I’d argue yes, and from a legal standpoint, fuck, yes. It falls under the Computer Misuse Act here in the UK, and I know the States and most other countries have similar legislation. It’s illegal, for good reason.
I’ve just forwarded this to a friend of mine who works with DV victims. Anyone got any useful mitigation strategies that would be of use to her? The article scared the pants off her. Her advice at the moment is to advise folks to clear their browser history…
Take off and nuke the site from orbit. Full stop. Computers? Wipe and reinstall from retail media. Phones/tablets? Full restore from vendor’s image.
Accounts? All the passwords, all the security questions(and don’t, please, use answers that actually correspond to personal/biographical truths. Lexis-nexis knows that stuff, you think you ex doesn’t?)
Credit cards? Reissue, as if compromised. You are.
Hunt down every stray oath/similar delegation and terminate it. Also check everywhere for ‘reset’ emails. All it takes is one under hostile control to unravel the web of accounts you have.
Physical security? If there is anything in-line with a peripheral that you didn’t put there with specific knowledge of what it is, assume a keyloggers or other bug. Those are small and cheap these days.
That mostly covers the bare minimum. A thorough inspection of any vehicle for GPS/cell bugs isn’t a bad idea(note, unless the ex has been removed, hard, from the ‘OnStar’ or equivalent service, that counts as a bug, and an atypically powerful one at that.
1 Like
That would go FOOOOOOOM, straight over her head, like a Bussard ramjet at full-tilt (and those who’d need the advice from her, too). She ain’t tech-savvy. I’ma run her through stuff like bootable USBs/live Cds like Puppy, and so forth next time I see her. Told her to contact our local university too, as they do an Ethical Hacking course. Getting the students to put together a presentation and materials she could use would be a FAR more worthy project for them than training them for defense jobs and spying on bank employees…
(yes, I am a disillusioned drop-out from said course…)
This is quite true, techies do abuse too. My intended point was that, given the imbalance between attack and defense, it barely matters how much of a meathead the threat is or isn’t. An idiot with a small budget can buy attack tech good enough for most purposes. The state of commercial offerings is such that a techie might save some money; but is otherwise scarcely more dangerous(barring TAO spooks and people with work access to telco databases license plate records, or the like).
1 Like
You’re right. Even better. 
And in hindsight I’m like, what the fuck? Why was I so dumb? Of course he had access to everything. NO WONDER he always seemed to know where I was, who I had been with. Some other weird things come to mind as well. It’s a very strange feeling when it happens to you, and you look back a few months or years later.
1 Like
These are pretty cheap and help searching for physical bugs and pinhole cameras.
It’s probably also not a bad idea to change your primary email address so the one they’re using or trying to get into is now not even in use. Leave the account open so you don’t lose actual emails from people who didn’t know you’ve changed it and so anything sent there by the perp doesn’t bounce.
I don’t doubt it. The trouble is, I don’t think that I indulged in geek-preening or hypothetical very-low-probability stuff anywhere in there, so I wouldn’t really know what to cut (in fact, I totally forgot the, vast and messy, issue of information leakage from ‘sharing’ or ‘social’ services, especially if the provider fucks up, like ‘Google Buzz’ or if you don’t want to be driven entirely off all the social networks you like, if you are into that sort of thing.)
You’ve got a combination of security and password-recovery policies driven largely by laziness, cost sensitivity, and a desire not to deal with angry locked-out customers, privacy policies designed by advertising weasels whose idea of a scary abusive relationship is having to pull a double Irish to reduce their tax exposure, and the sheer capacity of technology for cheaply and easily aggregating lots of data. It’s an intrinsically hard problem, unless hiding out in your SCIF with a bunch of small arms is your idea of fun.
1 Like
If she’s not tech savvy enough to do these things, tell her to buy new stuff. At the very least meet her with the machine and install https everywhere https://www.eff.org/https-everywhere on her machine, tell her about private browsing sessions, tell her not to save user accounts in the browser.
There’s no reason to use a usb bootable OS if she’s got a new retail install of windows. Bootable stuff will probably further confuse since settings are usually not persistent between boots. Go and get yourself a copy from tpb if you need one - you’ll find perfectly working copies of any version you want.
Socialist Europe doesn’t employ spyware? They did in Germany. The EU sells the shit to dodgy foreign governments. In the WSJ piece EU produced spyware was sold to Ethiopian Govt and installed on computers of Ethiopians in Europe. I don’t think you’re as safe as you think you are.
As long as you’re not running as Administrator it’s much harder to install anything. It’s possible, but usually via exploits that will allow greater permissions than are granted. The biggest security hole is usually the user. It’s trivial for spyware-containing executables to be secretly packed into other software installers and installed without the user even realising they’ve installed more than the actual thing they gave permission to install.
The other sneaky trick they sometimes use is to use a computer’s ability to display right-to-left text in file names to hide the fact that you’re about to run an exe. They’ll send you a file seemingly titled NiceJugsexe.avi, but the last letters actually run in reverse, so you’re about to execute nicejugsavi.exe. Not nice.
1 Like
A few points:
I’m not saying it’s right, I’m saying it’s legal. If people don’t think the laws reflect what’s right then the thing to be doing is demanding those laws change. Very few companies will err on the side of ethics when it comes to maximising the bottom line.
The only solution, short of changing the law, is to empower users to understand these things and how to mitigate them where possible. As fuzzyfuzzyfungus mentioned there are ways to run almost any machine so you’re the boss: bootable USB drives. I’ve tested it myself on my colleague’s windows machines - running bootable Ubuntu from a USB drive. These are usually windows machines that are locked down like a mofo with no permissions that become fully functional machines with no corporate oversight.
When it comes to the government issuing laptops to the poor or schools issuing laptops to students, it’s a totally different story, because those people haven’t signed a contract that says they will exchange work for pay.
Spyware doesn’t kill people. People kill people…and animals sometimes…and mother nature…but not spyware.
Yeah, I mentioned HTTPS Everywhere & private sessions to her. It’s not for her, she’s long gone from that, it’s to help put together a presentation for her clients - she’s a DV counsellor/advisor now (well, her job is actually Domestic Violence advocate, believe it or not. I have pointed out the irony, but, hey. Management. Go figure). Re a bootable OS, I dunno about overkill, it’s what all the justifiably paranoid folks I know use for banking and so forth. And if you are stuck in a relationship and living with someone who has physical access to your machine, I reckon it could be useful. Even if there’s nothing more been done than net nanny put on there and set to screen out DV help sites and so forth, all of a sudden someone has access to help and info and a conduit through which to communicate, which is empowering. It really is difficult to overstate how easy it is for someone to be utterly cowed and controlled in that situation. Like never allowed outside on their own, no chance to use another machine, no trips to the library, nothing. It does have its own set of difficulties though. Ah, well, I get plenty of free time, I’ll poke about and see what’s useful. Cheers.
If we are using gun metaphors aren’t all guns loaded, especially the unloaded ones? And you don’t point a loaded gun at anything you don’t intend to shoot.
Likewise, if you install spyware on a machine used by anyone else, even if you don’t turn it on, you are intending to spy on them.
(I don’t know how serious you were, but I do know that some people will believe it.)
Depending on the circumstances, beware the network group… If the desktop/laptop deployment guys forgot to lock the BIOS, yes, you can boot from a different OS; but the chat with HR, it will Not Be Pleasant, if the network guys notice that your machine isn’t acting as expected, obeying the assorted group policies, and so on. If they aren’t watching, lucky you. If they are, it is quite tricky to make some liveCD look like the approved corporate Windows box. Quite tricky indeed.
And, unless this is a penny-ante operation, they’ll know which port and drop the noncompliant system is on, which system went dark, and who the expected user of that system is excitingly quickly. The network guys are the man in the middle, and only their apathy, business, or discretion limits their exploitation of that.
1: one that pleads the cause of another; specifically: one that pleads the cause of another before a tribunal or judicial court
2: one that defends or maintains a cause or proposal
3: one that supports or promotes the interests of another
Having said that, it would make more sense for her title to be Domestic Violence Victim Advocate, since she doesn’t work on domestic violence issues as a whole but rather specializes in working with the victims.
Aye, I know. From a layperson’s reading, she gets that gibe a lot though, poor lass 
1 Like
