“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” ~ John Perry Barlow
In the film “Running Scared,” actor Larry Hankin plays Ace, the auto mechanic for a group of crime fighters in a big city. At one point there is a conversation about a new and better vehicle for lead actors Billy Crystal and Gregory Hines. Hankin says, “Let me tell you what you want. You want to come and go like the wind. Invincible, invulnerable, invisible.”
To which Billy’s character retorts, “And we want it tomorrow.” Hankin allows as how it may be ready by Thursday.
My background
A long time ago my dad brought me fanfold paper from his work at the university. It was long ago, in what is now another country in many ways. And besides Christopher Marlowe is dead.
Later I was shown a dial-up modem in the computer lab at the high school where I laboured at harvesting from the groves of academe. I did pretty well in school, receiving a Kansas scholarship, national merit scholarship, and John Jay scholarship, graduating with honours, and giving the valedictory speech because my classmates thought my speech was funniest.
In those ancient times during the last millennium, this modem was custom built in the electrical systems lab which was part of the auto shop classes. It was soldered by hand and built of a wild array of mismatched items. It had a custom cradle. It actually modulated and demodulated because, ancient times being what they were, the local phone system was analogue. Computer networks were digital, and still are.
There is a primacy dispute with regard to email, which I shall not dignify with commentary. Suffice it to say that it was long ago when I found out after school one day that we could connect the daisy wheel printer to a computer at the university and send an email to my dad. A few days later I looked up in calculus class and here was the computer lab teacher in the doorway with a couple of fanfold pages of printout. My dad had written back. The email was printed out anyway because we didn’t have a cathode ray tube to connect to the network, just that old daisy wheel printer that sounded like a suppressed machine gun every time we let it run a page or several. Email was sufficiently an innovation that the papers were hand delivered and I was thanked for putting the system through its paces.
A little while later one of my friends at a restaurant where I was working shelling shrimp and loading the dishwasher showed me how to use a telephone flash hook to dial a call. The extension in the kitchen didn’t have a dial because we weren’t supposed to use it to make outgoing calls, but that didn’t stop us. Very few things did in those days. We were a generation that didn’t take fences seriously, didn’t think well of the waste of deposit bottles one could find in dumpsters behind the big apartment complex nearby, didn’t have any consideration about the “bird sanctuary” that surrounded the old wells that had been used during “underground railway” days by escaping slaves, and didn’t expect to be caught because nobody was looking when we built our treehouse in a community commons. We ignored the law, the law keepers mostly ignored us, and nobody got hurt.
Later still I would correspond with John Draper, John Gilmore, John Perry Barlow, Arto Bendiken, Phil Zimmermann, Harry Hursti, and meet in person people like Christine Peterson, K. Eric Drexler, Srinija Srinivasan and many others. One of the things that I have liked about computer systems, especially data security and communications privacy, is that it is mostly about what you know. Ya know?
Steve Jackson and I were on a panel together in 1991 at the Chicago world science fiction convention that year. Steve had a bit of a run-in with the United States secret service because of a confluence of factors. One of the guys in his company was running out of his home a bulletin board system called “Pirate’s Cove” which had, among other treasures, an operating manual from a 911 system that had been casually hacked and posted as a trophy. Yes, I sufficiently pre-date what you think of as the Internet that I can describe acoustically coupled modems, discuss file transfer protocol intelligibly, and recall techniques for communication before web sites were even invented. Steve’s company was developing “generic universal role playing system Cyberpunks” as a book and dice mediated role playing game, and one of the possible main quests it described for player characters was hacking credit card information from unsecure connexions. The raid on his headquarters is a matter of legend in certain circles.
Suffice it to say that I’ve been around. And I’ve been a square.
Consent
One of the things you don’t look at is the terms of service for some of the services you receive. There are limits to your consent, even when you blindly click through those screens, so it isn’t clear that you have actually given anything away that can be functionally pursued in a court of law. To be legally binding, a contract would have to be entered into knowingly, willingly, competently, and with delivery of signed copies by both parties. The legalistic argument that, by giving you pages of garbage written in a foreign language (legalese) by annoying persons and asking you to click your acceptance, “knowing” and “willing” and “competent” consent has been obtained is an amusing fiction which may or may not survive a court challenge.
But you really need to ask yourself if you ought to be doing business with anyone who hires annoying persons to write reams of garbage, coerce your consent, and pretend you have given it freely. Perhaps you should take a look at the garbage as an amusing exercise in self-preservation. The freedom you save may be your own.
Do you think Amazon web services and Microsoft cloud services and Google storage services and these other extremely evil, diabolical, crafty, sneaky, and wicked providers are actually agreeing to keep your data secure, private, redundantly stored, and accessible exclusively to you? Would you care to wager something on this matter?
I am not a gambling man, and I am not currently setting the odds in a casino, but if I were to set odds it would be very much against these asinine terms of service from confiscatory, greedy, ugly, mean-spirited corporate parties being in any way in service to your interests. So why sign them?
You stored in the cloud? Honey, there is no cloud. That’s just a wicked people’s euphemism for their servers and not yours. Someone in a presentation to corporate drew a few curved lines on a white board to represent a body of servers where stuff is stored for the convenience of the storage providers and someone else thought it looked like cloud. And, yes, it was a white board, and yes white boards are inherently racist, that’s why we don’t call them boards of colour. ffs
What if the terms of service say that the people who are storing all your data can make copies of it any time they want? Sure, they have to do so for redundant storage, otherwise they don’t have a data retention plan that includes remote backups, and are goofs. But what if they make and sell copies? What if they sell copies of every single thing you store to those dynamic mountains of data maintained by the evil, perfidious, ugly, nasty nsa, fbi, cia, mossad, mi6, mi5, dia, and other agencies as they see fit, and for profit? What if they don’t even have the courtesy to share any of those revenues with you, the greedy jerks?
The same thing goes for your communications providers. There was one, exactly one (1) single communications provider that tried to resist when the evil nasty ugly bureau rats wrote and the horridly wicked traitorous scum in congress passed the USAPATRIOT act (yes, it is an acronym, no I won’t write out the lying words for you; yes you can go look it up) and every communications provider was required to in effect provide an open simultaneous channel for wiretapping of every call in the USA all at the same time - three million continuous wiretaps at any time. Yes, the agencies involved in this horrendous and disgusting violation of privacy even tried to dismiss the claims that they could monitor all calls at the same time by using this very statistic when they knew that was more than the number of simultaneous calls in the country at a given moment.
You’ve been lied to all your life. Why do you think that would change if a bunch of freemason oath taking demon worshippers in the legalistic profession of whores to wealth and power got together to write the terms of service for something you’re using? Of course they have certain disclosures that are supposed to qualify as informed consent. Of course they don’t actually care, at all, even a tiny bit, about you. They actively hate their neighbours, that’s among what being a demon worshipper is all about. And if you think that part’s bad, go to one of their festivities and bring your own because you don’t want to drink what they serve.
Restriction
The basic fact is that you have a desire to restrict access to your information. Do you put a personal identification number (PIN) on your phone? If you don’t and some toddler who visits your home picks up your phone and does a factory reset, do you have a backup of any of that stuff? Do you have a PIN on your automated teller machine card and on access to your credit union (or, ugh, bank) account? You certainly should do.
You have a bunch of ways to restrict access. You can install features that require a fingerprint and use your phone’s camera or other utilities to capture that print and verify that whoever is using your phone has chopped off the relevant digit and is now using it to access your phone. I myself don’t recommend this approach.
You go around in a society that doesn’t wear gloves nearly as much as Victorian society did 140 years ago. Maybe you should bring back that fashion. You don’t wear hats, most of you. I am rarely out in public without a hat on. There are cameras everywhere, and you can keep much of your face in shadow with a hat brim. Yes, I was thinking about identity as information you would want to secure. No, I wasn’t planning to honour any of the idiotic habits you and your kith and kin have gotten into while serving a system that seeks to enslave you. kthx
But you leave your fingerprints everywhere. So maybe stop doing so, or maybe stop pretending that you have accomplished something clever by having your devices key to your fingerprint to identify you.
You can speak a voice message to confirm not only that you are you but also that you are not under the stress associated with coercion. Maybe those can be mimicked by recording you saying the six or seven hundred syllables found in most languages, maybe not. But you can bet that if you are relying on voice print security someone is wandering around contemplating how to engage you in conversation long enough to capture enough syllables to get your voice.
You can also be confident that the devices around you are recording your voice. Do you say something in front of your Amazon or Google or similar device and then start seeing ads for related products and services? Yeah, so do a lot of people. Oh, but it’s in the terms of service. And, no, the ad revenue isn’t shared with you, go figure.
You might want to figure out how to restrict access with passwords. And you might want to use sufficiently complex passwords that they are difficult to purloin by the obvious methods. A small number of characters, or a strictly numeric password, isn’t going to help you enough.
For a while in one project the secure computers I used required my login be ten dice words long. That is three to seven letter words, selected by a random choice generator, and then memorised by me because I’m good with that sort of thing. Thirty to seventy letters with spaces between the words as additional characters. Kinda mid for security tbh.
There is a software system developed by a friend, Simon “Sidd” Davis formerly of Rhodesia and lately of Australia last I heard, called Pecunix. Back in its heyday to log in you needed to know not only a strong password and a four digit PIN, but you had to meet the PIK challenge, selecting characters or numerals from a drop down list. Your “private identification key” would be a set of letters or numbers chosen by you, up to 16 characters long, and three or four of those items would be required at every log in. But the login software would make you find a different three or four items in the list each time. So you might be required to put in the 12th, 13th, 14th, and 15th character when you first tried to log in, but the 3rd, 9th, 10th, and 11th the next time.
Get the password wrong, no login proceeds. Get the password right and the PIN wrong and Pecunix would not allow you to continue. Get both password and PIN right and you would have three chances at the PIK characters which were case sensitive and shown in the drop down list in alphanumeric order. Anyway, you wouldn’t be putting in all 16 characters from this key, so it was much more difficult to hack. As far as we know, no system protected by the password/PIN/PIK technology has ever had a single account brute force hacked. When you think of the total possibilities involved with 26 upper case, 26 lowercase, and ten numeral choices, taken twelve to sixteen characters for the total set, and invoked at 3 or 4 per session, and understanding what a factorial is in relation to the possible choices, you get the idea of a long time before a brute force attack would work.
And to limit those attacks, the system only let you have a few tries before your account was locked down and other verification was needed. My point in mentioning these things is to say that it is possible to create security access technologies without biometrics. And since you don’t exactly control every sample of dna you’ve ever put into the world, maybe you shouldn’t use your saliva as a security measure.
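The PIK stage of the password/PIN/PIK login described above, as an added Python sketch that is not Pecunix code and not part of the original essay. The function and class names, the per-position keyed-tag storage, the sample key, and the choice to keep the same positions for all three chances are assumptions.

```python
import hashlib
import hmac
import secrets

ALPHABET_SIZE = 62  # 26 upper case + 26 lower case + 10 numerals, as in the text
MAX_PIK_TRIES = 3   # "three chances at the PIK characters"


def _tag(server_key, position, ch):
    # Keyed tag binding one character to its position (case sensitive).
    msg = f"{position}:{ch}".encode()
    return hmac.new(server_key, msg, hashlib.sha256).digest()


def enroll(pik, server_key):
    """Assumed storage choice: one tag per position, because a partial-key
    challenge has to check single characters and cannot use one whole-key hash.
    The tags are only as secret as server_key."""
    return [_tag(server_key, i, ch) for i, ch in enumerate(pik, start=1)]


def new_challenge(pik_len, k):
    """Pick k distinct 1-based positions from a CSPRNG, fresh for each login."""
    return sorted(secrets.SystemRandom().sample(range(1, pik_len + 1), k))


class PikLogin:
    """Third login stage, reached only after password and PIN were accepted."""

    def __init__(self, tags, server_key, k=4):
        self.tags = tags
        self.server_key = server_key
        self.positions = new_challenge(len(tags), k)
        self.tries_left = MAX_PIK_TRIES
        self.locked = False

    def answer(self, chars):
        if self.locked:
            return False  # locked accounts need out-of-band verification
        ok = len(chars) == len(self.positions)
        for pos, ch in zip(self.positions, chars):
            candidate = _tag(self.server_key, pos, ch)
            # Check every position, in constant time, so the response does
            # not reveal which character was wrong.
            ok &= hmac.compare_digest(self.tags[pos - 1], candidate)
        if not ok:
            self.tries_left -= 1
            self.locked = self.tries_left == 0
        return ok


def online_guess_probability(k, tries=MAX_PIK_TRIES):
    """Chance that blind guessing passes one k-character challenge before
    lockout, for someone who already holds the password and PIN."""
    return tries / ALPHABET_SIZE ** k


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    pik = "Xk4mQ9tLw2BzR7aP"  # constructed sample key, 16 characters
    login = PikLogin(enroll(pik, key), key, k=4)
    print("asked positions:", login.positions)
    print("accepted:", login.answer("".join(pik[p - 1] for p in login.positions)))
    for k in (3, 4):
        print(k, "characters:", online_guess_probability(k))
```

With four characters asked, three blind guesses pass about twice in ten million sessions; the lockout is what stops that figure from being multiplied by unlimited retries.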
Monitoring
You need to know if someone is trying to access your systems. Otherwise, you don’t have a data security technology.
One of the ways in which some people roll is to use “two factor authentication.” I would rate this approach very low. Can you imagine losing your phone number? It happens, and if you are ever arrested and held awaiting trial (basically if you are not a Mormon in Utah and arrested there ever for any reason) you can find out that your phone company doesn’t keep your phone number yours if you miss a payment and the late fee period. Whoops. Can you imagine not having access to your email account? That’s especially pernicious if your phone uses an email account and you never bothered to back up the access information for it.
Then you might want to ask yourself this question: Do I want all my private communications linking to a particular device that might be found in my possession? The Signal software application (app) uses a very interesting technology to establish peer to peer and end to end encrypted communication, but it is tied to your phone number when you add the app to your phone or smart device. So if you look in your contact directory for your phone, it may helpfully show you whether a particular contact is “on” WhatsApp or Signal.
Session is a very similar app (see GetSession.org for it) and it doesn’t use email address or phone number linking. The only way to know if you are using it is if you send someone else your session key. Similarly people cannot add you to Session groups without your permission, which happens with WhatsApp quite often after you’ve had a given account for a number of years, unless you mod the settings. With Session, only the group admin can modify the list of group participants, and only with the consent (session key) of the users.
Does your Amazon account use two-factor authentication? Probably. I think that’s now the default. So you should be aware that your purchases are linked to that email address or phone number where the PIN shows up for your session. Maybe it would be useful to your privacy to contemplate having a third party buyer make the purchases and ship the resulting goods to you. That was one of the very first large scale uses of e-gold way back. I think my buddy JP May called it Bananagold or some such. His business model used the 45 day terms provided to corporate accounts, aggregated all purchases through that same account, and he profited immensely from the rise in the price of gold as well as the percentage based fee added to your purchase total by his software. Interesting software indeed.
(It is probably worth mentioning in the same context of security that you are using a national currency in much of what you do. National currencies inflate all the time, stealing value from your bank accounts and wallets even though the money is still ‘in there’ because the purchasing power is eroded. From $20 to an ounce of gold in 1913 to $2,721 when the spot market for gold closed on Friday. The price will be higher or lower on Sunday evening when the spot markets for gold in Tokyo and Hong Kong are open for business, but the price will never again be $20/ounce. The Feral Reserveless scheme is run by liars and jerks who hate everyone else and are evil in a really intricate way. But my point in the paragraph above is simply that there were very few 45 day periods between 1999 and 2007 when the price of gold dropped more than the 4% fee for the Amazon purchases at Bananagold. Some services are very lucrative.)
Two-factor authentication or 2FA as it is sometimes called by the bozos who think that only one set of jargon works globally for everyone who encounters their amphigory, can be useful for limiting access to your account. It might not be in your power to prevent it, either. But you have to understand that it creates a verifiable link between what you are doing and that second factor email or phone number account. Which might be a thing to avoid, depending on what you are doing.
Do you have other monitoring techniques? I used to work with a group of people in Houston at “Mission Critical Software” including Jim and Louis Woodhill. We were deploying a software system called Enterprise Storage Manager. It used a really interesting set of equations to do data compression. And other equations were used to “checksum” whether the same amount of data was being stored at a given time. So if someone’s storage suddenly lost a gigabyte of information, the system was quick to detect it. And other like factors as well.
Do you even know how much data you are storing? Do you monitor it by backing it up on a consistent basis? Do you have a stack of thumb drives or solid state devices for storing info? And are they current? What happens if they aren’t?
Redundancy
Each individual is different. How you do things is not how I do things. And I am not one of those arrogant data systems specialists who thinks that my flatulence isn’t stinky. So I am not going to assert that you should do things the way that I do them. I’ve included the possibility that you might want to use biometrics for access to your stuff. I don’t mind, it’s your eyeball that will get held up to the iris scan, and good news if the dead tissue doesn’t read properly.
Similarly, much of what I’m writing in this overview is general discussion stuff. I am not pretending, and I would discourage you from working with anyone who were pretending, that I can design a data security technologies solution, let alone a communications privacy solution, for you without working closely with you for some days. Which I am available to do at my customary rates and with the grin and pay it level of retainer which represents your enthusiasm for actually having secure systems.
When I was working for a bank in Midtown Manhattan during the latter decades of the last millennium, they had a correspondent bank in Japan. Many banks did. They had elaborate backup plans for all kinds of conceivable catastrophes. (And a saying in the data security department that it was always the inconceivable catastrophe that would end things for good.) They would secure their data in the actual vault of that bank, in encrypted form, on physical media. Stuff was flown across the oceans and continents for that purpose. The corresponding bank’s info was on physical media in the vault in the bank’s headquarters in Chicago. As physical media progressed from magnetic tapes to solid state, and as encrypted communications became increasingly prominent, the type of media and whether it actually moved physically changed, but the policy did not. If an asteroid hit Chicago, the bank’s data lived on in Tokyo, and in a number of other bank vaults on other continents.
So if you have a desire to keep your data secure and you don’t have a fireproof box or fireproof safe, maybe think about getting one. And keeping a set of your data on some devices or media in that safe. And think about off site backup because your entire location could be engulfed in flames, water, nuclear radiation, or other deadliness depending on what you think is coming down the pike.
Identity and anonymity
The final topic that I’d like to touch upon in this overview is the topic of identity. One of my favourite scenes in the film “The Princess Bride” which is a good film to watch more than once, especially with friends and children, is between Inigo Montoya and the man until that moment known as the man in black. Dread Pirate Roberts is wearing a masque. Inigo says, “Who are you? I must know.”
Roberts says, “Get used to disappointment.”
You should have that attitude in life, especially as the number of closed circuit television cameras monitoring your every move increases on an hourly basis. You should explore the possibilities of light emitting diode fabrics as an effective antidote to facial recognition software. You should learn about “the ugly t-shirt” which was programmed into a bunch of the early machine vision systems to delete certain people from the data streams. You should have the view that knowing who you are is a privilege and not everyone out there should have that privilege.
That attitude should especially apply to thieves. And there is one thing about politicians and bureau rats on which you can always rely: they are robbin’ leeches. They want to live the good life.
I’ve mentioned it a few times lately because it is such a staggering arithmetical outcome to my way of thinking. The fiscal year 2024 budget for the USA feral gooferment was $6.5 trillion and the number of employees is 3 million, which means each of those persons gets $2.167 million to pay salary, expenses, per diem, travel, entertainment, and the budget authority to do whatever grift and ugliness is supposed to be done by their department, on average. That’s a whole lotta money. And they didn’t get it from you and your neighbours by being kind or decent or pleasant.
I don’t think you have any obligation to tell me who you really are. You are free to call yourself by any name you choose. And if you are free to have pronouns in your bio, you are also free to choose proper nouns.
You should think very carefully when you sign up for a streaming service, or any service, what email address you are using. Who are you contacting with that email address besides Netflix? How much do you want to associate your film watching choices with every other individual you have ever emailed from that account? Using more than one email account should become second nature. A new thing? A new email unless you have a really good reason for cleverly predicting a distant future day when you want everyone in your contacts for that account to be notified of a set of your purchase choices.
You should think very carefully about what it means to have encryption keys, especially the secret key that, with your password and other credentials, unlocks the messages. Maybe you have not heard yet, though I have written it a number of times in the last year: not your keys, not your coins. Anything you buy through an account based system is only yours until it is transferred into your control. Your Coinbase plugin wallet is different from your Coinbase account wallet, and if you don’t understand the difference, let’s talk in the comments.
A long time ago there were people who wanted to get on discussion lists and discussion forums and talk about their experiences being abused physically or sexually as children. They wanted to do so without exposing their identities to the people who had abused them. For this purpose, some of us in the hacker community built anonymous remailers. For this purpose, a number of public domain software systems employing public domain encryption systems were distributed by friends and family and users were trained up by me and many other people like me.
I don’t agree with Nikki Haley and the other parasitic political class robbin’ leeches who say that everyone who gets on the Internet should be identified and everything they say or write should be identifiably attributable to that person. I disagree vehemently. And I know how to keep things private. I also know a great many things I’ve written in my own name are very much not private.
In some ways I have chosen to be that “canary in a coal mine” for the freedom community. I say the things I think need saying, in my own name. And much of what I’ve written is not at all anonymous. This one time the US Marshals Service shut down L. Neil Smith’s The Libertarian Enterprise because of one of my essays. And their erstwhile domain registrar of the time, GoDaddy, helped it happen and didn’t even ask for a court order because evil.
Similarly there are companies that maintain certain “canary in the coal mine” publications on the web. If they are given a national security letter demanding certain information, they are also throttled as to saying anything about that fact. So they stop renewing the canary, and you know by its absence what has happened. Food for thought.
Which is, all things considered, the purpose of this essay. Data security and communications privacy are deeply intricate and sophisticated topics. And you should understand them if you want to get to that better time in your life when things are more free and you are more prosperous. That day is approaching, friends, God willing. Praise God. Amen. Let me know if you have questions, please.
That’s all I’ve got for today. Come back next time when I have something new. Or old.
Thank you very much for sharing. What I learned helming failed cybersecurity startup HeraSoft is commercial organizations require the corruptibility of their administrated networks as a feature. This is due to the inherent doubt within existing forced commercial systems. Why crypto: voluntary marketplaces ♥️☀️☮️🌈🏁
Aw, Jim, I have so many questions and so little "time". But, God bless you, on this beautiful Saturday in the South. I get brokenhearted sometimes thinking about this broken old world but I find that it prevents me from becoming too worldly, so there's the upside, right there. This Mean Old World, I think that's a nice song. Songs keep me working, keep me moving, those mysterious vibrations. I'm heading to Biloxi today to sing some songs for a bunch of people who are attending a "shrimp-tasting festival". Never been to one but it should be a good time in a good place. Be well, brother, I hope we can meet in person one day as you're one of my Substack favorites. If not "in person" then in the Great Beyond. R