#19 – JUST BECAUSE THEY’RE REALLY OUT TO GET YOU, DOESN’T MEAN YOU AREN’T PARANOID – DR. CAROLYN TURBYFILL

Posted on by

turbyfillIn my work as a software architect and security expert, I always consider boundary conditions such as malicious input as opposed to normal behavior.  I also consider innocuous errors that could lead to disastrous consequences.

I immediately applied this approach to the NSA Prism program and came up with 3 scenarios:

  1. Innocent mistake and courteous response that could make me a person of interest or worse.
  2. Message embedded in a collect call request.
  3. A business or vengeance opportunity.

EXAMPLE 1: INNOCENT MISTAKE AND COURTEOUS RESPONSE
Occasionally I get call to a number on my cell phone that is a wrong number.  Sometimes the caller leaves a message that sounds important to the caller and intended recipient.  For instance, once I received a voicemail from Montreal from a man calling “Patrick”.  He said he had gotten to the hotel very late and asked to meet later the next morning.  I called the number back and said:  “Hi, this is Carolyn Turbyfill and I just got a message from you for Patrick.  There is no Patrick here.  What number were you calling?”  The caller told me the number he intended to call, I told him what he had dialed wrong, and he thanked me.

Simple.  Innocent. Even kind and thoughtful.  Right?

Wrong.  What if I get a bunch of these messages from someone connected a terrorist?  Or I accidentally dial a terrorist’s disposable phone. Have you ever kept dialing the wrong number?  I have.  Sometimes I’m embarrassed and I hang up.  Sometimes I apologize to the person if they understand English.  Sometimes I tell them the number I am trying to call and I find out that either I have the wrong number, or I keep fat-fingering the intended number into the same wrong number.

EXAMPLE 2: CODED COLLECT CALLS
I knew a mother and her two sons who would send their mom messages by placing a collect call.  The information passed on by the operator:  “I have a collect call from Ayman al-Zawahiri in Zurich” could mean they weren’t coming home that weekend.  “I have a call from Grace in Memphis” could mean pick me up at the bus station in their hometown.  The mom would reject the call but she’d have gotten the information she needed.

The problem with this approach is that a collect call from the wrong person on a disposable phone, (someone you don’t know and therefore rejected the call or even accepted as a courtesy), could be construed as a coded communication from a person of interest or an internationally sought criminal.  Maybe a terrorist conspirator makes only one call to a person of interest from a particular disposable phone and then leaves it for a random person to find and use.  Someone may pick up the abandoned phone to make a few calls. You could get a legitimate call from a “conveniently” acquired phone.

EXAMPLE 3: A SCHADENFREUDE SERVICE OFFERING
Want to complicate someone’s life?  Get a bunch of disposable phones and have random people make calls to someone from suspicious spots:

  • Inside prisons,
  • From meetings of groups under investigation,
  • From public events where something bad might happen, anywhere there is a lot of security or a lot of press:
    • Visit from the Pope.
    • Sports events.
    • A million-person march.
    • Protests where passions are running high.
    • Anywhere sirens are heading.
    • International political hot spots.
    • That terrorist training camp where the oft-shown video of trainees using monkey bars was taken.

You can pick the spots based on the crime you want to insinuate.  In order to be somewhat politically correct, I will suggest locations and you may surmise the insinuation:

  • Playgrounds, day care and elementary schools. Halfway houses for recovering addicts or prisoners just released from jail.
  • Gambling establishments.  Prisons with lots of white-collar criminals.
  • Court where a hate crime is being tried.   Neighborhoods where the people targeted by the hate group are concentrated.
  • Important sites for a particular religious group. Organizations and activities the religious group has condemned.
  • Political groups defending individual rights. Political groups attacking those rights.
  • Corporations engaging in a controversial business. Activists opposing the business.
  • Groups and businesses profiting from a problem.  Activities to raise money to address the problem:
    • Provide treatment or find a cure for a disease.
    • Help survivors of a natural disaster, man-made disaster, war, crime or terrorist attack.
    • Protect the ecosystem.

UNINTENDED CONSEQUENCES? OR AN OPPORTUNISTIC MEANS TO MANIPULATE ONE?
In all 3 Scenarios, your phone number may never become interesting to the powers that be.  Or 10 years from now they could identify a person of interest, start linking phone calls/numbers and come knocking on your door asking about a phone call or wrong number you have no memory of.  Maybe it’s an innocent artifact of a thorough and sincere investigation.  Or maybe someone just has it in for you because:

  • You have become useful to some government organization or individual(s) therein.
  • You refused to cooperate as a witness.
  • You cooperated as a witness.
  • You have become a whistleblower.
  • They need insurance that you’ll forget something if you ever knew it.
  • They want to coerce you to into doing something.

Or maybe you are just guilty and you will gleefully produce this article as evidence of a faulty investigation.

Of course, it also pays to remember that:

Just because they really are out to get you doesn’t mean you aren’t paranoid.

Steven Brust

Love Me I’m a Liberal” by Phil Ochs

 has been one of my favorite songs for a long time.

Listen to it and you will know why:

http://www.youtube.com/PhilOchsLoveMeImALiberal

For the satire challenged among you:  please don’t listen to it.

Bio:

Dr. Turbyfill has been head of engineering organizations and software architect with 20+ years of experience in: Security (Cyber and Physical); Risk Management; SDLC; Development Methodologies; Enterprise Products and Services; Compliance; Database, Strategy and Roadmaps; management of multiple groups in domestic and international locations; startups and turnarounds.  Dr. Turbyfill has a consistent track record of delivering quality products within budget and on time and has consistently built leading edge technologies and products including:

  • First database benchmark using experimental design techniques, the Wisconsin Benchmark;
  • One of the first wireless LAN’s with radio, antenna and IP Layer encryption;
  • First Firewall Appliance, SunScreen SPF 100 which also included  a certificate authority and one of the first commercial IP Layer VPN’s, SKIP;
  • First round-trip email marketing systems with interactive Java applets;
  • First Managed Security Service at Counterpane Internet Security;

First virtualized automated test environments for application stacks, the StackSafe Test Center.

Leave a Reply

Your email address will not be published. Required fields are marked *