
Location Intelligence

Location Intelligence is a relatively new method of analyzing aggregate data using software based on geographic conditions. This serves a number of efficiency-related purposes: Anything from increasing revenue by predicting the best location for a store to be built to predicting the most likely areas where wreckage from a crash will be found. Perhaps most importantly, it can be used to track you. People create 2.5 quintillion bytes of data every day—and a huge portion of that data comes from social media sources like Twitter, Facebook, and Instagram. Have you ever seen a location services option on your phone? If you own anything from Apple you can expect to find this option in your settings. Unless you’ve turned this “service” off, the majority of what you post to these social media sites is being publicly tagged with a location and a time. Location intelligence tools turn this abandoned or thoughtlessly published data into a gold mine, by making a business out of tracking you. Of course you’re giving this information freely, and data storage is incredibly cheap, so businesses can effectively harvest and process this aggregate data freely. Furthermore, by tracking and predicting your movements they can reduce their costs: Do you like to buy ice cream? Do you only stop for ice cream on the way to work? Does everyone else do the same thing? Probably not, but with this aggregate data location intelligence can provide the most effective location for your shop.

There are two ways to view this, and an invasion of privacy is not one of them—you chose not to disable your location services. This can be viewed as either exploitation or service, much like targeted advertisements. The placement of this new shop based on your aggregate data is exploiting you, by tempting your weak mind into buying delicious treats that you otherwise could have avoided; or you are being better served what you want, leading to your own benefits along with the business. Location intelligence is the way of the future, but who is it really serving?


Advanced Internet Privacy (Paranoia-Level)

As I mentioned in my previous Basic Internet Privacy blog post—you are being watched, tracked, and spied on constantly. No this is not a joke, however the form this sort of spying takes is more passive than active and often consists of data mining via collecting IP addresses and timestamps. Passive internet spying methods are used to collect data and analyze it to find the source of problems after they have occurred in order to “correct” (punish) them. Passive internet spying methods are normally easy to avoid; they are designed to monitor massive streams of data and neglect outliers—those few who actively provide misinformation in order to protect their anonymity. These passive methods are frequently used by advertisers and service providers—who in turn provide their data to the government. A simple VPN (Virtual Private Network) or proxy and a few adjustments to your temporary internet file & cookie settings can protect you from these passive methods quite well. However it is important to note that a VPN or proxy can also turn into a passive spy by recording your real IP address and timestamp; this data can then be used to circumvent your anonymity by connecting your real IP address to an event at a specific time. So choose your VPN or proxy carefully.

The focus of this post regards methods to avoid being actively tracked and spied on. Out of the three groups I mentioned earlier (the government, advertisers, and other people) only two are likely to be problematic—the government and other people. I am American, and in America our legal system views people as innocent until proven guilty. So, for the sake of me-not-aiding-criminals, I shall also assume that you are innocent; if you’re not, then here’s the door.

All active methods have one main goal: To sniff out your identity. Of course the government tends to have the secondary goal of finding evidence to convict you of some crime, but that is irrelevant since such evidence could only exist if you were guilty of some crime and you are not guilty because you did not exit via the door as previously commanded. So you should not be concerned with hiding or concealing any sort of evidence from the government. Although some encryption software could do a pretty good job with that.

When you access the internet there are identities that you take up and discard by creating usernames and switching IP addresses; and then there is YOUR identity that exists as a link between your body and at least one of these disposable identities. The goal is to prevent your identity from being linked to these disposable identities and thus maintain your anonymity. Your identity exists in two places regarding the internet: On your computer and in the data you post on the internet that can be consolidated into individual profile(s). These two places can be further divided into subcategories. Your identity exists on your computer as data that can be retrieved from physical access and remote access to it. Physical access identifying data is retrieved from physically monitoring your device and can exist as anything from a camera positioned to watch what you type to a keylogger physically installed in your keyboard. These risks tend to concern real-life personal privacy more so than anything related to the internet; furthermore these are not things that can be detected or prevented with software. So this is not the appropriate venue for their discussion. Remote access identifying data exists as anything from a webcam screenshot of your pretty little face to personal information like passwords or usernames that you have stored in a text file on your hard drive. This data is not normally accessible by anyone but yourself, unless you have a virus like a RAT that provides a 3rd party with remote administrative access to your computer. These viruses are often picked up from peer to peer filesharing technologies, like torrenting or even downloading a file that someone uploaded for you. Social engineering is one of the largest holes in your security, trust no one. Thoroughly scan any files that were not distributed from a reputable source using multiple anti-virus programs. 
The purpose of using multiple anti-virus programs to scan is the fact that these viruses/Trojans/malware are updated frequently to avoid scans. Each anti-virus program uses a different scan and updates their database at varying intervals, so by using multiple scans you increase your odds of detecting anything malicious; one program I recommend is Anti-Malware Bytes.

The information you willingly post on the internet is probably the largest hole in your security. Many people, including myself, enjoy using the same username across multiple platforms. Some people don’t like memorizing multiple usernames; others use the same name to garner e-fame. There is one golden rule to follow: Information on the internet is forever. Unless you are actively controlling your identities, they will begin to form connections. Perhaps a VPN subscription for username Mw15beye paid with Bitcoins from wallet X and username Verse bought Bitcoins for wallet X. Now any (thorough) sleuth can determine that usernames Mw15beye and Verse are controlled by the same person; and if those Bitcoins were purchased with a credit card or PayPal account with legitimate information you have just been successfully connected to both of these identities. This is an extreme example that is only likely to be used by the government; a far more likely problem is being doxed. This term was coined on Reddit (it is banned there) and is the practice of gathering all available data from social media and other profiles in order to expose a person’s identity. More often than not this just involves googling a few names; the majority of people have links between their various online identities that can easily be found through search engines. Controlling and partitioning information is important. This means different usernames, different payment methods, different colloquialisms, different misinformation, and different IP addresses über alles. This is a monumental task for even the most organized person. The best way I have found to automate the partitioning of this information is AHK_L; track your IP addresses and based on those IP addresses automatically sort out your misinformation.
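A self-audit of the partitioning described above, as an added example that is not part of the original post. It takes an inventory of your own personas and reports which ones are tied together by a shared attribute, directly or through a chain of other personas. Mw15beye, Verse and wallet X come from the paragraph above; every other name, address and attribute is constructed for the demo.

```python
from collections import defaultdict

# Constructed inventory of one's own personas and what each one has touched.
PERSONAS = {
    "Mw15beye": {"wallet": "wallet-X", "email": "mw15@example.org",
                 "exit_ip": "198.51.100.7"},
    "Verse": {"wallet": "wallet-X", "card": "card-on-file",
              "exit_ip": "203.0.113.20"},
    "forum_alias": {"email": "forum@example.net", "exit_ip": "203.0.113.20"},
    "isolated_alias": {"email": "iso@example.com", "exit_ip": "192.0.2.55"},
}

# Attribute kinds that point at a legal identity (assumption for this demo).
IDENTIFYING_KINDS = {"card"}


def shared_attributes(personas):
    """Return every (kind, value) used by two or more personas."""
    users = defaultdict(set)
    for name, attrs in personas.items():
        for kind, value in attrs.items():
            users[(kind, value)].add(name)
    return {key: sorted(names) for key, names in users.items() if len(names) > 1}


def linked_groups(personas):
    """Union-find: personas that share anything, even transitively, form one group."""
    parent = {name: name for name in personas}

    def find(name):
        while parent[name] != name:
            parent[name] = parent[parent[name]]   # path compression
            name = parent[name]
        return name

    for names in shared_attributes(personas).values():
        for other in names[1:]:
            parent[find(other)] = find(names[0])

    groups = defaultdict(list)
    for name in personas:
        groups[find(name)].append(name)
    return sorted(sorted(group) for group in groups.values())


def exposed_personas(personas, identifying=IDENTIFYING_KINDS):
    """Personas whose group contains at least one identifying attribute."""
    exposed = []
    for group in linked_groups(personas):
        if any(kind in identifying for name in group for kind in personas[name]):
            exposed.extend(group)
    return sorted(exposed)


if __name__ == "__main__":
    for (kind, value), names in shared_attributes(PERSONAS).items():
        print(f"leak: {kind}={value} shared by {', '.join(names)}")
    print("linked groups:", linked_groups(PERSONAS))
    print("tied to a real identity:", exposed_personas(PERSONAS))
```

Mw15beye and forum_alias share nothing with each other, yet both end up in the group that contains the payment card, because each shares one attribute with Verse.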

The basics of anonymity all involve programs doing all the work; the advanced techniques mostly rely on the user. The human element is by far the weakest in this equation. The main point to take away from this post is that you need to control your information if you want to remain anonymous.  Otherwise you’ll end up like this guy who gave a little and got taken for a ride.

Bitcoins Don’t Exist

As the title says, Bitcoins do not exist. They do not exist as something you can hold, as some byte of data on your computer, as some file stowed away in your Bitcoin client, or in any other tangible form. They are not something that you can own, merely something that the collective claims that “you” own. They were invented by a man named Satoshi Nakamoto, who does not exist either.  As it turns out this is a pseudonym, and the true identity of Bitcoin’s creator is a mystery.

So what are Bitcoins? Bitcoins are known as a decentralized digital currency or virtual cryptocurrency that are especially useful for maintaining your anonymity while purchasing certain things online, like VPN subscriptions. The core concept regarding Bitcoins as a decentralized digital currency is the fact that Bitcoins have no (naturally occurring) single, controlling payment processor. Instead Bitcoin transactions are processed by a collective of Bitcoin miners, who also generate new Bitcoins.

How do Bitcoins work? Bitcoin mining is the process by which Bitcoin transactions are processed by being published to the blockchain—which is essentially a list of every Bitcoin transaction—and by which new Bitcoins are created. To create a Bitcoin transaction, a Bitcoin client is needed. If you do not already possess a Bitcoin wallet, which consists of a public and private key pair, then your client will “generate” one for you. The word “generate” is in quotes because it implies that the wallet did not exist before you generated it, which is incorrect. A public key is merely a string of letters and numbers that is derived from a private key using a cryptographic function. These strings do not require any sort of registration to exist as wallets within the Bitcoin network, and—because they do not require any sort of registration to exist—each and every potential key pair has always existed with the potential to be in use. So your keys are not being generated so much as they are simply being chosen and put into use. Although the odds are incredibly low, it is possible that the private key randomly chosen by your Bitcoin client is already in use by someone else—in which case you will have full access to any and all Bitcoins associated with that particular key pair (as will the original owner so long as they have access to the private key.) The reverse is also possible, where someone else’s Bitcoin client randomly chooses to use your private key. However due to the incredibly low probability of occurring, and the fact that stealing Bitcoin wallets requires the same computational power as Bitcoin mining, it is not a viable method to earn Bitcoins. The private key is the focus of these potential issues for two reasons: It is used to derive the public key and it is used to transfer Bitcoins from your key pair—or wallet—to another. 
The public key, on the other hand, is used to receive Bitcoins and can be given freely because—due to the nature of cryptography—a public key cannot be used to derive a private key. So by giving out your public key, you allow yourself to receive Bitcoins with no risk of having your private key discovered and your “wallet stolen.” A transaction can only be published to the blockchain by using a private key with a number of Bitcoins greater than or equal to the amount specified in the transaction. There are four steps in publishing a transaction to the blockchain: First by sending a valid transaction to the Bitcoin mining network, then the network includes your transaction (along with many others) in a block, and uses a brute-force attack to solve a cryptographic function derived from the information in that block which—when solved—can be published and accepted by the entire network. On average one block is published every 10 minutes. So it takes at least 10 minutes for any single transaction to be forever written into the blockchain, which is then published to the entire Bitcoin network who must—as a collective—agree upon the number of Bitcoins remaining in all affected wallets. Furthermore it is important to note that—because every transaction is published in the blockchain—the Bitcoins associated with any address can be seen by everyone and anyone. In fact, the entire Bitcoin system can only exist due to several ingeniously implemented systematic incentives—it is self-perpetuating.
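The brute-force step and the network's acceptance check described above, as an added example that is not part of the original post: a toy proof-of-work chain in Python. The header layout, the 16-bit difficulty and the sample transactions are assumptions made for the demo and are not Bitcoin's real block format.

```python
import copy
import hashlib
import json

DIFFICULTY_BITS = 16                    # toy value (assumption); real difficulty is far higher
TARGET = 1 << (256 - DIFFICULTY_BITS)   # a valid block hash must be below this number
GENESIS_PREV = "00" * 32                # placeholder "previous hash" for the first block

# Constructed sample transactions; wallet names and amounts are made up.
SAMPLE_BATCHES = [
    [{"from": "wallet_A", "to": "wallet_B", "amount": 3}],
    [{"from": "wallet_B", "to": "wallet_C", "amount": 1}],
]


def block_hash(prev_hash, txs, nonce):
    """Double SHA-256 over a simplified header (not Bitcoin's serialization)."""
    header = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce},
                        sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(header).digest()).hexdigest()


def mine(prev_hash, txs):
    """The brute-force step: try nonces until the hash falls below TARGET."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, txs, nonce)
        if int(digest, 16) < TARGET:
            return {"prev": prev_hash, "txs": txs, "nonce": nonce, "hash": digest}
        nonce += 1


def build_chain(batches):
    """Mine one block per batch, each committing to the hash of the one before."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = mine(prev, copy.deepcopy(txs))
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """What every other node does: one hash per block, no brute force needed."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        digest = block_hash(block["prev"], block["txs"], block["nonce"])
        if digest != block["hash"]:
            return False, f"block {i}: contents do not match recorded hash"
        if int(digest, 16) >= TARGET:
            return False, f"block {i}: proof of work missing"
        if block["prev"] != prev:
            return False, f"block {i}: does not link to previous block"
        prev = digest
    return True, "ok"


if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("honest chain:", verify_chain(chain))
    chain[0]["txs"][0]["amount"] = 300   # try to rewrite an already published payment
    print("edited chain:", verify_chain(chain))
```

Finding a nonce takes tens of thousands of hash attempts even at this toy difficulty, while checking one takes a single hash. Changing an old transaction would mean redoing that search for the edited block and for every block after it, which is why a published transaction is treated as permanent.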

These sound like a scam? Bitcoins are a pseudo-fiat currency, meaning that they are not backed by anything like gold or silver (like U.S. dollars.) Bitcoins may seem like a scam because they require one of two things: Either trust or a thorough understanding of cryptography. Unfortunately most people, including myself to a large extent, are not versed enough in cryptography to fully or properly understand the Bitcoin platform, and trust is hard to come by over the internet. However Bitcoins have survived in the open-market since 2009, and as of writing this post they are trading for $74.46 USD apiece. If you cannot trust me as to the legitimacy of Bitcoins, then trust the market.

If everyone can see every transaction, how is this anonymous? Perhaps anonymous is the wrong way to describe Bitcoins; Bitcoins have a strong potential for anonymity. They are pseudo-anonymous. Yes, every transaction (ever) is listed and can be accounted for in the blockchain (which is freely available to anyone), but the transactions only include IP addresses and information concerning the keys involved. While either of these pieces of information could be used to identify a single person as owning a specific wallet, they do not necessarily identify that person. A cash-to-Bitcoin transaction, when combined with a WiFi hotspot or VPN, is essentially untraceable. In fact, this is why the Bitcoin platform has become widely used for money laundering and other criminal activity.

Alright, so why don’t Bitcoins exist and if they don’t exist then why are they worth anything? Bitcoins can best be understood as a collective agreement that you have the money (BTC) in your wallet. In this sense a Bitcoin transaction can be understood as the collective agreement that you have paid an amount, using the funds in your wallet, to another wallet. No physical or virtual transfer of funds is necessary, since it is only the communal agreement that determines that you had any Bitcoins in the first place. Bitcoins have value because they are the perfect currency: They are widely accepted, they never degrade, they are infinitely portable and divisible, they are easily recognizable and exchanged, each Bitcoin is identical, and they cannot be seized by the government. The two caveats to using Bitcoins are their transaction fees: Actual transaction fees for Bitcoins tend to be relatively small, are optional, and average under 1% (which determines how quickly your transaction is included in a block, since the block’s publisher claims all associated transaction fees in addition to their generation/reward transaction from publishing the block); and the various (much larger) fees associated with currency exchange rates. In fact, firms should prefer their customers paying with Bitcoins rather than credit cards due to the lower transaction fees (excluding exchange fees) and the fact that transactions cannot be reversed after they are published to the blockchain.

Bitcoins may be a niche currency, but they are worth watching. I highly recommend this podcast if you wish to learn more about Bitcoins.

Basic Internet Privacy in a Nutshell (Condensed)

Who is tracking you? Why bother being anonymous? How do I do it? Privacy and anonymity go hand in hand on the internet. One is not possible without the other, and achieving any semblance of anonymity or privacy on the internet is quite difficult and potentially costly.

Who is tracking you? There are countless organizations tracking your every move, but for the sake of simplicity they can be divvied up into three groups: The government, advertisers, and other people.

What defines you on the internet? You are defined by a unique identification number whenever you access the internet, in any form, and there are no exceptions. Behind your router you are defined by your MAC address and to the internet you are defined by your IP address. You are further defined by your cookies and other temporary files, along with any personal information you unwittingly or otherwise post. For the most part your MAC address is irrelevant; it can only be seen and used to identify you from inside a network or from behind a router. Your MAC address is specific to your device and never naturally changes, unlike your IP address which changes whenever you change Wi-Fi hotspots or ISP. In other words a MAC address cannot easily be used by someone else to identify you on the internet. However your MAC address contains important information regarding your computer’s manufacturer and identification number, which can be used to identify you (by the government subpoenaing the manufacturer.) IP addresses on the other hand are very important; they are your de facto identity on the internet and incredibly easy to find. Your IP address is displayed to every single web page you visit. In fact, the IP address of every blog comment on WordPress is given to the post’s author in the “Comments” section of their dashboard. So if you’ve commented on any of my posts, I know your IP address. Why is showing your IP address problematic? It identifies you and can easily be used to find your location. Cookies and temporary files are rather harmless on the other hand, as long as you have a working anti-virus program to prevent viruses, trojans, and other malware from infecting your computer. These are primarily used by websites and advertisers to track you and tend to be harmless.

How do you browse safely? Safe browsing is fairly simple, all that’s required is an up to date anti-virus program.

How do you browse anonymously? Anonymous browsing is more difficult than browsing safely. As mentioned previously there are a number of ways to identify you on the internet, with the first and foremost being your IP address. The only way to avoid being identified by your IP address is by routing your internet traffic through another server or router, and essentially masking it with another IP address. This can be achieved through either a proxy or a VPN. When using these services your IP address, which is unique to your router (which multiple computers can be connected to and have the same IP address) and not to your computer, will be replaced with the IP address of your proxy or VPN. So the IP address displayed to websites like WordPress will be the IP address of your proxy or VPN and not your real IP address, which could be used to identify you as a person and your current location. The issue here often comes down to the question “How much are you willing to pay for anonymity?” A good VPN can run around $40 a year and will purge their data regularly, whereas a bad VPN can run from the same price to double and will log all of your data. Proxies on the other hand tend to be incredibly slow and do a poor job of masking your IP address from persistent snoopers. The one exception to that rule would be Tor, which does a rather decent job of masking your IP address but is still rather slow and is dangerous to download anything on. For the sake of basic anonymity, masking your IP address is enough. I will discuss more advanced methods to attain more perfect anonymity in future blog posts.

The Algorithm Can Fail Us

Google bombing is the act of enhancing a website’s search engine optimization (SEO)—or raising its page ranking—by repeatedly inputting a keyword associated with the website’s destination. While there are special types of SEO software that are designed to raise a website’s page rank, Google bombing often involves massive or viral participation rather than any software. Many of the recent Google Bombs have very clear roots in Reddit or 4Chan forums. The first Google Bomb was in 1999, where the search term “more evil than Satan himself” returned Microsoft as the top result. A more recent example was made popular during Rick Santorum’s presidential run in 2012, when the first search result for Santorum defined it as “the frothy mixture of lube and fecal matter that is sometimes the byproduct of anal sex.” This Google Bomb was spearheaded by Dan Savage, a columnist, to protest anti-gay remarks Santorum made in the early 2000s by forever associating the then-U.S. Senator with this disgusting, reader-chosen definition. During his presidential bid, Santorum formally requested that Google remove the definition from its search index. Google refused.

There are MANY more Google Bombs out there; these Google Bombs begin as a bored forumer’s prank and become reality. I do not support Rick Santorum and I do not condone Dan Savage’s Google Bomb; but before Dan Savage’s Google Bomb, Santorum had no definition. That definition was not a fact. It served as nothing more than a mildly amusing and mildly insulting joke, an interesting joke. The interest that people showed in this joke is what caused it to become fact—by cementing the definition in Google’s search results and giving it a permanent place in internet culture.

Did Dan Savage’s actions serve a purpose? Yes, protesting bad behavior serves an important role in our country. However Google is not a medium for protesting. Google is a medium for delivering facts and information, whose purpose is not aided by these random associations. While individual instances of Google Bombing like Santorum, Microsoft, Justin Bieber’s syphilis, George Bush’s miserable failure, Mitt Romney’s completely wrong, or Creed’s worst band in the world can be seen as jokes, they denote a serious failure on Google’s part. People are outsmarting the algorithm; and Google as well—since Google has tried to and can’t seem to fix the problem.

Dan Savage’s Google Bomb may have had a noble purpose, but 4Chan seems to prefer pranks to noble causes and is far more active and successful in their exploits. Google’s algorithm has a long way to go if it hopes to beat pranksters’ crowdsourcing SEO exploits to bomb its search results.

Anonymous

Vi veri veniversum vivus vici. By the power of truth, I while living have conquered the universe. This is my blog’s tagline. This is a Latin phrase taken from some Germanic book written by somebody that I do not care about. Despite all the reasons I have not to care about this quote, I have spent quite a bit of time trying to figure out what it means and how I could possibly make it relevant. Alas, I cannot. The universe remains unconquered; and I’m not enough of a megalomaniac to claim otherwise. This quote is only relevant because each of its words begins with the letter V. I might have preferred to use the Latin phrase, “Veni, vidi, vici” (which means I came, I saw, I conquered) but despite my preference for this quote, unfortunately it was not featured in the movie V for Vendetta like the prior was.

Ironically these sorts of self-aggrandizing quotes never really caught on with Anonymous, at least not in the same way the Guy Fawkes mask from V for Vendetta did. This is ironic because “self-aggrandizing” defines Anonymous far more appropriately than the mask does. Anonymous and its offshoots have had some impressive hacks, but their core “hacking” methodology is quite simple and often masked by hype. Distributed Denial of Service (DDoS) attacks are the heart of the Anon arsenal; whenever a headline reads “Anonymous takes down _____’s website” a DDoS attack is almost always involved. A simple DDoS attack consists of many computers constantly pinging a website and maxing out its bandwidth, thus causing the website to become inaccessible.

How does Anonymous accomplish this? They use botnets, which consist of willing or unwitting participants. How do you know if you are part of a botnet? If your computer is connecting to multiple foreign IP addresses and using a large portion of your CPU whenever you connect to the internet, then you are part of a botnet. You are also part of a botnet if you installed Anonymous’s low-orbit ion cannon app (and are willingly participating in an illegal and easily traceable crime.)

The second bit of Anonymous’s method is called social engineering and basically involves tricking customer support into giving them the information necessary to take control of somebody’s account. Neither of these methods, which Anonymous uses to accomplish 90% of their mischief, is very threatening once you understand them. Anonymous does have some powerful techniques in their arsenal, but their primary weapon is fear. Most of that fear comes from the media confusing fear-mongering and news casting, and the rest comes from the majority of people having no idea how these “hacks” are performed. Hopefully this will work to clear the air a bit.

Do copyright holders profit off of their lawsuits?

Yes. Some copyright holders have adopted a “pay up or else” scheme in order to profit from their litigation. There are three main steps to this scheme: Index infringing IP addresses, start a lawsuit against those IP addresses as John/Jane Does and subpoena the Does’ individual ISPs for their personal information during discovery, and then send each Doe a settlement offer threatening to sue if they do not pay up. Copyright holders are able to easily index infringing IP addresses by participating in the torrents that share their content. Most defendants would rather pay the settlement than go to court, so the copyright holders avoid excess legal fees. When defendants do not respond and refuse to pay, the copyright holders frequently ignore them and rarely bring them to court. In such a way copyright holders can maximize their profit.

This scheme has been prevalent in the U.S. since 2010. Only recently have courts started to rule in favor of the defendants (the John/Jane Does) when they realized that privately owned IP addresses do not necessarily represent the responsible party. For instance if I downloaded something illegally from my father’s Wi-Fi, he would be sent the settlement offer and taken to court. Not me. The caveat in this is the fact that public Wi-Fi is protected from such lawsuits, whereas a private ISP subscriber could still be taken to court if their private Wi-Fi was open to the public and some awful person used it to download copyrighted files.

In fact, copyright holders have been working together with ISPs to create a six strike policy. According to this policy, after your ISP catches you downloading copyrighted material on six separate occasions, your ISP will terminate your internet connection and give your personal information to the infringed copyright holders for litigation. This policy has started to go into effect all over the world and has been predicted to activate in the U.S. this year. However, unfortunately for copyright holders the ISPs and governments involved refuse to fund the policy. So in countries like New Zealand copyright holders refuse to use the six strikes policy, claiming that the “costs to send notices to infringers are too high.” In other words their profit margin is too low. They want the government and the ISPs to help foot the bill so they can more easily sue the ISPs’ subscribers and the government’s citizens. In fact the music industry (U.S.) has asked that instead of disconnecting their users’ internet access, ISPs should instead charge their users cash fines. To be paid to the copyright holders, of course.

Currently the music industry, the porn industry, the movie industry, and the video game industry are all on board with the six strikes policy (or the three strike policy in France.) In short, the video game industry (at least in France) plans to join the music, porn, and movie industries in their new and improved “pay up or else” scheme. Apparently this scheme has proven itself profitable. How long until every other copyright holder joins in?

I do not condone piracy, because that would be immoral and potentially illegal. However I do condone safe internet use, so I recommend using a proxy or a VPN. The fact that these services prevent you from being identified by your IP address and consequently prevent you from being sued by these schemes is not my problem.