are only the obvious scenarios. I will be expanding much more on this app in the future. Android and Desktop use is in the works, but only iOS for now.

Filed under Podcast, Privacy, Security | Comments Off on Create Nine New Lives with Sudo

ProtonMail adds Two-Factor and Single-Login

Posted on December 17th, 2016

Like many readers, I have migrated the majority of my personal email over to ProtonMail, a free email service with end-to-end encryption. No one besides you, including employees of ProtonMail, can see or give out your content. When potential privacy consultation clients first contact me, I insist that we only communicate through secure channels, such as ProtonMail.

ProtonMail two-factor is extremely easy to set up, and requires one of the following software tokens: Authy, Google Authenticator, FreeOTP, or Toopher (I prefer Authy). ProtonMail also offers backup codes for emergency use. When you set up two-factor authentication, 16 backup codes are created. These are eight characters long and alphanumeric (rather than simple numeric codes). With backup codes you know that loss or destruction of a phone won’t result in a total loss of an email account.

Another interesting feature offered in ProtonMail v3.6 is the ability to use a single password to log in and access your mailbox. I only recommend this option if you have implemented two-factor authentication on your account. Previously, an account password AND a decryption password were required at login.

If you do not use ProtonMail, please create a free account and consider using it for anything sensitive. If you already have an account, please implement two-factor authentication (Instructions HERE). Finally, Andy Yen, the CEO of ProtonMail, will be on our podcast in January for an interview.


Filed under Privacy, Security | Comments Off on ProtonMail adds Two-Factor and Single-Login
