Asset Protection BLOG - Mark Nestmann

Do you anticipate that your next garage sale will bring in at least US$100,000?  If you don't think your children's old toys and collection of obsolete electronics is worth at least that amount, you might want to take these items to a toxic waste dump instead of selling them. 

Our friends at the Consumer Product Safety Commission (CFTC) recently informed thrift stores that it's now illegal to sell used products that have been recalled or don't otherwise comply with government safety standards.  The penalty is up to US$100,000 per violation and up to $15 million for a related series of infractions.  But the CFTC regulations don't just apply to retail stores.  They also apply to anyone selling used goods—flea markets, charities, even garage sales. 

To find out if your next garage sale might result in a US$100,000 fine, the CFTC has helpfully published a "Handbook for Resale Stores and Product Resellers." After reading the long list of banned products, you might want to reconsider that garage sale.  But, if you're still determined to have it, you'll want to begin by disassembling every item you want to sell and testing each part for the various hazardous chemicals that the CFTC rules ban in resold goods. 

For instance, here's what the CFTC says you'll need to test for "phthalates," a class of now-prohibited chemicals.  Many types of plastic toys contain phthalates.

1. Tetrahydrofuran (C₄H₈O, THF), GC grade or higher
2. Hexane (C₆H₁₂), GC grade or higher
3. Cyclohexane (C₆H₁₂), GC grade or higher
4. Sealable glass vials with PTFE or silicone liner. Size 20 ml or larger
5. Cryogenic-mill (or suitable alternative to grind samples to powder)
6. 0.45 μm PTFE filters
7. Gas Chromatograph-Mass Spectrometer (GC-MS) with an auto-sampler, split/splitless inlet, programmable GC oven, and capable of selective ion monitoring
8. CRMs containing phthalates (such as NIST SRM 3074)
9. Benzyl Benzoate (C₁₄H₁₂O₂, BB), Analytical grade
10. Dibutyl Phthalate (C₁₆H₂₂O₄, DBP), CAS No. 84-74-2. Analytical grade
11. Di-(2-ethylhexyl) phthalate (C₂₄H₃₈O₄ , DEHP), CAS No. 117-81-7. Analytical grade or higher

Got that?  I don't know about you, but I've got several Gas Chromatograph-Mass Spectrometers (GC-MSs) lying around the house.  Not to mention a cryogenic mill or two.  Guess I just have to fire them up next time I want to have a garage sale.

You might be wondering how these regulations came into being.  As usual, you can blame Congress.  In 2008, Congress enacted the Consumer Product Safety Improvement Act of 2008 (CPSIA).  You may remember the brouhaha that erupted in 2007 over imported toys—primarily from China—that contained lead and other toxic substances.  The CPSIA was the congressional reaction.  Thanks, guys!  Nothing like overkill.

The CFTC, in a rare display of candor, states in its "Handbook" that. "The implementation of the CPSIA will have dramatic changes for the marketplace."  You can say that again!

To enforce the law, I suggest that the next Wall Street bailout package Congress enacts include a provision to send every family in the United States a GC-MS, just in case they don't have one sitting on the dining room table.  Of course, since you need to be conversant in chemistry to use one, the bailout should include a voucher for a chemistry class at a local community college. 

A cheap GC-MS costs about US$50,000, but since the government will be making a bulk purchase, it should be possible to get the costs down to, say, US$30,000 each, including the cost of a chemistry class. Total cost for 100 million households?  About US$3 trillion.

Now, before you criticize the cost, consider that if this initiative saves just one child's life, it will be worth every penny.  Plus, it will stimulate the economy, not to mention keeping garage sales CFTC compliant.  And, the money won't be going to fat-cat executives on Wall Street. Sure, there might be small safety problems--Tetrahydrofuran tends to explode, for instance--but hey, the CFTC can just issue some more rules, right?

That's a win-win situation all around.  Congress, are you listening?

Copyright © 2009 by Mark Nestmann

Encryption is a powerful privacy and security tool.  It is absolutely essential to our modern way of life.

Every time you use your credit card, the merchant that accepts it transmits the data on its magnetic strip in encrypted form to a processing center for approval.  A similar process occurs when you log on to your online bank or securities account.  Indeed, without encryption, hackers and identity thieves would shut down the Internet and the banking system within a matter of hours.

However, governments have a love-hate relationship with encryption.  This is particularly true with encryption technologies that permit individuals—as opposed to governments, banks, and businesses—to take back a smidgen of the privacy rights they've been systematically stripped up in recent decades.  

For instance, I've long recommended encrypting all confidential files on your PC.  This converts plain-text files on your PC into unreadable gibberish.  Programs like PGP Desktop (http://www.pgp.com) that automatically encrypt your entire hard disk are even better. 

It's no accident, though, that the inventor of PGP—a programmer named Phil Zimmermann—almost went to jail in the 1990s for the "crime" of distributing software empowering individuals to protect their privacy.  And ever since, governments worldwide have been doing their best to "control" personal encryption technologies.

A U.K. law called the Regulation of Investigatory Powers Act (RIPA) is a case in point.  A section of the RIPA that came into force in 2007 allows U.K. police to demand encryption keys or provide a clear text transcript of encrypted text.  Failure to comply can result in up to two years imprisonment for cases not involving national security, or five years for terrorism offenses and the like.  Police can order you to turn over data months or even years old.

Surely, police have reserved this draconian sanction for known associates of Osama bin Laden, or in investigations of similarly severe threats.  But that's not how it's been used.  Instead, as I described in an earlier blog post, the first known use of this authority came against an animal rights activist.

Now, the U.K.'s "Chief Surveillance Commissioner" (how's that for an Orwellian job title?) has disclosed that two defendants--apparently not including the animal rights activist--have been convicted for failing to hand over their encryption keys.  Both are now awaiting sentencing by the courts.  The cases of five other defendants accused of the same "crime" apparently remain before the courts. 

I suspect that officials in other countries—especially the United States—are nodding in approval of this process.  Under U.S. law, the Fifth Amendment to the Constitution protects individuals from being forced to incriminate themselves.  However, in a few cases, U.S. courts have already ordered individuals suspected of possession of child pornography to release their encryption passphrases.

What will you do when jackbooted thugs arrive at your home or business, seize your encrypted computer files, and demand that you give them unrestricted access to all of them?  Are you prepared to go to jail to protect your privacy?

I don't have a good answer to these questions.  But you can bet I'm thinking of them. 

If you have any ideas, I invite you to share them—my blog is now open to comments.

Copyright © 2009 by Mark Nestmann

If you're reading this posting, you're probably sitting in front of your computer without anyone gazing over your shoulder.  It's therefore easy to believe that what you do on the Internet—browsing, chatting, e-mailing, or whatever—is private. 

Don't believe it.  Your Internet Service Provider (ISP) can monitor every e-mail message you send, every Web page to which you surf, and every chat session you initiate.   If police demand this information, your ISP must turn over a record of everything you’ve done online.  And now, thanks to a ruling by U.S. District Court Judge Richard Jones in Seattle, you have no right to keep your "Internet identity" anonymous.  That opens the door to even greater privacy invasion.

Jones issued the ruling in dismissing a class-action lawsuit against Microsoft stemming from the company's practice of collecting the "Internet Protocol addresses" (IP addresses) of consumers who download automatic updates from the company.  Your IP address is a unique number that represents your publicly visible identity on the Internet.  But because the address identifies your computer—and not you personally—according to Jones, you have no "expectation of privacy" in the address.  That means any Web site can legally collect your IP address, unless they've promised not to do so. 

Moreover, it's relatively easy for Web sites, police, or anyone else to combine your IP address with other information to determine your identity.  That means if you don't want details of what you do on your computer divulged to the highest bidder, or anyone armed with a subpoena, you need to take precautions to anonymize it.

The easiest way to do this is to use a "virtual private network" (VPN).  Essentially, the VPN acts as an intermediary (called a proxy) between your PC and the Web site to which you're connecting.  That Web site records the IP address of the proxy, not of your PC.  This lets you use the Internet virtually anonymously.  And all your ISP sees is that you've signed on to the VPN—it can't track your Web surfing, either.

The only way anyone could recover your IP address would be by comparing the logs from the VPN and the logs from the Web site in question.  That’s a little like looking for a needle in a haystack.  What’s more, a well-designed VPN will be configured so that it’s impossible to retrieve a meaningful log to connect to individual subscribers.

There are many VPN services available.  I prefer services that don’t have networks installed in the United States to avoid possible compromise under legislation such as the USA PATRIOT Act.  The service that I use is http://www.cryptohippie.com.  Its only U.S. presence is to authenticate connections to Cryptohippie servers in other countries.  None of Cryptohippie’s servers are in the United States.

If you already have a VPN that you’re satisfied with, keep using it.  But if not, and you value your online privacy, give the “Road Warrior” VPN a try.

Copyright © 2009 by Mark Nestmann

Web-savvy employers and universities are increasingly employing a new tactic to screen applicants: conducting online research to unearth photos, blog entries, or other "digital dirt" you might prefer to keep private. 

Indeed, companies are springing up to dig up Internet postings that might be of interest to employers, government agencies, or whoever else might be interested.  For instance, you can view Web pages that were modified months or even years ago through the Internet Archive, also known as the Wayback Machine, at http://www.archive.org. 

But that doesn't mean you can't obscure your digital trail.  While I normally suggest that anyone interested in privacy avoid posting information to the Internet about themselves, if data you don't want others to see is already there, here are a few suggestions on how to cope:

Delete, delete, delete.  Start by deleting any photo, personal profile, or personal description on any social networking or dating Web site that is even mildly embarrassing.  For instance, I suspect Sergey Brin, the co-founder of Google founders, might prefer not to have this photo of him in drag immortalized.  While Sergey may be wealthy enough not to care, you may not be. 

Unfortunately, most social networking sites create archives in which your photos may reside permanently, even if you delete them from your profile.  Someone with a link to the original photo—or using the Internet Archive—might be able to find it. 

Do a search of yourself on Google.  Look for any links back to potentially incriminating or embarrassing posts or photos.  Unfortunately, Google won't remove content itself, but merely will refer you to the Webmaster posting the content.  If you can't figure out who's in charge of a Web site, search for the owner at www.whois.net.  Contact the owner of the site and ask that comments by or about you be deleted. In most cases the owner has no obligation to remove the content, but it may do so if you persist or threaten legal action.

Set up a Google alert for yourself.  You'll receive a daily e-mail update of the latest updates of whatever topic—yourself in this case—that you choose.  This is a great way to monitor what others are saying about you online.

Create favorable content about yourself.  You can do this in many ways.  For instance, create a professional Web site and/or professional blog.  For blogs, Wordpress, LiveJournal and TypePad all have high Google page ranks. You can also create a Wikipedia entry for yourself.  To further insure these sites are at the top of any Google search of your name, use title tags and headers to highlight information about you that you want people to see.  Don't forget to create a Google profile that contains the information about yourself you wish to highlight.  You can also leave comments on blogs and Web sites you respect under your own name. 

Use social networking sites intelligently.  It's almost impossible to permanently eliminate content you post to social networking sites, even if you unsubscribe.  However, you can also use these sites to your advantage, especially if you're setting up a profile for the first time.  Web sites like Facebook, MySpace, LinkedIn, Flickr, and Twitter are a good place to begin.  You don't even need to use these sites.  Just create a profile and add the content you want people to see.   Web sites that let you create a unique link with your name in it are especially useful (e.g., LinkedIn).  Those pages will show up ahead of most other sites that might contain content you don't want others to view.

Use protection.  There's no such thing as an Internet condom, but you can hire companies that will contact sites that have published material pertinent to your character.  One that has good reviews—although I haven't used it personally—is http://www.trackur.com.

Just don't forget that once you've posted something on the Internet, it's very difficult to permanently delete it.  So before you hit the "post" button, be absolutely certain that whatever you're about to send into cyberspace belongs there.

Copyright © 2009 by Mark Nestmann

If you live in the United States, you might have the naïve idea that police can’t enter your home without a search warrant.  That’s generally true, but the federal agency responsible for regulating electronic communications claims that it can.  If you own any electronic device that emits radio frequency (RF) energy, the Federal Communications Commission says it can enter your home any time to inspect it. 

Most of us, of course, own multiple RF devices.  Your cell phone, your wireless Internet connection, and even your garage door opener all transmit signals through the air.  All are fair game for warrantless inspection, the FCC says.

The FCC claims it is only interested in RF devices that use “unlicensed” frequencies.  For instance, if you operate a radio station out of your home, and didn’t bother to obtain a broadcasting license for it, the FCC may come calling.  That’s particular true if the signal is powerful enough to interfere with the signal from a licensed station.

However, the FCC says that it can also inspect equipment using “licensed” frequencies.  And that includes every household in the United States, with the possible exception of groups like the Amish, who eschew modern electronic devices. 

The FCC doesn’t have the right to seize anything—only to inspect any broadcasting RF devices.  However, if agents see anything in your home that’s “suspicious,” they can notify police, who may then be able to obtain a warrant for a more thorough search.

According to the FCC, its authority to search private homes comes from a 75-year old law authorizing warrantless administrative searches of radio transmitters.  Back in 1934, of course, there were no wireless routers, cell phones, or RF-activated garage door openers. Today, almost everyone does, yet the FCC still claims the same powers.

The saving grace to this policy is that the FCC won’t simply barge into your home if it wants to inspect any of the RF devices you own.  Instead, it will leave a note on your door announcing its intention to inspect whatever unlicensed (or licensed) RF devices in your home. 

If such a notice appears on your door, don’t call the FCC to schedule an inspection.  Call your lawyer.  You have a right for your lawyer to be present for any warrantless inspection of your home. 

Copyright © 2009 by Mark Nestmann

You might think that it’s illegal to wiretap telephone calls.  But that hasn’t stopped a growing number of companies from offering a full line of wiretapping software for dozens of cell phones.  And while using the software is illegal in most countries, that’s not stopping these companies from selling it. 

To install these programs, which go by names such as FlexiSPY or Mobile-Spy, all you need is access to the targeted cell phone.  Once you install it—a process that takes about five minutes—you can listen to your target’s phone calls and read his or her text messages, call detail (number, time, duration) and any e-mails sent from the phone. 

With a GPS-enabled phone, you can obtain the location where your target made each call.  And switch on “Spycall” mode (FlexiSPY) and you can listen in to any conversation in the vicinity of your target’s phone—not just phone conversations.  In some cell models, you can monitor conversations even if the phone is turned off. 

The software delivers all this data to an online account, where you can view it from any these Internet enabled cell phone or PC.

Manufacturers of these programs claim they’re legal.  For instance, the FlexiSPY Web site states: 

The product is not illegal, but the way in which it is used may break local laws. In general, you may use it on a phone that you own, for protecting your children, for archiving data, for enforcing explicitly stated business use guidelines and so on. We do not support any illegal use of our products, and the term of sale means that you agree to abide by your local laws.

Maybe that’s true in Thailand, where FlexiSPY is based.  But it’s not true in most other countries.   

You’re bugging someone’s phone and listening in on everything said and all data transmitted.  And that’s illegal in the United States, the United Kingdom, and almost everywhere else, unless you obtain a search warrant or other legal authority to do so.

 But meanwhile, sales of what one wag on the Internet calls “spouseware” appear to be booming.  So even if it’s illegal to bug someone’s phone, lots of people are doing it.  And the consequences could obviously be catastrophic if you discuss anything on your cell phone you wouldn’t want published on the front page of The New York Times.

How can you protect yourself?  One strategy is to use a phone that spouseware makers don’t support.  Click here for a list of supported phones for FlexiSPY.  

Second, never let your cell phone out of your possession.  While intelligence agencies can likely download spy software to your cell phone surreptitiously, all the commercial wiretapping software I’ve seen requires the eavesdropper to have physical possession of the target phone to install the application.

Third, use a log-on password for your cell phone.  This won't defeat a government eavesdropper, but it will frustrate efforts by a non-professional to monitor your cell phone data.

Fourth, if you want to make sure that your cell phone isn’t being used as a bug, take the battery out of it.  Obviously, you can’t use it in this situation, but at least it won’t be broadcasting your conversations to persons unknown.

Fifth, be alert to your phone battery being depleted more quickly than normal.  That might indicate a worn-out battery, but it could also be a clue that your phone is transmitting surreptitiously.

Sixth, be alert to how warm your phone is.  It’s normal for it to be warm after an extended conversation.  But if it’s warm and you haven’t used it recently, that raises the possibility it’s transmitting data without your permission. 

Seventh, if you use a GSM phone (common throughout the world except for the United States), walk toward a set of stereo speakers.  Buzzing interference from speakers is common with GSM phones.  If you hear buzzing when you’re not making a call, however, your phone could be bugged.

Copyright © 2009 by Mark Nestmann

No, it's not an April Fool's joke.  If only it were…

Imagine you're a lawyer working on an important legal brief for a client at a coffee shop, airport or other public location.  Unknown to you, your legal opponent is sitting on the other side of the room.  Using an oscilloscope and an inexpensive wireless antenna, he sits down at his own laptop, and activates monitoring software.  Thanks to a tiny antenna between your keyboard and the computer processor, your adversary can read everything you're typing into your laptop, with up to 95% accuracy, more than 60 feet away.

Even encrypted wireless keyboards are vulnerable, because each key still gives off a unique electromagnetic signal, which can be picked up with an antenna.

If that's not bad enough, if you're in the line of sight of your adversary—even hundreds of feet away—he can aim a laser microphone at your laptop to read what you've written.  Using the laser's precise rendering of the vibrations your keystrokes leave on the screen, he can monitor what you've typed. 

An attacker can pull off the same exploit, with similar results, on your home or office PC.  It's even easier, in fact, because desktop monitors are larger.  Plus, if you use an older PS/2 keyboard, hackers can pull the same information out of a nearby power socket.

Defense researchers have know for more than 50 years that it's possible to recover data from "leaks" in electronic equipment.  Most of their research—which at one time was code-named "Tempest"—is still classified.  But in the meantime, civilian researchers have discovered numerous ways to recover data using off-the-shelf components.  Indeed, the laptop keyboard sniffer I just described can be constructed for less than US$5,000. 

How can you protect yourself?  The most basic precaution is to not use a PS/2 keyboard.  Beyond that, you can purchase a "Tempest" laptop or PC certified to meet military standards.  They cost considerably more than ordinary PCs, but if you believe someone might target you for this attack, they're worth every penny.  Search the Internet for "Tempest laptop" or "tempest PC" to find suppliers.

Copyright © 2009 by Mark Nestmann