Thor's OS Xodus

In this excerpt from chapter one of Thor's OS Xodus, author Timothy "Thor" Mullen discusses OS X, privacy, and online safety.

The following is an excerpt from Thor's OS Xodus by author Timothy "Thor" Mullen with Katherine Ridgway and published by Syngress. This section from chapter one explores OS X, privacy, and online safety.

I feel confident in saying privacy and safety will be the most important concerns you will have (or should have) in your online life. And if they aren't now, they will be as time passes.

For purposes of this chapter, I'm defining "privacy" as the level of control one has over their own personal information as well as the level of control one has as it regards personal information other people own. "Online safety" is primarily the ability to prevent unauthorized code from being executed on a system, including the specific controls one has in place to prevent code execution. That extends to preventing information disclosure, unauthorized access to files, application permissions, and so forth.

In actuality, privacy and security are fibers of the same cloth. They can be distinct concepts on their own, or they can be intimately entwined with each other. As such, I'm not going to try to classify every risk we discuss as one or the other; you are smart enough to switch to OS X, so you are smart enough to figure that part out.

I'll be discussing techniques and procedures specific to OS X, those distantly related to OS X, and in a case or two, processes that stand on their own irrespective of the OS one may be using. It's all part of the Big Privacy Picture, and though it may deviate a bit, I consider it required reading material. I'm calling this "logical security" as it does not apply to any particular technical security control, but rather behavioral changes you may wish to make in order to protect your data. So let's get started.

Internet advertising is the bane of the internet, and the core driver of the deep, vast violation of your personal privacy. These days, ad "impressions" don't mean anything. An ad "impression" is where there is some ad on a page somewhere and the host assumes you looked at it, then bills the advertiser for aggregated impressions. Today, the "conversion" is the golden egg.

You are the goose who wasn't aware you laid it. The conversion is where you are on a site, see an ad, click it, and end up buying whatever the advertiser is selling. Those are big money. It's such big money that the advertising hosts (those who produce the ads for the host site) have technology where they collect and analyze your personal information and browsing history to not only provide an ad, but to provide an ad specially selected for you, based on your browsing patterns and purchase history. The way they can track your movements to sites where you purchase products is via cookies and other bits of shared information.

So, how comprehensive is this data, you ask? It is so comprehensive that government agencies and law enforcement routinely ask folks like Google for your individual profile history and any other personal information you may have given them by virtue of the EULA (End User License Agreement) you agree to by using their service.

Think about that for a moment. Here we have the NSA building a 1.5 million square foot data capture facility to harvest phone calls, emails, searches, and anything else you may do where a signal is emitted. We have 37,000 FBI agents running about and who knows how many CIA agents.

Even with all of this brainpower, manpower, and the 65 megawatts of power at the new NSA facility, government agencies get their "personal profile" information from a public advertising engine service. That should tell you how much of your life Google stores, and sells.

You now might be asking, "How many requests are made by government entities for Google users?" Well, I'll tell you. Insofar as the data requests for a particular user, there were 21,389 in the six-month period ending on 12/31/12. That's all the data requested by that user for an undetermined amount of time.

Even worse, agencies requested specific, personal information from the actual Google account held by the user 33,634 times in the same 6-month time frame.

It doesn't take a genius to ascertain that the volume of data Google has on you and me is far more than we may have considered, to the point Law Enforcement uses it to take some manner of legal action. That's scary stuff. I could go into the legal ramifications of a judge actually thinking that data has any evidentiary value, but we'll have to wait until later for that.

Before we tackle the problem of protecting that information, let's see exactly what data Google collects and what data they give away (or sell). According to Google's own privacy statement, they collect:

  1. User account information like name, address, credit card numbers (where applicable), pictures, and might even create a Public Profile you don't even know about.
  2. What Google services you use, what web sites you view, and everything you do when looking at or clicking ads, including what specific ad it is. Cookies regarding your habits are also shared with any number of third parties. And obviously the Gmail traffic you create, including sent-to and received-from data.
  3. Phone logs like your phone number, phone numbers you call, forwarded calls, duration, where and when the call was made, SMS "routing information" (whatever that means), and finally, once they figure out it is you by cross-referencing data, they will link your phone number to your Google profile.
  4. Full set of information about the computer you are using, such as your hardware make and model, your OS, browser information, unique IDs of hardware, etc. This data alone can easily and uniquely identify you as a specific user. This data is then linked to your profile.
  5. Many applications use Google APIs. Map location is one, music streaming another. Google logs things like your GPS location, other information from a mobile device, what Wi-Fi areas you are in (again, including GPS location).
  6. They know what applications you install or uninstall, what applications you have, how and when you use them under the auspices of "auto-update" checks in the order of four or six times per day.

You know, little stuff like that. Google does, however, say they have strict policies in place regarding the disbursement of your data. These include the provision to share all of your data with:

  1. Law enforcement, government entities like the IRS or Homeland Security, or whatever agency asks and they see fit to comply with.
  2. To "affiliates," businesses or people they "trust" or who say they will access the data in "good-faith," Google employees, partner companies, and that guy from Burger King who sings "ding fries are done." And my favorite (directly quoted) where they produce data, apparently to anyone, to "detect, prevent, or otherwise address fraud, security or technical issues." So if your video won't go to 1900×1200, that's a technical issue, so someone can ask for your data.
  3. Other sarcasm aside, this I take quite seriously. Buried in their "we use SSL to protect you" bits, they say they also "restrict access" to "employees, contractors, and agents."

What that means is the data you thought was encrypted from end-point to end-point really isn't, and they decrypt your data (or simply redirect an SSL end-point to standard HTTP traffic) and store it. Yes, that would be the data you thought was secure.

It's a "death by a thousand cuts" thing -- a little bit of data here and there isn't that big of a deal. But when there are so many different sources of data for you, the accumulation of it all creates a real issue. And obviously a huge monetary stream.

I don't want to make it look like I'm singling Google out (even though I am) because there are other, albeit smaller, offenders as well. If you were not aware of it, Microsoft has been trying for a long time to make headway into the advertising industry. In my opinion it's a failed endeavor, as they have already had to write off over 6 billion dollars for the purchase of a single company to support the Ads Platform. Regardless, since they couple with Bing and other Microsoft "owned and operated" sites, their data-mining is also a source of significant concern, given you may stay logged into your Windows Live ID (WLID), or "Microsoft Account" (or whatever they may call it now), in perpetuity for mail, with third-party sites using WLID to authenticate you.

I'll give you an example of the reach this type of tracking can give. Let's say while at work you log on to a Microsoft service such as Windows Live Mail and leave that page up while doing other things. Then you go to Bing to search for something -- that data is stored based on your WLID. You then search for "stereo systems" or some such and select a link to Best Buy. They store that too, as does Best Buy. Oh, all other data is stored as well, such as what work research you are doing, and the contents of any email you may send out or receive. At quitting time, you close out of everything and go home from work. After dinner, you go down to your XBox to play Forza Motorsport or something of the like. You have to log onto XBox Live to play the game, and when you do, your profile data is made available to whatever processes XBox decides they can send out. There used to be a company called Massive, which delivered targeted ads to video games. Microsoft purchased that company, so now you've got your data all tied up in a nice little bow. As you drive around the track, you see various billboards and such. As you do so, the video game makes a request to the ad tracking system for an ad to put on the billboard in the game. Your WLID is transferred to the ad delivery mechanism along with identifying information about your profile. Based on that connection, a behavioral targeting call is made and before you can even start into a turn you see a billboard ad for Kenwood Stereo Systems based on your search earlier at work. Massive actually went to the trouble of determining how much Kenwood should pay on the ad delivery, based on how long it was visible, what angle you were at when you saw it, and how much of the full ad you could have viewed.

Scary, huh? This happens billions and billions of times a day, all day, every day, to countless numbers of other websites and data harvesters.

There are other, and in some ways greater, evils playing this game. If you were wondering, this is where I mention Facebook. Facebook is a massive "in service" ad engine, but also has a web of affiliates giving and taking your personal data. The reason Facebook has that "keep me logged in" checkbox is so they can stick to what they say their privacy policy is while also keeping that cookie alive so that all the affiliate sites you go to can get ad data from Facebook while passing back as much information as they have on you. In fact, even if you are not logged in, sites will actively create objects redirected to Facebook to contribute to the Global Fleecing.

The emperor has no clothes. And neither do you!

Now that we're all feeling exposed by these corporate wolves, the real question is "what do we do about it?" Well, remember the previous bit about me not going into the legal ramifications? I lied. One thing we can do about it is to pay attention to these legal cases where Facebook or Google data is used as part of the investigation or prosecution. The data shouldn't be allowed. There is absolutely no way whatsoever the integrity of such data can be ensured. Think about the sweeping access Google can give to your information. Think about how many global outsourced contractors they have (10,000+) such as GenPact Ltd. in Bermuda and other outsourcers in other countries. Who has access to your data then? Do you trust the 30,000+ employees world-wide? You and I have no idea, and never will, how many of these people could change, add, or delete the information Google stores on us. For instance, what if one of them dumped some child pornography into your email account and then turned you in to the feds? The courts would consider this to be "solid" evidence against you because Google said it was your information. This should be brought to everyone's attention. If we allow this data to be acceptable in court, we are doomed. DOOMED, I say! OK, I'm done with that bit.

Our goal in the rest of this chapter is to limit the overall amount of data we make available on the internet and then, to the best of our ability, limit how much of that data is available for harvesters. The first step, limiting what we give out, can be applied anywhere and on any OS, but is something I consider very important.

With sites like Facebook, since more of this information is shared than we know, and even more capable of being generated, it is really important to think through what your intent of being on Facebook is. If you wish to keep in touch with friends, then make sure you make your profile private. Friends (and Facebook) will have full access, but keep it out of the public domain.

Never put your real information on Facebook if you can help it, including your name if you can. My Facebook name was a little vulgar, but since it sounded oriental (my last name was "Tang") it wasn't flagged. I said I lived in a different country, went to a different school, and was fluent in Scottish.

Your friends will know who you are, or you can tell them. It's far easier than you would think. Regarding friends, only "friend" people you actually know. If you wish to treat the number of friends you have on Facebook as a metric by which to measure your popularity or self-worth, you will do so at the cost of exposing your personal information to potentially anyone in the world. Your "friends," once you post something, can copy that data and do whatever they want with it and there is absolutely nothing you can do about it. As such, your data could be (indeed, will be) forever preserved on the internet for all time. So when your son or daughter (or you, for that matter) posts some picture with a blow-up doll in one hand and a bottle of whisky in the other, that image could turn up 10 years later when a prospective employer does a bit of research on you before giving an interview. Your ex-spouse could be spying on you to find out if an alimony increase is due, particularly if you post pictures of you in Jamaica with your new "friend" on a shopping spree. I once allowed myself to get into a chat-fight on Bill Maher's page with someone who was clearly wrong, and where I was obviously right.

I went to his page, and not only was it publicly available, but he had pictures of his kids with their names, and a list of cousins, aunts, and other relatives. Within a few minutes, I knew where he and his +1 lived, where they worked, what they looked like, and who their friends were. In just a few minutes, I had all manner of other information, which would have taken me significant effort to gather back in the day. Luckily for him I'm not some whack-job, but I must say the flowers I sent to him from his "Midnight Lover" probably twisted up his girlfriend a bit.

There is another process I want to highly recommend you adopt, and it regards the overall account data you use when purchasing items on the internet. I have done this myself and can't tell you how many times it has saved me considerable time while protecting my "identity" and money. While this has nothing to do with any specific operating system or application, I have to say that if everyone did this, identity theft and exposure to unauthorized transactions would drop dramatically.

There are two things I suggest you do: go get a P.O. box, and go open a debit card account at your bank that is an entirely separate account from any others you may have. Get a debit card for this account -- NOT a "credit card." There is no reason to use a credit card to purchase something on the internet unless you don't have the money to pay for it and wish to make payments on items. I humbly submit that from an economic standpoint, people should not buy things they can't afford. If you can't buy a new monitor or your MacBook Pro without paying cash for them, then don't buy them online. Drive down to Best Buy or phone in the order in cases where you must use a credit card, but don't buy online with one.

I have two accounts at Chase -- one is "Production" and the other "Internet." The internet account has a single debit card associated with it, and the only thing I use that account for is internet purchases. I never, ever, use my production account or any other credit card for internet purchases. The internet account was created using my P.O. box account, and I only keep about $100 in it at any given time. Right now there's $25 or so in it. It's important for you to do as I did and ensure there is NO overdraft protection on the account. I've specifically configured the account so that if there is not enough money in the account the transaction will be denied just as if you were at the ATM. In this way, you can't be charged overdraft fees.

If I wish to purchase something on the internet and don't have enough in my internet account, I simply go to Chase online banking and transfer from one account to the other. The funds are immediately available and I can make my purchase without waiting for anything.

This setup buys me a tremendous amount of protection. For one, the worst that can happen if a vendor's database is compromised and my bank information disclosed is that I lose $25 or so. They can't make any credit purchases, and they can't purchase something for more than I have in the bank. Nor can I be charged overdraft fees.

The only personal information they can possibly get from me is my special P.O. box number and not my actual address. The best thing is that I don't care in the least if my account details are released. If they are, and I see fraudulent activity, I just report it, get my money back, cancel that particular debit card and get a new one. I'm never at any level of exposure beyond what I have in that special account.

In fact, literally while I was writing this chapter, I got an email from Adobe saying they were compromised and my password information and bank account information could have been disclosed. I have a recurring payment to Adobe for Creative Cloud, so they have my internet account debit card number on file. If I were using a credit card instead, I wouldn't be writing this right now. I'd be on the phone with the bank canceling the credit card and then going through and trying to figure out where I used that card, where it may be on file, and where recurring transactions may be at risk of failing and my losing service (such as Netflix and Adobe Creative Cloud) and, more importantly, I'd be worried and anxious about what exposure I may have, knowing it is really outside of my control.

I honestly didn't care if that account got compromised so I just kept on writing. It's actually not even worth me canceling the account since I'm not at any financial exposure and I know every transaction on that account. That's the other benefit -- the accounting on that account is crazy simple. I know there won't be any non-internet transactions on it, and know I only need look at that account for transaction details. In other words, I don't have to scour through a hundred other transactions looking for one that may have been sourced from the internet.

Now, millions of people use PayPal, but I don't anymore. At first, it was great. I just used my internet account to associate with my PayPal account. But then PayPal wanted me to get some other debit card to use just for them which would allow me to go to the ATM and withdraw funds deposited via donations at my website. I thought I'd give it a shot, but they immediately sent me an email asking for my SSN, proof of current address by way of a utility bill, and a copy of my driver's license. I wrote back saying "in that case, no thanks." But they still wanted it to keep my regular PayPal account open. I literally emailed them about 5 times saying I just wanted my regular account but they completely ignored me. So I cancelled my account.

PayPal is a risk-management company, not a bank. When companies like this start asking for people's Social Security numbers, driver's license and copies of utility bills, something very, very wrong is happening with the way we make online transactions.

This is why it is extremely important for you to take your own measures to protect your information. If you actually trust a company like PayPal to protect your core identity information, then you're simply asking for your identity to be stolen. I know that may sound harsh, but PayPal will be breached, and your data will be exposed. It's simply a matter of time.

Don't think about damage control -- think about damage prevention.

About the author: Timothy "Thor" Mullen is an independent programming consultant who, after 25 years of supporting Microsoft operating systems and programming languages, has completely abandoned all Microsoft technologies in favor of Apple OS X and open source systems such as Linux and BSD. After years working for the software giant, Mr. Mullen now condemns the company for their unethical practices and evangelizes for Apple OS X and open systems. He has committed his research to the betterment of users by providing guidance for users to switch from their dependency upon Windows and enjoy the superior, secure, and feature-rich experience that is OS X.
