Ask HN: How to protect an abused spouse from a software engineer?
Long time member here posting with a throwaway for obvious reasons.
A family friend has recently come under attack from their spouse. Daily, brutal beatings in front of small children that make your blood turn cold.
The victim has been going the legal route for months now and has the police actively engaged. But, as we both know, the police are there after the fact and aren't able to really do much until something terrible happens again.
The abuser is a highly skilled software engineer with a decade+ of white/grey hat experience. This person is now using their professional skills to stalk their spouse.
We purchased the victim a new phone under my name with no connection to the old account. We're setting up a new Google account now (Android phone) that's not connected to the old account. Will be changing the email associated to all social/messaging accounts and set up app-based MFA going forward on everything. Password manager with randomly generated passwords for all accounts.
Thinking of setting up this new android device with MDM under a new GSuite account. Hoping this will give an added layer of protection over phishing attacks the abuser may send.
I'll be doing some education with the victim on phishing attacks, etc. to make sure they don't click on any random links.
I'm wondering if you all have any additional advice? Have you ever helped someone in a similar situation? Basically looking to crank up this non-technical person's op-sec to exceed what someone who knows "everything" can reasonably crack.
Thank you!
25 comments
[ 1.5 ms ] story [ 73.0 ms ] threadPhysical security. Does he know where she lives and does he can follow her, access her wifi, follow the children? Rummage her trash?
From what I gather, all relatives are on board with the victim leaving. Point taken, though.
The victim packed up their apartment and left today with a U-Haul and is en route to a neutral location that the abuser doesn't know of. Only the victim's parents (and me) know where they are.
Everyone I talk to says the same thing- people are the weakest link. There's something to that for sure.
Few more things that I came up with. Service accounts. Social engineering call centers is evergreen. If he knows her bank, he can extract info from them. Check if she can switch accounts or that the address is not up to date. Not sure if he can find/buy her spending patterns from an info brokerage firm.
Also, her parents location data and call history is precious. Sooner or later they will want to visit her and they will insist on talking to her every day. So, no phone calls, voip only. No phones on visits plus ensuring they are not followed.
https://anonymousplanet.github.io/thgtoa/guide.html
"aren't able to really do much until something terrible happens again."
Really hoping this doesn't mean there isn't any physical separation or isn't a restraining order. If this is still occurring, her immediate concern should be physical security and the will to do whatever may be necessary as it escalates.
There is a restraining order, active court cases, bail, all that stuff. The victim is packed up and moving out of their shared apartment today to a neutral location. I guess what I meant by that is that we are in a rural area. Police response time to a 911 call is regularly 45+ minutes. A violent spouse can do a lot of things in 45 minutes. Best to avoid that entirely.
I'm reasonably sure that the victim's physical security will be assured as of this evening. I'm looking forward, trying to think ahead of any ways (technical or not) that the abuser could use to find their new location.
Also, anything like a lease or DL update can lead to the address being found in a background check.
Apparently our state has a program for secret mailing addresses. From what I gather, victim advocates can set up a mailing address at a state govt building and from there it'll get forwarded on. I think the plan is to use that for official documents for the foreseeable future.
Edit: Also consider hiring a private detective to see if the person is actually doing serious physical stalking, or buying things like guns.
* Read and consider whatever advice the government gives to people in witness protection.
* For the victim and her parents: don't have any sort of IoT at home with a microphone. Especially digital assitants like Amazon Echo.
* Don't conenct anything to your Wi-Fi unless essential. (Yes that means not giving the password to visits at the victim's house)
* Get YubiKeys or similar for the victim and the parents. (SMS 2FA is garbage)
* Tell the victim and the parents to never reuse passwords.
* Have a VM to use misleading social media. Post as if the victim were in a different city, etc.
* Use a VPN or Tor. (lower chances of finding the victim's location through their IP or some sort of data leak)
* Use something like the Tor Browser even if you don't use Tor.
* Don't have any cameras inside the victim's house.
* For victim and parents: don't install anything that isn't really necessary.
* Also for victim and parents: get a decent WiFi router with no known vulnerabilities and change the admin password.
* Pay in cash. (Victim only. Avoid data leaks that might record where you shop)
* Don't let others take pictures of the victim or her kids, much less share them.
* Maybe use codenames when talking about location near the place the victim lives.
* Don't use the victim's real address for anything that isn't absolutely necessary. Maybe set up a mailbox in a different city and use this addresses for most purposes. (Or the victim's parent's address)
* Install a non-https blocker and use only DNSSEC over HTTPS or TLS just in case.
* Use encrypted messaging for pretty much everything, including voice calls.
* If possible, register the car and utilities under other people's names or addresses.
* Again if possible, register utilities in another city under the victim's name.
* Use email servers that use TLS for IMAP and SMTP. (Or just use webmail if through HTTPS)
* Considering hiring a private investigator to stalk the stalker. Hopefully this will make him more cautious and maybe the PI can even catch the stalker commiting some crime.
Honestly with some stuff we've seen lately, even reflections of notable locations in sunglasses or even eyes might be a concern. Not sure what you do about that.
I remember when I had an Android phone and I took a peek at Google's personal-data dashboard at one point. It had a line drawn on the map tracing my every footstep for the past several years. Vacations, commuting, visiting friends. Everything. It was neat at the time, but is a nightmare scenario for this kind of thing. You can disable some of that, I think, but Maps will constantly bug you about turning it back on.
At the very least I'd steer them away from installing any apps that don't come from major global corporations. There's a ton of malware on the Android store, especially games, and it's not hard to imagine some of it collecting data to sell on the black market.
FYI - If you file a USPS change of address they mail your old address a confirmation. IIRC the confirmation includes the new address. Maybe someone who has done this recently can confirm.
Are there any shared access online accounts to worry about? Like banking or shopping. Anything where access can be gained to get updated addresses.
Of course this will depend on the state. I can’t give general advice in the US.