Security and Safey conference, June 2000
Attracting unwanted attention is a frequent danger to those of the VC, so preventative security or a switch of identity is sometimes our best tool to self-preservation. This process is not as simple as it once was but neither is it overwhelmingly difficult when approached properly. Online safety is as critical as offline precautions in protecting our identities and thus in some cases, our lives. At the root of this is the necessity for shielding ourselves from the invation of a variety of stalkers, researchers, and hackers as the internet is a vast gateway leading directly to our doorsteps. This campaign of safety must take place both Offline and Online simultaneously in order to be successful.
Areas of expertise for the hosts:
NARRADAS: Online - Safety and security related to email, guestbooks, ICQ, message boards and websites. Offline - Security and safety issues involved with meeting people for the first time one-on-one: where, when, how to get there, what to do, precautions to take, etc.
ISTHME: Paper trail chasing (from the registrar of voters to your magazine subscriptions), Reverse tracing to your home (name, phone, address, etc), electronic security (email, PGP and firewalls), tracker cookies, IP tracerouting and the dangers of cable IP's, mail drops (relaying and forwarding), and advice on personal safety.
==== SURVIVING THE ONLINE IDENTITY GAME =============================
Be willing to change identities without looking back. If your identity is cracked, you must shed it and that includes all the paid ISP services as well. Never get the same nicks again. Safe identities are the ones you are not attached to.
This also means you do NOT tell anyone what your previous online identity(s) is/was.
Protecting yourself online goes a long way to protecting yourself offline. Most online data leads to offline data, and a paper trail.
==== EMAIL BASICS ===================================================
When presenting yourself in the VC, never EVER use an email that you pay for. This leads to your identity and you can be hacked in much worse ways than mailbombing if your attacker is sly. Freemails and many webmails now have spam protection and can also be abandoned if there is a problem with full mailboxes and such.
When using webmails, bear in mind, that many of them have YOUR outgoing IP address in the headers when you use them to send mail. This cannot be shut off in a webmail system! You'll just have to hunt around for ones that don't show your outgoing IP address.
Even though many of these are not "truly secure", they are good intermediaries and contribute greatly towards keeping your identity confidential, and because of their disposable nature, can be abandoned without cost.
It's actually a good idea to run multiple email accounts; use one as a "spam dump" (for, say, posting to Usenet newsgroups, a common target of spammers) and one as a more "secure" email, given only to a select few.
When you send email by whatever system, the first and last name you enter in the configuration is what shows up when it arrives in the other person's email - if you don't want them to see your real name, don't use it! Most webmails never verify real names when signing up, so you can use whatever name you'd like. Use fake information when signing up to freemail services as well (i.e., NetZero, Juno, etc)
Check to see if the IP address shows up in the headers - an IP address is the online equivalent of a street address - if yours is sent out with outgoing mail headers, it can come back to haunt you later.
If you have trouble remembering fake identities, write them down in a safe place - never keep them near the computer, it's a common thing to stick userid's and passwords under the keyboard for instance. If you have at least two accounts, you can send email from one of your accounts to another to read the headers the first one sends out.
You can also use a freebased mail forwarding system.
Isthme: Whatever the case, when using browser based mail, it registers the intermediary server as the ip as it serves as the SMTP portal rather than coming directly from you by using an intermediary CGI/backend script to process the mail rather than accepting a transmission directly from your ISP. Browser based mail is mail that uses creates a mail program in your browser window rather than using Outlook; Eudora is an example of a browser based mail retrieval system.
==== LISTSERV BASICS ================================================
On the whole, most lists request confirmation from the email address when signing up. In the event that you do not with to be subscribed to a given list, you should refer to the listserver for directions to be unsubscribed. Usually this is a very simple process (either from the "home" site or through an email command) but it varies from system to system.
==== SPAM AND MAILBOMBING ===========================================
Remember that the desire of the mailbomber is to bog you down and under a heap of data. They hope to keep you uninformed and occupied. If you use the email address of an account you pay for and you choose to retaliate by contacting his ISP to have his service severed, he has succeeded in eating up your time.
(SphynxCat: OTOH, the faster you can get the spammer offline, the faster he doesn't bother anyone else either. Just my opinion, I have a zero tolerance approach to spammers.)
==== DO YOU HOST YOUR OWN DOMAIN? ===================================
If you host a domain and have email through that, do not use it at any level for VC interaction! If they ever catch on, they can do a simple Internic search and know your address for the registration. (Although you can have your ISP "cloak" your identity when they register your domain for you, you then have the risk of the "social engineering / bullshit factor" than some people can talk their way into getting almost any information from the ISP.)
==== ISP BASICS =====================================================
Regardless of what you use for email and such, use a service with a random IP assignment like AOL or earthlink for your browsing in questionable areas. They will give an IP that will route to the corporate HQ of the company regardless of your dialup in most cases.
Some ISP's have static IP addresses that don't change. You can find out by calling your ISP.
==== BROWSER BASICS ================================================
Use a proxy server that does not "pass through" your actual ISP information.
==== IP ADDRESSES AND TRACEROUTING ==================================
Be aware of what contains your IP address:
* ICQ * Outgoing email headers * /whois information in chat * posts made to message boards * entries made in guestbooks (if not public, then to the owner) * outgoing webmail headers * Many cable IP's are static, and LAN security sucks (SphynxCat: If you have no hardware firewall, invest in a program called "ZoneAlarm" - it's a software firewall. Take the time to learn this package, it's VERY worthwhile!) * DSL's tend to have static IP's as well
Your personal info can be tracked from:
* /whois in chat - city/state, city/province/country, ISP hostmask... * embedded cgi programs or cookies in other web sites * email - name, IP address (and thus ISP) * ICQ - if you put personal info, web address, etc in ICQ settings - ICQ has almost no security! * whatever you put in your website can give someone a "profile" of you, this plus all the previously mentioned items can make tracking you down much too easy. (Many people have lots of personal info on "about me" pages - for instance, where they work, what they drive, what pets they have, even their resumes!) * And all of these don't require any special gadgets or special software programs!
Hit tracking software can give:
* IP address * Your ISP and YOUR timezone * Browser type and version * Whatever personal information YOU put in the browser (and even information that you don't put in it!) * Operating system/computer type, version * screen resolution and how many colors your running (i.e., 1024x768 and 16million colors) * And all this is recorded THE INSTANT YOU ARRIVE!
You can bypass this with a proxy server that does not "pass through" your actual information. You can test a proxy server with the Anonymizer web site: http://www.anonymizer.com/
You will have to text proxy servers yourself, and do a search to come up with useful ones. This WILL be a time-consuming process, and you'll have to check each one to be sure it doesn't pass your real information through. Develop a list of at least a half-dozen so if one stops working, you can move on to the next and search for more. You may have to repeat the process frequently, as some proxy servers become unavailable in a short time period.
==== RECOMMENDED READING ============================================
How to Disappear Completely and Never Be Found by Doug Richmond Reborn in the U.S.A. by Trent Sands Counterfeit I.D. Made Easy by Jack Luger
==== GOOD RESOURCES =================================================
One of your best ways to learn to protect yourself is to run a mock stalking of yourself. Do everything you can think of based on what data you have posted publically to trace it to your identity. Even call your ISP and lie badly about who you are, do not give any confirmation that you are yourself and try to lie your name, password or any sort of information out of the customer service rep. This will prove very enlightening. Often an ISP when looking up your account before asking for more annoying information to confirm you identity may simply say: "alright firstname.lastname@example.org... looking it up... alright...Isthme? OK..." then proceed. This is an error on their part that they avoid but it is a natural reaction on the part of a weary tech.
Not everyone is a hacker, but there are people who are just good at finding info or know the tricks.
==== SELF DEFENSE ===================================================
Always carry a weapon that you are intimately familiar with. If you can't carry a weapon, always be aware of what in your surrounding you can use as an impromptu weapon, and the emphasis here is speed AND effectivess in that order.
If you don't have any weapon skills, get some. Buy training and lessons. If you really don't want to carry firearms, learn alternate weapons (especially whatever is legal to carry in your state/province/country.) Take martial arts classes, and lots of them. If you're caught without a weapon, just flailing your fists isn't going to do a lot of good unless you get lucky. Learn where on the body are good targets.
Always be aware of your surroundings - the people, what they're doing, behavior of drivers in parking lots and roads, etc. Learn to recognize what IS normal, then learn to spot what isn't. If you can, see about taking police self defense classes.
==== WHEN MEETING SOMEONE FOR THE FIRST TIME ========================
* Let someone know where you are going to be * what time you're leaving * what time you're coming back * who you're going to be with and any other information you have about them. * If you can, take an active cellphone with you. If you have to get the hell outta there, you can call for help. * observe their body language - how they carry themselves and how they walk/stand/sit can speak volumes about their everyday occupation and lifestyle. What they wear and how they wear it will tell you even more. * Always pick a neutral location - a strip mall, etc - and check out the place beforehand so you're familiar with the surroundings.
* let the other person have total control - if they pick the place, you pick the time/date or vice-versa. * trust anyone just because they say they trust you * trust anyone who has the same interests - people are too quick to figure they're safe because they have something in common. * get into the car of someone you don't know, no matter how harmless they seem. * judge someone to be harmless based on their body size - a 110-pound female in a miniskirt and tube top can be just as dangerous as a 6-foot 300 pound jock - and sometimes more dangerous because you don't expect it! * let your hormones make decisions for you. s/he may be a babe/stud, but if you don't know them, it doesn't mean it's safe. * Never call them from your home or work number - in this day and age of CallerID, that can give out too much information, especially since there are publically available websites that will do reverse lookups of phone numbers.
One good meeting does not mean they're safe.
Many public places will have cameras in them - airports, etc - and can provide proof that you were there and who you met with if something happens to you.
Carefully decide whether to meet at night or during the day and why. If at night, make sure the area is well lit.
If you're really paranoid, plan to meet the person in someplace outside of your native city, and outside of their native city. Arrange ahead of time topics of discussion (what you will or won't talk about, etc) and agreed upon contact (i.e., shake hands but no grasping of forearms - what may be normal for one may be interpreted as hostile by the other.) Choose a place with at least 2 exits and be someplace where you can watch the entrance.
Use cash only - no cards that might show a name, bank, or PIN when buying anything. This prevents information that might be identifiable from being left behind.
Don't dress the way you normally would, unless that is very mainstream.
Use public mass transit to get there if possible. Cabs can be useful, but you can be tracked down later from your description. Busses/subways are nice, anonymous transport modes.
If you're really REALLY paranoid, bring a couple friends and have them show up AHEAD OF THE MEETING. (Give them time to blend in to the "scenery".) Preferrably two friends who can be really good at not looking in your direction. Be aware that 2 beefy guys can draw attention because they'll look like bodyguards.
If your instinct is screaming at you to leave, DO SO!!! Your health and safety are far more important than finding someone with things in common! Don't feel you have "an obligation to stay" either!
==== PORTABLE PHONES ================================================
Cellphones/digital phones have the advantage of being small and portable wherever you go. Especially the new ones that practically fit in the palm of your hand.
Cellphones, however, can be picked up easily by scanners and radios if the radios go in the right bandwidth. No, it's not easy to pick out a specific individual's phone transmission, however, it's easy enough to stumble across in a random search. In the USA there was a high-profile news story about one congressman who's cellphone conversation was taped from the radio. Never never NEVER assume cellphone conversations are completely private!
Baby monitors have been known to pick up both cellphone and cordless phone transmissions.
Compiled by SphynxCatVP; Hosts: Narradas and Isthme