➡ This text warns about the dangers of sharing personal information on social media platforms like Facebook and LinkedIn. Even if you’re not active, your friends and family can unknowingly expose your data, making you vulnerable to side-channel attacks. The text also shares a story about a successful demonstration attack, showing how easy it is to manipulate information and trick people. It concludes by advising people to use platforms that allow pseudonymous identities and unique usernames to limit exposure to such attacks.

Many years ago, I was doing a live stream on the Periscope app, and a troll started insulting me during the stream. I didn’t block that person, and the only identity obvious was some obscure username. The next day on my next live stream, that troll came back, but this time I announced that I knew who that troll was. I gave hints to his location, which was in Fresno, California, and then who his relatives were in Mexico, south of the Texas border. He was pretty shaken up, and actually became a follower. This was a real incident, and some of my old-time followers can verify this.

He thought he was hiding his identity very well, but I got him. Around the same time, another troll started to interrupt my streams, and the next day I announced that the troll was a minor, and when this troll reappeared, I told him that I knew where he lived, his single mom’s identity, the kind of car they have, and I said I would report him to the principal of his middle school. Again, this is real, and the kid also became a follower. In both cases, there was very little to go on as far as identifying these people, but I did it.

All I had to start with was some handle, a random profile photo, and there was nothing in their profile description. And the photo, by the way, was not a face. What I will reveal to you today is that the main part of the technique I use to find out information is called a side-channel attack, and this attack is particularly easy to do if you’re on Facebook and LinkedIn. There’s a reason I tell people not to be on any meta platform, including WhatsApp and Instagram, and also LinkedIn, because this makes a side-channel attack easy. If you want to find out what these risks are for yourself and for your many friends that are likely on these platforms, stay right there.

There are many supposed cybersecurity experts out there, but you will notice that their skill set is all about hacking a platform or a corporate site or breaking encryption. I, on the other hand, focus on threat on the individual, and I can tell you right now that very few, very few actually understand the cyber threats on an individual, and this is what privacy and this channel is all about. So when someone makes a claim that I don’t know what I’m talking about, I’m very amused, because the stuff I’ve demonstrated I can do, I’ve done even live on a live stream.

Today, I want to focus on a specific individual threat that really requires a different kind of thinking. This is what I referred to as a side-channel attack. The general context of this attack approach is really based on social engineering, indirect data, and metadata, or in general, it’s gaining information on you indirectly using human intelligence. Obviously, if a person is very private and does not do social media, likely such a person will be pretty hard to attack with doxxing methods. But if a person is on social media and specifically is on a meta platform or on LinkedIn, then this opens up that person to the side-channel attack, even when you think you can limit your exposure on these platforms.

Just as background, the first troll I mentioned had a locked Facebook account, friends only, so you couldn’t really find anything out from a direct frontal attack. And this is why the attack approach is to do it on the side. Instead of researching the troll directly, instead look at who he is connected to. Now on Facebook, you can hide who your friends are, but what you cannot hide is who your friends’ friends are. You cannot hide other people’s posts. So all I had to do was look at the people who friended him or are in the same groups, and then by analyzing the traffic of the people on the side, I was able to find mentions of the person, find his real name, and then using other databases, find the public records of this person.

Thus, the attack is based on social engineering of the normie. The assumption is that your friends are your threats. Your friends will not implement privacy strategies. Your friends will be in the attack vector because your friends will be very vulnerable, and you will be tied to that. This is a topic I’ve mentioned many times repeatedly. The big threat with most platforms is the relationship map between people on the platform. If you watch the Snowden movie, one of the techniques used by three-letter agencies, it’s exactly what I’m talking about with a side-channel attack. I think in the movie, the three-letter agency was surveilling a Saudi banker, so their approach was to create a relationship map to see who this Saudi person knew.

If this banker had 1,000 acquaintances, then surveillance would be done on all of those contacts. This will be the first degree of separation. Then they would proceed to surveil the contacts of those contacts, thus creating a second degree of separation. If you did this on and on, likely by the time you get to the fourth degree of separation, you would have mapped relationships of the entire population of the US. Or to put it in other terms, you are defined by who you know. This is the basis of this side-channel attack. If one can’t find out direct information about a particular individual, then the way to proceed is to find you among the contacts.

The closer the relationship to the target, the better. This is a particularly big problem with sites like Facebook. Obviously, you can already have designated friends on Facebook. You would have spent your time on the platform accumulating friends. So that’s already the beginning of a relationship map. And to make matters worse, on Facebook, your name is based on your real identity, your real name. Now, this gets worse. Facebook and Meta, in general, uses your phone numbers as your guaranteed ID. Facebook specifically verifies this identity with a 2FA phone number, and they do not accept voice-over-IP numbers.

It has to specifically be a mobile phone number. Then they upload everyone’s contact lists daily, and from these contact lists, they harvest phone numbers, which they can then use to verify 2FA phone numbers, based on what is uploaded by your friends. And from this, they can find connections with people who are not even tied to you on Facebook yet. This then connects this phone information to data on credit reports and contact lists. Next, your friends will advertise their relationship to you, all immediate relatives, school classmates, workmates, and so on, crowd verify your connections.

Tie this to photos posted on the timelines of your friends with your picture in it, attached to you by facial recognition, and there’s almost nothing you can do to hide. Everything is opened up by virtue of normie friends who do not understand privacy. Trust me, I understand this very well just from my own family members. So in general, the biggest threat is that immediately, on Facebook, you’re part of a well-defined relationship map. Thus, if anyone needs to attack you, they just go find these relationships, starting with the closest ones, and look at their vulnerabilities.

WhatsApp is a meta-platform, and if you understand the data connected by Facebook, then you should also understand the data that is known when you’re using WhatsApp. WhatsApp is touted as a secure and private platform for secret communications, but once you understand the effective relationship maps, then you will see the evils of the metadata this platform has access to. I’m going to create a hypothetical story here of a man and woman who meet at a business conference and starts an affair. Both people are married, they have their own separate circles of friends, and may not even live in the same area.

They decide to communicate on WhatsApp thinking they can have private conversations. Now let me tell you what meta will know. First, because each has a Facebook account, their exact location is already known by meta. Meta knows two people are talking and are from opposite genders. Meta knows that they are not connected on Facebook. This is the alternate use of the side-channel attack, as it can be used to confirm that there is something to hide. Why are two non-friends talking to each other regularly? Frequency and length of communications is known. Likely they will communicate at times when their spouses are not around, like during work hours or late at night.

Likely there will be lots of photos involved, likely there will be video calls. There will be enough of a pattern that Meta could actually find all people having affairs on WhatsApp and tell you who they are from their Facebook accounts. This is pretty funny in a way, but if a three-letter agency asks for this info, then this is fresh data for blackmail. All this can be derived from site data or meta data, indirect data. This brings us to the actual source of these threats, and I call this the normie threat. A normie is the average person who has no idea about privacy because they think they have nothing to hide.

Unfortunately, this is the large majority of the population. And unfortunately, this is where the vulnerability lies in attaining privacy. Think about a person named Jim on Facebook who hardly posts on the platform. Very little activity. But Jim’s friends and family are constantly uploading photos with him in it, where the friends are not aware of the EXIF EXIF data on the photos, which has full GPS coordinates, and of course, Jim is known from facial recognition. Jim’s friends are not caring that each of their beliefs and profile is very well known to Facebook and can thus categorize even what Jim believes just based on the groups that he is in and who his friends are.

Again, learn about Jim from his relationship maps. In the case of Facebook, the knowledge about each person on the platform is extremely detailed, with every like, every idea, every action verified and crowdsourced. Jim himself could be super quiet. This is exactly what I found about the first troll. Jim the troll hardly had any posts. He didn’t even use the real name on Facebook, apparently. But unfortunately for Jim, the normies around him made sure he is known to all. So Jim was not vulnerable to a frontal cyber attack. He was vulnerable to a side-channel attack. I can’t remember now if this was at the DEFCON Security Conference or Black Hat.

I know I saw the presentation on YouTube, so likely it was DEFCON. This presentation described a real demonstrated attack on some famous person. I forget the end goal, but something along the lines of a face-to-face meet with the target. This of course was a demonstration attack and no actual evil was performed. But it just showed the vulnerability of people and this was done via social engineering. Let’s give the character some names. The famous woman will be named Anne. The attacker couldn’t get a direct channel into convincing Anne to meet. So the attacker chose the target to be Jack.

Jack was Anne’s boyfriend, which I’m sure would revealed through Facebook. So by finding information on LinkedIn, the attacker communicated with Jack directly about potential employment. Knowing what he did on LinkedIn, it was a pretty good ploy, as Jack, just like most people, would normally think of communications for job opportunities to be low risk. Regular communications with Jack gave the attacker more of an idea of what Jack was like, plus it gave the attacker a schedule so that there would be no time conflict when meeting with Anne. And then the attacker created another social media account to impersonate Jack and was able to convince Anne that the new account was legit.

Then from this, a face-to-face meet was done and the demonstration was successful. Obviously, this was just a demo and there was no harm done, but it just showed everyone’s vulnerability to attacks on the side. Many people think that information about you needs to be obvious, but listen to the intelligence operatives who will tell you that they can make decisions to send a drone to kill just from metadata. So metadata can signal patterns and these patterns can confirm what you want to know. Just like the example I gave about WhatsApp, someone could infer a lot of information just from metadata.

But what I’m saying here is that it’s also not just your own metadata, but metadata found from people you know. This is the hardest thing you can protect against. I’ve told you in other videos of the new See What You See AI technology and now end-to-end encryption as not being as useful because the person you are communicating with can be exposing the end-to-end encrypted app to tainted AI devices. Again, using See What You See technology and the attack can come from the side channel regardless of your own personal discipline and preparation. By the way, in the original Troll story, after I identified the Kid Troll by name through mostly gaming sites, I was able to link it to his mom’s data from LinkedIn.

So similar to Jack, who was also tracked from LinkedIn. The moral of the story is that if the first Troll had no Facebook, then my story would have ended and I would have not made further progress on identifying him. If the Kid Troll’s mom had no LinkedIn, then I would also have been at a dead end because minors would typically have insufficient public records to search through. I realized that social media sites thrive from these social relationship maps. But unfortunately, these are the same features that make them so dangerous. Let’s say that in comparison, two people were talking on an app like X.

This platform does not really have a profile similar to Facebook, so they have limited ability to do a relationship map. Same with an app called Braxme, my app. A relationship map is used to define you, what groups you belong to, with an exact identity that is used to know a lot about you. This is one of the reasons I don’t really support churches creating their own groups on Facebook. It would have been safer for a church to create its own website with its own community area that is independent of a platform where your identity is exact and verified.

Since you as an individual cannot control your friends and family, nor can you protect yourself with privacy switches on these platforms, the only solution is not to play. Don’t be on meta. Don’t be on LinkedIn. You can be somewhere in social media, somewhere where you are allowed to use a pseudo-anonymous identity, somewhere where you can get away with a voiceover IP number for 2FA. That’s fine. Somewhere where you can have a unique email and unique username for that platform. That will limit your exposure to a side channel attack. The future expansion of the side channel attack is with the See What You See tech in AI, as I said.

This one is a hard one because people will not tell you what device they’re using. If they’re using an iPhone 16 Pro or Windows Copilot, you could be victimized by the side channel attack at the other end of your comms. Folks, as many of you know, this channel does not take sponsors, and we are directly supported by this community. Some of you support us on Patreon, locals, and YouTube memberships. Thank you for that. Mostly we sustain this channel through privacy products that we offer directly. Our newest privacy product is the Community Project called Brax3, which is a privacy phone and involves several OS makers.

Currently IO Day OS and Ubuntu Touch. This is currently sold on the indiegogo.com site and Braxtech.net and received over a million dollars in pre-order crowdfunding. This is set for release around the time when this video is published. We also have other products that help you with privacy. We have the Brax Virtual Phone, which gives you inexpensive, unregistered phone numbers with no KYC. We have Braxmail, which allows for unlimited aliases, no metadata, and many obscure domains, so it protects your identity on online platforms. We have BitesVPN, which is our competitively priced VPN service available worldwide to hide your IP address.

All these products are on our platform, Braxme. Join us there and talk to the community of privacy enthusiasts, which are now over 100,000 people. Thank you for watching and see you next time. [tr:trw].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.