This is the time of cyber-stalking. Right now, as you stare at your device with cameras enabled and network ports open, with speakers powered and WiFi on, as handheld devices crisscross a mesh of public networks with interfaces readied to connect, and the use of routers sharing bandwidth between Ethernet and wireless interfaces proliferates, this is the moment of stalking and lurking, this is the time of cyber-crime.
The conditions that make this moment perfect for cyber-crime are not limited to the proliferation of devices populating the Internet of Things (IoT) or the near-global access to the Internet. Those conditions are human, both in the individual and the institutional sense.
The human tendency to disparage concerns that are neither personal nor immediate is an immense factor in the fact of cyber-crime. We have lost sight of privacy, the experience of an individual, interior world so significant that is considered a human right. Each day we carry our active personal devices through the public square, with each time we bring our personal devices of communication onto the networks of public and private corporations, we sacrifice privacy—our own, others’, and that of the corporate entity—to convenience and trend.
Another pivotal condition in this, the time of Internet predators, black hat hackers and cyber-stalkers, is the failure of law enforcement and jurisprudence to respond to the new threats of the virtual world. This is a crucial issue in the fact that the real estate mobbers using technology and cyber-crime in a balls-out attempt to turn my rental home in northeast Seattle over for speculation have not been arrested in the more than two-and-a-half years for which I have endured intense criminal harassment.
President Obama spoke critically of a “cybersecurity arms race” at the recent G-20 Summit (http://www.npr.org/2016/09/05/492690109/special-coverage-analysis-of-u-s-china-relations-and-the-g-20-summit). In February as a component of his Cybersecurity National Action Plan (CNAP), the Obama appointed his former national security advisor to chair a bipartisan Commission on Enhancing National Cyber-Security. The goals of CNAP include increasing awareness of cybersecurity and empowering Americans “to take better control of their digital security” (https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan). But mediating between competing interests, both individual and institutional, is never easy. As Fred Kaplan of Slate pointed out, cyber policy is highly politicized: “The contest of security vs. privacy, the public good vs. corporate profits, interagency power struggles, budget fights, and the simple matter of setting priorities in a 24-hour day—all enter into and complicate issues that might seem clear-cut at first glance.” (http://www.slate.com/articles/technology/future_tense/2016/02/president_obama_s_cybersecurity_plan_is_ambitious_but_flawed.html)
On a personal level, to me, the victim of a Seattle neighborhood watch gone rogue and its shady developer friends, the counter-positioning of security vs. privacy is relevant. As a native of the San Francisco Bay Area who grew up in the foment of the 1970s amid civil rights movements for blacks, women, gays, the disabled and more, as well as in the troubling years of the end of the Vietnam War and Nixon’s impeachment, civil rights and liberties are core beliefs for me. At the same time that those beliefs are key in why I refuse to be illegally harassed out of my home by criminal speculators, to the best of my knowledge, I have had virtually no privacy for more than two-and-one-half years now.
As a victim of mobbing, my world is marked with themes of great contrast and great ambiguity. I have had to enter into the world of surveillance in ways I avoided in the past, using security cameras while criminals monitor me in an attempt to flush me out of my home. I had to consent to a drug test to get a contract position that would allow me to survive financially while I simultaneously fight a situation of extreme invasion of privacy, one in which countless defamations and insinuations have been made that I am a criminal or at least of a criminal nature. As of late, I am even considering taking a lie detector test—something that as a would-be card-carrying member of the ACLU, troubles me philosophically. Yet I will do this, if I must, to document how the harassment occurs in manner that the police recognize, in hopes that it might give me a better chance of having investigators take my claims seriously. Finally, there is the fact that I act on my beliefs, despite the criminal situation that has overtaken me, by blogging to get attention. I seek attention in order to see these criminals arrested and prosecuted, and yet the attention I seek will fall upon a crime engineered to stop victims from reporting lest they expose their own humiliation. In other words, I seek attention to expose a crime that is humiliating. But this is the kind of crime that must be stopped. Victims of crime have a moral obligation, to the extent they are able to act on it, to prevent the crime that has befallen them from victimizing others. If you have it within you to resist, give’em hell.
The civil rights and liberties I hold dear are why I believe with every fiber of my being, that the crime that is being done to me is wrong and must be prosecuted. But it’s also true that the same civil laws that I believe in have protected those who continue to aggress upon me, those who engage in the organized racket of real estate mobbing, a clandestine and sneaky crime that uses novel methods and technologies to evade police detection while committing acts that ultimately fall into the realm of torture and domestic terror.
In the current context, all the parameters—from the novel tools and clandestine methods to the lack of familiarity and poor response of police and other investigative authorities—point to the same result. The victim is discouraged from reporting and local police, who look for believable signifiers of crime like crooks, stolen goods and “probable cause,” do not render aid. In a criminal real estate mobbing like the one I’ve survived for more than two-and-a-half years, it’s not surprising that victims are probably quickly frightened into fleeing the situation or simply give up.
Network security comes first to the private sector. The evolution spans employee tracking, firewalls and network restrictions, cautionary messages about social engineering and email alerts on active threats. Over the years I’ve worked in tech—most of those for Microsoft Corporation—onsite workers were educated about the dangers of strange packages in the form of email and its attachments, about bad actors represented by rogue applications and about espionage by social engineering. In the same way that freedom is said not to come without cost, security does not come without the inhibition of functionality. Popup warnings and administrative prohibitions put increasing controls on the functionality available to unsophisticated Internet users. But even the employees of tech firms are slow to adopt security measures; human factors alone weigh against perpetual vigilance and more than one tech firm has attempted to secure the corporate domain by using the propaganda posters of World War II to remind employees of how socially engineered “loose lips” can sink even corporate ships.
Companies tend to be more mindful of corporate espionage but even at network security companies it is onerous to use Ethernet and personal devices brought in from home are allowed to join the network without attempt to manage this use within the business domain. At some events at some companies, I have read, attendees at secret meetings must shut off and drop their phones at the door, but the human trait of laziness always mediates against security, whether it means using wireless instead of Ethernet or refusing to regulate the access of personal devices to the corporate network.
Security comes first to the corporate world and then trickles down to consumers. Network security is another technology subject to the trickle-down theory. I would have gotten in line for the iTUS iGuardian device, having heard about it shortly after the mobbing began in spring of 2014. iTUS Guardian was an intrusion protection system (IPS) intended to give home users enterprise-level security. It was a “promising” device that, according to founder Daniel Ayoub, was left in limbo when crowdsourcing didn’t provide an avenue for revised cost projections during funding (PC Magazine, http://www.pcmag.com/article2/0,2817,2497497,00.asp). The Finnish company F-Secure will soon release another promising device to monitor the Internet of Things (IoT) in your home: F-Secure Sense, an IPS built around the Sense router (https://sense.f-secure.com/). Sense promises protection for mobile and IoT devices, without sacrificing fast Wi-Fi on the home front. The Sense router is intended to extend protection to devices that were designed without planning for security and that do not run security applications (ZDNet, http://www.zdnet.com/article/how-f-secure-wants-sense-to-act-as-iot-watchdog-for-all-your-connected-devices/).
As the victim of a real estate mobbing that relies on sneaky intrusions and uses mobile and IoT devices for entertainment and communications as a platform for harassment, I will get in line for F-Secure Sense. Unfortunately, advance purchase is the sole option presently available to U.S. customers. I was able to enter an F-Secure beta program for fs protection for the Mac, but that doesn’t keep the mobbers off my router. All I have to do is turn the volume up on IM, any browser application, or the Century Link set-top box, and the mobbing babble begins.
There’s no guarantee that a router-based IPS will keep them off, however. For example, if the Citizen’s Band radio-plus-linear-antenna recipe for putting sound on the speakers next door works for digital TV, but it seems unlikely that recipe could deliver the kind of consistency the mobbers achieve. It also might not help if instead of accessing the set-top box, the mobbers inject the harassment into the broadcast stream or use set-top box applications to download harassing content. I have tended to believe they come in on the set-top box and use alternate sound, maybe an HDMI interface, or can get easy entry through the browser applications installed on the box by the television provider.
Whatever the complexities, if the F-Secure product makes it to the American market at the year’s end, I’ll happily purchase it with a subscription if there’s half-a-chance it’ll keep the mobbers out of my music and TV. I’d still have to contend with the speaker and ventilation harassment directly on my windows at home, but at least I might be able to turn up my television without turning up the harassment. If IPS devices and a more secure network infrastructure for consumers keeps the mobbers out of the WiFi or makes it easier to trace and catch them, then mobbing someone as I have been mobbed, every moment of every day and on every device with the goal being the eradication of individual privacy (see All Your Device R Belong to Us) will hopefully become a thing of the past.
This topic turns out to be more timely than I had imagined in light of the October 21 global distributed denial of service (DDoS) attack that mounted an attack against DNS provider Dyn on unprotected IoT (International Business Times, http://www.ibtimes.co.uk/massive-ddos-attack-that-almost-brought-down-us-internet-how-it-happened-why-1587696). The attack employed the Mirai malware to search for an infect IoT devices using weak security, for example, default or hardcoded usernames and passwords.
In Japanese, Mirai (未来), a given name, means “the future,” which reminds me of Mark Goodman’s Future Crimes: Inside the Digital Underground and the Battle for Our Connected World (2015) which maps our own uncertain future over a topology of undefended IoT devices. Perhaps Mirai is our future.
Bots can be made of CCTV cameras and DVRs as well as other IoT devices. According to Hackaday, “Most of these devices run firmware out of flash, and it’s up to the end user (who is not a sysadmin) to keep it up to date or face the wrath of hackers. And it’s certainly the case that as more Internet-facing devices get deployed, the hackers’ attack surface will grow.” (“Extra-large Denial of Service Attack Uses DVRs, Webcams,” http://hackaday.com/2016/09/26/extra-large-denial-of-service-attack-uses-dvrs-webcams/)
Practically speaking, it may be “up to the user” to update the firmware in these devices, but that may not be a reasonable expectation. I listened in on the kick-off of an F-Secure MOOC (massive open online class) on security where one of the speakers flatly stated that security should be designed into the device. Another speaker stepped in to offer a more politic (corporate) opinion restoring responsibility to the consumer, but the point was easily made by an acquaintance of mine in tech:
The whole idea that security should primarily be a user problem is just so misguided. I mean, we trust car drivers to not drive into schools, but we also have crash tests and a lot of standards the cars have to meet such that they don’t (often) explode or catch fire or kill their occupants in every crash. Car manufacturers sure didn’t do that on their own; government intervention was required, and IT should be no different.
It is unreasonable to expect a consumer to have the expertise necessary to ensure the safe use of complex machines, let alone to understand the constantly changing technologies that quickly advance beyond experts in the field. It is unreasonable to expect a customer to understand the complexities of hardware, software and the interactions with these tools by good and bad actors, that make for the continual discovery and exploitation of new vulnerabilities.
Before we can even address the problem of network breaches at the hands of foreign agents, security must first be a guiding principle in the design, implementation and deployment of our network infrastructure, the infrastructure that companies like Comcast and CenturyLink provision to consumers in the United States. Second, security must be built into hardware and software, and into the devices that swing open the gates and portals to the connected world. In a world where black hats penetrate the Windows Update process to gift Microsoft customers with malware downloaded along with security updates, in a world in which software is naively designed to store passwords in memory for the Mimikatz post-exploitation tool to capture and exfiltrate to bad actors continents away, there is much to be done before we can blame customers for the intrusions into the security of their data and the attacks on their physical safety within their own homes. Software and hardware manufacturers and network infrastructure providers are the first, second and third lines of defense. Only after we reasonably secure these lines can we set a place for consumers at the table of responsibility for a poorly secured ecosystem of mobile and IoT devices. What good is it to lecture consumers about changing passwords when they’re stored in plain text, easily retrievable from memory, hard-coded or burned into the firmware? Devices should be smart so that users don’t have to be.
As corporations step up their game, hacking crimes refocus on the unprotected networks of consumers. And in the world of the Internet of Things, these already poorly secured networks are populated by unsecured device after device. There is an increasingly strong relationship between IoT devices and crime. In real estate mobbing, your privacy is held for a ransom that is your home.
The naivety of hardware that is not secure by its very design, is echoed in our failure to acknowledge our vulnerability to cyber-crime. Even when our personal information is stolen off the unsecured hard drive of some company we’ve done business with (Information wants to be free!), no one expects to wind up with a personal stalker or to be individually sought out and victimized by a criminal, either in the virtual or the material world. The same “How could this happen to me?” naivety that hampers the effective response of a crime victim is reflected in the complete unpreparedness of the police and the justice system to protect us, to respond, or even to recognize in the material world victimizations that occur in or are enabled by the virtual world. It is as though we have psychologically firewalled the real from the virtual world in which the I who is attacked is not me but my avatar, my online representation. This is the “unreality” of cybercrime. The time is now for virtual crimes against consumers who may not recognize that a crime is occurring and whose reports to police may be treated with skepticism and disregard.
I remember early on in the mobbing when I was attempting to figure out the connection between the surveillance methods of detectives and hacking, coming upon the website of a California private investigator and seeing that “root kit,” in other words, Internet “bot” or a “back door,” was a service you could hire. Mobbing as performed by the tenant relocators “mobbing” me in northeast Seattle is the culmination of this convergence between the methods of private investigators and cyber-stalkers and may well represent the deprecation of old methods of surveillance with new technologies. The “surveillance drone” is the culmination of these advances and will be the focus of the last topic and entry in this blog, “Gods of technology, or I think I can fly.”
This is the time when the Internet of Things (IoT) puts all your information online. This is the time of ransomware distributed through the Software as a Service (SaaS) business model, of Internet arsonists starting fires in wired printers, of pederasts spying on baby through the nanny cam. This is the time of cyber-stalkers.
Living in the world of the Internet of Things, we fail to comprehend the significance of network security. Consumer providers of network and Internet have provisioned us with an insecure infrastructure of shared lines and hot spots with devices supporting the convergence between Internet and TV on the same wireless interfaces. In our daily lives, we move over mesh topologies of open wireless networks with WiFi enabled on our devices even as flight is democratized by the radio- and network-enabled drones of tricksters, profiteers, hackers and criminals. We disparage privacy, ours and others, as we leave smart phones on in public locker rooms. We have come to value convenience over privacy, a concept so fundamental to being that it is considered a human right. Why is this? Perhaps because, if you have not been cyber-stalked or cyber-harassed, you can’t conceive of the possibility. Maybe because you, like the me I used to be, figured that no one cared, and if they were so bored with themselves that they had nothing better to do than to worry about others, so much the worse for them. But it’s not so simple. In a world where information is power, some people want your information to have power over you. And even those of us who could care less about whether someone is curious about whether you’re sleeping with the person you’re with, might care about whether the motive behind the nosiness or even the privacy invasion is not just idle gossip.
Perhaps you’re luckier than me. Maybe you’re the guy seated near me who stares quizzically at his cell phone when one of my mobbers crows, We’re harassing the village idiot. It’s like that thing that used to happen to me as a white gaijin (foreigner) in Japan, when I would speak to someone in Japanese and they would be so unprepared for it that they couldn’t hear what I was saying. Except the strange land turns out to be on the speaker of your cell phone, and you’re not in the middle of taking a call. A look of puzzlement crosses your face, and I wonder if this will be the day I find a witness in the face of a stranger. But then you shrug it off, your expression changes, and your fingers begin to move once more.
Stay tuned. Now that we’ve taken a look at the setup and the patsy, we’ll finish this off with the con. And then it’s on to indirection, omniscience, and that god of technology: The drone.