planning for data/privacy safety
May 21, 2010 10:23 AM

He's angry at me and he's got serious tech resources. What should I be thinking about in terms of data/privacy safety?

Complicated story (ain't it always), but most basically: my boyfriend and I have spent great effort over several months trying to salvage something of our long-term relationship, but these attempts are going progressively worse.

I still care about him and want to trust him, but he has been acting more than a little desperate and unstable and angry (mostly because I just cannot give him the amount of processing/conversation time he wants us to keep having). Like any good geek, he has more than his share of obsessive focus. He's clearly obsessed now with the project of getting me to talk to him a lot, give him attention and ideally go visit him in person.

He has very high-level network skills (head sysadmin for money, programmer/hacker/tinkerer for fun). As for the hacking, he's usually totally honorable and white hat as far as I know... but right now he's not acting at all stable or okay and so I'm just trying to do some worst-case thinking and planning.

I'm sure vast amounts of my personal and login data have gone over his home network in clear text, just in the course of doing my usual web stuff (always on my own laptop) all the times I've been at his place over the years. He is the type who might well actually log all his traffic, for reference or paranoia or curiosity. I would like to think he wouldn't invade my privacy, but he's started claiming justifications for other things that are honestly really concerning me, like almost literally constant calling when I won't answer (e.g. 70+ calls in two hours), or accusing me of deceiving or acting against him in ways that aren't grounded in ration.

Clearly I need to change all my passwords, but what are other things to think about in terms of prepping for the worst-case possibilities of more unstableness, obsessive poking around my life, maybe some degree of messing with any of my online presences? I'm not a network expert myself, but I can understand (or google) technical advice. Thank you for your ideas.
posted by anonymous to Computers & Internet (26 answers total) 16 users marked this as a favorite
If you are going to change your passwords, use a strong one, and make sure it is sufficiently long. That means selecting a mixed case password using numbers, letters, and symbols.

Example Password: ^aZ4G-Xx

This would take more than two years to crack, unless he has access to a super computer.

Best of luck.
posted by axismundi at 10:35 AM on May 21, 2010 [1 favorite]

I hope it goes without saying that now is the time to update all your accounts with different strong passwords for each account.
posted by robinpME at 10:36 AM on May 21, 2010

I'd tend to try to take this from a technical issue where he has all the power and into a personal one.

"If I find out you've been in my email, facebook, or whatever, any hopes of reconciling or any further contact are gone."
posted by advicepig at 10:44 AM on May 21, 2010 [3 favorites]

And not to state the obvious, once you change those passwords, do not log into any of your password-protected sites via his home network.
posted by canine epigram at 10:45 AM on May 21, 2010

In addition to the tech solutions, pursue whatever anti-harassment measures are available in your area. Starting a paper trail sooner rather than later is a big help if things get worse (or simply continue in the same antagonistic vein).
posted by batmonkey at 10:49 AM on May 21, 2010

I would like to add that perhaps you should consider changing your passwords while at some machine that he has not had physical access to. Changing them won't do you any good if he has a keylogger on your computer.

Of course if you think he might have a keylogger on your computer you might want to be backing up your data and wiping that machine clean and starting fresh.
posted by komara at 10:53 AM on May 21, 2010 [3 favorites]

Set up a new gmail account right now that pulls in e-mail from your existing account, just in case, so you've got a backup. Not that it'll come to that. Even if he accesses your existing account, I don't think he'll have any way of knowing about this backup account.
posted by adamrice at 10:55 AM on May 21, 2010 [1 favorite]

If you have to log in to a website on his network, make sure it's an https website, not just http. This way, if he's packet sniffing (i.e., logging all network traffic), your passwords will be encrypted. However, a keylogger could still get your passwords.
posted by jmd82 at 10:57 AM on May 21, 2010

Changing all your passwords to strong passwords is definitely appropriate and probably enough. But if one were to anticipate very bad past or future behavior on his part:

Assuming he's had unsupervised physical access to your laptop, you'll want to back up your data, re-install the OS, load up the usual anti-malware stuff, and scan your files before moving them back over. (This is in case he installed a keylogger that phones home.)

If you have a router at home that he's had unsupervised physical access to, reload its firmware.

Get access to a VPN (subscribe to a commercial VPN if necessary) and use it for all your wireless networking. (This is in case he's recorded your wifi MAC address and is physically stalking you, sniffing your wifi.)

And, yeah, make sure you change your passwords on a trusted machine and network (which yours would be after taking these steps, but you don't want to wait that long for these.)

(Again, these are kind of extreme measures that suppose fairly extensive malice on his part.)
posted by Zed at 11:01 AM on May 21, 2010

I don't know a lot about keyloggers, but given the situation you described, I would back up all my data and do a clean install on my computer. I would only then change passwords, and if possible, and I had access to another secure computer, I might only change and use the passwords from there for the duration.
posted by OmieWise at 11:02 AM on May 21, 2010

How about changing the answers to your password recovery questions? Don't underestimate the social engineering skills of someone who thinks like a hacker--he knows your mother's maiden name and the last four digits of your social security number and the name of your favorite pet, right?

You should answer those questions with something entirely untrue. Maybe write your pet's name backwards, or use a made-up name. Store the answers (along with your nice, secure, long, randomly-generated passwords) somewhere secure like a KeePass file.
posted by bcwinters at 11:08 AM on May 21, 2010 [1 favorite]
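
The randomly generated passwords and untrue recovery answers suggested above can be produced in one pass, with a different value for every account. This is an added example, not part of any post in the thread; the account names, the questions and the 16-word list are constructed for illustration, and the output is meant to be saved in a password manager such as the KeePass file mentioned above.

```python
import math
import secrets
import string

# Printable ASCII without spaces: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
# Constructed 16-word list for illustration only; a real list should hold
# thousands of words so that each word adds far more than 4 bits.
WORDS = ["purple", "anchor", "velvet", "copper", "meadow", "lantern",
         "orbit", "thistle", "granite", "falcon", "ember", "quartz",
         "willow", "harbor", "saffron", "tundra"]


def entropy_bits(length, alphabet_size):
    """Bits of entropy in `length` symbols chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def random_password(length=20):
    """Random password that contains all four character classes."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        # secrets draws from the OS CSPRNG; random.choice is not suitable here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Redrawing costs a negligible amount of entropy at this length.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def random_answer(n_words=4):
    """Made-up recovery answer unrelated to the question it is filed under."""
    return "-".join(secrets.choice(WORDS) for _ in range(n_words))


def build_vault(accounts):
    """Map {account: [recovery questions]} to fresh credentials per account."""
    return {
        name: {
            "password": random_password(),
            "recovery": {q: random_answer() for q in questions},
        }
        for name, questions in accounts.items()
    }


if __name__ == "__main__":
    # Constructed account names and questions.
    sample = {
        "email": ["Mother's maiden name?", "Name of first pet?"],
        "social": ["Mother's maiden name?"],
    }
    for name, entry in build_vault(sample).items():
        print(name, entry["password"], entry["recovery"])
    print("8 random symbols: %.1f bits" % entropy_bits(8, len(ALPHABET)))
    print("20 random symbols: %.1f bits" % entropy_bits(20, len(ALPHABET)))
```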

As a SysAdmin, I imagine he keeps on top of security holes as part of his job. This may spell trouble for the safety of your computer if he chooses to exploit them.

If you own a PC and haven't already, I recommend taking the time to set up a good firewall. It is a little over-protective for my tastes, but ZoneAlarm has a free edition that should keep him from being able to exploit some of these on your personal computer(s). Otherwise, there's a slim chance he may be able to pinpoint your internet address and gain access. There's a slew of nasty things that can be done if he does, including acquisition of personal files and any of your new passwords.

As far as websites go, keep in mind Facebook is one of the worst offenders with unsecured access; the default login page (to my knowledge) is plain text and easy to sniff.
posted by NBJack at 11:08 AM on May 21, 2010

If you think he could have installed a keylogger on your computer, you have to deal with that first.

Check important websites to make sure he can't use the "forgot my password" option to answer questions he would know or could find (mother's maiden name, pet's name, elementary school, etc.) and gain access. Make sure he hasn't set up your email to look normal but silently forward everything you get to another address. Think about who he could email pretending to be you and what he could accomplish by doing that.

And holy crap if it's gotten to this point, not just where you fear this sort of thing but where he's already engaged in harassing and paranoid behaviors you should really really stop "trying to make it work." Like really stop. Immediately. Stop talking to him. Then find a therapist and try to figure out what took you so long. Not that it's your fault, of course, but you don't want to find yourself in this situation again.
posted by callmejay at 11:11 AM on May 21, 2010 [1 favorite]

"If I find out you've been in my email, facebook, or whatever, any hopes of reconciling or any further contact are gone."

"I will also pursue criminal charges, report this behavior to the HR department of your employer, and permanently link your name to the phrase 'creepy stalker dude' online."

Basically make it clear that you'd prefer to trust him, but if he violates that trust and gets caught the downside is going to be enormous.
posted by ecurtz at 11:41 AM on May 21, 2010 [1 favorite]

Things to consider:
If Windows, worry about rootkits. Find a good scanner, check for them, kill them if present. Something like the AVG boot disk is good, because you're running from the disk itself rather than from your operating system. Make sure remote administration is turned OFF.
If Mac, worry about remote login. Check your settings: Disable remote SSH, check for any other remote access tools.

On either system, check the list of users, remove any users that shouldn't be there. Windows accounts will show up in c:\Documents and Settings\[user account name]. On a Mac, they'll be in /Users/[account name]. They might be hidden - enable "Show hidden files" in Windows when checking the users, and on a Mac open Terminal, cd /Users and do ls -al to list all files and folders, even the hidden ones.

In either case, change your account passwords. Even with SSH or a rootkit, full access to your machine is harder if he has to guess a new password. On Windows, this includes the administrator password. Oh, did you not know there's an administrator account? There is. Even if you don't see it at log-in, it's there. It's there on Vista and 7 too. Accounts can be hidden on OSX also.

(Really, you ought to assume your system is compromised beyond repair and wipe it completely, but I understand if that's too much work.)

Change any and all passwords, and check the email addresses you have on file for password recovery. Set up a new Gmail account for those if you have to. If he can access your email he can click the "forgot password" button on a site and have a reset performed, locking you out.

Do you have a home network? Check the settings. Is remote access turned on? Do you know the password for the router? Is it protected to begin with, or does it use the default settings (which can be easily found online)? You might want to do a hard reset on your home router, set it up again from scratch, and make sure you have proper security enabled. If the system allows it, disable admin access for any user not directly plugged in to it.

Do you have anyone you can trust who would let you use a system for SSH tunneling? Using a tunnel for all web access outside of connections you control (that is, your own home network) is a good idea anyway.
posted by caution live frogs at 11:54 AM on May 21, 2010 [1 favorite]
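
The account check described above can also be run against the system's account list rather than only the folder listing, since an account does not need a visible home folder to exist. This is an added example, not part of the post: it assumes the account list is available in passwd format (as in /etc/passwd on Linux), the sample listing is constructed, and the set of expected users is something you supply yourself.

```python
import posixpath

# Shells that mean "this account cannot log in interactively".
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false",
                  "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample in passwd format: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0::/home/.support:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/sh
"""


def parse_passwd(text):
    """Return one dict per well-formed passwd line; skip anything else."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        accounts.append({"name": fields[0], "uid": int(fields[2]),
                         "home": fields[5], "shell": fields[6]})
    return accounts


def audit(accounts, expected):
    """List (account, reason) pairs that deserve a closer look."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        can_login = acct["shell"] not in NOLOGIN_SHELLS
        if acct["uid"] == 0 and name != "root":
            findings.append((name, "extra account with UID 0"))
        if can_login and name not in expected:
            findings.append((name, "login-capable but not expected"))
        home_dir = posixpath.basename(acct["home"].rstrip("/"))
        if can_login and home_dir.startswith("."):
            findings.append((name, "home folder hidden from a plain ls"))
    return findings


if __name__ == "__main__":
    # "root" and "alice" are the accounts the owner knows about (assumed).
    for name, reason in audit(parse_passwd(SAMPLE_PASSWD), {"root", "alice"}):
        print(f"{name}: {reason}")
```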

Following up on caution-live-frogs, wiping your computer is a big step, and you shouldn't take it lightly.

I say divide your computer work into two pieces, what you do online and what you do with your computer physically unplugged from the 'Net.

For online use, I say you should make a way to boot your computer to Ubuntu for your online use, until you think things have blown over. You can make a CD to boot from and use, or if you have some disk space, you can add it inside your current disk. Both are safe, and you can be sure nothing on your computer is in his control. (Later, just reboot if you're using a CD or uninstall in windows if you use the second on-disk option.)

When you're off the net altogether, you can probably safely boot into your usual environment, though you should make backups *right now*, in case there's a time bomb in there.

Good luck.

Also, the social method above, "if I find you've been in my online stuff....". That will work for a while.
posted by cmiller at 12:09 PM on May 21, 2010

In less than 5 minutes with your computer, I could install a program to log every keystroke, list all the websites you visit, log all your IM traffic, and take a snapshot of your desktop every 10 seconds and send all this to my server periodically. You wouldn't know ANY of this was happening, and even the files for the program itself would be hidden from you.

You need to reinstall your OS. It's trivial, really, especially if your computer is semi-organized. Back up your data on an external hard drive, reinstall OS, put data back on your computer. Then change all your passwords.
posted by coolguymichael at 12:54 PM on May 21, 2010 [2 favorites]

If he escalates and this gets uglier and he starts messing with you at work, do NOT be ashamed to speak to the HR person at your company about blocking his IP, e-mail, and any other network security issues.

P.S. When you change all of your "forgot password" verifications, one strategy to make these non-guessable without driving yourself crazy with memorization is to not provide the actual answer to the question, but use it as sort of a hint for a related question of your choosing.

So if the question is "your mother's maiden name," make the answer the town and year in which she got married.
posted by desuetude at 12:56 PM on May 21, 2010

Re: Recovery Questions - a good trick my friend came up with is to use a nonsense answer for all of them, one that someone won't guess (because it's nonsense), but is easy to remember.

What is your mother's maiden name? Purple.

What city were you born in? Purple.

What is the name of your first pet? Purple.

You get the idea... The systems asking you the questions won't complain (I doubt they will say "Purple" is not a good name for your mother, city, or pet), but it's not something you can easily run a dictionary check on, either.
posted by GJSchaller at 1:57 PM on May 21, 2010 [2 favorites]

Several people have suggested changing your passwords and any information that can be used to copy email or break into accounts, as well as reinstalling your laptop's OS from the ground up. I would suggest going a step further and making those changes at a public library or other trustworthy location.

If you are concerned about worst-case possibilities, remember that part of hacking is social engineering. Make the on-line communities you're involved with, or at least your trusted friends on the net, aware that there is stress in your relationship and you don't expect anything to happen but you want to let them know to inform you if they notice anything sketchy associated with your information, accounts, or on-line behaviour.

On the relationship side, my inclination would be to tell him clearly and unambiguously the specific things you've noticed that are twanging your spidey-sense (like the phone harassment) and let him know how it feels to be on the receiving end of that negative attention. I've never met him, so I have no idea how that approach would work in this case.
posted by thatdawnperson at 4:00 PM on May 21, 2010

As others have said, if you want to be super-safe, wipe your drives and re-install your OS, THEN change your passwords (using a safe connection/not at his house).

If you want an added layer, I would make up some dummy e-mail and social networking profiles that don't have anything important on them, then I WOULD log on to those at his house a few times. The idea being that if he thinks he already has access to your accounts, he won't be looking for your other, real accounts; also, it may be easier to monitor those accounts for activity that isn't you if they are rarely used, and you can expose him without actually having him look at your real personal stuff (assuming he does actually end up doing anything).
posted by Menthol at 8:42 PM on May 21, 2010

70+ calls in two hours

If he's doing this, he is stalking you. The relationship is not salvageable: even if you get back on an amicable footing, the fact remains that he can turn into scary stalker guy with a lot more power in the relationship than you, whenever he doesn't think you're paying enough attention to him. He's obsessive and controlling and you should cut off all contact with him (as well as reinstalling your OS and changing all your passwords).
posted by longdaysjourney at 9:11 PM on May 21, 2010 [2 favorites]

My best friend has been dealing with something like this for close to 6 years now. One of his tricks has been to hack a friend's account to get access to stuff she's locked down (facebook, forums etc). It's led to her completely going underground online, changing every log in, every avatar, every name. Tedious, terrifying and sad.
posted by geek anachronism at 2:15 AM on May 22, 2010

I don't have nuanced advice in situations like this (which is a failing of mine), so I apologize for paranoia/alarmism. A few things:

1) If he's had physical access to your computer or house (or apartment), you can't trust the existing technology at that location. He can modify the hardware on your computer, such that reinstalling the OS or reformatting the hard drive won't do anything in terms of preventing him from having access. As for your living space, the wiring may have been tampered with, again, nothing that you do with your computer itself will prevent him from gaining access. If you obtain a new computer and new wireless access card (like one of those 3g things), you might have an internet connection that's safe, but it's not guaranteed. Usually, victims of stalking need a 3rd party location (library, for example) to access the internet.

2) Look at tech resources for stalking/DV victims. Some of it will be pretty basic, but if you look hard enough you might find some good things. A few places to start:

National Network to End DV - Technology Safety
National Online Resource Center on Violence Against Women - Technology Safety & Advocacy
National Center for Victims of Crime - Stalking Resource Center
Useful Google search

You might also think about contacting local law enforcement, and see if there's someone on staff who specializes in stalking. They might have tips or handouts that you'll find useful.

Again, I apologize if I sound paranoid or if this is a little over the top.
posted by Gorgik at 7:19 AM on May 22, 2010

70+ calls in two hours

Which is basically:
1) dial your number
2) let it ring long enough to go to voicemail
3) hang up
4) dial your number again

Seriously. 70 calls in 120 minutes is more than one call every two minutes. To my mind, that's already at the scary level of obsessive.

"If I find out you've been in my email, facebook, or whatever, any hopes of reconciling or any further contact are gone," sounds like a decent minimum to me. I'd actually be more inclined to say "I find your obsessive behavior, such as calling me more than 70 times in two hours, disturbing. If you want us to have a chance of reconciling, you need to demonstrate that you can behave reasonably. First step is you don't contact me for a week. Consider it a test. If you phone me, or email me, or get in touch with me by any other means before [exact date and time], it's over."
posted by Lexica at 3:54 PM on May 22, 2010

A few years ago I found out that an ex-boyfriend was logging into my email account several times a day. I'd used his laptop to check my email a few times, but I never saved the password and always logged out immediately. As best I can tell he used a keylogger.

Of course I changed all my passwords immediately, which is the obvious thing to do. The other thing I did that made me feel better was change my locks. He'd returned my house key when we broke up, but I figured that someone who'd used a keylogger to get my password and break into my email account wasn't above copying a house key. I know you didn't ask for meatspace advice, but I thought I'd throw that out there since it went a long way towards allowing me to feel safe.

I know you and your boyfriend haven't broken up, but 70 phone calls in two hours sounds really scary. If he's that desperate, he may not be above letting himself into your house when you're not at home if he has a key that works.
posted by bluishorange at 6:15 PM on May 23, 2010
