
I am a security researcher and three letter agencies have talked to me more than a couple times about their interest in my work.

I got a used, manual-transmission, easy-to-repair vehicle with no internet, no cell phone, I only use cash IRL, and the only device I travel with is a QubesOS laptop.

If the CIA wants to track me, they are going to have to work for it. I hope to waste as much of their time as possible.


A former NSA guy worked with me seventeen years ago. He had been retired for five years from the agency at the point we worked together.

He did not own a mobile phone or any internet connected device. Was staunchly against it. This attitude was based on what he knew were the surveillance capabilities in 2003. Ended up retiring to a mountain cabin that was off grid.

Maybe he was crazy, but he never seemed like the prepper type. Just very very sober and serious about avoiding electronic communications.


Well, these measures are a bit outdated. To be tracked now you don't need to access someone's personal devices. You can be tracked with Flock cams, Ring cams, or any of the other thousands of cams out there that are already recording you and logging your car and your details. That grocery store you went to yesterday? Yep, you are logged from the moment you are in the parking lot till you leave. Oh, you used paid parking a day later? Your car is logged too, same goes with bus/train tickets. Neighbors' cams or building CCTV? That too. Your home address is also logged through many ways but primarily your tax filing and driver's license. Your home internet can be logged one way or another too, at router level (think of the many exploits against that). What about your laptop hardware? Definitely it isn't open source. Plus, have you checked your hardware if it's bugged? I personally know someone who ordered a laptop and an XYZ agency bugged his laptop (man in the middle) before it was delivered. A new laptop you order online and your bank info will trigger someone to intercept it and alter it in the middle. And many more details, like, are you sure someone won't stick an AirTag somewhere in/beneath your car to track you? FBI and DEA already used modified AirTags that won't notify anyone with an iPhone around to track drug dealers precisely. What about personal connections like friends and family or work that could be a weak link? And many more ways, without going into further detail. So while your measures might work against some random internet attack or random stalker, against a surveillance state they won't. If they want to track you, they have all the resources (technical, legal, etc.) needed to do so.

>I personally know someone who ordered a laptop and an XYZ agency bugged his laptop (man in the middle) before it was delivered.

How did they discover it and what was the actual bug? Are you aware of Purism Anti-Interdiction service?

Link if anyone is curious: https://puri.sm/posts/anti-interdiction-services/

>FBI and DEA already used modified AirTags that won't notify anyone with an iPhone around to track drug dealers precisely.

Don't AirTags now notify the nearby user if they are being tracked? I have heard of AirTags getting modded to remove the speaker but Apple bypassed this with software updates that alert you out of band (as far as I know). Your assertion would require government to have special AirTags that iOS ignores, no?


I am aware of large manufacturers that have agreements with the NSA to share source code, presumably so they can compile customized firmware.

I would not be surprised if Apple does this.


The protocol is known, creating a tag that rotates IDs every hour should be trivial.

If Apple really wants to (and put their money where their mouth is when it comes to those stupid "Pro Privacy" ads they run), they can start by filing a CFAA lawsuit against said agencies.

> FBI and DEA already used modified AirTags that won't notify anyone with an iPhone around to track drug dealers precisely.

Oh I missed that in the wall of text. Hmm I wonder if this firmware can be captured somehow and compared against the public AirTag firmware.

well they did say

>>If the CIA wants to track me, they are going to have to work for it. I hope to waste as much of their time as possible.


https://en.wikipedia.org/wiki/The_Anderson_Tapes <- 1971! Very prescient nonetheless.

Privacy is like diet, it is not a zero sum game. The less data we give to advertisers and governments the better. The point is to increase the expense of tracking and create as many holes in their databases as possible.

> You can be tracked with Flock cams, Ring cams, or any of the other thousands of cams out there that are already recording you and logging your car and your details. That grocery store you went to yesterday? Yep, you are logged from the moment you are in the parking lot till you leave. Oh, you used paid parking a day later? Your car is logged too, same goes with bus/train tickets. Neighbors' cams or building CCTV? That too.

E-bikes do not require license plates and allow most of this to be mitigated when I use one; they are what I would recommend for targeted individuals and demographics. At some level the movements of my vehicle are tracked unavoidably, but they certainly cannot remotely control the car or access microphones that do not exist, so these tactics still have value.

> same goes with bus/train tickets

I pay cash for these and use them short term so little tracking value here.

> Your home internet can be logged one way or another too, at router level (think of the many exploits against that).

I significantly reduce the chance of this by using VPNs and Tor for most personal traffic depending on use case, and layers of simple open source Linux/FreeBSD networking hardware I set up myself.

> What about your laptop hardware? Definitely it isn't open source. Plus, have you checked your hardware if it's bugged? I personally know someone who ordered a laptop and an XYZ agency bugged his laptop (man in the middle) before it was delivered. A new laptop you order online and your bank info will trigger someone to intercept it and alter it in the middle.

I full-source bootstrapped my own operating systems and compilers and very often firmware (https://stagex.tools). I mostly use desktops, among them a Talos II which is open hardware/firmware.

As the lead author of AirgapOS I recommend sensitive use case laptops be purchased randomly from retail locations with cash and document tamper evidence tactics in detail. These tactics are regularly used to move billions of dollars of value around by large financial institutions we advise, but I also recommend these tactics for targeted individuals like journalists as well, along with QubesOS depending on use case.

https://trove.distrust.co

> And many more details, like, are you sure someone won't stick an AirTag somewhere in/beneath your car to track you?

If I force them to target me in person, where I am much more likely to notice, my tactics have done their job and are good to recommend to the general public, since they cannot do this type of targeting at scale and thus the tactics can protect most people. I really hope they try something like this, because if they do, I am going to waste a lot of their time and have a lot of fun at their expense. I have quite an arsenal of radio forensics hardware, and if my vehicle is ever transmitting anything, it is for sure something I did not put there.

> What about personal connections like friends and family or work that could be a weak link?

I do not share sensitive information with people with opsec significantly worse than my own. Everyone at my job uses the same opsec tactics I do for anything work related. We self-host everything including E2EE encrypted chat, everyone uses QubesOS, etc. etc.

> So while your measures might work against some random internet attack or random stalker, against a surveillance state it won't.

My tactics create massive holes in surveillance capitalism and government tracking databases they would need to deploy agents in person to fill. If thousands of people use my tactics, suddenly they run out of agents to stalk people.

My goal is not to make tracking impossible, it is to make myself mostly invisible to surveillance capitalism and blackhats who are my most likely threats, and as a nice bonus require a government to get a warrant and spend a lot of money to track me or anyone using my tactics.


Respect! But have you ever considered using https://genode.org/ instead of Qubes? At least conceptually? Or even more crazy, because of 'chinesium':

https://en.wikipedia.org/wiki/HarmonyOS / https://en.wikipedia.org/wiki/HarmonyOS_NEXT / https://en.wikipedia.org/wiki/OpenHarmony / https://en.wikipedia.org/wiki/EulerOS / https://en.wikipedia.org/wiki/HongMeng_Kernel

At least by reading all of the above, it seems they have something like Genode (running on https://sel4.systems/ , amongst others), but instead of some academic research thing, widely deployed commercially, running on consumer-ready devices of all sorts.

Lately all based on that HongMeng kernel thing, comparable in performance to seL4, utilizing containerized Linux drivers by way of a compatibility shim, still fast.

Reads all very impressive and sexy, TBH.


I really appreciate the scorched earth efforts to redo computing with security from the start, but personally I have reached the conclusion that compatibility is key to adoption, and that desktop-focused Linux distros like Ubuntu with yolo security being used for servers is the practice causing the most harm we must end as soon as possible.

QubesOS falls really short in supply chain integrity and server solutions, but IMO the overall hypervisor/IOMMU isolation architecture is the most practical and compatible way forward, though nowhere near as elegant as some of the ideas in Genode.

In EnclaveOS my team and I chose to focus on remote attestation and best available security isolation technologies available to most server CPUs while still using (hardened) linux kernels. We talk about this here: https://distrust.co/blog/enclaveos.html


> What about your laptop hardware? Definitely it isn't open source.

On some older ThinkPads you can install Coreboot/Libreboot. Or even buy them with that, if flashing the firmware seems too complicated/risky, or necessitates buying equipment one does not have at the ready. Same goes at least for some routers, with OpenWRT or the likes, or depending on the used connection technology going 'full personal computer' with some Linux/BSD again, with even more options regarding Coreboot/Libreboot/Dasharo underneath. There are always some paths for at least some aspects of that stuff. Funniest thing, if you don't trust your switches, is something like https://www.apalrd.net/posts/2025/network_smartsfp/ <- that's not the only one. Imagine a cluster of firewalls in your ports!1!!

The question is if it's worth it? Or maybe more like a hobby with the benefit of staying technologically fit, but at the end of the day more like LARPing 'prepping'?


I am a nobody who had a mental health breakdown following an ugly divorce and even though I settled my case - 380 days in solitary, Plea Bargain for Class A Misdemeanor - last month I was cuffed and interrogated in one county simply because I visited downtown and my plates were picked up in a different county when I was trying to navigate family law related obligations.

To put it another way, I'm on a legal-to-harass-list probably for the rest of my life and likely can't do a damn thing about it...beyond the obvious, which I've chosen, which is to enjoy a low-key, crime free, introspective creative sabbatical as much as possible on the fringes of society. Last thing I'm interested in is...whatever they accused me of this time...


lol do you have a face?

Even when trying to find killers, with known faces, we find out law enforcement facial recognition even in a city like NYC is actually not that effective as most cameras are not sharing data and wearing masks in public is socially acceptable now. Eyewitness reports are often the way arrests are made and that only works when a face is all over TV.

Building the FOSS primitives to make tamper evident secure enclaves as much of a default on the internet as TLS: https://distrust.co/blog/enclaveos.html

Is there a way to do this with a local LLM, without any internet access needed?

Yes, Pipecat already supports that natively, so this can be done easily with ollama. I have also built that into the environment variables with `OLLAMA_BASE_URL`.

About ollama in pipecat: https://docs.pipecat.ai/server/services/llm/ollama

Also, check out any provider they support, and it can be easily onboarded in a few lines of code.


Since I do not have a smartphone or a cell carrier, I only have a voip number, which most sites think is a fake number. As a result I often have to use these shady SMS verification services to get my own personal legitimate accounts open.

If you're in the US you can get a real cell phone number with VoIP and SMS that works without a phone for $20/mo with Google Fi. You'd need a phone to set it up but after that you could just turn it off and still use VoIP and SMS from any web browser.

There are BYOD prepaid providers that are even cheaper than that. The lowest you can get is Ultra Mobile's $3.50/month plan, but you need to jump through some hoops to get it working, like getting a physical SIM in person. Tello is $5/month and you can activate online.

Do you get SMS that continues to work when the phone is powered off?

You can still get SMS (and even make calls) over wifi calling, which can be done with airplane mode on and with a VPN router.

But not without the phone

Doesn’t that allow the shady sms service to take over your account?

Tell support you’ve lost access to email and they might allow you to change it if you can still verify sms code


well, the choice is between chance of account takeover - and having no account at all, y'know

how would one "verify sms code" without a phone?


I’d be curious to hear about your experience not having cell coverage in the modern world. What’s it like?

I went about six months without cell service a few years ago. The only deal breaker is this one - that lots of services require SMS authentication and won't accept Google Voice/similar. GPS navigation is a bit worse, because you have to pre-download the maps and don't get realtime traffic. You also can't be contacted when you're away from wifi; this wasn't a problem for me but I can imagine if you had kids or something it would probably be another deal breaker.

It's very nice. Phones are evil.

Maybe they don't like having their precise location tracked 24/7?

That's a good reason for not carrying a phone, but getting a cheap SIM-connected device and leaving it at home next to their computer shouldn't reveal any more information than they already are by using their home internet and VOIP.

What’s it like?

Blissfully tranquil.


Not sure if it flags as fake but I'd look into getting a dedicated Twilio number, then just forward incoming texts to your email or something like that. It would at least get the "shady" part out of the equation as Twilio is pretty trustworthy.

This does not work, I've tried this before. Google verification for example would not accept my Twilio number as verification (about 2 years ago). You can look up a phone number's provider, and numbers from Twilio or others tend to not be accepted.

> as Twilio is pretty trustworthy.

as considered by who? do banks accept a Twilio number as a valid number according to their security best practices?


I'd consider them more trustworthy to pass me an MFA code than some random shady website that the GP was currently using, but sounds like people have tried this and Twilio numbers are on a ban list for many services.

Would it not be easier to get a dumbphone and a super low-end phone plan?

What device do you use the voip with?

If you live in US, get a tracfone with an annual 1500 minute plan for around $20-$30

You can just get a flip phone clamshell, they still do those and don't need a full smartphone (ironically the clamshell still runs Android).

They boot fast and battery can be pulled after

This is how I do all the 2-factor that demands real SMS


I use them to avoid giving my real number to any shitty online service.

You do not own your apple account, and you never did. I would take this as a chance to learn about digital sovereignty and self hosting where you control your own data so this never happens again.

Google and Apple can and will delete your content at any time for any reason and there is no appeals court.


For even smaller images that are always deterministic/reproducible with a multi-party signed supply chain, check out https://stagex.tools

Might want to disclose that you built it.

Also, I took a quick look and I don't understand how your tool could possibly produce "even smaller images". The article is using multi-stage builds to produce a final Docker image that is quite literally just the target binary in question (based on the scratch image), whereas your tool appears to be a whole Linux distribution.


I am one of the maintainers at this point, fair.

This would be a much smaller drop-in replacement for the base images used in the post to give full-source bootstrapped final binaries.

You can still use scratch for the final layer, of course, and that would be unlikely to change size much, to your point.
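As an added example (not from the article, from stagex, or from anyone in this thread): a multi-stage Dockerfile of the kind the exchange above is about, where the toolchain lives in a throwaway build stage and the final image is `FROM scratch`, holding only the statically linked binary. The `golang:1.22` builder image and the tiny constructed HTTP server are assumptions; swapping the builder for a different base (a stagex image, for instance) changes where the toolchain comes from, not what ends up in the final layer.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1: build a static binary. The builder image is an assumption; any Go
# toolchain image (or a full-source-bootstrapped equivalent) works the same way.
FROM golang:1.22 AS build
WORKDIR /src

# Constructed sample program, embedded so the file builds on its own.
# A real build would COPY the project source here instead.
COPY <<'EOF' main.go
package main

import (
    "fmt"
    "log"
    "net/http"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        fmt.Fprintln(w, "ok")
    })
    log.Fatal(http.ListenAndServe(":8080", nil))
}
EOF

# CGO_ENABLED=0 gives a fully static binary with no libc dependency, which is
# what lets the final stage run with no shared libraries at all.
# -trimpath and -s -w drop build paths and debug symbols; they shrink the binary
# and remove host-specific details from it.
RUN go mod init example.com/hello && \
    CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /hello main.go

# Stage 2: the image that actually ships. scratch has no shell, no package
# manager, no libc, no /etc/passwd; only what is copied in below exists.
FROM scratch
COPY --from=build /hello /hello
# Numeric UID/GID because there is no /etc/passwd to resolve a name against.
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/hello"]
```

Build with `docker build -t hello .` and compare `docker image ls hello` against the builder stage: everything in stage 1 is discarded, so the final image is the size of `/hello` plus metadata. The absence of a shell in the final image is part of the point: there is nothing for an attacker who lands in the container to execute besides the service itself, and `docker exec -it <id> sh` fails by design, so debugging is done with `docker cp` or a separate debug container rather than by adding tools to the shipped image.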


Unlikely, but if that did happen an army of lawyers would be willing to help pro bono for such a constitutionally critical case.

Never comply with such nonsense.


An army of lawyers will not make the jail cell more comfortable when ICE has decided to make you suffer. The Supreme Court has seen to that.

Or just do not use a phone at all. I travel internationally without one a few times a year. Europe, Mexico, Canada, Japan, no problems. Dirty looks, but no problems.

I have heard of malware like this, and engineers that found it at Google were instructed by higher ups to ignore it and never talk about it without explanation.

Good luck getting anyone close to this to go on the record about it though given such things normally come with corporate or government gag orders.

There are hundreds of privileged vendor binary blobs on most flagship devices not even Google gets source code to though so supply chain attacks should be assumed.


I think this is broadly not true.

Sure, the NSA can probably pull this off. Thing is, the NSA probably does not need to do this at immigration.

I seriously doubt that this is a realistic problem if your threat model is anything less than "The NSA is very interested in me". In that case I don't see how you could trust any phone, regardless of it having been in the hands of border officials or not.


If you are of interest to the US government or any ally, assume your phone comes back from inspection with a compromised bootloader that will continuously re-infect your phone after you wipe/reinstall.

Wipe it, let them inspect it, sell it, and buy a new one.

