
Thread: It's Not Only Facebook!

  1. #16
    Join Date
    Feb 2008
    Location
    NE Connecticut
    Posts
    695
    Quote Originally Posted by Rick Moyer View Post
    A month ago I took a friend along to Industrial Plywood in Lewistown. He merely rode along, no personal information was given to anyone. On the way home he got an ad on his phone about plywood (from Lowe's). Obviously we are being tracked by many entities. His location could have been known by his phone GPS, but the rest of the chain of information is, at best, discomforting!
    Smartphones were built from the ground up to be spies. A less paranoid-sounding way of saying that would be that the business model for smartphones includes gathering information on users that can be sold to advertisers. If you've ever tried to make a smartphone more private by adding a firewall, adblocker, etc., you will find that it is MUCH more difficult than on a PC and that doing so destroys a lot of the functionality. Most service providers and phone manufacturers prevent you from adding security measures like this altogether.

    Part of the problem, too, is that your cellphone has to constantly ping cell towers, which makes you trackable. I'm not sure if that information is sold or shared but it's definitely stored.

    **********

    Email is often encrypted in transit BUT only if the person on the other end is set up to receive encrypted email. Not all email providers do this. I believe Google now warns you if someone you're corresponding with is not set up for encryption. Not sure about other providers.

    **********

    Setting up your own email server is, theoretically, easy. One big problem is that major email services (e.g. yahoo, gmail, etc.) won't accept email from unverified sources (i.e. your homebrew email server). This is a spam-prevention tactic. You can deal with this problem but be prepared to do a lot of research and deal with DNS records.

    If you get some sort of email service from your ISP or hosting company that allows you to put your domain on it, you're just using someone else's email service and I wouldn't bet they aren't scanning your email as well.

    **********

    Sawmill Creek is open to google and other search engines, which means their bots are scraping this site all the time. This is why you can use google to search SMC. No matter what SMC's privacy policy is, everything we post is out there for anyone to search or compile, and is attached to our names.

    **********

    Here is a resource for making your technology use more private: https://www.privacytools.io I have not tried or researched most of the services, but I do use many of the plugins / add-ons.

    For fun, check out this site: https://panopticlick.eff.org It will show you all the ways your web browser is susceptible to tracking. The same organization offers a few tools for helping cut back on some of the tracking.



    Carlos, feel free to correct me if I'm wrong about any of this. I'm kind of obsessed with this topic, if you couldn't tell.


  2. #17
    Join Date
    Mar 2005
    Location
    Anaheim, California
    Posts
    6,890
    Quote Originally Posted by Brian W Evans View Post
    One big problem is that major email services (e.g. yahoo, gmail, etc.) won't accept email from unverified sources (i.e. your homebrew email server). This is a spam-prevention tactic.
    And yet they don't seem to have any problem accepting email from verified spammers.
    Yoga class makes me feel like a total stud, mostly because I'm about as flexible as a 2x4.
    "Design"? Possibly. "Intelligent"? Sure doesn't look like it from this angle.
    We used to be hunter gatherers. Now we're shopper borrowers.
    The three most important words in the English language: "Front Towards Enemy".
    The world makes a lot more sense when you remember that Butthead was the smart one.
    You can never be too rich, too thin, or have too much ammo.

  3. #18
    Join Date
    Mar 2005
    Location
    Anaheim, California
    Posts
    6,890
    Quote Originally Posted by Carlos Alvarez View Post
    It's very frustrating to have worked your entire life in tech and see people post things they simply either made up or repeated from someone else who made them up, with zero bearing on reality. You should stop doing that.
    If you have an issue with something specific I said, just say so. You might also want to keep in mind that you're not the only one here who has worked his entire life in tech.

  4. #19
    Join Date
    Mar 2003
    Location
    SE PA - Central Bucks County
    Posts
    65,638
    Quote Originally Posted by Carlos Alvarez View Post
    VoIP calls are mostly in the clear and could be intercepted, just like regular analog phone calls.
    This is totally dependent on the VoIP solution and/or the provider. That said, most consumer-focused VoIP solutions are indeed unencrypted normally. The business communication systems I designed and sold for the past couple of decades for one of the industry leaders were completely encrypted internally by default (no capture/listen possible like some other competitors) and until recently when clients started to embrace SIP trunks, things were secure at the hand-off to the PSTN, too. Things get fuzzy with SIP trunks...sometimes there's encryption beyond the demarc; sometimes there is not...so there's always the assumption that the voice call is in the clear beyond the organization.
    --

    The most expensive tool is the one you buy "cheaply" and often...

  5. #20
    Quote Originally Posted by Carlos Alvarez View Post
    They run ads which do that on their behalf. So no different.
    I'd have to ask the people who run the site, but I doubt if the ads can view what people are posting. Also, although people can "tap" a phone line or listen in on an unencrypted VOIP call, doing so without a warrant is a crime. (People who are working on the system and inadvertently hear snippets would not be considered to be committing a crime.)

    Quote Originally Posted by Carlos Alvarez View Post
    Fax is the most awful way to send anything. It's totally not secure. It's totally easy to fake and manipulate. It's not easy to fake or manipulate an e-mail, and it's not easy to intercept an e-mail. I realize most people have been told a big lie about fax being secure.
    If the fax is sent over the standard PSTN, you'd have to get access to the lines in order to intercept a fax. And once the call reaches the central office, the signal is digitized and put into a digital data stream. Getting one signal out of the digital data stream is tough to do. For more information on the digital data streams, see here. Getting the data for one call from an optical link is even more difficult. See here for more information. And if you did so without a warrant you'd be committing a crime. Even if you were to intercept a fax that was sent over VOIP you'd be committing a crime by intercepting it, unless you had a warrant.

    Perhaps what you mean is that someone can give you a phone number that is not what you think it is and you send a fax to that number. But if you know who you're sending to, a fax is no less secure than a voice call. The fax is going over the same voice circuit and is governed by the same laws.

    Mike
    Last edited by Mike Henderson; 03-20-2018 at 5:54 PM.
    Go into the world and do well. But more importantly, go into the world and do good.

  6. #21
    EDIT: Also adding this because I may sound a little harsh... I tend to be blunt and straightforward, particularly on technical topics that I'm very familiar with. I intend no judgments of people's choices, they're not hurting anyone. But when I say that something seems like a "silly" idea I'm just saying that from a tech perspective it likely doesn't solve anything meaningful.

    Quote Originally Posted by Brian W Evans View Post
    Smartphones were built from the ground up to be spies. A less paranoid-sounding way of saying that would be that the business model for smartphones includes gathering information on users that can be sold to advertisers.
    Only true about Androids. Apple and MS protect your privacy. You can trivially add an adblocker to an iDevice, and in fact it comes with some of that built in. I can't say how hard/easy it is to add what most people call privacy software to an Android because they don't really help anything at all on any device, computer or handheld. They're just paranoia pacifiers with no useful effect. I use an adblocker on all devices simply because I don't want to see the junk, but it has nothing to do with privacy. Ads that mirror your interests have nothing to do with privacy IMO. But ALL ads are annoying.

    Most service providers and phone manufacturers prevent you from adding security measures like this altogether.
    Android only again. And if you're really paranoid and you refuse to buy an iDevice, then get one of the built-secure Androids. Or just buy a phone and root it, then do anything you want. The possibilities are there. I believe, however, that it's all pointless and advise against it.

    Email is often encrypted in transit BUT only if the person on the other end is set up to receive encrypted email. Not all email providers do this. I believe Google now warns you if someone you're corresponding with is not set up for encryption. Not sure about other providers.
    Not true, nearly all mail servers encrypt in flight without user intervention. Users can further set up their own encryption so even the mail server can't read the body of the mail, but right now nearly all e-mails would be impossible for a third party to just capture and read.


    Setting up your own email server is, theoretically, easy. One big problem is that major email services (e.g. yahoo, gmail, etc.) won't accept email from unverified sources (i.e. your homebrew email server). This is a spam-prevention tactic. You can deal with this problem but be prepared to do a lot of research and deal with DNS records.
    All servers require one to deal with DNS and other technical items. That's the nature of it. It's trivial for a technical person to set up a mail server and everyone will accept mail from it. I've stopped running my own servers however and outsourced to Google. They do it better. Also paid accounts are not scanned for words to market to you. Either way, keyword scanning has nothing to do with real privacy IMO.

    If you get some sort of email service from your ISP or hosting company that allows you to put your domain on it, you're just using someone else's email service and I wouldn't bet they aren't scanning your email as well.
    Read their policies.

    Here is a resource for making your technology use more private: https://www.privacytools.io I have not tried or researched most of the services, but I do use many of the plugins / add-ons.
    Define "privacy" first, for your own preferences. I find that almost everything everyone does, like VPNs, is just misunderstood and does nothing for any real privacy or protection. Hiding your IP address has nothing to do with anything I consider private. It only helps you do illegal things, or things that violate terms of service. Such as pirating movies without detection (but there are better ways) or watching media that's regionally restricted. I can't come up with any rational, legal, and non-violating reasons for any consumer to use a VPN. Corporate access, of course, is another matter.

    I find the entire OMG SNOOPING ADS hysteria to be silly, and nobody is really giving a damn about important things like government spying and what data you willingly give up to so many places who CAN do damage. For example, no government agents know my real address. That includes the close-to-government companies like banks, or really anyone who does reporting. Just yesterday I pulled my Acxiom report and as always, they think I'm a 30 year old making $30k/year and living in a small apartment (which is a postal box address). I purposely pollute public data about myself and simply don't give out unnecessary info. I bet when your doctor, a government agent, or even the oil change place down the street asks for your address and phone number, you provide it? I do not. I don't carry ID either, almost nobody needs to see that ever, so I fight when it's asked for and not required. You want paranoid but effective ideas, let's go have a beer.
    Last edited by Carlos Alvarez; 03-20-2018 at 7:03 PM.
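
Added example, not part of any post in this thread: the in-transit email encryption discussed in posts #16 and #21 is negotiated per connection through the SMTP STARTTLS extension. This Python code decides, from a receiving server's EHLO reply, whether a sending server upgrades to TLS, falls back to cleartext, or holds the message; the hostnames, the sample replies and the `plan_delivery` policy names are constructed for illustration.

```python
"""Sender-side TLS decision for SMTP, driven by the receiver's EHLO reply."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed EHLO replies (placeholder hostnames, not captured traffic).
EHLO_WITH_TLS = (
    "250-mx.receiver.example Hello sender.example\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 SMTPUTF8\r\n"
)
EHLO_NO_TLS = (
    "250-mail.legacy.example Hello sender.example\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords from a multi-line 250 reply (RFC 5321).

    Every line but the last is '250-...'; the last is '250 ...'. The first
    line carries the greeting, so it is not treated as an extension.
    """
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords: set[str] = set()
    for i, line in enumerate(lines):
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        if i > 0 and rest.strip():
            keywords.add(rest.split()[0].upper())
    return keywords


@dataclass(frozen=True)
class Decision:
    action: str   # "starttls", "cleartext" or "defer"
    reason: str


def plan_delivery(ehlo_reply: str, policy: str = "opportunistic") -> Decision:
    """Choose what the sender does next.

    policy is an assumption of this example:
      "opportunistic" - use TLS when offered, otherwise send in cleartext
      "require"       - never send without TLS; hold the message instead
    """
    if policy not in ("opportunistic", "require"):
        raise ValueError(f"unknown policy: {policy!r}")
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return Decision("starttls", "receiver advertises STARTTLS")
    if policy == "require":
        return Decision("defer", "no STARTTLS offered and policy forbids cleartext")
    return Decision("cleartext", "no STARTTLS offered; opportunistic fallback")


if __name__ == "__main__":
    for name, reply in (("with TLS", EHLO_WITH_TLS), ("no TLS", EHLO_NO_TLS)):
        for policy in ("opportunistic", "require"):
            d = plan_delivery(reply, policy)
            print(f"{name:9} {policy:13} -> {d.action}: {d.reason}")
```

The decision covers only the hop between the two mail servers; it says nothing about how the message is stored at either end.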

  7. #22
    Quote Originally Posted by Carlos Alvarez View Post

    Fax is the most awful way to send anything. It's totally not secure. It's totally easy to fake and manipulate. It's not easy to fake or manipulate an e-mail, and it's not easy to intercept an e-mail. I realize most people have been told a big lie about fax being secure.
    If this is true, then it's remarkable to me that fax is considered to be HIPAA compliant among healthcare providers but conventional email is not. In the hospital environment I've watched faxes with health information including demographic info, SS#, etc, being faxed all over the place.
    Edwin
    Last edited by Edwin Santos; 03-20-2018 at 7:24 PM.

  8. #23
    Join Date
    Feb 2008
    Location
    NE Connecticut
    Posts
    695
    Define "privacy" first, for your own preferences. I find that almost everything everyone does, like VPNs, is just misunderstood and does nothing for any real privacy or protection. Hiding your IP address has nothing to do with anything I consider private. It only helps you do illegal things, or things that violate terms of service. Such as pirating movies without detection (but there are better ways) or watching media that's regionally restricted. I can't come up with any rational, legal, and non-violating reasons for any consumer to use a VPN. Corporate access, of course, is another matter.

    I find the entire OMG SNOOPING ADS hysteria to be silly, and nobody is really giving a damn about important things like government spying and what data you willingly give up to so many places who CAN do damage. For example, no government agents know my real address. That includes the close-to-government companies like banks, or really anyone who does reporting. Just yesterday I pulled my Acxiom report and as always, they think I'm a 30 year old making $30k/year and living in a small apartment (which is a postal box address). I purposely pollute public data about myself and simply don't give out unnecessary info. I bet when your doctor, a government agent, or even the oil change place down the street asks for your address and phone number, you provide it? I do not. I don't carry ID either, almost nobody needs to see that ever, so I fight when it's asked for and not required. You want paranoid but effective ideas, let's go have a beer.
    Thanks for that info. I do not use Apple products so, yes, I am speaking about Android. I'm skeptical that Apple and MS can compete while adequately protecting what I call privacy, however.

    I use a VPN almost daily to access my home network and whenever I use public wifi. Surely you think those are worthwhile reasons? I don't commit crimes, pirate media, or knowingly violate terms of service. I also find that adblockers and firewalls on a rooted Android device (harder and harder to come by, btw) are pretty effective. I use them because most apps don't need to be shipping the contents of my contacts list off to some server, and a surprising number of them seem to want access to things I can't see a reason for.

    You stated that you don't see a reason to hide an IP address that has a legal purpose. Does hiding your physical address have a legal or ethical purpose, then?


  9. #24
    Quote Originally Posted by Mike Henderson View Post
    I'd have to ask the people who run the site, but I doubt if the ads can view what people are posting.
    They can and do. The forum is public. Anyone/anything can read it. Anyone wanting to correlate an ad to the content would do it. And they do.

    Also, although people can "tap" a phone line or listen in on an unencrypted VOIP call, doing so without a warrant is a crime. (People who are working on the system and inadvertently hear snippets would not be considered to be committing a crime.)
    It's a crime to "tap" e-mail and other electronic systems also. We were discussing whether it CAN be done, not whether it's legal.

    And once the call reaches the central office, the signal is digitized and put into a digital data stream. Getting one signal out of the digital data stream is tough to do.
    Not really all that difficult. Easier than capturing the one e-mail you want to snoop on.

    Perhaps what you mean is that someone can give you a phone number that is not what you think it is and you send a fax to that number.
    No, I meant that a normal fax/call is generally easier to intercept than an e-mail.

    It's not EASY, but the only point was that generally it's hard to snoop on the e-mail. I've had to do both many times for clients and law enforcement.

    All of this becomes blurrier now that phone calls (including faxes) are quickly switching to IP instead of actual circuit-switched lines. "Access" to the data becomes very different--both easier and harder. But the fact remains that the e-mail is likely to be encrypted, and the voice call/fax is not likely to be encrypted.

  10. #25
    Quote Originally Posted by Edwin Santos View Post
    If this is true, then it's remarkable to me that fax is considered to be HIPAA compliant among healthcare providers but conventional email is not. In the hospital environment I've watched faxes with health information including demographic info, SS#, etc, being faxed all over the place.
    Edwin
    Yeah, educating people on their silly requirements for things like fax is a big part of my job. For HIPAA-covered clients, we keep the calls, voicemails, and faxes on a private network and/or use VPNs. All our large clients are on a regional private network direct to us.

    HIPAA also still requires people to change a too-long password too often, which has been proven to REDUCE security, but government regs are mostly written by idiots. So there's a wink/nod thing with all the auditors where they know you will play games with your password change policies to get by.

  11. #26
    Quote Originally Posted by Carlos Alvarez View Post
    No, I meant that a normal fax/call is generally easier to intercept than an e-mail.
    For a call, either voice or fax, made across the PSTN, please explain how you would intercept the call. Seems to me that the issue is access to the physical lines or the digital data stream. Once you have access, it is possible to intercept a call or fax if you have the proper equipment and knowledge, but I wouldn't call that easy. And even if you got access to the lines, and had the equipment to decode one channel out of the data stream, how would you identify which one to decode? The information about a line is carried in a separate channel (signaling system 7) and is encrypted.

    And legal issues play into it. Any corporation, for example, is not going to do wiretapping and risk the consequences of being caught.

    Perhaps you're referring to a call made over VOIP, which is not the PSTN.

    Overall, I would consider a fax sent over the PSTN to be pretty secure.

    Mike

  12. #27
    The e-mails go over the same networks. If you have access to that, then you have access to the voice and fax. The e-mail is encrypted, the fax/voice is not. Therefore, it's easier to grab the fax/voice, but not EASY to do. My only point was about the misconception that fax/voice is more secure.

    As far as how *I* would do it, I have full access into a voice/data network, as well as client networks. Again, I do this for a living, and have done lawful intercepts on both PSTN and VoIP.

    Also SS7 is basically dead and there have always been lots of places where the encoding is simpler.

  13. #28
    Quote Originally Posted by Carlos Alvarez View Post
    The e-mails go over the same networks. If you have access to that, then you have access to the voice and fax. The e-mail is encrypted, the fax/voice is not. Therefore, it's easier to grab the fax/voice, but not EASY to do. My only point was about the misconception that fax/voice is more secure.

    As far as how *I* would do it, I have full access into a voice/data network, as well as client networks. Again, I do this for a living, and have done lawful intercepts on both PSTN and VoIP.

    Also SS7 is basically dead and there have always been lots of places where the encoding is simpler.
    While *you* may be able to intercept voice and fax calls, I don't think that makes fax an unsecure method of sending information. You would be constrained by law from doing unlawful intercepts and people without such inhibitions would not have access to the circuits.

    Also, it's difficult for me to believe that SS7 is "dead". I know how much work and time went into developing SS7 and getting it accepted worldwide. And how much equipment is dedicated worldwide to use with SS7. I've been out of the business for a while but the telephone companies would have to have made major (expensive) changes to their networks to get rid of SS7. And it would have to have been done worldwide. To say nothing about getting all of the administrations (worldwide) to accept a change from SS7.

    When you say that fax is not secure, who do you think is going to compromise a fax that is sent between two doctors' offices across the PSTN?

    Mike
    Last edited by Mike Henderson; 03-21-2018 at 2:39 PM.

  14. #29
    Last time I will try to be clear: Fax is LESS secure than e-mail, but probably secure enough in the real world for most uses. My original point was that the fear of e-mail is unfounded relative to data people are willing to fax or talk about. Fax is not secure because you CAN intercept it, while most e-mail cannot be. If I wanted to target a doctor's office, I could put on a hardhat and tool belt and clip a recorder on their incoming analog phone lines. Not LIKELY to happen, but can, therefore fax is not secure.

    The PSTN in general is dead, FCC order. SS7 goes away with it. I've barely touched it, my world didn't really need it for anything.

    EDIT: I did a microwave job at the state capital, and was able to access the entire telco room merely by walking in with a hard hat, clipboard, radio, etc. Looking official and walking like I belonged there. Nobody stopped me. I also made it into Rose Mofford's office accidentally, and she called me "darling" while escorting me out. Places are so easy to get into.

  15. #30
    Quote Originally Posted by Carlos Alvarez View Post
    Last time I will try to be clear: Fax is LESS secure than e-mail, but probably secure enough in the real world for most uses. My original point was that the fear of e-mail is unfounded relative to data people are willing to fax or talk about. Fax is not secure because you CAN intercept it, while most e-mail cannot be. If I wanted to target a doctor's office, I could put on a hardhat and tool belt and clip a recorder on their incoming analog phone lines. Not LIKELY to happen, but can, therefore fax is not secure.

    The PSTN in general is dead, FCC order. SS7 goes away with it. I've barely touched it, my world didn't really need it for anything.

    EDIT: I did a microwave job at the state capital, and was able to access the entire telco room merely by walking in with a hard hat, clipboard, radio, etc. Looking official and walking like I belonged there. Nobody stopped me. I also made it into Rose Mofford's office accidentally, and she called me "darling" while escorting me out. Places are so easy to get into.
    I did some more thinking about this. For a fair portion of my career, I participated in ITU communications standards setting bodies (but not the one that set the SS7 standards) (in fact, it was the CCITT when I started). In those bodies, I interfaced with representatives of the various worldwide administrations. If SS7 is "dead" I know for an absolute fact that the administrations would not accept a replacement (let's call it SS8) unless that replacement provided all the functions of SS7 and more, and was more secure than SS7.

    So based on SS7, for someone to intercept a particular call (which would include a fax call) they would first have to have physical access. Then they would have to be able to interpret the signaling in SS7 or SS8, including breaking the encryption, then they would have to find the logical "circuit" for that call, which would probably be on a different physical circuit. That's a tall order for some individual hacker. Governmental actors can certainly do that, but they can get the access.

    If you work in a switching center, you have all the equipment and security access to view a particular "circuit" and the information carried within it. But for someone "outside" it's not so easy.

    No, I expect that phone calls and fax across the PSTN are reasonably secure from your average hacker, in addition to being a crime.

    And if you get your telephone service from one of the LECs, you, by definition, are using the PSTN. The people who run the PSTN may use IP "circuits" instead of traditional circuits but it's still the PSTN. And when you call someone essentially anywhere in the world, your call has to go over the PSTN. I'd sure like to see some FCC order that the PSTN is "dead". Can you give me a pointer to that order? I didn't think so. The FCC simply does not issue those kinds of orders.

    Mike
    Last edited by Mike Henderson; 03-21-2018 at 4:28 PM.
