The Risks Of Backing Up To The Cloud

Online backup services are convenient and offer resilience. Instead of managing your own backup drives, a cloud backup service can upload your data to the Internet automatically whenever you’re connected. If your house burns down you don’t lose your data either. But, as with most things in the universe, there are trade-offs. By placing your data on somebody else’s server you lose control over it. This can be mitigated by encrypting your files locally before uploading them, but sometimes that’s not an option, as with Apple’s iCloud Backup for iOS:

“If the government laid a subpoena to get iMessages, we can’t provide it,” CEO Tim Cook told Charlie Rose back in 2014. “It’s encrypted and we don’t have a key.”

But there’s always been a large and often-overlooked asterisk in that statement, and its name is iCloud.

It turns out the privacy benefits Apple likes to talk about (and the FBI likes to complain about) basically disappear when iCloud Backup is enabled. Your messages, photos and whatnot are still protected while on your device and encrypted end-to-end while in transit. But you’re also telling your device to CC Apple on everything. Those copies are encrypted on iCloud using a key controlled by Apple, not you, allowing the company (and thus anyone who gets access to your account) to see their contents.

I don’t use iCloud Backup for precisely this reason. My backups are done locally on my computer. This brings me to my point: you need to fully understand the tools you use to hope to have any semblance of security. One weakness in your armor can compromise everything.

iMessage may be end-to-end encrypted but that doesn’t do you any good if you’re backing up your data in cleartext to somebody else’s server.

A Smaller Taser

It’s hard to argue against handguns being the most effective self-defense tool for the average person but there are many people, either through personal conviction (which is perfectly acceptable) or legal restraints (which is entirely unacceptable), that cannot carry one. I appreciate the market providing in-between solutions that improve an individual’s ability to defend themselves but don’t go as far as a firearm. Taser, which primarily targets law enforcement agencies, has announced a new Taser that is aimed at the civilian market. Overall I think it’s a pretty decent idea:

Additionally, the Pulse comes with rechargeable batteries, two live Taser cartridges, laser-assisted targeting and a 15-foot range. Most importantly, Taser says that if you end up using it for self-defense and leave it at the scene, the device will be replaced for free.

While the $399.00 price tag seems a bit steep for me since it’s approaching real handgun territory the free replacement program makes it a bit more palatable. In fact the free replacement program may be the best feature of this weapon. It gives a person who was just subjected to a self-defense situation one less thing to worry about. As far as size goes it’s in the compact handgun territory, which I believe is an excellent size for something aimed at regular people.

I hope we begin seeing more in-between self-defense tools aimed at regular individuals. They give people who cannot or will not carry a firearm an option other than dying. And that increases the overall cost of committing violence.

The Networks Have Ears

As a general rule I avoid local networks I don’t personally administer. If I’m at an event with free Wi-Fi I still use my cell phone’s data and tethering mode when I need to access the Internet on my laptop. For those times I cannot avoid using a local network I route my data through a Virtual Private Network (VPN) connection. Although these measures won’t stop my Internet Service Providers (ISPs) and their partners from snooping on me, they do prevent malicious actors on a local network from snooping on me. Attendees at the Consumer Electronics Show (CES) who opted into the free Wi-Fi became excellent demonstrations of the lack of privacy you have when using a local Wi-Fi network without a VPN connection:

This week, more than 170,000 tech and media professionals converged on the city of Las Vegas to see the latest in technology at the Consumer Electronics Show, and––inevitably––some of them used their smart, connected devices to try to get laid.

Vector Media offered attendees free WiFi at major hotels, shuttle buses, and convention centers throughout the week in exchange for collecting anonymized app usage data. More than 1,800 people opted in, and Vector found a whopping 61 percent of attendees used Tinder while at CES––nearly five times more than productivity app Slack, which only 12.8 percent of attendees on Vector’s network used. Facebook Messenger came in first place with 74.3 percent, and Grindr also made an appearance on its list of apps in use, at 16 percent.

The amount of information a local network administrator can obtain about you would likely surprise most people. In addition to that, the number of attacks a malicious actor on a local network can perform is notable. If you value your privacy or security I would recommend avoiding Wi-Fi networks you don’t personally control as much as possible (granted, even your own network isn’t necessarily trustworthy but you have far more control in most cases than with other networks).

Why Centralization Fails

While the politicians discuss ways to further centralize security here let’s take a moment to review why centralization, specifically as it relates to security, fails. Imagine a society where private firearm ownership is illegal. In this society the only people who have access to firearms are the military, the police, and the attackers. It’s not hard to imagine since I’ve just described a good percentage of countries.

Under such circumstances society consists mostly of soft targets with a few hard targets scattered about. The hard targets consist of military bases, police stations, and any place where a soldier or police officer may be at a particular point in time. Everywhere else is a soft target. There are two major and very apparent weaknesses with this setup. First, the soft targets are all known. Second, the response time of somebody capable of thwarting your attack can be reasonably determined.

Attackers can cause a great deal of damage by finding a high value target far away from either a military base or a police station (and in societies, such as the United States, where the military is legally prohibited from operating in civilian spaces without approval you can focus primarily on police stations). For example, a school, museum, or sports stadium 10 to 15 minutes away from a police station will give attackers a lot of time in a target-rich environment, which will allow them to cause a great deal of damage.

Centralization fails precisely because the central points of failure can be identified and worked around. Decentralized systems tend to be more difficult to exploit because central points of failure either don’t exist or additional layers exist to support the centralized ones.

We can illustrate this by making a single alteration to our above model. In addition to soldiers and police we will allow licensed armed security agents to own firearms. Assuming any place can hire a security agent, identifying soft targets becomes more difficult. Selecting a target now requires determining how far it is from a military base or police station and whether it employs armed security agents. Another layer of security has been added and the complexity of pulling off an attack has increased.

Let’s take things a step further. In addition to soldiers, police officers, and licensed security agents we are now going to allow any adult who wants to own and carry a gun to do so. How do you identify the soft targets now? While a school, museum, or sports stadium may be 10 or 15 minutes away from a police station and doesn’t employ armed security agents anybody within the facility could be armed. While there is no guarantee that an armed individual will be at any specific target the possibility of one or more armed individuals being there always exists. Another layer of security has been added and the complexity of pulling off an attack has greatly increased.

What I’ve just described is a concept known as defense in depth. The idea is to have multiple layers of overlapping security so any single layer failing doesn’t result in total failure. As the politicians continue to argue that security must be further centralized under the State remember that the more centralized security becomes the more fragile it becomes.

The Privacy Arms Race

The National Security Agency (NSA) is listening in to every phone call. Closed circuit television (CCTV) cameras are seemingly in every business and on every street corner. Police cars have cameras that automatically scan the license plates of other vehicles they drive by. Surveillance is so pervasive that we must accept the fact that privacy is dead.

Or not. Doomsayers will declare the death of privacy but the truth is privacy is an arms race. This has always been the case. When aerial surveillance came into its own so did camouflage canopies and hidden shipyards. Criminals kept tabs on the movement of beat cops so their activities wouldn’t be spotted and now surveil the location of CCTV cameras for the same reason. Electronic forms of communication led to the development of taps, which led to the development of encrypted electronic communications.

The privacy arms race is alive and well today. As the State and corporations utilize more surveillance technologies markets are springing up to offer countermeasures. One market that is starting to dip its toes into modern counter-surveillance is the fashion industry:

Last spring, designer Adam Harvey hosted a session on hair and makeup techniques for attendees of the 2015 FutureEverything Festival in Manchester, England. Rather than sharing innovative ways to bring out the audience’s eyes, Harvey’s CV Dazzle Anon introduced a series of styling methods designed with almost the exact opposite aim of traditional beauty tricks: to turn your face into an anti-face—one that cameras, particularly those of the surveillance variety, will not only fail to love, but fail to recognize.

Harvey is one of a growing number of privacy-focused designers and developers “exploring new opportunities that are the result of [heightened] surveillance,” and working to establish lines of defense against it. He’s spent the past several years experimenting with strategies for putting control over people’s privacy back in their own hands, in their pockets and on their faces.

Admittedly many of the fashion trends and clothing shown in the article look silly by the average standard. In time counter-surveillance fashion will either begin to take on an appearance that appeals to our sensibilities or our sensibilities will change to view this counter-surveillance fashion as fashionable.

Using fashion as counter-surveillance is as old as surveillance itself. Spies always try to dress to blend into their surroundings. Street criminals often choose a manner of dress that is unlikely to catch the attention of police. Undercover police select clothing that doesn’t scream “I’m a cop!”

Privacy isn’t dead. Far from it. It’s true that surveillance technology appears to have the upper hand for the time being but counter-surveillance technology will overcome it and then the cycle will repeat itself.

Going Medieval On Their Asses

Because I study the use of Japanese swords several of my friends were kind enough to send me this great story about self-defense:

Dolley, standing 5-foot-6, said she immediately attacked, punching him about 10 times and cornering him in her bedroom.

She reached for her gun in a nearby drawer, but she accidentally opened the wrong drawer during the chaos of the moment, so her gun wasn’t there.

She reached for her backup weapon, a Japanese-styled sword called ninjato, which she keeps near her bed. Her intruder crouched in the bedroom as she held him at sword-point until police arrived, she said.

She called 911 and police arrived within two minutes, she said.

Karen Dolley just showed the world how it’s done. When she saw the intruder she didn’t freeze up, which is a common reaction, but immediately attacked. She was following the first rule of a gun fight by having a gun but didn’t open the correct drawer. Again, instead of freezing up, she simply went for the next weapon available to her, a sword.

When you think self-defense Karen is the model you want to follow. Be ready to defend yourself, take the initiative, don’t freeze up, and have a backup plan to your backup plan.

Install That *Bleep*ing Ad Blocker Already

iOS 9 has been released and with it the ability for iOS users to install ad blockers. Online publications are already crying foul and declaring an end to the “free” web:

When Apple launches its new software update for the iPhone on Wednesday, users will be offered the chance to surf the mobile Web without annoying ads cluttering up their screen.

But Apple’s support for ad-blocking technology is ringing alarm bells on Madison Avenue, where critics warn it threatens not only the lifeblood of their business — but also the economic underpinnings of the free Internet.

“We don’t think ad blocking is right,” Scott Cunningham, senior vice president of the Interactive Advertising Bureau, told The Post.

[…]

“Advertising is the economic engine that drives the free Internet,” Cunningham said. “The reality is the last 20 years have seen people developing content online for distribution, and consumers have opted in for that free content.”

As a general rule when a business has to guilt trip you into abiding by its business model it’s time to let it die. Then there is the ironclad fact that past performance does not predict future results. Just because the last 20 years of Internet content may have been fueled primarily by advertisements doesn’t mean it will always be that way. Advertisements have worked because consumers have felt the benefits outweighed the costs. But the costs of advertising are increasing.

Most cellular providers are charging customers based on data usage, which means the additional bandwidth used by advertisements is beginning to have a very real cost. Mobile devices are also becoming the predominant means for web access. Since advertisements require additional hardware resources to render they negatively impact battery life and that is a major problem for users of mobile devices. Ad networks are also increasingly being used to spread malware.

The reason advertising has been a successful model is because most of the costs have been hidden from the consumer. Now the costs are becoming very visible to consumers. Because of that consumers will likely change their behavior. One of those changes will likely be an increased use of ad blockers. As more consumers block ads more content producers will have to change their business models to survive.

There has never been a free web. Don’t let advertisers bullshit you into believing that. And don’t let them guilt trip you into making yourself vulnerable by not using an ad blocker. I promise you that the web won’t die. You may have to pay content producers directly but that isn’t so bad when you consider how much money you’ll save on bandwidth, extra batteries, and not having to deal with malware.

The Illusion Of Control

On Friday six people were shot in Minneapolis:

Police said the incident happened around 2:30 a.m. on 5th Street between Hennepin and 1st avenues near an alley by Sneaky Pete’s.

Minneapolis police officers were nearby and took three people into custody. Two guns were recovered. The six who were shot received noncritical injuries and were treated at Hennepin County Medical Center.

“Violent acts like last night’s shootings are abhorrent and contrary to the values we hold as a city,” Mayor Betsy Hodges said in a statement.

The mayor pledged a full investigation into the circumstances leading to the incident, which occurred around the time most downtown bars close. However, in an e-mail exchange with the Warehouse District Business Association executive director obtained by the Star Tribune, First Precinct Inspector Michael Kjos said there was no evidence that the two rival groups involved in the violence came from a bar or nearby business.

Kjos said the area was “saturated with police officers” and several officers witnessed the gunfire but did not engage because there were too many pedestrians in the area. The arrests and recovery of the two handguns followed a foot chase, Kjos said.

The responses have been typical. Calls for more gun restrictions, hiring more police officers, and restrictions on establishments that serve alcohol are being made. Gun restrictions have only ever served to disarm people willing to follow the law. Officers were on the scene so having more available wouldn’t have changed anything. And there was no evidence that the perpetrators had been in an establishment serving alcohol so additional restrictions on bars wouldn’t have made any difference. What this story demonstrates better than anything is that centralized controls are ineffective.

The question still remains, what can be done to deal with situations such as this? Contrary to popular belief the solution isn’t relying on third parties to deal with the problem. As with anything else in life the only solution is to roll up your sleeves and get your hands dirty.

You cannot control the actions of others so the first step is getting that silly notion out of your head. Once you’ve accepted that fact you need to ask what steps you can take to make yourself safer. For situations such as this the most effective option is avoidance. Our subconscious is pretty good at picking up on subtle signs of danger. Oftentimes people write off these feelings by telling themselves they’re just being paranoid. Don’t do that. If the little voice in your head is telling you something isn’t right then you should listen to it and vacate the area.

Another step would be to keep a clear head, which means not drinking. But telling people not to drink is worthless because they aren’t going to listen. Instead I will take the middle ground by pulling a page from the responsible drinker’s playbook. Every group is supposed to designate a sober driver. There’s no reason that person should only be concerned about driving. I like to think of designated drivers as designated adults. Their job is to ensure everybody gets home safely. In addition to driving that should also involve being the lookout. If their little voice is saying a situation is dangerous they should inform the group that they need to be elsewhere. Granted, herding drunks is like herding libertarians but a designated adult can only put forth their best effort and each person is ultimately responsible for themselves.

If you’re not drinking you should also carry a gun. You can’t control when you’ll find yourself in this kind of situation but you can increase your odds of survival. As with popular belief regarding centralized control the popular belief that having fewer armed individuals increases overall safety is bullshit. Relying on a third party for protection isn’t a solution because you can’t guarantee a third party will actually protect you. Take charge of your defense and carry the most effective means of defending yourself when you’re responsible enough to do so (i.e. not when you’re drinking).

Stop asking what “we” can do. There is no we. There is only you so ask what you can do. Until you ask the right question it’s impossible to come up with the right answer.

Cell Phone Carrier Illegally Tapped Journalist’s Phone Proving Privacy Can’t Be Protected By Laws

Whenever a bill purporting to strengthen privacy protections enters the political field I receive numerous requests to support it. I always politely decline, which results in the advocate saying some variation of “I know you’re an anarchist but it doesn’t take any time to call your representatives.” It’s a false argument because it does take time to call the person who supposedly represents me (even though I never appointed him to represent me) in Congress. And since privacy laws are ineffective at protecting privacy it takes time that will gain me absolutely nothing, which is not a wise investment in my opinion.

Privacy laws are just like any other State decree. Those who are willing to tolerate the laws will follow them and those who find them burdensome will ignore them:

Telco giant Vodafone illegally ­accessed a journalist’s mobile phone records to discover the source of stories about the company, hid systemic privacy breaches from authorities and covered up fraud in its Brisbane office, according to ­internal documents.

An investigation into these allegations is currently under way. The outcome is irrelevant since the damage has already been done and it’s unlikely Vodafone will be made to pay compensation to the involved parties (usually whatever government agency oversees the regulation gets the winnings from any trial with maybe a pittance given to those actually harmed).

Protecting privacy can only be done by directly protecting it. Once privacy has been violated it’s too late to defend it. That’s why I push cryptography so heavily. Privacy laws are irrelevant if you have taken effective measures to protect your privacy. If you’ve failed to protect your privacy the laws are still irrelevant because the damage has already been done.

Begging the State to issue decrees is a waste of your time that can be better spent learning how to actually address the issue you’re petitioning the State about.

Security Exists As A Spectrum

When I discuss security, be it online or offline, I often mention threat models and cost-benefits analysis. Unless you understand what you’re defending against it’s impossible to develop an effective defense. And if you don’t perform a cost-benefits analysis you may end up investing far more into securing something than it’s worth. The thing with threat models and cost-benefits analysis is that they’re, like security in general, subjective. This is a fact lost on many people as Tam so eloquently explained:

People buy into safety. It’s important for people to feel safe. For some reason, people view safety as a binary state and not an ongoing process. Therefore, when something comes along to remind us that we might not be as safe as we think we are, or there’s an optional activity we could undertake to improve our safety, it rustles our jimmies and we get all upset and fling poo at that thing and wave branches at it until it goes away and we can return to feeling safe. It’s why people who ride without helmets come up with all kinds of BS excuses about hearing and wind drag rather than just admitting “Hey, I’m comfortable with the extra risk of skull fractures in order to feel the wind in my hair.”

[…]

And here’s the thing: It’s okay to not wear a helmet. It’s okay to not carry a gun. It’s okay to not like the Gadget. It’s okay to open carry and not take thirty-eleven years of BJJ and weapons retention training. It’s still (mostly) a free country… *but own the types of risk you’re assuming*. Don’t hand-wave them away and shoot the messengers who point them out. Say “Look, I’m comfortable with these risks and don’t want to make the life commitments it would take to mitigate them” and most people will totally understand that.

People often get caught up in their binary view of security. This phenomenon has led to countless discussions that were ultimately pointless. Motorcycle helmets are a classic example of this. Before donning a helmet a motorcycle rider first does some threat modeling. Usually the threats involve large four-wheel vehicles the motorcyclist has to share the road with. After identifying potential threats they then add perceived risks of encountering those threats to the model. Then they do a cost-benefits analysis. Many feel the costs of a helmet (the lack of feeling wind on their face, for example) outweigh the benefits when applied to their threat model. You can bitch at them all you want but security is subjective.

Carrying a gun is another example. I carry a gun because the costs, to me, are lower than the benefits. My manner of dress lends itself to carrying and concealing a firearm and my setup is comfortable. The benefits, for me, are having a tool available if I should happen to be attacked. Although my threat model indicates the risk of me being attacked is very low it’s still high enough to offset the low costs of carrying a gun. Somebody else may look at their threat model, which also sees the risk of being attacked as very low, and compare it to the costs of completely changing their manner of dress to conclude carrying a gun is more costly than the benefits provided. They’re not right or wrong; security isn’t binary.

As a general rule, unless it’s asked of me, I try to avoid critiquing other people’s security plans. There’s just no point unless I know what criteria they used to develop their plans. While a lack of a home alarm system may seem incredibly stupid to some people it may be more cost than it’s worth to somebody who has really good theft insurance.