Security Matters! Your hobby phone is not enough.

txswing99's Avatar
This week, I had dinner and drinks with one of my long-retired ATFs who came to visit Houston from the east coast. As a provider in Dallas, she gave a younger version of myself a very welcome start in the hobby and we remained friends since...with occasional communications after her retirement. To my surprise, she wanted to thank me for some advice and help I provided years ago. Apparently it had come back to help her immensely in the last year in dealing with her divorce and the LE.

Years ago, I was a computer security consultant and the topic of how to secure her business came up when we got together. Typically folks ask me what anti-virus or firewall software to use, but I had advised her that, "The best security is not about installing the right software, but rather applying consistent procedures with the tools to get the level of security she wanted!" In other words, it makes no sense having a hobby phone if you leave it lying around. Or, maintain a calendar of her appointments with other confidential information on her password-protected laptop that she loans to her friends. At the time, she had already planned to retire "within 5 years" and she wanted to "disappear" after that. With a website, photos, and assorted accounts at hobby sites, it seemed like a tall order. So we put together a set of secure tools (i.e. a laptop with encrypted drives, hard-to-trace hobby phone, anonymous web browsing, etc.) and procedures (i.e. selectively obscuring photos, track list of all her hobby accounts) that would effectively allow her to "disappear" when she decided to finally retire. Which she did successfully a few years later.

As the story goes, she moves to the east coast with her boyfriend...who was aware of her provider past...and they marry. Kids follow and the family starts going to a good church. ...and then the economy tanks. With the family facing difficulties, she -- in agreement with her husband -- decides to return as a provider. She resurfaces with her tools and procedures from before -- and even though hubby wanted to help -- she maintains her laptop and hobby accounts separate from her husband. Hubby takes her sexy photos and generally helps, but she takes care of the confidential stuff. Things got a little better and generally all was well with the family for over a year while she was a provider.

Last summer, her husband inherits some family money and they decide she should retire...no problems, she announces to the community that she retires in 2 weeks...but then LE arrests her in her hotel waiting for an appointment. Two days later, her husband files for divorce and is taking the kids. She immediately went into "retirement" and shut down her business. When meeting with her lawyer, she is told that her husband copied her laptop hard-drive and provided it to LE...he may have had a hand in arranging the arrest. Long story short, LE could not make a case because everything in her laptop was encrypted and nothing could be traced back to her or used to corroborate her hubby's story. The divorce also went well as nothing could be proven other than a strong suspicion that she might have been cheating.

To be fair, she was lucky. But she never imagined that the biggest threat was in her own home. Still, her adherence to the procedures she established made a difference.

In a separate matter, a judge last month ruled that a person may be compelled to provide the password of an encrypted drive owned by the suspect if the police can determine that it is encrypted and contains information about the commission of a crime. Judgments like this affect how we keep our hobby/provider life confidential.

So, when my ATF asked me to help with a laptop upgrade, we secured her laptop with a suitably hidden encrypted drive combined with a separate guest OS for non-provider or public use. The idea is that she can allow someone onto the public part of the laptop and they would not find anything. In the meantime, she can run her business on a private secure OS on her same laptop.

The point of sharing the story is to remind folks to be smart about keeping their hobby/provider life confidential. During the craziness that comes with the upcoming election year...it's likely that the bright light may yet again be pointed at the hobby. You have to decide how much exposure you can live with...then adopt the necessary practices and tools...and be consistent. Technology is not enough...use good practices.

...and have fun!

-T
Wakeup's Avatar
Link to her ad?
[txswing99's original post, quoted in full] Originally Posted by txswing99
Which is why I use Linux.. it encrypts the home directory (think My Documents for Windows) where all your data/info/email/etc.. is stored..
You generate a key when you install the 1st user and as you add more users they can gen their own key.

keeping the drive encrypted is good.. there are some commercial data protecting software out there that once set up, will wipe the drive if you do not use the correct passcode after so many tries..


be safe, hide your fun, and have fun
DEAR_JOHN's Avatar
txswing99, I appreciate the time you took to post this very important message. This is the type of post that should be of great importance to the whole hobby community and is something that can be invaluable to all of us, retired, on hiatus, or active.

No doubt it will be soon taken off topic with silly little sarcastic remarks and silly little pictures that have no bearing on your thread.

This thread reminds me of the good ole days when there was solid information without semi funny to non funny wanna be comics taking the threads way off on different tangents. Hopefully this one can stay on topic.
cumalot's Avatar
I agree provider and client information both must be protected at all cost.
pyramider's Avatar
keeping the drive encrypted is good.. there are some commercial data protecting software out there that once set up, will wipe the drive if you do not use the correct passcode after so many tries.. Originally Posted by Spirit13

Would the drive be recoverable after the wipe? Or would the info be gone, or scrambled for good?
whitechocolate's Avatar
Txswing, interesting info. By the way, do you have a legal citation on that judge's ruling that you refer to about compelling a person to provide passwords? What court and what jurisdiction?
Karl Hungus's Avatar
Eleventh Circuit just came down the other way. No decryption required. http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf

I think the case the OP was referring to was Fricosu out of the District of Colorado. The Fricosu opinion came down 1/23/12 and can be found here. http://www.wired.com/images_blogs/th...01/decrypt.pdf
txswing99's Avatar
Karl is correct on the case citations. The Eleventh Circuit decision came down two days ago. It likely sets up an area of legal contention with no firm foundation until the Supreme Court weighs in.

-T
Sarunga's Avatar
Very good info. Thanks.
LexusLover's Avatar
Eleventh Circuit just came down the other way. No decryption required. http://www.ca11.uscourts.gov/opinions/ops/201112268.pdf
Originally Posted by Karl Hungus
One must read each case decision based on the individual facts:

“The district court still could have compelled Doe to turn over the unencrypted contents—and held him in contempt if he refused to do so—had the Government offered and the district court granted Doe constitutionally sufficient immunity. The district court erred in limiting Doe’s immunity under 18 U.S.C. §§ 6002 and 6003 to the Government’s use of his act of decryption and production while allowing the Government derivative use of the evidence such act disclosed. Doe’s immunity was not coextensive with the protections the Fifth Amendment affords; consequently, he could not have been compelled to decrypt and produce the contents of the hard drives.”

Remember the 5th amendment only has "enforcement" through a prohibition of allowing the information acquired (or the fruit of it) against the person compelled to provide the information. For instance the "provider" can be compelled to produce the evidence to use against third-parties....e.g. a "handler" ... "agency" ... hobbyist.
whitechocolate's Avatar
Thanks for the info. I agree that compelling passwords or other computer based info is a tricky topic constitutionally whether the info is used against the computer's owner or another. Doesn't sound like there are any Texas state or federal court rulings.
LexusLover's Avatar
... is a tricky topic constitutionally whether the info is used against the computer's owner or another. Doesn't sound like there are any Texas state or federal court rulings. Originally Posted by whitechocolate
Texas and the Fifth Circuit will be even more "conservative" and favor LE, but the Constitutional principles in play are fairly elementary in application, in fact as reading the opinion when I saw initially that the US attorney general gave a "limited" immunity I was compelled to read the outcome, which was readily apparent from the beginning. Complete immunity from the information obtained would have upheld the contempt citation, as the appellate court stated. BTW: One of the cases cited in the opinion is a 5th circuit case.

One should not read appellate opinions with "headline" conclusions. Good for inciteful statements, but poor decision making.

Speaking of: http://abclocal.go.com/ktrk/story?se...cal&id=8557648
Jusanotherdude's Avatar
Link to her ad? Originally Posted by Wakeup
Lmfao!!!

JaD
Wakeup's Avatar
Still waiting on that shit too...