April 12, 2024

Global surveillance, VPNs, and Tor w/ Smuggler



Published June 11, 2023, 7:20 a.m. by Jerald Waisoki


Wondering how global surveillance could realistically work, or how VPNs can play a role in your privacy? This episode, we're sitting down with Smuggler to chat about global surveillance, a realistic look at VPNs (and Tor!), and his journey as a cypherpunk.

More about Smuggler:

Smuggler's guest profile -- https://www.optoutpod.com/guests/smuggler/

Cypherpunk Bitstream Podcast -- https://taz0.org/bitstream/

Smuggler's blog -- https://opaque.link/

Smuggler's paper on global surveillance -- https://opaque.link/post/2011-06-16-global-spying/

Smuggler's recommended tools to Opt Out:

Cash

Glasses and mask for physical privacy

Face-to-face meetings

Shipping containers as a Faraday cage

Voice masking technology

This week's project to help you Opt Out - Whoogle:

GitHub -- https://github.com/benbusby/whoogle-search

My instance: https://search.sethforprivacy.com

My instance on Tor: http://nuifgsnbb2mcyza74o7illtqmuaqbwu4flam3cdmsrnudwcmkqur37qd.onion

Setting it as your primary search instance -- https://github.com/benbusby/whoogle-search#set-whoogle-as-your-primary-search-engine

Opt Out's Sponsors:

Cake Wallet, an easy to use Monero mobile wallet -- https://optoutpod.com/sponsors/#cake-wallet

LocalMonero, an excellent and privacy-preserving way to buy and sell Monero -- https://optoutpod.com/sponsors/#localmonero

IVPN, an ethical, no-nonsense, non-logging VPN provider -- https://optoutpod.com/sponsors/#ivpn

Supporting Opt Out:

Donations -- https://optoutpod.com/about/#donations

Leave a review on your favorite podcast platform, if possible!

Share it with your friends, family, and other communities!

Timestamps:

1:06 Smuggler introduces himself

3:21 What was it that woke you up to the need for personal privacy?

5:39 What about privacy makes it such an important topic for you today?

12:42 What is a common myth about personal privacy you've run into?

35:41 How do you motivate or prompt people to get past that myth?

43:04 What's something that you feel like almost no one agrees with you on?

45:06 What prompted your paper on global surveillance, and what is it focused on?

51:40 A shout out to Opt Out's sponsors

54:04 What is a realistic look at the effectiveness of Tor as a tool for privacy?

1:13:46 Who should (and shouldn't!) use a VPN, and what a VPN's main purpose should be?

1:21:46 Once someone decides that they do want to start using a VPN, what criteria do you recommend or consider in selecting a VPN provider?

1:33:44 Where does the name "The Real Smuggler" come from?

1:34:52 Why are you a cypherpunk and cyberpunk, and what are both?

1:44:10 Would you mind sharing a bit about your podcast, Cypherpunk Bitstream?

1:45:43 What are some of the tools you use regularly to opt out that you’d recommend others take a look at? Why?

1:47:33 What advice would you give to someone who is just starting to realize the need for personal privacy?

1:51:53 Thanks and where listeners can find/communicate with Smuggler

1:53:09 This week's project to help you Opt Out - Whoogle




[Music]

hello i'm seth simmons and welcome to

season 1 episode 11 of opt out

opt out's a show where i sit down with

passionate people to learn why privacy

matters to them the tools and techniques

they found and leveraged and where we

encourage and inspire others towards

personal privacy and data sovereignty

wondering how global surveillance could

realistically work or how vpns can play

a role in your privacy

this episode we're sitting down with

smuggler to chat about global

surveillance a realistic look of vpns

and tor

and his journey as a cypherpunk welcome

on opt out smuggler

thank you for having me

yeah i've followed your work for a good

while um have listened to a bit of the

the podcast that you have with frank

braun and uh just kind of seen both of

your journeys and your your insight into

being a cypherpunk and

cyberpunk cryptoanarchy um your

dedication of privacy and i'm just

really excited to to have you on to to

chat with me today i think it's going to

be really helpful for me and then

hopefully get a good listen for my

listeners um

but for those listeners who aren't

familiar with you would you mind

introducing yourself

sure um

my name is smuggler which is

probably not the name that my parents

gave me

i also go by the name jonathan logan

which is also not the name that my

parents gave me

i've been active in the

cypherpunk crypto anarchy scenes since

the 90s

late 93 exactly i think i joined

uh i don't know 90 somewhere between 95

and 98 i joined um it's a long time ago

so my memory is a little flaky there

um and i've worked on

a number of things in that context

i've done a lot of

what they call deviant i.t by now um

back in the day we called it black i.t

which is all the it projects that don't

show up on any budget

i ran a distributed data haven

until 9 11 happened

i've run a couple of

remailers

vpn services

um offshore mail services offshore

storage

and several payment systems

and so on so it's a long list of

uh medium successful projects that i

accumulated over the last 25 years

um and

from time to time i also commit the

mistake of writing about what i think so

um

i wrote a couple of small two thesis um

in the context of

um privacy crypto anarchy

um

post-libertarian thought and stuff like

that so

and right now i'm

working at a company

and being their chief security and

infrastructure engineer so

that's my background

awesome a lot a lot there and i'm

excited to chat about one of those

papers you've written the the one from

2011 about global spying is something

we'll we'll get into later but i i first

want to kind of dive into a bit more

about your your personal journey towards

privacy um and i'm curious what was it

that woke you up to the need for

personal privacy

yeah there's one of those biographical

questions that i think most people

answer with some well thought out

narrative

i've thought about that

and i honestly don't have an idea so

i have a sense of where it comes from in

the sense that

it had to do with my family upbringing

so there was a

come from a relatively conservative

family

and for them

privacy in certain matters was very

important so

specifically towards people that were

not part of family

so family secrets and family privacy was

a big thing

while

internally there was no privacy at all

so

i

i think i wouldn't

lock my door as a teenager ever so

because it didn't even have a lock so

um

so it's i think it's it's partially from

that context it's a

very

very experienced a high

value of privacy in a social sense

but also this conflict of lack of

privacy in a in a personal sense

and i think that has contributed a lot

to my thinking

yeah it's been interesting to hear the

different

answers that people have had throughout

the previous 10 episodes of opt out i've

asked that same question for everyone

and i think everyone but one has had

kind of a wake-up story of something

that woke them up um but you're not

alone in having it where it just was

kind of a part of the the culture of

your upbringing and it

it was just native because of the things

you're exposed to whether they were

cultural or like you familial i think

it's it's interesting to think about the

impact that family life can have on our

view towards privacy and it's something

that dramatically yeah dramatically yeah

i mean it's like with many other topics

you know we

in the end we become more of more like

our parents than we ever wanted to

become so

it's very true definitely definitely

lean that way

um and you talked a good bit already

about the the different privacy focus

projects you've been a part of but what

is it about privacy that makes it such

an important topic for you today

so

i by now i have a slightly more

reflected

view on that and it's both um

philosophical

spiritual and political um

say from a from a philosophical

spiritual standpoint it's

in a world where nearly everything can

be measured and everything can be known

it's the secrets that you can control

that make you distinctly an individual

that set you apart

uh from being some somebody else you

know like

if everything about you is known then

you can be basically replaced you know

by your digital shadow um or somebody

mimicking you or whatever but it's the

it's the things in our heads and it's

the

silent conversations we have with our

best friends that um

really make us true individuals it's the

things that cannot be known

it's the things that cannot be

mimicked it's the things that cannot be

um

falsified in a way

and in that sense

i think that privacy is a tremendously

important aspect of

in individuation so not

individualization but individuation

uh becoming an individual becoming a

human has a lot to do with those

distinct things that we know the

distinct things that we think

the motives why we act

those those are the things that really

make us unique

and that also make us really valuable

in the world

because it's

all those very private things

that

create color

in the world

and

that really makes us um

pretty valuable

because we become unreplaceable in a

sense

so that is the philosophical spiritual

view on it and then there's a political

view and the political political view

is

that

in the modern world

knowledge

and the ability to modify the the

perception environment of people are

probably the the core

tools of political control

and

i

consider the

the advances in those fields to be truly

frightening

and essentially uncontrollable um

politically

at best you can control them with

personal behavior

and maybe to some degree with technology

but we're quickly

moving into

something that could be called the wet

dreams of bernays

so where

media

government corporations etc are able to

shape our perception

but shape it in the response

to what they already know about us

and hence that perception shaping

becomes almost perfect

um to

guide us

towards what they want

and as a little anarchist at heart

i find that

dramatically disgusting let's call it

that way yeah it's up you know is

it allowed to say okay it's

up

it's up and i don't want to be

part of that that's it

yeah yeah i uh

it's definitely something that i've

started to feel like more and more is

not something that we can change through

political action um it's definitely

something that i would hope that that

would be possible but privacy seems to

be an issue that is

maybe even past the point of no return

when it comes to political action at

least in most countries that there may

be exceptions out there but

um

and there was a was there a third point

that made it

well

the philosophical and spiritual points

are mixed together

okay

i wanted to make sure we covered all

those yeah those are these are really

really interesting and i like the the

philosophical and spiritual one that you

brought up i think is a very good

companion to that idea that privacy is

the ability to reveal yourself

selectively to the world um i think that

goes really hand in hand but you

mentioned that the things that you can

choose to keep secret or the things that

are

yeah the things you choose to keep

secret are the things that are unique to

you and irreplaceable and um

yeah very much not necessarily give you

value as a person because i feel like we

i think we do have innate value but

they're the things that make you unique

and and uh irreplaceable i think that's

a that's a fascinating angle that goes

hand in hand with that idea of privacy

yeah it would i would

probably make it to even a stronger

point so you say that we have innate

value as a person

in theory i agree to that

in practice it

is something that needs to be expressed

to be true

and if you

treat

the unique and

secret and

let's use a bad word here sacred things

about you um and you but just throw them

out in the world

and you're kind of demonstrating that

that your value might just be very

theoretical

nearly showing that you don't value

yourself enough to to keep those things

to keep those things private or at least

to share those things only with people

who you trust and love and are close to

you

exactly and the other thing you do but

uh is also you you demonstrate towards

other people

that you value them

so if if i tell you a secret if i share

with you

um

it elevates you it's a demonstration of

your elevated

value to me yeah if i don't share that

secret with everybody else on the planet

you know so it's a it's actually a way

to

to show and to demonstrate closeness

and

if you have nothing

private to share anymore

then

how do people actually know what they

mean to you

yeah yeah it's definitely true i mean

without without privacy there's no

ability to have intimacy or close

relationships because there can be

nothing unique about that relationship

if everything is known by by everyone

else there's a fascinating angle i

hadn't really thought about before

um

yeah i don't even know how to properly

segue from that on to the remaining

questions that one that one kind of hit

hard there

um

you could take a break if you want to

sit on that one for a while

uh we'll just we'll jump right into the

next one then maybe we'll come back to

that that later on as i think through it

a little bit more but

what's the common myth that you've run

into with with personal privacy

well that is one of those things i have

been discussing with a friend today um

because i really stumbled over

um you sending me the preparation for

this this call

and where where you asked this question

or said okay i will ask this question

and um i was thinking like that that is

a question that would have been easy to

answer a couple of years ago

um but that has become really hard to

answer for me today and i'll explain so

a common myth

there there are a lot of common myths

about privacy um there's this common

myth um

if you have nothing to fear you have

nothing to hide you know um

or

um

that

price privacy has become valueless in a

civilized society

um

or that this is impossible to maintain

privacy so those are like common things

that that you hear you know

or things like you know nobody is

interested in me you know so i don't

have to protect my privacy um which i

find a traumatically um

sad statement very very intimate

but so those are like standard tropes

you hear

um

but i think that

for a long time i have assumed that

those

standard words mean something you know

when somebody says that to you that they

actually mean it

and by now i'm not sure about that

anymore i think that

a lot of that is just repetition without

content um

and more like a

a justification

like a social justification not a

rational justification

so

um

i think that the the common obstacle

so i will rephrase it the common

obstacle is

that

we

live in a culture most of us live in a

culture like for the west that is true i

really hope that there are other

listeners than just americans and

europeans um

that for for the west it is true that

privacy has

become

something that is not a cultural value

anymore yeah absolutely

and it is something

it has been overcome

by


an all compulsion for sharing and

transparency

and

your

your thoughts about

what to share how to share it

what to demand from others what they

share

has become

an important

aspect of the

intercultural status games that are

going on

and

i have to admit that i don't fully

understand that because

i find those aspects of of culture um

disgusting to a certain degree or at

least um


at least i don't have a real emotional

access to them so i can't really

reply to that anymore

um because

it's just alien it's an it's an alien

cultural cult to me

and i think that

cross-cultural communication is

dramatically

more

difficult than

in within a culture

and

i think that so far

we haven't really considered it to be a

cross-cultural argument

so i i don't have a really good answer

for you i'm sorry

no i think that i think that was a great

answer i mean breaking down those common

myths are not

not often closely held beliefs like you

said they're things that have been

impressed upon us

that we just repeat it's just repetition

and not something that we i don't i

don't think anyone you actually thought

deeply about

that kind of a response to the issue of

privacy

could honestly say that that's a

personal belief they've come to on their

own but i think

i think you're right that culture has

shifted away especially obviously i'm

talking about western culture i'm from

america

culture has shifted away from what was a

closely held belief and right to privacy

it was very much a part of this country

early on and even until fairly recently

but i think that the the narrative has

been so deftly shifted by

governments and more recently

corporations um

that we've we've given that up in

exchange for other things that we've

been promised most notably we've been

promised safety or we've been promised

freedom from fear

and

the thing that we've been asked to give

up is the notion that privacy is

something that we

we have a right to or privacy is

something that that is good and that is

a native good that everyone should have

yeah

i think it's actually worse than that so

um you're talking about the

the promise of of safety and security

versus privacy

um and that it's a bill of goods that

has insulted people and i think it's

it's worse than that um

i actually think that media has far more

to do that with this shift than

um

the politics itself

because there's this thing that comes up

i think in the 80s and there is this

this notion of um

50 minutes of fame

um this notion of

being a celebrity

and be you know sticking out from the

masses

and

you suddenly get this thing i mean it

started in the 60s but it accelerated

into the 80s

it's this

it's all about expressing yourself

expressing yourself expressing yourself

and

if you add another 20 years on that you

end up with instagram

and

no

politician says you have to go on

instagram because it makes you safe or

secure

you know

people go on instagram and all those

places

because for them it's a way to to

demonstrate that they are somebody

i mean of course it is curated so

there's still something like privacy in

there in the background

um because they still choose what the

publisher wants not to publish

but

the notion that you should publish

is

relatively universal

and

you kind of have to be places to exist

you know if you're not on linkedin insta

tik tok whatever you don't exist

you know and you see that and how people

um make appointments for a party or uh how

they

uh manage their

social environment you know it's all

put on those systems you know i mean

what the people put family photos

on facebook and think that is sharing

you know and having a community

so but it's it's really what we have

done as a culture it's a it's a surrogate

activity

for having actual relationships

and

the moment you're stepping out of that

and you're saying okay i'm not going to

participate

then

um your life becomes dramatically harder

so for example um ask

a normal high school girl these days if

she would date somebody who doesn't have

a social media presence the answer to

that is no of course not you know he's

probably a serial killer because

otherwise he would share you know and

there's certain truth to that you know

it's you're sticking out of the masses

if you're

you know not there

so in in a way it has become a new

social

mechanism

that is far more than just politics it's

a social mechanism that is much deeper

and it's been pushed by by media and of

course

i.t companies and all those things but

it is

it is always

people that accept those those cultures

and really implement them and they

enforce us in their peer group it's not

the government you know there's the

government is usually not running around

uh with you know guns and saying you

have to join um facebook you know they

they usually don't

not yet at least

so it is a thing that we are doing to

ourselves as a culture

and

not because of of uh political promises

and i think that is the real issue

because the political promises you can

rationally argue about

um when it comes to

those new cultural mechanisms

arguing about them

is

it's like a

hindu and a christian talking about

theology

you know it's

there's a limit to how far you can talk

before you don't understand each other

anymore

yeah

yeah i think

yeah governments are definitely not

involved in that i guess that would be

more the corporations that have been the

ones that have been incentivizing us to

to share broadly but it has become a

a tenet of our culture

we have access to publish those things

oh yeah absolutely we have accepted it

it's become core

it's something that i've seen i mean i'm

obviously relatively young and have

grown up in kind of the beginning of

social media taking over and i have no

social media presence outside of my

twitter which is not it's not a personal

uh social media account it's not

something that i'm using for like

sharing family photos and things that

i'm doing but it's something that i use

as a as a platform but i i have seen how

not being on those platforms i miss out

on things not being on linkedin

miss out on job opportunities because i

choose not to be on there there's a lot

of things that you

you almost get excommunicated from the

core of culture

because you choose not to be on social

media or if you are on social media

because you choose not to be constantly

sharing and revolving your life around

what you can share next on those

platforms um it is a it's a very

interesting thing that we have we have

chosen and not even not even because of

fear but we've chosen because of a

desire for social acceptance because

that has become a core tenet of our

culture in the west

because of that desire we've just

voluntarily given up our privacy and

made it natural to share any anything

and everything that's going on in our

lives with a

a community that is likely not a close

community i mean i i have cutting myself

off of social media i haven't lost close

relationships i've actually realized

that the relationships i actually have

in real life have gotten better because

i'm not spending time in these places

building these kind of pseudo

relationships with people that i may or

may not be close to and it's been an

interesting transition for me but i

think that more people

would realize that if they

limited and limited limited and maybe

cut off completely their time spent in

social media and revolving their life

and what they do around how they're

going to share and interact on social

media and focus on real-world

relationships and real world friendships

yeah

yeah

and and i think there's a dangerous

aspect to that and the dangerous aspect

is really

what what happens in the culture if you

don't participate like you you know or

like me i mean i have a twitter account

but it's not a personal one

um

but what happens if if you actually

value their privacy offensively what

happens is that

it causes mistrust because you're you're

in a certain way

you become

an uncalculatable outsider of society

and

there's this

insecurity that people have about you

and when i say people i mean both

specific individuals but also the mass

of people

and

we there i think politics comes into

play again

because you know politics is about the

money right

so

and one of the things we see there is

this push

there's this this triple push that is

happening around privacy

um in our culture and the one push is

uh we want transparency

so we want transparency about

um everybody that we perceive as being

um powerful or rich or

famous or whatever we want transparency

about them and we think we're entitled

to know everything about them

and if you don't um the next thing that

happens is conspiracy theories you know

why why doesn't he share that you know

why isn't he open with us does he do

something in the shadows you know so

it's it's immediately this

it's almost like an immune reaction of

society

against people that don't follow the

code

and

you can see that

dramatically in stuff like the pandora

papers and panama papers and stuff like

that

where

most of the behavior in in those papers

and i consider

publishing those papers as a violation

of personal privacy

without public interest


what you see in those papers is not a

bunch of criminals but it's a bunch of

people that have chosen to protect their

financial privacy in one way instead of

another

and

the fact that they have chosen to do

that

creates panic and creates oh we have to

know you know there must be something

behind it you know whatever the

the kindergarten friend of putin has so

many millions so it must be connected to

putin and this is where all the shadow

money is and then this politician bought

a house for whatever 20 million

that must be bribery

you know and it's

it's an obsession with transparency that

you have there that's number one

the number two is of course this

narrative

um

we have to limit privacy for security

sec

but i actually think that that narrative

becomes less and less catchy

because

so far they haven't been good in showing

that this link actually exists yeah

and on the other hand there might be a

pretty good argument for the opposite

and that is

you need privacy to have security

especially in the digital age that might

actually be

truly the case

because

data leaks and

hacked cloud accounts etc they are a

security issue because you were not

private in the first place

so

there might be a strong link actually

that supports security by having privacy

and then there's this third aspect and

the third aspect is this

that is really between the political

camps you know the left and the right

so

whoever is in power will blame the other

side for surveillance

because they're like five percent of

votes you can get by blaming the other

side for surveillance so if the if the

right is in power they will say whatever

in the u.s you know obama you know what

was it um yes we scan you know the

slogan yes we scan you know um the left

is bad because obama is the president

and he uses surveillance

so you get a few points in the next

election for that and then you turn it

around and um

the next dude is trump you know and then

oh trump now has access to all these

things that we collected this is really

bad you know we have entirety with

access to the data

um you know you shut down the nsa

because trump could abuse it you know

and then

i don't know maybe in half a year or a

year you know it will be or biden is

spying on all of us

you know from the right again so

but none of that is actually an honest

argument

you know because when they do it

themselves it's never a problem you know

it's only when the other one does it

and i think you only get to the truth

when you're not part of any of those two

camps and you realize that they're both

abusing you

and that when

power is connected with surveillance and

all these things

you get into really bad situation

so it doesn't really matter who's spying

on you

um but i don't think that the nuance of

that argument

is actually well received in society

anymore because of this cultural shift

and this cultural shift also includes

something

where

we more and more consider privacy as a

privilege not a right

so it's a

it's only given to people as long as

they're behaving nicely

but we have no problem of taking that

right away for somebody who doesn't fit

either by his behavior or criminal acts

or whatever then we take it all away

and because we want to be able to take

it away we can never fully grant it

you know if all the world would support

privacy

then

you cannot take it away from criminals

anymore you cannot take it away from the

celebrities anymore you cannot take it

away anymore to gossip about your

neighbor you know suddenly you have to

respect it even for people that you

don't like

but i think that's an issue

yeah those are these are great points

and that the last one about just blaming

the other side and everyone feeling like

the whatever

political party or group they're not a

part of they feel like that group is

always the one who's creating these

surveillance tools and using them

wrongly but don't realize that like you

mentioned both sides are just as to

blame and have both either implemented

or continued to use

the surveillance tools that we have to

fight against nowadays and it's not

something where one side is better than

the other the current people in power

are the ones

responsible for that something that i

have to bring up a good bit as people

just kind of get i think blinded by the

political views that they hold whether

those views are right or not

they get blinded by those and don't see

that there is a joint effort to destroy

our privacy that continues no matter the

political candidate and continues no

matter the political party it's

something that is constantly growing

exactly and and i think there's um a

real danger there and that is

whenever your side is in power

you also believe that you can um have

legal action to protect your privacy

and then people rely on

on legal codes

and i can just tell you as one thing as

somebody who's who's working in deviant i.t

the law only exists where it can be

enforced

and

if it's

companies if it's other organizations if

it's states if it's private parties it

doesn't matter

they only protect your privacy when they

could be caught breaking the law

otherwise they try to

to get everything they can

and

legal

protections are really weak so number

one you don't see where they're broken

necessarily that's number one number two

is they can be changed all the time

and then

data that has been collected under one

legal regime suddenly becomes available

under a different legal risk

and

that really means that when we're

talking about the legal aspect of

privacy

the only thing that we really want there

is the right to protect ourselves and to

help others to protect themselves

that's it

if you think that

some nice act can prevent cloud

providers from having

secret databases about your connections

and data whatever you're grossly

mistaken

you have to protect it yourself and you

have to protect it in cooperation with

others so it's not a really individual

thing it's

you kind of have to have a community of

people that protect privacy but um

the law ain't going to save you no

matter who's in power it doesn't matter

so the law never saves you when it comes

to privacy

it's

it's really just about

decriminalized privacy you know that's a

that's the main thing decriminalized

privacy and very good

yeah i love that that point of

i i just want the ability to

claim reclaim privacy for myself and to

help others do the same thing like

that's really the the core of it i want

to have control over what i share and

what i don't share and then i want to be

able to help others to do the same thing

and that really that that should be true

regardless but definitely not relying on

the law to enforce those things or

things like gdpr to ensure privacy

it's not gonna it's not gonna be the

end-all be-all of of privacy it's

something that we're gonna have to take

control of ourselves and take

towards ourselves

and and the law is often actually

negative so the the impact of privacy

laws

is often negative because people then

turn around and say okay we can trust

the law

and then everything will be fine

but as i said before the law doesn't

work

you know it doesn't it's it especially

doesn't work when it comes to data

because data is easy to copy to hide to

transmit to

you know all those things so

there's no policeman that is going to be

able to um go after every single copy of

your

porn collection you know so they won't

and they can't

and

because that is the case all the laws

are

they work against people that actually

respect the law

but

the problem is that we actually write

laws to catch bad people

and that simply doesn't work so if you

rely on the law here we're basically

mistaken you know it's the

it's always going to fail

yeah grants a false sense of security

for sure

yeah and uh

i we went through quite a few different

things that that people believe and

different roadblocks people run into um

but i wanted to kind of circle back to

that idea of

society voluntarily giving up their

privacy and i'm curious if you have any

approaches or ways that you try to help

show people why that's a problem and

help them to get past that roadblock and

realize the need for personal privacy

usually i do that by insulting them

um

um

[Music]

and i'm not going to repeat that just so

we can stay within the ability to

publish this recording but um

the

i have given up on a lot of these um

rational things

because um

people make decisions most of the time

emotionally and they're not making them

rationally

and

even if they sometimes have a rational

implementation

it usually washes away with emotion you

know it's this it's a typical thing um i

don't know you have that with bad

behavior in general you know you

you're smoking too much and rationally

you know that you should stop smoking

and if you stop smoking just from a

rational standpoint and nothing else you

will start again you have to have an

emotional inner drive for it as well

and

it's the same thing with privacy you

know even if you convince them on an

intellectual point once

just

wait

a few months and i'll be stripping on on

twitter so

and because of that

um

because i've seen that too often i i

kind of switched over to insulting

people and

comparing them to

to other people that are offensively

anti-privacy

and

that has an interesting effect so

there are some people that of course

completely freak out

and um that is okay because then

you show your true colors

uh and there are other people that

actually actually

[Music]

are stopped

in their thinking because they realize

that all the things they say against

privacy all the arguments that make

against it

are just

justifications for something they

pre-decided

on a false emotional image

so

is that

black rhetoric yeah i think it is but

come on you know it's

closer of time you know it's

yeah yeah i mean i the time for license

has kind of ended i think yeah it's a

it's a uh divisive approach one that can

be can be helpful and i think

i think that that point you mentioned

about needing an emotional reason or uh

something more than just a logical or um

reason-based approach to privacy is very

important and i think a lot of times the

people you see that have woken up to

privacy it was because it was very it

was something very personal

that affected them or it was something

very

aggressive that they faced it's people

who grew up in countries that

um had struggles with authoritarian

rulers and they had struggles with

privacy affecting people's actual lives

not just theoretical but actual lives or

as people who had something that was was

very important that was revealed without

their

their knowledge or revealed without

their consent and it shook them up and

showed them why privacy matters and yeah

i don't i haven't had much success

talking to people and just showing them

like these are the reasons why privacy

matters it has to be something that they

realize like oh i actually do care about

this actually i do have things that like

we talked about earlier

that are unique to me that are special

to me that if i share those with

everyone

it hurts the ability to have intimacy

with other people or have close

relationships or to maybe in the future

if your government changes or something

like that we've talked about that a lot

it could hurt you in the future with the

ability to have a livelihood to have a

job to have potential leave in your life

depending on on how serious things get

so it's it's something where people need

to have a visceral reaction in some way

um and prompting that can be can be as

simple as just telling your story your

your approach to privacy and why that

why that has woken you up or um yeah i

haven't taken your approach yet but

we'll see

it's probably because i'm an old cynic

by now so

um i'm happy that you still have nicer

approaches

i'm trying this trying to stay away from

cynicism but it does get harder and

harder i i understand

why people end up there and it's a it's

a constant a constant battle to try to

stay

hopeful but realistic i think is kind of

the approach that i take realizing where

we are but but hopeful that we can keep

pulling people in and keep uh growing

the community that that does realize the

need for privacy and are taking active

steps

yeah so for me this is actually

like the approach of of uh evangelizing

a privacy

has kind of stopped so for me it's

really about

helping people that already know that

they want it

and

also not just helping them technically

or emotionally or

rationally but also

trying to create

um

a subcultural appreciation of them you

know

and that for me has become a much more

important aspect of this whole struggle

is to

to care about the people that have

yeah you know fallen down the rabbit

hole so yeah i definitely agree i mean

that's that's why i started started

doing this podcast as i i wanted for

those people who did wake up like i know

people aren't just gonna listen to opt

out and suddenly decide they care about

privacy or at least i would doubt that

would be the norm

but i want a resource for people who do

realize that need to be able to start

figuring out the i think the

philosophical reasons we talked about

are very important

for people to realize what the

narratives are and and why

we're going against them and for people

to to realize both what the tools are

available to them and how to use them so

that's definitely i i do think that

that's the most value add it's very hard

to wake people up but if we can create

the tools create the resources create

the material that helps those who do

wake up

i think that can be a much more much

more vital approach towards that

indeed and i think it's it's really

important because if you're alone with

going against the grain opting out etc

um there can be really tough like

emotionally tough

and

just seeing that there are other people

that that care about the same thing

um

just care you know and talk about it

they might not have the except exact

same opinion but

just seeing that other people care

and seeing that there are other people

that appreciate your choice

to be more private

that is greatly empowering

yeah no kidding community is such a such

a huge huge part of

of this journey towards privacy and i

mean to life in general but

especially like you said when you're

when you're choosing to become counter

cultural as we talked about this is it's

very counter-cultural to care about

privacy to take active steps towards it

so when you're choosing that it's very

important you have people around you who

who realize that who can both help you

technically and just be a support system

for you

yep

um one of my favorite questions that i

ask every guest and i'm really curious

to hear your responses is uh what's

something that you feel like almost no

one agrees with you on

since i'm probably the most disagreeable

person i know it's

it's just

um

i'll take um

two things

um number one uh cryptocurrencies are

the solution for privacy for financial

privacy

and i disagree on that

i think that they're a bad idea

so that is number one that people

disagree with and number two is i don't

think that

low latency privacy protection is

is really useful in most cases and that

includes

holy cows like

tor for example

and i think that

a lot of privacy defenders are

dramatically naive when it comes to the

approaches of

state corporations and organizations in

between when it comes to undermining

their privacy

so i

constantly get into battles with people

that defend tor and

um

bitcoin and stuff like that so i'm very

disagreeable there

yeah i definitely i would love to get

into into both of those more i'm really

curious um especially about the first i

don't know if we'll get to that today

but may just have to chat

chat offline about that more um i think

the second point that you mentioned ties

in really well to the paper that you

wrote in 2011

um and that was pre-snowden so very

early days for talking about global

surveillance i know there have been many

people who talked about that in the past

but uh at least pre kind of the the wake

up for many people um and you wrote that

on how global surveillance can

realistically be accomplished

and i'm curious if you don't mind

breaking down kind of the core of that

what prompted you to write it and then

um

how you've seen those things play out

but also just how that explains your

what you're just talking about about uh

how like tor and those kinds of tools

aren't kind of the holy grail of privacy

yeah

so

the paper was originally a single email

that i wrote on

on an email list of people that cared

about

privacy and freedom

and

there was this

constant argument that was made that it

is impossible to surveil everything

and

everybody just said that but nobody

really was able to to show that it's

true you know so

and

so when

there was this day again you know i

probably had too much coffee or

something and there was another email

saying

you cannot surveil the internet the

internet routes around surveillance

and i freaked out so most of the things

i write are from

a position of anger you know

sooner or later i'm fed up and then i do

research and then i write a rebuttal

so this is where the paper comes from so

it was originally just a very long email

by somebody who had been in

in digital networking et cetera for a

couple of years

at that point i had like 10 years under

my belt working with isps

running vpn providers

running hosting systems etc so i knew a

bit about how to

how to deal with data and and how to

deal with networks

so

i sat down and just wrote this this

email

and

steve was on this email email list as

well and

steve said okay

great points you make now

i know that it's all true but let's add

some source material to it so

that people just not have to believe you

but can actually go to the sources for

that

and then

all of that came

this this paper that was uh presented at

the defcon among other things

and um

got exactly zero response from the

privacy community

and got a lot of response from the

intelligence community

so i actually had like

at least a dozen um reach-outs from

uh intelligence agencies from um

companies that provide technology uh for

for lawful interception

um data analytics people etc like not

directly from the heads of those

organizations but for people working

there

and um the response was more or less

uh yeah yeah it's all true great paper

but it's even worse

so

i never got around following writing a

follow-up to this but um i had all kinds

of people like cisco

nokia siemens networking um

[Music]

i had

several nsa people contacting me et

cetera et cetera et cetera

and um

actually opening up my my own knowledge

much more in the field

so

the the paper itself

is not complete you know it's a very

very shallow treatment actually of the

topic and it's frightening enough if you

really understand it because

what i try to do in the paper is to show

how much does it cost

to surveil the whole internet what's the

money you need for that

um and that has to do with you know what

what kind of traffic do you have how do

you deal with traffic

uh how to do you optimize your

collection

um

and then comparing that a little bit

with the perceived

use of surveilling everything

and then making the game theoretic

argument that the moment everybody knows

how cheap it is you have to do it

because otherwise

you're locked out of strategic

information

so it is something that

if you realize how cheap it is

you're entering an arms race you have to

do it yeah and

that is

more or less exactly what happened at

that time without me knowing you know

from i didn't have like

uh insider information so it was just

public sources and

my own understanding of how things

worked but there was no um

no background information i had i didn't

work for any of them

i didn't know what exactly they were

doing

um and the fascinating thing is that

in a way the the strategies that we

propose in the paper are very much what

the nsa has done

or nsa plus

gchq and whatever else

the parties there are

with the little exception that they have

optimized the

they have optimized it to a point that i

never thought about

and that is um

they didn't view it as a purely

competitive environment

but as a competitive and cooperative

environment yeah which makes it so much

worse

and i i didn't think about that so

um

the argument why global surveillance is

inevitable

is much stronger if you if you realize

that

they have ways of cooperating

with allies but also like with

competitors

so there might be sections where where

their interests overlap and they can

cooperate

and that makes the argument so much

stronger

and a lot of the strategies as i

mentioned um

are what you find later in the snowden

papers uh if it's you know tapping into

um internet exchanges if it's tapping

into landing points um

xkeyscore is something that is

shallowly um

described um

in the paper um as you know

your ability to do

global filtering and selection to reduce

data and

[Music]

focus in on on sources that really

matter

and of course the nsa has done it

dramatically better you know i thought

about the thing

between breakfast and lunch and

they thought about it for a couple of

years with people that were dramatically

smarter than me

and

they have created a pretty awesome

system that is really frightening so

that is what the paper is the paper is

the argument why such a system must

exist

[Music]

let's take a quick break from this

episode to chat about the sponsors of

opt-out cake wallet and local monero

cakewallet is a key tool that i use

daily as it allows me to easily and

quickly use monero for private by

default payments

it's available in both ios and android

it is a fantastic way to get started

buying and using monero with a simple

and easy to understand user experience i

regularly onboard new users to

cakewallet and hope that it will help

simplify and ease your journey into

cryptocurrency

if you're interested in purchasing

monero for the first time or helping to

bring others into a parallel economy i'd

recommend you look at using local monero

like i do to buy and sell monero while

maintaining your privacy and avoiding

invasive exchange surveillance

local monero is entirely peer-to-peer

and is an important part of opting out

of the surveillance state and into a

parallel economy

thank you to both sponsors for their

incredible support and partnership and i

hope you'll take a moment after the

episode to learn more in the show notes

or at optoutpod.com/sponsors

[Music]

yeah i unfortunately didn't get a chance

to read it before jumping in but um i as

someone who has worked in cyber security

and obviously studied the the resources

that snowden leaked and

looked through that it is it's

terrifying once you realize the

capabilities that have been out there

for quite a while and not to even

mention that yeah you mentioned motive a

lot in the paper and that's kind of more

a core focus and

um once you have that motive and you

have essentially unlimited resources

because they don't really have budget

constraints or at least not in the the

normal way um

you realize that

yeah they're not startups yes yeah no

they are they're not startups they have

consistent funding and

probably far more than is is publicly

listed on budgets so

that's not it's not something where they

don't have the means and we know that

they have the motivation and we know

that they've been doing it for quite a

while and are only improving in how they

do it which

should hopefully be a wake-up call and

give give those who have woken up a

sense of urgency to to take some active

steps

towards protecting your own personal

privacy but you mentioned in the the

last question about something people

don't agree with you on that

that tools like tor aren't effective

would you mind explaining a little bit

like your thoughts around that it's

definitely something that's counter to a

lot of what i've heard but um i'm

curious to hear

how that comes in

when i say that um it's um

it's a statement that is kind of

designed for

um pissing people off

um

because

tor is effective in some sense and not

effective in other senses

and let me explain that whenever you're

talking about security and i consider

privacy

as a security question

you really have to define your threat

model like who are you defending

yourself against

and what are the capabilities of your

attackers

what are the motivations of your

attackers what are the constraints of

your attackers

and you have to to know these things

and put them into your threat model so

you can measure

a method of defense against the threat

model

and

there's one threat model that

even tor admits that they're not

protecting against and that is the

so-called global passive

attacker so what a global passive

attacker can do is he can listen to all

traffic on the planet

the interesting thing is we know of at

least one of those groups that can do

that you know it's called the nsa

so they can in theory do that

if they do it in practice and if they

target you on tor with that is a

different question

um

but the ability is there they they can

listen to it

and there's a simple reason why tor

cannot

protect against that

and that is that tor does not conceal

um the

the signaling metadata when it comes to

package size package frequency etc

and

it's even worse than that because

the changing of the tor cells like the

connections within tor

that they change relatively frequently

actually leaks information about

where you're coming from

because you have the same traffic

pattern in multiple parts of the network

and if any of those parts of the network

are compromised

then

you have a problem

so what does it mean in practice i've

made some practice that if you're using

tor to go to something like

facebook um and you're looking at

a profile that is widely looked at

let's say

biden you know does biden have a facebook

profile probably

i would probably say

i thought that he's only on onlyfans

never mind so

um

so you go to to onlyfans and look at

biden's profile um

you

are one of many people that do that so

your specific traffic pattern like what

images are loaded like how big are the

images in which order uh do you do you

load stuff it's not really leaked

because a lot of other people do the

same thing they look at the same profile

more or less at the same time

so you're leaking nothing however if you

go to a website that is relatively

unique

then you're leaking a traffic

fingerprint that

you don't share with a lot of other

people

and when it comes to surveillance and

de-anonymization

this single

call on a website and loading the

website is actually not what matters

what matters is that surveillance is a

multi-round game

so

you're looking at the network you make a

hypothesis about who could be the person

looking at a certain website

and then you wait a certain time and

then you test

the hypothesis again

and then what you get is a subset of

people you know those two sets the the

two candidate sets intersect and there's

a new set that is much smaller and then

you do that again

and then the set becomes smaller again

so it's a it's a multi-round game

and

while a single

call to a website might be

protected by something like tor

it is not protected

when you go to the website again and

again again again

because sooner or later this hypothesis

becomes more and more

matchable

so

and that is the the theoretical reason

why

something like a low latency

relay network cannot protect you

and that is

widely documented and known in the

anonymity research community like in the

academic community everybody knows that

and then

there are

of course more elaborate attacks you

know uh something like um network

intersection so you're looking at

what potential hops could you have

made through the network and you can do

that by

for example time tagging

you can see

how long does it take a certain

stream of packages that have a certain

characteristic to enter the tor network

on one side and then

exit at

the

the entry guards so um

and there are quite a number of those

attacks

that

make use of

the fact that tor

cannot hide certain characteristics and

it's i'm a blaming tor for that it's

it's just that

um there are limits to the model and no

matter how good you you create your

software you will not

um overcome the limits of of the model

and the problem is when people run

around and try to sell

use cases for tor that break the limits

of the model

because they don't actually understand

how things work that is a problem

and so i don't understand me as bashing

tor i'm bashing uh people that consider

tor

as the best solution

for all threat models

because it's simply not

and this even goes down to the point

that

one of the main issues of tor

if you're not

a global attacker but you know you're

just a company like mine

you want to analyze tor

and see what people do um one of the the

main issues is that

you can run sybil attacks against tor

which which basically means is you're

introducing tor nodes into the network

and you can do that stupidly and you can

do it smartly so if you do it stupidly

the tor people will figure that out and

block your your nodes

you can also do it smartly you know take

your time

have a few company front companies run a

few sock puppet accounts etc etc and

then sooner or later you have a few

hundred or maybe a few thousand of those

nodes established

and what you can do then is

the more of those nodes you have the

more stable they are the longer they're

in the network the more likely

they are selected as entry guards

which is awesome because you directly

see the ip address of the user

and

if you on the other hand are something

like a

big company or a police or whatever you

can also afford running an exit node

and then what you can do is you can

control how traffic between your exit

node and all entry guards flows in the

sense of that you can delay traffic

that you can compress traffic etc

and this pattern of delay and compress

you will be able to find at your entry

nodes again

and

that is just one of many attacks you can

do

and for that you don't need any special

privileges you need money for it not

much

so there are estimates

like academic estimates and how much attacks

like this and others cost and they're

roughly around twenty thousand per month

and twenty thousand per month is so

small

that

again game theory hits

um because game theory really tells you

if you're able to do that and you have

an advantage from doing it you should do

it

you know because especially because

others know that as well

um because it might be a strategic

advantage to have control over it

and that means that it is um

extremely likely that there are

companies out out there

that

have infiltrated the tor network and i'm

not talking about cia or something like

that because um in reality

like cia nsa blah blah blah do do not do

most of their dirty work most of the

dirty especially when it comes to

technology is outsourced

it is you know there's a company that

comes and says okay i have a really good

solution for you to de-anonymize tor

and

then this deal with the company gets a

special compartmentalization so

basically nobody who's not involved with

that will know about that the company

probably gets something like five

hundred thousand a month for a job that

only costs twenty thousand uh

everybody's happy uh there's a lot of

cocaine and hookers and um then you can

basically call the company and say hey i

need historic data you know we had an

access to this website give us potential

um

matching users for that

and then they'll deliver you know

something between one and thousands of

potential

users that could have accessed this

resource

and then

it's the job of the police or whoever

else to drill down on those ip addresses

further and say okay

how good is the case that you can make

especially without

revealing where we have the data from

and that's called parallel construction

you have to come up with a story that

explains why you know that

some person was on

biden's onlyfans profile

so to summarize a bit i the core of what

you're saying i think is that tor is not

i mean hopefully everyone agrees with

this tor is not the perfect solution to

all privacy problems

and it is not specific specifically not

effective against

targeted and

motivated attackers or attacks

but

it is a useful tool to protect against

dragnet surveillance and against general

surveillance

but it's not it shouldn't be viewed as

like if you use tor you're fine and if

you don't use it you're not fine

no i disagree i don't i don't actually

think that it's that great against

dragnet it's very interesting so um

so from a technical point of view

there's

it is not

um

there is however um

there's a standard argument that is made

all the time and that is that the tor

nodes are distributed around the planet

if you really want to get into that you

have to deal with a ton of tor

nodes you know like write warrants blah

blah blah

in different jurisdictions so you'll

never be able to do that it's too

expensive to do that

and

that is the argument why why it doesn't

work for dragnet surveillance but that

is not how dragnet surveillance works

dragnet surveillance doesn't work by a

prosecutor sitting in his little office

and writing a million warrants

it's by tasking a unit and the nsa to

say how can we get this data without a

warrant

and then you come up with things like oh

wait a second we have a public list of

of tor nodes

we have a very limited of a number of

routes that the traffic between those

tor nodes can have

and we have an extremely limited number

of

internet exchanges etc where we can see

that traffic and you know what we

actually don't have to capture that

traffic ourselves we can actually buy it

from the internet exchange or from the

data center directly

because that data is sold

because it's needed for other things

like anti-ddos

or um

for

incident response in in cyber security

cases where you basically go to certain

companies and say hey i really want to

know

who used

what the ip address of somebody behind

an open proxy was

and you can look these things up because

they're recorded

and the same thing

with less precision

is true for something like tor it's less

precise

i mean that is true so tor

increases the ambiguity of course

you know and there are a lot of cases

where it will not make sense

to go and try to analyze tor traffic

because

number one um

you don't want to leak that you're able

to do that

and number two is because it's actually

expensive and hard to argue in court

because it's a very probabilistic

argument

so

you might not use it in court but you're

using it you know as a lead or whatever

you know you never tell anybody that you

used it

and

when it comes to dragnet surveillance

dragnet surveillance technically again is

not this individual warrants whatever

it's

trying to get a global view

and we know that they can do it and we

know that they refine it so they might

not be able to make too much of tor

traffic

six years ago

but

they're continuously improving

and they're learning and they're they're

creating new tools if you look at the

tools that were used by the nsa

when snowden did his leaks those tools

are

were a little bit disappointing because

a lot of those tools were off the shelf

or open source stuff

you know i mean xkeyscore is basically

a

web front end to a mysql database

you know that is basically exactly what

the papers say

after a couple of years

and doing that for a longer while

you begin

looking at more targets you know what is

what is interesting what

where can we invest the money to

specialize on so there's a difference

between what can we do hypothetically

and what do we actually do

because you have to distribute resources

so

yes even the resources of the nsa are

not unlimited you know they have they

have a ton of people to spy on you

know they have to you know focus

and um

so from that

from that point of view

there's no technical argument

why tor should be great against dragnet

surveillance there might be

a momentary momentarily argument

um

like a snapshot in time argument that

says okay they're not they haven't been

doing it like three years ago or they

haven't been doing it two years ago

um

but there's no argument why it shouldn't

happen in the future because the the

threat model and the technology

um don't match

so is tor not something that you use or

recommend or it's just something that

you're trying to kind of tame the

expectations of

it's taming the expectations so i i use

tor all the time so

um

tor is booted when i boot my computer so

um there's no no question about that

there's actually

i'm a little bit split when it comes to

um talking about tor so because on the

one hand i don't want to bash it but on

the other hand it's really important to

understand what it can and cannot do

and where we have to continue

in developing other stuff

because um over expectations on tor

also limit the

the uptake of better technologies

because everybody says oh yeah tor

works so i don't have to think anymore

you know it's a it's an easy excuse and

it's throwing a tool that you don't

understand

but the the nerd down the road said oh

it's a great tool you you can use it and

protect yourself against the nsa you

know so

that's not a good good way of arguing

your your um digital opsec so yeah um

what i'm saying is

using there are certain things that tor

is dramatically great for

and

that's a another of those topics that

are hard that are hard to agree on but

um tor is practically the only

widespread global

pseudonymous addressing system that we

have

so that

meaning hidden services

it is dramatically easy to set up a

hidden service it's dramatically easy to

use one

and even though the implementation of

hidden services in tor

are

technically problematic i mean they're

improving recently with version three

but

uh before that it was like um a little

stepchild you know that was kept in the

in the heating room

um

they're improving on that and i think

that tor is dramatically good for that

and even to the degree that you can have

a little bit of privacy

if you have like high rotation of cells

um only use it for lookup etc

um and in a way it's actually a really

good sysadmin tool uh because of that

so um in that sense tor is very useful

but i wouldn't ever

bet my

physical freedom on tor and this

especially i wouldn't make anybody else

do this and do the same thing

yeah thank you i mean thanks for going

into the the nuance there i think that's

such an important thing that nuance

often gets kind of tossed aside in many

areas but especially in

the privacy community oftentimes nuance

goes out the window and everyone

just kind of goes black or white with

like tor is perfect or tor is a

failure and uh you need to use this or

you shouldn't use this and most people

don't dig into the nuance so i'm glad

you're you're willing to dig a bit more

into the the details and in your thought

process there i think it's really

helpful and um

there's an argument for it and the thing

is

in security privacy surveillance dealing

with with shady organizations it is

nuanced very where they get to

you know it's not the the common mistake

that

is the big thing it's the

you know the particular slip up you know

the

the false sense of security the

not

completely thought through threat model

etc where where you fail

and

that is why it's important to have known

so you have to understand

the tools that you're using versus the

capabilities of your your attacker

yeah yeah definitely agree there um and

i'd love to kind of transition into

the background that you have in vpns um

both that's an easy segue because tor

and vpns are often talked about hand in

hand and kind of the advantages of

either one

um but i also just want to kind of take

a more realistic look at vpns it's

another thing that's very divisive in

the the privacy community and

i'd love to hear more about why you've

worked on vpns in the past why you've

run companies that provide vpn services

and

kind of your thoughts around vpns as a

tool for privacy or security or not as a

tool for privacy as a security it's kind

of your views around vpns and their

usefulness

okay

so i'll make it very short

um

all the bad things you have heard about

vpns are true for almost all of them

so

vpns

as a class of tools are dangerous

and and there's a reason for that

the reason is

what you're doing when using a vpn is

moving the trust that you might have in

your internet service provider

towards

an organization

that will be able to capture exactly the

same data that your isp could capture

but

can capture it even if you move

because you know you're traveling you're

not always using the same isp if you're

using the same vpn you know you bring

all of the data home

and those companies

usually fall under a different

legal regime than your isp

so the

the communication

security and privacy requirements

that your isp has to fulfill

are usually dramatically higher than

that what a vpn has to do

which means that

you will find a real big bunch of

dramatically shady providers

that will

promise you absolute privacy no no logs

whatever

and in reality you you couldn't sue them

over it there's no legal recourse you

have there's no law that forces them to

to protect your privacy nothing

and you give them all of that

and

that is the argument against vpns

um

the argument is basically also true for

tor by the way because you're doing

the same thing

and in in tor you don't even have the

protection of having a contract

um so from a from a legal standpoint

nobody can force a tor exit node to not

capture your traffic well it kind of

depends on what jurisdiction they are in

but in general

if i'm running a tor exit node and i

want to capture your traffic i'm going

to do that

and it's something that has happened in

the past there there have been huge

leaks

that

have been released by exit node

providers um

you know academically just to see what

people are using with tor so

so that is that is like the fundamental

problem the second fundamental problem

is that

most vpn providers

only look at one single thing and that

is the question of do you keep logs or

do you not keep logs that's the only

definition of privacy protection that

they have

and that is

a definition that is far too small

because even if the

vpn provider doesn't keep logs

nobody prevents the data center where

the vpn provider has his computers

from keeping those logs

and again it's a low latency relay same

as tor which means that it's very easy

if you just look at the timing of the

packages on the incoming side and

outgoing side ingress egress it's very

easy to match them

so it's very easy to trace through a vpn

uh if you're watching it

and

most vpn providers don't do nothing

about that you know they they just

plainly copy your your traffic from a to

b and that's it

um it's actually pretty easy to run a

vpn provider

you install ubuntu you know a little

with wireguard you know two

well four iptables entries and that is

it then you're a vpn provider you know

um

but the nuance of you know how do and

how do i prevent timing attacks um how

do i prevent um flow matching between

incoming and outgoing

traffic

um

how do i prevent that i myself know

which who the client is

uh all those things are are very hard to

do and most vpn providers never do that

um they they never even have a technical

argument how they would be doing that

but instead they just say we don't keep

logs and that's it

and that is why i think that

99.9%

of all vpn providers are worse than

using your isp with one exception

and the exception is if you're living

in a country that is problematic where

you don't have any protection in the

first place

or when you're um

on a badly secured wi-fi uh in a hotel

you know then

using a vpn has a little bit

of an upside because you at least know

who's spying on you you know a

provider so

um

that is the the only place where it

really makes sense

um

and the the other things are non-privacy

related so there are other uses for vpns

that are not privacy related um

like you know overcoming geo-ip

blocking etc you know you want to watch

netflix or

or hulu or whatever then

uh vpns can make a lot of sense there as

a tool

but when it comes to providing privacy

there are very very few vpn providers

out there that deserve being taken

seriously

and

it's relatively easy to

to recognize them

because

you can ask them those questions you

know like how do you prevent matching of

ingress and egress

um

how do you prevent that

your you can tag your traffic by the

user account and stuff like that and you

ask those questions

and you either get a reasonable answer

and potentially even a way to verify

that because a lot of these answers are

verifiable

or you get hand-waving

and if you're looking for privacy then

the answer to those questions should be

a really long email with a lot of

answers and command line

um

command lines to try out that their

claims are actually true

do you have any

specific recommendations of providers or

is that right or not

so there's another thing that is really

important and that is in a way you have

to trust

your vpn provider

and there's

yeah

you cannot get around the trust in

systems like that

and again that is true for tor as well

you know in tor you have to trust the

faceless number of relays and you're

just hoping that because the trust is

distributed over multiple hops the event

of um having a cell a

chain of relays that are all

untrustworthy doesn't happen you know

that's the

the basis of the security model of

something like tor you know it's like

there are enough people that are honest

you know i claim that's not true but

um there are enough people that are

honest so i'll usually not

find only bad apples

with vpn providers it's the same thing

and

that means that unless you're

technically really good

you will not be able to verify what i'm

saying

and

if i recommend a vpn provider you will

not be able to verify that what i'm

saying

and

then you will trust that vpn provider

even if you have no argument for trust

same as tor

and then you will trust it too much

and then you're

so i will not make a recommendation

what i'm saying is there's a process so

you have to

when you when you buy a vpn there are a

couple of things you should be looking

for

number one is

as i said you know there are certain

questions to ask

um

and the responses to that should be

reasonable technically verifiable

that's number one number two is

a vpn provider that has no face like

there's there's no person at all that

you

could talk with or that stands with

their name for the thing

um is a bad idea

a vpn provider that

does not do any security research

doesn't have security people on staff is

a bad idea

um a vpn provider that is in the

jurisdiction where they're

completely free from any risk of ever

being sued is a bad idea

because all that are signs how people

are trying to escape

the

the consequences

of how you call it dishonest marketing

so

you want somebody who is making

themselves accountable

and

sadly that means that most of the big

vpn providers are completely

and i mean just look at

what has happened to to expressvpn um

it's like it's a perfect story you know

i mean

um

it's

i'm sorry

it's um

it's a company with ties to israeli

intelligence

um

with people um

that have been involved in the nso

scandal that have been

uh involved in this dubai

spying

organization

and so on and so on you know and those

people

run

expressvpn now

um

for privacy i wouldn't use them you know

like privacy in the sense of i want data

not to be leaked you know i don't want

anybody to know which website i'm going

to

if i want to prevent a specific website

from knowing that yes

that still works you know as long as you

think that they're not selling the data

back to the website which i think is

doubtful um

but yeah in general the the really big

flashy ones

um i have issues with

there there are a few

that i would look into

um

there is

one that i i find um

friendly

mostly because i know the people

um

and so for example mullvad is

a provider

that you could look at because um

they don't make too much of a claim you

know they're kind of honest in what

they're doing

and then

yes there are extreme vpn providers

that actually make good like huge claims

but they also can explain why they can

make those claims but you don't want to

pay for them

because that is like very much in the

even i.t sector and

um they're expensive

like you have to pay for dramatic

services a lot you're not going to get

away with 10 euros a month

yeah i was curious if if mullvad or ivpn

would come up since they seem to be two

of the ones that are very forward about

the the limitations of vpn and forward

about what they are good at and what

they are not good at which is usually a

sign of of good actors but obviously not

necessarily a reason to blindly trust

just usually a good sign if someone's

not making grandiose claims and they're

actually telling people you probably

shouldn't be using a vpn i think that's

that's usually a good sign when a vpn

provider does that so yeah they've been

two that i've enjoyed and heard good

things for many people about yeah i mean

i would i would add one more thing and

that is this trend of saying uh don't

pay for a vpn build your own

um you know get a vps somewhere and and

run openvpn or wireguard or something

like that

don't do that no

please it's it's you're you're not

getting

anything from that because

the hosting provider has exactly zero

um legal limits on on

what they can do to your traffic and

they're actually

there are actually reasons why they have

to release

information about your traffic

so the legal scenario of running

something through a hosting provider

is

it's not in your favor it's a really

stupid thing to do

um there's no anonymity there like zero

you know that host knows who you are and

that's it

um

so don't do it

the other thing is you don't even have

any crowding effects you know you don't

have

a multiple

potential clients that you could hide

behind you know it's it doesn't exist

and the thing is if you're always using

your little vps there and i want to do

something against you i only have one

single point that i have to listen to

and i know all your traffic i know where

you're coming from where you are located

etc

so

if

if your threat model includes hiding

your ip address because that is the only

thing that tor or

a vpn would be able to do is hiding your

ip address like your original

address if your threat model includes

having to hide that

then

both the vpn and tor are better than not

having that

if you're careful with the who you

select as a provider

and they're always better well a good

provider is always better than running

it yourself

yeah i'm glad you mentioned that it's

something that i've seen people bring up

and i

i stand pretty strongly against because

even i think people think oh i just

won't log and then i'm good and i have

as good of privacy and as good as

security as a non-logging vpn provider

who who knows what they're doing and

that it's not the way it works in

practice or in

theory or in reality and you 100% will be

logging and i think that point about it

being a single

a single point of attack it would be a

very easy thing to surveil all of your

traffic there just by taking over that

vps that the hoster can do at any time i

mean they have complete access so they

can just easily take that over and start

logging all

they don't to their

take it over because they already own it

you know they get interesting

yeah yes

so um exactly so it's it's always better

to choose a good vpn provider over

running it yourself

so

if you're of course

getting a shitty vpn provider then yeah

bad luck you know but um good good vpn

provider like mullvad for example um

it's better than running it yourself

and also keep in mind that

the vpn

does not protect

the the traffic itself so it of course

it protects the traffic between you and

the vpn provider

but the traffic will exit at the vpn

provider

in whatever format you put it into the

vpn

so that means that you still have to be

careful

with using dns privacy for example

it's a it's a thing that most people

never think about but the easiest way to

surveil you is by just looking what

queries you do at their dns provider

so

use something like dnscrypt for

example

um

you

at least use something like one hop

between you and

um

quad9 or something like that so that

that you don't immediately leak the

query and your original ip address

and i would actually suggest often to

not use the dns provided by the vpn that

the vpn provider

don't use the dns provider that the vpn

provider offers

because

that already tags your dns queries

so it's it's very easy to poison your

local dns cache and then if you switch

off the vpn and then do something else

and your dns cache has still the

poisoned entry um you're

so there is something that

very careful about so dns is really

important to to control and the other

thing is always and always and always

um use tls um like end-to-end encryption

for for your connections

um

there is no argument to ever not use it

that's it you know it should be a crime

against humanity if you ever switch off

tls so

um you have to use tls but even if

you're using dns security and if you're

using

tls

please still know

that

the ip address that

the service

is using that you're accessing you know

the website whatever

this ip address might not be unique for

that service

because there are a lot of shared

hosting and cloudflare and all these

things but it's unique enough

and

furthermore

your tls usually leaks

what the menu actually want to talk with

so it actually makes sense to have

um a very very modern configuration on

your own computer so for example there

is something called encrypted sni

that

prevents the hostname from being leaked

in your tls connection

and stuff like that so that makes a lot

of sense

and also keep in mind that

when you want to protect yourself

against the website that you're using or

the service that you're using there's a

lot of other things they can do except

for for logging your ip address

so that is actually one of the things

where i applaud the tor project yeah

because they have invested a lot of of

effort

and they really have led the charge

against browser fingerprinting

so by now it's trickling into other

browsers which is awesome

but um browser fingerprinting is a real

issue

and then everything around super cookies

eternal cookies etc is a real issue

so if you

want to have like real privacy it will

not ever stop with a vpn no this is

not a single click solution

but it means selecting the right browser

probably actually executing your browser

in a virtual machine

on a

very widely spread

operating system using exactly the same

fonts as a million other people doing

same plugins same whatever

um

and even then

if your attacker is good enough you're

still because the web is

is becoming a holistic resource for uh

for internet privacy we're kind of

hitting on all the different sectors

here um

yeah it's been really really interesting

to dig into the technical stuff but i

i did want to jump into a little bit

your kind of your background um both

your name as the real smuggler which i

thought was really interesting um and

just you talk a good bit about crypto

anarchy and and being a cyberpunk um so

i'd love to just hear a little bit more

about that before we finish up here um

just to get to know a little bit more

about your your crypto anarchist and

cyberpunk views and then kind of where

your name came from if you're willing to

share that

okay so uh the name is really easy so um

a couple of years ago i had to change my

main pseudonym because the other one was

burned

so i had to come up with a new one and

both my family and i have a little bit

of a

background in smuggling

so

that is

one of the reasons i took smuggler and

there's another one

that i just recently remembered and that

is there was a computer game called deus ex

and there's a weapons trader in

that game by the name of smuggler and i

really like that character

so i think those two things overlapped a

little bit and um led to me selecting

the pseudonym

uh

the pseudonym is only smuggler and not

the real smuggler the only reason the

real smuggler is used is because

uh i had to get a twitter handle

and

the original smuggler and uh just

smuggler and whatever

were already taken so that is why the

real smuggler

um so that's the easy explanation for

the for the uh pseudonym

um

crypto anarchism cypherpunk and

cyberpunk okay

cryptoanarchism is this idea of

using cryptography and specific

cryptography that

leads that protects confidentiality

to implement an anarchistic society

so in a

society in where in which

coercion on the body

is made impossible

and they're

generally two

two schools of anarchism so one school is

i would call it the legal school

you have a system a society where it's

simply illegal to to act

coercively against somebody

and that is where most libertarians come

from et cetera

and then there's crypto anarchism and

crypto anarchism wants to make it

technically impossible to attack you

um so no matter what the legal

environment is you're protected by

cryptography

and

i

have been

a proponent of that idea for i don't

know 20 years at least

um

well more or less i become

more extreme the older i get um

but um that is that is crypto anarchism

and

i think that if you

if you realize what is happening today

with globalization

with the internet digitalization

um

cyber physical systems etc

then it is it is clear that

our current structures of governance

are really challenged by the

new world that they might actually not

fit at all

and they might actually be

counterproductive and dangerous to to

humanity itself

because

the the wrong political system in the

wrong um technological environment can

lead to dramatic failures

um not just totalitarianism but also to

to just mistakes you know if you

centralize your systems to too much if

you couple them too closely you can

come into into really bad situations and

we're seeing one of those right now you

know with the supply chain crisis that

is exactly that it's an unfitting system

um for the environment and and we're um

paying the price for it right now

um

and the same thing is true in politics

and i think that

crypto anarchism is the right

political model

for the digital age

and

i don't want to dive into it too deeply

because that's a podcast in itself at

least i mean i think we did a recording

on that there was like three or four

hours so i'm going to spare you that um

but

just as a teaser it's the right model

for the digital age

and it's the opposite of the

transparency and

um show everything and instagram

whatever model

um

okay that is crypto anarchy then

cypherpunk and cyberpunk so um

cypherpunk refers to a mailing list that

was created in the late 80s early 90s

that

dealt with questions of cryptography and

their

political implications

and

a lot of the

technologies that you're using today

have been more or less invented in that

context like by people that were on that

mailing list or

even on that mailing list directly

and i've been

a subscriber to that list

under various pseudonyms for

almost 25 years i think

and

have contributed in various ways to

this and that project

so um

that makes me

a member of the cypherpunk mailing list

so

hence cypherpunk uh and then there's

cyberpunk and i like that you actually

put that in there because um cyberpunk

is

a literally a literary category or um

i call it a

genre

um

and

so for example you have william gibson

um with his neuromancer trilogy etc

and the interesting thing with cyberpunk

is

um

it is focusing on the

challenges

of

technology specifically computer

technologies

and society

and

it is

not very optimistic there

and is trying to to think about things

like

um

what can hackers do

or what if you can upload our brain to

the computer um which is basically what

we do with facebook um or

what um

what are the implications if only the

rich and the powerful have access to

technology and not the rest of the world

which in a way is true because we're

underestimating um the powers of

technology in the hands of our enemies

and um so from from that standpoint uh i

find a cyberpunk a very interesting

aesthetic

thought environment

um

especially the statement of um

low life high tech even if you're at the

bottom of the society you can repurpose

technology to to your own advantage

and i i always love that about the

hacker culture is you know um take the

manual burn it and do something else

with whatever you bought

so um i

that is

an important aspect the other aspect is

that

um though it's science fiction it is

kind of becoming true in a lot of ways

like the feeling of cyberpunk

specifically

um

specific predictions but it's not you

know it's not prophecy it's thinking

about things that could happen in our

context

and in a way we we live in a cyberpunk

world or starting to live in the

cyberpunk world where big corporations

and technology and state and robotics

and

um psychological manipulation and all

these things really really begin to

really matter

and

like in the circle of my friends

there's an almost daily

um

post that we do on an internal channel

um where somebody finds something in the

news or a picture of a new technology or

something and the commentary to that is

cpaf this is cyberpunk as

and we're living in a cyberpunk as

world

it definitely does seem like that i mean

i i do i love the cyberpunk aesthetic

and that that literary genre i think is

so important like you mentioned it's

just a way to

envision what the future could be like

and like not necessarily prophecy but

i think a lot of it has been has turned

out to be almost prophetic because it

has been a very good

kind of thought project to to think

about what can happen when technology

becomes central in all these different

aspects of life so i think there's a lot

of

a lot of good that has come out of that

and hopefully a lot of uh chances for

people to continue that thought project

and when new technologies come out think

about the ways that they could go to to

make smart decisions as early as

possible on how you use it or how you

support it or fight against it or just

lots of different aspects but

a lot of value there beyond just the

enjoyment of reading good cyberpunk

literature and there's this fascinating

personal part actually and that is

one aspect of a lot of um cyberpunk

literature

is dancing around the concept of

superempowerment um like in an

individual suddenly through technology

finding

an amount of power over themselves or

others

that

breaks all categories

and that is an interesting aspect

because i think it was never completely

explored in in literature but i think

it's the

long-term most important aspect of

cyberpunk is that

we are

probably entering an age of super

empowerment where individuals

and usually not the good ones

will have powers that

can challenge

nation states

yeah yeah definitely good

a good point and one that is somewhat

terrifying but

good to have in mind and think about as

we're kind of walking through the world

and building culture around

us it gives you something to strive for

i guess

there you go

uh awesome well last kind of personal

thing i wanted to get to is uh you are

part of a podcast cypherpunk bitstream

um and there's a lot of value there i'd

love for you to just quickly plug kind

of what that is and what people can

expect taking a taking a listen to that

sure cypherpunk bitstream is a podcast

by taz0 which is a temporary autonomous

zone in the building uh in berlin

germany

and it's hosted by

frank brown and me

and we're talking about all things uh

digital politics

crypto anarchy surveillance weapons

building stuff out of shipping

containers um

the future of politics the corruption of

culture and so on and so on so it's

basically two dudes

uh with um

a strange background um discussing

um topics that might interest other

people with a strange background so

there's a lot of great stuff there i

love the topics that you'll cover there

a lot of them are very rarely covered in

other areas so i feel like there's

there's so much value there and i like

the long format just get get to hear a

lot of deep thoughts i need to listen to

more of them

yeah

thank you thank you yeah for sure

definitely wanted to to make sure that

was mentioned because i think there will

be a lot of crossover between my

listeners and

at least a few of the topics that they

all have covered there a lot of value um

a question i ask everyone who comes on

it's just what are some of the tools

that you use regularly to opt out that

you'd recommend others to take a look at

and then why

um i know we've covered this a good bit

and i talked about tor and vpns and all

of that so it may just be a summary of

what we've talked about before but i'd

love to get your thoughts okay i'll i'll

i'll go a little bit left field here um

and give answers that hopefully nobody

else gives

except for one and that is cash so i'm a

lover of cash and i'm paying cash whenever

i can

um so that's number one number two is i

really love the pandemic for one reason

and that is it gives us a justification

to wear sunglasses and face masks at the

same time

so

um that has been a a dramatically

liberating moment for me because i've

done that before that pandemic and i

always stood out and now it's like

everybody's doing it

yes exactly so um

i do i do like hoodies face masks and

stuff like that

um

face-to-face meetings is a really

important thing um it's a tool that i

use regularly it's the walking together

in the park and having a confidential

conversation

and then there are

a few um

crazy things so for example

containers that are a faraday cage

um

and voice masking technology that

prevents microphones from picking up

what you're saying

those are definitely unique so far

i think we've talked a little bit about

cash but it's never kind of like a core

tool that people focus on but i yeah i

as long as it is an option which

hopefully it will continue to be an

option for a very long time it is one of

the most powerful tools we have for

financial privacy

i also love gold coins

you know the the combination of gold

coin a shovel and gps is dramatic

you're be your own bank taken to another

level

exactly the world is big

and the last question i have for you

smuggler is uh just what advice would

you give to someone who's just starting

to realize the need for personal privacy

um

don't be timid about it

so

really realize that

it is a thing you have the

inborn right to do

there's no good argument that says that

you should not be able to control your

privacy

and

be proud of being private don't feel

awkward about it

know that it's a highly valuable and

very enlightened thing

and

prepare yourself for for really learning

a lot of things and surrounding yourself

with people that

already know a lot of these things and

um

realize that it's a community effort but

also a fun effort it's very fun

and test and test the things that people

say

a lot of people run around with wrong

advice

you have to be able to test advice

and you have to spend time on that

yeah yeah i love that i think that's

something that doesn't get brought up

enough is that like the journey towards

privacy is an enjoyable process and

there's so much you learn along the way

there's so many

amazing people that you get to meet i

mean if i hadn't started to care about

my personal privacy i would never have

been sitting down and chatting with you

for two hours about all of these topics

and learning about your background and

all the other guests that i've had on

not to mention the communities that i

have online now and and just the actual

technical process of trying out new

tools and and there is a lot of there's

a lot of fun there just a lot of

enjoyment of learning new things trying

new things like you said testing out

things that people are suggesting and

recommending and uh it's it's not all

kind of doom and gloom there's there's a

lot of enjoyment there and you find such

good community as you take those steps

um that that can often be one of the

best things that happens is yes you get

your personal privacy but you also have

great community around you as you're

you're doing that and that can that can

be a lot broader of a of a of a pro for

you than necessarily privacy is or at

least maybe that you notice today yeah

and let me add something there and that

is um

a lot of people today think too

technically about privacy

and that kind of discourages people that

don't have a technical uh background

my experience is that the masters of

privacy are not technical people

they're disciplined people

and

they're people that enjoy what they're

doing

that love a little bit of subterfuge

if you're a person

that

enjoys living in the real world and is

not a computer geek

then you might actually be able to

master

privacy so much more

than most of the geeks

because

some of the most valuable things in

privacy

are the ability to

talk a hotel into letting you stay

without identifying yourself for example

that's not a

computer thing you know that's a human

human-to-human thing

or

being able to

have a private face-to-face meeting and

setting that up without

actually leaving a digital trace

so there's a lot of

one of the things i really

suggest to people

is to have those two aspects of privacy

and that is there's a game part of

privacy

which might not be the perfect method

but it's an enjoyable method and it's

fun to do with friends and then there's

the if it really matters

part of privacy and you should indulge

in both you know it can be it can be a

little bit of a game and and fun and you

don't have to be a geek

yeah yeah i'd love that um well thank

you so much for coming on smuggler it

was a a long one but there's so much so

much meat in here so many good things i

i'm really excited to share this and

hear people's thoughts but thank you so

much for taking taking the time out of

your day to to come on and chat with me

and share a little bit more about your

views your journey and uh your thoughts

on different tools

it was a pleasure thank you

uh well is there any specific place or

uh uh kind of way to to keep up with you

or follow along on your work that you'd

like to share um

easy

taz0.org

so taz0.org

so the podcast is opaque.link is

where my personal website is which

sometimes is down

um anaplex.net is where a lot of um

community effort is happening

and

yes also twitter at the real estate

awesome i will i'll make sure to have

those links in the show notes as well

but

thanks again so much so much of a

pleasure getting to sit down and chat

with you and i'm really excited to to

share this with with more people

thank you

[Music]

thanks for listening and i hope you

enjoyed this episode of opt out if you

did please take a moment and subscribe

to the podcast or if you're already

subscribed share it with one friend or

family member this week

as always you can check out the links to

our guest's content and contact info as

well as links to all of the tools we

discussed in today's episode in the show

notes or at optoutpod.com

now get out there and opt out this week

[Music]

this week's tool to help you opt out is

a simple one whoogle search

whoogle is a privacy preserving

javascript free self-hosted front-end

for google search that lets you make

searches preferably over tor using

public instances without any of the

tracking or bloat present on google

itself

search and the tracking around it by

providers like google and bing is an

important factor in the constant attack

on privacy and opting out of that system

is a key step in the journey

i run a whoogle instance that's available

for public use at search.seth

and have that link and how to set it as

your primary search instance in the show

notes feel free to test it out and use

it if you enjoy it

thanks

[Music]
