Over Easy: Snowden Explains Passphrases

Most of us are now aware of the need to create secure passwords/passphrases to protect our online lives, as much as that is possible. There has been a lot of discussion in the past couple of years about password security, and the warning that we should use longer, complex passphrases, rather than short passwords. Unfortunately, most people still use a password or phrase that may seem complicated, but is easily guessable — and then use the same password for email, bank accounts, and other personal information.

Many websites still limit us to 8 character passwords, because their underlying databases can’t handle longer ones, but they aren’t keeping our information safe. We should no longer create or use a password, but should attempt to create a passphrase we can remember that would be difficult for hacking algorithms to crack. Once we’ve created strong passphrases, we can use password manager software to keep track of them so we don’t resort to writing them on sticky notes affixed to our computers. I use LastPass, and it is excellent.

No less an expert than Edward Snowden, in the interview above with John Oliver on Last Week Tonight, discussed the importance of passphrases. If you can’t watch the ~3 minute video, Snowden explains to John Oliver that even a complex password with letters and numbers, mixed case, and special characters, can be cracked in seconds. He guides Oliver to the realization that a clever phrase is both memorable and more secure. But if you use a common or familiar phrase, it is useless. Many people who try to create a passphrase use well known phrases from books, popular movies, memorable quotes, sports teams, or other proper nouns, and those are easily guessed.

If you don’t think you can come up with a memorable passphrase like Snowden’s margaretthatcheris110%SEXY, there’s a way to create a passphrase using the Diceware passphrase method.

Diceware™ is a method for picking passphrases that uses dice to select words at random from a special list called the Diceware Word List. Each word in the list is preceded by a five digit number. All the digits are between one and six, allowing you to use the outcomes of five dice rolls to select a word from the list.

Here is a quick summary of the directions at the Diceware website. You need one or more ordinary dice. Download the complete Diceware word list which has 7776 short words, abbreviations and easy-to-remember character strings, each preceded by a 5 digit number. Decide how many words you want in your passphrase. Now roll the dice and write down the numbers resulting from each roll in groups of five. Make as many of these five-digit groups as you want words in your passphrase. Finally, look up each group of five rolls (numbers) in the Diceware word list by finding the number in the list and writing down the word next to the number. It takes a bit of effort to memorize the phrase, but there are suggestions to help. You also can use a password manager as mentioned above.

The Intercept recently had an article featuring Diceware: Passphrases That You Can Memorize — But That Even the NSA Can’t Guess (my bold)

The strength of a Diceword passphrase depends on how many words it contains. If you choose one word (out of a list of 7,776 words), an attacker has a one in 7,776 chance of guessing your word on the first try. To guess your word it will take an attacker at least one try, at most 7,776 tries, and on average 3,888 tries (because there’s a 50 percent chance that an attacker will guess your word by the time they are halfway through the word list).

But if you choose two words for your passphrase, the size of the list of possible passphrases increases exponentially. There’s still a one in 7,776 chance of guessing your first word correctly, but for each first word there’s also a one in 7,776 chance of guessing the second word correctly, and the attacker won’t know if the first word is correct without guessing the entire passphrase.

This means that with two words, there are 7,7762, or 60,466,176 different potential passphrases. On average, a two-word Diceware passphrase could be guessed after the first 30 million tries. And a five-word passphrase, which would have 7,7765 possible passphrases, could be guessed after an average of 14 quintillion tries (a 14 with 18 zeroes).

I think I like those odds! It seems worth a bit of extra effort, doesn’t it?

Note: Effective today, I am stepping down from my regular Friday Over Easy duty. I am not leaving FDL; I will be around in the comments and available to help fill in, or bail someone out who has run into posting difficulty, as I have been doing. But I’ve just added a new personal obligation to an already full plate, and available hours and brain cells are seriously stretched. I do hope someone will step up to take my place and add a new voice and perspective to the lively mix here at Over Easy!

Over Easy: “Flying is the Safest Way to Fly”

Mobile Boarding Pass
iPhone Boarding Pass
Title of this post courtesy of an old Shelley Berman routine: (“Flying is the safest way to fly.” “They have seatbelts on airplanes in case the plane comes to a sudden stop … like against a mountain.”)

I just returned from two weeks in California, and the trip involved two long flights. I flew Southwest Airlines from Chicago Midway to Oakland, CA (plus a 2-hour outbound and return bus ride between Midway and South Bend). For all of the bad press the flying experience and the TSA get, navigating the two airports and the airport security process was surprisingly painless, thanks to a couple of relatively recent improvements since I last flew.

The first is the mobile boarding pass that allows you to display your boarding pass on your smartphone. No more rummaging in pocket, purse, or carry-on for a paper boarding pass, hoping you haven’t left it somewhere. You can use your mobile boarding pass in place of a paper boarding pass at baggage check, in the airport security line, and when boarding. Scanners accommodate a variety of mobile devices. When you check in for  your flight,  you choose how to receive your boarding pass (email, text message, or view in browser). On the outbound flight, being new to the process, I chose to receive the boarding pass via email, and opening the email on my iPhone displayed the pass. But Southwest (and probably most other airlines) has an app for the smartphone, and you can use the app to check in and to display your boarding pass within the app, which I did on the return.

The other new wrinkle is the TSA Pre? (pre-check) program. It (supposedly) requires an application, payment of an $85 fee (covers 5 years) and being fingerprinted, but I didn’t do any of that, or even know about it. The TSA Pre? symbol simply appeared on my boarding pass. Maybe they figure a 72 year old grandmother is low risk sight unseen. (They must not know about the subversive FDL and all of my surveillance posts.)

If your boarding pass has the TSA Pre? symbol:

  • You bypass the regular long security lines and are directed to a relatively short TSA Pre? lane;
  • You present your boarding pass and Government-issued ID to the Travel Document Checker;
  • The TSA Travel Document Checker scans the boarding pass barcode (on the smartphone!);
  • You don’t remove your shoes, belt or light jacket, you keep your laptop in its case, and leave your plastic bag of liquids (if you have one) in your carry-on. I was directed to put my smartphone in one of the little plastic dishes and run it through the scanner, along with my purse and carry-on.

In both airports I had to submit to their full-body scanner. I wasn’t much perturbed because as the proud owner of a titanium knee replacement, I have set off the alarms and been wanded and patted at every airport for 9 years. But interestingly, I had to be very briefly patted in places the monitor highlighted (my shoulder and a spot at my waist, neither of which had any metal, but NOT the artificial knee, which does). Go figure.

In both airports the TSA crew and the airlines employees were courteous, friendly and helpful. So in all it was not an unpleasant experience, and if you have to fly, do take advantage of the mobile boarding pass and if you can, the TSA Pre? program. If you fly often, the TSA Pre? program might be worth $17/year. I’m still trying to figure out why I got it automatically.

And just today I came across an interesting tidbit online. It seems that airline travelers forget to collect their pocket change from the little basket at the security screening. According to the Los Angeles Times, Passengers leave thousands in loose change at L.A., S.F. airports The paper reports that travelers nationwide left about $675,000 in loose change at airports in the past fiscal year.

Occasionally passengers forget or don’t bother to pick up the pennies, nickels and quarters they dig out of their pockets and put in the plastic bin that passes through the luggage scanner as they pass through metal detectors.
[…]
So where does that money go? Back to the TSA. In 2005, Congress gave the agency authority to put the money it collects from airport checkpoints back into security operations. For fiscal year 2014, that amounted to $674,841.06 nationally. In 2013, it collected $638,142.64, and in 2012, it took in $531,395.22.

Over Easy: Net Neutrality — The Fight Isn’t Over Yet

NetNeutrality logoOn February 26 the Federal Communications Commission (FCC) voted to reclassify broadband internet access as a “Title II” telecommunications service, which allows the FCC to impose specific open internet rules that prohibit activities like paid prioritization and blocking.

There are legitimate concerns about the rules, although not necessarily the ones that we are likely to hear about. This is just one battle, and the war is far from over. We have reason to remain quite vigilant in efforts to protect a free and open internet.

The devil is in the details.

The FCC finally published the full net neutrality rules on its Open Internet website, after foot dragging by the two dissenting commissioners caused a delay. The full document is more than 400 pages, including lengthy dissents from Ajit Pai and Michael O’Rielly. Now the next chapter in the story begins. Internet providers will go over the details in the ruling, looking for legal weak points they can take to court.

From the Open Internet website, here are the “Bright Line Rules” in the order.

Bright Line Rules:

  • No Blocking: broadband providers may not block access to legal content, applications, services, or non-harmful devices.
  • No Throttling: broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices.
  • No Paid Prioritization: broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration of any kind—in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates.

The EFF has warned about a vague “general conduct” rule that allows the FCC to reserve the right to examine practices of ISPs to see if they’re “harmful to consumers.” The Open Internet rules establish a legal standard for other broadband provider practices to ensure that they do not unreasonably interfere with or disadvantage consumers’ access to the Internet. That sounds good in theory, but the rule is so vague that it could subject perfectly reasonable practices to long, drawn out legal fights with the FCC.

Also unclear is exactly how the fight will play out over “interconnection” — which is not directly a “net neutrality” issue, but rather concerns how big ISPs accept traffic from service providers. The big broadband providers deliberately allowed those interconnection points to clog up in order to pressure service providers like Netflix to pay up. The legal framework positions the Commission for the first time to be able to address issues that may arise in the exchange of traffic between mass-market broadband providers and other networks and services. The new rules are likely to try to address this issue, but it’s not entirely clear how.

Another concern is how the rule deals with “zero rating” plans, in which broadband providers let some traffic not count against a data cap. The broadband providers claim that this is a consumer benefit, ignoring that they themselves implemented a data cap.  Exempting users from their own anti-consumer practices isn’t really consumer friendly. Bottom line: the new rules will deal with these situations on a “case by case” basis, which can be problematic.

Should we be worried? Those against net neutrality are complaining about tariffs and rate regulations that aren’t happening, but this could tie up perfectly reasonable practices in uncertainty. The rules got a lot right, but we should be concerned about possible problems with them, and be watchful about how they’re interpreted.

Lawsuits ahead!

Someone is going to sue about the new rules. Last time around, Verizon sued, and either it will sue again or Comcast or AT&T or a combination will sue this time. This will cause uncertainty about whether the rules will stick. If the courts throw out these rules, then we’re back to the beginning.

Some opponents claim that because the FCC lost lawsuits in the past, it will lose again — but this time is different. The court rejected the last rules because it said the FCC was trying to introduce “common carrier” rules without classifying broadband as a common carrier. This order does that. If a lawsuit goes to the Supreme Court, its earlier rulings suggest that it gives the FCC latitude in classifying broadband. Antonin Scalia dissented in an earlier case that broadband was obviously a Title II common carrier service.

Republicans in Congress have started moving to delay the implementation of the new rules. And Congress is gearing up to modify the Telecommunications Act to implement a different set of “net neutrality” rules that instead are only a smokescreen to strip the FCC of authority to protect consumers against current questionable practices of the broadband providers. It’s entirely possible that we’ll be back for another round in a few years. We’ll just have to wait and see.

Over Easy: Those Pesky Emails!

Hillary ClintonHillary Clinton and her advisors must have decided that it was finally time to have her address the email brouhaha, so she held a press conference this week, and attempted to simply brush the whole thing off as no big deal. According to most press reports, it didn’t work, and the furor continues unabated.

To be honest, I’ve been writing off this whole fuss as a nothingburger ginned up by her opponents and a media in hot pursuit of another shiny object. But I am gradually changing my mind.

There are two separate issues with the emails, and neither makes Clinton look good.

Security
As Secretary of State, Clinton handled important, confidential and classified information. Communicating such information using a private email server with questionable security makes her a big target for foreign intelligence. In fact, her private address was disclosed a few years ago when a hacker revealed the private inbox of a former Clinton aide, Sidney Blumenthal, the orchestrator of an underground smear campaign against Barack Obama during the Democratic primary. Blumenthal was sending emails to Clinton at a private, non-governmental address. So it was known years ago that Clinton used a private email account, and it would be naive to think it was not targeted.

Obscurity
We know that Clinton’s email was secure from one thing: FOIA requests. By using her personal email, she was able to hide important documents from FOIA requests. According to the New York Times, numerous FOIA requests from many different entities have gone unanswered, or the requestors were told the emails were unavailable because the State Department had no access to them.

From Clinton’s prepared remarks at the press conference:

There are four things I want the public to know.

First, when I got to work as Secretary of State, I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.
[snip]
Second, the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.

Third, after I left office, the State Department asked former secretaries of state for our assistance in providing copies of work-related emails from our personal accounts. I responded right away and provided all my emails that could possibly be work-related, which totalled roughly 55,000 printed pages, even though I knew that the State Department already had the vast majority of them.
[snip]
Fourth, I took the unprecedented step of asking that the State Department make all my work-related emails public for everyone to see.

There are several flaws in these statements:

1. It seems from news accounts that paper printouts were turned over. I have seen nothing that indicates electronic files were submitted. If that is true, then Clinton has in fact turned over exactly NO actual emails. Until she provides the full digital emails, most of the evidence is missing — or may have been tampered with. Even an export of the emails with only the mail headers intact (i.e., metadata) would be better than paper. Clinton is a lawyer, so she knows that paper printouts selected and/or edited by a defendant are worthless.

2. Clinton said the email she sent was all stored and backed up on recipient servers, so nothing was lost. While that may be technically correct, it’s like saying, “All of the evidence you are demanding has been sent to random landfills throughout the world where it is carefully archived for future generations.” Without knowing the recipients of every email she sent, the scope of potential discovery is impossibly broad. As a lawyer, she is completely aware of this, but continues to misrepresent the situation and maybe hope nobody notices.

3. Her assertion that none of the emails contained classified information also was deliberately misleading. She may or may not have included classified information (remember, no actual emails have been turned over yet), but for public officials, notes, remarks, communications, etc. are often classified after the fact, based on their content. Since these emails scattered to the winds were not subject to review, it is quite likely that some of them would be classified following such review.

4. The press asked what criteria she used to differentiate between “personal” and “public” emails. However, once she decided to conduct public affairs on a “private” email server, she lost the right to differentiate — all of those emails are public property, exactly as they would be if she had used the government email service. Which is why official business is conducted through official channels.

Perhaps the reporters should have asked whether, since she thinks she has the right to select which laws to obey based on personal convenience, she can provide a list of other laws she finds inconvenient. Hillary Clinton has handed her opponents a powerful club with which to cripple her presidential aspirations. We certainly haven’t heard the last of this.

Caricature of Hillary Clinton by DonkeyHotey via Flickr

Over Easy: Want to Research Medical Info Online? Not so fast…

Man uses laptopMy “beat” here at FDL over the past few months has mostly concerned surveillance and tracking in its many forms. I am by no means an expert, but I am fairly well informed on the subject…but the extent of health information tracking surprised even jaded, “we have no privacy” me.

Many of us hit the internet looking for more information on a symptom, a disease, or a prescribed medicine. And lots of companies collect information on us when we research medical information online. Some of the websites that use these collection tools are not using them deliberately for nefarious purposes, and may not even be aware that the tools are collecting and sharing our health information.

An article at Motherboard describes what’s happening when we go online to research medical matters.

[A]n astonishing number of the pages we visit to learn about private health concerns—confidentially, we assume—are tracking our queries, sending the sensitive data to third party corporations, even shipping the information directly to the same brokers who monitor our credit scores. It’s happening for profit, for an “improved user experience,” and because developers have flocked to “free” plugins and tools provided by data-vacuuming companies.

Using his custom webXray tool to analyze the top 50 search results for nearly 2,000 common diseases, Tim Libert, from the University of Pennsylvania, discovered that 91% of the pages made third-party requests to outside companies. For example, when I Googled “cataract surgery” recently, and clicked the highly ranked WebMD link to “Cataract Surgery Procedure: Safety, Recovery, Effects,” the website passed my request for information to one or (many) more other companies. Did I want everyone to know I needed cataract surgery? Probably no big deal. What if I’d researched “herpes” or “alcoholism”?

The majority of health information websites, from WebMD.com (a for-profit company!) to the government-run CDC.gov, are loaded with tracking components that send records of our health inquiries to companies such as Google or Facebook, and also to data brokers like Experian and Acxiom. I thought Experian just kept my credit info…silly me!

It is relatively simple for companies receiving the requests (which also collect other kinds of data, such as cookies) to use our browsing to identify us — and our illnesses. The URL identifier, which very clearly contains the disease we searched for, then is broadcast to Google, Twitter, and Facebook, along with other identifying information such as our computer’s IP address. This data gathering is common not only on commercial sites that want profits, but organizations we would normally trust, such as government entities, non-profits, even universities.
(more…)

Over Easy: Opening Statements Today in Boston Bombing Case

Dzhokar Tsarnaev-VOA
Dzhokar Tsarnaev
This post is by Masoninblue, who cannot access FDL today.

Opening statements are not evidence and they are not arguments. They are statements by the lawyers to sketch out their respective cases for the jury. Think of them as guided tours of the witnesses to be called and the evidence to be introduced. They are often described as roadmaps of the case and you can reasonably expect many sentences will begin with the phrase, “The evidence will show . . . “

Since the burden of proof is on the prosecution, the defense is not required to give an opening statement, but it would be foolish not to do so because they will not get another chance to speak to the jury until after the prosecution finishes putting on its case-in-chief, which will likely take several months.

I always gave an opening statement after the prosecution’s opening so that I could break their momentum and get the jury thinking about my case and I believe the defense will give an opening statement today for the same reason.

As I have said before, I do not believe this case is about winning or losing for the defense. It is about living or dying. From the defense perspective, they are going to be using the guilt/innocence phase of the trial as a slow motion guilty plea emphasizing evidence that mitigates the offense.

The defense has three powerful mitigators: Dzhokhar’s youth and immaturity, his absence of a serious criminal record, and most importantly, his fawning and submissive relationship with his older brother Tamerlan. When Tamerlan said, “Frog,” Dzhokhar said, “How high do I jump?” Beginning with their opening statement, I expect the defense will emphasize these mitigators every time an opportunity arises.

I am not expecting the defense to advance any elaborate government conspiracy theory to frame the Tsarnaev brothers. I do not believe there is any evidence to support such a theory and pursuing it would likely infuriate the jury and assure a death sentence. This does not necessarily mean they will refrain from mentioning and exploiting errors of commission or omission by law enforcement.

Over Easy: NSA SIM Hackers are Up to No Good!

SIM Card
SIM Card
Most of us who use cell phones or other mobile devices are familiar with SIM cards. From Wikipedia:

A subscriber identity module or subscriber identification module (SIM) is an integrated circuit that securely stores our international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices.

Privacy of mobile communication, whether voice, text or internet access, depends on encrypted connection between the cellphone and the wireless carrier’s network, using keys stored on the SIM card inserted in the phone. All mobile communications on the phone depend on the SIM, which stores and guards the encryption keys created by companies like Gemalto. Our phone SIM card stores (for example) our own phone number, and our contacts, text messages, and other important data.

According to documents provided to The Intercept by NSA whistleblower Edward Snowden, both American and British spies hacked into the internal network of the world’s largest manufacturer of SIM cards, Gemalto, and stole encryption keys that protect the privacy of worldwide cellphone communications. Gemalto’s SIMs are used to help secure the communications of billions of customers’ phones around the world on AT&T, T-Mobile, Verizon, Sprint and more than 400 other wireless carriers in 85 countries. One of its global headquarters (it has three) is in Austin, Texas, and it has a large factory in Pennsylvania. There is a very good chance that the SIM card in your cell phone was manufactured by Gemalto.

The Intercept describes the hack:

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

After The Intercept contacted the company, Gemalto’s internal security team began to investigate how their system was penetrated, but weren’t able to find evidence of the hacks. When The Intercept asked if the NSA or GCHQ had ever requested access to Gemalto-manufactured encryption keys, Paul Beverly, a Gemalto executive vice president said that to the best of his knowledge, they had not.

This week Gemalto confirmed that it was the target of attacks in 2010 and 2011, likely perpetrated by the NSA and GCHQ, but the company insists that the hackers didn’t get inside the network where cryptographic keys are stored that protect mobile communications.

Wired reported that Gemalto came to this conclusion after just a week-long investigation following a news report that the NSA and GCHQ had hacked into the firm’s network in 2011. Gemalto wrote in a press release on Wednesday,

The investigation into the intrusion methods described in the document and the sophisticated attacks that Gemalto detected in 2010 and 2011 give us reasonable grounds to believe that an operation by NSA and GCHQ probably happened.

But the company said,

The attacks against Gemalto only breached its office networks and could not have resulted in a massive theft of SIM encryption keys.

Many information security professionals ridiculed Gemalto for making this claim after such a short investigation, particularly since the NSA has been known to deploy malware and use other techniques that can completely erase signs of an intrusion after the fact, to thwart forensic discovery of a breach. French developer and security researcher Matt Suiche wrote on Twitter, “Very impressive, Gemalto had no idea of any attacks in 2010, one week ago. Now they know exactly what happened.”

The Intercept article concludes,

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

From Wired,

Edward Snowden criticized the agencies for the hack in an Ask Me Anything session for Reddit on Monday. “When the NSA and GCHQ compromised the security of potentially billions of phones (3g/4g encryption relies on the shared secret resident on the sim),” Snowden wrote, “they not only screwed the manufacturer, they screwed all of us, because the only way to address the security compromise is to recall and replace every SIM sold by Gemalto.”

Image by Georgy90, via Wikimedia Commons

Over Easy: How Well Do We Know Our World?

Because the past week has been stressful here at Firedoglake, and access still can be sporadic and a bit glitchy, I thought we could use a little humor, with perhaps a subtle lesson for us behind the fun. (All images from BuzzFeed.)

It all started when I stumbled on Vox’s 27 hilariously bad maps that explain nothing. After chortling and guffawing over all 27, I settled on #14, It’s Thanksgiving So We Asked Brits to Label the United States.

When BuzzFeed asked a group of Brits to fill out a map of the US, this was one of several disastrous attempts. This tracks with my experience: the redcoats can typically place California, Texas, Florida, and maybe Alaska immediately; they have a vague sense of New York and Chicago; the rest is a total blur.

Here’s one of my favorites, but do go look at all of them:

US Map Labeled by Brits
US Map Labeled by Brits

Lest we all be too smug, it seems that BuzzFeed also featured the results of Americans trying to label maps of both Canadian provinces and European countries, with equally hilarious results.

BuzzFeed asked their almost-entirely-American U.S. editorial team to label the provinces and territories of our Canadian neighbors.

Canada Labeled by BuzzFeed
BuzzFeed Staff Labels Canada

Also, Americans Try To Place European Countries On A Map
I know I wouldn’t do much better than this.

Europe Map Labeled by Americans
Map of Europe Labeled by Americans

All of the labeled maps in the three BuzzFeed articles are laugh-out-loud funny, as is the accompanying commentary. But the subtle lesson here is that most of us have woeful knowledge of the geography of other countries, or even knowledge of our own country that we learned in school but have mostly forgotten. It has to be difficult for us to understand other countries and their ethnic, political, national, or religious makeup if we can’t even accurately identify them on a map. I probably couldn’t. Could you?

A blank US Map is here (first in the listed maps, PDF). See if you can fill in all 50 states accurately.

Here’s an interactive one!

Over Easy: James Robertson’s Commute – A Journey of Faith and Determination

James Robertson
James Robertson

James Robertson, a 56 year old Detroiter, lives in the city and works in suburban Rochester Hills. His his 1988 Honda Accord died more than a decade ago, and he hasn’t been able to afford a replacement. His job pays $10.55/hr., which is more than Michigan’s $8.15 hourly minimum wage, but it’s not enough for him to save for the purchase, insurance, and maintenance of a car in that area. (Detroit has the highest car insurance rates in the U.S.) Robertson works at Schain Mold & Engineering, where he has run an injection-molding machine for twelve years. His boss’s wife often makes him dinner.

He leaves home at 8 a.m., and is able to ride a bus partway, out Woodward Ave. as far as an upscale mall in Troy, but then he walks from there to his job in Rochester Hills, arriving about 12:30 p.m. Monday through Friday. Five days a week. Rain and shine, heat and cold. He has a perfect attendance record.

As hard as Robertson’s morning commute is, the trip home is even harder. He works a 2 p.m. – 10 p.m. shift, and then sets out on foot in the dark for the 21-mile return to his home. None of his coworkers live near him, so he almost never gets a ride from them. At the upscale mall, he is able to catch the last SMART bus of the day, just before 1 a.m., and rides it into Detroit as far it goes, to the State Fairgrounds just south of 8 Mile. By then, the last inbound bus has left, so he walks the remaining 5 miles to the home he shares with his girlfriend, who inherited the house they live in. He gets home at about 4 a.m., then arises after a couple of hours of sleep to begin again. Five days a week.

So, what gets him past dangerous streets, and through the cold and gloom of night and winter winds?

“One word — faith,” Robertson says. “I’m not saying I’m a member of some church. But just before I get home, every night, I say, ‘Lord, keep me safe.’ ”

The next day, Robertson adds, “I should’ve told you there’s another thing: determination.”

After the story of Heart and Sole appeared in Sunday’s Detroit Free Press, recounting how a full-time job and 21 mile daily commute on foot leaves Robertson only two hours for sleep each day, a Wayne State University student launched a GoFundMe drive to raise money to buy Robertson a car, with an initial goal of $5,000. As of late Tuesday more than $254,000 has been donated, along with a choice of cars offered by local dealers.

Rochester resident Blake Pollock, a vice president at UBS, brought Robertson’s story to the Free Press after seeing him walking in every sort of weather for hours through areas of Troy and Rochester Hills. Pollock never dreamed anyone would be walking like that to keep his job. Because their commuting routes overlap in Oakland County, Pollock has picked up Robertson dozens of times this winter, ferrying the older man to the job. Now Pollock will help establish a board of advisors to help Robertson manage the rapidly increasing donations. Some of the funds will be put aside to pay for years of auto insurance, gasoline, maintenance, and also likely will help Robertson with medical and dental expenses. Dealers have offered, through the Free Press, free Chevrolets, Hondas and other makes. Apparently Robertson is leaning toward a Ford.

Local radio legend Dick Purtan interviewed Robertson at Purtan’s lakeside home in West Bloomfield.

Robertson told the retired radio funnyman he had no intention of quitting his $10.55/hour job, no plan to leave bosses and coworkers he cares deeply about, no intention of ever moving from the neighborhood in central Detroit where he’d lived all his life. Purtan was moved, like countless others who’ve read about Robertson or seen the Free Press video of him making a commute through miles of snow in Oakland County last week.

I encourage you to read the full Detroit Free Press articles about James Robertson linked below. And then keep his story in mind the next time someone tells you poor people are moochers, or the minimum wage is only for teenagers, or millages for bus service aren’t necessary in this age of the auto.

Heart and sole: Detroiter walks 21 miles in work commute

Detroiter’s daily trek inspires hundreds to donate

And then there’s this: Transportation study ranks Detroit 40th of 70 cities

Photo: Ryan Garza, Detroit Free Press