Kindle Notes & Highlights
In fact, privacy is recognized as a fundamental human right in the 1948 United Nations Universal Declaration of Human Rights.
In other words, we will use password managers as a back door to get the keys to the kingdom.
First, strong passphrases, not passwords, should be long—at least twenty to twenty-five characters. Random characters—ek5iogh#skf&skd—work best. Unfortunately the human mind has trouble remembering random sequences. So use a password manager. Using a password manager is far better than choosing your own. I prefer open-source password managers like Password Safe and KeePass that only store data locally on your computer.
It is the password hashes, not the passwords themselves, that are stored in the protected memory of our computers and can be obtained from a compromise of targeted systems or leaked in data breaches.
The more red herrings you provide, the more you become invisible online.
When attempting to authenticate a user, sites or applications look for at least two of three things. Typically these are something you have, something you know, and something you are.
Symmetrical encryption means that the same key is used both to lock and unlock the encrypted message. Symmetrical keys are hard to share, however, when two parties are unknown to each other or physically far apart, as they are on the Internet.
Sometimes in order to become invisible you have to use the visible.
Both the strength of the mathematical operation and the length of the encryption key determine how easy it is for someone without a key to crack your code.
What is e-mail metadata? It is the information in the To and From fields as well as the IP addresses of the various servers that handle the e-mail from origin to recipient. It also includes the subject line, which can sometimes be very revealing as to the encrypted contents of the message. Metadata, a legacy from the early days of the Internet, is still included on every e-mail sent and received, but modern e-mail readers hide this information from display. PGP, no matter what “flavor” you use, does not encrypt the metadata—the To and From fields, the subject line, and the time-stamp
Social engineering is a hacking technique that uses manipulation, deception, and influence to get a human target to comply with a request.
One way to mask your IP address is to use the onion router (Tor), which is what Snowden and Poitras did.
A very basic rule is that you have to keep your anonymous accounts completely separate from anything that could relate back to your true identity. To be invisible you will need to start with a clean slate for each new secure contact you make. Legacy e-mail accounts might be connected in various ways to other parts of your life—friends, hobbies, work. To communicate in secrecy, you will need to create new e-mail accounts using Tor so that the IP address setting up the account is not associated with your real identity in any way.
In security, you are only as secure as the weakest link.
In addition to using end-to-end encryption, Signal also uses perfect forward secrecy (PFS). What is PFS? It’s a system that uses a slightly different encryption key for every call, so that even if someone does manage to get hold of your encrypted phone call and the key that was used to encrypt it, your other calls will remain secure. All PFS keys are based on a single original key, but the important thing is that if someone compromises one key, it doesn’t mean your potential adversary has access to your further communications.
In the United States, law enforcement is not permitted to open a physically sealed letter without the recipient’s permission. The expectation of privacy is a legal test. It is used to determine whether the privacy protections within the Fourth Amendment to the United States Constitution apply.
In general, open-source and nonprofit organizations provide perhaps the most secure software and services because there are literally thousands of eyes poring over the code and flagging anything that looks suspicious or vulnerable. When you use proprietary software, you more or less have to take the vendor’s word.
As the Electronic Frontier Foundation has said, “no logs are good logs.”
Those that provide encryption from end to end—meaning that the communication can’t be read by third parties because the keys are stored on the individual devices.
When you’re on the app store or Google Play, look for apps that use something called off-the-record messaging, or OTR. It is a higher-standard end-to-end encryption protocol used for text messages, and it can be found in a number of products. Your ideal text message app should also include perfect forward secrecy (PFS). Remember that this employs a randomly generated session key that is designed to be resilient in the future. That means if one key is compromised, it can’t be used to read your future text messages.
It also provides something called certificate pinning. That means it includes a proof-of-identity certificate, which is stored on the device. Upon each contact with the servers at ChatSecure, the certificate within the app on your device is compared with the certificate at the mother ship. If the stored certificate does not match, the session does not continue.
There are also commercial apps that provide end-to-end encryption. The only caveat is that their software is proprietary, and without independent review their security and integrity cannot be confirmed.
Unsure whether you answered that browser question in the past? Then try the test page at http://benwerd.com/lab/geo.php. This is one of many test sites that will tell you whether your browser is reporting your location.
Google.com). Mozilla’s Firefox offers one of the best defenses against third-party tracking through a plug-in called NoScript.
When we use OAuth, we’re giving up a lot of privacy for the sake of convenience.
The EFF states that an IP address is not a person, meaning that wireless subscribers may not be responsible for the actions of others using their wireless networks.
Just like hidden wireless SSIDs, it’s trivial to bypass MAC address filtering.
If the connection is not encrypted, it is legal to intercept the traffic because it is generally available to the public.
Seriously, if you really have something sensitive to do away from your house, then I recommend using the cellular connection on your mobile device instead of using the wireless network at the airport or coffee shop.
The underlying VPN technology, IPsec (Internet protocol security), automatically includes PFS (perfect forward secrecy; see here), but not all services—even corporate ones—actually bother to configure it.
the protocol most use by default. However, choosing a VPN service that uses the TCP protocol instead of UDP, such as TorGuard or ExpressVPN, can greatly improve performance.
To be invisible, it’s always best to layer your privacy. Your risk of having your traffic viewed by others in a public network declines with each additional layer of security you employ. For example, from a public Wi-Fi network, access your paid VPN service, then access Tor with the HTTPS Everywhere extension installed by default in the Firefox browser.
According to documents released by Edward Snowden, the Communications Security Establishment Canada (CSEC) can identify travelers passing through Canadian airports just by capturing their MAC addresses. These are readable by any computer that is searching for any probe request sent from wireless devices. Even if you don’t connect, the MAC address can be captured. So if you don’t need it, turn off your Wi-Fi.
To stay invisible, the MAC address should be changed each time you connect to the wireless network so your Internet sessions cannot easily be correlated to you. It’s also important not to access any of your personal online accounts during this process, as it can compromise your anonymity.
In the security business, we speak of the principle of “least privilege,” which means that a machine grants a user only the minimum privileges he or she needs to get the job done.
Most people would never equate simply carrying a cell phone with forfeiting their right not to be tracked by the government—but that’s what carrying a phone amounts to these days.
The word sousveillance, coined by privacy advocate Steve Mann, is a play off the word surveillance. The French word for “above” is sur; the French word for “below” is sous. So sousveillance means that instead of being watched from above—by other people or by security cameras, for example, we’re being watched from “below” by the small devices that we carry around and maybe even wear on our bodies.
model. Perhaps that will change—someone could invent a one-stop button that removes an entire user profile from your car. Until then, at least go online and change all your social media passwords after you sell your car.
Zoz Cuccias of Nest later told VentureBeat, “All hardware devices—from laptops to smartphones—are susceptible to jailbreaking;
printers and copy machines, depending on the model, have one important thing in common—they both may contain hard drives. And unless that hard drive is encrypted—and many are still not—it is possible to access what has been printed at a later date.
Google’s Android operating system allows movements from the sensors to be read at 200 Hz, or 200 cycles per second. Most human voices range from 80 to 250 Hz. That means the sensor can pick up a significant portion of those voices.
Officially, says security researcher Michael Ossmann, whom Cui credits for the idea, “a funtenna is an antenna that was not intended by the designer of the system to be an antenna, particularly when used as an antenna by an attacker.”
First of all, because femtocells are base stations for cellular communications, your mobile device will often connect to them without informing you. Think about that.
A huge concern about using the cloud is that your data does not have the same Fourth Amendment protections that it would have if it were stored in a desk drawer or even on your desktop computer. Law enforcement agencies are requesting cloud-based data with increasing (and unsettling) frequency. And they can obtain access with relative ease, since everything you upload online—whether to a Web-based e-mail service, Google Drive, or Shutterfly—goes to a server that belongs to the cloud service provider, not to you.
Wiping data is not the same as deleting data. Deleting data only changes the master boot record entry for a file (the index used to find parts of the file on the hard drive); the file (or some of its parts) remains on the hard drive until new data is written over that part of the hard drive. This is how digital forensics experts are able to reconstruct deleted data. Wiping, on the other hand, securely overwrites the data in the file with random data. On solid-state drives, wiping is very difficult, so I carry a laptop that has a standard hard drive and wipe it with at least thirty-five passes.
What I do is reboot my iPhone before approaching immigration control in any country. And when it powers up, I deliberately do not put in my passcode. Even though I have enabled Touch ID, that feature is by default disabled until I first put in my passcode. The US courts are clear that law enforcement cannot demand your password. Traditionally, in the United States, you cannot be compelled to give testimonial evidence; however, you can be compelled to turn over a physical key to a safe. As such, a court can compel you to provide your fingerprints to unlock the device. Simple solution: reboot
If I have to leave my laptop behind, then I never leave it in hibernate mode. Rather, I power it down. If I didn’t, an attacker could possibly dump the memory and obtain my PGP Whole Disk encryption keys. So I turn it all the way off.
So remember to change your MAC address each time you access public Wi-Fi (see here
Well, the time interval between the sender’s tapping of a key and the tapping of the key again can be measured. This method of differentiation later became known as the Fist of the Sender. Various Morse code key operators could be identified by their unique “fists.”
There’s a truism in the security business that a persistent attacker will succeed given enough time and resources.