…and around it goes

February 13, 2010

Your current location without a warrant

Filed under: Privacy — steve @ 10:31 pm

Justice Department Wants Phone Locales Without Warrant

The article above should alarm you. Must everyone be reminded of three truths?

  • Laws go on books much easier than they come off them
  • Governments and power structures change.  A benevolent one now does not mean the same holds true for the future.
  • History repeats.  Abuses of the past will reappear in the future.

Picture your worst view of the future in terms of who might hold political office or power (national, local, or municipal) and what they might do. Then give them the power to locate you any time they want. Sound unpleasant? Stop them now.

December 24, 2009

The web really needs to forget some idiots.

Filed under: Personal, Cotse Related, Privacy — steve @ 3:13 am

By Stephen K. Gielda (sorry search engine seeding)

The web never forgets; the big problem with this is that everyone gets to record their voice on it. I suppose it was inevitable that my daughter would run a web search on my name. She quickly stumbled upon some of the pages and posts made by a few of the more unstable individuals whose path I crossed.

I hear my mother even fell for some forgeries pretending to be me. Anyway, such is life in my chosen field. I seem to have a small (very small) celebrity status in certain circles, and as with any (very small) celebrity I have my detractors as well. The yang must balance the yin, I guess. Unfortunately, the yang can be very loud.

A little history may be required. Back in 1998 through 2001 Cotse ran a free web interface that posted directly through the mail2news gateway then known as replay, now dizum. It wasn’t anonymous, but it was private. In addition we provided some cypherpunk resources.

In order to be responsible and address any real abuse that happened, we included our contact information in the headers of messages posted through our interface, so that we handled our own abuse issues and they would not be a load on alex (who ran replay/dizum in the NL). This was my introduction to the deep bowels of a thing called Usenet.

Usenet is a discussion forum. Many today think of it as Google Groups, because Google bought the Deja News archives, but Usenet is its own entity. Google merely displays an archive, makes it searchable, and provides a web interface to NNTP, allowing the masses to post through pretty web forms instead of a Usenet client. Kind of like what we did on a much smaller scale (ours, not theirs).

Usenet is full of sociopaths. Forum kings and queens. If you have ever seen a craigslist rants and raves forum for any city, you know how it gets when you add a little anonymity. People are vulgar, scathing, insipid beasts when they can hide. So it is inevitable that egos will clash and insults fly.

The name of the game is to seriously muddy your opponent’s name and, if possible, win your argument by account termination. It includes forgeries, and then complaining about the forgeries as if the opponent posted them. The game is still being played across many forums on the Internet today. It was one of the original reasons I began Cotse (Cotse’s privacy side began as a free web-to-news interface).

People were, and still are, losing their Internet access based upon exaggerated lies from someone they crossed online who knows how to play the game. They also end up with their name returning 72,000+ hits due to some lunatic. It still happens. If the claims sound real, the forged headers look real, the forged “evidence” looks real enough…

So I created a web-to-news poster, to add a shield between them and their ISP and their identity. Naturally this was going to place me (Stephen K. Gielda (more search engine seeding)) at odds with some of the most unstable individuals, when they had no one to attack personally but me.

In addition, that abuse info in the headers, along with the replay info, caused another problem. It made some people assume that everything that came out of the mixmaster and cypherpunk remailers came from us. There was no convincing them this was not the case. It was also easy to forge (anyone could post directly to the replay mail2news gateway just like my form did).

When some did not get their way they came after me personally, and after my service. There were many, but a few really brought that little bit extra to the party. One example was an individual who contacted me demanding that I terminate the account of a user of ours who had called him a liar.

He claimed that this was criminal libel and that I was aiding and abetting a known criminal if I did not act and remove the account (there were no accounts at this stage), and that his notice was enough to prove I was complicit if I did not remove it. He had entire volumes on why it was my responsibility to silence my user. I investigated: our user was not abusing our service in any way; it was a standard forum flamefest with both posters arguing heatedly.

So I (Stephen K. Gielda) informed him that we were not a court of law and could not determine whether being called a liar was libel, and that he would need to file suit against our user if he believed it to be. Once we were notified of a subpoena for information, we would comply. Well, he went off the deep end.

The emails became more demanding, more threatening, more laced with vulgarity. He was going to make sure the entire Internet knew how evil a person I was if I did not terminate this account. He followed me wherever I went, attacking everything I posted anywhere. He started forging me and my service.

Now here is where I made a mistake. Being new to all this, I got fed up with him and his threats and said “Yes, I think it is perfectly ok that he called you a liar, I can certainly think of far more apt things to call you. Now ___ off with all the threats and sue us if you have a case. We are accepting no more email from you.” And I blocked his mail.

He really went ballistic. He started posting web pages dedicated to me. He called me every name in the book. He appeared in other forums and posted pretending to be different people making allegations about me. He posted that my business was a scam in many different web forums. He started small, but rapidly moved to more serious allegations. He seeded search engines to make good on his promise that all would know. He even found my address and called my local police and my neighbors. I even received a visit from the FBI.

This continued for years. Sometimes he’d taper off for a little, then come back from a different angle. I finally had enough and shut down the web2news interface in favor of just mixmaster (because those can’t be traced back to us).

He eventually peaked in a flurry of anonymous posts asking for a contract killing on me (Stephen K. Gielda) (see the links here). In fact one of those was printed out and stuck under my windshield wiper by someone who must have seen me and opted for the flyer instead. Funny how he thought he should be able to post all that against me and keep his account, but I needed to silence anyone using our web form for calling him a liar.

Yet the damage he did to my name (Stephen K. Gielda, sorry, I know it’s annoying) still remains; some of his pages return high in searches because of his search engine seeding. Some of his forgeries do as well. I never paid it much mind, because I figured anyone reading it all would see it was the work of someone unstable and easily see through it, but every once in a while I find myself explaining when something out of context appears in a search.

Unfortunately, the screams of the insane echo for quite some time on the Internet. Perhaps this post will appear equally high in the search now and I won’t have to explain so many times. I think he was committed somewhere.

Thanks,
Stephen K. Gielda

May 11, 2009

GPS now smaller than a match head

Filed under: Privacy — steve @ 8:46 pm

This is a little scary for privacy. It was bound to happen, everything is getting smaller in the move towards nanotech, but it is still scary nonetheless. Imagine a speck of dust able to transmit your position everywhere. I know the “I’ve got nothing to hide, I welcome all my privacy being stripped” folks won’t care, but the rest of us certainly do. Even though I don’t do anything criminal, I don’t want to be findable at all times by anyone looking, especially if there are certain people I am ducking (“you told me you had to work and couldn’t help me shop, why are you at your fishing spot?” I can’t think quick enough to answer that one).

April 21, 2009

SMS can be malicious

Filed under: Privacy — steve @ 10:54 pm

A subscriber brought RexSpy to my attention after reading here that I took the plunge into a smartphone. This, of course, sent me off on a fact-finding journey through Google. There seems to be some trepidation about validating this threat. It may just be a company (SecurStar) trying to drum up business for their product. In fact, little has been heard of it since it was announced and I cannot even find the supposedly free removal tool offered by SecurStar anymore. However, it did make me wonder about the safety of what I had thought were plain text messages.

It appears that there is a newer version of SMS that allows embedding, and because of that SMS messages are not all that secure. So even if RexSpy was just a marketing ploy, it is apparently possible for an invisible SMS message to execute things on the phone, change settings, and potentially copy info while the phone shows nothing happening (apparently all newer smartphones are vulnerable). Granted, there are limitations and it’s not easy, but it is possible.

This led me to delve into my Blackberry for some type of solution. It turns out that its firewall (Settings->Security->Firewall) gives you the ability to block SMS, MMS, PIN, and more for: all, all but address book contacts, and all but address book and special addresses (I need to find out what “special addresses” means). Of note is that blocked items are lost, so if you accidentally block something you want it is gone, but I suppose that strict settings here would help mitigate an SMS attack. I set mine to just address book.

Smartphones, while useful, are still relatively new and as such are probably not going to be trustworthy for a while; I’d use them with that understanding. Do a battery pull in any really secure environment you need to be in (or leave your phone behind), and any remote access you do should have a secondary access control that is out of band from the phone, like SecurID, or else a one-time password design. Also favor certificates for internal authentication, so that you are never typing reusable passwords on the phone. That way even if the phone is lost or compromised it is less likely to lead to a network compromise.

PS: SMS isn’t your only threat; don’t forget that your phone is a mobile workstation and as such vulnerable to Bluetooth attacks, Wi-Fi attacks (if it has Wi-Fi), application vulnerabilities, and viruses/trojans.

Further information on securing your Blackberry.

More on the Blackberry firewall.

Phone web sessions hijacked via SMS.

Youtube video showing SMS hotspot attack.

April 19, 2009

More abuse of powers

Filed under: Personal, Privacy — steve @ 1:23 am

I was reading the latest accusation against the NSA for overstepping its legal bounds on truthout.org (article). It’s interesting, but really nothing new or unexpected. History has taught us all that powers given will be abused if they can be. I’ve noticed (and I’m sure many others have as well) that most often that abuse will be by the entity controlling those powers, for its own protection and preservation. Granted, the NSA doesn’t yet appear to be at that stage (NSA folks are probably laughing at this comment), but could it become this type of monster?

Well, we originally had checks and balances to guard against the creation of a self-protecting powerful entity, at risk of self-preservation becoming its main goal. By removing oversight we are creating just such a potential monster and then playing Russian roulette with it. Which political entity will be in power when it’s finally all-powerful, after passing through administration after administration that removed checks and balances? Think of the influence on the democratic process such an entity could exert. Stop allowing oversight to be removed now, and put more in place.

After all, you have nothing to fear from oversight if you have nothing to hide.

April 18, 2009

Tor vs Privacy Service

Filed under: Cotse Related, Privacy — steve @ 5:43 pm

I frequently receive questions similar to the following:

“I came across this link (http://cryptogon.com/?p=877), and was wondering if you folks were aware of this type of activity; also, can your Proxy/Tunnel service help to mitigate my exposure.”

Some questions also mention Tor and ask which is better protection. I recently answered another of these and thought the (now slightly edited) answer was a good entry for this blog.

The answer:

No proxy service can guarantee to hide you from governments or guarantee flawless anonymity; there are too many areas of potential compromise in every one of them. The closest to anonymity out there is Tor, due to its design, but because it still has to be as real time as possible to be functional it is subject to traffic analysis (an entity who sees both sides can time your packets going in and match them to packets coming out by factoring in the delay it takes to pass through. In an overly simplistic analogy: cars maintaining the same steady speed enter a tunnel staggered; you know that they will slow down in the tunnel and by how much, so you can calculate when each of those cars will exit the tunnel, even if they change lanes inside).

One must also assume a large number of hostile exits with Tor (a researcher recently set up Tor exit nodes and published captured passwords and usernames (PDF); I have to believe that he’s not the only one who ever thought of this). Yet even given these pitfalls, Tor is still the closest you can get to anonymity because of its decentralized approach and onion encryption. That makes it the best protection from an entity who can only see the exit, which is most. Unfortunately, given the nature of its setup (untrusted and potentially hostile end users running servers), it’s going to be slow and you should probably never use it to log into bank accounts, etc. Even though many of those use end-to-end encryption, you place yourself at greater risk of man-in-the-middle attacks. Your safest bet with those types of accounts is direct access; you lose little, as theoretically they already have your personal information.

Paid services and single hop proxies are even more vulnerable to traffic analysis because they are more centralized, strive for as little delay as possible (speed is everything to them), and pass through fewer hops. It’s much easier to match the packets going in to those coming out (the faster the proxy, the easier the traffic analysis). They suffer somewhat like Tor in that you must trust that the service you are using is not capturing your logins and passwords or compromising you itself (i.e., maliciously being a man-in-the-middle), though you can trust most well known paid services in this regard (I would not easily trust free single hop proxies; I have to wonder what they get in return for the cost). Where paid services really fall behind Tor is back tracing by an entity that can only see the exit. Tor is going to provide you with better anonymity there.
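To make the tunnel analogy and the “faster proxy, easier traffic analysis” point concrete, here is an added simulation. It is my own illustration, not code from Cotse or the Tor project, and everything in it is constructed: a handful of client flows with bursty packet timing, a proxy path that adds a fixed 50 ms plus a configurable amount of per-packet queueing jitter, and an observer who sees both the entry and the exit side. The observer links an entry flow to the exit flow whose timing offsets have the smallest spread; it does not need to know the path delay, only that it is roughly constant. The `constant_rate_path` function is a hypothetical mitigation (packets leave on a fixed schedule regardless of input), included to show what it costs to actually defeat this observer.

```python
import random

BASE_DELAY = 0.050   # seconds the proxy path is known to add (constructed value)


def constructed_entry_flows(n_flows=12, packets=25, seed=7):
    """Constructed sample traffic: n_flows client flows entering the proxy,
    each a list of packet send times in seconds with bursty gaps."""
    rng = random.Random(seed)
    flows = []
    for _ in range(n_flows):
        t = rng.uniform(0.0, 2.0)           # all flows start within a 2 s window
        times = []
        for _ in range(packets):
            t += rng.expovariate(20.0)      # gaps average 50 ms
            times.append(t)
        flows.append(times)
    return flows


def low_latency_path(flow, jitter, rng):
    """A speed-first proxy: each packet leaves after BASE_DELAY plus up to
    `jitter` seconds of queueing, and is otherwise untouched."""
    return [t + BASE_DELAY + rng.uniform(0.0, jitter) for t in flow]


def constant_rate_path(flow, tick=0.1):
    """Hypothetical mitigation: packets leave on a fixed schedule regardless of
    when they arrived, so the output timing says nothing about the input."""
    return [BASE_DELAY + tick * i for i in range(len(flow))]


def timing_spread(entry, exit_times):
    """Standard deviation of the (exit - entry) offsets.  A path that adds a
    constant delay gives zero spread; the observer never needs the delay value."""
    offsets = [b - a for a, b in zip(entry, exit_times)]
    mean = sum(offsets) / len(offsets)
    return (sum((o - mean) ** 2 for o in offsets) / len(offsets)) ** 0.5


def correlate(entry_flows, exit_flows):
    """Observer at both ends: for each entry flow, the index of the exit flow
    whose timing fits best."""
    return [min(range(len(exit_flows)), key=lambda j: timing_spread(e, exit_flows[j]))
            for e in entry_flows]


def experiment(jitter, padded=False, seed=7):
    """Fraction of flows the observer links correctly under the given path model."""
    rng = random.Random(seed)
    entry = constructed_entry_flows(seed=seed)
    if padded:
        exits = [constant_rate_path(f) for f in entry]
    else:
        exits = [low_latency_path(f, jitter, rng) for f in entry]
    order = list(range(len(entry)))
    rng.shuffle(order)                      # exit flows are seen in arbitrary order
    observed = [exits[i] for i in order]
    guesses = correlate(entry, observed)
    hits = sum(1 for i, g in enumerate(guesses) if order[g] == i)
    return hits / len(entry)


if __name__ == "__main__":
    for label, acc in [("5 ms jitter (fast single hop)", experiment(0.005)),
                       ("500 ms jitter (slower, multi-hop)", experiment(0.5)),
                       ("3 s jitter", experiment(3.0)),
                       ("constant-rate padding", experiment(0.0, padded=True))]:
        print(f"{label:34s} linked {acc:.0%} of flows")
```

With a few milliseconds of jitter the observer links every flow, and only very large jitter (which no real-time service can afford) or a fixed output schedule breaks the link; in the padded case every exit looks the same and the observer is reduced to guessing, which is the speed-versus-anonymity trade the post describes.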

Both Tor and paid services/single hop proxies can protect you from the unwashed masses as well as snooping ISPs. Both can also provide you ways of accessing data you might not otherwise be able to access. Tor will provide you with better anonymity than a paid service/single hop proxy will against an entity that only sees the exit, at the cost of speed. But neither can protect you from a government that wants to get you. To be honest, they likely wouldn’t even need traffic analysis in either case. Their preferred mode of intercept for proxy users appears to be to trojan their machine via a vulnerability in the browser software and/or plugins, or through email or messaging client vulnerabilities (see: http://blog.wired.com/27bstroke6/2009/04/fbi-spyware-pro.html).

It all means that if you want to hide from a government focused on catching you, it’s going to take a lot more than just a proxy.

April 17, 2009

Recent reports about CIPAV illustrate a point

Filed under: Cotse Related, Privacy — steve @ 4:18 pm

For those unaware of CIPAV, you can get details here and here.  It’s really not a new concept but it does bring up a point I’d like to make again for the novices.  If the FBI can do it, malicious people or oppressive governments can do it too (and actually have been for some time).

It’s extremely important that you choose the software you use carefully and that you stay current with patches.  Many of your favorite applications have had serious vulnerabilities in the past and may so again in the future.  Only you can protect yourself from what is allowed to run on your machine.

Things running on your machine are your greatest risk. They can get any information that is available to them and send it anywhere, negating any proxy or VPN, even Tor. There is nothing automated that will secure everything for you and keep it all updated properly. You will need to learn about your system and its configuration, pay attention to what runs on it, watch for reported vulnerabilities, and patch them.

Each system is different so I won’t try to go into details, but favor peer reviewed open source over closed source whenever possible, and get it from jurisdictions that have no issues with how you intend to use it (this helps minimize the prospect of source tampering). In other words, don’t download software you may be using to report abuses by an entity from that same entity (this should be common sense).

Those of you in serious situations should lose the “cool things” on the net, like video, flash, java, and other plugins, or at least run something that makes them unavailable to untrusted sites.  Participation in Facebook, Myspace, and other large social networks should probably be avoided where possible in favor of a blog you fully control (users may request our web hosting, which allows even a novice to easily install and run things like this blog).

Try to remain as text based as possible on the Net.  Run antispyware, antitrojan, and antivirus software and frequently scan.  Don’t open unknown attachments and don’t follow unknown links sent by mail or message.  Don’t leave your computer on or able to be woken up when you are not at it.  And as always, stay up to date with security patches (not enough of you do this).

Google and ask about what you do not know, and investigate anomalies. Everything mentioned is especially important for those of you reporting on abuses or accessing forbidden information from behind a wall of information blackout.

April 15, 2009

I ditched the OQO

Filed under: Personal, Privacy — steve @ 11:46 pm

Well, not completely, but my love affair with it has faded. It fits my needs for a lightly packed weekend trip and it is something I’ll keep for that and for use as a car computer, but I stopped carrying it daily. Even given its pocketable size it’s a tad large to be in your pocket all the time.

In spite of this I was still considering upgrading to the new model for more RAM and the better video performance, but their customer support has fallen through the floor.  Given the unreliability of these machines, that is a huge issue, a showstopper for me.  I won’t be upgrading because of it.  Personally, I think OQO is faltering as a company.  I believe they are trying to find an exit with a buyer now.

What do I use daily now? Well, I’m trying out a Blackberry Curve 8330 (Verizon had a two for $49 deal when I re-upped and that fit perfectly with my tightwad side…although they did soak me an additional $30 a month for the unlimited net for it). I’ve never been one for “smart phones”; to me a phone was just to make calls and use as a modem. I didn’t even use the contacts list in my last phone. As for Blackberry in particular, I’d always thought that Blackberries were just glorified phones with a PIM, address book, SMS, and perhaps some limited Internet via their proxy. I didn’t know they can now do what they do.

So far I am impressed. I have an SSH client to manage servers with in an emergency (the screen is a tad small for any real work on it, but it’s ok for emergency troubleshooting and even managing accounts), I have my e-mail (although I refuse to use Blackberry’s push service and instead use LogicMail; the privacy side of me does not want someone in the middle), I have my real time server monitoring alerts, and I have my web access; in fact I have full net access. That is all I really need when out daily.

It also has some things that I do not really need, but I like them.  Pandora is something I use a lot.  It’s Internet radio and my first foray into it.  I just plug the phone into the line in jack on my truck then start Pandora and I’m good to go, it even pauses the music if the phone rings.  Slacker is another internet radio app I installed and like.  No need for a Sirius subscription anymore (I think as phone networks and Internet radio progress that it means the death of satellite radio, unless they morph or merge).  I also find myself using Viigo a lot for RSS feeds.

BTW: If you are using a smartphone and Opera Mini, please be aware that everything goes through a proxy in Norway and that it operates as a man-in-the-middle for SSL. Obviously this is not good from a security or privacy standpoint. Don’t use Opera Mini for anything like online banking, Paypal, etc. where you really want end-to-end encryption.

So I have only had the Blackberry for a couple of weeks now which means it is too early to find out if it has staying power, but I do expect it does, at least for a while.  Now I have to WAP enable Cotse somehow as LogicMail, though functional, is very basic. Either that or it’s time to learn to code in Java and write my own mail app for it, which I am considering.

April 14, 2009

What do your e-mail headers give away about you?

Filed under: Privacy — steve @ 3:02 am

We all already know about our IP address and what it can give away about us (I am assuming, perhaps incorrectly, that readers are privacy and security minded).  I want to talk about other perhaps lesser known risks to your privacy and security that you’ll find in your e-mail headers.   These range from giving away personal and local information to providing an attacker with the keys to your computer.

Let’s start with personal information. Most of you probably use a mail service that hides your IP address, but does it hide/change your message ID? The message ID is generated by your mail client and may contain information about you, your general location, and/or your machine. For example, some versions of Microsoft Outlook encode your machine’s IP address into the message ID. We’ll look at a sample:

Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>

You may notice that between the @ and the first $ (moving from right to left) we have 0100a8c0; reading its four bytes in reverse order gives c0a80001, that is, in hex: c0 = 192, a8 = 168, 00 = 0, and 01 = 1, or 192.168.0.1. Also notice it gives the machine name, billsbarn. Why give out any unnecessary information?

In the above example it is the IP address of the internal LAN, which gives away information on its own, but it could be an externally accessible IP in some situations. Outlook isn’t alone in this; other clients do it too, be it in hex, octal, decimal, or another base. It’s not only encoded IP addresses we can find in message IDs; we can often find machine names, ISP names, POP account names, and local dates and times, giving away your timezone (in some cases this may matter). These are often not even encoded.

Besides the message ID, mail clients have been known to stick all sorts of potentially personal information into the mail headers.  The organization you belong to or company you work for, who originally forwarded the message you are quoting, and even your fax and or phone number.   Mail clients are notorious for strewing personal and potentially damaging information throughout the mail headers.

Perhaps the stupidest idea I have ever seen from a security standpoint: most mail clients stamp into the mail headers the software you are using and its version number. And every one of them has suffered serious vulnerabilities at one time or another, vulnerabilities that allow an attacker to remotely execute code on your machine, potentially giving him access to your computer and all the personal information about you it contains. The keys to the castle, game over.

As always, you should keep up on patches, but in the event a vulnerability exists which you are unaware of, you may very well be telling your attacker how to gain access to your machine just by sending him an e-mail, either directly, via a mail list, or in a web mailing list archive (ever search Google for older vulnerable user agent strings? You find them all the time in current mail lists, and for some of them all it would take to compromise the machine is to send the person a properly crafted e-mail).
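As an added worked example (not from the original post, and not a Cotse tool), here is a small header audit you can run against your own outgoing mail before deciding which client or service to use. It decodes the Outlook-style Message-ID shown above (the third `$`-separated field holds the IPv4 address with its bytes reversed, and the part after `@` is the machine name) and lists the other disclosure headers discussed here: software and version, organization, originating IP, and the timezone offset in the Date header. The message itself is constructed for the example; the addresses, organization name and originating IP are made up.

```python
import re
from email import message_from_string

# Constructed sample message modelled on the Outlook-style Message-ID discussed
# in the post.  Every name, address and IP here is made up for the example.
SAMPLE = """\
From: bill@example.net
To: steve@example.org
Subject: test
Message-ID: <000101c168cc$09359c50$0100a8c0@billsbarn>
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Organization: Bills Barn Widgets
X-Originating-IP: [203.0.113.7]
Date: Mon, 12 Nov 2001 09:15:00 -0500

hello
"""

# Three '$'-separated hex fields, then the machine name after '@'.
OUTLOOK_ID = re.compile(r"<([0-9a-f]{12})\$([0-9a-f]{8})\$([0-9a-f]{8})@([^>]+)>", re.I)

# Headers that commonly reveal software, organisation or network details.
DISCLOSURE_HEADERS = ("X-Mailer", "User-Agent", "Organization", "X-Originating-IP")


def decode_outlook_message_id(message_id):
    """Return (ip, hostname) encoded in an Outlook-style Message-ID, or None.

    The third field holds the sender's IPv4 address with its bytes in reverse
    order: 0100a8c0 -> c0 a8 00 01 -> 192.168.0.1.
    """
    m = OUTLOOK_ID.match(message_id.strip())
    if not m:
        return None
    raw = bytes.fromhex(m.group(3))
    ip = ".".join(str(b) for b in reversed(raw))
    return ip, m.group(4)


def audit_headers(raw_message):
    """List (header, detail) pairs for everything in the message that leaks
    software, organisation, network or timezone information."""
    msg = message_from_string(raw_message)
    findings = []
    for name in DISCLOSURE_HEADERS:
        value = msg.get(name)
        if value:
            findings.append((name, value))
    decoded = decode_outlook_message_id(msg.get("Message-ID", ""))
    if decoded:
        ip, host = decoded
        findings.append(("Message-ID", f"encodes IP {ip} and host {host}"))
    tz = re.search(r"([+-]\d{4})\s*$", msg.get("Date", ""))
    if tz:
        findings.append(("Date", f"reveals timezone offset {tz.group(1)}"))
    return findings


if __name__ == "__main__":
    for header, detail in audit_headers(SAMPLE):
        print(f"{header:18s} {detail}")
```

Run it on a message you have sent to yourself (save the raw source, not the rendered view) to see exactly what your own client strews through the headers; a client or service that lets you remove or rewrite these lines is the fix the post recommends.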

Unfortunately your options for correcting this are limited, as many clients simply do not give you the ability to change or remove these headers. If you are good with a hex editor you may be able to change or zero out these headers in some clients. Or you can research clients and what they place in headers and pick one that adds the least or that gives you the most control. Or you can subscribe to a mail service that gives you the ability to add, remove, or change your mail headers. Coincidentally, I happen to run one of those, and if you are already a subscriber, you’re covered.

April 10, 2007

Imus

Filed under: Personal, Privacy — steve @ 1:06 pm

This whole Imus thing reminds me of a piece I wrote some time ago about how no one has the right not to be offended. Now I’m not downplaying anything about what was said nor how it impacts anyone, I’m just commenting on the backlash.

This is a radio show. One that is well known for the antics, comments, and slurs of its host. It is not the BBC news desk. Imus is what is known as a shock jock. His job is to shock and offend and he offends all groups equally. Anyone listening should understand this. Yet when he shocks and offends the wrong group he suddenly must be taken off the air. Silenced.

Now I’m not a big fan of shock jocks, I tend to find them offensive, juvenile, or some combination. So I don’t listen to them. I turn the dial. I don’t demand they be taken off the air because they offended me. This is because I do not have a right not to be offended. This right does not exist.

I can be assured that many things in life will offend me. This is life in a free state. The spectrum of what offends whom is so broad that you can’t have a free state where nobody is offended by anything. And favoring one group over another certainly isn’t the path to an equality based free state.

This is where personal choice comes into play. If I don’t like the show, I change the channel. If I don’t like the shock jock, I change the channel. Speaking out, demanding an apology, they are also options open to me. But demanding that what I dislike be silenced, that’s not one of my options. I’m not forced to listen.

Nobody is forced to listen. Silencing the speaker because he/she offended someone is not the mark of a free state. Certainly not one that promotes equality and freedom of speech. To live in an equality based free state means that I do not have a right not to be offended and neither do you.
