A Geek With Guns

Chronicling the depravities of the State.

Archive for the ‘Protecting Yourself and Others’ Category

Social Media for Activists

with one comment

After eight years of unexplained absence, neoliberals who are critical of the State have returned. I’m not sure where they were hiding but I’m glad to see that they’re safe and sound. But a lot has change in eight years so I’m sure many of them are out of the loop when it comes to online security. For example, what if you’re a federal employee who was told by your employer to shut up and you wanted to criticize them for it but didn’t want to be fired from your parasitic job? This isn’t as easy as opening a Twitter account and blasting criticisms out 140 characters at a time. Your employer has massive surveillance powers that would allow it to discover who you are and fire you for disobedience. Fortunately, The Grugq has you covered.

The information in his post regarding Twitter is applicable to any activist who is utilizing social media and might raise the ire of the State. I think the most important piece of information in that article though is that you shouldn’t immediately jump in with the sharks:

These are a lot of complicated operational rules and guides you’ll have to follow strictly and with discipline. If you “learn on the job” your mistakes will be linked to the account that you’re trying to protect. It would be best that you go through the steps and practice these rules on a non sensitive account. Make sure you’re comfortable with them, that you know how to use the tools, that you understand what you’re supposed to do and why.

Some underground organisations have something they call “the first and last mistake,” which is when you break a security rule and it leads to discovery and exposure. You’re the resistance, you need to make sure you can use the tools of resistance without mistakes – so practice where it is safe, get the newbie mistakes out of the way, and then implement and operate safely where it matters.

If you’re planning to partake in activism you should do a few trail runs of creating and maintaining pseudonymous social media accounts. Maintaining the discipline necessary to avoid detection is no easy feat. It’s best to screw up when it doesn’t matter than to screw up when you could face real world consequences.

Written by Christopher Burg

January 31st, 2017 at 10:30 am

The Privacy Arms Race

with 4 comments

Big Brother is watching. Many people have been defeated by the constant improvements in government surveillance. Instead of fighting they lie themselves into complacency by claiming that they have nothing to hide. Don’t allow yourself to fall into that trap. Privacy is an arms race. As surveillance technology improves so do countermeasures:

The use of facial recognition software for commercial purposes is becoming more common, but, as Amazon scans faces in its physical shop and Facebook searches photos of users to add tags to, those concerned about their privacy are fighting back.

Berlin-based artist and technologist Adam Harvey aims to overwhelm and confuse these systems by presenting them with thousands of false hits so they can’t tell which faces are real.

The Hyperface project involves printing patterns on to clothing or textiles, which then appear to have eyes, mouths and other features that a computer can interpret as a face.

Camouflage is older than humans. In fact, much of what we know about camouflage comes from our observations of animals. As predators improved so did the camouflage of prey. To win against the predatory State we must constantly improve our defenses. Against surveillance one of the best defenses is camouflage.

I admire people like Adam Harvey because they’re on the front lines. Will their plans work? Only time will tell. But I’ll take somebody who is trying to fight the good fight and fails over somebody who has rolled over and surrendered to the State any day.

Written by Christopher Burg

January 5th, 2017 at 10:00 am

‘Merica!

without comments

Here’s an easy thing you can do to make yourself safer: don’t go to malls around Christmas. When American shoppers come together near Christmas weird shit starts happening:

A series of apparently unconnected fights and disturbances broke out at malls across the country the day after Christmas, leaving shoppers desperate for an exit and authorities struggling to wrangle unruly crowds.

Several arrests and multiple injuries were reported — including an assault on an officer — and authorities and witnesses described panic-stricken scenes from Aurora, Colo. to East Garden City, N.Y.

Some of the videos are interesting to watch because they show shoppers trying to flee out of the main entrances, which results in too many people trying to cram through too little space. So here’s another thing you can do to make yourself safer: if you are in a mall when a brawl breaks out make a beeline for an emergency exit. Yes, it will probably set off an alarm but you’ll be out of the confined space with the psychopaths.

Written by Christopher Burg

December 28th, 2016 at 10:30 am

Be Safe Out There

with one comment

This weekend is forecast to be fucking brutal. First we’re supposed to be nailed by snow today and then Saturday and Sunday the temperatures are looking to be rather unpleasant. This kind of weather isn’t a joking matter. It kills people.

If you can avoid traveling do so. If you can’t make sure you don’t let your gas tank drop below half full. If you become stranded you can turn on the engine periodically to keep the inside temperature from dropping to lethal levels but only if you have gas in the tank (also, if you’re stuck in this situation, periodically get out and verify that the exhaust pipe is unobstructed by snow). Have a full winter survival kit in your vehicle that includes warm clothes (as in clothing appropriate for surviving this weather, not an old coat you had lying around that’s barely rated for 10 degrees, let alone -20 degrees), a heat reflective emergency blanket, a jump pack in case you need to jumpstart you vehicle, a small shovel and some kitty litter in case you need to get unstuck, and a winter rated sleeping bag in case you’re going to be stranded for a while.

This kind of weather is lethal, treat it with the seriousness it deserves.

Written by Christopher Burg

December 16th, 2016 at 10:00 am

A Retraining Order is Only a Step in a Multistep Plan

with one comment

Many people facing abuse will pull a restraining order against their abuser. Although my history of advising against interacting with the State may make some believe that I would advise against pursuing a restraining order the opposite is true. I highly recommend getting a restraining order against an abuser. When it comes to survival you should use every single tool available to you. A retraining order does offer several important legal protections, especially if you are in a situation where you have to defend yourself against your abuser. With that said, your survival strategy must include more than just a restraining order. A restraining order is literally a piece of paper and therefore can’t protect you if your abuser decides to violate it.

Stores like this are, unfortunately, all too common:

Lucas A. Jablonski, 25, of Anoka, was charged Monday in Anoka County District Court with second-degree murder in the death in mid-August of 34-year-old Becky L. Drewlo, whose parents have been her guardians since she turned 18 in November 2000.

Jablonski has been jailed since he was charged in early September with violating the terms of the restraining order, which was granted at the request of her mother in September 2014.

Earlier violations by Jablonski of the same restraining order — in October 2014 and January 2016 — led to convictions in both instances but no significant time in custody.

[…]

Jablonski had been living with Drewlo for several weeks leading up to her death, the complaint read, despite the restraining order being in force that “precluded [him] from having any contact with Ms. Drewlo and from being at her apartment.”

In the petition for the restraining order, Laura Drewlo noted that Jablonski had “taken advantage of Becky sexual[ly] many times. Becky lacks sufficient understanding [and] therefore doesn’t understand the consequences.” She said her daughter had considered Jablonski her boyfriend in the months leading up to the petition being filed.

She said her daughter was in a program that allowed her to live independently with professional assistance and keep a job.

This case is more complicated than many since the victim appears to have been suffering from a mental disability, which likely prevented her from being able to protect herself. My usual go to advice, taking measures to improve your ability to defend yourself, likely don’t apply here. But it does illustrate the limitations of a restraining order.

A restraining order is only effective if the person holding it reports infractions against the order and the police respond to the report. Even then punishments for violating restraining orders are often minor. In this case the suspect had violated the order multiple times but received no significant punishments. And if the violation turns into an attack the order has no ability to defend the victim.

Pulling a restraining order should be seen as a step in a multistep plan. A restraining order provides legal protections, which can be valuable in the aftermath of a self-defense case against an abuser. But they don’t offer any physical protection. Other steps in the plan should address this deficiency.

Written by Christopher Burg

November 23rd, 2016 at 11:00 am

LastPass Opts to Release Ad Supported “Free” Version

with 5 comments

My hatred of using advertisements to fun “free” services is pretty well known at this point. However, it seems that a lot of people prefer the business model where they’re the product instead of the customer. Knowing that, and knowing that password reuse is still a significant security problem for most people, I feel the need to inform you that LastPass, which still remains a solid password manager despite being bought by LogMeIn, now has an ad supported “free” version:

I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.

Anything that may convince more people to start using password managers is a win in my book. People who don’t utilize password managers tend to reuse the same credentials on multiple sites, which significantly increases the damage that a password database leak can cause. Furthermore, using a password manager lowers the hurdle for using strong passwords. Instead of having to use passwords that are memorizable a password manager also allows users to use long strings of pseudorandom characters, which means if a password database is breached the time it takes to unveil their password from its stored hash is significantly increased (because the attacker has to rely on brute force instead of a time saving method such as rainbow tables).

If money has been the only thing that has held you back from using a password manager you should take a look at LastPass’s “free” version. While ads are a potential vector for malware they can be blocked with an ad blocker and the risk of being infected through ads is significantly less than the risks involved in not using a password manager.

Written by Christopher Burg

November 3rd, 2016 at 10:00 am

More Malware Spreading Through Advertising

with one comment

My biggest grip with the advertisement based model most Internet services have opted to use is that ads can easily be used to spread malware. Because of that I view ad blockers as security software more than anything. And the Internet seems to enjoy proving my point every few weeks:

As a security researcher, it’s always exciting to discover new vulnerabilities and techniques used by malicious actors to deliver malware to unsuspecting users. These moments are actually quite rare, and it’s increasingly frustrating from a researcher’s perspective to watch the bad guys continue to use the same previously exposed methods to conduct their malicious operations.

Today’s example is no different. We discovered a malvertising campaign on Google AdWords for the search term “Google Chrome”, where unsuspecting MacOS users were being tricked into downloading a malicious installer identified as ‘OSX/InstallMiez’ (or ‘OSX/InstallCore’).

In this case the malware didn’t spread through a browser exploit. Instead it exploited the weakest component of any security system: the human. The malware developers bought ads from Google so that their link, which was cleverly titled “Get Google Chrome”, would appear at the very top of the page. This malware was targeted at macOS users so if you were a Windows user and clicked on the link you’d be redirected to a nonexistent page but macOS users would be taken to a page to download the malware installer. After running the installer the malware opens a browser page to a scareware site urging you to “clean your Mac” and then downloads more malware that opens automatically and urges the user to copy it to their Applications folder.

As operating systems have become more secure malware producers have begun relying on exploiting the human component. Unfortunately, it’s difficult to train mom, dad, grandpa, and grandma on proper computer security practices. Explaining the difference between Google advertisement links and Google search result links to your grandparents is often a hopeless cause. The easiest way of dealing with that situation is to hide the ads, and therefore any malware that tries to spread via ads, from their view and ad blockers are the best tools for that job.

Unfortunately, the advertisement based model isn’t going away anytime soon. Too many people think that web services are free because, as Bastiat explained way back when, they’re not seeing the unseen factors. Since they’re not paying money to access a service they think that the service is free. What remains unseens are the other costs such as being surveilled for the benefit of advertisers, increased bandwidth and battery usage for sending and displaying advertisements, the risk of malware infecting their system via advertisements, etc. So long as the advertisement based model continues to thrive you should run ad blockers on all of your devices to protect yourself.

Written by Christopher Burg

November 2nd, 2016 at 10:30 am

Secure Your Assets

without comments

Anybody with more than two braincells to rub together and has even a modest knowledge of economic history knows that you can’t trust the State for your retirement. The government issued funny money is in a constant state of devaluation, which means every slip of its paper you save will be worth much less when you retire. Because of that, smart people find alternative ways to preserve their wealth for retirement. Some people invest a portion of their wealth in the hopes they can grow it faster than the rate of inflation while others prefer to rely on time proven precious metals.

If you look at historical trends the latter is a pretty solid choice if your goal is to preserve your purchasing power. However, if you’re going to opt for precious metals you need a secure method of storage, to spread out your assets, and probably a decent insurance policy because physical assets can be stolen:

ST. PAUL, Minn. – St. Paul Police are looking into an reported burglary that stripped a female resident of her entire life savings.

Police spokesman Steve Linders confirms that the alleged victim, a 57-year-old who lives on the 1600 block of Abell Street, had her valuables stashed in her bedroom because she does not trust banks. The thieves got away with 100 gold bars valued at more than $1,200 apiece, $60,000 cash and a diamond ring valued at $36,000.

I’ve seen quite a few comments making fun of the fact that her lack of trust in banks caused her to lose her life savings. But if your money is in a bank account its purchasing power is constantly being stolen in the form of inflation so acting high and mighty because you keep your government funny money in a bank is just as stupid as keeping all of your gold in one location and not properly securing it.

By the description of her storage method (stashing it in her bedroom) I’m left to assume she didn’t have her gold in a quality safe. If you’re going to have a lot of gold on hand you should invest in a decent safe that can be bolted to the ground (i.e. a decent gun safe). Bonus points can be had if you can also conceal the safe. But a quality safe offer two advantages. First, it greatly increases the time it takes for a burglar to get to your valuable assets. Burglaries are often smash and grab affairs where the burglars want to minimize the amount of time that they’re in a house. The more secure your assets are the less attractive they will be to a petty thief looking to get in and out. The second advantage a quality safe offers is fire protection. You don’t want to lose your retirement if your house burns down.

In addition to a quality safe you also want to spread your assets around. Keeping all of your eggs in one basket is not a wise idea. I would personally recommend against a safety deposit box at a bank because the State can and has seized them. And since the United States government has confiscated gold in the past it’s not unreasonable to think another gold confiscation might occur. You’re better off having trustworthy family members or close friends or have a second piece of property where you can install a quality safe and store some of your assets.

The third thing, which can be tricky if you’re concerned about another possible government gold confiscation, is having an insurance policy. Precious metals are valuable and valuable assets should be insured against loss. However, insuring your precious metals also means records of the metals existence will exist. If the government decided to do another gold confiscation they very well may require insurance companies to surrender information on customers who have insured precious metals. Then again, an insurance policy is a nice thing to have if burglars break into your home and get into your safe. It’s one of those risk-reward formulas that you have to figure out for yourself.

Storing your retirement savings in government funny money in a bank is not a good idea but if you’re going to do something else you need to be smart about. Simply buying gold isn’t a solid plan if you don’t have a way of securing that gold longterm.

Written by Christopher Burg

October 27th, 2016 at 10:30 am

Confidentiality Versus Anonymity

without comments

The Intercept has started a bit of a shit storm by pointing out that iMessage doesn’t encrypt metadata:

APPLE PROMISES THAT your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

Is this an affront to privacy? Is Apple showing bad faith in its promise to deliver a more security communication system? No and no. The issue at hand here is that Apple has promised confidentiality but hasn’t promised anonymity, which are two different things.

Confidentiality means that a communication isn’t accessible to unauthorized parties. In other words what was communicated is secret. Anonymity means that the parties communicating are secret. A confidential message isn’t necessarily anonymous and an anonymous message isn’t necessarily confidential.

iMessage and other secure communication applications such as WhatsApp and Signal use an identifier that are tied to your real-life persona, your phone number. Using phone numbers as identifiers allows these apps to easily scan your contacts list to see who does and doesn’t have the application. While they do keep what is being communicated secret they make no attempt to keep who is communicating secret.

Tor, on the other hand, attempts to provide anonymity but doesn’t necessarily provide confidentiality. With the exception of hidden services, every website you access through Tor goes through an exit node. Unless the site you’re accessing utilizes Transport Layer Security (TLS) the contents of the site are accessible to the exit node operator. On Tor the content being communicated isn’t necessarily confidential but the parties communicating are.

Applications such as Ricochet attempt (I use this qualifier because Ricochet is still experimental) to provide both confidentiality and anonymity. Not only are the communications themselves kept secret but the parties who are communicating is also kept secret. But since Ricochet users are anonymous be default the application can’t go through your contacts list and automatically inform you who does and doesn’t have the application.

There’s nothing sinister afoot here. Apple, WhatsApp, and Signal never claimed to deliver anonymity. Even if they didn’t use phone numbers as identifiers they still wouldn’t deliver anonymity since they make no attempt to conceal your IP address. Everybody that is freaking out about this is freaking out about the fact that Apple isn’t providing something it never claimed to provide.

There are no magic bullets. Before choosing the right tool for the job you need to develop a threat model. Unless you know what you are guarding against you can’t effectively guard against it. Confidentiality works well to protect against certain types of snoops. Law enforcers wanting to dig through the contents of messages to find evidence of illegal activities and advertisers wanting the same but to acquire information to better sell your products are threats where confidentiality is important but anonymity may not be required. Law enforcers wanting to create a social graph so it can target friends of specific individuals and censors wanting to learn who is putting out unapproved material are threats where anonymity is important but confidentiality may not be required. On the other hand, depending on your threat model, all of the above may be threats where confidentiality and anonymity are required.

Know your threats and know your tools. Make sure your tools address your threats. But don’t get upset because a tool doesn’t address your threat when it never claimed to do so.

Written by Christopher Burg

September 29th, 2016 at 10:30 am

Looks Can Be Deceiving

with 2 comments

Saturday evening there was a multiple stabbing incident at the St. Cloud Center here in Minnesota. Although tragic there are some lessons that can be learned these kinds of situations and this incident is no different:

In a media briefing after midnight Sunday, St. Cloud police chief William Blair Anderson said an off-duty officer from another jurisdiction confronted and killed the suspect. He said the suspect — who was dressed in a private security uniform — reportedly asked at least one victim whether they were Muslim before assaulting them, and referred to Allah during the attacks.

Here lies our most important lesson. The attacker was dressed in a security uniform. This probably allowed him to get close to his victims without raising any red flags, which is important if you’re relying a knife. So the lesson here is that not everybody is exactly as they appear. Just because somebody is dressed like a cop or a security guard doesn’t mean they actually are one. Don’t let your guard down just because somebody is in a specific uniform.

One of my friends pointed out another lesson to be learned from this:

The mall remained on lockdown after the incident, but authorities expected those remaining inside to be released early Sunday. Photos and video of the mall taken hours after the incident showed groups of shoppers waiting to be released, including some huddled together near a food court entrance.

The officers trapped people inside the mall with the attacker. When the police arrived it wasn’t yet known if there were multiple attackers so the mall goers were potentially locked in a building with multiple people meaning to cause them harm. Being confined in an area with an unknown number of assailants is not a good place to be. If you hear that there’s an attacker in the building find the nearest fire exit and go through it. If you’re luck the police won’t see you leave. If you’re unlucky they’ll catch you but in that case you’ll likely be held in the back of a squad car, which is still a safer place than being confined in an area with and unknown number of potential assailants.

Keep your guard up when you’re out and about. Listen to your gut instinct. If that little voice in the back of your head is telling you something is wrong then you should listen to it. We’ve all been doing this human thing for our entire lives so we’re pretty good at subconsciously reading very subtle signs from one another. Anybody can put on any uniform they please but a uniform isn’t going to conceal all those subtle signs we use to judge one another’s intentions. If that voice is telling you the approaching security guard means you harm take heed and book it.

Be aware of all the potential exits. Fire exits are especially good in these kinds of situations because they usually trip a fire alarm. If it’s an audible alarm it will alert other people in the building to get out. If it’s a silent alarm it will still involve a response from the local authorities.

Finally, have a plan to defend yourself if escape isn’t an option. I recommend that people carry a firearm because they give you the best fighting chance. But even if you’re not willing or are unable to carry a firearm you should have some defensive response that you’ve trained thoroughly enough to be instinctual. Be it martial arts, mace, a baton, or even a knife. While you might not win a violent encounter even if you have a means of self-defense, you will certainly lose one if your response is to freeze up.

Written by Christopher Burg

September 19th, 2016 at 10:30 am