Welcome to ECCIE - Sign up today!

charlestudor2005 · 04-21-2010, 08:31 AM

I pulled these posts from another thread since IMHO it veered of the topic a little bit, and because I think it deserves its own thread.

Now, I will say this topic is way above my head. LOL. But I am interested in whether the tech savvy members of this Board can develop guidelines here that can be followed by us numbnuts. For instance, Laurentius talks about a Linux thumb drive, but doesn't say what size or whether or not it is compatible with PCs/Macs. I have a Mac, but I would guess most everyone out there is operating off PCs. And he talks about GnuPG, but not PGP, which is also free, but I don't know enough to know whether one is better than the other or whether one runs off more platforms.

As far as the online organizer that Emily mentions, I would be extremely skeptical about anything, and I mean anything, online. We know that LE lurks here, but I would be scared of having my ID and Phone # on an online datebook. IMHO, too easily hacked.

So I guess the questions would be:

What systems seem to be most secure (calendars, datebooks, any kind of records)? (I know one lady who keeps her list by phone number in her cell. If she's seen you, she'll answer the call. If not, she won't answer and you have to go thru her alternate screening [Not very secure IMHO.]. What other systems are out there that are secure?)
What kind of setup can be run on multiple platforms?
Which setups are the least expensive?
Can instructions be given in a non-tech manner so we can understand it?
To which sites should pointers be given for tech advice (forums, users, etc.)?
Anything else?

Quote:

Originally Posted by Laurentius

HOWEVER -- I agree with criticisms of provider data security. I have yet to encounter a provider who used high quality Public Key Cryptography for exchanging personally identifiable information in CLEAR TEXT over email. When you consider that the terms of service of most email providers allow their employees to read your email without notice (yes, read the TOS), the security holes are so big you can drive a truck through them.

I have no doubt that there are SOME providers out there who boot their computers from a Security Enhanced Linux thumb drive from whence they mount a secured and encrypted partition; use tunneling to connect to a proxy whence they surf and use encryption technologies cleared for Top Secret data when they exchange email with clients. And they do it all from within a Faraday shield so their monitor emanations can't be read remotely.

But I've never encountered one. I've encountered ladies with SOME level of security (e.g. an encrypted drive which is at least a start); but none who protected email while in transit across untrusted networks.

So I agree that, because the business is arguably illegal; if they are going to ask for personally identifiable data they have a responsibility to safeguard it. After all, the first thing LE grabs when they bust in is the computer -- and there is a reason for that.

With power (to require personally identifiable information) comes responsibility (to safeguard it).

I support both perspectives. I'm happy to give any provider I would choose to see the information she requires -- assuming I have it. But in exchange for my happy cooperation, I think I can reasonably expect a higher degree of data security.

Quote:

Originally Posted by EroticEmily

Hmmm...that was an informative post and I DO care very much about the continued safety and freedom of myself and my clients. I'd be interested to know how much money it would cost to implement such a secure system and if gentlemen would be willing to accept an increase in a provider's rate (if so how much is fair?)if he knew for certain that she was a subscriber to or user of a security system that was that detailed?

Please feel free to reply guys!

Quote:

Originally Posted by EroticEmily

Also, has anyone tried the data secured appointment scheduling online organizer that is advertised on P411 and what were your thoughts on it? I'm not sure if I'm allowed to post a link to the page but It is VERY cheap(like 40 bucks per year) and I've been thinking of using it when I start taking appointments again.

Quote:

Originally Posted by CaseyTaylor

It would be interesting to know if it passes muster with those more expert than myself...any volunteers?

Casey

Quote:

Originally Posted by Laurentius

Actually, ALL of the tools and methods that I mentioned are *free* or nearly so; with the exception of a subscription to a proxy service, which runs about $15/month.

Do a search for thumb drive linux on google. You'll find instructions for making a Knoppix thumb drive with a separate encrypted partition. (Make sure to use the "persistent" option.) Cost? Software is free. There is only the $20 cost (or less) of the thumb drive.

Do a search for GnuPG and read up on how to install it on that thumb drive OS and integrate it with your email client. Cost? Free.

All of the encrypted tunneling software is included for free with the OS. To learn how to set it up, cotse.net (a proxy service that allows encrypted tunneling) is a good start.

I was joking about the faraday cage; but you can make one from aluminum foil if you wish.

So your total startup cost is $20 plus $10-$15/month for an encrypted proxy.

If you don't want to do the setup yourself; search for your nearest Linux User's Group and find a geek willing to do the setup for you. You should be able to get it done for a one-time fee well under $400.

Assuming you only do 50 appointments a year, and you have someone else do the setup for you, this would come out to a $12 increase per session.

Yes, I will happily pay the $12. :-)

npita · 04-21-2010, 10:41 AM

First of all, if you don't know what you are doing, you are setting yourself up to be bitten by a false sense of security. Second, you should never rely on someone else to protect you. Using something like pgp is overkill, especially since the most likely case of getting in legal trouble from an email would be if a provider (or client) was cooperating with LE.

The best thing to do (for both providers and clients) is

(1) Use common sense. Why protect yourself from the cia with pgp when the cia doesn't care and local le is not going to get a wiretap for a misdemeanor? In the unlikely case that your email is ever used against you, it will be because the person you wanted to decrypt it got arrested and is cooperating with le.

(2) Don't send email from work. I repeat, do not send email from work. Doing that is just stupid unless you own the company and even then, it's not very smart;

(3) Don't give out personal identifying information;

(4) Park where you can't be seen walking to and from your car and destination from a single location. That lowers your chances of being identified via your tags.

(5) Don't discuss services and money in the same email/phone call/whatever. Better yet, never discuss services. You aren't doing anything that is illegal until you offer/accept an offer of sex for money. (Money in this context means anything of value). If you haven't done anything illegal, you have a lot lower odds of being arrested.

(6) Use a hobby phone that was activated anonymously. A tracfone from wally world is cheap.

I'm sure there are more common sense things that require nothing more than paying attention, but the above was what immediately came to mind.

Buonas · 04-21-2010, 11:54 AM

Quote:

Originally Posted by npita

...The best thing to do (for both providers and clients) is...(3) Don't give out personal identifying information...

But that is exactly one piece of information in the screening process. was my point in my little vendetta regarding this isse.

but the OP's intention is more a discussion on computer security i assume.

generally, i recommend NOT to lurk or exchange information at your place of work - even using a thumb drive and or portable apps, as they do leave some traces.

e.g. booting your computer with a thumb drive will usually give it another name within the network or it will drop out of the network. a good example is a typical windows machine in a classical windows domain.
then you boot the machine with a linux thumb drive. as a result, your machine will be logically outside the domain network. this is visible because the mac-adress still is present in a topology monitor. mac-adress (network adapter address) -> windows client id from inventory -> john doe.

the thumbdrive will be visible in the windows registry in the hklm hive under the p&p enumerator data.

most applications even of portable drives use the temp directory either %userprofile%...temp or %system%...temp.
often the data remains in that directory and even after deletion some metadata can be recovered (typically file names from ntfs directory information). cookies are allocated to host names in the browser cache. this leaves the clues again.

my recommendation is to use a browser capable phone, smartphone or ultra portable or machines like ipad that run off the public g3 or g4 network.

data storage online:

use a service that provides basic virtual disk services (e.g. skydrive from microsoft). keep 'critical information' either only in your brain or store it encrypted on said virtual online drive. do not share the encryption key.

always set up e-mail service for your hobby in another country than your residence. set up a second e-mail account on a different service and have that one fetch all e-mail from the first one periodically, including removal from first account. only read e-mail from the second account. and delete it.

during setup of the accounts, go through a proxy server.

DO NOT use calendar/appointment/contact features of social networks. the TOS change very often and during such change, the privacy settings are often reset to public or absolute private is removed as an option.

social neworks have a tendency to 'lose' data....accidentally intentionally.

charlestudor2005 · 04-21-2010, 12:08 PM

Good info, Buonas. Most never occurred to me.

atlcomedy · 04-21-2010, 03:15 PM

Quote:

Originally Posted by npita

First of all, if you don't know what you are doing, you are setting yourself up to be bitten by a false sense of security. Second, you should never rely on someone else to protect you. Using something like pgp is overkill, especially since the most likely case of getting in legal trouble from an email would be if a provider (or client) was cooperating with LE.

The best thing to do (for both providers and clients) is

(1) Use common sense. Why protect yourself from the cia with pgp when the cia doesn't care and local le is not going to get a wiretap for a misdemeanor? In the unlikely case that your email is ever used against you, it will be because the person you wanted to decrypt it got arrested and is cooperating with le.

(2) Don't send email from work. I repeat, do not send email from work. Doing that is just stupid unless you own the company and even then, it's not very smart;

(3) Don't give out personal identifying information;

(4) Park where you can't be seen walking to and from your car and destination from a single location. That lowers your chances of being identified via your tags.

(5) Don't discuss services and money in the same email/phone call/whatever. Better yet, never discuss services. You aren't doing anything that is illegal until you offer/accept an offer of sex for money. (Money in this context means anything of value). If you haven't done anything illegal, you have a lot lower odds of being arrested.

(6) Use a hobby phone that was activated anonymously. A tracfone from wally world is cheap.

I'm sure there are more common sense things that require nothing more than paying attention, but the above was what immediately came to mind.

Particularly argree with the initial comment about not trusting any system you don't understand. In another thread someone suggested paying some computer geek a couple hundred bucks to set you up. I'm not sure I agree with that.

For most hobbyists, common sense coupled with following the "seperation of church and state" principle should be enough. That is hobby phone, hobby email, no shared computers, no assets of your employer at all, etc.

If you have a reason to believe someone may be investing resources in proactively going after you (wife, work [because they want a reason to fire you], LE, enemies), you may want to up your game a little, or reconsider your participation.

Buonas · 04-21-2010, 06:41 PM

Quote:

Originally Posted by charlestudor2005

Good info, Buonas. Most never occurred to me.

I started my comment more technical, but then read your post again, which asks for info that people without an educational background in computer sciences can understand and foremost - use.

if you all want to, i can elaborate more on security matters. eg why none of the browsers - regardless of flamewars one might have read - are safe.
or how ip-traffic gets captured.

why any service like p411 - or payment services for that matter - are dangerous.
how cross correllating works - one of the techniques used to identify individuals from 'made anonymous' data as they euphemistically say in many TOS.
why i do not do online banking.

etc.

your call.

charlestudor2005 · 04-22-2010, 09:43 AM

Quote:

Originally Posted by Buonas

I started my comment more technical, but then read your post again, which asks for info that people without an educational background in computer sciences can understand and foremost - use.

if you all want to, i can elaborate more on security matters. eg why none of the browsers - regardless of flamewars one might have read - are safe.
or how ip-traffic gets captured.

why any service like p411 - or payment services for that matter - are dangerous.
how cross correllating works - one of the techniques used to identify individuals from 'made anonymous' data as they euphemistically say in many TOS.
why i do not do online banking.

etc.

your call.

Elaboration is good. However, this thread was intended for the non-geek of us. I would suggest you start one on this topic for the geeks and geek-minded. It is above my head, but I think you guys/gals might get something out of a thread like that. Just my .02.

Those of us interested can lurk, and if necessary, ask questions in that thread.