No Surveillance State Month, Part 30: Start a Conversation

Last but not least: in order to get change to happen in the government, assuming you don’t have enough money to buy whatever change you want, you need to get society riled up. Snowden did a great job at this, because he illustrated for the country what was being done, and had the credibility to do so, rather than just saying, “yeah, the government is doing all this bad stuff” like many of us have assumed for years.

But, the spread of an idea happens not because the media talks about it, but because families talk about it at the dinner table, co-workers at the water cooler, Redditors bitch and moan on the Internet, etc. No matter how big your “megaphone” is, it is not bigger than the millions of small voices working together. Discussing your concerns and sharing with those who, perhaps, don’t understand why this is a problem, why this is a problem, is so important.

If you’d like to share things they can do to protect their privacy, here’s an index of this series (share this post to share the index, or pick a post and share the direct link):

It’s been an exciting month. I started this series before the Snowden leak, and it just so happened to have perfect timing. I hope it’s raised a little bit of awareness of how we’re all tracked and what we can do to stop it.

This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.

June 30, 2013 1

No Surveillance State Month, Part 29: Contact Congress

This one feels beaten to death, but while we all say it, I bet less than 5% of you have actually called your Congressperson and two Senators. I’ve called mine twice each since the NSA scandal broke out, and it’s easy.

First, how to find them: for Senators, Google. Simply type in their name (if you know it) or type in us senators statename to find the pair for your state. For Reps, use the handy tool put out by the House.

Next, what to say: all you have to do is tell them what you like or don’t like. You can be polite if you want: “Hi, my name is Jon Corbett, I’m a constituent in Miami Beach, and I’m concerned about the NSA’s collection of the information of Americans like me. Is the [Rep./Sen.] working on this?” You can be less polite if you want: “I’d like to know why my [Rep./Sen.] hasn’t gotten off [his/her] ass to fix this whole NSA mess. Has [he/she] not heard of the Constitution? What am I paying [his/her] salary for?” Either way, the person on the other end will probably give you the briefest of statements (or say “I don’t know”), ask you for some demographic information (ZIP code, area code, etc.), and then record your opinion in a database, which gets aggregated and put together as a report for your Rep. or Sen.

Remember, everyone has 2 Senators and 1 Representative, so you have the opportunity to make your voice heard — if you feel strongly about an issue, there’s no reason not to call all three. Each call will likely take 60 seconds. Don’t e-mail, don’t write. Your phone call is the best way to make an impression because you are using one of their resources for the time you’re on the line.

June 29, 2013 3

No Surveillance State Month, Part 28: Tweet Companies Who Abuse Your Privacy

Twitter is such a unique little social networking tool. Never before has 140 characters had the potential to be so powerful. As a company, it’s a great way to generate a buzz about your product or service. But on the flip side, while a company can participate in the Twitterverse, it can never control it. Anyone can send a public message to or about your company, and there’s nothing you can do to suppress that speech. Your only option to counter speech you don’t like is with more speech of your own — a First Amendment advocate’s utopia.

And so, I propose to you this: the next time a company takes more information than necessary, is found to have disclosed information in a way that you don’t like, or otherwise oversteps your privacy boundaries, let them know, in public, on Twitter. You make the company aware that you know (and disapprove) of their transgression, you let their customers know the same, and you place great pressure on them to fix the issue.

Companies must know that you’re watching in order to care. It’s really simple to give them that message.

June 28, 2013 2

No Surveillance State Month, Part 27: Third Party (“Tracking”) Cookies

When you visit a Web page, what gets displayed on your screen can be the combination of the resources of many servers: a YouTube video hosted by Google, an image hosted on Flickr, and text content hosted by WordPress can be the building blocks of a single page. Another one of those building blocks is often advertising.

By default on some browsers (but luckily, fewer and fewer newer ones!) each resource has an opportunity to store a cookie on your computer. Cookies are harmless in themselves — just a small amount of text stored by the server — but when a particular resource is hosted on multiple domains, the resource owner, using cookies, can hold a list of your visits to those domains, effectively tracking you as you go between Web sites that show the same ads. Some advertisers have such a strong hold on the market (Google, for example), that they are a part of a sizable portion of the Internet and develop a clear picture — too clear — of who you are.

The solution is a setting in most Web browsers that allows you to let cookies from the main resource (the server whose address is in the address bar) through, which is required for many Web sites to work, while not allowing servers of embedded resources (such as an ad provider) to live on your computer, which is required pretty much only to track you. Here’s how to do it in all major browsers.

June 27, 2013 1

No Surveillance State Month, Part 26: Big Brother on the Road

Our last post covered how local governments can track you walking on the streets. It doesn’t get much better for other modes of transportation. Consider:

Do you drive? Mind the license plate readers (pictured) tracking you and putting you in a database every time you pass by. This man submitted a FOIA request for the records collected on his car and found that his location had been logged (and photographed!) 112 times.
On the highway? If you use E-ZPass, SunPass, or any other prepaid toll system, each trip you make is logged. They can potentially even use this data to show how fast you were going by timing your passage between two points.
Taking a train? Bought your ticket on your credit card? Or worse, bought a fare card (Metrocard, etc.), which records every swipe?
Taking an airplane? lol 🙂 You know the deal already.

All of these pieces of what the NSA would call “metadata” can be pieced together. You buy a fare card on your credit card, and they know who you are. You swipe it at a turnstyle, and there’s a camera there being recorded and retained. Your entire journey can be watched, and as facial recognition increases, their ability to have a computer follow you from camera to camera increases.

Scary, isn’t it?

What can you do? The #1 lesson here seems to be pay in cash. It’s much harder to track your every step if you don’t broadcast your entry into the dragnet with a credit card swipe. On the road there are nifty little license plate covers designed to make your plates harder to photograph (an example I found on Google). But remember, we should be fighting against these systems before they’re implemented. 🙂

June 26, 2013 4

No Surveillance State Month, Part 25: Local Big Brother

In 2006, I accepted a contract to work as a technical consultant for the NYPD’s Counterterrorism Division. I soon found out that I was to be working on a project known as the Lower Manhattan Security Initiative, which was, at the time, a fairly reasonable security measure: link together the cameras near the stock exchange, a sensitive, non-residential area of downtown Manhattan, for monitoring by the police. We built them a beautiful operations center to do just that, and my contract ended. [Note: While my contract required non-disclosure, all of the information posted herein can be found by searching through news reports. The NYPD is quite proud of their surveillance.]

Of course, fast forward, and the NYPD has now persuaded dozens of private building owners in lower Manhattan to send them 1,000+ camera feeds and has expanded the project to midtown, an area significantly more residential. With the midtown project likely completed, the NYPD would now have 3,000 cameras accessible to them in their command center, giving them the ability to follow you around the city as you travel on foot. These cameras are, of course, recorded, so that the police can go back in time (allegedly for 30 days) to watch you walk around the city. This was especially useful for watching “hot chicks,” whom the officers would regularly review for “suspicious activity.”

New York is not alone. London actually did it first, and you can expect that many large cities have implemented some form of centralized camera monitoring. Many don’t have a problem with it: you’re in public, after all. But personally, I find it a bit creepy that the city can not only watch me live, but go back in time and watch me. Add this to the subway cameras, and you can track someone pretty much the entire time they’re outside.

What to do?

Well, awareness is half the battle. Know that the camera attached to the deli across the street may not be just to watch to make sure you didn’t steal a bag of Cheetos, but may be the police state keeping tabs on you. The rest of the battle is fighting these initiatives when they are proposed. What seemed like a fairly innocuous proposal to watch the financial centers has now expanded, and surely will continue to expand. Be aware that every “reasonable” tool will be twisted until it is nothing like the original.

June 25, 2013 1

No Surveillance State Month, Part 24: The Smell of Packets

If you’ve done everything else we’ve suggested, but still are uber-paranoid that some sort of hacker, government or otherwise, is leeching data from your computer, there’s one way to find out for sure: packet sniffing.

Packet sniffers, also known as protocol analyzers, record and identify all traffic travelling through a network interface, such as your wireless card. When traffic leaves your computer, it is broken up into chunks called “packets,” and this software will make a list of each packet, its “metadata” (date/time, source, destination, port number, etc.), and optionally, the full contents of the packet. If someone is taking data from your machine, you’ll see it.

There is but one gold standard in packet sniffing, and has been for as long as I can remember: Wireshark (formerly known as Ethereal). It’s cross-platform, free, and awesome.

June 24, 2013 1

No Surveillance State Month, Part 23: Hunting Malware

Ever go to a Web site, see things start to blink on your computer, and know that you probably just got some kind of epic computer virus? It happens every once in a while. There’s hope.

First, every Mac user tells me that Macs don’t get viruses, so fine, you guys are on your own. The first stop for a PC user should be Windows Defender (pre-Windows 7) / Microsoft Security Essentials (Windows 7+), which are free anti-malware apps put out by Microsoft. They’re very easy, they fix most malware, and did I mention, free?

Next on the list is to check your HOSTS file. A HOSTS file is a file that overrides DNS, which basically means that when you type in a domain name, you might actually end up somewhere else (generally, right where your attacker wants you). Run Notepad as an administrator (right click and click Run As Administrator), and open up C:\Windows\system32\drivers\etc\hosts. There should only be 2 lines that don’t start with a “#”, and both of them should end with “localhost.” If you see more than that in there, chances are, you have an issue. There are potentially legit (but somewhat rare) reasons your host files may be modified, so in order to make your changes reversible, instead of deleting lines, just add a “#” to the beginning of the undesired lines.

Last, the tool most pros will use to find bad things on your computer is called HijackThis (Note: Not for use at TSA checkpoints!). HijackThis is a brilliant piece of software that lists almost everywhere on your system that a virus can hide. The downside is that it take a bit of tech expertise to know what to remove — but Internet forums and/or that nerdy family member who knows the Interwebs can set you straight. Once you know what you want to remove, you just click on the item in HijackThis and select Fix, and the problem will be removed.

June 23, 2013 2

No Surveillance State Month, Part 22: Archive Your E-mail

There are two good privacy-related reasons to archive (take offline and store somewhere on your local computer) your e-mail:

If it’s not online, the government can’t request it. Perhaps the NSA has already intercepted it, but if they haven’t, or if another agency wants it but doesn’t have the clout to make the NSA produce it, you’re now in control — not Google or whoever your mail host is.
The government thinks your old/read e-mail isn’t constitutionally protected. The DoJ has argued that e-mails that are read, or e-mails that are 180+ days old, are no longer subject to privacy if you leave them sitting on the server. This is obviously fucking absurd, but the idea still hasn’t been officially shot down because last time it was tried, the government withdrew its request rather than fight for it.

How to do it? If you use a corporate mail server such as Exchange server, you can set up personal storage folders (.pst files) using Outlook. Move your e-mail there, and they’re offline (assuming your company hasn’t retained them). Gmail user? Try this article on for size.

June 22, 2013 1

No Surveillance State Month, Part 21: Password Questions Are the Devil

You know those, “If you forget your password, answer these questions to get into your account” things? That always ask you in what city you were born, what your mother’s maiden name was, etc.? Well, think about it for a second: assuming you answer those questions honestly, what are the odds that other people also know or can look up that information? There you were coming up with some kind of uber-complex string of characters for your password, which can be bypassed by searching for your mom’s marriage announcement.

This is how a lot of celebrity account hacks happened. Nude pictures of Scarlett Johannsen are on the ‘net thanks to password questions.

The solution is to make the answer to your password question a password in itself. Simply pick a new password, and use that for your password question. If that makes things too hard to remember, even something as simple as adding an arbitrary word before/after the real answer will make things significantly more secure. “New York” and “Smith” become “New York Blue” and “Smith Blue,” or “Alligator New York” and “Alligator Smith.” Easy to remember, unlikely to guess.

June 21, 2013 5

Category: No Surveillance State Month