1/ Use Tor, use Signal -- unless your life depends upon them. https://twitter.com/TinkerSec/status/1267158243866001409
2/ If your life depends upon the security of your communications, then there is no substitute for learning how these things work. Experts might also use Tor and Signal -- but not in the ways naive users would that would expose their privacy. Experts might use something else.
3/ If you wait until your life depends upon it (such as you've suddenly decided to take up arms against the government), then it's probably too late. The government will already have access to all the communications records up to that point.
4/ It's like Reality Winner's Google search history: when she decided to cross the line, she had already left a trail up to that line.
5/ Thus, you should be using privacy protecting technologies now, such as the Brave browser (when not using Tor), Signal/WhatsApp/iMessage for routine communications, and so on.
6/ Signal (and some others) use end-to-end encryption, meaning it's impossible for anybody in between to eavesdrop on your messages/call -- not even Signal itself.
7/ But this does not protect the ends. If you've been tricked into installing malware on your phone, the malware is on the "end" and thus can eavesdrop on anything that end does.
8/ Nor does it protect metadata. Eavesdroppers can't know the contents of a phone call, but will know that you are using Signal, and will often know who it is you are calling.
9/ Much of the controversy of NSA spying and FBI gathering phone records is based on interception of this metadata, rather than intercepting the contents.
10/ If you don't fully understand the endpoint protection and metadata problems (much better than I've described them here), then using Signal will give you a false sense of security that isn't warranted.
11/ Your phone is a GPS tracker. Your phone keeps a log of its own location to an accuracy of a few feet. The nearby cell towers keep records of your location with varying accuracy which can often be less than 20 feet, but is usually more like 500 feet.
12/ Your phone updates its log every few minutes, so if they get your phone from you and run forensics, they can draw a map of where you've been. Cell tower records update much less frequently.
13/ I have no idea about Stingray IMSI catchers. I doubt they are used because they tend to disrupt communications. They can easily be detected at mass protests, and the fact they aren't also leads me to believe police don't use them.
14/ (If I weren't afraid of the violence, I'd be downtown right now running Android tools to catch this.)
15/ The last several tweets are intended to show you that when you run Signal on a mobile phone for communications, the mobile phone can give you away.
16/ You can get cheap "burner" Android phones for $50. It helps a lot; the police have limited resources to go after you. It's not perfect -- if they REALLY want to get you, they'll go pull security cam feeds from mobile phone stores to get your identity.
17/ In other words, burner phones help your security a lot unless your life depends upon them.
18/ According to current court cases, the police can force you to put your finger/face on the sensor to unlock the phone, but they can't force you to divulge a passcode. However, constantly typing in a passcode every time risks people being able to see it. Tradeoffs.
19/ I asked the last time I bought one. The store said "three months". I'm sure it's hit-or-miss -- they aren't trying to track burner phones but instead keep away the riff-raff. https://twitter.com/VessOnSecurity/status/1267168782738432000
You can follow @ErrataRob.