Friday, August 12, 2011

BEWARE: A hacker can put you out of your misery

BTC- It happened to me.  I was hacked and for good reasons.

This summer I moved into a new building in the wealthy, surveillance laden town of Bellvue, Washington.  It is home to much of what Microsoft is known for today.  The move itself was a compromise with my sometimes privacy-deaf significant other, so he could save hundreds of hours in traffic and gas.

My misery quickly compounded when I realized, only after receiving the keys to my new digs, that every elevator ride and doorway entry was dependent on an activated and encrypted HID brand "key fobb".  The rental administrators, cheerful and accomodating birds of a feather, expressed enthusiasm  over the RFID tote as a posh security amenity. In the days to follow, I became relentlessly irritable, crabbing at every movement based on a requirement that I use the damned RFID device.  All of my new acquaintances heard my exasperation.

Misery proved desperate for company, as I dragged a local activist to the downtown area after attending an ACLU legal education series on government surveillance of non-criminal activity.  I wanted him to see exactly how prolific the CCTV surveillance had become.

"I really don't like it here and I don't want to be here," my guest said after rolling through intersection after intersection containing 2 real time CCTV cameras, a scattershot detector and some ugly speed radar equipment.  If you couldn't make the case for a government audit based on waste detection, you could make the case for sheer urban blight.

The first time I noticed the cameras weren't limited to intersections, I was shopping with my partner at Whole Foods.  As we wheeled the grocery cart to the back of the trunk,  our attentions were suddenly diverted.  A large ruffled crow was sounding off loudly after landing atop a city CCTV camera in the far corner of the parking lot. It was a creepy goad, galvanizing my resolve to not let Big Bro. get me down and to lend an effort to make a difference.

As we returned home, I was quickly reminded that an RFID record was created as I  entered the elevator at 2:30 PM at the 1st floor of the garage and then pushed the up button to my floor at 2:31PM.  If that wasn't enough, there was a dome-camera watching  my partner and I cart our groceries into the foyer while waiting on the elevator.

This was fast becoming my life and it was driving me crazy.

I went to the HID website searching for my key fobb product when I came across their governance contracts and contributions to the UAE's national ID program and a nice fat endorsement of the NSTIC program.  A matter of hours later, I irritably waited for my webmail to load in Internet Explorer and tried not to dissolve into a puddle in the middle of the business center.  A short time later  a man seated himself next to me and  introduced himself as a DHS bomb detection worker.  He proceeded to try to bait me in conversation with neat questions like, "So you think the agency should just be disbanded, huh?" and other greatest hits like, "So you would be okay with letting our guard down and people bombing this country, huh?" and "Who do you work for?"

I didn't actually answer these questions.   I just stared at him in wonder, at how close this all seemed to some sort of lucid collaborative harassment.  Could it be that someone was busy writing a SAR in anticipation of what I *might* do as an activist in the Seattle Metro area? Seattle, WA was the one of the initial pilot locations of the model Fusion Center.  My mention of certain TSA workers' cancer affliction due to airport Rapiscan equipment made for a convenient end to our conversation.

THE ADVOCATES AT BLACK HAT

Some connections with dotRights campaigners and members of the active medical marijuana community assisted me in my quest for soul survival in what seemed like digital snakes nest for a privacy & civil liberty proponent.  Some of them would be making a pilgrimage to the Defcon/Black Hat Conference.   As it turns out Black Hat, the beaming intellect of the hacker conferences, was based in Seattle too.

In the days to follow, privacy advocates aired grievances during the Black Hat conference over Facebook's cardinal sins against privacy: arbitrary data retention, open face delivery to federal and corporate surveillance authorities, biometric captures and intrusions unearthing users most sensitive information, like Social Security Numbers.  Our contribution was an interview with an app developer for Obscuracam, where we re-discovered the Big Web problem of social media profiling by prospective employers. Follow up reports from NPR revealed, social media research firms have been contracted by HR departments to dig up anything you have posted to social networks in the last 7 years.   [Pssst.  Use AccountKiller.com to clean up your mess now!]

Another late development following the conference was the rise and fall of Anonymous' Facebook Op.  The 10 month old campaign railed against Facebook's International crimes against the user privacy in this video release.  Amid their other damning claims was Facebook's involvement in trading activist profile information with authoritarian governments for purposes of targeting in Egypt and abroad.

The conference ended over the August 6th weekend.  And the people rested on Monday and Tuesday and part of Wednesday even...

WHEN SOMEONE DEACTIVATES YOUR RFID TAG....

I tend to hole up in my home, reporting, watchdogging without leaving for days.  I left my home on a Thursday afternoon and boarded the elevator.   I posted my HID key fobb to the door panel.  It glowered red and took me for a ride to the basement. Again- to the right corner was your friendly-fascist dome cam to greet me.

A nice Indo-Asian couple and their young son boarded the elevator and recommended that I just try using my key fobb a different way.  Following their advice to get to the rooftop, I took the stairs for exercise.  As I got to the top, my key fobb didn't work, glowing a nice red -NO- to my entry at the roof.  I figured this was fluke.

It wasn't.  I quickly learned I was trapped in the stairwell and unless I reached the ground floor of the building I would not be able to get out.  This was the certain taste of what it would be like to be suddenly cut off  from access in a heavily RFID dependent building.

I made haste to get down to the bottom of the building.  I went outside to test my key and had to have help from another tenant to regain entry.  My key fobb was not working.   I tried the mercies of  a gentleman coming through the doorway.

I quickly explained my distress over the electronic key malfunction and the close of the leasing office for the day.  I didn't have my phone with me to call for help.

He worked for Microsoft- how could he deny me technical support?  We worked together to get on the phone with the building's after hours service.  We retrieved the emergency number online and moved onto the next hurdle.

As a new neighbor, he successfully assured me he wasn't a serial killer and accompanied me to his new home to retrieve his cell phone.   He didn't yet have land line service.   As I milled around the couches  in partially furnished living space,  I came across interesting books, The True Believer: Thoughts on the Nature of Mass Movements and a yellowed paperback of Atlas Shrugged.  I could count my blessings,  I was in good company.

The leasing manager was then added to our conversation.  She asked me to provide my key fobb number.
LM:"Did you do anything to your key fobb?" 
Me: "No."
LM: "It's not coming up! What did you do to your key fobb?"

BE CAREFUL WHAT YOU WISH FOR...

I agreed to meet the building manager immediately downstairs in the Leasing Office to figure out what went wrong.   I handed her my keys and she punched in the numbers of the key fobb device.

LM: "You're not in here.  I've checked 5 times.  You are completely gone.   I can't find your name.  I can't find anything! It's gone. There's no record of you in this system."
Me: "Whoever did this knows me pretty well."

I sighed, realizing my incessant complaining about the RFID dependent use in the building, may have reached the ears of some pranking, friendly hacker sprites.   It was a neat trick but scary for the leasing office because they discovered a systemic vulnerability which needed professional casing.

I finally explained there are 4 types of hackers: basement hackers, corporate penetration testers,  the feds and vigilante hackers, like Anonymous.   She should probably look into a corporate hacking remedy to shore up the holes in their system.

I was given an pseudonym account with a different key fobb.  Nowadays,  I can get around the building and no one really knows it's me.  If the lights go down, I will know how to exit the building safely.

With the bulk of privacy battles still in front of me, this relief was as much welcome, as it was mildly unnerving.  It might be tough to say I am uninitiated to the pranks and benefits of the hacker community.

This blog will be my only way to thank them for their backhanded brand of help from the digital underground.

But I will look into the sunset from now on and wonder,  who was that anonymous hacker who helped me beat my chip?!




No comments: