Normalcy Versus Risk

Feral Dogs

In the past I have written about the risks associated with feral dogs. Currently, the town of Kenora, Ontario, is experiencing some difficulties with feral dogs. Having a pack of feral dogs circling your house is not something to take lightly.

When Knives Attack

The recent Calgary mass murder illustrates how people assess risk wrongly. Statistics Canada reports (in 2008) that one-third of homicides and attempted murders involved edged weapons. That is more than any other type of weapon. StatsCan also reported that edged weapons were used against six per cent of victims of violent crime while firearms were used against two per cent of victims. Yet most people and organisations dither over plans for mass shootings.

Knives are easy to obtain, easy to conceal, they don’t run out of ammunition, and they cut in any direction. No training is required and if you can move your hand with the knife in your grasp, then you can kill with it.

This type of crime occurs quite often. Here is a recent sampling:

  • four people were stabbed in a Regina shopping mall
  • a student was stabbed at a Brampton, Ontario, high school
  • four coworkers were stabbed at a Toronto office by a man who was being fired
  • two people were killed and four wounded in a stabbing attack at a Loblaw’s warehouse

Of course the knee-jerk reaction will be to ban assault knives. Of course all prohibitions fail miserably and probably make the situation worse as happened with the ‘war on drugs’ and ‘gun control’. Some foolish individuals will no doubt say that the StatsCan figures prove that ‘gun control’ works and we now need ‘knife control’, no doubt a knife registry will follow.

In the Calgary case, the accused probably took the knife from the kitchen and then started his rampage. I’m sure registering their kitchen knives after getting a licence to buy them would have stopped this attack.

Risk Assessment

Whether it’s feral dogs or knife attacks, you have to measure the relative probability of the event occurring against the consequences of the event. We are hard-wired to believe that we live in a safe world–if we weren’t, then we would never have ventured out of our caves to create the world we now live in. This is called the normalcy bias.

Normalcy Bias Vs. Risk

I am paid to respond to situations where the normalcy bias got the better of someone, or to plan for situations that nobody wants to contemplate. Decades of experience have taught me that nobody wants to contemplate low-probability, high-consequence events. Legislation and hand wringing won’t change this–planning, preparation, and training might. Unfortunately, interest in preparation and training wanes quickly as memory of the event that spawned it dissipates, which allows the normalcy bias to reassert itself.

Black Suits & Dark Glasses

I went to a meeting with a client to help solve a problem one of his customers was having. Sitting in the reception area, I witnessed a wondrous spectacle. In struts a guy in a black suit wearing dark glasses and earwig. He looks around ominously and then talks into his sleeve. Next, the great man enters surrounded by a phalanx of black suits, dark glasses, and earwigs. This is Canada. Private bodyguards don’t exist here. They are just for show-offs who like to look important or for those tricked into hiring some feckless cannon fodder.

It turned out that this was the guy with the problem. My client realised that he was ineptly handling the symptoms rather than treating the disease. He had received threats. He had suffered vandalism to his home and car. He couldn’t in any way identify his persecutor. However, he was a senior executive of a company in an industry that sometimes attracts threats and acts of violence.

When the great man was asked how he had received the threat, he said that he received it on his unlisted cell phone, so it must be a serious threat perpetrated by dangerous people. I Googled the cell phone number. Lo and behold, there it was in a Kijiji ad for some stuff he was selling. The picture of the stuff included the front of his house and enough of his car to identify its make, model, and colour.

His name appeared on the title for his house along with that of his wife. Searching his name in social media sites, I was able to identify his children and wife. I found that his son went to hockey practice at the arena where his car was vandalised.

In half an hour I had learned where he lived and his cell phone number, identified his family, and found out where his children went to school and his son’s hockey schedule. More importantly, the social media content related to his family members also identified him. This led me to conclude that it was possible that he was not the target. Of course, the wife and kids didn’t have bodyguards.

Each of his bodyguards was questioned regarding their training and experience. It wasn’t surprising to me that they were repurposed security guards with no training. The agency providing the bodyguards did not conduct any investigation nor did the client’s employer.

Without any idea who in the family was being targeted, new security arrangements were made. The house and office got uniformed security guards. The client and his wife got reliable security drivers. We put in place new security arrangements for the children. All social media content was expunged. I ensured that the police and telephone company became involved.

Further investigation produced a list of suspects. The police tied one of these to the vandalism of the client’s car. Police interrogation led to a confession. The offender turned out to be the teenage daughter’s jilted suitor, who was also a player on a rival hockey team.

How to Use Boolean to Improve Social Media Monitoring

Twitter and Boolean Searching

Twitter has a robust search facility that includes Boolean search operators. Twitter Support provides the following table of search operators.

Twitter defaults to the AND operator when you put several terms in a search statement. Don’t forget to use the minus sign (-) for NOT to exclude terms and OR to broaden the search. To get the results that you really want, you can filter the search results using the selections on the left side of the results page or you can start your search on the Advanced search page. Always search for variations of hashtags, spellings, and sentiment words in order to capture the largest number of tweets possible.

Unearthing a GeoSocial Footprint

I try to learn something every day. Today, I learned about GeoSocial Footprints. A geosocial footprint is the combined bits of location information that a user divulges through social media. Now I had to learn an easy way to unearth someone’s geosocial footprint.

First, I had to find an easy way to uncover which social media (SM) a person uses. To do that, I found an add-on for Firefox called Identify. This extension used to help you explore an individual’s web identity across SM sites. However, it is not compatible with Firefox version 26 or later. It was also not compatible with Comodo IceDragon.

That left me with trying Hoverme. This is an add-on for Chrome that provides a SM profile when you mouse over a name on SM sites. You will supposedly be able to view the social web profile of the subject by mousing over the profile picture in Facebook, etc. It should provide links to the person’s profiles on sites such as Facebook, LinkedIn, Delicious, etc.

I tried installing it in Comodo Dragon, which is built on the open source Chrome browser and doesn’t phone home to Google like Chrome. Unfortunately, Hoverme needs the Kynetx browser extension that many apps require. It’s like Greasemonkey for Firefox, but to install this you need to set up an account or use Facebook or Google to sign in. This means I might be giving away too much information. This also means that to collect evidence safely, I will have to install it on a sandbox machine or in a VM and then do my main collection on another machine. I would do this because I don’t know what Kynetx might be doing to the machine that is collecting the evidence and I don’t know what information this might be giving away to unknown parties.

I guess it’s back to good old-fashioned Investigative Internet Research to uncover which SM sites someone uses. From there, I will have to figure out how to collect, collate, validate, and explain all this geosocial footprint stuff.

Veracity of Online Images & Video

My mother’s advice not to believe everything I read remains as true today as it was 50 years ago. Today, that advice extends to online video and images.

Hoax imagery and video abounds online. A fake video of an eagle trying to fly off with an infant in a Montreal park is only one example. Students at the National Animation and Design Centre created this ‘Golden Eagle Snatches Kid’ video. Their skill was impressive. It took a frame-by-frame analysis to uncover the fake. Frames that lacked the eagle’s shadow revealed it to be a hoax.

Free editing software like VLC Media Player or Avidemux Video Editor can help split video into frames, but locating and investigating the person who posted the video proves more productive in most cases. The following is a short outline of how I approach this problem.

First, start listing the places you find the item and user names that posted it. Look for the first instance of the item by filtering by date. Try to find the first instance as this may be the original and the original poster of the item. Compare video thumbnails to find the earliest and largest as that may be the original. Search the thumbnails in Google Image Search, TinEye, and Bing. However, searching TinEye, et al, will require an image with high contrast and distinctive colour combinations.

Next, try to identify the person who first posted it. Sometimes, discovering the creator of the item is easy because it was posted on a Facebook page or on YouTube, but usually it was just duplicated there and originates elsewhere. Search all text associated with the item—tags, descriptions, user names. Use everything as search terms. Search all the user names to identify the people. Use sites such as LinkedIn, Facebook, etc., to get a feel for the background of the people you may later contact.

Once you have found the likely source of the item, examine and question the source to establish his reliability. You need to engage this person to establish that he created the video or image and that it isn’t a hoax or an altered version of something he still possesses.
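The triage in the three steps above, written out as an added example that is not from the post: given the copies of an item found so far, it picks the earliest copy as the likely original, flags the case where a later copy is larger (a possible upscale that needs frame comparison), links reused user names across sites, and harvests search terms. The records, user names, times and sizes are constructed for the example.

```python
import re
from datetime import datetime

# Constructed records of where one suspect video was found. The platforms are
# real, but the user names, times, sizes and text are invented for this example.
INSTANCES = [
    {"site": "youtube", "user": "mtl_skywatch", "posted": "2014-01-05T15:02:00",
     "width": 1280, "height": 720, "text": "Golden Eagle Snatches Kid in montreal park"},
    {"site": "reddit", "user": "mtl_skywatch", "posted": "2014-01-05T16:45:00",
     "width": 480, "height": 270, "text": "eagle snatches kid in park [video]"},
    {"site": "facebook", "user": "jdoe.shares", "posted": "2014-01-06T09:30:00",
     "width": 640, "height": 360, "text": "OMG eagle grabs baby!! #montreal #eagle"},
    {"site": "twitter", "user": "newsbot42", "posted": "2014-01-07T12:00:00",
     "width": 1920, "height": 1080, "text": "Eagle snatches toddler, now in HD #montreal"},
]

# Words too common to be useful search terms on their own.
STOPWORDS = {"in", "the", "a", "an", "of", "and", "now", "omg", "video"}


def posted_at(record):
    return datetime.fromisoformat(record["posted"])


def pixels(record):
    return record["width"] * record["height"]


def likely_original(instances):
    """Apply the post's rule of thumb: the earliest copy is the best candidate
    for the original, and the largest usually is too. Returns (earliest, None)
    when they agree; otherwise (earliest, largest) so both can be compared
    frame by frame, since a later 'HD' copy may be an upscale, not the source."""
    earliest = min(instances, key=posted_at)
    largest = max(instances, key=pixels)
    if earliest is largest:
        return earliest, None
    return earliest, largest


def accounts_by_user(instances):
    """Map each user name to the sites it was seen on. A handle reused across
    sites is the first lead towards the person behind the earliest post."""
    seen = {}
    for r in instances:
        seen.setdefault(r["user"], set()).add(r["site"])
    return {user: sorted(sites) for user, sites in seen.items()}


def search_terms(instances):
    """Harvest user names, hashtags and distinctive words from every copy so
    that each can be fed to the search engines in turn."""
    terms = set()
    for r in instances:
        terms.add(r["user"])
        for w in re.findall(r"#?\w+", r["text"].lower()):
            if len(w) > 2 and w not in STOPWORDS:
                terms.add(w)
    return sorted(terms)
```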

DuckDuckGo Search Cheat Sheet

A handy cheat sheet for searching DuckDuckGo can be found at Techglimpse.

DuckDuckGo Search tricks

Social Media Early Warning System

Today, Social Media (SM) informs about emergencies, scandals, and controversial events before the traditional media. The news media has become a second source that tries to improve the signal to noise ratio.

Using SM as an early warning system isn’t a new idea, but few organisations actually do it because they never get around to creating an organised process for this function.

How to Create a SM Early Warning System

I start the process by first identifying the subject matter that I need in my early warning system and what informational role it will play. This includes identifying who will receive its output and who must act upon its output.

Carefully plan how you will communicate with the rest of your organisation. This needs to include an emergency distribution list with alternative distribution methods if normal communication methods start to break down.

The people who must act upon your information must trust that you will give them timely and accurate information. They must also know what you won’t provide. Gaining this trust and understanding will take time and good old-fashioned salesmanship.

Next, I start identifying sources that provide reliable information that I then store, aggregate, and evaluate. As these sources become more trusted, I begin grouping them by topic, special knowledge, geography, and other factors. I then start asking them for more contacts that are equally reliable. To manage my contacts or sources, I build Twitter Lists, Facebook Interest Lists, Google Plus Circles, and use other similar list tools.

I contact my sources by email, Skype, and other means to build a relationship based upon trust and common interests. I note their strengths, weaknesses, skills, contacts, biases, and other relevant characteristics. It is important for me to treat all my contacts with respect and to view them as colleagues, rather than people to order about. I also act as a source to all my contacts as this isn’t a one-way street. I make it clear that I am looking for help rather than someone circulating rumours and misinformation. I do this by letting my contacts know what I do and do not know while steering clear of all inflammatory aspects of the topic, as SM tends to amplify these without adding factual data.

I have seen many attempts to use SM for this fail once those involved realise that for this to work, it must be a collaborative effort. They don’t want to give as much as they receive, as that requires too much effort, trust, and organisation.

To organise a SM early warning system you need to start a decision tree that allows you to go through the research, evaluation, and verification process in a logical and orderly manner without missing any steps. Design the process to identify the original content source or creator, verify that it represents events truthfully, and that the context of the content is not intended to mislead the viewer.

Use your favourite flow-chart software to make a decision tree suitable for the type of content and SM that you typically handle. Keep it simple. Start with only yes/no decisions. Each person on the team should add to the decision tree for their tasks as they learn new sources and methods.

Divide the decision tree into three components. First, identify the original poster or creator of the content. Second, investigate the source or creator of the content to help determine his reliability, biases, and online history. Third, investigate the content itself for defects that indicate that it is a fake, an intentional hoax, or some form of propaganda.

Over time, the decision tree and its supporting documentation will make your team seem super-human in its ability to wade through large volumes of complex material to expose fakers and reveal the true story.

WebMii

I have written about pipl.com before and often find it useful when I am trying to track down people. Unfortunately, its usefulness is limited if the subject lives outside the U.S.A.

When searching for people outside the US, I turn to WebMii. It has data sets for specific countries, which you can select individually, or you can search all of them by selecting ‘International’ as the region.

You may also search by keywords to get a list of people associated with the keywords. However, this has never worked for anything I have searched. Searching by company or brand name often returns useful results, but selecting a region failed to change the results in any search that I have done.

What was the Weather Like?

Wolfram Alpha is an interesting answer engine. It answers questions by computing the answer from curated, structured data, rather than providing a list of web pages that contain the search words like normal search engines.

Investigations often hinge on local conditions such as weather. When I need to estimate the weather conditions or compare someone’s description of the weather to actual conditions, I type in a search term like “what was the weather in toronto on july 1, 1967”. Sometimes, Wolfram Alpha has no data from which to formulate an answer, as happened with this search. If you substitute the years 1950 or 2000 you get answers, but not for 1967.

Of course I verify what I get from Wolfram Alpha through official sources.

How to be an Internet Eyewitness

Eyewitness testimony is the weakest evidence an investigator can collect. The vessel that contains this evidence is subject to illness, death, corruption, and a myriad of defects that compromise the evidence. Being a trained investigator does not make you immune to all these weaknesses.

How we access and share information and how we communicate has changed dramatically over the last 30 years. This evolving technology is changing how we conduct investigations. It is changing how we observe criminal activity. The number of sources of evidence available in some investigations has become overwhelming.

The Investigator as an Internet Eyewitness

The key to believable evidence gathered from the Internet is that it is visual, understandable, and could be reproduced if someone else did it at the same time as when it was originally collected.

When I review an investigation, I apply these criteria to determine if it was done by an expert or a bodger.

Investigators are taking on the role of eyewitness by observing evidence that might not be visible to any other available investigator as it appears only momentarily in internet venues. To be a reliable eyewitness, the investigator needs to create a record of what he or she sees at any particular point in time. This must be done in the same manner as handwritten notes. However, these records must provide a visual representation of the evidence collected. With Investigative Internet Research, the computer’s camera and mic, along with software that records screen activity, become the investigator’s notebook.

Typically, screenshots combined with written eyewitness reports are used to record what an investigator observes in social media and other internet sites. However, screenshots and written reports do not provide a full representation of the research process or the evidence uncovered.

Twenty pages of social media content along with text detailing each screenshot is time consuming to produce and mind-numbing for a Judge or jury to endure. The Judge and jury need an eyewitness to tell them what happened and to illustrate why they should believe this evidence.

As with any eyewitness testimony, two corroborating witnesses are much better than one. The second eyewitness improves the credibility of the evidence presented in the courtroom. The consistency of the eyewitness testimony needs to be established through documentation as would be done with traditional witness statements given at different times to police before trial.

Follow the Script

Wherever possible, rehearse the visual, logical, and reproducible nature of the witness testimony to produce a clean copy of the investigators’ witness testimony. Don’t be afraid to script the testimony. Don’t be afraid to admit scripting the recorded testimony. Explain, if asked, that the recorded collection process is just a representation of what you did without any irrelevant material or wasted time. Explain that the recorded collection process is what really happened as it happened.

Visual

The hallmark of a good report is that it looks organised and complete without being overcrowded with text and other material. The recorded testimony of the investigators must also be organised and complete without any extraneous content. Sometimes, accomplishing this requires scripting and rehearsal.

The investigator’s recorded process of collection must present the page as he saw it and the viewer must see and hear the investigator as he goes through the collection process. Just because you did this before and scripted the presentation of your collection process does not make the recorded content any less valid.

Understandable

Above all else, be logical. The collection process must proceed in a straight line from a clearly explained starting point to the next logical point. Continue in like fashion until you reach a logical conclusion.

Explain the logic and connections in the accompanying report. Your report will probably need elements from PowerPoint, screen shots, images, graphs, etc. to accomplish this. Use visual aids to make connections and illustrate logic!

Explain how you got there. Explain what you saw. Explain the importance of what you found. Explain material that meets the elements of the offence or supports the continuation of the offence in some way.

Reproducible

The viewer must see and hear the second investigator doing the same thing as the first investigator. The viewer must see the second investigator collect the same material as the first one. Doing this will require some scripting and rehearsal.

Raw Evidence

Some situations happen too fast to allow scripting and rehearsal. In that case, you will have to use the raw recording of the Investigative Internet Research (IIR) session that captured the evidence. Even if you are creating a scripted and rehearsed presentation of the collected evidence, you should have a recording of the original IIR collection effort.

New Bing Image Search

Images that appear on a web site offer many insights into the people who created the site. They tell you if they have the money to buy copyrighted content, or that they took the time to create their own imagery to get across their message. The imagery may also tell you that they don’t respect copyright law. The use of the same image on several sites may indicate a relationship between the sites that use the image.

Bing now offers an image search facility that allows you to paste a specific image URL into the search box at Bing.com/images. If you have a picture that you want to match, then you may upload it directly to Bing.com/images and Bing will search for matches. To match an image, submit a URL, or upload an image, just click on Image Match.

When you come across an image on a site you find in the Bing Web results, go to Bing Image search and clear the search box. That will make the Image Match link appear next to the search box. When using this, the best approach is to have Bing Web open in one tab and Bing Images in another. As you click on Web results, they will open in a new tab between Bing Web and Bing Images. To isolate the images you wish to search, in Firefox, right click the image and click on view image. This will take you to the image itself and its unique URL. This makes it easier for Bing to isolate the image it is trying to match.

Eye Witnesses & Bears

I have never liked dealing with witnesses. They are fickle things that frustrate and annoy me. They change their stories or offer up bizarre versions of events. Eye witnesses are the bane of any experienced investigator. A news item and my own failure to observe accurately this morning illustrate the dangers of relying on the eye witness.

The first item is comical; the second, not nearly so. Early this morning a taxi driver discharged his passenger and then got stuck in the snow. He called police saying he couldn’t get out of his car because there was a bear circling his car.

The bear turned out to be Bear, a Newfoundland dog.

The second example is something much more personal. I have been fighting a cold that migrated to my lungs. During an online interview I began to feel very disoriented and lightheaded. I had to stop the interview but I had no idea what was happening to me.

In a past life I was both a diver and a pilot. I was trained to recognise hypoxia and I had experienced it firsthand during operations. On a quiet morning, during an online interview, I was wholly unable to make out what was happening to me.

So many things can affect what an eye witness reports. The cab driver was a city guy with no experience with dogs or bears. He couldn’t distinguish between a bear and Bear the Newfoundland dog. I wasn’t in a high performance aircraft or underwater with a dodgy re-breather. My environment and mindset this morning made it impossible for me to realise that I was suffering from hypoxia brought on by a lung infection.

Witness testimony may be critical to most investigations, but please give me physical evidence that can be sent to a lab for analysis or documents that can be read, examined, and filed away until trial.

The Strange Case of Juicejacking

Have you ever seen people recharging their mobile phones at a public recharging station in an airport or shopping mall? They no doubt do this to avoid the severe symptoms of Twitter and texting withdrawal.

Don’t they realize that their mobile phone adaptor USB cable is a combination power-and-data connection? Plugging your phone into an untrusted USB cable is just plain stupid. Letting a stranger plug their phone into one of your USB ports is just plain stupid too.

Take a minute to think about the treasure trove of data on that smart phone. Your smart phone has more computing power and memory than my first three computers combined. Your digital and communications life history is on that thing.

When charging your phone from an unknown USB port, use a power-only USB cable. USB plugs have four or five connecting wires. The outermost two are for power. If your cable has two or three of the inner wires missing, then it can’t carry data, only power. This will slow the charging, as the data wires allow the phone to control the charging amperage to get it above the minimum 100 mA. Never trust a USB cable given to you by a helpful stranger, as a visual inspection will not reveal if it is power-only or power and data (I’ve tested this with a lot of people and over 90% got it wrong). To speed charging in a secure manner, use the charging adapter that came with the phone, not the data connection.

You can increase your security by configuring your device to require a password for all data-transfer features of the charging port. This stops synchronising your data with another device unless you authorise it. This is good practice, but don’t rely on it if you are hooked up to a hostile device. Don’t rely on shutting off the phone as a protection either. It is hard to determine how much of the phone is truly powered down. Even if the phone is powered down, a USB connection may provide the hostile device an avenue to the memory card.

If you are in a foreign hotel and don’t have an adapter, please don’t get one from the concierge as you never know where it has been—like maybe to that country’s intelligence agency. I recently encountered a case where the helpful concierge provided an extremely effective and hostile power adapter, probably engineered by either a moneyed industrial spy or the host country’s intelligence agency. Most national intelligence agencies conduct economic and industrial espionage—don’t be offended by this, be cautious, don’t take your entire life history with you on that smart phone, and don’t get juicejacked.

Good-bye Windows XP

If you have older machines running Windows XP, then Microsoft will cut off support for the operating system on April 8, 2014. That means no more patches, no more new software versions, no more drivers for new peripherals–and most importantly, no security updates and patches.

If you have an older machine that is running properly with XP, then you will probably find that installing Windows 7 or 8 will make it run like molasses in January. Most machines running XP don’t have enough memory to run Windows 7 or 8 efficiently.

I’ve been using Ubuntu 12.04 because it is the most secure of all the current OS offerings. The CESG, the UK government’s arm that assesses operating systems and software security agrees with me. Ubuntu also has the largest collection of applications in the Linux world.

Zorin OS 7 is also a good option when switching from Windows XP. It is faster, looks better and offers better performance than Windows, yet its user interface is similar to Windows and intuitive for long-time Windows users. It allows you to run Windows programs using WINE and PlayOnLinux, as will other Linux distributions.

The US Department of Justice has “found” that Microsoft Windows is run by more than 95% of personal computers and that means that there are thousands of programs that will only run on Windows. WINE and PlayOnLinux allow you to use familiar programs to avoid a steep learning curve.

FinSpy & Browser Hygiene

Recently, I had a run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.

This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update’ Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.

What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.