[Note 02/17/21: Minimizing attack surface is what I did when I had old utility service boxes, phone lines and coaxial removed from the side of the house late last year. You may be able to opt-out of a local smart meter program but you can’t throw out your electric meter. Nor can you strip a home of every bit of the conductive copper wiring in its electrical system and the radios that gate and dispatch radio frequency signal, not unless you want to live off the grid.]

For me, and perhaps for many other writers, rain is more than weather. Rain becomes a state of mind—meditative, even a dream state—by which to write. Snow, too, whether falling or blanketing the earth, is a quieting by which to write. I wrote most of a novel about the arts, sitting here at this table overlooking the deep waters of Lake Washington, sitting at the windows as it rained and stormed outside, Michael Nyman’s compositions for the film, The Piano, the score against which I put words to the page.

It was beginning to look like it wouldn’t happen this winter, but yesterday the snow began to fall, and with the snow came the quiet. But since I’ve been the victim of a corrupt neighborhood watch working with real estate speculators to turn over at least a few rented homes, the insulating qualities of rain and snow are not simply something I feel but something I hear. Or rather, something I don’t. Whether it’s because of the clouds and the winds, or the soft and sodden earth, the mobbing harassment is quieted with the rain, and stilled with the snow.

The extent to which bad weather modulates or attenuates the mobbing harassment, is one of the greatest indicators of radio technologies put to work by those who would mob from close range to turn over properties for speculation (“Radio propagation, https://en.wikipedia.org/wiki/Radio_propagation; “Effects of Temperature and Humidity on Radio Signal Strength in Outdoor Wireless Sensor Networks,” https://annals-csis.org/Volume_5/pliks/241.pdf).

Writing on Quora, Dan O’Brien (B.Sc, MSc, Ph.D Physics, Electronics 1980) explains “[w]ater is an electrical conductor, and absorbs radio waves. The effect will be to reduce signal strength, which can cause a digital signal to break up or an analogue signal to have speckles. The problem extends all the way up to satellite signals. For reception through trees, the added water content in leaves and trunk can reduce reception.” (“How does weather affect radio reception?”, https://www.quora.com/How-does-weather-affect-radio-reception).  O’Brien’s statement on how trees can affect reception is relevant to my situation. I’ve assumed that attenuation of the mobbing harassment as I’ve passed beneath trees was because the trees physically blocked a beam of directional sound that was likely delivered from a drone, and as I mentioned in a few past blogs, had seen drones in my neighborhood. But it didn’t occur to me that the trees’ water composition was the cause for the respite from the mobbing prattle. Perhaps what I’ve really been experiencing is the diminishing of reception of a weaker signal. O’Brien also explains that wind exerts a great impact on radio signals, saying “[i]f a highly directional antenna is buffeted, then reception can be lost.” This could apply to what may be poor signal diversion when a directional antenna is used in conditions of high winds.

I’ve written a few posts about the ubiquity of radio and the likelihood that radio is the foundational technology in mobbing harassment. It is the ubiquity of radio that contributes to the creation of a limitless attack surface. Attack surface is a term of art in cybersecurity, commonly referring to the overall risk of a software or hardware environment. The attack surface includes the sum or totality of the risk of attack, in other words, the points from which an attacker can most easily inject or exfiltrate data. Each risk represents an attack vector. Reducing the attack surface reduces the available attack vectors—the exposures—and the risk of attack. Managing risk means preventing your resources or assets from becoming a platform for attack.

Perhaps because of the sheer complexity of software and hardware systems, including human interaction with them, the concept of attack surface is multi-dimensional. “A typical attack surface has complex interrelationships among three main areas of exposure: software, network, and the often-overlooked human attack surface” (“Understanding What Constitutes Your Attack Surface,” Tripwire: The State of Security, April 17, 2014, https://www.tripwire.com/state-of-security/featured/understanding-constitutes-attack-surface-2/). An attack to the network attack surface is often delivered over the network; attacks that target the software attack surface generally originate from web applications; and attacks targeting the human attack surface commonly use tactics of social engineering, they exploit errors, trusted insiders, and instances of worker absence referred to as “death and disease” (“The Attack Surface Problem,” in SANS Security Laboratory: Defense In Depth Series, https://www.sans.edu/cyber-research/security-laboratory/article/did-attack-surface). The dimensions of the attack surface expand with the ingenuity of the attackers, describing any exposed facet where risk exists, hence the concept of a “social engineering attack surface” (https://whatis.techtarget.com/definition/social-engineering-attack-surface) or a “physical attack surface” (https://whatis.techtarget.com/definition/physical-attack-surface).

In earlier blogs, I’ve made reference to attack surface but have not discussed the application of attack surface theory to mobbing in any depth. I’ve also talked about how social engineering, and sociopathy, are instrumental in effecting mobbing. The concept of a social engineering attack surface is relevant to the real estate mobbing in this northeast neighborhood of Seattle. Much of the social engineering used in mobbing locally takes place through face-to-face interaction, whether in the course of suckering the victim into trusting those who should be mistrusted (The social engineering of mobbing), the twittering and squawking you’d expect in a murder of crows (An “unofficial demonstration”), or the sleazy innuendo that sullies the reputation of the victim and contributes to her isolation (Mobbing and the Martha Mitchell effect: When defamation in the neighborhood violates due process in the courtroom (part 2)).

Physical proximity—that is, proximity in the neighborhood and the familiarity that proximity assumes—is the very foundation of mobbing as I have been mobbed in northeast Seattle in this neighborhood in which home sales are the norm and where a pattern has developed of some of the same new homes changing hands every year or two. The concept of physical attack surface has broad applicability to the intensity and brutality of neighbor mobbing.

Physical attack surface is the totality of risk that is present when an attacker is in the same location as the target. Neighbor mobbing—victimization based on the physical proximity of neighbors—ratchets up the intensity, risk, and the cost to the victim. “Physical access is a very direct attack surface” (“physical attack surface,” https://whatis.techtarget.com/definition/physical-attack-surface). Neighbor mobbing, founded on inescapable, clandestine criminal harassment from next door, capitalizes on the proximity of neighbors. Neighbor mobbing keeps the victim always within reach; exploiting edge-to-edge communications systems, permissive use agreements and drifting property lines. The goal of this kind of mobbing as I have experienced it, is forced eviction without proof, an eviction that only the victim understands is constructive, an eviction in which the victim who does not leave of her own accord faces ceaseless civil and criminal harassment. When neighbor mobbing is used to expel, the methodology is to con the victim into believing she is constantly under watch, that she is continuously monitored and stalked, even within the walls of her own home. This hoax is created with sound.

How do we know the presence of others? In lieu of the privilege of sight or the pleasure of touch, it is sound that brings the first awareness. We know the presence of others by sound. When others speak to us, we assume we have been seen. Mobbing exploits the phenomenology of address, the experience of being spoken to, to con you into believing that you are being watched in the private areas of your home. And as with any intrusion making use of any attack vector to penetrate any attack surface, mobbing harnesses your resources in the attack as not just your devices (cyber-harassment), but the windows of your home (acoustic leakage harassment) and the bones of your skull resting on the pillow (bone conduction), become the platform for inescapable verbal abuse.

In the enterprise, the physical attack surface includes the totality of resources made available to employees, including network and building infrastructure, and the employees themselves. A rogue operator who infiltrates the enterprise can bypass firewalls, exfiltrate intellectual property with the use of a memory stick, sabotage machines and erase data. In the enterprise, a rogue operator can walk up to a machine and infect it with malware on a USB key. In the neighborhood, a mobber can secrete a Yagi WiFi antenna in his house that directs verbal abuse onto every radio you’ve got.

In mobbing, proximity is everything. A skilled cell phone mobber can make you think she’s next door, she can make you believe by camfecting or by studying the pictures you put on Instagram, but nothing raises the stakes more than knowing your stalkers live next door. A mobber can pick up a cheap IMSI catcher on Amazon.com and intercept your phone calls, and one way or another, spew verbal harassment into the background of the call. A mobber can make use of police emergency frequencies or shortwave radio frequencies and a directional antenna to interfere with the broadcasts you receive. A mobber doesn’t even have to hack your router when familiarity causes you to forget a healthy sense of mistrust and you take him up on the generous offer to share his WiFi network. A mobber doesn’t have wait for you to get online when his motion-detecting floodlights shine on your steps. A mobber doesn’t have to risk your collecting forensic evidence when he delivers harassment to you during television broadcasts that you’re legally prohibited from recording. A mobber doesn’t have to threaten to kill you in texts you can save when he has access to your speakers. A mobber can just threaten you from his side of the fence that’s never high enough, from the other side of that tall hedge that can’t protect you, or from inside the house he’ll flip after he razes yours. A mobber can keep you within range of the cheap low-power TV transmitter he bought on Amazon. A mobber can probably use infrasound or directional sound to turn your window panes into sheets of harassment that you can’t blot out because he uses a rogue broadcast to overlay the soundtrack of the film you’re trying to watch with the same harassment. A mobber can threaten you over unconventional interfaces that you cannot easily record, like the windows of your home. A mobber can control the volume of the harassment, keeping it so low that that even if you do record it, digital audio applications will probably filter it out as noise. And while a mobber is harassing you, he can tell you that he’s done, or will do, all kinds of things to you, and you’ll probably believe him, because he’s got the proximity to do it.

When you’re flanked by mobbers using what I’ve called the “surround-sound” system of harassment, when they’re on either side of you and the nastiest of the nasty captains of a corrupt neighborhood watch is across the street, when they declare a “property war” and tell you that what they’re doing is “clearing by smearing,” when they quip that they’ve “triangulated” you and that the police can’t catch them because they’re “in the wind,” the attack surface is your life.

Ω

Proximity is a constant in mobbing, at least, mobbing is constructed to create the sense of proximity. Harassing someone over a smart phone, or a computer, or the television, is not enough when the harassment has the specific goal of expelling you from your legal home. You can turn off a device. If the annoyances of a more mundane nature are not enough, if the removal of the quiet enjoyment that your lease agreement guarantees is insufficient, the mobbers have to make you live in fear, and they have to do it quietly, in a manner that does not implicate their allies in the neighborhood, and in a manner that is not seen by the good people in the neighborhood who should report the crime.

Despite the constant exhortations of the mobbers, I refused to leave my home, to “get out.” But over the course of the mobbing I have embraced changes of other kinds, including observing the impact of changes in my environment on the mobbing. This has allowed me, over time, to develop strategies to reduce my personal attack surface, even as I remain under attack by a tech-enabled crime.

In the past I experimented with removing the satellite radio antenna, and then disconnecting the antenna altogether from the tidy little commuter car I bought in 2015, when I began working for out-of-state tech companies to survive. These measures helped, but did not significantly change the level of the harassment I experienced, not even when driving over the Oregon-California passes, in the San Francisco Bay Area, or in British Columbia. It wasn’t until one of the technicians from Seattle’s Stereo Warehouse pointed out that if I wanted to disable the radio it would be necessary to disconnect the antenna amplifier, that the volume of the harassment dropped below the volume of the music I listened to on my iPod.

I had switched from using an iPhone as a music player to an iPod, because I wanted to rule out the possible sources of intrusion. In other words, I was attempting to lessen the attack surface that was exposed while I listened to music on the stock radio that was specified for the car that I used to travel to worksites in the San Francisco Bay Area. The iPod had no phone number and was denied access to cellular networks. This move isolated entertainment to one device that is rarely exposed to any WiFi network; the phone calls during which I continued to experience background harassment would be conducted from another. I seldom leave the phone on and try to keep services off when they’re not required. (Note: Most of my live calls these last few months have not included harassment, although when it remains frequent when I check voicemail, especially when the origin of the calls that go to voicemail appear to be spam calls. The phone harassment significantly diminished around summer, I think, as I began to speak up more in the courtroom and tried to add evidence of the neighborhood bullying campaign to court records.)

As the mobbing began, I instinctively began the process of minimizing my exposure. This was what my decision not to be forced from my home required. Years before, I had the experience of documenting a “componentized” operating system and had encountered the term “attack surface” in documents encouraging a minimalist approach to creating a custom operating system by using only the required components and their dependencies, and by understanding the security vulnerabilities of specific components. It would take being the victim of a crime for me to apply the notion of “attack surface” to my own life. According to David Kennedy, penetration tester and CEO at TrustedSec, attackers commonly target “anything that is part of your electronic or internet surface. In the context of home users, devices on your network such as door bells that have internet connectivity, smart TVs, routers, cameras–all of these devices provide an elevated surface for attackers in order to gain access to your home network” (https://www.wired.com/2017/03/hacker-lexicon-attack-surface/).

Like most security experts, Kennedy assumes that the target of the attack is your network. When you yourself are the “target,” the concept of “attack” is much more broad. Crimes increasingly include a digital component (Police practice must change to protect us from mobbing and IoT crimes). Don’t make the mistake of assuming that the criminals who attack your network seek nothing more than data.

This process of trying to reduce attack surface by limiting functionality and isolating capabilities is something I’ve pursued since the beginning of the mobbing, when I understood less and took measures that were more extreme, like going entirely offline, something that was only possible because, having lost a long-standing contract at Microsoft after the hoax that the neighbors had put a bot (a root kit) on my laptop, I was unemployed. For a time, I sought refuge at public libraries, but the mobbing was even more intense over the poorly secured WiFi networks of the Seattle Public Library system. I quickly abandoned a cordless phone for a 1970s-style landline, but there was no change in the phone-phreaking and background harassment on my calls. About a year after the mobbing began, when I realized that the Century Link agents I talked to on the phone had no idea what phone-phreaking was, I finally gave in. Even though one of the mobbers had warned, “If you get an iPhone I’ll fuck you up so bad,” I bought an iPhone. I would need it to use two-factor authentication as I began working in the San Francisco Bay Area.

I refused to stop listening to music as I drove. Except in conditions of high winds or storm, there was always muffled harassment, even with the radio off. I’ve been meaning to write a post on that; perhaps I soon will. At any rate, there was no choice between harassment or no harassment, and despite the fact that the volume of the harassment increases with the volume of the music, I was not willing to give up listening to music to avoid the harassment. To give up music, would be to give up. But I was willing to reduce my attack surface by shutting off the free year-long subscription to XM Satellite radio and using only music that was streamed over the auxiliary connection from the iTunes music player on my iPod. When the harassment was not diminished, I jettisoned the use of the AM/FM tuner on the radio, to the extent I could, anyway, since the receiver has the chip built in.

But as simple as my little car is, and as few its bells and whistles, I remained troubled by the integration between the Bluetooth-enabled satellite radio, a dashboard microphone, and the steering wheel controls. I remained troubled even after I learned that the emergency radio frequencies could be used from any car within range to interrupt the broadcast on any radio. And I remained troubled despite learning about how a malicious signal could be at least theoretically diverted onto a target radio device based on the use of shortwave radio coupled with a directional antenna.

Perhaps it was the convergence between entertainment and communications that made me wary. As soon as I started flying back and forth to work in the San Francisco Bay Area, I’d been dismayed that the harassment traveled with me, even on the Boeing 737 aircraft that Alaska uses for so many of the shorter flights (Flying the friendly skies). I observed that the harassment was diminished when those seated near me did not use cell phones. And that the harassment was almost entirely quieted on flights that did not offer WiFi. Based on some curious experiences at the beginning of the mobbing, I wondered whether another ploy of mobbing might be for a mobber to stay close to a victim in a public place, to sit or stand next to the victim, with a smart phone in hand, while a mobber used an open connection to harass remotely. Positioning a mobber close to the “target” could be another way to avoid being caught while ensuring the victim could not escape being harassed over a smart phone they could not control.

In the case of the Boeing 737, I learned that the greatest threat to the communications system was the onboard entertainment system. With a Bluetooth-enabled stock radio supporting the integration of communication and entertainment systems, I would not be able to disentangle the security risks posed by the vehicle’s AM/FM radio from those belonging to the communications features that were intended to support a phone. Because the two technologies that mobbing appears most closely focused on are the radio and the telephone, concerns about their integration seemed reasonable.

The fact that Bluetooth is a short-range protocol also got me to thinking, especially after one recent weekend when the south mobbing house owner appeared to be out of town. At least, I assumed that there was no “coverage” positioned in the south mobbing house that weekend because it was unusually quiet. Until, that is, it was time for the Saturday 10 AM broadcast of one of the NPR radio shows I religiously tune in, no matter the prospect of harassment, Wait Wait… Don’t Tell Me.

That Saturday, as I opened a browser to stream Peter Sagal’s weekly news quiz, an unfamiliar car of the same make as my own car pulled into the driveway of the south mobbing house, right up to a vehicle left there for the weekend. The driver parked about six feet from my own vehicle in my driveway, which runs adjacent to that of the south mobbing house.

I’d never seen the car before and seldom see vehicles of the same make and model as my own in the neighborhood. The driver appeared to turn off the engine, but failed to emerge from the vehicle for the duration of Wait Wait…. As usual, the broadcast was overlaid with harassment. About an hour later, Peter Segal signed off. I gathered up my things and started out the front door to do a few errands. As I came down the front steps, the driver started the car and hurriedly backed down the driveway. But not before I saw her face and the license plate on the vehicle.

Perhaps the incident was a coincidence, but it got me thinking more about the use of emergency frequencies or the audio or video diversion of a rogue signal using a WiFi or other directional antenna from a parked vehicle, if only to provide coverage in the absence of the south mobbing house owner. There’s a lot I don’t know about the stock radio, its operating system and capabilities. But it got me thinking about the possibility of risk from vehicles using the same hardware and software as my own. Most of all, it got me thinking about the Bluetooth-enabled radio in my car, and the voice-activated Blue&Me app that allows a Bluetooth-enabled mobile device to be operated from the steering wheel.

The Blue&Me app, introduced in 2006, is based on Microsoft’s Windows Mobile for Automotive platform. James De Vile demonstrates the use of Blue&Me in his 2009 YouTube video, assuring viewers that they needn’t worry about the Windows “blue screen of death” since the software lacks capabilities outside of the realm of communications and entertainment (“Microsoft Blue&Me (Windows Mobile) in the Fiat 500,” https://www.youtube.com/watch?v=Ncb765TX_hE). Such comments are indicative of our lack of awareness of networked entertainment systems as an attractive target.

Although the app was introduced with the promise of maximum security (“Fiat and Microsoft launch Blue&Me in-car communications & entertainment system,” https://newatlas.com/go/5140/), the mere use of the Bluetooth protocol enlarges the network attack surface of the vehicles that use it. Not to mention the fact that all that’s necessary to “hack,” is to use software or hardware in a manner that is not “by design.” Take, for example, Peter von Panda’s YouTube video showing how you can use Blue&Me to integrate GPS directions from GoogleMaps into the mobile stereo system of a car whose communications system lacks those capabilities (“How to get GPS directions to come through your speakers in a Fiat 500,” https://www.youtube.com/watch?v=0z1Han0Nipg). The workaround makes use of Bluetooth Headset Profile (HSP), a profile providing a number of capabilities that should be attractive to cell phone mobbers, including the ability to answer a call.

Blue&Me pairs with multiple phones, but only the last paired phone remains active. The problem is, what if you no longer use a phone you once paired? Or what if you no longer use the Blue&Me app? I’m no hacker, but if you’re not using the integration, perhaps someone else can.

At any rate, the Bluetooth capabilities that allow for the integration of the mobile phone and the steering wheel controls are supported on the device level, by the radio in the car, and by your phone. Webroot’s article, “A Review of Bluetooth Attacks and How to Secure Your Mobile Devices,” explains, “As convenient as Bluetooth can be for productivity and comfort, it can also present major security risks” (https://www.webroot.com/us/en/resources/tips-articles/a-review-of-bluetooth-attacks-and-how-to-secure-mobile-workforce-devices). These risks include software vulnerabilities, eavesdropping, and Denial of Service (DoS) attacks. Bluetooth has also figured in AirDrop harassment. Not to mention the fact that as a short-range protocol used with entertainment and communications systems, it may have easy application in situations of neighbor harassment.

Interestingly, one of the risks of Bluetooth is a range that extends beyond the promised “personal area network” (PAN), to its use in remote attacks. Noting that “hackers have been known to use directional, high-gain antennas to communicate over much great distances successfully,” Webroot links to a demonstration of just such an attack on a Bluetooth device using an antenna from a Starbucks across the street. Notably for those interested in the application of Bluetooth to verbal abuse, the attack does not simply provide the opportunity to eavesdrop; it makes it possible to “inject sounds”:

The man in the vid explains that just by knowing the default code (0000 on just about every headset) and spoofing your device as a phone, you can remotely inject sounds or record audio from a headset. With a strong enough antenna, you can even do this from up to a mile away. So what can someone gain from this exploit? Mostly just listening to people’s conversations without their knowledge, but playing back sounds into their ear could be pretty fun. (“How to Eavesdrop on Bluetooth Headsets,” https://gizmodo.com/how-to-eavesdrop-on-bluetooth-headsets-328664)

Webroot comments that Bluetooth headsets, as well as built-in hands-free car kits, are vulnerable to being used as “mobile bugging device[s].” In all cases, to minimize the threat, the answer is to turn off Bluetooth when you’re not using it.

But how do you turn Bluetooth off on your Bluetooth-enabled car radio? This I do not know. But at least now, having removed the stock radio from my car, I probably don’t have to worry about it, at least not so long as my smart phone is off, and its Bluetooth interface too. My understanding is that in removing the radio, which has its own operating system with its own application attack surface, I also disabled the dashboard microphone. Now I have a tidy little commuter car with a reduced attack surface. I opted out of the capabilities that most want by avoiding the purchase of a replacement radio with satellite radio, Bluetooth or other wireless capabilities. There was also the unintended side effect that the car’s odometer is apparently going to flash into perpetuity. Apparently the car computer doesn’t like it when you get rid of the one receiver that is specified for the vehicle. But I’ve got the auxiliary connection I need to listen to my iPod. And I’ve also got a deck with greater volume capabilities than the stock receiver offered.

Speaking of that, I’m going to run off now, back to Stereo Warehouse for some better speakers. After that, I’ll be driving that car down to the San Francisco Bay Area again this spring. I don’t expect having changed out the receiver to be a cure-all so long as I’m still the victim of a corrupt neighborhood watch and its speculator friends. But by eliminating at least a few vulnerabilities and reducing my attack surface, I hope to make it harder, and riskier, to mob me.