Well this is happening at a convenient time. My 3G 20? year old “Flip Phone” is dying. The power connection has an orientation metal ring that now comes out with the power cord. Verizon is slowly nuking 3G service towers (so it doesn’t get calls in some local areas around Cupertino). The Battery is good for about 5 minutes of talk time (so it mostly lives on life support).
Since it is clearly time to get a new phone, I guess I may as well “bite the bullet” and get one of the Linux phones that you can make secure. It will be bigger and clunky in comparison, and have a lot fewer “Apps”, but I’m OK with that.
Why?
We now have an Existence Proof of State Installed Tracking Software, against your will, that re-installs upon removal.
Note that what this app does is essentially “contact tracing”, one of the basics of spy craft used to identify all your “associates”, known or otherwise.
Bolding by me as editorial emphasis.
https://thenationalpulse.com/breaking/massachusetts-massnotify-app-consent/
COVID-Tracker App Installs Itself Without User Consent, Including On Parental-Locked Devices.
JUNE 19, 2021WAHAGEN KHABAYANMassachusetts state officials recently announced the launch of the “voluntary” MassNotify app, which monitors the spread of COVID-19 in the state. The only problem is the app appears to be installing itself on residents’ and their kids’ smartphones, unbeknownst to users, and without their consent.
The news creates a disturbing new dimension to privacy laws and even private property concerns as hundreds of users have reported their Android phones have had the app surreptitiously installed, without their prior knowledge.
“Thank you MA/Google for silently installing #MassNotify on my phone without consent. But I have a request: Can you also silently install an app that makes my phone explode and k*ll me?” wrote Twitter user Justin Jacobs. Others have taken to the Android app store to register their complaints.
The MassNotify app was developed in cooperation with both Apple and Google, and claims to work anonymously and “not track” users’ private information. This claim was made by Republican Governor Charlie Baker, who said this week: “As we embrace our new normal, MassNotify is a voluntary, free tool to provide additional peace of mind to residents as they return to doing the things they love.”
[…]
Now, nearly 300 users have reviewed the instrusive app on the Android app store, leaving it with a one star rating.User Callie M wrote: “App automatically installed without consent. Weirdly it has no icon and I can’t find any way to open it and see if it could be useful. Bizarre that the state did something like this the very day the state of emergency ended, when over half of adults, myself included, are vaccinated. What info could possibly be necessary with this egregious level of invasiveness NOW? A year ago it would have made sense.”
The app is also managing to install itself despite parental restrictions, as illustrated by user Lex Neva:
“This installed silently on my daughter’s phone without consent or notification. She cannot have installed it herself since we use Family Link and we have to approve all app installs. I have no idea how they pulled this off, but it had to involve either Google, or Samsung, or both. Normal apps can’t just install themselves. I’m not sure what’s going on here, but this doesn’t count as “voluntary”. We need information, and we need it now, folks.”
Steven Nassor wrote: “Installed itself without consent, my rights have been violated and feel as if I’ve been spied upon.”
[…]
Many in the state had no idea the app had been pushed to their devices until they got a notification. The app also appears to be reinstalling itself once forcibly removed by users.“Ghost installed without my permission, and keeps sending me push notifications. I removed it and it reinstall itself. This isn’t something I want in my phone, it’s not something that has permission to be on my phone nor should the commonwealth or any other place/company be allowed to put something on my phone without my permission,” said user Beth Silvaggio.
So now that The State has clearly demonstrated that they can, and will, forcibly install software that is capable of tracking you and that is not visible to the user (only seen as it has the function of notifying users of their proximity to someone marked as a diseased person… Big Scarlet “C” maybe?) there is now absolutely ZERO to stop them from shoving a “Track Me” app on any “Person Of Interest” at all.
Was your phone ever in Washington DC in early January? Expect it…
So I’m going to look at my prior postings on Linux phones. Revisit the current state of the art. Work up a posting, and tell folks what I’m going to run with.
For now, I’ll continue with my “App Impaired” old Flip Phone, but as its days are numbered and few, it’s time for me to embrace the future…
Musings from the Chiefio 
George Orwell 1984.
Thematically, Nineteen Eighty-Four centres on the consequences of totalitarianism, mass surveillance, and repressive regimentation of persons and behaviours within society. Orwell, himself a democratic socialist, modelled the authoritarian government in the novel after Stalinist Russia. More broadly, the novel examines the role of truth and facts within politics and the ways in which they are manipulated.
The story takes place in an imagined future, the year 1984, when much of the world has fallen victim to perpetual war, omnipresent government surveillance, historical negationism, and propaganda. Great Britain, known as Airstrip One, has become a province of a totalitarian superstate named Oceania that is ruled by the Party who employ the Thought Police to persecute individuality and independent thinking.[5] Big Brother, the leader of the Party, enjoys an intense cult of personality despite the fact that he may not even exist. The protagonist, Winston Smith, is a diligent and skillful rank-and-file worker and Outer Party member who secretly hates the Party and dreams of rebellion.
@earl: “The protagonist, Winston Smith, is a diligent and skillful rank-and-file worker and Outer Party member who secretly hates the Party and dreams of rebellion.”
“The protagonist, E.M. Smith, is a diligent and skillful rank-and-file worker and Outer Party member who secretly hates the Party and dreams of rebellion.”
Fixed it! (Just kidding!)
After viewing the video of the Moto 7 root and install of base Android, I got one and have rooted it. I got stuck trying to install base Android because Cyanogen mod ceased to keep updating. Haven’t had a chance to revisit it due to time constraints, but will get back to that soon.
I wonder if you have to be using Google store for this tracking app to be forced upon you? The Moto 7 scheme uses FDroid, no “official” store. If they can push this over a cell connection, that would totally suck.
It’s bad enough big tech uses your computer at will to track you, now this!
I found some additional info on it …
In reality, Apple and Google announced plans for the new software back in April. It was released as a software update in iOS 13.5 and as an update to Google Play Services around the same time.
“The bad news is that you can’t uninstall it, the good news is that it’s not doing anything,” said Feibus.
To see the feature on an iPhone, go to Settings > Privacy > Health > COVID-19 Exposure Logging.
On Android, go to Settings > Google > COVID-19 Exposure Notifications.
The feature is only activated when you install an official COVID tracking app and right now, at least in the U.S., there aren’t many of them.
So far, North Dakota, Alabama and South Carolina say they’re building apps that use the framework. In a statement, Apple says 22 countries have expressed interest in using the system, but big states, including New York and California haven’t gotten on board.
Ironically, the system is highlighting the extreme tracking abilities of our phones. Sales are up at a company called Silent Pocket. They sell a $70 smartphone privacy pouch.
https://ktla.com/morning-news/technology/covid-tracking-iphone-android-update/
Washington State, months ago, began sending notices about possible contact, but I was not carrying a cell phone, and I think most people ignored it.
Just a guess, but it was likely useless.
My old flip-phone stopped syncing with the car Bluetooth.
I just bought an iPhone. Still learning how to use it. Being far from towers, at home I can connect (most times) via the in-house wi-fi. I have POTS with DSL.
@TTN:
I’m not so sure the “just kidding” is correct…
What good is my flip phone to the GEBs when I mostly leave it at home and charge it only when it bitches at me with kinda cutesy bell-like dings? I check missed calls and voicemails every 2 to 3 months whether I need to or not.
I grew up with party lines. A private, to-your-house-only line was something to put on airs about.
If things went South, and you were away from home, you just figured things out. No phone. You were on your own and better have enough wits to get yourself out of normal, day-to-day jambs.
.
.
.
That said, when I’m in Florida, I check missed calls and voicemail regularly because I get together with Ossqss from time to time. We talk now and then when his schedule prevents a meetup. He still works and has kids that need minding. I’m retired with time on my hands and ridiculously sucky cell service down in Florida. We manage.
Well, we have an old saying here in farming circles, that when there are too many Gaffers proffering advice, just “pull the honnel back” and create a Stour. ( which translates into ‘open the throttle and create a great volume of particulate emissions of work ( dust ) which will cause the those professors to shift away. So: my “personal” phone is not mine – it , like my PC, is not for personal use at all – ‘that don’t happen here’. they’re ALL for the common family /business good. So the watchers can fill their great heads with total rubbish. Is this a UK thing – hence why the UK gubbermints come out with so much trifle legislation?
Privacy Pouch for < $70:
https://www.infowarsstore.com/infowars-privacy-pouch
Also, I have any state or company issued card in a RFID blocker sleeve and the wallet is also RFID blocking.
@saighdear:
It is a global thing. It is embedded in Google Android and Apple iOS as a “framework” (See Jim2’s comment above).
@Jim2:
Those are nice, the RF blockers, but they also prevent getting calls and when you take it out of the blocking pouch it fingers you. I’m interested in a Linux phone that still works while not fingering me… Basically “Pouch good” especially as a stop gap, “Non-tracking phone better” as a longer term solution.
My old flip phone has a removable battery, so I can just pop that off if I want.
When driving cross country, I put the Florida Turnpike Transponder in a metal cookie tin to prevent random reads of it. Also when not actively using it on the Florida Turnpike. I can just put the phone in the cookie tin too if I wish. Doesn’t fit in a pocket, but it isn’t $70 either ;-)
I did an interesting test with the cookie tin. Put a radio inside. It still picked up AM stations just fine. Seems the lower frequencies penetrate free floating metal shielding rather easily. Maybe I’ll test it with a cell phone… In theory the microwaves just do not penetrate it.
EMS – doesn’t any phone ping for towers? Those pings can be used to track also.
Right, the Moto 7 base Andriod install just de-googles the phone. And after that you have to be careful what apps get installed, otherwise you end up “googled” anyway.
“In theory the microwaves just do not penetrate it.”
There are answers on Quora (2019) that seems relevant, but I’m not knowledgeable about such stuff.
https://www.quora.com/How-does-5G-penetrate-its-signal-in-to-buildings?share=1
Just recently, person visiting a large metro-hospital in Cleveland reportedly had difficulties using an iPhone deep in the interior of this monolith. She was told that was common there.
Well, at my local WallyWorld, my 4G phone loses signal quite quickly. A few feet into the building is enough (steel building on a concrete slab). The tower is a few miles away from the WallyWorld on one of the nearby ridges.
Read the terms of service for any carrier. You pretty much agree to allow anything they want, or you don’t get service.
I recently had to upgrade as my OS was too old for support for several apps I use regularly. That said, I got an unlocked (not associated with any carrier) unit for 1/4 the cost for a 2 year old “New In Box” Note 9 with 512 gig storage. There is no carrier bloatware on unlocked phones and most support all CDMA and GSM connections now days. I use the Pen so needed a note. Unlike IOS, at least in android, you can dig into the bowels of your OS and control much of what you want as long as you know what you are doing. That includes complete control of permissions to the app level. Of course, some permissions are required for some apps to work. I would also say that wireless charging is a great thing to have. I added that capability to other phones that didn’t have it with adapters. This eliminates the plug wear as was evident in EM’s case and seems to be better for the battery than super fast charging that can strain the cells into premature demise. IIRC, HR had a hand crank on his old phone :-)
FWIW, Examples below of what was used for wireless conversion if the phone doesn’t have it in it already.
Yootech Wireless Charger – multiple smart wattage rates for different phones. Amazon link has a ~ in front to halt any mischief in wordpress.
~https://www.amazon.com/Yootech-Wireless-Qi-Certified-Charging-Compatible/dp/B07N682SWY
My Maxx adapter https://www.pricepulse.app/mymax-type-c-1300ma-magic-tag-super-fast-qi-wirele_us_7417445
@EM: Then there’s always the ‘build your own’ route:
https://www.raspberrypi.org/blog/piphone-home-made-raspberry-pi-smartphone/
You could also get a cheap smartphone and root it and install your own OS like Jim2 mentioned.
As for the tracking, I try to keep both bluetooth and GPS turned off (although some apps will turn on location services (GPS, I assume) while others alert you that the app wants location services turned on, which gives you the option). I also tend to turn off Mobile Data, so all I’ve really got is the cell phone and wifi (no data). Hopefully turning these things off at least interferes with the contact tracking apps.
I think I will just put my phone in a tin can. The only thing I use it for is getting calls from numbers I know (all else get sent to email) and reading the news. As it is against the law to dial and drive now, there is no reason to have it on me when I go out. If I get a call that is important, that is what I have Voice mail for.
I wonder if some of the smaller companies have flip phones?
I linked this to SDA – some feedback
“Quicksilver
June 20, 2021 at 10:46 am
Ive been waiting for the Librem 5 phone being produced in the USA. Its Linux based and can become your home PC with a USB C port and converging a monitor, a keyboard and mouse.
It uses physical switches to disconnect bluetooth, wifi, microphone and GPS.
I did some checking today. It doesnt look good.
Sadly, it has a lot of trouble making calls. Could it be carriers arent recognizing something NOT embedded in its privacy focused software?
Ron Braxman explains — Spyware-Free Phones in 2021: We’re being Squeezed!
When they started all that tracking and tracing nonsense, I stopped carrying my phone everywhere I went. I figure if my phone is never within 6 feet of someone else’s phone, that should eliminate a lot of the possible dings.
I also now have 2 land lines at home. The first one was part of a Suddenlink bundle. At $10, it was too cheap not to get. I like to have a land line as a backup in case my cell phone goes wonky and I have to spend lots of time on a phone with tech support. Historically, land lines have tended to keep working even if, say, we have a tornado and the power where I am goes out. I don’t find myself in that situation frequently, but when it happened in 1975, it made quite an impression on me!
The reason I have a 2nd land line is that the Suddenlink land line is apparently VOIP. To make it work, you have to have the modem turned on. I prefer to have the modem turned off when we are asleep. But I still want a phone near me at night. I just don’t want to have it radiating me. So I signed up with another company to have them activate the old copper phone lines that are still in my house, from back in the day when land lines were all you could get. I have two phones on that line. One is in the kitchen and is a new-fangled Vtech corded phone. It does have caller ID and memory, etc. But I have a vintage Trimline phone in my bedroom. I figure if I’m going to have to answer a phone in the middle of the night, or when I’m taking a nap, I’d rather just have a simple one that doesn’t require entering a passcode or finding the fingerprint sensor.
Beyond that, I have made it my habit to forward my cell phone to whichever land line I’m close to, depending on the time of day, and whether I’m at work or not. When I’m at work, it has made it so I almost never get spam calls anymore. Apparently, my workplace has put a significant amount of effort into blocking spam calls. Woohoo!!
Enough about me…
If I remember correctly, Osama Ben Laden required his messengers to remove their cell phone battery as they approached his hideout.
I’m not sure how to do that on an iPhone. But I guess a cookie tin or RF-blocking bag could be helpful.
I will be interested in reading more about the Linux phone idea. It’s just creepy to know that we’re being surveilled so much these days…even if we’re just a little nobody in flyover country.
@Jim2:
I’m not too worried about tower pings. That is a very large radius. I’m more interested in phone GPS, microphone, position and velocity data, cameras, wifi history fingerprinting, etc. Etc.
And some folks wonder why I don’t like to carry my phone around….
Power Grab: “But I have a vintage Trimline phone […]”
Ours is in the front office and has been the only working phone on several occasions.
P.S. Don’t believe a thing Ossqss said about my old phone. I only use that one as a backup. I do not routinely carry it around 😜
I have been looking at
https://e.foundation/e-os/
It supposed to be a clean android “/e/OS is a complete, fully “deGoogled”, mobile ecosystem”
I wonder if you or any of your readers can say anything about them.
If you can manage to root your android phone (getting more difficult!), then even the standard anti-virus satuff gives you a lot of power to restrict apps – including “this app can have data, but only WiFi” and you can “allow” the app permissions when installed, but block those permissions at run time.
@EM: Nice to see your post on Catalaxyfiles.com. I presume that came from from a search of some kind.
AJ – thanks for the e/OS reference. Doesn’t have my phone on it, but maybe, someday, I’ll see if it works on mine.
I think I’m seeing a trend:
I, too, have a Trimline Phone. I use it as a “Butt Set” when doing phone work (that “linemans phone” you see them clipping to wires in old movies). It isn’t hooked up at present, but maybe someday.
@Kneel:
I get to the Catalaxyfiles site from time to time, often via a chain of links from some news article. I think I have it in my bookmarks too. I usually don’t say much, just read. But that guy spouting absolute trash needed a counter.
@Another Ian:
I looked at “e/OS” some time ago and it looked pretty clean. What was unclear was how well it worked. I plan to play with it “someday” but at present don’t have a phone to put it on.
Probably in a few months I’ll just toss some money at it.
@PhilJourdan:
You can still get flip phones, but the hardware is getting so cheap it is reaching that point that you will end up with Android under the shell anyway. IIRC, when I got my testing “burner phone” (as a White Hat I need to know what Black Hats do to know how to counter them, so it was R&D) they had a $19 flip phone – but it was sold out everywhere…. so I paid something like $60 for a Samsung “smart” phone.
@PowerGrab:
Yes. OSBL did require all electronics be deactivated / depot elsewhere. Even cameras.
IF you want privacy, you avoid electronics. (Try, just try to buy a car without electronics. The “Black Box” alone tracks your movements. Preserve antiques!).
@Another Ian:
Looks like that Librem phone uses a FreeScale processor, so not made in China… Nice.
@Pinroot:
Yup. DIY is a possible for me. (Just for the fun of it if nothing else…)
FWIW I first got that bug when I was working at Apple. Visited some other folks in Engineering and one of them was at his desk. In front of him was a bread-boarded phone (eventually to become the iPhone product line). That was the “penny drop” moment that phones were headed toward a computer with attached cellular radio.
Now it is easier to DIY than then. Stuff is a lot cheaper, and smaller, with more ability.
I’d likely not use a Raspberry Pi for it though. There’s other smaller and more capable hardware available. But really, it is easier to just swap the OS on existing integrated phone hardware. (Though if you want full control with hardware switches the set is limited…)
I’m most likely to just start with an OS swap on existing hardware. Buy some used phone where I don’t care if I bugger it swapping the OS, then give it a shot. Maybe later doing a DIY hardware phone.
Bought a phone to play around with this https://grapheneos.org/ based on exactly this (now real) scenario…anyone have experience or thumbs UP/DOWN?
Dear E. M.
In Australia, we get scant and filtered news from the USA.
I have just heard that some January 6th demonstrators in Congress are still being held in solitary without trial.
How can someone check the truth of something like this?
Thank you for your reporting from the event.
Rgds
Richard Hill
Not sure how to check it. The only folks who will know for sure are the D.C. Police and the TLAs.
@Hillrj:
Does look to have corroboration:
https://www.usatoday.com/storytelling/capitol-riot-mob-arrests/
400 seems high to me. Don’t think there were nearly that many on the steps, but maybe there were more inside that I never saw (and don’t show up in photos that only show maybe a couple of dozen).
There was an area on the grass in front of the steps, but past the barricades, that may also have been deemed “off limits”… but that would be mighty petty. Why? Because by the time folks from the Trump Talk got TO the Capitol building the barricades in that area were pretty much moved out of position and it was hard to know what was off limits and what was OK.
In this photo, taken from the approved road area in front of the Capitol, you can see how a barricade part has been moved into the street and disconnected from the rest. We pretty much had to guess (assume?) that the barricades were supposed to be blocking off the lawn area and just didn’t go any closer than this:
This is looking the other way toward the Capitol Steps. You can see it is a very few folks actually up there at the top of the steps. All those folks in between are, I think, maybe past where there ought to have been an official barricade on the other side of the street, but you can’t find it in the photo (or I can’t).
We then turned and fairly soon after left the area returning to the car, then left D.C. So I don’t have photos after this point.
Just sayin, unless you use a CB radio or unregistered SW, you are not going to be invisible, no matter what you do. You gotta have a SIM card or equivalent on a cell phone. I don’t care if you use a cash burner. You still paid for it somewhere and your activity, all activity, is completely visible no matter what you do. All you can do is limit what is shared. You cannot eliminate it.
@Ossqss:
Generally true, yes. However, you can pay cash for the sim card and have NO name on the “account”, then pitch it when done.
In my “Burner Phone Experiment” I did find it was incredibly hard to leave NO fingerprints. OTOH, it was possible to leave so few as to not really be trackable.
Biggest things I noticed (some of which I did “wrong” in my test case):
Need to be disguised during the cash purchase so you are not recorded on cameras. MUCH easier now with mask mandates ;-)
Do NOT use a credit card or debit card. Just cash.
Do NOT activate the phone for a few days. Buy the activation or refill cards (also for cash) somewhere other than the phone. Also do have a disguise on. (The sale is of a known card that becomes linked to a known phone and known sale, so again photo tracking of the sale is an issue / feature for dark / white hats.)
When activating, do it through the phone at a neutral location far from home / work / whatever. Again physical disguise may be needed.
Keep the phone OFF unless actively using it. Don’t leave it on on the charger at home as that just fingered you. Use it in places you do not normally hang out.
If activating / loading more time via their web site: You need an anon computer (getting harder to do with serial numbers in OS and all) at a non-tracking site (or burn the computer identity and MAC address as soon as you use it – easy on SBCs where flashing the uSD card does it.)
Once you get through all of that, the real fun begins.
Who do you call? Family? Friends? Your calling pattern makes a “Contact Trace” that also becomes a fingerprint of sorts. It will tend to match who you call on your regular phone. Soo… You can only use the “Burner Phone” to call folks you don’t normally want to call…
WHERE do you call from? Physical patterns make a fingerprint and narrow a search grid. Also, if used on WiFi, the WiFi names / SSIDs make a fingerprint too, that with enough use becomes a unique identity. For example, I’m certain there is exactly ONE person in the world who has my HOME WiFi ids, my Florida Friend WiFi IDs, and my work WiFI IDs in their phone. Fingered in as little as 3 WiFi detections. (You need not connect to the WiFi for it to record having seen it).
So the bottom line on “Burner Phones” is that not only must you be very crafty and careful in the purchase and activation, but use must be very limited in time, space, and contacts; so that the “fingerprint” is not match-able to the real you on your other phone.
If found it an enlightening experiment, and figured out a half dozen ways to “catch myself”; which is what a White Hat does during that sort of Pen Testing like process.
But I also learned what to do if I needed a private call without contact tracing and how to assure that call stayed private and non-traced. (Unfortunately, that also means tossing the rig after a very short use in time / space / and contacts…)
Note that this is different from just wanting to thwart commercial data harvesting. That is a quantity game. You can “win” just by cutting it down 90% and “rotating identities” from time to time. Find out how to reset the phone EIN (identity number). Swap SIM cards every few months. Block “chatty Cathy” apps ability to ‘phone home’. Etc.
Where a Drug Lord needs 100% perfect secrecy, a privacy advocate just needs 90% reduction and occasional identity marker rotation. Things like flushing the WiFi records of places you have been and changing the SSID (network name) your home router uses when you swap SIM cards. Making a “New You”. You also don’t need to worry about being in disguise when you buy the phone or refill cards as Google does not have subpoena powers over Best Buy & CVS Pharmacy… (at least not yet ;-)
So I’m happy to “just” get a privacy enhanced phone, and a way to change the “identity” it projects from time to time. All I need to do is “dirty the commercial data”. I don’t need to survive a $Million Dollar FBI Man Hunt… (IF the FBI wants to talk to me, they can just post a comment and I’ll phone them up. Or they can come to my home. I’m in the Federal Security Clearance Database for the Federal Reserve Bank. The address has not changed since then. They “know me” already.)
@EM, your not changing the phone IEMI or other designated identifiers contained within it by virtue of your efforts. If that level of worry exists, just use a payphone if you can find one :-)
Not always easy, but here’s a randomly chosen example of how to change it:
https://crazytechtricks.com/change-imei-number-android-mobile-phone-without-rooting/
So yes, I can change the IMEI number should I ever want to / need to.
I hear ya EM, but your IMEI is bolted onto your phone number (SIM) in the network along with other digital identifiers in the device. I have switched devices many times using my old SIM. You have to verify IMEI and properly register every time prior to activation or it doesn’t work and will be blacklisted.
@Ossqss:
Yes, going “that way” is problematic (moving SIM to new hardware). What I’m talking about is changing the IMEI number on a given hardware phone then paring it with a NEW SIM (thus losing the history of the old hardware as being “you” on the prior SIM).
Basically how to reuse the hardware with a new number instead of just pitching it in the trash and buying a new burner (like you see in the movies…).
Keeping the same SIM and account sort of defeats the purpose of trying for more privacy / anonymity as you are already fingered via the SIM and Account.
Sticking a new SIM / account into your OLD phone fingers you via the persistent IMEI number.
But sticking a new SIM / account into either a NEW phone or your old phone with the IMEI changed loses that link of the old IMEI number to you as you in that phone.
I trust that all here have come across the Anom story:
https://www.dailymail.co.uk/news/article-9663125/Fake-encrypted-app-cooked-beers-Aussie-cops-FBI-leads-global-sting.html (there are a number of stories on the Mail site about it.)
– You’d have thought people with something to lose would be a bit more careful, but it looks like clever social engineering can get round a lot of assumed security …