Ever had that creepy feeling someone's watching you online? Now imagine that feeling was actually your reality: not just your browsing history being tracked, but cameras following your every move on the street, your conversations being monitored, your payments scrutinized. For our guest Josh Summers, this wasn't some dystopian nightmare; it was his daily life.
Josh isn't your typical privacy advocate. As the creator behind All Things Secured (both a website and YouTube channel), his passion for digital privacy was forged through nearly 20 years living abroad, much of it in China. There, he didn't just read about surveillance; he lived under its shadow, using VPNs to bypass censorship and experiencing the gut-wrenching moment of being detained and questioned by Chinese authorities.
In our revealing conversation, Josh pulls back the curtain on what government surveillance actually feels like from the inside. He shares how these experiences transformed a personal survival strategy into a mission to help others protect themselves in our increasingly watched world.
We dive into how surveillance actually works, from those eerily accurate facial recognition systems to the GPS tracking that follows your every move and the countless ways big companies turn your personal information into profit. Josh not only makes us aware of potential problems, he also offers real-world solutions that balance security with the convenience we all crave.
With Josh's guidance, we discover surprisingly simple ways to shield our digital lives, from encrypted messaging apps that keep conversations private to virtual credit cards that protect your finances and alternative mailing addresses that safeguard your physical location. He also reveals the hidden dangers lurking in those so-called smart devices scattered throughout your home, and explains why privacy matters even if you think you have nothing to hide.
“There’s always a trade-off between security and convenience. You've got to find the balance that works for you.” - Josh Summers
Show Notes:
- [00:34] Josh is the host of All Things Secured. He wants to help people become a hacker's worst nightmare.
- [01:30] Josh, his wife, and children lived in China. There was censorship and social platforms were blocked.
- [02:05] He began using VPNs. Over the decade there, every type of surveillance was used.
- [03:34] He had a travel site and walked around with a camera.
- [04:03] In 2018 he was detained by the government. It was scary and he realized the rights he was giving up when traveling to other countries.
- [05:53] He was kicked out of China, and became more conscious of the pervasive mass surveillance.
- [08:40] He was severely outmatched with the psychological tricks of the interrogators.
- [12:57] Even if surveillance is legal, that doesn't make it ethical.
- [13:18] Small consistent steps towards privacy will make us less of a target.
- [14:25] Josh talks about ways that we are being monitored from cameras to facial recognition. Digital currencies track what we purchase.
- [17:04] Facebook has so many files on us. Being tracked online adds up.
- [21:07] There are ways to build a privacy moat around your digital life and still stay in contact with friends and family.
- [22:27] Steps for practical privacy include being careful about how you share data, encrypted alternatives, and use masking services to reduce your digital footprint. You can also use virtual credit cards.
- [31:46] We talk about using peer-to-peer payment apps.
- [34:12] When your habits and your contacts are public, it makes it easier to social engineer.
- [35:29] Virtual mailboxes can add additional privacy.
- [39:50] Issues with IoT devices include how data is being stored, transmitted, and shared.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Josh Summers
- All Things Secured
- All Things Secured YouTube
- Go West Ventures
- Josh Summers on LinkedIn
- The Unexpected Cost of Privacy with John McAfee
- Privacy.com
- IronVest
- PostScan Mail
- Traveling Mailbox
Transcript:
Josh, thank you so much for coming on the Easy Prey Podcast today.
Thank you for having me. Appreciate it, Chris.
Sure. I’m looking forward to this. Can you give myself and the audience a little bit of background about who you are and what you do?
My name is Josh Summers, like you said. I am the host of the All Things Secured YouTube channel. We’ve also got the website, allthingssecured.com.
At its core, I essentially want to help people become a hacker’s worst nightmare, and essentially, that’s just being aware of the various privacy practices and thoughts that can impact and methods that you can use to ensure better privacy for yourself.
That’s just something that I’ve become more aware of living internationally because I’ve lived overseas with my wife and my two kids for, gosh, I think we’re closing in on two decades now. It’s been quite a while.
So what got you interested in this space?
Well, for me, it started while we were living in China. My wife and I were out there initially just teaching English and eventually doing business. The thing about living in China that you learn pretty quickly—we were there in 2008 and 2009 when all of the censorship started happening, so Facebook got blocked, Gmail eventually got blocked, you can’t watch YouTube, you can’t do all of these things—as foreigners and even Chinese citizens just began using VPNs. That’s when VPN really started blowing up is when censorship became a big deal.
I used VPNs a lot, and that was my introduction into this world of tracking and what is an IP address; I’m sure you know a little bit about that.
Just a little.
Yeah, why would I want to change that? Why would I want to hide that? All of these little things. Really for me, it really came to a head at the end of our time in China. We had been there for about 10 years.
To give you a little bit of context, you may have heard of Tibet. A lot of the stuff that happened, we were actually in a region north of that. At least over the past decade and a half, it has been more sensitive than Tibet. There was probably what I would say most of the new surveillance technology that is becoming commonplace around the world right now, it started and was tested in this part of the world. Every type of surveillance that was happening was happening there, and we were aware of it, but it just intensified very slowly over about a decade’s time, thanks to just some unrest and political reasons.
For us, I was running around, I did a lot of stuff with Lonely Planet, travel-related stuff online, and that was where I was getting, doing a little bit of business there was with the travel-side stuff. But that also meant I was running around this very sensitive region with a camera, talking to people and gathering information, things that, if you are a Lonely Planet author or if you are writing your own travel guide, it makes sense. This is what you need to do. But for a government watching from the outside, I can see it now in hindsight, it looked too suspect.
Eventually—this was in 2018—they pulled me in and I received the full treatment. It was definitely scary for me at the time. It’s never fun to be detained and interrogated by a foreign government. You don’t realize when you’re traveling abroad that you’re giving up a lot of rights. You’re not in your home country where you have certain rights that you can hold onto and trust. When you travel abroad, you give up those rights, especially when you’re in a country like China or others that maybe don’t have the same human rights standard that we do in other parts of the world.
So they took me in, and that was when the mass surveillance that my wife and I had been living under for a decade really started to crystallize in terms of, “Wow, I didn’t realize how much they were watching me.” Like, what were these cameras capable of?
I didn’t realize when they had these stands, we would go through and they would actually plug something into our computers. You’d get off the bus and there would just be a stand there. Everybody had to plug. They said they were just scanning for malicious content. They were scanning for things that were anti-government.
What they were able to gather from doing that, like all of these things that I knew probably were not right, or not necessarily not right. They legally had the right to do it, but they just didn’t feel right to me. Then during this interrogation time, just bringing up, “Why were you in Hong Kong at this time? Why did you talk to this person? Why did you have this on your phone?” Things that really jarred me. And it was coming out of that experience.
Eventually, thankfully, they decided that I wasn’t enough of a threat, because I wasn’t. I wasn’t a threat, but they kicked me out, told me I wasn’t allowed in China anymore.
That is what really began my journey of, OK, I’m a little more conscious now of what this mass surveillance is. Even though I don’t think it’s possible to completely go anonymous or completely go just invisible, I do want to consciously start making steps to take better care of my privacy. That’s where it started for me.
Interesting journey. Can I ask a few follow-up questions about that, if you don’t mind?
Please.
How long were you interrogated for?
My wife and I were interrogated for 17 days. We had our passports taken from us. I was literally taken to an interrogation facility. They had a camera on me at all times. I like to say that, when you think of a movie or a TV show where someone’s getting interrogated like that, that’s what I experienced. It’s fun and games when you’re watching it on TV. It is terrifying when you’re going through it in real life.
And I assume you had no access to the US Embassy during that time?
No. That’s something I learned through the whole process. There are things that you’re supposed to legally be able to do, and then there are ways around that.
For example, I’m pretty sure that according to international treaties or whatnot—I’m not an expert in this—you are allowed to ask for a translator, or you are allowed to ask to call your state department. Something along those lines.
I did that and the response that I was met with was, “Well, we can get a translator for you, but if we have to do that, then we’re going to do this to make your life even harder.” It’s a choice. “We’ll do that for you, but then we’re going to put you in this solitary cell instead of giving you nice food and do all this stuff.”
It’s like, “Well, gosh, I don’t want to be there, so OK, I’m not going to call a translator.” They know my Chinese was good enough to go through this. Same thing with the State Department. All of these things where they use leverage to get what they want.
I think through that whole thing, what I learned—this is probably not even truly relevant to all of your listeners, Chris—was no matter how much you read in books, no matter how much you’ve watched movies and TV, when you get in a situation like that, the people who are doing the interrogating are the experts, and you are not.
I’m not a trained spy or anything like that, so I was severely outmatched for every psychological trick that they were using on me. I can see with a better clarity coming on the other side of it, but at the time, it just felt like they were totally owning everything about me.
Was the concern that they had that you were a spy and that Lonely Planet was basically a cover for that?
Correct. This region of China is known for a lot of, I guess, conflict between the indigenous peoples and then China, who says they’ve always been there, similar to a Taiwan-type of thing in Tibet. They were concerned that I was some government agent that was passing along messages between that people group and whatever government, whether it was the US or some other government. That’s what they were concerned about more than anything else.
Even though they had access to your phone and your laptop from the kiosks, and it was all Lonely Planet content, that wasn’t enough?
Yes and no. It’s interesting. Sometimes when you get into security and privacy, you start adopting certain habits or testing different tools that in some ways are really good, but in other ways, in an ironic way, tend to make you look more guilty. I wish I had it with me. It was this USB device that was locked with a keypad. I love that thing. It is fun.
It looks suspicious.
It looks suspicious. They found this on me and they were like, “Oh, we knew you’re a spy, and now we know for sure because you’ve got this device. Unlock it for us. If you do the nuke code”—because you can do a code that just erases it—“we’ll know about it, and we will just put you straight in jail.”
It was those types of things where I had thought I was being really cute and fun and trying to protect certain parts of my privacy. I think that device had what I call my death file on it. So if I die, “Honey, here’s all of my bank, all the stuff that has to do with our finances and insurance and all that stuff.” It’s on this one device, and I just want to protect it. But by doing so, it just made me look like I was hiding something from the government that I wasn’t.
That’s awful. I can see how that experience and your interest in privacy up to and during that can really shape your perspective. I think it’s one thing if you’re in the US, the chance of that happening is really low, that there’s a little more of the context of, “I want a lawyer.” “OK, we’re going to get you one.” Whereas when you’re in your foreign country, the rules of the game are just fundamentally different.
Correct.
How has that changed your view about having reasonable privacy in your life? Or practical maybe is—
I love that idea of practical privacy, because a lot of times with what I do—very similar I think to you, Chris, in sharing just these tips and ideas for building better privacy, being consistent with that over time—the pushback that I get is usually one of two things. Either, “I don’t have anything to hide,” or, “It’s all out there anyway. We’re screwed. You can’t do anything about it.”
Both of those are understandable. I don’t want to make fun of anybody who has that thought. As far as the nothing-to-hide thing goes, I love this quote by Snowden. He says, “Arguing that you don’t care about privacy because you have nothing to hide, is like saying you don’t care about free speech because you have nothing to say.” Just because you don’t have anything to say right now doesn’t mean it’s not valuable to protect that right.
Just because surveillance is legal in places like China and the US, all over the world, and even with big tech the way that they watch and track a lot of what we do, in my mind doesn’t necessarily make it ethical. When I think about privacy, a lot of what I’m thinking about is yes, total anonymity is going to be impossible. We’ve already lost a lot of that. However, I do believe that small, consistent steps toward privacy are beneficial and helpful to make us less of a target.
You’re never going to go through life and find a place where, “OK, I’m now free from the threat of a hacker, or a threat of phishing, or threat of anything like that.” There are always going to be those hackers and people that are trying to take advantage of us, but becoming not the low-hanging fruit, whatever the opposite of the low-hanging fruit is, is a worthwhile endeavor.
And it doesn’t take as much effort as it seems. It’s not like you’ve got to throw away your iPhone, go off grid, and not use a SIM card, all these things. It’s just what I call small, consistent, practical privacy steps.
I like that. Let’s talk about what surveillance is, whether it’s governments, corporations, marketing agencies, or just the engine that is the Internet. In what ways are we being monitored? And then we’ll talk a little about the steps that we could take. Some of that is malicious and some of it is the system that we live in.
Exactly, I agree with you. I think a lot of it is the system that we live in. When we were in China, cameras were huge. I think they’re becoming like that all over the world now, where there’s facial ID tracking that’s happening. They’re basically monitoring exactly where you’re going. It seems like a big deal, but the device you’re carrying around in your pocket has been GPS tracking you everywhere you go anyway, so it’s not like that’s a massive new thing that’s happening here.
The big thing in China where we’re at again, like digital currencies—I haven’t been there a few years now because we were kicked out in 2018—my understanding is it is almost impossible, it is very difficult now to use cash. There are a lot of places that won’t accept it because they don’t keep the change. It’s just so easy and so accepted to use digital currency.
I think that’s where we’re headed, even in the Western world as well, tap to pay, using your phone, watch, or whatever to pay. And these are not bad things. The thing that I’ve recognized about security and privacy is there’s always a trade-off between that and convenience, and you’ve got to find the balance that’s good for you.
If you go all in on security and privacy, it’s going to be a very inconvenient life. But if you are very concerned about things being easy and convenient for you, you’re going to give up a lot of privacy and security.
A lot of that, the tracking came from what was happening digitally online. Whether that was the payments that we were making, using phones and everything that I was doing on my digital devices, the websites that I was visiting, I was fully aware that I was being tracked by the government while I was there. Just like hopefully people should be aware that when you are searching for something on Google, that Google is tracking exactly what you are searching for, especially if you’re logged into your Google account.
Same with Facebook and the Facebook Pixel. I’ve run across a lot of people that think just because they don’t have a Facebook account or just because they don’t log into it on a regular basis, that, “Oh, Facebook is not tracking me.”
I actually did this once, Chris. I don’t know if you saw this video. I downloaded all of the files that Facebook had on me, and I did a mock-printing of it. I didn’t actually print it all because it was going to be thousands of pages, but I took out what would’ve been thousands of pages, stuck it on my desk, and said, “This is what Facebook has on me, and I’m not a Facebook power user.”
I probably post twice a year on my Facebook page, and that is the extent of the data that they have on me. A lot of that just comes from tracking what we’re doing online. There’s just a lot of that stuff that if we’re aware of it, there are easy ways to sidestep it. But most of us just go through life unaware of the fact that there is a lot of mass surveillance that’s happening. It’s not all malicious. It’s not all going to end up destroying us, but it does add up over time.
And it’s interesting. I’ve seen this come out in a number of cases, like the Apple App Store. “Here’s an analytics developer kit.” And then the developer wants to know how my app’s being used, when, where. That’s the information that the developer is seeing.
But what the developer doesn’t see is that it’s also fingerprinting the devices and using it for advertising targeting. Developer just has a free analytics package and they’re like, “Hey, this is really cool. I got what I needed,” not knowing that this—I don’t want to say it’s side-loaded; it’s not malicious, but there are other stuff going on that they weren’t abundantly apparent of.
Yeah. Google’s made a big deal about, “Hey, we’re not going to be tracking with cookies now.” This whole idea of fingerprinting, there are just so many different aspects of what we do online. Whether it’s the resolution of our screen, the browser that we use, a lot of these data points by themselves don’t mean much, but when you combine 50–100 of these data points together, they actually fingerprint to a pretty accurate degree who you are.
Again there are ways to avoid that, but if you’re just going through life regularly using Chrome and staying logged into all of your services and everything, it is surprisingly easy to track what you’re doing, with or without cookies, with or without a lot of these things that we think are the main culprits.
At least from my perspective, I think very little of this is malicious. It’s a monetization game. Hey, everybody runs a business and they want their ads to be more effective. The points in my life when I ran ads and I work for companies that run ads, we want the ads to be effective. We want to go get it to the target audience. We don’t want to waste money trying to sell life insurance to someone who’s 95 years old. They’re not going to buy it.
I always have this little wrestling match within me because I’ve seen both sides of the argument. “OK, well we can make all of our products and services more expensive because the advertising of those products and services now cost way more, and the middleman is making more money now.”
There are different paths you can take here. Again, you could go totally nuclear and say, “I’m going to delete my Facebook account. I’m going to stop using Google anything, YouTube, Gmail, all that stuff.” But I don’t think that’s absolutely necessary if you don’t want to.
There are ways to build a privacy moat around your digital life while still staying in contact with your friends and family via Facebook, Gmail, and all these other things. But that really is a choice that every individual has to make. I don’t think everybody has to do that. I think some people really do want to go nuclear. And I definitely don’t think everyone needs to go nuclear on their digital life either.
For the listeners, if you want to know what going nuclear in your digital life is, listen to the episode with John McAfee. The thing that surprised him the most, and we ended up naming the episode after it, was the cost of having privacy.
He had to lie to his friends and family all the time because he was on the run from the government. He didn’t want anyone to know where he was and knew that if I told my family that I was here, they might inadvertently let it slip to someone else.
Then that gets back to the government. His world got a lot smaller of the people that he could trust, and friends and family were not part of that. They were on the outside of that circle.
I’m not advocating that anyone goes that extreme. I don’t think that’s a benefit to most people.
I agree.
Of the practical privacy, what are the steps that we can take?
I think there are a lot of different steps that we can take. First of all, I think that being careful about how you share data is important. Even you and I talking, and this isn’t because I don’t trust you or anything like that, but I’ve shared with you that I’m in Thailand. But that’s about the extent of it.
It’s not, again, because I don’t trust you or I don’t trust anybody who’s listening to this. It’s just, that’s my level of comfort. Some people know what city, but I’d like to maintain a little bit. I don’t need to give out that information. Sometimes we just voluntarily vomit out very personal information that doesn’t necessarily need to be shared. That’s one thing.
I think there’s another aspect where there are a lot of options for alternatives for services that we normally use, that offer an end-to-end encrypted service. That is that alternative.
For example, I have Gmail. I still use it. Everybody that I know that I’m really close with has my Gmail account that I’ve had since I was, gosh, in high school or whenever that first came out. That’s still valuable to me.
But I’ve also opened up an end-to-end encrypted account. There are a lot of them. There’s Proton, there’s StartMail, there’s Fastmail. There are a lot of these that offer end-to-end encryption.
Gmail has encryption, but it’s not exactly the same. So using that and making sure that, “OK, anything that goes between me and my CPA or me and my lawyer gets done through something that is encrypted.”
Same with a lot of the texting apps that I use. I use WhatsApp for some things and iMessage, but Signal is a great option if I really want to make sure that everything is encrypted. So make sure that you’re trying to at least use encrypted services for those communications that are a little more sensitive. Obviously we’re not trying to hide anything illegal here. It’s more just this is something that I think is important.
The other thing that I do when it comes to reducing my digital footprint is using what I would call masking services where possible. This isn’t always, but where possible, I want to mask a few things.
First of all, I want to mask my phone number. Whenever this phone rings—this is the one that I carry with me—the only people who can ring that phone are my wife, my mom, and a couple of other family members. That’s it.
Everybody else gets routed through a virtual number. That virtual number, I have a lot more control over. It doesn’t necessarily ring my device. It allows me to make sure that, “OK, I don’t want you to have my exact phone number.”
The same goes with my address. I have a virtual address for my business. It makes it easier living overseas having a virtual address in the US where mail gets sent, it gets scanned, and then I can check that mail anywhere, anytime.
I can have mail forwarded from there to anywhere else that I want internationally. That way when I give out my address, I’m not giving out my home address or my parents’ address or anything like that. I’m masking that information.
I can do the same with credit cards. You can use virtual credit cards to make purchases. I have a house that I rent in the US. I had a guy that like, the city came and they were like, “Hey, they sent me a notice. Your trees are too big, whatever.” I’m like, “OK, fine.” We got somebody to go out and cut down these trees.
I hired a service and they sent me something back. They were like, “Hey, we need your credit card for payment,” and this is just over email. I was like, “Ah, I’m not really comfortable sending my credit card over email.” They’re like, “Well, we don’t accept checks and you’re not here to give us cash.”
I created a virtual credit card number that had a one-time use limit. The cost of the service was like $700. I put $700 on this credit card. They can keep that credit card number. They can distribute. They can publish that credit card number if they want to. It doesn’t matter to me because it is a one-time use. The moment they ran that card, if they ran it for more than $700, it wouldn’t have gone through. Once they ran it for $700, that credit card number was now useless.
So doing that kind of stuff, where I’m masking the data that I’m giving out and being careful who I give it to, is something that you can gradually do over time. Even something as simple as you’re like, “Oh, man. My phone number already is in the hands of a million people.” Well, great. Port your current phone number over to Google Voice or any other secondary phone number service—there are a bunch of them out there—then start fresh with a new phone number that now you give this one only to your spouse and close friend and family member, and start working with the secondary phone number and figuring out how you want to receive those text messages and those calls.
I think there are those, like I said, small steps towards privacy, that layer over time. It’s not something like I said, like we were talking about a minute ago, Chris, where you have to just go nuclear. There are those steps that you can take that do have an impact.
Do you have a particular provider, not necessarily the one that you use for one-time use or virtual credit cards, that you like?
There are a few of them out there. Privacy.com probably has, I think, they give you 10 free ones. The thing you have to note for a lot of this stuff, though, is I think privacy.com has a KYC policy.
Anytime you’re dealing with financial services, they have to know their customer. It is a little bit concerning when you’re sending over your Social Security number or something so that they can verify that you’re a US citizen and all of this type of stuff, but it does allow you, I think, to have 10 free virtual credit cards that you can set up.
They can be one-time use. You can also set it up to where it’s a max use per month. Let’s say I have one set up for my streaming services where it’s like max $50 a month. I’ve had times where Disney+ raises their rates and suddenly they’re sending me an email that says, “Hey, we tried to charge your credit card for more and it won’t go through.” It’s like, “Well, yeah. You raised your rates, and I’m not really happy about that.” So I can have a choice. I either raise that credit limit for the month or I change my service or however I want to do that. So privacy.com is one.
IronVest is another service that offers these virtual credit cards. There are a couple of others. There’s one that I’m testing that’s in beta, so that’s not worth mentioning. They offer different types of services. Either a debit card-type of service or a credit card. But in both ways, you can either prepay or have it connected directly to your bank account.
And I know some of them also allow vendor-specific charges, so like I use this one for, let’s just call it, Netflix. Netflix could charge whatever they want on it. But if there’s a data breach at Netflix and it gets out there, they try to run it, it doesn’t work anywhere else. But it also means that if there was a data breach, you don’t have to cancel that virtual card because it can only be used at Netflix.
I actually had one time where I published—I set it on a YouTube video. I was like, “Here is my credit card for Netflix. You’re welcome to try to use it. It’s not going to do you any good because this is only my credit.” Now imagine if I did that with my actual credit card. That would be terrible.
Before you even finished uploading the video, it would be used.
Exactly. It just baffles me that we still have that problem in our current system. It shouldn’t be like that. It shouldn’t be that this one number gives somebody access to all these free financial services in your name. I’m surprised that that hasn’t changed yet. Hopefully it will soon, but for the time being, using virtual credit cards is great.
How about peer-to-peer payment apps?
I haven’t used that nearly as much. I know that there are a lot out there. Are there certain ones that you use and like?
I will generally avoid doing that. I will only use the peer-to-peer payment apps with people that I actually personally know in person. We went out to dinner and we don’t want to put six credit cards on the table because the poor waitress is going to be like, “I hate you all,” or someone doesn’t have the cash to throw it in. It’s like, yeah, I’ll put it on my card. Venmo, I think, is the one that we use.
I’ve used Cash App, but it’s only people that I would as a result of a transaction that I would do in person. And only done at the time that I’m doing it in person. If one of them contacted me and said, “Hey, can you send me this for that?” “No. It’s not.” Only happens when I’m in person.
I think that’s a great point. I’d also add to that because this doesn’t compute to me. I have used Venmo in the past, and I don’t understand why people make their transactions public.
I know why. For anyone listening, the default for Venmo is everybody can see not the amount of your transaction, but that you made a transaction, what it was, and what you said it was for. That’s the default setting on the app.
And you do not need that. If you use Venmo, go and turn that off. Make sure that your transactions are private because I just don’t think that’s necessary and it’s ridiculous.
Yeah, because anyone looks at any of your friends and they have it turned on, they know exactly when they sent money to people, and depending on how they like to document stuff, potentially exactly what it was for. That’s just social engineering. It’s gotten a few politicians in trouble. Someone found out their Venmo account and was able to see like, “Oh, they’re making these unusual $500 payments to this woman on a very regular basis. I wonder what that’s for.”
And it doesn’t even necessarily have to be something you’re doing that’s wrong. It’s not that we want to hide illegal activity or things that are bad. It’s like you were saying: it makes it easier to social engineer when your habits and your contacts are known and are public. It’s too easy to manipulate.
If you were to look at someone’s Venmo history, and it was always, “Hey, I’m eating with friends.” You are like, “OK, this person likes to eat out. I could send them a phishing email for, ‘Hey, dine out in your local neighborhood. We’re opening this brand new restaurant. We want to have you show up and be one of our soft-opening guests, and we’ll give you a $100 dinner for free.’” If you’re a foodie, that might be enough to get you to click on a link.
Exactly.
And then you’ve been socially engineered.
Yup.
I know you talked about the alternate physical mailing address. Is there a particular service or list of services that you like or would recommend?
There are quite a few that are out there. Some that are more expensive than others. The one that I use, there’s PostScan Mail and there’s one called Traveling Mailbox. A lot of these are geared towards people that are, let’s say, RV-ers or people that live overseas like myself. But I think that they are, like I said, really valuable for those that want privacy.
It’s harder to use if you’re like, “You don’t give Amazon these virtual addresses because that just adds an extra expense.” It gets sent to your virtual mail, then you’ve got to pay to have it shipped to your actual location. But a lot of times, again, there are different types of these virtual addresses. There are some that outsource to third-party mailing centers. Neither of these are bad. It’s just different levels of privacy.
I’ve actually visited one of these, and I don’t know if you’ve been into one of these third-party mailing centers. They’re not Fort Knox. They’re selling you, give greeting cards, and then there’s a pile of mail sitting on a table right behind the counter. I didn’t even have to show my ID. I was like, “I’ve got a piece of mail for Josh.” And they just went over, “Is it Josh Summers?” “Yeah, that’s me.” Then they just handed it to me. So there’s that kind of privacy.
Then for those, like the one that I have that’s PostScan Mail, a lot of those addresses are actually owned and operated by the company itself. It’s an address that’s usually in an office park, the cameras, locked doors, all that stuff.
Again, this is used by companies that want to make sure that they have total privacy for their mail. It’s used by people like myself that just want to ensure that nobody else can get access to these pieces of mail. It makes it a lot easier to digitize your physical mail because I don’t really want to have to go out to my mailbox. I think it just makes sense to have that.
So PostScan Mail is one that I’ve used. Traveling Mailbox. There’s VirtualPostMail. There are a lot of these. I think Earth Class Mail was actually bought by somebody who I think it was like Legal-something.
Anyway, there are a lot of those out there. You just choose an address that’s in the city that you wanted to have it in. Then you choose your plan of how many scans, like how much mail do you expect to receive. I pay somewhere around $15 a month for that.
And I assume it is probably a certain amount of KYC—Know Your Customer—there as well that you probably can’t open it up without providing at least some form of identity.
There is and there isn’t. I think the only thing that’s required in the US is a Form 1583, which is what the USPS requires in order to deliver mail to a location for a particular person. That requires me to notarize the Form 1583. I don’t like that, and then you’ve got to show some ID when you’re doing something that’s notarized, but I don’t actually give my ID to the company, so I don’t give it to PostScan Mail or Traveling Mailbox. They’re just scanning the mail and opening it for me.
And they have a document on a file saying, “Yes, this information was shown.”
Correct. “We have the legal right to open this mail on this person’s behalf.”
If I’m not mistaken, I think that paperwork is actually in the process of being changed out this year.
Oh really?
I think they’re moving it to two forms of ID now.
Interesting. OK.
Just one you’ll find out in your next renewal. I think I saw a document somewhere where it was asking me for my PO box saying, “Hey, you’re going to need to provide two forms of ID now.”
With your PO box, I know that some post offices do that, but do they actually scan anything that comes to the PO box, or is this one of those where you have to go and pick it up?
I don’t use an actual PO box at the post office. I just always call it my PO box. It’s a UPS store. I don’t care. It’s easy enough to figure. They won’t scan anything there. It’s within reasonable traveling distance of where I live. I won’t say how close, though.
Yup.
I think you have talked about this before. What about IoT devices?
IoT devices are interesting. I have to be really careful. I’m actually testing for the first time ever, right over here if you’re watching on video, a camera system in my office here. I wouldn’t ever put a camera system in my home. But I have a lot of expensive equipment in my office, so I’m testing it out.
My biggest issue, especially when it comes to any kind of data, is how is it being stored, transmitted, and shared? Where is it being stored? Is it being stored on an AWS server somewhere that I don’t know, or in Singapore, or who knows where? How is it being transmitted? Obviously, I would hope there’s going to be some kind of encryption, but what kind of encryption? And then who has the right to view any of that information?
The only reason I have this camera system for me is because, and I’m still testing this out so I’m not going to necessarily give the brand name or anything, but they claim that all of the video footage stays on the hub, which is here locked away in my office. It’s not uploaded to their servers. It’s not transmitted to the company. It stays local.
That, to me, is something that I’m more interested in, and that’s true of any IoT device. I want to make sure the data that is being collected by that device, where is that going? And a lot of times, that’s not easy to find out. You think, “Oh, why would my refrigerator upload any information?” Well, it does. It uploads a lot of information.
And why is your refrigerator smart to begin with is always my question.
Exactly. Back when we were in the US, we were having to replace our garage door opener. They were asking me, “OK, well, would you like the Wi-Fi version? You can open and close it from anywhere as long as you’ve got your device.”
Again, it goes back to that privacy and security–convenience balance. Is it cool to be able to say, “Oh, wait. Did we leave our garage door open? Let’s check on our phone while we’re at the grocery store.” Yeah, maybe that’s a little convenient, but I think I would prefer not to have that as an option when it’s not necessary. I would rather just double-check and make sure that my garage door is closed every time I leave.
So I think there is added functionality to a lot of these IoT devices that lure us in with this idea of even greater convenience, even greater creature comforts. I would just view that with skepticism and say, “Is this really going to make my life that much better?” And then what are the risks that I’m introducing if somebody were somehow able to get access to the data that this device has? Or to the feed of whatever that is, whether it’s a camera or something else?
That’s awesome. I know we’re up against a time deadline here. Josh, where can people find you online?
If you just search All Things Secured, we’ve got a website that has a lot of different tutorials and helpful tips there. Then the YouTube channel. If you just go to youtube.com/@allthingssecured, you’ll find a lot of our videos there, and hopefully all really helpful stuff.
Awesome. Josh, thank you so much for coming on the podcast today.
Thank you very much, Chris. I appreciate it.