LifeSec

Why This Matters

From the first days I taught Operations Security (OPSEC) for the Inter-Agency OPSEC Support Staff, selling the idea of OPSEC was hard. People saw it as another chore: try to remember your list of critical information and don't talk about it. Yawn…

But the military and intelligence agencies take this very seriously, because seemingly unimportant information that is shared carelessly is dangerous.

Purple Dragon - the original OPSEC program for the USA.

For example, during the Vietnam war, the US military inadvertently leaked their plans to the Viet Cong spy network by having their planes visibly on the runway with the supplies staged nearby.

In a more modern example, reporters in the 90's discovered that they could predict major world events based on the number of late-night pizzas delivered to the Pentagon and other key agencies – a phenomenon now playfully referred to as "the pizza meter".

Basically, by operating in the open with no care for who was watching and what they might learn, US forces suffered data leaks of their own making. But who cares about the government, right? Why should regular people care?

Why Regular People Should Care

The crime of disbelief

Do you believe in Zeus and Poseidon? Do you legitimately believe they're real and must be respected and feared? If not, you are a non-believer… just like the rest of us. There are many major religions and branches and we are all non-believers to one or the other… and that shouldn't be anyone's business or concern. But not everyone agrees.

Trigger warning: violence, death

I was raised Christian, but learned early that there are "right kinds" and "wrong kinds". Catholics, Baptists, and others who claim to have the same beliefs, but will still argue and judge each other. It's one reason separation of church and state is so important – even if people could agree on the religion, there's just too much disagreement about details.

A 2017 Netflix Special about an activist murdered for her cause

Luckily, brave people like Madalyn Murray O'Hair advocated against forced prayer and Bible readings in public schools as early as the 60's. Through a lifetime of court cases and advocacy, she made schools a safe place for those of a different denomination, a different religion, or no religion at all.

A 2017 Netflix special details O’Hair’s life, her struggles, her victories, and (ultimately) her kidnapping and brutal murder in 1995. By making an effort to make the USA more respectful and inclusive for people of different beliefs, she, her son, and granddaughter paid the ultimate price.

The crime of being "girly"

Trigger warning: suicide, disability, children

In 2014, 11-year-old Michael Morales liked cartoons. But his school bullies decided his recent favorite was the "wrong kind" of cartoon and made his life hell. For violating gender norms and expectations, he faced abuse so severe that he attempted suicide. Though unsuccessful, he was left in a catatonic state from the attempt and tragically passed away seven years later. All for his "crime" of liking a so-called "girl's cartoon".

The crime of freedom

Trigger warning: children, attempted murder

In 2024, an American teenager from Lacey, Washington refused to follow her family tradition of an arranged marriage to an older man. She ran away from home and sought help from the staff at her high school, but was caught and attacked by her father, who tried to kill her. She only survived thanks to a Good Samaritan who was driving by, saw the attack, and intervened.

More than ever these days, it's become vitally important for vulnerable populations and advocates to learn how to speak without drawing undue attention from aggressors OR to be a 'hard target' if you do.

In an ideal USA, bigots and abusers would face scorn, shame, and, most of all, repercussions for their hate. But at the whims of society and politics, they not only might escape any consequence; they may be cheered and applauded. Whatever our ideals, we have to live in reality and that means sometimes being judicious about the amount and kind of attention we draw to ourselves.

Control your exposure

Bottom line, whether it's serial killers, child molesters, haters, abusers, creeps, or con artists; strangers or people you know – it's in your best interests to learn about risks and countermeasures so you can make an informed choice about sharing information.

But first a disclaimer!

LifeSec is NOT victim blaming!

It is risk management. For example, swimming in the deep ocean with bleeding bait strapped to your trunks is likely to attract predators, and posting online carelessly is similar.

When participating and especially when being an activist/ally, it's important to have a good sense of the actual risks so you can make sensible choices. This isn't a judgement of anyone's courage or duty – it is about keeping people safe and letting them choose for themselves what that means.

Adopt the "Way of LifeSec"

Why bother?

Commander biographies far too often publicly list family names, ages, sexes, schools and more

When I worked for the Inter-agency OPSEC Support Staff, a co-worker shared the story of a military commander who didn't think they needed an OPSEC program. In his view, "we're careful so all that extra effort is a waste."

To prove the point, my co-worker looked up his public profile online. There he found a bit of background on the commander, his wife, and his kids. It also mentioned his oldest daughter was a student at the nearby University of Maryland.

Minutes later, he'd found the daughter's profile on Facebook where it listed several photos, details of her life, and her class schedule. He grabbed a camera, a buddy, and printout of the schedule and went down to the school.

At the expected time, she came out of the Chem building, crossed the quad, and then sat at a long bench to check her bag. My co-worker sat down on the other end of the bench and did a "V" sign while his buddy took the shot. Later, he tossed the photo down on the commander's desk and said, "THAT is why you need an OPSEC program."

The good news is that the commander didn't take it personally and implemented the program, but not everyone has a team to handle this stuff for them. And even if they did, trying to stay aware of (and defend from) every new type of scam, hack, or trick is impossible. But giving up isn't the answer either. There needs to be a third option, and that option is LifeSec.

Like a martial art, LifeSec is a lifestyle. Not a series of steps and processes, but a set of general rules to internalize and make part of your everyday life. While this could never be 100%, adjusting your mentality about personal information has a much better chance of protecting you not just from the attacks of today, but from whatever new con is waiting right around the corner.

First up, The Risk of Visibility.


If a company allows you to block tracking IDs, you should

Targeted advertising is abusive by design. A website, app, or service can advertise just fine by knowing itself and its customer base. Otherwise, ads can be "targeted" to the content of the page.

While tracking people like animals certainly does improve targeting, it’s a violation of privacy, unnecessary for the customer, and creates opportunities for abuse.

Disable tracking IDs on any system you use, Windows, Android, etc.

  • https://www.thewindowsclub.com/stop-microsoft-from-tracking-you-on-windows-computer
  • https://www.eff.org/deeplinks/2022/05/how-disable-ad-id-tracking-ios-and-android-and-why-you-should-do-it-now

Time to re-evaluate my browser strategy. Time to be Brave

Brave. The privacy browser

Keeping up with security and privacy topics when your work is only tangentially related and life sweeps you away (so you don't have time or energy the rest of the time) is not easy. That's why your best chance for getting an upgrade is finding the time to focus and experiment OR finding the right article at the right time… and I hope this will be that for you.

I've tried to focus this article on how most people use the Internet most of the time. For extreme folks, there are other options including Lone Wolf and Tor, but for everyone else, keep reading:

Hate having to read an entire article for the answer? Here's the bottom line: I use Firefox for websites with logins (except social sites), Brave for regular Internet (and social sites that constantly lead out to the Internet), and a little bit of Edge as backup and personal brand segregation.

The brief background

Why is this necessary? Because companies are doing everything in their power to get into your business. They track where you go, what you click, what you're interested in, or just what they THINK you're interested in based on your browsing and clicking patterns. Besides being creepy and unwanted, it creates problems.

What happens when someone else uses your computer or you look something up for a friend or family member? Now their interests get mixed with yours, causing you to see ads and recommendations that aren't remotely relevant. And what happens when you accidentally click a bad link in a chat or email (it happens to the best of us)? Many attacks are based on the idea that you're logged into your email or bank in another tab of the same browser (this is called cross-site scripting). And what if someone buys ad space and puts malicious code in it (or it's just rude and obnoxious)?

To reduce risks, annoyances, and invasion of your privacy while keeping things extremely simple, the pro tip is browser segregation.

Generally speaking, you can break down your Internet use into two or three main categories:

  1. Actual browsing. Searching, clicking, exploring, etc.
  2. Account-based web applications. Email, banking, shopping, etc.
  3. Social and personal brand. LinkedIn, Facebook, Twitter, and other things connected to your professional image.

Let me explain each in more detail.

Benefits to browser segregation

Browsing

When you're browsing around the Internet, you want the toughest browser around because you could end up anywhere at any time. Click a bad link, type a url wrong, or just browse around normally where sites attempt to identify you individually, track you, invade your privacy, and put you at risk due to poorly managed scripts and advertisements. As your default browser, this is the one that will load if you accidentally click the wrong thing in a Discord chat or any other app on your computer.

This is also the one you want to use for your private social accounts and any other app that is so closely tied to the general Internet that it's nearly indistinguishable from the open Internet anyway. Things like Reddit and Pinterest, or alternate accounts for Twitter and Facebook that aren't tied to your identity.

Basically, you need your A-game browser – the best of the best – when out in the wilds of the open Internet.

Account-based Web Applications

This is where you keep your login-based accounts like emails, banking, shopping, and so on. If it's not a semi-Internet site like Reddit or Pinterest and it requires a login, keep it in your secondary browser.

Granted, sites like Amazon are very invasive as well, but much of the way they spy on you requires that you're out browsing the Internet and not staying on a handful of specific websites. Additionally, various types of attacks depend on you browsing around and taking a wrong turn while your tasty bank account or email is open in another tab of the same browser. Using separation this way largely prevents that too.

Don't overcomplicate it! For many people, keeping your logged-in accounts and open browsing separate is good enough, but if you want to see why I use a third, read on.
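To show why the "bank open in another tab" attack depends on a shared browser, here is an added simulation (not code from the original post): each browser profile is modelled as its own cookie jar, and a forged request from one site to another only carries the cookies that live in the same jar. The hosts bank.example and evil.example, the session values, and the simplified SameSite rules are all constructed for the illustration.

```python
"""Why browser segregation blunts cross-site attacks on logged-in accounts.

Added illustration, not code from the original post.  A Profile is one
isolated cookie jar (one browser, or one browser profile).  cookies_for()
answers: which cookies would ride along on a request to `target_url`
that was triggered by a page at `initiator_url`?  Hosts and values below
are constructed; the SameSite logic is a simplified model of the real rules.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str = "None"   # "None", "Lax" or "Strict"


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the constructed hosts here."""
    return ".".join(host.split(".")[-2:])


@dataclass
class Profile:
    """One browser profile == one cookie jar that other profiles cannot see."""
    name: str
    jar: dict = field(default_factory=dict)   # host -> [Cookie, ...]

    def set_cookie(self, host: str, cookie: Cookie) -> None:
        self.jar.setdefault(host, []).append(cookie)

    def cookies_for(self, target_url: str, initiator_url: str,
                    top_level_nav: bool = False) -> list:
        """Names of cookies attached to a request initiated by another page.

        top_level_nav=True means the user was navigated (a link / redirect);
        False means a background request such as a hidden form POST or fetch.
        """
        target = urlparse(target_url).hostname
        initiator = urlparse(initiator_url).hostname
        same_site = registrable(target) == registrable(initiator)
        sent = []
        for c in self.jar.get(target, []):
            if same_site:                       # bank page talking to bank
                sent.append(c.name)
            elif c.samesite == "None":          # legacy default: always sent
                sent.append(c.name)
            elif c.samesite == "Lax" and top_level_nav:
                sent.append(c.name)             # Lax: only on navigations
            # "Strict": never on a cross-site request, so nothing appended
        return sent


BANK = "https://bank.example"
EVIL = "https://evil.example"


def single_browser_scenario() -> list:
    """Everything in one browser: the bank session rides along on a forged
    background POST from the malicious page."""
    one = Profile("everything")
    one.set_cookie("bank.example", Cookie("session", "abc123"))   # constructed
    return one.cookies_for(BANK + "/transfer", EVIL + "/lure")


def segregated_scenario() -> list:
    """Accounts in one profile, open browsing in another: the browsing
    profile simply has no bank cookie to send."""
    accounts = Profile("accounts-browser")
    browsing = Profile("open-internet-browser")
    accounts.set_cookie("bank.example", Cookie("session", "abc123"))
    return browsing.cookies_for(BANK + "/transfer", EVIL + "/lure")


def samesite_scenario() -> tuple:
    """The site-side mitigation: a SameSite=Lax session cookie stays home on
    the forged request but still works for the user's own bank pages."""
    one = Profile("everything")
    one.set_cookie("bank.example",
                   Cookie("session", "abc123", samesite="Lax"))
    forged = one.cookies_for(BANK + "/transfer", EVIL + "/lure")
    normal = one.cookies_for(BANK + "/transfer", BANK + "/account")
    return forged, normal


if __name__ == "__main__":
    print("one browser, forged request carries:", single_browser_scenario())
    print("segregated browsers, forged request carries:", segregated_scenario())
    print("SameSite=Lax (forged, normal):", samesite_scenario())
```

The segregated case protects you regardless of what the bank sets, which is why the article's habit works even on sites that never adopted SameSite cookies.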

Identity Accounts and Branding

In my case, I chose to have one more separation where my identity is known and my reputation at stake. To make sure that I don't cross wires and rant about how much I hate the VI editor on my branded-Reddit page, I keep them segregated too.

LinkedIn, Reddit with my professional name, Kickstarter, Twitter (if it survives into 2024 and beyond), my official Facebook (if I ever decide to make one) – basically, I keep these in a third browser because:

  1. I want to keep a third, more standard browser around for the rare cases where sites refuse to load in anything else.
  2. I can visually tell if I'm in the wrong place because of the different browser. That helps me think twice about what I'm going to post since it's tied to me individually.

Which browser and why?

For identity-based Internet

I'll cover this first and only briefly since only some people will be using the 3rd-level browser. I use Edge because it's one of the three major-supported browsers and will work for any site that doesn't like deviations from the norm. Also, it's not Chrome (the worst for privacy invasion).

For account-based Internet

For this one, I chose Firefox. Firefox is nowhere near the privacy-focused and community-friendly browser it used to be, but most of the ways it sucks now require being on open Internet. It's still going to be supported by major websites and you shouldn't have any trouble using your accounts with it.

For open Internet

I had been sleeping on this one for a while and had heard bad things in the past, but I read articles, watched videos, and did some research. I determined that, as of this posting, Brave is the best browser for privacy online. It has a built-in adblock function and VPN (the first is free; the VPN you have to pay for, but that's not a big deal). It's nicely presented, fast, and works everywhere I've tried it so far.

Brave is also building a privacy-based search engine which is something DuckDuckGo has been known for, but even DDG has some issues that Brave does not. If the Brave search isn't working for you, Google and DDG are still there. Brave does use some kind of cryptocurrency gimmick, but that's optional and doesn't get in the way enough that I see it as a dealbreaker.

Summary

For best safety/security/privacy, use at least two browsers and mentally separate your activity online into "log-in account stuff" and "everything else" (and maybe a third for "anything that I use my real name for").

John Oliver’s Breakdown of Data Brokering – What it is, why you should care, and a small side-order of Congressional blackmail

Of course John didn't actually blackmail anyone, but he made a valid point that sometimes the only way for things to get done is for Congress to feel the problem actually affects them. To prove his point of how vile and dangerous unregulated data-brokering is, he used completely legal and commonly used techniques to get data about several members of Congress with a vague threat that if they were worried about what he found, they really ought to consider passing laws to prevent the kind of data gathering he used.

This video should be required watching for every US Citizen because data brokering is dangerous. If you need any proof, well… that's what the video is for (but you can also look at the ID Theft crisis, which was almost entirely caused by data brokering).

MeWe: Privacy based Facebook alternative – A Review

MeWe: A Facebook alternative based on protecting your right to privacy.

It's been great watching DuckDuckGo rise as a major Google competitor. I've been thrilled to see Firefox taking a more aggressive approach to protecting people as a way to combat the invasiveness of Chrome. Now we might finally have a solution to the Facebook problem. "Which problem", you might ask?

If you didn't already know, Facebook has a long and sordid history of taking and misusing your data, profiling you, selling those profiles, losing and mishandling the data as well. They're essentially a data-broker masquerading as social service. This means harvesting every piece of information they can find about you so they can package and sell it to others. It's nasty business, but everyone's doing it… everyone except a few who are building a new paradigm that proves you can make a business work without abusing customers.

Data-brokering is nasty business. They learn about your habits, your private business, your medical information - all of it packaged and sold with nary a thought to whether that will be used for ID Theft, skeezy marketing, law enforcement and so on.

That's what I hope to see in MeWe. I did some research since I'd never heard of them before today, and they've actually been around a while. They used some business-focused "gofundme" services (Angel.co and wefunder) to get capital and have built up MeWe.com from that. There are various reviews of the site around, including one from Forbes.com, which claims they already have 8 million members (and that number is rapidly growing).

If that's the case, they hardly need my review on top, but I still reached out to the CEO (his email is listed online… something he'll want to change if the site is growing this rapidly) to point out some room for improvement. For example:

  • Good – A privacy bill of rights. Better – Futureproofing.
  • It's not actually clear in the policy what happens if they change their mind later. I read on another post (their about page or one of the reviews perhaps) that they would notify you of changes and you could opt out… not very reassuring. Better would be to make it clear that minor changes to the policy that are still in-line with the philosophy would result in notices, but major changes would not affect you until you logged into your account again and manually accepted the change. This is a bold site with a bold plan; let's see bold assurances as well!

  • Good – Privacy Policy. Better – Cleaner, clearer, better presented.
  • They're actually doing pretty well already in having a conversational tone, keeping it short, and avoiding legalese, but I think it can be even better. For example, the font is pretty small and they're not making great use of whitespace. Some pics might be good to break up the wall of text. Some of the detail is a little overkill (maybe summarize and then link/expand for people who care).

    Did you know? Internet law requires at least one cat pic per post.
  • Good – Endorsements by a few big name reviews online. Better – Endorsement by Firefox and DuckDuckGo.
  • There are precious few companies trying to take on the giants and it would make sense for them to join forces; even if only in cross endorsement. Obviously they should first review their business model, security plan, and a deeper look at their tech strategy, but then, if they're convinced, the endorsement of someone I already researched and trust would go a lot further than online posts.

    So far going through the privacy policy and terms of service, I'm generally impressed. There are some neat features like "secret messaging" that even MeWe can't see (end-to-end encrypted between you and the recipient), full right to download all your MeWe content to your local computer, and messages that will auto-delete once they're received. Of course there's the question of "how they get paid" which they answer on their FAQ page.

    It's a bit lengthy so let me summarize: they make money by charging businesses for a PRO version, by selling extra emotes (if you care), and other add-ons that are optional.

    Last Thoughts

    Signing up was easy and, though I will never let a website scan my contacts from other services, at least there's SOME assurance this site wouldn't abuse that function. The home page is clean, easy to understand and features some posts from the CEO about important privacy issues (like the growing concerns over how Amazon uses Alexa). Nice…

    Not bad. If you combine the promised privacy with a good tool, this might be the tool that saves us from Facebook.
    The jury's still out for me, but at least I can feel comfortable using MeWe in my regular browser instead of having to isolate Facebook in a private window to keep it from stalking me on the web. That alone puts MeWe on top for me.

    What Does Lexis Nexis Know About Me?

    Lexis Nexis - The bottomless pit of user data
    (Image used under: Creative Commons 3.0 [SRC][Mod])

    LexisNexis (which acquired ChoicePoint) is the largest data-broker in the world. They create vast profiles on people and use that information to create various reports that they sell to companies of all kinds. These reports are used to make decisions about renting, insurance and more. In the past, these reports have been purchased by law enforcement and criminal organizations, all to find out more information about you.

    It might be a good idea to find out what's in your report, but it turns out that neither simple web searching nor LexisNexis themselves does much for listing out all the types of data they know about you. Well, here's the list of information they had (or could have had) from my personal LexisNexis dossier:

    Auto/Property Insurance Records:

    LexisNexis is tied into the "Current Carrier" insurance information system used by insurance companies and agencies when deciding to issue you a policy. Think of it like a "credit report for insurance".

    This includes 7 years worth of:

    • Name of insurance company
    • Your policy number
    • Type of policy (auto, boat, fire, quake, tenant, home, etc).
    • Risk type (standard, preferred, facility, etc).
    • Policy start date
    • Policy termination date and reason for termination
    • Names of each subject found on the policy

    For auto, this also includes:

    • Insured vehicle (including VIN, year, and make)
    • Type of vehicle
    • Coverage amounts

    For property, this also includes:

    • Address of property
    • Eviction records

    Personal information that may be included

    • Date of Birth (partially omitted; ex. like 06/##/1970)
    • Sex
    • Social Security Number (Minus the last four digits)
    • Driver's license number (partially omitted)

    "C.L.U.E"® insurance loss information reports (apparently reports on whether you're a high risk person or not)

    "Esteem" report

    This report lists circumstances relating to theft while working at a retail company (admitted or convicted).

    In my case, this was of course blank, so I don't know specifically what data items would have been included. Most entertaining, there's a line in the report that reads "If you believe we should have information about you in our Esteem Database, let us know"… Wow.

    Background Investigation

    If any company ever pays LexisNexis to perform a background check on you, LexisNexis will keep the information for future sales purposes. This may include your full driving record and your personal credit file.

    Screennow ® report

    This report shows results of a national criminal records search.

    Public Records

    • Professional licenses held (doctor, lawyer, pharmacist, barber, insurance agent, pilot, etc.)
    • Address history
    • Deed transfer data
    • Aircraft registration
    • Loan information (where the loan was secured with collateral: i.e. a car)
    • Bankruptcies, liens, and judgements
    • Controlled substance license (in case you want to know who can legally get illegal drugs)
    • Business affiliations – When you're an officer or principal of an incorporated company
    • Significant shareholder records

    Employment history

    They claim they'll only have history of employers who previously asked LexisNexis to do a background check on you.

    Does that make you uncomfortable?

    Data brokers are just a business like any other, but as the credit report companies proved, buying and reselling data carelessly leads to disaster. Considering that these reports are FAR more detailed with a much wider variety of information, I can only imagine the consequences of allowing them to proceed as they have been.

    Fortunately, you may not have to.

    I was able to order my report using this webpage. I believe that doing so would be a good idea, but after that, make sure to also use their opt out procedures if you can.

    It turns out that they'll only let your data go if you can prove that you're an identity theft victim or in imminent danger of bodily harm (police officer, public officials, etc). But it's easy to understand why they make it hard. After all, why would you set free one of your prize milk cows for no good reason?

    In the end, I hope that strong regulation is introduced before we reach a problem like we did with identity theft.


    Facebook Tracks You Even When Logged Out

    (Image used under: Creative Commons 2.0 [SRC])

    So yesterday, we learned that OnStar tracks you even if you're not a customer and today, we learn that Facebook will track and monitor your web usage without your knowledge or permission… even if you're not logged in.

    The social network is quietly retracting a cookie that continued to report your Facebook user ID even after you "logged out" of the site. But it's not sorry about five other cookies that persist after you sign off. What, you didn't think Facebook would ever let you actually for real seriously 100 percent sign out, did you?

    Remember, you're not Facebook's customer, you're cattle. These kinds of issues will never stop so if you aren't using special software to counter Facebook's nastier sides, you're at a disadvantage.


    OnStar To Spy On People

    (Image used under: Creative Commons 2.0 [SRC][Mod][Comp])

    OnStar was recently admonished by several senators for its plan to spy on people (even non-customers).

    OnStar is apparently hoping to create a new revenue stream by collecting data about the movements of OnStar-equipped cars. Obviously, this data set will be more comprehensive—and, therefore, more lucrative—if it includes data from former OnStar subscribers as well as current ones. In an announcement e-mailed to subscribers earlier this month, the company said that, starting December 1, it would continue collecting data from subscribers even after they cancel their service. OnStar also said it reserved the right to sell aggregated and anonymized data to third parties.

    4th Amendment Summary by the EFF

    Can you refuse search or not? It would be good to know your rights.
    (Image is in the Public Domain)

    You can't use rights you don't know about or don't understand. The Electronic Frontier Foundation has posted a summary of your 4th amendment rights to deny the government permission to search you or your belongings (digital or otherwise).

    It's good to know what you can and can't do since you should know that even when you've done nothing wrong, you may still get yourself into a lot of trouble if you are careless with your privacy.


    TSA Nude Scanners Coming To American Malls

    You're kidding, right?

    So…

    Wait.

    What now?

    A Yahoo article says that because women's clothes sizing is hard, they're going to nude scan them to figure out what they can wear. Seriously!?

    Ms. Shaw, the entrepreneur, is chief executive of a company called MyBestFit that addresses the problem. It is setting up kiosks in malls to offer a free 20-second full-body scan — a lot like the airport, minus the pat-down alternative that T.S.A. agents offer.

    Lauren VanBrackle, 20, a student in Philadelphia, tried MyBestFit when she was shopping last weekend.

    “I can be anywhere from a 0 at Ann Taylor to a 6 at American Eagle,” she said. “It obviously makes it difficult to shop.” This time, the scanner suggested that at American Eagle, she should try a 4 in one style and a 6 in another. Ms. VanBrackle said she tried the jeans on and was impressed: “That machine, in a 30-second scan, it tells you what to do.”

    That's cute. A strip search in the name of getting something to wear? So instead of wasting millions on this disrobing plan, why not standardize women's clothing and use inch measurements like men's clothes? How's that for an idea?

    How long until someone hacks these poorly protected machines to record copies of all women scanned and the photos show up on the Internet? Will you put your teenage daughters in them?

    This is so, so stupid, I can't believe it's actually true. I really hope this doesn't catch on because if it does, my faith in humanity will suffer yet again.


    Check out one of my guides/tutorials:

    Data Brokering
    Data brokering is the practice of collecting as much data as possible about customers or visitors into profiles. Then the data is sold, shared, or lost in data breaches to be used in targeted marketing or ID Theft.

    How to Steal Identities - Why It's So Easy
    Just why is it so easy to steal identities? Where is all this information coming from!?

    Bad Passwords
    To understand what makes good passwords, first check out some of the worst passwords out there and what makes them so bad.

    Password Tips and Tricks
    It's impossible to expect someone to make good passwords by just giving them some rules. There are tricks that make your passwords secure and easy for you all at the same time.

    Password Protection
    It's really a skill to come up with secure passwords that you can remember. Once you've learned how, remember that it doesn't matter how good you are if you don't protect your password properly.

    Password Mugging
    A disturbing new practice among websites and services is where they ask you for your user name and password to other sites. I call this "Password Mugging".