Archive by Author

So you want to be anonymous: Your IP address, the low hanging fruit.

This is part 1 of a series of posts on how to increase your anonymity and privacy on the Internet.  The introduction and index can be found here.

Most people, technical or not, understand that your IP address is a unique way to find an individual on the Internet.  Law enforcement, criminals, people who need to be anonymous, and most technologists understand the basics of an IP address and how it can be used to identify you.  It is by no means the only way, but it is the easiest and, to a degree, the most cost effective.  It is so easy and so cost effective that as a society we are trying to make it even easier.

There are many proxy services that will ‘hide’ your IP address and offer you anonymity and privacy.  While they may claim they do not log identifiable information such as your IP address, what if they change their mind and don’t tell you?  Maybe an advertising company approaches them with an offer they can’t refuse.  Maybe an employee is willing to risk making some extra cash on the side by extracting the data.  The laws of the country where the provider is located, and the atmospherics the government is facing with respect to anonymity and privacy both nationally and internationally, might force the provider to go against claims it has made to its users.  For example, there are laws in several countries that allow law enforcement not only to request that your ISP provide personally identifiable information without a court order, but also to add a ‘gag’ order that prevents the ISP from telling you, even if it stated in its contract that it would.

The reason this is possible boils down to control.  ISPs and other service providers on the Internet are businesses and are registered in at least one country.  That makes them traceable: they can be found, and they can be forced by government, law enforcement, or other powerful organisations to comply with certain demands.  These businesses could have employees who are willing to risk helping a third party for some extra cash.  Their systems could be hacked and data stolen, or they just may not care about your privacy even if they say they do.

If you want to have privacy and reduce your exposure to that privacy being taken away, you have to maintain a certain amount of control.  You need to maintain control of your electronic devices, physically and technically, and control of the services you use and how you use them.  You need to keep enough control that the amount of work needed to determine who you are is not worth the cost of discovering it (more on this in a future post in this series).

Services such as The Tor Project, The Freenet Project, and I2P are some examples that allow you to hide your IP address.  While they do not guarantee anonymity, they are distributed, not centrally controlled, open in source and information, and specifically designed to improve anonymity and privacy.  As such, they drastically increase the time and complexity for anyone trying to discover the identity of a target.  While I use all these networks for various projects, I am most familiar with Tor and have the most experience with it, both as an end user and in how it works technically, so I will use it as an example.

Tor is available for many operating systems including Windows, Linux, OS X (Mac), and Android.  I am most comfortable with the Linux operating system and use several versions of it regularly, but I’ll use Windows for this post to demonstrate hiding your IP address, as Linux is more technical when it comes to the set-up and I want to ensure people who are not technical at least get an understanding of the ease with which you can get some privacy.

Using a simple Windows 7 install, I downloaded the Tor Browser Bundle for Windows and installed it (which is really just extracting it into uncompressed files).  Going to the extracted files you will find an executable called “Start Tor Browser.exe”.  Running this executable will bring up a control window similar to the picture below and immediately connect you to the Tor network.  Once completed, a browser will appear (Firefox) and should send you to the URL https://check.torproject.org, which will confirm you are on the Tor network and tell you what your current IP address looks like when you browse.  This address should change every so often, and you are not connecting directly to this IP address either.  You are connecting through a relay of 2-3 systems, and each of these systems is unaware of where the data is coming from (except for the initial connection point) or where the data is destined (except for the exit system).

Below, you can see the log entry from this blog for a visit I made using Tor.  The IP address recorded is 31.172.30.4, which is located in Germany.  I am sitting in Canada on an IP address that is in the 24.x.y.z range (24.0.0.0/8).
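From the web server's side, the same effect can be checked against a log file. This is an added example, not code from this blog: it parses Combined Log Format lines and marks which client addresses are on a Tor exit list or inside the 24.0.0.0/8 range. The log lines, the exit list contents, and the address 24.10.20.30 are constructed for illustration; only 31.172.30.4 and 24.0.0.0/8 come from the post.

```python
import ipaddress
import re

# Combined Log Format: client address, identity, user, [time], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+')

# Constructed sample data. Only 31.172.30.4 and 24.0.0.0/8 come from the post.
EXIT_LIST = """\
# constructed exit list, one address per line
31.172.30.4
198.51.100.7
"""
ACCESS_LOG = """\
31.172.30.4 - - [01/Jan/2012:10:00:00 -0500] "GET / HTTP/1.1" 200 5120
24.10.20.30 - - [01/Jan/2012:10:01:00 -0500] "GET /feed HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2012:10:02:00 -0500] "GET /about HTTP/1.1" 404 512
this line is truncated garbage
"""
AUTHOR_NET = ipaddress.ip_network("24.0.0.0/8")  # the author's real range per the post


def load_exit_list(text):
    """Return the set of exit addresses, skipping comments and bad entries."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # ignore malformed entries rather than abort
    return exits


def classify(log_text, exits, home_net):
    """Return (ip, request, on_exit_list, in_home_net) for each parseable line."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # hostname or junk in the address field
        rows.append((str(ip), m.group("request"), ip in exits, ip in home_net))
    return rows


if __name__ == "__main__":
    for row in classify(ACCESS_LOG, load_exit_list(EXIT_LIST), AUTHOR_NET):
        print(row)
```

The request that arrived over Tor is attributed to the exit address, and nothing in the log line ties it back to the 24.0.0.0/8 range.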

Tor is actually much more functional and complex than what I have demonstrated here.  The bundle that I installed to create this blog post has been packaged up and put together so that, regardless of your technical abilities, you can get on Tor quickly and easily and increase your anonymity and privacy.  Tor can actually anonymize almost any program you have, not just your browser (assuming it is TCP protocol based).  For those requiring more than just anonymous web browsing, you can get quite complex with Tor configurations.  You can also control where you exit, how often your relay and paths change, and many other aspects.  I encourage anyone interested in the more technical details of how Tor works to head over to the Tor Project website.  There you can find research papers, guides, protocol descriptions, concepts and many other articles to get as knowledgeable about Tor as you wish.

Finally, usage of any of the anonymous networks (not just Tor) does not mean that your identity cannot be discovered.  Adversaries that are willing to commit the time, resources, and potentially the money can find other ways to reveal an individual’s or group’s identity.  I will discuss some of these in future posts in this series.  However, a curious ISP wanting to know what their customers are up to, or an entity that has an IP address and is trying to connect it to an identity, will have to put forth more effort if they wish to discover the real identity.  For good people simply wanting some privacy, this increased cost incurred by the entity trying to discover the identity will not be worth the hassle.

 

 

What The Eyes Reveal

What The Eyes Reveal: 10 Messages My Pupils are Sending You http://goo.gl/mag/m0l4L

How the mind really works

How The Mind Really Works: 10 Counter intuitive Psychology Studies http://goo.gl/mag/U1YIi

Can You Spot The Fake Smile?

With practice, most people can tell the difference between a fake and true smile. You don’t need to read the article, just take a look at the two photos of Julia Roberts.  The Duchenne smile (named after the researcher that discovered it), activates additional muscles in the face when true happiness is experienced. 

http://www.facscodinggroup.com/facial-movements/can-you-spot-the-fake-smile.html

Cybercrime – it might not be as bad as you think

Article by Dinei Florencio and Cormac Herley on how the typical cybercrime statistics we see are flawed by the statistical methods used, resulting in numbers that are not typical of our conventional wisdom.

Capacity Planning quiz

If you are involved with capacity management, this is a set of basic questions you can ask yourself and your team.  If you are a consultant on a gig involving capacity management with a new client, these are excellent questions to casually ask in initial conversations to get a baseline of the client’s actual knowledge and identify potential gaps.

http://www.uptimesoftware.com/uptimeblog/uptime/key-to-capacity-planning-is-knowledge/

How Society Works: 8 Revealing Psychological Insights Into Our Social Behaviour

Most people will have at least heard of some of these experiments by Stanley Milgram.  What I find interesting is how they play out in real life in a work or office setting.  I have found them to be very applicable over the years.  I don’t think it is good or bad, but I find that applying these to situations I see or am involved in is a good way to further understand and baseline the individuals you interact with.

How The Changing Face Of Mid-Market IT Is Going To Change Your Security Strategy

Good summary post on how security and infrastructure are changing rapidly with cloud computing and the advent of BYOD (Bring Your Own Device).
http://feedproxy.google.com/~r/StillsecureAfterAllTheseYears/~3/NxCfwgw-5Yc/how-the-changing-face-of-mid-market-it-is-going-to-change-your-security-strategy.html

So, you want to be anonymous: An Introduction

I often have conversations with people about being anonymous, specifically while on the Internet.  Most people believe that anonymity is not possible today.  Others believe that by taking specific steps (deleting your browser history and ensuring SSL is active are two of many examples) you will not be traced.  In my opinion and experience both points of view are correct.  While there is never a 100% guarantee of being totally anonymous, you can take steps to improve your anonymity.  The first step to being anonymous is to understand that anonymity is not black and white.  There are lots of questions you have to assess and answer.  What is the situation you find yourself in?  Why do you want to remain anonymous in the situation?  Who may try to discover your identity in that situation?  How badly will someone or a group want to obtain your true identity?  What resources and intelligence do you have at your disposal to protect your anonymity?  What resources and intelligence does the individual or group that would want to discover who you really are have available to them?  These are but a few of the many questions, and their applicability depends on the situation.

A good analogy to anonymity is basic physical security.  I have security at my home: the doors lock, the windows close and lock, only certain people have keys, and there is an alarm system.  If you compare my home security to the home security of a criminal organization’s leader, you can be certain they will have more security than I do in my home.  They may have people standing post watching all sides of the house, large perimeter fences with alarms, bullet proof windows, steel doors with reinforced frames, hired bodyguards throughout the home, rehearsed escape plans with get-away vehicles and whatever else they deem necessary.  You can walk up to my front door and ring the doorbell; I might even answer if I am home.  You would first have to find the home of the leader of a criminal organization.  They probably have multiple homes, so you would have to determine which one they were in at a particular time.  Assuming you could accomplish that, you probably will not make it to the front door if you were to try, let alone have the leader answer the door if you were able to physically get to it.  The reason they have better security is not just that the criminal organization has way more money than I do.  It is because they have something that is of much higher financial value than I do.  A criminal organization has something of value to protect (merchandise, leader, industry knowledge) and is willing to spend more money on security because the risk of losing what they are protecting is greater.  Security is the same with any organization, be it financial, private, pharmaceutical, mining, government, or whatever.  What are the most treasured items or knowledge I have to protect?  How much do I have to lose if those items or that knowledge were stolen or obtained?  What is an acceptable level of risk for losing this property or knowledge?  What will the cost of security be to get to an acceptable level of risk?

Anonymity is no different.  If I want to purchase a gift for a family member that costs $100, I can spend hours setting up tunnelling protocols, configuring a special browser and operating system, and setting up an untraceable method of payment so that I can place my order knowing with confidence that my family, my ISP, law enforcement, and anyone else won’t know (at least not without a lot of time and money on their part).  I may have to learn how to do all this.  But even if someone does know how, it takes time to set this up and check that it is in fact secure.  For me, that time is worth more than the $100 I am spending on the gift.  I’d probably just order it on a normal PC, using a normal Internet connection, clear the browser history, and hope no one sees the credit card statement before the gift arrives.  Could my ISP see that I ordered flowers?  If they wanted to, yes.  Do I care?  Not really.

But what if I want to browse a particular website and not have Google know about it?  What if I wish to do research on a particular topic and I don’t want any person, group or company knowing that I am interested in that topic?  What if I am conducting an investigation into an individual who works for a company and we know he is technically savvy and has an intricate knowledge of security?  In those cases, it is worth my time to plan properly so the risk of being exposed is reduced.  These questions, and the how-to, will be the topic of a series of blog posts I will write entitled “So, you want to be anonymous.”  I am not sure how many posts will be in the series yet (I suspect 4 or 5), but I will try to keep each post short and cover one topic of maintaining anonymity.  Anonymity on the Internet is something that has always interested me and many others.  There is lots of information on the Internet about it (both true and false information).  I used to have to keep up with being anonymous in order to do some of the work I have done in the past.  Today, I mainly keep up with it just because it interests me.  The next posts in this series will start with a general discussion on a few of the basic ways you can be monitored at the network as well as application levels.  Next we can discuss ways to avoid being monitored and to minimize digital trace evidence that can lead back to a particular target from the network, service, and application perspective.

Series Index:

1. Your IP Address, the low hanging fruit

  Photo courtesy of…

 

The 5 year post

If you are reading this, then this blog has been around for 5 years.  The post was set to automatically publish at the 5 year mark.  Technically my first post was September 16, 2006 entitled “Hello World” which you can find here, but it was nothing other than a test.  At the time, I was experimenting with blogs and was not sure if I wanted to participate in having a blog or not.  My two main reasons for considering starting a blog were:

Practice my writing skills: I always struggled with writing essays or stories in school and to this day I do not consider myself a good writer.

A place to record my interests:  I constantly read, research security and other topics of interest and I wanted a way to keep track and reference items of interest.  This seemed like a way to do this and to share it with anyone else that might be interested.

After lots of thinking and quite a few conversations with friends I was on the fence. Dan Siemon convinced me that it was a good thing.  Dan has very strong engineering skills which are combined with an understanding of how technology affects people.  He is also a past co-worker and a present good friend.  In a conversation over coffee, Dan stated that social media gives the opportunity for people to quickly post truths and lies about anyone.  Once it is out there, it is difficult if not impossible to erase.  Having an active history that you control, showing what you have accomplished, your opinions and experience, your relationships and associations, all help to greatly reduce the impact of one person or group potentially spreading false accusations.  That convinced me.  5 years later, here we are.

I have read and researched into the multitude of ways to run a blog.  Some people just write about all things in their daily lives, what they do, what they are interested in, what concerns them.  Others keep their blog very focused on a particular topic or area.  My blog initially started out with a network security focus (since that is what I have been doing for a career and continue to do to this day).  But I have interests outside of security as well.  As such this blog has grown and it is not a single focused blog.  But it isn’t a random blog either.  If you had to pick a single focus to describe my blog, it would be “Things that Michael is passionate, interested or amused about”.   Generally posts fall into a few large categories:

  • Network Security – technical
  • Network Security – implications, impact, concepts
  • People (behaviour and profiling)
  • Information Privacy and how information connects and relates
  • Leadership and Management

The list above is not exhaustive but it covers most of the topics of the posts.  I am working as time permits to reduce my categories and tags to match the list above as closely as possible.

I have been asked on occasion questions such as: Why do I blog?  Do I have lots of traffic to my blog?  What do I intend to do with my blog?  Lots of expert bloggers have articles with suggestions of ways to build traffic to your blog, increase your subscribers, or make a business out of your blog.  These were never my goals or intent and still are not.  It is a place for me to practice my writing and keep track of what interests me.  If something I write interests someone and they wish to discuss, great.  If they don’t, that is okay too.  It really is just a place on the Internet — my place.  I’ve enjoyed the last 5 years, and will continue to post for the foreseeable future and/or until it no longer fits my life.

Photo courtesy of Highlighthealth.com

 

 
