Jan 5
Becoming Virtually Untraceable- “eps10_F0rm4t C:\*.*_W!pE.py”
*Note: This article was originally published by the author on April 14, 2019. This article is also available in Spanish here.
“In making tactical dispositions, the highest pitch you can attain is to conceal them; conceal your dispositions, and you will be safe from the prying of the subtlest spies, from the machinations of the wisest brains.” — Sun Tzu, Art of War
Many warm thanks to those persistent readers who have dared to adventure into the distrustful mind of this privacy-paranoid author, this being the tenth newsletter. Though I normally recommend that readers begin reading any series from the beginning to understand everything that has been previously covered up to this point, you’re welcome to pick up wherever you’d like. In this installment of the series, I will explain some techniques that you can use to avoid becoming a victim of unwanted snooping. We’ll also look at a few spotlight data privacy issues that have been front-page news recently involving the National Security Agency (NSA), Immigration Customs Enforcement (ICE), big telecoms, and how big tech companies like Apple, Google, and Facebook are talking out of both ends when they say they care about customer privacy. Lastly, I’ll finish up by providing you with some additional tips on how you can best maintain a low profile online and what you might want to back up to the Cloud to be able to pick up and go in a hurry.
How Government Overreach Affects Your Data Privacy
The National Security Agency (NSA) recently released its free and open-source Reverse Engineering (RE) tool called GHIDRA at the March 2019 RSA Conference. Though this may seem quite an odd thing for the NSA to be giving away free software, it is actually considered to be a competitor code decompiler tool that is comparable to other RE tools on the market like IDA Pro and JEB Decompiler. Perhaps the NSA’s rationale for giving this free open-source decompiler to the information security community was that it could demonstrate that the NSA stands alongside the InfoSec community while simultaneously helping to improve malware reverse engineering for those who can’t afford the expensive commercial decompilers.
Due to what the NSA is known for, however, many people remain suspicious of anything that has to do with the government and especially the NSA. Free software from the government? My immediate thoughts are that software is going to track me and report activity back to Big Brother, I am immediately suspicious. However, I must admit that thus far GHIDRA appears to be a useful RE tool by most accounts.
Since the unforgettable terrorist attacks of 9/11, the NSA had been collecting metadata from telecom and internet service providers under the authority provided to the agency in the 2001 Patriot Act which then was carried over into the USA Freedom Act of 2015. This metadata collection only ended in the last six months or so of this article’s publishing and was revealed in the 2013 Snowden global surveillance leaks. It has since been replaced by a more “targeted” surveillance system.
“The administration actually hasn’t been using it for the past six months because of problems with the way in which that information was collected,” Luke Murray, House minority leader Kevin McCarthy’s, R-CA., national security advisor, said during a Lawfare.com podcast.
So, in other words, there were a good 17+ years of the NSA violating the Fourth Amendment privacy rights of innocent U.S. citizens that occurred on an unprecedented level that has never been seen before in the name of national security. But this is far from new, it only scratches the surface of a phenomenon that has been happening for many years in one form or another.
Constitutional rights have been watered down to the point now that they may as well not exist anymore.
Under current authority granted to the Transportation Security Agency (TSA), agents can demand that an American citizen provide the passcode to unlock their mobile devices and laptop computer when passing through the airport or other ports of entry.
Telecom service providers have been marketing this sort of metadata for decades. Whenever a terrorist attack occurs against any nation, elected politicians and government policymakers use it as an excuse to enact “tougher” regulations and “increased” surveillance and monitoring to thwart future attempted attacks.
However, what inevitably ends up happening is that all of that tougher regulation and increased surveillance and monitoring gets misappropriated and focused on the nations’ own citizens. How is this fair you may ask? It isn’t and it is unlawful. It is exactly the type of government overreach the U.S. Consitution and its Amendments sought to prevent. Government officials who violate the protections afforded by the Consitution, including laws passed by Congress to strip rights away from citizens, should be charged with crimes and held accountable by the citizens. That is how democracy is supposed to work, the people hold the power. Not elected politicians or government cronies.
For instance, not only did New Yorkers suffer one of the most horrific terror attacks in world history but they were also subjected to increased police presence, random “stop-and-frisk” pat-downs by NYPD police officers all over the city because “we just can’t allow another 9/11 happen again,” and city in disrepair for over a decade while disaster clean and re-building occurred. It’s the same story at airports too with Transportation Security Agency (TSA) pat-downs, “We don’t want another Russia to happen.” TSA is perhaps one of the most extreme examples of a government agency that should be defunded and disbanded. Privatized airport security adhering to federal laws would be much more effective.
Another example of how government overreach affects your data privacy is with the U.S. Immigration and Customs Enforcement (ICE) who contracted the services of a private firm called Vigilant Solutions that shared Automatic License Plate Reader (ALPR) information collected by over 80 local law enforcement (LE) agencies and private businesses in about a dozen States. Over 9,200 ICE officers have Vigilant database account access. The fact that this type of data is being shared with ICE is likely a violation of several States’ data privacy-sharing laws from sanctuary cities or State law, not to mention ICE’s own privacy policies. In California, State Bill (SB)-54 limits immigration data sharing between federal authorities and local authorities.
Oh, did you think these ICE agents were that good that they were just scooping up illegal immigrants by the hundreds all over the country? No Sir, ICE is cheating the system as we have to come to expect under the highly unethical and criminal, and illegitimate “dump-Trump” administration. Now, make no mistake about it, I am all for protecting our national security and enforcing immigration laws that encourage legal immigration. However, when you have local LE agencies willfully sharing ALPR data with ICE officers to apprehend illegal immigrants it seems that we’re playing a bit dirty.
Aren’t we missing a crucial step there normally called a search warrant or subpoena that is reviewed by a federal Judge? I believe so. ICE, an agency of the Department of Justice (DOJ), has effectively cut out the middleman which in this case is the Judicial review process. How convenient for them and how inconvenient for those illegal immigrants, many of which came to the U.S. to escape violence and political persecution only to become victims of racism and political persecution here. I am imagining all of the privileged Americans This is a clever government overreach by ICE and it is only one such example of overreach endemic throughout the federal government.
Many take data privacy for granted until they become victims of someone or some agency exploiting their personal information. Then, suddenly, it is an urgent matter for which they expect everyone to drop what they are doing to address it immediately. Life doesn’t work that way people, you have to be smart enough to see the wolf dressed in sheep’s clothing standing at your doorstep before it’s too late.
Featured Privacy Tactics, Techniques, & Procedures
Data Virtualization
Traditionally, virtualization has been viewed from the lens of security as a major benefit but rarely is it ever viewed from the lens of privacy. When you really think about it though, running The Amnesic Incognito Live System (TAILS) operating system (OS) is kind of the same thing as virtualization because much like the reloading of a virtual machine instance, personal data is wiped whenever the TAILS OS is rebooted. In fact, you can run the TAILS OS in VirtualBox if you want but be sure to run it only within the VirtualBox Open Source Edition and follow the specifications listed on the TAILS site. The main benefit of privacy that virtualization provides is that there is less hardware identity when connecting to Internet sites and services that can be traced back to you.
Privacy Enhancing Technologies
There has been a great deal of effort by different privacy-advocate groups and even commercial enterprises to develop PETs because a lot of people are worried about scandals such as the Facebook/Cambridge Analytica data-mining scandal.
Using anonymous system login credentials makes it harder for anyone outside of a particular organization or community to know who the user is. This is kind of a no-brainer, but strangely it is not used very often within corporate networks. Why do so many websites still require your email address as a login?
Other PETs include things like (some of these you can just do on your own):
- Randomized host IP addresses
- Using pseudonyms/aliases online
- Using shared accounts or credentials to randomize usage
- Data obfuscation techniques that make it harder for algorithms or bots to trace identities
- Limited disclosure technology
- Data transaction logs that users of services can check to see what data of theirs was collected, the time/date, etc.
I think we still have a long ways to go with respect to privacy legislation and privacy-enhancing technologies before they can be considered mutually reinforcing, but we’re starting to see how what that might look like now and we’re making baby steps in the right direction. A huge issue in the American computer science curriculum is that there aren’t classes or curriculum on information security and consequently developers graduate college with very little thought ever having been given toward security-by-design. Well, privacy-by-design is equally important. Why isn’t privacy and security being taught at Universities offering computer science degree paths? Perhaps if that were not the case, then we’d less software code bugs and more privacy.
Spotlight Data Privacy Issues
When big telecom companies are actively selling customer GPS data to bounty hunters and private businesses specifically for the purposes of locating customers, that is a major data privacy problem in my opinion. What if gangs, the mob, or cybercriminals fronting as bounty hunters exploited this loophole to track down adversaries?
First of all, how do Telecom providers get off thinking it is okay to engage in this practice and why isn’t the Federal Trade Commission (FTC) fining them back to the Stone Age?
The fact that these companies can get away with this without so much as a slap on the wrist makes me sick to my stomach. This is enough to make me want to not have a cell phone in the first place which, of course, is the truly paranoid person’s approach. Then there is a related issue involving what is known as “assisted GPS” or A-GPS which first responders (e.g., police, paramedics) use to locate anyone calling 911 from a cell phone. Hmmm? So, you know who often shares a lot of information with the government? Law enforcement. Not that the government would need to access a 911 dispatch A-GPS system to locate someone though, because they have methods like we previously covered for ICE and ALPR systems, or in some cases the telecom and internet service providers just hand it over to the government without a search warrant or subpoena.
EU member Germany has banned Facebook from combining user data from other technology companies it acquired like WhatsApp and Instagram without first getting explicit user permission. This should be a universal law in every country, right? When Internet giants like FB are able to acquire new tech companies like Instagram and WhatsApp, that allows them to combine all of that user data into a single user profile that can be used to more effectively market to them. Google is even more of an offender than FB, but Google appears to at least care about user data privacy as opposed to FB. Normally, I am not a fan of more regulation, but I feel it is needed in this area for certain.
Apple, Google, and Facebook are being pressured by Senate privacy advocates to answer questions surrounding privacy-invasive apps. It is apparent that the tech giants are using technology to sidestep measures taken by smartphone device manufacturers that were aimed at protecting children (i.e., teenagers) online. ‘Project Atlas’ was a Facebook effort that targeted teens with an App called “Research” which gave Facebook unfettered access to users’ app activity, browser searches, even encrypted data, and private messages. Technological techniques like these that Facebook used by introducing an App to collect encryption keys of users so that it could access users’ encrypted data and private messages are no different than what black hat hackers (a.k.a., cybercriminals) use to do the same thing with malware by installing a “root certificate” on users’ phones. I am reminded of an old saying here, “With friends like [Facebook], who needs enemies?” You should really check out this great Wired article (below) for more details on exactly how sneaky Facebook operates if you didn’t know by now. If you’re still using Facebook at this point, privacy is obviously not your primary concern.
Apparently, two Israeli law professors have analyzed the terms and conditions, you know those things you always skip over, for 500 popular U.S. websites. They determined that the language used in these terms and conditions required readers to have advanced levels of education — like in the neighborhood of 14 years of education (so, college-degreed by U.S. education standards), just to be able to read and understand them. In other words, adults and children in some cases, are being held to terms and conditions that many don’t understand (or read for that matter). As I’ve written about in previous installments of this series on Becoming Virtually Untraceable, the Terms of Service (ToS) for Google are pretty telling when you delve into it and analyze them. These tech firms have law firms on the payroll that craft the language in the ToS and they will often bury little nuggets of what I like to refer to as “anti-privacy.”
The moral of the story here folks is that you should read those ToS before using these products and be damn selective on which apps you install on your phone or which websites and browser plug-ins you use. There is an entire industry built around collecting personal data and selling it for marketing products to you or for even more sinister purposes. Think about it, if you’re a government spy agency, why not just pay telecom and internet service providers for metadata instead of trying to pass legislation or create sophisticated malware to spy on citizens? Seems like a troubling prospect any way you slice it. If you think telecoms and ISPs aren’t vulnerable to ‘persuasion’ by Big Brother, think again. History has proven otherwise.
Google is facing heat because they somehow failed to mention that their Nest Secure Guard hub has a built-in microphone that can double as a Google Assistant! Well, thanks a lot Google. Nice of you to inform customers after the fact.
Google referred to the minor detail having been omitted as “an error on our part.”
Luckily, for users, the mic came turned off by default but could you imagine if it came “on” by default? The company could have had unprecedented levels of audio spying capability and as an ethical hacker, I have to wonder how difficult it would be to remotely activate the microphone in the Guard hub? Something tells me that it could be easily done.
Low-Tech Security: Evasion and Anonymity Tips
Creating a “tactical gap” is an important technique for you to know should you ever find yourself in a stalker situation. The way it works is you slowly create some distance between yourself and the suspected stalker, then suddenly turn a corner and run very fast but only for as long as it would reasonably take the stalker to turn that same corner. This will either shock the stalker and they begin running after you or they might just keep walking straight instead of following you. If this happens then use that tactical gap space to flag down help, scream, or take off running and this time don’t stop. In one situation you risk looking foolish but can rest easy knowing you evaded a potential stalker. In the other situation, the stalker catches you and who knows what happens? Personally, I think risking looking foolish is worth it. The same technique can be used if you’re being tailed by someone while driving a car. Check out 100 Deadly Skills (Emerson) and The Gift of Fear (De Becker) for many more tips like this.
If the unthinkable were to happen right now, what would you do? Would you be ready, mostly ready, somewhat ready, or not ready at all to pick up and go? Do you have the means to pick up and go if you had to? Would you know what is physically and digitally essential or would you be one of those people trying to squeeze the 50-inch television into the trunk of the car?
For instance, if I had to pick up and go in a hurry, it’s ok because I’ve taken the time to think it through and ensure that all of my important documents, photos, research are digitally scanned and backed up to the Cloud. I always make a habit of encrypting my personal files before they are uploaded to any Cloud Service Provider (C-SP) so that if the C-SP suffers a data breach or someone wants to snoop, they aren’t going to see anything valuable and it is then protected with double encryption (I & the C-SP each encrypt it). That means that if I am not home and a wildfire rips through our home and destroys everything, it’s ok.
The insurance provider will cut a check and we’ll rebuild, but more importantly, we still have our lives and all of our important documents are backed up in multiple locations physically and to the Cloud. That is one scenario, but there are certainly others that might require similar action. I always think back to that J.Lo movie, “Enough,” in which she plays a woman on the run who is constantly having to escape and reinvent her life due to a persistent stalker ex-lover. We never know when or if we’ll find ourselves in a similar situation. It is always better to be prepared for the unlikely than to have never even considered how we would respond. Always have a plan B, a way out, a backup strategy.
Passwords? All contained in a password manager. So long as I remember my master password, I am good. Your master password is one of those things that is so important that I recommend that you do actually write it down and keep it someplace safe but that’s easily accessible in case you’re in a car accident or something and experience memory loss. People always raise an eyebrow when I tell them that I will write down an important password/passphrase (e.g., a master passphrase) because I work in information security and this is very frowned upon. However, I will tell you that in all my years of experience I’ve never once had a password I wrote down stolen or hacked.
The trick is not writing it down someplace obvious like a yellow sticky note and placing it under the keyboard or attached to the computer monitor. Write it in a personal notebook or something and do it in such a way that only you would be able to decipher it. For instance, a PIN (23–44–59) might be written as a telephone number at the bottom or top of a notebook page as 1–888–523–4459 so as to not draw any attention if the notebook is lost or stolen. What you want to avoid is the obvious clue such as: “password= Y&mmyY#mmy1nMyT%mmy.”
Important documents and other items you might want to scan and back up to the Cloud are things like:
- birth certificates (for you and your family)
- marriage (and divorce) certificates
- immunization and/or other medical records
- diplomas/degrees/awards
- precious, irreplaceable photos and/or video media as well as photos/videos of your valuables in case they are lost/stolen/destroyed because the insurance company will ask for them
- tax statements and supporting documentation (takes us less space digitally)
- legal documents like living trusts, powers of attorney, and wills
- passports
- drivers license, social security, or other types of ID cards (e.g., military, VA card)
- scans of the front/back of all your wallet credit cards in case it is ever lost or stolen, you can easily call the company and replace them
- other important financial/banking documents (most of this type of stuff is available electronically now for download)
Other physical items I would recommend taking are:
- a laptop computer
- backup batteries to charge your laptop/phone
- a smartphone that can also serve as a Wi-Fi hotspot
- Cash and credit cards (only paying with credit cards is safer than using debit cards online); not every merchant accepts Apple Pay, Google Pay, or Samsung Pay
- firearms and ammunition
- non-perishable food and water (bottles with water filters for use in lakes/rivers/streams)
- medicine
- extra clothing and all-purpose (tennis) shoes
This is not meant to be an exhaustive list, just some important items that you might want to consider. There is a lot to think about when it comes to being prepared, especially if you want or need to pick up and go in a hurry without leaving a trace. I hope that these tips will help you should you ever find yourself in such a situation. That’s it for this newsletter. Until next time and remember:
***Trust No One. Verify Everything. Leave No Trace.***
Additional Privacy Resources
z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, #9–20, 16, 17, 45–20, 46–20, 47–20, 48–20, #1–21, #2–21, #3–21, #6–21
*Privacy-related articles also published by the author can be found here.
Other helpful privacy info: EFFector | Atlas of Surveillance | Privacy Tools | IAPP | ACLU | PogoWasRight.org | DataBreaches.net
