The pursuit of hardening your operational security, removing and obfuscating your personal information, and employing tactics to enhance your privacy is a marathon, not a sprint. It takes time, careful planning, patience, an adventurous spirit, and a willingness to learn new skills. Some dabble a bit with their newfound enthusiasm for these topics, and others commit to considerable lifestyle changes for the long haul. I am always impressed and humbled when people I have met decide to make changes (small or large) in order to make themselves or their family less vulnerable to digital threats.
This past week I received an email from someone I met several months ago at a training event. They shared their personal experience with moving to an iPod Touch for communications. I found the story entertaining, genuine, and also impressive because this former student overcame a lot of challenges during the process. Overcoming challenges, thinking outside of the box, and persistence are also necessary when you are employing technology in creative ways for the sake of operational security.
This individual has also spent the last several months cleaning up their online presence in a thorough manner, and moved to a new location without creating a trail that ties them to their new home. I asked for permission to post their email and they have asked me to keep their name redacted of course. I have come to know and work with this person frequently on all things op-sec, and their willingness to be a ‘student of the game’ is a rare exception to the norm. With that introduction, I give you an unedited iPod story from the trenches…
While at home, connected to my wifi network and on a VPN, I went onto Apple’s website from my laptop. I purchased a 32GB iPod Touch 6th Gen using a privacy.com card and a spam Sudo profile that I set-up for my alias. For my billing information, I used a random, ridiculous (opposite from my gender) name of “Ricky Babbot” and used a privacy.com card and an address for a homeless shelter in another state. For the shipping information, I addressed it to “Ricky’s” hypothetical niece “Ashley Wiggins” (It’s Ashley’s Birthday), used my real home address and checked out. I quickly received an e-mail from Apple requesting that I call their customer service line immediately with my assigned confirmation code in order for my transaction to go through successfully. The e-mail stated that if I did not contact them within a certain amount of time, then the transaction would be terminated. So, using my spam Sudo profile, I called Apple’s Customer Support line and provided my confirmation number. The guy looked up the number and with a confused hesitation asked, “Ricky?”. I about died, I forgot I was a male for this transaction. Never in my life have I had to restrain my laughter so hard and maintain composure. While I was crumbling on the inside, my knee-jerk reaction was a horrifying response. My response was this inner, poorly executed, deep, hollow male voice that I mustered up and said “YEEEP!” His voice cracked followed by a pause, and asked me to confirm my (Sudo) e-mail address. I confirmed. He pushed for me to provide another e-mail address and I informed him that it was the only e-mail I had. He then asked if I had any other phone numbers that I could provide, and suddenly my accent strangely turned southern… on top of the hot-mess that was my accent to begin with. I responded with “Nope, that’s all I got!”. “Well uh.. uh..okay sounds good Ricky. We will continue with processing this order and your iPod should be delivered on Tuesday next week” PHEW! It was done.
I went to sleep that night waking up in fits of giggles. That poor guy had to put up with my senile shenanigans.
The delivery of the iPod was tricky and I had an unforeseen obstacle. I work long shifts during the day and didn’t anticipate that I, or someone I live with, would have to sign for the package. So, I missed the delivery and UPS stuck a flier on my door. The flier basically gave me two options: 1) Drive to the UPS store at the address they provided, show a valid driver’s license and you can get your package. 2) UPS will try and deliver the package again tomorrow, and if you sign on this line, you give consent to let the UPS driver leave the package at your door, leaving you liable if the package is stolen. Since I am not truly “Ashley Wiggins” and cannot provide identification with said name, I opted for option 2; signed on the dotted line as “Ashley Wiggins” and stuck the flier back on my door and hoped no-one with sticky fingers would walk by the next day and take off with my new birthday gift from my gender-confused uncle…because this millennial would be crushed. I was in luck, however; I got home the next day and found the package at my front door. I do realize that this all could’ve been avoided by just going to the Apple store and purchasing an iPod in person with cash…but that would’ve been too easy. Believe it or not, I wanted the challenge and it just so happened to make for a great story.
After receiving my anonymously purchased 6th Gen 32GB iPod, I went to a coffee shop not too close to home and got onto the public wifi and connected to my PIA VPN. I set-up a free https://protonmail.com account specifically for the new Apple ID with the intention of only using it for this sole purpose. I disconnected from my VPN for this next step since I had been told it creates additional hurdles when creating a new Apple ID.
Using my computer’s browser, I went to https://appleid.apple.com to set-up my Apple ID with the new Protonmail account. I provided my pseudonyms, a fictitious date of birth, selected my country/region, and set my password and three unique security Q&A’s. I then unsubscribed from all three of the subscriptions that Apple automatically opts you into and clicked continue. This prompted an email verification step in order for the Apple ID creation to be completed. Apple sent me an email with a code, which I used to verify my account. After verifying my account, while still logged in, I went through my account information… intentionally neglecting the “Rescue Email” backup option, opted-out of 2-factor authorization, and in the “Data & Privacy” section, I opted-out of the “Share iCloud Analytics” option. In order to purchase apps, you have to provide a payment method. With my anonymously cash-purchased Apple iTunes gift card in hand, I decided to go ahead and add this information in now, since I knew I would have to do so in the future anyways. In the “Payment & Shipping” section, I used an address for a women’s shelter in another state. For the phone number, I was able to successfully use a phone number from a burner profile on my MySudo app. I have read that using a VOIP number most likely wouldn’t work here, but I was happy to see it work just fine without any issues.
I logged out and attempted to log back in. Apple requires that you answer two of your security Q&A’s at each login attempt online. Apple wasn’t recognizing my answers to any of my security Q&A’s. I meticulously typed the answers… and still nothing. I was soon locked out of the account entirely. I knew my answers were accurate, so why I got locked out was beyond me; being the stubborn investigator that I am, I wanted to get to the bottom of this. Using a spam Sudo number, I called Apple Tech Support. “Diamond” from Support asked for my Apple ID, which I provided, so that she could unlock my account. She also asked for the answers to all 3 of my security questions that I had set. It was a tid-bit mortifying, yet hilarious, to explain to her my unique answers and why my “pet’s name” is “DuhET-FoGetAboutIt”. With complete embarrassment, I quickly informed her that I don’t like to provide accurate answers to these types of questions…cricket, cricket.
At this point now, she had to reset my password 2 times. This still didn’t fix the issue and we kept running into the same problem of my security Q&A’s not being “accurate”, even though they were being answered correctly. I would also like to give a side note that resets will not work on Apple’s website if you are using Firefox as your web browser. We were doing everything right, and she couldn’t figure it out. Every failed attempt seemed to be attributed to the security questions. I asked her about this and she said there shouldn’t be an issue with my unique answers and that it should work fine. After a few more attempts, we were both completely locked out of the account for the next eight hours and even she couldn’t override it. At this point, do I start from scratch or wait the eight hours? I am feeling pretty committed yet defeated and just worn out. So, instead of creating a new Protonmail account and new Apple ID, I just decided to wait it out and try again in 8 hours. I have a theory that Apple doesn’t like unique answers to security questions, that there is something that hoses it up and I don’t think they are even aware of the issue themselves.
Eight hours later, I tried again. I went to https://appleid.apple.com and selected “Forgot Apple ID or Password”. From there I provided my Apple ID/Protonmail email and clicked continue. I was then asked what information I wanted to reset, they gave two options: 1) Reset Password or 2) Reset Security Questions. I decided to test my unique security Q&A theory and selected option 2. This selection required me to answer one of my security questions, and to my surprise, my unique answer to my pet’s name of “DuhET-FoGetAboutIt” went through without a hitch. I was able to reset all of my security questions. (my answer never worked when signing in, so why did it work when I opted to change my security questions? hrm…) This time I decided to keep my answers simple to see if I would have any more issues signing in. Simple answers seemed to do the trick; I was able to get signed in and close this chapter of my iPod set up.
I fired up my iPod, signed into my iTunes account and set-up my Passcode. I disabled “Location Services”, opted-out of using “iCloud Keychain” and “Siri” and also chose not to set up “Screen Time” and “Analytics”. I installed a few of my essential apps like Wire, MySudo, ProtonMail, MiniKeePass, Standard Notes, and PIA VPN. For the time being, I am only connecting to WiFi with my PIA VPN enabled. I have not set-up an anonymously purchased Verizon Jetpack yet, but will do so in the near future. So far, this is the hotspot plan that I have in mind: (Verizon Data Plan with MiFi Jetpack device, $20/mo for 2GB of data or $30/mo for 4GB of data).
Setting up this COMSEC device with completely off-the-wall false information gave me such a strange feeling. It’s a hard habit to break… to fight that obligatory feeling of providing your true information. However, with that being said, making a unique and humorous name and giving your alias a ridiculous back story makes the process very entertaining.
A friend of mine reminded me that this is a marathon, not a sprint. However, being the enthusiastic person that I am, I went hurdling into this and I’m glad I did. Some scary events recently occurred in my professional life that could have leaked into my personal life if I had not already begun this journey, and it served as a reminder to me about why I am on this path. I went down this road for a few reasons: pure curiosity, professional reasons, and most importantly, personal reasons.
My curiosity began when instructors tasked me with researching myself online. My current OPSEC position, compared to where I was just months ago, is a night and day difference. I now find amusement and joy in the fact that no one can locate me and if they want to contact me, they have to do so on my terms. Having this amount of control and privacy in my life has been incredibly freeing.
I work in law enforcement and have been involved with many high-profile cases involving gangs, drugs, homicide, serial homicide, and adult & child sex crimes to name a few. I am also a part of a Joint Fugitive Apprehension Task Force with a focus on violent offenders, so my threat model is high. In my professional life, I make contact with victims, offenders, fellow coworkers, and colleagues from other agencies during investigations or at training events. At the end of the day, not having an actual phone and being able to “burn” a VOIP number that I gave to a seemingly trustworthy colleague is reassuring and helps me sleep at night… along with other OPSEC strategies like online data removal and using pseudonyms.
I have received criticism from family and friends and I have noticed that the basis of their skepticism is purely attributed to the fact that they don’t know everything that goes on in my life and it’s in their best interest not to. I’ve had stalkers, personal and professional, and it’s nice to say, those individuals can’t find us nor contact us. At the end of the day, I didn’t do this for me, I did this for those that I love and care about, even if it’s at the sake of sounding a little bit “paranoid”.
Being able to see first-hand that this communication strategy is possible, to break away from the norm of how society tells us to communicate and share our personal information, has been incredibly eye opening. Purchasing a copy of COMSEC by Justin Carroll and Drew M. was my guide and ticket to success. I have also had the privilege of attending classes on this topic that were taught by “Drew”, and the knowledge gained has proven to be invaluable time and time again. I am forever grateful to those who have taken the time to teach on this topic.