Saturday, May 19, 2018

John McAfee Going Underground


An article in Global Coin Report (May 17, 2018) stated: Known for his well-timed predictions (and their explosive results) within the cryptocurrency community, John McAfee is in the headlines again, going underground as the Securities and Exchange Commission (SEC) attempts to silence his voice. A vocal critic of the SEC, McAfee has taken to Twitter to update his followers on current developments as the SEC has allegedly infiltrated his property, disturbing McAffee’s peace and forcing the hand of a man most famously known for his wild Bitcoin predictions.

Perhaps the most vocal and angry critic of the SEC, McAfee has spoken out numerous times concerning the commission’s actions to destroy value in the market. Now, with an increase in suspicious activity happening around his home in Tennessee, his twitter feed has lit up with the dramatic unfolding of this newest dilemma.

Mr. McAfee is now located in a tiny American hamlet whose residents have a long history of abuse by Federal authorities. The local police are practiced in the art of sending invaders back to Washington. (Loggiaonfire)

"Mr. McAfee has on occasion been labeled as crazy by people who have never had entire governments out to collect them. He has been called paranoid by people who have never had their lives threatened. And he has been accused of grandiose delusion by people who themselves lack the nerve to speak out against corrupt and tyrannical government agencies."


Bomb Scare that Nearly Shut Down Seattle Library Was "Realistic" Army Exercise



On Saturday, April 14, staffers at a downtown Seattle library discovered two alarming objects on its third-floor shelves: Two books had been hollowed out and filled with what appeared to library staffers to be two primitive homemade bombs, according to an internal library email about the incident.

Each of the books contained batteries, wires, and computer chips. According to the police report, obtained through a public disclosure request, staffers considered the objects to be "potential explosive device[s]."

The staffers on duty that Saturday morning, according to multiple accounts of the incident, then called 911, stationed security guards on several floors, and prepared to evacuate the entire 363,000-square-foot building and its approximately 3,500 occupants in response to the apparent potential bomb.   (CIS, May 18, 2018)
--

Off-post training for certain types of military units improves realism and when working with civilian law enforcement and emergency services can provide a benefit to the civilian community as well. But these exercises must be properly coordinated by the participating installation.

Government Should ‘Stop Pretending’ Your Social Security Number is Secret



Government and industry rely on Social Security numbers as a fail-safe way to ensure people are who they claim to be, but massive data breaches have led cyber-security experts to argue the nine-digit identifier is past its prime.

High-profile data breaches have dumped hundreds of millions of Social Security numbers into the on-line wilderness recently, fueling a rise in identity theft and financial fraud. In 2015, experts estimated between 60 and 80 percent of Social Security numbers have at some point been stolen by hackers, and that was before the massive breach at Equifax exposed information on 143 million Americans last year.

“Social Security numbers are so deeply compromised and so widely available to the public...that they can no longer be used as an authenticator,” said Paul Rosenzweig, a cyber-security expert at the R Street Institute, before the House Ways and Means Subcommittee on Social Security. While he and other witnesses largely agreed the number can still work as a unique government ID, the days of using it to prove someone is who they say are long over.

“Using my Social Security number as an authenticator is as stupid as using the last four letters as my last name as authenticator, or the last four digits of my phone number,” said Rosenzweig. (NextGov, May 17, 2018)
--

You should never provide your SSN unless specifically required to do so by law. Request that businesses and organizations that use your SSN for identification purposes adopt and use an alternate method.  As explained in the Next Gov article, using an SSN for identification is just not safe.

As we saw in my blog post in January 2018, even the Social Security Administration states that: Organizations should avoid using Social Security numbers (SSNs) as identifiers for any type of transaction.


Friday, May 18, 2018

Researchers Say a Breathalyzer Used in Multiple States Produces Incorrect Results


Two researchers say a police breathalyzer, used across the US, can produce incorrect breath test results, but their work came to a halt after legal pressure from the manufacturer.

This most recent skirmish began a decade ago when Washington state police sought to replace its aging fleet of breathalyzers. When the Washington State police opened solicitations, the only bidder, Draeger, a German medical technology maker, won the contract to sell its flagship device, the Alcotest 9510, across the state.

But defense attorneys have long believed the breathalyzer is faulty.

Jason Lantz, a Washington-based defense lawyer, enlisted a software engineer and a security researcher to examine its source code. The two experts wrote in a preliminary report that they found flaws capable of producing incorrect breath test results. The defense hailed the results as a breakthrough, believing the findings could cast doubt on countless drunk-driving prosecutions.

The company that makes the breathalyzer sued the researchers to prevent release of their data.  ZDNet (May 10, 2018)
--

Most any attorney will tell you that You Should Never Take a Field Sobriety Test (SFST). These tests are voluntary, are subjective, and generally are not accurate. However the breathalyzer is "mandatory" under implied consent laws.

Every driver in the State of Washington (and other states) impliedly consents to providing a breath or blood sample after being arrested for DUI. Failure to provide such a sample after a lawful request is known as a “refusal”.

For a Washington Court or the Washington Department of Licensing (DOL) to find that you have refused to provide a properly requested breath or blood test, a number of things must be proven. First you have to have been read or been allowed to read what are know as your implied consent warnings.

It is important to note that behavior apart from saying, “I refuse” can constitute a refusal. An officer may construe a refusal in cases where a person delays too long in making a decision or pretends to blow into the breath tube. This is known as a constructive refusal and while it may be harder to prove than an actual refusal, Washington DUI law does recognize it as a refusal nonetheless.

So, while you are required to submit to the breathalyzer under implied consent laws, and the result of the test can be used against you in court - it seems that the breathalyzer can produce incorrect results, casting doubt on countless convictions.

Department of Justice “Put a Spy” in the Trump Campaign in 2016


For the second time in two days, President Donald Trump shared a claim on social media Friday that the Department of Justice “put a spy” in his campaign in 2016.

The previous morning, Trump quoted “Fox & Friends” guest and former federal prosecutor Andrew McCarthy, saying the “Obama FBI ‘SPIED ON THE TRUMP CAMPAIGN WITH AN EMBEDDED INFORMANT.’”

“If so,” Trump added, “this is bigger than Watergate!”

Trump allies in Congress have been seeking information on a longtime intelligence source who reportedly provided information to the FBI early in its investigation of possible ties between Trump’s campaign and the Russian government. The FBI and DOJ have warned that revealing the source could endanger lives and operations.  (KOMO 4 News, May 18, 2018)

Using 'Delay Delivery' to Send "Please Check on Me" Messages


In October 2017 I wrote about an app, Kitestring, that lets you schedule a notification to be sent to friends, family, or some other emergency contact if you go missing or fail to respond to a check-in message. 

 
You can use the 'Delay Delivery' option in Outlook to accomplish the same type of notification.

To set up delayed delivery of an e-mail from Outlook:
  • In the message, click Options.
  • In the More Options group, click Delay Delivery.
  • Delay Delivery command on the ribbon
  • Under Delivery options, select the Do not deliver before check box, and then click the delivery date and time that you want.
  • After you click Send, the message remains in the Outbox folder until the delivery time.

 
Using the 'Delay Delivery' option you can prepare an e-mail to be sent at a certain time. Maybe you want somebody to check on you if you don't return from a sole hike or weekend camping trip. Are you going on a blind-date or meeting a stranger to purchase something that you saw on Craigslist?

For whatever reason you might want to send a message to someone at a specific time, 'Delay Delivery' gives you that option. Of course, you should always test this system and arrange with friends and family in advance of using 'Delay Delivery' to ask them to check on you. The delayed message is just an automated reminder - it shouldn't come as a surprise to the person receiving it.

For the 'Delay Delivery' option to work, Outlook must be running with a connection to an e-mail server (you must be on-line) at the time the message is scheduled to be sent. A power failure, computer crash, or automatic re-start could cancel your delayed messages, but generally speaking the 'Delay Delivery' option works as described.
 
In addition to just sending an e-mail, you can use the e-mail to text (SMS) to help ensure that your message is seen as soon as possible after it is sent. You may only check your e-mail when you are sitting in front of your computer, but your cell-phone is probably in your pocket allowing you to receive a text message at any time.

Use the following formats to send a text message from e-mail:
  • Alltel   10-digit-number@message.alltel.com 
  • AT&T   10-digit-number@txt.att.net 
  • Boost Mobile  10-digit-number@myboostmobile.com 
  • Cricket Wireless 10-digit-number@mms.cricketwireless.net
  • Project Fi  10-digit-number@msg.fi.google.com
  • Sprint   10-digit-number@messaging.sprintpcs.com 
  • T-Mobile  10-digit-number@tmomail.net 
  • U.S. Cellular  10-digit-number@email.uscc.net 
  • Verizon [insert  10-digit-number@vtext.com 
  • Virgin Mobile  10-digit-number@vmobl.com 
  • Republic Wireless 10-digit-number@text.republicwireless.com 
  • US Cellular:   10-digit-number@mms.uscc.net

Remember to keep e-mail sent as a text message short (less than 160 characters). You can always send short notifications as text messages, and follow-up with e-mail containing additional details.

If after setting up a 'Delay Delivery' message you find that you don't need to send it (which should be most of the time for "Please Check on Me" type messages), just delete it from your Outbox folder prior to its scheduled delivery time.

Please Check on Me messages, scheduled with 'Delay Delivery' are a way to add a little bit of extra personal security to your life.  


Support TOR in Public Libraries


Libraries are trusted community spaces and education centers -- quite often as the only such resource in their communities. Libraries serve people from all walks of life, including immigrants, poor and working people, and others who are under greater threats of surveillance. Finally, libraries have a deep historical and ideological commitment to protecting privacy; for example, librarians in the United States were some of the earliest opponents of overbroad government surveillance programs like the USA PATRIOT Act.

The use of TOR is not, in and of itself, illegal. There are legitimate purposes for its use. Originally designed, implemented and deployed by the United States Naval Research Laboratory, TOR affords users a way to share information over public networks without compromising their privacy.

When we consider the threats we face from government agencies Spying on Democracy - the disturbing increase in surveillance of ordinary citizens and the danger it poses to our privacy, and to our civil liberties - it only makes good sense to take steps to safeguard our personal privacy and civil liberties, and what better place to do that than in our public libraries?

Contact your local library and encourage them to run a TOR Relay. By running a Tor relay they can help make the Tor network:
  • faster (and therefore more usable)
  • more robust against attacks
  • more stable in case of outages
  • safer for its users (spying on more relays is harder than on a few)
This article on the TOR WIKI explains how to set up a TOR Relay.



Librarians may also be interested in the Library Freedom Institute.

The Library Freedom Institute (LFI) is a privacy-focused six-month program for librarians to teach them the skills necessary to thrive as Privacy Advocates, from installing privacy software to influencing public policy.

Army Reserve COL Alleges Investigative Misconduct by Army Finance and CID


A May 17, 2018 article in Stars and Stripes alleges investigative misconduct on the part of Army Finance and Army CID.

Richard Gulley, an Army Reserve Colonel with a top secret clearance, says he is the victim of an investigative process that has run amok, as finance officials and agents from the Criminal Investigation Command are operating with little oversight.

Patrick Hughes, a Washington-based attorney (http://www.patriotslawgroup.com/) representing at least seven soldiers in the lawsuit against the Army, says what’s missing is greater oversight from Congress on abuses by finance officials and agents for the Criminal Investigation Command. 

Soldiers say the investigations have crippled their finances, caused hassles abroad and damaged their future job prospects.

As a well-paid commercial pilot in civilian life, COL. Gulley said he can financially rebound from the $103,000 debt imposed by the Army in connection with the accusation that he shouldn’t have been paid BAH.

But the consequences are hurting him on the job. The Army never prosecuted, but every time Gulley pilots an international flight, he is stopped for questioning by police at customs.

The electronic trail of charges means he’s been flagged. He also can’t obtain a gun permit, which compromises his ability to protect the cockpit, Gulley said.

"Why was I arrested at all? Why is it still on my record, and why do I get stopped at customs every single time?" he said.

Gulley also said he was subjected to harassment from CID agents, who staked out his home in Germany, followed him around, and questioned neighbors back at his New York City home as part of their investigation.
--

An article in Stars & Stripes certainly doesn't tell the complete story in this case. The Army CID agents that I have known have always demonstrated the highest degree of professionalism. Yet, as with any group of people there may be those who act inappropriately during the conduct of an investigation.

The question I see here isn't whether the CID agents conducted a proper investigation with the appropriate oversight - they probably did; but since the Army never prosecuted COL Gulley, why is this still "on his record"? If the Army chose not to prosecute the illegal receipt of  $103,000.00 in BAH, did the investigation clear COL Gulley of the offenses with which he was originally titled?

Once cleared in an investigation, a person should no longer be listed as the Subject of that investigation. Unfounded, or false allegations should not follow a person for the rest of their life.


Thursday, May 17, 2018

Shamir's Secret Sharing Scheme


Using one-time-pad schema it is possible to store a password (combination, account number, etc.) by dividing it into multiple parts.  All parts or shares of the encrypted password must be combined before the final password may be revealed. Of course, you cannot simple cut a password in half or quarters, as this would reveal at least part of it and provide clues to finding the rest and reduce the number of combinations to try out before the final password was revealed.

Shamir's secret sharing scheme is especially useful in situations where you feel uncomfortable in sharing a secret with others and you have doubts about the reliability of some of them. You don't want one of them to misuse the secret behind the other's back. A person might be entitled to have the secret information but that doesn't mean you trust him to have full control over it. With secret splitting, misuse or unauthorized disclosure of the secret is impossible if there's at least one reliable person among the shareholders. And what's really great, more people with shares means more security, because more people have to agree on putting the shares together. That's just the opposite of sharing the secret itself, where more people means more risk.

Dirk Rijmenants has published a mathematical method of splitting a password (or another secret) among multiple people.  

Computer based implementations of Shamir's Secret Sharing Scheme can be seen on these web-sites:

https://secrets.dyne.org/

http://point-at-infinity.org/ssss/

https://iancoleman.io/shamir39/

http://www.asecuritysite.com/Encryption/shamir

Don't rely on any web-site to split and restore your secrets. If the web-site is down / gone at a future time you would be unable to restore your secret from the divided shares. You can however download these programs to your local machine which gives you greater control over their use and availability in the future. Generally speaking however, I prefer the pen and paper method of secret splitting since it is always available, and more secure than a system done on a computer that could be potentially compromised.



Google is (Still) Reading Your E-mail



A NBC News article (May 10, 2018) "Google sells the future, powered by your personal data" makes some interesting observations. - The more Google products you use, the more Google can gather about you. Whether it’s Gmail, the Android smartphone operating system, YouTube, Google Drive, Google Maps, and, of course, Google Search - the company is collecting gigabytes of data about you. Google offers free access to these tools and in return shows you super-targeted advertising, which is how it made $31.2 billion in revenue in just the first three months of 2018.

Google's data collection practices include scanning your email to extract keyword data for use in other Google products and services and to improve its machine learning capabilities, Google spokesman Aaron Stein confirmed in an email to NBC News.

"We may analyze [email] content to customize search results, better detect spam and malware," he added, later noting Google has customized search in this way since 2012.

How Google collects data from Gmail users and what it uses that data for has been a particularly sensitive topic. In June 2017, Google said it would stop scanning Gmail messages in order to sell targeted ads. After this article was published, Google’s confirmation that it does still collect data from the email of Gmail users drew attention from some journalists that cover technology and digital privacy.
--

To prevent Google (or anyone else) from scanning the content of your e-mail for key words - ENCRYPT, ENCRYPT, ENCRYPT !

Consider using a privacy focused e-mail provider, such as Protonmail or Tutanota, for your personal e-mail. Use other secure communication services, such as Signal Messenger, to communicate sensitive, private, and personal information. End-to-End Encryption is essential to safeguarding your privacy.


Wednesday, May 16, 2018

The Politicization of the FBI


In a speech delivered at Hillsdale College on January 25, 2018, Joseph E. diGenova a former U.S. Attorney stated:  Over the past year, facts have emerged that suggest there was a plot by high-ranking FBI and Department of Justice (DOJ) officials in the Obama administration, acting under color of law, to exonerate Hillary Clinton of federal crimes and then, if she lost the election, to frame Donald Trump and his campaign for colluding with Russia to steal the presidency.

A pall hangs over Mueller, and a pall hangs over the DOJ. But the darkest pall hangs over the FBI, America’s premier federal law enforcement agency, which since the demise of J. Edgar Hoover has been steadfast in steering clear of politics. Even during L. Patrick Gray’s brief tenure as acting director during Watergate, it was not the FBI but Gray personally who was implicated. The current scandal pervades the Bureau. It spans from Director Comey to Deputy Director McCabe to General Counsel Baker. It spread to counterintelligence via Peter Strzok. When line agents complained about the misconduct, McCabe retaliated by placing them under investigation for leaking information.

A great disservice has been done to the dedicated men and women of the FBI by Comey and his seventh floor henchmen. A grand jury probe is long overdue. Inspector General Horowitz is an honest man, but he cannot convene a grand jury. We need one now. We need our FBI back.




10 Alarming Cyber-Security Facts



PC World Australia (May 1, 2018) listed 10 Alarming Cyber-Security Facts
  1. There are 41 cyber criminals on the FBI’s Most Wanted list as of 2018
  2. The most expensive computer virus of all time cost $38.5 billion
  3. Social Media is a hackers favorite target
  4. 99% of computers are vulnerable to exploit kits
  5. 59% of employees steal proprietary corporate data when they quit or are fired
  6. Social engineering is a cyber criminals favorite way to manipulate victims
  7. Your government is making you more vulnerable
  8. There is a real time map that shows cyber attacks in action
  9. Hacktivism is the main motivation that drives cyber attacks
  10. 68% of funds lost as a result of a cyber attack were declared unrecoverable

Use of Personal Cell-Phones for Official Government Business



It is estimated that more than 90% of adults in America own a cell-phone. While we use our cell-phones for personal communication, should we also use our personal cell-phones for official government business?
Some individuals don't have access to a business / government cell-phone and sometimes use their personal cell-phone to conduct official business. That shouldn't happen, but if you are using your personal cell-phone for government business, here are some things that you should consider:

Although Federal law is unclear on this issue  the California Second District Court of Appeal held in Cochran v. Schwan’s Home Serv., Inc., Cal. Ct. App. No. B247160, (August 12, 2014) that California Labor Code section 2802 requires employers always to reimburse employees who are required to use personal cell phones for work-related calls for a reasonable percentage of their cell phone bills, even when employees have cell phone plans with unlimited minutes or the plans are paid for by third parties. - While your employer probably should reimburse you for using your personal cell-phone for work, outside of California they may not have to do so.
If you use your personal cell-phone for government business, the government can require that you provide access to your phone to government investigators.
If you use your personal cell-phone for official business, the content of your phone may be subject to release under FOIA. The Arizona Court of Appeals, the California Supreme Court, and the Washington State Supreme Court have all held that a public employee’s private cell-phone records can be considered public records if the employee used the cell-phone for a public purpose.

In addition to the reimbursement questions raised by Cochran, employers need to be concerned about data security and IP issues when employees use their own devices.

Employees often have less sophisticated anti-hacking, anti-virus and encryption software on their personal devices. There is a risk of those devices being lost without the employee informing the employer. Employees also tend to be less than rigorous in backing up the data on personal devices. All of this means that data is more vulnerable to loss and systems are more vulnerable to damage when employers allow or require employees to use their own devices.

Equally important is what happens to important and sensitive information when the employee leaves. If the information is on a personal device, getting control of that device in order to transfer or delete the information is often much more difficult than it would be if the employer owns the device and the service contract. This increases the difficulty or preventing intentional misappropriation of sensitive information or simply loss of valuable information that sits on the ex-employee’s device.
 
From a data privacy and personal security viewpoint, using your personal cell-phone to conduct government business is a very bad idea.
Even government issued cell-phones should not be used in place of wired / landline telephones.
Army: AR 25-1, Army Knowledge Management and Information Technology, paragraph 6-4u - Portable, mobile, cellular, and wireless telephones and devices states:
* These types of telephones will not be used in lieu of established ‘wired’ telephones.
* These devices are to be used for official business and authorized use only.
* Authorized personal use of [government] cell phones is subject to the same restrictions and prohibitions that apply to other communications systems. Authorized use is limited since these types of telephones cannot be used in lieu of established ‘wired’ telephones.  
As a best practice, use cellular telephones only in exigent circumstances. Cell-phones and Blackberries will be used only when the mission clearly demonstrates a critical need for immediate communication and government / military telephone service and/or e-mail is not reasonably available. Government issued cell-phones will NOT be used in lieu of established land-line telephone service. Official calls should be made from official government land-line telephones when available. Government issued cell-phones and Blackberries will only be used to communicate UNCLASSIFIED information, and only used when a government land-line is unavailable.  Do NOT use personal cell-phones to conduct government business.
 
SMS / Text Messages Are Unsecure
According to the American Bar Association (2015): ‘While text messages have increasingly replaced phone calls, users do not always stop and realize that individually identifiable information, once captured in a traditional text message or third-party messaging system, likely becomes a PII record.’ Consumer text messaging services also offer little protection from sending messages to an unintended recipient. Texting a personal message to the wrong recipient can be embarrassing, but text messaging PII to the wrong person potentially carries significant consequences. Indeed, a single text message including PII sent to the wrong number or wrong person would likely constitute a PII breach and Privacy Act Violation, subject to mandatory reporting and investigation by the Defense Privacy and Civil Liberties Office.
 
Government Required to Protect Personal Telephone Numbers
You may choose to provide your personal telephone number (home / cell-phone) to your employer so that they can contact you. If you provide your home address or home telephone number (this might be your cell-phone) to your government employer, the government may not release that information to others without your specific consent. Release of home address or home telephone numbers is normally considered a clearly "unwarranted invasion" of personal privacy and is exempt from mandatory release under the FOIA.  32 CFR505.7
Distributing personal telephone numbers on social and recall rosters may create an invasion of personal privacy unless everyone on the roster consents to sharing their information with everyone else on the roster. 
 
 

Tuesday, May 15, 2018

Privacy Awareness Week


The Federal Trade Commission (FTC) has released an announcement promoting Privacy Awareness Week (PAW) May 14-18, 2018. PAW is an annual event fostering awareness of privacy issues and the importance of protecting personal information. This year’s theme, "From Principles to Practice," focuses on privacy protection and online security for businesses and individuals.

Additionally, the following tips from US CERT may be of interest...

Protecting Your Privacy - https://www.us-cert.gov/ncas/tips/ST04-013
Safeguarding Your Data - https://www.us-cert.gov/ncas/tips/ST06-008
How Anonymous Are You? - https://www.us-cert.gov/ncas/tips/ST05-008

Drivers Have Reasonable Expectation of Privacy


The Supreme Court unanimously ruled yesterday (May 14, 2018) in Byrd v. United States that the driver of a rental car could have a reasonable expectation of privacy in the car even though the rental agreement did not authorize him to drive it. In Byrd, state troopers stopped Terrence Byrd while he was driving a rental car alone on a Pennsylvania interstate. Once the troopers realized he was not an authorized driver (i.e. not listed as a driver on the rental agreement), they went ahead and searched the car...

The Court explained that as in any Fourth Amendment case, the starting point is to determine whether the individual has demonstrated a “reasonable expectation of privacy” in the place searched.

When it comes to places like houses and cars, the Court has developed a kind of sliding scale: owners and those in lawful possession (like tenants) “almost always” have a reasonable expectation of privacy, while short-term visitors do not. On the one hand, it’s not enough to simply happen to be somewhere in order to contest a search, but you don’t have to have a strict property interest in the place either, since overnight guests can contest a police search. 

Perhaps the more interesting question in the case, however, was whether the Budget Rent a Car agreement that Byrd’s friend signed before giving him the keys should have negated Byrd’s expectation of privacy in the car. That agreement provided in capital letters that permitting an unauthorized driver to drive the car was a violation of the rental contract that could void its coverage. The government argued that this provision automatically nullified Byrd’s expectation of privacy in the car.

Thankfully, the Supreme Court refused to go down this road. Your Fourth Amendment Rights Shouldn’t Come with Terms and Conditions!  (EFF, May 15, 2018)  (Washington Examiner, May 14, 2018)


SMS Verification Message Web-Sites



Mike Bazzell, author of "The Complete Privacy & Security Desk Reference: Volume I: Digital" (and several other books), web-master / owner of IntelTechniques, and general privacy and OSINT guru has added a SMS Verification Texts page to his web-site. 

Many web services require a phone verification in order to create an account. They send a verification code to your cell phone number that you have to enter on the website. If you do not feel comfortable providing your personal cell-phone number to receive a SMS text every time you sign up for an online service, there are numerous websites that could help you to receive a message on a Computer.

SMS Verification Messages.

Don't use these sites as part of 2FA to log into your accounts - this would be extremely dangerous since the SMS messages sent to these sites are publicly viewable. However, when needing to receive a SMS message as a one-time verification they have their place.



Understanding Your Fourth Amendment Rights in the Workplace



Warrantless Workplace Searches of Government Employees: A Report from the Federal Law Enforcement Training Center (FLETC)
  • A search of a government employee's workplace must comply with the Fourth Amendment.
  • According to the 9th Circuit Court in United States v. Taketa - a government employee has a reasonable expectation of privacy in his or her office if among other things, the office is not open to the public and is not subjected to regular vis its of inspection by [agency] personnel.
  • If an employee has a reasonable expectation of privacy in his workplace, then an intrusion into that area qualifies as a "search" governed by the Fourth Amendment. Kyllo v. United States, 533 U.S. 27, 33 (2001)
  • "The Fourth Amendment protects individuals from unreasonable searches conducted by the Government, even when the Government acts as an employer." Generally speaking, when searches are performed, courts have expressed a strong preference that they be performed pursuant to warrants. Nat’l Treasury Employees Union v. Von Raab, 489 U.S. 656, 665 / United States v. Holloway, 290 F.3d 1331, 1334 (11th Cir. 2002)
  • Although government ownership of the property to be searched (e.g., a government-owned computer assigned to a government employee) is an important consideration, it does not, standing alone, dictate a finding that no reasonable expectation of privacy exists. Applicability of the Fourth Amendment does not turn on the nature of the property interest in the searched premises, but on the reasonableness of the person’s privacy expectation.  Gillard v. Schmidt, 579 F.2d 825, 829 (3rd Cir. 1978) / United States v. Angevine, 281 F.3d 1130, 1134 (10th Cir.)

Privacy Expectation in Public Workplace Electronic Communications
  • The Fourth Amendment protects the "rights of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures." This Fourth Amendment "right to privacy" affords protection against unreasonable government intrusion into protected privacy interests. 

Government Searches of Workplace Computers (Oregon District Court)
  • The Fourth Amendment applies when the government acts in its capacity as employer.

Employee Monitoring and Workplace Privacy Law (American Bar Association)


Each of the above short (<20 pages) papers discusses court cases and laws involving workplace privacy. In January 2018, I wrote a short post here: Privacy at Work: What Are Your Rights?  Reading the above reports expands on the information in my earlier post.

As an employee it is important that you understand your rights. As an employer (and especially as a government employer) it is important that you understand your responsibilities.

"Government employers are subject to federal constitutional constraints because their conduct is considered "state action."  Private employers are not subject to constitutional claims unless their investigations become intertwined with a state investigation.  Therefore, a search of an employee's office by a governmental employer is justifiable only "when there are reasonable grounds for suspecting that the search will turn up evidence ... of work-related misconduct, or that the search is necessary for a non-investigatory, work-related purpose such as to retrieve a needed file."- O’Connor v. Ortega, 480 U.S. 709, 716.

Monday, May 14, 2018

LC4: Another Pen-and-Paper Cipher



Bruce Schneier mentioned the ElsieFour (LC4) cipher in a recent blog post: "LC4: Another Pen-and-Paper Cipher

ElsieFour (LC4) is a low-tech cipher that can be computed by hand; but unlike many historical ciphers, LC4 is designed to be hard to break. LC4 is intended for encrypted communication between humans only, and therefore it encrypts and decrypts plaintexts and ciphertexts consisting only of the English letters A through Z plus a few other characters. LC4 uses a nonce in addition to the secret key, and requires that different messages use unique nonces. LC4 performs authenticated encryption, and optional header data can be included in the authentication. The above (linked) paper defines the LC4 encryption and decryption algorithms, analyzes LC4's security, and describes a simple appliance for computing LC4 by hand.
--

I tried this cipher using letter squares made from index card stock. The cipher, once you are familiar with it, is easy enough, but the movement of the squares is slow (at least when using squares made from index cards).


Sneak & Peek Warrants - Are Government Agents Breaking Into Your Place?


A sneak and peek search warrant (officially called a Delayed Notice Warrant) is a search warrant authorizing the law enforcement officers executing it to effect physical entry into private premises without the owner’s or the occupant’s permission or knowledge and to clandestinely search the premises; usually, such entry requires a stealthy breaking and entering.

According to the ACLU, the PATRIOT ACT allows "law enforcement agencies to delay giving notice when they conduct a search. This means that the government could enter a house, apartment or office with a search warrant when the occupant was away, search through her property and take photographs, and in some cases seize physical property and electronic communications, and not tell her until later. Any protections afforded by a warrant are meaningless when the searching officer has complete and unsupervised discretion as to what, when and where to search and the individual owner is not provided notice so cannot assert and protect her rights." 

The Fourth Amendment protection against unreasonable searches and seizures requires the government to both obtain a warrant and to give notice to the person whose property will be searched before conducting the search. The notice requirement enables the person whose property is to be searched to assert her Fourth Amendment rights. For example, a person with notice might be able to point out irregularities in the warrant, such as the fact that the police are at the wrong address, or that because the warrant is limited to a search for a stolen car, the police have no authority to be looking in dresser drawers."

The Oregonian (April 15, 2018) reported that "Oregon is No. 2 in nation in requests for 'sneak-and-peek' search warrants". During FY 2016 (1 Oct 15 - 30 Sep 16) there were 851 sneak and peek warrants issued in Oregon."

Although the initial rationale under the PATRIOT ACT for throwing the doors open to these searches was the need to protect the United States against terrorists, of the 15,164 delayed-notice warrants or extensions granted nationwide in 2016, only 71 — or 0.5 percent — were related to alleged terrorism. 

Matthew T. Mangino, counsel with Luxenberg, Garbett, Kelly & George P.C comments on Sneak and Peek warrants in a short YouTube Video, posted on April 20, 2018.


PGP Vulnerability ?



What You Need to Know About E-Fail and the PGP Flaw

A group of researchers released a paper today that describes a new class of serious vulnerabilities in PGP (including GPG), the most popular email encryption standard. The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim’s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim. The proof of concept is only one implementation of this new type of attack, and variants may follow in the coming days.

EFF is advising PGP users to pause in their use PGP and seek other modes of secure end-to-end communication for now.

--

ProtonMail  has stated that it is safe against the efail PGP vulnerability. The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our @openpgpjs library is also safe as long the default settings aren't changed. It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation. Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
--

The research paper discussing the PGP vulnerability is available at: https://efail.de/efail-attack-paper.pdf



Lock Picking Channels

http://deviating.net/lockpicking/gringo/

In December 2017, I wrote here in the blog "Most residential (home) locks can be quickly and easily bypassed by picking or bumping. This can allow an adversary covert access to your home, and if someone breaks into your home using these methods and steals your property a police report reading that there were "no signs of forced entry" can complicate any claim that you may file against your homeowner’s or renter’s insurance."

Yet, according to research, only 6% of burglars would attempt picking locks to gain an entry into homes. 32% would go for an unlocked door or a window, 26% would try to gain a forced entry (by breaking the door, locks, window, etc.), and 24% would try jimmying or prying.

Your threat model may increase the likelihood that someone will attempt to bypass your security by lock picking. Many in the "hacker" community have at least some knowledge and skill in lock picking. And government agents may break into your home to sneak and peek. A sneak and peek search warrant (officially called a Delayed Notice Warrant and also called a covert entry search warrant or a surreptitious entry search warrant) is a search warrant authorizing the law enforcement officers executing it to effect physical entry into private premises without the owner’s or the occupant’s permission or knowledge and to clandestinely search the premises; usually, such entry requires a stealthy breaking and entering.

There are a few YouTube channels that teach and demonstrate lock picking and similar techniques to defeat and bypass locks. Included in my favorites are:

For those interested in such things, these channels can be entertaining. If you are trying to learn how to pick locks, these channels can be informative. And, if you are planning to buy new locks to secure your property, these channels can help you avoid buying a lock that has an inherent security weakness or vulnerability.

Some places to purchase quality lock picks include:

Lock Pick Shopwww.LockPickShop.com
Multipick Germanywww.multipick.com
PickPalswww.pickpals.com.au
Sparrows Lock Pickswww.sparrowslockpicks.com
UK Bumpkeyswww.ukbumpkeys.com

Consumer Reports has published reports on choosing the best locks for your home:

Door Lock Buying Guide

5 Door Locks That Will Keep You Safe and 5 That Won't

My personal recommendations for door locks are the Mul-t-lock MT5+ Hercular and the Abloy Protec2, although both of these locks cost more than some people are willing to pay (or need) for home security.



Sunday, May 13, 2018

FCC Says 'Net Neutrality' Rules Will End on June 11



Reuters, 10 May 2018: The Federal Communications Commission said in a notice Thursday that landmark 2015 U.S. open-internet rules will cease on June 11. An FCC spokeswoman confirmed the new rules will take effect on June 11. A group of states and others have sued to try to block the new rules from taking effect. The revised rules were a win for internet service providers like AT&T Inc (T.N) and Comcast Corp (CMCSA.O) but are opposed by internet firms like Facebook Inc (FB.O) and Alphabet Inc (GOOGL.O). The U.S. Senate is set to vote as early as next week on whether to reject the FCC repeal of the net neutrality rules. Proponents currently have the backing of 47 Democrats and two independents who caucus with Democrats, as well as Republican Senator Susan Collins. With the prolonged absence of Republican Senator John McCain due to illness, proponents believe they will win on a 50-49 vote. Senator Ed Markey said it was “likely” the vote will take place in the middle of next week. On Wednesday, senators officially filed a petition to force a net neutrality vote and 10 hours of floor debate under the Congressional Review Act. The FCC voted 3-2 to reverse Obama-era rules barring service providers from blocking, slowing access to or charging more for certain online content. Once they take effect, the new FCC rules would give internet service providers sweeping powers to change how consumers access the internet but include new transparency requirements that require them to disclose any changes to consumers.

A BAT File to Create a Hidden Folder


Versions of this BAT file have been around for years. Still, I though that it was an interesting trick to hide a folder (and its contents) on your computer.

Open Notepad and copy the following script (every thing between the ------- lines) and save the file as NAME.BAT  You can name the file anything that you wish, but it must be saved as a .BAT file, not a .TXT file, for it to run.

In the script change the text "Your-Password-Here" to whatever you want you password to be.

When you run the BAT file it will create a folder (MDLOCKER) called "Locker". You can change the folder name in the script if you wish.

You use the folder like you would any other, but are able to use your BAT file to hide the folder. When your folder is visible, run your BAT file to hide it. When the folder is hidden, run the BAT file to make it visible.

------
cls
@ECHO OFF
title Folder Locker
if EXIST "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" goto UNLOCK
if NOT EXIST Locker goto MDLOCKER
:CONFIRM
echo Are you sure u want to Lock the folder(Y/N)
set/p "cho=>"
if %cho%==Y goto LOCK
if %cho%==y goto LOCK
if %cho%==n goto END
if %cho%==N goto END
echo Invalid choice.
goto CONFIRM
:LOCK
ren Locker "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
attrib +h +s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
echo Folder locked
goto End
:UNLOCK
echo Enter password to Unlock folder
set/p "pass=>"
if NOT %pass%==Your-Password-Here goto FAIL
attrib -h -s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
ren "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" Locker
echo Folder Unlocked successfully
goto End
:FAIL
echo Invalid password
goto end
:MDLOCKER
md Locker
echo Locker created successfully
goto End
:End
-----------

How It Works.

This BAT file creates a folder "LOCKER" on your computer. When you run the BAT file again, it renames the folder and sets its attributes to a Hidden / System Folder with the Windows Class Identified of Control Panel.

The password in the BAT file is a simple IF/THEN statement. When the correct password is entered the BAT file runs and renames the folder making it visible. If an incorrect password is entered the BAT file fails and the folder remains hidden.

It is important to note that the LOCKER folder is not actually password protected. You can navigate to that folder from the command line and reset its attributes. If you understand file attributes you can do everything the BAT file does by typing commands into the command line. The BAT file just makes it easier. To protect documents within the hidden folder you should consider some form of encryption, such as Microsoft Office Encryption.

If you want to learn more about this BAT file, do a Google search for "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" and there will be several additional articles for you to read.

This YouTube video explains how to use the above BAT file.

Go ahead and try it out.

--
Although this BAT file uses the Windows Class Identifier (CLSID): "Control Panel", there are other CLSID that could be used, such as:

My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}
Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
Internet Explorer.{871C5380-42A0-1069-A2EA-08002B30309D}
Network Neighborhood.{208D2C60-3AEA-1069-A2D7-08002B30309D}
Subscriptions: {F5175861-2688-11d0-9C5E-00AA00A45957}
ActiveX Cache Folder.{88C6C381-2E85-11D0-94DE-444553540000}

Whenever the Windows shell needs to access such a system folder, it uses the CLSID to search through the Windows Registry to find the appropriate .dll or other object.

An advantage to using this technique to hide a folder is that it doesn't require any outside software. You could hide a folder on a company network, even if you are unable to install executables (as long as you can access system files).

To add a bit more security to your hidden folder, keep your BAT file on removable media (such as a CD). Copy the BAT file to your computer desktop when you need to access your hidden folder, and when you are done delete the BAT file from your desktop and take the CD with you when you leave.


Advances in DNA Technology Give Law Enforcement Hope for Solving Cold Cases

According to a report on KOMO 4 News (May 11, 2018) advances in DNA technology give law enforcement hope for solving cold cases.

Phenotyping is the latest crime-fighting tool in helping solve cold cases, most recently in the disappearance and murders cases of Lindsey Baum and Jennifer Bastian.

"DNA Phenotypin is predicting someone's appearance or their biogeographic ancestry, just from DNA," said Ellen Greytak, PhD., Director of Bioinformatics.

Local detectives send DNA samples to Parabon Nanolabs in Virginia. The labs then create sketches of the possible suspects.

Phenotyping predicts more than identity, it can tell police things they weren't able to tell before, without the technology.

"DNA is a blueprint for a person. It defines our hair color, eye color, skin color. All of that is written in the DNA. And the trick is just to figure out what parts to look at in order to make those predictions and learn something new about a suspect, just based on the DNA," Greytak said.

"For example, if they had a case that happened 20 years ago and this (the sketch) comes out and they go, 'ya know I had a friend of mine he looked like that 20 years ago, that could be him. Then they can go see if it is him and if it's close enough they can get a DNA sample on that guy," said Cloyd Steiger, Chief Criminal Investigator for the State Attorney General's Office.

Though sketches are another useful tool, there are no guarantees that it'll lead to identifying a suspect.
--