Laying Low

[Savage805]

...the officer I was talking to was very adamant about the fact that Texas is a "Duty to retreat" state and only Law Enforcement aren't required to do so. He told me to "google it" and "educate myself".

That's a pretty critical issue that he of all people should know. That would make me doubt anything he said.

 

[jrbfishn]

Knowing your enemy, be prepared, chose the ground. That is half the battle. One piece of advice I got from a pro gambler years ago, don't let the other man choose the game, or the rules. Always play your game, not his.

from an non-recovering coffeeholic

 

[jordanmills]

We're probably not going to go with the RO. I was talking to an officer today and he told me that will give away where she is.

He said she should get a PO box and have that put on her DL when she gets it switched to Texas. Then it will lead to a dead end. He brought up the part about getting the pre-paid phone. He explained how it works, but basically the only people that can trace those are the NSA. Not even 911 can trace those for an emergency location. He gave a few tips about using lifelock and some google app that lets you know every time someone does a search of your name. He even touched on kicking social media, but if she just has to have it-the things not to do with it. The biggest thing is make sure not to post any pics of the places she hangs out and not have any friends tag her in any photos of places they've been with her. Second was to make sure that none of her friends know this guy. If they do-they get kicked. Based off of that, I think she'll be safe with FB. She uses it to keep in contact with family and friends.

Some of that is correct, and some isn't. Generally the state won't let you use anything known to be a PO box for a DL/ID. The trick is to find someone who is willing to "lease" you a "garage apartment" or "spare bedroom" (better to have a separate letter address though). Also, owning property, registering to vote (which is normally done with DL registration), having many kinds of professional licenses, or paying most state taxes will get you in public records. Avoid doing those. If you do, use different fake addresses in different cities/metro areas for them or use the one same fake address where your DL is sent to, but don't have a bunch of different addresses clustered on the same side of a big city.

911 can get the location of an incoming call through registered address, tower triangulation, and device reported information (though it depends on various devices in the chain supporting whatever method is used). A determined attacker can get some personal/location information out of a carrier, so make sure they have fake info too.

On the topic of cell phones and going to computers, lots of modern phones and computers can look up your physical location with various sensors (gateway IP address, nearby wifi networks, GPS/GLONASS, cell tower triangulation, ipv6 forwarding addresses, etc.) so be careful with web browsing and opening links in email. Using an anonymizing service like TOR does not protect you from the physical sensor interfaces, but it will paint a huge target on your connection (there are a limited and generally well known number of TOR exit nodes, and traffic coming from them will throw flags for any decent skip tracer or roaming bear).

Also, keep in mind that computers can easily be bugged to "call home" with their current physical location if an attacker can convince a mark to run something. It doesn't even have to be installed software that has to run - I can do it with a scheduled task and one line of powershell and no malware protection software will ever notice it.

Credit cards, oddly enough, are usually much less likely to be compromised. The location information is usually poisoned (it will list the physical location of whoever processes a payment by phone or web site, so the location is fairly unreliable). A dedicated attacker may be able to infer local shopping habits with a moderate amount of work IF they can access the full transaction history, but that can easily be devalued by making small bursts of transactions (over the course of two to seven days) in a small area, then repeating for another area soon after.

Most people dumb enough engage in physical stalking are not smart enough to use these kinds of information-based attacks. Attacks matching the above descriptions are much more likely to be used by a dedicated or semi-rogue government operative, like an NSA spook who had a personal problem with you. Protecting yourself against that sort of threat takes a lot of dedication, but that's not what you described here.

Simple physical attacks are much more in line with the subject as described. Things like planting a tracker on a vehicle (got a GPS jammer?), remote operated cameras at locations likely to be frequented, or a good old fashioned stake out and tail are non-interactive attacks that should be expected.

But the biggest hole, as several have pointed out, is social exploits. Basic "detective work" like interviewing contacts and passively browsing available information (listening to gossip, monitoring social networks, etc.) will return the best information. There are three defenses: sequestration with restricted release of information, engaging friendly peers, and poisoning the well. I believe all three have been mentioned already. But sequestration with restricted release of information is the most critical. A vast majority of people can be exploited with simple social engineering attacks. They want to help their friends, and anyone skilled at social engineering will convince them that they need to give the attacker information to help their friend. Don't release information of your habits or whereabouts to most people you know (or release false information, but that goes into poisoning the well). Generally it will be very effective to tell people that you're being stalked and you can't release most personal info to anyone at all. Keep most of it off social networks.

Poisoning the well could actually be pretty fun (want to have a fake vacation every weekend?). But it can be a good bit of effort and might not be worth it. I'm tempted to write more on that...

Any way, protect against social information exchange and remember to keep actual data out of easily-searched sources: state DL/ID, vehicle registration, tax records, professional licenses, and church directories.

 

[Southpaw]

Some of that is correct, and some isn't. Generally the state won't let you use anything known to be a PO box for a DL/ID..

I just came here to back the use of the PO Box on a DL, but damn Jordan, that was a great post as well.

 

[CrazedJava]

Just a note on pre-paid phones though. I would still be cautious on who I give out that number to.

Also, Facebook is littered with so many security holes you don't need any hacking skills to get personal information. The problem is that even if her profile is locked down, if any of her associates are not and there is any activity that involves her it will show up. Not just pictures. She can be effectively monitored just be keeping tabs on known associates with unsecured Facebook profiles. If you want to stay off the grid, Facebook is just about one of the worst tools to do so with. Google+ can be even worse.

Remember, these are sites designed to SHARE personal events, pictures, and information. It should be no great surprise that they suck at privacy.

 

[jordanmills]

Just a note on pre-paid phones though. I would still be cautious on who I give out that number to.

The only advantage a prepaid burner has is that your identity is not necessarily immediately associated with it on the billing side. It is very unlikely that anyone outside of law enforcement would have access to that information any way. Burners only help if you're hiding from law enforcement or a cartel.

 

[jordanmills]

I just came here to back the use of the PO Box on a DL, but damn Jordan, that was a great post as well.

woo thanks man

 

[Southpaw]

I never had one, but do you need to show ID for a prepaid cell?

 

[grasshopperglock]

I never had one, but do you need to show ID for a prepaid cell?

That would be a hades NO. Ive used straight talk for years. Iphone verzion....Austin number

Unless i tell you its my number, i actually answer....this phones a ghost.

If i change my number, i call the old one. Its usually someone that no english well.

Family Dollar sells just the sims card. I think it was $15?


Sent from my iPhone using Lost IRS hard drive.

 

[XinTX]

Some of that is correct, and some isn't. Generally the state won't let you use anything known to be a PO box for a DL/ID.

Not always true. I had a TX DL with a PO box as an address. At the time I was living on a sailboat. There was no mail box on the boat.

 

[grasshopperglock]

Having a PO on your Texas DL comes down if you can find a box in some areas. Most get rented fast.

UPS Stores offers relative private mail boxes.


Sent from my iPhone using Lost IRS hard drive.

 

[Shotgun Jeremy]

Thanks for all the great info guys! That was a very good post, jordanmills.

 

[Southpaw]

Not always true. I had a TX DL with a PO box as an address. At the time I was living on a sailboat. There was no mail box on the boat.

I can't find where they will allow that anymore. How long ago was this?

Having a PO on your Texas DL comes down if you can find a box in some areas. Most get rented fast.

UPS Stores offers relative private mail boxes.


Sent from my iPhone using Lost IRS hard drive.

If DPS finds out that the address is not an actual residence, they will revoke your license.

 

[Southpaw]

But looky here..

Jeremy, this might be an alternative for your friend:

TxDPS - Address Confidentiality Program

 

[Shotgun Jeremy]

Dude, this is just perfect!

 

[ZX9RCAM]

Nice find SP!

 

[Southpaw]

Nice find SP!

Just sort of stumbled upon that looking up PO Box use on a DL.

 

[jordanmills]

But looky here..

Jeremy, this might be an alternative for your friend:

TxDPS - Address Confidentiality Program

Good catch. I can't believe I totally forgot about that.

 

[Southpaw]

Good catch. I can't believe I totally forgot about that.

If I buy another gun this year I might need it from the wife!!!

 

[Savage805]

Shotgun Jeremy: How about an update? Hope things are going well!