Note: This article was slated to be published on escapeartist.com in February.
Expats tend to be strategic thinkers, proactive planners and, above all else, action takers. However, I have discovered that, in my travels abroad, expats often overlook the importance of simple cyber security measures in their ventures. Why is cyber security so vital for the expat in particular? In the following, we will briefly survey the answers to this question and subsequently, in a following series on cyber security specific to the expat, provide a guide to cyber security solutions of vital importance to the expatriate. (Many of the solutions are free and open source and can be implemented readily by anyone who can turn on their computer and operate a mouse.)
Underdeveloped cyber infrastructure
“We’re not in Kansas anymore Toto.” Most expats hail from the major nations of the West, e.g., the U.S., UK, Australia, etc. Granted, the expat has many reasons for fleeing these proverbial coups but what these particular countries do have is a highly developed cyber infrastructure and have placed a good deal of engineering efforts into the area cyber security (true of most developed, Western nations).
On the flip side, many of the emerging nations to which expats relocate provide just the opposite in terms of network infrastructure. While the comms are there, security, if present at all, has been found to be woefully lacking. This has been the norm since the beginning implementation of networks. Convenience precedes security and thus cyber security is often but an afterthought—security is viewed as a final, ad hoc formality.
For example, I regularly travel throughout both Central and South America (most recently foraying into Asia). As an information security specialist and Ethical Hacker, I am always curious about the local networks and security architecture. From the local hotel to public Wi-Fi to local business, I have, to date, evaluated networks in Chile, Costa Rica, Puerto Rico, Panama, Guatemala, Colombia, Nicaragua, and Japan. The common thread? When these networks are secured at all, it is usually with a weak and/or outdated encryption standard (e.g., WEP) or the access key is made publicly available which, in essence, provides the means for decryption on the part of a malicious party.
Without becoming overly technical at this point in the discussion, suffice it to say that, based on a flaw in implementation of WEP, any WEP password can be decrypted in about 30 seconds by anyone with enough skill to search for directions on Google. It is that easy. However, even the higher levels of encryption such as WPA and WPA2 can be readily decrypted if the key is discovered (which can also be quite simple given the right tools and know-how) or if you are simply sharing the network.
To illustrate this point further, have you ever used the Wi-Fi provided by a local restaurant or coffee shop (or other “Free Wi-Fi”)? If so, the chances are good that a malicious individual on the same network was monitoring your every online move from checking your e-mail to reading your bank statement all the while stealing your credentials and other valuable, confidential information. This is a common tactic of hackers as well as data and identity thieves. In a subsequent article in this series we will discuss how to mitigate and outright prevent such breaches.
Leaving one’s country for greener grass and brighter shores does not always mean forsaking the conveniences of home altogether. On the contrary for those who have departed from Western nations. Such expats continue to, in most cases, rely heavily upon country-of-origin financial institutions due to both the convenience thereof and, a modicum of confidence commensurate with those institutions. This, in and of itself, is not a problem.
The problem is that “All roads lead to Rome.” What this means is that, quite simply, anything connected to the Internet, whether a desktop PC, laptop, tablet, smart phone, web server, thermostat, etc., is just that--connected! And when a device is connected to the regular Internet (or the ever more pervasive Internet of Things) it is accessible and can be monitored by any other device that is likewise connected. Moral of the story, any time one connects to the Internet without taking the appropriate security measures, especially when accessing financial or other personal and confidential information, he or she is at risk of compromise.
For example, I am often called upon to provide security assessments and awareness training for my clients. It is a trivial matter for me to set up a wireless access point and broadcast an SSID (access point name) of “Free Wi-Fi” with my personal PC being used as a gateway for any traffic via any associations with the access point. As such, I am able to monitor every single bit that flows across the ether. I can capture e-mail usernames and passwords, banking information, monitor social network usage, redirect an individual’s traffic to sites of my choosing, and plant malware. All of this with ease.
Such attacks and attempts on your data are not isolated “It can’t happen to me” events. It is happening quite frequently and, chances are good that, even as you read this article, your computer is being probed by automated botnets designed to crawl the web and probe for vulnerable networks and network devices. In a forthcoming article in this series, we will discuss the means to mitigate such attempts on your confidential data.
Not much really needs to be said under this point. The term government essentially includes intrusive as part of its modern definition. However, later in the series one article will be dedicated to just how the U.S. and other governments are monitoring and logging much of your personal data (without valid reason or warrant), exactly what types of data they are collecting, and what you can do to mitigate such intrusive government monitoring and, effectively, “go off the digital grid” without giving up the Internet. This is an ever-evolving and important issue, particularly for the expat, as home governments are even more interested in keeping up with those who have expatriated. The old cliche "you have nothing to worry about if you aren't doing anything wrong" is not a valid retort to the law abiding citizen--privacy is a psychological necessity.
There are many players at work in the Internet underground (or “Darknet”) and, as this is an introductory article to a full series on cyber security for the expat, we will not herein delve into the details of these varied and sundry individuals and groups. Further along in the series the reader will be introduced to: the hackers, the “carders,” digital pirates, major cyber crime syndicates, and the cyber jihadists. Particularly, the expat will learn just what such individuals want from them and how to best protect him or herself from exploit.
In the above, the reader was introduced to the primary topics of discussion in a forthcoming series on cyber security for the expat, an everything-you-need-to-know and how-to from soup to nuts on protecting your personal information, preventing prying digital eyes, and staying safe online.
“A proposition must restrict reality to two alternatives: yes or no” (Ludwig Wittgenstein).
One often hears the statement “It isn’t all black and white” supplemented with the
“shades of grey” utterance. But what exactly might this mean? As used in its appropriate
context (the context of attempting to weakly demonstrate that a given x is such that x is
less than clear and distinct, i.e., x is non-definitive) it seeks to present a form of relativism
(weak relativism to be sure).
The position can be stated as follows in the form of an argument:
(1) Some things are clear and distinct (read: black and white).
(2) Some things are not clear and distinct (read: shades of grey).
(3) Therefore, one cannot speak with certainty or exactitude about those things
which are shaded grey (neither black nor white).
(1) How does one know just which statements are black and white and which are
shaded grey? What are the determining criteria? If there is in fact a set of
criteria, can it be demonstrated as non-arbitrary?
(2) Is it the case that for that which is shaded grey to one might just in fact be
black and white to another (perhaps one with more background knowledge,
greater insight, or more experience)?
(3) Even if there are statements that are shaded grey, why could not one speak
with definitiveness about them? This seems less than necessary.
(4) Is the statement “It isn’t all black and white” coupled with “There are shades
of grey” itself black and white or shaded grey? If it is itself black and white (clear
and distinct) then there are in fact no shades of grey (self-refuting). If it is itself
shaded grey, then it is itself as well not clear and distinct, i.e., not black and white
and thus need not be taken seriously as we are uncertain as to its truth value as a
proposition. And, to utilize the principle behind the shades of grey argument, one
can’t speak with certainty regarding the principle that so certainly declares that
not all is so certain! For in so doing, one is presupposing black and white all
(5) On a formal note, premise (3) in the above argument does not clearly
follow from premise (2). Therefore, the argument isn’t deductively valid.
The shades-of-grey argument likely stems from a degree of indecisiveness or is used as a
justification for non-commitment on the part of its proponent (a psychological rather than
logical issue). The law of excluded middle states that either A or B but not both A and B
(exclusive sense of disjunction). (A v B) → ¬(A ⋅ B). One might take issue with this by
proposing a third option (we already have black and white and not black and white),
perhaps shades of grey is the third option. I think that this can be avoided by stating that
black and white statements are simply (or contain), in as much as they are reduced to
their logical constituents, either true or false propositions (in as much as the statements
satisfy the requirement of propositionhood). So-called shades of grey statements must,
necessarily and de facto, be either true or false as well--this can’t be avoided. So, as it
turns out, black and white statements and shades of grey statements are logical
equivalents with regard to truth value (the content of a proposition y is either true or false
as related to the facts of actual experience).
Now, it can be objected at this point that even though a statement z be true or false (in an
ultimate sense) it may not be the case necessarily that it be clear conclusively that such is
the case (z is a shade of grey in the immediate sense). This is the issue of practice vs.
principle. Even if z is less than clear with regard to its truth value in practice, nonetheless
it is knowable as true or false in principle and thus the objection is satisfied (if z can in
fact be said to have semantic significance (meaning) then z has a particular truth value).
It may be of some use to point out the failure of the analogy itself. Colors do in fact
occur on a continuum but not words; and if not words, then it follows not statements.
Words have meaning whereas what can be said about colors has meaning and not the
colors themselves. Colors are properties of things whereas words represent (stand in the
place of) things--even colors. Thus statements, in as much as they relate to the factual
world, have a particular truth value, i.e., they must be either true or false--nothing in the
middle. Representations are truth functional whereas properties are not (properties are
descriptive of representations and possibly the objects represented). The representational
statement of the instance of a pen having the property of blackness being at this moment
on my desk “There is a black pen on my desk” is either true or false; whereas simply
“black” is neither true nor false (“black” here not being a predicate of a thing). If a
statement corresponds to some fact or facts in the world, then it has a particular truth
value (cannot be shaded grey).
Now, one might argue that, ultimately, this isn’t a debate over whether or not there are in
fact propositions that are black and white and shaded grey but, rather, whether or not
there exist facts in the actual world that are themselves shaded grey and not black or
white. This can be dismissed rather easily. A proposition stands as a representation of
the facts of the world, thus, as propositions can be only black or white, i.e., true or false,
then it can’t be the case that there be facts that are shaded grey. The facts of the world
themselves have truth value (there are relationships that hold between the facts of the
The government is not only monitoring your e-mail. Since 9/11 the USPS has also been monitoring your snail mail for the spooks (technically, the postal service has been monitoring mail in some form or fashion for about a century). Every single letter or package shipped and/or received by the United States Postal Service is photographed and stored for varying government agencies (particularly the NSA) with access provided to civil authorities as well via special requisition (BUT NOT NECESSARILY REQUIRING JUDICIAL REVIEW!) Read more here.
Via a program referred to as Mail Isolation Control and Tracking, photos are taken of the fronts and backs (i.e., mail covers) of all envelopes and packages and stored by the NSA in what must, by now, be a very large database. Essentially, what is being collected is metadata--the data about data. For example, this method allows the NSA to keep tabs on just whom is communicating with who. And you thought that your Christmas Card to Aunt Judy and Uncle Dave were private...
While this may, prima facie, seem trivial, if one takes into account the amount of correspondence sent and received over a lifetime (just a few years even!), the NSA can map out some pretty specific details about a person. For example, one's network of friends, family, and general associates, companies with which one does business, creditors and debts, financial status, legal issues (e.g., documents from law firms and courts), personal interests (e.g., via magazine subscriptions, packages received), and much more.
For the most part, the data collection is general however we do know that specific individuals are quite often targeted for more detailed monitoring. (Think again if you believe that the government can't/won't open your correspondence and/or packages). (See a 2013 New York Times piece for some documented abuses.) Of course the government's argument is that no one can have a reasonable expectation of privacy as it relates to clearly visible data collected from the outsides of packages. This may be true, but certainly only to an extent. The extensive net of data collection and the maps that are being constructed of the lives of average American citizens with no connection to crime or terrorism IS an egregious violation of privacy. Why should your data be sitting on some government server without warrant? Most in InfoSec and the privacy field agree with me--it shouldn't!
Remailing is a method of (somewhat) obfuscating the origins of a parcel or piece of mail. For example, someone from Arizona doesn't want to give away his/her general area of residence or occupation to another party but communication is required with said party and, as such, he/she sends the correspondence via snail mail to another location to be remailed such that the postmark will show from, say, Florida instead of Arizona. Essentially, all that this requires is that one drop a pre-stamped letter into another stamped envelope addressed to a remailing service. The remailer receives, opens, and remails internal envelope.
It must be said upfront that utilizing a remailing service doesn't protect one from the purview of the USPS or other federal agencies (even the USPS offers a remailing option) if the remailer relies upon USPS. However, remailing can, in fact, be utilized to enhance one's personal privacy even via USPS as long as one understands that there is no way to avoid USPS monitoring pending one is relying upon their services. If one wishes to avoid the USPS's egregious data collection net, use a private service (no guarantees here that they aren't handing over your data as well, they likely are but using a third-party + following some simple protocols can mitigate at least some of the risk).
Remailing is just one of many privacy-enhancing options for individuals who must communicate with other individuals/companies/organizations in cases whereby physical location and/or general area of residence/occupation needs to remain private or in such cases as one wishes to remain fairly anonymous (note: a modicum of anonymity can indeed be had via remailing if certain protocols are followed). Who needs a remailing service? Some example users: abused and battered women attempting to remain hidden from the abuser, whistle blowers/leakers, people reporting crimes who wish to remain anonymous, sending complaint letters, recording ethics violations, communicating with pesky creditors/debt collectors, "secret admirers," or, more generally, simply for people who don't want to be found (and don't forget remailing is great for jokers and pranksters!)