At this point, my ultra-private iPod phone is set up and ready to use. If you choose to follow a similar course, it is important to define how you will actually employ the device before you start to use it. This will also dictate the tradecraft you should undertake to support your use case. As I see it, there are essentially two ways this device can be used. Both will make you more private and secure. It is up to you to decide how far you need – or want – to take it.
At this point in the process, the iPod has been initially set up, and the settings modified to make it as organically secure as possible. At this point it is necessary to fund the iTunes account. Even if you only plan to use free applications, the account must be funded before you can download apps. The smallest denomination gift card you can purchase is $10 (I was unable to find anything below $15).
Yesterday’s post covered the initial device setup for my Private iPod Phone. Today’s post will go through the settings that impact privacy and security. The goal of these settings is to make the device as inherently hardened as possible. These changes are designed to lower the footprint of the iPod by limiting the amount of information it transmits, making it less trackable, and generally less “noisy”. These are all important factors to me when creating my ultra-private iPod phone. Many of these settings can also be applied to your iPhone.
Welcome back to Part 2 of my attempt to create a private and secure iPod phone! When I started this series I thought it would consist of three parts: procurement, setup, and use. Setup took far more time than I expected, however, so I am going to cover this stage of the process somewhat more slowly. One of the reasons I wanted to do this experiment was to see what roadblocks I might run into. True to form, I ran into a couple of problems right off the bat. This post will cover setting up the iPod phone initially, and modifying basic settings for privacy and security.
Some time ago I read an amazingly good article on using an iPod Touch as a secure/private phone. I love the idea, and I have thought about it for quite a while. An iPod Touch is remarkably similar to an iPhone, but potentially far more private and secure. Recently I decided to try it for myself and see how easy (or hard) it would be to set up. I also had unanswered questions about its actual use. Part 1 of this article will cover device procurement and the lengths I went to for anonymity’s sake. Parts 2, 3, and 4 will cover setup, and Part 5 will cover actually using my new, ultra-secure and private iPod phone.
My last post covered threat modeling the Tor Network. While I have a very nuanced opinion of Tor, I do think it is ideal for certain use cases. Unless contraindicated. Using Tor is not difficult, but there are some potential pitfalls to be aware of. This post will cover how to use the Tor Browser Bundle.
Download and Install the Tor Browser
The first step is to download the Tor Browser from https://torproject.org. Before you install it you should verify the integrity of the file. The Tor Project has an excellent tutorial on how to do this here. Additionally, I will begin to post checksums for the Tor Browser this month. After you have verified the file, install it. If you use a Mac, double-click the .dmg and drag the icon into your applications folder. A few more steps are required if you use Windows, but setup is not difficult. Instructions are available here.
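As an added example (not from the original post or from the Tor Project), the sketch below checks a downloaded file against a published SHA-256 checksum list in `sha256sum` format and reports a missing entry as a failure rather than a pass. The file names and sample data are constructed, and a checksum is only meaningful when it is obtained through a channel separate from the download itself.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large installer never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_checksum_list(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"not a SHA-256 hex digest: {raw!r}")
        entries[name] = digest
    return entries

def verify_download(path, checksum_text):
    """Return 'ok', 'mismatch', or 'unlisted' (no entry for this file name)."""
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # never treat a missing entry as a pass
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed sample (not real Tor data): the known SHA-256 of the bytes b"abc".
SAMPLE_LIST = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
               "  sample-installer.dmg\n")

def demo():
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in [("sample-installer.dmg", b"abc"),    # intact
                           ("sample-installer.dmg", b"abc "),   # one byte added
                           ("other-file.exe", b"abc")]:         # not in the list
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(body)
            results.append(verify_download(path, SAMPLE_LIST))
    return results

if __name__ == "__main__":
    print(demo())
```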
Begin Browsing with Tor
You are now ready to begin browsing. Double-click the Tor icon. Tor will ask you to choose between “Connect” and “Configure”. For the vast majority of use-cases connecting directly is your best option. The “configure” option gives you the ability to use a bridge or proxy. Using a bridge or proxy may be necessary if you are in a country or on a network that blocks Tor traffic. Configuring a bridge or proxy is fairly intuitive, should you need to do so.
When you connect to the Tor network, your request is first routed to a directory server. This server will create your custom “circuit”, the network of three nodes through which your traffic will be routed. When your connection is established, the Tor browser will open automatically. You are now ready to browse through the Tor network. The Tor Browser is a modified version of Firefox. Browsing with Tor is superficially no different than browsing with Firefox with one or two exceptions.
Using Tor-Specific Features
Clicking the Onion button opens some options not available in Firefox. It also displays your Tor circuit and allows you to change the following options:
- New Identity: This closes all open tabs and discards any browsing data, like cookies. A new, clean instance of the browser is then opened. I do not recommend this
- New Tor Circuit for this Site: This feature builds a new circuit for the tab that is currently open.
- Privacy and Security Settings: See below.
- Tor Network Settings: Allows you to configure bridges and/or proxies if needed.
- Check Tor Browser for Updates: Always keep your browser up-to-date. I recommend checking each time you open Tor because updates are frequently released.
Privacy and Security Settings: Click this to open an additional dialogue. The privacy portion has four radio buttons. Leave all of these checked. The security dialogue contains a slider and allows you to choose a desired level of security (low, medium-low, medium-high, high). These settings correlate roughly to threat models. The higher your threat model, the higher a level of security you should choose. I believe you should always use “high”. It is less convenient and requires a working knowledge of NoScript, but if you are going to use Tor you should use it to its full potential. On the other hand, ease-of-use may convince more people to use it overall.
Potential Problems with Tor
Tor is imperfect for everyday use. There are reasons it is not incredibly common. Among them: the Tor Network is slow. Traffic is routed through multiple servers, usually in multiple countries. This inevitably slows your traffic. Additionally, your traffic is slowed at least to the speed of the slowest server in your circuit. You will also be forced to solve captchas to visit or log in to some websites, and encounter other minor inconveniences. You will also encounter security issues when using the Tor Browser. I addressed some of these in my last post. My next post will address one of them specifically: exit node security through HTTPS.
The Tor Browser Bundle is a terrific security tool. Tor is a decentralized, anonymization network. To use it you need a specific internet browser, and it allows you to be as close to anonymous as one can be on the internet. It also strongly encrypts your traffic, and best of all, it is free. Readers have asked my opinion on Tor, and why I have not written about it. There are some potential downsides to using Tor. As a result, I have very mixed, very nuanced feelings about using it. Before jumping into and using this tool you should take some time to consider these Tor threat models. Though I typically analyze variations of the tool itself, my Tor threat models are in relation to use cases and user profiles rather than the tool.
An adage that I’ve used several other times on this blog and in my books, and one that is nearly a personal credo, is that convenience is inversely proportional to security. This seems to apply equally well to personal privacy. Said another way, the more convenient something is, the more personal privacy and control of your identity you are probably sacrificing. Credit and debit cards are one such convenience. Though it is certainly more convenient to swipe a credit card for purchases than it is to use cash, it also creates a tangible record of each transaction. With cash you have to make time to visit an ATM, carry bills, manage change, etc. Making matters worse, all of these inconvenience factors are compounded if you make multiple small purchases throughout the day.
Despite its inconveniences, making multiple small purchases throughout the day is precisely the reason you should use cash. Your purchases record a wealth of data about you, including your location and movement, purchases, interests, hobbies, and a plethora of other information. I didn’t fully realize the extent to which my personal pattern of life was spelled out in black and white until I bought my first home. One of the requirements for the loan application was to submit three months of statements for all bank and credit accounts. I was very, very disheartened when I had to submit statements for several accounts that looked something like this:
| Date | Transaction | Amount |
|---|---|---|
| 07/01/15 | Debit – Local Grocery Store #1 | $17.35 |
| 07/01/15 | Debit – Local Grocery Store #2 | $31.53 |
| 07/02/15 | Debit – National Coffee Chain near Work | $4.88 |
| 07/02/15 | Debit – Convenience Store near Work | $2.37 |
| 07/02/15 | Debit – Lunch Restaurant near Work | $12.72 |
| 07/02/15 | Debit – Gas Station | $43.68 |
| 07/02/15 | Debit – Local Grocery Store #2 | $8.19 |
| 07/04/15 | Debit – National Coffee Chain near Work | $4.88 |
| 07/04/15 | Debit – Big-Box Department Store | $81.41 |
| 07/04/15 | Debit – Local Dinner Place near Home | $27.12 |
| 07/04/15 | Debit – Large National Bookstore | $27.19 |
| 07/05/15 | Debit – Fast Food Place near Work | $6.01 |
| … | And on, and on, and on… | |
Unfortunately, years prior I had subscribed to the philosophy that plastic is easier to use and somehow inherently better than paper. What I did not realize was that I was sharing a ton of personal details about my life with others. The packet I handed over to the loan officer painted a very thorough picture of my pattern of life for the three months prior to my loan application (which could be extrapolated to the last few years). Though there was nothing “shady” on my cards, it was a little embarrassing to share such granular level of detail about my life with strangers. The sickening realization that I had been sharing all of this information with my bank and creditors for years sank in that day, too.
Purchasing with cash offers much more anonymity. Unless you are purchasing something that requires you provide your real name, firearms and cars being obvious exceptions that come easily to mind, purchases with cash are about as close to anonymous as you can get. There is no paper trail, no bank statement, and no overarching record of your life and activities. If I had it to do over again (and I do going forward) I would have made some changes in my personal habits. My account statements would have reflected the same period of time a bit more succinctly, like this:
You will notice that because I used cash, this brief statement covers a period over four times as long as the above example, while still being eight lines shorter. Not only is this statement more compact, it also reveals very little about me. It does not reveal where I buy my groceries or how often, or the location of my favorite coffee, lunch, and dinner restaurants, or my culinary preferences. It does not associate my name to any of my purchases.
I attempt to use cash as much as possible but I realize I will never be able to fully eliminate credit cards from my life. Air travel, rental cars, and hotels require credit cards. I still find myself in locations where I don’t want to pay exorbitant ATM fees, and end up using my card. But I use it a lot less, which is what I am truly advocating: using more cash and less plastic. This reduces the amount of information about yourself that you give over to your bank, your lenders, anyone curious enough to swipe a statement out of your mailbox (assuming you don’t use a P.O. Box), and yes, maybe even the NSA.
Using cash isn’t bulletproof, and it won’t make you totally anonymous. But it will lower your signature, offer you a lot more anonymity, and make an attacker’s job a bit harder. Every little bit helps.
I am proud to announce that I am currently co-writing a book with well-known author and privacy expert Michael Bazzell. Michael is the author of several privacy- and security-related works including Hiding from the Internet and Personal Digital Security: Protecting Yourself from Online Crime, as well as the immensely popular Open Source Intelligence Techniques. The idea for this project has been a long time coming and we are well underway with the process.
The working title is currently The Complete Privacy and Security Desk Reference. This 600+ page work is intended to be an all-inclusive privacy and security resource for law enforcement, special operations and intelligence personnel, victims of identity theft and domestic violence, and those with an avid interest in privacy and security. The book will draw from our collective experiences and previous writings and will contain a myriad of new material and techniques. Our intent is to provide the reader with a book that will
“explain how to be digitally invisible. You will make your communications private, internet connections anonymous, computers hardened, identity guarded, purchases secret, accounts secured, and home address hidden. You will remove all personal details from public view and will reclaim your right to privacy. You will no longer give away your intimate details and you will remove yourself from the system. When taken to the extreme, you will be impossible to compromise.”
The Complete Privacy and Security Desk Reference is due for release in January 2016. An accompanying five-day live training course with Justin Carroll and Michael Bazzell will also be available beginning in 2016.
As any of my readers know I hesitate to give out any personal information. Using the same physical address, email address, phone number, and credit card number helps data marketers build very thorough profiles about us and I do everything I can to undermine this. A service that is relatively new (at least to me) helps to make it much easier to avoid giving out this information. This service is called Blur.
Before moving on it should be pointed out that Blur is a paid service. Though there is a free version available, its functionality is very limited. Blur Premium costs a very reasonable $39/year with discounts for purchasing multiple years ($59/2 years and $79/3 years). For the features Blur provides the cost is totally worth it, and most of the features described below require a premium subscription.
Blur helps to protect your privacy through a number of features including Masked Emails, Masked Phones, and Masked Cards. The Masked Emails function works similarly to services like notsharingmy.info and 33mail. When you create a masked email, Blur will give you a randomly-generated email address that will forward your mail to your real account. You can create as many masked email addresses as you like, allowing you to have unique usernames on your accounts and protect your real address. Masked Emails even protect your email address when you reply, a feature not currently offered by notsharingmy.info and only offered as a paid feature in 33mail. Blur allows you to cancel forwarding to any masked email at any time, so if you sign up for a service that is bombarding you with junk mail you can simply log in to your account and toggle forwarding to “off”, or delete the address entirely.
Blur also has a built-in username and password generator. When you sign up for a new account or service and generate a username with Blur it will be a masked email address. Unfortunately the passwords generated by Blur are only 12 characters long (though they are complex) and I have found no way to change this. Masked Phone is another interesting feature that allows you to generate a phone number through Blur that will forward calls and text messages to your phone. Unfortunately you can only have one Masked Number at a time, and the cost to change your masked number is $7; additionally there is a $.01 charge for each incoming call, for each minute used, and for each incoming text. At this time you cannot send outgoing text messages from your masked number.
Blur’s most exciting feature by far is Masked Cards. Blur allows you to create masked credit cards for online purchasing. When you wish to make an online purchase you log into Blur and create a new masked card. The amount of purchase will be charged to your “real” card, and the masked card works much like a pre-paid gift card. Blur will give you a credit card number, expiration date, CCV, and billing address, and you can choose the name and shipping address. This limits the amount of information that retailers, credit card companies, and third-parties can accumulate about your purchases, the benefits of which are obvious. It also limits the exposure of your real credit card number on the internet.
With the ability to obscure your email address and phone number, create masked credit cards, generate unique, complex usernames and passwords, and manage it all in one place, Blur is almost a one-stop-privacy solution. Your Blur account can be protected with very strong passwords (I haven’t found a length limit yet) and two-factor authentication and can be accessed through your browser, Blur’s add-on for Firefox/Chrome, or their Android/iOS app.