Privacy – The Order of the White Rose

The Truth About Anonymous Accounts Online

The absolute first two things you need to ask yourself before trying to make an anonymous Facebook account are why do you want one and who are you hiding from? In fact, these two questions drive even the feasibility of your exercise.

A few months ago we published the beginning of what was meant to be a primer on making anonymous accounts on Facebook. For the next few months, we were besieged by people who wanted the second half of that process and thought we were holding out on them. We weren’t; the information is constantly changing, constantly moving and morphing into something even more shadowy than the personalities people wanted to make online. Part of the thing we accept in order to play in this particular section of the pool is the need to learn, to constantly watch for new information that forces a change in how we think, how we act, how we teach. The members of TOWR talk a great deal amongst themselves, about what information we are learning, how it fits into the bigger picture, what the best way to teach it is. Through it all, we have sought to answer one question every single time: Is the information we are teaching correct? If we aren’t going to teach the correct information, if people cannot trust the information we give them, then we shouldn’t be teaching at all. And while we’d have loved to come out with the second part of the Facebook series immediately, we learned a great deal of information that not only made writing the second piece problematic, but made the first one obsolete.

Sometimes it happens where we all endorse a skill, a device, even a person, and we later find out we were wrong. What should we do? Correct the record? Simply stop teaching the wrong info and hope people figure it out? Make a Facebook group plastering that person’s name all over the place? While social media groups “calling out” people seem to be popular these days, that’s not effective, and it’s not how we work. Those who need to know information we have are given it, using the appropriate channels and the correct process. When it comes to the idea of making anonymous social media accounts, this article is what I’d consider the correct process. So let’s get started. First of all: ignore the previous article on this subject because it is obsolete.

The absolute first two things you need to ask yourself before trying to make an anonymous Facebook account are why do you want one and who are you hiding from? In fact, these two questions drive even the feasibility of your exercise. Let’s take a look at various purposes for anonymous accounts.

“I run my mouth a lot on Facebook, or I like to talk trash to certain people, and I don’t want them knowing it’s me.” If this is your purpose, you don’t need an anonymous account. You need testicular fortitude, which is outside our wheelhouse, sorry. If you were sitting across a table from me and actually said this was your purpose, I would get up and leave.
“I want to join patriot groups as a fake name because OPSEC.” Again, this is very high on the list of reasons that should disqualify you from getting taught how to do this for one reason that will become very obvious later.
“I don’t want the government knowing that I’m in patriot groups on Facebook.” This is not possible. In fact, I’ll say it again: It is not possible to hide from the government on Facebook, and I’ll explain this more in a moment because it needs clarification.
“I want to use Facebook without giving up my privacy.” Nope, sorry — if you have a Facebook account, you do not have privacy. It’s that simple.
“I want a second account to use on my phone for patriot activity coordination.” No. Even if you did make a second account and only accessed it from your phone, you’d be dead in the water BECAUSE you accessed it from your phone, and you’d screw every other person you talked to, whether or not you were coordinating with them.

If any of those reasons are why you want an anonymous account, then walk away now because they are not feasible. Now let’s look at the reasons and ways you can have an anonymous Facebook account.

You want to use Facebook but aren’t comfortable with your boss or coworkers seeing it, or you’re interviewing for a job. This is a perfectly good reason to have an anonymous account. Keep in mind that it will not work if this is a second account; it defeats the purpose. Your best bet, if you really need to do this, is to deactivate your current account and make a fake account with a fake name that sounds reasonable (Jack McCoy, for instance, not Shiggy Sugarbottom or Jane BenghaziJones). The caveat to this is…you guessed it…no politics. Nothing. Puppy videos and likes on food posts. In fact, keep in mind that making that fake account and then adding your family and friends, by nature of the data machine, will automatically identify you anyway, as will using any device or wifi you’re already associated with to access it. You can see the issues already, right?
You want to use the account to infiltrate a leftist group, such as a semi-local Antifa group. Now THIS is doable — but it requires some caveats as well. The people you’re up against often have skills you don’t. If you so much as make the slightest mistake, you’re identified, and then you’re toast. I say semi-local (or even far off) as opposed to very local because if you join the local group, you may be expected to actually show up in person at an event. If you have other photos of yourself on the internet (and who really doesn’t at this point) then you are easy to identify as well. This is possibly best done with a two-man team; you get into his local group and he gets into yours, and you never talk on FB, you never talk at all unless you can pull off meatspace or a message drop on some Tor-based or i2p-based message service that follows the protocols below.
You want to use the account to use Facebook without the government knowing what you’re doing. Here’s the problem. Every single device you own, every wifi you have ever connected to with one of those devices OR done any of your normal routines on, every page you’ve ever visited, every like, comment and share you’ve ever done is part of the data package that is you. That means, if you want to be able to use Facebook while hiding from the government, you need to strictly adhere to the following:
1. Never use a device you have ever used before. Any device you choose MUST only be used for that particular account. So you’re literally talking about purchasing a laptop (has to be a laptop, and a specific kind of laptop, like an old refurb, that’s also been altered for this purpose) just so you can have a Facebook account on it. Is that worth it to you?
2. Never use an internet connection you’ve used before. That means every time you log into that account, it needs to be from a new place. This is true for tradecraft reasons as well as technical. You don’t want to get on a first name basis with the barista at the Starbucks two blocks from your house.
3. Never drive your own vehicle to your connection point. Also, don’t take any means that can be tracked back to you. That means, don’t get in an Uber, etc.
4. Never take a phone with you of any kind. No burners, no flip phone, no smartphone, nothing. Don’t wear your Apple watch or FitBit (why do you have either of those anyway, if you care about privacy so much that you need an anonymous Facebook account?)
5. Never dress in a way that will stand out in the specific venue and area that you’re choosing for that particular outing. In fact, put some thought into your choices of venue. If you’re 50 years old, 300 pounds, and bearded in a non-hipster way, don’t choose a venue in a trendy millennial area because you WILL stick out no matter what you wear. Be honest with yourself about what you can pull off.
6. Never use your debit card on these trips. In fact, I wouldn’t even take them — or anything else that can identify you.
7. Never connect without a VPN. We’ve covered those elsewhere; if you’re not already familiar, you’re sorely behind.
8. Never connect to anything you normally look at. Don’t check your email. Don’t check the hits on your website. Don’t go to websites you normally frequent. And for the love of all that’s holy, don’t sign into your regular Facebook account. There is no such thing as “just doing one thing quick.” You’re done.
9. Never join Facebook groups or like pages that your regular account is associated with. And while it should be freaking obvious, don’t go to that group and announce to everyone that this is your new account. Don’t message people, don’t do anything but lurk.
10. Never tell anyone that you have another account. For any reason, at any time. No one needs to know about it.
11. Never use that Facebook account to coordinate any activity, mention any areas, or mention any fact about yourself. If you need to use the internet to coordinate activity, then you are working with people who are too far away — and you don’t know them well enough to do anything with them.
12. Never visit any websites AT ALL while logged in to your Facebook. Don’t keep it open in a tab while you surf.
13. Never use a browser that is not set up to block scripts, etc. Tor is good, if you’re already following the rest of these protocols.
14. Never stay online any longer than you absolutely have to, in order to do the things you signed in to do.

You’ve probably read through this list and thought, “Man, what a pain!” Yup. It is a pain. If you had some idea that you could sit in your recliner naked while eating cheetos and wreak havoc on the enemy, then I’m glad I could burst your bubble, because anyone who is making Facebook accounts and has violated even one of the precepts above has not only identified himself, he’s also endangered everyone he talks to. I mentioned earlier that it’s impossible to hide on Facebook from the government. That’s true. It is, however, possible to become someone else, if you are willing to put the work in and can compartmentalize to the extent necessary. We cover this in the Internet Privacy webinar, and to some extent I’ve just explained it above.

While the list above may seem overly paranoid, it’s not. If you’ve read the Vault7 disclosures (and actually read THEM, not just read the quick summaries the establishment ‘media’ put out), or if you’ve read the rest of the Wikileaks information on the subject, then you should already be aware that the list above is the bare minimum. In fact, I wouldn’t even guarantee your anonymity if you follow the list exactly, because their capability is always changing, new surveillance cameras are always going up, and depending on where you live, you can be seen on camera more than sixty times a day. That’s not counting license plate readers, facial recognition, touch DNA, or anything else. Like it or not, the surveillance state is total, and it is oppressive, and unless you are willing to do the work, you won’t get anywhere.

In short, the question isn’t really how to set up an anonymous Facebook account; it’s whether your particular purpose is worth the money, time, and aggravation of doing it. I can’t make that decision for you; if you’ve read through this list and you are willing to make that commitment, then more power to you. If you think you can do some of the list and ignore others, then God help whoever you’re talking to, because you just put your own laziness above their safety.

If you’ve gotten all the way through and are still wondering how to make yourself an anonymous account, read it again. The “how” is in there.

Your Anonymous Browsing May Still Identify You

A disturbing study reported on the The Atlantic highlights something we already know: Human nature will screw us every single time; in short, you screw yourself.

If you’re on Twitter, chances are that even if you are browsing anonymously, your history will identify you. Why? Because of how you — and all other humans — behave in a normal setting.

Here’s how the de-anonymization system works: The researchers figured that a person is more likely to click a link that was shared on social media by a friend—or a friend of a friend—than any other random link on the internet. (Their model controls for the baseline popularity of each website.) With that in mind, and the details of an anonymous person’s browser history in hand, the researchers can compute the probability that any one Twitter user created that browsing history. People’s basic tendency to follow links they come across on Twitter unmasks them—and it usually takes less than a minute.

Granted, this was in a test environment. But notice something very critical about the statement the researchers make:

Ultimately, if you want to use Twitter under your own name, there’s little you can do to thwart this de-anonymization technique. “Our deanonymization attack didn’t use any easily-fixed flaw in the Twitter service,” said Ansh Shukla, a graduate student at Stanford and one of the paper’s authors. “Users behaving normally revealed everything we need to know. As such, the research strongly implies that open social networks, detailed logging, and privacy are at odds; you can simultaneously have only two.”

Pay attention. If you tweet (or use Facebook) under your own name, there is no such thing as privacy. While he states you can have two out of the three, note that there are very few ways to stop the detailed logging and still use social media sites because they are designed from the ground up to log and track everything you do. In other words, your only other option is to create a separate everything. Get a throwaway refurbished laptop, run Linux on it, get a VPN, use TAILS, and use that particular laptop away from your home for reading your various stuff, buying your sensitive items, whatever. Save the Windows laptop in your recliner for puppy pics, paper towel orders on Amazon, and answering your grandmother’s messages about whether you’re going to the family campout.

While you’re at it, go to MyShadow.org and take a look at what traces you are leaving.

Are Your Kids’ Toys Spying on Your Family?

Just when you think the surveillance state has reached the apex of creepiness, this happens. Consumer groups say that two toys made by Genesis Toys are spying on your kids–and that’s not all.

The Electronic Privacy Information Center (EPIC), along with the Campaign for a Commercial Free Childhood, the Center for Digital Democracy and Consumers Union have filed a complaint (PDF) with the Federal Trade Commission over the My Friend Cayla doll and the i-Que robot. EPIC and the other consumer watchdogs claim the “toys subject young children to ongoing surveillance” and violate privacy and consumer protection laws.

As if that’s not enough, it gets worse.

…the watchdogs allege that they upload the recordings to Nuance Communications, a voice technology company that has military, law enforcement and intelligence agencies as clients.

Remember Nuance? They were responsible for Dragon NaturallySpeaking, the speech-to-text engine that quickly became the gold standard. What would they possibly want with a voiceprint of your kids? You guessed it.

The consumer groups allege that Nuance uses the recordings to improve the products it sells to military, government and law enforcement agencies. One particular product, Nuance Identifier, helps security officials search millions of recordings and identify criminals by the sound of their voices.

It always goes back to this, doesn’t it? Now watch the dancing by Nuance.

Richard Mack, Nuance’s vice president of corporate marketing and communications, said his company doesn’t sell or use the voice data it collects for marketing or advertising purposes.

“Upon learning of the consumer advocacy groups’ concerns through media, we validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint,” Mack wrote in a blog post on the company’s website. “Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers.

Let’s parse that out.

“Doesn’t sell or use the voice data it collects for marketing or advertising purposes.”

Well, that’s a true statement. The government clients of Nuance have no interest in marketing or advertising, and Nuance never says they aren’t using the data for surveillance purposes. Keep in mind that one tactic of deception is to deny something that has not been accused, while not answering the actual accusation. That’s what they’re doing here. They do not address the actual thing they are accused of doing–namely, using the voice data of your kids (and you) to improve products they’re selling to the government, such as a database of voiceprints for ‘identifying criminals.’ They do not address the surveillance actions. They create a wholly new accusation (marketing and advertising) and deny that.

“Upon learning of the consumer advocacy groups’ concerns through media, we validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint.”

They claim they learned about consumer advocacy groups’ concerns “through media,” and that they “validated that we have adhered to our policy” but take note: They have already told you, through omission, that they do use the voice data collected to improve surveillance products for the government and military. Therefore, we already know what their “policy” is, because they have told us. Now they clarify that further:

“with respect to the voice data collected through the toys referred to in the complaint.”

As opposed to…? The other voice data collected in other products (such as Dragon personal assistant for Android)? Such as Dragon NaturallySpeaking? This sentence is another omission. Let’s look at it in context again. They’re also by default admitting that there are other places where they do NOT adhere to their ‘policy.’

“we validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint.” The word “with” signifies distance. The shortest sentence is generally the least sensitive and most likely to be true. He takes an incredibly large number of words to say, “No, we did not use the voice data for surveillance,” or “No, we did not give our voice data to the government.” In fact, look again. He never says that at all. He does say that they “share voice data collected from or on behalf of any of our customers with any of our other customers.” Before you look at that as a solid denial, let me point out one thing. What’s the definition of sharing? Even in a digital technology context, it means “to give specific users access to (online content), as by posting it on a social-media website or sending it as an email attachment.” He’s not sharing the content, he’s selling the content. Two different words, two different concepts. Again, he’s using very specific words and then trusting that the listener will interpret them to mean what he wants them to mean, instead of what the truth is.

As further proof of this, take a look at his previous statement. They do not use the voice data for marketing or advertising purposes. Now take a look at one of the dolls’ features:

“My Friend Cayla is pre-programmed with dozens of phrases that reference Disneyworld and Disney movies,” the complaint reads. “For example, Cayla tells children that her favorite movie is Disney’s ‘The Little Mermaid’ and her favorite song is ‘Let it Go,’ from Disney’s ‘Frozen.’ Cayla also tells children she loves going to Disneyland and wants to go to Epcot in Disneyworld.”

Is he lying? Not at all. The doll is absolutely a marketing and advertising tool, but they are not using the voice data for that particular function. Therefore, he is giving a truthful statement—but he is not telling the whole truth. He is still being deceptive, and the loser in this game is always, will always, be you and your family’s privacy.

The surveillance state is real. It is in your home, it is in your kids’ toys. If you buy your kids Christmas presents, think before purchasing something that interacts with your child. You may be buying way more than you bargained for.

TOWR Security Brief: 12 Sept 2016

[et_pb_section admin_label=”section” transparent_background=”off” background_color=”#ffffff” allow_player_pause=”off” inner_shadow=”off” parallax=”off” parallax_method=”off” padding_mobile=”on” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” make_equal=”off” use_custom_gutter=”off” custom_padding=”||0px|”][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” use_custom_gutter=”off” custom_padding=”||0px|” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” column_padding_mobile=”on”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”center” text_font=”PT Sans|on|||” text_text_color=”#bcbcbc” use_border_color=”off” border_color=”#ffffff” border_style=”solid” text_letter_spacing=”2px” custom_margin=”||0px|” custom_padding=”||0px|”]

TOWR TECH & SECURITY

[/et_pb_text][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”center” max_width=”660px” text_font=”PT Sans||||” text_font_size=”72″ text_text_color=”#1d1d1d” use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”18px||80px|” text_line_height=”1.1em” text_font_size_last_edited=”on|desktop” text_font_size_tablet=”52″]

TOWR Security Brief: 12 September 2016

[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section][et_pb_section admin_label=”Section” fullwidth=”off” specialty=”off” transparent_background=”off” background_color=”#f7f7f4″ allow_player_pause=”off” inner_shadow=”off” parallax=”off” parallax_method=”off” padding_mobile=”on” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” make_equal=”off” use_custom_gutter=”off” custom_padding=”0px|||”][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”0px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_image admin_label=”Image” src=”https://www.whiterose.us/wp-content/uploads/2016/08/kit.jpeg” show_in_lightbox=”off” url_new_window=”off” use_overlay=”off” animation=”off” sticky=”on” align=”center” force_fullwidth=”off” always_center_on_mobile=”on” use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”-48px|||”] [/et_pb_image][et_pb_text admin_label=”Author” background_layout=”light” text_orientation=”center” text_font=”PT Sans||||” text_font_size=”18″ text_text_color=”#323232″ text_line_height=”1.4em” use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”14px||0px|”]

Kit Perez

[/et_pb_text][et_pb_text admin_label=”Date” background_layout=”light” text_orientation=”center” text_font=”PT Sans|on|||” text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”0px|||”]

08 August 2016

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”0px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_text admin_label=”Intro” background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”24″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”40px||0px|” text_line_height=”1.4em” text_font_size_last_edited=”on|tablet”]

Welcome to this week’s TOWR Security Brief. The privacy/tech world is constantly changing, and it’s important that you stay informed because any one of those changes may affect how you need to conduct yourself on the internet. Our briefs are designed to give you a short overview of the pertinent news items over the last week, and let you know what you need to do about them.

[/et_pb_text][et_pb_text admin_label=”Topics” background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”20″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”30px||0px|” text_line_height=”1.5em” text_font_size_last_edited=”on|tablet”]

In this week’s brief:

The Killer USB stick, a flash drive that fries any computer it’s plugged into, is now on sale. You need one–for your own computer.
Tor Messenger 0.2.0b2 is out, so you’ll want to upgrade (or get it to begin with).
Speaking of Tor, we’ve got more information on how you can be identified on Tor if you’re not careful.
You know all those Bluetooth- and Wifi-enabled devices and appliances you thought were so cool at first? They’re spying on you. That’s their actual purpose.
Still think that people don’t get paid to be trolls, disrupting your social media conversations and forum threads or posting disinformation to color your opinion on an issue? Think again.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” use_custom_gutter=”on” custom_padding=”50px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” column_padding_mobile=”on” custom_padding_tablet=”17px|||” custom_padding_last_edited=”on|tablet” custom_width_px=”830px” parallax_2=”off” parallax_method_2=”off” gutter_width=”2″][et_pb_column type=”3_4″][et_pb_image admin_label=”Image” src=”https://www.whiterose.us/wp-content/uploads/2016/09/USBkill.png” show_in_lightbox=”off” url_new_window=”off” use_overlay=”off” animation=”fade_in” sticky=”on” align=”left” force_fullwidth=”off” always_center_on_mobile=”on” use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_image][/et_pb_column][et_pb_column type=”1_4″][et_pb_divider admin_label=”Divider” color=”#aeaeac” show_divider=”on” divider_style=”solid” divider_position=”top” hide_on_mobile=”off” custom_css_main_element=”width:130px;”] [/et_pb_divider][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” text_font=”PT Serif||on||” text_font_size=”16″ text_line_height=”1em” custom_margin=”20px||0px|” max_width=”130px”]

You need this…for yourself.

[/et_pb_text][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” text_font=”PT Serif||on||” text_font_size=”12″ text_line_height=”1.2em” custom_margin=”6px|||” max_width=”130px”]

Photograph by USBKill.com

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”0px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_text admin_label=”Point 1″ background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”20″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”46px||0px|” text_line_height=”1.5em” text_font_size_last_edited=”on|tablet”]

You’ve got all kinds of data on your computer. Whatever you have on your computer is your business….until the feds make it their business. Should you find yourself in need of ditching the info on your computer at a moment’s notice, there’s a little something called USBKill that can help you out with that. It was a proof of concept but now it’s real.

The USB Kill collects power from the USB power lines (5V, 1 – 3A) until it reaches ~ -240V, upon which it discharges the stored voltage into the USB data lines.
This charge / discharge cycle is very rapid and happens multiple times per second.
The process of rapid discharging will continue while the device is plugged in, or the device can no longer discharge – that is, the circuit in the host machine is broken.

They’re $50, and you can get them here. (No, we’re not getting a kickback for that endorsement. We’re buying them too!)

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”50px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_divider admin_label=”Divider” color=”#aeaeac” show_divider=”on” divider_style=”solid” divider_position=”top” hide_on_mobile=”off”] [/et_pb_divider][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” text_font=”PT Serif||||” text_font_size=”32″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”16px||30px|” text_line_height=”1.3em” text_font_size_last_edited=”on|tablet” max_width=”900px”]

“USB Kill stick could be a boon for whistleblowers, journalists, activists…” – thehackernews.com

[/et_pb_text][et_pb_divider admin_label=”Divider” color=”#aeaeac” show_divider=”on” divider_style=”solid” divider_position=”top” hide_on_mobile=”off”] [/et_pb_divider][/et_pb_column][/et_pb_row][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”17px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”20″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”30px||0px|” text_line_height=”1.5em” text_font_size_last_edited=”on|tablet”]

Tor Messenger is out with an updated version. You can get it here. One of the biggest changes is secure updating:

Moving forward, Tor Messenger will prompt you when a new release is available, automatically download the update over Tor, and apply it upon restart. Keeping Tor Messenger up-to-date should now be seamless, painless, and secure.

Nifty.

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”off” width_unit=”on” use_custom_gutter=”on” custom_padding=”50px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” column_padding_mobile=”on” custom_padding_tablet=”17px|||” custom_padding_last_edited=”on|tablet” custom_width_px=”830px” parallax_2=”off” parallax_method_2=”off” gutter_width=”2″][et_pb_column type=”4_4″][et_pb_image admin_label=”Image” src=”https://www.whiterose.us/wp-content/uploads/2016/09/shutterstock_445905166.jpg” show_in_lightbox=”off” url_new_window=”off” use_overlay=”off” animation=”fade_in” sticky=”on” align=”left” force_fullwidth=”off” always_center_on_mobile=”on” use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_image][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” text_font=”PT Serif||on||” text_font_size=”16″ text_line_height=”1em” custom_margin=”20px||0px|”]

Are Tor hidden services making you easier to catch?

Photo by Shutterstock

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”17px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”20″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”30px||0px|” text_line_height=”1.5em” text_font_size_last_edited=”on|tablet”]

At this point you’re probably using the Tor Browser, and you may or may not be using it to browse the Dark Web. Can you trust Tor’s Hidden Services DIrectories? Naked Security says no way.

In their presentation, Non-Hidden Hidden Services Considered Harmful, given at the recent Hack in the Box conference, Filippo Valsorda and George Tankersley showed that a critical component of the Dark Web, Tor’s Hidden Service Directories (HSDirs), could be turned against users.

Targeting HSDirs is so easy that the researchers suggest you should avoid the Dark Web if you really care about your anonymity.

Isn’t that fun?

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” use_custom_gutter=”off” custom_padding=”17px|||” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” column_padding_mobile=”on” custom_width_px=”620px”][et_pb_column type=”4_4″][et_pb_text admin_label=”Point5″ background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”20″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”30px||0px|” text_line_height=”1.5em” text_font_size_last_edited=”on|tablet”]

If that didn’t put a dent in your day, let’s talk about the Internet of Things, or IoT. Everything in our house is seemingly tied to wifi or Bluetooth now, it seems. From your smart fridge to your smart TV to your security cameras to the thermostat. Apps like IFFFT automate things even further (allowing you to set conditions and actions such as “If my phone leaves the house, turn the thermostat down to 60 degrees, and turn it back up when I am showing as 1 mile from home.”), moving data between apps and devices that normally wouldn’t talk.

One of the things we hammer home in the Basic Privacy class is that the more convenient something is, the less secure and/or safe it is. Robert Gore at Straight Line Logic rounds up a few articles that are so must-read that we’d forgive you if you went over there before finishing this security brief. You need to understand the nature of the IoT threat and what it means for you and your family. You may realize, after reading, that maybe you don’t need all those conveniences after all.

[/et_pb_text][et_pb_text admin_label=”Text” background_layout=”light” text_orientation=”left” max_width=”620px” text_font=”PT Serif||||” text_font_size=”20″ text_text_color=”#363636″ use_border_color=”off” border_color=”#ffffff” border_style=”solid” custom_margin=”30px||0px|” text_line_height=”1.5em” text_font_size_last_edited=”on|tablet”]

And lastly, we have this gem. DIsinformation is not only a favorite tool of the Powers That Be and their lackeys, but it’s big business. Schneier has details.

But Aglaya had much more to offer, according to its brochure. For eight to 12 weeks campaigns costing €2,500 per day, the company promised to “pollute” internet search results and social networks like Facebook and Twitter “to manipulate current events.” For this service, which it labelled “Weaponized Information,” Aglaya offered “infiltration,” “ruse,” and “sting” operations to “discredit a target” such as an “individual or company.”

Schneier makes the salient point that some of the claims made could possibly be exaggerated, but the real point, as he reminds us, is that there are governments interested in these services, and willing to pay big money for them. Do you really think no one’s providing them?

That’s all for this week’s brief. Stay tuned tomorrow for a list of updated class offerings for the next 6 months!

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” custom_width_px=”980″ use_custom_gutter=”off” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” column_padding_mobile=”on” custom_padding=”50px||0px|”][et_pb_column type=”4_4″][et_pb_image admin_label=”Image” src=”https://www.whiterose.us/wp-content/uploads/2015/12/TOWR_LOGO_V2.png” show_in_lightbox=”off” url_new_window=”off” use_overlay=”off” animation=”off” sticky=”off” align=”center” force_fullwidth=”off” always_center_on_mobile=”on” use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_image][/et_pb_column][/et_pb_row][et_pb_row admin_label=”Row” make_fullwidth=”off” use_custom_width=”on” width_unit=”on” custom_width_px=”980px” use_custom_gutter=”on” padding_mobile=”on” allow_player_pause=”off” parallax=”off” parallax_method=”off” make_equal=”off” parallax_1=”off” parallax_method_1=”off” parallax_2=”off” parallax_method_2=”off” parallax_3=”off” parallax_method_3=”off” column_padding_mobile=”on” gutter_width=”2″ custom_padding=”30px|||” custom_padding_tablet=”6px|||” custom_padding_last_edited=”on|tablet”][et_pb_column type=”1_3″][et_pb_blog admin_label=”Blog” fullwidth=”off” posts_number=”1″ include_categories=”68″ show_thumbnail=”on” show_content=”off” show_more=”off” show_author=”on” show_date=”on” show_categories=”on” show_comments=”on” show_pagination=”on” offset_number=”0″ use_overlay=”off” background_layout=”light” use_dropshadow=”off” use_border_color=”off” border_color=”#ffffff” border_style=”solid” header_font_size=”15″ saved_tabs=”all” global_module=”26311″] [/et_pb_blog][/et_pb_column][et_pb_column type=”1_3″][et_pb_blog admin_label=”Blog” fullwidth=”off” posts_number=”1″ include_categories=”87″ show_thumbnail=”on” show_content=”off” show_more=”off” show_author=”on” show_date=”on” show_categories=”on” show_comments=”on” show_pagination=”on” offset_number=”0″ use_overlay=”off” background_layout=”light” use_dropshadow=”off” header_font_size=”15″ use_border_color=”off” border_color=”#ffffff” border_style=”solid”] [/et_pb_blog][/et_pb_column][et_pb_column type=”1_3″][et_pb_blog admin_label=”Blog” fullwidth=”off” posts_number=”1″ include_categories=”62″ show_thumbnail=”on” show_content=”off” show_more=”off” show_author=”on” show_date=”on” show_categories=”on” show_comments=”on” show_pagination=”on” offset_number=”0″ use_overlay=”off” background_layout=”light” use_dropshadow=”off” use_border_color=”off” border_color=”#ffffff” border_style=”solid” header_font_size=”15″] [/et_pb_blog][/et_pb_column][/et_pb_row][/et_pb_section][et_pb_section admin_label=”section”][et_pb_row admin_label=”row”][/et_pb_row][/et_pb_section]

TOWR Security Brief: 25 August 2016

Hi everyone,

Please accept our apologies for the delays on getting this brief out. I’m filling in for Kit on this post, so the formatting might be a different than you’re used to.

In this week’s brief, we’re going to talk about:

Surveillance in Baltimore
NSA Word Games
3DES and Blowfish vulnerabilities
Vulnerabilities in Juniper Firewalls

Baltimore:
https://t.co/Eq3iVAs2Lw

From Bloomberg, news of surveillance in Baltimore. Of particular interest is an airborne live feed surveillance system that can view an entire city.

“In 2006 he gave the military Angel Fire, a wide-area, live-feed surveillance system that could cast an unblinking eye on an entire city.

The system was built around an assembly of four to six commercially available industrial imaging cameras, synchronized and positioned at different angles, then attached to the bottom of a plane. As the plane flew, computers stabilized the images from the cameras, stitched them together and transmitted them to the ground at a rate of one per second. This produced a searchable, constantly updating photographic map that was stored on hard drives. His elevator pitch was irresistible: “Imagine Google Earth with TiVo capability.””

Remember that the next time you’re at a protest.

—
NSA Word Games:
https://www.eff.org/deeplinks/2016/08/nsa-word-games-mass-v-targeted-surveillance-under-section-702

The EFF recently published an article illustrating how the NSA torments language to downplay its surveillance of the American people.

“Since 2008, the NSA has seized tens of billions of Internet communications. It uses the Upstream and PRISM programs—which the government claims are authorized under Section 702 of the FISA Amendments Act—to collect hundreds of millions of those communications each year. The scope is breathtaking, including the ongoing seizure and searching of communications flowing through key Internet backbone junctures,[1]the searching of communications held by service providers like Google and Facebook, and, according to the government’s own investigators, the retention of significantly more than 250 million Internet communications per year.[2]

Yet somehow, the NSA and its defenders still try to pass 702 surveillance off as “targeted surveillance,” asserting that it is incorrect when EFF and many others call it “mass surveillance.”

Our answer: if “mass surveillance” includes the collection of the content of hundreds of millions of communications annually and the real-time search of billions more, then the PRISM and Upstream programs under Section 702 fully satisfy that definition. ”

That’s what, in statement analysis, is called a personal dictionary. Make sure when you’re speaking to someone that you know what they mean when they use a particular word or phrase.

—
3DES and Blowfish Vulnerabilies:
https://threatpost.com/new-collision-attacks-against-3des-blowfish-allow-for-cookie-decryption/120087/

Threat Post recently published an article regarding the possibility of older ciphers used to encrypt authentication cookies for the web being cracked.

“RC4 apparently is no longer the lone pariah among smaller cryptographic ciphers. Already broken and set for deprecation by the major browser and technology makers, RC4 could shortly have company in Triple-DES (3DES) and Blowfish. Researchers are set to present new attacks against 64-bit ciphers that allow for the recovery of authentication cookies from 3DES-protected traffic in HTTPS and the recovery of usernames and passwords from OpenVPN traffic, which is secured by default by Blowfish.”

Our advice is to always make sure your browser is up to date, use two-factor authentication where possible, and if privacy is really important use TAILS or Tor Browser.

—
Juniper Firewall Exploit:
http://www.scmagazine.com/juniper-confirms-leaked-nsa-exploits-affect-its-firewalls-no-patch-released-yet/article/518235/

Speaking of our friends at the NSA, security appliance manufacturer Juniper Networks just revealed that, unsurprisingly, they have a vunerability that could allow access to, well, pretty much anyone. How does your traffic flow across the internet? Who else is compromised and hasn’t publicized it yet?

—

That’s it for this briefing. Stay tuned, we’ll have more coming soon. Thanks for your feedback and input!