Tag Archives: Anonymity

The USA, Narcissistic Rage, A Sense of Entitlement & Holding Our Rights Hostage

The US is taking a giant shit on all of us, and our rights. And we are letting them. This is a nation that is currently led by extremists who inherited the job from a crazily compromised administration.

I previously wrote in All The Presidents’ Messes:

“In my lifetime the American people have elected Nixon (Vietnam, Laos, Cambodia), Ford (by accident), Carter (Iranian Revolution & Iran Hostage debacle), Reagan (Funded the Taliban / Iran-Contra Affair / Nicaragua / El Salvador / Guatemala), Bush the First (Gulf War I), Clinton (Somalia, Rwanda, Haiti / Israel-Palestine / Ethnic Wars in Europe – Croats, Serbs and Bosnian Muslims / Kosovo & Albania), Bush the Second (Iraq / Afghanistan), Obama (IRANDEAL, global appeasement, the relatively unopposed rise of ISIS, and the disintegration of Syria and Libya and Egypt as a result of US Foreign Policy failures) and now Trump.”

All US policy decisions and their side-effects, one way or the other, cascade down into our European democracies. In the current climate that should worry you.

Privacy Is An Absolute Right

I am interested in Privacy. The abuse of Privacy (1) has far more fundamental negative effects than might seem to be the case at first glance.

I am an advocate for the right of every citizen to a private life, the preservation of civil liberties, and the defence of other hard won rights. Technology or rather its unfettered deployment is the single biggest threat to our personal freedoms and by extension to the proper administration of justice.

And so I write about it. Sometimes the writing is a bit technical but most of the time it’s referencing the technical results of other peoples work to support my arguments (which I always acknowledge – most important that is)

Orwell 4.0

Technology facilitated developments have created new tools for the State, Law Enforcement, and Intelligence Agencies to monitor not just person’s of interest but everyone (2). Software industry greed and software developer naivety is also driving an assault on our personal privacy and security (3).

These phenomena have already resulted in wholesale abuses (4) of habeas corpus, an alteration of the perception of what constitutes a fair trial, have worn down the right to silence of a suspect, made the avoidance of self-incrimination almost impossible, made illegal searches and seizures (5) acceptable, and encroached on the ability of defendants to construct a proper defence.

Recently, Graham Cluley (@gcluley) posted a clarification of a definition on Twitter“It’s always bugged me how people say “Innocent until proven guilty”. It’s “Innocent *unless* proven guilty” folks.” – that is worth thinking about in an age of trial by media and JTC-as-a-Service (JTC – Jumping to Conclusions a.k.a Fake News).

In parallel with this there is an increasing trend of “ordinary” crimes being tried in “extra-ordinary” courts, tribunals, or military courts. The checks and balances that used to notionally counter the power of the state and where the actions of government could be publicly scrutinized has almost ceased to effectively exist.

Surveillance politics, the rise of extremists on the left and the right, religious fanaticism, the re-emergence of censorship and even actual talk of “blasphemy laws” in the parliaments of Western democracies leaves one bewildered. How will we fare when even newer technologies such as VRSN, and AI with even greater capacity to embed themselves in our lives begin to mature from the novel stage into the deployment stage?

What will be the effect of kinematic fingerprinting, emotion detection (6), psychographic profiling (7), and thought extraction (8) on the right to privacy and basic freedoms. These are questions and concerns that get lost in the rush to innovate. Software companies and developers have a responsibility but they do not exercise it very often.

What are the ethics? What are the acceptable limits? What are the unforeseen by-products?

The US Has Claimed “Absolute Privilege”

The US is the bully on the block and its “bitch” friends the UK (9), Canada, New Zealand (10), & Australia (11) just follow its lead or actively facilitate them.

The opacity of US laws (12) and SIGINT collection methods is an abuse of the rights of every defendant that comes in front of their Courts. Increasingly, that is just about anybody that they can lay their hands on, from anywhere (13).

The election of Trump just solidified my view that the world has turned upside down and it seems that taking action to reverse the trend of the normalisation of the abnormal (14) is a Sisyphean task and just seems to encourage the buggers (15).

The US position on most of these matters is ephemeral – not just on data protection (16) – and US national interest, national security, or just plain duplicity (17) governs their agenda.

There is so much abuse of power by the US that it is impossible to keep tabs. These things used to matter (18). These things used to enrage us (19). The US has led a race to the bottom on so many fronts that the rest of the world seems to be suffering from bad news fatigue (20) and has zoned out (21).

It is individuals and NGO’s now that are the gatekeepers of our rights and the ones that hold governments to account and increasingly they are being marginalized.

References

(1) Anonymous Chronic; 21st Nov 2016; NSA, GCHQ, The Five Eyes Handing Ireland Cyber-Security Opportunity; AirGap Anonymity Collective

(2) Anonymous Chronic; 21st Nov 2016; Mass Surveillance & The Oxford Comma Analogy; AirGap Anonymity Collective

(3) Anonymous Chronic; 21st Nov 2016; Software Industry Greed is Driving the Assault on our Privacy & Security; AirGap Anonymity Collective

(4) Kim Zetter; 26th Oct 2017; The Most Controversial Hacking Cases of the Past Decade; Wired

(5) Andy Greenberg; 10th Oct 2014; Judge Rejects Defense That FBI Illegally Hacked Silk Road – On A Technicality; Wired

(6) Anonymous Chronic; 3rd Jan 2017; Orwell 4.0: The Stealth Advance of Kinematic Fingerprinting & Emotion Detection for Mass Manipulation; AirGap Anonymity Collective

(7) Anonymous Chronic; 4th Feb 2017; Is Kosinski “Tesla” to Nix’s “Marconi” for Big Data Psychographic Profiling?;AirGap Anonymity Collective

(8) Ian Johnston; 18th Apr 2017; Device that can literally read your mind invented by scientists; Independent

(9) Anonymous Chronic; 30th Nov 2016; My Privacy Lobotomy or How I Learned to Stop Worrying & Love the IP Act; AirGap Anonymity Collective

(10) Anonymous Chronic; 3rd Nov 2016; Overwatch – The Five Eyes Espionage Alliance; AirGap Anonymity Collective

(11) Anonymous Chronic; 21st Nov 2016; Australia Is A Proxy War for the Five Eyes & Also Hogwarts; AirGap Anonymity Collective

(12) American Civil Liberties Union & Human Rights Watch; 21st Nov 2016; Joint letter to European Commission on EU-US Privacy Shield; Human Right Watch)

(13) Tom O’Connor; 6th Jul 2017; Russia Accuses US of Hunting and Kidnapping Its Citizens After Latest Arrests; Newsweek

(14) Anonymous Chronic; 29th Jan 2017; Take Action To Reverse The Present Trend Of The Normalisation of the Abnormal; AirGap Anonymity Collective

(15) Anonymous Chronic; 2nd Dec 2016; Silencing the Canary & The Key Powers & Reach of The IPA; AirGap Anonymity Collective

(16) Mary Carolan; 10th Mar 2017; Max Schrems claims US data privacy protections ‘ephemeral’; The Irish Times

(17) Shelley Moore Capito – United States Senator for West Virginia; 2nd Jul 2017; Stop Enabling Sex Traffickers Act of 2017; https://www.capito.senate.gov/

(18) Adam Taylor; 23rd Apr 2015; The U.S. keeps killing Americans in drone strikes, mostly by accident; The Washington Post

(19) HRW; 9th Dec 2014; USA and Torture: A History of Hypocrisy; Human Rights Watch

(20) Shannon Sexton; 30th Aug 2016; Five Ways to Avoid ‘Bad-News Fatigue’ and Stay Compassionately Engaged; Kripalu Center for Yoga & Health

(21) Susanne Babbel Ph.D.; 4th Jul 2012; Compassion Fatigue; Psychology Today

Mass Surveillance & The Oxford Comma Analogy

Acknowledgments, Contributions & References: This blog post was written in collaboration with and using contributions from Mr. Dean Webb (find Dean’s profile on PeerLyst). The clever and insightful bits are all Dean, the space fillers and punctuation are mine – except the “Oxford Comma” analogy, which even though it is lifted from @Grammarly on Twitter, is mine – and I like it (a lot). Enjoy.

Who Do We Like, Who Do We Dislike (Today)

Wearable tech is on its way, for surveillance during times when one is away from the vidscreen. But we need this stuff in order to protect against Eurasia. We have always been at war with Eurasia. We will always be at war with Eurasia until 20 January, at noon. Then we will always have been at war with Eastasia. And then we will need all this stuff to protect against Eastasia.

On a more serious note, anonymity has been dead for quite some time. As an example, about 10 years ago Dean Webb was running a web forum for students involved in an academic competition.

He and other teachers had volunteered to be admins for the board. They had a student that began to harass others on the board and post some highly inappropriate material. They banned his account, and he would connect again with another account.

So, Dean took down the IP addresses he’d used for his accounts and did a quick lookup on their ownership. They were at a certain university, so he contacted that university with the information and the times of access and they were able to determine which student was involved.

He was told to stop posting, or face discipline at the university. That got him to stop.

Simple Methods, Complex Implications

The point is, that IP address and timestamp for most people is going to be what gets them in the end. They don’t know what a VPN is from a hole in the ground, let alone what a TOR node is.

At best, most of them will use a browser in anonymous / incognito mode, without realising that cookies are still retained and updated, credit card transactions remain on the record, and ISPs will still retain IP address information with timestamps.

It could be argued that a Layer 2 hijacking of someone else’s line is the way to go anonymously, but that involves a physical alteration of someone’s gear, and that means physical evidence, which is very difficult to erase completely.

Even if anonymity is not completely dead (mostly dead, perhaps?), it is certainly outside the reach of most people because they lack general IT knowledge about the basics of the Internet.

I (Graham) was met with the following comment when I posted a tweet some time before Xmas 2016 about Identity Theft:

“despite the hysteria the theft of most peoples personal information is / will be inconsequential”

The use of the word “inconsequential” by the commenter on my post reminded me of the hilarious Doctor Evil therapy session monologue in the Austin Powers movie when Doctor Evil stated, when asked about his life, that “the details of my life are quite inconsequential”. But 60 seconds of monologue later it was quite clear that they were far from “inconsequential” – it is a matter of perspective as to what is and what is not. That is the problem. And that is the potential worry.

Threat Awareness & Counter Measures

The vast majority of people and their browsing habits are innocuous. The point though that the comment misses and which is the point that Dean makes in his comments about the average John Q. Citizen’s awareness of the threats and the countermeasures available is that the public in general has moved their private communications on to a platform where they do not understand the implications of the ability of externals to eavesdrop or to store and reference data at a future point.

There was a blog post I (Graham) made some time ago about the risk of “profiling” and of “false positives” and the threat that they posed especially with respect to miscarriages of justice. (See “The Sword of Islam” story below)

The point is not whether “the theft of most peoples personal information is / will be inconsequential” or the storage of most peoples browsing history or contacts with other parties is / will be inconsequential or not – the point is that it can be made to look very different to what was actually happening originally.

Like a misquoted partial comment in a newspaper article – actions taken out of context can look very different.

The Oxford Comma Analogy

Recently I posted a tweet about the Oxford comma and it does indirectly inform the point that I am trying to make here:

Excerpt begins from Grammarly

“Unless you’re writing for a particular publication or drafting an essay for school, whether or not you use the Oxford comma is generally up to you. However, omitting it can sometimes cause some strange misunderstandings.

“I love my parents, Lady Gaga and Humpty Dumpty.”

Without the Oxford comma, the sentence above could be interpreted as stating that you love your parents, and your parents are Lady Gaga and Humpty Dumpty. Here’s the same sentence with the Oxford comma:

“I love my parents, Lady Gaga, and Humpty Dumpty.”

Those who oppose the Oxford comma argue that rephrasing an already unclear sentence can solve the same problems that using the Oxford comma does. For example:

“I love my parents, Lady Gaga and Humpty Dumpty.”

could be rewritten as:

“I love Lady Gaga, Humpty Dumpty and my parents.”

Excerpt Ends

The analogy serves to demonstrate one of the main concerns of mass surveillance and mass retention of user data. People are now being profiled and tracked and their behaviours stored and analysed and they do not know why or by whom or for what purpose – they barely understand how to use a browser.

In the wrong hands that potentially makes them cannon fodder. Accuse me of being alarmist and dramatic – fair enough – so did everyone four years ago when I wrote about mass immigration as a weapon, the rise of radical Islam and the dangers of the USA supporting a sectarian Shi’a government in Baghdad, the marginalisation of Sunnis and the Ba’ath party, the randomness of the Arab Spring, the threat of Libya turning into a terrorist haven and so on.

The point is people ignore these developments at their peril but you may as well be talking to a concrete block. You can make all the compelling philosophical points that you like to someone but if they do not have the capacity to understand them then you are wasting your time.

And most of our politicians fall into that category.

Mass Profiling, Mass Surveillance Will Be Inconsequential Until It Isn’t

Dean once met a man named Saifal Islam. He has a devil of a time getting on an airplane because a terror group has the same name – “Sword of Islam”.

He is constantly explaining that the man (him) isn’t the group (them) and that he’s had his name longer than they’ve had theirs. That, yes, the group (them) should be banned from getting on airplanes, but that, no, the man (him) should be allowed on the plane.

Hell of a false positive, and that’s not the only one. Mismatches on felon voting lists, warrants served to the wrong address for no-knock police invasions, people told that they can’t renew driver’s licenses because they’re dead, the list goes on.

Be happy in the knowledge though that your data is apparently “inconsequential” and this privacy debate and the growing intrusion on your personal life is all “hysterical” alarmism.

You can use that statement when you are in the dock defending your very own hysterical “false positive” – no charge.

The next post will be “KarmaWare & Thieves of Thoughts” again in collaboration with Mr. Dean Webb.

ENDS

Am I Being Surveilled?

When someone asks that question do they mean that they are worried about rootkits, backdoors, trojans, worms, spyware, keystroke logging; are they concerned that someone has clocked their PGP private key; do they suspect LE have a warrant to eavesdrop their voice comms; or do they fret about the integrity of SIM card encryption and the Gemalto hack? Do they fuck.

No, they don’t worry about these things because they don’t know about these things, they don’t care to spend the time understanding the threats or pay for the solutions and I don’t blame them. And that simple reality assures the continued happiness and abundant joy of the hacking for profit (LE, governments, economic imperialism) community.

If a concerned citizen is an above ordinary John Q then they follow a few simplistic tips they read after a quick Google and subsequently consider themselves bullet-proof and smart. If they are a small business they get comfortable when some self proclaimed infosec expert in a suit charges them a small fortune for “consulting”.

Good Old Fashioned Olde Worlde Surveillance

It’s not all about super-elegant hacks written by PLA Unit 61398 swirling around in the matrix gobbling up industrial secrets. A scene in the documentary CitizenFour showed Snowden using a blanket to cover his head and his laptop screen. The Snowden-Greenwald dialogue was as follows:

37:35 [Snowden pulling blanket over his head/laptop]

37:44 Greenwald: Is that about the possibility of…

37:47 Snowden [still under blanket, interrupts] visual, yeah visual collection

37:50 [Greenwald looking around the room, seems not rather sure what to think and say]

37:55 Greenwald: I don’t think at this point there is anything in this regard that will shock us. [laughter in room]

BLOG - Snowden Blanket

Gras Double commented on this precaution and noted that allegedly: “Still, using some advanced audio software, from the typing sound of the pressed keys, deducing from echo, reverb, comparing with the sound of a keyboard of an identical laptop, you could determine their coordinates in space. You can also analyse the movement of muscles of Snowden’s arms and extrapolate up to its fingers’ location and movement.” – a bold and sort of ridiculous claim 🙂

Another bright spark on Information Security Stack Exchange stated “He was using the blanket to fool visual recording devices attempting to steal his password, even though with modern technology x-ray or thermal imaging you could effectively ‘see through’ the blanket.”

In rebuttal it was noted “I can see how an IR Thermographic Camera has a chance to detect something if the wrong kind of blanket is used. No idea how you want to use XRay, as it requires an emitter as well as a receiver.”

Line of Sight Surveillance for the Common Man

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good location (easy access to and plenty of space behind the plastic covering the B pillar to store the bits).

Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on. Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

Most successful hacks are low tech.

From a low value non-tech savvy target you will get screen lock password, SIM lock password, their main contacts, their email password and transcripts of their conversations during the time slot – even more if they are road safety conscious and use a speaker phone. For the high value target – encryption keys, app locks, timeline stats and so on and so on.

Turning Everyday Visual Objects into Visual Microphones

When sound hits an object, it causes small vibrations of the object’s surface. This project shows how, using only high-speed video of the object, those minute vibrations can be extracted and partially recover the sound that produced them, allowing you to turn everyday objects—a glass of water, a potted plant, a box of tissues, or a bag of chips—into visual microphones.

The sound is recovered from high speed footage of a variety of objects with different properties, and uses both real and simulated data to examine some of the factors that affect the ability to visually recover sound. The researchers evaluate the quality of recovered sounds using intelligibility and SNR metrics and provide input and recovered audio samples for direct comparison.

They also explore how to leverage the rolling shutter in regular consumer cameras to recover audio from standard frame-rate videos, and use the spatial resolution of the method to visualize how sound-related vibrations vary over an object’s surface, which they can use to recover the vibration modes of an object.

In simple terms:

1. Two guys talking out of sight in a room;

2. You, outside at a distance pointing a video camera, through a window at a glass of beer on a table in the room;

3. Record the glass of beer for the duration of their conversation;

4. Take the footage and process it and extract the audio contents of the conversation that was happening out of sight;

5. No installs, no intrusion, no access to the room required, no need to see the targets;

SIM Card Encryption

Here is a sobering thought in plain language that applies to every SIM card that you have ever owned:

“US and UK intelligence agencies after the Gemalto hack in 2010 and 2011 have the ability, with the stolen encryption keys, to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”

Sentimentality is Your Enemy

The easiest way to ensure that your smart phone remains un-hacked or returns to an un-hacked state is to be willing to survive on cheap throwaways – but most people are not willing to do that. If you are it’s simple as 🙂

1. Take the SIM out of your phone every few days / weeks / months (depending on your level of paranoia or the reality of your work / life), drill a hole in the motherboard, hit it with a hammer, microwave the mess and flush the remnants down a public toilet or a subset thereof;

BLOG - Microwave

2. Insert your SIM card in another cheap smart phone with the proper set of reliable tools that reduce (note the use of the word “reduce” not “remove”) your risk of infection, don’t transfer the data from the old phone or the apps and carry on. For maximum safety – bin your SIM too and buy a new one;

3. As before following a few simple rules like not downloading apps from random sites (although even the Google Play & Apple App Stores have their fair share of dodgy apps and are no guarantee of malware avoidance), don’t click on links in emails from Eastern European porn sites and don’t give your unlocked phones to strangers at airports – although you can just as easily be hacked remotely.

However, if you will insist on treating your phone as a treasured fashion accessory and have to travel everywhere with tons of personal data you haven’t looked at in years at your finger tips (just in case) – then you will not want to do the above and will insist on a different answer to the question.

The Advice “Out There”

A simple search on DuckDuckGo demonstrates the amount of posts out there on the subject and the amount of bizarre “clues” which are considered worthy of worrying about – that’s before you even get into the Android / iPhone variations and exposures. Alarm bells should ring for you apparently, according to many of these posts if:

1. On checking your bank accounts / credit cards you see unusual activity that seems to arise from app purchases that you did not make (sort of blindingly obvious I would have thought);

2. You are also to worry if your pointer starts levitating across the screen to select specific options as opposed to the random behaviour of the pointer on a busted or water damaged handset (I would have thought this would worry even the most non-savvy user or really interest all paranormal investigators);

3. Seeing photos in your gallery that you did not take (Really?) – be very worried if they are of you while watching PornHub 🙂 – RansonWare;

4. Getting text messages from unrecognized numbers with weird characters in them (Oops);

5. Notifications that flash across your screen, disappear and then can’t be found in any app or the notification centre (Seems fair);

END.

Good Tor Behaviours

Using Tor does not ensure your anonymity, there are many many ways that you can be de-anonymised. You will always leave footprints. If you do leave a footprint in error then your job is to try to make them “65 million year old hard to find fossilised dinosaur” footprints and not “freshly pressed custom-made initialled Nike” footprints.

There are all sorts of “novel attack vectors” that can be used to identify Tor users. Developing a counter-surveillance and anonymity mindset while following disciplined behavioural habits combined with the correct installation and isolation of your Tor presence will avoid 99% of the ways that Tor users have their identities exposed.

Try to eliminate the most blatantly obvious technical and non-technical behaviours that will compromise the integrity of your anonymous identity online. Use Tor consistently:

  1. Don’t use Tor at home, in your hotel room, at your favourite coffee house;
  2. Watch out for & monitor for DNS leaks;
  3. Don’t be the only person using Tor on a monitored network at a given time;
  4. Use a bridge;
  5. Leave encrypted laptops in a powered down state when not in use;
  6. Don’t use the same or similar usernames and passwords as your real life online identity;
  7. Don’t mix normal internet usage with Tor usage (correlation attack opportunities);
  8. Don’t talk about the local weather, events, news when using your Tor identity;
  9. Avoid expressions of personal preferences – movies, music, cars, sports;
  10. Don’t maintain a whitelisted website list for java scripting;
  11. Don’t use browser add-ons that can coerce your real IP address from your browser;

More later … Ciao!