26 Apr 2010 @ 4:16 PM 

Bruce Schneier links to a story over at f-secure about a scam as brilliant as it is evil.  As far as scams go, it’s not ‘evil’ in the sense of taking you to the cleaners (it attempts to get you to pay $400.00, so I guess the damage largely depends on where you’re sitting at the time) but it’s evil b/c, as Schneier puts it, “the level of detail is impressive.”

What it does is basically pop up a warning indicating that you have software on your machine that violates copyright law.  It then demands a $400.00 payment to clear up the matter.  There’s a very official looking website and for all intents and purposes, it looks ‘real’.  There are no typos on it for one thing (I’ll never cease to be amazed at how few scammers ever bother to spell/grammar check their content or bother to get a native speaker to write the content.  It’s really not that hard to find someone who speaks English as their native language. And it’s a highly guarded secret that there are different dialects of English and of most of the major languages.  Typos, culturally incorrect spelling {realise vs. realize if you’re sending it to someone in the US}, usage errors and the like are commonplace in just about every scam I’ve encountered). The e-commerce components appear to work perfectly.  The folks at f-secure already went ahead and looked up the domain registration and while it’s registered to someone already well known in the scamming community, most lay people wouldn’t recognize the name.  All in all, they did their homework and paid a lot of attention to detail.

Then again, considering how little respect some in the law enforcement community have for copyright law, I’m amazed anyone’s actually paying them ;-)

[tags] ICPP Copyright Foundation [/tags]

Categories: Law/Legal, Malware, Privacy, Roubot, Security, Snoopery, Spyware
Posted By: Roubot
Last Edit: 27 Apr 2010 @ 10 57 AM

 23 Apr 2010 @ 7:23 PM 

When I first read about How to be Invisible by J.J. Luna in a Playboy article, I couldn’t wait until it came out. If you judge a book by its cover you might be turned off, thinking it’s one of the many shady books in the “get a new identity” genre.  They are usually written for people who are criminals and they are basically some derivation of “Find some dead person and get their birth certificate”.

Luna is very serious about privacy and his book is for people who are on the up and up who want privacy.  He makes it very clear that he wants nothing to do with people who are trying to use his techniques to facilitate law breaking or tax avoidance.  Luna lived under General Franco and if you read his bio, you find out the following:

     In 1959, J. J. (Jack) Luna sold his outdoor advertising business in the Upper Midwest and moved with his wife and small children to the Canary Islands off the coast of West Africa. Outwardly, he was a professional writer and photographer. Secretly, he worked underground in an activity that was at that time illegal under the regime of Generalissimo Francisco Franco.

     In 1970 Franco, yielding to intense pressure from the western world, moderated Spain’s laws, leaving Luna free to come in from the cold. By that time, however, privacy had become an ingrained habit. In the years that followed he started up various low-profile businesses, built them up and then sold them. 

The book starts out with a quote, “Governments keep secrets from citizens, why shouldn’t citizens be able to keep secrets from governments.”  And that sets the theme for the rest of the book.  I highly recommend this book (make sure you get the updated version which deals with a post-9/11 world).  He makes it very clear that there are a lot of folks out there who assume that just b/c you want privacy or keep things a secret, you’re doing something bad (and trust me, such people exist, particularly in law enforcement).  I reject that assertion and it’s easy to tear such an argument apart, but you’ll never convince people who like invading others’ privacy that they’re in the wrong.  And you can count on it: the more someone gets mad about someone else keeping things private, the more someone will use their position to invade other people’s privacy, the more butthurt they’ll get when someone does the same to them.  And the “If you keep secrets you have something to hide” crowd will cite every example like the one I’m about to use to back up their lame arguments.  They’ll claim that people like Luna are encouraging criminal behavior by pointing out how people could have gotten away with it.  Luna condemns the law breaking in his example and so do I for the record, but that doesn’t invalidate his analysis.

Did you hear about Tiffany Tehan and Tre Hutcherson?  They were both married and living in Ohio but they weren’t married to each other.  Tiffany was in love with Tre and decided to disappear and start over with her lover.  The problem is, she didn’t tell her husband; she just said she was going to the store with their child and then took off, making it look like she was kidnapped.  Before long, she was caught. In a nutshell, here’s what they did wrong according to Luna:

1. They allowed themselves to be caught TOGETHER in a surveillance video from an Ohio convenience store before they took off.

2. Tehan used her ATM card and was also caught on camera there.

3. Hutcherson traded in his VW the day before, and apparently put the new car in his OWN NAME rather than using a corporation, a trust, or an LLC. (Note to those in a hurry to buy a car—If Rosie Enriquez is paid online, she can often e-mail a scanned image of a shelf LLC within the hour.)

A fourth error may have been to check into a motel in Florida that required photo ID. And a possible fifth error would be to carry a cell phone without removing the battery.

I am of course not in favor of their actions but it’s always interesting to note how easily many such persons can be tracked.  Too bad for their sakes that they didn’t leave a false trail to the Canary Islands.

So what would I have done? In addition to Mr Luna’s suggestions, I would have planned in advance. I’d start withdrawing a few hundred dollars a paycheck and stashing it in cash.  It’d have to be small enough your spouse wouldn’t notice but large enough that it could accumulate into a significant amount of money before long.  I’d also make sure I kept the money in small denominations for the most part.  One of the people should have purchased another car, a cheap but reliable one registered exactly as Mr Luna specifies.  I would load up on food and water and would even get two or three full gas cans which I’d put in the car before I left. Neither of us would get out of the car for any reason until we were a few states away.  I’d make sure we only got gas (after our supply ran out) at old fashioned, out of the way stations.  I’d also don a subtle disguise, like a gas station attendant shirt or something that would make me look very ‘run of the mill’.  I’d opt to camp out for a while b/c national parks and trails are the perfect place to disappear for a while.  If no one was looking for your car, and you didn’t go into any big stores, you could easily disappear for a while and no one would think anything of it when they saw you.  After a few weeks, the hype would wear down and you wouldn’t be front and center on Nancy Grace. At that point, you could start re-integrating into society.  That’s why it’s key to have cash, and a lot of it, so you could hold yourself over for at least a month or so, the longer the better obviously. When you first started to come back in, you could find cheaper motels (which aren’t often very secure but they are low profile).  Then you could start working at one of the work pools or similar services that let you work off the books.

At that point, I’m not sure where you’d go.  I can’t see any long term strategy that would work.  Taking the kid is unforgivable but it also greatly complicates things. Like it or not, the cops just don’t worry too much about missing adults, especially when there’s no clear evidence of wrongdoing.  If you have a missing child though, not only does it attract more attention in terms of being more conspicuous, it makes cops look a lot harder.  You could stay in some hellhole motel for years without being discovered if it was just two adults.  But throw in a kid and someone would probably call child protective services at some point (although Florida CPS is pretty pathetic so they’d likely either lose your kid or turn the kid over to some sicko pedophile).  If you didn’t have the kid, you could easily skip over the border and live it up in Mexico for a while.  Or you could get over the border and then use your passport to get to Costa Rica or somewhere a little more liveable.  While there’d be a record of it, if you waited long enough, it’d likely not set off any flags that would get back to start (think about the Atlanta attorney who had tuberculosis: even with the flagging system in place post 9/11, he was able to get through multiple airports).

No  matter how I try to slice it though – I can’t see how you could pull this off long term without a ton of money.  And even with a lot of money, I don’t see how you could do it with the kid unless you had enough money you could buy off border /customs agents.  In this case, every one of those wasn’t applicable so at some point, I think they were destined to fail.

Nonetheless, let’s say she and her husband wanted to skip town for legit reasons. Luna’s points would be totally applicable here and they’d be the difference between getting away and getting killed (or whatever the reason was that would make you need to skip town). Just out of curiosity, if you wanted to skip town permanently and start over, assuming you had 10k saved up as of today and you didn’t have any kids, can you think of how you’d be able to do it long term?  One thing I hope is that folks doing this will use Privicy and pay for it a few years in advance ;-)

I wonder what Evan Ratliff would have done differently? If you’re interested in reading about what it takes to disappear these days, make sure you read my post on it:

The other argument I typically hear is a reference to Evan Ratliff.  If you’re unfamiliar with him, here’s the rest of the story in a nutshell. He’s a free-lance writer and blogger.  He took a gig for Wired magazine that entailed disappearing for a month.  He was to try to hide out and anyone that found him would simply need to say the magic word, and they’d be privy to a $5,000.00 prize. Ratliff gave it a great go, but before long he was caught.

[tags]Tiffany Tehan and Tre Hutcherson, Tiffany Tehan, Tre Hutcherson, How To Be Invisible, J.J. Luna, Privacy, Atavist, Evan Ratliff, Disappearing[/tags]


Categories: Disappearing, How to be invisible, Privacy, Privicy.net
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 07 23 PM


This post and all others on this site are subject to the current Copyright as well as the Sites Terms of Use. Any reproduction, duplication or publication without express written permission from the author is strictly prohibited.

Yesterday, I wrote a post describing a hypothetical situation where two adversaries were trying to gain intelligence on each other (Need someone’s email or access to their computer?). I would have written this follow up last night, but Sarah and I went to dinner a little late and by the time we got home, I was too tired to write. And when we arrived, there was a whole lotta Proliferating going on in our living room. So I spent the last 20 minutes of the evening engaging in some hard core counter proliferation of Poopy Nice Nice (I didn’t have time to conduct full Counter Proliferation, i.e. Bungholian Analysis, so I have yet to identify the culprit but rest assured, it’s going down tonight).  The Sausage Dog of Doom is a very evil Creature, but I digress.

In that post, I described a few different attack vectors and the +/- of each approach.  And I showed what one could accomplish if they loaded the right software on an adversary’s machine.  I did this without giving too many specifics to show people how easy this is to do. And I asked repeatedly, if you were the target, would this attack work on you?  I think in many cases it would.

Now, one of the key pieces isn’t technological, it’s Social Engineering. [Remember that humans are almost always the vulnerability that attackers take advantage of in successful exploits.  Of all of Kevin Mitnick’s attacks, almost all were based on successful Social Engineering.  In The Art of Intrusion, he goes through a time when he actually used it to show some big shots at the Pentagon how vulnerable they were.] A target might be reluctant to open any attachments that came from you.  In this case, the ‘evil step mother’ didn’t respect the children’s privacy and would read through the kid’s email looking for information about the other parents or negative stuff the kids were saying about her.  So I showed how you might get someone like that to bite.  You put something intriguing sounding in the Subject line, something you know would get the person’s attention. It should be enough to make sure they want to read more, but not bad enough it could be used against you.  Then, in the body of the message, reference some instructions in the attachment and make the contents sound like a smoking gun of sorts. Now, instead of trying to convince Maria to open the attachments, Maria will WILLINGLY and AMBITIOUSLY take it upon herself to open the attachment, which is how you could install the Keystroke Logger. B/c she has her eye on scandal stuff in the kid’s email, she isn’t thinking about possible infections. In fact, she’ll likely bypass/ignore any warning the system puts up (assuming any were) b/c they really want to see what’s in the document. And b/c they took it upon themselves to do this, and b/c it’s the kid’s account they were looking through, they’ll be convinced it’s legitimate contraband and will doubtfully ever look back.  At this point, if you don’t put anything juicy in there, they’ll be mad and might smell a rat. On the other hand, if you give them too much red meat, they could use it against you. So meet in the middle.
Come up with something that’s mildly offensive.  Something that you know will anger them (just b/c they get angry easily) but that a reasonable person would say Oh, come on, that’s really nothing to.  This gives them their pound of flesh, and in this case Maria would be dying to get ANYTHING on Sallie, so she’d be satisfied with anything she had where Sallie said something negative about Maria.  Of course, you could just go nuclear, but remember that has the potential to be used against you.  If you don’t put anything in there, the target will wonder what’s going on and will be much more likely to think long and hard about the attachment.  If you get them to do it themselves, and it conforms to their suspicions, they’ll never think twice about it. Remember, once you had the keystroke logger on their machine (rather, I want you to think about what would happen if they got the keystroke logger on YOUR machine), all of your passwords are probably theirs too. Any email or chat account is there. And God knows what can be mined from Email and Chat accounts.  Any browsing. Any site passwords. Any banking passwords (heck, they’d even be able to see your challenge responses).  This is about as bad as it could get for most people.

While this is a hypothetical, you can see where stuff like this would really apply. What I was trying to show is the thinking you must engage in to get the other person to drop their guard. After all, once you got the keystroke logger in, you’d be able to access their personal emails on external accounts like Yahoo, AOL, Hotmail or Gmail. You’d be able to see what sites they visited. You’d be able to see the contents of Chats they engaged in. You’d be able to see documents they were typing.  In short, you would have a gold mine of information.  And if the target was indeed doing something underhanded, dishonest or immoral, you’d have all the details you’d need to crush them.  Even if it wasn’t admissible in court, you’d know enough information to help you ‘coincidentally’ send the right subpoenas or find the dead bodies and smoking guns.

Let’s say you had the same case, but the adversary respected the children’s privacy. Or, let’s say there weren’t any children.  What would you do then?  One thing you could do is send a copy of a legitimate legal document to them (you could take a legit court document, insert the malware in there and be done with it. They’d be much more likely to ignore any warnings they got b/c it’s something they expect, from a source they ostensibly trust. And if it was discovered, the assumption would be that it started at the source, not with you). 

You could similarly send an ‘official letter’ to them with a title and subject that would make them really want to open it.  Or, you could spoof an email address pretending to be someone they knew (like a supervisor) and attach documents that look like something that might normally be sent.  Call their office and find out who is in charge of Payroll.  Look on the Contact Me form of their company to see the Email Address format that’s used (like FirstName.LastName@companyname.com).  Spoof that email and send a PDF with ‘Payroll Receipt for period ending XX.XX.XXXX”) And just put nothing in it.

If you used an exploit like this one found in Adobe PDF, the possibilities of what you could do are endless. Maybe instead of the boss, you could pretend to be their parents. And in the document, send it with a title that is something they might expect to get.  They open the document, it’s empty so they won’t think much of it, but they’re now infected and you’re able to log into their email accounts and read through everything. You could get extra clever and pretend to be a close friend or relative. Let’s say Maria had a brother named Bill – certainly her ex-husband would know this. Let’s say Bill normally used Bill.MariasBrother@hotmail.com – Sallie could create an account that’s Bill.MariasBrother@yahoo.com – she could spoof the From: part of the email so it comes from Hotmail.com. But she could use the Yahoo account for the Reply To.  Unless Maria is really savvy and pays close attention to this stuff, it’s doubtful she’d ever catch it (in fact, unless she hit reply, she wouldn’t ever even be able to see the Reply To)

Maria:

Hey, it’s me, Bill. I need a favor, Here’s a copy of something I wanted to get mom for her birthday.  (Common Friend) had some trouble opening it so if you open it up and it’s blank, try downloading the new Acrobat reader. If it still doesn’t open, I can resend it to you as an image format.  Let me know what you think. If you like it, I’ll go ahead and order it and sign all of our names.

Maria opens it and there’s nothing there. (Her machine is now infected and her worst enemy now owns her computer.) Because “Bill” already mentioned it as a possibility, Maria isn’t surprised by the blank PDF document.  So she follows the instructions and downloads the latest Adobe reader and gives it one more try. Again, nothing. So she hits Reply on the email and says:

Bill, I tried opening the document, but couldn’t. I even got the new Acrobat but it still didn’t show up. Can you send me the picture instead?

This time though, it goes to the Yahoo account so the real “Bill” would never know what happened. Maria already saw the email came from “Bill” originally, so it’s doubtful she’d pay attention to the Reply To address, especially when it’s so similar anyway.  Even if she noticed it, she very likely would just ignore it. (I use a different Reply To address most of the time and have only had a handful of people ever mention it to me or ask about it.) A few days later when they spoke, Maria would mention it to Bill. Bill would have no idea, or think Maria’s talking about something else, or that it got eaten in the spam filter.  When they synced up, chances are they’d just assume it was spam when they couldn’t figure it out.
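The From/Reply-To mismatch described above is exactly the kind of thing a mail client or gateway can flag for the recipient before she ever hits Reply. The following is an added example (not code from the original post, and not from any real product) that parses the headers of a message and lists what diverges: the two sample messages are constructed to mirror the story, and the hotmail.com/yahoo.com names are the ones the post itself uses.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample mirroring the scenario in the post: From: claims a
# hotmail.com address, Reply-To: quietly redirects replies to a look-alike
# yahoo.com account that the real "Bill" never sees.
SAMPLE_SPOOFED = """\
From: Bill <Bill.MariasBrother@hotmail.com>
Reply-To: Bill <Bill.MariasBrother@yahoo.com>
To: Maria <maria@example.com>
Subject: Mom's birthday present

Hey, it's me, Bill. I need a favor...
"""

# Constructed benign message: no Reply-To header at all.
SAMPLE_CLEAN = """\
From: Bill <Bill.MariasBrother@hotmail.com>
To: Maria <maria@example.com>
Subject: Dinner on Sunday?

Are you free?
"""


def sender_and_reply_to(raw):
    """Return (from_addr, reply_to_addr), lower-cased; reply_to is '' if absent."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return from_addr.lower(), reply_addr.lower()


def reply_to_findings(raw):
    """List human-readable warnings for a Reply-To that diverges from From.

    An empty list means nothing suspicious was found. Only the headers are
    inspected; the body and any attachment are ignored, and nothing is sent.
    """
    from_addr, reply_addr = sender_and_reply_to(raw)
    findings = []
    # A missing Reply-To, or one identical to From, is the normal case.
    if not reply_addr or reply_addr == from_addr:
        return findings
    from_local, _, from_domain = from_addr.rpartition("@")
    reply_local, _, reply_domain = reply_addr.rpartition("@")
    if from_domain != reply_domain:
        findings.append(f"reply-to domain differs: {from_domain} vs {reply_domain}")
        # Same local part on a different provider is the look-alike trick.
        if from_local == reply_local:
            findings.append("same local part on a different domain (lookalike)")
    else:
        findings.append(f"reply-to differs from sender: {reply_addr}")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, reply_to_findings(raw) or "ok")
```

The check is deliberately narrow: a legitimate mailing list or ticketing system also sets a different Reply-To, so the output is a warning to surface next to the Reply button rather than a reason to drop the message. It also does nothing about a forged From header itself; that is what SPF/DKIM checks at the receiving server are for.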

And even if they do, at this point, it’s too late. All the counter proliferation measures in the world won’t save them now. Even if they suspected something bad, it’d likely be at least a few hours later, and she’d almost certainly have checked her email by then. She almost certainly will have typed a password to the machine in by then.  So even if they suspected something – there’d be nothing apparent on the machine. By this time, the logger should be deactivated so it’d be really hard to detect (especially if they wrote it themselves, b/c it wouldn’t match any known definitions and even well known ones are good at hiding themselves). Even if Maria and Joe found it, they’d have no idea what it was or what it did and if it was homemade, they'd have to decompile it and have a savvy coder figure out what it did.  Doubtful.  But this would almost never happen. Most people just delete spyware assuming they can find it. How many people do you know that have spyware infections decompiled and looked through?  I’m a software developer and I wouldn’t even go through that hassle. In fact, I can’t imagine ever wasting that much time or energy on it.

Even if they did all of this, it would take forever. By then, the attacker would own their email accounts, chats and most other things.  Here’s the beautiful part.  Since the Logger is deactivated, there’s no indication it’s running (or very little indication).  Let’s say Maria decided to change her password (or just did it as a routine course of action).  Sallie tries to get in and it doesn’t work this time.  No problem.

Sallie just goes to the configuration, tells the Logger to activate itself, and depending on the product, turn itself off once the file gets to X kb or shortly after the words http://www.aol.com or http://www.yahoo.com are typed.  While not 100% foolproof, this would be 99% foolproof and if somehow it turned off prematurely, Sallie could just try again.  If Joe and Maria cleaned the stuff off of there then it’d be game over temporarily, but it’s doubtful.  And once Sallie has the password, she can get into the email and do all sorts of things to help ensure Maria’s computer gets reinfected.

Again, I ask you, if you were the target, how would you fare? If someone had a keystroke logger on your machine, what would they be able to discern? If they had all your email passwords, what would they be able to find?  If they saw your new passwords after you changed them, are you still hyper vigilant about checking the IP Addresses that access your accounts? What about the  PDF exploit? Would you think much about it if you got a blank PDF? What if you aren’t in a court case or criminal case.. well, do you think there aren’t criminals out there who’d love to clean out your bank accounts? If they had all your challenge question responses and passwords, what could they do?  Ask some of the victims of DB.Singles.Org who had their Paypal accounts drained (all b/c they reused passwords and ONE SITE THEY USED had weak security measures. Wanna bet at least one site you use has equally lame security?)

Take this stuff seriously and guard yourself against it. Whether it’s a court case or your banking information, you don’t want to ever let yourself fall victim to this, especially when it’s so easy and essentially free to protect against. Spyware and malware are rampant and if you don’t take the responsibility for counter proliferation of spyware and malware on your machines, don’t expect anyone else to either. I know I make a lot of counter proliferation jokes but when it comes to proliferation of spyware, it’s not a joking matter. Counter Proliferation of Dog Poop on the other hand, is definitely a joking matter; in fact, while Sarah and I were out at dinner last night, we had a ton of proliferation going on.

I have had a few people ask about consulting for them. I’m pretty busy but do have some availability to do assessment, audits and create a strategy to protect yourself with.  Contact me at blogcommenter@williamgryan.com to discuss this further. I’d be glad to help out with basic stuff for free, so feel free to post comments and I’ll do my best to answer them. If it’s more involved and will take some time, then just email me at the address above.

LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE.  ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL SO ANY SIMILARITIES ARE PURELY COINCIDENTAL)



[tags]Email Security, Keystroke Logger, Internet Privacy, Internet Security, db.singles.org, Kevin Mitnick, The Art of Deception[/tags]

Categories: Counter Proliferation, Identity, Malware, Privacy, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 12 27 PM

 23 Apr 2010 @ 10:18 AM 

Bruce Schneier posted this earlier today and my jaw hit the floor:

I really don’t know where to begin. Lock My PC 4 bills itself as a “better way to lock your computer”. The main product page describes it as follows:

Lock My PC™ is an easy in use, powerful and compact tool to lock your computer from unauthorized use. When you leave your computer unattended, the program disables the hot keys (including Ctrl+Alt+Del), mouse, locks CD/DVD ROM doors and displays a lock screen. Nobody can access your system without providing the correct unlock password.

Unlike another similar computer lock software that cannot lock Ctrl+Alt+Del on a computer running Windows XP, our Lock My PC runs own keyboard driver to block such key combinations. Moreover, bulletproof startup lock guarantee that when your computer locaked at startup, this lock cannot be bypassed even in safe mode!

Why Lock My PC ?

You don’t like snoopers. They are always prying into your e-mail messages, programs, data, files, etc. Lock My PC allows you to lock your computer with a password while you leave it unattended. You can lock your computer manually, with a menu or hotkey, or set up auto lock when your computer is idle.

Hmmm, I guess one could overlook one typo on a corporate page, but looking through this, there are quite a few.   That alone might lead you to question their attention to detail, something that’s absolutely critical for security software.

“Well Bill, they are probably from another country where English isn’t their first language. So just b/c they don’t have perfect grammar, it’s not fair to assume they are careless elsewhere.”

I buy that argument in principle, but either way I’d say it would make me look really carefully for other signs of carelessness. It might be unimportant b/c after all, English isn’t their first language or they’re computer scientists not English professors.

This should clear up any confusion one might have as to how seriously they take security:

From: Bugs NotHugs <bugsnothugs () gmail com>
Date: Wed, 7 Apr 2010 04:23:55 -0600


Vendor: FSPro Labs [http://www.fspro.net/]
Product: Lock My PC 4 [http://www.fspro.net/lock-pc/]

---------- Forwarded message ----------
[request for help on locked PC]
Hello,

Please try engineering password:
19740619

Best regards,
FSPro Labs Customer Service

Technical Support  -- support () fspro net
Sales Department   -- sales () fspro net
Information Center -- info () fspro net

The support forum isn’t secure, anyone can browse directly to it.  And if you did, you’d be able to access a Master Password for their product that will let you unlock any version of it.  And I don’t mean unlock as in licensing – I mean Unlock as in Circumvent precisely what this product is supposed to protect against.

This would be patently irresponsible for a software company that sold software that had little in the way of security implications.  For a company that sells a security solution, it’s a sheer and utter disgrace.

I know people make mistakes. I know tech support people have high turnover so you frequently have new people with little product familiarity. I know tech support guys get gunned at all day by rude, annoying and/or idiotic people and often are willing to do anything to make customers happy.  But for this to happen, several things must be in place.

First off, the company has a “Master” password for all of their products. This isn’t item dependent (which would still be bad. Would you still consider buying this product if you knew up front it had a backdoor in it?). Any disgruntled former employee could access it, put it on the web or do God knows what else with it. Next, the password isn’t even kept very secret. If you’re going to have something like this which could expose all of your trusting customers to serious breaches, you should at least safeguard the hell out of it (although I’d maintain you shouldn’t have it at all). Next, the tech wasn’t apparently trained well enough in security to even realize what he was doing was really irresponsible and dangerous.  And no one up the chain of command apparently reviews what their people say in the support forums, so it’s stayed up there for a while. You might argue this isn’t necessarily true, it’s possible a higher up reviewed this and found it ok.  That’s certainly true. But if it is the case, it’s infinitely worse than them not reviewing what their subordinates are doing.  It’s one thing for a new low level support tech to make a mistake like this; if anyone who’s been there a while or has any position of authority were to do this, they don’t deserve to be in a position of trust like this.
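To make the “item dependent” distinction concrete, here is an added example (my own illustration, not code from FSPro Labs or from any real product) of the two ways a lock screen can be built. The first check accepts a vendor-wide constant on every install, which is the backdoor the post is complaining about; the constant below is a constructed placeholder, not the value from the forwarded email. The second stores only a salted PBKDF2 hash of the owner’s password and, for the “I forgot my password” support case, a recovery key generated per install and shown to the owner once, so nothing a support tech could hand out would unlock anyone else’s machine.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000

# --- The pattern the post describes: one vendor-wide "engineering" password.
# Constructed placeholder; the point is that the same constant is baked into
# every install, so leaking it once (a forum post, an ex-employee) unlocks
# every customer's machine.
ENGINEERING_PASSWORD = "PLACEHOLDER-MASTER-PASSWORD"


def weak_unlock(entered, user_password):
    """Accepts the owner's password OR the universal backdoor constant."""
    return entered == user_password or entered == ENGINEERING_PASSWORD


# --- A lock screen with no universal secret.
def _derive(secret, salt):
    """Salted, iterated hash so the stored value is useless on its own."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


class LockScreen:
    """Holds only hashes; recovery is a random key unique to this install."""

    @classmethod
    def create(cls, password):
        """Set up a lock and return (lock, recovery_key).

        The recovery key is shown to the owner once at setup (write it down,
        keep it off the machine) and is never stored in clear.
        """
        recovery_key = secrets.token_hex(16)
        return cls(password, recovery_key), recovery_key

    def __init__(self, password, recovery_key):
        self._salt = os.urandom(16)
        self._hash = _derive(password, self._salt)
        self._recovery_salt = os.urandom(16)
        self._recovery_hash = _derive(recovery_key, self._recovery_salt)

    def unlock(self, entered):
        # Constant-time comparison so a wrong guess leaks nothing via timing.
        return hmac.compare_digest(_derive(entered, self._salt), self._hash)

    def recover(self, key):
        """Support path: works only with this install's own recovery key."""
        return hmac.compare_digest(_derive(key, self._recovery_salt),
                                   self._recovery_hash)


if __name__ == "__main__":
    lock, key = LockScreen.create("hunter2")
    print("owner password:", lock.unlock("hunter2"))
    print("vendor constant:", lock.unlock(ENGINEERING_PASSWORD))
    print("this install's recovery key:", lock.recover(key))
```

Nothing here stops a determined person with physical access and a boot disk, which is the limit of any software lock; the point is narrower: a support department that can only tell a customer “use the recovery key you were shown at setup” has nothing to leak on a forum.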

Sadly, this doesn’t surprise me.  Just a few months ago a commercial web site I know of was breached via a SQL injection attack.  Mind you, this was in 2010.  How anyone can leave an injection vulnerability open after all the publicity is beyond me.  I also know of quite a few companies that do the same thing as this, some of which deal with very sensitive data.  They use master passwords (some even use SA and ‘password’ or the company name) for all of their apps.  Many don’t ever change passwords, even after employees who knew them are terminated or leave.  And some of them even tell clients the master password, just b/c it makes tech support easier.  I don’t know what’s worse, a security oriented software company doing this or a software company that handles private data for the government/banks/hospitals.  Either way, there’s no excuse for this.

IMHO, this will be the biggest impediment to cloud computing. At first, everyone will be thrilled by the simplicity and value. Then there will be a high profile breach and many people will second guess the whole thing. If there are enough high profile breaches, adoption of cloud computing could be seriously hampered. Having worked for or consulted with many software companies and having many friends who do the same, the sad truth is that stuff like this is the rule rather than the exception. It’s almost always driven by laziness or ego (“No one is ever going to attack our stuff, how would they even know where to begin” or my personal favorite, “It’s on an INTRANET, so we don’t need to worry about security”). Think about the DB.Singles.org debacle (and think about how they ‘responded’).


[tags]Security, Software Backdoor, Lock My PC 4, Bruce Schneier[/tags]

Categories: Coding, Douchebaggery, FAIL, Privacy, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 10 28 AM


Over the years, I’ve received a good 100 or so requests from people seeking help to break into an email account or someone’s computer. Without fail, I never knew the people and they found me via Google. They never bothered to read the pages which the links pointed to b/c the referrals were almost always articles I had written advising people how to NOT GET HACKED. Most of the cases involved teenagers typically looking to find out if their boyfriend/girlfriend was cheating on them, wanting to get even with someone who they claimed was doing evil stuff to them or something along those lines. A few cases were people involved in court cases looking to get dirt on their baby momma|daddy or former spouse by going through their computer or getting into their email. Google or Bing must have indexed something I wrote recently b/c I’ve gotten two such requests this week.

Now, I’ve never once written an article or anything explaining how to hack into someone’s machine. I’ve never once discussed how to breach someone’s privacy. I’ve gone out of my way to teach people how to AVOID this. By comparison, I’ve received probably 50 emails over the years from people asking me to help ensure they don’t get hacked or get rid of malware or spyware (then again, I’ve received a ton of comments so that might explain the disparity).

So I decided that maybe if I write a HOW TO Article explaining how you would go about hacking someone’s email or computer, maybe that’d serve to help people counteract such measures. Before I continue, I want to warn you that in most cases, hacking into someone’s account is illegal.  Whether or not it’s illegal, it’s arguably immoral and certainly uncool.  I’ve heard all sorts of excuses from “My boyfriend is cheating on me with this girl who I think has herpes and he doesn’t wear condoms and I need to find out if he has it” to people trying to justify it by claiming their baby momma is abusing their kids. People  always have supposedly ‘good’ or ‘necessary’ reasons for breaching other people’s privacy but it’s almost always little more than rationalizations.  So let me be clear, I don’t condone hacking and I don’t condone violating people’s privacy.  I’m going to make my central points here without giving details precise enough to help you hack say, someone’s AOL account but will give you enough information to protect yourself. This isn’t a definitive work by any means but is typical of how you’d get attacked – so pretend the person in question is YOU and think about how to protect yourself.

BEFORE I CONTINUE, LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE. ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL, SO ANY SIMILARITIES ARE PURELY COINCIDENTAL.

Let’s come up with a typical scenario along the lines of one I’ve heard (and for the sake of argument, we’ll assume it’s a legitimate case of needing to get the information at hand). Say Joe and Sally were married with two children, Joey Jr and Sandy. Sally has primary custody but Joe gets weekend visitation. Sally’s a great and caring mother and Joe is the exact opposite. And no such story would be complete without an evil step-mother. So let’s say Joe recently married Maria, the evil step-mother. Joe recently started a suit against Sally to get his custody agreement changed, wanting more time so he could pay less in child support. Joe’s new wife is really awful to the children and while Joe used to just be a negligent father, he frequently throws his kids under the bus to keep from getting in trouble. If he keeps Maria’s focus on them, he stays out of the crosshairs. Sally is horrified at the thought of Maria having more time with her kids and a huge ugly mess ensues. Maria and Joe start a vicious campaign of lies and distortions and are pulling out all the stops in trying to smear Sally. Sally *knows* from things her children tell her that Maria is an awful person and does a lot of awful things, and that a lot of it is documented in her email account on AOL or Yahoo. How should Sally proceed?

Sally needs access to the computer but being a loving mother, would never do anything to involve her kids.  While the kids hate Maria and want to do whatever they can to help, Sally is hesitant to let them even be remotely involved b/c they shouldn’t be in the middle (and if Maria caught them spying or anything, she’d certainly punish the kids ruthlessly).

The first thing she could do is try to guess the Password for Maria’s email account. She could navigate over to Yahoo.com or AOL.com, type in Maria’s email and guess at her password.   Since she’d almost certainly get it wrong, she could select “Forgot my Password” which would initiate the Password reset policy. She knows enough about Maria to answer all sorts of background questions (and the kids certainly could help).  So is this worth a try? Categorically NO.

Why?  Ask David Kernell.  He used this technique and was completely successful.  But it caused some major complications.  However in Sally’s case, it could be a lot worse. Here’s just a few of the problems:

  1. If she can’t guess the password, Maria will almost certainly be notified that someone was trying to get into her account. Maria will then likely take much more precautionary measures making any future successes much less likely.
  2. The Provider may not let you change the password, it may simply send the new email or a reset link to whatever account is listed in the profile.  This will have the same end result as Item 1.
  3. The provider will very likely log the IP Address. Whether it’s changed successfully or not, Yahoo or AOL may send her an email with the IP Address of the attempt. If so, Maria will not just know someone was trying to get into her account, she’ll know it was Sally.
  4. If she gets in, she won’t know the original password.  So the next time Maria logs into the account, she won’t be able to get in.  In such a case, each of the previous items is likely to come into play.
  5. Logging in with the Password if you have it is legal, even if the person hates your guts. If you have the credentials, you can get into the account. But using means such as this or pretending to be someone you’re not (like sending an email to MyRealBox.com pretending to be your ex-spouse) is not legal and as such, Sally could fail at getting any new info, and give Maria all sorts of ammunition to attack back with.

So the first countermeasure here is DON’T ANSWER YOUR CHALLENGE QUESTIONS WITH REAL ANSWERS. Instead, come up with some canned answers that you know are fake. If you went to Kiski Prep high school, answer ‘Highlands’ as your high school if asked. If your first pet’s name was Spot, answer with the name of the current pet you have. Whatever you do, make sure you use fake answers. Then pick easy questions that an adversary would likely think they could answer. By doing both, you’ll egg them into trying to access your account. They’ll fail. And they’ll likely keep answering over and over, sure they have the correct answer and that you’re just spelling it wrong. They will have a lot of fun trying to convince a jury that they ‘accidentally’ repeatedly put your real high school’s name in the answer box.

For Sally, the lesson here is DON’T DO ANYTHING ILLEGAL. And forget about trying to guess a password or brute force someone’s password. It will very likely fail, but in this case, success could easily be much worse than failing.

The next thing Sally might try is having the kids look over Maria’s shoulder and guess her password.  Or she could ask the kids to try to get Maria to give it to her (“Maria, I need to log onto the computer to get my homework assignment, can you just give me the password for now?”) Most people reuse passwords so if you get one of their passwords, you’ll likely be able to use it other places. And even if not, they’ll likely use that password as a basis for another password.

This approach is a complete loser too. Here are a few reasons why:

  1. It involves the children.  Any parent that intentionally sticks their kids in the middle of such disputes is an a-hole.  You might need to win, but you never need to win so bad you stick your kids in the middle of it
  2. If Maria gave them the password, and then you used emails from that account, she’d almost certainly put two and two together and the kids would pay in blood.

Unlike the last approach though, if she reused passwords and she just gave the kids the computer login, you’d be set. You’d have the correct password so you wouldn’t be hacking or pretending to be them.  Unless you deleted messages or did something obnoxious, Maria would never know it happened so from a technical point of view, it’s much better than the previous method.  But it involves the kids and using your kids as a human shield is just plain f****ed up.

Here’s one last approach, which is precisely what I’d use if I was ever to go over to the dark side, sell my soul to the devil and go for broke.

Sallie could buy or have a software developer friend write her a Keystroke logger.  The logger would hopefully be sophisticated enough that it wouldn’t show up in the task bar, that it wouldn’t show up in task manager either and that it would execute transparently. Ideally, it would be able to remotely send the results to a pre-specified email account.  Here’s a few aspects of how this would work:

  1. The logger would be as invisible as possible not showing that it was executing anywhere.
  2. If it had to show up in Task Manager, it would use a clever name like “MS Search Indexing” or “McAfee Virus Scanner” (particularly if you knew that they used a specific brand of spyware detectors). Just adding a space in a program name is enough to differentiate it while making it ‘look’ like something legit. Svchost is always a good choice for a name – even though it’s not really a service.
  3. It could be toggled off remotely and ideally uninstall itself if it needed installing in the first place
  4. It could disappear and then come back to life
  5. It would have to be able to be remotely installed
  6. It would need to be able to transmit the results (i.e. email, ftp, http) somewhere else where it could be reviewed by Sallie
  7. It would need to be subtle enough to not set off any spyware warnings

Pretty much any Keystroke Logger worth its salt would have all of these features.  Any developer with even a small amount of technical skill could write a tool like this in a day or so. Sallie would do something like this:

Now, Sallie just needs to send Maria an email with an attachment that must be opened. If she thinks Maria won’t be that cunning, well, she could have one of the kids open up their email. Better yet, if Maria is the type of insecure sociopath who violates their kid’s privacy b/c of paranoia but justifies it as parental responsibility, this is the perfect setup. Sallie sends the email with the program attached to it as an attachment to the kids. She instructs them not to open up the email anywhere but on Maria’s computer. She should give it a compelling name that she knows Maria will go crazy over and perhaps put just enough in the body of the email to set Maria off without going so far that it could make her look bad. Maria sees a title to the effect of “Is the Monster Making your life miserable” and in the body “Honey, I’ve attached the instructions on what to do if Maria starts anything with you this weekend.” Seeing that, with the taunting title, Maria will almost certainly click on the attachment to see what it is. Even if a warning came up, Maria would likely just click “Ok” b/c she’d want to see what was in the document so badly. This would be perfect for a Word Macro or something similar, with the document itself containing something like “Just kidding” or Sallie’s home phone number and nothing that anyone would get excited over.

I could write volumes on how to get Maria or her counterpart to open the email but I won’t.  That’s where it crosses the line in my book so I’ll leave that up to you (rather, I’ll let you think about this for a second and think what you might do. Would you open it?  Most people would.  So keep that in mind when opening attachments, even if you think they’re legit.  Viruses and malware are only spread b/c of ‘trust’ – so think long and hard about how and why you trust things that you receive via email).

Here’s where things get fun. Sallie should now wait a few days  before retrieving the results. In fact, she should ‘make sure’ that Maria checks her email. She could for instance, send something of a legal nature or something she knows Maria would want to know about.  She could call beforehand and say “I sent you _________________________”  That would give her a time frame among other things to check against in the results dump (those things can get pretty big).

After waiting a day or two, she should now retrieve the results. If she finds what she needs, she should immediately deactivate the logger at this point. Not uninstall it, but deactivate it. At this point, she should look for any string that has “AOL.com ” in it. Since she knows Maria’s email address, she should look for that too. If she sees “AOL.com” followed by “bluemaria007@aol.com” (this is a made up address – or at least I hope. If there is a blue maria 007, please accept my apologies in advance), Sallie can be pretty confident that the password is the very next string.

She should go test it out once she thinks she has it. If it’s wrong, she should never try more than once in a 30 minute setting. Yes, I’m sure it takes more to lock out most accounts, but why push it. Patience is your friend here. Once Sallie is in, she could elect to uninstall the Keystroke Logger, which would get rid of any trace of it. The downside is that if it’s discovered, it’ll point back to ‘her’ email address. If she followed the steps above, then not much could come from it, but it would put Maria one step closer to finding out what just happened. So it’s best to just remotely remove any such information if she was going to leave it installed but deactivated. There’s a gamble at this point. The quicker she uninstalls it, the lower the odds that it’ll ever be discovered. On the other hand, if she needs it b/c Maria changes her password or anything, she’ll need to get it reinstalled.

The Logger approach has some other benefits.  Not only will it let Sallie see passwords, she’ll see everything Maria does (and anyone else on the computer). Maybe Maria has a pr0n fetish. Maybe she’s cheating on Joe. Maybe she engages in cybersex. Maybe she’s doing something else she shouldn’t be.  The Keystroke Logger would let Sallie know about ALL OF IT.  Maybe Joe is doing some stuff he shouldn’t. Whatever the case, if they’re doing it on the computer, Sallie will know.

What should Sallie do now?

  1. Use the Search feature and search for “Sallie” and each child’s name individually.
  2. Search for her Last name (which may produce too many results if it’s still the same last name as Joe)
  3. Search for sexual terms
  4. Search for common drug names
  5. Search for “affair”
  6. Look at all the correspondence between Joe and Maria. Are they fighting? If so, what are they fighting about?  This will likely prove to be very useful later on.
  7. NOW, SALLIE SHOULD LOOK THROUGH THE SENT ITEMS FOLDER.  She will likely find things that are YEARS old b/c most people don’t clear out their SENT Items.  She should do the same for Deleted Items
  8. She should search for any other email accounts Maria or Joe might have. 
  9. She should search for Facebook, Twitter, MySpace etc and any other such accounts.  Since she likely uses the same password, she should try to access any of these and see if there’s anything helpful.
  10. If she finds another email account that doesn’t have the same password, she should wait until about 3:00 AM on a Sunday. She should go into that account and reset the password (while having this particular email open). She can then reset the password for the other accounts and IMMEDIATELY delete any traces of information about the reset from the existing account. Maria will try to access one of those other accounts and not be able to get in. But unlike the earlier scenarios, she’ll likely think it’s just a glitch, or that she forgot the right password or whatever. And with all the traces deleted, she’ll never have any idea. Even if she was told there was a reset, at this point she suspects nothing, so she’d likely think the email provider was mistaken. Sallie needs to make sure she deletes the item from the Trash though, and any Sent Items emails as well. If Maria happened to be online and watching her email, she’d see the new email come in then disappear. That’s why it should be done at a time when Sallie is sure Maria isn’t using the computer. She could always do it while calling Maria to make sure Maria is on the phone with her (although this is far from foolproof).
  11. It may be the case that Maria has other email accounts (like her work account) that have all sorts of incriminating information. If she’s in trouble at work, Sallie will know. If she’s stealing money, Sallie will know. If she’s trading on insider information Sallie will know.  If she’s having an affair with a coworker, Sallie will know. This could open up all sorts of doors so it’s not something you’d want to overlook.

Legally, Sallie won’t be able to use much of this as evidence. Depending on the state’s laws, the information may or may not be accessible. So if she admits to hitting the kids, or some other emotional cruelty, it may not be admissible.  However that’s irrelevant in many cases. If she was having an affair, Sallie could make sure someone notified Joe of the details. If she was engaging in cybersex or Pr0n, Sallie could drop Joe or Maria’s boss some of the details.  You get the idea.

At this point, Sallie could search all the Sent items and trash, find stuff years old as well as new material and just save each one.  Most people have all sorts of embarrassing stuff in their emails and if she’s doing something wrong/illegal/immoral, it’s a virtual certainty there’s some record of it on the computer.

Remember, Sallie didn’t just get her email. She now likely has Maria’s other email accounts, Joe’s other accounts, passwords or account information she had saved as Drafts (Drafts are frequently a gold mine), chat details, documents she wrote to the attorney – just think about how you use the computer. Imagine your worst enemy, who you were in a court battle with, had full access to it without you knowing. She could come and go as she pleased. How would that affect you?

If you haven’t read it already, I highly encourage you to read my article on the Hacking of DB Singles.org aka Operation Jesus. There are many valuable lessons to be learned there, most of which I’ll review here. I’d also point out that in the middle of the attack, I called the computer crimes investigator for a Sheriff’s Department close to where I live. This is the same person that was hassling me about something so absolutely silly no one would believe me if I wrote it. Yet in the middle of a huge hacking, where thousands of dollars were stolen, where child porn was being put up on people’s Facebook pages, where all sorts of false ‘confessions’ were being made about rape, molestation etc by people pretending to be the account owners – no one called me back. Almost all of this damage could have been prevented had law enforcement known or stepped in to intervene. I had full details of what was happening. I’ll never know why he never called me back but I can speculate. I do know however that he’s been willing to spend quite a bit of time helping someone harass a private citizen (it’s never harassment when someone in Law Enforcement is doing it though – don’t forget that). Actually, I’m sure that not only will he read this, a friend of his will once again violate my terms of use and he’ll say nothing. By his own words, his friend admitted to doing something that is unquestionably a crime but he did nothing about it. I guess if the authorities agree with your motivation or don’t like the victim, it’s not a crime either. Even though I haven’t identified any names and didn’t disclose any details – I’m betting that once he reads this I’ll be questioned or arrested (b/c it’s no secret he’s just dying to arrest me for something).

I bring up the Singles.org incident for two reasons. The first is that it shows you how vulnerable many people are and they never know it. It illustrates how just doing a few small things resulted in a huge difference with respect to how much exposure people had. Some people only had their Profile pages defaced, others had thousands of dollars stolen via Paypal, had their Facebook pages hacked or had people make horrendous confessions from their email accounts – confessions which were about criminal activity in several cases and were completely untrue.

If these people would just not REUSE PASSWORDS, their exposure would have been limited to the Dating site. If they used Dummy Email accounts for public profiles they would have faced no real exposure. In addition, you should remember to never ever ever ever open attachments unless you’re beyond positive that it’s something you want. You should always check with the sender. In the hypothetical above, the sender would have verified that she meant to send it, but remember that it was a plant the whole time. If Sallie would have sent Maria the attachment, it would have been received with much more suspicion. You should remember that someone else could do something naive or stupid and you could still be at risk. You should think long and hard about what you keep stored in your email accounts. You should think about what would happen if an adversary/enemy had access to everything you were typing. You should be very careful about keeping virus definitions up to date and what processes you allow to run in Task Manager. Think about how I described the Logger that I would write. Would you notice another Servicehost.exe running? You should also think about watching all traffic coming out of your computer and network. You should delete everything from your trash as soon as possible. You should keep your Sent Items folder cleaned out. You should use multiple email addresses and always always always use different passwords (strong passwords that are markedly different from other ones). You may consider using a Biometric reader for account access (at our house, we have fingerprint readers on all the machines). You should pay close attention to the IP Addresses that have accessed your email (do you know your IP Address?). You should make sure you know your home and work IP Addresses and take any ‘strange’ items very seriously. You might even do what we do… That is, I don’t check email from any of my machines.
Instead I use a Virtual Machine that I do all my internet surfing and emailing with. Even if they got a logger on my box, they’d be hard pressed to get much info out of it b/c as soon as I’m done, the Virtual Machine is SHUT OFF.
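Two points above can be turned into an actual check: the logger feature list’s trick of hiding behind a system-sounding name (an extra space, a “Svchost” that isn’t one), and the question of whether you’d notice another Servicehost.exe in Task Manager. The following is an added example, my code rather than anything from the post; the allowlist of system process names and their usual directories is an assumption built from standard Windows defaults, and the process table it scans is constructed. It flags names padded with whitespace, names using non-ASCII lookalike characters, near-misspellings of system binaries, genuine system names running from the wrong directory, and anything not on the allowlist.

```python
from __future__ import annotations

import ntpath
import re
import unicodedata

# Constructed allowlist for this example: a few Windows system process names and the
# directory each normally runs from (standard Windows defaults, assumed here, not
# taken from the post). A real deployment would build this from a known-good machine.
ALLOWED = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "searchindexer.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def normalize(name: str) -> str:
    """Case-fold, apply NFKC (folds fullwidth and other compatibility characters) and
    drop every whitespace character, so "Svchost .exe" compares equal to "svchost.exe"."""
    return re.sub(r"\s+", "", unicodedata.normalize("NFKC", name).casefold())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute); used to spot typo-squatted names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(name: str, image_path: str) -> list[str]:
    """Return the reasons a running process looks like a disguised program (empty if clean)."""
    reasons = []
    norm = normalize(name)
    if norm != name.casefold():
        reasons.append("name padded with whitespace or lookalike characters")
    if not name.isascii():
        reasons.append("name contains non-ASCII characters")

    directory = ntpath.dirname(image_path).casefold()
    expected_dir = ALLOWED.get(norm)
    if expected_dir is not None:
        # A genuine system name: it must also run from its usual directory.
        if directory != expected_dir:
            reasons.append(f"system name running from unexpected directory: {directory}")
        return reasons

    # Unknown name: is it a near miss of a system binary ("svch0st.exe", "scvhost.exe")?
    stem = norm.rsplit(".", 1)[0]
    for allowed in ALLOWED:
        if edit_distance(stem, allowed.rsplit(".", 1)[0]) <= 2:
            reasons.append(f"looks like a misspelling of {allowed}")
            break
    else:
        reasons.append("not on the allowlist")
    return reasons


def scan(process_table) -> dict[str, list[str]]:
    """Take (name, image path) pairs, as exported from Task Manager or tasklist, and
    return {name: reasons} for every process with at least one reason."""
    findings = {}
    for name, path in process_table:
        reasons = suspicious_reasons(name, path)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample process table (not real telemetry): one genuine svchost.exe, then
# the kinds of disguise the post describes: a space in the name, a plausible-sounding
# unknown binary, a "security product" name, and a Cyrillic "с" standing in for "c".
SAMPLE = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("Svchost .exe", r"C:\Users\user\AppData\Roaming\Svchost .exe"),
    ("Servicehost.exe", r"C:\Users\user\AppData\Local\Temp\Servicehost.exe"),
    ("McAfee Virus Scanner.exe", r"C:\Users\user\Downloads\McAfee Virus Scanner.exe"),
    ("sv\u0441host.exe", "C:\\Windows\\System32\\sv\u0441host.exe"),
]

if __name__ == "__main__":
    for proc, why in scan(SAMPLE).items():
        print(f"{proc!r}: {'; '.join(why)}")
```

The allowlist-plus-directory rule is the one that catches the post’s Servicehost.exe: it is neither a known name nor in a system directory, so it is reported even though nothing about its name looks wrong at a glance.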

There’s always a tradeoff when it comes to security and that tradeoff comes at the price of convenience. Until recently, I never had any enemies I’d be very worried about, and the best defense is always to not have people gunning at you. Even now that I know someone is out to get me (and I think they’re too crazy/ignorant/psycho to), I started taking security around the house a lot more seriously. By not doing anything bad you greatly minimize the attack vector, but we all have some things that are private that we wouldn’t want everyone to know (if one of your parents was dying for instance). Since it’s a tradeoff, you have to decide where your comfort zone is. Think about the Maria hypothetical I came up with above. If Sallie did that to you, how would you fare? If you have someone out to get you, you should assume that they might be able to do just that.

Sun Tzu (and honestly, it was Sun Tzu, not the Godfather) had a lot to say about dealing with your enemies. And one of the best ways to lose to your enemy is to underestimate him. You can take this to the extreme and lock yourself in a closet, but isn’t that giving your enemy a victory in and of itself? Instead, you need to accurately assess the threat, look at the situation as objectively as possible (in fact, you should find some contrary opinions), make sure you’re not believing your own press releases and take reasonable precautions. In most cases, just making a few small changes or taking some very basic precautions is more than enough to safeguard yourself.

And just keep in mind, if Maria used a service like Privicy, she’d never have had these problems.  But I don’t want to shamelessly plug my own products in an article about security – I just mention it b/c in reality, it will solve almost all of these sorts of problems.

[tags]By Way of Deception, The Art of Deception, The Art of Intrusion, No Tech Hacking, Kevin Mitnick, J.J. Luna, JJ Luna, How to be Invisible, www.howtobeinvisible.com, Victor Ostrovsky, Sun Tzu, Email Hacking, Spyware , Malware, Online Privacy, Email Security, Keystroke Loggers, Db.singles.org, Singles.Org, Operation Jesus[/tags]

Again, just to reiterate:

BEFORE I CONTINUE, LET ME EMPHASIZE THAT NONE OF THE CHARACTERS DESCRIBED ARE REAL PEOPLE OR BASED ON REAL PEOPLE. THE ENTIRE STORY IS COMPLETELY FICTIONAL. THE ISSUES RAISED ARE REAL AND SO IS THE ADVICE (WHICH IS OFFERED FOR FREE, WITHOUT ANY WARRANTY BLAH BLAH BLAH) BUT NONE OF THE CHARACTERS ARE. ANY RESEMBLANCE TO REAL PEOPLE IS PURELY COINCIDENTAL (THERE ARE PROBABLY MORE THAN A FEW FAMILIES OUT THERE WITH DIVORCED PARENTS, TWO CHILDREN, A REMARRIED FATHER AND AN EVIL STEP-MOTHER WHO HATES THE KIDS). THE NAMES, CHARACTERS, EVERYTHING – IT’S ALL MADE UP. AGAIN, EVERY CHARACTER AND THE SITUATION ARE JUST FICTION AND ARE NOT REAL PEOPLE OR BASED ON ANYONE REAL, SO ANY SIMILARITIES ARE PURELY COINCIDENTAL.

Categories: Email, Privacy, Roubot, Security, Snoopery, Spyware, Technology
Posted By: Roubot
Last Edit: 23 Apr 2010 @ 08 23 AM

 01 Apr 2010 @ 10:17 PM 

Being the optimistic fellow I am, having a great week is nothing unusual.  Last week was so amazingly good I thought it would be ages before I had another one that good.  Then Monday came around and things have just kept getting better.  I didn’t think anything could top yesterday, and well, today somehow managed to do so. 

In the course of 24 hours, every sucky thing in my life went away (ok, not totally away, but away enough for my taste – Metaphorically, I’d liken it to getting cured of Ebola, except Ebola is nowhere near as fugly, dresses better and is infinitely more pleasant to be stuck with).

I’m back to being able to focus on value added activities now which among other things involves the launch of my entrepreneurial dream – Privicy.net (it’s just the default MS landing page now but the beta will be up in two weeks). I’ve already managed to learn more about .NET 4.0 and WCF than I could ever want but this has forced me to learn a lot of things I always avoided, like front end work. One of the coolest things I’ve got to work with is OpenID. I’ve also been able to work with Android development quite a bit which was getting really cool – until the Windows Mobile 7 SDK was announced. I guess now it’s bye bye Java and hello Silverlight.

I’ve already received a ton of interest over Privicy and I need to have it done by May 2, 2010 or I’ll lose out on a good bit of money. I’m going to try, where possible, to post some of the cooler stuff that I came across while developing the site.

Anyway, I’m back and have a lot of content ready to go – I’m going to brave the Upgrade to WordPress 2.9.2 and get at it.  Considering my luck with WordPress Upgrades, I need to do it this week while life is smiling so favorably upon me ;-)

Categories: Privacy, Privicy.net, Security, Snoopery, Spyware, Technology, William G Ryan, William Ryan, Windows Mobile
Posted By: Roubot
Last Edit: 01 Apr 2010 @ 10 17 PM


[tags] GSM, Encryption, Snooping, Cracking[/tags]

Categories: Privacy, Security
Posted By: Roubot
Last Edit: 21 Apr 2010 @ 06 39 PM


It’s well documented that we can’t cut taxes without cutting vital government services.  There’s no waste in the government and they are very careful with our tax dollars.  And we know that private corporations are run by greedy bastards whereas government agencies are run by altruists.  Somehow, the mere act of receiving a paycheck from the government instead of private sector makes one immune to greed, avarice and most other vices afflicting the private sector (I can’t believe I wrote that without barfing).

When a private company does something, directly or indirectly if you will, that hurts private citizens, there’s never a shortage of opportunist politicians wagging their fingers and promising that the bad guys get their due. When it’s a Senator/Congressman/Governor/President that does it, an Ethics Committee is convened and the person is almost always cleared of all wrongdoing (unless his crime is politically incorrect.  Stealing money and taking bribes is almost always OK).

What’s really offensive though is how things are handled when the government’s actions hurt people.  Every year hundreds of thousands of people die or suffer needlessly b/c the FDA won’t allow them access to experimental drugs that might kill them.  The US Government says Pot is bad but pretty much makes research to support or refute this claim illegal.   Virtually every major aspect of the housing meltdown can be attributed to government action.  Milton Friedman’s Free to Choose catalogs a ton of such instances and that book was written way before any of this housing nonsense.

So in the latest instance of government incompetence that would lead to arrests if a private sector company did it on their own…

The US government is huffing and puffing about the evils of governments that spy on their citizens.

Obama administration issued statements of support for Google, and members of Congress are pushing to revive a bill banning U.S. tech companies from working with governments that digitally spy on their citizens. [editor’s note:  I have no doubt that if the other party was in power, their position would be no different]

I commend them on their support for the non-ruling members of the world and I share their outrage.  There’s a problem or two though:

The 1994 CALEA law required phone companies to facilitate FBI eavesdropping, and since 2001, the NSA has built substantial eavesdropping systems in the United States. The government has repeatedly proposed Internet data retention laws, allowing surveillance into past activities as well as present

CALEA, the Communications Assistance for Law Enforcement Act, had a pretty noble purpose no doubt, but the implications seem pretty, uhhh, Orwellian? Totalitarian? What do you think Stalin, Mao, Chavez or Castro would think about such a law compared to say a Churchill or a Gandhi?

CALEA’s purpose is to enhance the ability of law enforcement and intelligence agencies to conduct electronic surveillance by requiring that telecommunications carriers and manufacturers of telecommunications equipment modify and design their equipment, facilities, and services to ensure that they have built-in surveillance capabilities, allowing federal agencies to monitor all telephone, broadband internet, and VoIP traffic in real-time

Then there was that pesky CARNIVORE (And to think that Taxpayer money was used to pay someone to come up with such a ‘brilliant’ name. It’s amazing that it didn’t receive a warmer welcome with such a friendly name, non?)

After the dust settled from the Carnivore PR disaster, the best and the brightest decided to soften the image of their totalitarian snooping initiatives and Total Information Awareness was born.  Just to be clear, these are a few of many such power grabs.  So pretty much every time you turn around, our government, just like the governments of most other countries, tries to come up with some new way to snoop on its citizens.

Sweden, Canada and the United Kingdom, for example — are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

They keep trying and wait for the right moment to claim such intrusions are necessary.  (For the record, President Bush SIGNED the Patriot Act on October 26, 2001. That means it was written, debated, voted on and confirmed in 6 weeks and 3 days.  It was introduced to the House of Representatives within a week of 9/11.  Check it out for yourself.  Do you really believe that it was all written After 9/11?  Or was it already sitting around as a solution waiting for a problem?) 

So we sit here today with Congress in high dudgeon about the Chinese Government’s snooping and we’re ready to really stick it to any government that spies on its citizens, yet these same people demanded that companies like Google put backdoors into their software so the government could spy on its citizens.  And because of that mandated back door, Chinese hackers were able to infiltrate Google’s Gmail service and retrieve who knows what.  This cost Google substantial embarrassment and G*d only knows how much in monetary damages.  Who does Google call to get their reputation or money back? (And for the record, I’m not a huge Google sympathizer – it’s just in this case, I think they got the shaft pretty bad).

While we’re taking a trip down memory lane, do you remember the early days of the internet?  Remember any time you installed most major software there was all sorts of text making you promise you wouldn’t export anything that contained encryption?  Remember the International Traffic in Arms Regulations (ITAR)?  Do you remember Phil Zimmermann?  This is a prime example of what happens when people who DON’T UNDERSTAND TECHNOLOGY, DIRECTLY OR INDIRECTLY, TRY TO LEGISLATE IT, INCLUDING BUT NOT LIMITED TO WRITING INTERROGATORIES OR LEGAL PROPOSALS, BY YOU.  In a nutshell, ITAR made it illegal to export strong cryptography.  Here’s the genius part of it:

You could write the source code that built the cryptography and send it out of the country, even directly to a known terrorist, and not break the law.  You could put it in a text file and email it and not break the law.  You could send the source code, a compiler and instructions on how to compile the program and still not run afoul of ITAR.  But if you compiled the source and transmitted it to a specific list of actors, even if you did so accidentally, you were now a federal criminal.  To show how stupid this is, I downloaded the source for PGP along with an old Borland compiler.  It took me a total of 6 mouse clicks (Open the program, File->Open->PGP Source->Select All->Compile) to build the application in question. If you include creating the email, downloading the instructions and attaching the compiler, the whole process takes less than 20 mouse clicks.  So we made something a FEDERAL CRIME, and a damn serious one at that (try to get hired with “I broke federal arms trafficking laws” on your record), where the threshold between completely legal and federal criminal was < 20 mouse clicks.  God knows no bad guys would ever know how to download source code or install a basic C or C++ compiler.  It’d be hitting F5 that would throw them. 

So we have repeated examples of the government screwing up (and as Friedman pointed out, in many cases causing screw ups that lead to lives lost) over and over again. We know that many in the Prison Industrial Complex sit around waiting for an opportune time to get around the Constitution.  We know that Congress often doesn’t read the text of legislation they vote on.  We know many of them don’t have a clue about technology (and in some cases, ideas so utterly stupid most people couldn’t begin to understand them).  Tell me again why we are so willing to let them make laws related to technology?  (Or much else for that matter)

[tags]Total Information Awareness, CARNIVORE, PGP, Philip Zimmermann, ITAR, International Traffic in Arms, Google – China, Chinese Hacking of Gmail, CALEA, Milton Friedman, Cryptography, Patriot Act  [/tags]

Categories: Government Abuses, Politics, Privacy, Security
Posted By: Roubot
Last Edit: 15 Feb 2010 @ 06 22 AM

 21 Jan 2010 @ 2:09 PM 

I wouldn’t have.  Bruce Schneier links to an incredibly impressive skimmer that was recently found live, in use, in California.  Check out the pictures and think about whether or not you’d suspect anything funny. And even if you do catch  it, read the whole article and consider if you caught every aspect.   Like Schneier says, he didn’t catch any of it either, and that’s the whole point.

[tags]ATM Skimmer, ATM, Bruce Schneier[/tags]

Categories: Privacy, Security, Spyware
Posted By: Cuckoo
Last Edit: 21 Jan 2010 @ 02 21 PM

 29 Dec 2009 @ 11:32 PM 

2009 was a pretty mediocre year overall, but Kim decided to end it with a bang.  She finally accepted the fact that she’s married to a geek and embraced the geek chic while shopping for me.  One of the things she got me was a Cisco WVC210 Wireless G PTZ Internet Video Camera.  We’d been talking about installing some Doggy Cams for a while, but I really wasn’t expecting this.

Cisco WVC210

Historically, the little bit of talent I have resided exclusively in the software realm.  When it came to wiring up anything, I could make a mess or an accidental explosion, not much more.  Trudging through the learning curve though, I started making some progress.  My crowning success for the year WAS turning the interior of my car into a fully functioning T-Mobile hotspot (I really didn’t think much about having built-in Bluetooth in my car at first; I’ve since learned to really love it b/c with Wi-Fi and the hotspot, it’s all kinda wireless).

This whole thing started as a father/daughter project and grew.  Santa brought her a netbook to use with her webcams so between the Xbox Live account and this, she’s going to be the highest tech kid in SC.  I tried getting it working in the car, not b/c it’s practical or even desirable, but just to see if I could get it to work.  As you drive, you roam and the IP address is reassigned regularly (in this case, I’m roaming a lot so that’s the most likely culprit) so the forwarding is problematic.  Basically, you can see what the camera is looking at from a computer in the car even while moving. You can look at it over the internet if you sit still.  But for now, that’s all I was able to pull off.  I’ll be checking with the DynDNS.org folks to see if I can get something working while driving, but for now, I’m not expecting any miracles.

The WVC210 sat in the box for a day while we attended to other holiday duties (Santa brought me DJ Hero as well which took precedence).  Setup couldn’t have been easier and here’s what it took from start to finish (Finish being defined as ‘available and on the internet’):

  1. Connect the camera to the switch (or router) with a CAT5 cable; setup requires a wired connection.
  2. Connect the power cable. (1 minute for steps 1 and 2 combined)
  3. Put the install CD into a computer and start the wizard. (1 minute)
  4. Let the software find the device. (2 minutes)
  5. Walk through the wizard. (4 minutes)
  6. If all works correctly, here’s what you’ll see. (screenshot: Cisco WVC210 PTZ Internet Camera)
  7. Add user accounts. (3 minutes)
  8. Log in to your dynamic DNS account (I used DynDNS.org). (1 minute)
  9. Retrieve your settings and write them down or commit them to memory. (30 seconds)
  10. Log in to the router and set up port forwarding. (3 minutes; screenshot: DynDNS)
  11. Go to the internet and verify everything works. (2 minutes)
  12. Enjoy.

Cisco WVC210 PTZ

From start to finish, the whole thing took just about 15 minutes.  There’s one thing I sort of fibbed about.  DynDNS.org is awesome and very easy to use but I screwed up port forwarding the first time around.  I tweeted asking if anyone knew how to troubleshoot.  Within a few minutes, Chris at DynDNS.org wrote me back and offered direct support.  I took another stab at the port forwarding on my own and it worked like a charm, but the whole DynDNS.org experience was awesome and I’m hooked.
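The dynamic DNS half of the setup above, as an added example rather than anything from the original post or from DynDNS: a small Python client that pushes the camera’s current public address only when it has changed and stops on the protocol’s fatal replies. It assumes the dyndns2 update protocol as it was documented at the time (the members.dyndns.org endpoint, HTTP Basic auth, a mandatory User-Agent, one-word return codes such as good, nochg, badauth, abuse); the live service may differ today, and the hostname, credentials and stubbed HTTP call are placeholders. How the client learns its own current public address (a check-IP service or the router’s status page) is left as the injected input.

```python
"""Dynamic-DNS update client in the dyndns2 style.

Added example; not the blog's code or DynDNS's client.  Endpoint, auth scheme,
User-Agent rule and return codes follow the dyndns2 protocol as documented at
the time (assumption: the live service may differ today).  Hostname and
credentials below are placeholders.
"""
import base64
import urllib.request

UPDATE_ENDPOINT = "https://members.dyndns.org/nic/update"   # assumed historical endpoint

# One-word reply codes that mean "fix your configuration".  A client that keeps
# retrying after one of these gets the hostname blocked, so we stop on our own.
# 'good' and 'nochg' are success; '911' and 'dnserr' are server-side and transient.
FATAL = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent"}


def build_update_request(hostname, ip, username, password,
                         user_agent="example-cam-updater/0.1 (added example)"):
    """Build the GET for one update.  Credentials travel in a Basic auth header,
    not the query string, so they stay out of proxy and web-server logs."""
    url = f"{UPDATE_ENDPOINT}?hostname={hostname}&myip={ip}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": "Basic " + token,
        "User-Agent": user_agent,   # required; a missing one is answered with 'badagent'
    })


def parse_update_response(body):
    """'good 198.51.100.7' -> ('good', '198.51.100.7', False); 'badauth' -> ('badauth', None, True)."""
    parts = body.strip().split()
    if not parts:
        return ("empty", None, False)
    code = parts[0]
    ip = parts[1] if code in ("good", "nochg") and len(parts) > 1 else None
    return (code, ip, code in FATAL)


def update_if_changed(state, current_ip, send):
    """One poll cycle.  `state` persists between runs and holds hostname, user,
    password, the last ip pushed ('ip') and a 'blocked' flag set after a fatal
    reply.  `send(request) -> str` performs the HTTP call and is injected so the
    logic can run offline.  Returns a short description of what happened."""
    if state.get("blocked"):
        return "skipped: previous fatal reply, fix configuration first"
    if current_ip == state.get("ip"):
        return "skipped: ip unchanged"      # no request at all, so no abuse lockout
    req = build_update_request(state["hostname"], current_ip,
                               state["user"], state["password"])
    code, ip, fatal = parse_update_response(send(req))
    if fatal:
        state["blocked"] = True
        return f"fatal: {code}"
    if code in ("good", "nochg"):
        state["ip"] = ip or current_ip
        return f"updated: {code} {state['ip']}"
    return f"transient: {code}, retry next cycle"   # 911, dnserr or something unknown


def live_send(request):
    """Real HTTP call; only used when running this file against the network."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demo with a stubbed server: first run updates, second is a no-op,
    # third simulates a lockout reply, fourth is refused locally.
    state = {"hostname": "cam.example.dyndns.org", "user": "user", "password": "pw", "ip": None}
    replies = iter(["good 198.51.100.7", "abuse"])

    def stub(request):
        return next(replies)

    print(update_if_changed(state, "198.51.100.7", stub))
    print(update_if_changed(state, "198.51.100.7", stub))
    print(update_if_changed(state, "198.51.100.8", stub))
    print(update_if_changed(state, "198.51.100.9", stub))
```

Running this on a schedule is the piece the roaming-car setup needs; the skip-when-unchanged and stop-on-fatal rules are what keep the hostname from being locked for abuse. Note also what the port forward in step 10 does: it puts the camera’s web console, ActiveX viewer and all, on the public internet. Given how thin the camera’s own security guidance is, a long unique password on every account added in step 7 is the minimum, and a VPN into the home network with no forwarded port is the better design.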

Now a few months ago, someone cracked our doorbell chime.  I’m definitely not qualified to play with electricity so it’s just sort of been sitting in limbo for a while. The additional cameras are perfect for such tasks.  Instead of looking like a lame a55 that can’t fix a doorbell, I look way cool for having video monitoring at the front door.  Coupled with some of the X10 (yep, after years of rolling her eyes, Kim has seen the light on X10 and become a fiend believer) stuff we bought recently, home automation has made a lot of progress recently and it’s been absolutely painless.

Anyway, once I got everything hooked up, the final step was removing the wires so it was fully wireless.  That was as hard as unplugging the cable and voilà, it was good to go.

Nothing big or impressive about a webcam, so what makes this blog worthy other than bragging about a wife cool enough to support my inner geek?  Here are a few things:

  • It’s cake plugging in additional cameras.
  • It provides two way audio which makes it perfect for a doggy tormentor cam or a door monitor.  The Sausage Dog of DOOM has reported back that he does not like me and mommy being able to watch him destroy our living room. What’s more, he really hates that we can say “NO!”  or “Stop it Nikki!” without having to be there.  From my point this is a huge plus, from an evil Sausage Dog’s perspective, it’s a bug.
  • You can fully control the camera remotely.
  • You can turn on motion detection so it follows around what’s moving.  Coupled with the previous item, this makes it an ideal doggy cam.  This feature allows you to have emails sent to you directly when motion is detected and you can do really slick stuff like this too.  If only I could get it to recognize gestures, like a small sausage-like dog lifting up his rear left leg… I know I read an article a few years back about a guy that did something similar for his cat.  The cat would drag in dead animals, which was a real pisser since he was often out on business for a few days at a time. So he wired the webcam to the cat door and if it detected an anomaly (i.e. a cat-shaped critter with a really wide thing in its mouth), it would lock the door.
  • You can record sessions – disk space is your only real limitation. This makes it great for surveillance in business or home scenarios.
  • It’s wireless so you can place it in strategic places without “those wires” which drive wives and anal-retentive geeks nuts.
  • There’s a very easy to use, web based administrative console. 
  • Everything is URL addressable
  • Features such as Panning and Tilting are available right out of the box.
  • All of the functionality can be used w/out any programming

The downsides are few and in all fairness, I’ve only really had it a day or so and I haven’t dug in deep enough to be sure all of these are in fact, valid:

  • The instruction manual is really thin. There’s a quick start and that’s pretty much it.  There is comprehensive online documentation however
  • You may have to reset the camera once or twice before it can be seen by the software.  I had to reset it twice before it was recognized.  All in all though, this only took about a minute to accomplish
  • There is very little guidance along the lines of security.
  • I don’t know if there’s an exposed API. The control panel is pretty decent and does everything I need it to but it’d be nice to be able to write custom software to take advantage of it.  My guess is that there is one and I’ve just missed it.  The viewer is an ActiveX control but I’m going to try sniffing the wire and see if I can recognize any of the traffic.  If you run it securely this won’t work but it may give me a starting point of where to look.
  • It appears you have to have it plugged in (i.e. no battery). Coupled with the size, it makes it kinda obvious that it’s there. This is a bug or a feature depending on what you’re using it for.

[tags] Cisco, Video Surveillance, Cisco WVC210, Internet Video Camera, DynDNS, BlueTooth, X10, Home Automation [/tags]

Categories: Home Automation, Privacy, Security, Snoopery, Spyware, Technology, William Ryan
Posted By: Cuckoo
Last Edit: 13 Jan 2010 @ 02 35 PM

 14 Dec 2009 @ 1:53 PM 

My main purpose with my previous post was merely to inform you about the realities of email privacy.  It’s practically an oxymoron.  Most of us don’t talk about stuff so sensitive that we need to worry much about it.  However if you search through your email for financial information, or other private stuff along those lines, I bet you’ll find it.  The longer you have an account, the more likely you are to have such information stored in it.  Keep in mind that if you had an adversary that didn’t like you and they could get access to your primary email account, they’d have, in all likelihood, mounds of information they could use against you, all stored in one nice semi-organized place.  It’d even be in digital form so they could search it easily.  They wouldn’t directly be able to do a lot with it without getting in trouble, but just knowing secrets and details about your life could cause you more misery than you’d ever imagined.  The best solution is to not have any enemies.  But even then, there are hackers and all sorts of other miscreants out there who just like making trouble.  Instead of working on their own marriages and lives, they put all their energy into destroying others, destroy destroy destroy destroy I say.

Encrypting is a pain and it’s not always necessary.  Even if you are willing to encrypt everything, chances are most of your recipients won’t, so that’s a dead end right out of the gate. At least at this point in time.  The main thing though is to be aware of the risks.  It’s one thing to keep every email and never encrypt anything b/c you don’t have anything of concern in your emails.  It’s another to think you have safety and privacy.  The last thing I want to do is scare anyone – we have way too much irrational fear about ‘hackers’ as it is.  Hollywood makes it look like every 15 year old with a laptop can hack into banks and missile installations in 10 seconds.  That’s not the case.  But technology isn’t usually the point of failure.  Look at the Palin hack.   The technology didn’t enable it to happen, bad security policies on Yahoo’s end did.   So if you do your part, you can rest assured that you’ll probably never encounter a data breach.  If you do, it’ll be a fluke, like getting hit by lightning.  As computers get more powerful and the internet gets more prevalent, you can rest assured the government is going to do all it can to get access to anything you have stored digitally – if they need it.  And if they can access it, there will be loopholes and failures so other not so good guys will be able to as well.  A little bit of knowledge goes a long way here and not believing in myths gets you pretty much 99% of where you want to be.  So hopefully this post helped do that for a few folks.

Until the db.singles.org incident, I used strong passwords, changed them every few months and didn’t think much about it.  After that incident, I changed my thinking a lot.  I started segregating accounts so that if someone breached one, they would only be able to get a limited set of data.  I started archiving my data too.  I’d pull out the older stuff, encrypt it and store it on a password protected drive.  By segregating things and archiving, that limits the damage that could happen if my accounts got hacked.  That’s not to say that someone still couldn’t cause me a lot of problems by getting full access to one of my accounts. They could. But it’s a lot less than what it was before I saw the light.  I never posted the full details of the fallout from db.singles.org but I know of a few people that really suffered badly from it. They never thought for a second their information wasn’t safe.  And they never thought (at least I don’t think they did) that a breach in the db.singles.org account would have led to breaches in PayPal, Facebook, Gmail, Yahoo and everything else. I’m sure they also had an expectation that a service they paid for would guard their information. It was repeated screw ups that allowed things to happen as they did.  Think about it though, when someone can write a script on the fly, to pull down all that information for every account, in under a few minutes, something is seriously wrong.  What’s worse, db.singles.org didn’t do squat afterward.  They didn’t even let the people know what happened.  It was shameful, particularly for a site that fancies itself Christian in nature.  But that stuff happens.  They aren’t the only people who’ve handled stuff like this poorly. They aren’t the only ones who tried to brush it under the rug. They aren’t the only ones who tried to dodge responsibility.  The Data Loss Database is a frightening testimony to how widespread data breaches are.  Don’t take my word for it, look for yourself. 
Read through a few and see how common this is. Look at how frequently it’s not a technology failure but rather a human that is the point of failure.  I bet if you go through it and compare it to how frequently you hear about breaches, you’ll see a big mismatch.  And look at how frequently it’s the GOVERNMENT that has the breaches.  That’s the same government that has all sorts of sensitive information of yours. And it’s not just our government or US corporations, it’s widespread.

The fact that you can do some very simple things to add a huge layer of security to your data is very reassuring.   I’d offer  a few of my own.

If someone ever gets access to your email account, they have enough information to make your life hell.  This isn’t an opinion, it’s a fact.  This is why plaintext email is so dangerous.  If it contains anything sensitive, you don’t want it stored in plaintext indefinitely. I know, it’s a huge convenience.  I know, email services don’t provide encryption with a few exceptions.  I know, much of the sensitive information in your email account will be attached to stuff sent to you – not the other way around.  I highly encourage you to read the whole db.singles.org drama (I covered it in depth, but you can Bing Operation Jesus for more information).  If you can’t keep sensitive information out of your email archives for practical reasons, use a password for your email that you don’t use for any other account.  Use fake answers that you specifically distort for your password reset challenge questions (Sarah Palin can tell you why).  Use big long strong passwords and change them regularly. Never write them down and don’t give them to anyone.  Three people can keep a secret if two of the people are dead.  You may trust your spouse, mother, father etc to never do anything malicious to you, but that doesn’t mean they’ll never do something careless that could put you in really hot water.  Don’t give out your password, ever. If you have to for some reason, change it immediately.

The fewer people that know a secret, the less likely it is to get out.  There’s no reason for anyone else to know your personal account passwords, ever.  If you need shared access, then like I said, create a shared account that is limited to only information both people need.  Accidents happen and even the best intentioned people might mess up and breach the password.  That’s the thing, no one ever intends to give away  a password yet it happens. No one ever means to compromise security, but it happens.  No one needs to know your passwords. If they do, create a new account you both have access to and only use it to forward those emails/documents that you both need. 

Please don’t fall for the “We’re a couple, we share everything” thing as a reason to share passwords.  That’s beyond silly.  No couple shares everything.  I’ve heard people argue this before but it’s simply not true. Do they share a toothbrush?  Do they share undergarments? Do they share all of their clothes? Do they share a purse?   Do they share a jockstrap? Do they share shoes? (Ok, for a same sex couple sharing might be a little more feasible, but even there, no one shares everything).  Would you share cancer medication if only one person had cancer? Of course not.  So get past the whole “We share everything”.  It was cute back in high school, but in real life, it doesn’t fly.  By the time you’re married, you should already know if you can trust your spouse or not. If you don’t know, then passwords are the least of your problem.  

I keep all of my passwords in Password Safe. I have a big long password for it that I only use for it.  Kim knows it.  So if she needed to get into one of my accounts for some reason, she could.  Password Safe is a great utility and is very helpful if you want to stop reusing passwords and want to use strong passwords wherever possible (again, not everything needs to be locked down – but if you’re going to give something a pass, make sure there’s NOTHING that can be problematic).  From a ‘sharing everything’ POV, I do think that I should be willing to share everything with my wife if need be.  So if she needed my password and I wouldn’t give it to her, that’s a problem. But the # of times someone needs access to your email is so rare, this isn’t really an issue – I’m actually shocked I hear people bring it up so much b/c it’s about as much of a non-issue as I can think of.
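The advice above (one password per account, made-up reset answers, a password manager so you can actually keep that up) turned into code, as an added example and not the blog’s or Password Safe’s code. It draws passwords and challenge answers from the operating system’s CSPRNG and audits a vault export for reuse, reporting the blast radius of a single breached site, which is exactly what the db.singles.org story describes. The (site, username, password) format, the word list and the sample vault are constructed for illustration; the sites in the sample echo the story only as an example and are not real credentials.

```python
"""Password hygiene: unique high-entropy passwords, made-up reset answers, and a
reuse audit over a vault export.

Added example; not the blog's code or Password Safe's.  The (site, username,
password) vault format, WORDS and SAMPLE_VAULT are constructed for illustration.
"""
import hashlib
import math
import secrets
import string
from collections import defaultdict

# 75 symbols: letters, digits and punctuation that survives copy/paste and shells.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# Tiny constructed word list for nonsense challenge answers; a real one would be
# a few thousand words (e.g. a diceware list).
WORDS = ("copper", "lantern", "velvet", "sausage", "granite", "meadow", "anchor", "ribbon")


def generate_password(length=20, alphabet=ALPHABET):
    """Draw from the OS CSPRNG via `secrets`; never `random`, which is not
    designed for secrets and is reproducible from its seed."""
    if length < 12:
        raise ValueError("12 characters is the floor for a 'big long strong' password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing resistance of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def generate_challenge_answer(words=3, wordlist=WORDS):
    """Random answer for reset questions.  The true answer ('mother's maiden
    name', 'where did you meet your spouse') is public record, which is how the
    Palin account fell; a random one is known only to whoever holds the vault."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def fingerprint(password):
    """Short stable identifier so reuse reports never print the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reused_passwords(vault):
    """vault: iterable of (site, username, password).
    Returns {fingerprint: [sites]} for each password guarding more than one site."""
    sites_by_fp = defaultdict(list)
    for site, _user, password in vault:
        sites_by_fp[fingerprint(password)].append(site)
    return {fp: sites for fp, sites in sites_by_fp.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Sites an attacker reaches by replaying the password leaked from
    `breached_site`.  An empty set is what account segregation buys you."""
    leaked = {password for site, _user, password in vault if site == breached_site}
    return {site for site, _user, password in vault
            if password in leaked and site != breached_site}


# Constructed sample: one password reused across the email account and three
# services, one properly unique password.  Not real credentials.
SAMPLE_VAULT = [
    ("db.singles.org", "bob", "Tr0ub4dor&3"),
    ("paypal.com", "bob", "Tr0ub4dor&3"),
    ("gmail.com", "bob", "Tr0ub4dor&3"),
    ("facebook.com", "bob", "Tr0ub4dor&3"),
    ("bank.example", "bob", "q9#Wm2!kLp7$Rz4&Vn8-"),
]


if __name__ == "__main__":
    print("new password:", generate_password(), f"(~{entropy_bits(20):.0f} bits)")
    print("reset answer:", generate_challenge_answer())
    for fp, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    print("if db.singles.org leaks, also lost:",
          sorted(blast_radius(SAMPLE_VAULT, "db.singles.org")))
```

The audit is the useful part: run it over an export from whatever manager you use and every password whose fingerprint shows up more than once is a site whose breach becomes a breach of your email, and through password resets, of everything else.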

[tags]Password Safe, Email Security, Online Privacy[/tags]

Categories: News, Privacy, Security
Posted By: Cuckoo
Last Edit: 14 Dec 2009 @ 03 16 PM

 14 Dec 2009 @ 1:14 PM 

It amazes me that there are people who use email regularly but still don’t understand this.  If I send you an email, say from my work account to your work account and I have ‘private’, ‘sensitive’ or whatever information in it, I’m a complete moron if I want to demand it stay private. If anything, complete moron isn’t strong enough of a phrase.

Because I want to stay out of the fray, I’ll leave the parties out of it (if you follow tech news at all, you’ll know who the parties are).  A blogger posted some footage of a media person on his blog.  The purpose of his post was specifically to rebut some accusations that the media person made about him.  Stated another way, had the media person not made some nasty accusations about this person, he wouldn’t have felt the need to defend himself and his response would never have happened.  Anyway, his post along with the video made the media person look like a complete and utter liar/phony/jackass/fool.  Not surprisingly, the media crybaby got butthurt and threw out the war cry of the impotent “You’ll be hearing from my attorney!” via email.  In the bottom of the email he had the standard boilerplate idiocy commonly known as an Email Disclaimer.  It said the typical stuff, you can’t use this without my permission, if you’re the unintended recipient you’re not allowed to look at it, blah blah blah.  My friend and super lawyer Chris insists that this is necessary to establish the communication as valid if you want to assert attorney/client privilege.  But even a diehard like him is acknowledging that this is a pretty weak claim. He’s been reduced to acknowledging that it at least lets him make the case which is better than nothing. Fine, but most of these pieces of stupidity don’t come from attorneys emailing their clients.  In this case, neither party was an attorney.  The text did say that the receiver wasn’t allowed to publish the contents without the author’s permission.  The blogger however, had a firm statement that he’d publish any email that was sent to him regarding the blog if he felt like it. And he made clear that any threats, legal or otherwise, would absolutely positively be published.

So he published it.  Now, the media person who already looked like a complete jackass looked like a much bigger jackass.  He got even more butthurt and threatened to call his attorney even more, or faster, or maybe a better attorney –hell I don’t know but he made an even bigger “You’ll be hearing from my attorney” threat.

The blogger laughed and published that email too.  That infuriated said douchebag even more.  He started ranting and raving that the blogger was invading his privacy. By posting his private email, he broke the law and subjected him (media douchebag) to all sorts of harassment.  As is ALWAYS the case with crybabies of this sort, the “my life is in danger” claim was made.

I’m not a lawyer and I don’t play one on TV. But I’ve been down this road before.  For I too maintain a “If you send me an email and I don’t like it, I’m posting it on my blog and anywhere else I damn well feel like posting it” policy. I’ve been threatened a few times about emails I’ve published; in all but one case the people (or a friend of theirs) came back, apologized and begged me to take it down – which I did. 

Here’s a few pertinent points – keep in mind that many aspects of internet law are still in their infancy. Others, like email, are fairly well established.  The points I make are ones I’ve made many times before and will continue to in the future, just b/c hearing ignorant statements is so frustrating.  I’ve provided several links for substantiation and further reading but I didn’t include all the legal research behind it (pretty much everything below is information I’ve obtained from legal counsel over the years.  Well, everything that discusses law) If you would like substantiation or want to argue the finer points here, feel free to email me and I’ll be glad to discuss it further.  I’m not the only person to feel this is a noteworthy issue and countless people have written on it. Many think this is a legal gray area. Hardly.  I encourage you to read an account that’s completely independent of my own – you’ll find the similarities are so strong they are virtually identical accounts:

  1. Something doesn’t carry legal weight just b/c you say so. You can say “it’s an invasion of privacy” all year long, it doesn’t make it so.
  2. Unless you’ve spoken with an attorney FAMILIAR with the matter at hand, you’re very likely to be wrong about any given legal claim you make.
  3. Even if an attorney familiar with that area of law and the particulars of the case says you’re right, that doesn’t make it so either. If it did, judges wouldn’t have much to do.
  4. The “Right to Privacy” isn’t something in the Constitution like Freedom of the Press.  It’s a creation from interpretation (which is still every bit as valid as anything else). Nonetheless, a Right to Privacy doesn’t mean what most people think it means.
  5. A big part of invasion of privacy cases revolve around a reasonable expectation of privacy. You’re free to claim you had a high expectation of privacy when you sent out an email all you want, there’s no there there.  If the recipient agreed beforehand that he/she would keep the contents private, you have a much stronger case.  But simply demanding that they do so means just about nothing. If it did, I could demand that by receiving my email, you owe me $10,000,000,000.00  You’d laugh in my face if I made such a demand, but that demand is no more ridiculous from a legal perspective than anything else we’ve discussed so far is.
  6. Encrypting an email is another action that can raise the expectation of privacy (b/c you’re taking steps to ensure that only you and the recipient are privy to the email.  But even that isn’t as legally compelling as some would have you believe.)
  7. Plaintext emails are fair game.  That’s because from the time you send it to the time I get it, neither of us could know how many people could see it.  We could do an after the fact analysis and narrow down that number, but that still wouldn’t let you know with much precision.  If 20 different people have access to the contents of the email, any expectation of privacy goes out of the window.
  8. Pleading ignorance doesn’t change the law or culpability.
  9. Emails from public email hosts (AOL, Hotmail, Gmail etc) carry a little more weight than corporate ones, but they are still pretty much fair game if you send an email from one. Think about this for a second. If you’ve ever used Gmail, when you read a message, tailored ads appear around it. That’s what supports the ‘free’ service. A computer is doing all the analysis and suggesting but in a fraction of a second, your email is scanned, analyzed and targeted ads are posted.  That proves how easy it is to scan messages.  But do you really think all that information just goes bye bye?  I’m not making any paranoid accusations here, you give up a little privacy in exchange for the service and Google has a vested interest in keeping things secure.  But anything that easy to scan will not just sit idle.
  10. Sending email from or to a corporate email account completely wipes out any privacy claims you might have.  The courts have repeatedly held that companies have every right in the world to monitor employee email.  Most companies do have some form or another of email monitoring.  Among those that don’t most have the capability of monitoring it if they needed to.  Additionally, almost all companies of any size backup their mail servers so your private emails are probably sitting around on countless backup tapes where all sorts of people can see them.
  11. If you send anything private from your corporate email account, or to someone else’s corporate email account, it’s almost a certainty that someone in the IT department at either company has either read it, or at least could read it if they wanted to.
  12. If you doubt anything I’ve said in the past few items, ask your company or agency HR Director to see the Acceptable Use Policy for Internet and/or Electronic correspondence.  Virtually every company of any size has an acceptable use policy (and every government agency does) which discusses what you are and aren’t allowed to do with your email account.  Most strictly prohibit personal correspondence being transmitted through their email servers. Most also have a de minimis provision of some sort.  These basically say that while sending personal stuff is a violation, if you do it once in a blue moon, it’s ok as long as it complies with other aspects of the policy.
  13.  Principals are responsible for the actions of their agents.  This is one of the primary legal tenets that allow companies and govt agencies to monitor email and internet use.  Since a company is responsible for anything sent out by its employees, it has a vested interest in being able to know everything that’s sent out.
  14. If you send email from a corporate/govt agency email account, you are necessarily representing yourself as an agent. (I can’t find the link for this at the moment.)
  15.  S*** happens.  All the time.  I could fill terabytes of examples of this.  Some is malicious, some isn’t.  Some of the worst ones are just accidents.  When you have humans in the equation, you have mistakes.  So even if you do everything by the book, a simple mistake could lead to data loss of your emails.

These are all relevant to the case at hand b/c they all come into play in one form or another.  One of the biggest points though is that the media douchebag in question sent out his threats to the blogger from his work account.   While the media clip in question was made while he was in the employ of the company whose email he was using, the company wasn’t the one complaining.  Again, he had made several derogatory comments about the blogger and had made several accusations against him. In those allegations, he claimed the blogger was being dishonest and was making libelous accusations.  The old “truth is an absolute defense” thing came into play, and the blogger decided to answer the ridiculous accusations by proving they were false.

When the media guy sent out the email, he brainlessly included what looked like an autosig at the bottom (right above the big scary legal disclaimer) of the email that included several pieces of personal information. He also included a vCard that had several pieces of very personal info about the guy’s family. The blogger mentioned that he had all of this but didn’t publish any of it – the only thing he published was the contents of the email – verbatim (which included the email headers.)  His stated reason was that he didn’t want to be accused of distorting the context or printing anything false.  The media guy said this was a bogus claim, for he could have redacted all of the identifying information and still kept the integrity of the message intact – hence, he asserted the blogger published all of it to be malicious. This claim fell flat b/c of other elements of the case.

The blogger also mentioned that in the past, he received emails from the media guy from the media guy’s personal email accounts.  In each case when he received a demand or threat, it typically came from the corporate email.  He intimated that he believed the media guy did this on purpose, to remind him of who he was dealing with and to give off the impression that his employer stood behind him on this. To that end, the blogger had recourse against the media guy’s employer.  There’s a lot to that issue that really has nothing to do with email (it concerns itself with nuances of Principal/Agent relationships) so I’ve left it out of this discussion.

In the end, keep this in mind:

  • In general, email is about the least private way you can communicate. If it’s private or personal, email isn’t the venue you want to send it through.
  • Take the advice “Don’t send anything in an email message that you wouldn’t be comfortable showing up on the front page of a newspaper” and beat it into your head – THERE’S NO SUCH THING AS A PRIVATE EMAIL. Encryption can keep it private for a period of time, but if anyone else can decrypt it, you can’t count on it staying private.  Want to know why this adage is so important?
  • Backup and storage are very cheap.  Years ago, many companies would save money by getting rid of logs/records/emails older than X years, the opposite is the case now.  Moreover, if you work at a publicly traded company, a private company that contracts with/for the government, or a government agency, there are probably laws requiring that all of those records are kept for a long time.  That varies depending on the nature of the entity, but items like Section 802 of Sarbanes-Oxley have pretty strict requirements for email retention.
  • Email disclaimers are pretty much worthless.  Even assuming that one was written perfectly and a sympathetic judge was hearing the case, at best they allow you to seek redress.  They can’t ever stop someone from sharing the information.  Think about the current case of a famous golfer who was having extramarital affairs.  A disclaimer might (and that’s a big ‘might’) have given him recourse to sue anyone who published his emails, but would that do him any good?  Would the amount of money he could recoup from a blogger or one of the women possibly do much for him in comparison to what the revelations have cost him?  There’s no way to sue for your wife and kids back or those endorsements to reappear.  There’s no way to sue for future endorsements that will never materialize.  So even if the disclaimers had teeth, they are a day late and a dollar short.
  • Your email will hit several servers between the time it’s sent from your account and the time it’s received by your recipient.  It’s hard to know with certainty how many, or what servers the message will route through.  Additionally, it’ll be very difficult if not impossible to know who all had access to the message. It’s also impossible to know who all will get access or who all will see the message.  It could be sitting on a ton of different backup tapes at each node along its route.  So even if no one read it today, you’re not off the hook yet, someone could look it up and read it 3 years from now.
  • Companies and govt agencies have every right to monitor communications sent out through their servers.  Many companies do monitor email. Some more than others and some not at all.  But keep in mind, just b/c your company doesn’t monitor your emails today, there’s nothing stopping them from doing it tomorrow.  Additionally, companies and agencies vary greatly in how much they publicize their monitoring. Some make it well known in hopes of a deterrent. Others do it quietly in hopes of catching the bad guys.  And like everything else, there’s no rule saying they can’t change how much they publicize it.
  • Even if a company has a de minimis provision, remember that anything you write on their computers and send through their servers is theirs.  Just b/c the subject matter is your family or your personal info, unless you have it written otherwise, you can rest assured they have legal claim to it.
  • vCards might seem like a good idea, but I’d be hard pressed to think of any situation in which highly personal information such as birth dates, SSNs, family members’ names or anything else should be included.
  • If you put personal information in your autosig, remember that many people you didn’t intend to read it will have access to that information.   If you’re a high profile celebrity, business titan or what have you and you maintain public and private contact points, think long and hard before you include this stuff in an autosig.
  • Remember that the correct metaphor for unencrypted email is a Post Card. If anything, the post card metaphor is inadequate b/c email is much more public than a post card.
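The “several servers” point above can be checked after the fact: every relay that handles a message prepends a Received: header, so the headers record at least the hops that chose to identify themselves. The following is an added example, not code from the original post; the message it parses is constructed, and every hostname and address in it is a placeholder. Keep in mind that Received: lines are unauthenticated text written by whoever handled the message, so the list is evidence of who touched it, not proof that nobody else did.

```python
"""List the mail hops recorded in a message's Received: headers.

Added example, not from the original post. SAMPLE_MESSAGE is constructed:
the hostnames, IPs and queue ids are made up and belong to no real system.
"""
import email
import re

# Constructed sample: headers only, sender's machine -> ISP relay -> recipient
# MX -> recipient mail store. Each relay prepends its own Received: line, so
# the header nearest the top is the most recent hop.
SAMPLE_MESSAGE = """\
Received: from mx-in.example-corp.test (mx-in.example-corp.test [203.0.113.10])
\tby mailstore.example-corp.test with ESMTP id abc123;
\tMon, 07 Dec 2009 10:15:32 -0500
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
\tby mx-in.example-corp.test with ESMTP id def456;
\tMon, 07 Dec 2009 10:15:30 -0500
Received: from sender-pc.example.test ([192.0.2.25])
\tby relay.example-isp.test with ESMTPA id ghi789;
\tMon, 07 Dec 2009 10:15:28 -0500
From: alice@example.test
To: bob@example-corp.test
Subject: constructed sample

body text
"""

# "from <host> ... by <host>" is the conventional shape of a Received: clause.
_HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)


def list_hops(raw_message):
    """Return (from_host, by_host) pairs in transit order, oldest hop first."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received", [])
    hops = []
    # Reverse because the last header in the list is the first hop taken.
    for header in reversed(received):
        m = _HOP_RE.search(header)
        if m:
            hops.append((m.group("src"), m.group("dst")))
    return hops


def systems_that_handled(raw_message):
    """Every distinct system named in the hop chain, sorted."""
    names = set()
    for src, dst in list_hops(raw_message):
        names.update((src, dst))
    return sorted(names)


if __name__ == "__main__":
    for src, dst in list_hops(SAMPLE_MESSAGE):
        print(f"{src} -> {dst}")
    print("systems with a copy at some point:", systems_that_handled(SAMPLE_MESSAGE))
```

Run against a real message exported as raw text, the output is the minimum set of systems that had the plaintext in hand; mail stores, backups and anything that did not add a header are invisible to this check, which is exactly the post’s point.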

——————————————————————————————

[tags]db.singles.org, Operation Jesus, Email Security, Privacy, online privacy, password safe[/tags]

Categories: News, Privacy, Security
Posted By: Cuckoo
Last Edit: 14 Dec 2009 @ 03 14 PM
 07 Dec 2009 @ 1:09 PM 

Any attempt to shed light on law enforcement’s invasion of privacy is met with all sorts of ridiculous claims.  “Allows criminals to escape blah blah blah” , “puts law enforcement officers in danger blah blah blah”.  And of course, people think they can write you any sort of obnoxious email, but publishing that email is the cause of all sorts of butthurt.  Yep, Yahoo nailed it alright, if it wasn’t for Cryptome publishing that document, criminals would have nooooo idea whatsoever about Yahoo’s services.  I guess I’ve just become desensitized to some point – b/c I can’t imagine how anyone can make such stupid statements publicly (although I’ve heard a lot st00pider).

This is going to backfire.  My guess is that by Thursday, this document will be on all sorts of servers all over the world – well out of reach of the US legal system.

[tags]Yahoo Spying Price List, Cryptome, Privacy[/tags]

Categories: Politics, Privacy, Security
Posted By: Bill
Last Edit: 07 Dec 2009 @ 01 09 PM
 07 Dec 2009 @ 11:20 AM 

Eric Schmidt is a monumental jackass.  His argument is basically that if you don’t want Google indexing something, you shouldn’t be doing it.  This just goes to show you that sophistry is alive and well today.  This is a variation of the “If you’re not doing anything wrong, you don’t have anything to worry about argument.”

If something is already public, I think you have no right to complain if someone publishes it.  That’s not just my opinion, that’s the opinion of the courts and prevailing legal scholars.  What’s made public however, is something you should have some degree of control over.

A typical scenario is something like this.  Information is put out (on the internet typically) and sits there for years.  The person has no problem with it.  If they did have a problem with it, they’ve done nothing to have it removed.  Then someone they don’t like finds it and publishes it. At that point, they scream invasion of privacy.

I can think of one case where someone was accused of posting private information about someone.  The charge was rather serious and the ‘victim’ was making a lot of noise about it.  In response, the author posted the source of each of the links and the dates of their publication.  I can only infer intent here, but I’m guessing the reason dates were posted was to show that this information had been sitting around for ages.  In response, the ‘victim’ started claiming the person had further violated privacy b/c never before had the information been compiled in one place. It was about as silly an argument as someone could make – clearly the search engine had ‘compiled’ the information already and had put it all together in one place.  To say that taking the top 4 Google hits of something and posting links to them on one page, in response to an invasion of privacy charge, is invading privacy is bordering on insanity. (The parties involved are a news reporter and a former Florida politician – I’ll leave it to you to figure out who they are.) But this is America and people are free to be insane. Fortunately, both sides are allowed to present their cases and the politician in question’s claims went down in flames.

Few things are more intellectually dishonest than criticizing someone for wanting privacy.  That is, provided you want privacy across the board. If you do nothing to protect your privacy and only complain when someone you don’t like finds publicly available information, that’s a whole different issue.

It wasn’t long ago that Mr. Schmidt behaved in the same manner as the crybaby Florida politician I mentioned (not surprising – crybabies and bullies are the same wherever you find them).

generous explanation for Schmidt’s statement is that he’s revolutionized his thinking since 2005, when he blacklisted CNET for publishing info about him gleaned from Google searches, including salary, neighborhood, hobbies and political donations. In that case, the married CEO must not mind all the coverage of his various reputed girlfriends; it’s odd he doesn’t clarify what’s going on with the widely-rumored extramarital dalliances, though.


Schmidt’s newfound animosity toward privacy is mighty convenient – after all, his company is in the anti-privacy business.

My prediction is this…. people will find his statements offensive in the extreme.  They’ll hold him to his own standards and in the next few years, all sorts of personal info on Schmidt and his family will appear on the internet.  He’ll somehow draw some ridiculous distinction and say it’s not ok when done to him, but ok for everyone else.  That’s how phonies, bullies and hypocrites always act.  As he trots out his silly arguments, these words will come back to haunt him – as they should. What’s good for the goose, is good for the gander.

This brings up an amazing paradox that I’ve found in life.  The people that are most likely to invade someone else’s privacy are the ones that whine the loudest when anything negative about them is made public – irrespective of whether or not their privacy was actually invaded.

Law Enforcement is the loudest voice against privacy.  “If you aren’t doing anything wrong, you have nothing to worry about.’” But when private citizens try to record police officers, the response is frightening.  Hey, if they aren’t doing anything wrong, what’s the problem?

Bill after bill coming out of Congress has serious privacy violations in it.  Congress always justifies these as necessary and trots out the same canard Law Enforcement does.  But they fight tooth and nail any attempt to hold them to the same standards.  It’s always ‘different’ b/c of their job, profile or whatever. 

Many companies wantonly violate customers’ privacy.  Yet when things are released by a whistleblower, or a customer publishes official correspondence they were sent to prove a claim they made – the bellyaching starts.  And of course, somehow it’s ‘different’.

What you end up with is one side (bullies) demanding unilateral disarmament from the opposite side. It’s pathetic and transparent. Thank God more people are standing up against them.

[tags]Eric Schmidt, Video taping Police, Video Taping public officials, Privacy  [/tags]

Categories: Privacy, Security
Posted By: Bill
Last Edit: 07 Dec 2009 @ 11 20 AM
 03 Dec 2009 @ 3:28 PM 

Bruce Schneier covers a Wired story detailing Sprint’s alleged complicity in something that should make your skin crawl.  It’s nothing new; Luna has been warning of this stuff since the first draft of How To Be Invisible and several times thereafter.  It may seem that I’m being a tad hypocritical when I say this is a bad thing, after all I find cell phone based snoopware not only cool, but very useful for many folks. Cell phone snoopware is extremely powerful, effective and easily available (and yes, in some cases, legally questionable) so to some extent, it’s silly getting all upset about stuff like this. On the other hand, I don’t have to worry about civilians abusing their power to try to settle a score with me or make my life miserable.  Without breaking the law, there’s nothing a civilian could do with this sort of stuff to really hurt me [and for the record, I'm using 'me' in the abstract sense here].  Depending on how you spend your free time, someone could ostensibly cause you some embarrassment, but there’s plenty of remedies for that sort of thing.

Employees of the various government agencies however, could cause all sorts of problems for people.  For me to effectively make use of snoopware, I’d need to access the phone in most cases, and owners would be fully within their power to check for and remove any such snoopware added to their phones.  The same isn’t the case in situations such as the one alleged with Sprint.  If someone bugged my phone and I caught it, I’m entitled to pursue several different legal remedies depending on the circumstances.  If the Sprint story is accurate, the targets weren’t aware of being tracked, couldn’t do anything to detect it and couldn’t do anything to prevent or stop it.

The response from law enforcement types of course is that this is all paranoid nonsense.  If you don’t have anything to hide, you don’t have anything to worry about, they’ll typically argue.  And if they never abused their positions and were perfectly honest, that’d be a plausible defense.  Personally, I think most govt agents are decent enough folks and not prone to abusing their positions, but there’s no disputing there are bad apples.  And just one of those bad apples could cause you a bunch of problems.  Whatever you think of the guy otherwise, look at the example of Joe the Plumber. He got on the bad side of some people with access to his personal information and look what happened.  Had those same people been employees of a private corporation, he’d be sitting on quite a lucrative lawsuit. (And yes, I know Judicial Watch either offered to or actually filed a suit on his behalf – but had it been a private company, he wouldn’t need a high powered advocacy firm to help him out.)

Quoting Chris Soghoian: I can’t imagine how this situation will get addressed without government action and, well, it’s probably wise to take the under on that one:

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers. The evidence documenting this surveillance program comes in the form of an audio recording of Sprint’s Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

One thing is for sure, if a private citizen was caught pulling this exact same thing on members of law enforcement or Congress, Congress’ attitude would be just a weee bit less apathetic about responding. 

The other argument I typically hear is a reference to Evan Ratliff.  If you’re unfamiliar with him, here’s the rest of the story in a nutshell. He’s a free-lance writer and blogger.  He took a gig for Wired magazine that entailed disappearing for a month.  He was to try to hide out and anyone that found him would simply need to say the magic word, and they’d be privy to a $5,000.00 prize. Ratliff gave it a great go, but before long he was caught.

Following the story, there’s little doubt that people used inside connections in an attempt to follow him.  The extent of that is hard to know for sure, but there’s little doubt that people used friends and contacts at various companies to locate him. Those friends almost certainly did things that, well, were out of the bounds of the companies’ rules.  Does anyone really think that you magically become some ethical angel just b/c you work for the government?  Private sector folks bend the rules so you can rest assured govt folks do it too.

Law Enforcement claims this sort of stuff is necessary.  Law and Order types will claim it’s necessary to fight terrorism and similar bad guys.  Seems to me then, that the solution would be kind of simple.  An evidence rule that gave people immunity from anything not specifically relevant to the prosecution of terrorism, in the form of throwing out the evidence, would go a long way to mitigate the damage that could be done by rule benders.  Providing EASY to retrieve records for anyone not currently the target of a terrorism investigation would be another.  Creating a ‘paper trail’ of everyone that looked at a person’s information is not hard. Granted, since doing anything with govt software is infinitely more difficult than it needs to be, implementing such tracking wouldn’t be cheap.  But that line of argument is essentially advocating the rewarding of incompetence.  And even considering the additional expense, there’s certainly at least one or two unnecessary govt programs we could cut to pay for it. (Defunding NPR for instance would work for me.)

If this sort of stuff is really needed for a specific case to prevent some huge atrocity, fair enough. But some fed using this stuff to hassle some guy banging his ex-girlfriend should never be allowed to happen.  I don’t see how anyone can say such a scenario is unlikely.  So if it did happen, the victim should be able to know about it and sue the hell (and have the person fired, not put on some BS administrative leave) out of the person.  

Another possible remedy would be to allow cell phone providers to offer “opt out” service. (One might argue that this would be extortion, but I don’t see it any different than paying extra for an unlisted telephone #.) I missed the official memo when all cell phones became tracking beacons, but it’s something that could be done without.  So say, for $10.00 extra a month, T-Mobile (the best cell phone company on Earth) could offer “Secure” service that meant you couldn’t be tracked.  I know all sorts of people, concerned for my safety should I ever find myself stranded in a ditch, would have a fit over such a service, but I’m an adult and I’m willing to live with that risk.  After all, I’ve yet to lose a family member or friend (or even know of someone who has) b/c they weren’t able to be tracked by their cell phone.  But I have come across people who’ve gotten on the bad side of a cop (for matters completely unrelated to the law) and been seriously harassed as a result of it.

We’re not able to stop technology from eroding our privacy and even if we were, we wouldn’t want to.  Moreover, this trend isn’t going anywhere but up.  So the solution seems to be minimizing the incentives for abuses.    To quote Mr Luna – “Governments hide secrets from their citizens, why shouldn’t citizens be able to hide secrets from governments?”

[tags]Digital Privacy, Sprint, Invasion of Privacy, Snooping[/tags]

Categories: Bill Ryan, Complaining, Malware, Mobility, News, Privacy, Spyware, Technology
Posted By: Cuckoo
Last Edit: 03 Dec 2009 @ 03 28 PM
 01 Dec 2009 @ 8:45 AM 

It’s a truism that stalkers never think they are stalkers – never.  They ALWAYS have some justification and it’s ALWAYS the victim’s fault.  One of the nice things about stalkers though is that their zealotry is such that their emotion supersedes their intelligence.  They almost always think they are clever and covering their tracks, but in most cases, they aren’t.

They think they can violate Terms of Use b/c their reason overrides any such terms.  They think they can copy, print and distribute your content in direct violation of stated terms b/c again, it’s justified. They think that just b/c a web site is public, they are entitled to use it however they see fit – again, even when it violates the terms of service. 

Sometimes, you don’t even realize you’re being stalked, or the extent of it.  Then something happens, you realize it’s happening and then you start finding out how extensive it is.  They’ll inevitably plead ignorance once the “it was justified” excuse is dismissed, but ignorance of the law is no excuse.

Thank God for SiteMeter, Google Analytics and web server logs.  You can see everyone that’s come to your site.  You can see how often they come.  You can see what they looked at and how long they spent there.  It’s amazing stuff and the level of detail is really impressive.  Heck, even if you’re not being stalked it’s really interesting to see what people visit on your site and their behavior patterns. I for one am thrilled I installed the extensive tracking infrastructure that I did.  I haven’t looked at it for months, but wow is it interesting.

What’s really interesting is comparing the web server logs to the tracking tools.  Graphs and summaries are one thing, but seeing the individual hits is something completely different.  Seeing the specific IP addresses can be really interesting too – it’s kinda crazy how some people use their employer’s networks for personal access.

I’m playing around with some log parsers right now b/c I’ve really only worked with IIS and similar tools – looking at what all you can do with Apache is just plain cool.  Anyway, stalkers are creeeeeepyyyyy to say the least, but I guess it’s better to know that you’re being stalked than to be blissfully naive.  In this day and age with all the tracking tools available – I’m guessing it’s a pretty sucky time to be a stalker.
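Since the post talks about Apache log parsers and about seeing individual hits rather than summaries, here is an added example of the kind of parser meant (my code, not the author’s, and not any particular tool’s): it reads Apache “combined” format lines, skips crawlers, and reports clients that keep returning to the same pages. The log lines are constructed for the example; the addresses are documentation ranges and the paths and hostnames are made up.

```python
"""Parse Apache combined-format access log lines and flag repeat visitors.

Added example, not code from the original post. SAMPLE_LOG is constructed:
the IP addresses are from documentation ranges and the paths are invented.
"""
import re
from collections import defaultdict

# Apache's "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: one client returns to /about-me/ four times over two
# days, one ordinary visitor, one crawler, and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2009:08:01:10 -0500] "GET /about-me/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.9 - - [01/Dec/2009:08:02:15 -0500] "GET / HTTP/1.1" 200 8042 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.5 - - [01/Dec/2009:09:30:44 -0500] "GET /about-me/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1)"
203.0.113.5 - - [01/Dec/2009:13:12:02 -0500] "GET /about-me/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 5.1)"
192.0.2.77 - - [01/Dec/2009:13:40:00 -0500] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.5 - - [02/Dec/2009:07:58:31 -0500] "GET /about-me/ HTTP/1.1" 304 - "-" "Mozilla/5.0 (Windows NT 5.1)"
203.0.113.5 - - [02/Dec/2009:07:58:33 -0500] "GET /family-photos/ HTTP/1.1" 200 20111 "http://blog.example.test/about-me/" "Mozilla/5.0 (Windows NT 5.1)"
this line is deliberately malformed and must be skipped
"""


def parse_log(text):
    """Return one dict per well-formed line; lines that do not match are dropped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def is_crawler(agent):
    """Crude user-agent check; a self-identifying bot is not a 'visitor'."""
    agent = agent.lower()
    return "bot" in agent or "spider" in agent


def repeat_visitors(entries, min_hits=3):
    """Map ip -> {path: hits} for non-crawler clients with at least min_hits."""
    hits = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if is_crawler(e["agent"]):
            continue
        hits[e["ip"]][e["path"]] += 1
    return {ip: dict(paths) for ip, paths in hits.items()
            if sum(paths.values()) >= min_hits}


if __name__ == "__main__":
    for ip, paths in repeat_visitors(parse_log(SAMPLE_LOG)).items():
        print(ip, paths)
```

The user-agent check is deliberately simple; anything that wants to hide can send a browser-like agent string, and a client behind a proxy or NAT shows up as one address for many people, so the output is a starting point for a closer look, not an identification.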

Categories: Privacy, Security, Technology
Posted By: Roubot
Last Edit: 01 Apr 2010 @ 10 45 PM
 24 Nov 2009 @ 4:17 PM 

So Bruce Schneier posted this earlier today:

This paper, by Cormac Herley at Microsoft Research, sounds like me:

Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives [WGR - Emphasis Added]. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.

Sounds like me.

As I was reading this, I thought “Oh crap, I take security very seriously these days but I always blow off certificate errors”.  Then I got the line which I ended up bolding.    I wondered, is it really that high and then started to think about it. In my experience, I don’t ever recall seeing a fake certificate warning other than in a demo about them.  I asked my wife and she couldn’t recall seeing one either. I asked a few of the guys sitting around me – same answer.  Asked a few twitter friends, nothing still.  So yah, using a number like 100% is always a little risky, but I think for the vast majority of the people, (everyone but the select few who’ve been targeted using fake certs), that’s exactly the case.  It makes sense though I guess.

If I created a new operating system called *****, a year from now, there’d be exactly 0 virus attacks against it.  That’s security through obscurity for the most part – no one would really be using it so no one would care to write a virus for it.  So isn’t it the same with certs?  I use them a lot with server to server communication – so machines can identify themselves to each other.  I’ve worked a few places where client certs installed on my machine enabled me to hit wireless but that’s still pretty limited and only happens in a professional setting.  If someone wanted to set up such an attack where I work, at most they could directly affect the # of people that use the network and anything gained from there.  All in all it’d be small. But the effort to even get started would be huge and pulling it off (all the while remaining undetected) would be next to impossible. So lots of cost + limited reward = not too many people trying it. It’s interesting to think about though – until this article, it’s not something that crossed my mind very much.

As you probably can guess, I’m a huge fan of Bruce Schneier (it was his book Applied Cryptography that launched my entire interest in the subject).  If he links to someone, they are interesting.  Cormac Herley doesn’t disappoint.

[tags]Bruce Schneier, Certificates, Computer Security, Cormac Herley [/tags]

Categories: Bots, Privacy, Security, Technology
Posted By: Roubot
Last Edit: 24 Nov 2009 @ 04 17 PM
 24 Nov 2009 @ 11:05 AM 

So I just came across Norbt (which is an acronym for NoRobot).  Basically, you create a Norbt page which allows you to post a link (here’s a sample).  On the link there’s a question. The user answers the question and they get to see what your hidden text is (the answer is the encryption key).

Give it a try!

The answer is RyanOmniscientUbiquitous

I’m not sure how this offers anything password protection doesn’t, but it’s a darn cool idea.  Encrypting stuff is always cooler than just password protecting it.  I think I have a couple of ideas that this would be cool for, especially for communicating with dissidents who aren’t allowed to talk to you (think Yoani Sánchez).
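To make the “the answer is the encryption key” idea concrete, here is an added example of how such a scheme can be built from the standard library; it is my illustration, not Norbt’s code, and I do not know what construction Norbt actually uses. The answer is stretched with PBKDF2 into an encryption key and a separate MAC key, the text is encrypted under an HMAC-SHA256 counter keystream, and a wrong answer is rejected by the integrity tag instead of producing garbage. The sample answer is the one from the post above; the hidden text is constructed.

```python
"""Hide text behind a question whose answer derives the key.

Added example, not Norbt's code. Standard library only: PBKDF2-HMAC-SHA256
stretches the answer, an HMAC-SHA256 counter keystream gives confidentiality,
and a separate HMAC tag detects a wrong answer or a tampered blob.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000          # makes each guess at the answer cost real work
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(answer, salt):
    """Stretch the answer into a 32-byte encryption key and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt,
                                   ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """Deterministic byte stream: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(answer, plaintext):
    """Return salt || nonce || ciphertext || tag as one bytes blob."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(answer, salt)
    data = plaintext.encode()
    ct = _xor(data, _keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_with_answer(answer, blob):
    """Return the hidden text, or None if the answer is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(answer, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode()


if __name__ == "__main__":
    blob = seal("RyanOmniscientUbiquitous", "constructed hidden text")
    print(open_with_answer("RyanOmniscientUbiquitous", blob))
    print(open_with_answer("wrong answer", blob))
```

The security of the hidden text is exactly the guessability of the answer: a question whose answer can be looked up, or drawn from a short list, gives an attacker a short search even with the key stretching, and anyone who knows the answer can read the text, so this is a shared secret, not a way to identify the person reading it.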

[tags]Norbt[/tags]

Categories: Bill Ryan, Cool Stuff, News, Privacy, Technology, William G Ryan, William Ryan
Posted By: Bill
Last Edit: 24 Nov 2009 @ 11 05 AM
 23 Nov 2009 @ 10:30 AM 

I just upgraded this version of WordPress to 2.8 like I had been planning to do for a while.  I also added several plugins to the install including Stats – just so I can keep easier track of who’s coming to my site.  Parsing web server logs isn’t all that hard, but it gets old after a while. Then again, knowing EVERY SINGLE visitor to my site is kinda cool.  I mean, you have a pretty good idea of who your readers are and who hits your site, but until you start looking at your logs, you don’t really know EVERYONE.  Once you do, small unexplained things start to make a lot more sense.  You can detect patterns.  You can see how frequently the same visitors come and when they come back to the same pages, you really get to understand their behavior.  The only downside to all of this is that it’s creepy. When you have visitors that come to look at the same pages over and over again, more than the Google and Bing spiders do – you think , someone must really have a crush on me.  Or be some crazy stalker.  Or, well, you know, Or.

So have fun watching me, watching you, watching me. I think I’m going to start a new page (which is like a post but a little more permanent) with my visitor list – you can see who’s coming here – their IP addresses, machine/browser info and domain registration information.  WordPress is definitely da bomb.

Categories: AllDaWayLive, Bill Ryan, Cool Stuff, Keepin it Real, Kick A55, Nonsense, Privacy
Posted By: admin
Last Edit: 23 Nov 2009 @ 10 30 AM

 20 Nov 2009 @ 10:39 PM 

I had an interesting conversation with a friend that made me realize that email privacy isn’t nearly as well understood as I would have thought.  The person was sending emails to a girl he was dating. In the email was a bunch of stuff that I thought he was crazy for including.  He of course asked me why I responded how I did.  And I replied simply – If it’s not something you’d be ok having put on the front page of your local newspaper, you shouldn’t be sending it via email.  He was amazed and asked why.  And I told him that in general, email is analogous to a post card.  The operative notion here is that a Post Card is readable by anyone that touches it.

Well, unless precautions are taken that’s exactly the case with email.  So let’s examine my friend’s situation.  He sent it from a va.gov email address to her corporate email.  So essentially, just about anyone on the I.T. Staff at his company could read the information, anyone on her company’s IT staff could read the stuff, and pretty much every member of every IT staff along the way could read the info (if you want to get all pedantic and point out that all members of the IT staff probably don’t have Admin level access I’ll agree with you.  But it’s impossible to know who has what access so from a privacy perspective, I’d assume the worst case scenario.  At a minimum, there’s at least one person at each place that could read the stuff).

Let’s say that  in the email, my friend was bragging about his sexual prowess and was totally fine with all his coworkers seeing it.   (What I mean is, assume that the sender is fine with all the information being seen by their coworkers – whatever that info may be).  Would that be ok?  Of course not.  B/c the recipient didn’t ask for the email to be sent to her and in it, there’s a ton of private stuff that all of *her* coworkers can see.  If she solicited the email and ok’d the content, then yes, everything would be fine.

But think about this for a second.  You could receive an email from someone completely unsolicited that contained private/embarrassing/confidential etc. information. And unless it was encrypted, all that information was just disclosed to anyone that wanted to look at it.  After explaining this to my friend he said “I’m soooo sure that I.T. people sit around and read people’s emails or whatever”.  Josh – let me absolutely positively assure you that there are a LOT of I.T. people that love reading other people’s emails.  You think that a horny geek with a crush on the Lady Gaga lookalike in accounting would never think of reading what she likes, where she’s going this weekend or what have you?  You really think some screw up on the verge of being fired never reads emails his supervisor sends to HR?  You really think the guy who hasn’t gotten a raise in 5 years would never look at an email message containing an offer letter to some new hotshot they’re hiring?  I’m not saying this happens everywhere – but I am saying it can happen anywhere and it does happen at many places.  Many people don’t even see it as wrong b/c the company has a “Your email is my email” policy.  Email monitoring in fact is part of the job – THAT IS – MANDATORY – at many places.

The answer of course, is simple – if you don’t want everyone and their mother to know about something – don’t send a plaintext email and think long and hard about including it in an email at all. If you do and it’s encrypted, chances are it’ll never be read (unless you’re sleeping with the lady some former KGB agent is in love with).

Wired has a great introduction on how to start encrypting your emails (Yes, encrypting and decrypting is a slight inconvenience.  Trading keys is a slight inconvenience.  Locking your front door is a slight inconvenience too, as is closing your curtains before you walk around nude while making coffee).  Once an email is sent, you can’t recall it (well, there are some services that have Undo functionality but currently most are lame at best).  Many companies (especially publicly traded ones complying with Sarbanes-Oxley) are actually compelled to save all of their emails. Everything.  That includes letters to the boss about manipulating the energy market the whole way to emails discussing which Korean girls you’re going to ****)

I highly encourage you to read the last two links (Enron and Peter Chung).  Just pick a few.  Do you think that the writers ever thought those emails would be read?  Do you really think they realized their emails weren’t private?  Do you really think they would have written about crimes, infidelity and all sorts of other vices if they KNEW how many people could read those emails? Do you really think Chung wanted the entire world to hear him say stuff like “Why do I need 3 bedrooms?  Good question,  the main bedroom is for my queen size bed, where CHUNG is going to f**k every hot chick in Korea over the next 2 years (5 down, 1,000,000,000 left to go) the second bedroom is for my harem of chickies, and the third bedroom is for all of you f****s when you come out to visit my ass in Korea.”

As icing on the cake, Chung decided that he’d include this little tidbit in the bottom of his email – look familiar?

Peter Chung
The Carlyle Group
Suite 1009, CCMM Bldg.
12, Yoido-dong, Youngdeungpo-ku
Seoul 150-010, Korea
Tel: (822) 2004-8412
Fax: (822) 2004-8440
email:
pchung@thecarlylegroup.co.kr

Yep, a signature complete with address, email and phone numbers.  Sure, the Carlyle Group is well known and they don’t hide their offices. But imagine if Chung was a woman who had someone stalking her. What if Chung was a Green Beret or Special Forces who’d been deployed to Afghanistan or Iraq.  Something as silly (and useless) as an autosig could quickly reveal enough information to get him killed (would you want an enemy to know your office address and direct phone line?) Of course a Green Beret or Special Forces member would be way too smart to send unencrypted emails with autosigs, but I’m just trying to illustrate the potential downside here. Can anyone show me an example where an Autosig is really necessary?  Even if you think the person you’re sending the email to needs it – you have no control over who sees it or who it’s forwarded to so it pays to be careful.

I myself learned the hard way about the evils of AutoSignatures when I sent out the warnings in the db.singles.org incident. I was in a hurry to warn people to change their passwords.  I wasn’t trying to ruin the Lulz mind you – I’m all about them, but stuff was getting ugly and money was getting stolen.  So I sent out warnings for the people to change their passwords. Problem was, most of the accounts were already breached. So guess what?  People who don’t much like White Knights, let alone /b/rothers that part-time as White Knights, now had my full contact information.  I was in a hurry and used a work account.  I was warned to back down and shut my mouth or face the consequences and call me a coward if you want – but I wasn’t about to go sticking my p3nis in that hornet’s nest.  (While we’re on the subject, reread the Singles.org post and think long and hard about your own personal use/reuse of passwords – do you really want to put all your online accounts at risk like that?)

No one thinks an email they send is going to be intercepted but the truth is, it’s too easy for it not to happen. If you use email regularly, I can guarantee you that someone has read some of your emails (in all likelihood, you’ve had several of them read).  Not mixing work and business is one way to protect yourself but that’s sometimes easier said than done.  Encryption is one of the easiest ways to get some privacy and offers a big bang for the buck.  PGP and GPG are excellent mechanisms to get up and running with encryption quickly, easily and inexpensively.

You may read all of this and decide – who cares, I never write anything I’d be embarrassed of.  If that’s true, good for you.  Most regular email users however are in a different situation. A little forethought on things like password reuse, encryption and auto-sigs can save you a whole lot of embarrassment and the little bit of effort can save your career and maybe even life depending on what it was.

[tags] PGP, GPG, Email, Email Privacy, Encryption, Cryptography, Internet Privacy, Bill Ryan, William Ryan  [/tags]

Categories: Bill Ryan, Keepin it Real, Kick A55, Privacy, Security, Technology, William G Ryan, William Ryan
Posted By: Roubot
Last Edit: 24 Nov 2009 @ 01 06 AM
