Review: The Art of Invisibility
Let’s put aside for a short moment why you would want or need to remain invisible in the online world and think about how one can do it. Kevin Mitnick’s book The Art of Invisibility explains the unusual precautions you need to go through to stay off the radar.
There is a ton of useful information in the book, but it may be worrying bedtime reading for some people. How you make use of innocuous things such as Facebook, or how you keep track of passwords (let’s hope you don’t use the same one across all your accounts), or what sites you accessed from your friend’s laptop may have revealed more about you than you would like or have imagined.
Your internet imprint will at a minimum be used to feed advertising to you. There is sophisticated marketing software tracking your every move on the internet to try to find a way to sell you things. That search on Google or like on a Facebook wall might cause an advert the next time you are back, tailored to your interests. It may appear on a completely unrelated site; your information can be sold from one company to the next.
“So what?” you may ask. But if huge sales organisations and marketers can go through the data you leave behind on the internet every-time you visit, what might governments or criminals do if they can build up similar profiles. Could a government shut down a political rally you were organising? Could a criminal collect data about adult or dating web sites you visited and use it to blackmail you?
There are many legitimate reasons to remain anonymous on the internet. Kevin Mitnick was caught by the FBI in 1995 for activities that were neither legitimate nor legal. He has served time in prison, but is now a security consultant, helping to protect legitimate businesses and individuals from attack by the type people that he used to be.
There is an argument that he should not be rewarded or praised for using the skills he learned during criminal acts, and that it is wrong to make money from such a career, but it has been an ongoing trend for many years, that those who once committed crimes using computers (black hats), whether they were caught or not, are later recruited to the other side later on.
I think we can learn a lot from these hackers-turned-experts, now called white hats which signifies they work for the general good; their experience and point of view give them a completely different perspective on computer security, both for companies and personal users.
I will not be going to the extreme lengths that Kevin suggests are necessary to remain invisible online. Note that it is not enough to be anonymous. The book has many examples of where a link can be created from an anonymous account to an individual by a motivated police force. However, it is a good idea to know where the boundaries lie.
There are plenty of learnings to take away from the book. Here’s a summary of some key ideas that stood out for me. I might not act on them all, but at least I will consider the implications of not following them.
Chrome Book Banking
Accessing secure sites such as your online bank with a compromised computer, one that has some sort of spyware or malware, can lead to many drastic consequences. Hackers with access to your credentials may be able to initiate identity theft, fraud in your name, or even transfer the contents of your accounts to their own.
It should be obvious that accessing your bank accounts on an insecure network is risky (for example using the free wifi in Starbucks), or from a shared computer in the public library. But what about your own personal computer, is that OK? Maybe not.
Do you share it with your family? Have you ever installed software from a web site rather than the app store? Have you ever visited a less-than-mainstream site? If the answer to any of these questions is yes, then it is possible that there is some sort of infection on your computer.
It’s probably not the case, but there is no clear way to be sure. Kevin’s suggestion for this type of extreme paranoia is a simple one. Buy a cheap Chrome Book and use it for one purpose and one purpose only. Internet banking.
If you do this and do not allow it to be used for any other purpose, then you can be almost certain that your credentials will be protected and that no one can intercept the stream of data between the Chrome Book and your bank. Assuming your bank has correctly implemented the best practice security measures that is.
HTTPS Everywhere
Although the technology has been around for years to provide secure communication between your browser and the web, many sites don’t take this as seriously as they should. It is common for a link within a website to be given as the unsecured kind (the “s” gone from the “https” in the URL) even though you were careful enough to load the site and check security to begin with. This oversight is often a careless error on the part of the website’s builders but may also be caused by the use of buggy third party software or malicious attacks on the site.
HTTPS Everywhere is a plugin that is available for most browsers that can be used to cleverly rewrite any unsecured traffic that emanates from your browser to the internet. It works for many of the major browsers, such as Chrome and Firefox and can be downloaded from the Electronic Frontier Foundation web site.
HTTPS Everywhere will stop you unwittingly using a connection to a web site without the contents being encrypted; this will ensure that an eavesdropper cannot see the content of what you are sending or receiving. It does not hide the URL you visited, but at least information, for example, bank account details, will not be sent in the clear.
It is possible that some sites will cease to work due to the incorrect configuration of HTTPS, but that’s probably a good thing. You can avoid those sites or ensure that you do not share anything private if you do have to access them insecurely having turned off HTTPS Everywhere temporarily, for example.
URL Queries
There is a pitfall with HTTPS; it does not hide or encrypt the sites that you visit. With the content of the site hidden, an eavesdropper can still see the endpoints on the server that you visited. This may reveal more information about you then you would like.
The example given is a user who navigates to one of the many medical diagnosis sites that exist. After checking that his connection is secure, he uses the search function to look for information about athletes foot. The site in question submits the search by encoding the request in the URL, thus allowing an eavesdropper to see what was been queried. Not only that, but the URL will be visible in the browser’s history.
While the scenario above is fairly innocuous, you can see how this might cause embarrassment under certain circumstances. It is not limited to medical web sites; Google encodes the terms of your search into the URL so that anyone with access to your browser while you are logged in can see what you searched for.
There are some simple precautions you can take. You can use incognito browsing to hide your history. If there is a danger that the government or your Internet Service Provider (ISP) is spying on you, for example, if you were living in an oppressed country, then you might want to invest in a Virtual Private Network (VPN). Even then you might still be afraid that the logs on the VPN could be opened up to reveal your secrets. Perhaps TOR, The Onion Router, is what you need.
How deep you need to go really depends on your personal circumstances. The book is quite good at showing where the boundaries lie between what you need and what is possible. But becoming truly invisible is hard and will cost some money.
BitCoin Does Not Protect Privacy
BitCoin has grown a reputation of being a currency which you can use to buy absolutely anything online. The braver amongst us might use the Dark Web to access sites from which you can purchase drugs, weapons or a variety of illegal stuff. BitCoin is also demanded by black mailers, for example, after a virus or other malware encrypts your hard drive without you knowing. Pay up or else lose all your data.
So one might think that the crypto currency can protect your identity if you are using it, but that is not the case. At least not without some effort. It’s true that no identity is attached to the transactions that are recorded in the distributed ledger, but at some point money has to enter or exit the system. It may be possible to trace you from such a purchase or cash out.
You would have to buy BitCoin anonymously and that may be difficult. If doing so by using a prepaid card, how did you come into possession of the card? Did you walk into a store and pay cash? Or buy it online with a credit card? What about BitCoin ATMs which exchange cash for the crypto currency? But how sure can you be that there is no camera watching your actions?
Assuming you are careful and get some of the currency into a wallet, you may want to launder it through a number of transactions before making use of it, otherwise there is always a possibility of it being traced back to you. The book outlines how to go about this process but it involves an element of trust in a third party and cost for their services that you may not like.
Conclusion
I enjoyed listening to this audio book and while I am unlikely to follow the advise in order to stay invisible online, I will change a number of habits in order to make my imprint less obvious. Some of the risks that we are exposed to, without even knowing, were scary eye openers to me. And I will be educating myself and my family further along many of the topics covered by the book.
There is a lot of merit in trying to hide your personal preferences from ever present information gathering giants that will turn it against you to relentlessly try to sell you stuff. Maintaining some level of privacy can be done without damaging the web experience, if you take some simple precautions. Not being constantly bombarded with customised advertising should make the sacrifice worthwhile.
Furthermore, being less unique online can help you be passed over by criminals. If they need to apply effort to discover something about you or the devices that you use, it will probably discourage them from making a direct attack; they prefer to use known exploits on insecure profiles. By following the books advice you can reduce your visibility to them.
Having said that, I cannot see myself being able to set up a truly anonymous and invisible persona. A particularly off-putting step for me is the necessity of approaching somebody on the street, handing them over cash so that they can purchase the various pieces of equipment, a burner phones, cheap laptop, and pre-loaded money cards that will be needed to buy services on line, are some of the items on the shopping list. All to avoid your face appearing on the security cameras in the shop.
These are necessary steps to ensure that there is no possible way to link their use, phones, phone numbers, the email addresses and BitCoin wallets, MAC addresses and money trail back to you. Every step of the way there is some extra complication that needs to be addressed. I just don’t want to be invisible that much.
Kevin Mitnick himself underestimated the power of the FBI to track him down. While his capture and arrest is not the subject of this book it makes an interesting interlude. Complacency in his actions and assumptions got him caught. That and the persistence of those searching for him.
I’m sure that the advice in the book is sufficient to establish and maintain an invisible presence online this decade. But it will only become harder and harder to get the equipment necessary and move money into online accounts so that there is no link to your real self. The vigilance that is required to do so seems inordinate.
If you have no plans to commit crime but do want the invisibility promised, then this book should provide enough information to get started. But otherwise my advice is to beware, that the strategies outlined in this book may not be enough to maintain your shroud of invisibility indefinitely. You must always be vigilant and assume your pursuers are closer to your trail than you think.