‘Merica!

Here’s an easy thing you can do to make yourself safer: don’t go to malls around Christmas. When American shoppers come together near Christmas weird shit starts happening:

A series of apparently unconnected fights and disturbances broke out at malls across the country the day after Christmas, leaving shoppers desperate for an exit and authorities struggling to wrangle unruly crowds.

Several arrests and multiple injuries were reported — including an assault on an officer — and authorities and witnesses described panic-stricken scenes from Aurora, Colo. to East Garden City, N.Y.

Some of the videos are interesting to watch because they show shoppers trying to flee out of the main entrances, which results in too many people trying to cram through too little space. So here’s another thing you can do to make yourself safer: if you are in a mall when a brawl breaks out, make a beeline for an emergency exit. Yes, it will probably set off an alarm, but you’ll be out of the confined space with the psychopaths.

Be Safe Out There

This weekend is forecast to be fucking brutal. First we’re supposed to be nailed by snow today, and then on Saturday and Sunday the temperatures are looking to be rather unpleasant. This kind of weather isn’t a joking matter. It kills people.

If you can avoid traveling, do so. If you can’t, make sure you don’t let your gas tank drop below half full. If you become stranded you can turn on the engine periodically to keep the inside temperature from dropping to lethal levels, but only if you have gas in the tank (also, if you’re stuck in this situation, periodically get out and verify that the exhaust pipe is not obstructed by snow). Have a full winter survival kit in your vehicle that includes warm clothes (as in clothing appropriate for surviving this weather, not an old coat you had lying around that’s barely rated for 10 degrees, let alone -20 degrees), a heat-reflective emergency blanket, a jump pack in case you need to jumpstart your vehicle, a small shovel and some kitty litter in case you need to get unstuck, and a winter-rated sleeping bag in case you’re going to be stranded for a while.

This kind of weather is lethal; treat it with the seriousness it deserves.

A Restraining Order is Only a Step in a Multistep Plan

Many people facing abuse will pull a restraining order against their abuser. Although my history of advising against interacting with the State may make some believe that I would advise against pursuing a restraining order, the opposite is true. I highly recommend getting a restraining order against an abuser. When it comes to survival you should use every single tool available to you. A restraining order does offer several important legal protections, especially if you are in a situation where you have to defend yourself against your abuser. With that said, your survival strategy must include more than just a restraining order. A restraining order is literally a piece of paper and therefore can’t protect you if your abuser decides to violate it.

Stories like this are, unfortunately, all too common:

Lucas A. Jablonski, 25, of Anoka, was charged Monday in Anoka County District Court with second-degree murder in the death in mid-August of 34-year-old Becky L. Drewlo, whose parents have been her guardians since she turned 18 in November 2000.

Jablonski has been jailed since he was charged in early September with violating the terms of the restraining order, which was granted at the request of her mother in September 2014.

Earlier violations by Jablonski of the same restraining order — in October 2014 and January 2016 — led to convictions in both instances but no significant time in custody.

[…]

Jablonski had been living with Drewlo for several weeks leading up to her death, the complaint read, despite the restraining order being in force that “precluded [him] from having any contact with Ms. Drewlo and from being at her apartment.”

In the petition for the restraining order, Laura Drewlo noted that Jablonski had “taken advantage of Becky sexual[ly] many times. Becky lacks sufficient understanding [and] therefore doesn’t understand the consequences.” She said her daughter had considered Jablonski her boyfriend in the months leading up to the petition being filed.

She said her daughter was in a program that allowed her to live independently with professional assistance and keep a job.

This case is more complicated than many since the victim appears to have been suffering from a mental disability, which likely prevented her from being able to protect herself. My usual go-to advice, taking measures to improve your ability to defend yourself, likely doesn’t apply here. But it does illustrate the limitations of a restraining order.

A restraining order is only effective if the person holding it reports infractions against the order and the police respond to the report. Even then, punishments for violating restraining orders are often minor. In this case the suspect had violated the order multiple times but received no significant punishment. And if a violation turns into an attack, the order has no ability to defend the victim.

Pulling a restraining order should be seen as one step in a multistep plan. A restraining order provides legal protections, which can be valuable in the aftermath of a self-defense case against an abuser. But it doesn’t offer any physical protection. Other steps in the plan should address this deficiency.

LastPass Opts to Release Ad Supported “Free” Version

My hatred of using advertisements to fund “free” services is pretty well known at this point. However, it seems that a lot of people prefer the business model where they’re the product instead of the customer. Knowing that, and knowing that password reuse is still a significant security problem for most people, I feel the need to inform you that LastPass, which still remains a solid password manager despite being bought by LogMeIn, now has an ad-supported “free” version:

I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.

Anything that may convince more people to start using password managers is a win in my book. People who don’t use password managers tend to reuse the same credentials on multiple sites, which significantly increases the damage that a password database leak can cause. Furthermore, using a password manager lowers the hurdle for using strong passwords. Instead of being limited to passwords that are memorizable, users of a password manager can use long strings of pseudorandom characters, which means that if a password database is breached the time it takes to recover their password from its stored hash is significantly increased (because the attacker has to rely on brute force instead of a time-saving method such as rainbow tables).
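As an added example (not LastPass’s own code), here is a small Python demonstration of the two points above: how a manager-generated pseudorandom password compares with a short one in brute-force cost against a salted stored hash, and how password reuse turns one site’s leak into a compromise of every account. The vault dictionary, site names and attacker guess rate are constructed assumptions.

```python
# Added example, not LastPass code. The "vault" (site -> password) and the
# attacker's guess rate are constructed assumptions for illustration.
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=24, alphabet=ALPHABET):
    """Pseudorandom password drawn with the CSPRNG behind `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits, guesses_per_second=1e10):
    """Expected brute-force time for a password with `bits` of entropy.

    On average the attacker covers half the keyspace before hitting the
    password. The guess rate is a constructed figure, not a measured one.
    """
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def store_password(password, salt=None):
    """Salted, slow hash as a site should store it (PBKDF2-HMAC-SHA256).

    The per-user salt is what makes precomputed rainbow tables useless;
    the attacker is left guessing password by password against this hash.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return secrets.compare_digest(candidate, digest)


def accounts_compromised_by_leak(vault, leaked_site):
    """Model of credential stuffing after a breach.

    The attacker recovers the password leaked from `leaked_site` and tries
    it everywhere else; returns the sites where that one password logs in.
    """
    leaked_password = vault[leaked_site]
    return sorted(site for site, pw in vault.items() if pw == leaked_password)


if __name__ == "__main__":
    # Constructed vaults: one user reuses a memorable password on every site,
    # the other lets a password manager pick a unique random one per site.
    reused = {"mail": "Fluffy2016!", "bank": "Fluffy2016!", "forum": "Fluffy2016!"}
    unique = {site: generate_password() for site in reused}
    print("forum leak, reused password ->", accounts_compromised_by_leak(reused, "forum"))
    print("forum leak, unique passwords ->", accounts_compromised_by_leak(unique, "forum"))
    for length in (8, 24):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length} random chars: {bits:.1f} bits, "
              f"~{expected_crack_years(bits):.3g} years to brute force")
```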

If money has been the only thing that has held you back from using a password manager, you should take a look at LastPass’s “free” version. While ads are a potential vector for malware, they can be blocked with an ad blocker, and the risk of being infected through ads is significantly less than the risks involved in not using a password manager.

More Malware Spreading Through Advertising

My biggest gripe with the advertisement-based model most Internet services have opted to use is that ads can easily be used to spread malware. Because of that, I view ad blockers as security software more than anything. And the Internet seems to enjoy proving my point every few weeks:

As a security researcher, it’s always exciting to discover new vulnerabilities and techniques used by malicious actors to deliver malware to unsuspecting users. These moments are actually quite rare, and it’s increasingly frustrating from a researcher’s perspective to watch the bad guys continue to use the same previously exposed methods to conduct their malicious operations.

Today’s example is no different. We discovered a malvertising campaign on Google AdWords for the search term “Google Chrome”, where unsuspecting MacOS users were being tricked into downloading a malicious installer identified as ‘OSX/InstallMiez’ (or ‘OSX/InstallCore’).

In this case the malware didn’t spread through a browser exploit. Instead it exploited the weakest component of any security system: the human. The malware developers bought ads from Google so that their link, which was cleverly titled “Get Google Chrome”, would appear at the very top of the page. This malware was targeted at macOS users, so if you were a Windows user and clicked on the link you’d be redirected to a nonexistent page, but macOS users would be taken to a page to download the malware installer. After running the installer the malware opens a browser page to a scareware site urging you to “clean your Mac” and then downloads more malware that opens automatically and urges the user to copy it to their Applications folder.

As operating systems have become more secure, malware producers have begun relying on exploiting the human component. Unfortunately, it’s difficult to train mom, dad, grandpa, and grandma on proper computer security practices. Explaining the difference between Google advertisement links and Google search result links to your grandparents is often a hopeless cause. The easiest way of dealing with that situation is to hide the ads, and therefore any malware that tries to spread via ads, from their view, and ad blockers are the best tools for that job.

Unfortunately, the advertisement-based model isn’t going away anytime soon. Too many people think that web services are free because, as Bastiat explained way back when, they’re not seeing the unseen factors. Since they’re not paying money to access a service they think that the service is free. What remains unseen are the other costs such as being surveilled for the benefit of advertisers, increased bandwidth and battery usage for sending and displaying advertisements, the risk of malware infecting their system via advertisements, etc. So long as the advertisement-based model continues to thrive you should run ad blockers on all of your devices to protect yourself.

Secure Your Assets

Anybody with more than two brain cells to rub together and even a modest knowledge of economic history knows that you can’t trust the State for your retirement. Government-issued funny money is in a constant state of devaluation, which means every slip of its paper you save will be worth much less when you retire. Because of that, smart people find alternative ways to preserve their wealth for retirement. Some people invest a portion of their wealth in the hopes they can grow it faster than the rate of inflation, while others prefer to rely on time-proven precious metals.

If you look at historical trends the latter is a pretty solid choice if your goal is to preserve your purchasing power. However, if you’re going to opt for precious metals you need a secure method of storage, to spread out your assets, and probably a decent insurance policy because physical assets can be stolen:

ST. PAUL, Minn. – St. Paul Police are looking into a reported burglary that stripped a female resident of her entire life savings.

Police spokesman Steve Linders confirms that the alleged victim, a 57-year-old who lives on the 1600 block of Abell Street, had her valuables stashed in her bedroom because she does not trust banks. The thieves got away with 100 gold bars valued at more than $1,200 apiece, $60,000 cash and a diamond ring valued at $36,000.

I’ve seen quite a few comments making fun of the fact that her lack of trust in banks caused her to lose her life savings. But if your money is in a bank account its purchasing power is constantly being stolen in the form of inflation, so acting high and mighty because you keep your government funny money in a bank is just as stupid as keeping all of your gold in one location and not properly securing it.

By the description of her storage method (stashing it in her bedroom) I’m left to assume she didn’t have her gold in a quality safe. If you’re going to have a lot of gold on hand you should invest in a decent safe that can be bolted to the ground (i.e. a decent gun safe). Bonus points can be had if you can also conceal the safe. But a quality safe offers two advantages. First, it greatly increases the time it takes for a burglar to get to your valuable assets. Burglaries are often smash-and-grab affairs where the burglars want to minimize the amount of time that they’re in a house. The more secure your assets are, the less attractive they will be to a petty thief looking to get in and out. The second advantage a quality safe offers is fire protection. You don’t want to lose your retirement if your house burns down.

In addition to a quality safe you also want to spread your assets around. Keeping all of your eggs in one basket is not a wise idea. I would personally recommend against a safety deposit box at a bank because the State can and has seized them. And since the United States government has confiscated gold in the past, it’s not unreasonable to think another gold confiscation might occur. You’re better off having trustworthy family members or close friends hold some of your assets, or having a second piece of property where you can install a quality safe and store some of them.

The third thing, which can be tricky if you’re concerned about another possible government gold confiscation, is having an insurance policy. Precious metals are valuable, and valuable assets should be insured against loss. However, insuring your precious metals also means records of the metals’ existence will exist. If the government decided to do another gold confiscation it very well may require insurance companies to surrender information on customers who have insured precious metals. Then again, an insurance policy is a nice thing to have if burglars break into your home and get into your safe. It’s one of those risk-reward formulas that you have to figure out for yourself.

Storing your retirement savings in government funny money in a bank is not a good idea, but if you’re going to do something else you need to be smart about it. Simply buying gold isn’t a solid plan if you don’t have a way of securing that gold long term.

Confidentiality Versus Anonymity

The Intercept has started a bit of a shit storm by pointing out that iMessage doesn’t encrypt metadata:

Apple promises that your iMessage conversations are safe and out of reach from anyone other than you and your friends. But according to a document obtained by The Intercept, your blue-bubbled texts do leave behind a log of which phone numbers you are poised to contact and shares this (and other potentially sensitive metadata) with law enforcement when compelled by court order.

Every time you type a number into your iPhone for a text conversation, the Messages app contacts Apple servers to determine whether to route a given message over the ubiquitous SMS system, represented in the app by those déclassé green text bubbles, or over Apple’s proprietary and more secure messaging network, represented by pleasant blue bubbles, according to the document. Apple records each query in which your phone calls home to see who’s in the iMessage system and who’s not.

Is this an affront to privacy? Is Apple showing bad faith in its promise to deliver a more secure communication system? No and no. The issue at hand here is that Apple has promised confidentiality but hasn’t promised anonymity, and those are two different things.

Confidentiality means that a communication isn’t accessible to unauthorized parties. In other words, what was communicated is secret. Anonymity means that the parties communicating are secret. A confidential message isn’t necessarily anonymous, and an anonymous message isn’t necessarily confidential.

iMessage and other secure communication applications such as WhatsApp and Signal use an identifier that is tied to your real-life persona: your phone number. Using phone numbers as identifiers allows these apps to easily scan your contacts list to see who does and doesn’t have the application. While they do keep what is being communicated secret, they make no attempt to keep who is communicating secret.

Tor, on the other hand, attempts to provide anonymity but doesn’t necessarily provide confidentiality. With the exception of hidden services, every website you access through Tor goes through an exit node. Unless the site you’re accessing uses Transport Layer Security (TLS), the contents of the site are accessible to the exit node operator. On Tor the content being communicated isn’t necessarily confidential, but the parties communicating are.

Applications such as Ricochet attempt (I use this qualifier because Ricochet is still experimental) to provide both confidentiality and anonymity. Not only are the communications themselves kept secret, but the parties who are communicating are also kept secret. But since Ricochet users are anonymous by default, the application can’t go through your contacts list and automatically inform you who does and doesn’t have the application.

There’s nothing sinister afoot here. Apple, WhatsApp, and Signal never claimed to deliver anonymity. Even if they didn’t use phone numbers as identifiers they still wouldn’t deliver anonymity since they make no attempt to conceal your IP address. Everybody that is freaking out about this is freaking out about the fact that Apple isn’t providing something it never claimed to provide.

There are no magic bullets. Before choosing the right tool for the job you need to develop a threat model. Unless you know what you are guarding against you can’t effectively guard against it. Confidentiality works well to protect against certain types of snoops. Law enforcers wanting to dig through the contents of messages to find evidence of illegal activities, and advertisers wanting the same but to acquire information to better sell you products, are threats where confidentiality is important but anonymity may not be required. Law enforcers wanting to create a social graph so they can target the friends of specific individuals, and censors wanting to learn who is putting out unapproved material, are threats where anonymity is important but confidentiality may not be required. On the other hand, depending on your threat model, all of the above may be threats where both confidentiality and anonymity are required.

Know your threats and know your tools. Make sure your tools address your threats. But don’t get upset because a tool doesn’t address your threat when it never claimed to do so.

Looks Can Be Deceiving

Saturday evening there was a multiple stabbing incident at the St. Cloud Center here in Minnesota. Although tragic, there are some lessons that can be learned from these kinds of situations, and this incident is no different:

In a media briefing after midnight Sunday, St. Cloud police chief William Blair Anderson said an off-duty officer from another jurisdiction confronted and killed the suspect. He said the suspect — who was dressed in a private security uniform — reportedly asked at least one victim whether they were Muslim before assaulting them, and referred to Allah during the attacks.

Here lies our most important lesson. The attacker was dressed in a security uniform. This probably allowed him to get close to his victims without raising any red flags, which is important if you’re relying on a knife. So the lesson here is that not everybody is exactly as they appear. Just because somebody is dressed like a cop or a security guard doesn’t mean they actually are one. Don’t let your guard down just because somebody is in a specific uniform.

One of my friends pointed out another lesson to be learned from this:

The mall remained on lockdown after the incident, but authorities expected those remaining inside to be released early Sunday. Photos and video of the mall taken hours after the incident showed groups of shoppers waiting to be released, including some huddled together near a food court entrance.

The officers trapped people inside the mall with the attacker. When the police arrived it wasn’t yet known if there were multiple attackers, so the mall goers were potentially locked in a building with multiple people meaning to cause them harm. Being confined in an area with an unknown number of assailants is not a good place to be. If you hear that there’s an attacker in the building, find the nearest fire exit and go through it. If you’re lucky the police won’t see you leave. If you’re unlucky they’ll catch you, but in that case you’ll likely be held in the back of a squad car, which is still a safer place than being confined in an area with an unknown number of potential assailants.

Keep your guard up when you’re out and about. Listen to your gut instinct. If that little voice in the back of your head is telling you something is wrong, then you should listen to it. We’ve all been doing this human thing for our entire lives, so we’re pretty good at subconsciously reading very subtle signs from one another. Anybody can put on any uniform they please, but a uniform isn’t going to conceal all those subtle signs we use to judge one another’s intentions. If that voice is telling you the approaching security guard means you harm, take heed and book it.

Be aware of all the potential exits. Fire exits are especially good in these kinds of situations because they usually trip a fire alarm. If it’s an audible alarm it will alert other people in the building to get out. If it’s a silent alarm it will still involve a response from the local authorities.

Finally, have a plan to defend yourself if escape isn’t an option. I recommend that people carry a firearm because it gives you the best fighting chance. But even if you’re not willing or are unable to carry a firearm, you should have some defensive response that you’ve trained thoroughly enough to be instinctual, be it martial arts, mace, a baton, or even a knife. While you might not win a violent encounter even if you have a means of self-defense, you will certainly lose one if your response is to freeze up.

TANSTAAFL

One of the most important things for anybody to know is that there ain’t no such thing as a free lunch. Everything comes at a cost, even “free” things. Consider public Wi-Fi networks. Companies seemingly provide free Wi-Fi to customers as a courtesy. But those free Wi-Fi networks are revenue generators:

According to an article, which mall officials say they co-wrote, “while being an attractive guest feature, the (Wi-Fi) service simultaneously provides the mall with enough data to fill digital warehouses with information about what people do both online and in the real world while on the property.”

“This type of tracking can happen at any business, any location, any place that there’s any Wi-Fi networks,” Schulte said.

He explained that when your phone connects to Wi-Fi, it’s actually exchanging information with the network.

“You’re telling the Mall of America when you go to the mall, what door you go in, what stores you visit, what level you’re on, as well as what you’re doing on your phone.”

Asked if that means that mall officials could potentially know about it if someone logs onto Facebook while using the mall’s Wi-Fi network, Schulte answered, “Absolutely they know that you’re going to Facebook.”

This is the same paradigm used by websites that rely on ad networks for revenue. Instead of charging the user directly the provider simply snoops on the user and sells the information it collects to advertisers. In this way the advertiser becomes the customer and the user becomes the product.

I recommend against using public Wi-Fi networks. If you have to use one, I recommend doing so through a Virtual Private Network (VPN). A VPN encrypts your traffic from your device to the VPN provider’s server. That means your data isn’t visible to the local Wi-Fi network and therefore cannot be snooped on by local network surveillance. Tor can work to a lesser extent, in that it conceals whatever traffic is routed through the Tor network, but it’s not as effective in this case since most systems, with the exception of specially designed operating systems such as Tails, don’t route all traffic through Tor.

Whenever anybody offers you something for free you should try to figure out what the catch is because there is one.

Don’t Talk to Police

I know that it’s been said again and again but it bears periodic repetition: don’t talk to the police. Period.

Someday soon, when you least expect it, a police officer may receive mistaken information from a confused eyewitness or a liar, or circumstantial evidence that helps persuade him that you might be guilty of a very serious crime. When confronted with police officers and other government agents who suddenly arrive with a bunch of questions, most innocent people mistakenly think to themselves, “Why not talk? I haven’t done anything. I have nothing to hide. What could possibly go wrong?”

Well, among other things, you could end up confessing to a crime you didn’t commit. The problem of false confessions is not an urban legend. It is a documented fact. Indeed, research suggests that the innocent may be more susceptible than the culpable to deceptive police interrogation tactics, because they tragically assume that somehow “truth and justice will prevail” later even if they falsely admit their guilt. Nobody knows for sure how often innocent people make false confessions, but as Circuit Judge Alex Kozinski recently observed, “Innocent interrogation subjects confess with surprising frequency.”

People still mistakenly believe that the police are the good guys and that cooperating with them can only be beneficial if you’re an innocent person. In reality police are not the good guys; they’re the revenue generators for the State. Their goal of raising revenue can only be realized by charging people with crimes. So long as wealth can be expropriated, it doesn’t matter to the State whether the person hauled in actually perpetrated the crime or not.

A false confession is just as good as a truthful confession to the police. Either one achieves their goal of raising revenue. That means any belief you have in justice prevailing is wrongly held.

When an officer wants to question you about something you should immediately shut up and lawyer up. Most politicians are lawyers and they have crafted the system to benefit lawyers. The downside is that you’re basically stuck handing money to lawyers if you’re accused of a crime. The upside is that a lawyer knows the ins and outs of the system far better than most police officers and can therefore provide you with decent protection (assuming they’re not incompetent). A lawyer, for example, knows what to say without admitting that you were guilty of a crime. They also know the rules regarding admissible evidence and whether or not the police have a case without a confession. You (and I), as laypeople, are likely so naive about the legal system that we don’t even know what we don’t know. And that ignorance can land you in a cage for a crime you didn’t commit.