Sunday, November 29, 2015

Life After My Epic Hack



When my data died, it was the cloud that killed it. The triggers hackers used to break into my accounts and delete my files were all cloud-based services — iCloud, Google, and Amazon. Some pundits have latched onto this detail to indict our era of cloud computing. Yet just as the cloud enabled my disaster, so too was it my salvation. 

Yes, you can die by the cloud. But you can live by it too. Here’s how I regained my digital life after it was taken away from me. 

When hackers broke into my iCloud account and wiped my devices, my first assumption was that someone had broken into my local network. So the first thing I did was shut down the internet and turn off all of my other machines. I wanted those assholes out of my house. But that also meant I had no way to send or receive data.

AppleCare’s phone support was useless. The 90 fruitless minutes I spent on the phone accomplished nothing at all to regain control of my AppleID. Nor did a follow-up help to stop the remote wipe taking over my MacBook Air. I had to get online. So to reconstruct my life, I started off by going next door, where I borrowed my neighbor’s computer to use their internet. 

Ultimately, I was able to get back into my iCloud account by resetting the password online. Once I did, I began restoring my iPhone and iPad from iCloud backups. The phone took seven hours to restore. The iPad took even longer. I could use neither during this time. 

From my wife’s phone, I called my bank and completely changed my logins. Then I set about checking online to see which other accounts might have been compromised. By now I felt safe turning on our own home internet and using one of my other computers to check these accounts. But I hit an immediate problem: I didn’t know any of my passwords. 

I’m a heavy 1Password user. I use it for everything. That means most of my passwords are long, alphanumeric strings of gibberish with random symbols. It’s on my iPhone, iPad and MacBook. It syncs up across all those devices because I store the keychain in the cloud on Dropbox. Update a password on my phone, and the file is saved on Dropbox, where my computer will pull it down later, and vice versa. 

But I didn’t have it on any of our other systems. So now I couldn’t get to my keychain. And so I was stuck in a catch-22. My Dropbox password was itself a 1Password-generated litany of nonsense. Without access to Dropbox, I couldn’t get my keychain. Without my keychain, I couldn’t get into Dropbox. 

And then I remembered that I had also used Dropbox previously on my wife’s machine. Had I stored the password there? 

Five hours after the hack started, still locked out of everything, I flipped open the lid of her computer, and nervously powered it up. And there it was: my Dropbox. And in it, my 1Password keychain, the gateway to my digital life. 

It was time to get cranking. I set up a new Twitter account. And then, with my now-found password manager, I logged into Tumblr. 

Here’s the thing: I probably got my stuff back faster than you would have. I’ve been a technology journalist for more than a dozen years, and in that time I’ve made lots and lots of contacts. Meanwhile, my Tumblr post spread like warm butter across the piping hot English muffin of the internet. 

A lot of people saw the post, some of whom were executives or engineers at Google and Twitter. I still had to go through official channels, but they pointed me to the right place to start the recovery process on both of those services. On Friday night, I filled out forms on both sites (Google’s is here, Twitter’s is here) to try to reclaim my accounts. 

Someone else saw my posts on that night too: my hacker. 

I had posited that the hackers had gotten in via brute forcing my 7-digit password. This caused my hacker, Phobia, to respond to me. No, he bragged, brute force wasn’t involved. They got it right from AppleCare, he said via a Twitter DM. I still didn’t know how that worked, exactly, but this piece of information led me to start digging. 

As it turned out, breaking into Apple accounts was ridiculously easy. On Saturday, when I fully understood just how Phobia and his partner had gotten in (and how easily it could happen again), I made a distressed phone call to Apple to ask that the company lock everything down, and issue no more password resets. 

It was on this call that I confirmed someone else had called in about my account at 4:33 p.m. the previous day — someone who I now knew to be Phobia. Chandler McDonald, the tech who helped me on that call, was the first person at Apple to take what was happening really seriously, and was one of only two positive experiences I had with Apple that weekend (or since). McDonald reassured me that he was going to get my account locked down, and promised to call me the next day. And he did. I’m still grateful.

Also on Friday night, I began the process of restoring my Google account. Because I couldn’t send a backup to my now non-functioning phone, I had to fill out some forms online that asked me questions about my account usage that, presumably, only I would know. For example, I was asked to name the five people I e-mailed the most. 

On Saturday morning, I received an automated e-mail from Google asking me to go online and define even more personal information. This time, I was asked for things like the names of folders in my Gmail account, and the dates on which I had set up various other Google accounts, like Google Docs. It was a little flummoxing, and I wasn’t sure I knew the answers to these questions. But I tried, and I guess I got the answers right.

That same day, while still waiting for access to my Google account, I was having another Google-related problem that was keeping me from being able to use my phone. Although the restore from backup was complete, and I could use over-the-air data to access internet services, it would not send or receive calls. At first I couldn’t understand why, and then realized it was because I had linked my number to Google Voice.

Since Google has integrated sign-ons across all accounts, not only was my Gmail nuked, but so was every other associated Google service as well. That meant my Google Voice number was dead. And because I (obviously) couldn’t log into Google Voice, I couldn’t opt to disconnect it from my phone. I called Sprint and asked the tech support rep there to do it for me. Done. 

Almost immediately, my phone lit up with text messages from concerned friends, wanting to let me know I’d been hacked. 

Thanks guys, I know. I know. 

Just before noon on Saturday, my Google account was restored. Given what I’ve subsequently learned about how long it has taken others to do the same, I think that had my case not been escalated, this process could have taken 48 hours or more. Yes, I went through the normal steps, and had to prove I was who I claimed to be, but the process was likely faster for me than it would be for most. 

Once in my inbox, I saw how remarkably little the intruders had done. They had torched the joint just after getting a password reset on Twitter. I went through and checked all my mail filters and settings to make sure new messages wouldn’t be also copied to someone else without my knowledge, and systematically revoked every single app and website I’d authorized to connect to my Google account. 

Saturday night, after verifying my Wired e-mail address and exchanging several e-mails with tech support, I got back into my Twitter account too. It was in ruins. There were racist and anti-gay tweets all over the place, as well as taunting remarks aimed at other hackers, and other users. At first I left these up, just as documentation, but then went in and deleted the worst of them. 

That night, I stayed up late, direct-messaging Phobia on Twitter. 

Sunday afternoon, I found myself at the Apple Store in San Francisco’s worst mall. I was, to say the least, cranky. Although I’d called on a Friday night, the first appointment I could get was at 1 p.m. on Sunday. By 1:20 p.m., I was talking to an Apple genius named Max. He was awesome. He’d heard of my case. 

He told me that while Apple couldn’t recover my data, it could probably stop the wipe from progressing further. There was the 4-digit PIN that needed to be entered, as well as a firmware-level password, and I had neither. I told him all I cared about was preserving my data. He scurried away with my machine. 

And indeed, Monday afternoon, Max called to let me know that they had been able to reset the firmware password. They couldn’t crack the PIN, but he said I should be able to pull whatever data existed on there off. Good news. I began researching data-recovery firms. 

A photo of the author and his daughter, shortly after her birth, that existed only on his hard drive.

Getting data back from an SSD drive, like the one in my MacBook Air, is considerably trickier than recovering it from a standard HDD for all kinds of reasons — from the way SSDs reallocate data, to the lack of a physical platter, to hardware-level encryption keys. I wasn’t about to attempt to recover it myself. Max, my guy at the Apple Store, had suggested that I call DriveSavers. Several other people I know and respect, like TWiT’s Leo Laporte, whose show I appeared on that weekend, told me the same thing. 

And so, on Friday, exactly one week after my system was wiped, I sent my Mac away to Novato to see what could be recovered from the drive hackers had wiped. 

In a nutshell, here’s what happens when you take your machine to DriveSavers (and we’ll have a full rundown on this later). First, they remove your drive from the machine and put it in a custom adapter. From there they use a proprietary method to image your system and copy that data to a secure “slicked” disk so there’s no chance of data contamination. This is done extremely rapidly so that the original drive doesn’t have to be powered up for very long. 

Next they put the original drive aside to preserve it, and then begin working off the copy to see what’s on there. In some cases, like mine, there are no more files or directory structures to pore over. So they scour the drives looking at raw hex data. When you see this in action, it looks a lot like The Matrix, with rows and rows of random numbers and characters scrolling up a screen, faster than your eyes can focus on. 

Except, that’s not what they saw on mine. 

When DriveSavers began looking at my machine, the first 6GB of data held a clean install of Mac OS X. And after that, all they saw was row after row after row of zeroes. That data had been zeroed out. Overwritten. No recovery. 

And then numbers. That beautiful hex data started rolling across the screen. Yes, 25 percent of my drive was gone and beyond repair. But the remaining 75 percent? Hope for life. DriveSavers called me to come look at what they had found, and my wife and I drove up there on Wednesday morning. 

My data came back to me on an external hard drive, organized by file types. The thing I cared most about, above all else, was my photo library. And there, in a folder full of JPGs, was photo after photo after photo that I had feared were gone forever. Subfolders were organized by the year, month and day files were created. I went immediately to the folder that bore the date my daughter was born. They were there. Everything was there. We were floored. I nearly cried. 

I am an over-sharer. But the things most intimate in life, I tend to keep private. And so although I have posted picture after picture to Flickr, Facebook and Instagram, the stuff that was really important — the stuff that maybe even was most important — has always been mine alone. It lived nowhere but on my hard drive. 

Some of the photos were ancient artifacts that traveled with me from machine to machine with each upgrade cycle. In fact, much of the data was far older than the last device it was stored on. Most of those older images had been backed up to an external hard drive. And some of the newer ones were safe on PhotoStream, one of Apple’s iCloud services. But most of the shots that I had taken with my camera over the past 20 months since I last backed up were lost forever. And here they were again, recovered. Reborn. It was gorgeous.

I didn’t get everything back. DriveSavers was only looking for the things I specifically requested. I’ve lost all my applications, for example, as well as long-established preferences and settings that have been moving from machine to machine with me. But that’s OK. I can live without them. I can buy them again. Whatever. Besides, sometimes it’s nice to start with a clean slate, and I spent yesterday installing a new, clean operating system on my MacBook Air.

The bottom line is that I have all my photos and all the home movies I’ve shot. Every one of them. And seemingly all of my most important documents as well. That felt like a miracle. 

The bill for all this? $1,690. Data doesn’t come cheap.

I’ve been asked again and again what I’ve learned, and what I now do differently. I’m still figuring some of that out. 

I’m certainly a backup believer now. When you control your data locally, and have it stored redundantly, no one can take it from you. Not permanently, at least. I’ve now got a local and online backup solution, and I’m about to add a second off-site backup into that mix. That means I’ll have four copies of everything important to me. Overkill? Probably. But I’m once bitten. 

And then there’s the cloud. I’m a bigger believer in cloud services than ever before. Because I use Rdio, not iTunes, I had all my music right away. Because I use Evernote to take reporting notes, everything that I was currently working on still existed. Dropbox and 1Password re-opened every door for me in a way that would have been impossible if I were just storing passwords locally via my browser. 

But I’m also a security convert. 

It’s shameful that Apple has asked its users to put so much trust in its cloud services, and not put better security mechanisms in place to protect them. AppleIDs are too easily reset, which effectively makes iCloud a data security nightmare. I’ve had person after person after person report similar instances to me, some providing documentation showing how easily their Apple accounts were compromised. 

And due to Apple’s opacity, I have no way of knowing if things have improved. Apple has refused to tell me in what ways its policies weren’t followed “completely” in my case. Despite being an Apple user for nearly 20 years and having generally positive feelings toward the company, I no longer trust it to do the right thing in terms of protecting my data. I’ve turned off its Find My services and won’t turn them back on.

Amazon also had a glaring security flaw, and although it has fixed that exploit, the flaw’s mere existence should serve as a warning to all of us about all of our other accounts. We don’t often know what’s required to issue a password reset, or have someone get into our account through a company’s tech support system. 

But hackers do.

I’m working on another story looking at how widespread these practices are, and while there’s much reporting left to be done, it’s already very clear that the vulnerabilities at Amazon aren’t unique. It’s also clear that many of these gaping security holes are common knowledge within certain communities online. Bored teenagers up late on hot summer nights know more about social engineering exploits than I would wager most of the executives at affected companies do. That needs to change. 

Previously, when I had the option for ease-of-use versus security, I always went the easy route. I stored my credit cards with the merchants I used for faster transactions. I didn’t enable two-factor authentication on Google or Facebook. I never set up dedicated (and secret) e-mail accounts for password management. I take those steps now. But I also know that no matter what security measures I take, they can all be undone by factors beyond my control.

We don’t own our account security. And as more information about us lives online in ever more locations, we have to make sure that those we entrust it with have taken the necessary steps to keep us safe. That’s not happening now. And until it does, what happened to me could happen to you. 



Saturday, November 28, 2015

The Internet of First Responder Things

The Internet of First Responder Things (IoFRT)

The “Internet of Things” or IoT is a common buzzword in the technology community these days.  It refers to the increasingly prevalent distribution of sensors throughout the natural world, and the connection of those sensors – as well as other machines – to the Internet.

The running joke is that IoT is about putting your home refrigerator, thermostat, washer, dryer, microwave, range, TVs, computers, smart phones and even toasters on the Internet, or at least connecting them so they can talk to each other.  Now what a toaster would say to a TV, or what the conversations between a washer and a dryer might include, could certainly make for a lot of talk show jokes and lists on a David Letterman show (should he return).

But clearly creating such an “Internet of Household Things” or IoHT would be quite useful.  Take, for example, the urgent water crisis in California and throughout most of the West.   If you could add sensors to every water fixture in the house, and then connect those sensors to computers and smartphones, you could determine where your water is being used and take steps to cut back use.   Going one step further, if those water sensors also had valves, you could control your household water use from anywhere in the world.  So when your teenager’s shower has gone over five minutes in length, you could abruptly get a notification and then shut off the water (or turn on the cold water full blast) from your hotel room in Hong Kong.

How might this Internet of Things concept apply to First Responders – the paramedics and firefighters and police officers who respond to our 911 calls?

I recently had a Twitter conversation about this with Ray Lehr, former fire chief in Baltimore, and former FirstNet State Point of Contact (SPOC) for Maryland.  Ray suggested we should start talking about the Internet of Life Saving Things (IoLST) which I morphed into a possible Internet of First Responder Things (IoFRT).

There are many applications for the IoFRT, and I’d guess they fall into several buckets:

  • First Responder Personal Things – the sensors and equipment which would be on or near a First Responder to help that officer do the job and keep the officer safe.
  • 911 Caller and Victim Things – these sensors would help alert 911 centers and responders to problems so First Responders can quickly and accurately respond to calls for assistance.
  • Information and Awareness Things – these sensors and machines would improve public safety by monitoring the natural and built environments.

Seattle Police Body Worn Video

“First Responder Personal Things” would include a variety of sensors and communication devices.  Body worn video cameras – so much in the news recently after the events in Ferguson, Missouri – are one example of an IoFRT device.  Most such cameras today record their video and hold it in the device.  But if wirelessly connected to the Internet (by, say, FirstNet), a police commander, 911 center and other authorized users could see the video in real time to advise and support the officer.

A police officer’s badge or other apparel might have a small radio which broadcasts a signal unique to that officer, which allows many other communication devices (smart phone, radio, tablet computer) to automatically recognize the officer and therefore allow access to restricted databases such as criminal history.  A similar situation for a paramedic would allow her/him access to restricted patient files and healthcare history.

A police officer’s weapon could have a sensor which only allows it to be fired if it is in the personal possession of the officer.  Firefighters – especially those fighting long, sustained wildfires – would have an array of sensors to monitor heart rate, respiration, ambient air quality, etc., alerting the firefighter and incident commander to firefighters who are overworked or in dangerous situations.

“911 Caller and Victim Things” would include those sensors on a victim or in their home or place of business which help to monitor and protect them.   Medical sensors are an obvious application:  people with a history of heart disease, stroke, diabetes or other conditions would have such sensors which would immediately alert them and their healthcare providers to impending problems.  Such sensors might further alert 911 centers for dispatch of emergency medical technicians to an immediate problem.

Vulnerable people in high crime areas might have sensors or video cameras which could be activated at a moment’s notice when they come into dangerous situations.   Many homes and businesses are now equipped with video cameras, movement sensors and other sensors.  A 911 call from the premises (or other activation by the owner) could give 911 centers and responding officers immediate access to the telemetry and video from those cameras.

Finally, General Motors’ OnStar gives us a premonition of the technology which will go into vehicles in the future.  Vehicles which communicate with roads or automatically notify 911 centers after an accident, to include transmission of telemetry and video, are definitely in the future.

“The Internet of Information and Awareness Things” is both more fascinating and frightening.  Applications to support 911 response can be harnessed to many of these “things”.


Seattle Police Demonstrate a UAV aka “drone”

For example, video surveillance cameras are becoming less expensive and more ubiquitous.   Surveillance camera systems deployed by cities and counties receive significant scrutiny and attention from the ACLU and city/county councils, such as the brouhaha surrounding Seattle’s attempted deployment of a $5 million system.  The use of unpiloted aerial vehicles with cameras is just starting deployment.  But most such cameras are in the hands of businesses and private individuals, as demonstrated by the identification of the Boston Marathon bombers.  Powerful new technology tools are becoming available for automated analysis of video, for example automated license plate recognition, facial recognition and object recognition.  We aid and abet this analysis by gleefully tagging faces in our Facebook photos, all of which Facebook uses to build its database of known faces.  The largest license plate recognition databases are in private hands.  In the near future every human being is likely to be recognized and tracked (and NOT by governments) whenever we are outside our own homes.

In the wake of the 9/11 terrorist attacks, the Department of Homeland Security was created.  Fearing potential chemical, biological and nuclear terrorist attacks, it deployed a network of sniffers and sensors in cities and other potential targets.  Similar technologies and networks could be deployed to support first responders.

For example, every load of hazardous material being transported by road, air or rail could be tagged and tracked.  Every hazmat container stored in a building could also be identified and tracked, with firefighters watching them pop up on a tablet computer app when they respond to an event in the building.

We could even tag every can of spray paint or every cigarette lighter as the combination of those two items, plus a healthy dose of stupidity (which, alas, cannot yet be tagged) contributes to major home fires like this one.

It is now easy to imagine a world like that depicted by George Orwell in his novel 1984, where surveillance is both nefarious and ubiquitous, fueled by a government (probably controlled by private companies) out of control.

Like so many other choices faced by our early 21st Century society, the Internet of First Responder Things holds both great promise and some peril.   Elected officials and chiefs of responder agencies will have many decisions to make over the next few years.


COINTELPRO: Counterintelligence Program


COINTELPRO (Counterintelligence Program)

["COINTELPRO was the FBI's secret program to undermine the popular upsurge which swept the country during the 1960s.....The FBI set out to eliminate "radical" political opposition inside the US. When traditional modes of repression (exposure, blatant harassment, and prosecution for political crimes) failed to counter the growing insurgency, and even helped to fuel it, the Bureau took the law into its own hands and secretly used fraud and force to sabotage constitutionally- protected political activity. Its methods ranged far beyond surveillance, and amounted to a domestic version of the covert action for which the CIA has become infamous throughout the world."--Brian Glick.  Gang Stalking is modern Cointelpro.]


See: War Against Alternative Medicine  Gang Stalking  American Indian Movement (AIM)  Police agents provocateurs

See: Mockingbird  CHAOS  [2009 July] Judaic Front Group Secretly Promotes Neo-Nazism 

Paul Wolf  William Schaap  Brian Glick Angus Mackenzie  Jim Vander Wall

[2010 Oct] Meet Carol Two Eagle  "I'm The Man, here. I have all the power. I control everything. You can't continue doing what you've been doing! It's not allowed! You give the People hope, & that's not allowed by The Program!” 


United States Terrorism and Repression Against Its Own People by DT Stockton

Is the US a Police State?  When wasn't it?

[2009 Nov] The Jimi Hendrix Political Harassment, Kidnap and Murder Experience by Alex Constantine

Church Committee reports

[2006] A break-in to end all break-ins. In 1971, stolen FBI files exposed the government's domestic spying program.

[2004] An Introduction to The Signs And Techniques of Online COINTELPRO By Stephen DeVoy

[1999] Testimony of Mr. William Schaap on the role of the U.S. Government in the assassination of Martin Luther King 

COINTELPRO Revisited - Spying & Disruption By Brian Glick

COINTELPRO: The Untold American Story By Paul Wolf 

The Hunt for Red Menace: Evidence is Immaterial. COINTELPRO Media Operations 

[2002] FBI on Trial. Jury awards $4.4 million to a pair of Earth First activists by Christine Keyser

[2002] Bombed and framed. FBI pays millions in damages to eco-activists by Andy Howell

[1997] How the CIA Got Away With Domestic Spying

Department Of Army Report On The Use Of Chemical Agent Research, Intelligence Corps Experimentation With Hallucinogenic Drugs.
Summary Of CIA Testing Of Lsd, Chemicals For Altering Human Behavior With A Wide Variety Of Methods.
Summary Of FBI Counter Intelligence Operations As Applied To Stated "Apostles Of Non-Violence," "New Left," "Advocates Of New Lifestyles"

Leonard Peltier

[1999] WAR AT HOME by Brian Glick

[1999] SECRETS  The CIA's War at Home By Angus Mackenzie

[1990] The COINTELPRO Papers: Documents from the FBI's Secret War Against Domestic Dissent by Ward Churchill and Jim Vander Wall.

[1988] Agents of Repression: The FBI's Secret Wars Against the Black Panther Party and the American Indian Movement by Ward Churchill, Jim Vander Wall 

FBI Secrets -- An Agent's Expose by M. Wesley Swearingen

A WRIT FOR MARTYRS by Eustace Mullins  The FBI’s illegal campaign to forever silence the message of dissident Eustace Mullins

COINTELPRO The Sabotage Of Legitimate Dissent

The FBI and its allies waged all-out war on AIM and the Native people. From 1973-76, they killed 69 residents of the tiny Pine Ridge reservation, a rate of political murder comparable to the first years of the Pinochet regime in Chile. To justify such a reign of terror and undercut public protest against it, the Bureau launched a complementary program of psychological warfare. [1999] WAR AT HOME by Brian Glick

Within months of taking office, Reagan pardoned W. Mark Felt and Edward S. Miller, the only FBI officials convicted of COINTELPRO crimes. His congressional allies publicly honored these criminals and praised their work. The President continually revived the tired old Red Scare, adding a new "terrorist" bogeyman, while Attorney General Meese campaigned to narrow the scope of the Bill of Rights and limit judicial review of the constitutionality of government action. [1999] WAR AT HOME by Brian Glick

"Black bag jobs" are burglaries performed in order to obtain the written materials, mailing lists, position papers, and internal documents of an organization or an individual. At least 10,000 American homes have been subjected to illegal breaking and entering by the FBI, without judicial warrants. COINTELPRO: The Untold American Story By Paul Wolf 

If I suspect someone is an undercover FBI agent, I just casually interject the fag thing into the conversation, then watch the reaction. For example, I attended an anti-Iraq War rally last September 24, 2005, and there were a bunch of guys screaming these terrible things about the United States Government in front of the White House. Basically, I agreed with a lot of what they were saying, but they spewed it with such venom, it was off-putting. So I decided to test one of them. I walked right up to this young guy and casually said, "You know, J. Edgar Hoover was faggot." He immediately avoided eye-contact. As he looked away, he timidly replied, "I had heard he was a cross-dresser, but I never knew he was homosexual." That was quite a passive response from someone who had just been shouting anti-government rhetoric. I thought to myself, "Bingo." John Lennon's murder - Discussion with Salvador Astucia

The flyer contained several bullet points like that. For example, one line read: "If you see someone with a bullhorn condemning the war and saying lots of sensible things, then tells you to join his group of Communists or Nazis, he's probably on the FBI's payroll." Another good one was "If you see someone making  a speech or handing out flyers containing extremely divisive issues that have nothing to do with the Iraq war, like gay marriage for example, he's probably on the FBI's payroll." The flyer was really pretty funny, I thought. But obviously the FBI people didn't agree. John Lennon's murder - Discussion with Salvador Astucia

Then on March 8, 1971, a group calling itself the Citizen's Commission to Investigate the FBI, broke into an FBI office in a small town called Media, Pennsylvania. They subjected the FBI to what the FBI has been habitually subjecting political dissidents to throughout the course of its history. That is, in Bureau parlance, a black bag job. The information they obtained was widely distributed through left and peace movement channels, and summarized the following week in the Washington Post. 
An analysis of the documents in this FBI office revealed that 1 percent were devoted to organized crime, mostly gambling; 30 percent were "manuals, routine forms, and similar procedural matter"; 40 percent were devoted to political surveillance and the like, including two cases involving right-wing groups, ten concerning immigrants, and over 200 on left or liberal groups. Another 14 percent of the documents concerned draft resistance and "leaving the military without government permission." The remainder - only 15% - concerned bank robberies, murder, rape, and interstate theft. COINTELPRO: The Untold American Story By Paul Wolf 

According to FBI memoranda of the 1960s, "Key black activists" were repeatedly arrested "on any excuse" until "they could no longer make bail." The FBI made use of informants, often quite violent and emotionally disturbed individuals, to present false testimony to the courts, to frame COINTELPRO targets for crimes they knew they did not commit. In some cases the charges were quite serious, including murder. COINTELPRO: The Untold American Story By Paul Wolf 

Many counterintelligence techniques involve the use of paid informants. Informants become agents provocateurs by raising controversial issues at meetings to take advantage of ideological divisions, by promoting enmity with other groups, or by inciting the group to violent acts, even to the point of providing them with weapons. Over the years, FBI provocateurs have repeatedly urged and initiated violent acts, including forceful disruptions of meetings and demonstrations, attacks on police, bombings, and so on, following an old strategy of Tsarist police director TC Zubatov: "We shall provoke you to acts of terror and then crush you." COINTELPRO: The Untold American Story By Paul Wolf 

A concise description of political warfare is given in a passage from a CIA paper entitled "Nerve War Against Individuals," referring to the overthrowing of the government of Guatemala in 1954: 
The strength of an enemy consists largely of the individuals who occupy key positions in the enemy organization, as leaders, speakers, writers, organizers, cabinet members, senior government officials, army commanders and staff officers, and so forth. Any effort to defeat the enemy must therefore concentrate to a great extent upon these key enemy individuals.
    If such an effort is made by means short of physical violence, we call it "psychological warfare." If it is focussed less upon convincing those individuals by logical reasoning, but primarily upon moving them in the desired direction by means of harassment, by frightening, confusing and misleading them, we speak of a "nerve war". 
    The COINTELPROs clearly met the above definition of "nerve wars," and, in the case of the American Indian Movement in Pine Ridge, South Dakota, the FBI conducted a full-fledged counterinsurgency war, complete with death squads, disappearances and assassinations, recalling Guatemala in more recent years.
    The full story of COINTELPRO may never be told. The Bureau's files were never seized by Congress or the courts or sent to the National Archives. Some have been destroyed. Many counterintelligence operations were never committed to writing as such, or involve open investigations, and ex-operatives are legally prohibited from talking about them. Most operations remain secret until long after the damage has been done. COINTELPRO: The Untold American Story By Paul Wolf 

Between 1968-1971, FBI-initiated terror and disruption resulted in the murder of Black Panthers Arthur Morris, Bobby Hutton, Steven Bartholomew, Robert Lawrence, Tommy Lewis, Welton Armstead, Frank Diggs, Alprentice Carter, John Huggins, Alex Rackley, John Savage, Sylvester Bell, Larry Roberson, Nathaniel Clark, Walter Touré Pope, Spurgeon Winters, Fred Hampton, Mark Clark, Sterling Jones, Eugene Anderson, Babatunde X Omarwali, Carl Hampton, Jonathan Jackson, Fred Bennett, Sandra Lane Pratt, Robert Webb, Samuel Napier, Harold Russell, and George Jackson. COINTELPRO: The Untold American Story By Paul Wolf 

The Chicago Special Agent in Charge, Marlin Johnson, who also oversaw the assassinations of Fred Hampton and Mark Clark, makes it quite obvious that he views the murder of Malcolm X as something of a model for "successful" counterintelligence operations. COINTELPRO: The Untold American Story By Paul Wolf 

During the 1960's, the FBI's role was not to protect civil rights workers, but rather, through the use of informants, the Bureau actively assisted the Ku Klux Klan in their campaign of racist murder and terror. 
    Church Committee hearings and internal FBI documents revealed that more than one quarter of all active Klan members during the period were FBI agents or informants.  However, Bureau intelligence "assets" were neither neutral observers nor objective investigators, but active participants in beatings, bombings and murders that claimed the lives of some 50 civil rights activists by 1964.
    Bureau spies were elected to top leadership posts in at least half of all Klan units.  Needless to say, the informants gained positions of organizational trust on the basis of promoting the Klan's fascist agenda. Incitement to violence and participation in terrorist acts would only confirm the infiltrator's loyalty and commitment. 
    Unlike slick Hollywood popularizations of the period, such as Alan Parker's film, "Mississippi Burning," the FBI was instrumental in building the Ku Klux Klan in the South. COINTELPRO: The Untold American Story By Paul Wolf 

Virtually every known AIM leader in the United States has been incarcerated in either state or federal prisons since (or even before) the organization's formal emergence in 1968, some repeatedly. After the 1973 siege of Wounded Knee the FBI caused 542 separate charges to be filed against those it identified as "key AIM leaders." This resulted in 15 convictions, all on such petty or contrived offenses as "interfering with a federal officer in the performance of his duty." Russell Means was faced with 37 felony and three misdemeanor charges, none of which held up in court. Organization members often languished in jail for months as the cumulative bail required to free them outstripped resource capabilities of AIM and supporting groups. COINTELPRO: The Untold American Story By Paul Wolf 

Most people, when they think of the FBI, have an image from movies like Mississippi Burning and characters like Clarice Sterling from Silence of the Lambs. The media image of the CIA and NSA is much more sinister, but most people think of the FBI purely as a crime fighting organization. 
    The FBI has been very successful at disrupting and destroying perfectly legitimate organizations involved in dissent  - They would like to project the image of crime fighters, but it is not really their principal role. 
......What they have been very successful at is disrupting and destroying perfectly legitimate organizations involved in dissent: civil right organizations, women's organizations, generally organizations on the left. So while they would like to project the image of crime fighters, it is not really the principal role of the FBI.  [Interview] Jim Vander Wall

In many ways, the stark unwillingness of the federal government to accord Leonard Peltier even a modicum of elementary justice is symbolic of the entire AIM experience during the 1970s and, more broadly posed, of the U.S. relationship to American Indians since the first moment of the republic. The message embedded, not only in Peltier's imprisonment, but in the scores of murders, hundreds of shootings and beatings, endless show trials and all the rest of the systematic terrorization marking the FBI's anti-AIM campaign on Pine Ridge, was that the Bureau could and would make it cost-prohibitive for Indians to seriously challenge the lot assigned them by policy-makers and economic planners in Washington, D.C. The internal colonization of Native America is intended to be absolute and unequivocal. 
In 1953, just prior to the passage of PL-280, Felix Cohen, one of the foremost scholars of Indian law compared the role of the Indians in America to that of the Jews in modern Germany. He noted that, "Like the miner's canary, the Indian marks the shift from fresh air to poison air in our political atmosphere ... our treatment of Indians, even more than our treatment of other minorities, reflects the rise and fall of our democratic faith." Given that all that happened on and around Pine Ridge occurred long after COINTELPRO allegedly became no more than a "regrettable historical anomaly," Cohen's insight holds particular significance for all Americans. In essence, if we may ascertain that COINTELPRO remained alive and well years after it was supposed to have died, we may assume it lives on today. And that, to be sure, is a danger to the lives and liberties of everyone. [1990] The COINTELPRO Papers: Documents from the FBI's Secret War Against Domestic Dissent by Ward Churchill and Jim Vander Wall.

COINTELPRO was an acronym that the FBI had for its counter intelligence programs. Now normal counter intelligence is something carried out by most intelligence organizations and it basically means looking for spies in your own organization or looking for spies in the populace as a whole. So counter intelligence in its normal parlance would mean activities designed to detect and combat espionage. Within the FBI, it was actually a code word for their programs to infiltrate and disrupt legitimate legal organizations engaged in activities that the government found objectionable.   It can range simply from sowing dissent within the organization to, at the other extreme, assassination of the leadership of the organization or the framing of key personnel in the organization on bogus criminal charges and supporting those with fabricated evidence to obtain convictions.  [Interview] Jim Vander Wall

Officially, it ended in 1973, but what apparently ended was the use of the term COINTELPRO, because the same sort of activities were conducted against the American Indian movement by the same personnel in the period from 1973 to 1977, for example.  [Interview] Jim Vander Wall

So that if you're talking about first oil in Oklahoma, and then low-sulfur coal and uranium in the West, those mineral deposits lay principally on the lands of indigenous people. This led to an outright war on the Pine Ridge Reservation with a group called the Goons, being sponsored by the FBI and the U.S. government and the American Indian movement and local organizations like the Independent Oglala Nation supporting native sovereignty and traditional ways of life. 
    During the period from 1973 to 1975, at least 60 people were killed by the Goon squads on the Pine Ridge Reservation, and I say at least because these are reported homicides. It is probably much larger than that because the agency to which you would report a homicide was the FBI, who were of course sponsoring the people committing the homicides. So a lot of assaults and murders went unreported. On June 25, 1975, the FBI went on to a property called the Jumping Bull Compound on Pine Ridge supposedly looking for Jimmy Eagle, who was a young Native American man, on charges of having stolen a pair of cowboy boots. 
    The real reason for them being there was that there was an AIM encampment there and when they encountered people from the encampment, a firefight ensued and the two FBI agents who went in - Ron Williams and Jack Coler were killed in the firefight, as well as AIM member, Joseph Stuntz. Leonard Peltier wound up being framed for those murders and when I say framed, I mean that the FBI coerced witnesses and fabricated evidence in order to obtain a conviction.
.....Peltier has now been down in federal prisons since 1976 on bogus charges and fabricated evidence.  [Interview] Jim Vander Wall

One of the other operations the FBI was into was people working for social justice in Central America in the 80s. I was working with a group who was helping mainly Salvadoran and Nicaraguan refugees find jobs in the Bay Area and I remember our offices being broken into with nothing being taken… Later, I found that seemed to be happening across the country with similar groups. 
    Basically what we had going on was the U.S. supporting a massive terrorist campaign against the people of El Salvador. And I mean terrorism in the very specific narrowly defined sense of the word. We're talking about tens of thousands of political murders, torture and so on. Rather than investigate the supporters of this terrorism in the U.S., the FBI of course investigated those people who opposed this terrorism and then tried to help the victims of it. They did this by infiltrating the organizations, attempting to indict people on immigration charges simply for helping political refugees from terror that was being sponsored by the United States.  [Interview] Jim Vander Wall

The FBI and its allies waged all-out war on AIM and the Native people. From 1973-76, they killed 69 residents of the tiny Pine Ridge reservation, a rate of political murder comparable to the first years of the Pinochet regime in Chile. To justify such a reign of terror and undercut public protest against it, the Bureau launched a complementary program of psychological warfare. [1999] WAR AT HOME by Brian Glick

Within months of taking office, Reagan pardoned W. Mark Felt and Edward S. Miller, the only FBI officials convicted of COINTELPRO crimes. His congressional allies publicly honored these criminals and praised their work. The President continually revived the tired old Red Scare, adding a new "terrorist" bogeyman, while Attorney General Meese campaigned to narrow the scope of the Bill of Rights and limit judicial review of the constitutionality of government action. [1999] WAR AT HOME by Brian Glick

Harassment, intimidation and violence: Eviction, job loss, break-ins, vandalism, grand jury subpoenas, false arrests, frame- ups, and physical violence were threatened, instigated or directly employed, in an effort to frighten activists and disrupt their movements. Government agents either concealed their involvement or fabricated a legal pretext. In the case of the Black and Native American movements, these assaults--including outright political assassinations--were so extensive and vicious that they amounted to terrorism on the part of the government. COINTELPRO Revisited - Spying & Disruption By Brian Glick


60-minute security makeover: Prevent your own 'epic hack'

Cross Posted: 

60-minute security makeover: Prevent your own 'epic hack'

How's this for a digital nightmare? Your Twitter account hijacked; racist and homophobic tweets posted in your name. Your Apple account breached; data wiped from your iPhone, iPad and Mac laptop. Your Gmail password reset by hackers and your Google account deleted.

That's what happened to Wired journalist Mat Honan recently. And while news coverage of his "epic hack" may be easing, you can bet there's an army of would-be imitators who, as you read this, are trying to duplicate that attack. 

Honan was somewhat careless (especially having no backups of his wiped data) but also very unlucky. However, now that word of the attack has been widely publicized, it would be wise to try to protect yourself from these now well-known vulnerabilities.

The good news? It won't take long. And while you can't expect to create an impenetrable defense in an hour, you can implement some strategies to harden your own accounts.

Issue: Using public email addresses for account access, password recovery

Threat: It's hard to believe that attackers only needed Honan's email address to kick off the process of hijacking his Twitter and Apple accounts. But the attackers did indeed start with only Honan's Gmail address and billing address (available in many public records) to leverage lax security policies at Amazon and Apple and access his accounts. 

Defense: Don't use a publicly known email address for your account login and password-reset contact info. Instead, use one or more separate addresses that you reserve only for this use and not for any other type of communication. This makes it harder for someone who knows your personal or business email address to use that information to gain access to other accounts.

Your ISP likely allows you to add additional email accounts. Alternatively, you can use an email service you trust to create a new account, or you can register your own domain and add a hard-to-guess email address (which you should not use as the contact address for that domain). 

Really security conscious? Set up multiple email addresses so you've got different ones per account, or have multiple addresses that forward to one private box. This way, even if one account is breached, it won't help anyone gain access to another by knowing the email address you use there. 

Bonus: People trolling for information about you will have less success overall.

Time: Setting up a new address at your ISP or domain: 3-5 minutes. Setting up multiple forwarders to that address: another 3-5 minutes. Changing login/contact/password reset email address: 1-2 minutes per account. Suggestion: It will probably feel less onerous if you change contact addresses the next time you log into each of your accounts, instead of sitting down to do them all at once.
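
The defense above can be checked against a list of your own accounts. The following is an added example, not part of the Computerworld article: it audits a constructed account inventory for login or password-reset addresses that are publicly known or shared between accounts, and proposes a hard-to-guess replacement address. The account names, addresses, the example.net domain and all function names are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

# Constructed inventory: account -> address used to log in and address
# that receives password-reset mail. All values are made up.
ACCOUNTS = {
    "twitter": {"login": "jane@example.com", "recovery": "jane@example.com"},
    "shop": {"login": "jane@example.com", "recovery": "jane@example.com"},
    "bank": {"login": "k7q2-bank@example.net", "recovery": "k7q2-bank@example.net"},
    "cloud": {"login": "x9f4-cloud@example.net", "recovery": "jane@example.com"},
}

# Addresses that appear on business cards, bylines, public profiles, etc.
PUBLIC_ADDRESSES = {"jane@example.com"}


def audit(accounts, public_addresses):
    """Return {account: [issues]} for accounts that use a publicly known
    address, or an address that another account also uses."""
    public = {a.lower() for a in public_addresses}

    # Map every address to the set of accounts that use it in any role.
    users = defaultdict(set)
    for name, acct in accounts.items():
        for role in ("login", "recovery"):
            users[acct[role].lower()].add(name)

    findings = {}
    for name in sorted(accounts):
        issues = []
        for role in ("login", "recovery"):
            addr = accounts[name][role].lower()
            if addr in public:
                issues.append(f"{role} address {addr} is publicly known")
            shared = sorted(users[addr] - {name})
            if shared:
                issues.append(f"{role} address {addr} is also used by: "
                              + ", ".join(shared))
        if issues:
            findings[name] = issues
    return findings


def exposure(accounts, address):
    """Accounts whose password-reset mail goes to `address`: the set an
    intruder could try to reset after learning or taking over that mailbox."""
    address = address.lower()
    return sorted(n for n, a in accounts.items()
                  if a["recovery"].lower() == address)


def suggest_alias(account, domain):
    """Propose a per-account address with a random, unguessable prefix.
    The mailbox or forwarder itself still has to be created at your
    ISP or domain host."""
    return f"{secrets.token_hex(6)}-{account}@{domain}"


if __name__ == "__main__":
    for account, issues in audit(ACCOUNTS, PUBLIC_ADDRESSES).items():
        print(account)
        for issue in issues:
            print("  -", issue)
        print("  suggested:", suggest_alias(account, "example.net"))
    print("reset mail to jane@example.com covers:",
          exposure(ACCOUNTS, "jane@example.com"))
```

In the constructed inventory only the bank account passes: its address is neither public nor used anywhere else, so learning the public address gives no foothold there.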


The paranoid's survival guide, part 3: Opting out, and how to protect your personal data offline


You have more control over your privacy than you think. While it's true that you can't control absolutely everything that's out there about you, with a little work you can exert more control than you might expect over what's gathered, its accuracy and how it may be used, say privacy experts.

Computerworld asked nine privacy professionals to share their best tips for minimizing your online and offline data footprint.

Part 1 of this series covered how to maintain your online privacy and surf the Web without leaving a data trail. Part 2 offered advice on how to approach social media, messaging and some general rules you should follow when using mobile apps. (For more tips, also see our "60-minute security makeover: Prevent your own epic hack.")

In this last installment we cover best practices to lower your offline data footprint, and where to go to opt out of everything from direct mail offers to online behavioral advertising.

Offline safety tips

Use cash or disposable credit cards

If you prefer keeping what you purchase to yourself, consider using cash for most transactions, including at restaurants, bars and retail stores. "When you use a credit card, your bank knows what you bought, and the merchant has a way to track you over time," says Justin Brookman, director of consumer privacy at the Center for Democracy and Technology.

"Using cash really does wonders to minimize how much your footprint is being automatically tracked," says Rob Shavell, co-founder and CEO at privacy software vendor Abine -- and you don't have to worry about having your card data stolen from a retailer's point of sale system.

Another option, especially for online purchases, is to use disposable credit card numbers, says Brookman. For example, Abine's MaskMe service provides a one-time use credit card number that hides your real number from the vendor -- which means it can't be added to a customer profile or stolen from their database.

On the other hand, Brookman advises, don't bother with those rechargeable cards from retailers. "If you use the same rechargeable card over time, you have some of the same problems as credit cards -- you can be tracked by unique number by the retailer over time," a privacy issue, and the number "could be compromised and used by identity thieves," which represents a security problem. "I'd use cash over a rechargeable gift card," he says.

Check your credit report annually

Monitor your credit report for any suspicious activity by ordering free credit reports at, and challenge incorrect data. You're entitled to a free report from Equifax, Experian and TransUnion every 12 months.

Consider a permanent security freeze

A permanent security freeze puts your credit report under your control: No one can access it to open up new credit accounts in your name without your permission. Businesses cannot access your credit report unless you unlock it, and identity thieves can't set up new credit accounts in your name unless they can present the credentials required to unlock it. Equifax, Experian and TransUnion are required by law to allow consumers to place a permanent security freeze on their credit reports.

There may be a charge to set up the service, depending on your state of residence, as well as a charge to temporarily unlock your credit report for an authorized lender. Pros: The option is much less expensive than credit monitoring services. Cons: The credit reporting agencies make the process for unlocking/locking your credit report cumbersome and, except in states where prohibited by law, they charge you a fee -- generally in the range of $10 -- every time you make a lock or unlock request.

Know your options for opting out

Direct mail and email offers

Visit the Direct Marketing Association's DMAchoice website to opt out of mail and email direct marketing from the DMA's approximately 3,600 member organizations. You must individually choose to opt out of four distinct categories of direct mail: Catalogs, magazine offers, credit offers and other mail offers. There's no global opt-out option.

You're asked to fill out a form with your personal information, including your social security number and date of birth. Unfortunately, the opt-out choice is only good for five years when you sign up online. To opt out permanently, you must mail in your request.

Telephone solicitors

Use the Federal Trade Commission's Do Not Call Registry to opt out of receiving telemarketer calls and report violators. There are loopholes for politicians and nonprofits, and some offshore operators continue to flout the law. But your volume of unwanted solicitation calls should go down.


Online behavioral advertising

The Digital Advertising Alliance's Ad Choices site and Network Advertising Initiative's Consumer Opt Out page both describe how interest-based advertising works and let you choose to opt out of behavioral online advertising and the online tracking associated with it. Go through the opt-out process on either site and your request will be honored by 118 ad agencies, ad networks and other DAA members.

When you visit these pages you'll see which DAA members are currently tracking you. From there you can selectively opt out, or click a button to opt out of interest-based advertising from all DAA members. When you opt out you will still see advertisements on the websites you visit, but you will no longer receive advertisements based on what the ad networks know about your Web activity -- and your activity online will no longer be tracked.

"The DAA Principles prohibit the collection of browsing behavior once a consumer has opted out, unless the entity requires that information for one of the DAA's limited exceptions, such as fraud prevention or ad reporting," says Mike Zaneis, senior vice president and general counsel with the Interactive Advertising Bureau, a trade group that represents publishers and ad sellers.

Offline privacy

There are some limitations to the process, however. During the opt-out process, the site places a cookie in your browser to maintain your preferences, and it prompts you to download a browser extension that will maintain your preferences even if you clear out the cookies in your browser. "We have made the easiest consumer experience possible given the current state of technology," Zaneis says. But because your preferences are tied to your browser, you'll need to go through the opt-out process for every browser on every computer you use.

And don't forget to set a calendar reminder when you're done: Your choice must be renewed every five years.

Alternately, you can achieve similar results by configuring your browser to block third-party cookies. Using an anti-tracking browser add-on has a similar effect. The difference is that you'll still receive non-targeted ads if you block third-party cookies, but you'll get nothing at all if you block tracking, since communication with the third-party ad networks is disrupted. (While you may not like them, those ads do pay for the free apps and content that Web publishers offer you.)

Online public records databases

Aggregators such as Intellius pull information from telephone directories, sex offender registries, court records, real estate transactions and other public data, combine it into a profile, and make the information about you available online -- both free, for people searches, and fee-based, for background checks. The data comes from many different sources, and it's not always combined correctly, which can lead to the dissemination of erroneous information about you -- particularly if you have a common name.

Some services, such as, let you claim your identity and update it online if you register with them. But you can also opt out of having your information listed. Security vendor Abine provides a list of opt-out pages for the most popular data-aggregation services, including Intellius.

Use a service to monitor what's out there about you -- and remove it

It's time consuming to go to every data broker and opt out of having them list or share your name, address, telephone number and other personal information. Alternately, consider using a third-party service such as SafeShepherd, Reputation Defender or DeleteMe to monitor public databases and do the work for you. These fee- or subscription-based services ask to have your information removed, but then continue to watch to make sure your information doesn't pop up again as the data brokers continuously pull in new information.

It's not just about opting out, however, but also pushing down negative information in search-engine rankings by careful editing of your Facebook and LinkedIn profiles. "You have a right to determine what is out there about you," says Jules Polonetsky, executive director of the Future of Privacy Forum. "Shaping who you are and being seen on your terms, that's brand management for today's world."