JonDo

For anonymous web surfing, at a minimum, two components are required: a proxy and a browser that doesn’t identify you. At the office, I have both and much more to protect my privacy and provide anonymity. If I have to use a Windows computer at a client’s offices, then temporary measures have to be undertaken.

The simplest solution for this, without using an anonymous VPN, is the JonDo Proxy program (a Java application) that will hide your IP address, and JonDoFox, a Firefox profile optimized for anonymous and secure web surfing. Using the USB doesn’t leave any traces on the computer for some snoop at the client’s office to uncover. This needs Windows as the OS.

For more privacy and anonymity, you can use JonDo/Tor-Secure-Live-DVD, a secure, pre-configured environment for anonymous surfing and more. This has its own OS based on the Debian GNU/Linux OS. The live system contains proxy clients for JonDonym, Tor Onion Router and Mixmaster remailer and much more.

The advantage of the live system is that it is on a DVD, which prevents any other system from writing something dangerous to the DVD.

Using these does not make it impossible to uncover individual users, as there is no such thing as 100% security, but for most users, this will be adequate for most situations. If you are concerned about this, I suggest you read the surveillance reports on the law enforcement page.

Little Snitch

Just to be different, I started using a Mac to do some IIR. One of my quick fixes for security was Little Snitch, a firewall for OSX. It monitors outgoing network traffic and alerts you if a program you’re running is trying to contact a strange server. This could be a shell or a program that snaps photos using your webcam or one that takes screenshots and sends them to an outside server.

Web Proxies & User Agents

A web proxy provides an easy way to change your IP address while surfing the Internet. It doesn’t require software or modification to your networking settings. You just enter a website address and the sites you visit through the proxy see an IP address belonging to the proxy rather than your IP address.

I am very cautious about using web proxies as you never know who actually operates them and what data they might collect as you use them. You also don’t know to whom they might give that data. On the other hand, I have found one that has a useful feature.

nroxy offers all the usual web proxy features plus something interesting–it offers the ability to change the user agent. For example, some web sites cannot be viewed properly using Firefox. Sometimes it is an old site that requires MS Internet Explorer (IE) or it may be a site designed for mobile devices. This proxy offers user agents typical of 5 mobile devices and a long list of browsers.

To get the information I need I am finding it necessary to switch user agents more often. Usually, I use the User Agent Switcher extension that adds a menu and a toolbar button to switch the user agent of a browser. It allows you to choose from three versions of IE or an iPhone. Selecting the iPhone user agent often reveals additional functionality on the site. The extension is available for Firefox and will run on any platform that this browser supports including Windows, OS X and Linux.

Now I have another option when I need to change the user agent and I get the additional proxy features as well.

Social Media & Threat Alerts

A Pew Research Poll indicates that college students are spending less time on Facebook and more on simplified instant messaging services like Snapchat, Instagram, WhatsApp and Yik-Yak. Campus safety officers haven’t caught up with this trend. They still check Facebook most consistently, followed by Twitter and Yik-Yak.

In my experience, very few organizations use social media threat alert software or employ a social media monitoring company. Everything that I have seen indicates that organisations that monitor social media for risk management usually monitor the wrong sites.

Turn Your PC into an iPhone

Some web sites cannot be viewed properly using Firefox. Sometimes it is an old site that requires MS Internet Explorer (IE) or it may be a site designed for mobile devices.

The User Agent Switcher extension adds a menu and a toolbar button to switch the user agent of a browser. It allows you to choose from three versions of IE or an iPhone. Selecting the iPhone user agent often reveals additional functionality on the site. The extension is available for Firefox and will run on any platform that this browser supports including Windows, OS X and Linux.

Don’t Believe Everything the Government Says

Here are three simple facts:

  1. Governments are political.
  2. Politics is not about the truth–it’s about getting elected at any cost.
  3. Morally vacuous individuals are attracted to the power inherent in politics and government.

The following is my approach to evaluating the veracity of what government says:

  1. Record what government or politician(s) said.
  2. Conduct a detailed comparison of what they said to the data provided by the same government.
  3. Bureaucrats are political, they champion ideologies, agendas, or politicians that promise them greater power, higher pay or benefits.
  4. A thorough understanding of statistics and their abuse is required.
  5. If they continue pushing their agenda in the face of overwhelming evidence to the contrary, then you are witnessing morally vacuous individuals engaged in self-serving propaganda.

Critical Thinking

Growing up, my mother always told me not to believe everything I read. This was good advice, but it doesn’t go far enough.

Critical thinking is an ancient concept but the actual term began to appear in the mid-20th century. In the information age, developing this skill is essential. It is an intellectually disciplined process of actively analyzing and evaluating information. It transcends all subjects, sources, or problems. Critical thinking protects us from biased, distorted, partial, uninformed, or prejudiced content and ideas. It insulates us from improper assumptions and implications. It prevents undesirable consequences.

Critical thinking is not the application of logic for selfish purposes. Selfishness often appears under the guise of critical thought to skilfully manipulate ideas to promote a vested interest. Fortunately, this usually becomes apparent upon close examination because selfishness typically accompanies lies and an intellectually flawed argument. Examining the issue fair-mindedly, and with true intellectual integrity, the selfish analysis falls apart. Of course, the selfish minded individuals will call the product of true critical thinking idealism, using that term in a pejorative sense, thus further identifying their selfish motives.

Anonymize Your Email

Guerrilla Mail is a temporary, disposable email service. It lets you easily set up random email addresses. If accessed through Tor, it ensures that no one can connect your IP address with a Guerrilla Mail address.

Encrypting messages for webmail is awkward. You must copy and paste messages into text windows and use PGP to scramble and unscramble them. To avoid this, you can use a privacy-focused email host like Riseup.net and Mozilla Thunderbird with the encryption plugin, Enigmail, along with another plugin called TorBirdy that routes email through Tor.

Confidential File Transfers

Google Drive and Dropbox don’t provide privacy. Onionshare is an open-source program that lets you send big files via Tor. When you use it to share a file, it creates a Tor Hidden Service, which is a temporary and anonymous website hosted on your computer. Give the recipient of the file the .onion address for that site, and they can securely and anonymously download it using their Tor Browser. The person who is receiving the file doesn’t need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.

For now it only runs as a bare-bones command-line tool on the Tor-based operating system Tails, which can be launched on Windows or Mac machines.

If you’re trying to send a secret file then it’s important to send this URL secretly. I recommend you use Off-the-Record encrypted chat to send the URL. This provides an end-to-end encrypted conversation over services like Google Talk and Facebook chat that prevents Google or Facebook from having access to the contents of your conversation.

Social Media Early Warning System

Today, Social Media (SM) informs us about emergencies, scandals, and controversial events before the traditional media. The news media has become a second source that tries to improve the signal-to-noise ratio.

Using SM as an early warning system isn’t a new idea, but few organisations actually do it because they never get around to creating an organised process for this function.

How to Create a SM Early Warning System

I start the process by first identifying the subject matter that I need in my early warning system and what informational role it will play. This includes identifying who will receive its output and who must act upon its output.

Carefully plan how you will communicate with the rest of your organisation. This needs to include an emergency distribution list with alternative distribution methods if normal communication methods start to break down.

The people who must act upon your information must trust that you will give them timely and accurate information. They must also know what you won’t provide. Gaining this trust and understanding will take time and good old-fashioned salesmanship.

Next, I start identifying sources that provide reliable information that I then store, aggregate, and evaluate. As these sources become more trusted, I begin grouping them by topic, special knowledge, geography, and other factors. I then start asking them for more contacts that are equally reliable. To manage my contacts or sources, I build Twitter Lists, Facebook Interest Lists, Google Plus Circles, and use other similar list tools.

I contact my sources by email, Skype, and other means to build a relationship based upon trust and common interests. I note their strengths, weaknesses, skills, contacts, biases, and other relevant characteristics. It is important for me to treat all my contacts with respect and to view them as colleagues, rather than people to order about. I also act as a source to all my contacts as this isn’t a one-way street. I make it clear that I am looking for help rather than someone circulating rumors and misinformation. I do this by letting my contacts know what I do and do not know while steering clear of all inflammatory aspects of the topic as SM tends to amplify these without adding factual data.

I have seen many attempts to use SM for this fail once they realise that for this to work, it must be a collaborative effort. They don’t want to give as much as they receive as that requires too much effort, trust, and organisation.

To organise a SM early warning system you need to start a decision tree that allows you to go through the research, evaluation, and verification process in a logical and orderly manner without missing any steps. Design the process to identify the original content source or creator, verify that it represents events truthfully, and that the context of the content is not intended to mislead the viewer.

Use your favourite flow-chart software to make a decision tree suitable for the type of content and SM that you typically handle. Keep it simple. Start with only yes/no decisions. Each person on the team should add to the decision tree for their tasks as they learn new sources and methods.

Divide the decision tree into three components. First, identify the original poster or creator of the content. Second, investigate the source or creator of the content to help determine his reliability, biases, and online history. Third, investigate the content itself for defects that indicate that it is a fake, an intentional hoax, or some form of propaganda.

Over time, the decision tree and its supporting documentation will make your team seem super-human in its ability to wade through large volumes of complex material to expose fakers and reveal the true story.

Surveillance in a WiFi World

I sat in a hotel lobby recently enjoying a coffee while waiting for someone. I decided to write an entirely different blog article than this one while I waited. This lobby has convenient tables for road warriors and their portable computers–that is why I often arrange short meetings in that lobby.

At another table, I noticed something rather familiar connected to someone’s laptop. It was a WiFi Pineapple. This was a bit disturbing.

Do you know what the WiFi Pineapple can do?

Surveillance & the WiFi Pineapple

The WiFi Pineapple allows an attacker to launch a “Man in the Middle” or MiTM attack by inspecting the data flow between the target and any resources he accesses on the web via a WiFi connection. This little Linux box equips the investigator or spy with a versatile surveillance and information-gathering tool.

From a surveillance perspective, it will reveal the names of all the WiFi networks the victim connected to on the highway, in hotels, and far-flung airports. The subject’s computer will cycle through all of the network identities (names) it has previously used. All of this is sent in the clear and can be captured by the WiFi Pineapple. The same applies to smartphones.

All of the network names to which it previously connected are disclosed over a few minutes. Coupled with an online resource such as WiGLE, this information can be used to establish a profile of the device owner–where he lives, works, eats, drinks coffee, his gym, his favorite no-tell motel, and more. Combine the Pineapple with Wireshark and you have an excellent surveillance toolkit or one that could facilitate some real mischief.

Protect yourself

The simplest protection is the best. Shut off the WiFi on your portable device. Use WiFi in secure environments only.
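When WiFi cannot stay off, the saved-network list is what is worth trimming, since those are the names the device can disclose. The following is an added example, not part of the original post: a short audit of saved Wi-Fi profiles, assuming Linux NetworkManager keyfile profiles with `type=wifi`; the sample profiles and the function names are constructed for illustration.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format; on a real
# system each would be a file under /etc/NetworkManager/system-connections/.
SAMPLE_PROFILES = {
    "home": "[connection]\nid=HomeNet\ntype=wifi\n\n[wifi]\nssid=HomeNet\n\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "hotel": "[connection]\nid=Hotel Lobby\ntype=wifi\n\n"
             "[wifi]\nssid=Hotel Lobby\n",
    "office": "[connection]\nid=Office\ntype=wifi\n\n[wifi]\nssid=OfficeHidden\n"
              "hidden=true\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "cafe": "[connection]\nid=Cafe\ntype=wifi\nautoconnect=false\n\n"
            "[wifi]\nssid=CafeGuest\n",
    "wired": "[connection]\nid=Dock\ntype=ethernet\n",
}


def audit_profiles(profiles):
    """Return {ssid: [findings]} for every saved Wi-Fi profile."""
    report = {}
    for text in profiles.values():
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text)
        if cp.get("connection", "type", fallback="") != "wifi":
            continue  # only Wi-Fi profiles carry a network name
        ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
        findings = []
        # autoconnect defaults to true when the key is absent
        auto = cp.getboolean("connection", "autoconnect", fallback=True)
        if not cp.has_section("wifi-security") and auto:
            findings.append("open network joined automatically: remove it or disable autoconnect")
        if cp.getboolean("wifi", "hidden", fallback=False):
            findings.append("hidden network: the device must send this name to find it")
        report[ssid] = findings
    return report


def names_to_review(report):
    """Saved names with at least one finding, sorted for stable output."""
    return sorted(ssid for ssid, findings in report.items() if findings)


if __name__ == "__main__":
    for ssid, findings in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{ssid}: {'; '.join(findings) or 'saved name, no extra finding'}")
```

Every name in the report is a candidate for deletion once the trip is over; the flagged ones come first.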

Tim Horton’s & Investigative Internet Research

An article titled, Tim Hortons apologizes for blocking gay and lesbian news website by The Canadian Press on Friday, July 19, 2013 caught my attention. Tim Hortons is a popular Canadian coffee shop chain.

The online site of a popular paper that caters to the gay community was blocked by the coffee shop chain as “not appropriate for all ages viewing in a public environment.” Once the outrage got going, Tim Hortons relented and changed its WiFi network policy.

What has all this got to do with Investigative Internet Research (IIR), you ask? Well, think about it. We often work while on the road and that means doing some aspects of IIR in places like coffee shops.

When you do IIR outside your normal work environment, different rules apply. How do you know what the WiFi network allows and what it doesn’t? How do you know if some things are censored and others are not? How do you know that your results are complete?

Now do you understand the dangers that doing this presents? I haven’t even mentioned the security issues.

Secured URL

Secured URL allows you to encrypt a URL with a password. It works like TinyURL.

Enter a URL, its password, and choose the expiration date of the resulting encrypted link. The expiration date can be up to 90 days hence. The encrypted link that you get from this can be shared by email without revealing its contents. You send the password to open the link in a separate email. It’s best to send passwords to one email address and the encrypted content to another email address.

I can think of many uses for Secured URL where confidentiality is required.

The Dangers of a Bad Pretext

The Daily Mail newspaper in the UK reports that the receptionist who was subjected to a pretext call by two Australian DJs may have committed suicide.

In the call at 5.30am on Tuesday impersonating the Queen, Miss Greig said: ‘Oh, hello there. Could I please speak to Kate please, my granddaughter?’

Thinking she was speaking to the Queen, the receptionist replied: ‘Oh yes, just hold on ma’am’.

She then put the presenters through to one of the nurses who was caring for the Duchess.

The nurse also believed she was speaking to the Queen and went on to make a number of deeply personal observations about Kate’s health.

This prank/pretext was bragged about by the two Australian DJs. This no doubt subjected the receptionist to a lot of ridicule.

The Australian DJs violated two of the three rules for doing pretext calls.

The three rules:

  1. Do not personate a living person.
  2. Do not personate a representative of any existing company (or business) or anything to do with government.
  3. Do not cause anybody to be concerned for their own safety or the wellbeing of any person, business, company, or property.