Your Anonymous Browsing May Still Identify You

A disturbing study reported in The Atlantic highlights something we already know: Human nature will screw us every single time; in short, you screw yourself.

If you’re on Twitter, chances are that even if you are browsing anonymously, your history will identify you. Why? Because of how you — and all other humans — behave in a normal setting.

Here’s how the de-anonymization system works: The researchers figured that a person is more likely to click a link that was shared on social media by a friend—or a friend of a friend—than any other random link on the internet. (Their model controls for the baseline popularity of each website.) With that in mind, and the details of an anonymous person’s browser history in hand, the researchers can compute the probability that any one Twitter user created that browsing history. People’s basic tendency to follow links they come across on Twitter unmasks them—and it usually takes less than a minute.

Granted, this was in a test environment. But notice something very critical about the statement the researchers make:

Ultimately, if you want to use Twitter under your own name, there’s little you can do to thwart this de-anonymization technique. “Our deanonymization attack didn’t use any easily-fixed flaw in the Twitter service,” said Ansh Shukla, a graduate student at Stanford and one of the paper’s authors. “Users behaving normally revealed everything we need to know. As such, the research strongly implies that open social networks, detailed logging, and privacy are at odds; you can simultaneously have only two.”

Pay attention. If you tweet (or use Facebook) under your own name, there is no such thing as privacy. While he states you can have two out of the three, note that there are very few ways to stop the detailed logging and still use social media sites because they are designed from the ground up to log and track everything you do. In other words, your only other option is to create a separate everything. Get a throwaway refurbished laptop, run Linux on it, get a VPN, use TAILS, and use that particular laptop away from your home for reading your various stuff, buying your sensitive items, whatever. Save the Windows laptop in your recliner for puppy pics, paper towel orders on Amazon, and answering your grandmother’s messages about whether you’re going to the family campout.

While you’re at it, go to MyShadow.org and take a look at what traces you are leaving.
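
To see why ordinary link-clicking is so identifying, here is a small illustration added to this post (not the researchers' code or exact model). It scores each candidate account by how much more often an anonymous history hits that account's feed than baseline popularity alone would predict. All URLs, account names, and numbers are constructed sample data, and the scoring function is an assumed simplification.

```python
import math

# Constructed baseline: share of all web visits each URL receives (sums to 1).
BASELINE = {
    "bignews.example/election": 0.40,
    "video.example/cats": 0.30,
    "shop.example/deals": 0.15,
    "blog.example/ham-radio": 0.05,
    "forum.example/gardening": 0.04,
    "wiki.example/knots": 0.03,
    "zine.example/letterpress": 0.02,
    "lab.example/sdr-notes": 0.01,
}
# Constructed feeds: links that appeared in each candidate account's timeline.
FEEDS = {
    "user_a": {"bignews.example/election", "video.example/cats",
               "shop.example/deals"},
    "user_b": {"bignews.example/election", "blog.example/ham-radio",
               "lab.example/sdr-notes", "wiki.example/knots"},
    "user_c": {"video.example/cats", "forum.example/gardening",
               "zine.example/letterpress"},
}
# Constructed "anonymous" browsing history (no account name attached).
HISTORY = ["bignews.example/election", "blog.example/ham-radio",
           "lab.example/sdr-notes", "wiki.example/knots",
           "video.example/cats", "shop.example/deals"]

def feed_score(history, feed, baseline):
    """Log-likelihood gain of 'this person favors links from this feed'
    over 'this person just follows baseline popularity'."""
    n = len(history)
    if n == 0:
        return 0.0
    # p: chance a random visit lands in the feed by popularity alone.
    p = min(max(sum(baseline.get(u, 0.0) for u in feed), 1e-9), 1 - 1e-9)
    # q: fraction of the observed history that actually lands in the feed.
    q = sum(u in feed for u in history) / n
    if q <= p:  # no more overlap than chance: no evidence for this account
        return 0.0
    part = lambda obs, exp: obs * math.log(obs / exp) if obs > 0 else 0.0
    return n * (part(q, p) + part(1 - q, 1 - p))

def rank_candidates(history, feeds, baseline):
    """Return (score, account) pairs, most likely author of the history first."""
    return sorted(((feed_score(history, f, baseline), name)
                   for name, f in feeds.items()), reverse=True)

if __name__ == "__main__":
    for s, name in rank_candidates(HISTORY, FEEDS, BASELINE):
        print(f"{name}: {s:.3f}")
```

Note that user_a matches three of the six visits yet scores zero, because those links are popular with everyone; the three niche links are what single out user_b.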

Where’s TOWR been?

Hello all,

Greetings!  We know we’ve been pretty quiet lately, so we thought this would be a good time to let you know we’re not currently guests of the Gray Bar Hotel.

Kit has been posting over at her new blog http://www.recoveringstatist.com/.  She always has valuable material so make sure you’re subscribed.  She is also currently eyeballs deep in her continuing education.

Steve is also buried in his education and with his day job in the belly of the beast.  He is routinely surrounded by safety pin wearing snowflakes and learning more daily about the mind of our opponents and the useful idiots than he would prefer.

Our other members continue to work behind the scenes.

Next up, the privacy webinar.  Without going into more detail than we are at liberty to at this time, we have reason to believe that Tor is more flawed than previously thought.  This is requiring us to rethink the advice we give to make sure we aren’t leading anyone astray.  We take this responsibility seriously.  For now, for the truly paranoid, for maximum privacy – use TAILS with a secondary identity, connected to an internet connection that cannot be traced to you, on a burner laptop, with an external network connection (such as a USB wifi card) that can also not be traced to you.  Even then, you need to be thinking tradecraft, tradecraft, tradecraft.

We’re still on for the Sparks31 class next year – contact us at TOWR@hushmail.com to sign up.  During the holidays we’ll be evaluating some new class opportunities and reworking our digital privacy offerings.

Do you want to help the mission of TOWR to educate patriots and partisans?  We are accepting submissions of original content.  Just about any subject is welcome as long as it fits in with our mission.  If you would like to teach a class sponsored by us, please contact us with a course outline and cost.  If you live outside of the Pacific Northwest and would like to host classes under the TOWR name, hit us up and we’ll be happy to help you get started and post your classes here.  Again, our general email address is TOWR@hushmail.com and is visible by the whole team.

In closing, we would like to take this opportunity to thank those of you who have given us words of encouragement and have supported us in this endeavor.  We are humbled and grateful.  Thank you.

Privacy Webinar 11/14 canceled!

IMPORTANT: If you are enrolled in the privacy webinar for tomorrow, we are canceling it. This is due to recent developments in some of the technology we discuss that requires re-evaluation on our part to make sure we are delivering current and accurate information.
 
We apologize for the inconvenience and will contact students directly via our Hushmail account to discuss next steps.

TOWR Security Brief: 21 Oct 2016

It’s been a little while since our last Security Brief, partly because I’m still working on my master’s thesis and partly because I’ve been writing more over at Patrick Henry Society–including two recent articles on topics you should read if you’re looking to keep from being infiltrated and exploited.

At any rate, there are some pretty disturbing things on the tech/privacy horizon today (every day!). Let’s get started.

More on the ongoing Geofeedia ruckus–apparently police departments weren’t the only ones using it. Public schools were spying on their students too. For their safety, of course.

There’s an interesting study out claiming that workers are largely more productive if you give them some privacy. Novel concept.

Facial recognition is “taking over the US,” and privacy researchers aren’t happy. How bad is it? Take a look.

Esquire says they have proof that Russia has been behind all of the recent data leaks from Clinton/Podesta/etc. Read their article and you be the judge. Then again, does it matter WHO? I posit that it only really matters WHAT.

Dirty Cow is a recently discovered kernel exploit that affects just about every Linux distro out there. Lovely. Here are the links for each Linux distro type:

From the super creepy department: If you’re on Skype and you’re also typing, the people on Skype can take the sounds of you hitting the keys and reconstruct them as text, thereby knowing what you’re typing to other people or in other windows while you’re on Skype. May want to rethink what you’re doing while chatting on Skype.

For the hash nerds: Is SHA-256 still safe or is it going the way of MD5 and others? Darknet.org.uk says it’s good to go…for now.

In case you didn’t know, a lot of what you see on Twitter may be bots. Also called “computational propaganda.” In other words, you’re being manipulated. Like that’s news.

If you bought a #NeverHillary sticker in the last 6 months, your credit card is probably compromised. Read this for details.

If you’re running a Tor hidden service, don’t be this guy.

You may not have noticed early this morning, but a lot of major sites were down due to a Denial of Service attack.

That’s it for now. If you haven’t registered for the Basic Privacy and Anonymity Webinar in November yet, better get on it.

 

You are responsible for your own safety

Hello Patriots,

Today we present to you a letter that we received the day before the Cascade Mall shooting.  In it, the author, who wishes to be identified as El Pavo, describes for us the security situation at what may be one of the most underappreciated targets in Western Washington – the Puyallup Fair.  Over one million people attend the fair every September, making it a fairly tempting, and soft, target.

Out of respect for El Pavo’s position, we’ve adjusted the language of his letter and changed minor details to protect his identity.  I assure you, however, that his experience is genuine and the threats he describes are real.  After the letter we’ll come back and add a little commentary before closing out.

Hello TOWR,

As we discussed, I’d like to share with you my experience working at the Washington State Fair.  Now that I’m just about done working there for the year, the risk of blowback is reduced, even if my identity is compromised.

During the three weeks the fair was open, I worked several days a week with one of the food vendors.  One of the most troubling things about the fair was the attempted appearance of security.  Outside of the fair, if you stick to the main parking lots, your vehicle will be reasonably secure.  There’s a lot of staff and law enforcement there, bored and directing traffic.  There’s the usual “We’re not responsible for your stuff” disclaimers as you would expect.  When you get to the gate the cracks in security begin to show.

If you’re fortunate enough to be an early bird and show up before noon, you can flash your ticket and breeze through into the fair unmolested.  After noon, however, you will be forced to submit to a bag check or be denied entry.  The bag check is a joke.  On one of my first run-ins with the bag check mafia, I was asked to unzip the main compartment of my backpack.  The checker, most likely a TSA reject, shined his light inside, ignored the medium MOLLE pouch inside, and said it was fine.  He did not check any of the other pockets.  Had I chosen to, I could have smuggled in two pistols and a dozen magazines in this bag without effort.

The funniest part of this incident came as I was putting my bag back together.  The checker pointed directly at my gun, concealed by an untucked shirt, paused a moment, and told me, “You need to take care of that.”  Had I printed?  Did my shirt ride up when I wasn’t paying attention?  I stared incredulously at him for a moment before he clarified.  “Your knife.  You need to put it in your pocket so I can’t see the clip.”  I repressed a smirk and an eye roll, dropped my knife in my pocket, and entered the fair.  I put my knife back in its normal place and was comforted by the weight of my full sized Glock on one hip and two magazines on the other.

Inside the fair you find a reasonable police patrol presence and EMS presence.  They are on autopilot, however.  Many vendors will, when you speak to them, express their distress at the lack of enforcement of the most basic rules.  People litter, smoke, and do things that are actually dangerous, such as riding bicycles through heavy pedestrian areas.  During lost child events the police take a report and then stand still, not taking any action or calling for help as the parents scramble looking for their child.  Their rounds are also highly predictable.  I am confident that any crime that is not violent or a significant property crime will be overlooked.

With just these few vulnerabilities in mind, how could someone with terroristic intent attack the fair?

Backpack sized explosive devices?  No problem.  Simply come before the bag checks start.

Bigger explosive devices?  Easily done with almost zero risk for around $5,000.  All the attackers need to do is apply as a vendor and pay for a booth.  Vendors get early access to the fair and the attackers could simply bring their equipment in with the props they need to maintain their appearance.

Mass shooting?  I think the answer is easy for pistoleros.  An individual could walk in with a couple of pistols and a bunch of magazines on their person and never be given a second look.  Could someone sneak in a rifle?  A broken down AR with a bunch of magazines will fit in a backpack just fine.  All our fictional attackers need to do is come in before the bag checks start.

There are many choke points and areas where an attacker could do large amounts of damage with a vehicle, both inside and outside of the fair.

As you can see, security is just so much Kabuki.  I hope you find this letter useful.

El Pavo

El Pavo has given us a first-hand account of the security at the fair.  I don’t think, even if the management cared or was motivated to improve it, that they would be able to do so without negatively impacting their business.  You’d have to do metal detectors, pat downs, and stop and frisk, along with searching the vendors, reducing access outside, and so on.

The key thing to remember is that if you choose to go to an event like this, safety is your responsibility.  Carry your gun, carry a compact trauma kit, and know how to use them.