Archive for the ‘Protecting Yourself and Others’ Category
The Intercept has started a bit of a shit storm by pointing out that iMessage doesn’t encrypt metadata:
APPLE PROMISES THAT your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.
Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.
Is this an affront to privacy? Is Apple showing bad faith in its promise to deliver a more secure communication system? No and no. The issue at hand here is that Apple has promised confidentiality but hasn’t promised anonymity, which are two different things.
Confidentiality means that a communication isn’t accessible to unauthorized parties. In other words what was communicated is secret. Anonymity means that the parties communicating are secret. A confidential message isn’t necessarily anonymous and an anonymous message isn’t necessarily confidential.
iMessage and other secure communication applications such as WhatsApp and Signal use an identifier that is tied to your real-life persona, your phone number. Using phone numbers as identifiers allows these apps to easily scan your contacts list to see who does and doesn’t have the application. While they do keep what is being communicated secret they make no attempt to keep who is communicating secret.
Tor, on the other hand, attempts to provide anonymity but doesn’t necessarily provide confidentiality. With the exception of hidden services, every website you access through Tor goes through an exit node. Unless the site you’re accessing utilizes Transport Layer Security (TLS) the contents of the site are accessible to the exit node operator. On Tor the content being communicated isn’t necessarily confidential but the parties communicating are.
Applications such as Ricochet attempt (I use this qualifier because Ricochet is still experimental) to provide both confidentiality and anonymity. Not only are the communications themselves kept secret but the parties who are communicating are also kept secret. But since Ricochet users are anonymous by default the application can’t go through your contacts list and automatically inform you who does and doesn’t have the application.
There’s nothing sinister afoot here. Apple, WhatsApp, and Signal never claimed to deliver anonymity. Even if they didn’t use phone numbers as identifiers they still wouldn’t deliver anonymity since they make no attempt to conceal your IP address. Everybody that is freaking out about this is freaking out about the fact that Apple isn’t providing something it never claimed to provide.
There are no magic bullets. Before choosing the right tool for the job you need to develop a threat model. Unless you know what you are guarding against you can’t effectively guard against it. Confidentiality works well to protect against certain types of snoops. Law enforcers wanting to dig through the contents of messages to find evidence of illegal activities and advertisers wanting the same but to acquire information to better sell you products are threats where confidentiality is important but anonymity may not be required. Law enforcers wanting to create a social graph so they can target friends of specific individuals and censors wanting to learn who is putting out unapproved material are threats where anonymity is important but confidentiality may not be required. On the other hand, depending on your threat model, all of the above may be threats where confidentiality and anonymity are required.
Know your threats and know your tools. Make sure your tools address your threats. But don’t get upset because a tool doesn’t address your threat when it never claimed to do so.
Saturday evening there was a multiple stabbing incident at the St. Cloud Center here in Minnesota. Although tragic there are some lessons that can be learned from these kinds of situations and this incident is no different:
In a media briefing after midnight Sunday, St. Cloud police chief William Blair Anderson said an off-duty officer from another jurisdiction confronted and killed the suspect. He said the suspect — who was dressed in a private security uniform — reportedly asked at least one victim whether they were Muslim before assaulting them, and referred to Allah during the attacks.
Here lies our most important lesson. The attacker was dressed in a security uniform. This probably allowed him to get close to his victims without raising any red flags, which is important if you’re relying on a knife. So the lesson here is that not everybody is exactly as they appear. Just because somebody is dressed like a cop or a security guard doesn’t mean they actually are one. Don’t let your guard down just because somebody is in a specific uniform.
One of my friends pointed out another lesson to be learned from this:
The mall remained on lockdown after the incident, but authorities expected those remaining inside to be released early Sunday. Photos and video of the mall taken hours after the incident showed groups of shoppers waiting to be released, including some huddled together near a food court entrance.
The officers trapped people inside the mall with the attacker. When the police arrived it wasn’t yet known if there were multiple attackers so the mall goers were potentially locked in a building with multiple people meaning to cause them harm. Being confined in an area with an unknown number of assailants is not a good place to be. If you hear that there’s an attacker in the building find the nearest fire exit and go through it. If you’re lucky the police won’t see you leave. If you’re unlucky they’ll catch you but in that case you’ll likely be held in the back of a squad car, which is still a safer place than being confined in an area with an unknown number of potential assailants.
Keep your guard up when you’re out and about. Listen to your gut instinct. If that little voice in the back of your head is telling you something is wrong then you should listen to it. We’ve all been doing this human thing for our entire lives so we’re pretty good at subconsciously reading very subtle signs from one another. Anybody can put on any uniform they please but a uniform isn’t going to conceal all those subtle signs we use to judge one another’s intentions. If that voice is telling you the approaching security guard means you harm take heed and book it.
Be aware of all the potential exits. Fire exits are especially good in these kinds of situations because they usually trip a fire alarm. If it’s an audible alarm it will alert other people in the building to get out. If it’s a silent alarm it will still involve a response from the local authorities.
Finally, have a plan to defend yourself if escape isn’t an option. I recommend that people carry a firearm because they give you the best fighting chance. But even if you’re not willing or are unable to carry a firearm you should have some defensive response that you’ve trained thoroughly enough to be instinctual. Be it martial arts, mace, a baton, or even a knife. While you might not win a violent encounter even if you have a means of self-defense, you will certainly lose one if your response is to freeze up.
One of the most important things for anybody to know is that there ain’t no such thing as a free lunch. Everything comes at a cost, even “free” things. Consider public Wi-Fi networks. Companies seemingly provide free Wi-Fi to customers as a courtesy. But those free Wi-Fi networks are revenue generators:
According to an article, which mall officials say they co-wrote, “while being an attractive guest feature, the (Wi-Fi) service simultaneously provides the mall with enough data to fill digital warehouses with information about what people do both online and in the real world while on the property.”
“This type of tracking can happen at any business, any location, any place that there’s any Wi-Fi networks,” Schulte said.
He explained that when your phone connects to Wi-Fi, it’s actually exchanging information with the network.
“You’re telling the Mall of America when you go to the mall, what door you go in, what stores you visit, what level you’re on, as well as what you’re doing on your phone.”
Asked if that means that mall officials could potentially know about it if someone logs onto Facebook while using the mall’s Wi-Fi network, Shulte answered, “Absolutely they know that you’re going to Facebook.”
This is the same paradigm used by websites that rely on ad networks for revenue. Instead of charging the user directly the provider simply snoops on the user and sells the information it collects to advertisers. In this way the advertiser becomes the customer and the user becomes the product.
I recommend against using public Wi-Fi networks. If you have to use one I recommend doing so through a Virtual Private Network (VPN). A VPN encrypts your traffic from your device to the VPN provider’s server. That means your data isn’t visible to the local Wi-Fi network and therefore cannot be snooped on by local network surveillance. Tor can work to a lesser extent in that you can conceal traffic that can be run through the Tor network but it’s not as effective in this case since most systems, with the exception of specially designed operating systems such as Tails, don’t route all traffic through Tor.
Whenever anybody offers you something for free you should try to figure out what the catch is because there is one.
I know that it’s been said again and again but it bears periodic repetition: don’t talk to the police. Period.
Someday soon, when you least expect it, a police officer may receive mistaken information from a confused eyewitness or a liar, or circumstantial evidence that helps persuade him that you might be guilty of a very serious crime. When confronted with police officers and other government agents who suddenly arrive with a bunch of questions, most innocent people mistakenly think to themselves, “Why not talk? I haven’t done anything. I have nothing to hide. What could possibly go wrong?”
Well, among other things, you could end up confessing to a crime you didn’t commit. The problem of false confessions is not an urban legend. It is a documented fact. Indeed, research suggests that the innocent may be more susceptible than the culpable to deceptive police interrogation tactics, because they tragically assume that somehow “truth and justice will prevail” later even if they falsely admit their guilt. Nobody knows for sure how often innocent people make false confessions, but as Circuit Judge Alex Kozinski recently observed, “Innocent interrogation subjects confess with surprising frequency.”
People still mistakenly believe that the police are the good guys and that cooperating with them can only be beneficial if you’re an innocent person. In reality police are not the good guys, they’re the revenue generators for the State. Their goal of raising revenue can only be realized by charging people with crimes. So long as wealth can be expropriated it doesn’t matter to the State whether the person hauled in actually perpetrated the crime or not.
A false confession is just as good as a truthful confession to the police. Either one achieves their goal of raising revenue. That means any belief you have in justice prevailing is wrongly held.
When an officer wants to question you about something you should immediately shut up and lawyer up. Most politicians are lawyers and they have crafted the system to benefit lawyers. The downside is that you’re basically stuck handing money to lawyers if you’re accused of a crime. The upside is that a lawyer knows the ins and outs of the system far better than most police officers and can therefore provide you with decent protection (assuming they’re not incompetent). A lawyer, for example, knows what to say without confessing you were guilty of a crime. They also know the rules regarding admissible evidence and whether or not the police have a case without a confession. You (and me), as a layperson, are likely so naive about the legal system that you don’t even know what you don’t know. And that ignorance can land you in a cage for a crime you didn’t commit.
Carrying a firearm is akin to wearing a seatbelt. You don’t know if you’re ever going to need it but it’s far better to have it and not need it than need it and not have it. There’s no way to predict when you’ll get into an automobile accident and there is no way to predict where or when you’ll be attacked or by whom.
This story highlights that:
Police say 53-year-old Michael Leroy Deyo and the victim worked together at the same Goodwill store since Deyo was hired in June.
On that Thursday afternoon, Deyo invited the victim to the barbecue, but when she arrived she was the only one there. Deyo told her it was going to be a surprise party, according to the criminal complaint.
The victim said they ate and talked, and after they were done eating Deyo said he was going to check the apartment unit across the hall, where he said the party was taking place.
He then asked the victim if she wanted to check the room with him, and she agreed. She said there was no one in the room, the lights were off and it appeared to be a utility room.
The woman said she “did not feel right about the situation” and grabbed her purse to leave. When she opened the door, Deyo grabbed her and forced her back into the apartment, putting his hand over her mouth, according to the criminal complaint.
The victim struggled with Deyo, kicking him in the groin and punching him. She said she grabbed a glass coffee pot and hit him in the head with it, according to the charges.
The victim said Deyo pinned her to the ground and said, “Stop screaming or I’ll kill you.” The victim said she was afraid she was going to die, so she became quiet while he kissed her.
A barbecue a coworker invited you to is generally not the kind of situation where you would expect to have to defend yourself but it can be. James Mattis was the one who said, “Be polite, be professional, but have a plan to kill everybody you meet.” It’s solid advice so long as you follow the spirit of it rather than take it literally. You don’t need to develop a detailed plan for killing everybody you meet but it’s smart to have a strategy as your default if someone tries to attack you and train in it until it becomes almost instinctual. That way if you’re taken by surprise you will have an automatic go-to strategy to defend yourself. While a default strategy is a personal decision I strongly suggest carrying a firearm so your default strategy addresses armed assailants.
You can’t predict when or where, or by whom you may be attacked but you can have a plan of action that will increase your odds of survival.
Several people have asked me about my thoughts regarding the rioting in Milwaukee. Truth be told, I’m only superficially aware of what happened. I know the police shot somebody, which was the spark that lit this fire but I haven’t had time to learn the details surrounding the shooting.
I will say this though. You should have a plan of action in case civil unrest develops in your area. Be it hunkering down and defending your home or evacuating to someplace safe, you should have a plan of what you will do if worst comes to worst. Then you should have a backup plan in case your primary plan fails.
As is common after a violent tragedy, a great deal of electrons are being annoyed by people who are calling for prohibitions. Some want to prohibit firearms, ammunition, and body armor while others want to prohibit members of an entire religion from crossing the imaginary line that separates the United States from the rest of the world. All of this finger pointing is being done under the guise of security but the truth is that any security system that depends on an attacker acting in a certain way is doomed to fail.
Prohibitions don’t eliminate or even curtail the threat they’re aimed at. In fact the opposite is true. The iron law of prohibition, a term coined in regards to prohibitions on drugs, states that the potency of drugs increases as law enforcement efforts against drugs increase. It applies to every form of prohibition though. Prohibitions against firearms just encourage the development of more easily manufactured and concealable firearms just as the prohibition against religious beliefs encourages those beliefs to be practiced in secrecy.
When you rely on a prohibition for security you’re really relying on your potential attackers to act in a specific way. In the case of firearm prohibitions you’re relying on your potential attackers to abide by the prohibition and not use firearms. In the case of prohibiting members of a specific religion from entering a country you’re relying on potential attackers to truthfully reveal what religion they are a member of.
But attackers have a goal and like any other human being they will utilize means to achieve their ends. If their ends can be best achieved with a firearm they will acquire or manufacture one. If their ends require body armor they will acquire or manufacture body armor. If their ends require gaining entry into a country they will either lie to get through customs legitimately or bypass customs entirely. Your attackers will not act in the manner you desire. If they did, they wouldn’t be attacking you.
What prohibitions offer is a false sense of security. People often assume that prohibited items no longer have to be addressed in their security models. This leaves large gaping holes for attackers to exploit. Worse yet, prohibitions usually make addressing the prohibited items more difficult due to the iron law of prohibition.
Prohibitions not only provide no actual security they also come at a high cost. One of those costs is the harassment of innocent people. Firearm prohibitions, for example, give law enforcers an excuse to harass anybody who owns or is interested in acquiring a firearm. Prohibitions against members of a religion give law enforcers an excuse to harass anybody who is or could potentially be a member of that religion.
Another cost is a decrease in overall security. Firearm prohibitions make it more difficult for non-government agents to defend themselves. A people who suffer under a firearm prohibition find themselves returned to the state of nature where the strong are able to prey on the weak with impunity. When religious prohibitions are in place an adversarial relationship is created between members of that religion and the entity putting the prohibition in place. An adversarial relationship means you lose access to community enforcement. Members of a prohibited religion are less likely to come forth with information on a potentially dangerous member of their community. That can be a massive loss of critical information that your security system can utilize.
If you want to improve security you need to banish the idea of prohibitions from your mind. They will actually work against you and make your security model less effective.
How many of you have taken your computer in to be repaired? How many of you erased all of your data before taking it in? I’m often amazed by the number of people who take their computer in for servicing without either replacing the hard drive or wiping the hard drive in the computer. Whenever I take any electronic device in for servicing I wipe all of the data off of it and only install an operating system with a default user account the repairer can use to log in with. When I get the device back I wipe it again and then restore my data from a backup.
Why am I so paranoid? Because you never know who might be a paid Federal Bureau of Investigation (FBI) snitch:
The doctor’s attorney says the FBI essentially used the employee to perform warrantless searches on electronics that passed through the massive maintenance facility outside Louisville, Ky., where technicians known as Geek Squad agents work on devices from across the country.
Since 2009, “the FBI was dealing with a paid agent inside the Geek Squad who was used for the specific purpose of searching clients’ computers for child pornography and other contraband or evidence of crimes,” defense attorney James Riddet claimed in a court filing last month.
Riddet represents Dr. Mark Albert Rettenmaier, a gynecological oncologist who practiced at Hoag Hospital until his indictment in November 2014 on two felony counts of possession of child pornography. Rettenmaier, who is free on bond, has taken a leave from seeing patients, Riddet said.
Because the case in this story involved child pornography I’m sure somebody will accuse me of trying to protect people who possess child pornography. But data is data when it comes to security. The methods you can use to protect your confidential communications, adult pornography, medical information, financial records, and any other data can also be used to protect illicit, dangerous, and downright distasteful data. Never let somebody make you feel guilty for helping good people protect themselves because the information you’re providing them can also be used by bad people.
Due to the number of laws on the books, the average working professional commits three felonies a day. In all likelihood some data on your device could be used to charge you with a crime. Since the FBI is using computer technicians as paid informants you should practice some healthy paranoia when handing your devices over to them. The technician who works on your computer could also have a side job of feeding the FBI evidence of crimes.
But those aren’t the only threats you have to worry about when taking your electronic devices in for servicing. I mentioned that I also wipe the device when I get it back from the service center. This is because the technician who worked on my device may have also installed malware on the system:
Harwell had been a Macintosh specialist with a Los Angeles-area home computer repair company called Rezitech. That’s how he allegedly had the opportunity to install the spy software, called Camcapture, on computers.
While working on repair assignments, the 20-year-old technician secretly set up a complex system that could notify him whenever it was ready to snap a shot using the computer’s webcam, according to Sergeant Andrew Goodrich, a spokesman with the Fullerton Police Department in California. “It would let his server know that the victim’s machine was on. The server would then notify his smartphone… and then the images were recorded on his home computer,” he said.
When your device is in the hands of an unknown third party there is no telling what they may do with it. But if the data isn’t there then they can’t snoop through it and if you wipe the device when you get it back any installed malware will be wiped as well.
Be careful when you’re handing your device over to a service center. Make sure the device has been wiped before it goes in and gets wiped when it comes back.
A man in Minneapolis stands accused of raping a woman. According to the accusation he used the ploy of asking for directions to approach the woman:
The victim told police she was out for a walk that night when she saw Wilkes’ car go around the block several times. He eventually stopped and got out of his car. Assuming he was lost, the victim asked if he needed help. She said Wilkes then told her he was trying to get to 29th and Franklin.
After the victim gave Wilkes directions, she turned around and continued walking. Wilkes then grabbed her throat from behind and began choking her, saying he had a gun.
There are a lot of common ploys criminals will use to get within close range of an intended victim. Asking for directions, to borrow a cell phone, a couple of bucks to buy a bus ticket to get back home, for help in an emergency situation, and so on. These ploys all serve to drop the intended victim’s guard so they can be approached more easily.
During a discussion about this story I mentioned to a friend that my standard response to these types of situations is to take a defensive stance, slide my hands into my pocket (usually onto a concealed weapon), and pretend that I don’t speak English (in my experience this tends to reduce the amount of time an individual will invest in trying to interact with me). My friend told me that that sounds paranoid, which brings me to the point of this post. Our society places a stigma on perceived paranoia. People who carry a firearm, for example, are often derogatorily called paranoid. But as the old saying goes, just because you’re paranoid doesn’t mean that they’re not out to get you.
If you live in a stable area, your chances of being in a violent encounter are pretty slim. A pretty slim chance is much different than zero chance though. Most of us recognize this fact and take certain precautions such as installing locks on the exterior doors of our home and avoiding neighbors that we perceive to be bad. But that recognition seems to stop where society’s perception of paranoid begins. This is ridiculous in my opinion.
First of all, only you have the unique knowledge of your life experiences to know what level of defensive measures are appropriate for you. Nobody else has spent their entire life being you so relying on them to decide what level of defense is appropriate for you is an exercise in outsourcing to a less qualified entity.
I have decided that carrying a gun and training to defend myself are appropriate defensive measures based on the knowledge I’ve gained over my lifetime. This isn’t because I believe I have a high level of encountering a violent situation. It’s because the detriments of doing so are minuscule while the potential consequences of not doing so are very high.
Let’s analyze the costs and benefits of the situation of a stranger asking for directions. When somebody initiates contact I take a defensive stance, which is to say that I make it as obvious as possible that I am aware of the person and that I am maintaining awareness of my surroundings. I also maintain a neutral expression on my face and straighten my posture, which serves the purpose of making me look more intimidating without making me look aggressive. What have any of these responses cost me? At most they have cost appearance. I come off as cold and less than friendly instead of warm and friendly. Since I don’t know who this stranger is nor am I likely to ever meet them again the cost of appearance is minuscule to me.
Another thing I do is slide my hands into my pockets. This action deprives the approaching person of some information. If my hands are visible the approaching person can identify whether or not I have a potential weapon at the ready. By concealing my hands the approaching person is forced to guess whether or not I have a concealed weapon in one of my pockets. Since I also regularly carry a firearm putting my hands in my pockets often results in me having immediate access to a weapon. What does this action cost me? Again, it potentially costs me appearance in the eyes of a stranger, on which I don’t place much value.
If the person asks for directions and goes about their way I’ve still lost nothing of value to me. On the other hand, if the person meant me ill my positioning may be enough to convince them to find a different target. Predatory criminals tend to prefer easy targets. Making yourself appear to be a difficult target is often enough to convince them to go elsewhere. If my posturing wasn’t enough to dissuade them then I’m in a better position to defend myself when they attack.
What many people would consider paranoid actually costs me very little and could benefit me greatly if the small chance of something bad occurring is realized.
You have every right to be paranoid. Bad things do happen to good people. Don’t let people who lack your lifetime of experiences convince you that they know what defensive measures are appropriate for you better than you do. Instead analyze your defensive needs yourself. You may discover that you can reap some tremendous potential benefits for very little cost.
I have a sort of love/hate relationship with John McAfee. The man has a crazy history and isn’t so far up his own ass not to recognize it and poke fun at it. He’s also a very nonjudgemental person, which I appreciate. With the exception of Vermin Supreme, I think McAfee is currently the best person running for president. However, his views on security seem to be stuck in the previous decade at times. This wouldn’t be so bad but he seems to take any opportunity to speak on the subject and his statements are often taken as fact by many. Take the recent video of him posted by Business Insider:
It opens strong. McAfee refutes something that’s been a pet peeve of mine for a while, the mistaken belief that there’s such a thing as free. TANSTAAFL, there ain’t no such thing as a free lunch, is a principle I wish everybody learned in school. If an app or service is free then you’re the product and the app only exists to extract salable information from you.
McAfee also discusses the surveillance threat that smartphones pose, which should receive more airtime. But then he follows up with a ridiculous statement. He says that he uses dumb phones when he wants to communicate privately. I hear a lot of people spout this nonsense and it’s quickly becoming another pet peeve of mine.
Because smartphones have the built-in ability to easily install applications the threat of malware exists. In fact there have been several cases of malware making their way into both Google and Apple’s app stores. That doesn’t make smartphones less secure than dumb phones though.
The biggest weakness in dumb phones as far as privacy is concerned is their complete inability to encrypt communications. Dumb phones rely on standard cellular protocols for making both phone calls and sending text messages. In both cases the only encryption that exists is between the devices and the cell towers. And the encryption there is weak enough that any jackass with an IMSI-catcher can render it meaningless. Furthermore, because the data is available in plaintext to the phone companies, the data is likely collected by the National Security Agency (NSA) and is always available to law enforcers via a court order.
The second biggest weakness in dumb phones is the general lack of software updates. Dumb phones still run software, which means they can still have security vulnerabilities and are therefore also vulnerable to malware. How often do dumb phone manufacturers update software? Rarely, which means security vulnerabilities remain unpatched for extensive periods of time and oftentimes indefinitely.
Smart phones can address both of these weaknesses. Encrypted communications are available to most smart phone manufacturers. Apple includes iMessage, which utilizes end-to-end encryption. Signal and WhatsApp, two applications that also utilize end-to-end encryption, are available for both iOS and Android (WhatsApp is available for Windows Phone as well). Unless your communications are end-to-end encrypted they are not private. With smartphones you can have private communications, with dumb phones you cannot.
Smart phone manufacturers also address the problem of security vulnerabilities by releasing periodic software updates (although access to timely updates can vary from manufacturer to manufacturer for Android users). When a vulnerability is discovered it usually doesn’t remain unpatched forever.
When you communicate using a smartphone there is the risk of being surveilled. When you communicate with a dumb phone there is a guarantee of being surveilled.
As I said, I like a lot of things about McAfee. But much of the security advice he gives is flawed. Don’t make the mistake of assuming he’s correct on security issues just because he was involved in the antivirus industry ages ago.