• Categories

  • Pages

  • Archives

Is It Possible To Create A Person Online?

Very often. those who professionally investigate human beings have to determine if she is dealing with a real person or an invented identity.

In social discussion, countless times I’ve heard people refer to “the fake me” – a conjured identity that the user employs for his own reasons, which can range from the benign (isolating marketers) to the dangerous (a criminal seeking new prey).  More often than not, the braggart is not an IT person – or a detective – and believes that by cobbling together a few “borrowed” digital photos and planting them as profile pics on social media, he can tweet away under his fake identity with no one the wiser.  Professional investigators look for this rather lazy pattern (same pics across various platforms) as one of the first clues that they are dealing with a manufactured identity rather than an actual person.

Few people really know how to create an alternative identity and one of those rare people is Aaron Brown.  His story, in his own words, is as fascinating as it is correct.

(Reprinted with permission.)

HOW TO INVENT A PERSON ONLINE

by Curtis Wallen, (07/23/2014), The Atlantic

It’s not an exaggeration to say everything you do online is being followed. And the more precisely a company can tailor your online experience, the more money it can make from advertisers. As a result, the Internet you see is different from the Internet anyone else might see. It’s seamlessly assembled each millisecond, designed specifically to influence you. I began to wonder what it would be like to evade this constant digital surveillance—to disappear online.

From that question, Aaron Brown was born.

My project started at a small coffee shop in Bed-Stuy, Brooklyn. With the help of Tor—a software program that uses layers of encryption to anonymize online activity—I searched Craigslist and tracked down a handful of affordable laptop computers for sale in New York City. I registered a new email address with the (now-defunct) Tormail anonymous email provider and arranged to buy a used Chromebook.

xxxxxxxxxxxxxx@xxxxxxx.com (1/27/13 – 11:23):

I’m punctual, I will be there on time at 1. Theres an atrium at citi center, will let you know when I’m there.

clcrb@tormail.org (1/27/13 – 11:25):

Perfect. See you there.

xxxxxxxxxxxxxx@xxxxxxx.com (1/27/13 – 12:59):

Im here in the atrium at 53rd and lex… Gray jacket, blonde hair. Sitting at a table

The meeting was quick. I wore a hat. I kept my head down. The man at the table in a gray jacket was a real person—in a busy public place full of cameras—who could later potentially connect me to the computer. These face-to-face moments left me the most vulnerable. If I was going to evade online surveillance, I had to avoid any ties between my digital footprint and the physical world.

When I got home I immediately reformatted the computer’s hard drive and installed a Linux partition. This meant I could encrypt and cosmetically “hide” the part of my computer that was using Linux. My new laptop would boot up Chrome OS like any other Chromebook, unless I gave it the command to boot up Linux instead. I never connected to anything using  Chrome OS. And on the Linux side, I never accessed the Internet without Tor, and I never logged into anything that had any connection to Curtis Wallen.

Up to that point, I had been largely operating on instinct and common sense. Now that my project was expanding, I figured it’d probably be a good time to reach out to someone who actually knew what she or he was doing.

I created a new Tormail account, the first evidence of my new person—aaronbrown@tormail.org––and sent an encrypted email to the enigmatic researcher Gwern Branwen, asking what advice he’d give to someone “new to this whole anonymity thing.” Branwen replied with a simple but crucial piece of advice:

“Don’t get too attached to any one identity. Once a pseudonym has been linked to others or to your real identity, it’s always linked.”

Taking Branwen’s advice to heart, I put a sticky note next to my keyboard.

When most people think of Internet surveillance, they imagine government bureaucrats monitoring their emails and Google searches. In a March 2014 study, MIT professor Catherine Tucker and privacy advocate Alex Marthews analyzed data from Google Trends across 282 search terms rated for their “privacy-sensitivity.” The terms included “Islam”, “national security”, “Occupy”, “police brutality”, “protest”, and “revolution.” After Edward Snowden’s leaks about NSA surveillance, Tucker and Marthews found, the frequency of these sensitive search terms declined—suggesting that Internet users have become less likely to explore “search terms that they [believe] might get them in trouble with the U.S. government.” The study also found that people have become less likely to search “embarrassing” topics such as “AIDS”, “alcoholics anonymous,” “coming out,” “depression,” “feminism,” “gender reassignment,” “herpes,” and “suicide”—while concerns over these more personal terms could have as much to do with startling Google ads, the notable decrease observed in the study suggests the increased awareness of surveillance led to a degree of self-censorship.

In other words, people are doing their best to blend in with the crowd.

The challenge of achieving true anonymity, though, is that evading surveillance makes your behavior anomalous—and anomalies stick out. As the Japanese proverb says, “A nail that sticks out gets hammered down.” Glenn Greenwald explained recently that simply using encryption can make you a target. For me, this was all the more motivation to disappear.

Aaron had a face, but lacked “pocket litter”—an espionage term that refers to physical items that add authenticity to a spy’s cover. In order to produce this pocket litter, I needed money—the kind of currency that the counterfeit professionals of the darkweb would accept as payment. I needed bitcoin, a virtual currency that allows users to exchange goods and services without involving banks. At that time, one of the few services that exchanged cash for bitcoin was a company called Bitinstant. I made my way to a small computer shop in the Chinatown neighborhood of Manhattan to make the transfer.

At a small, teller-like window, I filled out the paperwork using fake information. Unwisely, I wrote down my name as Aaron Brown— thus creating one of the links to my real identity I should have been avoiding. As a result, my receipt had “Aarow Brown” printed on it. It seemed fitting that the first physical evidence of Aaron’s existence was a misspelled name on a receipt from a computer shop.

When I got home, 10 bitcoin were there waiting for me in my virtual wallet, stored on an encrypted flash drive. I made the necessary contacts and ordered a counterfeit driver’s license, a student ID, a boating license, car insurance, an American Indian tribal citizenship card, a social security card scan (real social security cards were a bit out of my budget), and a cable bill for proof of residency. The final bill came out to just over 7 bitcoin, roughly $400 at the time.

As I waited for my pile of documents, I began crafting Aaron’s online presence. While exploring message boards on the darknet, I came across the contact information for a self-proclaimed hacker called v1ct0r who was accepting applications to host hidden services on a server he managed. I messaged him with a request to host Aaron’s website. He was happy to offer a little space, under two conditions: “no child porn nor racism; Respects the rules or i could block/delete your account.”

I also set up a simple web proxy so that anyone could contribute to Aaron’s online presence. The proxy serves as a middleman for browsing the Internet, meaning any website you visit is first routed through the proxy server. Anyone who browses using the proxy is funneling traffic through that one node—which means those web pages look like they’re being visited by Aaron Brown.

Aaron’s Twitter account worked much the same way. There was a pre-authenticated form on the project website, allowing anyone to post a tweet to Aaron’s feed. As Aaron’s creator, it was fascinating to see what happened once strangers started interacting with it regularly. People would tweet at their friends, and then Aaron would received confused replies. Under the guise of Aaron, people tweeted out, jokes, love messages, political messages, and meta-commentaries on existence. I even saw a few advertisements. Ultimately, the account was suspended after Spanish political activists used it to spam news outlets and politicians.

In a sense, I was doing the opposite of astroturfing, a practice that uses fake social media profiles to spread the illusion of grassroots support or dissent. In 2011, the Daily Kos reported on a leaked document from defense contractor HBGary which explained how one person could pretend to be many different people:

Using the assigned social media accounts we can automate the posting of content that is relevant to the persona. … In fact using hashtags and gaming some location based check-in services we can make it appear as if a persona was actually at a conference and introduce himself/herself to key individuals as part of the exercise … There are a variety of social media tricks we can use to add a level of realness to all fictitious personas.

Aaron Brown turned that concept inside out. With a multitude of voices and interests filtering through one point, any endeavor to monitor his behavior or serve him targeted ads became a wash. None of the information was representative of any discrete interests. The surveillance had no value. I’d created a false human being, but instead of a carefully coordinated deception, the result was simply babble.

“The Internet is what we make it,” wrote security researcher Bruce Schneier in January 2013, “and is constantly being recreated by organizations, companies, and countries with specific interests and agendas. Either we fight for a seat at the table, or the future of the Internet becomes something that is done to us.”

For those of us who feel confident that we have nothing to hide, the future of Internet security might not seem like a major concern. But we underestimate the many ways in which our online identities can be manipulated. A recent study used Facebook as a testing ground to determine if the company could influence a user’s emotional disposition by altering the content of her or his News Feed. For a week in January 2012, reseachers subjected 689,003 unknowing users to this psychological experiment, showing happier-than-usual messages to some people and sadder-than-usual messages to others. They concluded that they had “experimental evidence for massive-scale contagion via social networks” because users responded by publishing more positive or negative posts of their own, depending on what they saw in their own feeds.

The U.S. Department of Defense has also figured out how influential Facebook and Twitter can be. In 2011, it announced a new “Social Media in Strategic Communication” (SMISC) program to detect and counter information the U.S. government deemed dangerous. “Since everyone is potentially an influencer on social media and is capable of spreading information,” one researcher involved in a SMISC study told The Guardian, “our work aims to identify and engage the right people at the right time on social media to help propagate information when needed.”

Private companies are also using personal information in hidden ways. They don’t simply learn our tastes and habits, offering us more of what want and less of what we don’t. As Michael Fertik wrote in a 2013 Scientific American article titled “The Rich See a Different Internet Than the Poor,” credit lenders have the ability to hide their offers from people who may need loans the most. And Google now has a patent to change its prices based on who’s buying.

Is it even possible to hide from corporate and government feelers online? While my attempt to do so was an intensely interesting challenge, it ultimately left me a bit disappointed. It is essentially impossible to achieve anonymity online. It requires a complete operational posture that extends from the digital to the physical. Downloading a secure messaging app and using Tor won’t all of a sudden make you “NSA-proof.” And doing it right is really, really hard.

Weighing these trade-offs in my day-to-day life led to a few behavioral changes, but I have a mostly normal relationship with the Internet—I deleted my Facebook account, I encrypt my emails whenever I can, and I use a handful of privacy minded browser extensions. But even those are steps many people are unwilling, or unable, to take. And therein lies the major disappointment for me: privacy shouldn’t require elaborate precautions.

No one likes being subliminally influenced, discriminated against, or taken advantage of, yet these are all legitimate concerns that come with surveillance. These concerns are heightened as we increasingly live online. Digital surveillance is pervasive and relatively cheap. It is fundamentally different than anything we’ve faced before, and we’re still figuring out what what the boundaries should be.

For now, Aaron’s IDs and documents are still sitting inside my desk. Aaron himself actually went missing a little while ago. I used Amazon’s Mechanical Turk marketplace to solicit descriptions from strangers, and then hired a forensic artist to draw a sketch. He resurfaced on Twitter. (You can go here to try tweeting as Aaron Brown.) But other than that, no word. I have a feeling he’ll probably pop up in Cleveland at some point.

Everyone always seems to get sucked back home.

******

One thing we seem to forget as we go through our daily online lives is to trust our gut instincts.  If something feels off, your primal brain is sensing it before the logical side can identify the issue.  Trust your instincts – after all, we are – literally and virtually – all strangers online.

BNI Operatives: Situationally aware.

As always, stay safe.

How To Stay Safe On Free Public WiFi.

wi fi thief

Public Wi-Fi hotspots – they’re convenient, readily available all over now and basically open to all.    They’re everywhere – airports, hotels and in every Starbucks across the nation.  And everyone uses them to read work emails, watch videos and update social media.

How identity thieves use fake public Wi-Fi to steal your information.

Well, anywhere you find a crowd, you’ll find a criminal.  Criminals love public Wi-Fi spots too – so much so that they like to create their own hotspots to deceive you. One of their most common tricks is to use a generic name like “Hotel Wi-Fi”.  So, you might think you’re logging onto the hotel’s Wi-Fi, but end up signing onto a hacker’s network instead.  (You should verify the Wi-Fi network name with the hotel.  Be sure it matches the name of the hotel Wi-Fi network.)

Accidentally logging into the criminal’s network obviously makes it  easy for them to steal sensitive information like your logins and passwords.

How To Stay Safe On Public Wi-Fi:

  • If you’re using a smartphone, use the cellular connection instead of Wi-Fi. That’s much harder for hackers to intercept.
  • When banking, use your institution’s official app and sign up for any extra security that your bank offers.
  • Checking social media? Use the network’s official app. This is more secure than accessing in through the website.
  • If your laptop is set to sharing at work or at home, shut off sharing.
  • Don’t automatically connect to Wi-Fi networks.

The basic rule of thumb is, if the site is asking for your personal log-in information, do not reveal this info and stay away from that site.

BNI Operatives: Situationally aware.

As always, stay safe.

Chatting With Strangers: Dangerous Catfishing.

FakeFB
Urban Dictionary:

A catfish is someone who pretends to be someone they’re not using Facebook or other social media to create false identities, particularly to pursue deceptive online romances.

==========================================================================

If you’ve been on social media for more than a few months, the odds are very high that you’ve been catfished or have heard the horror stories of its victims.  From the above Urban Dictionary, you can determine this to  mean that someone you’ve been chatting with is not who they state they are.  (For the purposes of this article, we will not extend the meaning of catfish to online stalkers such as exes trying to check up on former wives, husbands, etc. or people experimenting with a more fluid profile of themselves to maintain a degree of separation from their personal and work lives.)

The reasons people catfish are many and varied but in social media venues, this con game is mostly used in romantic pursuit via a fake identity.

How To Spot A Catfisher:

1. Caginess about life details: Real name, age, location, field of employment, etc. (Citing security reasons is one thing; catfishers act as if they are with the Secret Service about this information and then try to turn the tables around by asking you for your info so that “they can trust you”.)

2. Has few photos of himself. (There’s only so many pics of a regular guy that a catfisher can rip off and pretending to be a Charlie Sheen look-a-like with CS’ pics is so 2009.)

3. The few photos that he has posted aren’t usually of him involved in real time activities with the same people. (E.g., No family pics.)

4. The identities are relatively new. “I just joined Facebook.” (Really? Where have you been in the past decade??)

5. Few, if any, interactions, with others on his timeline. “I don’t let people post to my timeline anymore since I ran into this nut who blew up my page.”  (Most real people do not completely limit posts on their timelines as it defeats the purpose of being on social media – to interact with others.)

6. His webcam is always broken.

How Does A Catfisher Operate:

If somehow a catfisher gets past his target’s guard and it’s time to meet in real life and he has been using a fake picture, he will suddenly disappear off the face of the virtual earth..

But now, having gathered all of this personal information from you (your likes, tastes, aspirations, etc.), he reappears (unbeknownst to you) as a different person.  His profile pic will either be very grainy, of other poor quality or  of animals or other non-human representations  – anything but a clear, current pic of himself.   This new stranger will apply your personal knowledge in your chats and appear to be in synch with you on many subjects.  Despite the age-old adage, “Opposites attract”, we are actually more attracted to those with whom we have things in common. You begin to believe that you have met someone who “gets” you.

A connection has formed.

Why Do People Fall For Catfishers:

From Buzzfeed:

Our Leah Palmer piece reported how a man left his girlfriend for a women who didn’t exist. A popular response in the comments underneath was, “How didn’t he know?”

But there are real reasons why we choose to see what we wantto see when it comes to meeting people online.

“If someone presents to us an intact, detailed identity, we immediately trust it,” says Short. “That’s because if we recognise just the outline of the individual – online or in the real world – we assume that that is real, with no verification. So identity equals trust, even if it’s not real. If someone looks like a person, we think they are a person.”

She explains that it got a lot to do with instinct: “It’s partially an evolutionary default. We’re social creatures, that’s just what we do: We see a pattern that looks like an individual and we think it must be a real person.”

Unconscious social cues tell us what we want to know about someone depending on what we want, says Short. So if we’re looking for a friend, colleague, or a lover, we’re predisposed to find people who fit the bill.

Even if there are details missing or there’s something suspicious – for example, someone’s webcam is always broken, or their career seems sketchy – human brains are happy to fill in the blanks.

“Just as we stereotype people in the physical world and immediately make judgments, I think the same thing is happening online,” Short says. “We look at profiles and fill in the gaps – you do the dot-to-dot and make all sorts of assumptions about who this person is.

“This is happening very, very fast and we’re not switched on to the fact that verification is very poor [online]. In the physical world, people lie but at least you know it’s them in front of you. You just don’t know that in an online relationship.”

17 Of The Most Insane Catfish Stories That Will Make You Cringe

Relatedly, in our next Bulletin,  we will cover How To Handle An Online Stalker.

BNI Operatives: Situationally aware.

As always, stay safe.

Your Social Security Number, Please? Just Say NO! When Disclosing Your SSN Is Mandatory.

ssn

Your Social Security number is one of the most important keys to your financial health. It’s a unique identifier that lenders use to assess your creditworthiness. It’s also exactly what a would-be thief needs to apply for a credit card, mortgage, car loan or job in your name.

If you’re like most Americans, it’s also something you give out all too frequently and often, unnecessarily.

Case in point: A recent Javelin Strategy & Research report — their ID Fraud Survey — found that, among identity theft victims, 38 percent said the perpetrator had obtained their Social Security number and used it in the crime.  It’s certainly logical to state that you could eliminate 38 percent of your risk of identity theft by limiting access to your Social Security number.

Also, given the massive government and corporate database breaches lately, it’s equally safe to assume that someone – other than you – has your SSN info.

So, when is it mandatory to provide your true SSN and when is it not required?  See our chart below, developed by credit reporting agency, Experian.

WHO CAN, CAN’T REQUIRE YOUR SOCIAL SECURITY NUMBER
Mandatory                                                         Optional
Credit applications                                                 Doctor and dentist intake forms
Cash transactions over $10,000                          Supermarkets
When applying for certain federal benefits       Drugstores
Military paperwork                                                 Preschools
Department of Motor Vehicles                             Airlines

‘Your Social Security number, please’
Still, saying you are going to limit access to your SSN and doing it are two different things.  From the dentist’s office to your child’s pre-school, nearly every application or information form we fill out these days requests your Social Security number.  Shopping stores may ask for it, too, when accepting a check for payment or before issuing check cashing privileges. Potential employers also need it but it is important to remember that you should provide them your SSN only to process your E-Verify submission in anticipation of being employed at this company.  If you are not hired, request that your paperwork, identifying your SSN, be returned or destroyed.  Why would you want it lingering in someone else’s possession and have no control over who may have access to it?  You may also be asked for it by car dealerships, pawnshops, drugstores — even at the airport, should you lose your luggage.  It’s amazing how prolific this practice has become.  (A few years ago I was placing my mother’s things in storage, and I was asked for my SSN.  I denied the request.  It was wholly unnecessary for the transaction at hand.)

Just because someone asks for it doesn’t mean you have to comply,  especially since there are only a handful of organizations that actually have a valid need for it. For instance, anytime you’re applying for credit — for a new credit card, a loan, new utility or cellular service — the creditor will need your Social Security number to run a credit check. You’ll also need to provide it if you are applying for federal or local government benefits such as Social Security, Medicare or Medicaid, unemployment insurance or disability. The local motor vehicle department, thanks to the USA PATRIOT Act, has the legal right to ask for Social Security numbers, too. In addition, when you complete a cash transaction totaling more than $10,000 you’ll be required to provide your number so that transaction can be reported to the IRS.

Medical professionals have their own reasons, too.  As morbid as this is, should you die while under a doctor’s care, they are required to put your Social Security number on the death certificate.

Still, fulfilling noncredit-related requests — even medical-related requests — is purely optional.  The problem however is that while you have the right to refuse to disclose your SSN, a business owner has a right to deny doing business with you.  Understandably, they want reassurance should they have to track you down for not paying a bill.

Gracefully saying ‘no’
One of the best ways to get out of giving your Social Security number to someone is to simply overlook it on your paperwork.  It’ll probably not be questioned  If so, however, simply ask why they need it.  But again, be prepared to be denied service if you refuse to provide it.

 

In the worst case scenario — when you absolutely can’t get out of it, but you still don’t feel comfortable –  make up a number.  Just make sure you write it down and don’t inadvertently steal someone else’s identity. The easiest way to ensure that is by putting in two zeros for the middle digits.  No Social Security Number have double zeros in that section.

It’s high time we take back control of our personal identifiers and especially one as important as our SSN which follows us from cradle to grave.  Just be smart and non-confrontational about it.

BNI Operatives: Situationally aware.

As always, stay safe.

%d bloggers like this: