Privacy & Encryption Category


Monday, March 31, 2014


Hugh, JR, and the rest of my fellow patriots:

I would like to ask your readers who, like myself, have used Craigslist (and maybe similar sites) for years to do everything from buy and sell farm animals to random goods to meeting other people via the personal ads. Have you come to the point where you're so frustrated with even using CL because of the onslaught of phony, obviously robotic in nature, responses you've received either from your own ads or others?

Call me crazy, but perhaps it's a direct result of our very own government's attempts to not only track us (CL does often verify accounts via phone/text) BUT to also dissuade us and frustrate us as we attempt to barter, buy, and communicate with others? Talk about a PSYOP exercise. Create programs to post and respond to user ads in such a manner as to ultimately either gather intel or frustrate them from further usage?

On a side note, this veteran of OIF who learned about this website during my deployment in '08 would like to thank all of you for helping me to prepare (via your contributions to this site) for that which seems to be heading our way with greater and greater swiftness. God Bless You All! Our country will survive, but it's not going to be fun nor easy. At least I know I'm not alone. - R.B.

HJL Replies: You have to look at the agenda behind the face. It is a safe bet that nothing in this world is truly free. Everything has its cost, and like in the case of Craigslist, that price is often information. If you are not being charged for the services rendered, who is paying the bills? Facebook makes its fortune from selling advertising that you have to view or from getting a cut from companies that trick you into giving your private information away for free. Craigslist lets you advertise for free and doesn't get a cut of what you sell, but who pays for the servers and bandwidth usage? It's a safe bet that they don't do that out of the goodness of their heart. They are getting something for the dollars they spend, and it is often either information that they sell to others or a cut of the profits from those who do get your private information.


Saturday, February 22, 2014


Hugh,

When social media is discussed on this site, opsec always seems to take front seat. Entering details of your life and a network of your contacts into a database you don't own is certainly cause for pause. I don't have a social media account because I find them obnoxious. However, the letter regarding using social media for intel was spot on and, though Hugh stated that this was just one useful instance, I believe the writer of the letter indicated several, none of which could be effectively reproduced with the level of ham radio activity we have going on.

With social media I can instantly share a video of political importance with hundreds of thousands or even millions of viewers. Future elections could be won or lost by mastery or failure to master these tools. You think the Arab spring could have been organized by ham radio operators? Not a chance.

Social media is like a gun. It is a tool with its own inherent dangers. Don't fear it like Feinstein fears the AR15. Learn how it functions and point the muzzle away from you!

HJL Replies: I recognize that social media may have a place in some operations. However, it is not really comparing apples to apples. For example, your mailing address may be known to the FCC as a licensed Ham, but as part of the licensing agreement, you are expected to perform emergency communication. No one at the FCC bats an eye when they see that you are licensed. You are simply performing what you have agreed to perform. While the FCC may monitor the Ham frequencies, the NSA, CIA, and other alphabet organizations don't care unless they are specifically targeting you. Suggestions to join an ARRL associated club are based around the idea that RF bandwidth is a precious resource that the FCC wants to auction to the highest bidder. The ARRL is the recognized political lobbying organization that keeps the FCC and congress from confiscating the resource in whole or in part. Social media, on the other hand, tends to be in a medium that is automatically recorded (the Internet) and is actively trolled by both law enforcement and criminals. The exposure on social media is far greater. My greatest concern with social media is not with myself, but with my children. Ham radio does not generally have a tendency to beguile and seduce information from children like social media does. You can have a conversation with a teenager about OPSEC and they can understand your concerns, but the persuasive power of their friends is strong and constant. Without even realizing it, they begin slipping information, unless they are very mature and completely understand the need for OPSEC.


Thursday, January 16, 2014


Dear Editor,
It's nice that you published an article about system and data security. People need to be aware. Overconfidence in encrypted communications however is a disaster waiting to happen. The author wrote: "Another benefit of the way Linux deals with encryption is that any information that is read or written is directly transferred between RAM and the container: any piece of information that exists outside of the computer's memory is always encrypted."

This is flawed logic as demonstrated by recent attacks on Target and other retail giants. RAM scraping is actually pretty old news.

I also heartily disagree with his contention that computers are not/can not be capable of human like intuition. They become more intuitive with every additional line of code (written by humans contributing combined years of knowledge, experiences, and bias). Shalom, - B.C.


Monday, January 13, 2014


These days, many people are concerned about their privacy, and I admit to being somewhat concerned myself. I recently took down my Facebook page - after it was hacked three times this year. So, if anyone sees a Facebook page with my name on it - it's not my Facebook page - someone hacked my original page, and made one false Facebook page that looks similar to the real one, and the second one doesn't even come close to being like my original. Additionally, I found that it was too time-consuming keeping up with everyone's newest Facebook page posts.

Also, folks are more than a little concerned about the recent news of the National Security Agency (NSA) spying on our phone calls, e-mails and conversations - and with good cause. While I have nothing to hide in my e-mails, conversations and phone calls, I still don't like the idea of the FedGov spying on my privacy. And, as everyone knows, anything you say, no matter how innocent it might be, can and will be taken out of context if the FedGov is determined to arrest you for something - it happens all the time.

In the past, I know that my e-mails were clumsily looked at by someone - I'm fairly certain it was the FedGov. Anytime I mentioned the words AR-15 or AK-47 in my e-mails, it took those e-mails several days to reach the intended party they were meant for. However, without those "catch" words, e-mails went right through - with those words, it sometimes took as long as 3 or 4 days for the e-mails to reach whoever I sent them to. I also ran a company, many, many years ago, called Rescue One - and we were registered with InterPol as a private intelligence and investigations agency, and I had offices in Athens, Greece and Cape Town, South Africa - as well as in the US. And we know mail between offices had been opened and read - it didn't take a rocket scientist to figure out that our mail had been opened and read. Funny thing was, a lot of the work we did was contract work for one of our own intelligence agencies. Whatever!

These days, I'm almost to the point of just tossing my cell phone away, it gets annoying at times, especially with text messages. Whatever happened to good ol' fashioned phone conversations between friends? Conversation is a dying art, it would appear. And, everyone is probably aware of the continuing news of the NSA spying on our phone calls - it's in the news daily. And, until now, it was hard to stop anyone from listening to your phone calls.

Signal Armor's new zip-lock portable Faraday cage design. Anyone not familiar with Michael Faraday's design can research it. Just a short mention here, Faraday invented a "cage" that protects an implement from static electricity. It can also protect electrical appliances from an EMP attack, too.

The Signal Armor bags consist of four layers, one is a heavy duty outer layer, another is an additional protective layer under the first, and an anti-static protective layer and the zip lock closure. It's all pretty simple when you examine it. And, it also protects your cell phone by making it waterproof when you place your cell phone inside the bag and zip it closed.

I was intrigued by the Signal Armor concept, and wanted a way to test it. Lacking an EMP attack, I placed a Family Radio Service (FRS) two-way radio in the bag, and zipped it closed. I then tried to take my second FRS radio and attempt to communicate with the first radio - no luck, the signal didn't get through. I then took my cell phone, placed it in the Signal Armor bag, zipped it closed, and had one of my family members try to call my cell phone - several times - and each time, their calls were immediately sent to my voice mail - no signal got through to my cell phone, when it was inside the Signal Armor bag.

Now, the Signal Armor bag won't protect all your cell phone calls - because you have to take your cell phone out of the bag to make or receive calls. However, when your cell phone is inside the bag, and it is zipped closed, no one can activate your cell phone and listen in on any conversations you might be having in your home or car. Not a bad start, to assuming some of your privacy back. Of course, when your cell phone is out of the bag, the NSA or whatever government agency will be able to listen-in on your phone calls, or even turn on your speaker, and they can listen to conversations in your room. Still, the Signal Armor bag isn't a bad idea if you have concerns about your cell phone privacy.

We've all probably heard the saying "just because you're paranoid, doesn't mean someone isn't out to get you..." and these days, privacy seems to be a thing of the past for the most part. So, if you want to regain a tiny bit of your privacy via your cell phone, the Signal Armor is a good first step. Someone asked me how well the bags would work against an EMP attack. Well, to be quite honest, I don't think it matters. If there is an EMP attack, and everyone's cell phones, cell towers, computers and all electrical products are fried - then what difference would it make if your cell phone still worked? You wouldn't have anyone you could call. Stop and think about it!

The Signal Armor bags sell for $8.49 and the company is designing larger bags for other purposes and uses. So, if you have some concerns about your cell phone privacy or an EMP attack, then pick-up a couple of these neat little bags. - SurvivalBlog Field Gear Editor Pat Cascio


Saturday, January 11, 2014


Welcome to all the brave souls that didn't scream and/or quickly scroll on when reading the title. I know a fair percentage of SurvivalBlog readers are concerned about OPSEC, but what about your electronic OPSEC? Is it as good as it should be? As good as it could be? I promise you won't have to read the entire submission but you should take a look at the first few paragraphs to determine if it's something you need to address. If you do, you can always try to find some trusted help in securing your systems. During the second half of last year I spent a fair amount of time reading up on the subject and, as a result, have done a complete overhaul of my own computers. This is a description of some of the things I have learned and it might be useful for some of you.

So what are we up against? Actually many things depending on your time horizon. At the moment your biggest concern may be that your laptop contains information that you do not want to be made public when it gets stolen. This is the easiest to deal with because it's unlikely that the thugs have much interest in your information; most likely they just want to make a quick buck at a pawnshop or on the black market. The situation gets more complicated when someone is after your bank/credit card information, etc. You will have to assume that these are more knowledgeable individuals that know what they are looking for and how to get it. The next layer up is industrial espionage, though I doubt many of you will have to worry about that. Real problems start when you are flagged by national security agencies (yes there are many NSAs) because you have to assume that they employ some of the most intelligent people and definitely have the most advanced equipment at their disposal to crack passwords, scan hard drives, scan working computers, backdoor access, etc. The biggest headaches are of course created by politicians and bureaucrats who these days seem to change laws any way they want whenever they feel like it. What is perfectly legal today may be outlawed next year. Even if you dutifully delete any 'offending' material from your hard drive at that point, I can guarantee you a low level scan of the drive has a good chance of recovering the documents afterwards. Which probably would still be used against you if someone was out to get you. Just another reason not to wait till the last moment to take action. How far will this go? Of course I don't know but my gut feeling is that 10-15 years from now you could easily be labeled a terrorist because you have a copy of the KJV Bible on your hard drive. There are plenty of places where that is already the case today. Having a copy of the SurvivalBlog archives visible on your hard drive might land you in hot water, too.

The second challenge is the ever increasing ability of electronics to weave a web around us. I am sure you know by now to expect no privacy on your cell phone. Its encryption was cracked years ago and a call can probably be decrypted in real time. The same goes for just about anything you access on the internet. If you want to get visual confirmation of this, install the Lightbeam extension for Mozilla Firefox (it shows up as a tiny 'cube' at the lower right hand corner of the Firefox window's add-on bar) and browse normally for a few days. Then click on the cube and see how all the sites you visited are connected and by whom. You have probably read how the GPS data on your cell phone can be used to trace your whereabouts and perhaps even that at some airports travelers' cell phones get taken out of their baggage to be 'checked'. 20 minutes later they get them back; presumably minus the clone that was made from the device's internal data store. But it goes beyond that. How many of you have read about the shipment of Chinese electric water kettles that were held by Russian customs because they contained microprocessors and wi-fi chips capable of connecting to any wi-fi network within 650 ft? They could (and tried to) call home using the wi-fi connection. Now there is an interesting spy right inside your house.

But if the water kettle can do it, why not the fridge or your new alarm clock or ... Do you have a laptop with a webcam? I'm sure the laptop has a microphone. Have you read that the tools to remotely control them are easily available on the Internet? If not, try this link. Do you have a shiny new XBox One? It can log you into your account when you walk into the room, so you are ready to resume playing your favorite on-line game the moment you hit the couch. Sounds nice, but think about it: it must have built-in facial recognition software and be connected to the internet to be able to do so. Do you really think no one has ever thought about inserting a remote control client in the system updates that are automatically pushed down to your hardware? Do you have a D-Link router? You can send it a special code string that allows you to bypass authentication when updating its settings. Very useful for when you forget your password. Apart from a numerical code, the string reads 'editedbyjoelbackdoor' backwards (I know: you can't make this stuff up.)

Have you ever heard of WiSee? It's a technique that allows your wifi router to figure out where you are and what you are doing. I am quite sure there are many more innovations in the pipeline. Most (let's say 99%) of the people won't think anything of it because they find it convenient. Eventually you might even be seen as a threat just because you refuse to put all these gadgets in your house: you must have something to hide. And as icing on the cake, see this and this.

What to do against all these threats? Well, becoming a Tibetan monk would be one option, though it's a bit drastic. Actually if you'd rather stay home, the best thing to do is what I would call passive resistance because a bigger gun or more bullets isn't going to get you anywhere with this. An understanding of your adversary's tools and tactics, on the other hand, will give you a much better chance to escape unscathed. Let me try to explain the term passive resistance in more detail. During WWII in Europe's occupied territories, most of the population was engaged in some form of passive resistance. A few engaged in active resistance but they were trained and knew what they were doing. Joe Sixpack did not have access to guns and dynamite but was mostly concerned with survival. That largely meant continuing to do whatever it was you were doing before the war with some modifications. For instance, some crops were supposed to be sold to the Germans, however official yields were rather low as part of the crop disappeared before ever making it to market. Sheep were all of a sudden very popular. If you were forced to do some work for the occupiers, slow and shoddy was the norm and preferably disappear overnight. People that housed refugees or downed pilots continued to go to work but never talked to anyone about what they hid. Things were done on a need to know basis: if you weren't the family cook or provider you didn't need to know how much food was kept in the basement. Fewer leaks that way. Another important point was to know the enemy: especially later in the war the bulk of the occupying force were conscripts: 16-18 year old kids that would have stayed home if given the choice. They were happy to leave you alone if you didn't bother them so no need to antagonize them. My suggestion is that when it comes to cybersecurity you consider yourself Joe Sixpack and try to fly under the radar as much as you can.

Flying under the radar is as much a lifestyle change as it is about encrypting your USB stick. You can still use your iPhone, just assume someone is listening in and pick the subject of your conversations carefully. Same thing goes for email: don't write anything that you wouldn't say out loud in public. If you really have to have a confidential conversation do it in a place where microphones are few and far between. I read an account of someone from the west who wanted to visit a friend in Russia during the cold war. The Russian agreed to meet him somewhere on a street in town, they walked to the train station, took the train to the next town where they got off and walked out of town into a wide open plain where nothing but heather grew. Only there did his Russian companion think they were safe enough that they could talk without fear of repercussions.

A lot has been said and written about the NSA's databases. I, too, wish they didn't exist but I believe that we have to accept them as a fact of life. Regardless of what MSM is going to tell you, neither collection efforts nor databases will be abandoned or even scaled back. So it is important to understand what they can and cannot do with that information. And there is the rub. Computers are great for searching databases for a particular data item. Let's say the computer is told to print all available information for your social security number: it will be spitting out page after page within seconds, including things that you have long since forgotten and could probably pass a lie detector test denying. If on the other hand you give a computer the task to 'find me some terrorists' it will fail gloriously. Yes, you will get a list of names but the chance that these people are real terrorists is practically zero. The problem is that computers have no intuition, no feeling if you wish. They simply take the criteria that you give them and look for matches. If you set the criteria too wide, you will be deluged with false positives. If you set the criteria too narrow, you will catch some hapless bystanders but not those people that have an expectation that you are looking for them and therefore have actively scattered their trails (think of someone walking through a brook to throw off any canines that come looking for him).

Occasionally one comes across references to how all of this will radically change once quantum computers are in production in a few years. I believe that's wishful thinking for several reasons:
- The humans asking the questions haven't changed.
- A few qubits don't make a fully functioning quantum computer capable of running advanced software.
- A quantum computer is not your laptop at warp speed. It requires a totally different programming model that is being developed from scratch. This takes time to figure out, test and reliably implement.

Time is in short supply. Otherwise you wouldn't need to prep. Here is a reasonably accurate representation (as near as I can tell from reading other documents) of where we currently are.

I know there are lots of other types of analysis that can be done on a database (been there, done that) but at the end of the day the analysis is only as good as the person setting the criteria. This is the primary reason why MSM talk about so many studies that refute the studies they championed 6 months earlier. Any analyst worth their money can find what his/her paymaster wants to extract from a given database because only the headline result is reported, never the actual query that coughed up those results.

Now that you know this, how can you use this knowledge to your advantage? Let me give you a simplified example. You have never cared too much about prepping but something tipped you off: SHTF in 2 weeks. So you decide to visit every store in your area 3x each week to buy 2 jars of peanut butter. SHTF and the stores are empty the next day. The day after that a hungry crowd demands that police do something, so they run a database cross check on store receipts and quickly realize you must have a pantry full of peanut butter. And so you hear the dreaded knock on the door. Your neighbor who prepped for years bought an extra jar once a month (maybe two if there was a sale) for the last two years. They got way more peanut butter than you but nobody knocks on their door because their purchase pattern would be considered normal with not the slightest hint of hoarding activity. If you have a family of 2 and a baby and buy a large jar of peanut butter every week, that might be deemed suspicious also unless you sell peanut butter cookies. The same thing goes for all of a sudden insisting on paying everything in cash at your regular grocery store. Paying cash at a store you visit once a year should be just fine. Like I said: scatter your trail; don't create pattern breaks and don't get too cute about it. It's all about optimizing effort/reward ratios: make sure you are not the low hanging fruit.

I will spare you the details about how databases work but you need to understand that, in the example above, the police were able to finger you so quickly because different databases can be easily and reliably connected by matching something called key fields. This could be your credit card number, customer number, store awards ID, etc. Running a tally on any one of these identifiers will quickly show how much of what you bought during a given time frame. Matching the store's sales database against their customer database will deliver names and addresses. This is basically why the NSA only has to store the metadata of phone calls. It's all they need for their work because if you talked to a 'person of interest' you have also become a 'person of interest'. The phone company maintains names and addresses on those phone numbers and can be made to cough them up one way or another. At which point you can be 'interviewed' or 'bugged' or 'tapped' for more information. Of course most people engaged in subversive activities are aware of this and use throw-away phones with cash pre-paid SIM cards bought in a store without video surveillance. You, on the other hand, had better hope that none of your contacts will ever be caught in a sting operation.
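How a key field ties two databases together, as an added example that is not part of the original article. The tables, card numbers, names and quantities are constructed; the query shows why the two-week burst stands out while the larger but steady purchase history does not.

```python
import sqlite3

# Constructed scenario: day numbers run from 0 to 729 (two years).
WINDOW_START, WINDOW_END = 716, 729   # the last two weeks
THRESHOLD = 10                        # assumed "hoarding" cutoff in jars


def build_databases():
    """Create a sales table and a customer table that share one key field."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (card_id TEXT PRIMARY KEY, name TEXT, address TEXT);
        CREATE TABLE receipts  (card_id TEXT, day INTEGER, store TEXT,
                                item TEXT, qty INTEGER);
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("CARD-1001", "Burst Buyer", "1 Example Lane"),
        ("CARD-2002", "Steady Neighbor", "3 Example Lane"),
    ])
    rows = []
    # Burst buyer: two stores, three visits a week for two weeks, 2 jars each.
    for day in (716, 718, 720, 723, 725, 727):
        for store in ("Store A", "Store B"):
            rows.append(("CARD-1001", day, store, "peanut butter", 2))
    # Steady neighbor: one jar a month for two years, two when there is a sale.
    for month in range(25):
        qty = 2 if month % 4 == 0 else 1
        rows.append(("CARD-2002", month * 30, "Store A", "peanut butter", qty))
    conn.executemany("INSERT INTO receipts VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def lifetime_totals(conn):
    """Total jars per person over the whole history."""
    cur = conn.execute("""
        SELECT c.name, SUM(r.qty)
        FROM receipts r JOIN customers c ON c.card_id = r.card_id
        WHERE r.item = 'peanut butter'
        GROUP BY c.card_id, c.name
    """)
    return dict(cur.fetchall())


def flagged(conn, start, end, threshold):
    """Tally by key field inside a time window, then join to names/addresses."""
    cur = conn.execute("""
        SELECT c.name, c.address, SUM(r.qty) AS jars,
               COUNT(DISTINCT r.store) AS stores
        FROM receipts r JOIN customers c ON c.card_id = r.card_id
        WHERE r.item = 'peanut butter' AND r.day BETWEEN ? AND ?
        GROUP BY c.card_id, c.name, c.address
        HAVING SUM(r.qty) >= ?
        ORDER BY jars DESC
    """, (start, end, threshold))
    return cur.fetchall()


if __name__ == "__main__":
    db = build_databases()
    print("lifetime totals:", lifetime_totals(db))
    print("flagged in window:", flagged(db, WINDOW_START, WINDOW_END, THRESHOLD))
```
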

But you are still stuck with those documents that you want to protect for one reason or another. I will try to help you with those too, however things will become gradually more technical from here on. This cannot be helped but you may want to try to stay with it as best you can because having a false sense of security is worse than having no security. If you know that your system is insecure you may make a concerted effort to physically keep the documents from falling into the wrong hands. If you leave your documents on your laptop because they are 'safely' encrypted but do not realize that your encryption can be broken in two seconds, your position is a lot worse.

There are two ways that you can protect your documents:
- lock down your systems so no one can get at them
- lock down your documents so no one can get at them

Recapping from what I mentioned earlier: there are simply too many threats to your system (from compromised clothing irons to malware) to seriously consider option 1. So we will focus on option 2: encrypting the documents. This has an added advantage that you can send them anywhere over the internet or even store them in the cloud and be reasonably certain no one but intended parties can access those documents. But you MUST encrypt them on the machine you create them on and not send them somewhere (even within your own house) to have them encrypted for you.

Now for some bad news: regardless what type of encryption scheme you want to use to protect your documents, YOU will always be the weakest link in your security chain. This is because you need a password. Whatever you choose, it will be orders of magnitude less secure than the computer generated key that encrypts your documents. People who study these things say that you will need a password of at least 40 random characters (think software activation keys) to match the strength of a widely used encryption key called AES-256. [If you happen to be one of the people who study these things: I know I am over-simplifying but this is intended for novices.]

The way most encryption schemes work is that the document itself is encrypted by an established cipher, for instance AES-256. The computer generated encryption key that is used for that purpose is, together with other relevant information, stored in a header that is added to the encrypted document. Document + header is usually referred to as a container; however a container can be much bigger and hold multiple documents or even an entire hard disk. In those cases all documents in the container are encrypted with the same key. Storing the encryption key with the encrypted document defeats the purpose of encryption unless you encrypt the encryption key with another cipher. This is where your password comes in: it is used to encrypt the document's encryption key. So if you use a weak password the encryption key will be quickly recovered and the document can be as easily accessed as when you type in your password. In this scenario the use of AES-256 encryption simply gives you a false sense of security because no one in his right mind will try to crack the encryption key: they will go after the way you have stored it.

In order to make your weak password stronger (i.e. harder to crack) most security algorithms add salt to it. In cryptography 'salt' refers to a random string that is concatenated to your password before it is encrypted through hashing. A hash function is a mathematical one-way street: you can store the hashed value in plain sight because no one has found a way to reverse the hashing function yet (at least that we know of). The next time you enter your password, the computer goes through the same hashing process; if the result is the same as the stored value you are granted access. Cryptographers not only use salt, sometimes they also use pepper. This refers to the use of a third input into the hashing function. This can be a static random number that is stored in a place that is not associated with the protected container. Programs like TrueCrypt have the ability to derive this third value from one or more files called key files, which opens up a whole new set of possibilities.

In my own setup key files play a very important part because:
- they thwart any and all key loggers since no keys are pressed to access them.
- I set the system up so it knows where the key files should be so I don't have to worry about webcams looking at me selecting the files.
- the key files do not need to be on the system: you can put them on a USB stick or wherever suits your needs. For instance I store one of the key files that protect my document vaults on my NAS (Network Attached Storage.) If my laptop gets stolen and taken beyond the range of my wireless router, its container locks up because the required key file is physically unavailable to the hashing process. The information in that container is now protected by 1536 bit encryption. That is the equivalent of a 192 character password and I wish the thief good luck trying to open the container.
- In a similar arrangement you can put key files on a flash drive or (micro)SD card and carry them with you so only you can access the vaults, even if your password is easy to guess. A microSD card has the advantage that it can be easily disposed of in an emergency.

When you do use key files, make sure they are write protected. Even changing a single bit (i.e. changing a 'd' to an 'e' in a text file) will render your container permanently closed. The same goes if you use pictures as key files. Some viewers have a habit of updating exif data without asking. This will also permanently lock your data.
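The header, salt and key file mechanics described above, sketched as an added example (not code from the original article or from TrueCrypt). It uses only the Python standard library, so the AES key wrap is replaced by an XOR with PBKDF2 output plus an HMAC check; the function names, iteration count and key file mixing are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor; real tools choose their own
SALT_LEN = 16
KEY_LEN = 32           # 256-bit container key


def fingerprint(keyfile: bytes) -> str:
    """SHA-256 of a key file, recorded at setup to detect later modification."""
    return hashlib.sha256(keyfile).hexdigest()


def keyfile_pool(keyfiles) -> bytes:
    """Mix all key files into one 32-byte value (hypothetical scheme).

    Per-file digests are sorted so the order of selection does not matter.
    """
    pool = hashlib.sha256()
    for digest in sorted(hashlib.sha256(k).digest() for k in keyfiles):
        pool.update(digest)
    return pool.digest()


def _derive(password: str, salt: bytes, keyfiles):
    """Stretch password + key file pool with the salt into (pad, mac_key)."""
    secret = password.encode("utf-8") + keyfile_pool(keyfiles)
    okm = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS,
                              dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_header(password: str, keyfiles=()):
    """Generate a random container key and store it wrapped in a header."""
    master_key = os.urandom(KEY_LEN)      # the computer generated key
    salt = os.urandom(SALT_LEN)           # stored in the clear, unique per header
    pad, mac_key = _derive(password, salt, keyfiles)
    wrapped = _xor(master_key, pad)       # stand-in for an AES key wrap
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return master_key, {"salt": salt, "wrapped_key": wrapped, "tag": tag}


def open_header(header, password: str, keyfiles=()):
    """Return the container key, or None if password or key files differ."""
    pad, mac_key = _derive(password, header["salt"], keyfiles)
    expected = hmac.new(mac_key, header["wrapped_key"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return _xor(header["wrapped_key"], pad)


def flip_bit(data: bytes, byte_index: int) -> bytes:
    """Flip the lowest bit of one byte, e.g. turning 'd' (0x64) into 'e' (0x65)."""
    changed = bytearray(data)
    changed[byte_index] ^= 0x01
    return bytes(changed)


if __name__ == "__main__":
    # Constructed sample inputs.
    keyfile = b"constructed key file ending in d"
    recorded = fingerprint(keyfile)
    key, header = create_header("example password", [keyfile])

    print("correct inputs     :", open_header(header, "example password", [keyfile]) == key)
    print("key file missing   :", open_header(header, "example password", []))
    altered = flip_bit(keyfile, len(keyfile) - 1)
    print("one bit changed    :", open_header(header, "example password", [altered]))
    print("fingerprint matches:", fingerprint(altered) == recorded)
```

Recording the fingerprint when the container is created gives a way to tell a modified key file apart from a mistyped password before concluding the container is lost.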

Because most of my containers are protected by two unique keyfiles, there is a lot of information to keep track of that I do not want to memorize. All this information is stored on the computer itself but in order to keep these things under wraps, they are stored in their own small container that I think of as a systemvault.

And how does it all work once it's set up? Quite nicely actually. I have an icon on my desktop that I double click. Then the computer asks for the container's password and, if I make no mistakes, opens the container to make all documents inside freely accessible. If I double click the same icon again it closes the container. Doesn't get much simpler than that.

There are other, more nefarious, threats to your encrypted document. Why would someone try to crack your encryption if they can simply read your password with a key logger or watch your fingers with a remote controlled webcam? There are many programs (called trojans) and viruses doing the rounds on the internet with only one purpose: to get your information. Passwords are worth money on the black market. The password to your encrypted vault may not be worth as much as that of your bank account but who knows what's lurking out there. So you have antivirus software installed to keep those intruders at bay. [Remember who is the weakest link ...] Now tell me honestly: how many backdoors are there in your computer's operating system? They are not detectable by your antivirus software but grant complete access to your computer by anyone who knows how to exploit them. Someone could make a copy of your document as you are creating/reading it and send it to command central without you being aware that anything is going on. At least until they choose to notify you, possibly via the local SWAT team.

Now what do the paranoid do? Well, they stick to using open source software where the source code can be freely inspected by anyone interested [The really paranoid download the source code and then go on a customizing spree; no, I'm not kidding]. They refuse to load any software for which the source code has not been published. The latter usually being referred to as a binary blob. Most computers, tablets and cell phones run on binary blobs. All versions of Windows, OSX, iOS and Android are at least partially closed source. Some people insist that Microsoft has included backdoors since Windows95. The fact that Microsoft's monopoly was never broken up (unlike AT&T) is considered more proof of nefarious activities. I am not saying that there are backdoors because that is hard to prove without access to the source code. I will say that the silence of US companies while complying with DOJ/NSA (at least until Mr. Snowden's revelations caused their foreign clients to bolt) suggests that it is not a stretch to assume the worst about their products. And so I prefer to avoid them. And so should you if you are really into OPSEC. My personal opinion is that anyone who says he's got a secure system while running one of those blobs is misguided at best. I am not even sure I would want to receive an encrypted document from him unless it's in a way that's not traceable. However that's no different from getting a call from someone that sits in front of his XBox One. If you really want to improve your cybersecurity, you'll have to run a Linux distro without any blobs. Please don't read this as me saying that those distros cannot be compromised. It's software so, yes, of course it can be 'adapted'. It's just that it's a lot harder to do so unnoticed for any length of time and since Linux is used on fewer PCs/laptops such activities don't deliver a lot of bang for the buck. Again it's a matter of making sure you are not the low hanging fruit.

Next up I want to expand a bit on my systems' overhaul. Three things were involved:
-1- I switched the file system for my external drives to Btrfs. This isn't security related but it provides checksums on files and folder structures and self-healing capabilities based on built-in redundancies. This should help preserve data in case a drive starts getting worn-out or external backups deteriorate faster than expected. I don't think it's all that useful for system drives yet because you need to run a separate command to release the space taken up by deleted files.
-2- The installation of a number of virtual machines (VMs) for specific tasks like on-line banking, email and secure browsing. Since most of the VMs only take up 2GB-4GB in disk space it's not a big deal to create a few extra. Mine actually reside on a USB stick with room to spare. The idea was to avoid cross contamination by programs or web sites trying to access cookies they did not put there. For instance the banking VM is only used to talk to my bank's servers and to store bank account related passwords.
-3- Creating a number of encrypted containers. Most of the VMs have their own container which stores passwords, documents, browser settings, cookies, etc. This container needs to be opened before the VM is all that useful. Other containers store documents permanently or are used to send documents over a local network in encrypted form.

After going through these steps and relocating a number of files, my systems are now very much plain vanilla if you start them up. They appear to be used for some general purpose web browsing, playing a few games and contain some music. One of them stores scans of old photographs. Nothing out of the ordinary. You won't even find a copy of the text that you are reading at the moment.

Let's take a bit more in-depth look at my setup:
Step -1-: If you don't know what I am talking about; just forget it.
Step -2-: After reading up on my options (there are several VM vendors) I settled on Virtualbox. It consistently ranks at or near the top in tests and is very user friendly. You install Virtualbox like any other application. I use version 4.2.18 from this site because that was the latest in the 4.2 series at the time. Don't forget to download the correct extension pack from the same web page. The software is free. Why? Basically you are one of their beta testers, which is why you want the latest stable build, not bleeding edge. The company makes its money by selling fully tested versions to enterprise customers. Once you run the program, it presents you with a wizard to take you through the steps of creating a VM; the wizard will warn you if you select the wrong settings.

If you don't succeed the first time: a VM is just a specially formatted file on your computer; you can always delete it and start over to try again. Once you have created your virtual machine, you need to install an OS in it from an iso image just like you would on a normal hard drive. When the installation is complete you can click Virtualbox's start button and the VM boots up just like a real computer. As with all powerful software there are a few extra things you should learn like how to share folders between VM and host, use a clipboard to copy documents in and out of the VM and optimizing the VM's drivers and settings. You can get by without these but won't be quite as productive. The minimum hardware configuration to run VMs without too many crashes/performance penalties seems to be: dual core CPU and 1 GB ram (though 2 GB works better).
Step -3-: There are several programs that create encrypted containers in a variety of ways. After looking at them I decided to go with the Linux equivalent of TrueCrypt because it seemed to be the best fit for what I wanted to achieve. I know TrueCrypt is open source but Linux distros generally stay away from it for licensing reasons. According to a person that was involved in vetting TrueCrypt's license, it is worded in a way that allows the developers to sue you if you use it for its intended purpose. When the developers were alerted to this their response was along the lines of 'So what?'. Another programmer took TrueCrypt's documentation and from scratch wrote a program that creates TrueCrypt compatible containers. This wasn't too difficult because the Linux version of TrueCrypt uses functionality available in newer Linux kernels for actual encryption/decryption work. The new program is called tcplay and is carried by most Linux distros. Just make sure you get version 1.1 or higher if you want to use it. The nice thing about that setup is that the Linux kernel provides enterprise strength encryption which is continually updated and improved. You get to hitch a ride for free.

Another benefit of the way Linux deals with encryption is that any information that is read or written is directly transferred between RAM and the container: any piece of information that exists outside of the computer's memory is always encrypted. There is no program involved that could make an illicit copy before encrypting your information. In my setup I have made sure that the vaults are linked to memory locations (not locations on the hard drive) when they are opened. This is to ensure that no unencrypted data gets inadvertently written to disk.

As a final measure I implemented layered security where cracking one password only gets you some information but not all of it. Here is an example of getting to bank account passwords:
- start computer and insert USB stick holding the VMs
- start VM manager; requires computer's admin password and systemvault password (the system vault contains a key file and routing data of the banking VM's vault; the second key file is stored inside the VM allowing me to store backup copies of the vault in plain sight since they can only be opened inside the VM)
- start banking VM; requires VM admin password and VM vault password (password file is stored inside VM vault)
- decrypt password file; requires password and key file selection

All passwords are salted and hashed and most of them are peppered as well. So any attacker would need to use my computer and USB stick and then crack a series of passwords while blindly guessing one keyfile. I am counting on the fact that they will give up before they get that far, even though most of the passwords used are easy to type/remember (= inherently weak). In daily life it depends what I am working on but most of the time I only have to enter two passwords to be able to access my bank's web site through a VM which to me is a reasonable trade-off for the added security. Is such an elaborate setup overkill? Perhaps, time will tell! But hopefully I have given you some ideas to work with.

Last but not least there is one thing you need to keep in mind when working with encrypted documents. If you have a habit of hibernating your computer, its memory contents will be written directly to a special area on your hard drive called swap space. This means that any open documents are recoverable from the swap space until it's overwritten with other data. So you must close your documents before hibernating or encrypt your swap space to close that loophole.
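One way to check the swap side of this before hibernating, as an added example that is not part of the author's scripts: list every active swap area that is not a dm-crypt device. The function names are made up here, and a swap file is always reported because this check cannot tell whether the filesystem underneath it is encrypted.

```shell
#!/bin/sh
# Added example: report active swap areas that are not on a dm-crypt device.
# dev_type and unencrypted_swap are hypothetical helper names.

# dev_type DEVICE
# Block-device type as reported by lsblk ("part", "crypt", "lvm", ...).
dev_type() {
    lsblk -dno TYPE "$1" 2>/dev/null </dev/null
}

# unencrypted_swap   (text in /proc/swaps format on stdin)
# Prints one line per swap area that is not dm-crypt backed.
# Returns 0 if all swap is encrypted (or there is none), 1 otherwise.
unencrypted_swap() {
    found=0
    while read -r name kind _rest; do
        [ "$name" = Filename ] && continue      # header line
        [ -n "$name" ] || continue              # blank line
        if [ "$kind" = partition ] && [ "$(dev_type "$name")" = crypt ]; then
            continue
        fi
        echo "$name ($kind)"
        found=1
    done
    return "$found"
}

# Constructed sample of /proc/swaps: one plain partition, one mapped device.
sample_swaps() {
cat <<'EOF'
Filename                                Type            Size    Used    Priority
/dev/sda5                               partition       4194300 0       -1
/dev/dm-0                               partition       2097148 0       -2
EOF
}

# Live check on this machine, if /proc/swaps is available.
if [ -r /proc/swaps ]; then
    unencrypted_swap < /proc/swaps || echo "close all vaults before hibernating" >&2
fi
```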

---------------------------------------

Next up, for the intrepid and those who wish to add to their skills (remember skills and knowledge are just about the only things that cannot be taken away from you), a step by step guide of what is required to get to the point of double clicking an icon to open/close a container. We will start completely from scratch by installing a Linux distro. I admit this is a bit of an experiment since some of the commands will wrap around to the next line on SurvivalBlog's web page. However after some testing I am fairly confident they will be in the correct format when pasted into a text editor.

As I have mentioned in a previous submission, the best Linux distro to use when you are used to Windows (XP/Vista/7) is Linux Mint 13. This is their current long term supported (till 04/2017) Ubuntu derivative which means out-of-the-box support for most hardware. Version 14, 15 and 16 are also available but are really development snapshots with a short life cycle. You will also want to stay away from LMDE if you never tried Linux before. Mint focuses on keeping a productive desktop environment which means it looks very familiar if you are used to XP/Vista/7. The other Linux desktops come with a (sometimes much) higher learning curve. If you have never installed an operating system you probably should get someone to assist you in the following steps:
-1- Download the iso image from the Linux Mint web site. In the following instructions I am assuming you are using the MATE desktop so you may want to download that version. If you don't know if your computer can handle 64-bit code, just use the 32-bit version.
-2A- Burn the downloaded image onto a DVD and start your computer from there; however, this makes the system rather slow.
-2B- Download the Windows version of a software package called Unetbootin. This allows you to transfer the downloaded iso image to a flash drive and boot your computer from that. This is much faster especially if you use (real) USB 3.0 drives.
-3- Start the computer from your DVD or flash drive.
-4A- Permanently install Linux on your hard drive - a 10GB partition is more than big enough. Backup ALL your data if you have never done this before because you will need to defragment Windows and then shrink your Windows partition. Linux installs its own bootloader that allows you to choose if you want to run Windows or Linux every time you (re)start your computer.
-4B- Permanently install on an external drive. This can be a (8MB+) USB stick also. Make sure you install the bootloader on the external drive in this scenario, so your hard drive is untouched. This may be the better alternative because you can tell the installer to use the entire drive, saving you the partitioning process. If you are new to this the easiest way to tell which drive is your hard drive/external drive/etc. is to check their reported size. Note that Linux can read/write all Windows disk formats so you can use your primary hard drive to store containers if you wish.
-5- During a permanent install Linux will make you enter a password. Write It Down! It is much more important than with most Windows installs and if you forget it you will be able to do nothing but re-install Linux.
-6- Reboot the computer from the image you just installed.

To make your life a bit easier and more productive try the following steps (they are not critical though):
- Right click on the panel at the bottom of your screen
- Select 'Add to Panel'
- Scroll down the window and select 'Workspace Switcher'
- Click 'Add'; click 'Close'
You should see 4 gray rectangles on the panel. These represent 4 desktops, each just a mouse click away. You can run applications on each desktop and switch between them which is much nicer than having them all stacked on one desktop.

Now that you are up and running you need to install a few scripts and a program. The reason is that tcplay is a low level program that only takes care of the very basics through the command line. Opening, closing and modifying of a container from the user perspective is really a three step process and tcplay takes care of only one of those steps. Doing those steps out of order or skipping one has nasty consequences for your data or can even lock up your computer (trust me, I tried ...:). Perhaps someday someone will write a nice GUI for a program that combines those steps but in the meantime we go with quick and dirty.

Though installing the scripts can be done using 'ordinary' (= point and click GUI) programs, I will use the command line interface. This way you can simply copy and paste the commands instead of having to learn to use new software. If you are not used to typing commands you should definitely use the copy/paste method since the commands are rather picky. For instance 'echo #.. >>/etc/fstab' is harmless but 'echo #.. >/etc/fstab' will make your system unbootable and you will have to install the Linux distro from scratch.

To use the command line interface you need to open a terminal: click on 'Menu' in the lower left hand corner of the screen and then click on 'Terminal'. This should open up a new window with a blinking text cursor. This window has an 'Edit' menu that you can click on to use the 'Paste' function. Click on the terminal window to activate it. Depending on how you highlight text in your browser, the computer may or may not execute pasted commands right away. If it doesn't, press the 'ENTER' key after pasting the command.

# We begin with the command:
sudo su
# and enter your password as required.

# Next commands (can be copy/pasted as a single block) are:
mkdir -pm755 /srv/tc
# each fstab entry must end in a newline (\n) so the two entries land on separate lines
printf "tmpfs /tmp tmpfs defaults 0 0\n" >> /etc/fstab
printf "tmpfs /var/tmp tmpfs defaults 0 0\n" >> /etc/fstab

# To get tcplay you need an internet connection as you need to download a small file.
# For 64 bit OS:
wget http://mirrors.kernel.org/ubuntu/pool/universe/t/tcplay/tcplay_1.1-1_amd64.deb
# - or -
# For 32 bit OS:
wget http://mirrors.kernel.org/ubuntu/pool/universe/t/tcplay/tcplay_1.1-1_i386.deb

# To install the downloaded program:
gdebi tcplay*
# answer the prompt by pressing the 'y' key

# Now we need to create the scripts that execute the various tasks.
# Note that each of the files MUST start with the phrase #!/bin/bash as its very first line.
# Open a text editor:
pluma /srv/tc/MDV.sh 2>/dev/null
# Copy and paste the first script (below) into the text editor; then click the 'save' button and close the editor.
# We also need to make this script executable:
chmod 755 /srv/tc/MDV.sh

# Open the text editor again:
pluma /srv/tc/MUV 2>/dev/null
# Copy and paste the second script (below) into the text editor; save and close.

# Open the text editor a 3rd time:
pluma /srv/tc/CV 2>/dev/null
# Copy and paste the third script (below) into the text editor; save and close.

# switch to user mode (very important):
exit

# then (you can copy/paste the following commands in one block):
ln -s /var/tmp ./Desktop/vaults
printf "[Desktop Entry]\nVersion=1.0\nType=Application\n" > ./Desktop/MDV.desktop
printf "Terminal=false\nExec=mate-terminal -e \"sudo /srv/tc/MDV.sh\"\n" >> ./Desktop/MDV.desktop
printf "Name=MDV\nIcon=mate\n" >> ./Desktop/MDV.desktop
printf "[Desktop Entry]\nVersion=1.0\nType=Application\n" > ./Desktop/documents.desktop
printf "Terminal=false\nExec=mate-terminal -e \"sudo /srv/tc/MDV.sh toggle documentvault\"\n" >> ./Desktop/documents.desktop
printf "Name=documents\nIcon=/usr/share/pixmaps/gksu-icon.png\n" >> ./Desktop/documents.desktop

Minimize the terminal window.
Double click on the MDV.desktop icon on your desktop. In the popup window click on 'Mark as trusted launcher'.

Next we will create a system vault. If you run into trouble and the process aborts, you need to type the following command in your terminal window and start over again:
sudo rm /srv/tc/.SystemVault

Double click on the MDV icon on your desktop again and enter your password; then select 'create' in the popup window and click the OK button. In the next popup window type 'systemvault' (without quotes), then click the OK button.

Your computer will now create your systemvault after asking what hash function and what cipher(s) to use [see notes below]. It will also require a password for the vault. Write that password down too. The whole process can take anywhere from 1 to 15 minutes due to random seeding. You will just have to be patient and let it run.

Once your systemvault has been created, you need to open it as follows:
Double click on the MDV icon on your desktop and enter your password; then select 'open' in the popup window, click OK, type 'systemvault' (without quotes), click OK.
Now click on the 'vaults' icon on your desktop. The file browser window that opens up should show an entry 'tc'. Double click on that and you should see an entry called 'Lost + Found' (if you don't see it try <CTRL><H> to show hidden files). If you do you are looking into an empty vault.

# Now restore your minimized terminal window and copy/paste the following block of commands into it:
user="`whoami`"
printf "containerlocation=/home/$user\n" > /var/tmp/tc/documentvault.rc
printf "container=\"DOCvault\"\n" >> /var/tmp/tc/documentvault.rc
printf "containersize=\"500M\"\n" >> /var/tmp/tc/documentvault.rc
printf "key1=\"\$SVmountpoint/lake.jpg\"\n" >> /var/tmp/tc/documentvault.rc
printf "key2=\"\$SVmountpoint/mountain.jpg\"\n" >> /var/tmp/tc/documentvault.rc
printf "backupdir=\"\$NASmountpoint/data\"\n" >> /var/tmp/tc/documentvault.rc

Refresh the file browser window (click circular arrow). It should now show a file in your vault. This file is called a resource file and you need to create one for each container you want to create and/or use. Double click the file to open it. If the system asks you to select a program, choose pluma. The first 3 lines are mandatory; the second 3 are optional and can be deleted (or commented out by putting a # in front of the line) if you don't want to use key files and automatic container backups. With the sample resource file the computer will try to create/use a 500 MB container called DOCvault in your home directory. If you want to use key files you must define them (and make sure they exist) before trying to create the container or the process will fail.

Click on the MDV icon on your desktop. Select 'close' and again type: systemvault and select OK.
Refresh the file browser window and the 'tc' folder should now be empty or have disappeared altogether.

# During the installation process the tc folder was located on your disk and not yet in memory. So we will clean up with:
sudo rm -fR /var/tmp/*
# And by restarting the computer we move the /var/tmp folder into memory:
sudo reboot
# Which concludes your installation process.
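After the reboot it is worth confirming that /tmp and /var/tmp really are in memory, since the MDV script places its mount points, the tcb folder and the opencopy links there. The following is an added example, not part of the author's scripts; the function names and the sample tables (including the ext4 type shown for the opened vault) are constructed for illustration. It also checks /etc/fstab for a malformed tmpfs entry, such as two entries run together on one line.

```shell
#!/bin/sh
# Added example: confirm the vault directories are RAM-backed after the reboot.
# Function names and all sample tables below are constructed for illustration.

# fstype_of PATH   (mount table in /proc/mounts format on stdin)
# Prints the filesystem type of the mount that holds PATH.
fstype_of() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            gsub(/\\040/, " ", mp)   # /proc/mounts writes a space as \040
            # Match whole path components: /var/tmp/tc must not claim
            # /var/tmp/tcb, which a plain substring grep would do.
            hit = (mp == "/" || p == mp || index(p, mp "/") == 1)
            # ">=" so that a later mount on the same point wins
            if (hit && length(mp) >= best) { best = length(mp); fs = $3 }
        }
        END { if (fs == "") exit 1; print fs }'
}

# dirs_in_ram DIR...   (mount table on stdin)
# Returns 0 only if every DIR is on tmpfs; names the others on stderr.
dirs_in_ram() {
    table=$(cat)
    rc=0
    for d in "$@"; do
        fs=$(printf '%s\n' "$table" | fstype_of "$d") || fs=unknown
        if [ "$fs" != tmpfs ]; then
            echo "WARNING: $d is on $fs, not tmpfs" >&2
            rc=1
        fi
    done
    return "$rc"
}

# fstab_tmpfs_ok DIR   (fstab text on stdin)
# True if there is exactly one well-formed, uncommented tmpfs entry for DIR.
fstab_tmpfs_ok() {
    awk -v d="$1" '
        $1 ~ /^#/ || NF == 0 { next }
        NF >= 4 && NF <= 6 && $2 == d && $3 == "tmpfs" { n++ }
        END { exit (n == 1 ? 0 : 1) }'
}

# Constructed mount table: during installation, before the reboot.
sample_before_reboot() {
cat <<'EOF'
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
/dev/mapper/SystemVault /var/tmp/tc ext4 rw,nosuid 0 0
EOF
}

# Constructed mount table: after the reboot, with the system vault open.
sample_after_reboot() {
cat <<'EOF'
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw 0 0
tmpfs /var/tmp tmpfs rw 0 0
/dev/mapper/SystemVault /var/tmp/tc ext4 rw,nosuid 0 0
EOF
}

# Constructed fstab in which two entries ended up on one line.
sample_fstab_run_together() {
cat <<'EOF'
UUID=0000-constructed / ext4 errors=remount-ro 0 1
tmpfs /tmp tmpfs defaults 0 0tmpfs /var/tmp tmpfs defaults 0 0
EOF
}

# Demo on the constructed tables.
sample_before_reboot | dirs_in_ram /tmp /var/tmp /var/tmp/tcb 2>/dev/null \
    || echo "before reboot: vault directories are on disk"
sample_after_reboot | dirs_in_ram /tmp /var/tmp /var/tmp/tcb \
    && echo "after reboot: vault directories are in RAM"
# On a live system:  dirs_in_ram /tmp /var/tmp < /proc/mounts
```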

If you want to create the container defined in the sample resource file, you go through the same steps as when you created the system vault. But you first need to copy two key files into your systemvault and make sure that the key1= and key2= entries in the documentvault.rc file contain the names of these files.
- Double click on the MDV icon on your desktop, enter your password and then select 'create' in the popup window and click the OK button.
- In the next popup window type 'documentvault' (without quotes), then click the OK button.
If the computer can't find the key files you specified, it will abort the process with an error message.
Once the creation process is complete, you can access the contents of this container by double clicking the 'documents' icon on the desktop. This container will show up as a folder beside the 'tc' folder that holds the system vault.

Technical Notes and Code to Copy/Paste:

By default the systemvault only uses a password. If you want to use a key file as well, change the line 'tcpopts=""' in MDV.sh to 'tcpopts="-k $key1"' before creating the system vault. A key file can be added later by running MDV's modify option. Once the modify operation has completed, you need to define tcpopts as shown above before you can open the systemvault again. To make this change in MDV.sh you must run your text editor with elevated privileges like so: sudo pluma /srv/tc/MDV.sh

To change key files for other containers you need to add lines defining key3 and key4 as the new key files to the container's resource file. Then run MDV's modify option. Then copy key3 and key4 definitions to the key1 and key2 definitions.
If you don't want to use any key files, you need to change the line 'tcpopts="-k $key1 -k $key2"' in MDV.sh to 'tcpopts=""'.

To create additional icons on your desktop: right click the desktop and select 'Create launcher'. You can check the properties of the existing MDV and 'documents' icons for an example of what to enter in the various fields. To find a fitting icon for your launcher, click on the button to the left of the text entry fields and browse the 'pixmaps' folder.
When you create a new icon make sure the container name mentioned in the 'command' field matches the name of an existing resource (.rc) file in the system vault.

$SVmountpoint and $NASmountpoint (as used in the sample resource file) are defined at the start of the MDV.sh script. Their values can be changed as required. $SVmountpoint will always point into the opened system vault wherever you want to store the vault. $NASmountpoint allows you to define the location of an external or network drive.

When creating a container you will be given some options on how to encrypt your key. You can choose from three hash functions and 8 cipher combinations. For hash functions (first menu) I only use options 1 and 2 based on their heritage. As far as the ciphers go: the longer the cipher chain the stronger the encryption as each cipher adds 512 bits to the key length.

If you decide to use VMs also, do NOT try to create containers inside the VM. It will cause you nothing but grief. Create the container directly on your hardware and then copy it into the VM; after that it will work just fine.

The MDV script supports the following options:
- open : opens a container.
- close : closes a container.
- toggle : toggles between open and closed states.
- unload : closes all open containers (useful when hibernating/shutting down your computer).
- opencopy : opens a (backup) copy of a container besides the current copy. This allows you to compare contents or documents without having to create an unencrypted copy somewhere.
- create : creates a new container.
- modify : allows you to change the container's password and/or key files.
- backup : create a backup copy of the container.
- restore : restore a container's primary header in case it has become corrupted.
- info : display information about the container.

The scripts should work on any Linux distro but a few commands are hard coded for use with the MATE desktop. For instance 'mate-terminal' and 'matedialog' will have to be replaced by the appropriate commands for that distro/desktop. A final note regarding the scripts: they run fine on a daily basis on my systems but I do not believe all possible code paths have been fully tested so the road less traveled may be rocky.

License: The code is released under a FreeBSD license which means you can use, improve or cripple it in any way you want. You can even sell copies to your buddies. However the license also includes the magic formula: the code comes without any warranty. It's not even guaranteed to be fit for its intended purpose.

********** Save the following lines as MDV.sh ************
#!/bin/bash

tcsdir="/srv/tc"
TCmountdir="/var/tmp"
SVmountpoint="$TCmountdir/tc"
NASmountpoint="/mnt/NAS"

function SysVault {
    container=SystemVault
    containersize=12M
    containerlocation="$tcsdir"
    backupfolder="$TCmountdir/tcb"
    mountname="`basename "$SVmountpoint"`"
}

function OtherVaults {
    # open the system vault first if it is not mounted yet
    filecount=0
    [ -d "$SVmountpoint" ] && filecount=`ls "$SVmountpoint" | wc -l`
    if [ $filecount -eq 0 ]; then
        "$tcsdir"/MDV.sh open systemvault
        [ $? == 0 ] || exit 1
        echo
    fi

    # read the container's settings from its resource file in the system vault
    resources="$SVmountpoint/$vaultname.rc"
    [ -r "$resources" ] || notify "Cannot retrieve $resources"
    . "$resources"
    mountname="`echo $container | sed -e's/^\.//g'`"
}

function OpenVault {
    filecount=`ls "$TCmountdir" | grep "$mountname" | wc -l`
    if [ $filecount -gt 0 ]; then
        # original is already open: pick the copy and give it a numbered name
        mountname="$mountname$filecount"
        vaultpath="`matedialog --file-selection 2>/dev/null`"
        container="$container$filecount"
        containerlocation="/tmp"
        ln -fs "$vaultpath" "$containerlocation/$container"
    fi

    mountpoint="$TCmountdir/$mountname"
    echo " opening container on $mountpoint"
    . "$tcsdir"/MUV mount
    pause 0
}

function ToggleVault {
    mounted=`cat /etc/mtab | grep "$container" | wc -l`
    if [ $mounted -eq 0 ]; then
        . "$tcsdir"/MUV mount
    else
        . "$tcsdir"/MUV unmount
    fi
}

function UnloadVaults {
    unset lastvault
    while true; do
        mounted="`cat /etc/mtab | grep "/dev/mapper"| cut -d" " -f1 | tail -1`"
        [ -z "$mounted" ] && exit 0
        vault="`echo $mounted | cut -d/ -f4`"
        # same vault twice in a row means the last pass could not close it
        [ "$vault" == "$lastvault" ] && exit 1

        device="`tcplay -j $vault | grep "Device:" | cut -d: -f2 | tr -d '[:space:]'`"
        mountpoint="`cat /etc/mtab | grep "$mounted" | cut -d" " -f2`"
        umount "$mounted"
        rmdir "$mountpoint"
        tcplay -u "$vault"
        losetup -d "$device"
        lastvault="$vault"
    done
}

function GetKey {
    echo "Select system vault key file"
    key1="`matedialog --file-selection 2>/dev/null`"
    [ -z "$key1" ] && exit 1
}

function CheckKeyfileAccess {
    # mount the NAS first if a key file is stored there
    file1=`echo "$key1" | grep "$NASmountpoint" | wc -l`
    file2=`echo "$key2" | grep "$NASmountpoint" | wc -l`
    NeedNAS=`echo $file1 + $file2 | bc -l`
    if [ $NeedNAS -gt 0 ]; then
        mounted=`cat /etc/mtab | grep "$NASmountpoint" | wc -l`
        if [ $mounted -eq 0 ]; then
            echo "mounting NAS ..."
            mount "$NASmountpoint"
            [ $? == 0 ] || pause 1
        fi
    fi

    if [ -n "$key1" ] && [ ! -r "$key1" ]; then
        notify "unable to access keyfile $key1"
    fi

    if [ -n "$key2" ] && [ ! -r "$key2" ]; then
        notify "unable to access keyfile $key2"
    fi
}

function notify {
    printf "\n %s\n" "$1"
    pause 1
}

function pause {
    printf "%s\n" " Press any key to exit"
    read -n 1
    exit $1
}

# ----------------------------------------------------------
# must be run as root
[ $EUID == 0 ] || notify "You need administrator rights. Try: sudo /path/to/MDV.sh"

action="$1"
vaultname="$2"

if [ -z "$action" ]; then
    action="`matedialog --list --hide-header --text="Select an action" --column=action open close backup opencopy unload create info modify restore`"
    [ -z "$action" ] && exit 1
fi

[ "$action" == "unload" ] && UnloadVaults

if [ -z "$vaultname" ]; then
    vaultname="`matedialog --entry --text="Enter vault name"`"
    [ -z "$vaultname" ] && exit 1
fi

SV="`echo $vaultname | grep -i systemvault`"
if [ -n "$SV" ]; then
    SysVault
    tcpopts=""
    tcpnewopts="--new-keyfile=$key3"
else
    OtherVaults
    tcpopts="-k $key1 -k $key2"
    tcpnewopts="--new-keyfile=$key3 --new-keyfile=$key4"
fi

mountpoint="$TCmountdir/$mountname"
case "$action" in
    "create") . "$tcsdir"/CV;;
    "open") . "$tcsdir"/MUV mount;;
    "close") . "$tcsdir"/MUV unmount;;
    "opencopy") OpenVault;;
    "unload") UnloadVaults;;
    "toggle") ToggleVault;;
    "info") . "$tcsdir"/MUV info;;
    "restore") . "$tcsdir"/MUV restore;;
    "modify") . "$tcsdir"/MUV modify;;
    "backup") . "$tcsdir"/MUV backup;;
    *) notify "unknown action: $action";;
esac

 

************** Save the following lines as MUV **************
#!/bin/bash

action="$1"
loopdevice="`losetup -a | grep $container | cut -d: -f1 | tail -1`"
[ -f "$containerlocation/$container" ] || notify "container $containerlocation/$container not available"
cd "$containerlocation"

# ---------------------------------------------------------------------
# back up container
if [ "$action" = "backup" ]; then
    [ -z "$backupdir" ] && notify "backup folder not set up"
    [ -w "$backupdir" ] || notify "$backupdir not accessible"

    # compare file's modification times
    backupcopy=0
    currentcopy=`stat -c %Y "$containerlocation/$container" | awk '{printf $1 "\n"}'`
    if [ -f "$backupdir/$container" ]; then
        backupcopy=`stat -c %Y "$backupdir/$container" | awk '{printf $1 "\n"}'`
    fi
    if [ $backupcopy -eq $currentcopy ]; then
        echo " Container already backed up"
        pause 0
    fi
    if [ $backupcopy -gt $currentcopy ]; then
        echo " Backup is newer - Do you really want to overwrite it? (y/n)"
        # read stores the key in a variable; it prints nothing that could be piped into tr
        read -n 1 answer
        answer="$(echo "$answer" | tr '[:upper:]' '[:lower:]')"
        [ "$answer" == "y" ] || exit 0
    fi

    # unmount container to make sure all caches have been flushed
    mounted=`cat /etc/mtab | grep "$mountpoint" | wc -l`
    if [ $mounted -gt 0 ]; then
        echo closing container ...
        . $tcsdir/MUV unmount
    fi

    # copy container; keep its modification time so the comparison above works on the next run
    echo "backing up container to $backupdir ..."
    cp -f --preserve=timestamps "$containerlocation/$container" "$backupdir/$container"
    [ $? == 0 ] || pause 1
    chmod 644 "$backupdir/$container"
    exit $?
fi

# ---------------------------------------------------------------------
if [ "$action" == "unmount" ]; then
    # already unmounted
    [ -z "$loopdevice" ] && return

    # systemvault must be the last one to unmount
    if [ "$vaultname" == "systemvault" ]; then
        mounted=`cat /etc/mtab | grep "/dev/mapper" | wc -l`
        sysmounts=`cat /etc/mtab | grep -i "$container" | wc -l`
        [ $sysmounts -lt $mounted ] && notify "System vault in use: cannot close it"
    fi

    # remove user access
    mounted="`cat /etc/mtab | grep "$container" | cut -d" " -f2 | tail -1`"
    if [ -n "$mounted" ]; then
        container="`cat /etc/mtab | grep "$mounted" | cut -d" " -f1 | cut -d/ -f4`"
        umount "$mounted"
        [ $? == 0 ] || pause 1
        rmdir "$mounted"
    fi

    # remove encryption mapping
    loopdevice="`tcplay -j $container 2>/dev/null | grep "Device:" | cut -d: -f2 | tr -d '[:space:]'`"
    if [ -n "$loopdevice" ]; then
        tcplay -u $container
        [ $? == 0 ] || pause 1
    fi

    # release the loop device
    losetup -d $loopdevice
    return
fi

# ------- required for all following functionality --------
# associate container with loop device
if [ -z "$loopdevice" ]; then
    loopdevice=$(losetup -f)
    losetup $loopdevice $container
    [ $? == 0 ] || pause 1
fi

# ---------------------------------------------------------------------
if [ "$action" == "mount" ]; then
    # already mounted?
    mounted=`cat /etc/mtab | grep "$mountpoint" | grep $container | wc -l`
    [ $mounted -eq 0 ] || notify "container $container already open"

    # check key file availability
    CheckKeyfileAccess

    # create temp directories
    if [ ! -d "$mountpoint" ]; then
        mkdir "$mountpoint"
        [ $? == 0 ] || pause 1
    fi
    # quoted so that an unset backupfolder is really treated as empty
    if [ -n "$backupfolder" ] && [ ! -d "$backupfolder" ]; then
        mkdir -m 777 "$backupfolder"
        [ $? == 0 ] || pause 1
    fi

    # container already mapped?
    mapped="`tcplay -j $container 2>/dev/null | grep $loopdevice`"
    if [ -z "$mapped" ]; then

        # no: map it now
        # release loop device if not successful
        if [ "$vaultname" == "systemvault" ]; then
            printf "\n%s\n" "opening system vault"
            [ -n "$tcpopts" ] && GetKey
        else
            printf "\n%s" "$container "
        fi
        tcplay $tcpopts -m $container -d $loopdevice
        if [ $? != 0 ]; then
            losetup -d $loopdevice
            pause 1
        fi
    fi

    # mount container
    mount -o nosuid /dev/mapper/$container "$mountpoint"
    [ $? == 0 ] || pause 1

    # enable access by all users
    chmod 777 "$mountpoint"
    exit 0
fi

# ---------------------------------------------------------------------
# retrieve container info
if [ "$action" = "info" ]; then
[ -n "$tcpopts" ] && [ -z "$key1" ] && GetKey
CheckKeyfileAccess
tcplay $tcpopts -id $loopdevice
if [ $? != 0 ]; then
printf "\n%s\n" "Will try to access backup info:"
tcplay --use-backup $tcpopts -id $loopdevice
[ $? == 0 ] || pause 1
fi
pause 0
fi

# ---------------------------------------------------------------------
# restore header from backup
if [ "$action" = "restore" ]; then
[ -n "$tcpopts" ] && [ -z "$key1" ] && GetKey
CheckKeyfileAccess
tcplay --modify --restore-from-backup-hdr $tcpopts -d $loopdevice
[ $? == 0 ] || pause 1
pause 0
fi

# ---------------------------------------------------------------------
# modify password and/or keyfiles
if [ "$action" = "modify" ]; then
[ -n "$tcpopts" ] && [ -z "$key1" ] && GetKey
CheckKeyfileAccess

if [ -n "$tcpnewopts" ]; then
if [ -z "$key3" ]; then
holdkey="$key1" && GetKey
key3="$key1" && key1="$holdkey"
fi
fi
if [ -n "$key3" ] && [ ! -r "$key3" ]; then
notify " unable to access new keyfile $key3"
fi

if [ -n "$key4" ] && [ ! -r "$key4" ]; then
notify " unable to access new keyfile $key4"
fi

tcplay --modify -d $loopdevice $tcpopts $tcpnewopts
pause 0
fi

************** Save the following lines as CV **************
#!/bin/bash

# vault already created
[ -f "$containerlocation/$container" ] && notify "container already exists"

# double check for old mounts just in case
mounted=`cat /etc/mtab | grep "$mountpoint" | grep $container | wc -l`
[ $mounted -eq 0 ] || notify "an older version of this container is already open"

CheckKeyfileAccess

# select PBKDF PRF algorithm
while [ 1 ]; do

clear
printf "\n\n\n\n Select the PBKDF PRF algorithm you want to use ...\n"
PS3="your choice: "
select i in "whirlpool" "RIPEMD160" "SHA512"

do case $i in
"whirlpool") algorithm="whirlpool";;
"RIPEMD160") algorithm="RIPEMD160";;
"SHA512") algorithm="SHA512";;
*) unset algorithm;;
esac
break
done

if [ -z "$algorithm" ]; then
printf "\n\t%s\n" "Invalid input"
sleep 2
continue
fi

break
done

# select cipher chain
while [ 1 ]; do

clear
printf "\n\n\n\n Select the cipher chain you want to use ...\n"
PS3="your choice: "
select i in AES-256-XTS TWOFISH-256-XTS SERPENT-256-XTS \
TWOFISH-256-XTS,AES-256-XTS AES-256-XTS,SERPENT-256-XTS \
SERPENT-256-XTS,TWOFISH-256-XTS \
AES-256-XTS,TWOFISH-256-XTS,SERPENT-256-XTS \
SERPENT-256-XTS,TWOFISH-256-XTS,AES-256-XTS

do case $i in
"AES-256-XTS") cipher="AES-256-XTS";;
"TWOFISH-256-XTS") cipher="TWOFISH-256-XTS";;
"SERPENT-256-XTS") cipher="SERPENT-256-XTS";;
"TWOFISH-256-XTS,AES-256-XTS") cipher="TWOFISH-256-XTS,AES-256-XTS";;
"AES-256-XTS,SERPENT-256-XTS") cipher="AES-256-XTS,SERPENT-256-XTS";;
"SERPENT-256-XTS,TWOFISH-256-XTS") cipher="SERPENT-256-XTS,TWOFISH-256-XTS";;
"AES-256-XTS,TWOFISH-256-XTS,SERPENT-256-XTS") cipher="AES-256-XTS,TWOFISH-256-XTS,SERPENT-256-XTS";;
"SERPENT-256-XTS,TWOFISH-256-XTS,AES-256-XTS") cipher="SERPENT-256-XTS,TWOFISH-256-XTS,AES-256-XTS";;
*) unset cipher;;
esac
break
done

if [ -z "$cipher" ]; then
printf "\n\t%s\n" "Invalid input"
sleep 2
continue
fi

echo
break
done

# create container
cd $containerlocation
dd if=/dev/zero of=$container bs=1 count=0 seek=$containersize
[ $? == 0 ] || pause 1

# setup loop device
loopdevice="`losetup -a | grep $container | cut -d: -f1 | tail -1`"
if [ -z "$loopdevice" ]; then
loopdevice=$(losetup -f)
losetup $loopdevice $container
[ $? == 0 ] || pause 1
fi

# initialize container
[ -n "$tcpopts" ] && [ -z "$key1" ] && GetKey

printf "\n%s " "Select $container's"
tcplay -c -d $loopdevice $tcpopts -a $algorithm -b $cipher
[ $? == 0 ] || pause 1

# mount on /dev/mapper
printf "\n%s " "Enter $container's"
tcplay $tcpopts -m $container -d $loopdevice
[ $? == 0 ] || pause 1

# create a filesystem in it (ext2 for flash based devices)
mkfs.ext2 /dev/mapper/$container
[ $? == 0 ] || pause 1
pause 0

And that's it, folks!


Wednesday, December 11, 2013


Dear Editor,
A long time ago, I looked at diceware as Michael Z. Williamson mentioned (love that XKCD cartoon), and I don't find it quite as robust as I would like for password generating (I have one diceware-ish password I use for convenience, but used a couple of foreign words and specific capitals as well). Creating a series of simple words that forces the attackers to use a brute force attack on it anyway, made me want to go out and find out a better way to find brute-force-resistant passwords.

I found one (essentially, only one) really good password generator at the Fourmilab web site.

What makes it a really good password generator (relative to most others) are the following features:

First, it doesn't just randomly generate passwords (though it can); it gives you the ability to input an alpha-numeric seed, so that using the seed "cat" will always generate the same groupings of passwords/keys.

The benefit to this is that if you share a specific seed key with someone else (um ... in person that you can easily remember and associate with them) like CrazyTimeInVegas, then you have created an easy way for each of you to generate one-time-use pads.

It allows you to choose the length of the key, and other characteristics about the passwords generated.

So, you encrypt a file, send it to them through e-mail, and in your subject line you write, "62,394 more reasons Nancy Pelosi is awesome" ... which codes to your receiver to use a 62 digit key and choose the 394th key generated (or, come up with an agreed upon way to alter it even more, i.e., drop the 6 in the header but know that you'll always use a 60 digit length key). Or better, snail mail them a memory card with the information you want to send. With the NSA storing all e-mail, you can be sure that as they get faster and faster (and get into quantum computing encryption breakers), all forms of encryption will be broken at some point.

Combine that with sending your information in a triple-cascading 1 MB Truecrypt drive, or other encryption routine, and you'll be one step up. At least until quantum processing starts annihilating all forms of simple encryption.

2nd Benefit: It stores on your local computer and can run in any browser (you aren't using a web site to run it through the Internet, you can be offline whenever it runs). One can also add a couple of default numbers (don't do the seed), so you don't need to type a couple of the less useful features (like the number of digits between separators and which separator to use ... answer: none). It's a simple JavaScript and the code is open source so you don't have to worry about backdoors/it sending out extra data, etc. The code is wide open for everyone to see.

3rd: It's free. Go to the web site, save the page to your computer, and never run it off the web site again. (The author of the site suggests doing this.) Keep a copy of the script in your e-mail drafts as a backup and forward to your friends who need it.

It fills a nice gap; there are still important things to consider like physical security of your device (i.e., if they install monitoring software on your machine, or a keyboard tracker, or a webcam that can view your keyboard, it doesn't matter how good your encryption is), and finding an easy-for-you-impossible-for-them way of keeping track of your password generating keys. - C.S. in the Midwest
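
The seed-plus-subject-line scheme from the letter above, as an added example that is not part of the original letter and is not the code of the generator it refers to. The PBKDF2/HMAC-SHA256 construction is a stand-in chosen for this sketch, and `parse_subject`, `derive_key` and `effective_bits` are hypothetical names; the last function shows that a derived key is never harder to guess than the seed it came from.

```python
"""Deterministic keys from a shared seed (added example, constructed inputs)."""
import hashlib
import hmac
import math
import re
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols
KDF_SALT = b"shared-seed-demo-v1"                # constructed label, not a secret
KDF_ROUNDS = 100_000                             # makes every seed guess slower


def parse_subject(subject):
    """Read 'LENGTH,INDEX ...' from a subject line such as '62,394 more ...'."""
    m = re.match(r"\s*(\d+),(\d+)\b", subject)
    if not m:
        raise ValueError("subject does not start with LENGTH,INDEX")
    length, index = int(m.group(1)), int(m.group(2))
    if length < 1 or index < 1:
        raise ValueError("length and index must be positive")
    return length, index


def derive_key(seed, index, length, alphabet=ALPHABET):
    """Return the index-th key of the given length for this seed.

    Same (seed, index, length) always yields the same key on both ends.
    These are derived keys, not one-time pads: all of them fall together
    if the seed is guessed.
    """
    if not 2 <= len(alphabet) <= 256:
        raise ValueError("alphabet must have 2..256 symbols")
    # Stretch the memorable seed so that each guess costs KDF_ROUNDS hashes.
    master = hashlib.pbkdf2_hmac("sha256", seed.encode("utf-8"),
                                 KDF_SALT, KDF_ROUNDS)
    # Rejection sampling: drop bytes that would bias the modulo reduction.
    limit = 256 - (256 % len(alphabet))
    out, counter = [], 0
    while len(out) < length:
        msg = b"key:%d:block:%d" % (index, counter)
        for byte in hmac.new(master, msg, hashlib.sha256).digest():
            if byte < limit and len(out) < length:
                out.append(alphabet[byte % len(alphabet)])
        counter += 1
    return "".join(out)


def effective_bits(seed_guesses, length, alphabet_size=len(ALPHABET)):
    """Upper bound on key strength in bits.

    The length and index travel in the clear in the subject line, so the
    only secret is the seed: strength is capped by log2(seed_guesses).
    """
    return min(math.log2(seed_guesses), length * math.log2(alphabet_size))


def demo():
    length, index = parse_subject("62,394 more reasons Nancy Pelosi is awesome")
    return {
        "key": derive_key("CrazyTimeInVegas", index, length),
        # A seed that is one word from a 7776-word Diceware list:
        "one_word_seed_bits": effective_bits(7776, length),
        # Five Diceware words as the seed:
        "five_word_seed_bits": effective_bits(7776 ** 5, length),
        # What the 62 characters could carry if the key were truly random:
        "random_key_bits": effective_bits(2 ** 400, length),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
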


Monday, December 9, 2013


This article should be of interest to anyone who is cyber security conscious--which should be everyone, in the present era:

Kill the Password: Why a String of Characters Can’t Protect Us Anymore.

Now consider the pointed lesson of the XKCD site.

Are you now concerned? ...then use:

Diceware

and

Truecrypt

The main features of Truecrypt:

  • Creates a virtual encrypted disk within a file and mounts it as a real disk. 
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication).
  • Encryption is automatic, real-time (on-the-fly) and transparent.
  • Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
  • Encryption can be hardware-accelerated on modern processors.
  • Provides plausible deniability, in case an adversary forces you to reveal the password: hidden volume (steganography) and hidden operating system.

Take the time to increase your password security and your general computing security. Someday you may be very glad that you did!

Thanks, - Michael Z. Williamson (SurvivalBlog's Editor at Large)


Monday, November 25, 2013


Mr. Rawles,
If you have not yet heard of the Serval Project, I would encourage you to check out the web site. This is an Australian based non-profit that is attempting to build the software and hardware for a mesh network that can be erected post-disaster. It is all open-source and there is even a free Serval app available at the Google App Store.

For those of you not familiar with the idea, mesh networks are self-contained networks that run off of the same protocols as the internet, using the same hardware, but are not necessarily linked to the actual World Wide Web (hence, no ‘off-switch’). Each item on the network, be it a laptop, desktop, android tablet device, or android smart phone would be connected to each other, using the app or other software, giving each user the ability to place a phone call, send a text or image, etc. with any other entity on the mesh network. Literally, two devices can connect to each other with no other technology required. There are other apps similar to this, such as Open Garden, but Serval looks to be entirely self-contained.

One issue with android phones is the range (however, there seems to be a work around that adds range to the phones if they are rooted). The people at Serval are attempting to remedy this by designing and building an ‘extender’ that they claim will push the maximum range to kilometers. It is called a Serval Extender, and while it is not available yet, this is an open source movement that many people are working on, and it is only a few months along in its development. Therefore, I expect to see several items available to enhance this concept on the internet soon, either for sale or the instructions as a free download (It would be similar to the Raspberry Pi or Arduino concept, which is open source hardware that is now widely available with tons of resources on the internet for free).

Keep in mind, the original intent was for post-disaster networks to spring up with ease. The designer was inspired by the Haitian earthquake. He realized that once the cell network went down, there were potentially hundreds or thousands of smartphones that could be used to communicate which instantly became useless. He conceived Serval as an app that could go on each phone, and you could immediately be part of this new network.

Assuming the technology survives an EMP, a group could deploy this network and use existing phones, tablets, computers, and their chargers for commo gear. You even keep the same phone number! The messages are sent encrypted. Unless the looter bad guys have Serval on their phones, you could probably consider the network private. I doubt any other device would be able to translate the signal, although it would be pretty easy to detect. This, in my opinion, is more advantageous than GMRS or CB because of the ability to send texts and images. The power requirements for these would be negligible, low in fact. One small PV panel could run the extender, one more to charge the devices, or just use hand cranks.

I think this would create an interesting dialogue on SurvivalBlog.com, and I hope others look into this. I look forward to the responses! - Dan in Florida


Monday, October 14, 2013


I'm often asked about social media, forums, and meetup/networking web sites as a method for preppers to get together. I generally discourage the use of social media, as a big OPSEC risk. As I've warned my readers many times in SurvivalBlog, these sites are intelligence-gathering vacuum cleaners for self-incrimination, plain and simple. It has been well established that the NSA gobbles up as much information as it can and wherever it can.

Even if what you mention about your private life in Tweets and Facebook posts is presently legal and commonplace (such as food storage, hunting, and shooting), that doesn't mean that it won't someday become demeaned or even illegal.

You must recognize that whatever you post in social media is there forever, even if you later "delete" your posts, and even if you completely delete your user account.

I will not be surprised if it is someday revealed that most of these sites were created specifically for the purpose of intelligence gathering. (Google and Facebook have many CIA and NSA connections, and what could best be described as an incestuous relationship. Google, in particular, is suspect.)

For all of these reasons, I have never created a Facebook or Twitter page for myself, and I discourage others from doing so. And likewise, I do not have a "SurvivalBlog Forum", or a YouTube channel with "followers", nor do I have a mechanism for auto-posting of comments in my blog. Those can be tracked and easily cross-correlated. I have no intention of making myself a tool for some malefactor. The few letters from readers that I post are edited for OPSEC. For example I almost always change or truncate names and change their initials.

One quiet afternoon I did some pondering and decided that the names of the social media sites and some of their operative terms are in fact acronyms, which I've defined, as follows:

Sites:

FACEBOOK: FBI-Arranged Confessions Eternally Bookmarked On Our Komputer.

KICKSTARTER: Kicking In Cash Koupons Solely To Accord Retarded Teenage Enterprises with Relevancy

MYSPACE: My Yesterdays Saved Permanently, Allowing Character Extirpation

PINTEREST: Police (or Pedophiles) Interested in Nattering Teen Effusiveness, Regardless of any Eventual Statist Tendencies

TWITTER: Those Willingly Incriminating Themselves to The Evil Regime

LINKED IN: Lashed Interminably to National Komputers, Every DHS Intelligencer is Notified

MYLIFE: Many Youngsters Lured into Intelligence Fusion Enterprises

DEVIANTART: Datamining Extroverts and Voyeurs In Artfully Nefarious Temptations, Arguably a Resilient Trap

LIVEJOURNAL: Low Intelligence Value Everyday Jests Or Unthreatening Rantings of Nutcases And Lunatics

YAHOO GROUPS: Your Antiquated Hooligans and Obstinate Old-timers Gather Religiously--Obviously Under Police Scrutiny

GOOGLE+: Gatherings Of Overweight Geriatric Lechers and Enticers, (+Police)

PHOTOBUCKET: Photos of Hotties Observable To Officers Briefly, Until Canceled (but Kept Eternally in Terabytes)

BLOGGER: Blogs for Lazy Old Grannies, for GOOGLE's Evidentiary Research

MEETUP: Matching Every Extrovert To an Unprincipled Provocateur

ORKUT: Only Read in Kolkata or at Universidade Teresina

PANDORA: Pilfering Another Ditty Or Radio Attraction

SECONDLIFE: Some Escapist Charades Only Needed by Delinquent Losers, Indolents, Fantasizers or Evaders

SKYPE: Sent Konversations of Youths Penetrated by ECHELON

STUMBLEUPON: Surveillance That U.S. Magistrates Blithely Let Enforcers Use to Pressure Opponents and Naysayers

DELICIOUS: Designating Eternal Links In Cyberspace (Ignorant of OPSEC), Utilized by Stasi

YOUTUBE: Youthful Obsessions Unfit for Television, Until Brin-Endorsed

FOURSQUARE: Forgettable Or Unstable Relationships, but Some are Qualitatively Utilized (the Addresses Reveal Entanglements)

DIGG: Dissident Intelligence Gathered by Government

WIKIPEDIA: Wasted Intellect, Kreating an Immense Propaganda Encyclopedia Designed to Incapacitate America

INSTAGRAM: Innocuously, Napolitano Seizes Treasured Assets and Gendarmes Reap Actionable Material

WAYBACKMACHINE: Wonderfully Accurate Years of Belligerent Allocution by Citizens Knavishly Making Archives, Compiling HUMINT Inventories of Natterings Evidence

MY YEARBOOK: Meeting Youth of Yesteryear, Enrolling Alums at Reseau Bluffdale Or Other Keeps

FLICKR PHOTOS: Fotos, Largely that I Couldn't Kontribute Rationally, Possibly Holding On To Old Shamefulness

CLASSMATES: Could Lead Alumni to Squeal Stories Mistakenly to Agencies and Their ECHELON Storehouses

TAGGED: Those Agencies Getting Gun Evidence Details

WINDOWS LIVE HOME: Where Imbeciles Naively Disclose Old Wrongdoings, Snoops Love It, and Vigorously Engineer Hoards Of Maleficent Espionage

Component and Operative Terms:

TWEETS: The Way Everyone Evinces Themselves Slavishly

FANS: FISA And Napolitano Sensors

HASHTAGS: Harmful And Sly Handles with Thousands of Aggregated Guilt Summaries

PINS: People In NSA Stings

FORUM: Future Ordered Roundup of Undesirable Malcontents

MEETUPS: Meeting Extraordinarily Eccentric, Tactless, and Untrustworthy People Somewhere

FRIENDS: Folks who are Really Intelligence Envoys, Navigators, Dupes, and Servants

BLOG COMMENTS: Buffoons Letting Others Generate Confessions for Our Mainframes, Makes Every Nazi's Task Simple

REACH: Rahm Emanuel's Asset Collection Hooks

GEOTAG: Getting Everyone's Obscure True Address and Geolocation

HANGOUT: Handing All Nefarious Government Operatives Useful Tidbits

MASHUP: Mixing Assorted Schumer, Hunting Unwitting Patriots

FOLLOWERS: Feds Only Like Lots Of Willing, Emasculated, Robotic Slaves

TROLLS: Those Really are Obama's Lawmen, Lying for the State

CLOUDCOMPUTING: Clapper's Latest Outlandish and Unrestrained Dream of all Computer Operations Manipulated by Placing them Under The Interests of the National Government

FLASHMOB: FISA-Launched Assemblies Secretly Harnessed to Manhandle Objective Bystanders

LURKER: License to Unrepentant Roving Komputer Expert Rabble-rousers

AVATAR: A Vivacious Alterego That Averts Reality

WIKIS: We're In Kolusion and Infiltrating Systematically

CHAT: Conversations Heard and Arranged by Troublemakers

RSS: Routed Straight to Stasi

BSD: Big Sis Department

CROWDSOURCING: Counting Reliably On Wisdom and Dollars Swiped from Others, Using Resourceful Cunning or Intrigues that Needle for Generosity
(Alternatively: Corralling and Recruiting Others to Waste Dollars and Scarce Opportunities in Uncompensated Risk to Co-create Idylls, Instituting Nothing Good)

SEO: Surreptitious Evidence Obtained

UGC: Usurped (Government's) Content

WEBINAR: We're Essentially Being Interrogated, the NSA is Always Recording

TAGCLOUD: Tallies Arranged for Government's Clandestine Location Of Unbridled Dissidents

TRIBES: The Roundup Is Becoming Extremely Simple


You have been warned! Stay away from social media sites.

My advice: Learn the lost art of letter writing. In this age of universal surveillance, a stamped envelope in the mail is perhaps the only relatively secure way to relate your thoughts over a distance without risk of interception. Oh by the way: Because of the new US Postal Service mail logging program, you should type the recipient's name and address in both the center and upper left hand corner of the envelope. - JWR


Thursday, September 19, 2013


James,
I work for a large, three-letter computer manufacturer with a penchant for Blue.

Joe Ax's comments about the problems with maintaining a digital library are right on the money. When I worked in our Storage Division (hard disks, tapes, etc.), this issue came up during a talk on medical systems' storage needs. There is a requirement for medical records to be maintained 100 years, and yet no computer data storage system has been designed to do this.

So what is the 'solution'? 

It seems that doctors' offices are cajoled/required/encouraged to upgrade their office systems on average about every five years. In so doing, all of their old records are transferred to the new system. This side-steps the problem without actually solving it.

While I am a big fan of digital libraries, I think that every book/document which is absolutely essential to a prepper should be 'backed up' by keeping a print copy on high quality paper. At the present time, this is the most practical solution I am aware of.

Best Regards, - Bear


Jim,
As the author of the original article I wanted to wait for a while to try and address several of the issues (all good points) raised, and clarify why I made the various choices I did in my suggestions.

Some responses seem to have missed my main thrust which was bringing this concept in at the best matrix between cost, accessibility, usability, longevity, and availability of surplus gear. Obviously this type of matrix has some degree of subjectivity.

The reason I chose XP was because of the recommendation I made for purchasing older, obsolete laptops which probably will not be capable of running Windows 7 or Vista. This met my criteria for cost, usability, and availability. As one response noted correctly, the original activation can be done offline using a telephone. Copies of XP that are not pirated can still be purchased online cheaply. Also many of the surplus laptops may already come with an activation sticker (license key) still attached which obviates the need to even purchase a copy. Activation should be done ahead of time. In a grid down or disaster situation there are a variety of (relatively) easy methods to bypass the activation should the laptop decide it needs to be reactivated.

At least one response mentioned the lack of updates and age of XP as an issue. This is the primary reason I stressed to never connect these laptops to any network. It didn't have anything to do with backdoors or NSA access; it is purely to remove issues related to having the information on your digital library laptop leaked out to the internet and remove the need to frequently update and patch the systems. The second simplest system to secure is one that is never connected to another system. The simplest system to secure is one that doesn't exist. (Yes, that's rather zen-ish but I like it. =)

Another letter addressed the changes in technology making backup media obsolete, and failure rates. I believe this response failed to read my entire article. This is why I stressed rebuilding the backup media every 24 to 36 months. It allows reorganization of your digital library as well as alleviates the issue of age related data corruption. Also keeping as many spares as practical, and supplies of backup media.

Several users mentioned Linux. While Linux is my personal preferred operating system, I have spent a certain amount of time doing end user support, development, and security for Linux/Unix and Windows operating systems and I would put a 95% chance that there isn't a single person on this forum who has not used Windows, and most will have used (or are still using) XP.

I would be surprised if more than 10% even have heard of Linux. Having taught a number of classes involving both Windows and Linux over the years, I will tell you there is a significant learning curve between the two environments, not the least being conceptual rather than technical. And for the Apple fan-boys out there, I'm lumping MAC OS X in with Linux at the conceptual level -- and yes, I know it is a BSD derivative. =)

Another response mentioned Calibre for a digital library organizer. This is an excellent program, and I do use it. If you are careful to tag (add index keywords to documents) that you import, it makes an excellent resource tool for organizing documents. However as a different respondent mentioned, I also primarily rely on a simple folder structure. This allows me to also include other document types (blueprints, schematics, etc.) in related folders. Also don't be afraid to have multiple copies of the same document. For example I have copies of documents relating to making charcoal in folders under 'Consumables/Smithing', 'Food/Smoking', 'Fuel/Wood', and several other locations.

All of this aside, ask 10 geeks how to preserve a digital library and you'll get at least 20 answers. As presented mine is only one of many approaches that are all workable, cost effective, and can be implemented by someone without a ton of technical expertise.

Go with God, - H335


Saturday, September 14, 2013


Dear Mr Rawles,
Since I have worked for a few decades now with computers as programmer, installing systems and building/repairing computers, I read last week's articles/letters on digital libraries with interest. Though most information provided is correct, some possibilities weren't discussed, while others may not be entirely clear or confusing to the uninitiated.
So, in addition to the previous postings, here is my take on 'digital libraries for dummies':

Putting together a digital library is a good idea and I have one too. It contains everything from books to reference diagrams, user manuals and SurvivalBlog archives. However it can become a needless burden on (possibly scarce) resources if not done correctly. So before you run out to buy things you may not need, let's take a look at whether your intended approach fits with your other preparations.

- How much storage is required? As much as you need/can afford/deem necessary. I know that doesn't say much but it is really what it comes down to. For example I have scanned all old family pictures I could find and stored the scans along with newer digital pictures. They are part of the library, together with copies of music CDs and vinyl records, a few movies and family videos. And some games in case people get really bored. The computer says the library has grown to over 150,000 files most of which are compressed by lossless algorithms to around 100GB total required storage space. That's a small hard drive, average SSD, 4 32GB SDHC cards, 20+ DVDs or 150 CDs.

- How do you manage this much information? I do not use a program to manage the library but simply use a folder structure to keep everything in a place where I can find it. For instance there is a 'books' folder, a 'documents' folder, a 'pictures' folder, etc. Each of these folders contains a tree of subfolders to quickly find items. I know: I'm old fashioned but it works and saves me the trouble of having to learn another piece of software that may or may not work (I still remember losing a number of pictures due to buggy picture management software that came with a camera). Besides, if I really can't find something, Linux has built-in commands to find (the path to) files and to scan any and all documents for keywords.

- So do you need encryption? Well that depends but, realistically, the answer is probably not. If your library consists of KJV, Moby Dick and chicken coop blueprints published by the government in 1922, then you are better off without encryption since that won't raise anyone's suspicions. On the other hand, if you are carrying around guerrilla warfare planning documents ... you are probably in way over your head if you are looking for advice here. Please keep in mind that weak encryption is worse than no encryption, because you may rely on the encryption to keep your secrets whereas un-encrypted info won't give you that false sense of security. FWIW I don't use encryption on my library except for folders containing personal info and password vaults.

- Should you rely on CD and/or DVD disks for your library? As H335 pointed out you will be dealing with bit rot. This can be somewhat alleviated by storing archival type (= relatively expensive) disks in a cool, dark, dry place but even that is not fool proof according to test data available on the internet. Do I use disks as back up? Yes, but I keep three copies of all documents in my library on three different media: a very reliable old hard drive, DVD disks and SDHC cards. Surely something will survive!

- Why SDHC cards? They are small (=easy to hide), cheap and reliable. All you need for them to work is a good quality USB reader. Don't buy any reader that costs less than $10-$15 or you *will* regret it. For the cards themselves, try to buy units that carry a lifetime warranty [for the best price you can find]. The really nice thing about the cards is that they are re-programmable. Apart from being able to delete unwanted documents this greatly enhances their longevity. Here is how that works: their data retention is usually specified as 5-20 years depending on quality of parts used. They should also allow a minimum of 3000 write cycles before wearing out the cells. So to be on the safe side, I refresh the data (=copy to another card) once every year or so and can, conservatively, do so a 1000 times. I think they will outlast my needs ... Because of their small size I am not really worried about EMP damage, but it doesn't take much to protect them properly. If you want/need something really tiny, get a microSD card. They are about half the size of your finger nails and just as thin and have the same storage capacity as regular SDHC cards. Easy to lose but might come in handy if you want to sew them into your coat. If you don't mind something bigger than SDHC cards, USB sticks (in many disguises) can be used the same way.

- Do you really need printers, paper, toner, etc.? You might if you plan to be holed up in your fortress and expect to be without power for extended periods of time. In that case I suggest you start printing now when supplies and power are still cheap and plentiful. My philosophy is that I may need to leave in a hurry without the possibility of dragging paper around so I have made no provisions for printing large quantities of documents. Nor do I care to leaf through hundreds of printed pages looking for a passage or table when the computer can find it much quicker. However if you plan to be teaching a community group for example, there are legitimate reasons to stock up on supplies.

- By going fully paperless I will need something that can read and display the stored information. A full desktop computer will do nicely, especially on your retreat, but may not be the best solution. Laptops and tablets use less space and energy.

- laptops. I usually keep two of them around. They are identical so if one dies I can use the other one and have spare parts for it. My personal preference is to use Dell Latitudes because they are plentiful (=cheap) and have worked well over the years for me. I also know how to take them apart and fix them which helps. IBM's Thinkpads also have a good reputation. If you go shopping for a laptop: look for an off-lease business laptop - they are made with premium grade components and all the bad apples have been weeded out long before they come off-lease. Do *not* buy a pallet full of laptops for $50; chances are none of them will work when you plug them in for the first time. 30%-50% of the units should be salvageable but only if you know how. Your $50 is better used for buying a laptop that has been tested and is guaranteed to be not DOA (plenty of those listings on Ebay). As a rule these laptops have their hard drives wiped and a fresh install of the OS. If the hard drive wasn't wiped there is no real reason to go out and have them professionally wiped. This was a good idea in years past when we had low capacity drives. However hard drives that were built in the last 3-4 years use very narrow magnetic tracks that can be effectively wiped by simply having your computer overwrite them once with new data as shown by blind testing in data recovery labs. Of course there is a downside to this: your own data can be lost that much easier too ... Don't go for the latest and the greatest. Older laptops are built better and have sturdier electronics because they are built on larger process nodes. Single core machines are just fine for what you will likely use it for. I still have a laptop that is over 10 years old. I only use it for programming micro-controllers which means it gets lugged around all over the place, but it's doing just fine and I am less afraid of breaking it than the newer ones. It even gets 4 hours run time out of today's higher capacity batteries. The downside is that I need to run Windows 98 or something like Puppy Linux because it's underpowered for almost any other OS.

-tablets. I have been thinking of getting one but have a hard time justifying the purchase. Their big attractions are small, light weight and energy efficiency which is important if you don't have too much available. But ... they are throw-away electronics. Especially the ones where you cannot replace the battery. Under normal daily use/nightly charge cycles the battery should give out in about a year (you might still get 1-2 hrs run time on a charge but nowhere near advertised spec.). So you are either tethered to your charger or can go buy a new one. That's assuming you haven't run into any of the wear-and-tear issues associated with today's high performance/small footprint/passive cooling designs. So if I need to keep laptops around as backup in (the somewhat likely) case that the tablet fails, why not just stick with the laptops. The second thing I am not too keen on is that most tablets (and smart phones for that matter) work as personal tracking devices in their default configurations. And they are really good at it. Having said that, if you already own one and it has an SD card reader or accessible USB port; there is nothing wrong with using it with your library. Just don't depend on it as your only reader.

-Windows XP. I noticed it mentioned in some posts. This product is fine to use as operating system for your library reader provided you understand the risks. From April 8, 2014 onward Microsoft will no longer support it. Without security updates you will be a sitting duck for viruses and other types of attacks. So you should only use it on computers that are not connected to the internet which may not be a problem when SHTF. However SHTF also means you will not be able to re-activate your copy should your computer crash or need a new hard drive, CPU, etc. For these situations there is a solution. Make sure you have downloaded and stored a piece of software called AntiWPA. You install this right after you install Windows XP. It works by starting windows in safe mode and switching to normal mode once you are past the activation code check. Your windows license is not tied to your activation code but to your machine. Assuming you bought your machine with a retail copy of windows or the machine came with a COA sticker, you are not doing anything illegal by using AntiWPA to start your machine. If your machine came with a COA sticker (likely if it's an off-lease business laptop), make sure you make or download your own CD with a copy of windows (or any other OS) and know how to install it or know someone who does. Just adding a how-to document to your library will lead to some very unpleasant moments/thoughts when the computer tells you it can't find a bootable hard drive. As for me, I still use Windows XP occasionally to reliably run some older programs and create my tax returns. But it lives inside a Virtual Machine (VM) without access to the internet. Its universe is restricted to the 10GB file on a hard drive in which it resides. If you are really concerned with (internet) security, take a look at a program called VirtualBox. It is surprisingly stable and easy to use and comes with sane defaults so you can just click your way through the initial setup wizard to get started. And if you mess up, you delete the file and start over again till you get it right ... which works great for practicing OS installs too.

- What about data security? There are many aspects to this question most of which you won't be able or need to deal with. Here I will highlight three: local data storage, cloud and internet use.

- Local storage security. Data security of your locally stored information can be achieved to a reasonable degree if you wish to do so. If you want to add a digital layer of protection to your locally stored information, the most important aspect is your password. It needs to be long, unusual and contain numbers and punctuation marks. Password cracking software tends to incorporate lists of often used passwords or even a dictionary because trying those first yields far better results than applying brute force techniques due to people's common password choices. It also needs to be long because top-of-the-line graphics cards (think Radeon HD7970 @$350-$400) can find any password of less than 9 characters via brute force in 2 days or less. The next model (due out in October) is expected to do it about 30% faster. At any rate a 12-15 character password should be safe for the next few years. In case the government confiscates your disks to look at them, I doubt any type of encryption available to you will stand up against their attempts. And please give sufficient thought to how and where you store your backups. Under a slab of concrete is far more secure than in a kitchen cupboard.

- Cloud security. Assume it doesn't exist and that the cloud is as transparent as glass. This goes for both data storage and information processing in the cloud. If you don't believe me read the fine print in the 'terms of use' you are agreeing to. Some companies use OSS cloud software which lowers your risk somewhat but you still have to traverse the internet. For example I saw someone touting the virtues of removing EXIF data from pictures before posting or emailing them. He had the right idea: I never send any picture out without stripping all its EXIF data. Then he mentioned this could be easily done in the cloud: all you have to do is send your picture over and it would come back to you in stripped format. You just have no idea how many copies were made before the exif data was stripped. For real OPSEC you want to download something like 'exif-tools' and process your image at home.

- Data security during transmission outside your computer should not be assumed as has been documented by Mr. Snowden et al. However there are a few things you can do to lower your risk because not all software is created equal. Running DOS might be fine because it pre-dates the time that the internet was a household word. It's just that it's kind of useless in that it won't run any program that is capable of rendering today's web pages. All other Microsoft OS, MS Internet explorer and Apple products are suspect and I don't use them to get on the internet if I can help it. Unfortunately I feel I also have to put Google's Android and Chrome OS in this list. So what's left to lower your risk? Basically something called Open Source Software (OSS); this means that the source code of the programs that you run is freely available for download by anyone interested in improving the code, looking for bugs, back doors, etc.

The premier OSS operating system is Linux. But Linux by itself isn't much fun: you will also need a desktop environment and apps to do something useful. Examples of Linux based user interfaces are Android, Ubuntu, Fedora, Mint, etc. (The reason I mentioned Android as suspect is that its user interface comes with [closed source] binaries that cannot be inspected). If you want to try a Linux flavor for the first time: download a free copy of Linux Mint 13 (codename Maya and supported till 2017) because it has the most windows-like user interface of all Linux distros. It even has the familiar 'start' button, though they call it 'menu'. Burn the iso image on a DVD and start your computer from that DVD - guaranteed virus free for the lifetime of the DVD and also a very useful approach should your system crash after the grid goes down. Alternately you can use a program called Unetbootin to load the image on a USB stick and start your computer from there. Mint comes with Firefox as default browser and includes media players (including VLC), document viewers, pdf readers and an office suite out of the box. It also has a software center for additional app downloads.

I would be remiss if I didn't explicitly point out that 'lowering your risk' is not the same as 'taking away your risk'. For example using Linux will lower your risk of running into a virus or giving easy access to your documents via a backdoor. Sending an encrypted email lowers your risk of people other than the recipient reading them. The stronger the encryption, the lower your risk. However, in the last few weeks a number of valid concerns have been raised that the NSA has spent a lot of effort making sure that various internet encryption protocols were designed in such a way that their implementations would be easy to crack for them. In such a scenario a properly written OSS app without known backdoor still would not provide adequate protection against NSA efforts. In layman's terms: depending on the contents of your encrypted messages you may want to consider using carrier pigeons instead of the Internet. - D.P.


Sunday, September 8, 2013


JWR: I had to add my own two cents to the Preserving a Digital Library. As a seasoned IT pro myself (one of my early customers upgraded all the Windows for Workgroups network I set up for him to Windows 95 himself and called me when he couldn't get it working) I have reliance on my systems, be it my cache of reference documents and ebooks to documents I've written myself to my gear and prep inventory spreadsheets.

I see no reason to choose Windows XP over Windows 7 or Windows 2000 or Windows 3.1 when it comes to back doors.  Every version I can remember since Windows 3.1 was rumored to have a back door.  That includes XP, 2000, etc.  A Windows preference you may wish to stick with XP just because it can run on older hardware.

With regard to activation, sure you can over the phone, but we are talking disaster planning. What happens when you have bugged out of the area you lived in due to a storm and arrive at a motel and your drive has crashed and you reinstall and then the phone lines are down when you try to activate? I've seen a number of desktops, laptops and even servers just decide one day they were no longer activated and require a reactivation or reinstall to fix. I myself also have some laptops with OEM XP which will install and run for years without ever activating, so Windows 7 is not the only (Windows) OS that can do it.

On a related note Windows activation has been cracked multiple times over the years resulting in Microsoft changing and improving the code over time as well as blacklisting some licensed and OEM keys which were widely pirated. This has resulted in a few combinations of install CDs that would not accept the license key on the computer I was attempting to reinstall. Many of us IT folk who dealt with end user workstation installs ended up with multiple XP install CDs so we could use one which worked with a customer's license. By the way, a quick call to Microsoft World Wide Fulfillment with a valid license key would allow purchase of a replacement media for around $20, though it's been quite a while since I last called.

I've chosen the Linux route. For the average end user it's no more difficult to install nowadays than Windows. I run the oldest distro (Slackware) which comes with a stock Kernel compiled to be very compatible. I've taken the drive from a laptop and stuck it in an adapter and booted it in a desktop. Sure I might not have gotten all the extra hardware or X windows to work upon first boot but the Kernel was able to figure out the new hardware and load the right modules to get the system up and running. Try that with XP without a BSOD.

I've seen activation issues over the years with software such as Microsoft Office as well. I've seen compatibility issues even with Adobe PDFs. I have some scans that were created with an old version of Acrobat that the current versions of the reader have to repair them to open them. When I made the Linux switch I started converting everything to as open a format as I could. This way I have no software that needs activation or even a license and my files are more portable to new software should the need arise. One of the things I strongly suggest when you are refreshing your backup media is to test opening various files to ensure the software you have now can open the file you saved many years ago. Lastly there will never be an end to which is more secure, closed (Microsoft, Apple) or open (Linux, BSD) source. Closed source proponents argue that it's harder to find exploits without access to the source while the open source world says more eyes can quality assure it and fix it faster. The closed source software still has the highest number of exploits if you look at statistics though there are many other factors such as size of user base, ease of exploiting, availability of tools, etc. I believe the open source side is a better match to self reliance. - Eugene X.


Saturday, September 7, 2013


(Editor's Introductory Note: The following article is presented as an intellectual exercise, or gedanken. Be forewarned that there are mentions of torture (mental and physical) herein which are of course not conscionable behavior! But this mention is only for the sake of showing the full range of potential interrogation techniques, and as a warning that in the future -- under different circumstances -- you might have to be prepared to resist interrogation. "Forewarned is fore-armed." Again, none of the following is intended to encourage any SurvivalBlog readers to do anything immoral, or illegal, or unethical. It is in your own best interest to learn about interrogation techniques, even if you never intend to use them yourself. If nothing else, this knowledge could prove useful to recognize when subtle interrogation and propaganda techniques are being used against you. - J.W.R.)

(Author's Introductory Note: This is not a manual for interrogation, but rather an attempt to convince the preparedness community of the importance of seeking out references on this topic. The methods and mindsets associated with interrogation are too large to catalogue in even one book, let alone an article.)

"All Warfare is based on deception." - Sun Tzu

In the best case TEOTWAWKI scenarios, such as earthquakes or hurricanes, our survival training and preparedness will enable us to keep ourselves and our loved ones safe until order is restored, and we can get back to our lives. In the absolute worst case scenarios, such as economic collapse, terrible plagues that wipe out large parts of the population, or nuclear apocalypse, the American Prepper may be facing complete anarchy for an extended period of time.  In these scenarios it is highly unlikely that the supplies that have been set aside will last for more than a few months, and I’m sure that your planning on raiding your local Wal-Mart or other superstore, but remember, so is everyone else.  In this new Darwinian world money will have zero value, and there will be two ways in which a lone survivor or a family unit will be able to obtain more supplies. You can barter, or you can take, and in order to take, you must know where the goods are. Now I consider myself a moral man, so the idea of stealing repulses me, especially if that stealing will cost other persons their lives due to starvation or inability to defend themselves. But here is the simple truth, not a whole lot of other survivors will feel that way. In the initial months following the “event” there will be a quick culling of the herd. Those unprepared for the scenario will starve, and those willing to prey on others (I.E. criminals, immoral persons, or simply desperate regular people who quickly adapt an extremist mindset) will stockpile what they can take, while killing those who stand in their way. Of course Preppers will be holed up in bug-out locations, waiting for all this to blow over. But what comes after? Afterwards we will be forced to look outside for more supplies, whether by farming or by scavenging for that which cannot be grown. And here is the basic fundamental fact, others will want what you have, and you will want what others have. 
In talking about these scenarios often basic principles are overlooked. Most importantly that is will be highly unlikely that anything of value will be left at the super-stores. Persons will hide the supplies away. So we must ascertain the locations of these supply caches, but how? We could do house to house searches, exposing ourselves to small arms fire. We could look for camps and appeal to their humanity (it is unlikely that they will have any humanity left at this point). Or, we can approach this situation from a guerilla warfare mindset, and take the information that we need. In order to know where the goods are you will either have to go find it yourself, or ask someone who knows, enter interrogation.  

Enemy soldiers are a goldmine of information. You can learn more information in a five minute interrogation than in a week of scouting. For the purposes of this article I will speak on interrogation as related to a scenario where we are searching for supplies. But there are many other scenarios in which the need would be pressing and undeniable. One of your party’s members has been taken hostage to an unknown location, you capture an enemy scout; will you be able to educe the location of their camp from him? And in doing so save your family/friend? Your group has fallen into conflict with another group, you decide to go on the offensive, you capture one of the enemy scavengers and want to find out all the tactical details of their camp, will he break? You are alone and on the move and become engaged with small arms fire by a small group. Your superior marksmanship and cool head win the day, you kill two and wound one but are injured yourself and it looks bad, you need medical attention. The injured enemy is bleeding out and you don’t have a lot of time, you don’t know the area and need to find medical supplies, can you get him to break before he dies? The applications and need for a thorough understanding of interrogation is obvious. But the area of interrogation as a teachable science is still in its developmental stages by the US Military and Intelligence community. The average American citizen known very little about interrogation methods and most all of what he knows is learned from Hollywood or media reports; not the most reliable sources. I am in the military and have deployment experience in HUMINT operations; I am also a student of Intelligence (About to graduate with a Bachelors of Science in Intelligence Operations) and have studied every reliable source I can find. 
I want to be clear when I say that I am not an experienced interrogator, but rather someone who has conducted a thorough study of materials produced by experienced interrogators and am presenting my findings to you. I will not present you with a roadmap to a successful interrogation. I won’t even concentrate on methods; you can read every book on the subject and still be less effective than someone who has conducted only one interrogation. I will simply dispel myths, and provide several proven guidelines to interrogation so that if the Schumer ever hits the fan, you will be able to develop your skills quicker. Interrogation is something that you can only learn by doing, so read this and know that while you will still be a novice, at least you will be an informed one.

The myths surrounding intelligence are so numerous that it is almost comical. Hollywood depicts interrogations that last a grand total of thirty seconds with the result of a highly indoctrinated terrorist in the corner crying while the hero is shaking hands with impressed onlookers. The media is so busy telling us that torture doesn’t work that they have managed to ignore all other methods used in interrogation. And here is food for thought, if torture doesn’t work, then why has it endured millenniums of use. You’d think if it had such a high failure rate someone would have noticed. You must approach interrogation with an open mind. Here are the best and most easily abbreviated principles. For a more thorough study, see the “KUBARK Counterintelligence Interrogation Manual”. [JWR Adds: "KUBARK" is an obsolete CIA cryptonym for the agency's own name, used in internally-published documents for purposes of deniability for interagency training, or in the event of unintended release.]

  • Just ask first, you never know how unhappy he is in his current organization, you may be the answer to his prayers.
  • A successful interrogation is a process, not a series of events. You can’t torture a subject then five minutes later attempt to talk him into giving up what he knows.
  • You must tailor your methods to the subject, everything matters. Age, sex, ethnicity, all of these have influences that if not respected and worked around can hinder and even kill an interrogation.
  • No matter who you talk to, anyone who has experience with interrogation will tell you that rapport building is the most reliable way to go. Now this doesn’t mean that you need to convince the subject that you are his best friend. But you must get him firmly rooted in a relationship of your choosing, even if he sees you as his enemy, if you can get him to respect you as an enemy then you are well on your way. The roles you can take are limited only by your imagination. But he must perceive you as being in control.
  • Torture is interrogation for the unskilled. Better to break his spirit than his body. But if you must torture, don’t try to be fancy. Waterboarding and car batteries are a lot of work and you run the risk of killing him. Pliers and heated blades are classics but you have to be careful of shock and passing out. Fists are a viable option but make sure you don’t break your wrist hitting him, which would make you look ridiculous and seriously hinder your interrogation.
  • He will be silent, then he will attempt to deceive, he will keep deceiving until you catch him in a lie. Then he will tell the truth.
  • If he fears that you will kill him after you are done, then you may be forced to resort to physical torture. Try not to let him think about that.
  • Never ever lie. He must believe that you will do the things that you threaten to do. Whether you are threatening him or promising reward.
  • Fear is a product of imagination. His imagination will instill in him more fear than anything you can do. Feed that, build on it. Don’t tell him what comes next, let him fear the worst.

Keeping these tenets in mind I hope alongside you that none of us will ever be forced to resort to them. Remember that these are not rules but merely guidelines. And that nothing can take the place of experience. You may have noticed that I spend much of this article justifying the reasoning and morality of interrogation; it is because to me the biggest hurdle of interrogation wouldn’t be the interrogation itself, but convincing my group to allow it. Many people would be willing to kill but for some reason torture is completely unacceptable to them. Keep this in mind, don’t become the evil that you have set out to destroy. At all costs avoid hurting the innocent. But recognize that someday you may be forced to choose between your morals and your life, or the life of a loved one. Only you can make that decision. If you are really interested I suggest that you download a copy of the KUBARK manual, which is an interrogation manual written by an accomplished CIA interrogator in the early 1960s, before such actions were put under government oversight. The science of interrogation is still in its developmental stages, and the current engagements in Iraq and Afghanistan have provided a unique opportunity for experimentation and innovation. Expect some great products and manuals to be produced in a few years. And remember, the best skills that you can use in an interrogation are those that you use every day, the ability to read faces and emotions, the ability to relate and empathize. Trust yourself and be willing to adapt. And good luck.

Bibliography
The Central Intelligence Agency and Dantalion Jones. The CIA Document of Human Manipulation: Kubark Counterintelligence Interrogation Manual. Central Intelligence Agency, Langley VA: CreateSpace Independent Publishing Platform, 2008.

Christopher E. Kelly: “A Taxonomy of Interrogation Methods.” Dissertation, University at Albany, State University of New York, 2013.

Lawrence E. Hinkle and Harold G. Wolff: The Methods of Interrogation and Indoctrination Used by the Communist State Police

National Defense Intelligence: Educing Information Interrogation: Science and Art

JWR Adds: I recommend that anyone who anticipates a societal collapse or a foreign invasion and a subsequent war of resistance should study both counterintelligence (CI) and human intelligence (HUMINT.) Though the terms are often mistakenly used almost interchangeably, CI and HUMINT are distinct spheres. In the context of the DIA and its subordinate agencies the rule is that HUMINTers cannot do investigations and that the CI guys ("Special Agents") cannot do interrogations. (However, CI Agents do some strategic level debriefings.) When deployed overseas, CI operations are conducted "inside the wire" while HUMINT is collected "outside of the wire." (But raw HUMINT is then analyzed and fused behind the wire.)

Coincidentally, the protagonist in my fifth novel ("Liberators", scheduled for release in October of 2014) is a DIA contract CI agent.


Thursday, August 29, 2013


Mr. Rawles, 
I came across this today and thought it might be useful to other SurvivalBlog readers. It is called  JustDelete.me. From the web site:

"Many companies use dark pattern techniques to make it difficult to find how to delete your account. JustDelete.me aims to be a directory of URLs to enable you to easily delete your account from web services."

Essentially it is a listing of links to various web companies where you can delete your account. Currently 129 companies are listed and the site owner has a method for submitting others for inclusion. - Clark H.


Monday, August 12, 2013


JWR;
I had noticed some mention of Tor and I believe there was some mention of alternatives to Tor as well, to better protect one's privacy on the web. I really hate to say this, but, anonymity on the net really only exists as fiction these days. Tor has had problems with its exit nodes for a very long time and there was a lot of talk in the "penetration testing" community about the FBI using Tor to set up stings last summer. One can use a VPN (virtual private network) that claims to keep its users' secrets secret, but there is that incident where a member of "anonymous" had his activities reported to the FBI by the VPN provider he was using. (I believe it was the "Hide My Ass" VPN service). Proxy servers, both public and private, but mostly the public ones, leak tons of information to other people using those networks. Sometimes, a simple program like Wireshark is all that is needed to gather the info required to identify and track users. Let's also mention that the https encryption protocol has also been cracked as well. There is also the i2p network, which until recently was the best way to go for your proxy server needs (in my humble opinion), but even that has been cracked (look up "Practical attacks against the i2p network"). As a person who has dabbled in the field of "penetration testing" I can tell you with absolute certainty that if someone is properly motivated they will crack the programs and services people use to remain anonymous on line, or, those service providers will gladly turn over your info when pressed by law enforcement.

In summary I would like to say that in this digital age, the programs and services you use to protect your data and anonymity may be safe to use today, but probably won't be safe to use tomorrow, or next week. - E.

JWR Replies: Your points are valid. Something that most Tor users don't realize is the last exit node in a Tormail route is not hidden. As far back as 2007, we were warned:

"It should be noted that Tor does not do anything above the protocol level to anonymize traffic. Cookies, browser identification strings and other information can be used to identify who is using the connection to anyone with access to the traffic. Obviously, logging in makes that even easier. Another known threat to anonymity using Tor, even with end-to-end encryption, is timing analysis. If someone can monitor the timing of the packets at the client and those at the server, they can make a statistical correlation between the two."

What cannot be hidden electronically can be exploited by HUMINT methods like Swallow/Raven honey traps, or good old fashioned coercion--whether it is Luigi threatening to use a baseball bat on some SYS ADMIN's kneecaps, or just mentioning that he could have his IRS buddies do six years of tax audits on the IT guy, or on his mother.


Monday, August 5, 2013


Hollywood movies often show secret agents tossing cell phones out of car windows, and grabbing new ones to activate. In today's world of almost universal surveillance and tracking, that is actually fairly good tradecraft. When operating in guerrilla warfare mode, a cell phone that is used more than a few times is a liability. So is a cell phone that is "turned off", but that still has its battery installed. (They can still be tracked.)

In summary, here is some cellular phone tradecraft for times of genuinely deep drama:

1.) Don't create a paper trail when buying clandestine phones. Pay cash for cell phones and don't give your name. Preferably buy them in small stores without video surveillance.

2.) Activate phones only as needed.

3.) Never "recharge" the minutes on disposable cell phones. (This leaves a paper trail--at least leading to the place where you bought a recharge "minutes" card. And buying minutes via a phone call and credit card transaction leaves a huge paper trail.)

4.) Set a "phone talk time limit" for your group, depending on the then-current severity of the threat. Once you've reached the limit for each phone discard it. (But save the batteries, if they interchange.)

5.) Never program any cell phone numbers into your phone.

6.) Also carry a retained "cover" phone, on which only totally mundane (non-operational) calls are made. If you can make your operational phone disappear, then your cover phone will give you some plausible denial. (But you won't be Teflon Coated, since the geographical movements of your cover phone can be correlated to operational events or calls from any of your clandestine phones.)

7.) Discard phones discreetly, with the batteries removed. Alternatively, you can leave the battery in if you want to lay a trail to confuse those pursuing and you suspect that phone location is being tracked. (You can mail the phone to a random address that is a thousand miles away. (Use a padded envelope and just drop it in a mail box.) Or you can leave it in a donation box for regional charity. (These charities usually send donated items to a sorting center.))

8.) Keep in mind that cell phone Subscriber Identity Module (SIM) chips are quite compact and can be moved from phone to phone.

Take a look at the history of how Ryan Fogle was bounced out of Russia. He used some very bad tradecraft. Learn from the mistakes of others.

One final tip: Reader Jeff H. mentioned that Tracfone now sells the LG800G with 1,200 minutes loaded. The nice thing about these is that their minutes never expire. So this sort of phone would be a great phone to buy and just "tuck away for a rainy day."


Sunday, June 2, 2013


Sir:
The situation described in the recently-cited article (New Jersey: Court Upholds Man Arrested For Visible Gun Case In Car) only underlines frequent Rawlesian reminders for maintaining OPSEC at all times.  His arrest might have been avoided had he simply covered the cargo area with a blanket so the cases were not visible.  Hopefully the conviction will be overturned in a higher court under the provisions of the Firearms Owners Protection Act (FOPA).  In general, this states that: "notwithstanding any state or local law, a person is entitled to transport a firearm from any place where he or she may lawfully possess and carry such firearm to any other place where he or she may lawfully possess and carry it, if the firearm is unloaded and locked out of reach. In vehicles without a trunk, the unloaded firearm must be in a locked container other than the glove compartment or console. Ammunition that is either locked out of reach in the trunk or in a locked container other than the glove compartment or console is also covered." (NRA/ILA Guide to the Interstate Transportation of Firearms)  Note, however, the requirement for a locked container.

One wonders if a warrantless search of a vehicle could be justified on the basis of an NRA sticker, or one that reads "This car insured by Smith & Wesson". 
I travel between Maine and South Carolina on a regular basis, having homes in both states.  I avoid driving through New Jersey, but I cannot avoid New York and other unfriendly jurisdictions, and there is always the possibility of someone breaking into your car.  Keeping a low profile at all times is safer, however much you want to advertise your views and affiliations. - Randy in Maine


Friday, April 26, 2013


Dear Sir:
Many are dismayed by the recent Colorado law restricting firearms. But a cursory reading shows that the law only applies to "persons liable" and not the people at large.

Regarding any new law, tax or regulation, remember to ask servant government:
[ ] Whose endowed rights are being secured by this?
[ ] How and when did I give consent to be bound by this?
[ ] What privilege is the subject of this tax?

Because the Declaration of Independence states that
Job #1 = secure rights, and
Job #2 = govern those who consent.

As to consent, let us recall that the republican form of government, as defined, recognizes that the American people are sovereigns, served - not ruled - by government.

Furthermore, the courts recognize that the laws are often limited in scope and applicability.

"In common usage, the term 'person' does not include the sovereign, [and] statutes employing the [word] are ordinarily construed to exclude it."
Wilson v. Omaha Indian Tribe, 442 U.S. 653, 667, 61 L.Ed.2d 153, 99 S.Ct. 2529 (1979)
(quoting United States v. Cooper Corp. 312 U.S. 600, 604, 85 L.Ed. 1071, 61 S.Ct. 742 (1941)).

"A Sovereign cannot be named in any statute as merely a 'person' or 'any person'".
Wills v. Michigan State Police, 105 L.Ed. 45 (1989)

If you thought "government" was sovereign, read these:

The people of the state, as the successors of its former sovereign, are entitled to all the rights which formerly belonged to the king by his own prerogative.
Lansing v. Smith, (1829) 4 Wendell 9, (NY)

At the Revolution, the sovereignty devolved on the people and they are truly the sovereigns of the country.
Chisholm v. Georgia, 2 Dall. 440, 463

It will be admitted on all hands that with the exception of the powers granted to the states and the federal government, through the Constitutions, the people of the several states are unconditionally sovereign within their respective states.
Ohio L. Ins. & T. Co. v. Debolt 16 How. 416, 14 L.Ed. 997

In America, however, the case is widely different. Our government is founded upon compact. Sovereignty was, and is, in the people.
[Glass v. The Sloop Betsey, 3 Dall 6 (1794)]

Sovereignty itself is, of course, not subject to law, for it is the author and source of law; but in our system, while sovereign powers are delegated to the agencies of government, sovereignty itself remains with the people, by whom and for whom all government exists and acts.
[Yick Wo v. Hopkins, 118 U.S. 356, 370 (1886)]

Finally, a non-legal reference that shows our ancestors were better informed:

ALIEN, n.  An American sovereign in his probationary state.
- "The Devil's Dictionary" (1906), by Ambrose Bierce

His audience knew what an "American sovereign" was, to understand the joke.

Reference:
GOVERNMENT (Republican Form of Government) "One in which the powers of sovereignty are vested in the people and are exercised by the people ... directly ..."
- Black's Law Dictionary, Sixth Edition, P. 695

BTW - citizens, by definition, are subjects, because they are obligated to perform mandatory civic duties (i.e., militia duty, jury duty, etc.).
There is no such thing as a sovereign citizen (with a lower case "c".) Which also means that if American people are sovereigns, no one was "born" a U.S. citizen unless they were (a) slaves and (b) outside the jurisdiction of the 50 States united (see: 13th Amendment).

With My Regards, - J.G.

JWR Replies: Sovereignty claims are root-level jurisdictional challenges to the court's relationship to the defendant. While I agree with what you've written in principle, as a practical matter for the past 30+ years the American courts have run roughshod over anyone who has attempted to make any such jurisdictional arguments. This has been true at every level--all the way from local traffic courts up to Federal tax courts. In effect they've corralled everyone into their jurisdiction, and they have selectively tossed out any legal precedents that they dislike, especially those dating from before 1913. Once you step inside their courts, they have you. Even those who rightfully claim to be outside of their synthetic jurisdiction become ensnared by it. And virtually all of the policing organizations enforce that make-believe jurisdiction, despite its contrived origin. So no matter where you go in the 50 States, you are likely to end up in the court system at some point in your life, and 99 times out of 100 you will lose, and this is regardless of how many precedent cases you cite.

Over the past 25 years I've spent hundreds and hundreds of hours researching this, and everything that I've read leads me to the same conclusion: There is precious little justice left in our justice system. It is now more of a "just us" system. And their definition of "us" includes just The Powers That Be. My heart goes out to those who have tried to use sovereignty and other jurisdictional arguments in the courts, but the sad truth is that those arguments are regularly ignored--regardless of their relevance, their merit, or their import. We are now faced with a well-entrenched court system that is adjudicating statutory cases (malum prohibitum) just as if they were malum in se cases.

Don't expect to find any "silver bullets" in case citations that pre-date their more recently created (and corrupted) court system. In effect, the courts are now little more than tools of the cabal formed by the fractional reserve bankers, the statist/collectivist state and Federal legislatures, the FDR/BHO school of executive action, and their taxing agents with the BATFE and the IRS. If you fight them on jurisdictional grounds you will nearly always lose. Tilting at windmills may seem noble, but it isn't when they've put liens on your bank accounts, garnished your wages, snatched your kids with their CPS goons, thrown you in jail, or caused you to lose your job/shut down your own business. I've seen many lives, marriages and fortunes ruined by folks who did not choose their fights wisely. Be wise as serpents and meek as lambs. Don't go to war with them over trifles!

Yes, I know, I know, "The first in the order of pleadings is to the jurisdiction" and a court can't proceed with the facts of a case until its jurisdiction has been established. And yes, there are some strong cites out there, such as:

"Once challenged, jurisdiction cannot be assumed, it must be proved to exist." Stuck v. Medical Examiners, 94 Ca 2d 751. 211 P2d 389.

"Once jurisdiction is challenged, the court cannot proceed when it clearly appears that the court lacks jurisdiction, the court has no authority to reach merits, but, rather, should dismiss the action." Melo v. US, 505 F2d 1026.

"A universal principle as old as the law is that a proceedings of a court without jurisdiction are a nullity and its judgment therein without effect either on person or property." Norwood v. Renfield, 34 C 329; Ex parte Giambonini, 49 P. 732.

"The law requires proof of jurisdiction to appear on the record of the administrative agency and all administrative proceedings." Hagans v. Lavine, 415 U. S. 533.

"A court cannot confer jurisdiction where none existed and cannot make a void proceeding valid. It is clear and well established law that a void order can be challenged in any court" Old Wayne Mut. L. Assoc. v. McDonough, 204 U. S. 8, 27 S. Ct. 236 (1907).

"There is no discretion to ignore lack of jurisdiction." Joyce v. U.S. 474 2D 215.

"Court must prove on the record, all jurisdiction facts related to the jurisdiction asserted." Latana v. Hopper, 102 F. 2d 188; Chicago v. New York, 37 F Supp. 150.

"The law provides that once State and Federal Jurisdiction has been challenged, it must be proven." Main v. Thiboutot, 100 S. Ct. 2502 (1980).

"Jurisdiction can be challenged at any time." and "Jurisdiction, once challenged, cannot be assumed and must be decided." Basso v. Utah Power & Light Co., 495 F 2d 906, 910.

"Defense of lack of jurisdiction over the subject matter may be raised at any time, even on appeal." Hill Top Developers v. Holiday Pines Service Corp., 478 So. 2d. 368 (Fla 2nd DCA 1985)

"There is no discretion to ignore that lack of jurisdiction." Joyce v. US, 474 F2d 215.

"The burden shifts to the court to prove jurisdiction." Rosemond v. Lambert, 469 F2d 416.

"Jurisdiction is fundamental and a judgment rendered by a court that does not have jurisdiction to hear is void ab initio." In Re Application of Wyatt, 300 P. 132; Re Cavitt, 118 P2d 846.

"Thus, where a judicial tribunal has no jurisdiction of the subject matter on which it assumes to act, its proceedings are absolutely void in the fullest sense of the term." Dillon v. Dillon, 187 P 27.

"A court has no jurisdiction to determine its own jurisdiction, for a basic issue in any case before a tribunal is its power to act, and a court must have the authority to decide that question in the first instance." Rescue Army v. Municipal Court of Los Angeles, 171 P2d 8; 331 US 549, 91 L. ed. 1666, 67 S.Ct. 1409.

But good luck citing those decisions in today's courts! In most instances they will simply be ignored. The courts are no longer concerned with what is right, fair, and just. Rather, they are concerned with gathering revenue and perpetuating their new-found powers.

The only good news that I have to offer is that although jurisdictional challenges have been consistently ignored, there has at least been some success in getting juries to nullify bad laws. I enthusiastically support the Fully Informed Jury Association. In summary: We The People have failed to convince the judges that they lack jurisdiction over Sovereigns, but at least we can still educate the juries of our peers, and convince them to nullify bad laws, on a case-by-case basis. As long as there is still a jury system for criminal trial in this country, then there is still hope for justice.

If ever you end up in court fighting an unconstitutional felony charge or if you are at risk of losing custody of your children to the state, then yes by all means, challenge the court's jurisdiction from the very outset. But if you fail that, then do your utmost to educate the jury that they have the long-established power to weigh both the facts of the case and the validity of the law itself. Lex mala, lex nulla! And jury nullification can work regardless of the wording of the Jury Instructions from the court. In the end, once the jury room door is shut, the judge is powerless and your fate is entirely up to the jury. May God Bless You and Protect Your Liberty!


Monday, April 22, 2013


Jim.
I learned something from the recent Boston terrorist incident....though it passed very quickly in a reporter's interview - and even though the reporter was interrupted and didn't get to finish her thought.

In regards to one of the bombers, the reporter said something like  "We can tell from the contents of his "Wish List" online, that he"  ........(not exact quote).

so...

I was aware that Amazon.com had a "Wish List" that shoppers can create.  I had NOT been aware that you can search for anyone's "Wish Lists", but you can.

So everybody needs to know that any Wish List they have at these online sites which can be accessed by others, CAN BE ACCESSED BY JOURNALISTS OR POLICE INVESTIGATORS, simply by searching for a name or an e-mail address.

MORAL OF THE STORY: If you don't want others to know your preferences, then don't leave anything on your Wish Lists. - O.H.

JWR Replies: Reader Papa in Mississippi mentioned: "Wish List settings can be changed to 'Public' (anyone can see), 'Shared' (invited people can see), or 'Private' (only you can see – which sorta defeats the purpose of a wish list.) The default is 'Public' which the vast majority of people probably never think to adjust."


Thursday, April 11, 2013


Good Day James,
I'm a long time fan of your books and your blog. Thanks for all that you do. There is some great information there. I am interested in finding out if your [local] group or another group has established any ham radio frequencies that may serve as a beacon of information in a SHTF situation, or are you totally off the grid when that time comes? I do have your IP written down, but was just curious... Regards, J.M., USMC

JWR Replies: The folks at Radio Free Redoubt are already doing a fine job of coordinating communications with their AmRRON Communications Nets. Their fine efforts have even included crypto, via one time pad generating software. To clarify: Radio Free Redoubt is a separate entity that is loosely affiliated with SurvivalBlog and it is the voice of the American Redoubt Movement. Both Radio Free Redoubt and their AmRRON Communications Nets have my support and approval, but I must remind folks to be sure to maintain vigilant OPSEC and COMSEC!


Sunday, March 10, 2013


Then Isaiah said to Hezekiah, “Hear the word of the Lord of hosts: Behold, the days are coming when all that is in your house, and that which your fathers have stored up till this day, shall be carried to Babylon. Nothing shall be left, says the Lord. And some of your own sons, who will come from you, whom you will father, shall be taken away, and they shall be eunuchs in the palace of the king of Babylon.”
Isaiah 39:5-7

God’s word to Hezekiah, king of Judah, through the prophet Isaiah immediately followed a dramatic sequence of events that twice should have led to Hezekiah’s death, but ends with his miraculous healing and a visit by Babylonian envoys bearing gifts and congratulations. Hezekiah welcomed these envoys gladly and, for some reason, decided to show them “his treasure house, the silver, the gold, the spices, the precious oil, his whole armory, all that was found in his storehouses. There was nothing in his house or in all his realm that Hezekiah did not show them.” Isaiah was not aware of the envoys or their grand tour, and upon discovering their presence began questioning the king about them and what they had seen. The king’s confession prompted Isaiah’s prophecy above, and so it was that some 100 years later the first wave of Babylonian invaders began to deport Jews from their Judean homeland into what became known as the Babylonian captivity.

My theological beliefs hold that God is sovereign in all things, and He used Hezekiah’s actions and the subsequent Babylonian invasion to ultimately point the Jewish people back to Him. I also believe Paul in his second letter to Timothy when he said “all Scripture is breathed out by God and profitable for teaching, for reproof, for correction, and for training in righteousness.” (2 Timothy 3:16). It follows then that the Bible is replete with great examples of how we should live our lives daily, not just in a spiritual sense, but in a very practical sense. God used Hezekiah’s mistake as part of His ultimate plan of redemption, but that does not take away from the fact that Hezekiah made a very grave error in judgment by laying open all the possessions and capabilities of his kingdom to foreign visitors, ultimately making and giving justification to their later invasion.

So what lessons do you and I stand to learn from Hezekiah’s actions? Any student of history, and certainly any frequent reader of SurvivalBlog, should be intimately familiar with the concept, application, and importance of Operations Security (OPSEC). However, being familiar with OPSEC and putting it into practice are two very different topics. Today we face the same danger that Hezekiah faced. Relatively speaking, things are good for many of us in this day and age. We lead busy, active lives and while we know dangers exist, our busy lives have a way of lulling us to sleep and coaxing us to take our guard down because total chaos has been averted for yet another day. Just as you should not wait for a disaster to begin making use of your preparations and training, you should not wait to begin practicing OPSEC in your daily lives.

Where do you start? Any writing on OPSEC that tries to address the entire concept in a few short pages is being overly general and probably not very useful. With that in mind, I will try to focus on one specific aspect of OPSEC: the role of critical information in maintaining essential secrecy.

Let’s begin with two definitions:
Critical information is that information that is either 1) important to you successfully achieving your objective or mission (i.e. your route to your retreat WTSHTF) or 2) information which may be of use to an actual or potential adversary (i.e. the fact that you have a deep larder when Wal-mart’s shelves are empty and never being restocked).
Essential secrecy is actually a condition that is achieved by denying critical information to actual or potential adversaries, through the combined means of traditional security (physical boundaries, guards, etc.) and OPSEC.

As preparedness-minded people, our goal is to maintain some type of essential secrecy. Note that there is a difference between maintaining essential secrecy and being paranoid. If you treat everyone in your life as a potential adversary, then you already have little hope of surviving, much less thriving, through TEOTWAWKI. This is where the often understated importance of community comes into play. It is a subject that I feel we do not emphasize often enough, but nevertheless, it is not the topic of this article.

We achieve and maintain our essential secrecy by protecting our critical information. In DoD parlance, it would be incorrect to refer to your critical information as “secrets,” but for our practical purposes it is fundamentally the same thing as few of us have a tiered system of classifying documents. To practice OPSEC is to keep your secrets secret. One of the first and most important steps in the OPSEC process is to identify information about you and your capabilities, activities, limitations (including vulnerabilities), and intentions (CALI) that you consider to be critical in nature. What is critical, you ask? Naturally, it depends.

Immediately, the size and location of your larder, the grid coordinates to your retreat, and your bug out route may come to mind. Yes, these are very important capabilities and activities, but do not stop there. Go back to the CALI acronym above. We like to focus on positives - the fact that we have made preparations and plans. Equally as critical to the things that we have done are the things we have yet to do - our limitations and vulnerabilities.

As you begin to formulate in your mind what information you would classify as critical, it is good to set a few parameters. First, you should initially limit your list to ten items. Over time and as your OPSEC practices improve, this list can expand. Trying to prioritize pieces of information in importance can become cumbersome, which brings us to the second point, prioritization. To those in your immediate circle who are like-minded and cooperatively preparing with you, your critical information will be common knowledge. However, as new members are brought into the fold, the extent of their knowledge of your preparation should be based on your critical information list and revealed incrementally as deemed appropriate by their proven level of commitment and upon approval of the primary members of your group. Next, the critical information list should be physical in form and its content and importance known by all in your group, with the understanding that its existence highlights the importance of keeping it secret from those outside. Why keep a hard copy? To serve as a reminder of what is at stake. If you cannot protect that document, what makes you think you can protect your family during a disaster? Finally, your critical information list is a living, breathing document. As your level of preparedness changes, so too should your critical information change. You should reexamine and update your critical information list quarterly, ideally at the conclusion of a rehearsal or training event (you are rehearsing and training for WTSHTF, right?).

The ability to protect your critical information is a result of the total process of OPSEC, rather than a few simple, one-time steps that will lead you down a mythical yellow brick road to essential secrecy. The fight to protect yourself is ongoing and ever-changing. This process only begins with identifying your critical information. In order to protect that, you must analyze threats against you, analyze your own vulnerabilities, assess the inherent risks, and implement measures to counter each of these areas. Each of these steps in the process has been the subject of countless pages of analysis and policy implementation, but for all the various means of implementing OPSEC, the first step will always be to identify your critical information. Without knowing your most important secrets, what use is it to plan painstaking measures to protect them?

To conclude, let’s go back to our analogy using King Hezekiah. We see that he exercised absolutely no discernment when it came to protecting the critical information and CALI of the Kingdom of Judah from his Babylonian guests. The foolishness of his actions, however, was all too clear to Isaiah when he learned of what had transpired, and God revealed to him the prophecy of what was to come for the people of Israel in the future as a result of these acts.

Now think about your own experience in taking steps to be prepared for the unforeseen. Whether you are preparing for a complete economic meltdown, an infrastructure-crippling CME event, or next year’s hurricane season, there are certainly things that are better left unsaid, especially to those who do not bother to rein in their own tongues or some who would undoubtedly turn to barbaric behavior as a result of their own failure to prepare. Perhaps you have even made an error in judgment of another’s character and trusted them with information that you now regret. Now is the time to begin systematically structuring your OPSEC plan so that it is an inherent, organic part of your preparedness plan, rather than a simple buzzword in your prepping vocabulary that you use on occasion. “An ounce of prevention is worth a pound of cure,” so spend this weekend identifying your critical information and start taking steps to protect it. Do not let the wisdom of the Bible as portrayed in Hezekiah’s mistake slip by unheeded.


Monday, March 4, 2013


I recently heard from one of my readers who holds a Top Secret clearance and who has SCI access. His clearance was up for a Single-Scope Background Investigation (SSBI) periodic reinvestigation (PR). These SSBI-PRs are standard practice for anyone who holds a Top Secret clearance with access to Special Access Programs (SAPs), Sensitive Compartmented Information (SCI), or nuclear ("Q Access") programs. He told me that he was the subject of an "Expanded Reinvestigation" and in the course of that investigation he was challenged by investigators about his loyalty. The challenges, he discovered, were based upon his e-mail history and the assortment of books that he had purchased for his Kindle reader. Among other prepper-oriented books, he had Kindle copies of all three of my novels, and the investigator's report specifically mentioned them as suspect.

I find it almost comically absurd that for someone to possess copies of novels that have been on the New York Times bestseller list is somehow "Un-American" or "disloyal." But there you have it. We have now reached the era of ultimate inversion. The kissing cousins of the Stasi have been put in charge of guarding the hen house. They have unilaterally declared that family preparedness is now disloyal and unpatriotic. So being prepared like a Boy Scout and stocking up on canned goods like your grandmother is something suspect, or somehow sinister. Lord help us.

At the risk of having my blog's web statistics take a hit, I feel obliged to warn my readers: If you are in a "position of special trust and confidence" (you know who you are: You hold a TS clearance with a bunch of funny little letters following the "TS") then I recommend that you take the following precautions:

  • Completely avoid using any government-owned computer or network for web surfing. Use only privately owned computers and non-DOD/non-government networks.
  • Use The Onion Router (Tor) for all of your web browsing. If you are not familiar with Tor, then get up to speed quickly.
  • Use anonymous re-mailers for any e-mails that say anything more than: "I miss you and I can't wait to get home from this deployment."
  • Use an inexpensive VPN service.
  • Be very careful about how you phrase your e-mails, even if they go through a re-mailer and use strong encryption. Warn all of your friends and relatives to do likewise in their e-mails to you. (Since the contents of incoming e-mails can be nearly as damning as outgoing e-mails, in the eyes of investigators.)
  • Rather than copying and pasting the text of anything controversial from any web site, instead send just Permalink URLs, couched with statements like: "I haven't had the chance to read this yet, but Bob said it was worth reading" (or some such.) This will provide plausible deniability.
  • If you buy any books that might be deemed controversial then buy only hard copies, pay cash, and don't leave a paper trail. I would suggest gun shows, preparedness expos, and "brick and mortar" bookstores are the best places to buy such books. If you are deployed overseas, then have your relatives buy books for you and ask them to send them to you in Flat Rate boxes.
  • Don't consider ANYTHING you do over the Internet to be "secure", even if you use strong encryption.
  • Get in the habit of sending traditional typed or hand-written letters. If you are worried about the receiver of the letter being under surveillance (a warrantless Postal Mail Cover), then put their address in both the TO and FROM blocks on the envelope.

The foregoing precautions are now recommended only for folks with a Top Secret clearance that requires a SSBI. But everyone else reading this should pay attention. Who knows? You may need to take similar steps, if the statists tighten their grasp on our collective throats. - J.W.R.


Saturday, February 16, 2013


The biggest threat to this country right now is the Socialist/Progressive movement that includes the belief that we should not be “America the great, the free”; that we must take our appropriate place among the world leaders as equals, and that we must “spread the wealth” to ensure “social justice”.  In the end, this type of thinking leads to a one-world government under the leadership of a “benevolent” governing body who controls our every move.  This belief has undermined the security of this country and exposed us to those who would have us dead - the external threats.  The internal threat is the systematic weakening of our constitutional rights and the socialization of our country.  There is no other modern society on the face of the planet that has enjoyed the prosperity that Americans have enjoyed.  Our success was built upon the Constitution, freedom to prosper, the belief in God-given unalienable rights, and Christian principles.

The conclusion that I have come to, outside of water and food storage, arms, self-sufficient lifestyle, etc., is that we must learn to live a double life.  We must give every appearance of being good little citizens (sheeple), while secretly preparing to go underground, to disappear, and to live invisibly.  Why?  Because we could become targets, be labeled “terrorists”, or deemed a threat to national security, because we disagree with the direction our country is headed, because we speak out against government overreach.

I have spent many years reading every book/blog/opinion on privacy and security and I am a security professional by trade.  I learned the most from J.J. Luna (his blog and book “How To Be Invisible”.)  The biggest challenge with living under the radar is that we live in an interconnected society; most transactions that we make are electronic, which means there is a paper trail.  We bank electronically, we communicate electronically, we buy and sell electronically (point of sale systems at grocery store, gas station, etc.).  Smartphones and technology services like OnStar (in our cars), make our geographical location “traceable”.  Our personal records including medical, educational, employment, familial, and financial records are all in electronic form and stored in vast databases.  Everything about us is known.  There is no hiding place, unless… we create a separate identity for ourselves.  I am not talking about illegal activities, fake ID’s, or anything of that nature.  I am talking about becoming largely invisible on the one hand, and being totally visible on the other.

Your visible self has a home and an address, is known in the community, works a job (hopefully), participates in community activities, and conducts itself normally.  This is the self that you will maintain.  Your invisible self has no name, no address, is not known outside of the closest family members and trusted individuals, uses cash, not credit, barters for daily needs, and lives as self-sufficiently as possible.  If you had to walk out your front door today, never to return, while making it appear that you are still actively participating in your life, how could you do that?

The process for living a double life is fraught with difficulty because we are upright, law abiding, Christian people.  Nonetheless, we must think about, study, and learn what other peoples in other countries have done to protect their lives and their families under despots, oppressive regimes, and under threat to life and liberty.  Thinking like this is foreign to Americans because we have enjoyed liberty and luxury for generations.

If you are not following me, let me recap the necessity of creating the alternate you.  There is the possibility that our government may become hostile and oppressive, demonstrated by the slow and consistent erosion of our constitutional rights.  There is the possibility that our country could be invaded by hostile forces.  It is also true, that we may, at some point in our lives, need or want to drop out of sight to protect our privacy due to a frivolous lawsuit or due to a stalker or just plain exhaustion from the rat race.  We must acknowledge that our true selves have no place to hide, due for the most part to advanced technology and electronic communications.  Dropping our true selves out of sight is problematic and garners attention.

We must keep our visible self visible, and our invisible self invisible.

The following are steps we can take to create our alternate life, while operating within the law (each step explained further following the list):
1. Create anonymous, cash-based, home based, side businesses (may include bartering).
2. Operate outside the banking system with your new alternate source of income.
3. Pay cash for any purchases relating to prepping, purchase in small, consistent increments.
4. Locate and lease or buy with cash alternate accommodations/housing, private-party, avoiding credit checks/paper trail.
5. Keep a low profile.
6. Register vehicles (must be paid off) in a company name.
7. Prep the alternate location, plan the route out, and practice the plan.

Here they are, in detail:

1. Anonymous, cash based, home based businesses.
Keeping food on the table and a roof over your head is the highest priority, correct?  Like most people, we have to work for a living.  If you have a current job, keep it and do well at it.  In your spare time, you must start several side businesses that operate on a cash basis.  You will report your net income to the IRS because it is the law, but you are not required to divulge what your business does.  For taxation purposes, your business entity is you.  If your business is primarily services related, you do not have to deal with the local sales taxing authorities if services are not taxed in your state.  If you must sell product, it is taxable.  If you are required to register your business in your state, county, city, do so, but do so carefully.  At no point in the process will you reveal your real name, real address, or provide any information that leads back to you.

Frank A. Ahern has written a couple of books (if you can get over the profanity) that reveal how skip tracers (and anyone in law enforcement) track people down. The information he provides will be invaluable when it is time for you to disappear from your visible life, or when you need to conduct your invisible life while maintaining your visible life. Since skip tracing became an unpopular and illegal activity, Frank decided to reengineer himself into a privacy consultant. His focus is on disinformation and I found the idea very tantalizing. If I could put enough wrong information about myself “out there” (on the Internet, in the various national databases), I could be quite hard to find if I decided to disappear.

Another useful book, Hiding from the Internet: Eliminating Personal Online Information by Michael Bazzell, offers step-by-step instructions for eliminating your personal online information. A very simple method is to Google yourself, and try various incarnations of your name(s). For each web site where your personal information appears, follow the instructions for removing your personal information. Many data aggregators provide a way to do that online and some make it very difficult. Set up a Google alert on your name, so that each time your name(s) appear online, an email will be sent to you. In keeping with Ahern’s strategy, rather than remove yourself, request your information be modified to “more accurately reflect your information”. Get the idea?

It is funny (and sad), but what you will need to do is think like organized crime does, without committing any crime.  Your cash based business will not have a web site, a Facebook page, business cards, a sign on the side of your car, a listing in the phone book, or any other vestiges of marketing.  How do you market it? Word of mouth. (More options, such as Internet Businesses later on). Yes, it is the underground economy that you will be entering. However, you will report your income and pay taxes on it, like a good citizen (sheeple). You will never accept a check – only cash, cold hard cash.

Sit down and do a detailed skills assessment. What are you good at? My skillset is in technology, security, and privacy. I am in the process of reviving a side business that helps individuals and groups use technology privately and securely. I wish I had skills in many homesteading areas, but I am trying to teach myself. A fair trade in my mind would be to trade my skills for your farm fresh meats and produce, and handyman services. For those who can pay for private security technology services, I would arrange for my services at very reasonable barter prices. After all, I do not expect the top dollar consulting pay I make in the “real world” in exchange for complete privacy and cash. In a bartering economy, the price is determined by the demand. Right now, I see very little concern among individuals as to their online privacy and security. The demand will come when the time is right. Suffice it to say, at some point you will need to communicate using the Internet in a completely anonymous way. You will want to erase your Internet footprints and fingerprints; you will want to request deletion of your information from public and private databases, you will want your home computers safe from prying eyes, and highly sensitive electronic information safe from disclosure or confiscation, and you will want to be able to circumvent government sponsored censorship of Internet resources. Unless you plan on using carrier pigeons, smoke signals, or plan to never again communicate with your family, this is a skill you must have.
Is an Internet business the right thing for you? It is if you can manage the complexity, security, and privacy components of it.

An anonymous Internet business requires a wide variety of skills, mostly related to technology. It is possible to create one in an anonymous and secure fashion, but it is not easy. You will need to consider such things as web hosting offshore, out of U.S. jurisdiction. However, even then, transborder communications are monitored by the National Security Agency and the Department of Homeland Security, so why make your web site a target of suspicion by offshoring hosting? It would be better to use a local hosting company and retain control over your web site security and data, or host your own equipment (not from your home – yes, it gets complicated). Either way, there is a lot to understand, think about, and pay attention to. If you used PayPal (recommended) for payments via your web site, PayPal will verify you are who you say you are when you open an account. PayPal also requires a verifiable bank account for you to access your cash quickly (instantly via ATM and several business days for bank transfers). In recent times, PayPal has started to insist on social security numbers and date of birth, especially if you try to use a PayPal account sans a bank account. In all cases, it would be very tricky indeed to keep your Internet business from pointing right back to you. You could go the BitCoin route, but I have not tried that yet, so I cannot advise. Unless you have the skills to set up a completely anonymous Internet business, do not do it.

Another option is to begin your new cash business behind the doors of your existing business. Isn’t that what organized crime does? The only legality concern is income and taxes. If you keep it clean, legal, and safe, it shouldn’t be anybody’s business what you do in your own space, owned, or leased.
The goal is to create alternate revenue streams “off the public books” and out of the public eye, so if you have to walk away from your real job, you won’t starve.

2. Operate outside the banking system
Operating outside the banking system is extremely difficult. If you work for a large employer, like I do, paychecks are auto-deposited. Even the Social Security Administration is requiring recipients to provide a bank account for funds deposit. It used to be that SAR (Suspicious Activity Reports) were only created by a bank when a $10,000 or more cash deposit was made, but I heard recently through the law enforcement grapevine, that even $5,000 and as little as $3,000 cash deposits are being tracked and reported by your bank. If you think your bank account is yours, it’s not. It’s the bank’s and they are being called upon to report more and more details about cash transactions (to the FBI). The only solution is to keep your cash “at home”. There is plenty written on survivalblog about how to hide cash. J.J. Luna also offers a book and advice on how to hide cash.

I have tried numerous times to operate on a cash basis and I have found it extremely difficult in our modern society. Take a simple example, like filling your gas tank. I’m used to swiping at the pump and when the weather is cold, I don’t like walking “all the way” over to the main building, going inside, waiting in line, to pay the cashier, walking back to the truck, etc. Wow. We have become so spoiled, and we are accustomed to convenience. I’ve tried to use cash for grocery store runs that include stocking up, and find that I filled my cart with more than I had the cash to pay for, so I swiped the card. Living on a cash basis requires extreme discipline. No more Internet purchasing (my favorite!), no more plastic. The only way to keep your private life private is to live on a cash basis. However, I am not advocating a total cash based life. Your public life needs to remain normal looking and your bank account transactions need to appear normal. Your private (invisible life) needs to utilize cash. Keeping the two separate is where the extreme discipline comes in.

Basically, you will have to earn cash from an alternate cash based business, and you will have to purchase items using cash. This is inconvenient. In order to avoid suspicion, don’t buy bulk all at once. Recall earlier last year when the FBI issued the “Potential Indicators of Terrorist Activities”, part of the “Communities Against Terrorism” program – someone’s really bright (read stupid) idea, that gives the federal government a basis to target ordinary citizens and classify them as terrorists. Google it. You will be aghast at the list of ordinary activities that are being classified as “potential terrorist” activities.

Here’s how I decided to attack this problem of buying bulk: I slowly increased my normal shopping routine to include bulk items, so that over time, my normal purchasing habits have remained consistent. I shop at a Super Wal-Mart (great place for bulk items at low cost). I don’t order emergency supplies over the Internet. I don’t walk in and make a several thousand dollar purchase. I know this sounds really ridiculous, but we are being watched.

Perhaps someone just needs to pay you by check and you agree to accept it (this applies only to low denominations). Don’t think you can go to that person’s bank and cash it at the teller window without some effort. I tried this once and was asked for a fingerprint, ID, and was charged a $5 fee, and the teller stared at me and was rude (the check was for $1,000). Just stick with cash.
If you need to get cash from your checking or savings account in order to have cash on hand, start by making it a habit of withdrawing small amounts of cash at the ATM, slowly, over the course of time – payday would be a good day to target – everyone takes out a little money on payday. Don’t show up at the bank and withdraw thousands of dollars at any one time. Isn’t this ridiculous?

3. Pay cash for any purchases relating to prepping, purchase in small, consistent increments.
I know it feels good to make that bulk food purchase online and have it shipped to your home or alternate address in unmarked boxes, but that purchase is traceable to you and puts you on the “potential terrorist” watch list, right? If you have already done it, don’t worry about it. Moving forward, don’t do it again. You may have to start planning mini vacations to visit suppliers and pay cash for your purchases. Try to purchase in prepper friendly states, such as Idaho, Nevada, Utah, and Wyoming. My tack has been to stock up incrementally during regular purchases. I established a pattern of purchasing over the past two years that allows for stocking up while appearing to be the usual shopping. While some have advised purchasing outside your area where you are known, I prefer shopping at my local Wal-Mart Superstore where the cashiers are friendly local people used to my dragging two full carts through the registers every other week. I don’t call attention to my purchases by doing “extreme couponing”. I make small talk with the cashier and ensure that I mention how relieved I am to be able to do my monthly shopping on one trip, how expensive teenagers are, along with other seemingly useless conversation. It’s a good idea to not be overly friendly, but polite and engaging. Ask the cashier how his or her day is going while your purchases are mindlessly scanned through.

4. Locate and lease or buy with cash alternate accommodations/housing, private-party, avoiding credit checks/paper trail.
This has been the most difficult objective for me personally. I do not have the financial means of buying suitable property outright (cash) in addition to my primary residence. The only option for me is to “lease vacation property” from a private party. J.J. Luna has excellent advice on how to lease anonymously using cash. He suggests making a larger than normal cash deposit with the private party owner (you will not go through a realtor or property management company) in exchange for anonymity. Use any excuse you want to ensure the landlord understands your need for privacy (abusive ex-spouse, stalker, high pressure/high visibility sensitive position, etc.). You will always pay with a cashier’s check. If the landlord wants to see your ID, you offer your passport as proof of citizenship, not your driver’s license or other documentation, and you never offer your social security number or consent to a credit check. References are the easy part. The best way to get this accomplished is to take vacation time to explore the various areas of interest and inquire in person at the local establishments (coffee shop, supply store, etc.). You could order the local paper, but make sure you have it sent to your P.O. Box rather than your home address. Little towns are also well known for their enjoyment of gossip. As long as you take care of the property and are seen to be vacationing there frequently, are friendly and helpful to the locals, your intermittent presence should not be a problem.

5. Keep a low profile.
This is more difficult for some than others. I have an introverted personality and I naturally keep a low profile. I’m a geek. My husband, on the other hand, is in Sales and he is extroverted, enthusiastic, popular, active, and involved in the community. Everyone in our community has his personal cell phone number. Coaching him over the last several years to “tone it down” has been difficult. My advice is: dump the expensive watch, fancy car, name brand clothes, and shoes, cool it on the aftershave, and stop making our home the hub of every get together. Hmmm. I sound very bah humbug, but we need to divert the entertaining to some neutral territory, like the local pub or restaurant.  

Get off Social Networking permanently, never to return.
Or alternatively, create the “fake you” Facebook page and post inane, funny, silly things, being careful to keep pictures of yourself and family members out of Facebook’s databases, never let anyone in your community know where your retreat property is, don’t post pictures of it on Facebook, comprende? One of the biggest mistakes we all make in our technologically advanced society is to forget that our technology is our undoing. Every “word we’ve spoken” (in email, on the web) is recorded somewhere and most likely resides in a database somewhere. If the government really wanted to hunt you down, it would be easy – you gave them all the information they wanted by emailing a family member, posting on Facebook, or starting a blog.

At a recent family gathering, we had a huge discussion about how we needed to stop discussing “prepping” on e-mail.  This is so hard to do.  We are geographically dispersed and email is soooo easy to use.  We only see one another a few times a year.  I don’t know the answer.  

We made a huge decision to close our small, local business this year. This will give us the flexibility to leave when we need to. The Pros and Cons were weighed over and over and over. The Cons won. We have cited “health” reasons for closing our business.  We agreed to make the time to take small trips throughout the year to investigate properties we could lease. We will treat our time together as mini-vacation/honeymoon time.

6. Register vehicles (must be paid off) in a company name.
If you ever had to leave Dodge, it would be a very good idea to leave in a nondescript vehicle that was registered in a private company name, not your own name. It is important that the vehicle be in good working order so as not to arouse suspicion or the attention of the highway patrol. Now that the highway patrol makes use (in many states) of hi-tech scanners, they don’t have to pull you over to “run your plates”. It’s done automatically as soon as your vehicle is in range. If, for some reason, you found yourself on an “undesirable prepper” list, it would be wise to ensure that your escape vehicle was not linked to you personally in any way. Now, of course, if you get pulled over, you have to show your driver’s license. Some people are quite stubborn about handing over a driver’s license when being pulled over, but I suggest to you that if you want to be on your way quickly, cooperate with “license and registration please”. It’s easy to explain that the car is a “company car” and you and your family are going on vacation to Whereverville. Always make sure the lights are working all the way around and for gosh sakes, don’t speed, or do anything stupid, like flip off a trucker, to garner attention. J.J. Luna offers help and advice on his blog as to how to register your vehicle in a private LLC.

7. Prep the alternate location, plan the route out, and practice the plan.
No need for any embellishment here – the expert content is on SurvivalBlog. If you really had to leave your home for an extended period of time, make sure your preparations have included securing the home you have left behind. My plan is to change the way we live slowly (but quickly, if that makes sense), to include long “vacation trips”, so that we spend time at our retreat property at least several months out of the year to begin with, and extend that duration over time, so that it seems quite natural to be gone frequently. As far as our friends in the community would know, we decided to take life a bit easier and really enjoy our retirement. Other “excuses” you could propagate are “my husband/wife took a job in Whereverville (not your retreat location please!) and the only way we can make this work for our family is to spend time in both places”. Alternatively, how about, “oh my mom and dad are not well and we committed to spending more time with them”. On the other hand, “life is short, we are out having fun and seeing the world!”.  

A note to those who are averse to telling a lie:  If the Gestapo were banging on your door, asking for the whereabouts of a family member, would you tell a lie to protect their life?  Think about it.  Get in the habit of providing lots of information without providing any information at all. Don’t mention the name of the town where your retreat is, don’t write it down, don’t put it in an email, on Facebook, don’t search the Internet for properties from your home computer, etc. Keep it in your brain and don’t ever keep a paper trail, electronic or otherwise. When you are at your retreat location, you will be using cash not your bank card. Your bank card transactions are perhaps the single most effective way of tracking you down. Don’t use it to fill your tank when you are on the road. Frank A. Ahern shares some interesting stories on this topic in his book. He suggested creating fake paper trails in locations quite far from your retreat location. His suggestions included putting in an application for a rental apartment, replete with credit check (to create a false record), purchasing small items at a local store, signing up for telephone service, and even opening a checking account at the local bank, only to abandon completion of the above tasks. These actions create the illusion that this is where you are going to move to. Meanwhile, you are on the other side of the country, anonymously, prepping your retreat.

In conclusion, my twist to surviving what is coming, is to live a double life, and slip out undetected when the time is right. The detail required to live a double life is overwhelming, but start small and try to work through each major category a little bit at a time.  Keep in mind at all times that we are being watched, Big Brother is here, and you never know when your name will show up on an “undesirable” list.  Be safe and Godspeed.


Monday, December 10, 2012


SurvivalBlog readers often buy gear for their retreats using Craigslist and Internet message boards such as Buddy's Board and eHam. There are some genuine bargains out there, but be advised that these web sites have become the favorite hunting grounds of Nigerian Scammers. They prey upon people who are looking for bargains. Typically, the scammers place fraudulent ads offering items for sale in the Want To Sell (WTS) category, or they respond to Want To Buy (WTB) ads.

Some Red Flags that may indicate that you've been contacted by a Nigerian merchandise scammer:

1.) The seller offers new or like new merchandise for around 1/2 of the regular retail price.

2.) The seller writes in broken English, and with strange punctuation.

3.) The seller seems ignorant about the technical details of what he is selling--never going past "copy and paste" from other ads or a manufacturer's marketing descriptions.

4.) If you are the seller, then the buyer offers to send you a check for more than your asking price with a request to wire back the difference.

5.) Their e-mails are sent at odd hours. (At 3 a.m., Pacific Time, it is 12 noon in Nigeria--a nine hour difference.)

6.) The seller claims that he is deaf, so that he cannot converse with you by phone.

7.) The seller asks for any unusual form of payment.

8.) If it is an ad at a forum that lists member numbers, the seller has a high member number, indicating that he just recently joined the forum.

 

I was recently looking for an expensive and scarce Trijicon ACOG scope for one of my guns. So I placed a WTB (Want To Buy) ad on Buddy's Board. I got this offer via e-mail, originating from a Gmail address:


Good day,

Have you got any leads/order on your WTB ads listed on my subject
Email?? Let me know as i have one up for sale.

Respectfully,

Ben

I wrote back:

Ben:

What is the condition of the ACOG and your asking price?

He replied at 2:57 AM:

It,s in LNIB conditions with an asking price of $640 Shipped. Ben

It is notable that this is a scope that normally retails for around $1,500. Note his poor punctuation of "It,s " and the misspelling: "conditions."

Smelling a rat, I wrote him in reply:

Ben:
Yes, I'll take it.  But because Nigerian sales scams have become so commonplace, I need you to provide me "proof of life".  Before I send you payment, I need you to do the following:  Take a magic marker and write your e-mail address and today's date on a strip of paper and DRAPE IT in a curve over the scope and take a crisp digital photo of the scope, showing that paper strip draped in place. This photo will prove to me that you actually have the scope in your possession.

Without this photo, we have NO DEAL.  But with it, I will send you immediate payment via US Postal Service Money Order.

Pardon me for being so cautious, but we are living in the age of deception and betrayal. - ~Jim Rawles

Not surprisingly, the scammer made no reply. Beware folks, and take precautions when dealing with potential scammers. Making a "proof of life" photo demand will almost always send a scammer scurrying back under his rock. If there is ever any doubt, one final test that works well in ferreting out scammers is to pose a fake technical question. For example, if the item in question is a gun, ask the seller to "provide its PCGS grade." If it is a scope, ask the seller to "describe its bore condition." Or if it is a ham radio, ask him "how much squelch are you including?" Such questions will almost always trip them up.

The bottom line: If it sounds too good to be true, then it probably is.

Addendum: I have heard that one of the latest schemes used by Nigerian scammers is to buy merchandise from American vendors, making payments via wire transfers. Then, after the goods have shipped, they use a loophole in the wire transfer rules to withdraw the transfer, snatching the funds back overseas. Beware! - J.W.R.


Saturday, November 17, 2012


How do you balance the secrecy needed when prepping with letting your friends and relatives know that you are a prepper and encouraging them to become one too? Because when SHTF, you want your loved ones to be safe too. Wouldn’t it be wrong to prep in secret and not afford your favorite people the opportunity to prep like you? I know it is not wise to advertise to non-preppers that you are a prepper. But I did it anyway. I just wanted to start a conversation about prepping with my best friend. I was excited about prepping and I wanted her to start prepping too. I wanted to know she would be ok in an extreme situation. And let’s face it; I wanted to brag a little bit too. And that pride, that hubris, can get you and your family killed.

This conundrum was recently brought into sharp focus for me when I was telling my best friend about the new five gallon buckets and bulk grains I had recently secured. I was so proud of myself. Her reply was not “Where did you get the supplies from?” or “How much did it cost – I’ve been saving up and I’d like to get some grains too”. Her response was “If anything ever happens, I know where we’re going”. She meant her family would come here. I was literally stunned into silence. Because I let her know I had secured provisions for my family and about my preparations in her mind I was now responsible for her family too. Rather than plan for her own family’s safety and food security, she let me know her plan was to come here and try to claim a portion of my provisions. How did I feel about this? Would I really turn away my best friend and her husband? Would it depend on the situation or was it just a resounding no? I had screwed up royally. Not only did I fail to inspire her to prep, I jeopardized my family’s food security so I could show off. After she left I realized I had a lot of thinking to do.

And this line of thought, this failure to prepare, it’s not unique to her, and it’s certainly nothing new. People all around our country would rather rely on the government to take care of them, or burden their friends and family who are prepared, than prepare for themselves. Just look at the aftermath of any major natural disaster and you can see that outlook on life manifested. Not only will you have the Golden Horde to deal with at The End of the World as We Know it (TEOTWAWKI), but some of that horde will know you personally and will be headed directly to your home. So the bottom line is, are you prepared for that aspect of TEOTWAWKI? Do you have the extra provisions to take these people in? Or would you have to turn them away, with brute force if necessary?

The conversation with my friend made me realize I had talked a lot about prepping and specifically about my family’s preparations to a couple of people. I was trying to help encourage them to prep too. But in the process I had made myself very vulnerable to the people I cared most about. And what would I do if SHTF and they started showing up expecting food, water and shelter? Could our little home and provisions stockpile really stretch to accommodate more people? I didn’t think it was even adequate enough for my family yet, let alone for two or three more people. And if my best friend were coming here wouldn’t she want to bring her sister and her sister’s husband and their son too? What about the grandmother with medical needs that lives with them? Now the horde in my head was getting bigger and bigger. And what would we do? My best friend comes over every week on Friday to watch television and catch up with me. Her sister’s family are our friends too. Could we shoot these people if that’s what it came down to? We have barbecued with them, been to their weddings, to their parties, their Sunday night dinners. Don’t we owe them something; shouldn’t we help them in an emergency? And wouldn’t they feel that way too?

I decided that to make any progress in this thought process, emotion had to be toned down and logic needed to be cranked up. What advice would I give to someone else? What if these weren’t people I knew – what if they were random strangers? Well, the ultimate goal is taking care of your family first. But if you have extra provisions or a bountiful crop from the garden, then wouldn’t you want to give them away to help others? That would be nice and it seems like the right thing to do, but it could also be dangerous in a post-TEOTWAWKI world. If you get to be known as the place people can go for a handout, you will soon have more hands than goods to put in them, and that leads to trouble. When the shops run out of food, people often break things and tear up the shops, fighting with one another to grasp at the last few provisions left. Shortly after that come riots and looting. What do you think they would do to your home? If they don’t respect someone else’s store, why would your home be any different? And in a survival situation people lose a lot of their rationality and morals. Just because you have spent a lot of time with someone, and they are your friend, it does not mean they will not put themselves and their families first. In fact, you should expect them to. And this is the part of it you have got to wrap your head around: no matter how excited you get about prepping and the little stockpile you are amassing, keep your mouth shut about the items you have got! I could have easily told my friend I had picked up a little extra grain and asked her if she did any prepping yet. The recent storm in New York would have been a perfect reason to bring it up. Telling her specifics about the quantities was foolish and could be something that really comes back to haunt me later in life. I was proud of myself for what I was accomplishing, but broadcasting exactly what I was doing could drive people right to my front door in an emergency.
Possibly more people than we could afford to help.

My husband and I talked about it and decided we could take in her and her husband in an emergency. He would make a great addition to our security team and she could help with the chores and the baby. The only problem would be what happens if she brings her sister and her sister’s husband and their son too? Could they be a helpful addition to our group? He knows about plumbing, but would there be enough resources to go around? With that number of people we could try to requisition more food and water, but that now takes our home from defensive to offensive, and I am not sure we want that. But that may be where my big mouth has landed me. My friend may be guilty of the folly of failure to prep, but I am guilty of the folly of hubris and letting it run away with my mouth, to the point that I may have inadvertently put my family in danger.

Be smart and keep the particulars to yourself when encouraging others to prep. Answer your friend’s and family’s questions on how to prep, but never reveal exactly what you have. If they ask something innocuous like “Well how much wheat do you have stored?” Always answer with something like “Well it’s recommended you have…” or “In the books I’ve read they say…”. Refer people to web sites and books they can get advice from so they can decide how much to store based on good data, not just by what you have stashed. And it is okay to tell your friends and family why you won’t give out specifics. Explain you aren’t trying to be rude, it’s just not something preppers do. If they really start prepping for themselves, they’ll get it, and they won’t be mad about it. Only get into more detail with other people who are actively prepping who will be in your post-TEOTWAWKI group and even then I wouldn’t tell every little thing. To those in your group you might indicate you have so many months worth of supplies, or more than so many pounds of something, but I wouldn’t list out every amount of everything you have. It is always wise to keep a little something back, especially the specific quantities and locations of your supplies. You want to encourage your friends and family to prep, but be sensible in the way you do it – you do not want to end up jeopardizing your family’s safety and food security by telling the whole world what you have squirreled away. 


Monday, November 5, 2012


Jim:
The article on constructed languages [by Snow Wolf] was fascinating. Just two concerns: An outsider might be able to crack your code based on repeated grammar. As was mentioned in the letter, "sentences follow the common subject-verb-object pattern". This pattern is predictable and could help a very intelligent decoder. Also your activity can be observed after communication, helping one define terms.

Both of these concerns can be mitigated with re-aligning, as mentioned in the letter. So take care not to overlook that step.

Finally, if every tip in this article (such as re-aligning and custom grammar) were practiced, and on top of this was layered a nice encryption method, such as was described in the 9/11/12 letter, you'd seriously give an enemy a run for their money!

I know this is true, for during WWII, Navajo-speakers were employed for code talking; that is, the messages were first translated into Navajo and then encrypted. Navajo almost fully qualifies as a constructed language. The following is from Wikipedia:

"Navajo was an attractive choice for code use because few people outside the Navajo themselves had ever learned to speak the language. Virtually no books in Navajo had ever been published. Outside of the language itself, the Navajo spoken code was not very complex by cryptographic standards and would likely have been broken if a native speaker and trained cryptographers worked together effectively. The Japanese had an opportunity to attempt this when they captured Joe Kieyoomia in the Philippines in 1942 during the Bataan Death March. Kieyoomia, a Navajo Sergeant in the U.S. Army, but not a code talker, was ordered to interpret the radio messages later in the war. However, since Kieyoomia had not participated in the code training, the messages made no sense to him. When he reported that he could not understand the messages, his captors tortured him. Given the simplicity of the alphabet code involved, it is probable that the code could have been broken easily if Kieyoomia's knowledge of the language had been exploited more effectively by Japanese cryptographers. The Japanese Imperial Army and Navy never cracked the spoken code."

Jim,
The recent submission, "Forget Codes..." while interesting, seems to neglect one rather important point: what the author is suggesting IS a code, and a fairly simple one at that!

Rather than substituting symbols for letters or letters for each other, this code is substituting words for other words. That the substituted words are made up isn't of any consequence at all.

What is proposed is thus a substitution cipher and like all such ciphers, can and will be cracked by a determined individual or group. It is more complex than the simple Caesar Ciphers we used as children to keep our "secret clubs" secret, but it's not a secure cipher by any means.

All that is needed to crack it is a sufficient collection of enciphered phrases and some indication of their meaning. These meanings could be gotten by intercepting the enciphered communication and observation of events before or after the communication. The group using the code could even be baited by an enemy into using words - for example, if I walk down the road near their BOL and drop a handful of ammunition on the ground, I can bet the encoded word "ammunition" will be used by their patrol when they report back in. Knowing their word for ammunition could be valuable, no? If the situation is such that I could safely allow myself to be observed while walking down the road, I might also get the words "man", "stranger" or "dropped". From there the process of deciphering unknown words snowballs.

Using the examples provided by the author:

puq tf urr (There's a man in the house.)

cg wzn (A stranger is coming.)

igy cg tf urr (Shoot the stranger in the house.)

aok cg tf f (Watch out for a stranger in a vehicle.)

puq fh bx tf urr (A man with a gun is in the house.)

...and with NO reference to the key, which is now out of sight, I can see that the word "house" is used in sentences 1, 3 and 5. The only code words used in all three sentences are tf and urr. One of those means house. Those sentences also have something else in common, as there is another word repeated - that is the state of "in-ness" - being in the house. A look at sentence 4 disambiguates: it is lacking a reference to "house" and is also missing the word "urr". Urr thus means "house" leaving "tf" to refer to in-ness. As further confirmation it refers to someone who is "in" a vehicle and contains the word "tf". Tf thus definitely means "in". A little more thought along the same lines reveals that the "man" in sentences 1 and 5 is represented by the word "puq" and that the remaining words in sentence 5, "fh bx", mean "with a gun". A larger sample would be needed to tease those two words apart. It would probably only take another sentence or two before the word "with" appeared without "gun", answering that question.

The plaintext is the key! Given enough samples, the key can be extracted from the text.

This cipher could be very useful if dealing with a short-term situation with a transient enemy but would become useless against a long-term neighboring enemy very quickly and suggesting that it could resist the efforts of a government is craziness.

The only way a cipher like this can remain secure is if all of the facts conveyed using it also remain unknown to the observer. This is a common weakness among substitution ciphers. Whether it is letter, digram or trigram frequency analysis for letter substitution ciphers - or analysis of the use and reuse of code words for word substitution ciphers - the weakness is the same. With a more secure cipher knowing some of the plaintext (or in this case, the information conveyed) doesn't get you even one step closer to deciphering the /next/ bit of text.

Those interested in the subject of encryption would do well to check out "Cryptanalysis - A Study of Ciphers and Their Solution" by Helen Fouche Gaines. It is a well regarded "beginning to intermediate" text on many cipher schemes, some quite difficult to crack. Applied Cryptography by Bruce Schneier contains great coverage and explanations of security and encryption, especially with regard to electronic communication.

Finally, as far as I know there is only one cipher that is known to be unbreakable if properly implemented, and that is the "one time pad". When I say unbreakable I mean unbreakable even by the wealthiest and most powerful governments. It is extremely simple but suffers from a few difficulties and limitations, the primary one being that the keys must be exchanged before any encoding can take place. Two others are that it requires the generation of a very random collection of data used as the encryption key (the pad) and pads can *never* be reused (or you'll introduce the very same weakness I illustrated above). It is well worth looking into and if you decide to use it, generate and exchange pads *now*. If you can't build a device to collect cosmic noise for random data then decent pad data can be (or used to be) gotten from www.random.org. In the event someone intercepts your pad data, it is unlikely they will also be the person out to raid your BOL!

Best, - Matt R.
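The elimination Matt R. walks through can be mechanized. The following Python sketch is an added illustration, not part of the original letter: it pairs the five intercepts quoted above with the meanings an observer is assumed to have worked out from events, then intersects them. The sixth intercept, the concept labels and the function names are constructed for this example.

```python
# Added illustration: known-meaning ("crib") analysis of a word-substitution code.
# Assumption: every concept is expressed by exactly one code word whenever it
# appears, and the observer has learned the gist of each message from events.

# The five example sentences from the page, with the concepts each one conveys.
PAGE_INTERCEPTS = [
    ("puq tf urr",       {"man", "in", "house"}),
    ("cg wzn",           {"stranger", "come"}),
    ("igy cg tf urr",    {"shoot", "stranger", "in", "house"}),
    ("aok cg tf f",      {"watch out for", "stranger", "in", "vehicle"}),
    ("puq fh bx tf urr", {"man", "with", "gun", "in", "house"}),
]

# Constructed sixth intercept (NOT from the page): "with" appears without "gun".
EXTRA_INTERCEPT = ("puq fh cg", {"man", "with", "stranger"})


def candidates(intercepts):
    """Return {concept: set of code words that could still stand for it}.

    A code word stays a candidate for a concept only if it occurs in every
    message that conveys the concept and in no message that lacks it.
    """
    tokenised = [(set(code.split()), concepts) for code, concepts in intercepts]
    all_concepts = set().union(*(concepts for _, concepts in tokenised))
    result = {}
    for concept in all_concepts:
        present = [words for words, concepts in tokenised if concept in concepts]
        absent = [words for words, concepts in tokenised if concept not in concepts]
        remaining = set.intersection(*present)   # must occur in all of these
        for words in absent:
            remaining -= words                   # must occur in none of these
        result[concept] = remaining
    return result


def solved(cands):
    """Concepts narrowed down to a single code word."""
    return {concept: next(iter(words))
            for concept, words in cands.items() if len(words) == 1}


if __name__ == "__main__":
    five = candidates(PAGE_INTERCEPTS)
    print("Recovered from the page's five sentences:")
    for concept, word in sorted(solved(five).items()):
        print(f"  {word:4} = {concept}")
    print("Still ambiguous:")
    for concept, words in sorted(five.items()):
        if len(words) > 1:
            print(f"  {concept}: one of {sorted(words)}")

    six = candidates(PAGE_INTERCEPTS + [EXTRA_INTERCEPT])
    print("After one more intercept:", sorted(solved(six).items()))
```

Six of the ten vocabulary words fall out of five short messages with no access to the key, and a single additional message separates "with" from "gun", which is the snowball effect the letter describes.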

James:
I was surprised to see you publish the article on "Forget Codes: Using Constructed Languages," it has to be one of the single most dangerously flawed pieces of writing I have seen on your web site. It seems based on an understanding of cryptography and mathematics set shortly after the Victorian era of hieroglyphics decryption. We have come a LONG way since then. The author is WRONG, and following his advice leaves one's communications completely vulnerable. I do not leave my argument up to a difference of style or opinion. I do not base my argument on petty infighting of Glock vs Everything else, or other arcane arguments that appear on Internet fora. My argument is based on undergraduate level mathematics and statistics.

Yes, constructed language will serve to keep conversation "secure" in the setting of overheard conversations in the local watering hole. For that matter, I can't follow the conversation of the waiters at my local Cantonese restaurant. Constructed language might even serve a small group's security purposes in the local AO. However, make no mistake, the concept is tragically flawed when discussed in terms of security and cryptography.

By its very nature, what is being discussed is a substitution cipher. Yes, the author suggested playing some games in the construct and lingui/grammatical foundations. There is also an attempt to change "hash" on a pseudo-random basis. Or to even change keys on some time period (t.) Ultimately, should we follow the author's advice and not even substitute for each word in the dictionary, but instead a common subset of oft used nouns and actions, we are talking about a frequency breakage of a mere (in the author's suggestion) 300 factors. Let's be generous and quadruple this to 1200 words. Or change the hash 3 times, and come up with a factor of 3600. We would not even require computer horsepower to break this "code" using modern mathematics. It can be done by anyone with a basic background in statistics, a few pages of notepaper, and 5-10 pages of message intercepts or transcripts to analyze.

I heartily agree with the philosophy of grounding ourselves in secure communications. But please dear reader, do NOT create a security system that is based on radically flawed assumptions. Heck, do not even trust me on this topic. If you are serious about security, do your own research. You will likely find, that the constructed language concept was debunked shortly after Turing moved beyond water filled tubes and the first computers began number crunching. I should also note that there are now linguistic breakages, as opposed to purely statistical (I hate his politics, but Chomsky is brilliant on language commonalities.) Turing machines used brute force, now we have algorithms to assist, along with the Moore's Law logarithmic increase in brute force of computing power.

If you are truly interested in secure communication, there are many excellent and free resources.
-The book Cryptonomicon by Stephenson is an excellent novel, and contains an appendix on creating a Solitaire code based on decks of cards.
-Bruce Schneier, one of the world's experts on cryptography has an excellent blog, and free monthly newsletter. In it, he discusses politics, security theater, snake oil ideas in security, cryptography, software, etc. Free, excellent, and from one of the modern day godfathers in the field.
-Human Rights Watch (say what you will about their politics) has an excellent resource for folks working in hostile environments, who require secure comms from the field.
-PGP and Open PGP (likely breakable by large resources such as the NSA) are free, and there are numerous reputable resources discussing its implementation.
-Read up on Onion routing (not entirely secure, but a good step amongst many needed,) one time pads (very secure, but laborious, and should be implemented with a second authentication factor,) key lengths, and hash functions.
-Open source philosophy of security i.e. public testing of all mathematical and programming functions. Also see: ISECom.

In closing, I could completely pull apart the suggestion of security via constructed language using mathematical arguments, and logical analysis. Let's just leave it at this - PLEASE do some research before you accept that suggestion as gospel to be deployed in securing your loved ones. My entire purpose is to save lives, and letting that article stand is like me not shouting FIRE in a burning building. It is a flawed course of action, potentially fatally.

Wishing God's blessings, of peace and health to all. - CypherPunkPrepper

JWR Replies: I agree completely that substitution ciphers and constructed languages only provide a very weak form of encryption. They might suffice if your opponent is just a criminal looter gang, but they absolutely will not hold up to the scrutiny of any government agency.


Saturday, November 3, 2012


Egyptologists tell us that the last hieroglyphic inscription was carved in 394 A.D., and within a few decades all memory of the ancient Egyptian language was lost. For the next fifteen hundred years the world's greatest scholars tried to translate hieroglyphics, but it was only when Jean-Francois Champollion had access to the Rosetta Stone in the 1820s that the dead language spoke once more. The Rosetta Stone, which had an identical inscription in three languages, was the key which allowed Champollion to begin translating the forgotten language.

You may be wondering what this has to do with preparedness. I believe it has a great deal, as indicated in the 9/11/12 article about using codes in emergency and survival situations. The ability to communicate privately is critical to our security as well as being a basic human right, and its importance is too often forgotten as we pursue beans, bullets, and Band-Aids.

When considering communication in the modern world, there are two unpleasant realities we must face: first, every transmission—text, email, phone call—can be intercepted. The second is that, as JWR pointed out, it's unlikely any code we make can withstand military and government decryption methods. This means that those of us who wish to communicate privately must adopt another strategy: instead of codes, we must use constructed languages for written and spoken communication.

A constructed language (CL) is simply a language which is not, and never has been, used by a natural population. The idea of constructing or making up a language may seem strange, but in fact several well-known CLs are already in existence. The oldest is Esperanto, which was created with the intention of providing the planet with a universal language. The next significant CL came from Star Trek. In one of the movies the creators decided to add spoken Klingon, which was created by a linguist and deliberately made to sound as alien as possible while still being pronounceable by human actors. A few phrases were repeated in the movie often enough to be learned by devoted Trekkers, and soon the Klingon language had its own alphabet, vocabulary, and grammar. Today there are online courses and YouTube videos about the language, and a few fans can actually use it to communicate. The movie Avatar followed this pattern, using a constructed language called Na'vi. And yes, there are some fans who speak it; information on the language and a Na'vi dictionary can be found online.

If you want privacy, you can't use Klingon or Na'vi; you must have a new language which has no connections to past or existing CL languages. This new language, if properly devised, will be as incomprehensible to anyone who sees or hears it as ancient Egyptian was to the scholar of 1700.

To create an effective CL, you must make several decisions. First, how many words are needed to communicate effectively? English has an overly abundant supply of synonyms (words with similar meaning), such as large, big, spacious. This duplication is unnecessary in a CL. You can probably function well with 300 words or less; you must decide what words are essential for your group.

Second, you must decide what methods of communication you wish to use with your CL. Will you signal it with Morse code? Use it in emails? Speak it aloud? Spell it with the manual alphabet? Signal with flags? If you intend to use your language only through such methods, all of which have a sign for each English letter, the CL should be based on the traditional Roman letters on your keyboard.

If you want a language which can be spoken aloud, it's wise to use sounds normally found in English; these will be easiest for your group to pronounce and remember (if you don't believe me, listen to Klingon). While it's possible to create a CL which uses such strategies as the tonal structure found in Chinese, this is a new concept for most Americans and would hinder the rapid acquisition of the CL as well as being impossible to indicate in Morse and all other letter-based communication systems.

The next decision is whether to create a grammatical syntax where meaning is determined by word position, as in English, or by inflectional endings such as those found in Latin and Greek.

A word position structure means that words must be arranged in a particular order for correct comprehension. “The horse sees the woman” doesn't mean the same as “The woman sees the horse”. Both sentences follow the common subject-verb-object pattern; the meaning is determined by which noun comes first and which comes second. In modern English, the position of words determines the meaning of the sentence.

In Latin, however, meaning depends not on position but on inflectional endings which distinguish subject from object. Here's a simple example using Latin words with familiar English cognates.

Equus means “horse” (equine)

feminam means “woman” (feminine)

videt means “sees” (video)

“The horse sees the woman” can be written in Latin without regard to word order:

Equus feminam videt.

Equus videt feminam.

Feminam equus videt.

“Equus” is in the nominative singular, indicating it is the subject of the sentence. “Feminam” is in the accusative singular, which means it's the object of the verb “videt”. The position of the words is irrelevant because their grammatical function is conveyed by their endings. Although the first sentence pattern was most commonly used by Romans, all three sentences would be equally comprehensible to Caesar and Cicero.

Using inflectional endings in your CL will make it more complicated to learn because, with few exceptions, English no longer uses such endings and most Americans are unfamiliar with them. Therefore, a positional CL is probably most practical.

Here's a simple example to show how a positional CL can function. Imagine a group which wishes to communicate by Morse code, email, texting, flag signals, or the manual alphabet. Here are some example words:


aok = watch out for (verb)

igy = shoot (verb)

wzn = come (verb)

tf = in, into (preposition)

fh = with (preposition)

cg = stranger (noun)

f = vehicle (noun)

bx = gun (noun)

urr = house (noun)

puq = man (noun)

You now have the capacity to signal or text information:


puq tf urr (There's a man in the house.)

cg wzn (A stranger is coming.)

igy cg tf urr (Shoot the stranger in the house.)

aok cg tf f (Watch out for a stranger in a vehicle.)

puq fh bx tf urr (A man with a gun is in the house.)

The enemy can intercept these CL words, multiply them, count them, and turn them inside out, but they will not be able to understand the communication without the key, which ideally should exist only in the heads of those using the CL.

When creating a CL, you also make decisions about structure and grammar. You probably noticed the sample CL has no articles (a, an, the); these words are superfluous and can be eliminated. The present tense is also absent because it's not necessary for comprehension and, for this particular CL, I chose to omit it entirely. Decisions such as these can be made by the creators of a CL according to their own preferences.

For the first example I deliberately used regular keyboard letters. However, if you wish you can make words such as these:

&Knv )Yy

m% a!*

While this may look more complex, it isn't; it only gives you symbols for which there is no Morse or oral equivalent. Some may believe that the more symbols which are utilized, the less likely a communication can be decoded. This is incorrect; a CL cannot be decoded or deciphered because it is neither a code nor a cipher. It's a language, and therein lies its impenetrable strength. Remember ancient Egyptian; there were thousands of papyri and carved inscriptions to study, but without a key none could be translated.

Another secret to making your language incomprehensible to outsiders is to frequently realign the words and meanings. This is done by randomly changing the meaning of the words, which is simple if you're communicating via computer. Aok becomes “gun”; cg becomes “under”, etc. Realignment is important because you don't want those intercepting your communications to associate your CL words with group activities. The ultimate security precaution would be to realign meanings after each communication.

Obviously, the ideal CL is one which can be used on a computer, texted, sent by Morse code, spelled with the manual alphabet, and spoken aloud. If you have this, you can communicate with absolute security under the eyes and ears of the enemy.

Below is a short, very simplified CL I prepared for SurvivalBlog readers who would like to try this method of ensuring their privacy. This CL differs from the example above because these words are in syllables found in English, which makes it easy to pronounce (tf would challenge even Henry Higgins). The CL words have been divided into syllables for easier pronunciation. Vowel sounds (short or long) can be determined by the group preference. No meaning has been assigned to any linguistic unit, which means even I, who created this CL, wouldn't be able to understand what you say, write, or signal.

Sample CL for SurvivalBlog Readers

Words

  1. sil'rah'me
  2. ru'hi
  3. oh'bash'in
  4. ed'rek
  5. pah'sas'din
  6. in'tah'ba
  7. me'tick'suh
  8. ir
  9. ad'wit
  10. ha'kal'too
  11. ak'tem
  12. yah'dah'sa
  13. ka'ah
  14. tim'ba
  15. se'kot
  16. row'un
  17. ve'dok'ah
  18. tah'yis'vee
  19. yo'ee
  20. nu'me
  21. it'ak'see
  22. dan'sis
  23. ma'ut'zo
  24. pes'hara
  25. haf'den
  26. oh'ye'see

 

Grammatical Structure

  1. Plurals are formed by adding ne at the front of nouns; i.e., if you assign ma'ut'zo a noun meaning, the plural will be ne'ma'ut'zo.

  2. The present tense is indicated by the root form of the verb; if you assign ed'rek the verb meaning of “run”, no further initial or final letters/sounds are needed to use the verb in the present.

  3. The past tense is formed by adding an initial al to the verb; i.e., if oh'ye'see becomes the verb “listen”, al'oh'ye'see will mean “listened”.

  4. The future tense is created by adding an initial er; i.e., if row'un is given the meaning “come”, er'row'un means “will come”.

  5. Negatives are formed by adding pa before the verb. This prefix can also be used as a general negation, thus including the concepts of “no”, “none”, “nothing”, “not”, “don't”, etc. If dan'sis means “come”, “pa'dan'sis” means “don't come”.

  6. Questions are formed by adding kas to the beginning of the sentence.

 

To put these last two grammatical structures together, if you wish to communicate “Are you coming?” it would be kas'row'un. If the other person wishes to say “No”, the answer would be pa or pa'row'un.

IMPORTANT: Be very aware that speakers of a CL will almost certainly tend to use normal English vocal intonations when speaking. Our voices rise and fall in distinctive patterns as we ask questions, make statements, express surprise, fear, anger, urgency, etc. These vocal patterns are a clue to anyone listening. The solution to this security weakness is to learn to speak all words in a monotone voice, rather as if you were reading a list of unrelated words. You should also be careful that your voice doesn't indicate the end of a sentence.

I hope many of you will try using the CL I've provided. But before you begin communicating important information, you must pass a test. Here it is:

    You can't use this sample CL as written. Why not?

Answer: Because of the grammar section.

No one can know the meaning you assign to the CL words in the sample; however, if you follow the grammar, anyone aware of this CL will be able to say, “Ah-ha there's the prefix ne. That means the word following is a noun.” For this reason, ALL THE GRAMMATICAL RULES MUST BE ALTERED BEFORE YOU CAN SECURELY UTILIZE THIS CL.

To do this, just use your imagination: form plurals by adding om to the end of nouns—or to the middle, if the word has more than one syllable. Or don't form plurals at all; if you want to say, “I need eight bullets,” the word “eight” indicates plural; the noun “bullet” doesn't need to be changed at all. Form the future tense by adding the word wom at the end of the verb. Make questions by adding ra'hi at the end of the sentence. Remember: no one, including me, will know what meaning you assign to each linguistic unit; ak'tem can mean “wife”, “nuclear weapon”, or “move slowly”.

Learning a new language, especially one you've never heard, may seem daunting, but it's essential to group security and survival. We all know the government is listening to phone conversations, reading emails, and recording communications. If a national emergency ever arises, this spying will intensify and your group will be unable to communicate privately. The powers that be are determined to take every shred of privacy in America; let's use constructed languages to reclaim an inalienable human right.

JWR Adds: I can vouch that even an informally constructed language can baffle outsiders. Some members of my family still speak Boontling--the folk lingo of Boonville, California. (My ancestors settled there in the 1850s, after crossing the Plains by covered wagon.) We still pike to Boont or Uke by kimoshe for boshin', bahl tedricks, shattaquaws, gormin' matches, hobneelches and visits to the Rawles Dusties, but try to avoid nonch-harpin, Haines-Crispins, spilldukes and sharkin' matches.


Tuesday, September 11, 2012


This subject is a much overlooked and sorely neglected area in the survival community. I hope that the following synopsis of this crucial topic will inspire an invigorating awakening in this area, which I feel is vital to our collective success and without which our endeavor could well be doomed.

Every country and every military around the world through the ages has employed codes, ciphers and signals, as well as signets et cetera, for the security and authentication of messages, including messages sent via couriers, in times of war and peace alike, to prevent their opposition from learning their secrets and their plans. They are crucial to any group's survival and successful operations, especially in matters of cover and concealment, which are of utmost importance to the modern prepper/survivalist who wishes to successfully maintain OPSEC as well as communications security (COMSEC).

Most apropos to the survivalist is camp security, or camp entry codes: individuals moving securely in and out of camp and between friendly camps; sending and receiving light or radio signals to members of one's own camp, such as at LP/OPs (listening post/observation posts); and communicating with other friendly camps to coordinate movements and plans and to advise others of enemy actions, including METT-C and size, activity, location, unit/uniform, time and equipment (SALUTE) reports. Not to mention something as basic as your challenge and passwords.

Sadly, few have planned, employed or even considered training in the area of signal security by broadcasting encoded Morse messages, which is imperative to any group's survival in hostile territory, especially given this government's stated goals as well as those it consorts with! These transmissions must be made carefully, remote from camp, and kept very short, preferably in burst format, which the receiver can then electronically slow down to decode. This is only limited by your means and available equipment. You then establish a radio telephone operator (RTO) who would manage all frequencies, call signs, master CEOIs, et cetera. Each member of the group should have a specialty, much like a Military Occupational Specialty (MOS), while all members train in and are proficient in basic skills and have a working knowledge of all the other specialties in the event that person is lost.

These signals encompass not only light and radio but human means: for instance, a messenger who carries a memorized encoded message, or sends messages via light or hand signals or hand gestures, forming near and far signals, again for the purposes of camp entry codes. Or he or she may be carrying hidden messages. These can include embedded distress signals in the event one is captured or compromised, so that those within the camp can know that there has been a compromise. These signals/signs should be relatively simple while unique to that group, but have alternate, subtle variations in the event one is being forced to do harm.

More sadly, we now live in a formerly free constitutional republic. The reality is we now live in a Soviet-style clandestine environment where we can only speak openly and freely to our most trusted friends and family, whether face to face, on the phone or on a computer.

There are many forms of code/cipher that have been employed by all the various governments and their militaries. For instance, in the 19th and 20th Centuries there was the Pigpen cipher, Playfair (used by the Australians), and the rail fence cipher. These are just a step up from simple substitution codes, and only a bit more secure; they can be broken fairly easily. When I taught codes to my church and survival groups I would give them a breakdown of a few, as here, and then tell them that of course the best code is the code you conceive and employ yourself. I am not going to disclose the exact nature of our code, of which I made copies and distributed. In it I have devised a combination of the military's brevity codes (which are pretty much unbreakable unless the source is known or there is repetition) as well as substitution codes embedded with Morse code, possibly in different languages common to a group.

We had a lot of fun breaking into groups, and I would give them brief messages to encode and decode using just the angle head flashlight, of course informing them that once you know a form of Morse you can send it in many ways, including light, radio dits and dahs, and finger motions, as well as written cipher. You are already familiar with certain subversives who employ such "close signals", for instance the Masons, who use a variety of hand signals and shakes to identify one another and their condition, as well as the dizzying array of miscreant gangs who use hand signals to identify one another and their misguided loyalties.

One brief aside: it is worth mentioning that the military is also using infrared tabs on their ACUs so that from afar, through their night vision scopes, they can discern friend from foe. Something to bear in mind!

So I will begin with the Morse code aspect of the encryption. Every country has its own, and there is an international code which is very close to ours. I have created Morse in a few different languages and keep them in a sort of S1 CEOI format, so that if one code or messenger is known or thought to be captured or compromised, then you just break into the next set (such as Spanish or French, whatever you are familiar with, or not at all). Now, after mastering your Morse code skills in sending and receiving, which is best accomplished by learning them in rhythm, you then break them down to 3-character codes. You might, for example, take a foreign language dictionary, start at the first word in its columns and give every word (or every field-appropriate word, if you prefer) a 3-letter designation. This can be done in an English dictionary, but if so you will not want to do so alphabetically, as it could then easily be deciphered if you do not also combine it with the traits of a shift code (of which there are several). E.g., if you want to start left to right, as is done here and everywhere west of Israel, you can start at the beginning of the alphabet and skip, say, three letters so that a becomes c. Or you could start counting right to left, as the original Bible does, and shift in that direction by a pre-designated number. You could choose this number by the day of the week, so if the code was sent on Sunday, which by the definition of the dictionary is the 1st day of the week, then it would be known to your group and allies to shift left by one. The shift could then, or also, be known to be set by a word or name. There is a near infinite series of alterations that a group could use to confound the enemy cryptologist (code breaker).

Okay, so starting again in your dictionary of choice, preferably a concise one that would easily fit in your ALICE pack or go bag, but even better in your BDUs; of course whoever you are sending to or receiving from would have to have a duplicate set to decode from. If you choose, in your system you can start at the beginning with aaa. Let's say hypothetically that the first word in your foreign language dictionary means "about", so aaa is the 3-letter Morse code designation for "about"; then the next word in your dictionary would be designated aab, the next aac, etc. Now obviously your names/call signs and other words particular to your group and objectives might not be in that dictionary, so you would create your own addendum where you would assign all members of your group their own 3-letter designations, as well as, say, particular weapons, names of enemies or other actions, for the purposes of brevity, rather than having to scroll through the dictionary to find a particular word which is peculiar to you and your group's actions. So a 6-word message might look like this: jeb ofn pje suc jeu bhe. You may transmit them together, it being known to break them up in triads, as such: jebofnpjesucjeubhe. That message might mean in your code: for enemy has captured friendly forces rally3.

Now, as you see, "rally3" is not one word; in fact any 3 letter brevity code can not only represent one word but a phrase or direction such as proceed north or reinforce at 1200 hrs, for example. This is why brevity codes combined in Morse code configured with alpha/numeric shift is so valuable a cipher. And as you see I am only giving you a pattern in which to create your own without compromising mine! Now...once you and your group establish a platform to create your own cipher you then complete what is called a CEOI or "communications electronic operating instructions" card and make copies for your people. These cards must be laminated to be made waterproof, all team leaders and above having detailed copies while the individuals only need condensed versions. This will serve as a baseline for you to create and employ your system in such a way that the enemy, even if they capture you, cannot necessarily break your code. You do this as you create your own computer passwords. This is something that is familiar to your group or established but in a regimented fashion. You should then create a system in your CEOI where all your members' names/call signs are encoded as well as a basic group of commands such as camp entry/denial codes as well as protocol for how to deal with stress signals and challenge passwords. Remember, it is your prerogative for these codes to move left, right, or vice versa! Or even up and down, etc. In that you can employ colors or animals as authentication codes for each day of the week which may change for each week of the month...be creative!

We have covered signal security some, in that those codes covered mostly some visual or radio signals; now we can address some simple hand signals for CLOSE friend-or-foe or identification hand signals. Now...again...we have our established signals but for purposes of OpSec I will not give my examples. But again I invite you to be creative and invent your own. As I alluded earlier, as the decadent groups have their hand signals (which underlie their loyalties), so do we. Now...it is for us to again be creative in establishing some group standards but also create alternatives in the inevitable event that one of our own is compromised and provide for that in the system! In addition to employing hand signals for signaling and identification, I notice that everyone is sorely lacking in their hand signals for moving as a unit or units in the field. This is underestimated as a prerequisite for successful movement and maneuvering bearing noise discipline in mind. Of course there are the pretty much standard hand signals for rally on me, halt, danger, I see...but what about formations such as traveling wedge formation and moving in bounds/bounding overwatch? There are standard signals for these as well that a leader should learn, master and impart to his or her group. But then what many may overlook is ammo count. When engaged or pinned down and the enemy is trying to outmaneuver, your people need to be able to effectively communicate who has how much ammo. The team leader, for instance, using this signal could then decide who has suppressive fire abilities while another can take well aimed shots to end the action. For this I use an extended hand with fingers straight out and rotate 90 degrees twice, indicating an ammo count. The response from members should or could be that of standard deaf signing numbers, which all members should be savvy with anyway in indicating numbers.

Distant identification is predicated upon environmental considerations, that is, how dense or sparse the vegetation is in your area of operations (A.O.), limiting visibility. So, if visibility of your listening post/observation post (LP/OP) is a maximum of 100 yards, then that range should be considered your "long range signal," and perhaps then 50 yards would be your established "close range signal range." Now, at 100 yards small details of hand or arm motion may be confused, so you want large pronounced movements that are not easily confused as your "challenge" arm signals. So you may want to employ a large circular movement mimicking the hands of a clock yet distinctive, and these may again be tailored to the days of the week so that if an enemy observer is watching one day or so he may not easily determine what that long range signal is and counterfeit it to gain access to your camp's mid range security threshold. So...let's say your challenge signal for Tuesday is palm out and one full circle outward or clockwise to the challenger's perspective, and the password's long range signal response is the left arm beginning at the upward 12 o'clock position moving to the 180 degree downward, then palm to center and across the chest. Permission is then granted to proceed to the close signal where closer observation can be made to positively identify the incoming party. When the incoming party advances to the close signal range, they are instructed to halt, at which time the close hand signals are exchanged. This may be as simple as a particular hand sign as the gangs and Masons are notorious for, such as the deaf hand symbol for the 4th day of the week or the phase of the moon being between 1 and 5, or even a smaller arm signal recognized by the groups in that area of operations, which of course includes distress/"I am compromised" signals in which the camp would be alerted that an attack is imminent.
They are then directed to advance to be recognized and asked the verbal challenge and password. If all signals are within code parameters and given a small degree of variance for error...up to the verbal challenge...then the incoming party may enter upon authorization of the S1 intelligence officer of the group, in other words, the person responsible for devising and maintaining all codes/ciphers and challenge passwords, which all teams including the foragers, hunters, water gatherers and security or LP/OP teams must be drilled on for camp security!
   

The foregoing dealt with daytime signals. The same would be true of night time operations, except you would want to use a subdued light source such as the common angle head flashlight with filtered lenses. A red lens is optimal, blue under certain conditions but that is mostly just for map reading. Now I have devised ways of covering the lenses so that they are half and half, that is: half the lens is red and half blue, and another is half purple, being a combination of red and blue, and the other a red hemisphere. I provided these for my group along with a camp entry code card, sort of a mini CEOI. I also created these light signal cards for camp entry codes with my particular signaling devices in mind and distributed them to critical members of my group. In this way, when the situation goes hot and we invariably find ourselves struggling to rally to our pre-designated points, etc., we can then safely regroup at a future point without being compromised by those whose charge it is to pick up, as they say in the military police field manuals distributed to the various defense force people for instance, "stragglers."

I also created similar waterproof cards demonstrating various hand and arm signals for this purpose...I sewed an extra pocket into my uniform to accommodate this information and waterproofed it inside and out as well. If you do not have angle head flashlights such as the GI issue, you can fashion your own favorite flashlight using red taillight repair tape. The Mini-MagLites are good and you can buy tail cap switch kits for them that allow you to tap out Morse code from the butt of the light. In my large angle head as well as the smaller ones I use rechargeable batteries. The D size rechargeables are immensely lighter. I use the solar powered battery charger to recharge them.

One last note on the use of brevity codes and your challenge and passwords. You can even use your 3 character brevity codes to designate a challenge and another for your password. Be creative, have fun, and get going, 'cause the balloon is going up!

JWR Adds: As a former Army ASA SIGINTer with some cryptological experience, I must warn readers that the foregoing simple ciphers are no match for any modern military or government intelligence organization. They would be able to fairly easily and quickly decrypt your signals, given a sample of sufficient length. However, it should work fine if your opponents don't have any greater sophistication than the average outlaw biker gang. Something as simple as a traditional Playfair or Four Square code would likely confound them.

Some advice: Never re-use brevity codes. Change your codes frequently. Keep transmissions short and use the minimum power to get your signal through. And remember that even if you use strong encryption, most radio transmissions can be quickly located via radio direction finding.
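The warning above about simple ciphers can be checked directly. This Python sketch is an added example, not code from the article or from SurvivalBlog; the codebook entries, function names and sample message are constructed for illustration. It builds the sequential three-letter codebook with a day-of-week shift, then shows that the shift layer is a 26-try search for anyone holding a copy of the codebook, and that repeated triads stay visible under every shift.

```python
"""Added illustration: three-letter brevity codebook plus a day-of-week shift."""
import datetime
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def index_to_code(i):
    """Sequential assignment from the article: 0 -> 'aaa', 1 -> 'aab', 26 -> 'aba'."""
    if not 0 <= i < 26 ** 3:
        raise ValueError("only 17,576 three-letter codes exist")
    return ALPHABET[i // 676] + ALPHABET[(i // 26) % 26] + ALPHABET[i % 26]


# Constructed sample codebook (hypothetical entries, in "dictionary" order).
ENTRIES = ["about", "enemy", "has", "captured", "friendly", "forces",
           "rally3", "proceed north", "reinforce at 1200 hrs"]
CODEBOOK = {entry: index_to_code(i) for i, entry in enumerate(ENTRIES)}
REVERSE = {code: entry for entry, code in CODEBOOK.items()}


def day_shift(date):
    """Sunday is day 1 ... Saturday is day 7, as in the article's example."""
    return (date.weekday() + 1) % 7 + 1  # Python's weekday(): Monday == 0


def shift_text(text, shift):
    """Alphabet shift applied letter by letter; a negative shift undoes it."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26] for c in text)


def triads(stream):
    """Split a run-together transmission back into three-letter groups."""
    if len(stream) % 3:
        raise ValueError("stream length is not a multiple of 3")
    return [stream[i:i + 3] for i in range(0, len(stream), 3)]


def encode(entries, shift):
    return shift_text("".join(CODEBOOK[e] for e in entries), shift)


def decode(stream, shift):
    return [REVERSE[t] for t in triads(shift_text(stream, -shift))]


def recover_shift(stream):
    """With a copy of the codebook, try all 26 shifts and keep those where
    every triad is a valid code. The shift adds at most 26 guesses of work."""
    return [s for s in range(26)
            if all(t in REVERSE for t in triads(shift_text(stream, -s)))]


def repetition_pattern(stream):
    """Triad repeat counts, highest first. Shifting relabels triads but never
    changes how often each one repeats, so reused codes remain countable."""
    return sorted(Counter(triads(stream)).values(), reverse=True)


if __name__ == "__main__":
    message = ["enemy", "has", "captured", "friendly", "forces", "rally3"]
    shift = day_shift(datetime.date(2012, 8, 19))  # a Sunday
    sent = encode(message, shift)
    print("sent:             ", sent)
    print("decoded:          ", decode(sent, shift))
    print("shifts that fit:  ", recover_shift(sent))
    repeated = ["enemy", "has", "enemy", "forces"]
    print("repeat pattern s=1:", repetition_pattern(encode(repeated, 1)))
    print("repeat pattern s=5:", repetition_pattern(encode(repeated, 5)))
```

The repeat pattern is what the advice "Never re-use brevity codes" addresses: the same triad sent twice is visible as a repeat no matter which shift is in force that day.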


Sunday, August 19, 2012


Let me premise this by saying I am no expert in the material I will provide. I, like most everyone on this site, am an avid hobbyist in these matters. For some background on me though, I am a Mathematics and Computer Science Major in my fourth year of college, a phone and computer enthusiast, I enjoy white hat hacking and build computers for fun. Maybe not the average prepper, but I get by.
I am writing this article as I have found almost nothing on modern technology in the several blogs that I visit on a daily basis, even this one, as esteemed as it is. Frankly, this troubled me quite a bit. First off, as many of you know, our great country is delving deeper and deeper into the lives of you and me, citizens in this country, and even people all over the world.  The amount of data they receive from seemingly harmless web searches or Facebook posts by you would curdle your blood. I recently read an article that the NSA (National Security Agency) has been gathering data electronically on US citizens for over 10 years now. I’m not trying to scare you, this is a fact. So what I will do in this article is try to educate you on how to better protect yourself from further implicating yourself on any more FBI and NSA lists than you already are, and to guide you on a technologically sound path that will help you post TEOTWAWKI.

First things first: GET OFF OF SOCIAL MEDIA. That may seem drastic, especially in today’s society where it seems that if you aren’t on Facebook or Twitter, you don’t exist. But this is the number one place that the government and other malicious agencies are getting their information on you. And if your OpSec is that terrible that you post about your prepping online, then this may be too late for you. But that’s number one. Live with it. If you feel that this is just impossible, then take as much info about you off. The agencies that run these sites already have this information, but it will limit others from accessing it, especially black hat hackers, who may try to gain access to your accounts to steal your identity. Another point to make, which I hope many of you already know: DO NOT post anything about vacation or your time away from home on the internet. This includes posting pictures of your vacation after you get back. This is an invitation to criminals to see that your home is empty and ripe for the picking.

Number Two: Protect yourself online. This is a very complex issue, as there is a plethora of ways that malicious hackers can get to you, but that’s not what I'm referring to; I’m telling you to try to become as incognito while online as possible. The first thing you can do, if you're up to the task of learning a little programming, is to get the Internet browser Tor. If you aren’t into that, then get Iron as a browser. ABSOLUTELY DO NOT browse the Internet with anything else. Maybe Firefox, but that’s a stretch too. If you are using Chrome, IE, Opera, or anything else, STOP NOW. There are so many trackers and hidden packets that track every web site you go to, every keystroke you make, and every opinion you post. In other words, everything you do online is stored somewhere where someone can hack it, or the government can just swoop in under any pretense and take it, for “the betterment of the country”. Fun stuff, right?

After that, I would suggest using Proxy Servers to connect to any web site you may think is incriminating, like this one. No offense JWR, I love your site, but I’m probably on a watch list or two because of my ignorance, so I hope to help all of you. For those of you who do not know what a Proxy Server, or Proxy, is, here is a great explanation (http://en.wikipedia.org/wiki/Proxy_server). In short, it hides all internet traffic on your IP address (your computer’s personal traceable address online), and routes all the data you access through an offsite server, making it seem like you aren’t going to any of the sites, the other server is! You can go to any site you want, and no one will know it is your computer. Obviously there are ways around this, but it’s better than nothing. It will prevent your internet provider from getting a large majority of your internet traffic, which it does at all times, as regulated by the government. This is the number one way that school kids and other people get around firewalls on public computers in schools and libraries, so I would not recommend doing this on a computer you don’t own, as your access may be revoked.

Next up, an Antivirus! I would suggest AVG. It's free, and the free version is GREAT! As always though, if you enjoy the software, support those who make it, and pay the one time fee. It's nominal, but helps programmers like me a lot.
Next up, the most important item in your EDC: your SMARTPHONE. Many people think that post TEOTWAWKI, this great culmination of modern technology will be dead and useless. Those who think that, and think that we will go back to hand cranked HAMs, are fairly wrong. Yes, the grid may be down, and you won’t have internet or communications on it, but these phones are some of the smallest, most powerful computers in the history of the world. It matters what’s on this device BEFORE the collapse. As many people are preparing, you all most likely have a backup way to generate small amounts of power. Well, good thing these phones do not require a lot of power! A hand cranked generator could power these phones easily. So like I said, the important thing is what you have on these phones. This is a pretty laborious topic, so I'm going to split it up.

1)  Brand. Get an ANDROID! I cannot stress this enough. There are several reasons why this is imperative.
First, they have an external microSD card. For anyone who does not know what this is, it’s a tiny tiny flash/jump/thumb/USB drive. Whatever you want to call it. They are getting very inexpensive, and can hold the same amount of info as a flash drive. I currently have a 32gb microSD in my phone, and can only fill half of it. This aspect of the phone is so important, as even though you may store all your important files on a USB flash drive, this means that you will need a power-hungry laptop or desktop to read those files. Why? Get a microSD dedicated to your BOB and then you can load it into your small, portable phone, and show anyone on the screen your documents. There are even water/shock proof microSD cards now. I have an 8gb elements proof card dedicated just for my BOB files. Fills less than a 20th of it. The rest is my favorite music and a couple good movies, for the entertainment side of survival.
Secondly, most of these phones have a removable battery. This is especially important, as extra batteries are cheap now, and bleed power pretty slowly. So I keep three extra around so that I not only have extra power now for a long trip or if I forget to plug the phone in, but also as a great BOB item. Remember, these phones can be a force multiplier, so the longer you can go without a crank or solar, the better off you will probably be in the crucial days post collapse.

Lastly for hardware, get an OtterBox. These are fairly expensive cases, but they protect your phone from almost anything! I would splurge on this, and drop around $60-$100 on a good case. They are shock proof, waterproof, everything proof. I assume you all can figure out why this is so crucial.
One more point, as with anything recommended on this site, READ THE MANUAL! Especially with these devices. They are complex pieces of machinery that are fickle beasts at best, and must be dealt with properly. Also, there are ways to turn off the tracking devices if you are worried about that. Read the manual, or go online and read blogs on how to do some easy hacking to prevent anyone from using your phone against you.
Now, enough of hardware, onto the software!
When it comes to these phones, they literally have no software limit. You can game, live video chat across the world, have it sing you to sleep, wake you up, etc. But the important thing of course, is how it helps you in TEOTWAWKI.

There are several apps that deal with survival: the full army survival manual FM 21-76, Coast Guard survival, urban survival, camo tips, gun tips, sniper windage directions, incendiary devices, gardening practices, scuba practices…
If you didn’t get where I was going with that, you can get literally EVERY book on your shelf on that phone. Now I know many people advocate a Kindle, or are completely against this in the case of it breaking, power, EMP, etc, and I'm not advocating replacing your library with this. But this is ideal in a GOOD situation. You can’t bring that library on your back, but you may be able to come back to it. This phone could save you in that time. Also, Amazon has made Kindle for Android, so you can access all of your Kindle books on your phone, and the resolution is great. I read books on my phone all the time, as I feel that a Kindle is a wasteful expense.
Not only can it store your survival library, but these devices have a flashlight app that can help if your other flashlights are gone/out, it has video/audio recording which may come in handy if you need to prove self defense to a later start-up government, and maybe more importantly, they have the capacity for sanity items. Like games, cards games, novels for fun, and most importantly, music. I know I will fall into depression pretty quickly if I feel that most of my favorite music, especially brilliant classics like Bach, Mozart, Rachmaninoff, etc are lost to the destruction. That would be a blow I could not bear. So instead, you can help preserve these masterpieces, and a few others for your own entertainment!
Some especially useful apps I would recommend are:

Engineering Unit Converter: This will change every known unit to almost every other known unit. This is essential if your book tells you to take one oz of meds, but you only have a dropper labeled in ml.

Calculator: This is pretty straightforward. We use calculators more than we know, and these can be especially useful, giving you a competitive edge over the pen and paper competition.

Notes/Picture: Notes are great for about everything, but combined with a camera, you can take pictures of the land and note defensive positions, fields of fire, water sources, food sources, the list is endless. So you can send a few men on recon with these, and have better and more accurate knowledge to get a leg up over the enemy/nature.

First Aid: I can’t believe I forgot about this one until now, but you may not always have an experienced medic around. And even if you are fairly comfortable with the basics, you have to remember Murphy’s Law: what can go wrong, will. So for those especially strange wounds/infections/symptoms, these apps are a huge wealth of knowledge.

Cargo Decoder: This app has you type in the number on a truck and it tells you what it is hauling and gives you the MSDS info on it. This is a great app if you want to know if you should salvage an abandoned truck or not, how to prepare for the extraction of the material, what to do for first aid, etc.

Emergency Alerts: This app wakes your phone up no matter what state it is in (unless off) and beeps loudly if there is an emergency or warning in your area. Great app to give you a leg up on those not ready for an incoming disaster.

And some others I like: United States Constitution, The Federalist Papers, The Weather Channel, Knots Tying Guide, SurvivalGuide, Screen filter.

*All of the apps I listed are free, so this won’t hurt the wallet. The list of what these phones can do is endless, but alas, your patience is not. So for a final point, if I haven’t convinced you to do all this now, at least get the phone for fun pre-TEOTWAWKI! Live the good life while we can! And these phones definitely help.


Sunday, June 24, 2012


Hi James,
I heard your recent radio interview with Alex Jones. In it you mentioned Darknets [such as Tor] and IP addresses.

I happen to use the following tools for security. Perhaps they will be of use to SurvivalBlog readers:

To make it easy to find IP addresses, I use ShowIP. This is a little tool add-on to Firefox and works a treat, makes saving favorite web site numeric addresses a breeze.

Private VPN tunneling: Normally this is difficult to say the least, but Tunnelblick is great, easy to use, and I use RiseUp for both secure anonymous e-mail and secure anonymous VPN. And by the way, both of those are free services.

I use Flashblock to stop all those annoying pop-ups and flash banners, that are not only annoying but also harvest info about your system, location, etc. (Bad :-( )

I use the QuickJava Plugin to enable / disable Java data harvesters.

User Agent Switcher is great for obfuscating your browser, system, etc. 

RefControl is an extension for Firefox that lets you control what gets sent as the HTTP Referer on a per-site basis. Great for privacy and for ensuring you can still go to "broken / unavailable" (i.e. taken down) sites.

All of the aforementioned tools work with Firefox. (Apologies Internet Explorer (IE) users, but I do not use IE because they collect far too much data and hand it over to the authorities far too easily.) 

In your browser preferences pane, look for privacy and ensure that "private browsing" is enabled. Always ensure the setting for deleting cookies is set to delete them when you close your browser, as well as emptying the cache, history, etc. 

If you use Gmail, Yahoo Mail, MSN Mail or anyone else, ensure that e-mails are downloaded and not keeping copies on the server, and that the history is not collected by Google when browsing. (Go to "Settings" in your Google / MSN / Yahoo account) 

On the main setting on your PC / Mac / whatever, ensure that your language settings are not USA English, just English. For your time zone, pick another location along the same time zone as yourself. For example, if you live in London, use Dublin, Iceland, Sierra Leone, or whatever, you will still show the same time but not your location, you get my drift...

Do not enroll in a Twitter, Facebook, or whatever account. Get real. The people that you meet there are not your "friends"; your real friends will seek you out personally. Using "social-networking" sites only increases your digital identity and leaves you open to all sorts of problems. Enough said.

I could go on all day in this vein but you have here a decent start for online security.  Warmest Regards, - Ed (a UK Prepper)

JWR Replies: To reiterate what I mentioned in the interview that you mentioned: I do indeed recommend taking note of the IPv4 or IPv6 addresses of your favorite web sites.

For the basics on darknets see the Darknet Wikipedia Page. That will then inevitably lead you to The Onion Router (Tor.)

It is also notable that Firefox now has a Tor plug-in (included in the Tor bundle) that is easy to toggle on and off.

My advice: Dig in and study this topic in depth. Be ready to go dark, as needed. But be careful: Do not let your kids wander around unsupervised in the onion realm, as there are a lot of sinful sites in the darknet world.


Monday, June 11, 2012


James Wesley:

I was wondering if you could pose the question of “mail-order stuff” to the UPS or Fed-Ex drivers that read SurvivalBlog. Have they been told to “see something-say something”?
Thanks, - Ed S.

JWR Replies: I haven't heard anything definitive on that topic in recent years. I'd appreciate UPS and FedEx drivers chiming in.

FWIW, I should mention that David Koresh (of Waco) first came to the attention of the BATF because a UPS driver reported seeing "grenade casings" protruding from a ripped cardboard box that was sent to the Waco church address. Well, those were actually inert dummy grenades that Koresh had been buying to re-paint and assemble with used (dead) practice grenade fuse assemblies to turn into gag/novelty gifts mounted on wooden plaques. (Those read: "Complaint Department, Take a Number" with matching "#1" tags attached to the grenade pin.) Do you remember those? They sold those at gun shows and via mail order. Well, eight months later, this happened. Please, dear readers, be very careful about the items you mail order and both the paper trails and electronic cookie crumb trails that you leave behind.


Wednesday, June 6, 2012


On May 26, 2012 the SurvivalBlog.com server was attacked and knocked offline.  The method of attack used is commonly referred to as a Denial of Service or DoS attack. I won’t delve into who might have sprung the attack nor how it was done. Both topics have been covered.(1)  What will be discussed are the 10 lessons learned from the attack as it pertains to preparedness and survival.

Lesson #1: We don’t know what we don’t know.

We can’t all be experts in everything. Regardless of where you are in the preparedness journey, we’ve all realized at some point that we have a lot to learn in the realm of getting prepared for: TEOTWAWKI, hyperinflation, grid down scenarios, tactical strikes, supply chain disruption, natural disasters, government hostiles, and the list goes on and on.

We knew that SurvivalBlog could go down but we certainly didn’t know when or why it might happen.  Any web site can go down for any number of reasons: web site/server gets hacked, electrical failure at the site of the server, government censorship, domain name hijacked, database failure, programmer uploads some mistyped code, etc, etc. But when SurvivalBlog went silent, it was like the Encyclopedia Britannica of Survivalism went away.

What to remember from this lesson: learn what you can while you can but always try to secure a hard (paper) copy of the topic you are studying in case your source disappears (hard drive, thumb drive, SD cards, printed copy, CD, etc). You won’t regret it and you can always pass your library down to your children.

Lesson #2: Know thy enemy (Sun Tzu - The Art of War).

Prior to the attack on SurvivalBlog, an anonymous and threatening e-mail was sent to JWR.  Among other things, this person used the term “we hack good” indicating a potential to hack the web site.  I would be more than ignorant if I attempted to armchair quarterback JWR on what he could’ve or should’ve done to prepare. But I digress.

FWIW, I have been using SolutionsGrove since October, 2010 for instant notification of my server crashing. With a free account, they will search for a specific page (that you designate) every 15 minutes.  If they do not receive a response, you will be instantly notified.  They will continue to check your site and notify you when it is back online. For a donation, they will check your site every 2 or 5 minutes. I’ve had terrific success with this. I am not affiliated or compensated by this company in any way.

The point is to gather information on your opponent.  Read between the lines. Google their name, phone number, email address, avatar, tag line, meme, even quoted lines from text they’ve written. The more you deduce, the more advantage you have in preparations. To quote a translation of Sun Tzu’s The Art of War: “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”(2)

What to remember from this lesson: regarding any topic you are studying, investigate what you see...and don’t see. Not just the physical nature, but the source, where it came from, how it got there, its history. The more you know, the more prepared you will become.

Lesson #3: Redundancy is your friend.

As I’ve said numerous times on my blog, redundancy is the key to serenity. “Three is two, two is one, one is none”.(3)  If you only have one gun and it gets stolen, then you have none. If you have two guns and one is stolen, you have one left...but what if neighbors show up to help fight off the Golden Horde but have no weapons? My point is, the more you have, the better off you will be in an emergency situation.

In JWR’s case, he has a server in Sweden and the U.S. Both were attacked, leaving him dead in the water, but even before that he was actively seeking additional off-shore mirror sites. The more mirrors that he eventually has of SurvivalBlog, the harder it will be to take it down simultaneously. He has also added the redundancy protection of an additional URL: “SurvivalBlog.se”. Should ICANN or any other entity take control of his SurvivalBlog.com URL, fans of SurvivalBlog can still reach the site by typing “SurvivalBlog.se” [or one of the two dotted quad addresses.]

You can be redundant with everything. Here is a list of a few things on my redundancy list to give you some basic ideas:

Income- (1) My main job (Sonography, Radiography). (2) My part time job (See #1, different hospital). (3) My wife is nationally certified in Radiology and can work if necessary.

Income skills- (1) Trained in Sonography. (2) Trained in Computed Tomography. (3) Trained in Radiography.

Transportation- (1) The family Suburban. (2) The family Jeep. (3) My auto insurance includes rental car coverage should one of my cars become disabled.

Food- (1) Our bi-weekly grocery run. (2) Our garden and short term food storage. (3) Our long term (25+ years) food storage.

Water- (1) House/city water. (2) 55 gallon drums x 12 in backyard. (3) Bottled water in garage.

Shelter- (1) Our house. (2) Our family retreat 2+ hours north of town (3) a retreat property with no shelter but we have tents, sleeping bags, etc for now.

Entertainment- (1) Electronic/card/board games. (2) A ton of music/books/movies/cartoons stored on a hard drive. (3) MacBook with solar panel recharger.

Water filtration- (1) Berkey water filter with 2 Black Berkey ceramic filters + PF-2 x 2 filters. Filters 3 gallons per hour. (2) Sand filter. (3) Boiling water or plastic bottle in the sun sterilizing.

Cooking- (1) Indoor stove & microwave. (2) Outdoor propane barbeque grill x 2. (3) Dutch ovens to cook on charcoal/wood fires.

What to remember from this lesson: think about what could happen and prepare for it. Then have at least three backups in case something fails. If your electricity fails (and you have an electric stove) , cook outdoor on your barbeque grill. If you run out of propane, cook over coals or embers with your dutch ovens.

Lesson #4: Communication is king.

While SurvivalBlog was only able to communicate the attack with a few sentences on a blank white html page, word was still traveling at the speed of type across the globe.  As soon as I noticed the attack, I posted a quick blog post to let folks in my circle know what was going on and how to help. JWR had asked folks not to keep refreshing the homepage as it adds to the chaos during a DoS attack. I explained the request and was picked up by Google within the hour. As the internet lit up with Google searches such as “survival blog attack” and “survival blog down”, folks were pointed to my post and quickly learned of the attack in progress.

Aside from spreading the word via blogs, RSS feeds, news sites and other static/dynamic portals, JWR still had the option of using email, cell, land line, MURS, and ham radio. I wouldn’t be surprised if he even had some carrier pigeons stashed away. More likely a hawk ;-)

What to remember from this lesson: secure several lines of communications because “If you don’t have Com, you don’t have jaaack.”(4) -Jeff Trasel, from "Patriots: A Novel of Survival in the Coming Collapse"

Lesson #5: Consider your trigger points.

Consider establishing trigger points that put you into action.  This thought came to me as I traced back where visitors were coming from to view my SurvivalBlog attack post.  Using a free stat counter, I traced a visitor to a survival forum where a long conversation was underway regarding the possible causes of the disappearance of SurvivalBlog.

As I read through the posts, I came to one that stated (I’m paraphrasing from memory) “I always figured when SurvivalBlog was taken down by the government, it was time to Bug Out.”  Now, this may be rational, to a certain degree, but nobody had established that SurvivalBlog was taken out by the government.  Perhaps this person was simply saying IF the government took down SB, THEN it would be a good time to consider moving to the Redoubt. Regardless, it made me start to consider my trigger points.

Would it take a mushroom cloud to motivate me to bug out or are there more sublime triggers? Joel M. Skousen, author of Strategic Relocation--North American Guide to Safe Places, said in a recent YouTube interview that he believes the next major trigger points will be if 1) North Korea nukes South Korea, and/or 2) Russia begins pulling troops home to protect the motherland and he believes these triggers could lead to America getting nuked.(5)  Once you set trigger points, consider how quickly you can leave your home.  Are your BOBs ready? Do you have food cached outside of town? Do you have multiple escape routes mapped out in case of a traffic jam? Do you have enough gas? Or are you completely ready to Bug In?

What to remember from this lesson: Don’t wait until it is too late to establish your trigger points. Pray to our Heavenly Father about them, discuss them with those important to you, and be prepared to act upon them. Heck, I’d even recommend a few practice runs!

Lesson #6: Be active in your community.

Since JWR gives so much to the survival community, I didn’t hesitate to write my post attempting to help him slow down the page reloads on the day of the DoS attack.  Patrice Lewis over at Rural Revolution wrote something as well and the survival community was clued in to the attack within hours. Service to others isn’t just Biblically mandated, it ensures that we as a community survive together.

Reach out to your local community and participate in whatever way you can.  I recently went to a grand opening of our brand new local fire department.  Two of my daughters, along with other Young Women from our church, raised and donated 200 teddy bears for the firefighters to give to children when they lose their belongings in a fire. Go to the local parades, or better yet be in the local parades. Go to Town Hall meetings and get to know your local business owners and politicians.

What to remember from this lesson: no man is an island.  To quote JWR: “The underlying theme to my writings is to be part of an integrated team.  That team might be just a few families living on a cul-de-sac, or it might be a small town. By being competent and confident with firearms, your group will avoid confrontations.  Very few bad guys will mess with someone with a capability to immediately drop them at up to 400 yards.  And if you don't have the willingness to do so yourself, then team up with someone that does.  You can provide other forms of useful and valued support to a group or small community effort. (Agriculture, advanced first aid, mechanics, et cetera.)  Not everyone has to be a warrior.”(6)

Lesson #7: Build your library.

SurvivalBlog offers an incredible wealth of knowledge for free.  It is easily accessible and therefore easy to get in a habit of visiting daily to absorb knowledge and then walk away. With the DoS attack, now we know SurvivalBlog may not always be so convenient to access.  However, with the purchase of an Archive CD, everyone can have an archive of the entire web site (up to 2011) to view at any time on their personal device.

Contained within this archive will be all the posts where folks have recommended other survival or preparedness minded texts such as the terrific SurvivalBlog post by Greg Ellifritz titled: The Best Free Medical References for Preppers which lists nine online texts and 12 hard copy books.  Use the Search feature on SurvivalBlog to find many other recommended archives, texts, guides and manuals.

What to remember from this lesson: whether you store your library in digital format or print it out, don’t wait until the information starts to disappear before you start to grab it all.  With one-terabyte hard drives now at the $99 mark, you can easily store volumes of information.

Lesson #8: Don’t forget there IS evil in the world.

It is easy to get caught up in the daily routines: going to work, taking kids to school, doing chores, helping with homework, church, sports, and hobbies.  You have to remember not to let your guard down because evil does not rest. Keep your skills and gear up-to-date. Teach those you love the same.  Sure, not everything is avoidable but...we can fight it.  As Ted Nugent said in January 2011, “Be prepared for evil. Rather than trying to fathom it, just be ready to stop it.”(7)

What to remember from this lesson: Don’t let your guard down...there is too much at stake.

Lesson #9: There will always be doubters.

As simple and straightforward as our posts on the DoS attack were, there were still doubters on survival forums questioning whether or not SurvivalBlog was down simply to increase the sales of archive CDs.  Seriously?!?  There will always be doubters, or “scoffers” as the Bible calls them.  "Knowing this first: that scoffers will come in the last days, walking according to their own lusts, and saying, "Where is the promise of His coming? For since the fathers fell asleep, all things continue as they were from the beginning of creation." For this they willfully forget: that by the word of God the heavens were of old, and the earth standing out of water and in the water, by which the world that then existed perished, being flooded with water" (2 Peter 3:3-6).

Doubters will tell you it is pointless to prepare.  They will distract you from your mission and perhaps even impede you.  How do you deal with a doubter in your life?  "Cast out the scoffer, and contention will leave; yes, strife and reproach will cease" (Proverbs 22:10). Show them the door and perhaps even let it tap their behind on the way out.  Might make you feel better. It would me.  I’m just sayin’...

What to remember from this lesson: doubters do not care about solving a problem or learning, they feed on promoting doubt.  Walk away and leave them hungry.

Lesson #10: Do what you can, leave the rest to Him.

It was around 2130 (MST) when I received a reply from Avalanche Lily regarding the ongoing DoS attack. She casually mentioned that she was reading my e-mail to JWR as he was heading off to bed. He wasn’t staying up, around the clock, fretting what to do about his very popular web site.  No doubt the e-mails were beginning to pour into his in box.  His expertise told him to get some rest.  He knew the problem would still be waiting for him in the morning.

What to remember from this lesson: Do what you can, when you can but always know that through Him all things are possible.

In summation, these are some of the lessons I gleaned from the cause and effect of SurvivalBlog being down.  I didn’t intend on it to end so “churchy” but I won’t apologize for it either.   If this post helps one person out there then I will consider my contribution to SurvivalBlog a success.  Thank you to the Rawles family and all that you do for this community.  And thank you to the advertisers as well.

Works Cited:

1. Update on the Recent Distributed Denial of Service (DDoS) Attack on SurvivalBlog, May 29, 2012.

2. Sun Tzu - The Art of War translated by Lionel Giles, available for free download here (60 kb text only version).

3. Two is One, One is None...Be Redundant; The Orange Jeep Dad blog, Feb. 22, 2011.

4. "Patriots: A Novel of Survival in the Coming Collapse" by James W. Rawles; Ulysses Press, 2009.

5. Joel Skousen: The Origins of May Day and the Commies, YouTube Video, May 1, 2012

6. Letter Re: A Non-Warrior Surviving Traumatic Times;

7. Nugent: Be prepared for evil. The Washington Times, Jan 11, 2011.


Monday, June 4, 2012


Mr. Rawles:
I've noticed that you haven't mentioned many details about where you live, or much about your daily life, like most other blogs do. Just curious. - R.K. in Alabama

JWR Replies: I try not to clutter my blog with daily minutiae. Since SurvivalBlog is intended to be educational, I try to stick to the preparedness issues at hand, as much as possible. That means downplaying politics and minimizing posts with detailed descriptions of what I'm eating, the eccentricities of our pets, my favorite music, and so forth. There are plenty of other blogs out there in the blogosphere for that.

To maintain our family's privacy, we are forced to be very circumspect. For OPSEC reasons, I never post pictures of my family members, our vehicles, our house, our livestock, or our ranch. In past years, we had some undesirable contacts with stalkers, so we were forced to go "down periscope." Given the nature of my blog, this heightened privacy posture is a must, for our personal safety. But here is what I can tell you about our lives, in a nutshell:

We live year-round at a ranch west of the Rockies, inside the American Redoubt.

The ranch is less than 100 acres, but it is surrounded by public land. This provides the ultimate "big backyard" for hunting and cutting firewood. To heat our home, we burn mainly Red Fir and Western Larch. (The latter is commonly called Tamarack, although technically it isn't.) On the ranch and within just a couple of miles of it, there is truly a lifetime supply of both varieties--either dead-fallen or dead-standing.

The ranch is fully fenced and cross-fenced. About half of it is sub-irrigated and provides excellent pasture. We raise dairy cattle and small livestock, we keep poultry, we have dozens of fruit and nut trees, and we have a very large fenced garden with extra-tall posts for our deer fence. The majority of my time is spent writing, editing and ranch chores, but I assist my wife with her dairying, cheese, butter and yogurt making, as well as dehydrating, freezing, and canning the bounty from our land. The majority of my wife's time is spent homeschooling our kids. We homeschool using the classical model.

Our ranch is nearly 30 miles from the nearest town. That can be inconvenient, at times. The area is quite scenic, but we live at fairly low elevation so we enjoy a reasonably-long growing season. A river passes through the back end of the property.

We have a three year stored food supply that could easily be extended to serve us for much longer when supplemented with butchered livestock, wild game, wild huckleberries, and our garden produce.

We don't live in a bunker or in any sort of multi-family compound. Nor do we live at the idealized level of self-sufficiency and preparedness that is portrayed in my novels.

We faithfully attend a local Christian church that maintains Reformed distinctives. Our church supports a large number of missionaries. We also independently help support a Christian mission school in rural Zambia.

Two years ago, just a year after the untimely passing of my wife Linda ("The Memsahib"), I married a lovely young outdoorsy widow, who in the blog is called "Avalanche Lily." She had been widowed for several years, and already had children of her own. Our family is now quite large with children ranging from grade school age to college age. All of our children have been and will continue to be exclusively home schooled through the 12th grade.

We don't own a television, nor do we want one. We enjoy an eclectic mix of music, primarily via iTunes. We have nearly a dozen shortwave radios, many of which are transformerless AC-DC All-American Five designs. (International shortwave listening has been one of my passions since I was in junior high school.) One nice thing about our locale is that we are in an electromagnetic quiet zone. This makes for outstanding shortwave and AM DXing.

At the ranch we primarily use MURS band radios for intrusion detection (with a Dakota Alert), our everyday chores, hiking, horseback riding, and hunting. We also have 2 meter, 6 meter, and HF rigs. Several family members are licensed ham radio operators, but you won't find us in any of the ham callsign databases like QRZ.com.

For our privacy, I selected a Vonage telephone number with a 510 prefix. That is a prefix normally associated with Northern California. That phone prefix often confuses mass media reporters and my consulting clients. (We don't live in California.)

Also for our privacy, we have our mail forwarded from a post office box in Moyie Springs, Idaho. We don't live anywhere near there. This address is often a source of confusion. I regularly get e-mails from readers, mentioning that they will be "passing through" Moyie Springs, and saying that they'd like to meet me for lunch or dinner. That would be a very long drive for me!

We do our best to lead a quiet, humble, Christ-centered life. Living in the hinterboonies has its drawbacks, but we wouldn't trade it for anything in the world. We are never moving back to the suburbs!


Tuesday, May 22, 2012


James:
About a year ago I remember reading a personal account in SurvivalBlog about a home invasion/robbery in Florida that went terribly wrong. I remember thinking it was almost surreal in the way it unfolded and thought things like that only happened in third world countries. It was an eye opening experience and something that made me rethink the way I handled myself in a place I considered to be secure by default. A few months ago my eyes were opened again when someone in one of my coworkers' neighborhoods went through a similar experience. I am not trying to kid myself into believing I live in some illusion of safety. I live within 60 miles of the Texas/Mexico border. And because of this, home invasions have become highly sophisticated in my area. Gangs, for lack of a better word, who were loosely affiliated with cartels would use home invasions as a tool to hijack drug shipments from rivals at safe-houses and as a profitable way to kidnap "undocumented migrant workers" (illegal aliens) from smugglers. The thought was that most of these occurrences were contained to people who were doing something illegal and that civilians were immune. Most of these people would never go to the police because they themselves were breaking the law. In recent months this has changed. Apparently, with the war on drugs in Mexico reaching new levels of violence and the upcoming summer elections, these enterprising individuals have decided to expand their range of victims.

One afternoon, in a quiet neighborhood in Brownsville, Texas, four armed men pulled up to a house while most people were at work. They put on ski masks and rang the doorbell making sure to obstruct the security eyepiece enough to obfuscate their intent. A maid opened the door and the four men burst into the house. They quickly took control over the situation by restraining her and searching the house. After searching the house and collecting any valuables, (including a handgun in the nightstand) the offenders waited for the homeowner to return home. At some point, the homeowner called the house to tell the maid that he would be arriving soon with groceries. The maid, while being held at gunpoint, was forced to make the homeowner feel like nothing was wrong. Once the homeowner arrived with his wife and child, they were immediately overpowered and captured upon entering the house. The offenders forced the man at gunpoint to go from room to room opening two floor safes and one gun safe while they plundered jewelry, cash and firearms. After they had gathered all the valuables, the offenders determined that they wanted more. So, at this point, three of the men held the homeowner's family hostage while one of the men drove the homeowner to three different banks where he made large cash withdrawals. The homeowner was constantly reminded that if he tried to alert a teller or signal for help that the men at the house would murder his family. They returned home with the money, tied the family to furniture in the living room, and left with the warning that if they called law enforcement they would be back. They had explained that they had the house and the family under surveillance for weeks leading up to this event. An entire week went by before the family alerted law enforcement out of fear for their lives and now the story is slowly being made public knowledge as police search for tips and clues into the crime.

Nothing is going to fix what happened, but you can draw some lessons from it.

Lesson 1. Availability of Information

There are several things that I would like to discuss and address as possible lessons that can be taken away from this entire experience. In my occupation, I have to address many different aspects in the implementation of social engineering as a tool to both bypass and overcome security measures. The most valuable single resource that anyone has is information. What strikes me as very alarming is the amount of information that was available to the offenders in this case. They knew when to strike. They knew that there would be a valuable payload inside of the house. They knew what banks he had accounts at, when he got home, what routes he drove and how many people were in the house. They knew the names of his wife and children. They knew when the maid was going to be the only person in the house. They knew the location of the alarm pad. They even knew where the security camera DVR was located so they could collect it when they were done (we will discuss this later). The first lesson should be protecting as much of this information as possible. The amount of resources available to any member of society at their open personal disposal is just frightening. Without knowing anything about you, I could pull your property tax information from the county tax office based on your address and work backwards through a web site like Spokeo or Maltego to determine how much you make, how many people reside in your house, where you work and what you drive. Most of this can be determined just by grabbing the mail out of your mailbox one afternoon before you are even home from work.

What's the point of this? Don't make it easy for them. Use opt-out services to protect personal information. Buy a security-mailbox. Better yet: get a P.O. Box! Don't disclose all your personal information on a raffle entry that Dr. Pepper and Coca Cola emailed you last week for a chance to win a free jet ski! Information security is something that takes very little effort but can make a huge difference. I am not a counter-terrorism or counter-surveillance expert, but I point out a few things that make a huge difference in those who would intend to do harm to you past protecting your credit. James Wesley Rawles is always warning about OPSEC but just because you don't disclose your phone number to the girl at the local Pizza Hut doesn't mean that you aren't doing 10 times as much damage by filling out a registration form online with your biographical information.

GPS scrubbing your pictures is another thing that is rarely mentioned. Many people post pictures directly to the internet (example Facebook) from their smartphones without first converting the image or at least running it through a program to remove tagged information. One of the most common law enforcement forensic practices is to lift GPS location data from pictures to give information on suspects. Criminals aren't stupid. They are doing the same thing. While you think it might be fun to take a picture of your fully loaded gun safe and upload it to your favorite apocalyptic survival blog, please understand that there is personal information encoded in that picture from your smart phone. Might be something you might want to address.

Lesson 2. Availability of Access

I believe Mr. Rawles and others have discussed fortifying your house with large planters, thorny bushes and even cleverly concealed cement embankments. My question is why not take this one step further when it comes to your main point of entry? I am not suggesting driving 4 foot railroad ties into your front yard hidden under lawn gnomes like tank traps, but why not install a front door entry gate? A front entry gate is probably the single best investment you can make from the perspective of additional space from contact. This will give you an extra degree of separation from any random person who rings your doorbell from a trick-or-treater to a guy looking to hit you in the head with a pipe and score your wallet. You can buy one at your local Home Depot or Lowe's and they cost less to install than a security camera system or connected intercom. This is probably one of the most important home improvements you can consider making if your Homeowners Association allows it. (Yes Mr. Rawles, I can hear you screaming "move!" as I type this.)

What I also want to mention here, and I believe has been mentioned before on this site, is being aware of who you let into your house. Over the recent years, I have become increasingly suspicious of the contractors that have come into my house to do repair and construction work. While various web sites exist to do background checks on reputable companies, nothing can give a window into human intent for the individual employee. How do I know the electrician's apprentice who comes into my house to fix a bad breaker box isn't looking at my house as his friend's next possible target? It still boggles me that the robbers in my example knew exactly where the security camera DVR was without searching for it. Be cautious about the individuals you allow access to your house and definitely try to conceal valuables. There is no reason your wife's jewelry collection should be left out on the dresser while the plumber is walking by to get to the master bathroom. At least restrict unsupervised access to areas of your house where a worker should not have access to. I believe this is one of the common "casing" tactics used by the operation in Florida that netted over 12 million dollars in stolen merchandise. Try to at least prevent the common mistakes and make it hard for them to do surveillance work. It might even eliminate you as a target.

Lesson 3. Predictability and Foresight

I believe I have to pay some credence to Kenneth Royce (aka. Boston T. Party) in this respect. I try not to take the same route home from work every day if possible. I try not to set myself up in a situation where I can be easily predicted, stalked, cornered, ambushed and abducted. I was in Mexico City some years back for an extended period of time and this has become standard operating procedure. I could write a whole post about the things you learn in a foreign country, but I am sure others could do it better. I am not overly paranoid and actually try to live my life fairly laid back. Kidnappings and Ransom became a way of life in Mexico. I hate to reference Hollywood, but see the movie Man on Fire and multiply it times 10. Criminal gangs do not go for the high value hard targets with ninja style SWAT team assaults. They are much happier putting in as little work as possible to grab the low hanging fruit. They are more than happy to go after middle managers and engineers (and their families) than they would be to go after plant managers and CEOs. Middle class individuals with a medium net income lack the tools and resources to protect themselves as well as a higher income individual with more to protect. Criminals do not mind, they will not starve. So for 1/10th of the risk, they will just hit 4 middle class families to reap just as much reward. Please do not think you are immune.

Have the foresight to see problems before they occur. The late Colonel Jeff Cooper always talked about levels of alertness -- in a Color Code. This is not about being relaxed or being on edge, it's about being conscious of your surroundings. The best advice that he gave was to know when something feels out of place and react to it. - Matt in Texas
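
The "program to remove tagged information" mentioned under Lesson 1 of the letter above can be quite small. This added example (not part of the original letter) walks a JPEG's header segments using only the Python standard library, reports whether an Exif GPS directory is present, and rewrites the file without its Exif/XMP and IPTC segments; the sample bytes and all function names are constructed for illustration.

```python
import struct

SOS, APP1, APP13 = 0xDA, 0xE1, 0xED
GPS_IFD_TAG = 0x8825  # Exif tag in IFD0 that points at the GPS sub-directory


def segments(data):
    """Yield (marker, start, end) for each header segment before the image scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing start-of-image marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:  # compressed pixel data follows; no more metadata
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length  # the length field counts its own two bytes
        if length < 2 or end > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        yield marker, pos, end
        pos = end


def gps_ifd_offset(data):
    """Return the offset of the GPS directory inside the Exif block, or None."""
    for marker, start, end in segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or payload[:6] != b"Exif\x00\x00":
            continue
        tiff = payload[6:]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte order
        if order is None:
            continue
        try:
            magic, ifd0 = struct.unpack(order + "HI", tiff[2:8])
            (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
            for i in range(count if magic == 42 else 0):
                entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
                tag, _type, _n, value = struct.unpack(order + "HHII", entry)
                if tag == GPS_IFD_TAG:
                    return value
        except struct.error:  # malformed Exif: unreadable here, still stripped below
            continue
    return None


def strip_metadata(data):
    """Return the JPEG with Exif/XMP (APP1) and IPTC (APP13) segments removed."""
    out = bytearray(b"\xff\xd8")
    end = 2
    for marker, start, stop in segments(data):
        if marker not in (APP1, APP13):
            out += data[start:stop]
        end = stop
    out += data[end:]  # scan data and end-of-image marker, copied untouched
    return bytes(out)


def build_sample():
    """Constructed JPEG-structured bytes (not a viewable photo) with a GPS tag."""
    gps_ifd = (struct.pack("<H", 1) + struct.pack("<HHI", 1, 2, 2)
               + b"N\x00\x00\x00" + struct.pack("<I", 0))  # GPSLatitudeRef = "N"
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0))
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    exif = b"Exif\x00\x00" + tiff
    app0 = (b"\xff\xe0" + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    scan = b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\x56" + b"\xff\xd9"
    return b"\xff\xd8" + app0 + app1 + scan


if __name__ == "__main__":
    photo = build_sample()
    print("GPS directory before:", gps_ifd_offset(photo))
    print("GPS directory after: ", gps_ifd_offset(strip_metadata(photo)))
```

Dropping the whole Exif block also removes the orientation tag, so some viewers may display the cleaned photo rotated.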


Saturday, May 19, 2012


James:
I too am a 25 year IT veteran with the last 14 years specializing in information security.  I am currently in the process of completing a PhD in the field.  There is nothing that currently exists that can save us from the coming cyber attack that will devastate our infrastructure.  The security vulnerabilities are legion.  Our only hope is the Lord and using the good minds He gave us to become self-sufficient.  The vain attempts of Homeland Security and the National Security Agency have only resulted in a loss of our personal freedom and privacy.  The more I learn, the more I know how vulnerable we are.  I spent a couple of years being extremely depressed about our inability to protect ourselves from a technological perspective, now I’m all about action and it has nothing to do with technology.  It has to do with striving for total independence – off the grid living – and zero trust in the established government for protection.  There is no such thing as security.  There is no such thing as privacy.  There is only God.  Maranatha – Lord come quickly.  - C.J.


Friday, May 18, 2012


Computers are the exposed backbone of America’s infrastructure. They are new technology with big holes that is under attack from very skilled and motivated people who mean our country harm.  Yet, we trust them to provide almost every service our modern life requires.

I’ve spent the last 13 years as a computer security expert for a large telecom, and I would like to convince you that today your family's ability to survive is dependent on fragile and over-trusted systems.
Preppers have historically had distrust for computing technology. Y2K was a real risk, but since it seemed to be overblown, a catastrophic computer-centric risk has fallen off the radar of many.  A cyber attack should rank up there with many other potential Black Swan risks (solar flares, economic collapse, etc).

Today, most everything the average American depends on to sustain life is run by some computer or another.  Some examples:
• Wal-mart or your local grocery store cannot provide just-in-time food delivery to its stores without complex computerized logistics systems.
• Your municipality cannot pipe water to your house or sewage from your house without computer-controlled pumps.
• Your bank cannot issue you paper money or process credit card transactions without computerized accounting systems.
• Your electrical and gas provider cannot provide power or heat to your house without computer controlled generation and distribution systems.

It's important to know that there are no manual backups to these systems.  In a race for efficiency, businesses have gotten rid of any real redundancy to the automation offered by computers.  85% of "critical infrastructure" is privately managed by businesses that have no economic incentive for manual backups to these automated functions.  Simply put, if they massively fail, society massively fails.
Today, these important computer systems are under attack.  I'd like to let you know what the view is from my front row seat. First, let's start with a brief history of cyber risks in three short acts:
1. Cyber Fun: All early attacks on computing systems seemed to start with someone saying, “Gee, I wonder if I can do that?”  Curiosity drove early floppy-net based viruses, internet-based malware like the Morris Worm, and even famous early hackers like Kevin Mitnick or Steve Wozniak. That's not to say these hackers were right or these viruses didn't cause harm.  The Blaster virus may have knocked out the power grid in 2003, and the I Love You virus may have caused $5 Billion in global economic damage.   That harm seemed to be accidental, though, not motivated by profit or malice.
2. Cyber Crime: Somewhere around 2000, we started to see widespread malicious software written for profit.  It might be spyware that causes pop-ups, trojans that hijack your computer to send spam, or it could be more serious.  They organize these hijacked computers into massive groups called botnets that they can remote control to steal identities and empty bank accounts.    There are serious criminals and organized gangs stealing billions every year this way. This is scary stuff, no doubt.  However, you need to remember two things about attacks for profit: 1) The losses are generally covered by your bank or credit card company, and 2) hackers motivated by profit have every incentive for everything to stay up: if they crash your computer, your bank or the whole internet, they can't make any money.
3. Cyber Attacks: Not to say that stealing is not malicious, but the for-profit hacker probably has nothing against you or your country personally.   There is an emerging type of attack in the computer security world that is much more scary.  Some call it cyber-warfare or cyber-terrorism, but I find those terms muddy the issue more than clarify.  Let's just say they want to do bad things solely for the purpose of hurting you or hurting your country.

We have clearly moved into an era where there is an increasing likelihood that this is a serious threat to our country's security and your personal welfare.
We are now in the age of Cyber Attacks.  Recently, we saw the Chinese breach RSA, then leverage what they gained to break into Lockheed Martin, L-3 Communications, and Northrop Grumman.  These attackers used a personally targeted attack called an Advanced Persistent Threat (APT).  Instead of casting a wide net to get as many computers as possible, they will write an attack to go after a select set of people at a certain company.
An APT is very hard to defend against because it can be malicious software no one has ever seen before, making Anti-Virus software largely useless.   Today, most companies are largely powerless to stop an APT without radically changing how they do business.

Most of these attacks are not trying to take out infrastructure... yet.  However, the massive botnets of computers that have been built for profit could easily be used for more malicious purposes, or an APT is an obvious vector of attack to critical infrastructure. It gets worse, though. In the same race for efficiency that got rid of manual backups, companies have gotten rid of separate networks that keep critical infrastructure separate from the average employee checking his email.  This puts the Programmable Logic Controllers (PLCs) and other systems built decades ago and never patched on the same network as machines connected directly to the internet.  Even worse, this researcher found 10,000 PLCs directly reachable from the Internet.

Stuxnet was the shot over the bow and a wake-up call for what to expect from this new era of attacks.  There has been much reported about it (including here and on 60 Minutes), but here are the important details about Stuxnet:
1. It was light years more complex than malicious software we've ever seen before.  It's now "in the wild" for others to reverse engineer.
2. It was written by a nation-state targeting another nation-state.  It was probably written by US or Israeli intelligence, and was definitely meant to (and probably did) cause substantial harm to the Iranian nuclear program.
3. Its purpose was to destroy things in the physical world.  It targeted PLCs, which control everything from power plants to pipelines to dams.
From my experience and what experts are saying, we are utterly unprepared for something like this to attack America.  If something like Stuxnet was targeted against the right systems in our country, the outcome could be catastrophic.
Some people are demonstrating what can be done: one security researcher was able to unlock prison doors remotely, another with no experience with PLCs was able to cause explosions after accessing one. There is good evidence to suggest the US critical infrastructure is already being targeted.   Targeted attacks against utility providers are on the rise, with at least some "nation-state actors that have unlimited funding available and conduct espionage as they establish a covert presence on a sensitive network."

Let me be utterly clear about one thing: the reason that America's critical infrastructure has not been knocked out is not because it is well protected, it's because the proper mix of motivations and capabilities has not been realized yet.  Similarly, in 1939, the reason the French had not been overrun by the Germans was not the Maginot Line, it was because the German Army wasn't quite ready to do it.
The capabilities to mount a cyber attack are spreading exponentially.  Many countries of the world are turning out very capable and very underpaid computer scientists. Motivations to hurt America don't seem to be on the decline.

All of this leads me to agree with Brian Snow, Former NSA Technical Director, when he says he believes we are in a "Trust Bubble" (6:03 in the video) much like the Credit Derivative Bubble that recently burst in the financial markets.  This requires a little explanation.  For example, let's think about the people and systems you trust every time you buy a book on Amazon:
• The company that designed and manufactured the parts of your computer and any computer with which you are communicating.
• The army of programmers that wrote the operating system and applications you use.
• The companies that manage the networks that all your communications traverse.
• The companies that issue certificates to encrypt your data and "sign" applications to be safe.

The problem is there is an amazing lack of analysis on the actual trustworthiness of any of these things.   Just like we trusted Wall Street to understand the risks of CDO Swaps, we today trust computers we don't understand, designed and run by people we know nothing about, to run our whole society.  This blind trust is what Director Snow calls the Trust Bubble.   He expects this bubble could burst in the next 18 months to 5 years.
Now, I don't take a Skynet-like approach to this.  The computers aren't going to take over.  I fear evil people will use computing technology to hurt other people on a mass scale.
So what do we do? While there are some good things you can do to protect your personal computers and privacy, there is nothing you can personally do to protect the systems that provide you phone service, generate your electricity, or deliver your water or sewer services.

Should a properly motivated and skilled attacker decide to take those out, I assure you that your bank or utility provider is not prepared to stop them, or perhaps more chillingly, recover from the attack.  How many spare generators do you imagine your power utility has on hand?  How long would it take to repair an exploded gasoline refinery?
Here are a few things the answer is not:
• Filter everything on the internet in the name of national security.  Iran did that.  It is guaranteed not to work, and guaranteed to reduce our personal liberty.
• Patch the holes.  Patching is good, but nowhere near enough.  It is always reactive to known holes and too slow (Microsoft recently patched a 17-year-old vulnerability), and many of the PLCs weren't even built to be patchable.
• Put up more separations. Firewalls quickly turn leaky and even separating (air gapping) their computers from the Internet didn't help the Iranians.
• Trust a government program to fix it.  Regardless of your political views, even the government agrees they are bad at this. Do you really want the TSA of Computer Security?
The only answer I know is personal resiliency.  Resiliency for your family that shouldn't have to be reliant on poorly managed computers running poorly written software to drink clean water, flush a toilet, buy something, or stay warm.   Don't rely on your bank, utilities or government for your family's survival.

What if you spent the next $20 or $200 or $2,000 you would normally spend on technology (computer, phone, car, power tool, etc) and instead invested it in things that can't be taken away from you by a skilled hacker?
• Stored food
• The ability to heat your home while the grid is down
• Stored water and the ability to filter dirty water
• Guns and other tools to protect your family
• First Aid supplies

I'd like to close with a few words of spiritual reflection for my Christian brothers and sisters: I like technology.  I'm a geek who believes all technology from the cotton gin, to cars, to iPhones to be a gift from God.  However, I've learned a truth about God's gifts, including technology:  the better a gift from God is the easier it is for it to become something we trust in more than God. I am reminded of the Psalmist when he talked about that great technology of his time, the chariot:
Some trust in chariots and some in horses, but we trust in the name of the LORD our God. (Psalm 20:7 ESV)
There is no technology that will save us -- not a chariot or a computer.  Our hope is Jesus and following His wisdom and plan for us.


Thursday, May 3, 2012


JWR:
One concern I have is that if I were to record unconstitutional actions by police, would my phone be seized and the videos erased?

One solution may be to record via internet stream. Then they would have to also think to take an extra step of checking for the software and logging into your account to delete your videos. Meanwhile, you could call someone from jail and request they copy the video before it gets deleted.

I found a review of the three different sites.

I recommend that you keep your recorder software signed in and ready to go and use quick locking/unlocking on the phone itself.

Even so, I urge you to comply with all written recording laws. This advice would only apply for situations where it's not technically illegal but which might happen anyway. After all, they're acting unconstitutionally in the first place! - C.D.V.


Friday, April 27, 2012


SurvivalBlog readers:
If you have a fairly recently manufactured computer, there is no reason to expose your computer to malware at all. Most computers are powerful enough to host a "virtual machine" (VM) - that is, a session that is completely isolated from the hosting computer and that does not make any permanent changes to your system without your express command. VMs can be modified, saved and discarded as you wish. If you are browsing the web using a VM and suspect that you have encountered a virus or malware, simply discard that session and start a new one. There are many tutorials on the 'net that give step-by-step instructions on how to set up and maintain VMs on your home computer. I use VMs on a decade-old hand-me-down office PC running Windows XP. If that old clunker can handle it, yours probably can as well.

Respectfully, - Dr. John G.


Thursday, April 26, 2012


Hello, Mr Rawles:
I saw the Odds 'n Sods piece where Michael Z. Williamson forwarded an article on the warning about "thousands of PCs infected" to lose Internet access that refers people to www.dcwg.org. I read the article.

Sorry, but I don't trust going to such a site. It could easily be a government-based data collection site. It's amazing how much information is passed along with simply browsing a web site. dcwg.org is registered to someone in Cupertino, California.

I found that www.DNS-OK.us will give the same information about whether a system is infected or not. That site is registered to Paul Vixie, whom the article refers to as their consultant. Vixie's site will give you a green colored screen if you are clear and a red colored screen if you are infected. His site does warn that if your Internet Service Provider (ISP) redirects DNS, the Domain Name System, your computer might pass the test yet still have the infection. It seems that only Windows systems were affected, although ISPs could have been and they're used by other systems, such as Linux and Mac systems.

After checking Vixie's site, the easiest way to know if you may yet be infected is to check your DNS server addresses against the FBI's bad list:

85.255.112.0 to 85.255.127.255 --------> 85.255.112-127.0-255
67.210.0.0 to 67.210.15.255 -----------> 67.210.0-15.0-255
93.188.160.0 to 93.188.167.255 --------> 93.188.160-167.0-255
77.67.83.0 to 77.67.83.255 ------------> 77.67.83.0-255
213.109.64.0 to 213.109.79.255 --------> 213.109.64-79.0-255
64.28.176.0 to 64.28.191.255 ----------> 64.28.176-191.0-255

For those who do not know about Internet Protocol (IP) addresses, notice that they contain four numbered parts with periods separating each part, sometimes called a dotted list. Each part will be a number in the range 0 to 255 inclusive. On the right I have denoted them as dotted range lists. For instance, if the first two or three dot-separated numbers, e.g., 85.255 or 77.67.83, do not match your DNS numbers then you are clear. If any in the bad list do match, the rest of the entry shows the ranges of the bad numbers. For instance, if your DNS server number starts with 85.255, then the third number must be between 112 and 127 inclusive to be a match in the bad list. If that third number matches then the fourth number is a guaranteed match.

Windows users can find out their DNS server IP addresses by opening the Start menu and selecting the Run option in the list. Type "cmd" and press ENTER. A window running cmd.exe will open. At the command prompt type "ipconfig /all" and press ENTER. At the end of the output will be a list of DNS Servers. Check the DNS IP address numbers against the bad list. One address could be the router's address, typically beginning with 192.168. If that's in the list of server addresses, you may have to log in to your router to see what it denotes as its server. The router connects to the ISP, which does the real Internet access.

To check the DNS server that your ISP gave your router, log in to the router. Start a web browser, click your mouse pointer in the location box, erase whatever is already in there, and type the IP address that ipconfig showed as the "Default Gateway."

The router's web page may prompt for your router's login name and password. If you did not change the login info from the initial settings that came from the router manufacturer, shame on you! Those names and passwords are documented and well known to system crackers -- check your router's manual. That would be the way someone could have changed yours. Enter your name and password and check your DNS Server's IP address against the bad list.

If the router's DNS address is on the bad list, call your ISP's technical support immediately. Should you get the red screen on Paul Vixie's site instead of the green, or one of your own system's DNS addresses is on the bad list, you may have to reformat your disk drive and reinstall your operating system, all your software, and your data files. You should have a backup of your important files stored somewhere so that reinstalling is merely an inconvenient, time-consuming pain, but you are not left out in the cold. Be careful of a simple restore of your entire operating system from your backup because you may have backed up the infected system and you would just reinfect it with the restore. Safest to start from scratch. Install your operating system and the various programs you use from the manufacturer's disks.

If you're not familiar with these operations, consider consulting a friend, relative, or neighbor who is familiar or contracting with a computer professional to help. - Larry R.
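The manual check described in the letter above can be scripted. The following Python is an added example, not part of the original letter: it pulls the DNS server addresses out of `ipconfig /all` output, tests them against the letter's dotted range lists, and flags a private (router) address as needing the router-side check. The `ipconfig` sample is constructed, English-language Windows output is assumed, and the function names are hypothetical.

```python
import ipaddress
import re

# Dotted range lists copied from the right-hand column of the letter's bad list.
BAD_DNS_RANGES = [
    "85.255.112-127.0-255",
    "67.210.0-15.0-255",
    "93.188.160-167.0-255",
    "77.67.83.0-255",
    "213.109.64-79.0-255",
    "64.28.176-191.0-255",
]

# Private ranges a home router normally hands out as the DNS address.
ROUTER_NETS = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# An ipconfig detail line looks like "   Label . . . . . : value".
LABELLED = re.compile(r"^\s*(?P<label>[^.:]+?)[ .]*\.\s:\s?(?P<value>.*)$")

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.114.13
                                       192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_dotted_range(spec):
    """Turn '85.255.112-127.0-255' into four (low, high) octet bounds."""
    bounds = []
    for part in spec.split("."):
        low, _, high = part.partition("-")
        bounds.append((int(low), int(high or low)))
    if len(bounds) != 4:
        raise ValueError("expected four dot-separated parts: %r" % spec)
    return bounds


_BOUNDS = [parse_dotted_range(spec) for spec in BAD_DNS_RANGES]


def classify(address):
    """Return 'BAD', 'CHECK_ROUTER' or 'NOT_LISTED' for one IPv4 address."""
    ip = ipaddress.IPv4Address(address)  # raises ValueError if malformed
    for bounds in _BOUNDS:
        # Same test the letter describes: every octet inside its range.
        if all(lo <= octet <= hi for octet, (lo, hi) in zip(ip.packed, bounds)):
            return "BAD"
    if any(ip in net for net in ROUTER_NETS):
        return "CHECK_ROUTER"  # the router's own upstream DNS must be checked
    return "NOT_LISTED"


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_dns_servers(ipconfig_text):
    """Collect IPv4 DNS servers, including unlabelled continuation lines."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        match = LABELLED.match(line)
        if match:
            in_dns = match.group("label").strip() == "DNS Servers"
            text = match.group("value")
        elif in_dns and line.strip():
            text = line  # further servers are listed without a label
        else:
            in_dns = False
            continue
        if in_dns:
            servers.extend(a for a in IPV4.findall(text) if _is_ipv4(a))
    return servers


def check_ipconfig(ipconfig_text):
    """Return [(address, verdict), ...] for every DNS server found."""
    return [(addr, classify(addr)) for addr in parse_dns_servers(ipconfig_text)]


if __name__ == "__main__":
    for addr, verdict in check_ipconfig(SAMPLE_IPCONFIG):
        print(f"{addr:<16} {verdict}")
```

A `CHECK_ROUTER` verdict only means the computer is asking the router; the address the router itself uses still has to be read from the router's web page and passed to `classify`.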


Tuesday, March 27, 2012


Jim:
Regarding the post of the guy in California that Google can take a photo from the public street, and see his electric meter and objects in his open windows: the problem is not so much Google as his choice to live so close to a public road that anyone could do this.  I used Street View to "sorta" see my gate, and that is all you can see--just a gate. Google Maps' satellite photos show far more detail about the layout of my "spread", though the detail is fairly fuzzy. - Andy G.


Monday, March 26, 2012


Dear Editor:
A few years ago I blocked out the views of my house from Google Street View.  However, I recently discovered that the Street View vehicle had taken updated pictures of my street, and my house was again visible, and in much greater detail!  I was actually able to read my electrical meter from Street View and view objects inside of my house by zooming in on windows that were open.  It also appears that the Street View cameras are much higher than the previous vehicle; based on the height of a pedestrian on my street, the cameras look to be at least 8 feet off the ground.  So your 6 foot tall privacy fence may be mooted by the camera being able to peer over your fence.  

I would suggest to fellow readers that they should periodically review Street View and other services, like Spokeo, to ensure that they are not being displayed for all the world to see.

I have noticed that in the last few months there has been an increase in suspicious activity on my street, and I thwarted a break-in attempt a few months ago - oddly enough, after the time the updated street view pictures were taken!! (thank the Lord I had a pistol on my person).  A thief no longer needs to case your house out from the street - Google Street view does it for them!

To remove your home from Street View:

1) Find your address on Google Maps, and then zoom until the map flips from top-down to the 'Street View'
2) Center your house in the street view
3) Find the very hard to read "Report a Problem" text on the lower left corner of the Street View & click
4) A new screen should popup (a new tab for me, you may need to turn off a pop-up blocker).
5) Click "Privacy Concern", and then "My House" and then "I have found a picture of my house and would like it blurred"
6) Fill out the description field - I've cited recent theft attempts
7) Fill in an e-mail address - I would suggest using a fake e-mail address so that you are not telling Google what e-mail address lives at your house.  (Side Note: Make sure your wi-fi is locked down, as they are probably sniffing this at the same time as well).
8) At this point you will see why we centered your house earlier - there is a red box around the center of your house in the image.  Please note that you can adjust the red box from this screen as well, but the view is much smaller.
9) Fill out the word verification, and then hit submit
10) This is the most important step: you need to move the Street view up and down your street, and repeat this process from every part of the road that can see your house.  I had to make 8 separate privacy submissions to fully block my house from Google Street View.  To move the street view, there should be two or more white arrows on the road - click them, and you should see your location change.

- Nate in California


Tuesday, March 20, 2012


JWR:
Can you let your readers know what the names, identifying characteristics, and other information are that we can use to check and see if we have the FBI installed cookies on our machines? Thanks, - J.V.

Web Forensics Expert Mr. X. Replies: First let me explain how to look for cookies.  The easiest way IMHO (there is more than one way to skin a cat, my favorite method involves using high-pressure air...) because it is easy and anybody can do it with little or no chance of [accidentally] nuking their own machine:

In Internet Explorer, go into the File --> Import and Export setting.  You are given a choice of three actions - import from another browser, import from a file, or export to a file.  Choose export to a file and hit "next."  You are given three options to export -- favorites, feeds, and cookies.  Export cookies by selecting the box and clicking next.  Save the file in a location that you can then find.

When you open the file all of the cookies you've used will show up.  And since it's a text file it is searchable.  You can do a search on "FBI" ... I did this and found:

fbi.gov    TRUE    /    FALSE    1394696342    __utma    158289773.903355577.1331260742.1331260742.1331260742.1

fbi.gov    TRUE    /    FALSE    1331626142    __utmb    158289773.3.10.1331260742

fbi.gov    TRUE    /    FALSE    1347392342    __utmz    158289773.1331260742.1.1.utmcsr=dogpile.com|utmccn=(referral)|utmcmd=referral|utmcct=/search/web

So what this tells you is that there is a tracking cookie from the FBI on your machine.  In this case this tracking cookie comes from dogpile.com (see the last line) which is a search engine that I use frequently.  The problem is that you never know what they will call their cookies.  The aforementioned example has nothing to do with your web site at all.  And I've picked up in the past few hours since it's Monday here (I scrub down each weekend) just doing searches for topics at work.

There is a similar method in Firefox but given the number of add-ons for Firefox and the different platforms it is on putting directions for each possible combination in would just confuse most people. 

To eliminate the cookies and history you do that via the Tools --> Internet Options option and check off the "Delete Browsing History On Exit" box and/or hit the "Delete" button in the same space (should be on the opening tab of the Internet Options). 

Yes, the only reason I noticed this was because they have not done anything to try to hide what they are doing.  So the obvious stuff is, well, pretty darn obvious.

There are tools out there like Spybot Search and Destroy that will automatically eliminate the bulk of "bad" tracking cookies that are hidden as well.  There are a number of things you can do to scrub your machine and get very paranoid about your browsing but they are not things that most people should do simply because if you don't know what you are doing you have a good chance of [inadvertently] nuking your machine. 
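As an added example (not part of Mr. X's reply), the Python below parses an exported cookie file in the seven-column, tab-separated layout of the lines quoted above, searches it by domain, and decodes the timestamps and referrer packed into the `__utma` and `__utmz` values. The sample text is constructed from the three quoted lines, the function names are hypothetical, and the `__utm*` field layout is the classic Google Analytics convention, assumed here from the cookie names.

```python
from datetime import datetime, timezone

# Constructed from the three lines quoted in the reply; the columns are
# tab-separated, as they are in an exported cookie file.
SAMPLE_EXPORT = "\n".join([
    "fbi.gov\tTRUE\t/\tFALSE\t1394696342\t__utma\t"
    "158289773.903355577.1331260742.1331260742.1331260742.1",
    "fbi.gov\tTRUE\t/\tFALSE\t1331626142\t__utmb\t"
    "158289773.3.10.1331260742",
    "fbi.gov\tTRUE\t/\tFALSE\t1347392342\t__utmz\t"
    "158289773.1331260742.1.1.utmcsr=dogpile.com|utmccn=(referral)"
    "|utmcmd=referral|utmcct=/search/web",
])

FIELDS = ("domain", "include_subdomains", "path", "secure",
          "expires", "name", "value")


def _utc(epoch_seconds):
    """Convert a Unix timestamp (string or int) to an aware UTC datetime."""
    return datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)


def parse_cookie_export(text):
    """Parse exported cookie lines into dicts; skip comments and junk lines."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS) or not parts[4].isdigit():
            continue  # not a cookie record
        record = dict(zip(FIELDS, parts))
        record["include_subdomains"] = record["include_subdomains"] == "TRUE"
        record["secure"] = record["secure"] == "TRUE"
        record["expires"] = _utc(record["expires"])
        cookies.append(record)
    return cookies


def find_by_domain(cookies, needle):
    """Case-insensitive substring search on the domain column."""
    needle = needle.lower()
    return [c for c in cookies if needle in c["domain"].lower()]


def decode_utm(cookie):
    """Decode __utma / __utmz values; return None for anything else."""
    name, value = cookie["name"], cookie["value"]
    if name == "__utma":
        # domain-hash.visitor-id.first-visit.previous-visit.current-visit.sessions
        _hash, visitor, first, previous, current, sessions = value.split(".")
        return {
            "visitor_id": visitor,
            "first_visit": _utc(first),
            "previous_visit": _utc(previous),
            "current_visit": _utc(current),
            "sessions": int(sessions),
        }
    if name == "__utmz":
        # domain-hash.timestamp.sessions.campaigns.key=value|key=value...
        _hash, stamp, _sessions, _campaigns, pairs = value.split(".", 4)
        fields = dict(pair.split("=", 1) for pair in pairs.split("|"))
        return {
            "recorded": _utc(stamp),
            "source": fields.get("utmcsr"),    # referring site
            "medium": fields.get("utmcmd"),    # e.g. referral, organic
            "campaign": fields.get("utmccn"),
            "content": fields.get("utmcct"),   # path on the referring site
        }
    return None


if __name__ == "__main__":
    for cookie in find_by_domain(parse_cookie_export(SAMPLE_EXPORT), "fbi"):
        print(cookie["domain"], cookie["name"],
              "expires", cookie["expires"].date(), decode_utm(cookie))
```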

 

James:
I read your blog post about the FBI's cookie caper and it brought to mind an overview article about The Onion Router (Tor) that I came across a while back.

Here is a quote from the Tor web site:

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.
Individuals use Tor to keep websites from tracking them and their family members, or to connect to news sites, instant messaging services, or the like when these are blocked by their local Internet providers. Tor's hidden services let users publish web sites and other services without needing to reveal the location of the site. Individuals also use Tor for socially sensitive communication: chat rooms and web forums for rape and abuse survivors, or people with illnesses.
Journalists use Tor to communicate more safely with whistleblowers and dissidents. Non-governmental organizations (NGOs) use Tor to allow their workers to connect to their home website while they're in a foreign country, without notifying everybody nearby that they're working with that organization.
Groups such as Indymedia recommend Tor for safeguarding their members' online privacy and security. Activist groups like the Electronic Frontier Foundation (EFF) recommend Tor as a mechanism for maintaining civil liberties online. Corporations use Tor as a safe way to conduct competitive analysis, and to protect sensitive procurement patterns from eavesdroppers. They also use it to replace traditional VPNs, which reveal the exact amount and timing of communication. Which locations have employees working late? Which locations have employees consulting job-hunting websites? Which research divisions are communicating with the company's patent lawyers?
A branch of the U.S. Navy uses Tor for open source intelligence gathering, and one of its teams used Tor while deployed in the Middle East recently. Law enforcement uses Tor for visiting or surveilling web sites without leaving government IP addresses in their web logs, and for security during sting operations.
The variety of people who use Tor is actually part of what makes it so secure. Tor hides you among the other users on the network, so the more populous and diverse the user base for Tor is, the more your anonymity will be protected.

Regards, - D.D.

 

James Wesley:
Thanks for the post on the FBI cookie caper.  It is distressing, but enlightening about the times we live in.

I'm writing about your change of heart on posting the foresee-alive.js script.  The FBI posts this code on their fbi.gov site. It is available here.

I thought that link might be helpful to some.  I guess maybe those people that are savvy enough to read the script and interpret the code are probably already savvy enough to find it on their own, but I thought just in case I would send this on to you.

Also, I agree with your decision that it's probably wise to not post the code directly, but I believe that since they did not post any copyright information it is therefore public domain like any other government publication.  Otherwise, they would have to indicate it as a protected work from an outside party.  But that's my non-professional opinion, and "you're the doctor" as they say.

Thanks for keeping the flame of freedom burning! - B.C.

 


Dear Mr Rawles;
I read your announcement about "The FBI's Cookie Caper and the VPN Imperative". Thanks very much for your candor. However, I believe some of your information is mistaken or missing. Here are the most important points I saw:

Disabling cookies will not remove others' ability to track you. At best, disabling cookies only makes it a little harder. There are plenty of other ways to track you, including data collection and silent install of malware on your computer to record your keystrokes. Here is an example.

Using a paid VPN does not ensure your security. Here is a good explanation as to why this is true.
A better solution is to use The Onion Router (Tor) and/or Tails and their associated applications. There is also Orbot, an Android app to allow Tor Anonymity browsing on an Android phone. I have and use these. Granted, they are not always the simplest in terms of user friendliness, but once set up they should rarely need changes due to their structure. The Tor Browser, however, is about as simple as it gets on the web.

Not all of the listed browsers are safe to use. Some are outdated (Netscape), and others are inherently flawed from a security standpoint (such as Internet Explorer). More importantly, only two that I know of offer Anonymous Browsing - Firefox and Chrome. Please add the Tor Browser to this list, which is by far the best method for anonymous browsing available to the average user.

SurvivalBlog.com [has a working encrypted https address, but] is not yet HTTPS Everywhere enabled. This means that even if the visitor is using the Tor network, traffic between a Tor server and SurvivalBlog.com is still unencrypted, and vulnerable to spying and/or attack. Please join the HTTPS Everywhere project.

Much of this may sound like an advertisement for the Tor Project, but the reason for that is that the Tor Project is the best method I have found to secure your privacy online, if used properly. (Never identify yourself on the Tor Network.)

Thanks for your consideration in these matters. Sincerely, - I Am John Galt   

 

Dear Mr. Rawles,
I just took your advice on setting up a VPN.  I have been using an anonymizing proxy for some time and living with the speed decrease, but it's just so easy to turn it off for something and then forget to turn it back on.  At any rate, I went looking for a VPN provider that is (A) domestic and (B) accepts bitcoin.  It's just one less way to be trackable since the payments won't show up on any bank or credit card statement.

At any rate, I found one: based in Chicago, I am now using CamoList VPN and have had a very nice conversation with the proprietor about bitcoin.  Service is $5 a month.  Bandwidth is up to 5 mbps, but that actually doesn't matter to me since I live in the boonies and have to make do with 1 mbps on my end.  Just thought I'd pass this along for anyone else who might be interested. - Buckaroo


Monday, March 19, 2012


It has come to my attention that from August of 2011 to November of 2011, the FBI secretly redirected the web traffic of more than 10% of SurvivalBlog's US visitors through CJIS, their sprawling data center situated on 900 acres, 10 miles from Clarksburg, West Virginia. There, the Feebees surreptitiously collected the IP addresses of my site visitors. In all, 4,906 of 35,494 selected connections ended up going to or through the FBI servers. (Note that this happened several months before we moved our primary server to Sweden.) Furthermore, we discovered that the FBI attached a long-lived cookie that allowed them to track the sites that readers subsequently visited. I suspect that the FBI has done the same to hundreds of other web sites. I find this situation totally abhorrent, and contrary to the letter of the 4th Amendment as well as the intent of our Founding Fathers.

I recognize that I am making this announcement at the risk of losing some readers. So be it. But I felt compelled to tell my readers immediately, because it was the honorable and forthright course of action.

Working on my behalf, some volunteer web forensics experts dissected some cached version histories. (Just about everything is available on the Internet, and the footprints and cookie crumb trails that you leave are essentially there for a lifetime.) The volunteers found that the bulk of the FBI redirects were selected because of a reader's association with "Intellectual Property" infringing sites like the now defunct Megaupload.  But once redirected, you were assigned a cookie.  However, some of these were direct connections to the SurvivalBlog site (around 4% of the total.) So if they had kept this practice up long enough and if you visited us enough times then the FBI's computers would have given you a cookie. This has been verified with sniffer software.

Bad Cop, No Donuts Cookies

For your privacy, I strongly recommend that you disable cookies when web browsing. Here are some detailed instructions on how to do so for the most popular web browsers:

But beyond that, more must be done to protect your privacy. You need to be proactive.

Install and Use VPN!

I am now imploring all SurvivalBlog readers to immediately install and use Virtual Private Network (VPN) on their computers. This will allow you to surf the Internet anonymously. Anyone that tries to track web site visitors e-mails will see your visit as originating from one of dozens of anonymous URLs in Europe, or elsewhere in the United States. (With most VPN services, you may pick the city of your choice.) With VPN active, your connection to the Web is "tunneled", emerging at a far-distant IP address, and it would be very difficult to track back to your home IP address. Setting up VPN takes just a few minutes to accomplish. Once installed, you can set VPN to turn on automatically by default when you start your PC, Mac, or Linux computer. Most VPN providers charge $5 to $20 per month. You can toggle off VPN with the click of your mouse. (You will find this necessary if you visit any of the few web sites that disallow overseas IP addresses, such as Netflix). But I recommend that you leave VPN turned on, as much as possible. Set it up to turn on each time that you start up your computer. It is crucial that you use VPN whenever you visit web sites, blogs, and forums that are deemed politically incorrect, or whenever you purchase storage food or firearms accessories on the Web. For those of you that are not tech savvy, ask a friend or relative under age 25 to set up VPN for you. It is not difficult.

Some recommended VPN service providers include:

  • StrongVPN ($55 to $240 per year. One of the most flexible in reassigning the far end of your tunnel on the fly. Superior speed.)
  • 12VPN ($79 per year.)
  • AceVPN ($55 per year. A bare bones service, but one of the least expensive.)
  • VPNHQ. ($84 per year.)
  • PureVPN. ($75 per year for their basic service.)

(Some reviews of the various services are available here. )

Note that some of the lower cost services might see your connection speed suffer. Your Internet connection will seem noticeably slower than using your original ISP, alone.

It is my hope that in the next two months SurvivalBlog's site visit map will shift substantially, giving the appearance that most of my readership has moved to Switzerland. Say "Ein Glück, dass wir den los sind" to the FBI's snooping! It would warm my heart to soon see SurvivalBlog ranked as one of the most popular web sites for readers with Swiss IP addresses.

Beyond VPN

Because government agencies have access to lots and lots of computing power, VPN is not completely impenetrable. It is vulnerable to penetration during the key exchange phase. With the resources available to a state actor, sniffing the entirety of the traffic into and out of a web site is trivial these days. (They can use massively scalable horizontally-scaled virtual sniffers -- i.e. using a visualization engine and a template they can keep adding more virtualized instances of a Windows or Linux based sniffer program and not even impact the performance of the connections.) I believe that the next loop of the threat spiral in the privacy wars will be Quantum Key Distribution (QKD). But I must clarify that this will become important only for the most high profile media commentators, bloggers, and activists. This is because all the spook legions with all of the mainframe computers in the world simply cannot backtrack everyone's VPN tunnels. (And, as VPN becomes more and more popular, this supposed goal will become even more elusive.) And if you are high profile, don't worry. Some very bright people are already working on QKD. Stay tuned.

Our Liberty is at Stake

I want to apologize for the cost, inconvenience and time required in implementing the foregoing security measures. But you can sleep a little better, knowing that you've added a layer of anonymity to your Internet presence. We need to recognize that the early 21st Century is a delicate time for individual liberty. Technology is leapfrogging while at the same time databases are filling at an alarming rate. These databases could provide dossiers on demand, for nefarious purposes. How you vote and how you "vote with your feet" (physically or virtually) are both of tremendous importance. Pray hard. Choose wisely. Act accordingly.

P.S.: For those who are web software savvy, I had originally planned to post the latest version of the actual "foresee-alive.js" Javascript code that the FBI used to attach the cookies. But then it was pointed out to me that ironically, revealing this might constitute copyright infringement, opening me up to an intellectual property lawsuit. That has an odd sort of irony that got me thinking. This predicament somehow dovetails with two bits of history. The first instance is from the First World War: I have read that the U.S. Government paid patent license fees to Mauser before and during the hostilities of the Great War with Imperial Germany. This was because the M1903 Springfield rifle was correctly adjudged a patent infringement on the Mauser Model 1898. During the war, the patent payments continued, conveniently handled by Swiss bankers, acting as middlemen. The U.S. taxpayers paid Mauser of Germany about $1 per rifle plus additional penalties that would have eventually totaled $250,000 USD, up until the U.S. entered the war. It has also been rumored that some payments continued to arrive even after the U.S. Congress declared war on the Kaiser's Germany. (We'll have to wait for the release of Jon Speed's next Mauser book to read the details.) This historical tidbit is just one notch below what happened two decades later when Germany's Nazi regime had the temerity to sell full fare train tickets to some Jews, to cover the costs of their forced relocation to the designated ghettos before their planned extermination. Oh, but the Nazi bureaucrats were so conciliatory. They only charged children half fare to be sent to their deaths. (If you doubt this, then read the book Fathoming the Holocaust by Ronald J. Berger.)


Sunday, March 18, 2012


Capt. Rawles,
I enjoy your blog very much; however, I have read several times that you need a physical mailing address to get an amateur (ham) radio license. I don't believe that is correct. If you look closely at FCC form 605, line 15, they ask for a "P.O. Box, and/or Street Address". The FCC needs an "address of record". One could rent a box at a UPS Store (which gives a street address); they just want to be able to reach you by mail. You can also register as an "Entity", i.e. a business, corporation, LLC, etc. I recently went through the process. I used an old business that has not been active in years, along with its EIN, instead of my social security number. It should not be very difficult to keep one's actual physical address out of the FCC database, without lying or doing anything illegal. - The Shiny New Tech


Thursday, March 1, 2012


If you are a frequent visitor to SurvivalBlog then I do not need to explain why the subject matter may be of importance. There are several previous posts that cover somewhat related information that I will reference and expand upon.

First, the disclaimers: I am not a data security expert. I could not blind you with science nor expertly baffle you with Bravo Sierra. However, I have been directly involved in the Internet related software business for almost 20 years. I have spent many hours a day for almost two decades using the internet and watching it evolve. During that time, especially since 9/11, I have also watched the watchers watching more of everything we do.

The second disclaimer is the software or services I mention below may not be legal in all countries. While currently legal in the US, the FBI recently sent a flyer to all Internet cafes and coffee shops warning that a number of quite normal and legal behaviors should be considered a "potential indicator of terrorist activity" and should be reported.

Hopefully the information contained herein will help you maintain the small amount of privacy you have left when it comes to the data on your computer and your online activities. The caveat being this – there is no such thing as perfect security or absolute privacy. Pretty much any code or encryption can be broken if someone has the resources and the motivation to do such.

There are certainly many more options available than I will cover here, but I wanted to keep this as simple as possible so anyone with more than rudimentary computer skills can implement whatever measures they deem necessary. I will cover the areas of securing data you keep (files, folders, etc), securing e-mails, IM and chats, protecting your identity while browsing and also making secure voice and video calls. However, the first thing I have to talk about is using some common sense.

Common Sense
Yes, an invasive government has the resources to electronically monitor any and all communications and to break almost any type of code or encryption. However, that does not mean they have the resources to manually analyze every single phone call, e-mail, chat, purchase or web browsing habits of every single person on Earth. Just because you may visit sites deemed threatening to TPTB or you have purchased a survival knife online doesn't mean you are a high priority target on some watch list.

So here is the common sense part: don't make yourself a high priority target. Try to exercise a degree of discretion and intelligence if you find it necessary to make posts online or send e-mails. I have to shake my head in disbelief when I see people making inflammatory posts online. Such posts are filled with threats, anti-government or violence inciting rhetoric. Such "keywords" will get someone's attention. The bottom line is this: unless you are one of the very brave souls that have chosen to take a public stand, to offer constructive ways to adapt to and survive the rapidly changing world we live in, it's best to draw as little attention to yourself as possible. Try to keep your emotions at bay when posting online, because once you put it out there, it is there forever.

Data Security
We all have data we need to keep and a lot of it should be secured in some manner – such as scanned copies of your important papers (birth certificates, passports, driver's license and such), supply lists, maps, routes – you get the picture. Any unsecured data on an Internet connected (or confiscated) computer is a security risk. Trojans, Viruses, Key-Loggers, Malware, Drive-by Downloads all pose the risk of exposing your data. I won't discuss the need to keep your anti-virus and/or anti-malware software up-to-date because if you aren't doing that – the rest of this information won't do you much good. Below I will cover several aspects of data security from the simplest to the more complex.

The first rule is not to keep your sensitive data on your computer's hard drive in the first place. Flash drives (USB thumb drives) are inexpensive and can hold a tremendous amount of data. Keep your sensitive data on a flash drive, or better yet, a Micro SDHC card. For around $15 you can get a 16GB Micro SDHC card with SD adapter. You will probably need the adapter because the actual data card is smaller than your pinkie fingernail and about as thick – it can be hidden anywhere. If your computer doesn't have a flash card reader, then you can get an external card reader for less than $15.

File Encryption Using a Password
Again, I won't cover all possible options in this post, just the quick, easy and less complex solutions I have found and since Windows is the most prevalent operating system, I will limit software references to that unless noted – you can probably find similar solutions for Macs or Linux machines. For quick encryption of one or more files, dsCrypt is a free AES/Rijndael file encryption software with simple, multi-file, drag-and-drop operations. All you do is download/save the 25kB .exe file and double-click to launch – it doesn't have to be installed – the file you download is the program itself – which means it can also be used from portable media.

If you have a lot of files you need to secure, you may want to look at TrueCrypt, a free open-source disk encryption software for Windows, Mac and Linux. TrueCrypt creates a virtual encrypted disk within a single file which can be mounted as a real disk. This file can be created anywhere on your hard drive or portable media. Anything saved to this "disk" is automatically encrypted. This solution requires a multi-step installation – but is well worth it. I suggest you keep the disk space allocated to something reasonable because it cannot be undone without formatting the drive.

To exchange encrypted files with others, there are some free solutions available that offer high levels of encryption. The only caveat is the recipients also need the same software installed and the password used to unencrypt the files – not a huge price to pay for a bit of security.
Encrypt Files is very easy to use for files or entire folders
dsCrypt - (great for portable media)
MEO Encryption is a great free program for files and e-mail. Actually, after playing with MEO for a bit, it is quickly moving to the top of my list.

Finally is the area of obsolete or replaced drives. Formatting a drive does NOT delete the data – it can be fully recovered with simple software. Most drives I replace will not be reused because they are old technology. I used to take a sledge hammer to them, but now use a drill press and put a ½" hole all the way through the case and platters. However, if that's not your style – you might want to look at Boot and Nuke. You have to create a CD or DVD from the downloaded .iso file, but then you simply re-boot using that disc and the hard drive will be wiped clean to DoD/NSA disc over-writing standards.

Also, simply deleting a file/folder – even after emptying your recycle bin – does not protect that data. It can be recovered unless you use a file shredder program. A good free one can be downloaded from Fileshredder.org/

Secure E-mail
Every e-mail you send will go through numerous servers before it is delivered (usually 10-15 different servers). Your message can be read, scanned or copied at any step in that route. Referring back to the section on using common sense – be mindful of what words or phrases you use because you might garner someone's attention other than your intended recipient.

One partial solution is to use a web-based "secure" e-mail service. Such services encrypt your messages before sending but the thing to keep in mind is any time you rely on a third-party service or server, your messages aren't really secure. However, some security is better than no security so here are some of the free secure email services you might want to check out:
Hushmail.com
S-mail.com
PrivacyHarbor.com
BurnNote.com

For much better security, your best bet is to encrypt messages before you send them. This can easily be done using MEO Encryption (mentioned previously for encrypting files) which can be used with your existing e-mail server.

To quickly encrypt a simple text file to send, LockNote is a good way to go.

For those worried that simply sending encrypted files or messages will draw unwanted attention, how about encoding short messages into a standard image file? This can be done with 4t HIT Mail Privacy Lite.

Secure Instant Messaging and Chats
While both Yahoo and Google offer an off-the-record or encryption option in their IM clients, I must again remind you that such service providers have full access to the original content as they handle the encryption.

Your best bet for secure IM communication is to use Pidgin for Windows or Adium for the Mac OSX. Both programs have an Off-the-Record function that uses 256-bit AES encryption that is performed before the message is sent through the 3rd party provider. Both work with all major IM servers and offer a slew of other great features:
Pidgin for Windows
Adium for Mac OSX
Jitsi for Windows, Mac and Linux

Private Web Browsing
You leave footprints everywhere you visit via any of the standard browsers. Yes, you can disable cookies and your browsing history and all that, but I'm talking about the footprints you leave on every server that transmits your requests for any web site. The footprint includes your IP address, operating system, browser and version, screen resolution and more. There is a previous SurvivalBlog post that provides more details about this.

In the post above, using the Tor proxy system was recommended. Until recently, this was not so easy to do. It involved installing a couple of programs and browser plug-ins. Further, most people would use Tor with their favorite browser not realizing that a lot of multimedia features on web sites will negate any benefits Tor is providing. For instance, Flash movies, scripting language and file downloads can reveal your actual "footprint."

However, this process has been made a lot easier by the Tor community. You can now install a Tor/FireFox combination in a single program. It is an older, stripped down version of FireFox that has all possible vulnerabilities disabled. A single icon first launches and connects you to the Tor network and then automatically launches the safe FireFox browser.

Using A Virtual Private Network (VPN)
While all other services and software I mention are free, there is a low-cost option to consider to keep all your online activity private. If you are like me, I tend to bounce around the Internet from buying wool socks online to sites where I should be using Tor - but I simply forget to launch it first.

While Virtual Private Network (VPN) services have been around a long time, it has recently become easy enough to implement that anyone can do it. Briefly, when you use a VPN, you create an encrypted tunnel between your computer and the VPN servers. All your network traffic is then routed through that server and sent back to you. The gist of it is, you download/install a simple software program, set it to start when you boot up (if you want), and all your internet activities are through the IP address of the VPN service - and the good ones don't keep logs of your activities. The one I use hides me behind 24,500 different IP addresses on servers in 40 different countries. And best of all, I don't have to remember to do anything - it's automatic and full-time.

There are a lot of VPN services out there, and prices range from $7 - $20 a month (you get much better deal on annual payments). Personally, I use http://HideMyAss.Com - but each service is a bit different in regards to usage limitations, so here is a site that reviews the top 10: http://myvpnreviews.com/

The service I use allows me to install the software on as many computers as I want, in addition to my smartphone. However, only two devices can use the service at the same time.

Two final notes on VPNs. First, you should always use some type of VPN when connected to public Wi-Fi. They are terribly unsecure. You might as well run around naked in broad daylight. Yes, you are that exposed.

Finally, a VPN is great for hiding your browsing activity - but it does not take the place of file or email encryption. While the tunnel between your computer and the VPN is encrypted, unencrypted files or emails still go through public/open servers to reach your recipient.

Secure Voice and Video Chat
We all know how easy it is to eavesdrop on cell phone or even land line telephone calls, and to repeat again, using a third-party voice or video service is not secure. But what if there was a way to tap directly into the SIP (Session Initiation Protocol) network used for VoIP (Voice Over IP) and have your conversations and video chat encrypted before they even hit the network?

As with using encrypted IM or files, all parties involved must have the same setup – but since we are talking free stuff here, that is a non-issue. I will skip the technicalities and just get you going. To do the above is a two-step process (both easy). First, you need to register to get a free SIP address.

Second, download and install Jitsi for Windows, Mac and Linux (mentioned previously for secure IM). Jitsi facilitates secure video calls, conferencing, chat, desktop sharing, file transfer, support for your favorite OS, and IM network. Jitsi uses ZRTP to encrypt all communications. To use Jitsi with a SIP address, you will have to go into Options – Accounts and create a new account for the SIP network. To save you some possible confusion, the Jitsi SIP setup asks for "SIP id" – this is the "SIP address" contained in the email you receive when you sign up at GetonSIP.com. The rest should be self-explanatory.

Finally, I would like to add a bit to a couple of previous posts. This SurvivalBlog post explains how to set up the Hosts file for going directly to a web site's IP address in case the DNS system is unavailable.

The question unanswered in that article was: "How do I find the IP address of my favorite sites so I can add them to the Hosts file?" The fastest way is to go to http://centralops.net/co/ , click on the Ping menu. On the new page, enter in the domain name and click go. The page will refresh showing the IP address.

Multiple MAC Addresses
This SurvivalBlog post recommended buying a dedicated laptop to use at public Wi-Fi locations. The post mentions the network card in each computer has a unique MAC address. That MAC address can be captured by servers you visit – but most definitely is logged by the Wi-Fi router every time you connect to one.

If you cannot afford a dedicated laptop for this purpose, the next best bet (and less expensive) would be to buy several USB Wireless adapters (all the same make/model). You can pick these up for around $10 each online. Because all the adapters are the same make/model, they will all work seamlessly with the drivers provided. However, each adapter will have a unique MAC address (and not the one of the onboard Wi-Fi card in your laptop). They are small enough to easily put in a zip-lock baggie and cache near two or more of your favorite public Wi-Fi spots – so you don't have to keep them in your possession.

So you would just grab the wireless adapter, disable the onboard Wi-Fi card, pop in the adapter and it will be the adapter's MAC address logged. When you are done, wipe the adapter and baggie down, and return it to its hiding place. If for some reason your laptop is confiscated, you would have excellent plausible deniability because the onboard MAC address would not be one that was logged.

And, again, when using public connections, a VPN tunnel is highly recommended.


Monday, February 13, 2012


Dear SurvivalBloggers:
There are a number of ways to encrypt or read encrypted email. This one is about the easiest to get installed and running on your Macintosh computer that I've run across. It uses the native Apple Mail program, and adds an OpenPGP Encryption and Signature option.

All you have to do is install the program from the dmg file, and enter a password.  There's a GUI key interface for importing existing keys into it.

Of course not all emails need encryption, but that OPSEC sensitive email you need to send to loved ones or group members is a perfect example of when to use it.  Once installed, you choose what gets encrypted. 

Application: GPGTools (Developed by the GnuPG group.)
Download: https://github.com/downloads/GPGTools/GPGTools/GPGTools-20111224.dmg
Main Web site: http://www.gpgtools.org

Included in the install program are the following (from their web site):
 Compatible with OS X Lion.
 All applications are 64-bit compatible.
 Integrated GPGMail (OS X 10.5 to 10.7, Universal).
 Integrated GPG Keychain Access (OS X 10.5 to 10.7, Universal).
 Integrated GPGServices (OS X 10.6 to 10.7).
 Integrated GPGToolsPreferences (OS X 10.6 to 10.7).
 Integrated MacGPG 2 (OS X 10.5 to 10.7, Intel).
 Integrated MacGPG 1 (OS X 10.5 to 10.7, Universal).
 Integrated Enigmail (Thunderbird 3 to 8).

There's even a screen-cast of the install, encrypting email, and using the Apple 'Services' feature for text edit encryption,  if you want to watch it before installing: http://www.gpgtools.org/screencast.html though I'll warn you: it goes by so fast you should be ready to hit the pause and rewind buttons when you start it.

Steps [with Apple Mail closed]:

1. Download the GPG dmg file.
2. Have a password in mind
3. Open the dmg by double clicking the file in your web browser's Downloads window
4. Double Click the GPGtools.mpkg file and select an install location
5. When asked enter your email address, and name.
6. When asked, enter a password, then re-enter it when asked.

When completed, you can close the GPG Keychain Access application and start your Apple Mail.
When you select a 'new' email, you will see an OpenPGP section under the "from" drop-down list. Also you can get to the encryption/decryption options under "Messages -> OpenPGP" in your menu bar. This will allow you to sign and encrypt  and decrypt your email.

In addition, this bundle of GPGTools works with Apple's Services, allowing for encryption of 'Services' aware applications.
If you open your System Preferences -> Keyboard you can click on Keyboard Shortcuts -> services and click the OpenPGP items under "Files and Folders" along with "Text" allowing you to encrypt any text file you open with textedit.
When you open textedit the next time you will see "Textedit->Services->Open PGP"  in the menu bar.

The toolkit also comes with a command line interface for encrypting just about any type of file you want, but that's a little out of scope here.
For more information on the CLI, using public key servers, and general GPG information, check out this set of How-Tos.

Hope this helps, - Robert X.


Wednesday, February 8, 2012


JWR,
In reference to the recent change in Internet Protocol (IP) address for SurvivalBlog, I thought I'd describe a method to help people set up their computers to use it without DNS names.

How to add important internet addresses to your computer.
I'm using the new SurvivalBlog.com IPv4 address change as an example; I also recommend adding your mail server and other important host names too.

Audience:  I'll try and keep the techno-babble to a minimum, so that the largest audience possible can use this.  Any Domain Name Server (DNS) experts or System Administrators out there will probably pull their hair out over the following technical generalizations, but giving instructions on setting up a DNS cache server,  secondary out of country DNS servers,  or your own DNS/NIS/YP server, would greatly restrict the number of people that can use this.

A little background:  

Computers really don't use names like SurvivalBlog.com, they use something called an IPv4 address (this was simply called an IP address before IPv6 came around). You don't see this function take place because a component called DNS has looked up the host name, e.g. 'survivalblog.com', and converted it to an IP address for you. Think of it as the world's biggest telephone book. When you want to call a number you found in a telephone book, you type the number, not the name of the company or person. Your brain does this conversion; it sees the name, and looks at the number. Computers use DNS to do this conversion for you. By adding host names and their IP addresses directly to a text file on your computer, you can bypass the need for a DNS for those specific lookups. So, if DNS goes down, your computer will still be able to look it up for you.

Why is having a local copy of the hostname to IP lookup important?  
This is where things get a little fuzzy. Instead of a technical outline,  I'll list what some possible issues would be, and whether or not this method would help.

• Congress or the FCC passes a law or institutes a rules change requiring some web sites be removed from US-owned DNS servers, and your favorite ones are on the list: YES 
• Your local ISP has blocked your favorite web site: NO (in most cases) - these blocks are usually by means of IP address or by entire DNS domains.
• An 'anonymous' hacker has corrupted or manipulated the DNS servers that you use, directing your connections to their favorite web site: YES (some variations exist, but in almost all cases your local lookup is prioritized over DNS)
• A powerful geomagnetic storm hits, your protected computer is fine: NO (in most cases all infrastructure would be impacted, although the file would still work, the connection to the other servers would not)
• Hyperinflation hits, no one at your ISP shows up for work, systems start going offline, starting with your DNS server: YES, for a little while.

Setting it up:

Most personal computers, regardless of whether they use Windows, Apple or UNIX operating systems, use essentially the same method for storing hostname to IP mappings on the computer. It's called a 'hosts' file on Apple and UNIX, and Windows XP. This is a text file into which you enter the IP address and the hostname. The file has to be in a text (ASCII) format, so you should use "Notepad" or "edit" on Windows, or "vi" or "Textedit" on UNIX/Apple.

Note that it is important to only add your new entries (or modify existing ones). Do not edit any line with: localhost, loghost, broadcasthost, or your computer's hostname! And it is critical to keep it in a 'text' format. You should not use something like MS Word. (Exceptions? Yes, but making sure that you used MS Word correctly to save in ASCII format is beyond the scope of this simple how-to document.)

Opening the hosts file (varies, by platform):

Apple OS:

Applications->Utilities->Terminal

In the terminal window type:

sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/hosts

[enter your login password]

[add the file changes described below]

Save the file. Type: Command - S

Finally, either restart your computer or go back to the Terminal window and enter:

dscacheutil -flushcache [this clears your DNS cache]

 

UNIX/Linux OS:

su -

[enter your root password]

nano /etc/hosts

[add the file changes described below]

Control - O (overwrites the old file)

Control - X (exits the nano text editor)

Windows XP OS: 

Start->Run-> 
Enter 'notepad'

In notepad open c:\windows\system32\drivers\etc\hosts

[add the file changes described below]

Control - S

[Note: The hosts file has no extensions. It will automatically add a ".txt" file name extension to the end of the file, so you will need to click on 'No extensions'.]

Updating the file (all platforms):

[The following file change example is for an Apple computer--note that some operating systems won't have localhost/broadcasthost/loghost items]

[NOTE: It is critical not to change loghost, broadcast, localhost or your hostname]

127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost

[NOTE: Scroll down to the bottom of your localhost list and ADD any new entries. Again, it is critical not to change loghost, broadcast, localhost or your hostname.]

# Add SurvivalBlog
95.143.193.148 survivalblog.com survivalblog.se survivalblog www.survivalblog.com www.survivalblog.se

Then Save the file, and you are done!

Now, if DNS goes down, or if it is hacked, or your favorite server is removed from it, then you can still do a lookup via the hostname.

I hope this helps. - Bob X.

JWR Adds: Before attempting this procedure for the first time, I would recommend first creating a backup of the hosts file, just in case it is deleted or corrupted due to fumble fingers.
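The hosts-file procedure above, including the backup JWR recommends, can be scripted so the rules are enforced rather than remembered. This is an added example, not code from the letter: the function names `add_hosts_entry` and `hosts_lookup` are hypothetical, and it goes slightly beyond the post by refusing to add a name that is already mapped to a different address.

```shell
#!/bin/sh
# Added example (not from the post). add_hosts_entry and hosts_lookup are
# hypothetical helper names. Try them on a scratch copy before /etc/hosts.

# Names the post says must never be edited (the machine's own name is added below).
PROTECTED_NAMES="localhost loghost broadcasthost"

# hosts_lookup FILE NAME -> prints every address NAME is mapped to in FILE.
hosts_lookup() {
    awk -v n="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(n)) print $1 }
    ' "$1"
}

# add_hosts_entry FILE IPV4 NAME [NAME...]
# Returns 0 when the mapping is present afterwards, 1 on bad input,
# 2 when a name is protected or already mapped to another address.
add_hosts_entry() {
    ahe_file=$1; ahe_ip=$2
    [ $# -ge 3 ] && [ -f "$ahe_file" ] || return 1
    shift 2

    # Dotted-quad check, then each octet must be 0-255.
    echo "$ahe_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ahe_ifs=$IFS; IFS=.
    for ahe_octet in $ahe_ip; do
        [ "$ahe_octet" -le 255 ] || { IFS=$ahe_ifs; return 1; }
    done
    IFS=$ahe_ifs

    ahe_own=$(uname -n 2>/dev/null | tr 'A-Z' 'a-z')
    ahe_missing=""
    for ahe_name in "$@"; do
        ahe_name=$(printf '%s' "$ahe_name" | tr 'A-Z' 'a-z')
        case $ahe_name in                        # reject malformed hostnames
            ''|*[!a-z0-9.-]*|.*|-*|*.|*-) return 1 ;;
        esac
        for ahe_p in $PROTECTED_NAMES $ahe_own; do
            [ "$ahe_name" = "$ahe_p" ] && return 2
        done
        ahe_mapped=$(hosts_lookup "$ahe_file" "$ahe_name")
        if [ -z "$ahe_mapped" ]; then
            ahe_missing="$ahe_missing $ahe_name"
        elif [ "$ahe_mapped" != "$ahe_ip" ]; then
            return 2                             # mapped elsewhere, or more than once
        fi
    done
    [ -n "$ahe_missing" ] || return 0            # nothing to add

    # Keep the first, pristine backup; never overwrite it on later runs.
    [ -e "$ahe_file.bak" ] || cp -p "$ahe_file" "$ahe_file.bak" || return 1
    # Append at the bottom, making sure the previous line is terminated.
    [ -z "$(tail -c 1 "$ahe_file")" ] || printf '\n' >> "$ahe_file"
    printf '%s%s\n' "$ahe_ip" "$ahe_missing" >> "$ahe_file"
}

# Demo on a constructed scratch file, never on the live hosts file.
demo=$(mktemp)
printf '127.0.0.1 localhost\n255.255.255.255 broadcasthost\n' > "$demo"
add_hosts_entry "$demo" 95.143.193.148 survivalblog.com www.survivalblog.com
echo "exit=$? lookup=$(hosts_lookup "$demo" survivalblog.com)"
rm -f "$demo" "$demo.bak"
```

A static entry keeps pointing at the old address after a site moves, so recheck pinned addresses periodically.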


Wednesday, January 11, 2012


Mr. Rawles:
Have you all heard about this?  Yesterday I received a 2012 National Agricultural Classification Survey [from the USDA's National Agricultural Statistics Service] in the mail.  They ask 25 nosey questions about how many of each animal we have on our farm i.e. cows, chickens, beehives, turkeys, sheep, goats, horses etc., how much we spend in our "operation" every year, and how much we plan to make this year.  They also ask if we have internet access, how many "operators" are involved in the decision making of our "operation" how many acres we have, how many are pasture land or wooded, do we have greenhouse plants, grain storage and how many animals do we sell each year....and on and on. 
 
We are told on the first page of the survey that it is required by law to fill out this form, or we will get a phone call or someone will show up at our door (to count our animals themselves?)  This is ridiculous, and I believe it goes against our Constitutional rights.  
 
My family does not want to send our survey in, as we are not at all interested in allowing the government have this information which they have no right to know.  We only own 10 acres with a few sheep and goats, yet they classify us as a farmstead "operation" and instruct us to fill out the form if we so much as own one animal.  Without a doubt, the USDA is not going to use this information for our good. Either they are going to start taxing for each animal we own to keep us from being able to afford a self-sufficient lifestyle, or they are going to keep track of what we have so that they can take it from us and somehow make us dependent on them.  They have no right to know how prepared we are to support ourselves.   

I think we ought to get this information to anyone who has animals and receives one of these forms. If enough of us refuse to fill out this form it will be a very good thing. 

Thank you so much for what you are doing with Survival Blog. I am a daily reader. - Lydia B. (Age 16)

JWR Replies: The survey's cover letter is cleverly worded, to conceal the fact that sending in the form is actually voluntary. Just say no to drugs. And just say no to nosey surveys. They are only useful as kindling and bird cage lining.


Thursday, December 29, 2011


Dear Mr. Rawles,
I was reading back in the archives on the DVD I purchased and found a lot of discussion regarding communications security.  I played with a form of Digital Voice, image and file transfer for HF which could link a number of retreats together with voice, pictures and digital files with a method which in my thinking would be very, very secure.  Have you ever looked at AOR USA's digital voice, image, and data modems using analog HF, VHF, or UHF SSB?

A friend of mine here in my state purchased one and we ran a lot of tests under some of the worst summer conditions you could imagine and most of the time had very dependable, quiet static-free FM like communications on voice and I even transferred some photos from my daughter's camera which he was able to read even the name of the company on a drink cup at a birthday party.  My reason for this is that 99% of other hams and even FCC can't use this mode yet.  It only requires a special modem connected to your microphone input on your transceiver of choice, cut down the power to about half power, hook the microphone to the other end of the modem apply 10-16 volts (6 volts with jumper setting internally on the modem) and voila!, you are in business if the station you desire to communicate with on the other end has the same modem hooked to their radio.  The modem is automatic and normal operation is passed through on analog but when a digital signal is detected it switches to receiving in the digital mode. - Jack M.


Thursday, December 15, 2011


James Wesley:
We have opened up Kamiah Copy & Shipping Center in Kamiah, Idaho. (I consider Kamiah the unofficial capital of the American Redoubt).  Part of our services are private mailbox rental.  As a long time SurvivalBlog reader and contributor (you've seen my posts under the bylines B.H. in Spokane, Western Washington and North Central Idaho) I am quite familiar with the need for OPSEC and the desire for some individuals to begin to establish ties to the American Redoubt.
 
We are offering 5” x 12” mail box rentals for $10 per month.  A 12-month pre-paid rental gets you three free months.  We also provide mail forwarding services through USPS,  FedEx, or UPS.  Mail forwarding is $5.00 per occurrence plus shipping or postage.
 
From now till the end of 2011, for every 12 month rental we will make a donation to the Memsahib Memorial Fund of $10. 

Anyone interested can send e-mail to the address below.

Kamiah Copy & Shipping Center
505 4th Street
Kamiah, Idaho 83536
phone: 208-935-7500
FAX: 866-453-6781
E-mail: kamiahcopy@gmail.com

Thank you, - Brendon Hill


Saturday, July 9, 2011


Information is what makes the World go around, or at least it seems that way at times. Any Government  organization, blog or web site worth a grain of salt will suggest that you keep copies of important documents such as Birth Certificates, Drivers License,  Bank Account Information, List of Medications etc. in your emergency kit. It  is also suggested for people that are going on trips that they have this information available as they travel just in case wallets or purses are lost or stolen. If your wallet or purse is lost or stolen it is going to be to your advantage to have the information available to lock out your credit card and checking accounts quickly.

My wife and I are going on a cruise later this year and I have been looking for a way to have that information available, close at hand but not visible, and yet as secure as I can make it. After all, with identity theft what it is today, you sure don't want to take a chance of all that information falling into the wrong hands.

The first thing I wanted to do was find a way of keeping a USB drive, flash-drive, thumb drive, or whatever you choose to call it on my person but be discreet about it. I went on eBay and did a search on "flash drives" and wow! There are a multitude of drives that don't look like drives at all. There are USB drives that look like soda can key chains, transformer toys, brooches, jewelry, Legos, etc... and they are cheap. You can also get the Gold Standard of secure USB drives made by Ironkey, if you can afford that. For my purposes I wanted something that looks like it can be worn with casual clothing and not be too dressy or flashy. After all I am seeking to be discreet and I don't want something that screams “Look at Me!” I sure don't want anything that stands out enough to make me a good candidate for a mugging while on vacation.

There are many programs available both free and for purchase that will encrypt your data, your USB, or both.

There are USBs that come with Password protection built in, such as the 1GB Cruzer Micro U3 Smart USB 2.0 Flash Drive, but with these you will lose the “hidden in plain sight” factor but you may gain in the ease of use category. You can find many Secure USBs by many different companies by doing a web search for “Secure USB”.

I would also suggest you do a web search on “securing USBs” and see what the real experts have to say on the topic. Several of the articles I read by security experts said they actually prefer buying the cheap USBs and then using their favorite encryption programs.

I chose two different styles of shall we say "camouflaged" USBs for my wife and me. For myself I chose what looks like a man's bracelet with a leather band and a nice looking metallic top on it. The top has enough room to have “Dad” or maybe a name on the top to more personalize it. I suppose if you need a hint for the password for the encrypted files (more on this later) you could have a cryptic hint only you would understand engraved on the backside. For my wife I also got her a matching bracelet but she thinks that it is too big for her wrist. That's okay, I have a backup plan: I also bought a drive that looks like a gift card/credit card. I stayed away from the cards that actually looked too much like a credit card and went with a card that has a snowy country scene on it but no name or numbers. This card can be stored in my wife's purse or it has a slot cut in the top and it would fit nicely on one of those shoe string lanyards that you see badges attached to.

The Men's bracelet pulls apart at the top, the clasp seems to be strong and secure so I am not worried about it just coming apart and falling off under normal conditions.  The Credit/Gift Card USB has an almost invisible tab on the edge in the center of the card. To open the tab you push on the back side of the card to create a slight bend in the card and the working end of the USB folds out from the card.

To make my USBs secure I have done several things. First I put a few files on them that you might expect to see on a USB. There is a Music folder, a Picture folder, and various otherwise useless .pdf files, but I also have included a small portable program that will open the .pdf files should I need to access any of my personal information and for some reason the host computer does not have Adobe Reader.

The second thing I have done is to hide the encryption program, in this case “True Crypt”, inside a music folder with several albums. To me the title “True Crypt” sounds like the name of a modern day band and therefore might escape initial scrutiny if found.

The third thing I did was encrypt each .pdf file with a different password from the one used by True Crypt to access these files. So that I can remember the passwords for each folder encrypted, the password contains the folder name plus a random password I have memorized. You not only have to open the encrypted portion of the USB (also known as a container) with a password but, to see the files, you must have the password for each folder that has encrypted files within it.

Fourth, I use a keyfile in addition to the password that enables access with True Crypt. You can have the correct password but if the keyfile you choose does not link to the correct file on your USB drive there is no access granted. I chose a keyfile from a folder with pictures in it. More than one keyfile can be chosen to help secure your files. The keyfiles can be .jpg, .mp3, or many other types of files. The first 1,024 bits of information in the keyfile must remain the same to be a usable keyfile so don't choose a file that will be altered in any way if you should choose to add this extra layer of protection.

All of the programs that I have loaded on the USBs have been downloaded from www.cnet.com. All of the programs that I have chosen to use are free. I download from CNET because they guarantee malware and virus free downloads. I know there are some programs out there that you could pay for and they might be a little easier for the more computer challenged among us, but for a free program True Crypt gets high marks from both the customers and the CNET editors. None of the programs other than the encryption program are hidden on the USB. All of the other programs on the USB that facilitate either opening or viewing my files are out in the open in the first layer of info that you can see when exploring the USB.

I have a program called Open Office Portable. This is an open source program that will read and save spreadsheets, word documents, etc. whether in the Open Office format or the Windows Office format. It is capable of going back and forth between the two. The “Portable” means it is a scaled back version and made to run from the USB. When you have lost your I.D. or boarding papers you can't afford to have documents that will get you home or help at an embassy sitting on your USB unable to be opened because they don't have a program on the Host computer that would allow viewing.

This is the list of programs I keep on my USB in unprotected mode:

Open Office Portable- This program is a free alternative to Microsoft Office and it will read and save documents in either format.

SumatraPDF 1.6- This is a .pdf file reader that is small and does an excellent job of reading .pdf files without all the useless extra bells and whistles larger programs will have.

True Crypt- With True Crypt there is an option in the tools menu to set up a “Travelers Disc”. This option allows you to set aside a portion of the USB for encrypted data storage or encrypt the entire drive. With True Crypt I can tailor the passwords for access to the folders on my wife's USB to passwords she will be able to remember and not have to depend on her remembering my particular process for choosing passwords. The section of the USB set aside for encrypted data is referred to as a container. True Crypt allows you to virtually hide a second layer of encrypted information by creating a container within a container. I haven't done this but I have read about it. I am not carrying National Security secrets so I don't see any practical application for me with this option at this point.

I hope this article has been a way to get you thinking about how you can keep your important personal information with you, hidden in plain sight and secure at the same time. There are many options available, and you can spend a few dollars or you can spend hundreds of dollars making your information secure. Unless you are a government agency, a spy, or are carrying around banking or corporate information, you probably won't have to worry about your information if it is encrypted and you lose the USB. After all, how many people walking around out there have the knowledge, the tools, or desire to try and crack into your password protected or encrypted files? Chances are if a USB is found it will be reformatted by anyone who finds it when they come up against the security measures you have put in place to protect your USB. - C.C. in East Texas


Wednesday, June 22, 2011


The Onion Routing (TOR or Tor) project is one of the best ways to stay anonymous on the web. The project was initially funded by the Navy, but over a few years evolved into a non-profit organization. The goal of the TOR project is twofold: to allow for the anonymous browsing of the internet, and to allow people to connect to the .onion network.

A basic illustration of how it works is this. Let's say every internet site you visit is a store front in a basic town. You go in and out of stores in the daylight. People around you, who know how to look, can follow you around. They can see what you are viewing and track your movements. Navigating through Tor is like browsing the web in a dark warehouse. People can see you entering and leaving the warehouse, but what you do in there is untraceable. It is used in many nations where there is no such thing as being anonymous online, such as mainland China.

When I say untraceable I am not really telling the truth. The NSA, Chinese Government, and such have the technology. However, 99.99 percent of people should not have to worry about being tracked by them. If you are, then you have much bigger problems to worry about.

The reason that you can’t be traced is that Tor encrypts every action you make on the web. It is then sent to different routers, which each peel off a layer of the encryption (thus the onion reference). The end result is that no router knows the starting and ending path of the information, or what the information actually is. This is why the Tor system is so powerful.

So that is the first function of the Tor project. What is the other, you ask? Well, my prepping friends, let us take a journey into the under web.

I once saw a statistic that is actually pretty amazing: Only roughly three percent of the Internet is viewable by Google. Remember all those hundreds of millions of search results you get when you search for something? That’s three percent. The rest is known as the deep web or the under web. A large majority of it is boring. For example, anything that requires a password to view or edit is part of the under web. Therefore, your Facebook profile is part of the deep web. A lot of it is also corporate files and such. Much of it is really underwhelming.

There are, however, certain web sites that can only be viewable when using Tor. These are called .onion sites. These are mostly unmoderated and super anonymous pages.

Have you ever heard of those hidden online places where hackers exchange stolen personal identity data? Child porn? Hire assassins? Buy drugs? Communicate sensitive data (governments, Wikileaks, Anonymous (the Hacktivists), Lulzsec, et cetera)? Most of these happen on the .onion networks. That’s why the authorities can’t deal with it. Tracking down one person on the .onion network is like trying to search for Osama, much less tracking down the millions upon millions that use it. Many terrorist cells use these networks to communicate. If you want something totally illegal or want to do something totally unethical then you can find it in onionland.

So I am sure you are asking yourself, “How on Earth can this be of any use to me?” Many people use the .onion network to connect to each other. They have ultra secure email, instant messaging, and site hosting. You can create a site on the .onion, and the only people who will ever know it exists are the people you give the address to. One day the .onion, with all its flaws, may be the only way people can safely spread information. This is why China and the citizens having revolutions in MENA use the onionland. There are also many sites that have things you may find in The Anarchist's Cookbook, and other information that might be of value to preppers. [JWR Adds: Be forewarned that despite multiple editing iterations, The Anarchist's Cookbook still includes faulty directions for making nitroglycerine that are extremely dangerous, even if followed word-for-word.]

There is no greater threat to tyranny than the uncontrollable spread of information.

Now, has this intrigued you enough to start using Tor? Good! You can download all you need at the Tor project web site. How do you get access into the onion network? A good place to start is core.onion. From there you can access the hidden wiki, tor directory, and talk.masked. I am not going to tell you how to get there though, because if you can’t find it you probably shouldn’t be there.

Tips for Browsing in Onionland:
Because of the threats of viruses and other nasty things, I would suggest updating your firewall and virus scanner.
To further negate the risk of infection I would suggest downloading a Linux distribution of your choice (my favorite is Ubuntu, and you can dual-boot by downloading Wubi)
Always assume you are less secure than you really are. When in doubt, don’t click on the link.

There is a whole other world down there. It is the wild west of the internet. Even if you never go there, you should know how. One day it may be the only way of getting information in and out of this country. Regards, - N.J.
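
The layer-peeling idea described in this letter can be shown in a few lines. This is an added example, not code from the letter or from the Tor project: the relay names, the message, and the SHA-256 keystream cipher are stand-ins chosen so it runs with the standard library only, whereas real Tor negotiates a separate key with each relay and uses authenticated, fixed-size cells.

```python
import hashlib
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only): XOR with SHA-256(key|nonce|counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Encrypt one layer: the next hop's name plus the still-wrapped inner cell."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "data": inner.hex()}).encode()
    return nonce + keystream_xor(key, nonce, body)


def peel_layer(key: bytes, cell: bytes):
    """What a single relay does: remove its own layer, learn only the next hop."""
    nonce, body = cell[:16], cell[16:]
    layer = json.loads(keystream_xor(key, nonce, body))
    return layer["next"], bytes.fromhex(layer["data"])


def build_onion(path, destination: str, message: bytes) -> bytes:
    """path is [(relay_name, key), ...] from entry to exit; wrap innermost first."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    cell = message
    for (_, key), next_hop in reversed(list(zip(path, next_hops))):
        cell = wrap_layer(key, next_hop, cell)
    return cell


def route(path, cell: bytes):
    """Simulate the relays and record what each one was able to observe."""
    keys = dict(path)
    hop, seen = path[0][0], []
    while hop in keys:
        next_hop, cell = peel_layer(keys[hop], cell)
        seen.append({"relay": hop, "next": next_hop, "payload": cell})
        hop = next_hop
    return seen


if __name__ == "__main__":
    # Constructed relays and request, for illustration only.
    demo_path = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    onion = build_onion(demo_path, "example.org:80", b"GET /index.html")
    for view in route(demo_path, onion):
        # The entry relay knows the sender but sees only ciphertext; the exit
        # relay sees the destination and the request (readable unless the
        # request itself is also encrypted end to end), but not the sender.
        print(view["relay"], "->", view["next"], "|", len(view["payload"]), "bytes")
```
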


Monday, June 20, 2011


James,
I took notice of the malware warning in your blog regarding Bitcoin and some of the suggestions to thwart it. I'd like to throw my 2 cents in and suggest your readers check out ironkey.com. Ironkey makes a thumb drive that is like no other device on the market. I just bought one and I love it. I will describe what it does and why your readers may want to consider getting one as part of their COMSEC arsenal. I purchased the 16 GB model and the cost including delivery was $228. Yes, that is expensive, but wait until I describe what it can do.

A little history on this device is in order. It was designed by U.S. Naval Intelligence and the largest purchaser of this product is the U.S. Government. I know what you're thinking, if the Government knows about it, I don't want one. The hardware and software for this device is devoid of a back door and the mathematical algorithms that trigger the cryptochip are totally random, not even Ironkey can unlock them once they are initiated. They warn you that if you forget your password you're on your own.

1.    When you insert the 2.0 USB device for the first time you'll be taken through a process to get it going. It takes about 20 minutes and that includes setting up your Ironkey account. You'll be given the option to "back-up" your data on Ironkey's servers. I chose not to exercise that option for obvious reasons. The web site has great tutorials for first time users (highly recommended).

2.    The set up process has you create a password for the device.

3.    Now the fun begins. The next time you plug it in, a menu pops up and you have to enter your password. If you enter the password wrong more than 10 times, the memory of the device will be permanently bleached (erased) and it cannot be recovered. Worried about key loggers? Key loggers are a real threat to your privacy. Hackers can actually log what keys you are using and identify all your passwords as you type. You can type in your password if you wish but I don't recommend it for that reason. There is a little icon on the start up menu and when you click on it a visual QWERTY board pops up on the computer screen. You simply "click" your password with your mouse instead. Even this method can be hacked if the hackers are really sophisticated so Ironkey answers that problem as well. Within the QWERTY board there is a command that allows the QWERTY board to be "shuffled." Basically all the letters and numbers get scrambled and will not be located where they would normally be so you can click your password in and if anyone was actually trying to decipher it they would not be able to.

4.    The entire device is water proof. It is made of steel and you can drive over it with your car or throw it against a wall and it won't damage it. The entire system is encased in a hard resin epoxy so that if you tried to break it open it would destroy the cryptochip beyond any hope of recovery. You can kind of get the picture of where this is going, this company takes privacy seriously.

5.    Here is where this thing gets really interesting. In the control panel there is an application called "identity manager." It works in a couple of different ways, and here is the first example. You click on it, then click on "add" and type in the web address where you want to go and the passwords that go along with it such as your bank accounts. Once you've done that you simply open the "identity manager" and click on that account. The system will launch the web browser, fill in your passwords and log you in all by itself so that key loggers have no chance in tracking your key strokes. The second way is to go to your web sites yourself and enter your own passwords. After you're done, you'll notice a brief pause and wonder what is going on. The system will pop up a screen and ask you if you want the "identity manager" to remember this and do you want to add it to the "identity manager." If you say yes then you have essentially done what I described in step #1 above.

6.    So you're saying to yourself: "So what, I'm still on the net and therefore I'm still vulnerable." Well that's where you'd be wrong. You see, the Ironkey has its own built in Mozilla Firefox web browser and this particular version has an integrated feature called "Secure Sessions" that can be toggled on and off; mine is always set to the "ON" position. You can also import other applications into it such as Internet Explorer and Outlook just to name a few. During "Secure Sessions" you are invisible on the net. You don't exist at all. The signals "tunnel" through existing traffic without anyone knowing you're there and it gets even more intense than that. Let's say I'm writing you an e-mail like I'm doing right now and I'm operating in "Secure Session Mode." I can actually choose what part of the world I want to appear from. That's right! If I want my e-mail to originate from an IP address in Africa then I can do that. I can bounce it around the globe to multiple countries or continents if I choose. If I don't choose to do so, it'll randomly do it on its own anyway. For true anonymity you do need to have an e-mail account that was not set up from your computer. Yahoo, GMail and others log the original computer that the e-mail account was first set up on. The public library or some other random computer that can't be associated with you comes to mind when doing this. [JWR Adds: I concur on the need to use tunneling. Even for those that don't opt to use Ironkey, I recommend the web-based Strong VPN tunneling service for both e-mail and web browsing.]

7.    Anything you do on the Ironkey will not leave a trace on the computer it is plugged into. Period. We don't ever want to end up on some "undesirables list" so should your computer ever fall into the wrong hands there will never be a trace of your activity on the net or any application that is on the computer while using the Ironkey. The files extracted will show up on your "Recent Files" menu but when you click on them to open the application you get a message telling you that you need to plug a computer in. That's operating under the assumption that you get sloppy and forget to clear the "Recent Files" on a daily basis. So why do you get a message telling you you need to plug a computer in to view these files? The answer is simple, the Ironkey is its own mini computer inside a thumb drive that borrows needed files from your drive to operate but never leaves a trace that it did so. I turned a friend of mine (college degree in computer guru science) loose on my computer to test Ironkey's claims. He can't find any history on the drive of any activity I've had while my Ironkey was busy doing what it does.

I think the Ironkey is a must have piece of COMSEC hardware.

Thanks for the work that you do, I hope you and your readers find this helpful. - M.Y.


Saturday, April 2, 2011


Dear Mr. Rawles:
Gibson Research Corporation offers a free [PC] utility called ID Serve that will quickly tell the user the IP address of any web site, as well as some other info. It can also look up the domain name using the IP address. This is useful to help SurvivalBlog readers find the numerical IP for their favorite web sites in case of domain name mischief at the hands of government or private hackers. ID Serve can be downloaded here free of charge. (As a bonus, it is tiny--just 26 kbytes--and fast. It is not "bloatware"). - Sincerely, D.V.B.


Monday, February 21, 2011


Dear Mr. Rawles,
As always, I thank you for your work and send greetings and blessings to you.

I just switched from using Windows Vista to Ubuntu Linux 10.10 on my Laptop. First, I must say I am delighted at the ease of installation and how everything works immediately. Second, I am delighted that my Windows Vista partition of the hard disk continues to work just as it always had. No loss of data nor of function.

When I began using Linux, I looked into security and learned that there is no firewall immediately installed. It is easy and free to download and install one. I queried security from the "System - Help and Support" option at the top of the screen. It informed me about the gufw package. I clicked the highlighted link and it downloaded and installed it. Next I went to Systems - Administration - Firewall configuration and turned the firewall on.

Next, I tested the integrity of the firewall using the ShieldsUP! program. This was an eye-opener. It is probably even more essential to use with a Windows-based computer. It has options to test your ports, test file sharing, test all common ports, test messenger spam, and to see what your browser headings reveal about you. I am not a computer security expert and I am sure there are those that can provide a more detailed description of steps to take to secure your identity and your computer's integrity, but this seems like a really good start. - Mr. Bennington in Pittsburgh


Monday, January 31, 2011


Hello Mr. Rawles!
Long time reader here, but had taken a break from most blogs for almost a year as I focused on generating alternative sources of income. I have an important question for you. How will we access the Internet after the government shuts off "the switch"? Would we still have access via dial up possibly? I'm on broadband now and it's been a long time since I've used dial up service. I've used Ubuntu Linux the past 4, almost 5 years now and I know many old dial up modems do not work well in Linux. (At least the inexpensive winmodems don't work well.) Of course, some brand name modems still work great. I have been recently re-watching the Jericho television series to get some ideas of life after the SHTF. (My wife from Ukraine says collapse is at USA's doorstep with all the telltale signs.) In the show Jericho, Robert Hawkins continues to use a government computer even after an EMP and mention is made the Internet was designed to be able to survive a nuclear war. What about a Presidential kill switch? In any case, I was thinking of getting to know dial up again. Are there still BBS (bulletin board systems) out there? Should I even consider looking into dial up or am I wasting my time? Regards, - Dave in Southern California

James Wesley,
Take a look at the Open Mesh web site. The content of that site is a bit heavy-technical going in places but useful, given: A.) Egypt's recent actions, and B.) the current[ly pending] Combating Online Infringement and Counterfeits Act (COICA) legislation in Congress to give the White House the power to shut down chunks of the Internet in times of "national emergency."

I'm a frequent reader who appreciates your hard work in making people more aware. - Rick W.


JWR:
I believe that some TEOTWAWKI-prepping "good" will come out of the recent developments in Egypt. See this recent PC World article: "Get Internet Access When Your Government Shuts It Down: Does your government have an Internet kill-switch? Read our guide to Guerrilla Networking and be prepared for when the lines get cut." I'm even thinking of a "neighborhood intercom"! - The Other J.R.

JWR Replies: I concur that it is important to develop some alternatives in anticipation of draconian government actions. Yishai mentioned another good article with its own little wiki: Communicate if Your Government Shuts Off Your Internet.

Since SurvivalBlog might someday be deemed politically incorrect--either by malicious hackers, or by our own government, or by a foreign government, we are developing some countermeasures:

A.) As a first step, a couple of months ago we began publicizing our IP address. (It is: 64.92.111.122.) I got a chuckle when I saw a wannabe blog quickly follow suit.

B.) The next logical step will be to set up an offshore SurvivalBlog mirror server that will be automagically backed up every 24 hours. (Does anyone have some inexpensive server space available?)

C.) Lastly, I hope to find a used satellite phone with modem capability, "just in case." (Perhaps Iridium...) But even buying used equipment, they seem quite expensive. Ditto for the cost of calls and modem connect time.


Saturday, December 11, 2010


We post SurvivalBlog's IP address (also referred to as a "dotted quad" or IPv4 address) as a sort of insurance policy. Recent events have proven that a government agency or a malicious hacker can fairly easily seize or hijack a domain name. This has already happened to at least 75 U.S. web sites without due process of law. Their DNS records were changed, essentially erasing them from the "phone books of the Internet." To insure against this, we are distributing our IPv4 address. This can be pasted or typed into a web browser window in place of "www.SurvivalBlog.com"

What you need to do:

Take a pen and write down our dotted quad address: 64.92.111.122, and please carry that in your wallet.

If and when "SurvivalBlog.com" disappears, or if it is replaced by a graphic and a message from a bureaucrat or a hacker, then enter our dotted quad IP address into your web browser. That way you should still be able to continue to access SurvivalBlog, as long as our server is still functional.

If "SurvivalBlog.com" doesn't work, but our dotted quad IP address does work, then please send an alert with the dotted quad notation IP address to all your friends and relatives via e-mails, IMs, forum posts, phone text messages, or social networking services. Be sure to include the full address: http://64.92.111.122 Do your best to then spread the word, far and wide!

In the months to come we plan to implement some additional Continuity of Web Service (COWS) insurance measures, including an offshore mirror site and perhaps even a darknet setup. We will post details as these features are developed.



Hello Mr. Rawles,
I just got a link to a New York Times article about geotagging through Michael Yon's web site, but with the New York Times date of August 11 2010, you may have seen this already. Regards, Albert U.

Jim:
I have been using the Exif JPEG header manipulation tool for several years.  A batch file can be written to remove EXIF data from all images in a folder.  I have my wife do this before she uploads her photos to Facebook. Regards, Lee H.


Thursday, December 9, 2010


Dear Mr. Rawles,

With the proliferation of smart phones, as well as advanced cameras with GPSs installed, people may be giving away more information than they intend to when they snap and distribute pictures. This can be an operational security (OPSEC) issue.

Embedded in the Exchangeable Image File (EXIF) data on the picture, the GPS coordinates of the picture location may be stored for anyone to access. This is especially a problem as people post these pictures online (for social networking, emailing to friends/family, or for online sales, etc.).

This embedded GPS data can reveal the exact location of your home, work, and enable an individual with nefarious intent to build a profile of your movements. A threat to OPSEC to say the least!

Adam Savage, co-host of the popular television program "Mythbusters" inadvertently did exactly this.

Tech gurus and electronics manufacturers are touting it with that famous line - "It's not a bug, it's a feature."

Accessing the data is exceedingly simple if you know that it's there.

At least the U.S. military has recognized the OPSEC threat that this geolocation data represents on phones and cameras.

Stay safe, - Christopher T.
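
The embedded EXIF location data described in this letter, and the batch removal Lee H. mentions in his December 11 note, can be checked for and stripped with a short script. This is an added example, not code from either letter or from the tool Lee H. names; the function names and the tiny constructed sample image are assumptions for illustration.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"   # identifies an APP1 segment as EXIF
GPS_IFD_TAG = 0x8825            # IFD0 tag pointing at the GPS sub-directory


def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each JPEG segment after the SOI marker."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):      # image data / end of image: copy as-is
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length          # length counts its own two bytes
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or malformed segment")
        yield marker, pos, end
        pos = end
    if pos < len(jpeg):
        yield None, pos, len(jpeg)      # short trailing bytes, e.g. a bare EOI


def ifd0_tags(tiff: bytes) -> set:
    """Return the tag numbers in the first image directory of an EXIF block."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return set()
    magic, offset = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or offset + 2 > len(tiff):
        return set()
    (count,) = struct.unpack(order + "H", tiff[offset:offset + 2])
    tags = set()
    for i in range(count):
        entry = tiff[offset + 2 + 12 * i:offset + 14 + 12 * i]
        if len(entry) < 12:
            break
        tags.add(struct.unpack(order + "H", entry[:2])[0])
    return tags


def is_exif(jpeg: bytes, marker, start: int, end: int) -> bool:
    return marker == 0xE1 and jpeg[start + 4:end].startswith(EXIF_HEADER)


def exif_has_gps(jpeg: bytes) -> bool:
    """True if any EXIF segment carries a pointer to GPS data."""
    for marker, start, end in iter_segments(jpeg):
        if is_exif(jpeg, marker, start, end):
            tiff = jpeg[start + 4 + len(EXIF_HEADER):end]
            if GPS_IFD_TAG in ifd0_tags(tiff):
                return True
    return False


def strip_exif(jpeg: bytes) -> bytes:
    """Copy the JPEG without its EXIF segments; pixel data is left untouched.
    Other metadata blocks (for example XMP, also in APP1) are not removed."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in iter_segments(jpeg):
        if not is_exif(jpeg, marker, start, end):
            out += jpeg[start:end]
    return bytes(out)


def build_sample() -> bytes:
    """Constructed, structurally valid test file (not a viewable picture)."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    gps_ifd = struct.pack("<HI", 0, 0)
    exif = EXIF_HEADER + b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps_ifd
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    return b"\xff\xd8" + app0 + app1 + b"\xff\xda\x00\x02\x12\x34\xff\xd9"


if __name__ == "__main__":
    import pathlib
    import sys
    for name in sys.argv[1:]:           # e.g. every .jpg in a folder
        src = pathlib.Path(name)
        raw = src.read_bytes()
        dst = src.with_name(src.stem + ".clean" + src.suffix)
        dst.write_bytes(strip_exif(raw))
        print(f"{src}: GPS pointer present = {exif_has_gps(raw)}; wrote {dst}")
```

Stripping the whole EXIF segment also drops the orientation and timestamp fields, so a cleaned photo may display rotated in some viewers.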



Sir,  
Your comment to the article on Budget Survival strategies cautioned about the use of grocery store club cards, as potentially allowing your purchases to be tracked.  For those concerned about this, there are simple work-arounds, and the cost savings of using club cards is usually in the order of 30% to 50% or more.   

Club cards are usually available at the store through a quick sign-up process, and fake names, phone numbers and addresses can be used.  (I signed up for my first club card under the name Georgina Orwell; and with Sherlock Holmes's "221b Baker Street" address. I'm sure the literary allusions were lost on the clerk who gave me my card.  I used that card for at least 10 years without any problem.)   If  given the option to opt out of mailings, do so, since the returned mail might trigger a cancellation of the card.    Regards, - N.A.


Wednesday, November 24, 2010


James,
Thanks for the invaluable resource - knowledge - as provided by SurvivalBlog.  I was wanting to get some feedback on long range phones, particularly the Motorola M800 Bag Phone.  From what I can gather, this phone is dual digital and analog and it is described as used "for workers in the Oil and Gas, Agriculture and Forestry industries. Now you can stay connected in the field, on rural or urban highways, when traveling, at the cottage or even camping". 

I travel into Appalachia in Eastern Tennessee and Southeast Kentucky and also have a houseboat (on a mooring line, so a fixed phone would be excellent) that is situated in a fairly inaccessible area.  In these areas, I receive very poor and unreliable cellular phone reception.  As I have found, changing carriers can help, only marginally, but does not eliminate the problem.  From what I can tell, very few people own this type of phone after the widespread conversion to digital cellular systems January 1, 2008.  It is my understanding that some carriers like Verizon still offer analog service and that this would be viable option for someone like myself to fill in the gaps.  If there is anyone within the readership, who owns or has owned one and can offer me some practical advice that would be appreciated - very little information exists on this product other than what is provided by the manufacturer. - Jorge L.

JWR Adds: One other advantage of using "legacy" analog cell phone systems is that in some locales the carriers never implemented the automatic caller location features that are standard by law with digital cell phones. (Digital phones are automatically located by a process called pinging. Analog phones are located via triangulation.) This can provide a bit of privacy, but be sure to check with your local carrier to see if they implemented automatic analog signal triangulation. Many of them did not. For those providers, triangulation is a slow and cumbersome process.


Tuesday, November 16, 2010


Jim,
In response to the current discussion on moving away from Windows, I'd suggest that SurvivalBlog readers take a look at Puppy Linux as well. It is a free bare bones OS that does most of the basic Windows functions and uses very few resources on your computer. The minimal requirements are as follows:

• CPU : Pentium 166MMX
• RAM : 128 MB physical RAM for releases since version 1.0.2 or, failing that, a Linux swap file and/or swap partition is required for all included applications to run; 64 MB for releases before v.1.0.2
• Hard Drive: Optional
• CD-ROM: 20x and up

These small requirements may allow people to dust off some obsolete or malware-infested PCs and put them back to work.

Since it runs completely in a tiny amount of your PC's RAM, you can carry the extremely fast OS and all of your work on a thumb drive. This also allows you to easily dual boot it with Windows for those "must" applications.  Just reboot or shutdown the PC and your last session is wiped clean, only saving what was put on the thumb drive and leaving a small partition file. It is a wonderful choice for those who are concerned about privacy.

Boston T. Party has an excellent section on Puppy Linux and other privacy measures in his book One Nation, Under Surveillance.

Regards, - Bill Z. in Wyoming


Monday, November 15, 2010


James,

Here's a follow-up to David from Israel's article on Linux. I encourage your readers to heed David's advice and wean themselves off the MicroSoft Windows operating system ASAP.

Linux Mint Debian is a good OS option. See the Linux Mint Debian tutorial. Here is a description: "This tutorial shows how you can set up a Linux Mint Debian 201009 desktop that is a full-fledged replacement for a Windows desktop, i.e. that has all the software that people need to do the things they do on their Windows desktops"

According to this article, the Chinese military have already removed Windows from their computers for security reasons:

Another potential replacement for Windows is PC-BSD.

These Windows replacements are free as in freedom and free as in zero cost.

Enjoy! - Rick H.


Friday, November 12, 2010


Dear Mr. Rawles:  
Thank you for your dedication to the survivalist movement.  As a Ten Cent Challenge subscriber, I appreciate being able to read many of the posts and comments on your web site.  I am hoping to pose a question to you and your readers about becoming foster parents as survivalists.   

First, a little about us: We live in a small suburban community in Ohio. Because of several issues, we have decided to retreat in place. With a little land, we have created a suburban homestead with a large garden and a small chicken flock. We have also begun laying up food staples and have a good source for water and the ability to filter it. We will soon be converting the house to heat with a wood burner. Also, we have an ever growing supply of firearms (handguns and long guns) for hunting and self defense. We are also blessed to be able to home school our two grade school children and are trying to instill our Christian beliefs in their lives. My wife and I have always considered expanding our family by adopting or being foster parents. In light of the potential for hard times around the corner, we feel that this may truly be a way to reach out to a child and offer support where there may not be other options.

That being said, keeping OPSEC in mind, I am concerned about inviting the social services network into our home for the inspections to which we would be subjected.  Primary issues are:  Firearms (in a locked safe), food storage, and home schooling. Whether we are or are not approved as a foster home, I feel as though we would be "on record" - which of course concerns me.  While some of the items could be concealed or temporarily moved, I am sure that what we are doing would be noticed and documented.  

I am sure that you have at least a few readers who have adopted or are currently foster parents, maybe some in Ohio, who could give us some advice in relation to these questions. Thanks - Robert in Ohio

JWR Replies: By God's grace, I've never had any run-ins with snooping officials. Part of this may simply be because I live in such a remote area, and I lead a very quiet life, locally. Because of this, I don't feel qualified to comment on that topic. Perhaps some readers can e-mail me to comment on their experiences, and I'll post their comments, anonymously.


Friday, September 17, 2010


James Wesley:
Regarding the recent article at the Time magazine web site that has been forwarded far and wide: What Your Cell Phone Could Be Telling the Government. Remember, this is America. While there is no better place on earth to live, you are never any more free than They allow you to believe you are at any given moment. All you can do is live out your life, raise your family, eke out some happiness, and try to effect the change that is important to you in the short time you are here. It is certainly worthwhile (and patriotic) to be distrustful of Government, but I refuse to live under the thumb or watchful eye of my government. The first step in making them understand they work for us is to just refuse to play the game or let them dictate the Narrative in the first place.

Google is a prime example of why you have a lot more to fear from Corporate America than you ever did from the .gov. That is saying a lot. Corporations are a lot more free to abuse and damage you than the .gov will. A day is coming where every 'questionable' thing you ever did on the Internet or bought with a credit/debit card will be made available for a fee. At first it will be used for pre-employment screenings and to expose political enemies, eventually it will be offered to anyone for a small fee. Our Government would kill to have as free a hand as Google does! - C.D.C.

JWR Replies: I have my doubts about the government's current access to Internet data "without a warrant." It is noteworthy that Katie Jacobs Stanton, a former Google Project Manager now works in the Obama White House.


Monday, August 2, 2010


My Dear Mr. Rawles,
I am writing in regards to Tamara W.’s letter. I am an IT manager tasked with keeping data and people secure – in that order. As a prepper with an enlightened self interest for the well being of my fellow preppers, I would strongly encourage your readers to not necessarily follow all of Tamara W.’s advice.

When your readers are at work, they should understand that the IT Department has full access to their PCs and all their records and e-mails. Your readers are playing on the IT Departments’ networks and the IT Departments literally make the rules, both logical and personal.

If, in my role as IT manager, I were to use my various net monitoring tools, someone using the IP address of a web site rather than the DNS would stick out like the proverbial sore thumb. The same is true of e-mail. The best way to maintain anonymity on the Internet or inside of is to not stick out.

Ms. Tamara W. is correct about e-mail often not being covered by web filters. However, if the e-mail were happened upon (no small likelihood), the contents of the e-mail would immediately be traced back to the employee, with all the consequences thereof. In many small companies and all large companies, e-mails are retained for years. Is sending a compromising e-mail from work really that important?

In my role as IT manager, if I found a PC with an unsanctioned proxy on my network, I would discover it (there is no if, it would be discovered) and fire the employee immediately. The employee would likely also be turned over to government officials on the grounds that they had the means and method to steal company data. That employee’s personal TEOTWAWKI would begin sooner than everyone else. Is surfing from work really that important?

Your readers should understand that there is no privacy at the office. In most medium and large sized companies, logs are kept of everything, and because of current Federal regulations (Sarbanes-Oxley (SOX) in particular), these logs are kept indefinitely. The office is not some place that your readers will want to attempt to hide their tracks as it is essentially impossible. There are easier ways to be anonymous on the Internet.

You cannot easily imagine the backdoors and listening abilities of a national body. An Internet regulatory body that had control of an ISP could easily cause your PC to install software without your knowledge. This software would operate in the background of most commonly used operating systems like Mac OS X or Windows, transmitting all you do. Logs may be easily reviewed with the help of not very complicated algorithms. If the government becomes exceedingly hostile, I would recommend giving up Internet usage as it is more or less impossible to maintain anonymity without advanced understanding of the Internet and encryption.

I can also assure you that government control of the Internet is no joke, having spent no little time in China where this is done. By attempting to circumvent government controls, you will be putting yourself or your hosts at risk. Is it worth your or their imprisonment? Your readers have a Christian duty to those who provide hospitality. Getting your hosts arrested because you want to read the Washington Post fails that standard.

The Chinese control their local version of the Internet, even if they are rather ham fisted about it. This control goes well beyond The Great Firewall of China. It would seem that individual bodies control their local DNS records as well as Internet routing (incidentally both of which change from city to city and seem sometimes to be more finely applied, like from hotel to hotel – perhaps depending on the skin color of the hotel’s residents, though I wasn’t ever able to put this to the test). To give your readers an example of control:

Q: Are you visiting Google or something else entirely?
A: It’s both. And you will not be able to tell the difference. These governments control the settings of the BGP protocol in their routers. The people who control the Internet can send you where they like. If you ping an address, it may reply even if going to the ‘wrong’ destination.

There are other methods of tracking PC usage as well. It should be no surprise that China has the world’s highest percentage of spyware infected machines. As much as the Chinese spy on the Americans, they spy on their own people more. A government that is intent upon tracking its people will find a way irregardless of legality or well-being of its citizens. You can expect other governments that become afraid of their citizens to embark upon the same path.

If your readers are truly intent upon being on the Internet and hiding their identities, I would strongly encourage your readers to get an operating system that they can view and customize, like Linux. I would like to warn your readers that having a Linux OS has been regarded by law enforcement in the United States as suspicious in and of itself. I would then strongly encourage your readers to learn how to use it before attempting to conceal their activities on the Internet. I would strongly encourage your readers to learn what an IP Packet is and how it routes. Your readers would also need to learn what DNS is, how it works, and why it is set up in the manner that it is.

I would also strongly encourage your readers to encrypt their e-mails rather than send to an IP address. Low cost encryption programs like WinZip are available, but your mileage may vary. I discourage your readers from doing anything illegal, but would like to point out that WinZip encryption is unlikely to deter a determined government body. Incidentally, an unencrypted e-mail is essentially a postcard. Your readers would be wise to not include any information they do not wish others to read.

I would also strongly encourage your readers to encrypt their computers’ hard disks with a program like PGP. If a government or business suspects a person of impropriety, the first thing they will do is attempt to impound the hardware. If you are doing something of impropriety, you might as well make an effort to protect yourself. Federal courts have recently ordered that a person is not required to supply combinations to computers, as that would be self incriminating.

To put it more bluntly, if your readers feel they need something from the Internet, they should print it out or download it to a flash drive and then upload it to an offline computer today. Otherwise, they may need to trust in the Sneakernet. The Federal Government of the United States is, in my opinion, still a mostly trustworthy entity. I know and like my local congressman and other government leaders. I hope most of your readers may say the same. Nevertheless, we are here to prepare. - P. from Illinois
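The point in the letter above that browsing by IP address instead of by DNS name stands out in monitoring can be shown with a short log pass. This is an added example, not part of the original letter: the log lines are constructed samples laid out like Squid's native access.log, and the list of internal address ranges is an assumption to adjust per network.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in the layout of Squid's native access.log:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1280750401.112    87 10.1.4.23 TCP_MISS/200 5120 GET http://www.example.com/news - DIRECT/93.184.216.34 text/html
1280750402.530   140 10.1.4.57 TCP_MISS/200 9811 GET http://203.0.113.80/ - DIRECT/203.0.113.80 text/html
1280750403.004    12 10.1.4.23 TCP_MISS/200  733 GET http://192.168.10.5/intranet/wiki - DIRECT/192.168.10.5 text/html
1280750404.871   951 10.1.4.57 TCP_MISS/200 4410 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1280750405.220    63 10.1.4.88 TCP_MISS/200 2048 CONNECT mail.example.org:443 - DIRECT/192.0.2.25 -
1280750406.415    71 10.1.4.57 TCP_MISS/200 1200 GET http://[2001:db8::10]/page - DIRECT/2001:db8::10 text/html
this line is truncated
"""

# Assumption: ranges treated as internal, where reaching a host by IP is routine.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128")]


def destination_host(method, target):
    """Return the host part of a request target, or None if unparseable."""
    # CONNECT targets are "host:port"; other methods carry a full URL.
    url = "//" + target if method == "CONNECT" else target
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def is_external_ip_literal(host):
    """True when host is an IP address (not a DNS name) outside INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:
        return False  # a DNS name, or nothing parseable
    return not any(addr.version == net.version and addr in net
                   for net in INTERNAL_NETS)


def direct_ip_hits(log_text):
    """Group direct-to-IP requests by client; also count unparseable lines."""
    hits = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) < 7:
            skipped += 1  # too short to hold client, method and URL
            continue
        client, method, target = fields[2], fields[5], fields[6]
        host = destination_host(method, target)
        if host is None:
            skipped += 1
            continue
        if is_external_ip_literal(host):
            hits[client].append((method, host))
    return dict(hits), skipped


if __name__ == "__main__":
    flagged, bad_lines = direct_ip_hits(SAMPLE_LOG)
    for client, requests in flagged.items():
        print(f"{client}: {len(requests)} request(s) to raw IP addresses")
        for method, host in requests:
            print(f"    {method} {host}")
    print(f"unparseable lines: {bad_lines}")
```

A hit is a lead for review, not proof of policy evasion: some legitimate appliances and services are addressed by IP, which is why internal ranges are excluded up front.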


Sunday, August 1, 2010


Dear JWR:
In response to the posting by Tamara W., I would like to furnish an addendum. The post references an "Internet Kill Switch" which has recently been signed into law. As I am sure that you and most of your Internet savvy readers are aware, there are two distinct ways that the PTB (Powers That Be) can "kill" the Internet. The first is relatively trivial. This is by corrupting or otherwise disabling the DNS (Domain Name Server) system where human readable URL's (Universal Resource Locator) such as SurvivalBlog.com are translated into computer readable IP (Internet Protocol) addresses such as 64.92.111.146. Since this is a trivial "kill", the solution is also trivial, as that described by Tamara W. The solution is to simply bypass the "block" by bypassing the translation from URL to IP address.

This process can be likened to the common phone system. If one wants to call Joe Blow, you simply look up in the "directory" for the phone number of Joe Blow, and get the response (412) 555-1234. The trivial "block" is to prevent one getting the correct phone number for Joe Blow. And likewise, the trivial solution is to already know the correct phone number for Joe Blow, and to "dial" this number directly.

A much more effective "block" is to prevent the "switches" between you and your destination from working. In the Internet, these "switches" are known as routers. If one was to "kill" the routers, the Internet is effectively killed. In the same vein, if your phone company's directory service was "killed", you could still dial the correct number, but if the telephone company local switching office was "down", you ain't going nowhere.

As a disciple of Sun Tzu, I refuse to underestimate my opponent. As such, I am fairly certain that their attempt to "kill" the Internet won't be limited to simply disabling the DNS system, but will also include shutting down the routers as well. The only "solution" is to develop a communication system which does not depend on infrastructure that is beyond your control. Currently the only option is amateur radio, where the entire communication path is under the "control" of those doing the communication. - NC Bluedog


Saturday, July 31, 2010


Sir:
I have several friends in China under different guises, work or school visas for instance, but their main purpose is evangelism. When we e-mail them we have to be very careful about what we say because the Chinese government reads incoming e-mails. For instance "I'm praying for you" would be written as "I talked to Dad about you". Just so we aren't thinking all our e-mails are secure. - Richard C.


Mr. Rawles,
I would like to say the article “How to Bypass Blocked Web Sites, by Tamara W.” was technically correct, and I will not question the legality of the methods used. One word of caution: trying to use any of the mentioned techniques will get you fired if you use them at work to bypass security measures in place. As a consultant for several mid-size companies, it is my job to provide the evidence to the corporate attorneys for use during dismissal.

I still love the site and read it every day!

Best Regards, - Scott P.

JWR Replies: I trust that SurvivalBlog readers will use the information in that article (and all of the others posted here) responsibly. Fighting tyranny and maintaining personal privacy are admirable, but stealing time from your employer is not!


Friday, July 30, 2010


Web sites can be blocked for many reasons. Employers block web sites to protect productivity. Parents block web sites with violence, pornography and illegal activities to protect their children. Internet Service providers block web sites with child pornography because of the law. Some nations block certain web sites with opinions that dissent from those of the predominant political powers. Unfortunately, whether it is through the proposed “Internet kill switch” that the federal government has proposed or a deployment of government Internet censorship as China and Iran already employ, there is a possibility that those in the “free” world will find the government censoring web sites.

These blocks can be bypassed through changes in web site references, connections to anonymous proxy servers, Google redirects and changes in web site connection. All of the methods described here require anywhere from no technical skill to very little skill. The last section gives advice and resources for those who have servers and would be interested in creating the work around web sites and servers that others would value should a web of silence fall.

Accessing the Blocked Site Through Address Work-Arounds

Step 1
Enter the IP address of the blocked web site into the browser’s address bar. This may allow the web site to open via the IP address without triggering the block that is tied to the web site URL or web page name. For example, an IP address could be accessed using the address format: http://12.123.123.4/


Ping the web site name by going to the command line prompt. Then enter the command:

ping sitename.com

The response by the ping command will include the IP address of the web site.
Users can also use an IP address lookup based on the web site name. An example site for this is:
http://www.selfseo.com/find_ip_address_of_a_website.php

Step 2
In the URL of the web site, change the HTTP to an HTTPS without changing the remaining web site name. For example, http://example.com would be entered as https://example.com. The browser will then treat the web site as a secure site, in some cases bypassing the web site block.

Step 3
Bypassing the block of secondary web sites when the main web site was accessed via HTTPS or IP address may be necessary when the secondary web site is blocked because of key words in the web site. For example, a news web site is accessible but linked pages are blocked due to controversial material, references to politically incorrect views, or subject matter meta-tags. Bypass this block by selecting the “e-mail this story” option offered by some web sites. Send the story as text or html to an e-mail account. Then access your e-mail to read the material.

Step 4
Nations and ISPs that block forbidden web sites do not apply the same filters to e-mail. One work around is to have an associate with access to these sites e-mail desired web site articles to you. This can be done by copying and pasting material into an e-mail. It can also be done by saving the web site page as a PDF, Microsoft Word document, or filtered HTML document and then e-mailing the web site as an attachment.
One could imagine services by those in “free” areas creating e-mail mailing lists, e-mailing news articles and information to those who do not have access to blocked sites that could include FoxNews.com, SurvivalBlog.com or other politically incorrect web sites.

Connect to an Unblocked System

Step 1
Access an anonymous proxy server. These are often called anonymous web proxies. If you do not know of one, search for the key words “anonymous proxy server” for many such web sites. Then access the anonymous proxy server. From the anonymous proxy service, a search window will appear. Enter the key words or web site name in the search window of the anonymous proxy server. The anonymous proxy server will then serve up the web site in a lower portion of the browser session, bypassing the block. Examples of anonymous proxy web sites include youhide.com, kProxy.com, proxify.com, bypassthat.com, and anonymouse.org.
As a warning, avoid any anonymous proxy server web site that requires payment for use. If the intent is to remain anonymous while surfing blocked sites, payment information creates a record that is traced back to you. And unlike web site viewing history that can be deleted off a computer by a system administrator, payment records are both impossible for the user to eliminate themselves and the most likely to be kept by the system administrator. Payment records are also at high risk of review by others, such as accountants and tax officials. So it is safest to never use an anonymous proxy server web site that requires payment for usage – because that defeats the user’s desire to be anonymous.
Users should also avoid any anonymous proxy server web site that requires installation of any additional software. Even if the software is not malicious, it could provide a trail from software source to your computer that is available to network administrators. 

Step 2
Access another server via a VPN secure location. This secure access connection bypasses the blocking instituted by some firewalls. Users can then surf the web, only limited by the web site controls that the connected computer has installed.  This does require the ability to set up a VPN connection as well as knowledge and permission to access a server that is not bound by the same access restrictions.

Step 3
View the Internet through a cell phone. Many web site blocks managed on a national level are done through ISPs and telecommunication company routers. Using cell phone networks can sometimes bypass these blocks. If used in conjunction with disposable phones with Internet access, it also provides more privacy.
This is an expensive option, since Internet access will be charged to the cell phone bill at data plan rates. The cost can be reduced by requesting web sites be viewed in text instead of HTML format. However, this option can bypass the web site filters in some nations that are based on the computer network.

Step 4
Go satellite Internet. Just as satellite television bypasses the local television programming by allowing viewers to select from a wider array of television shows, satellite Internet connections can bypass the Internet restrictions based on the local network. Hughes Satellite Internet is the largest but not the only provider in this area. This option is more expensive than surfing through a cell phone. It is also easier to be tracked down to the specific user, since a satellite dish is allowed. However, the proliferation of satellite dishes for television can provide cover in this regard.

A future form of speakeasy would be a sports bar with Internet satellite connections providing web sites that are not available on the consumer’s home computer. Or Internet cafes could simply have private rooms that provide broader access than those in the main area would have. The constant flow of customers also provides anonymity. If the computer does have software to track usage and sites visited, the turnover of users makes it harder to determine which individuals were viewing which web sites. Visiting different Internet cafes or sports bars with the unrestricted Internet access also provides more opportunity to not have one’s own computer searched and then seized due to illegal viewing of politically incorrect material.

Let the Block Think It is a Harmless Page – Bypassing the Block

Step 1
Go to Google or another browser. Search for the web site name in the search bar. Instead of clicking on the web site link, select the “cached” option below the web site description. This will be seen by the browser as viewing a web page from Google or the search engine, not the blocked site.

Step 2
Open up Google. Enter the URL in the format below, but with the blocked web site's URL in place of www.showme.com: http://www.google.com/translate?langpair=en|en&u=www.showme.com
Translations through Google are read by web site filters as coming from Google, thus the web site is visible even though the original content is brought up through this command.

Step 3
Search for the blocked topic in a search engine. If the web site summary is visible but the web site is blocked, copy the web site URL. Then e-mail it to yourself for viewing on a less restricted system. For example, if a web site appears interesting but the computer on which you are working may be monitored, simply copy the URL and e-mail it to yourself to view on an unmonitored system later.
If the computer has software used to prevent illicit digital copying of material (as is used by some companies today to prevent users copying company data and pasting it in e-mails to send to others), a simple work around is to paste the URL into a text document like Microsoft Notepad. Then perform several other transactions. At a later point in the session, after the copy and paste buffer has something else stored within it, cut the link in the text editor. Then paste the link into an e-mail to send to yourself or others.

For Those With Advanced Computer Skills

Option 1:
Set up a personal server. Then install an anonymizing web http proxy like PHProxy. In many cases, this creates a searchable web site. The safest location to get this software is through sourceforge.net, an open source software consortium.

Option 2:
Alan Huang, the founder of UltraReach Internet and the Global Internet Freedom Consortium, does distribute his simple software through e-mail to allow anyone to bypass web surveillance. Contact his organization to install his software, currently used by many in Iran and China to get the rest of the story their own nations do not want them to see. Do NOT install software claiming to be his application from any other site; there is a high risk that software from any other source is likely malicious software.

Note: All techniques listed in this article are presently legal per the laws of the United States. Bypassing blocked sites using these methods may be illegal in the nation in which you reside.

For further reading on these topics or more advanced reading, refer to the books in the following list.

References


Monday, June 21, 2010


Dear SurvivalBloggers:

The concept of operational security (OPSEC) is simple. You conduct yourself in a way that doesn't give anyone the impression that you're doing anything out of the ordinary. Sounds simple, doesn't it? It's not.

Everything you do and say is an indication of the things that are going on in your life. Most importantly, people tend to operate in predictable patterns. It's called a rut. When you get into one, you define who and what you are. If someone has an interest in you, all they have to do is watch and establish that pattern. If you make a change, it stands out. Think about it.

You're suddenly happy for no apparent reason.

You call the newspaper office from your work phone and put a hold on delivery.

You call the post office and do the same with your mail.

You leave brochures around for Disney World, and you live in St. Paul.

How long would it take someone who is interested to figure out that you're going on vacation? You haven't said word one about your vacation to anyone in the office or workplace, but it's pretty obvious, right?

The same applies for your preparations. I know, it's over the top obvious when you have a pallet of MREs drop-shipped to your driveway. The neighbors will notice. They may never say anything, or ask you about it, but they will know. Too obvious? Okay, try this. You suddenly take an interest in off-road vehicles. A 1965 Bronco shows up in your driveway, and you live in suburbia. You're not known as an outdoors type of person, but suddenly you develop an interest in guns. The neighbors see you carry gun cases into your house, or out to your vehicle when you go to the range. How much intellect does it take to put those images together?

It's the little things that make the difference. You set up a tent in your backyard, but you never go camping. Your house grows an extra antenna or two. You're at the company picnic and the topic of camping comes up, and you spend twenty minutes telling your co-workers the difference between a 5.56 and a .223. You explain to them the best types of water filters available, and the best places to buy them. Someone is going to pick up on that.

This is not a bad thing in itself. In the military, we operated on a presumption of ignorance in many cases. It can't be avoided. When your tactical air wing is being deployed, it's hard not to let the world know about it. Everyone from the day care operator to the guy who mows the grass is going to know something is going on. The important part of that was to try to make sure they didn't know where you were going, or what you were going to do when you got there.

So what do you do? Again, it's all about patterns. It's important to make your preparations part of your normal life. Don't drop-ship that pallet of MREs. Instead, carry in a box or two at random occasions. Better yet, every time you go to the grocery store, buy a couple of extra of what you normally eat anyway. Someone will notice you carrying in boxes, but nobody will give a thought to a couple of extra bags of groceries. Once a month, do your grocery shopping and pay cash. Those store discount cards are an excellent way to track what people are buying. I'm sure if someone had access, they could tell what you have for just about every meal for the last year. You did pay for it with your debit card, right? They look up the name on the store discount card, match it with the name on the debit card, and voilà! they know what you're buying, how much of it, and most importantly, if you change your buying habits.

Is this paranoia? Probably, just a bit. Is it warranted? Probably, just a bit. One of the largest employers for the last several years has been the Department of Homeland Security. To put that into context for you, the Soviet Union called their internal security apparatus the Committee for State Security. We knew them as the KGB. (Komitet Gosudarstvennoy Bezopasnosti.) Did the pucker factor just go up a notch or two for you? I hope so. I have no delusions that there are people sitting around, discussing me in the context of a threat to national security. I'm just not worth their time. They have bigger fish to fry, and all that. Does that mean I'm not aware of the possibility that someone is taking a look now and then? No.

Does that mean that I'm not being careful about the image I'm putting out there? Nope. Most importantly, I'm constantly aware of my usual patterns. What I do and when I do it. I make a habit of letting people know that I like to camp, and that I go to the range a lot to shoot, just for fun. I don't buy a lot of ammo at one time. When a sale hits on ammo or something else, I pay cash. The guy at the Army surplus store knows me. I go in and just talk on occasion, looking around without buying anything. When I do buy, I pay cash, and I never buy a lot of anything at one time. I park on the street, because I don't have a garage, and wait until after dark to bring in the big packages. The neighbors don't know me very well, and that's the way it's going to stay. I put out the image that I'm a fairly harmless guy, maybe a little redneck, but basically nobody anyone would be interested in. I don't hassle cops, and generally try to be a good citizen.

Most importantly, I try to maintain a pattern of normalcy that doesn't draw any attention to myself. If I have to hunker down, I can do that. If I need to throw it in the truck, (which I bought because, you know, I live in a little valley, and that last snow storm had me stuck for a week with that little car) and G.O.O.D., I can do that too. I don't let the gas gauge get below half, because you know, the truck runs just as well on the top half of the tank as it does the bottom half. I keep an eye on most of the political situation, and even a closer eye on the economic situation, and try to be ready. That's all we can do right now, but it's important that we do it in such a way that WTSHTF, I don't have sixteen neighbors showing up on the doorstep. - C.T.


Saturday, June 5, 2010


James Wesley:
Do you want to see a serious breach of operational security (OPSEC)? Then go to the "ANTS Group" web site and click on their map. Zoom in on some of the names and addresses of folks with supplies just waiting to help others. I'm glad to see folks ("ants") willing to help [others], but I'm sorry to see folks setting themselves up [as targets] for [the depredations of the] not so trustworthy or "Golden Horde" (a.k.a. Grasshoppers)! Regards, - M.T.

JWR Replies: Thanks for sending that illustration of how not to keep a low profile. The naiveté that they display is astonishing, in this day and age. I agree that charity is a very important Christian duty. But please folks, use some common sense!


Saturday, May 29, 2010


Most of us that live in the post-modern era have undoubtedly heard the term “carbon footprint.” This is a term that has come to the forefront of most of our daily lives due to a streamlined and tenacious push to increase the green mentality. We have seen posters, commercials, testimonials, political rants and even legislation on this topic. The idea is to keep your impact on your local environment small so that you minimally affect the “worsening global condition.” I will not go on any type of tirade about how those that impose these ideas don’t follow it themselves (multiple houses, vehicles, wasted finances, etc.) On the surface this sounds like a sound idea and in principle we should do our best to take care of what we have been given. I believe that our Creator mandates this; “So God created man in his own image, in the image of God created he him; male and female created he them. And God blessed them, and God said unto them, Be fruitful, and multiply, and replenish the earth, and subdue it: and have dominion over the fish of the sea, and over the fowl of the air, and over every living thing that moveth upon the earth.” Genesis 1:27.

So as much as we should aim to reduce our carbon footprint in the sight of men we should more-so reduce our carbon-copy footprint. I can safely say that all reading this have probably seen, read, or heard about what transpired in Michigan a few months ago involving militia, guns, “questionable ideals”, and the web site YouTube. I am not saying anything about the people or their ideas/plans, nor am I saying if I feel this may have some Hollywood influence or be somewhat reminiscent of what took place in a particular small town in Texas. What I am saying is that regardless of what transpired we should learn from what happened there and not make the same mistakes ourselves. We should not make ourselves to have a “Carbon-Copy Footprint” of somebody else and make their mistakes. For some reason it seems that the average person lives to relish in the glory of their own accomplishments or resources. This has become more evident as technology allows for us to follow the lives of average (term used loosely) Americans. YouTube, Facebook, Twitter, MySpace, etc. make contact and information sharing almost instantaneous and impersonal. If you go on YouTube and look for “gun” or “shooting” you may find more videos than you could possibly watch in a lifetime of people flaunting their weapons and making untactful expressions of themselves. I fear this is a learned experience but can attribute almost every video that I have watched to one very common humanistic flaw, Pride. A wise Proverb holds true: “Pride goeth before destruction, and an haughty spirit before a fall.” This certainly proved to be the case in Michigan. A good portion of the investigation was done online through video and commentary analysis. An entire case was built off what they said/did through their computers.

Most of us can agree that the idea of being a survivalist does not appeal to the masses that live comfortably in a four bedroom 2 bathroom house with a flat screen in almost every room. (Not excluding myself here). Subsequently if it does not appeal to the masses it most certainly does not appeal to those that “serve” these masses. The idea of modern democracy is don’t rock the boat and point out those that do so. We live in an age of information and security, both of which are very subject to outside influence. I recently read that Facebook was in the midst of discussions with groups like the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, and the infamous Department of Alcohol, Tobacco, Firearms, and Duct tape (an inside joke most will get). If you don’t believe me, then just ask Rabbi Google by searching for the above key words. I am not here to spread paranoia and fear or start some anti-government movement. All I am saying is to be aware of your surroundings and act accordingly. For example, I work as a Civilian contractor for one of the military installations in my area. I love to do research on survival technique, weaponry, food storage, etc. and read a certain novel twice through on my down time at work. But it took someone pointing out to me, my beloved wife, that I was not acting responsibly or being aware of where I was and the implications such actions could have on my employment or security. It goes without mentioning that this all happened around the time of the Fort Hood incident and has not happened since I received reproof.

Most people reading this probably have, at least to some degree, their beans, bullets, and band-aids stored within arms reach and safe. Even though common sense would suggest that this is wise I have read where this could be deemed Un-American, hoarding, and in a loosely defined Patriot Act, Terrorism. There are probably very few of us that leave our stores and supplies out in the open for all to see, right? Or do we? It is easy to say “I don’t talk to anyone that does not need to know about what I am planning.” Even though you may not speak openly around family or friends, in some cases it is easy to infer what your plans are based on what you type or post on the internet. This brings us to the next defined term, Operational Security. In layman’s terms this is defined as the ability not to be detected or found out. It may be one of the few things that if you lose you cannot get back, or at least not back in the same state as you created it. It seems funny that some people will go to great lengths to camouflage their guns, clothing, cars, gear, dogs, houses, etc. but will speak openly into cyberspace about the very thing they are trying to conceal.

I am not the type of person to say that I was not immune to the fad that is Facebook, MySpace, or YouTube. Nor would I ever try to advise or warn someone on something that I did not experience for myself firsthand. I used to spend hours on Facebook giving updates about my life and throwing out my two cents which is fine if you feel the need to do that. But what became a survivalist’s no-no was in the videos or pictures that I had posted. I have been an avid shooter and love going to the range with my wife and friends. (My wife is quick to tell you that she is a better shot and figuratively descendant of one Mrs. Oakley.) Again nothing wrong with that. What was the problem was that I had the pictures of what we were doing plastered all over my sites. I had pictures with our pastors joining us taking shots at human silhouettes and sporting some pretty heavy firepower. For any of those people who are involved in a religious organization I would advise to not place any physical ties between your place of meeting, the people involved, and any type of weapons training or firearms. Think Waco, Texas, and think how it is going to be perceived by those trained to spot “religious extremism” even in the most mundane acts. In other words don’t advertise a day at the range during fellowship service. I only say this because I have seen it happen many times first hand. Without thinking we also had pictures of out of town friends shooting weapons not legal in all the states they may have resided in.  I placed myself and all those around me at risk. For all the preparedness that I thought I had undertaken, I broke one of the cardinal rules that could have made it all worthless. I compromised the operational security of myself, my family, and those in our group unknowingly. I let my pride say, I am a man, I have a rifle, and the world wants to see me use it. Don’t fall into that trap as I did.

Since then I have deleted my Facebook page, I don’t post on YouTube, and have become an Internet nobody. That works for me. I am not telling everyone to run out and delete their accounts or that you are putting unnecessary risk on yourself, I am saying to think before you act, post, speak, Twitter, blog, etc. All the planning and equipment will be useless if you lose the initiative and make yourself a target. I chose to write on this after much thought, consideration, and prayer. I read some of the older posts and realize there is probably not much that I can provide that has not already been discussed or written about in regards to materials and equipment. I try to make myself a student of common sense and point out things that some people often overlook. Alas, you ask, what is the point of all this? Why should I care about what I say or post on YouTube or the Internet? Or sometimes worse, what other people post about you on the Internet. The answer is, it just may be a culmination of your pride before the coming destruction. May you seek the face of the One that formed you. In Christ, - Matthew S.


Tuesday, March 9, 2010


You might have noticed a CPA service advertising on SurvivalBlog. Her name is Mara Helland. Since it is now tax season, I thought that it would be appropriate to give my personal recommendation, and let you know what services she offers.

Like many other CPAs, Mara mainly does tax accounting. But what sets her apart from other CPA firms is absolute privacy. I know that this is crucial for a lot of people, especially fellow SurvivalBlog readers. I don’t know what privacy issues are like in the big cities, but I do know that in small towns, people who make a decent living want to be assured their personal financial information isn’t going to end up as fodder for gossip at the local bar.

I've learned that when new clients come to Mara Helland from another CPA, it is almost always because they have experienced poor service. She says that she rarely hears complaints about prior CPA fees, but she definitely hears about lack of attentiveness from other accountants. Of course, all CPAs will say that they value their clients and that they provide "excellent service", but that is not what happens in reality. A lot of times, CPAs or firm-partners will bring in the new clients, but the actual services and care for the clients are pushed off on staff members, with much less experience and fewer skills. Mara is now in her 20th year of working in public accounting. When clients come to her, they get top-notch service directly from Mara. As I have experienced personally, when a client calls her office, she answers the phone herself. She prides herself on taking good care of her clients, and I think that shows with the number of very long-term client relationships that she has developed.

Mara works with a wide clientele, including individuals, all types of businesses, estates, trusts and non-profit organizations. She has clients throughout the United States, so being in Montana does not limit her to only having Montana clients. She also works with military families and US citizens that work overseas.

March 15, 2010 is the tax-filing deadline for businesses that are corporations. And, of course April 15th is the big deadline for personal income tax returns, as well as partnership/LLC tax returns. If you need more time to gather your personal or business tax information, she can prepare and file a tax extension for you.

Mara noted in an e-mail: "I, too, am a SurvivalBlog follower. I came to your site first as a reader and then later chose to advertise with you. I can certainly relate to my SurvivalBlog clients."

I'm one of Mara's satisfied tax accounting clients, so I can highly recommend her!


Wednesday, January 27, 2010


Howdy Mr. Rawles,

I had two comments to add to the conversation about thieves using Google Earth to steal koi.

First, when we typed our address into Google Earth, it popped to a house about a 1/4 mile from us (we checked that fact many times, not just once, so it was not a typo on our part). That was just ducky with the family, as it helped our farm stay invisible. After reading about the koi thefts, I decided to check on Google Earth again. I was so disappointed when it popped right to the farm this time!

The good thing is, since we live on a 40 acre farm, it puts the cursor right dead in the middle of the farm, in the biggest pasture. It's still hard to determine which house goes with the farm.

So if you too were rural and formerly invisible because Google Earth didn't know where your address actually was, you might want to check it again.

Second thing is when I was messing around with Google Earth I discovered how vital trees are. Specifically evergreen trees.

There are a series of pictures you can look at of the farm, dating back to 1998, taken by Google Earth.

My husband sells and delivers CONEX containers (also called cargo boxes and sea cans). My hubby installed our own 40 foot CONEX container right next to our house. We specifically picked a brown one to bring home for ourselves. My husband has legally held a CDL since he was 14 years old, and is an excellent driver, able to get the CONEX containers into difficult spots. Ours is next to the house, under the evergreen trees, and just a few feet from our propane tank.

The under the evergreen trees is the important part. In the latest pictures taken by Google Earth, you positively cannot see that an entire 40 foot CONEX container has been added to our property.

So look at Google Earth, and determine the best spots to plant evergreen trees to help camouflage your property and buildings. Sincerely, - Garnet


Monday, June 22, 2009


Jim:
This article concerns me: Cuban spies' shortwave radios go undetected: Low-tech transmissions no big deal for U.S. intelligence. The journalist mentions: "The International Amateur Radio Union said there are more than 700,000 amateur radio operators in the United States." I hope the governmental paranoia does not try to constrain the best method of rural emergency communications. - KAF

JWR Replies: Without mentioning anything classified, I can safely say that they are describing clandestine operatives in the U.S. receiving the old-fashioned HF "Numbers" broadcasts from Cuba. These are typically code groups of five numbers, read aloud by a woman, in a monotone, such as: "Ocho, Cinco, Cinco, Uno, Nueve..." These codes are very hard to break without a huge sample for brute force computer cryptanalysis.

This modus operandi has been used for 40+ years, and is well-known to both amateur operators and the signals intelligence (SIGINT) community. To the best of my knowledge, receivers are a non-issue vis-a-vis regulating amateur radio equipment. But clandestine transmitters may be another matter. Given our fluid borders and the ubiquitous "diplomatic pouch" it is absurd to think that regulation on the possession of HF radio transmitters would have any meaningful effect at stopping clandestine traffic. Licensed radio amateurs are largely self-policing. They fairly quickly identify and locate unlicensed broadcasts in their vicinity.

The Cuban DGI is an odd anachronism. While most intelligence agencies have leapfrogged their communications to exotic methods such as steganography to embed messages in photos sent as .gifs via the Internet and using low-power spread spectrum transmissions, the DGI's modus operandi is at least 30 years out of date. It is somewhat analogous to Cubans still driving around cars that were manufactured in the 1950s. The last I heard, the DGI still had offices that primarily used typewriters made in the former Yugoslavia. Picturing that, you can practically smell the Cuban tobacco smoke.


Monday, December 22, 2008


Two notes about Some Call Me Tim's excellent recommendation of JanusVM:
1) Use Decloak.net to verify that you've done everything right. It uses a whole host of very strong tests to attempt to locate your computer and will find out if you've slipped up somewhere. The place you've slipped up is almost always DNS but cookies and other things can give you away too.

2) Be aware that this encrypts the traffic you're sending and receiving; it doesn't make it go away. Someone listening in can tell when you're sending/receiving and how much, they just can't read it. Timing and bulk are circumstantial evidence, true, but they are there. So it is best to keep your subtle browsing small and not be noticed. - PH


JWR,
As a network administrator, I generally find pleasure in "testing" networks. JanusVM works great when getting past firewalls, but its large size (~22mb) could be an issue. I have found UltraSurf works extremely well. It is fast, 50 times smaller than JanusVM, and most importantly, defeats web filtering and tracking software. It was developed to be used in a certain communist country with a rather large firewall, but is now used worldwide. Its small size and no need for an install make it ideal for quickly dropping onto a system in a cafe/library/school or just simply running in the background on your personal system. I personally have used it in each of those situations.
One drawback is that some network virus scanners have been notified to look for it and declare it a trojan to prevent its use on networks. I've encountered this once in an Indian Internet cafe (of all places) and once on a university network. To combat this you can do two things. First, keep up with the latest version, as their signatures aren't tagged by the scanners. Two, rename the file to something like "stamp_collection.exe" to prevent simple name recognition.

All of this is great, but what if the user can't download it in the first place? Many times the web site will be blocked, but the download itself is available, especially the ".exe" download as it is not linked from the front page. You can also find it on popular download sites (like this one), which will not all be blocked. Emailing it to yourself using a web mail account is an option, but the user will have to rename it to something like "file.txt" as .exe file extensions are usually not allowed attached to emails; just change it back to an .exe extension to use. Once downloaded, the clever user can simply carry it around on a USB ["thumb"] drive or floppy disk to pull out when needed.
Keep up the good work, - Blaze

 

Jim,
In regards to SurvivalBlog, I am still able to access it via NMCI as of this morning. They have been pretty strict lately due to a Navy/DOD wide virus getting passed around via thumb drives (which have since been banned from use). On the matter of privacy, anyone should know better than to think they will have privacy while using anything that belongs to the government! Before you are granted access to a DOD information technology (IT) asset you sign an "end user agreement" which prohibits the use of third party proxies to bypass firewalls, as well as downloading anything like privacy software. I can say from my own negative experience that the computer types keep track of anything and everything, including attempts to circumvent firewalls by various means. I think the email update idea does have much merit in this regard, especially for the shipboard folks. Keep up the great work Jim! - O.E.

 

Mr. Rawles,
Thank you for your tireless work in educating the masses about the importance of preparedness. I discovered your writings and your Survival Blog a few months ago and have enjoyed the treasure trove of valuable information that both you and your audience contribute. Fortunately, it has reinforced most of the preparations I have made to date, but it is nonetheless a wonderful resource to be sure. "Patriots" was a great read, by the way, and I have given five copies away to friends, both preppers and non-preppers. The "nons" have since seen the light and are getting started on their way to complete independence and self-sufficiency. While I have been casually encouraging them to do that very thing for a while, it was your work that finally opened their eyes, hearts, and minds. Thank you.

The reason for my correspondence is to make you and your readers aware of one of the most important tools available for the computer user who wants to maintain complete privacy on both his own computer and public computers that he may use while traveling or evading.

Iron Key is a USB flash drive, but it is unlike any other flash drive on the market today. It uses an onboard browser and proprietary hardware and software encryption so information stored on the device or sent or received while online, including web traffic, cannot be intercepted by anyone else. I will let the folks at Iron Key do the rest of the selling. I am nothing more than a customer of theirs, but I believe wholeheartedly in their product and recommend them without equivocation. Godspeed, - Jason in Central Texas


Sunday, December 21, 2008


Dear Mr. Rawles
As a network administrator, I spend a fair amount of time making sure my end users cannot access certain web sites from company computers and data lines. I try to make sure we don't get too draconian in our filtering practices, but I do my best to make sure that no streaming audio or video, social networking sites, or other time killers make their way through the network.

Recently, a friend of mine told me about a tool called JanusVM, a combination of Internet anonymity tools (TOR, Privoxy, Squid, and VPN) that runs in a virtual machine. You basically run the VM in a VMware player, connect a VPN connection from your PC to the VM, and open your web browser. Like a lot of anonymity tools, it isn't very fast. It is, however, about as anonymous as you can get on the internet. I went to a web site that displayed my current IP address as well as my geographic location and found I was supposedly surfing from Paris, France. One page reload later and I was in Northern California, and then followed by Denmark, all without ever leaving my chair. According to the web site's very brief write up, the DNS requests are so scrambled that even your internet service provider can't tell where you're surfing. That made me wonder if I could use this tool to get around my web filtering firewall as well. I tested my machine to make sure I was blocked out by our firewall by trying to visit Facebook, which is a big no no site around here. Sure enough, it's blocked. Then I closed my web browser, established the VPN connection to the JanusVM, and re-launched my web browser. Bullseye! I had Facebook access. Not only was I anonymous, I'd also defeated my own web filtering software and firewall.

While this is a great tool, here are a few things to keep in mind.

1. I haven't tested it on any other system, so YMMV.

2. You need a network with at least one available IP address for the VM. It can be an internal IP, but it still needs one. This keeps it from working with Verizon broadband cards. If someone out there gets it to work with one, I'd LOVE to hear about it!

3. Anonymity is not the same as privacy, or even security. Don't count on this tool to protect your internet logins and passwords. Hackers have been known to sniff incoming and outgoing traffic on TOR nodes for unencrypted passwords. They may not know where they came from, but they can still read them. If they can figure out where they were headed, you're in trouble.

4. Your workplace or branch of the military may frown on anyone trying to circumvent their firewalls and web filters, so use this information at your own risk.

- Some Call Me Tim

 

James,
A couple of notes about your post on [SurvivalBlog being blocked by the US Navy and Marine Corps Internet system]:
* with varied duty hours and multiple shifts, there's no such thing as only blocking during "duty hours".
* Anonymizers are just about the first thing blocked by any organization that filters net access. :)
* If you have scripting capability on a web host, CGI Proxy and PHP Proxy are both good alternatives. Of course, they're going to be blocked, too...so you still would have to find an unblocked site that has it or an alternate ISP long enough to download the scripts. People also run services with these or other types of scripts, but they come and go, and as mentioned previously, will most often be blocked. You also never know who's running them.
* An alternate site works for a while, but it will eventually get blocked, too. It also dilutes your "brand".
* The XML RSS feed option is probably the best, as it doesn't rely on working around the restrictions so obviously. I use Google Reader myself, through which I can read web sites blocked by the corporate firewall. It cuts you off from reading comments, but that's not a problem with your site. Some may be concerned at Google having too much information and choose some other feed reader, but I'm not too concerned with it. [JWR Adds: To avoid trails of "cookie crumbs", I've read that the best choices are the Avant Browser for PCs and the NewsFire Reader for Macs.]

The feed option is good for current reading and keeping up, but for searching on a topic or looking at items in a non-linear fashion a proxy of some sort is a better, more flexible, yet more complicated option. Hope this helps. - Robert


Saturday, October 18, 2008


Compsec is a subset of OPSEC that is concerned with computer security. It can not be ignored if you plan to use computers now and after a SHTF situation.
The personal computer is a powerful tool to help cope with any disaster or survival situation. The capacity for enormous data storage in a very small footprint makes it a valuable resource when the grid and net go down. You will have all the information you need at your fingertips: first aid and medical info, maps and topography, equipment and firearms manuals, personal records and pictures, and the list goes on and on. Just be sure you have backups of your data on hard drives and DVDs and a spare system or two stowed away in an EMP-shielded cabinet. Laptops make sense as spares due to their transportability and lower power consumption. [JWR Adds: Like all of your other spare small electronics, any spare laptops should be stored in 40mm ammo cans, for EMP protection.] Make sure you have spare batteries and chargers, hard drives, etc. Consider having the rugged laptops that are shock, water and dust resistant. Here are some examples:

Dell Ruggedized Laptop
Panasonic Toughbook Laptop

See the recent article on how to power your PC with solar energy in Computer Power User magazine's November, 2008 issue. The article is titled: “Get Off The Grid”.
Solar Laptop chargers are available from:
Basegear
Ready Depot
[JWR Adds: Compact photovoltaic power systems are also available from Ready Made Resources, a loyal SurvivalBlog advertiser.]


Here are some sites with useful information that you might want to stow away before TSHTF:
USGS Topography Resources
KI4U Library
First Aid References
EquippedToSurvive (PDF)
NIH Medline
eBooks
There are many other treasure troves of information on the Internet. Look around and gather those free files now[, and make backups on CD-ROM].

You don't have to spend a fortune on software. If you leave Microsoft behind and enter the world of Open Source software, you will find a plethora of great software ranging from the LINUX operating system to office automation, databases, and hundreds of useful programs. Consider that most viruses and malware are written for Microsoft products, so open source is generally more secure for that reason alone. Check out these web sites for some alternative ways to go:
Ubuntu
Red Hat
SourceForge
Tucows
If you prefer to stick with the tried and true Microsoft, do indeed follow their security recommendations and make sure you get all the updates installed as soon as they come out. I recommend using the automatic updates for the operating system and software packages as well as virus and spyware scanners.

Scott McNealy, a co-founder of Sun Microsystems once said, “You have no privacy [in the Internet era]. Get over it.” That is definitely a true statement. There are gigantic databases all over the world with data on any minutiae that may have been recorded from many diverse sources which can then be correlated by high power computers to produce a pretty good picture of you as an individual should someone wish to. Some of the data is obtained legally from public records and news sources; some is obtained illicitly through hacking or purchasing outright what should be private information. The data may also come from spybots and Trojan horses right on your very own personal computer.

Anything that is stored on a computer that is connected to the internet is susceptible to data harvesting. Anything you posted to an on-line message board, or an email you sent, or a form you filled out, may well still exist somewhere on the internet even after it seemingly is gone. In the unthinkably large database of Google it may live a long, long time or on a back up tape in some obscure data center somewhere. It may even attain near immortality in the “Wayback Machine”, a database that archives web pages.

Even though using the internet can be hazardous, there are ways to make your surfing safer. By all means install anti-virus and anti-spyware software and update it frequently. Another essential is to have a firewall. Most operating systems now come with firewalls so make sure it is enabled. It can be made even more secure if you do the homework. It’s not a good idea to leave your computer running on-line 24/7 unless you have a specific reason to do so. It gives the hackers a lot of time to work on cracking your system and once cracked hackers can use your PC in their zombie army to launch more attacks and collect more data, all in the dead of night while you sleep. You won’t notice the hard drive and network activity.

Use strong passwords. It’s a pain, but weak passwords are easily cracked and once that is done, you have absolutely no security at all. Change passwords regularly because even a strong password can eventually be cracked by brute force cracking which simply tries random character patterns until it finds the one that works. If you use words that can be found in a dictionary or even words slightly modified, be aware that these are much faster to be cracked.
You can learn about strong passwords here:
Microsoft Password Checker
LINUX Password Checker
Free Ultra-Secure Password Generator from Gibson Research
Pay attention to security settings on your web browser. I use the Firefox browser because it has better security features [than others like Microsoft Internet Explorer], such as clearing of private data when exiting, the ability to manage individual cookies, and the ability to disable the “HTTP referrer” information that tells the next web site you visit where you just came from.

Whatever browser and operating system you use, make sure that it is as secure as it can be and still be functional for your needs. The basic philosophy of system hardening is to close all the open doors, install locks, and only open up those that you absolutely must in order to operate. There are many open doors and loosely guarded doors in an unsecured system which comes right from the manufacturer that way. You need to look into all the settings and options that are available with whatever hardware and software you have, and then start tightening up as much as possible.

Another problem with most PCs running a Microsoft OS is that they become laden with junk over time. As you install new software and hardware your registry grows to a huge size and you accumulate startup programs that start up when you logon and run even if you may not need them. They make the login slower and slower as they accumulate and some of them may even be spybots reporting back to home base of your activities. I’m willing to bet that most PC users are running software for programs they never even use anymore.

Here are a few sites to learn about how to clean your PC of these start-up parasites:
Info on start-up programs
This is a database of good, bad and optional programs that might be running on your PC.
Microsoft registry cleaner. There are other commercial products available, be careful to select the option to make backups before you clean up the registry. The cleaners occasionally clean too much and break a program that you need.
Here is a cleaner I have used successfully.

Visit these web sites to give yourself some good security check-outs:
Tons of good compsec information.
Free Tools and Utilities.
The Junkbusters site will tell you if your browser is giving out too much information.
Gibson Research. Click on the services tab and select Shields Up! to give your system a security check up. Check out all their other good security info.
This page will tell you about your Internet "persona" and check out other good information.

Surf anonymously. This will help keep those who do not have a need to know, out of your affairs. Just remember that ‘somebody’ will know what your Internet IP address is, and that ‘somebody’ is the anonymity provider or proxy server. It can be traced to your PC.
Here are two free anonymizers:
CEXX.org
ComputerBytesMan

One note of caution about encrypted files and web sites that your browser accesses: The browser will copy it to cache and it will be in clear text allowing anybody to read it or a Trojan to copy the page back to its home base server. The solution is to clear browser cache immediately after accessing encrypted pages.

Using a search engine link will provide the web site you visit with all the search terms you used to make the search. Instead, copy and paste the link into the browser navigation bar for a little extra anonymity. If you have a Google account and have logged in to check your Gmail then it is possible for Google to link your login to your searches thus reducing your anonymity even more. [JWR Adds: I recommend that SurvivalBlog readers go a step further and use the Scroogle Scraper intermediary portal to do any Google searches.]

I hope this information has been helpful for those preparing for the tough times that lie ahead. I do believe the personal computer can be a powerful survival tool if, or should I say when, the TSHTF. Visit Set2Survive.com for more information, links and resources.


Thursday, August 21, 2008


Sir:
I'll establish my bona fides by stating that I am a General class Amateur Radio licensee with extensive experience in the VHF and UHF radio bands. While I applaud your promotion of the MURS radio for general use, it is not the best choice for the gentleman residing in the concrete condos in Florida. Penetration of concrete and steel structures is significantly better (by approximately 30%) at UHF frequencies (as used by FRS/GMRS radios) than at the VHF frequencies as used by MURS. Though free air range favors VHF, UHF penetrates obstacles better, assuming the effective radiated power (ERP) is the same. There is a significant amount of literature on this topic in the amateur radio community, should anyone care to research it for themselves.

In the case in question, the gentleman would be better served by a GMRS radio, operating in the UHF band and radiating up to 5 watts, than with a MURS VHF unit limited to 2 watts of output. He would have the significant advantage of both the better obstacle penetration of the UHF band, and the dramatic increase in allowable output power. In a concrete and steel structure, the combination would easily outperform any MURS radio by a significant margin.

Since these are to be used as emergency communication devices in hurricane country, it is worth noting that most Community Emergency Response Teams (CERTs) are equipped with FRS radios for inter-unit communications. Since most GMRS radios include FRS channels as well, it would give the residents of the building an extra (and direct) way to contact help should the need arise.

In this case the GMRS/FRS combination is a far better choice for the conditions described. Regards, - Grant C.

 

Jim,
I recently bought TriSquare's eXRS radios. I highly recommend them. I chose the TSX300 model.

They use frequency hopping technology with 1 billion frequencies (up to 10 numbers long: you choose the frequency). The best part is that it is license-free (no $80 FCC GMRS license needed).

It may not be the best choice for everyone, but it is more secure than FRS. Regards, - David M.


Sunday, August 17, 2008


Perhaps Anatoliy Golitsyn was right. He was a high-level Soviet defector who predicted the collapse of the Soviet Union, claiming that perestroika and glasnost were charades that had been planned for decades by the Soviet-era KGB leadership to strategically deceive the West into thinking that we had "won" the Cold War. Some evidence: the recent Russian invasion of Georgia, Russia's nuclear threats against Poland, and Putin's hints of positioning ICBMs in Cuba. (As I've written before, history doesn't exactly repeat itself, but it often rhymes.) Was Golitsyn right? The West may have been the victim of the greatest dezinformatsiya (disinformation) campaign in world history. If they've pulled off an illusion this grand, Sun Tzu would be proud. (Some 25 centuries ago, he wrote: "I will force the enemy to take our strength for weakness, and our weakness for strength, and thus will turn his strength into weakness.")

I can foresee that the recent Russian campaign of brinkmanship will continue for months or perhaps years. This may very well escalate, degenerating into a renewed cold war of tit-for-tat escalation--including both diplomatic moves and military posturing. Likely maneuvers for the West might include further demands, economic embargoes, troop redeployments, offshore asset seizures, and diplomatic sanctions. One crucial sanction might be removing Russia from the G8 -- reverting it to the Group of Seven (G7) Nations. We might even soon see something similar to the 1962 Cuban Missile Crisis. And from there it is no great stretch of imagination to envision the cold war tipping over into a genuine hot war--nothing short of World War III.

I believe that western intelligence analysts spotted the Russian troop buildup on the Georgian border many months ago and predicted an invasion. It is noteworthy that the majority of the US "advisers" in Georgia were Special Forces (SF or "Green Beret") troops. Their premier specialty is training guerilla fighters. (Although they are better known publicly as counter-guerilla trainers.) There is a high likelihood that the SF were training Georgian "stay behind" guerillas, in anticipation of a total invasion and takeover of Georgia, by Russia. So things might even get worse in Georgia. Instead of just South Ossetia, the Russians may want the whole enchilada.

But stepping back from these tumultuous events for a moment, it is more likely that we are simply witnessing a spate of Russian saber-rattling. This may pass, and the international scene may regain normalcy. However, I don't rule out the possibility that the recent events could presage something far more serious.

What then, are the implications for well-prepared American families if this escalation were to continue into a new cold war? Based on the experience of the War on Terror (WoT), I predict that any of the following could occur:

  1. Even greater shortages of storage food and other key preparedness logistics.
  2. Increased border security and scrutiny of Americans leaving or reentering the United States. This may have a profound effect on anyone that has, or is considering establishing an off-shore retreat.
  3. A rapid escalation in the price of gold and a coincident collapse in confidence in the United States Dollar.
  4. A new draft or some other form of forced universal military conscription.
  5. Widespread shortages and rationing of food, fuel, and other key goods.
  6. Demonization of anyone making substantive logistical preparations for their families (under the mischaracterization of "hoarding"), regardless of when and how someone stocked up. (Don't let the mass media's twisted Orwellian logic fool you. By stocking up well in advance, you have actually helped to mitigate any future shortages.)
  7. New laws or executive orders covering a plethora of nouveau 'crimes' including: private possession of a huge list of chemical "precursors"; bans on exotic "paramilitary" ammunition (such as tracer, AP, and incendiary); bans on owning unlicensed amateur radio equipment, night vision equipment, and body armor; criminalization of private hard encryption; banning of large caliber rifles, and so forth.

I urge all SurvivalBlog readers to redouble their efforts to keep a low profile in their communities and their presence on the Internet. If the Cold War reemerges with the same intensity as the Cuban Missile Crisis, we may very well soon enter an age of deception and betrayal that could sweep up innocents as well as malefactors. It is both wise and prudent to avoid creating a 'paper trail', 'electronic footprints', or 'cookie crumbs' when acquiring storage food, ammunition, night vision gear, controversial books, and various logistics. Avoid using credit cards and avoid making purchases from major Internet vendors such as Amazon.com and Buy.com. These are the ones most likely to keep detailed records and also the most likely to be asked to turn them over to authorities.

You should concentrate on making your purchases from small "Mom & Pop Operations", and from private parties. Pay cash and pick up merchandise personally, as much as possible. If you are buying other than face to face, then pay via money order rather than by personal check or credit card. Don't leave your name or address. If it is legal in your state, buy guns only on the secondary market, directly from private parties. (Be sure to consult your state and local laws!).

I also encourage all SurvivalBlog readers to use Anonymizer Safe Surfing Suite, Scroogle.org (for web searches), TrueCrypt, PGP, and other Internet privacy software and services to lower your profile. All of this might sound slightly paranoid, but in my estimation a higher degree of privacy is, again, wise and prudent, even if times aren't likely to get any worse than they already are.

I'd appreciate input from readers about what they would consider an essential checklist of preparations for a new international crisis, or, may God forbid, for World War III.



Mr. Rawles,

I just picked up two rugged 4GB USB memory sticks at a rather good price of $15 each. ($19.99 less a mail-in rebate of $5.) Your readers might consider them for their emergency kits to store scanned in copies of their legal documents, insurance, investments and personal records and photos.

This isn't bullets and butter but might just prove more valuable than both when trying to get a replacement social security card or passport. The 10 year warranty is awfully nice so keep your receipt. Maybe you should scan that and save it on the memory stick too!

If your readers would also be interested in a free encryption software they should consider trying TrueCrypt for Windows, Mac and Linux. - Neal


Friday, March 14, 2008


James;
This might seem like an odd [question], but have you given any thought to the [possible] aftermath of a major WMD terrorist attack, in which martial law is clamped down on the USofA? In times like that, political freedom might just evaporate. For [those of] us that have been [politically] outspoken--(I'm one of those cranky old guys with hundreds of published Letters To The Editor, and with one of those big Ron Paul [campaign] signs in my front yard)--where could we go in the event of some sort of round up?

Now, in peril of sounding even more odd: Are there some countries with which there is no bilateral extradition treaty? I'd just like to know if there is someplace that I could go, from where I could still be politically active on the Internet, without fear of getting swooped upon, bound and gagged, boxed up, and shipped home C.O.D. to some [expletive deleted] Supermax prison? Thanks, - J. in the Desert

JWR Replies: While extremely unlikely, your scenario does pose an interesting mental exercise. Extradition--more properly called rendition--is not universal. If you look at the map on the Wikipedia page on US Extradition Treaties, you will see that every nation in the Americas can be ruled out, because of extant rendition treaties with the US. In Western Europe, only tiny little Andorra lacks a rendition treaty. But you will also notice some big gray gaps on the map in Oceania, Africa, and Asia. In all, there are more than 50 countries that don't have rendition treaties with the US. Just be sure to do your homework. Be advised that some nominally "sovereign" and independent countries, most notably in Oceania, are in part administered by foreign governments like France, Australia, and New Zealand, so as a practical matter you might be subject to a rendition treaty. Again, I consider such planning as nothing more than an idle "what if" exercise. Your chances of ever having to flee the country are highly remote.


Wednesday, February 20, 2008


Hi Jim,
I agree with you that you shouldn't "get so paranoid that you withdraw to hide under a rock" when using the Internet. Take precautions, certainly, but strike a balance.
To illustrate why total privacy is practically impossible while making use of the Internet, here's a discussion about recent work done with "de-anonymize" algorithms. In short, the researchers were able to identify 99% of anonymous users by comparing different datasets, one anonymous, and one not.

Further, there have been studies with publicly available census data that show a person can be reasonably identified by all sorts of seemingly innocuous data. For example:
"Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. 'In general,' the researchers wrote, 'few characteristics are needed to uniquely identify a person.'"

"Stanford University researchers reported similar results using 2000 census data. It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people."

Thanks for all of your work with SurvivalBlog.com. I read it every day. - JohnTheAnon
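An added example (not part of the letter above or of the studies it quotes): a short Python check that counts how many records in a dataset are singled out by a chosen combination of quasi-identifiers, and shows how coarsening geography and birth date raises the smallest group size (k-anonymity). The records, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people; 000xx ZIP codes are unassigned).
FIELDS = ("zip5", "city", "county", "gender", "dob")
ROWS = [
    ("00011", "Northtown", "Alpha", "F", "1961-03-14"),
    ("00011", "Northtown", "Alpha", "M", "1961-03-14"),
    ("00011", "Northtown", "Alpha", "F", "1975-07-02"),
    ("00012", "Southtown", "Alpha", "F", "1975-07-02"),
    ("00012", "Southtown", "Alpha", "M", "1980-11-23"),
    ("00012", "Southtown", "Alpha", "M", "1980-11-23"),
    ("00021", "Rivercity", "Beta", "F", "1961-03-14"),
    ("00022", "Rivercity", "Beta", "F", "1961-03-14"),
    ("00022", "Rivercity", "Beta", "M", "1990-01-30"),
    ("00023", "Rivercity", "Beta", "M", "1990-01-30"),
    ("00023", "Rivercity", "Beta", "F", "1948-09-09"),
    ("00021", "Rivercity", "Beta", "F", "1948-09-09"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def class_sizes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def unique_count(records, quasi_ids):
    """Number of records whose quasi-identifier combination appears exactly once."""
    return sum(1 for n in class_sizes(records, quasi_ids).values() if n == 1)


def k_anonymity(records, quasi_ids):
    """Size of the smallest group; k == 1 means at least one person stands alone."""
    return min(class_sizes(records, quasi_ids).values())


def records_below_k(records, quasi_ids, k):
    """Records that would have to be suppressed or coarsened to reach a target k."""
    sizes = class_sizes(records, quasi_ids)
    return [r for r in records if sizes[tuple(r[q] for q in quasi_ids)] < k]


def generalize(record):
    """Coarsen one record: keep only the county and the decade of birth."""
    decade = int(record["dob"][:4]) // 10 * 10
    return {"county": record["county"], "birth_decade": f"{decade}s"}


def report(records):
    """Uniqueness for the three geographic scopes named in the quoted study."""
    rows = []
    for scope in ("zip5", "city", "county"):
        qi = (scope, "gender", "dob")
        rows.append((qi, unique_count(records, qi), k_anonymity(records, qi)))
    coarse = [generalize(r) for r in records]
    qi = ("county", "birth_decade")
    rows.append((qi, unique_count(coarse, qi), k_anonymity(coarse, qi)))
    return rows


if __name__ == "__main__":
    total = len(RECORDS)
    for qi, uniq, k in report(RECORDS):
        print(f"{' + '.join(qi):32s} unique: {uniq:2d}/{total}  k = {k}")
```

Run before releasing or sharing a table, this kind of check shows which columns need to be dropped or coarsened; removing names alone leaves most of these sample records unique.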



The following is one of those items that widely gets circulated via e-mail, but this one is legitimate and I think that warrants posting to the blog:
"Be prepared should you get this call. Most of us take those summonses for jury duty seriously, but enough people skip out on their civic duty, that a new and ominous kind of fraud has surfaced.

The caller claims to be a jury coordinator. If you protest that you never received a summons for jury duty, the scammer asks you for your Social Security number and date of birth so he or she can verify the information and cancel the arrest warrant. Give out any of this information and bingo; your identity was just stolen.

The fraud has been reported so far in 11 states, including Oklahoma, Illinois, and Colorado. This swindle is particularly insidious because they use intimidation over the phone to try to bully people into giving information by pretending they are with the court system. The FBI and the federal court system have issued nationwide alerts on their web sites, warning consumers about the fraud."

Here is the FBI's web page about the scam

Here is confirmation on its authenticity at Snopes.

Any SurvivalBlog readers that do not yet have identity fraud protection should get it. This is just one aspect of well-rounded preparedness. The service that I recommend is Comprehensive Risk Solutions. (One of our advertisers.)


Wednesday, February 13, 2008


James,
I have to disagree with some of C.D.'s measures listed in his letter (i.e. using Scroogle and Zone Alarm) and refer your readership to the best article I've yet seen on the great difficulty in online anonymity: The Ugly Truth About Online Anonymity. Also note comment 12 on the linked article: even if all else could be secured, the moment you behave according to your established surfing profile, you'll be spotted. Kind Regards, - J. in Kyrgyzstan

JWR Replies: I have my own perspective about online activities: Do the best that you can to cover your cyber trail, but don't get so paranoid that you withdraw to hide under a rock. In the context of political action, the day that you go off-line for the sake of privacy or anonymity, then your political opponents have won. In the context of physical preparedness, if you go off-line for the sake of privacy or anonymity, then you have isolated yourself from any like-minded potential allies. It is impossible to build a survival network without taking some risks. And if you are averse to taking any risks, then you are relegating yourself to a "team" with just one member. A solitary individual is ineffective and vulnerable.

One individual that I greatly admire recently castigated me in an e-mail for having posted F.L. in Southern California's letter titled: "Keeping a Low Profile is Crucial for Preparedness". I think that his criticism went a bit too far. My position is that everyone should strike a balance between maintaining privacy and blatant visibility. There is an old Japanese proverb: "The nail that sticks up gets hammered down." I believe that there is value in employing what David in Israel refers to as The Gray Man approach. (Blending in with your neighbors, to be unremarkable and unmemorable.) But the other end of the spectrum is being so vocal, and so visible that you end up being the #1 on the most wanted list. Each individual should consciously set their own parameters, based on their personal circumstances, prayer life, and their comfort zone.

Regardless of where you place yourself on the continuum of visibility, never, ever, give up your guns. That is an inviolable and absolute line in the sand. Without an effective means of self defense and the common defense, a man is just another sheep for the slaughter.


Friday, February 8, 2008


Jim,
My missus and I have been into "prepping" for about 15 years. Our house has a basement and it is practically wall-to-wall and floor-to-ceiling with shelves--with just narrow aisles in between. The shelves are chockablock with storage food (all labeled and organized "FIFO"-style), medical supplies, assorted "field" type gear, tools, barter/charity stuff, ammo cans, propane cylinders (that fit our camp stove and camping lantern), reels of field phone wire, paper products, and so forth. Following the example of Mr. Whiskey (from your "Profiles") we have recently built up 27 sets of designated "charity duffles", each packed in a cheap Made-in-Taiwan nylon duffle bag. Each of these contains a Dutch Army surplus wool blanket, a Chinese knockoff of a Leatherman tool, a pair of gloves, a pile ("watch") cap, a half dozen pairs of socks, a thrift store man's jacket, room for four days worth of food (which we would pack from our FIFO inventory, as needed), a collapsing plastic water container (the type that Campmor sells), a waterproof match container, a tube tent, and a hand line fishing kit. ("Teach a man to fish...")

When we moved back to California in 1998, we picked our house specially because it was built in the 1940s. It is the oldest and sturdiest house on the block. (The neighborhood built up around the house, when the property was subdivided in the 1960s.) It has a basement and its own water well, which is now "off the books"--since the house is now on "city" [metered] water, but the well is still functional with a 24 VDC submersible well pump. I have four flush roof-mounted Kyocera PV panels (cannot be seen from the street) and six deep cycle batteries. The cables are run series-parallel to provide both 12 VDC and 24 VDC outputs.

Even though we live in a standard suburban neighborhood, none of our neighbors are any the wiser about our preps. At the core, I consider my preparations my own business. When the time comes to hand out the charity duffles, we will do so through an intermediary, like our church. (We are Methodists.)

After seeing what happened to that guy in Norco last year, I am glad that I keep a low profile. The specific measures that we have taken to keep a low profile are:

1.) We take no UPS deliveries at our house. Nearly all of our mail-ordered goods are sent to our private mail box at the local UPS Store (it was formerly a "MailBoxes, Etc."). From there, we take the boxes home in our minivan. We are always sure to unload the van from inside my garage, with the garage door shut. All of the empty boxes have the "to" and "from" address labels cut out with a box cutter knife. I discard the flattened boxes in the cardboard recycling dumpster behind the office where I work. (I'm a sales engineer for a medium-size company.)

2.) We don't subscribe to any shooting or hunting magazines. We get all of the gun information we need online. To "stay in the fight" politically, I do make regular anonymous contributions to the GOA, JPFO and CRPA [The California Rifle and Pistol Association, a firearms rights organization], via Post Office Money Orders. (BTW, I do the same for the SurvivalBlog [10 Cent] Challenge. Shame on any of you that read this blog regularly but don't pony up the 10 pennies a day!)

3.) We access all web pages via Anonymizer, with no exceptions.

4.) Most of our preps purchases are either made F2F, with cash, or with Post Office Money Orders if ordering by mail. This eliminates the "trail of paper" from writing checks or using a credit card. We buy a lot from Nitro-Pak, Ready Made Resources, Major Surplus, and Lehman's.

5.) All of our guns, ammunition, gun gadgets, targets, and cleaning supplies are bought "private party", mainly at SoCal [(Southern California)] gun shows. Also, needless to mention, these are greenback transactions only! In California, we can still at least buy rifles and shotguns that are more than 50 years old without having to buy through a [licensed] dealer. We have two [M1] Garand rifles, and a FN.49, also [chambered] in .30-06. I'm still looking for one or two more of those, but they are scarce, and even harder to find private party. We also have three [Winchester] Model 12 pump[-action] 12 gauge shotguns, two of which have had their barrels shortened to 18.5 inches. Handgun buys in California all require paperwork, but by Divine Providence I bought several Glocks and [Colt Model] 1911s when I was living in Arizona for a couple years, back in the late '90s. [JWR Adds: That loophole was recently closed for Californians. Anyone moving into the state must now register their handguns. Drat! But at least there was a grandfather clause.] There isn't much to do out in the desert except shoot, so I bought a lot of guns when we were there.

6.) We signed up for an identity theft and credit report checking protection plan three years ago. I noticed that SurvivalBlog just started running an ad from Comprehensive Risk Solutions. Their service has more bells and whistles and a lower subscription cost than our current provider, so we will switch [to them] when our current subscription lapses. [JWR Adds: I highly recommend this service. It is cheap insurance to prevent what would otherwise be a very costly incident.]

7.) We use a TracFone whenever calling a mail order vendor. (No calling history paper trail.)

8.) We don't mention our preps to anyone outside of our family. We have coached our kids from an early age to keep their lips zipped.

9.) Whenever we have anybody visit our home, the basement door stays closed and locked. (It is a keyed deadbolt lock.) The basement has no windows. Most of our friends and relatives don't realize that we even have a basement. (Basements are actually rare in California tract neighborhoods.) To anybody that visits, the basement door just looks like a locked closet.

10.) We don't leave anything "suspicious" out where it can be seen in our house and garage.

These precautions might seem kinda "over the top", but put yourself in my shoes. In the People's Republic of California it pays to be a bit of a Secret Squirrel. It does cost me about $300 per year to get my mail and packages at the UPS Store, but I consider that a small price to pay for my privacy. I plan to retire to the mountains of central Nevada in nine years, but for now, I am making do in my present circumstances. - F.L. in Southern California


Saturday, December 8, 2007


A significant part of being prepared and being able to weather a crisis is having information. Remember, those in charge now will make it their first priority after TSHTF to return to the status quo. Banks and mortgage companies will do everything possible to continue banking and lending. Landlords will do whatever it takes to make sure they continue to collect rent from their tenants, and any police or military personnel you come into contact with will be very unhappy if you cannot prove who you are or otherwise deflect suspicion.
You can call having critical information available during and after a crisis "life continuity." There are three aspects to it: collection, protection, and dispersion.

The first step is collection. Just as with other aspects of your survival plan, you'll want to make a list of the information you want to collect and have available during and after a crisis. Such a list should include:
- medical information and records for all family members
- names, addresses, and contact numbers of relatives, doctors and insurance companies
- copies of wills, living trusts, powers of attorney, and other legal documents
- copies of insurance policies
- copies of birth certificates, wedding licenses, children's school records, and college transcripts
- copies of property ownership documents, such as mortgage agreements and property deeds
- copies of driver licenses and passports
- e-books or scanned pages from knowledge materials you've collected
- as many family photos as you feel you need, but at a minimum make sure there is a clear "head shot" of everyone in your family that can be used by authorities if needed to conduct a search
- video taped walk-throughs of your house and property showing major purchases and valuables and the condition of any buildings
While some of the items above might seem like overkill, it is important to remember that you can never have enough supporting documentation if you ever need to prove your case or prove your identity. Imagine bugging out of your home and going to your retreat for three months, only to return to your home after the all clear to find it occupied by squatters. Will you be able to prove the house is yours? If your insurance company denies your claim, will you have the materials ready to counter their argument in your appeal?
Once you've collected the documents and photos, the next step is protection. At a minimum, you'll want to have a fireproof box or safe to hold your documents. Even better, get a box or safe that is waterproof as well. For example, Sentry makes a small waterproof and fireproof lockbox for well under $100. You might even be able to pick one up for much less at a garage sale or flea market. Put your safe in an obscure location in your home, and use any supplied mounting hardware to mount the safe to the floor or wall to prevent thieves from simply lifting it up and walking away with it. Avoid any safe or lockbox that requires power to operate, such as batteries or a wall plug. This includes the fancy safes with biometric access mechanisms. You don't need Fort Knox; you just need to be reasonably protected. If you can't afford a lockbox or safe, at least put your document stash into a large Ziploc bag and put it somewhere safe. You could put it into a locking file cabinet or even put it into a five-gallon pail and bury it.

Dispersion is another key element to protecting your information stash. Make copies of everything and mail a set to your lawyer and a couple sets to trusted family members. Mailing a set to family outside of your region is an especially good idea. For example, if you live in the Midwest, you would want to send a copy to someone on the east coast or perhaps out west. Use a service with a tracking number that requires a signature so that you can be sure the documents arrive at their location. Even better is to scan everything into an electronic format. PDF is best, as it can be read on just about any computer. Take the electronic copies and write them to a CD or DVD, also known as "burning to disk" since the CD/DVD drive's laser actually burns information into the disk. CD and DVD writers are very cheap nowadays, on the order of $20-$30 for a brand new unit and a few dollars for the disk media. Keep a couple copies along with your paper (hard) copies, and send out a DVD to your family members instead of a large pack of documents.

Some people also keep electronic copies of their important documents on USB keys. USB keys are also known as "thumb drives" because of their size. Any computer with a USB port can access a USB key as if it was a hard drive. Keep in mind, though, that a USB key is electronic and will be susceptible to anything that would damage electronics such as a magnetic field. While it might not seem like a good idea to keep important info on something that could end up damaged, the point is to analyze the trade-off between convenience and accessibility without hurting reliability. If you have hard copies of everything, then using something as convenient as a USB key might be an advantage. For example, you could hook the USB key to your belt and walk into a disaster relief shelter to use the computer there instead of walking around with a big pack of important papers.

If you choose to make electronic copies of your information, you will want to encrypt everything and make sure to use innocent-sounding labels. Imagine sending a DVD labeled "Our Family's Important Information" to someone on the other side of the country. If that DVD were to fall into the wrong hands, those people would have everything they needed to steal your identity. Instead, label the CD or DVD something like "Our Family Vacation 2006" where "2006" is the year that the DVD was made. That way you will know which is the most recent.

Encrypting your information sounds difficult, but it is actually pretty easy. The only downside is that you will need a computer to decrypt the information once it is encrypted. There are numerous free and open encryption programs available at no charge. My favorite is called TrueCrypt. How it works is beyond the scope of this article, but it is safe to say that if you encrypt your information with TrueCrypt, it would take all the computers in the world several hundreds of years to crack it. TrueCrypt runs on Windows computers only, but similar applications are available for Mac OS X and Linux.
If you are technically savvy and really want to take your USB key to the next level, you can install a complete operating system onto the USB key itself. An example would be PenDrive Linux or Damn Small Linux. Damn Small Linux is only 50 MB in size! With the OS right on your USB key, you could keep all your information encrypted and never have to worry about what type of computer you would need to decrypt and view your information.

Many people focus on the tangible aspects of being prepared. Beans, bandages and bullets are important, but so are intangibles like information. With a small amount of effort and little to no expenses, you can make sure all the information your family might need to survive, regroup, and move on is protected and in an easily-accessible and safe location.


Thursday, October 4, 2007


James:

JN is absolutely right about TrueCrypt, it's an excellent tool. Be aware, however, that you can be compelled to disclose your encryption keys in the UK legally, and you can always be compelled to do so via extra-legal means. If you have any data that you truly wish to keep secret, a good start is to use a second TrueCrypt volume containing important data inside the primary volume which contains data that is less crucial. Regards, - PH


Tuesday, April 24, 2007


Hi
It may be of interest to readers who use the Firefox browser that there is an extension called "Track Me Not". [Here is a description I found on the web:] "TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one's tracks), but instead, paradoxically, by the opposite strategy: noise and obfuscation. With TrackMeNot, actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with the Firefox Browser and popular search engines (AOL, Yahoo!, Google, and MSN) and requires no 3rd-party servers or services." It's better than a not-so-reliable proxy. - Martin


Sunday, April 22, 2007


Dear Jim:
You don't have to be a "Secret Squirrel" to be concerned about Google tracking your online searching.
Here is a quick and easy way to use Google but not get tracked: http://www.scroogle.org/cgi-bin/scraper.htm
The following is a quote from their site: "Not only does Google scrape much of the web, but they keep records of who searches for what. If information about your searching is accessible by cookie ID or by your IP address, it is subject to subpoena. This is a violation of your privacy. Someday Google's data retention practices will be regulated, because Google is too arrogant to do the right thing voluntarily. In the meantime, you should not be leaving your fingerprints in Google's databases."
"There are other proxies that can protect your privacy on the web. Almost all are general-purpose proxies that cloak all of your web activity behind an IP address that is not easily traced to your service provider. One is Anonymizer.com. A possible problem with this one is that the founder, Lance Cottrell, has connections with the FBI and the Voice of America. It also costs money for a reasonable level of service. Another is Tor ["The Onion Router"], which is much more secure. But it is also slow, because Tor is a complicated system that needs networks of volunteers to run server software. Juvenile surfers from video pirates to rogue Wikipedia editors tend to clog free services such as Tor, which slows them down even more." Regards, OSOM - "Out of Sight, Out of Mind"


Saturday, January 20, 2007



Jim,
Here is some info on what is presently a freeware application which I can quite honestly classify as in the "Save Your Bacon" category. (It sure saved my rump, on at least one very significant occasion.) It does its job, it is small, and it is freeware. My conscience would bother me no end if I kept this gem to myself; perhaps you and/or the blog might benefit from this goody. - Ben L.


Monday, October 2, 2006


Dear Jim,
Tor ("The Onion Router") has been up and running for some time. It's a free and highly secure system for anonymous browsing. It requires installation of free, open source software on the host machine.
Also of potential interest is the current release of Freenet, which supports a "scalable darknet:"
A freeware, open source distribution of PGP (named, appropriately, GPG).
A GPG for Windows front end.
TrueCrypt (a freeware/open source hard drive encryption/steganography program)
The Electronic Privacy Information Center (EPIC) tools page
Hushmail: secure, free web mail
Secure, free hard drive/file erasure
Disclaimer and warning: Strong cryptography isn't legal everywhere. The United States, for example, still regards some types of cryptographic algorithms as munitions, and export is forbidden. Know your country's laws before you proceed. Cryptography isn't a panacea for our loss of privacy in the digital age. It is, however, a very powerful tool to put an envelope back on your mail, a lock on your computer's "filing cabinet," to destroy sensitive files or to send a letter without a return address - all things our parents took for granted. Learn its limits and use it wisely for your own sake and everyone else's. Do not attempt to send threats, traffic in drugs or child pornography, plan acts of terrorism or engage in other crimes using crypto. Sooner or later, you'll draw attention to yourself and the full weight of the law will come down, hard. You will be caught, you will be prosecuted, you will be imprisoned. Period. Regards, - Moriarty


Wednesday, September 6, 2006


Of all of the aspects of preparing a survival retreat, perhaps the most overlooked in survivalist literature are privacy and operational security (OPSEC). Your preparations must be kept secret from all but your most trusted friends. All of your expensive logistics could disappear in a few hours soon after TEOTWAWKI. Your "hidey hole" could be stripped clean by looters or overzealous government agents wielding "emergency powers." You must absolutely resist the urge to mention your preparations to anyone who does not have a need to know about them. I am not suggesting that you lie to anyone. That would be a sin. But learn to keep your mouth shut, and learn how to redirect conversations. Doing so is simply wise and prudent.

What is legal today may be deemed illegal tomorrow under martial law or at the whim of some bureaucrat that is handed "emergency powers." Witness the mass confiscations of privately owned firearms following Hurricane Katrina in 2005. With the help of the liberal media the concepts of saving and storing may be demonized and redefined as "hoarding" immediately after disaster strikes.

Let's also get our terminology straight: If you have been saving during times of plenty you are not a hoarder. A hoarder is someone that removes a disproportionately large chunk of logistics after shortages have occurred. By saving and storing now, well in advance of a crisis, you represent one less person that will rush to the grocery store after disaster strikes. So you won't be part of the problem. Rather, you'll be part of the solution, especially if you dispense your excess supplies as charity.

For a good example of common sense privacy in action, take the time to read the Profile of Mr. and Mrs. Bravo.

If you have been vocal about the erosion of our Constitutional liberties, then you may be on some list. Ditto for letters to the editor, letters to your congresscritters, or just a subscription to a gun or hunting magazine. There has been a lot of talk in the patriot community about the alleged Red and Blue round-up lists. These may or may not exist. (I tend to think that they are mythical.) Should they actually exist, you may or may not be on them. But as Mark Koernke put it so succinctly: "There is only one list. We're all on the list. Some of us are just higher up the list than others!"

If you have reason to believe that your anonymity has already been compromised, then consider that a.) You can't get anonymity back unless you change your name and completely drop out of sight (impractical for most), and b.) You will have to take some countermeasures.

Perhaps the best countermeasure is to make a clean start the next time that you move. (Presumably to your retreat location.) Do not send forwarding cards for any magazine subscriptions that are even marginally controversial. Consider buying your next home in the name of a land trust or in someone else's name. (Perhaps a sister or some aunt or uncle with a different surname and with a low profile.) See Boston T. Party's book Bulletproof Privacy for further details on making a clean break.

Make all cash (no paper trail) acquisitions of guns, bulk ammo, and bulk logistics. Never use a credit card for such purposes. Unless you already have a very high profile, resist the urge to buy your ammo, reference books and assorted gear via mail order. The only exception would be if you use an assumed name and a drop box.

It is essential to impress upon your family the importance of keeping quiet about your preparations. In one of his books, Dr. Bruce Clayton tells the tragicomic story of when he moved to a small town in the foothills of the Sierra Nevada mountains, where he planned to construct a fallout shelter in his basement. His recently retired mother moved there with him. While Clayton was occupied ferrying supplies to his new haven, his mother was busy chatting with all of their new neighbors about Clayton's survival plans and logistics--in detail!

If you have a high political profile, it might be wise to purchase your retreat and/or rent storage space in someone else's name. For example, a sister or brother-in-law with a different surname could be the owner of record. Another option is establishing a land trust, and having the trust make the purchase. Your attorney could be the trustee of a trust that owns the land. Yet another option is to set up a Nevada or Delaware corporation and have the corporation make the land purchase.

In essence, keeping a low profile involves common sense and knowing when to keep your mouth shut.


Tuesday, July 4, 2006


Jim,
I thought I would give you an update on my raid. First, I’m not in jail, nor have I been charged with any crime. Everything that can be written has been written at this time. [JWR Adds: For example, see the discussions at the AR15.com Forums, at LibertyPost.org, 1911Forum.com, et cetera.]

In retrospect, there are some things I should have done, but that I didn’t. (I pooh-poohed some of your preparedness ideas, shame on me. Learn from my mistakes.)

1) Did not stash my extra arms and ammo, and now I don’t have them.
2) Should not have been as cooperative as I was, and it was little.
3) Did not have code words ready with wife when I called her.
4) Did not have my files in order, PGP or other software.
5) Thought it would never happen to me.
6) Did not have a bug out bag. My wife thought I was crazy, but now she wants them.
7) Did not heed the five warning signs that I got. All [my friends] thought that I was paranoid. Had I taken action on those warnings, they [the BATFE] would have got nothing.

- Richard Celata, Owner of KT Ordnance


JWR Replies: Despite a half dozen letters from readers, I refrained from posting or commenting about this case until now. I waited until I had the time to do some background research and until I got an e-mail directly from the owner of the company. KT Ordnance was formerly an advertiser on SurvivalBlog, and a member of his family is still a SurvivalBlog advertiser. I have not read anything thus far that would indicate that Richard Celata violated any law, or any BATFE ruling, or any "ATF Letter" guidance. Nor do I have any evidence that Richard is a lunatic, a radical, a racist, or an anti-Semite. (Far be it, he is in fact a member of Jews for the Preservation of Firearms Ownership.) Nor have I heard that he has any criminal record. In short, the general consensus is that he was a law-abiding guy that played by the rules, but was nonetheless the recipient of the wrath of the ATF.

For the BATFE to set the "80% Complete" standard for receivers to remain outside of Federal jurisdiction and then to later seize the inventory of a businessman that abided by the letter of their own reiterated standard in my estimation smacks of arbitrary and capricious enforcement, with possibly political motivation. I try to keep the content of SurvivalBlog apolitical and nonpartisan, in part because we have an international readership. (Our readers in France have no more interest in political affairs in the U.S. than our U.S. readers have in politics in France.) However, in this instance where Mr. Celata's letter specifically addresses the preparedness aspects of his situation, I think that it is appropriate for posting. OBTW, I don't plan to post any follow-ups to this letter, since the facts and conjecture regarding the case itself are already well trodden ground. Mr. Celata will get his day in court. If justice is still available to him there, then I trust that he will prevail.

BTW I don't intend this post to foster any paranoia. However, I do think that it is prudent for anyone that stocks up logistically to leave a minimal paper/electronic trail. If you are not yet accessing the Internet with Anonymizer or StealthSurfer, you should be!


Sunday, April 23, 2006


I'm an engineer working on E911 systems and I'd like to correct this whole post. I've included some references so all your readers can peer review.
#1 The chip does not function unless you either...
Incorrect. The requirements typically state for Public Safety and in support of local laws, the mobile station (cell phone) has to handle all network requests for location.
#2 It's not real GPS.
There are two separate systems that can be hybridized together.
First is the network based system described above that works great in urban areas with lots of compatible cell towers. It is fast, but it can not get down to 3 ft., maybe 100 m.
The second system is Mobile Station based (Cell phone) and it typically uses GPS just like a Garmin. It works great in rural areas. It is not so great in large cities as all the concrete, steel and coated glass both block and reflect the GPS signals. A differential GPS system in time can achieve accuracies in cm. However just like your Garmin, it can take a long while to search for satellites and download the data from them.
The hybridized systems, where the network and the mobile work together, can achieve the best of both accuracy/speed and urban/rural performance. The network can tell the GPS on the mobile station approximate time, approximate position (within xx km of the cellular tower), where the satellites are in the sky and lots of other information that it would take your Garmin 20 minutes to get from the satellites. Reference. See Section 10.10, GPS Assistance Data, for more information. This document applies to GSM and 3G/UMTS phones, but it is not atypical.
Also the new hybridized systems can combine the cell tower ranging with the GPS satellite ranging to get a system that works where neither system alone will.
#3 While it is possible...
Ah, no. The solution is periodic measurements. In other words, generating a location every 5 minutes would not affect battery life much. It is used to track commercial delivery personnel all the time.
#4 Yes there really is....
Again no. This is internet Fear, Uncertainty, and Doubt (FUD). The FCC requirement is that x% of mobile stations can be located to certain accuracy. GPS is not a requirement.
Reference.
#5 There is also the secondary issue.
The analog is not illegal, yet. It is just not cost effective for the bandwidth reasons. Second for some networks that depend on GPS in the mobile station (typically CDMA), the old phones stand in the way of meeting the FCC requirement.
#6 Analog shutoff.
I do not have any information on this.
#7 Cell phones use lots of electrical power...
Motorola Razor talk time 200-430 minutes. Standby 180-290 hours. Reference [JWR Adds: I believe that the writer was referring to cell phone cell tower facilities rather than hand-held cell phones themselves.]

As to charging more during blackouts, any company that did this would invite a class action lawsuit for breach of contract and endangering the public.

OBTW, one other bit of FUD that I'd like to comment on:
Yes, off does not mean off in regards to modern electronic devices including cellular phones. While "off" they may need to support an alarm clock, calendar alerts, monitor battery charging, alert for low battery and do a lot of other things. However, removing all the power sources kills anything! If your phone continues to run without a charger or batteries, I think you could name your price to sell it to any of the big cell phone companies. - Raven

 

 

Jim,
I have personally been present, when a 'Federal investigator' ordered a cell phone security manager (what the heck that is I don't know) to 'turn on' a particular Electronic Serial Number (ESN).

It was my understanding that the phone had to be 'on' in the first place. It was explained to me that there was a dual mode capability. One was the retransmission of GPS positioning data and the second triangulation.

We found the 'bad guy' we were looking for for a covert surveillance regarding a narcotics investigation.

He wasn't in a call - it was a pretty weird moment for me to see this happen, and it was about four years ago. I can only imagine the capabilities built into the system mandated by post-9/11 are more enhanced than then.

I trust the data given to me by the writer about GPS positioning as he understood it. I saw different. The federal investigator was pretty closed mouth about it, and the black box he used that (I suppose) received the data was no larger than a lunchbox. Steered us right in.

I've long ago given up on trying to maintain much privacy in my electronic life. I really don't have much to hide, but if I did - electronics wouldn't have any place in my home. - Jimsee


Saturday, April 22, 2006


Dear Jim,

Someone wrote about E911 phones and GPS tracking. I worked in that industry, with that specific issue and I can provide some facts.

#1 The chip does not function unless you either Dial 911 or turn it to Location On, which shows a circle with a plus sign through it and two end parentheses to its right. It is common to see the circle-plus sign without the parentheses. Check your manual to verify this. It will list this under "icons" or E911. Phones come with them preset to "911 only", not "on". Phones from Nextel/Sprint or using location based services must have the GPS turned on to work.

#2 It's not real GPS. It does not talk to satellites. It's just triangulating on the company towers. This gives an accuracy of +/- 3 feet but its main purpose is to get you to the nearest 911 call center in the event you dial 911. That's about it.

#3 While it is possible the phone operating systems could be fibbing and the Location service could be on when it says it's off, that is unlikely since it would affect battery life, require violation of customer privacy rights, risks lawsuits when exposed, and requires a conspiracy to accomplish, the black helicopter kind. I'm not a fan of conspiracies since humans are very good at bungling basic stuff and very bad at keeping secrets. It is far more likely that it really is off, just like it says.

#4 Yes, there really IS a law enacted by FCC back on Sept 12, 2001 that required these chips to be mandated into phones by July 1, 2005 and all non GPS phones taken out of service by the end of 2006. Some of my former customers had received letters from their carriers and verified by the FCC to this effect.

#5 There's also the secondary issue that older phones typically have stronger and now illegal analog signal amplifiers which when running analog can block more than 720 digital calls. This has been a real waste of bandwidth and the FCC has been after the cell companies to get them off the market and into the garbage bins. The companies have handled it by offering incentives to change out the phone for a newer model with E911 and usually all digital. All digital phones don't hog bandwidth, don't block others' calls, but don't really work in the boonies either. For the boonies, you need a Tri-Mode phone. This means digital and analog backup. You also need an extendable antenna. A stub antenna is nearly worthless in analog areas because the signal won't propagate well. Many phones have plugs for antenna extension kits, the kind you can mount on a car roof and a small cable and jack to plug into the phone. Those work well, BTW.

#6 The boonies are mostly analog until Jan 1 2008, when all analog cell service is turned OFF, permanently, another FCC mandate. This means that either these sites get upgraded to digital or they lose their licenses, probably auctioned off and end up with big carriers. The carriers will do a cost study and decide for themselves whether said boonies are worth converting to digital or if they'll just let them die with no signal. Some sites may not get bought and those regions may lose cell service entirely. Cell companies are very greedy, keep in mind. If they can't make a huge profit, they won't do it at all. A small profit or slow profit is not within their timescale. It is likely that many rural areas with low populations will lose cell service entirely.

#7 Cell phones use lots of electrical power. This means that in blackouts, while they do have generators, those must be topped off. In a survival situation or one of slowly deteriorating conditions they will work, at first. The more phones in digital, the fewer issues with blocked service. After spending lots of money and time topping off tanks it is highly likely, if the conditions persist, that cell companies will start charging more money for calls made during blackouts than ones when the power is on. Expect to have to pay a hefty premium and overage rates for calls made during blackouts. The companies have not released any plans for this, but they already produced emergency blackout kits for their retail stores last summer, as if they fully expect to operate when the power is out, which is particularly weird since you can't activate or change service without computer access to the network switches. Hope this info helps. Best, - Marshall


Friday, April 14, 2006


Jim,
I think this would come under the heading of privacy....or our losing more and more of it on a daily basis. I got a call from my cell phone company today (US Cellular) they told me that I was going to be required to bring in my old phone...the same one I have had for five years... and trade it for one that was capable of being tracked by 911 (these are the [E-911] ones with GPS chips in them.) I told them that I did not want to. They told me I had no choice. They said that continuing to use the phone would result in FCC fines. (Has anyone else heard about this?) It seems that the only choice they are letting me have is picking out my new phone. So I'm going to have to do this, and according to them everyone who has an old phone is also going to be required to trade. So, I guess I will also be building a Faraday cage to keep my phone in when not in use. Actually, I'm just going to keep it in an ammo can. Hey, it's my business where I go and what I do, not the government's. - The Army Aviator


Tuesday, January 24, 2006


Jim:
I've done a lot of experimenting on this and offer my take:

Rule Number One: The U.S. Government is monitoring domestic internet traffic. Anybody visiting Survivalblog is already suspect by the government because of its very subject matter. Assume that you are being monitored. Let's not be naive here please.

Anonymizer is obviously monitored by the Government because it maintains logs of in/out IP Addresses.

Tor...the Onion Router is the best way to go if you have DSL or Cable high-speed internet connection because there is no central logging. I use it.

CCleaner [Cache Cleaner] at http://www.ccleaner.com/ is the very best way to keep your computer free of what snoops want. It is FREE, tiny, fast, easy, and I click on it after every internet surf. It instantly removes all tracking cookies. It also instantly removes all those useless internet temp files that clog/slow your computer. Download it FREE right now. -Book

 

James:

You mentioned that your readers might be interested in a brief write up of privacy on the Internet and how to keep yourself off of the radar. I'll try to oblige.
First some background: My company and I do Information Security for small businesses, so we and I have experience in keeping private things private in the real world. What I'm doing is basically putting into text the Security Speech that I give any client who I consult for (and will sit still long enough to hear it). I'll stay away from technical terms and specific products/'solutions' until the very end where I'll describe a few different levels of 'security' in real-world examples. Specific privacy stuff is further towards the end.
Rule Number One: There Is No Such Thing As A Secure Computer (or Anything Else)
Perfect security is impossible. Computer security researchers are fond of saying that the only secure computer is one that's unplugged from the network, turned off, sealed in a vault and protected by well-paid guards, and they're only partially joking. (Yes this is what passes for humor in the computer security profession.) No matter what steps you take to keep your stuff secure, someone, somewhere can break into it and steal it; given sufficient time and money all computers are vulnerable. The only thing you can do to an attacker is slow him or her down. All of modern security is devoted to slowing attackers down. This has two effects: it makes you less appealing to casual attackers and it frustrates determined attackers.
In WWII the Germans used an encryption device called "Enigma" to send secret messages to their troops. They thought it was unbreakable. The Allies broke it. The moral of the story is that what we think is 'secure' today will be as tough as tissue paper in fifty years.
Rule Number Two: Security Is Not A Product.
What I mean by this is twofold: one, anyone who sells you a "secure" widget is lying. Widgets, computers, servers and networks are not secure or insecure by their nature; they are merely tools. Any tool can be used for good or ill, just think of the climate concerning guns. This is a continuation of the first rule; not only is there no such thing as a secure computer, any steps that have been taken to create a more secure computer can be blown away by the mentality of the user. This rule probably should read Security Is A State Of Mind, but this way I can combine two rules into one. In a nutshell, every system is only as secure as the users of that system are willing to make it.
The canonical example of this is a hospital. Hospitals have insane oversight in terms of confidentiality of patient information and they can get in real trouble for letting the Wrong People see certain files. So the natural step is to make each level of access have a separate password and each user must login to separate authentication levels, blah blah blah. It's a 'very secure system.' End result? Nurses get tired of remembering so many passwords and write them down on sticky notes on the monitor. Security that is too hard to use will be defeated.
Rule Number Three: Your Computer Is A Castle.
Traditional security is a good analogy to computer security. Things that people would never do in the real world they don't think twice about doing online. When you open an attachment you're not expecting, it's like licking your neighbor's doorknob. When you blindly click 'OK' on every pop up window, it's like walking around in a bad neighborhood with a roll of hundred dollar bills poking out of your pocket. Remember the Trojan Horse? Trusting everyone online will get you in trouble, just like in real life.
Likewise, when you evaluate a system for security the first place you look is the place where security is the weakest. If you double-encrypt everything and lock your computer in a safe but your password is 'secret', you're not really secure. Always look at the big picture and don't lose the forest for the trees. Likewise, if you have an uber-secure locked-down machine but it's in an office where the cleaning staff have physical access, you're not secure.
Rule Number Four: Security is Boring
This is the hardest thing to get right. The best way to be secure online is to do the little things all the time. Boring things like keeping your security updates up-to-date and getting an anti-virus. Being paranoid about your email and choosing the right software go a huge way towards keeping your stuff safe. Have a legal copy of all your software, especially your anti-virus. Pay for it. If you don't want to pay for it, AVG anti virus is free and damn good. More detail later.
That's it for the theory, there will be a quiz on Thursday. Now the practice. There are a few things that you can do to keep yourself secure and protect what little privacy you still have.
The first thing to know is that email is not secure. Think of email as sending a postcard, there's nothing to stop anyone who touches it from reading it. Email is hard but not impossible to anonymize, but there are few remaining anonymizers left. Any old Hotmail or other free account will work for certain values of 'anonymous' but they probably will not stand up to a legal search warrant unless you are very careful. Gmail is not a good provider for anonymous email because of the invite system. Unless you can get an invite anonymously anyone tracing it can simply look up who invited you and compel them to spill the beans.
Another thing is that any site you visit on the web can get a huge amount of information on you that your browser just sends out on its own. Things like your IP address which can be traced to a rough location and if the government gets involved can probably be traced down to whoever pays the bills. This can be mitigated by using anonymizing proxies, Tor and Privoxy. More detail further on.
Yet another key facet is that anything that is on your computer is something that you are trusting fully. If you follow good protocol, you are trusting Microsoft with all of your data, and you are trusting whoever makes your anti-virus or firewall with all your data. There is precedent for law enforcement using the anti-virus update to compromise the computer of a group that was holed up in their cabin to prevent them from emailing out. In case I wasn't clear, this has happened and will happen again.
Now for some details and the all-important links:
In terms of an operating system, Windows is the default and there's no budging most people from it. With good practices and by keeping up to date you can keep Windows tolerably secure. I would trust it for mildly embarrassing data but not critical data. Please upgrade to at least Windows 2000. Windows XP with Service Pack 2 is best. I know it's expensive, but Windows 95, 98, and ME are outdated and not secure.
Since no one has access to the code that makes Windows tick, there is no way to determine for sure that there is not an easy back door that could be leveraged against you. I cannot recommend keeping mission critical data on a Windows machine. If you have a bit more freedom about what you run, I heartily recommend getting a Macintosh. The new Apple OS X is built upon a very secure BSD base and it strikes an excellent balance between usability and security. Any version of Linux or BSD can be made secure, but if you're running those you probably know how to secure it.
Web browsers: There really is only one. Firefox is the best that has come along yet. It can be set up for decent everyday browsing and keep a good rein on your cookies and history. In the Firefox settings, you can exercise very fine control over what sites are allowed to set cookies on your machine and when to expire them. Please do not use Internet Explorer on ANY OS. It is not secure in any way. A good addition is Privoxy and/or Tor. A must-have extension for Firefox is Adblock Plus and "Filterset.G".


Email client: I recommend Mozilla Thunderbird, but basically anything but Outlook (Express) is acceptable. Outlook is massively insecure. Please do not use it.
Anti Virus: They're all equally mediocre. I use AVG which is free for personal use. Pick one and keep it updated.
Firewall: Again, the Windows firewall cannot be trusted. I recommend Kerio Personal Firewall, and I use it myself. Tiny Personal Firewall is good too. Zone Alarm is less powerful and Black Ice is worthless.
Proxies: Privoxy is a nice semi-anonymizing proxy that runs on your local machine. It can't hide your IP but it will strip out a lot of identifiable information. It's pretty easy to set up too.
Tor is a very clever onion routing network that passes your traffic through a few levels of other machines so that theoretically not only does the site you're visiting not know who you are, nobody could trace your connection back to you. An added benefit is that Tor servers are encrypted so your traffic is harder to snoop on as well as being more anonymous. The disadvantage is that this is SLOW.
Encryption: BestCrypt can create secure images that can be viewed on Windows and Linux.
Below I'm going to outline three levels of security and what they should be reasonably protected against.
The first is an easy to use everyday machine. You will be protected from most common automated and non-directed attacks but a determined attacker will still be able to penetrate as will a governmental entity. If there is demand I can work up a similar profile for a Mac.
Microsoft Windows 2000 or XP.
AVG anti virus or similar.
Kerio Personal Firewall or similar.
Firefox, Adblock Plus and Filterset.G set to only allow same-domain cookies.
Privoxy
The second is more anonymous but it sacrifices speed. You will use this if you want to do something that you wouldn't want broadcasted.
The same as above except Firefox is set to expire cookies on close, and keep no disk cache or history. Privoxy is also connected to Tor for anonymization.
For email, Thunderbird and Enigmail can be set up to encrypt your email to a very strong degree, as long as the recipient has a similar setup. New Enigmail versions are very user-friendly in this regard.
Also, it is possible to have two different "profiles" of Firefox on one machine, one that simply browses normally with sane cookie rules, and another that passes through Tor/Privoxy and keeps no history or cache and clears cookies on exit. This is simple to do and a good mix of usability and the ability to be more anonymous if desired.
One note: Remember that today's "uncrackable" will be a joke in fifty years. Also, encrypted traffic will probably raise a certain level of awareness among those doing the spying. Legally this poses no problems but if you're doing something you wouldn't like discovered, sending encrypted e-mails to osama@alqaida.com is probably a bad idea.
A Proviso: The above two systems rely on closed code and trusting updates. They would be very vulnerable to any form of governmental intrusion and nothing can be done to mitigate this. IF YOU ARE GOING TO DO SOMETHING ILLEGAL, DON'T USE ANYTHING CLOSED-SOURCE TO DO IT WITH. If you do intend to do something illegal, or even if you're just paranoid like me, a good idea would be to have a second machine. This is similar to what the NSA does internally: Classified machines cannot talk to Top Secret machines, and none of them can talk to Unclassified machines.
A good Classified or Top Secret machine might look like this. This machine should be reasonably secure against anything but a direct, physical attack.
BSD or Linux OS, properly configured (details are outside the scope of this article. I will be happy to provide further information upon request).
A solid, encrypted file system or BestCrypt for any user data.
Not connected to the network. Use a USB flash keychain/thumb drive for getting data off of it.
Again, none of this is any good at all if your master password is your birthday.
I hope someone finds this useful and I'm happy to answer any more detailed questions either via SurvivalBlog or directly. - Paedrig Hawkwing (PaedrigHawkwing-at-gmail.com--change the "-at-" to an @ symbol)

JWR Adds:  Our web statistics show that 19% of our readers now use the Firefox browser, up substantially from the 16% when we started SurvivalBlog back in August of Aught Five. My advice:  DUMP that back-door ridden, data mining Microsoft Internet Explorer. Firefox is free!

Hi Jim,
Another option for anonymous web browsing is to install Tor, an "onion routing" package that sends your data through 'layers' of different servers before reaching your desired destination. After I first installed Tor, I visited Google and was surprised to see it looked a little different -- Google detected that I was coming from Austria (since the last server 'layer' was located there) and presented me with "Google Österreich"! Tor is free and easy to set up. The EFF has instructions for Windows (http://tor.eff.org/cvs/tor/doc/tor-doc-win32.html) and OSX (http://tor.eff.org/cvs/tor/doc/tor-doc-osx.html). Regards, - MP


Sunday, January 22, 2006


Part of being a prepared individual is keeping a low profile. I don't heavily emphasize privacy issues on SurvivalBlog, but I do recommend that you learn how to fly under the radar, just on general principle. My philosophy: Don't leave big paper trails or bit trails. An interesting article recently appeared at Wired News, titled "How to Foil Search Engine Snoops". See: http://wired.com/news/technology/0,70051-0.html?tw=wn_tophead_2

For greater privacy, the author recommends using either the Firefox PC browser or the Safari Macintosh browser. He states: "In Firefox, you can go into the privacy preference dialog and open Cookies. From there you can remove your search engine cookies and click the box that says: 'Don't allow sites that set removed cookies to set future cookies.' In Safari, try the free and versatile PithHelmet plug-in. [See: http://culater.net/software/PithHelmet/PithHelmet.php] You can let some cookies in temporarily, decide that some can last longer or prohibit some sites, including third-party advertisers, from setting cookies at all."
He also recommends: "If you are doing any search you wouldn't print on a T-shirt, consider using Tor, The Onion Router. [See: http://www.onion-router.net/] An EFF-sponsored service, Tor helps anonymize your web traffic by bouncing it between volunteer servers."

The article also mentions the tried and true (but slow) Anonymizer.com. See: http://www.anonymizer.com.

OBTW, if any of you techno gurus would be so kind, I'd greatly appreciate a summary article about Internet privacy to post on SurvivalBlog.com. You might even win our non-fiction writing contest. (The prize is a four day course certificate at Front Sight!)


Thursday, November 24, 2005


In the absence of computing power, if we are reduced to using tiny QRP [low power] transmitters for communication, then there may come a time where some messages require heavy duty encryption. This is the easiest method I know of: the Solitaire card deck encryption method. A group could even generate one time pads which would be starting order for a deck and store them in a secure location. See: http://www.schneier.com/solitaire.html Here is a snip from this site:

"In Neal Stephenson's novel Cryptonomicon, the character Enoch Root describes a cryptosystem code-named "Pontifex" to another character named Randy Waterhouse, and later reveals that the steps of the algorithm are intended to be carried out using a deck of playing cards. These two characters go on to exchange several encrypted messages using this system. The system is called "Solitaire" (in the novel, "Pontifex" is a code name intended to temporarily conceal the fact that it employs a deck of cards) and I designed it to allow field agents to communicate securely without having to rely on electronics or having to carry incriminating tools. An agent might be in a situation where he just does not have access to a computer, or may be prosecuted if he has tools for secret communication. But a deck of cards...what harm is that?"

[See the URL cited above, for the details on this enciphering system]

JWR Replies: Thanks for sending that, David. In the near future I plan to post a brief article about "book codes" --using two identical books as one-time pads. This method is called a Buchspiel ("book game") by the German spymasters that perfected it.
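
The Solitaire cipher mentioned in the letter above, as an added Python example (not code from the post or from Schneier's site). It follows the steps published at the URL cited above and uses the deck's starting order as the key, as the letter suggests; passphrase keying is left out, and the function names and the sample message are assumptions made for this example.

```python
"""Solitaire (Pontifex) stream cipher, keyed by the starting order of a 54-card deck."""
import secrets

JOKER_A, JOKER_B = 53, 54      # cards 1..52 are the ordinary cards


def new_deck_key():
    """Return a random deck order from the OS CSPRNG; this order is the shared secret."""
    deck = list(range(1, 55))
    secrets.SystemRandom().shuffle(deck)
    return deck


def _move_down(deck, joker, places):
    """Move a joker down the deck, wrapping so that it never becomes the top card."""
    pos = deck.index(joker) + places
    if pos > 53:
        pos -= 53
    deck.remove(joker)
    deck.insert(pos, joker)


def next_key_value(deck):
    """Advance the deck in place and return the next keystream value (1..26)."""
    while True:
        _move_down(deck, JOKER_A, 1)
        _move_down(deck, JOKER_B, 2)
        # Triple cut: swap the cards above the first joker with those below the second.
        first, second = sorted((deck.index(JOKER_A), deck.index(JOKER_B)))
        deck[:] = deck[second + 1:] + deck[first:second + 1] + deck[:first]
        # Count cut by the bottom card's value (either joker counts as 53).
        count = min(deck[-1], 53)
        deck[:] = deck[count:-1] + deck[:count] + deck[-1:]
        # Output card: count down by the top card's value; a joker means no output.
        card = deck[min(deck[0], 53)]
        if card < JOKER_A:
            return (card - 1) % 26 + 1


def _crypt(text, deck_order, sign):
    deck = list(deck_order)            # work on a copy; the caller keeps the key intact
    if sorted(deck) != list(range(1, 55)):
        raise ValueError("key must be a permutation of the 54 cards 1..54")
    letters = [c for c in text.upper() if "A" <= c <= "Z"]
    if sign > 0:
        letters += ["X"] * (-len(letters) % 5)   # pad plaintext to five-letter groups
    out = []
    for c in letters:
        # Letters are handled 0-based (A=0), so adding a 1..26 key value mod 26
        # matches the A=1..Z=26 arithmetic done by hand.
        out.append(chr((ord(c) - 65 + sign * next_key_value(deck)) % 26 + 65))
    return "".join(out)


def encrypt(plaintext, deck_order):
    return _crypt(plaintext, deck_order, +1)


def decrypt(ciphertext, deck_order):
    return _crypt(ciphertext, deck_order, -1)


if __name__ == "__main__":
    key = new_deck_key()
    ciphertext = encrypt("MEET AT THE NORTH GATE", key)   # constructed sample message
    print(ciphertext, decrypt(ciphertext, key))
```

Both parties must start from the same deck order and never reuse it for a second message, since the keystream depends only on that order.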


Wednesday, November 23, 2005


I've been asked by several readers for their advice on cellular phones. First, I should mention that the cellular revolution still hasn't made its way to the Rawles Ranch. Perhaps it never will. I'd appreciate your e-mails with comments on this topic. (As a non-cellular kinda guy, I will surely leave out some important points.)

The general rules of thumb on cellular phones are as follows:

All cellular phones are vulnerable to interception--some are just a bit more secure than others. There is no privacy with a cell phone--or in essence with any other radio transmitter. None. Don't kid yourself. Take my word on it--back when I was an intelligence officer, what I did for a living was supervise troops that primarily did voice intercept and direction finding. Please don't write to tell me that you saw on television that characters from The Sopranos use encrypted cell phones to talk with their mob buddies. Yes, it is possible, but there are three big problems with this: 1.) It is illegal for private Citizens to do so. 2.) Doing so will instantly raise your profile in the eyes of authorities. Instead of being just one nondescript cell phone emitter in an ocean of emitters, your cell phone will suddenly become a "signal of interest." (SOI) 3.) Even an encrypted signal can still be DFed.

Regardless of the type of cell phone that you use, if you remove its battery pack then it cannot be tracked. It ceases to be an emitter. (Without a battery it will not even produce local oscillator noise.)

Privacy and anonymity are worthy goals, but consider that there may be situations where you will want to have your location known--such as when you are calling 911 in the event of a car accident, or in a wilderness rescue/medevac situation. IMHO, the ideal solution would be a cell phone on which you can selectively disable the GPS circuitry.

When the U.S. FCC mandated "Enhanced 911" ("E911"-- a.k.a. cell phone tracking), they set a standard for direction finding (DF) accuracy, but they left the method implementation up to the major cellular service providers. Some providers chose location schemes that depend on GPS chips. Others use time-of-arrival radio direction finding. (The latter approach uses cell phone towers as the DF sites--creating a DF network with a very long baseline.) For details, see: http://www.edn.com/contents/images/198901.pdf Because of this diversity of approaches, there are still many "loophole" cell phones that cannot be tracked or triangulated. These include pre-GPS phones or phones with their GPS receiver disabled, subscribed in a Sprint, Verizon, or Nextel service plan. But be advised that there is essentially no way to avoid tracking if your cellular provider employs time-of-arrival radio direction finding. Do some research the next time that you change cellular providers.

The other important aspect of cellular phone privacy is protecting your identity. Most cellular phone service plans require that you provide detailed billing information, a physical street address, and a credit card number. But what about those nifty "pre-paid" cell phones that you can buy at your local drug store? For now at least, most pre-paid cell phones can be purchased anonymously. They only lose their anonymity if and when you "recharge" their minutes with a credit card. (OBTW, I'll discuss anonymous credit cards in a future SurvivalBlog post. But here is a hint to get you started: the Simon's Mall chain sells anonymous pre-paid VISA debit cards.)

For more information, see: http://www.pcworld.com/howto/article/0,aid,114721,00.asp  and http://www.americanscientist.org/template/AssetDetail/assetid/47369 



Jim:
A few items that are of concern/interest to me as of late are topics that others have brought up. Don't forget that disabling OnStar may be obtainable, but I surmise that disabling your cell phone would be patently dangerous in a slow slide or SHTF scenario. Learn [the details about] your cell phone, and VOTE WITH YOUR EAR! (Had to get that in there Jim!) I presume that handheld or vehicular mounted GPS  systems would also create some sort of signature or locale while in operation. Is this of noteworthiness? The last unit I bought, I purchased without any registration or anything. I assume if you subscribe to a service then by definition it has its "eyes upon you."

Another item that I seek your expertise on is how to obtain an "annual stockpile" of necessary prescriptions. How do you recommend that your like-minded blog readers go about this process? My last purchase of cold medication resulted in the showing of my I.D. before I could obtain it. I hesitate to think this is an easily remedied issue. Take Care, - The Wanderer

JWR Replies:

On cellular phones:   Coincidentally, I addressed these issues in another blog post that is also running today. (Wednesday, November 23, 2005.)

On GPS receivers: Pardon the following side step into ASA arcana (one of my past lives): Any radio receiver creates what is called local oscillator noise--a very weak signature that can be detected by very sophisticated monitoring equipment. But from a practical standpoint, it cannot be pinpointed except if you are up against a serious DFing team with some very sophisticated equipment, and only then if you are in an electromagnetic quiet zone such as out in the middle of a National Forest. Anywhere else, the local oscillator noise will get lost in the ambient clutter. So you can safely assume that a passive GPS receiver by itself is not a threat to your privacy. But when a GPS receiver is integrated with a cellular phone (which is of course an active transmitter), you can kiss your location privacy goodbye.

On prescription meds: It is a pity that most doctors in the urban and suburban portions of the U.S. don't have the same mentality that is prevalent in Alaska and the more remote regions of the intermountain west. Here in the hinterboonies, many doctors are accustomed to getting requests for full-year prescriptions from ranchers, miners, bush pilots, and others that live out far beyond the sidewalks. Unless you have a relative that is an M.D., all that I can suggest is that you hunt around for a preparedness-minded doctor. Perhaps someone at church, or in your local shooting club. OBTW, I've heard that most LDS ("Mormon") doctors are sympathetic to their patients that are survival-minded. As far as insurance company reimbursement goes: Good luck! Many insurance companies refuse to pay for more than a three month supply.


Monday, November 21, 2005


Jim,
I have two somewhat related questions:
1.) Can the OnStar [tracking/communications] system on General Motors vehicles be TOTALLY turned off by an owner? If so, how? And if so, is a professional recommended to do the work? I envision the possibility of the Powers That Be (PTB) simultaneously turning off engines of all OnStar vehicles to create massive chaos if it supports their plan.

2.) If we experience an EMP event, can we carry a spare computer module in protective casing and just replace module in our vehicle and we are off and running again? If so, what is the proper procedure? If question is off base or not possible… What can we do? (Affordably) - Robbie in Va.

JWR Replies: 1.) From what I've read in Usenet forums, the shutdown feature was considered during OnStar's design phase but was never implemented, due to liability issues. OnStar does indeed, however, provide vehicle GPS tracking to assist police in the location of a stolen OnStar-equipped vehicle.

Conceivably, a situation might arise wherein you would want to disable OnStar. (See: http://whats.all.this.brouhaha.com/?p=132 ) The only way to be sure that you are completely disconnecting it from power is to disconnect the cables from the OnStar module itself. Any layman can do this. The hard part is finding the box. Typically, the OnStar modules are hidden in the trunk--often next to the spare tire, such as in Cadillacs. (See: http://www.cadillacfaq.com/faq/answers/onstardisable/) The location will vary, depending on the make/model of your GM vehicle. I suspect that you cannot simply remove a fuse from your vehicle's fuse holder array, because given the evil genius of GM's design engineers there are probably other components--possibly essential components--that are downstream of that same fuse. (But I may be wrong. One nice thing about this blog: I'm sure that someone more knowledgeable will e-mail me within hours if I post something incorrect about anything.)

OBTW, here is an old trick that dates back to the days when car alarms were not wired into a vehicle wiring harness upstream of the fuse box: So that you can be ready to remove a fuse at a moment's notice, one useful technique is to attach a small dimension "zip"-type plastic cable tie around the middle of a modern plastic fuse (between the fuse's "legs", or in the case of traditional tubular glass fuses, underneath the entire length of the fuse). That way all that you have to do is open the fuse box and jerk on the protruding cable tie--no fumbling around with a flashlight, trying to remember which is the correct fuse to pull.

On a related note, (purely for academic research, mind you) for those of you with a penchant for hacking, you can tap into your GM vehicle's OnStar RS-232 GPS data. See: http://members.cox.net/onstar/  You can also hack into the OnStar communications module for Bluetooth. ;-) See: http://www.hackaday.com/entry/1234000170038047/

2.) Yes, a spare electronic ignition "computer" can be purchased and padded up thoroughly and carried in an ammo can or a biscuit tin. (Either will act as an effective Faraday cage.) But keep in mind that many vehicles made since the 1980s also have electronic fuel injection, which will have its own little microchip CPU.  Ask your local car mechanic--preferably one at a factory-associated dealership--for details about the ignition and fuel injection system of your particular make/model/year of vehicle.


Thursday, September 8, 2005


Mr. Rawles,
Many thanks for an excellent web site!  I read it daily with much anticipation.  Your book Patriots is a first-class work as well. 
 
Storing fuel is a must for a survival retreat.  Having said that, how do you get delivered several hundred gallons of diesel (or gas) without raising eyebrows?  I live in the rural Blue Ridge Mountains of North Carolina on a mountain top.  Very private and quiet, but not a farm.  Maybe it is easier than I presume and nothing would raise flags to delivery folks filling a couple of above ground tanks.  Is there an approach that has worked for you or your readers?

OBTW, your Retreat Owner Profiles are super--keep up the good work! - S.P.

JWR Replies: As mentioned in previous blog posts, I recommend getting the largest underground fuel tanks that you can afford, but of course no larger than the maximum allowable under your local law. I also recommend that you purchase the tanks from a company that is a long distance away, and that you have workmen from that same company handle the delivery and installation. That will keep local rumors to a minimum. For example, one of my good friends in Clearwater County, Idaho ordered his gas and diesel tanks from a company in Missoula, Montana, more than 100 miles away. The shipping was expensive, but this was offset by the fact that Montana has no state sales tax. OBTW, the fiberglass fake basalt rocks covering the filler necks and hose stands are a nice touch.

As for the local companies that fill your tanks, there are a couple of obfuscatory statements that might prove helpful: "I only got this big tank because I want to be able to ride out large price fluctuations." Or, "I need to keep this much diesel on hand because I'm co-owner of a (fill in the blank) company." (Trucking, logging, et cetera)

The most expensive but most discreet approach is available for "Secret Squirrels" with a big budget: As I just described, have your large underground tanks installed by a company from at least 50 miles away. Then order your fuel in small increments (200 gallons or less) from several different vendors, preferably from 30+ miles away. There is no way for them to know the capacity of your underground tank just by looking at the exposed filler neck--unless of course the curvature of the tank also shows. Shelling out for multiple delivery charges is a high price to pay for privacy, but TANSTAAFL. Parenthetically, I have one acquaintance in Wyoming that has an 80 gallon diesel "L" shaped tank (the under tool box type) in the bed of his dualie F350 diesel pickup. He buys diesel 90+ gallons at a time on his weekly trips to Cheyenne. Once he gets home, he pumps it into his 3,000 gallon diesel tank at home. It is a slow process, but very discreet.

All Content on This Web Site Copyright 2005-2014 All Rights Reserved - James Wesley, Rawles - SurvivalBlog.com
