# Do you really feel safe after you post on the Internet?



## George Wallace (22 Feb 2008)

Before you go any further, READ the whole scenario here:  Killing Keyboards    http://forums.army.ca/forums/threads/71137.0.html   

QUESTIONS TO ASK YOURSELF

1     *“I am no one they care about?”*   

That may be true for now, but you never know when one on-line posting will bring YOU to their attention.

Chris was just another name in a file until they needed some inside information about his program.  It never occurred to him that an intelligence agency would target him for a piece of information, but they did.


Some things to think about.

Chris had no idea that just confirming that the Clariden DSP chip was in use would be enough to hurt or kill.  But that one small piece of information was the last piece in the puzzle that the enemy was putting together.

While Chris thought he was careful, it is difficult to know exactly what an adversary is looking for, and if what you have may be of benefit.



2     “I don’t have ANY adversaries!”

Feel like all of this “war” and “terrorist” or “adversary” talk is about someone else?

Take a quick look at some other groups that use these exact same on-line information gathering techniques.

Some things to think about.

Former girlfriends, boyfriends, divorced spouses.
Angry neighbors, people you only knew casually. 
Disgruntled co-workers, employees, temporary workers. 

Identity thieves.  (Try a Google search on your name.)
Pedophiles seeking information to convince your children that they should be trusted

Anyone else who might want a little information about you, even just to know you better than you want them to.



3     “I’m smarter than the enemy!” 

It’s a common feeling.  People interviewed often say they know they are smarter than “some guy who is now just sitting in a cave hiding from us.”

Chris knew he was smarter than any adversary when he used careful expressions like, “I can’t say how I know.”

Some things to think about.

In addition to small radical groups, our adversaries are some of the largest nations in the world, who are willing to spend BILLIONS of dollars to gain an economic advantage.  Information theft is a good investment for them, even if they just trade it for something they want.

Some of the world’s best intelligence agencies are training young people as experts to go and gather information for them.  You are up against the experts!


4     “I don’t post on the Internet” 

Not posting may help you somewhat, but it is just one example of how you can come to the attention of someone with bad intentions.

Another source is unencrypted email messages which are either misrouted, intercepted, or gathered by adversaries on discarded or poorly protected backup tapes.  Stealing backup tapes is a common occurrence.

Some things to think about.

Remember that Chris did not know about all of the information sources that had information about him.  He only thought about the sites he dealt with.  Most of the others you don’t have control over, but you do have control to encrypt email and post as little “account” information as you can on web sites.



5    *“What about the Coffee Shop?”*   

The coffee shop was a reminder that while there are good business reasons to target defense contractors, etc., as customers, those methods are also good ways to gather sensitive information.

Most front businesses will not be called “Terrorist Coffee” so you need to pay attention to the less obvious.

Some things to think about.

Free Internet also provides a way to capture network traffic, including personal email passwords that are often similar to work passwords.  Every puzzle piece helps them.

Free Quiet Rooms encourage “sensitive” conversations in rooms that may have listening devices.

By showing a badge, “bad guys” know any time a facility changes its badge, and when new security like “smart chips” are rolled out.  If they have infiltrated a facility, they know to update their fake badges by the next day.









Don’t feel hopeless

Increasing your awareness  that you really are a potential target, 
remembering that being “clever” in a conversation or email is very likely to fail, 
limiting what you can on the Internet, and encrypting all email and drive storage you are able to –  Really can make the difference!


----------



## Haggis (22 Feb 2008)

So, I guess changing my screen name at Christmas didn't help???  ;D

Googling your name is a good idea, however it can yield some interesting and, at times, highly entertaining results.

Someone I know very well Googled her name and, although there were no hits for the "real her", she discovered she shares her name with a transvestite porn star. 

Seriously, though, you could discover some interseting insights into your life and how you are seen on the World Wide Web.


----------



## OkotoksRookie (22 Feb 2008)

Awesome post George!
Thanks!


----------



## Mike Baker (22 Feb 2008)

OkotoksRookie said:
			
		

> Awesome post George!
> Thanks!


+1. I think everyone should read it.


----------



## TN2IC (22 Feb 2008)

Bravo Zulu


----------



## Yrys (22 Feb 2008)

and Chris story :


Killing with Keyboards


----------



## George Wallace (22 Feb 2008)

I am so sorry if people got fooled by the big letters and missed the very first line of the topic.




			
				George Wallace said:
			
		

> Read the whole scenario here: Killing Keyboards
> 
> QUESTIONS TO ASK YOURSELF



 ;D


----------



## Mike Baker (22 Feb 2008)

Yrys said:
			
		

> and Chris story :
> 
> 
> Killing with Keyboards



Yeah, George posted the link in the first post.


----------



## Yrys (22 Feb 2008)

:-[

Saw it when I read George W reply ...


----------



## Mike Baker (22 Feb 2008)

Yrys said:
			
		

> :-[
> 
> Saw it when I read George W reply ...


Oh my, now I see that he said that hahaha.


----------



## The Bread Guy (23 Feb 2008)

Great piece - thanks for sharing.


----------



## The Bread Guy (26 Feb 2008)

Something from the CF on this, shared in accordance with the "fair dealing" provisions, Section 29, of the _Copyright Act._

*Military warns soldiers not to post info on Facebook*
CBC.ca, 25 Feb 08, 20:10 PM MT 
Article link

The Defence Department is advising Canadian soldiers not to post personal photos and information on social networking websites like Facebook, citing security concerns.

The advisory was circulated in a memo obtained by CBC News. It warns soldiers not to appear in uniform in online photos and not to disclose their military connections.

"Al Qaeda operatives are monitoring Facebook and other social networking sites," the memo says.

"This may seem overdramatic … [but] the information can be used to target members for further exploitation. It also opens the door for your families and friends to become potential targets as well."

The Defence Department says it is also concerned with postings of photos and information from the battlefront in Afghanistan.

On Feb. 14, military official Brig.-Gen. Peter Atkinson warned against such battle scene postings.

"The insurgents could use this information to determine their success or their lack of it … and determine better ways to attack us," he told reporters in Ottawa.

Military families are already heeding the Defence Department's advice.

Samie Marchand-Whittle, whose husband is in the Canadian Forces, has closed public access to the Facebook page she maintains for military families.

"It's scary to know that they could find out personal information about our families, our children, where we live," said the Edmonton mother of two. "It is really scary."

But Sunil Ram, a professor of military history and land warfare at American Military University, questioned the military's warnings about posting information online.

"What we're really talking about is censorship more than anything else," he said on Monday. "This is the military's attempt to control the imagery of what is actually happening on the ground."


----------



## sgf (26 Feb 2008)

> Samie Marchand-Whittle, whose husband is in the Canadian Forces, has closed public access to the Facebook page she maintains for military families.
> 
> "It's scary to know that they could find out personal information about our families, our children, where we live," said the Edmonton mother of two. "It is really scary."



If Marchand-Whittle was that concerned about her personal information, she should have kept her name and other personal information  out of this news release.


----------



## Yrys (26 Feb 2008)

Yep, particularly seeing she's the only on facebook with that name...


----------



## George Wallace (26 Feb 2008)

milnewstbay said:
			
		

> Something from the CF on this, shared in accordance with the "fair dealing" provisions, Section 29, of the _Copyright Act._
> 
> *Military warns soldiers not to post info on Facebook*
> CBC.ca, 25 Feb 08, 20:10 PM MT
> ...



This is another reason to be very careful of what you post.  There are many "experts" out there who want nothing better than to gather their information from you.  This guy apparently knows nothing about Security Concerns and is posing as an expert to pick up tidbits so he can spew them to the media and look good.  He should in fact be expousing the same things as the CF and reinforcing their statement, but he is doing quite the opposite.  What agenda does he have to call this all folly on the part of the CF?


----------



## OkotoksRookie (26 Feb 2008)

milnewstbay said:
			
		

> But Sunil Ram, a professor of military history and land warfare at American Military University, questioned the military's warnings about posting information online.
> 
> "What we're really talking about is censorship more than anything else," he said on Monday. "This is the military's attempt to control the imagery of what is actually happening on the ground."



There are times when censorship protects, This professor acts like theres a secret that the CF doesn't want you to know. The less information about individual military members there is on the net the safer their families and friends are imho and it sounds like thats more of what the CF is trying to do, not hide it's actions. A few of my buddies cancled their facebook accounts on this recomendation. I've considered dropping mine as well,


----------



## George Wallace (26 Feb 2008)

If you really want to find out how out to lunch he is, try this little exercise: 

Go to Killing with Keyboards and follow the steps as laid out there and see how much you can find on yourself or someone else.  It may take some time and imagination, but you will be surprised at what you may find.  Of course you will find many people with the same name, but with a little patience, you will be able to sort them out by address, nationality, employment, contacts and friends on Facebook, phone numbers, blog sites, etc.  

Give it a try.


----------



## Shamrock (26 Feb 2008)

I found out George Wallace's secret identity.


----------



## George Wallace (26 Feb 2008)

ʞɔoɹɯɐɥs said:
			
		

> I found out George Wallace's secret identity.



Are you sure you got the right George Wallace?


----------



## deedster (26 Feb 2008)

I see you're a fan of Kangol hats Mr. Wallace


----------



## NL_engineer (26 Feb 2008)

milnewstbay said:
			
		

> Something from the CF on this, shared in accordance with the "fair dealing" provisions, Section 29, of the _Copyright Act._
> 
> *Military warns soldiers not to post info on Facebook*
> CBC.ca, 25 Feb 08, 20:10 PM MT
> ...



Seen this posted at work today, with a must read attached (the CANFORGEN anyway).  I am surprised this site was not mentioned, as it has been in the past.


----------



## blacktriangle (27 Feb 2008)

George Wallace said:
			
		

> If you really want to find out how out to lunch he is, try this little exercise:
> 
> Go to Killing with Keyboards and follow the steps as laid out there and see how much you can find on yourself or someone else.  It may take some time and imagination, but you will be surprised at what you may find.  Of course you will find many people with the same name, but with a little patience, you will be able to sort them out by address, nationality, employment, contacts and friends on Facebook, phone numbers, blog sites, etc.
> 
> Give it a try.



Well it really does work, but it kind of makes me feel like a spy  

If I find you George, I'll be sure to send some flowers!


----------



## George Wallace (27 Feb 2008)

popnfresh said:
			
		

> Well it really does work, but it kind of makes me feel like a spy
> 
> If I find you George, I'll be sure to send some flowers!



My pension as a former Foreign Minister has me living with a wonderful garden overlooking the ocean.  I don't really need the flowers.  A good bottle of Scotch may do though.    ;D



PS:  Thanks Shamrock!


----------



## sober_ruski (27 Feb 2008)

Wow, that Chris guy must also work for GM. Where else would he get a 200*4* Camaro  ;D


as for finding out about myself. Turns out i have stocks in some company (weird), and where/when i graduated from high school. Nothing else.


----------



## Michael OLeary (27 Feb 2008)

sober_ruski said:
			
		

> as for finding out about myself. Turns out i have stocks in some company (weird), and where/when i graduated from high school. *Nothing else.*



Don't be too sure of that:

Rank - Private (from profile)
Trade - Signals Operator (SIG OP) 00329-01 (former MOC 215) (from profile plus Google search to confirm trade)
Signals unit (from avatar)
Current location identifiable from IP
Russian home town - "my 80K home town in middle of nowhere Russia" (your post)
Father's military service - "base where my dad used to work" "2Lt in radio/missile watching place" (your post)
Canadian home town Vancouver - "my old high school there was a coop term with either Vancouver police or local RCMP" (your post)
Vehicle - 1993 Honda Prelude (your post)

So, I'm looking for a 21 year old signaller driving a Prelude who knows Russian.

And that's from a quick scan of about half your posts here.  All someone needs to do to scan all of a member's posts is to stay under the DS radar and be a good little member, posting nothing controversial. We don't even notice the members with clean IPs, nicknames and email addresses that aren't stupid, or that make few or no posts.  Anyone who diligently wanted to mine the data here for the type of collection described above would get plenty to work with. We all forget the tidbits we post, and seldom imagine the picture we present of ourselves on line.


----------



## sober_ruski (27 Feb 2008)

where did you get the prelude part? 

i was looking for one at some point, never found one i liked in good enough condition.


----------



## Michael OLeary (27 Feb 2008)

sober_ruski said:
			
		

> where did you get the prelude part?
> 
> i was looking for one at some point, never found one i liked in good enough condition.



http://forums.army.ca/forums/threads/51035/post-459875.html#msg459875
http://forums.army.ca/forums/threads/51035/post-459941.html#msg459941

Remember, first level information collecting can include inaccuracies.  These get refined in further investigation of high value targets.


----------



## sober_ruski (27 Feb 2008)

argh, i give up. i'm screwed if i do and if i don't.

There is a reason why I did not use my icq number here. Did a quick search and found things i did a while ago and completely forgot about them 

Still, where do I find a 2004 Camaro?


----------



## The_Falcon (27 Feb 2008)

George Wallace said:
			
		

> This is another reason to be very careful of what you post.  There are many "experts" out there who want nothing better than to gather their information from you.  This guy apparently knows nothing about Security Concerns and is posing as an expert to pick up tidbits so he can spew them to the media and look good.  He should in fact be expousing the same things as the CF and reinforcing their statement, but he is doing quite the opposite.  What agenda does he have to call this all folly on the part of the CF?



I believe we have discussed the "expert" status of Mr Ram before, and he even came on this site to defend himself to boot.


----------



## The_Falcon (27 Feb 2008)

George Wallace said:
			
		

> If you really want to find out how out to lunch he is, try this little exercise:
> 
> Go to Killing with Keyboards and follow the steps as laid out there and see how much you can find on yourself or someone else.  It may take some time and imagination, but you will be surprised at what you may find.  Of course you will find many people with the same name, but with a little patience, you will be able to sort them out by address, nationality, employment, contacts and friends on Facebook, phone numbers, blog sites, etc.
> 
> Give it a try.



I have googled myself on few occasions, anyone wanting to find info will have a fun time sorting through all the pages, cause my last name means something dirty in another language  >


----------



## Thompson_JM (27 Feb 2008)

One more reason to own high powered weapons.....

not that I own any of those......   :-\


----------



## hauger (27 Feb 2008)

Alright....so in the vein of on-line privacy....how's bout a tool for a person who wants to wipe clean all past posts....sort of a "click here and become anon again" button.  I'm guessing such a function might prove tricky to make a reality though...but if the database can search for past posts, it should be able to mass delete them too.  Granted...this would probably make a number of historic threads completely unreadable.

What about de-linking posts at a users request from the profile (after a certain time frame).  This preserves the thread integrity but lessens the ability to mine the forums for information.

Or....do us a favour and delete the "search for posts from this user" function.


----------



## George Wallace (27 Feb 2008)

hauger said:
			
		

> Alright....so in the vein of on-line privacy....how's bout a tool for a person who wants to wipe clean all past posts....sort of a "click here and become anon again" button.  I'm guessing suck a function might prove tricky to make a reality though...but if the database can search for past posts, it should be able to mass delete them too.  Granted...this would probably make a number of historic threads completely unreadable.
> 
> What about de-linking posts at a users request from the profile (after a certain time frame).  This preserves the thread integrity but lessens the ability to mine the forums for information.
> 
> Or....do us a favour and delete the "search for posts from this user" function.



You obviously didn't understand what the term "Cached" meant, nor the fact that those posts are cached on the www in a variety of locations used by Google.


----------



## hauger (27 Feb 2008)

George Wallace said:
			
		

> You obviously didn't understand what the term "Cached" meant, nor the fact that those posts are cached on the www in a variety of locations used by Google.



Very fair comment.  Damn Google & low, low price storage that allows near unlimited cashe.

T'was just thinking aloud about how to make things a bit more difficult is all.


----------



## hauger (27 Feb 2008)

Hey wait a minute, isn't google cashe an opt out system? 


*From Google's web site:*The "Cached" link will be missing for sites that have not been indexed, as well as for sites whose owners have requested we not cache their content.

 (source: http://www.google.com/help/features.html)


Ummm....just thinking out loud here....couldn't army.ca just, oh, I don't know, maybe ask google to cut out the caching?


----------



## George Wallace (27 Feb 2008)

Have you heard about the "Wayback Machine"?


----------



## Haggis (27 Feb 2008)

That's it!!

I'm not posting on the Internet any more.

.... oops! :-[


----------



## George Wallace (27 Feb 2008)

In 2003, Mike had six updates to his Army.ca homepage for this site.

This is his homepage on Dec 04, 2004.


----------



## George Wallace (27 Feb 2008)

The NDP webpage from 28 Jan 2004.  Not much on it.  A link will take you to a Jack Layton news article.


----------



## midget-boyd91 (27 Feb 2008)

George Wallace said:
			
		

> In 2003, Mike had six updates to his Army.ca homepage for this site.
> 
> This is his homepage on Dec 04, 2004.



Wow, June 2004 :

Total Members: 2795
Total Posts: 75194
Total Topics: 16856
Total Categories: 5
Total Boards: 26

Quite the boom, I'd say.

Midget


----------



## George Wallace (27 Feb 2008)

Here are the 8 Commitments that the NDP pledged in June 2004


----------



## NL_engineer (27 Feb 2008)

Tommy said:
			
		

> One more reason to own high powered weapons.....
> 
> not that I own any of those......   :-\



I think I am going to have to do some shopping, maybe I'll get a few of these


----------



## George Wallace (27 Feb 2008)

It is amazing what you can find.  I wonder if Rxx was satisfied with the advice on text effects in Flash MX?  One can follow him through sites for pilots, find out his age and many other things such as check his address and all that stuff that is in the demo.  It just takes time and patience.  As the WARNING says, you don't even have to post on the internet to have your info there through some other means/person/corporation/database.  The phone company has posted your info.  The Cable companies.  Company nominal rolls are available in some cases.  Homepages contain the names personnel in Corporate hierarchies.  Schools post their alumni.  Newspapers print names and places.  Clubs, Volunteer Groups, and other Organizations publish fact sheets.  Blog sites, Posts on the Globe and Mail, National Post, Enmasse, etc. all bring up little factoids.  So a 30 year old pilot posting on various sites, is far from anonymous.

Posting style will also give a person away.  Take for instance a foul mouth character, who claims to be a US Army Reserve Airborne 1LT who crusades for the M113 to be named the Gavin.  Everyone immediately recognizes Sparky as soon as he goes on a rant on any site he has been on.


----------



## garb811 (27 Feb 2008)

George is making excellent points here and it's not only the bad guys you need to worry about but also your CofC/employer, your future employer(s), your friends, your family, your neighbour in the PMQs who has a grudge against you, the repo man, your future wife...the list goes on and on.    

The key for 99% of us is managing the exposure of the information you control to what you feel comfortable with.  As George has clearly illustrated, it is also important to realize that once it is on the Net, there is nothing you can do to completely erase all traces of it.  It's like that tattoo you thought looked so cool when you were a 16 year old rebel without a clue which is no longer so cool on a 35 year old professional...you have to live with your past decisions.

We as individuals not only need to exercise discipline but we also need to instill that into our friends and family as well.  It doesn't do you any good to be exercising good Internet Discipline only to have your Aunt Nellie posting emails and photos you send to her on her favorite "Support the Troops" site or your buddy Tim tagging you in a Facebook photo from a night on the town during your last TD.

And, you should really, really be considering moving to an encryption system for your email.  Like anything else on the web it is liable to interception without too much difficulty and it also leaves electronic tracks on any server it passes through.  There are very good, high quality products out there that you can use (some of which are free) to help safeguard your privacy.  Check out Hushmail, Pretty Good Privacy or gnuPG/GPG4win.  Hushmail has the added benefit that most other Webmail accounts lack of not sending your IP address in the header of the email.

For what it's worth though, the Net hasn't invented this problem, it has only made it much easier for people who want the info to get their hands on it.  For instance, in Canada you could always purchase directories which cross-referenced phone numbers to street addresses to names and easily learn who their neighbours were and the neighbours contact information.  If you had a library of those books you could easily reconstruct where a person had lived over a span of 10-20-30 years and you could find a neighbour from 20-30 years ago to talk to as well.  You could always go down to the courthouse and request the records of any trial which had taken place and you could go to City Hall and get the registered owner of any address...  The difference is, then it took some money and some work.  Now all you need to do it is have 10 minutes to spare and a basic understanding of how search engines work.

As for Facebook or anyother social networking site, go ahead and use it.  Just carefully manage what you put up there and don't be naive enough to believe that anything you put up there is private or won't be exploited (only by the site to make money if you're lucky), even if you have all of the privacy settings enabled.


----------



## garb811 (27 Feb 2008)

George Wallace said:
			
		

> Posting style will also give a person away.  Take for instance a foul mouth character, who claims to be a US Army Reserve Airborne 1LT who crusades for the M113 to be named the Gavin.  Everyone immediately recognizes Sparky as soon as he goes on a rant on any site he has been on.



Heh...just like they used to tell you in Voice Procedure classes...stick to the approved greyman script and don't add your own personal "flair" lest you make it easy for the other side to track you.


----------



## Michael OLeary (27 Feb 2008)

garb811 said:
			
		

> As for Facebook or anyother social networking site, go ahead and use it.  Just carefully manage what you put up there and don't be naive enough to believe that anything you put up there is private or won't be exploited (only by the site to make money if you're lucky), even if you have all of the privacy settings enabled.



Great post garb, I would add one thing to this para:

Remain aware of what your friends are posting.  It won't matter how careful you are with your own online security if your friends have no concerns for their own or yours at all.


----------



## hauger (27 Feb 2008)

George Wallace said:
			
		

> Have you heard about the "Wayback Machine"?



Wayback is a neat site, I've played with it in the past.  Anyways....it'll helpfully delete past caches, as well as allow you to (through the use of robot.txt) to keep from being archived in the future.

It's all a moot point.  With storage and processing power costing what it does, any sufficiently motivated government could built and run a purpose-built web-crawling and archiving system.  Being careful and being aware of how much what you post gives away information is of course the most important vector towards protecting yourself.  This doesn't mean though a site like this will all its information baggage it carries couldn't maybe help out a bit with the privacy thing.  The steps would be easy (please take this as a constructive suggestion and not as a corrosive demand):

1. Write google, say, hey buddies, how's bout you cut out the caching?

2. Give Wayback a ring, see if they'd remove the archives they have.  If that's unpalatable, get them to only archive the front page. (actually, when I search wayback for army.ca, although it comes up, clicking on it makes it a bit grumpy...seems milnet doesn't like hot linking)

3. Allow users to either search and delete their posts, or allow them the option to remove "Show the last posts of this person." from their profiles (make their profile names unsearchable).  

But hell, if y'all don't want to do any of that, well, whatever then....I'm just going to keep myself and not spout off any real identifying info.  Oh....forgot to mention...I did think the original thread was excellent.


----------



## garb811 (28 Feb 2008)

hauger said:
			
		

> ...any sufficiently motivated government, company, entity or individual could built can and has built and run a purpose-built web-crawling and archiving system.



There, fixed that for ya.   ;D

The thing is, this is no longer confined to the realm of governments.  With dirt cheap storage (a 1 Terabyte drive is $299 on tigerdirect.ca today), cheap bandwidth and free web crawling and data mining software, anyone can get into the business of data mining and archiving relatively cheaply.  If all you are concerned about is text, it doesn’t take up that much space.  A Terabyte of storage will hold about 1,000 copies of the Encyclopaedia Britannica and The National Archives of the UK, which covers 900 years of data, is only about 60TB in size so you really don't need a wallet the size of a G-8 Governement to get into the game anymore unless you want to start tackling encrypted traffic.

The problems with your suggestions for the site are although they look sensible and a good increase in privacy and security, they really don’t gain much.  As long as Mike keeps all items archived and searchable on the site, asking Google and Wayback to stop archiving the pages is pointless.  If they weren’t archived there, I suppose Mike could simply take the site down if the privacy and security concerns became that overwhelming but the bigger and more worrisome problem at that point is they would already be archived in the places we don’t know about which is where the damage can is really being done.  The only way to stop that is to password protect the entire site and only allow access to trusted and authenticated users and send all data via SSL but that would totally defeat the purpose of army.ca.  Even that wouldn't be enough though as I'd happily sell out Mike for $100 and use that money to finally pay for a subscription.   >

Disabling the “Show last posts of this person” doesn’t make it impossible to search for a user’s posts; you can do it via the general search tool as well.  We used to be able to edit and delete our posts at will but unfortunately what ended up happening was people would get upset and go back and edit or delete their comments not for privacy or security reasons but simply due to having a hissy fit after being “beaten” in a debate.  This had the effect of making entire threads nonsensical and unreadable.  Additionally, all it takes is for one person to quote your post and you have lost all ability to edit it….this is why some people here have developed the habit of quoting people they are debating; it is impossible for the other poster to alter their previous statements to make a rebuttal moot without it being obvious.  If you're that worried about something you've put up from a *SEC perspective and the grace period has passed, contacting a friendly mod is sure to solve the problem...at least on army.ca.

I make it a point to try to re-read my posts immediately after posting and then again before the time limit for editing expires.  The “sober second thought” not only lets me reduce the possibility of putting something out there which I don’t want but also lets me catch typos, grammar errors etc I missed the first time around.


----------



## Michael OLeary (29 Feb 2008)

If you want to know what can be done with data aggregators and your personal data, check this site:

http://www.zoominfo.com/


----------



## Yrys (29 Feb 2008)

Or read an article :

'Loose lips sink ships' witness tells terrorism trial in U.S.


----------



## Thompson_JM (29 Feb 2008)

Which would explain the knee jerk reaction Ive seen from several co-workers when they caught wind of a new CANFORGEN comming out regarding facebook. and they removed everything military on it... well... everything that they have control over.....

Personally I am going to read the damned thing first, and go from there.... Im all for OPSEC and PERSEC and all that Jazz... but when the official sites still have Combat Camera, the Maple Leaf news paper etc... and the Army Website puts up most of the specs on the damned vehicles for all to see, then I'll wait, watch and shoot, and exercise a little common sense with it all... 

until I need to start getting all super paranoid...... so far so good....


----------



## Yrys (29 Feb 2008)

Tommy said:
			
		

> until I need to start getting all super paranoid



I'm a civil, so I may be wrong, but when that time come, won't it be already too late ?


----------



## sober_ruski (29 Feb 2008)

Michael O`Leary said:
			
		

> If you want to know what can be done with data aggregators and your personal data, check this site:
> 
> http://www.zoominfo.com/



Well, apparently nothing


----------



## JesseWZ (29 Feb 2008)

I am not on the DIN by virtue of being in ROTP at a Civi university. When this Facebook CANFORGEN comes out, is there a publicly available place to view it?


----------



## Michael OLeary (29 Feb 2008)

JesseWZ said:
			
		

> I am not on the DIN by virtue of being in ROTP at a Civi university. When this Facebook CANFORGEN comes out, is there a publicly available place to view it?



Someone will probably post it here, likely in this very thread.


----------



## Jorkapp (1 Mar 2008)

Recieved via email:

CANFORGEN 038/08 SJS 007 122025Z FEB 08
OPERATIONAL SECURITY
UNCLASSIFIED
REF: A-SJ-100-001, NATIONAL DEFENCE SECURITY INSTRUCTIONS (NDSI) - 
30 SEP 98 
1.THERE IS A HIGH LEVEL OF RISK INHERENT IN SOME OF OUR ONGOING MILITARY OPERATIONS. THE NEED TO SAFEGUARD OUR PLANS VULNERABILITIES AND TO PROTECT OUR INTENT FROM AN ADVERSARY IS A FUNDAMENTAL PART OF HOW WE CONDUCT MILITARY OPERATIONS. TRADITIONAL SECURITY MEASURES SUCH AS: PROTECTING VITAL INTERESTS AGAINST THEFT, DIVERSION AND SABOTAGE, DENYING UNAUTHORIZED PERSONS ACCESS TO VITAL INFORMATION ABOUT OUR OWN CAPABILITIES AND INTENTIONS, AND ASSURING THE LOYALTY AND RELIABILITY OF THOSE PERSONS WHO ARE AUTHORIZED TO HAVE ACCESS TO CLASSIFIED OR OTHERWISE SENSITIVE ASSETS, CONTINUE TO BE AN IMPORTANT ELEMENT OF OUR DAILY ROUTINE ACTIVITIES. WHAT I WOULD LIKE TO STRESS, HOWEVER, IS THE INCREASED PERSONAL AND COLLECTIVE VIGILANCE WE MUST ADOPT AGAINST THE INADVERTENT RELEASE OF INFORMATION, WHICH COULD BE EXPLOITED BY AN ADVERSARY 
2.CANADIAN OPERATIONS ARE TAKING PLACE IN A VARIETY OF ENVIRONMENTS IN WHICH INFORMATION CAN BE READILY COLLECTED AND SHARED WORLDWIDE, IN NEAR REAL TIME. THE POTENTIAL SOURCES OF INFORMATION FOR AN ADVERSARY INCLUDE THE FULL RANGE OF OPERATIONAL, LOGISTICAL, ADMINISTRATIVE, FORCE DEVELOPMENT, AND PROCUREMENT DOCUMENTS. THEY ALSO INCLUDE FORMAL OR INFORMAL BRIEFINGS, DND OR CF WEBSITES, AND OFFICIAL OR UNOFFICIAL EMAIL EXCHANGES, CONVERSATIONS, WEB-BLOGS AND PHOTOGRAPHS AS WELL AS MOST ANY OTHER METHOD OF CONVEYING INFORMATION FROM ONE PARTY TO ANOTHER. WE MUST ALL THEREFORE BE MINDFUL OF THE NEED TO PROTECT OPERATIONALLY SENSITIVE INFORMATION, EVEN THOUGH THE INFORMATION MAY APPEAR INSIGNIFICANT ON ITS OWN. THE CAPABILITY OF AN ADVERSARY TO QUICKLY COLLECT AND PIECE TOGETHER INFORMATION CANNOT BE DISMISSED 
3.THE NATIONAL DEFENCE SECURITY INSTRUCTIONS (NDSI) AT REF, DEFINE OPERATIONS SECURITY OR OPSEC AS AN OPERATIONAL DISCIPLINE DESIGNED TO DENY ACCESS TO, AND PROTECT OPERATIONALLY SENSITIVE INFORMATION FROM AN ENEMY, ADVERSARY OR ANYONE WHO COULD EXPLOIT THE INFORMATION OR INTENTIONS, CAPABILITIES, LIMITATIONS AND ACTIVITIES OF AN ORGANIZATION. THE BASICS OF OPERATIONS SECURITY (OPSEC) ARE EASILY UNDERSTOOD AND CAN BE EFFECTIVE IN SUPPORTING MISSION SUCCESS WHILE KEEPING PERSONNEL SAFE. SIMPLY PUT, OPSEC IS A WAY OF THINKING THAT REQUIRES US TO BE ATTENTIVE TO INFORMATION THAT IS OPERATIONALLY SENSITIVE OR DESIRABLE TO AN ADVERSARY, AND THEN TO TAKE PROACTIVE STEPS TO SAFEGUARD IT 
4.OPERATIONAL SECURITY IS BOTH A PERSONAL AND A COMMAND RESPONSIBILITY. COMMANDERS AT ALL LEVELS SHALL INSTITUTE APPROPRIATE MECHANISMS USING THE OPSEC PROCESS TO IDENTIFY OPERATIONALLY SENSITIVE INFORMATION, AND SHALL ESTABLISH COORDINATED PROACTIVE MEASURES TO SAFEGUARD INFORMATION UNTIL SUCH TIME THAT THE RELEASE OF ANY PARTICULAR INFORMATION WILL NOT GIVE ANY ADVANTAGE TO AN ADVERSARY 
5.IN GENERAL, WHEN ASSESSING THE SENSITIVITY OF INFORMATION, ANY INFORMATION DEALING WITH PERSONNEL, EQUIPMENT, INSTALLATION OR OPERATIONS COULD VERY WELL BE SENSITIVE, IF NOT SECRET, AND IF SO MUST BE PROTECTED FROM INAPPROPRIATE, INADVERTENT OR UNAUTHORIZED RELEASE. THIS APPLIES TO BOTH INFORMATION RELATING TO NATIONAL ISSUES AND ACTIVITIES, AS WELL AS ALL INFORMATION PROVIDED TO CANADA IN CONFIDENCE BY OUR ALLIES. SPECIFIC CATEGORIES OF OPSEC ARE OUTLINED AS FOLLOWS: 

5.A. PERSONNEL RESPONSIBLE FOR PREPARING INFORMATION FOR RELEASE TO THE PUBLIC MUST ENSURE THAT OPERATIONALLY SENSITIVE INFORMATION IS PROTECTED FROM INADVERTENT RELEASE. THOSE PERSONNEL RESPONSIBLE FOR RESPONDING TO REQUESTS UNDER THE ACCESS TO INFORMATION ACT MUST BE FAMILIAR WITH THE ACT, AS WELL AS WITH THE PROCEDURES THAT HAVE BEEN PUT IN PLACE TO REVIEW OPERATIONALLY SENSITIVE MATERIAL BY THE INFORMATION SUPPORT TEAM ESTABLISHED FOR THAT PURPOSE WITHIN THE STRATEGIC JOINT STAFF 

5.B. THE USE OF THE INTERNET CAN BE AN INVALUABLE TOOL FOR MANY THINGS, NOT THE LEAST OF WHICH IS TO STAY IN CONTACT WITH THOSE AT HOME WHILE PERSONNEL ARE DEPLOYED. IT IS IMPORTANT TO BE AWARE THAT THE INTERNET IS NOT SECURE. ALL TRAFFIC CAN BE MONITORED, AND MUCH OF IT IS OPEN TO INADVERTENT EXPLOITATION. ONLY UNCLASSIFIED/NON-SENSITIVE INFORMATION IS TO BE SENT ON THE INTERNET/DWAN OR STORED ON UNCLASSIFIED COMPUTERS. SENSITIVE INFORMATION MUST NOT BE PASSED ON, OR STORED ON COMPUTERS CONNECTED TO, THE INTERNET 

5.C. IF NOT PROPERLY MANAGED WEBSITES, FORMAL OR INFORMAL, AND UNIT, FORMATION, OR OTHER NEWSLETTERS AND SIMILAR PUBLICATIONS CAN BE A MAJOR SOURCE OF INFORMATION FOR THE ENEMY. DND AND CF WEB SITES AND NEWSLETTERS MUST NOT DISCLOSE SENSITIVE INFORMATION, SUCH AS THE SPECIFIC CAPABILITIES OF OUR WEAPON SYSTEMS, THE DETAILS OF OUR OPERATING PROCEDURES OR OUR ORDER OF BATTLE, AND VERY IMPORTANTLY INFORMATION THAT CAN LEAD TO THE ENEMY BEING ABLE TO IDENTIFY AND THEREFORE TARGET INDIVIDUALS OR ORGANIZATIONS COOPERATING WITH THE CANADIAN FORCES OR ITS ALLIES IN AN OPERATIONAL AREA 

5.D. PHOTOGRAPHS AND VIDEOS (E.G. YOU TUBE, ETC.) POSTED TO THE WEB IN ANY CAPACITY, INCLUDING DND/CF WEBSITES, SOCIAL NETWORK SITES, PERSONAL BLOGS, OR E-MAIL OR OTHER WEB-BASED CORRESPONDENCE (SUCH AS CHAT) MUST BE CAREFULLY CONSIDERED BEFOREHAND TO ENSURE THAT THEY DO NOT CONTAIN ANY INFORMATION THAT CAN BE OF USE TO THE ENEMY 

5.E. SENSITIVE INFORMATION, WHETHER CLASSIFIED OR UNCLASSIFIED, SUCH AS OUR TACTICS, TECHNIQUES, AND PROCEDURES, OR OUR OPERATIONAL, ADMINISTRATIVE, AND LOGISTIC PLANS (INCLUDING OUR MOVEMENT PLANS), SHOULD NEVER BE DISCLOSED IN ANY UNCLASSIFIED WEB-BASED FORUM, PASSED BY INSECURE E-MAIL OR TELEPHONE, NOR DISCUSSED IN ANY MANNER WITH PERSONS WHO DO NOT HAVE A NEED TO KNOW 

5.F. DOCUMENTATION MUST BE PROTECTED. IF YOU DO NOT WORK IN A CLASSIFIED AREA, YOUR SPACE MUST BE SECURED IF YOU ARE GOING TO BE ABSENT FOR MORE THAN A SHORT PERIOD OF TIME. CO-WORKERS IN ADJOINING CUBICLES SHOULD BE MADE AWARE OF YOUR ABSENCE AND LOCATION IF YOU WILL BE AWAY FROM YOUR DESK FOR SHORT-PERIODS OF TIME 

5.G. CLASSIFIED OR SENSITIVE MATERIAL IS TO BE DISPOSED OF BY APPROVED METHODS. BLUE RECYCLING WASTEBASKETS ARE TO BE REMOVED OR MADE DIFFICULT TO ACCESS WHEREVER THERE IS A CHANCE UNCLASSIFIED INFORMATION CAN BECOME CROSS-CONTAMINATED WITH SENSITIVE OR CLASSIFIED MATERIAL - PARTICULARLY AROUND PRINTERS OR COPYING MACHINES 

5.H. INFORMATION THAT FALLS INTO THE ABOVE BROAD CATEGORIES MUST NOT BE DISCUSSED IN PUBLIC PLACES, AND ONLY WITH A PERSON WHO HAS THE NEED TO KNOW. EVEN WITHIN DND BUILDINGS, CLASSIFIED OR SENSITIVE CONVERSATIONS MUST TAKE PLACE ONLY IN APPROPRIATELY CLEARED LOCATIONS 
6.FINALLY, WE MUST ALSO REMEMBER THAT WHEN WE RETURN FROM DEPLOYED OPERATIONS, THE MISSION MAY HAVE ENDED FOR US, BUT IS LIKELY ON-GOING FOR SOMEONE ELSE. THEREFORE, WE MUST NOT LET OUR GUARD DOWN, BUT CONTINUE TO MANAGE AND CONTROL CLASSIFIED, SENSITIVE OR VALUABLE INFORMATION AND ASSETS DILIGENTLY TO PROTECT BOTH THE INTEGRITY OF THE ON-GOING MISSION AND THE LIVES OF CANADIAN AND ALLIED SOLDIERS, SAILORS, AND AIR PERSONNEL INVOLVED 
7.THE ABOVE LIST IS NOT EXHAUSTIVE, AND EACH MEMBER MUST MAKE IT HIS OR HER PERSONAL RESPONSIBILITY TO ENSURE SENSITIVE INFORMATION IS NOT COMPROMISED. IF IN DOUBT, TREAT IT AS CLASSIFIED. THE CANADIAN FORCES ARE ENGAGED IN COMBAT OPERATIONS AND THE SAFETY AND WELFARE OF OUR PEOPLE ARE AT STAKE THINK OPSEC. WE MUST ALL DO OUR PART


----------



## Yrys (1 Mar 2008)

Civilian question :



			
				Jorkapp said:
			
		

> Recieved via email:
> 
> *30 SEP 98*



Does that mean they released that memo in 98 and are replublising it now ?


----------



## Teddy Ruxpin (1 Mar 2008)

30 Sep 98 is when the reference came out.

Aside from the CANFORGEN noted above (which is hardly new information - similar warnings have come out from time to time), there is no "Facebook" message and nothing published that pertains to Facebook.  

And before someone posts an e-mail that states the opposite, I have one coined word to offer: "DINspam".


----------



## Yrys (11 Mar 2008)

garb811 said:
			
		

> And, you should really, really be considering moving to an encryption system for your email.  Like anything else on the web it is liable to interception without too much difficulty and it also leaves electronic tracks on any server it passes through.  There are very good, high quality products out there that you can use (some of which are free) to help safeguard your privacy.  Check out Hushmail, Pretty Good Privacy or gnuPG/GPG4win.  Hushmail has the added benefit that most other Webmail accounts lack of not sending your IP address in the header of the email.



Just don't think that encryption is a panacea.

Memory trick breaks PC encryption



> Encrypted information held on a laptop is more vulnerable than previously thought, US research has shown.
> 
> Scientists have shown that it is possible to recover the key that unscrambles data from a PC's memory. It was previously thought that data
> held in so-called "volatile memory" was only retained for a few seconds after the machine was switched off. But the team found that data
> ...



link


----------



## NL_engineer (11 Mar 2008)

Looks like a self destruct device is in order, at least that way the the information can't fall into the wrong hands, and the would be hacker gets what he deserves  ;D.  

Even if it is powered off there are still ways for hackers to access data.


----------



## Rodahn (11 Mar 2008)

To see your web address, just go to

www.whatismyip.com/


----------



## garb811 (11 Mar 2008)

Yrys said:
			
		

> Just don't think that encryption is a panacea.



Sure, if you're to the point that you have material on your HD which is valuable enough and have attracted the attention of someone with the technical and physical capabilities for them to pull an attack like this off.  This is one of those "security holes" that looks scary in the lab but which is almost impossible to pull off IRL; doing something in the controlled environment of a lab does not mean it is anything beyond a theoretical threat.  Plus, the simple step of properly powering down the computer makes this impossible to pull off.

For 99.9% of us, this is a non-issue and we should be worrying more about having our laptop stolen for pawning rather than staying awake at night worrying someone is going to throw it into a vat of liquid nitrogen to try to strip the key out of volatile memory.

EDIT TO ADD:  And, a much more credible threat to this problem is to install a keystroke logger.  Walk by the target computer while it is on, pop a prepared flashdrive into a USB port and it's probably done as the vast, vast majority of computers do not have their USB ports blocked.  No need for anything fancy, the KISS principle works in espionage just like the military.


----------



## Franko (11 Mar 2008)

milnewstbay said:
			
		

> Something from the CF on this, shared in accordance with the "fair dealing" provisions, Section 29, of the _Copyright Act._
> 
> *Military warns soldiers not to post info on Facebook*
> CBC.ca, 25 Feb 08, 20:10 PM MT
> ...



Come on Ram, use that noodle of yours for one second will you?

There have been pictures in the past that were very much OPSEC concerns and violations, Lord only knows what will pop up in the future.

From one good picture you can gather all kinds of information, all it takes is one moment of poor judgment on a soldier's part and it's out there for ANYONE to see.

But you only see a conspiracy.        :

Regards


----------



## Eye In The Sky (11 Mar 2008)

NL_engineer said:
			
		

> Even if it is powered off there are still ways for hackers to access data.



Would you mind telling how a hacker gets data from a powered-down system?  (assuming you mean remotely, that is, as opposed to slaving your HDD to their machine).


----------



## NL_engineer (11 Mar 2008)

Eye In The Sky said:
			
		

> Would you mind telling how a hacker gets data from a powered-down system?  (assuming you mean remotely, that is, as opposed to slaving your HDD to their machine).



I meant physicaly, (thats the only way I can see it being done) but I will have to ask a friend now, as you got me wondering if remotely is still possible after the system is shut down.


----------



## hauger (11 Mar 2008)

Eye In The Sky said:
			
		

> Would you mind telling how a hacker gets data from a powered-down system?  (assuming you mean remotely, that is, as opposed to slaving your HDD to their machine).



I'm not entirely sure of the mechanics, but the gist of it works like this.  Someone steals a laptop with an encrypted HDD on it.  The encryption key is stored in DRAM, so, the evil hacker monkey who's out to get you plugs a bootable USB key it which has a naughty little piece of software on it that, upon booting, dumps the contents of the DRAM onto the key.  Now all our anti-hero has to do is grab the key from the USB key (following all the keys?) and they've cracked your HDD encryption.

Way # 2 is to, very shortly after the laptop's powered down, freeze the DRAM with a re fridgerant that keeps the DRAM info from fading away.  Then, with the encryption key happily frozen on the DRAM, they remove the ram, check the key, then get down to the business of looking at all your vacation photos you'd so diligently encrypted.

Search for it on google, it was big nerd-news last week.


----------



## Eye In The Sky (11 Mar 2008)

NL_engineer

Don't waste your time or emabrass yourself...its not (remotely).   ;D


----------



## Eye In The Sky (11 Mar 2008)

Hauger,

Key word in my post was *remotely*


----------



## garb811 (11 Mar 2008)

It is also possible to power on a system remotely if it's Network Interface Card is "Wake on LAN".  Look at the your NIC when you have powered down your computer, if it is still lit-up, you have a WOL enabled card and theoretcially someone could power on your computer remotely.  If they knew your schedule they could power up your machine, log on via a trojan, do what ever they wanted and power down afterwards and you'd never be the wiser.

Wake on LAN mini Howto

Hauger:  That's the attack described in the article Yrys posted.


----------



## Mike Baker (26 Mar 2008)

Here is a pretty good video, espically about Facebook, on Cyberstalking.


----------

