Dec 6, 2022 | Front Page, Infosec, Portland Confidential
by Rose C.
Writing this at a time when sadly, I will not be able to stay in Portland, my chosen city, for very much longer. I won’t bore you with the details. My apartment has ventilation and habitability issues. I thought for a long time that I could mitigate the poor air quality with houseplants, fans, and open windows but it’s no longer practical. Not with winter coming on.
I hope to keep PDX Local going strong, though. I will always be a Portlandian in my heart. One of these days I will get around to putting up formal writers’ guidelines. In the meantime, if you have a story, wherever you live, feel free to get in contact and pitch. Unsolicited submissions are also welcome although we don’t print every story that is sent our way.
Anyway, back to today’s chosen topic.
Lesson #1 – Hackers are never as cool as they think they are. As I once wrote to the leader of my Hackerspace in an email, “Hackers think they are cool. Everyone else thinks we are dangerous criminals.”
Rami Malek notwithstanding. His character on Mr. Robot will always be cool, at least to me.
Lesson #2 – Not all hackers are criminals. Ummm, probably not even most. We do tend to think that laws around media piracy are for other people, and freely share audio, video, game, and text files whenever we can. There is so much corporate censorship already in the world that we often feel justified in going down this road. As for me personally, I don’t steal media or make unauthorized copies. I am extraordinarily law abiding.
Hackers like me, who refrain from breaking the law, are sometimes known as whitehats. I prefer the term “lawful and ethical hacker,” because it has no racist connotations. (Criminal hackers used to be called blackhats.)
This has less to do with the chances of getting caught and more to do with the fact that I am an artist as well as a programmer. I believe that creative work should be compensated, and that creators deserve the opportunity to make a living. When only wealthy trust fund kids have the opportunity to write memoirs or play in bands, we know that something is wrong with our universe.
Lesson #3 – IF YOU CALL YOURSELF A HACKER, YOU WILL GET HACKED. Certain people view the label as an invitation to test out your defenses. It can’t be helped.
It may not be anything bad. Maybe just a little spyware, or a Bitcoin miner hidden unbeknownst to you on your computer. Or it might be more severe. So be careful about using the term lightly. Many hacks can be prevented, but as long as people write new software, there will always be new vulnerabilities.
Back when I ran a web hosting company, I asked my former sysadmin what he thought about the slogan, “Your money back if you get hacked.” He wouldn’t go near it. While he was working part-time for me, he was also a VP managing cybersecurity and automation for a major national bank. You would have to assume he knew what he was talking about.
I don’t practice pentech, as hacking techniques designed to crack and illegally break open other peoples’ systems are known. So if I’m not pirating music and movies, and I also don’t try to break into other people’s systems, why do I call myself a hacker?
Lesson #4 – Hackers hack. It’s what we do. What I mean by hack is simple. We like to build things with electronics. Honestly, I would probably pay good money just to have the opportunity to keep doing this type of work. Collaboration, and with it the ethos of Free and Open Source Software (or FOSS) is also key to our worldview. We have our own language, and our own “in jokes.”
Here’s one you’ve probably seen before. The only other form of creativity that comes even close to being this collaborative without being rigidly hierarchical is music. That is probably part of why enjoy seeing live bands and being part of the Portland music scene so much; unfortunately I can’t carry a tune or play an instrument so I had to learn to code instead.
Still learning, actually. And probably will be for life.
Originally published on December 6, 2022. This post has been modified from its original version.
Dec 4, 2022 | Culture, Front Page, Infosec, Uncategorized
Surviving the Surveillance State
December 4, 2022
by Rose C.
Portland ranks among the Top 10 Most Surveilled U.S. Cities, according to Cybernews. Atlanta tops the list.
We live in a world where surveillance is a fact of life. Any encrypted software product may be backdoored, and even if it is not, you have no guarantee that the person on the other end does not have spyware such as keystroke monitoring or screen video capture running on their system. Encryption enthusiasts and amateur hackers, no matter how valiant, simply cannot compete with a nation-state in this game. Cf Pegasus.
Sneak and Peek, or “No Knock,” Warrants have been around since the Patriot Act was passed in 2001, but they receive scant attention from the media. What they mean is that you may have your home searched, and items removed from your home, without any official notice from law enforcement. Ditto for electronic files. If you file a FOIA request and the investigation in which you are named is still ongoing, you will not receive any confirmation that a warrant exists. (Pat Eddington, Cato Institute)
The most frightening aspect of these warrants is the potential for planting false evidence. The second most frightening aspect is the potential for planting surveillance devices for tracking and listening — as if cell phones were not effective enough.
“Nothing to Hide?”
Like roughly 2/3 of the U.S. population, I reside within the 100-mile “border zone” where Border Patrol agents are granted additional authorities and the Constitutional protections of the Fourth Amendment no longer apply. You may think all of this is irrelevant if you are a law-abiding citizen.
The problem is that who you know can get you put on a list. It can also make you a target. To put it another way, we all know somebody who has a cousin who is a drug dealer.
Laws in this country are changing, and not (in my opinion) for the better. Roe v. Wade is gone, and civil rights for gays and lesbians may soon disappear as this country takes a hard shift right. Remember ICE? Children in cages? Forced sterilizations?
Come 2024, they may all be back.
If you don’t feel like being a freedom fighter, if your first priority is keeping your family safe and saving for your children’s college tuition, I am not here to judge. Just remember that in a world where power rules in place of law, abuse of that power is an inevitable consequence.
Get in a traffic accident with somebody employed by the surveillance state? What if one of them rapes your daughter? Or your son? When a large class of individuals are above the law, nothing good will come of it. This is especially true when the same individuals fear consequences from their actions. They tend to lash out and do everything they can to harm and intimidate witnesses and injured parties.
I am not an America-hater. Far from it. The country I grew up in gave me 40+ years of freedom in its purest form: freedom to explore, to create, to love and befriend those I chose, to work as much or as little as I liked. Freedom to just be. I am a GenXer. I don’t mean to talk like a crusty old-timer, but I believe I’ve seen this nation at its absolute best.
Or maybe the best is yet to come.
Nothing is fixed. Nothing is certain.
The combined 2022 budget of Homeland Security, the Department of Justice, and the 17 different United States spying agencies (of which CIA and NSA are only two) is over $150 billion. For comparison, that is roughly one fifth of the Department of Defense 2022 budget of $742B. But remember, the DOD budget covers submarines, fighter jets, aircraft carriers, helicopters, tanks, nuclear weapons, and anti-missile defense systems, not to mention an active network of bases around the world. That’s a lot of people and hardware.
What exactly are we paying for? This remains largely unclear. Marijuana is now legal in 19 out of 50 states, but the DEA’s funding continues to grow. If you were an officer monitoring wiretaps and running undercover operations in Colorado or Washington State, where and to what were you reassigned? And as far as truly terrifying threats to health and safety, the surveillance state could be doing a much better job. We read about mass shootings in the news practically every week. It failed to prevent the violent attempted coup at our nation’s capitol on January 6, 2021.
Your tax dollars at work, my friends.
Government salaries range from $20K (GS-1) to $147K(GS-15) — much less than the equivalent in the private sector. If we assume that wages (including benefits) average $100,000 per year, we would expect that the surveillance states employs as many as 1.5 million people in the United States. Keeping in mind, that is not accounting for slush funds to be distributed overseas, or James Bond style gadgetry, server space, or the cost of buildings and operations. But if we slash that number in half, that is still one federal domestic spy for every 440 U.S. citizens.
And that’s a lot.
Regarding terminology, “federal domestic spy” includes FBI informers, often recruited under duress or experiencing economic hardship. It does not include state or local police forces.
I am an extremely law-abiding citizen. That has protected me to some extent, but not completely. Somebody who has cheated on their taxes or who runs a warez server with their friends is at high risk of being “turned” and pressured by law enforcement to inform on others and further widen the surveillance network.
If you wish to minimize the risk that a conversation will be overheard, consider the New Yorker Protocol.
The New Yorker protocol consists of three simple steps:
- Assume good intent. I am not interested in contact with people for purposes of criminal profiteering (drugs or other contraband) or with groups that instigate violence. My philosophy is nonviolence except in the case of self-defense. I am only interested in working with people who share these values.
- Confirm receipt as soon as possible. If somebody emails you asking to meet for coffee, say, “Hey, I got your email. Swamped right now! Will be back in touch to coordinate a time.” If somebody you know leaves a signed, sealed note taped to your front door with instructions to communicate only by dropping messages in yonder hollow tree, then by all means, drop them a note asking, “Did I get the right tree?”
- Allow up to 90 days when making a major decision. Depending on the stakes involved, this might be anything from agreeing to meet somebody for the first time for coffee to participating in civil disobedience or leaking a story to the news media. If you feel certain of your course of action sooner than that, of course it is ok to let the other person know. Likewise, if you know you are not down for whatever the person is asking, don’t feel that you need to respond at all. The basic courtesy of acknowledging receipt (Step 2) is enough.
Two of these three steps come directly from the New Yorker writer’s guidelines for submitting unsolicited short fiction manuscripts. I was so taken with these guidelines (in particular, their clarity and brevity) that I submitted a short story almost on the spot. I don’t expect that it will get published, but I do appreciate that 90 days after sending it in I am free to re-submit wherever I like. I also appreciate that immediately after emailing my story as an attachment, I received an auto-responder email acknowledging receipt.
The New Yorker protocol should by no means be restricted to clandestine activities. I consider it an effective strategy for social and business networking as well.
Creating an expectation to observe and respect these simple guidelines is an essential first step to initiate an effective communications process that is platform- and technology-independent and minimizes surveillance risk.
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Nov 13, 2022 | Infosec, Uncategorized
November 26, 2022. By Rose C.
I am concerned because while I was in Phoenix, AZ earlier this month I encountered a dangerous piece of malware allowing an outside entity to take control of a phone.
The thing that complicated matters was that my cell phone locked up on me. Nobody ever touched it — I hadn’t clicked on any links recently or installed any new apps. It just went dark, with a tiny bit of purple visible. Occasionally it would come back to life, but not reliably.
The source of this vulnerability is almost certainly Bluetooth. I recommend turning off Bluetooth on your phones as a precautionary measure.